Friday, November 15, 2019

(In)Security Management Engine

   The out of band management system bundled on almost all Intel processors has become a hot target for attackers in recent years. This is because it runs alongside the main processor and has virtually unrestricted access to all the hardware in the machine. As long as the machine has power the management engine is sitting there silently waiting for commands from a system administrator with access to it. While this feature can be a huge help for administrators managing a large number of machines it also presents an extremely attractive attack point.

    Intel provides a number of different subsystems under the Converged Security and Management Engine (CSME). The management engine is the specific firmware for mainstream chips, they also provide Server Platform Services (SPS) for server hardware and the Trusted Execution Engine (TXE) for tablets and other low power devices. Security researchers have been skeptical of the CSME for years due to it being closed source, having full access to the hardware, and its inability to be disabled. Several vulnerabilities have been found in the system by various researchers in the past. It’s time to make sure your systems are up to date as Intel just released a bug advisory with 77 found vulnerabilities, including one listed as critical.
    The most critical vulnerability found (CVE-2019-0169) is a heap overflow bug that could allow an unauthenticated attacker to take over a target system or cause a denial of service. Other high security bugs were found as well including cross site scripting, insufficient access control, and privilege escalation. For most of the attacks the only requirement is that the target machine is on the same network as the attacker. While many of the vulnerabilities allow an already privileged user to escalate their privileges, some of them require no prior authorization. By chaining these types of vulnerabilities together it would be possible for someone to go from having no access to having full privileges on the machine.
    Most of the vulnerabilities were found by Intel itself as part of an internal audit designed to harden the CSME system. 10 of the vulnerabilities came from independent researchers who reported the bugs to Intel. As always, it is important to make sure your systems are up to date, especially if public facing or used on untrusted networks. The required patches are typically bundled in your operating systems update mechanism such as processor micro code updates. Depending on your specific hardware and software setup you may have to acquire and run the updates manually.

Sources

 • https://threatpost.ccom/intel-critical-info-disclosure-bug-securityengine/150124/

https://blogs.intel.com/technology/2019/11/ipas-november-2019-intelplatform-update-ipu/11

Vulnerability in Amazon’s Ring Video Doorbell

    Researchers at Bitdefender have found a vulnerability in Amazon’s Ring Video Doorbell which allows an attacker with proximity to the device to intercept the Wi-Fi credentials of the network it operates on, which could lead to further attacks to devices on the network. The Ring Doorbell is an IoT device that allows a person to remotely view and communicate to people on their property. The exploit revolves around the setup procedure and the lack of security in place during that setup. The researchers say that while setting up the device, the doorbell will broadcast an unprotected wireless signal which is meant to facilitate the communication between the app and the device. Besides this, the communication between the app and the doorbell is done insecurely through HTTP. This means that when the app prompts the user to enter their home Wi-Fi credentials, an eavesdropper can see the password in plaintext. This could then lead to exploitation of the network and attacks against the devices on it.

    While the doorbell is only vulnerable when performing the initial setup, the researchers say that there is a way to trick the user into going through the setup again. They discovered that sending de-authentication messages to the device will make the user think that the device is not properly working, leading them to reconfigure it. A de-authentication attack is a type of denial of service attack where an attacker continuously sends de-authentication frames to one or more devices, preventing them from connecting to the network. While sending the de-authentication messages, the doorbell will disconnect itself from the Wi-Fi network and make it unable to reconnect. The last resort to resolve the connection issue is to reconfigure the device by going through the setup process again, leading to an eavesdropper gathering the credentials.

    Ring has since patched this vulnerability with the release of its newest software update and urges its users to perform an update on their device. However, users that have not yet updated should be aware of this method to force a reconfiguration. If you suddenly find that the device is unable to connect to Wi-Fi you may be the victim of this attack. The exploitation of this vulnerability, while relatively easy, does require the attacker to be within some proximity to the network. This is not the first time that Ring has exposed users’ Wi-Fi passwords to attackers. In 2016, researchers found that by pushing a button on the device to activate access point mode, an attacker could use a mobile device to navigate to a URL that exposed the network settings. While IoT devices can provide great benefits to consumers, they must contain proper security controls.

Sources: 

https://thehackernews.com/2019/11/ring-doorbell-wifi-password.html 

https://www.bitdefender.com/files/News/CaseStudies/study/294/Bitdefender-WhitePaper-RDoor-CREA3949-en-EN-GenericUse.pdf 
11

Wednesday, November 13, 2019

Amazon Alexa and Google Home are listening

    Amazon Alexa and Google Home are listening. It’s likely you are aware of the security and privacy concerns as well as their mitigations. It’s the price we pay for the technology we want. Unfortunately, there is another attack vector recently exposed by researchers at Germany's Security Research Labs (SRL). The most interesting part of this research is that it is an absolute “confirmed proofof-concept”. The researchers developed four Alexa “skills” and 4 more Google Home “actions”, submitted the malicious apps where they all passed Amazon and Google security vetting processes, and made it into the respective markets. SRL developed two types of malicious applications: a set for eavesdropping, and a set for phishing. The eavesdropping apps responded to the wake phrase and provided the requested information while the phishing apps responded with an error message. Both methods created the illusion of stopped functions while proceeding silently with their attack. The eavesdropping attacks used methods involving pauses, delays, and exploiting flaws in text-to-speech engines speaking unspeakable phrases that produced no auditable output. This gave the impression that the application finished when it was still listening, recording, and sending it back to the application developer. In the case of the phishing apps, the error message created the impression that the application had finished unsuccessfully. Similar tricks to keep the application running were used followed by the application mimicking the device voice claiming there is an update available and requesting that the user say their account password. Neither Amazon Alexa nor Google Home do this, but naive users might respond. These seem like they may not be too effective- a user may not say anything of utility or anything at all to the eavesdropper and they should know to ignore the requests of a phishing attempt.

    But these attacks highlight key issues:

• What vetting process is Amazon or Google using?

• What other exploitable flaws exist in their vetting methods?

• Why would Amazon or Google allow a functionality change after review?

    Google Play has an unfortunate history of hosting a variety of malicious apps and eavesdropping concerns have been previously reported by Checkmarx and MWR Labs for Alexa skills. SRL did report the results of its research to Amazon and Google through their responsible disclosure process. Both companies removed the apps and said they are changing their approval processes to prevent skills and actions from having similar capabilities in the future. But SRL’s success raises serious concerns and it’s worth noting these key issues are not only applicable to listening smart home devices but can be considered for all applications available on any platform. I’m not ready to give them up just yet, but Dan Goodin of ARS Technica sums it up this way: “SRL’s research only adds to my belief that these devices shouldn't be trusted by most people.”

Sources: 

https://arstechnica.com/information-technology/2019/10/alexa-andgoogle-home-abused-to-eavesdrop-and-phish-passwords/

https://srlabs.de/bites/smart-spies/

Adobe Data Leak

    Multinational software company Adobe has suffered a data leak that exposed the account information of an estimated 7.5 million customers, according to security researcher Bob Diachenko. Those affected were subscribers to Adobe’s Creative Cloud service which provides users with access to its line of software applications which includes Photoshop, Illustrator, and After Effects, among others. This leak is the result of an unsecured and poorly implemented Elasticsearch database.

    The researchers discovered the database on October 19th and notified Adobe the same day. Exposed information includes email addresses, owned products, account creation date, subscription status, account ID, country, last login date, and if the user is an Adobe employee. The database did not include any financial information or passwords. It is also unknown whether this database had been stumbled upon before researchers found and disclosed it to Adobe. Adobe released a blog post stating that” last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.” Adobe also confirmed that the data did not include any passwords or financial information.

    This is not the first time Adobe has been careless about how user information is stored. In 2013, Adobe suffered a major data breach that affected at least 38 million users but could have affected up to 150 million. This 2013 breach also resulted in the loss of password data as well as stolen source code for several Adobe products. Analysis of this breach found that Adobe was improperly storing passwords, allowing for many of the most common passwords to be guessed. At the time, the 2013 breach was considered one of the worst data breaches to have occurred. 

    While the leaked data may seem unalarming, it may still be a cause for concern. Using the leaked data, a malicious actor could create a very targeted phishing campaign. Typically, phishing emails are sent to a wide range of individuals, and because of this tend to not include information relevant to the recipient. However, using this data an individual could use details such as first and last name, account number, subscription status, and last login date to create a very convincing phishing email. While, as previously stated, it is unknown as to whether this information was found by anyone else, users should still be aware of possible phishing emails containing Adobe account information. 

Sources

https://thehackernews.com/2019/10/adobe-database-leaked.html 

https://securityaffairs.co/wordpress/92986/breaking-news/adobe-creative-cloud-data-leak.html11

Friday, November 1, 2019

Computer Baselines


    Security, for many, seems hard to do right.   I know that we all think about firewalls, patch management, antivirus and physical security.   But I like to cover an area that does not get focused on by most companies.

     Baseline and inventory of computers on a network are often overlooked.  I ask all the time, “Do you know what the computers are in your network?  What are the services that are running?  What ports are open?  Who uses the services?  Who are the users?”

    For the most part, I hear “Uh, no. We don’t know.”   If you do not know what’s running on your systems, how will you know what changed if someone breaks into your network?  How will you know?  I believe that you need to create a master file (portfolio) that lists what the computers/servers are doing; what tasks/services are being run; what ports are open; who is the owner of that application; who are the users; what are the data backup requirements, 1 a day, once and hour ?; and finally, who maintains master file (portfolio)?


    If you have this as minimum documentation you can then do a risk assessment and identify all the systems and prioritize what needs to be monitored and controlled.

Monday, October 28, 2019

Apps Apple App Store that are infected with clicker trojan malware.

    Wandera’s threat research team has discovered 17* apps on the Apple App Store that are infected with clicker trojan malware. The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue.
The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.

    The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
Because these apps are infected with the clicker trojan module, they fall within the trojan category of Wandera’s malware classification.

About the infected apps

    The group of 17 infected apps covers a random set of application categories, including productivity, platform utilities, and travel. The full list of infected apps appears below:
All 17 infected apps are published on the App Stores in various countries by the same developer, India-based AppAspect Technologies Pvt. Ltd.

Adware Campaign Affects Millions

    Smartphones have become the icon of our modern technological society. They are so prevalent that app development has grown exponentially in recent years in the struggle to become the next Facebook or Pinterest. The phrase “There’s an app for that” truly describes the breadth of apps available. However, this can also lead to many malicious apps available that could be harmful to users, such as the Ashas family of adware apps available on the Google Play store.

    ESET researchers discovered a family of 42 apps, dubbed the Ashas family, that were originally designed as legitimate apps but later updated to provide fullscreen advertisements to users and exfiltration of some basic device data. The original functionality, such as photo viewers, video downloaders, music apps, and games still exists but with the malicious activity included as well. The adware campaign had been active since July 2018 with over 8 million downloads and half of the apps still available on the Play store at the time of discovery. Since the researchers reported their findings, the remaining apps have been removed.

    The apps use a command and control (C&C) server to send device information such as type, version of the operating system, language, installed apps, free storage space, and other fingerprinting data. The app is then configured from the C&C server and also includes ways of avoiding detection. First, the app can detect if it is being run on a Google server and therefore will not run the adware payload. Next, a custom delay can be set so that ads are displayed well after starting the app (a half-hour later, for instance) so that the user doesn’t associate the ad behavior with that particular app. Ashas apps can also display a different icon when users try to determine which app is showing the ad, usually hiding as Google or Facebook. Finally, the app installs a shortcut in the app menu instead of the icon itself so that when a user tries to delete it, they are removing only the shortcut and the app continues to run in the background. 

    ESET researchers managed to track down the author of the Ashas apps, a university student in Vietnam. They backtracked from the IP address of the C&C server to the owner information, then to university information and eventually the author’s YouTube channel and personal Facebook page. All of the information was publicly-available open-source data, showing that the author didn’t try to cover his tracks. This leads the researchers to believe that the developer started honestly when creating the apps and then later decided to turn to malicious behavior.

Sources:

 • https://thehackernews.com/2019/10/42-adware-apps-with-8-milliondownloads.html 

 • https://www.welivesecurity.com/2019/10/24/tracking-down-developerandroid-adware/ 

https://www.zdnet.com/article/vietnamese-student-behind-androidadware-strain-that-infected-millions/10

Tuesday, October 22, 2019

Unpatched Linux bug may open devices to serious attacks over Wi-Fi

NIST   National Vulnerability Database  - CVE-2019-17666 Detail            
rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
 
Buffer overflow can be triggered in Realtek Wi-Fi chips, no user interaction needed.
 
A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.
The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013.
"The bug is serious," Nico Waisman, who is a principal security engineer at Github, told Ars. "It's a vulnerability that triggers an overflow remotely through Wi-Fi on the Linux kernel, as long as you're using the Realtek (RTLWIFI) driver."
The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.
Waisman said he has not yet devised a proof-of-concept attack that exploits the vulnerability in a way that can execute malicious code on a vulnerable machine.
"I'm still working on exploitation, and it will definitely... take some time (of course, it might not be possible)," he wrote in a direct message. "On paper, [this] is an overflow that should be exploitable. Worst-case scenario, [this] is a denial of service; best scenario, you get a shell."
After the vulnerability became public, the researcher discussed the flaw on Twitter.

Notice of Absence

The driver flaw can be triggered when an affected device is within radio range of a malicious device. As long as the Wi-Fi is turned on, it requires no interaction on the part of the end user. The malicious device exploits the vulnerability by using a power-saving feature known as a Notice of Absence that's built into Wi-Fi Direct, a standard that allows two devices to connect over Wi-Fi without the need of an access point. The attack would work by adding vendor-specific information elements to Wi-Fi beacons that, when received by a vulnerable device, trigger the buffer overflow in the Linux kernel.
The vulnerability only affects Linux devices that use a Realtek chip when Wi-Fi is turned on. The flaw can't be triggered if Wi-Fi is turned off or if the device uses a Wi-Fi chip from a different manufacturer. Based on links here and here, it appears that Android devices with Realtek Wi-Fi chips may also be affected.
Representatives of both Realtek and Google didn't immediately comment on this story.
While it's still not clear how severely this vulnerability can be exploited, the prospect of code-execution attacks that can be staged wirelessly by devices within radio range is serious. This post will be updated if new information becomes available.

you can read the full post here

Monday, October 21, 2019

New malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic.

   The vast majority of websites these days have Hypertext Transfer Protocol Secure (HTTPS) enabled, adding a layer of security that protects our communications against eavesdropping and tampering. It is encrypted using Transport Layer Security (TLS), the current standard for secure web communication. Like all protocols, it is not immune to attack. Some of the more infamous malware that impacts TLS (or its predecessor Secure Sockets Layer [SSL]) are FREAK, Logjam, POODLE, and Heartbleed.

   More recently, researchers from Kaspersky's Global Research and Analysis Team (GReAT) discovered a malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic. Dubbed Reductor, it appears to be related to the COMPfun trojan discovered in 2014, which provides one of its infection vectors. Servers that that are infected with COMPfun can be used to download and install Reductor. Reductor is also delivered through software downloads from untrustworthy sites. 

   Once installed, the malware patches Firefox® and Chrome web browsers to snoop on the victim's encrypted traffic. It modifies the target's TLS certificate and gives the attacker remote access to manipulate and execute files. What really sets Reductor apart is the way that it patches the code for pseudorandom number generator functions (PRNG). This function adds random numbers to the packet at the beginning of the TLS handshake. Reductor is able to use the PRNG code to inject victim-specific identifiers, allowing the attacker to track the victim's traffic wherever it goes. 

   GReAT believes Reductor comes from a hacker group operating under the protection of the Russian government and may be linked to the Advanced Persistent Thread (APT) group Turla, however there is no concrete evidence to support a Turla connection. There are similarities both with the COMPfun code and in the affected victims, where "cyber-espionage on diplomatic entities" appears to be a primary objective. 

Sources
 • https://www.bleepingcomputer.com/news/security/hackers-patch-webbrowsers-to-track-encrypted-traffic/

https://threatpost.com/new-reductor-malware-hijacks-httpstraffic/148904/

https://securelist.com/compfun-successor-reductor/93633/

New Phishing Emails Attack

  Phishing emails typically provide some obvious tells to their malicious nature. However, when a    phishing email contains information such as organizationspecific email bodies and email signatures, organization branding, and relevant news, it can be harder to distinguish the difference between legitimate and malicious. These factors are what make the phishing campaign of TA407 or the “Silent Librarian” threat actor group different. This group, as described by researchers at Proofpoint and Secureworks, are a group of Iranian hackers targeting the intellectual property of universities in the United States and Europe.

    This is done through a phishing campaign targeted at university students which redirect users to a malicious landing page tailored to look like the universities’ login page. The hackers are then able to access library content with the stolen account credentials. 
What makes this campaign unique is the length at which the threat actors went to appear convincing. Each targeted university has a personalized landing page. In addition to that, the email contains proper grammar, providing links to library resources and a helpdesk email address if the student should need any help with account login. The landing page contains spoofed display names, stolen branding matching the actual login page and even in one case, an accurate weather forecast informing students that the campus is closed due to a snowstorm.

   In 2018, the US Department of Justice charged nine members of the group for their actions, alleging that between 2013 and 2017, TA407’s activities accounted for $3.4 billion worth of stolen intellectual property, 31.5 terabytes of academic data, almost 8000 compromised university accounts and 3700 compromised accounts belonging to professors at US-based universities. They also allege that 144 US-based and 176 foreign universities were victims of the scheme. The Department of Justice states that this group operates on behalf of the Iranian government and that the stolen data is being used by the Iranian government and Iranian universities. Although this specific phishing campaign is targeted toward students, there are many steps that you can take to avoid falling victim to phishing emails. Noticing such things as a strange sender email address, the lack of identifying information (e.g. valid account number, name, address), links to strange domains, and improper grammar may all be a tell that the email is malicious. If you are still unable to determine if it is a phishing email, it may be best to visit the site in question directly and not through any links provided in the email. 

Sources

https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/

 • https://www.proofpoint.com/us/threat-insight/post/threat-actor-profileta407-silent-librarian 

New Infected Docker Daemons in the Docker Engine

    Researchers at Palo Alto's Unit 42 have discovered a worm that mines Monero, a privacy focused cryptocurrency, and spreads itself via infected Docker Daemons in the Docker Engine. Shodan scans of Docker engines show over 2000 unsecured Docker hosts. The researchers have named the cyptojacking malware Graboid. 

    Graboid has a downloader planted on an infected Docker image with a Docker Client tool used to connect to other Docker hosts. The attacker accesses an unsecured Docker host and infects it with the malicious image. Anti-virus solutions would normally look for viral content or virus like activity but not check the contents of data within container as the container is maintained separately from the main machine. This form of obfuscation has been observed in other containerization solutions before, but Graboid is exceptional in its erratic and relatively ineffective methodology.

    After retrieving and establishing the malicious image, the attacker then downloads the 4 shell scripts of DOOM. These Shell scrips are named live.sh, worm.sh, xmr.sh, and cleanxmr.sh. The first script, live.sh, surveys the victim assessing the resources to be plundered. it reports the number of available CPUs on the compromised host for the Command & control (C2) server to coordinate. The next script brings the ever hunting nose of the beast. The worm.sh script downloads the list of over 2000 vulnerable host's IPs and replicates itself onto one of those IPs randomly. Then the last two scripts bring the chaos. The xmr.sh script deploys gakaws/nginx, a Monero cryptominer disguised to look like a NGIX load balancer/ web server, and does so on a randomly selected infected server. The last script, cleanxmr.sh, stops any xmrig based containers on another randomly selected infected server. It seems like Graboid runs Cleanxmr.sh before it runs xmr.sh as to avoid deactivating any Docker engines that just had their Monero mining capabilities turned on. This leads to a delay in the mining capabilities being turned on until the host is selected randomly by another infected host. Eventually the host will be selected to be disabled until a later time to be re enabled. This flash of infection and erratic appearances as well as the worm functionality has led to the researcher's choice in naming the malware after the monsters in the 1990's film Tremors.

    Graboid currently uses 15 C2 servers where 14 are included in the list of vulnerable IPs and the last has over 50 known vulnerabilities. The researchers have observed that it is likely these are controlled by the attacker illicitly. they have also calculated that it would have taken about 60 minutes to infect 70% of the vulnerable hosts with returns diminishing sharply after that. At that point there would be about 900 active miners at any particular time rotating through the available infected hosts with all of the infected hosts acting as nodes to facilitate communication with the Monero blockhain network. With a 100 second period of activity, a node is expected to be active for 250 seconds before being deactivated.

Sources:
 • https://unit42.paloaltonetworks.com/graboid-first-ever-cryptojacking-worm-found-in-images-on-docker-hub/

https://threatpost.com/dockercontainers-graboid-cryptoworm/149235/

https://securityaffairs.co/wordpress/92586/malware/graboidtargets-docker-hub.html

NSA and NCSC Release Joint Advisory on Turla Group Activity


National Cyber Awareness System:

 


10/21/2019 11:56 AM EDT

 

Original release date: October 21, 2019

The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information:
•    NSA Advisory
Turla Group Exploits Iranian APT To Expand Coverage Of Victims
•    UK NCSC Advisory Turla group exploits Iranian APT to expand coverage of victims
•    January 2018 UK NCSC Report Turla Group Malware

Wednesday, October 16, 2019

Is Your VPN at Risk ?

    A commonly used method to secure network resources is a Virtual Private Network (VPN). They allow remote network devices to securely communicate with local resources as if they were physically plugged into the same network segment. You may even use one when working remotely to help keep your network traffic secure. While they can easily provide a lot of protection from various network attacks there are many pitfalls to avoid in order to keep the network resources secure.

    One common mistake when setting up a VPN is not properly securing the devices that the VPN provides access to. Because the servers or devices will not have direct inbound internet access many times a relaxed security policy is taken. This is because it is assumed that in order to access them an attacker would first have to either be on the network directly or be connected tuourhrough the VPN. Another common mistake is not regularly updating the VPN software. There are many reasons this can occur, including avoiding downtime or not wanting to break something that appears to be working fine as is.

    This week the National Security Agency (NSA) issued an advisory stating that APT groups have been actively using flaws in some popular VPN software to attack networks. They say the groups have weaponized three vulnerabilities against two pieces of VPN software, Pulse Secure VPN and Fortinet VPN. Two of the vulnerabilities, CVE-2019-11539 and CVE-201911510 specifically target Pulse Secure VPN servers. They allow remote unauthenticated command injection and arbitrary file reads on the VPN server device. The remaining vulnerability, CVE-201813379, targets Fortinet VPN servers and allows for remote unauthenticated arbitrary file reads from the server device. The National Cyber Security Center in the UK posted a separate advisory which added CVE-2018-13383 and CVE-2018-13383 to the list of vulnerabilities being used against Fortinet devices. Palo Alto Networks VPN software was also added to the vulnerable devices list with attackers utilizing CVE-2019-1579 for remote code execution on the affected VPN servers.

    In total the two agencies reported six vulnerabilities against three separate VPN software vendors. For each of the affected VPN products the vulnerabilities being used could allow an attacker access to the network resources as if the attacker were physically on the network. All of the affected products have updates available to fix these flaws so it is important that they are updated immediately if an affected version is still in use. The NSA also recommends rotating any existing VPN keys or tokens just in case they were stolen before the patches were able to be applied. 
Sources:

https://threatpost.com/apt-groupsexploiting-flaws-in-unpatched-vpnsofficials-warn/148956/

https://www.cyberscoop.com/vpnvulnerabilities-china-apt-palo-alto/

Saturday, October 5, 2019

Ransomware attacks across the world - TheCybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the world: See CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
Ransomware can be devastating to an individual or an organization. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.
CISA recommends the following precautions to protect users against the threat of ransomware:
  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Backup data on a regular basis. Keep it on a separate device and store it offline.
  • Follow safe practices when browsing the Internet. Read Good Security Habits for additional details.
In addition, CISA also recommends that organizations employ the following best practices:
  • Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application whitelisting to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
See the Ransomware Security Publication, technical guidance on How to Protect Your Networks from Ransomware, and CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak for more information.
For recent CISA Alerts on specific ransomware threats, see:
Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

NCSC Releases Fact Sheet on DNS Monitoring

Original release date: October 4, 2019

The Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. NCSC warns that although modernization of transport protocols is helpful, it also makes it more difficult to monitor or modify DNS requests. These changes could render an organization’s security controls ineffective.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators review the Dutch NCSC fact sheet on DNS monitoring for additional information and recommendations.

Microsoft Reports Cyberattacks on Targeted Email Accounts


Original release date: October 4, 2019

The Microsoft Threat Intelligence Center (MSTIC) has released a blog post describing an increase in malicious cyber activity from the Iranian group known as Phosphorus. These threat actors are exploiting password reset or account recovery features to take control of targeted email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Microsoft blog for additional information and recommendations and CISA’s Tip on Supplementing Passwords.

New Portable Document Format (PDF) attack on encryption features

    The Portable Document Format (PDF) standard has been able to provide many benefits that unify communications across many different software and hardware platforms. One of those elements is the encryption schemes that allow users to password protect their documents from view, edit, or saving permissions without the required password. Another encryption feature included with the PDF standard is the ability to sign documents with an electronic signature with the same legal standing as a handwritten signature, this may include digital signing which uses cryptographic measures to assure authenticity.

    Researchers from Ruhr University Bochum, FH Münster University of Applied Sciences, and Hackmanit GmbH have developed a two pronged attack on the security measures of PDFs and their encryption schemes. They have named their attack PDFex. In their research they developed methods for the exfiltration of the contents of the encrypted PDF with minimal prior knowledge of the contents of the PDF file. The methods studied can also modify the contents to change the plain text as well as add malicious functionality. The first prong of PDFex attack methods rely on how an encrypted PDF only encrypts portions of the PDF file leaving other portions unencrypted and unprotected. The attacker is then able to modify the contents of the unencrypted portions of the file. In this way they can plant data which submits a form including the contents of the PDF to an attacker controlled server granting the attacker access to the contents of the PDF. The attacker can edit an unencrypted field with a URL which will be sent encrypted and unencrypted strings from the document. The last method in this attack on the unencrypted portion of PDF files injects JavaScript code into the document which then ex filtrates the data within the file. This is the "Direct Exfiltration" method of the PDFex attack.

    The other prong of this attack uses CBC malleability gadgets, tools that are able to edit cipher texts encrypted with the cipher block chaining (CBC) encryption mode without integrity checks. It just so happens that the PDF standard does exactly that. This method can modify plain text as well as add in new encrypted content to the file. This technique can enact the PDF forms and hyperlink techniques as listed in the Direct Exfiltration method. The CBC Gadgets method can also edit PDF object streams such that they submit themselves to an attacker controlled server. Both attacks require the victim to open the tainted document so that the traps can deliver the finally decrypted information to the attacker. The researchers have tested their techniques on 27 PDF viewers and all were susceptible to at least one method of the PDFex attack.
    The attack requires that the attacker have access to the file to modify it, some of the attacks have other requirements such as the ability to trigger URL s from the viewer, or for the viewer to have permission to use JavaScript in the background. One of the researchers reported to Threatpost that "There are currently no effective countermeasures, as the weaknesses lie in the PDF encryption standard itself" and that the best mitigation is to use additional layers of encryption outside of the PDF standard to protect their data.

Sources:

https://www.pdf-insecurity.org/download/paper-pdf_encryptionccs2019.pdf

https://threatpost.com/hack-breakspdf-encryption/148834/

New Malware Uses messaging app Telegram

    Remote malware has been around for almost the entire history of computers. Attackers are always looking for ways to exfiltrate data from systems and be able to control their malware from a remote location. The Command & Control (C2) devices are usually servers controlled by the attacker, but a new malware dubbed by Juniper researchers as Masad has taken a different approach: using the messaging app Telegram for its C2 functions.

    Telegram is a popular messaging and Voice-over-IP (VoIP) app with over 200 million active monthly users. This makes it a pretty good place to try and hide malicious activity. Masad uses the sendDocument API of Telegram to exfiltrate data stolen from victims as a 7zip archive. Juniper has detected over 1,000 variants of Masad in the wild, as well as 338 unique Telegram C2 bots related to its use. Due to the malware being sold as a product rather than kept to a particular group, multiple groups can be using Masad for different campaigns. The developers of Masad have even created a group within Telegram with over 300 members, designed for potential clients and tech support.
Masad’s attack vectors include disguising itself as a legitimate tool or hiding itself in other third-party tools. For instance, it has been seen mimicking CCleaner, Utilman, Whoami, ProxySwitcher, a Samsung Galaxy software update, and many others. The developers have also included current trends in gaming, especially for younger internet users that may not be security conscious, by hiding Masad as Fortniteaimbot 2019.exe and an EXEA HACK CRACKED executable claiming to be for PUBG, CounterStrike Global Offensive, Fortnite, Grand Theft Auto 5, and DOTA.

    The malware also has the capability to download additional malicious tools, usually more cryptominers. Masad has a wide array of abilities for information stealing in addition to its cryptomining. It can steal system information including running processes, desktop files and screenshots, browser information such as cookies, passwords, credit cards, and AutoFill data, as well as Steam, FileZilla, and Discord files. Masad is also being advertised as a Clipper which looks for cryptocurrency wallet information in the system’s clipboard and replaces it with the attacker’s wallet information. It searches for over two dozen different flavors of cryptocurrency, including Bitcoin, Litecoin, Monero, Ethereum, and DogeCoin.

    Juniper researchers recommend locking down the Telegram communication protocol at the firewall level provided there is no legitimate business use that this would interrupt. They also suggest using a next-generation firewall with Advanced Persistent Threat (APT) protection to help counteract the malware if it gets inside the organization.

Sources

https://threatpost.com/masad-spyware-telegram-bots/148759/ 

https://coingeek.com/new-malware-uses-telegram-app-to-replace-cryptoaddresses/

https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltratingusing-Telegram/ba-p/468559 

Baseband Management Controllers (BMC) critical vulnerability

    Baseband Management Controllers (BMC) are a popular feature found on most motherboards targeting the server market. They provide a number of convenience functions for remote management which is great for machines typically located in a cold noisy room. Some of the functions they provide include remote power cycling, keyboard video mouse (KVM), and virtual media emulation. The combination of these functions can allow an administrator to provision a server without ever having to touch it. With that much power over the system they are bound to be a highly valuable target for attack.

    This week the security company Eclypsium released a critical vulnerability they found in Supermicro’s BMC implementation. The vulnerability reported is in the virtual media service subsystem. This service allows a remote administrator to attach USB devices, such as DVD drives or keyboards, to the machine remotely as if they were physically plugged into the machine. The feature requires authentication to function properly of course but the researchers found a way to bypass this requirement. 

    The first weakness is that the BMC would accept authentication requests via plaintext by default. They noted that encryption support is available but based on an old weak Rivest Cipher 4 algorithm. In addition, the key used when using encryption is shared across all Supermicro devices, making man-in-the-middle decryption possible. They also uncovered a complete authentication bypass in the system. This is possible because the BMC does not timeout a valid authorized session in a timely manner. An attacker would be able to re-use the session and gain access if an administrator had recently successfully logged into the system and used the virtual media service. BMC systems are rarely reset due to their nature of being an always online out of band management system, increasing the likelihood of this attack being successful.

    Supermicro has issued an update to their BMC software, but it is unlikely that machines will be patched immediately. This is due to the machines needing to be completely powered off in order to apply the update. Until then it is recommended to block the port used by the virtual media service, port 623, until the patch can be applied. Researchers warn that this will likely not be the last BMC vulnerability discovered, so additional measures should be taken when possible. The best defense against these attacks is keeping vulnerable machines on a separate network from other traffic. Ideally management interfaces should be on their own network that is not exposed to public facing traffic.

Sources

 • https://csoonline.com/article/3435900/insecure-virtual-usb-feature-insupermicro-bmcs-exposes-servers-to-attack.html

https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack

Fake Veteran Hiring Website

    Researchers at Cisco Talos have discovered a fake veteran hiring website, hosted by an Iranian hacking group, luring users into downloading malware by spoofing a legitimate veteran job search site. The sham website, hiremilitaryheroes.com has been designed to resemble the valid US Chamber of Congress sponsored hireheroesusa.org and is targeting veteran job seekers with malicious code including Remote Administration Trojans and spying tools.

    Researchers have attributed the website to a nation state hacking group known as “Tortoiseshell”, which has since been determined to be aligned with the Iranian hacking team “Imperial Kitten”. Adam Meyers, VP of intelligence at CrowdStrike noted in their research that “Imperial Kitten” is a nation-state hacking group supporting Iran’s Islamic Revolutionary Guard. The modus operandi for the group has been to first target major IT provider networks in Saudi Arabia and then to leapfrog from those provider networks to customer target networks. The Iranian group has been hosting a website with an image from the film “Flags of our Fathers” seen here. The malicious site prompts users to download their “desktop app” for free. The app is a fake installer that downloads malware to the device. The downloads are binary base 64 encoded and perform reconnaissance and provide remote administrative access to the victim’s machine.

    The recon tool collects a vast amount of information from the system including, date and time, installed drivers, patch levels, network configuration, number of processors, hardware and firmware versions, a listing of accounts, and much more. This information is then sent to two hardcoded email addresses in the malware, “ericaclayton2020@gmail.com” and “marinaparks108@gmail.com”. The threat actors also deploy a Remote Access Tool (RAT) which reaches back to the Command and Control (C2) server for further directions from the hacking group. The RAT has functionality allowing it to download additional modules from the internet, zip and unzip files, and to execute commands on the system.
    The malicious website has the potential to impact a large swath of victims due to the nature of this particular attack vector. Americans are supportive of veterans, and one could imagine how many could be infected if this fake site is shared online among social media sites. 

Sources:

https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html

Google Play Store and Malicious Applications

    There has always been a battle between the Google Play Store and the malicious applications that attempt to reside on it. Google implements rigorous security testing of all apps, but some can still slip through the cracks. Such was the case when researchers from Symantec’s Threat Intelligence team found 25 instances of malicious apps, with a combined userbase of over 2.1 million, on the Google Play Store. These apps were designed to be camouflaged as photo utility and fashion apps, and upon download, did not exhibit any malicious properties. It wasn’t until the app downloads a remote configuration file that it becomes malicious. This behavior is what allows the app to bypass the security checks implemented by Google. Since the malicious code is not actually in the app and is downloaded remotely, Google is none the wiser. Researchers say that the 25 apps share a similar code structure, leading them to believe that the developers are part of the same organization or, at least, using the same code base. 

    Once installed, the app hides its icon and begins to display full-screen advertisements at random intervals with the app title hidden. This is done to prevent users from determining which app is responsible for the ads. This behavior continues even when the app is closed. This can be confusing for users who cannot even recall downloading the app as there is no icon or name associated with the behavior. Another interesting trick the developers use is the use of two versions of the same app. One version is a malicious version with full-screen advertisements while the other is a non-malicious version, which just so happens to be present in the Google Play’s Top App Charts. The researchers believe that this is done in the hope that users accidentally download the malicious copy of the app instead of the popular, non-malicious version. 

    The researchers believe that the primary reason for the creation of these apps is the monetary gain from the advertising revenue. There will be some subset of users that will continue to deal with the advertisements, despite their annoyance. When downloading apps from the Google Play Store, it can be difficult to determine which are malicious at first glance. In order to protect yourself from malicious applications, the researchers suggest keeping software updated, not downloading apps from unfamiliar sites, only installing apps from trusted sources, and noticing the permissions requested by apps that you download

Sources: 

https://www.bleepingcomputer.com/news/security/malicious-androidapps-evade-google-play-protect-via-remote-commands/ 

https://www.symantec.com/blogs/threat-intelligence/hidden-adwaregoogle-play09

Tuesday, September 24, 2019

NY Metro Joint Cyber Security Conference & Workshop

The 2019 NY Metro Joint Cyber Security Conference will take place on Thursday October 10th. NYMJCSC is now in its sixth year; featuring keynotes, panels and sessions aimed at various aspects of information security and technology.

NYMJCSC is also offering a post-conference workshop on Friday, October 11th featuring in-depth full-day hands-on classroom-style educational courses to expand your knowledge and foster security discussions.

We are pleased to announce Ron Ross, Fellow at the National Institute of Standards and Technology (NIST), as our 2019 conference keynote.

NYMJCSC: Who We Are
The New York Metro Joint Cyber Security Conference is a collaborative event cooperatively developed, organized and sponsored by the leading information security industry organizations and chapters.

Organizational Partners:
  • InfraGard Members Alliance - New York Metro Chapter
  • Information Systems Audit and Control Association (ISACA) - New Jersey Chapter
  • Information Systems Audit and Control Association (ISACA) - Greater Hartford CT Chapter
  • High Technology Crime Investigation Association (HTCIA) - New York City Metro Chapter
  • Internet Society (ISOC) - New York Chapter
  • Information Systems Security Association (ISSA) - New York Chapter
  • Association of Certified Fraud Examiners (ACFE) - New Jersey Chapter
Community Partners:
  • (ISC)2 - New Jersey Chapter
  • Cloud Security Alliance (CSA) - New York Metro Chapter
  • Association of Continuity Professionals (ACP) - New York City Metro Chapter
Driven by the collaboration between members of this coalition, the strength of organizational membership, the provision of desirable CPE credits and the concurrence of National Cyber Security Awareness Month, the NYMJCSC promises -- once again -- to be well-attended by members of the information technology, information security, audit, academic, and business communities.

To learn more please go to  http://nymjcsc.org/

Tuesday, September 17, 2019

#Beware #RedAlert: New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS

Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards that is widely being used by mobile operators in at least 30 countries and can be exploited regardless of which handsets victims are using.

What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries.

S@T Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.


you can read the full  article

https://alienskills.com/contents/BewareRedAlertNewSIM_1279477829062.html

LULU ransomware encrypts files on Linux systems

    Linux™ operating systems are sometimes overlooked as targets for malware due to the smaller pool of victims compared to more popular operating systems. With the reduced number of targets, the attacker is incentivized to direct their efforts towards a richer hunting ground. But despite that, the lilu (or lilocked) ransomware targets solely Linux based web servers. It has infected over 6000 servers so far and looks to continue for the foreseeable future.


    While the ransomware primarily targets Linux web servers, there is no evidence precluding the ransomware’s ability to infect other Linux systems. The web server’s infected status is visible to web crawlers whereas non-web server systems would not be as publicly visible. The lilu ransomware encrypts files on the victim’s system and leaves a “#README.lilocked” file in each folder in which encrypted files are located. The “#README.lilocked” file is a ransom note that directs the victim to a Tor page with a key to use on said Tor page. The key provides access to a second ransom note that directs the victim to purchase Bitcoin or Electrum to pay a ransom to decrypt the files.

    The ransom has been so far inconsistent and has reportedly requested from .01BTC to .03BTC. So far the ransomware has only encrypted non-essential files and has left the servers running. It targets a few kinds of file extensions such as HTML, SHTML, JS, CSS, PHP, INI, and other image file formats. 

   There has not been any success in the decryption efforts. But one victim, going by Jay Gairson on Twitter, claims that the ransomware uses an Exim exploit and that the ransomware persists despite the system being taken offline and replaced. Exim is an open-source mail transfer agent for Unix-like operating systems. The exploit that is suspected is tracked in CVE-2019-15846 and has since been patched and leads researchers to believe lilu only affects older versions of Exim. There has yet to be any evidence of paying the ransom being a successful method to decrypt one’s files as well, though the attacker is not incentivized to create a reputation of services not rendered.

Sources:

 • https://www.bleepingcomputer.com/news/security/lilocked-ransomwareactively-targeting-servers-and-web-sites/ 

https://www.zdnet.com/article/thousands-of-servers-infected-with-newlilocked-lilu-ransomware/ 

https://fossbytes.com/lilocked-ransomware-infected-linux-servers/09

Does Anyone Else Know Where Your Children Are

    Keeping track of your child’s whereabouts has never been easier. A quick search on Amazon shows thousands of entries for low-cost GPS trackers designed to be worn by children and linked to an app on the parent’s smartphone. However, the appeal of the low cost comes at a much larger price. Researchers from Avast found a handful of vulnerabilities in 29 models of GPS trackers made by Chinese company Shenzhen i365. The researchers found that an attacker with an internet connection can use the GPS to track the location of the wearer, spoof the location data of the device, and even access the microphone of the device to eavesdrop on the wearer. This is because the communication between the device, the cloud, and the companion mobile app use the unencrypted HTTP protocol. This allows for the exploitation of a man in the middle (MitM) attack where an attacker can listen in on the communication and alter the data being sent or received.

    In addition to this, the user account, which is associated with an ID number, comes shipped with a default password of 123456. The researchers found that the ID number is not assigned randomly, it is associated with the device’s IMEI number. An IMEI number is a 15-digit identifier given to mobile and satellite phones. With this knowledge, the researchers could log into the accounts of about 25% of the devices in the sequence of IMEI numbers. This would allow them to see the real-time location of the devices on that account.  Avast estimated that over half-a-million people are using GPS trackers affected by these vulnerabilities.

    Despite the manufacturer’s location in China, the researchers found that the GPS trackers were also widely used in the United States and elsewhere around the world. Avast attempted to privately contact the manufacturer about these vulnerabilities but have not received a response. A senior researcher stated that "we have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices." When shopping for any IoT devices, it can be tempting to go with the low-cost, off-brand option, especially when that name-brand device can be so much more expensive. However, the cheaper option is often skimped on or has simply not included basic security measures to reduce the cost. The researchers advised consumers to do their research and buy from respected vendors. These devices are designed to provide peace of mind but in reality, they make the wearer more vulnerable, not less.

Sources

 • https://thehackernews.com/2019/09/gps-tracking-device-for-kids.html 

https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers/ 

Wednesday, September 4, 2019

Intentional Backdoor Webmin RCE Vulnerability

    When Turkish researcher Özkan Mustafa Akkuş publicly disclosed a Remote Code Execution (RCE) vulnerability in the Webmin application at DefCon this month, the Webmin developers went into emergency overdrive mode to fix this issue ASAP. While the ethics of Akkuş’ disclosure without notifying the Webmin team first are certainly questionable, the vulnerability itself is severe and had been hidden for over a year. Even more alarming, further investigation by the Webmin team revealed that it wasn’t a coding error but in fact a malicious backdoor injected into the codebase through a build server.

    Webmin is a popular open-source application allowing management of Unixbased systems over the web. This includes management of users and groups, databases, web servers, e-mail, firewall, backups: pretty much any administration of the system. The vulnerability, CVE-2019-15107, pertains to the password expiration function allowing admins to require a user to set a new password at a set interval. By adding a pipe command “|” to the old password field using POST requests, a remote attacker could run arbitrary commands as the root user on the system.

   The vulnerability was introduced into the system by a malicious attacker in April 2018 by exploiting a Webmin development build server and modifying the password_change.cgi script. After some users reported that the password expiration feature was encountering errors, the developers reverted to an older version of the file that turned this feature off by default and inadvertently corrected the vulnerability. However, the attacker once again modified the file in July 2018. Even though the build server was decommissioned in September 2018, the new server was built from a directory containing the modified file so the vulnerability persisted until its DefCon reveal.

    The Webmin development team stated that version 1.890 included the vulnerability and that the password expiration function is enabled by default, making this the most vulnerable version. Versions 1.900 through 1.920 also include the vulnerability but with the password expiration function disabled by default. Version 1.930 was released following the DefCon reveal, which contains fixes for this vulnerability as well as some Cross-Site Scripting (XSS) vulnerabilities. Webmin developers are taking steps to ensure this issue doesn’t happen again, including an updated build process to only use checked-in code from GitHub, rotating all passwords and keys, and an audit of all GitHub check-ins over the past year.

Sources:

•  https://thehackernews.com/2019/08/webmin-vulnerability-hacking.html

 • https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/ 

http://www.webmin.com/exploit.html

The Syrk ransomware

    The Syrk ransomware, first reported by researchers at Cyren Security, disguises itself as a cheating device for the multiplayer Hunger Games style video game Fortnite. It proclaims the ability to provide aim assistance as well as player location revealing abilities. It doesn't provide any of these capabilities and instead installs an open source ransomware, Hidden-Cry with a .syrk extension.
   
    Hidden-Cry was shared on git-hub at the end of last year and is still openly available. The ransomware goes through a ten step process which consists of contacting a command & control (CC) server, disabling common defenses, executing a payload, encrypting files with a .Syrk extension, establishing persistence, preventing termination, periodically deleting files to establish a threat, and finally propagating itself malicious versions of files within connected USB drives. This particular malware is relatively benign. The decrypting tool is readily available with the files downloaded and is easily extracted and used to decrypt the ransomed files. The malware also creates .txt files to be sent to the CC server so that the attacker may provide a password to the victim once the ransom is paid. It's possible for a criminal to simply not send anything once payment is rendered. But if they intend to propagate via USB drive, it's likely that the first victim would be in contact with the next, and creating a reputation where payment brings no benefit would only prevent further payment. What's surprising is that the ransomware creates the file with the password right on the victim's computer. It even includes a Delete.exe that removes all traces of itself from the victim's computer (not USB drives) and even removes the start up file, making good on its promise after the password is entered.

    This attack is clearly targeted towards either the weak willed or the less informed. Children are particularly susceptible to the temptation to even the playing field to match the older or more dexterous peers in the game. The disguise as a tool for cheating already shows that the attacker intends to target those who would try to use shortcuts to achieve success over the effort of getting better at the game. While desire to win doesn’t make a vulnerable target, the lack of experience with scams and pressure to perform despite the limitations of age combine to make a particularly vulnerable demographic. The malware itself may not be as dangerous or complex as others, but it's target is particularly susceptible to such machinations.


Sources:

https://www.cyren.com/blog/articles/open-source-ransomware-targetsfortnite-users

https://www.kaspersky.com/blog/ransomware-in-fortnite-cheats/28104/

https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbotgame-hack/147549/

Potential Hurricane Dorian Cyber Scams


Original release date: September 4, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) warns users to remain vigilant for malicious cyber activity targeting Hurricane Dorian disaster victims and potential donors. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a hurricane-related subject line, attachment, or hyperlink. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.

To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures:


If you believe you have been a victim of cybercrime, file a complaint with the Federal Bureau of Investigation Internet Crime Complaint Center at www.ic3.gov.

Monday, August 26, 2019

SQLite Heavy Vulnerabilities

Researchers at CheckPoint unveiled a method that could allow malicious actors to exploit programs that query SQLite databases. The findings were presented at the DEFCON cybersecurity conference last weekend by Omer Gull, a vulnerability researcher at CheckPoint. The researchers found that by overwriting a non-malicious SQLite database with a specially crafted malicious one, they can achieve remote code execution. SQLite is a C-language library that enables a fully self-contained SQL database engine. SQLite is used extensively by multiple operating systems such as iOS and Android, and applications such as Chrome, Firefox, Safari, and Dropbox. The researchers state that this attack technique allows for the exploitation of code that queries an SQLite database that an attacker can modify.

The researchers stated that the idea of an SQLite attack came from its role in command-and-control (C2) servers utilized by password-stealing malware. While reverse-engineering the malware, the researchers determined that most of them work in the same way. They state that “after the malware collects these SQLite files, it sends them to its C2 server where they are parsed using PHP and stored in a collective database containing all of the stolen credentials”. Using the specially crafted SQLite database, the researchers were able to gain a web shell on a C2 server in a lab environment by simulating the upload of a database.

In addition to exploiting a C2 server, the researchers provided another scenario where this vulnerability can be exploited. Within the iOS operating system, the “AddressBook.sqlitedb” file is one of the most common database files. This file is used for contact storage and is often referenced by either Apple apps or third-party messaging apps. By replacing this file with a malicious version, the researchers say that they can gain code execution. Normally persistence on iOS devices is difficult to achieve due to Apple’s Secure Boot feature. This security feature mandates that all executable files must be signed. However, SQLite database files are not signed, which allow for their modification.
While the researchers privately disclosed the vulnerabilities (CVE-2019-8600, CVE2019-8598, CVE-2019-8602, CVE-20198577) that were then patched in the latest SQLite version along with the latest iOS version (iOS 12.3), they said there are numerous other scenarios where this vulnerability can be exploited. “SQLite is one of the most deployed software in the world. However, from a security perspective, it has only been examined through the lens of WebSQL and browser exploitation,” said Omer Gull. SQLite attack scenarios should be considered a “major cyberthreat.” As always, keeping programs and operating systems up to date with the latest patches is one of the best ways to prevent the exploitation of these vulnerabilities.

Sources

https://threatpost.com/sqlite-exploits-iphone-hack/147203/ 

https://research.checkpoint.com/select-code_execution-from-usingsqlite/ 

VxWorks operating system Critical Vulnerabilities Found in Millions of Devices

    The Armis research team recently revealed 11 vulnerabilities, ranging from denial of service to remote code execution, affecting the VxWorks operating system. VxWorks is a real time operating system used in millions of embedded devices, from consumer electronics to medical devices. The vulnerabilities discovered bypass most forms of security and can even be used on the devices designed to secure the infrastructure if they utilize VxWorks.
The most critical vulnerabilities found allow for remote code execution on the target devices. Five of the critical vulnerabilities found require no interaction on the target system and are exploitable no matter how the device is configured. The sixth vulnerability requires the VxWorks internal DHCP client to parse a specially crafted response from an IP address allocation request. While this may seem like a difficult attack scenario, DHCP requires no authentication during these requests. This means an attacker can just wait, listening on the network until a request is made, and then spoof a malicious response before the real server. These vulnerabilities could allow for full takeover of a target network that used VxWorks based firewalls, making them especially dangerous.
Besides the critical vulnerabilities, there were also five lower impact, but still impactful, vulnerabilities found. One of the vulnerabilities allows for a complete denial of service which can be triggered by an attacker outside of the network. The other denial of service vulnerabilities discovered require the attacker to be in network proximity of the vulnerable device but can still prevent the vulnerable device from functioning if triggered.

    Armis describes three attack scenarios in their release document. The first scenario is based on the attacker being outside of the target network. VxWorks is used in a number of firewall devices and are immediately able to be exploited because they handle all network traffic. The second attack scenario is similar to the first in that the attack is outside of the network but are able to attack devices inside the network that can be reached from the outside. The third attack scenario is by an attacker positioned inside the network, such as on wifi or a guest network.

   VxWorks is sold and supported by Wind River, who was notified about the vulnerabilities. Wind River posted a security advisory covering the vulnerabilities and updates for affected customers. It is critical that affected devices are patched as soon as updates for them are available to prevent exploitation of these flaws.
Sources: 
https://www.threatpost.com/urgent-11-critical-infrastructureeternalblue/146731/

https://armis.com/urgent11/

IRS Warns of New Email Scam

The Internal Revenue Service (IRS) has issued a warning about a new email scam in which malicious cyber actors send unsolicited emails to taxpayers from fake (i.e., spoofed) IRS email addresses. The emails contain a link to a spoofed IRS.gov website that displays fake details about the targeted recipient’s tax refund, return, or account. The emails instruct the recipient to access their refund information by entering a provided password on the spoofed website. By entering the password, the victim unintentionally downloads malware that could enable the malicious cyber actors to take control of the affected system or obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the IRS news release and the CISA Tip on Avoiding Social Engineering and Phishing Attacks for more information.