Posted 11/14/19 1:33pm
Symantec addressed a local privilege escalation flaw that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2.

Symantec addressed a local privilege escalation flaw, tracked as CVE-2019-12758, that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2. The vulnerability could be exploited by an attacker already on the machine to run arbitrary code inside a Symantec-signed service with SYSTEM privileges.

The issue is similar to the DLL-loading flaws that SafeBreach Labs researchers have reported in antivirus products from several other vendors, including McAfee, Trend Micro, Check Point, Bitdefender, AVG and Avast.

The flaws could allow attackers to bypass the self-defense mechanism of the antivirus solutions and deliver persistent malicious payloads.

Like other DLL hijacking issues in security solutions, the Symantec Endpoint Protection flaw can only be exploited by an attacker who already holds Administrator privileges, since planting a file under C:\Windows\SysWOW64 requires them. Its practical value is therefore not crossing a privilege boundary but bypassing the product's self-defense: code loaded into a signed, SYSTEM-level service of the antivirus runs under the product's own protections and survives reboots.

“This vulnerability could have been used in order to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process which is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.” reads the advisory published by SafeBreach.

“we found a service (SepMasterService) of the Symantec Endpoint Protection which is running as signed process and as NT AUTHORITY\SYSTEM, which is trying to load the following DLL which doesn’t exist: c:\Windows\SysWOW64\wbem\DSPARSE.dll”

In Symantec's case, the researchers found that the SepMasterService service, which runs as a signed process under NT AUTHORITY\SYSTEM, attempts to load a DLL from a path where no such file exists: c:\Windows\SysWOW64\wbem\DSPARSE.dll.

The researchers tested the flaw by compiling an unsigned 32-bit proxy DLL out of the original dsparse.dll, which writes the name of the process that loaded it, the user that executed it and the DLL's own file name to a log. They then implanted it in C:\Windows\SysWow64\Wbem and restarted the computer:

“We were able to load an arbitrary Proxy DLL (which loaded another arbitrary DLL) and execute our code within a service’s process which is signed by Symantec Corporation as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continues the analysis.

“There are two root causes for this vulnerability:

  • No digital signature validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.
  • The fastprox.dll library is trying to import the dsparse.dll from its current working directory (CWD), which is C:\Windows\SysWow64\Wbem, while the file is actually located in the SysWow64 folder.”

Symantec addressed the flaw with the release of the Symantec Endpoint Protection 14.2 RU2 on October 22, 2019.

“The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the services are being loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time it is restarted.” concludes SafeBreach.


Pierluigi Paganini

(SecurityAffairs – Symantec Endpoint Protection, hacking)

The post Experts found privilege escalation issue in Symantec Endpoint Protection appeared first on Security Affairs.

[Category: Breaking News, Hacking, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News, Symantec Endpoint Protection]

Posted 11/14/19 7:40am
Security vulnerabilities in Qualcomm's TEE could allow attackers to steal private data from hundreds of millions of devices, mostly Android smartphones.

Security experts from Check Point have discovered security flaws in Qualcomm's TrustZone implementation that could be exploited by attackers to steal private data from the so-called Secure World.

TrustZone is a security extension that ARM integrates into its Cortex-A processors; it splits the CPU into a Normal World, where the main operating system runs, and an isolated Secure World that the applications processor can call into for sensitive operations.

ARM TrustZone is present in practically all modern mobile devices, and the most popular commercial Trusted Execution Environment (TEE) implementations built on it are:

  • Qualcomm's Secure Execution Environment (QSEE), used on Pixel, LG, Xiaomi, Sony, HTC, OnePlus, Samsung and many other devices.
  • Trustonic's Kinibi, used on Samsung devices for the European and Asian markets.
  • HiSilicon's Trusted Core, used on most Huawei devices.

The flaws affect the first of the above implementations, the Qualcomm’s Secure Execution Environment (QSEE).

QSEE is a hardware-backed enclave that protects sensitive information (e.g. private encryption keys, passwords, payment card credentials) and offers a separate secure environment for executing Trusted Applications (trustlets).

“TEE code is highly critical to bugs because it protects the safety of critical data and has high execution permissions. A vulnerability in a component of TEE may lead to leakage of protected data, device rooting, bootloader unlocking, execution of undetectable APT, and more.” reads the analysis published by Check Point. “Therefore, a Normal world OS restricts access to TEE components to a minimal set of processes. Examples of privileged OS components are DRM service, media service, and keystore . However, this does not reduce researchers’ attention to the TrustZone.”

The experts reverse-engineered Qualcomm's Secure World operating system and used a custom-made fuzzing tool to find the vulnerabilities.

“We can now execute a trusted app in the Normal world. We found a way to load a patched version of signed trustlet in the Secure world and adapted the CPU emulator to communicate with it. In other words, we emulated a trustlet’s command handler on the Android OS. All that’s left to do is to repeatedly call the command handler with different inputs generated on the basis of code coverage metrics. The QEMU emulator can be used to produce such metrics.” reads the analysis. “The prepared fuzzer easily found that the prov trustlet can be crashed by the following packet.”

Figure: Qualcomm fuzzer

The experts used the fuzzing tool to test trusted code on Samsung, LG and Motorola devices and found the following vulnerable trustlets shipped by Samsung, Motorola and LG:

  • dxhdcp2 (LVE-SMP-190005)
  • sec_store (SVE-2019-13952)
  • authnr (SVE-2019-13949)
  • esecomm (SVE-2019-13950)
  • kmota (CVE-2019-10574)
  • tzpr25 (acknowledged by Samsung)
  • prov (Motorola is working on a fix)

Beyond the individual bugs, Check Point's technique also allowed the researchers to:

  • execute trusted apps in the Normal World (Android OS),
  • load patched trusted app into the Secure World (QSEE),
  • bypass the Qualcomm’s Chain Of Trust,
  • adapt the trusted app for running on a device of another manufacturer.

Check Point reported the kmota vulnerability (CVE-2019-10574) to Qualcomm in June; Qualcomm addressed it only a day before the research was published.

The security firm also disclosed its findings to all affected vendors; some of them, including LG, Samsung and Qualcomm, have already released patches.


Pierluigi Paganini

(SecurityAffairs – mobile, Qualcomm)

The post Flaws in Qualcomm chips allow stealing private data from devices appeared first on Security Affairs.

[Category: Breaking News, Hacking, Mobile, hacking news, information security news, Pierluigi Paganini, Qualcomm, Security Affairs, Security News]

Posted 11/14/19 4:49am
APT33, the Iran-linked APT group, has been using multiple layers of obfuscation to run a dozen live C2 servers for extremely targeted attacks.

APT33, the Iran-linked APT group, has been using multiple layers of obfuscation to run a dozen live C2 servers involved in extremely targeted malware attacks.

The campaigns targeted organizations in the Middle East, the U.S. and Asia.

The APT33 group has been active since at least 2013. Since mid-2016 it has targeted the aviation industry and energy companies with connections to petrochemical production; most of the targets were in the Middle East, others in the U.S., South Korea and Europe.

The nation-state actors are using small botnets composed of up to a dozen infected computers to gain persistence within the target networks.

“The malware is rather basic, and has limited capabilities that include downloading and running additional malware.” reads the analysis published by Trend Micro. “Among active infections in 2019 are two separate locations of a private American company that offers services related to national security, from a university and a college in the U.S., a victim most likely related to the U.S. , and several victims in the Middle East and Asia.”

According to a report published by Recorded Future in July, the Iran-linked APT33 updated its infrastructure after the publication of a report detailing its activities.

The APT group recently targeted organizations in the oil and aviation industries, a private American company that offers services related to national security, victims connected to a university and a college in the US, a victim most likely related to the US military, and several entities in the Middle East and Asia.

While investigating the attacks, the experts from Trend Micro collected useful information to understand how APT33 manages its hacking infrastructure.

Figure: APT33 infection chain

The command-and-control infrastructure was layered and isolated to stay under the radar and to make investigation and takedown by security firms and law enforcement harder.

The diagram shows that the group routes its operator traffic through a VPN layer built from its own custom network of VPN nodes: APT33 was running a private VPN network rather than relying only on commercial services.

“Threat actors often use commercial VPN services to hide their whereabouts when administering C&C servers and doing reconnaissance. But besides using VPN services that are available for any user, we also regularly see actors using private VPN networks that they set up for themselves.” continues the post. “APT33 likely uses its VPN exit nodes exclusively. We have been tracking some of the group’s private VPN exit nodes for more than a year and we have listed known associated IP addresses in the table below. “

Trend Micro has been tracking some of the group's private VPN exit nodes for more than a year; the IP addresses associated with the group's activity are listed below.

IP address        First seen  Last seen
5.135.120.57      12/4/18     1/24/19
5.135.199.25      3/3/19      3/3/19
31.7.62.48        9/26/18     9/29/18
51.77.11.46       7/1/19      7/2/19
54.36.73.108      7/22/19     10/05/19
54.37.48.172      10/22/19    11/05/19
54.38.124.150     10/28/18    11/17/18
88.150.221.107    9/26/19     11/07/19
91.134.203.59     9/26/18     12/4/18
109.169.89.103    12/2/18     12/14/18
109.200.24.114    11/19/18    12/25/18
137.74.80.220     9/29/18     10/23/18
137.74.157.84     12/18/18    10/21/19
185.122.56.232    9/29/18     11/4/18
185.125.204.57    10/25/18    1/14/19
185.175.138.173   1/19/19     1/22/19
188.165.119.138   10/8/18     11/19/18
193.70.71.112     3/7/19      3/17/19
195.154.41.72     1/13/19     1/20/19
213.32.113.159    6/30/19     9/16/19
216.244.93.137    12/10/18    12/21/18

The private VPN exit nodes were used to send commands to the malware as well as for reconnaissance of networks relevant to the supply chain of the oil industry and to military hospitals in the Middle East.

“APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry,” concludes Trend Micro. “We recommend companies in the oil and gas industry to cross-relate their security log files with the IP addresses listed above.”
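Trend Micro's advice above is to cross-relate your own logs with the exit-node list. The script below is an added example, not Trend Micro's code: it embeds the indicator table with its first-seen/last-seen dates, parses a constructed connection-log format (timestamp, source IP, destination IP, action; the sample lines are made up for the example and are not real traffic), and reports every contact with an indicator, flagging whether it falls inside the window in which Trend Micro observed that node.

```powershell
# Added example (not Trend Micro's code): cross-relate connection logs against the APT33 VPN
# exit-node indicators listed above. The log format is a constructed one for this example,
# "<ISO-8601 UTC timestamp> <src IP> <dst IP> <action>"; adapt the field split to your own logs.
$Culture = [cultureinfo]::InvariantCulture

# Indicator list as published by Trend Micro (first seen / last seen, M/d/yy).
$Apt33ExitNodes = @'
IP,FirstSeen,LastSeen
5.135.120.57,12/4/18,1/24/19
5.135.199.25,3/3/19,3/3/19
31.7.62.48,9/26/18,9/29/18
51.77.11.46,7/1/19,7/2/19
54.36.73.108,7/22/19,10/05/19
54.37.48.172,10/22/19,11/05/19
54.38.124.150,10/28/18,11/17/18
88.150.221.107,9/26/19,11/07/19
91.134.203.59,9/26/18,12/4/18
109.169.89.103,12/2/18,12/14/18
109.200.24.114,11/19/18,12/25/18
137.74.80.220,9/29/18,10/23/18
137.74.157.84,12/18/18,10/21/19
185.122.56.232,9/29/18,11/4/18
185.125.204.57,10/25/18,1/14/19
185.175.138.173,1/19/19,1/22/19
188.165.119.138,10/8/18,11/19/18
193.70.71.112,3/7/19,3/17/19
195.154.41.72,1/13/19,1/20/19
213.32.113.159,6/30/19,9/16/19
216.244.93.137,12/10/18,12/21/18
'@ | ConvertFrom-Csv | ForEach-Object {
    [pscustomobject]@{
        IP        = $_.IP
        FirstSeen = [datetime]::ParseExact($_.FirstSeen, 'M/d/yy', $Culture)
        LastSeen  = [datetime]::ParseExact($_.LastSeen,  'M/d/yy', $Culture)
    }
}

function Find-Apt33Contacts {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [object[]] $Indicators = $Apt33ExitNodes
    )
    $byIp = @{}
    foreach ($i in $Indicators) { $byIp[$i.IP] = $i }

    foreach ($line in $LogLines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 4) { continue }          # skip malformed lines
        $ts = [datetime]::Parse($fields[0], $Culture,
                [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        # Check both endpoints: the nodes were used for outbound C&C and for inbound reconnaissance.
        foreach ($ip in $fields[1], $fields[2]) {
            if (-not $byIp.ContainsKey($ip)) { continue }
            $ioc = $byIp[$ip]
            [pscustomobject]@{
                Timestamp = $ts
                Indicator = $ip
                Direction = if ($ip -eq $fields[2]) { 'outbound' } else { 'inbound' }
                Action    = $fields[3]
                # Inside Trend Micro's observed window for that node. Contacts outside the window
                # still deserve a look, since VPN infrastructure is routinely reused.
                InWindow  = ($ts.Date -ge $ioc.FirstSeen -and $ts.Date -le $ioc.LastSeen)
                Line      = $line
            }
        }
    }
}

# Constructed sample log lines (not real traffic).
$sample = @(
    '2019-07-23T10:12:44Z 10.0.5.17 54.36.73.108 ALLOW'    # outbound, inside the window
    '2019-11-12T03:02:10Z 10.0.5.18 54.37.48.172 DENY'     # outbound, after the last-seen date
    '2018-12-05T22:40:01Z 5.135.120.57 10.0.9.4 ALLOW'     # inbound contact from an exit node
    '2019-11-12T03:05:00Z 10.0.5.18 93.184.216.34 ALLOW'   # no match
)
Find-Apt33Contacts -LogLines $sample |
    Format-Table Timestamp, Indicator, Direction, Action, InWindow -AutoSize
```

On the sample input the first three lines are reported (the second with InWindow false, because the node's last-seen date is 11/05/19) and the fourth is not. A denied connection to an indicator is still a finding: it shows something inside the network tried to reach the node.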


Pierluigi Paganini

(SecurityAffairs – APT33, VPN)

The post Tracking Iran-linked APT33 group via its own VPN networks appeared first on Security Affairs.

[Category: APT, Breaking News, Hacking, Malware, APT33, malware, Pierluigi Paganini, Security Affairs, Security News, state-sponsored hacking]

Posted 11/14/19 3:46am
The Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) are divided over the ban of Huawei 5G technology.

The Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) are divided over whether to ban Huawei 5G technology. Canada, along with the US, the UK, New Zealand and Australia, forms the so-called Five Eyes intelligence alliance.

In November 2018, The Wall Street Journal reported that the US Government urged its allies to exclude Huawei from critical infrastructure and 5G architectures.

Currently, the Chinese supplier is already barred from bidding on government contracts and from supplying core network equipment.

According to a Globe and Mail report published Wednesday, the Canadian government asked the intelligence agencies to evaluate the risks of adopting Huawei 5G equipment in the national telecommunications infrastructure. The agencies were also tasked with evaluating the economic impact on Canadian telecoms and consumers of blacklisting and replacing Huawei equipment.

The Globe and Mail revealed that according to an unnamed source, the CSIS and the CSE have a different opinion on the ban of Huawei 5G technology.

While CSE suggests a full ban of Huawei 5G equipment from the national infrastructure, CSIS believes the risks associated with deploying the Chinese technology can be mitigated with effective validation and monitoring of the equipment.

“The office of the minister of public safety, Ralph Goodale, declined to comment on Huawei specifically as it relates to its evaluation of emerging 5G technologies.” reported the AFP press.

“But it said in a statement that the government’s review “includes the careful consideration of our allies’ advice” and it “will ensure that our networks are kept secure.””

The relationship between the Chinese and Canadian governments deteriorated after the arrest in Vancouver, in December 2018, of a senior Huawei executive on a US warrant, and the subsequent arrest of two Canadian citizens in apparent retaliation.

Experts pointed out that a ban could cost Canadian telecom firms millions of dollars; two of the largest wireless carriers in the country, Bell and Telus, plan to use Huawei equipment in their upcoming 5G infrastructure.

Rogers, the nation's top carrier, has announced it will use 5G equipment from Ericsson.


Pierluigi Paganini

(SecurityAffairs – Huawei 5G, cyberespionage)

The post Canadian intelligence agencies CSE and CSIS are divided on Huawei 5G ban appeared first on Security Affairs.

[Category: Breaking News, Intelligence, Security, 5G, China, Huawei 5G, information security news, Pierluigi Paganini, Security Affairs, Security News]

Posted 11/14/19 1:28am
McAfee addressed a vulnerability in its antivirus software that could allow an attacker to escalate privileges and execute code with SYSTEM privileges.

Security experts at SafeBreach have discovered a vulnerability in McAfee antivirus software tracked as CVE-2019-3648 that could allow an attacker with Administrator privileges to escalate privileges and execute code with SYSTEM privileges.

The flaw impacts McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP) and McAfee Internet Security (MIS), all versions up to and including 16.0.R22.

The CVE-2019-3648 flaw could be exploited by attackers to load unsigned DLLs into multiple services that run as NT AUTHORITY\SYSTEM.

“This vulnerability could have been used in order to bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.” reads the analysis published by SafeBreach.

“Multiple parts of the software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions.” continues the analysis. “This vulnerability can be exploited to achieve arbitrary code execution within the context of multiple McAfee services, gaining access with NT AUTHORITY\SYSTEM level privileges.”

The experts discovered that multiple McAfee services try to load a library from the path c:\Windows\System32\wbem\wbemcomn.dll. That file cannot be found there because the legitimate wbemcomn.dll lives in System32, not in the System32\Wbem folder.

An attacker with write access to the wbem folder can therefore drop a malicious DLL named wbemcomn.dll there and have the services load it.

Experts explained that it is possible to bypass the self-defense mechanism of the antivirus because the antivirus doesn’t validate digital signature of the DLL file.

The researchers tested the flaw by compiling a proxy DLL (unsigned) out of the original wbemcomn.dll DLL file, which writes the name of the process which loaded it, the username which executed it and the name of the DLL file. Then the experts implanted it in C:\Windows\System32\Wbem, and restarted the computer:

“We were able to load an arbitrary DLL and execute our code within multiple processes which are signed by McAfee, LLC as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continues the analysis.

The experts reported the flaw to McAfee in August; on November 12 McAfee published a security advisory and released a patch. McAfee said it is not aware of the vulnerability being exploited in the wild.

SafeBreach discovered similar issues in other security solutions from other vendors, including Trend Micro, Check Point, Bitdefender, AVG and Avast.
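Both the Symantec (dsparse.dll under SysWOW64\wbem) and McAfee (wbemcomn.dll under System32\wbem) cases above share one shape: a SYSTEM service looks for a DLL in a wbem directory where it does not normally exist, and a file planted there with the right name wins. The script below is an added example, not SafeBreach's or either vendor's code: it walks the two wbem directories, checks every DLL's Authenticode status, and flags any file that is unsigned, that carries one of the two names from the advisories, or that shadows a same-named DLL in its parent directory (System32 or SysWOW64). The directory defaults and the `Get-AuthenticodeSignature` usage are standard Windows PowerShell; nothing else is assumed.

```powershell
# Added example (not SafeBreach's, Symantec's or McAfee's code): hunt for planted DLLs in the
# two wbem directories named in the advisories. A DLL inside wbem that shadows a same-named
# DLL in its parent directory (System32 or SysWOW64) is exactly the pattern that dsparse.dll
# and wbemcomn.dll were abused through, and no DLL there should be unsigned.
function Test-WbemDllPlanting {
    param(
        [string[]] $Directories = @("$env:SystemRoot\System32\wbem", "$env:SystemRoot\SysWOW64\wbem")
    )
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $parent = Split-Path -Path $dir -Parent          # System32 or SysWOW64
        foreach ($dll in Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Path          = $dll.FullName
                Status        = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
                IsOSBinary    = $sig.IsOSBinary             # true for catalog-signed Windows components
                Signer        = $signer
                ShadowsParent = (Test-Path -LiteralPath (Join-Path $parent $dll.Name))
                Created       = $dll.CreationTime
            }
        }
    }
}

# The two file names from the advisories are matched explicitly so a planted copy is
# unmistakable; anything else that is unsigned or shadows a parent-directory DLL is worth triage.
$knownBait = @('dsparse.dll', 'wbemcomn.dll')
Test-WbemDllPlanting |
    Where-Object {
        $_.Status -ne 'Valid' -or $_.ShadowsParent -or ($knownBait -contains (Split-Path -Path $_.Path -Leaf))
    } |
    Format-Table Path, Status, IsOSBinary, ShadowsParent, Created, Signer -AutoSize
```

Run it from an elevated prompt so every file is readable. Windows' own DLLs in wbem are catalog-signed, which `Get-AuthenticodeSignature` resolves on supported Windows versions, so a `Status` other than `Valid` on a file with `IsOSBinary` false is the interesting case. For continuous coverage the same condition maps directly onto a Sysmon Event ID 7 (image load) rule: an image loaded from a `\wbem\` path whose `Signed` field is false, which catches the load itself rather than only the file on disk.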


Pierluigi Paganini

(SecurityAffairs – McAfee, hacking)

The post CVE-2019-3648 flaw in all McAfee AV allows DLL Hijacking appeared first on Security Affairs.

[Category: Breaking News, Hacking, DLL hijacking, information security news, McAfee, Pierluigi Paganini, Security Affairs, Security News]

Posted 11/13/19 1:24pm
Eclypsium experts found a vulnerability affecting Intel's widely distributed PMx driver (PMxDrv) that can give malicious actors deep access to a device.

In August, Eclypsium researchers found multiple serious vulnerabilities in more than 40 device drivers from around 20 vendors, including AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro and Toshiba.

The experts warn that the vulnerabilities can be exploited by attackers to deploy persistent backdoors on vulnerable systems.

They also pointed out that, since they reported the issues, only Intel and Huawei have addressed them with patches and advisories, while Insyde and Phoenix provided patches to their OEM customers.

According to Eclypsium, Intel's fix addresses a vulnerability in its PMx driver (PMxDrv). The driver exposes to its callers a superset of the dangerous capabilities seen across the whole set of flawed drivers: reading and writing physical memory, model-specific registers, control registers, the IDT and GDT descriptor tables and debug registers, plus arbitrary I/O port and PCI access, which amounts to full control of the device.

“This level of access can provide an attacker with near-omnipotent control over a victim device. Just as importantly, this capability has been included as a staple component of many Intel ME and BIOS related toolsets going back to 1999.” reads the analysis published by Eclypsium. “Ironically, the very tool released by Intel to detect and mitigate a recent AMT vulnerability included the vulnerable driver as part of the toolset used to solve the AMT issue.”

Experts recommend users and organizations to enable Hypervisor-protected Code Integrity (HVCI) for devices that support the feature.

HVCI depends on processor features such as mode-based execution control (MBEC), which Intel introduced with its 7th-generation processors, so it cannot be enabled on many devices in the field.
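Before rolling HVCI out, a practitioner wants to know whether a given machine is already running it and whether its CPU advertises MBEC. The script below is an added example, not Eclypsium's code: it reads the Win32_DeviceGuard CIM class and, only when invoked with `-Apply`, writes the documented DeviceGuard registry values that turn HVCI on after a reboot. The numeric property values (VirtualizationBasedSecurityStatus 2 = running, SecurityServices value 2 = HVCI, AvailableSecurityProperties value 7 = MBEC) follow Microsoft's Win32_DeviceGuard documentation; the registry paths are the documented manual-enablement keys.

```powershell
# Added example (not Eclypsium's code): report whether virtualization-based security (VBS) and
# HVCI are running and whether the CPU advertises Mode Based Execution Control (MBEC), and
# optionally set the registry values that enable HVCI. Run elevated; without -Apply it only reports.
param([switch] $Apply)

function Get-HvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = VBS running
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)     # 2 = HVCI
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
        MbecAvailable  = ($dg.AvailableSecurityProperties -contains 7)    # 7 = MBEC
    }
}

function Enable-Hvci {
    # Writes the documented registry values; they take effect after a reboot, and only if the
    # hypervisor can start (VT-x/AMD-V with SLAT, and ideally Secure Boot).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci = Join-Path $base 'Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $hvci -Force | Out-Null
    Set-ItemProperty -Path $base -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $hvci -Name 'Enabled' -Value 1 -Type DWord
    # Locked = 0 leaves the setting changeable from the OS. Set it to 1 only after validating that
    # every driver in the fleet loads under HVCI: a UEFI lock needs console access to undo.
    Set-ItemProperty -Path $hvci -Name 'Locked' -Value 0 -Type DWord
}

$state = Get-HvciState
$state | Format-List

if ($state.HvciRunning) {
    Write-Host 'HVCI is already running.'
} elseif (-not $state.MbecAvailable) {
    Write-Warning 'CPU does not advertise MBEC; HVCI is unlikely to be available on this device.'
} elseif ($Apply) {
    Enable-Hvci
    Write-Host 'HVCI enabled in the registry; reboot to apply.'
} else {
    Write-Host 'HVCI is not running but the hardware supports it; re-run with -Apply to enable.'
}
```

The reason to check MBEC rather than just flipping the registry value is the caveat above: on hardware without it HVCI either fails to start or falls back to a much slower path, and a fleet-wide push would silently leave those machines unprotected. Old signed-but-dangerous drivers like PMxDrv remain loadable until they are blocklisted, so this check complements, rather than replaces, the driver block discussed next.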

The only universally available option is to block or blocklist old, known-bad driver versions.

“The only universally available option possible today is to block or blacklist old, known-bad drivers. To this end, we would like to specifically commend the response of Insyde Software, a UEFI firmware vendor. Of the 19 vendors we notified early this summer, Insyde is the only vendor to date to proactively contact Microsoft and ask that the old version of the driver be blocked.” concludes the report. “Due to this request, Windows Defender will proactively quarantine the vulnerable version of the driver so it can’t cause damage to the system.”


Pierluigi Paganini

(SecurityAffairs – PMx Driver, hacking)

The post A flaw in PMx Driver can give hackers full access to a device appeared first on Security Affairs.

[Category: Breaking News, Hacking, hacking news, information security news, Pierluigi Paganini, PMx Driver, Security Affairs, Security News]

Posted 11/13/19 8:39am
ZombieLoad 2, aka TSX Asynchronous Abort, is a new flaw affecting the latest Intel CPUs that can be exploited through a TSX-based speculative execution attack.

ZombieLoad 2, aka TSX Asynchronous Abort (TAA), is a new vulnerability tracked as CVE-2019-11135 that affects the latest Intel CPUs and can be exploited through a TSX-based speculative execution attack.

The flaw lies in the Transactional Synchronization Extensions (TSX) feature of Intel processors; it can be exploited by local malicious code to steal sensitive data from other processes and from the operating system kernel.

The ZombieLoad 2 attack also targets the speculative execution implemented in modern CPU to improve performance.

In past months, security researchers devised several speculative-execution side-channel attacks of the Microarchitectural Data Sampling (MDS) class: RIDL (Rogue In-Flight Data Load), Fallout and ZombieLoad.

Unlike Meltdown, Spectre and Foreshadow, MDS attacks target data in flight through the CPU's microarchitectural buffers rather than data at rest in memory or caches.

The news is that a new variant of the ZombieLoad attack also affects processors in Intel's Cascade Lake family, which were not affected by the original MDS attacks.

The ZombieLoad 2 attack only affects CPUs supporting the Intel TSX instruction-set extension, which Intel has been shipping in its processors since 2013.

TSX improves performance by offering hardware transactional memory: a group of memory operations is executed speculatively as a transaction that is either committed atomically or aborted and rolled back, without the cost of locks.

“The TSX Asynchronous Abort (TAA) vulnerability is similar to Microarchitectural Data Sampling (MDS) and affects the same buffers (store buffer, fill buffer, load port writeback data bus).” reads the security advisory published by Intel.

“Intel TSX supports atomic memory transactions that are either committed or aborted. When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.”

Experts discovered that aborting memory transactions lets a process infer data belonging to other running processes, including operating system kernel data. An attacker could exploit the flaw to steal sensitive data, including passwords and encryption keys.

A video demonstrating a ZombieLoad MDS attack and additional technical details are available on the ZombieLoad website. Intel's microcode update for TAA adds the IA32_TSX_CTRL MSR, which lets the operating system disable TSX outright; on Linux the mitigation state is reported in /sys/devices/system/cpu/vulnerabilities/tsx_async_abort.


Pierluigi Paganini

(SecurityAffairs – TSX Speculative Attack, hacking)

The post New TSX Speculative Attack allows stealing sensitive data from latest Intel CPUs appeared first on Security Affairs.

[Category: Breaking News, Hacking, Intel, Security News, TSX Speculative Attack]

Posted 11/13/19 6:19am
Adobe patch Tuesday updates addressed a total of 11 vulnerabilities affecting its Animate, Illustrator, Media Encoder and Bridge products.

Adobe patch Tuesday updates addressed a total of 11 flaws affecting its Animate, Illustrator, Media Encoder and Bridge products.

“Adobe has published security bulletins for Adobe Animate CC (APSB19-34), Adobe Illustrator CC (APSB19-36), Adobe Media Encoder (APSB19-52) and Adobe Bridge CC (APSB19-53). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.” reads the advisory published by Adobe.

The good news is that Adobe rates all the fixed vulnerabilities as unlikely to be exploited, and the company confirmed it is not aware of attacks in the wild exploiting them.

5 of the 11 vulnerabilities addressed by Adobe are rated critical; among them:

Adobe Media Encoder

  • CVE-2019-8246 – Out-of-bounds Write issue that could lead to arbitrary code execution on Windows and macOS

Adobe Illustrator CC

  • CVE-2019-8247 is a memory corruption issue that could lead to arbitrary code execution on Windows and macOS.
  • CVE-2019-8248 is a memory corruption issue that could lead to arbitrary code execution on Windows and macOS.

Adobe credited independent researchers from NSFOCUS, Qihoo 360 and Fortinet for reporting the vulnerabilities .


Pierluigi Paganini

(SecurityAffairs – Adobe Patch Tuesday updates, hacking)

The post Adobe patch Tuesday updates addressed critical flaws in Media Encoder and Illustrator products appeared first on Security Affairs.

[Category: Breaking News, Security, Adobe Patch Tuesday, Hacking, information security news, Pierluigi Paganini, Security News]

Posted 11/13/19 2:09am
Aleksei Burkov, a Russian national accused of running a marketplace behind more than $20 million in credit-card fraud, has been extradited to the US to face criminal charges.

Aleksei Burkov (29) is a Russian man accused of running an online criminal marketplace, called Cardplanet, that helped crooks to organize more than $20 million in credit card fraud. The suspect has been extradited to the US to face criminal charges.

“According to court documents, Burkov allegedly ran a website called “Cardplanet” that sold payment card numbers (e.g., debit and credit cards) that had been stolen primarily through computer intrusions. Many of the cards offered for sale belonged to U.S. citizens. The stolen credit card data from more than 150,000 compromised payment cards was allegedly sold on Burkov’s site and has resulted in over $20 million in fraudulent purchases made on U.S. credit cards.” reads a press release published by the DoJ.

Burkov also ran a second, invite-only cybercrime forum: prospective members needed three existing members to “vouch” for their reputation in the cybercrime community and had to put up a sum of money, normally $5,000, as insurance.

“Additionally, Burkov allegedly ran another online Cybercrime Forum that served as an invite-only club where elite cybercriminals could meet and post in a secure location to plan various cybercrimes, to buy and sell stolen goods and services,  such as personal identifying information and malicious software, and offer criminal services, such as money laundering and hacking services.”

In October, Israel's justice minister approved Burkov's extradition to the United States.

The suspect was arrested in Israel in 2015; his case made headlines several times because media speculated about a possible prisoner swap with Naama Issachar, an Israeli-American who was arrested in Russia on cannabis charges.

According to the media, the Naama Issachar’s family is opposing the extradition for the above reason.

Israel's Prime Minister Benjamin Netanyahu also commented on the case, telling the media he “would appreciate” Russian President Vladimir Putin looking into Issachar's case. Russian officials also opposed the extradition.

Burkov made his initial court appearance in Alexandria, Virginia, on Tuesday after being extradited from Israel.

According to the indictment, Cardplanet offered its members stolen credit card data at prices ranging from $3 to $60 per card, and Burkov offered a money-back guarantee for expired or blocked card numbers.


Pierluigi Paganini

(SecurityAffairs – Aleksei Burkov, malware)

The post Russian man Aleksei Burkov extradited for running online criminal marketplace appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Aleksei Burkov, credit card, Hacking, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

Posted 11/13/19 1:23am
Microsoft’s Patch Tuesday updates for November 2019 address over 70 flaws, including an Internet Explorer issue (CVE-2019-1429) that has been exploited in attacks in the wild.

Microsoft’s Patch Tuesday updates for November 2019 address 74 flaws, including an Internet Explorer vulnerability, tracked as CVE-2019-1429, that has been exploited in the wild. Microsoft doesn’t provide any information on the nature of the active attacks, it only pointed out that they are likely limited at this time.

The CVE-2019-1429 zero-day is a scripting engine memory corruption vulnerability that affects Internet Explorer 9, 10 and 11.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.” reads the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability could be exploited by an attacker to execute arbitrary code in the context of the current user by tricking the victims into visiting a specially crafted website with a vulnerable IE browser or into opening a weaponized Office document.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.” continues the advisory “The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Microsoft addressed the flaw by modifying how the scripting engine handles objects in memory; the company has not identified any workarounds or mitigating factors for this issue.

Microsoft has credited Ivan Fratric from Google Project Zero, Clément Lecigne from Google’s Threat Analysis Group, an anonymous researcher from iDefense Labs, and Resecurity for reporting the issue.

Microsoft’s Patch Tuesday updates for November 2019 addressed security issues in Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based), ChakraCore, Office and Office Services and Web Apps, Open Source Software, Exchange Server, and Visual Studio.

Of these 74 CVEs addressed by Microsoft, 13 are rated Critical and 61 are rated Important in severity. 15 vulnerabilities were reported through the ZDI program.

According to Trend Micro’s Zero Day Initiative (ZDI), several threat groups could start exploiting the CVE-2019-1429 zero-day now that the patch has been released, since the fix can be reverse-engineered.

Microsoft also addressed a remote code execution vulnerability, tracked as CVE-2019-1373, in Microsoft Exchange. The vulnerability resides in the deserialization of metadata via PowerShell. An attacker could exploit this vulnerability by tricking victims into running cmdlets via PowerShell.

“While this may be an unlikely scenario, it only takes one user to compromise the server. If that user has administrative privileges, they could hand over complete control to the attacker.” reads a post published by ZDI.

Other critical vulnerabilities addressed by Microsoft impact Windows, Internet Explorer, and Hyper-V.

“Looking through the Critical-rated patches, the updates for Hyper-V stand out the most. Five separate code execution bugs receive patches this month, and each could allow a user on the guest OS to execute code on the underlying host OS,” ZDI concludes.


Pierluigi Paganini

(SecurityAffairs – CVE-2019-1429, Patch Tuesday)

The post Microsoft Patch Tuesday updates fix CVE-2019-1429 flaw exploited in the wild appeared first on Security Affairs.

[Category: Breaking News, Hacking, Security, CVE-2019-1429, hacking news, IE, information security news, Patch Tuesday, Pierluigi Paganini, Security Affairs, Security News]

[l] at 11/12/19 2:38pm
On Sunday, the Mexican state-owned oil company Petróleos Mexicanos (Pemex) was infected with the DoppelPaymer ransomware.

On Sunday, the DoppelPaymer ransomware infected systems of the Mexican state-owned oil company Petróleos Mexicanos (Pemex), taking down part of its network.

The ransom amount for Pemex is 565 BTC currently…
Also, DoppelPaymer's TOR site's text was updated sometimes & now have this:
"Also, we have gathered all your private sensitive data.
So if you decide not to pay, we would share it.
It may harm your business reputation."
Facebook is secretly using iPhone’s camera as users scroll their feed

[l] at 11/12/19 11:55am
New problems for Facebook, it seems that the social networking giant is secretly using the camera while iPhone users are scrolling their feed.

Is this another privacy issue for Facebook? iPhone user Joshua Maddux speculates that Facebook might be actively using your camera without your knowledge while you’re scrolling your feed.

Maddux published footage on Twitter that shows the camera on his iPhone being active while he scrolls through his feed.

Found a @facebook #security & #privacy issue. When the app is open it actively uses the camera. I found a bug in the app that lets you see the camera open behind your feed. Note that I had the camera pointed at the carpet. pic.twitter.com/B8b9oE1nbl

— Joshua Maddux (@JoshuaMaddux) November 10, 2019

“The problem becomes evident due to a bug that shows the camera feed in a tiny sliver on the left side of your screen, when you open a photo in the app and swipe down. TNW has since been able to independently reproduce the issue.” reported The Next Web.

The expert successfully reproduced the issue on iPhone devices running iOS version 13.2.2, but the problem doesn’t affect iOS version 12.

Maddux adds he found the same issue on five iPhone devices running iOS 13.2.2, but was unable to reproduce it on iOS 12.

“I will note that iPhones running iOS 12 don’t show the camera (not to say that it’s not being used),” Maddux said.

The personnel at TNW noticed that the issue only occurs if users have granted the Facebook app access to their camera.

At the time of writing, it is still unclear whether this is expected behavior; the issue does not occur on Android devices.

A similar issue was described in October 2017 by the Austrian developer and Google engineer, Felix Krause. The expert explained that the privacy issue in Apple iPhone could be exploited by iOS app developers to silently take users’ photos and record their live video by enabling both front and back cameras.

The iPhone users would never receive any notification from the device. Krause shared technical details in a blog post.

At the time, the researcher explained that the best way to mitigate the issue was to revoke camera access.

TNW contacted Facebook for comment.


Pierluigi Paganini

(SecurityAffairs – iPhone, hacking)

The post Facebook is secretly using iPhone’s camera as users scroll their feed appeared first on Security Affairs.

[Category: Breaking News, Mobile, Security, hacking news, information security news, iPhone, privacy, Security Affairs, Security News]

[l] at 11/12/19 6:49am
The analysis of a malicious email revealed a possible rising interest of the TA505 cybercrime gang in system integrator companies.

Introduction

During a normal monitoring activity, one of the detection tools hit a suspicious email coming from the validtree.com domain. The domain was protected by a Panama company to hide its real registrant, and this condition rang a warning bell on the suspected email, so that it required a manual analysis in order to investigate its attachment. Digging into this malicious artifact revealed a possible rising interest of the infamous TA505 in System Integrator Companies (the companies in which that threat has been found).

Technical Analysis

During the past few weeks suspicious emails coming from the validtree.com domain were detected: they were addressing System Integration Companies. The domain validtree.com was registered through namecheap.com on 2017-12-07T15:55:27Z but recently renewed on 2019-10-16T05:35:18Z. The registrant is protected by a Panama company named WhoisGuard, which hides the original registrant name. Currently the domain points to 95.211.151.230, an IP address assigned to LeaseWeb, a VPS hosting provider located in the Netherlands, Europe. Attached to the email, a suspicious Word document was waiting to be opened by the victim.

Hash: 7ebd1d6fa8c21b0d0c015475ab8c7225f949c13a33d0a39b8c069072a4281392
Threat: Macro Dropper
Brief Description: Document Dropper
Ssdeep: 384:nFZ5ZtDGGkLmTUrioRPATRn633Dmej0SnJzbmiVywP0jKk:n1oqwT2J633DVgiVy25

By opening the Word document the victim sees the following text (Image1). The document tempts the victim into enabling the macro functionality in order to re-encode the document with readable charsets by translating the current encoding charset to the local readable one.

Image1: Word Document Content

A transparent Microsoft Word shape placed on top of the encoded text prevents the victim from interacting with the unreadable text. That document holds two VBA macro functions, which were identified as a romantic AutoOpen and an additional one named HeadrFooterProperty. Interestingly, the document had no evidence on VT (at analysis time), so it could be a revamped threat or a totally new one! The two macros decode a JavaScript payload acting as a drop-and-execute stage, using a well-known strategy as described in: “Frequent VBA Macros used in Office Malware”. The following image shows the decoding process. A first round of obfuscation was adopted by the attacker in order to make the analyst’s decoding harder. That stage implements obfuscated embedded JavaScript code which decodes, by using an XOR with key=11, a third JavaScript stage acting as drop-and-execute against a resource on 66.133.129.5. That IP is assigned to Frontier Communications Solutions: a NY-based company.

Image2: Deobfuscation steps from obfuscated VBA to clear “evaled” JavaScript

It was nice to read the obfuscated code since the variable names were actually thematically chosen per function. For example the theseus function is obfuscated with “divine terms”; one of my favorites was actually the following conditional branch: If pastorale / quetzalcoatl < 57 Then …, which actually was always true!
Buran ransomware-as-a-service continues to improve

[l] at 11/12/19 6:15am
The recently discovered ransomware-as-a-service (RaaS) Buran attempts to gain popularity by offering discounted licenses.

In May, researchers from McAfee’s Advanced Threat Research Team discovered a new piece of ransomware named ‘Buran.’ Buran is offered under a RaaS model, but unlike other ransomware families such as REvil or GandCrab, the authors take 25% of the income earned by affiliates, instead of the usual 30% – 40%. Now the operators behind the Buran RaaS announce in their ads that all affiliates will have a personal arrangement with them.

The operators’ ad states that Buran works with all versions of the Windows OS, but experts at McAfee explained that it doesn’t work on older systems like Windows XP.

Researchers also discovered that the ransomware will not infect any region inside the CIS segment of former Soviet Republics (Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan).

The ransomware appears to be the evolution of the Jumper ransomware, which is based on VegaLocker.

Operators behind this RaaS announced that they can negotiate the fee with anyone who can guarantee an impressive level of infection with the ransomware.

Buran is advertised as a stable malware that uses an offline cryptolocker, offers 24/7 support, uses global and session keys, and has no third-party dependencies such as libraries. Below is an excerpt of its ad:

"Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths;
High speed: a separate stream works for each disk and network path;
Skipping Windows system directories and browser directories;
Decryptor generation based on an encrypted file;
Correct work on all OSs from Windows XP, Server 2003 to the latest;
The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;" reads the ad.
"The completion of some processes to free open files (optional, negotiated); The ability to encrypt files without changing extensions (optional); Removing recovery points + cleaning logs on a dedicated server (optional); Standard options: tapping, startup, self-deletion (optional);
Installed protection against launch in the CIS segment."

McAfee experts believe that Buran ransomware was delivered through the Rig Exploit Kit. The Rig EK was exploiting the CVE-2018-8174 to deliver the Buran ransomware.

“In our analysis we detected two different versions of Buran, the second with improvements compared to the first one released.” reads the analysis published by McAfee.

The two versions analyzed by the experts are written in Delphi; one of them includes improvements over the other. The malware encrypts files only if the machine is not in Russia, Belarus or Ukraine.

The malware gains persistence using registry keys. Below is an example of the ransom note left on the infected system:

Buran RaaS

“Buran represents an evolution of a well-known player in the ransomware landscape. VegaLocker had a history of infections in companies and end-users and the malware developers behind it are still working on new features, as well as new brands, as they continue to generate profits from those actions.” concludes the analysis. “We observed new versions of Buran with just a few months between them in terms of development, so we expect more variants from the authors in the future and, perhaps, more brand name changes if the security industry puts too much focus on them.” “It mimics some features from the big players and we expect the inclusion of more features in future developments.”


Pierluigi Paganini

(SecurityAffairs – Buran RaaS, malware)

The post Buran ransomware-as-a-service continues to improve appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, Buran RaaS, Cybercrime, Hacking, information security news, Pierluigi Paganini, RaaS, ransomware, Security Affairs, Security News]

[l] at 11/12/19 12:47am
Researchers from Radware reported that massive TCP SYN-ACK DDoS reflection attacks hit Amazon, SoftLayer and telecom infrastructure in the last month.

Researchers from Radware are warning of a wave of TCP SYN-ACK DDoS reflection attacks that in the last 30 days hit Amazon, SoftLayer and telecom infrastructure.

“Over the last 30 days, Radware has observed a number of criminal campaigns that have been abusing the TCP implementation by performing TCP reflection attacks against large corporations.” reads the analysis published by Radware. “The attacks not only impacted the targeted networks, but also disrupted reflection networks across the world, creating a fallout of suspected SYN-flood attacks by many businesses.”

In a TCP SYN-ACK reflection attack, the attacker sends spoofed SYN packets to a wide range of random or pre-selected reflection IP addresses. The spoofed packets have the original source IP replaced by the target’s IP address. The systems at the reflection IP addresses reply with a SYN-ACK packet to the target; a normal three-way handshake would deliver a single SYN-ACK to the victim, but when the victim does not respond with the final ACK, the reflection service keeps retransmitting the SYN-ACK packet. This mechanism amplifies the DDoS attack.

The amplification factor depends on the number of SYN-ACK retransmits by the service running at the reflection IP address. Independent research found more than 4.8 million devices vulnerable to an average amplification factor of 112x, and thousands of hosts that could be abused for amplification up to a factor of almost 80,000x, an amazing firepower for attackers.
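As an added example, not taken from the Radware report, the following Python sketch shows how a defender can recognise the two fingerprints described above from flow-style packet records: unsolicited, repeated SYN-ACKs arriving at the victim for handshakes it never opened, and the apparent SYN flood that a reflector sees from the spoofed address. All packet records, hosts (documentation IP ranges) and back-off timings are constructed for the example.

```python
"""Spot TCP SYN-ACK reflection fallout in flow-style packet records.

Constructed example (not from the Radware report). Record layout mimics a
flow log: (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags), with
flags "S" = SYN, "SA" = SYN-ACK, "A" = ACK. Only documentation IP ranges
(RFC 5737) are used.
"""
from collections import defaultdict

VICTIM = "203.0.113.10"       # the spoofed source the attacker impersonates
REFLECTOR = "198.51.100.5"    # one of the abused hosts

# --- Victim-side capture (constructed) -----------------------------------
VICTIM_VIEW = [
    # A legitimate connection opened by the victim: SYN, one SYN-ACK, ACK.
    (0.00, VICTIM, 51000, "198.51.100.7", 80, "S"),
    (0.01, "198.51.100.7", 80, VICTIM, 51000, "SA"),
    (0.02, VICTIM, 51000, "198.51.100.7", 80, "A"),
]
# Reflected traffic: each reflector keeps retransmitting its SYN-ACK with
# a growing back-off because the victim (which never sent a SYN) neither
# ACKs nor RSTs it. Back-off values are illustrative.
for reflector in (REFLECTOR, "198.51.100.6"):
    for delay in (0.0, 1.0, 3.0, 7.0, 15.0, 31.0):
        VICTIM_VIEW.append((1.0 + delay, reflector, 443, VICTIM, 40000, "SA"))
VICTIM_VIEW.sort()

# --- Reflector-side capture (constructed) --------------------------------
REFLECTOR_VIEW = [
    # A real client completes its handshake with the reflector.
    (0.00, "192.0.2.20", 33000, REFLECTOR, 443, "S"),
    (0.01, REFLECTOR, 443, "192.0.2.20", 33000, "SA"),
    (0.02, "192.0.2.20", 33000, REFLECTOR, 443, "A"),
]
# Spoofed SYNs carrying the victim's address; no ACK ever follows, so from
# the reflector's point of view the victim looks like a SYN-flood source.
for i in range(50):
    REFLECTOR_VIEW.append((0.1 + i * 0.001, VICTIM, 40000 + i, REFLECTOR, 443, "S"))


def synack_reflection_streams(packets, min_synacks=3):
    """Victim-side fingerprint.

    Returns {(reflector_ip, reflector_port, victim_ip): synack_count} for
    SYN-ACK streams whose destination never sent the matching SYN. A stream
    with at least `min_synacks` unsolicited SYN-ACKs is treated as reflection
    fallout rather than a single stray packet.
    """
    syns_sent = set()
    synacks = defaultdict(int)
    for _ts, src, sport, dst, dport, flags in packets:
        if flags == "S":
            syns_sent.add((src, sport, dst, dport))
        elif flags == "SA":
            synacks[(src, sport, dst, dport)] += 1
    streams = {}
    for (src, sport, dst, dport), count in synacks.items():
        # A genuine handshake is preceded by a SYN from dst:dport to src:sport.
        if (dst, dport, src, sport) not in syns_sent and count >= min_synacks:
            streams[(src, sport, dst)] = count
    return streams


def amplification_factor(packets, min_synacks=3):
    """Average SYN-ACK packets delivered to the victim per spoofed SYN.

    One spoofed SYN opens one stream, so the factor is the total number of
    unsolicited SYN-ACKs divided by the number of such streams. Real-world
    reflectors differ widely in how many retransmits they send, which is why
    per-host factors range from a handful to tens of thousands.
    """
    streams = synack_reflection_streams(packets, min_synacks)
    if not streams:
        return 0.0
    return sum(streams.values()) / len(streams)


def half_open_by_source(packets):
    """Reflector-side fingerprint.

    Counts SYNs per source address that were never followed by an ACK from
    the same 4-tuple. The spoofed victim shows up as the apparent flooder,
    which is the collateral "SYN flood" the report describes.
    """
    syns = defaultdict(set)
    acks = defaultdict(set)
    for _ts, src, sport, dst, dport, flags in packets:
        if flags == "S":
            syns[src].add((sport, dst, dport))
        elif flags == "A":
            acks[src].add((sport, dst, dport))
    return {src: len(flows - acks[src])
            for src, flows in syns.items() if flows - acks[src]}


if __name__ == "__main__":
    for (refl, port, victim), n in synack_reflection_streams(VICTIM_VIEW).items():
        print(f"{victim} got {n} unsolicited SYN-ACKs from {refl}:{port}")
    print("amplification factor:", amplification_factor(VICTIM_VIEW))
    print("half-open SYNs per source at reflector:", half_open_by_source(REFLECTOR_VIEW))
```

On the constructed data the victim-side check flags both reflectors with six SYN-ACKs each (an amplification factor of 6), while the reflector-side check attributes 50 half-open SYNs to the spoofed victim address and none to the legitimate client.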

Experts observed several campaigns carrying out TCP reflection DDoS attacks against many corporations, including Amazon, SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband.

The new wave of major attacks began in October, when a major DDoS attack crippled the network of the Italian branch of the online sports gambling website Eurobet. The attack lasted for several days and also affected other betting networks.

Figure: Packet counts originating from Garanti BBVA IP ranges – October 2019 (Radware report)

At the end of October, Radware observed other criminal campaigns mounting TCP reflection DDoS attacks against the financial and telecommunication industries in Italy, South Korea and Turkey.

“This attack was noticed by the security community due to the reflective nature of one of the attack vectors,” continues the analysis. “In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of [the infrastructure of Turkish provider] Garanti Bilisim Teknolojisi ve Ticaret TR.A.S. were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”

According to the experts, the campaign began in 2018 and targeted both large, well-resourced corporations and smaller businesses and home users. Experts pointed out that organizations not prepared for the spikes in TCP traffic suffer secondary outages, “with SYN floods one of the perceived side-effects by the collateral victims.”

Most of the reflection IP addresses involved in the recent wave of TCP reflection attacks belong to the public IPv4 address space.

“This means the recent attackers, illustrated in Figure 13, used a rapid rate of falsified SYN packets to a wide range of the IPv4 address space with a spoofed source originating from either bots or servers hosted on subnets and by providers that do not implement BCP 38 to prevent IP source address spoofing on their servers or networks.” concludes the analysis. “The spoofed source in these attacks were the entire network ranges of the intended targets which resulted in the targeted reflectors retransmitting SYN-ACK packets in a carpet bombing attack as long as RST packets were not received.”


Pierluigi Paganini

(SecurityAffairs – TCP DDoS reflection attacks, cybercrime)

The post Experts warn of spike in TCP DDoS reflection attacks targeting Amazon, SoftLayer and telco infrastructure appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Cybercrime, DDoS reflection attacks, hacking news, Pierluigi Paganini, Security Affairs, Security News, TCP reflection attacks]

[l] at 11/11/19 11:49pm
Crowdsourced security platform Bugcrowd announced it paid over $500,000 in bug bounty rewards during the last week of October.

Bug bounty programs can represent an excellent opportunity to monetize your passion: in just one week at the end of October, crowdsourced security platform Bugcrowd paid over $500,000 in bug bounty rewards.

Bugcrowd is used by many enterprises; it allows them to manage bug bounty programs, penetration testing, and vulnerability disclosure.

In October, the platform paid a total of $1.6 million to over 550 hackers; the biggest payout was over $40,000. This marks significant progress compared with five years ago.

“The Crowd also surfaced more than 300 P1s! Looking back to October 2014, we paid out nearly $30,000 to 85 hackers, and uncovered five P1s.” reads a post published on the Bugcrowd website. “In a matter of a five-year span, we’ve exponentially multiplied payouts, Crowd engagement, and critical findings, and to say we’re excited is an understatement.”

According to Bugcrowd, payouts are increasing year after year; in 2019 the company observed an increase of more than 80% over the payouts assigned during 2018.

“As more organizations reach security maturity and trust in the value of the Crowd, we will continue to see more programs launch and pay out in higher sums. Great news for our researchers, both new and experienced on the platform.” Bugcrowd concludes.

“For those just starting out, we’re always committed to growing our community and uplifting the skills of our hackers. That’s why we launched Bugcrowd University in 2018, offering free, ungated resources co-curated by our community and security experts to help other hackers hone their skills.”


Pierluigi Paganini

(SecurityAffairs – bug bounty program, hacking)

The post Bugcrowd paid over $500,000 in bug bounty rewards in one week appeared first on Security Affairs.

[Category: Breaking News, Hacking, Security, Bug Bounty, Bugcrowd, information security news, Pierluigi Paganini, Security Affairs, Security News]

[l] at 11/11/19 1:09pm
This is a really embarrassing incident: the ZoneAlarm forum site has suffered a data breach exposing the data of its discussion forum users.

ZoneAlarm, the popular security software firm owned by Check Point Technologies, has suffered a data breach. According to a post published by The Hacker News, the security breach exposed the data of ZoneAlarm discussion forum users.

The ZoneAlarm suite includes antivirus software and firewall solutions for end users and small organizations; it has nearly 100 million downloads.

“Though neither ZoneAlarm or its parent company Check Point has yet publicly disclosed the security incident, the company quietly sent an alert via email to all affected users over this weekend, The Hacker News learned.” reads the post published by The Hacker News.

The company sent a data breach notification mail to forum users urging them to change their forum account passwords. At this time it is unclear when the attackers compromised the ZoneAlarm forum. The message revealed that attackers gained unauthorized access to forum members’ data, including names, email addresses, hashed passwords, and dates of birth.

The good news is that the number of affected members is not that large: the incident only impacted the “forums.zonealarm.com” domain, which has roughly 4,500 subscribers.

“This is a separate website from any other website we have and used only by a small number of subscribers who registered to this specific forum,” reads the data breach notification message. “The website became inactive in order to fix the problem and will resume as soon as it is fixed. You will be requested to reset your password once joining the forum.”

The incident is embarrassing because it was caused by a lack of patch management for the impacted forum. A company spokesperson told The Hacker News that attackers exploited the CVE-2019-16759 remote code execution vulnerability in the vBulletin forum software.

In September, an anonymous hacker disclosed technical details and proof-of-concept exploit code for a critical zero-day remote code execution flaw in vBulletin. The issue could be exploited remotely by an unauthenticated attacker. The PoC exploit published by the hacker works on vBulletin versions 5.0.0 through the latest 5.5.4, and the ZoneAlarm forum was running version 5.4.4.

ZoneAlarm forum hacked

The zero-day flaw in the forum software resides in the way an internal widget file of the forum software package accepts configurations via URL parameters. The expert discovered that the package fails to validate the parameters; an attacker could exploit this to inject commands and remotely execute code on the vulnerable install.

Another security firm suffered a data breach due to the CVE-2019-16759 remote code execution vulnerability. In October, hackers breached the ITarian Forum, the Comodo discussion board and support forum, accessing the login credentials of nearly 245,000 users registered with the Comodo Forums websites.

ZoneAlarm immediately launched an investigation into the incident and took down the forum website.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post ZoneAlarm forum site hack exposed data of thousands of users appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Hacking, data breach, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News, ZoneAlarm]

[l] at 11/11/19 8:44am
The Global Cyber Security Center has developed a tool named CERTrating to evaluate the maturity level of CERTs and of the services they provide to their Constituency.

The cyber-attacks of recent years have fully confirmed that cybersecurity is an increasingly complex challenge and a priority for all companies, both in terms of development and of investment.

In this complex context, CERTs certainly play a central role in companies’ security perimeter, and even more so in national scenarios. Computer Emergency Response Teams are among the main protagonists and one of the first lines of defense in cybersecurity, identifying, preventing, responding to, resolving and fighting any type of IT incident in order to protect corporate and national interests.

For these reasons the Global Cyber Security Center, a not-for-profit foundation of Poste Italiane, in line with its mission of developing and disseminating knowledge and awareness on cybersecurity, has developed a tool, CERTrating, to evaluate the maturity level of CERTs and of the services they provide to their Constituency, so that they can better face today’s complex “cyber-scenarios”.

The idea of developing a tool that can help CERTs/CSIRTs arose from the need to understand how mature companies are in delivering CERT services.

CERTrating is based on a capability maturity model designed by ENISA for CERTs, which is one of the methods for understanding how and where investments must be directed and how much effort, in terms of time and resources, is needed to become more resilient.

The Capability Maturity Model (CMM) was conceived and initially introduced by Watts Humphrey, the “father of software quality”, in the days when he worked at IBM for the US Department of Defense. The model is mainly used to evaluate process maturity in companies, from the technology used to organization management, staff and training. This model makes it possible to classify, identify and plan improvement actions to be applied in specific areas and to improve the maturity level of the system for which the model is implemented.

ENISA has decided to apply this model to CSIRT / CERT in order to assess their maturity.

CERTrating was developed according to the Capability Maturity Model defined by ENISA (following the SIM3 approach), which is based on a classification into three main levels: Basic, Intermediate or Advanced.

As highlighted by the European Agency, this three-tier maturity level approach is recognized both by ENISA and by TF-CSIRT/Trusted Introducer, the European cooperation body of all types of CSIRTs. It is possible to tie that in to the SIM3 maturity model by introducing, again, three levels of increasing maturity. [For the sake of this report] these levels have been labelled basic, intermediate and advanced – the latter, most mature, level connecting with the existing CSIRT Certification scheme in Europe. It is important to note that no exact 1:1 mapping between these three levels and the older schemes is proposed here – but rather a unified, sustainable approach meant to serve especially the “CSIRT Network” required by the NISD.

CERTrating follows the SIM3 maturity model, built on three fundamental elements: Maturity Parameters, Maturity Quadrants and Maturity Levels. Parameters are the quantities measured for the maturity of the 44 answers provided to the self-assessment survey. Each Parameter belongs to one of the 4 Quadrants: (O) Organization, (H) Human, (T) Tools, (P) Processes.

To measure the maturity level of each question in all of the Quadrants, CERTrating uses the original SIM3 capability maturity model and lets users answer questions on an increasing maturity scale (from 0 to 4):

  • 0 = not available / undefined / unaware
  • 1 = implicit (known/considered but not written down, “between the ears”)
  • 2 = explicit, internal (written down but not formalised in any way)
  • 3 = explicit, formalised on authority of CERT/CSIRT head (rubberstamped or published)
  • 4 = explicit, audited on authority of governance levels above the CERT/CSIRT head (subject to control process/audit/enforcement)

One of the differences between CERTrating and ENISA’s survey is that the new platform provides a self-assessment, faithful to ENISA’s SIM3 model, that can be applied both to the entire CERT and to its individual services.

In particular, the 14 CERT services (also defined by ENISA) have their own dedicated surveys, based on the model and metrics of the Capability Maturity Model and customized for each service. After the CERT and service self-assessments are answered, CERTrating can report the “applied maturity” of the CERT. The “applied maturity” differs from ENISA maturity because it considers both the maturity of each individual service and the role each of them plays in achieving the Constituency’s goals.

The platform is completely customizable by the user. CERTrating allows entering the name of your CERT and company and its logo, and selecting the services provided by the CERT while assigning each a relative weight. You can also modify the completed surveys at any time to keep your maturity level up to date.

CERTrating includes a dashboard and specific reports for top management that provide a view of the maturity level of the CERT and its services once the dedicated surveys have been completed. The reporting section offers a graphical view of the maturity level of the CERT and its services, the maturity trend over time, the history of all the assessments made for the CERT and its services, and the average obtained by the CERT compared to other Italian CERTs.

In addition, CERTrating offers advice and actions to be taken for your CERT and services to reach the maturity level immediately above the current one and the optimal maturity level.

According to ENISA, “by adopting the proposed approach, the [CERT] CSIRT Network will have immediate access to a clearly laid out CSIRT maturity improvement process, that is both implementable and sustainable. A growth path is suggested that reaches basic level within one year, intermediate two years later and advanced another two years later: a total of five years maximum. Basic level already allows a minimum of successful co- operation between teams on incident handling, the higher levels are needed to allow the members of the CSIRT network to interact on all levels, including pro-actively…”

The tool will be available shortly. In the meantime, readers can get more information on the CERTrating site:

www.certrating.com

GCSEC is grateful to Cyber Affairs for sharing this article and broadening its audience, hoping that the use of CERTrating can help national and private organizations reduce the asymmetry of the conflict fought every day in cybersecurity against cybercriminals.


Pierluigi Paganini

( SecurityAffairs  – CERTrating, CERT)

The post CERTrating a new Tool to evaluate CERT/CSIRT maturity level appeared first on Security Affairs.

[Category: Breaking News, Hacking, Malware, CERT, Cybersecurity, information security news, Pierluigi Paganini, Security Affairs, Security News]

[l] at 11/11/19 3:16am
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warns businesses and netizens of Emotet and BlueKeep attacks in the wild.

The ACSC is warning organizations and people of a wave of cyberattacks exploiting the Windows BlueKeep vulnerability to deliver crypto-currency miners.

“The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), with its state and territory partners, is continuing to respond to the widespread malware campaign known as Emotet while responding to reports that hackers are exploiting the BlueKeep vulnerability to mine cryptocurrency.” reads the advisory published by the ACSC.

The alert follows the one issued by Microsoft, which warned of more BlueKeep attacks that could deliver disruptive payloads and urged organizations to patch their systems.

The Australian agency also warns of Emotet campaigns that hit the country in recent months, posing a significant threat to both organizations and government offices.

The Cyber Incident Management Arrangements (CIMA) will remain active even though the alert has been downgraded to Level 4 – ‘Lean Forward’ (CIMA Level 4 calls for a precautionary approach through increased monitoring, analysis, and strategic coordination and engagement at the national level).

At the end of October, the CIMA was activated to Level 3 in response to the Emotet campaigns.

The ACSC announced the activation of Australia’s CIMA to Level 3 – ‘Alert’ on 25 October 2019, in response to the widespread exploitation of vulnerable systems by the Emotet malware. The threat posed by this malicious software required immediate action at the national level to ensure Australian organisations, from critical infrastructure providers to small businesses, receive mitigation advice to protect their networks. 

“There are two concerning cyber security threats in the wild. While we have seen a drop in the number of Emotet infections in the last week, people and businesses should remain vigilant,” said Head of the ACSC, Rachel Noble PSM.

“We are also concerned about reports cybercriminals are exploiting the BlueKeep vulnerability to access computers and control them without the users’ knowledge.”

Recently, researchers warned of the first mass-hacking campaign exploiting the BlueKeep vulnerability; the attack aimed at installing a cryptocurrency miner on the infected systems. The popular expert Kevin Beaumont observed some of his EternalPot RDP honeypots crashing after being attacked.

huh, the EternalPot RDP honeypots have all started BSOD'ing recently. They only expose port 3389. pic.twitter.com/VdiKoqAwkr

— Kevin Beaumont (@GossiTheDog) November 2, 2019

The popular expert Marcus Hutchins analyzed data shared by Beaumont and confirmed that the honeypot systems were hit by attackers leveraging the BlueKeep exploit to deliver a Monero miner.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities: it can be exploited without user interaction, making it possible for malware to spread in an uncontrolled way through the target networks.

While we currently see only coin miners being dropped, we agree w/ the research community that CVE-2019-0708 (BlueKeep) exploitation can be big. Locate and patch exposed RDP services now. Read our latest blog w/ assist from @GossiTheDog & @MalwareTechBlog https://t.co/y1NgN5WVu8

— Microsoft Security Intelligence (@MsftSecIntel) November 7, 2019

The ACSC also warns about the Emotet threat, a banking trojan that has been active since 2014.

In 2019, security experts had not detected any activity associated with Emotet since early April, when researchers at Trend Micro uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as proxy C2 servers. Experts at Talos found that in April 2019 Emotet was using hijacked email conversations in only 8.5% of its infection attempts. The situation has now changed: in the latest campaign, stolen email threads appeared in nearly a quarter of Emotet’s outbound emails.

The threat came back in September with an active spam distribution campaign. Researchers from Malwarebytes observed that the Trojan started pumping out spam; the messages initially targeted users in Germany, Poland, Italy and the US. The campaign continues, targeting users in Austria, Switzerland, Spain, the United Kingdom, and the United States.

The researchers observed that hundreds of thousands of messages were sent as part of this distribution effort.

The most notable characteristic of this campaign is the reuse of stolen email content to trick recipients into opening attachments or clicking on links pointing to weaponized Word documents that were used to fetch and execute Emotet.

“While we have helped many organisations mitigate the impact of Emotet in its current form, like most forms of malware and ransomware, Emotet may continue to evolve as cybercriminals seek to evade detection and the law.” Noble added.

“I urge all Australians to remain vigilant about Emotet, BlueKeep and other forms of viruses or vulnerabilities. The threat is real, but there is something you can do about it,” Ms Noble said.

The ACSC also provides technical advice on Emotet to allow organizations to adopt necessary countermeasures against the threat.


Pierluigi Paganini

(SecurityAffairs – BlueKeep, malware)

The post Australian Govt agency ACSC warns of Emotet and BlueKeep attacks appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, ACSC, BlueKeep, EMOTET, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

[l] at 11/11/19 12:47am
The Apple Mail app available on macOS leaves a portion of users’ encrypted emails in plaintext in a database called snippets.db.

The Apple expert Bob Gendler discovered that the Apple Mail app available on macOS leaves a portion of users’ encrypted emails in plaintext in a database called snippets.db. The issue affects all macOS versions, including the latest, Catalina.

The issue has yet to be fixed; although Apple plans to address it, the company did not provide a timeline.

“But if you send encrypted emails from Apple Mail, there’s currently a way to read some of the text of those emails as if they were unencrypted — and allegedly, Apple’s known about this vulnerability for months without offering a fix.” reads a post published by The Verge.

“Apple tells The Verge it’s aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good.”

The expert discovered the issue while he was investigating how macOS and Siri suggest contacts and information to the user.

“This led me to the process called , run by the system level LaunchAgent apple, and the Suggestions folder in the user-level Library folder, which contains multiple files and some potentially important database files ( files).” reads a post published by Gendler on Medium. “These are databases with information from Apple Mail and other Apple applications that enable and Siri to become better at suggesting information.”

Gendler explained that Siri uses a process named “suggestd” to collect contact information from various apps. Data collected by the process is stored in the snippets.db file.

The expert discovered that if Apple Mail is used to send and receive encrypted email, Siri collects a plaintext version of the emails, storing them in the database.

“Let me say that again… The snippets.db database is storing encrypted Apple Mail messages … completely, totally, fully — UNENCRYPTED — readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user.” continues the post.

“This is a big deal. This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected.”

Unfortunately, disabling Siri alone will not solve the issue, because the ‘suggestd’ process will continue to scrape emails.

The expert proposed the following three ways to stop these processes from scraping messages from Apple Mail:

  • Manually change the settings: go to System Preferences → Siri → Siri Suggestions & Privacy → uncheck the boxes for Apple Mail.
  • Run the following command in Terminal to stop Siri from learning from Apple Mail: defaults write com.apple.suggestions SiriCanLearnFromAppBlacklist -array com.apple.mail
  • Deploy a system-level (for all users) configuration profile to stop Siri from learning from Apple Mail.

The third solution is permanent: it stops macOS and Siri from collecting this Mail information for all users, and the expert explained that future OS updates will not re-enable Siri scraping Apple Mail.

Gendler also suggests manually removing the snippets.db file located in “/Users/(username)/Library/Suggestions/”.
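As an added example (not code from Gendler’s post or from Apple), the following Python script builds the system-level configuration profile described in the third option above, setting the same com.apple.suggestions / SiriCanLearnFromAppBlacklist key used by the defaults command, verifies that a generated profile actually lists com.apple.mail, and reports any per-user snippets.db files still present under /Users. The mobileconfig payload layout (preference domain as PayloadType, managed keys at the payload top level) and all identifiers are assumptions; confirm the custom-settings format your MDM expects.

```python
"""Added example: generate and check a macOS profile that blocks Siri Suggestions
from learning from Apple Mail (com.apple.suggestions / SiriCanLearnFromAppBlacklist)."""
import plistlib
import uuid
from pathlib import Path

SUGGESTIONS_DOMAIN = "com.apple.suggestions"    # preference domain from the defaults command
BLACKLIST_KEY = "SiriCanLearnFromAppBlacklist"   # key from the defaults command
MAIL_BUNDLE_ID = "com.apple.mail"


def build_profile(blocked_apps=(MAIL_BUNDLE_ID,), org="Example Org"):
    """Return a system-scoped .mobileconfig (XML plist) as bytes.
    Assumption: the custom-settings payload uses the preference domain as its
    PayloadType with the managed keys at the payload's top level; the
    identifiers and organization below are placeholders."""
    settings = {
        "PayloadType": SUGGESTIONS_DOMAIN,
        "PayloadIdentifier": f"{SUGGESTIONS_DOMAIN}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        BLACKLIST_KEY: list(blocked_apps),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # applies to all users, as in the article's third option
        "PayloadIdentifier": "example.org.siri-mail-blacklist",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Block Siri Suggestions from Apple Mail",
        "PayloadOrganization": org,
        "PayloadContent": [settings],
    }
    return plistlib.dumps(profile)


def mail_is_blocked(profile_bytes):
    """True if the profile has a com.apple.suggestions payload whose blacklist lists Mail."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == SUGGESTIONS_DOMAIN:
            return MAIL_BUNDLE_ID in payload.get(BLACKLIST_KEY, [])
    return False


def leftover_snippets_dbs(home_root="/Users"):
    """Paths of per-user snippets.db files still on disk (the file Gendler suggests deleting)."""
    return sorted(str(p) for p in Path(home_root).glob("*/Library/Suggestions/snippets.db"))


if __name__ == "__main__":
    data = build_profile()
    Path("block-siri-mail.mobileconfig").write_bytes(data)
    print("Mail blocked in profile:", mail_is_blocked(data))
    print("snippets.db still present for:", leftover_snippets_dbs() or "no users")
```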


Pierluigi Paganini

( SecurityAffairs  – encryption, hacking)

The post Apple Mail stores parts of encrypted emails in plaintext DB appeared first on Security Affairs.

[Category: Breaking News, Security, Apple Mail, encryption, hacking news, information security news, macOS, Pierluigi Paganini, Security Affairs, Security News]

[l] at 11/10/19 12:00pm
Another day, another victim of a ransomware attack: this time the major ASP.NET hosting provider SmarterASP announced that it was infected by ransomware.

SmarterASP.NET is one of the most popular ASP.NET hosting providers, with more than 440,000 customers. SmarterASP announced it was hit yesterday by a ransomware attack.

The attack encrypted customer data and the company’s website was not reachable on Saturday; it was back up on Sunday morning.

At the time of writing, the company confirmed the incident and announced that it is working to restore customers’ servers, no info was shared on the family of malware that hit the company. It is unclear if SmarterASP decided to pay the ransom, or if it is restoring data using its backups.

“Your hosting account was under attack and hackers have encrypted all your data. We are now working with security experts to try to decrypt your data and also to make sure this would never happen again. Please stay tuned for more info. Please know that we are getting thousands of messages in our email and live chat and we don’t have enough staff to reply to them all.” reads a statement published on the company website. “We will continue to put out notices on our Facebook page and http://status.smarterasp.net/ page. Please check back soon.”

The company hired security experts to decrypt its data and secure its infrastructure.

“A phone call to SmarterASP.NET was not returned. The company’s phone line was down, citing an influx of calls. In a status message posted on its website, the company admitted to the hack.” reported ZDNet.

Many customers are still not able to access their accounts and data. Experts pointed out that the ransomware attack encrypted both public-facing web servers and backend databases.

According to screenshots shared by some customers on Twitter, the ransomware that infected the company appends the “.kjhbx” extension to each file name it encrypts.

Ransomware attacks continue to make the headlines: a few hours ago I reported that the leading action sports company Boardriders and its subsidiaries, including QuikSilver and Billabong, were hit by this kind of malware.

A few days ago, Everis, an NTT DATA-owned firm and one of Spain’s largest managed service providers (MSPs), suffered a ransomware attack. Unfortunately, it was not alone: Spain’s largest radio station, Cadena SER (Sociedad Española Radiodifusión), was the victim of a similar attack.


Pierluigi Paganini

( SecurityAffairs  – SmarterASP, ransomware)

The post Major ASP.NET hosting provider SmarterASP hit by ransomware attack appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, Hacking, information security news, malware, Pierluigi Paganini, ransomware, Security Affairs, Security News, smarterasp]

As of 11/15/19 12:00am. Last new 11/14/19 1:34pm.
