Threatpost for B2B
Google is reportedly looking into a problem with the latest versions of Nexus smartphones that could force the devices to restart, lock or fail to connect to the Internet.
All Galaxy Nexus, Nexus 4 and Nexus 5 devices that run Android 4.0 contain a flaw that can render the phones vulnerable to a denial-of-service attack when a large number of Flash SMS messages are sent to them.
According to a description on the programming site Stack Overflow, Flash SMS messages, also known as Class 0 SMS, are messages that show up – or flash – on the screen immediately and dim the screen around the text. The messages are part of the GSM messaging infrastructure and are often used for sending emergency messages. Since the messages are not saved in the phone’s inbox by default and simply appear, users can elect to read or dismiss them. If one message is received on top of another, however, they can stack up quickly.
If a phone receives a certain number of these messages, around 30 in this case, the phone will restart itself. In some cases if a PIN is required to unlock the SIM card, the device will not connect to the Internet after the reboot. On “rare occasions” the phone can also lose connection to the mobile network and the messaging app can crash.
Bogdan Alecu, a Romanian independent security researcher who also works as a system administrator at the Dutch IT firm Levi9, discovered the issue and discussed it in a presentation (.PDF) on Friday at DefCamp, a security conference in Bucharest, Romania.
Alecu told PC World last week that while he found the problem more than a year ago (the video above was first published five months ago) and has tested it on a handful of Nexus phones since then, Google has largely ignored his research. A fix in Android 4.3 was promised to Alecu by a member of Google’s Security Team in July but never surfaced when 4.3 (Jellybean) was released later that month.
Now Google claims it’s looking into the vulnerability.
“We thank him [Alecu] for bringing the possible issue to our attention and we are investigating,” a Google representative told PC Magazine via email.
In the meantime Alecu has developed and published a proof of concept firewall application for Android that should prevent most Nexus devices from being exploited by the Flash SMS attack vector.
Class0Firewall, posted today on Google’s Play marketplace, lets Nexus users determine how many Flash SMS messages they can receive from a certain number before blocking them entirely. The app can also be set to block Flash SMS messages for a set amount of time.
Alecu warns that while his app isn’t foolproof, he hopes to release an update for it soon that addresses a few remaining issues.
For example, Alecu aims to include a fix in a future version that will let users know if a Flash SMS attacker is spoofing the user’s own number, a trick that keeps the messages from being blocked. Alecu also hopes to find a workaround for an SMS API change in Android 4.4 (KitKat) that still leaves Nexus users running that build of Android exposed.
D-Link has patched a backdoor present in a number of its routers that was publicized almost two months ago and could allow an attacker to remotely access the administrative panel on the hardware, run code and make any number of changes.
The Thanksgiving patch parade addressed the issue in a number of affected routers, most of them older versions that are still in circulation and largely untouched by consumers in particular.
Customer premise equipment such as wireless routers, modems and other set-top devices pose a real security issue because patches require firmware updates that are often ignored. There’s plenty of research too that examines the risks posed not only by buggy routers, but by other home and small business networking equipment.
Using available tools and online search engines such as Shodan, attackers can easily find Internet-facing equipment that’s vulnerable, and target those boxes with any number of exploits or scripts focusing on weak or default credentials, giving someone remote access to the gear.
The D-Link issue is much more serious given the access it could afford a remote attacker. Researcher Craig Heffner reported finding the vulnerability in October; he said that an attacker using a certain string “xmlset_roodkcableoj28840ybtide” could access the Web interface of a number of different D-Link routers without credentials.
D-Link routers DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240, along with Planex routers BRL-04R, BRL-04UR and BRL-04CW also use the same firmware, Heffner said. The firmware revisions issued last Thursday are for DI-524, DI-524UP, DIR-100 and DIR-120 routers, D-Link said in its advisory.
“Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string,” the company’s original advisory said. “This backdoor allows an attacker to bypass password authentication and access the router’s administrative web interface.”
Backdoors in hardware such as networking gear are generally there for remote administration purposes. Researcher Travis Goodspeed told Heffner that this backdoor is used by a particular binary in the firmware, which relies on the string to automatically reconfigure the device’s settings.
“My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner wrote. “The only problem was that the web server required a username and password, which the end user could change.”
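As an added example, not from the article or from D-Link, here is a Python check for the authentication-bypass User-Agent described above, run over combined-format access log lines such as a reverse proxy or syslog collector in front of router admin interfaces might hold. The hosts, paths and timestamps in the sample log are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# The User-Agent value Heffner reported for the D-Link authentication bypass.
BACKDOOR_USER_AGENT = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" access log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_backdoor_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records whose User-Agent contains the backdoor string.

    A substring match is deliberate: it also catches the string embedded in an
    otherwise ordinary-looking agent header. Any hit is worth escalating.
    """
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec and BACKDOOR_USER_AGENT in rec["agent"]:
            hits.append(rec)
    return hits


def bypass_succeeded(rec: Dict[str, str]) -> bool:
    """A 2xx response with no authenticated user is the bypass working."""
    return rec["status"].startswith("2") and rec["user"] == "-"


def hits_per_host(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count backdoor requests by source address for triage."""
    return dict(Counter(h["host"] for h in hits))


# Constructed sample: two ordinary requests and two carrying the backdoor agent.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2013:14:02:11 +0000] "GET /index.htm HTTP/1.1" 401 233 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
192.0.2.10 - - [10/Oct/2013:14:02:15 +0000] "GET /admin/settings.htm HTTP/1.1" 200 4312 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - admin [10/Oct/2013:14:05:40 +0000] "GET /status.htm HTTP/1.1" 200 1902 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/30.0"
203.0.113.5 - - [10/Oct/2013:14:07:02 +0000] "POST /admin/apply.htm HTTP/1.1" 200 120 "-" "Mozilla/4.0 xmlset_roodkcableoj28840ybtide"
"""

if __name__ == "__main__":
    found = find_backdoor_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["host"], h["method"], h["path"], "bypass" if bypass_succeeded(h) else "blocked")
    print(hits_per_host(found))
```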
After opening a malicious attachment in a phishing email, an employee at University of Washington Medicine in Seattle may have exposed the personal information of more than 90,000 Harborview Medical Center and University of Washington Medical Center patients.
The breach took place in October. According to a press release on the UW Medicine website, upon opening the malware-laden attachment, the unnamed piece of malicious software then “took control of the computer.” The infected computer contained patient data and the malware went unnoticed for one day before staff members “took measures to prevent any further malicious activity.”
UW Medicine says that it conducted an internal investigation and does not believe that patient data was sought or targeted in the attack. Despite this belief, the malware is said to have accessed the personal information of more than 90,000 current and former patients. The potentially exposed data include names, medical record numbers, “other demographics (which may include address, phone number),” dates of service, charge amounts for services received, dates of birth, and Social Security Numbers or Health Insurance Claim (Medicare) numbers.
The press release also announces that UW Medicine has implemented a review and is conducting employee training and other outreach efforts in response to the incident.
UW Medicine apologized for the breach, saying it will attempt to contact each individual affected via email. As is the industry standard, the company has also hired a firm specializing in data breach prevention and response to manage a call center on behalf of UW Medicine.
Threatpost attempted to contact UW Medicine for comment and clarification, but the company’s spokesperson was not available at the time of publication.
If your organization needed more incentive to move off Windows XP, a new zero-day vulnerability made public recently may be it.
The bug, which is being exploited in the wild, allows local privilege escalation and kernel access. But in the bigger picture, it’s another indicator that attackers might be readying a cache of attacks for the impending April 8, 2014 end-of-support deadline for the aged operating system.
Microsoft began an overt campaign with the release of its latest Security Intelligence Report explaining the dangers of keeping endpoints and servers on the OS, which is now a dozen years old.
“From a security perspective, this is a really important milestone,” Microsoft spokesperson Holly Stewart said. “Attackers will start to have a greater advantage over defenders. There were 30 security bulletins for XP this year, which means there would have been 30 zero-day vulnerabilities on XP [without support].”
In the October SIR, Microsoft said computers running XP Service Pack 3 are six times more vulnerable to malware infection than a computer running on Windows 8; Microsoft said data from its Malicious Software Removal Tool indicates that 9.1 XP computers are disinfected by MSRT versus 1.6 Windows 8 machines.
“The real story is that this zero day is just the tip of the iceberg. Malware authors today are sitting on their XP zero day vulnerabilities and attacks, because they know that after the last set of hotfixes for XP is released in April 2014 that their exploits will work forever against hundreds of thousands (millions?) of XP workstations,” wrote Rob VandenBrink on the SANS Internet Storm Center website. “If you are still running Windows XP, there is no project on your list that is more important than migrating to Windows 7 or 8. The ‘never do what you can put off until tomorrow’ project management approach on this is on a ticking clock, if you leave it until April comes you’ll be migrating during active hostilities.”
Microsoft released an advisory late Wednesday on the latest zero-day after an earlier report from security company FireEye identified the vulnerability. FireEye researchers said they found an exploit in the wild being used alongside a PDF-based exploit against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected; later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel and, for example, install new software, manipulate data or create new accounts. The exploit cannot be used remotely.
Microsoft said it is working on a patch and urged XP users to delete NDProxy.sys and reroute to null.sys in the system registry. NDProxy.sys is a driver that aids in the management of Microsoft Telephony API (TAPI). The mitigation will of course impact TAPI operations.
“For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild,” said Dustin Childs, group manager, Trustworthy Computing at Microsoft.
There is a vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable all of the security locks on a given device, leaving it open to further attacks. Jelly Bean is the most widely deployed version of Android right now.
The vulnerability in Android exists in the way that the operating system handles the flow of events when a user wants to change one of the security locks on a device. There are several different kinds of security locks on Android devices, including PIN codes, facial recognition and gesture locks. When a user wants to change one of these locks, he is asked to enter one of the other ones in order to confirm his control of the device. The vulnerability in Jelly Bean, discovered by researchers at Curesec in Germany, allows a malicious app to skip this step and disable the other security locks.
“The bug exists on the ‘com.android.settings.ChooseLockGeneric class’. This class is used to allow the user to modify the type of lock mechanism the device should have. Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.x. If a user wants to change the pin or remove it it has to first enter the previous pin),” the advisory from Curesec says.
If a malicious app is installed on a vulnerable device, it could control the code flow that determines whether Android enables the mechanism that requires a security code in order to change one of the other security locks. A Google representative said the problem was fixed in Android Kit Kat 4.4.
“We can control the flow to reach the updatePreferencesOrFinish() method and see that IF we provide a Password Type the flow continues to updateUnlockMethodAndFinish(). Above we can see that IF the password is of type PASSWORD_QUALITY_UNSPECIFIED the code that gets executed and effectively unblocks the device. As a result any [rogue] app can at any time remove all existing locks,” the advisory says.
The researchers at Curesec said that they reported the vulnerability to the Android security team at Google on Oct. 11, received a reply the next day and then didn’t get any further feedback from Google after that. The advisory includes a short bit of proof-of-concept code which the researchers say could be used by an installed malicious app. In the comments of their blog post on the bug, the researchers explained that the permissions model in Android can be bypassed with this bug.
“The commandline shown is just a simple PoC so the problem is understood by anyone without needing to write his own application to test it. For executing actions in Android your application needs the exact permission to do this.
For instance an app wants to read SMS or use the Internet, there is a Permission for that. However due to the bug you do not need any permission to remove all device locks,” the researchers said.
If CryptoLocker is teaching enterprise IT and security people anything, it’s that backup is king.
The ransomware is unforgiving; it will find and encrypt documents on local and shared drives and it will not give them back. Experts don’t advise victims to pay the ransom, which means infected computers must be wiped, and lost files must be recovered from backup.
However, one Boston-area forensics specialist and malware analyst working for a large enterprise may have found a way to identify the files CryptoLocker encrypts, which could mean the difference between restoring terabytes of backup data and restoring a few gigabytes.
The infection at this particular enterprise happened in October. A user fell victim to a phishing email and followed a link to a site where CryptoLocker awaited. The malware was detected within a couple of hours by the firm’s antivirus, but not before it had encrypted thousands of files on the local drive and drives mapped to the user’s laptop, and presented the user with the now-familiar bitmap image explaining the attacker’s demand for ransom.
The laptop was pulled from the network, wiped and analyzed. That’s when the analyst, who goes by the Twitter handle @Bug_Bear and asked not to be otherwise identified, noticed that the NTFS Master File Table creation and file modified dates on the encrypted files were unchanged. He then compared those results to the Master File Table from the Windows file server as well, using a pair of tools, analyzeMFT and MFTParser, to go through close to 10GB of Master File Table data.
“Identifying some known encrypted files by the $FN file name, I noted the only date in the MFT record that coincided with the infection was the MFT Entry Date or date the MFT record itself was modified,” he wrote on his Security Braindump blog. “Using this, I filtered out all records that had $SI or $FN time stamps that preceded this.”
Through this method, he was able to identify more than 4,000 files that had been encrypted by CryptoLocker and recover those files from backup.
He told Threatpost that he believes the malware uses a technique called File System Tunneling to avoid detection, and that’s what led him to find the encrypted files.
“In NTFS, if you delete a file and then recreate it with the same name in the same folder within 15 seconds, it takes on the attributes of the original files; all the file dates would match up,” he said. “I think that’s what we’re seeing. The only date that won’t change is the NTFS Master File Table date which is the date it was created in the database for NTFS itself. That will change and that’s what I’m seeing and that’s what I used to find these files.”
CryptoLocker, unlike other ransomware, encrypts files and then demands a ransom for the decryption key. It is spreading primarily through phishing campaigns heralding phony Federal Express or UPS tracking notifications. Victims are told they must make payments via MoneyPak or Bitcoin before a 72-hour payment deadline expires and the files are lost forever.
Bug_Bear called the attack straightforward, efficient and effective. He also said backup is a company’s best defense, along with a solid incident response plan.
“The only way I know of to find these files is what I used,” he said. “I’m thankful for other people out there writing these tools because if I didn’t have these tools, [parsing] 10GB of hexadecimal would be quite the chore.”
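As an added example, not the analyst’s own scripts or analyzeMFT/MFTParser output, the following Python applies the timestamp filter described above to constructed MFT-style records: it keeps records whose MFT entry-modified time falls inside the infection window while every $SI and $FN timestamp predates it, the trace the article attributes to file system tunneling. All names, timestamps and the infection window are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List


@dataclass(frozen=True)
class MftRecord:
    """The timestamps of one MFT record that matter here (constructed data).

    $STANDARD_INFORMATION ($SI) carries created/modified plus the "MFT modified"
    time, updated when the record itself is rewritten; $FILE_NAME ($FN) carries
    its own created/modified pair, set when the name was written.
    """
    name: str
    si_created: datetime
    si_modified: datetime
    si_entry_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def tunneling_candidates(records: Iterable[MftRecord],
                         window_start: datetime, window_end: datetime) -> List[str]:
    """Names of records whose only timestamp inside the infection window is the
    MFT entry-modified time, while every $SI/$FN time predates the window.

    That is the trace left when a file is deleted and recreated under the same
    name within NTFS's tunneling window: the new file inherits the old dates,
    but the MFT record itself is new. Caveat: other operations that rewrite the
    record without touching $SI/$FN times (attribute or permission changes)
    leave the same pattern, so the output is a candidate list to confirm, as
    the analyst did against file names already known to be encrypted.
    """
    hits = []
    for r in records:
        entry_in_window = window_start <= r.si_entry_modified <= window_end
        others = (r.si_created, r.si_modified, r.fn_created, r.fn_modified)
        if entry_in_window and all(t < window_start for t in others):
            hits.append(r.name)
    return sorted(hits)


T = datetime.fromisoformat
INFECTION_START = T("2013-10-15T13:50:00")   # constructed: user follows the phishing link
AV_DETECTION = T("2013-10-15T16:00:00")      # constructed: antivirus catches it ~2 h later

SAMPLE_RECORDS = [
    # Two documents encrypted in place: $SI/$FN untouched, MFT entry rewritten in the window.
    MftRecord("Q3_report.docx", T("2013-05-02T09:12:00"), T("2013-09-30T17:45:00"),
              T("2013-10-15T14:02:13"), T("2013-05-02T09:12:00"), T("2013-05-02T09:12:00")),
    MftRecord("budget.xlsx", T("2013-01-14T11:00:00"), T("2013-10-01T08:20:00"),
              T("2013-10-15T14:02:14"), T("2013-01-14T11:00:00"), T("2013-01-14T11:00:00")),
    # A genuinely new file dropped during the infection: every timestamp is in the window.
    MftRecord("ransom_note.bmp", T("2013-10-15T14:05:00"), T("2013-10-15T14:05:00"),
              T("2013-10-15T14:05:00"), T("2013-10-15T14:05:00"), T("2013-10-15T14:05:00")),
    # An untouched file from months earlier.
    MftRecord("notes.txt", T("2013-03-03T10:00:00"), T("2013-03-03T10:00:00"),
              T("2013-03-03T10:00:00"), T("2013-03-03T10:00:00"), T("2013-03-03T10:00:00")),
    # A file the user edited during the window: $SI modified moved too, so not the pattern.
    MftRecord("meeting.txt", T("2013-06-10T15:00:00"), T("2013-10-15T14:30:00"),
              T("2013-10-15T14:30:00"), T("2013-06-10T15:00:00"), T("2013-06-10T15:00:00")),
]

if __name__ == "__main__":
    for name in tunneling_candidates(SAMPLE_RECORDS, INFECTION_START, AV_DETECTION):
        print("restore from backup:", name)
```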
The European Commission is urging the United States government to make some changes to the way it handles surveillance to help restore the trust in the relationship between the EU and the U.S. The commission is asking for the U.S. to promote privacy rights internationally, adopt the EU’s data protection reforms and respond to the commission’s problems with the U.S.’s surveillance reform process.
Since the public exposures of the NSA’s widespread surveillance programs and collection methods began in June, there have been a number of pronouncements from politicians in various European countries about the privacy and economic effects the programs might have. The volume has increased in recent months after news broke that the agency, and others it is allied with, may have been conducting surveillance on European leaders’ mobile phones. But this represents one of the first public statements from a European government body on the subject.
“Large-scale US intelligence collection programmes, such as PRISM affect the fundamental rights of Europeans and, specifically, their right to privacy and to the protection of personal data. These programmes also point to a connection between Government surveillance and the processing of data by private companies, notably by US internet companies. As a result, they may therefore have an economic impact. If citizens are concerned about the large-scale processing of their personal data by private companies or by the surveillance of their data by intelligence agencies when using Internet services, this may affect their trust in the digital economy, with potential negative consequences on growth. These developments expose EU-US data flows to new challenges,” the communication from the EC says.
The communication is the result of a joint working group of U.S. and EU members that looked at ways that the two parties could restore trust in the flow of data that is vital to the economic health of both the EU and America. The group found that there are a number of things that should be done to fix the problem:
- A swift adoption of the EU’s data protection reform
- Making Safe Harbour safe
- Strengthening data protection safeguards in the law enforcement area
- Using the existing Mutual Legal Assistance and Sectoral agreements to obtain data
- Addressing European concerns in the on-going U.S. reform process
- Promoting privacy standards internationally
The working group noted that one of the main issues is that there are different standards and protections applied to U.S. citizens and Europeans, which leads to problems for EU citizens.
“There is a lower level of safeguards which apply to EU citizens, as well as a lower threshold for the collection of their personal data. In addition, whereas there are procedures regarding the targeting and minimisation of data collection for U.S. citizens, these procedures do not apply to EU citizens, even when they have no connection with terrorism, crime or any other unlawful or dangerous activity. While U.S. citizens benefit from constitutional protections (respectively, First and Fourth Amendments) these do not apply to EU citizens not residing in the U.S.,” the working group’s statement says.
The statements from the EC come a day after the EFF and other digital and human rights groups formed a new coalition to urge politicians to reform the mass surveillance programs run by the NSA. And while much has been made of the privacy and civil rights effects of the surveillance, it’s just recently that more of the attention has been focused on the economic effects of what’s been going on.
“Massive spying on our citizens, companies and leaders is unacceptable. Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced. Today, the European Commission is setting out actions that would help to restore trust and strengthen data protection in transatlantic relations,” said Vice-President Viviane Reding, the EU’s Justice Commissioner. “There is now a window of opportunity to rebuild trust which we expect our American partners to use, notably by working with determination towards a swift conclusion of the negotiations on an EU-U.S. data protection ‘umbrella’ agreement. Such an agreement has to give European citizens concrete and enforceable rights, notably the right to judicial redress in the U.S. whenever their personal data are being processed in the U.S.”
Image from Flickr photos of Thomas Quine.
A large group of privacy and digital rights organizations has put together a new effort to urge politicians to curtail the mass surveillance operations that have been exposed in the last few months. The new coalition has developed a set of 13 principles for governments to follow in their intelligence gathering efforts and started a petition that it plans to deliver to the United Nations and governments around the world.
Known as Necessary and Proportionate, the anti-surveillance group includes the EFF, Privacy International, Access, the Chaos Computer Club and many others. The petition that the group has started has been signed by a slew of other organizations and privacy and security experts from around the world, including the Citizen Lab, Digital Courage, the Internet Governance Project, Bruce Schneier, Morgan Marquis-Boire and Jennifer Granick.
“Surveillance can and does threaten human rights, ” EFF International Rights Director Katitza Rodriguez said in a statement. “Even laws intended to protect national security or combat crime will inevitably lead to abuse if left unchecked and kept secret. The Necessary and Proportionate Principles set the groundwork for applying human rights values to digital surveillance techniques through transparency, rigorous oversight and privacy protections that transcend borders.”
The Necessary and Proportionate effort is just the latest response to the revelations of the surveillance methods employed by the National Security Agency, GCHQ in the U.K. and other intelligence agencies. There have been other petitions started, including one to demand the resignation of NSA Director Keith Alexander. The Necessary and Proportionate coalition has put together a list of 13 principles that the groups involved say should be used to guide the “determination of whether the State may conduct communications surveillance that interferes with protected information”.
The principles include legality, legitimate aim, necessity, adequacy and proportionality. The latter principle is at the center of what the coalition is trying to achieve.
“Communications surveillance should be regarded as a highly intrusive act that interferes with the rights to privacy and freedom of opinion and expression, threatening the foundations of a democratic society. Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to the individual’s rights and to other competing interests, and should involve a consideration of the sensitivity of the information and the severity of the infringement on the right to privacy,” the principle’s text says.
Once the petition is finished, the group plans to deliver copies to the U.N. and government leaders around the world to ask for their support.
“In 2013, we learned digital surveillance by world governments knows no bounds. Their national intelligence and other investigative agencies can capture our phone calls, track our location, peer into our address books, and read our emails. They do this often in secret, without adequate public oversight, and in violation of our human rights. We won’t stand for this anymore,” Rodriguez wrote in a blog post.
Image from Flickr photos of Frederic Bisson.
A lingering security issue in Ruby on Rails that stems from a setting in the framework’s cookie-based storage mechanism is still present in almost 2,000 websites.
Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default cookie storage mechanism, are at risk. CookieStore saves each user’s session hash in the cookie on the client side, which keeps each cookie valid for life. This makes it possible for an attacker to glean a user’s log-in information – either via cross-site scripting or session sidejacking – and log in as them at a later date.
Security researcher G.S. McNamara, who detailed the initial vulnerability on his MaverickBlogging site in September, recently spent four days scouring 90,000 sites, running specialized scripts and analyzing data from each domain. When all was said and done, he found 1,897 sites that use old versions of Ruby on Rails (version 2.0 to version 4.0) that do not encrypt their users’ cookie values.
Some of the sites even fail to use SSL after their log-in pages, meaning they are communicating each user’s permanent session cookie without encryption for anyone to sniff and steal.
Most of the websites McNamara found belong to small startup companies but some, such as crowdsourcing site Kickstarter.com, restaurant review site Urbanspoon.com, and the site that belongs to the motion picture studio Warner Brothers (WarnerBros.com) are affected by the vulnerability.
McNamara has reached out to a handful of the sites but, with more than 1,500 affected, it’s a lengthy list to go through. Kickstarter for example – one of the sites that doesn’t use SSL the entire time a user is logged in – is aware of the issue. Meanwhile sites such as Urbanspoon.com and 500px.com, an online photo community with more than 10 million monthly users, still have not responded to the researcher.
In addition to the sites, McNamara also found a handful of online tools and utilities, applications such as Redmine, Zendesk and Spiceworks that also store user session hashes on the client side. While the last two use SSL as an added layer of security, on Redmine, it’s up to the user to properly configure the software’s security.
While Ruby on Rails moved to encrypt cookies by default in version 4.0, it doesn’t change the fact that users’ information is still at risk. Just because users’ cookies are encrypted and therefore unreadable doesn’t make the cookies useless to an attacker.
“Version 4.0 and beyond still have this problem,” McNamara told Threatpost in an email. “The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie.”
“The encryption does not protect against reusing the cookie after logout,” McNamara warned, comparing an encrypted cookie to a black box that a hacker simply needs to plug into the correct hole to work.
The technical classification for this problem is defined by the Web Application Security Consortium as an Insufficient Session Expiration weakness, basically stating that on sites “the log-out function should… disallow reuse of the session token,” something these sites clearly don’t do.
McNamara points out that anyone looking to see if the Ruby on Rails site they’re visiting is using CookieStore just needs to look for the string “BAh7” at the beginning of the value of the cookies. He adds that a cursory search on SHODAN, the search engine that gained notoriety a few years ago for sniffing out unprotected SCADA devices, reveals 60,000+ vulnerable sites.
McNamara’s list isn’t exhaustive. In this case it’s limited to Rails sites, not sites run on Django, another web framework in which the D.C.-based researcher has recently found similar cookie-related weaknesses.
To fix the issue McNamara has previously advocated that Rails developers switch to a different cookie storage mechanism, one that stores session information on the server side, in a database, instead of in the client’s cookie.
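As an added example (not the article’s, McNamara’s or Rails’ own code), the Python model below shows why a Rails 2.x/3.x CookieStore cookie begins with “BAh7” and why a signed client-side session cannot be revoked at logout, next to the server-side store the article points toward. The secret, session contents and payload body are constructed; Rails actually serializes the session with Ruby Marshal, modelled here only by its header bytes.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for Rails' config.secret_token (example only).
SECRET = b"constructed-secret_token-for-this-example"


def sign(data: str) -> str:
    """ActiveSupport::MessageVerifier layout: '<data>--<hex HMAC-SHA1 of data>'."""
    return data + "--" + hmac.new(SECRET, data.encode(), hashlib.sha1).hexdigest()


def unsign(cookie: str) -> Optional[str]:
    """Return the signed data if the HMAC checks out (constant-time compare), else None."""
    data, sep, sig = cookie.rpartition("--")
    if not sep:
        return None
    expected = hmac.new(SECRET, data.encode(), hashlib.sha1).hexdigest()
    return data if hmac.compare_digest(expected, sig) else None


def build_cookiestore_cookie(session: Dict[str, str]) -> str:
    """Model of a CookieStore value: base64(Marshal(session)) signed as above.

    Ruby Marshal 4.8 output starts with bytes 0x04 0x08, and '{' (0x7B) opens a
    Hash; the body that follows is a constructed key=value list, not real Marshal.
    """
    body = ";".join(f"{k}={v}" for k, v in session.items()).encode()
    return sign(base64.b64encode(b"\x04\x08{" + body).decode())


def looks_like_cookiestore(cookie: str) -> bool:
    """base64 of the bytes 04 08 7B is 'BAh7', the fingerprint McNamara points to."""
    return cookie.split("--", 1)[0].startswith("BAh7")


def load_cookiestore_session(cookie: str) -> Optional[Dict[str, str]]:
    """Stateless check, as CookieStore does it: a valid signature is all it takes.

    There is no server-side record to consult, so nothing distinguishes a live
    cookie from one captured earlier and replayed after the victim logged out.
    Encrypting the payload (Rails 4) hides the contents but changes none of this.
    """
    data = unsign(cookie)
    if data is None:
        return None
    payload = base64.b64decode(data)
    if not payload.startswith(b"\x04\x08{"):
        return None
    body = payload[3:].decode()
    return dict(item.split("=", 1) for item in body.split(";")) if body else {}


class ServerSideSessions:
    """Server-side store, the direction the article recommends: the cookie carries
    only a signed random id, the data lives on the server, and logout deletes it."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, str]] = {}

    def login(self, user_id: str) -> str:
        sid = secrets.token_hex(16)
        self._store[sid] = {"user_id": user_id}
        return sign(sid)

    def load(self, cookie: str) -> Optional[Dict[str, str]]:
        sid = unsign(cookie)
        return self._store.get(sid) if sid is not None else None

    def logout(self, cookie: str) -> None:
        sid = unsign(cookie)
        if sid is not None:
            self._store.pop(sid, None)


def replay_after_logout() -> Dict[str, bool]:
    """Does a cookie copied before logout still open a session afterwards?"""
    copied = build_cookiestore_cookie({"user_id": "42"})
    # CookieStore "logout" only asks the browser to drop the cookie; the copy survives.
    cookiestore_ok = load_cookiestore_session(copied) == {"user_id": "42"}
    store = ServerSideSessions()
    sid_cookie = store.login("42")
    store.logout(sid_cookie)
    return {"cookiestore_replay_accepted": cookiestore_ok,
            "serverside_replay_accepted": store.load(sid_cookie) is not None}


if __name__ == "__main__":
    print(replay_after_logout())
```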
Researchers at FireEye have been reporting on intrusive ad clients for more than a month, shedding some light on the potential risks with these programs that come packaged with mobile applications in order to simplify the display of mobile advertisements. The clients may not be malicious, but they do expose apps, devices and users to unnecessary risk, the company said.
“They are aggressive at collecting sensitive data, embedding functionalities and capabilities to perform dangerous operations such as downloading and running new code on demand, and they are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users,” researchers Yulong Zhang, Hui Xue, Tao Wei and Dawn Song wrote today on the company’s blog. The researchers also point out that the 2,000 affected Google Play apps have each been downloaded more than 100,000 times, putting 2.56 billion total downloads at risk. FireEye said it has informed Google and InMobi.
“InMobi builds a sidedoor in host apps with these aggressive features to endow content in WebViews with these capabilities,” the FireEye researchers wrote.
InMobi responded with a new SDK, version 4.0.4, which changed its methods for making phone calls, now requiring user permission, and added a downloads folder for storing files grabbed from the Internet, FireEye said. FireEye said the changes are a step in the right direction, but still leave users vulnerable to social engineering attacks.
“We understand that library vendors like InMobi have the incentive to add rich functionality, however, it is important for the vendors to advise app developers about such features and functionality that cause sensitive security and privacy risks, so that app developers can make informed decisions,” the FireEye researchers wrote.
Banking malware with a particular liking for Fidelity Investments has infected several thousand victims worldwide, and has the capacity for much greater harm, in particular during the upcoming holidays, according to researchers at Kaspersky Lab.
A report released today describes the threat posed by a Trojan called Neverquest, which is self-replicating malware programmed to activate when a victim visits any of more than 100 banks and financial institutions. The malware sends credentials and other personal information back to the attackers, who then via a VNC connection established by the Trojan, are able to conduct transactions on the victim’s behalf and wipe accounts clean.
“This threat is relatively new, and cybercriminals still aren’t using it to its full capacity,” wrote researcher Sergey Golovanov. “In light of Neverquest’s self-replication capabilities, the number of users attacked could increase considerably over a short period of time.”
The threat was spotted in July on an underground forum where the attackers had posted the Trojan for sale, boasting that it could be used to attack 100 banks by plugging in code onto websites viewed with Internet Explorer or Firefox.
“When a user on an infected machine visits one of the sites on the list, the malware controls the browser’s connection with the server. Malicious users can obtain usernames and passwords entered by the user, and modify webpage content,” Golovanov wrote. “All of the data entered by the user will be entered onto the modified webpage and transmitted to malicious users.”
Illicit transactions are conducted over a SOCKS server that is remotely connected to the infected computer via VNC, Golovanov wrote. Stolen funds are either wired directly to the attackers, or to other stolen accounts.
After gaining access to a user’s account with an online banking system, cybercriminals use a SOCKS server and connect remotely to the infected computer via a VNC server, then conduct transactions and wire money from the user to their own accounts, or — in order to keep the trail from leading directly to them — to the accounts of other victims.
The list of targeted banks can be expanded, Golovanov said. The configuration file also comes with a list of keywords related to banking activity, such as “available balance,” “checking account,” “account summary,” and many others; if any of them appear on a webpage, the malware sends the page back to the attackers. The attackers may then use that page to develop attacks specific to the bank in question if it’s not already on the list, which is then added back to the configuration file for future infection attempts. Most of the attacks so far, Golovanov wrote, have been against Fidelity customers.
As for Neverquest’s replication capabilities, it moves about similarly to Bredolab, a botnet blamed for millions of infections worldwide via a three-pronged approach. Neverquest uses any of dozens of programs to access FTP servers in order to steal credentials that are used to distribute the malware via the Neutrino Exploit Kit. Also, it can harvest data from victims’ email clients during SMTP/POP sessions, including credentials, which are then used to spam out the Neverquest dropper. It is also designed to harvest credentials from social networks, including Facebook, Live.com, Twitter, Amazon Web Services and many others to spread links via social networks to infected online resources.
“As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent,” Golovanov wrote. “We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.”
When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
The Cool exploit kit isn’t as well-known as Blackhole, but it is just as dangerous and was being sold at a much higher price during its heyday. Blackhole is one of the more venerable exploit kits for sale on the underground markets and it has been very popular with a variety of attackers and malware gangs over the years. It’s often used in drive-by download scenarios to compromise users’ machines through the use of browser exploits or exploits for plug-ins such as Java or Flash. Blackhole customers could buy a yearly license for about $1,500 or even just rent it for a day for $50. Cool could rent for as much as $10,000 a month.
A malware researcher who uses the name Kafeine and closely follows the sale and use of exploit kits has looked at the major groups that have been using Cool and Blackhole in recent years and found that Cool is virtually gone from the exploit kit landscape. The only crew still using Cool is the Reveton gang, which Kafeine said was the first major customer for the exploit kit, and has been using it for more than a year to push their ransomware. Reveton has taken many forms in its lifetime, showing up as fake FBI or Justice Department warnings about illegal content on a user’s machine.
The Reveton gang is still using Cool, but it’s not the main version of the kit. Like many of the other exploit kits, there are so-called private versions of Cool available for sale to premium customers at premium prices. They often include private zero-day vulnerabilities not available to other users, and extra features. Kafeine said via email that the Reveton crew is using its own version of Cool these days.
“Cool has disappeared with Paunch. Main user (reveton Team) is now on a ‘private’ EK that we decided to name Angler EK,” Kafeine said.
The Angler exploit kit was the first to add the Microsoft Silverlight vulnerability CVE-2013-0074. As for Blackhole, there are still a handful of attack groups using it, but Kafeine said that he has seen about a 98 percent drop in the usage of that exploit kit since the arrest of Paunch.
“[Blackhole] is almost dead,” he said.
The one main group that’s using Blackhole is known as /closest/ and has been pushing out LinkedIn spam with malicious links to pages that deliver the exploits. The crew is using Blackhole for a variety of purposes, including pushing the Cutwail bot, some pay-per-click malware and other threats.
Yet another commercial crimekit has been spotted making the rounds on the underground malware forums that uses the anonymity network Tor to stealthily communicate with its command and control servers.
While it isn’t the first of its kind to use Tor, the kit, nicknamed Atrax, is cheap and comes with a slew of capabilities including browser data extraction, Bitcoin mining and the capability to launch DDoS attacks.
Named after an Australian subfamily of spiders, Atrax runs for about $250 – Bitcoin only – making it one of the more relatively affordable kits available. Atrax comes with a few add-ons, including a plugin stealer ($110), an experimental add-on for coin mining ($140) and a form grabber ($300), according to Jonas Mønsted of the Danish security firm CSIS, who described the kit in depth in a blog entry earlier today.
While some of the add-ons, notably the form grabber, cost more than the actual kit, Atrax comes with free updates, support and bug fixes, perks that could catch an attacker’s eye.
In the Atrax rundown, Mønsted writes that “communication over TOR is already encrypted, so no extra communication encryption” is needed and that the kit doesn’t use “suspicious Windows APIs.”
The kit’s author claims Atrax’s size (1.2 MB) is due to “TOR integration and x64/x86 code.”
The plug-in stealer looks to have a wealth of functionality, boasting the ability to steal information from Chrome, Firefox, Safari, Internet Explorer and Opera browsers.
Atrax has opened its arms to the burgeoning world of Bitcoin as well: the kit’s author claims it can steal information from users’ Bitcoin wallets (such as Armory, Bitcoin-Qt, Electrum and Multibit) and also mine for Bitcoin and a lesser-known alternative, Litecoin.
While CSIS has yet to track down an active sample of the Atrax kit, it sounds like it should fit alongside other recently discovered botnets and malware tools that also rely on the Tor network to propagate.
Mevade, one of the more popular Tor-based botnets, gained unwanted publicity when it shifted to the covert communication protocol at the end of this past summer. Tor saw a gigantic uptick in users, up to 2.5 million from 500,000 in August, thanks to the botnet, something that got it detected but didn’t prove to be its complete undoing.
Activity stemming from Mevade was later spotted in September by Microsoft lending a hand to Sefnit, a long-thought-dead strain of malware that was revived after it found a new component to carry out click fraud.
Twitter took another step toward not only securing the privacy of its users’ communication over the social network, but in warding off the prying eyes of government surveillance with the implementation of Perfect Forward Secrecy. The technology thwarts the efforts of anyone who may be collecting Twitter traffic today with the hope of cracking the private key securing it tomorrow.
“At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners,” said Twitter security engineer Jacob Hoffman-Andrews. “A year and a half ago, Twitter was first served completely over HTTPS. Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”
Perfect Forward Secrecy ensures that the session keys securing an encrypted connection are freshly generated and random for each session, so that if one is compromised, it cannot be used to compromise other messages.
“When an encrypted connection uses perfect forward secrecy, that means that the session keys the server generates are truly ephemeral, and even somebody with access to the secret key can’t later derive the relevant session key that would allow her to decrypt any particular HTTPS session,” wrote Parker Higgins, an activist with the Electronic Frontier Foundation. “So, intercepted encrypted data is protected from prying eyes long into the future, even if the website’s secret key is later compromised.”
While Yahoo and other laggards have either only recently deployed HTTPS across their web services or have yet to do so, Twitter extends its leadership among Internet companies. Twitter announced that forward secrecy has been enabled not only on twitter.com but on api.twitter.com and mobile.twitter.com. A recent EFF crypto report shows that Twitter is among a handful of major companies that deploy forward secrecy; others include Facebook, Dropbox, Google, Tumblr and SpiderOak.
Twitter encouraged other companies to implement not only HTTPS as the default, but harden it with HSTS, certificate pinning and forward secrecy.
“Security is an ever-changing world. Our work on deploying forward secrecy is just the latest way in which Twitter is trying to defend and protect the user’s voice in that world,” Twitter’s Hoffman-Andrews said.
Hoffman-Andrews explained in his blog post that Twitter has enabled the EC Diffie-Hellman cipher suites to support forward secrecy.
“Under those cipher suites, the client and server manage to come up with a shared, random session key without ever sending the key across the network, even under encryption,” he said. “The server’s private key is only used to sign the key exchange, preventing man-in-the-middle attacks.”
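The exchange Hoffman-Andrews describes, as an added example in Go that is not Twitter’s code or anything from the blog post: the server’s long-lived ECDSA key signs a one-time ECDH public key together with the handshake transcript, both sides derive the session key from the two ephemeral keys alone, and the client refuses a key exchange whose signature does not verify. The transcript string, the `server-kx` and `session-key` labels and the use of plain SHA-256 in place of the TLS key-derivation function are assumptions made for the example; it uses only Go’s standard library (crypto/ecdh needs Go 1.20 or later).

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ServerKeyExchange carries the server's one-time ECDH public key and the
// identity-key signature over (transcript || ephemeral public key).
type ServerKeyExchange struct{ EphemeralPub, Signature []byte }

// hashAll is a labelled SHA-256 over its parts; it stands in for the TLS PRF/HKDF.
func hashAll(label string, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// ServerStart mints an ephemeral P-256 key for this session and signs it, with the
// handshake transcript (client and server randoms), using the server's long-lived
// ECDSA identity key. That key only signs; it never protects the session key.
func ServerStart(identity *ecdsa.PrivateKey, transcript []byte) (*ecdh.PrivateKey, *ServerKeyExchange, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pub := eph.PublicKey().Bytes()
	sig, err := ecdsa.SignASN1(rand.Reader, identity, hashAll("server-kx", transcript, pub))
	if err != nil {
		return nil, nil, err
	}
	return eph, &ServerKeyExchange{EphemeralPub: pub, Signature: sig}, nil
}

// VerifyServerKeyExchange is the client's defence against a man in the middle:
// an ephemeral key not signed by the server's identity key is rejected.
func VerifyServerKeyExchange(serverPub *ecdsa.PublicKey, transcript []byte, ske *ServerKeyExchange) bool {
	return ecdsa.VerifyASN1(serverPub, hashAll("server-kx", transcript, ske.EphemeralPub), ske.Signature)
}

// sharedSecret runs ECDH between our ephemeral private key and the peer's ephemeral
// public key; nothing long-lived enters the secret, which is what forward secrecy means.
func sharedSecret(eph *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return eph.ECDH(peer)
}

// ClientFinish verifies the server's exchange, makes the client's own ephemeral key
// and derives the session key. It returns the client ephemeral public key and the key.
func ClientFinish(serverPub *ecdsa.PublicKey, transcript []byte, ske *ServerKeyExchange) ([]byte, []byte, error) {
	if !VerifyServerKeyExchange(serverPub, transcript, ske) {
		return nil, nil, errors.New("server key exchange signature invalid")
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := sharedSecret(eph, ske.EphemeralPub)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), hashAll("session-key", shared, transcript), nil
}

// Handshake runs one session end to end and returns the client's and the server's keys.
func Handshake(identity *ecdsa.PrivateKey, transcript []byte) ([]byte, []byte, error) {
	eph, ske, err := ServerStart(identity, transcript)
	if err != nil {
		return nil, nil, err
	}
	cPub, cKey, err := ClientFinish(&identity.PublicKey, transcript, ske)
	if err != nil {
		return nil, nil, err
	}
	shared, err := sharedSecret(eph, cPub) // server side completes with the client's key
	if err != nil {
		return nil, nil, err
	}
	return cKey, hashAll("session-key", shared, transcript), nil
}

func main() {
	identity, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tr := []byte("client-random|server-random") // constructed stand-in for the handshake randoms
	k1, k2, _ := Handshake(identity, tr)
	k3, _, _ := Handshake(identity, tr) // same identity key, fresh ephemeral keys
	fmt.Println("sides agree:", bytes.Equal(k1, k2), "next session differs:", !bytes.Equal(k1, k3))
}
```

Run it and the two sides agree while a second handshake under the same identity key yields a different session key; an attacker who records the traffic today and obtains the identity key tomorrow still lacks either ephemeral private key, which is the property the article calls forward secrecy. Certificate validation, which would establish that `serverPub` really belongs to the hostname, is left out.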
The Snowden leaks have demonstrated that the NSA is adept at not only collecting phone call metadata, but practically any data it chooses, from email address books, to searches and other Internet traffic. HTTPS and other encryption offshoots put up hurdles for the NSA. Meanwhile, major web services providers such as Yahoo, which will only deploy HTTPS by default on its services at the start of the new year, don’t put up a barrier at all.
EFF staff attorney Seth Schoen told Threatpost that HTTPS—SSL and/or TLS encryption—is something that users should demand and developers should consider normal and standard with new applications. But, he cautioned, HTTPS is a minimum standard of protection, and forward secrecy and HSTS, for example, should be considered as well.
Schoen said that enabling Perfect Forward Secrecy requires computational resources and additional costs, but he also said that those were some of the same arguments companies used as a counter to enabling HTTPS. However, Schoen said, computers are getting faster and there’s less of a CPU resource burden today than a half-dozen years ago.
“There’s been a lot of speculation about Moore’s Law and how long that curve will last,” Schoen said. “But as long as we are on the curve for the time being, cryptography that seemed so intensive may not be so if we look again. Five or six years ago, that might have seemed like a huge computational burden, but today that might not be because CPUs are a lot faster.”
Researchers have discovered a mature attack platform that’s enjoyed great success eluding detection and made good use of an exploit present in a number of espionage campaigns.
The attacks have concentrated largely on the automotive industry, hitting large companies primarily in Asia, and only after being tested against activist targets in the region. Nicknamed Grand Theft Auto Panda by researcher Jon Gross of Cylance, the attacks rely on the well-worn exploits for CVE-2012-0158. Malicious Microsoft Office documents are sent to the victim, who must open the .xls, .doc or other file delivered in a phishing email or on a website in order for the vulnerability to be exploited and malware injected or a service disruption caused.
These attacks are not carried out on the same scale as those by the Comment Crew or other high profile APT gangs. Specific targets are chosen in these campaigns, and those targets are phished with convincing messaging, such as a negative customer service review as in one attack spotted by Cylance.
The platform has been around for a few years and can be used to steal not only system and network information, but documents and credentials, in addition to opening a backdoor connection to the attacker in order to move stolen data.
“It’s more of an extensible platform to where they can add in any functionality they want as a plug-in. It’s more of an infection framework than any specific Trojan,” Gross said. “They can modify the components over time and not have to really worry about it if the main component is never detected. This is more like extensible platform where they add in functionality, screen capture, key logging, they just send it up as a plug in.”
CVE-2012-0158, meanwhile, has been a favorite among nation-state attackers seeking to infiltrate corporations or activist groups for espionage or surveillance. It was detected in the Icefog and NetTraveler campaigns discovered by Kaspersky Lab. Both were linked to operatives in China and follow similar patterns to GTA Panda in that they attack both activists and manufacturing companies.
“We see a lot people who are attacking industries, also attacking human rights groups. We’ve always thought it just comes down as a directive from whomever to test this against them,” Gross said. “We see a lot of new malware tested against human rights activists before it ever makes its way to the corporate environments. The original stuff I found was not targeted against human rights, but as I dug into it, I saw more and more stuff that was also additionally targeting human rights; and that was older stuff before they moved on to corporations.”
NetTraveler, for example, made use of the CVE-2012-0158 Office exploits to target Uyghur and Tibetan activists before moving on to oil and energy companies, as well as diplomats and government agencies around the world.
“It’s kinda like a Darwinian evolution of malware. If it passes the first test, it’s survival of the fittest. The things that don’t get detected get reused,” Gross said. “Human rights are almost like a playground. They’re always a target, and we see a lot of malware that’s used against them before anyone else.”
As for the platform, its staying power is due to its stealth.
“The big thing is moving functionality out of the actual files that get loaded into [victims’ machines] because then it doesn’t look suspicious until that file subsequently loads something else that performs the malicious activity,” Gross said. “The malicious components are sitting there encrypted on disk, where your typical security product is not going to find that unless they already know about it.”
There are also layers of encryption protecting the attack that shield it from detection, Gross said. As for the exploits, lax patching is likely the biggest culprit; in this case, CVE-2012-0158 was patched more than 18 months ago by Microsoft. Combine that with effective social engineering in the phishing messaging—in particular from spoofed, trusted email addresses—and that’s a potent cocktail for trouble.
“If you get emails that look like they’re coming from trusted parties and people you usually communicate with, then our guard drops and we’re much more likely to say OK, I’ll open that,” Gross said. “I think they rely on that really heavily, especially with the activist community because they know all these people and they know who they communicate with on a regular basis and they try to make it look like it comes from them. Their guard’s totally down and they’re not worried about it.”
A recent set of Google patches included a fix for a serious Gmail account recovery vulnerability, the details of which have been disclosed.
Researcher Oren Hafifi of Israel points out in his disclosure that unlocking a Google password opens the door to much more than email, elevating the risk.
“Did you ever stop and ask what does GMAIL stand for? It’s the Global Main Authentication and Identification Library. Seriously, if someone got access to your Gmail account, he can ‘password recover’ his way to any other web/mobile application out there,” Hafifi wrote on his blog.
Hafifi combined cross-site scripting, cross-site request forgery, and password flow bypass to pull off this hack.
The attack starts with a spoofed Google phishing email sent to a Gmail user. Hafifi explains the gory details in his blog about the ins and outs of why his attack works, but essentially the phishing email must be customized with the victim’s email address in the URL.
The link, however, points to the attacker’s site, where a cross-site request forgery (CSRF) is triggered. Next a cross-site scripting attack launches and the user is presented with a phony password reset option.
“The user clicks ‘Reset Password’ and from here, the sky is the limit,” Hafifi wrote.
Once the user tries to reset their password and recover their account, the attacker is in the background receiving the new password and cookie information.
Hafifi said Google patched the vulnerability within 10 days and he is in line to receive a bug bounty and another Hall of Fame recognition from Google.
Encryption, once a tool used mainly by security professionals, activists and others with reason to suspect their communications may be at risk, has been moving ever deeper into the mainstream in recent months. Now, Microsoft is planning to roll out a new encrypted email service on its Office 365 site that will make sending and receiving secure email much simpler.
The new service, known as Office 365 Message Encryption, is designed to simplify the process of using encrypted email, something that hasn’t been as easy as most users would like. Setting up and using many secure email applications can be an arduous and confusing process, particularly for users who may not be familiar with security. Microsoft’s new service, which will be available in the first quarter of 2014, uses a system that’s somewhat similar to other secure email systems, wherein a user receives an email with an encrypted attachment and instructions for opening it.
“No matter what the destination – Outlook.com, Yahoo, Gmail, Exchange Server, Lotus Notes, GroupWise, Squirrel Mail, you name it – you can send sensitive business communications with an additional level of protection against unauthorized access. There are many business situations where this type of encryption is essential,” Microsoft’s Shobhit Sahay said in a blog post explaining the new service.
“When an external recipient receives an encrypted message from your company, they see an encrypted attachment and an instruction to view the encrypted message. You can open the attachment right from your inbox, and the attachment opens in a new browser window. To view the message, you just follow the simple instructions for authenticating via your Office 365 ID or Microsoft Account.”
Since the start of the summer, when the Edward Snowden NSA leaks began, encrypted communications have become a hot topic in the security and privacy communities, as well as in the wider user community. The secure email service reportedly used by Snowden, Lavabit, shut down in August, as did the Silent Mail system run by Silent Circle, both moves coming on the heels of government demands for Lavabit’s SSL keys.
Microsoft’s new service isn’t really the same kind of system as those, but it’s meant to help businesses secure their sensitive communications through the use of a variety of encryption schemes. When the data is at rest in Microsoft’s data center, it will be protected by BitLocker. The connection between the client and the Office 365 servers is protected by SSL, and the messages will be encrypted and signed using S/MIME.
The system will use a simple Web interface for administration, and enterprise administrators have the ability to set up rules that determine which emails will be encrypted.
“The Message Encryption interface, based on Outlook Web App, is modern and easy to navigate. You can easily find information and perform quick tasks such as reply, forward, insert, attach, and so on. As an added measure of protection, when the receiver replies to the sender of the encrypted message or forwards the message, those emails are also encrypted,” Sahay said.
Dennis Fisher and Mike Mimoso discuss the major security stories of the last two weeks, including the BGP route hijacking, why Do Not Track doesn’t work and the We Are the Cavalry movement. http://threatpost.com/files/2013/11/digital_underground_135.mp3
Debian has released patches for a pair of security vulnerabilities in the free operating system, including a security bypass flaw in the Nginx Web server. The other vulnerability lies in a Perl module used in the OS.
The vulnerability in the HTTP::Body Perl module could allow an attacker to run arbitrary commands on a vulnerable Debian server.
“The HTTP body multipart parser creates temporary files which preserve the suffix of the uploaded file. An attacker able to upload files to a service that uses HTTP::Body::Multipart could potentially execute commands on the server if these temporary filenames are used in subsequent commands without further checks. This update restricts the possible suffixes used for the created temporary files,” the Debian advisory says.
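A defensive illustration of the advisory’s point, written in Go rather than Perl and not code from Debian or the HTTP::Body module: the only part of an uploaded file name carried into the temporary file name is an extension checked against an allowlist, and the follow-up command receives the path as a separate argument rather than through a shell, so nothing in the name can become shell syntax. The allowlist pattern, the `upload-` prefix, the `file --brief` command and the hostile sample name are assumptions of the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// allowedSuffix is the allowlist for extensions carried over to a temporary
// file name: a dot followed by one to eight ASCII letters or digits. Anything
// else (spaces, quotes, ';', '$(', path separators) is dropped entirely.
var allowedSuffix = regexp.MustCompile(`^\.[A-Za-z0-9]{1,8}$`)

// SafeSuffix returns the vetted, lower-cased extension of an uploaded file
// name, or "" when the extension is not on the allowlist.
func SafeSuffix(uploadedName string) string {
	ext := filepath.Ext(filepath.Base(uploadedName))
	if !allowedSuffix.MatchString(ext) {
		return ""
	}
	return strings.ToLower(ext)
}

// CreateUploadTemp stores an upload in dir under a random name that keeps
// only the vetted suffix, so the uploader never controls the path string.
func CreateUploadTemp(dir, uploadedName string, data []byte) (string, error) {
	f, err := os.CreateTemp(dir, "upload-*"+SafeSuffix(uploadedName))
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		return "", err
	}
	return f.Name(), nil
}

// UnsafeCommand shows the pattern the advisory warns about: the file name is
// spliced into a shell command line, so metacharacters in the name become
// shell syntax. It is returned, not run, for comparison with SafeCommand.
func UnsafeCommand(path string) *exec.Cmd {
	return exec.Command("sh", "-c", "file --brief "+path)
}

// SafeCommand passes the path as one argv element and never involves a shell,
// so the content of the path cannot change what is executed.
func SafeCommand(path string) *exec.Cmd {
	return exec.Command("file", "--brief", path)
}

func main() {
	hostile := "report.pdf; id" // constructed hostile upload name
	fmt.Printf("vetted suffix: %q\n", SafeSuffix(hostile))
	fmt.Printf("unsafe argv:   %q\n", UnsafeCommand(hostile).Args)
	fmt.Printf("safe argv:     %q\n", SafeCommand(hostile).Args)
}
```

The two fixes reinforce each other: restricting the suffix (what the Debian update does) removes the injection vector from the file name, and avoiding the shell means that even an unexpected name is only ever data to the program that receives it.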
The second vulnerability is a bug in the Nginx Web server that enables an attacker to bypass the security restrictions in Debian. Found by Ivan Fratric of the Google security team, the vulnerability is a serious one. It “might allow an attacker to bypass security restrictions by using a specially crafted request,” Debian said in its advisory.
Users running vulnerable versions of Debian are encouraged to upgrade as soon as possible.
Stuxnet was a two-headed beast as it turns out, one that could have laid waste to the Natanz nuclear facility which it infected, and one that should have, by expert accounts, remained undetected if not for the noisier yet less complex second attack routine that is now familiar to the world.
Industrial control system and SCADA expert Ralph Langner wrote an article for Foreign Policy magazine and a paper on his website, published this week, that throw back the covers on an older, more complex and stealthier version of the malware, one markedly different from the second attack routine that emerged in 2010.
“It turns out that it was far more dangerous than the cyberweapon that is now lodged in the public’s imagination,” Langner wrote. “Without that later and much simpler version, the original Stuxnet might still today sleep in the archives of antivirus researchers, unidentified as one of the most aggressive cyberweapons in history.”
Langner said the older, lesser known Stuxnet—put in place in 2007—targeted the protection systems around cascades of centrifuges used to enrich uranium at the plant. The attackers were keenly aware of weaknesses in plant design and process execution. They knew the Iranians were content in accepting a percentage of faulty centrifuges because they had designed a protection system that enabled enrichment to continue amidst the breaking centrifuges, Langner said.
“The system might have kept Natanz’s centrifuges spinning, but it also opened them up to a cyberattack that is so far-out, it leads one to wonder whether its creators might have been on drugs,” Langner wrote.
Ingeniously, the malware had the capability of recording 21 seconds of activity from the protection system’s sensors, showing a healthy stream of activity. That 21 seconds was looped over and over on monitoring screens while the attack was executed. Engineers thought they were watching an enrichment process hum along as designed that instead was spinning out of control. The malware attacked industrial controllers built by Siemens, closing crucial valves causing pressure to go up, gases to collect, and centrifuges to figuratively blow up.
The attackers, Langner said, could have let them literally blow up, causing catastrophic destruction. They didn’t, keeping their cover as a result, he said. “The implementation of the attack with its extremely close monitoring of pressures and centrifuge status suggests that the attackers instead took great care to avoid catastrophic damage,” Langner wrote.
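One way a monitoring system could check for the looped-recording trick Langner describes, as an added example that is not from Langner’s paper or any real plant: it looks for an exact, repeated period in the tail of a sensor series, which genuine noisy readings should never produce. The one-sample-per-second rate, the 21-sample recording, the drifting “live” series and the thresholds are all constructed for the example.

```go
package main

import "fmt"

// DetectReplayLoop reports whether the tail of a telemetry series is made up
// of at least minRepeats exact repetitions of one window, trying every period
// from minPeriod to maxPeriod samples and returning the smallest that fits.
// Live sensor readings carry noise, so a long run that repeats exactly is a
// strong sign that the display is being fed a recording rather than the plant.
func DetectReplayLoop(samples []float64, minPeriod, maxPeriod, minRepeats int) (int, bool) {
	n := len(samples)
	for p := minPeriod; p <= maxPeriod; p++ {
		span := p * minRepeats
		if p <= 0 || span > n {
			continue
		}
		repeating := true
		for i := n - span; i < n-p; i++ {
			if samples[i] != samples[i+p] {
				repeating = false
				break
			}
		}
		if repeating {
			return p, true
		}
	}
	return 0, false
}

// LoopedStream builds what the operators' screens would have received:
// one recording played back over and over.
func LoopedStream(recording []float64, repeats int) []float64 {
	out := make([]float64, 0, len(recording)*repeats)
	for r := 0; r < repeats; r++ {
		out = append(out, recording...)
	}
	return out
}

// ConstructedRecording returns a 21-sample "healthy" trace (one sample per
// second) with pairwise distinct values. Constructed, not real plant data.
func ConstructedRecording() []float64 {
	rec := make([]float64, 21)
	for i := range rec {
		rec[i] = 50 + float64((i*37)%21)*0.1
	}
	return rec
}

// ConstructedLiveStream returns a slowly drifting trace that never repeats,
// standing in for a genuine feed.
func ConstructedLiveStream(n int) []float64 {
	out := make([]float64, n)
	for i := range out {
		out[i] = 50 + 0.01*float64(i)
	}
	return out
}

func main() {
	looped := LoopedStream(ConstructedRecording(), 5)
	p, ok := DetectReplayLoop(looped, 5, 60, 3)
	fmt.Printf("looped feed: replay=%v period=%ds\n", ok, p)
	p, ok = DetectReplayLoop(ConstructedLiveStream(105), 5, 60, 3)
	fmt.Printf("live feed:   replay=%v period=%ds\n", ok, p)
}
```

The check is a heuristic, and an attacker who adds fresh noise to each replayed pass would defeat it; the more robust answer is telemetry that is timestamped and authenticated at the sensor so a historian cannot be substituted for the live process at all.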
Langner’s analysis of the attack called it over-engineered for the task and that any slip-up would have risked detection by the Iranians. Two years after the first Stuxnet was in place, in 2009, the second phase was introduced.
The variant attacked another process control system that controlled rotor speeds in the centrifuges and was a self-replicating worm that moved within the plant’s network and on portable USB drives; the older version, Langner said, was deliberately installed on plant computers, likely by an agent of the attackers.
“This suggests that the attackers had lost the capability to transport the malware to its destination by directly infecting the systems of authorized personnel, or that the centrifuge drive system was installed and configured by other parties to which direct access was not possible,” Langner wrote.
This version of Stuxnet has been well documented, including its use of a number of Windows zero-day exploits and malware signed with stolen Microsoft digital certificates. Langner said this version of Stuxnet was written by hackers skilled in writing malicious code, while the first attack was coded alongside experts adept in industrial control systems, not IT. Langner points a finger at the National Security Agency as the author of Stuxnet, calling it the only logical location for its development.
This version and approach to attacking the Iranians’ nuclear capabilities left fingerprints—strange behavior in the industrial processes that could, and would, be detected. And while the attackers could have caused catastrophic destruction at any time, Langner estimates they instead set the country’s nuclear program back by only two years.
“The attackers were in a position where they could have broken the victim’s neck, but they chose continuous periodical choking instead,” Langner wrote. “Stuxnet is a low-yield weapon with the overall intention of reducing the lifetime of Iran’s centrifuges and making the Iranians’ fancy control systems appear beyond their understanding.”
Langner also speculates that Stuxnet was not built to escape beyond Natanz’s walls, yet it did, likely through contractors who worked at the plant leaving with laptops infected with Stuxnet and plugging them in at other industrial facilities where they were contracted. Stuxnet was designed to spread only on local networks, or via portable drives, Langner said.
He also wrote that it was likely the attackers’ intention to allow Stuxnet to spread since the malware reports IP addresses and hostnames of infected systems to a command infrastructure. The attackers could monitor the movement of contractors, likely in the hopes of spotting other nuclear facilities in Iran operating under the radar, he wrote.
The danger too is that future weaponized attacks such as Stuxnet can follow this same path into a facility because, as Langner put it, contractors are good at engineering tasks but lousy at cybersecurity and could be unwitting pawns in deploying another such weapon at any time.
Langner estimates that 50 percent of the investment into Stuxnet was put into hiding the attack; future attacks may not require the same kind of investment, and therefore may not need the resources of a nation-state such as Stuxnet did, Langner wrote.
“And unlike the Stuxnet attackers, these adversaries are also much more likely to go after civilian critical infrastructure. Not only are these systems more accessible, but they’re standardized,” he wrote.
Ultimately, Langner said, Stuxnet may have served two purposes: 1) disrupt the Iranian nuclear program; and 2) allow the attacker to flex its cyberweaponry muscle.
“Operation Olympic Games started as an experiment with an unpredictable outcome. Along the road, one result became clear: Digital weapons work. And different from their analog counterparts, they don’t put military forces in harm’s way, they produce less collateral damage, they can be deployed stealthily, and they are dirt cheap,” Langner wrote. “The contents of this Pandora’s box have implications much beyond Iran; they have made analog warfare look low-tech, brutal, and so 20th century.”