NCSC Releases Fact Sheet on DNS Monitoring

Original release date: October 4, 2019

The Dutch National Cyber Security Centre (NCSC) has released a fact sheet on
the increasing difficulty of Domain Name System (DNS) monitoring. NCSC warns
that although modernization of transport protocols is helpful, it also makes it
more difficult to monitor or modify DNS requests. These changes could render an
organization’s security controls ineffective.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users
and administrators review the Dutch NCSC fact sheet on DNS monitoring for
additional information and recommendations.

Microsoft Reports Cyberattacks on Targeted Email Accounts

Original release date: October 4, 2019

The Microsoft Threat Intelligence Center (MSTIC) has released a blog post
describing an increase in malicious cyber activity from the Iranian group known
as Phosphorus. These threat actors are exploiting password reset or account
recovery features to take control of targeted email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users
to review the Microsoft blog for additional information and recommendations,
and CISA’s Tip on Supplementing Passwords.

New Portable Document Format (PDF) attack on encryption features

    The Portable Document Format (PDF) standard provides many benefits that unify communications across different software and hardware platforms. One of those elements is its encryption scheme, which lets users password-protect a document so that it cannot be viewed, edited, or saved without the required password. Another security feature of the PDF standard is the ability to sign documents with an electronic signature that has the same legal standing as a handwritten one; this may include digital signing, which uses cryptographic measures to assure authenticity.

    Researchers from Ruhr University Bochum, FH Münster University of Applied Sciences, and Hackmanit GmbH have developed a two-pronged attack on the security measures of PDFs and their encryption schemes, which they have named PDFex. In their research they developed methods for exfiltrating the contents of an encrypted PDF with minimal prior knowledge of those contents. The methods can also modify the contents to change the plaintext as well as add malicious functionality. The first prong of PDFex relies on the fact that an encrypted PDF only encrypts portions of the file, leaving other portions unencrypted and unprotected. The attacker is therefore able to modify the unencrypted portions of the file. In this way they can plant a form submission that sends the contents of the PDF to an attacker-controlled server, granting the attacker access to those contents. The attacker can also edit an unencrypted field to hold a URL to which encrypted and unencrypted strings from the document are sent. The last method in this attack on the unencrypted portion of PDF files injects JavaScript code into the document, which then exfiltrates the data within the file. This is the “Direct Exfiltration” method of the PDFex attack.

    The other prong of this attack uses CBC malleability gadgets: tools that can edit ciphertexts encrypted in cipher block chaining (CBC) mode when no integrity check is applied, which is exactly what the PDF standard does. This method can modify plaintext as well as add new encrypted content to the file. It can employ the PDF forms and hyperlink techniques listed under the Direct Exfiltration method. The CBC Gadgets method can also edit PDF object streams so that they submit themselves to an attacker-controlled server. Both attacks require the victim to open the tainted document so that the traps can deliver the decrypted information to the attacker. The researchers tested their techniques on 27 PDF viewers, and all were susceptible to at least one method of the PDFex attack.

    The attack requires that the attacker have access to the file in order to modify it; some of the attacks have further requirements, such as the ability to trigger URLs from the viewer, or for the viewer to have permission to run JavaScript in the background. One of the researchers reported to Threatpost that “There are currently no effective countermeasures, as the weaknesses lie in the PDF encryption standard itself” and that the best mitigation is to use additional layers of encryption outside of the PDF standard to protect data.
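The CBC malleability that the second prong relies on is easy to see in code. The Python below is an added example written for this digest, not code from the PDFex researchers or from any PDF tool: it runs CBC mode over a deliberately toy Feistel block cipher (so it needs nothing beyond the standard library; the property shown is identical with AES), shows that an edit to one ciphertext block changes the following plaintext block predictably without the key, and then shows that an encrypt-then-MAC layer, the kind of integrity check the PDF standard lacks, rejects the same edit before anything is decrypted. The keys, IV and two-block plaintext are constructed demo values.

```python
import hashlib
import hmac

BLOCK = 16   # block size in bytes
HALF = BLOCK // 2
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy cipher: a truncated SHA-256.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network over one 16-byte block. NOT a secure cipher:
    # it is only an invertible keyed permutation so that CBC can be shown
    # without third-party libraries. The CBC property below holds for AES too.
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC: whole blocks only and no integrity tag, as in PDF encryption.
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(out)

def tamper(iv: bytes, ciphertext: bytes, offset: int, old: bytes, new: bytes):
    # Malleability: plaintext block i = D(C_i) XOR C_{i-1}, with C_{-1} = IV.
    # Flipping byte j of C_{i-1} flips byte j of plaintext block i predictably,
    # while block i-1 itself decrypts to garbage. With the IV prepended, byte
    # `offset` of (IV || C) controls plaintext byte `offset`. Only the old
    # plaintext bytes are needed, never the key.
    assert len(old) == len(new)
    buf = bytearray(iv + ciphertext)
    for k, (o, n) in enumerate(zip(old, new)):
        buf[offset + k] ^= o ^ n
    return bytes(buf[:BLOCK]), bytes(buf[BLOCK:])

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    # The countermeasure: authenticate IV and ciphertext so any edit is caught.
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv, ct, tag

def verify_then_decrypt(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: ciphertext was modified")
    return cbc_decrypt(enc_key, iv, ct)

# Constructed demo values; not real keys or document content.
ENC_KEY, MAC_KEY = b"demo-enc-key-16B", b"demo-mac-key-16B"
IV = bytes(range(BLOCK))
PLAINTEXT = b"owner=alice     " + b"perm=print-only "

def forge_second_block() -> bytes:
    # Rewrite "print-only" to "everything" in block 1 without knowing ENC_KEY.
    ct = cbc_encrypt(ENC_KEY, IV, PLAINTEXT)
    iv2, ct2 = tamper(IV, ct, BLOCK + 5, b"print-only", b"everything")
    return cbc_decrypt(ENC_KEY, iv2, ct2)

def forgery_detected() -> bool:
    # The same edit against the authenticated form is rejected before decryption.
    iv, ct, tag = encrypt_then_mac(ENC_KEY, MAC_KEY, IV, PLAINTEXT)
    iv2, ct2 = tamper(iv, ct, BLOCK + 5, b"print-only", b"everything")
    try:
        verify_then_decrypt(ENC_KEY, MAC_KEY, iv2, ct2, tag)
    except ValueError:
        return True
    return False
```

After `forge_second_block()` the second block reads `perm=everything ` while the first block is scrambled; that sacrificed block is exactly why the gadget approach works in formats where a garbled neighbour is tolerated. `forgery_detected()` shows that an integrity tag over the IV and ciphertext turns the same edit into a hard failure.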

Sources:

https://www.pdf-insecurity.org/download/paper-pdf_encryptionccs2019.pdf

https://threatpost.com/hack-breakspdf-encryption/148834/

New Malware Uses messaging app Telegram

    Remote malware has been around for almost the entire history of computers. Attackers are always looking for ways to exfiltrate data from systems and be able to control their malware from a remote location. The Command & Control (C2) devices are usually servers controlled by the attacker, but a new malware dubbed by Juniper researchers as Masad has taken a different approach: using the messaging app Telegram for its C2 functions.

    Telegram is a popular messaging and Voice-over-IP (VoIP) app with over 200 million active monthly users. This makes it a pretty good place to try and hide malicious activity. Masad uses the sendDocument API of Telegram to exfiltrate data stolen from victims as a 7zip archive. Juniper has detected over 1,000 variants of Masad in the wild, as well as 338 unique Telegram C2 bots related to its use. Due to the malware being sold as a product rather than kept to a particular group, multiple groups can be using Masad for different campaigns. The developers of Masad have even created a group within Telegram with over 300 members, designed for potential clients and tech support.

    Masad’s attack vectors include disguising itself as a legitimate tool or hiding itself in other third-party tools. For instance, it has been seen mimicking CCleaner, Utilman, Whoami, ProxySwitcher, a Samsung Galaxy software update, and many others. The developers have also included current trends in gaming, especially for younger internet users that may not be security conscious, by hiding Masad as Fortniteaimbot 2019.exe and an EXEA HACK CRACKED executable claiming to be for PUBG, CounterStrike Global Offensive, Fortnite, Grand Theft Auto 5, and DOTA.

    The malware also has the capability to download additional malicious tools, usually more cryptominers. Masad has a wide array of abilities for information stealing in addition to its cryptomining. It can steal system information including running processes, desktop files and screenshots, browser information such as cookies, passwords, credit cards, and AutoFill data, as well as Steam, FileZilla, and Discord files. Masad is also being advertised as a Clipper which looks for cryptocurrency wallet information in the system’s clipboard and replaces it with the attacker’s wallet information. It searches for over two dozen different flavors of cryptocurrency, including Bitcoin, Litecoin, Monero, Ethereum, and DogeCoin.

    Juniper researchers recommend locking down the Telegram communication protocol at the firewall level provided there is no legitimate business use that this would interrupt. They also suggest using a next-generation firewall with Advanced Persistent Threat (APT) protection to help counteract the malware if it gets inside the organization.
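Where an organization routes outbound HTTP through a forward proxy that logs request URLs, Masad’s use of the Telegram Bot API leaves a distinctive trace: requests to api.telegram.org with a /bot<token>/<method> path, issued by processes that are not messaging clients. The Python below is an added example for this digest, not code from Juniper or from any product; the log format, the host and process names, and the bot tokens are all constructed. It flags Bot API calls, classifies them as data-moving (sendDocument and similar) or command-polling (getUpdates), masks the token in the output, honours an allow-list for clients with a legitimate business use, and tallies which clients the firewall team should look at.

```python
import re
from collections import Counter

# Constructed forward-proxy log lines (not real traffic). Field order:
# timestamp client_ip http_method host path process
LOG_LINES = [
    "2019-09-30T12:00:01Z 10.0.0.12 GET www.example.com /index.html chrome.exe",
    "2019-09-30T12:00:05Z 10.0.0.12 POST api.telegram.org /bot1111111111:AAEXAMPLE-TOKEN-ONE/sendDocument ccleaner_update.exe",
    "2019-09-30T12:00:09Z 10.0.0.40 GET api.telegram.org /bot2222222222:AAEXAMPLE-TOKEN-TWO/getUpdates svchost.exe",
    "2019-09-30T12:00:20Z 10.0.0.77 GET web.telegram.org /k/ firefox.exe",
    "2019-09-30T12:00:33Z 10.0.0.90 POST api.telegram.org /bot3333333333:AAEXAMPLE-TOKEN-THREE/sendMessage ops-alerter",
]

TELEGRAM_HOSTS = {"api.telegram.org", "web.telegram.org", "core.telegram.org"}
BOT_CALL = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)")
# Bot API methods that push data out of the host versus ones that poll for commands.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}
BEACON_METHODS = {"getUpdates", "getMe"}

def parse_line(line):
    ts, client, http_method, host, path, process = line.split(maxsplit=5)
    return {"ts": ts, "client": client, "http_method": http_method,
            "host": host, "path": path, "process": process}

def mask_token(token):
    # Keep the numeric bot id for correlation; never copy the secret half into reports.
    return token.split(":", 1)[0] + ":***"

def detect_telegram_c2(lines, approved_clients=frozenset()):
    """Return one alert per Bot API call from a client without an approved business use."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["host"] not in TELEGRAM_HOSTS or rec["client"] in approved_clients:
            continue
        m = BOT_CALL.match(rec["path"])
        if not m:
            continue  # ordinary web/desktop client traffic: a policy question, not a bot alert
        method = m.group("method")
        if method in EXFIL_METHODS:
            kind = "exfiltration"
        elif method in BEACON_METHODS:
            kind = "beacon"
        else:
            kind = "other"
        alerts.append({"ts": rec["ts"], "client": rec["client"], "process": rec["process"],
                       "method": method, "kind": kind, "bot": mask_token(m.group("token"))})
    return alerts

def clients_to_block(alerts):
    # Per-client tally to hand to whoever manages the egress firewall.
    return Counter(alert["client"] for alert in alerts)
```

With TLS the request path is only visible at an intercepting proxy; a plain firewall sees just the destination host or SNI, which is what the blanket block Juniper recommends acts on, so the path-level classification here is a refinement for environments that already inspect outbound HTTPS.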

Sources:

https://threatpost.com/masad-spyware-telegram-bots/148759/

https://coingeek.com/new-malware-uses-telegram-app-to-replace-cryptoaddresses/

https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltratingusing-Telegram/ba-p/468559

Baseboard Management Controllers (BMC) critical vulnerability

    Baseboard Management Controllers (BMC) are a popular feature found on most motherboards targeting the server market. They provide a number of convenience functions for remote management, which is valuable for machines typically located in a cold, noisy room. Some of the functions they provide include remote power cycling, keyboard, video and mouse (KVM) access, and virtual media emulation. The combination of these functions allows an administrator to provision a server without ever having to touch it. With that much power over the system, they are bound to be a highly valuable target for attack.

    This week the security company Eclypsium disclosed a critical vulnerability they found in Supermicro’s BMC implementation. The vulnerability is in the virtual media service subsystem. This service allows a remote administrator to attach USB devices, such as DVD drives or keyboards, to the machine remotely as if they were physically plugged in. The feature of course requires authentication, but the researchers found a way to bypass this requirement.

    The first weakness is that the BMC accepts authentication requests in plaintext by default. The researchers noted that encryption support is available but is based on the old, weak Rivest Cipher 4 (RC4) algorithm. In addition, the key used for that encryption is shared across all Supermicro devices, making man-in-the-middle decryption possible. They also uncovered a complete authentication bypass: the BMC does not time out a valid authorized session in a timely manner, so an attacker could re-use the session and gain access if an administrator had recently logged into the system and used the virtual media service. BMC systems are rarely reset, since they are by nature always-online, out-of-band management systems, which increases the likelihood of this attack succeeding.

    Supermicro has issued an update to their BMC software, but it is unlikely that machines will be patched immediately, because the machines must be completely powered off in order to apply the update. In the meantime it is recommended to block the port used by the virtual media service, port 623, until the patch can be applied. Researchers warn that this will likely not be the last BMC vulnerability discovered, so additional measures should be taken when possible. The best defense against these attacks is keeping vulnerable machines on a separate network from other traffic. Ideally, management interfaces should be on their own network that is not exposed to public-facing traffic.
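The two mitigations above, blocking port 623 and keeping BMCs on their own network, can be checked against an inventory rather than assumed. The Python below is an added example for this digest, not tooling from Eclypsium or Supermicro; the management subnet, the host inventory, and the simplified first-match firewall policies are all constructed. It reports every BMC that sits outside the management network and every BMC whose virtual media port (TCP 623 in Eclypsium’s advisory) is reachable from a non-management source, evaluating a permissive policy beside a hardened one.

```python
import ipaddress

# Constructed management VLAN; replace with your own ranges.
MANAGEMENT_NETS = [ipaddress.ip_network("10.99.0.0/24")]
VIRTUAL_MEDIA_PORT = 623  # Supermicro virtual media service port

# Constructed inventory of BMC addresses (not real hosts).
INVENTORY = [
    {"host": "db-01",   "bmc_ip": "10.99.0.11"},    # on the management VLAN
    {"host": "web-03",  "bmc_ip": "10.10.5.40"},    # BMC plugged into a production subnet
    {"host": "edge-02", "bmc_ip": "198.51.100.7"},  # on an internet-facing range
]

# Constructed, simplified policies: (src_net, dst_net, dst_port, action), first match wins.
RULES_WEAK = [
    ("0.0.0.0/0", "0.0.0.0/0", 623, "allow"),        # virtual media reachable from anywhere
]
RULES_HARDENED = [
    ("10.99.0.0/24", "10.99.0.0/24", 623, "allow"),  # admins on the management VLAN only
    ("0.0.0.0/0", "0.0.0.0/0", 623, "deny"),
]

def decision(rules, src, dst, port):
    # First-match evaluation of the simplified policy; default deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, p, action in rules:
        if p == port and s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def on_management_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)

def audit(inventory, rules, probe_src="192.0.2.10"):
    # probe_src stands in for "some host that is not on the management VLAN".
    findings = []
    for item in inventory:
        problems = []
        if not on_management_net(item["bmc_ip"]):
            problems.append("BMC outside management network")
        if decision(rules, probe_src, item["bmc_ip"], VIRTUAL_MEDIA_PORT) == "allow":
            problems.append("TCP/623 reachable from non-management source")
        if problems:
            findings.append({"host": item["host"], "bmc_ip": item["bmc_ip"], "problems": problems})
    return findings
```

Under the weak policy every BMC is flagged for port exposure; under the hardened policy only the two BMCs that were cabled into the wrong network remain, which is the finding no firewall rule fixes and the reason the segmentation advice comes first.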

Sources:

https://csoonline.com/article/3435900/insecure-virtual-usb-feature-insupermicro-bmcs-exposes-servers-to-attack.html

https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack

Google Play Store and Malicious Applications

    There has always been a battle between the Google Play Store and the malicious applications that attempt to reside on it. Google implements rigorous security testing of all apps, but some can still slip through the cracks. Such was the case when researchers from Symantec’s Threat Intelligence team found 25 malicious apps, with a combined user base of over 2.1 million, on the Google Play Store. These apps were camouflaged as photo utility and fashion apps and, upon download, did not exhibit any malicious properties. It is not until the app downloads a remote configuration file that it becomes malicious. This behavior is what allows the app to bypass the security checks implemented by Google: since the malicious code is not actually in the app and is downloaded remotely, Google is none the wiser. Researchers say that the 25 apps share a similar code structure, leading them to believe that the developers are part of the same organization or, at least, using the same code base.

    Once installed, the app hides its icon and begins to display full-screen advertisements at random intervals with the app title hidden. This is done to prevent users from determining which app is responsible for the ads. The behavior continues even when the app is closed, which can be confusing for users who cannot even recall downloading the app, as there is no icon or name associated with the behavior. Another trick the developers use is publishing two versions of the same app. One version is malicious, with full-screen advertisements, while the other is non-malicious and happens to be present in Google Play’s Top App Charts. The researchers believe this is done in the hope that users accidentally download the malicious copy instead of the popular, non-malicious version.

    The researchers believe that the primary reason for the creation of these apps is the advertising revenue. Some subset of users will continue to put up with the advertisements, despite the annoyance. When downloading apps from the Google Play Store, it can be difficult to determine which are malicious at first glance. To protect yourself from malicious applications, the researchers suggest keeping software updated, not downloading apps from unfamiliar sites, only installing apps from trusted sources, and paying attention to the permissions requested by the apps you download.

Sources:

https://www.bleepingcomputer.com/news/security/malicious-androidapps-evade-google-play-protect-via-remote-commands/

https://www.symantec.com/blogs/threat-intelligence/hidden-adwaregoogle-play

NY Metro Joint Cyber Security Conference & Workshop

The 2019 NY Metro Joint Cyber Security Conference will take place on Thursday, October 10th. NYMJCSC is now in its sixth year, featuring keynotes, panels and sessions aimed at various aspects of information security and technology.

NYMJCSC is also offering a post-conference workshop on Friday, October 11th
featuring in-depth full-day hands-on classroom-style educational
courses to expand your knowledge and foster security discussions.

We are pleased to announce Ron Ross, Fellow at the National Institute of Standards and Technology (NIST), as our 2019 conference keynote.

NYMJCSC: Who We Are

The New York Metro Joint Cyber Security Conference is a collaborative
event cooperatively developed, organized and sponsored by the leading
information security industry organizations and chapters.

Organizational Partners:

  • InfraGard Members Alliance – New York Metro Chapter
  • Information Systems Audit and Control Association (ISACA) – New Jersey Chapter
  • Information Systems Audit and Control Association (ISACA) – Greater Hartford CT Chapter
  • High Technology Crime Investigation Association (HTCIA) – New York City Metro Chapter
  • Internet Society (ISOC) – New York Chapter
  • Information Systems Security Association (ISSA) – New York Chapter
  • Association of Certified Fraud Examiners (ACFE) – New Jersey Chapter

Community Partners:

  • (ISC)2 – New Jersey Chapter
  • Cloud Security Alliance (CSA) – New York Metro Chapter
  • Association of Continuity Professionals (ACP) – New York City Metro Chapter

Driven by the collaboration between members of this coalition, the
strength of organizational membership, the provision of desirable CPE
credits and the concurrence of National Cyber Security Awareness Month,
the NYMJCSC promises — once again — to be well-attended by members of
the information technology, information security, audit, academic, and
business communities.

To learn more, please go to http://nymjcsc.org/

#Beware #RedAlert: New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS

Cybersecurity researchers today revealed the
existence of a new and previously undetected critical vulnerability in
SIM cards that could allow remote attackers to compromise targeted
mobile phones and spy on victims just by sending an SMS.

Dubbed “SimJacker,” the vulnerability resides in a particular piece of
software called the S@T Browser (a dynamic SIM toolkit), embedded on most
SIM cards, that is widely used by mobile operators in at least 30 countries
and can be exploited regardless of which handset victims are using.

What’s worrisome? A specific private company that works with governments
has been actively exploiting the SimJacker vulnerability for at least the
last two years to conduct targeted surveillance on mobile phone users across
several countries.

S@T Browser, short for SIMalliance
Toolbox Browser, is an application that comes installed on a variety of
SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been
designed to let mobile carriers provide some basic services,
subscriptions, and value-added services over-the-air to their customers.

You can read the full article at:

https://alienskills.com/contents/BewareRedAlertNewSIM_1279477829062.html

Lilu ransomware encrypts files on Linux systems

    Linux™ operating systems are sometimes overlooked as targets for malware due to the smaller pool of victims compared to more popular operating systems. With fewer targets, attackers are incentivized to direct their efforts towards richer hunting grounds. Despite that, the lilu (or lilocked) ransomware targets solely Linux-based web servers. It has infected over 6,000 servers so far and looks set to continue for the foreseeable future.

    While the ransomware primarily targets Linux web servers, there is no evidence precluding its ability to infect other Linux systems; a web server’s infected status is visible to web crawlers, whereas non-web-server systems would not be as publicly visible. The lilu ransomware encrypts files on the victim’s system and leaves a “#README.lilocked” file in each folder containing encrypted files. This file is a ransom note that directs the victim to a Tor page and provides a key to use on that page. The key gives access to a second ransom note that directs the victim to purchase Bitcoin or Electrum to pay a ransom to decrypt the files.

    The ransom has so far been inconsistent, with reported demands ranging from 0.01 BTC to 0.03 BTC. So far the ransomware has only encrypted non-essential files and has left the servers running. It targets a few kinds of file extensions, such as HTML, SHTML, JS, CSS, PHP and INI, as well as various image file formats.

    There has not been any success in the decryption efforts. But one victim, going by Jay Gairson on Twitter, claims that the ransomware uses an Exim exploit and that it persists even after the system is taken offline and replaced. Exim is an open-source mail transfer agent for Unix-like operating systems. The suspected exploit is tracked as CVE-2019-15846; it has since been patched, which leads researchers to believe lilu only affects older versions of Exim. There has yet to be any evidence that paying the ransom successfully decrypts one’s files, though the attacker is not incentivized to build a reputation for services not rendered.
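For a responder working through a suspected lilu infection, the ransom note is the most reliable marker described above. The Python below is an added example for this digest, not a tool from any of the cited sources: it walks a web root, lists every directory holding a #README.lilocked note, and counts the neighbouring files by extension so the responder can see how much targeted content (the HTML, SHTML, JS, CSS, PHP and INI types named above, plus common image extensions, which are an assumption here) sits next to each note. The sample directory tree is constructed in a temporary directory.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "#README.lilocked"  # note file name reported for lilu/lilocked
# Extensions reported as targeted (HTML, SHTML, JS, CSS, PHP, INI) plus common
# image types; the image list is an assumption since reports only say "image formats".
TARGETED_EXT = {".html", ".shtml", ".js", ".css", ".php", ".ini",
                ".jpg", ".jpeg", ".png", ".gif"}

def find_ransom_notes(root):
    # Every directory (relative to root, POSIX style) that contains the note.
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if RANSOM_NOTE in filenames:
            hits.append(Path(dirpath).relative_to(root).as_posix())
    return sorted(hits)

def triage(root):
    # For each affected directory, count the files beside the note by extension
    # and how many of them are of a type the ransomware is reported to target.
    root = Path(root)
    report = {}
    for rel in find_ransom_notes(root):
        counts = Counter()
        for entry in (root / rel).iterdir():
            if entry.is_file() and entry.name != RANSOM_NOTE:
                counts[entry.suffix.lower()] += 1
        targeted = sum(n for ext, n in counts.items() if ext in TARGETED_EXT)
        report[rel] = {"files": dict(counts), "targeted_files": targeted}
    return report

def build_sample_tree(base):
    # Constructed fixture: a small web root with two affected folders and one clean one.
    base = Path(base)
    layout = {
        "var/www/site": ["index.html", "style.css", "notes.txt", RANSOM_NOTE],
        "var/www/site/img": ["logo.png", "banner.jpg", RANSOM_NOTE],
        "var/www/site/bin": ["deploy.sh"],
    }
    for rel, names in layout.items():
        folder = base / rel
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).write_text("sample content\n")
    return base

def run_demo():
    # Build the fixture in a temporary directory, triage it, and return the report.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)
```

Point `triage()` at a real document root (read-only, ideally on a mounted image rather than the live server) to get the same per-directory report; `find_ransom_notes()` alone is enough to scope which folders were touched.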

Sources:

https://www.bleepingcomputer.com/news/security/lilocked-ransomwareactively-targeting-servers-and-web-sites/

https://www.zdnet.com/article/thousands-of-servers-infected-with-newlilocked-lilu-ransomware/

https://fossbytes.com/lilocked-ransomware-infected-linux-servers/

Does Anyone Else Know Where Your Children Are

    Keeping track of your child’s whereabouts has never been easier. A quick search on Amazon shows thousands of entries for low-cost GPS trackers designed to be worn by children and linked to an app on the parent’s smartphone. However, the appeal of the low cost comes at a much larger price. Researchers from Avast found a handful of vulnerabilities in 29 models of GPS trackers made by the Chinese company Shenzhen i365. They found that an attacker with an internet connection can use the GPS to track the location of the wearer, spoof the location data of the device, and even access the microphone of the device to eavesdrop on the wearer. This is because the communication between the device, the cloud, and the companion mobile app uses the unencrypted HTTP protocol, which allows a man-in-the-middle (MitM) attack in which an attacker can listen in on the communication and alter the data being sent or received.

    In addition, the user account, which is associated with an ID number, ships with a default password of 123456. The researchers found that the ID number is not assigned randomly; it is derived from the device’s IMEI number, a 15-digit identifier given to mobile and satellite phones. With this knowledge, the researchers could log into the accounts of about 25% of the devices in the sequence of IMEI numbers, which would allow them to see the real-time location of the devices on those accounts. Avast estimated that over half a million people are using GPS trackers affected by these vulnerabilities.

    Despite the manufacturer’s location in China, the researchers found that the GPS trackers were also widely used in the United States and elsewhere around the world. Avast attempted to privately contact the manufacturer about these vulnerabilities but has not received a response. A senior researcher stated that “we have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices.” When shopping for any IoT device, it can be tempting to go with the low-cost, off-brand option, especially when the name-brand device can be so much more expensive. However, the cheaper option has often skimped on, or simply omitted, basic security measures to reduce cost. The researchers advised consumers to do their research and buy from respected vendors. These devices are designed to provide peace of mind, but in reality they make the wearer more vulnerable, not less.

Sources:

https://thehackernews.com/2019/09/gps-tracking-device-for-kids.html

https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers/