How Antivirus Software Can be the Perfect Spying Tool
10.1.2018 securityweek Virus
Your antivirus product could be spying on you without you having a clue. It might be intentional but legitimate behavior, yet (malicious) intent is the one step separating antivirus software from a cyber-espionage tool. A perfect one, experts argue.
Because we trust the antivirus to keep us safe from malware, we let it look at all of our files, no questions asked. Regardless of whether personal files or work documents, the antivirus has access to them all, which allows it to work as needed.
We do expect a security product to work in this manner, as most of them have been designed to scan all files on the system to detect any possible threats, and we accept this behavior as being part of our computer’s protection mechanism.
What if the very same features that are meant to protect us from threats become the threats themselves? Would it be possible for an antivirus application to be used as a spying tool, to flag documents of interest and exfiltrate them instead of keeping our files safe? The answer appears to be “Yes!”
"In order for AV to work correctly, it has to be plumbed into the system in such a way that it can basically see and control anything the system can do. Memory allocation, disk reads and writes, communication, etc... This means that it is essentially in the middle of all transactions within the OS. Therefore, it makes a pretty good candidate for take over and compromise,” Jason Kent, CTO at AsTech, told SecurityWeek via email.
In some cases, the data exfiltration, which is legitimate behavior, could result in unintended leakage, as would be the case with security programs that upload binaries to cloud-based multiscanners like Google’s VirusTotal. In an attempt to better assess whether files are malicious or not, these security tools end up leaking data if the analyzed files are accessible to the multiscanner’s subscribers.
But what if your antivirus was intentionally turned into a tool that could spy on you? Would that be possible without modifying the program itself? According to security researcher Patrick Wardle, it is possible.
To prove this and using the "Antivirus Hacker's Handbook" (Joxean Koret) as base for an experiment, he tampered with the virus signatures for Kaspersky Lab’s Internet Security for macOS and modified one of the signatures to automatically detect classified documents and mark them for collection. By modifying signatures instead of the antivirus engine, he didn’t alter the security application’s main purpose.
Wardle conducted his experiment on a Kaspersky product for an obvious reason: last year, reports suggested that the Russian-based security company’s software had been used to steal classified documents from a National Security Agency (NSA) contractor’s computer. The contractor took home sensitive data, including NSA exploits, and was apparently targeted by hackers after a Kaspersky product on his home computer flagged the files as malicious and sent them to the company’s server for further analysis.
In December 2017, the NSA contractor, Vietnam-born Nghia Hoang Pho, agreed to plead guilty to removing and retaining top-secret documents from the agency. Last week, another NSA contractor agreed to plead guilty after being accused of hoarding around 50 terabytes of NSA data and documents in his home and car over a 20-year period.
In September 2017, the United States Department of Homeland Security (DHS) ordered government departments and agencies to stop using Kaspersky products due to concerns regarding the company’s ties to Russian intelligence. Last month, Lithuania said it would ban Kaspersky Lab's products from computers managing key energy, finance and transport systems due to security concerns.
The anti-virus maker has continually denied any connections to the Russian government and even launched a new transparency initiative to clear its name. In December, the company sued the U.S. government over the product ban.
So far, no evenidence has been presented that shows any inappropriate connections between Kaspersky Lab and the Russian government.
In a technical analysis published last year, Kaspersky suggested the report might be referring to a 2014 incident where its antivirus worked as intended by flagging what appeared to be suspected Equation malware source code on a personal computer. The company said it had deleted the files from its servers but couldn’t confirm the NSA contractor was involved in the incident.
What Wardle decided to do was to find out whether the Moscow-based security company’s products can indeed be used to flag and exfiltrate classified documents. He successfully managed to modify a signature for his security product, despite the complex process Kaspersky employs for updating and deploying virus signatures onto the users’ computers.
And while he made the modifications locally, his experiment demonstrated that it is indeed possible to abuse anti-virus programs to spy on users. By modifying their signatures, antivirus programs can become “the absolute perfect cyber-espionage collection” tools. And this isn’t true about Kaspersky’s products only.
“Of course if an anti-virus company wanted to (or was forced to) they'd simply deploy a new signature likely to select clients (targets), in order to persistently detect such documents […]. I am confident without a doubt that any anti-virus product with collection capabilities could arbitrarily collect (exfiltrate) files flagged by their product,” Wardle noted.
The file collection capability is, of course, designed to support legitimate functionality of the product. Thus, for an antivirus product to become a spying tool, it would have to have an actor with malicious intent behind it.
“A malicious or willing insider within any anti-virus company, who could tactically deploy such a signature, would likely remain undetected. And of course, in a hypothetical scenario; any anti-virus company that is coerced to, or is willing to work with a larger entity (such as a government) would equally be able to stealthily leverage their product to detect and exfilitrate any files of interest,” Wardle concluded.
The researcher’s findings aren’t surprising and Kaspersky themselves said last week that “any malicious actor who gains administrative access to a computer could theoretically engage in file searching activity on the computer or subvert almost any application running on it (which is the type of activity that Kaspersky Lab products are designed to detect and prevent).”
SecurityWeek contacted Kaspersky for comment, but they redirected us to last week’s statement, saying that that is their official position.
Security experts contacted by SecurityWeek for perspective agree that antivirus products could potentially be used for nefarious purposes, if a malicious actor was involved. While the general consensus is that users wouldn’t even know if their antivirus was spying on them, it doesn’t mean that antivirus companies engage in such practices. Only that it would be possible to use their products in such a manner.
“AV vendors must be very careful to ensure they are never compromised. Imagine if I could control all of the AV installations at an enterprise. It would be possible to make all of those machines participate in a botnet or use the AV system to load additional code, such as Ransomware. This is conceptually possible as the engine and signatures are designed to be changed via an update process. Compromise there would be a very interesting thing for sure,” Kent told us.
Chris Morales, head of security analytics at San Jose, California-based Vectra Networks, agrees that antivirus products could be manipulated to find and exfiltrate sensitive documents. He also agrees that this could be the act of a malicious or willing insider at any antivirus company.
“AV vendors, as do many security vendors who perform malware scanning on the network and endpoint, have administrative level access to systems to scan files for malicious code. This scanning engine could be manipulated to look for sensitive documents and then upload them to the cloud analysis engine. This would most likely be someone at the vendor with malicious intent,” Morales told SecurityWeek in an emailed comment.
“Security vendors who perform cloud based analysis have to walk a very thin line and it is important that these vendors implement the proper controls to ensure they do not create the security hole for customers. I would say most vendors do a very good job of ensuring their processes are secure and would not cause a problem for the client. This does mean there is a level of trust in security vendors that clients need to validate and should be asking for a description of how their detection processes work,” Morales continued.
Chris Roberts, chief security architect at Santa Clara, Calif.-based threat protection firm, told SecurityWeek that it is a known fact that “Kaspersky is not the only tool that’s built into enterprises to be used against themselves for the fortunes of malicious intent.” Over the past couple of years, several endpoint detection tools have been revealed to have issues identifying problems and to include management techniques that can be turned against enterprises.
“So, yes, Kaspersky software can be used against the intended targets, we have established that. The mechanism is there, however, the INTENT is the issue. The analysis into IS it being used against organizations is the factor that is obviously in dispute. Late last year, the UK took the step to warn all agencies against deploying Kaspersky. The US has already taken that step, but in all honesty, IF we were to look at the plethora of endpoint detection/manipulation/management tools out there, we’d better remove 50% of them for the same insecurities and inabilities to protect the very end-users we’re trying to save,” Roberts says.
He also points out that most security software out there requires access to everything stored on a computer, not only one single product. “The others all being carefully kept out of the news in the hope we don’t all suddenly wake up and realize that everything designed to keep us safe is also designed to access our darkest secrets… and scour them for whatever we hope it’s meant to be finding… or what it WANTS to find,” Roberts continued.
Of course, there’s no proof that an antivirus program has been used for malicious intent, although it is clear that they could be used in such a manner. As Wardle puts it: “Please avoid jumping to the conclusion that this [is] something Kaspersky, or any other anti-virus company actually did!”
Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services; and there is no public evidence to suggest otherwise. Unfortunately, for the Moscow-based security company, this is a restult of the effect of geopolitics on cybersecurity.
Turla APT group’s espionage campaigns now employs Adobe Flash Installer and ingenious social engineering
10.1.2018 securityaffairs APT
Turla APT group’s espionage campaigns now employs Adobe Flash Installer and an ingenious social engineering technique, the backdoor is downloaded from what appears to be legitimate Adobe URLs and IP addresses.
Security researchers from ESET who have analyzed recent cyber espionage campaigns conducted by the dreaded Turla APT group reported that hackers leverage on malware downloaded from what appears to be legitimate Adobe URLs and IP addresses.
Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.
The list of victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.
The Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla.
In the most recent attacks, the group is packaging its macOS backdoor with a real Adobe Flash installer and downloading the malware on victim systems from endpoint systems that use a remote IP belonging to Akamai, the Content Delivery Network that is also used by Adobe for its supply chain. Legitimate Flash installer, in fact, are also distributed through the Akamai network.
“In recent months, we have observed a strange, new behavior, leading to compromise by one of Turla’s backdoors. Not only is it packaged with the real Flash installer, but it also appears to be downloaded from adobe.com.” reads the report published by ESET.
“From the endpoint’s perspective, the remote IP address belongs to Akamai, the official Content Delivery Network (CDN) used by Adobe to distribute their legitimate Flash
Researchers noted that Turla installers were exfiltrating information to get.adobe.com URLs since at least July 2016, data were sent back to legitimate URLs at Adobe.com. The download attempts observed by ESET observed were made through HTTP and not via HTTPS, the researchers state with confidence that Adobe was not compromised.
The social engineering technique adopted by Turla group to trick victims into believing they are downloading a legitimate software from Adobe server is very ingenious.
Data collected by the experts revealed that most of the victims belong to the former USSR, targeted entities include embassies and consulates located in East Europe.
At the time of the report is still unclear how the Turla APT group distributed the backdoor through Adobe.com.
Experts speculate that this is possible by compromising a machine on the victim’s network to perform a local man-in-the-middle attack. In this attack scenario, the threat actors redirect traffic from a target system through the compromised server and modifying it on the fly. Another possibility is to leverage on a compromised local gateway that could allow the attackers to potentially intercept and modify traffic for the whole organization.
Other attacks scenarios see Turla executing a man-in-the-middle attack at the ISP level, or BGP hijacking.
“We quickly discarded the hypothesis of a rogue DNS server, since the IP address corresponds to the servers used by Adobe to distribute Flash.” continues the report. “Thus, these are the hypotheses that remain: ➊ a Man-in-theMiddle
(MitM) attack from an already-compromised machine in the local network, ➋ a compromised gateway or proxy of the organization, ➌ a MitM attack at the Internet Service Provider (ISP) level or ➍ a Border Gateway Protocol (BGP) hijack to redirect the traffic to Turla-controlled servers a MitM attack at the Internet Service Provider (ISP) level or ➍ a Border Gateway Protocol (BGP) hijack to redirect the traffic to Turla-controlled servers.”
Researchers believe the most likely scenario sees attackers controlling the router for the traffic hijacking.
Such kind of attack is any way possible because the files are downloaded via HTTP, for this reason, it is important to avoid installing any update or software that was downloaded through unsecured connections.
Administrators must also check that Flash Player installers downloaded are properly signed with a valid Adobe certificate.
Further information, including the IOCs are included in the report published by ESET.
January 2018 Patch Tuesday security updates fix a zero-day vulnerability in MS Office
10.1.2018 securityaffairs Vulnerebility
Microsoft has released the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities including the zero-day vulnerability CVE-2018-0802 in MS Office.
Microsoft has released the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities including a zero-day vulnerability in MS Office. 16 security updates are rated as critical, 38 as important, 1 is rated moderate, and 1 is rated as low in severity. The security updates fix security vulnerabilities in Windows, Office, Internet Explorer, ChakraCore, Edge, ASP.NET, and the .NET Framework.
The January 2018 Patch Tuesday includes three special security advisories that address flaws related to Adobe Flash, Meltdown & Spectre vulnerabilities, an update for Office suite.
The zero-day vulnerability is a memory corruption flaw in Office tracked as CVE-2018-0802, in the past few months it had been actively exploited by multiple attackers in the wild. The vulnerability can be exploited for remote code execution by tricking the victim into opening a specially crafted malicious Word file in MS Office or WordPad.
The flaw was discovered by several experts from Tencent, Qihoo 360, ACROS Security’s 0Patch Team, and Check Point Software Technologies.
Security firm Check Point has published a detailed analysis of the flaw in a blog post including a video PoC of its exploitation.
The flaw is related the memory-corruption issue CVE-2017-11882 that affects all versions of Microsoft Office released in the past 17 years, it resides in the Equation Editor functionality (EQNEDT32.EXE) and was addressed by Microsoft in November.
The analysis of the flaw CVE-2017-11882 allowed the researchers at 0Patch to discover the CVE-2018-0802 fixed in the January 2018 Patch Tuesday.
Microsoft also addressed nine remote code execution and memory disclosure vulnerabilities in MS Office.
Microsoft also addressed an X509 certificate validation bypass vulnerability tracked as CVE-2018-0786 in .NET Framework (and .NET Core) that could be exploited by threat actors to show their invalid certificates as valid.
“Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.” states Microsoft.
The January 2018 Patch Tuesday also addresses a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer, the flaws could be exploited by a remote attacker for code execution by tricking the victim into opening a specially-crafted webpage that triggers a memory corruption error.
Finally, Microsoft also patched a flaw in Outlook for Mac (CVE-2018-0819, aka Mailsploit attack) that could be exploited by attackers to send emails with spoofed identities.
Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches
10.1.2018 securityweek Vulnerebility
Microsoft and Intel have shared more information on the performance impact of the patches released for the recently disclosed attack methods known as Spectre and Meltdown.
The Spectre and Meltdown exploits work on systems using CPUs from Intel, AMD and ARM, and they allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Patches and workarounds have been released by both hardware and software vendors, but they may introduce significant performance penalties.
Intel has insisted that average computer users – owners of typical home and business PCs – should not see any significant impact on performance during common tasks, such as reading emails, viewing photos or writing documents. Benchmark tests conducted by the company using SYSmark 2014 showed an impact of 6 percent or less for 8th Generation Core platforms with solid state storage.
All but two of currently supported Intel processors are said to be affected by the Spectre and Meltdown vulnerabilities. However, a technology called PCID (Process-Context Identifiers), which is present in newer processors, should lessen impact on performance.
Intel says it has yet to “build a complete picture of the impact on data center systems,” but points to statements from major vendors who have conducted tests.
Shortly after applying the Meltdown and Spectre patches to its Azure cloud platform, Microsoft said it had not seen any noticeable performance impact. The company noted that some users may experience networking performance impact, but that can be addressed using the Azure Accelerated Networking feature.
After conducting more tests, Microsoft pointed out that mitigations for Meltdown (CVE-2017-5754) and one of the Spectre flaws (CVE-2017-5753) have minimal performance impact, but the remediation for the second Spectre vulnerability (CVE-2017-5715) does introduce more significant performance penalties.
Specifically, Microsoft found that users running Windows 10 on newer chips (2016-era PCs with Skylake, Kabylake or newer CPUs) should not notice any slowdowns. While there are some single-digit performance penalties, they are reflected in milliseconds.
On the other hand, when running Windows 10, Windows 8 or Windows 7 on devices with older chips (2015-era PCs with Haswell or older CPUs), benchmark tests showed more significant penalties and users may actually notice a decrease in performance. On Windows 10, only some users should experience slowdowns, but on older versions of the operating system most users are expected to notice performance issues.
In the case of Windows Server, regardless of what type of chip is used, a more significant performance impact is expected after mitigations are applied, particularly in the case of IO-intensive applications. In the case of Windows Server, Microsoft has actually advised users to evaluate the risk of untrusted code running on their machines and “balance the security versus performance tradeoff” for their specific environment.
“For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel,” Microsoft explained.
Red Hat has also reported seeing measurable performance impact, ranging between 8 and 19 percent, for operations involving highly cached random memory.
Amazon said it had not observed any significant performance impact for the overwhelming majority of EC2 workloads, but some AWS customers have complained about degraded performance after the patches were applied starting with December.
Apple, which started performing tests after releasing updates in December, also said it had not seen any measurable reduction in the performance of macOS and iOS. Google also claimed to have observed negligible impact on performance after applying mitigations to its own systems.
Epic Games informed users recently that the CPU usage of its backend cloud services increased significantly after Meltdown mitigations were applied, which led to login issues and service instability.
Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day
10.1.2018 thehackernews Vulnerebility
If you think that only CPU updates that address this year's major security flaws—Meltdown and Spectre—are the only ones you are advised to grab immediately, there are a handful of major security flaws that you should pay attention to.
Microsoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office related that had been actively exploited by several threat groups in the wild.
Sixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework.
The zero-day vulnerability (CVE-2018-0802), described by Microsoft as a memory corruption flaw in Office, is already being targeted in the wild by several threat actor groups in the past few months.
The vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad.
According to the company, this security flaw is related to CVE-2017-11882—a 17-year-old vulnerability in the Equation Editor functionality (EQNEDT32.EXE), which Microsoft addressed in November.
When researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a blog post published by Check Point.
Besides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office.
A spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for MAC, which has been listed as publicly disclosed (Mailsploit attack), has also addressed by the company. The vulnerability does not allow some versions Outlook for Mac to handle the encoding and display of email addresses properly, causing antivirus or anti-spam scanning not to work as intended.
Microsoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to show their invalid certificates as valid.
"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose," describes Microsoft. "This action disregards the Enhanced Key Usage taggings."
The company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer.
All these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially-crafted webpage that triggers a memory corruption error, though none of these has been exploited in the wild yet.
Meanwhile, Adobe has patched a single, out of bounds read flaw (CVE-2018-4871) this month that could allow for information disclosure, though no active exploits have been seen in the wild.
Users are strongly advised to apply October security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.
For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.
Microsoft Patches Zero-Day Vulnerability in Office
10.1.2018 securityweek Vulnerebility
Microsoft’s January 2018 Patch Tuesday updates address more than 50 vulnerabilities, including a zero-day vulnerability in Office related to an Equation Editor flaw that has been exploited by several threat groups in the past few months.
The zero-day vulnerability, tracked as CVE-2018-0802, has been described by Microsoft as a memory corruption issue that can be exploited for remote code execution by getting targeted users to open a specially crafted file via Office or WordPad.
Microsoft has credited several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security’s 0Patch Team, and experts from Check Point Software Technologies for finding the flaw.
The security hole is related to CVE-2017-11882, a 17-year-old vulnerability in the Equation Editor (EQNEDT32.EXE), which the vendor addressed with the November 2017 Patch Tuesday updates. Based on how the patch was developed, experts believe Microsoft may have lost the application’s source code, which forced it to somehow patch the executable file directly.
Microsoft replaced the Equation Editor component in Office 2007, but kept the old one as well for compatibility reasons. The problematic component has now been removed from Office.
0Patch researchers have been analyzing CVE-2017-11882, which has likely led them to discovering a new, related vulnerability. Check Point has published a blog post with the details of CVE-2018-0802 and showed how an exploit works, but they have not mentioned any attacks.
This suggests that the Chinese researchers may have been the ones who spotted the vulnerability being exploited in attacks. This would not be the first time experts at Qihoo 360 witnessed the exploitation of an Office zero-day. Back in October, after Microsoft released a patch, they reported seeing CVE-2017-11826 being leveraged to deliver malware.
If CVE-2018-0802 is related to CVE-2017-11882, there is a long list of threat actors who may be exploiting it. CVE-2017-11882 has been exploited by Iranian cyberspies, the Cobalt hacking group, someone who uses TelegramRAT, and likely others.
Microsoft’s Patch Tuesday updates also address a spoofing vulnerability in Office for Mac that has already been publicly disclosed. Sixteen of the flaws resolved this month have been rated critical, a majority affecting the scripting engine used by the Edge and Internet Explorer web browsers.
Microsoft has also rated critical a Word vulnerability (CVE-2018-0797) that can be exploited for remote code execution using specially crafted RTF files.
Adobe’s Patch Tuesday updates for this month patch only one information disclosure vulnerability in Flash Player.
VirusTotal announced the availability of a visualization tool, dubbed VirusTotal Graph, designed to help with malware analysis.
10.1.2018 securityweek Virus
The VirusTotal Graph should allow investigators working with multiple reports at the same time, to try to pivot between multiple data points (files, URLs, domains and IP addresses). The observation of the connections across different samples of malware could allow investigators to collect more events from different cases.
“VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities.” states VirusTotal.
“It is common to pivot over many data points (files, URLs, domains and IP addresses) to get the full picture of your investigation, and this usually involves looking at multiple reports at the same time. We know this can be complicated when you have many open tabs, therefore, we’ve developed VirusTotal Graph.”
The tool VirusTotal Graph is based on VirusTotal’s data set and was designed to visualize them in a single graphical interface relationship between files, URLs, domains and IP addresses. The graph is navigable, making easier for malware researchers the investigation of malicious codes.
Analysts can build their own network by exploring and expanding each of the nodes in the graph.
The tool includes a search box, node summary section, node expansion section that allows correlation of the information from more entities, node action menu, detection dropdown, and a node list.
VirusTotal also allows users to save the graphs they generated, as well as to share their findings with other users. All saved graphs are public and also linked in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.
“We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution — expect to see some news around it soon,” VirusTotal concludes.
The complete documentation is available at
Virus Total also published two videos that shows main features implemented in the tool.
Microsoft: Meltdown and Spectre patches could cause noticeable performance slowdowns
10.1.2018 securityaffairs Vulnerebility
Microsoft officially confirmed that Meltdown and Spectre patches could cause noticeable performance slowdowns contrary to what initially thought.
Just after the disclosure of the Meltdown and Spectre vulnerabilities, many security experts argued that forthcoming patches will have a significant impact on the performance (30% degradation), but Intel pointed out that average users will not notice any difference.
“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.” continues Intel.
“While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.”
Intel confirmed that extensive testing conducted by tech giants (Apple, Amazon, Google, and Microsoft) to assess any impact on system performance from security updates did not reveal negative effects.
Unfortunately, someone has underestimated the problem and Microsoft Windows patches for the CPU flaws will cause noticeable performance degradation, with most severe impact on Windows servers as well as Windows 7 and 8 client machines.
Microsoft published a blog post that confirmed that Windows servers will experience noticeable performance slowdowns, as will Windows 7 and 8 client machines running older processors (2015-timeframe PCs with Haswell or older CPUs).
The good news is that newer Windows 10 platforms won’t experience perceptible performance degradation.
Below Microsoft’s findings related to performance degradation caused by the installation of Meltdown/Spectre patches.
With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
Microsoft announced it is working to solve the problem and the situation appears critical for Windows servers.
Microsoft has patched 41 of its 45 Windows versions and is going to release the remaining four issues as soon as possible.
Microsoft requires entire industry to work together to find the best possible solutions for customers affected by vulnerabilities like Spectre and Meltdown.
WPA3 to Bring Improved Wireless Security in 2018
9.1.2018 secrityweek Safety
Wi-Fi Alliance Announces WPA3, the Successor to Wi-Fi's WPA2 Security Protocol
The Wi-Fi Alliance -- comprising 15 major sponsor members (including Apple, Cisco, Dell, Intel, Microsoft, Qualcomm and more) and hundreds of contributing members -- has announced that WPA3 will be introduced during 2018.
WPA3 is not an immediate replacement for WPA2, which will continue to be maintained and enhanced. In particular, the Alliance will introduce new testing enhancements for WPA2 to reduce the potential for vulnerabilities caused by network misconfigurations; and will further safeguard managed networks with centralized authentication services.
New Wi-Fi Alliance WPA3 certified devices will take some time to filter into widespread use. Use of the new specification will require WPA3 devices and WPA3 routers -- and since the vast majority of home wi-fi users never buy a router but use the one supplied by their ISP, many users won't become WPA3 compatible before they change ISPs. That could take several years.
WPA3 Security ProtocolNevertheless, there are some welcome enhancements over the WP2 specification that has kept users largely, but not entirely, protected for around two decades.
Four new capabilities for both personal and enterprise networks have been announced. There are no technical details in the Wi-Fi announcement, leading to some conjecture over exactly how they will be introduced.
The first will be to provide "robust protections" even when the user fails to use a strong password. Mathy Vanhoef, the researcher who discovered the KRACK WPA2 vulnerability, has suggested on Twitter, "That means dictionary attacks no longer work. The handshake they're referring to is likely Simultaneous Authentication of Equals (SAE). Which is also called Dragonfly;" adding, "The standards behind WPA3 already existed for a while. But now devices are *required* to support them, otherwise they're won't receive the "WPA3-certified" label."
The second will simplify the process of configuring security on wi-fi devices that have limited or no display interface. The obvious use will be for small personal devices, like wearables such as smart watches -- but it could also play some role in improving the future security of the industrial internet of things.
The third will improve the security of open wi-fi hotspots -- such as cafes, hotels and airport lounges -- by giving each user individualized data encryption. On this, Vanhoef commented, "This might refer to Opportunistic Wireless Encryption: encryption without authentication." It won't make the use of wi-fi hotspots completely secure, but should go some way to reassuring security officers who know that corporate employees work from hotspots while traveling.
The fourth will be a 192-bit security suite aligned with the Commercial National Security Algorithm (CNSA) Suite, that will further protect wi-fi networks with higher security requirements; such as government, defense, and industrial.
We can expect that new WPA3 devices will start to appear over the next few months -- particularly since many of the manufacturers will be members of the Alliance. However, the devices will need wait for the launch of the Wi-Fi Alliance's formal certification process before they can be truly called such. The Wi-Fi Certified designation will be important to reassure buyers.
"Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi CERTIFIED family of security solutions," commented Edgar Figueroa, president and CEO of Wi-Fi Alliance. "The Wi-Fi CERTIFIED designation means Wi-Fi devices meet the highest standards for interoperability and security protections."
Microsoft Suspends CPU Flaw Patches for AMD Devices
9.1.2018 secrityweek Vulnerebility
Microsoft Will Not Deliver Security Updates to Devices With Incompatible Antiviruses
Users whose computers have AMD processors no longer receive the recent Windows updates designed to patch the Meltdown and Spectre vulnerabilities, and Microsoft has warned that some systems may not receive upcoming security updates if the antivirus running on them has not set a specific registry key.
Several individuals whose devices are powered by some AMD processors, particularly older models, complained that they had been unable to boot Windows 10 after installing KB4056892, an update released by Microsoft in response to flaws affecting Intel, AMD and ARM processors.
Many of those affected said their operating system froze during boot. Those who managed to restore their systems by reverting to a previous state needed to quickly disable automatic updates to prevent the patch from being reinstalled.
Some of the impacted users pointed out that since the risk of attacks against AMD CPUs is said to be low, they can wait for proper updates from Microsoft.
Microsoft has confirmed the issue, explaining that “some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”
The tech giant has decided to temporarily pause Windows updates to devices with impacted AMD processors. For those who have already installed the updates and are experiencing problems, Microsoft has provided some recommendations on how to fix the issue.
Microsoft’s advice for Windows 10 users includes starting the computer in safe mode and uninstalling recent updates, or restoring the system to an earlier point. Several users have complained, however, that they get an error when attempting to restore the system.
In addition to causing problems to Windows, the Spectre and Meltdown updates from Microsoft also break some applications, including the PulseSecure VPN and an Asus utility.
Security updates will not be delivered to devices with incompatible antiviruses
When Microsoft first released the updates designed to prevent Spectre and Meltdown attacks, the company warned that it had identified compatibility issues with some security products. It informed users that if they had not been offered the security updates, it may have been due to the failure of their antivirus to create a specific registry key.
Microsoft later also informed users that they may not receive any future security updates if their antivirus vendor does not address the problem.
Researcher Kevin Beaumont has been keeping track of which security vendors have implemented this requirement. As of Monday, a majority of firms had either released automatic fixes or made available instructions on how to manually create the required registry. The remaining vendors are working on fixes.
Microsoft noted that users who don’t rely on any antivirus will also need to manually create the registry key.
The role of the registry key is to prevent blue screen of death (BSOD) errors triggered due to compatibility issues when security products make unsupported calls to the Windows kernel memory. Microsoft says the requirement for the registry key will remain in place until the company is confident that a majority of consumers will not experience crashes due to the security updates.
Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw
9.1.2018 secrityweek Vulnerebility
Adobe’s Patch Tuesday updates for January 2018 resolve only an information disclosure vulnerability affecting Flash Player.
The flaw is tracked as CVE-2018-4871, it has been classified as “important,” and it has been assigned a priority rating of 2, which means it’s unlikely to be exploited in malicious attacks any time soon.
The security hole has been described as an out-of-bounds read issue that can lead to information exposure. It affects Flash Player 188.8.131.52 and earlier on Windows, Mac, Linux and Chrome OS, and it has been patched with the release of version 184.108.40.206. The patch will also be included in the next Chrome release and Microsoft’s Patch Tuesday updates.
Adobe says it has learned about the vulnerability from an anonymous researcher via Trend Micro’s Zero Day Initiative (ZDI).
The number of vulnerabilities discovered by researchers in Flash Player has dropped significantly in the past months after Adobe announced its intention to kill the application by 2020.
However, malicious actors are still finding and exploiting zero-day vulnerabilities in Flash. In October, shortly after Adobe announced that it had no Patch Tuesday updates, the company was forced to quickly release a fix for Flash Player after learning that a cyber espionage group from the Middle East had been leveraging a zero-day to deliver spyware.
The same vulnerability was later exploited by the Russia-linked group APT28 (also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team) in attacks aimed at government organizations and aerospace companies. Fortunately, this was apparently the only Flash Player zero-day exploited in 2017.
VirusTotal Launches Visualization Tool
9.1.2018 secrityweek Security
VirusTotal this week announced the availability of a visualization tool designed to help with malware investigations.
Dubbed VirusTotal Graph, the new tool is available at https://www.virustotal.com/graph/ or through a public report in the tool section (which requires a VirusTotal login).
The tool should make it easier for investigators who are working with multiple reports at the same time, attempting to pivot between multiple data points (files, URLs, domains and IP addresses), as such work would normally result in having multiple tabs opened, which could complicate operations.
“VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities,” VirusTotal notes.
Built on top of VirusTotal’s data set, the new tool was designed to “understand the relationship between files, URLs, domains and IP addresses” and to bring the necessary information on these five entity types (relationships are included) together on a single interface, thus making it easier to navigate.
Some of the features available for users include a search box (it even supports multiple indicators of compromise, via a Multi-entity search section), node summary section (summarizes the more relevant information), node expansion section (to correlate information from more than one entity), node action menu, detection dropdown (shows the number of AV detections), and node list (shows the list of all nodes in the panel).
The key elements of the VirusTotal Graph user interface will provide investigators not only with the most relevant information at a glance when clicking on a node, but also with the option to explore and expand each of the nodes in their graph, and build a network and observe connections across samples. Zooming in or out on a graph is also possible.
VirusTotal also allows users to save the graphs so they can access them at any time, as well as to share their findings with other users (generating permalinks to the graph is also possible). VirusTotal makes all saved graphs public and also linked in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.
Furthermore, with the help of VirusTotal Public or VirusTotal Intelligence report, users will be able to add labels and access in-depth reports.
“We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution -- expect to see some news around it soon,” VirusTotal concludes.
Additional information on the new tool is available on VirusTotal’s support page and in two YouTube videos providing tutorials on Files and Domains.
Wi-Fi Alliance launches WPA2 enhancements and announced WPA3
9.1.2018 secrityaffairs Safety
The Wi-Fi Alliance introduced several key improvements to the Wi-Fi Protected Access II (WPA2) security protocol and announced its successor WPA3.Wi-Fi security will be dramatically improved with the introduction of the WPA3 protocol.
The arrival of WPA3 protocol was announced on Monday by the Wi-Fi Alliance, it is the successor of WPA2 protocol for the security of Wi-Fi communication.
WPA3 will build on the core components of WPA2, anyway, the alliance plans to roll out three enhancements for WPA2 in the first part of the year.
“Wi-Fi Alliance is launching configuration, authentication, and encryption enhancements across its portfolio to ensure Wi-Fi CERTIFIED devices continue to implement state of the art security protections.” reads the announcement published by the Wi-Fi Alliance.
“Four new capabilities for personal and enterprise Wi-Fi networks will emerge in 2018 as part of Wi-Fi CERTIFIED WPA3”
The WPA2 is known to be vulnerable to KRACK attacks and DEAUTH attacks. The three key enhancements to the WPA2 protocol will address authentication, encryption, and configuration issues.
The Wi-Fi Alliance includes tech giants like Apple, Cisco, Intel, Qualcomm, and Microsoft it announced WPA3-certified devices for later 2018. They will include two features to improve protection when users choose weak passwords and simplify the choice of proper security settings on devices with limited or no interface screens.
Another feature will strengthen user privacy in open networks by using individualized data encryption. The last feature is a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, that will ensure the protection of Wi-Fi networks with higher security requirements such as government and defense.
“Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi CERTIFIED family of security solutions,” concluded Edgar Figueroa, president and CEO of Wi-Fi Alliance. “The Wi-Fi CERTIFIED designation means Wi-Fi devices meet the highest standards for interoperability and security protections.”
Further information will be made available once the WPA3 program will be launched.
Apple released patches to fix Spectre flaws in Safari, macOS, and iOS
9.1.2018 secrityaffairs Apple
Apple released iOS 11.2.2 software, a macOS High Sierra 10.13.2 supplemental update, and Safari 11.0.2 to fix Spectre flaws.
On Monday, Apple released patches to fix Spectre flaws in Safari, macOS, and iOS, the tech giant released iOS 11.2.2 software a macOS High Sierra 10.13.2 supplemental update. The patches also fixed vulnerabilities in Apple WebKit, the web browser engine used by Safari, Mail, and App Store.
The security updates issued by Apple aim to mitigate the two known methods for exploiting Spectre identified as “bounds check bypass” (CVE-2017-5753/Spectre/v1) and “branch target injection” (CVE-2017-5715/Spectre/v2).
Just after the disclosure of the Meltdown and Spectre attacks, Apple released security updates (iOS 11.2, macOS and tvOS 11.2) to protect its systems against Meltdown attacks.
Apple now released the following security updates:
macOS High Sierra 10.13.2 supplemental;
Safari 11.0.2 that is available for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6;
iOS 11.2.2 available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation;
After the disclosure of the flaws, security experts pointed out that the Spectre vulnerability is very hard to patch, but fortunately, the exploitation is much more difficult than Meltdown.
Another worrisome aspect of the Spectre attacks is that it breaks the isolation between different applications opening the door to remote attacks, for example, an attacker can remotely bypass sandboxing mechanism implemented by modern browsers.
Každý den kolují internetem statisíce virů
9.1.2018 Novinky/Bezpečnost Analýzy
Bezpečnostní odborníci z antivirové společnosti Kaspersky Lab spočítali, že každý den koluje internetem rekordních 360 000 virů. Toto číslo je alarmující i s ohledem na to, že o rok dříve to bylo o 11,5 % méně. Uživatelé by tak nejrůznější počítačové hrozby rozhodně neměli podceňovat.
Aktivita počítačových pirátů v kyberprostoru se zkrátka neustále zvyšuje, jak je ze statistik patrné. Například v roce 2011 kolovalo internetem pouze 70 000 škodlivých souborů denně. Od té doby prakticky každý rok počet virů pouze roste, v současnosti dosahuje pětinásobku původní hodnoty.
V uplynulých měsících se přitom nejčastěji šířily vyděračské viry z rodiny ransomware.
„V průběhu posledních dvou let jsme zaznamenali enormní nárůst počtu útoků ransomwarem. Předpokládáme, že tento trend bude i nadále pokračovat, protože za vývojem ransomwaru stojí obrovský zločinný ekosystém, který denně produkuje stovky nových hrozeb,“ prohlásil Vyacheslav Zakorzhevsky, vedoucí anti-malwarového týmu ve společnosti Kaspersky Lab.
Jak probíhá útok vyděračského viru
Útoky vyděračských virů probíhají prakticky vždy na chlup stejně. Nejprve zašifrují záškodníci všechna data uložená na pevném disku. Za jejich zpřístupnění pak útočníci požadují výkupné, a to klidně i několik tisíc korun.
Kyberzločinci se zpravidla snaží v majiteli napadeného stroje vzbudit dojem, že se ke svým souborům dostane po zaplacení pokuty. Ta byla údajně vyměřena za používání nelegálního softwaru apod. I proto jim celá řada lidí již výkupné zaplatila.
Ani po zaplacení výkupného se ale uživatelé ke svým datům nedostanou. Místo placení výkupného je totiž nutné virus z počítače odinstalovat. Zpřístupnit nezálohovaná data je už ale ve většině případů nemožné.
„Minulý rok se také výrazně rozšířily minery. Tento malware začali kyberzločinci využívat ve vyšší míře především proto, že stoupala obliba kryptoměn. V neposlední řadě stojí za zvyšujícím se počtem každodenně detekovaných škodlivých souborů i zlepšující se bezpečnostní technologie. Díky každé nové aktualizaci jsme schopni detekovat více druhů malwaru, a tím pádem stoupá i počet objevených hrozeb,“ uzavřel Zakorzhevsky.