  1. #551 harrybarracuda
    Allentown Struggles with $1 Million Cyber-Attack

    The city of Allentown, Pennsylvania, is struggling to remediate a malware attack that could cost nearly $1 million to mitigate.
    According to local paper The Morning Call, the city’s critical systems have been hit by the malware known as Emotet, impacting both financial and public safety operations, according to Mayor Ed Pawlowski. Allentown’s finance department can’t complete any external banking transactions, the city’s 185 surveillance cameras are impacted and the police department can’t access Pennsylvania State Police databases, Pawlowski said.
    Emotet spread like wildfire around the city’s networks, self-replicating (Emotet can spread itself to other systems by stealing an address book from a computer on the network) and harvesting city employees’ credentials along the way. There’s an intimation that phishing was the initial infection vector: Pawlowski warned city residents not to open emails and attachments from city employees. In the past Emotet has been spread via weaponized Microsoft Word documents.
    The virus impacted all city systems that run Microsoft, so the city has hired Microsoft engineers to handle emergency response to the crisis for an initial $185,000. Though the virus has now been contained, Pawlowski said it will cost $800,000 to $900,000 to fully remediate the damage.
    Further details remain shadowy.
    “I’m not trying to in any way shape or form hide anything from the public,” Pawlowski told the city council. “But we just don’t want to divulge how we’re aggressively attacking this because if it is a hacker, they can always modify their attack.”
    “Shame on us for doing a disservice to our intelligence community,” said Allentown IT director Matthew Leibert, chastising the council for holding an open hearing on the incident, given that there’s an ongoing criminal investigation into where the virus came from.
    Pawlowski also said the virus evaded the city’s “extensive” antivirus and firewall systems.
    “This particular virus actually is unlike any other virus,” he said. “It has intelligence built in, so it keeps adapting to our systems, thus evading any firewalls that we have up.”
    Emotet first emerged in 2014 as a Trojan designed to steal banking credentials from targets in Austria and Germany. It searches the targeted system for sensitive information that will be exfiltrated to the command-and-control (C2) servers under the attackers’ control. The attacker can then sell the information harvested or log into the account themselves to steal more information.
    Starting late last year, the malware began spreading beyond financial targets and into the US and other arenas, while adding new capabilities, including a new dropper, sandbox awareness and anti-analysis capabilities.

    https://www.infosecurity-magazine.co...ith-1-million/

  2. #552 baldrick
    ^ obviously they did not separate their networks via VPNs and some numbnut has connected his latest aliexpress IoT device

  3. #553 bsnub
    Quote Originally Posted by harrybarracuda View Post
    the city’s 185 surveillance cameras are impacted and the police department can’t access Pennsylvania State Police databases
    Good! Fuck that city! They got what they deserved.

  4. #554 harrybarracuda
    Quote Originally Posted by baldrick View Post
    ^ obviously they did not seperate their networks via VPNs and some numbnut has connected his latest aliexpress IoT device

    ..... Or not.

    Emotet can spread itself to other systems by stealing an address book from a computer on the network) and harvesting city employees’ credentials along the way. There’s an intimation that phishing was the initial infection vector: Pawlowski warned city residents not to open emails and attachments from city employees.

  5. #555 harrybarracuda
    Security flaw in uTorrent allows hackers remote access

    Thursday, February 22, 2018

    Tavis Ormandy, a vulnerability researcher at Google and a part of Google Project Zero, a team of security analysts specializing in finding zero-day vulnerabilities, revealed on Wednesday a vulnerability in BitTorrent’s uTorrent Windows and web client that allows hackers to either plant malware on the user’s computer or see their download activity.

    Google Project Zero published their research once the 90-day window that it gave to uTorrent to fix the flaw before publicly disclosing it was over.

    According to Ormandy, the flaws are easy to exploit and make it possible for hackers to remotely access downloaded files or download malware on their computers using the random token generated upon authentication.

    He reported on Twitter that the initial fix that BitTorrent rolled out seemed to only generate a second token, which did not fix the flaw and said, “you just have to fetch that token as well.”

    @taviso: Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit.
    12:08 AM - Feb 21, 2018


    BitTorrent issued a statement on Wednesday regarding the issue:

    On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).


    Security flaw in uTorrent allows hackers remote access - E Hacking News
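
    Ormandy's "you just have to fetch that token as well" is the general lesson behind the post above: once an attacker's page has rebound its hostname to 127.0.0.1, the browser treats it as same-origin with the local listener, so any secret the legitimate web UI can fetch from that listener, the attacker's script can fetch too. The block below is an added illustration, not BitTorrent's code and not Ormandy's proof of concept. It models the local listener as a request-authorization function and replays the two-step rebinding sequence against a token-only policy and a policy that validates the Host header first. Port 10000, the /token and /add-torrent endpoints, the X-Token header and the secret value are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Authorization outcome for one request to the local RPC listener. */
typedef enum { ALLOW = 0, DENY_BAD_HOST = 1, DENY_BAD_TOKEN = 2 } verdict_t;

/* Hypothetical local listener; port, endpoint names and secret are assumptions. */
static const char *const ALLOWED_HOSTS[] = { "localhost:10000", "127.0.0.1:10000" };
static const char SECRET_TOKEN[] = "s3cr3t-token";      /* constructed secret */

typedef verdict_t (*policy_fn)(const char *request);

/* Copy the value of header `name` from a raw HTTP request into `out`.
 * Only matches a header that starts a line, so "X-Host:" is not "Host:". */
static bool get_header(const char *req, const char *name, char *out, size_t outlen) {
    size_t n = strlen(name);
    for (const char *p = req; (p = strstr(p, name)) != NULL; p += n) {
        if ((p == req || p[-1] == '\n') && p[n] == ':') {
            p += n + 1;
            while (*p == ' ') p++;
            const char *end = strpbrk(p, "\r\n");
            size_t len = end ? (size_t)(end - p) : strlen(p);
            if (len >= outlen) return false;
            memcpy(out, p, len);
            out[len] = '\0';
            return true;
        }
    }
    return false;
}

/* True if the request line targets `path` exactly ("GET /token HTTP/1.1"). */
static bool path_is(const char *req, const char *path) {
    const char *sp = strchr(req, ' ');
    if (!sp) return false;
    size_t len = strlen(path);
    return strncmp(sp + 1, path, len) == 0 && sp[1 + len] == ' ';
}

/* Policy A: token only. /token is served to any page that can reach the
 * listener (that is how the legitimate web UI obtains it); every other
 * action must carry the token. This is the "just add a token" fix. */
static verdict_t token_only_policy(const char *req) {
    if (path_is(req, "/token")) return ALLOW;
    char tok[64];
    if (!get_header(req, "X-Token", tok, sizeof tok) || strcmp(tok, SECRET_TOKEN) != 0)
        return DENY_BAD_TOKEN;
    return ALLOW;
}

/* Policy B: Host check first, then the same token rule. After DNS rebinding
 * the browser still sends the attacker's hostname in Host, so the listener
 * can refuse the request before any token is handed out. */
static verdict_t host_and_token_policy(const char *req) {
    char host[128];
    if (!get_header(req, "Host", host, sizeof host)) return DENY_BAD_HOST;
    bool known = false;
    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++)
        if (strcmp(host, ALLOWED_HOSTS[i]) == 0) known = true;
    if (!known) return DENY_BAD_HOST;
    return token_only_policy(req);
}

/* Replay the rebinding sequence against a policy. Step 1 reads /token; if
 * that is allowed, the attacker's script has the secret and step 2 reuses
 * it for a privileged action. Returns the verdict of the last step reached. */
static verdict_t simulate_rebinding_attack(policy_fn policy) {
    const char *step1 =
        "GET /token HTTP/1.1\r\n"
        "Host: attacker.example:10000\r\n\r\n";
    verdict_t v = policy(step1);
    if (v != ALLOW) return v;                /* attacker never learns the token */
    char step2[256];
    snprintf(step2, sizeof step2,
             "POST /add-torrent HTTP/1.1\r\n"
             "Host: attacker.example:10000\r\n"
             "X-Token: %s\r\n\r\n", SECRET_TOKEN);   /* value read in step 1 */
    return policy(step2);
}

/* A request from the real web UI, for comparison. */
static verdict_t legitimate_request(policy_fn policy, const char *token) {
    char req[256];
    snprintf(req, sizeof req,
             "POST /add-torrent HTTP/1.1\r\nHost: localhost:10000\r\nX-Token: %s\r\n\r\n", token);
    return policy(req);
}

int main(void) {
    printf("token only,  rebinding attack verdict: %d\n", simulate_rebinding_attack(token_only_policy));
    printf("host+token,  rebinding attack verdict: %d\n", simulate_rebinding_attack(host_and_token_policy));
    return 0;
}
```

    Under the token-only policy the replay ends in ALLOW: the token is a defence against cross-site request forgery from a different origin, not against a page that has become the same origin. The Host check is what BitTorrent's own statement ("an attacker could craft a URL that would cause actions to trigger in the client") actually calls for, because a rebound hostname never matches localhost or 127.0.0.1.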

  6. #556 harrybarracuda
    Intel releases Spectre 2 microcode updates for Kaby Lake, Coffee Lake, Skylake

    Intel has released to OEMs a new set of Spectre firmware updates. They include microcode for Kaby Lake, Coffee Lake, and Skylake processors.


    “This represents our 6th, 7th, and 8th Generation Intel Core product lines as well as our latest Intel Core X-series processor family. It also includes our recently announced Intel Xeon Scalable and Intel Xeon D processors for data center systems,” Navin Shenoy, general manager of the Data Center Group at Intel Corporation, pointed out.
    The release follows that of microcode updates for some Skylake-based platforms in early February, and Intel’s January advice to stop deploying initial firmware updates that addressed Spectre (variant 2) due to a higher than expected incidence of reboots and other unpredictable system behavior.
    Shenoy advised users to implement OEM firmware updates as the OEMs release them.
    Intel also offers a constantly updated document that offers insight into the current situation regarding Spectre patches, i.e., released microcode. As can be seen, the status of the various updates varies from “planning” and “pre-beta” to “production.”
    Microcode updates for older processors using the Broadwell and Haswell cores are still in “beta”.
    Mitigation instead of an update?

    Shenoy also noted the existence of a Google-developed mitigation technique for Variant 2 called Retpoline.
    “‘Retpoline’ sequences are a software construct which allow indirect branches to be isolated from speculative execution. This may be applied to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches,” Google explains.
    “The name ‘retpoline’ is a portmanteau of ‘return’ and ‘trampoline.’ It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly.”
    Intel has provided more information on Retpoline in a newly published white paper.

    https://www.helpnetsecurity.com/2018...ocode-updates/
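
    The Google description quoted above says what a retpoline does; the block below shows the construct itself. It is an added example, not Intel's or Google's code, written as x86-64 GNU inline assembly in the shape of the r11 thunk that GCC and the Linux kernel use: an indirect branch is replaced by a `call` into a thunk, the thunk overwrites the pushed return address with the real target and executes `ret`, and the speculative path that the return-stack predictor follows lands in a `pause; lfence; jmp` loop that never does anything architectural. The two target functions are constructed for the example; on anything other than x86-64 with GCC or Clang it falls back to an ordinary indirect call.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*target_fn)(uint64_t);

/* Constructed sample targets. */
static uint64_t square(uint64_t x)  { return x * x; }
static uint64_t add_one(uint64_t x) { return x + 1; }

/* Call target(arg) through a retpoline instead of a plain `call *%r11`.
 * x86-64 GCC/Clang only; other targets fall back to a direct indirect call. */
static uint64_t retpoline_call(target_fn target, uint64_t arg) {
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    register uint64_t r11 __asm__("r11") = (uint64_t)target;  /* branch target */
    register uint64_t rdi __asm__("rdi") = arg;               /* first argument */
    uint64_t result;
    __asm__ volatile(
        "mov  %%rsp, %%rbx\n\t"    /* save rsp; rbx is callee-saved */
        "sub  $128, %%rsp\n\t"     /* step below the red zone */
        "and  $-16, %%rsp\n\t"     /* ABI alignment at the call site */
        "call 1f\n\t"              /* into the thunk; pushes the address of 'jmp 4f' */
        "jmp  4f\n\t"              /* the target's own ret lands here afterwards */
        "1:\n\t"                   /* ---- the retpoline thunk ---- */
        "call 2f\n\t"              /* pushes the address of label 3 (capture loop) */
        "3:\n\t"
        "pause\n\t"                /* speculation of the ret below bounces here */
        "lfence\n\t"
        "jmp  3b\n\t"
        "2:\n\t"
        "mov  %%r11, (%%rsp)\n\t"  /* replace pushed return address with the target */
        "ret\n\t"                  /* architectural path: jumps to the target */
        "4:\n\t"                   /* ---- end of thunk ---- */
        "mov  %%rbx, %%rsp\n\t"    /* restore rsp */
        : "=a"(result), "+r"(r11), "+r"(rdi)
        :
        : "rbx", "rcx", "rdx", "rsi", "r8", "r9", "r10",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15",
          "memory", "cc");
    return result;
#else
    return target(arg);
#endif
}

int main(void) {
    printf("square(12) via retpoline = %llu\n", (unsigned long long)retpoline_call(square, 12));
    printf("add_one(41) via retpoline = %llu\n", (unsigned long long)retpoline_call(add_one, 41));
    return 0;
}
```

    The reason this defeats branch target injection is that the only indirect transfer left is the `ret`, and the CPU predicts returns from the return stack buffer rather than from the attacker-trainable indirect branch predictor. The RSB entry pushed by `call 2f` points at the `pause; lfence; jmp` loop, so a mispredicted speculative return spins harmlessly until the real `ret` retires. The stack-pointer save and red-zone adjustment are only needed because the sequence lives inside a C function here; compiler-generated thunks (`-mindirect-branch=thunk`) do not need them.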



  7. #557 harrybarracuda
    Google Chrome ALERT - Password stealing malware hits ‘thousands’ of PCs, are YOU affected?

    GOOGLE Chrome users have been put on alert about a strain of password stealing malware.
    By DION DASSANAYAKE
    PUBLISHED: 08:01, Sat, Feb 24, 2018

    Google Chrome fans are being warned about password stealing malware that could have made its way onto their machines.


    Google Chrome is without a doubt the most popular internet browser in the world right now.


    NetMarketShare stats for the whole of last year show Google Chrome as having a staggering 58.90 per cent chunk of the internet browser marketplace.


    Its nearest rival, Mozilla’s FireFox, has a 13.29 per cent share while Internet Explorer is on 13 per cent.


    Microsoft’s newer Edge browser, which is bundled in with Windows 10, lags behind with a 3.78 per cent market share.


    These stats underline how Chrome’s crown as the world’s most popular internet browser is undisputed.


    And fans of Google Chrome have been put on alert about a strain of password stealing malware.


    However, the way the malware may have been distributed onto Google Chrome users’ machines could leave them stunned.


    The malware warning first emerged on Reddit, with user crankyrecursion making the discovery.


    They claimed to have found a suspicious file hidden away on an add-on installer for a flight-simulator.


    FlightSimLabs (or FSLabs) make add-ons for the hugely popular Microsoft Flight Simulator.


    And they were accused by the Reddit user of adding a file called ‘test.exe’, which is allegedly a password stealer, to their A320X add-on installer.


    Andrew Mabbitt, founder of cybersecurity company Fidus Information Security, also flagged the issue to Motherboard.


    Mabbitt said he scanned the file through malware search engine VirusTotal, and it was flagged up by a number of anti-virus products as malicious.


    He said: “When run, the programme extracts all saved usernames and passwords from the Chrome browser and appears to send them to FSLabs.


    “This is by far one of the most extreme, and bizarre, methods of Digital Rights Management (DRM) we've ever seen.”


    Founder and owner of FSLabs Lefteris Kalamaras took to the flight simulator’s forums to speak out about the malware claims.


    He said: “First of all—there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products.


    “We all realise that you put a lot of trust in our products and this would be contrary to what we believe.


    “There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.”


    Google Chrome users have been warned the malware could have reached 'thousands' of PCs


    Kalamaras explained the installer would check whether a user entered in a serial number that had previously been identified as one used by pirates.


    If a serial number was entered that matched one that had been flagged up, then the Chrome password dump tool would kick in.


    Kalamaras said this was only meant to target specific pirates that were trying to bypass its DRM (digital rights management) system.


    He added: “Test.exe is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally.


    “That programme is only extracted temporarily and is never under any circumstances used in legitimate copies of the product.


    “The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).”


    Kalamaras admitted his firm’s approach to DRM was “overly heavy-handed” and a new installer has been released without the test.exe file.


    He wrote: ”We have already replaced the installer in question and can only promise you that we will do everything in our power to rectify the issue with those who feel offended, as well as never use any such heavy-handed approach in the future.


    “Once again, we humbly apologise."


    However, cybersecurity expert Mabbitt told ZDNet that what had been done was “incomprehensible”.


    He also said the malware itself, while not activated, would have been “dropped on every single PC it [the FSLabs software] was installed on”.


    He said: "Their statement is more a personal justification of what they've done, and they're not comprehending what exactly they just did.


    “The fact is they dropped malware on [potentially] thousands of machines, secretly, in an attempt to gather information on a single target.


    "Regardless if the target in question was pirated copies of the game or not, dumping their Chrome usernames/passwords and siphoning them off, insecurely too, to servers under their control is incomprehensible.


    "They've noted they knew what serials the pirate was using. Surely, the logical next step was simply to blacklist those serials and prevent them from being used."

    https://www.express.co.uk/life-style...alware-warning

  8. #558 harrybarracuda
    AutoSploit: Making Massive Cyber Attacks Too Easy?


    The introduction on January 30th of AutoSploit, a self-described "automated mass exploiter" that makes it disturbingly easy for less technical hackers to launch cyber attacks, caused some panic in the security community.
    The tool leverages the Shodan search engine to find potential targets, and can provide targets in response to search terms. "After [the search] operation has been completed the 'Exploit' component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them," AutoSploit author VectorSEC wrote.
    In an analysis of the tool, Rapid7 research director Tod Beardsley noted that AutoSploit "doesn't appear to offer any mechanism to assess and exploit targets that aren't picked essentially at random."
    "In the end, I can't figure out how to use Autosploit.py in a way that isn't merely a random act of vandalism," Beardsley added. "As a user, I have little to no control over target selection, which means I am necessarily going to cause headaches and harm to innocent bystanders."

    In response, VectorSEC tweeted, "Don't worry guys. The new version will have an option included that will allow the user to select a custom list of targets."
    Regardless, it's worth questioning how much of a threat AutoSploit presents on its own. British security architect Kevin Beaumont suggested, "If anybody is concerned about this, your threat model collapses at kids being bored running python scripts."
    An opportunity for script kiddies

    Still, AutoSploit could provide a less skilled attacker with an unprecedented amount of power. Stephanie Weagle, vice president of Corero, told eSecurity Planet by email that AutoSploit "provides an unending opportunity for cybercriminals and script kiddies to hijack vulnerable devices and subsequently launch attacks against online organizations with ease."
    And Weagle said companies have to respond. "It is now imperative for organizations to implement a next generation Internet gateway that includes a DDoS layer of security to immediately detect and mitigate DDoS attacks," she said. "Without this DDoS mitigation layer, companies who are hit with a DDoS attack could face significant loss of revenues and reputation due to outages."
    At the same time, Plixer director of strategic relationships and marketing Bob Noel said it's important to remember that AutoSploit doesn't introduce anything new in terms of malicious code or attack vectors. "What it does present is an opportunity for those who are less technically adept to use this tool to cause substantial damage," he said.
    Ultimately, Noel said, AutoSploit expands the threat landscape by allowing a wider range of people to launch major attacks. "It also demonstrates that it is impossible for organizations to prevent all cyber attacks, and this should act as a wake-up call to invest in incident response technologies, people and best security practices," he said.
    But Synopsys vice president of security technology Gary McGraw cautioned against overreacting to the news. "Tools for improving computer security can also be used to do bad things," he said. "Try to do good things with them."
    "Oh, and fix the broken software," he added. "Really."

    https://www.esecurityplanet.com/thre...-too-easy.html

  9. #559 harrybarracuda
    Some interesting facts in a report about Phishing:

    The company based the report on data from tens of millions of simulated phishing attacks, and they found that:

    • Personalized phishing tests (personalized email address, first name or last name) are no more effective than non-personalized ones.
    • End users are most likely to report suspicious emails in the middle of the week.
    • The topics and themes that are most tempting to end users are “online shopping security updates,” “corporate voicemail from an unknown caller,” and “corporate email improvements.”
    • Two simulated phishing templates had a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan.
    • Organizations in the telecommunications, retail, consumer goods, government, and hospitality industries have, on average, the worst click rate (15% to 13%), while those in the energy, finance, transportation and defense industrial base industries have the best (8% to 3%).

    https://www.helpnetsecurity.com/2018/02/23/phishing-messages/

  10. #560 harrybarracuda
    German government confirms hackers blitzkrieged its servers to steal data

    Probably-Russian Fancy Bear team fingered for attack

    By Iain Thomson in San Francisco 1 Mar 2018 at 06:03

    The German Interior ministry has confirmed that it has identified a serious attack against its servers, amidst reports that the culprits were the Russian APT28 – aka Fancy Bear – hacking group.
    On Wednesday local news site DPA International reported that the German government discovered a serious intrusion into its servers in December 2017. The attack is thought to have seen data exfiltrated for up to a year before its discovery.
    Johannes Dimroth, a spokesman for the ministry, confirmed that "government information technology and networks," had been affected by an intrusion. "The incident is being treated as a high priority and with substantial resources," he said.
    Fancy Bear has been active for at least a decade. Its activities have often had non-Russian government targets. The group was fingered for the Democratic National Committee hack ahead of the 2017 US Presidential election, attacks during the 2017 French election, brazen rummaging in Finnish security forces' servers and even attacks on the sports doping authorities.
    In December 2016 Germany's Federal Office for the Protection of the Constitution took the unusual step of issuing a public warning about hacking ahead of national elections in September 2017. That warning named Russia as the likely culprit.
    Russia has always denied that it has anything to do with Fancy Bear, but the types of malware used, the software and coding styles, and its choice of targets suggest that Putin and his pals might have Fancy Bear dancing to their tune.
    This latest attack on Germany will not serve to warm relations between these two historical enemies. With Russia looking to take an increasingly muscular role in European affairs, hopefully such conflicts will not leave the online realm. ®

    https://www.theregister.co.uk/2018/0...to_steal_data/

  11. #561 harrybarracuda
    In a major win for US law enforcement, Israeli cyber forensics firm, Cellebrite, which is a major government contractor, claims to have found a way to break into any iPhone in the market. The company says that it can get around the security of devices running from iOS 5 to iOS 11.


    The company is allegedly actively advertising to law enforcement and private forensics from across the globe.


    This reportedly includes the iPhone X, which Forbes reported had been successfully breached by the Department of Homeland Security in November 2017 with suspected involvement of Cellebrite technology.


    The reporter was able to dig up a warrant for the same, which notes that the department’s Cellebrite specialist performed a “forensic extraction” in December, although the exact method of unlocking the iPhone is not mentioned.


    Apple has repeatedly refused to help law enforcement agencies break into iPhones, stating the need to protect its customers’ privacy. This decision has often led to clashes between the two.


    In the past, there have been various cases when law enforcement called upon Apple to provide a way to unlock the iPhones to access necessary information, even going so far as to obtain a court order to help disable the PIN feature. However, Apple has always refused.


    If Cellebrite has indeed found a way to hack into iPhones, it could lead to a major change in their interactions.

    Israeli company says it can break into any iPhone, and can help law do the same - E Hacking News

  12. #562 david44
    Certainly won't do their stocks any harm.

  13. #563 harrybarracuda
    Microsoft Resumes Issuing Windows Patches to Fix Meltdown, Spectre

    By: Pedro Hernandez| March 02, 2018

    Microsoft has resumed issuing patches to fix Meltdown and Spectre CPU vulnerabilities in PC CPUs after the software giant and its hardware partners have had time to evaluate the best ways to fix what proved to be a complex cyber-security problem.
    Like most major software vendors, Microsoft rushed to update its Windows operating systems after the software giant was notified of the vulnerabilities in modern-day computer processors.
    That’s because it was clear after the vulnerabilities were disclosed in the early days of 2018 that they can undermine some of the most fundamental data protection mechanisms found in today's CPUs, including those from Intel, Advanced Micro Devices (AMD) and Arm.

    Meltdown and Spectre essentially dissolve the barriers that prevent applications and attackers from arbitrarily accessing system memory. If exploited, the flaws could potentially allow attackers and malicious software to access memory locations that are ordinarily off limits, exposing sensitive information.
    Although few Meltdown- and Spectre-based attacks have been detected so far, the risk posed by the flaws has the IT industry on high alert and still dealing with the fallout. Microsoft released an emergency patch for Windows in January to reverse an earlier microcode patch from Intel that caused instability in some systems with Broadwell and Haswell processors.
    Now, Microsoft is taking a more cautious approach to issuing Windows patches that touch both the operating system and any Intel-based hardware it runs on.
    "While firmware (microcode) security updates are not yet broadly available, Intel recently announced that they have completed their validations and started to release microcode for newer CPU platforms," wrote John Cable, director of Program Management, Windows Servicing and Delivery, at Microsoft in a March 1 blog post.
    "Today, Microsoft will make available Intel microcode updates, initially for some Skylake devices running the most broadly installed version of Windows 10—the Windows 10 Fall Creators Update—through the Microsoft Update Catalog, KB4090007."
    First introduced in 2015, Skylake is the codename of Intel's sixth-generation Core processors. According to the support document pertaining to KB4090007, the patch will target the Skylake H and S processors for notebooks and desktops, along with power-sipping Intel Core m processors, Skylake U/Y and U23e chips. The patch applies to version 1709 of Windows 10 and the Datacenter and Standard editions of Windows Server.
    Of course, Microsoft is just one of several operating system makers that have had to issue fixes for Meltdown and Spectre.
    On Jan. 28, and a little later than usual, Linus Torvalds released Linux 4.15 with patches addressing the CPU flaws. In his release announcement, he acknowledged that the process for releasing the new Linux kernel "was not a pleasant release cycle, with the whole Meltdown/Spectre thing coming in in the middle of the cycle."
    A day later, Apple announced it had released a series of updates for various macOS operating systems and other software, including macOS Sierra, High Sierra, El Capitan, iOS and the Safari browser on select versions of macOS.
    Google, whose Project Zero cyber-security research unit had a hand in unearthing the CPU vulnerabilities, was quick to address them across its product portfolio, including Android and Chrome OS, the company revealed on Jan. 3.

    Microsoft Adds Intel Firmware Fix to Meltdown and Spectre Patch

  14. #564 harrybarracuda
    Time to update Adobe Flash Player if you have it.


    Cybercriminals are leveraging a recently patched critical Adobe Flash Player vulnerability in a massive spam campaign targeting unpatched computers.
    According to cybersecurity firm Morphisec, cybercriminals are blasting spam messages that urge recipients to click a link to download a Word document. And when a victim opens the document and enables macros, malware attempts to exploit an Adobe Flash Player bug (CVE-2018-4878) patched by Adobe earlier this month. Victims who fall for the ploy could ultimately hand over control of their systems to an attacker, according to researchers.
    Adobe classified the bug as critical, describing it as a use-after-free vulnerability impacting its Adobe Flash Player running on Windows 10, macOS, Linux and Chrome OS systems. The flaw was originally found by the South Korean Computer Emergency Response Team on Jan. 31 and identified as a Flash SWF file embedded in Microsoft Word and Excel documents.


    Michael Gorelik, chief technology officer and vice president of Research and Development at Morphisec, said that as part of the recent spam campaign victims were sent emails with short links to the malicious Word documents for download. He added, the malicious attachments were able to, for the most part, circumvent AV protection – showing a low detection ratio on VirusTotal.
    “After downloading and opening the Word document, the attack exploits the Flash vulnerability 2018-4878 and opens a (command prompt) which is later remotely injected with a malicious shellcode that connects back to a malicious (C2) domain,” Gorelik wrote in a technical write-up outlining the attacks. “The next step, the shellcode downloads a ‘m.db’ dll from the same domain, which is executed using regsvr32 process in order to be able to bypass whitelisting solutions.”
    A regsvr32 (Microsoft Register Server) process is a command-line utility that is part of the Windows OS and is used for registering and unregistering DLLs and ActiveX controls within the context of the Windows Registry.
    Researchers said the analytics for the short links used in the email spam campaign shows the same pattern as a legitimate email campaigns, making them hard to detect. “Clickthroughs spike in the first couple of hours after emails are sent. Signature-based defenses, like antiviruses, cannot cope with this pace,” Gorelik wrote.
    The campaign tracked by Morphisec was “just a few hours long” and targeted inboxes in the U.S. and Europe. “The documents were downloaded from the safe-storge[.]biz domain and went almost entirely undetected with an 1/67 detection ratio,” according to Gorelik.
    An Adobe spokesperson, when asked to comment on the spam campaign, said, “the majority of exploits are targeting software installations that are not up-to-date on the latest security updates. We always strongly recommend that users install security updates as soon as they are available.”
    Looking forward, Gorelik said that he expects CVE-2018-4878 to cause more headaches in the years to come.
    “Adobe released a patch early February, but it will take some companies weeks, months or even years to rollout the patch and cyber criminals keep developing new ways to exploit the vulnerability in this window,” he said.

    https://threatpost.com/massive-malsp...ystems/130136/
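
    The chain Gorelik describes (Word document, command prompt, shellcode, then regsvr32 executing a downloaded "m.db") leaves a recognisable trail in process-creation telemetry, which is what to hunt for in the window before a Flash patch is rolled out. The block below is an added example, not Morphisec's code or tooling. The event records are constructed and loosely modelled on the parent-image, image and command-line fields of a Sysmon process-creation event; the user name, the temp path and the benign msxml3.dll event are assumptions made to give the rules something to pass and something to flag.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One process-creation event: a constructed stand-in for a Sysmon
 * Event ID 1 style record (parent image, image, command line). */
typedef struct {
    const char *parent;
    const char *image;
    const char *cmdline;
} proc_event;

/* Constructed sample events replaying the chain from the write-up:
 * Word -> cmd.exe -> regsvr32 loading m.db from a temp directory,
 * plus two benign events that the rules must leave alone. */
static const proc_event SAMPLE_EVENTS[] = {
    { "explorer.exe", "WINWORD.EXE",  "\"C:\\Program Files\\Microsoft Office\\WINWORD.EXE\" invoice.docx" },
    { "WINWORD.EXE",  "cmd.exe",      "cmd.exe" },
    { "cmd.exe",      "regsvr32.exe", "regsvr32.exe /s C:\\Users\\bob\\AppData\\Local\\Temp\\m.db" },
    { "svchost.exe",  "regsvr32.exe", "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll" },
};
static const size_t SAMPLE_COUNT = sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0];

/* Case-insensitive string equality (Windows image names vary in case). */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Case-insensitive substring search. */
static bool icontains(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

/* Rule 1: an Office application spawning a command interpreter, the
 * "opens a command prompt" step of the chain. */
static bool office_spawns_shell(const proc_event *e) {
    static const char *const office[] = { "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE" };
    static const char *const shells[] = { "cmd.exe", "powershell.exe" };
    bool from_office = false, is_shell = false;
    for (size_t i = 0; i < 3; i++) if (ieq(e->parent, office[i])) from_office = true;
    for (size_t i = 0; i < 2; i++) if (ieq(e->image, shells[i]))   is_shell = true;
    return from_office && is_shell;
}

/* Rule 2: regsvr32 asked to register a module that is not a .dll or that
 * lives under a user-writable path. The write-up's m.db hits both. The
 * module is taken as the last space-separated token of the command line. */
static bool regsvr32_odd_module(const proc_event *e) {
    if (!ieq(e->image, "regsvr32.exe")) return false;
    const char *arg = strrchr(e->cmdline, ' ');
    if (!arg) return false;
    arg++;
    size_t n = strlen(arg);
    bool not_dll   = !(n >= 4 && ieq(arg + n - 4, ".dll"));
    bool user_path = icontains(arg, "\\AppData\\") || icontains(arg, "\\Temp\\") ||
                     icontains(arg, "\\Users\\");
    return not_dll || user_path;
}

static bool is_suspicious(const proc_event *e) {
    return office_spawns_shell(e) || regsvr32_odd_module(e);
}

/* Run both rules over a batch; returns the number of flagged events. */
static int scan_events(const proc_event *events, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_suspicious(&events[i])) {
            hits++;
            printf("ALERT: %s -> %s [%s]\n", events[i].parent, events[i].image, events[i].cmdline);
        }
    }
    return hits;
}

int main(void) {
    printf("%d suspicious event(s)\n", scan_events(SAMPLE_EVENTS, SAMPLE_COUNT));
    return 0;
}
```

    Both rules are behavioural rather than signature-based, which is the point Gorelik makes about the 1/67 VirusTotal ratio: the lure document changes per campaign, but Word spawning cmd.exe and regsvr32 loading a non-DLL out of %TEMP% do not. The last-token parsing in rule 2 is deliberately simple and would need quoting support before use on real command lines with spaces in the module path.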


  15. #565 harrybarracuda
    Microsoft starts releasing Microcode patches for certain processors to fix Spectre.

    The Knowledgebase page is:

    https://support.microsoft.com/en-us/...rocode-updates

    At present there are only a couple on it, but the list will be amended as new fixes arrive.

    If you're not sure what your processor is, then I would try this (Windows):

    https://www.cpuid.com/softwares/cpu-z.html

  16. #566 baldrick
    Quote Originally Posted by harrybarracuda View Post
    If you're not sure what your processor is
    if you're not sure what a processor is - have another beer

  17. #567 Latindancer
    Belarc Advisor is telling me that I have a 2.67 Gigahertz Intel Core Quad Q9450.

    Is Q9450 the ID ?

    And I should wait and check that website to see if a patch is made ?

  18. #568 harrybarracuda
    Quote Originally Posted by Latindancer View Post
    Belarc Advisor is telling me that I have a 2.67 Gigahertz Intel Core Quad Q9450.

    Is Q9450 the ID ?

    And I should wait and check that website to see if a patch is made ?
    Fuck knows.

  19. #569 baldrick
    It is about 10 years old and is affected by spectre

    Doubt you will get any sort of patch. No chance of firmware
    Maybe Windows updates are your only chance

  20. #570
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    97,368
    Malware was discovered on point of sales systems at more than 160 Applebee’s restaurants, exposing credit card information from unknowing diners.

    RMH Franchise Holdings, which owns and operates more than 160 Applebee’s stores across the U.S., said that it recently discovered malware infecting its point of sale systems (POS). The malware may have enabled hackers to steal certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods.

    Stores were impacted on varying dates, with most POS systems first hit in either November or December 2017 until January, according to RMH’s website.

    “RMH believes that unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations,” the company said in a statement.


    Upon learning of a potential incident, RMH told Threatpost it promptly launched an investigation, obtained the help of leading cyber security forensics firms, and reported the matter to law enforcement.


    “Due to existing security measures that were already in place at RMH, the incident had been contained by the time that it was discovered on February 13, 2018,” an RMH spokesperson told Threatpost.


    RMH said it operates its point-of-sale systems isolated from the broader Applebee’s network, and this notice applies only to RMH-owned Applebee’s restaurants. The company did not respond to a question asking what type of POS device or malware was used in its Applebee’s stores targeted in the attack.


    POS malware is a growing menace for retailers in the hospitality industry. Most recently, in January, fashion retailer Forever 21 revealed that malware had sat on certain POS terminals for almost eight months in its stores, allowing hackers to steal consumer credit card data from the company.


    Other impacted companies in 2017 include Intercontinental Group, which said its payment card systems in 12 of its hotels had been breached. The Hard Rock Hotels and Casinos franchise also was stung by POS malware that managed to infect the chain’s inventory management SaaS application.


    “We’re seeing more of these types of breaches happening… it’s an industry wide problem as more retailers look to an ecosystem of providers to bring in third party systems like point of sale and inventory management solutions,” Fred Kneip, CEO of security firm CyberGRX told Threatpost. “As of today a lot of stores are playing catch up with security, and it can take months or years to realize that compromises have happened on third party systems.”


    In a statement, RMH urged customers to monitor their bankcard statements. But the ultimate security safeguards against POS malware must come from retailers themselves, Kneip said.


    “Chain restaurants not only need a real-time feed of threats emanating from vendors to mitigate malicious access to their networks, they need to measure and monitor how other third parties like franchisees and divisions are managing this type of risk,” he said.

    https://threatpost.com/pos-malware-f...ations/130281/

  21. #571
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    97,368
    An interesting one. I always turn Cortana off, but mainly because I find it as irritating as that fucking paper clip.


    Researchers Bypassed Windows Password Locks With Cortana Voice Commands

    Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana.

    One of the most basic steps a computer user can take to secure their system against someone with physical access to it is to configure it to password-lock after an interval of inactivity. This prevents nosy office colleagues and Starbucks patrons from peering at your screen when you step away, and also helps protect against most "evil maid" attacks—where a malicious hotel worker, airport security agent, or someone else with brief access to your machine plugs a malicious USB stick into it to implant spyware.

    But two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems.

    Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https—that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.


    "We start with proximity because it gives us the initial foothold in [a] network," Shulman told me in a call. "We can attach the computer to a network we control, and we use voice to force the locked machine into interacting in an insecure manner with our network."

    The attacker can also connect the targeted computer to a Wi-Fi network the attacker controls. An attacker can do this by simply clicking on the chosen network with the mouse, even when the computer is locked.


    "One of the things we saw was that even when a machine is locked, you can choose the network to which that machine is attached," he notes. The researchers plan to present their findings this Friday at the Kaspersky Analyst Security Summit in Cancun.

    Voice-command systems like Cortana and Siri have made computer tasks simple and quick, without the annoying need to type every command into a keyboard or maneuver and click a mouse. But with ease of use comes new ways for hackers to seize control of computers and smartphones.

    In Windows 10, the default setting tells Cortana to respond to any voice calling "Hey Cortana," even when the computer is locked. An alternate setting tries to limit this to just the computer owner by telling Cortana to "try to respond only to me." With this setting, the user provides voice-command samples to help the virtual assistant fingerprint and recognize it.


    The attack Be'ery and Shulman designed works because Cortana allowed direct browsing to web sites, even when a machine was locked—or at least it did until Microsoft fixed the problem after the researchers disclosed it to the company.


    Although anyone in the vicinity of a voice attack might hear someone issuing verbal commands to Cortana, this wouldn't be the case if the attacker employed a technique developed by Chinese researchers last year called the DolphinAttack. This technique uses silent, covert ultrasound commands sent to a computer in frequencies that a computer microphone can detect but not the human ear. They successfully tested the technique on all of the top voice-command systems, including Siri, Google Now, Cortana, and Alexa.

    Once an attacker compromises a Cortana machine, per Be'ery and Shulman's technique, and has this initial foothold, he or she can use the same concept to amplify the attack and move laterally to infect other computers in a room where that computer resides or on a local network.

    "It's interesting if it's to abuse a locked computer, but if it requires physical proximity or physical access, it's less interesting, of course," says Shulman. "It's more interesting if it can be done remotely."


    They would do this by downloading malware to the initial machine that allows them to do ARP poisoning—a method that tricks other machines on a local network into sending traffic through a machine the attacker controls. Be'ery and Shulman created a proof-of-concept tool they call Newspeak or "Fake News" Cortana that monitors all Cortana requests and responses on every machine on a network. If a user tells Cortana to go to CNN.com, the attacker's malicious proxy intercepts this and directs them to a malicious page instead, where they get infected.


    An attacker could also force a Cortana session on other machines by playing a sound file over the infected computer's speakers that tells the Cortana agent on those machines to launch their browsers and visit a web site—a session that then gets intercepted and redirected by the Newspeak tool.


    "So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another," Be'ery says. "[It] very much could be like a Hollywood movie where everyone is asleep and no one is in the office and the computers come to life and are shouting at each other."


    Microsoft fixed the issue Be’ery and Shulman found by forcing all browsing done through Cortana and a locked machine to go to its Bing search engine instead of directly to a web page. But the researchers say Cortana still responds to other commands when locked, and they're currently researching what else they might get Cortana to do in a locked state.


    The researchers say the Cortana flaw highlights an ongoing problem with new interfaces software makers introduce without understanding the security issues they can create. They say it's only a matter of time before new command interfaces that use things like hand gestures, instead of voice commands, become available that could open systems to the same kinds of attacks.

    "We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it," says Be'ery. "Every new machine interface that we introduce creates new types of vehicles to carry an attack vector into your computer."

    https://motherboard.vice.com/en_us/a...voice-commands
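    The article notes that Windows 10's default lets Cortana answer "Hey Cortana" on a locked machine. The defensive control for that is the "Allow Cortana above lock screen" policy, which Microsoft ships as Group Policy (it is not mentioned in the article). As an added example, not from the article or the researchers, this PowerShell snippet audits and enforces that policy through its registry-backed value; it assumes Windows 10 1607 or later and an elevated session.

```powershell
# Added example: audit and enforce "Allow Cortana above lock screen" so the
# assistant cannot be driven by voice (audible or ultrasonic) while the
# workstation is locked. Assumes Windows 10 1607+ and an elevated PowerShell.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyName = 'AllowCortanaAboveLock'   # DWORD; 0 = Cortana disabled on the lock screen

function Get-CortanaLockScreenState {
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy value at all: Windows falls back to its default, which the
        # article describes as answering any voice on the lock screen.
        return 'NotConfigured (default: Cortana answers on the lock screen)'
    }
    if ([int]$item.$PolicyName -eq 0) { return 'Disabled above lock' }
    return 'Enabled above lock'
}

function Disable-CortanaAboveLock {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
    # Policy values are picked up at sign-in; sign out or reboot to make it effective.
}

Write-Host "Before: $(Get-CortanaLockScreenState)"
Disable-CortanaAboveLock
Write-Host "After:  $(Get-CortanaLockScreenState)"
```

    On a domain-joined machine set the same policy centrally (Computer Configuration > Administrative Templates > Windows Components > Search) rather than editing the local key, so that a local change cannot silently drift back.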
  22. #572
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    97,368
    Paying off a ransomware demand is a great way to end up losing both your money and your files.


    This according to a study from security company CyberEdge, which found that for those hit by a ransomware infection the best bet is probably to just restore from a backup. The survey, based on a poll of information security professionals, found that less than half of those who pay a ransom demand end up getting their data back.

    The report says that 55 per cent of the people it surveyed reported a malware infection hitting their systems in 2017. Spain had the highest rate, with 80 per cent of respondents reporting malware, followed by companies in China (74 per cent) and Mexico (71.9 per cent.) In the US, 53.8 per cent of respondents were hit by ransomware, while slightly under half of those in the UK, 49.5 per cent, were hit.


    Overall, 72.4 per cent of those who were infected with ransomware were able to get their data back. Most of those, however, were companies that simply ignored the ransom demands, then restored their systems with uninfected backup copies. The study found that 86.9 per cent of those who refused to pay the demand ended up recovering their data.


    Of those who caved to the demand and paid the ransom, 49.4 per cent said they could recover their data, while 50.6 per cent ended up losing it anyway. The not-so-shocking conclusion is that criminals don't always stay true to their word.


    "It's like flipping a coin twice consecutively – once to determine if your organization will be victimized by ransomware, and then, if you decide to pay the ransom, flip it again to determine if you'll get your data back," CyberEdge says.


    "The clear lesson here is the critical importance of maintaining up-to-date offline backups."


    There is some good news to be had in the report, at least. CyberEdge notes that, for the first time in the five years it has been doing the annual report, the number of respondents reporting at least one attack was down (from 79.2 per cent to 77.2) and the number of companies that were frequently attacked, more than six times in a year, was also down.


    "Perhaps this is more evidence that IT security has finally stopped the bleeding of rising cyberattacks," CyberEdge says.


    We can only hope so. ®

    https://www.theregister.co.uk/2018/0...ir_files_back/

  23. #573
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    97,368
    Now it's AMD's turn....

    What happened?

    13 Critical Security Vulnerabilities and Manufacturer Backdoors discovered throughout AMD Ryzen & EPYC product lines.


    Am I affected?

    Any consumer or organization purchasing AMD Servers, Workstations, or Laptops are affected by these vulnerabilities.


    What is this site for?

    This site is to inform the public about the vulnerabilities and call upon AMD and the security community to fix the vulnerable products.

    https://amdflaws.com/

  24. #574
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    97,368
    As part of Patch Tuesday, Microsoft today released a patch for CVE-2018-0886, a remote code execution vulnerability in the company's authentication processing Credential Security Support Provider (CredSSP) protocol, which is used by Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM).

    The flaw could allow an attacker to steal user credentials and execute code on a target system.

    "Any application that depends on CredSSP for authentication may be vulnerable to this type of attack," Microsoft warned.


    To mitigate the threat, Microsoft is urging admins to enable Group Policy systems on their systems and update all Remote Desktop clients. "We recommend that administrators apply the policy and set it to 'Force updated clients' or 'Mitigated' on client and server computers as soon as possible," the company advised. "These changes will require a reboot of the affected systems."


    The vulnerability also highlights the importance of patch management systems.

    Broad exposure


    The vulnerability was first uncovered by Preempt Security researchers, who noted that it affects all versions of Windows.

    "In terms of the vastness of this issue, we can note that RDP is the most popular application to perform remote logins," Preempt lead security researcher Yaron Zinar wrote in a blog post. "To further highlight this, in Preempt internal research we found that almost all enterprise customers are using RDP, making them vulnerable to this issue."


    Zinar noted that blocking the relevant application ports/service (RDP, DCE/RPC) would block the attack. "It is recommended to apply the proper network segmentation policy and block unnecessary ports/services," he wrote.


    Similarly, the attack relies on privileged users using their credentials to perform IT operations. "In order to better protect your network, you should reduce privileged account usage as much as possible and use non-privileged accounts whenever applicable," Zinar added.


    The researchers plan to demonstrate the attack next week at Black Hat Asia 2018.


    Limiting access


    Nathan Wenzler, chief security strategist at AsTech, told eSecurity Planet by email that vulnerabilities like these serve as yet another example of how dangerous it can be to rely on security or admin tools without locking them down with hardened configurations.

    "Of course, Microsoft has an obligation to ensure the vulnerability is fixed, which they're doing, but it's imperative that admins and security practitioners are doing more to reduce the amount of privileged access their administrators possess, that tools such as RDP are disabled if they're not being used, and doing whatever else they can to limit the amount of administrator-level exposure that an attacker might be able to compromise anywhere along the chain and then use to wreak havoc on the rest of the network," Wenzler said.

    Still, Vectra head of security analytics Chris Morales noted that several variables have to be right for this attack to succeed. "Most importantly, the attacker needs to already be on the network and in a position between the clients and servers," he said. "If an attacker is already that deep in the network, there are many other things they could do to scope out a network, find authentication accounts and compromise a server."


    As a result, Morales suggested, this threat might be best classified as an internal reconnaissance activity, one of many that an attacker might use. "As long as a company is properly monitoring their internal environment for attacker behaviors, and can correlate this type of behavior with other attacker behaviors, they should have sufficient visibility to detect and respond to this type of reconnaissance behavior," he said.

    https://www.esecurityplanet.com/thre...erability.html
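    The article tells admins to apply the CredSSP policy and set it to "Force updated clients" or "Mitigated". That policy (Encryption Oracle Remediation) is stored as the AllowEncryptionOracle DWORD under the CredSSP\Parameters policy key, with 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable; those names and values come from Microsoft's CVE-2018-0886 guidance, not from this article. As an added example, not Microsoft's or Preempt's code, this PowerShell script audits a host's setting and tightens it, assuming the March 2018 CredSSP update is already installed and the session is elevated.

```powershell
# Added example: audit and enforce the CredSSP "Encryption Oracle Remediation"
# setting for CVE-2018-0886. Assumes the CredSSP update is installed and the
# shell is elevated. Value meanings follow Microsoft's guidance for the policy.

$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

$Meaning = @{
    0 = 'Force updated clients (unpatched peers refused on both sides)'
    1 = 'Mitigated (clients refuse unpatched servers; servers still accept unpatched clients)'
    2 = 'Vulnerable (interoperates with unpatched peers; exposed to the attack)'
}

function Get-CredSspOracleSetting {
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit policy: the update's built-in default applies. Set it
        # explicitly so the host's posture is known rather than assumed.
        return [pscustomobject]@{ Configured = $false; Value = $null; Meaning = 'Not configured' }
    }
    $v = [int]$item.$ValueName
    [pscustomobject]@{ Configured = $true; Value = $v; Meaning = $Meaning[$v] }
}

function Set-CredSspOracleSetting {
    param([ValidateSet(0, 1, 2)][int]$Level = 0)
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
    # As the article notes, the change needs a reboot to take effect.
}

$current = Get-CredSspOracleSetting
Write-Host "CredSSP AllowEncryptionOracle: $($current.Meaning)"
if (-not $current.Configured -or $current.Value -eq 2) {
    Write-Host "Applying 'Force updated clients' (0); reboot afterwards."
    Set-CredSspOracleSetting -Level 0
}
```

    Roll out "Force updated clients" only after the RDP and WinRM clients that connect to the host are patched; until then "Mitigated" (1) keeps the host from being talked down to the insecure protocol while still accepting older clients.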

  25. #575
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    97,368
    Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.

    Dubbed RottenSys, the malware, disguised as a 'System Wi-Fi service' app, came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE—added somewhere along the supply chain.

    All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.

    According to Check Point Mobile Security Team, who uncovered this campaign, RottenSys is an advanced piece of malware that doesn't provide any secure Wi-Fi related service but takes almost all sensitive Android permissions to enable its malicious activities.

    "According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys," researchers said.

    To evade detection, the fake System Wi-Fi service app comes initially with no malicious component and doesn’t immediately start any malicious activity.

    Instead, RottenSys has been designed to communicate with its command-and-control servers to get the list of required components, which contain the actual malicious code.

    RottenSys then downloads and installs each of them accordingly, using the "DOWNLOAD_WITHOUT_NOTIFICATION" permission that does not require any user interaction.

    Hackers Earned $115,000 in Just Last 10 Days


    At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.

    "RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks," researchers said.

    According to the CheckPoint researchers, the malware has made its authors more than $115,000 in the last 10 days alone, but the attackers are up to "something far more damaging than simply displaying uninvited advertisements."

    Since RottenSys has been designed to download and install any new components from its C&C server, attackers can easily weaponize or take full control over millions of infected devices.

    The investigation also disclosed some evidence that the RottenSys attackers have already started turning millions of those infected devices into a massive botnet network.

    Some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.

    "Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices," researchers noted.

    This is not the first time CheckPoint researchers have found top-notch brands affected by a supply chain attack.

    Last year, the firm found smartphones belonging to Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo infected with two pieces of pre-installed malware (Loki Trojan and SLocker mobile ransomware) designed to spy on users.

    How to Detect and Remove Android Malware?


    To check if your device is infected with this malware, go to Android system settings → App Manager, and then look for the following possible malware package names:


    • com.android.yellowcalendarz (每日黄历)
    • com.changmi.launcher (畅米桌面)
    • com.android.services.securewifi (系统WIFI服务)
    • com.system.service.zdsgt

    If any of the above is in the list of your installed apps, simply uninstall it.

    https://thehackernews.com/2018/03/android-botnet-malware.html
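    The manual check above scales badly across a fleet of handsets. As an added example (not from the article or from Check Point), this PowerShell script does the same check over ADB: it pulls the installed package list, looks for exact matches against the four package names the article gives, and uninstalls any hit for the primary user. It assumes the Android platform tools are installed, adb is on PATH, and USB debugging is enabled on the device being inspected.

```powershell
# Added example: scan an Android device over ADB for the RottenSys package
# names listed in the article and remove them for the primary user.
# Assumes adb on PATH and USB debugging enabled on the device.

$RottenSysPackages = @(
    'com.android.yellowcalendarz',
    'com.changmi.launcher',
    'com.android.services.securewifi',
    'com.system.service.zdsgt'
)

function Find-RottenSysPackages {
    # Takes raw 'pm list packages' lines ("package:<name>") so it can also be
    # run over output saved from a device that is not currently attached.
    param([string[]]$PackageListLines)
    $installed = $PackageListLines | ForEach-Object {
        if ($_ -match '^package:(.+)$') { $Matches[1].Trim() }
    }
    # Exact-name match only: a package that merely contains "securewifi"
    # is not evidence of RottenSys.
    $installed | Where-Object { $RottenSysPackages -contains $_ }
}

function Test-DeviceForRottenSys {
    $lines = & adb shell pm list packages 2>&1
    if ($LASTEXITCODE -ne 0) { throw "adb failed: $lines" }
    $hits = @(Find-RottenSysPackages -PackageListLines $lines)
    if ($hits.Count -eq 0) {
        Write-Host 'No RottenSys package names found.'
        return $hits
    }
    foreach ($p in $hits) {
        Write-Host "Found $p - uninstalling for user 0"
        # Supply-chain additions may live in the system partition; uninstalling
        # for user 0 removes the app from the primary profile even then, though
        # only a firmware reflash removes the copy in the system image.
        & adb shell pm uninstall --user 0 $p
    }
    return $hits
}

Test-DeviceForRottenSys
```

    Because RottenSys fetches its real components later from its C&C servers, a clean package list on one day is not proof the device is clean; keep the check in a periodic inventory job rather than running it once.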
