CenturyLink Announces New Threat Research on Necurs

“Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities,” said Mike Benjamin, head of Black Lotus Labs. “What’s particularly interesting is Necurs’ regular cadence of going dark to avoid detection, reemerging to send new commands to infected hosts and then going dark again. This technique is one of the many reasons Necurs has been able to expand to more than half a million bots around the world.”

Key Takeaways

  • Beginning in May of 2018, Black Lotus Labs observed regular, sustained downtime of roughly two weeks, followed by roughly three weeks of activity, for the three most active groups of bots comprising Necurs.
  • Necurs’ roughly 570,000 bots are distributed globally, with about half located in the following countries, in order of prevalence: India, Indonesia, Vietnam, Turkey and Iran.
  • Necurs uses a domain generation algorithm (DGA) to obfuscate its operations and avoid takedown. However, DGA is a double-edged sword: because the DGA domains Necurs will use are known in advance, security researchers can use methods like sinkholing DGA domains and analyzing DNS and network traffic to enumerate bots and command and control (C2) infrastructure.
  • CenturyLink took steps to mitigate the risk of Necurs to customers, in addition to notifying other network owners of potentially infected devices to help protect the internet.

SOURCE CenturyLink, Inc.

ICANN urges adopting DNSSEC now

With DNS servers being attacked all over the world, the Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.

In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.

As one of many entities engaged in the decentralized management of the Internet, ICANN is specifically responsible for coordinating the top-most level of the DNS to ensure its stable and secure operation and universal resolvability.

On 15 February 2019, in response to reports of attacks against key parts of the DNS infrastructure, ICANN offered a checklist of recommended security precautions for members of the domain name industry, registries, registrars, resellers, and related others, to proactively take to protect their systems, their customers’ systems and information reachable via the DNS.

Public reports indicate that there is a pattern of multifaceted attacks utilizing different methodologies. Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally ‘signing’ data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected.

ICANN has long recognized the importance of DNSSEC and is calling for full deployment of the technology across all domains. Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called “man in the middle” attacks where a user is unknowingly re-directed to a potentially malicious site. DNSSEC complements other technologies, such as Transport Layer Security (most typically used in HTTPS), that protect the end user/domain communication.
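As an added illustration that is not part of the ICANN notice, the following Python snippet classifies a 'dig +dnssec' response by the two things a domain owner should verify after enabling DNSSEC: whether the zone is signed (an RRSIG accompanies the answer) and whether the resolver actually validated it (the 'ad' flag). The dig output it parses is constructed sample text, not a real capture, and the RRSIG data is a placeholder.

```python
import re

# Constructed sample of "dig +dnssec A example.test" output from a validating
# resolver (not captured traffic; the RRSIG rdata is a placeholder).
SIGNED_AND_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.test.\t\t\tIN\tA

;; ANSWER SECTION:
example.test.\t3600\tIN\tA\t192.0.2.10
example.test.\t3600\tIN\tRRSIG\tA 13 2 3600 20190401000000 20190301000000 4242 example.test. PLACEHOLDER==
"""

# Same signed zone seen through a resolver that does not validate: the RRSIG
# still arrives, but the "ad" (authenticated data) flag is absent.
SIGNED_NOT_VALIDATED = SIGNED_AND_VALIDATED.replace("qr rd ra ad;", "qr rd ra;")

# An unsigned zone: no RRSIG, so tampering with this answer is undetectable.
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
plain.test.\t300\tIN\tA\t198.51.100.7
"""

# What a validating resolver returns when the signatures do not verify, e.g.
# because records were altered: the data is withheld and status is SERVFAIL.
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 99
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status: ([A-Z]+)")


def answer_rrtypes(dig_output):
    """Return the set of record types present in the ANSWER SECTION."""
    types, in_answer = set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break
            fields = line.split()          # owner, ttl, class, type, rdata...
            if len(fields) >= 4:
                types.add(fields[3])
    return types


def dnssec_status(dig_output):
    """Classify a dig response:
    "validated"  - RRSIG present and the resolver set "ad": chain verified
    "unverified" - RRSIG present but no "ad": zone signed, resolver not validating
    "unsigned"   - no RRSIG: DNSSEC gives this name no protection
    "bogus"      - SERVFAIL: with a validating resolver this is a failed check
                   (confirm by re-querying with +cd, which disables validation)
    """
    status = STATUS_RE.search(dig_output)
    if status and status.group(1) == "SERVFAIL":
        return "bogus"
    flags_match = FLAGS_RE.search(dig_output)
    flags = set(flags_match.group(1).split()) if flags_match else set()
    signed = "RRSIG" in answer_rrtypes(dig_output)
    if signed and "ad" in flags:
        return "validated"
    return "unverified" if signed else "unsigned"
```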

As the coordinator of the top-most level of the DNS, ICANN is in a position to help mitigate and detect DNS-related risks, and to facilitate key discussions together with its partners. The organization believes that all members of the domain name system ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the Internet. To facilitate these efforts, ICANN is planning an event for the Internet community to address DNS protection: the first is an open session during the upcoming ICANN64 public meeting on 9-14 March 2019, in Kobe, Japan.

As we learn more information, updates may be provided. For information about ICANN64, visit https://meetings.icann.org/kobe64.

This article is a repost from the ICANN site, as an important security notice to all who use or operate DNS servers.

617 million accounts stolen

According to The Register (theregister.co.uk), 617 million accounts stolen from 16 hacked websites are now for sale on the dark web, the seller boasts.

Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove’s seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

  • Dubsmash (162 million)
  • MyFitnessPal (151 million)
  • MyHeritage (92 million)
  • ShareThis (41 million)
  • HauteLook (28 million)
  • Animoto (25 million)
  • EyeEm (22 million)
  • 8fit (20 million)
  • Whitepages (18 million)
  • Fotolog (16 million)
  • 500px (15 million)
  • Armor Games (11 million)
  • BookMate (8 million)
  • CoffeeMeetsBagel (6 million)
  • Artsy (1 million)
  • DataCamp (700,000)

The hacker told The Register that his goal in putting up the stolen accounts was to ‘make life easier for hackers’. He plans to sell the information to anyone who promises to keep the data secret. This attacker has been hacking accounts since 2012 and has information on at least 20 databases. Further, the hacker stated:

“I don’t think I am deeply evil. I need the money.”

“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

To read the full article, go here.

Social Media Phishing Attack

Social media has changed how the world interacts in so many ways, such as closer interaction between businesses and their customers, law enforcement alerts, and more. Creators of public content who want any real degree of reach involve social media in their business and marketing plan somehow, and many require logging in through social media to view content.

There are many methods to check that a login prompt is legitimate, but a new phishing technique discovered by researchers at the password management company Myki throws the usual precautions out the window. Phishing is a fraudulent attempt to gain sensitive personal information by posing as a legitimate entity, such as a company or a website. It is a form of social engineering, and it is very popular and successful because many people take things on the internet at face value.

    Recent years have shown an increase in phishing attempts leading to serious data breaches, as was the case in the San Diego Unified School District breach involving social security numbers and other personal information of over 500,000 students and staff. 
   
Researchers at Myki discovered that attackers were convincing victims to visit fraudulent sites for blogs and services that first required people to log in with a Facebook account to access the content. The sites looked legitimate, as did the pop-up window for the Facebook login: the URL shown was www.facebook.com, it used HTTPS with a green padlock indicating a valid certificate, and browser add-ons for detecting malicious domains did not raise any warnings. Nevertheless, the victims’ credentials were harvested by the attacker. The pop-up window was not a real browser window: it was built with HTML and JavaScript to imitate one, but it was part of the original page.

    The only way to tell is to try to drag the window away from the browser. If it is fake then part of the window will disappear past the edge of the browser instead of moving as a separate entity. While harvesting Facebook login credentials may not seem like much of a threat beyond seeing what cat pictures were posted by friends, many people use the same or similar credentials across many sites and this gives attackers a jump ahead in trying to gain unauthorized access to other accounts. Also, this same technique could show up in other areas in the future, such as e-commerce sites asking for PayPal logins or something similar.

Sources
https://threatpost.com/sneaky-phishing-scam-facebook/141869/
https://threatpost.com/san-diego-school-district-data-breach-hits-500kstudents/140366/
https://thehackernews.com/2019/02/advance-phishing-login-page.html

Vulnerability So Old it Could Vote

This past week, a vulnerability was found in the WinRAR archive extraction software that has existed for almost 19 years. It was discovered by researchers at Check Point Software Technologies. The bug allows a path traversal that leads to remote code execution anywhere on the system. The issue stems from a third-party DLL, unacev2.dll, which is used to handle the .ace archive type.

The bug was discovered by fuzzing WinRAR and identifying the root cause of a crash. When the group investigated the problem they were looking for a memory corruption bug, but instead found a logical bug that let the team navigate to any location on the target machine without even needing to know a user name.

While testing to identify the root cause, the fuzzer detected an anomaly in which bits of the advertisement string and other pieces of the file’s hex dump were placed in a newly created directory and file.

They were unable to reproduce it exactly inside WinRAR because of WinRAR’s file-name validation functions. Even though WinRAR catches the original case and cancels the operation based on the return value of the unacev2.dll function, the folder is still created temporarily, because the check of the value that triggers cancellation happens late.

This allows the creation of empty files wherever the archive’s creator would like. The team went a step further and circumvented the path limitations set by WinRAR by way of the cleanPath function that WinRAR uses to remove an extraneous ‘C:/’ from relative paths. By adding another ‘C:/’, the team bypassed this and gained path traversal, because the WinRAR path check does not look for a ‘C:’ prefix; it was supposedly removed by cleanPath already. With a path traversal vulnerability in hand, the team was able to reach an SMB attack vector by adding more arbitrary ‘C:/’ prefixes to strings to allow connections. Code execution is obtained by extracting a compressed executable from an ACE archive that has been renamed to .rar into a Startup folder, which will run the code at boot. The code itself is arbitrary, so the consequences can be catastrophic.

The user name can even be ignored by using WinRAR’s shell extension (its registry subkeys): right-click the archive in question and handle it using that menu. This works because of how ‘C:’ (without a backslash) is interpreted by Windows: it represents the current directory of the running process, so inside the WinRAR GUI that would be the WinRAR folder, but when using the shell menu option it becomes C:\Users\<user name>\<location of the file>. When this exploit was reported to WinRAR, the developers stated that it was the third party’s code that allowed the arbitrary folder creation, and they dropped support for the ACE archive format.
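As an added example, not code from WinRAR, unacev2.dll or Check Point, here is a small Python model of the flaw described above (a prefix strip that removes only one ‘C:\’ and a check that never looks for the remaining drive prefix) beside a hardened extraction-path check that refuses any drive or root prefix and confirms the normalised path stays inside the destination. The function names, the destination folder and the sample member names are constructed.

```python
import ntpath

# Constructed model of the flow described above, not WinRAR's or
# unacev2.dll's code: only enough logic to show why the check failed.


def naive_clean_path(name):
    """Strip one leading 'C:\\' (or 'C:/') from an archive member name, the
    way the text describes cleanPath removing an extraneous drive prefix.
    Only the first copy goes, so a doubled prefix leaves one 'C:\\' behind."""
    if name[:3].upper() in ("C:\\", "C:/"):
        return name[3:]
    return name


def naive_is_allowed(name):
    """Model of a check that rejects leading separators and '..' components
    but, as the text says, never looks for a 'C:' that cleanPath left in."""
    cleaned = naive_clean_path(name)
    parts = cleaned.replace("/", "\\").split("\\")
    return not cleaned.startswith(("\\", "/")) and ".." not in parts


def naive_target(dest, name):
    """Where the naive flow would write the member: ntpath.join simply
    discards dest when the member carries its own drive and root."""
    return ntpath.normpath(ntpath.join(dest, naive_clean_path(name)))


def safe_extract_path(dest, member):
    """Hardened check: refuse any drive or root prefix outright, normalise
    the joined path, and require it to remain inside dest.  Returns the
    destination path, or None when the member must be skipped."""
    member = member.replace("/", "\\")
    drive, tail = ntpath.splitdrive(member)
    if drive or tail.startswith("\\"):
        return None            # 'C:\\..', 'C:..\\..', '\\\\host\\share', '\\abs'
    root = ntpath.normpath(dest)
    candidate = ntpath.normpath(ntpath.join(root, member))
    if ntpath.commonpath([root, candidate]) != root:
        return None            # '..' components climbed out after normalisation
    return candidate
```

The naive model still rejects a plain ‘..\’ member; it is the doubled drive prefix that slips through, and the hardened check closes that by refusing any drive prefix before looking at the rest of the path.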

Sources
https://research.checkpoint.com/extracting-code-execution-from-winrar/

https://news.softpedia.com/news/19-year-old-vulnerability-discovered-inwinrar-525050.shtml

Container Escape

Over the years there has been a fundamental shift in software development practices. In the past it was typical to build and maintain large monolithic code bases and run them on large servers, individual virtual machines, or even bare metal. Now, as many of us already know, many applications are packaged as small services, loosely coupled together into what is called a microservices architecture, running across a group of distributed commodity hardware. This infrastructure creates layers between the application and the host environment, makes it fast and easy to apply patches and updates across the stack, and helps maintain overall security compliance.

This past January there was a severe vulnerability disclosure affecting these containerized environments, identified as CVE-2019-5736, which allows an attacker to escape from a container to the host system via docker-runc. The vulnerability affects container technologies such as cri-o, containerd, and Kubernetes. Note that an attacker would first need root-level access within the target container. The attacker then creates a malicious binary that runs on user entry into the container. According to the researchers’ attack description, the attacker’s code execution replaces a dynamic library used by docker-runc with a custom .so file that has an additional global constructor. This function opens /proc/self/exe for reading and then executes another binary, which this time opens /proc/self/fd/3 for writing; that is the file descriptor of docker-runc which was opened before execve. The attacker can then write arbitrary code through that docker-runc file descriptor, overwriting the original docker-runc binary on the host and thereby affecting the host operating system.

As the researchers describe the attack timeline: when a host user runs the affected container, the new docker-runc process executes within the container but uses the actual binary on the host file system. The docker-runc process, however, loads the attacker-controlled .so files from the container file system. The malicious global constructor function executes and loads the attacker-controlled binary. That binary overwrites docker-runc on the host file system with a compromised docker-runc. From then on, whenever any user starts a container image on that host, the compromised docker-runc runs in the host environment, fully compromising the system.

A fix to docker-runc was created: the new code creates a memory-based file descriptor into which a known-good docker-runc binary is loaded. Before entering the container’s namespaces, docker-runc is then run from that memory-based file descriptor, so the docker-runc on the host file system cannot be overwritten through it. Other potential mitigations involve configuring SELinux appropriately, making the affected files read-only, and lowering the privileges of users inside containers.

Sources
  • https://blog.dragonsector.pl/2019/02/cve2019-5736-escape-from-dockerand.html
  • https://cyware.com/news/proof-ofconcept-for-container-escapevulnerability-unleashed-0c79f909

“Catastrophic” hack on VFEmail destroys almost two decades of data

!!!ALERT!!!! Update Feb 11 2019
www.vfemail.net and mail.vfemail.net are currently unavailable in their prior form.
We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9
This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.


Main points:

  • If you didn’t use nl101.vfemail.net, then your mailbox is gone. Send yourself an email to re-create it (if necessary).
  • After the initial incident on 2/11, incoming mail was queued on the sending servers. These should have started coming in within 12 hours, creating new mailboxes for existing accounts – ‘new’ mail should not be lost.
  • Accounts exist, the mail data does not. If your mailbox hasn’t been re-created, you can’t login. Send yourself an email to re-create it.
  • If you’re one of the 10% who used webmail, your addressbook and calendars still exist.
  • If you can’t login, use https://nl101.vfemail.net to login to webmail.
  • If you used POP, change your mail server to nl101.vfemail.net.
  • If you used IMAP, CREATE A NEW ACCOUNT, and use nl101.vfemail.net for the server name. DO NOT CHANGE AN EXISTING ACCOUNT, YOU WILL SYNC WITH AN EMPTY MAILBOX AND LOSE YOUR LOCAL MAIL.
  • There is no control panel.
  • Consider your mailbox data to be lost, but we haven’t given up yet.

Timeline –

As of 5am 2/11/19
www.vfemail.net and mail.vfemail.net are currently unavailable.
We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9
This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.

New updates 2/11/19 6pm CST:

  • Incoming mail is now being delivered.
  • Webmail is up. Note: mailboxes are created upon new mail delivery. If you cannot login, you may not have received mail.
  • Mailboxes are new, no subfolders exist.
  • No filters are in place. If you created a filter with Horde, login to Horde, create any folders you need, click Filter, click Script, then click ‘Activate Script’.
  • There is no spam scanning at this time – incoming mail may be spam scanned depending on DNS status.
  • Free users should not attempt to send email, there is currently no delivery mechanism for free accounts. Paid accounts should be useable, including Horde/Roundcube contacts and calendars.
  • NL hosted email is available (if you bought and requested a Migration).

At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.

2/12/19
AT YOUR OWN RISK – POP users can use ‘nl101.vfemail.net’
IMAP Users should create a new account, then use ‘nl101.vfemail.net’ as the IMAP/SMTP server

2/13/19

  • If you are unable to login, send yourself an email from another location. Receipt of an email creates your new mailbox.
  • We have engaged a data recovery vendor to discuss options.
  • Mailboxes were shutdown for a short time while we move data between volumes. We’ve used 11Gb of space in 2 days – FYI.
  • Vanity domains should receive mail properly now.
  • If you were set to ‘nobackup’, you should start receiving mail now.

“Yes, @VFEmail is effectively gone,” VFEmail founder Rick Romero wrote on Twitter Tuesday morning after watching someone methodically reformat hard drives of the service he started in 2001. “It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

VFEmail says data for virtually all US users is gone for good!

More about Windows Sandbox

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?

At Microsoft we regularly encounter these situations, so we developed Windows Sandbox: an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.

Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on Microsoft’s hypervisor to run a separate kernel that isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

Prerequisites for using the feature

  • Windows 10 Pro or Enterprise Insider build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

If you have this build, the steps to enable the feature are in Microsoft’s documentation.

The information posted here comes from Microsoft.

Internet Romance Scams Be Warned

The Federal Trade Commission (FTC) has released an article addressing a rise in reports of internet romance scams. In this type of fraud, cyber criminals gain the confidence of their victims and trick them into sending money. Use caution when online dating, and never send money or gifts to someone you have not met in person.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users to review FTC’s article on Romance Scams and NCCIC’s tip on Staying Safe on Social Networking Sites. If you think you have been a target of a romance scam, file a report with

Ransomware Attack Via MSP Locks Customers Out of Systems

Vulnerable plugin for a remote management tool gave attackers a way to encrypt systems belonging to all customers of a US-based MSP.

An attacker this week simultaneously encrypted endpoint systems and servers belonging to all customers of a US-based managed service provider by exploiting a vulnerable plugin for a remote monitoring and management tool used by the MSP.

The attack resulted in some 1,500 to 2,000 systems belonging to the MSP’s clients getting cryptolocked and the MSP itself facing a $2.6 million ransom demand.

Discussions this week on an MSP forum on Reddit over what appears to be the same — or at least similar — incident suggest considerable anxiety within the community over such attacks, with a few describing them as a nightmare scenario.

To read the full article, go here.