Feed aggregator

DNI, Justice Department Deny Targeting Americans for Surveillance Based on Religion, Politics

Threatpost for B2B - Wed, 07/09/2014 - 10:04
The Director of National Intelligence and the Department of Justice have denied a report based on leaked documents from Edward Snowden that United States intelligence and law enforcement agencies conduct surveillance of Americans based on their ethnicity, religious affiliation or political stances.

Cloud Services: Holes in Corporate Network Security

Secure List feed for B2B - Wed, 07/09/2014 - 07:00

The most popular uses of cloud services include: storing image scans of passports and other personal documents; synchronization of password, contact list, and email/message databases; creating sites; storing versions of source codes, etc. When cloud-based data storage service Dropbox announced a patched vulnerability in its link generator, it once again sparked online discussions about how important it is to encrypt confidential data before uploading it to an online storage, even a private one. Well, File encryption (FLE) does indeed protect confidential information stored in the cloud, even if there are vulnerabilities in controlling access to user documents with certain cloud storage services.

It's tempting to think that you can secure yourself against all possible risks by encrypting your data before you upload it to a cloud storage service, or by foregoing cloud services altogether. But is that really true? As it turns out, no, it isn't.

The Internet is full of recommendations on how to "effectively use cloud-based storage services" including advice on how to remotely control a PC, monitor your computer while you are away, manage your torrent downloads, and many other things. In other words, users create all types of loopholes all by themselves. These loopholes can then be easily exploited by a Trojan, a worm, not to mention a cybercriminal, especially in targeted attacks.

So we asked ourselves: how likely is it that a corporate network can be infected via a cloud service?

At the Black Hat 2013 conference, Jacob Williams, Chief Scientist at CSRgroup Computer Security Consultants, gave a presentation on using Dropbox to penetrate a corporate network. While conducting a trial penetration test (pen test), Jacob used the Dropbox thin client installed on a laptop located outside of a corporate network to spread malware to devices within that network.

Jacob first used phishing to infect an employee's computer, then embedded malicious scripts into documents stored in the laptop's cloud-hosted folder. Dropbox automatically updated (synchronized) the infected documents on all the devices attached to the user's account. Dropbox is not unique in this respect: all applications providing access to popular cloud file services have an automatic synchronization feature, including Onedrive (aka Skydrive), Google Disk, Yandex Disk, etc.

When the user opened the infected document on a workstation located within the corporate network, the malicious scripts embedded in the document installed the backdoor DropSmack on that workstation - it was specifically crafted by Jacob for this pen test. As its name suggests, DropSmack's main feature is that it uses the Dropbox cloud file storage service as a channel to manage the backdoor and leak corporate documents through the corporate firewall.




Flow chart of Jacob Williams's experiment

In the pen test, Jacob used a stunningly simple method to penetrate the corporate network - it is an obvious loophole!

We also decided to check if cybercriminals are using Dropbox, OneDrive, Yandex Disk or Google Disk to spread malware for real. We collected information from KSN about instances of malware detected in cloud-based folders belonging to Kaspersky Lab product users, and found out infections like these were detected for very few users: in May this year, only 8,700 people encountered an infection in their cloud-based folder. Among Kaspersky Lab's home product users, such instances account for only 0.42% of all malware detection cases, and 0.24% for corporate product users.

We should point out one important detail: if a piece of malware is uploaded from one device, all clients connected to the infected account will download it to their devices, and they will do so via HTTPS. Even if a security solution detects the malware in the synchronization folder and deletes it, the cloud client will keep downloading it from the cloud in an endless loop.

According to the data we collected, some 30% of malware detected in cloud folders on home computers had penetrated to these computers via synchronization mechanisms. For corporate users this number reaches 50%. Thus, the infection mechanism demonstrated by Jacob Williams in his demonstration malware, does cause infections in real life. Fortunately, we have not (yet) detected targeted attacks launched using cloud-based data storage services.

If we look into the malware we detected in the cloud folders on users' computers, files for Win32, MSIL, VBS, PHP, JS, Excel, Word and Java dominate. It should be noted that there is a small difference between corporate and home users: for corporate users, infected MS Office files occur more often, while home users also face unique threats on their lists in the form of malicious Android applications.

TOP 10 verdicts:

 

Consumer Corporate 1 Email-Worm.Win32.Runouce.b Email-Worm.Win32.Brontok.dam.a 2 Email-Worm.Win32.Brontok.q Virus.Win32.Sality.gen 3 not-a-virus:AdWare.Win32.RivalGame.kr Virus.Win32.Tenga.a 4 Virus.Win32.Nimnul.a Trojan-Dropper.VBS.Agent.bp 5 Trojan-Clicker.HTML.IFrame.aga Trojan.Win32.Agent.ada 6 Exploit.Win32.CVE-2010-2568.gen Trojan.Win32.MicroFake.ba 7 Virus.Win32.Sality.gen Exploit.Win32.CVE-2010-2568.gen 8 Worm.Win32.AutoRun.dtbv Worm.Win32.AutoRun.dtbv 9 Trojan-Dropper.VBS.Agent.bp Trojan.Win32.Qhost.afes 10 Trojan.Win32.Genome.vqzz Virus.Win32.Nimnul.a

More often than not, virus writers use cloud storage as a place to host their malware rather than a platform to spread them. During the research, we did not encounter a single worm or backdoor (except DropSmack) specifically targeting cloud-based file storages. Naturally, these services try to counter malware which takes up storage room in the cloud. In addition hosting malware affects the service's reputation, although cloud services are not formally responsible for what files their clients upload to the storage. Regular scans of all files contained in the cloud will obviously require a lot of resources that the services would rather use to store data.

As a result of this research, we concluded that there is a relatively low risk of a corporate network being infected via cloud storage: over a period of a year, just 1 out of 1,000 corporate users using cloud services risks infection. It should be remembered, however, that in some cases even a single infected computer in a corporate network can lead to substantial damage.

Here are some measures that can be used to protect corporate networks:

  • Tighten up Firewall/IDS security settings, block access to popular online storage services. The big disadvantage this approach has is that it requires constant and close monitoring of new blacklist candidates as they emerge online.
  • Install a multi-purpose Security Suite. It must incorporate a heuristic and behavior-based antivirus, access restriction features (HIPS), a tool to control the functioning of the operating system (System Watcher or Hypervisor), and a tool to prevent exploitation of vulnerabilities, etc. Once installed, the product must be carefully configured.
  • Remember that even the most sophisticated Security Suite can miss an APT attack. Therefore, attention should be paid to Application Control (it should be configured at Default deny). This is perhaps one of the most reliable tools that will block any unknown software, including malware spread during a targeted attack. The most difficult task arising while deploying Application Control is to configure appropriate rules so that all permitted applications can be launched and updated without problems. To this end, the manufacturers of products which include the Application Control feature have developed dedicated tools: software updates via trusted update programs, preset software whitelists including all possible system and user files, access to huge cloud services and information databases about the entire diversity of whitelisted software.
  • In special cases, Application control should be used to restrict the use of cloud clients within the corporate network. Only trusted employees should be allowed to launch the applications with which to synchronize cloud folders.

As for networks with the most rigorous security requirements, such as those managing power plant operations and water supplies, which guard state secrets or control defense facilities - for all of these we thoroughly recommend not using cloud-based file storage services at all.

Yahoo Patches Bugs in Mail, Messenger, Flickr

Threatpost for B2B - Tue, 07/08/2014 - 16:49
Yahoo recently fixed a trio of remotely exploitable vulnerabilities in its services that could have let attackers execute a handful of nefarious tricks.

Microsoft July Patch Tuesday Updates Patch 29 IE Vulnerabilities

Threatpost for B2B - Tue, 07/08/2014 - 15:23
Microsoft fixes 29 security vulnerabilities in Windows, Internet Explorer, and Server Software in its July 2014 Patch Tuesday release.

Google Finds, Blocks Unauthorized Certificates

Threatpost for B2B - Tue, 07/08/2014 - 14:43
Phony digital certificates for a number of Google domains were discovered and blocked. The certs were issued by the National Informatics Centre of India and were in the Microsoft Root Store.

New Verizon Transparency Report Shows Large Government Appetite for Location, Content Data

Threatpost for B2B - Tue, 07/08/2014 - 13:49
The second transparency report from Verizon claims the company received nearly 150,000 total orders in the first half of 2014.

Adobe Patches Flash Vulnerability Exploited by Rosetta Flash Tool

Threatpost for B2B - Tue, 07/08/2014 - 13:27
Adobe patched Flash Player today, adding validation checks to the software so that it rejects malicious content from vulnerable JSONP callback APIs.

China Hackers Compromise Iraq Experts at National Security Think Tanks

Threatpost for B2B - Tue, 07/08/2014 - 10:53
A China-linked hacker group known as Deep Panda has compromised a number of national security think tanks seeking information on U.S. policy in Iraq.

Phishers Use Luis Suarez Bite as Bait

Threatpost for B2B - Tue, 07/08/2014 - 10:23
The World Cup is the most popular sporting event on the planet, and not just among sports fans; attackers and scammers of all stripes love it as well, as it presents a unique opportunity to separate victims from their money. Phishing and malware scams tied to the World Cup in Brazil have been running rampant […]

Suarez phishing 'petition' dupes users and their friends

Secure List feed for B2B - Tue, 07/08/2014 - 04:00

At the end of last week we came across a curious method of distributing links to a phishing page that collects users’ personal data.

The FIFA World Cup in Brazil is attracting not only football fans in all parts of the world, but cybercriminals too. The phishing page is designed to imitate the FIFA website. Visitors are asked to sign a petition in defense of Luis Alberto Suárez, a forward for the Uruguayan national team. (On June 24, in a last group stage match between Uruguay and Italy, Suarez bit Italy defender Giorgio Chiellini on the shoulder. As a result, Suarez was disqualified for nine official matches for the national team and banned from all football-related activity for four months. He was also slapped with a fine).

To sign the petition, the user needs to fill out a form, entering his or her name, country of residence, mobile phone number and email address:


Phishing page asking football fans to sign a petition

The phishing page matches the design of the official website and all links on it redirect users to FIFA’s official site, fifa.com. The phishing domain was created on June 27, 2014. According to the whois database, it was registered in the name of a person residing in London. The data collection form was developed by the phishers using Google.Docs. Personal data obtained from the form can be used to send spam, phishing and SMS messages, as well as malicious apps. In addition, armed with users’ email addresses and telephone numbers the cybercriminals can conduct targeted attacks involving banking Trojans for computers and mobile devices. This technique is used to get round two-factor authentication in online banking systems in cases when a one-time password is sent via SMS.

After filling out the ‘petition’ form, victims were encouraged to share a link to the page with their friends on Facebook:


Window prompting users to share the link to the ‘petition’ with friends


Pop-up Facebook window

Unsuspecting fans shared links to the fake petition on their Facebook pages. This enabled the phishing link to spread widely across Facebook in a matter of days.


Example of an unsuspecting user sharing a link to the phishing page on a social network

Messages with links to the phishing page were also seen on dedicated forums, from which users probably reached the phishing page originally.

Motives Behind Havex ICS Malware Campaign Remain a Mystery

Threatpost for B2B - Mon, 07/07/2014 - 15:36
Experts question whether the Havex malware campaign targeting three European industrial control system software vendors is merely a dry run for something bigger.

Hard-Coded Password Vulnerability Plagues Some Netgear Switches

Threatpost for B2B - Mon, 07/07/2014 - 14:01
A vulnerability in Netgear-branded ethernet switches could give an attacker full access to the hardware.

Expect IE Rollup, Azure Service Bus Update on Patch Tuesday

Threatpost for B2B - Mon, 07/07/2014 - 10:10
Microsoft will release two critical bulletins tomorrow as part of its July 2014 Patch Tuesday security updates.

All Seized Domains Returned to No-IP

Threatpost for B2B - Mon, 07/07/2014 - 10:04
Less than a week after Microsoft seized nearly two dozen domains owned by a small hosting provider as part of a takedown of a malware operation, all of those domains are back in the control of the provider, No-IP.

Threatpost News Wrap, July 4, 2014

Threatpost for B2B - Fri, 07/04/2014 - 09:00
Dennis Fisher and Mike Mimoso discuss the Microsoft malware takedown, its legal and security implications and the revelation of a massive financial fraud campaign in Brazil.

Remote Access Hack Compromises POS Vendor

Threatpost for B2B - Thu, 07/03/2014 - 13:07
A popular point of sale vendor may have suffered a data breach earlier this year that could affect the customers of a handful of restaurants.

Miniduke APT Campaign Returns with New Targets, Hacking Tools

Threatpost for B2B - Thu, 07/03/2014 - 13:00
The Miniduke APT campaign is back in business with new tools to steal data from new targets in an assortment of countries from all over the globe.
Syndicate content