Friday, September 21, 2018

Magecart? Again?

I don’t like writing breach stories because they occur far too often. On the other hand, when the breach is the fault of the sales merchant, one hopes exposure would cause a renewed interest in other merchants to better secure their retail websites to assure such data loss doesn’t happen to them.
With the numbers of breaches so large, how easily we forget that back in June, Magecart applied a kind of cross-site-scripting (XSS) attack to effectively digitally skim the credit card information from Ticketmaster buyers used for payment. In defense of Ticketmaster, the actual attack appeared to be a code insertion compromise against Inbenta, a thirdparty supplier for their website. Although obfuscated, and having no impact on the site’s functionality, the subtle change captured and diverted the information to Magecartowned servers with legitimate looking names.

 This attack was nothing new to Magecart, who’s been behind such malaise since 2015 and focuses on e-commerce. At the time of the Ticketmaster breach, RiskIQ believed that there were over 800 different commerce websites also targeted based on their analysis. Clearly Magecart continued with attacks as evidenced by the large compromise of British Airways (having lost over 380,000 transactions). One might imagine that other smaller sites are also being targeted based on the announcement that just this week ABC-CBN (who’s on-line store was compromised) may have lost information on 213 customers.

You’d think with such publicity, e-commerce sites, especially those with a large customer base would be watching for similar Magecart activity to assure they don’t fall victim. Or not. Per Threatpost yesterday, “Newegg is a top online merchant with tens of millions of registered users in 50 countries, according to its website. It sells a range of consumer electronics, entertainment, smart-home and gaming products, and is the 161st most popular site in the U.S. according to Alexa. In all, it receives more than 50 million site visitors per month. And between Aug. 14 and Sept. 18, a Magecart-linked payment skimmer was active on the Newegg site”. Like the attacks on the other e-commerce sites, with an eloquent injection of only 8 lines of code (similar to the code used in the British Airways incident but improved), Magecart diverted information to a domain with a legitimate Comodo-issued certificate called neweggstats[.]com. In the analysis of these attacks, RiskIQ further states: “Magecart attacks are surging—RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly.”

Who’s to blame for these breaches? Clearly web service providers in the e-commerce arena need to improve their approaches to security. How many sites have been compromised? Perhaps there are some we may never know about, but for many more, my guess is we will learn about them in the near future as e-commerce providers take a closer look at their websites for some unauthorized Magecart additions. 
Sources:
 https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/ https://www.computerworlduk.com/security/magecart-who-what-is-behindbritish-airways-attack-3683768/ https://threatpost.com/magecart-strikes-againsiphoning-payment-info-from-newegg/137576/

This article was created by Peraton

Saturday, September 15, 2018

Draft Cybersecurity Practice Guide SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation, is Available for Comment


Draft Cybersecurity Practice Guide SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation, is Available for Comment

It is difficult to overstate the importance of the internet to modern business and society in general. The internet is not a single network, but rather a complex grid of independent interconnected networks that relies on a protocol known as Border Gateway Protocol (BGP) to route traffic to its intended destination.

Unfortunately, BGP was not designed with security in mind and a route hijack attack can deny access to internet services, misdeliver traffic to malicious endpoints, and cause routing instability. A technique known as BPG route origin validation (ROV) is designed to protect against route hijacking.

NIST’s National Cybersecurity Center of Excellence (NCCoE), together with several technology vendors, has developed proof-of-concept demonstrations of BGP ROV implementation designed to improve the security of the internet's routing infrastructure. 

Comments for this draft are due by October 15, 2018. To review Draft Special Publication (SP) 1800-14, and for information on submitting comments, please visit the links below.

CSRC Update: https://csrc.nist.gov/news/2018/nist-requests-comments-on-draft-sp-1800-14  
Publication details: https://csrc.nist.gov/publications/detail/sp/1800-14/draft  
Project Homepage: https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing 

Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool

Here are a group of articles on Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool, by Microsoft.

Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 1 Link is here
 
Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 2 Link is here
 
Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 3 Link is here
 
 

Deep dive on Windows Server 2019 updates

Here is a link to a video on Deep dive on Windows Server 2019 updates..

Link is here

McAfee Researchers Falsify Patient Vitals in Real Time.

During the 26th DEFCON conference this past week McAfee researchers showed how they have successfully been able to falsify patient vitals that are reported to the central monitoring stations. Two variations of the attack are possible due to weak communication protocols between client devices and the central monitoring station. In the first scenario, the attacker would need direct access to the patient and the equipment, where they would be able to disconnect the patient and plug in their own device that would then transmit false information.

However, McAfee researchers found that it was possible to also use a method called ARP spoofing to feed false information to the monitoring station by capturing data coming from a client device, manipulating it, and sending the data on to the central monitoring station because of a UDP based protocol called RWHAT. RWHAT is used by many medical devices, most of which are wired and wireless capable devices. While this is not a widely known protocol, it is easy to see and manipulate due to the simplicity of the UDP packets. Additionally, these devices often use no authentication or weak authentication. 
The doctors that helped the researchers vet the potential threat indicated that it is common practice to make diagnoses based on the data on the central monitoring stations. The method that was used by the McAfee researchers was to acquire a client monitoring station and a central monitoring system from eBay. While the units used are from 2004, they are still commonly used today. McAfee was careful not to mention the manufacturer of the units used as they are still in the process of working with the company to patch the vulnerabilities. Once they had the equipment and were able to crack the networking component, their next step was to acquire an ECG simulator from eBay for about $100. With the ECG simulator available, they determined that the traffic was unencrypted and contained counter and patient information.

Using the emulation as a springboard they successfully were able to modify the data being sent to the monitoring station. Then in real-time they were able to simulate a flatline signal to the central monitoring station as well as manipulate oxygen levels and blood pressure information. This creates the potential to falsify information to staff that might result in unneeded or unwanted procedures or prescriptions. This attack could potentially make staff believe that a patient is resting peacefully when they are not hooked up to their bedside equipment, or worse. While this threat vector might not be subjected to mass exploitation it could be leveraged in cases of high-value patients.
Sources
https://www.bleepingcomputer.com/news/security/hackers-can-falsify-patientvitals/ https://www.theregister.co.uk/2018/08/14/patient_monitor_hack/
https://venturebeat.com/2018/08/11/mcafee-researchers-falsify-a-patientsvital-signs-in-real-time/
visual

What Else is your Fax Machine Doing?

Researchers Eyal Itkin and Yaniv Balmas revealed a new type of vulnerability at Defcon 2018 – one which attacks your fax machine. They call this new exploit ‘Faxploit’ and demonstrated how a victim’s network could be infiltrated by sending a malicious fax to a certain model of networked fax machines over a normal phone line connection. By utilizing vulnerabilities, they discovered they could take over the machine and use it as a jump point into the internal network. After an impressive amount of reverse engineering utilizing existing exploits to load a debugger onto the target fax machine, the two researchers discovered additional vulnerabilities which could be used for a device takeover attack.
The vulnerability used in their demonstration relates to the embedded JPEG image parser on the device, normally used when receiving or sending colored faxes. By sending specially crafted JPEG headers to the machine they could trigger a stack based buffer overflow in the header parser and run arbitrary code on the device. Once they discovered the vulnerability in the fax handling mechanism of the device it was time to write an exploit to take advantage of it. They discovered that when the device received a JPEG it simply dumped the contents to a file with no validation. Due to this flaw they were able to store the exploit entirely inside of a specially crafted JPEG, achieving persistence due to it being written to the disk. When they wanted to perform tasks that needed additional input they could simply read from the file sitting on disk.
Their finished exploit implemented 3 main features. First it would take over the LCD display on the printer as a demonstration that they had full control of the device. Next it would check if the printer had an ethernet cable attached. If the cable is attached the third feature is activated – it attempts to attack and take control of other computers attached to the same network using previously leaked NSA tools Eternal Blue and Double Pulsar. While the demonstration exploit shown by the researchers changed the LCD on the printer, a real attacker’s exploit may instead opt to stay quiet to increase the time it goes undetected.
The fax machine attacked in their demonstration was an HP Officejet Pro 6830. HP was coordinated with after the vulnerabilities were discovered and patched firmware has been available on HP’s website since August 1st. While only one specific model was attacked in their demonstration it is possible that other models from other manufacturers may suffer from similar flaws due to the nature of parsing complex file formats from unknown origins.
The researchers coordinated with HP to rectify the vulnerability;  patched firmware has been available from HP since August 1st. This means special care should be taken similar to other riskier devices on the network, such as ensuring that the devices are firewalled off appropriately or on different network segments. While these precautions would prevent the device from being used as a door into the network, they wouldn’t protect against other types of local attacks. 

Sources: • https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-andexploits/faxploit-vulnerabilities-in-hp-officejet-printers-can-let-hackersinfiltrate-networks

Adware Doctor App Turns Out To Be Adware Itself


The Apple App Store is considered and recommended to be the best way to get programs for your Mac. After all, Apple states that “The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it’s accepted by the store...”. But what if one of the apps claiming to clean your computer of adware and malware turns out to be malicious itself? That seems to be the case with Adware Doctor.

Adware Doctor has risen to become one of the most popular paid apps in the Apple App Store. It is the top paid utility app, and the fourth paid app overall, giving it a spot on the app store main site. However, there has been some controversy in its history. When the app was first released, it was called Adware Medic. However, it was removed when Malwarebytes complained due to their app Adware Medic which was released first. A few days later the app reappeared as Adware Doctor. Many of the high rated reviews are suspected to be fake to boost the app’s popularity as well.

Adware Doctor has been revealed to secretly collect a user’s internet browsing history from multiple browsers, as well as active processes running on the computer, and then sending that information to a server located in China. A security researcher with the Twitter handle @privacyis1st discovered the behavior and teamed up with another researcher Patrick Wardle to delve deeper into the app. Adware Doctor requests access to the user’s files, which would be a legitimate need for a malware scanner. However, it abuses that access by finding browsing history from Chrome, Firefox, and Safari as well as search history within the app store and a list of running processes on the machine. That by itself violates Apple rules by breaking out of the sandbox to enumerate the processes.
The app then archives this information into a zip file, history.zip, and sends it off to a web server located in China, adscan.yelabapp.com.
The researchers revealed their findings to Apple over a month ago, but Apple seemed to not do anything about it.
The app remained on the store. However, when the researchers finally went public with their findings, the app was quickly removed. Along with Adware Doctor and another app by the same developer called AdBlock master, Apple removed 3 other related apps that were accused of exfiltrating browsing and search histories: Open Any Files, Dr. Antivirus, and Dr. Cleaner. Apple has yet to comment on why it took so long to remove the malicious apps that flagrantly violated the rules or how it got past the app store review in the first place.
Sources:
        https://thehackernews.com/2 018/09/mac­adware­removal­ tool.html#comment­box
        https://threatpost.com/apple­ finally­boots­sneaky­adware­ doctor­app­from­mac­app­ store/137319/ https://objective­ see.com/blog/blog_0x37.html