The keepers of the mobile Obad Trojan realize the window of opportunity they have to spread the malware on Android devices may be closing since the vulnerability the Trojan exploits has been patched in Android 4.3.
That could explain why Kaspersky Lab researchers have spotted a recent spike in infections, an occurrence they attribute to the use of a mobile botnet. This is the first time a botnet of mobile devices has been used to distribute a mobile Trojan, according to Roman Unuchek, a researcher at Kaspersky.
“The owners of [Obad] not only command their own software to spread itself, they also take advantage of Trojans operated by other cybercriminals,” Unuchek wrote on the Securelist blog.
Specifically, 12 versions of Obad have been spotted being distributed by devices already infected with Opfake, malware bundled into malicious applications that sends SMS messages to premium-rate numbers controlled by the attacker.
Obad, however, exploits an Android vulnerability that allows the malware to have extended Device Administrator privileges on a device, yet stay off a list of privileged apps on the device, making it difficult to delete. Couple that feature with a number of encryption and obfuscation techniques, and Obad is able to gain a firm hold on a smartphone or tablet once it is installed.
Unuchek said Kaspersky Lab disclosed the vulnerability to Google in May, and Google included a fix in its late-July release of Android 4.3. Currently the update is available only for Google Nexus devices; most major manufacturers, such as HTC and Samsung, have yet to push it to their devices, with most promising to do so by the end of the month.
“Devices which use earlier versions of the platform are still at risk,” Unuchek said.
The Trojan has been found mostly in Russia, Ukraine and Belarus; 83 percent of infections were seen in Russia, Unuchek reports.
Working with a Russian mobile provider, Kaspersky researchers spotted a mass distribution of malicious text messages on its network during a five-hour span on Aug. 10. More than 600 messages carrying a link to a modified version of Opfake were sent from infected devices.
“Only a few devices infected with [Opfake] distributed links to [Obad], so we could conclude that the creators of the dangerous Trojan rented part of a mobile botnet to spread their brainchild,” Unuchek wrote.
The attacks begin with a text message reading “MMS message has been delivered, download from www[.]otkroi[.]com.” If the user follows the link, a file called mms.apk containing Opfake is downloaded to the device; it will not run, however, until the user launches it. Once that happens, the malware contacts a command-and-control server and spams the victim’s address book with another text: “You have a new MMS message, download at – otkroi[.]net/12.” That link automatically downloads a file called mms.apk or mmska.apk that contains Obad.
Obad’s encryption and obfuscation frustrate security analysts. Once it holds Device Administrator privileges the Trojan has a bevy of capabilities, including sending SMS messages to premium-rate numbers, downloading additional malware, installing it on the device and spreading it via Bluetooth. An attacker can also execute commands through a console, Unuchek said.
The Trojan also sends device information via an encrypted JSON object to the command and control server, including operator name, Bluetooth MAC address and more.
Unuchek said Kaspersky Lab also discovered more than 120 compromised websites redirecting users to nbelt[.]ru; a visitor who clicked anywhere on the page would infect their mobile device with Obad.
“The owners of [Obad] must have decided to strike while the iron is hot, so they are using both traditional and brand new approaches,” Unuchek said. “[This] demonstrates that cybercriminals continue to adapt and update their infection techniques.”
All but the most recent version of the mobile application for Yahoo’s popular fantasy football service are vulnerable to a session hijack attack in which an unauthenticated person could remotely change team lineups, post messages and perform other mischief on behalf of the legitimate user.
Developers can create session hijack vulnerabilities by failing to correctly implement session tokens or – as is the case here – by implementing weak session tokens that remain valid for too long. Attackers can exploit session hijack vulnerabilities in a number of ways ranging from the simple – stealing an unencrypted cookie as it travels from an app to a server – to the incredibly complicated.
“One of the most common security mistakes made during the development of mobile web applications is related to session management,” said Dan Kuykendall, the researcher who uncovered the bug.
Kuykendall, the co-CEO and CTO of the application security firm NT OBJECTives, explained in a video that Yahoo’s fantasy football service has a Web application that users can log into online. This front end communicates with a Yahoo database that does all the real computing work for the fantasy football leagues. The Web app, Kuykendall says, is pretty secure.
The mobile app, however, routes its communications through an application programming interface before anything reaches Yahoo’s fantasy football database. Kuykendall explains in the video that the mobile application produces data as the user interacts with it; that data goes to the API, where it is reorganized and passed along to the database, while the API in turn constantly polls the app and pulls information from it. As it turns out, all the traffic between the app and the API travels in plain text, without Secure Sockets Layer (SSL) or any other encryption.
Kuykendall told Threatpost in a phone interview that Yahoo has implemented a new API that uses SSL in the most recent version of its application, but users of older versions remain vulnerable because Yahoo has not disabled the old API. Disabling the vulnerable API would render outdated versions of the app useless and compel most users to update to the newest version. In addition, a number of third-party fantasy football apps use the same API and are likely vulnerable as well.
On top of the missing encryption, the communications were protected by a single, simple session token that was valid for the entire season.
“Once the session token is stolen,” Kuykendall says in the video, “anybody can now impersonate this user.”
Using this long-lasting session token, an attacker could log in and out of user accounts and shuffle players around, replacing productive players with unproductive or injured ones in order to gain a competitive advantage.
“Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone’s session tokens,” said Kuykendall. “During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week.”
Specifically, three broad weaknesses in Yahoo’s application gave Kuykendall his opening: the API, as noted, failed to use SSL; the session token, which was actually a static session cookie rather than a private, session-specific token, was valid for the entire season; and requests from the application included full SQL statements, which hands an attacker an obvious additional avenue of attack through SQL injection.
“Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings,” Kuykendall says, describing session tokens. “If the server recognizes the secret, it knows the request is valid. When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted.”
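The two token designs discussed above, as an added example that is not from the original article or from Yahoo’s code: a static per-user token that never expires, beside a session store that hands out a fresh random token per login, keeps only a hash of it, expires it and can rotate it. The class names, the seven-day lifetime and the user name are assumptions for the demo.

```python
import hashlib
import secrets

DAY = 86_400  # seconds


class StaticSeasonToken:
    """Weak scheme from the article: one token per user, handed out once and
    accepted for as long as the season lasts. Anyone who captures it (on a
    shared draft-day Wi-Fi, say) holds a permanent credential."""

    def __init__(self):
        self._by_user = {}
        self._by_token = {}

    def issue(self, user, now):
        token = self._by_user.get(user)
        if token is None:
            token = secrets.token_urlsafe(16)
            self._by_user[user] = token
            self._by_token[token] = user
        return token  # same value every time; `now` is ignored, nothing expires

    def validate(self, token, now):
        return self._by_token.get(token)


class ExpiringSessionStore:
    """Hardened scheme: a fresh random token per login, stored only as a hash
    (a leaked session table is useless on its own), expiring after `ttl`
    seconds and rotated on sensitive actions so a captured value goes stale."""

    def __init__(self, ttl=7 * DAY):  # seven days is an assumed policy value
        self.ttl = ttl
        self._sessions = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (user, now + self.ttl)
        return token

    def validate(self, token, now):
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        user, expires_at = record
        if now >= expires_at:
            del self._sessions[key]  # lazy expiry
            return None
        return user

    def rotate(self, token, now):
        """Invalidate `token` and hand back a replacement for the same user."""
        user = self.validate(token, now)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.issue(user, now)


def replay_succeeds(store, days_later):
    """Draft-day scenario: the victim's token is captured at t0 and replayed
    `days_later` days later. Returns True if the store still accepts it."""
    t0 = 1_000_000
    captured = store.issue("victim", t0)
    return store.validate(captured, t0 + days_later * DAY) == "victim"


if __name__ == "__main__":
    print("static token, 60 days later:", replay_succeeds(StaticSeasonToken(), 60))
    print("expiring token, 60 days later:", replay_succeeds(ExpiringSessionStore(), 60))
```

Expiry and rotation only limit how long a stolen token is worth; they do nothing about the theft itself. The token still has to travel only over TLS, and the server should never accept it from a plaintext endpoint, which is the first of the three weaknesses listed above.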
In response to a lawsuit by the Electronic Frontier Foundation, the Department of Justice is preparing to release a trove of documents related to the government’s secret interpretation of Section 215 of the PATRIOT Act. The declassified documents will include previously secret opinions of the Foreign Intelligence Surveillance Court.
The decision by the Justice Department to release the documents is the second legal victory in recent weeks for the EFF related to the National Security Agency’s intelligence collection programs. In August, the group won the release of a 2011 FISC opinion that revealed that the court ruled that some of the NSA’s collection programs were illegal and unconstitutional. The newest decision will result in the release of hundreds of pages of documents related to the way the government has been interpreting Section 215, which is the measure upon which some of the NSA’s surveillance programs are based.
In a status report released Wednesday regarding the EFF’s suit against the Department of Justice, attorneys for the government said that they will release the documents by Sept. 10.
“Orders and opinions of the FISC issued from January 1, 2004, to June 6, 2011, that contain a significant legal interpretation of the government’s authority or use of its authority under Section 215; and responsive ‘significant documents, procedures, or legal analyses incorporated into FISC opinions or orders and treated as binding by the Department of Justice or the National Security Agency’,” the status report says.
It’s not clear at this point exactly what the documents to be released will contain or how much of the information will be redacted. But the decision by the government to release the documents counts as a major milestone in the lawsuit against the Justice Department over the use of Section 215.
“While we applaud the government for finally releasing the opinions, it is not simply a case of magnanimity. The Justice Department is releasing this information because a court has ordered it to do so in response to EFF’s FOIA lawsuit, which was filed on the tenth anniversary of the enactment of the Patriot Act—nearly two years ago,” Trevor Timm of the EFF said.
“For most of the duration of the lawsuit, the government fought tooth and nail to keep every page of its interpretations secret, even once arguing it should not even be compelled to release the number of pages that their opinions consisted of. It was not until the start of the release of documents leaked by NSA whistleblower Edward Snowden that the government’s position became untenable and the court ordered the government to begin the declassification review process.”
In another development related to the NSA’s intelligence-gathering capabilities and methods, Rep. Jim Sensenbrenner (R-Wisc.), the lead author of the PATRIOT Act, submitted an amicus brief in support of the American Civil Liberties Union’s lawsuit against the NSA over the agency’s methods.
“I stand by the Patriot Act and support the specific targeting of terrorists by our government, but the proper balance has not been struck between civil rights and American security,” said Sensenbrenner. “A large, intrusive government – however benevolent it claims to be – is not immune from the simple truth that centralized power threatens liberty. Americans are increasingly wary that Washington is violating the privacy rights guaranteed to us by the Fourth Amendment.”
Why would a software company require developers to sign code, thereby ensuring a modicum of trust—but not security—and then shatter that trust by allowing signed applets to bypass their own application sandbox?
Welcome to the world of Oracle and Java, where a once healthy programming language has been reduced to rubble. Not only are security researchers, ferocious cybercriminals and nation-state hackers feasting on vulnerable code and broken patches, but also longtime developers are losing faith.
“Bottom line, I’m looking for a new language, probably HTML5,” said Jerry Jongerius, a Java developer since 1996 and owner of Java resource Duckware.com. Jongerius has spent the past week railing on his personal blog against Java’s many security issues and what he says are Oracle’s failed attempts at improving Java security. His frustration is palpable, especially since the latest Java update, which requires code-signing, broke applets he’s had up and running for more than 15 years.
In April, Oracle instituted a number of changes starting with Java 7u21. The new update introduced prompts warning users that an unsigned applet could potentially harm the user’s computer. This came months after Oracle changed Java’s default security settings from medium to high, essentially preventing unsigned applets from executing automatically, requiring instead a user to allow the applet to proceed. Developers must now sign their applets with a certificate from a trusted Certificate Authority.
However, research done since by Jongerius and others such as Will Dormann of CERT at Carnegie Mellon University’s Software Engineering Institute, indicate that the Java sandbox’s wounds are self-inflicted because signed applets bypass the sandbox and have full access to the rest of the host computer.
“The sandbox is a huge problem for Oracle,” Jongerius told Threatpost. “Everyone is breaking in. Their solution is to code-sign and get out of the sandbox. But then, you have full permission to the machine. It doesn’t make sense.”
Dormann wrote in an April blogpost that Oracle “conflates” authentication and authorization by allowing signed applets to gain automatic full privileges on a machine.
“Right now, if an attacker wants to repurpose a Java applet, it would need to be a signed applet. But what about Oracle’s vision of a Java future where every Java applet is signed? What this vision means is that every Java applet, which would be signed, would also now be in a state where it could be repurposed because it is now no longer restricted by the sandbox,” Dormann said. “A poorly designed sandboxed Java applet can’t do much of anything. However, a poorly designed signed Java applet can do pretty much anything that native code can.”
And just as bad are the bugs Jongerius uncovered once he started digging into the issues his sites were having. He notes that even with code-signed applets, the Java VM still presents the user with a dialog box containing information about the applet, and he showed that both the application name and the JAR file name presented inside that security dialog can be changed after signing.
“Once a Publisher signs a JAR file, there is NO legitimate reason (other than hacker activity) for Oracle to allow the JAR to be renamed to something else,” Jongerius wrote.
He also wrote that Java will block applets that request to be run in the sandbox, adding that the default should instead be to sandbox applets regardless of whether they are signed. Developers, he argues, should have to ask for full access explicitly in signed code rather than be granted it simply by signing, as is the case today.
In the meantime, users are presented with warning dialogs he says are confusing and could scare people away from his sites and tools.
“Oracle is absolutely killing off applets. You cannot go to a website and have a popup come up and expect a user to run it,” Jongerius said. “I’ve had a panorama viewer that’s done well over the years and now users are getting a popup in red that says if they run it, it may harm their computer. It’s just gone too far; it’s killing my software.”
The developers behind Bitcoin-QT, a software wallet used to protect and back up Bitcoin currency, have pushed out a new version of the client, fixing a critical denial-of-service bug, three security issues and fortifying password security.
Version 0.8.4 of the original Bitcoin client was posted to SourceForge early this morning, and anyone running an out-of-date version is being told to update, either by running the Windows installer or by copying the new binaries over the old ones on Mac and Linux.
According to the update summary, an attacker could have sent a series of messages that resulted in an integer division-by-zero error in the Bloom filter handling code. The DoS bug would crash versions 0.8.0 through 0.8.3 of the program. Bloom filters are probabilistic data structures for set-membership tests; Bitcoin uses them so that a full node sends a lightweight client only the transactions matching a filter the client supplied, which is why the filter contents arrive from an untrusted peer.
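To make the division by zero concrete, here is an added Python re-creation of the filter’s shape; it is not the Bitcoin-QT code. It assumes the bit index is computed as a hash reduced modulo the filter length in bits, follows the original’s per-hash-function seeding, and swaps SHA-256 in for MurmurHash3 to stay in the standard library. The `guarded` flag shows the shape of the fix (an empty filter matches nothing, a full one matches everything) next to the crashing behavior; `probe_empty_filter` plays the peer that sends a zero-length filter.

```python
import hashlib


class BloomFilter:
    """Compact re-creation of the filter a lightweight client loads into a
    peer. The byte array and hash count come off the wire, so both are
    attacker-controlled. SHA-256 stands in for MurmurHash3 (demo assumption)."""

    def __init__(self, data, n_hash_funcs, tweak=0, guarded=True):
        self.data = bytearray(data)
        self.n_hash_funcs = n_hash_funcs
        self.tweak = tweak
        self.guarded = guarded

    def _index(self, hash_num, item):
        seed = (hash_num * 0xFBA4C795 + self.tweak) & 0xFFFFFFFF
        digest = hashlib.sha256(seed.to_bytes(4, "little") + item).digest()
        # Bit index into the filter. If the peer sent a zero-byte filter,
        # len(self.data) * 8 == 0 and this modulo is a division by zero:
        # the crash behind the 0.8.4 DoS fix.
        return int.from_bytes(digest[:4], "little") % (len(self.data) * 8)

    def _empty(self):
        return not any(self.data)  # also True for a zero-length filter

    def _full(self):
        return bool(self.data) and all(b == 0xFF for b in self.data)

    def insert(self, item):
        if self.guarded and (not self.data or self._full()):
            return  # nothing to do, and no hashing against a zero-size filter
        for i in range(self.n_hash_funcs):
            idx = self._index(i, item)
            self.data[idx >> 3] |= 1 << (idx & 7)

    def contains(self, item):
        if self.guarded:
            if self._full():   # every bit set: matches everything, no hashing needed
                return True
            if self._empty():  # no bits set: matches nothing, and never divides by zero
                return False
        for i in range(self.n_hash_funcs):
            idx = self._index(i, item)
            if not self.data[idx >> 3] & (1 << (idx & 7)):
                return False
        return True


def probe_empty_filter(guarded):
    """Simulate a peer loading a zero-length filter and then asking the node
    to match a transaction against it. Returns the match result, or the
    string 'crash' if the handler would have died with a division by zero."""
    f = BloomFilter(b"", n_hash_funcs=5, guarded=guarded)
    try:
        return f.contains(b"constructed-txid-bytes")
    except ZeroDivisionError:
        return "crash"


if __name__ == "__main__":
    print("unguarded, empty filter:", probe_empty_filter(guarded=False))
    print("guarded, empty filter:", probe_empty_filter(guarded=True))
```

The lesson generalizes past this one bug: any parameter of a network-supplied structure that ends up as a divisor, an allocation size or a loop bound needs a range check at the protocol boundary, not just in the happy path.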
The update also adds a constant-time algorithm for checking RPC password guesses (CVE-2013-4165), closing a timing side channel, and fixes the fill-memory-with-orphan-transactions attack (CVE-2013-4627), which a previous, buggy patch had left open to new attack vectors.
Bitcoin-QT is the oldest Bitcoin client and is often referred to as the gold standard or backbone of the popular, decentralized network. The currency’s website touts Bitcoin-QT as having the “highest levels of security, privacy, and stability,” and users favor it because they control their own private keys and run a full node in the network.
Bitcoin, the decentralized virtual currency that popped into the cultural mainstream this summer, has already proved a popular target for attackers. Hackers knocked the Mt. Gox exchange offline in April, and the dangers of transacting on Android devices were highlighted just last month.
Typing on a smartphone or tablet keyboard lends itself to a lot of fat-fingered mistakes. Recent updates to mobile operating systems and desktop OSes such as Windows 8, however, have tried to better leverage the touch screen for things such as authentication.
Users, for example, have the option of using their fingers to draw lines, circles or tap certain areas on an image in sequence as an alternative to a text-based password. With users often going the simplest, quickest route with text passwords, or burdening help desks with frequent resets, you would think that a framework such as picture-gesture authentication would be heralded as the next-best alternative, especially for consumers.
But a group of researchers from Arizona State University, Delaware State University and GFS Technology Inc., have tapped the brakes on that notion. Their work looks at how human cognition plays into picture-based authentication, especially around picture selection and what areas on an image a person is likely to use for their authentication scheme. They developed an attack framework—which they hope will eventually morph into a strength meter for this type of authentication—that was able to crack almost half the picture-based authentication passwords used in their study.
“The core of our framework is the concept of a selection function that simulates users’ selection processes in choosing their picture passwords,” the researchers, Ziming Zhao, Gail-Joon Ahn, Jeong-Jin Seo and Hongxin Hu, wrote in their paper, “On the Security of Picture Gesture Authentication.” “Our approach is not coupled with any specific pictures. Hence, the generation of a ranked password list is then transformed into the generation of a ranked selection function list which is then executed on the target pictures.”
Their work focused on Windows 8’s version of PGA; a similar scheme is also available on Android devices. Unlike other schemes, Windows 8’s lets users upload personal photographs rather than choose from an existing repository. Upon registration the user draws three gestures with a finger, mouse or stylus, and that sequence then serves as the authenticator in place of a text-based password.
The study also involved collecting data from two sets of subjects. The first was a computer science class of 58 students who participated via a questionnaire that collected demographic information, general feelings toward PGA, the background image each subject chose for authentication and the gestures each selected. The second was a crowdsourced effort in which more than 700 subjects were offered 15 pre-selected images as authentication backgrounds.
Subjects who were allowed to choose personal photographs did so, the results indicate, because the images were special to them, which made the gesture sequence easier to remember, the paper said. Subjects also reported that points on a person would be easier to remember than points on a landscape, and believed that this also made the password more secure because it would be harder for an attacker to guess. Those who preferred landscapes did so because they were afraid of leaking personal information, the paper said.
The gestures, however, are the secret sauce when it comes to how guessable picture gesture authentication is. As with text-based passwords, users choose images they relate to (only 10 percent chose a random image in the study) and focus their gestures on standout facial features such as the eyes or nose, for example tapping the left eye, the right eye and then the nose. Users also gravitate to remarkable shapes, such as circles, drawing circles around them as authenticators, or to remarkable colors.
Some notable numbers:
- 60 percent of subjects find locations where special objects catch their eye
- 86 percent of subjects drew on the eyes at least once
- 45 percent of subjects drew on the nose
- 82 percent of gesture types were taps
- 15 percent of gesture types were lines
- 7 percent of gesture types were circles
Picture gesture authentication, as it turns out, has many of the same limitations as text passwords. The researchers urged Microsoft and other providers to make this clearer to users and to implement a strength measurement similar to the password meters in use today.
“With a ranked password dictionary, our framework, as the first potential picture-password-strength meter, is capable of quantifying the strength of selected picture passwords,” the paper said. “More intuitively, a user could be informed of the potential number of guesses for breaking a selected password through executing our attack framework.”
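A miniature version of the ranked selection function the paper describes, added here as illustration and not the researchers’ code: salient points on a portrait get a constructed prior, gesture types get the tap/line/circle frequencies quoted above, every three-gesture sequence is scored and sorted, and a password’s position in that list is the number of guesses needed to crack it, which is the strength meter the researchers propose. The point names and their weights are assumptions; a real attack would replace them with coordinates found by a feature detector on the target picture.

```python
import itertools
import math

# Constructed priors (assumption for the demo; the paper reports per-subject
# frequencies, not a per-point distribution): salient points on a portrait
# and how likely a user is to draw on each of them.
POINT_PRIOR = {"left_eye": 0.35, "right_eye": 0.35, "nose": 0.20, "mouth": 0.10}

# Gesture-type frequencies quoted in the article; they add up to more than
# 100 percent because of rounding, so they are normalised before use.
RAW_TYPE_FREQ = {"tap": 0.82, "line": 0.15, "circle": 0.07}
TYPE_PRIOR = {t: f / sum(RAW_TYPE_FREQ.values()) for t, f in RAW_TYPE_FREQ.items()}


def candidate_gestures():
    """Selection function: every gesture a user might plausibly draw on the
    salient points, each with a weight modelling how likely it is.
    Returns a list of (gesture, weight); a gesture is ('tap', point),
    ('circle', point) or ('line', from_point, to_point)."""
    gestures = []
    for p, wp in POINT_PRIOR.items():
        gestures.append((("tap", p), TYPE_PRIOR["tap"] * wp))
        gestures.append((("circle", p), TYPE_PRIOR["circle"] * wp))
        for q, wq in POINT_PRIOR.items():
            if q != p:
                gestures.append((("line", p, q), TYPE_PRIOR["line"] * wp * wq))
    return gestures


def ranked_passwords(length=3):
    """Ranked guess list: every `length`-gesture sequence, most likely first.
    This is the picture-independent part of the framework."""
    gestures = candidate_gestures()
    scored = []
    for combo in itertools.product(gestures, repeat=length):
        score = math.prod(weight for _, weight in combo)
        scored.append((score, tuple(g for g, _ in combo)))
    # sort is stable, so equally likely sequences keep enumeration order
    scored.sort(key=lambda entry: entry[0], reverse=True)
    return [pw for _, pw in scored]


def guesses_to_crack(password, ranked=None):
    """Position of `password` in the guess list (1-based), or None if the
    selection function never generates it. Fewer guesses, weaker password."""
    if ranked is None:
        ranked = ranked_passwords(len(password))
    try:
        return ranked.index(tuple(password)) + 1
    except ValueError:
        return None


if __name__ == "__main__":
    ranked = ranked_passwords()
    eyes_nose = (("tap", "left_eye"), ("tap", "right_eye"), ("tap", "nose"))
    obscure = (("circle", "mouth"), ("line", "nose", "mouth"), ("circle", "mouth"))
    print(len(ranked), "candidate passwords")
    print("eyes then nose, all taps: guess number", guesses_to_crack(eyes_nose, ranked))
    print("circles and a line on low-salience points: guess number", guesses_to_crack(obscure, ranked))
```

With four points there are 20 gestures and 8,000 three-gesture sequences, and the “tap left eye, right eye, nose” password the article uses as its example lands within the first 20 guesses, while a sequence of circles and lines on low-salience points sits near the end of the list. A production meter would also need a tolerance model for where a gesture counts as “on” a point, which the paper handles and this sketch does not.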
Packet Storm made public today a proof-of-concept exploit for a known and patched heap buffer overflow vulnerability in Apple’s Safari browser.
Packet Storm acquired the details of the exploit, which affects Safari version 6.0.1 and possibly earlier versions on iOS 6 and OS X 10.7 and 10.8 (Lion and Mountain Lion, respectively), from independent security researcher Vitaliy Toropov through its bug bounty program.
Apple patched the buffer overflow this proof-of-concept exploits back in November 2012, so the only Apple users potentially affected by an attack deploying it would be those on OS X 10.7 or 10.8, or iOS 6.0.1, who have not applied that update.
Of course, exploits for known and even patched vulnerabilities are used by cybercriminals and by malware and exploit-kit authors far more often than zero-days. Such attacks work because computer users are notoriously slow to install software updates. It’s hard to say how many Safari users are exposed to this one, but according to technology research firm Net Market Share more than one percent of all users on the Internet are browsing with Safari 5.1 and are therefore potentially vulnerable. Beyond that, Net Market Share’s figures indicate that nearly 3.5 percent of Web users surf with Safari 6.0 or later; any of those who failed to update from 6.0.1 would remain vulnerable.
Upon further examination, a new banking Trojan variant may not be as commercially viable as it was thought to be.
Researchers at RSA Security have peeled back the layers this week on the Hand of Thief banking Trojan, a piece of malware that made headlines over the summer after it was thought to be targeting Linux distributions.
The firm’s FraudAction team has done further research on the malware’s builder, created binaries and tested their functionality, and concluded that the malware is a shell of what it claims to be – in RSA’s words, a “prototype.”
“[Its] grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan,” Yotam Gottesman, RSA senior security researcher, wrote in a blog entry today.
The post goes on to break down the malware’s builder and configuration file, and how the Trojan behaves browser by browser.
When Hand of Thief was discovered, its creator was still waiting to incorporate its Web injection functionality, something RSA’s Limor Kessem said at the time would be essential if attackers wanted to use it to commit fraud.
There are still no injections in place, but Gottesman says that while the Trojan is prepared for them – its configuration-parsing routine looks primed for URL filtering – it doesn’t look like they will work once added. The reason appears to be the malware’s inconsistent behavior across the browsers it targets.
While the malware’s creator claims to have tested the form grabber on browsers such as Chrome and Firefox, along with the Aurora and Chromium builds, when RSA tested the malware it caused many of those browsers to freeze and crash.
Chrome on Fedora 19 in particular froze, while Firefox on the same machine managed to “capture only empty requests with no information being delivered to the drop server.”
When the malware did work, it captured so much data in such a “generic manner” that it could “quickly clutter the drop server with useless data.” In other cases the malware didn’t capture data at all.
“On some sporadic occasions the malware did capture requests and relayed them to its C&C server, however, even the successful requests sent to the server arrived empty of data,” Gottesman said in the blog.
Machines running Ubuntu weren’t tested by the developer, but RSA notes that a protection mechanism called ptrace scope blocked the Trojan’s form grabber and URL blocker from working, and that “on most sessions, HoT caused Firefox to crash and close.” Ptrace scope is the Yama security module’s restriction on ptrace, enabled by default on Ubuntu, which stops an unprivileged process from attaching to processes it did not spawn; a form grabber that has to hook or read a running browser runs straight into it.
RSA also points out that the infection method for HoT is still quite primitive. Its exploit pack is less reliable than the usual exploit packs found in commercial malware campaigns. The developer fails to recommend an infection method and instead casually endorses the idea of just sending the malware to victims via email.
There were initially some questions about Hand of Thief when the Trojan first surfaced last month. Researchers wondered whether the malware would evolve given its narrow Linux attack vector and steep price point. It’s clear now that the answer to that question is more than likely no, pending more work from the Trojan’s developer.
Remote access Trojans, or RATs, are typically stay-at-home creatures. Central to a good many targeted attacks for their ability to steal data from compromised computers, RATs aren’t generally built with the capability to spread to more machines.
A variant of njRAT, however, has broken that mold. Likely written by the same author, njw0rm has all of the data-stealing capabilities of its forerunner, but it can also detect when removable storage such as a USB drive is connected to the machine and attempts to copy itself to the device in the hope of spreading to more machines.
Why the author added this is a question that has researchers puzzled.
“The only reason I can think of is to jump an air gap between machines on disconnected networks,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “Typically, RATs don’t have the ability to spread. They are sent to a target and that essentially allows an attacker to take remote control of the computer. We see RATs used typically in a targeted attack because it requires a human on the other side to execute commands and exfiltrate data, unlike crimeware with automated extraction features. You just don’t see RAT spreading automatically.”
Njw0rm constantly checks whether a removable device is present on a compromised machine and whether it has enough free space for the malware. If so, it creates a hidden “My Pictures” directory as part of a ruse to trick the victim into executing the malicious code.
“It then gets a list of 10 folders on the removable drive, hides those 10 folders, and creates shortcut links with the same names for each of them — all pointing to the malware executable,” Villeneuve and fellow researcher Uttang Dawda wrote in a blogpost. “When unsuspecting users click on one of the shortcuts to open what they think is a familiar folder, they execute the worm instead.”
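A small detector for the folder-and-shortcut trick described above, added here as an example and not FireEye’s code: it scans the root of a removable drive for a .lnk whose name matches a directory beside it, reports whether that directory carries the hidden attribute, and crudely checks whether the shortcut names an .exe. The demo drive, the executable path inside the fake shortcuts and the `run_demo` helper are constructed for the example; the fake shortcuts are not real Shell Link files.

```python
import os
import stat
import tempfile

# Windows hidden attribute bit; the worm sets this on the folders it hides.
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(entry):
    """Use the Windows attribute when the platform reports it; elsewhere fall
    back to the dot-prefix convention so the demo runs anywhere."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return entry.name.startswith(".")


def shortcut_mentions_exe(path):
    """Crude target check: look for '.exe' in the shortcut as ASCII or as
    UTF-16LE, the two encodings a Shell Link file stores strings in. A full
    .lnk parser would read the LinkTargetIDList and StringData instead."""
    with open(path, "rb") as fh:
        blob = fh.read(64 * 1024).lower()
    return b".exe" in blob or ".exe".encode("utf-16-le") in blob


def scan_removable_root(root):
    """Flag every .lnk in `root` whose name matches a directory in the same
    root. Returns one finding per pair with the two supporting signals."""
    entries = list(os.scandir(root))
    dirs = {e.name: e for e in entries if e.is_dir(follow_symlinks=False)}
    findings = []
    for e in entries:
        if not e.is_file(follow_symlinks=False) or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4]
        if stem in dirs:
            findings.append({
                "name": stem,
                "hidden_dir": is_hidden(dirs[stem]),
                "lnk_targets_exe": shortcut_mentions_exe(e.path),
            })
    return findings


def build_demo_drive(root):
    """Constructed stand-in for an infected stick: three real folders, a
    same-named shortcut for each pointing at a placeholder executable, plus
    a benign shortcut and a text file that should not be flagged."""
    fake_target = "C:\\Users\\Public\\sample.exe"  # placeholder path, not a real sample
    fake_lnk = b"L\x00\x00\x00" + fake_target.encode("utf-16-le")
    for name in ("Photos", "Docs", "Music"):
        os.mkdir(os.path.join(root, name))
        with open(os.path.join(root, name + ".lnk"), "wb") as fh:
            fh.write(fake_lnk)
    with open(os.path.join(root, "Backup.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + "D:\\Backup".encode("utf-16-le"))
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("holiday photos\n")


def run_demo():
    """Build the constructed drive in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_drive(root)
        return scan_removable_root(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real drive the hidden flag on the matched directory is the strongest signal, since a user-created shortcut to a folder rarely sits next to a hidden copy of that folder; the demo cannot set the attribute portably, so `hidden_dir` is False in the constructed run.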
Njw0rm also has an appetite for passwords and will steal them from Chrome browser settings, as well as FTP passwords stored in a XML file on the machine, and account credentials for the No-IP dynamic DNS service.
“The ability to steal No-IP credentials is unique. Many threat actors use dynamic DNS domains for their infrastructure,” Villeneuve and Dawda wrote. “So an attacker with stolen No-IP credentials could use the service to perform reconnaissance or target other systems.”
No-IP is a popular choice for command-and-control infrastructure in similar attacks, but the service gives free users only three hostnames. One theory is that this capability exists to let attackers build a more robust command-and-control setup on accounts that belong to someone else.
“It’s a generic functionality, so it’s hard to determine intent,” Villeneuve said. “This could be just a way to steal No-IP credentials from someone else, possibly to shift the blame to someone else if they get found out, or to take control of another attacker’s compromised machines.”
As for the author of njRAT and njw0rm, he appears to be a freelance coder who goes by the handle njq8, the “q8” likely standing for Kuwait, where he says he is based. While njw0rm has not appeared in attacks as widely as njRAT, nor has it been seen in any targeted attacks, it is freely available online from its author.
“He re-tweeted the link to our blogpost from his Twitter account,” Villeneuve said. “He claims to be in Kuwait, and he’s coded quite a number of malicious tools.”
In July, security experts at General Dynamics warned of a spike in njRAT attacks targeting government agencies, telecom and energy organizations in the Middle East. These espionage attacks were thorough; the malware dropped a keylogger and was capable of accessing a computer’s camera, stealing credentials stored in browsers, opening reverse shells, stealing files, manipulating processes and viewing the user’s desktop.
Victims fell for spear phishing emails or were infected in drive-by downloads. Each attack was trackable via a unique identifier and the malware could also scan for other vulnerable computers on the same network in order to pivot from resource to resource looking for data to steal.
Cisco issued four, moderate-severity security notices over the weekend, informing users of vulnerabilities in the company’s Adaptive Security Appliance and IOS XR software, its unified computing system, and wireless LAN controllers.
Cisco warned of a vulnerability (CVE-2013-3470) affecting the networking giant’s widely deployed IOS XR carrier routing software. The bug exists in that software’s Routing Information Protocol (RIP) process; an unauthenticated, remote attacker could exploit it to crash the process. The vulnerability stems from insufficient validation of incoming RIP packets, and an attacker can trigger it by sending a specially crafted packet to a vulnerable device.
The company also issued an advisory warning that an integral part of its Unified Computing System (UCS), software widely deployed on data center servers, contains a memory leak vulnerability (CVE-2013-3467). The flaw lives in the 6100 Series Fabric Interconnects, and an authenticated, local attacker could trigger the leak by running either the “show monitor session all” or the “show monitor session” command at the command-line interface. The attack would need to be performed locally on an affected device, but repeated invocations could cause the device to exhaust its memory and reset.
Cisco also warned users that an unauthenticated, remote attacker could exploit a vulnerability (CVE-2013-3463) in its Adaptive Security Appliance (ASA) software, potentially causing a denial of service condition on affected systems. The attacker could fill in the ASA’s connection table with fake information and prevent new connections from passing through the device. The vulnerability arises from the ASA’s refusal to honor the idle timeout for certain protocol inspected elements.
Cisco’s final advisory warned users that a vulnerability (CVE-2013-3474) in the Web administrator interface of Cisco’s wireless LAN controllers (WLC) could allow an authenticated, remote attacker to cause a denial of service condition. The bug is caused by the software’s failure to properly validate certain parameters ahead of processing on affected devices. To exploit it, an attacker would need to be authenticated to the level of full manager, read only, or lobby ambassador but could then submit a malformed-value-containing request targeting specific parameters to vulnerable devices, causing a denial of service condition during the system reboot process.
It appears that Cisco has built fixes for these bugs, but will not ship the fixes to their customers.
“The Cisco Product Security Incident Response Team (PSIRT) publishes Cisco Security Notices to inform customers of low- to mid-level severity security issues involving Cisco products,” the company says in its notices. “Customers who wish to upgrade to a software version that includes fixes for these issues should contact their normal support channels. Free software updates will not be provided for issues that are disclosed through a Cisco Security Notice.”
When NetTraveler was unveiled in June, Costin Raiu of Kaspersky Lab warned that the espionage campaign was an “ugly gorilla with a thousand faces” and that we hadn’t seen them all yet.
A little more than two months later, another profile of the malware targeting activists, diplomats, government targets and the scientific research community, has reared its head.
Raiu said today that a variant has been spotted by Kaspersky’s Global Research and Analysis Team and unlike its first go-round which targeted Microsoft Office vulnerabilities, this new take on NetTraveler exploits a recently patched Java bug. The group behind the attacks has also jumped on the watering hole attack bandwagon, having compromised an Uyghur-related website and redirecting victims to an attack site.
“Watering hole attacks have become another popular method to attack unsuspecting victims by the APT operators,” Raiu wrote on Securelist, the Kaspersky Lab research blog. “There is perhaps no surprise that the NetTraveler attacks are now using this method as well.”
NetTraveler has zeroed in on Tibetan and Uyghur activists, in addition to a number of manufacturing, research and even military targets. The first version spread via spear phishing emails carrying malicious Office documents; it exfiltrated files from victims’ machines and sent them to a command and control infrastructure that overlapped with one used by the Gh0st RAT campaign. Office documents such as Word, Excel and PowerPoint files were uploaded to the command and control servers, and the malware’s configuration files can be modified to steal design documents such as Corel Draw or AutoCAD files as well. To date, NetTraveler has infected victims in more than 40 countries, Raiu said.
The variant reported today also targets the same victim demographics, but has expanded beyond spear phishing to watering hole attacks, which provide attackers with the ability to cast a wider net at potential victims by infecting websites they’re likely to visit with exploits that redirect them to an attacker-controlled site where more malware awaits.
The updated NetTraveler was spotted in the last week, Raiu said, targeting several Uyghur activists with an email promising a statement from the World Uyghur Congress on a massacre in Karghiliq county. The link to the statement is disguised as the Uyghur Congress website but actually points victims to a NetTraveler domain, weststock[.]org. A Java exploit called new.jar on that page targets CVE-2013-2465, a vulnerability patched by Oracle in June that affects Java 7 Update 21 and earlier, Java 6 Update 45 and earlier and Java 5 Update 45 and earlier. The payload is a backdoor dropper called file.temp used by NetTraveler, compiled on May 30, Raiu said.
Once running on the victim’s machine, the NetTraveler variant connects to a command and control server hosted at Multacom Corp. in Los Angeles, at the IP address 198[.]211[.]18[.]93. Raiu said that the command server is still operational and that the IP address hosts nothing but the attack infrastructure.
Meanwhile, the NetTraveler group has also apparently compromised a Uyghur-related website at the Islamic Association of Eastern Turkistan with an iframe attack that redirects victims to the weststock[.]org domain.
“The usage of the Java exploit for CVE-2013-2465 coupled with the watering hole attacks is a new, previously unseen development for the NetTraveler group,” Raiu said. “It obviously has a higher success rate than mailing CVE-2012-0158 exploit-ridden documents, which was the favorite attack vector until now. We estimate that more recent exploits will be integrated and used against the group’s targets.”
Neither NetTraveler iteration relied on zero days, Raiu said. The first version of NetTraveler targeted Office vulnerabilities that had been patched for almost a year, yet Kaspersky Lab researchers were still able to find more than 22 gigabytes of stolen data on sinkholed command and control servers, itself only a small fraction of what was taken. More than 30 command and control servers have been discovered across the two versions of the campaign.
New documents leaked by Edward Snowden quantify the resources supporting an extensive intelligence community crypto-cracking program.
Tens of thousands of people and billions of dollars are behind the Consolidated Cryptologic Program, as reported yesterday by The Washington Post. Signals intelligence, otherwise known as SIGINT, remains one of the best-funded initiatives, according to the document handed over by the whistleblower Snowden, currently in asylum in Russia. The Post published portions of the 178-page top-secret budget justification document for the fiscal 2013 National Intelligence Program; this is the first time such a report has been made public.
The budget was a whopping $52.6 billion, according to the document, which also lays out some of the offensive cyber objectives the National Security Agency and Central Intelligence Agency have established. The Post, however, said it withheld most of the details of such operations after consulting with government officials concerned about protecting its intelligence sources and methods.
Director of National Intelligence James Clapper wrote the opening statement for the document, which is dated February 2012. In it, Clapper said signals intelligence and cybersecurity were two areas where investments were increasing.
“We are bolstering our support for clandestine SIGINT capabilities to collect against high priority targets, including foreign leadership targets,” Clapper wrote. “Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic.”
The Post said the document indicates 35,000 code-breakers from the NSA and the four branches of the armed services are part of the Consolidated Cryptologic Program. Beyond hacking and code breaking, the NSA said it was devoting close to $50 million to the increasing storage costs associated with data collected under Section 215 of the Patriot Act and the PRISM program. The Post story also said the CIA devotes more than 11 percent of its budget, almost $2 billion, to “technical collection” and referred to a joint project with the NSA called CLANSIG, purportedly an initiative central to the interception of foreign radio and telephone communications.
This is just the latest in a string of top-secret documents Snowden has handed over to major media entities since the first leaks were published in June by the Guardian UK newspaper. This also isn’t Snowden’s first intel drop related to encryption capabilities.
In late June, documents from 2009 released by the Guardian outlined NSA policy on the retention of data, including encrypted communication. Even messages collected by chance and without a warrant may be held as long as it takes for analysts to decrypt them, the documents said. Also, users of Tor and other online proxy-based anonymity services were put on notice that communication between people whose location is unknown is considered communication between non-U.S. citizens and can be retained.
The documents outlined policy on how the NSA handles data and communication pertaining to foreign intelligence matters and what to do with data inadvertently collected.
The documents say that inadvertently collected communications must be destroyed within five years of acquisition and upon determination that they contain no foreign intelligence information. They stipulate, however, that electronic communication may be retained longer while under cryptanalysis.
“In the context of a cryptanalytic effort, maintenance of technical databases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis,” the document said.
Image courtesy World Can’t Wait Flickr feed
An attack on the world’s largest social network is drawing users to a third party site with fake tag notifications and prompting victims to download malware masquerading as a video-codec extension.
The malware is reportedly capable of hijacking the Facebook accounts and Chrome Web browsers of affected users once initiated.
The attack, uncovered by a group of Italian security researchers led by Carlo De Micheli and first reported by the New York Times Bits technology blog, is attracting victims with links in emails and Facebook messages claiming that the user has been tagged in a post. If a user chooses to follow one of these links, it will lead to an unaffiliated, third party site informing the user that in order to watch the video hosted there, they will need to download a browser extension or plug-in.
Of course, there is no video. Users who download the extension are actually installing a piece of malware capable of hijacking their Google Chrome browser. The Times reports this attack is particularly troubling given the fact that many users give their browsers permission to store login credentials for their email, social media, and any number of other online accounts. Once the malware takes control of a user’s Chrome browser, the attacker can then leverage any of the credentials stored within the browser to access the accounts to which they grant access.
De Micheli told the Times in a phone interview that the malware is proliferating by hijacking the Facebook and, to a lesser extent, email accounts of its victims and using that access to phish the victims’ unsuspecting contacts with messages similar to those that caused their infection in the first place. The malware has proven difficult to mitigate because it blocks Chrome’s settings page, where a user could uninstall the malicious plug-in, and also blocks access to the sites of various antivirus providers.
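The “video codec” extension is not on the page, but the behaviour described, intercepting and blocking traffic to antivirus sites and reaching into logged-in sessions, requires a recognisable set of Chrome permissions: the webRequest API with blocking plus host access to every site, and content scripts that run on every page. The following added example (not the malware, and not Google’s or Facebook’s tooling) triages an extension manifest.json for that combination. Both manifests are constructed; the names, permission sets and scoring thresholds are assumptions for the example.

```python
"""Triage a Chrome extension manifest for traffic-hijacking capability.

Added example, not the malicious plug-in itself. A manifest that asks for
webRequest with blocking plus host access to every site, and injects a
content script everywhere, is the shape a browser-hijacking extension needs.
Both manifests below are constructed for the example.
"""
import json

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests: one shaped like a fake codec, one benign.
CODEC_MANIFEST = json.dumps({
    "name": "Video Codec",
    "version": "1.0",
    "manifest_version": 2,
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
BENIGN_MANIFEST = json.dumps({
    "name": "Word Count",
    "version": "0.3",
    "manifest_version": 2,
    "permissions": ["activeTab"],
})


def _broad(patterns):
    return bool(set(patterns) & BROAD_HOSTS)


def assess_manifest(manifest_json):
    """Return {'name', 'verdict', 'reasons'} for one manifest.json string."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    script_hosts = set()
    for cs in m.get("content_scripts", []):
        script_hosts.update(cs.get("matches", []))

    reasons = []
    if "webRequestBlocking" in perms and _broad(perms):
        reasons.append("can block or redirect requests to any site "
                       "(enough to cut off antivirus vendor sites)")
    elif "webRequest" in perms and _broad(perms):
        reasons.append("can observe requests to any site")
    if _broad(script_hosts):
        reasons.append("injects script into every page, including logged-in "
                       "sessions such as social networks and webmail")
    if "tabs" in perms:
        reasons.append("can read and open URLs in every tab")

    # Thresholds are an assumption for the example, not a Chrome rule.
    if len(reasons) >= 2:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": m.get("name", "?"), "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for manifest in (CODEC_MANIFEST, BENIGN_MANIFEST):
        result = assess_manifest(manifest)
        print(f"{result['name']}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

On a live machine the manifests sit under the profile’s Extensions directory (one folder per extension ID and version); run the check from outside the browser, since an extension that blocks the settings page will not help you inspect it from within.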
Google is aware of the attack and has disabled the malicious browser extension causing it. Facebook also detected the attack and is working to rid the social network of malicious links.
“In the meantime, we have been blocking people from clicking through the links and have reported the bad browser extensions to the appropriate parties,” said Facebook spokesperson Michael Kirkland. “We believe only a small percentage of our users were affected by this issue, and we are currently working with them to ensure that they’ve removed the bad browser extension.”
De Micheli and company said that the attack spread fast, claiming some 40,000 victims per hour at its peak and infecting more than 800,000 Chrome browser users in all.
Earlier this week, Facebook generated headlines by finally producing a transparency report, giving the wider public a glimpse at how the company handles government requests for its users’ data and revealing that the social network complies with 79 percent of such requests. The move followed similar ones by other large technology firms like Google and Microsoft as the companies attempt to clarify their level of complicity in and involvement with the National Security Agency’s broad-reaching surveillance programs.
Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the Syrian Electronic Army’s attacks against the registrar for the New York Times and Twitter, and the release of Facebook’s first transparency report.
Researchers have cracked open cloud storage service Dropbox, reverse engineering the encryption protecting the client in order to open it up to further security analysis.
The engineers, Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters, also managed to demonstrate how to use code-injection techniques to intercept SSL data, essentially hijacking Dropbox communication, as well as bypass two-factor authentication used to protect accounts. The two researchers presented a paper on their work at the recent USENIX Security Symposium.
“Reversing Dropbox is the main focus of our paper,” Kholia told Threatpost. “The attacks are just side-effects.”
A Dropbox spokesperson said in an email to Threatpost that the duo’s findings do not represent a vulnerability in Dropbox. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” the spokesman said.
Kholia concurred that hijacking a Dropbox client first requires exploiting an existing vulnerability on the target user’s machine, which could be done remotely.
“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research,” the researchers wrote in their paper. “Dropbox will/should no longer be a black box.”
The research reveals how the internal API used by the Dropbox client works. Using a number of techniques, Kholia and Wegrzyn were able to decompile the Dropbox client and examine its source code. While previous work exists in this field, it applies only to older versions of Dropbox, the researchers said; the Dropbox team has since made changes that prevented them from reusing the previously successful techniques.
In addition, they used Reflective DLL injection on Windows and LD_PRELOAD on Linux to get their code into the running client and intercept SSL traffic.
“Once we are able to execute arbitrary code in Dropbox client context, we patch all SSL objects and are able to snoop on the data before it has been encrypted (on sending side) and after it has been decrypted (on receiving side),” the paper said. “This is how we intercept SSL data. We have successfully used the same technique on multiple commercial Python applications.”
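The interception the paper describes does not attack TLS at all: once code runs inside the client’s interpreter, it simply wraps the objects that do the encryption so plaintext is copied before it goes out and after it comes in. The following added example shows that technique for a Python process in general; it is not the researchers’ code and does not touch Dropbox. It monkey-patches the send/recv methods of ssl.SSLSocket and the read/write methods of ssl.SSLObject, and demo() applies the same wrappers to a stand-in socket class (constructed, with a constructed request and response) so the capture can be seen without a network connection.

```python
"""Hook a Python TLS client's plaintext from inside the process.

Added example of in-process SSL hooking; not the paper's code and not tied
to Dropbox. install_ssl_hooks() patches the live ssl classes; demo() applies
the same wrappers to a fake socket with constructed traffic.
"""
import ssl


def hook_outbound(original, sink):
    """Wrap a send/write method: copy the plaintext before it is encrypted."""
    def hooked(self, data, *args, **kwargs):
        sink.append(("out", bytes(data)))
        return original(self, data, *args, **kwargs)
    return hooked


def hook_inbound(original, sink):
    """Wrap a recv/read method: copy the plaintext after it is decrypted."""
    def hooked(self, *args, **kwargs):
        data = original(self, *args, **kwargs)
        if isinstance(data, (bytes, bytearray)) and data:
            sink.append(("in", bytes(data)))
        return data
    return hooked


# (class, outbound method names, inbound method names). SSLSocket.sendall
# loops over send(), so hooking send() alone sees every byte exactly once.
_TARGETS = (
    (ssl.SSLSocket, ("send",), ("recv",)),
    (ssl.SSLObject, ("write",), ("read",)),
)


def install_ssl_hooks(sink):
    """Patch the ssl classes in this interpreter; returns originals for uninstall."""
    saved = {}
    for cls, outs, ins in _TARGETS:
        for name in outs:
            saved[(cls, name)] = getattr(cls, name)
            setattr(cls, name, hook_outbound(saved[(cls, name)], sink))
        for name in ins:
            saved[(cls, name)] = getattr(cls, name)
            setattr(cls, name, hook_inbound(saved[(cls, name)], sink))
    return saved


def uninstall_ssl_hooks(saved):
    """Restore the methods captured by install_ssl_hooks()."""
    for (cls, name), original in saved.items():
        setattr(cls, name, original)


def hooks_active():
    """True while ssl.SSLSocket.send is one of our wrappers."""
    return getattr(ssl.SSLSocket.send, "__name__", "") == "hooked"


def demo():
    """Apply the wrappers to a fake TLS socket and return what was captured."""
    class FakeTLSSocket:
        # Stand-in for ssl.SSLSocket; constructed response, no network.
        def send(self, data):
            return len(data)

        def recv(self, bufsize):
            return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

    sink = []
    FakeTLSSocket.send = hook_outbound(FakeTLSSocket.send, sink)
    FakeTLSSocket.recv = hook_inbound(FakeTLSSocket.recv, sink)
    sock = FakeTLSSocket()
    sock.send(b"POST /login HTTP/1.1\r\nHost: api.example\r\n\r\nuser=alice")
    sock.recv(4096)
    return sink


if __name__ == "__main__":
    for direction, payload in demo():
        print(direction, payload)
```

Because the hooks sit above the TLS layer, certificate pinning, two-factor prompts and the choice of cipher suite make no difference to what is captured; the only precondition is code execution in the client process, which is exactly the caveat Dropbox raised in its response.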
They also found that the two-factor authentication used to access Dropbox on the Web isn’t supported by the client, and that the client can be accessed with a value known as host_ID, which they were able to obtain.
While the team plans further research into Dropbox security and encourages the security community to take its shots, they acknowledge the client’s security is a constantly moving target, and one that has held up fairly well.
“Overall, Dropbox is just fine,” Kholia said. “There is nothing to worry about. We are still using and loving it.”
Image courtesy JeanbaptisteM.
A string of Arabic text is causing some chaos for iOS and Mac OS X users. Wherever the text sequence shows up on an Apple platform, whether in a tweet, a webpage or an SMS message, it crashes apps or Safari browser sessions.
The problem has been traced to the Apple Core Text technology which handles page layout and font rendering and has been available since OS X v10.5 and iOS 3.2.
From the online Apple programming guide: “The Core Text layout engine is designed specifically to make simple text layout operations easy to do and to avoid side effects. The Core Text font programming interface is complementary to the Core Text layout engine and is designed to handle Unicode fonts natively, unifying disparate OS X font facilities into a single comprehensive programming interface.”
A post on a Russian site, habrahabr.ru, said crashes are happening on Mac OS 10.8 and iOS 6; newer beta versions of both are not affected, the site said. The post also confirmed that SMS messages, iMessages and opening pages containing the string in Safari on iOS or OS X will crash the client or browser. It also said that renaming a Wi-Fi SSID to the text string will result in errors while scanning for networks.
The site also said that Apple has known about the bug for six months. Apparently the string had been limited to the Russian site until yesterday, but it has quickly spread to social media today, causing some denial-of-service angst as Twitter apps, browsers and SMS clients crash. Facebook, meanwhile, has already taken steps to block the string from wall posts and timelines.