More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is still infected.
A spokesperson told Threatpost that Invincea’s original notification was not acknowledged and the company suspects this is a continuation of the same attack and the site was never cleaned up.
Invincea said it has again notified DailyMotion, which is the 96th most popular destination on the Internet according to Alexa. The site allows users to upload and share videos.
The attack was originally reported Jan. 7 when malicious ads were discovered on the site. Those ads were redirecting visitors to a fake AV scam. Invincea said today that the same threat is happening on the site.
A video on the security firm’s website demonstrates what happens to a site visitor. Landing on the DailyMotion homepage, a visitor is presented with a dialog box warning the user that “Microsoft Antivirus” found a problem on the victim’s computer and that it needs to be cleaned. A list of potential problems is shown next and the user is enticed to run an executable pretending to be security software.
A report from Invincea shows a number of files written to the compromised computer were launched and stored in order to maintain persistence at startup. It also shows the computer communicating out to servers in the United States and Romania.
In its original advisory on Jan. 7, Invincea said that the malicious ads redirect to a third-party domain in Poland called webantivirusprorh[.]pl (93[.]115[.]82[.]246). According to VirusTotal, 10 of 47 antivirus products detect the threat; most detect it as a variant of the Graftor Trojan. The initial redirect, Invincea said, is loaded via engine[.]adzerk[.]net.
With fake AV scams, victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection.
Other scams, such as ransomware infections, build off this same premise but are much more sinister in that they use harsher tricks to get the user to install the malware. Some ransomware attacks lock down computers and inform the user that their machine has been taken over by law enforcement because of some illicit activity online and that the victim must pay a ransom to get their computer unlocked.
Malicious advertising, also known as malvertising, is becoming a common attack vector for spreading fake AV, ransomware and other malware by redirecting victims to exploit kits. One such campaign was uncovered in September, in which sites including the Los Angeles Times, Women’s Health magazine and others were hosting ads serving malware. Malicious iframes redirected victims to the Blackhole Exploit Kit; Blackhole has since disappeared off the black market after the arrest of its alleged creator, a Russian hacker known as Paunch.
The OpenBSD Project pushed out a new build on Thursday of the OpenSSH security suite, adding a new private key format, a new transport cipher and fixing 15 bugs in the Secure Shell.
OpenSSH version 6.5 adds support for key exchange using elliptic-curve Diffie-Hellman over cryptographer Daniel Bernstein’s Curve25519. A 32-byte secret key will now be the default when both the client and server support it.
Many encryption implementations are suspect after alleged subversion of widely used algorithms by the National Security Agency. Documents disclosed by NSA whistleblower Edward Snowden indicate the NSA inserted weakened crypto algorithms into NIST standards. The most flagrant may be Dual EC DRBG, which is the crypto library used by a number of commercial products including RSA BSafe. RSA Security and NIST warned developers to move off the algorithm.
Additionally, according to the release notes, 6.5 also adds support for the elliptic-curve signature scheme Ed25519, which offers better security than the Digital Signature Algorithm (DSA) and its Elliptic Curve Digital Signature Algorithm (ECDSA) variant.
The new OpenSSH build is also set up to refuse old clients and servers that use a weaker key exchange hash calculation, including dated RSA keys from clients and servers “that use the obsolete RSA+MD5 signature scheme.”
The MD5 algorithm has been broken for so long that it is no longer a real obstacle for attackers looking to crack it. It was last famously exploited in 2012 in an attack which saw the malware Flame forge a certificate from Microsoft.
OpenSSH will refuse connection entirely with anyone using these old clients or servers in a future build, but for the meantime will allow DSA keys.
A new transport cipher based on algorithms (ChaCha20 and the Poly1305 MAC) devised by Bernstein is also present in the update. Initially committed by OpenSSH developer Damien Miller back in November to replace the disintegrating RC4, the cipher should allow for better encryption going forward.
ChaCha, a variant of the stream cipher Salsa20, has been called faster in low-level implementations and more secure than its alternatives, winning the confidence of cryptographers in the last few years.
A new private key format that uses bcrypt, a key derivation method “to better protect keys at rest,” has also been added to the latest OpenSSH.
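The features listed above translate into algorithm preference lines in an OpenSSH configuration. The following audit script is an added example (not Threatpost’s or the OpenSSH project’s code) that parses an sshd_config-style text and reports whether the Curve25519 key exchange and the ChaCha20-Poly1305 cipher are preferred and whether RC4 or the old SHA-1/group1 key exchange is still enabled. The algorithm names (`curve25519-sha256@libssh.org`, `chacha20-poly1305@openssh.com`, `arcfour*`, `diffie-hellman-group1-sha1`) are the identifiers OpenSSH uses for these algorithms; the two sample configurations are constructed for the example.

```python
"""Audit an sshd_config (or ssh_config) for the algorithm preferences OpenSSH 6.5 introduced."""
import re

# Algorithms that should come first in each preference list (OpenSSH's own names;
# assumption: the host runs OpenSSH 6.5 or newer, where these names exist).
PREFERRED = {
    "KexAlgorithms": "curve25519-sha256@libssh.org",
    "Ciphers": "chacha20-poly1305@openssh.com",
}

# Legacy algorithms the release moves away from: RC4 transport ciphers and the
# 1024-bit, SHA-1-based key exchange.
LEGACY = {
    "Ciphers": {"arcfour", "arcfour128", "arcfour256"},
    "KexAlgorithms": {"diffie-hellman-group1-sha1"},
}


def parse_config(text):
    """Return {keyword: [values]} for every 'Keyword value1,value2' line, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings[key] = [v.strip() for v in value.split(",") if v.strip()]
    return settings


def audit(text):
    """Return a list of findings; an empty list means the 6.5 algorithms are preferred."""
    findings = []
    cfg = parse_config(text)
    for key, wanted in PREFERRED.items():
        values = cfg.get(key)
        if values is None:
            findings.append(f"{key}: not set explicitly, the compiled-in default applies")
        elif values[0] != wanted:
            findings.append(f"{key}: {wanted} is not first in the preference list")
    for key, bad in LEGACY.items():
        for value in cfg.get(key, []):
            if value in bad:
                findings.append(f"{key}: legacy algorithm {value} still enabled")
    return findings


# Constructed sample: a pre-6.5 style configuration that still offers RC4.
WEAK = """\
Ciphers aes128-ctr,arcfour256,arcfour128
MACs hmac-sha1
"""

# Constructed sample: the same host after preferring the algorithms added in 6.5.
HARDENED = """\
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-256
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or ["ok"])
```

Run it against a real `/etc/ssh/sshd_config` by reading the file into `audit()`; a finding about an unset keyword is a prompt to check the compiled-in default for the installed version rather than a defect in itself.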
Developers are calling 6.5 a “feature-focused release” and urging those who use it to update as soon as they can.
Those looking for a full rundown of the fixes and further information about 6.5’s new features can check out the release notes here.
Before you think that RAM scraper malware was a phenomenon specific to the Target breach, think again. A four-month-long crime spree targeting point-of-sale systems in a number of industries has been discovered; the campaign, however, is not related to the mammoth Target break-in or other recently reported hacks at Neiman Marcus or Michaels.
The malware in question is the privately sold Chewbacca Trojan, which is a two-pronged threat that uses the Tor anonymity network to hide its communication with the attackers’ command and control infrastructure. Chewbacca not only infects point-of-sale terminals with the RAM scraping malware in order to steal payment card data before it is encrypted, but also drops keylogging software onto compromised systems.
Researchers at RSA Security discovered the criminal campaign and say they have found malware samples used in 10 countries, primarily in the United States and the Russian Federation. Will Gragido, senior manager at RSA FirstWatch, the company’s research arm, said the command and control server they intercepted has been taken offline—likely by its Ukrainian handlers rather than law enforcement—putting a halt to the campaign. Gragido said the criminals had their hands on 49,330 credit card numbers and there were 24 million transaction records on the attackers’ server.
“It’s actually a mixture of industries that have been hit: some broadband providers were impacted, retailers, supermarkets, gas stations, and other associated businesses,” Gragido said. “It’s a sloppily put-together piece of code; it’s not the most sophisticated code, but it seems effective.”
The original Chewbacca samples were found in October and reported by Kaspersky Lab’s Global Research and Analysis Team in December. While the original attack vector is not yet understood, Chewbacca’s behaviors are pretty self-evident. Chewbacca finds running processes on compromised computers, reads process memory, drops a keylogger and is able to move that information off of infected machines, said Marco Preuss, director of research for Kaspersky Lab in Europe.
The malware is a PE32 executable compiled with Free Pascal 2.7.1; its 5 MB file includes the Tor executable, which the attackers use to carry data and communications between infected POS terminals and their servers. Once executed, Chewbacca drops itself as spoolsv.exe into the victim machine’s startup folder, then launches its keylogger and stores all keystrokes in a log created by the malware, Preuss said. Spoolsv.exe is the name of the Windows Print Spooler service binary; the malware borrows it to blend in while inserting itself into the startup process and maintaining persistence.
Gragido said RSA FirstWatch had infiltrated the attackers’ original command server, which was using a Tor .onion domain for obfuscation.
“We think we caught this campaign early on,” Gragido said. “Chewbacca has not been out there very long. We’ve seen it established in a few small retailers and service providers.”
The Target breach has elevated awareness around point of sale malware, in particular RAM scrapers. Target admitted shortly before Christmas that attackers had been on its network and stolen 40 million payment card numbers from infected point of sale systems, along with the personal information of 70 million people, putting potentially 110 million at risk for identity theft and fraud.
New details emerged this week on just how burrowed into Target’s network the attackers were. Experts believe the initial compromise was a SQL injection attack that allowed the attackers access to the network. Once there, it’s apparent they took advantage of hard-coded credentials on system management software used by the retailer to set up a control server on the Target network and moved data out in batches.
“We don’t have anything from an evidentiary perspective that this is tied to Target, Neiman Marcus or Michaels,” Gragido said. “The malware is different, the attackers’ MO is different, there’s no common infrastructure or common malware. The gang behind it, we think, is a newer crop of folks with activity in Eastern Europe, but it’s hard to say.”
After years of focusing their attention on Gmail, it seems that attackers have finally gotten around to expending some effort hacking Yahoo mail accounts. Yahoo officials said Thursday that they have reset the passwords on an unspecified number of mail accounts after detecting what they call a “coordinated effort to gain unauthorized access to Yahoo Mail accounts.”
Yahoo officials said that the evidence they have right now suggests that the attackers were trying to steal information such as email addresses and names from users’ sent mail folders.
“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts,” Jay Rossiter, SVP of Platforms and Personalization Products at Yahoo wrote in a Tumblr post on the attacks.
Attackers have had a field day going after webmail systems such as Gmail and Hotmail in recent years, going back to the Aurora targeted attacks four years ago against Google and some Gmail users. There are a variety of ways that attackers have found to go after the accounts of webmail users, many of which begin with some variety of phishing attempt. Depending upon the target, attackers will send highly specific emails to a set of victims, sometimes with the lure of a malicious attachment. Other times, attackers will use fake password-reset messages as a lure, something that could complicate the measures that Yahoo is taking to clean up after this attack.
“We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account,” Rossiter said.
For some users–especially security conscious ones–those emails and texts can look exactly like the scam messages that attackers use to trick victims into clicking on a malicious link to give up their email credentials. Once an attacker has access to a victim’s main email account, he often can take over many of the victim’s other accounts, such as online banking, social media and others that typically will use email addresses as one level of authentication.
Yahoo officials did not specify which third-party company they believe was the source of the compromised information used to attack its users. There have been a number of large-scale data breaches in the last few months in which millions of email addresses and other information were compromised, including the attack on Adobe and the Target data breach.
Rossiter said Yahoo is working with law enforcement to investigate the attacks on its systems and recommended that users take typical precautions with their online accounts.
“In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks,” he said.
A serious remote code execution vulnerability was recently patched by the Wikimedia Foundation. The flaw could have put at risk any of the foundation’s sites running MediaWiki software, including Wikipedia.
Researchers within Check Point Software Technologies’ Vulnerability Research Group discovered the vulnerability on the popular web platform affecting versions 1.8 and up.
“Remote code execution could have allowed malicious use of code on our servers. That may have put user data at risk or made it possible to change our databases somehow,” said Wikimedia Foundation spokesperson Jay Walsh. “Fortunately we’re confident there were no exploits of the vulnerability.”
Walsh said Check Point sent Wikimedia details on the vulnerability and a proof of concept last week, and the foundation’s operations team had a patch deployed on its servers within 45 minutes. On Tuesday, the foundation made a patch available to users of its open source software, which hosts wikis and collaboration sites all over the Web.
“On the Foundation’s side, the patch was applied to all of the instances of MediaWiki running on our servers,” Walsh said. “That totals several hundred wikis, including the 280-plus language versions of Wikipedia, and the other Wikimedia projects.”
Check Point’s Shahar Tal, in a thread on Bugzilla, said the vulnerability enabled unrestricted command injection through an incorrectly sanitized parameter.
“We have verified this vulnerability exists with default installations as long as a certain (not common) setting is enabled, as is on Wikimedia.org,” Tal said.
Check Point said in its advisory that an attacker could have injected malware into every Wikipedia page if so desired; the same goes for any wiki site running MediaWiki software with the improper setting.
“The vulnerability discovered by Checkpoint involved possible remote code execution on the Wikimedia’s servers. A vulnerability like this may have allowed a user to maliciously execute shell commands on the Foundation’s servers,” Wikimedia’s Walsh said. “Based on the foundation’s review, there is no evidence that the vulnerability was actually exploited.”
Check Point said this is the third time in eight years remote code execution vulnerabilities have been found on the MediaWiki platform.
“This vulnerability will be highly prized by the hacker community and quickly turned into attacks that can be aimed at organizations that have yet to apply the patch or implement another form of defense,” Check Point said in its advisory.
New proof-of-concept mobile malware logs keystrokes and captures screen-grabs on jailbroken iOS and Android devices in order to steal online log-in credentials and other sensitive information from targeted devices.
In an interview with Threatpost, Trustwave senior security consultant Neal Hindocha broadly explained how his proof-of-concept works, which he will present in earnest at the RSA Conference next month.
The genesis for Hindocha’s work emerges from a simple and well-established reality: the mere fact that mobile devices are increasingly used for payment and online banking means that criminals will increasingly design tools to steal payment and other sensitive data from them.
Hindocha explained that one of the central components of widely deployed, desktop-targeting financial malware is keylogging software. In a sense, he merely wondered if keyloggers are on the precipice of becoming as much of a nuisance for mobile users as they currently are for desktop and laptop users. In order to determine this, he needed to know if he could isolate the critical aspects of banking malware and use them to target banking applications on alternative, in this case mobile, operating systems.
Hindocha explained that there are already a number of mobile keylogging utilities, particularly for Android. However, mobile keyloggers are different from Windows-specific ones in that a Windows keylogger quite simply collects every keystroke entered by the user. On the other hand, mobile application developers have the option of creating custom keyboards for their apps. Because of this, Hindocha reasoned that a dynamic mobile banking threat would need to make use of screen-grabs as well as keyloggers.
“If you know the X and Y coordinates of where the user is touching the screen and you know what they are looking at,” Hindocha said, “then basically you see everything the user is seeing and you get all the data the user is inputting.”
The risk this attack poses toward users of devices that are not jailbroken is minimal, but anyone who has rooted a jailbroken device is at risk. It’s possible that a person can be attacked, Hindocha claims, but it’s unlikely to become widespread.
“I don’t think it is viable to infect 100,000 people with this, because what you are getting out of it is X and Y coordinates of where someone touched the screen,” he said. “You can in most instances combine that with screenshots. It’s difficult to do any type of data harvesting on large amounts of data when all you’re looking at are key-strokes and touch coordinates and pictures.”
In other words, it’s more likely that this sort of malware or threat would be deployed in a highly targeted manner, seeking to pilfer information from individuals or companies.
While Hindocha initially believed that screen-grabs were an integral part of his proof-of-concept, he came to realize that he could discern all sorts of information with only the keystrokes as well. For example, he said, if no one touches the screen for an hour, and then logging software picks up between four and eight screen-touches, you can assume the user has just entered the access PIN. More than 20 touches apparently indicates that a user is typing something. Between four and fifteen may indicate a password is being entered. Peripheral touches likely indicate that the user is playing a game. A deeper examination of screen-touching patterns would likely reveal more useful information collected by the keylogger.
Again, Hindocha’s research pertains only to rooted devices. Therefore there really isn’t much that the vendors – Apple and Google – can do to mitigate this sort of attack. He did note however that Apple already has safeguards in place to prevent this from occurring. Google though, Hindocha claims, often trades security for functionality.
“The price of functionality is security in many, many cases,” Hindocha said, mirroring a widely held sentiment. “And I think that it is a difficult balance for [Google]. They want to provide a lot of functionality but at the same time they want to give you security. So I think that there are choices that they have made that have resulted in this being possible. I think they could make the choices differently and that would have a different result but there would be a cost in terms of functionality.”
The good thing about bringing this research to light, Hindocha went on, is that companies with high security requirements are aware of this sort of threat. They can implement safeguards to try and protect their data by actively seeking out vulnerable and infected machines and by detecting certain patterns regarding where network data is going.
“There are things that can be done,” he said. “I don’t think we should rely on Apple or Google to fix them.”
Hindocha also expressed concern that his proof-of-concept could be used to target special platforms, like the mobile-based point-of-sale systems that are increasingly deployed at retail locations.
To be clear, Hindocha’s attack is theoretically possible, albeit far more difficult on non-rooted Android devices. In the case of a standard operating system build, in order to pilfer screen-grabs in addition to keystrokes, the Android device would need to be plugged into a computer, where the screen-grabs would be uploaded. The attacker would then need to locate the folder containing the grabs and steal them from there.
Hindocha’s RSA presentation, in which he’ll detail the finer, technical aspects of his research, is slotted for Feb. 25 at 8 a.m.
Bug bounty programs are springing up in more and more places every day, and the latest site to join the list is GitHub. The site is offering bounties of up to $5,000 to researchers who find vulnerabilities in the main GitHub Web property or some other applications.
The program is similar to ones run by many other companies such as Facebook, Google, PayPal and others, rewarding people who report vulnerabilities directly to the company. GitHub said most bounties will fall in the $100-$5,000 range, but the reward may go higher if there are unique circumstances.
“We are excited to launch the GitHub Bug Bounty to better engage with security researchers. The idea is simple: hackers and security researchers (like you) find and report vulnerabilities through our responsible disclosure process. Then, to recognize the significant effort that these researchers often put forth when hunting down bugs, we reward them with some cold hard cash,” the company said.
“For example, if you find a reflected XSS that is only possible in Opera, which is < 2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, which accounts for > 60% of our traffic, will earn a much larger reward.”
The open bounties right now consist of the main Github.com site, the GitHub API and the Gist product. GitHub is used by individual developers and groups to share code and manage projects. The company also is offering researchers points for the vulnerabilities that they report, and is maintaining a leader board of bug finders. Like most other bug bounty programs, the GitHub system requires that researchers not disclose a vulnerability publicly before it’s been fixed. The company also asks that researchers not use automated scanners or try to get access to another user’s account as part of the program.
Attorney General Eric Holder told members of a Senate Judiciary Committee yesterday that the U.S. Justice Department is investigating the Target data breach.
Target has already brought in the Secret Service and a computer forensics company to look into the break-in, which reportedly lasted between Nov. 27 and Dec. 15, the height of the Christmas shopping season.
Holder’s confirmation comes on the same day that website Krebs on Security reported that the hackers behind the breach deeply penetrated Target’s network to set up a command server and steal credit card numbers and personal information from infected point of sale systems.
Journalist Brian Krebs said a hardcoded user name and default password associated with a malware sample matches that used by a product called Performance Assurance for Microsoft Servers from system management software maker BMC Software.
The user account associated with the user name Best1_user is installed by the product to perform routine management, and its only privilege is to run batch jobs. Experts have speculated that the attackers could have been moving the stolen data in this way to outside servers.
Target spokesperson Molly Snyder told Threatpost this morning that the company had no comment on Krebs’ report. “The criminal and forensic investigations are active and ongoing,” Snyder said.
Krebs’ report also quotes a private report Dell SecureWorks shared with its customers that includes an analysis of the malware used. Dell SecureWorks said two types of malware were used: the first is uploaded to point of sale systems and steals payment card data from memory; the second is used to exfiltrate the data to the attackers’ servers. The report confirms the attackers likely used the BMC software to move laterally on the Target network.
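The article notes that the BMC-installed Best1_user account exists only to run batch jobs, which gives a defender a narrow behavioural profile to alert on. The script below is an added example (not Dell SecureWorks’ or Krebs’ code) that reads Windows successful-logon events (Event ID 4624) rendered in a simplified key=value form, constructed here for the example, and reports any logon by a profiled service account whose logon type is not the one it is expected to use. Windows logon type 4 is “Batch”; types 2, 3 and 10 are interactive, network and remote-interactive.

```python
"""Flag logons by a vendor service account that should only ever run batch jobs."""
import re

# Account -> set of Windows logon types it legitimately uses. Per the article,
# Best1_user's only privilege is to run batch jobs, i.e. logon type 4 ("Batch").
SERVICE_ACCOUNTS = {"best1_user": {4}}

# Constructed sample: Event ID 4624 (success) and 4625 (failure) records in a
# simplified key=value rendering of the fields a SIEM would expose.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=Best1_user LogonType=4 IpAddress=10.1.2.3
EventID=4624 TargetUserName=jdoe LogonType=2 IpAddress=10.1.2.50
EventID=4624 TargetUserName=Best1_user LogonType=3 IpAddress=10.9.8.7
EventID=4625 TargetUserName=Best1_user LogonType=3 IpAddress=10.9.8.7
EventID=4624 TargetUserName=BEST1_USER LogonType=10 IpAddress=172.16.0.5
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'Key=value Key2=value2' into a dict."""
    return dict(FIELD.findall(line))


def suspicious_logons(text):
    """Return (user, logon_type, source_ip) for successful logons that break
    the account's expected logon-type profile."""
    hits = []
    for line in text.splitlines():
        event = parse_event(line)
        if event.get("EventID") != "4624":
            continue  # failures (4625) deserve their own rule; only successes matter here
        user = event.get("TargetUserName", "")
        allowed = SERVICE_ACCOUNTS.get(user.lower())  # account names are case-insensitive
        if allowed is None:
            continue
        logon_type = int(event.get("LogonType", -1))
        if logon_type not in allowed:
            hits.append((user, logon_type, event.get("IpAddress")))
    return hits


if __name__ == "__main__":
    for user, logon_type, ip in suspicious_logons(SAMPLE_EVENTS):
        print(f"ALERT {user}: logon type {logon_type} from {ip}")
```

In the constructed sample the batch logon passes, while the network logon from 10.9.8.7 and the remote-interactive logon from 172.16.0.5 are reported; the same profile can be extended with the hosts the account is expected to originate from.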
The report also goes into detail about the memory-scraping malware used to grab card data from point of sale systems before it is encrypted and sent to a payment processor. There are similarities, Dell SecureWorks said, to the BlackPOS malware which is being sold underground by a criminal who goes by the handle ree4. Similar strings in BlackPOS and the Target malware samples suggest a link, but the report says that is not likely.
“A more likely scenario is that the threat actors responsible for the Target breach possess the original memory monitor source code and used it as a foundation for their custom malware,” the report said.
RAM-scraper malware goes back a half-dozen years and experts said it has been a plague in the retail and hospitality industries, which often run point-of-sale systems on woefully unpatched Windows software. The Target hackers, Krebs reported, citing sources at Malcovery, likely broke into the corporate network via SQL injection attacks. When reports first emerged that memory-parsing malware was part of the Target attack, experts told Threatpost that the hackers would have needed access to the Target network for some time in order to install malware on the POS terminals.
“The Target breach is so huge, either the attackers used some kind of bulk method like access to Target’s servers or somewhere else where the credit card data is being stored, or they had broad access to a large number of their point of sale terminals for an ongoing basis,” said Nate Lawson of Root Labs.
The Target breach grew quickly from 40 million credit and debit card numbers to also include personal information on as many as another 70 million, potentially putting 110 million at risk for identity theft and fraud.
“In the case of an organization like Target, you’re looking at an extremely complex environment with hundreds of thousands of employees, systems, sites, and vendors; every aspect represents some level of risk,” said Rapid7 global security strategist Trey Ford. “The problem is that it’s impossible to make every one of those elements bulletproof and traditional incident detection systems aren’t looking for deceptive activity. Attackers left undetected for a sufficient amount of time can do just about anything they want.”
There are two vulnerabilities in some of Oracle’s older database packages that allow an attacker to access a remote server without a password and even view the server’s filesystem and dump arbitrary files. Oracle has not released a patch for one of the flaws, even though it was reported by a researcher more than two years ago, and the researcher said the potential attack scenarios are frightening.
The first vulnerability, which affects Oracle Forms and Reports 10g and 11g–and perhaps older versions, as well–allows an attacker to dump the list of database passwords without authenticating. The researcher who discovered the bugs, Dana Taylor, reported the issue to Oracle in April 2011, but the company’s security response team told her they didn’t consider it an actual vulnerability but just a configuration error.
“They made the claim it was simply a configuration error? I was absolutely shocked by their reply. They basically forgot about the first vulnerability and then came along a second vulnerability I discovered and reported to them in October 2011,” Taylor wrote in her rundown of the interactions with Oracle regarding these vulnerabilities.
The second bug she found was even more worrisome. Beyond allowing her to grab the list of database passwords, the second flaw also gave her the ability to view the server’s file system from an unauthenticated browser, dump any file that the Oracle account can access and take other unintended actions on the server and network. Taylor sent the new details to Oracle in October 2011, and also refreshed their memory on the original bug she’d reported. She asked whether the company still thought this was just a configuration problem rather than a vulnerability and said that she was considering publicly disclosing the issues, as Oracle didn’t consider them vulnerabilities. This time, she got an immediate response.
“As you requested, we have reviewed your original report and had additional discussions with our development group. We have concluded that this issue does in fact constitute a vulnerability,” Oracle said in an email to Taylor.
The company said it was tracking both of her reported issues as vulnerabilities and sent Taylor monthly status updates up until it released its patch, which Taylor says didn’t actually fix the vulnerability. In an email interview, Taylor said that she has no doubt Oracle only chose to acknowledge these issues as bugs because she had mentioned the possibility of disclosing.
“Yes, absolutely. When I reported the parsequery vulnerability they said it wasn’t a vulnerability but a configuration error. So I told them okay, then I am going to publish this. They came back the same day and stated that in fact, it is a vulnerability and gave me a tracking number. From what I can tell they didn’t actually fix this vulnerability but obfuscated it by instructing customers to disable “diagnostic output”. I have tested this on their latest release of Weblogic/Oracle Reports 11g. The vulnerability still exists. Some customers may not be able to disable diagnostic output for one reason or another and could still be vulnerable. And to clarify, this didn’t just affect 11g but 9i to 11g,” Taylor said.
Oracle eventually released a patch for version 11.x, but only workarounds for older versions, suggesting that customers upgrade to newer versions in order to protect themselves. In the meantime, Taylor had shared the details privately with some other security folks, and the team at the University of Texas found a method for using the vulnerability to plant files on a vulnerable server. But that’s only one portion of what an attacker could do with these flaws, Taylor said. After publishing some details of the bugs, Taylor said that someone else sent her a video that shows an attack using Shodan to find vulnerable servers and retrieve passwords.
Also, the folks at Metasploit are working on remote code execution exploits for these vulnerabilities right now.
“The author of the exploit and video above was brilliant but it put me into a state of shock to see the real impact of these vulnerabilities on such a massive scale. I did NOT want to release these exploits and was under great distress in even thinking about it. I felt I had no choice, however. So seeing this video didn’t put a smile on my face but made me aware of how devastating these vulnerabilities actually are,” Taylor said.
“Oracle servers often have ssh keys that allow sharing of data between other trusted Oracle servers and require no password. So, if you break into one Oracle server on a network you are likely able to break into numerous others. For Windows servers exploiting ‘pass the hash attacks’ are being discussed. Another thing that is frightening is that once you gain a remote shell on an Oracle server you can use sqlplus.sh /nolog to gain sysdba privileges to the database.”
Taylor said that because the vulnerabilities were given a low priority by Oracle, even the workarounds that the company released for older versions of vulnerable products likely won’t be implemented quickly. That means a large potential target base for attackers.
“To be honest, there are so many things you can do with this it is hard to come up with a complete list. If there is a remote code execution vulnerability then that means it could be wormable. The first Oracle Botnet might be born. I used to chase botnets years ago and know this could be possible,” Taylor said.
Other researchers say that this chain of events isn’t surprising.
“I’ve not tested these yet but I trust that the researcher is correct. Given that, I’d rate these as critical; fortunately for Oracle though most Reports servers are not exposed to the Internet and the threat would be internal. That provides little comfort to those that are exposed however,” said security researcher David Litchfield, who has spent more than a decade doing research on Oracle security.
“That Oracle has not given these flaws the attention they are due is not atypical. They still approach security wearing “common criteria” t-shirts and hats. They need to adapt to the realities of the Internet in 2014 – protection profiles that they wrote (and assumes the existence of a “non-hostile network”) are not and have never been realistic.”
Traps are constantly set on the Internet to snare hackers in order to research their behavior and tactics. Many of these traps are honeypots or honeynets that take the form of deliberately unpatched computers or infrastructure exposed to the Internet that lure attackers to break in while their actions are recorded.
In very few instances are decoys built into security processes. However, two experts are in the research phase of building a tool that they say will do just that.
The project is called Honey Encryption and it will be formally rolled out at the Eurocrypt conference in Copenhagen this spring by former RSA Security chief scientist Ari Juels and Thomas Ristenpart of the University of Wisconsin. The concept involves pulling a bit of deceit against an attacker who has stolen some set of data encrypted with Honey Encryption. The tool produces a ciphertext, which, when decrypted with an incorrect key as guessed by the attacker, presents a plausible-looking yet incorrect plaintext password or encryption key.
With traditional encryption, an attacker making an incorrect guess gets gibberish in return to their request. “With Honey Encryption,” Juels told Threatpost, “he gets something that looks like real context.” An attacker would have no way of knowing which plausible-looking value is the correct one.
Juels said the initial motivation behind the project was the security of password vaults. Services such as LastPass, which was breached in 2011, enable users to secure a number of passwords with a master; synchronization of these services is often done in the cloud. If one of these providers is breached, an attacker can crack the master password associated with any vault and extract all of their passwords.
“We had the idea of exploring the possibility of encrypting a vault in such a way where if it were decrypted using the wrong master password, it would decrypt to something that looks plausible,” Juels said.
The trick is to build the capability into Honey Encryption to understand the appropriate structure of the messages an encryption system would try to recover.
“With credit card numbers, we understand them well. For all intents and purposes, they look like a uniformly random number,” Juels said. “You can construct a tight model for that. With a vault, for example, that’s trickier. You need to model how passwords are selected and stored for the particular vault.
“You need a good understanding of message-specific construction; encryption keys and credit card numbers are different than password vaults,” Juels said. “If you use ordinary encryption, it’s agnostic to the distribution of messages. You need to know what it means for a message to be plausible and application dependent.”
Luckily, research exists on password selection, and researchers can also learn from breaches such as the 2009 break-in at game developer RockYou, where 32 million cleartext passwords were stolen. That kind of sample gives researchers a fairly accurate understanding of how users compose the secrets they use as passwords, including how often words or phrases are re-used or appended according to a particular account.
“The model doesn’t have to be perfect to be good,” Juels said. “If just half of the decryption attempts yield something plausible, you still achieve the desired bafflement of the attacker.”
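The scheme Juels describes above, in toy form: a distribution-transforming encoder maps each password to a block of "seeds" sized by its probability, the seed is masked with a key-derived pad, and decrypting with any key lands on a valid password, so a wrong guess returns a decoy drawn from the model instead of gibberish. This is an added illustration written for this page, not code from the Juels/Ristenpart paper or any product; the five-entry password model and its weights, the 100-seed space, and the SHA-256 pad (standing in for a proper password-based key derivation) are all assumptions. A conventional authenticated scheme is included for contrast, since its tag check is exactly what tells a brute-forcer that a guess was wrong.

```python
"""Toy honey encryption over a small password model (added illustration)."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed message model: (password, weight out of 100). The weights are
# hypothetical stand-ins for frequencies a real model would learn from leaks.
PASSWORD_MODEL = [
    ("123456", 30),
    ("password", 25),
    ("qwerty", 20),
    ("letmein", 15),
    ("dragon", 10),
]
SEED_SPACE = sum(weight for _, weight in PASSWORD_MODEL)  # 100 seeds in total

# Distribution-transforming encoder (DTE): each password owns a block of
# seeds whose size is proportional to its modelled probability.
_RANGES = {}
_next = 0
for _pw, _weight in PASSWORD_MODEL:
    _RANGES[_pw] = (_next, _weight)
    _next += _weight


def dte_encode(password: str) -> int:
    """Pick a uniformly random seed inside the block assigned to `password`."""
    start, weight = _RANGES[password]
    return start + secrets.randbelow(weight)


def dte_decode(seed: int) -> str:
    """Every seed in [0, SEED_SPACE) maps to some valid password."""
    for password, (start, weight) in _RANGES.items():
        if start <= seed < start + weight:
            return password
    raise ValueError("seed outside the model's seed space")


def _pad(key: bytes) -> int:
    """Key-derived pad in [0, SEED_SPACE); the modulo bias is negligible here."""
    digest = hashlib.sha256(b"honey-pad|" + key).digest()
    return int.from_bytes(digest, "big") % SEED_SPACE


def honey_encrypt(key: bytes, password: str) -> int:
    """Ciphertext = (seed + pad) mod SEED_SPACE. No integrity tag, on purpose:
    a tag would let a guesser tell right keys from wrong ones."""
    return (dte_encode(password) + _pad(key)) % SEED_SPACE


def honey_decrypt(key: bytes, ciphertext: int) -> str:
    """Never fails. A wrong key yields a uniformly random seed, so the decoy
    is drawn from the model's own distribution and looks like a real choice."""
    return dte_decode((ciphertext - _pad(key)) % SEED_SPACE)


def decoy_histogram(ciphertext: int, trials: int = 1000) -> Counter:
    """What a brute-forcer sees: decoys counted over `trials` random keys."""
    return Counter(honey_decrypt(secrets.token_bytes(16), ciphertext)
                   for _ in range(trials))


# Contrast: a conventional authenticated scheme rejects a wrong key outright,
# which confirms to the attacker that the guess was wrong.
def conventional_encrypt(key: bytes, password: str) -> bytes:
    data = password.encode()
    assert len(data) <= 32, "toy pad is only 32 bytes long"
    pad = hashlib.sha256(b"conv-pad|" + key).digest()[:len(data)]
    body = bytes(a ^ b for a, b in zip(data, pad))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def conventional_decrypt(key: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # wrong key is detectable: explicit failure instead of a decoy
    pad = hashlib.sha256(b"conv-pad|" + key).digest()[:len(body)]
    return bytes(a ^ b for a, b in zip(body, pad)).decode()


if __name__ == "__main__":
    real_key = b"correct horse"
    ct = honey_encrypt(real_key, "letmein")
    print("right key ->", honey_decrypt(real_key, ct))
    print("wrong key ->", honey_decrypt(b"guess", ct))
    print("decoys over 1000 wrong keys:", dict(decoy_histogram(ct)))
    blob = conventional_encrypt(real_key, "letmein")
    print("conventional, wrong key ->", conventional_decrypt(b"guess", blob))
```

Running the histogram shows the point Juels makes about model quality: the decoys come back roughly in the model's proportions, so the better the model tracks how people actually pick passwords, the less a wrong guess stands out. The seed space here is tiny only to keep the example readable; the same construction works with a seed space of hundreds of bits.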
Some USB modems can be leveraged to send malicious SMS messages and even carry out spear-phishing attacks – sometimes in conjunction with each other – thanks to a cross-site request forgery vulnerability present in the device’s web interfaces.
According to Swedish security researcher Andreas Lindh, who wrote about his findings on 3VILDATA, an information security blog he shares with a fellow Swede, the problem is present in 3G and 4G modems that plug into machines and connect to the Internet through a built-in SIM card.
Lindh claims he hasn’t had time to notify the vendor yet, so he has held off on naming the specific USB modem used in his exploit, but does claim it’s a “high-end one” that is “quite expensive” and “mostly used by corporate customers.”
The web interface of the USB modem in question allows for configuration. Lindh notes that he can set a PIN, change it, enable it, re-enable it, add a profile, etc. The CSRF vulnerability he found also grants him the ability to send text messages through the modem, using its Web interface, to any phone number. This is done by getting the user to visit a website under his control, whose URL he can easily obfuscate.
The vulnerability lets Lindh edit the HTTP POST request method without having to worry about bypassing authentication because there isn’t any–the functionality doesn’t exist.
In the code Lindh posted, the International Mobile Subscriber Identity (IMSI) – or phone number – is blacked out but the msg_content parameter, the function Lindh realized he could supply with text message content and send to users, can be seen:
Lindh also realized that he could employ the same exploit in a phishing attack.
Using a data URI scheme, Lindh was able to put together a fake Facebook login site. Data URI schemes, supported on most browsers (Chrome, Firefox, Safari, etc.), basically give web developers a way to create the illusion of a legitimate web site; the site data is displayed inline as if it’s coming from external sources, but it’s not. Lindh’s scheme has all of its HTML loaded into the address bar – in this case the fake Facebook mockup – and doesn’t have to rely on being attached to a domain or hosted on a server.
Lindh then rigged a way for the fake site to steal user credentials from the log-in form fields after they’re entered and have that information passed along to him in a text message.
To test his exploit he obscured the fake Facebook site’s long URL with TinyURL and sent it along to a dummy email account. From there, after clicking through and logging in, the login information was sent to his phone via the modem SMS vulnerability.
Lindh notes in the blogpost that it’s an “attack completely without infrastructure requirements; no web server to host the spoofed website, no server to post the stolen credentials to,” writing that all that’s needed is an “email address or some other way to distribute the URL, and a pre-paid phone to receive the text messages.”
Lindh acknowledges to get the trick to really work, it’d have to be a highly targeted attack but insists it may not be “as unlikely as it may seem at first.”
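The root cause Lindh describes is an SMS endpoint that checks nothing about who submitted the form, so a page on any other site, including one served from a data: URI, can submit it through the victim's browser. The following is an added example written for this page, not the modem's firmware and not Lindh's proof of concept: a request handler in the vulnerable shape beside a hardened one that requires a login session, a same-origin check and a per-session synchronizer token. Only the msg_content parameter name comes from the write-up; the route, the cookie and header names, TRUSTED_ORIGIN, the SESSIONS table and the sample requests are assumptions.

```python
"""Unauthenticated SMS endpoint beside a hardened version (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

TRUSTED_ORIGIN = "http://192.168.1.1"          # assumed LAN address of the modem UI
SESSIONS = {"s3ss10n": secrets.token_hex(16)}   # assumed store: cookie -> CSRF token


@dataclass
class Request:
    """Minimal stand-in for an HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def vulnerable_send_sms(req: Request):
    """Before: any POST carrying a number and msg_content is accepted. A page
    on another site can auto-submit such a form through the victim's browser."""
    if req.method != "POST" or req.path != "/api/sms/send":
        return 404, "not found"
    return 200, f"sent to {req.form['number']}: {req.form['msg_content']}"


def hardened_send_sms(req: Request):
    """After: a logged-in session, a same-origin check and a per-session
    synchronizer token that a cross-site page cannot read."""
    if req.method != "POST" or req.path != "/api/sms/send":
        return 404, "not found"
    expected_token = SESSIONS.get(req.cookies.get("session", ""))
    if expected_token is None:
        return 401, "login required"
    # Browsers send Origin on cross-site POSTs; a form submitted from a
    # data: URI document arrives with Origin "null", which fails this check too.
    origin = urlparse(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if f"{origin.scheme}://{origin.netloc}" != TRUSTED_ORIGIN:
        return 403, "cross-origin request refused"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected_token):
        return 403, "missing or wrong CSRF token"
    return 200, f"sent to {req.form['number']}: {req.form['msg_content']}"


# Constructed sample requests (the phone number is a fictional 555 one).
FORM = {"number": "+15550100", "msg_content": "constructed message"}
FORGED = Request("POST", "/api/sms/send",
                 headers={"Origin": "http://attacker.example"},
                 form=dict(FORM), cookies={"session": "s3ss10n"})
FROM_DATA_URI = Request("POST", "/api/sms/send",
                        headers={"Origin": "null"},
                        form=dict(FORM), cookies={"session": "s3ss10n"})
LEGIT = Request("POST", "/api/sms/send",
                headers={"Origin": TRUSTED_ORIGIN},
                form={**FORM, "csrf_token": SESSIONS["s3ss10n"]},
                cookies={"session": "s3ss10n"})
NO_SESSION = Request("POST", "/api/sms/send",
                     headers={"Origin": TRUSTED_ORIGIN}, form=dict(FORM))


def compare():
    """Status codes from both handlers for each sample request."""
    samples = [("forged", FORGED), ("from_data_uri", FROM_DATA_URI),
               ("legit", LEGIT), ("no_session", NO_SESSION)]
    return {name: (vulnerable_send_sms(r)[0], hardened_send_sms(r)[0])
            for name, r in samples}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:14s} vulnerable={before} hardened={after}")
```

The vulnerable handler returns 200 for every sample, including the forged one and the one submitted from a data: URI page, while the hardened handler accepts only the request that carries a valid session, a trusted Origin and the matching token. On a device like this, marking the session cookie SameSite would add a further layer, but the token and origin checks are what close the hole independent of browser support.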
Aleksandr Andreevich Panin, one of the alleged masterminds behind the notorious SpyEye banking trojan, pleaded guilty in an Atlanta courtroom yesterday to conspiracy charges relating to the development and distribution of the malware.
Panin pleaded guilty to conspiring to commit wire and bank fraud. He will be sentenced April 29, 2014, before United States District Judge Amy Totenberg.
Second only to the infamous and related Zeus banking trojan, SpyEye is among the most prominent pieces of financial malware to emerge in recent years. It essentially gives attackers the ability to steal online banking credentials from victims’ machines, which criminals can in turn use to transfer money out of those accounts. Certain versions of SpyEye are said to be capable of bypassing two-factor authentication mechanisms. According to the FBI, the SpyEye trojan has facilitated the infection of more than 1.4 million computers and the compromise of more than 10,000 online bank accounts, mostly located in the United States.
“As several recent and widely reported data breaches have shown, cyber attacks pose a critical threat to our nation’s economic security,” said United States Attorney Sally Quillian Yates. “Today’s plea is a great leap forward in our campaign against those attacks.”
“Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned—you cannot hide in the shadows of the Internet. We will find you and bring you to justice.”
Panin – also known by the pseudonyms ‘Gribodemon’ and ‘Harderman’ – is not the first man arrested in connection with the SpyEye trojan. In the summer of 2012, three Baltic men were arrested and charged with violating the United Kingdom’s computer misuse act after allegedly using the malicious software program to steal online banking credentials. In the spring of 2013, an alleged co-conspirator of Panin’s, Hamza Bendelladj of Algeria, was arrested in Thailand and extradited to the United States where he had been indicted in late 2011, and faced more than 30 counts related to botnet operation and bank fraud.
The FBI managed to catch Panin after conducting an investigation with international law enforcement and private sector partners, culminating in a search warrant that led to the seizure of a key SpyEye server. The FBI described this server as “very incriminating” because it “contained the full suite of features designed to steal confidential financial information, make fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (or DDoS) attacks from computers infected with malware.”
Several months after that, the FBI compelled the suspect to sell his wares to an undercover FBI agent. The suspect was arrested while flying through Hartsfield-Jackson Atlanta International Airport.
The FBI claims that Panin and others conspired to develop various versions of the SpyEye trojan, which they would then advertise for sale in online criminal forums. Panin is said to have sold various versions of the SpyEye malware for anywhere between $1,500 and $8,500 to more than 150 customers. The exact amount of money stolen by the SpyEye trojan and the total profit earned by Panin are not known, though one of Panin’s clients, “Soldier,” is reported to have made over $3.2 million in a six-month period using the SpyEye virus.
Threatpost reached out to the FBI’s Atlanta media contact, but a request for comment was not returned by the time of publication.
It seems the exaggerated volume of bad traffic used in politically motivated DDoS attacks last year was not an isolated phenomenon.
Distributed denial-of-service attacks that congest Internet connectivity and disrupt online services topped unprecedented levels in 2013, shoving aside stealthier attacks against the application layer preferred by hackers in previous years.
“It seems that attackers are trying to achieve a goal, be it to impact service availability or as part of a much broader attack campaign, distract from financial fraud and theft,” said Arbor Networks solutions architect Darren Anstee. “They’ve gone back to volumetric attacks because they are aware that better defenses are in place and this is a way to get around those.”
Arbor released its Worldwide Infrastructure Security Report this week and regardless of whether respondents were in service provider or enterprise environments, DDoS attacks were the No. 1 operational threat to these organizations.
While it’s generally accepted that a 20 Gbps attack is enough to overrun a website or a Web-based service, a substantial number of attacks were more than 100 Gbps, topping out at 309 Gbps in an attack against spam blacklist provider Spamhaus.
“Far more respondents are telling us about larger attacks than 100 Gbps than in 2011 and 2012,” Anstee said. “We saw others at 191, 152 and 130 Gbps.”
Attacks such as the Spamhaus takedown are outliers, to be sure, with three times the traffic used in the multiple attacks against Bank of America, PNC, Wells Fargo and other large American financial institutions, allegedly by the al-Qassam Cyber Fighters. Spikes in the Spamhaus DDoS attack reached 309 Gbps as attackers took advantage of open DNS resolvers to amplify attacks against the Swiss volunteer organization.
The availability of open DNS resolvers gave the Spamhaus attackers the ability to spoof Spamhaus IP addresses to send the site massive volumes of DNS requests; there was collateral damage in those attacks as well, impacting online streaming media services such as Netflix.
“Spamhaus made people aware of the threat of reflection amplification attacks. It does appear attackers have learned to leverage the infrastructure available on the Internet to help them in attacks,” Anstee said.
Within the last month, NTP amplification attacks have been used to take down sites as well, causing US-CERT to issue an advisory warning enterprises and service providers of the risk. Attackers are taking advantage of a weakness in NTP servers that allows an administrator to query for the IP addresses of the last 600 machines that interacted with the server. By sending a GETLIST command to an NTP server with a spoofed source address belonging to the victim, an attacker can overrun that IP with unsolicited traffic in no time.
Arbor’s report indicates that few companies have security staff dedicated to infrastructure such as DNS and locking down those and related services. Coupled with the availability of open DNS resolvers, that presents a problem for high-value targets.
“If you’ve got open DNS resolvers you can use and if you’ve got a botnet that can generate a good volume of traffic and point it at a list of open DNS resolvers, you can use those resolvers to amplify the capabilities you have for your botnet,” Anstee said, adding that attackers can get a 30x improvement with amplification in some cases. “Unfortunately, it’s not that hard; the know-how is available.”
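From the defender's side, the DNS and NTP reflection Anstee describes has a recognisable shape at the victim's edge: many distinct sources, all answering from the abused service port, sending unusually large UDP packets at one destination. The following detection logic is an added example written for this page, not Arbor's product or anything from its report. It runs over a constructed list of NetFlow-style records; the service ports are the real DNS and NTP ports, but every threshold is an assumption to be tuned against local baselines, and the records see only the reflected responses, since the spoofed requests never pass the victim.

```python
"""Flag reflection/amplification floods in flow records (added example)."""
from collections import defaultdict

AMP_SERVICES = {53: "DNS", 123: "NTP"}   # UDP source ports abused as reflectors
MIN_REFLECTORS = 5         # distinct reflecting sources aimed at one destination (assumed)
MIN_AVG_PACKET = 400       # bytes; ordinary DNS/NTP replies are far smaller (assumed)
MIN_TOTAL_BYTES = 100_000  # per destination and service within the window (assumed)


def find_amplification_victims(flows):
    """Group UDP flows from reflector ports by (destination, service) and flag
    those fed by many sources with large packets and a large total volume.
    Returns {victim_ip: [finding, ...]}."""
    agg = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, packets, nbytes in flows:
        if proto != "udp" or sport not in AMP_SERVICES:
            continue
        entry = agg[(dst, AMP_SERVICES[sport])]
        entry["reflectors"].add(src)
        entry["packets"] += packets
        entry["bytes"] += nbytes
    findings = {}
    for (victim, service), entry in agg.items():
        avg = entry["bytes"] / entry["packets"]
        if (len(entry["reflectors"]) >= MIN_REFLECTORS
                and avg >= MIN_AVG_PACKET
                and entry["bytes"] >= MIN_TOTAL_BYTES):
            findings.setdefault(victim, []).append({
                "service": service,
                "reflectors": len(entry["reflectors"]),
                "avg_packet_bytes": round(avg),
                "total_bytes": entry["bytes"],
            })
    return findings


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # Ordinary recursive DNS answers to three internal clients
    ("10.0.0.53", 53, "10.0.1.10", 51234, "udp", 1, 120),
    ("10.0.0.53", 53, "10.0.1.11", 51235, "udp", 1, 98),
    ("10.0.0.53", 53, "10.0.1.12", 51236, "udp", 1, 130),
    # Ordinary NTP sync, and one large DNSSEC answer from a single source
    ("10.0.0.123", 123, "10.0.1.10", 123, "udp", 1, 76),
    ("198.51.100.99", 53, "10.0.1.12", 51240, "udp", 1, 1800),
    # A zone transfer is TCP and is ignored regardless of its size
    ("10.0.0.53", 53, "10.0.1.13", 40001, "tcp", 900, 1_200_000),
]
# Reflected DNS answers from eight open resolvers converging on 203.0.113.7
SAMPLE_FLOWS += [(f"198.51.100.{i}", 53, "203.0.113.7", 80, "udp", 40, 120_000)
                 for i in range(1, 9)]
# Reflected NTP replies from six servers aimed at the same victim
SAMPLE_FLOWS += [(f"192.0.2.{i}", 123, "203.0.113.7", 80, "udp", 100, 44_000)
                 for i in range(1, 7)]


if __name__ == "__main__":
    for victim, hits in find_amplification_victims(SAMPLE_FLOWS).items():
        for hit in hits:
            print(victim, hit)
```

The benign records are there to show the edge cases: a single oversized DNSSEC answer and a TCP zone transfer are both large but come from one source or the wrong protocol, so neither trips the rule, while the two reflected floods against 203.0.113.7 are flagged separately for DNS and NTP. The same grouping works on live NetFlow or sFlow exports once the records are mapped into the tuple shape used here.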
Survey respondents said their top concern for 2014 is DDoS attacks against infrastructure, given the ease with which amplification attacks have been carried out. Volumetric attacks that consume bandwidth are a top attack vector, along with TCP state-exhaustion attacks that consume connection state tables in load balancers, firewalls and application servers, and application-layer attacks that target aspects of applications or services. A good number of those attacks are even conducted against HTTPS websites and services.
“Well-formed attacks that targeted encrypted Web services were much higher than expected,” Anstee said. Such attacks, like those carried out in Operation Ababil by the al-Qassam Cyber Fighters, require a bit of reconnaissance by the attacker, who must first determine which files, such as log-in forms or PDFs of annual reports and investment details, are available on an open page. The attacker then sends GET requests for that file over and over, putting a load on the server until it is overrun.
“They are carrying out a normal operation over an encrypted connection,” Anstee said, adding such attacks are difficult to detect. “You don’t see bots doing much of that.”
In a hearing before the Senate Intelligence Committee to discuss the public portions of a new national security threat assessment, top intelligence and law enforcement officials said that attacks against financial networks and the critical infrastructure are major threats to the United States’ security. But those threats, as serious as they may be, were not the ones that many of the committee members wanted to discuss. Instead, they were mainly interested in talking about Edward Snowden and the damage his disclosures may have caused to the country and its intelligence-gathering and security capabilities.
The committee, which ostensibly was there to discuss the intelligence community’s latest threat assessment, spent much of the hearing discussing Snowden’s disclosures, the need–or lack thereof–for intelligence reform and whether the leaks of the documents he stole have harmed the country’s security. James Clapper, the director of national intelligence, and Lt. Gen. Michael Flynn, director of the Defense Intelligence Agency, both asserted that Snowden’s leaks have caused serious damage to U.S. security and placed the lives of soldiers and intelligence officers in danger.
Clapper, who has come under fire for his statements to Congress about the NSA’s collection of intelligence on Americans, called Snowden’s actions “the most massive and most damaging theft of intelligence information in our history” and said that the disclosures have caused “profound damage”.
“As a result, we’ve lost critical intelligence sources,” Clapper said during the hearing Wednesday morning. “The intelligence community is going to have less capacity to protect our nation.”
Flynn echoed those sentiments, saying in response to a question that Snowden’s leaks have had serious consequences that may not be felt for years to come.
“This has caused grave damage to our national security,” Flynn said. The true cost, he added, will likely come in the form of “human lives on tomorrow’s battlefields.”
The questions and statements about Snowden’s actions overshadowed some other issues that were raised during the hearing. Sen. Ron Wyden (D-Ore.), a frequent vocal critic of the NSA’s collection programs, used his time toward the beginning of the hearing to ask several pointed questions about domestic surveillance. Specifically, he questioned CIA Director John Brennan about the agency’s activities in the U.S.
“Does the Computer Fraud and Abuse Act apply to the CIA?” Wyden asked, referring to the main U.S. statute that applies to computer crimes.
Brennan said he wasn’t sure and would have to check and get back to Wyden later with an answer. The CIA, like the NSA, is chartered to conduct foreign intelligence operations, not domestic surveillance.
Responding to another question from Sen. Mark Udall (D-NM), who also has been outspoken in his criticism of intelligence methods, about whether the CIA conducts domestic surveillance, Brennan said that the agency follows the law.
The newly published threat assessment from the intelligence community focuses quite a bit of attention on information security issues, especially attacks on financial systems and cyber espionage operations. The report stresses that online crime and intellectual property theft through cyber espionage operations represent serious threats to U.S. security and economic viability.
“Internationally, China also seeks to revise the multi-stakeholder model Internet governance while continuing its expansive worldwide program of network exploitation and intellectual property theft. Iran and North Korea are unpredictable actors in the international arena. Their development of cyber espionage or attack capabilities might be used in an attempt to either provoke or destabilize the United States or its partners. Terrorist organizations have expressed interest in developing offensive cyber capabilities. They continue to use cyberspace for propaganda and influence operations, financial activities, and personnel recruitment,” the report says.
The threat assessment, which also includes discussion of the major physical threats to the U.S., doesn’t go into much in the way of specifics, but says that attacks on critical infrastructure networks represent a serious threat.
“Critical infrastructure, particularly the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used in water management, oil and gas pipelines, electrical power distribution, and mass transit, provides an enticing target to malicious actors. Although newer architectures provide flexibility, functionality, and resilience, large segments of legacy architecture remain vulnerable to attack, which might cause significant economic or human impact,” the report says.
Photo from Flickr images of John D. Rockefeller.
The Israeli researchers who last week discovered a VPN bypass bug in Android’s Jelly Bean 4.3 build have done some further testing and said the vulnerability also affects Android’s most recent variety of the operating system, KitKat 4.4.
Like the Jelly Bean bypass bug, this vulnerability allows a malicious app to bypass a VPN configuration to redirect traffic to another network address.
Since KitKat has a modified security implementation the researchers were unable to use the same vulnerability code as they used for Jelly Bean, but were able to find one that worked. The vulnerability relies on getting a malicious app to bypass VPN configuration without needing root permission, to “redirect secure communications to a different network address.”
Dudu Mimran, the CTO of Cyber Security Labs, a division of Ben Gurion University in Be-er Sheva, Israel, initially discussed the Jelly Bean bug last week in a disclosure report.
Just like with that vulnerability, Mimran reports that the communications that pass through the VPN configuration on KitKat are sent in clear text and without encryption, unbeknownst to the user.
The researchers have outlined their exploit in a video, first pointing out the build (4.4.2 in this case) before going on to trigger the exploit, connecting to the VPN and demonstrating how to collect sensitive SMTP information via a packet capturing tool.
According to the researchers, the way the KitKat vulnerability works borrows a bit from another vulnerability they found last year in Samsung’s Knox security platform. That vulnerability allowed an attacker to intercept communication between Knox and the outside files on Samsung S4 devices, and in turn, bypass Knox.
Samsung and Google dismissed Ben Gurion and Cyber Security Labs’ Knox findings earlier this month claiming the exploit “uses Android network functions in an unintended way” and that the research presented was not a bug or flaw, but a classic man in the middle (MitM) attack. In a public response penned by the two firms, it was stressed that “Android provides built-in VPN and support for third-party VPN solutions to protect data” and that using either of them would “have prevented an attack based on a user-installed local application.” Cyber Security Labs countered Google and Samsung’s opinions with their own response last week.
So far the group has reported both VPN issues to Google via its vulnerability reporting tools but has yet to hear anything other than that the company is still looking into it. Given Google and Samsung’s response to the group’s Knox discovery, it should be interesting to see what they have to say once the dust settles.
Cyber Security Labs has clarified in the past that it follows what it calls a “Responsible Full Disclosure Policy.” In situations like these it notifies the public of each issue it finds, without disclosing critical details that could let someone recreate the attack, and updates its blog with the company’s input throughout.
Java-related security issues have remained relatively quiet during the past few months, especially after a rocky start to 2013 seemingly had one Java flaw after another in the news.
Things might be starting to ramp up again with the discovery of a cross-platform Java-based botnet.
Researchers at Kaspersky Lab’s Global Research and Analysis Team reported today their analysis of HEUR:Backdoor.Java.Agent.a, a malicious Java application that infects machines for the purpose of building a DDoS botnet.
The botnet communicates over IRC and can carry out distributed denial of service attacks using either HTTP or UDP flood attacks.
Researcher Anton Ivanov said today that the malicious Java application is capable of running on Windows, Linux and Mac OS X machines, and that the malware exploits a patched Java vulnerability, CVE-2013-2465.
The vulnerability is found in Java 7 u21 and earlier, as well as on different versions of Java 6 and 5. An exploit could allow an attacker to remotely run code on compromised machines through a bypass of the Java sandbox leading to disruption of service and information disclosure. The bug was patched as part of Oracle’s June 2013 Critical Patch Update.
Ivanov said one of the more notable features of the bot sample he analyzed was its use of the PircBot open framework for communication over IRC.
“The malware includes all the [Java] classes needed for the purpose,” Ivanov said. PircBot is a Java-based framework used to write IRC bots.
A passage on the Jibble website which hosts PircBot says: “PircBot allows you to perform a variety of fun tasks on IRC, but it is also used for more serious applications by the US Navy, the US Air Force, the CIA (unconfirmed), several national defence agencies, and inside the Azureus bittorrent client. But don’t let that put you off – it’s still easy to use!”
Once the bot infects a machine and launches, it copies itself into the autostart directories for the various platforms it supports, giving it persistence at startup for each. It then establishes a backdoor connection to the attackers and generates a unique identifier for each machine it compromises. Ivanov said it then connects to an IRC server and joins a channel that is predefined in the bot, awaiting commands.
The attacker uses this channel to specify not only whether it should use an HTTP or UDP flood attack, but also specifies a number of parameters for an attack, including the target’s IP address, port number over which the attack is carried out, attack duration, and how many threads are to be used in the attack, Ivanov said.
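The persistence step Ivanov describes, copying the bot into each platform's autostart directory, is also where a defender can look for it. The following scanner is an added example written for this page, not Kaspersky's tooling and not tied to this specific sample: it walks the standard per-user startup folders on Linux, macOS and Windows and reports any .jar placed there directly, plus launcher entries whose text points at a .jar. The flagging rules, the sample directory tree and the file names in it are constructed for the demo.

```python
"""Check per-user autostart locations for Java payloads (added example)."""
import os
import re
import tempfile
from pathlib import Path

DEFAULT_AUTOSTART_DIRS = [
    "~/.config/autostart",                                       # Linux (freedesktop)
    "~/Library/LaunchAgents",                                    # macOS per-user launchd
    "%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup",   # Windows per-user
]
LAUNCHER_SUFFIXES = {".desktop", ".plist", ".lnk", ".bat", ".cmd", ".vbs"}
JAR_REF = re.compile(r"\.jar\b", re.IGNORECASE)


def scan_autostart(dirs=None):
    """Return (path, reason) pairs: .jar files dropped straight into an
    autostart folder, and launcher entries whose text points at a .jar."""
    findings = []
    for d in dirs or DEFAULT_AUTOSTART_DIRS:
        base = Path(os.path.expandvars(os.path.expanduser(d)))
        if not base.is_dir():
            continue  # folder absent on this platform, nothing to scan
        for entry in sorted(base.iterdir()):
            if not entry.is_file():
                continue
            suffix = entry.suffix.lower()
            if suffix == ".jar":
                findings.append((str(entry), "jar placed directly in autostart"))
            elif suffix in LAUNCHER_SUFFIXES:
                try:
                    # Lenient decode: fine for text launchers; a binary .lnk with
                    # wide-character strings would need a separate UTF-16 pass.
                    text = entry.read_text(errors="ignore")
                except OSError:
                    continue
                if JAR_REF.search(text):
                    findings.append((str(entry), "launcher references a .jar"))
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: one benign and two suspicious autostart entries."""
    auto = root / ".config" / "autostart"
    auto.mkdir(parents=True)
    (auto / "firefox.desktop").write_text("[Desktop Entry]\nExec=firefox\n")
    (auto / "update.jar").write_bytes(b"PK\x03\x04 placeholder, not a real archive")
    (auto / "sync.desktop").write_text(
        "[Desktop Entry]\nExec=java -jar /tmp/.cache/x.jar\n")
    return auto


def demo_scan():
    """Run the scanner against the constructed tree inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        auto = build_sample_tree(Path(tmp))
        return [(Path(p).name, why) for p, why in scan_autostart([str(auto)])]


if __name__ == "__main__":
    for name, why in demo_scan():
        print(f"sample: {name}: {why}")
    for path, why in scan_autostart():   # the real locations on this machine
        print(f"{path}: {why}")
```

A hit is a lead, not a verdict: legitimate Java tools do register launchers, so each finding should be checked against what the file actually launches and whether the referenced jar lives somewhere a normal installer would put it, rather than in a hidden directory under the user's home.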
Complicating matters for researchers, the botnet uses the Zelix Klassmaster obfuscator.
“In addition to obfuscating bytecode, Zelix encrypts string constants,” Ivanov said. “Zelix generates a different [encryption] key for each class—which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.”
This is not the first time Kaspersky researchers have run into a Java exploit for CVE-2013-2465. A Java exploit called new.jar, used as part of the NetTraveler espionage campaign, also went after this particular Java vulnerability, dropping a backdoor onto victimized machines.
NetTraveler was publicly disclosed in June and another update was provided in September. The malware targeted diplomats, activists, government agencies and the scientific research community. The first version unveiled by Kaspersky researchers targeted Microsoft Office vulnerabilities; a second wave targeted this Java vulnerability. The NetTraveler attackers used watering hole attacks, compromising Uyghur-related websites to drop malware on machines that steals Office document files, as well as design files created in Corel Draw or AutoCAD.