Cyber espionage campaign targets Samsung service centers in Italy
19.7.2018 securityaffairs CyberSpy
Security researchers from Italian security firm TG Soft have uncovered an ongoing malware campaigns targeting Samsung service centers in Italy.
“TG Soft’s Research Centre (C.R.A.M.) has analyzed the campaign of spear-phishing on 2 april 2018 targeting the service centers of Samsung Italy.” reads the analysis published by TG Soft.
“The campaign analyzed is targeting only the service centers of Samsung Italy, it’s an attack multi-stage and we have monitored it until July 2018″
The campaign has similarities with the attacks campaigns that targeted similar electronics service centers in Russia that was discovered by Fortinet in June. The attackers’ motivation is still unclear, experts explained that the malicious code is not particularly sophisticated.
The attackers used spear-phishing emails sent to Samsung Italy service center workers. The messages have attached weaponized Excel documents.
The documents trigger the CVE-2017-11882 Office Equation Editor vulnerability to infect users.
According to a technical report published by the experts, this attack and the one against Russian service centers offering maintenance and support for various electronic goods started in the same period, in March.
While Russian service centers were hit by the Imminent Monitor RAT, the attacks on Samsung Italy service centers also involved other RATs, such Netwire and njRAT.
The quality of the spear phishing messages was high in both campaigns, they appear to have been written by a native in Italian and Russian, respectively.
The attachment used in this campaign is an Excel document titled “QRS non autorizzati.xlsx,” while the phishing messages are signed with the name of the Samsung IT Service Manager, a real employee of Samsung Italia, and includes the email and phone numbers of the employee.
At the time, the experts were not able to attribute the attack to a specific threat actor. The electronics service centers appear not particularly interesting for attackers because the volume of data it manage is little.
Probably the attackers want to compromise remote management tools used by these services in order to gain control over the computers of the customers that request support to the electronics service centers.
“Command and control servers use services like noip.me or ddns.net, which in combination with a VPN, allow hiding the IP address of the server where the exfiltrated data is sent.” concludes the report.
“During the analysis in some cases, the C2 servers were not online and the RAT failed to contract them, and then returns active after a few tens of hours with a new IP address.
The actors behind this attack remain unknown …”
The Italian version of the report that includes also the IoCs is available here.
QUASAR, SOBAKEN AND VERMIN RATs involved in espionage campaign on Ukraine
19.7.2018 securityaffairs Virus
Security experts from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions and involving three different RATs, including the custom-made VERMIN.
Security researchers from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions, attackers used at least three different remote access Trojans (RATs).
The campaign was first spotted in January by experts from PaloAlto Networks when the researchers discovered a new piece of malware tracked VERMIN RAT targeting Ukraine organizations.
“Pivoting further on the initial samples we discovered, and their infrastructure, revealed a modestly sized campaign going back to late 2015 using both Quasar RAT and VERMIN.” reads the report from PaloAlto Networks.
Back to the present, the experts discovered that the attackers used several RATs to steal sensitive documents, the researchers collected evidence of the involvement of the Quasar RAT, Sobaken RAT, and Vermin.
The Quasar RAT is available for free on GitHub, many other attackers used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats. Sobaken is an improved version of Quasar RAT, that includes several anti-sandbox and other evasion mechanisms.
The RATs have been used against different targets at the same time, experts noticed they share some infrastructure and connect to the same C&C servers.
The threat actors don’t have advanced skills, their attack vector is spear phishing messages and they have been quite successful in using social engineering to lure victims into opening the email and downloading and executing the malicious codes.
“Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time.” Reads the analysis published by ESET.
“We were able to trace attacker activity back to October 2015; however, it is possible that the attackers
have been active even longer. These attackers use three different .NET malware strains in their attacks – Quasar RAT, Sobaken (a RAT derived from Quasar) and a custom-made RAT called Vermin. All three malware strains have been in active use against different targets at the same time, they share some infrastructure and connect to the same C&C servers.”
Some emails carried weaponized Word documents attempting to exploit CVE-2017-0199, attackers used a dropper masquerades as a legitimate software (i.e. Adobe, Intel or Microsoft) to deliver the final payload.
The threat actors used a scheduled task that executes the malware every 10 minutes to achieve persistence on the infected machine.
“The installation procedure is the same for all three malware strains used by these attackers. A dropper drops a malicious payload file (Vermin, Quasar or Sobaken malware) into the %APPDATA% folder, in a subfolder named after a legitimate company (usually Adobe, Intel or Microsoft).” continues the report.
“Then it creates a scheduled task that runs the payload every 10 minutes to ensure its persistence.”
Since mid-2017, the threat actors adopted steganography to bypass content filtering by hiding the payloads in images that were hosted on the free image hosting websites saveshot.net and ibb.co.
The malicious code executed only on hosts where the Russian or Ukrainian keyboard layouts are installed, it also checks the IP address and the username on the target machine.
To avoid automated analysis systems, that often use tools like Fakenet-NG where all DNS/HTTP communication succeeds and returns some result, the malware generates a random
website name/URL and attempt to connect it. If the connection fails in some cases the system could be considered real and not a virtualized environment used by researchers.
“Among the many different malware attacks targeted at high value assets in Ukraine, these attackers haven’t received much public attention – perhaps because of their initial use of open-source-based malware before developing their own strain (Vermin).” concludes the report.
“Employing multiple malware families, as well as various infection mechanisms – including common social engineering techniques but also not-so-common steganography – over the past three years, could be explained by the attackers simply experimenting with various techniques and malware, or it may suggest operations by multiple subgroups.”
Further details on the campaign, including the IoCs are included in the report.
US Biggest Blood Testing Laboratories LabCorp suffered a security breach
19.7.2018 securityaffairs Incindent
Hackers have breached the network at LabCorp, one of the largest diagnostic blood testing laboratories in the US, millions of Americans potentially at risk.
The biggest blood testing laboratories network in the US, LabCorp has suffered a security breach. The company announced the incident on Monday, the security breach occurred over the weekend.
The hackers breached into the LabCorp Diagnostic systems, but the company says there’s no indication that attackers compromised also the systems used by its drug development business Covance.
“At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation,” it said, in its statement.
LabCorp did not share further details about the security breach, in response to the incident the company shut down part of its infrastructure.
“LabCorp immediately took certain systems offline as part of its comprehensive response to contain the activity,” the firm said in a 8-K filed with the Securities and Exchange Comission.
“This temporarily affected test processing and customer access to test results over the weekend. Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed today, and we anticipate that additional systems and functions will be restored through the next several days,”
Mike Thomas, a technologist at LabCorp, works with patient samples at the company’s location in Burlington. JULIE KNIGHT – Source www.bizjournals.com
The company is currently testing operations that have been resumed, other suctions will be fully restored in the next days, meantime some customers may face brief delays.
“We anticipate that additional systems and functions will be restored throughout the next several days,” it added. “Some customers of LabCorp Diagnostics may experience brief delays in receiving results as we complete that process.”
The hack might have severe consequences for millions of Americans due to the potential extent of the breached networks that connects thousands of hospitals and testing facility offices worldwide.
How crooks conduct Money Laundering operations through mobile games
19.7.2018 securityaffairs Mobil
Experts uncovered a money laundering ring that leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards.
A money laundering ring leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards and then sells these game premiums on online forums and within gaming communities.
The money laundering operation was unveiled by the US Department of Justice, the investigation started in mid-June when the experts from Kromtech Security discovered a MongoDB database exposed online. The database was containing information related to carders’ activities, the database contained 150,833 unique cards records (card number, expiration date, and CCV)
“Following our MongoDB investigations and honey pots deployments from the beginning of this year, we did another round of security audit of unprotected MongoDB instances. In June 2018 we have spotted a strange database publicly exposed to the public internet (no password/login required) along with a large number of credit card numbers and personal information inside.” reads the blog post published by Kromtech Security.
“As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old. So we dug much deeper.”
The activity of the criminal gang behind the operation is simple as effective. Crooks used a special tool to create iOS accounts using valid emails accounts, then they associated with the accounts the stolen payment cards. Most of the created accounts are specific to users located in Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.
The group then made the jailbreaking of iOS devices to install various games, create in-game accounts, and use them to purchase game features or premiums.
The cash out was made later when crooks re-sold the game features or premiums online for real money.
Experts found credit cards belong to 19 different banks, they speculated they were probably bought on the specific carder markets where they were offered in groups of 10k, 20k, 30k.
The list of mobile games used by the cybercriminals includes popular apps such as Clash of Clans and Clash Royale developed by Supercell, and Marvel Contest of Champions developed by Kabam.
The three apps have a gaming community of over 250 million users and generate approximately $330 million USD a year in revenue. Associated third-party markets are very active, websites like g2g.com to allow gamers to buy and sell resources and games, a great opportunity for crooks involved in money laundering.
“It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.” reported Kromtech Security.
App Offered by Android Users Release Metacritic score In-app Products price per item Daily revenue $
Clash of Clans Supercell 100 000 000+ 2012 74/100 $0.99 – $99.99 per item 684 002 250M
Clash Royale Supercell 100 000 000+ 2016 86/100 $0.99 – $99.99 per item 153 150 56M
Marvel Contest of Champions Kabam 50 000 000+ 2014 76/100 $0.99 – $99.99 per item 64 296 23.5M
The experts also found that the Apple was employing lax credit card verification process when users add payment card data to iOS accounts, advantaging fraudulent activities. The experts noticed that cards with improper names and addresses were approved by Apple, for this reason, they notified their discovery to Apple.
The experts also highlighted that game makers do not implement necessary measures to prevent such kind of abuses. For example, the game makers do not control the interaction of tools like Racoonbot with Supercell games that are used to automate the premium feature buying operations.
“Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of the Clans. It advertises itself in it’s forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further enhance the profit from the stolen credit cards. It’s a direct violation of Supercell policy, it aids in laundering money, and it also remains in operation.” continues the analysis.
“iGameSupply is an approved marketplace for selling Racoonbot generated gems https://www.raccoonbot.com/forum/forum/80-approved-marketplace/“
Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online
19.7.2018 securityaffairs BigBrothers
A security researcher has discovered that the US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.
The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.
The researcher Bob Diachenko from Kromtech Security discovered the company database exposed online. The expert was using the online service GrayhatWarfare that could be used to search publicly exposed Amazon Web Services data storage buckets.
The company offers for sale voter records for a price of 3¢/record, the same data that left exposed online.
Querying the system for the term “voters” he found the AWS bucket used by RoboCent.
The bucked discovered by the expert contained 2,584 files, exposed voters’ data includes:
Full Name, suffix, prefix
Phone numbers (cell and landlines)
Address with house, street, city, state, zip, precinct
Political affiliation provided by state, or inferred based on voting trends/history
Age and birth year
Jurisdiction breakdown based on district, zip code, precinct, county, state
Demographics based on ethnicity, language, education
The server also contained audio files with prerecorded political messages used for the robo-calling service.
“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.
“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”
Diachenko responsibly disclosed the discovery to the company that quickly secured the bucket, below the message sent by a developer of the company that solved the issue.
“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”
This isn’t the first case of unsecured Amazon S3 buckets exposed online, in June 2017 DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.
In December 2017, Diachenko discovered another an exposed MongoDB database containing voter registration data for more than 19 million California residents.
Okta Acquires Access Control Startup ScaleFT
19.7.2018 securityweek IT
Enterprise identity management firm Okta this week announced that it has acquired ScaleFT, a company that offers a Zero Trust access control platform.
Okta provides a Single Sign-On (SSO) solution to help customers efficiently manage user accounts across the enterprise and eliminate passwords while simplifying access. With Multi-factor Authentication (MFA), it provides strong authentication various services, with over 5,500 pre-built integrations to applications and infrastructure providers.
Founded in 2015, ScaleFT’s access management platform was inspired by Google’s BeyondCorp security model, which provides remote access without the use of a VPN (virtual private network).
With this acquisition, publicly traded Okta (NASDAQ:OKTA), which already helps over 4,700 organizations both secure and manage their extended enterprise, plans to bring Zero Trust to corporations with a framework to protect sensitive data without compromising on experience.
By combining ScaleFT’s Zero Trust platform with its own Identity Cloud, Okta aims to help organizations easily validate users, devices, application and network information while also securing access to data from cloud to ground.
“Companies have realized they can no longer trust their network and have to understand device security — instead of trusting everyone behind a firewall, now IT and security leaders must trust no one, inside or outside the organization,” Frederic Kerrest, Chief Operating Officer and co-founder, Okta, said.
“To help our customers increase security while also meeting the demands of the modern workforce, we’re acquiring ScaleFT to further our contextual access management vision — and ensure the right people get access to the right resources for the shortest amount of time,” Kerrest continued.
The Zero Trust security paradigm requires organizations to move away from the traditional approach of perimeter-based security that included static credentials and access controls, and to focus on adaptive and context-aware controls instead, for making continuous access decisions.
Following the acquisition, ScaleFT CEO and co-founder Jason Luce will manage the transition, while CTO and co-founder Paul Querna will lead strategy and execution of Okta's Zero Trust architecture. Marc Rogers, CSO, will join Okta as Executive Director, Cybersecurity Strategy.
Cisco Finds Serious Flaws in Policy Suite, SD-WAN Products
19.7.2018 securityweek Vulnerebility
Cisco informed customers on Wednesday that it has found and patched over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products.
The networking giant reported discovering four critical flaws in Policy Suite during internal testing. Two of these security holes are unauthenticated access issues that allow a remote attacker to access the Policy Builder interface and the Open Systems Gateway initiative (OSGi) interface.
Once they gain access to the Policy Builder interface, which is exposed due to a lack of authentication, attackers can make changes to existing repositories and create new repositories. The OSGi interface allows an attacker to access or change any file accessible by the OSGi process.
The lack of an authentication mechanism also exposes the Policy Builder database, allowing an attacker to access and change any data stored in it.
Cisco also discovered that the Cluster Manager in Policy Suite has a root account with default and static credentials. A remote attacker can log in to this account and execute arbitrary commands with root privileges.
These critical Policy Suite vulnerabilities are tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376 and CVE-2018-0377.
Cisco has also fixed a total of seven flaws in its SD-WAN solution. The only one of these vulnerabilities that can be exploited remotely without authentication impacts the Zero Touch Provisioning service and it allows an attacker to cause a denial-of-service (DoS) condition.
The other SD-WAN security holes, which require authentication, can be exploited to overwrite arbitrary files on the underlying operating system, and execute arbitrary commands with vmanage or root privileges. One of the SD-WAN bugs requires both authentication and local access for exploitation.
Cisco also informed customers that its Nexus 9000 series Fabric switches, specifically their DHCPv6 feature, are impacted by a high severity flaw that can be exploited by a remote and unauthenticated attacker to cause a DoS condition.
The company has also assigned a high severity rating to multiple vulnerabilities affecting the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. The security bugs can be exploited for arbitrary code execution by getting the targeted user to open specially crafted ARF or WRF files using the affected player.
None of the vulnerabilities patched this week appear to have been exploited for malicious purposes.
ABB to Patch Code Execution Flaw in HMI Tool
19.7.2018 securityweek Vulnerebility
Swiss industrial tech company ABB is working on a patch for a serious arbitrary code execution vulnerability affecting one of its engineering tools.
The security hole, tracked as CVE-2018-10616, impacts all versions of Panel Builder 800. ABB’s Panel 800 devices provide operator panels for process automation systems, and the Panel Builder is an engineering tool for the process panels included in the product suite. According to ICS-CERT, which published an advisory this week, the tool is used worldwide in the chemical, critical manufacturing, dams, energy, water, and food and agriculture sectors.ABB Panel Builder 800 vulnerabilities
Researchers discovered that the HMI tool, specifically its file parser component, is affected by a high severity improper input validation flaw that can allow an attacker to run arbitrary code on the device hosting the affected utility.
A remote attacker can exploit the vulnerability for arbitrary code execution by tricking a local user into opening a specially crafted file. The weakness cannot be exploited without user interaction, ABB pointed out.
The vendor says it’s working on a patch. In the meantime, it has advised customers to ensure that their employees are aware of the threat posed by opening malicious files with the Panel Builder tool, to scan files transferred between devices, and avoid giving users more permissions than required for their job.
ABB says it’s not aware of any malicious exploits targeting this vulnerability and details of the security hole have not been publicly disclosed.
The vulnerability was reported to ABB by Michael DePlante of the Leahy Center for Digital Investigation at Champlain College and Michael Flanders of Trend Micro, both working with the Zero Day Initiative (ZDI).
ZDI lists over 30 upcoming advisories for vulnerabilities discovered by DePlante and Flanders in ABB products, and a majority have been assigned CVSS scores of 9.3, which puts them in the critical severity category. While there are more than 30 advisories, ZDI often publishes a separate advisory for each variation of a flaw, but vendors typically view them as a single issue and only one CVE identifier gets assigned to them.
APT Trends Report Q2 2018
19.7.2018 Kaspersky APT
In the second quarter of 2017, Kaspersky Lab’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports, in an effort to make the public aware of the research we have been conducting. This report serves as the latest installment, focusing on the relevant activities that we observed during Q2 2018.
These summaries are a representative snapshot of what has been discussed in greater detail in our private reports. They aim to highlight the significant events and findings that we feel people should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact: firstname.lastname@example.org.
Remarkable new findings
We are always interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. Q2 2018 was very interesting in terms of APT activity, with a remarkable campaign that reminds us how real some of the threats are that we have been predicting over the last few years. In particular, we have warned repeatedly how ideal networking hardware was for targeted attacks, and that we had started seeing the first advanced sets of activity focusing on these devices.
In terms of well-known groups, Asian actors were the most active by far.
Lazarus/BlueNoroff was suspected of targeting financial institutions in Turkey as part of a bigger cyberespionage campaign. The same actor was also suspected of a campaign against an online casino in Latin America that ended in a destructive attack. Based on our telemetry, we further observed Lazarus targeting financial institutions in Asia. Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor. One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME.
Even if it is unclear what the role of Lazarus will be in the new geopolitical landscape, where North Korea is actively engaged in peace talks, it would appear that financially motivated activity (through the BlueNoroff and, in some cases, the Andariel subgroup) continues unabated.
Possibly even more interesting is the relatively intense activity by Scarcruft, also known as Group123 and Reaper. Back in January, Scarcruft was found using a zero-day exploit, CVE-2018-4878 to target South Korea, a sign that the group’s capabilities were increasing. In the last few months, the use of Android malware by this actor has been discovered, as well as a new campaign where it spreads a new backdoor we call POORWEB. Initially, there was suspicion that Scarcruft was also behind the CVE-2018-8174 zero day announced by Qihoo360. We were later able to confirm the zero day was actually distributed by a different APT group, known as DarkHotel.
The overlaps between Scarcruft and Darkhotel go back to 2016 when we discovered Operation Daybreak and Operation Erebus. In both cases, attacks leveraged the same hacked website to distribute exploits, one of which was a zero day. We were later able to separate these as follows:
Operation Exploit Actor
Daybreak CVE-2016-4171 DarkHotel
Erebus CVE-2016-4117 Scarcruft
DarkHotel’s Operation Daybreak relied on spear-phishing emails predominantly targeting Chinese victims with a Flash Player zero day. Meanwhile, Scarcruft’s Operation Erebus focused primarily on South Korea.
Analysis of the CVE-2018-8174 exploit used by DarkHotel revealed that the attacker was using URLMoniker to invoke Internet Explorer through Microsoft Word, ignoring any default browser preferences on the victim’s computer. This is the first time we have observed this. It is an interesting technique that we believe may be reused in future for different attacks. For more details check our Securelist Blog: “The King is Dead. Long Live the King!“.
We also observed some relatively quiet groups coming back with new activity. A noteworthy example is LuckyMouse (also known as APT27 and Emissary Panda), which abused ISPs in Asia for waterhole attacks on high profile websites. We wrote about LuckyMouse targeting national data centers in June. We also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China.
Still, the most notable activity during this quarter is the VPNFilter campaign attributed by the FBI to the Sofacy and Sandworm (Black Energy) APT groups. The campaign targeted a large array of domestic networking hardware and storage solutions. It is even able to inject malware into traffic in order to infect computers behind the infected networking device. We have provided an analysis on the EXIF to C2 mechanism used by this malware.
This campaign is one of the most relevant examples we have seen of how networking hardware has become a priority for sophisticated attackers. The data provided by our colleagues at Cisco Talos indicates this campaign was at a truly global level. We can confirm with our own analysis that traces of this campaign can be found in almost every country.
Activity of well-known groups
It seems that some of the most active groups from the last few years have reduced their activity, although this does not mean they are less dangerous. For instance, it was publicly reported that Sofacy started using new, freely available modules as last stagers for some victims. However, we observed how this provided yet another innovation for their arsenal, with the addition of new downloaders written in the Go programming language to distribute Zebrocy.
There is possibly one notable exception to this supposed lack of activity. After the Olympic Destroyer campaign last January against the Pyeongchang Winter Olympic games, we observed new suspected activity by the same actor (we tentatively called them Hades) in Europe. This time, it seems the targets are financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.
But even more interesting is the resemblance between the TTPs and OPSEC of the Olympic Destroyer set of activity and those of Sofacy. Olympic Destroyer is a master of deception, so this may be yet another false flag, but so far we connect, with low to medium confidence, the Hades group activity to Sofacy.
One of the most interesting attacks we detected was an implant from Turla (attributed to this actor with medium confidence) that we call LightNeuron. This new artefact directly targets Exchange Servers and uses legitimate standard calls to intercept emails, exfiltrate data and even send mails on behalf of the victims. We believe this actor has been using this technique since maybe as early as 2014, and that there is a version affecting Unix servers running Postfix and Sendmail. So far we have seen victims of this implant in the Middle East and Central Asia.
Newcomers and comebacks
Every now and then, we are surprised to see old actors that have been dormant for months or even years distributing new malware. Obviously, this may be caused by a lack of visibility, but regardless of that, it indicates that these actors are still active.
One good example would be WhiteWhale, an actor that has been extremely quiet since 2016. We detected a new campaign last April where the actor was distributing both the Taidoor and Yalink malware families. This activity was almost exclusively targeting Japanese entities.
Following the intense diplomatic activity around the North Korea peace talks and the subsequent summit with the U.S. president in Singapore, Kimsuky decided to take advantage of this theme to distribute its malware in a new campaign. A massive update to its arsenal in late 2017 and early 2018 was mobilized in a new wave of spear-phishing emails.
We also discovered a new low-sophistication set of activity we call Perfanly, which we couldn´t attribute to any known actor. It has been targeting governmental entities in Malaysia and Indonesia since at least 2017. It uses custom multistage droppers as well as freely available tools such as Metasploit.
Between June and July, we observed a battery of attacks against various institutions in Kuwait. These attacks leverage Microsoft Office documents with macros, which drop a combination of VBS and Powershell scripts using DNS for command and control. We have observed similar activity in the past from groups such as Oilrig and Stonedrill, which leads us to believe the new attacks could be connected, though for now that connection is only assessed as low confidence.
The combination of simple custom artefacts designed mainly to evade detection, with publicly available tools for later stages seems to be a well-established trend for certain sets of activity, like the ones found under the ‘Chinese-speaking umbrella’, as well as for many newcomers who find the entry barrier into APT cyberespionage activity non-existent.
The intermittent activity by many actors simply indicates they were never out of business. They might take small breaks to reorganize themselves, or to perform small operations that might go undetected on a global scale. Probably one of the most interesting cases is LuckyMouse, with aggressive new activity heavily related to the geopolitical agenda in Asia. It is impossible to know if there is any coordination with other actors who resurfaced in the region, but this is a possibility.
One interesting aspect is the high level of activity by Chinese-speaking actors against Mongolian entities over the last 10 months. This might be related to several summits between Asian countries – some related to new relations with North Korea – held in Mongolia, and to the country’s new role in the region.
There were also several alerts from NCSC and US CERT regarding Energetic Bear/Crouching Yeti activity. Even if it is not very clear how active this actor might be at the moment (the alerts basically warned about past incidents), it should be considered a dangerous, active and pragmatic actor very focused on certain industries. We recommend checking our latest analysis on Securelist because the way this actor uses hacked infrastructure can create a lot of collateral victims.
To recap, we would like to emphasize just how important networking hardware has become for advanced attackers. We have seen various examples during recent months and VPNFilter should be a wake-up call for those who didn’t believe this was an important issue.
Coinvault, the court case
19.7.2018 Kaspersky Cryptocurrency
Today, after almost 3 years of waiting, it was finally the day of the trial. In the Netherlands, where the whole case took place, the hearings are open to the public. Meaning anyone who is interested can visit. And it was quite busy. Because besides the suspects, their lawyers, the judges and the prosecutor there were also several members of the press, a sketch artist (to make a drawing of the suspects), several members of the Dutch police, a few victims and other people who were interested in the case.
The defence started by calling the public prosecution service “niet ontvankelijk” for one of the defendants, meaning they are not allowed to prosecute the case. As a reason there was given that one of the defendants was underage during some of the actions. However, all three of the judges also do cases concerning underaged defendants and after a quick consultation with each other they decided to continue.
The hearing was resumed with what the two brothers were accused of:
Breaking into computers;
Make other people’s work inaccessible;
Extortion of 1295 people.
For us it was quite interesting to understand how they came up with the number of 1295 people, because when we released our final decryption tool we had at least 14k keys. So most likely much more people were infected. In fact, we think a zero could be added to 1295 to give a more realistic view on the number of victims.
The judge then went on with was basically a summary of the case. What happened, why did they do certain things etc. We as researchers often guess about motives behind actions, but we can never be 100% certain until there is a confession of the criminal. One of such an example is the amount of ransom to pay. During the time this all took place the brothers wanted 1 bitcoin as a ransom, which was worth about 220 euro at the time. We always say that we believe ransomware criminals choose a relatively small amount to make it more attractive to pay. When the judge asked the same question they gave exactly this answer. Always good to see your theories being confirmed 🙂
Some other interesting facts were that the case file was too big to fit in a moving box, they made around 20k euro (10k each), they didn’t stop with making ransomware because of the technical challenges, they accepted the risk of C2 seizure and they didn’t really see the influence their actions had on the victims. One of the judges then asked how this was possible, because they had a helpdesk where victims could e-mail to in case they had problems. All their “helpdesk” replies were that the victims just had to pay. The answers they gave to the judge weren’t very convincing.
The suspects mentioned though they started the helpdesk because their malware had some implementation mistakes (files were encrypted twice for example). A consequence of this is that even today, despite releasing our decryption tool which has all the keys, some victims were not able to recover all of their files. There was even one victim who mentioned that he just deleted all of his files because he didn’t believe a decryption tool would come available.
Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path. When we worked with the police on this case they kindly asked us to remove that screenshot (which we did), so that the suspects didn’t realize they made a mistake. During the court case they mentioned that they read the blogpost and saw their name and they were on the edge of stopping their campaign, but ultimately decided not to.
It then continued with claims by victims who paid money to get their files back. One of the victims was interested in Bitcoin and decided to pay the ransom. However, he already had some bitcoins on his computer, which were stolen by the suspects (the software supported this functionality) and now he wanted his bitcoin back :). One other victim had his own company and this took place while he was on vacation. He wanted 5000 euro because the suspects ruined his vacation and with the 5000 euro he could go on vacation again.
Now it was time for the prosecutor: twelve months of jail time will all but three suspended. Effectively this comes down to three months – the time they already did * ⅔ = about two months of jail. The lawyers then requested (since they made a full confession, wanted to help the victims getting their files back, etc) many hours of community service. One of the reasons not request jail time was because: “Bitcryptor is not malware”. But BitCryptor was the follow up of Coinvault, different name for the same software. Nobody really understood the quote, except for the lawyer, since it was obvious malware and made some victims.
In two weeks, on the 26th of July at 13:00 CET we know the outcome.
Vulnerability or Not? Pen Tester Quarrels With Software Maker
19.7.2018 securityweek Vulnerebility
Security Industry Battles Over Testing Methods
Researcher Publishes PoC; Vendor Says it's Not a Vulnerability
A SpiderLabs security researcher has published details of what he considers to be a vulnerability in the RLM web application provided by Reprise Software. Reprise CEO Matt Christiano has told SecurityWeek, it is not a vulnerability.
RLM is the Reprise License Manager, described by Reprise as "a flexible and easy-to-use license manager with the power to serve enterprise users." The researcher is Adrian Pruteanu, security consultant with SpiderLabs at Trustwave.
During a penetration engagement, Pruteanu writes, "I was able to identify a critical vulnerability which allowed me to execute code on the server, eventually leading to full domain compromise. Regrettably, despite my best efforts, the vendor has refused to issue patches as they do not believe these findings to be vulnerabilities."
Christiano responded, "The issue described in the [SpiderLabs] article is certainly not a vulnerability, it is misuse of the product."
Pruteanu claims RLM allows users (and attackers) to read and write data to any file on disk provided RLM has access to it. By default, RLM's web server running on port 5054, does not require authentication. This allows an attacker to write malware to the user startup folder without administrator access and even if RLM.exe is running under a low-privilege user. If RLM.exe is privileged, the malware can be written to the All Users Startup folder.
Christiano retorts, "RLM does not require elevated permissions to perform any operation, and is designed to be run in a segregated, non-privileged account. To install the program as root/administrator is simply negligent. This is clearly documented."
Christiano goes on to state that port 5054 was assigned to RLM by IANA in 2008. Furthermore, he adds, "License server machines are rarely internet-facing, and when they are, port 5054 is not required for operation, and should not be enabled thru the company's firewall."
The researcher provides a full proof of concept (PoC) for his 'vulnerability'. He also located a cross-site scripting (reflected) vulnerability in the lf parameter of the /goform/edit_lf_get_data URL in RLM's web interface. RLM does not enforce POST for this URL and the payload can also be passed with a GET request.
What worries the researcher even more than the vulnerabilities themselves (vulnerabilities can be fixed through responsible disclosure) has been the vendor's support staff response to the disclosure. Pruteanu reports, "During our email correspondence the general theme could be wrapped up in the following quotes: 'We tell end users not to run the rlm server (which implements the web server) in privileged mode. There is no reason it needs to run with elevated privileges'."
Pruteanu's response is that users typically ignore best practices and leave pre-existing defaults untouched.
Reprise support continued, "We do not consider this a vulnerability, any more than vi or notepad are vulnerabilities. Of course, NO ONE should run the servers as root/administrator; if they do, they deserve what they get. They can, also, disable the web interface, or, if they want to run it, they can enable logins for it. So there are plenty of opportunities for an admin to prevent any file writing."
Christiano expanded on his support staff comments. He clearly sees the issue as user or installer security misconfiguration (#6 in OWASP's current Top Ten Web Application Risks) rather than a vulnerability. "SpiderLabs refused to identify the 'customer' with this 'problem', denying us the opportunity to review our ISV's installation procedures and correct them," he said.
Of course, SpiderLabs is almost certainly enjoined by customer NDAs not to mention it by name. "One could argue," continued Christiano, "that SpiderLabs cares less about solving the problem than they do about creating sensational headlines to generate more business. I am not arguing that, but one could."
The timeline for the researcher's attempted responsible disclosure is short and limited. Over the course of just 13 days in May 2018, the researcher claims that he disclosed the vulnerabilities; the vendor, he says, refused to accept they are vulnerabilities and refused to patch; the researcher encouraged the vendor to reconsider; and the vendor chose to discontinue communication. There was no route to escalate the issue beyond the support person; and Pruteanu feels he had no alternative but to go to public disclosure.
But Christiano refutes this. "We did correspond with SpiderLabs thru June 2018 (not May)," he told SecurityWeek, "and described the situation to them; we received no further reply from them until they provided you with this misleading information."
"The biggest problem we run into during the disclosure process," comments Pruteanu "is getting the disclosure in front of the correct audience. Even though these vendors are basically getting a free audit that helps them secure their products for their customers, we are often met with hostility simply because they are unsure how to handle the report. If you don't have the capability to support this process in house there are third party options like Bugcrowd."
Christiano replies, "It is not at all clear how [SpiderLabs] did their testing, or how the software was installed. Clearly, it was installed incorrectly. Finally, Reprise has never refused to address any security vulnerability in any of our products."
It comes down to whether 'allowing' misconfiguration is in itself a vulnerability. Pruteanu believes it is. Christiano believes it is not, and that software installers have a responsibility to configure applications in the way intended and advised.
Chicago-based data security and compliance solutions firm Trustwave was acquired by Singapore Telecommunications (Singtel) for $810 million in cash in April 2015.
Russia Targeted by Almost 25 Million Cyber-Attacks During World Cup: Putin
19.7.2018 securityweek BigBrothers
Russia was the target of almost 25 million cyber-attacks during the World Cup, President Vladimir Putin said, though he did not indicate who may have been behind the attacks.
"During the period of the World Cup, almost 25 million cyber-attacks and other criminal acts on the information structures in Russia, linked in one way or another to the World Cup, were neutralised," Putin said during a meeting on Sunday with security services.
The president, whose comments were reported by the Kremlin on Monday, gave no information on the nature or possible origins of the cyber-attacks.
"Behind this (World Cup) success lies huge preparatory, operational, analytical and information work, we operated at maximum capacity and concentration," said Putin.
Russia, which hosted the World Cup from June 14 to July 15 in 11 cities and 12 stadiums, has been repeatedly accused by Western countries of conducting cyber-attacks.
On Friday, 12 Russian military intelligence officers were charged with hacking Hillary Clinton's 2016 presidential campaign and the Democratic Party in a stunning indictment three days before President Donald Trump meets with Putin in Helsinki on Monday.
The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the November 2016 vote and whether any members of Trump's campaign team colluded with Moscow.
Proposed EU Cybersecurity Product Certification Scheme Has Global Effects
19.7.2018 securityweek Cyber
The European Union is active in passing cybersecurity legislation ostensibly for the European Union but with worldwide ramifications. The General Data Protection Regulation (GDPR), and the Payment Services Directive 2 (PSD2) are recent examples. This process is similar on a global scale to California on a U.S. federal scale -- the respective markets are so important that vendors tend to comply generally.
There is more coming from the EU: the proposed Cybersecurity Act (9350/18) (PDF). On July 10, the proposal passed one of the major hurdles for new legislation when it was approved by the European Parliament's Industry Committee by 55 votes to five with one abstention. The key features of the proposal are to give more authority, budget and responsibility to the European Union Agency for Network and Information Security (ENISA); and to develop "European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT processes, products and services in the Union."
The likelihood of the proposal proceeding to binding legislation can be gauged by the Industry Committee's reaction: it seeks to strengthen the proposal by making the certification mandatory for the critical infrastructure industries (the original proposal does not require certification, suggesting it should be voluntary). At this stage we do not know the details of the final outcome, but we can be fairly certain that there will be a new unified European certification scheme designed, developed and operated by ENISA.
The scope of the certification scheme is wide. Title III, paragraph 2 of the Act states, "The European cybersecurity certification framework defines a mechanism to establish European cybersecurity certification schemes and to attest that the ICT processes, products and services that have been evaluated in accordance with such schemes comply with specified security requirements with the aim to protect the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, and services throughout their life cycle." It covers both traditional computer devices and the connected devices that comprise the Internet of Things (IoT).
The intention seems to be for ENISA to develop three levels of product assurance: basic, substantial and high.
The Cybersecurity Act generates mixed feelings, especially among non-EU companies operating or trading with Europe. There have been, and still are, many different security product certification schemes worldwide; and some feel that this will be just another burden placed on device manufacturers. Ilia Kolochenko, CEO of High-Tech Bridge is unsure of the need for a new scheme.
"Based on the information currently available about the ENISA certification," he told SecurityWeek, "I cannot see any substantially new or significantly better approach to cybersecurity or privacy compared to numerous already existing certifications, regulations or international standards such as ISO 27001."
The danger in new, locally-based, requirements is that they can further balkanize any attempts at global harmonization -- and given current global political and economic tensions, the result could do more harm than good. "In light of the escalating tariff war between the US and Europe," Kolochenko continued, "further segmentation of cybersecurity certifications and accreditations will inevitably bring more confusion and add unnecessary complexity -- let alone Russia or China with their own rules of the game. Different communities of experts will compete to make their standard slightly better, instead of joining their efforts to bring a unified global set of simple but efficient rules."
In August 2017, the IOT Cybersecurity Coalition wrote to the European Commission offering advice and voicing concerns. For example, it urges the EU to 'leverage existing best practices and global industry-led standards'.
"This avoids burdening multinational enterprises with the requirements of conflicting jurisdictions while facilitating interoperability, compatibility, reliability, and security on a global scale." This is part of the 'regulations inhibit innovation' argument. The Coalition fears that existing voluntary efforts "would be stymied by the slow and unitary nature of the EU standards development process should the EU move forward with mandatory standards, testing, and labelling requirements. Meanwhile, threat actors will continue to innovate unhindered."
Kolochenko touches on this concern. "One should be careful not to overestimate the value of a certification. Certification is merely a beautiful facade, behind which there is a reality. We have seen quite a few breaches of PCI DSS certified merchants and similarly notorious cases." He is concerned that industry will spend more time on ensuring that products they use are correctly certified than on ensuring their digital premises are really secure. "Paper security may undermine practical security," he said.
The Coalition considers the potential for a false sense of security based on trust labels that could potentially have been issued several years earlier to be a concern. "Specifically," it says, "we remain concerned that pushing for generic or blanket cybersecurity labelling of IoT products could result in counterproductive technology mandates, new market access barriers, or roadblocks to innovation without necessarily bringing any real security or privacy benefits that could not otherwise be achieved on the basis of already existing instruments."
In February this year, AmCham EU (the American Chamber of Commerce to the European Union, claiming to be the voice of American business in Europe) published its own critique of the Cybersecurity Act. It welcomes the plan to convert ENISA into a permanent EU cybersecurity agency with greater power and resources, but urges the agency to strengthen its collaboration with industry "in an inclusive and transparent way."
AmCham has major reservations over the effect of certification on industry. "The framework should be voluntary and market-driven in nature as companies should be able to develop the security system features best for their unique risk situation... The proposal should also take into account the possibility of self-declaration."
Kolochenko doesn't think this is likely -- or if initially possible, it will necessarily remain so. "Of course, it’s a question of how the certification will be used and where it will be mandatory, but one may reasonably assume that European governmental entities and some companies will require it -- and prefer it to NIST or any foreign standards that have existed for more than a decade."
Transparency -- or its lack -- is as much a concern for AmCham as it is for the IOT Cybersecurity Coalition. "The proposed process lacks provisions for adequate transparency and openness, and is ultimately not reflecting the provisions and best practices under the WTO Agreement on Technical Barriers to Trade."
Some concerns seem to have been met. "The limitation of the applicability of certifications to a maximum of three years under Article 48.6 is particularly problematic," says AmCham. The current draft proposal has struck out "a maximum period of three years" and replaced it with "the period defined by the particular certification scheme". Nevertheless, this concern links back to the 'false sense of security' concern: a product may have been in compliance when it was tested, but how can you guarantee it is still in compliance, or not vulnerable to a newly discovered zero-day vulnerability today?
Indeed, this raises a further legal or at least moral complication. If a product fails to meet its description, there is potential for legal action against the manufacturer. But if a product has been 'guaranteed' by ENISA certification and still fails, who is liable: the manufacturer, ENISA or the European Commission?
It would be wrong, however, to suggest that the proposed certifications are completely without support. "I welcome any initiative to increase the security and assurance of ICT products," comments Ed Williams, director EMEA of SpiderLabs at Trustwave; "given the current climate this legislation is welcome... ICT products can be difficult and complex: ensuring that security is baked in could, initially, be difficult but is clearly the correct thing to do -- secure by design is a must in 2018 and moving forward. I, for one," he added, "hope that this certification framework is successful in raising what is currently a low bar. Good luck!"
Russia's National Vulnerability Database Slow, Incomplete
19.7.2018 securityweek BigBrothers
Russia’s national vulnerability database is slow, incomplete and it focuses on security flaws that could pose a threat to the country’s IT systems, according to an analysis conducted by threat intelligence firm Recorded Future.
After analyzing the national vulnerability databases of the United States and China, Recorded Future has decided to take a look at Russia’s database, known as the BDU. The BDU is maintained by the Federal Service for Technical and Export Control of Russia (FSTEC), an agency whose role is to protect state secrets and provide support for counterespionage and counterintelligence missions.
Researchers discovered significant differences both in the number of vulnerabilities and the time it takes to add them to the database, compared to the databases run by China and the United States. For instance, while the US’s NVD stored information on nearly 108,000 security holes, the BDU only documented just over 11,000 flaws in March, when Recorded Future conducted its analysis.
As for the time it takes for a vulnerability to be included in the BDU, the average is 95 days, much more than in the United States (45 days) and China (11 days).
While Russia’s database only covers roughly 10 percent of known vulnerabilities, there are certain pieces of software and certain types of bugs that seem more important to the maintainers of the database.
Researchers noticed that the BDU stores information on 61 percent of the vulnerabilities known to have been exploited by Russia-linked advanced persistent threat (APT) groups in their campaigns. This is in contrast to China, whose CNNVD database hides or delays flaws exploited by the country’s intelligence services.
While the vulnerabilities exploited by Russia-linked APTs affect some of the world’s most widely used software, their presence in the vulnerability database suggests that the systems of the Russian government also run these programs, especially since FSTEC’s mission is to protect government systems. This also provides insight into the applications used by the Russian government.
Moreover, Recorded Future points out it’s also possible that hackers sponsored by the Russian military leverage vulnerabilities in the BDU in their operations, or that the military may be obligated to protect the state’s IT systems by providing information on these flaws.
“The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations,” Recorded Future said in its report.
On the other hand, while the BDU covers many vulnerabilities affecting Adobe products, even in this category the database is incomplete. According to researchers, there are over 1,200 Adobe bugs with a CVSS score higher than 8 that are not present in Russia’s database.
So why waste resources on an incomplete and very slow vulnerability database?
A lack of resources could be an explanation, but analysts note that FSTEC has over 1,100 employees, nearly triple compared to the US’s NIST Information Technology Laboratory (ITL), which maintains the country’s NVD.
Another possible scenario is that FSTEC has both an offensive and defensive mission and its database covers vulnerabilities based on competing needs. However, experts believe this theory is not accurate either considering that the agency is not a public service organization, as its main mission is to protect state and critical infrastructure systems and support counter intelligence initiatives.
The most likely scenario, Recorded Future believes, is that the DBU is “simply a baseline for government information systems security and software inspections.”
One of the roles of FSTEC is to review the software of foreign companies that want to sell their products in Russia. This includes firewalls, antiviruses and applications that use encryption.
“FSTEC is a military organization and is publishing ‘just enough’ content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software,” the threat intelligence firm said.
Researchers Stealthily Manipulate Road Navigation Systems
19.7.2018 securityweek CyberCrime
A team of researchers from Virginia Tech, the University of Electronic Science and Technology of China, and Microsoft Research has discovered a new and stealthy GPS spoofing method that has been proven to be highly effective against road navigation systems.
GPS spoofing has been around for many years. This attack method can in theory be used to trick drivers into going to an arbitrary location, but in practice the instructions provided by the targeted navigation system often contradict the physical road (e.g. make a left turn on a highway), making it less likely to work in a real-world scenario.
Researchers now claim to have discovered a more efficient method that is less likely to raise suspicion. Using this technique an attacker could trick the victim into following an incorrect route (e.g. cause ambulances and police cars to enter a loop route), deviate a targeted vehicle to a specific location, or cause the target to enter a dangerous situation (e.g. enter a highway the wrong way).
For the attack to work, the attacker needs to know the target’s approximate destination and the most likely victim of this technique would be an individual who in not familiar with the area.
Using 600 real-world taxi routes from Manhattan and Boston, the researchers have created an algorithm that generates a virtual route mimicking the shape of real roads. The attack is most likely to work in a city where road networks are dense.
The attacker creates false GPS signals in an effort to set the final location to a nearby “ghost location.” The navigation system recalculates the new route, which researchers have dubbed the “ghost route,” and guides the victim, turn-by-turn, to the ghost location.
In order to avoid raising suspicion, the ghost route is generated based on the collected taxi trips. The search algorithm is run at each road segment in an effort to identify all possible attack (ghost) locations. During tests, the algorithm identified, on average, roughly 1,500 potential attack routes for each trip.
“The algorithm crafts the GPS inputs to the target device such that the triggered navigation instruction and displayed routes on the map remain consistent with the physical road network,” researchers said in their paper.
In some cases, if the original location is not on the route to the ghost location, the user may be informed by the navigation system that the route is being recalculated, but researchers have determined based on a survey that it might not raise too much suspicion considering that this can often occur in a real-world scenario.
These types of attacks can be carried out using a portable GPS spoofer, which costs roughly $200, from a distance of 40-50 meters (130-160 feet). The attacker can either follow the targeted vehicle or place the spoofer inside or under the targeted car and control it remotely.
The researchers reproduced the attack in a real-world scenario using their own car, which they drove after midnight in suburban areas to avoid causing any problems. They also asked 40 individuals (20 in the U.S. and 20 in China) to use a driving test simulator that was attacked via the newly discovered method. The attack’s success rate was 95%, with only one Chinese and one U.S. participant detecting the attack.
Compliance-Focused Cybersecurity Firm A-LIGN Raises $54.5 Million
19.7.2018 securityweek IT
A-LIGN, a provider of cybersecurity and compliance solutions, announced this week that it has raised $54.5 million from growth equity firm FTV Capital.
Tampa, Florida-based A-LIGN provides assessments, audits and cyber risk advisory and testing services for companies of all sizes. Using its flagship platform, A-SCEND, the company helps organizations address third-party risks, security controls, and privacy concerns, with a focus in four core areas:
• Compliance Assessments: SSAE 18, SOC I, II, III audits, and assessments;
• Industry Specific Audits such as ISO, PCI, HITRUST, HIPAA;
• Cybersecurity Services: Penetration testing, vulnerability scanning; and
• Cyber Risk and Privacy: GDPR, CCPA, related privacy and incident planning services.
“Evolving security frameworks and the continual release of new regulations and compliance requirements, such as GDPR, SOC I/II/III, and the recently-passed California Consumer Privacy Act, require that company executives constantly examine their data privacy practices,” Scott Price, CEO of A-LIGN, said in a statement. “Organizations across all industries are conducting critical assessment and audits not only for mandated compliance but also to deepen trust among customers and users which has a direct impact on the bottom line.”
A-LIGN is a licensed CPA firm, Qualified Security Assessor Company (QSAC), accredited ISO 27001 certification body, certified HITRUST Assessor firm, and accredited FedRAMP 3PAO. The company’s tools help customers streamline the audit and certification process through workflow automation, document management, and auditing history.
As part of the transaction, FTV Capital partner Liron Gitig and managing partner Richard Garman will join the company’s board of directors.
North Korean Hackers Launch New ActiveX Attacks
19.7.2018 securityweek BigBrothers
Watering Hole Attacks Target South Korean Users With ActiveX Exploits
A new series of reconnaissance attacks targeting ActiveX objects has been associated with the North Korean-linked Andariel group, a known branch of the notorious Lazarus Group.
In May, the group was observed exploitnig an ActiveX zero-day vulnerability in a series of attacks on South Korean targets, mainly for reconnaissance purposes. A script injected into compromised websites would identify the visitors’ operating system and browser and check for ActiveX and running plugins from a specific list of ActiveX components if Internet Explorer was detected.
Highly active in recent months, the Andariel group has apparently launched a new reconnaissance attack against South Korean targets, by injecting their code into four other compromised websites. The attack, which was spotted on June 21, attempts to collect different object information than before.
Despite targeting objects it wasn’t targeting before, the newly discovered script is similar to the one used in May, which led Trend Micro to the conclusion that the same group of hackers is behind both campaigns.
Previously, the group collected targeted ActiveX objects on users’ Internet Explorer browser and only launched the zero-day exploit after identifying the right targets.
“Based on this, we believe it’s likely that the new targeted ActiveX objects we found could be their next targets for a watering hole exploit attack,” Trend Micro explains.
The new attack lasted until June 27 and targeted the visitors of a Korean non-profit organization’s website and those of three South Korean local government labor union websites.
The injected script, which had similar obfuscation and structure as the Andariel-linked script found in May, was designed to collect visitor information such as browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects.
According to Trend Micro, the script was attempting to detect two additional ActiveX objects that were not previously targeted, namely one related to a DRM (Digital Rights Management) software from a South Korean Document Protection Security vendor and another related to a South Korea-based voice conversion software company.
The script also included code to connect websocket to localhost. “The voice conversion software has websocket service listening on the local host so the injected script can detect the software by checking if they can establish a connection to ports 45461 and 45462, which the software uses,” Trend Micro explains.
The websocket verification, the security researchers say, could also be performed on Chrome and Firefox, in addition to Internet Explorer, which would suggest that the hackers have expanded their target base, aiming at the software and not just the ActiveX objects.
“Based on this change, we can expect them to start using attack vectors other than ActiveX,” Trend Micro notes.
At Summit, Trump Refuses to Confront Putin on Vote Row
19.7.2018 securityweek BigBrothers
President Donald Trump refused to confront Vladimir Putin over meddling in the US election at their first face to face summit, publicly challenging the findings of the US intelligence community and triggering bipartisan outrage at home.
The US and Russian presidents came out of their meeting in Helsinki Monday expressing desire for a fresh start between the world's leading nuclear powers and more talk on global challenges, after discussing an array of issues from Syria, Ukraine and China to trade tariffs and the size of their nuclear arsenals.
There were indications of an arrangement to work together and with Israel to support a ceasefire in southern Syria, suggesting that the US administration is backing off its demand that Moscow's ally Bashar al-Assad step down.
If that is anathema to many in Washington, Trump's apparent concessions to Putin over the election controversy drew stinging condemnation from across the political divide.
Standing alongside the Kremlin boss at a joint news conference, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Hillary Clinton in 2016.
But, insisting he had won the race fair and square, the wealthy property tycoon said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."
Friday's US indictment of 12 Russian military intelligence agents exploded with embarrassing timing for Trump as he prepared to meet Putin. On Monday, officials said another Russian agent had been arrested for seeking to influence US politics.
But the US leader insisted that his counterpart had delivered a "powerful" denial of any Russian manipulation, and that the investigation by special counsel Robert Mueller was proving a "disaster" for the United States.
In his own interview with Fox, Trump said he was "fascinated" by an offer from Putin for US agents to indirectly grill the indicted Russians by submitting their questions to Russian officials but said Mueller's team "probably won't want to go" to Moscow.
- 'Never interfered' -
Trump again denied any collusion between his campaign and the Kremlin, while Putin insisted: "The Russian state has never interfered and is not planning to interfere in the USA's internal affairs."
As criticism mounted, Trump tweeted from Air Force One on his way home from Finland that he had "GREAT confidence in MY intelligence people".
"However, I also recognize that in order to build a brighter future, we cannot exclusively focus on the past – as the world’s two largest nuclear powers, we must get along."
Angry criticism of his disavowal of his own intelligence agencies came even from within Trump's Republican Party.
Senior Republican Senator John McCain was particularly scathing, saying: "Coming close on the heels of President Trump's bombastic and erratic conduct towards our closest friends and allies in Brussels and Britain, today's press conference marks a recent low point in the history of the American presidency."
Director of National Intelligence Dan Coats distanced himself from his boss, issuing a statement saying the US intelligence community's judgment that Russia interfered in the 2016 election was "clear".
But the top Democrat in the US Senate, Chuck Schumer, tweeted that many Americans can only wonder if "the only possible explanation for this dangerous behaviour is the possibility that President Putin holds damaging information over President Trump."
And former CIA director John Brennan said Trump's behavior at the news conference "rises to & exceeds the threshold of 'high crimes & misdemeanors.' It was nothing short of treasonous."
Putin denied the notion that Russian spy bosses may hold compromising information on Trump, who in his previous business career oversaw the Miss Universe pageant in Moscow in 2013.
"Please get this rubbish out of your heads," the Russian leader said.
In a post-summit interview with Fox News, Putin said US-Russia relations should not be held "hostage" to "internal political games," referring to the Mueller probe.
The two leaders appeared relaxed at the Helsinki news conference, smiling on occasion, in contrast to their sombre demeanour at the start of the day.
Trump, bent on forging a personal bond with the Kremlin chief despite the election allegations, went into the summit blaming the "stupidity" of his predecessors for plunging ties to their present low.
His manner towards Putin was also a contrast to the anger Trump flashed at NATO allies at a combative summit of the alliance in Brussels last week, which critics said would only hearten Putin.
- 'Only the beginning' -
A post-NATO trip to Britain, supposedly America's partner in a "special relationship", was riddled with controversy as well.
In Helsinki, however, Trump was determined to accentuate the positive, as was Putin.
The two leaders met one-on-one for more than two hours, with just their interpreters present, before they were joined by their national security teams.
Many in Washington were agog at Trump's decision to sit alone with Putin, worried about what he might give away to the former KGB spymaster, after previously cosying up to the autocratic leaders of China and North Korea.
But Trump, convinced his unique brand of diplomacy can win over Putin, pressed ahead and looked forward to "having an extraordinary relationship" as the pair sat down to discuss global hotspots.
- 'Foolishness and stupidity' -
Trump began the day by firing a Twitter broadside at his domestic opponents, blaming the diplomatic chill on the election investigation.
"Our relationship with Russia has NEVER been worse thanks to many years of U.S. foolishness and stupidity and now, the Rigged Witch Hunt!" Trump tweeted.
Russia's foreign ministry tweeted in response: "We agree."
In a weekend interview with CBS News, Trump admitted that Russia remains a foe, but he put Moscow on a par with China and the European Union as economic and diplomatic rivals.
Symantec Launches Email Threat Isolation Solution
19.7.2018 securityweek IT
Symantec on Tuesday unveiled a new solution designed to help protect enterprises against email-based attacks using threat isolation.
According to the security firm, the new Email Threat Isolation technology can block advanced email attacks, including spear phishing, credential theft and account takeover attempts, and ransomware.
The solution creates what Symantec describes as a secure remote execution environment between the user and the potentially malicious content.
Specifically, Email Threat Isolation sends traffic from the links included in suspicious emails to this secure environment. All potentially malicious elements remain confined in this isolated environment while the user is only shown a safe visual representation of the content.
The solution can also render websites in read-only mode, which helps prevent employees from entering sensitive information, such as corporate credentials, on a phishing website.
Email Threat Isolation is available as a cloud-based or on-premises service, and it can be used with Symantec Email Security or third-party email security solutions.
“Despite significant efforts by our industry to detect and block email-borne threats, messaging remains the primary vector for malware and scams within the enterprise. The industry requires a paradigm shift to properly secure messaging, and we are excited to be bringing the innovation of integrated isolation technology to email,” said Greg Clark, CEO of Symantec.
“This revolutionary technology helps enterprises to quickly and easily isolate all malicious email content – both internal and external – to substantially reduce inherent risks within messaging applications. Further, because the technology is cloud-based, organizations can be up and running quickly and easily, reducing stress on already taxed IT teams,” Clark added.
Security Instrumentation Firm Verodin Raises $21 Million
19.7.2018 securityweek IT
Verodin, a Virginia-based company that helps organizations assess the effectiveness of their cybersecurity controls, on Tuesday announced that it has raised $21 million in a Series B funding round.
The round was led by TenEleven Ventures and Bessemer Venture Partners (BVP), with participation from Capital One Growth Ventures, Citi Ventures and all existing investors. As part of the deal, TenEleven Ventures founder Mark Hatfield will join the company’s board of directors.
The company says it will use the funds to continue the development of its Security Instrumentation Platform (SIP), increase hiring in all functional areas, and expand global sales.
“Boards and C-level executives increasingly want evidence that the dollars and effort they spend on cyber defenses are actually working,” said TenEleven Ventures’ Hatfield. “Verodin is leading a revolutionary shift in cybersecurity, delivering organizations the evidence they need to measure, manage and improve their cybersecurity effectiveness.”
The latest funding round brings the total raised by Verodin to $34 million. The company secured $10 million in a Series A funding round in June 2016.
While the Series B round was officially announced only on Tuesday, the funding was actually revealed in late June when a SEC filing showed that the company had raised roughly $20.7 million from 14 investors. The company refused to make any comments at the time.
Verodin SIP is deployed in an organization’s IT environment and it continuously tests the effectiveness of endpoint, cloud, email and network controls. The solution helps enterprises ensure that the products they have purchased and deployed are actually protecting business-critical assets.
Irish Silk Road Suspect Extradited to US: Prosecutors
19.7.2018 securityweek BigBrothers
A 30-year-old Irish man accused of working for now defunct "dark web" marketplace Silk Road has been extradited to the United States to face charges in New York, four years after his arrest, prosecutors announced Friday.
Gary Davis, who went by the alias "Libertas," was allegedly a Silk Road administrator in 2013 -- and was paid a weekly salary to carry out duties that included resolving disputes between drug dealers and buyers on the site.
He is charged with one count of conspiracy to distribute narcotics, which carries a maximum sentence of life in prison, one count of conspiracy to commit computer intrusion and one count of conspiracy to commit money laundering.
The Wicklow man, who was arrested in January 2014, appeared before a Manhattan federal court on Friday.
"Thanks to our partner agencies here and abroad, Davis now faces justice in an American court," said Manhattan US Attorney Geoffrey Berman.
Until the FBI shut it down in October 2013, the US government called Silk Road "the most sophisticated and extensive criminal marketplace on the Internet" used by vendors in more than 10 countries in North America and Europe.
Texan mastermind Ross Ulbricht was convicted and sentenced to life in prison in 2015 for running the online enterprise that sold $200 million in drugs worldwide.
Operating under the alias "Dread Pirate Roberts," Ulbricht amassed $13 million in commissions by making the purchase of heroin, cocaine and crystal meth as easy as shopping online at eBay or Amazon, the government said.
His four-week trial was considered a landmark case in the murky world of online crime and government surveillance.
Charitable Hackers Collaborate in Deep Web Forums
19.7.2018 securityweek Hacking
Through Multiple Methods and Collaborations, Many Hackers Donate Money to Good Causes
Sun Tzu is a cliche in cybersecurity, but no less valid for that. He wrote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Security researchers infiltrate the deep web forums to understand both the enemy and his weapons -- and sometimes they can be surprised by what they find.
Last month, Trustwave's SpiderLabs blog posted a discussion on the cybercriminal members of underground forums with the title, 'Underground Code of Honor'. In this blog is brief mention of hackers' charitable works. Now Ziv Mador, VP of security research at Trustwave, has given SecurityWeek more details of a well-organized charitable element found in numerous deep web forums.
He explained that Trustwave was investigating the modular structure of the underground. Different groups specialize in specific aspects of cybercrime and sell their products or services to other groups. One group might specialize in running botnets and botnet servers. Another might specialize in developing malware -- and each might sell their services to the other to meet a specific demand.
During this research, the researchers came across charity-themed communications; and decided to investigate further. "And the more we delved," said Mador, "the more fascinating it became. We found that through multiple methods and collaborations these hackers actually donate a lot of money to good causes." The most frequent donations, he said, are for orphanages and hospitals (especially children's hospitals).
Trustwave particularly looked at three different forums: two Russian-speaking and one English-speaking. There were immediate differences. In the English-speaking forum, charitable donations tended be from individuals. In the Russian-speaking forums they were collaborative campaigns. This could be partly cultural (individualism versus team working) or partly economic (eastern European hackers really needing to collaborate in order to collect sufficient funds).
Whatever the reasons, however, the Russian-speaking hackers have developed relatively sophisticated 'giving campaigns'. "Near the Russian new year (7 January), they ran a campaign and used the money raised to buy equipment for hospitals and supplies for orphanages." The hospital equipment included stretchers, inhalers, and bacteria-killing lamps." They even have plans to buy heart-rate monitors; and are working with a contractor to remodel a particular department in one particular hospital.
The orphanage supplies included toiletries such as hair brushes, tooth brushes and toothpaste. With money left over, they bought 25 kilos of fresh fruit, since 'sweets are not healthy for the kids'. These supplies were delivered by hand (about 15 bags full), and photographic evidence of the hand-over, and the kids, were posted as proof to the forum.
If all this seems just a little bit 'Robin Hood', it's a comparison not lost to the hackers themselves. "Anyone can become a modern Robin Hood" one hacker posted to the forum. But perhaps the most intriguing charitable act has been the development of a 'needy support' capability. "They have established a process in one of the forums," explained Mador, "where parents of children who are sick and the families are poor, can submit a request for support. So, if a child needs some medication or surgery and the parents cannot pay for it, they can submit a request for support with supporting documents -- and there is a very specific post in one of the underground forums specifying exactly what documents are needed to get support from the forum."
It's not just the members that get involved. One forum promises to donate half the money it collects to the charitable work. It gets this from two primary sources -- using the forum for advertising; and through arbitration services. "If two forum members get into conflict," said Mador; "let's say one bought a service from another one, and promises were not fulfilled, they go to arbitration. Here the forum administrator will work with them to decide on who is right and who is wrong; and to determine any compensation. Part of that compensation goes to the arbitration fund -- and part of that goes to charity."
One of the forums publishes a list of donators and amounts. The names are obviously false or online handles -- but some individuals can still be recognized. Petr Severa donated more than $100. He is now better known as Peter Yuryevich Levashov, after being arrested while holidaying in Spain and extradited to the U.S. He is now awaiting trial in Connecticut on eight charges, and faces 50 years in jail.
As the cybercriminals' charitable work grows, so too does a need for improved administration. "In one of the forums," said Mador, "it was suggested that since this charitable work takes time and effort, it needed a manager to manage the whole process. It was further suggested that they should hire a woman -- and it specifically had to be a woman -- to manage the funds. They also mentioned that their 'punchers' would check the candidates' information." Punchers are people in the criminal underground who have expertise in getting confidential information about people -- so the candidates should expect a pretty invasive background check on their credentials.
The picture painted really is one of the romantic Robin Hood idea: robbing the rich to pay the poor. Mador doesn't accept this, finding the situation to be more ironic than romantic. It would take an analysis by psychologists and sociologists to understand the causes and motives behind the rise of underground charitable work; but Mador does concede that there may be an element of cultural patriotism among some of the Russian and eastern European hackers.
Ilia Kolochenko, CEO of High-Tech Bridge, sees nothing attractive in the phenomenon -- he finds it alarming and an indication of a growing breakdown in government authority and increasing anarchy. "The substance of the charity is certainly laudable and justified. However," he told SecurityWeek, "it also serves as a harbinger of the global cybersecurity crisis. Governments and law authorities are unable to protect their citizens in the digital space anymore. Cybercriminals are undermining governmental authority by helping indigent people abandoned by the state. What will be the next? Cybercriminals offering private protection in the digital space for a reasonable cost affordable to the citizens? Governments will lose their authority and power, and Robin Hoods will reign.”
Chicago-based data security and compliance solutions firm Trustwave was acquired by Singapore Telecommunications (Singtel) for $810 million in cash in April 2015.
Downward Trend in Healthcare Ransomware Attacks May be Temporary
19.7.2018 securityweek Ransomware
Confirming a trend noted by other researchers, a new report from network security firm Cryptonite notes that ransomware incidents have declined over the last six months.
Cryptonite's Healthcare Cyber Research Report (H1, 2018) draws its conclusions from an analysis of 'IT/Hacking' incidents reported to the Health and Human Services Office of Civil Rights (HHS/OCR) between January 1, 2018 and June 30, 2018, supplemented by its own research.
The report (PDF) notes that ransomware events impacting more than 500 patient data records dropped from 19 in the first half of 2017 to eight in the first half of 2018 -- a decrease of 57%. At the same time, however, the number of patient records (ePHI) breached in the first half of 2018 has increased from 1,674,793 in the first half of 2017 to 1,928,432 in the first half of 2018.
The implication is that while ransomware is not currently either the most favored or most successful method of attacking the healthcare industry, the attraction of patient record data is as strong as ever.
"Medical records," explains the report, "are prime targets, as this data is highly prized to support identity theft and financial fraud. Medical records are an attractive commodity on the dark web where they demand high premiums from criminal purchasers."
Cryptonite believes that one of the reasons for the decline in ransomware is general improvements in healthcare security. "Customers have started to add micro-segmentation to networks, as well as specialized software to address ransomware threats. In general, in the largest hospitals, new Zero Trust technologies have been added to the existing mix of defense in depth technologies to expand and harden the defensive perimeters."
However, it suspects that this may be only a temporary respite. "We do believe that ransomware still presents a formidable threat to healthcare and expect new variants, such as AI based malware, to present very difficult challenges to healthcare institutions later in 2018 and into 2019."
At the beginning of 2018, MIT Technology Review published 'Six Cyber Threats to Really Worry About in 2018'. One of these is the weaponization of artificial intelligence. Hackers, it suggested, are "likely to use AI to help design malware that's even better at fooling 'sandboxes', or security programs that try to spot rogue code before it is deployed in companies' systems."
It is the potential weaponization of AI to support ransomware that Cryptonite feels might fuel a resurgence of ransomware attacks over the next year.
In the meantime, Britton White, security & HIPAA compliance advisor at Fortified Health Security, fears that any reported decline in ransomware is likely to give a false sense of optimism -- and potentially lead healthcare organizations to relax their vigilance. "I've not seen anyone address ransomware in their security training and awareness program or disaster recovery plan," he told SecurityWeek. "In the state of Tennessee just two weeks ago, a breach notice was sent out to thousands of people due to a local Memphis organization getting hit with ransomware. Adding to it, they're a business associate to a number of major hospitals in the area, so they had to be notified as well. It's a huge mess."
While the number of ransomware attacks has decreased over last year, the number of breached patient records has grown from 1,767,955 in the second half of 2017 to 1,928,432 in the first half of 2018 -- an increase of 9.08%. "The positive trend in reduction of the use of ransomware is overshadowed by the continued high volume of major attacks," says Cryptonite. "Healthcare insurers, hospitals... and a broad variety of other important health entities such as surgical centers, skilled nursing facilities, urology centers, vision surgical centers, cancer treatment centers, MRI/CT-scan centers and diagnostic laboratories fall victim to these attacks every month."
But White points out that these statistics are official numbers only. "Bottom line is, ransomware continues to be a huge problem for all healthcare organizations. How many healthcare organizations haven't reported being hit with ransomware? I'd imagine they'd prefer to remain off the radar as much as possible," he told SecurityWeek. "Everyone needs to remain vigilant and ensure they have the ability to recover as quickly as possible if/when they get hit."
Rockville, Maryland-based Cryptonite emerged from stealth mode in October 2017. A spin-off of Maryland defense contractor Intelligent Automation (IAI), Cryptonite is led by President and CEO Michael Simon, and Justin Yackoski, CTO and former lead researcher at IAI.
'Blackgear' Cyberspies Resurface With New Tools, Techniques
19.7.2018 securityweek CyberSpy
The hackers behind a cyberespionage campaign known as Blackgear are back with improved malware that abuses social media websites, including Facebook, for command and control (C&C) communications.
The threat group, also known as Topgear and Comnie, has been around since at least 2008, mainly targeting entities in Taiwan, South Korea and Japan. Their objectives include organizations in the telecommunications, defense, government, aerospace, and high-tech sectors. Some limited evidence suggests that the attacks may be conducted by Chinese state-sponsored actors.
Previous Blackgear attacks involved malware tracked as Elirks and Protux, which the hackers created themselves. The latest attacks, analyzed by Trend Micro, relied on a new version of the Protux backdoor and a downloader named Marade.
One interesting technique leveraged by the threat group involves using blogs and social media websites for C&C communications, which helps it easily change C&C servers and improve its chances of evading detection. In the past, the actor posted encrypted C&C configurations on websites such as github.com, tumblr.com and blogspot.com. The more recent attacks also abuse Facebook to store and retrieve C&C data.
The more recent attacks start with an email delivering a fake installer or decoy document, which drop the Marade downloader. The downloader is placed in a file whose size exceeds 50 Mb in an effort to bypass traditional sandbox products.
Marade checks the infected system for an antivirus solution and retrieves C&C data from a blog or social media post. If the compromised machine is of interest, the Protux backdoor is downloaded.
Protux allows the attackers to list all the files, processes, services and registries on the compromised host, along with taking screenshots and creating a shell that provides access to the system.
“Blackgear has been targeting various industries since its emergence a decade ago. Its apparent staying power stems from the furtive ways with which its attacks can evade traditional security solutions,” Trend Micro researchers explained. “For instance, Blackgear employs two stages of infection for each of its attacks. The potential victim may not be able to notice the intrusions as the first stage involves only profiling and reconnaissance. And once infection with a backdoor occurs, typical red flags may not be raised as it abuses microblogging and social media services to retrieve information needed for C&C communication.”
Researchers have also stumbled upon a tool that provides the user interface from which the hackers control the Protux and Marade malware.
“Based on the controller’s behavior, we can posit that both Marade and Protux were authored by the same threat actors,” experts noted.
Malware Creator Admits to Building and Selling LuminosityLink RAT
19.7.2018 securityweek Virus
A Kentucky man admitted in a U.S. court to developing and distributing the remote access Trojan known as LuminosityLink.
21-year-old Colton Ray Grubbs of Stanford, Kentucky, pleaded guilty to developing the malware and selling it to thousands of people, knowing it would be used for computer intrusion, according to court documents.
Also known as Luminosity, the LuminosityLink RAT was first spotted in April 2015, providing its users with surveillance capabilities such as remote desktop and webcam and microphone access; a smart keylogger that could target specific programs; a crypto-currency miner; and distributed denial of service (DDoS) features.
In early February 2018, Europol and the UK’s National Crime Agency (NCA) announced an operation specifically targeting the sellers and users of Luminosity, but security researchers revealed soon after that the malware itself had been retired for over half a year.
According to the plea agreement obtained by investigative journalist Brian Krebs (PDF), Grubbs, who used the online handle of KFC Watermelon, admitted to have designed and sold LuminosityLink at $39.99 to over 6,000 customers between April 2015 and July 2017.
The malware was being distributed via the luminosity.link website and through the HackForums.net forum. Although he claimed the tool had legitimate purposes, being designed for system administration, the developer was touting capabilities that would allow potential customers to access and control systems without the legitimate owners’ knowledge or permissions.
According to the document filed in court, the hacker emphasized that the malware could be installed remotely without notification, as well as its keylogging and surveillance capabilities, file exfiltration functionality, the ability to steal login credentials, crypto-mining and DDoS features, and the ability to prevent detection and removal attempts from anti-malware software.
The document also claims that Grubbs was offering free support to customers, sending private messages to respond to “questions about accessing and controlling victim computers without authorization or detection.” He also admitted to recruiting other people to sell the malware as affiliates.
In July 2017, after learning the Federal Bureau of Investigation would raid his apartment, Grubbs warned the PayPal user who was collecting LuminosityLink payments, asked his roommate to hide a laptop in his car, and also concealed a debit card associated with his Bitcoin account and a phone storing his Bitcoin information.
“Defendant removed the hard drives from his desktop computer and removed them from his apartment before the authorized search so that they would not be seized by the government. Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses,” the plea agreement reads.
Overall, the hacker pleaded guilty to three counts, two of which carry maximum sentences of 5 years in prison and a fine of up to $250,000 each, while the third carries a maximum sentence of 20 years in prison and a fine of no more than $500,000.
Back in Washington, Trump Under Pressure to Reverse Course on Russia
19.7.2018 securityweek BigBrothers
President Donald Trump found himself isolated and under pressure to reverse course Tuesday after publicly challenging the US intelligence conclusion that Russia meddled in the 2016 election during his face-to-face with Vladimir Putin.
At his inaugural summit with the Russian president in Finland, Trump appeared to accept at face value the strongman's denial that Moscow interfered in a bid to undermine the Democrat Hillary Clinton -- a stance that triggered bipartisan outrage at home.
Back in Washington, Trump sounded a defensive note, insisting his meeting with Putin had been "even better" than his one last week with traditional allies NATO -- a testy gathering seen as having badly strained trans-Atlantic ties.
But the US president -- who is expected to speak about the meeting at 2:00 pm (1800 GMT) on Tuesday -- has found precious little support for his decision not to confront Putin, and faced calls even from allies to change tack.
"He has to reverse course immediately and he's gotta get out there as soon as possible before the concrete starts to set on this," former White House communications director Anthony Scaramucci said on CNN.
"Loyalty right now requires you to tell the truth and sit with him and explain to him the optics of the situation, why the optics are bad, the strategy in terms of trying to get along with Vladimir Putin and deploying a strategy of going against the intelligence agency is very bad," Scaramucci said.
Former House speaker and longtime Trump ally Newt Gingrich put it yet more bluntly.
"President Trump must clarify his statements in Helsinki on our intelligence system and Putin," he tweeted as Trump headed home. "It is the most serious mistake of his presidency and must be corrected -- immediately.
Trump's performance at the summit has even come under fire from the hosts at Fox News, usually a reliable defender of the president.
"No negotiation is worth throwing your own people and country under the bus," Fox anchor and Fox & Friends co-host Abby Huntsman -- the daughter of the US ambassador to Russia -- wrote on Twitter.
And former president Barack Obama, who has remained above the political fray since leaving office, appeared to allude to the events of the day before during a rare public appearance Tuesday at which he warned the world had plunged into "strange and uncertain times."
"Strongman politics are ascendant, suddenly, whereby elections and some pretense of democracy are maintained -- the form of it -- but those in power seek to undermine every institution or norm that gives democracy meaning," Obama said in Johannesburg.
- 'Undermine democracy' -
Trump and Putin met for two hours in Helsinki on Monday with only their interpreters present, then held a joint press conference.
Standing alongside the Kremlin boss, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Clinton in 2016.
But, insisting he had won the race fair and square, the Republican said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."
Special Counsel Robert Mueller's investigation into Russian meddling and possible collusion with the Trump campaign has increasingly put pressure on the White House, and the president -- who regards it as an attack on his legitimacy -- has dubbed it a "witch hunt."
But the investigation continues to progress, resulting in the indictment of 12 Russian military intelligence agents on Friday -- timing that was embarrassing in light of the upcoming summit.
While Trump has faced intense criticism over Helsinki, he is not entirely without defenders.
Republican Senator Rand Paul has given a series of interviews supporting Trump's stance towards Putin, and berating his critics as biased.
"I think the president did a good thing by meeting with Putin and I think it's a mistake for people to try to turn this into a partisan escapade," the Kentucky Republican said on CBS.
Paul's efforts drew praise from Trump, who tweeted: "Thank you @RandPaul, you really get it!"
But the bipartisan consensus has been broadly hostile to Trump's stance -- as the top Republican in Congress, House Speaker Paul Ryan made clear once more at a press conference Tuesday on Capitol Hill.
"We stand by our NATO allies and all those countries who are facing Russian aggression," Ryan said. "Vladimir Putin does not share our interests, Vladimir Putin does not share our values."
"We just conducted a yearlong investigation into Russia's interference in our elections. They did interfere in our elections. It's really clear. There should be no doubt about that," he said.
"Russia is trying to undermine democracy itself."
RATs Bite Ukraine in Ongoing Espionage Campaign
19.7.2018 securityweek Virus
An ongoing espionage campaign aimed at Ukraine is leveraging three different remote access Trojans (RATs), ESET security researchers warn.
The attacks apparently started in late 2015, but the first report on them emerged in January 2018. ESET says they have been tracking the campaign since mid-2017, and that the attacks have been mainly focused on Ukrainian government institutions, with a few hundred victims in different organizations.
The actors behind this cyber-espionage campaign have been using multiple stealthy RATs to exfiltrate sensitive documents, namely Quasar RAT, Sobaken RAT, and a custom-made RAT called Vermin.
The attackers, which appear to lack advanced skills and access to zero-day vulnerabilities, are using emails and social engineering to distribute the malware. Some emails carried Word documents attempting to exploit CVE-2017-0199, a vulnerability patched in April 2017.
A dropper is usually used to deliver the final payload (which masquerades as software form Adobe, Intel or Microsoft) to the %APPDATA% folder and to achieve persistence via a scheduled task that executes the malware every 10 minutes. Steganography was also employed to trick content filtering, accordnig to a whitepaper (PDF) published by ESET.
To avoid automated analysis systems and sandboxes, the malware checks if the Russian or Ukrainian keyboard layouts are installed and terminates itself if none is found. It also checks the system’s IP address and the username on the machine. Moreover, it checks if the connection to a randomly generated website name/URL fails, as would be expected on a real system.
An open-source backdoor, Quasar RAT can be freely downloaded from GitHub and has been employed by the actors behind this campaign since at least October 2015. Other groups have been using the malware in their attacks as well, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.
Sobaken is a heavily modified version of Quasar RAT, with removed functionality to make the executable smaller, but also with several anti-sandbox and other evasion tricks added.
Vermin RAT, on the other hand, is a custom-made backdoor that first emerged in mid-2016 and which continues to be used. Written in .NET, it is protected using ConfuserEx and uses Vitevic Assembly Embedder, free software for embedding required DLLs into the main executable.
The malware includes support for screen capturing, reading directory contents, file upload/download/deletion/renaming, process monitoring and termination, shell execution, run keylogger, folder manipulation, audio capture, and bot update.
Most of the commands are implemented in the main payload, but the RAT also includes support for optional components, such as audio recorder, keylogger, password stealer, and USB file stealer.
“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine. However, they have proved that with clever social engineering tricks, cyber-espionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place,” ESET notes.
Siemens Informs Customers of New Meltdown, Spectre Variants
19.7.2018 securityweek Vulnerebility
Siemens recently updated its security bulletin for the Meltdown and Spectre vulnerabilities to inform customers of the latest variants, specifically the ones known as LazyFP and Spectre 1.1.
Several industrial control systems (ICS) vendors published security advisories for the CPU flaws shortly after they were disclosed in early January. Siemens published a bulletin on speculative side-channel vulnerabilities on January 11.
In late May, the company updated its bulletin to include information about Variant 3a and Variant 4, which are also known as Spectre-NG. On Tuesday, Siemens once again updated the security bulletin to describe the variants known as LazyFP, a medium severity Meltdown-like flaw disclosed in mid-June and tracked as CVE-2018-3665, and Spectre 1.1, disclosed earlier this month and tracked as CVE-2017-5753.
LazyFP is related to the floating point unit (FPU), also known as the math coprocessor. Researchers discovered that if certain conditions are met an attacker may be able to access FPU state data, which can contain sensitive information, such as cryptographic keys.
Spectre 1.1, described as a bounds check bypass store (BCBS) issue, was disclosed along with Spectre 1.2. Intel awarded $100,000 to the researchers who identified these variants.
While LazyFP and Spectre 1.1 are related to the original Meltdown and Spectre vulnerabilities, CPU and operating system vendors are not as concerned about their impact.
Register for SecurityWeek’s 2018 ICS Cyber Security Conference
Siemens has advised customers to keep an eye out for software and firmware updates provided for operating systems and processors, but warned that some of these updates “can result in compatibility, performance or stability issues.”
The German industrial giant continues to analyze the impact of these vulnerabilities on its products.
In the case of the original Meltdown and Spectre flaws, they have been found to impact many Siemens products, including SIMATIC, RUGGEDCOM, SIMOTION, SINEMA and SINUMERIK devices. The company has released both software and BIOS updates, along with workarounds and mitigations.
Microsoft Offers $100,000 in New Identity Bug Bounty Program
19.7.2018 securityweek Security
Microsoft on Tuesday announced the launch of a new bug bounty program that offers researchers the opportunity to earn up to $100,000 for discovering serious vulnerabilities in the company’s various identity services.
White hat hackers can earn a monetary reward ranging between $500 and $100,000 if they find flaws that impact Microsoft Identity services, flaws that can be leveraged to hijack Microsoft and Azure Active Directory accounts, vulnerabilities affecting the OpenID or OAuth 2.0 standards, or weaknesses that affect the Microsoft Authenticator applications for iOS and Android.
The list of domains covered by the new bug bounty program includes login.windows.net, login.microsoftonline.com, login.live.com, account.live.com, account.windowsazure.com, account.activedirectory.windowsazure.com, credential.activedirectory.windowsazure.com, portal.office.com and passwordreset.microsoftonline.com.
The top reward can be earned for a high quality submission describing ways to bypass multi-factor authentication, or design vulnerabilities in the authentication standards used by Microsoft. OpenID and OAuth implementation flaws can earn hackers up to $75,000.
The smallest rewards are offered for XSS (up to $10,000), authorization issues ($8,000), and sensitive data exposure ($5,000).
“A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept. We recognize that some issues are extremely difficult to reproduce and understand, and this will be considered when adjudicating the quality of a submission,” Microsoft wrote on a page dedicated to its new bug bounty program.
The tech giant currently runs several bug bounty programs that offer hundreds of thousands of dollars for a single vulnerability report. This includes the speculative execution side-channel program, which offers up to $250,000 and which the company launched following the disclosure of Meltdown and Spectre; the Hyper-V program, which also offers up to $250,000; the mitigation bypass bounty, with rewards of up to $100,000 for novel exploitation techniques against Windows protections; and the Bounty for Defense, which offers an additional $100,000 for defenses to the mitigation bypass techniques.
GandCrab: The New King of Ransomware?
19.7.2018 securityweek Ransomware
Cryptominers have plateaued, GandCrab is the new king of ransomware, adware -- surprise! -- is as prolific as ever, and VPNFilter might herald a new genre of sophisticated multi-purpose malware. These are some of the conclusions drawn from the Malwarebytes Cybercrime tactics and techniques report for Q2, 2018.
The details come from an analysis (PDF) of the telemetry obtained from the millions of computers using Malwarebytes software. It confirms what has been seen elsewhere: "Ransomware detections dropped this quarter on both the consumer and business sides by 12 and 35 percent, respectively."
This doesn't mean that ransomware has gone away. GandCrab has been the most prolific, partly down to its use by the Magnitude botnet. A decryptor for GandCrab is available on the NoMoreRansom website; but Malwarebytes warns, "there's always a risk that the latest versions being distributed by various exploit kits have no solution in place."
Other new ransomwares highlighted in the report demonstrate either ends of the sophistication spectrum. Spartacus is simple. Although there is no current decryptor, the report suggests, "Spartacus is the kind of software one expects to find offered on a script kiddie forum. There's no online functionality whatsoever." It adds that it seems likely (because the RSA key is embedded in the ransomware), that the private key is held on the author's server. "Decryption for all victims is possible, should this key ever be leaked."
SamSam resides at the sophisticated end of the spectrum. It has had high profile success at the City of Atlanta and Hancock Health this year. "While SamSam has been around for some time, recent evolutions in the attack vector and methodology have proven novel in their approach and successful for the attackers -- raking in over $1 million this year," comments Malwarebytes. Unlike many other ransomwares, SamSam specifically targets and compromises its victims before encrypting the files.
Many commentators have noted that criminal focus has shifted from ransomware to cryptomining in recent months. Malwarebytes telemetry suggests that cryptomining growth has now flattened. It is already declining in the consumer arena, and the firm expects to see it also decline in business attacks next quarter. It suspects that criminals are not receiving the returns on effort they expected; but warns that growth or decline might depend on whether the value of crypto coins goes up or down. Business detections in Q2 grew by just 5%, while consumer detections fell by 36%.
Adware, always near the top of all malware detections, is on the opposite trajectory. Consumer detections grew by 19% (making it the top consumer threat), while business detections fell by 7% (making it the third most prolific threat).
The fastest growing threat for both consumers and businesses has been the return of the backdoor -- growing by 442% up to number three for consumers, and by 109% up to number four for businesses. Malwarebytes puts much of this growth to a malware spreading campaign it refers to as Backdoor.Vools. Since it uses the worm features that exploit vulnerable SMB protocols, Malwarebytes expects it to hang around for months to come.
However, it warns, "The primary fear of Vools' capabilities is not due to its mining component or even its use of ETERNALBLUE, but the additional threats that this malware can and will install on the system once cryptomining goes out of fashion. Based on plummeting cryptocurrency values over the last few months, that time is going to come sooner than later."
While backdoors became more popular, spyware dropped in popularity -- at least in business detections. In consumer detections it grew by 32%; but in business detections it fell 41%, dropping from the most detected malware to the fifth most detected. "The top spyware for Q2," notes the report, "was the notorious TrickBot, which added functionality to steal cryptocurrency wallets from its victims." However, Malwarebytes suspects that the fall will continue, and spyware may not be in the top ten threats for business in Q3.
The report reserves particular attention for VPNFilter, "malware that reportedly infected over 500,000 small-office and consumer-grade routers and NAS devices." The FBI has said that Russian government-linked Fancy Bear (APT 28) is responsible for the malware; and although the initial infection vector is unknown, an understanding of its capabilities is growing. It is multi-stage malware that eventually has wide-ranging functionality. Stage 2 can download files, restart devices, copy data, execute programs, kill processes, and set proxies and other configuration parameters.
Stage 3, downloaded by stage 2, establishes a Tor client to send stolen data back to the authors. The malware, notes the report, "is not only capable of harvesting usernames and passwords, but can also change webpages and insert artificial data to deceive users while, at the same time, draining accounts in the shadows. VPNFilter could also be used to perform DDoS attacks or as a catalyst to install other software like coin miners."
Malwarebytes believes that the end of Q2 2018 and the beginning of Q3 is "the cusp of another significant change in the cybercrime world." It believes that cryptomining will continue to decline, but that ransomware will stage a comeback. It expects more activity from exploit kits, but they will not regain their earlier importance. It does, however, expect data-stealing threats to increase. Since GDPR will limit the time for companies to retain the personal information of their customers, criminals will resort to stealing it directly from the customer.
But perhaps most importantly Malwarebytes believes that VPNFilter might spawn copycats that will target widely-used devices -- and "a new age of IoT malware, long predicted, may finally come to pass."
Santa Clara, Silicon Valley-based Malwarebytes raised $50 million in a Series B funding round from Fidelity Management and Research Company in January 2016, bringing the total raised by the firm to $80 million.
Oracle Patches Record 334 Vulnerabilities in July 2018
19.7.2018 securityweek Vulnerebility
Oracle Patches Over 200 Remotely Exploitable Vulnerabilities in July 2018 Critical Patch Update
Oracle this week released its July 2018 set of patches to address a total of 334 security vulnerabilities, the largest number of flaws resolved with a Critical Patch Update (CPU) to date. Over 200 of the bugs may be remotely exploitable without authentication.
This month, 23 products from the enterprise security giant were patched, including E-Business Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Java SE, MySQL, PeopleSoft Products, Retail Applications, Siebel CRM, and the Sun Systems Products Suite.
More than 50 of the flaws addressed this month had a CVSS 3.0 Base Score of 9.8. Overall, 61 security bugs had a CVSS score of 9.0 or above, according to Oracle’s advisory.
A total of 203 vulnerabilities were patched in business-critical applications, around 65% of which could be exploited remotely without entering credentials, ERPScan, a company that specializes in securing Oracle and SAP applications, points out.
This month, Financial Services Applications received the largest number of fixes, at 56. 21 of these vulnerabilities may be remotely exploitable without authentication.
Fusion Middleware received the second largest number of patches, at 44, with 38 of the addressed issues remotely exploitable without authentication.
Next in line are Retail Applications at 31 fixes (26 flaws being remotely exploitable) and MySQL, also with 31 patches (only 7 bugs remotely exploitable), followed by Hospitality Applications with 24 fixes (7 issues remotely exploitable), Sun Systems Products Suite at 22 patches (10 flaws remotely exploitable), and Enterprise Manager Products Suite with 16 fixes (all remotely exploitable without authentication).
Oracle also addressed vulnerabilities in PeopleSoft Products (15 bugs – 11 remotely exploitable without authentication), E-Business Suite (14 flaws – 13 remotely exploitable), Communications Applications (14 – 10), Virtualization (12 – 2), Construction and Engineering Suite (11 – 6), JD Edwards Products (10 – 9), Java SE (8 – 8), and Supply Chain Products Suite (8 – 6).
“On the surface, the downward trend of Java SE patches would appear to be positive,” Apostolos Giannakidis, Security Architect at Waratek, told SecurityWeek. “However, several actions taken to fix Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications. Application owners who apply binary patches should be extremely cautious and thoroughly test their applications before putting patches into production.”
"The fix for the most critical Java SE vulnerability in the July CPU - CVE-2018-2938 - removes the vulnerable component (Java DB) from the JDK," Waratek explained in a guidance note sent to SecurityWeek Wednesday. "Users that depend on this component must manually obtain the latest Apache Derby artifacts and rebuild their applications."
The least impacted products include Utilities Applications (4 vulnerabilities – 3 remotely exploitable without authentication), Policy Automation (3 flaws – all remotely exploitable), and Database Server (3 – 1).
All of the vulnerabilities impacting Hyperion (2 bugs), Insurance Applications (2), Global Lifecycle Management (1), iLearning (1), Siebel CRM (1), and Support Tools (1) may be exploited remotely without authentication.
Some of the most important issues addressed this month could be exploited remotely to take over the impacted application: CVE-2017-15095 in Oracle Spatial, CVE-2018-7489 in Global Lifecycle Management OPatchAuto component, CVE-2018-2943 in Fusion Middleware MapViewer, CVE-2018-2894 in WebLogic Server, and CVE-2017-5645 in PeopleSoft Enterprise FIN Install.
In late June, Oracle announced the availability of patches for new variants of the speculative execution attack methods known as Meltdown and Spectre. The company released the first set of mitigations against Spectre and Meltdown as part of the January 2018 CPU.
All Oracle customers are advised to apply the fixes included in Oracle’s Critical Patch Updates without delay, as some of the addressed vulnerabilities are being targeted by malicious actors in live attacks.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches,” the company notes.
Flashpoint Launches Ransomware Response & Readiness Service
19.7.2018 securityweek Ransomware
Threat intelligence and research company Flashpoint on Wednesday announced the launch of a new service designed to help organizations prepare and respond to ransomware and other types of cyber extortion incidents.
The new Threat Response & Readiness Subscription is available immediately, both as an extension to Flashpoint’s other business risk intelligence offerings and a standalone service that can be purchased separately. Pricing is customized based on the customer’s requirements for response and readiness engagements.
The readiness part of the service includes ransomware workshops, tabletop exercises (TTX), and pre-negotiated rates and engagement hours. The workshops are designed to educate the customer’s employees on ransomware, including how it works, how organizations can become infected, attacker profiles, and cryptocurrencies.
The TTX involves discussing simulated scenarios, assessing the effectiveness of current response plans, establishing roles and responsibilities, and improving coordination.
As for incident response, Flashpoint provides research on the threat actor launching the attack, engages with the attacker in an effort to determine appropriate mitigations, and even helps the victim acquire cryptocurrency in case they decide to pay the ransom.
“While law enforcement and the security community generally do not recommend that victims pay ransoms or extortion demands, in some cases it is the most reasonable decision, particularly for organizations concerned with the consequences of impermissible downtime and the inaccessibility of critical systems or data,” Tom Hofmann, VP of Threat intelligence at Flashpoint, told SecurityWeek.
“Determining whether or not to pay a ransom or extortion demand is a highly individual and situational decision. Deciding factors generally include available evidence, information, estimated impact, and perhaps most importantly, the estimated validity of the attacker’s claims—in other words, if a payment is made, will the attacker actually unlock or deliver the data?” Hofmann added.
As part of the response service, Flashpoint directly engages with the attacker on behalf of the customer to verify if the threat is real and if the hackers’ claims are credible, determine if the compromised data may be recovered by other means, identify mitigations, and, if necessary, pay the ransom.
Analyzing the threat also involves investigating the digital wallet accepting the ransom or extortion payment, which can provide insight into the validity of the attacker’s claims.
“In some cases, suspected attackers are actually just automated bots attempting to scam victims into paying and have no intention of encrypting or otherwise compromising the victim’s data. If analysis reveals that a unique wallet has not been configured for each unique infection, it is an indicator that the attacker may be less sophisticated, an automated bot could potentially be involved, and further analysis is likely required,” Hofmann explained.
Flashpoint strongly discourages any individual or organization from engaging directly with the threat actor on their own, due to “the inherent difficulties and security risks involved,” Hofmann said.
Data Privacy Automation Provider Integris Software Raises $10 Million
19.7.2018 securityweek IT
Integris Software, a Seattle-based provider of data privacy automation tools, today announced that it has raised $10 million through a Series A financing round led by Aspect Ventures.
The oversubscribed round brings the total funding raised by the company to $13 million.
The company explains that its flagship data privacy automation platform automates the process of “identifying, classifying and continuously monitoring sensitive data that enables a defensible compliance strategy for enterprises.”
"Global CTOs are realizing that complying with privacy law is essentially a data problem and that without an automated discovery mechanism for sensitive information, they’re flying blind on what data is important to secure and why,” Kristina Bergman, CEO of Integris Software, said in a statement.
The company will help customers comply with emerging and changing data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR) and the upcoming California state law AB375.
Other investors participating in the funding round include Workday Ventures, Madrona Venture Group, and Amplify Partners.
“Integris is a unique vendor that, through automation, can discover data at rest or in motion, structured or unstructured, on premise or in the cloud,” said Mark Peek, managing director and co-head, Workday Ventures. “Companies need to be able to produce evidence that shows what sensitive information has been deleted or rectified.”
NIST to Withdraw 11 Outdated Cybersecurity Publications
19.7.2018 securityweek BigBrothers
The U.S. National Institute of Standards and Technology (NIST) announced on Tuesday that its Computer Security Division has decided to withdraw eleven outdated SP 800 publications.
NIST’s 800 series Special Publications (SP) focus on cybersecurity and include guidelines, technical specifications, recommendations, and annual reports. These publications are meant to address and support the security and privacy needs of government agencies, but they are often used and referenced by private sector companies.
NIST’s website currently lists over 180 SP 800 publications, including drafts and final versions. Eleven of them, which are now considered out of date, will be withdrawn on August 1, 2018, and will not be revised or superseded.
The documents will still be available for historical reference, but their status will be changed from “final” to “withdrawn.”
The following SP 800 publications will be withdrawn, with the reason for withdrawal listed for each document:
● SP 800-13 (October 1995): Telecommunications Security Guidelines for Telecommunications Management Network – describes outdated technologies;
● SP 800-17 (February 1998): Modes of Operation Validation System (MOVS): Requirements and Procedures – validation system is for deprecated algorithms, such as DES and Skipjack;
SP 800-19 (October 1999): Mobile Agent Security – environments and technologies far less complex than what is used today;
SP 800-23 (August 2000): Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products – based on outdated laws, regulations and executive directives;
● SP 800-24 (April 2001): PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does – does not address newer technologies, such as VOIP;
● SP 800-33 (December 2001): Underlying Technical Models for Information Technology Security – describes a model that pre-dates the Risk Management Framework and Cybersecurity Framework;
● SP 800-36 (October 2003): Guide to Selecting Information Technology Security Products – outdated references and it does not reflect current types of security products;
● SP 800-43 (November 2002): Systems Administration Guidance for Securing Windows 2000 Professional System – Windows 2000 no longer supported;
● SP 800-65 (January 2005): Integrating IT Security into the Capital Planning and Investment Control Process – pre-dates the Cybersecurity Framework and other important SP 800 guidance;
● SP 800-68 Rev. 1 (October 2008): Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist – Windows XP no longer supported;
● SP 800-69 (September 2006): Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist – Windows XP no longer supported.
US Lifts Export Ban on Suppliers to China's ZTE
18.7.2018 securityweek BigBrothers
The United States on Friday formally lifted a crippling ban on exports to China's ZTE, rescuing the smartphone maker from the brink of collapse after it was denied key components.
The US Commerce Department said it would continue to monitor the company to prevent further violations of US sanctions on Iran and North Korea.
"While we lifted the ban on ZTE, the Department will remain vigilant as we closely monitor ZTE's actions to ensure compliance with all US laws and regulations," Commerce Secretary Wilbur Ross said in a statement.
But the move to reverse the harsh penalties, made at President Donald Trump's insistence, has left US lawmakers irate. Congress has taken steps to keep the ban in place and accused Trump of rewarding a company which had repeatedly flouted American law, lied to authorities and engaged in espionage.
The about-face to rescue to the company created a stark contrast with the escalating trade war between Washington and Beijing.
The Commerce Department in April banned US companies from supplying ZTE with crucial components, forcing it to halt operations, after officials found further violations even after reaching a settlement in March of last year over the initial complaints.
The company had paid bonuses rather than reprimanding employees involved in illegal activity and created an "elaborate scheme" to deceive US officials and obstruct justice, US officials said.
But as a favor to Chinese President Xi Jinping, Trump ordered Commerce to ease the penalties on ZTE.
In an agreement struck last month, Washington agreed to lift the export ban if ZTE paid an additional $1 billion fine -- beyond the $892 million penalty imposed in 2017.
The company also was required to replace its board of directors, retain outside monitors and put $400 million in escrow to cover any future violations -- a final step it took this week.
In a statement this week, Senator Mark Warner of Virginia, the senior Democrat on the Select Committee on Intelligence, lambasted the reversal, saying the US military and spy agencies had branded ZTE an "ongoing threat" to US national security.
"This sweetheart deal not only ignores these serious issues, it lets ZTE off the hook for evading sanctions against Iran and North Korea with a slap on the wrist," Warner said.
BEC Scam Losses Top $12 Billion: FBI
18.7.2018 securityweek BigBrothers
The losses and potential losses reported as a result of business email compromise (BEC) and email account compromise (EAC) scams exceed $12 billion globally, according to an alert published last week by the FBI.
The report is based on data collected by the FBI’s Internet Crime Complaint Center (IC3), international law enforcement and financial institutions between October 2013 and May 2018. The amounts represent both money that was actually lost by victims and money they could have lost had they taken the bait.
BEC scams, which involve sending requests for fund transfers and personally identifiable information from hijacked business email accounts, have been observed in 50 U.S. states and 150 countries, with money being sent to 115 countries.
The top destinations for money generated by BEC scams are Asian banks in China and Hong Kong, but a significant number of schemes involve financial organizations in the U.K., Mexico and Turkey.
According to the FBI, more than 78,000 complaints have been made globally between October 2013 and May 2018, with over 41,000 victims reported in the United States. Targeted individuals and businesses lost or could have lost $12.5 billion, nearly $3 billion of which in the U.S. Losses increased by 136% between December 2016 and May 2018.
The number of non-U.S. victims known to the FBI is 2,565, with losses totaling over $670 million.
In comparison, the FBI’s previous report on BEC scams, which covered the period between October 2013 and December 2016, said there had been 40,203 incidents globally with exposed losses totaling over $5.3 billion.
In its recent 2017 Internet Crime Report, the FBI said IC3 received over 15,000 BEC and EAC complaints last year, reporting losses of $675 million.
The law enforcement agency highlighted that the real estate sector continues to be increasingly targeted. Victims include law firms, title companies, real estate agents, sellers, and buyers.
In scams targeting this sector, the fraudsters use spoofed emails on behalf of real estate transaction participants and instruct recipients to transfer money into fraudulent accounts.
“Based on victim complaint data, BEC/EAC scams targeting the real estate sector are on the rise,” the FBI said. “From calendar year 2015 to calendar year 2017, there was over an 1100% rise in the number of BEC/EAC victims reporting the real estate transaction angle and an almost 2200% rise in the reported monetary loss. May 2018 reported the highest number of BEC/EAC real estate victims since 2015, and September 2017 reported the highest victim loss.”
The topic of BEC scams and how the threat can be prevented using human-powered intelligence was covered recently in a SecurityWeek column by Josh Lefkowitz, CEO of business risk intelligence firm Flashpoint.
“BEC underscores why even the most technically sophisticated cyber defenses aren’t always a match for low-tech threats. Combating BEC requires more than just advanced technologies and robust perimeter security—it requires humans to understand the threat,” Lefkowitz said.
Dark Web Chatter Helpful in Predicting Real World Hacks, Firm Says
18.7.2018 securityweek CyberCrime
Some hacks are serendipitous events for skiddies who happen across a website with an easily exploitable common vulnerability. Others, especially the major breaches of major enterprises, are planned and executed with care. Such planning often leaves traces of noise across the internet. IntSights, founded in 2015, searches both the surface and deep web for this noise, and converts it into actionable intelligence. It looks for evidence of planned attacks before they actually occur.
Financial services is one sector that is unlikely to fall to skiddie attacks. The bank heists of $4.4 million (NIC Asia Bank, November 2017), $60 million (Far Eastern Bank, October 2017) and $100 million (Post-Soviet Bank, Russia, February 2017) would have needed planning. IntSight is predicated on the idea that such planning may be detectable; and if detected, the attack can be mitigated.
It has found considerable growth in pre-attack indicators, matching the actual growth in real financial services attacks. An analysis (PDF) focuses on two categories of 'attack indicators' found on the internet: company or customer data offered for sale in a black market, and phishing email target lists. Based on this analysis, IntSights finds that financial organizations comprise the single most-attacked industry sector.
In the first six months of 2017, it found an average of 207 attack indicators per U.S. bank. By the first six months of 2018, this had risen to an average of 520 indicators per bank -- an increase of 151%.
These figures come from a similar year-on-year growth of 135% in instances of financial data being sold on dark web black markets. a 91% increase in corporate email addresses found on phishing target lists, a 40% increase in corporate credential leakage, and a 149% increase in stolen bank card information.
Following high-profile takedowns of major deep web marketplaces leading to arrests and prosecutions for the sale of illegal physical goods (such as drugs and guns), IntSights believes that these marketplaces are now concentrating on the sale of data. However, even this is evolving. While the deepest forums remain, criminals are increasingly untrustful of their fellow members -- and are shifting towards business hidden in plain sight on the surface web.
Over the same period, IntSights has seen a 49% growth in the creation of fake social media accounts -- or put another way, two new fake profiles targeting each individual bank per week.
"A fake profile," notes the report, "can lure users to phishing sites or downloading fake apps. It can pose as customer service and ask for confidential information. It can spread false information to misdirect the public, manipulate stock price or influence the public to buy or sell. Additionally, it can also be used to harvest personal data and enrich other personal data that the attacker might hold."
The report also notes that the three dominant hacking groups that attack the financial sector are Money Taker, Carbanak and Cobalt -- all believed to be situate in Russia. Money Taker is thought to be responsible for more than 20 successful attacks against financial institutions in the U.S., UK and Russia. Carbanak has been credited with more than 300 successful attacks on banks, financial institutions and retailers. Cobalt has been credited with the theft of $9.7 million from the Russian MetakkinvestBank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan.
However, financial services aren't merely attacked by criminal gangs -- they also attract the attention of nation-state APT groups like Lazarus (North Korea). Lazarus has been credited with the 2014 attack on Sony Pictures; the WannaCry ransomware attack on multiple organizations around the world; the theft of $12 million from Banco del Austro in Ecuador; the theft of $1 million from Tien Phong Bank in Vietnam -- SWIFT attack; the theft of $81 million from the Central Bank of Bangladesh; the theft of $60 million from FEIB Bank in Taiwan; and the theft of $5 million from various banks in Nepal.
Based on its analysis of the activity it has tracked over the last 18 months, IntSights sees a continuously adapting and evolving financial services threat landscape -- some of which is already evident. Criminals will increasingly attack the supply chain, gaining access to large enterprises via their smaller suppliers. They will also look to compromise third-party software used by larger organizations -- a case in point being the recent Ticketmaster breach via Inbenta software.
IntSights also believes that direct extortion 'will become the new ransomware'. The huge fines that can be levied from new legislation such as the EU's General Data Protection Regulation (GDPR) will far exceed that amount that can be extorted by ransomware or the cost of recovering from ransomware. "Regulation fines and brand reputation damage," warns the report, "can be way more costly than downtime or lost data. Therefore, organizations are willing to pay more to not have a breach disclosed to the public, rather than pay to regain access to their data. Hackers will leverage this fear as a tactic to get more money."
Finally, IntSights notes that black market vendors are moving away from the deep web "to social media platforms (such as Facebook closed groups) and encrypted chat rooms (such as Telegram, ICQ and Jabber). We expect this trend to continue over the next year as it provides black market vendors with better privacy and secrecy."
"We see many financial organizations too focused on stopping direct attacks to their corporate systems," concludes Itay Kozuch, director of threat research at IntSights. "However, our research shows that cybercriminals have begun circumventing these defenses using social media, mobile application stores and phishing schemes.
"These tactics leverage an organization's brand and credibility to trick users and run scams, which can be even more costly and dangerous than direct attacks," he added. "We published our Financial Services Threat Landscape report to help these organizations widen their view of the threat landscape to not just protect against direct attacks, but protect their customers and prevent successful fraud."
Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018, bringing the total capital raised by the firm to $41.3 million.
VPNFilter Malware Hits Critical Infrastructure in Ukraine
18.7.2018 securityweek Virus
The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization.
According to the SBU, the malware was detected on the systems of the Aulska chlorine station in Auly, Dnipropetrovsk. The organization is part of the country’s critical infrastructure as it supplies chlorine to water treatment and sewage plants across Ukraine.
The malware reportedly targeted technological processes and safety systems, but the security agency said it quickly detected and blocked the attempt. The SBU said the attack could have resulted in technological process disruptions or a crash of the affected systems, which could have led to a “disaster.” The agency believes the attackers’ goal was to disrupt operations at the facility.
While the SBU’s statement suggests that this attack was specifically aimed at the chlorine station, it’s also possible that the organization was an opportunistic target. VPNFilter at one point had ensnared at least 500,000 routers and network-attached storage (NAS) devices and Ukraine appears to be its main target.
Even after U.S. authorities disrupted VPNFilter by seizing one of its command and control (C&C) domains, researchers reported that the threat had continued to target devices in Ukraine.
The fact that Ukraine has attributed the VPNFilter attack to Russia is not surprising. Even the United States government has linked the operation to some cyber-espionage groups believed to be sponsored by the Kremlin.
The VPNFilter botnet, whose existence was brought to light in May, targets more than 50 types of routers and NAS devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.
This is not the first time an attack that targets Ukraine has been blamed on Russia. Moscow has also been accused of launching the NotPetya attack and campaigns aimed at Ukraine’s power grid.
Support for Python Packages Added to GitHub Security Alerts
18.7.2018 securityweek Security
GitHub announced on Thursday that developers will be warned if the Python packages used by their applications are affected by known vulnerabilities.
The code hosting service last year introduced a new feature, the Dependency Graph, that lists the libraries used by a project. It later extended it with a capability designed to alert developers when one of the software libraries used by their project has a known security hole.
“We’ve chosen to launch the new platform offering with a few recent vulnerabilities,” GitHub said in a blog post. “Over the coming weeks, we will be adding more historical Python vulnerabilities to our database.”
The security alerts feature is powered by information collected from the National Vulnerability Database (NVD) and other sources. When a new flaw is disclosed, GitHub identifies all repositories that use the affected version and informs their owners.
The security alerts are enabled by default for public repositories, but the owners of private repositories will have to manually enable the feature.
When a vulnerable library is detected, a “Known security vulnerability” alert will be displayed next to it in the Dependency Graph. Administrators can also configure email alerts, web notifications, and warnings via the user interface, and they can configure who should see the alerts.
GitHub reported in March that the introduction of the security alerts led to a significant decrease in the number of vulnerable libraries on the platform.
When the feature was launched, GitHub’s initial scan revealed over 4 million vulnerabilities across more than 500,000 repositories. Roughly two weeks after the first notifications were sent out, over 450,000 of the flaws were addressed by updating the impacted library or removing it altogether.
Cisco Patches High Risk Flaws in StarOS, IP Phone
18.7.2018 securityweek Vulnerebility
Cisco this week released a set of security patches to address several vulnerabilities in its products, including High risk issues impacting StarOS and 6800, 7800, and 8800 Series IP Phones.
The first High severity bug (CVE-2018-0369) impacts the reassembly logic for fragmented IPv4 packets of Cisco StarOS running on virtual platforms. By abusing this security flaw, an unauthenticated remote attacker could trigger a reload of the npusim process, thus causing denial of service (DoS).
An attacker could trigger the simultaneous reload of all four instances of the npusim process that are running per Service Function (SF) instance.
According to Cisco, the vulnerability resides in the improper handling of fragmented IPv4 packets containing options. Thus, an attacker could exploit the issue by sending a malicious IPv4 packet across an affected device.
“An exploit could allow the attacker to trigger a restart of the npusim process, which will result in all traffic queued toward this instance of the npusim process to be dropped while the process is restarting. The npusim process typically restarts within less than a second,” Cisco explains in an advisory.
Impacted products include Cisco Virtualized Packet Core-Single Instance (VPC-SI), Cisco Virtualized Packet Core-Distributed Instance (VPC-DI), and Cisco Ultra Packet Core (UPC) running StarOS operating system releases prior to the fixed version.
The second High risk flaw (CVE-2018-0341) addressed this week impacts the web-based UI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware and could be exploited by an authenticated, remote attacker for command injection.
“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including arbitrary shell commands in a specific user input field,” Cisco says.
In addition to these two bugs, Cisco addressed six Medium severity issues in Web Security Appliance (WSA), FireSIGHT System Software, Firepower System Software, and Digital Network Architecture (DNA).
Exploitation of these vulnerabilities could result in denial of service, bypass of file policy, bypass of URL-based access control policy, and cross-site scripting (XSS) attacks, Cisco’s advisories reveal.
Flaws Expose Siemens Protection Relays to DoS Attacks
18.7.2018 securityweek ICS
Siemens has informed customers that some of the company’s SIPROTEC protection relays are exposed to denial-of-service (DoS) attacks due to a couple of vulnerabilities present in the EN100 communication module.
SIPROTEC devices provide control, protection, measurement and automation functions for electrical substations. These products use the EN100 ethernet module for IEC 61850, PROFINET IO, Modbus, DNP3 and IEC 104 communications.
Researchers at ScadaX, an independent group of experts focusing on ICS and IoT security, discovered that the EN100 module and SIPROTEC 5 relays are impacted by two DoS vulnerabilities that can be exploited by sending specially crafted packets to the targeted device’s TCP port 102.Siemens SIPROTEC relays affected by DoS vulnerabilities
Exploitation of the flaws causes the device’s network functionality to enter a DoS condition, which Siemens says compromises the system’s availability. Manual intervention is required to restore the impacted service.
An attacker needs access to the targeted organization’s network and IEC 61850-MMS communication needs to be enabled in order to exploit the flaws, but no user interaction is required.
The vulnerabilities are similar, but one of them, tracked as CVE-2018-11451, has been classified as “high severity,” while the other, CVE-2018-11452, which impacts the EN100 module if oscilographs are running, has been rated “medium severity.” Siemens noted that SIPROTEC 5 relays are only affected by the more serious flaw.
Siemens has released firmware updates for some of the impacted devices to address the flaws, and advised users to block access to port 102 with an external firewall to prevent attacks on systems for which patches have yet to be made available.
Industry professionals have often warned that DoS vulnerabilities are far more severe in the case of industrial control systems compared to regular IT systems due to the fact that they impact availability, which is a top priority in industrial environments.
In the case of Siemens’ SIPROTEC relays, the threat is not just theoretical. Researchers reported last year that the attackers behind the Industroyer/Crashoverride malware, which was linked to the December 2016 attack on an electrical substation in Ukraine, had also developed a DoS tool that exploited CVE-2015-5374 to cause SIPROTEC relays to become unresponsive.
Attackers Target iPhones Using Open Source MDM Solution
18.7.2018 securityweek Apple
Recently discovered cyber attacks targeting iPhone users have been using an open source mobile device management (MDM) system to control enrolled devices, Talos reports.
Enrollment of targeted devices could be performed via physical access or social engineering, but Talos could not determine which method the attackers used. As part of a highly targeted campaign, the attackers went to great lengths in their attempt to replace specific apps and intercept user data.
With the use of the MDM solution, the actor deployed five applications to the 13 targeted devices in India. As a result, they were able to steal SMS messages, view the device location, and exfiltrate data. Apple has been informed on the attack and has already acted against the certificates the attackers used.
Talos security researchers discovered that the attackers added features to legitimate apps (including WhatsApp and Telegram) using the BOptions sideloading technique. Then, the MDM was used to deploy the apps onto targeted devices.
The injected malicious code could gather and steal information such as phone number, serial number, location, contacts, user's photos, SMS and Telegram and WhatsApp chat messages.
The malware appears to have been in use since August 2015, logs on the MDM server and the command and control (C&C) server reveal. Based on other information found on these servers, Talos believes that the malware author works out of India.
The two MDM servers used by the attackers are based on the small, open-source project mdm-server. Through MDM, admins can control multiple devices from a single location, can install and remove apps and certificates, lock the device, change password requirements, and more.
The enrollment process, however, requires user interaction at each step, which suggests that social engineering was used as part of the attack. Most likely, users were advised to install the attacker’s certificate to allow enrollment, and the use of a domain such as "ios-certificate-update[.]com" helped them trick users.
The attacker used a certificate issued in September 2017 for an email address located in Russia, which is believed to be a false flag, as the attacker isn’t located in Russia. The certificates are either self-signed or signed by the Comodo certificate authority.
According to Talos, the affected devices, all located in India, include the following models: iPhone 5.4, iPhone 7.2, iPhone 8.1, iPhone 8.2, iPhone 9.3, and iPhone 9.4. The operating system versions include 10.2.1, 10.3.1, 10.3.2, 10.3.3, 11.0, 11.0.3, 11.2.1, 11.2.5, and 11.2.6.
While there’s no information available on how the 13 devices were enrolled in the MDM, the attacker likely tested the solution on their own iPhone, the researchers say.
The attack, however, appears focused on deploying malicious apps onto the compromised devices to steal information. The attacker injected code into applications such as AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp and then loaded them onto the targeted iPhones.
The malicious Telegram and WhatsApp versions were observed sending the collected information to a server that has been active since August 2015.
“At the time, it is unclear who the targets of the campaign were, who was the perpetrator, or what the exact purpose was. It's very likely the vector for this campaign was simply social engineering - in other words asking the user to click "ok". This type of vector is very difficult to defend against since users can often be tricked into acting against their best interests,” Talos concludes.
12 Russian Intelligence Officers Indicted for Hacking U.S. Democrats
18.7.2018 securityweek BigBrothers
Twelve Russian intelligence officers were indicted by a US grand jury on Friday -- just three days before President Donald Trump is scheduled to meet with Russia's Vladimir Putin -- for interfering in the November 2016 presidential election.
The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the 2016 vote and whether any members of Trump's campaign colluded with Moscow.
The indictment accuses members of Russia's military intelligence agency known as the GRU of carrying out "large-scale cyber operations" to steal Democratic Party documents and emails.
Deputy Attorney General Rod Rosenstein, who announced the indictment at a press conference in Washington, said "there's no allegation in this indictment that any American citizen committed a crime."
Rosenstein said "the conspirators corresponded with several Americans during the course of the conspiracy through the internet."
However, "there's no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers," he said.
Rosenstein also stressed that "there's no allegation that the conspiracy changed the vote count or affected any election result."
Rosenstein said he briefed Trump about the indictment before Friday's announcement and that the timing was determined by "the facts, the evidence, and the law."
The deputy attorney general's press conference came as Trump was meeting Queen Elizabeth II and just three days before his meeting with Putin in Helsinki.
- Calls to cancel Putin meeting -
Senator Chuck Schumer, the Democratic Senate minority leader, immediately called on Trump to cancel the Putin talks.
"These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win," Schumer said in a statement.
"President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won't interfere in future elections," he said.
Speaking earlier Friday, before the indictments were announced, Trump said he would ask Putin about the allegations of Russian election meddling.
"I will absolutely, firmly ask the question, and hopefully we'll have a good relationship with Russia," he told a joint press conference with British Prime Minister Theresa May.
But he simultaneously denounced the Mueller investigation as a "rigged witch hunt," and said he has been "tougher on Russia than anybody."
"We have been extremely tough on Russia," Trump said.
The US president recalled that 60 intelligence officers were expelled from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.
Russia has denied any involvement in the attack and rejected accusations that it interfered in the US presidential election in a bid to bring about the defeat of Democrat Hillary Clinton.
Rosenstein said 11 of the Russians indicted Friday were charged with "conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.
"One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections," he added.
"The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016," the deputy attorney general said.
"They also hacked into the computer networks of a congressional campaign committee and a national political committee."
Trump Says 'Might' Ask Putin to Extradite Accused Russian Hackers
18.7.2018 securityweek Hacking
Donald Trump has said he may ask Vladimir Putin during their upcoming summit meeting to extradite to the US 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.
Speaking in an interview with CBS Evening News conducted on Saturday ahead of his meeting with the Russian leader in Helsinki on Monday, the US president also sought to temper expectations about how much could be achieved.
Asked whether he would press his Russian counterpart to send to the US members of the Russian military intelligence agency accused of hacking Hillary Clinton's failed presidential campaign, he said: "Well, I might.
"I hadn't thought of that. But I certainly, I'll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration," he told CBS's Jeff Glor on "Face the Nation."
Speaking before the summit in Helsinki, Trump added that his Republican Party had also been the target of Russian hacking efforts but had superior cyber security measures in place.
"I think the DNC (Democratic National Committee) should be ashamed of themselves for allowing themselves to be hacked," he said. "They had bad defenses and they were able to be hacked. But I heard they were trying to hack the Republicans too. But -- and this may be wrong -- but they had much stronger defenses."
CNN reported in January last year that then-FBI Director James Comey told a Senate panel that "old emails" of the Republican National Committee had been the target of hacking -- but the material was not publicly released -- and there was no sign the current RNC or the Trump campaign had been successfully hacked.
The indictments issued Friday by special counsel Robert Mueller allege that the Russian hackers publicly released tens of thousands of stolen Democratic emails and documents using "fictitious online personas."
Mueller is investigating possible collusion between Trump's campaign and Russia.
"If the Russians wanted to exfiltrate data from the RNC and use it against Donald Trump, they would have done so," Democratic Congressman Adam Schiff said on CNN's "State of the Union" Sunday.
While Trump blamed the administration of former president Barack Obama, not Russia, after the indictments, US ambassador to Moscow Jon Huntsman said Sunday that "Russia is guilty of involvement and mischief in our election this last go-around."
He said the summit is important as the start of a dialogue, not only about election meddling but a range of issues.
- At boiling point -
Huntsman said on "Fox News Sunday" that Trump "is genuinely looking forward to sitting across the table and trying to reduce the tension in a relationship where our collective blood pressure is off-the-charts high."
The two presidents have shared personal bonhomie in the past, but beyond the alleged hacking of the US election, their countries are deeply divided on a host of other issues including Syria and Ukraine.
Before coming to Europe, Trump predicted his meeting with Putin could be the "easiest" stage of a tour that included stops in Brussels and Britain.
But he told CBS that he was going into it with "low expectations."
Trump also defended his decision to hold the meeting after opposition Democrats, and Republican Senator John McCain, said the summit should be canceled in the wake of the indictments.
"I believe it's really good. So having meetings with Russia, China, North Korea, I believe in it. Nothing bad is going to come out of it, and maybe some good will come out," the president said in broadcast excerpts. The rest of the interview will air on Monday.
Trump told CBS that "Russia is a foe in certain respects," and also named the European Union and China as "foes" economically, over trade practices for which Washington has imposed sanctions, sparking a trade war.
US National Security Adviser John Bolton said that, after the indictments, Trump "can put this on the table and say, this is a serious matter that we need to talk about."
He told ABC's "This Week" that "it's very important that the president has a direct one-on-one conversation" with Putin, and European leaders have expressed support for it.
Over 100 Vulnerabilities Patched in Adobe Acrobat, Reader
18.7.2018 securityweek Vulnerebility
Adobe on Tuesday released security updates that patch 105 vulnerabilities in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect.
The latest versions of Acrobat and Reader for Windows and macOS address tens of critical memory corruption bugs that can allow remote code execution, including double-free, heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference, and buffer error issues.
The list of weaknesses fixed with this month’s Patch Tuesday updates also includes a critical privilege escalation and tens of important out-of-bounds read issues that lead to information disclosure.
Over two dozen researchers have been credited for responsibly disclosing these flaws to Adobe. Many of the security holes were reported to the vendor through Trend Micro’s Zero-Day Initiative (ZDI).
In the case of Flash Player, version 126.96.36.199 resolves a critical type confusion issue that can lead to code execution and a flaw rated important that can result in information disclosure.
Hotfixes released by Adobe for Experience Manager patch three server-side request forgery (SSRF) vulnerabilities that can lead to the exposure of sensitive information, but none of the flaws are considered critical.
Finally, updates released for Adobe Connect fix authentication bypass and insecure library loading flaws that have been assigned medium and important severity ratings.
Adobe says it’s not aware of any malicious exploitation attempts for the vulnerabilities patched with this round of updates and the company does not expect to see attacks leveraging these flaws any time soon.
PE Firm Thoma Bravo Buys Majority Stake in Centrify
18.7.2018 securityweek IT
Private equity investment firm Thoma Bravo said it will acquire a majority interest in identity and access management (IAM) solutions firm Centrify.
Financial details of the transaction were not disclosed, and the transaction is expected to close in the third quarter of this year.
Founded in 2004, Centrify has raised a total of $94 million in funding to date, and offers a unified platform that provides Privileged Identity Management (PIM) and Identity-As-A-Service (IDaaS).
The Santa Clara, California-based company serves over five thousand customers around the world in industries including defense, banking, energy, retail, manufacturing and health care.
Thoma Bravo has made several large investments in the cybersecurity space over the years. In May 2018, it announced that it would acquire a majority interest in Security Information and Event Management (SIEM) solutions vendor LogRhythm. Other cybersecurity investments include SonicWall, SailPoint, Hyland Software, Deltek, Blue Coat Systems, Imprivata, Bomgar, Barracuda Networks, Compuware and SolarWinds.
“With Thoma Bravo’s extensive sector experience and insight in the enterprise security software space, Centrify is in a strong position to provide our products, services and unique expertise to meet the rising need for identity-based cybersecurity technology in today’s global environment,” Tom Kemp, co-founder and CEO of Centrify, said in a statement.
Hide 'N Seek IoT Botnet Can Infect Database Servers
18.7.2018 securityweek BotNet
The Hide 'N Seek Internet of Things (IoT) botnet has recently added support for more devices and can also infect OrientDB and CouchDB database servers, Qihoo 360's NetLab researchers say.
When first detailed in January this year, the botnet was evolving and spreading rapidly, ensnaring tens of thousands of devices within days. Targeting numerous vulnerabilities, the malware was capable of data exfiltration, code execution, and interference with the device operation.
By early May, the malware had infected over 90,000 devices, added code to target more vulnerabilities, and also adopted persistence, being able to survive reboots. The persistence module, however, would only kick in if the infection was performed over the Telnet service.
A peer-to-peer (P2P) botnet, Hide 'N Seek has continued to evolve, and is currently targeting even more vulnerabilities than before. The botnet now also includes exploits for AVTECH devices (webcam) and Cisco Linksys routers, Qihoo 360's NetLab reveals.
Furthermore, the malware now includes 171 hardcoded P2P node addresses, has added a crypto-currency mining program to its code, and has also evolved into a cross-platform threat, with the addition of support for OrientDB and CouchDB database servers.
The botnet’s spreading mechanism includes a scanner borrowed from Mirai, targeting fixed TCP port 80/8080/2480/5984/23 and other random ports.
For infection, the malware attempts remote code execution using exploits targeting TPLink Routers, Netgear routers (also targeted by Reaper botnet and Mirai variant Wicked), AVTECH cameras, Cisco Linksys Routers, JAW/1.0, OrientDB, and Apache CouchDB.
The Hide 'N Seek bots attempt to contact other P2P peers using one of three methods: a hard-coded built-in list of 171 peer addresses, command-line arguments, and via other P2P peers. The node would also interact with the 171 peers for check-in purposes and during the follow-up interaction process.
“When started with no command-line args, HNS node will send lots of UPD check-in packets. IP addresses of these packets are randomized, while some others are set based on the build-in list,” the NetLab researchers explain.
Due to its peer-to-peer architecture, the botnet is rather difficult to shut down. Furthermore, the constant stream of updates received over the past half a year suggests that Hide 'N Seek will continue to evolve, likely broadening its capabilities and target list.
Microsoft Patch Tuesday Updates Fix Over 50 Vulnerabilities
18.7.2018 securityweek Vulnerebility
Microsoft’s Patch Tuesday updates for July 2018 address more than 50 vulnerabilities, but none of them appear to have been exploited for malicious purposes before the fixes were released.
The company has classified 18 of the flaws as critical and, similar to previous months, they mostly affect the Edge and Internet Explorer web browsers. Many of these security holes have been described as memory corruption bugs that allow remote code execution.
Three of the flaws patched this month were publicly disclosed before Microsoft released patches. The list includes CVE-2018-8278, a spoofing vulnerability affecting Edge; and CVE-2018-8314 and CVE-2018-8313, both of which are Windows privilege escalation vulnerabilities.
Trend Micro’s Zero Day Initiative (ZDI) has highlighted some of the more interesting flaws patched this month. One of them is a low severity Office tampering issue that can be exploited by getting the targeted user to open a specially crafted file.
“An attacker exploiting this vulnerability could embed untrusted TrueType fonts into an email. Bugs in fonts have been popular since 2013 and have been used in malware attacks in the past. This bug could allow them to spread and possibly even bypass traditional filters. That’s likely the reason Microsoft chose to go ahead and release a patch for this Low-rated vulnerability,” ZDI explained in a blog post.
Another interesting vulnerability that is not very serious affects the Microsoft Wireless Display Adapter (MWDA). The flaw allows an authenticated attacker to execute arbitrary commands, but what makes the issue interesting is the fact that a firmware update is required to address it.
“To get the new firmware, it has to be downloaded from the Wireless Display Adapter App available in the Microsoft App Store. That doesn’t sound like something easily automated. From a sysadmin’s perspective, this patch will be very labor intensive to roll out,” ZDI said.
Microsoft also made some updates to advisories describing the Spectre and Meltdown vulnerabilities, including to inform users of a new Spectre variant.
Adobe’s Patch Tuesday updates resolve more than 100 vulnerabilities in Acrobat and Reader, including tens of critical memory corruption bugs that can allow remote code execution. The company has also released security updates for Flash Player, Experience Manager, and Connect.
Departing Apple Engineer Stole Autonomous Car Tech: FBI
18.7.2018 securityweek BigBrothers
An ex-Apple engineer on Monday was charged with stealing secrets from a hush-hush self-driving car technology project days before he quit to go to a Chinese startup.
Xiaolang Zhang was in custody for stealing trade secrets from the Apple project, according to a copy of the criminal complaint posted online.
The charge is punishable by 10 years in prison and a $250,000 fine.
"Apple takes confidentiality and the protection of our intellectual property very seriously," the California-based internet titan said in response to an AFP query.
"We're working with authorities on this matter and will do everything possible to make sure this individual and any other individuals involved are held accountable for their actions."
Zhang was hired by Apple in December of 2015 to be part of a team developing hardware and software for self-driving vehicles, a project that was a "closely-guarded secret," according to the complaint filed by the FBI.
Zhang took paternity leave in the month of April, going with his family to China.
Upon his return to Apple at the end of April, he told a supervisor he was quitting to return to China to be near his ailing mother.
Zhang mentioned he planned to go work for a Chinese self-driving vehicle startup called Xiaopeng Motors, or XMotors, in Guangzhou, according to the complaint.
The supervisor thought Zhang "evasive" and brought in an Apple product security team, which had Zhang turn in all company devices and walked him off campus, according to the filing.
Apple security found that Zhang's activity on the company network surged "exponentially" in the days before he returned from paternity leave.
Zhang did searches of confidential databases, and downloaded technical files, the criminal complaint said.
Documents downloaded by Zhang included some on topics such as "prototypes," according to the case against him.
Apple also had closed-circuit camera recording of Zhang going into autonomous driving tech team labs late on a Saturday night while he was on paternity leave, according to the filing.
Zhang later admitted to taking circuit boards and a Linux server from the hardware lab, and to transferring some Apple files to his wife's computer, the FBI said in the complaint.
Zhang was "voluntarily terminated" from Apple in early March, and FBI agents searched his home in June as part of their investigation.
Zhang told the FBI at that time he was working at XMotors offices in Silicon Valley, according to the complaint.
Zhang was heading to China with a "last-minute round-trip ticket" when FBI agents arrested him at an airport in the Silicon Valley city of San Jose, the filing said.
Intel Pays $100,000 Bounty for New Spectre Variants
18.7.2018 securityweek Security
Researchers have discovered new variations of the Spectre attack and they received $100,000 from Intel through the company’s bug bounty program.
The new flaws are variations of Spectre Variant 1 (CVE-2017-5753) and they are tracked as Spectre 1.1 (CVE-2018-3693) and Spectre 1.2.
The more serious of these issues is Spectre 1.1, which has been described as a bounds check bypass store (BCBS) issue.
“[Spectre1.1 is] a new Spectre-v1 variant that leverages speculative stores to create speculative buffer overflows,” researchers Vladimir Kiriansky of MIT and Carl Waldspurger of Carl Waldspurger Consulting explained in a paper.
New Spectre vulnerabilities discovered
“Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming (ROP) gadgets that can be used to build alternative attack payloads,” they added.
Spectre 1.2 impacts CPUs that fail to enforce read/write protections, allowing an attacker to overwrite read-only data and code pointers in an effort to breach sandboxes, the experts said.
Both Intel and ARM have published whitepapers describing the new vulnerabilities. AMD has yet to make any comments regarding Spectre 1.1 and Spectre 1.2.
Microsoft also updated its Spectre/Meltdown advisories on Tuesday to include information on CVE-2018-3693.
“We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required,” the company said.
Oracle is also assessing the impact of these vulnerabilities on its products and has promised to provide technical mitigations.
“Note that many industry experts anticipate that a number of new variants of exploits leveraging these known flaws in modern processor designs will continue to be disclosed for the foreseeable future,” noted Eric Maurice, Director of Security Assurance at Oracle. “These issues are likely to primarily impact operating systems and virtualization platforms, and may require software update, microcode update, or both. Fortunately, the conditions of exploitation for these issues remain similar: malicious exploitation requires the attackers to first obtain the privileges required to install and execute malicious code against the targeted systems.”
Just as the researchers published their paper, Intel made a $100,000 payment to Kiriansky via the company’s HackerOne bug bounty program. The experts did reveal in their paper that the research was partially sponsored by Intel.
Following the disclosure of the Spectre and Meltdown vulnerabilities in January, Intel announced a bug bounty program for side-channel exploits with rewards of up to $250,000 for issues similar to Meltdown and Spectre. The reward for flaws classified “high severity” can be as high as $100,000.
Facebook Faces Australia Data Breach Compensation Claim
18.7.2018 securityweek Social
Facebook could face a hefty compensation bill in Australia after a leading litigation funder lodged a complaint with the country's privacy regulator over users' personal data shared with a British political consultancy.
The social networking giant admitted in April the data of up to 87 million people worldwide -- including more than 300,000 in Australia -- was harvested by Cambridge Analytica.
Under Australian law, all organisations must take "reasonable steps" to ensure personal information is held securely and IMF Bentham has teamed up with a major law firm to lodge a complaint with the Office of the Australian Information Commissioner (OAIO).
The OAIO launched an investigation into the alleged breaches in April and depending on its outcome, a class action could follow.
IMF said in a statement late Tuesday it was seeking "compensation for Facebook users arising from Facebook's alleged breaches of the Australian Privacy Principles contained in the Privacy Act 1988".
"The alleged breaches surround the circumstances in which a third party, Cambridge Analytica, gained unauthorised access to users' profiles and information.
"The complaint seeks financial recompense for the unauthorised access to, and use of, their personal data."
In its statement, IMF Bentham said it appeared Facebook learned of the breach in late 2015, but failed to tell users about it until this year.
IMF investment manager Nathan Landis told The Australian newspaper most awards for privacy breaches ranged between Aus$1,000 and Aus$10,000 (US$750-US$7,500).
This implies a potential compensation bill of between Aus$300 million and Aus$3 billion.
Facebook did not directly comment on the IMF Bentham action but a spokesperson told AFP Wednesday: "We are fully cooperating with the investigation currently underway by the Australian Privacy Commissioner.
"We will review any additional evidence that is made available when the UK Office of the Information Commissioner releases their report."
A vulnerability in the Credential Security Support Provider (CredSSP) authentication protocol has been found to impact several human-machine interface (HMI) products from Germany-based industrial automation firm Pepperl+Fuchs.
The flaw, tracked as CVE-2018-0886, affects all supported versions of Windows and it was fixed by Microsoft with its March 2018 Patch Tuesday updates.
The vulnerability was discovered by security firm Preempt, which has classified it as critical, but Microsoft, which believes exploitation is “less likely,” has assigned it only an “important” severity rating.
CredSSP processes authentication requests for applications such as the Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM). A man-in-the-middle (MitM) attacker can exploit this vulnerability to remotely execute arbitrary code and move laterally within the targeted organization’s network.
Microsoft says any application using CredSSP for authentication could be vulnerable to this type of attack.
According to an advisory published by Germany’s CERT@VDE, an organization that focuses on industrial cybersecurity, CVE-2018-0886 affects Pepperl+Fuchs’ VisuNet RM, VisuNet PC, and Box Thin Client BTC human-machine interface products.
“A successful vulnerability exploitation enables an attacker to execute arbitrary code and get access to sensitive data, e.g. passwords of the compromised system. The vulnerability allows the attacker to intercept the initial RDP connection between a client and a remote-server. Then an attacker can relay user credentials to a target system and thus get complete Man in the Middle control over a session. A stolen session can be abused to run arbitrary code or commands on the target server on behalf of the user,” CERT@VDE said in its advisory.
Pepperl+Fuchs has advised owners of devices running RM Shell 4 and RM Shell 5 HMI software to install the security patches provided by the company. Users of devices running Windows 7 or Windows 10 can patch the vulnerability by updating Windows.
The advisory from CERT@VDE says Preempt reported the vulnerabilities to Pepperl+Fuchs, but the security firm told SecurityWeek that it did not explicitly reach out to any ICS vendor.
“CredSSP is a broadly used protocol and we worked with Microsoft, since it was in their software that we found these vulnerabilities,” said Ajit Sancheti, co-founder and CEO at Preempt. “It is quite likely that Pepperl+Fuchs uses the MSFT version and hence may have been informed by them.”
Products from other ICS vendors are likely also affected by the CredSSP vulnerability, but to date no other company has published security advisories.
Britain's data regulator said Wednesday it will fine Facebook half a million pounds for failing to protect user data, as part of its investigation into whether personal information was misused ahead of the Brexit referendum.
The Information Commissioner's Office (ICO) began investigating the social media giant earlier this year, when evidence emerged that an app had been used to harvest the data of tens of millions of Facebook users worldwide.
In the worst ever public relations disaster for the social media giant, Facebook admitted that up to 87 million users may have had their data hijacked by British consultancy firm Cambridge Analytica, which was working for US President Donald Trump's 2016 campaign.
Cambridge Analytica, which also had meetings with the Leave.EU campaign ahead of Britain's EU referendum in 2016, denies the accusations and has filed for bankruptcy in the United States and Britain.
"In 2014 and 2015, the Facebook platform allowed an app... that ended up harvesting 87 million profiles of users around the world that was then used by Cambridge Analytica in the 2016 presidential campaign and in the referendum," Elizabeth Denham, the information commissioner, told BBC radio.
Wednesday's ICO report said: "The ICO's investigation concluded that Facebook contravened the law by failing to safeguard people's information."
Without detailing how the information may have been used, it said the company had "failed to be transparent about how people's data was harvested by others".
The ICO added that it plans to issue Facebook with the maximum available fine for breaches of the Data Protection Act -- an equivalent of $660,000 or 566,000 euros.
Because of the timing of the breaches, the ICO said it was unable to impose penalties that have since been introduced by the European General Data Protection, which would cap fines at 4.0 percent of Facebook's global turnover.
In Facebook's case this would amount to around $1.6 billion (1.4 billion euros).
"In the new regime, they would face a much higher fine," Denham said.
- 'Doing the right thing' -
"We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes," Denham said.
"New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law."
In May, Facebook chief Mark Zuckerberg apologised to the European Parliament for the "harm" caused.
EU Justice Commissioner Vera Jourova welcomed the ICO report.
"It shows the scale of the problem and that we are doing the right thing with our new data protection rules," she said.
"Everyone from social media firms, political parties and data brokers seem to be taking advantage of new technologies and micro-targeting techniques with very limited transparency and responsibility towards voters," she said.
"We must change this fast as no-one should win elections using illegally obtained data," she said, adding: "We will now assess what can we do at the EU level to make political advertising more transparent and our elections more secure."
- Hefty compensation bill -
The EU in May launched strict new data-protection laws allowing regulators to fine companies up to 20 million euros ($24 million) or four percent of annual global turnover.
But the ICO said because of the timing of the incidents involved in its inquiry, the penalties were limited to those available under previous legislation.
The next phase of the ICO's work is expected to be concluded by the end of October.
Erin Egan, chief privacy officer at Facebook, said: "We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We're reviewing the report and will respond to the ICO soon."
The British fine comes as Facebook faces a potential hefty compensation bill in Australia, where litigation funder IMF Bentham said it had lodged a complaint with regulators over the Cambridge Analytica breech -- thought to affect some 300,000 users in Australia.
IMF investment manager Nathan Landis told The Australian newspaper most awards for privacy breaches ranged between Aus$1,000 and Aus$10,000 (US$750-$7,500).
This implies a potential compensation bill of between Aus$300 million and Aus$3 billion.
Israeli cyber security firm Radiflow, which provides cybersecurity solutions for industrial control systems (ICS) and Supervisory control and data acquisition (SCADA) networks, announced on Wednesday that it has raised $18 million in venture funding through an investment round led by Singapore-based engineering company ST Engineering.
Radiflow’s product offerings include risk assessment, threat detection and secure remote access tools with industrial asset visibility and anomaly detection.
Under a strategic partnership, ST Engineering has integrated Radiflow’s detection and prevention tools with its SCADA system.
Radiflow logoMore specifically, Radiflow said that its tools would be integrated with ST Engineering’s Rail Command, Control and Communications (C3) Systems (SCADA) to offer an end-to-end cybersecurity solution for the rail transport industry.
Radiflow says the investment will be used to expand its sales team to support growing market demand, strengthen its brand globally and support product development.
Radiflow also recently announced partnerships with Palo Alto Networks and RSA, to make field deployments easier and help ensure compliance with new regulations, including NERC CIP and the EU NIS Directive.
Radiflow will demonstrate its technology at SecurityWeek’s 2018 ICS Cyber Security Conference, taking place October 22-25, 2018 in Atlanta.
Radiflow is one of several cybersecurity startups targeting the industrial space that have raised funding. Some others include Dragos, Indegy, Bayshore Networks, CyberX, SCADAfence and Nozomi Networks. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted to the industrial sector, raised $75 million at a valuation of $825 million in July 2017. Just last month, New York-based Claroty announced that it had raised $60 million in a Series B funding round, bringing the total amount raised by the company to date to $93 million.
Power Grid Protection Firm SEL Patches Severe Software Flaws
18.7.2018 securityweek ICS
Several vulnerabilities, including ones rated high severity, have been discovered in management and configuration tools from power grid protection company Schweitzer Engineering Laboratories (SEL). The vendor has released software updates to address the flaws.
The security holes were discovered by Gjoko Krstic, a researcher with industrial cybersecurity firm Applied Risk. The flaws affect SEL Compass, a tool designed for managing SEL products, and AcSELerator Architect, an app that streamlines the configuration and documentation of IEC 61850 control and SCADA communications.
According to advisories published by Applied Risk and ICS-CERT, AcSELerator Architect 188.8.131.52 and prior versions are affected by two vulnerabilities. One of them, a high severity XML External Entity (XXE) vulnerability, can lead to information disclosure and in some cases to arbitrary code execution or a denial-of-service (DoS) condition. The flaw, tracked as CVE-2018-10600, can be exploited by getting the targeted user to open a specially crafted template or project file.Vulnerabilities found in SEL products
“The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.selaprj). This attack can also be used to execute arbitrary code (in certain circumstances, depending on the platform) or cause a denial of service (DoS) condition (billion laughs) via a specially crafted XML file including multiple external entity references,” Applied Risk wrote in its advisory.
The second flaw affecting AcSELerator Architect, identified as CVE-2018-10608, is a medium severity DoS issue that can be triggered using a malicious FTP server.
“The vulnerability can be triggered when an attacker provides the victim with a rogue malicious FTP server and listens for connections from the AcSELerator Architect FTP client feature. Once the victim gets connected to the evil FTP via the TCP protocol, a 100% CPU exhaustion occurs rendering the software to hang (not responding), denying legitimate workflow to the victim until the application is forcibly restarted,” Applied Risk explained.
As for SEL Compass, the application is affected by a high severity insecure file permissions issue that can be exploited for privilege escalation. This bug is tracked as CVE-2018-10604.
“The vulnerability exists due to the improper permissions on the SEL Compass directory, with the 'F' flag (Full) for 'Everyone' group. This gives an authenticated attacker the ability to modify or overwrite any file in the Compass directory with malicious code (trojan or a rootkit). This could result in escalation of privileges or malicious effects on the system the next time that a privileged user runs Compass,” Applied Risk said in a different advisory.
SEL patched the vulnerabilities with the release of SEL Compass v184.108.40.206 and SEL AcSELerator v220.127.116.11. Applied Risk told SecurityWeek that it took the vendor more than three months to release the updates.
SEL recently teamed up with industrial cybersecurity firm Dragos to “arm the electric power community with the tools to better detect and respond to threats within their industrial control system (ICS) networks.”
Outdated DoD IT Jeopardizes National Security: Report
18.7.2018 securityweek BigBrothers
Failure to Modernize Legacy DoD Systems is Putting U.S. National Security in Jeopardy, Report Claims
In a new study titled 'Innovation Imperative: The Drive to Modernize DoD', Meritalk queried 150 federal IT managers working in Department of Defense (DoD) organizations. The stated objective was "to understand the state of their IT infrastructure and applications." This was to include levels of satisfaction, an indication of where missions are being met or missed, and what should be done next.
In fact, this report is solely about DoD IT managers' attitude towards cloud migration -- which is perhaps unsurprising since the survey was underwritten by AWS and Red Hat.
The results confirm a strong belief that cloud is the way forward -- and perhaps the only way for the U.S. military to maintain an advantage over the world's other super powers: China and increasingly Russia. For example, 80% of the respondents say the DoD needs to improve the use of cloud to maintain the military’s technical advantage and support mission success; and 81% say accelerating DoD’s adoption of cloud is critical.
86% of respondents said that failing to modernize legacy DoD systems is putting U.S. national security in jeopardy.
The increasing use of artificial intelligence and big data analytics by the military, the need for more efficient data sharing between agencies, and the power to transcribe and translate massive amounts of recorded voice in almost real time can only be served by the power and flexibility of the cloud.
PentagonRespondents to the survey specifically see DoD cloud adoption important for big data analytics (85%), electronic warfare (83%), shared services (82%), DevOps (81%), AI (77%), IoT (73%), machine learning (72%) and blockchain (61%). But this understanding is not new to the DoD.
The Joint Enterprise Defense Infrastructure (JEDI) initiative is a plan for the DoD to acquire its own commercial cloud infrastructure suitable to hold DoD data at all classification levels, and available to any organization in DoD. It is a massive project spread over a ten-year ordering period, and thought to have a budget of around $10 billion over that timeframe.
It is believed that the DoD's preference is to award the project to a single provider; and it is equally believed that AWS is the frontrunner. Smaller existing cloud providers would lose out, and have been lobbying for a multi-provider approach. Microsoft, Google and IBM are also rumored to be interested in bidding for the project.
There is little mention of JEDI within the Meritalk survey. However, 51% of the respondents said they believe that a single-vendor cloud solution has more pros than cons. Sixty-three percent said that talk about JEDI has had "a positive impact on the pace of their organization’s IT modernization efforts"; and "72% feel utilizing multiple cloud vendors would increase the complexity of their organization’s system integrations."
The Meritalk survey, underwritten by AWS and Red Hat, offers strong support for the DoD's single supplier JEDI preference, where AWS (most probably backed by Red Hat software) is the frontrunner.
But regardless of who wins the JEDI provider contract, the survey also demonstrates that DoD IT managers are ready to increase their migration to the cloud. More than 50% of the respondents would recommend moving 50% of their current data to the cloud (13% would move 'the vast majority' of their data). They are unlikely -- and in some cases for reasons of national security unable -- to adopt a cloud-only strategy.
This will set the DoD on a path directly parallel to that faced by commercial enterprises today -- to what extent should existing infrastructures and data be migrated to the cloud, how can it be achieved, and how do you secure it. The only primary difference is that DoD already knows which cloud; that is, the JEDI cloud.
"The survey shows that the interest and promise of the cloud is well recognized, but the DoD would benefit from the lessons being learned right now by large private enterprises going through the same processes," Ken Spinner, VP of field engineering at Varonis told SecurityWeek. "Private industry, which is often recognized for its agility and embrace of new technologies, still largely works with a hybrid mix of cloud and on-premises systems and storage."
"One thing is certain," agrees Rick Moy, head of marketing at Acalvio: "hybrid networks, or cloud and on-premises." Both agree that adoption of JEDI -- or any other cloud solution -- will present the DoD organizations with both challenges and opportunities.
"There’s no easy button and the cloud is not without risks," says Spinner. "Another concern, and perhaps the weakest link, are the defense contractors that access confidential intelligence as part of their daily workload. It’s far too tempting for a few bad actors to breach a system and attempt to steal data -- the cloud needs to be protected just like on-premises systems and data. Another challenge will be to ensure that the security capabilities people currently have with on-prem solutions are available and tested with both pure cloud solutions and hybrid solutions."
But Moy adds the possibility of 'starting over'. "“I would argue that a move to cloud represents a fresh opportunity to build in better security and advanced monitoring capabilities," he told SecurityWeek: "ones that we may have overlooked in on-premises deployments. For instance, unified policy, access controls, deception, logging and monitoring, and so on."
The JEDI project shows that the DoD hierarchy is already set on a cloud future; and the Meritalk survey shows that individual DoD IT managers are ready for the challenge. "As DoD knows," concludes the Meritalk report, "cloud isn’t the final destination -- but it sets the foundation for necessary innovation, collaboration, and next-generation technologies like big data analytics, shared services, AI, and electronic warfare. Agencies must keep their eyes on the future and consider cloud in terms of broader IT modernization efforts government-wide."
AT&T to Acquire Threat Management Firm AlienVault
18.7.2018 securityweek IT
AT&T on Tuesday said it would acquire San Mateo, Calif.-based threat management and intelligence firm AlienVault for an undisclosed sum.
AlienVault offers its Unified Security Management platform and Open Threat Exchangeintelligence community, which will be integrated into AT&T’s cybersecurity suite of services.
Both companies have approved the agreement but the terms of the deal haven’t been disclosed. The acquisition, which is subject to customary closing conditions, is expected to complete in the third quarter of 2018.
AlienVault had raised more than $118 million in funding prior to agreeing to be acquired by the telecom giant.
With the acquisition of AlienVault, AT&T aims at expanding its portfolio of enterprise-focused security solutions to target small and medium-sized businesses.
“Regardless of size or industry, businesses today need cyber threat detection and response technologies and services. The current threat landscape has shifted this from a luxury for some, to a requirement for all,” Thaddeus Arroyo, CEO, AT&T Business, commented.
After the transaction is completed, AT&T will provide business customers with a unified security management platform that aims at helping organizations detect and respond to threats more effectively. According to AT&T, AlienVault will become a key part of its Edge-to-Edge Intelligence capabilities.
Although the two companies did not provide details on the transaction, AT&T did say the deal is not “expected to have a material effect on AT&T’s results.”
Hacker Offers Access to Machine at International Airport for $10
18.7.2018 securityweek Hacking
The cost of RDP (Remote Desktop Protocol) access to a system located at a major international airport is only $10 on the Dark Web, McAfee has discovered.
RDP, a proprietary Microsoft protocol that provides access to remote machines through a graphical interface, was designed for administration purposes, but cybercriminals are increasingly using it as part of their arsenal of attack tools.
In fact, numerous malware families have adopted RDP over the past several years, which resulted in the technique becoming more popular than email for ransomware distribution.
SamSam, the ransomware behind multiple attacks against healthcare organizations, has adopted the technique as well. SamSam was the malware used to infect customer-facing applications and some internal services at the City of Atlanta (recovery would cost the city over $10 million).
As McAfee has discovered, it’s actually incredibly easy for cybercriminals to gain RDP access to high-value networks: they only need to access an underground market and spend an initial $10 or less, or conduct their own scans for accessible systems.
The researchers looked into several RDP shops, offering between 15 to more than 40,000 RDP connections for sale. The largest of these shops is the Ultimate Anonymity Service (UAS), a Russian business, followed by Blackpass, Flyded, and xDedic (which was first analyzed in June 2016).
On these marketplaces, cybercriminals sell RDP access to a broad range of systems, ranging from Windows XP to Windows 10, with Windows 2008 and 2012 Server being the most popular (at around 11,000 and 6,500, respectively). Prices range from $3 (for a simple configuration) to $19 (for a high-bandwidth system with admin rights).
Access to systems running Windows Embedded Standard (or Windows IOT) is also available, including hundreds of similar configurations associated with municipalities, housing associations, and healthcare institutions in the Netherlands. Multiple government systems worldwide were also being sold.
On the UAS Shop, the researchers also found a newly added Windows Server 2008 R2 Standard machine available at only $10, and they eventually discovered it was located in a major International airport in the United States.
The investigation also revealed that the system had three user accounts available, one being an administrator account, while the other two were associated with a company specializing in airport security and building automation and with another specializing in camera surveillance and video analytics for airports.
“We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz,” McAfee points out.
An account found on another system led the researchers to a domain that appears to be related to “the airport’s automated transit system, the passenger transport system that connects terminals.” This system too was accessible from the Internet.
“Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10—with no zero-day exploit, elaborate phishing campaign, or watering hole attack,” the researchers underline.
While remote access to systems might be essential for administrators, it can also become a liability if not properly secured. Furthermore, with RPD shops stockpiling addresses of vulnerable machines, cybercriminals do not need to put a lot of effort into selecting victims: they only need to make a simple online purchase.
“In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. […] BlackPass offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts,” McAfee said.
Hackers Can Chain Multiple Flaws to Attack WAGO HMI Devices
18.7.2018 securityweek Vulnerebility
Germany-based industrial automation company WAGO has patched several vulnerabilities in its e!DISPLAY 7300T Web Panel human-machine interface (HMI) products that can be chained to take control of affected devices.
The security holes, discovered by researchers at security consultancy SEC Consult and rated “high severity,” include multiple reflected and one stored cross-site scripting (XSS) vulnerabilities (CVE-2018-12981), unrestricted file upload and file path manipulation issues (CVE-2018-12980), and an incorrect default permissions flaw (CVE-2018-12979).
The reflected XSS flaws allow an unauthenticated attacker to execute arbitrary scripts in the context of the victim and hijack their session by getting them to click on a specially crafted link. The stored XSS can only be exploited by an authenticated hacker, but it does not require the targeted user to click on a link. Instead, the malicious code is triggered when the victim visits the “PLC List” page in the web interface.WAGO HMI vulnerabilities
The unrestricted file upload vulnerability allows an attacker to upload arbitrary files, but not directly to the root as the web service does not run as a privileged user. On the other hand, the incorrect default permissions weakness does allow a file in the web root, specifically index.html, to be overwritten by the unprivileged “www” user.
Combining these flaws allows an attacker to upload a shell by overwriting index.html and execute arbitrary commands with the privileges of the “www” user.
“HMI displays are widely used in SCADA infrastructures. The link between their administrative (or informational) web interfaces and the users which access these interfaces is critical. The presented attacks demonstrate how simple it is to inject malicious code in order to break the security of this link by exploiting minimal user interaction,” SEC Consult explained. “As a consequence a computer which is used for HMI administration should not provide any possibility to get compromised via malicious script code.”
The vulnerabilities impact e!DISPLAY 7300T Web Panel models 762-3000, 762-3001, 762-3002 and 762-3003 running firmware version 01. The issues have been patched by the vendor with the release of firmware version 02.
In addition to installing the latest firmware, WAGO has advised customers to restrict network access to the device and avoid connecting it directly to the Internet, restrict the number of users who can access the system, change default passwords, and avoid clicking on links from untrusted sources.
Advisories describing these vulnerabilities have been published by SEC Consult, VDE@CERT, which coordinated the disclosure of the flaws, and WAGO.
This was not the first time SEC Consult identified vulnerabilities in WAGO products. Last year, the company reported finding a potentially serious vulnerability that could give a remote attacker access to an organization’s entire network.
Broadcom Buys Business Software Firm CA for $18.9 Billion
18.7.2018 securityweek IT
Semi-conductor giant Broadcom, which recently failed in a bid to buy US rival Qualcomm, on Wednesday announced a cash deal to buy software and services firm CA Technologies for $18.9 billion.
Broadcom described CA as a major provider of information technology management software, in an acquisition that would help the chip maker diversify its offerings.
"This transaction represents an important building block as we create one of the world's leading infrastructure technology companies," Broadcom chief executive Hock Tan said in a release.
The deal was approved by the boards of both companies.
Broadcom will pay $44.50 per share of CA stock; about 20 percent over the closing price for common shares at the end of formal market trading on Wednesday, according to the company.
"We are excited to have reached this definitive agreement with Broadcom," CA Technologies chief Mike Gregoire said in the joint release.
"This combination aligns our expertise in software with Broadcom's leadership in the semiconductor industry."
The companies expected the acquisition to close in the final quarter of this year. The merger must be approved by shareholders and regulators.
Broadcom in April transferred its headquarters from Singapore to the US as promised when it tried to buy Qualcomm.
The prior month, President Donald Trump issued an order barring the proposed $117 billion hostile takeover of Qualcomm, citing what he called "credible evidence" such a deal "threatens to impair the national security of the United States."
It would have been the biggest-ever deal in the tech sector.
Trump's order made no mention of China, but an earlier letter from the US Treasury Department warned that a takeover might hurt US leadership in 5G, super-fast fifth-generation wireless networks now being deployed, and consequently pose a threat to US security.
The presidential action was allowed because Broadcom is a foreign entity, but would not have been possible had it completed its move to Silicon Valley.
On March 14, Broadcom said it was withdrawing its offer for Qualcomm.
Broadcom was founded in California but moved its headquarters after a 2015 deal that merged it with Avago Technologies.
Timehop Shares More Details on Data Breach
18.7.2018 securityweek Incindent
Timehop has shared additional details about the recent data breach that impacted roughly 21 million user accounts, including what the attackers did once they gained access to the company’s systems and what other type of information was compromised.
Timehop provides an application that shows users the photos, videos and posts they shared on the current day in previous years on Facebook, Instagram, Twitter and other websites.
Earlier this month, the company revealed that one or more malicious hackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users, which could have been leveraged to access a user’s posts on social networking websites.
In response to the incident, Timehop invalidated social media tokens to prevent abuse and instructed users to re-authenticate each service.
In an update posted on Wednesday, Timehop revealed that dates of birth, genders, and country codes were also compromised in the incident.
The investigation is ongoing, but so far the company believes the attacker gained access to 20.4 million names, 15.5 million dates of birth, 18.6 million email addresses, 9.2 million gender designations, and 4.9 million phone numbers. Timehop listed separately the number of impacted PII records covered by the recently introduced GDPR.
According to Timehop, the attacker first accessed its systems on December 19, 2017, after stealing an employee’s credentials for the company’s cloud computing environment. The unauthorized access came from an IP address in the Netherlands.
The hacker immediately started conducting reconnaissance, including scraping the list of roles and accounts, but the compromised environment had not stored any personal information.
Personal information was copied by Timehop to the compromised database in early April and the attacker only discovered it on June 22. On July 4, the hacker made a copy of the user database and then changed its password. These actions led to service disruptions and internal alerts being triggered, but it took nearly 24 hours for Timehop to determine that it had been breached after the first alert.
“[Timehop engineers] did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” Timehop said. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”
HackerOne Bug Bounty Programs Paid Out $11 Million in 2017
18.7.2018 securityweek Safety
White hat hackers who responsibly disclosed vulnerabilities through bug bounty programs hosted by HackerOne earned more than $11 million last year, according to the company’s 2018 Hacker-Powered Security Report.
HackerOne hosts roughly 1,000 programs that over the past years have received over 72,000 vulnerability reports from researchers in more than 100 countries. The bounties paid out since the launch of the company until June 2018 reached over $31 million.
Of the total, more than $25 million was paid out by organizations in the United States, which was also the country where the highest percentage of money went to ($5.3 million).
According to the company, 116 of the bug reports submitted last year resulted in payouts that exceeded $10,000, and the average amount paid out by companies for critical issues has increased to over $2,000, with organizations such as Microsoft and Intel offering as much as $250,000.
An increasing number of companies have launched public bug bounty programs, but still nearly 80% of programs were private last year. The majority of public programs are launched by organizations in the tech sector, which accounts for 63%.
The government sector recorded the biggest increase in new program launches, with the European Commission, and Singapore’s Ministry of Defense announcing initiatives. The U.S. government has also continued to run programs, including Hack the Air Force and Hack the Army.
Roughly 27,000 valid vulnerabilities were reported last year and cross-site scripting (XSS) remained the most common type of flaw, followed by information disclosure bugs.
When it comes to the time it takes organizations to patch security holes, the consumer goods industry was the fastest, with an average of 14 days. At the other end of the chart we have the government sector, which patched vulnerabilities, on average, in 68 days.
The highest bug bounty paid out last year was $75,000. A technology firm awarded the sum for three vulnerabilities that could have been chained for remote code execution without user interaction. Successful exploitation could have allowed an attacker to access credit card information, hijack user and employee accounts, access infrastructure code, or deploy mass ransomware campaigns.
The complete 2018 Hacker-Powered Security Report is available from HackerOne in PDF format.
Arch Linux AUR Repository Compromised
12.7.2018 securityweek Incindent
A user-maintained Arch Linux AUR (Arch User Repository) software repository was pulled earlier this week after it was found to contain malware.
The repository was apparently compromised by an actor using the handle “xeactor” after its original maintainer abandoned it. The affected repo was a user-maintained PDF viewer called acroread.
The orphaned package was modified on June 7, when xeactor added to it a curl script to fetch and execute a malicious script from an attacker-controlled server. The result was the installation of a persistent program that causes systemd to start periodically.
The executed scripts were also found to include a component to gather various data on the compromised machine, including ID, CPU details, Pacman (package management utility) Information, and the output of uname –a and systemctl list-units.
The modification was reported on July 8 and the commits were reverted within hours by maintainer Eli Schwartz, who also suspended the offending account and removed two other packages. The affected packages are acrored 9.5.5-8, balz 1.20-3, and minergate 8.1-2.
Some of those who analyzed the modified code suggested that the changes might have been intended as a warning, because the script would create files in such a way that generated a lot of noise. Specifically, a compromised.txt file was created in root and all home folders.
However, the scripts could have been modified at any time to execute arbitrary code, thus turning malicious.
As Arch's Giancarlo Razzolini points out, the issue itself isn’t that severe, despite the attention it has already gathered. All those who download from AUR do so at their own risk, and such incidents could happen more often than not, he suggests.
“I'm surprised that this type of silly package takeover and malware introduction doesn't happen more often. This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves. Helpers that do everything automatically and users that don't pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself,” Razzolini notes.
Late last month, the developers of the Gentoo Linux distribution informed users that one of their GitHub accounts was compromised and that attackers planted malicious code. Gentoo’s infrastructure and repository mirrors weren’t affected.
As Facial Recognition Use Grows, So Do Privacy Fears
12.7.2018 securityweek Privacy
The unique features of your face can allow you to unlock your new iPhone, access your bank account or even "smile to pay" for some goods and services.
The same technology, using algorithms generated by a facial scan, can allow law enforcement to find a wanted person in a crowd or match the image of someone in police custody to a database of known offenders.
Facial recognition came into play last month when a suspect arrested for a shooting at a newsroom in Annapolis, Maryland, refused to cooperate with police and could not immediately be identified using fingerprints.
"We would have been much longer in identifying him and being able to push forward in the investigation without that system," said Anne Arundel County police chief Timothy Altomare.
Facial recognition is playing an increasing role in law enforcement, border security and other purposes in the US and around the world.
While most observers acknowledge the merits of some uses of this biometric identification, the technology evokes fears of a "Big Brother" surveillance state.
Heightening those concerns are studies showing facial recognition may not always be accurate, especially for people of color.
A 2016 Georgetown University study found that one in two American adults, or 117 million people, are in facial recognition databases with few rules on how these systems may be accessed.
A growing fear for civil liberties activists is that law enforcement will deploy facial recognition in "real time" through drones, body cameras and dash cams.
"The real concern is police on patrol identifying law-abiding Americans at will with body cameras," said Matthew Feeney, specialist in emerging technologies at the Cato Institute, a libertarian think tank.
"This technology is of course improving but it's not as accurate as science fiction films would make you think."
- 'Aggressive' deployments -
China is at the forefront of facial recognition, using the technology to fine traffic violators and "shame" jaywalkers, with at least one arrest of a criminal suspect.
Clare Garvie, lead author of the 2016 Georgetown study, said that in the past two years, "facial recognition has been deployed in a more widespread and aggressive manner" in the US, including for border security and at least one international airport.
News that Amazon had begun deploying its Rekognition software to police departments sparked a wave of protests from employees and activists calling on the tech giant to stay away from law enforcement applications.
Amazon is one of dozens of tech firms involved in facial recognition. Microsoft for example uses facial recognition for US border security, and the US state of Maryland uses technology from German-based Cognitec and Japanese tech firm NEC.
Amazon maintains that it does not conduct surveillance or provide any data to law enforcement, but simply enables them to match images to those in its databases.
The tech giant also claims its facial recognition system can help reunite lost or abducted children with their families and stem human trafficking.
- 'Slippery slope' -
Nonetheless, some say facial recognition should not be deployed by law enforcement because of the potential for errors and abuse.
That was an argument made by Brian Brackeen, founder and the chief executive officer of the facial recognition software developer Kairos.
"As the black chief executive of a software company developing facial recognition services, I have a personal connection to the technology, both culturally and socially," Brackeen said in a blog post on TechCrunch.
"Facial recognition-powered government surveillance is an extraordinary invasion of the privacy of all citizens -- and a slippery slope to losing control of our identities altogether."
The Georgetown study found facial recognition algorithms were five to 10 percent less accurate on African Americans than Caucasians.
- Policy questions -
Microsoft announced last month it had made significant improvements for facial recognition "across skin tones" and genders.
IBM meanwhile said it was launching a large-scale study "to improve the understanding of bias in facial analysis."
While more accurate facial recognition is generally welcomed, civil liberties groups say specific policy safeguards should be in place.
In 2015, several consumer groups dropped out of a government-private initiative to develop standards for facial recognition use, claiming the process was unlikely to develop sufficient privacy protections.
Cato's Feeney said a meaningful move would be to "purge these databases of anyone who isn't currently incarcerated or wanted for violent crime."
Jennifer Lynch, an attorney with the Electronic Frontier Foundation, said that the implications for police surveillance are significant.
"An inaccurate system will implicate people for crimes they did not commit. And it will shift the burden onto defendants to show they are not who the system says they are," Lynch said in a report earlier this year.
Lynch said there are unique risks of breach or misuse of this data, because "we can't change our faces."
Evan Selinger, a philosophy professor at the Rochester Institute of Technology, says facial recognition is too dangerous for law enforcement.
"It's an ideal tool for oppressive surveillance," Selinger said in a blog post.
"It poses such a severe threat in the hands of law enforcement that the problem cannot be contained by imposing procedural safeguards."
Apple Patches KRACK Flaws in Boot Camp
12.7.2018 securityweek Apple
Apple has released an update for its Boot Camp utility to address vulnerabilities related to the wireless Key Reinstallation Attacks (KRACK) that were disclosed late last year.
A total of 10 KRACK vulnerabilities were disclosed in October 2017, all impacting the Wi-Fi standard itself and rendering all Wi-Fi Protected Access II (WPA2) protocol implementations vulnerable. The new type of attack also impacts industrial networking devices.
An attacker looking to exploit the vulnerabilities would need manipulate replay handshake messages to trick the victim into reinstalling an already-in-use key. An attacker within Wi-Fi range of a victim would then have access to information previously assumed to be safely encrypted.
Vendors raced to patch the flaws, and Apple themselves released a fist set of KRACK-related patches in October last year, for iOS, macOS, tvOS, and watchOS devices. The company also addressed the bugs in Apple Watch and AirPort Base Station Firmware.
Apple is now pushing a fix for Boot Camp, the multi-boot utility included in macOS that allows users install Microsoft Windows operating systems on Intel-based Macs.
With the release of a Wi-Fi Update for Boot Camp 6.4.0 last week, the Cupertino-based tech giant is addressing a total of three KRACK-released flaws, which are tracked as CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.
By targeting vulnerable devices, an attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients or in WPA multicast/GTK clients, Apple explains in an advisory.
The software update, the company explains, is available for a broad range of machines running Boot Camp, including MacBook (Late 2009 and later), MacBook Pro (Mid 2010 and later), MacBook Air (Late 2010 and later), Mac mini (Mid 2010 and later), iMac (Late 2009 and later), and Mac Pro (Mid 2010 and later).
“A logic issue existed in the handling of state transitions. This was addressed with improved state management,” Apple noted.
Timehop Data Breach Hits 21 Million Users
12.7.2018 securityweek Incindent
Timehop informed users late last week that hackers gained unauthorized access to some of its systems as part of an attack that impacts roughly 21 million accounts.
New York-based Timehop has created an application that shows users the photos, videos and posts they shared on the current day in previous years on Facebook, Instagram, Twitter and other websites. The app also allows users to share these memories with their friends.
According to Timehop, the attacker accessed a database storing usernames, phone numbers, email addresses and social media access tokens. The incident affects approximately 21 million accounts, but only social media access tokens were exposed for all of them. Roughly 4.7 million accounts included phone numbers.
The compromised tokens can allow a malicious actor to access some of the targeted user’s social media posts, but they do not provide access to private messages. Moreover, Timehop has highlighted that there is no evidence of any unauthorized access using these tokens.
“In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts - again, we have no evidence that this actually happened,” Timehop said.
The compromised tokens have been invalidated so users will have to re-authenticate each service with Timehop, a process that will generate new tokens.
The breach was discovered on July 4, but an investigation conducted by the company showed that the attack started as early as December 19, 2017, when hackers obtained admin credentials for cloud computing services used by Timehop.
“This unauthorized user created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment. For the next two days, and on one day in March, 2018, and one day in June, 2018, the unauthorized user logged in again and continued to conduct reconnaissance,” the company explained.
The malicious activity was detected on July 4 after the attacker accessed a production database and started transferring data, which triggered an alarm.
Timehop says it took just over two hours to contain the incident after it was detected. The company has launched an investigation in collaboration with law enforcement, an incident response firm, and a threat intelligence company. Timehop has published both high-level and more technical reports on the incident.
The company has also retained the services of GDPR specialists to help it address the implications of the breach in Europe.
German Hosting Firm DomainFactory Hacked
12.7.2018 securityweek Hacking
DomainFactory, a Germany-based web hosting services provider of GoDaddy-owned Host Europe Group, informed customers late last week that their personal and financial information was exposed after a hacker gained access to some of its systems.
According to DomainFactory, one of the largest hosting firms in Germany, the breach occurred in late January, but the company only learned of the incident on July 3 after the hacker started disclosing samples of the stolen information on the DomainFactory forum.
The hack is still being investigated, but the attacker appears to have gained access to data such as customer name, company name, customer number, address, email address, phone number, DomainFactory phone password, date of birth, and bank name and account number.
The company says it has secured the point of entry used by the hacker, but has warned customers that the compromised information may be misused for financial fraud and other types of attacks.
Users have been instructed to change their passwords, including for their DomainFactory, DomainFactory phone, email, FTP, SSH and MySQL accounts.
According to German publication Heise, the hacker published a post on the DomainFactory forum on July 3 claiming to have gained access to one of the company’s customer databases. Both Heise and some of the impacted users have confirmed that the data appears to be legitimate.
The hacker has created the Twitter account “@NaHabedere” and claims to be from Austria. He told Heise that he breached DomainFactory in an effort to obtain information on a person who owes him money and decided to disclose the hack after the company failed to notify customers. The hacker apparently does not plan on selling or publishing the data he obtained.
DomainFactory has shut down its forum following the breach. Users have been advised to monitor their bank statements and report any suspicious activity to authorities.
UK Financial Authorities Publish Paper On Operational Resilience
12.7.2018 securityweek IT
UK Financial Authorities' Paper on Resilience Potentially Silos Continuity from Data Protection
The Bank of England (BofE), the UK's Prudential Regulation Authority (PRA), and the UK's Financial Conduct Authority (FCA) -- together known as the financial supervisory authorities -- have jointly published a discussion paper (PDF) on building operational resilience into the financial sector. While cyber is a major risk, the concept is to build resilience to all risks including cyber.
Regulated firms, financial market infrastructures (FMIs), consumers, industry bodies, auditors, specialist third-party providers, professional advisors and other regulators are invited to comment on the paper by 5 October 2018. The paper notes that there is currently no global framework for resilience, and says that the authorities "will share our insights with the global regulatory community."
While the paper does not differentiate between the types of risk to continuity, it nevertheless reflects a great deal of current thinking about cyber risk. It suggests that relevant companies should plan on the assumption that disruption will occur, as well as seeking to prevent it. Current cyber advice is that companies should assume they either are currently breached or will be breached in the future.
Consequently, the key to resilience is for the board to define "the level of disruption that could be tolerated" (CISOs call this the 'risk appetite'); and for the risk managers (CISOs for the cyber aspect) to put in place the means to confine any disruption within those bounds. This is the thinking behind cyber advice to concentrate on incident response.
The paper takes the view that concentrating on resilience is consistent with the Bank of England's Financial Policy Committee's (FPC) work on cyber risk. "The FPC identifies, monitors and takes action to remove or reduce systemic risks with a view to protecting and enhancing the resilience of the UK financial system. The FPC has been considering whether testing the financial system for disruption from cyber incidents is warranted for the purpose of enhancing and maintaining UK financial stability. While the FPC has been doing this in the context of cyber, the concepts are relevant to operational resilience regardless of the specific cause of disruption."
Indeed, the recommended process for evaluating and reducing the risk to resilience is similar to the recommended process for evaluating and reducing cyber risk.
But where the paper digresses from current cyber thinking is the view "that managing operational resilience is most effectively addressed by focusing on business services, rather than on systems and processes." It's a question of emphasis, and is similar in concept to the ongoing difficulties between operational technology and information technology. OT frequently prioritizes continuity over data protection. While few cyber experts believe that security can be obtained by technology alone, even fewer believe it can be obtained without it.
In the financial sector it is feasible that risk management might conclude that maintaining legacy systems is more important to operational continuity than the cyber risk to those same legacy systems; or that the introduction of new cyber security technologies might be operationally disruptive. Neil Costigan, CEO at BehavioSec, sees a danger here. "This is less about appropriate technology than practices and thinking," he told SecurityWeek. "It does, I guess, offer solid support for CISOs to lobby their boards about the threats and expectations; but I see it as recommendations/guidelines/advice for silos."
While current cyber thinking is that OT and IT need to merge, there is a danger that this emphasis on continuity and processes might maintain and even promote the separation. Costigan goes further, suggesting the UK might be missing an opportunity here. The paper discusses individual bank responsibility, where possibly sector resiliency is a shared responsibility.
"If you look at Sweden and Norway," he said, "you'll see that the banks do not operate in isolation -- security is viewed as a collective responsibility." He gives the example of BankID -- a single identity system that operates across multiple financial institutions, and has been recognized as a legally binding signature in other areas.
Dan Sloshberg, director product marketing at Mimecast, suggests that concentrating on resilience will automatically include cyber issues. "WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure," he says. "Organizations can also learn from the new NIS Directive. This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organizations can continue to operate during an attack and get back up on their feet quickly afterwards."
Dave Ginsburg, VP of marketing at Cavirin, sees the paper as a reasonable attempt to improve resiliency in a changing world. He notes that since the London bombing threat going back to the IRA and The Troubles last century in the UK, and 9/11 in the U.S., banks in both countries have effective disaster recovery operations in place.
"However," he told SecurityWeek, "financial interconnections and interdependencies are much more complicated than they were 17 years ago. What the UK is getting at is putting in place the mechanisms to preserve the financial ‘supply chain' if the worst occurs due to physical or cyberattack. Everyday approaches to physical security and user training don't necessarily address this, and one would hope that institutions in the US, if not implementing such an approach already, may use this as a template. And, it need not only apply to finance, but to the cyber posture of other critical systems such as telecommunications, transportation, electricity, and water supply, to name a few."
"The concept of impact tolerance is core to the supervisory authorities' thinking," comments the paper, "and may challenge firms and FMIs to think differently. It encourages them to assume operational disruptions will occur. This means that attention can be directed towards minimizing the impact of disruption on important business services. Impact tolerance focuses firms, FMIs and the supervisory authorities on the potential vulnerabilities in business and operating models. The work they do to increase the resilience of these need not be tied to specific threats, rather an important business service should be made resilient to a wide variety of threats."
The paper highlights an unpalatable truth for consumers: in critical industries such as the financial sector, operational continuity is more important than data protection -- including PII. Concentrating resources on continuity could feasibly leave customer data more exposed to cyber-attack. Having PII stolen does not normally directly impinge on continuity, and could conceivably be considered of lesser importance (at least as far as the financial regulators are concerned).
The problem for individual firms within such critical industries is that any ensuing resilience regulations will not excuse them from existing data protection regulations. By treating resiliency as a separate issue to data protection, it merely complicates an already complicated regulatory environment.
Intel Patches Security Flaws in Processor Diagnostic Tool
12.7.2018 securityweek Vulnerebility
Intel has updated its Processor Diagnostic Tool to address vulnerabilities that could lead to arbitrary code execution and escalation of privileges.
The Intel Processor Diagnostic Tool (IPDT) is a piece of software designed to verify the functionality of an Intel processor. It can check for brand identification and operating frequency, test specific features, and perform a stress test on the processor.
The recently addressed vulnerabilities (two of which are tracked as CVE-2018-3667 and CVE-2018-3668) were found by Stephan Kanthak and affect the IPDT releases up to v18.104.22.168, Intel reveals.
Kanthak says he found a total of four vulnerabilities in the executable installers of Intel’s tool, three of which would lead to arbitrary code execution with escalation of privilege, and a fourth that could lead to denial of service.
The security flaws can be exploited in standard Windows installations where a user UAC-protected administrator account that is created during Windows setup is used, without elevation.
“This precondition holds for the majority of Windows installations: according to Microsoft's own security intelligence reports <https://www.microsoft.com/security/sir>, about 1/2 to 3/4 of the about 600 million Windows installations which send telemetry data have only ONE active user account,” Kanthak points out.
The issue is that the IPDT installer creates three files with improper permissions, thus opening the door to said vulnerabilities.
One issue was that the installer created a randomly named folder in the %TEMP% directory, copied itself into it, and then executed the copy. Because the folder and the copy inherit the NTFS access control list from %TEMP%, once execution of files from that directory is denied, the installer would fail to execute.
Another issue was that the copy of the executable self-extractor would run with administrative privileges, but the extracted payloads (the installers setup.exe and setup64.exe, and the batch script setup.bat) are dropped unprotected into the user's %TEMP% directory. The copy would also change directory to %TEMP% and execute the batch script %TEMP%\setup.bat.
“The extracted files inherit the NTFS ACLs from their parent %TEMP%, allowing ‘full access’ for the unprivileged (owning) user, who can replace/overwrite the files between their creation and execution. Since the files are executed with administrative privileges, this vulnerability results in arbitrary code execution with escalation of privilege,” the researcher notes.
Because setup.bat calls setup.exe and setup64.exe without a path, the command processor starts searching for the files via %PATH% as it does not find them in the current working directory.
In Windows Vista and newer, however, it is possible to remove the current working directory from the executable search path and an unprivileged user, who is in full control of %PATH%, can replace the two files with rogue ones in an arbitrary directory they add to %PATH%, which results in arbitrary code execution with escalation of privilege.
The researcher also discovered that the two setup executables also load multiple Windows system DLLs from their "application directory" in the %TEMP% folder, instead of using those in Windows' "system directory."
“An unprivileged attacker running in the same user account can copy rogue DLLs into %TEMP%; these are loaded and their DllMain() routine executed with administrative privileges, once more resulting in arbitrary code execution with escalation of privilege,” the researcher points out.
The issues were reported to Intel in May and the company updated the installer the same month, but information on the vulnerabilities was not released until last week. Intel Processor Diagnostic Tool v22.214.171.124 resolves all of the above issues.
Hackers Using Stolen D-Link Certificates for Malware Signing
12.7.2018 securityweek Virus
A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.
The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET's security researchers say.
The Plead campaign is believed to have been active since at least 2012, often focused on confidential documents and mainly targeting Taiwanese government agencies and private organizations.
Evidence of the fact that the D-Link certificate was stolen comes from the fact that it was used to sign non-malicious D-Link software, not only the Plead malware, ESET explains.
After being informed on the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.
“D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.
Changing Information Technology Inc., also based in Taiwan, revoked the misused certificate on July 4, but the threat actor continued to use it for malicious purposes even after that date, ESET reveals.
The signed malware samples also contain junk code for obfuscation purposes, but all perform the same action: they either fetch from a remote server or open from the local disk encrypted shellcode designed to download the final Plead backdoor module.
The malware can steal passwords from major web browsers, such as Chrome, Firefox, and Internet Explorer, and from Microsoft Outlook.
According to Trend Micro, the Plead backdoor can also list drives, processes, open windows and files on the compromised machine, can open remote shell, upload files, execute applications via ShellExecute API, and delete files.
“Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” ESET notes.
The use of code-signing certificates for malware delivery isn’t a novel practice, and the Stuxnet worm, which was discovered in 2010, is a great example of how long threat actors have been engaging in such practices. The first to target critical infrastructure, Stuxnet used digital certificates stolen from RealTek and JMicron, well-known Taiwanese tech companies.
New Attacks on Palestine Linked to 'Gaza Cybergang'
12.7.2018 securityweek APT
The Gaza Cybergang, an advanced persistent threat (APT) group linked to the Palestinian terrorist organization Hamas, apparently continues to target organizations in the Middle East, researchers at Check Point revealed last week.
The attacks observed by the security firm started with a spear-phishing email carrying a self-extracting archive that stored a Word document and a malicious executable. The emails purported to come from the Palestinian Political and National Guidance Commission and the documents contained copies of media reports from various Palestinian news websites.
While the targeted user is busy looking at the document, a piece of malware is being installed on their system. The malware, an upgraded variant of Micropsia, a tool previously linked to the Gaza Cybergang, is capable of taking screenshots, stealing documents, rebooting the system, obtaining information about the compromised device, and killing itself.
These and other capabilities are provided by more than a dozen modules, each named after characters in the American TV show “The Big Bang Theory” and a popular Turkish TV series called “Resurrection: Ertugrul.” In a related malware sample, the modules are named after various BMW car models (e.g. BMW_x1, BMW_x8).
The main target of this campaign, which Check Point has dubbed “Big Bang,” appears to be the Palestinian Authority, the governing body of the emerging Palestinian autonomous regions of the West Bank and Gaza Strip.
Researchers believe the latest attacks started in March and evidence suggests that they could be the work of the Gaza Cybergang, which has been known to target the Palestinian Authority many times in the past years.
“Although the group behind it seems to be focused on carefully selecting their victims, using a custom-made info-stealer for intelligence gathering operations, due to its very nature it is difficult to assert what the ultimate goal of this campaign is. Indeed, the next stages of the attack may even still be in the works, not yet deployed or only deployed to selected few victims,” Check Point researchers wrote in a blog post.
Also known as Gaza Hackers Team and Molerats, the threat actor has been active since at least 2012. Its targets include Israel, Egypt, Saudi Arabia, the UAE, Iraq, the United States, and some European countries.
The group has occasionally suspended activity after security firms exposed its operations, but it has continued improving tools and techniques and expanding its list of targets.
One of the most recent reports on Gaza Cybergang was published in October 2017 by Kaspersky Lab. The security firm reported at the time that the group had been targeting organizations in the Middle East and North Africa (MENA) region, including an oil and gas company from which the hackers stole information for more than a year.
Cisco Talos also published a report on Gaza Cybergang last year, detailing attacks aimed at Palestinian law enforcement.
Fitness App Revealed Data on Military, Intelligence Personnel
12.7.2018 securityweek BigBrothers
Mobile fitness app Polar has suspended its location tracking feature after security researchers found it had revealed sensitive data on military and intelligence personnel from 69 countries.
The revelation on the application from Finnish-based app Polar Flow comes months after another health app, Strava, was found to have showed potentially sensitive information about US and allied forces around the world.
Security researchers in the Netherlands said Sunday they were able to find data on some 6,000 individuals including military personnel from dozens of countries and employees of the FBI and National Security Agency.
The disclosure illustrates the potential security risks of using fitness apps which can track a person's location, and which may be "scraped" for espionage.
"With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning," security researcher Foeke Postma said in a blog post Sunday after an investigation with the Dutch news organization De Correspondent.
"We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer's identity."
The investigation found detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea, the researchers said.
Polar said in a statement it was suspending the app's feature that allowed users to share data, while noting that any data made public was the result of users who opted in to location tracking.
"It is important to understand that Polar has not leaked any data, and there has been no breach of private data," the statement said.
It said the location tracking feature "is used by thousands of athletes daily all over the world to share and celebrate amazing training sessions."
According to De Correspondent, only about two percent of Polar users chose to share their data, but that nonetheless allowed anyone to discover potentially sensitive data from military or civilian personnel.
"We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea," the report said.
In January, the Pentagon said it was reviewing its policies on military personnel use of fitness application after Strava's map showed a series of military bases in Iraq as well as sites in Afghanistan.
Two More Traders Convicted in Newswire Hacking Scheme
12.7.2018 securityweek Hacking
Two more individuals, a hedge fund manager and a securities trader, have been convicted by a U.S. court for their role in a $30 million scheme that involved hacking major newswire companies.
Vitaly Korchevsky, a 53-year-old former hedge fund manager from Pennsylvania, and Vladislav Khalupsky, a 47-year-old securities trader residing in New York and Ukraine, have been convicted in a Brooklyn federal court on charges of conspiracy to commit wire fraud, conspiracy to commit securities fraud and computer intrusion, conspiracy to commit money laundering, and securities fraud. They each face up to 20 years in prison for their crimes.
The scheme involved Ukraine-based hackers breaking into the systems of Marketwired, PR Newswire and Business Wire between February 2010 and August 2015, and stealing as many as 150,000 press releases. The hackers sent the stolen press releases containing nonpublic financial information to several traders who quickly monetized it.
Korchevsky and Khalupsky are said to have traded based on nonpublic press releases issued by hundreds of companies, including Align Technology, CA Technologies, Caterpillar, HP, Home Depot, Panera Bread, and Verisign.
According to authorities, Korchevsky made more than $15 million over the course of the scheme, while Khalupsky, who traded for the criminal network and received a percentage of the profits, made at least $500,000.
“The evidence at trial also demonstrated that the defendants went to great lengths to conceal their roles in the criminal scheme,” the Justice Department said. “The conspirators used separate phones, computers and hotspots to conduct their illegal trading activity, and routinely deleted emails and/or destroyed hardware that contained evidence of their crimes. The conspirators also directed that payments received for the illegal profits they generated for the criminal network be made to offshore shell companies.”
Korchevsky and Khalupsky were among nine individuals accused of making $30 million through the newswire hacking scheme. Three of the suspects are still at large, but all the others, including a Ukrainian national responsible for hacking into the newswire firms, have been convicted or pleaded guilty.
The scheme involved many people, not just the nine individuals charged by the Justice Department. A separate civil case filed by the U.S. Securities and Exchange Commission (SEC) names 34 people who allegedly made $100 million in unlawful profits through this operation.
Email Security Firm Mimecast Buys Staff Training Startup Ataata
12.7.2018 securityweek IT
London, UK-based email archiving and security firm Mimecast has acquired Bethesda, Md-based security training company Ataata. Financial terms of the acquisition have not been disclosed
Mimecast, founded by CEO Peter Bauer and CTO Neil Murray in 2003, offers a SaaS-based email platform providing email security and management. Ataata was founded in 2016 by CEO Michael Madon. It offers a continuous training platform that analyzes results and predicts which staff may be security risks.
Research by Mimecast and Vanson Bourne in May 2018 highlighted the extent to which humans are the targeted weakness in cybersecurity. From a pool of 800 IT decision makers and C-level executives, 94% had witnessed untargeted phishing attacks, 92% had witnessed spear-phishing attacks, 87% had witnessed financially-based email impersonation attacks (BEC), and 40% had seen an increase in trusted third-party impersonation attacks.
Mimecast LogoDespite this, only 11% of the respondents claimed to use continuous staff training to help employees detect and respond to such email attacks. "Cybersecurity awareness training has traditionally been viewed as a check the box action for compliance purposes, boring videos with PhDs rambling about security or even less than effective gamification which just doesn't work," commented Bauer.
"As cyberattacks continue to find new ways to bypass traditional threat detection methods, it's essential to educate your employees in a way that changes behavior," he continued. "According to a report from Gartner, the security awareness computer-based training market will grow to more than $1.1 billion by year-end 2020. The powerful combination of Mimecast's cyber resilience for email capabilities paired with Ataata's employee training and risk scoring will help customers enhance their cyber resilience efforts."
Ataata brings humor to staff training. "Every module is drafted by professional television comedy writers who understand the reality of security in the enterprise," it explains. "Yes, such people exist. We hired 'em. So our content is funny, deeply knowing about the contemporary workplace and driven by characters your employees will recognize all too well." Ataata was founded on the principle that training should not be a compliance tool imposed by management, but a commitment enjoyed by staff.
Human error is involved in the majority of all security breaches, and casual mistakes can cost organizations money, their reputation -- and employees, potentially their job. "Organizations need to understand that employees are their last line of defense," says Madon. "Cybersecurity training and awareness doesn't need to be difficult or boring. Training and awareness is needed to help mitigate these internal risks. Our customers rely on engaging content at the human level, which helps to change behavior at the employee-level. We're excited to join forces with Mimecast to help customers build a stronger cyber resilience strategy that includes robust content, risk scoring and real-world attack simulation -- going way beyond basic security awareness capabilities."
Mimecast told SecurityWeek that teams from both firms will be working to integrate the products "to create the most advanced, sophisticated and effective cyber awareness training product on the market." Over time, the two platforms will become more tightly integrated, but, says Mimecast, "the offering is immediately relevant and valuable to all of Mimecast's target audiences."
Ataata has not operated from a central office. Existing staff will be maintained as employees of Mimecast, and remain based where they currently live -- with the exception of Madon. Madon, Mimecast told SecurityWeek, will relocate to Boston, where he "will now be leading up the newly established Mimecast Learning Labs, a training and certification program for Mimecast customers looking to achieve role-based excellence around security best practices."
Mimecast went public in late 2015 at $10 per share, raising $78 million in gross proceeds. After the IPO, share value fell as low as $6.20 in January 2016. Since July 2016, however, share price has risen steadily to $42.99 at the time of writing. Ataata raised $3 million in a Series A funding round in December 2017.
Apple Rolls-Out USB Restricted Mode in iOS
12.7.2018 securityweek Apple
Apple on Monday released patches for various security vulnerabilities in iOS, macOS, tvOS, watchOS, and Safari, as well as for iCloud and iTunes for Windows.
In addition to fixes for 22 issues, the iOS 11.4.1 software update also introduces the long expected USB Restricted Mode, a feature that should boost the security of its platform and improve privacy.
“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked,” Apple says.
The new feature should prevent the use of USB devices that connect over the Lightning port to crack the device’s passcode and access user data, should the connection attempt occur one hour after the device was locked.
The new feature can be found in Settings > Face ID (or Touch ID) & Passcode > USB Accessories. Users should leave the toggle disabled to take advantage of USB Restricted Mode.
With the roll-out of this new capability on iOS, it would be more difficult for forensics analysis to access data on a suspect’s devices, as they would only have a one-hour window at their disposal to attempt to crack the available protections.
Once it has kicked in, USB Restricted Mode persists through reboots and even if the device software has been restored via Recovery mode, ElcomSoft’s Oleg Afonin explains.
However, it is possible to reset the USB Restrictive Mode countdown timer if an untrusted USB accessory is connected to the device within the first hour.
The 22 vulnerabilities addressed with the release of iOS 11.4.1 impact CFNetwork, Emoji, Kernel, libxpc, LinkPresentation, WebKit, WebKit Page Loading, and Wi-Fi. WebKit was impacted the most, with 14 vulnerabilities addressed in it.
The addressed issues include unexpected persistence of cookies in Safari, denial of service, elevation of privileges, access to restricted memory, address bar spoofing, arbitrary code execution, unexpected Safari crashes, exfiltration of audio data cross-origin, and sandbox escape.
The new iOS release is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
Apple also patched 11 security flaws with the release of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan. The bugs impact AMD, APFS, ATS, CFNetwork, CoreCrypto, DesktopServices, IOGraphics, Kernel, libxpc, and LinkPresentation.
The most important of the issues is CVE-2018-3665, a vulnerability that impacts Intel processors. Dubbed LazyFP and detailed last month, the bug is similar to Meltdown Variant 3a and could be exploited to access floating point unit (FPU) state data, which can contain sensitive information, such as cryptographic keys.
“Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel,” Apple notes.
The newly released watchOS 4.3.2 resolves a total of 14 vulnerabilities, while tvOS 11.4.1 addresses 18. Apple resolved 16 flaws with the release of Safari 11.1.2, and patched 14 bugs in both iCloud for Windows 7.6 and iTunes 12.8 for Windows.
GandCrab Ransomware Spreads Via NSA Exploit
12.7.2018 securityweek Ransomware
GandCrab, a ransomware family that has received numerous updates in recent months, is now attempting to infect Windows XP machines using the NSA-linked EternalBlue exploit.
The malware is usually spreading via spam emails, but GandCrab 4, which first emerged earlier this month, is being distributed via compromised websites, Fortinet says. The malware now appends the .KRAB extension to the encrypted files.
The new variant also includes an overhaul in terms of code structure, has switched to the Salsa20 stream cipher for data encryption, and also removed some of the older features. More importantly, it no longer requires command and control (C&C) communication to encrypt files.
“For this latest release, we have found numerous infected websites injected with malicious pages. These pages instantly redirect users to a separate page containing the actual download link leading to the GandCrab executable,” Fortinet explains.
Both the malware executable and the download links are being updated regularly, the security researchers say. In fact, within days after version 4 emerged, the ransomware authors released GandCrab 4.1, which has already showed signs of network communication.
More importantly, as security researcher Kevin Beaumont has discovered, the ransomware is also attempting to spread through the National Security Agency’s EternalBlue SMB exploit.
The most interesting aspect of this new capability is the fact that Windows XP and Windows Server 2003 systems too are targeted, along with modern operating systems.
The EternalBlue exploit targets a security bug in Windows’ Server Message Block (SMB) on port 445.The flaws, however, only impact older operating system versions, mainly Windows XP and Windows 7.
The exploit wasn’t previously working on Windows XP out of the box, but that did not prevent ransomware such as WannaCry to attempt to spread using it. In fact, numerous malware families have been abusing the exploit to date, including the NotPetya wiper.
Microsoft patched the vulnerability that EternalBlue targets before the exploit became public, and even pushed an emergency patch for Windows XP to keep users safe from WannaCry.
Thus, as Beaumont points out, the best defense against GandCrab and any malware spreading via EternalBlue is to apply the available patch for all operating systems, including the older Windows XP and Windows Server 2003.
“Many antivirus products have dropped support for Windows XP and 2003, which makes this problematic. You probably want to make sure staff know not to download things from BitTorrent, install unknown software, run keygens, access random USB sticks etc.,” Beaumont notes.
Ticketmaster Breach: Tip of the Iceberg in Major Ongoing Magecart Attacks
12.7.2018 securityweek Attack
In June 2018, Ticketmaster UK warned that some of its customers -- which it put at less than 5% of its global customer base -- may have had their payment information accessed by an unknown third-party. Ticketmaster laid the blame on third-party provider Inbenta, who laid the blame on Ticketmaster, who in turn had been warned by online bank Monzo in April that they might have been breached. Clearly, there was more to this story than was being told at the time.
RiskIQ researchers Yonathan Klijnsma and Jordan Herman have now filled in some of the gaps. An analysis of the events suggests that the breach was bigger and over a longer period than previously thought -- but it is only one part of a much larger and ongoing campaign to steal users' payment details. The researchers go further -- naming the unknown third-party culprit as the Magecart actors.
RiskIQ has been monitoring Magecart since 2015, and produced a report in 2016. Magecart uses a form of virtual card skimming, scraping payment details during online transactions and sending the card details to the criminals. Originally, the Magecart actors hacked retail stores directly. Now it seems to have evolved to breaching the suppliers of widely used third-party components.
This is what seems to have happened with Ticketmaster UK and Inbenta. Inbenta code was compromised with the addition of Magecart skimming software. "Inbenta explained that the module was custom built for Ticketmaster," write the researchers. "To modify the source of this module, the attackers would have needed access to Inbenta's systems in some way or form. We believe that Inbenta was breached, but there another possibility a Ticketmaster developer account was breached to access Inbenta. Unless the companies provide more transparency into the event, we will never know."
Ticketmaster UK has said that the Inbenta breach led to subsequent 'breaches' at their Ticketmaster International, Ticketmaster UK, GETMEIN!, and TicketWeb websites. RiskIQ research say this list should include at least Ticketmaster New Zealand and Ticketmaster Ireland as well; and adds that Ticketmaster Germany, Ticketmaster Australia, and Ticketmaster International were compromised by Magecart via a different third-party supplier of functionality -- in this case SociaPlus.
The Magecart campaign spreads far beyond just Ticketmaster and Inbenta and SociaPlus. "While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster," said Klijnsma. "We believe it's cause for far greater concern -- Magecart is bigger than any other credit card breach to date and isn't stopping any day soon."
The report highlights three other major component suppliers that it claims are currently breached by Magecart. The first, PushAssist, provides web analytics similar to Google Analytics. "Their server has been breached and is still serving analytics with the Magecart skimmer. The service boasts having over 10 thousand websites using its analytics platform... This means any website performing payment processing on their website that uses PushAssist is, right now, within reach of the Magecart skimmer."
The second is Clarity Connect, which provides a CMS for company owners to create an online presence with a website or web store. The Magecart actors have even left a message in the compromised code: 'If you will delete my code one more time I will encrypt all your sites: you very bad admins.' It seems, suggest the researchers, "the Magecart actors have broad access that they aren't afraid to use if the administrator removes their skimmer again. Clarity Connect's customers are affected by this injected skimmer code."
The third example is Annex Cloud, another analytics provider currently compromised by Magecart -- and again it appears as if the actors have broad access to the Annex Cloud servers.
"It appears that Magecart was able to access hundreds of other high-profile ecommerce sites during its credit card skimming campaign, which means the scale of this breach looks set to be unprecedented," comments Ross Brewer, VP & MD EMEA at LogRhythm. He notes that like many other hackers, the Magecart actors have switched their attention to the supply chain. They are, he says, "redirecting their attention to smaller, third party suppliers that can act as a gateway to more lucrative targets. As the saying goes, you're only as strong as your weakest link, which means if one of your third-party partners doesn't have the same commitment to data protection, any tools you have in place are essentially rendered useless."
Magecart, warn the RiskIQ researchers, "is an active threat that operates at a scale and breadth that rivals -- or possibly surpasses -- the recent compromises of point-of-sale systems of retail giants such as Home Depot and Target. The Magecart actors have been active since 2015 and have never retreated from their chosen criminal activity. Instead, they have continually refined their tactics and targets to maximize the return on their efforts."
San Francisco, Calif-based RiskIQ raised $30.5 million in a Series C funding round led by Georgian Partners in November 2016. This brought the total funding raised by the firm to $65.5 million.
Popular software VSDC official website was hacked and used to distribute malware
12.7.2018 securityaffairs Virus
Hackers have compromised the website of VSDC, (http://www.videosoftdev.com), a popular company that provides free audio and video conversion and editing software.
Experts from Chinese security firm Qihoo 360 Total Security discovered that attackers hijacked the download links of the popular audio and video editor, VSDC.
The experts discovered that hackers hijacked download links on the websites in three different periods, the links were pointing to servers they were operating.
The attackers gained access to the administrative server part of the site and replaced the links to the distribution file of the program.
The experts discovered that attacks were registered from an IP address in Lithuania – 185[.]25.51.133.
“360 Security Center discovered the download links of a famous audio and video editor, VSDC (http://www.videosoftdev.com), has been hijacked in official website. The computer will be injected by theft Trojan, keylogger and remote control Trojan after the program is downloaded and installed.” reads the analysis published by Qihoo 360 Total Security.
Below the details of the three different attacks:
June 18 – Hackers substituted download links with hxxp://126.96.36.199/_files/file.php
July 2 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
July 6 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
VSDC confirmed the incident and fixed the links on its website.
The first and third periods affected the most users that were infected with three different pieces of malware.
The infostealer hijacks sensitive information including Telegram account / password, Steam account / password, Skype chat log, Electrum wallet and screenshot from victims’ machine. Data are sent back to hxxp://system-check.xyz/index.php.
The keylogger records all keyboard actions and sends the record to hxxp://wqaz.site/log/index.php.
The third file is a Hidden VNC remote control Trojan that could be used by attackers to control the infected PC.
The security researcher Ivan Korolev from Dr.Web revealed that the third file is a version of DarkVNC, a lesser known RAT.
Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More - by @campuscodihttps://www.bleepingcomputer.com/news/security/popular-software-site-hacked-to-redirect-users-to-keylogger-infostealer-more/ …
The third trojan that is screenshoted by Qihoo is DarkVNC, not a TVRAT or SpyAgent. However, they might have replaced the file before it was analyzed by @malwrhunterteam
9:05 AM - Jul 12, 2018
See Ivan Korolev's other Tweets
Twitter Ads info and privacy
“This domain name hijacking is a global attack and has affected more than thirty countries. It is more likely to be a Supply Chain Attack instead of a local network hijacking.” continues the analysis.
“On behalf of VSDC team we’d like to inform our users that the attacks have been stopped and all the vulnerabilities detected and removed”
1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our practice has shown, 10-12 character passwords made of random characters are not complex enough, so they have their length significantly increased.
2. Two-level authentication of access to the administrative part at the IIS server level was introduced.
3. On the server currently there is a utility that checks all files for validity.
A tainted version of Arch Linux PDF reader package found in a user-provided AUR
12.7.2018 securityaffairs Hacking
Hackers have poisoned the Arch Linux PDF reader package named “acroread” that was found in a user-provided Arch User Repository (AUR),
Hackers have poisoned the Arch Linux PDF reader package, this means that users who have downloaded recently a PDF viewer named “acroread” may have been compromised.
ThePDF reader package has been tainted with a malware and Arch Linux has removed the user-provided AUR (Arch User Repository).
This incident raises the discussion about the installation of software from untrusted sources and the possibility that threat actors poison the supply chain.
The specific user repository had been abandoned by its maintainer leaving open the doors for a threat actor.
Someone using the handle “xeactor” modified the package by adding a downloader script that loads a malicious code hosted on a server maintained by the attackers.
The maintainer Eli Schwartz quickly reverted the commits after discovering the hack, it also suspended the account of xeactor.
“The acroread AUR package appears to have been compromised: look at https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id= b3fec9f2f16703c2dae9e793f75ad6e0d98509bc (and in particular that curl|bash line!). Not exactly sure who to contact, but I assume someone on this list can get things sorted out.” wrote Schwartz.
“Account suspended, commit reverted using Trusted User privileges.”
Schwartz also discovered two other packages that were tainted with a similar technique, both have been removed.
The user Bennett Piater wrote in the Arch Linux mailing that he noticed a suspect script that creates ‘compromised.txt’ in the root and all home folders.”
“Looks to me like this is more of a warning than anything else, no? Why would he create those files otherwise, given how much attention that would attract?” Piater said.
for x in /root /home/*; do
if [[ -w "$x/compromised.txt" ]]; then
echo "$FULL_LOG" > "$x/compromised.txt"
The acroread was used by attackers as a dropper and the script would set the systemd to restart on a regular basis, a circumstance confirmed by Schwartz too.
“Side note on the acroread pastes: https://ptpb.pw/~xwas executed by the PKGBUILD, which in turn executed https://ptpb.pw/~u. But the thing it installed declares an ssupload()function then tries to execute the contents of $uploader to actually upload the data collection.” wrote Schwartz.
Arch Linux PDF reader package
The good news is that the malicious software could not work.
Arch maintainer Giancarlo Razzolini tried to downplay the problem explaining the usage of AUR clearly could expose users at risk, but it is their choice.
“This would be a warning for what exactly? That orphaned packages can be adopted by anyone? That we have a big bold disclaimer on the front page of the AUR clearly stating that you should use any content at your own risk? This thread is attracting way more attention than warranted. I’m surprised that this type of silly package takeover and malware introduction doesn’t happen more often.” wrote Razzolini.
“This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves. Helpers that do everything automatically and users that don’t pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself.”
Hacker offered for sale US Military Reaper Drone documents for $200
12.7.2018 securityaffairs CyberCrime
Researchers at threat intelligence firm Recorded Future have reported that a hacker was trying to sell US Military Reaper drone documents for less than $200.
The news is disconcerting, the hackers may have obtained the documents related to the Reaper drone by hacking into at least two computers belonging to U.S. military personnel.
“Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV). Insikt analysts engaged the hacker and confirmed the validity of the compromised documents.” reads the analysis published by Recorded Future.
“Insikt Group identified the name and country of residence of an actor associated with a group we believe to be responsible.”
Experts from Recorded Future contacted the hacker that explained to them that had obtained the documents by exploiting a vulnerability in Netgear routers that was known since 2016.
The hacker used the Shodan search engine to discover vulnerable devices online and targeted them with the available exploit, evidently one of them gave the attacker the access to the precious documents.
The compromised Netgear router was located at Reaper station at the Creech Air Force Base in Nevada and it was simple for the hacker to compromise it.
The hacker stole Reaper maintenance course books and a list of airmen assigned to controlling the drone.
“Utilizing the above-mentioned method, the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU.” states Recorded Future.
“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.”
The hacker also offered for sale a dozen training manuals describing improvised explosive device defeat tactics, how to operate an M1 Abrams tank, a file on tank platoon tactics, and crewman training and survival manual.
Though Recorded Future couldn’t elicit the source of those docs from the hacker, the company said it appeared the files had been taken from a U.S. Army staffer.
The documents weren’t classified, but Recorded Future pointed out that their content was highly sensitive and could be abused by various threat actors, including terrorist organizations.
Recorder Future reported its discovery to the DHS in mid-June that started an internal investigation.
“We will not comment on documents that were allegedly stolen, and cannot verify.” a said a Department of Defense spokesperson.
If the source of the documents is confirmed, this incident raises the discussion about the lack of security on military personnel computers.
“Maybe government agencies should start looking into their own policies,” concludes Recorded Future researcher Andrei Bareseyvich. “Right now it seems to be a bigger problem than we had anticipated.”
Intel pays a $100K bug bounty for the new CPU Spectre 1.1 flaw
12.7.2018 securityaffairs Security
A team of researchers has discovered new variant of the famous Spectre attack (Spectre 1.1), and Intel has paid a $100,000 bug bounty as part of its bug bounty program.
Intel has paid out a $100,000 bug bounty for new vulnerabilities that are related to the first variant of the Spectre attack (CVE-2017-5753), for this reason, they have been tracked as Spectre 1.1 (CVE-2018-3693) and Spectre 1.2.
Intel credited Kiriansky and Waldspurger for the vulnerabilities to Intel and paid out $100,000 to Kiriansky via the bug bounty program on HackerOne.
Early 2018, researchers from Google Project Zero disclosed details of both Spectre Variants 1 and 2 (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754).
Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.
The team of experts composed of Vladimir Kiriansky of MIT and Carl Waldspurger of Carl Waldspurger Consulting discovered two new variants of Spectre Variant 1.
Back to the present, the Spectre 1.1 issue is a bounds-check bypass store flaw that could be exploited by attackers to trigger speculative buffer overflows and execute arbitrary code on the vulnerable processor.
This code could potentially be exploited to exfiltrate sensitive data from the CPU memory, including passwords and cryptographic keys.
“We introduce Spectre1.1, a new Spectre-v1 variant that leverages speculative stores to create speculative buffer overflows. Much like classic buffer overflows, speculative out-ofbounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow.” reads the research paper.
“Control-flow attacks enable arbitrary speculative code execution, which can bypass
fence instructions and all other software mitigations for previous speculative-execution attacks.”
The second sub-variant discovered by the experts, called Spectre1.2 is a read-only protection bypass
It depends on lazy PTE enforcement that is the same mechanism exploited for the original Meltdown attack.
Also in this case, the issue could be exploited by an attacker to bypass the Read/Write PTE flags and write code directly in read-only data memory, code metadata, and code pointers to avoid sandboxes.
“Spectre3.0, aka Meltdown , relies on lazy enforcement of User/Supervisor protection flags for page-table entries (PTEs). The same mechanism can also be used to bypass the Read/Write PTE flags. We introduce Spectre1.2, a minor variant of Spectre-v1 which depends on lazy PTE enforcement, similar to Spectre-v3.”In a Spectre1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers, and code metadata, including vtables, GOT/IAT, and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective.,” continues the research paper.
ARM confirmed that Spectre 1.1 flaw affects also its processor but avoided to mention flawed ARM CPUs.
Mayor tech firms, including Microsoft, Red Hat and Oracle have released security advisories, confirming that they are investigating the issues and potential effects of the new Spectre variants.
“Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors.” reads the advisory published by Microsoft.
“An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.”
Do you want penetrate an airport network? An RDP access to internal machine goes for $10 on the dark web.
12.7.2018 securityaffairs Hacking
The access to a system at a major international airport via RDP (Remote Desktop Protocol) could be paid only $10 on the Dark Web.
Experts at McAfee have discovered hackers offering RDP access to compromised machines worldwide while analyzing several black markets.
The researchers discovered shops offering between 15 to more than 40,000 RDP connections for sale, the largest one is the Russian Ultimate Anonymity Service (UAS).
The second-largest RDP shop experts researched is BlackPass, where it is possible to find the widest variety of products, including RDP access into computers.
Other RDP shops in the dark web are Flyded, and xDedic that was discovered by experts from Kaspersky in June 2016.
Crooks are increasingly leveraging RDP connections in their attacks, many campaigns used RDP to distribute malware, such as the SamSam ransomware.
Cybercriminals also started offering in the dark web RDP accessed to high-value networks for less than $1 or scanning services for accessible systems.
Sellers in major black marketplaces offer RDP accesses to a broad range of systems, ranging from Windows XP to Windows 10. The experts noticed that Windows 2008 and 2012 Server are the most popular with 11,000 and 6,500 accesses respectively.
“The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale.” reads the analysis published by McAfee.
“Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.”
Experts also found accesses to systems running Windows Embedded Standard (or Windows IOT), the offers at UAS Shop and BlackPass were characterized by hundreds of identically configured machines associated with municipalities, housing associations, and healthcare institutions in the Netherlands. The offer of black markets also includes multiple government systems worldwide.
Analyzing the UAS Shop, the researchers discovered a recently added Windows Server 2008 R2 Standard machine available at only $10 that was located in a major International airport in the United States.
The seller was offering it with three user accounts, the administrator account, and other two associated with a company specializing in airport security and building automation and with another specializing in camera surveillance and video analytics for airports.
Such kind of accesses could be very dangerous because they offer an entry point in critical infrastructure for attackers.
“We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz,” explained McAfee.
The surprises are not ended, the researchers found an account on another system associated with a domain that appears to be related to “the airport’s automated transit system, the passenger transport system that connects terminals.”
“Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10—with no zero-day exploit, elaborate phishing campaign, or watering hole attack.” conclude the researchers.
“Governments and organizations spend billions of dollars every year to secure the computer systems we trust. But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock.”
China-based TEMP.Periscope APT targets Cambodia’s elections
12.7.2018 securityaffairs APT
FireEye uncovered a large-scale Chinese phishing and hacking campaign powered by Temp.periscope APT aimed at Cambodia’s elections.
Security researchers at FireEye have uncovered a large-scale Chinese phishing and hacking campaign aimed at Cambodia’s elections.
The hackers distributed a remote access trojan (RAT) and data exfiltration operation targeting the poll.
The experts from FireEye attributed the attacks to an APT group tracked as TEMP.Periscope that targeted in past operations American engineering and maritime operations.
FireEye found evidence of infection on systems used by election-related entities in Cambodia, including the National Election Commission, human rights advocates, an MP for the Cambodia National Rescue Party, two Cambodian diplomats in overseas posts, and some media outlets.
“FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia’s politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures.” reads the analysis published by FireEye.
“This campaign occurs in the run up to the country’s July 29, 2018, general elections.”
TEMP.Periscope used the same infrastructure of other campaigns against other targets, including the defense industrial base in the United States and a chemical company based in Europe.
Analyzing this campaign, FireEye found files on three open indexes operated by the attackers, in this way the company gathered information about group’s TTPs and its targets. The activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia’s government and elections.
Two servers (chemscalere[.]com and scsnewstoday[.]com) is used to operate a typical Command and Control infrastructure and hosting sites, while a third one, mlcdailynews[.]com, works as an active SCANBOX server.
SCANBOX is another APT that FireEye has monitored in various campaigns since 2015, the presence of a SCANBOX server suggested TEMP.Periscope was also planning to target individuals with an interest in US-East Asia politics, Russia, and NATO affairs in forthcoming campaigns.
The servers contain both malware and logs, the analysis of the latter revealed:
Analysis of logs from the three servers revealed:
Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX) .
The servers were administered by operators based in Hainan (one of the IP addresses, 112.66.188[.]28, is located in Hainan, China), and experts found two new malware families hosted on them, DADBOD and EVILTECH, and other malware families detected in the past (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX)”.
The most active tolls of this campaign were the AIRBREAK backdoor, the HOMEFRY password cracker and dumper; the LUNCHMONEY uploader and a command line reconnaissance tool called MURKYTOP.
Malware Function Details
During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or connection to another attacker-controlled system.
DADBOD Credential Theft
DADBOD is a tool used to steal user cookies.
Analysis of this malware is still ongoing.
The experts attributed the attacks to China, other IP addresses involved in the campaign are associated with virtual private servers, but researchers noticed that artifacts indicate that the computers used to log in all cases are configured with Chinese language settings.
“The activity uncovered here offers new insight into TEMP.Periscope’s activity.” concludes FireEye. “Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections”
Hackers steal $13.5 Million from Israeli Bancor exchange
11.7.2018 securityaffairs CyberCrime
The Israeli-based decentralized cryptocurrency Bancor exchange is the last victim of a security breach in the cryptocurrency industry.
According to a statement published by the Bancor exchange, an unknown hacker has stolen roughly $13.5 million worth of cryptocurrency.
The security breach occurred on July 9, 2018 at 00:00 UTC, the attackers gained access to one of the wallets operated by the Israeli exchange, no user wallets were compromised.
This morning (CEST) Bancor experienced a security breach. No user wallets were compromised. To complete the investigation, we have moved to maintenance and will be releasing a more detailed report shortly. We look forward to being back online as soon as possible.
12:56 PM - Jul 9, 2018
88 people are talking about this
Twitter Ads info and privacy
The company moved its infrastructure to maintenance to conduct the investigation.
Bancor exchange doesn’t operate as a classic exchange platform, it used a complex mechanism based on smart contracts running on the Ethereum platform to improve the speed of transactions compared with classic exchange platforms.
“With Bancor exchange, every transaction is executed directly against a smart contract. This means that converting a cryptocurrency does not require matching two parties in real-time with opposite wants; rather, it can be completed by a single party directly through the token’s smart contract.” reads the company.
The attackers gained the access to a company wallet to withdraw $12.5 million (24,984 Ether (ETH) from Bancor smart contracts and transfer the funds to a private wallet they controlled.
The attackers also withdrew 229,356,645 Pundi X (NPXS) ($1 million) from another wallet.
The attackers also withdrew 3,200,000 Bancor tokens (BNT) (roughly $10 million) that were obtained by Bancor last year as part of its ICO that raised over $150 million. Fortunately, a security feature in Bancor tokens allowed the company to freeze the transfers of funds making impossible for the hackers to move them to other wallets.
Here is the latest update on the recent security breach:
10:35 PM - Jul 9, 2018
505 people are talking about this
Twitter Ads info and privacy
“It is not possible to freeze the ETH and any other stolen tokens,” reads the statement published by Bancor.
“However, we are working together with dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for their thief to liquidate them.”
Bancor did not reveal how the hackers have breached its wallet and stolen the funds.