My information Resource (blog.mir.net)

    In the world of malware, almost all malicious software is based around Windows desktop or Linux server systems. Part of this is due to the widespread use of these systems as well as the architecture of the Linux core operating system. This makes it even more surprising when researchers from Intezer recently discovered a desktop Linux spyware application dubbed EvilGnome that no security or antivirus scanners detect yet.

    EvilGnome is a collection of modules designed to spy on a user’s system and exfiltrate data to an external Command & Control (C2) server controlled by the attacker. It is designed to appear as an extension of the Gnome GUI environment for Linux desktop.

    The malware is a self-extracting archive shell script that installs the modules and sets up persistence through use of the crontab. The modules are: • ShooterSound—records audio clips from the user’s microphone using PulseAudio. • ShooterImage—captures screenshots of the user’s desktop. • ShooterFile—scans the filesystem and is capable of filtering files by type and creation date. • ShooterPing—data exfiltration module, also capable of receiving new commands from the C2 server and stopping other modules from running. • ShooterKey—possible keylogger module that appears to be unfinished.

    Many of the modules appear to be very limited or missing some functionality. Also, metadata about the malware’s creation was included in the upload to VirusTotal, leading the researchers to believe this was a prototype version of the malware that was mistakenly released.

    Intezer researchers believe the malware to be tied to the Russian-affiliated group Gamaredon. Not only does EvilGnome use the same hosting provider as Gamaredon for C2 servers and similar domain names such as .space and .ddns, it was also found on an IP address controlled by Gamaredon 2 months ago and uses techniques and modules similar to Gamaredon’s collection of Windows tools. 
To check if a Linux system is infected, look for an executable called gnome-shell -ext in the ~/.cache/gnome-software/gnome-shell-extensions  directory.

Sources:

• https://thehackernews.com/2019/07/linux-gnome-spyware.html

• https://www.bleepingcomputer.com/news/security/new-evilgnome-backdoor-spies-on-linux-users-steals-their-files/

• https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/

Hardware/Server
Virtualization is a foundational technology in a cloud computing environment
and the hypervisor is the key software in that virtualized infrastructure.
However, hypervisors are large pieces of software with several thousand lines
of code and are therefore known to have vulnerabilities. Hence, a capability to
perform forensic analysis to detect, reconstruct and prevent attacks based on
vulnerabilities on an ongoing basis is a critical requirement in cloud
environments.

To gain a better understanding of
recent hypervisor vulnerabilities and attack trends, identify forensic
information needed to reveal the presence of such attacks, and develop guidance
on taking proactive steps to detect and prevent those attacks, NIST has
published NIST Internal Report (NISTIR) 8221, “A Methodology
for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data.”
NISTIR 8221 outlines a methodology to enable this forensic analysis, and
illustrates the methodology using two open-source hypervisors—Xen and Kernel-based
Virtual Machine (KVM). The source for vulnerability data is NIST’s National
Vulnerability Database (NVD).

Publication details:
https://csrc.nist.gov/publications/detail/nistir/8221/final

CSRC Update:
https://csrc.nist.gov/news/2019/nist-publishes-nistir-8221 

NIST
announces the release of a Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding
Emerging Blockchain Identity Management Systems (IDMS), which
provides an overview of the standards, building blocks, and system
architectures that support emerging blockchain-based identity management
systems and selective disclosure mechanisms. The document also considers the full spectrum of top-down versus bottom-up
governance models for both identifier and credential management and addresses
some of the risks and security concerns that may arise. The terminology, concepts, and properties introduced in
this work can facilitate communications amongst business owners, software
developers, cybersecurity professionals within an organization, and individuals
who are or will be using such systems.

A public comment period for this document is
open until August 9, 2019. See the publication details link for
a copy of the document and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft

CSRC update:
https://csrc.nist.gov/news/2019/draft-white-paper-emerging-blockchain-idms

The United Kingdom’s National Cyber Security Centre (NCSC) has released an
advisory about an ongoing Domain Name System (DNS) hijacking campaign. The
advisory details risks and mitigations for organizations to defend against this
campaign, in which attackers use compromised credentials to modify the location
to which an organization’s domain name resources resolve to redirect users,
obtain sensitive information, and cause man-in-the-middle attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages
administrators to review the NCSC
Advisory, apply the recommended mitigations, and refer to CISA’s Alert AA19-024A – DNS
Infrastructure Hijacking Campaign for more information.

    NIST
announces the release of a Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding
Emerging Blockchain Identity Management Systems (IDMS), which
provides an overview of the standards, building blocks, and system
architectures that support emerging blockchain-based identity management
systems and selective disclosure mechanisms. The document also considers the full spectrum of top-down versus bottom-up
governance models for both identifier and credential management and addresses
some of the risks and security concerns that may arise. The terminology, concepts, and properties introduced in
this work can facilitate communications amongst business owners, software
developers, cybersecurity professionals within an organization, and individuals
who are or will be using such systems.

    A public comment period for this document is
open until August 9, 2019. See the publication details link for
a copy of the document and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft

CSRC update:
https://csrc.nist.gov/news/2019/draft-white-paper-emerging-blockchain-idms

                Go Here to read about this from Catalin Cimpanu @ ZDnet.

    The U.S. Food and Drug Administration released a warning last week recalling certain Medtronic MiniMed insulin pumps over concerns that the device may be vulnerable to cyber attacks. The warning comes after researchers found that an attacker with adjacent access was able to wirelessly communicate with the device and alter the pump settings, either providing or restricting insulin to a patient. These insulin pumps are meant to communicate wirelessly with other medical devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. The models specifically impacted are the Medtronic MiniMed insulin pumps, the MiniMed 508 insulin pump, and the MiniMed Paradigm series which are collectively used by approximately 4,000 patients in the U.S., according to Medtronic. 

    This vulnerability is described by CVE2019-10964 and has been assigned a score of 7.1 out of 10, designating it as a high severity vulnerability. The core of the vulnerability revolves around improper access control when associating with other devices. The researchers state that the wireless RF communication protocol doesn’t properly implement authentication or authorization, two important factors that mediate network access. In computer security, authentication refers to the mechanism by which a device is proven to be a legitimate user and authorization refers to the resources that the device has access to. The researchers found that an attacker with sufficient access can inject, replay, alter, or interpret data from the vulnerable insulin pumps. Medtronic is urging patients affected by this vulnerability to talk to their healthcare provider about exchanging their insulin pump for a newer model with appropriate security measures.

    While this exploit has not been seen in the real world and there are no known reports of patient harm resulting from it, there are precautions that users of wirelessly connected medical equipment can take to protect themselves. Ensuring that no one tampers with the medical device or other devices connected to it, refrain from sharing the serial number, noticing any alarms or alerts made by the device, and immediately canceling any unintended actions that are made by the medical device are all good steps to take. While it is always important for companies to implement proper security protocols in their devices, it’s even more important when there is the potential for serious harm to an end user, such as in the medical field. As more of these important systems become connected, the need for good security implementation becomes more and more important.

Sources
• https://threatpost.com/fda-warns-ofpotentially-fatal-flaws-in-medtronicinsulin-pumps/146109/

• https://www.fda.gov/news-events/Press-announcements/fda-warnspatients-and-health-care-rovidersabout-potential-cybersecurityconcerns-certain

• https://www.us-cert.gov/ics/advisories/icsma-19-178-01

    Smart locks have been increasing in popularity for the last few years. They provide a number of conveniences that make them an enticing option for people looking to replace their current locks. Things like automatically unlocking as you approach with your hands full or allowing a friend to unlock the door only when you’re on vacation sound great at first. But the risks of poorly secured and designed smart locks may outweigh those conveniences.

    Pen Test Partners along with 2 additional researchers, @evstykas and @cybergibbons, recently took a look at the U-tec Ultraloq and found a number of critical vulnerabilities that would allow an unauthorized person to bypass the lock. The first vulnerability they found was that their application API leaks data about the users of the locks, including the physical location of where the lock is. The second vulnerability found in their API is much more interesting though. By simply changing the user ID value during the login process you can impersonate any other user and have full control of their locks. Pairing these 2 vulnerabilities together means you would first be able to find installations of these locks and then unlock them when you get there.

    The researchers also spent some time looking at the Bluetooth based proximity unlocking feature. Due to a poor encryption implementation in the app and lock they were able to develop a brute force attack capable of unlocking the lock. This attack would allow someone to open an Ultraloq without requiring knowledge of who the lock belongs to like in the first attack. These 2 attacks alone allow complete bypass of the smart lock, but what if the attacker isn’t very technical? No problem, the lock is also easily picked. By inserting a thin pick into the body of the lock an attacker is able to shim the mechanism and open the lock with ease. The fallback physical lock mechanism was also easily picked by the researchers using only basic lockpicking techniques.

    The Ultraloq isn’t the only smart lock smart lock to have showstopping vulnerabilities and probably won’t be the last. Smart home products, especially security related ones have been a popular target for researchers since they first hit the market. If you’re considering a smart lock it is important to research the specific model being considered and stick to trusted manufacturers. Even still there is no guarantee that the lock won’t have a vulnerability found at some point so it is also important to apply firmware updates when they become available from the manufacturer. Ultraloq released a fix for their API last week but have not provided an update for the Bluetooth vulnerability yet.

Sources:

• https://threatpost.com/smart-lock-turns-out-to-be-not-so-smart-orsecure/146091/

• https://www.pentestpartners.com/security-blog/the-not-so-ultra-lock/

    When something is free, chances are pretty high that “the user” is the product. Services that are free usually generate value for the creator or provider by sharing exposure with advertisers or perhaps using the data collected from the “free” product for other means such as market studies or product testing before a final product. But sometimes free is the juicy apple with a parasite waiting to land its hook inside the consumer’s gut.

    Researchers from ESET and Malwarebytes labs have found cryptominers within high end music production software products provided for free to download and use. Named LoudMinerby ESET and simultaneously named Bird Miner by MalwareBytes Labs, the cryptominer hides by bundling itself inside already large files. The pirated versions of Virtual Studio Technology programs seem to function normally except that they are slower due to increased processor load. This obfuscation not only hides the existence of the additional malicious installation software, but also focuses their targets on users with high processing power: users who need to process visual and audio media. These two operate themselves within a lightweight virtual machine(VM) in the background. This keeps it hidden from the user, but also generalizes itself for both Mac, Windows, and Linux users, lowering the skill threshold of the developer.

    The cryptominer hides itself once installed by watching the usage of the Activity Monitor, pausing its functions when it might be watched and can consume of up to 90% of the CPU. While the user might notice difficulties, troubleshooting it will be more troublesome than just looking at what’s running. It can even detect what kind of CPU is used and how many cores are available, running up to two VMs simultaneously to more efficiently siphon off processing power. The Mac version runs QEMU, and the Windows version runs VirtualBox, and while the installation of the emulators require a trust verification, they name themselves “Oracle Corporation Network Service” to disguise their clandestine nature while setting the folders to which they are installed to hidden. The VM runs a version of Linux called Tiny Core Linux 9.0 and is set to mine Monero using XMRig, mining to a Mining pool. Profits are shared with other Monero users in the mining pool, but they are also untraceable to the attacker.

    It is always inadvisable to use pirated software, but if one ends up using software from less than reputable sources, be wary of unexpected CPU consumption, trust requests, services, or launch Daemons. While it can be nice to provide some value to a service that is otherwise free, it’s definitely better when you’re an aware and willing participant.

Sources

• https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/
• https://blog.malwarebytes.com/mac/2019/06/new-mac-cryptominer-malwarebytes-detects-as-bird-miner-runs-by-emulating-linux/