  2. #602
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,834
    SIEMonster are pleased to announce a new product range of affordable Micro SIEM appliances designed to monitor the Internet of Things (IoT) in your home or business. SIEMonster have developed a low cost SIEM appliance codenamed “Redback” for IoT security monitoring. Customers can now receive device alerts, hacker attempts or firmware updates instantly to their smart phones or mobile devices using the SIEMonster Redback smartphone application.

    My fridge is as dumb as a fucking rock.


    https://siemonster.com/siemonster-mi...em-appliances/

  3. #603 harrybarracuda
    Windows Defender Browser Protection for Google Chrome first look

    by Martin Brinkmann on April 19, 2018 in Google Chrome - Last Update: April 19, 2018 - No comments

    Microsoft published the new security extension Windows Defender Browser Protection for Google Chrome yesterday which adds another link vetting mechanism to Chrome to protect users against phishing and other malicious types of sites.

    Google Chrome protects users against malicious and deceptive sites already but Microsoft believes that its technology offers better protection against phishing attacks than Google's does.

    The company cites a 2017 study by NSS Labs in which Microsoft Edge blocked 99% of all phishing attacks while Chrome and Firefox blocked only 87% and 70% of all attacks respectively.

    Microsoft published the extension for Google Chrome exclusively but it installs in other Chromium-based browsers as well albeit with some issues. In Vivaldi, for instance, it did not display the extension icon. The missing icon does not mean that the extension's checking of sites does not work, but that you can't interact with the icon directly.

    Initial user reviews indicate, however, that the extension does not work on Chrome OS right now.

    Windows Defender Browser Protection adds an icon to Chrome's main toolbar when it is installed. You can interact with the icon, but the only options that it provides are to enable or disable the protection, and to click on links to open the privacy statement, give feedback to Microsoft, or open "learn more" links.

    The browser extension adds its capabilities to Chrome without interfering with the browser's built-in protection against deceptive sites which means, at least in theory, that the protection won't get worse after installing Microsoft's extension for Chrome. I don't really know what happens if Microsoft's extension and Google's built-in protection are triggered on the same page, though. My best guess is that Chrome's built-in functionality will kick in then but that remains to be tested.

    Windows Defender Browser Protection brings the phishing protection that Microsoft uses for Edge to Google Chrome and therefore also to non-Windows systems. I'm not sure why Microsoft would bring one of the few advantages that Edge has over Google Chrome to the competing browser but the most likely explanation is that Microsoft gets additional data out of it that it will process, and that the collected data trumps giving up that advantage.

    The extension has no privacy policy of its own which makes it impossible to tell which data Microsoft collects and how the company processes the data.

    https://www.ghacks.net/2018/04/19/wi...me-first-look/


  4. #604 harrybarracuda
    Dubai's Careem hit by cyber attack affecting 14 million users

    Reuters Staff

    DUBAI (Reuters) - Careem, Uber’s main ride-hailing app rival in the Middle East, was hit by a cyber attack that compromised the data of 14 million users, it said on Monday.

    The company learned of the breach, in which access was gained to a computer system that stored customer and driver account information, on January 14, it said in a statement.

    Names, email addresses, phone numbers and trip data were stolen, though there was no evidence that passwords or credit card information - held on external third-party servers - were compromised, it said.

    At the time of the attack, Careem had 14 million customers and 558,000 drivers on its platform operating in 78 cities across the region, a company spokesman told Reuters. Users who have signed up since the attack were not affected.

    The company, one of the region’s most prominent start-ups, apologized to its users, saying it “has learned from this experience and will come out of it a stronger and more resilient organization”.

    News of the attack comes at a sensitive time for Careem, as it tests investor appetite for a bid to raise as much as $500 million to fund new business lines. It completed a funding round of the same amount last year.

    Careem, founded in 2012, already counts Saudi Arabia’s Kingdom Holding, German carmaker Daimler and Chinese ride-hailer DiDi Chuxing among its investors.

    The company has previously said it is targeting profitability in the second half of 2018. It has also said that an initial public offering is an option under consideration.

    Reporting by Katie Paul; Editing by Ghaida Ghantous and David Goodman

    https://www.reuters.com/article/us-c...-idUSKBN1HU1WJ




  5. #605 harrybarracuda
    Millions of Hotel Rooms Are at Risk of 'Master Key' Hack

    Millions of hotel rooms are at risk of being unlocked with a “master key” hack.

    Security researcher F-Secure revealed on Wednesday that hotel rooms in 166 countries and 40,000 locations are at risk of being unlocked and opened by hackers who have exploited software in electronic keys created by Assa Abloy, formerly known as VingCard. According to the researchers, whose claims were earlier reported on by Gizmodo, the software running on those keys, called Vision, has a vulnerability that allows criminals to create master keys and open any door in the facility.


    In order to exploit the flaw, hackers need a single hotel room key. They then use an RFID reader to try several key combinations to decode the card. In most cases, according to the security researchers, about 20 key combinations are required before the code is determined and the master key is created for the hotel. Worse yet, the whole process takes only one minute to complete.


    Breaking into hotel rooms is nothing new. But electronic key cards have taken the place of traditional locks and keys due in large part to the assumption of improved security. But with technology comes the possibility of software or hardware failing to provide enough security and causing problems. And according to F-Secure, that’s what happened with the hotel room keys it’s analyzed.


    It’s unknown whether anyone has actually exploited the threat and F-Secure has not released its techniques. The researchers are, however, working with Assa Abloy to address the problem. In an interview with Gizmodo, the researchers said Assa Abloy has taken their findings “very seriously from the beginning.”

    A software patch has been developed and hotels are now being urged to update their software. Once the patch is applied, their hotel rooms will no longer be susceptible to the hack.


    Assa Abloy did not respond to a Fortune request for comment on the findings.

    'Master Key' Hack Opens Millions of Hotel Rooms | Fortune

  6. #606
    Member

    Join Date
    Jan 2008
    Last Online
    26-09-2022 @ 04:13 AM
    Location
    khon kaen
    Posts
    420
    ^ So do outfits like F-Secure get paid by these companies for finding exploits, or are they kind of blackmailing them when they find vulnerabilities?

  7. #607 harrybarracuda
    Quote Originally Posted by parryhandy View Post
    ^ So do outfits like F-Secure get paid by these companies for finding exploits, or are they kind of blackmailing them when they find vulnerabilities?
    They get publicity for their products by finding these vulnerabilities.

  8. #608 harrybarracuda
    New Gmail has automated scans -- here’s what you can and can’t turn off
    Google releases several new features for its Gmail update, including scans through your emails to help with convenience and security. Some are there for good.


    The refreshed Gmail has multiple new features designed to make sorting through your inbox more convenient. But it also means having Google's artificial intelligence automatically sifting through your messages.


    Google announced the Gmail update on Wednesday, giving a major facelift to more than 4 million paying businesses that use G Suite, the professional version of Google's productivity apps. One of the new features includes using AI scans for emails, for Smart Nudge, Smart Reply and high-priority notifications.


    Smart Nudge reminds people if they didn't respond to an email after a set amount of days. High-priority notifications look through your emails, determine what's important, and choose which ones to notify you about. Smart Reply, which offers canned responses to emails, has been available on mobile platforms since the introduction of Google's standalone Inbox app in May 2017.


    Considering how much data Google has on its users -- which often exceeds data collected from Facebook -- the new features' scans might not be worth giving up your privacy. This debate arises as Facebook deals with a firestorm over how it handles user data, which has forced people to reassess how our data is being collected and used.


    The good news: the new Gmail gives users the option to shut off some of these scans. The bad news: you don't have complete control.


    What you can control


    - Smart reply
    - Nudging
    - High priority notifications


    "There isn't a way to turn off security processing, but users may turn off features like Smart Reply and Nudging in Settings," Brooks Hocog, a Google spokesman, said.


    You'll be able to do it in your settings on the new Gmail once the features are available. They haven't rolled out yet, but should be available in coming weeks, Google said.


    What you can't turn off


    - Security features


    Google introduced its AI security features last May, blocking anything it determines is spam, phishing or malware.


    There's some justification for why those security settings are mandatory. With more than 1.2 billion users, Gmail is a major target for cybercriminals. About 50 percent to 70 percent of messages in Gmail's inboxes are spam, according to the company.


    Google declined to disclose how long it keeps data from Gmail scans.


    The company also stressed that none of the scans will contribute to advertising. Google used to scan Gmail messages to help serve ads based on your personal information, but stopped last June.


    Privacy concerns with big tech have moved into the spotlight as people start to take issues with just how much companies know about us. Facebook served as a catalyst to the debate after its Cambridge Analytica scandal, where information on 87 million people was obtained through an oversight on how much data its apps could get.


    So even if you turn off Gmail's newest AI scanning features, you should know: Google's algorithms are still searching through your messages -- just for other purposes.


    https://www.cnet.com/news/the-new-gm...cant-turn-off/

  9. #609
    Thailand Expat misskit's Avatar
    Join Date
    Dec 2009
    Last Online
    @
    Location
    Chiang Mai
    Posts
    48,427
    Computer users warned against GhostSecret operation

    BANGKOK, 1st May 2018 (NNT) - The Ministry of Digital Economy and Society has warned computer users of a new malware, which can damage information on computers, under Operation GhostSecret by a group of hackers named Hidden Cobra.

    The Deputy Permanent Secretary for Digital Economy and Society, Gp. Capt. Somsak Khaosuwan, said Thailand Computer Emergency Response Team (ThaiCERT) had reported on the investigation conducted by experts at McAfee that identified the Operation GhostSecret.

    The GhostSecret was found using servers in Thailand to attack and destroy infrastructure agencies, entertainment industry and financial and public health sectors. It has attacked more than 17 countries, including Thailand.

    People are advised not to download unknown files and to regularly update their operating systems and antivirus software.



    National News Bureau Of Thailand | Computer users warned against GhostSecret operation

  10. #610 harrybarracuda
    Heheheh

    Further investigation into the control server infrastructure reveals the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server 203.131.222.83, used by the February 2018 implant. This server resides at Thammasat University in Bangkok, Thailand.
    https://securingtomorrow.mcafee.com/...ata-worldwide/

  11. #611 harrybarracuda
    Twatter fans take note:

    https://blog.twitter.com/official/en...nt-secure.html

    (Translation: They fucked up again).

  12. #612 harrybarracuda
    New Rowhammer attack can be used to hack Android devices remotely

    Researchers from Vrije Universiteit in Amsterdam have demonstrated that it is possible to use a Rowhammer attack to remotely hack Android phones.


    What is a Rowhammer attack?

    “The Rowhammer attack targets the design of DRAM memory. On a system where the DRAM is insufficiently refreshed, targeted operations on a row of DRAM memory may be able to influence the memory values on neighboring rows,” the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University succinctly explained.


    The result of such an attack is that the value of one or more bits in physical memory (in this case GPU memory) is flipped, and may offer new access to the target system.

    Successful Rowhammer attacks have been previously demonstrated against local machines, remote machines, and Linux virtual machines on cloud servers.

    The GLitch attack

    The researchers dubbed their attack “GLitch,” as it leverages WebGL, a JavaScript API for rendering interactive graphics in web browsers, to determine the physical memory layout of the DRAM memory before starting the targeted Rowhammer attack.

    Vulnerable smartphones can be targeted by tricking users into visiting a website hosting a malicious JavaScript. A successful exploitation results in malicious code being run on the devices, but just within the privilege of the browser, meaning that a complete compromise of the device is not possible but password theft is.

    “The impact of combining both the side-channel attack and rowhammer attack has been demonstrated to bypass the Firefox sandbox on the Android platform,” the SEI CERT division noted.

    “It is important to realize that the GLitch attack has only successfully been demonstrated on the Nexus 5 phone, which was released in 2013. The Nexus 5 phone received its last software security update in October, 2015, and is therefore an already unsafe device to use. Several other phones released in 2013 were tested, but were not able to successfully be attacked with the GLitch attack. Success rates on phones newer than 2013 models were not provided. Non-Android devices were not tested as well.”

    The researchers have told Wired that the attack can be modified to target different phone architectures and different browsers.

    To mitigate the risk of this particular attack, Google and Mozilla have already released updates for Chrome and Firefox that disable the high precision WebGL timers leveraged to leak memory addresses.

    More technical details about GLitch can be found in this paper.

    https://www.helpnetsecurity.com/2018...ttack-android/

  13. #613 harrybarracuda
    Cheeky Russian fuckers....

    "The ransomware targets users in the USA, Kuwait, Germany, Iran and avoids targeting user in Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan".


    New Variant of SynAck Ransomware uses the Doppelgänging technique

    Researchers have discovered a new variant of SynAck ransomware which uses the Process Doppelgänging technique.

    Process Doppelgänging is a new code injection technique which utilizes the Windows NTFS transaction mechanism to create a malicious process from the transacted file, to avoid detection by security products.

    This attack technique works on all versions of Microsoft Windows including Windows 10 and can bypass most modern security solutions.


    <snip>

    Always follow these basic instructions to protect yourself from any ransomware attack:

    • Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.

    • Maintain updated antivirus software for all systems.

    • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited email, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through the browser.

    • Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up-to-date with the latest patches.

    https://securereading.com/new-varian...ing-technique/

  14. #614 harrybarracuda
    Eight new Spectre variants affecting Intel chips discovered, four are "high risk"

    Intel is already working on fixes

    Spectre and Meltdown may not be getting as many headlines as they were a few months ago, but that could soon all change following the discovery of eight Spectre-style security issues in Intel’s CPUs.

    German website Heise reports that the vulnerabilities, called Spectre Next Generation, or Spectre NG, were recently reported to Intel. The chip maker gave four of them a severity rating of high, while the remaining four were rated as medium severity.

    The technical details haven’t been revealed, but the vulnerabilities’ risks and attack scenarios are similar to the original Spectre. Cloud hosting and cloud services providers are most at risk from Spectre NG, as attackers could use the exploit to gain access to data transfers and compromise secure data.

    Heise writes that some ARM CPUs are also vulnerable to Spectre NG, though it’s unclear if AMD’s processors are also at risk, and if so, to what extent.

    Intel is said to be working on fixes for Spectre Next Generation, while other patches are being developed alongside operating system manufacturers such as Microsoft. The report suggests that these will be released in two batches. The first could arrive as soon as this month, with the second arriving sometime in August, though these dates could always change.

    As with Spectre and Meltdown, one of the biggest concerns for everyday users with Spectre NG is how the fixes could affect system performance, and whether any result in the same problems as before: Intel's microcode caused random system restarts and the company recommended users stop installing it. Microsoft eventually had to release a software update for Windows 7, Windows 8.1, and Windows 10 to disable Intel's mitigation against Spectre variant 2.

    Update: Intel provided this statement to TechSpot via email:

    “Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”

    https://www.techspot.com/news/74447-...iscovered.html

  15. #615 harrybarracuda
    IBM bans all removable storage, for all staff, everywhere

    Risk of ‘financial and reputational damage’ is too high, says CISO

    By Simon Sharwood, APAC Editor 10 May 2018 at 05:01

    IBM has banned its staff from using removable storage devices.

    In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”

    The advisory stated some pockets of IBM have had this policy for a while, but “over the next few weeks we are implementing this policy worldwide.”

    Big Blue’s doing this because “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.”

    IBMers are advised to use Big Blue’s preferred sync ‘n’ share service to move data around.

    But the advisory also admitted that the move may be “disruptive for some.”

    She’s not wrong: The Register understands that frontline IBM staff sometimes need to download patches so they can be installed on devices they manage for clients and that bootable USB drives are one means of installing those patches.

    Indeed, IBM offers advice on how to install Linux on its own POWER 9 servers using a USB key. ®

    UPDATE: Since publishing this story we've heard whispers that IBM has taken note of staff objections to the removable storage ban, especially when doing software updates, and is considering making a few exemptions.



    https://www.theregister.co.uk/2018/0...ff_everywhere/

  16. #616 harrybarracuda
    Brutal cryptocurrency mining malware crashes your PC when discovered

    WinstarNssmMiner not only leeches your processing power but will maliciously crash your system if you attempt to remove it.

    By Charlie Osborne for Zero Day | May 17, 2018 -- 09:15 GMT (10:15 BST) | Topic: Security




    A new form of cryptominer has been discovered which crashes systems the moment antivirus products attempt to remove the malware.

    The malware, dubbed WinstarNssmMiner by 360 Total Security researchers, has been used in half a million attempted attacks leveraged at PCs in only three days.


    On Wednesday, the cybersecurity firm said the cryptomining malware aims to infect PCs in order to steal processing power for the purpose of mining the Monero cryptocurrency.

    WinstarNssmMiner is brutal code as it will crash victim PCs the moment antivirus products detect and attempt to remove it.


    The cryptominer launches the svchost.exe process -- used to manage system services -- and injects malicious code into the file. One injected process begins mining cryptocurrency while the other runs in the background to avoid detection and scan for antivirus protection.


    In the second stage, WinstarNssmMiner then tampers with CriticalProcess, adding a process attribute which allows the malware to crash the system at whim.


    However, the malware is a coward at heart. As 360 Total Security writes, WinstarNssmMiner "turns off antivirus protection of defenseless foes and backs off when facing sharp swords."


    The malware scans compromised systems for antivirus products. If it finds "decent" solutions offered by reputable companies -- such as Kaspersky Lab and Avast -- it will quit automatically.

    However, if weaker antivirus systems are in use, the crash process starts up and victims have to live with crippling slowness and blue screens while the malware cheerfully steals their power and mines Monero on the attacker's behalf.


    "Due to the nature of digital currency mining, cryptominers use up victims' processing power for the sake of their distributors," the researchers note. "Some savvy users are able to identify and terminate the CPU consuming applications. Hence, WinstarNssmMiner protects itself by configuring its mining processes' attribute to CriticalProcess so infected computers crash when users terminate it."


    Four mining pools have been linked to the malware at present. At the time of writing, the threat actors behind the spread of WinstarNssmMiner have mined 133 Monero, which is equivalent to roughly $26,500.


    The malware is based on XMRig, a legitimate open-source cryptocurrency mining project. This legitimate script, however, has been hijacked by malware developers for fraudulent cryptocurrency mining purposes.


    IBM, for example, has connected XMRig to cryptocurrency mining malware RubyMiner and Waterminer.



    Earlier this week, researchers from RedLock warned that cryptojacking attacks are on the rise against enterprise players which utilize cloud environments.

    Up to 25 percent of organizations are thought to have experienced cryptojacking activity within their cloud environments this year alone. Insecure databases and the failure to rotate access keys are often at fault.

    https://www.zdnet.com/article/brutal...en-discovered/

  17. #617 harrybarracuda
    Oh great.

    The introduction of GDPR next week could see a future increase in the amount of malicious spam, due to the end of blocking malicious domains by registrar.

    Speaking to Infosecurity this week, Caleb Barlow, vice president of threat intelligence at IBM Security, said that the Whois database “is the fundamental ethos of how we protect the internet and we are seeing those services get shut down” as GDPR offers the ability to protect the identity of the domain owner.

    Barlow called this an “unintended consequence of this privacy law” and that the end of disclosure of who owns the domain will prevent tracking the owners.


    He said: “Millions of emails come in every day and we use Whois to see who sent it and block spammers, so the message doesn’t even make it in as it is blocked at the network layer. When a new domain gets registered we look at the Whois information and name and address.”


    This issue was addressed by David Redl, the new head of the US National Telecommunications and Information Administration, earlier this year. He said: “The Whois service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. It is in the interests of all internet stakeholders that it does.”


    In April, ICANN president and CEO Goran Marby said: “Without a moratorium on enforcement, Whois will become fragmented and we must take steps to mitigate this issue.”


    The ICANN statement said that a moratorium on enforcement action by data protection acts would potentially allow for the introduction of an agreed-upon accreditation model, and for the registries and registrars to implement the accreditation model in conjunction with the measures in the agreed final interim compliance model.


    “A fragmented Whois would no longer employ a common framework for generic top-level domain (gTLD) registration directory services,” ICANN said. “Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law.”


    Barlow explained that while a malicious registrant will not use their real name, there will be some consistency if they register 1000 domains, so the phone number or email would be the same “and when we detect one we can flag them all as bad, and this proliferates across the internet in minutes.”


    Barlow said that losing the ability to know who registered a domain will hit the efficacy of malicious domain takedowns, and this could lead to two bad scenarios: one is where the amount of spam and attacks go up and companies block everything, including those who legitimately want to keep their details private; and the second issue will be more spam carrying malicious links or ransomware.


    “This gives bad guys free rein, as most domains are malicious,” Barlow said. “We need to filter them out, and the only way is with Whois.”


    He concluded by saying that the cybersecurity industry can get in front of this, and monitor new domains and their activity “as bad guys register domains anonymously and wait a few months to test it, put legit traffic on it and then flip it to be malicious.”


    However, we can expect a lot of spam in a few months with no way to block it. “Ironically the new privacy law could cause further loss through cyber-attack.”

    https://www.infosecurity-magazine.co...pr-spam-whois/
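    The “detect one, flag them all” pivot Barlow describes, as an added example (not code from the article, IBM or ICANN): it parses constructed, simplified Whois records, indexes registrant e-mail and phone, skips privacy-redacted values (the GDPR case the article worries about), and flags every domain reachable from a known-bad seed. The field names, record layout and domains are assumptions made for the example.

```python
"""Pivot from one known-bad domain to its registrant's sibling domains.

A registrant who files many domains tends to reuse a phone number or
e-mail address, so flagging one domain lets a defender flag the rest.
The records below are constructed for this example; real Whois output
varies by registrar and the field names used here are an assumption.
"""
from collections import defaultdict

# Constructed, simplified Whois records, one per domain, blank-line separated.
WHOIS_RECORDS = """\
Domain Name: example-login-1.test
Registrant Email: reg1@mail.example
Registrant Phone: +1.5550100

Domain Name: example-login-2.test
Registrant Email: reg1@mail.example
Registrant Phone: +1.5550100

Domain Name: shop-example.test
Registrant Email: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY

Domain Name: support-example.test
Registrant Email: other@mail.example
Registrant Phone: +1.5550100

Domain Name: legit-example.test
Registrant Email: owner@legit.example
Registrant Phone: +44.5550199
"""

# Values a privacy/proxy service substitutes. They must never be used as a
# pivot, or every redacted domain would be linked to every other one.
REDACTED = {"", "redacted for privacy", "data protected", "n/a"}


def parse_whois(text):
    """Return {domain: {"email": ..., "phone": ...}} from the record text."""
    records = {}
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        domain = fields.get("domain name", "").lower()
        if domain:
            records[domain] = {
                "email": fields.get("registrant email", "").lower(),
                "phone": fields.get("registrant phone", "").lower(),
            }
    return records


def build_pivot_index(records):
    """Map each usable (non-redacted) contact value to the domains sharing it."""
    index = defaultdict(set)
    for domain, contact in records.items():
        for value in (contact["email"], contact["phone"]):
            if value not in REDACTED:
                index[value].add(domain)
    return index


def expand_blocklist(seed_domains, records):
    """Flag every domain reachable from the seeds through shared contacts.

    This is a transitive closure: a domain sharing a phone number with a
    flagged domain is flagged, its e-mail then pulls in further domains,
    and so on. Seeds not present in the records are ignored.
    """
    index = build_pivot_index(records)
    flagged = {d.lower() for d in seed_domains if d.lower() in records}
    queue = list(flagged)
    while queue:
        domain = queue.pop()
        for value in records[domain].values():
            for sibling in index.get(value, ()):
                if sibling not in flagged:
                    flagged.add(sibling)
                    queue.append(sibling)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_whois(WHOIS_RECORDS)
    # shop-example.test stays unflagged: its contacts are redacted, so there
    # is nothing to pivot on, which is exactly the gap the article describes.
    print(expand_blocklist(["example-login-1.test"], recs))
```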

  18. #618 harrybarracuda
    Early release of this one because it's already infected 500,000 devices....

    WEDNESDAY, MAY 23, 2018

    New VPNFilter malware targets 100,000s of networking devices worldwide


    INTRO


    For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.

    While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.


    Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. While the list may not be complete, the known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.

    The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.


    The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.


    This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor. We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen.


    Brief technical breakdown


    The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.


    The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.


    The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.


    In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them.


    Tradecraft discussion


    We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor. Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways.


    Advanced threat actors, including nation-states, will try to make attribution of their cyber activities extremely difficult, unless it is in their interest for it to be openly known that they conducted a specific act. To this end, advanced threat actors use multiple techniques, including co-opting infrastructure owned by someone else to conduct their operations. The actor could easily use devices infected with this malware as hop points before connecting to their final victim in order to obfuscate their true point of origin.


    The malware can also be leveraged to collect data that flows through the device. This could be for straightforward data-collection purposes, or to assess the potential value of the network that the device serves. If the network was deemed as having information of potential interest to the threat actor, they may choose to continue collecting content that passes through the device or to propagate into the connected network for data collection. At the time of this posting, we have not been able to acquire a third-stage plugin that would enable further exploitation of the network served by the device. However, we have seen indications that it does exist, and we assess that it is highly likely that such an advanced actor would naturally include that capability in malware that is this modular.


    Finally, this malware could be used to conduct a large-scale destructive attack by using the "kill" command, which would render some or all of the physical devices unusable. This command is present in many of the stage 2 samples we've observed, but could also be triggered by utilizing the "exec" command available in all stage 2 samples. In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have. We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months.


    Observed activities of concern


    As we have researched this threat, we have put into place monitoring and scanning to gain an understanding of the scope of this threat and the behaviors of infected devices. Our analysis has shown that this is a global, broadly deployed threat that is actively seeking to increase its footprint. While our research continues, we have also observed activity potentially associated with this actor that indicates possible data exfiltration activity.


    In early May, we observed infected devices conducting TCP scans on ports 23, 80, 2000 and 8080. These ports are indicative of scanning for additional Mikrotik and QNAP NAS devices, which can be found using these ports. These scans targeted devices in more than 100 countries.


    We also used our telemetry to discover potentially infected devices globally. We evaluated their collective behavior to try and identify additional features of the C2 infrastructure. Many of these victim IPs appeared to demonstrate behavior that strongly indicated data exfiltration.


    Finally, on May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world, on IP 46.151.209[.]33. By this point, we were aware of the code overlap between BlackEnergy and VPNFilter and that the timing of previous attacks in Ukraine suggested that an attack could be imminent. Given each of these factors, and in consultation with our partners, we immediately began the process to go public before completing our research.


    As we continued to move forward with the public disclosure, we observed another substantial increase in newly acquired VPNFilter victims focused in Ukraine on May 17. This continued to drive our decision to publish our research as soon as possible.


    Defending against this threat


    Defending against this threat is extremely difficult due to the nature of the affected devices. The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats.


    Despite these challenges, Talos has released protections for this threat from multiple angles, to try to take advantage of the limited options that exist. We developed and deployed more than 100 Snort signatures for the publicly known vulnerabilities for the devices that are associated with this threat. These rules have been deployed in the public Snort set, and can be used by anyone to help defend their devices. In addition, we have done the usual blacklisting of domains/IPs as appropriate and convicting of the hashes associated with this threat to cover those who are protected by the Cisco Security ecosystem. We have reached out to Linksys, Mikrotik, Netgear, TP-Link and QNAP regarding this issue. (Note: QNAP has been aware of certain aspects of VPNFilter and previously done work to counter the threat.) Finally, we have also shared these indicators and our research with international law enforcement and our fellow members of the Cyber Threat Alliance in advance of this publication so they could move quickly to help counter this threat more broadly.


    Recommendations


    We recommend that:


    Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.



    Internet service providers that provide SOHO routers to their users reboot the routers on their customers' behalf.


    If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.


    ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.


    Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.


    https://blog.talosintelligence.com/2...VPNFilter.html
    Last edited by harrybarracuda; 23-05-2018 at 09:44 PM.
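    The post above describes two observable behaviours of infected devices: TCP scanning on ports 23, 80, 2000 and 8080 across many hosts, and contact with the stage 2 C2 address used for the Ukrainian cluster. The script below is an added example (not Talos code) that runs that detection logic over a constructed flow log; the log format, the sample addresses and the thresholds are assumptions for illustration.

```python
"""Flag hosts whose outbound TCP connections match the VPNFilter pattern from the
Talos post: probes to ports 23/80/2000/8080 across many destinations, and any
contact with the stage 2 C2 address the post names for the Ukrainian cluster.

Added example, not Talos code.  Log format is constructed (assumption):
one connection per line, "timestamp src_ip dst_ip dst_port proto".
"""
from collections import defaultdict

VPNFILTER_SCAN_PORTS = {23, 80, 2000, 8080}
# Stage 2 C2 address quoted in the post (defanged there as 46.151.209[.]33).
KNOWN_C2 = {"46.151.209.33"}


def build_sample_log():
    """Constructed sample flow log (not real telemetry)."""
    lines = []
    # A compromised router probing eight hosts on each of the four ports.
    for i in range(1, 9):
        for port in sorted(VPNFILTER_SCAN_PORTS):
            lines.append(f"2018-05-08T10:{i:02d}:00Z 192.168.1.1 203.0.113.{i} {port} tcp")
    # The same router beaconing to the stage 2 C2 address.
    lines.append("2018-05-08T10:30:00Z 192.168.1.1 46.151.209.33 443 tcp")
    # A workstation browsing normally: two web hosts, one of them on port 80.
    lines += [
        "2018-05-08T10:31:00Z 192.168.1.20 198.51.100.10 443 tcp",
        "2018-05-08T10:32:00Z 192.168.1.20 198.51.100.11 80 tcp",
    ]
    # A host talking to several proxies on 8080 only: many targets, one port.
    for i in range(1, 7):
        lines.append(f"2018-05-08T10:4{i}:00Z 192.168.1.30 198.51.100.{20 + i} 8080 tcp")
    return "\n".join(lines)


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def analyse(log_text, min_ports=3, min_targets=5):
    """Return {src_ip: [finding, ...]} for hosts matching the VPNFilter pattern.

    A host is reported as scanning when it touches at least `min_ports` of the
    four VPNFilter ports and at least `min_targets` distinct destinations on
    them; both thresholds are assumptions chosen to suppress ordinary browsing.
    """
    ports_seen = defaultdict(set)    # src -> scan ports it touched
    targets_seen = defaultdict(set)  # src -> distinct destinations on scan ports
    c2_seen = defaultdict(set)       # src -> C2 addresses contacted
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp":
            continue
        if rec["dst"] in KNOWN_C2:
            c2_seen[rec["src"]].add(rec["dst"])
        if rec["port"] in VPNFILTER_SCAN_PORTS:
            ports_seen[rec["src"]].add(rec["port"])
            targets_seen[rec["src"]].add(rec["dst"])

    findings = defaultdict(list)
    for src in ports_seen:
        if len(ports_seen[src]) >= min_ports and len(targets_seen[src]) >= min_targets:
            ports = "/".join(str(p) for p in sorted(ports_seen[src]))
            findings[src].append(f"scan: {len(targets_seen[src])} hosts on ports {ports}")
    for src, c2s in c2_seen.items():
        findings[src].append("c2 contact: " + ", ".join(sorted(c2s)))
    return dict(findings)


if __name__ == "__main__":
    for src, notes in analyse(build_sample_log()).items():
        print(src, "->", "; ".join(notes))
```

Only the router is reported; the workstation and the 8080-only host fall below the port-diversity threshold, which is the point of keying on the combination of ports rather than any one of them.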

  19. #619
    I'm in Jail

    US disrupts Russian botnet of 500,000 hacked routers

    US Justice Department seizes "VPNFilter" botnet set up by a hacking group variously called APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group.


    The US Justice Department said Wednesday that it had seized an internet domain that directed a dangerous botnet of a half-million infected home and office network routers, controlled by hackers believed tied to Russian intelligence.
    The move was aimed at breaking up an operation deeply embedded in small and medium-sized computer networks that could allow the hackers to take control of computers as well as easily steal data.


    The Justice Department said the "VPNFilter" botnet was set up by a hacking group variously called APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group.
    The group is blamed for cyber attacks on numerous governments, key infrastructure industries like power grids, the Organization for Security and Co-operation in Europe, the World Anti-Doping Agency, and other bodies.
    US intelligence agencies also say it was involved in the operation to hack and release damaging information on the Democratic Party during the 2016 US presidential election, and has engineered a number of computer network disruptions in Ukraine.
    "According to cybersecurity researchers, the Sofacy Group is a cyber-espionage group believed to have originated from Russia," the Department of Justice said in a court filing.


    "Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value, through a variety of means," it said.
    The Justice filing did not say who was behind Sofacy Group, but US intelligence has in the past linked it to Russia's GRU military intelligence agency, and numerous private computer security groups have made the same connection.
    In Wednesday's action, the Justice Department said it had obtained a warrant authorizing the FBI to seize a computer domain that is part of the command and control system of the VPNFilter botnet.
    The botnet targets home and office routers, through which it can relay orders from the botnet's controllers and intercept and reroute traffic back to them, virtually undetected by the users of a network.


    In a report released in parallel to the Justice announcement, network equipment giant Cisco said VPNFilter had infected at least 500,000 devices in at least 54 countries.
    It has targeted popular router brands like Linksys, MikroTik, NETGEAR and TP-Link.
    "The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials," Cisco said.
    It also has "a destructive capacity that can render an infected device unusable, which can be triggered on individual victim machines or en masse."
    Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Justice said that by seizing control of one of the domains involved in running VPNFilter, it will give owners of infected routers a chance to reboot them, forcing them to begin communicating with the now-neutralized command domain.


    The vulnerability will remain, Justice said, but the move will allow them more time to identify and intervene in other parts of the network.
    US Justice Department seizes "VPNFilter" botnet set up by a hacking group variously called APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group

    https://au.news.yahoo.com/us-disrupt...7390--spt.html

  20. #620
    harrybarracuda
    I doubt there's just one domain involved.

    All depends if they want to blow their cover by triggering it now.

  21. #621
    harrybarracuda
    List of devices that come preinstalled with Adware according to Avast post (Second link).

    https://docs.google.com/spreadsheets...f50/edit#gid=0

    https://blog.avast.com/android-devic...talled-malware

  22. #622
    harrybarracuda
    Currently only targeting Poland, but I dare say this malware is for sale in some murky corner of the Dark Web.

    BackSwap Trojan exploits standard browser features to empty bank accounts

    Creating effective and stealthy banking malware is becoming increasingly difficult, forcing malware authors to come up with innovative methods. The latest creative burst in this malware segment comes from a group that initially came up with malware stealing cryptocurrency by replacing wallet addresses in the clipboard.
    About the BackSwap banking malware

    “To steal money from a victim’s account via the internet banking interface, typical banking malware will inject itself or its specialized banking module into the browser’s process address space,” ESET malware researcher Michal Poslušný notes.


    The success of this approach depends on the injection not being detected by security solutions, modules matching the bitness of the target browser, and the banking module hooking browser functions, whose location varies from browser to browser.

    BackSwap eschews the usual “process injection for monitoring browsing activity” trick. Instead, it handles everything by working with Windows GUI elements and simulating user input.

    “This might seem trivial, but it actually is a very powerful technique that solves many ‘issues’ associated with conventional browser injection,” the researcher notes.

    “First of all, the malware does not interact with the browser on the process level at all, which means that it does not require any special privileges and bypasses any third-party hardening of the browser, which usually focuses on conventional injection methods. Another advantage for the attackers is that the code does not depend either on the architecture of the browser or on its version, and one code path works for all.”

    BackSwap monitors the visited URLs, looks for and detects bank-specific URLs and window titles by hooking key window message loop events.

    Once banking activity is detected, the malware injects malicious JavaScript into the web page, either via the browser’s JavaScript console or directly into the address bar (via JavaScript protocol URLs, a little-used feature supported by most browsers). Also interesting is that the malware cleverly bypasses several countermeasures browser makers have implemented to prevent the exploitation of that last feature.

    Finally, the injected JavaScript replaces the recipient’s bank account number with the number of an account opened by the attackers or their mules. If the user doesn’t notice the switch and authorizes the transaction, the attack is successful.
    BackSwap distribution

    At the moment, the malware is made to target customers of five Polish banks (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), and will only steal money if the wire transfer amount is between 10,000 and 20,000 Polish zloty (i.e., $2,800 – $5,600).
    The targets get infected with the malware by opening malicious attachments attached to spam email, containing the Nemucod or other downloader Trojans.

    “The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload. The application used as the target for the modification is being changed regularly – examples of apps misused in the past include TPVCGateway, SQLMon, DbgView, WinRAR Uninstaller, 7Zip, OllyDbg, FileZilla Server,” the researcher shared.

    The app is modified to jump to the malicious code during its initialization and control is transferred to the malware (the legitimate app will not work).

    According to Poslušný, the intent of this approach is not to fool users into thinking they are running the legitimate app, but to minimize the possibility of the malware being detected and analyzed.

    “This makes the malware harder for an analyst to spot, as many reverse engineering tools like IDA Pro will show the original main() function as a legitimate start of the application code and an analyst might not notice anything suspicious at first glance,” he explained.

    https://www.helpnetsecurity.com/2018...ckswap-trojan/


  23. #623
    harrybarracuda
    Well if you ever needed an excuse to have a secure gateway inside your ISP's router...

    Mind you I'm surprised they didn't lock up the bloke who found out about it.




    ISP popped router ports, saving customers the trouble of making themselves hackable

    SingTel then left them open for a while, because ... well there's no excuse is there?

    By Richard Chirgwin 29 May 2018 at 02:08



    Singaporean broadband users were left vulnerable to attackers after their ISP opened remote access ports on their modems and forgot to close them.

    The discovery was made by NewSky Security researcher Ankit Anubhav, who used Shodan to scan for SingTel routers open on port 10,000 – the default Network Data Management Protocol TCP/UDP port.

    Anubhav said the scan yielded 975 devices that had port 10,000 open with no protection, as a result of a fault-finding exercise gone wrong (that number is only those found on the scan).

    When NewSky alerted Singapore's CERT, and that body took the issue to SingTel, Anubhav said the root cause was that SingTel enabled port 10,000 to troubleshoot a problem with the SingTel-branded routers (the “Wi-Fi Gigabit Router” is supplied by Arcadyan).
    The carrier neglected to close the port once the issues were resolved, leaving the customers vulnerable.

    The NewSky post quotes SingCERT's Douglas Mun as saying: “Port forwarding was enabled by their customer service staff to troubleshoot Wi-Fi issues for their customers and was not disabled when the issues were resolved. ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed.”

    Mun added that the ISP had since closed the ports. ®
    https://www.theregister.co.uk/2018/0...er_ports_open/

  24. #624
    harrybarracuda
    Simple walkthrough for those with devices listed as VPNFilter-vulnerable, although the steps apply even if your Router is not on the list.

    How to remove VPNFilter and protect your router or NAS

    To completely remove VPNFilter and protect your router from being infected again, you should follow these steps:


    1. Reset Router to Factory Defaults: Linksys * Netgear * QNAP * TP-Link
    2. Upgrade to the latest firmware: Linksys * Netgear * QNAP * TP-Link
    3. Change the default admin password: Linksys * Netgear * QNAP * TP-Link
    4. Disable Remote Administration: Linksys * Netgear * QNAP * TP-Link
      The Linksys and Netgear links are for enabling remote administration, which we do not want to do. I only listed them as it shows how to get to a page where you can check if it's enabled or not. Typically, remote administration is disabled by default.

    https://www.bleepingcomputer.com/new...ts-not-enough/
    Last edited by harrybarracuda; 30-05-2018 at 12:54 PM.

  25. #625
    harrybarracuda
    Muppets. Cloudflare blocked their own traffic thinking it was a DDOS attack.



    When is a DDoS attack not a DDoS attack?


    In the case of Cloudflare’s much-vaunted and recently-launched 1.1.1.1 DNS service, the answer is when the company diligently starts blocking a DDoS event which turns out to have been caused by something much closer to home.

    Users pointing their DNS resolution at 1.1.1.1 (or 1.0.0.1) at router level on 31 May would have noticed a 17-minute disruption to DNS resolution for all network devices, starting at 17:58 UTC.

    Users doing the same from a Windows, Linux or Mac computer would have noticed the same effect but only on that device.

    Anyone who had the presence of mind to switch to a different DNS service – the Global Cyber Alliance’s 9.9.9.9 or their ISP’s default, say – would have noticed that website domains were suddenly resolving again. This would have been a good clue that something wasn’t quite right.

    A DNS resolver disappearing for that long might indicate some kind of DDoS attack which, given that Cloudflare offers tier-one DDoS mitigation through something called Gatebot, would have to have been pretty remarkable to make any headway.

    Cloudflare has now posted a blog in which it admitted it suffered an unusual and rare type of DDoS attack – an imaginary one.

    Explained simply, Cloudflare’s Gatebot suddenly started interpreting traffic to 1.1.1.1 (that is, sent to and from its users) as a DDoS attack on its infrastructure.

    Whoops! It sounds bizarre at first but, as the company explains, Gatebot normally queries a hard-coded list of IP address ranges to check whether traffic is emanating from Cloudflare or is external.


    On 31 May, Gatebot was pointed at a new Provision API, an innovation intended to reduce the overheads and risks of the old system’s manual updating process.

    Unfortunately, the range 1.1.1.0/24 and 1.0.0.0/24 used by its 1.1.1.1 service required an exception to be added:

    “As you might be able to guess by now, we didn’t implement this manual exception while we were doing the integration work. Remember, the whole idea of the fix was to remove the hardcoded gotchas!”

    As a result, Gatebot saw the DNS queries as an attack and did the job it was built for.

    “While Gatebot, the DDoS mitigation system, has great power, we failed to test the changes thoroughly. We are using today’s incident to improve our internal systems.”

    This is not the first incident to affect 1.1.1.1 since it launched on 1 April. As well as the occasional BGP leak (a type of rerouting which can be malicious but usually isn’t), the service was inadvertently blocked by home gateways supplied by AT&T.


    But why do DNS services such as 1.1.1.1 matter anyway?

    The traditional reason was performance, with users dissatisfied by the speed at which their ISP’s DNS server would resolve web domain names (e.g. nakedsecurity.sophos.com) to their underlying IP addresses.

    Cloudflare’s service was intended to offer a second benefit – privacy. Although very much a work in progress (DNS queries are not encrypted and are collected in the UK and US by ISPs for a variety of reasons), long term its existence lays the foundation for new encrypted DNS standards – principally DNS-over-HTTPS and DNS-over-TLS – to build on.

    But alternative DNS resolvers always stand and fall on their availability and reliability. There is no point in offering faster and more private DNS if it’s not there when users need it. Which is why Cloudflare has earnestly promised:

    “The next time we mitigate 1.1.1.1 traffic, we will make sure there is a legitimate attack hitting us.”

    https://nakedsecurity.sophos.com/201...ty+-+Sophos%29
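    The incident above is a configuration-migration bug: the range list moved from hard-coded values to an API, and the hand-maintained exception for 1.1.1.0/24 and 1.0.0.0/24 did not move with it. The code below is an added example, not Cloudflare's, modelling Gatebot as a simple packets-per-destination threshold with a no-mitigate list; the "Provision API" stand-in, the non-resolver ranges, the traffic sample and the threshold are all constructed assumptions. It shows the legacy policy, the migrated policy as deployed, the migrated policy with the exception carried across, and the pre-deployment check that would have caught the difference.

```python
"""Simplified model of the Gatebot mis-step, as an added example (not Cloudflare's
code).  Assumptions: the DDoS classifier is a packets-per-destination threshold,
the Provision API is a plain list of prefixes, and resolver ranges must be
explicitly exempted because a public resolver legitimately receives heavy traffic
from everywhere.
"""
import ipaddress
from collections import Counter

# Ranges named in the post for the 1.1.1.1 resolver service.
RESOLVER_RANGES = ("1.1.1.0/24", "1.0.0.0/24")
# Other "Cloudflare" ranges are constructed documentation prefixes.
OTHER_RANGES = ("198.51.100.0/24", "203.0.113.0/24")

# The old hard-coded configuration carried the exception inline.
LEGACY_CONFIG = {
    "ranges": [*OTHER_RANGES, *RESOLVER_RANGES],
    "no_mitigate": list(RESOLVER_RANGES),
}


def provision_api_ranges():
    """Stand-in for the new Provision API (assumption): it knows the address
    ranges but nothing about the hand-maintained exception."""
    return [*OTHER_RANGES, *RESOLVER_RANGES]


def build_policy(ranges, no_mitigate=()):
    return {
        "ranges": [ipaddress.ip_network(r) for r in ranges],
        "no_mitigate": [ipaddress.ip_network(r) for r in no_mitigate],
    }


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def gatebot(flows, policy, threshold):
    """flows: iterable of (dst_ip, packets).  Returns the destinations that would
    be put under mitigation: owned addresses receiving more than `threshold`
    packets, unless their range is on the no-mitigate list."""
    per_dst = Counter()
    for dst, pkts in flows:
        per_dst[dst] += pkts
    mitigated = set()
    for dst, pkts in per_dst.items():
        addr = ipaddress.ip_address(dst)
        if pkts <= threshold or not _in_any(addr, policy["ranges"]):
            continue
        if _in_any(addr, policy["no_mitigate"]):
            continue  # resolver traffic is expected to be high-volume
        mitigated.add(dst)
    return mitigated


# Constructed traffic sample: heavy but legitimate DNS load on the resolver
# addresses, a genuine flood against one web address, and background noise.
SAMPLE_FLOWS = [
    ("1.1.1.1", 5_000_000),
    ("1.0.0.1", 4_000_000),
    ("203.0.113.9", 9_000_000),
    ("198.51.100.7", 10),
]
THRESHOLD = 1_000_000  # constructed


def migrated_policy_as_deployed():
    """What went live: ranges from the API, exception forgotten."""
    return build_policy(provision_api_ranges())


def migrated_policy_fixed():
    """The same migration with the exception carried across."""
    return build_policy(provision_api_ranges(), no_mitigate=RESOLVER_RANGES)


def check_policy(policy):
    """Pre-deployment check: every resolver range must be exempt from mitigation."""
    return all(ipaddress.ip_network(r) in policy["no_mitigate"] for r in RESOLVER_RANGES)


if __name__ == "__main__":
    legacy = build_policy(LEGACY_CONFIG["ranges"], LEGACY_CONFIG["no_mitigate"])
    print("legacy:  ", gatebot(SAMPLE_FLOWS, legacy, THRESHOLD))
    print("deployed:", gatebot(SAMPLE_FLOWS, migrated_policy_as_deployed(), THRESHOLD))
    print("fixed:   ", gatebot(SAMPLE_FLOWS, migrated_policy_fixed(), THRESHOLD))
    print("check passes on deployed policy:", check_policy(migrated_policy_as_deployed()))
```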
