Feed aggregator

Secure Microkernel seL4 Code Goes Open-Source

Threatpost for B2B - Wed, 07/30/2014 - 09:23
A new and allegedly highly secure microkernel was made open source today, a move that could have serious security implications across a number of sensitive and increasingly connected fields.

NOAA, Satellite Data, Fraught With Vulnerabilities

Threatpost for B2B - Tue, 07/29/2014 - 15:55
The information systems that the National Oceanic and Atmospheric Administration (NOAA) runs are fraught with vulnerabilities and what the U.S. Department of Commerce deems "significant security deficiencies."

New Signal App Brings Encrypted Calling to iPhone

Threatpost for B2B - Tue, 07/29/2014 - 14:56
Open WhisperSystems today released Signal, a free app that brings encrypted calling to the iPhone.

Leahy Introduces Bill to End Bulk Call Record Collection

Threatpost for B2B - Tue, 07/29/2014 - 14:51
Sen. Patrick Leahy has introduced an updated, tougher version of the USA FREEDOM Act that would end the bulk collection of data under Section 215 of FISA.

Threat Intelligence Tool Connects Dots on Pre-Attack Data

Threatpost for B2B - Tue, 07/29/2014 - 12:50
Georgia Tech Research Institute has released an open source threat intelligence gathering tool called BlackForest that automates attack-data mining.

Consumer Groups Urge FTC to Halt Facebook Data Collection Program

Threatpost for B2B - Tue, 07/29/2014 - 09:53
A collection of privacy and consumer groups from the United States and Europe has asked the Federal Trade Commission to force Facebook to suspend a recently installed program that mines information about the sites users visit around the Web.

Critical Android FakeID Bug Allows Attackers to Impersonate Trusted Apps

Threatpost for B2B - Tue, 07/29/2014 - 08:00
There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way.

Missile Defense Plans Hacked from Israeli Contractors

Threatpost for B2B - Mon, 07/28/2014 - 16:30
A new report claims attackers, apparently based in China, were able to hack into three Israeli defense firms to make off with sensitive military data in 2011.

DEF CON Hosting SOHO Wireless Router Hacking Contest

Threatpost for B2B - Mon, 07/28/2014 - 16:00
ISE will host a two-track hacking contest at DEF CON next week that focuses on the security of home and small office wireless routers.

Harnessing the Power of an Android Cluster for Security Research

Threatpost for B2B - Mon, 07/28/2014 - 14:20
When the topic of mobile security comes up, users and researchers often discuss Android as if it’s one monolithic operating system like iOS is. But the fact is that there are nearly as many versions of Android as there are Android devices, which has led to plenty of confusion when it’s time to fix a security […]

Koler Ransomware Infrastructure Complex and Agile

Threatpost for B2B - Mon, 07/28/2014 - 13:08
Researchers at Kaspersky Lab report on the infrastructure supporting the Koler ransomware, which not only has components targeting Android devices, but also redirects desktop browsers to other ransomware and exploit kits.

EFF Files Motion Asking Judge to Rule NSA Data Collection Unconstitutional

Threatpost for B2B - Mon, 07/28/2014 - 10:27
The EFF has asked a federal judge to rule that the NSA's collection of massive amounts of upstream user data is unconstitutional, violating the Fourth Amendment.

Behind the 'AndroidOS.Koler' distribution network

Secure List feed for B2B - Mon, 07/28/2014 - 04:00

Our full Koler report (PDF) 

At the beginning of May 2014 a security researcher named Kaffeine made the first public mention of Trojan.AndroidOS.Koler.a, a ransomware program that blocks the screen of an infected device and requests a ransom of between $100 and $300 in order to unlock the device. It doesn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen.

The malware displays a localized message purporting to come from the police.

It has customized messages for the following countries:

Australia
Austria
Belgium
Bolivia
Canada
Czech Republic
Denmark
Ecuador
Finland
France
Germany
Hungary
Ireland
Italy
Latvia
Mexico
Netherlands
New Zealand
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Switzerland
Turkey
United Kingdom
United States

As of July 23, the mobile part of the campaign has been disrupted and the Command and Control server has started sending an "Uninstall" request to victims.

In this post, instead of focusing on the mobile application itself (we highlight some details at the end), we want to shed light on its distribution infrastructure. It is an entire network of malicious porn sites linked to a traffic direction system that redirects the victim to different payloads, targeting not only mobile devices but any other visitor. That includes redirections to browser-based ransomware and to what we believe is an "Angler" exploit kit distribution network.

The diagram below illustrates the bigger picture of the infrastructure used.

The main findings can be summarized as follows:

  • Distribution: TDS (Traffic Distribution System)
  • Main controller: video-sartex.us (TDS controller)
  • Malicious porn sites (redirectors): 49 domains detected
  • Exploit kit websites: 700+ URLs (200+ domains)
  • Browser-based screen-lock domains: 49 domains detected
  • Mobile infection domain: video-porno-gratuit.eu
  • Mobile current C2: policemobile.biz
  • Traffic: almost 200,000 visitors to the mobile infection domain
  • 80% of visitors from the US

The use of a pornographic network for this "police" ransomware is no coincidence: the victims are more likely to feel guilty about browsing such content and pay the alleged fine from the authorities. This psychological factor can be the difference between a failed campaign and a successful one.

With regards to the malicious mobile application, we have found different APKs with the same behavior. Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk.

This suggests the attackers could expand their campaign in the near future.

Mobile payload distribution

The mobile infection is triggered when the user visits specific pornographic sites from an Android device. Those sites are part of the distribution network created for this campaign and will redirect the victims to a landing page that contains an APK file called animalporn.apk.

All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK.

When visited, the website automatically redirects the user to the malicious application. The user still has to confirm the download and installation of the application on their device.

We were able to obtain the statistics showing the geographical distribution of visitors to this malicious site:

According to the same stats, we see that the campaign started and reached peak activity in April 2014.

Redirectors:  The malicious porn network

The pornographic sites of the network are not compromised sites. They all look the same, share the same HTML structure and don't provide their own pornographic material.

We identified a total of 48 domains in this porn redirecting network.

Almost all the websites used in this infrastructure were created using the same template – in many cases using templates from the legitimate site Tubewizardpro and Webloader for the external resources.

All the content (mainly videos and pictures) on these porn sites is loaded from external sources using Webloader.

Basically, all the porn sites redirect to the "controller" domain videosartex.us.

Videosartex.us then performs a redirect based on the parameter in the URL, the referrer, the user agent and the geographical location of the visitor's IP.

If the IP belongs to any of the 30 affected countries and the user-agent belongs to an Android device, the visitor is redirected to the APK at video-porno-gratuit.eu.

In other cases, the user is either redirected to a porn site on the network, to a screen-locker or to an exploit kit. The attackers use Keitaro TDS (Traffic Distribution System) to redirect users.

Non-mobile payloads

During our analysis we noticed that some domains showed ransomware-themed pop-ups to non-mobile victims. These additional servers are used when the controller (videosartex) detects the following two conditions:

  • The request contains no Internet Explorer user agent.
  • The request is from one of the 30 affected countries, but it doesn't contain an Android user agent.

In this case, the victim is redirected to one of the browser ransomware websites, and a blocking screen identical to the one used for mobiles is displayed on the victim's computer. There is no infection in this case, just a pop-up showing a blocking template.

The following images are examples of the headers used in the ransomware pop-ups:

Exploit kits

The redirection infrastructure used in this campaign contained one final surprise: visitors using Internet Explorer are redirected to sites hosting the Angler exploit kit, which has exploits for Silverlight, Adobe Flash and Java.

The following is an example of such a redirection:

We detected more than 200 domains used for hosting this exploit kit.

During our analysis, the exploit code was not fully functional and it didn't deliver any payload.
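The redirect chain described in the preceding sections (redirector site to the controller, then to the APK host for Android visitors, with policemobile.biz as the current mobile C2) can be turned into a simple detection over web-proxy logs. The Python script below is an added example, not code from Kaspersky's report: the log format, the client addresses, the user-agent strings and the redirector hostname porn-redirector-example.test are constructed for illustration, and only the hostnames named in the report are used as indicators.

```python
"""Flag proxy-log clients that touch the Koler redirect chain.

Added example (not from the Securelist post). The log format, the client
addresses and the redirector hostname porn-redirector-example.test are
constructed; the indicator hostnames are the ones named in the post.
"""
import re
from collections import defaultdict

# TDS controller (both spellings appear in the post), APK host and mobile C2
CONTROLLER_HOSTS = {"videosartex.us", "video-sartex.us"}
APK_HOST = "video-porno-gratuit.eu"
MOBILE_C2_HOST = "policemobile.biz"

# Constructed tab-separated format: client_ip, host, path, referer, user_agent
LOG_RE = re.compile(
    r"^(?P<ip>\S+)\t(?P<host>\S+)\t(?P<path>\S+)\t(?P<referer>\S*)\t(?P<ua>.*)$"
)

# Constructed user agents for the sample
ANDROID_UA = "Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KTU84P) AppleWebKit/537.36"
IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"

# Constructed sample log: one Android client that reached the controller and then
# fetched the APK, one IE client that only reached the controller, one clean client
SAMPLE_LOG = "\n".join([
    "\t".join(["10.0.0.5", "videosartex.us", "/go.php?id=12",
               "http://porn-redirector-example.test/", ANDROID_UA]),
    "\t".join(["10.0.0.5", "video-porno-gratuit.eu", "/animalporn.apk",
               "http://videosartex.us/go.php?id=12", ANDROID_UA]),
    "\t".join(["10.0.0.7", "videosartex.us", "/go.php?id=12",
               "http://porn-redirector-example.test/", IE_UA]),
    "\t".join(["10.0.0.9", "example.org", "/index.html", "", "Mozilla/5.0 (Windows NT 6.1)"]),
])


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def is_android(user_agent):
    return "Android" in user_agent


def findings_for(events):
    """Return the chain stages a single client was seen at, in order, without duplicates."""
    findings = []
    for event in events:
        tag = None
        if event["host"] in CONTROLLER_HOSTS:
            tag = "tds-controller"          # reached the TDS hub
        elif (event["host"] == APK_HOST and event["path"].lower().endswith(".apk")
              and is_android(event["ua"])):
            tag = "apk-download"            # Android client fetched the payload
        elif event["host"] == MOBILE_C2_HOST:
            tag = "mobile-c2"               # device is beaconing to the mobile C2
        if tag and tag not in findings:
            findings.append(tag)
    return findings


def find_suspicious(text):
    """Map each client IP with at least one finding to its list of findings."""
    by_ip = defaultdict(list)
    for event in parse_log(text):
        by_ip[event["ip"]].append(event)
    result = {}
    for ip, events in by_ip.items():
        findings = findings_for(events)
        if findings:
            result[ip] = findings
    return result


if __name__ == "__main__":
    for ip, findings in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(ip, "->", ", ".join(findings))
```

A client that shows "apk-download" or "mobile-c2" warrants a look at the device itself; "tds-controller" alone means the client was steered by the hub but, as the report notes for the browser screen-locker branch, was not necessarily infected.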

Conclusions

Ransomware for mobile devices appeared on almost every prediction list for 2014. We are not dealing with the most advanced families here such as cryptolocker for Windows. The ransomware is fairly basic, but sufficient to annoy the victim.

Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again. Depending on a number of conditions, this second redirection could be to a malicious Android application, to browser-based ransomware or to a website with the Angler Exploit Kit.

We believe this infrastructure demonstrates just how well organized and dangerous the campaigns currently targeting Android users (though not limited to them) are. Thanks to full automation, the attackers can quickly create similar infrastructure, changing the payload or targeting different users. They have also devised a number of ways of monetizing their campaign in a truly multi-device scheme.

elasticsearch Vuln Abuse on Amazon Cloud and More for DDoS and Profit

Secure List feed for B2B - Fri, 07/25/2014 - 19:07

A couple of weeks ago, my colleague Mikhail K posted on the "versatile Linux DDoS trojan", with analysis of several bots, including one implementing some extraordinary DNS amplification DDoS functionality. The operators of these bots are currently active, and we observe new variants of the trojan building bigger botnets.

Let's explore some additional offensive details of this crew's activity, and the overall situation, over the past week. In general, the DDoS trojans are being used to fire on victim profiles that indicate purely cybercriminal activity. The compromised hosts we observed running the bots were Amazon EC2 instances, but of course this platform is not the only one being attacked and misused. It is also interesting that the operators of this botnet apparently have no problem working with CN sites, as demonstrated by their use of the site that has hosted their tools since late 2013. Seven of the eight tools hosted there were uploaded in the past couple of weeks, coinciding with their updated attack activity. Their repository includes recent (CVE-2014-0196) and older (CVE-2012-0056) Linux privilege-escalation exploit source code, likely compiled on the compromised hosts only when higher privileges are necessary, along with compiled offensive SQL tools (Backdoor.Linux.Ganiw.a), multiple webshells (Backdoor.Perl.RShell.c and Backdoor.Java.JSP.k) and two new variants of the "versatile bots" (Backdoor.Linux.Mayday.g), the UDP-only "xudp" code being the newer of the two:

But first, how are they getting into EC2 instances and running their Linux DDoS bots from the cloud? They are actively exploiting a known, recent Elasticsearch vulnerability present in all 1.1.x versions (CVE-2014-3120), which happen to still be in active commercial deployment at some organizations. If you are still running 1.1.x, upgrade to the latest 1.2 or 1.3 release; 1.3 was released a couple of days ago. In those releases dynamic scripting is disabled by default, and other features were added to help ease the migration. From a couple of incidents involving Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture the very early stages of the attacks. The attackers re-purpose known CVE-2014-3120 proof-of-concept exploit code to deliver a Perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.
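A quick way to check whether an Elasticsearch node is in the exposed state described above is to compare its version with the script.disable_dynamic setting in elasticsearch.yml, the setting that governs dynamic (MVEL) scripting and whose default the 1.2 release changed to true. The Python audit below is an added example, not Kaspersky's or Elasticsearch's own code; the sample configuration fragments are constructed, and it reads the setting with a plain regular expression rather than a full YAML parser.

```python
"""Audit an Elasticsearch node for exposure to CVE-2014-3120.

Added example (not from the Securelist post). Assumptions: dynamic scripting is
governed by the single setting script.disable_dynamic, which defaults to false
before 1.2.0 and to true from 1.2.0 onward; the config is read with a regular
expression rather than a YAML library, so only a plain "key: value" line counts.
"""
import re

# Matches an uncommented "script.disable_dynamic: <value>" line
SETTING_RE = re.compile(r"^\s*script\.disable_dynamic\s*:\s*([^\s#]+)", re.MULTILINE)


def parse_version(version):
    """'1.1.1' -> (1, 1, 1); tolerates suffixes such as '1.3.0-SNAPSHOT'."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def dynamic_scripting_enabled(version, config_text):
    """True if unsandboxed dynamic scripts would be accepted by this node."""
    match = SETTING_RE.search(config_text)
    if match:
        value = match.group(1).strip("\"'").lower()
        # disable_dynamic: false re-enables scripting; true (or sandbox) keeps MVEL off
        return value in ("false", "no", "off")
    # No explicit setting: fall back to the version's default
    return parse_version(version) < (1, 2, 0)


def assess(version, config_text):
    """Summarize the node's state and what to do about it."""
    enabled = dynamic_scripting_enabled(version, config_text)
    old_branch = parse_version(version) < (1, 2, 0)
    advice = []
    if old_branch:
        advice.append("upgrade to 1.2 or later")
    if enabled and old_branch:
        advice.append("set script.disable_dynamic: true until upgraded")
    elif enabled:
        advice.append("dynamic scripting explicitly re-enabled; review the need for it")
    return {
        "version": version,
        "dynamic_scripting": enabled,
        "exposed_to_cve_2014_3120": enabled and old_branch,
        "advice": advice,
    }


# Constructed configuration fragments used for the demonstration
CONF_DEFAULT = "cluster.name: prod\nnode.name: es-1\n"
CONF_HARDENED = CONF_DEFAULT + "script.disable_dynamic: true\n"
CONF_REENABLED = CONF_DEFAULT + "script.disable_dynamic: false\n"

if __name__ == "__main__":
    cases = [("1.1.1", CONF_DEFAULT), ("1.1.1", CONF_HARDENED),
             ("1.3.0", CONF_DEFAULT), ("1.3.0", CONF_REENABLED)]
    for ver, conf in cases:
        print(assess(ver, conf))
```

The two interesting rows are a 1.1.x node with no explicit setting (exposed, needs both the setting and the upgrade) and a 1.3 node where someone has set script.disable_dynamic to false, which silently undoes the safer default the upgrade brought.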

Gaining this foothold presents the attacker with bash shell access on the server. The script "pack.pl" is fetched with wget and saved from the web host above to /tmp/zerl and run from there, providing the bash shell access to the attacker. Events in your index logs may suggest your server has fallen to this attack:

Hosted on the same remote server and fetched via the Perl webshell are the DDoS bots, carrying new encrypted C2 strings and detected as Backdoor.Linux.Mayday.g. One of the variants includes the DNS amplification functionality described in Mikhail's previous post. Oddly enough, though, the one in use on compromised EC2 instances was flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting IP addresses to those of an anti-DDoS solution. It is also strong enough that Amazon is now notifying its customers, probably because of the potential for unexpected accumulation of excessive resource charges. The situation is probably similar at other cloud providers. The list of DDoS victims includes a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.

Siemens Patches Five Vulnerabilities in SIMATIC System

Threatpost for B2B - Fri, 07/25/2014 - 13:32
Siemens released an update for two builds of its SIMATIC automation system this week, addressing a quintet of issues, four of which are remotely exploitable.

Microsoft Exec Says Company Has Never Been Asked to Backdoor a Product

Threatpost for B2B - Fri, 07/25/2014 - 13:28
One of Microsoft's top security executives said the company has never been asked by the United States government to build a backdoor into any of its products, and if the company was asked, it would fight the order in the courts.