China Believes Its Cyber Capabilities Lag Behind US: Pentagon
21.8.2018 securityweek BigBrothers

China believes its cyberwarfare capabilities lag behind the United States, but it’s working on closing the gap, according to the U.S. Department of Defense (DOD).

In its annual report to Congress, the Pentagon describes the cyber capabilities and cyber operations of the People's Liberation Army (PLA), and warns that China continues to launch cyberattacks against organizations around the world, including in the United States.

The PLA sees cyberspace as one of the four critical security domains and it has taken steps to make improvements in this area, the report says.

“China believes its cyber capabilities and personnel lag behind the United States and is working to improve training and bolster domestic innovation to overcome these perceived deficiencies and advance cyberspace operations,” the Pentagon noted.

One of the steps taken by the PLA in an effort to improve its cyber capabilities is the creation of the Strategic Support Force (SSF). Believed to have been established in 2015, the SSF’s role is to centralize the military’s space, cyber and electronic warfare missions.

“The establishment of the SSF may represent the first step in developing a cyber force that creates efficiencies by combining cyber reconnaissance, attack, and defense capabilities into one organization,” the report reads. “PLA writings acknowledge the benefits of unifying leadership, centralizing cyber resource management, and combining offensive and defensive cyber capabilities in one military organization, and cite U.S. Cyber Command as accomplishing such a consolidation.”

According to the Pentagon, the Chinese military distinguishes between wartime and peacetime cyber operations. The former focuses on helping the PLA understand its enemy’s trend, plan combat operations, and “ensure victory on the battlefield.” During peacetime, the focus is on defending cyberspace and electromagnetic space.

“[PLA writings] suggest that China is prepared to use cyber operations to manage the escalation of a conflict, as they view cyber operations as a low-cost deterrent and can demonstrate capabilities and resolve to an adversary,” the DoD says.

The Chinese military’s cyber warfare strategy involves targeting an adversary’s command and control (C&C) and logistics networks in an effort to disrupt its ability to operate. The PLA noted that attacking C&C systems has the potentially to paralyze the enemy and gain superiority on the battlefield.

“Accordingly, the PLA may seek to use its cyberwarfare capabilities to collect data for intelligence and cyber attack purposes; to constrain an adversary’s actions by targeting network-based logistics, communications, and commercial activities; or to serve as a force- multiplier when coupled with kinetic attacks during times of crisis or conflict,” the report says.

Threat actors based in China continued to target computers around the world through 2017, including systems belonging to the DOD and other U.S. government agencies, with a focus on accessing networks and extracting information.

“China can use the information to benefit China’s defense high-technology industries, support China’s military modernization, provide the [Chinese Communist Party] insights into U.S. leadership perspectives, and enable diplomatic negotiations, such as those supporting China’s Belt and Road Initiative,” the DOD says in its report. “Additionally, targeted information could enable PLA cyber forces to build an operational picture of U.S. defense networks, military disposition, logistics, and related military capabilities that could be exploited prior to or during a crisis. The accesses and skills required for these intrusions are similar to those necessary to conduct cyber operations in an attempt to deter, delay, disrupt, and degrade DoD operations prior to or during a conflict.”


NCC Group Releases Open Source DNS Rebinding Attack Tool
21.8.2018 securityweek Attack

Cyber security and risk mitigation company NCC Group has released a new open source tool designed to make it easier for penetration testers and others to perform DNS rebinding attacks.

DNS rebinding, an attack method that has been known for more than a decade, can allow a remote hacker to abuse a targeted entity’s web browser to directly communicate with devices on the local network. DNS rebinding can be leveraged to exploit vulnerabilities in services the targeted machine has access to.

Getting the target to access a malicious page or view a malicious ad is often enough to conduct an attack that can lead to theft of sensitive information or taking control of vulnerable systems.

NCC Group on Friday announced the availability of Singularity of Origin, an open source tool designed for conducting DNS rebinding attacks.

“During recent security assessments, we’ve seen applications running on the localhost interface or exposing services on an internal network without authentication. This includes Electron-based applications or applications exposing Chrome Developer Tools and other various debuggers,” NCC Group Senior Security Consultant Roger Meyer said in a blog post.

“Exploiting such services is typically straight forward, but it takes a substantial effort to implement an attack in the context of a security assessment. There are tools available to exploit DNS rebinding vulnerabilities but they pose a number of challenges including the lack of support or documentation. They sometimes do not even work, are very specific and/or do not provide a full exploitation stack, requiring much effort to assemble and integrate all the missing bits and pieces,” Meyer noted.

According to NCC, Singularity provides a complete exploitation stack, including a custom DNS server that allows rebinding the DNS name and IP address of the attacker’s server to the targeted machine, an HTTP server for serving HTML and JavaScript code to targeted users, and various attack payloads. The payloads, which include grabbing an app’s homepage and remotely executing code, can be adapted for new and custom attacks.

NCC Group Senior Security Consultant Gerald Doussot told SecurityWeek that the purpose of Singularity is to provide penetration testers “a simple tool that rapidly exploits a DNS rebinding attack finding and illustrates graphically its potential impact, including remote code execution.”

Singularity also aims to increase awareness of DNS rebinding attacks among application developers and security teams.

“We wanted to increase awareness that DNS rebinding attacks are easy to exploit and damaging but can be remediated with appropriate controls,” Doussot explained.

Singularity source code is available on GitHub, where users can also find detailed instructions on how the tool can be set up and utilized. For demo purposes, NCC Group is also temporarily offering a test instance of the tool.

Singularity of Origin

Google Project Zero researcher Tavis Ormandy earlier this year put the spotlight on DNS rebinding attacks after finding serious vulnerabilities in some popular BitTorrent apps and Blizzard games.

Tripwire researcher Craig Young showed recently how the technique can be used against Google Home and Chromecast devices to reveal a user’s precise physical location. A study published in July by IoT security firm Armis showed that DNS rebinding exposes nearly half a billion devices used by enterprises to attacks.


Code of App Security Tool Posted to GitHub
21.8.2018 securityweek Security

Code of DexGuard, software designed to secure Android applications and software development kits (SDKs), was removed from GitHub last week, after being illegally posted on the platform.

The tool is developed by Guardsquare, a company that specializes in hardening Android and iOS applications against both on-device and off-device attacks, and is designed to protect Android applications and SDKs against reverse engineering and hacking.

The DexGuard software is built on top of ProGuard, a popular optimizer for Java and Android that Guardsquare distributes under the terms of the GNU General Public License (GPL), version 2. Unlike ProGuard, however, DexGuard is being distributed under a commercial license.

In the DMCA takedown notice published on GitHub, Guardsquare reveals that the DexGuard code posted on the Microsoft-owned code platform was illegally obtained from one of their customers.

“The listed folders (see below) contain an older version of our commercial obfuscation software (DexGuard) for Android applications. The folder is part of a larger code base that was stolen from one of our former customers,” the notice reads.

The leaked code was quickly removed from the open-source hosting platform, but it did not take long for it to appear on other repositories as well. In fact, Guardsquare said it discovered nearly 200 forks of the infringing repository and that demanded all be taken down.

HackedTeam, the account that first published the stolen code, also maintains repositories of open-source malware suite RCSAndroid (Remote Control System Android).

The spyware was attributed several years ago to the Italy-based Hacking Team, a company engaged in the development and distribution of surveillance technology to governments worldwide. Earlier this year, Intezer discovered a new backdoor based on the RCS surveillance tool.


Necurs Campaign Targets Banks
21.8.2018 securityweek
Virus

A recently observed spam campaign powered by the infamous Necurs botnet has been specifically targeting banks with the FlawedAmmyy RAT, security researchers warn.

First observed in 2012, the Necurs botnet is best known for the massive Locky ransomware campaigns that it powered in 2016 and 2017. Considered the largest spam botnet in the world, Necurs was sending tens of millions of emails daily at the end of last year.

The botnet has managed to remain active by employing multiple Domain Generation Algorithms (DGA’s) and a peer-to-peer communication protocol, along with .bit domain names, Cofense’s researchers report. Over the past weeks, it has also shown an increase in activity, the security firm notes.

Last week, Necurs started sending spam emails that appeared highly targeted at the banking industry, and Cofense says that over 3,700 bank domains were targeted as recipients.

“There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically. […] The banks range from small regional banks all the way up to the largest financial institutions in the world,” the security firm reveals.

The main purpose of the attack was to infect recipients with the FlawedAmmyy remote access Trojan (RAT), a payload that Necurs has been delivering a few months ago.

Supposedly based on Ammyy Admin RAT’s leaked code, FlawedAmmyy can provide attackers with full control over the compromised systems. The malware can be leveraged to execute commands on the infected machine, enable remote desktop sessions, launch a file manager, view screen, and more.

The highly targeted campaign revealed yet another step in the constant evolution of Necurs: the use of .pub attachments (Microsoft Office Publisher files) to bypass security protections.

Similar to other Office applications, Microsoft Publisher supports macros, and the actor behind this campaign embedded a malicious macro in the .pub file delivered by the spam messages. The macro was designed to access a URL and execute a downloaded file.

A subset of the spam emails in this campaign, Cofense says, employed weaponized PDF files instead. These were identical to those observed in June to leverage .iqy files for malware delivery.

Compared to other attacks fueled by Necurs, this campaign was small, Trustwave points out. The security firm also confirms that all of the targeted addresses were domains belonging to banks, clearly indicating a “desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”


Flaw in SOLEO IP Relay Service potentially exposed over 30 million Canadian records
20.8.2018 securityaffairs
Vulnerebility

Major Internet service providers (ISPs) in Canada were impacted by a local file disclosure flaw in the SOLEO IP Relay service that was recently addressed.
Almost all major Internet service providers (ISPs) in Canada were impacted by a local file disclosure vulnerability in the SOLEO IP Relay service that was recently addressed.

Telecommunications relay services (TRSs) developed by Soleo Communications are IP relay services used by major Internet service providers (ISPs) in Canada.

The SOLEO IP Relay service is a cloud-based IP Relay service for telecommunications providers that allows people who are deaf, hard of hearing, or have a speech disorder to place calls through a TTY or other assistive telephone device.

According to Project Insecurity researcher Dominik Penner, the flaw ties the improper input sanitization and leads to the exposure of sensitive user information.

“This vulnerability exists due to the fact that there is improper sanitization on the
“page” GET parameter in servlet/IPRelay. A developer should always check for
dangerous characters in filenames. In this case, we were able to navigate our way
through the server and into the WEB-INF directory by using directory traversal
characters (../)” states the vulnerability report published by the researcher.

The impact of such vulnerability is severe, a foreign attacker can trigger the vulnerability to compromise over 30 million Canadian records.

An attacker can exploit the security vulnerability to determine the composition of the IPRelayApp directory and find the location of the source files on the IP Relay server and then download them.

The experts highlighted that WEB-INF directory is within the IPRelayApp directory, this means that they were able to load web.xml, a XML document that has a few mappings for Tomcat to understand where to pull certain files from.

“At this point, we wrote a nice little proof-of-concept to parse the web.xml file and
find the location of the source files.” continues the report.

“All of the following files can be downloaded by loading them from
WEB-INF/classes/*. ” “Once again, to confirm severity, we tried to load one of these
files. After loading this file into our text editor, it was evident that these classes had been compiled in Java bytecode. However, a determined attacker would easily be able to convert this directly back to source, compromising source code and other sensitive
files.”

SOLEO IP relay

An attacker accessing the source code could retrieve the passwords the servlet uses to communicate with other services could escalate his privileges on the server or use the information in other attacks.

“ An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack. The end result could be escalated to yield remote code execution, though we were not comfortable attempting to do this before getting in contact with the vendor” the researcher continues.

Penner discovered that at least ten of major Canadian ISPs were running the vulnerable Soleo IP Relay.

“To conclude this report, we have confirmed that a determined attacker (APT/foreign
entity) could leverage this vulnerability to steal passwords from configuration files
across multiple providers, compromise said providers using the stolen passwords,
and then potentially launch a large scale identity theft operation against Canadians.” concludes the report.

The expert reported the flaw to SOLEO on July 19 and it was patched on August 10.


China’s Belt and Road project (BRI) is a driver of regional cyber threat activity
20.8.2018 securityaffairs BigBrothers

Security experts have observed increasing cyber espionage activity related to China’s Belt and Road Initiative (BRI).
The alarm was launched by the experts from cybersecurity firms FireEye and Recorded Future.

China’s Belt and Road Initiative (BRI) is a development project for the building of an infrastructure connecting countries in Southeast Asia, Central Asia, the Middle East, Europe, and Africa.

For this reason, the project is considered strategic for almost any intelligence Agency.

FireEye defined it as a “driver of regional cyber threat activity”, experts warn of a spike in espionage operations aimed at gathering info in the project.

Cyber spies are already targeting organizations from various sectors that are involved in the project.

“Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a driver of emerging nation-state cyber actors to use their capabilities,” reads a report published by FireEye.

FireEye uncovered an espionage campaign carried out by the China-linked APT group dubbed Roaming Tiger.

The Roaming Tiger campaign was discovered by experts at ESET in 2014, in December 2015 experts uncovered a cyber espionage campaign aimed at Russian organizations.

The APT group targeted entities in Belarus using specially crafted documents that referenced the Chinese infrastructure project as a bait.

FireEye observed the use of several malicious codes against organizations involved in the BRI project.

Chinese hackers used the TOYSNAKE backdoor to target several European foreign ministries. According to FireEye, another malware tracked as BANECHANT was used to target Maldives, a strategic center for financial investments related to BRI, meanwhile the LITRECOLA malware was used in attacks against Cambodia and the SAFERSING malware was involved in campaigns against international NGOs.

Experts also mentioned the recent attacks powered by the TEMP.Periscope group on the maritime industry.

“We expect BRI will also highlight the capabilities of emerging cyber actors across Asia and the Middle East and under what norms such nation-states sponsors will employ their capabilities,” FireEye said in its report. “Prior FireEye iSIGHT Intelligence reporting has noted that rising regional cyber actors, such as Vietnam, have been willing to employ their espionage capabilities against foreign corporations conducting business inside their borders. Similarly, there may be a willingness for other nation-state actors to aggressively target private sector organizations contributing to BRI.”

Researchers at Recorded Future also reported several attacks originating from China, precisely from the Tsinghua University.

The hackers targeted Tibetan community and many governments and private sector organizations worldwide.

The attacks launched from the Tsinghua University targeted Mongolia, Kenya, and Brazil, that “are key investment destinations as part of China’s Belt and Road Initiative.”

“During the course of our research, we also observed the Tsinghua IP scan ports and probe government departments and commercial entities networks in Mongolia, Kenya, and Brazil. Each of these countries are key investment destinations as part of China’s Belt and Road Initiative.” states the report published by Recorded Future.

“We assess with medium confidence that the consistent reconnaissance activity observed from the Tsinghua IP probing networks in Kenya, Brazil, and Mongolia aligns closely with the BRI economic development goals, demonstrating that the threat actor using this IP is engaged in cyberespionage on behalf of the Chinese state,”

BRI

The appendix in the PDF report published by Recorded Future includes a full list of the associated indicators of compromise.


North Korea-linked Dark Hotel APT leverages CVE-2018-8373 exploit
20.8.2018 securityaffairs APT

The North Korea-linked Dark Hotel APT group is leveraging the recently patched CVE-2018-8373 vulnerability in the VBScript engine in attacks in the wild.
The vulnerability affects Internet Explorer 9, 10 and 11, it was first disclosed last month by Trend Micro and affected all supported versions of Windows.

The flaw could be exploited by remote attackers to take control of the vulnerable systems by tricking victims into viewing a specially crafted website through Internet Explorer. The attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the security advisory published by Microsoft.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The analysis of the exploit code for the CVE-2018-8373 revealed it shared the obfuscation technique implemented for another exploit triggering the CVE-2018-8174 flaw.

The CVE-2018-8174 was first discovered by experts at Chinese security company Qihoo 360 and it was fixed in May by Microsoft.

The similarities in the exploits suggest that were developed by the same threat actor.

“We found this exploit using heuristics, which led to a more in-depth analysis. Interestingly, we found that this exploit sample uses the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code execution vulnerability patched back in May” wrote Trend Micro.

“We suspect that this exploit sample came from the same creator. Our analysis revealed that it used a new use-after-free (UAF) vulnerability in vbscript.dll, which remained unpatched in the latest VBScript engine.”

CVE-2018-8174

A similar theory was proposed by experts from Qihoo that collected evidence that linked the use of the CVE-2018-8373 exploit to Dark Hotel.

The experts discovered that domain name embedded in Office documents in latest attacks is the same used to download Double Kill exploit code in previous attacks linked to the North Korea-linked APT group.

“The 360 Threat Intelligence Center first obtained the IOC address after Trend Micro coding through the big data analysis association:

http://windows-updater[.]net/realmuto/wood[.]php?who=1??????

Associated homologous 0day attack sample” states Qihoo

“And found an attack time and trend technology found in the wild “double kill” 0day attack on the same day suspected of using the 0day attack of the office document sample, the domain name embedded in the Offce document sample and the domain name format given by Trend Micro (http ://windows-updater[.]net/stack/ov[.]php?w= 1\x00who =1)”

CVE-2018-8373

In the analysis published in May by Qihoo 360 the researchers associated the CVE-2018-8373 exploit with Dark Hotel based on TTPs associated with the threat actor (e.g. the decryption algorithm that malware used is identical to Dark Hotel’s one).
Experts speculated that the CVE-2018-8373 was used in a cyber espionage campaign aimed at China.


Unusual Malspam campaign targets banks with Microsoft Publisher files
20.8.2018 securityaffairs
Virus

Researchers from Trustwave have uncovered a malspam campaign targeting banks with the FlawedAmmyy RAT.
The peculiarity of this malspam campaign is the unusual use of a Microsoft Office Publisher file to infect victims’ systems.

Experts noticed an anomalous spike in the number of emails with a Microsoft Office Publisher file (a .pub attachment) and the subject line, “Payment Advice,” that was sent to domains belonging to banks.

This campaign is very small but appears to be very focused on banks.

The spam messages contained URLs that downloaded FlawedAmmyy remote-access trojan (RAT), a well-known backdoor.

Another interesting aspect of the campaign is that It was powered by the Necurs botnet.

“This campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past,” reads the analysis published by Trustwave.

“Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”

malspam

When the victims open the pub file, they are prompted to “Enable Macros,” earlier versions of Microsoft Publisher may display instructions to “Enable Editing” and “Enable Content”

When manually opening the Visual Basic Editor (VBA Editor) in Microsoft Publisher and clicking “ThisDocument” in Project Explorer, the VBScript executes a weaponized archive containing the RAT.

“The macro script is triggered with the function Document_Open(). As the name implies, when the file is opened, the script will access a URL and execute a downloaded file.” continues the analysis.

The malicious code leverages control objects in forms to hide the URL from which It downloads the RAT, the URL is stored in the Tag Property.

malspam

“By the time we examined the sample, the URL was not accessible anymore, but a little further research indicated this URL was used for downloading a self-extracting archive, which contained the FlawedAmmyy RAT,” researchers said.

In July, Proofpoint uncovered another massive malspam campaign delivering the FlawedAmmyy RAT that was leveraging emails with weaponized PDF documents containing malicious SettingContent-ms files.

The campaign was attributed to the financially motivated cybercriminal group TA505.

“this campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past (see here and here).” concludes Trustwave.

“Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”

Technical details, including the IoCs, are reported in the analysis published by the experts.


Malware researcher reverse engineered a threat that went undetected for at least 2 years
20.8.2018 securityaffairs
Virus

The popular malware researchers Marco Ramilli has analyzed a malware that remained under the radar for more than two years.
Today I’d like to share the following reverse engineering path since it ended up to be more complex respect what I thought. The full path took me about hours work and the sample covers many obfuscation steps and implementation languages.
During the analysis time, only really few Antivirus (6 out of 60) were able to “detect” the sample. Actually, none really detected it, but some AVs triggered “generic unwanted software” signature, without being able to really figure it out. As usually, I am not going to show you who was able to detect it compared to the one who wasn’t, since I won’t ending on wrong a declaration such as (for example): “Marco said that X is better than Y”. Anyway, having the hash file I believe it would be enough to search for such information.

AntiVirus Coverage

The Sample (SHA256: e5c67daef2226a9e042837f6fad5b338d730e7d241ae0786d091895b2a1b8681) presents itself as a JAR file. The first thought that you might have as an experienced malware reverse engineer would be: “Ok, another bytecode reversing night, easy.. just put focus and debug on it…”. BUT surprisingly when you decompile the sample you read the following class!

Stage1: JAR invoking JavaScript
A Java Method that invokes (through evals) an embedded “Javascript” file ! This is totally interesting stuff :D. Let’s follow up on stages and see where it goes. The extracted Javascript (stage 2) looks like the following image. The “OOoo00” obfuscation technique has been used. Personally I do not like this obfuscation technique it’s harder to reverse respect to different obfuscation techniques, even the CTR-F takes confused on substrings, but we need to figure out what it does, so let’s try to manually substitute every string and watch-out for matching substrings (in order words %s/OOoo00/varName/g won’t work at all.

Stage 2: evaluated Javacript (obfuscated)
Manually substitution takes “forever” if you do not have a substitution framework which asks you for a string, it replaces such string (and not a substring) and eventually represents the new beautified JavaScript. After many substitutions (I really have no idea how many :D) you land on a quite readable JavaScript as the following one (click on it to make it bigger).

Stage 2: Manually Deobfuscated JavaScript
What is interesting (at least in my personal point of view) is the way the attacker (ab)used the JS-JVM integration. JavaScript takes the Java context by meaning it might use Java functions calling contextual java classes. In this stage the JavaScript is loading an encrypted content from the original JAR, using a KEY decrypts such a content and finally loads it (Dynamic Class Loader) on memory in order to fire it up as a new Java code.
The used encryption algorithm is AES and everything we need to decrypt is in this file, so let’s build up a simple python script to print our decryption parameters. The following image shows the decoding script made to easily reconstruct AES-KEY and surrounded parameters. NB: The written python code is not for production, is not protected and full of imprecisions. I made it up just for decode AES key and such, so don’t judge it, take it as a known weak but working dirty code.

Python Script to Decode AES-KEY

We now have every decoding parameter, we just need to decrypt the classes by using the following data:
ClassName
Resource (a.k.a package in where it will be contextualized)
Byte to be decrypted
Secret Key
Byte Length to be decrypted
A Simple Java Decrypter has been developed following the original Malware code. Once run, the following code was decrypted.

Stage 3 Decrypted JavaClass
Here my favorite point. As you might appreciate from the previous image we are facing a new stage (Stage 3). What is interesting about this new stage is in the way it reflects the old code. It is a defacto replica of Stage 2. We have new classes to be decrypted (red tag on the image), the same algorithm (orange label on the image), a new KEY (this time is not derived by algorithm as was in Stage 2 but simply in clear text, orange tag on the image) and the same reflective technique in which attacker dynamically loads memory decrypted content on Java.loader and uses it to decrypt again a further step, and after that it replies the code again and again. There is an interesting difference although, this stage builds up a new in-memory stage (let’s call Stage 4) by adding static GZIpped contents at the end of encrypted section (light blue tag on image). By using that technique the attacker can reach as many decryption stages as he desires.
At the end of the decryption loop (which took a while, really ) the sample saves (or drops from itself, if you wish) an additional file placed in AppData – Local – Temp named: _ARandomDecimalNumber.class. This .class is actually a JAR file carrying a whole function set. The final stage before ending up runs the following command:
java -jar _ARandomDecimalNumber.class
The execution of such a command drops on local HardDrive (AppData-Local-Temp) three new files named: RetrieveRandomNumber.vbs (2x) and RandomName.reg. The following image represents a simple ‘cat’ command on the just dropped files.

On Final Stage VBS Run Files
It’s quite funny to see the attacker needed a new language script (he already needed Java, as the original entry point, Javascript as payload decrypt and now he is using VBS ! ) to query WMI in order to retrieve installed AntiVirus and Installed Firewall information. Significative the choice to use a .reg file to enumerate tons of security tools that have been widely used by analysts to analyze Malware. The attacker enumerates 571 possible analysis tools that should not be present on the target machine (Victim). Brave, but not neat at all (on my personal point of view). The sample does not evade the system but it forces the System Kill of such a process independently if they are installed or not, just like Brute force Killing process. The sample enters in a big loop where it launches 571 sigKill one for each enumerated (.reg) analysis program. It copies through xcopy.exe the entire Java VM into AppData-Roaming-Oracle and by changing local environment classpath uses it to perform the following actions. It finally drops and executes another payload called “plugins”.
The following image shows plugins and initial new stage JAR stage.

Final Droppe Files (_RandomDec and plugins)
At a first sight experienced Malware reverser engineer would notice that the original sample finally drops a AdWind/JRat Malware having as a main target to steal files and personal information from victims. While the AdWind/JRat is not interesting per-se since widely analysed, this new way to deliver AdWind/JRat, it is definitely fascinating me. The attacker mixed up Obfuscation Techniques, Decryption Techniques, File–less abilities, Multi Language Stages and Evasions* Techniques in order to deliver this AdWind/JRat version. Multiple programming styles have been found during the analysis path. Each Stage belonging with specific programming language is atomic by meaning that could be run separately and each following stage could easily consume its outputs. All these indicators make me believe the original Sample has been built by using Malware builder, which BTW, perfectly fits the AdWind philosophy to run as a service platform.
A final consideration is about timing. Checking the VirusTotal details (remembering that only 6 on 60 AV were able to say the original JAR was malicious or unwanted) you might notice the following timeline.

Detection Time Line (VirusTotal)
VT shows the first time it captured that hash (sha256): it was in 2016. But then the first submission is on 2018-08-14 a few days ago. In such a date (2018-08-14) only 6 out of 60 detected a suspicious (malicious) behavior and triggered on red state. But what about the almost 2 years between December 2016 and August 2018? If we assume the Malware is 2 years old, was it silent until now (until my submission)? Have we had technology two years ago to detect such a threat? Or could it be a targeted attack that took almost 2 years before being deployed?
I currently have no answers to such questions, hope you might find some.
*Actually not really an evasion technique, more likely a toolset mitigation.
Further details on the malware, including the IoCs are reported in the original analysis published by Marco Ramilli


Twitch bug may have exposed some users messages to others
20.8.2018 securityaffairs
Vulnerebility

A glitch in the live streaming platform Twitch may have exposed some of its users’ private messages to other users. The company is notifying affected users.
The live streaming platform Twitch warning users that a glitch may have exposed some of their private messages to other users.

The company sent out the notifications to some broadcasters informing them that a software bug could have changed access permissions to older messages allowing other users to download them and read them.

The flaw affected recently removed a feature dubbed Messages that have exposed some the messages.

“I reached out to Twitch for a comment, and a company spokesperson says that it has fixed the bug. It also explained that most of the exposed messages were promotional announcements that went out to everyone who subscribes to certain channels. But it’s possible that this also affected private communications featuring more sensitive information as well.” reported VentureBeat.

Twitch email
Copy of the email sent by Twitch obtained by Bleeping Computer

“In May, we removed a legacy feature called Messages and provided users the ability to download an archive of past messages. Due to a bug in the code that generated the message archive files, which has since been fixed, a small percentage of user messages were included in the wrong archives.” reads the statement from Twitch’s spokesperson.

“The primary use case for Messages was promotion; streamers sending out mass communication to subscribers for example, and the majority of messages that were unintentionally provided to another user fall into that category. We have notified users via email and provided them the affected messages for review. Protecting our users’ privacy is important to us and we have taken actions to ensure this kind of error does not happen in the future.”

According to Twitch, the bug only affected the Messages feature, and there were no private messages sent via the Twitch Whisper systems included in these archives.

Twitch users can discover if their messages were accidentally exposed by visiting the website twitch.tv/messages/archive.

Searching on Twitter it is possible to find messages of Twitter users that found messages in their archive belonging to other users.

Elspeth Eastman
@elspetheastman
So uh hey did anyone else get that unsettling email about people possibly downloading your archived Twitch Messages by mistake because I sure did.

“A small percentage of messages were included in the wrong archives”

8:42 PM - Aug 16, 2018
60
16 people are talking about this
Twitter Ads info and privacy

kaitlyn, solid
@kaitly_n
at first when i saw my twitch messages were mistakenly sent to other users i was p concerned

so i checked and saw it was just this one.

if anything i should thank @twitch. in fact, everyone can have this message. i'm happy to serve as an example of banning that shit in 2014. 😎

9:22 PM - Aug 16, 2018
38
See kaitlyn, solid's other Tweets
Twitter Ads info and privacy
Anyway, Twitch sent a warning message to all affected users.


Spam and phishing in Q2 2018
18.8.2018 Kaspersky Analysis 
Phishing  Spam

Quarterly highlights
GDPR as a phishing opportunity
In the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.

As required by the regulation, companies notified email recipients that they were switching to a new GDPR-compliant policy and asked them to confirm permission to store and process personal information. This was what criminals took advantage of. To gain access to the personal information of well-known companies’ customers, criminals sent out phishing emails referencing the GDPR and asking recipients to update their account information. To do this, customers had to click on the link provided and enter the requested data, which immediately fell into the hands of the criminals. It must be noted that the attackers were targeting customers of financial organizations and IT service providers.

Phishing emails exploiting GDPR

Malicious IQY attachments
In the second quarter, we uncovered several malspam incidents with never-before-seen IQY (Microsoft Excel Web Query) attachments. Attackers disguise these files as invoices, order forms, document copies, etc., which is a known ploy that is still actively used for malspamming. The From field contains addresses that look like personal emails, and names of attachments are generated in accordance with the following template: the name of the attachment, and then either a date or a random number sequence.

Harmful .iqy files

When the victim opens the IQY file, the computer downloads several trojan-downloaders, which install the Flawed Ammyy RAT backdoor. The infection chain may look like this: Trojan-Downloader.MSExcel.Agent downloads another downloader from the same family, which, in turn, downloads Trojan-Downloader.PowerShell.Agent, then this trojan downloads Trojan-Downloader.Win32.Dapato, which finally installs the actual Backdoor.Win32.RA-based.hf (also known as Flawed Ammyy RAT) used to gain remote access to the victim’s computer, steal files and personal information, and send spam.

It is rather difficult to detect these attachments because these files look like ordinary text documents which transfer web-inquiry data transfer parameters from remote sources to Excel spreadsheets. IQY files can also be a very dangerous tool in the hands of criminals because their structure is no different from the structure of legitimate files, yet they can be used to download any data at all.

It must be noted that malspam with IQY attachments is distributed via the largest botnet called Necurs. As a reminder, this is the botnet responsible for malspam (ransomware, macro-viruses, etc.), as well as pump-and-dump and dating spam. The botnet’s operation is characterized by periods of spiking and idling while infection and filter evasion mechanisms become ever more sophisticated.

Data leaks
The wave of confidential information leaks we discussed in the previous quarter is still on the rise. Here are some of the most notable events of the quarter:

Hacking and theft of personal information of 27M Ticketfly customers;
92M MyHeritage genealogy service users’ personal information was discovered on a public server;
340M individual records were lost by Exactis, a marketing company;
An unprotected Amazon server allowed access to the personal information of 48M Facebook, LinkedIn, Twitter, and Zillow users.
As a result of such leaks, cybercriminals get a hold of users’ names, email addresses, phone numbers, dates of birth, credit card numbers, and personal preferences. This information may later be used to launch targeted phishing attacks, which are the most dangerous type of phishing.

Cryptocurrency
In the second quarter, our antiphishing system prevented 58,000 user attempts to connect to phishing websites masquerading as popular cryptocurrency wallets and markets. In addition to classic phishing, which aims at gaining access to the victim’s accounts and private key information, cybercriminals try every way to entice a victim to willingly send them cryptocurrency. One of the examples of this are cryptocoin giveaways. Cybercriminals continue using the names of new ICO projects to collect money from potential investors that are trying to gain early access to new tokens. Sometimes phishing sites pop up before official project sites.

Ethereum (ETH) is currently the most popular cryptocurrency with phishers. The popularity of Ethereum with cybercriminals increases as more funds are attracted by ICOs on the Ethereum platform. According to our very rough estimate (based on data received from over a thousand ETH wallets used by malefactors), over the Q2 2018, cybercriminals exploiting ICOs managed to make $2,329,317 (end-of-July-2018 exchange rate), traditional phishing not included.

Fake ICO project pages: the first is located on fantom.pub and imitates fantom.foundation, the real site of the FANTOM project; the second one, found on sparkster.be, is an imitation of sparkster.me, the original SPARKSTER site

World Cup 2018
Cybercriminals from all over the world prepared for the World Cup as much as its organizers and soccer fans. The World Cup was used in many traditional scamming methods using social engineering. Cybercriminals created fake championship partner websites to gain access to victims’ bank and other accounts, carried out targeted attacks, and created bogus fifa.com account sign-in pages.

HTTPS
As mentioned in the 2017 report, more and more phishing pages are now found on certified domains. Those may include hacked or specially registered domains that cybercriminals use to store their content. This has to do with the fact that most of the Internet is switching to HTTPS and it has become easy to get a simple certificate. In the middle of the second quarter, this prompted Google to announce future efforts aimed at changing the way Chrome works with certificates. Starting in September 2018, the browser (Chrome 69) will stop marking HTTPS sites as “Secure” in the URL bar. Instead, starting in October 2018, Chrome will start displaying the “Not secure” label when users enter data on unencrypted sites.

When Chrome 70 comes out in October 2018, a red “Not secure” marker will be displayed for all HTTP sites where users enter data.

Google believes that this will make more sites use encryption. After all, users should expect the web to be safe by default and receive warnings only in the event of any issues.

An example of a certified phishing website marked as “Secure”.

At the moment, the green Secure message in the URL bar is rather misleading for a user, especially when they visit a phishing website.

Vacation season
In anticipation of the vacation season, cybercriminals have used all of the possible topics that may interest travelers, from airplane ticket purchases to hotel bookings. For instance, we’ve found many websites that offer very tempting accommodations at absurd prices (e.g., an entire four-bedroom house in Prague with a pool and a fireplace at $1,000 a month). Such websites pose as Amazon, TripAdvisor, and other sites popular among travelers.

An example of a fake hotel booking website

A similar method is used to fake ticket aggregator websites. In these cases, the displayed flight information is real, but the tickets turn out to be fake.

An example of fake airline ticket websites

Distribution channels
In our reports, we regularly point out you that phishing and other spam has gone way beyond email a long time ago. Attackers use every means of communication at their disposal and even recruit unsuspecting users themselves for malware distribution. In this quarter, most large-scale attacks were found in messengers and on social networks.

WhatsApp
Cybercriminals have been using WhatsApp more frequently to distribute their content lately. WhatsApp users copy and resend spam messages themselves, just like they used to do with luck chain letters many years ago. Most of these messages contain information about fictional lotteries or giveaways (we have already discussed these types of scams many times). Last quarter, cybercriminals brought back the airplane ticket giveaways. This quarter in Russia, for instance, they used names of popular retailers such as Pyaterochka and Leroy Merlin, and also McDonald’s. Some fake messages come from popular sportswear brands, as well as certain stores and coffee shops.

Users share messages about ticket raffles with their contacts via a messenger since it’s one of the conditions for winning

Once a user has sent the message to some friends, he or she is redirected to another resource, the content of which changes depending on the victim’s location and device. If the user visits the site from their smartphone, most often they are automatically subscribed to paid services. The user may also be redirected to a page containing a survey or a lottery or to some other malicious website. For instance, a user may be invited to install a browser extension which will later intercept the data they enter on other websites and use their name to do other things online, such as publish posts on social media.

An example of a page which a user is redirected to after a survey, at the end of which they were promised a coupon to be used in a popular retail chain. As you can see, no coupon has been received, but the user is invited to install a browser extension with suspicious permissions.

Twitter and Instagram
Cybercriminals have been using Twitter to distribute fraudulent content for a long time. However, it has recently become a breeding ground for fake celebrity and company accounts.

Fake account for Pavel Durov

The most popular cover used by cybercriminals is cryptocurrency giveaways on behalf of celebrities. The user is asked to transfer a small amount of cryptocurrency to a certain wallet to get double or triple coins back. To enhance trust, the wallet may be located on a separate website, which also contains a list of fake transactions that the victim can see “updating” in real time, which confirms that any person who transfers money to the fake wallet gets back several times the amount transferred. Of course, the victim does not receive anything. Despite the simplicity of this scheme, it makes cybercriminals millions of dollars. This quarter, cybercriminals favoured the names of Elon Musk, Pavel Durov, and Vitalik Buterin in their schemes. These names were chosen for a reason — Elon Musk is an entrepreneur, inventor, and investor, while Durov and Buterin made it to the cryptocurrency market leader list published by Fortune.

An example of a website advertised on Elon Musk’s fake account

News sensations make these schemes even more effective. For instance, the shutdown of the Telegram messenger generated a wave of fake messages from “Pavel Durov” promising compensation. In this case cybercriminals use similarly-spelled account names. For example, if the original account name contains an underscore, cybercriminals register a new user with two underscores in the name and publish messages about cryptocurrency giveaways in comments to the celebrities’ authentic Twitter posts. As a result, even a detail-oriented person may have a hard time spotting the fake.

Twitter administration promised to stop this type of fraud a long time ago. One of their first steps involved blocking accounts that tried to change the user’s name to Elon Musk, and most probably other names commonly used by cybercriminals as well. However, it is easy to keep the account from being blocked by entering a Captcha and a code sent via text, after which the user can keep Elon’s name or change it to anything they want— the account will not be blocked again. It is also unclear whether Twitter will block the obfuscated names of famous people that are often exploited by cybercriminals.

Another measure taken by the social network is blocking accounts that post links to Elon Musk’s account. Just like in the previous example, the account can be unblocked by entering a Captcha and confirming a phone number via a code received in a text message.

This scam has started spreading to other platforms as well. Fake accounts can also be found on Instagram.

Vitalik Buterin’s fake Instagram account

Facebook
On Facebook, in addition to the aforementioned content distribution through viral threads, cybercriminals often use the advertising mechanisms offered by the social network. We have recorded instances of get-rich-quick schemes being spread through Facebook ads.

Fraudulent website ad on Facebook

After clicking on the ad, the user is redirected to a website where, after completing a few steps, they are offered a reward. To receive this reward, the user must either pay a fee, enter their credit card information, or share some personal details. Of course, the user does not receive any reward in the end.

Search results
Ads with malicious content and links to phishing sites can be found not only on social networks, but also in the search results pages of major search engines. This has recently become a popular method of advertising fake ICO project websites.

Users do not always notice the “Ad” label next to the ads

Spammer tricks
Last quarter, spammers tried to use the following new tricks to evade filters.

Double email headers
When generating spam emails, spammers use two From fields in the email header. The first From field contained a legitimate address, usually one from a well-known organization (whose reputation is untarnished by spam scandals) while the second contained the actual spammer email address, which has nothing to do with the first one. Spammers were expecting the email to be treated as legitimate by filters, forgetting that modern anti-spam solutions rely not only on the technical part of the email, but also on its content.

Subscription forms
In these events, spam messages in the form of an automatic mailing list subscription confirmations arrive in recipient inboxes. Regular websites capable of unlimited user registration were employed to create them (especially when they allowed using the same email address multiple times). Spammers used a script that auto-filled subscription forms inserting recipient addresses from previously collected (or purchased) databases. Spam content was a short phrase with a link to a spam resource inserted into one of the mandatory fields in the form (in particular, the recipient name). As a result, the user received a notification sent from a legitimate mail address containing a spam link instead of their name.

An example of spam mail sent using the subscription service on a legal site

Statistics: spam
Proportion of spam in email traffic

Proportion of spam in global email traffic, Q1 and Q2 2018 (download)

In the Q2 2018, the largest percentage of spam was recorded in May at 50.65%. The average percentage of spam in world mail traffic is 49.66%, which was 2.16 p.p. lower than the previous reporting period.

Sources of spam by country

Spam -originating countries, Q2 2018 (download)

The leading spam-originating country in Q2 2018 was Vietnam (3.98%), which fell to seventh place in the second quarter, replaced by China (14.36%). The second and third places, the USA in Germany, are only one percentage point apart, with 12.11% and 11.12% shares, respectively. France occupied the fourth place (4.42%), and the fifth was occupied by Russia (4.34%). Great Britain occupied the tenth place (2.43%).

Spam email size

Spam email size, Q1 and Q2 2018 (download)

The results of the Q2 2018 indicate that the share of very small spam messages (up to 2 KB) fell 2.45 p.p. to 79.17%. The percentage of 5-10 KB spam messages, on the other hand, grew somewhat (by 1.45 p.p.) in comparison with the previous quarter and amounted to 5.56%.

The percentage of 10-20 KB spam messages was practically unchanged — it went down by 0.93 p.p. to 3.68%. 20-50 KB spam messages saw a similar trend, their share decreasing by 0.4 p.p. (to 2.68%) in comparison with the previous reporting period.

Malicious attachments: malware families

Top 10 malware families, Q2 2018 (download)

According to the results of the Q2 2018, the most widely-distributed family of malware by-mail was Exploit.Win32.CVE-2017-11882 (with 10.35%)/ This is the verdict attributed to various malware that exploited the CVE-2017-11882 vulnerability in Microsoft Word. The amount of mail with the Trojan-PSW.Win32.Fareit malware family in it, which steals user information and passwords, decreased during the second quarter, losing the first place and now occupying the second place (with 5.90%). The third and fourth places are occupied by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%). The Worm.Win32.WBVB family was the fifth most popular malware with cybercriminals.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggers by country, Q2 2018 (download)

The first, second, and third places among the countries with the highest quantity of Mail Anti-Virus triggers in Q2 2018 were unchanged. Germany remained in the first place (9.54%), and the second and third places were taken by Russia and Great Britain (8.78% and 8.67%, respectively). The fourth and fifth places were taken by Brazil (7.07%) and Italy (5.39%).

Statistics: phishing
In the Q2 2018, the Antiphishing prevented 107,785,069 attempts to connect users to malicious websites. 9.6% of all Kaspersky Lab users around the world were subject to attack.

Geography of attacks
The country with the highest percentage of users attacked by phishing in Q2 2018 was again Brazil, with 15.51% (-3.56 p.p.).

Geography of phishing attacks, Q2 2018 (download)

Country %*
Brazil 15.51
China 14.77
Georgia 14.44
Kyrgyzstan 13.60
Russia 13.27
Venezuela 13.26
Macao 12.84
Portugal 12.59
Belarus 12.29
South Korea 11.66
* Percentage of users whose Antiphishing system triggered against all Kaspersky Lab users in the respective country.

Organizations under attack
The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.[/caption]

In Q2 2018, the Global Internet Portals category again took first place with 25.00% (+1.3 p.p.).

Distribution of organizations affected by phishing attacks by category, Q2 2018. (download)

The percentage of attacks on organizations that may be combined into a general Finance category (banks, at 21.10%, online stores, at 8.17%, and payment systems, at 6.43%) fell to 35.70% (-8.22 p.p.). IT companies in the second quarter were more often subject to threats then in the first quarter. This category saw an increase of 12.28 p.p. to 13.83%.

Conclusion
Average spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.

In this quarter, malefactors actively used GDPR, World Cup, and cryptocurrency themes, and links to malicious websites could be found on social networks and messengers (users were often distributing them themselves), as well as in marketing messages served by large search engines.

Exploit.Win32.CVE-2017-11882 was the most widely-distributed family of malware via mail, at 10.35%. Trojan-PSW.Win32.Fareit fell from the first place to the second place (5.90%), and the third and fourth places were taken by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%).


Industry Reactions to Foreshadow Flaws: Feedback Friday
17.8.2018 securityweek Attack

Researchers and several major tech companies this week disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.

The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

Industry professionals comment on Foreshadow/L1TF

A piece of malware installed on a system can exploit the flaws to gain access to potentially sensitive data stored in supposedly protected memory.

Industry professionals have commented on various aspects of Foreshadow/L1TF, including its impact on various types of systems, difficulty of exploitation, and performance issues introduced by mitigations.

And the feedback begins…

Tod Beardsley, research director, Rapid7:

“The L1TF / Foreshadow vulnerability announced today should be of particular interest to enterprises which run virtual computers in a shared hosting environments. Customers of this kind of cloud computing service should keep an eye out for communications from their hosting providers, which will tell them if they need to do anything special with their guest operating systems. In many cases, hosting providers already provide a reasonable mitigation by ensuring that virtual machines run by different customers are isolated from each other, and don't intermingle different processes on the same CPU core.

So, while it's likely that virtual machine users need to update their own guest operating systems, they should be rolling out security patches routinely anyway. If you're a VM customer and haven't yet heard anything from your provider, a call to their tech support is in order to make sure they're aware of the issue, since the host operating systems need to be updated as well.

All that said, home users generally do not need to worry too much about these issues; all of these speculative execution bugs are pretty exotic, and unlikely to be used against individual end users anytime soon. Cryptojacking and ransom-based malware are still pretty effective mechanisms that criminals employ to extract money out of victims, so they don't need to go to the trouble of setting up and executing a complicated attack using Foreshadow.”

Ken Spinner, VP of Field Engineering, Varonis:

“Cloud providers of virtual servers are more susceptible than on-premises networks in this instance because that's the most likely place you'd have one physical server housing dozens of virtual machines run by different companies. If the vulnerability could be successfully exploited, attackers could hit the jackpot. However, a data centre could hold literally hundreds of thousands of servers and potentially millions of VMs. Hackers would be conducting an unfocused attack, rather than focusing on exploiting a target organisation. It would be a shot in the dark.

These vulnerabilities are the latest in a long line of exploits. While the approaches change, the goal often stays the same – to grab your company’s data. To complicate matters, most companies are dealing with hybrid data stores with some of their data on-premises and some in the cloud, which creates challenges and potential risk from a security and data governance standpoint. Never assume your data is safe in the cloud. If your cloud environment isn’t secure, your data won’t just be in danger of being exposed to your entire organisation – it could be accessible to hackers or even the world.”

Roi Panai, Senior Engineering Manager for Research at Mimecast and Director of Research at Solebit:

“The rising number of hardware vulnerabilities should concern us, the defenders, since these kind of exploits are much more difficult to patch and thus very difficult to be protected.

Following other Intel CPU vulnerabilities such as "Melt-Down", Foreshadow proves that protecting an essential data (i.e. kernel space) with strong confidentiality and integrity security methods is not enough.

The attack exploits instructions execution cache methods designed for processing optimization in order to extract information from privileged locations using different methods (i.e. covert-channel). Together with "Foreshadow-NG" variations, these kind of attacks proved to be very effective against "isolated" sections by exposing cached physical memory data which is widely used by virtual entities for example, giving the attacker full information about running virtual machines which was considered to be unreachable before.

Some strong and important modules, such as optimization processes, may compromise other security methods leaving some holes for attackers to be exploited, thus proving that the trade-off between security and advanced processing might be dangerous.”

Heather Paunet, Vice President of Product Management, Untangle:

“Foreshadow allows hackers to read the enclave memory without penetrating the enclave from the outside. This essentially allows hackers to make a shadow copy of the data and place it in a different unprotected location, causing speculative execution to revert all data to the new unprotected location. While this new vulnerability can be critically damaging to a device, the researchers and Intel have worked together to release patches to fix the underlying issues.

While Foreshadow is threatening, exploiting those vulnerabilities in practice is very difficult. However, there are certain scenarios that may warrant immediate action and concern. Data centers and cloud providers with highly virtualized environments are particularly at risk. Administrators must be vigilant to ensure that all environments take advantage of the latest available patches on an ongoing basis. Intel is working with some of its partners to address this scenario which could impact performance and resource utilization.

One key takeaway from the Foreshadow announcement is that Intel is working with both the research community as well as the security community at large, expanding its bug bounty program. Industry partnerships with researchers and wider security community are critical. Closed-source companies are sometimes reluctant to embrace these partnerships when compared to open-source companies, so it's a positive step overall to see more collaboration. Cybersecurity changes in real time, so vendors, researchers and the community must continue to work together to stay one step ahead of potential exploit vectors to head off future attacks.”

Abhishek Iyer, Technical Marketing Manager, Demisto:

“There are a few menacing projections that we can draw from the Foreshadow vulnerability, and these projections are not new. Firstly, a base exploitation technique like L1TF can lead to many derivative attack methods, each affecting a separate user base in different ways. The variants of L1TF that have been discovered so far affect isolated systems, virtualized systems, and cloud-hosted systems on multi-tenant environments. While the microcode updates and OS patches supplied so far can stop these attacks, the likelihood of other attack derivatives that bypass these safeguards is real and present.

The other interesting pattern to note is how attackers piggyback on computing advancements and exploit the fact that there’s often a lag between performance improvements and corresponding security improvements. The Intel SGX brought an innovation to market – the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks – but the Foreshadow (L1TF) attack explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting in the sidelines.”

Jeff Ready, CEO, Scale Computing:

“The design flaw in Intel chips has left Windows and Linux systems vulnerable. Any device or services connected to the chips is essentially left at risk – especially after the latest flaw that was revealed – Foreshadow. The main focus is working in real time to identify the issues and look at what needs to be patched. Performance impacts will be seen across the industry. Systems that utilize software defined storage via a mid-layer filesystem will likely experience the most impact. Many software-defined storage solutions, which use a mid-layer filesystem will likely have a much larger performance impact as a result of these fixes. After the patches and fixes roll out, we will be able to see the true extent of the impact.”

Setu Kulkarni, VP of corporate strategy, WhiteHat Security:

“Unlike application security vulnerabilities where the remediation/mitigation is increasingly ‘centralized’ with cloud-based, multi-tenant systems, the same cannot be said about chip vulnerabilities. It’s getting to be a zero-sum game, as infosecurity teams are dealing with an increasing variety of security issues... the more they protect, the more there is to protect. There is a revolution waiting to happen in the way security teams will respond to the increasing variety and volume of security challenges – and it’s going to be based in automation, data science and shifting from ‘what we need to protect’ to ‘who we need to protect.’

The universal backward compatibility for the internet may also be subject to future change. Just as old versions of TLS and SSL can never be secure again, Foreshadow’s use of speculative execution has the potential capacity to break down the barriers between virtual machines – which may also impact cloud service providers and eHosting. The demand for speed of web page loading may yet prove our undoing, and the web may see an adjustment of expectations in the name of security rather than expedience.”

Bill Conner, CEO, SonicWall:

“Once again, relentless researchers are demonstrating that cyber criminals can use the very architecture of processor chips to gain access to sensitive and often highly valued information. Like its predecessors Meltdown and Spectre, Foreshadow is attacking processor, memory and cache functions to extract sought after information. Once gained, side-channels can then be used to ‘pick locks’ within highly secured personal computers or even third-party clouds undetected.

This class of attack is something that will not dissipate. Instead, attackers will only seek to benefit from the plethora of malware strains available to them and which they can formulate like malware cocktails to divert outdated technologies, security standards and tactics.”


'Hacky Hack Hack': Australia Teen Breaches Apple's Secure Network
17.8.2018 securityweek Apple

A schoolboy who "dreamed" of working for Apple hacked the firm's computer systems, Australian media has reported, although the tech giant said Friday no customer data was compromised.

The Children's Court of Victoria was told the teenager broke into Apple's mainframe -- a large, powerful data processing system -- from his home in the suburbs of Melbourne and downloaded 90GB of secure files, The Age reported late Thursday.

The boy, then aged 16, accessed the system multiple times over a year as he was a fan of Apple and had "dreamed of" working for the US firm, the newspaper said, citing his lawyer.

Apple said in a statement Friday that its teams "discovered the unauthorised access, contained it, and reported the incident to law enforcement".

The firm, which earlier this month became the first private-sector company to surpass US$1 trillion in market value, said it wanted "to assure our customers that at no point during this incident was their personal data compromised".

An international investigation was launched after the discovery involving the FBI and the Australian Federal Police, The Age reported.

The federal police said it could not comment on the case as it is still before the court.

The Age said police raided the boy's home last year and found hacking files and instructions saved in a folder called "hacky hack hack".

"Two Apple laptops were seized and the serial numbers matched the serial numbers of the devices which accessed the internal systems," a prosecutor was reported as saying.

A mobile phone and hard drive were also seized whose IP address matched those detected in the breaches, he added.

The teen has pleaded guilty and the case is due to return to court for his sentencing next month.


China's 'Belt and Road Initiative' Drives Cyber Spying
17.8.2018 securityweek BigBrothers

Cybersecurity firms have observed increasing cyber espionage activity related to China’s Belt and Road Initiative, and researchers expect to see more of these operations in the upcoming period.

China’s Belt and Road Initiative (BRI) is a trillion-dollar development project focused on building infrastructure connecting roughly 70 countries across Asia, Europe and Africa.

Intelligence-focused cybersecurity firms Recorded Future and FireEye this week warned of attacks apparently coming from China and related to the BRI.

FireEye believes that the project will be a “driver of regional cyber threat activity”. Based on historic activity, the company expects threat actors to target organizations in the government, academic, energy, transportation, construction, manufacturing, mining and financial sectors.

FireEye says it has already seen evidence of an increase in cyber espionage operations related to the BRI.

“Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a driver of emerging nation-state cyber actors to use their capabilities,” FireEye said in a report provided to customers and shared with SecurityWeek.

One of the campaigns spotted by FireEye that may be related to the BRI was conducted by a China-linked threat group dubbed Roaming Tiger, which has been known to target high profile organizations in Russia and former Soviet Union countries. Some recent Roaming Tiger attacks aimed at Belarus attempted to deliver malware using specially crafted documents that referenced the Chinese infrastructure project. Belarus is one of the countries targeted by the Belt and Road Initiative.

Other China-linked campaigns observed by FireEye that appear related to the BRI involved the TOYSNAKE backdoor targeting multiple European foreign ministries; the BANECHANT malware targeting Maldives, which has been a focal point of development and financial investments related to BRI; the LITRECOLA malware targeting Cambodia, which is a vital node in the Belt and Road network; the SAFERSING malware targeting international NGOs; and the TEMP.Periscope group targeting the maritime industry.

“We expect BRI will also highlight the capabilities of emerging cyber actors across Asia and the Middle East and under what norms such nation-states sponsors will employ their capabilities,” FireEye said in its report. “Prior FireEye iSIGHT Intelligence reporting has noted that rising regional cyber actors, such as Vietnam, have been willing to employ their espionage capabilities against foreign corporations conducting business inside their borders. Similarly, there may be a willingness for other nation-state actors to aggressively target private sector organizations contributing to BRI.”

A report published on Thursday by Recorded Future details several attack campaigns apparently originating from the Tsinghua University, an elite Chinese academic institution.

The attacks have been aimed at the Tibetan community and various government and private sector organizations around the world.

Researchers noted that some of the countries targeted in attacks originating from this university, specifically Mongolia, Kenya, and Brazil, “are key investment destinations as part of China’s Belt and Road Initiative.”

“We assess with medium confidence that the consistent reconnaissance activity observed from the Tsinghua IP probing networks in Kenya, Brazil, and Mongolia aligns closely with the BRI economic development goals, demonstrating that the threat actor using this IP is engaged in cyberespionage on behalf of the Chinese state,” Recorded Future said in its report.


Facebook Announces 2018 Internet Defense Prize Winners
17.8.2018 securityweek
Social

Facebook this week announced the winners of its 2018 Internet Defense Prize. Three teams earned a total of $200,000 this year for innovative defensive security and privacy research.

In the past years, Facebook awarded only one team a prize of $100,000 as part of the initiative. In 2016, the winning team presented research focusing on post-quantum security for TLS, and last year’s winners demonstrated a novel technique of detecting credential spear-phishing attacks in enterprise environments.

Winners of Facebook Internet Defense Prize

Facebook says this year’s submissions were of very high quality so the social media giant has decided to reward three teams instead of just one.Winners of Facebook Internet Defense Prize

The first prize, $100,000 as in the previous years, was won by a team from imec-DistriNet at Belgian university KU Leuven. Their paper, titled “Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies,” describes methods that browsers can employ to prevent cross-site attacks and third-party tracking via cookies.

It’s worth mentioning that a different team of researchers from KU Leuven has been credited for discovering the recently disclosed Foreshadow speculative execution vulnerabilities affecting Intel processors.

Second place, a team from Brigham Young University, earned $60,000 for a paper titled “The Secure Socket API: TLS as an Operating System Service.” The research focuses on a prototype implementation that makes it easier for app developers to use cryptography.

“We believe safe-by-default libraries and frameworks are an important foundation for more secure software,” Facebook said.

Third place, a group from the Chinese University of Hong Kong and Sangfor Technologies, earned $40,000 for “Vetting Single Sign-On SDK Implementations via Symbolic Reasoning.”

“This work takes a critical look at the implementation of single sign-on code. Single sign-on provides a partial solution to the internet’s over-reliance on passwords. This code is widely used, and ensuring its safety has direct implications for user safety online,” Facebook explained.

Last week, Facebook announced that it had awarded a total of more than $800,000 as part of its Secure the Internet Grants, which the company unveiled in January. Facebook has prepared a total of $1 million for original defensive research, offering grants of up to $100,000 per proposal.


U.S. and Chile Agree to Cooperate on Cyber Security
17.8.2018 securityweek BigBrothers

SANTIAGO, Chile (AP) — U.S. Defense Secretary Jim Mattis and his Chilean counterpart have signed an agreement pledging closer cooperation in combating cyber threats.

Mattis and Defense Minister Alberto Espina held a signing ceremony Thursday after meeting to discuss a range of security issues, including military exercises and cooperation in science and technology. Cyber defense is a topic of growing interest throughout the Western Hemisphere. Banco de Chile, one of the country's biggest commercial banks, has said a hacking operation robbed it of $10 million in June.

Santiago was the fourth stop for Mattis on a tour of South America that began in Brasilia on Sunday. He also visited Rio de Janeiro and Buenos Aires and is scheduled to hold talks in Bogota, Colombia, on Friday.


An Australian schoolboy hacked into Apple Servers and stole 90GB of secure files
17.8.2018 securityaffairs Apple

According to Australian media, a teen hacker broke into Apple mainframe and downloaded 90GB of secure files. He dreams to work for the Tech Giant.
I believe it is time for Apple to hire an Australian 16-year old schoolboy who hacked its computer systems. Yes, it is not a joke, according to Australian media the teen hacker broke into Apple mainframe and downloaded 90GB of secure files.

It is embarrassing, the young hacker targeted Apple system from his home in Melbourne.

Downloaded data included extremely secure authorized keys used to grant login access to users, as well as access multiple user accounts, Apple declared that no customer data was exposed.

When the authorities identified the young hacker, he explained that he attempted to hack Apple because he is a fan of the company and “dreamed of” working for it.

According to the Children’s Court of Victoria, the schoolboy hacked the company’s servers numerous times in more than a year, only when Apple finally discovered the intrusion, the company contacted the FBI.

Feds with the help of the Australian Federal Police (AFP) blocking the hacker and identified him.

The Apple security team “discovered the unauthorised access, contained it, and reported the incident to law enforcement”.

[We wanted] “to assure our customers that at no point during this incident was their personal data compromised” added Apple.

Apple hacked

The police raided the home of the schoolboy last year and found evidence of the hack, the agents found hacking files and instructions saved in a folder called “hacky hack hack”. The police also seized a mobile phone and hard drive.

“Two Apple laptops were seized, and the serial numbers matched the serial numbers of the devices which accessed the internal systems,” a prosecutor was quoted as saying by Australian media The Age. “A mobile phone and hard drive were also seized, and the IP address matched the intrusions into the organization.”

The tech giant requested authorities of not disclosing details regarding the way the hacker breached its systems.

The teen has pleaded guilty to a Children’s Court, the judge has postponed his sentencing till next month (20 September).


Linux Kernel Project rolled out security updates to fix two DoS vulnerabilities
17.8.2018 securityaffairs
Vulnerebility

Linux kernel maintainers have rolled out security updates for two DoS vulnerabilities tracked as SegmentSmack and FragmentSmack.
Linux kernel maintainers have released security patches that address two vulnerabilities, tracked as two bugs are known as SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391). potentially exploitable to trigger a DoS condition.

The vulnerabilities reside the Linux kernel’s TCP stack, an attacker can exploit them by sending malformed TCP or IP packets to cause the cause a significant resource usage in Linux-based systems.

The saturation of resources on the vulnerable system could lead to their reboot.
An attacker can exploit SegmentSmack issue via a specially crafted stream of TCP segments, while the second vulnerability, FragmentSmack, could be triggered by sending a specially crafted stream of IP datagrams.

The bug for the SegmentSmack resides in the tcp_collapse_ofo_queue() function, while the second issue affects the tcp_prune_ofo_queue() function.

“Juha-Matti Tilli reported that malicious peers could inject tiny packets in out_of_order_queue, forcing very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet.” reads the security advisory.

“With tcp_rmem[2] default of 6MB, the ooo queue could contain ~7000 nodes. “

“Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.” states the description provided by the Mitre.

Devices running Linux kernel 4.9 and later are vulnerable to SegmentSmack, while Linux devices running Linux kernel 3.9 and later are vulnerable to FragmentSmack.

Most popular Linux distros, including Debian, Red Hat, and Ubuntu have already rolled out the security updates.

“The Linux kernel project has released an updated version that includes fixes for both [1, 2]. Companies and open source projects that use the Linux kernel for their custom operating systems will have to update the Linux kernel they use to include these two updates.” reported Bleeping Computer.

“Vendors of Linux-based SOHO routers will probably be slower in incorporating these updates. ISP-grade routers, firewall providers, cloud services, and hosting firms will also have to ship or deploy updates.”


Black Hat 2018 – Expert demonstrated a new PHP code execution attack
17.8.2018 securityaffairs Congress

The security researcher Sam Thomas from Secarma, has discovered a new attack technique that leverages critical deserialization vulnerabilities in PHP programming language.
The flaws potentially expose web applications written in the popular language to cyber attacks, including websites running CMSs like WordPress and Typo3.

The expert discovered that an attacker can use low-risk functions against Phar archives to trigger deserialization attack without requiring the use of unserialize() function. Phar archives are similar to Java JAR archives but are specific for PHP applications. A Phar application or library could be distributed in a single file.

Phar files include metadata in a serialized format. The data is unserialized for every file operation function (fopen, file_exists, file_get_contents, etc.) on the archive file.

“Typically, these archives are used to hold self-extracting or self-contained applications, in the same
way that a Jar archive can be executed a Phar archive contains an executable stub containing PHP
code. To get to the crux of the issue at hand, Phar archives can also contain meta-data, and:
“Meta-data can be any PHP variable that can be serialized.” wrote Thomas.

This meta-data is unserialized when a Phar archive is first accessed by any(!) file operation. This
opens the door to unserialization attacks whenever a file operation occurs on a path whose
beginning is controlled by an attacker. This is true for both direct file operations (such as
“file_exists”) and indirect operations such as those that occur during external entity processing
within XML (i.e. when an XXE vulnerability is being exploited).”

Thomas demonstrated at the Black Hat hacking conference how to trigger the flaws to hack WordPress sites using an author account and take full control over the underlying web server.

An attacker could trigger the flaws by uploading a specially crafted Phar archive containing a malicious payload onto the target’s local file system and then access it using the “phar://” stream wrapper.
Thomas explained that it is possible to carry out the attack by converting a Phar archive in a JPEG image, an operation that is possible by modifying its first 100 bytes.

“The way certain thumbnail functionality within the application works enables an attacker with the
privileges to upload and modify media items to gain sufficient control of the parameter used in a
“file_exists” call to cause unserialization to occur.” explained the researcher.

“The core vulnerability is within the wp_get_attachment_thumb_file function in /wpincludes/post.php:”

PHP hacking

Once uploaded the malicious thumbnail on the targeted server running the WordPress website the attacker can use another function to call the image file as a Phar archive using the “phar://” stream wrapper.

“It is possible to reach this function through an XMLRPC call to the “wp.getMediaItem” method, with
an arbitrary value for $imagedata[‘thumb’] and a partially controlled value for $file.
$file is returned by get_attached_file also from /wp-includes/post.php” continues the analysis.

A remote authenticated attacker that is in position to create/edit posts can upload a malicious image and execute arbitrary PHP code the target system.
Thomas reported his findings to the WordPress security team on 28th February 2017l. WordPress released a security update that did not solve the problem completely.

The researcher also reported the flaw to Typo3 on 9th June 2018, and the issue was fixed with the release of the versions 7.6.30, 8.7.17 and 9.3.


CVE-2018-14023 – Recovering expired messages from Signal
17.8.2018 securityaffairs
Vulnerebility

An Italian cybersecurity passionate discovered that it was possible to recover the expired messages from Signal version 1.14.3,
Advisory ID:
n0sign4l-002
Risk level:
4 / 5
Title:
Signal Desktop – Recover Expired Messages
Credit:
Leonardo Porpora – ‘n0sign4l’
Product:
Signal
CVE:
CVE-2018-14023
Version:
1.14.3 and prior
Public Disclosure: 17/08/2018
Vendor:
Open Whisper System
Details
Signal version 1.14.3 was vulnerable to the recovery of expired messages.
When I reported the vulnerability to the Signal Security Team, its experts fixed it in a very short time, but the fix was partial; in fact version 1.14.4, even though fixed one vulnerability, was still vulnerable to a different attack. I reported the new issue to the security team and version 1.15.0-beta.10 finally addressed the problem.

Everything started from a message that was not cleared from the preview of Signal-Desktop

Signal bug

so I said this message must be stored somewhere…, I tried to dump the memory and BOOM 🙂 the message was still there. Messages were stored in the log [I think to double check that they are actually deleted] but they did not clear them with a garbage collector or whatever so I was able to recover them].
Signal bug 2
The version 1.14.4 fixed this issue but I wanted to try if it was possible to recover messages again from the logs and they were still there. The issue was related to IndexedDB not deleting messages predictably.

Below a video PoC of the vulnerability:

Solution
Update Signal to version 1.15.0-beta.10
Final thoughts:
I am very happy to have contributed to the security of Signal, an application that I use every day to talk with my friends, professors…

My contribution was also possible because this is an open-source project and other than just reporting the security hole I had the opportunity to analyze the source code and highlight the flaw.

This is a small example of how effective is the open-source model and I hope everyone can understand the benefits of the community contribution in data protection field so that everybody can provide contributions.

Sorry I can not hear you, there’s interference

n0sign4l 🙂
About the author Leonardo Porpora
I am 17 years old and since I started dealing with informatics and cybersecurity I have been inspired by E. Snowden character, bravery, and value, even when he faced hard consequences for his actions. To me, he is a really special person and I consider him like a brother.
Defending human rights – and privacy in particularly – is a must in a democratic society and for this reason, in my opinion, everybody should use Signal messaging application for their communications.
Original post @ http://n0sign4l.blogspot.com/2018/08/advisory-id-n0sign4l-002-risk-level-4-5.html


ESET Launches New Enterprise Security Tools
17.8.2018 securityweek Security

ESET on Thursday announced the general availability of a new line of enterprise security solutions that include endpoint detection and response (EDR), forensic investigation, threat monitoring, sandbox, and management tools.

The new EDR tool is ESET Enterprise Inspector, which provides real-time data from the cybersecurity firm’s endpoint security platform. The product is fully customizable and ESET claims it offers “vastly more visibility for complete prevention, detection and response against all types of cyber threats.”

The new enterprise solutions also include ESET Threat Hunting, an on-demand forensic investigation tool that provides details on alarms and events, and ESET Threat Monitoring, which constantly monitors all Enterprise Inspector data for threats.

Enterprise Inspector is also complemented by ESET Dynamic Threat Defense, a cloud sandbox designed for a quick analysis of potential threats.

ESET also announced the availability of Security Management Center, a successor of Remote Administrator that provides network visibility, security management and reporting capabilities from a central console.

“We understand that global enterprises require cybersecurity solutions tailored specifically for their business as we have cooperated with a number of them to create our all-new suite of security solutions,” said Juraj Malcho, Chief Technology Officer at ESET. “We believe that any enterprise should be able to manage and customize their security solutions with ease, and we are proud that our new lineup reduces complexity and integrates seamlessly into their network.”

The new solutions were first demoed at the RSA Conference in May and they are now available to organizations in the United States, Canada, Czech Republic, Slovakia and the Netherlands.


Cosmos Bank – Hackers stole Rs 94 crore ($13.5 million) in just in 2 days
17.8.2018 securityaffairs Incindent

Cosmos Bank, one of the largest Indian cooperative banks, confirmed it was the victim of a cyberheist, over the weekend hackers stole over 940 million rupees ($13.5 million) in three days.
Hackers stole over 940 million rupees ($13.5 million) in three days from the Indian cooperative Cosmos bank. The Cosmos bank publicly disclosed the attacks in a press conference on Tuesday, according to the financial institution, the hackers stole the funds in three attacks using a malware.

“Hackers managed to siphon off over Rs 94 crore through a malware attack on the server of Pune-based Cosmos Bank and cloning thousands of the bank’s debit cards over a period of two days, a top official said.” reports the economictimes.indiatimes.com.

According to Cosmos Bank chairman Milind Kale, the attack was launched from Canada, but likely the country was used as a relay for the attack.

The first two security breaches occurred on August 11 when hackers withdrew 805 million rupees ($11.4 million) through 14,849 ATM transactions across 28 countries.

“The fraudulent transactions were carried out on August 11 and August 13 and the malware attack by the hackers originated in Canada, Cosmos Bank chairman Milind Kale told reporters here today.”

“In two days, hackers withdrew a total Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore were taken out within India,” he said.

“On August 13, hackers again transferred Rs 13.92 crore in a Hong Kong-based bank by using fraudulent transactions.”

In the first wave of attacks, crooks stole 780 million rupees ($11 million) through 12,000 ATM withdrawals via the VISA card system. Most of the fraudulent transactions were made overseas.

The second wave of attacks was launched two hours later, cybercriminals withdrew an additional 25 million rupees ($400,000) via 2,849 ATM transactions via the Rupay debit card system at ATM locations across India.

The good news is that the Cosmos Bank detected the fraudulent transactions and halted them, but its staff was not able to lock out the attackers.

On Monday, August 13, the hackers launched a third wave of attacks targeting the SWIFT system. Crooks made three fraudulent transactions to a bank account in Hong Kong for a total of Rs 13.92 crore rupees ($1,8 million).

The good news is that money wasn’t stolen from customer accounts, the bank reported the incident to the authorities and it is currently investigating the attacks with the support of a forensic agency.

“On Saturday afternoon, the bank came to know about malware attack on its debit card payment system and it was observed that unusual repeated transactions were taking place through Visa and Rupay cards used at various ATMs for nearly two hours,” Kale added.

Crooks used a “parallel” or proxy switch system while cloning the cards, all the fraudulent payment approvals were passed by this proxy mechanism.

Anyway, Kale confirmed that the core banking system was not affected by the malware attack.


KeyPass ransomware
17.8.2018 Kaspersky 
Ransomware

In the last few days, our anti-ransomware module has been detecting a new variant of malware – KeyPass ransomware. Others in the security community have also noticed that this ransomware began to actively spread in August:

Notification from MalwareHunterTeam

Distribution model
According to our information, the malware is propagated by means of fake installers that download the ransomware module.

Description
The Trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.

PE header with compilation date

When started on the victim’s computer, the Trojan copies its executable to %LocalAppData% and launches it. It then deletes itself from the original location.

Following that, it spawns several copies of its own process, passing the encryption key and victim ID as command line arguments.

Command line arguments

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample.

The list of excluded paths

Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “”!!!KEYPASS_DECRYPTION_INFO!!!.txt”” are saved in each processed directory.

The ransom note

Encryption scheme
The developers of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the beginning of each file.

Part of the procedure that implements data encryption

Soon after launch, KeyPass connects to its command and control (C&C) server and receives the encryption key and the infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON.

If the C&C is inaccessible (e.g. if the infected machine is not connected to the internet or the server is down), the Trojan uses a hardcoded key and ID, which means that in the case of offline encryption the decryption of the victim’s files will be trivial.

GUI
From our point of view, the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks.

GUI of the trojan

This form allows the attacker to customize the encryption process by changing such parameters as:

encryption key
name of ransom note
text of ransom note
victim ID
extension of the encrypted files
list of paths to be excluded from the encryption

Paths excluded from encryption by default

Pseudocode of the procedure that shows the GUI by a keypress

Geography

IOC
901d893f665c6f9741aa940e5f275952 – Trojan-Ransom.Win32.Encoder.n
hxxp://cosonar.mcdir.ru/get.php


Botnet of Smart Heaters, ACs Can Cause Power Disruptions: Researchers

16.8.2018 securityweek BotNet

BlackIoT attack can lead to power grid disruptions

A research paper published this week at the 27th USENIX Security Symposium describes a new type of attack that could cause energy grid disruptions. The method involves a botnet powered by tens of thousands of compromised high-wattage IoT devices such as heaters and air conditioners.

Wi-Fi enabled air conditioners, ovens, water heaters and space heaters that can be controlled remotely over the Internet are increasingly popular. The power usage of these devices ranges between 1,000 and 5,000 watts.

Researchers from the Department of Electrical Engineering at Princeton University claim that these types of high-wattage IoT devices can be exploited in what they call “Manipulation of demand via IoT” (MadIoT) attacks to cause local power outages and even large-scale blackouts.

In a MadIoT attack, a threat actor takes control of smart high-wattage devices in order to manipulate (i.e. increase or decrease) power consumption.

MadIoT attack

The experts tested their theory using state-of-the-art simulators of real-world power grid models.

One attack scenario involves frequency instability. The researchers noted that the normal operation of a power grid relies on the balance between supply and demand. They believe that this balance can be disrupted using an IoT botnet of air conditioners and heater that are simultaneously switched on or off by the attacker.

“If the resulting sudden increase in the demand is greater than a threshold, which depends on the inertia of the system, it can cause the system’s frequency to drop significantly before the primary controllers can react,” the researchers wrote in their paper. “This consequently may result in the activation of the generators’ protective relays and loss of generators, and finally a blackout. Sudden decrease in the demand may also result in the same effect but this time by causing a sudden rise in the frequency.”

Using a simulator based on the power grid model of the Western Electricity Coordinating Council (WECC), which is responsible for compliance monitoring and enforcement in the Western part of the United States and Canada, researchers calculated that a 30 percent increase in power demand would lead to all generators tripping.

In order to launch such an attack, experts determined that an attacker would need a botnet of 90,000 air conditioners and 18,000 electric water heaters within the targeted geographical area.

Register for SecurityWeek’s 2018 ICS Cyber Security Conference

A botnet of roughly 100,000 IoT systems may not seem like an impossible task considering that the Mirai botnet, at its peak, infected over 600,000 devices. However, those devices were distributed across more than 160 countries and they included low-wattage devices such as cameras. In the case of a MadIoT botnet, the bots would need to be concentrated in the region of the targeted power grid and they would need to be high-wattage devices for the attack to have an impact.

If the attack leads to a blackout, the grid operator will need to perform what is known as a black start in order to get the power back on. During this process, power is restored in one area at a time to avoid frequency instability. The attacker can use the botnet to suddenly increase demand once power is restored in one area, which can cause the grid to shut down once again.

Another type of attack, which can also lead to a widespread blackout, involves line failures that lead to further line failures in what is known as a cascading failure. Tests for this type of attack were conducted using a simulation of the power grid in Poland, which researchers say is one of the largest and most detailed publicly available real-world power grids.

Calculations showed that an increase of one percent in the demand in Poland’s grid during the summer of 2008 would result in a cascading failure with 263 line failures and an 86 percent load outage. Such an attack would require a botnet of 210,000 compromised air conditioners.

Researchers noted that even if the botnet does not cause frequency instability or line failures, simultaneously turning on tens of thousands of devices within a region can significantly increase costs for the grid operator. These types of attacks could be launched by utilities that operate reserve generators, which provide grid operators electric power – at a higher-than-normal cost – if the demand is higher than estimated, experts said.

“The MadIoT attacks’ sources are hard to detect and disconnect by the grid operator due to their distributed nature. These attacks can be easily repeated until being effective and are black-box since the attacker does not need to know the operational details of the power grid. These properties make countering the MadIoT attacks challenging,” they wrote in their paper.

The same team of Princeton researchers has published a separate paper focusing on how the power grid can be protected against IoT botnets of high wattage devices.

Experts and government authorities have often warned that there is an increasing risk of cyber attacks aimed at the energy sector. However, most warnings involve scenarios in which actors target energy organizations directly.

Earlier this year, researchers warned that threat actors may be able to cause blackouts by remotely manipulating residential or commercial AC units via RF signals to create a surge. However, other experts argued that such attacks would not be easy to carry out in the real world – at least in the United States – due to how power distribution works.


NIST Small Business Cybersecurity Act Becomes Law
16.8.2018 securityweek BigBrothers

The NIST Small Business Cybersecurity Act Aims to Provide Cyberdefense Resources

U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday (August 14, 2018). It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must further be technology-neutral and compatible with COTS solutions; and as far as possible consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980.

Use of these resources by small businesses is voluntary.

The bi-partisan act was authored by U.S. Senators Brian Schatz (D-Hawai'i) and James Risch (R-Idaho), and co-sponsored by Senators John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.).

"As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers," said Schatz, lead Democrat on the Commerce Subcommittee on Communications Technology, Innovation, and the Internet, in a statement. "This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks."

The act has been well-received by the security industry.

"Bills focusing on the cybersecurity needs of small businesses are becoming increasingly necessary to protect activity crucial to the U.S. economy," explains Jessica Ortega, a member of the SiteLock research team. "Small businesses account for 99.7% [SBA figures] of employers in the United States and as many as 50% [CNBC figures] of those have experienced a cyberattack. Not surprising when you consider that websites are attacked as many as 50 times per day on average [Sitelock's own figures].

She adds, "The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordably. It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyberthreats continue to evolve."

Small businesses, and many large organizations, struggle to comply with the existing NIST Security Framework. "This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain," adds Dr. Bret Fund, founder and CEO at SecureSet.

The basic problem is small organizations cannot afford extensive cybersecurity resources in-house, while many still believe they will not be a target for cyber attackers. "Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks," warns Dirk Morris, chief product officer at Untangle. Small businesses are a major direct target for business email compromise (BEC) and ransomware https://www.securityweek.com/ransomware-where-its-been-and-where-its-going attacks; and as part of the supply chain for larger organizations they are targeted for both credential theft and island-hopping to the larger target.

Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. "In fact," suggests Anupam Sahai, Vice President of Product Management at Cavirin, "recent reports shows that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures."

The same report highlighted by Sahai also points out that smaller companies paying lower salaries have a proportionately higher number of grey hats working for them, making them more susceptible to insider threats.

While the security industry generally applauds this new act, it still suffers from one major drawback -- use of the new NIST resources by small businesses is voluntary.

"I will be curious to see how this plan is carried out," says Francis Dinha, CEO and co-founder of OpenVPN. "Many small businesses neglect cyber security because they aren't aware and don't understand the risks -- so, they don't seek out solutions. But if they're not seeking out solutions now, what makes anyone think they will seek out these new NIST resources?"

The act, he says, "does not seem to specify how to connect or engage with small businesses in these practices. It only requires NIST to make resources, in the form of guidelines, methodologies, and other information, available online. I'm concerned this won't be enough. If small businesses aren't engaged in a more active way, they may miss this opportunity and remain at risk."

A complaint often heard at SecurityWeek from harassed CISOs is, "If it's not a regulation, it won't happen." Perhaps what is required as a next step is a small business cybersecurity framework that can be audited. Larger organizations can then insist that smaller companies they engage must show compliance to the NIST small business cybersecurity framework -- but even that will create problems. Small companies with great new ideas will continue to develop their idea without intrinsic security -- and the larger companies will have to choose between a great new non-conformant idea and an older conformant solution.

This new act is a great help in assisting those small businesses that wish to improve their cybersecurity to do so. But it needs to be made a requirement before it will seriously improve the overall cybersecurity posture of the nation.


Senate Passes MAIN STREET Cybersecurity Act for Small Business
16.8.2018 securityweek BigBrothers

The U.S. Senate has passed the MAIN STREET Cybersecurity Act on Sept. 28, which will require NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks."

Co-sponsored by Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), James Risch (R-ID), John Thune (R-SD) and Bill Nelson (D-Fla.), and introduced in March 2017, MAIN STREET's full title is 'Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017'.

The basic requirement is that NIST shall provide cybersecurity resources specifically geared for small businesses (SMEs). Those resources are to promote awareness of simple, basic controls; a workplace cybersecurity culture; and third-party stakeholder relationships, in order to assist SMEs in mitigating common cybersecurity risks. The resources are to be technology-neutral that can be implemented using commercial and off-the-shelf technologies.

They are to be consistent with the requirements of the Cybersecurity Enhancement Act of 2014, which gave more weight and support to the NIST Cybersecurity Framework. While widely used by large organizations, the NIST framework is usually ignored by SMEs.

In a statement of support for MAIN STREET issued in March, Sen. John Thune, chairman of the Senate Committee on Commerce, Science, and Transportation, pointed out that SMEs provide more than half of all jobs in the U.S., but are unprepared for the effect of cyberattacks. According to figures from the National Cybersecurity Alliance, 60% of small businesses are forced to close following an attack.

"Cyberattacks can have catastrophic effects on small businesses and their customers," he said. "This legislation offers important resources, specifically meeting the unique needs of small businesses, to help them guard sensitive data and systems from thieves and hackers."

"In 2012, nearly 71 percent of cyberattacks occurred in businesses with fewer than 100 employees," said Senator Risch. "These attacks seriously compromise not only the businesses, but also their employees' and customers' personal information. As we work to reduce our nation's cyber vulnerabilities, we must be equally mindful of our responsibility to uniformly educate all small business owners on how to deter these threats."

The small business version of the NIST Framework will need to provide a cybersecurity framework that does not require the high level of investment needed for the full NIST Framework. However, like the full version, it will be voluntary for business. Whether SMBs actually derive practical benefit remains to be seen.

The Ponemon 2016 State of Cybersecurity in SMBs survey found that 50% of small businesses had suffered a data breach in the previous 12 months. SMEs are clearly a target for cybercriminal attacks, but are unprepared to stop them. The primary reasons are twofold: SMEs often think they are too small to be a target, and that effective security can only be achieved with the resources of a large organization.

The first is simply wrong: small businesses are increasingly targeted for extortion (such as ransomware) and credential theft (especially where that business might be part of the supply chain of larger organizations). It is hoped that the new small business Cybersecurity Act will change the second.

A survey of 1,420 small business owners published in March 2017 by Manta suggests that only 69% of small business owners currently have controls in place to prevent hacks -- meaning 1 in 3 small business owners have no safeguards in place. Where controls are used, they tend to be basic: such as antivirus software (17%), firewalls (16%), and spam filters (14%).

"Overall," concludes Manta, "with the growth in hackers targeting small businesses, owners should invest more heavily in cyber defense to prevent attacks, which can often be more crippling for a small business than a large corporation."

Andy Halataei, Senior Vice President for Government Affairs of the Information Technology Industry Council, said at the time the bill was introduced, "Small businesses often don't have the resources they need to guard against sophisticated cyber-attacks, and this legislation can be the helping hand small businesses need to help reduce their cybersecurity risks." He added, "By offering small businesses federal agencies' resources and coordinated support, they can better manage risks, protect customer privacy, and focus on growing their ventures."

The reality for small businesses today is that they face threats from both criminals and government legislation. Legal regulatory requirements, like common cybercriminals, do not differentiate hugely between large and small businesses. For example, any business of whatever size that does business with a member state of the European Union will be subject to the strict requirements of the European General Data Protection Regulation (GDPR) by May 2018.

The MAIN STREET Cybersecurity Act of 2017 will hopefully help SMEs protect themselves from both hackers and regulators. It is expected that this Act will rapidly pass through the final stages to become law.


Piping botnet: Researchers warns of possible cyberattacks against urban water services
16.8.2018 securityaffairs BotNet

Piping botnet – Israeli researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously.
Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously. A botnet is a large network of computers or devices controlled by a command and control server without the owner’s knowledge.

Ben Nassi, a researcher at Cyber@BGU, will be presenting “Attacking Smart Irrigation Systems” in Las Vegas at the prestigious Def Con 26 Conference in the IoT Village on August 11.

The researchers analyzed and found vulnerabilities in a number of commercial smart irrigation systems, which enable attackers to remotely turn watering systems on and off at will. The researchers tested three of the most widely sold smart irrigation systems: GreenIQ, BlueSpray, and RainMachine smart irrigation systems. Watch the video.

“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty good water reservoir overnight,” Nassi says. “We have notified the companies to alert them of the security gaps so they can upgrade their smart system’s irrigation system’s firmware.”

Water production and delivery systems are part of a nation’s critical infrastructure and generally, are secured to prevent attackers from infecting their systems. “However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards.”

In the study, the researchers present a new attack against urban water services that doesn’t require infecting its physical cyber systems. Instead, the attack can be applied using a botnet of smart irrigation regulation systems at urban water services that are much easier to attack.

piping botnet

The researchers demonstrated how a bot running on a compromised device can (1) detect a smart irrigation system connected to its LAN in less than 15 minutes, and (2) turn on watering via each smart irrigation system using a set of session hijacking and replay attacks.

Further technical details on the Piping botnet are included in the article published by the experts, titled “Piping Botnet – Turning Green Technology into a Water Disaster”

“Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers,” says Nassi, who is also Ph.D. student of Prof. Yuval Elovici’s in BGU’s Department of Software and Information Systems Engineering and a researcher at the BGU Cyber Security Research Center. Elovici is the Center’s director as well as the director of Telekom Innovation Labs at BGU.

The research team also included Ph.D. student Yair Meidan supervised by Dr. Asaf Shabtai, as well as two interns, Moshe Sror and Ido Lavi.

Previous research focused on a new method to detect illicit drone video-filming.

About the Author: American Associates, Ben-Gurion University of the Negev

American Associates, Ben-Gurion University of the Negev (AABGU) plays a vital role in sustaining David Ben-Gurion’s vision: creating a world-class institution of education and research in the Israeli desert, nurturing the Negev community and sharing the University’s expertise locally and around the globe. As Ben-Gurion University of the Negev (BGU) looks ahead to turning 50 in 2020, AABGU imagines a future that goes beyond the walls of academia. It is a future where BGU invents a new world and inspires a vision for a stronger Israel and its next generation of leaders. Together with supporters, AABGU will help the University foster excellence in teaching, research and outreach to the communities of the Negev for the next 50 years and beyond. Visit vision.aabgu.org to learn more.

AABGU, which is headquartered in Manhattan, has nine regional offices throughout the United States. For more information, visit http://www.aabgu.org.


SAP Security Notes August 2018, watch out for SQL Injection
16.8.2018 securityaffairs
Vulnerebility

SAP released security notes for August 2018 that address dozens patches, the good news is that there aren’t critical vulnerabilities.
SAP issues 27 Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven notes are related to previously published patches.

“On 14th of August 2018, SAP Security Patch Day saw the release of 12 Security Notes. Additionally, there were 2 updates to previously released security notes.” reads the advisory published by SAP.

Principal type of vulnerabilities fixed by SAP security notes are SQL Injection and Information Disclosure flaws as reported in the following graph.

SAP security notes August 2018

According to the experts from ERPScan, in August Implementation Flaw and Missing Authorization Check are the largest groups in terms of the number of vulnerabilities

SAP security notes August 2018

SAP addressed nine high severity flaws, including two SQL injection vulnerabilities in SAP BusinessObjects that could be exploied by an attacker to extract information from vulnerable system.

The SQL injection issues were reported by the researchers at the security firm Onapsis that shared technical details of the flaws in a blog post.
“Two of these High Priority notes concern vulnerabilities reported by Onapsis Research Labs: one fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA.” reads the blog post published by Onapsis.

“Another High Priority Note reported by the Onapsis Research Labs, #2644154, is tagged with a CVSS v3 base score: 7.7/10. It fixes two SQL-injection (SQLi) vulnerabilities found in SAP BusinessObjects (BOBJ) by Onapsis researcher Gaston Traberg. The issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind boolean-based SQLi, and the other a regular SQLi vulnerability.”

Security experts from ERPScan also published an interesting analysis of the security patches rolled out by SAP.
ERPScan focused the analysis on most serious vulnerabilities all rated as “high severity,” including the two SQL injection flaws found by Onapsis in BusinessObjects (CVE-2018-2447).

Other High severity flaws are a missing authorization check in the SAP SRM MDM Catalog (CVE-2018-2449), and a memory corruption flaw in the BusinessObjects Business Intelligence platform tracked as (CVE-2015-5237) that can be exploited by attackers to run arbitrary command on the vulnerable systems.
“An attacker can use [CVE-2018-2449] vulnerability to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” states ERPScan.

“An attacker can use [CVE-2018-2447] vulnerability with a help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administration operations, destroy data or make it unavailable. In some cases, the hacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks”


Google Bug Bounty Program Now Covers Platform Abuse
16.8.2018 securityweek Safety

Google on Wednesday announced the expansion of its bug bounty program to include techniques that can be used to bypass the company’s abuse detection systems.

The Internet giant claims to have paid out over $12 million as part of its Vulnerability Reward Programs since 2010, including payouts for bug reports describing techniques for bypassing fraud, abuse and spam systems.

These types of reports have now officially been added to Google’s bug bounty program. The company says it’s prepared to pay up to $5,000 for high impact and high probability issues.

Google assesses probability based on the technical skills needed to conduct an attack, the possible motivators of an attack, and the likelihood of the flaw being discovered by a malicious actor.

“Reports that deal with potential abuse-related vulnerabilities may take longer to assess, because reviewing our current defense mechanisms requires investigating how a real life attack would take place and reviewing the impact and likelihood requires studying the type of motivations and incentives of abusers of the submitted attack scenario against one of our products,” Google said.

For example, a technique that allows an attacker to manipulate the rating score of a Google Maps listing by submitting a large volume of fake reviews without being detected by the company’s systems would qualify for a reward in the new platform abuse category. Researchers can also earn rewards for bypassing account recovery systems at scale, finding systems vulnerable to brute-force attacks, bypassing content use and sharing restrictions, or buying items from Google without paying.

“Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content,” members of Google’s Trust & Safety team wrote in a blog post. “This program does not cover individual instances of abuse, such as the posting of content that violates our guidelines or policies, sending spam emails, or providing links to malware.”


PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 Protections
16.8.2018 securityweek Attack 
Phishing

Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections.
PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks.

The experts are warning of the new technique that was already used in attacks by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism implemented by most popular email services, Microsoft Office 365.

“Over the past two weeks, we detected (and blocked) a new phishing attack that affected about 10% of Avanan’s Office 365 customers. We estimate this percentage applies to Office 365 globally. PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users’ credentials for Office 365.” reads the analysis published by Avanan.

“Essentially, hackers are using SharePoint files to host phishing links. By inserting the malicious link into a SharePoint file rather than the email itself, hackers bypass Office 365 built-in security. “

In a PhishPoint attack scenario, the victim receives an email containing a link to a SharePoint document. The content of the message is identical to a standard SharePoint invitation to collaborate.

phishpoint attack

Once the user clicked the hyperlink included in the fake invitation, the browser automatically opens a SharePoint file.

The SharePoint file content impersonates a standard access request to a OneDrive file, with an “Access Document” hyperlink that is actually a malicious URL that redirects the victim to a spoofed Office 365 login screen.

This landing page asks the victim to provide his login credentials.

Experts highlighted that Microsoft protection mechanisms scan the body of an email, including the links provided in it, but since the URL points to an actual SharePoint document, the protections fail in identifying the threat.
“To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains. Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat.” the researchers said.“The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks,”

PhishPoint

The problem is that Microsoft cannot blacklist links associated with SharePoint documents.

“Even if Microsoft were to scan links within files, they would face another challenge: they could not blacklist the URL without blacklisting links to all SharePoint files. If they blacklisted the full URL of the Sharepoint file, the hackers could easily create a new URL.”

Experts recommend being suspicious of the URLs in the email body if it uses URGENT or ACTION REQUIRED in the subject line.
Every time a login page is displayed it is necessary to double check the address bar in the web browser to discover if the link points to a legitimate resource, and of course, always use two-factor authentication (2FA).

If you are interested in other attack techniques discovered in the last months by Avanan give a look at the post titled “Five Techniques to Bypass Office 365 Protections Used in Real Phishing Campaigns”


Hundreds of Instagram accounts were hijacked in a coordinated attack
16.8.2018 securityweek Hacking

Hundreds of Instagram accounts were hijacked in what appears to be the result of a coordinated attack, all the accounts share common signs of compromise.
Alleged attackers have hijacked Instagram accounts and modified personal information making impossible to restore the accounts.

The number of Instagram accounts that was hacked has increased since the beginning of August, all the victims were logged out of their accounts, their personal and contact information were deleted, personal email address was changed.

The attackers changed victims’ email addresses with one associated to a Russian domain (.ru).

The media outlet Mashable first reported the spike in the account takeover.

“Like half a dozen other hacking victims who spoke with Mashable, her profile photo had been changed, as had all the contact information linked to the account, which was now linked to an email with a .ru Russian domain.” reported Mashable.

“Megan and Krista’s experiences are not isolated cases. They are two of hundreds of Instagram users who have reported similar attacks since the beginning of the month.”

More than 5,000 tweets from 899 accounts were mentioning Instagram hacks in the last seven days, many users have been desperately tweeting at Instagram’s Twitter account requesting support.

Numerous reports of hacks were reported on Reddit, and Mashable reported a Google Trends search that shows a spike in searches for “Instagram hacked” on Aug. 8, and again on Aug. 11.

Instagram accounts hacked

Instagram hacked accounts have had their profile photos changed with Disney- or Pixar-themed film images.

“A number of Instagram users have taken to social media to report a mysterious hack in which their profile photos are replaced by random stills from films.” reported the BBC.

It’s not clear how hackers have hacked the Instagram accounts, there are some cases in which owner s of the accounts explained that they were using two-factor authentication (2FA).

“The extra security measure didn’t protect Chris Woznicki, who was using two-factor authentication at the time his account was hacked 10 days ago. Woznicki says Instagram sent him security emails notifying him the email address on his account had been changed (once again, to a .ru address) and 2FA had been disabled. But by the time he saw the messages, it was too late and he had already lost access to his account, which had 660 followers. Others have reported similar occurrences. “continues Mashable.

Instagram confirmed it is aware of the problems that some users are facing, below an excerpt from an Instagram security advisory:

“We are aware that some people are having difficulty accessing their Instagram accounts. As we investigate this issue, we wanted to share the below guidance to help keep your account secure:

If you received an email from us notifying you of a change in your email address, and you did not initiate this change – please click the link marked ‘revert this change’ in the email, and then change your password.
We advise you pick a strong password. Use a combination of at least six numbers, letters and punctuation marks (like ! and &). It should be different from other passwords you use elsewhere on the internet.
You can also use the steps outlined on this page to restore your account. Please use a new, secure email address to restore your account.
Finally, revoke access to any suspicious third-party apps and turn on two-factor authentication for additional security. Our current two-factor authentication allows people to secure their account via text, and we’re working on additional two-factor functionality with more to share soon.”
It isn’t the first time that Instagram faces such kind of problems, in September 2017 6 million celebrities Instagram High-Profiles data were offered for sale on DoxaGram website.

For more information, users can visit the Instagram Help Centre that includes instructions to restore a compromised account.


FBI Eyes Plethora of River-Related Threats
15.8.2018 securityweek BigBrothers

NEW ORLEANS (AP) — Giant cranes loading and unloading gargantuan barges. Oil tankers, supply vessels and pipelines serving a vital energy industry. Flood control structures. Chemical plants. Cruise ships. Drinking water sources. All computer-reliant and tied in some way to the internet. All of them vulnerable to cyber thieves, hackers and terrorists.

Roughly nine months into his job as special agent in charge of the New Orleans office of the FBI, agent Eric Rommal is keenly aware of the dangers cyber-criminals pose to Mississippi River-related businesses and south Louisiana infrastructure.

"Louisiana is a major cyber vulnerability area," Rommal told The Associated Press in an interview.

"Every time that we have a vessel that travels up or down the Mississippi River there's a vulnerability: that that vessel or persons on those vessels may in fact be doing harm to our systems," said Rommal. "And that affects the national economy and affects the entire United States."

Rommal, accompanied by Matthew Ramey, who supervises the office's cyber squad, and Drew Watts, an assistant special agent in charge, discussed a litany of vulnerable areas and the ways the FBI in New Orleans works to protect them.

COMMERCE

"When it relates to commerce and the economy throughout the United States, oil and gas — it all starts here," said Rommal. "And when those systems are compromised, it doesn't just affect Louisiana. It affects the entire nation."

ICS Cyber Security Conference

A cyber disruption of security systems that protect pipelines and refineries "could essentially cripple the oil and gas industry until we could get that system up and running again," said Rommal.

Energy isn't the only concern.

"The ports that are along the Mississippi River — many may think of them as an agricultural or a petroleum depot. But what we need to know more about is that each one of those systems is controlled by sort of computer network that allows barges to be off-loaded, loaded," he said.

A hacker disrupting those operations could effectively disrupt nationwide and international commerce, he said, until it could be manually restored.

THEFT

Ports and the businesses that use them are susceptible to theft of money or critical information, Ramey said. And the theft can be state-sponsored.

"That would be, say, the Chinese, the Russians, the Iranians, the North Koreans, want to compromise the ports for, say, some sort of economic or secretive information. The maritime and the port industry are susceptible to what we call BEC — business email compromises," Ramey said.

"Wire transfers are going out all the time, 24/7. If the attacker can insert himself into that email chain, they can assume the identity of the person who controls that account." And that can lead to money being diverted to unintended sources.

FBI statistics show some 41,000 victims lost $2.9 billion to cyber-thieves nationally from October 2013 to May 2018, said Ramey. Over $5 million left the state in 2017 due to cyber-thieves, he said, adding: "In 2018, we're on track to surpass that."

TERRORISM

Offshore there are drilling rigs and production platforms. Inland, refineries and chemical plants line the river. Compromise of their computer systems and safety systems could lead to disaster, Rommal said.

"We're confident that the internal security systems owned by each one of those companies have mitigation plans to prevent terrible disasters from happening," he said. "But, nonetheless, it's something that we think about every day."

In addition, the agents acknowledged threats to public utilities — New Orleans, for instance, draws its drinking water from the river — and various flood-control structures and pumping systems.

Register for SecurityWeek’s ICS Cyber Security Conference

THE FIGHT

Rommal said more than 20 people working for the FBI headquarters in Louisiana are working on cyber security.

They include experts working at forensics labs, doing forensics on computer hard drives and developing techniques for analyzing computer memories in efforts to fight and find intruders.

And, Rommal said, there are partnerships with other federal agencies, including a joint effort known as the National Cyber Investigative Joint Terrorism Task Force.

There is also the national InfraGard, an FBI program that enlists thousands of private-industry partners from potential cybercrime target sectors, such as such as transportation, energy, banking and infrastructure. Ramey said there are 800 members in Louisiana.

Participants can provide and receive real-time information on imminent cyber threats.

The FBI also maintains a website for its Internet Crime Complaint Center. It's a mechanism for businesses and individuals to report cybercrime, and a source of information on the ever-evolving threat.

"We're not in this fight alone," said Rommal. "And it is a fight."


Foreshadow/L1TF: What You Need to Know
15.8.2018 securityweek
Vulnerebility

The details of three new speculative execution vulnerabilities affecting Intel Xeon and Core processors were disclosed on Tuesday. The flaws have been dubbed Foreshadow and L1 Terminal Fault (L1TF), and patches and mitigations are already available.

The security holes were discovered independently by two teams of researchers. A team from KU Leuven, a university in Belgium, informed Intel of its findings on January 3, the day when the notorious Spectre and Meltdown vulnerabilities were disclosed to the public. The second team, comprising researchers from Israel-based Technion, University of Michigan, the University of Adelaide in Australia, and Australia-based CSIRO's Data61, reported its findings to Intel on January 23.

The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).Foreshadow

Researchers first discovered the vulnerability affecting SGX, a feature in Intel processors designed to protect user data even if an attacker takes control of the entire system. SGX was believed to be resilient to speculative execution attacks, but experts have now demonstrated that an attacker can read memory protected by SGX.

“Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem,” researchers explained on a website set up for the Foreshadow vulnerabilities.

During its investigation into the cause of Foreshadow, Intel discovered the two other flaws, which are tracked as Foreshadow-Next Generation (NG). Foreshadow-NG attacks can allow malicious actors to read information from the L1 cache, including information associated with the SMM, the operating system’s kernel, and hypervisors.

“Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure,” researchers said. “Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre.”

According to Intel, a malicious application installed on the targeted system can deduce data values from the operating system or other apps. Exploitation of the flaws can also allow a malicious guest VM to obtain data in the memory of the virtual machine manager (VMM) or other guest VMs.

Intel also says that the Foreshadow vulnerabilities allow malicious software to obtain data from the SMM memory. Finally, malware running outside or within an SGX enclave may be able to access data from another SGX enclave.

Intel and other tech giants have released updates and mitigations which, in combination with the patches released previously for speculative execution vulnerabilities (e.g. Meltdown and Spectre), should prevent attacks. Intel claims it has not seen any significant performance impact introduced by the available mitigations, either on PCs or data center workloads.

There is no evidence of malicious attacks exploiting these vulnerabilities.

Companies respond to Foreshadow

Microsoft has published both a security advisory describing the flaws and a blog post containing technical details. The company says it has released several updates that should mitigate Foreshadow on both consumer devices and on its Azure cloud services.

Google also says it has deployed mitigations to its infrastructure, including for the infrastructure that underpins its cloud services.

Amazon Web Services (AWS) told customers that its infrastructure includes protections for these types of attacks, and additional security mechanisms have been deployed for L1TF. “All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level,” AWS said.

Oracle has also published a blog post describing which of its products are impacted and which are not, and provided instructions on how attacks can be mitigated.

VMware has published separate advisories for CVE-2018-3646 and CVE-2018-3620. The former affects VMware vSphere, Workstation, and Fusion, and the company says it has released updates that patch the issue. The latter impacts vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC) and vRealize Automation (vRA). Patches are pending for this vulnerability, but virtual appliance mitigations are available.

Cisco is also working on patches for the vulnerabilities. The networking giant says that while its products are not directly affected, they could still be targeted if the hosting environment is vulnerable.

“Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as the operating system or hypervisor, is patched against the vulnerabilities in question,” the company said.

The Xen Project revealed that systems running any version of Xen are impacted.

“New microcode, and possibly a new firmware image is required to prevent SMM data from being leaked with this vulnerability,” Xen developers explained. “Software updates to Xen (details below) are required to prevent guests from being able to leak data belonging to Xen or to other guests in the system.”

Red Hat has published both technical and high level materials describing the Foreshadow flaws. The company is working on updates that should make it easier for its users to implement mitigations.

The list of Linux distributions that have also published advisories includes Suse, Debian, Gentoo and Ubuntu.


Container Security Firm Twistlock Raises $33 Million
15.8.2018 securityweek IT

Twistlock, a provider of solutions to protect cloud containers, today announced that it has raised $33 million in Series C funding, bringing the total raised to-date by the Portland, Oregon-based company to $63 million.

The company’s flagship Twistlock platform provides protection for containers, serverless functions, and container-as-a-service platforms like AWS Fargate into a single full stack security platform.

The latest version of the platform brings cloud native forensics capabilities to help during the incident response process.

Twistlock“The Twistlock platform replaces multiple outdated layers of security – from standalone vulnerability assessment tools that force developers to read CVEs in CSVs, to application firewalls that require static configuration and updates with every build,” CEO Ben Bernstein explained in an associated blog post.

Twistlock

Founded in 2015, Twistlock says it has grown its customer base over 350 percent each year, and counts 25 percent of Fortune 100 companies as customers, including McKesson, Walgreens, Aetna and USAA. The company also said it has grown its employee headcount 200 percent year over year, and has opened five offices across the globe.

Led by ICONIQ Capital, existing investors YL Ventures, TenEleven, Rally Ventures, Polaris Partners and Dell Technologies Capital all participated in the round.

Twistlock is one of several companies looking to lead in the container security space that has raised funding in recent years. Israel-based Aqua Security has raised more than $38 million, NeuVector has raised $7 million, Capsule8 has raised $23.5 million, and Tigera received $23 million. Container security firm StackRox announced in April that it had secured $25 million in a Series B funding round, bringing the total raised by the company to more than $39 million.

While several security startups have emerged with a focus on containers, veteran security firms are also targeting the sector. In June 2017, cloud-based security and compliance solutions provider Qualys launched a product designed for securing containers across cloud and on-premises deployments.

According to a 2015 survey of 272 IT decision makers in North America conducted by Twistlock, 91 percent of the respondents said they were concerned about the security of containers.


SAP Releases August 2018 Security Updates
15.8.2018 securityweek
Vulnerebility

SAP on Tuesday released its security updates for August 2018. The latest round of updates includes over two dozen patches, but none of them are for critical (hot news) vulnerabilities.

The German software giant has provided 27 SAP Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven of the total are updates to previously published patches.

SAP releases security updates for August 2018

Nine of the patches address high severity flaws, including two discovered by researchers at Onapsis, a company that specializes in securing Oracle and SAP applications.

“One [Security Note] fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA,” Onapsis said in a blog post detailing this month’s patches.

“The [SQL injection] issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind SQLi, and the other a regular SQLi blind boolean-based SQLi vulnerability,” the company added. “These SQLi vulnerabilities [...] allow an attacker without privileges to get information from the Central Management Server System Database. As described, it is sensitive infrastructure information related to the BusinessObjects Enterprise platform, its structure and configuration.”

ERPScan, another company specializing in securing SAP applications, noted that six of the flaws resolved in the past month are implementation issues, while another six have been described as missing authorization checks.

ERPScan has provided a brief description for three of the most serious vulnerabilities patched by SAP with the August updates. The security holes, all rated “high severity,” include the SQL injection flaws found by Onapsis in BusinessObjects (CVE-2018-2447), a missing authorization check in the SAP SRM MDM Catalog (CVE-2018-2449), and a memory corruption flaw in the BusinessObjects Business Intelligence platform that can lead to arbitrary command execution (CVE-2015-5237).

“An attacker can use [CVE-2018-2449] to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” ERPScan said.


Hundreds of Instagram accounts were hijacked in a coordinated attack
15.8.2018 securityaffairs Hacking

Hundreds of Instagram accounts were hijacked in what appears to be the result of a coordinated attack, all the accounts share common signs of compromise.
Alleged attackers have hijacked Instagram accounts and modified personal information making impossible to restore the accounts.

The number of Instagram accounts that was hacked has increased since the beginning of August, all the victims were logged out of their accounts, their personal and contact information were deleted, personal email address was changed.

The attackers changed victims’ email addresses with one associated to a Russian domain (.ru).

The media outlet Mashable first reported the spike in the account takeover.

“Like half a dozen other hacking victims who spoke with Mashable, her profile photo had been changed, as had all the contact information linked to the account, which was now linked to an email with a .ru Russian domain.” reported Mashable.

“Megan and Krista’s experiences are not isolated cases. They are two of hundreds of Instagram users who have reported similar attacks since the beginning of the month.”

More than 5,000 tweets from 899 accounts were mentioning Instagram hacks in the last seven days, many users have been desperately tweeting at Instagram’s Twitter account requesting support.

Numerous reports of hacks were reported on Reddit, and Mashable reported a Google Trends search that shows a spike in searches for “Instagram hacked” on Aug. 8, and again on Aug. 11.

Instagram accounts hacked

Instagram hacked accounts have had their profile photos changed with Disney- or Pixar-themed film images.

“A number of Instagram users have taken to social media to report a mysterious hack in which their profile photos are replaced by random stills from films.” reported the BBC.

It’s not clear how hackers have hacked the Instagram accounts, there are some cases in which owner s of the accounts explained that they were using two-factor authentication (2FA).

“The extra security measure didn’t protect Chris Woznicki, who was using two-factor authentication at the time his account was hacked 10 days ago. Woznicki says Instagram sent him security emails notifying him the email address on his account had been changed (once again, to a .ru address) and 2FA had been disabled. But by the time he saw the messages, it was too late and he had already lost access to his account, which had 660 followers. Others have reported similar occurrences. “continues Mashable.

Instagram confirmed it is aware of the problems that some users are facing, below an excerpt from an Instagram security advisory:

“We are aware that some people are having difficulty accessing their Instagram accounts. As we investigate this issue, we wanted to share the below guidance to help keep your account secure:

If you received an email from us notifying you of a change in your email address, and you did not initiate this change – please click the link marked ‘revert this change’ in the email, and then change your password.
We advise you pick a strong password. Use a combination of at least six numbers, letters and punctuation marks (like ! and &). It should be different from other passwords you use elsewhere on the internet.
You can also use the steps outlined on this page to restore your account. Please use a new, secure email address to restore your account.
Finally, revoke access to any suspicious third-party apps and turn on two-factor authentication for additional security. Our current two-factor authentication allows people to secure their account via text, and we’re working on additional two-factor functionality with more to share soon.”
It isn’t the first time that Instagram faces such kind of problems, in September 2017 6 million celebrities Instagram High-Profiles data were offered for sale on DoxaGram website.

For more information, users can visit the Instagram Help Centre that includes instructions to restore a compromised account.


Foreshadow Attacks – experts found 3 new Intel CPU side-channel flaws
15.8.2018 securityaffairs Attack

Foreshadow Attacks – Security researchers disclosed the details of three new speculative execution side-channel attacks that affect Intel processors.
The new flaws, dubbed Foreshadow and L1 Terminal Fault (L1TF), were discovered by two independent research teams.

An attacker could exploit the Foreshadow vulnerabilities attacks to gain access to the sensitive data stored in a computer’s memory or third-party clouds.

The flaws affect the Intel’s Core and Xeon processors, they were reported to Intel in January, shortly after the disclosure of Spectre and Meltdown attacks.

The three Foreshadow vulnerabilities are:

CVE-2018-3615 that affects the Intel’s Software Guard Extensions (SGX);
CVE-2018-3620 that affects operating systems and System Management Mode (SMM);
CVE-2018-3646 that affects virtualization software and Virtual Machine Monitors (VMM).
“Today, Intel and our industry partners are sharing more details and mitigation information about a recently identified speculative execution side-channel method called L1 Terminal Fault (L1TF). This method affects select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX) and was first reported to us by researchers at KU Leuven University*, Technion – Israel Institute of Technology*, University of Michigan*, University of Adelaide* and Data61.” reads the post published by Intel

“Further research by our security team identified two related applications of L1TF with the potential to impact other microprocessors, operating systems and virtualization software.”.

Security researchers initially discovered the SGX vulnerability, meanwhile, Intel experts found other two other issues while analyzing the cause of Foreshadow.

“All previously known attacks against Intel SGX rely on application-specific information leakage from either sidechannels [30, 39, 45, 51, 57, 58, 60] or software vulnerabilities [38, 59]. It was generally believed that well-written enclaves could prevent information leakage by adhering to good coding practices, such as never branching on secrets, prompting Intel to state that “in general, these research papers do not demonstrate anything new or unexpected about the Intel SGX architecture.” states the research paper.

“[Foreshadow-NG] attacks can potentially be used to read any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System’s Kernel, or Hypervisor. Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre,”

The good news for end users is that the patches released for these vulnerabilities don’t have a significant impact on the performance of PCs and workstations.

“Once systems are updated, the expected risk to consumer and enterprise users running non-virtualized operating systems will be low. This includes most of the data center installed base and the vast majority of PC clients. In these cases, there has been no meaningful performance impact observed as a result of mitigations applied. For a portion of the market – specifically a subset of those running traditional virtualization technology, and primarily in the data center – it may be advisable that customers or partners take additional steps to protect their systems.” said Intel.

Intel is not aware of the public exploitation of the vulnerabilities.

Major tech companies have already rolled out security updates that the Foreshadow flaws, Microsoft, Cisco, Oracle, VMware, Linux kernel developers, the Xen Project, Red Hat, SUSE have published technical details for the vulnerabilities.

AMD systems are not affected by Foreshadow or Foreshadow-NG due to the implementation of “hardware paging architecture protections.

Further info was shared by the researchers through on a dedicated website that includes the research paper and a demo.

“Foreshadow enables an attacker to extract SGX sealing keys, previously sealed data can be modified and re-sealed,” the researchers wrote. “With the extracted sealing key, an attacker can trivially calculate a valid Message Authentication Code (MAC), thus depriving the data owner from the ability to detect the modification.”


Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer
15.8.2018 securityweek
Vulnerebility

Microsoft’s Patch Tuesday updates for August 2018 address 60 vulnerabilities, including two zero-day flaws affecting Windows and Internet Explorer.

One of the actively exploited vulnerabilities is CVE-2018-8414, which Microsoft learned of from Matt Nelson of SpecterOps. Nelson disclosed the details of the bug in June after Microsoft told him that “the severity of the issue is below the bar for servicing and that the case will be closed.”

Proofpoint then revealed in July that a financially-motivated threat actor tracked by the company as TA505 had been exploiting the flaw to deliver the FlawedAmmyy RAT.

Microsoft described the issue as a Windows Shell remote code execution vulnerability that can be exploited by getting the targeted user to open a specially crafted file. The company says the flaw impacts Windows 10 and Windows Server (versions 1709 and 1803).

According to Trend Micro’s Zero Day Initiative (ZDI), the same vulnerability also impacts Adobe Acrobat Reader. ZDI researcher Abdul-Aziz Hariri reported the weakness to Adobe, which also released a patch for it on Tuesday.

“The Acrobat patch blocks the embedding of certain files types – a tactic Microsoft has already done with Office 365 docs,” ZDI explained in a blog post published after the patches were released. “This [Microsoft] patch prevents the bypassing of traditional file execution restrictions within Windows. It’s fascinating to see exploit authors combine different products to evade detection and proliferate their malware.”

The second zero-day vulnerability patched on Tuesday by Microsoft is CVE-2018-8373, a remote code execution flaw that exists due to how the scripting engine in Internet Explorer handles objects in memory.

The security hole was reported to Microsoft by Elliot Cao of Trend Micro Security Research, but Trend Micro has yet to make any information public on the attacks it has seen.

On the other hand, the security firm did reveal that CVE-2018-8373 is very similar to CVE-2018-8174, which Microsoft patched in May. CVE-2018-8174 had been exploited by an unnamed advanced persistent threat (APT) actor when it was fixed.

“[The vulnerability] used a new UAF vulnerability in vbscript.dll. This UAF occurs when the VBScript engine uses AssignVar to assign a value to the element of an array accessed by AccessArray,” ZDI explained. “Interestingly, the previous CVE was also being actively exploited when patched. In other words, if there are similar bugs to this one, they will likely be found and exploited, too.”

A total of 20 vulnerabilities patched this month by Microsoft have been rated “critical” and, unsurprisingly, many of them impact Edge and Internet Explorer. Remote code execution flaws discovered in SQL Server, Exchange, and Windows have also been assigned a “critical” severity rating.

Some of the more interesting vulnerabilities patched by Microsoft this month, whose details were disclosed shortly after the tech giant pushed out the security updates, include an Active Directory Federation Services (ADFS) issue discovered by Okta and an Exchange RCE flaw reported by an anonymous researcher through ZDI.


Microsoft's National Cybersecurity Policy Framework: Practical Strategy or Non-Starter?
15.8.2018 securityweek Safety

Microsoft's Cybersecurity Policy Framework Has Good Intentions, But It's Difficult to See What It Actually Brings to the Table

Microsoft has never been backward in making global recommendations for improved cybersecurity. Its latest recommendations come in a paper titled, Cybersecurity Policy Framework -- A practical guide to the development of national cybersecurity policy (PDF). Its purpose is nothing short of providing a framework that all nations can follow in the formulation of their own national cybersecurity policies.

There is nothing new in this document. Rather it is the collection of existing best practices into one source document at a critical moment in history -- the nascence of the fourth industrial revolution. This revolution promises enormous benefits to mankind; but at the same time, its increasing connectivity brings an increasing opportunity for cybercriminals to deliver dire consequences.

Microsoft believes that the solution to transnational cyber threats will be found in the generation of mutually compatible national cybersecurity policies across the globe. The intent of this document is good; but whether it is feasible is questionable. For every individual country, national policies will always be shaped by national culture and local politics; and international policies will always be subject to current geopolitical tensions. The idea that a single framework can work for everyone is ambitious.

Microsoft Cybersecurity Policy FrameworkThe document is divided into four sections, each of which offers advice. These are 'establishing and empowering a national cybersecurity agency'; 'developing and updating cybercrime laws'; 'developing and updating critical infrastructure protection laws'; and an 'international strategy for cybersecurity'.

The problems become apparent in the first section. One of the key principles that should underscore a national cybersecurity agency is that it should be "respectful of privacy, civil liberties, and rule of law." Privacy and civil liberties are subjective and relative concepts that are ultimately defined by law and often contrary to public opinion. Laws differ by country-by-country and state-by-state; and the United States came into being as a rejection of the rule of law.

The European Union has defined privacy within the General Data Protection Regulation (GDPR) and the European Constitution. This legal definition, however, has no (or very limited) standing in the U.S., which has different federal and state regulations concerning privacy -- and, indeed, a different concept of privacy tempered by the long-standing constitutional right to freedom of speech.

But perhaps the best example of the difficulties of the relative nature of 'privacy and civil liberties' can be seen in the UK. The UK traditionally and apparently places its responsibility for protecting national security above its responsibility to protect personal privacy. It has consequently introduced intrusive cybersecurity legislation designed to track actual and potential terrorists, but inevitably intruding on the privacy of innocent civilians. (The same is sometimes said of the United States.)

Since the UK is still within the European Union, it is technically subject to the European Constitution -- and there is a very strong likelihood that some UK practices would be deemed unconstitutional. Brexit will solve this problem, leaving two allied states (UK and EU) with very different views of cyber privacy separated by less than 21 miles of water at the Dover Strait (Pas de Calais).

This isn't necessarily a problem since this section of the framework is designed to provide a base level for national agencies -- and their priorities can obviously differ from country to country. The final key principal for national agencies, however, is that they should be 'globally-relevant'. When different nations cannot agree on fundamental principles of law, and simultaneously assert that their jurisdiction extends beyond their national boundaries, this is a very difficult ask.

The next two sections of the document have similar difficulties. Microsoft suggests that national cybercrime laws need to be updated, and much of this makes sense. It again falls down with the final recommendation: "build global cooperation". National laws will always reflect national politics and global tensions. Russia for example, is prohibited by its constitution from extraditing a Russian citizen to a foreign country. Regardless of U.S. law, it is unlikely that Russia will ever extradite Russian nationals indicted for cybercrimes by U.S. law enforcement.

The potential to build global cooperation into national cyberlaw becomes a one-sided option that is not likely to extend beyond national interests. Nevertheless, Microsoft describes the Budapest Convention as an example of cross-border harmonization of legal definitions.

The difficulties with the section on 'developing and updating the critical infrastructure protection laws' are more nuanced. Using NIST as the basis, Microsoft defines the critical infrastructure (CI) as, "systems and assets, whether physical or virtual, so vital to the country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

It is immediately clear that CI requires additional security and protection. But the implication of this is that the average commercial organization, whose destruction would not have a debilitating impact on the national economic security, does not require the same level of security -- and that individual citizens require even less. While this is pure risk management -- apply your greatest resources to your greatest assets -- it is not a comfortable, nor perhaps a politically acceptable, idea.

Since each nation defines its own critical infrastructure, the relationship between definition and level of required security can also become an issue. For example, following Russian interference in the 2016 U.S. presidential election, there were calls for reclassifying both the voting system and social networks as part of CI. Should either receive greater or lesser protection simply based on whether they are or are not classified as CI?

A second example of difficulties in this section comes with the difference between owners and operators of CI. "Owners of critical infrastructure may own the infrastructure but they are not always able or best placed to comply with the statutory [requirements] because they usually do not operate the computer systems that process the data on a day-to-day basis."

In other legislative areas this is not really an issue. GDPR separates personal data users into controllers and processors. Loosely speaking, the controllers are the primary owners, while the processors are the data users. Controllers cannot pass responsibility to processors, while processors cannot avoid responsibility. The same principle could be applied to CI -- the infrastructure owners cannot pass responsibility for security to the infrastructure users, while the infrastructure users cannot avoid liability. It simply means that both sides must communicate and operate under strict contractual terms.

It is, however, in the fourth section of the document that the Microsoft framework really begins to unravel: an international strategy for cybersecurity. For this section, Microsoft simply returns to two interrelated earlier recommendations: the need for international norms of behavior; and the proposed Digital Geneva Convention.

"Norms," explains Microsoft, "are intended to deter actions by defining what behaviors are acceptable and unacceptable, and imposing consequences when states actions don't adhere to the defined behaviors."

The Gordian Knot of international norms is the problem of attribution before the application of consequences. Attribution is always likely to follow geo-political schisms, and no nation is likely to admit to cyber transgressions. The fear -- almost certainty -- that transgressors will not accept arbitration over responsibility means that it is a proposal not likely to receive international acceptance during any period of geo-political tension.

The second proposal, the Digital Geneva Convention, also breaks down over geo-politics. Microsoft's document provides six key principles. The third requires the agreement to "Report vulnerabilities to vendors rather than to stockpile, sell or exploit them." However well-intentioned, this is unlikely to ever happen. Western governments are unlikely to abandon their cyber stockpiles for fear that Russia, China, North Korea and Iran will not abandon theirs -- and vice versa.

The final section of Microsoft's cybersecurity policy framework is a non-starter, certainly within the foreseeable future. With an almost certain guarantee of non-reciprocation in the 'global' elements of the first three sections, users of the framework will resort to purely nationalistic cybersecurity policy frameworks. These will be based on local politics and national cultural expectations, flavored by geo-political concerns -- not on the rigors of a Microsoft document. It is, frankly, difficult to see what this document actually brings to the table.


ETF Publishes TLS 1.3 as RFC 8446
15.8.2018 securityweek Safety

The Internet Engineering Task Force (IETF) on Friday published version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol as RFC 8446.

The final version of TLS 1.3 was approved by the IETF in late March, after nearly four years of work and 28 drafts.

RFC 8446 updates RFC 5705 and 6066, and it makes RFC 5077, 5246 and 6961 obsolete. The document also specifies new requirements for TLS 1.2 implementations, IETF said. IETF Publishes TLS 1.3 as RFC 8446

TLS is designed to allow client and server applications to communicate over the Internet securely. It provides authentication, confidentiality, and integrity mechanisms that should prevent eavesdropping and tampering, even by an attacker who has complete control over the network.

There are nearly a dozen major functional differences between the previous major version and TLS 1.3, including ones designed to improve performance and mitigate certain types of attacks.

After IETF published RFC 8446, CloudFlare, which introduced support for TLS 1.3 back in 2016, published an overview of the protocol and the improvements it brings.

Mozilla, which has been working on enabling TLS 1.3 in Firefox for the past several months, also made an announcement on Monday.

“TLS 1.3 is already widely deployed: both Firefox and Chrome have fielded ‘draft’ versions. Firefox 61 is already shipping draft-28, which is essentially the same as the final published version (just with a different version number),” Mozilla’s Eric Rescorla wrote.

“We expect to ship the final version in Firefox 63, scheduled for October 2018. Cloudflare, Google, and Facebook are running it on their servers today. Our telemetry shows that around 5% of Firefox connections are TLS 1.3. Cloudflare reports similar numbers, and Facebook reports that an astounding 50+% of their traffic is already TLS 1.3!” he added.

Facebook last week announced the open source availability of Fizz, a robust and highly performant library that the social media giant uses for the implementation of TLS 1.3.


DoD Launches 'Hack the Marine Corps' Bug Bounty Program
15.8.2018 securityweek
Vulnerebility

The U.S. Department of Defense on Monday announced the launch of “Hack the Marine Corps,” the Military's sixth bug bounty program.

Similar to previous programs run by the Pentagon, Hack the Marine Corps is hosted by bug bounty platform HackerOne.

The goal of the bug bounty program, scheduled to run until August 26, is to help the Marine Corps improve the security of the Marine Corps Enterprise Network (MCEN), which is part of the DoD Information Network (DoDIN). The initiative will focus on the organization’s public websites and services.

Hack the Marine Corps kicked off at the DEF CON security conference in Las Vegas, where nearly 100 white hat hackers handpicked by the DoD attempted to find vulnerabilities for nine straight hours.

In this phase of the program, researchers earned more than $80,000 for finding 75 unique vulnerabilities.

“Hack the Marine Corps allows us to leverage the talents of the global ethical hacker community to take an honest, hard look at our current cybersecurity posture,” said Maj. Gen. Matthew Glavy, Commander of the U.S. Marine Corps Forces Cyberspace Command. “Our Marines need to operate against the best. What we learn from this program will assist the Marine Corps in improving our warfighting platform, the Marine Corps Enterprise Network. Working with the ethical hacker community provides us with a large return on investment to identify and mitigate current critical vulnerabilities, reduce attack surfaces, and minimize future vulnerabilities. It will make us more combat ready.”

Hack the Marine Corps was implemented with the help of Jack Cable, an 18-year-old who won the Hack the Air Force challenge. Cable has joined the Pentagon’s Defense Digital Service (DDS) for a tour of duty following his success in the previous bug bounty program.

The DoD launched its first bug bounty program, Hack the Pentagon, in May 2016. As a result of that program’s success, the organization decided to launch Hack the Army, Hack the Air Force, Hack the Air Force 2.0, and Hack the Defense Travel System.

Roughly 5,000 vulnerabilities were disclosed to the Pentagon as part of these programs, with ethical hackers earning hundreds of thousands of dollars for their work.


Crypto Flaw Affects Products From Cisco, Huawei, ZyXEL
15.8.2018 securityweek
Vulnerebility

A team of researchers has disclosed the details of a new attack method that can be used to crack encrypted communications. The products of several vendors, including Cisco, Huawei, ZyXEL and Clavister, are impacted.

The attack will be presented later this week at the 27th USENIX Security Symposium in Baltimore, Maryland, by researchers from the University of Opole in Poland and the Ruhr-University Bochum in Germany. The research paper has already been made public.

The experts have analyzed the impact of key reuse on Internet Protocol Security (IPsec), a protocol that authenticates and encrypts the data packets sent over a network. IPsec is often used for virtual private networks (VPNs).

The cryptographic key for IPsec uses the Internet Key Exchange (IKE) protocol, which has two versions, IKEv1 and IKEv2. Each version of IKE has different modes, configurations and authentication methods.

“[Reusing] a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers,” the researchers explained. “We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE.”

The attack has been found to work against Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), ZyXEL (CVE-2018-9129) and Clavister (CVE-2018-8753) products.

Cisco, Huawei and ZyXEL published advisories for this vulnerability on Monday. Clavister, a provider of network security solutions, released patches for its Clavister cOS Core operating system in early May.

Cisco, which assigned the issue a severity rating of “medium,” described it as a vulnerability in the implementation of RSA-encrypted nonces in the company’s IOS and IOS XE software. An unauthenticated attacker can remotely obtain the encrypted nonces of an IKEv1 session by sending specially crafted ciphertexts to the targeted device.

ZyXEL says the vulnerability affects its ZyWALL and USG series network security appliances. The company has released firmware updates that should prevent attacks.

“ZyWALL/USG devices have a security vulnerability in the Internet Key Exchange (IKE) handshake implementation used for their IPsec-based VPN connections. Attackers might be able to use this vulnerability to retrieve IKEv1 session keys and decrypt connections by using a chosen-ciphertext attack called Bleichenbacher's attack,” the company told customers.

Huawei’s advisory reveals that the company’s firewall products are affected by the vulnerability. The company also noted that the IPsec IKEv1 implementations in its firewalls introduce two other flaws that can be used to cause a device to enter a denial-of-service (DoS) condition by sending specially crafted packets.


UK Police Deploy Homemade Mobile Fingerprint Scanners
15.8.2018 securityweek BigBrothers

The UK Metropolitan Police Service -- the Met, the UK's largest police force and one of the largest in the world -- has introduced a new portable fingerprint scanner. This is not the first portable scanner used by the Met, but differs from the earlier option by being developed in-house.

Known as INK (identity not known), it combines software produced in-house by Met staff with an Android mobile phone paired with a Cross Match Technologies fingerprint reader. The device communicates securely with the Home Office Biometric Services Gateway (BSG), which then searches the Criminal Records Office (IDENT1) and immigration enforcement (IABS) databases.

If a suspect has a criminal record, the Met says, or is known to immigration enforcement, his or her identity can be confirmed at the roadside. An officer, with relevant access levels, can also use the device to check the Police National Computer to establish if they are currently wanted for any outstanding offences.

The statement made it clear that all fingerprints taken on the device are deleted automatically once the officer logs off the device. The 2017 Vault 7 CIA documents leaked by WikiLeaks seem to indicate that the CIA used a tool called ExpressLane to surreptitiously collect biometric data recorded by other Cross Match devices in the U.S.

Miami-based Cross Match Technologies provides biometric management systems to law enforcement and governments. In 2011 it was reported that a Cross Match device was used to identify Osama Bin Laden, allowing then president Obama to announce his death.

UK Met Police Fingerprint scanner

For now, the Met devices cannot be used to increase the size of the national fingerprint database regardless of whether the subject is convicted of a crime. However, there seems little to prevent this development in the future.

The Police and Criminal Evidence Act 1984 (PACE) allows fingerprints to be taken if a constable reasonably suspects the subject of committing or attempting to commit an offence, or they have committed or attempted to commit an offence, and: the name of the person is unknown to, and cannot be readily ascertained by, the constable -- or if the constable has reasonable grounds for doubting whether a name given by the person is their real name.

Again under PACE, fingerprints may be stored by the police for 2-3 years (more if the courts grant an extension) or indefinitely if the subject is subsequently convicted of an offense. However, it is worth noting that European attitudes towards fingerprinting are changing. In April 2018, the European Commission proposed that all identity cards held by European citizens should be required to include a digital image of the holder's fingerprints.

The driving force behind the new scanners is, however economy of both police funds and officers' time. Project lead Superintendent Adrian Hutchinson, explained, "Mobile identification technology helps officers to do their jobs efficiently and effectively. For example, if police stop a driver for a traffic violation but the driver has no documents on him and the car is registered to another person officers may not be happy that the name given is correct. INK can allow them to confirm the identity to allow the service of a summons, rather than arrest them and take them to a police station where they then confirm their identity. Also, if the person is wanted for other offences, this device will allow us to establish this at the point they are stopped."

The reduced cost of the new devices will allow the Met to increase their usage from less than 100 to 600 devices in the field, to be rolled out over the next six months. It is believed that the failure rate for a scanned fingerprint is around one in 7,000.

It is not immediately clear whether this is the same device that was described by the West Yorkshire Police earlier this year. On 10 February, the Home Office announced, "An app on an officer's phone, combined with a handheld scanner, will mean police will be able to check fingerprints against both criminal and immigration records by connecting to the two live databases (IDENT1 and IABS) via the new Biometric Services Gateway... It is expected that another 20 forces across the country will roll out the system by the end of this year."

A Westminster press conference that would answer such details, scheduled for Tuesday was canceled following an incident at Westminster on Monday evening. A vehicle was driven at speed into crash barriers outside the Houses of Parliament, injuring several pedestrians and cyclists. It is being treated as terror-related and investigated by the Met's counter-terrorism police -- who have said that the identity of the driver is not yet confirmed.


Adobe Patches 11 Flaws Across Four Products
15.8.2018 securityweek
Vulnerebility

The Patch Tuesday updates released by Adobe for August 2018 address nearly a dozen vulnerabilities in Flash Player, the Creative Cloud Desktop Application, Experience Manager, and Acrobat and Reader.

Five security holes have been fixed by the company in Flash Player, but none of them appear too serious. The company described the bugs fixed with the release of version 30.0.0.154 as “important” out-of-bounds read and security feature bypass issues that can lead to information disclosure.

One of the flaws, reported by Kai Song from Tencent, is a privilege escalation that can lead to arbitrary code execution, but its severity rating is also only “important.”

Adobe fixed two vulnerabilities in Acrobat and Reader for Windows and macOS. Both are considered “critical” and they both allow code execution.

In the Creative Cloud Desktop Application installer for Windows, the company resolved a DLL hijacking issue that can lead to privilege escalation.

Finally, patches released by Adobe for its Experience Manager product address two cross-site scripting (XSS) flaws that can result in information disclosure, and one input validation bypass vulnerability that can allow an attacker to modify information. All of these bugs have been assigned “moderate” severity ratings.

Adobe says it’s not aware of in-the-wild exploits for any of the vulnerabilities patched with this month’s updates. The company has assigned priority ratings of “2” to a majority of the flaws, which means the company does not expect to see malicious exploitation attempts any time soon.

Last month, researchers claimed they had found a potentially serious security issue in Adobe’s internal systems, but the company downplayed the impact of the vulnerability saying it was only an XSS flaw.


SIEM Platform Provider Exabeam Raises $50 Million
15.8.2018 securityweek IT

Exabeam, a San Mateo, California-based provider of a next-gen security information and event management (SIEM) platform, announced on Tuesday that it has closed $50 million in Series D funding.

Exabeam was founded in 2013 by Nir Polak, CEO, Sylvain Gil, vice president of products, and Domingo Mihovilovic, chief technology officer. Before launching the company, Polak and Gil worked for Imperva, while Mihovilovic occupied a founding leadership role at Sumo Logic.

While SIEMs are sometimes outed as a dying tool for security teams, Exabeam's Security Intelligence Platform(SIP) includes more features than legacy SIEMs, including powerful data collection, threat identification and response capabilities.

"We started," Polak told SecurityWeek in early 2017, "as a SIEM-helper." The intention was always to be more, but the route to a complete platform was designed to be in steps. SIEMs, he suggested are broken, difficult to use and no longer fit for today's needs; and a SIEM-helper was the obvious starting point. "SIEMs were born some 20 years ago, before the age of big data and before the skills gap became as severe as it is today. So, we used machine language and analytics to help find the threats for the SIEMs."

"We're moving to the next phase, ready to take on the incumbents -- Splunk, ArcSight and QRadar -- head on," Polak said at the time.

“Built on open source, big data technology, including Elasticsearch and Hadoop, it provides unlimited secure data collection, indexing and search but without volume-based pricing,” the company explains. “Advanced machine learning capabilities provide rapid insights into all events, including attacks and vulnerabilities so subtle and precise that humans simply cannot see them.”

According to the company, the additional funding will be used to grow its cloud portfolio and support global sales efforts.

Led by Lightspeed Venture Partners, the Series D round was supported by Aspect Ventures, Cisco Investments, Icon Ventures, Norwest Venture Partners and cybersecurity investor Shlomo, all which are existing investors.


Vulnerability Could Allow Insider to Bypass CEO's Multi-Factor Authentication
15.8.2018 securityweek
Vulnerebility

Vulnerability Allows a Second Factor for One Account to be Used for All Accounts in an Organization

A simple vulnerability in Microsoft's Active Directory Federation Services (ADFS) can lead to catastrophic results. The flaw (CVE-2018-8340) was discovered by Okta researcher Andrew Lee; and patched by Microsoft in this month's Patch Tuesday security updates.

ADFS is used by third party vendors, such as Okta, Gemalto, Duo, Authlogics, RSA, and SecureAuth. It allows companies to add multi-factor authentication to their security controls. Exploiting the vulnerability allows any attacker with a valid second factor to access any other user's account if they can obtain that user's credentials. The flaw affects all third-party MFA vendors that use Microsoft's ADFS.

There is obviously some work to do by the attacker; but it is not that difficult. An insider would already have one part -- his or her own valid 2FA token. With that, he or she would be able to access any other employee's account by phishing their username and password, and combining it with his or her own MFA token.

In reality, 2FA is not always difficult to crack. Earlier this month it was disclosed that Reddit had suffered a breach following an SMS intercept that gained one user's SMS token. Alternatively, an attacker could phish for, or use a stolen database to gain ID and password, and then social engineer the help desk to reset the second factor. If he can log on as a user or process that has not yet been supplied with a second factor, then he might simply and automatically be granted one.

With just one full set of credentials (username, password and the second factor), an external attacker could phish for any other user's credentials and gain access without that user's second factor. If he manages to phish an admin, he has immediately hit the jackpot.

But even with lower privileges he will gain basic access to the network and can start looking for higher privileges. If he finds an admin password, this flaw will allow him to bypass any installed 2FA controls associated with the privileged account.

The flaw lies in the way in which ADFS communicates with the login process. The attacker will attempt to log in at the AD login page using two separate browsers -- one for each account. He then observes the authentication flow for each login, looking for the MFA Context and the MFA token for each user. The Context is labeled such in the page's HTML, while the MFA token appears in a script just below the context.

"By combining Bob’s MFA Context with Alice’s session cookie," writes Andrew Lee in an associated Okta blog, "the attacker can finish logging in as Alice using Bob’s second factor and MFA Token. The attacker does not need Alice’s second factor to log into her account."

After obtaining the session cookies, MFA Contexts, and MFA Tokens for himself and his target, the attacker first completes second-factor authentication with his owned MFA Token, then sends his MFA Context with his target's session cookie to the AD server. The AD server confirms with the MFA provider that the attacker's token was approved, then it logs the attacker in as the target.

The flaw is really very simple in concept. "The MFA Context contains an encrypted and signed copy of the MFA Token, using the AD server’s certificate/key pair to encrypt and sign," writes Lee. "Therefore the AD server can verify that it issued the MFA Token. However, the AD server does not verify the relationship of the MFA Token to the identity being logged in, allowing the attacker to log in as [the target] using [the attacker's] second factor."

One way to verify that relationship, suggests Okta, would be for Microsoft to include the username in the signed data of the MFA Context.

The flaw was discovered by researcher Andrew Lee in March 2018. Okta first attempted to mitigate the problem within its own ADFS Agent, but found this was not possible. In April, Okta reported the issue to Microsoft, who confirmed they were able to reproduce the issue within 4 days.

Microsoft set its remediation process in action, and set a patch date in early May. In July it filed CVE-2018-8340. It arranged to release its fix on Patch Tuesday (August 14, 2018); and Okta published the vulnerability details.

Okta told SecurityWeek that it has seen nothing to suggest that this flaw has been used against any of its customers.


Foreshadow: New Speculative Execution Flaws Found in Intel CPUs
15.8.2018 securityweek Hacking

Researchers and several major tech companies on Tuesday disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.

The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), were discovered independently by two research teams, who reported their findings to Intel in January, shortly after the existence of the notorious Spectre and Meltdown vulnerabilities was made public.

There are three Foreshadow vulnerabilities: CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).Foreshadow: New speculative execution vulnerability in Intel processors

“Each variety of L1TF could potentially allow unauthorized disclosure of information residing in the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next,” Intel said.

Researchers initially discovered the SGX vulnerability and Intel identified the two other issues while analyzing the cause of Foreshadow.

“While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key. Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem,” researchers said.

“[Foreshadow-NG] attacks can potentially be used to read any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System's Kernel, or Hypervisor. Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre,” they explained.

The security holes impact Intel’s Core and Xeon processors. According to the company, the patches released for these vulnerabilities don’t have a significant impact on performance, either on PC clients or data center workloads.

There is no indication that these vulnerabilities have been exploited for malicious purposes. Impacted tech companies have released patches and mitigations, which should prevent attacks when combined with the software and microcode updates released in response to Meltdown and Spectre.

AMD says its products are not impacted by Foreshadow or Foreshadow-NG due to the company’s “hardware paging architecture protections.”

“We are advising customers running AMD EPYC™ processors in their data centers, including in virtualized environments, to not implement Foreshadow-related software mitigations for their AMD platforms,” AMD told SecurityWeek in an emailed statement.

Advisories and blog posts containing technical details on Foreshadow have been published by Microsoft, Cisco, Oracle, VMware, Linux kernel developers, the Xen Project, Red Hat, SUSE and others. The researchers who discovered Foreshadow have also set up a dedicated website where users can get more information.

 

 


North Dakota Guard Unit Alerted of Potential Deployment
15.8.2018 securityweek IT

BISMARCK, N.D. (AP) — A North Dakota Army National Guard unit based in Bismarck has been notified it could be mobilized.

Detachment 1, 174th Cyber Protection Team has about seven soldiers on an alert status. The unit is led by 1st Lt. Charles Werner of Upham.

The Bismarck Tribune reports the decision to mobilize this unit has not yet occurred.

If mobilized, the unit would provide network security and cyber defense operations in support of the Department of Defense early next year at Fort Meade, Maryland.

North Dakota's adjutant general, Maj. Gen. Al Dohrmann, says the unit's potential mission would mark a new era for the North Dakota National Guard "as it engages in cutting-edge cyber operations technology."

Currently, about 45 North Dakota Guardsmen are mobilized for stateside and overseas missions.


Tech Giants Face Hefty Fines Under Australia Cyber Laws
15.8.2018 securityweek IT

Tech companies could face fines of up to Aus$10 million (US$7.3 million) if they fail to hand over customer information or data to Australian police under tough cyber laws unveiled Tuesday.

The government is updating its communication laws to compel local and international providers to co-operate with law enforcement agencies, saying criminals were using technology, including encryption, to hide their activities.

The legislation, first canvassed by Canberra last year, will take into account privacy concerns by "expressly" preventing the weakening of encryption or the introduction of so-called backdoors, Cyber Security Minister Angus Taylor said.

Taylor said over the past year, some 200 operations involving serious criminal and terrorism-related investigations were negatively impacted by the current laws.

"We know that more than 90 percent of data lawfully intercepted by the Australian Federal Police now uses some form of encryption," he added in a statement.

"We must ensure our laws reflect the rapid take-up of secure online communications by those who seek to do us harm."

The laws have been developed in consultation with the tech and communications industries and Taylor stressed that the government did not want to "break the encryption systems" of companies.

"The (law enforcement) agencies are convinced we can get the balance right here," he told broadcaster ABC.

"We are only asking them to do what they are capable of doing. We are not asking them to create vulnerabilities in their systems that will reduce the security because we know we need high levels of security in our communications."

The type of help that could be requested by Canberra will include asking a provider to remove electronic protections, concealing covert operations by government agencies, and helping with access to devices or services.

If companies did not comply with the requests, they face fines of up to Aus$10 million, while individuals could be hit with penalties of up to Aus$50,000. The requests can be challenged in court.

The draft legislation expands the obligations to assist investigators from domestic telecom businesses to encompass foreign companies, including any communications providers operating in Australia.

This could cover social media giants such as Facebook, WhatsApp and gaming platforms with chat facilities.

The Digital Industry Group (DIGI), which represents tech firms including Facebook, Google, Twitter and Oath in Australia, said the providers were already working with police to respond to requests within existing laws and their terms of service.

DIGI managing director Nicole Buskiewicz called for "constructive dialogue" with Canberra over the adoption of surveillance laws that respect privacy and freedom of expression.


Key Reuse opens to attacks on IPsec IKE, Cisco, Huawei, ZyXEL products are affected
14.8.2018 securityaffairs Hacking

Security expert demonstrated that reusing a key pair across different versions and modes of IPsec IKE open the doors to attacks. Many vendors are affected
Security researchers from the University of Opole in Poland and the Ruhr-University Bochum in Germany have devised a new attack technique that allows cracking encrypted communications.

The products of several vendors, including Cisco, Huawei, ZyXEL, and Clavister, are vulnerable to the attack.

The experts will present their findings this week at the 27th USENIX Security Symposium, meantime they have released a research paper.

“In this paper, we show that reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication.” reads the paper.

“Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature-based authentication in both IKEv1 and IKEv2.”

The experts focused their analysis on the impact of key reuse on Internet Protocol Security (IPsec). IPsec is used for virtual private networks (VPNs). The cryptographic key for IPsec leverages the Internet Key Exchange (IKE) protocol, which has two versions, IKEv1 and IKEv2.

The experts have also described an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE.

The researchers found Bleichenbacher oracles in the IKEv1 implementations of Cisco (CVE-2018-0131), Huawei (CVE2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129).

Major vendors, including Cisco, Huawei and ZyXEL have published security advisories for this vulnerability.

The Cisco’s advisory describes the issue as an issue in the implementation of RSA-encrypted nonces in the IOS and IOS XE software. A remote unauthenticated attacker can obtain the encrypted nonces of an IKEv1 session by sending specially crafted ciphertexts to the targeted system.

“A vulnerability in the implementation of RSA-encrypted nonces in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session.” reads the advisory published by Cisco.

“The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces. A successful exploit could allow the attacker to obtain the encrypted nonces.”

According to ZyXEL, the Bleichenbacher attack works against the ZyWALL and USG series network security appliances, the vendor already released firmware updates that address the vulnerability.

According to the Huawei’s advisory, its firewall products are affected by the flaw.


Google tracks users’ movements even if they have disabled the “Location History” on devices
14.8.2018 securityaffairs BigBrothers

According to the AP, many Google services on both Android and iPhone store records of user location even if the users have disabled the “Location History”.
According to a recent investigation conducted by the Associated Press, many Google services on both Android and iPhone devices store records of user location data, and the bad news is that they do it even if the users have disabled the “Location History” on devices.

When a user disables the “Location History” from the privacy settings of Google applications, he should prevent Google from stole location data.

Currently, the situation is quite different, experts from AP discovered that even when users have turned off the Location History, some Google apps automatically store “time-stamped location data” without explicit authorization.

“Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it .)” reads the post published by AP.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are,”

“And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

The AP has used location data from an Android smartphone with ‘Location History’ disabled to desing a map of the movements of Princeton postdoctoral researcher Gunes Acar.

Location History

Data plotted on the map includes records of Dr. Acar’s train commute on two trips to New York and visits to the High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem other markers on the map, including Acar’s home address.

“The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.” continues the AP.
Google replied to the study conducted by the AP with the following statement:

“There are a number of different ways that Google may use location to improve people’s experience, including Location History, Web, and App Activity, and through device-level Location Services. We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.” states Google.

Jonathan Mayer, a Princeton researcher and former chief technologist for the FCC’s enforcement bureau, remarked that location history data should be disabled when the users switch off’ the Location History,

“If you’re going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off. That seems like a pretty straightforward position to have.”

The good news is it is possible to stop Google from collecting your location, it is sufficient to turn off the “Web and App Activity” setting, anyway, Google will continue to store location markers.

Open your web browser, go to myactivity.google.com, select “Activity Controls” and now turn off the “Web & App Activity” and “Location History. features”

For Android Devices:
Go to the “Security & location” setting, select “Privacy”, and tap “Location” and toggle it off.

For iOS Devices:
Google Maps users can access Settings → Privacy Location Services and change their location setting to ‘While Using’ the app.


Faxploit – Critical flaws potentially exposes millions of HP OfficeJet Printers to hack
14.8.2018 securityaffairs
Exploit

A vulnerability in HP OfficeJet all-in-one inkjet printer can be exploited by attackers to gain control of the printer and use it as entry point into the network environment.
A critical vulnerability potentially exposes millions of HP OfficeJet printers to hack, according to the experts at Check Point the attackers only need to send a fax to the vulnerable printers.

The researchers discovered two critical vulnerabilities in HP’s implementation of a widely used fax protocol implemented in all its OfficeJet all-in-one inkjet printers.

The vulnerabilities affect the HP all-in-one printers that support Group 3 (G3) fax protocols that are part of the ITU T.30 standard for sending and receiving color faxes.

OfficeJet HP flawCheckpoint experts reported the flaws to HP and shared details for the two vulnerabilities at the DEF CON conference.

The researchers devised an attack technique dubbed Faxploit, they demonstrated that once the attackers have compromised a fax machine they could leverage the NSA exploit EternalBlue for lateral movements.

“The below diagram shows the Faxploit attack flow, following which a threat actor could then move laterally across your network to access your organization’s most confidential information.” reads the blog post published by CheckPoint Security.

“The crucial element to notice is that whereas most attacks today penetrate through an internet connection to enter an organization’s network, using this vulnerability in the fax protocol even a network that is completely detached would be vulnerable. This is due to the attack being channeled through a route that until now was considered to be secure and need not have protection layers applied.”

HP OfficeJet all-in-one inkjet printer 2

The experts explained that attackers run several type of attack, such as stealing documents or tampering with the fax content by replacing the documents received with altered versions of them.

The fax flaws could be exploited by attackers during the receiving handshake.

“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.

The expert explained that when sending a fax the OfficeJet printer it is used the TIFF image format. The sender’s fax broadcasts the .TIFF meta-data for the receiving fax machine to set transmission parameters such as page sizes. According to the ITU T.30 standard protocol, the receiver’s fax will have to analyze meta-data for data continuity and sanitation, but exports discovered that by sending a color fax, they noticed the sending/receiving machines used the image format .JPG instead of .TIFF.

“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file,” researchers noted. “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”

The vulnerable OfficeJet printers used a custom JPEG parser to parse the fax data, instead of using libjpeg, the developers implemented their own JPEG parser.

The experts examined the parser and discovered two stack-based buffer overflow vulnerabilities.

HP also released security patches for both vulnerabilities tracked as CVE-2018-5925 and CVE-2018-5924.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.


Researcher Finds Hundreds of Planes Exposed to Remote Attacks
13.8.2018 securityweek
Vulnerebility

Hacking airplanes via satcom systems

A researcher has discovered that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems.

Back in 2014, IOActive Principal Security Consultant Ruben Santamarta published a research paper describing theoretical attack scenarios on satellite communications. The expert resumed his research in November 2017, after taking a look at the in-flight entertainment system during a Norwegian flight.

After passively collecting traffic from the airplane’s Wi-Fi network, Santamarta noticed that several commonly used services, such as Telnet, HTTP and FTP, were available for certain IP addresses, and some interfaces associated with the plane’s on-board satellite communications (satcom) modems were accessible without authentication.

Further research into satcom systems revealed the existence of various types of vulnerabilities, including insecure protocols, backdoors, and improper configuration that could allow attackers to take control of affected devices. The expert disclosed his findings this week at the Black Hat security conference in Las Vegas.

Specifically, Santamarta has found security holes that can be exploited by remote hackers to take control of satcom equipment on commercial flights, earth stations on ships, and earth stations used by the U.S. military in conflict zones.

In the case of commercial aviation, the researcher discovered that hackers could have targeted, from the ground, hundreds of planes from Southwest, Norwegian and Icelandair.

Worryingly, in the case of one airplane, the researcher discovered that its satcom terminal had already been targeted from the ground by the Gafgyt IoT botnet via a compromised router.

“There is no indication that this malware family either had success accessing the SATCOM terminal on any aircraft or that it was specifically targeting airborne routers, so we should consider this situation as a ‘collateral damage’. However, the astonishing fact is that this botnet was, inadvertently, performing brute-force attacks against SATCOM modems located onboard an in-flight aircraft,” Santamarta wrote in his research paper.

Even more worrying is the fact that one of the vessels analyzed by the expert already had its Antenna Control Unit (ACU) infected with the Mirai malware.

In the military and maritime sectors, remote attacks on satcom systems could pose a safety risk. For instance, in the case of ships, attackers could disrupt communications and they can conduct cyber-physical attacks using high-intensity radiated field (HIRF), a radio-frequency energy strong enough to adversely affect living organisms and electronic devices. In the case of the military, malicious actors could abuse satcom systems to pinpoint the location of military units, disrupt communications, and conduct HIRF attacks.

On the other hand, remote attacks on an aircraft’s satcom equipment do not pose a safety risk due to the isolation between various systems on board. However, a hacker could still intercept or modify in-flight Wi-Fi traffic, and hijack devices belonging to passengers and crew.

IOActive disclosed the findings to affected vendors and organizations such as US-CERT and ICS-CERT, and while the aforementioned airlines and some of the affected equipment manufacturers have taken steps to address the issues, others have not been very open to collaboration.

In addition to Santamarta’s presentation at Black Hat, IOActive Senior Security Consultant Josep Pi Rodriguez, will on Sunday give a talk at the DEF CON conference on vulnerabilities discovered in the Extreme Networks embedded WingOS.

According to the researcher, the flaws he has identified can be exploited to hack millions of devices found in aircraft, government agencies, and smart cities.


Kaspersky VPN Bug Leaked DNS Lookups
13.8.2018 securityweek Safety

A recently patched security vulnerability in the Kaspersky VPN application for Android resulted in DNS queries being exposed even after the user connected to a virtual server.

The flaw was discovered in Kaspersky VPN version 1.4.0.216 and is believed to affect previous iterations of the Android software.

According to Dhiraj Mishra, the security researcher who discovered the bug, the application would send DNS queries outside the established VPN tunnel. The privacy issue could be triggered when connecting to any random virtual server, and basically allowed a DNS service to log the domain names of the sites visited by users.

Kaspersky VPN has more than 1 million downloads in Google Play.

“I believe this leaks the traces of an end user who wants to remain anonymous on the internet,” the researcher notes in a blog post.

The vulnerability was reported to Kaspersky via the anti-virus maker’s bug bounty program on HackerOne on April 21. A fix was already released for the flaw, but no reward was issued for the finding, the security researcher says.

As per Kaspersky’s public bug bounty program’s rules, rewards are handed out for flaws that result in leaked sensitive data, but only user passwords, payment data, and authentication tokens are considered within the scope of the program.

Thus, it becomes clear that the researcher’s discovery of a bug that results in leaked DNS addresses doesn’t fall within the bug bounty program’s scope.

On the other hand, however, Kaspersky does note in the application’s description in Google Play, that its VPN software can keep users anonymous while they browse the Internet.

“Because your location and your IP address aren't revealed through the VPN service, it's easier for you to access websites and content in other regions – without being traced,” Kaspersky VPN’s description reads.

Responding to a SecurityWeek inquiry, Kaspersky Lab confirmed the flaw and recognized Dhiraj’s contribution to improving the app’s security: “This vulnerability was responsibly reported by the researcher, and was fixed in June.”

Kaspersky also confirmed that the researcher did not receive a bug bounty reward for the discovery.

“The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products,” Kaspersky said.


Beware the Fax Machine: Some Hackers Target Old Gadgets
13.8.2018 securityweek
Exploit

What could be less threatening than the old office fax machine? Nothing. That's precisely why it's used as a backdoor for hackers to get into an organization's network.

Check Point, a cyber security firm in Israel, said Sunday that their research discovered security flaws in tens of millions of fax machines.

The hack works by sending an image file through the phone line — or a file that the fax machine thinks is an image file — and that is coded to contain malicious software. When a company receives the photo, the image is decoded and uploaded into the fax-printer's memory, allowing the hackers to take over the device and spreading the malicious code through the network.

Hackers could infiltrate a network by exploiting all-in-one printer-fax machines.

"Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multifunction office and home printers," said Yaniv Balmas, group manager of security research at Check Point.

The researchers focused on Hewlett Packard's OfficeJet Pro all-in-one fax printers — the global market leader for fax machines. Hewlett Packard quickly fixed the issue — a patch is available on their support page — but the same vulnerabilities are present in most fax machines, including those by Canon and Epson.

Many machines are too old to even update. That means it will be difficult for companies to stop hackers from entering their system.

Globally, businesses use an estimated 45 million fax machines. Faxes are still widely used in healthcare, banking, and law, sectors in which highly sensitive data is stored. In the U.S. medical sector, 75 percent of all communications are sent by fax.

To prevent organizations' networks from becoming compromised, experts recommend that companies check if their fax machines can be updated, or place fax devices on a secure network that is separate from the networks that carry sensitive information.


Smart Irrigation Systems Expose Water Utilities to Attacks
13.8.2018 securityweek IoT

A team of experts has analyzed smart irrigation systems from several vendors and found vulnerabilities that can be exploited to cause potentially serious disruptions to urban water services.

Researchers from the Ben-Gurion University of the Negev in Israel recently published a paper describing what they call a “piping botnet,” a botnet of smart sprinklers that can be used to quickly empty water towers and even anti-flood water reservoirs.

Based on an analysis of popular smart irrigation systems from RainMachine, BlueSpray and GreenIQ, they determined that a bot running on a device in the same local area network (LAN) can detect an irrigation system within 15 minutes by analyzing outgoing traffic. They also showed that the bot can initiate the watering process and cause significant damage.

“While previous attacks against critical infrastructure required the attacker to compromise the systems of critical infrastructure, we present an attack against critical infrastructure that does not necessitate compromising the infrastructure itself and is done indirectly by attacking attacking client infrastructure that is not under the control of the critical infrastructure provider,” the researchers explained in their paper.

Smart irrigation systems rely on sensors and online services for improved efficiency. Users can control the system remotely from a mobile phone or computer, and they can configure it using a dedicated cloud service. These products can also adapt the watering schedule based on data obtained from weather forecast services.

While many smart irrigation systems communicate via Wi-Fi, some also have a GSM component that gives them direct access to the Internet. Researchers conducted an Internet search using Shodan and discovered tens of exposed devices from one of the targeted vendors.

According to the experts, malicious actors can create a botnet of smart irrigation systems by infecting various types of Internet-connected devices with malware (e.g. routers, laptops, smartphones). The malware searches the local network for irrigation systems and takes control of them using various security flaws. The attacker can then manipulate the compromised system via command and control (C&C) servers.

Once in the network, hackers can launch man-in-the-middle (MitM) attacks and spoof the input of the irrigation system. Researchers found that attackers could spoof the system’s configuration, the weather forecast, and various sensors (rain, water flow and soil moisture sensors) to manipulate the sprinklers.

In addition to spoofing attacks, hackers can launch replay attacks, where they send arbitrary instructions to the targeted device in the form of legitimate data. Specially crafted HTTP packets containing watering plan updates are sent to the system so that the sprinklers are activated as specified by the attacker.

Replay attacks can also be used to open the valves of smart irrigation systems and initiate the watering process whenever the hacker wishes. In their experiments, researchers got the master valve of a system to open and close every ten seconds.

Piping botnet targets smart irrigation systems

Launching malicious attacks against irrigation systems can have a significant impact on water utilities and their customers, the researchers warned.

For example, threat actors can activate sprinklers and keep them running until areal reservoirs and water tanks have been emptied, which can result in temporary water outages or at least a reduction of the water flow. This can be particularly problematic in regions where there is a shortage of water.

Based on the calculations performed by the researchers, a botnet of roughly 1,300 irrigation systems can empty a standard water tower in an hour. A larger botnet of nearly 24,000 sprinklers can empty an anti-flood water reservoir overnight.

Increasing the water consumption also leads to financial damage, which can be significant, especially in areas where water is expensive.

Each type of attack was demonstrated against one of the targeted products. All impacted vendors, including one weather forecast service abused in the tests, were notified in June and some of them have started implementing measures to prevent potential attacks.


Google Tracks Your Movements, Like It or Not
13.8.2018 securityweek BigBrothers

Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.

An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you've used privacy settings that say they will prevent it from doing so.

Computer-science researchers at Princeton confirmed these findings at the AP's request.

For the most part, Google is upfront about asking permission to use your location information. An app like Google Maps will remind you to allow access to location if you use it for navigating. If you agree to let it record your location over time, Google Maps will display that history for you in a "timeline" that maps out your daily movements.

Storing your minute-by-minute travels carries privacy risks and has been used by police to determine the location of suspects — such as a warrant that police in Raleigh, North Carolina, served on Google last year to find devices near a murder scene. So the company will let you "pause" a setting called Location History.

Google says that will prevent the company from remembering where you've been. Google's support page on the subject states: "You can turn off Location History at any time. With Location History off, the places you go are no longer stored."

That isn't true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.

For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like "chocolate chip cookies," or "kids science kits," pinpoint your precise latitude and longitude — accurate to the square foot — and save it to your Google account.

The privacy issue affects some two billion users of devices that run Google's Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.

Storing location data in violation of a user's preferences is wrong, said Jonathan Mayer, a Princeton computer scientist and former chief technologist for the Federal Communications Commission's enforcement bureau. A researcher from Mayer's lab confirmed the AP's findings on multiple Android devices; the AP conducted its own tests on several iPhones that found the same behavior.

"If you're going to allow users to turn off something called 'Location History,' then all the places where you maintain location history should be turned off," Mayer said. "That seems like a pretty straightforward position to have."

Google says it is being perfectly clear.

"There are a number of different ways that Google may use location to improve people's experience, including: Location History, Web and App Activity, and through device-level Location Services," a Google spokesperson said in a statement to the AP. "We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time."

To stop Google from saving these location markers, the company says, users can turn off another setting, one that does not specifically reference location information. Called "Web and App Activity" and enabled by default, that setting stores a variety of information from Google apps and websites to your Google account.

When paused, it will prevent activity on any device from being saved to your account. But leaving "Web & App Activity" on and turning "Location History" off only prevents Google from adding your movements to the "timeline," its visualization of your daily travels. It does not stop Google's collection of other location markers.

You can delete these location markers by hand, but it's a painstaking process since you have to select them individually, unless you want to delete all of your stored activity.

You can see the stored location markers on a page in your Google account at myactivity.google.com, although they're typically scattered under several different headers, many of which are unrelated to location.

To demonstrate how powerful these other markers can be, the AP created a visual map of the movements of Princeton postdoctoral researcher Gunes Acar, who carried an Android phone with Location history off, and shared a record of his Google account.

The map includes Acar's train commute on two trips to New York and visits to The High Line park, Chelsea Market, Hell's Kitchen, Central Park and Harlem. To protect his privacy, The AP didn't plot the most telling and frequent marker — his home address.

Huge tech companies are under increasing scrutiny over their data practices, following a series of privacy scandals at Facebook and new data-privacy rules recently adopted by the European Union. Last year, the business news site Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were off. Google changed the practice and insisted it never recorded the data anyway.

Critics say Google's insistence on tracking its users' locations stems from its drive to boost advertising revenue.

"They build advertising information out of data," said Peter Lenz, the senior geospatial analyst at Dstillery, a rival advertising technology company. "More data for them presumably means more profit."

The AP learned of the issue from K. Shankari, a graduate researcher at UC Berkeley who studies the commuting patterns of volunteers in order to help urban planners. She noticed that her Android phone prompted her to rate a shopping trip to Kohl's, even though she had turned Location History off.

"So how did Google Maps know where I was?" she asked in a blog postq.

The AP wasn't able to recreate Shankari's experience exactly. But its attempts to do so revealed Google's tracking. The findings disturbed her.

"I am not opposed to background location tracking in principle," she said. "It just really bothers me that it is not explicitly stated."

Google offers a more accurate description of how Location History actually works in a place you'd only see if you turn it off — a popup that appears when you "pause" Location History on your Google account webpage. There the company notes that "some location data may be saved as part of your activity on other Google services, like Search and Maps."

Google offers additional information in a popup that appears if you re-activate the "Web & App Activity" setting — an uncommon action for many users, since this setting is on by default. That popup states that, when active, the setting "saves the things you do on Google sites, apps, and services ... and associated information, like location."

Warnings when you're about to turn Location History off via Android and iPhone device settings are more difficult to interpret. On Android, the popup explains that "places you go with your devices will stop being added to your Location History map." On the iPhone, it simply reads, "None of your Google apps will be able to store location data in Location History."

The iPhone text is technically true if potentially misleading. With Location History off, Google Maps and other apps store your whereabouts in a section of your account called "My Activity," not "Location History."

Since 2014, Google has let advertisers track the effectiveness of online ads at driving foot traffic , a feature that Google has said relies on user location histories.

The company is pushing further into such location-aware tracking to drive ad revenue, which rose 20 percent last year to $95.4 billion. At a Google Marketing Live summit in July, Google executives unveiled a new tool called "local campaigns" that dynamically uses ads to boost in-person store visits. It says it can measure how well a campaign drove foot traffic with data pulled from Google users' location histories.

Google also says location records stored in My Activity are used to target ads. Ad buyers can target ads to specific locations — say, a mile radius around a particular landmark — and typically have to pay more to reach this narrower audience.

While disabling "Web & App Activity" will stop Google from storing location markers, it also prevents Google from storing information generated by searches and other activity. That can limit the effectiveness of the Google Assistant, the company's digital concierge.

Sean O'Brien, a Yale Privacy Lab researcher with whom the AP shared its findings, said it is "disingenuous" for Google to continuously record these locations even when users disable Location History. "To me, it's something people should know," he said.


Critical Flaws Found in NetComm Industrial Routers
13.8.2018 securityweek ICS 
Vulnerebility

An industrial router made by Australian telecommunications equipment company NetComm Wireless is affected by several serious vulnerabilities that can be exploited remotely to take control of affected devices.

According to an advisory published last week by ICS-CERT, NetComm 4G LTE Light industrial M2M routers running firmware version 2.0.29.11 and prior are impacted by four vulnerabilities. The list includes information disclosure, cross-site scripting (XSS) and cross-site request forgery (CSRF) issues that have been assigned the CVE identifiers CVE-2018-14782 through CVE-2018-14785.

Researcher Aditya K. Sood, who has been credited for finding the vulnerabilities, told SecurityWeek that one of the security holes allows an unauthenticated attacker to access information about a device’s web server. NetComm patches critical flaws in industrial routers

A CSRF vulnerability, present due to failure to enforce a token mechanism, can be exploited by a remote attacker to perform various actions, including to change the password to the router’s web interface.

An XSS flaw is caused by the failure of the application hosted on the embedded web server to implement input filtering and sanitization.

“Any arbitrary value passed by the remote user was processed and rendered in the application. As a result, the payload passed as a value gets executed in the browser. The attacker could have stolen session information or could have executed malicious code via the NetComm router web interface,” Sood explained.

The last vulnerability is an information disclosure issue that can be exploited by an attacker to obtain details on the router’s components.

 NetComm patches critical flaws in industrial routers

The CSRF and XSS flaws have been classified by ICS-CERT as “critical,” while the information disclosure issues are said to be “high severity.” CSRF and XSS flaws typically require the targeted user to click on a link.

The flaws can be exploited remotely from the Internet. A search revealed the existence of hundreds of devices exposed to attacks, Sood told SecurityWeek.

“The vulnerabilities combined with other sets of attacks and specific command execution to alter the configuration could result in compromising the device at the system level,” the researcher explained.

The expert reported his findings via ICS-CERT in October 2017. NetComm appears to have released a firmware update that patches the security holes in mid-May 2018.


IBM Describes AI-powered Malware That Can Hide Inside Benign Applications
13.8.2018 securityweek
Virus

IBM Researchers Describe "DeepLocker" as a Stealthy, Evasive, Targeted Attack Methodology in a Class of Its Own

Cybersecurity is an arms-race game of leapfrog. Adversaries gain the upper hand until they are leapfrogged by a superior technology from the defenders; which lasts as long as it takes for the adversaries to develop a new technology or methodology, and a new defensive technology is required. We have reached the point where many cybersecurity vendors claim to have gained the upper hand against adversaries through the use of artificial intelligence (AI) and machine learning (ML) threat detection.

But deep down, everyone knows this game of leap frog will continue. Adversaries are expected -- and in some cases have started -- to use their own application of AI and ML to defeat that of the defenders. At the Black Hat conference on Thursday, IBM presented just one way that black hats could do just that: a new class of AI-enhanced malware attack it calls DeepLocker.

Dr. Marc Ph. Stoecklin, principal research scientist and manager, cognitive cybersecurity intelligence, IBM Research, described the methodology to SecurityWeek. This is the IBM team that started Watson within IBM. While the team's primary purpose is to develop new AI applications to enhance security and improve threat detection, "We also need to understand where attackers are going," said Stoecklin. "So, we spend quite a lot of time understanding the threat landscape, evolutions of technologies, and how attackers are benefitting from the technology shifts going on."

AI is perhaps the major current technology shift. "With the progression and democratization of AI," warned Stoecklin, "there is a new shift going on where attackers can very easily and very quickly weaponize existing AI tools that are open source, and build highly effective and capable attacks." DeepLocker is the result of research into what is already possible, using only freely available open-source AI technology. It is not required for adversaries to develop anything new, but merely to use current technology in a new manner.

"DeepLocker," Stoecklin told SecurityWeek, "uses AI to hide any malicious payload invisibly within a benign, popular application -- for example, any popular web conferencing application. With DeepLocker we can embed a malicious payload and hide it within the videoconferencing application. Through the use of AI," he added, "the conditions to unlock the malicious behavior will be almost impossible to reverse engineer."

DeepLocker - Advanced Malware

In short, DeepLocker is a methodology for hiding malware within a legitimate application in a manner that would prevent any researcher or threat hunter from knowing that it is there. But DeepLocker goes further. The key to unlocking and detonating the malware is the biometric recognition of a predefined target. This means that DeepLocker malware can be widely distributed to millions of users, but it will only ever activate against the precise target or targets.

"You can think of this capability as similar to a sniper attack in contrast to the 'spray and pray' approach of traditional malware," writes Stoecklin in an associated blog. "It is designed to be stealthy and fly under the radar, avoiding detection until the very last moment when a specific target has been recognized. What makes this AI-powered malware particularly dangerous is that, similar to how nation-state malware works, it could infect millions of systems without ever being detected, only unleashing its malicious payload to specified targets which the malware operator defines. But unlike nation-state malware, it is a concept that is feasible in the civilian and commercial realms."

The military 'sniper' allusion is telling. IBM would not be drawn on whether any nation-states are already using this particular technique; but it is certainly not impossible. Consider Stuxnet. It was a targeted attack against Iran, but it escaped and was ultimately reverse engineered and understood -- leading to considerable embarrassment to the U.S. government, and to a lesser degree Israel.

Had the Stuxnet payload been embedded in the DeepLocker methodology, it would (almost certainly) never have escaped and never been reverse-engineered. Attribution becomes almost impossible, and nation-states could deliver highly targeted attacks with a higher degree of impunity. Zero-day exploits could be employed with less certainty that defenders could reverse engineer and create defenses.

In the Black Hat presentation on Thursday, IBM used a Wannacry payload embedded within DeepLocker in a video conferencing application, triggered by facial recognition of the intended victim. This is a particularly pernicious example. Triggering a targeted wiper could first destroy the target's computer while removing all evidence of what had happened.

"Basically," explained Stoecklin, "we can train the AI to recognize a specific person, a specific victim or target -- and only when that person is sitting in front of a computer and can be recognized via the web cam, then a key can be derived that allows the software to unlock the malicious behavior."

The trigger can be anything -- facial recognition, behavioral biometrics, or the presence of a particular application on the system to help target a specific group or company. "Take yourself." IBM said. "As a journalist you do a lot of writing and will have your own stylometry. We could train the AI to recognize a concentration of your documents with your stylometry, and trigger on that basis. You add a couple of more -- geolocation, IP address -- and you only need a few details to uniquely recognize and identify anyone in the world."

This just leaves delivery. "Upstream," suggested IBM. Like CCleaner. CCleaner was infected by attackers and downloaded by millions of users. If the infection had been hidden in DeepLocker, only the intended target or targets would have been affected by the malware. Other upstream targets could include CMS add-ons known to be used by the target.

While the threat seems extreme, its success is not inevitable. The threat comes from the increasing use of AI-powered attacks that challenge traditional rule-based security tools. "We, as defenders," blogs Stoecklin, "also need to lean-in to the power of AI as we develop defenses against these new breeds of attack. A few areas that we should focus on immediately include the use of AI in detectors, going beyond rule-based security, reasoning and automation to enhance the effectiveness of security teams, and cyber deception to misdirect and deactivate AI-powered attacks."

At the same time, not everyone believes that DeepLocker will be undetectable. Ilia Kolochenko, CE at High-Tech Bridge, comments, “We are still pretty far from AI/ML hacking technologies that can outperform the brain of a criminal hacker. Of course, cybercriminals are already actively using machine learning and big data technologies to increase their overall effectiveness and efficiency. But," he said, "it will not invent any substantially new hacking techniques or something beyond a new vector of exploitation or attack as all of those can be reliably mitigated by the existing defense technologies. Moreover, many cybersecurity companies also start leveraging machine learning with a lot of success, hindering cybercrime. Therefore, I see absolutely no reason for panic today.”


Nigerian Man Found Guilty on Charges Related to Hacking
13.8.2018 securityweek Hacking

ATLANTA (AP) — A jury in Atlanta has convicted a Nigerian man on federal charges related to hacking universities.

Prosecutors said in a news release Monday that 34-year-old Olayinka Olaniyi and co-defendant 29-year-old Damilola Solomon Ibiwoye ran several phishing scams targeting employees at U.S. colleges and universities, including Georgia Tech and the University of Virginia.

Prosecutors say they obtained employee logins and passwords and used them to steal payroll deposits and to file fraudulent tax returns.

Olaniyi was convicted last week of conspiracy to commit wire fraud, computer fraud and aggravated identity theft. He is to be sentenced Oct. 22.

Ibiwoye, who's also from Nigeria, pleaded guilty to similar charges. He was sentenced to serve three years and three months in prison.


Faxploit – Critical flaws potentially exposes millions of HP OfficeJet Printers to hack
13.8.2018 securityaffairs
Vulnerebility

A vulnerability in HP OfficeJet all-in-one inkjet printer can be exploited by attackers to gain control of the printer and use it as entry point into the network environment.
A critical vulnerability potentially exposes millions of HP OfficeJet printers to hack, according to the experts at Check Point the attackers only need to send a fax to the vulnerable printers.

The researchers discovered two critical vulnerabilities in HP’s implementation of a widely used fax protocol implemented in all its OfficeJet all-in-one inkjet printers.

The vulnerabilities affect the HP all-in-one printers that support Group 3 (G3) fax protocols that are part of the ITU T.30 standard for sending and receiving color faxes.

OfficeJet HP flawCheckpoint experts reported the flaws to HP and shared details for the two vulnerabilities at the DEF CON conference.

The researchers devised an attack technique dubbed Faxploit, they demonstrated that once the attackers have compromised a fax machine they could leverage the NSA exploit EternalBlue for lateral movements.

“The below diagram shows the Faxploit attack flow, following which a threat actor could then move laterally across your network to access your organization’s most confidential information.” reads the blog post published by CheckPoint Security.

“The crucial element to notice is that whereas most attacks today penetrate through an internet connection to enter an organization’s network, using this vulnerability in the fax protocol even a network that is completely detached would be vulnerable. This is due to the attack being channeled through a route that until now was considered to be secure and need not have protection layers applied.”

HP OfficeJet all-in-one inkjet printer 2

The experts explained that attackers run several type of attack, such as stealing documents or tampering with the fax content by replacing the documents received with altered versions of them.

The fax flaws could be exploited by attackers during the receiving handshake.

“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.

The expert explained that when sending a fax the OfficeJet printer it is used the TIFF image format. The sender’s fax broadcasts the .TIFF meta-data for the receiving fax machine to set transmission parameters such as page sizes. According to the ITU T.30 standard protocol, the receiver’s fax will have to analyze meta-data for data continuity and sanitation, but exports discovered that by sending a color fax, they noticed the sending/receiving machines used the image format .JPG instead of .TIFF.

“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file,” researchers noted. “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”

The vulnerable OfficeJet printers used a custom JPEG parser to parse the fax data, instead of using libjpeg, the developers implemented their own JPEG parser.

The experts examined the parser and discovered two stack-based buffer overflow vulnerabilities.

HP also released security patches for both vulnerabilities tracked as CVE-2018-5925 and CVE-2018-5924.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.


Oracle warns of CVE-2018-3110 Critical Vulnerability in Oracle Database product, patch it now!
13.8.2018 securityaffairs
Vulnerebility

Last week Oracle disclosed a critical vulnerability in its Oracle Database product, the issue tracked as CVE-2018-3110 has received a CVSS score of 9.9,
On Friday, Oracle released security patches to address a critical vulnerability affecting its Database product, the company is urging install them as soon as possible.

The vulnerability resides in the Java VM component of Oracle Database Server, a remote authenticated attacker can exploit it take complete control of the product and establish a shell access to the underlying server.

The vulnerability, tracked as CVE-2018-3110, affects Oracle Database 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows and 12.1.0.2 running on Unix or Linux.

“Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.” reads the security advisory published by Oracle “Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM. “

The Version 12.1.0.2 on both Windows and Unix/Linux systems was already addressed with the Oracle July 2018 CPU.

“Due to the nature of this vulnerability, Oracle recommends that customers apply these patches as soon as possible.” reads the blog post published by Oracle.

“This means that:

Customers running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows should apply the patches provided by the Security Alert.
Customers running version 12.1.0.2 on Windows or any version of the database on Linux or Unix should apply the July 2018 Critical Patch Update if they have not already done so.”
Oracle “strongly recommends that customers take action without delay.”


Critical Vulnerability Patched in Oracle Database
13.8.2018 securityweek
Vulnerebility

Oracle informed customers late on Friday that its Database product is affected by a critical vulnerability. Patches have been released and users have been advised to install them as soon as possible.

The security hole, tracked as CVE-2018-3110 with a CVSS score of 9.9, affects Oracle Database 11.2.0.4 and 12.2.0.1 on Windows. Version 12.1.0.2 on Windows and Database running on Unix or Linux are also impacted, but patches for these versions were included in Oracle’s July 2018 CPU.

The vulnerability, present in the Java VM component of Oracle Database Server, can be exploited to take complete control of the product and obtain shell access to the underlying server.

However, the vendor noted that the weakness cannot be exploited remotely without authentication, and that the fix does not apply to client-only installations (i.e. installations that do not have Database Server).

“Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM,” Oracle said in its advisory.

The company “strongly recommends that customers take action without delay” to address CVE-2018-3110, which has led some to wonder if Oracle believes that the risk of exploitation is high.

Oracle patches critical Database flaw


Apple zero-day exposes macOS to Synthetic Mouse-Click attacks
13.8.2018 securityaffairs Apple

Patrick Wardle, the popular white hat hacker, has discovered a zero-day vulnerability that could allow attackers to carry out synthetic mouse-click attacks
Patrick Wardle, the popular white hat hacker and chief research officer at Digita Security, has discovered a zero-day vulnerability that could allow attackers to mimic mouse-clicks for kernel access.

Wardle presented his discovery during the Def Con 2018 conference in Las Vegas, he explained that by using two lines of code he found an Apple zero-day in the High Sierra operating system that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension.

Once obtained the Kernel access on a Mac, the attack can fully compromise the system.

Apple has already in place security measures to prevent attackers from mimicking mouse-clicks for approving security prompts presented to the user when attempting to perform tasks that can potentially expose to risks the system.

Patrick Wardle has discovered a flaw that allows attackers to bypass such kind of security measures through Synthetic Mouse-Click attacks.

patrick wardle

@patrickwardle
Good morning @Defcon attendees ☀️

My talk, "🐭 > ⚔️" is today:
"The Mouse is Mightier than the Sword"
Sunday 10:00, 101 Track, Flamingo

Includes new bypasses of privacy controls & 0day breaking 'User Assisted Kext Loading' 🙈🍎🤒

See you there 🤗 https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Wardle2 …

5:29 PM - Aug 12, 2018
82
18 people are talking about this
Twitter Ads info and privacy
Wardle recently demonstrated that a local, privileged attacker could leverage vulnerabilities in third-party kernel extensions to bypass Apple’s kernel code-signing requirements.

Malware developers and hackers have started using synthetic mouse-click attacks to bypass this security mechanism and emulate human behavior in approving security warnings.

Apple mitigated the attack devised by Wardle by implementing a new security feature dubbed “User Assisted Kernel Extension Loading,” a measure that force users to manually approve the loading of any kernel extension by clicking the “allow” button in the security settings UI.

The latest macOS versions, including High Sierra introduced a filtering mechanism to ignore synthetic events.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed it’s game over,” Wardle explained.

Synthetic Mouse-Click attacks

Wardle discovered that is it possible to deceive macOS by using two consecutive synthetic mouse “down” events because the operating system wrongly interprets them as a manual approval.

“For some unknown reason the two synthetic mouse ‘down’ events confuse the system and the OS sees it as a legitimate click,” Wardle said. “This fully breaks a foundational security mechanism of High Sierra.”

The expert explained that the operating system confuses a sequence of two-down as mouse “down” and “up.” The OS also confuse the “up” event as an internal event and for this reason, it is not filtered and it can be abused to interact with High Sierra’s user interface allowing to load kernel extensions.

Wardle accident discovered the issue by copying and pasting code for a synthetic mouse down twice.

“I was just kind of goofing around with this feature. I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse “up” event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”

“Two lines of code completely break this security mechanism,” he added. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”

According to Wardle, the issue only affects High Sierra, because it is the using OS version that implements the Apple’s User Assisted Kernel Extension Loading.

The Wardle’s presentation is available at the following URL:

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Patrick%20Wardle/DEFCON-26-Patrick-Wardle-The-Mouse-Is-Mightier-Synthetic0Reality.pdf


DNS Hijacking targets Brazilian financial institutions

12.8.2018 securityaffairs Hacking

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by changing the DNS settings.

With this trick, cybercriminals steal login credentials for bank accounts, Radware researchers reported.

The attackers change the DNS settings pointing the network devices to DNS servers they control, in this campaign the experts observed crooks using two DNS servers, 69.162.89.185 and 198.50.222.136. The two DNS servers resolve the logical address for Banco de Brasil (www.bb.com.br) and Itau Unibanco (hostname www.itau.com.br) to bogus clones.

“The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Via old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.” reads the analysis published by Radware.

“The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server which has no connection whatsoever to the legitimate Banco de Brasil website.”

Hackers are using old exploits dating from 2015 that work on some models of DLink DSL devices, they only have to run for vulnerable routers online and change their DNS settings.

The experts highlighted that the hijacking is performed without any user interaction.

“The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, the user can type in the URL manually or even use it from mobile devices, such as a smart phone or tablet.” reads the alert published by Radware.

“The user will still be sent to the malicious website instead of to their requested website and the hijacking effectively works at the gateway level.”

Attackers carried out phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser. Such kind of attack is not a novelty, hackers are using similar techniques since 2014, in 2016, an exploit tool known as RouterHunterBr 2.0 was published online and used the same malicious URLs, but Radware is not aware of currently of abuse originating from this tool.

Radware has recorded several infections attempts for an old D-Link DSL router exploits since June 12.

DNS hijacking
The malicious URL used in the campaign appear as:

DNS hijacking 2

Several exploits for multiple DSL routers, mostly D-Link, were available online since February, 2015:

Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change. Exploit http://www.exploit-db.com/exploits/35995/
D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit http://www.exploit-db.com/exploits/35917/
D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit https://www.exploit-db.com/exploits/37237/
D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37237/
D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change https://www.exploit-db.com/exploits/37240/
D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37241/
Once the victims visit the fake websites, they will be asked for bank info, including agency number, account number, mobile phone number, card pin, eight-digit pin, and a CABB number.

The experts noticed that the phishing websites used in the campaign are flagged as not secure in the URL address.

Radware reported the campaigns to the financial institutions targeted by the attacks and fake websites have since been taken offline.

“A convenient way for checking DNS servers used by your devices and router is through websites like http://www.whatsmydnsserver.com/.
Only modems and routers that were not updated in the last two years can be exploited. Updates will protect the owner of the device and also prevent devices being enslaved for use in DDoS attacks or used to conceal targeted attacks.” recommends Radware.


Unsecured AWS S3 Bucket exposed sensitive data on 31,000 GoDaddy servers

12.8.2018 securityaffairs Incindent

UpGuard discovered an unsecured GoDaddy’s Amazon S3 bucket containing sensitive information related to more than 31,000 GoDaddy systems.
Experts at cybersecurity firm UpGuard have reported that another big company was victim of a data leak, it is the domain name registrar and web hosting company GoDaddy.

The popular UpGuard’s risk analyst Chris Vickery discovered an unsecured GoDaddy’s Amazon S3 bucket containing sensitive information related to more than 31,000 GoDaddy systems.

“The UpGuard Cyber Risk Team has discovered and secured a data exposure of documents appearing to describe GoDaddy infrastructure running in the Amazon AWS cloud, preventing any future exploitation of this information.” reads the post published by UpGuard.

“The documents were left exposed in a publicly accessible Amazon S3 bucket which, according to a statement from Amazon, “was created by an AWS salesperson.”

The expert discovered the unsecured AWS bucket named abbottgodaddy on June 19th, 2018. It was containing several versions of a spreadsheet, the latest one named “GDDY_cloud_master_data_1205 (AWS r10).xlsx.

The document was a 17MB Microsoft Excel file with multiple sheets and tens of thousands of rows.

Each sheet contained data related to the large-scale infrastructure running in the Amazon cloud, such as “high-level configuration information” of company systems and pricing facilities for operating them.

“The exposed configuration information included fields for hostname, operating system, “workload” (what the system was used for), AWS region, memory and CPU specs, and more.” continues the post.

“Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields. Also included were what appear to be GoDaddy’s discounts from Amazon AWS, usually restricted information for both parties, who must negotiate for rates– as do GoDaddy’s competitors.”

godaddy data leak

The experts pointed out that the availability of the configuration information for the GoDaddy infrastructure could allow attackers to select targets based on their role, probable data, size, and region.

Competitors, vendors, cloud providers, and others, could also use business data exposed in the unsecured Amazon S3 bucket as a competitive advantage for cloud hosting strategy and pricing.

“From operations as large as GoDaddy and Amazon, to small and medium organizations, anyone who uses cloud technology is subject to the risk of unintentional exposure, if the operational awareness and processes aren’t there to catch and fix misconfigurations when they occur,” concludes UpGuard.

This year many other companies have exposed sensitive data in the same way, including Accenture, FedEx, and Walmart. Even though Amazon S3 buckets are configured by default with a secure configuration, many AWS customers turn off security settings for expedience. This particular data leak was caused by an AWS employee.

“The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” an Amazon spokesperson said. “No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default, and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”


Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens

11.8.2018 securityaffairs BigBrothers

Journalists revealed a new surveillance program that targets US citizens, the program was previously-undisclosed and code named ‘Quiet Skies’.
According to the Transportation Security Administration (TSA), that has admitted the Quiet Skies, the program has monitored about 5,000 U.S. citizens on domestic flights in recent months.

Quiet Skies was criticized by privacy advocates because the authorities have begun monitoring U.S. citizens that aren’t suspected of a crime or of involvement in terrorist organizations.

The domestic surveillance program aims at collecting extensive information about the movements of the citizens and their behaviour.

“The previously undisclosed program, called ‘Quiet Skies,’” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” states a bulletin issued in March by the TSA.

The Agency is monitoring individuals who have spent a certain amount of time in specific countries, who have visited those counties within a certain period of time, or that have made a reservation which includes email addresses or phone numbers associated to terrorism suspects could trigger monitoring.

Passengers remain on the Quiet Skies watch list “for up to 90 days or three encounters, whichever comes first, after entering the United States,” according to the TSA. Travelers are not notified when they have been added to the watch list.

Every day about 40 to 50 people on domestic flights are selected under the Quiet Skies program and on average, air marshals follow and monitor about 35 of them.

Quiet skies program
Source atlantamusic.us

This type of surveillance activity is very expensive and according to the experts it drains resources from other vital activities.

At the time there are no data on the cost of the program or whether it allowed authoritied to neutralize any threat.

“Since this initiative launched in March, dozens of air marshals have raised concerns about the Quiet Skies program with senior officials and colleagues, sought legal counsel, and expressed misgivings about the surveillance program, according to interviews and documents reviewed by the Globe.”

Privacy advocates and experts on civil liberties considers the Quiet Skies program worrisome and potentially illegal:

Further details on the program are reported in the article titled “Quiet Skies– A TSA Surveillance Program Targets Ordinary U.S. Citizens” that I have published on the Infosec Institute website.


Experts explained how to hack macs in enterprises through MDM
11.8.2018 securityaffairs Apple

Researchers demonstrated how a sophisticated threat actor can hack a brand new Apple Mac computer in enterprise environments through MDM.
A security duo composed by Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, demonstrated at the Black Hat security conference how a persistent attacker could compromise brand new Mac systems in enterprise environments on the first boot.

The experts leverage the Apple mobile device management protocol to retrieve the manifest and install a different application than the one chosen by the victim.

MDM allows administrators in enterprises to remotely manage macOS and iOS devices, it allows to easily install or remove applications, lock devices or securely erase them.

Every time a new device is added in an enterprise, it receives a Configuration Profile, an operation that can be performed automatically using the Device Enrollment Program (DEP).

macOS computers automatically contact the MDM server during the boot or after a factory reset procedure.

The DEP profile sent to the device is created by the MDM server and includes information related to software installation (i.e. server’s URL, pinned certificates).

MDM Apple hack

By using the MDM command InstallApplication, administrators can install a specified application. The command uses a manifest URL that returns an XML file containing all the information needed to install the application.

The experts explained that it is possible to manipulate this manifest to install a specific application by carrying out a man-in-the-middle (MitM) attack.

The attack is not easy to conduct, anyway, a sophisticated nation-state actor or an ISP could carry out it.

The attack can exploit this technique to force the installation of a malicious application as soon as the macOS computers connect to the MDM server.

The security duo reported the hacking technique to Apple in April and early May Apple acknowledged it. Apple addressed the issue in July with the release of macOS version 10.13.6.

“We disclosed the issue to Apple shortly after discovering it. Based on our feedback, a fix was quickly implemented in the form of a new MDM command: InstallEnterpriseApplication, which is now documented publicly” reads the research paper published by the experts.

“This command (available as of macOS 10.13.6) allows MDM vendors to provide specific certificates to pin the request to the ManifestURL (using the new ManifestURLPinningCerts property of said command). It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem. We will take a closer look at how the vulnerability was addressed.”

With the new release, Apple introduced the InstallEnterpriseApplication MDM that allows MDM vendors to provide certificates to pin the request to the manifest URL.


Group-IB: The Shadow Market Is Flooded with Cheap Mining Software
10.8.2018 securityaffairs Cryptocurrency

Group-IB is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations.
Group-IB, an international company specializing in the prevention of cyberattacks, is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations. According to Group-IB’s Threat Intelligence, over a year, the number of shadow-forum ads offering mining software has increased fivefold (H1 2018 vs H1 2017). Group-IB experts say it is a very dangerous tendency to have so many mining Trojans available designed to use other people’s devices and infrastructure for illegitimate generation of cryptocurrency.

Cryptojacking (using computation capacity of a computer or infrastructure for cryptocurrency mining without the knowledge or consent of its owner) is still a comparatively popular method of personal gain, in spite of a clear tendency toward a decrease in the number of incidents of this type of fraud. Growth in the number of such thefts may be caused not only by the growth of mining software offers in Darknet but also by their comparatively low price, which is often less than $0.50.

Mining Software darkweb cryptojacking

The low entry barrier to the illegal mining market results in a situation where cryptocurrency is being mined by people without technical expertise or experience with fraudulent schemes. When they gain access to simple tools for making money off hidden cryptocurrency mining, they don’t consider it a crime, all the more so as the Russian legislative environment still leaves enough loopholes to avoid prosecution for such thefts. There are still very few arrests and cases of prosecution for cryptojacking.

One cryptocoin after another: what are the dangers of mining?

Any device (computer, smartphone, IoT, server, etc.) may be used for cryptojacking: that’s why it is not enough to install detection systems only at the workstation level. New types of mining software appear regularly that bypass security systems based on signature alone. A symmetric response to this threat is the analysis of various mining manifestations at the network level. With this end in view, it is necessary to use, among other things, behavioral analysis technologies to detect previously unknown programs and tools.

Group-IB experts warn that mining results not just in direct financial losses due to increased expenditures for electricity. It threatens the stability and continuity of business processes by decelerating corporate systems and increasing depreciation of hardware. Infection of infrastructure with a mining Trojan may result in the failure of corporate apps, networks and systems. Unauthorized external programs working without the knowledge of business owners is fraught with reputational losses, as well as compliance and regulatory risks.

What should we do?

Integrated countermeasures against cryptojacking require the detection of all forms of malicious codes distributed or working in the network, based on a regularly updated database of threats to systems (Threat Intelligence class). Suspicious activity should always be analyzed in a secure isolated environment to ensure the absolute confidentiality of data about infected computers, infrastructure segments and other resources. It is important not only to protect yourself within your own network, but to detect cryptomining tools running java scripts on hacked resources seeking to infect as many victims as possible. There is one more type of fraud that has been gaining popularity recently: the use of traditional insiders. Companies should be able to protect themselves against their own dishonest employees who attempt to increase their incomes at the expense of their employer’s resources.


Macs in Enterprise Can Be Hacked on First Boot
10.8.2018 securityweek Apple

Hacking Macs in the enterprise via MDM

Researchers have demonstrated that brand new Mac computers used in enterprise environments can be hacked by sophisticated threat actors on the first boot through Apple’s mobile device management (MDM) protocol.

MDM is designed to allow system administrators to send management commands to managed macOS and iOS devices, including to install or remove applications, monitor compliance with corporate policies, and securely erase or lock a device.

When a device is enrolled in MDM, it receives a Configuration Profile, which can either be installed manually or ​automatically using the Device Enrollment Program (DEP). If DEP is used on macOS, the device automatically checks in with the MDM server during the initial setup process or after the system has been reset to factory settings and the operating system has been reinstalled.

The DEP profile received by a device during this process is delivered by Apple but populated by the MDM server. The profile includes information such as the MDM server’s URL, pinned certificates, and which screens should be skipped during the setup process.

One of the most popular MDM commands used during the initial setup process is InstallApplication, which allows administrators to install a specified application package. The command relies on a manifest URL that returns an XML file containing all the information needed to install the app.

Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, showed this week at the Black Hat security conference how a threat actor could compromise the retrieval of the manifest and install a different application than the one intended by the victim.

Exploitation involves a man-in-the-middle (MitM) attack, which makes it difficult for unsophisticated cybercrime groups. However, a sophisticated state-sponsored actor or a malicious ISP may be able to carry out such an attack and infiltrate devices in a targeted organization.

According to Bélanger and Endahl, an attacker could use this method to take full control of Mac computers right after they are unboxed, as soon as they connect to the organization’s Wi-Fi network.

The researchers disclosed their findings to Apple in late April and the tech giant acknowledged their findings on May 2. The company implemented a fix on July 9 with the release of macOS 10.13.6.

Apple addressed the issue by implementing a new MDM command named InstallEnterpriseApplication​. This command allows MDM vendors to provide specific certificates to pin the request to the manifest URL.

“It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem,” the researchers wrote in a paper.


The analysis of the code reuse revealed many links between North Korea malware
10.8.2018 securityaffairs
Virus

Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence that links malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123.
The experts focused their analysis on the code reuse, past investigations revealed that some APT groups share portions of code and command and control infrastructure for their malware.

Security researchers when analyzing a hacking campaign attempt to attribute it to a specific threat actor also evaluating the code reuse.

“The following graph presents a high-level overview of these relations. Each node represents a malware family or a hacking tool (“Brambul,” “Fallchill,” etc.) and each line presents a code similarity between two families. A thicker line correlates to a stronger similarity. In defining similarities, we take into account only unique code connections, and disregard common code or libraries. This definition holds both for this graph and our entire research.” reads the analysis published by the experts.

“We can easily see a significant amount of code similarities between almost every one of the attacks associated with North Korea. Our research included thousands of samples, mostly unclassified or uncategorized.”

According to the experts, North Korea-linked groups operated with two main goals, raise money and pursue nationalist aims.

Each state-sponsored hacker was involved in cyber operations with one of the above goals depending on his cyber capabilities.

Financially motivated operations consisting in hacking into financial institutions, hijack gambling sessions or sell pirated and cracked software were conducted by the Unit 180. Operations with nationalist aims are mostly executed by the Unit 121.

The joint research conducted by the experts was focused on the larger-scale nationalism-motivated campaigns, most of which presented a significant code reuse.

The experts analyzed thousands of malware samples, many still unclassified or uncategorized, and discovered many similarities in the source code used in attacks associated with North Korea.

For example, the “Common SMB module” that was part of the WannaCry Ransomware (2017) was similar to the code used the malware Mydoom (2009), Joanap, and DeltaAlfa.

“The first code example appeared in the server message block (SMB) module of WannaCry in 2017, Mydoom in 2009, Joanap, and DeltaAlfa. Further shared code across these families is an AES library from CodeProject. These attacks have been attributed to Lazarus; that means the group has reused code from at least 2009 to 2017.” states the analysis published by the experts.

The expert notices many similarities in the source code of three different remote access Trojans, tracked as NavRAT, Gold Dragon, and a DLL that was used in the attack against the South Korean gambling industry. The similarity consists in the Common file mapping.

“The second example demonstrates code responsible for mapping a file and using the XOR key 0xDEADBEEF on the first four bytes of the file. This code has appeared in the malware families NavRAT and Gold Dragon, plus a certain DLL from the South Korean gambling hacking campaign.” reads the report published by the experts.

The three malware were associated with the APT group tracked as Group 123 (also tracked as Reaper, APT37, and ScarCruft).

The researchers also found a similarity in the source code of the Brambul malware (2009) and KorDllBot (2011).

“The third example, responsible for launching a cmd.exe with a net share, has been seen in 2009’s Brambul, also known as SierraBravo, as well as KorDllBot in 2011. These malware families are also attributed to the Lazarus group.” states the report.

The experts also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples involved in the Operation Troy.

The analysis of the code reuse conducted by the experts confirmed that most of the samples attributed to North Korea-linked APT group Lazarus presented many similarities. The only malware that appears different are the RATs involved in the operations attributed to Group 123 APT group.

“The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns,” the researchers concluded.

North Korea code reuse 2

“We clearly saw a lot of code reuse over the many years of cyber campaigns we examined. This indicates the North Koreans have groups with different skills and tools that execute their focused parts of cyber operations while also working in parallel when large campaigns require a mix of skills and tools.” concluded the experts.


IT threat evolution Q2 2018. Statistics
10.8.2018 Kaspersky Analysis

Q2 figures
According to KSN:

Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.
351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.
Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.
Ransomware attacks were registered on the computers of 158,921 unique users.
Our File Anti-Virus logged 192,053,604 unique malicious and potentially unwanted objects.
Kaspersky Lab products for mobile devices detected:
1,744,244 malicious installation packages
61,045 installation packages for mobile banking Trojans
14,119 installation packages for mobile ransomware Trojans.
Mobile threats
General statistics
In Q2 2018, Kaspersky Lab detected 1,744,244 malicious installation packages, which is 421,666 packages more than in the previous quarter.

Number of detected malicious installation packages, Q2 2017 – Q2 2018

Distribution of detected mobile apps by type

Distribution of newly detected mobile apps by type, Q1 2018

Distribution of newly detected mobile apps by type, Q2 2018

Among all the threats detected in Q2 2018, the lion’s share belonged to potentially unwanted RiskTool apps (55.3%); compared to the previous quarter, their share rose by 6 p.p. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (13%), whose share fell by 7 p.p. Most detected files of this type came from the families Trojan-Dropper.AndroidOS.Piom and Trojan-Dropper.AndroidOS.Hqwar.

The share of advertising apps continued to decreased by 8%, accounting for 9% (against 11%) of all detected threats.

A remarkable development during the reporting period was that SMS Trojans doubled their share up to 8.5% in Q2 from 4.5% in Q1.

TOP 20 mobile malware
Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool or Adware.

Verdict %*
1 DangerousObject.Multi.Generic 70.04
2 Trojan.AndroidOS.Boogr.gsh 12.17
3 Trojan-Dropper.AndroidOS.Lezok.p 4.41
4 Trojan.AndroidOS.Agent.rx 4.11
5 Trojan.AndroidOS.Piom.toe 3.44
6 Trojan.AndroidOS.Triada.dl 3.15
7 Trojan.AndroidOS.Piom.tmi 2.71
8 Trojan.AndroidOS.Piom.sme 2.69
9 Trojan-Dropper.AndroidOS.Hqwar.i 2.54
10 Trojan-Downloader.AndroidOS.Agent.ga 2.42
11 Trojan-Dropper.AndroidOS.Agent.ii 2.25
12 Trojan-Dropper.AndroidOS.Hqwar.ba 1.80
13 Trojan.AndroidOS.Agent.pac 1.73
14 Trojan.AndroidOS.Dvmap.a 1.64
15 Trojan-Dropper.AndroidOS.Lezok.b 1.55
16 Trojan-Dropper.AndroidOS.Tiny.d 1.37
17 Trojan.AndroidOS.Agent.rt 1.29
18 Trojan.AndroidOS.Hiddapp.bn 1.26
19 Trojan.AndroidOS.Piom.rfw 1.20
20 Trojan-Dropper.AndroidOS.Lezok.t 1.19
* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked.

As before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.04%), the verdict we use for malware detected using cloud technologies. In second place was Trojan.AndroidOS.Boogr.gsh (12.17%). This verdict is given to files recognized as malicious by our system based on machine learning. Third was Dropper.AndroidOS.Lezok.p (4.41%), followed by a close 0.3 p.p. margin by Trojan.AndroidOS.Agent.rx (4.11%), which was in the third position in Q1.

Geography of mobile threats

Map of attempted infections using mobile malware, Q2 2018

TOP 10 countries by share of users attacked by mobile malware:

Country* %**
1 Bangladesh 31.17
2 China 31.07
3 Iran 30.87
4 Nepal 30.74
5 Nigeria 25.66
6 India 25.04
7 Indonesia 24.05
8 Ivory Coast 23.67
9 Pakistan 23.49
10 Tanzania 22.38
* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

In Q2 2018, Bangladesh (31.17%) topped the list by share of mobile users attacked. China (31.07%) came second with a narrow margin. Third and fourth places were claimed respectively by Iran (30.87%) and Nepal (30.74%).

Russia (8.34%) this quarter was down in 38th spot, behind Taiwan (8.48%) and Singapore (8.46%).

Mobile banking Trojans
In the reporting period, we detected 61,045 installation packages for mobile banking Trojans, which is 3.2 times more than in Q1 2018. The largest contribution was made by Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to nearly half of detected new banking Trojans. Second came Trojan-Banker.AndroidOS.Agent.dq, accounting for about 5,000 installation packages.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 – Q2 2018

TOP 10 mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Agent.dq 17.74
2 Trojan-Banker.AndroidOS.Svpeng.aj 13.22
3 Trojan-Banker.AndroidOS.Svpeng.q 8.56
4 Trojan-Banker.AndroidOS.Asacub.e 5.70
5 Trojan-Banker.AndroidOS.Agent.di 5.06
6 Trojan-Banker.AndroidOS.Asacub.bo 4.65
7 Trojan-Banker.AndroidOS.Faketoken.z 3.66
8 Trojan-Banker.AndroidOS.Asacub.bj 3.03
9 Trojan-Banker.AndroidOS.Hqwar.t 2.83
10 Trojan-Banker.AndroidOS.Asacub.ar 2.77
* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked by banking threats.

The most popular mobile banking Trojan in Q2 was Trojan-Banker.AndroidOS.Agent.dq (17.74%), closely followed by Trojan-Banker.AndroidOS.Svpeng.aj (13.22%). These two Trojans use phishing windows to steal information about user’s banking cards and online banking credentials. Besides, they steal money through abuse of SMS services, including mobile banking. The popular banking malware Trojan-Banker.AndroidOS.Svpeng.q (8.56%) took third place in the rating, moving one notch down from its second place in Q2.

Geography of mobile banking threats, Q2 2018

TOP 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 USA 0.79
2 Russia 0.70
3 Poland 0.28
4 China 0.28
5 Tajikistan 0.27
6 Uzbekistan 0.23
7 Ukraine 0.18
8 Singapore 0.16
9 Moldova 0.14
10 Kazakhstan 0.13
* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country.

Overall, the rating did not see much change from Q1: Russia (0.70%) and USA (0.79%) swapped places, both remaining in TOP 3.

Poland (0.28%) rose from ninth to third place thanks to activation propagation of two Trojans: Trojan-Banker.AndroidOS.Agent.cw and Trojan-Banker.AndroidOS.Marcher.w. The latter was first detected in November 2017 and uses a toolset typical of banking malware: SMS interception, phishing windows and Device Administrator privileges to ensure its persistence in the system.

Mobile ransomware Trojans
In Q2 2018, we detected 14,119 installation packages for mobile ransomware Trojans, which is larger by half than in Q1.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q2 2017 – Q2 2018

Verdict %*
1 Trojan-Ransom.AndroidOS.Zebt.a 26.71
2 Trojan-Ransom.AndroidOS.Svpeng.ag 19.15
3 Trojan-Ransom.AndroidOS.Fusob.h 15.48
4 Trojan-Ransom.AndroidOS.Svpeng.ae 5.99
5 Trojan-Ransom.AndroidOS.Egat.d 4.83
6 Trojan-Ransom.AndroidOS.Svpeng.snt 4.73
7 Trojan-Ransom.AndroidOS.Svpeng.ab 4.29
8 Trojan-Ransom.AndroidOS.Small.cm 3.32
9 Trojan-Ransom.AndroidOS.Small.as 2.61
10 Trojan-Ransom.AndroidOS.Small.cj 1.80
* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab’s mobile antivirus attacked by ransomware Trojans.

The most popular mobile ransomware is Q2 was Trojan-Ransom.AndroidOS.Zebt.a (26.71%), encountered by more than a quarter of all users who got attacked by this type of malware. Second came Trojan-Ransom.AndroidOS.Svpeng.ag (19.15%), nudging ahead of once-popular Trojan-Ransom.AndroidOS.Fusob.h (15.48%).

Geography of mobile ransomware Trojans, Q2 2018

TOP 10 countries by share of users attacked by mobile ransomware Trojans

Country* %**
1 USA 0.49
2 Italy 0.28
3 Kazakhstan 0.26
4 Belgium 0.22
5 Poland 0.20
6 Romania 0.18
7 China 0.17
8 Ireland 0.15
9 Mexico 0.11
10 Austria 0.09
* Excluded from the rating are countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (fewer than 10,000)
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

First place in the TOP 10 went to the United States (0.49%); the most active family in this country was Trojan-Ransom.AndroidOS.Svpeng:

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.ag 53.53%
2 Trojan-Ransom.AndroidOS.Svpeng.ae 16.37%
3 Trojan-Ransom.AndroidOS.Svpeng.snt 11.49%
4 Trojan-Ransom.AndroidOS.Svpeng.ab 10.84%
5 Trojan-Ransom.AndroidOS.Fusob.h 5.62%
6 Trojan-Ransom.AndroidOS.Svpeng.z 4.57%
7 Trojan-Ransom.AndroidOS.Svpeng.san 4.29%
8 Trojan-Ransom.AndroidOS.Svpeng.ac 2.45%
9 Trojan-Ransom.AndroidOS.Svpeng.h 0.43%
10 Trojan-Ransom.AndroidOS.Zebt.a 0.37%
* Unique users in USA attacked by this malware as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country who were attacked by ransomware Trojans.

Italy (0.28%) came second among countries whose residents were attacked by mobile ransomware. In this country, most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a. Third place was claimed by Kazakhstan (0.63%), where Trojan-Ransom.AndroidOS.Small.cm was the most popular mobile ransomware.

Attacks on IoT devices
Judging by the data from our honeypots, brute forcing Telnet passwords is the most popular method of IoT malware self-propagation. However, recently there has been an increase in the number of attacks against other services, such as control ports. These ports are assigned services for remote control over routers – this feature is in demand e.g. with internet service providers. We have observed attempts to launch attacks on IoT devices via port 8291, which is used by Mikrotik RouterOS control service, and via port 7547 (TR-069), which was used, among other purposes, for managing devices in the Deutsche Telekom network.

In both cases the nature of attacks was much more sophisticated than plain brute force; in particular, they involved exploits. We are inclined to think that the number of such attacks will only grow in the future on the back of the following two factors:

Brute forcing a Telnet password is a low-efficiency strategy, as there is a strong competition between threat actors. Each few seconds, there are brute force attempts; once successful, the threat actor blocks such the access to Telnet for all other attackers.
After each restart of the device, the attackers have to re-infect it, thus losing part of the botnet and having to reclaim it in a competitive environment.
On the other hand, the first attacker to exploit a vulnerability will gain access to a large number of device, having spent minimum time.

Distribution of attacked services’ popularity by number of unique attacking devices, Q2 2018

Telnet attacks
The scheme of attack is as follows: the attackers find a victim device, check if Telnet port is open on it, and launch the password brute forcing routine. As many manufacturers of IoT devices neglect security (for instance, they reserve service passwords on devices and do not leave a possibility for the user to change them routinely), such attacks become successful and may affect entire lines of devices. The infected devices start scanning new segments of networks and infect new, similar devices or workstations in them.

Geography of IoT devices infected in Telnet attacks, Q2 2018

TOP 10 countries by shares of IoT devices infected via Telnet
Country %*
1 Brazil 23.38
2 China 17.22
3 Japan 8.64
4 Russia 7.22
5 USA 4.55
6 Mexico 3.78
7 Greece 3.51
8 South Korea 3.32
9 Turkey 2.61
10 India 1.71
* Infected devices in each specific country as a percentage of all IoT devices that attack via Telnet.

In Q2, Brazil (23.38%) took the lead in the number of infected devices and, consequently, in the number of Telnet attacks. Next came China (17.22%) by a small margin, and third came Japan (8.64%).

In these attacks, the threat actors most often downloaded Backdoor.Linux.Mirai.c (15.97%) to the infected devices.

TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks
Verdict %*
1 Backdoor.Linux.Mirai.c 15.97
2 Trojan-Downloader.Linux.Hajime.a 5.89
3 Trojan-Downloader.Linux.NyaDrop.b 3.34
4 Backdoor.Linux.Mirai.b 2.72
5 Backdoor.Linux.Mirai.ba 1.94
6 Trojan-Downloader.Shell.Agent.p 0.38
7 Trojan-Downloader.Shell.Agent.as 0.27
8 Backdoor.Linux.Mirai.n 0.27
9 Backdoor.Linux.Gafgyt.ba 0.24
10 Backdoor.Linux.Gafgyt.af 0.20
*Proportion of downloads of each specific malware program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks

SSH attacks
Such attacks are launched similarly to Telnet attacks, the only difference being that they require to bots to have an SSH client installed on them to brute force credentials. The SSH protocol is cryptographically protected, so brute forcing passwords require large computational resources. Therefore, self-propagation from IoT devices is inefficient, and full-fledged servers are used to launch attacks. The success of an SSH attack hinges on the device owner or manufacturers’ faults; in other words, these are again weak passwords or preset passwords assigned by the manufacturer to an entire line of devices.

China took the lead in terms of infected devices attacking via SSH. Also, China was second in terms of infected devices attacking via Telnet.

Geography of IoT devices infected in SSH attacks, Q2 2018

TOP 10 countries by shares of IoT devices attacked via SSH
Country %*
1 China 15.77%
2 Vietnam 11.38%
3 USA 9.78%
4 France 5.45%
5 Russia 4.53%
6 Brazil 4.22%
7 Germany 4.01%
8 South Korea 3.39%
9 India 2.86%
10 Romania 2.23%
*The proportion of infected devices in each country as a percentage of all infected IoT devices attacking via SSH

Online threats in the financial sector
Q2 events
New banking Trojan DanaBot
The Trojan DanaBot was detected in May. It has a modular structure and is capable of loading extra modules with which to intercept traffic, steal passwords and crypto wallets – generally, a standard feature set for this type of a threat. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojans’ main body. DanaBot initially targeted Australian users and financial organizations, however in early April we noticed that it had become active against the financial organizations in Poland.

The peculiar BackSwap technique
The banking Trojan BackSwap turned out much more interesting. A majority of similar threats including Zeus, Cridex and Dyreza intercept the user’s traffic either to inject malicious scripts into the banking pages visited by the victim or to redirect it to phishing sites. By contrast, BackSwap uses an innovative technique for injecting malicious scripts: using WinAPI, it emulates keystrokes to open the developer console in the browser, and then it uses this console to inject malicious scripts into web pages. In a later version of BackSwap, malicious scripts are injected via the address bar, using JavaScript protocol URLs.

Carbanak gang leader detained
On March 26, Europol announced the arrest of a leader of the cybercrime gang behind Carbanak and Cobalt Goblin. This came as a result of a joint operation between Spain’s national police, Europol and FBI, as well as Romanian, Moldovan, Belorussian and Taiwanese authorities and private infosecurity companies. It was expected that the leader’s arrest would reduce the group’s activity, however recent data show that no appreciable decline has taken place. In May and June, we detected several waves of targeted phishing against banks and processing companies in Eastern Europe. The email writers from Carbanak masquerades as support lines of reputable anti-malware vendors, European Central Bank and other organizations. Such emails contained attached weaponized documents exploiting vulnerabilities CVE-2017-11882 and CVE-2017-8570.

Ransomware Trojan uses Doppelgänging technique
Kaspersky Lab experts detected a case of the ransomware Trojan SynAck using the Process Doppelgänging technique. Malware writers use this complex technique to make it stealthier and complicate its detection by security solutions. This was the first case when it was used in a ransomware Trojan.

Another remarkable event was the Purga (aka Globe) cryptoware propagation campaign, during which this cryptoware, alongside with other malware including a banking Trojan, was loaded to computers infected with the Trojan Dimnie.

General statistics on financial threats
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.

In Q2 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 215,762 users.

Number of unique users attacked by financial malware, Q2 2018

Geography of attacks

Geography of banking malware attacks, Q2 2018

TOP 10 countries by percentage of attacked users
Country* % of users attacked**
1 Germany 2.7%
2 Cameroon 1.8%
3 Bulgaria 1.7%
4 Greece 1.6%
5 United Arab Emirates 1.4%
6 China 1.3%
7 Indonesia 1.3%
8 Libya 1.3%
9 Togo 1.3%
10 Lebanon 1.2%
These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data.

*Excluded are countries with relatively few Kaspersky Lab’ product users (under 10,000).
** Unique Kaspersky Lab users whose computers were targeted by banking Trojans or ATM/PoS malware as a percentage of all unique users of Kaspersky Lab products in the country.

TOP 10 banking malware families
Name Verdicts* % of attacked users**
1 Nymaim Trojan.Win32. Nymaim 27.0%
2 Zbot Trojan.Win32. Zbot 26.1%
3 SpyEye Backdoor.Win32. SpyEye 15.5%
4 Emotet Backdoor.Win32. Emotet 5.3%
5 Caphaw Backdoor.Win32. Caphaw 4.7%
6 Neurevt Trojan.Win32. Neurevt 4.7%
7 NeutrinoPOS Trojan-Banker.Win32.NeutrinoPOS 3.3%
8 Gozi Trojan.Win32. Gozi 2.0%
9 Shiz Backdoor.Win32. Shiz 1.5%
10 ZAccess Backdoor.Win32. ZAccess 1.3%
* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q2 2018, the general makeup of TOP 10 stayed the same, however there were some changes in the ranking. Trojan.Win32.Zbot (26.1%) and Trojan.Win32.Nymaim (27%) remain in the lead after swapping positions. The banking Trojan Emotet ramped up its activity and, accordingly, its share of attacked users from 2.4% to 5.3%. Conversely, Caphaw dramatically downsized its activity to only 4.7% from 15.2% in Q1, taking fifth position in the rating.

Cryptoware programs
Number of new modifications
In Q2, we detected 7,620 new cryptoware modifications. This is higher than in Q1, but still well below last year’s numbers.

Number of new cryptoware modifications, Q2 2017 – Q2 2018

Number of users attacked by Trojan cryptors
In Q2 2018, Kaspersky Lab products blocked cryptoware attacks on the computers of 158,921 unique users. Our statistics show that cybercriminals’ activity declined both against Q1 and on a month-on-month basis during Q2.

Number of unique users attacked by cryptors, Q2 2018

Geography of attacks

TOP 10 countries attacked by Trojan cryptors
Country* % of users attacked by cryptors**
1 Ethiopia 2.49
2 Uzbekistan 1.24
3 Vietnam 1.21
4 Pakistan 1.14
5 Indonesia 1.09
6 China 1.04
7 Venezuela 0.72
8 Azerbaijan 0.71
9 Bangladesh 0.70
10 Mongolia 0.64
* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

The list of TOP 10 countries in Q2 is practically identical to that in Q1. However, some place trading occurred in TOP 10: Ethiopia (2.49%) pushed Uzbekistan (1.24%) down from first to second place, while Pakistan (1.14%) rose to fourth place. Vietnam (1.21%) remained in third position, and Indonesia (1.09%) remained fifth.

TOP 10 most widespread cryptor families
Name Verdicts* % of attacked users**
1 WannaCry Trojan-Ransom.Win32.Wanna 53.92
2 GandCrab Trojan-Ransom.Win32.GandCrypt 4.92
3 PolyRansom/VirLock Virus.Win32.PolyRansom 3.81
4 Shade Trojan-Ransom.Win32.Shade 2.40
5 Crysis Trojan-Ransom.Win32.Crusis 2.13
6 Cerber Trojan-Ransom.Win32.Zerber 2.09
7 (generic verdict) Trojan-Ransom.Win32.Gen 2.02
8 Locky Trojan-Ransom.Win32.Locky 1.49
9 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 1.36
10 Cryakl Trojan-Ransom.Win32.Cryakl 1.04
* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

WannaCry further extends lead over other cryptor families, its share rising to 53.92% from 38.33% in Q1. Meanwhile, the cybercriminals behind GandCrab (4.92%, emerged only in Q1 2018) put so much effort into its distribution that it rose all the way up to second place in this TOP 10, displacing the polymorphic worm PolyRansom (3.81%). The remaining positions, just like in Q1, are occupied by the long-familiar cryptors Shade, Crysis, Purgen, Cryakl etc.

Cryptominers
As we already reported in Ransomware and malicious cryptominers in 2016-2018, ransomware is shrinking progressively, and cryptocurrency miners is starting to take its place. Therefore, this year we decided to begin to publish quarterly reports on the situation around type of threats. Simultaneously, we began to use a broader range of verdicts as a basis for collecting statistics on miners, so the Q2 statistics may not be consistent with the data from our earlier publications. It includes both stealth miners which we detect as Trojans, and those which are issued the verdict ‘Riskware not-a-virus’.

Number of new modifications
In Q2 2018, Kaspersky Lab solutions detected 13,948 new modifications of miners.

Number of new miner modifications, Q2 2018

Number of users attacked by cryptominers
In Q2, we detected attacks involving mining programs on the computers of 2,243,581 Kaspersky Lab users around the world.

Number of unique users attacked by cryptominers, Q2 2018

In April and May, the number of attacked users stayed roughly equal, and in June there was a modest decrease in cryptominers’ activity.

Geography of attacks

Geography of cryptominer attacks, Q2 2018

TOP 10 countries by percentage of attacked users
Country* % of attacked users**
1 Ethiopia 17.84
2 Afghanistan 16.21
3 Uzbekistan 14.18
4 Kazakhstan 11.40
5 Belarus 10.47
6 Indonesia 10.33
7 Mozambique 9.92
8 Vietnam 9.13
9 Mongolia 9.01
10 Ukraine 8.58
*Excluded are countries with relatively few Kaspersky Lab’ product users (under 50,000).
** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country.

Vulnerable apps used by cybercriminals
In Q2 2018, we again observed some major changes in the distribution of platforms most often targeted by exploits. The share of Microsoft Office exploits (67%) doubled compared to Q1 (and quadrupled compared with the average for 2017). Such a sharp growth was driven primarily by massive spam messages distributing documents containing an exploit to the vulnerability CVE-2017-11882. This stack overflow-type vulnerability in the old, deprecated Equation Editor component existed in all versions of Microsoft Office released over the last 18 years. The exploit still works stably in all possible combinations of the Microsoft Office package and Microsoft Windows. On the other hand, it allows the use of various obfuscations for bypassing the protection. These two factors made this vulnerability the most popular tool in cybercriminals’ hands in Q2. The shares of other Microsoft Office vulnerabilities did no undergo much change since Q1.

Q2 KSN statistics also showed a growing number of Adobe Flash exploits exploited via Microsoft Office. Despite Adobe and Microsoft’s efforts to obstruct exploitation of Flash Player, a new 0-day exploit CVE-2018-5002 was discovered in Q2. It propagated in an XLSX file and used a little-known technique allowing the exploit to be downloaded from a remote source rather than carried in the document body. Shockwave Flash (SWF) files, like many other file formats, are rendered in Microsoft Office documents in the OLE (Object Linking and Embedding) format. In the case of a SWF file, the OLE object contains the actual file and a list of various properties, one of which points to the path to the SWF file. The OLE object in the discovered exploit did not contain an SWF file in it, but only carried a list of properties including a web link to the SWF file, which forced Microsoft Office to download the missing file from the provided link.

Distribution of exploits used in cybercriminals’ attacks by types of attacked applications, Q2 2018

In late March 2018, a PDF document was detected at VirusTotal that contained two 0-day vulnerabilities: CVE-2018-4990 and CVE-2018-8120. The former allowed for execution of shellcode from JavaScript via exploitation of a software error in JPEG2000 format image processor in Acrobat Reader. The latter existed in the win32k function SetImeInfoEx and was used for further privilege escalation up to SYSTEM level and enabled the PDF viewer to escape the sandbox. Ana analysis of the document and our statistics show that at the moment of uploading to VirusTotal, this exploit was at the development stage and was not used for in-the-wild attacks.

In late April, Kaspersky Lab experts using an in-house sandbox have found the 0-day vulnerability CVE-2018-8174 in Internet Explorer and reported it to Microsoft. An exploit to this vulnerability used a technique associated with CVE-2017-0199 (launching an HTA script from a remote source via a specially crafted OLE object) to exploit a vulnerable Internet Explorer component with the help of Microsoft Office. We are observing that exploit pack creators have already taken this vulnerability on board and actively distribute exploits to it both via web sites and emails containing malicious documents.

Also in Q2, we observed a growing number of network attacks. There is a growing share of attempts to exploit the vulnerabilities patched with the security update MS17-010; these make up a majority a of the detected network attacks.

Attacks via web resources
The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In the second quarter of 2018, Kaspersky Lab solutions blocked 962,947,023 attacks launched from web resources located in 187 countries around the world. 351,913,075 unique URLs were recognized as malicious by web antivirus components.

Distribution of web attack sources by country, Q2 2018

In Q2, the TOP 4 of web attack source countries remain unchanged. The US (45.87%) was home to most sources of web attacks. The Netherlands (25.74%) came second by a large margin, Germany (5.33%) was third. There was a change in the fifth position: Russia (1.98%) has displaced the UK, although its share has decreased by 0.55 p.p.

Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Belarus 33.49
2 Albania 30.27
3 Algeria 30.08
4 Armenia 29.98
5 Ukraine 29.68
6 Moldova 29.49
7 Venezuela 29.12
8 Greece 29.11
9 Kyrgyzstan 27.25
10 Kazakhstan 26.97
11 Russia 26.93
12 Uzbekistan 26.30
13 Azerbaijan 26.12
14 Serbia 25.23
15 Qatar 24.51
16 Latvia 24.40
17 Vietnam 24.03
18 Georgia 23.87
19 Philippines 23.85
20 Romania 23.55
These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.
Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

Geography of malicious web attacks in Q2 2018 (percentage of attacked users)

On average, 19.59% of Internet user computers worldwide experienced at least one Malware-class web attack.

Local threats
Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2018, our File Anti-Virus detected 192,053,604 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

The rating includes only Malware-class attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Uzbekistan 51.01
2 Afghanistan 49.57
3 Tajikistan 46.21
4 Yemen 45.52
5 Ethiopia 43.64
6 Turkmenistan 43.52
7 Vietnam 42.56
8 Kyrgyzstan 41.34
9 Rwanda 40.88
10 Mongolia 40.71
11 Algeria 40.25
12 Laos 40.18
13 Syria 39.82
14 Cameroon 38.83
15 Mozambique 38.24
16 Bangladesh 37.57
17 Sudan 37.31
18 Nepal 37.02
19 Zambia 36.60
20 Djibouti 36.35
These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives.
Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

Geography of malicious web attacks in Q2 201 (ranked by percentage of users attacked)

On average, 19.58% of computers globally faced at least one Malware-class local threat in Q2.


Flaws in ATM Dispenser Controllers Allowed Hackers to Steal Cash
10.8.2018 securityweek
Vulnerebility

ATM hacking exploits cash dispenser controller vulnerabilities

Researchers have disclosed the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. The flaws have been patched, but they could have been exploited to install outdated firmware and get ATMs to dispense cash.

Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have conducted a successful black box attack against the NCR S1 and S2 cash dispenser controllers. In these types of attacks, the attacker only sees inputs and outputs, without having any knowledge of the system’s internal workings.

The method, which the researchers described as a “logical attack,” requires physical access to the targeted device. In this particular case, an attacker could have leveraged the poor physical security of the targeted dispenser controller to connect to it, install vulnerable firmware, and issue commands that would instruct the machine to dispense cash.

The experts disclosed their findings this week at the Black Hat security conference in Las Vegas.

Two different security holes have been found that allow an attacker to roll back the firmware to an older, vulnerable version.

One of them is CVE-2017-17668, which affects the S1 controller, and the other is CVE-2018-5717, which affects the S2 controller.

The flaws are similar and they are both related to insufficient protection of the memory write mechanism. They can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities, according to Positive Technologies.

“Our research indicated that not all requests from the ATM computer to the dispenser were encrypted. Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous,” said Alexey Stennikov, Head of Hardware Security Analysis at Positive Technologies.

The researchers notified NCR of their findings and the vendor released critical firmware updates in February that should provide better protection against black box attacks. The update should address the firmware rollback vulnerability and it adds an extra layer of protection for physical authentication mechanisms.

“The physical authentication mechanism used to authorize encrypted communications to the dispenser has been strengthened to add protection against an attacker using endoscope technology in an attempt to manipulate dispenser electronics from outside the safe. Additionally, further authentication mechanisms have been added as configuration options,” NCR said in its advisory.


Social Mapper – Correlate social media profiles with facial recognition
10.8.2018 securityaffairs
Social

Trustwave developed Social Mapper an Open Source Tool that uses facial recognition to correlate social media profiles across different social networks.
Security experts at Trustwave have released Social Mapper, a new open-source tool that allows finding a person of interest across social media platform using facial recognition technology.

The tool was developed to gather intelligence from social networks during penetration tests and are aimed at facilitating social engineering attacks.

Social Mapper facial recognition tool automatically searches for targets across eight social media platforms, including Facebook, Instagram, Twitter, LinkedIn, Google+, VKontakte (The Russian Facebook), and Chinese Weibo and Douban.

An individual could be searcher by providing a name and a picture, the tool allows to conduct an analysis “on a mass scale with hundreds or thousands of individuals” at once.

“Performing intelligence gathering is a time-consuming process, it typically starts by attempting to find a person’s online presence on a variety of social media sites. While this is a easy task for a few, it can become incredibly tedious when done at scale.” Trustwave states in a blog post.

“Introducing Social Mapper an open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale. Trustwave, which provides ethical hacking services, has successfully used the tool in a number of penetration tests and red teaming engagements on behalf of clients.”

Social Mapper

The Social Mapper search for specific profiles in three stages:

Stage 1—The tool creates a list of targets based on the input you give it. The list can be provided via links in a CSV file, images in a folder or via people registered to a company on LinkedIn.

Stage 2—Once the targets are processed, the second stage of Social Mapper kicks in that automatically starts searching social media sites for the targets online.

This stage can be time-consuming, the search could take over 15 hours for lists of 1,000 people and use a significant amount of bandwidth, for this reason, experts recommend running the tool overnight on a machine with a good internet connection.

Stage 3—The Social Mapper starts generating a variety of output, including a CSV file with links to the profile pages of the target list and a visual HTML report.

Of course, this intelligence-gathering tool could be abused by attackers to collect information to use in highly sophisticated spear- phishing campaigns.

Experts from Trustwave warn of potential abuses of Social Mapper that are limited “only by your imagination.” Attackers can use the results obtained with the tool to:

Create fake social media profiles to ‘friend’ the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
View target photos looking for employee access card badges and familiarise yourself with building interiors.
If you want to start using the tool you can find it for free on GitHub.

Trustwave researcher Jacob Wilkin will present Social Mapper at the Black Hat USA conference today.


Researchers Say Code Reuse Links North Korea's Malware

10.8.2018 securityweek Virus

Following trails of reused code, security researchers at Intezer and McAfee have uncovered new links between malware families attributed to North Korean threat groups and tracked most of the samples to the infamous Lazarus Group.

Code reuse isn’t novel, and many cases where cybercriminals and threat actors employed this technique have been already reported on. In fact, actors operating from the same country have been often observed sharing malware code and infrastructure, which often makes attribution highly problematic.

For security researchers, the reuse of code between different malware families and variations and between one campaign to another means that they can gain insight into the activities of threat actors, and this is exactly what Intezer and McAfee focused on in their recent analysis.

The multiple cyber campaigns attributed to North Korean hackers have been so far focused on two different directions: to raise money or pursue nationalist aims.

Thus there’s a workforce of hackers that focuses on cybercrime activities such as hacking into financial institutions (Unit 180) and another to gather intelligence from other nations and to try to disrupt rival states and military targets (Unit 121).

The researchers focused on the latter and discovered “many overlaps in code reuse,” which led them to the conclusion that nation-state sponsored groups were active in those efforts.

After analyzing thousands of malware samples, many unclassified or uncategorized, the researchers noticed a “significant amount of code similarities between almost every one of the attacks associated with North Korea.”

One similarity was found in the server message block (SMB) module of WannaCry (2017), Mydoom (2009), Joanap, and DeltaAlfa.

The use of these malware families has been already attributed to the Lazarus Group, which is tracked by the U.S. government as Hidden Cobra.

Believed to have orchestrated the $81 million heist from the Bangladesh bank, and seen as the most serious threat to banks, the group is also said to have launched campaigns such as Operation Blockbuster, Dark Seoul, and Operation Troy.

The researchers also noticed a similarity between three different remote access Trojans, namely NavRAT, Gold Dragon, and a DLL from the South Korean gambling hacking campaign, all three believed to be affiliated with Group 123 (also tracked as Reaper, APT37, and ScarCruft).

There’s also a connection between the Brambul malware (2009) and KorDllBot (2011), based on code responsible for launching a cmd.exe with a net share. Both malware families are attributed to Lazarus.

The security researchers also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples from Operation Troy.

The code reuse and sharing between various threat groups known to be affiliated with North Korea has revealed that most malware families link back to Lazarus. The only malware that stands apart are the RATs attributed to Group 123, which are linked to one another.

“The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns,” the security researchers note.

On Thursday, the U.S. Department of Homeland Security (DHS) warned of a new malware variant dubbed KEYMARBLE, which the U.S. government has attributed to malicious cyber activity by the North Korean government. DHS says the malware is a Remote Access Trojan (RAT) capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screenshots, and exfiltrating data. More details on KEYMARBLE are available from the malware report (AR18-221A) from the DHS.


Security expert discovered a bug that affects million Kaspersky VPN users
10.8.2018 securityaffairs
Vulnerebility

A security issue exists in Kaspersky VPN <=v1.4.0.216 which leaks your DNS Address even after you’re connected to any virtual server. (Tested on Android 8.1.0)
What is a DNS leaks?

In this context, with the term “DNS leak” we indicate an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

Kaspersky VPN is one of the most trusted VPN which comes with 1,000,000+ tier downloads in the official Google Play Store, however, it was observed that when it connects to any random virtual server still leaks your actual DNS address.

The expert Dhiraj Mishra that discovered the flaw reported it to Kaspersky via Hackerone.

Mishra also published a step-by-step guide to reproduce the problem:

Visit IPleak (Note your actual DNS address).
Now, connect to any random virtual server using Kaspersky VPN.
Once you are successfully connected, navigate to IPleak you will observe that the DNS address still remains the same.
Kaspersky VPN

The expert explained that the data leak could threaten the privacy of end-users that want to remain anonymous on the internet.

“I believe this leaks the trace’s of an end user, who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for same but no bounty was awarded.” states Mishra.

The expert reported this vulnerability to Kaspersky on Apr 21st via HackerOne, and a fix was pushed for the issue.

Unfortunately, at the time, the researcher was awarded as expected under the company’s bug bounty.


DeepLocker – AI-powered malware are already among us
10.8.2018 securityaffairs
Virus

Security researchers at IBM Research developed a “highly targeted and evasive” AI-powered malware dubbed DeepLocker and will present today.
What about Artificial Intelligence (AI) applied in malware development? Threat actors can use AI-powered malware to create powerful malicious codes that can evade sophisticated defenses.
Security researchers at IBM Research developed a “highly targeted and evasive” attack tool powered by AI,” dubbed DeepLocker that is able to conceal its malicious intent until it has infected the specific target.

“IBM Research developed DeepLocker to better understand how several existing AI models can be combined with current malware techniques to create a particularly challenging new breed of malware.” reads a blog post published by the experts.

“This class of AI-powered evasive malware conceals its intent until it reaches a specific victim. It unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition.”

According to the IBM researcher, DeepLocker is able to avoid detection and activate itself only after specific conditions are matched.
AI-powered malware represents a privileged optional in high-targeted attacks like the ones carried out by nation-state actors.
The malicious code could be concealed in harmful applications and select the target based on various indicators such as voice recognition, facial recognition, geolocation and other system-level features.
“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.” continues IBM.

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

deeplocker chart

The researchers shared a proof of concept by hiding the WannaCry ransomware in a video conferencing app and keeping it stealth until the victim is identified through the facial recognition. Experts pointed out that the target can be identified by matching his face with publicly available photos.

“To demonstrate the implications of DeepLocker’s capabilities, we designed a proof of concept in which we camouflage a well-known ransomware (WannaCry) in a benign video conferencing application so that it remains undetected by malware analysis tools, including antivirus engines and malware sandboxes. As a triggering condition, we trained the AI model to recognize the face of a specific person to unlock the ransomware and execute on the system.”

“Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms. When launched, the app would surreptitiously feed camera snapshots into the embedded AI model, but otherwise behave normally for all users except the intended target,” the researchers added.

“When the victim sits in front of the computer and uses the application, the camera would feed their face to the app, and the malicious payload will be secretly executed, thanks to the victim’s face, which was the preprogrammed key to unlock it.”

The IBM Research group will provider further details today more details in a live demo at the Black Hat USA security conference in Las Vegas.


Researchers Find Flaws in WPA2's 4-way Handshake Implementations
9.8.2018 securityweek
Vulnerebility

Researchers have discovered several security vulnerabilities in implementations of Wi-Fi Protected Access two (WPA2)’s 4-way handshake, which is used by nearly all protected Wi-Fi networks.

The discovery was the result of simulating cryptographic primitives during symbolic execution for the analysis of security protocol implementations, KU Leuven researchers Mathy Vanhoef and Frank Piessens explain in a recently published whitepaper (PDF).

By applying the technique on three client-side implementations of WPA2’s 4-way handshake, the researchers discovered timing side-channels when verifying authentication tags, a denial-of-service attack, a stack-based buffer overflow, and a non-trivial decryption oracle.

Through symbolic execution, the researchers claim, one aims to exhaustively explore all code paths of a program by running on symbolic inputs instead of concrete ones. For their experiments, the researchers implemented the techniques on top of the KLEE symbolic execution engine (they modified the engine to handle cryptographic primitives).

Of the three tested implementations, two were found susceptible to trivial timing side-channels, because they verify authentication tags using timing-unsafe memory compares.

The researchers found a denial of service in Intel’s iwd daemon (iNet wireless daemon) and a stack-based buffer overflow (in code that processes decrypted data) in MediaTek’s implementation, both of which can be triggered by malicious Access Point (AP). The AES unwrap algorithm was found to be incorrectly implemented in MediaTek’s code.

Furthermore, the wpa supplicant (a cross-platform supplicant with support for WEP, WPA and WPA2 (IEEE 802.11i)) was found vulnerable to a non-trivial decryption oracle caused by processing decrypted but unauthenticated data. Tracked as CVE-2018-14526, the bug can be exploited to recover sensitive information.

“This decryption oracle can be exploited when the victim connects to a WPA2 network using the old TKIP encryption algorithm. It can be abused to decrypt the group key transported in message 3 of the 4-way handshake,” the researchers note.

The attack, however, is only possible if WPA2 is used and if the client selects TKIP as the pairwise cipher, so that the RC4 stream cipher is used to encrypt the key data field (if CCMP is selected, AES is used to protect the key data field). Both conditions are met when the Wi-Fi network uses WPA2 and only supports TKIP (in 2016, 20% of protected Wi-Fi networks used this configuration).

The flaw allows an attacker to decrypt the group key transported in message 3 of WPA2’s 4-way handshake and use it to inject both broadcast and unicast traffic. Furthermore, the key could be used to decrypt unicast and broadcast traffic, the research paper claims.

“We successfully applied symbolic execution to client-side implementations of the 4-way handshake of WPA2, by simulating cryptographic primitives, and constraining parts of the symbolic input to prevent excessive state explosions. This revealed memory corruptions in code that processes decrypted data, uncovered insecure implementations of cryptographic primitives, and even revealed a decryption oracle,” the researchers note.

Earlier this week developers of the popular password cracking tool Hashcat identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.


Flaws in Smart City Systems Can Allow Hackers to Cause Panic
9.8.2018 securityweek
Vulnerebility

Smart city - Credits: JCT 600 https://www.jct600.co.uk/blog/future-of-motoring/what-will-motoring-look-like-70-years-from-now/

Critical vulnerabilities discovered in smart city systems from several vendors can allow malicious actors to perform various actions that could lead to widespread panic, researchers warn.

The world’s major cities are increasingly reliant on smart technologies, including for traffic management, disaster detection and response, and remotely controlling utilities. These systems communicate via protocols such as 4G, ZigBee and Wi-Fi.

Following the recent accidental false missile alert in Hawaii, experts at Threatcare and IBM X-Force Red have decided to join forces and analyze smart city technologies to see if they are affected by any vulnerabilities that could be exploited to intentionally cause panic.

Researchers from the two companies analyzed products from Echelon, Libelium and Battelle. Their tests led to the discovery of 17 previously unknown vulnerabilities across four types of smart city products, including eight security holes described as “critical” and six as “high severity.”

In the case of Echelon, the companies tested i.LON 100 and 600 routers, which allow organizations to monitor and control LonWorks devices such as pumps, valves, motors, sensors and lights. They also analyzed the vendor’s SmartServer products, described as a “versatile controller, router, and smart energy manager that connects control devices to IP-based applications such as building automation, enterprise energy management, demand response programs, and high-value remote asset management programs.”

A total of five vulnerabilities were discovered in these systems, including two critical flaws that allow authentication bypass, default credentials, plaintext passwords, and the lack of encrypted communications. ICS-CERT recently published an advisory describing some of the issues identified by IBM and Threatcare.

In the case of Libelium, which specializes in hardware for wireless sensor networks, researchers analyzed Meshlium, an IoT gateway designed for connecting sensors to any cloud platform. Four distinct instances of a pre-authentication shell injection flaw were discovered in the product, and they have all been classified as “critical.”

As for Battelle, a global research and development organization, IBM and Threatcare analyzed two versions of its V2I (vehicle-to-infrastructure) Hub product, which is used for communicating data from traffic signal controllers to connected vehicles.

The list of vulnerabilities found in these systems include SQL injection, hardcoded passwords, unprotected sensitive functionality, cross-site scripting (XSS) flaws, and various API-related issues. A majority of these security holes have been assigned either a “critical” or “high severity” rating.

All the affected vendors have been notified and they have addressed the vulnerabilities.

Battelle has clarified that V2I Hub is a 2.5-year project that it’s working on for the Federal Highway Administration. The project is ongoing – it’s expected to be finished at the end of September – and it has only been deployed for testing purposes. Battelle told SecurityWeek that it fixed the flaws found by IBM in early July.

However, the discovery of these basic security holes shows that smart city systems are highly exposed to cyberattacks.

While there is no evidence of malicious attacks exploiting the vulnerabilities found as part of this research project, the companies warned that the risks are significant.

Worryingly, online searches conducted using Shodan and Censys showed that there are tens or hundreds of vulnerable systems accessible directly from the Internet. Some of them have been found to belong to a European country that uses vulnerable devices to detect radiation, and a major U.S. city that relies on them for traffic monitoring.

“According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” researchers said.

In a theoretical attack scenario described by the experts, an attacker exploits the vulnerabilities to manipulate data from water level sensors to indicate a flood, which could create panic. In addition, hackers could make the water level appear normal during a flood.

Hackers could also cause mass panic by manipulating data from radiation sensors in order to trigger radiation leak warnings.

Hijacking traffic systems can also have serious consequences. Attackers can cause chaos by controlling traffic signals, and create additional panic by setting off building and emergency alarms, and triggering gunshot sensors.


New G Suite Alerts Provide Visibility Into Suspicious User Activity
9.8.2018 securityweek Security

After bringing alerts on state-sponsored attacks to G Suite last week, Google is now also providing administrators with increased visibility into user behavior to help identify suspicious activity.

Courtesy of newly introduced reports, G Suite administrators can keep an eye on account actions that seem suspicious and can also choose to receive alerts when critical actions are performed.

Admins can set alerts for password changes, and can also receive warnings when users enable or disable two-step verification or when they change account recovery information such as phone number, security questions, and recovery email.

By providing admins with visibility into these actions, Google aims at making it easier to identify suspicious account behavior and detect when user accounts may have been compromised.

Should an admin notice that a user has changed both the password and the password recovery info, which could be a sign that the account has been hijacked, they can leverage the reports to track time and IP address and determine if the change indeed seems suspicious.

Based on the findings, the G Suite administrator could then take the appropriate action to mitigate the issue and restore the user account, such as password reset and disable 2-step verification.

Admins can also use the new reports to gain visibility into an organization's security initiatives, such as the monitoring of domain-wide initiative to increase the adoption of two-step verification.

Access to these reports is available in Admin console > Reports > Audit > Users Accounts.

The new capabilities are set to gradually roll out to all G Suite editions and should become available to all customers within the next two weeks.

“G Suite admins have an important role in protecting their users’ accounts and ensuring their organization’s security. To succeed, they need visibility into user account actions. That’s why we’re adding reports in the G Suite Admin console that surface more information on user account activity,” Google notes.


A Guided Tour of the Asian Dark Web
9.8.2018 securityweek Cyber

Inside the Asian Dark Web - Cybercrime

The Asian dark web is not well known. Most people just think of Russia when thinking about underground hacking forums. To gain a better understanding of Asian onion sites and black markets, researchers from IntSights embarked on a six-month long investigation and analysis.

The results, published this week at Black Hat, show a diverse, culturally sensitive and wider than perhaps expected Asian dark web. Along with the report, IntSights' director of threat research, Itay Kozuch, took SecurityWeek on a guided tour of the Asian dark web.

We started at the Hidden Wiki, a South Korean page that bookmarks other sites in the dark web all over the world. "It's been live for a few years, and is being maintained on a regular basis," explained Kozuch. The page is organized in sections and even provides an 'editor's choice' selection. It provides links to whatever the existing or budding hacker or underworld character might be looking for: bank accounts, card details, advice, drugs, porn, fake passports and IDs, UK driving licenses, firearms and more.

"It's a good place to start a foray into the dark web," said Kozuch. Despite this expansive index onto blacker parts of the dark web, the IntSights report, "At the moment, there are no significant threat actors that operate out of South Korea."

Our next stop was deeper into the dark web: Mushroom, a Chinese black-market site specializing in the sale of drugs. "The most important feature for the researcher," continued Kozuch, "are the prices. They are all in Chinese Yuan, not as we usually see in dark websites, bitcoin or other cryptocurrency." This is because cryptocurrencies are forbidden in China and the site primarily serves Chinese nationals -- although it does offer advice on how to obtain bitcoin and is willing to ship produce outside of China. The price is also 30% to 40% lower than is typically found in western black markets.

From there we moved to Japan. The Japanese dark web has one major difference to other parts: it is remarkably polite. "Many Japanese users view it as an alternate universe," says the report, "where they can express themselves and have harmless discussions, just behind the mask of an anonymous avatar. It is not uncommon to see diaries and blogs on the Japanese dark web." It is more about obtaining things, such as drugs and porn, than about facilitating hacking. One even asks the visitor to suggest a price for the products.

We visited the Japanese branch of Anonymous, which is a bit of an exception. "Its primary purpose is protest against the Japanese government on environmental issues," explained Kozuch. Two current ops are Hope Japan and Hope Fukushima. "Anonymous accuses the Japanese government of hiding information about what really happened in the nuclear plant, and the extent of pollution in the seas around Japan." The website directly calls for attacks against Japanese government websites, and Anonymous is willing to provide what is necessary -- methodologies for DDoS, SQLi, XSS and other attack vectors.

We then visited another Japanese language site that is a bit different -- a site that buys and sells information, focusing on military intelligence, documents, protocols, science, and technology, "What's really remarkable," added Kozuch, "is that this site is not typically Japanese in flavor. Japanese sites usually handle drugs and porn. After analyzing the style and content, "We came to the conclusion that this is not a Japanese website at all. The Japanese would never be so direct and forthright. We suspect that the people behind it are North Korean, which has its problems with Japan." The report adds that it may be a North Korean (or Chinese) group "that is attempting to gather intelligence for some attack on or operation in Japan)."

We also visited another Anonymous site in Thailand (this one is offering a free database of 30,000 FBI and DHS officers stolen in 2016); and a hacking forum/black market in Indonesia (providing free downloads of malware and exploits).

The main focus, however, was on China, and we visited three more websites. Surprisingly, none of these are onion sites. They are dark sites to anybody outside of China because of the Chinese firewall, but in the clear web to Chinese nationals. The first offers DDoS as a packaged service -- a fairly unique offering selling different options of strength and duration. "The largest offering," Kozuch pointed out, "is for a 500 Gb attack with unlimited connections."

The second, known as QQ, is a hacking forum designed as a combination of different social media platforms and providing communication tools such as QQ groups, QQ forums and private chatrooms.

The last was Hack80, a hacking forum more in line with the better known Russian underground forums. "It offers everything you might find in the traditional Russian hacking forums," said Kozuch: "bitcoin mining tutorials, hacker toolkits, malware and so on. You can ask about and get almost anything -- if you're Chinese, of course. You cannot ask questions or get answers in English." This isn't surprising since the site is in the clear web, and thus only visible to Chinese nationals (IntSights was using a very specific VPN for the research and this tour).

Kozuch believes it is time for the West to take the Chinese dark web more seriously. "We usually like to look at the North Koreans and the Russians as the primary attackers; but I believe that the Chinese offer is more sophisticated with more capability than we have realized. Many of the next threats that we are going to see will come from China."

The fact that so many dark Chinese sites are on the Chinese clear web raises the question of collusion between the hackers and the government. Kozuch does not believe that the existence of hacking sites in the clear web automatically means they are permitted by the government, or that the hackers work for the government. It is perfectly feasible for these sites to hide in plain sight given the size of the Chinese internet.

"I think there is a big element of private cybercrime groups that operate from China that we were simply not aware of," he told SecurityWeek. "It is more comfortable to blame the APT groups we already know about, but I think this research shows how much knowledge and how much capability that private groups have, and how they communicate and what kind of tools they are using."

He suspects that we often automatically blame APT groups simply because the attack comes from China; but the perpetrator may well be an unknown private group. "Usually, APT groups (with the exception of North Korea) are not after money -- they're after intelligence or to steal intellectual property. I believe that in some cases there are Chinese threat actors that we simply aren't aware of." As in Russia, many of the Chinese threat actors will focus on targets outside of China so as not to draw the attention -- and ire -- of the local police.

But this doesn't mean there is no collusion at all between the criminal groups and the Chinese government. "I haven't found any evidence that private groups are sub-contracting for the government," he continued, "but I really believe that it is happening -- like in many other places around the world. Sometimes the government doesn't have all the capabilities it needs, so it uses sub-contractors who will deliver the skills provided the government allows them to continue their own operations outside of China. There are examples of known Chinese hackers that are now running their own security firms. Nobody turns from crime life to become whitehats for no reason and without any consequences. I really believe that there are all kinds of groups that enjoy government protection because they provide services to the government when it needs it. Give and take rules."

"The Asian dark web," concludes the IntSights research, "is relatively small compared to its counterparts in Western countries, such as the United States and Europe. However, this doesn't mean that it poses less of a threat. In fact, due to the laws and political motivations of these countries, the risk to non-Asian companies is significantly higher."

Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018; bringing the total capital raised by the firm to $41.3 million. IntSights was founded in 2015 by Alon Arvatz, Gal Ben David, Guy Nizan.


Flaws in Siemens Tool Put ICS Environments at Risk
9.8.2018 securityweek ICS

Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.

The TIA Portal (Totally Integrated Automation Portal) is a piece of software from Siemens that gives organizations unrestricted access to the company’s automation services.

Researchers at industrial cybersecurity firm Nozomi Networks discovered that the default installation of the TIA Portal is affected by two high severity improper file permission vulnerabilities.

One of them, CVE-2018-11453, allows an attacker with access to the local file system to insert specially crafted files that can cause the TIA Portal to enter a denial-of-service (DoS) condition or allow the hacker to execute arbitrary code. Exploiting the flaw does not require special privileges, but the victim needs to attempt to open the TIA Portal for the exploit to be triggered, Siemens said in its advisory.

Nozomi Co-founder and Chief Technology Officer Moreno Carullo told SecurityWeek that the company sent a proof-of-concept (PoC) to ICS-CERT and Siemens that shows how this security hole can be exploited for code execution.

The second vulnerability, CVE-2018-11454, is related to an improper file permission configuration issue in specific TIA Portal directories.

“[The flaw] may allow an attacker with local privileges in the machine where the software is installed to manipulate the resources inside the misconfigured directories (eg., adding a malicious payload),” Carullo explained. “While a legitimate user uses the software suite to transfer configuration (in a licit way) to the targeted device, using the TIA Portal software, a maliciously-added file would be automatically executed by the remote device.”

Siemens has released updates for SIMATIC STEP7 and SIMATIC WinCC versions 14 and 15 to address the vulnerabilities. For earlier versions, users can prevent exploitation by restricting operating system access to authorized users, and processing GDS files only from trusted sources.

Nozomi believes these types of flaws can pose a significant risk to ICS environments.

“These types of flaws may enable an advanced persistent threat (APT) to be installed in the ICS and act by itself hidden from regular ICS engineers in a plant. So it could be used to build bigger malwares,” Carullo said.


Leaked GitHub API Token Exposed Homebrew Software Repositories
9.8.2018 securityweek Hacking

A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repositories (repos).

Around since 2009, Homebrew is a free and open-source software package management system that is integrated with command line and which allows for simple installation of software on macOS machines.

On July 31, 2018, security researcher Eric Holmes discovered that an exposed token provided him with commit access to Homebrew/brew, Homebrew/homebrew-core, and Homebrew/formulae.brew.sh repositories.

With hundreds of thousands of people using Homebrew, the potential impact of the compromise was disastrous. By modifying a highly popular package, such as openssl, the researcher could have pushed the malicious code directly to a large number of users.

“If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it,” Holmes explained.

The issue, which was addressed the same day that it was discovered, did not result in compromised packages, Homebrew lead maintainer Mike McQuaid reveals.

The exposed token had elevated scopes, but the GitHub Support team has verified that it hasn’t been used to perform any pushes to Homebrew/brew or Homebrew/homebrew-core.

“Within a few hours the credentials had been revoked, replaced and sanitised within Jenkins so they would not be revealed in future. Homebrew/brew and Homebrew/homebrew-core were updated so non-administrators on those repositories cannot push directly to master,” McQuaid says.

He also explains that the team also enforced stronger security by updating most repositories in the Homebrew organization “to require CI checks from a pull request to pass before changes can be pushed to master.”

In addition to enabling branch protection and requiring reviews on additional repositories, the Homebrew team also required all maintainers to review and prune their personal access tokens and disable SMS fallback for 2FA.

“We try our best to behave as a for-profit company would do in terms of timely response to security issues but this is heavily limited by our lack of resources. For example, in this the Homebrew maintainer who resolved the above issues was on paternity leave from work and the primary carer for their child and had to reach a quick resolution while their child had a nap,” McQuaid notes.

In the wake of recent incidents with compromised Gentoo Linux and Arch Linux AUR repositories, it is increasingly clear that malicious actors can cause a great deal of damage by targeting the supply chain. This is exactly what last year’s CCleaner and NotPetya attacks demonstrated as well.

“This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research,” Holmes concludes.


Researchers find vulnerabilities in WhatsApp that allow to spread Fake News via group chats
9.8.2018 securityaffairs
Social

WhatsApp has been found vulnerable to multiple security flaws that could allow malicious users to spread fake news through group chats.
WhatsApp, the most popular messaging application in the world, has been found vulnerable to multiple security flaws that could allow malicious users to intercept and modify the content of messages sent in both private as well as group conversations.

Researchers at security firm Check Point have discovered several vulnerabilities in the popular instant messaging app Whatsapp, the flaws take advantage of a bug in the security protocols to modify the messages.

An attacker could exploit the flaws “to intercept and manipulate messages sent by those in a group or private conversation” as well as “create and spread misinformation”.

The issues affect the way WhatsApp mobile application communicates with the WhatsApp Web and decrypts the messages using the protobuf2 protocol.

The flaws allow hackers to abuse the ‘quote’ feature in a WhatsApp group conversation to change the identity of the sender, or alter the content of members’ reply to a group chat, or send private messages to one of the group members disguised as a group message.

Experts pointed out the that flaws could not be exploited to access the content of end-to-end encrypted messages and in order to exploit them, the attackers must be already part of group conversations.

“Check Point researchers have discovered a vulnerability in WhatsApp that allows a threat actor to intercept and manipulate messages sent by those in a group or private conversation.” reads the blog post published by the experts.

“The vulnerability so far allows for three possible attacks:

Changing a reply from someone to put words into their mouth that they did not say.
Quoting a message in a reply to a group conversation to make it appear as if it came from a person who is not even part of the group.
Sending a message to a member of a group that pretends to be a group message but is in fact only sent to this member. However, the member’s response will be sent to the entire group.”
The experts demonstrated the exploitation of the flaws by changing a WhatsApp chat entry sent by one member of a group.

Below a video PoC of the attack that shows how to modify WhatsApp Chats and implements the three different attacks.

The research team from CheckPoint researchers (Dikla Barda, Roman Zaikin, and Oded Vanunu) developed a custom extension for the popular tool Burp Suite, dubbed WhatsApp Protocol Decryption Burp Tool, to intercept and modify encrypted messages on their WhatsApp Web.

“By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues.” states the experts.

The extension is available on Github, it requires the attacker to provide its private and public keys.

“The keys can be obtained from the key generation phase from WhatsApp Web before the QR code is generated:” continues the report published by the experts.

“After we take these keys we need to take the “secret” parameter which is sent by the mobile phone to WhatsApp Web while the user scans the QR code:”

Experts demonstrated that using their extension an attacker can:

Change the content of a group member’s reply.
Change the identity of a sender in a group chat. The attack works even if the attacker is not a member of the group. “Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.”
Send a Private Message in a Group, but when the recipient replies the members of the group will see it.

The experts reported the flaws to WhatsApp, but the company explained that end-to-end encryption if not broken by the attacks.

“We carefully reviewed this issue and it’s the equivalent of altering an email to make it look like something a person never wrote.” WhatsApp said in a statement.

“This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp.”

“These are known design trade-offs that have been previously raised in public, including by Signal in a 2014 blog post, and we do not intend to make any change to WhatsApp at this time,” WhatsApp security team replied to the researchers.

Checkpoint experts argue that the flaws could be abused to spread fake news and misinformation, for this reason, it is essential to fix the flaws as soon as possible along with putting limits on the forwarded messages.


GitHub started warning users when adopting compromised credentials
9.8.2018 securityaffairs Incindent

In order to improve the security of its users, the popular software code hosting service GitHub is now alerting account holders whenever it detects that a password has been exposed by data breaches on other services.
Last week the popular software code hosting service GitHub has introduced a new feature to protect its users, it will alert them whenever it detects that a password has been compromised in a third-party data breach.

GitHub has teamed with the HaveIBeenPwned.com service, managed by the cybersecurity expert Troy Hunt, to provide implement a feature that allows users to check whether their credentials have been involved in known data breaches.

“Common password advice is to use a long and unique password for each website you have an account with. It’s challenging to remember a strong and unique password for each website without either using a password manager or using a trivially discovered theme. As a result, password reuse is extremely prevalent. Regardless of the strength of a password, a single breach can nullify its security when used elsewhere.” reads the advisory published by GitHub.

“While Troy hosts a service that people and services can use to check for compromised passwords, he also generously made the approximately 517 million record dataset available for download. Using this data, GitHub created an internal version of this service so that we can validate whether a user’s password has been found in any publicly available sets of breach data.”

GitHub has developed service that leverages the 517 million record dataset provided by Huntto “validate whether a user’s password has been found in any publicly available sets of breach data.”

GitHub account check

The feature will alert users that are using compromised credentials and ask them to change them during login, registration, or during a password change.

The service will store Github the hashed passwords using the bcrypt algorithm.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” continues GitHub.

GitHub encourages the use of two-factor authentication (2FA), those users that have enabled it will receive periodic warnings to review the 2FA setup and recovery options.

“If you have two-factor authentication enabled, GitHub will now periodically remind you to review your 2FA setup and recovery options. We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean.” continues the advisory.

In June, Microsoft announced the acquisition of GitHub for $7.5 billion in Microsoft stock and the hosting service is improving its security by introducing new measures, including the enforcing of SSL/TLS.


Snapchat source Code leaked after an iOS update exposed it
9.8.2018 securityaffairs
Social

Hackers leaked the Snapchat source code on GitHub, after they attempted to contact the company for a reward.
Hackers gained access to the source code of the frontend of Snapchat instant messaging app for iOS and leaked it on GitHub.

A GitHub account associated with a person with the name Khaled Alshehri who claimed to be from Pakistan and goes online with the handle i5xx created the GitHub repository titled Source-Snapchat.

After being notified, Snap Inc., has confirmed the authenticity of the source core and asked GitHub to remove it by filing a DMCA (Digital Millennium Copyright Act) request.

“Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online.**”

“SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.” reads the reply of the company to a question included in the DMCA request.

SnapChat source code

According to Snapchat, the source code was leaked after an iOS update made in May that exposed a “small amount” of the app source code. The problem was solved and Snap Inc ensured that the data leak has no impact on the Snapchat users.

The hackers who leaked the source code are threatening the company of releasing new parts of the leaked code until the Snap Inc will not reply. Likely they are blackmailing the company.SnapChat source code

SnapChat source code

Two members of the group who leaked the Snapchat source code have been posting messages written in Arabic and English on Twitter.

The two hackers are allegedly based in Pakistan and France, they were expecting a bug bounty reward from the company without success.

At the time of writing two other forks containing the source code are still present on GitHub, it seems that the code was published just after the iOS update.

Snapchat currently run an official bug bounty program through HackerOne and has already paid several rewards for critical vulnerabilities in its app.


Flaw in BIND Security Feature Allows DoS Attacks
9.8.2018 securityweek
Vulnerebility

The Internet Systems Consortium (ISC) revealed on Wednesday that the BIND DNS software is affected by a serious vulnerability that can be exploited for denial-of-service (DoS) attacks.

The flaw, discovered by Tony Finch of the University of Cambridge and tracked as CVE-2018-5740, can be exploited remotely and it has been assigned a CVSS score of 7.5, which makes it “high severity.”

However, the vulnerability only impacts servers on which a feature called “deny-answer-aliases” has been enabled. The feature is disabled by default.

The “deny-answer-aliases” feature is designed to help recursive server operators protect users against DNS rebinding attacks. These types of attacks allow a remote hacker to abuse the targeted user’s web browser to directly communicate with devices on the local network and exploit any flaws they might have.

“Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients,” ISC wrote in its advisory.

The security hole impacts BIND versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2. A patch is included in versions 9.9.13-P1, 9.10.8-P1, 9.11.4-P1 and 9.12.2-P1. As a workaround, ISC suggests disabling the problematic feature if it has been used.

“Most operators will not need to make any changes unless they are using the ‘deny-answer-aliases’ feature. ‘deny-answer-aliases’ is off by default; only configurations which explicitly enable it can be affected by this defect,” ISC said.

The organization says it’s not aware of any instances where this vulnerability has been exploited for malicious purposes. Potentially affected users were notified of the flaw in advance, on July 31.


Reconnaissance, Lateral Movement Soar in Manufacturing Industry
9.8.2018 securityweek ICS

An unusually high volume of malicious internal reconnaissance and lateral movement have been observed in the manufacturing industry, which experts believe is a result of the rapid convergence between IT and OT networks.

The data comes from the 2018 Spotlight Report on Manufacturing released on Wednesday by threat detection company Vectra. The report is based on observations from another report released on Wednesday by the company, the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which shows attacker behavior and trends across nine industries.

The Attacker Behavior Industry Report shows that Vectra has detected a significant number of threats in manufacturing companies. This industry has generated the third highest number of detections, after the education and energy sectors.

Threats by industry per 10,000 host devices

The cybersecurity firm has focused on botnets, command and control (C&C) traffic, data exfiltration, reconnaissance and lateral movement.

In the case of manufacturing organizations, it discovered a significant volume of malicious internal behavior, which suggests that adversaries are already inside the network. For example, Vectra noted that in many instances there was twice as much lateral movement as C&C traffic.

“These behaviors reflect the ease and speed with which attacks can proliferate inside manufacturing networks due to the large volume of unsecured IIoT devices and insufficient internal access controls,” Vectra said in its report. “Most manufacturers do not invest heavily in security access controls for business reasons. These controls can interrupt and isolate manufacturing systems that are critical for lean production lines and digital supply chain processes.”

Many factories connect their industrial internet of things (IIoT) systems to regular computers and enterprise applications for data telemetry and remote management purposes. The use of widely used protocols instead of proprietary protocols makes it easier for malicious actors to infiltrate networks, spy on the targeted organization, and steal data, Vectra said.

According to the company, a recently observed spike in internal reconnaissance in the manufacturing sector was the result of internal darknet scans and SMB account scans. Internal darknet scans are when a device on the network looks for internal IP addresses that do not exist, while SMB account scans occur when a host quickly uses multiple accounts via the SMB protocol.

“Manufacturing networks consist of many gateways that communicate with smart devices and machines. These gateways are connected to each other in a mesh topology to simplify peer-to-peer communication. Cyberattackers leverage the same self-discovery used by peer-to-peer devices to map a manufacturing network in search of critical assets to steal or damage,” Vectra said.

As for lateral movement, the company has seen a wide range of activities, but the most common are SMB brute-force attacks, suspicious Kerberos clients, and automated replication, which occurs when an internal host sends similar payloads to multiple systems on the network.

“IIoT systems make it easy for attackers to move laterally across a manufacturing network, jumping across non-critical and critical subsystems, until they find a way to complete their exploitative missions,” the firm explained.


DarkHydrus Uses Open Source Phishery Tool in Middle-East Attacks
9.8.2018 securityweek
Phishing

The recently detailed DarkHydrus threat group is leveraging the open-source Phishery tool to create malicious documents used in attacks on government entities in the Middle East, Palo Alto Networks warns.

Just weeks ago, the security firm revealed that the actor is employing numerous free or open-source utilities for their malicious purposes. They have leveraged tools such as Meterpreter, Mimikatz, PowerShellEmpire, Veil, and CobaltStrike, as well as a PowerShell-based backdoor called RogueRobin.

With a focus on credential harvesting, the attacker(s) employs spear-phishing emails to deliver malicious Office documents and is using an infrastructure dating back to fall 2017.

The malicious documents, which use the attachedTemplate technique, load a template from a remote, attacker-controlled location to prompt users to provide login credentials. The login information is then sent to the attacker’s server.

Last year, the FBI and the DHS issued a joint report warning of cyber-attacks targeting energy facilities in the U.S. and elsewhere and leveraging the same template injection technique. Those attacks, however, were attributed to a different actor.

Palo Alto Networks’ security researchers believe that DarkHydrus used the open-source Phishery tool to create two of the Word documents observed in the observed credential harvesting attacks.

One of these attacks was observed on June 24, 2018, targeting an educational institution in the Middle East. The subdomain (of attacker-controlled 0utl00k[.]net) used in this incident was the domain of the targeted educational institution, which made the malicious document and the authentication request look credible.

The security researchers discovered additional documents that employed the same malicious domain for credential harvesting and say that the malicious campaign has been ongoing for almost a year.

Previously, Palo Alto Networks uncovered additional domains the threat actor has been using in assaults, including anyconnect[.]stream, Bigip[.]stream, Fortiweb[.]download, Kaspersky[.]science, microtik[.]stream, owa365[.]bid, symanteclive[.]download, and windowsdefender[.]win.

The RogueRobin backdoor, the security firm says, can determine whether it runs in a sandbox. It provides attackers with various remote administration capabilities, including file upload, PowerShell command, DNS queries, download of content from the command and control (C&C), and the addition of PowerShell modules to the script.The researchers were able to confirm that the Phishery tool was used to create DarkHydrus documents. The open-source utility allows for the injection of remote template URLs into Word documents and is also capable of hosting a C&C server to gather the user-provided credentials.

“We discovered DarkHydrus carrying out credential harvesting attacks that use weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions. This threat group not only used the Phishery tool to create these malicious Word documents, but also to host the C2 server to harvest credentials,” Palo Alto Networks concluded.


DDoS Attacks Less Frequent But Pack More Punch: Report
8.8.2018 securityweek Attack

There were seven times more distributed denial (DDoS) attacks larger than 300 Gbps (gigabit per second) observed during the first six months of 2018 compared to the first half of 2017, NETSCOUT Arbor reveals.

According to the security company’s latest threat intelligence report, the number of large DDoS attacks jumped from 7 to 47 year-over-year in the first half of 2018, and the average DDoS attack size grow 174% during that period. The overall frequency of attacks, however, went down 13%.

The overall assault size was driven by novel techniques and has seen an increase of 37% since memcached appeared (memcached amplification fueled a 1.7 Tbps attack earlier this year). Between March and June 2018, the number of vulnerable (and accessible) memcached servers dropped from 17,000 to 550.

Although it has been used for reflection/amplification for years, Simple Service Discovery Protocol (SSDP) has received increased attention this year, when it was used to deliver traffic from ephemeral source ports. There are around 33,000 SSDP reflectors that could be abused in attacks, the report reveals (PDF).

The rise of Internet of Things (IoT) devices, most of which lack proper protection, use default credentials and are plagued with both known and unknown software vulnerabilities, is expected to continue to fuel a growth in IoT botnets such as Mirai, which has spawned numerous variants over the past two years.

Attack targets have diversified, with verticals such as finance, gaming, and e-commerce being most likely to be targeted. Telecommunications providers observed the largest number of incidents, and data hosting services were also targeted.

“Today, any organization, for any real or perceived offense or affiliation, can become a target of a DDoS attack,” NETSCOUT Arbor says.

In addition to DDoS attacks, cybercrime and nation-state espionage attacks represent other types of threats posing high risks to organizations and consumers alike.

“Over the past 18 months, internet worms, supply chain attacks, and customer premises equipment (CPE)/IoT compromises have opened up internetscale threat activity. Nation-state APT groups continue to develop globally, used as another means of state-craft and often targeting governments and institutions of geo-strategic relevance,” the report reads.

Targeting newly discovered vulnerabilities in Office, the Iran-based threat actor OilRig has been highly active over the past year. Russian-linked cyber-group Fancy Bear wasn’t dormant either, with the most noteworthy attack recently attributed to it being the VPNFilter malware campaign.

Hidden Cobra, the North Korean threat actor also known as the Lazarus Group, has been observed targeting crypto-currency exchanges, as well as Central and South American banks. Operating out of Vietnam, Ocean Lotus has been actively targeting government and finance sectors over the past year.

The crimeware sector too remains robust and NETSCOUT Arbor expects it to spread beyond its traditional attack methods. There’s an increase in the use of auto-propagation methods, which have already fueled massive malware distribution campaigns such as last year’s WannaCry and NotPetya.

“The hunger for exploitation of new vectors will also continue, as we have seen in the immense DDoS attack impact created by Memcached earlier this year,” NETSCOUT Arbor says.

The security firm also expects an increase in SSDP abuse for internal intrusion, as well as growth in the “use of legitimate software programs by espionage groups and the addition of secondary tactics such as adding crypto-currency mining by crimeware actors.”


Let's Encrypt Now Trusted by All Major Root Programs
8.8.2018 securityweek Safety

Let’s Encrypt root, ISRG Root X1, is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry.

Let’s Encrypt is a free, automated, and open Certificate Authority (CA) backed by the Linux Foundation that provides website owners with free digital certificates for their sites and handles the certificate management process for them.

Launched by the Internet Security Research Group (ISRG) as an effort to drive HTTPS adoption, the initiative was launched publicly in December 2015 and came out of beta in April 2016.

At the end of July 2018, Let’s Encrypt received direct trust from Microsoft products, which resulted in it being trusted by all major root programs. The CA’s certificates are cross-signed by IdenTrust, and have been widely trusted since the beginning.

“Browsers and operating systems have not, by default, directly trusted Let’s Encrypt certificates, but they trust IdenTrust, and IdenTrust trusts us, so we are trusted indirectly. IdenTrust is a critical partner in our effort to secure the Web, as they have allowed us to provide widely trusted certificates from day one,” noted Josh Aas, Executive Director of ISRG.

Now, the CA’s root is directly trusted by almost all newer versions of operating systems, browsers, and devices. Many older versions, however, still do not directly trust Let’s Encrypt.

While some of these are expected to be updated to trust the CA, others won’t, and it might take at least five more years until most of them cycle out of the Web ecosystem. Until that happens, Let’s Encrypt will continue to use a cross signature.

“Let’s Encrypt is currently providing certificates for more than 115 million websites. We look forward to being able to serve even more websites as efforts like this make deploying HTTPS with Let’s Encrypt even easier,” Aas concludes.


Researchers Find Flaw in WhatsApp
8.8.2018 securityweek
Vulnerebility

Researchers at Israeli cybersecurity firm CheckPoint said Wednesday they had found a flaw in WhatsApp that could allow hackers to modify and send fake messages in the popular social messaging app.

CheckPoint said the vulnerability gives a hacker the possibility "to intercept and manipulate messages sent by those in a group or private conversation" as well as "create and spread misinformation".

The report of the flaw comes as the Facebook-owned is coming under increasing scrutiny as a means of spreading misinformation due to its popularity and convenience for forwarding messages to groups.

Last month, the app announced limits of forwarding messages following threats by the Indian government to take action after more than 20 people were butchered by crazed mobs after being accused of child kidnapping and other crimes in viral messages circulated wildly on WhatsApp.

WhatsApp said in a statement: "We carefully reviewed this issue and it's the equivalent of altering an email to make it look like something a person never wrote."

However, WhatsApps said: "This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp."

The app noted it recently placed a limit on forwarding content, added a label to forwarded messages, and made a series of changes to group chats in order to tackle the challenge of misinformation.

Founded in 2009 and purchased by Facebook in 2014, WhatsApp said that at the beginning of the year it had more than 1.5 billion users who exchanged 65 billion messages per day.


NERC Names Bill Lawrence as VP, Chief Security Officer
8.8.2018 securityweek Security

North American Electric Reliability Corporation (NERC) on Tuesday announced that Bill Lawrence has been named vice president and chief security officer (CSO), and will officially step into the lead security role on August 16, 2018.

In his new role, Lawrence will be tasked with heading NERC's security programs executed through the Electricity Information Sharing and Analysis Center (E-ISAC), where he currently serves as senior director. He will also be responsible for directing security risk assessments and mitigation initiatives to protect critical electricity infrastructure across North America, the regulatory authority said.

ICS Cyber Security Conference

As VP and CSO, Lawrence will also lead coordination efforts with government agencies and stakeholders on cyber and physical security matters, including analysis, response and sharing of critical sector information, NERC said.

Lawrence joined NERC in July 2012 and has directed the development of NERC’s grid security exercise, GridEx.

A not-for-profit international regulatory authority formed to reduce risks to the reliability and security of the grid, NERC's jurisdiction includes owners and operators that serve more than 334 million people.

Lawrence is a graduate of the U.S. Naval Academy with a bachelor’s degree in Computer Science, and flew F-14 Tomcats and F/A-18F Super Hornets for the U.S. Navy prior to joining NERC. He holds a master’s degree in International Relations from Auburn Montgomery and a master’s degree in Military Operational Art and Science from the Air Command and Staff College.

NERC is subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada.


Enterprises: Someone on Your Security Team is Likely a Grey Hat Hacker
8.8.2018 securityweek Security

Companies Should Not Dismiss a Bit of Grey Hatting by Staff as Just a Form of Letting Off Steam

The cost of cybercrime is normally described as direct costs: the cost of remediation, forensic support, legal costs and compliance fines, etcetera. A new survey has sought to take a slightly different approach, looking at the organizational costs associated with cybercriminal activity.

Sponsored by Malwarebytes, Osterman Research surveyed 900 security professionals during May and June 2018 across five countries: the United States (200), UK (175), Germany (175), Australia (175), and Singapore (175). All respondents were employed either managing or working on cybersecurity issues in an organization of between 200 and 10,000 employees.

The survey (PDF) relates staff salaries, security budgets and remediation costs; and concludes that the average firm employing 2,500 staff in the U.S. can expect to spend more than $2 million per year for cybersecurity-related costs. The amount is lower in the other surveyed countries, but still close to, or above, $1 million per year. Interestingly, the survey took the unusual step to see if there is any correlation in the number of grey hats employed by a firm and the overall cost of cybersecurity.

The basic findings are much as we would expect, and have been confirmed by numerous other research surveys: most companies have been breached; phishing is the most common attack vector; mid-market companies are attacked more frequently than small companies and as frequently as large companies; and attacks occur with alarming frequency.

The most surprising revelation from this survey is the number of grey hats working within organizations, and black hats that have been employed by organizations. Grey hats are defined as computer security experts who may sometimes violate laws or typical ethical standards, but do not have the full malicious intent associated with a full-time black hat hacker.

Overall, the 900 respondents believe that 4.6 of their colleagues are grey hats -- or, as the report puts it, a full-time security professional that is a black hat on the side. This varies by country: 3.4% in Germany, Australia and Singapore, 5.1% in the U.S., and as much as 7.9% in the UK.

Motivations provided by the respondents include black hat activity being more lucrative (63%), the challenge (50%), retaliation against an employer (40%), philosophical (39%), and, well, it's not really wrong, is it (34%)?

The extent of the income differential between a white hat employee and a black hat hacker is confirmed in a separate report from Bromium, published in April 2018: "High-earning cybercriminals can make $166,000+ per month; Middle-earners can make $75,000+ per month; Low-earners can make $3,500+ per month."

According to the Malwarebytes survey, the highest average starting salary for security professionals (in the U.S.) is $65,578 or just $5,464 per month (compared to $75,000 for middle-earning black hats). The difference is far greater in the UK, where the average starting salary for security professionals is less than $3,000 per month.

"It's interesting," Jerome Segura, lead malware intelligence analyst at Malwarebytes told SecurityWeek: "that despite the skills shortage, when companies hire new security staff, they generally don't pay them very much. There's kind of a contrast here, where companies and governments claim it's difficult to find the right people -- but when they do hire people they don't always pay them accordingly."

There appears to be an inevitable conclusion when correlating figures between the U.S. and the U.K. Not only do the U.S. companies pay their security staff much more than UK companies, they also have a considerably higher security budget ($1,573,197 in the U.S. compared to $350,157 in the UK). Can it be simply coincidence that the UK then has a higher percentage of grey hats within their companies, and that the cost of remediation is proportionately higher (14.7% of the security budget in the U.S., and 17.0% in the UK)?

It makes sense that remediation would take up a higher percentage of a small budget -- and it is tempting to think that the higher rewards of black-hattery would be attractive to lowly paid British staff. The U.S government believes it has found an example in Marcus Hutchins, the British researcher who found and triggered the 'kill-switch' in WannaCry. That was pure white hat behavior -- but Hutchins was later arrested in the US and accused of involvement in making and distributing the Kronos banking malware.

"Hutchins has many who support him," commented Segura, "and many who don't. But given the surprising number of employed white hats who are considered by their peers to be grey hats, it will be interesting to see how this turns out."

Segura accepts that comparatively low pay in the industry could be a partial cause for the surprisingly high number of grey hats working in infosec. He points out that the highest percentage of grey hats appear to work for mid-size companies that cannot afford the highest salaries, and which predominate in the UK. But he does not believe that finance is the only motivating factor. "There is a tricky line in the security profession," he told SecurityWeek. "Some people are pure hackers in the original non-malevolent sense, and they like to poke around to understand things better -- even if it is strictly speaking illegal. It also helps the job -- by peaking behind the curtain you get a better understanding of how the criminals operate and you can better defend against them."

But there's more. "Don't forget the social issues," he added. "Techies can be socially awkward and have difficulty in fitting into a corporate structure. The nerd in his bedroom is a bit of a cliche, but there is some truth to it. Working in a business corporate environment is not for everybody. And in infosec there is a lot of pressure. You can't fit the work into 9-to-5, five days a week -- so people work up to 80 hours or more per week without getting recompensed for it. That's a lot of mental pressure -- there's a lot of burnout in infosec. It's tough, but that's the reality. If you're in infosec, you're on call 24/7."

It would be wrong for companies to dismiss a bit of grey hatting by staff as just a form of letting off steam -- that could prove disastrous. But at the same time, the onus is on the employer to find the solution. Companies probably cannot compete with black hats financially -- but they should do as much as possible to be as inclusive and supportive as possible to the pressures of working in infosec.


New Law May Force Small Businesses to Reveal Data Practices
8.8.2018 securityweek Security

NEW YORK (AP) — A Rhode Island software company that sells primarily to businesses is nonetheless making sure it complies with a strict California law about consumers' privacy.

AVTECH Software is preparing for what some say is the wave of the future: laws requiring businesses to be upfront with customers about how they use personal information. California has already passed a law requiring businesses to disclose what they do with people's personal information and giving consumers more control over how their data is used — even the right to have it deleted from companies' computers.

Privacy rights have gotten more attention since news earlier this year that the data firm Cambridge Analytica improperly accessed Facebook user information. New regulations also took effect in Europe.

For AVTECH, which makes software to control building environmental issues, preparing now makes sense not only to lay the groundwork for future expansion, but to reassure customers increasingly uneasy about what happens to their personal information.

"People will look at who they're dealing with and who they're making purchases from," says Russell Benoit, marketing manager for the Warren, Rhode Island-based company.

Aware that California was likely to enact a data law, AVTECH began reviewing how it handles customer information last year. Although most of the company's customers are businesses, it expects it will increase its sales to consumers.

While it may yet face legal challenges, the California Consumer Privacy Act is set to take effect Jan. 1, 2020. It covers companies that conduct business in California and that fit one of three categories: Those with revenue above $25 million; those that collect or receive the personal information of 50,000 or more California consumers, households or electronic devices; and those who get at least half their revenue from selling personal information.

Although many small businesses may be exempt, those subject to the law will have to ensure their systems and websites can comply with consumer inquiries and requests. That may be an added cost of thousands for small companies that don't have in-house technology staffers and need software and consulting help.

Under California's law, consumers have the right to know what personal information companies collect from them, why it's collected and who the businesses share, transfer or sell it to. That information includes names, addresses, email addresses, browsing histories, purchasing histories, professional or employment information, educational records and information about travel from GPS apps and programs. Companies must give consumers at least two ways to find out their information, including a toll-free phone number and an online form, and companies must also give consumers a copy of the information they've collected.

Consumers also have the right to have their information deleted from companies' computer systems, and to opt out of having the information sold or shared.

The law was modeled on the European Union's General Data Protection Regulation, which took effect May 25. The California Legislature passed its law to prevent a more stringent proposed law from being placed on the November election ballot.

Frank Samson hopes the California law will help prevent what he sees as troubling marketing tactics by some in his industry, taking care of senior citizens. When people inquire about senior care companies online, it's sometimes on sites run by brokers rather than care providers themselves.

"It may be in the fine print, or it may not be: We're going to be taking your info and sending it out to a bunch of people," says Samson, founder of Petaluma, California-based Senior Care Authority.

That steers many would-be clients to just a handful of companies, he says, and can mean seniors and families get bombarded with calls while dealing with stressful situations.

But many unknowns remain about the California law. The state attorney general's office must write regulations to accompany several provisions. There are inconsistencies between different sections of the law, and the Legislature would need to correct them, says Mark Brennan, an attorney with Hogan Lovells in Washington, D.C., who specializes in technology and consumer protection laws. Questions about the law might need to be litigated, including whether California can force businesses based in other states to comply, Brennan says. There are similar questions about the European GDPR.

In the meantime, small business owners who want to start figuring out if they're likely to be subject to the California law and GDPR can talk to attorneys and technology consultants who deal with privacy rights. Brennan suggests companies contact professional and industry organizations that are gathering information about the laws and how to comply.

Some small businesses may benefit, such as any developing software tied to the law. Among other things, the software is designed to allow companies and customers to see what information has been gathered, who has access to it and who it has been shared with.

The software, expected to stay free for consumers, could cost companies into the thousands of dollars a year depending on their size, says Andy Sambandam, CEO of Clarip, one of the software makers. But, he says, "over time, the price is going to come down."

And other states are expected to adopt similar laws.

"This is the direction the country is going in," says Campbell Hutcheson, chief compliance officer with Datto, an information technology firm.


RiskRecon Raises $25 Million to Grow Third-Party Cyber Risk Management Business
8.8.2018 securityweek Cyber

Salk Lake City-based RiskRecon, which offers solutions to help companies manage third-party cyber risk, has raised $25 million in Series B financing, the company announced Wednesday.

The Series B round brings the total amount raised by RiskRecon to more than $40 million.

RiskRecon helps its customers control third-party risk by providing assessments of each third-party’s security practices, which can be used to establish a base level of trust and identify specific areas for further discussion and investigation.

The company, which has nearly tripled its customer base in the last twelve months, says the additional funding will be used to support increasing demand for its third-party cyber risk management solutions.

“Though most businesses have no choice but to obtain internet services, security solutions, and a range of other business-critical technologies from third-party providers, they do have a choice in how they manage the associated security risks,” noted SecurityWeek contributor Josh Lefkowitz in a recent column.

“Third-party risk management is the process of holding enterprises accountable to good security practices,” explained Kelly White, RiskRecon’s CEO and Co-founder. “As you improve the risk management of your third parties, you improve the collective security of the Internet.”

The Series B round was led by Accel and joined by existing investors Dell Technologies Capital, General Catalyst, and Fidelity’s F-Prime Capital. Several existing individual investors also participated in the round.

“As we talk to our CISOs, we see a growing need for third-party risk management as enterprises have become more intertwined with third-party service providers,” said Nate Niparko, a partner at Accel.

“Conducting thorough due diligence on a prospective vendor’s security is essential,” Lefkowitz added in his April 2018 column. “The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing business risks associated with any vendor relationship.”


Serious OpenEMR Flaws Expose Medical Records
8.8.2018 securityweek
Vulnerebility

Researchers have discovered nearly two dozen vulnerabilities in the OpenEMR software, including critical flaws that can be exploited to gain unauthorized access to medical records.

OpenEMR is a highly popular open source management software for health records and medical practices. The free application offers a wide range of features and it can run on various operating systems, including Windows, Linux and macOS.

Researchers at Project Insecurity, which provides penetration testing, vulnerability assessment and other cybersecurity services, conducted a detailed analysis of the OpenEMR source code. The analysis was based on manual source code reviews and Burp tests, and it led to the discovery of 23 flaws.Serious flaws found in OpenEMR

Fifteen of the security holes have been rated “high severity.” These include an authentication bypass issue that allows an attacker to access the patient portal, SQL injection flaws, remote command execution bugs, and arbitrary file read/write issues.

The authentication bypass vulnerability can be exploited by an unauthenticated attacker by navigating to the patient registration page and then modifying the URL to access pages that would normally require authentication, including ones storing patient data.

Experts discovered a total of nine SQL injection vulnerabilities, including ones that provide access to databases storing sensitive information. Exploiting the SQL injection flaws requires authentication, but that can be achieved using the aforementioned security bypass.

Four remote command execution flaws have been identified by experts, but they all require authentication, including admin privileges in some cases.

Researchers also found vulnerabilities that can be exploited to upload, read or delete files on the system. Exploitation requires authentication, but their impact can be high.

According to Project Insecurity, OpenEMR is affected by several cross-site request forgery (CSRF) vulnerabilities. In some cases, these flaws can be exploited to escalate privileges and execute arbitrary code if the attacker can convince an administrator to click on a malicious link.

The other vulnerabilities discovered by Project Insecurity include unrestricted file upload, information disclosure and other issues classified as medium or low severity.

Project Insecurity has published a 28-page report detailing each of the flaws, including impact, cause, and proof-of-concept (PoC) code. The report also shares recommendations on how the security holes can be addressed.

The vulnerabilities were reported to OpenEMR developers on July 7 and patches were rolled out for all the bugs within roughly two weeks.


IT threat evolution Q2 2018
8.8.2018 Kaspersky CyberSpy

Targeted attacks and malware campaigns
Operation Parliament
In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the MENA (Middle East and North Africa) region, especially Palestine. The attacks, which started early in 2017, target parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others.

The attackers have taken great care to stay under the radar, imitating another attack group in the region. The targeting of victims is unlike that of previous campaigns in the Middle East, by Gaza Cybergang or Desert Falcons, and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 (Command-and-Control) servers. The attacks seem to have slowed down since the start of 2018, probably after the attackers achieved their objectives.

The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute any scripts or commands and receive the result via HTTP requests.

This campaign is a further symptom of escalating tensions in the Middle East.

Energetic Bear
Crouching Yeti (aka Energetic Bear) is an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing e-mails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC).

In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017.

Our findings are as follows.

With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
The diversity of victims may indicate the diversity of the attackers’ interests.
It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.
You can read the full report here.

ZooPark
The use of mobile platforms for cyber-espionage has been growing in recent years – not surprising, given the widespread use of mobile devices by businesses and consumers alike. ZooPark is one such operation. The attackers have been focusing on targets in the Middle East since at least June 2015, using several generations of malware to target Android devices, which we have labelled versions one to four.

Each version marks a progression – from very basic first and second versions, to the commercial spyware fork in the third version and then to the complex spyware that is the fourth version. The last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.

This suggests that the latest version may have been bought from a vendor of specialist surveillance tools. This wouldn’t be surprising, since the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East. At this point, we cannot confirm attribution to any known threat actor. If you would like to learn more about our intelligence reports, or request more information on a specific report, contact us at intelreports@kaspersky.com.

We have seen two main distribution vectors for ZooPark – Telegram channels and watering-holes. The second of these has been the preferred method: we found several news websites that have been hacked by the attackers to redirect visitors to a downloading site that serves malicious APKs. Some of the themes observed in the campaign include ‘Kurdistan referendum’, ‘TelegramGroups’ and ‘Alnaharegypt news’, among others.

The target profile has evolved in the last few years of the campaign, focusing on victims in Egypt, Jordan, Morocco, Lebanon and Iran.

Some of the samples we have analyzed provide clues about the intended targets. For example, one sample mimics a voting application for the independence referendum in Kurdistan. Other possible high-profile targets include the United Nations Relief and Works Agency (UNRWA) for Palestine refugees in the Near East in Amman, Jordan.

The king is dead, long live the king!
On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents.

This turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) –patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability.

The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode.

Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document).

To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.

VPNFilter
In May, researchers from Cisco Talos published the results of their investigation into VPNFilter, malware used to infect different brands of routers – mainly in Ukraine, although affecting routers in 54 countries in total. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of infected routers was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions.

Further research by Cisco Talos showed that the malware is able to infect more than just targeted devices. It is also spread into networks supported by the device, thereby extending the scope of the attack. Researchers also identified a new stage-three module capable of injecting malicious code into web traffic.

The C2 mechanism has several stages. First, the malware tries to visit a number of gallery pages hosted on ‘photobucket[.]com’ and fetches the image from the page. If this fails, the malware tries to fetch an image from the hard-coded domain ‘toknowall[.]com’ (this C2 domain is currently sink-holed by the FBI). If this fails also, the malware goes into passive backdoor mode, in which it processes network traffic on the infected device, waiting for the attacker’s commands. Researchers in the Global Research and Analysis Team (GReAT) at Kaspersky Lab analyzed the EXIF processing mechanism.

One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

LuckyMouse
In March 2018, we detected an ongoing campaign targeting a national data center in Central Asia. The choice of target of the campaign, which has been active since autumn 2017, is especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks.

We attribute this campaign to the Chinese-speaking threat actor LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain, update.iaacstudio[.]com, was previously used by this group and because they have previously targeted government organizations, including those in Central Asia.

The initial infection vector used in the attack against the data centre is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

The attackers used the HyperBro Trojan as their last-stage, in-memory remote administration tool (RAT) and their anti-detection launcher and decompressor makes extensive use of the Metasploit ‘shikata_ga_nai’ encoder as well as LZNT1 compression.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to an IP address that belongs to a Ukrainian ISP network, held by a MikroTik router using version 6.34.4 (March 2016) of the firmware with SMBv1 on board. We suspect that this router was hacked as part of the campaign in order to process the malware’s HTTP requests.

The initial module drops three files that are typical for Chinese-speaking threat actors – a legitimate Symantec pcAnywhere file (‘intgstat.exe’) for DLL side-loading, a DLL launcher (‘pcalocalresloader.dll’) and the last-stage decompressor (‘thumb.db’). As a result of all these steps, the last-stage Trojan is injected into the process memory of ‘svchost.exe’.

The launcher module, obfuscated with the notorious Metasploit ‘shikata_ga_nai’ encoder, is the same for all the droppers. The resulting de-obfuscated code performs typical side-loading: it patches the pcAnywhere image in memory at its entry-point. The patched code jumps back to the second ‘shikata_ga_nai’ iteration of the decryptor, but this time as part of the white-listed application.

The Metasploit encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps ‘thumb.db’ into the memory of the same process (i.e. pcAnywhere). The first instructions in the mapped ‘thumb.db’ are for a new iteration of ‘shikata_ga_nai’. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with ‘RtlCompressBuffer()’ using LZNT1 and maps it into memory.

Olympic Destroyer
In our first report on Olympic Destroyer, the cyberattack on the PyeongChang Winter Olympics, we highlighted a specific spear-phishing attack as the initial infection vector. The threat actor sent weaponized documents, disguised as Olympic-related content, to relevant persons and organizations.

We have continued to track this APT group’s activities and recently noticed that they have started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we have analysed, indicate that the attackers behind Olympic Destroyer are now targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine.

The group continues to use a non-executable infection vector and highly obfuscated scripts to evade detection.

The earlier Olympic Destroyer attacks – designed to destroy and paralyse infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. It’s possible that the new activities are part of another reconnaissance stage that will be followed by a wave of destructive attacks with new motives. This is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware is being used by several groups with different interests. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state threat actors. However, it’s also possible that the financial targets might be another false flag operation by a threat actor that has already shown that they excel at this during their last campaign.

It would be possible to draw certain conclusions about who is behind this campaign, based on the motives and selection of targets. However, it would be easy to make a mistake with only the fragments of the picture that are visible to researchers. The appearance of Olympic Destroyer at the start of this year, with its sophisticated deception efforts, changed the attribution game forever. In our view, it is no longer possible to draw conclusions based on a few attribution vectors discovered during a regular investigation. The response to threats such as Olympic Destroyer should be based on co-operation between the private sector and governments across national borders. Unfortunately, the current geo-political situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

Malware stories
Leaking ads
When we download popular apps with good ratings from official app stores, we assume they are safe. This is partially true, because usually these apps have been developed with security in mind and have been reviewed by the app store’s security team. Recently, we looked at 13 million APKs and discovered that around a quarter of them transmit unencrypted data over the internet. This was unexpected, because most apps were using HTTPS to communicate with their servers. But among the HTTPS requests, there were unencrypted requests to third-party servers. Some of these apps were very popular – in some cases they could boast hundreds of millions of downloads. On further inspection, it became clear that the apps were exposing customer data because of third-party SDKs – with advertising SDKs usually to blame. They collect data so that they can show relevant ads, but often fail to protect that data when sending it to their servers.

In most cases the apps were exposing IMEI, IMSI, Android ID, device information (e.g. manufacturer, model, screen resolution, system version and app name). Some apps were also exposing personal information, mostly the customer’s name, age, gender, phone number, e-mail address and even their income.

Information transmitted over HTTP is sent in plain text, allowing almost anyone to read it. Moreover, there are likely to be several ‘transit points’ en route from the app to the third-party server – devices that receive and store information for a certain period of time. Any network equipment, including your home router, could be vulnerable. If hacked, it will give the attackers access to your data. Some of the device information gathered (specifically IMEI and IMSI numbers) is enough to monitor your further actions. The more complete the information, the more of an open book you are to outsiders — from advertisers to fake friends offering malicious files for download. However, data leakage is only part of the problem. It’s also possible for unencrypted information to be substituted. For example, in response to an HTTP request from an app, the server might return a video ad, which cybercriminals can intercept and replace with a malicious version. Or they might simply change the link inside an ad so that it downloads malware.

You can find the research here, including our advice to developers and consumers.

SynAck targeted ransomware uses the Doppelganging technique
In April 2018, we saw a version of the SynAck ransomware Trojan that employs the Process Doppelganging technique. This technique, first presented in December 2017 at the BlackHat conference, has been used by several threat actors to try and bypass modern security solutions. It involves using NTFS transactions to launch a malicious process from the transacted file so that it looks like a legitimate process.

Malware developers often use custom packers to try and protect their code. In most cases, they can be effortlessly packed to reveal the original Trojan executable so that it can then be analyzed. However, the authors of SynAck obfuscated their code prior to compilation, further complicating the analysis process.

SynAck checks the directory where its executable is started from. If an attempt is made to launch it from an ‘incorrect’ directory, the Trojan simply exits. This is designed to counter automatic sandbox analysis.

The Trojan also checks to see if is being launched on a PC with the keyboard set to a Cyrillic script. If it is, it sleeps for 300 seconds and then exits, to prevent encryption of files belonging to victims from countries where Cyrillic is used.

Like other ransomware, SynAck uses a combination of symmetric and asymmetric encryption algorithms. You can find the details here.

The attacks are highly targeted, with a limited number of attacks observed against targets in the US, Kuwait, Germany and Iran. The ransom demands can be as high as $3,000.

Roaming Mantis
In May we published our analysis of a mobile banking Trojan, Roaming Mantis. We called it this because of its propagation via smartphones roaming between different Wi-Fi networks, although the malware is also known as ‘Moqhao’ and ‘XLoader’. This malicious Android app is spread using DNS hijacking through compromised routers. The victims are redirected to malicious IP addresses used to install malicious apps – called ‘facebook.apk’ and ‘chrome.apk’. The attackers count on the fact that victims are unlikely to be suspicious as long as the browser displays the legitimate URL.

The malware is designed to steal user information, including credentials for two-factor authentication, and give the attackers full control over compromised Android devices. The malware seems to be financially motivated and the low OPSEC suggests that this is the work of cybercriminals.

Our telemetry indicates that the malware was detected more than 6,000 times between February 9 and April 9, although the reports came from just 150 unique victims – some of whom saw the same malware appear again and again on their network. Our research revealed that there were thousands of daily connections to the attackers’ C2 infrastructure.

The malware contains Android application IDs for popular mobile banking and game applications in South Korea. It seems the malicious app was initially targeted at victims in South Korea and this is where the malware was most prevalent. We also saw infections in China, India and Bangladesh.

It’s unclear how the attackers were able to hijack the router settings. If you are concerned about DNS settings on your router, you should check the user manual to verify that your DNS settings haven’t been tampered with, or contact your ISP for support. We would also strongly recommend that you change the default login and password for the admin web interface of the router, don’t install firmware from third-party sources and update the router firmware regularly to prevent similar attacks.

Some clues left behind by the attackers – for example, comments in the HTML source, malware strings and a hardcoded legitimate website – point to Simplified Chinese. So we believe the cybercriminals are familiar with both Simplified Chinese and Korean.

Following our report, we continued to track this campaign. Less than a month later, Roaming Mantis had rapidly expanded its activities to include countries in Europe, the Middle East and beyond, supporting 27 languages in total.

The attackers also extended their activities beyond Android devices. On iOS, Roaming Mantis uses a phishing site to steal the victim’s credentials. When the victim connects to the landing page from an iOS device, they are redirected to fake ‘http://security.apple.com/’ webpage where the attackers steal user ID, password, card number, card expiry date and CVV.

On PCs, Roaming Mantis runs the CoinHive mining script to generate crypto-currency for the attackers – drastically increasing the victim’s CPU usage.

The evasion techniques used by Roaming Mantis have also become more sophisticated. They include a new method of retrieving the C2 by using the e-mail POP protocol, server-side dynamic auto-generation of APK file/filenames and the inclusion of an additional command to potentially assist in identifying research environments.

The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.

If it’s smart, it’s potentially vulnerable
Our many years of experience in researching cyberthreats suggests that if a device is connected to the internet, eventually someone will try to hack it. This includes children’s CCTV cameras, baby monitors, household appliances and even children’s toys.

This also applies to routers – the gateway into a home network. In May, we described four vulnerabilities and hardcoded accounts in the firmware of the D-Link DIR-620 router – this runs on various D-Link routers supplied to customers by one of the biggest ISPs in Russia.

The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data – for example, configuration files with plain-text passwords. The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system. The issues were originally identified in firmware version 1.0.37, although some of the discovered vulnerabilities were also identified in other version of the firmware.

You can read the details on the vulnerabilities here.

In May, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities.

Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies the certificate of its server, without relying solely on the system. As a result, they are vulnerable to Man-in-the-Middle (MitM) attacks—intruders can intercept transmitted data by ‘persuading’ victims to install their certificate.

GPS trackers have been used successfully in many areas, but using them to track the location of pets is a step beyond their traditional scope of application. For this, they need to be upgraded with new ‘user communication interfaces’ and ‘trained’ to work with cloud services, etc. If security is not properly addressed, user data becomes accessible to intruders, potentially endangering both users and pets.

Some of our researchers recently looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data.

Not only was it possible to work out if the wearer is sitting or walking, but also figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to determine the moments when a computer password entered with 96 per cent accuracy and a PIN code entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information.

In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

An MitM extension for Chrome
Many browser extensions make our lives easier, hiding obtrusive advertising, translating text, helping us to choose the goods we want in online stores, etc. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. Then there are extensions whose main aim is to steal money. In the course of our work, we analyse a large number of extensions from different sources. Recently, a particular browser extension caught our eye because it communicated with a suspicious domain.

This extension, named ‘Desbloquear Conteúdo’ (which means ‘Unblock Content’ in Portuguese) targeted customers of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil.

The aim of this malicious extension is to harvest logins and passwords and then steal money from the victims’ bank accounts. Such extensions are quite rare, but they need to be taken seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

By the time we published our report on this malicious extension, it had already been removed from the Chrome Web Store.

The World Cup of fraud
Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events. The FIFA World Cup is no different. Long before anyone kicked a football in Russia, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes.

This included notifications of fake lottery wins, informing recipients that they had won cash in a lottery supposedly held by FIFA or official partners and sponsors.

They typically contain attached documents congratulating the ‘winner’ and asking for personal details such as name, address, e-mail address, telephone number, etc. Sometimes such messages also contain malicious programs, such as banking Trojans.

Sometimes recipients are invited to take part in a ticket giveaway, or they are offered the chance to win a trip to a match. Such messages are sent in the name of FIFA, usually from addresses on recently registered domains. The purpose of such schemes is mainly to update e-mail databases used to distribute more spam.

One of the most popular ways to steal banking and other credentials is to create counterfeit imitations of official partner websites. Partner organizations often arrange ticket giveaways for clients, and attackers exploit this to lure their victims onto fake promotion sites. Such pages look very convincing: they are well-designed, with a working interface, and are hard to distinguish from the real thing. Some fraudsters buy SSL certificates to add further credibility to their fake sites. Cybercriminals are particularly keen to target clients of Visa, the tournament’s commercial sponsor, offering prize giveaways in Visa’s name. To take part, people need to follow a link that points to a phishing site where they are asked to enter their bank card details, including the CVV/CVC code.

Cybercriminals also try to extract data by mimicking official FIFA notifications. The victim is informed that the security system has been updated and all personal data must be re-entered to avoid being locked out. The link in the message takes the victim to a fake account and all the data they enter is harvested by the scammers.

In the run up to the tournament, we also registered a lot of spam advertising soccer-related merchandise, though sometimes the scammers try to sell other things too – for example, pharmaceutical products.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We’ve provided some tips on how to avoid phishing scams – advice that holds good for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points.

More than a fifth of Wi-Fi hotspots use unreliable networks. This means that criminals simply need to be located near an access point to intercept the traffic and get their hands on people’s data. Around three quarters of all access points use WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complicated encryption key can take years to successfully hack. However, even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation attacks, for which there are a large number of tutorials and open source tools available online. Any attempt to intercept traffic from WPA Wi-Fi in public access points can also be made by penetrating the gap between the access point and the device at the beginning of the session.

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that holds good wherever you may be – not just at the World Cup.


Snapchat Source Code Leaked
8.8.2018 securityweek  Apple

iOS Update Led to Snapchat Source Code Leak

Hackers obtained some source code for the popular messaging application Snapchat and made it public on GitHub, claiming that they were ignored by the app’s developer.

The source code appears to be for the frontend of Snapchat for iOS. The company behind Snapchat, Snap Inc., has confirmed that the code is genuine by getting GitHub to remove it using a DMCA (Digital Millennium Copyright Act) request.

When users file a DMCA request with GitHub, they are instructed to provide a detailed description of the original copyrighted work that has allegedly been infringed. In this section, a Snap representative wrote, “Snapchat source code. It was leaked and a user has put it in this GitHub repo. There is no URL to point to because Snap Inc. doesn't publish it publicly.”

Snapchat code leaked to GitHub

Snapchat told several news websites that the leak is a result of an iOS update made in May that exposed a “small amount” of its source code. The issue has been addressed and the company says the incident has not compromised its application and had no impact on the Snapchat community.

Messages posted on Twitter by the individuals who appear to be behind the source code leak suggest that they are expecting some sort of “reward” from Snapchat. It’s not uncommon for researchers who find vulnerabilities to quarrel with vendors over the impact or severity of a bug. However, Snapchat appears to be the target of an extortion attempt considering that the hackers say they will continue posting the code.

At least two individuals, allegedly based in Pakistan and France, appear to be involved in the incident. They have been posting messages written in Arabic and English on Twitter.

Snapchat hacker

While Snap says the code posted online has been removed, at least two forks (i.e. copies) exist on GitHub and they suggest that the code has been online since May 24. A few hours before this article was published, the original hackers also re-uploaded the code to GitHub.

Snapchat does have an official bug bounty program powered by HackerOne and the company has been known to award significant rewards for critical vulnerabilities. Last year, two researchers earned a total of $20,000 for finding exposed Jenkins instances that allowed arbitrary code execution and provided access to sensitive data.


Canadian Industrial Security Firm iS5Com Raises $17 Million
8.8.2018 securityweek  IT

iS5 Communications (iS5Com), a Canadian provider of networking and cybersecurity solutions for industrial systems, announced on Tuesday that it has raised roughly $17 million (CDN $22 million) in funding.

iS5Com Raptor

iS5Com RaptorAccording to the company, the funding will be used to enhance its flagship RAPTOR platform and to develop additional solutions for securing critical infrastructure communications and networks.

Designed to protect Smart Cities and various critical infrastructure systems, including those in harsh environments, RAPTOR is compliant with IEC 61850 Ed. 2, IEEE 1613, and EN50155 standards. The flexible platform allows the customers to connect various plug‐in modules to meet functional requirements, the company says.

Additionally, the company says that all of its products have the ability to transmit data efficiently without the loss of any packets under harsh environments and EMI conditions.

Phoenix Contact Innovation Ventures GmbH led the round with participation from new investors, existing shareholders and management.


IBM Opens New Labs for Cracking ATMs, IoT Devices
8.8.2018 securityweek  IoT

IBM’s X-Force Red, a team of veteran hackers focused on finding security vulnerabilities in devices and systems, now has four new labs to work in.

The new network of facilities provides all the toys required for testing the security of consumer and industrial Internet of Things (IoT) technologies, automotive equipment, and Automated Teller Machines (ATMs), both before and after they are deployed to customers.

Referred to as X-Force Red Labs, the new facilities are located in Austin, TX; Hursley, England; Melbourne, Australia; and Atlanta, GA. Additionally, the IBM X-Force Red has launched a dedicated ATM Testing practice.

The IBM X-Force Red team has seen significant growth, experiencing penetration testing client base increase by over 170% in the last year and doubling the number of X-Force Red practitioners across multiple domains.

“IBM X-Force Red has one mission – hack anything to secure everything. Via X-Force Red Labs, we have the ability to do just that, in a secure and controlled environment,” Charles Henderson, Global Managing Partner, IBM X-Force Red, said.

Services provided by IBM X-Force Red through the new four global testing labs include documenting product requirements with product engineers, technical analysis to scope the penetration test, disclosing potential threats and risks to the product and company, creating and implementing a list of security requirements, and actual hacking into products the same as real-world attackers would do.

With over 300 million ATMs globally, finding and addressing vulnerabilities in these systems is one of the key activities the X-Force Red team engages in. According to IBM, it saw a 300% increase in requests for ATM testing, mainly driven by a massive increase in attacks on these devices.

The jackpotting attacks on ATMs, which are performed using both malware and physical access to the machines, have reached the United States as well. With many ATMs running outdated software, cybercriminals attempt to find and exploit vulnerabilities in them for financial gain.

X-Force Red ATM Testing service can help identify and remediate physical, hardware and software vulnerabilities within ATMs before the attackers, IBM says.

The team evaluates the physical, network, application, and computer system security of ATMs, leverages the same tools and methods as criminals do to hack into these machines, helps hardening systems and defenses, and reviews ATM logs to help financial organizations stay in compliance with industry standards.


BGP Hijacking Attacks Target US Payment Processors
8.8.2018 securityweek  Hacking

Several payment processing companies in the United States were targeted recently in BGP hijacking attacks whose goal was to redirect users to malicious websites, Oracle reported last week.

The Border Gateway Protocol (BGP) controls the route of data across the Web. BGP hijacking, also known as prefix or route hijacking, is carried out by taking over IP address groups by corrupting the routing tables that store the path to a network.

In the past months, Oracle, which gained deep visibility into Web traffic after acquiring Dyn in 2016, has observed several instances of malicious actors trying to force users to their websites by targeting authoritative DNS servers in BGP hijacking attacks.

The attackers used rogue DNS servers to return forged DNS responses to users trying to access a certain website. They maximized the duration of an attack with long time-to-live (TTL) values in those forged responses so that DNS servers would hold the fake DNS entries in their cache for an extended period.

“[The] perpetrators showed attention to detail, setting the TTL of the forged response to ~5 days. The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped,” explained Doug Madory, Director of Internet Analysis at Oracle's Internet Intelligence team.

Oracle spotted the first BGP hijacking attempt on July 6, when an Indonesian ISP announced some prefixes associated with Vantiv, a brand owned by US-based payment processing company Worldpay.

The same prefixes were also announced on July 10 by a Malaysian ISP. At the same time, someone hijacked domains associated with Datawire, which is described as a “connectivity service that transports financial transactions securely and reliably over the public Internet to payment processing systems.”

On July 11, someone started hijacking prefixes associated with Mercury Payment Systems, which is also owned by Worldpay. The previously targeted prefixes were then once again hijacked on July 12.

While the initial BGP attacks did not have a significant impact, the last hijacks, which involved Vantiv domains, lasted for nearly three hours, Oracle reported.

A similar attack was seen by the company in April, when cybercriminals attempted to conduct a BGP hijack of Amazon's authoritative DNS service in an effort to redirect users of a cryptocurrency wallet to a fake website set up to steal their money. Evidence suggests that the recent attacks are linked to the ones from April.


Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet
8.8.2018 securityaffairs   BotNet

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, created by Ramnit operators.
Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, that could be the sign of a wider ongoing operation involving the Ramnit operators.

Ramnit is one of the most popular banking malware families in existence today, it was first spotted in 2010 as a worm, in 2011, its authors improved it starting from the leaked Zeus source code turning the malware into a banking Trojan. In 2014 it reached the pinnacle of success, becoming the fourth largest botnet in the world.

In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.

A few months later Ramnit was back, the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.

Recently the experts observed that the “Black” botnet campaign has infected up 100,000 systems in two months, and this is just the tip of the iceberg because according to researchers a second-stage malware called Ngioweb is already spreading.

There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).

“Recently we discovered the Ramnit C&C server (185.44.75.109) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.

“This C&C server has actually been active since 6th March 2018 but didn’t attract attention because of the low capacity of the “black” botnet at that time. However, in May-July 2018 we detected a new Ramnit campaign with around 100,000 computers infected.”

According to the experts, in the Black operation, the Ramnit malware is distributed via spam campaigns. The malicious code works as a first-stage malware and it is used to deliver a second-stage malware dubbed Ngioweb.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” continues the analysis published by Checkpoint.

“The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”

Ngioweb leverages a two-stage C&C infrastructure, the STAGE-0 C&C server informs the malware about the STAGE-1 C&C server while the unencrypted HTTP connection is used for this purpose. The second STAGE-1 C&C server is used for controlling malware via an encrypted connection.

Ramnit campaign

The Ngioweb malware can operate in two main modes, the Regular back-connect proxy, and the Relay proxy mode.

In a relay proxy mode, the malware allows operators to build chains of proxies and hide their services behind the IP address of a bot.

“The following sequence of actions is used for building a hidden service using the Ngioweb botnet:

Ngioweb Bot-A connects to C&C STAGE-0 and receives command to connect to the server C&C STAGE-1 with address X:6666.
Ngioweb Bot-A connects to C&C STAGE-1 (Server-X) at X:6666. Server-X asks the bot to start the TCP server. Ngioweb bot reports on starting TCP server with IP address and port.
Malware actor publishes the address of the Bot-A in DNS (or using any other public channel).
Another malware Bot-B resolves the address of Bot-A using DNS (or using any other public channel).
Bot-B connects to Bot-A.
Bot-A creates new connection to Server-X and works as relay between Server-X and Bot-B.
Ramnit campaign 3.png

Further details, including the IoC, are reported in the analysis published by Checkpoint.


Hacking WiFi Password in a few steps using a new attack on WPA/WPA2
8.8.2018 securityaffairs   Hacking

A security researcher has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.
The security researcher Jens ‘Atom’ Steube, lead developer of the popular password-cracking tool Hashcat, has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.

The new WiFi hacking technique allows to crack WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

The expert was analyzing the recently launched WPA3 security standard when accidentally the new technique.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).” Steube wrote in a post.

“The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.”

Older attack techniques required capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), that is a network port authentication protocol. The new attack technique, differently from the previous ones, targets the Robust Secure Network Information Element (RSN IE).
The RSN protocol was designed for establishing secure communications over an 802.11 wireless network and it is part of the 802.11i (WPA) standard. Every time it attempts to establish a secure communication channel, the RSN broadcasts an RSN IE message within the network.


The Robust Security Network protocol has the PMKID (Pairwise Master Key Identifier), that is the key needed to establish a connection between a client and an access point.

An attacker can obtain the WPA PSK (Pre-Shared Key) password from the PMKID.

The WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube added.

“We receive all the data we need in the first EAPOL frame from the AP.”

Below the description of the technique step by step:

Step 1 — An attacker can use a tool like hcxdumptool (v4.2.0 or higher) to request the PMKID from the targeted access point and dump the received frame to a file.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 –enable_statusStep 2 — Run hcxpcaptool tool to convert the captured data from pcapng format to a hash format accepted by hashcat

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Use Hashcat (v4.2.0 or higher) password cracking tool to obtain the WPA PSK (Pre-Shared Key) password that is the password of the target wireless network.

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 ‘?l?l?l?l?l?lt!’The time to crack the password depends on its complexity.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).” Steube concluded.

“The main advantages of this attack are as follow:

No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
No more waiting for a complete 4-way handshake between the regular user and the AP
No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
No more eventual invalid passwords sent by the regular user
No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string”
If you are searching for a good step by step explanation, give a look at the blog post published by the penetration tester Adam Toscher.

The new attack technique does not work against the recently introduced WPA3 security protocol.

The WPA3 protocol is “much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”


SegmentSmack' Flaw in Linux Kernel Allows Remote DoS Attacks
7.8.2018 securityweek  Attack

A vulnerability in the Linux kernel can allow a remote attacker to trigger a denial-of-service (DoS) condition by sending specially crafted packets to the targeted system. The flaw could impact many companies.

The security hole, classified as high severity, has been named SegmentSmack and is tracked as CVE-2018-5390. The issue was discovered by Juha-Matti Tilli of Aalto University and Nokia’s Bell Labs.

The vulnerability exists due to the way versions 4.9 and later of the Linux kernel handle specially crafted TCP packets. Linux kernel developers have released a patch that should address the problem.

“A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system,” Red Hat explained in an advisory for SegmentSmack. “Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.”

Red Hat says all its products with moderately new Linux kernel versions are affected. The company has not identified any workarounds or mitigations besides the kernel patches.

CERT/CC has also published an advisory for SegmentSmack. The organization believes the vulnerability could impact tens of major vendors, including Amazon, Apple, BlackBerry, Cisco, Dell, Google, HP, IBM, Lenovo, Microsoft and several cybersecurity and networking solutions providers.

Amazon Web Services (AWS) says it has launched an investigation into the impact of the flaw on its products.

“AWS is aware of a recently-disclosed security issue, commonly referred to as SegmentSmack, which affects the TCP processing subsystem of several popular operating systems including Linux,” AWS said. “AWS services are operating normally. We will post a further update as soon as one is available.”

SUSE Linux has also released patches, but the organization says the vulnerability only affects SUSE Linux Enterprise 15.


New Method Discovered for Cracking WPA2 Wi-Fi Passwords
7.8.2018 securityweek  Hacking

Developers of the popular password cracking tool Hashcat have identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.

Jens ‘Atom’ Steube, the lead developer of Hashcat, revealed that the new attack method was discovered by accident during an analysis of the recently launched WPA3 security standard.

According to Steube, the main difference between the new and older attacks is that the new method does not require capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), which is a network port authentication protocol. Instead, the attack targets the Robust Secure Network Information Element (RSN IE).

RSN is a protocol designed for establishing secure communications over an 802.11 wireless network and is part of the 802.11i (WPA) standard. When it begins to establish a secure communication channel, RSN broadcasts an RSN IE message across the network.

One of the capabilities of RSN is PMKID (Pairwise Master Key Identifier), from which an attacker can obtain the WPA PSK (Pre-Shared Key) password. WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube explained in a post on the Hashcat forum. “We receive all the data we need in the first EAPOL frame from the AP.”

An attacker can use the hcxdumptool tool to request the PMKID from the targeted access point and dump the received frame to a file. Hcxdumptool can then be used to obtain a hash of the password that Hashcat can crack. The recommendation is that the tool be run for up to 10 minutes before aborting the process.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers),” Steube said.

Penetration tester Adam Toscher has published a blog post explaining step-by-step how such an attack can be conducted. The method has been tested by several individuals and while some claim to have successfully reproduced the attack, others say they haven’t been able to do so.

Some members of the industry pointed out that while this new method can make the attack easier to conduct, brute-forcing is still involved, which means a strong password represents an efficient mitigation. Experts also noted that WPA Enterprise (i.e. systems using WPA2-EAP) is not impacted.

New WPA2 attack method

As for WPA3, Steube noted that it’s “much harder to attack because of its modern key establishment protocol called ‘Simultaneous Authentication of Equals’ (SAE).”


Honeypot Highlights Danger to ICS Systems From Criminal Hackers
7.8.2018 securityweek  ICS

A security firm established a sophisticated honeypot masquerading as a power transmission substation for a major electricity provider. The purpose was to attract attackers and analyze how they operate against the energy sector of the critical infrastructure.

Within two days of going live on June 17, the honeypot developed and operated by Cybereason was found, prepped by a black-market reseller, and sold on in the dark web underworld. xDedic RDP Patch was found in the environment. This is a tool developed by the owners of the xDedic underground forum that allows multiple simultaneous uses of the same RDP credentials. xDedic is a forum that focuses on selling RDP credentials. The initial attacker, notes the report, "also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic."

On June 27, eight days after the first incursion, a new criminal entity arrived. It was immediately clear, explains Cybereason in a report published today, that this attacker had just one purpose -- to pivot from the IT side of the 'substation' and gain access to the OT environment.

The honeypot had been designed to look like a typical substation: an IT side separated by a firewall from the OT side, comprising the industrial control systems separated from the pumps, monitors, breakers and other hardware elements of the energy provider.

ICS Cyber Security Conference

It was immediately clear that these were attackers with skills beyond script kiddies. "The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment," said Cybereason CISO Israel Barak.

The attackers showed no interest in anything but the ICS assets. But with access to the ICS devices on the IT side of the environment, the attackers were still denied immediate access to the target OT by the firewall. Blocked by the firewall, the attackers used multipoint network reconnaissance.

"The attackers," reports Cybereason, "moved from the remote server, to the SharePoint server, to the domain controller, to the SQL server to run network scans to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT computers."

But this was not a nation-state attack. "I would place the attackers in the upper echelon of criminal hackers, just below the expertise of state operators," Ross Rustici, Cybereason's senior director for intelligence services told SecurityWeek. They made mistakes and were too noisy to be the best of the best -- for example, they disabled the security tools on one of the servers, which would present an immediate red flag to the security team.

Cybereason had installed its own platform in the honeypot -- but intentionally in a manner that would make its removal simple. The attackers removed it. The Cybereason platform was re-installed with some hardening, but less than the level recommended by the firm. Again, the attackers were able to disable the hardened version. "After that incident," notes the report, "the platform was installed a third time based on our recommended guidelines and the attackers haven’t been able to deactivate it."

This gives us some insight into the attackers. They were not sufficiently competent to be stealthy, but were not afraid of being discovered. They persisted, even though they would have known that their presence had been detected. This argues against a state actor, who would firstly avoid detection, but then, if detected, most likely silently withdraw.

To be fair, Rustici wasn't expecting a state attacker. "Nation-state attacks against the critical infrastructure of an adversary state are effectively military operations; and military operations are planned with incredible detail," he said. "Such adversaries will be aware of all an energy provider's substations, and while we designed the honeypot sufficient to fool cybercriminals, it would not have withstood the standard reconnaissance and reconnoitering of a military operation."

What this tells us, however, is that the critical infrastructure is a target for standard criminals. The most obvious motivation would be extortion -- taking control of the substation and holding it to ransom. Detection would not be considered important if the endgame of extortion was still possible. But the motivation could also be just for the kudos or even CV-building.

ICS environments are often complex and use a diverse set of control system vendors. Without familiarity of the OT environment and assets, it becomes more challeging for attackers to cause any significant disruption.

The danger is that criminal hackers are more clumsy than elite state actors. Current geopolitical tensions encourage nation states to explore the critical infrastructure of adversaries looking for an advantage in case of an escalation into actual warfare; but for the moment, that type of preparatory cyberwarfare is stealthy reconnaissance. State actors do not wish to be discovered.

These criminals were clumsy and not concerned with being discovered. This type of activity, warns Cybereason, "dramatically increases the risk of a mistake having real-world consequences... Hackers seeking to make a name for themselves or simply prove that they can get into a system are far more likely to cause failures out of ignorance rather than malice. This makes incident response and attribution harder, but it also is more likely to result in an unintended real-world effect."

The long-term danger to the critical infrastructure may come from nation-sate attacks -- but the immediate danger is more likely to come from less competent cyber criminals. Cybereason recommends that companies with ICS environments should operate a unified SOC. "Companies may have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment," said Barak.

Boston, MA-based threat-hunting Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017 -- bringing the total raised to $189 million. It was founded by Lior Div, Yonatan Amit, Yossi Naar in 2012. All three are veterans of Israel's elite IDF 8200 intelligence unit.


TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware
7.8.2018 securityaffairs
Ransomware

TSMC shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware.
Early in August, a malware has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories, the plants where Apple produces its devices.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

Now the company shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware that hit 200,000 computers across 150 countries in a matter of hours in May 2017.

WannaCry took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present inside the earlier versions of Microsoft Windows. This tool was soon stolen by a hacking group named “Shadow Brokers” which leaked it to the world in April 2017.

The infection caused one of the most severe disruptions suffered by TSMC as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants shut down an entire day of production.

It has been estimated that the overall impact on the revenue of TSMC would be approx $256 million.

Chief Financial Officer Lora Ho confirmed that the infection would have some impact on TSMC’s 2018 profit, but declining to elaborate on further details.

TSMC Apple infection

According to the manufacturer, it wasn’t a targeted attack, instead, the systems were infected “when a supplier installed tainted software without a virus scan” to TSMC’s network.

The malware rapidly spread within the company network and infected more than 10,000 machines in some of the company’s production plants, including Tainan, Hsinchu, and Taichung.

“We are surprised and shocked,” TSMC Chief Executive Officer C. C. Wei said, “We have installed tens of thousands of tools before, and this is the first time this happened.”

WannaCry infected many other bit companies, the list of victims includes Boeing, Renault, and Honda,

TSMC confirmed that customers data were not compromised during the attack, it warned customers that shipment delays are expected.


Duo Security created open tools and techniques to identify large Twitter botnet

7.8.2018 securityaffairs BotNet

Researchers at security firm Duo Security have created a set of open source tools and disclosed techniques that could be used to identify large Twitter botnet.
Security experts from Duo Security have developed a collection of open source tools and disclosed techniques that can be useful in identifying large Twitter botnet.

The experts developed the tools starting from the analysis of 88 million Twitter accounts and over half-a-billion tweets, one of the largest random datasets of Twitter accounts analyzed to date.

“This paper details the techniques and tools we created to both build a large dataset containing millions of public Twitter profiles and content, as well as to analyze the dataset looking for automated accounts.” reads the research paper published by Duo Security.

“By applying a methodical data science approach to analyzing our dataset, we were able to build a classifier that effectively finds bots at a large scale.”

The dataset was composed by using the Twitter’s API, collected records include profile name, tweet and follower count, avatar, bio, the content of tweets, and social network connections.

Practical data science techniques can be used to create a classifier that could help researchers in finding automated Twitter accounts.

The experts defined 20 unique account heuristics to discover the bots, they include the number of digits in a screen name, Entropy of the screen name, followers/following ratio, number of tweets and likes relative to the account’s age, number of users mentioned in a tweet, number of tweets with the same content, percentage of tweets with URLs, time between tweets, average hours tweeted per day, and average “distance” of account age in retweets/replies.

The above heuristics are organized in the 3 categories, the “Account attributes,” “Content,” and “Content Metadata.”

The tools and the techniques devised by the researchers could be very useful in investigating fraudulent activities associated with Twitter botnet. The experts first identify the automated bots then they use the tool to monitor the evolution of the botnets they belong.

The experts shared a case study related to the discovery of a sophisticated botnet of at least 15,000 bots involved in a cryptocurrency scam. The analysis of the botnet and the monitoring of the malicious infrastructure over time allowed the expert to discover how bots evolve to evade detection.

The experts reported their findings to Twitter that confirmed it is aware of the problem and that is currently working on implementing new security measure to detect problematic accounts.

Twitter botnet

“Twitter is aware of this form of manipulation and is proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections.” replied Twitter.

“When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.”.

Duo Security will release its tools as open source on August 8 during the the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” concluded Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”


How do file partner programs work?
7.8.2018 Kaspersky Analysis

It’s easy to notice if you’ve fallen victim to an advertising partner program: the system has new apps that you didn’t install, ad pages spontaneously open in the browser, ads appear on sites where they never used to, and so on. If you notice these symptoms on your computer, and in the list of installed utilities there is, for example, setupsk, Browser Enhancer, Zaxar game browser, “PC optimizers” (such as Smart Application Controller or One System Care), or unknown browsers, 99% of the time it’s pay-per-install network. Every month, Kaspersky Lab security solutions prevent more than 500,000 attempts to install software that is distributed through advertising partner programs. Most such attempts (65%) happen in Russia.

Geography of attempts to install advertising partner programs apps, June 2018

The partner program acts as an intermediary between software vendors who wish to distribute their apps and owners of file hosting sites. When the user clicks the Download or similar button on such sites, the partner program provides a special installer that downloads the required file, but also determines which set of additional software should be installed on the PC.

File partner programs benefit everyone except the user. The site owner receives money for installing “partner” apps, and the partner program organizer collects a fee from the advertisers, who in turn get what they wanted, since their software is installed.

Propagation methods
To illustrate the process, we chose a scheme used by several partner programs. Let’s look at a real page offering to download a plugin for the S.T.A.L.K.E.R. game.

On attempting to download it, the user is redirected to a landing page selected by the administrator of the file-sharing site when loading the file onto the partner program server. Such pages often mimic the interface of popular cloud services:

Example of a fake page to which the user is redirected

This is what the landing page chooser looks like in the File-7 partner program settings

On clicking the download button, the user receives a file with one of the following formats:

ZIP-archive
Torrent file
ISO image
HTML document
Moreover, archives are often multi-layered and, in many cases, password-protected. Such protective measures and choice of format are not accidental — partner programs engage a wide range of tricks to prevent browser from blocking the download of their installers.

Notification about installer download blocks in a partner program’s news feed

The victim is often guided through the loader installation with hints on the download pages as to how to find the program, which password to use for the archive, and how to run the installer. Some versions contain readme attachments with a description of the actions required for the installation. Regardless of the type of file that the user wanted to download, the end product is an executable. Interestingly, every time one and the same file is downloaded, its hash sum changes, and the name always contains a set of some characters.

Example of how loader files are named

Communicating with the server
At the preparatory stage, the partner program installer exchanges data with the C&C server. Every message transmitted uses encryption, usually rather primitive: first it is encoded in Base64, then the result is inverted, and again encoded in Base64.

At stage one, the loader transmits information about the downloaded installer, plus data for identifying the victim to the server. The message includes confidential information: user name, PC domain name, MAC address, machine SID, hard drive serial number, lists of running processes and installed programs. Naturally, the data is collected and transmitted without the consent of the device owner.

The server responds with a message containing the following information fields:
adverts list — with the installation conditions for certain partner software
content — contains the name of the file that the user originally intended to download and a link to it
icon — contains a link to an icon that is later downloaded and used when starting the graphical interface of the loader.

The installer checks that the conditions listed for each “advert” are fulfilled. If all conditions are met, the id of the advert is added to the adverts_done list. In the example above, for instance, the registry is checked for paths indicating that one of the selected antiviruses is installed on the computer. If this is the case, the partner software with id 1116 is not added to the adverts_done list and will not subsequently be installed on the user’s computer. The purpose of such a check is to prevent the installation of a program that would trigger antivirus software. Next, the generated list is sent to the server:

The server selects several id’s (usually 3-5) from the resulting adverts_done list and returns them to the campaigns list. For each id, this list has a checkboxes field containing the text to be displayed in the installation consent window, the url field containing a link to the installer of the given advert, and the parameter field containing a key for installing the unwanted software in silent mode.

After that, a window opens that simulates the download process in Internet Explorer. The loader does not explicitly notify the user that additional programs will be installed on the computer along with the downloaded file. Their installation can be declined only by clicking a barely discernible slider in the bottom part of the window.

File loader window

During the file download process, software that the user does not deselect is installed inconspicuously. At the final stage of operation, the loader reports to the server about the successful installation of each individual product:

Installed software analysis
By analyzing the loader process, we managed to get some links to various programs that can be installed secretly. Although most of the software relates to different advertising families (that’s how Pbot finds its way onto user devices, for example), that is not the only thing distributed via file partner programs. In particular, around 5% of the files were legitimate browser installers. About 20% of the files are detected as malicious (Trojan, Trojan-Downloader, etc.).

Conclusion
Owners of file-sharing sites that cooperate with similar partner programs often do not even check what kind of content visitors get from the resource. As a result, anything at all can be installed on the user’s computer besides legitimate software. Therefore, in the absence of security solutions, such resources need to be used with extreme caution.

Kaspersky Lab products detect the loaders of file partner programs with the following verdicts:

AdWare.Win32.AdLoad
AdWare.Win32.FileTour
AdWare.Win32.ICLoader
AdWare.Win32.DownloadHelper

IoCs:
1F2053FFDF4C86C44013055EBE83E7BD
FE4932FEADD05B085FDC1D213B45F34D
38AB3C96E560FB97E94222740510F725
F0F8A0F4D0239F11867C2FD08F076670
692FB5472F4AB07CCA6511D7F0D14103


Pentagon Restricts Use of Fitness Trackers, Other Devices
7.8.2018 securityweek  BigBrothers

WASHINGTON (AP) — Military troops and other defense personnel at sensitive bases or certain high-risk warzone areas won't be allowed to use fitness-tracker or cellphone applications that can reveal their location, according to a new Pentagon order.

The memo, obtained by The Associated Press, stops short of banning the fitness trackers or other electronic devices, which are often linked to cellphone applications or smart watches and can provide the users' GPS and exercise details to social media. It says the applications on personal or government-issued devices present a "significant risk" to military personnel, so those capabilities must be turned off in certain operational areas.

Under the new order, military leaders will be able to determine whether troops under their command can use the GPS function on their devices, based on the security threat in that area or on that base.

"These geolocation capabilities can expose personal information, locations, routines, and numbers of DOD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission," the memo said.

Defense personnel who aren't in sensitive areas will be able to use the GPS applications if the commanders conclude they don't present a risk. For example, troops exercising at major military bases around the country, such at Fort Hood in Texas or Norfolk Naval Station in Virginia, would likely be able to use the location software on their phones or fitness devices. Troops on missions in more sensitive locations, such as Syria, Iraq, Afghanistan or parts of Africa, meanwhile, would be restricted from using the devices or be required to turn off any location function.

Army Col. Rob Manning, a Pentagon spokesman, said it's a move to ensure the enemy can't easily target U.S. forces.

"It goes back to making sure that we're not giving the enemy an unfair advantage and we're not showcasing the exact locations of our troops worldwide," Manning said.

Concerns about exercise trackers and other electronic devices came to a head in January in the wake of revelations that an interactive, online map was pinpointing troop locations, bases and other sensitive areas around the world.

The Global Heat Map, published by the GPS tracking company Strava, used satellite information to map the locations of subscribers to Strava's fitness service. At the time, the map showed activity from 2015 through September 2017. And while heavily populated areas were well lit, warzones such as Iraq and Syria show scattered pockets of activity that could denote military or government personnel using fitness trackers as they move around.

The Pentagon immediately launched a review, noting that the electronic signals could potentially disclose the location of troops who are in secret or classified locations or on small forward operating bases in hostile areas.

This is the second memo affecting the use of cellphones and other electronic devices that the department has released in recent months. In May, defense officials laid out new restrictions for the use of cellphones and other mobile wireless devices inside the Pentagon.

That memo called for stricter adherence to long-held practices that require phones be left in storage containers outside secure areas where sensitive matters are discussed. But it also stopped short of banning the devices, and instead made clear that cellphones can still be used in common areas and other offices in the Pentagon if classified information is not present.

The latest memo says the new restrictions include GPS functions on fitness trackers, phones, tablets, smartwatches and other applications.

The Pentagon also said it will provide additional cybersecurity training to include the risks posed by the trackers and other mobile devices.

Heather Pierce, a spokeswoman for Fitbit, said Monday: "Fitbit is committed to protecting consumer privacy and keeping data safe. Unlike a smartphone, location data is not collected by Fitbit unless a user gives us access to the data, and users can always remove our access."


Facebook Asks Big Banks to Share Customer Details
7.8.2018 securityweek 
Social

Facebook has asked major US banks to share customer data to allow it to develop new services on the social network's Messenger texting platform, a banking source told AFP on Monday.

Facebook had discussions with Chase, JPMorgan, Citibank, and Wells Fargo several months ago, said the source, who asked to remain anonymous.

The Silicon Valley-based social network also contacted US Bancorp, according to the Wall Street Journal, which first reported the news.

Facebook, which has faced intense criticism for sharing user data with many app developers, was interested in information including bank card transactions, checking account balances, and where purchases were made, according to the source.

Facebook confirmed the effort in a statement to AFP, but said it was not asking for transaction data.

"Like many online companies with commerce businesses, we partner with banks and credit card companies to offer services like customer chat or account management," Facebook said.

The goal was to create new ways for Messenger to be woven into, and facilitate, interactions between banks and customers, according to the reports. The smartphone texting service boasts 1.3 billion users.

"The idea is that messaging with a bank can be better than waiting on hold over the phone -- and it's completely opt-in," the statement said.

Citigroup declined to comment regarding any possible discussions with Facebook about Messenger.

"While we regularly have conversations about potential partnerships, safeguarding the security and privacy of our customers' data and providing customer choice are paramount in everything we do," Citigroup told AFP by email.

JPMorgan Chase spokeswoman Patricia Wexler directed AFP to a statement given to the Wall Street Journal saying, "We don't share our customers' off-platform transaction data with these platforms and have had to say 'No' to some things as a result."

Wells Fargo decline to address the news.

Privacy worries

Messenger can be used by businesses to help people keep track of account information such as balances, receipts, or shipping dates, according to the social network.

"We're not using this information beyond enabling these types of experiences -- not for advertising or anything else," Facebook explained in its statement.

"A critical part of these partnerships is keeping people's information safe and secure."

But word Facebook is fishing for financial information comes amid concerns it has not vigilantly guarded private information.

Facebook acknowledged last month that it was facing multiple inquiries from US and British regulators about a scandal involving the now bankrupt British consultancy Cambridge Analytica.

In Facebook's worst ever public relations disaster, it admitted that up to 87 million users may have had their data hijacked by Cambridge Analytica, which was working for US President Donald Trump's 2016 election campaign.

Facebook CEO Mark Zuckerberg announced in May he was rolling out privacy controls demanded by European regulators to Facebook users worldwide because "everyone cares about privacy."

The social network is now looking at cooler growth following a years-long breakneck pace.

Shares in Facebook plummeted last week, wiping out some $100 billion, after the firm missed quarterly revenue forecasts and warned growth would be far weaker than previously estimated.

Shares in the social network have regained some ground, and rose 4.4 percent to close at $185.69 on Monday.


Group-IB experts record a massive surge of user data leaks form cryptocurrency exchanges
7.8.2018 securityaffairs Cryptocurrency

Group-IB researchers have investigated user data leaks from cryptocurrency exchanges and has analyzed the nature of these incidents.
Security experts from Group-IB, an international company specializing in preventing cyberattacks and developing information security solutions, has investigated user data leaks from cryptocurrency exchanges and has analyzed the nature of these incidents. Within a year, the number of data leaks soared by 369%.

The USA, Russia and China are TOP-3 countries in which registered users became the victims of cyberattacks.

In 2017, when cryptocurrencies were gaining momentum, their record-breaking capitalization and a spike in Bitcoin’s exchange rate led to dozens of attacks on cryptocurrency services. Based on data obtained from the Group-IB Threat Intelligence (cyber intelligence) system, experts from the international company Group-IB have analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges

January holidays for hackers: a 689% surge in the number of leaks

The report «2018 Cryptocurrency Exchanges. User Accounts Leaks Analysis»shows a steady increase in the number of compromised user accounts on cryptocurrency exchanges. In 2017, their number increased by 369% compared to 2016. The first month of 2018 set a record: due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average. The USA, Russia, and China are the countries where users are targeted most often. The study has shown that every third victim of the attack is located in the United States.

cryptocurrency exchanges affected

Toolkit and infrastructure used for attacks

Experts of Group-IB have identified 50 active botnets used for launching cyberattacks on cryptocurrency exchanges users. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).

cryptocurrency exchanges affected

The attackers use an increasingly wide range of malicious software and update their tools on a regular basis. The most frequently used malicious software includes Trojans such as AZORult and Pony Formgrabber, as well as the Qbot. At the same time, cybercriminals have modified tools previously used for attacks on banks and now successfully use them to hack cryptocurrency exchanges and gain access to users’ personal data.

What makes a successful attack possible?

This is one of the key issues covered in the Group-IB report. The answer is actually quite simple: disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges omit to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.

Group-IB has analyzed 720 accounts and found that one out of five users chose a password shorter than 8 characters (see Figure).

cryptocurrency exchanges affected

Attack as a premonition

Experts of Group-IB draw a bleak conclusion: currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least 5 out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi. There are various attack vectors: errors in the source code of the software, phishing attacks, unauthorized access to the user database, vulnerabilities related to storage and withdrawal of funds. However, all of them stem from the lack of attention to information security and protection of digital assets.

“Increased fraudulent activity and attention of hacker groups to cryptoindustry, additional functional of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds, signals that the industry is not ready to defend itself and protect its users”, says Ruslan Yusufov, the Director of Special Projects at Group-IB. “In 2018 we will see even more incidents. This situation requires prompt and effective response of all stakeholders, including experts in different areas.”

Recommendations of Group-IB experts to users and exchanges

In order to protect one’s funds against crypto-fraud, Group-IB recommends users to be mindful of their passwords (which should contain at least 14 unique symbols), never use the same passwords for different exchanges and always enable the 2FA (two-factor authentication). Experts recommend avoiding the use of public Wi-Fi (at least when carrying out exchange transactions) and paying special attention to one’s “traces” on the social media. For instance, users should not demonstrate the fact that they possess any cryptocurrency.

Recommendations to cryptoexchanges are also of high importance. First of all, they are strongly advised to make two-factor authentication obligatory for all the users and their operations, conduct regular security audits of IT infrastructure and related services, and allocate resources to training and awareness-raising concerning personnel security, starting from top management (founders) and down to rank-and-file employees. To improve the cybersecurity of cryptocurrency exchanges, experts also recommend installing Anti-APT solutions, using Threat Intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems. Specialists also suggest preparing cybersecurity incident response plans which will minimize potential damage.


HP releases firmware updates for two critical RCE flaws in Inkjet Printers
7.8.2018 securityaffairs
Vulnerebility

HP has released firmware updates that address two critical remote code execution vulnerabilities in some models of inkjet printers.
HP has released firmware updates to address two critical RCE flaws affecting some Inkjet printers. The two flaws, tracked as CVE-2018-5924 and CVE-2018-5925, could be exploited by attackers to trigger stack or static buffer overflow.

An attacker can exploit the vulnerabilities by sending a specially crafted file to the vulnerable inkjet printers.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.

The flaws have been assigned a CVSS score of 9.8 and affected roughly 160 models, including PageWide, DesignJet, Officejet, Deskjet, Envy, and Photosmart.

To download the firmware updates, go to the HP Software and Drivers page for your product and find the appropriate firmware update from the list of available software.
Go to the Upgrading Printer Firmware page and follow the instructions provided to install the firmware.

HP inkjet printers hacking

Flaws in the firmware of printers are not a novelty, in NNovember2017, experts from FoxGlove Security firm found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers.

Recently HP launched a private bug bounty program that offers up to $10,000 to white hat hackers that will discover serious issues in its printers.


Ex-Tesla Worker Accused of Hacking Seeks $1M in Counterclaim

6.8.2018 securityweek  Hacking

Tesla Breach

RENO, Nev. (AP) — A former Tesla Inc. employee at the electric car maker's battery plant in Nevada is seeking at least $1 million in defamation damages after it accused him of sabotage, hacking into computers and stealing confidential information leaked to the media.

Lawyers for Martin Tripp filed a counterclaim in federal court this week alleging any damages Tesla incurred were caused or contributed to by Tesla's "own negligence, acts or omissions."

Tripp alleges that between $150 million and $200 million worth of battery module parts for Tesla's Model 3 vehicle were incorrectly handled as scrap earlier this year. He said more than 700 dented and/or punctured battery modules were not discarded and instead were being shipped or were in the process of being shipped to customers.

A punctured battery could pose a fire risk.

Tesla officials did not respond to repeated requests for comment from The Associated Press on Thursday.

Tripp said he was recruited by Tesla, moved to Sparks, Nevada, from Wisconsin and started working at the battery factory in October 2017 as a lead process engineering technician. He was fired June 19.

Tesla filed the lawsuit against Tripp on June 20, three days after Musk warned employees of sabotage from within the company.

In the months prior, Tripp witnessed "several concerning business practices" inconsistent with Tesla's representations to investors and the general public, according to his counterclaim filed in U.S. District Court in Reno on Tuesday.

Tripp said he repeatedly questioned supervisors about the large quantities of waste and scrap vehicle parts he observed "lying haphazardly on the ground inside the Gigafactory." But his concerns were never addressed or resolved, Tripp said.

Tripp said he emailed CEO Elon Musk directly about his concerns on May 16 before Musk was scheduled to visit the factory east of Sparks that night. Later that day, Tripp said his manager asked him to forward the email he sent to Musk "so that I can avoid getting fired tonight," according to the lawsuit.

His counterclaim says a design engineer also told Tripp to clean up the production line area so Musk wouldn't see the mounds of scrap and waste lying on the ground, but Tripp declined to do so because he wanted Musk "to see how the Gigafactory was actually being operated." He said he was reassigned to a different position the following day.

Tesla's original lawsuit said Tripp admitted to Tesla investigators that he wrote software that transferred several gigabytes of data outside the company, including dozens of photographs and a video, according to the lawsuit filed Wednesday. Hacking software from Tripp also was running on three computer systems of other employees "so that the data would be exported even after he left the company and so that those individuals would be falsely implicated," the lawsuit alleged.

The lawsuit said Tripp made false claims about the information he stole, including claims that Tesla used punctured battery cells in the Model 3, and claims about the amount and value of scrap material generated by Tesla's manufacturing process. Some of the claims made it into media stories about the company, but media organizations are not identified in the lawsuit.

Tripp, a former aviation electronics technician in the U.S. Navy who worked two decades in the electronic and engineering industries, said in his counterclaim he "did not sabotage Tesla or its operations" and his actions "were necessary, reasonable and/or privileged."

He acknowledged in the counterclaim that he had made claims about the scrap and punctured battery cells being used in Model 3 vehicles. But he said he did not direct code changes to the Tesla Manufacturing Operating System under false user names or export large amounts of highly sensitive Tesla data as Musk had asserted.

After he was reassigned to a new position, Tripp "learned of and witnessed additional unnerving, dangerous and wasteful business practices," including employees systematically reusing parts and battery cells that had been previously discarded as waste, the suit said.

The scrap problem dramatically increased in March 2018 when Tesla initiated a company-wide effort to reach its publicized goal of producing 2,500 Model 3 vehicles per week, the lawsuit said. It said the production push — with an objective of making 5,000 vehicles per week by July 2018 — was known as the "March to 2,500."


GitHub to Warn Users on Compromised Passwords
6.8.2018 securityweek  Incindent

In a move to protect its users, software repository site GitHub is now alerting account holders whenever it detects that a password has been compromised in breaches on other services.

Security experts have long pushed for the use of long, unique passwords, to ensure stronger security of all online accounts. However, even unique passwords can pose a great risk when compromised, especially if attackers can link them to specific accounts.

The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. The service allows users to check whether their accounts and passwords have appeared in any data breaches.

An internal tool GitHub has created is now taking advantage of a 517 million record dataset that Hunt made available for download through its service to “validate whether a user’s password has been found in any publicly available sets of breach data.”

The open-source software repository platform enabled the feature last week. The functionality, it says, it meant to alert all people who are using compromised passwords and prompt them to select a different one during login, registration, or when updating their password.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.

Users who have two-factor authentication (2FA) enabled will receive periodic warnings to review the 2FA setup and recovery options, GitHub also reveals.

However, traditional 2FA options such as SMS have proven to be unreliable, and all of the online platform’s users are advised to use a 2FA authenticator application that supports cloud backups, to ensure a recovery option is always available for them.

“These new account security enhancements will help improve the security of your account. We hope you will take this opportunity to review the security of your account. Balancing security, usability, and recoverability is a personal decision,” GitHub notes.

The service’s users are advised to generate strong, unique passwords using a dedicated manager, to enable 2FA, and to make sure an account-recovery method is available. They should also update their primary email address if necessary and review their other credentials on the platform, GitHub says.

GitHub, which will soon become part of Microsoft, has made other security improvements as well, including the enforcing of SSL/TLS. This, however, did not stop hackers from compromising accounts to spread malicious code, as was the case with the recent Gentoo incident.


HP Patches Critical RCE Flaws in Inkjet Printers
6.8.2018 securityweek 
Vulnerebility

HP has released firmware updates for many of its ink printers to address a couple of critical vulnerabilities that can be exploited for remote code execution.

According to the HP Product Security Response Team (PSRT), the company’s Inkjet printers are affected by flaws that allow an attacker to trigger a stack or static buffer overflow and execute arbitrary code by sending a specially crafted file to an affected device.

The vulnerabilities are tracked as CVE-2018-5924 and CVE-2018-5925, and they have both been assigned a CVSS score of 9.8.

HP has shared a list of roughly 160 impacted products, including PageWide, DesignJet, Officejet, Deskjet, Envy and Photosmart devices. The firmware updates for each impacted product can be obtained from HP’s website.

This is not the first time a remote code execution flaw has been found in HP printers. Last year, researchers discovered several potentially serious vulnerabilities in some of HP’s enterprise printers, including an RCE bug affecting LaserJet Enterprise, PageWide Enterprise, LaserJet Managed and OfficeJet Enterprise printers.

HP recently announced the launch of a private bug bounty program that offers up to $10,000 for serious vulnerabilities found in the company’s printers. HP had invited 34 researchers by the time the initiative was unveiled.

The program covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).


Campaigns on Their Own as Cyber Threats Roil Midterms
6.8.2018 securityweek  Cyber

NEW YORK (AP) — Kamala Harris has been the target of social media misinformation campaigns since she became a U.S. senator.

Every month for the last 18 months, her office has discovered on average between three and five fake Facebook profiles pretending to be hers, according to a Harris aide. It's unclear who creates the pages, which are often designed to mislead American voters about the ambitious Democratic senator's policies and positions.

The aide spoke on the condition of anonymity, like more than a half dozen campaign officials contacted for this story, for fear of attracting unwanted attention from adversaries or scrutiny on the Senate office's evolving cybersecurity protocols.

Such internet mischief has become commonplace in U.S. politics. Facebook announced earlier this week that it uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms. Senior intelligence officials declared Thursday that foreign adversaries continue waging a quiet war against U.S. campaigns and election systems.

Still, one thing has become clear: With the midterm elections just three months away, campaigns are largely on their own in the increasingly challenging task of protecting sensitive information and countering false or misleading content on social media.

The Democratic National Committee has worked to strengthen its own internal security protocols and encouraged state parties to do the same, according to Raffi Krikorian, who previously worked for Uber and Twitter and now serves as the DNC's chief technology officer.

But in an interview, he acknowledged there are limits to how much the national party can protect the thousands of Democratic campaigns across the country.

"We're providing as much assistance to campaigns as we can, but there's only so much we can do," Krikorian said.

"For all the high-level campaigns I'm worried, but at least there are people to talk to," he continued. "The mid-sized campaigns are at least getting technical volunteers, but the truly down-ballot campaigns, that's where the state parties and coordinated campaigns can help, but there's no doubt that this is an uphill battle when we're dealing with a foreign adversary."

Officials in both political parties have intensified cybersecurity efforts, although the known cases of interference have so far overwhelmingly focused on Democrats.

The DNC now has a staff of 40 on its technical team, led by Krikorian and other Silicon Valley veterans hired in the months after Russians hacked the party's email system and released a trove of damaging messages in the months before President Donald Trump's 2016 victory.

Top U.S. intelligence and homeland security officials raised new alarms Thursday about outside efforts to influence the 2018 and 2020 elections during a White House press briefing.

Homeland Security chief Kirstjen Nielsen said: "Our democracy is in the crosshairs," while Director of National Intelligence Dan Coats added: "We continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States."

Facebook said it removed 32 accounts from its site and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts, which featured names such as "Black Elevation" and "Resisters" and were designed to manipulate Americans with particular ethnic, cultural or political identities.

In many cases, House and Senate political campaigns said they're just beginning to adopt basic internal security protocols, such as two-step verification for all email, storage and social media accounts and encrypted messaging services such as Wickr.

There is no protocol in place for campaigns or national parties to monitor broader social media misinformation campaigns, however. Nor is there any sign that law enforcement is playing a proactive role to protect campaigns from meddling on a day-to-day basis.

The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression, but campaigns report no regular contact with law enforcement officials.

"At the end of the day, the U.S. government is not putting any type of a bubble around any (campaign). They do not have the authority, capacity or capability to do it," said Shawn Henry, a former senior FBI official who now leads the cybersecurity firm CrowdStrike, which works with political campaigns. "NSA is not sitting in the ISPs filtering out malicious traffic."

Henry added: "They've got to take pro-active actions themselves."

Earlier this month, Microsoft said it discovered a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said this week that additional analysis confirmed the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017. Former Democratic U.S. Rep. Brad Ashford of Nebraska also recently confirmed that his 2016 campaign emails had been hacked by Russian agents.

Ashford, who narrowly lost his seat to Republican Don Bacon that year, said hackers obtained all of his campaign email correspondence with the Democratic Congressional Campaign Committee. He said he was notified of the breach in late July or early August 2016 by House Democratic Leader Nancy Pelosi's office.

Ashford has said he doesn't believe any of the stolen information ever went to Bacon or the Republican Party, and he doesn't know whether it made a difference in his race. He did face a series of anonymous political attacks on social media.

By their very nature, U.S. political campaigns can be a challenge to defend from a cybersecurity standpoint. They are essentially pop-up organizations that rely heavily on volunteers and are focused on a singular task — winning. In addition, high-level IT expertise costs money and campaigns typically run on tight budgets.

Some 2018 House campaigns have yet to hire basic communications staffers.

In the case of California Sen. Harris, who is considered a 2020 presidential prospect, her office plans to continue rooting out fake social media profiles on its own. They have had no contact with the FBI. They have reported the issue to Facebook in every case — not the other way around.

"It's on the forefront of everybody's mind," said Patrick McHugh, a former Senate campaign official who now leads the Democratic-aligned super PAC Priorities USA.

He acknowledged the tremendous challenge for many campaigns.

"All it takes is one person on a campaign to make a mistake," McHugh said. "You're up against a foreign country. That's a pretty big adversary that can and will go to all ends to get in."


New Open Source Tools Help Find Large Twitter Botnets
6.8.2018 securityweek  BotNet

Duo Security has created open source tools and disclosed techniques that can be useful in identifying automated Twitter accounts, which are often used for malicious purposes.

The trusted access solutions provider, which Cisco recently agreed to acquire for $2.35 billion, has collected and studied 88 million Twitter accounts and over half-a-billion tweets. Based on this data, which the company says is one of the largest random datasets of Twitter accounts analyzed to date, researchers were able to create algorithms for differentiating humans from bots.

The dataset, collected using Twitter’s API, includes profile name, tweet and follower count, avatar, bio, content of tweets, and social network connections.

Researchers created their tools and techniques for identifying bots based on 20 unique account characteristics, including the number of digits in a screen name, followers/following ratio, number of tweets and likes relative to the account’s age, number of users mentioned in a tweet, number of tweets with the same content, percentage of tweets with URLs, time between tweets, and average hours tweeted per day.

Tests conducted by experts led to the discovery of a sophisticated cryptocurrency-related scam botnet powered by at least 15,000 bots. These accounts were designed to use deceptive behaviors to avoid automatic detection, while attempting to obtain money from users by spoofing cryptocurrency exchanges, celebrities and news organizations.

Duo Security informed Twitter of its findings. The social media giant says it’s aware of the problem and claims it’s proactively implementing mechanisms to detect problematic accounts.

“Spam and certain forms of automation are against Twitter's rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections. When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter's API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related,” Twitter said.

Duo Security has published a 46-page research paper describing its findings and techniques. The company will release its tools as open source on August 8 at the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” explained Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”


Mozilla to Researchers: Stay Away From User Data and We Won’t Sue
6.8.2018 securityweek  Security

Security researchers looking to find bugs in Firefox should not worry about Mozilla suing them, the Internet organization says. That is, of course, as long as they don’t mess with user data.

Mozilla, which has had a security bug bounty program for over a decade, is discontent with the how legal issues are interfering with the bug hunting process and has decided to change its bug bounty program policies to mitigate that.

Because legal protections afforded to those participating in bounty programs failed to evolve, security researchers are often at risk, and the organization is determined to offer a safe harbor to those researchers seeking bugs in its web browser.

According to the Internet organization, bug bounty participants could end up punished for their activities under the Computer Fraud and Abuse Act (CFAA),the anti-hacking law that criminalizes unauthorized access to computer systems.

“We often hear of researchers who are concerned that companies or governments may take legal actions against them for their legitimate security research. […] The policy changes we are making today are intended to create greater clarity for our own bounty program and to remove this legal risk for researchers participating in good faith,” Mozilla says.

For that, the browser maker is making two changes to its policy. On the one hand, the organization has clarified what is in scope for its bug bounty program, while on the other it has reassured researchers it won’t take legal action against them if they don’t break the rules.

Now, Mozilla makes it clear that participants to its bug bounty program “should not access, modify, delete, or store our users’ data.” The organization also says that it “will not threaten or bring any legal action against anyone who makes a good faith effort to comply with our bug bounty program.”

Basically, the browser maker says it won’t sue researchers under any law (the DMCA and CFAA included) or under its applicable Terms of Service and Acceptable Use Policy for their research performed as part of the bug bounty program.

“We consider that security research to be ‘authorized’ under the CFAA,” Mozilla says.

These changes, which are available in full in the General Eligibility and Safe Harbor sections of organization’s main bounty page, should help researchers know what to expect from Mozilla.


Fortnite APK is coming soon, but it will not be available on the Google Play Store
6.8.2018 securityaffairs Android

Fortnite, the most popular game will be soon available for Android users but the Fortnite APK will not be in the Play Store.
Fortnite continues to be the most popular game, it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The great success obtained by the Fortnite attracted cyber criminals that are attempting to exploit its popularity to target its fans.

Unfortunately for Android users, Fortnite for Android devices is not available yet, it is currently under development while the iOS version was released in March by Epic Games.

In the recent months, crooks attempted to take advantage of Android users’ interest in an alleged version for their devices of the popular game.

Experts discovered many blog posts and video tutorial with instructions to install fake Fortnite Android App.

Scammers are exploiting this interest to trick Android fans into downloading tainted version of the game that can compromise Android devices.

Fortnite APK

Now there is a news for the Android fans of the popular game, Epic Games confirmed the Fortnite APK for Android will be available for download exclusively only through its official website and not through the official Google Play Store.

According to the Epic Games CEO Tim Sweeney in this way, the company will have “have a direct relationship” with its consumers and will allow saving 30 percent fee that Google maintains when users download a software from the Play Store.

“The awesome thing about Fortnite is it’s brought a huge volume of digital commerce to Epic. We can now do that very efficiently. We can handle payment processing and customer support and download bandwidth with some great deals. We’re passing the savings along with the Unreal Engine Marketplace. We’ve change the royalty split from the 30/70 you see everywhere to developers getting 88 percent. We find that’s a great boon for developers.” Sweeney told GamesBeat.

Sweeney explained that the share of profits for the version running on Microsoft or Nintendo is right because the “enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

Sweeney considers disproportionate 30% cut on the fee applied by Google for its services but evidently doesn’t evaluate the security features implemented by the Google store to avoid crooks will serve tainted versions of the Fortnite APK.

Even if in the past we have found several malicious apps uploaded to the Play Store, we cannot underestimate the Google’s efforts for the security of its users.

The availability of Fortnite APK on a third-party website could expose Android users to the risk of infection.

The only way to download an APK from a third-party store is to manually enable “Install Apps from Unknown Sources” option in the settings.

A large number of Android users will search “how to install Fortnite on Android,” these fans could be targeted in various ways, for example in black SEO campaigns devised to infect their devices.

“The move will simply encourage users to manually enable “Install Apps from Unknown Sources” option in the settings menu or accept a variety of Android security prompts in order to install Fortnite game directly from the Epic Games website.” reported The Hacker News.

“So, thousands of people out there searching, “how to install Fortnite on Android” or “how to download Fortnite APK for Android” on the Internet, could land themselves on unofficial websites, ending up installing malware.”

In order to install Fortnite on Android, players will have to download the Fortnite Launcher from the official Epic website, then it will allow them to load the Fortnite Battle Royale onto their devices.

Attackers can impersonate the legitimate source, for example by carrying out phishing campaign to trick Android users into downloading tainted version of Fortnite APK.


Chip Giant TSMC Says WannaCry Behind Production Halt
6.8.2018 securityweek
Ransomware

TSMC Chip Factory hit by Malware

Image Source: Taiwan Semiconductor Manufacturing Co., Ltd.

Chipmaker giant Taiwan Semiconductor Manufacturing Co (TSMC) said Monday the computer virus that brought its production to a halt for two days was a variant of the WannaCry ransomware that hit users all around the world.

WannaCry infected more than 200,000 users in more than 150 countries last year, encrypting user files and demanding ransom payments from their owners to get them back.

TSMC -- a key Apple supplier -- said some its computer systems and equipment in its Taiwan plants were infected on August 3 during software installation, which is expected to cause shipment delays and cutting third-quarter revenue by two percent.

It comes as Apple is set to release new iPhone models later this year.

TSMC declined to specify which customers and products are affected by the brief outage, but it said no confidential information was compromised.

Chief Executive Officer C.C. Wei told reporters and analysts on Monday that the virus has been eliminated and all production is back online.

Wei ruled out the incident as a hack targeted at the company, but an oversight by employees to conduct virus scans properly.

"This is purely our negligence so I don't think there is any hacking behaviour," he said.

"We regret this. There won't be any more human errors," said Wei.

He added that TSMC will develop a more automated anti-virus procedure going forward.

The firm said it is in close contact with its customers to minimise the impact, and maintains its sales growth outlook for the year.


Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks
6.8.2018 securityaffairs Attack

DoE announced the Liberty Eclipse exercise to test the electrical grid ‘s ability to recover from a blackout caused by cyberattacks.
This is the first time the Department of Energy will test the electrical grid’s ability to recover from a blackout caused by cyberattacks.

We have discussed many times the effects of a cyber attack against an electrical grid, the most scaring scenario sees wide power outage bringing population in the dark.

Is this a feasible scenario for the US critical infrastructure?

The Department of Energy wants to test the resilience of an electrical grid to a cyber attack, so it’s going to launch the first hands-on exercise to test the ability of the operators of such infrastructure in recovering from a blackout caused by a cyber attack.

According to the E&E News website, the Department of Energy plans to conduct a weeklong experiment, dubbed ‘Liberty Eclipse,’ that will take place starting Nov. 1 on a restricted area off the cost of New York called Plum Island.

“The Department of Energy is planning an unprecedented, “hands-on” test of the grid’s ability to bounce back from a blackout caused by hackers, E&E News has learned.” reported the E&E News website.

“The “Liberty Eclipse” exercise will simulate the painstaking process of re-energizing the power grid while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure. The weeklong stress test is scheduled to take place this November on Plum Island, a restricted site off the coast of New York that houses a Department of Homeland Security animal disease center.”

This is the first time that the Department of Energy is planning such kind of “hands-on” test of the grid’s ability to restore operations from a blackout caused by a cyber attack. The “Liberty Eclipse” exercise aims at evaluating the response of the infrastructure to coordinated attacks against an electric, oil and natural gas infrastructure. The DOE wants to prepare the infrastructure of the country for threats.

“It’s in our national security interest to continue to protect these sources of energy and to deliver them around the world,” Energy Secretary Rick Perry said at a cybersecurity conference in New York last week.

“Taking care of that infrastructure, from the standpoint of protecting it from cyberattacks — I don’t think it’s ever been more important than it is today.”

electrical grid

The goal of the Liberty Eclipse exercise is to prepare the response to a major incident caused by cyber attacks, that could be frequent events in a short future. Utilities that have to restore electricity following massive blackouts first need to provide initial jump of electricity before they can start generating it.

This operation is done by the operators by using diesel generators and other blackstart sources to choreograph “cranking paths” for restoring the functions of the electrical grid.

“Utilities can’t just flip a few switches to bring the lights on following a major shutdown. In fact, power plants typically need an initial jump of electricity before they can start generating it.” continues the E&E News website. Power companies rely on diesel generators and other blackstart sources to choreograph “cranking paths” for bringing the grid on its feet. Once enough pockets of electricity have been brought online, operators can sync up the islands with the wider grid.”

The entire process is time-consuming and can take many hours to be completed, even under the most favorable circumstances.

The DOE aims at speed up the restoration of the electrical grid by incorporating simulated cranking paths, provided by the Defense Advanced Research Projects Agency, that were designed for this reason.

“Together, [participants] will work to energize a blackstart cranking path by detecting the attack, cleaning malicious influence, and restoring crank path digital systems to operation,” the DOE states in a planning memo from last month.

This is the first exercise that is going to test the “blackstart” cranking paths that were excluded from previous simulations.


TCM Bank: website misconfiguration exposed applicant data for 16 months
6.8.2018 securityaffairs Hacking

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018
TCM Bank, a subsidiary of ICBA Bancard, serves as a trusted advisor to community banks, it serves as a direct issuer of credit cards for more than 750 small and community U.S. banks who prefer not to issue cards themselves.

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, including names, addresses, dates of birth and Social Security numbers.

“In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor.” wrote the popular investigator Brian Krebs.

“TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.”

Thousands of people who applied for cards between early March 2017 and mid-July 2018 were affected by the incident.

The company notified the incident to the affected customers via email, data exposed belongs to card applicants uploaded to a Web site managed by a third party vendor.

The attorney Bruce Radke who is helping TCM confirmed that the number of affected customers is less than 10,000.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said.

“We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

TCM Bank

Businesses have to carefully review the level of security implemented by their partners to avoid those third-party incidents could have a significant impact on their operations.

“Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers.” concludes Krebs.

“Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners”


ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis
6.8.2018 securityaffairs Cryptocurrency

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection.
The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.

The expert called this new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first dll, it uses some exploits to spread.

Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.

ZombieBoy

The cryptocurrency uses Simplified Chinese language, which suggests that its author is a Chinese coder.

The ZombieBoy mine leverages several exploits, including:

CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit
CVE-2017-0146, SMB exploit
ZombieBoy also uses both NSA-linked exploits DoublePulsar and EternalBlue exploits to remotely install the main dll. The malware used the ZombieBoyTools to install the two exploits.

Once the has established a backdoor in the target system it could deliver other families of malware, such as ransomware, and keyloggers.

According to Quinn’s, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor.

The same component uses XMRIG to mine Monero coins at 43 KH/s, that means that users can earn $1,000 on a monthly base at the current rate.

“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.

Quinn highlighted that the miner is being updated constantly, he is observing new samples on a daily base.

The malware is able to detect VM and doesn’t run in a virtualized environment to make hard its detection.

Further details including IoCs are reported in the analysis published by the expert.


Tech Support Scams improved with adoption of Call Optimization Service
6.8.2018 securityaffairs
Spam

Security experts from Symantec are warning of tech support scams abusing Call Optimization Services to insert phone numbers.
Crooks are improving their tech support scams by using Call Optimization Services that are commonly used in legitimate call center operations to perform:

Tracking the source of inbound calls
Creation and management of phone numbers
Call load balancing
Call forwarding
Call analytics
Call routing
Call recording
Scammers continue to improve their techniques and now they are using the service to dynamically insert phone numbers into their scam web pages and potentially gain additional features to make their scams more successful

The scams begin when unaware victims visit a malicious website or are redirected to a bogus website in various ways such as a malvertising campaign.

“The scam web page informs the victim that the computer has been blocked due to a malware infection and tries to lure the user into calling a “toll free” number for assistance. An audio file, stating that the computer is infected, is also played in the background when the user arrives on the scam web page.” reads the analysis published by Symantec.

tech support scams

The malicious page implements some tricks to avoid victims will close the page. The pages show display notification dialogs in full-screen mode or execute a javascript routine that makes the site unresponsive.
The pages display a list of numbers to call to fix the problem and users in panic tend to call them.

According to Symantec, crooks leverages call optimization services in order to dynamically insert phone numbers into a scam page.

This specific tech support scams not only is performing browser fingerprinting, it retrieves the browser version as well based in which crooks redirect victims to different scam pages.

Crooks used a script in the call optimization services to check a specific tag in the scam URL, then the script retrieves the scammer’s phone number from the service’s servers. When the servers return the scammer’s phone number, the tag triggers the “Callback” function that retrieves and displays the appropriate phone number for victims to call.

If the tag from the call optimization service is not present in the scam URL, the phone number is retrieved by loading an XML file using the function loadXMLDoc() which is then displayed on the scam page.

The advantage of using the call optimization service’s tag in the URL is that it allows the scammers to dynamically insert phone numbers into their scam pages that are localized. “localized” to provide a different number based on the victim’s country.
Victims are shown a phone number that calls someone that speaks their language.
“However, by using the call optimization service’s tag in the URL the scammers can dynamically insert phone numbers into their scam pages,” continues Symantec.

“This can be useful, for example, if victims are based in multiple countries, as the victim can be shown a phone number that calls someone that speaks their language.”

Crooks can abuse Call Optimization Services in their tech support scams also for other goals, for example, to provide analytics, to implement load balancing during busy times to avoid losing calls.


Malware Hits Plants of Chip Giant TSMC
6.8.2018 securityweek
Virus

A piece of malware has caused significant disruptions in the factories of Taiwan Semiconductor Manufacturing Company (TSMC), the world’s biggest contract chipmaker.

TSMC’s most important customer is Apple, whose iPhone and iPad products use TSMC chips, but the company also supplies semiconductors to Qualcomm, Nvidia, AMD, MediaTek and Broadcom.

In a statement published on its website on Sunday, the company described the incident as a “computer virus outbreak” that impacted an unspecified number of computer systems and fabrication tools in Taiwan.

The infection was discovered on August 3 and the semiconductor foundry said it had restored 80 percent of systems by August 5, with a full recovery expected by August 6.

The company expects the incident to have a significant impact on its revenue for the third quarter. Financial Times reported that its revenue will take a hit of roughly $255 million.

“TSMC expects this incident to cause shipment delays and additional costs. We estimate the impact to third quarter revenue to be about three percent, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in third quarter will be recovered in the fourth quarter 2018, and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018,” TSMC stated.

“Most of TSMC’s customers have been notified of this event, and the Company is working closely with customers on their wafer delivery schedule. The details will be communicated with each customer individually over the next few days,” the company added.

According to TSMC, the malware made its way onto the network due to “misoperation” during the installation of a new tool. The company said the incident did not affect data integrity and it did not result in confidential information getting compromised.


Salesforce warns of API error that exposed Marketing data
5.8.2018 securityweek
Vulnerebility

The US Cloud-based customer relationship management software giant Salesforce is warning marketing customers of a data leakage caused by an API error.
The US cloud computing company Salesforce is warning marketing customers of a data leakage caused by an API error. The incident could potentially affect a large number of companies, including Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, and Sony.

The error was in production between June 4 to July 18, and potentially affected users of two modules within the broader Marketing Cloud offering, the Email Studio and Predictive Intelligence solutions.

“On July 18, we became aware of an issue that impacted a subset of Marketing Cloud customers using Marketing Cloud Email Studio and Predictive Intelligence.” reads the notice published by Salesforce.

“We resolved the issue on that same day, July 18. Customers who may have been impacted were notified. For additional details, please see the Email Studio and Predictive Intelligence REST API Issue article here: https://sfdc.co/XIbG2”

salesforce marketing-cloud

The news was first reported by BankInfoSecurity that obtained a copy of the alert distributed by the company via email on Thursday.

Salesforce states that the error involved the company’s REST application programming interface.

“During a Marketing Cloud release between June 4, 2018, and July 7, a code change was introduced that, in rare cases, could have caused REST API calls to retrieve or write data from one customer’s account to another inadvertently,” reads the alert issued by Salesforce and published by BankInfoSecurity.

“Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data.”

The company also warns that some customers may have had their data corrupted, it has also posted a knowledge article on the issue.

The bad news for the customers of the company. is that at the time it is not able to say if data was altered or is attackers maliciously tampered with.

“We have no evidence of malicious behavior associated with this issue,” a Salesforce spokesman told ISMG.

“We are unable to confirm if your data was viewed or modified by another customer,” Salesforce explained in its alert, noting that it was notifying all customers just to be on the safe side. “While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account.”


Do Businesses Know When They’re Using Unethical Data?
5.8.2018 securityweek Security

Data breaches are costly for businesses that expterience them, this data fuel the black markets and sometime are offered to complanies as legitimate data.
Data breaches are extraordinarily costly for businesses that experience them, both concerning reputational damage and money spent to repair the issues associated with those fiascos. And, on the consumer side of things, the scary thing is hackers don’t just steal data for notoriety. They do it to profit, typically by selling the snatched details online.

But, then, are other businesses aware of times when the data they just bought might have been stolen instead of legally obtained?

People Can Access Most of the Relevant Black Market Sites on Standard Browsers
There was a time when venturing into the world of the online black market typically meant downloading encryption software that hid the identity of users. However, most black market transactions happen on the “open” web so that it’s possible to access the respective sites via browsers like Firefox and Chrome without downloading special software first.

That means business representatives aren’t safe from coming across stolen data if they decide only to browse the internet normally. However, the kind of information advertised on the open web should be enough to raise eyebrows by itself. It often contains credit card information or sensitive medical details — not merely names, email addresses or phone numbers.

Companies can reduce the chances of unknowingly benefiting from stolen data by not proceeding with purchases if they contain private, not readily obtainable details.

Illegitimate Sellers Avoid Giving Payment Details
Even when people seek to profit by peddling stolen data, their desire to make money typically isn’t stronger than their need to remain anonymous. Most criminals who deal with data from illegal sources don’t reveal their names even when seeking payment. They’ll often request money through means that allow keeping their identities secret, such as Bitcoin.

Less Information, More Suspicion
If companies encounter data sellers that stay very secretive about how they get their data and whether it is in compliance with data protection and sharing standards, those are red flags.

However, even when data providers do list information about how they obtain data, it’s a good idea to validate the data on your own. For example, if you get calling data from a third-party provider, you should always check it against current Do Not Call lists.

Dark Web Monitoring Services Exist
As mentioned above, stolen data frequently works its way through the open web rather than the dark web. However, it’s still advisable for companies to utilize monitoring services that search the dark web for stolen data. The market for such information is lucrative, and some clients pay as much as $150,000 annually for such screening measures. If businesses provide data that comes up as originating from the dark web, that’s a strong indicator that it came from unethical sources.

data breaches

Do Legitimate Companies Create the Demand for Stolen Data?
It’s difficult to quantify how many reputable companies might be purchasing stolen data. If they do it knowingly, such a practice breaks the law. And, even if it happens without their knowledge, that’s still a poor reflection on those responsible. It means they didn’t carefully check data sources and sellers before going through with a purchase.

Unfortunately, analysts believe it happens frequently. After data breaches occur, some of the affected companies discover their data being sold online and buy it back. When hackers realize even those who initially had the data seized will pay for it, they realize there’s a demand for their criminal actions.

After suffering data breaches, some companies even ask their own employees to find stolen data and buy it back.

Most use intermediary parties, though representatives at major companies, including PayPal, acknowledge that this process of compensating hackers for the data they took occurs regularly. They say it’s part of the various actions that happen to protect customers — or to prevent them from knowing breaches happened at all.

If companies can find and recover their stolen data quickly enough, customers might never realize hackers had their details. That’s especially likely, since affected parties often don’t hear about breaches until months after companies do, giving those entities ample time to locate data and offer hackers a price for it.

Plus, it’s important to remember that companies pay tens of thousands of dollars to recover their data after ransomware attacks, too.

Should Businesses Bear the Blame?
When companies buy data that’s new to them, they should engage in the preventative measures above to verify its sources and check that it’s not stolen. Also, although businesses justify buying compromised data back from hackers, they have to remember that by doing so, they are stimulating demand — and that makes them partially to blame.

Instead of spending money to retrieve data that hackers take, those dollars would be better spent cracking down on the vulnerabilities that allow breaches to happen so frequently.


Russian troll factory suspected to be behind the attack against Italian President Mattarella
5.8.2018 securityweek BigBrothers

The Russian shadow behind the attack on Italian President Mattarella, a coordinated attack via Twitter involved hundreds of profiles inviting him to resign.
Cybersecurity experts and Italian media believe that the Italian President Sergio Mattarella is the last victim of the Russian troll farm.

On May 27 the late afternoon, thousands of Twitter profiles suddenly started spreading messages against the Italian president asking him to resign.

The messages appeared as a coordinated attack, they were using the hashtag #MattarellaDimettiti (Italian translation: “Mattarella resign”). Messages using this hashtag were rapidly spreading across the Internet, many other legitimate users started using it and it is quite easy to find similar legitimate message today.

But someone has triggered the protest online, someone who has clear interests to destabilize the Italian government.

Actual vice-premier Luigi Di Maio was asking for the indictment of President Mattarella who refused to endorse the choice of a candidate to the Minister of Economy because of his known anti-euro position.

The analysis of social media Twitter revealed that around at two o’clock in the morning there was an anomalous spike in the number of messages against the President Mattarella.

President Mattarella

Were they sleepless Italians or someone was attempting to influence the sentiment of the population on specific topics?

According to the Huffington Post Italy, in just a few minutes there were about 400 new profiles, that were traced back to a single origin, coordinating the misinformation campaign.

The Huffington Post reported that the Italian law enforcement Polizia Postale confirmed that the source of the campaign was one, but due to countermeasures adopted by the attackers was impossible to find the control room and attribute the attack to a specific threat actor.

“It is well known that, with high probability, it should have been created abroad, even if no one is able to say whether the Russian operators involved in disruptive actions in the American election campaign are involved.” states the Huffington Post citing the Italian newspaper Corriere della Sera.

According to the Huffington Post, at least twenty Twitter profiles involved in the attack against Italian President Mattarella belonging to completely unsuspecting Italians had been used one or more times by the Internet Research Agency (Ira) of Saint Petersburg, also known as the Russian troll factory.

The same accounts were involved in other propaganda campaigns in favor of populist parties, sovereignists, and anti-Europeans.

This is the conclusion of an analysis conducted on a sample composed of 67% of the archive related to the activity of the Internet Research Agency (Ira) that was published by the Firethirtyeight website.

The website published 3 Million Russian Troll tweets that were analyzed by the US prosecutor Robert Mueller as part of the investigation of the Russian influence on the 2016 Presidential election.

The huge number of tweets was collected by the researchers Darren Linvill and Patrick Warren from the Clemson University.

The archive includes roughly 16,000 tweets in the Italian language, according to the Italian newspaper Corriere della Sera, some of the accounts were particularly active and were fueling discussions against government representatives.

Now let me close with a simple consideration … the propaganda online attributed to the Internet Research Agency is really very noisy, and I fear it was designed to be so, likely under a wider diversionary strategy.

Involving more sophisticated technologies it is possible to obtain better results, let’s think of the involvement of artificial intelligence.

Putin said several times that the nation that leads in AI ‘will be the ruler of the world,’ and I’m sure that the involvement of machine learning systems in a troll factory can produce results much better than actual ones.

Is the Internet Research Agency itself the result of a bigger troll farm the already leverage artificial intelligence?


A malware paralyzed TSMC plants where also Apple produces its devices
5.8.2018 securityweek
Virus

A virus has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the plants where Apple produces its devices
A malware has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the iPhone chipmaker plans.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

According to Bloomberg that first reported the news, the infection caused one of the most severe disruptions suffered by the company as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants will not able to restart before Sunday.
“The sole maker of the iPhone’s main processor said a number of its fabrication tools had been infected, and while it had contained the problem and resumed some production, several of its factories won’t restart till at least Sunday. The virus wasn’t introduced by a hacker, the company added in a statement.” states the Bloomberg.

“Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day,” the company said in its Saturday statement.

This is the first time that a malware cripples a TSMC facility paralyzing the production, according to the company “the degree of infection varied from factory to factory.”
“TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines,” Chief Financial Officer Lora Ho told Bloomberg News by phone.

TSMC Apple infection

The economic impact of this kind of incidents could be severe, at the time there is no info about losses caused by the attack on the Taiwanese firm.

At the time it is not possible to estimate the potential effects on the production of Apple devices, “the implications are also unclear for Apple.”

“The incident comes weeks after TSMC cheered investors with a rosy outlook for smartphone demand in the latter half of the year. That helped the market look past a reduced revenue outlook.” reported Bloomberg.

“A bellwether for the chip industry as well as an early indicator of iPhone demand, it heads into its busiest quarters grappling with waning enthusiasm for the high-powered chips used to mine digital currencies. Chief Executive Officer C. C. Wei had said TSMC’s sales will rise this year by a high single-digit percentage in U.S. dollar terms, down from an already reduced projection of about 10 percent”


MikroTik Routers Exploited in Massive Crypto-Mining Campaign
4.8.2018 securityweek
Exploit  Cryptocurrency

Attackers managed to infect tens of thousands of MikroTik network routers in Brazil with code that injects the CoinHive in-browser crypto-mining script into web traffic.

The attack emerged on July 31, when more than 70,000 MikroTik devices in the country started displaying the same behavior. With all using the same CoinHive site-key, it became apparent that a single actor was behind the attack.

No zero-day was used in this massive attack, as MikroTik, a Latvian router manufacturer, patched the targeted vulnerability back in April 2018. The issue, however, is that the vulnerable devices haven’t been updated in a timely manner.

At the moment, there are “hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” Trustwave’s Simon Kenin, the researcher who analyzed the attack, reveals.

The employed exploit provides the attacker with the ability to read files from a vulnerable MikroTik router and get unauthenticated remote admin access to the device.

As part of this attack, however, the actor didn’t run a malicious executable on the router, but leveraged the device’s functionality to inject the CoinHive script into every web page the user visited.

For that, the attacker created a custom error page with the CoinHive script in it, which resulted in the user landing on that page when encountering any kind of error page while browsing. The attack works in both directions, meaning that users who visit websites behind those infected routers are impacted as well.

Initially, users would encounter the CoinHive script on every visited page, likely because the attacker, who appears to have high understanding of how the MikroTik routers work, might have built code to inject the script in every page.

In addition to modifying the device’s settings to serve the crypto-mining error page, the attacker also created a backdoor on the compromised devices. Kenin also noticed that the script has been updated several times during his investigation.

“The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected,” the researcher notes.

Kenin also noticed that, although the attack was initially focused on Brazil, MikroTik devices in other countries started being infected as well. In fact, he eventually discovered that over 170,000 routers globally appeared to have the CoinHive site-key.

By targeting MikroTik’s vulnerable carrier-grade router devices, the attackers ensured a broad reach: impacted are not only users behind the routers, but also the visitors of any website hosted behind such a router.

“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” Kenin points out.

While the routers were exploited to deliver a crypto-mining payload, the devices coudl have been exploited for other objectives, Sean Newman, Director Product Management at Corero Network Security, sold SecurityWeek. "From a DDoS perspective, the scale of processing power available in such devices could easily be leveraged for a single attack which could extend to tens of terabits per second, or many smaller attacks if they were used as part of a DDoS for hire service," Newman said.


Global Shipping Firm Clarksons Provides Update on 2017 Breach
3.8.2018 securityweek  Incindent

Clarkson PLC (Clarksons), a global shipping services firm, this week provided an update to the breach it suffered between May and November 2017. Little further on the nature of the breach is revealed, other than the extent of the customer personal information that was stolen.

In November 2017, Clarksons revealed that a single compromised user account had allowed attackers to infiltrate their systems, exfiltrate personal data, and demand a ransom for its safe return. Clarkson's declined to pay the ransom, and for some time it was expected that the data might be revealed. "I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised," said Andi Case, CEO of Clarksons.

In its latest statement (PDF) the firm claims it was able -- with the help of law enforcement and forensic specialists -- to successfully trace and recover the stolen data. It doesn't state -- and probably could not know -- whether the stolen data had been copied before it was recovered. It is nevertheless warning those potentially affected by the incident to, "Remain vigilant against incidents of identity theft and fraud by reviewing personal account statements for suspicious activity and to detect errors."

What is most surprising in this updated information is the extent of personal information that was stored by the company and stolen by the criminals. In full, the statement says,

"While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver's license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors."

There is no mention of whether any of this data was encrypted or hashed. Identity theft, bank fraud and blackmail are the most obvious threats if such data were in the wrong hands.

"In this particular incident, what is honestly shocking is the amount of sensitive data that this single account had access to and I am sure the EU GDPR will be looking closely," comments Joseph Carson, chief security scientist at Thycotic. "If it is found that EU GDPR applies, and Clarkson PLC had failed to apply adequate security, they could be facing a huge financial penalty." Whether GDPR can be invoked will be up to the individual EU regulators. Clarksons claims the intruder had access to its systems from May 31, 2017 until November 4, 2017; which is before GDPR became active on May 25, 2018.

Rishi Bhargava, co-founder at Demisto, told SecurityWeek that Clarksons appears to have gone through the mechanics of breach notification conscientiously. "Clarksons seems to have provided updates and apprised affected individuals in a comprehensive and transparent manner," he said. "There are numerous cross-industry regulations to deal with while implementing breach notifications, and the granularity of US state-specific information shared by Clarksons is testament to that."

But he added, "The bigger question to consider is whether Clarksons needed to retain all this personal information in the first place. With GDPR introducing strict regulations for data processing, data consent, explicit need for processing, retention timelines, and deletion, organizations need to rethink their entire ‘data supply chain' if they haven't already. However transparent breach notifications are, they're still a post-breach exercise and need to be matched by operational data discipline in order to truly bring accountability to data processors."

It is possible that the tracing and recovery of the stolen data also implies knowledge of the perpetrator -- he or she may even be in custody. If this is true, it will probably be only through subsequent court documents that we discover exactly how the breach occurred. However, most security experts believe our knowledge so far points to a failure to use multi-factor authentication, and a failure to adequately manage privileged accounts.

Timur Kovalev, CTO at Untangle, told SecurityWeek, "While unfortunate, these sorts of breaches are certainly not uncommon. However, there are steps that organizations can take to mitigate their risk. Requiring multi-factor authentication for user accounts is a rational first step. Additionally, IT departments need to limit access of even properly credentialed users to only those apps and systems that are critical for that person's business use. Finally, companies can reduce the amount of customer data they are storing anywhere on networked systems; GDPR will certainly help accelerate this best practice."

Carson agrees. "The lesson to be learned from this incident is the importance in protecting accounts with privileged access to sensitive data and that those accounts should never use a password as the only security control. Similarly, a single account should never have full access to such a large amount of data -- at least without peer reviews and approval processes."

The question of whether Clarksons had a valid reason to store that amount of highly sensitive personal data remains one for the regulators.


Google Offers G Suite Alerts for State-Sponsored Attacks
3.8.2018 securityweek  Attack

Google this week announced that it can now alert G Suite admins when it believes users have been targeted by government-backed attackers.

The search company has been notifying users on what it believes might be state-sponsored attacks for over six years, and reaffirmed its commitment to continue alerting users on such incidents last year.

The Internet giant is now providing G Suite admins with the option to receive alerts whenever attacks appearing to be coming from a state-sponsored actor are targeting their users. The feature will show up in the G Suite Admin console as soon as it becomes available.

“If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method,” Google explains.

As usual, such alerts don’t necessarily imply that the account has been compromised or that the organization has been hit with a larger attack.

The new feature is turned off by default, but admins can easily enable or disable it in Admin Console > Reports > Manage Alerts > Government backed attack.

The feature also allows admins to set who is being notified when such attacks are detected (by default, super admins receive the notification via email).

Once an attack has been detected, admins can choose to secure the account suspected to have been targeted, and can also opt to alert the user on both the attack and the security measures taken.

The feature is set to gradually roll out to all G Suite editions and should be available for all admins within the next 15 days, Google said.

Companies such as Microsoft, Facebook, and Twitter are also warning users when detecting attacks believed to have been performed by a government-backed actor.


Industrial Sector targeted in surgical spear-phishing attacks
3.8.2018 securityaffairs 
Phishing

Industrial sector hit by a surgical spear-phishing campaign aimed at installing legitimate remote administration software on victims’ machines.
Attackers carried out a spear-phishing campaign against entities in the industrial sector, the messages disguised as commercial offers where used by attackers to deliver a legitimate remote administration software on victims’ systems (TeamViewer or Remote Manipulator System/Remote Utilities (RMS)).

Attackers personalized the content of each phishing email reflecting the activity of the target organization and the type of work performed by the employee to whom the email is sent.

The campaign was discovered by experts from Kaspersky Lab who speculate the attackers are financially motivated.

“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.

“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,”

Once the attackers have gained access to the victim’s system they will search for any purchase documents, as well as the financial and accounting software. Then the crooks look for various ways in which they can monetize their effort, for example, by spoofing the bank details used to make payments.

According to Kaspersky, there was a spike in the number of spear phishing messages in November 2017 that targeted up to 400 industrial companies located in Russia.

industrial sector spear-phishing

The spear-phishing campaign is still ongoing, the messages purported to be invitations to tender from large industrial companies.

The quality of the phishing messages suggests the attackers have spent a significant effort in the reconnaissance phase.

“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”

The attackers used both malicious attachments and links to external resources that are used to download the malicious code.

“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.” states the researchers.

“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”

Regarding the legitimate software used by the attackers, TeamViewer or Remote Manipulator System/Remote Utilities (RMS), for both, the attackers performed a DLL injection attack by injecting the malicious code directly into the process by substituting a malicious library for system DLL.

The malicious library includes the system file winspool.drv that is located in the system folder and is used to send documents to the printer.

The winspool.drv decrypts the attackers’ configuration files, including software settings and the password for remotely controlling the target machine.

In the case of RMS, one of the configuration files includes the email address used by the attacker to receive the information (i.e. computer name, username and the RMS machine’s internet ID) about the infected system.

When the attackers use TeamViewer software to exfiltrate system information, a file in a malicious library contains various parameters, including the password used for remotely controlling the system and a URL of the attackers’ command-and-control server.

Unlike RMS, Team Viewer also uses a built-in VPN to remotely control a computer located behind NAT.

“After launching, the malicious library checks whether an internet connection is available by executing the command “ping 1.1.1.1” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.” continues the analysis.

“Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.”

Kaspersky highlighted that the industrial sector is becoming a privileged target for crooks, they are able to make profits even using simple techniques and known malware.

The use of legitimate Remote administration software allows crooks to gain full control of compromised systems avoiding detection.

“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” Kaspersky concludes.


CVE-2018-14773 Symfony Flaw expose Drupal websites to hack
3.8.2018 securityaffairs 
Vulnerebility

A vulnerability in the Symfony HttpFoundation component tracked as CVE-2018-14773, could be exploited by attackers to take full control of the affected Drupal websites.
Maintainers at Drupal addressed the security bypass vulnerability by releasing a new version of the popular content management system, the version 8.5.6.

“The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality.” reads the advisory published by Drupal.

“If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.”

Symfony HttpFoundation component is a third-party library used in the Drupal Core, the flaw affects Drupal 8.x versions before 8.5.6.

Symfony is web application framework that is being used by a lot of projects, this means that the CVE-2018-14773 vulnerability could potentially affect a large number of web applications.

The flaw is due to the Symfony’s support for legacy and risky HTTP headers.

“Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.” reads the security advisory published by Symfony.

“The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.” reads the security advisory published Symfony.

A remote attack can trigger the flaw by using specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value.

According to the security advisory published by Symfony, the version 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 addressed the flaw.

CVE-2018-14773

The Drupal maintainers also found a similar issue affecting the Zend Feed and Diactoros libraries used in the Drupal Core. The libraries are affected by an ‘URL Rewrite vulnerability,’ anyway the Drupal team confirmed that the Drupal Core does not use the vulnerable functionality.

Administrators of websites that use Zend Feed or Diactoros directly need to patch them as soon as possible.

Drupal administrators need to patch their installs urgently before hackers will start exploiting the CVE-2018-14773 flaw.


Google introduced G Suite alerts for state-sponsored attacks
3.8.2018 securityaffairs  Attack

Google announced that has implemented an alerting system for G Suite admins when users have been targeted by state-sponsored attacks.
Google announced it will alert G Suite admins when state-sponsored hackers will target their users.

The new feature will be available in the G Suite Admin console very soon, it confirms the effort spent by the tech giant of protecting its users.

“We’re adding a feature in the Admin console that can alert admins if we believe a user’s account has been targeted by a government-backed attack. If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method.” reads the security advisory published by Google.

“It does not necessarily mean that the account has been compromised or that there was a widespread attack on an organization.”

In June 2012, for the first time, the company announced it was going to offer a specific protection service for a restrict number of users that could be the target of state-sponsored attacks.

Google is now implementing the new protection feature within the G Suite Admin console, admins will have the opportunity to receive alerts whenever attacks could be attributed to a nation-state actor.

Every time an attack will be detected, admins can choose to secure the account hit by the hackers and can also opt to alert the victim.

The alerts don’t necessarily imply that the account has been hacked or that the organization has been compromised in a massive attack.

G Suite state sponsored attacks

Google pointed out the alerts will be turned off by default, admins can choose to turn them on in the Admin Console > Reports > Manage Alerts > Government backed attack.

According to Google, the new feature is set to gradually roll out to all G Suite editions, the tech giant plans to make it available for all admins within the next 15 days.


Attacks on industrial enterprises using RMS and TeamViewer
3.8.2018 Kaspersky Attack

Main facts
Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.

The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia. The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent.

According to the data that we have collected, this series of attacks started in November 2017 and is currently in progress. Notably, the first similar attacks were recorded as far back as 2015.

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS). This enables the attackers to gain remote control of infected systems. The threat actor uses various techniques to mask the infection and the activity of malware installed in the system.

According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts. When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments.

In cases where the cybercriminals need additional data or capabilities after infecting a system, such as privilege escalation and obtaining local administrator privileges, the theft of user authentication data for financial software and services, or Windows accounts for lateral movement, the attackers download an additional pack of malware to the system, which is specifically tailored to the attack on each individual victim. The malware pack can include spyware, additional remote administration utilities that extend the attackers’ control on infected systems, malware for exploiting operating system and application software vulnerabilities, as well as the Mimikatz utility, which provides the attackers with Windows account data.

Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked. They may also use the information found in these emails to prepare new attacks – against companies that partner with the current victim.

Clearly, on top of the financial losses, these attacks result in leaks of the victim organizations’ sensitive data.

Phishing emails
In most cases, the phishing emails have finance-related content; the names of attachments also point to their connection with finance. Specifically, some of the emails purport to be invitations to tender from large industrial companies (see below).

Malicious attachments may be packed into archives. Some of the emails have no attachments – in these cases, message text is designed to lure users into following links leading to external resources and downloading malicious objects from those resources.

Below is a sample phishing email used in attacks on some organizations:

Screenshot of a phishing email

The above email was sent on behalf of a well-known industrial organization. The domain name of the server from which the message was sent was similar to the domain name of that organization’s official website. The email had an archive attached to it. The archive was protected with a password that could be found in the message body.

It is worth noting that the attackers addressed an employee of the company under attack by his or her full name (this part of the email was masked in the screenshot above for confidentiality reasons). This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.

As part of the attacks, the threat actor uses various techniques to mask the infection. In this case, Seldon 1.7 – legitimate software designed to search for tenders – is installed in infected systems in addition to malware components and a remote administration application.

To keep users from wondering why they didn’t get information on the procurement tender referred to in the phishing email, the malicious program distributes a damaged copy of Seldon 1.7 software.

Window of legitimate software Seldon 1.7

In other cases, the user is shown a partially damaged image.

Image opened by malware

There is also a known case of malware being masked as a PDF document containing a bank transfer receipt. Curiously, the receipt contains valid data. Specifically, it mentions existing companies and their valid financial details; even a car’s VIN matches its model.

Screenshot of a bank transfer receipt displayed by malware

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS).

Attacks using RMS
There are several known ways in which the malware can be installed in a system. Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.

For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.

Contents of the malware installation file

It can be seen from the commands in the screenshot above that after copying the files the script deletes its own file and launches legitimate software in the system – Seldon v.1.7 and RMS, – enabling the attackers to control the infected system without the user’s knowledge.

Depending on the malware version, files are installed in %AppData%\LocalDataNT folder %AppData%\NTLocalData folder or in %AppData%\NTLocalAppData folder.

When it launches, legitimate RMS software loads dynamic libraries (DLL) required for the program’s operation, including the system file winspool.drv, which is located in the system folder and is used to send documents to the printer. RMS loads the library insecurely, using its relative path (the vendor has been notified of this vulnerability). This enables the attackers to conduct a DLL hijacking attack: they place a malicious library in the same directory with the RMS executable file, as a result of which a malware component loads and gains control instead of the corresponding system library.

The malicious library completes malware installation. Specifically, it creates a registry value responsible for automatically running RMS at system startup. Notably, in most cases of this campaign the registry value is placed in the RunOnce key, instead of the Run key, enabling the malware to run automatically only the next time the system starts up. After that, the malware needs to create the registry value again.

It is most likely that the attackers chose this approach to mask the presence of malware in the system as well as possible. The malicious library also implements techniques for resisting analysis and detection. One such technique involves dynamically importing Windows API functions using their hashes. This way, the attackers do not have to store the names of these functions in the malicious library’s body, which helps them to conceal the program’s real functionality from most analysis tools.

Part of a malicious code fragment implementing the dynamic import of functions

The malicious dynamic library, winspool.drv, decrypts configuration files prepared by the attackers, which contain RMS software settings, the password for remotely controlling the machine and the settings needed to notify the attackers that the system has been successfully infected.

One of the configuration files contains an email address to which information about the infected system is sent, including computer name, user name, the RMS machine’s Internet ID, etc. The Internet ID sent as part of this information is generated on a legitimate server of the RMS vendor after the computer connects to it. The identifier is subsequently used to connect to the remotely controlled system located behind NAT (a similar mechanism is also used in popular instant messaging solutions).

A list of email addresses found in the configuration files discovered is provided in the indicators of compromise section.

A modified version of RC4 is used to encrypt configuration files. Configuration files from the archive mentioned above are shown below.

Decrypted contents of InternetId.rcfg file

Decrypted contents of notification.rcfg file

Decrypted contents of Options.rcfg file

Decrypted contents of Password.rcfg file

After this, the attackers can use the system’s Internet ID and password to control it without the user’s knowledge via a legitimate RMS server, using the standard RMS client.

Attacks using TeamViewer
Attacks using legitimate TeamViewer software are very similar to those using RMS software, which are described above. A distinguishing feature is that information from infected systems is sent to malware command-and-control servers, rather than the attackers’ email address.

As in the case of RMS, malicious code is injected into the TeamViewer process by substituting a malicious library for system DLL. In the case of TeamViewer, msimg32.dll is used.

This is not a unique tactic. Legitimate TeamViewer software has been used in APT and cybercriminal attacks before. The best-known group to have used this toolset is TeamSpy Crew. We believe that the attacks described in this document are not associated with TeamSpy and are the result of known malware being re-used by another cybercriminal group. Curiously, the algorithm used to encrypt the configuration file and the password for decrypting it, which were identified in the process of analyzing these attacks, are the same as those published last April in a description of similar attacks.

It is common knowledge that legitimate TeamViewer software does not hide its startup or operation from the user and, specifically, notifies the user of incoming connections. At the same time, the attackers need to gain remote control of the infected system without the user’s knowledge. To achieve this, they hook several Windows API functions.

The functions are hooked using a well-known method called splicing. As a result, when legitimate software calls one of the Windows API functions, control is passed to the malicious DLL and the legitimate software gets a spoofed response instead of one from the operating system.

Windows API function hooked by the malware

Hooking Windows API functions enables attackers to hide TeamViewer windows, protect malware files from being detected, and control TeamViewer startup parameters.

After launching, the malicious library checks whether an internet connection is available by executing the command “ping 1.1.1.1” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.

Screenshot of decrypted contents of the malware configuration file

Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.

As in the case of RMS, the relevant value is added to the RunOnce registry key to ensure that the malware runs automatically at system startup.

The malware collects data on the infected machine and sends it to the command-and-control server along with the system’s identifier needed for remote administration. The data sent includes:

Operating system version
User name
Computer name
Information on the privilege level of the user on whose behalf the malware is running
Whether or not a microphone and a webcam are present in the system
Whether or not antivirus software or other security solutions are installed, as well as the UAC level
Information about security software installed in the system is obtained using the following WQL query:

root\SecurityCenter:SELECT * FROM AntiVirusProduct

The information collected is sent to the attackers’ server using the following POST request:

POST request used to send encrypted data to the command-and-control server

Another distinguishing feature of attacks that involve the TeamViewer is the ability to send commands to an infected system and have them executed by the malware. Commands are sent from the command-and-control server using the chat built into the TeamViewer application. The chat window is also hidden by the malicious library and the log files are deleted.

A command sent to an infected system is executed in the Windows command interpreter using the following instruction:

cmd.exe /c start /b

The parameter “/b” indicates that the command sent by the attackers for execution will be run without creating a new window.

The malware also has a mechanism for self-destructing if the appropriate command is received from the attackers’ server.

The use of additional malware
In cases where attackers need additional data (authorization data, etс.), they download spyware to victim computers in order to collect logins and passwords for mailboxes, websites, SSH/FTP/Telnet clients, as well as logging keystrokes and making screenshots.

Additional software hosted on the attackers’ servers and downloaded to victims’ computers was found to include malware from the following families:

Babylon RAT
Betabot/Neurevt
AZORult stealer
Hallaj PRO Rat
In all probability, these Trojans were downloaded to compromised systems and used to collect information and steal data. In addition to remote administration, the capabilities of malware from these families include:

Logging keystrokes
Making screenshots
Collecting system information and information on installed programs and running processes
Downloading additional malicious files
Using the computer as a proxy server
Stealing passwords from popular programs and browsers
Stealing cryptocurrency wallets
Stealing Skype correspondence
Conducting DDoS attacks
Intercepting and spoofing user traffic
Sending any user files to the command-and-control server
In other cases observed, after an initial analysis of an infected system, the attackers downloaded an additional malware module to the victim’s computer – a self-extracting archive containing various malicious and legitimate programs, which were apparently individually selected for each specific system.

For example, if the malware had previously been executed on behalf of a user who did not have local administrator privileges, to evade the Windows User Account Control (UAC), the attackers used the DLL hijacking technique mentioned above, but this time on a Windows system file, %systemdir%\migwiz\migwiz.exe, and a library, cryptbase.dll.

Additionally, another remote administration utility, RemoteUtilities, which provides a more extensive feature set for controlling an infected machine than RMS or TeamViewer, has been installed in some systems. Its capabilities include:

Remotely controlling the system (RDP)
Transferring files to and from the infected system
Controlling power on the infected system
Remotely managing the processes of running application
Remote shell (command line)
Managing hardware
Capturing screenshots and screen videos
Recording sound and video from recording devices connected to the infected system
Remote management of the system registry
The attackers use a modified build of RemoteUtilities, which enables them to perform the above operations without the user’s knowledge.

In some cases, the Mimikatz utility was installed in addition to cryptbase.dll and RemoteUtilities. We believe that the attackers use Mimikatz in cases when the first system infected is not one that has software for working with financial data installed on it. In these cases, the Mimikatz utility is used to steal authentication data from the organization’s employees and gain remote access to other machines on the enterprise’s network. The use of this technique by the attackers poses a serious danger: if they succeed in obtaining the account credentials for the domain administrator’s account, this will give them control of all systems on the enterprise’s network.

Attack targets
According to KSN data, from October 2017 to June 2018, about 800 computers of employees working at industrial companies were attacked using the malware described in this paper.

Number of computers attacked by month. October 2017 – June 2018

According to our estimate, at least 400 industrial companies in Russia have been targeted by this attack, including companies in the following industries:

Manufacturing
Oil and gas
Metallurgy
Engineering
Energy
Construction
Mining
Logistics
Based on this, it can be concluded that the attackers do not concentrate on companies in any specific industry or sector. At the same time, their activity clearly demonstrates their determination to compromise specifically systems belonging to industrial companies. This choice on the part of the cybercriminals could be explained by the fact that the threat awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies). At the same time, as we have noted before, it is more common for industrial companies than for companies in other sectors to conduct operations involving large amounts of money on their accounts. This makes them an even more attractive target for cybercriminals.

Conclusions
This research demonstrates once again that even when they use simple techniques and known malware, threat actors can successfully attack many industrial companies by expertly using social engineering and masking malicious code in target systems. Criminals actively use social engineering to keep users from suspecting that their computers are infected. They also use legitimate remote administration software to evade detection by antivirus solutions.

This series of attacks targets primarily Russian organizations, but the same tactics and tools can be used in attacks against industrial companies in any country of the world.

We believe that the threat actor behind this attack is highly likely to be a criminal group whose members have a good command of Russian. This is indicated by the high level at which texts in Russian are prepared for phishing emails used in the attack, as well as the attackers’ ability to make changes to organizations’ financial data in Russian. More data about the research on the infrastructure and language used by the attackers is available in the private version of the report on the Treat Intelligence portal.

Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines.

The various malware components used in this attack are detected by Kaspersky Lab products with the following verdicts:

Trojan.BAT.Starter
Trojan.Win32.Dllhijack
Trojan.Win32.Waldek
Backdoor.Win32.RA-based
Backdoor.Win32.Agent


Student Charged in Elaborate Digital Money Theft Scheme

3.8.2018 securityweek Hacking

LOS ANGELES (AP) — A Massachusetts college student who was named his high school's valedictorian for his savvy tech skills hacked into unsuspecting investors' personal cellphones, email and social media accounts to steal at least $2 million in digital currency like Bitcoin, according to documents provided by California prosecutors Wednesday.

Joel Ortiz was taken into custody July 12 at Los Angeles International Airport ahead of a flight to Boston, according to prosecutors. The 20-year-old faces more than two dozen charges including grand theft, identity theft and computer hacking, court documents show. He's held on $1 million bail.

The Santa Clara County, California, public defender's office, which is representing Ortiz, declined comment. A number listed for his home in Boston was disconnected.

The elaborate scheme involved taking over victims' phones, allowing him to reset passwords and access online accounts containing electronic assets in the form of Bitcoin, Coinbase, Bittrex and Binance, the criminal complaint said.

In one case Ortiz allegedly walked into an AT&T store and impersonated a victim in order to get a new SIM card, which gave him control of the victim's phone. He obtained access to the victim's "financial and personal identifying information, tax returns, private passwords" and siphoned $10,000 from a cryptocurrency account, according to police report.

In several instances Ortiz allegedly impersonated victims over text messages and convinced friends and family members to "loan" him digital funds, court documents said.

At one point Ortiz allegedly stole $10,000 from a California resident, and then tried to get more, calling the victim's wife and sending a text to the victim's daughter that said "TELL YOUR DAD TO GIVE US BITCOIN," the documents said.

Court documents identify more than 20 victims who live in California, and prosecutors say they know of additional victims outside of the state.

Ortiz enrolled at the University of Massachusetts Boston and studies information technology, said school spokesman DeWayne Lehman.

Ortiz was the 2016 valedictorian of Another Course to College, a small public college preparatory school in Boston, and was honored alongside other top students across the city at a luncheon that year with Democratic Mayor Marty Walsh and other officials at a downtown hotel.

At his school, Ortiz was the lead robot software programmer on its robotics team, taught other students the basics of software coding and "led efforts to teach computer science," according to a Boston Public Schools' press release touting the students' accomplishments.

The school system said Ortiz "loves science and technology," is fluent in Spanish and speaks conversational Chinese.

Boston Public Schools spokesman Daniel O'Brien declined to comment.


Cisco to Acquire Duo Security for $2.35 Billion in Cash

3.8.2018 securityweek IT

Cisco announced on Thursday that it will pay $2.35 billion in cash to acquire cloud-based identity and access management solutions provider Duo Security.

Ann Arbor, Michigan-based Duo raised $70 million in Series D funding in October 2017, which valued the company at $1.17 billion at the time.

Through its flagship two-factor authentication (2FA) app, Duo's "Trusted Access" product suite helps verify the identity of users, and the health of their devices, before granting them access to applications. The platform supports Macs, PCs and mobile devices, and gives administrators visibility into end user devices accessing the corporate network.

Duo Security Logo“Integration of Cisco's network, device and cloud security platforms with Duo Security's zero-trust authentication and access products will enable Cisco customers to easily and securely connect users to any application on any networked device,” Cisco said.

Overall, Cisco says that by getting its hands on Duo’s technology, it will be able to extend intent-based networking into multi-cloud environments, simplify policy for cloud security, and expand endpoint visibility coverage.

The acquisition is expected to close during the first quarter of Cisco's fiscal year 2019, subject to customary closing conditions and required regulatory approvals.

Duo said previously that it has doubled its annual recurring revenue for the past four years, and currently has more than 500 employees globally, after doubling its headcount in 2016.

Duo serves more than 10,000 paying customers and said protects more than 300 million logins worldwide every month. Customers include Facebook, Etsy, Facebook, K-Swiss, Paramount Pictures, Toyota, Random House, Yelp, Zillow and more.

In addition to its Ann Arbor, Michigan headquarters, Duo currently maintains offices in Austin, Texas; San Mateo, California; and London, England.

Duo Security, which will continue to be led by Dug Song, Duo Security's co-founder and chief executive officer, will join Cisco's Networking and Security business led by EVP and GM David Goeckeler.

Cisco has acquired several emering security companies over the years. In June 2015, it announced its acquisition of OpenDNS for $635 Million. The move followed other acquisitions by Cisco in the security sector, including its acquisition of Porcullis, ThreatGRID, Neohapsis, Virtuata, and its $2.7 billion acquistionof Sourcefire in 2013. In June 2016, it agreed to pay $293 million to acquire cloud access security broker (CASB) CloudLock.


Attackers Circumvent Two Factor Authentication Protections to Hack Reddit

3.8.2018 securityweek Crypto

Popular Community Site Reddit Breached Through Continued Use of NIST-Deprecated SMS Two Factor Authentication (2FA)

Online community site Reddit announced Wednesday that it was breached in June 2018. In a refreshingly candid advisory, it provides a basic explanation of how the incident occurred, details on the extent of the breach, details on its own response, and advice to potential victims.

The extent of the breach was limited. It was discovered on June 19, and occurred between June 14 and June 18, this year. "A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords," announced Chris Slowe, CTO and founding engineer at Reddit.

With more than 330 million active monthly users, Reddit is home to thousands of online communities where users can share stories and host public discussions.

Apart from the limited extent, it was also limited in scope. "The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs." This comprises a complete copy of an old database backup including account credentials and email addresses (2005 to 2007); logs containing email digests sent between June 3 and June 17, 2018; and internal data such as source code, internal logs, configuration files and other employee workspace files.

"The disclosure of email addresses and their connected Reddit usernames," warns Jessica Ortega, a security researcher at SiteLock, "could potentially mean attackers can identify and dox users -- that is, release personally identifying information -- who rely on Reddit for discussing controversial topics or posting controversial images. It is recommended that all Reddit users update their passwords."

Reddit's response to the breach has been to report the incident to, and cooperate with, law enforcement; to contact users who may be impacted; and to strengthen its own privileged access controls with enhanced logging, more encryption and required token-based 2FA. It also advises all users to move to token-based 2FA.

This advice is because it believes the breach occurred through SMS intercept on one of its own employees. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."

This last comment has raised eyebrows. As long ago as 2016, NIST denounced SMS 2FA. "Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators," it stated in the DRAFT NIST Special Publication 800-63B.

The most common attack against SMS 2FA, explains Joseph Kucic, CSO at Cavirin, is mobile device malware designed to capture/intercept SMS messages -- a major feature for use against mobile banking apps. But, he adds, "SMS messages have had other risks: SIM swap and unauthorized access from SS7 (core telco signaling environments) -- these issues have been known and discussed in the security circles for years."

While Reddit doesn't make it clear whether the 'intercept' was via malware on an employee's mobile device or via flaws in the SS7 telecommunications protocol, the latter seems the most likely. SS7 is a telephony signaling protocol initially developed in 1975, and it has become deeply embedded in mobile telephone routing. As such it is unlikely to be corrected or replaced in the immediate future -- but the effect is that almost any mobile telephone conversation anywhere in the world can be intercepted by an advanced adversary.

The fact that SS7 attacks are not run-of-the-mill events makes Tom Kellermann, CSO at Carbon Black, wonder who might be behind the attack. "The Reddit breach seems to be more tradecraft-oriented," he told SecurityWeek. "They were victimized, but by whom: more than likely a nation-state given their capacity to influence Americans. I hope that they were not used to island hop into other victims' systems via a watering hole." According to Carbon Black research, 36% of cyberattacks attempt to leapfrog through the victims' systems into their customers' systems.

He is not alone in wondering if there may be more to this breach. "I am concerned that Reddit seems to be playing down the data breach as it was only read access to sensitive data and not write. This is positive news; however, it does not reduce the severity of the data breach when it relates to sensitive data," comments Joseph Carson, chief security scientist at Thycotic.

Of course, the attack may not have been effected via the SS7 flaws. "In this type of attack, the phone number is the weakest link," warns Tyler Moffit, senior threat research analyst at Webroot. "Cybercriminals can steal a victim's phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication. For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number. This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax."

"When Reddit started using SMS for Two Factor Authentication in 2003 it was a best practice," Joseph Kucic, CSO at Cavirin told SecurityWeek; adding, "The one fact about any security technology is that its effectiveness decreases over time for various reasons -- and one needs to take inventory of the deployed security effectiveness at least annually." He believes that security technologies, just like applications, have a product lifecycle, "and there is a point when an end-of-life should be declared before unauthorized individuals -- hackers or nation/state actors -- do it for you."

Reddit has earned plaudits for its breach notification as well as criticism for its continued use of SMS 2FA. "The level of detail Reddit provides," said Chris Morales, head of security analytics at Vectra, "is more than many larger organizations have provided on much more significant breaches. These details are based on an investigation and explain what happened during the breach -- how the attackers infiltrated the network and what exactly they gained access to -- and most importantly disclosed Reddit's internal processes to address the breach, including the hiring of new and expanded security staff."

Ilia Kolochenko, CEO at High-Tech Bridge, makes the point that despite Reddit's apparent openness, we still don't know everything about the breach. "Often, large-scale attacks are conducted in parallel by several interconnected cybercrime groups aimed to distract, confuse and scare security teams," he comments. "While attack vectors of the first group are being mitigated, others are actively exploited, often not without success. Otherwise, the disclosure and its timeline are done quite well done by Reddit."

He also cautions against placing too much blame on Reddit's use of SMS 2FA. "I would refrain from blaming the 2FA SMS -- in many cases it's still better than nothing. Moreover, when most of business-critical applications have serious vulnerabilities varying from injections to RCE, 2FA hardening is definitely not the most important task to take care of."

Nevertheless, the consensus is that Reddit should be applauded for its disclosure, but censured for its use of SMS 2FA. "Reddit won't be the last organization to be breached via SMS authentication in the future," comments Sean Sullivan, security advisor at F-Secure. "At this point, the use of SMS-based MFA for administrators should be considered negligent."


Phishing Campaign Targets 400 Industrial Organizations

3.8.2018 securityweek Phishing

A new wave of spear-phishing emails masquerading as legitimate procurement and accounting letters have hit over 400 industrial organizations, according to Kaspersky Lab.

Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which include oil and gas to metallurgy, energy, construction and logistics.

The spear-phishing emails, Kaspersky’s security researchers discovered, are tailored with “content that corresponded to the profile of the attacked organizations and took into account the identity of the employee – the recipient of the letter.”

“This suggests that the attacks were carefully prepared and that criminals took the time to develop an individual letter for each user,” the researchers say.

The emails either contain malicious attachments designed to silently install modified legitimate software onto the victim’s machine, such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS), or try to trick victims into following external links and downloading malicious objects from there.

Analysis of the attacks has revealed the use of various techniques to mask the presence of malware on the system. Incidents involving RMS software relied on exfiltrating data over email, while those abusing legitimate TeamViewer software sent the data directly to a command and control (C&C) server.

The main goals of these attacks is to steal money from the victim organizations’ accounts. After gaining access to a victim’s system and gathering required information by accessing documents and financial and accounting software, the attackers would engage in various financial fraud operations, such as spoofing the bank details used to make payments.

When needed, the attackers would also upload additional malware onto the compromised machines, specifically crafted for each attack. They have been using spyware, remote administration tools to expand their control over the infected systems, Mimikatz, and malware to exploit different vulnerabilities in the operating system.

Some of the malicious programs found on compromised machines includes the Babylon RAT, Betabot/Neurevt, AZORult stealer, Hallaj PRO Rat families. These allowed attackers to log keystrokes, take screenshots, collect system information, download additional malware, steal passwords and crypto-currency wallets, intercept traffic, and conduct distributed denial of service (DDoS) attacks.

In some attacks, the remote administration tool called RemoteUtilities was used to remotely control the infected system, transfer files, manage running applications, manage hardware, remote shell, capture screenshots and screen videos, and record audio and video.

While the attacks did not appear to concentrate on companies in a specific industry or sector, the actors did focus on compromising systems belonging to industrial companies. Furthermore, most of the organizations that were hit are located in Russia, Kaspersky said.

“The attackers demonstrated a clear interest in targeting industrial companies in Russia. Based on our experiences, this is likely to be due to the fact that their level of cybersecurity awareness is not as high as it is in other markets, such as financial services. That makes industrial companies a lucrative target for cybercriminals – not only in Russia, but across the world,” Vyacheslav Kopeytsev, security expert, Kaspersky Lab, said.


Iran-Linked Actor Targets U.S. Electric Utility Firms
3.8.2018 securityweek CyberSpy

Likely operating out of Iran, the Leafminer cyber-espionage group has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.

The group was previously said to have been targeting government and other types of organizations in the Middle East since at least early 2017, but it appears that its target list is much broader.

Dragos, which calls the actor RASPITE, says the entity has been targeting industrial control systems in numerous countries, including access operations in the electric utility sector in the United States.

Initial access to target networks is obtained through strategic website compromise (also known as watering hole attacks), the security firm says. Similar to DYMALLOY and ALLANITE threat actors, the group embeds a link to a resource to prompt an SMB connection to harvests Windows credentials.

Next, the actor deploys scripts to install a malicious service that connect to the RASPITE-controlled infrastructure and provide remotely access the victim machine.

Although it did focus on ICS-operating entities, RASPITE has yet to demonstrated an ICS-specific capability. At the moment, there is no indication that the actor can launch destructive ICS attacks such as the widespread blackouts that hit Ukraine.

In a report on the group last week, Symantec revealed that both custom-built malware and publicly-available tools were leveraged in observed campaigns, including a modified version of Mimikatz. Some of the tools were linked to other groups apparently tied to Iran, Symantec said, noting that the actor appears to be inspired by the Russia-linked Dragonfly group.

“Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” Sergio Caltagirone, Director of Threat Intelligence, Dragos, said.

“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups,” Caltagirone continued.


Hundreds of thousands MikroTik Routers involved in massive Coinhive cryptomining campaign
3.8.2018 securityaffairs Cryptocurrency

Experts uncovered a massive cryptojacking campaign that is targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.
Security experts have uncovered a massive cryptojacking campaign that is targeting MikroTik routers, the hackers aim to change the configuration of the devices to inject a Coinhive cryptocurrency mining script in the users’ web traffic.

The campaign was first spotted by the researcher who goes online with the Twitter handle MalwareHunterBR.

MalwareHunterBR
@MalwareHunterBR
another mass exploitation against @mikrotik_com devices (https://github.com/mrmtwoj/0day-mikrotik …)
hxxp://170.79.26.28/
CoinHive.Anonymous('hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3', #coinhive

1:31 PM - Jul 30, 2018
45
38 people are talking about this
Twitter Ads info and privacy
According to Catalin Cimpanu from Bleeping Computer, the campaign first started in Brazil, but it is rapidly expanding to other countries targeting MikroTik routers all over the world.

The same campaign was monitored by the experts at Trustwave that confirmed that campaign initially targeted MikroTik routers used by Brazilians.

“On July 31st , just after getting back to the office from my talk at RSA Asia 2018 about how cyber criminals use cryptocurrencies for their malicious activities, I noticed a huge surge of CoinHive in Brazil.” reads the report published by Trustwave.

“After a quick look I saw that this is not your average garden variety website compromise, but that these were all MikroTik network devices.”

The experts noticed that the compromised devices were all using the same CoinHive sitekey, most of them in Brazil, this means that they were targeted by the same attackers.

MikroTik routers compromised

According to Trustwave the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library in the traffic passing through the MikroTik router.

“Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.” continues the analysis.

The vulnerability was discovered in April and patched by the vendor in just one day.

Technical details for the MikroTik flaw were publicly disclosed in May, public proof-of-concept (PoC) codes for the issue were published on GitHub.
Trustwave pointed out that many users that weren’t using the MikroTik routers were affected too because Internet providers and big organizations leverage MikroTik routers compromised by hackers.

The experts noticed that the threat actors once discovered to have been spotted by the experts switched tactics and injected the Coinhive script only in error pages returned by the routers.

After the initial phase, the campaign was targeting devices outside Brazil, and it has been estimated that roughly 170,000 MikroTik routers were compromised to inject the Coinhive script. The campaign can potentially compromise over a million of MikroTik routers exposed on the Internet.

“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices,” concludes the experts.

“Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”


Analyzing the Telegram-based Android remote access trojan HeroRAT
3.8.2018 securityaffairs Android

Researchers at CSE Cybsec ZLab analyzed shared published their analysis of the Telegram-based Android RAT tracked as HeroRAT.
In June, researchers from security firm ESET discovered a new family of Android Remote Administration Tool (RAT), dubbed HeroRAT, that leverages the Telegram BOT API to communicate with the attacker.

The use of Telegram API can be considered a new trend in Android RAT landscape, because other RAT families implementing the same functionalities, such as TeleRAT and IRRAT, were discovered in the wild before HeroRAT.

HeroRAT appeared very active in Iran where it was spreading through third-party app stores, through tainted social media and messaging apps.

ESET experts speculate that the HeroRAT borrows the source code of a malware appeared in the hacking community in March 2018, however, it has some characteristics that distinguish it different from IRRAT and TeleRAT. One of these features is the usage of the Xamarin Framework and TeleSharp Library for the development of the RAT.

HeroRAT is offered for sale on a dedicated Telegram channel, the author offers three different variants depending on its functionalities: bronze (25 USD), silver (50 USD) and gold panels (100 USD). The malware author also released a demo video in which explains the RAT functionalities; below we have a screenshot from this demo video, showing the differences between the three variants.

Figure 1 – Differences between the RAT variants

Further details on the RAT analyzed by CSE Cybsec, including the IoCs and Yara Rules are available in the report published by researchers at ZLAb.


Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards
3.8.2018 securityweek  CyberCrime

Three members of the cybercrime group tracked as FIN7 and Carbanak have been indicted and charged with 26 felony counts
Three members of the notorious cybercrime gang known as FIN7 and Carbanak have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The gang stole over a billion euros from banks across the world, the name “Carbanak” comes with the name of the malware they used to compromise computers at banks and other financial institutions. The three suspects (Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30) are Ukrainians, they were arrested last year in Europe between January and June.

Fedorov, is a skilled hacker and, who is suspected to be a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently waiting for his extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany, he is currently detained in Seattle pending trial. Hladyr is suspected to be a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain. The man is suspected to be a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.

According to DoJ, the suspects stole more than 15 million credit cards from over 6,500 individual point-of-sale terminals at 3,600 business locations in 47.

“Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced Assistant Attorney General Brian A.” reads the press release published by the DoJ.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. “

FIN7

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski. “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”
The trio has been accused of targeting hundreds of companies in the United States, and U.S. individuals. The list of victims is long and includes Chipotle Mexican Grill, Jason’s Deli, Sonic Drive-in, and Arby’s.

According to the European authorities, FIN7 developed sophisticated banking trojan tracked as Cobalt, based on the Cobalt Strike penetration testing tool, that was spread through spear-phishing campaigns aimed at employees at different banks.

Once infected the victims’ PC with Carbanak malware, the hackers attempted to identify key people authorized to transfer money from the banks in order to make transactions to fake accounts or ATMs under the control of the gang.

The three men could face many years in prison if convicted.


Alleged Iran-linked APT group RASPITE targets US electric utilities
3.8.2018 securityaffairs APT

According to Dragos firm, the RASPITE cyber-espionage group (aka Leafminer) has been targeting organizations in the United States, Europe, Middle East, and East Asia.
Researchers from security firm Dragos reported that a group operating out of Iran tracked as RASPITE has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.

The group has been active at least since 2017, researchers uncovered operations aimed at government and other types of organizations in the Middle East.

“Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE.” read a blog post published by Dragos.

“Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time.”

Last week, experts from Symantec who tracked the group as Leafminer published a detailed report on the activity of the cyber espionage team who leveraged both custom-built malware and publicly-available tools in observed campaigns.

According to Symantec, the extent of the campaigns conducted by the group could be wider, the researchers uncovered a list, written in Iran’s Farsi language, of 809 targets whose systems were scanned by the attackers.

The list groups each entry with organization of interest by geography and industry, in includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Now researchers from Dragos confirmed that the RASPITE is behind attacks that has been targeting industrial control systems in several states.

According to the experts, the hackers also accessed operations in the electric utility sector in the United States.

The hackers carry on watering hole attacks leveraging compromised websites providing content of interest for the potential victims.

RASPITE attacks appear similar to the ones conducted by other threat actors like DYMALLOY and ALLANITE, the hackers injected in the websites links to a resource to prompt an SMB connection with the intent to gather Windows credentials.

Then, the attackers deploy scripts to install a malware that connects to C&C ad give then attacker the control of the compromised machine.

RASPITE attacks

According to Dragos, even if RASPITE has mainly focused on ICS systems, at the time there is no news about destructive attacks on such kind of devices.

“RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date.” continues Dragos.

“This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.”

Sergio Caltagirone, Director of Threat Intelligence, Dragos, explained that his firm provided only limited information on the activity of the group to avoid “proliferation of ideas or tradecraft to other activity groups.”


A mining multitool

2.8.2018 Kaspersky  Cryptocurrency
Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.

Technical description and propagation method
PowerGhost is an obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the miner’s operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit.

Fragment of the obfuscated script

The add-on modules encoded in base64

The malicious program uses lots of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies. The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive.

What the script does after that can be broken down into several stages:

Automatic self-update. PowerGhost checks if a new version is available on the C&C. If there is, it downloads the new version and launches it instead of itself.

Propagation.With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.
PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (MS17-010, CVE-2017-0144).
Escalation of privileges. As the miner spreads via mimikatz and WMI, it may end up on a new machine with user rights. It will then attempt to escalate its privileges in the system with the 32- or 64-bit exploits for MS16-032, MS15-051 and CVE-2018-8120.
Establishing a foothold in the system. PowerGhost saves all the modules as properties of a WMI class. The miner’s body is saved in the form of a one-line PowerShell script in a WMI subscription that activates every 90 minutes.

Payload.Lastly, the script launches the miner by loading a PE file via reflective PE injection.
In one PowerGhost version, we detected a tool for conducting DDoS attacks. The malware writers obviously decided to make some extra money by offering DDoS services.

PowerShell function with the tell-tale name RunDDOS

It’s worth pointing out that this is the only one of the miner’s functions that copies files to the hard drive. This is quite possibly a test tool that will later be replaced with a fileless implementation. Also supporting the assertion that this function was added to this version as an afterthought is the peculiar way the DDoS module is launched: the script downloads two PE modules, logos.png and cohernece.txt. The former is saved to the hard drive as java-log-9527.log and is an executable file for conducting DDoS attacks. The file cohernece.txt is protected with the software protection tool Themida, complete with a check for execution in a virtual environment. If the check does not detect a sandbox, then cohernece.txt launches the file java-log-9527.log for execution. In this curious way, the ready DDoS module was supplemented with a function to check for execution in a virtual environment.

Fragment of disassembled code of the file cohernece.txt

Statistics and geography
Corporate users bore the brunt of the attack: it’s easier for PowerGhost to spread within a company’s local area network.

Geography of infections by the miner

PowerGhost is encountered most often in India, Brazil, Columbia and Turkey.

Kaspersky Lab’s products detect the miner and/or its components with the following verdicts:

PDM:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic
HEUR:Trojan.Win32.Generic
not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
E-wallets at nanopool.org and minexmr.com:

43QbHsAj4kHY5WdWr75qxXHarxTNQDk2ABoiXM6yFaVPW6TyUJehRoBVUfEhKPNP4n3JFu2H3PNU2Sg3ZMK85tPXMzTbHkb
49kWWHdZd5NFHXveGPPAnX8irX7grcNLHN2anNKhBAinVFLd26n8gX2EisdakRV6h1HkXaa1YJ7iz3AHtJNK5MD93z6tV9H

Indicators of compromise
C&C hostnames:
update.7h4uk[.]com
185.128.43.62
info.7h4uk[.]com
MD5:
AEEB46A88C9A37FA54CA2B64AE17F248
4FE2DE6FBB278E56C23E90432F21F6C8
71404815F6A0171A29DE46846E78A079
81E214A4120A4017809F5E7713B7EAC8


Darknet Market Spokesman Gets Nearly 4 Years in Prison
2.8.2018 securityweek Crime

ATLANTA (AP) — A man who promoted an international criminal online marketplace and assisted people using it for illicit transactions was sentenced Tuesday in Atlanta to serve nearly four years in federal prison.

Ronald L. Wheeler III of Streamwood, Illinois, worked for about two years as a public relations specialist for AlphaBay, which authorities have said was the world's leading "darknet" marketplace when an international law enforcement effort shut it down in July 2017.

Wheeler pleaded guilty in March to a charge of conspiracy to commit access device fraud. Prosecutors said he worked with others to steal personal information — including passwords, email addresses and bank account numbers — to obtain money, goods and services.

U.S. District Judge Leigh May sentenced Wheeler, 25, to spend three years and 10 months in prison, followed by three years of supervised release. As part of a plea deal reached with prosecutors, Wheeler also agreed to forfeit $27,562 in cash found in his home and 13.97 bitcoins, which are currently worth a total of more than $100,000.

Wheeler apologized to the judge and told her he has worked hard since he was caught to get himself on the right path — getting a legitimate job, paying taxes and kicking a drug addiction.

"As I move forward, I hope to be able to do right by this country and the world," he said.

May said Wheeler's crime was extremely serious, but she imposed the relatively light sentence agreed to by the two sides in part because of the effort he'd made.

"You're doing what you need to do to show me you've learned from this," she said.

Known online as Trappy and Trappy_Pandora, Wheeler began working for AlphaBay in May 2015. His duties included moderating the AlphaBay forum on Reddit and posting information about AlphaBay in other Reddit forums, mediating sales disputes among the marketplace's users, providing nontechnical assistance to users and promoting AlphaBay online, prosecutors have said.

Wheeler's lawyer, Phillip Turner, described his client as a "very misguided young man who came from a situation where he lacked self-esteem and got on the wrong path." Having a title bestowed upon him by AlphaBay made him feel important and gave him a sense of belonging, Turner said in court.

Prosecutor Samir Kaushal told the judge Wheeler was completely aware he was involved in illegal activity and encouraged lawlessness in others. Given the scope of the illegal activity enabled by AlphaBay — including the sale of personal financial information and dangerous drugs — Wheeler could have been charged with much more serious crimes that would have carried a much heftier sentence.

"This is a very good outcome for him," Kaushal said.

The only reason prosecutors recommended a lower sentence is because when he was caught, he immediately admitted his guilt and began cooperating with the government, Kaushal said.

Wheeler was paid a salary in bitcoin, a digital currency, by Alexandre Cazes, the 25-year-old Canadian owner of AlphaBay who was known online as Alpha02 and Admin, according to a court filing.

AlphaBay used Tor, a network of thousands of computers run by volunteers, to hide its tracks. With Tor, traffic gets relayed through multiple computers, with identifying information stripped at each stop so no single computer knows the full chain.

The court filing says Wheeler's work with AlphaBay ended July 3, 2017. Two days later, Cazes was arrested in Thailand with DEA and FBI assistance, resulting in AlphaBay going offline. Cazes died in Thai police custody on July 12, 2017. The country's narcotics police chief told reporters at the time that Cazes hanged himself in jail just before a scheduled court hearing.

The police agency Europol estimates AlphaBay had done $1 billion in business since its 2014 creation. Cazes had amassed a $23 million fortune as the site's creator and administrator, according to court records.


Dixons Carphone Breach: Much Larger Than First Thought
2.8.2018 securityweek Incindent

A data breach at Dixons Carphone that was made public last month resulted in 10 million records being accessed by unknown actors, the consumer UK electronics retailer announced Tuesday.

The company initially said that only 1.2 million records containing personal data of its customers, such as name, address or email address, were accessed during the intrusion. They also claimed that the accessed data did not include financial information.

In an update released this week (PDF), the company revealed that hackers were able to access approximately 10 million records containing personal data. The incident happened last year, but no specific details on when or how the intrusion took place were provided.

Although it initially said that the attackers were attempting to access 5.9 million cards and that 105,000 non-EU issued payment cards were indeed compromised, the company now says that the impacted records did not contain payment card details.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” Dixons Carphone said.

The company also announced that it has decided to inform all of its customers of the data breach. The retailer claims that this is only a precaution and that it only apologizes to customers, while advising them of available protective steps they could take to minimize the risk of fraud.

“As we indicated previously, we have taken action to close off this access and have no evidence it is continuing,” the company said.


Yale University Discloses Decade-Old Data Breach
2.8.2018 securityweek Incindent

"Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred."

Yale University revealed that hackers accessed one of its databases between 2008 and 2009 and accessed the personal information of 119,000 people.

The intrusion happened between April 2008 and January 2009 and apparently affected a single database stored on a Yale server. The data breach was discovered on June 16, 2018, during a security review. The attackers extracted names, Social Security numbers, and, in almost all cases, dates of birth. In many cases, Yale email addresses were also extracted, and in some cases the physical addresses of individuals associated with the university were compromised as well.

According to Yale, no financial information was stored in the database and almost all people impacted by the breach were affiliated with the university.

“In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time,” the university says.

Last week, Yale sent notices of the data breach to impacted members of the Yale community, including alumni/ae, faculty members, and staff members. The university says notices were sent to nearly 97% of the individuals affected, but that it has yet to acquire a verified current address for the remaining 3%.

In a letter (PDF) to the State of New Hampshire Attorney General, Yale also revealed that the same server was hacked a second time between March 2016 and June 2018. The intrusion resulted in the compromise of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale claims that there is no indication that the compromised information has been misused. However, it decided to offer identity monitoring services at no cost, to help users guard against identity theft.

Because the intrusion occurred a decade ago, there is no information on how the attackers hacked the server. Yale also says that “it is not feasible to determine the identities of the perpetrators.”


Trump Criticized for Not Leading Effort to Secure Elections
2.8.2018 securityweek BigBrothers

WASHINGTON (AP) — As alarms blare about Russian interference in U.S. elections, the Trump administration is facing criticism that it has no clear national strategy to protect the country during the upcoming midterms and beyond.

Both Republicans and Democrats have criticized the administration's response as fragmented, without enough coordination across federal agencies. And with the midterms just three months away, critics are calling on President Donald Trump to take a stronger stand on an issue critical to American democracy.

"There's clearly not enough leadership from the top. This is a moment to move," said Maryland Sen. Chris Van Hollen, head of the Democratic Senatorial Campaign Committee. "I don't think they are doing nearly enough."

Various government agencies have been at work to ensure safe voting. The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression.

But Trump himself rarely talks about the issue. And in the nearly two years since Russians were found to have hacked into U.S. election systems and manipulated social media to influence public opinion, the White House has held two meetings on election security.

One was last week. It ran 30 minutes.

The meeting resulted in no new presidential directive to coordinate the federal effort to secure the election, said Suzanne Spaulding, former undersecretary of homeland security who was responsible for cyber security and protecting critical infrastructure.

"Trump's failure to take a leadership role on this, up until this (National Security Council) meeting, misses an opportunity to send a clear message to states that this is a very serious threat," Spaulding said. "We did not get out of this NSC meeting a comprehensive, interagency strategy. It was each department and agency working in their silos."

Garrett Marquis, a spokesman for the NSC, said the government response is robust. He said NSC staff "leads the regular and continuous coordination of the whole-of-government approach to addressing foreign malign influence and ensuring election security."

At a cybersecurity summit on Tuesday, Vice President Mike Pence said he was confident officials could prevent further meddling by foreign agents.

"We will repel any efforts to interfere in our elections," he said.

Republican Sen. Lindsey Graham of South Carolina said government agencies are "doing a lot of good work, but nobody knows about it." He lamented Trump's contradictory statements about whether he accepts the U.S. intelligence assessment that Russia meddled in the 2016 presidential election.

"What I think he needs to do is lead this nation to make sure the 2018 election is protected," Graham said recently on CBS' "Face the Nation." ''He needs to be the leader of the movement — not brought to the dance reluctantly. So, I hope he will direct his government, working with Congress, to harden the 2018 election before it's too late."

The debate over safeguarding U.S. elections comes as evidence of cyber threats piles up. Facebook announced Tuesday that it has uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms.

The company said it removed 32 accounts from Facebook and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts.

Earlier this month, Microsoft said it discovered that a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said Monday that additional analysis has confirmed that the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., has said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017.

Sen. Jeanne Shaheen, D-N.H., who is not running for re-election, told The Associated Press on Monday that someone contacted her office "claiming to be an official from a country."

A frequent critic of Russia, Shaheen said she didn't know if Moscow was behind the email received in November but had turned the matter over to the FBI.

Shaheen said another senator had been targeted besides McCaskill. "It's my understanding that there is, but I don't want to speak for other senators," she said. When asked if it was a Democratic senator, Shaheen nodded yes.

"People on both sides of the aisle have been beating the drum for two years now about the need for somebody to be accountable for cybersecurity across the government," Shaheen said.

National Intelligence Director Dan Coats said U.S. intelligence officials continue to see activity from individuals affiliated with the Internet Research Agency, whose members were indicted by U.S. special counsel Robert Mueller. Coats said they create new social media accounts disguised as those of Americans, then use the fake accounts to drive attention to divisive issues in America.

In the Obama administration, synchronizing federal agencies' work on election security would have likely been the job of the White House cybersecurity coordinator. Trump's national security adviser, John Bolton, abolished the post in May to remove a layer of bureaucracy from the NSC flow chart.

Under the current structure, the point man for election security is Rear Adm. Douglas Fears. Trump tapped Fears in early June as his deputy assistant to the president and homeland security and counterterrorism adviser.

Fears oversees the election security and other portfolios of the NSC's Cybersecurity Directorate and coordinates the federal government's response to disasters.

Homeland Security Secretary Kirstjen Nielsen says cyber threats are "an urgent, evolving crisis."

"Our adversaries' capabilities online are outpacing our stove-piped defenses," Nielsen said Tuesday. "In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us. This is a major sea change for my department and for our country's security."


FireEye MalwareGuard Uses Machine Learning to Detect Malware
2.8.2018 securityweek
Virus

FireEye on Tuesday announced the launch of MalwareGuard, an engine that leverages machine learning (ML) to detect malware and prevent it from executing.

MalwareGuard has been added to FireEye’s Endpoint Security product and the firm will also be deploying the new engine to its Network Security and Email Security solutions.

The engine is designed to predict whether a Windows executable file is malicious, prior to its execution. MalwareGuard should be able to detect both known malware and zero-day threats, FireEye said.

MalwareGuard is based on two years of research conducted by the company, which included assembling a dataset of more than 300 million samples and using it to train the engine. During its internal evaluation, which involved testing in real-world incident response cases, FireEye made predictions on over 20 million executable files.

“During the internal evaluation period, we also developed the infrastructure to support long-term tracking and maintenance for MalwareGuard,” FireEye said in a blog post. “Our goal was and is to have real-time visibility into the model’s performance, with the expectation that model retraining could be done on demand when performance dips below a threshold. To meet this objective, we developed data pipelines for each phase of the ML process, which makes the system fully automatable.”

The company’s blog post includes details on the goals, development, and testing of MalwareGuard.

In addition to MalwareGuard, FireEye informed customers that its Endpoint Security solution now includes new features designed to provide improved management capabilities and enable organizations to rapidly respond to important alerts.

MalwareGuard and the other new features have been added to the latest version of FireEye Endpoint Security, specifically version 4.5.


Leaked Chats Show Alleged Russian Spy Seeking Hacking Tools
2.8.2018 securityweek BigBrothers

MOSCOW (AP) — Six years ago, a Russian-speaking cybersecurity researcher received an unsolicited email from Kate S. Milton.

Milton claimed to work for the Moscow-based anti-virus firm Kaspersky. In an exchange that began in halting English and quickly switched to Russian, Milton said she was impressed by the researcher's work on exploits — the digital lock picks used by hackers to break into vulnerable systems — and wanted to be copied in on any new ones that the researcher came across.

"You almost always have all the top-end exploits," Milton said, after complimenting the researcher about a post to her website, where she often dissected malicious software.

"So that our contact isn't one-sided, I'd offer you my help analyzing malicious viruses, and as I get new samples I'll share," Milton continued. "What do you think?"

The researcher — who works as a security engineer and runs the malware-sharing site on the side — always had a pretty good idea that Milton wasn't who she said she was. Last month, she got confirmation via an FBI indictment.

The indictment, made public on July 13, lifted the lid on the Russian hacking operation that targeted the 2016 U.S. presidential election. It identified "Kate S. Milton" as an alias for military intelligence officer Ivan Yermakov, one of 12 Russian spies accused of breaking into the Democratic National Committee and publishing its emails in an attempt to influence the 2016 election.

The researcher, who gave her exchanges with Milton to The Associated Press on condition of anonymity, said she wasn't pleased to learn she had been corresponding with an alleged Russian spy. But she wasn't particularly surprised either.

"This area of research is a magnet for suspicious people," she said.

The researcher and Milton engaged in a handful of conversations between April 2011 and March 2012. But even their sparse exchanges, along with a few digital breadcrumbs left behind by Yermakov and his colleagues, offer insight into the men behind the keyboards at Russia's Main Intelligence Directorate, or GRU.

It isn't unusual for messages like Milton's to come in out of the blue, especially in the relatively small world of independent malware analysts.

"There was nothing particularly unusual in her approach," the researcher said. "I had very similar interactions with amateur and professional researchers from different countries."

The pair corresponded for a while. Milton shared a piece of malicious code at one point and sent over a hacking-related YouTube video at another, but contact fizzled out after a few months.

Then, the following year, Milton got back in touch.

"It's been all work, work, work," Milton said by way of apology, before quickly getting to the point. She needed new lock picks.

"I know that you can help," she wrote. "I'm working on a new project and I really need contacts that can provide information or have contacts with people who have new exploits. I am willing to pay for them."

In particular, Milton said she wanted information on a recently disclosed vulnerability codenamed CVE-2012-0002 - a critical Microsoft flaw that could allow hackers to remotely compromise some Windows computers. Milton had heard that someone had already cobbled together a working exploit.

"I'd like to get it," she said.

The researcher demurred. The trade in exploits — for use by spies, cops, surveillance companies or criminals — can be a seedy one.

"I usually steer clear from any wannabe buyers and sellers," she told the AP.

She politely declined - and never heard from Milton again.

Milton's Twitter account — whose profile photo features "Lost" star Evangeline Lilly — is long dormant. The last few messages carry urgent, awkwardly worded appeals for exploits or tips about vulnerabilities.

"Help me find detailed description CVE-2011-0978," one message reads, referring to a bug in PHP, a coding language often used for websites. "Need a work exploit," the message continues, ending with a smiley face.

It isn't clear whether Yermakov was working for the GRU when he first masqueraded as Kate S. Milton. Milton's Twitter silence — starting in 2011 — and the reference to a "new project" in 2012 might hint at a new job.

In any case, Yermakov wasn't working for the anti-virus firm Kaspersky — not then and not ever, the company said in a statement.

"We don't know why he allegedly presented himself as an employee," the statement said.

Messages sent by the AP to Kate S. Milton's Gmail account were not returned.

The exchanges between Milton (Yermakov) and the researcher could be read in different ways.

They might show that the GRU was trying to cultivate people in the information security community with an eye toward getting the latest exploits as soon as possible, said Cosimo Mortola, a threat intelligence analyst at the cybersecurity company FireEye.

It's also possible that Yermakov might have initially worked as an independent hacker, hustling for spy tools before being hired by Russian military intelligence — a theory that makes sense to defense and foreign policy analyst Pavel Felgenhauer.

"For cyber, you have to hire boys that understand computers and everything the old spies at the GRU don't understand," Felgenhauer said. "You find a good hacker, you recruit him and give him some training and a rank — a lieutenant or something — and then he will do the same stuff."

The leak of Milton's conversations shows how the glare of publicity is revealing elements of the hackers' methods — and perhaps even hints about their private lives.

It's possible, for example, that Yermakov and many of his colleagues commute to work through the arched entrance to Komsomolsky 22, a military base in the heart of Moscow that serves as home to the alleged hacker's Unit 26165. Photos shot from inside show it's a well-kept facility, with a czarist-era facade, manicured lawns, flower beds and shady trees in a central courtyard.

The AP and others have tried to trace the men's digital lives, finding references to some of those indicted by the FBI in academic papers on computing and mathematics, on Russian cybersecurity conference attendee lists or — in the case of Cpt. Nikolay Kozachek, nicknamed "kazak" — written into the malicious code created by Fancy Bear, the nickname long applied to the hacking squad before their identities were allegedly revealed by the FBI.

One of Kozachek's other nicknames also appears on a website that allowed users to mine tokens for new weapons to use in the first-person shooter videogame "Counter Strike: Global Offensive" — providing a flavor of the hackers' extracurricular interests.

The AP has also uncovered several social media profiles tied to another of Yermakov's indicted colleagues — Lt. Aleksey Lukashev, allegedly the man behind the successful phishing of the email account belonging to Hillary Clinton's campaign chairman, John Podesta.

Lukashev operated a Twitter account under the alias "Den Katenberg," according to an analysis of the indictment as well as data supplied by the cybersecurity firm Secureworks and Twitter's "Find My Friends" feature.

A tipster using the Russian facial recognition search engine FindFace recently pointed the AP to a VKontatke account that, while using a different name, appears active and features photos of the same young, Slavic-looking man.

Many of his posts and his friends appear to originate from a district outside Moscow known as Voskresensky. The photos show him cross-country skiing at night, wading in emerald waters somewhere warm and visiting Yaroslavl, an ancient city northwest of Moscow. One video appeared to show Russia's 2017 Spasskaya Tower Festival, a military music festival popular with officers.

The AP could not establish with certainty that the man on the VKontatke account is Lukashev. Several people listed as friends either declined to comment when approached by the AP or said Lukashev's name was unknown to them.

Shortly thereafter, the profile's owner locked down his account, making his vacation snaps invisible to outsiders.

The exchanges between the cybersecurity researcher and Kate S. Milton are available here.


The Disconnect Between Understanding Email Threats and Preventing Them
2.8.2018 securityweek
Spam

Email continues to be the starting point for the majority of all security breaches. The 2018 Verizon Data Breaches Investigation Report (DBIR) says that email is the attack vector in 96% of breaches. But a new study suggests that despite these figures, companies are not allocating sufficient resources to reduce email risk.

The study (PDF) was conducted the Ponemon Institute for Valimail, an email security automation firm. Ponemon surveyed 650 IT and IT security professionals who have a role in securing email applications and/or protecting end-users from email threats. It found, according to Ponemon, a "disconnect between concerns about email threats and fraud and the lack of action taken by companies represented in this study."

Findings suggest that 80% of respondents are very concerned about their ability to counter the email threat, but only 29% are taking significant steps to counter the threat. The greatest concerns are that hackers might spoof their email domain "to hurt the deliverability of legitimate emails" (82%); the overall state of their current email security (80%); and that they could be hacked or infiltrated via a phishing email (69%).

The threat from email phishing, spoofing and impersonation attacks is understood and acknowledged. Seventy-four percent of respondents are concerned about phishing emails directed at employees or executives; 67% about email as a source of fraud against the company (such as BEC attacks); 66% about email as a vector for infiltrating malware and/or exfiltrating data; and 65% about hackers impersonating the company in phishing attacks against others -- that is, other firms and non-employees.

The disconnect comes from the company response to the concerns held by their own professionals. Only 29% of the respondents believe their firm is taking significant steps to prevent phishing attacks and email impersonation, while 21% say they are taking 'no steps' -- despite the DBIR's evidence that email is the source of almost all data breaches.

Only 41% of the respondents say their organization has created a security infrastructure or plan for email -- but of these, almost half say there is no schedule for reviewing its effectiveness (39%), or are unsure of any review schedule (10%). Only 11% of respondents said their organization reviews the effectiveness of its email security plan quarterly.

Part of the problem may be down to the traditional relationship between OT and IT. While email is firmly a part of information technology rather than operational technology, nevertheless it has an operational business function. As such, operational ease and continuity might be receiving a higher priority than security. This is possibly supported by managerial responsibility.

Asked, 'Who within the organization is primarily responsible for the security of email and services/applications that use email?', only 15% of the respondents said it was the CISO/CSO. Twenty-one percent said it was the CIO/CTO, 20% said the line of business management, 9% said the head of messaging services, and 9% said the head of IT Operations. Somewhat surprisingly, the majority of organizations do not have their head of security responsible for the security of emails.

Impersonation attacks are an acknowledged and growing email threat. The top five currently-used technologies to prevent these are anti-spam/phishing filters (63%), secure email gateways (53%), SIEMs (44%), DMARC (39%), and anti-phish training (30%). Use of all of these is expected to grow over the next 12 months: filters by 2%, SEGs by 10%, SIEMs by 3%, DMARC by 9%, and phish training by a colossal 27%.

These figures simply indicate that use of existing technologies that have currently failed to prevent the email start-point in 96% or all security breaches will be increased. This doesn't mean, however, that the respondents have abandoned hope in their ability to improve things. Asked what effect a 20% increase in their email security budget would have, the reply was a 45% improvement in the detection rate with a 33% improvement in the prevention rate.

"With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO and co-founder of Valimail.

“While traditional approaches are good for filtering malicious content and blocking spam, impersonation attacks can only be stopped with email anti-impersonation solutions. Individuals at all levels of a company, including customers and clients, are vulnerable to phishing, fraud, and impersonation attacks. Companies can strengthen their security against email fraud with automated solutions and close that disconnect between email threats and preventive action," he added

What surprises Ponemon, however, is the current lack of adoption of such automated solutions. "We were surprised to see a vast majority of companies who believe that they have had a breach involving email but are not yet embracing automated anti-impersonation solutions to protect themselves proactively,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Adopting fully automated solutions for DMARC enforcement that provide email authentication will help companies get ahead of the attackers and build trust with their clients and end users."


Human Rights Group: Employee Targeted With Israeli Spyware
2.8.2018 securityweek
Virus

LONDON (AP) — An Amnesty International employee has been targeted with Israeli-made surveillance software, the human rights group said Wednesday, adding to a growing number of examples of Israeli technology being used to spy on human rights workers and opposition figures in the Middle East and beyond.

In a 20-page report, Amnesty outlined how it thinks a hacker tried to break into an unidentified staff member's smartphone in early June by baiting the employee with a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

The London-based human rights organization said it traced the malicious link in the message to a network of sites tied to the NSO Group, an Israeli surveillance company implicated in a series of digital break-in attempts, including a campaign to compromise proponents of a soda tax in Mexico and an effort to hack into the phone of an Arab dissident that prompted an update to Apple's operating system.

Joshua Franco, Amnesty's head of technology and human rights, said the latest hacking attempt was emblematic of the increased digital risk faced by activists worldwide.

"This is the new normal for human rights defenders," Franco said.

NSO said in a written statement that its product was "intended to be used exclusively for the investigation and prevention of crime and terrorism" and that allegations of wrongdoing would be investigated. In response to a series of written questions, the company said past allegations of customer misuse had, in an undisclosed number of cases, led to the termination of contracts.

Amnesty's findings were corroborated by internet watchdog Citizen Lab, which has been tracking NSO spyware for two years and is based at the University of Toronto's Munk School of Global Affairs.

In its own report being released Wednesday, Citizen Lab said it so far had counted some 175 targets of NSO spyware worldwide, including 150 people in Panama identified as part of a massive domestic espionage scandal swirling around the country's former president.

The Amnesty International report said the organization identified a second human rights activist, in Saudi Arabia, who was targeted in a similar way to its staffer. Citizen Lab said it found traces of similar hacking attempts tied to Qatar or Saudi, hinting at the use of the Israeli spyware elsewhere in the Gulf.

Any possible use of Israeli technology to police dissent in the Arab world could raise uncomfortable questions both for Israel, which still sees itself as a bastion of democracy in the region, and for countries with no formal diplomatic ties to the Jewish state.

For Amnesty's Franco, it was a sign of an out-of-control trade in high-tech surveillance tools.

"This is a huge market that's completely opaque and under-regulated," he said.


Three Ukrainians Arrested for Hacking Over 100 US Companies
2.8.2018 securityweek Crime

Three Ukrainians have been arrested for hacking more than 100 US companies and stealing millions of customer records, the Department of Justice announced Wednesday.

Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30, were members of a "sophisticated international cybercrime group" called "FIN7," the department said in a statement.

"Since at least 2015, FIN7 members engaged in a highly sophisticated malware campaign targeting more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries," it said.

"FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit," it said.

The Justice Department said members of the "prolific hacking group" also targeted computer networks in Britain, Australia, and France.

FBI special agent Jay Tabb told a press conference in Seattle, Washington, where the arrests were announced, that the hacking was not state-sponsored.

"No linkage at all to any state-sponsored activity," Tabb said. "This is just old-fashioned organized crime."

Fedorov, a "high-level hacker and manager," was arrested in Bielsko-Biala, Poland, in January and is being detained pending extradition to the United States, the Department of Justice said.

Hladyr, FIN7's systems administrator, was arrested in Dresden, Germany, in January, it said, and is being held in Seattle, Washington, pending a trial scheduled to open on October 22.

Kolpakov, described as a "supervisor of a group of hackers," was arrested in Lepe, Spain, in late June and is being detained there pending a US extradition request, the department said.

- Chipotle, Arby's targeted -

"Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong," said Annette Hayes, US Attorney for the Western District of Washington.

The charges against the three were contained in federal indictments unsealed on Wednesday.

They were charged with 26 counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

The Justice Department said that FIN7 also known as the "Carbanak Group" and the "Navigator Group," breached computer networks of companies in 47 US states and Washington DC.

They allegedly stole "more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations."

Among the companies which have publicly disclosed hacks by FIN7 are Chipotle Mexican Grill, Chili's, Arby's, Red Robin and Jason's Deli, the Justice Department said.

Many of the businesses were targeted through phishing schemes involving email.

"FIN7 carefully crafted email messages that would appear legitimate to a business' employee, and accompanied emails with telephone calls intended to further legitimize the email," it said.

Once an attached file was opened, it would trigger malware to steal payment card data which was sold on online underground marketplaces.


A study of car sharing apps
2.8.2018 Kaspersky  Mobil

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?
The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

Criminals offer hijacked accounts from a wide range of car sharing services…

…and explain why you are better off using somebody else’s account

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security
So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.
Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges
Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength
Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it only takes 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are 45 million possible combinations to search through; if the positioning of the numbers were not restricted, the number of combinations would rise to two billion. Of course, 45,000,000 is also large amount, but the app doesn’t have a timeout for entering the next combination, so there are no obstacles to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).

MITM attack
It’s worth noting that the applications use HTTPS to communicate data to and from their control centers, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by another global security flaw: none of the tested applications checks the server’s certificate. We were able to obtain the dump of the entire session.

Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying
Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

Outcome
The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users
Don’t make your phone number publicly available (the same goes for your email address)
Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
Do not use rooted devices.
Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.
Recommendations to car sharing services
Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
Use mechanisms to detect operations on rooted devices.
Allow the user to create their own credentials; ensure all passwords are strong.
Notify users about successful logons from other devices.
Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
Protect your application interface from being overlaid by another app.
Add a server certificate check.


DDoS attacks in Q2 2018
2.8.2018 Kaspersky  Attack

CONTENTS
News overview
Q2 2018 news includes: non-standard use of old vulnerabilities, new botnets, the cutthroat world of cryptocurrencies, a high-profile DDoS attack (or not) with a political subtext, the slashdot effect, some half-baked attempts at activism, and a handful arrests. But first things first.

Knowing what we know about the devastating consequences of DDoS attacks, we are not inclined to celebrate when our predictions come true. Alas, our forecast in the previous quarter’s report was confirmed: cybercriminals continue to seek out new non-standard amplification methods. Even before the panic over the recent wave of Memcached-based attacks had subsided, experts discovered an amplification method using another vulnerability—in the Universal Plug and Play protocol, known since 2001. It allows garbage traffic to be sent from several ports instead of just one, switching them randomly, which hinders the blocking process. Experts reported two attacks (April 11 and 26) in which this method was likely used; in the first instance, the DNS attack was amplified through UPnP, and in the second the same was applied to an NTP attack. In addition, the Kaspersky DDoS Protection team observed an attack that exploited a vulnerability in the CHARGEN protocol. A slightly weaker attack using the same protocol to amplify the flood (among other methods) targeted the provider ProtonMail, the reason for which was an unflattering comment made by the company’s executive director.

New botnets are causing more headaches for cybersecurity specialists. A noteworthy case is the creation of a botnet formed from 50,000 surveillance cameras in Japan. And a serious danger is posed by a new strain of the Hide-n-Seek malware, which was the first of all known bots to withstand, under certain circumstances, a reboot of the device on which it had set up shop. True, this botnet has not yet been used to carry out DDoS attacks, but experts do not rule out such functionality being added at a later stage, since the options for monetizing the botnet are not that many.

One of the most popular monetization methods remains attacking cryptocurrency sites and exchanges. What’s more, DDoS attacks are used not only to prevent competitors from increasing their investors, but as a way of making a big scoop. The incident with the cryptocurrency Verge is a case in point: in late May, a hacker attacked Verge mining pools, and made off with XVG 35 million ($1.7 million). In the space of two months, the currency was hacked twice, although the preceding attack was not a DDoS.

Not only that, June 5 saw cybercriminals bring down the Bitfinex cryptocurrency exchange, with the system crash followed by a wave of garbage traffic, pointing to a multistage attack that was likely intended to undermine credibility in the site. It was probably competitive rivalry that caused the renowned online poker site, Americas Cardroom, to suffer a DDoS attack that forced first the interruption and then cancellation of a tournament. That said, it was rumored that the attack could have been a political protest against the in-game availability of Donald Trump and Kim Jong Un avatars.

As always, the most media hype in the past quarter was generated by politically motivated DDoS attacks. In mid-April, British and US law enforcement bodies warned that a significant number of devices had been seized by Russian (supposedly Kremlin-sponsored) hackers in the US, the EU, and Australia with a view to carrying out future attacks. Then just a few days later, in late April, it was a Russian target that got hit: the site of the largest Russian political party, United Russia, was down for two whole days, yet there was precious little public speculation about the masterminds behind the DDoS campaign.

An attack on the Danish railway company DSB, which struggled to serve passengers for several days as a result, was also alleged to be politically motivated. Some see it as a continuation of the attack on Swedish infrastructure last fall.

At the end of the quarter, attention was focused on the Mexican elections and an attack on an opposition party website hosting materials about the illegal activities of a rival. According to the victim, the attack began during a pre-election debate when the party’s candidate showed viewers a poster with the website address. However, it was immediately rumored that DDoS was not the culprit, but the Slashdot effect, which Reddit users also call “the hug of death.” This phenomenon has been around since the dawn of the Internet, when bandwidth was a major issue. But it’s still encountered to this day when a small resource suffers a major influx of legitimate web traffic on the back of media hype.

The Slashdot effect was also observed by the Kaspersky DDoS Protection team in early summer. After a press conference by the Russian president, a major news outlet covering the event experienced a powerful wave of tens of thousands of HTTP GET requests all sent simultaneously. The size of the supposed botnet suggested a new round of attacks involving IoT devices, but further analysis by KDP experts showed that all suspicious queries in the User Agent HTTP header contained the substring “XiaoMi MiuiBrowser”. In fact, owners of Xiaomi phones with the browser app installed received a push notification about the outcome of the conference, and it seems that many took an interest and followed the link, causing a glut of requests.

Meanwhile, law enforcement agencies have been making every effort to prevent organized attacks: in late April, Europol managed to shut down Webstresser.org, the world’s largest DDoS-for-hire service. When it was finally blocked, the portal had more than 136,000 users and had served as the source of more than 4 million DDoS attacks in recent years. After the fall of Webstresser, conflicting trends were reported: some companies observed a significant decline in DDoS activity in Europe (although they warned that the drop was going to be relatively short-lived); others, however, pointed to a rise in the number of attacks across all regions, which may have been the result of attackers seeking to compensate by creating new botnets and expanding old ones.

On top of that, several DDoS attack masterminds were caught and convicted. German hacker ZZboot was sentenced for attacking major German and British firms with ransom demands. However, he avoided jail time, receiving 22 months of probation. At the other end of the Eurasian continent, in Taipei, a hacker named Chung was arrested for allegedly attacking the Taiwan Bureau of Investigation, the Presidential Administration, Chungwa Telecom, and the Central Bank. In the other direction, across the pond, a self-proclaimed hacktivist was arrested in the US for obstructing the work of police in Ohio.

Another, less significant, but more curious arrest took place in the US: an amateur hacker from Arizona was arrested, fined, and jailed after an online acquaintance posted a tweet with his name. Despite his rudimentary skills, the cybercriminal, calling himself the “Bitcoin Baron,” had terrorized US towns for several years, crashing the websites of official institutions and demanding ransoms; in one incident, his actions seriously hindered emergency response services. He too tried to position himself as a cyberactivist, but his bad behavior ruined any reputation he might have had, especially his alleged (only by himself, it should be said) attempt to bring down the site of a children’s hospital by flooding it with child pornography.

Quarter trends
In H1 2018, the average and maximum attack power fell significantly compared to H2 2017. This can be explained by the seasonal slowdown that is usually observed at the start of the year. However, a comparison of H1 indicators for 2017 and 2018 shows a measurable rise in attack power since last year.

Change in DDoS attack power, 2017-2018

One way to increase the attack power is third-party amplification. As mentioned in the news overview, hackers continue to look for ways to amplify DDoS attacks through new (or well-forgotten old) vulnerabilities in widely popular software, not without success, unfortunately. This time, the KDP team detected and repelled an attack with a capacity in the tens of Gbit/s that exploited a vulnerability in the CHARGEN protocol—an old and very simple protocol described in RFC 864 way back in 1983.

CHARGEN was intended for testing and measurement purposes, and can listen on both the TCP and UDP sockets. In UDP mode, the CHARGEN server responds to any request with a packet with a string length from 0 to 512 random ASCII characters. Attackers use this mechanism to send requests to the vulnerable CHARGEN server, where the outgoing address is substituted by the address of the victim. US-CERT estimates the amplification factor at 358.8x, but this figure is somewhat arbitrary, since the responses are generated randomly.

Despite the protocol’s age and limited scope, many open CHARGEN servers can be found on the Internet. They are mainly printers and copying devices in which the network service is enabled by default in the software.

The use of CHARGEN in UDP attacks, as reported by KDP and other providers (Radware, Nexusguard), may indicate that attacks using more convenient protocols (for example, DNS or NTP) are becoming less effective, since there exist well-developed methods to combat this kind of UDP flooding. But the simplicity of such attacks makes cybercriminals unwilling to abandon them; instead they hope that modern security systems will not be able to resist antiquated methods. And although the search for non-standard holes will doubtless continue, CHARGEN-type amplification attacks are unlikely to take the world by storm, since vulnerable servers lack a source of replenishment (how often are old copiers connected to the Internet?).

If cybercriminals are going retro in terms of methods, when it comes to targets they are breaking new ground. DDoS attacks against home users are simple, but not profitable, whereas attacks on corporations are profitable, but complex. Now DDoS planners have found a way to get the best of both worlds—in the shape of the online games industry and streamers. Let’s take as an example the growing popularity of e-sports tournaments, in which the victors walk away with tens—sometimes hundreds—of thousands of dollars. The largest events are usually held at special venues with specially setup screens and stands for spectators, but the qualifying rounds to get there often involve playing from home. In this case, a well-planned DDoS attack against a team can easily knock it out of the tournament at an early stage. The tournament server might also be targeted, and the threat of disruption could persuade the competition organizers to pay the ransom. According to Kaspersky Lab client data, DDoS attacks on e-sports players and sites with the goal of denying access are becoming increasingly common.

Similarly, cybercriminals are trying to monetize the market of video game streaming channels. Streaming pros show live playthroughs of popular games, and viewers donate small sums to support them. Naturally, the larger the audience, the more money the streamer gets for each broadcast; top players can earn hundreds or thousands of dollars, which basically makes it their job. Competition in this segment is fierce and made worse by DDoS attacks with the capacity to interfere with livestreams, causing subscribers to look for alternatives.

Like e-sports players, home streamers have virtually no means of protection against DDoS attacks. They are essentially reliant on their Internet provider. The only solution at present could be to set up specialized platforms offering greater protection.

Methodology
Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor the actions of botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. What’s more, the system is proactive, not reactive—there’s no need to wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2018.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools for performing DDoS attacks, and that the data presented in this report do not cover every single DDoS attack that occurred during the period under review.

Quarter results
The stormiest period for DDoS attacks was the start of the quarter, particularly mid-April. By contrast, late May and early June were fairly quiet.
Top spot in terms of number of attacks was retained by China (59.03%), with Hong Kong (17.13%) in second. It also entered the Top 3 by number of unique targets with 12.88%, behind only China (52.36%) and the US (17.75%).
The attacks were quite evenly distributed across the days of the week. The most and least popular were Tuesday and Thursday, respectively, but the difference is slight.
The share of SYN attacks rose sharply to 80.2%; second place went to UDP attacks with 10.6%.
The share of attacks from Linux botnets increased significantly to 94.47% of all single-family attacks.
Geography of attacks
The latest quarter threw up a number of surprises. The leader by number of attacks is still China, with its share practically unchanged (59.03% against 59.42% in Q1). However, for the first time since monitoring began, Hong Kong broke into the Top 3, rising from fourth to second: its share increased almost fivefold, from 3.67% to 17.13%, squeezing out the US (12.46%) and South Korea (3.21%), whose shares declined by roughly 5 p.p. each.

Another surprise package in the territorial ranking was Malaysia, which shot up to fifth place, now accounting for 1.30% of all DDoS attacks. It was joined in the Top 10 by Australia (1.17%) and Vietnam (0.50%), while the big-hitters Japan, Germany, and Russia all dropped out. Britain (0.50%) and Canada (0.69%) moved into eighth and seventh, respectively.

The Top 10 in Q2 also had a greater share of the total number of attacks than in Q1: 96.44% compared with 95.44%.

Distribution of DDoS attacks by country, Q1 and Q2 2018

The territorial distribution of unique targets roughly corresponds to the distribution of the number of attacks: China has the largest share (52.36%), a rise of 5 p.p. against the previous quarter. Second place belongs to the US (17.5%) and third to Hong Kong (12.88%), up from fourth, replacing South Korea (4.76%) (note that in Hong Kong the most popular targets are now Microsoft Azure servers). Britain fell from fourth to eighth, now accounting for 0.8% of unique targets.

The Top 10 said goodbye to Japan and Germany, but welcomed Malaysia (2.27%) in fourth place and Australia (1.93%) just behind in fifth. This quarter’s Top 10 accounted for slightly more of the total number of unique attacks, reaching 95.09% against 94.17% in Q1.

Distribution of unique DDoS-attack targets by country, Q1 and Q2 2018

Dynamics of the number of DDoS attacks
Peak activity in Q2 2018 was observed in mid-April: a significant increase in the number of attacks was registered in the middle third of this month, with two large spikes occurring just days apart: April 11 (1163) and April 15 (1555). The quarter’s deepest troughs came in the second half and at the end: the calmest days were May 24 (13) and June 17 (16).

Dynamics of the number of DDoS attacks, Q2 2018

In Q2 2018, Sunday went from being the quietest day for cybercriminals to the second most active: it accounted for 14.99% of attacks, up from 10.77% in the previous quarter. But gold in terms of number of attacks went to Tuesday, which braved 17.49% of them. Thursday, meanwhile, went in the opposite direction: only 12.75% of attacks were logged on this day. Overall, as can be seen from the graph, in the period April-June the attack distribution over the days of the week was more even than at the beginning of the year.

Distribution of DDoS attacks by day of the week, Q1 and Q2 2018

Duration and types of DDoS attacks
The longest attack in Q2 lasted 258 hours (almost 11 days), slightly short of the previous quarter’s record of 297 hours (12.4 days). This time, the focus of persevering hackers was an IP address belonging to China Telecom.

Overall, the share of long-duration attacks fell by 0.02 p.p. to 0.12%. Whereas the share of attacks lasting from 100 to 139 hours remained the same, the share of attacks from 10 to 50 hours almost doubled (from 8.28% to 16.27%); meanwhile, the share of attacks lasting from five to nine hours increased nearly by half (from 10.73% to 14.01%). The share of short-duration attacks (up to four hours) fell sharply from 80.73% in January to 69.49% in March.

Distribution of DDoS attacks by duration (hours), Q1 and Q2 2018

All other types of attacks decreased in share; UDP attacks are in second place (10.6%), while TCP, HTTP, and ICMP constitute a relatively small proportion.

Distribution of DDoS attacks by type, Q2 2018

Correlation between Windows- and Linux-based botnet attacks, Q2 2018

Geographical distribution of botnets
The Top 10 regions by number of botnet C&C servers underwent some significant changes. Top spot went to the US with almost half of all C&C centers (44.75% against 29.32% in Q1). South Korea (11.05%) sank from first to second, losing nearly 20 p.p. China also dropped significantly (from 8.0% to 5.52%). Its place was taken by Italy, whose share climbed from 6.83% in the previous quarter to 8.84%. The Top 10 saw the departure of Hong Kong, but was joined—for the first time since our records began—by Vietnam, whose 3.31% was good enough for seventh place.

Distribution of botnet C&C servers by country, Q2 2018

Conclusion
In Q2 2018, cybercriminals continued the above-outlined trend of searching for exotic holes in UDP transport protocols. It surely won’t be long before we hear about other sophisticated methods of attack amplification.

Another technical discovery of note is the potential for creating botnets using the UPnP protocol; although evidence for them exists, they are still extremely rare in the wild, fortunately.

Windows botnet activity decreased: in particular, Yoyo activity experienced a multifold drop, and Nitol, Drive, and Skill also declined. Meanwhile, Xor for Linux significantly increased its number of attacks, while another infamous Linux botnet, Darkai, scaled back slightly. As a result, the most popular type of attack was SYN flooding.

The total attack duration changed little since the previous quarter, but the share of medium-duration attacks increased, while the share of shorter ones decreased. The intensity of attacks also continues to grow. The most lucrative targets for cybercriminals seem to be cryptocurrencies, but we can soon expect to see high-profile attacks against e-sports tournaments as well as relatively small ransoms targeting individual streamers and players. Accordingly, there will be market demand for affordable individual anti-DDoS protection.


Amnesty International employee targeted with NSO group surveillance malware
2.8.2018 securityweek 
Virus

An employee at Amnesty International has been targeted with Israeli surveillance malware, the news was revealed by the human rights group.
Amnesty International revealed that one of its employees was targeted with a surveillance malware developed by an Israeli firm.

The human rights group published a report that provides details on the attack against its employee. The hacker attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

This SMS message translates to:

“Court order #XXXXXX issued against identity owner **** on XX/XX/XXX”

[link]”

surveillance Amnesty International NGO spyware

The organization added that such kind of attacks is becoming even more frequent, a growing number of Israeli surveillance software being used to spy on human rights operators and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

“In June 2018, an Amnesty International staff member received a malicious WhatsApp message with Saudi Arabia-related bait content and carrying links Amnesty International believes are used to distribute and deploy sophisticated mobile spyware. Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages.” reads the report published Amnesty International.

“In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group.”

The servers identified by the experts were matching NSO Group’s description of Pegasus in the Hacking Team leaked document, they found two other connections to NSO Group:

evidence that connects the malicious links used by the attackers and collected with NSO Group network infrastructure that was previously detailed by researchers at Citizen Lab.
a domain registration pattern showing that most of the domains in the NSO Group infrastructure were registered during Israeli working days and hours.
“With the technique we developed, we were then able to identify over 600 servers that demonstrated similar behavior. Among these we found servers that hosted domain names that have been previously identified as connected to NSO Group by Citizen Lab and others, specifically banca-movil[.]com, pine-sales[.]com, and ecommerce-ads[.]org.” continues the report.

There are several companies that develop surveillance platforms for targeting mobile devices, the NSO Group operated in the dark for several years, until the researchers from the Citizenlab organization and the Lookout firm spotted its software in targeted attacks against UAE human rights defender, Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of the corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International was corroborated by the findings of the investigation conducted by researchers at the internet watchdog Citizen Lab.

“Amnesty International shared the suspicious messages with us and asked us to verify their findings, as we have been tracking infrastructure that appears to be related to NSO Group’s Pegasus spyware since March 2016.” reads the analysis published by Citizen Lab.

“Based on our analysis of the messages sent to these individuals, we can corroborate Amnesty’s findings that the SMS messages contain domain names pointing to websites that appear to be part of NSO Group’s Pegasus infrastructure.”

Citizen Lab collected evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.

COUNTRY NEXUS REPORTED CASES OF INDIVIDUALS TARGETED YEAR(S) IN WHICH SPYWARE INFECTION WAS ATTEMPTED
Panama Up to 150 (Source: Univision)1 2012-2014
UAE 1 (Source: Citizen Lab) 2016
Mexico 22 (Source: Citizen Lab) 2016
Saudi Arabia 2 (Source: Amnesty, Citizen Lab) 2018
Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, recent discovery demonstrates that trading of surveillance software is going out-of-control.

“This is a huge market that’s completely opaque and under-regulated,” he concluded.


Hundreds of apps removed from Google Play store because were carrying Windows malware
2.8.2018 securityweek Android

Google recently removed 145 applications from the official Google Play store because they were found to carry malicious Windows executables inside.
Researchers from Palo Alto Networks revealed that Google removed more than 145 apps from the Play store because they were carrying a Windows malware,

The apps were uploaded to the Google Play store between October and November 2017, this means that for months Android users were exposed to the attack. In some cases, the apps have been downloaded thousands of times and were rated with 4-stars.

The malicious code included in the code of the app was developed to compromised Windows systems and leverage the Android device as an attack vector.

“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” reads the analysis published by Palo Alto networks.

“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”

Palo Alto Networks reported that the malicious PE files when executed on a Windows system will perform these suspicious activities:

Creates executable and hidden files in Windows system folders, including copying itself
Changes Windows registry to auto-start themselves after restarting
Attempts to sleep for a long period
Has suspicious network connection activities to IP address 87.98.185.184 via port 8829
Some of the apps included multiple malicious PE files at different locations, with different file names, anyway the experts the experts noticed that malware were found embedded in most applications.

The researchers discovered that one of malware was included in 142 APKs, a second malicious code was found in 21 APKs. 15 apps were found containing both PE files inside.

In one case, the malicious PE file that was included in the APK of most of the Android apps was a keylogger.

“After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.” continues the analysis.

“On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords.”

Google play store infected apps

The attackers attempted to conceive the PE files by using fake names that look like legitimate, such as Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

The researchers discovered that not all the apps uploaded by the same developers were infected with the malicious files, likely because they were using different development platform for the apps.

“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” concludes Palo Alto Networks.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,”


Facebook reported and blocked attempts to influence campaign ahead of midterms US elections
2.8.2018 securityweek 
Social

Facebook removed 32 Facebook and Instagram accounts and pages that were involved in a coordinated operation aimed at influencing the midterm US elections
Facebook has removed 32 Facebook and Instagram accounts and pages that were involved in a coordinated operation aimed at influencing the forthcoming midterm US elections.

Facebook midterm US elections

Facebook is shutting down content and accounts “engaged in coordinated inauthentic behavior”

At the time there is no evidence that confirms the involvement of Russia, but intelligence experts suspect that Russian APT groups were behind the operation.

Facebook founder Mark Zuckerberg announced its response to the recently disclosed abuses.

“One of my top priorities for 2018 is to prevent misuse of Facebook,” Zuckerberg said on his own Facebook page.

“We build services to bring people closer together and I want to ensure we’re doing everything we can to prevent anyone from misusing them to drive us apart.”

According to Facebook, “some of the activity is consistent” with Tactics, Techniques and Procedures (TTPs) associated with the Internet Research Agency that is known as the Russian troll farm that was behind the misinformation campaign aimed at the 2016 Presidential election.

“But we don’t believe the evidence is strong enough at this time to make public attribution to the IRA,” Facebook chief security officer Alex Stamps explained to the reporters.

Facebook revealed that some 290,000 users followed at least one of the blocked pages.

“Resisters” enlisted support from real followers for an August protest in Washington against the far-right “Unite the Right” group.

According to Facebook, fake pages that were created more than a year ago, in some cases the pages were used to promote real-world events, two of them have taken place.

Just after the announcement, the US Government remarked it will not tolerate any interference from foreign states.

“The president has made it clear that his administration will not tolerate foreign interference into our electoral process from any nation-state or other malicious actors,” deputy press secretary Hogan Gidley told reporters.

The investigation is still ongoing, but the social media giant decided to disclose early findings to shut down the orchestrated misinformation campaign.

Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, explained that the threat actors used VPNs and internet phone services to protect their anonymity.

“In total, more than 290,000 accounts followed at least one of these Pages, the earliest of which was created in March 2017. The latest was created in May 2018.
The most followed Facebook Pages were “Aztlan Warriors,” “Black Elevation,” “Mindful Being,” and “Resisters.” The remaining Pages had between zero and ten followers, and the Instagram accounts had zero followers.
There were more than 9,500 organic posts created by these accounts on Facebook and one piece of content on Instagram.
They ran about 150 ads for approximately $11,000 on Facebook and Instagram, paid for in US and Canadian dollars. The first ad was created in April 2017, and the last was created in June 2018.
The Pages created about 30 events since May 2017. About half had fewer than 100 accounts interested in attending. The largest had approximately 4,700 accounts interested in attending, and 1,400 users said that they would attend.” said Gleicher.
Facebook announced it would start notifying users that were following the blocked account and users who said would attend events created by one of the suspended accounts and pages

Facebook reported its findings to US law enforcement agencies, Congress, and other tech companies.

“Today’s disclosure is further evidence that the Kremlin continues to exploit platforms like Facebook to sow division and spread disinformation, and I am glad that Facebook is taking some steps to pinpoint and address this activity,” declared the Senate Intelligence Committee’s top Democrat Mark Warner.


Ten years ago someone breached into a server of the Yale University
2.8.2018 securityweek Incindent

Ten years ago someone breached into a server of the Yale University, but because the intrusion happened nearly ten years ago there is much more information about how it occurred.
After ten years, Yale University revealed a security breach that exposed an archive containing personal information of 119,000 people.

Hackers breached into the database of the famous University between April 2008 and January 2009 and apparently accessed a server where it is hosted a single database.

“On July 26th and 27th, Yale mailed notices to members of the Yale community, including alumni/ae, faculty members, and staff members, who were affected by a data intrusion that occurred in 2008-2009.” reads the security alert published by the Yale University.

yale university

The database contained data of individuals affiliated with the university, the unauthorized access was discovered on June 16, 2018, during a security review.

The hackers accessed names, Social Security numbers, dates of birth, Yale email addresses, and in some cases the physical addresses of individuals associated with the university.

Unfortunately, there is no way to understand how attackers hacked the server either “it is not feasible to determine the identities of the perpetrators.”

The academic institution announced that no financial information was exposed, it sent a notice letter to 97% of affected people in the Yale community.

Unfortunately, there is another disconcerting news for the Yale community, a letter sent by the University to the State of New Hampshire Attorney General, revealed that the same server was hacked a second time between March 2016 and June 2018.

This second intrusion caused the exposure of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale is offering identity monitoring services to all affected U.S. residents through the Kroll security firm. At the time there is no indication that the exposed data has been misused.


Reddit discloses a data breach, a hacker accessed user data
2.8.2018 securityweek Incindent

Reddit Warns Users of Data Breach
Reddit is warning its users of a security breach, an attacker broke into the systems of the platform and accessed user data.
Reddit is warning its users of a security breach, a hacker broke into the systems of the platform and accessed user data.

The hacker accessed user data, email addresses, and a 2007 backup database containing hashed passwords managed by the platform.

The data breach was discovered on June 19, 2018, according to Reddit, between June 14 and 18, 2018, the attacker compromised some of the employees’ accounts with the company cloud and source code hosting providers.

“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.” reads a data breach notification published by the company.

Reddit users that are still using the same password since 2007 have to do it now and change the password for any service where they share the same login credentials.

The hacker did not gain write access to Reddit systems containing backup data, source code, and other logs.

The company explained that the accounts were protected with two-factor SMS-based authentication, a circumstance that suggests the attackers were in the position to intercept authentication codes sent via SMS.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” continues Reddit.

reddit data breach

The company has taken steps to lock down and rotate all production secrets and API keys, and to enhance our monitoring systems.

Reddit already reported the security breach to law enforcement and is notifying affected urging to change their passwords.

Let me close with this Q&A published by Reddit:

What information was involved?

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

All Reddit data from 2007 and before including account credentials and email addresses
What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
Email digests sent by Reddit in June 2018
What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.


Facebook Uncovers Political Influence Campaign Ahead of Midterms
1.8.2018 securityweek 
Social 

Facebook said Tuesday it shut down 32 fake pages and accounts involved in an apparent "coordinated" effort to stoke hot-button issues ahead of November midterm US elections, but could not identify the source although Russia is suspected of involvement.

It said the "bad actor" accounts on the world's biggest social network and its photo-sharing site Instagram could not be tied directly to Russian actors, who American officials say used the platform to spread disinformation ahead of the 2016 US presidential election.

The US intelligence community has concluded that Russia sought to sway the vote in Donald Trump's favor, and Facebook was a primary tool in that effort, using targeted ads to escalate political tensions and push divisive online content.

With the 2018 mid-terms barely three months away, Facebook founder Mark Zuckerberg announced his company's crackdown.

"One of my top priorities for 2018 is to prevent misuse of Facebook," Zuckerberg said on his own Facebook page.

"We build services to bring people closer together and I want to ensure we're doing everything we can to prevent anyone from misusing them to drive us apart."

Trump, now president, has repeatedly downplayed Kremlin efforts to interfere in US democracy.

Two weeks ago, he caused an international firestorm when he stood alongside Russian President Vladimir Putin and cast doubt on assertions that Russia tried to sabotage the vote.

But after Facebook's announcement, the White House stressed Trump opposed all efforts at election interference.

"The president has made it clear that his administration will not tolerate foreign interference into our electoral process from any nation state or other malicious actors," deputy press secretary Hogan Gidley told reporters.

Facebook said "some of the activity is consistent" with that of the Saint Petersburg-based Internet Research Agency -- the Russian troll farm that managed many false Facebook accounts used to influence the 2016 vote.

"But we don't believe the evidence is strong enough at this time to make public attribution to the IRA," Facebook chief security officer Alex Stamps said during a conference call with reporters.

Special Counsel Robert Mueller is heading a sprawling investigation into possible collusion with Russia by Trump's campaign to tip the vote toward the real estate tycoon.

Mueller has indicted the Russian group and 12 Russian hackers connected to the organization.

Facebook said it is shutting down 32 pages and accounts "engaged in coordinated inauthentic behavior," even though it may never be known for certain who was behind the operation.

The tech giant's investigation is at an early stage, but was revealed now because one of the pages being covertly operated was orchestrating a counter-protest to a white nationalism rally in Washington.

The coordinators of a deadly white-supremacist event in Charlottesville last year reportedly have been given a permit to hold a rally near the White House on August 12, the anniversary of the 2017 gathering.

Facebook said it will notify members of the social network who expressed interest in attending the counter-protest.

- US 'not doing' enough -

Facebook has briefed US law enforcement agencies, Congress and other tech companies about its findings.

"Today's disclosure is further evidence that the Kremlin continues to exploit platforms like Facebook to sow division and spread disinformation, and I am glad that Facebook is taking some steps to pinpoint and address this activity," said the Senate Intelligence Committee's top Democrat Mark Warner.

The panel's chairman, Republican Senator Richard Burr, said he was glad to see Facebook take a "much-needed step toward limiting the use of their platform by foreign influence campaigns."

"The goal of these operations is to sow discord, distrust and division," he added. "The Russians want a weak America."

US lawmakers have introduced multiple bills aimed at boosting election security.

While top Senate Democrat Chuck Schumer applauded Facebook's action, he said the Trump administration itself "is not doing close to enough" to protect elections.

Some of the most-followed pages that were shut down included "Resisters" and "Aztlan Warriors."

Facebook said some 290,000 users followed at least one of the pages.

"Resisters" enlisted support from real followers for an August protest in Washington against the far-right "Unite the Right" group.

Inauthentic pages dating back more than a year organized an array of real world events, all but two of which have taken place, according to Facebook.

The news comes just days after Facebook suffered the worst single-day evaporation of market value for any company, after missing revenue forecasts for the second quarter and offering soft growth projections.

Zuckerberg's firm says the slowdown will come in part due to its new approach to privacy and security, which helped experts uncover these so-called "bad actors."


Mimecast Acquires Threat Detection Startup Solebit for $88 Million
1.8.2018 securityweek   IT

Email and data security firm Mimecast (NASDAQ: MIME) announced on Tuesday that it has acquired threat detection firm Solebit for approximately $88 million net of cash acquired.

Founded in 2014 by cybersecurity experts from the Israel Defense Forces (IDF), Solebit announced that it had raised $11 million in Series A funding in March 2018.

Solebit’s technology helps detect and protect against zero-day malware and unknown threats in data files and links to external resources/URLs.

“Security methods like signature-based antivirus and sandbox detonation are too limited when it comes to today’s most advanced threats,” said Peter Bauer, chief executive officer at Mimecast.

“Solebit has developed a differentiated approach that is engineered to preclude the need for signatures and sandboxes,” the company explains. “It is designed to help customers find advanced threats by recognizing when there is malicious code embedded within active content and data files.”

Mimecast says that Solebit’s threat detection tools are already integrated into Mimecast Targeted Threat Protection products.

London, UK-based Mimecast announced earlier this month that it had acquired Bethesda, Md-based security training company Ataata.

“Combined with the recent acquisition of Ataata in the security awareness and training space, and the recently previewed early adopter web security program, Solebit brings another important set of microservices to the Mime|OS platform that all of Mimecast’s unified services are built upon,” the company says.

Research by Mimecast and Vanson Bourne in May 2018 highlighted the extent to which humans are the targeted weakness in cybersecurity. From a pool of 800 IT decision makers and C-level executives, 94% had witnessed untargeted phishing attacks, 92% had witnessed spear-phishing attacks, 87% had witnessed financially-based email impersonation attacks (BEC), and 40% had seen an increase in trusted third-party impersonation attacks.

Founded by Bauer and CTO Neil Murray in 2003, Mimecast went public in late 2015 at $10 per share, raising $78 million in gross proceeds. After the IPO, share value fell as low as $6.20 in January 2016. Since July 2016, however, share price has risen steadily, sitting at $36.37 at the time of writing.

Investors in Solebit include ClearSky Security, MassMutual Ventures and Glilot Capital Partners.


HP Launches Bug Bounty Program for Printers
1.8.2018 securityweek  
Vulnerebility

HP announced on Tuesday the launch of a bug bounty program for printers. The company is prepared to pay out up to $10,000 for serious vulnerabilities found in its products.

The initiative, which HP calls the industry’s first printer bug bounty program, was launched in partnership with crowdsourced security platform Bugcrowd.HP launches printer bug bounty program

The program is private, which means not anyone can participate. Researchers invited by HP have been instructed to focus on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs.

The rewards range between $500 and $10,000 per flaw, but HP is not disclosing the specific payouts for each type of issue. Researchers can also earn a reward if they report a vulnerability previously discovered by HP itself – the company describes this as a “good faith payment.”

The bug bounty program currently covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).

HP told SecurityWeek that currently it’s engaged with 34 researchers. The company says the program covers only endpoint devices – printer-related web domains are out of scope – with a focus on print firmware.

The company plans on expanding the program to its PC line soon, but it currently focuses on printers due to concerns that the technological advancements in this area make these types of devices an attractive target for malicious actors. HP noted that printers can not only provide access to the network that houses them, but they can also expose confidential documents.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP's Chief Technologist of Print Security. “HP is committed to engineering the most secure printers in the world.”


SamSam Ransomware: Patient, Persistent, Competent and Dangerous
1.8.2018 securityweek  
Ransomware

The SamSam ransomware has always been a bit different. Unlike many ransomware infections, its victims are targeted rather than random -- and the attacker establishes a presence on the victim network before beginning the encryption process.

Victims this year include the City of Atlanta, Allscripts, Adams Memorial Hospital, Colorado Department of Transportation and the Mississippi Valley State University. It could seem that SamSam targets health, education and government; but a new and detailed analysis of SamSam from Sophos shows this is not the case -- and its success rate is far higher than previously thought.

"Sophos have discovered that these three sectors account for fewer than half of the total number of organizations we believe have been victims of SamSam, and it's the private sector who have suffered the most (and disclosed the least)."

By following the money and tracking the Bitcoin payment wallets with help from Neutrino (a firm that specializes in tracking cryptocurrency flows), Sophos researchers have estimated that the SamSam attacker has netted more than $5.9 million dollars since version 1 (it is now at version 3) began being used in January 2016. The attacker is currently collecting an average of $300,000 per month. Sophos estimates that about 233 victims have paid a SamSam ransom.

The attacker is thought to be a single person working alone rather than a criminal or nation-state gang. He (or she) is proficient, although not perfect, in the English language; but probably comes from a country where English is not the first language. He does not boast about his exploits and has no known social media presence, where linguistic tells within has ransomware might provide clues to his identity. At this point, his identity and nationality are unknown.

Sophos researchers have tracked (PDF) the evolution of SamSam through its three versions. It shows a developer getting evermore proficient in his craft. The basic MO is to select the targets, possibly through publicly available search engines such as Shodan or Censys, to access the network, to elevate privilege and reconnoiter, and then encrypt everything he can access. The encryption itself is usually done overnight to reduce the chance of detection.

According to the researchers, version 3 usually affects entry through brute-forcing Windows RDP accounts. "While some may find this shocking," say the researchers, "a simple search on Shodan will reveal thousands of IP addresses accessible over port 3389, the default RDP port."

Once access to a domain user account is obtained, the attacker will typically use Mimikatz to harvest the credentials of the first domain admin to log on. This has been known on some occasions to take days, with the attacker simply waiting.

Armed with privileged access, the attacker starts to manually deploy the ransomware. First, he takes control of one of the victim's servers, which he uses as his command center. Then, he scans the network. If he can write a tiny text file to a computer's filesystem (called test.txt), the name of that file is added to a separate file stored on his command server and known as 'alive.txt'. "The attacker later uses this .txt file as a target list," report the researchers.

Deployment from the command server is usually done with the Sysinternals PsExec application, although the attacker has been known to switch to PowerAdmin's PaExec if the former is blocked. Once the attack is initiated, the attacker simply waits for payment.

One key element of SamSam is the extent to which stealth is used -- completely in keeping and supporting the attacker's low-profile approach to crime. "In version 3 of SamSam," say the reporters, "the general operation of the payload hasn't changed much since version 1, but the attackers have put significant efforts into creating a stealthier version of the malware."

One example of this is the order in which targeted files are encrypted -- anything smaller than 100 Mb immediately, and larger files in size order. SQL and MDF files (which are typically large and time-consuming to encrypt) are next; and finally, anything left that is not on an exclusion list. "This carefully curated approach enables the attacker to achieve a greater volume of encrypted files before the attack is spotted and interrupted."

Another example is the consistency with which the attacker deletes the files he uses one the device is encrypted, or if the attack is interrupted.

Payment is made in Bitcoin (BTC), and the attacker offers several initial options. Individual computers can be decrypted on payment of 0.8 BTC (as of July 2018). Full decryption -- regardless of the number of encrypted computers -- costs 7 BTC (around $40,000 at July 2018 exchange rates). Victims have 7 days to make payment; but there is at least one example of the victim being offered the option to reopen the countdown on payment of 0.5 BTC.

The bad news for victims is that there is no known way to recover SamSam encrypted files. The good news, if you can call it such, is that the attacker really does provide decryption, and even offers online support for those who have difficulties.

Sophos urges companies not to pay any ransom, but accepts the difficulties with SamSam. "Instead," say the researchers, "Sophos strongly recommends a comprehensive layered approach to security, to both avoid an initial attack, and enable system recovery through backups." However, they also note, "Securing an environment against a competent, persistent, and patient, human adversary is somewhat different from defending against the more conventional kinds of semi-automated, social engineering-driven threats more commonly seen in enterprise environments. And SamSam's own particularly damaging behavior sets it apart from many other ransomwares."


Mozilla Reinforces Commitment to Distrust Symantec Certificates
1.8.2018 securityweek Security 

Mozilla this week reaffirmed its commitment to distrust all Symantec certificates starting in late October 2018, when Firefox 63 is set to be released to the stable channel.

The browser maker had decided to remove trust in TLS/SSL certificates issued by the Certification Authority (CA) run by Symantec after a series of problems emerged regarding the wrongful issuance of such certificates.

Despite being one of the oldest and largest CAs, Symantec sold its certificate business to DigiCert after Internet companies, including Google and Mozilla, revealed plans to gradually remove trust in said certificates, even after DigiCert said it won’t repeat the same mistakes as Symantec.

The first step Mozilla took was to warn site owners about Symantec certificates issued before June 1, 2016, and encourage them to replace their TLS certificates.

Starting with Firefox 60, users see a warning when the browser encounters websites using certificates issued before June 1, 2016 that chain up to a Symantec root certificate.

According to Mozilla, less than 0.15% of websites were impacted by this change when Firefox 60 arrived in May. Most site owners were receptive and replaced their old certificates.

“The next phase of the consensus plan is to distrust any TLS certificate that chains up to a Symantec root, regardless of when it was issued […]. This change is scheduled for Firefox 63,” Mozilla’s Wayne Thayer notes in a blog post.

That browser release is currently planned for October 23, 2018 (it will arrive in Beta on September 5).

At the moment, around 3.5% of the top 1 million websites are still using Symantec certificates that will be impacted by the change. While the number is high, it represents a 20% improvement over the past two months, and Mozilla is confident that site owners will take action in due time.

“We strongly encourage website operators to replace any remaining Symantec TLS certificates immediately to avoid impacting their users as these certificates become distrusted in Firefox Nightly and Beta over the next few months,” Thayer concludes.

Google too is on track to distrust all Symantec certificates on October 23, 2018, when Chrome 70 is expected to land in the stable channel. Released in April, Chrome 66 has already removed trust in certificates issued by Symantec's legacy PKI before June 1, 2016.


DHS Unveils National Risk Management Center
1.8.2018 securityweek   BigBrothers

Kirstjen Nielsen introduces National Risk Management Center

Secretary of Homeland Security Kirstjen Nielsen said on Tuesday that the U.S. Department of of Homeland Security (DHS) has launched The National Risk Management Center, a joint center housed within DHS that will enable the private sector and government to collaborate and devise solutions to reduce risk to critical infrastructure.

Announced at the DHS National Cybersecurity Summit today in New York City, the new center will focus on three things:

● Identify, assess, and prioritize efforts to reduce risks to national critical functions, which enable national and economic security;

● Collaborate on the development of risk management strategies and approaches to manage risks to national functions; and

● Coordinate integrated cross-sector risk management activities.

According to the DHS, the center will lead a series of activities that will help “define what is truly critical; create the frameworks by which government and industry collectively manage risk; and initiate specific cross-sector activities to address known threats.”

Notable attendees and participants at the Summit include, Vice President Mike Pence, Secretary of Energy Rick Perry, FBI Director Christopher Wray, Commander, U.S. Cyber Command and Director, National Security Agency General Paul M. Nakasone.

A live stream of the event can be watched online throughout the day.


Android Apps Carrying Windows Malware Yanked From Google Play
1.8.2018 securityweek   Android

Google recently removed 145 applications from Google Play after they were found to carry malicious Windows executables inside, Palo Alto Networks reveals.

Most of the infected applications, Palo Alto's researchers say, were uploaded to the application store between October and November 2017 and remained there for over half a year. Google removed all of them after being alerted on the issue.

While not representing a threat to the Android users who downloaded and installed them, the malicious code within these APKs is proof of the dangers posed by supply chain attacks: the software developers built these applications on compromised Windows systems.

Some of the infected Android applications had over 1000 downloads and 4-star ratings before being removed from Google Play.

The security researchers discovered that some of the infected APKs contained multiple malicious PE files at different locations, with different names. However, two malicious files were found embedded in most applications.

One of the files was present in 142 APKs, while the second had infected 21 APKs. The security firm also found 15 apps with both PE files inside, as well as some APKs with a number of other malicious PE files inside.

The researchers also note that one malicious PE file that infected most of the Android apps was a keylogger. The malicious program attempted to log keystrokes, including sensitive information like credit card numbers, social security numbers and passwords.

To appear legitimate, these files use fake names, including Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

When executed on Windows systems, the malicious PE files would create executable and hidden files in Windows system folders, including copies of themselves, would change Windows registry to auto-start after system restart, would attempt to sleep for long periods of time, and also showed suspicious network connection activities to IP address 87.98.185.184 via port 8829.

“Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environment for different apps,” Palo Alto Networks says.

The malicious PE files cannot directly run on Android devices, but, if the APK is unpacked on a Windows machine and malicious code executed, the system becomes infected. As Palo Alto Networks points out, the situation could become much worse if the developers are infected with malicious files that can run on Android.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,” the security firm concludes.


Medical System Notifies 1.4M Patients About Computer Breach
1.8.2018 securityweek   Incindent

A major Iowa hospital and medical clinic system has notified about 1.4 million patients and former patients about a computer breach that might have exposed their personal information.

UnityPoint Health officials say hackers used broke into the company's email system and could have obtained medical information.

UnityPoint's privacy officer, RaeAnn Isaacson, said Monday the company isn't aware of any misuse of patient information related to the incident. But she says the company is telling patients what UnityPoint is doing to address the situation and what patients can do to help protect their information.

The company says the hackers also might have obtained some patients' financial information.

UnityPoint say that after the problem was discovered May 31, it hired outside experts and notified the FBI.


SamSam Ransomware operators earned more than US$5.9 Million since late 2015
1.8.2018 securityaffairs 
Ransomware

The security experts from Sophos have published a report on the multimillion-dollar black market business for crooks, they analyzed the SamSam ransomware case as a case study.

The researchers that have tracked Bitcoin addresses managed by the crime gang discovered that crooks behind the SamSam ransomware had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.

“In total, we have now identified 157 unique addresses which have received ransom payments as well as 89 addresses which have been used on ransom notes and sample files but, to date, have not received payments,” continues the report published by Sophos.

“By analyzing the payments, and comparing this with ransom notes at the time, we can estimate the number of individual victims who have chosen to pay at least some of the ransom amount stands at 233 as of July 19th 2018. With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom. “

SamSam report 1
SamSam ransomware payments

The attackers deploy the SamSam ransomware manually by compromising RDP on the target machine, this aspect makes SamSam infections different from the ones associated with other ransomware that leverages spam campaigns or malvertising.

The attackers carry on brute-force attacks on RDP of the target system, some time they leverage credentials obtained from ot