My information Resource (blog.mir.net)

    A hacker called SandboxEscaper disclosed an unpatched zero-day exploit affecting the Windows® operating system. This is the third zero-day exploit SandboxEscaper has disclosed in the last six months. The first exploit was a privilege escalation vulnerability taking advantage of the Advanced Local Procedure Call. SandboxEscaper also released a proof-of-concept (PoC) confirming that the first exploit worked on a fully-patched 64-bit version of Windows 10. The second exploit was another privilege escalation flaw that resided in Microsoft® Data Sharing (dssvc.dll). This exploit allowed lower-privileged users to delete files that normally would only be available to admin level users. They also released a PoC, confirming that the exploit works on a fully patched version of Windows 10, Server 2016, and Server 2019, but doesn’t affect older versions of Windows because dssvc.dll was introduced in Windows 10. 
    The most recent exploit is “…an arbitrary file read issue” that could allow a malicious program to read the content of any file on a targeted Windows computer that would normally only be accessible with admin privileges. This vulnerability exists within a function in Windows called MsiAdvertiseProduct, which is used to generate advertising scripts, advertise products to the computer, and enable the installer to write the registry and shortcut information used to assign or publish a product to a script. According to SandboxEscaper, this exploit could allow a malicious program to force the installer to make a copy of any file in the system, regardless of privileges, and read its content. They also released a PoC, however, their GitHub account has been taken down since releasing this exploit. Their Twitter account has been suspended, as well as their alternate account. Finally, SandboxEscaper may be under investigation by the FBI. They posted a screenshot of an email from Google stating “Google has received legal process by the Federal Bureau of Investigation (Eastern District of New York) compelling the release of information related to your Google account.”
   This blog post has since been removed, as has the blog posts disclosing the various exploits, but the screenshot can still be found on Twitter reposted by other hackers. The motive of this subpoena is unknown at the moment, though, as SandboxEscaper allegedly tweeted something containing a threat against the President of the United States. The tweet was quickly deleted and we are unable to locate any screenshot or mention of the specific contents of the tweet.   
Sources: 
• https://thehackernews.com/2018/08/windows-zero-day-exploit.html  
• https://thehackernews.com/2018/10/windows-zero-day-exploit.html  
• https://thehackernews.com/2018/12/windows-zero-dayexploit.html  
• http://www.ncsl.org/research/telecommunications-andinformation-technology/cybersecurity-legislation-2018.aspx

    Oil and gas companies within the Middle East and Russia have once again been targeted and attacked by various strains of malware. One of the strains appears to be the third version of the Shamoon worm that ran rampant in 2016, and the other one is known as Seedworm, named after the cyber espionage group that created it.

    Shamoon was built as a master boot record eraser that infected Windows® based machines so that once exploited they could not reboot once turned off. Back in 2016, Shamoon spread by using a list of hostnames taken directly from the Active Directory of a compromised host. Version 3 has discarded this method of infection and follows in the footsteps of WannaCry and NotPetya, propagating over compromised networks using the Server Message Block protocol within Windows. 300 servers and 100 personal computers out of a total of 4000 machines have been crippled in the attack against Italian oil and gas contractor Saipem. Luckily no data was lost due to the company backing up their systems, proving the importance of having proper disaster recovery policies in place.
Seedworm has infiltrated more than 30 organizations already, with most of the targets within the Middle East and Russia. Telecommunications and IT services were the main targets due to the fact that agencies could provide the hackers with additional targets to attack, but the second target were businesses in the oil and gas industry. Seedworm uses a tool called Powermud, a custom made script that allows the threat actors to evade detection in systems that Seedworm compromises. Once compromised, Seedworm executes a payload that scans through web browsers and email to steal credentials, giving researchers the opinion that gaining access to victim personal information is the hacker group’s primary goal. Seedworm, also known as MuddWater or Zagos, is well known for constantly changing tactics. By relying on public tools available on repositories such as GitHub allows the group to quickly update and alter operations through only applying small changes to the code.

    The security of the gas and oil industries is essential to maintain stability in the nation’s critical infrastructure. As more and more malware strains become increasingly sophisticated in their execution, so should the enforcement of the policies and procedures to defend against them. With the digitization of the industry, over 50 percent of the managers responsible for the protection of the industry have said they are more vulnerable to cyber attacks then ever before.
Sources:
https://thehill.com/policy/cybersecurity/420616-security-firm-unveils-newtactics-of-active-cyber-espionage-group

https://www.bleepingcomputer.com/news/security/shamoon-disk-wiperreturns-with-second-sample-uncovered-this-month/

https://thehackernews.com/2018/12/shamoon-malware-attack.html?m=1

    Three months ago, security researcher Travis Ormandy from Google Project Zero detailed a significant flaw of which Logitech has finally released a patch. In his September 18th meeting the engineers at Logitech gave the impression that they understood the problem and had a fix in mind and were ready to roll out a patch immediately.

    The flaw in the Logitech Options application resides in the users ability to customize the behavior or buttons on their mice and keyboards. This feature is enabled by an app that leaves a WebSocket server on the system that the app is installed upon. That server supports several intrusive commands, auto-starts due to a registry entry, and has a very flimsy authentication method. 
Travis details in his report: “The only ‘authentication’ is that you have to provide a Process ID (PID) of a process owned by your user, but you get unlimited guesses so you can brute force it in microseconds.” Once a malicious actor puts in the microseconds of work needed to gain access they can send commands, change options or even send keystrokes. This suggests that the app could be a fantastically powerful attack platform locally or even remotely through the use of keystroke injection attacks.

     Injection attacks can give an actor the ability to create other attack vectors within an organization. They can farm information from infected systems like email and contact information, install additional malware like keyloggers or botnets, or even perform a total system take over. An exploit like this can very easily be used to gain additional access to other systems or servers within an organization. In turn, that can easily turn into a massive data breach and/or loss of customer data. Alternatively it can be used to gain banking information or even direct access, turning your keyboard or mouse into a platform to exploit a less security-conscious home user’s banking or credit card information, access medical records or log passwords, or even add them to a botnet.

     Ormandy details that the issue was not resolved in the October 1st release of the Options app. After giving Logitech three months to fix the issue, he decided to go public with his bug report. It seems that the bug report had some traction on twitter by Dec 11th pointing out that the problem exists on the Mac versions as well. The patch was released Thursday Dec 13th. Ormandy continues to show skepticism that Logitech will act promptly without the threat of bad publicity.

Sources:

https://www.zdnet.com/article/logitech-app-security-flaw-allowed-keystrokeinjection-attacks/

https://threatpost.com/logitech-keystroke-injection-flaw/139928/

If you every attended any of my security talks i talk about the risks of surfacing the web or installing software you not sure of… Well Microsoft gave us a gift this week on the windows 10 Beta Build 18305 they have introduced an great new feature Windows Sandbox !

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

How many times have you downloaded an executable file, but were
afraid to run it? Have you ever been in a situation which required a
clean installation of Windows, but didn’t want to set up a virtual
machine?

At Microsoft, we regularly encounter these situations, so we
developed Windows Sandbox: an isolated desktop environment where you can
run untrusted software without the fear of lasting impact to your
device. Any software installed in Windows Sandbox stays only in the
sandbox and cannot affect your host. Once Windows Sandbox is closed, all
the software with all of its files and state are permanently deleted.

Windows Sandbox has the following properties:

• Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
• Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
• Disposable – nothing persists on the device; everything is discarded after you close the application
• Secure – uses hardware-based virtualization for
  kernel isolation, which relies on the Microsoft Hypervisor to run a
  separate kernel which isolates Windows Sandbox from the host
• Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

To install Windows Sandbox, go to Settings > Apps > Apps & Features > Programs and Features > Turn Windows Features on or off, and then select Enable Windows Sandbox.

To start Windows Sandbox, open the Start menu, enter Windows Sandbox and then select it.

For more info and details go here

Dropbox recently revealed three critical security vulnerabilities in MacOS that would allow execution of arbitrary programs on a target machine triggered just by visiting a webpage. The vulnerabilities were found by the cybersecurity firm Syndis, who were hired for red team exercises on Dropbox’s infrastructure. The three vulnerabilities by themselves were of minimal actual security impact on their own but when chained together could be used to compromise a target machine by simply getting them to visit a webpage.
The first vulnerability found (CVE-201713890) allowed a malicious webpage to force the target machine to mount an arbitrary disk image. This was due to a content identifier conflict in the Safari web browser. When known filetypes are handled in the Safari browser actions are taken to handle the media automatically. Usually this results in things like a media player opening to handle a download or a PDF client opening a document. But due to the same identifier being defined in multiple locations the wrong action was taken when downloading a .smi file.
The second vulnerability (CVE-20184176) starts the execution path of the arbitrary files in the disk image downloaded by the first vulnerability. During creation of a disk image the creator is able to use the bless utility to set specific options. One of those is —openfolder which allows Finder to open an arbitrary folder upon mounting a disk image. By pointing to a bundle file instead of a folder it will be executed when the image is mounted. Being able to launch the application isn’t quite enough though because the Gatekeeper utility prevents unsigned code from actually launching until it is whitelisted. 
The third vulnerability (CVE-2018-4175) allows launch of an arbitrary program from the malicious disk image without any security checks. The first step is to include a legitimate signed binary in the image, like the Terminal app. At this point the researchers tried launching a malicious script through the Terminal app but it was still blocked due to the quarantine flag being set. This is set when applications are downloaded from the internet and is cleared when the user explicitly says that the application is safe. By modifying the Info.plist for the bundle they were able to associate a new filetype with the Terminal app. When launching the newly associated filetype the quarantine flag was not checked and code execution was achieved.
This vulnerability chain highlights how a string of seemingly not serious vulnerabilities can often be strung together to achieve a compromise. The vulnerabilities were reported to Apple in February and patched in their March security update.

Sources
https:// thehackernews.com/2018/11/applemacos-zeroday.html
https://blogs.dropbox.com/ tech/2018/11/offensive-testing-tomake-dropbox-and-the-world-asafer-place/
and Peraton

This is an article from Microsoft that i thought was intresting..

Anyone may receive an unwanted phone call or experience a pop-up window on your device with a “warning” that your computer has a problem requiring immediate tech support. These messages are often very convincing and use scare tactics to entice consumers into contacting a fraudulent “tech support” call center. Call center operators typically encourage the victim to provide remote access to their device for “further diagnosis” before charging the victim a fee – typically between $150 – $499 – for unnecessary tech support services. In addition to losing money, victims leave their computer vulnerable to other attacks, such as malware, during a remote access session.

Tech support fraud operations typically involve multiple entities including those engaged in marketing, payment processing and call centers. Recent law enforcement successes in India build on a solid track record of global law enforcement taking action to combat the multiple layers of tech support fraud supported by referrals from Microsoft and other industry partners. For example, the U.S. Federal Trade Commission and multiple partners announced 16 separate civil and criminal enforcement actions against tech support fraudsters in May 2017 as part of “Operation Tech Trap.”  And, in June 2017, the City of London Police announced the arrest of four individuals engaged in computer software services fraud.
Our work to partner with law enforcement agencies in addressing this problem is driven by a combination of technology and action taken by our customers. In 2014, Microsoft launched an online “report a scam” portal to enable victims to share their tech support fraud experiences directly with our Digital Crimes Unit team. The reports have been a critical starting point for our international investigations and referrals. Our data analytics and innovation team has added additional tools to proactively hunt and pull data from approximately 150,000 suspicious pop-ups daily targeting millions of people and use machine learning to identify those related to tech support fraud.
In addition to making referrals to law enforcement based on this data, we are building what we learn about cybercriminals’ behavior into improved products and services for consumers. Microsoft has built-in protection in Windows 10 which includes more security features, safer authentication and ongoing updates delivered for the supported lifetime of a device. Windows Defender delivers comprehensive, real-time protection against software threats across email, cloud and the web. The SmartScreen filter, built into Windows, Microsoft Edge and Internet Explorer, helps protect against malicious websites and downloads, including many of those frustrating pop-up windows. People who have experienced tech support scams should know they aren’t alone, but there are steps you can take to identify and help defend yourself against criminals looking to impersonate legitimate companies. According to our recently released 2018 global survey, three out of five consumers have experienced a tech support scam in the previous 12 months. Although this reflects movement in the right direction, and a 5-point reduction since 2016, these scams persist and successfully target people across all ages and geographies. The best thing you can do to help protect yourself from fraud is to educate yourself. If you receive a notification or call from someone claiming to be from a reputable software company, here are a few key tips to keep in mind:

• Be wary of any unsolicited phone call or pop-up message on your device.
• Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
• Do not call the phone number in a pop-up window on your device and be cautious about clicking on notifications asking you to scan your computer or download software. Many scammers try to fool you into thinking their notifications are legitimate.
• Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
• If skeptical, take the person’s information down and immediately report it to your local authorities

Go here
for more information

National Cyber Awareness System:

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between
the Department of Homeland Security (DHS) and the Federal Bureau of
Investigation (FBI). DHS and FBI are releasing this TA to provide
information about a major online ad fraud operation—referred to by the U.S.
Government as “3ve”—involving the control of over 1.7 million
unique Internet Protocol (IP) addresses globally, when sampled over a
10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and
large numbers of visitors to view those ads. 3ve created fake versions of both
(websites and visitors), and funneled the advertising revenue to cyber
criminals. 3ve obtained control over 1.7 million unique IPs by
leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as
well as Border Gateway Patrol-hijacked IP addresses. 

Boaxxe/Miuref
Malware

Boaxxe malware is spread through email attachments and drive-by downloads.
The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a
data center. Hundreds of machines in this data center are browsing to
counterfeit websites. When these counterfeit webpages are loaded into a
browser, requests are made for ads to be placed on these pages. The machines in
the data center use the Boaxxe botnet as a proxy to make requests for these
ads. A command and control (C2) server sends instructions to the infected
botnet computers to make the ad requests in an effort to hide their true data
center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by
downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden
Chromium Embedded Framework (CEF) browser on the infected machine that the user
cannot see. A C2 server tells the infected machine to visit counterfeit
websites. When the counterfeit webpage is loaded in the hidden browser,
requests are made for ads to be placed on these counterfeit pages. The infected
machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of
compromise (IOCs) below, keep in mind that any one indicator on its own may not
necessarily mean that a machine is infected. Some IOCs may be present for legitimate
applications and network traffic as well, but are included here for
completeness.

Boaxxe/Miuref
Malware

Boaxxe malware leaves several executables on the infected machine. They may
be found in one or more of the following locations:

• %UserProfile%AppDataLocalVirtualStorelsass.aaa
• %UserProfile%AppDataLocalTemp lt;RANDOM>.exe
• %UserProfile%AppDataLocal lt;Random eight-character folder
name> lt;original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the
executables created above.

• HKCUSoftwareMicrosoftWindowsCurrentVersionRun lt;Above path
to executable>

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may
be found on the infected machine:

• %UserProfileAppDataLocalTemp lt;RANDOM> .exe/.bat
• %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet
FilesContent.IE5 lt;RANDOM> lt;RANDOM FILENAME>.exe
• %UserProfile%AppDataLocal lt;RANDOM> lt;RANDOM>.lnk
• %UserProfile%AppDataLocal lt;RANDOM> lt;RANDOM>.bat

Kovter is known to hide in the registry under:

• HKCUSOFTWARE lt;RANDOM> lt;RANDOM>

The customized CEF browser is dropped to:

• %UserProfile%AppDataLocal lt;RANDOM>

The keys will look like random values and contain scripts. In some values, a
User-Agent string can be clearly identified. An additional key containing a
link to a batch script on the hard drive may be placed within registry key:

• HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun

There are several patterns in the network requests that are made by Kovter
malware when visiting the counterfeit websites. The following are regex rules
for these URL patterns:

• /?ptrackp=d{5,8}
• /feedrsd/click?feed_id=d{1,5}&sub_id=d{1,5}&cid=[a-f0-9-]*&spoof_domain=[w.d-_]*&land_ip=d{1,3}.d{1,3}.d{1,3}.d{1,3}
• /feedrsd/vast_track?a=impression&feed_id=d{5}&sub_id=d{1,5}&sub2_id=d{1,5}&cid=[a-fd-]

The following is a YARA rule for detecting Kovter:

Solution

If you believe you may be a victim of 3ve and its associated malware or
hijacked IPs, and have information that may be useful to investigators, submit
your complaint to www.ic3.gov and use the
hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware
infections associated with Boaxxe/Miuref or Kovter:

• Use
  and maintain antivirus software. Antivirus software recognizes and protects your
  computer against most known viruses. Security companies are continuously
  updating their software to counter these advanced threats. Therefore, it
  is important to keep your antivirus software up-to-date. If you suspect
  you may be a victim of malware, update your antivirus software definitions
  and run a full-system scan. (See Understanding Anti-Virus
  Software for more information.)
• Avoid
  clicking links in email. Attackers have become very skilled at making phishing
  emails look legitimate. Users should ensure the link is legitimate by
  typing the link into a new browser. (See Avoiding Social
  Engineering and Phishing Attacks.)
• Change
  your passwords. Your
  original passwords may have been compromised during the infection, so you
  should change them. (See Choosing and Protecting
  Passwords.)
• Keep
  your operating system and application software up-to-date. Install software patches
  so that attackers cannot take advantage of known problems or
  vulnerabilities. You should enable automatic updates of the operating
  system if this option is available. (See Understanding Patches and
  Software Updates for more information.)
• Use
  anti-malware tools. Using a legitimate program that identifies and removes
  malware can help eliminate an infection. Users can consider employing a
  remediation tool. A non-exhaustive list of examples is provided below. The
  U.S. Government does not endorse or support any particular product or
  vendor.
• ESET Online Scanner
• F-Secure
• Malwarebytes
• McAfee
• Microsoft
  Safety Scanner
• Norton Power Eraser
• Trend Micro HouseCall

References

• DOJ
  Press Release
• ewhitehats
  White Paper on Kovter Malware
• ewhitehats: THE
  HUNT FOR 3VE
• Google
  Security Blog: Industry collaboration leads to takedown of the “3ve” ad
  fraud operation