Feed aggregator

Blog: Big box LatAm hack (3rd part – infection by Office files)

Secure List feed for B2B - Tue, 02/04/2014 - 20:21
Cybercriminals from Latin America infect victims via macro-enabled Microsoft Office documents. One such document, when found in the wild, had a detection rate of 0 out of 48 on VirusTotal!

Tech Giants Update Transparency Reports with FISA Request Numbers

Threatpost for B2B - Tue, 02/04/2014 - 16:34

Google, Microsoft, Facebook, Yahoo and LinkedIn wasted little time in disclosing what they could about requests for customer data made under the secret Foreign Intelligence Surveillance Act.

One week after the Justice Department eased a gag order on reporting of FISA requests, the five tech giants and advocates for greater transparency yesterday published data for the first six months of 2013.

The respective transparency reports are something of a victory for the companies, which banded together for much of last year, filing lawsuits and signing petitions asking the government to allow them greater transparency in reporting requests for data involving national security. Apple and CloudFlare had already updated their transparency reports last week, the same day as the Justice Department’s ruling.

The government finally conceded last week after months of negotiating, giving companies two reporting options. In return, the companies agreed to drop their suits.

The first option brings FISA reporting in line with the reporting of National Security Letters: companies will be able to report the number of FISA orders for content and for non-content, as well as the number of customer accounts affected by each, in bands of 1,000. The reporting restrictions around National Security Letters were eased last summer, and companies are allowed to bundle that reporting in the same way.

Reports may be published every six months; however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.

The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.

The companies cried out about the limited reporting options afforded them by the government.

“We were not, for example, permitted to break down the data between conventional law enforcement requests and those related to national security, or indeed even to acknowledge that we had received certain types of national-security related requests at all,” said Facebook general counsel Colin Stretch.

In general, the number of requests reported today involves a tiny percentage of the companies’ respective customers, and the firms hope the updated transparency reports dispel the possibility they may have been secretly cooperating with the government in providing them data on customers’ activity.

“While our customers number hundreds of millions, the accounts affected by these orders barely reach into the tens of thousands. This obviously means that only a fraction of a percent of our users are affected by these orders,” said Microsoft general counsel Brad Smith. “In short, this means that we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records. This is a point we’ve publicly been making in a generalized way since last summer, and it’s good finally to have the ability to share concrete data.”

The requests made to each company generally fall within 0-999 for content and non-content requests, as well as for National Security Letters. Yahoo, however, is an outlier. The company was also the laggard among the tech giants in turning on SSL encryption by default on its web-based email service, which it did only last month. The lag is noteworthy: Yahoo is more than three years behind Google’s default implementation of SSL for Gmail. Users of Microsoft’s Outlook.com webmail service have had SSL enabled by default since July 2012, while Facebook made it the default last February.

Experts were quick to criticize Yahoo’s lax encryption implementation for its customers, especially in light of the surveillance carried out by the National Security Agency. SSL, the experts said, should be considered a minimum standard, and other technologies such as Perfect Forward Secrecy and HTTP Strict Transport Security should be implemented as well. Sites and services such as Dropbox, Facebook and Twitter already implement both or plan to in 2014, according to the Electronic Frontier Foundation’s 2013 Encrypt the Web report.

A company-by-company breakdown of requests for the first half of 2013 is as follows:

  • Microsoft:  FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 15,000-15,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters non-content orders 0-999; accounts impacted by National Security Letters non-content orders 0-999.
  • Yahoo: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 30,000-30,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters requests 0-999; accounts impacted by National Security Letters requests 0-999.
  • Facebook: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 4,000-4,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters requests 0-999; accounts impacted by National Security Letters requests 0-999.
  • LinkedIn: National Security Letters requests 0-249; accounts impacted by National Security Letter requests 0-249.
  • Google: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 9,000-9,999; FISA non-content requests 0-999; accounts impacted by FISA non-content orders 0-999;

PNG Image Metadata Leading to iFrame Injections

Threatpost for B2B - Tue, 02/04/2014 - 16:25

Researchers have discovered a relatively new way to distribute malware that relies on reading JavaScript code stored in an obfuscated PNG file’s metadata to trigger iFrame injections.

The technique makes it highly unlikely that a virus scanner would catch it, because the injection method is so deeply ingrained in the image’s metadata.

Peter Gramantik, a malware researcher at Sucuri, described his findings in a blog post Monday.

This particular iFrame calls upon a simple JavaScript file, jquery.js (below) that loads a PNG file, dron.png. Gramantik notes that while there was nothing overly odd with the file – it was a basic image file – what did catch him off guard was stumbling upon a decoding loop in the JavaScript. It’s in this code, in this case the strData variable, that he found the meat and potatoes of the attack.

The iFrame calls upon the image’s metadata to do its dirty work, placing it outside of the browser’s normal viewing area, off the screen entirely at -1000px, according to Gramantik. While users can’t see the iFrame, “the browser itself sees it and so does Google,” something that if exploited could potentially lead to either a drive-by download attack or a search engine poisoning attack.

The payload can be seen in the elm.src part (above) of the data: a suspicious-looking Russian website that, according to a Google Safe Browsing advisory, is hosting two Trojans and has infected 1,000-plus domains over the last 90 days.

The strategy isn’t exactly new; Mario Heiderich, a researcher and pen tester at the German firm Cure53, warned that image binaries in JavaScript could be used to hide malicious payloads in his “JavaScript from Hell” con talk back in 2009.

Similarly, Saumil Shah, the CEO at Net-Square, described how to embed exploits in grayscale images by inserting code into pixel data in his talk “Deadly Pixels” at NoSuchCon in Paris last year and at DeepSec in Vienna the year before that.

Still, Gramantik’s research appears to be the most thoroughly worked-out example to date of this kind of attack vector.

Regardless of how new or old the concept is, Gramantik stresses that it could still be refined and extended to other image files. Because of that, the researcher recommends that, going forward, IT administrators gain a better understanding of which files are being added to and modified on their servers.

“Most scanners today will not decode the meta in the image, they would stop at the JavaScript that is being loaded, but they won’t follow the cookie trail,” Gramantik warns in the blog.
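The check Gramantik says most scanners skip, as an added example that is not from Sucuri’s post or the Threatpost article: a minimal PNG chunk parser in Go that validates every chunk CRC and then inspects the textual metadata chunks (tEXt/iTXt) for script-like tokens. The sample image, the token list and the chunk contents are constructed for this demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"strings"
)

var pngSig = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// Chunk is one PNG chunk: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data.
type Chunk struct {
	Type string
	Data []byte
}

// ParseChunks walks the chunk list, checking bounds and every CRC, and stops at IEND.
func ParseChunks(img []byte) ([]Chunk, error) {
	if !bytes.HasPrefix(img, pngSig) {
		return nil, errors.New("not a PNG: bad signature")
	}
	var chunks []Chunk
	for off := len(pngSig); off < len(img); {
		if len(img)-off < 12 {
			return nil, errors.New("truncated chunk header")
		}
		n := binary.BigEndian.Uint32(img[off:])
		typ := string(img[off+4 : off+8])
		if uint64(n) > uint64(len(img)-off-12) {
			return nil, fmt.Errorf("chunk %s: length %d runs past end of file", typ, n)
		}
		end := off + 8 + int(n)
		if crc32.ChecksumIEEE(img[off+4:end]) != binary.BigEndian.Uint32(img[end:]) {
			return nil, fmt.Errorf("chunk %s: CRC mismatch", typ)
		}
		chunks = append(chunks, Chunk{typ, img[off+8 : end]})
		off = end + 4
		if typ == "IEND" {
			break
		}
	}
	return chunks, nil
}

// Constructed list of tokens that have no business in an image comment or copyright note.
var scriptTokens = []string{"eval(", "fromCharCode", "createElement", "<iframe", "document.", "unescape("}

// SuspiciousMetadata reports each textual chunk whose content looks like script.
// zTXt chunks are zlib-compressed and would need inflating (compress/zlib) before this check.
func SuspiciousMetadata(chunks []Chunk) []string {
	var hits []string
	for _, c := range chunks {
		if c.Type != "tEXt" && c.Type != "iTXt" {
			continue
		}
		text := strings.ToLower(string(c.Data))
		for _, tok := range scriptTokens {
			if strings.Contains(text, strings.ToLower(tok)) {
				hits = append(hits, fmt.Sprintf("%s chunk contains %q", c.Type, tok))
				break
			}
		}
	}
	return hits
}

// buildChunk encodes one chunk with a correct CRC; used only to construct the sample.
func buildChunk(typ string, data []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(data)))
	b.WriteString(typ)
	b.Write(data)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(append([]byte(typ), data...)))
	return b.Bytes()
}

// SamplePNG is a constructed chunk list (IHDR, a benign tEXt, a script-bearing tEXt, IEND).
// It has no IDAT, so it parses as PNG structure but does not render.
func SamplePNG() []byte {
	ihdr := []byte{0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0} // 1x1 pixel, 8-bit greyscale
	var img bytes.Buffer
	img.Write(pngSig)
	img.Write(buildChunk("IHDR", ihdr))
	img.Write(buildChunk("tEXt", []byte("Comment\x00holiday photo")))
	img.Write(buildChunk("tEXt", []byte("Comment\x00var e=document.createElement('iframe');")))
	img.Write(buildChunk("IEND", nil))
	return img.Bytes()
}

func main() {
	chunks, _ := ParseChunks(SamplePNG())
	fmt.Println(SuspiciousMetadata(chunks)) // [tEXt chunk contains "createElement"]
}
```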

Steganography, the science of hiding messages, oftentimes by concealing them in image and media files, has been used in several high-profile attacks in the past. The actors behind the MiniDuke campaign in 2013 used it to hide custom backdoor code, while Shady Rat was found in 2011 encoding encrypted HTML commands into images to obscure its activity.

Emergency Adobe Update Patches Flash Zero-Day

Threatpost for B2B - Tue, 02/04/2014 - 15:21

Adobe today released an out-of-band security update for Flash Player that patches a vulnerability the company said is currently being exploited.

Adobe Flash Player version and earlier for Windows and Mac are affected as is and earlier on Linux.

The vulnerability, CVE-2014-0497, allows an attacker to remotely inject code and take control of the underlying system hosting Flash.

A complete rundown of updates in the Adobe advisory:

  • Users of Adobe Flash Player and earlier versions for Windows and Macintosh should update to Adobe Flash Player
  • Users of Adobe Flash Player and earlier versions for Linux should update to Adobe Flash Player
  • Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player for Windows, Macintosh and Linux.
  • Adobe Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player for Windows 8.0.
  • Adobe Flash Player installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player for Windows 8.1.

The vulnerability was reported by Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov.

Researchers from the company’s Global Research and Analysis Team yesterday said details on a new advanced espionage campaign called The Mask will be unveiled next week at the company’s Security Analyst Summit. A post on the Securelist blog said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.

“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.

Facebook Releases to Open Source its Conceal Android Crypto Library

Threatpost for B2B - Tue, 02/04/2014 - 13:25

Facebook has released to open source its Conceal Java crypto libraries for Android devices.

Conceal, according to Facebook, offers developers a lightweight and efficient crypto library. The social media giant developed Conceal to handle encryption of storage on removable SD cards, something that has a negative performance impact on mobile devices, the company said. It also isn’t the ideal security solution because Android treats SD cards as a publicly accessible directory that any mobile app can read if granted appropriate permissions.

“We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps,” Facebook said in a post. “We created Conceal to be small and faster than existing Java crypto libraries on Android while using memory responsibly.”

Conceal, however, isn’t flexible. It provides default options only to developers, rather than the gamut of encryption algorithms other libraries provide.

“We think this makes sense because encryption can be very tricky to get right,” Facebook said.

Developers will see that Conceal has been released under a BSD license that allows it to be modified. Facebook has built Conceal using parts of the OpenSSL crypto library to keep the file sizes down to a minimum, rather than shipping the whole OpenSSL library.

“We believe providing a smaller library will reduce the friction of adopting state of the art encryption algorithms, make it easier to handle different Android platform versions, and enable us to quickly incorporate fixes for any security vulnerabilities in OpenSSL as well,” Facebook said.

“As is true with many crypto libraries, higher-level wrappers that can offer sane cipher suites and modes are extremely valuable to the developer community,” said Jon Oberheide, CTO at Duo Security. “Developers aren’t (and shouldn’t be) experts in cryptography, so preventing them from shooting themselves in the foot with libraries like Conceal is a very welcome development and boost for mobile app security.”

Conceal uses a mode of the AES encryption standard known as AES-GCM which, in addition to encrypting data, simultaneously computes a message authentication code (MAC) over it. Android devices are limited in capability by their hardware, making separate AES and MAC computations inefficient, Facebook said; commonly, AES is used to encrypt the data and a MAC, computed with the HMAC algorithm for example, is then calculated over that data in a second pass.

“We found that computing an HMAC takes significant time in the encryption of data,” Facebook said in explaining its decision to go with AES-GCM.
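The two designs the passage contrasts, as an added example in Go’s standard library rather than Facebook’s Conceal code: a two-pass AES-CTR plus HMAC-SHA256 scheme with two keys beside one-pass AES-GCM with a single key. Both reject a modified ciphertext, which is what protects data another app could rewrite on a shared SD card; the key literals and the sample plaintext are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys so the example is self-contained; real code never uses literals.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	macKey = []byte("fedcba9876543210fedcba9876543210") // separate key, used only by HMAC
)

// ctrXOR runs AES-CTR with the given IV; used for both directions of the two-pass scheme.
func ctrXOR(iv, in []byte) []byte {
	block, _ := aes.NewCipher(encKey) // encKey length is fixed above, so this cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// EncryptThenMAC: pass one encrypts, pass two computes HMAC over IV||ct. Output: IV||ct||tag.
func EncryptThenMAC(plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := ctrXOR(iv, plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	return mac.Sum(append(iv, ct...)), nil
}

// VerifyThenDecrypt compares the tag in constant time before any decryption happens.
func VerifyThenDecrypt(msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	tagAt := len(msg) - sha256.Size
	iv, ct, tag := msg[:aes.BlockSize], msg[aes.BlockSize:tagAt], msg[tagAt:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("HMAC mismatch: data was modified")
	}
	return ctrXOR(iv, ct), nil
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealGCM is the one-pass AEAD design: one key, tag produced with the ciphertext. Output: nonce||ct||tag.
func SealGCM(plaintext []byte) ([]byte, error) {
	aead, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit nonce; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenGCM returns an error, and no plaintext at all, when the tag does not verify.
func OpenGCM(msg []byte) ([]byte, error) {
	aead, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

func main() {
	pt := []byte("private data stored on the SD card")
	etm, _ := EncryptThenMAC(pt)
	gcm, _ := SealGCM(pt)
	etm[aes.BlockSize] ^= 1 // flip the first ciphertext byte of each, as another
	gcm[12] ^= 1            // app with SD card access could do to the stored file
	_, e1 := VerifyThenDecrypt(etm)
	_, e2 := OpenGCM(gcm)
	fmt.Println("tampering rejected:", e1 != nil, e2 != nil) // true true
}
```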

Facebook said that this abstraction also gets around known vulnerabilities in the Android random number generator.

“Specifically, Conceal provides default implementations of key management and stores the key in private SharedPreferences by default,” Facebook said. “It also performs authenticated versioning of the encryption libraries so that if we change the encryption algorithms we use in the future, we can retain both compatibility with previously encrypted data and resistance against cross version attacks.”

Chrome Web Store Beset by Spammy Extensions

Threatpost for B2B - Tue, 02/04/2014 - 12:57

UPDATE: Twelve seemingly legitimate Chrome browser extensions installed by more than 180,000 users are injecting advertisements on 44 popular websites.

According to a Barracuda Labs report, the extensions can be found in the official Chrome Web Store. They advertise themselves and operate as games but also require permission to access “your data on all websites,” so that they can inject advertisements into the user’s browser on any website that person visits. All of the allegedly spammy extensions are registered to the same developer organization: www.konplayer[.]com.

Threatpost attempted to reach out to the people responsible for developing the extensions but was not able to. It appears that some of Konplayer’s extensions have been removed from the Chrome Web Store.

You can see a list of affected websites in the following graphic:

The malicious JavaScript responsible for injecting advertisements isn’t contained directly within the extensions themselves. Instead, the extensions contain a reference URL to www[.]chromeadserver[.]com, which contains the malicious JavaScript. As Barracuda Labs research scientist Jason Ding notes, that domain is made to appear as if it is owned and operated by Google but, of course, it is not.

Barracuda Labs then downloaded and decoded the JavaScript hosted at the URL referenced above. At first the code seemed benign, but a closer examination revealed that it was responsible for injecting banner advertisements into empty spaces in various positions on popular websites visited by users who had installed one of the spam extensions.

In an interview with Threatpost, Ding explained that the permissions sought by these extensions are unnecessary considering the actual purpose of the extensions. Furthermore, the extensions constitute a violation of Google’s terms of service because they mislead users about their purpose. Unfortunately, Ding claims that Google does not have a good way of policing for spam in its Web Store.

“If an extension advertises itself as a game, it should NOT ask for any extra permissions,” Ding told Threatpost. “In most cases, it only needs to redirect users to the targeted game websites (which have the game or more games). Or it can ask for the permission for a specific website that the game was hosted at, not the permission ‘Access to data on all websites’.”

Ding continued:

“Some other extensions do need the ‘Access to data on all websites’ permission, such as the Ads Block extension: of course, it needs such permission, so it can remove ads (HTML elements) for all the websites you are browsing.”

The code used by these extensions is similar to the code used by a group of scammers examined in a prior report issued by Barracuda Labs. Ding believes that the group responsible for Konplayer[.]com is the same group that once distributed its malicious extensions from Playook.info.

The graph below contains the names of the allegedly malicious extensions:

Blog: Abused update of GOM Player poses a threat

Secure List feed for B2B - Tue, 02/04/2014 - 10:58
Several media outlets reported on January 7th, 2014, that a PC associated with “Monju” (the Fast Breeder Reactor of the Japan Atomic Energy Agency) was infected by malware and that information may have leaked. Some pointed out that the infection had possibly been caused by abuse of the legitimate update mechanism of "GOM Player", which made it big news. GOM Player is a free media player with popular video/audio codecs built in, favored by many Japanese users. It differs from similar free media players in some notable points: it supports major file formats such as AVI, DAT, DivX, MPEG and WMV, to name just a few, and it officially ships a Japanese version. It is said to have more than 6 million users in Japan.

GameOver Zeus Now Using Encryption to Bypass Detection

Threatpost for B2B - Mon, 02/03/2014 - 18:28

Cybercriminals have begun to tweak the way the GameOver Zeus Trojan is being delivered to users’ machines, making it easier for the banking malware to evade detection and steal victims’ credentials.

To get the job done, the malware has been working in tandem with the Upatre downloader.

For about a week now criminals have been changing the .exe files Upatre downloads to non-executable .enc files. According to a computer forensics expert, this is how the malware, which spreads via spam e-mails and malicious attachments, can avoid being spotted by firewalls, Web filters and other security defenses.

Gary Warner, a director of research in computer forensics at the University of Alabama at Birmingham posted about the trick and included a handful of spam email examples on his Cybercrime & Doing Time blog yesterday.

The file, while encrypted, can still be executed after a user opens a .zip file (found in spam e-mail attachments), which initiates a domino effect that ends with downloading the GameOver Zeus file.

The .zip files download the .enc files from the internet and decrypt them, “placing it in a new location with a new file name, and then causing it both to execute and to be scheduled to execute in the future,” Warner says.

As .enc files aren’t inherently malicious, none of the 50 security programs at VirusTotal, Google’s free detection service, are currently flagging attachments carrying them as malicious.

Warner noticed the trend when a colleague, Brendan Griffin, a malware analyst at the firm Malcovery, sent along a series of spam messages spreading the malware, some purporting to come from the Better Business Bureau, Skype and the IRS, among other organizations.

The behavior has been happening consistently since that time and Warner is stressing that both spam campaigns, GameOver and Upatre, are still very much related and are still being powered by the Cutwail botnet.

Spam emails spreading GameOver, a variant of the Zeus malware, have been making the rounds for two years or so. The FBI initially sounded the alarm over bogus emails from the FDIC and NACHA carrying it in 2012, and shortly thereafter the Trojan leveraged the Cutwail botnet to spread the spam messages further.

According to Boldizsár Bencsáth, a researcher at Hungary’s CrySys Lab who helped Warner’s research, technically the .enc file is compressed then XOR’ed with a 32-bit key before Upatre reverses the process, in turn creating the .exe file.

Upatre is the malware that popped up last year and was studied extensively by Microsoft and Dell’s SecureWorks. The malware is basically used to download other malware, and like GameOver, is also primarily spread via spam.

Bencsáth notes on CrySys’s blog that while the droppers sent out via spam emails are small, he was able to find a small (5k) downloader that can connect to a server, download the .enc file, decrypt, decompress and execute it, resulting in GameOver.

In addition to Bencsáth, Warner also gives a tip of the hat to GoDaddy’s William MacArthur and Dell SecureWorks’ Brett Stone-Gross, who also assisted in the research.

Last fall, Microsoft noticed the Cutwail botnet distributing Upatre malware via spam and through exploit kits targeting Java and PDF vulnerabilities to the tune of over one million reported infections, a colossal spike over statistics from prior months.

Pwn2Own Paying $150,000 Grand Prize for Microsoft EMET Bypass

Threatpost for B2B - Mon, 02/03/2014 - 13:53

Microsoft has not been shy in the past nine months about advising users to install and use its Enhanced Mitigation Experience Toolkit (EMET) as a temporary mitigation until zero-day vulnerabilities are patched.

Experts have advised enterprises and smaller organizations to deploy EMET as a proactive security measure; Microsoft has recommended it in a number of recent attacks, including an XP zero-day and another previously unreported vulnerability in Internet Explorer that was abused in watering hole attacks against a number of NGOs.

The tables, however, are about to be turned on EMET. At the upcoming CanSecWest Conference, the popular Pwn2Own contest will include a category that will test the mettle of EMET. Contest sponsor HP announced late last week a $150,000 grand prize for anyone able to bypass the EMET mitigations on a Windows 8.1 machine running Internet Explorer 11.

“We’re hunting the Exploit Unicorn – not because we think there are a lot of researchers out there who can capture it, but because we think there aren’t,” said HP senior security content developer Angela Gunn.

EMET is a mitigation technology that puts up obstacles that hackers must hurdle in order to exploit a vulnerability, including existing mitigations such as ASLR and DEP. EMET forces applications to use these mitigations native to Windows. Recently, Microsoft added a certificate pinning feature called Certificate Trust to EMET 4.0 that wards off man-in-the-middle attacks, and mitigations that handle return-oriented programming.

“With EMET carrying that kind of burden of protection, researchers are getting more interested in testing its limits, and our grand prize reflects that,” Gunn said. “We may not have any successful contestants, but security researchers thrive on insanely difficult challenges; we’re excited to provide one.”

Gunn said in order for contestants to win the grand prize, in addition to breaking EMET, they must break out of the sandbox in Internet Explorer, then locate new vulnerabilities in Windows to view system information, change data, and control its behavior before moving on to EMET.

In 2012, a researcher beat EMET with a pair of techniques; the mitigation bypass was one of the finalists in the first BlueHat Prize, a competition sponsored by Microsoft to encourage researchers to attack a defensive technology rather than exploit a vulnerability brought on by poor coding.

The first BlueHat Prize of $200,000 was paid out at the 2012 Black Hat Briefings to Vasilis Pappas for his kBouncer ROP mitigation technology, which beat out two other ROP submissions. Pappas’ kBouncer technology uses the kernel to enforce restrictions on what processes can do, and prevents anything that looks like return-oriented programming from running.

Last October, Microsoft paid out a $100,000 prize to British researcher James Forshaw for a bypass of Windows memory protections, the second major bounty coming out of Redmond for a mitigation bypass.

The Exploit Unicorn is just one phase of the Pwn2Own contest. HP’s Zero Day Initiative announced the rules and prizes last week, revealing there will be three divisions for the competition: browsers, plug-ins and the grand prize.

Payouts in the browser competition are: $100,000 for Google Chrome on Windows 8.1, 64-bit, and Microsoft Internet Explorer 11 on Windows 8.1 64-bit; $65,000 for Apple Safari on OS X Mavericks; and $50,000 for Mozilla Firefox on Windows 8.1 64-bit.

In the plug-ins competition: payouts are $75,000 for Adobe Reader running in Internet Explorer 11 on Windows 8.1 64-bit and Adobe Flash running in Internet Explorer 11 on Windows 8.1 64-bit; and $30,000 for Oracle Java running in Internet Explorer 11 on Windows 8.1 64-bit.

Chrome Pop-Up to Warn Windows Users of Browser Hijacking

Threatpost for B2B - Mon, 02/03/2014 - 12:13

A rising number of online scams involve the modification of browser settings where a hacker spikes a free download or website with malware. The end result is generally a click-fraud scheme of some kind where the new browser settings might include spiked search engine pages or a new home page enticing the user to click on a link where the attacker would profit from the click.

Google says hijacked settings are Chrome users’ No. 1 complaint, and late last week it enhanced an existing feature in the browser to get a little more in your face about fending off hijacking attempts.

Vice president of engineering Linus Upson said from now on, Windows users will be prompted via a dialog box that appears if Chrome settings have been changed. The warning will ask users if they would like to reset their Chrome settings to their original default.

“You should always be in charge of your own Chrome settings,” Upson said.

The up-front warning is an extension to a feature Google added to Chrome in October which buried the reset option on a settings page.

Google explained in October that its motivation for the reset option was an increase in malware being bundled with software such as video plug-ins, toolbars, or even in more serious instances, alleged security updates.

“These malicious programs disguise themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you browse,” Upson wrote in October. “Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state.”

The reset button was originally placed in the Advanced Settings section of the Chrome settings and was part of a Halloween day update to the browser.

Upson said, however, that users in Google help forums and other feedback mechanisms were complaining that the problem was not abating. The main problem, Upson said last week, was the persistence of these attacks.

“Some hijackers are especially pernicious and have left behind processes that are meant to undermine user control of settings,” Upson said. “So you may find that you’re hijacked again after a short period of time.”

While restoring Chrome settings to essentially factory defaults will wipe away the malicious entries placed there by the hacker, it will also disable any desired customizations. Extensions, apps and themes a user may have installed on Chrome will become deactivated. They are not uninstalled, however, and can be re-enabled via the Chrome menu under Tools and Extensions, Upson said.

Scammers Using World Cup as Phishing Lure

Threatpost for B2B - Mon, 02/03/2014 - 11:55

The World Cup is still four months away, but attackers already are ramping up their efforts to defraud fans. As with most major events, such as the Super Bowl, the Olympics and others, attackers are using fans’ enthusiasm for the event as a lure to separate them from their money.

When a major event like the World Cup is on the calendar, scammers typically will register rafts of domain names with some reference to the event and use them to attract victims for a variety of scams. The most recent evidence of this trend is a bunch of scams targeting Brazilian soccer fans looking for tickets for the World Cup, which will be held in Brazil this summer. Researchers at Kaspersky Lab have been tracking these schemes and identified a number of fraudulent domains attackers are using to entice victims to cough up their personal data and some money in exchange for cheap or free tickets, which of course don’t exist.

“The attacks start when a user does a simple search on Google, looking for websites selling World Cup tickets. Bad guys registered the fraudulent domain fifabr.com that is displayed among the first results as a sponsored link,” Fabio Assolini, a Kaspersky Lab researcher in Brazil wrote in an analysis of some recent attacks he’s tracking.

“Kaspersky products are blocking several fraudulent domains daily; all of them are using the theme of the World Cup. Such attacks are focused totally on Brazilian users and the messages generally use the names of local credit card, banks, and big stores, etc. Phishing messages with fraudulent giveaways are getting common as well – some offering free tickets, cash, or even free travel.”

In order to get their non-existent free or discounted tickets, victims need to give up their personal information, such as name, address, birth date and credit-card data. Researchers have been seeing World Cup-themed attacks for nearly a year now, and the lures have been pretty consistent over time. Back in March 2013, Assolini was looking at some similar attacks that were phishing Brazilian soccer fans.

“Offers range from alleged cash prizes, trips and tickets to watch the games, while the attacks involve massive phishing mailings, and, to add spurious credibility, stars of the national soccer team have been ‘signed up’ by the conmen. Here’s one example featuring Neymar, the latest Brazilian hero to be dubbed the new Pelé,” Assolini wrote at the time.

As with most of these schemes that are pegged to a major sporting event, it’s always safer to buy tickets from the official site rather than any brokers or third parties.

Blog: A Glimpse Behind "The Mask"

Secure List feed for B2B - Mon, 02/03/2014 - 07:44
During the past months we have been busy analysing yet another sophisticated cyberespionage operation, which has been going on since at least 2007, infecting victims in 27 countries. We named this operation "The Mask" for reasons to be explained later.

Blog: Big box LatAm hack (2nd part – Email brute-force and spam)

Secure List feed for B2B - Sun, 02/02/2014 - 21:28
Cybercriminals behind Betabot and other malware in Latin America, instead of using zombie machines, brute-force poorly configured email servers and then use them to spam their victims.

Blog: World Cup: fake tickets, fake giveaways, real attacks

Secure List feed for B2B - Fri, 01/31/2014 - 16:30
Fraudulent websites offering tickets to the World Cup in Brazil

DailyMotion Still Infected, Serving Fake AV Malware

Threatpost for B2B - Fri, 01/31/2014 - 16:07

More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is still infected.

A spokesperson told Threatpost that Invincea’s original notification was not acknowledged and the company suspects this is a continuation of the same attack and the site was never cleaned up.

Invincea said it has again notified DailyMotion, which is the 96th most popular destination on the Internet according to Alexa. The site allows users to upload and share videos.

The attack was originally reported Jan. 7 when malicious ads were discovered on the site. Those ads were redirecting visitors to a fake AV scam. Invincea said today that the same threat is happening on the site.

A video on the security firm’s website demonstrates what happens to a site visitor. Landing on the DailyMotion homepage, a visitor is presented with a dialog box warning the user that “Microsoft Antivirus” found a problem on the victim’s computer and that it needs to be cleaned. A list of potential problems is shown next and the user is enticed to run an executable pretending to be security software.

A report from Invincea shows a number of files written to the compromised computer were launched and stored in order to maintain persistence at startup. It also shows the computer communicating out to servers in the United States and Romania.

In its original advisory on Jan. 7, Invincea said that the malicious ads redirect to a third-party domain in Poland called webantivirusprorh[.]pl (93[.]115[.]82[.]246). According to VirusTotal, 10 of 47 antivirus products detect the threat; most detect it as a variant of the Graftor Trojan. The initial redirect, Invincea said, is loaded via engine[.]adzerk[.]net.

With fake AV scams, victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection.

Other scams, such as ransomware infections, build off this same premise but are much more sinister in that they use harsher tricks to get the user to install the malware. Some ransomware attacks lock down computers and inform the user their machine has been taken over by law enforcement because of some illicit activity online and the victim must pay a ransom to get their computer unlocked.

Malicious advertising, also known as malvertising, is becoming a common attack vector for spreading fake AV, ransomware and other malware by redirecting victims to exploit kits. One such campaign, uncovered in September, found sites including the Los Angeles Times, Women’s Health magazine and others hosting ads serving malware. Malicious iframes redirected victims to the Blackhole Exploit Kit; Blackhole has since disappeared from the black market after the arrest of its alleged creator, a Russian hacker known as Paunch.

At the Black Hat Briefings last summer, WhiteHat Security researchers demonstrated how to use online advertising networks to distribute JavaScript and build the equivalent of a botnet that could be used to crash webservers or distribute malicious code.
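The redirect sequence Invincea describes (homepage, ad-engine call, fake AV host, executable download) is recoverable from ordinary web-proxy logs by following Referer headers backwards from a hit on a known indicator. The following is an added example, not Invincea's tooling or anything from the article: the two indicators are the ones quoted above, kept defanged; the proxy log format, the paths such as `/ados` and `/scan.php`, and the sample requests are constructed for the demonstration.

```python
"""Reconstruct a malvertising redirect chain from web-proxy logs.

Added example, not Invincea's tooling. The indicator list is the pair
published in the advisory quoted above, kept in defanged form; the log
format and the sample requests are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators from the advisory, stored defanged so this file never carries a live link.
IOC_DEFANGED = ["webantivirusprorh[.]pl", "93[.]115[.]82[.]246"]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


IOC_HOSTS = {refang(i) for i in IOC_DEFANGED}

# Constructed proxy format: timestamp client method url status "referer"; "-" means no referer.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One proxy line to a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    if event["referer"] == "-":
        event["referer"] = ""
    return event


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def walk_back(events: List[Dict[str, str]], hit: Dict[str, str]) -> List[str]:
    """Follow Referer headers backwards from the indicator hit to the page that started it."""
    chain = [hit["url"]]
    seen = {hit["url"]}
    current = hit
    while current["referer"] and current["referer"] not in seen:
        chain.insert(0, current["referer"])
        seen.add(current["referer"])
        # the request that fetched the referring URL, if this client's log has it
        previous = next((e for e in events if e["url"] == current["referer"]), None)
        if previous is None:
            break
        current = previous
    return chain


def find_redirect_chains(lines: List[str]) -> Dict[str, List[str]]:
    """Per client, the URL chain ending at that client's last request to an indicator host."""
    by_client: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_client[event["client"]].append(event)
    chains: Dict[str, List[str]] = {}
    for client, events in by_client.items():
        hits = [e for e in events if host_of(e["url"]) in IOC_HOSTS]
        if hits:
            chains[client] = walk_back(events, hits[-1])
    return chains


# Constructed sample: one visitor is bounced from the ad slot to the fake AV host, another is not.
_FAKE_AV = "http://" + refang("webantivirusprorh[.]pl") + "/scan.php"
_DROPPER = "http://" + refang("93[.]115[.]82[.]246") + "/setup.exe"
SAMPLE_LOG = [
    '2014-01-31T10:00:01Z 10.0.0.5 GET http://www.dailymotion.com/ 200 "-"',
    '2014-01-31T10:00:02Z 10.0.0.5 GET http://engine.adzerk.net/ados 302 "http://www.dailymotion.com/"',
    f'2014-01-31T10:00:03Z 10.0.0.5 GET {_FAKE_AV} 200 "http://engine.adzerk.net/ados"',
    f'2014-01-31T10:00:09Z 10.0.0.5 GET {_DROPPER} 200 "{_FAKE_AV}"',
    '2014-01-31T10:01:00Z 10.0.0.7 GET http://www.dailymotion.com/ 200 "-"',
    '2014-01-31T10:01:01Z 10.0.0.7 GET http://engine.adzerk.net/ados 200 "http://www.dailymotion.com/"',
]

if __name__ == "__main__":
    for client, chain in find_redirect_chains(SAMPLE_LOG).items():
        print(client, " -> ".join(chain))
```

Matching on the hostname rather than the raw URL is deliberate: the page names a domain and an IP, and the same host will be seen with many paths. The walk stops at the first request with no Referer, which is the page the victim actually opened, so the ad-engine hop shows up as an intermediate step rather than as the origin.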

Boasting Better Encryption, Bug Fixes, OpenSSH 6.5 Released

Threatpost for B2B - Fri, 01/31/2014 - 14:07

The OpenBSD Project pushed out a new build on Thursday of the OpenSSH security suite, adding a new private key format, a new transport cipher and fixing 15 bugs in the Secure Shell.

OpenSSH version 6.5 adds support for key exchange using elliptic-curve Diffie-Hellman over Curve25519, the curve designed by cryptographer Daniel Bernstein. This exchange, which uses a 32-byte secret key, will now be the default when both the client and server support it.

Many encryption implementations are suspect after the alleged subversion of widely used algorithms by the National Security Agency. Documents disclosed by NSA whistleblower Edward Snowden indicate the NSA inserted weakened crypto algorithms into NIST standards. The most flagrant may be Dual EC DRBG, which is the crypto library used by a number of commercial products including RSA BSafe. RSA Security and NIST warned developers to move off the algorithm.

Additionally, according to the release notes, 6.5 also adds support for the elliptic curve signature scheme Ed25519, a tweak that allows better security than the Digital Signature Algorithm (DSA) and its Elliptic Curve Digital Signature Algorithm (ECDSA) variant.

The new OpenSSH build is also set up to refuse old clients and servers that use a weaker key exchange hash calculation, including dated RSA keys from clients and servers “that use the obsolete RSA+MD5 signature scheme.”

The MD5 algorithm has been broken so long that it really hasn’t become an obstacle for hackers looking to crack it. It was last famously exploited in 2012 in an attack which saw the malware Flame forge a certificate from Microsoft.

OpenSSH will refuse connection entirely with anyone using these old clients or servers in a future build, but for the meantime will allow DSA keys.

A new transport cipher – chacha20-poly1305@openssh.com – based on algorithms (ChaCha20 and Poly1305 MAC) devised by Bernstein is also present in the update. Initially committed by OpenSSH developer Damien Miller back in November to replace the disintegrating RC4, the cipher should allow for better encryption going forward.

ChaCha, a variant of the stream cipher Salsa20, has been called faster in low-level implementations and more secure than its alternatives, winning the confidence of cryptographers in the last few years.

A new private key format that uses bcrypt, a key derivation method “to better protect keys at rest,” has also been added to the latest OpenSSH.

Developers are calling 6.5 a “feature-focused release” and urging those who use it to update as soon as they can.

Those looking for a full rundown of the fixes and further information about 6.5’s new features can check out the release notes here.
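Whether a server actually benefits from the new primitives depends on what its `sshd_config` offers, and a legacy `Ciphers` or `KexAlgorithms` line can keep RC4 or 1024-bit group-1 Diffie-Hellman on the menu after the upgrade. Below is an added example, not OpenSSH project code, that audits those two directives against a small policy. The preferred names are the identifiers OpenSSH registers for the Curve25519 exchange (`curve25519-sha256@libssh.org`) and the new cipher (`chacha20-poly1305@openssh.com`); treating `arcfour*` and `diffie-hellman-group1-sha1` as weak is an assumed hardening policy rather than something the release notes prescribe, and the two sample configurations are constructed.

```python
"""Audit the cipher and key-exchange lines of an sshd_config against the
OpenSSH 6.5 additions described above.

Added example, not OpenSSH project code. The preferred names are the
identifiers OpenSSH uses for Curve25519 key exchange and the ChaCha20-Poly1305
cipher; the legacy names flagged as weak (RC4-based arcfour* ciphers and the
1024-bit group-1 DH exchange) are an assumed hardening policy.
"""
from typing import Dict, List

PREFERRED = {
    "KexAlgorithms": "curve25519-sha256@libssh.org",
    "Ciphers": "chacha20-poly1305@openssh.com",
}
WEAK = {
    "KexAlgorithms": {"diffie-hellman-group1-sha1"},
    "Ciphers": {"arcfour", "arcfour128", "arcfour256"},
}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map each keyword to its comma-separated values.

    Keywords are case-insensitive in sshd_config; comment and blank lines are
    skipped. Match blocks are not modelled (simplification), so a directive
    inside one is treated as global.
    """
    canonical = {k.lower(): k for k in PREFERRED}
    config: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        key = canonical.get(key.lower(), key)
        config[key] = [v.strip() for v in value.split(",") if v.strip()]
    return config


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the config meets the policy."""
    findings: List[str] = []
    config = parse_sshd_config(text)
    for key, best in PREFERRED.items():
        values = config.get(key)
        if values is None:
            findings.append(f"{key}: not set, the compiled-in default list applies")
            continue
        weak = [v for v in values if v in WEAK[key]]
        if weak:
            findings.append(f"{key}: weak algorithm(s) still offered: {', '.join(weak)}")
        if best not in values:
            findings.append(f"{key}: {best} is not offered")
    return findings


# Constructed configs: a legacy one and its hardened counterpart.
LEGACY_CONFIG = """\
Port 22
# RC4 and group-1 DH still on the menu
Ciphers aes128-ctr,arcfour256,arcfour128
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
"""

HARDENED_CONFIG = """\
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

The check does not score list order, because in SSH the negotiated algorithm is the first entry in the client's list that the server also offers; what the server can control is only whether a weak option is offered at all. The "not set" finding is worth keeping: a missing directive is not a failure, but it means the compiled-in defaults of whatever version is installed decide, which is exactly what an upgrade changes.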

Chewbacca Point-of-Sale Malware Campaign Found in 10 Countries

Threatpost for B2B - Fri, 01/31/2014 - 12:14

Before you think that RAM scraper malware was a phenomenon specific to the Target breach, think again. A four-month-long crime spree targeting point-of-sale systems in a number of industries has been discovered; the campaign, however, is not related to the mammoth Target break-in or other recently reported hacks at Neiman Marcus or Michaels.

The malware in question is the privately sold Chewbacca Trojan, which is a two-pronged threat that uses the Tor anonymity network to hide its communication with the attackers’ command and control infrastructure. Chewbacca not only infects point-of-sale terminals with the RAM scraping malware in order to steal payment card data before it is encrypted, but also drops keylogging software onto compromised systems.

Researchers at RSA Security discovered the criminal campaign and say they have found malware samples used in 10 countries, primarily in the United States and the Russian Federation. Will Gragido, senior manager at RSA FirstWatch, the company’s research arm, said the command and control server they intercepted has been taken offline—likely by its Ukrainian handlers rather than law enforcement—putting a halt to the campaign. Gragido said the criminals had their hands on 49,330 credit card numbers and there were 24 million transaction records on the attackers’ server.

“It’s actually a mixture of industries that have been hit: some broadband providers were impacted, retailers, supermarkets, gas stations, and other associated businesses,” Gragido said. “It’s a sloppily put-together piece of code; it’s not the most sophisticated code, but it seems effective.”

The original Chewbacca samples were found in October and reported by Kaspersky Lab’s Global Research and Analysis Team in December. While the original attack vector is not yet understood, Chewbacca’s behaviors are pretty self-evident. Chewbacca finds running processes on compromised computers, reads process memory, drops a keylogger and is able to move that information off of infected machines, said Marco Preuss, director of research for Kaspersky Lab in Europe.

The malware is a PE32 executable compiled with Free Pascal 2.7.1; its 5 MB file includes the Tor executable, which the attackers use to move data and communication between infected POS terminals and servers, and the attackers. Once executed, Chewbacca drops as spoolsv.exe into the victim machine’s startup folder and then launches its keylogger and stores all keystrokes to a log created by the malware, Preuss said. Spoolsv.exe is the same name used by the Windows Print Spooling service; the malware does so to insert itself into the startup process and maintain persistence.

Gragido said RSA FirstWatch had infiltrated the attackers’ original command server, which was using a Tor .onion domain for obfuscation.

“We think we caught this campaign early on,” Gragido said. “Chewbacca has not been out there very long. We’ve seen it established in a few small retailers and service providers.”

The Target breach has elevated awareness around point of sale malware, in particular RAM scrapers. Target admitted shortly before Christmas that attackers had been on its network and stolen 40 million payment card numbers from infected point of sale systems, along with the personal information of 70 million people, putting potentially 110 million at risk for identity theft and fraud.

New details emerged this week on just how burrowed into Target’s network the attackers were. Experts believe the initial compromise was a SQL injection attack that allowed the attackers access to the network. Once there, it’s apparent they took advantage of hard-coded credentials on system management software used by the retailer to set up a control server on the Target network and moved data out in batches.

“We don’t have anything from an evidentiary perspective that this is tied to Target, Neiman Marcus or Michaels,” Gragido said. “The malware is different, the attackers’ MO is different, there’s no common infrastructure or common malware. The gang behind it, we think, is a newer crop of folks with activity in Eastern Europe, but it’s hard to say.”
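The persistence trick Preuss describes, a file named spoolsv.exe dropped into the Startup folder, is detectable precisely because the real Print Spooler binary has a fixed home. The following is an added example, not RSA or Kaspersky code, that audits a list of autorun entries for system-binary names appearing outside their expected directory. The expected location is assumed for a default Windows installation, the environment-variable expansions are assumed defaults, and the sample entries are constructed.

```python
"""Flag autorun entries that borrow the name of a Windows system binary but
live somewhere other than that binary's home directory, which is how the
spoolsv.exe dropped into the Startup folder described above would surface.

Added example, not RSA or Kaspersky code. The expected directory and the
%variable% expansions are assumed defaults; the sample entries are constructed.
"""
import ntpath
from typing import Dict, List, Tuple

# Legitimate home directories for names worth watching; lowercase, backslash form.
EXPECTED_HOME: Dict[str, str] = {
    "spoolsv.exe": r"c:\windows\system32",
}

# Environment variables an autorun path may contain; assumed default values.
ENV = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}


def normalize(path: str) -> str:
    """Lowercase, expand the common %vars%, and normalise separators and '..' segments."""
    p = path.strip().strip('"').lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return ntpath.normpath(p)


def check_autoruns(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return masquerading entries: a watched file name whose directory is not its home."""
    findings: List[Dict[str, str]] = []
    for location, path in entries:
        directory, name = ntpath.split(normalize(path))
        expected = EXPECTED_HOME.get(name)
        if expected is not None and directory != expected:
            findings.append(
                {"location": location, "name": name, "path": path, "expected": expected}
            )
    return findings


# Constructed autorun inventory: the real spooler service, a Startup-folder
# impostor of the kind described above, and an unrelated vendor agent.
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("Service: Spooler", r"%SystemRoot%\System32\spoolsv.exe"),
    (
        "Startup folder",
        r"C:\Users\pos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe",
    ),
    ("HKCU Run: Agent", r"C:\Program Files\Vendor\posagent.exe"),
]

if __name__ == "__main__":
    for f in check_autoruns(SAMPLE_ENTRIES):
        print(f"{f['location']}: {f['name']} at {f['path']} (expected in {f['expected']})")
```

The comparison is on the normalised directory, not on a substring, so a path such as `C:\Windows\System32\..\Temp\spoolsv.exe` is resolved before it is judged. Extending `EXPECTED_HOME` with more names is the whole configuration surface; the rest of the check stays the same.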

Attackers Target Yahoo Mail Accounts in ‘Coordinated Effort’ to Own Users

Threatpost for B2B - Fri, 01/31/2014 - 12:04

After years of focusing their attention on Gmail, it seems that attackers have finally gotten around to expending some effort hacking Yahoo mail accounts. Yahoo officials said Thursday that they have reset the passwords on an unspecified number of mail accounts after detecting what they call a “coordinated effort to gain unauthorized access to Yahoo Mail accounts.”

Yahoo officials said that the evidence they have right now suggests that the attackers were trying to steal information such as email addresses and names from users’ sent mail folders.

“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts,” Jay Rossiter, SVP of Platforms and Personalization Products at Yahoo wrote in a Tumblr post on the attacks.

Attackers have had a field day going after webmail systems such as Gmail and Hotmail in recent years, going back to the Aurora targeted attacks four years ago against Google and some Gmail users. There are a variety of ways that attackers have found to go after the accounts of webmail users, many of which begin with some variety of phishing attempt. Depending upon the target, attackers will send highly specific emails to a set of victims, sometimes with the lure of a malicious attachment. Other times, attackers will use fake password-reset messages as a lure, something that could complicate the measures that Yahoo is taking to clean up after this attack.

“We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account,” Rossiter said.

For some users–especially security conscious ones–those emails and texts can look exactly like the scam messages that attackers use to trick victims into clicking on a malicious link to give up their email credentials. Once an attacker has access to a victim’s main email account, he often can take over many of the victim’s other accounts, such as online banking, social media and others that typically will use email addresses as one level of authentication.

Yahoo officials did not specify which third-party company they believe was the source of the compromised information used to attack its users. There have been a number of large-scale data breaches in the last few months in which millions of email addresses and other information were compromised, including the attack on Adobe and the Target data breach.

Rossiter said Yahoo is working with law enforcement to investigate the attacks on its systems and recommended that users take typical precautions with their online accounts.

“In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks,” he said.
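The pattern Rossiter describes, a harvested username/password list replayed against another site's login, leaves a distinctive trace in authentication logs: one source trying many different usernames in a short span, with only the reused passwords succeeding. Below is an added example, not Yahoo's detection logic, that flags such sources and lists the accounts they got into, which are the ones to push through a reset. The log format, the thresholds and the sample lines are constructed.

```python
"""Spot credential-stuffing traffic in an authentication log: one source trying
many different usernames in a short window, the pattern a list harvested from
a third-party breach produces. Accounts that succeeded from such a source are
the ones to force through a password reset.

Added example, not Yahoo's detection logic. Log format, thresholds and sample
lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def parse_auth_line(line: str) -> Dict[str, object]:
    """Constructed format: ISO-8601 timestamp, source IP, username, result (ok|fail)."""
    ts, ip, user, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "user": user,
        "result": result,
    }


def detect_credential_stuffing(
    lines: List[str],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
) -> Dict[str, List[str]]:
    """Map each flagged source IP to the accounts it logged into successfully.

    A source is flagged when it attempts at least min_users distinct usernames
    inside any sliding window of the given length. One account hammered from
    one IP is a different pattern (brute force) and is deliberately not caught.
    """
    events = sorted((parse_auth_line(l) for l in lines), key=lambda e: e["ts"])
    by_ip: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged: Dict[str, List[str]] = {}
    for ip, evs in by_ip.items():
        compromised = set()
        suspicious = False
        # every event opens a window; count distinct users and successes inside it
        for i, start in enumerate(evs):
            users, successes = set(), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                users.add(e["user"])
                if e["result"] == "ok":
                    successes.add(e["user"])
            if len(users) >= min_users:
                suspicious = True
                compromised |= successes
        if suspicious:
            flagged[ip] = sorted(compromised)
    return flagged


# Constructed sample: a stuffing run from one address (two reused passwords hit),
# and a legitimate user mistyping once from a second address.
SAMPLE_AUTH_LOG = [
    "2014-01-30T02:00:00Z 203.0.113.9 alice fail",
    "2014-01-30T02:00:01Z 203.0.113.9 bob fail",
    "2014-01-30T02:00:01Z 203.0.113.9 carol ok",
    "2014-01-30T02:00:02Z 203.0.113.9 dave fail",
    "2014-01-30T02:00:02Z 203.0.113.9 erin fail",
    "2014-01-30T02:00:03Z 203.0.113.9 frank ok",
    "2014-01-30T02:05:00Z 198.51.100.4 carol fail",
    "2014-01-30T02:05:20Z 198.51.100.4 carol ok",
]

if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: reset {', '.join(accounts)}")
```

Keying on distinct usernames rather than on failure counts is what separates this from a lockout rule: a stuffing run against a site where most passwords differ produces mostly failures, but the successes are the signal that matters, and per-account lockouts never fire because each account sees one attempt. In practice the source key would be broadened beyond a single IP (ASN, user-agent, proxy ranges), since a list of this size is usually replayed from many addresses.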

MediaWiki Remote Code Vulnerability Patched

Threatpost for B2B - Thu, 01/30/2014 - 16:12

A serious remote code execution vulnerability was recently patched by the Wikimedia Foundation. The flaw could have put at risk any of the foundation’s sites running MediaWiki software, including Wikipedia.

Researchers within Check Point Software Technologies’ Vulnerability Research Group discovered the vulnerability on the popular web platform affecting versions 1.8 and up.

“Remote code execution could have allowed malicious use of code on our servers. That may have put user data at risk or made it possible to change our databases somehow,” said Wikimedia Foundation spokesperson Jay Walsh. “Fortunately we’re confident there were no exploits of the vulnerability.”

Walsh said Check Point sent Wikimedia details on the vulnerability and a proof of concept last week, and the foundation’s operations team had a patch deployed on its servers within 45 minutes. On Tuesday, the foundation made a patch available to users of its open source software which hosts wikis and collaboration sites all over the Web.

“On the Foundation’s side, the patch was applied to all of the instances of MediaWiki running on our servers,” Walsh said. “That totals several hundred wikis, including the 280-plus language versions of Wikipedia, and the other Wikimedia projects.”

Check Point’s Shahar Tal, in a thread on Bugzilla, said the vulnerability enabled unrestricted command injection through an incorrectly sanitized parameter.

“We have verified this vulnerability exists with default installations as long as a certain (not common) setting is enabled, as is on Wikimedia.org,” Tal said.

Check Point said in its advisory that an attacker could have injected malware into every Wikipedia page if so desired; the same goes for any wiki site running MediaWiki software with the improper setting.

“The vulnerability discovered by Checkpoint involved possible remote code execution on the Wikimedia’s servers. A vulnerability like this may have allowed a user to maliciously execute shell commands on the Foundation’s servers,” Wikimedia’s Walsh said. “Based on the foundation’s review, there is no evidence that the vulnerability was actually exploited.”

Check Point said this is the third time in eight years remote code execution vulnerabilities have been found on the MediaWiki platform.

“This vulnerability will be highly prized by the hacker community and quickly turned into attacks that can be aimed at organizations that have yet to apply the patch or implement another form of defense,” Check Point said in its advisory.
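Tal's description, unrestricted command injection through an incorrectly sanitised parameter, is a defect class rather than a single bug, and the fix has the same shape whatever the parameter is. The following is an added example, not MediaWiki code: the advisory does not name the parameter or the setting, so the example uses a hypothetical image-resize call (software of this kind commonly shells out to image tools) to show the vulnerable construction beside a hardened one. The `convert` invocation, the filename allow-list and the width bounds are assumptions for the demonstration.

```python
"""Command injection through an unsanitised parameter, and the shape of a fix.

Added example, not MediaWiki code. The advisory names neither the parameter
nor the setting, so a hypothetical image-resize call stands in for it.
"""
import re
import subprocess
from typing import List


def build_resize_command_vulnerable(filename: str, width: str) -> str:
    """BAD: request parameters spliced into one shell string.

    Run with shell=True, any shell metacharacter in filename (';', '|', '$(...)')
    ends the intended command and starts another. Kept only for contrast and
    never executed here.
    """
    return f"convert {filename} -resize {width} thumb.png"


# Allow-list: a plain name, no path separators, not starting with '-' (option
# injection) or '.' (dotfiles, '..'); length bound is an assumed policy.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$")


def is_safe_filename(filename: str) -> bool:
    return SAFE_NAME.fullmatch(filename) is not None


def build_resize_argv(filename: str, width: int) -> List[str]:
    """Hardened: validate each parameter against an allow-list and return an argv
    list, so no shell ever parses the values."""
    if not is_safe_filename(filename):
        raise ValueError(f"unacceptable filename: {filename!r}")
    if not isinstance(width, int) or not 1 <= width <= 4096:
        raise ValueError(f"width out of range: {width!r}")
    return ["convert", filename, "-resize", str(width), "thumb.png"]


def run_resize(filename: str, width: int) -> subprocess.CompletedProcess:
    """Execute the validated argv with shell=False: the tool receives each
    argument as one opaque string, whatever characters it contains."""
    return subprocess.run(
        build_resize_argv(filename, width),
        shell=False,
        check=True,
        capture_output=True,
    )


if __name__ == "__main__":
    print(build_resize_argv("photo.png", 200))
    for candidate in ("photo.png; ls", "$(date).png", "-debug.png", "../passwd"):
        print(candidate, "->", "rejected" if not is_safe_filename(candidate) else "ok")
```

Two independent controls are in play and both are needed: the argv list removes the shell, which closes the injection itself, while the allow-list keeps the argument from being interpreted as an option or a path by the tool being called (`-debug.png` is a valid argv element but not a valid filename for it). Tal's remark that the flaw required a non-default setting is the other lesson: the check belongs next to the parameter, not behind a configuration flag that decides whether the code path is reachable.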

Mobile Malware Captures Keystrokes, Screengrabs

Threatpost for B2B - Thu, 01/30/2014 - 15:57

New proof-of-concept mobile malware logs keystrokes and captures screen-grabs on jailbroken iOS and Android devices in order to steal online log-in credentials and other sensitive information from targeted devices.

In an interview with Threatpost, Trustwave senior security consultant Neal Hindocha broadly explained how his proof-of-concept works, which he will present in earnest at the RSA Conference next month.

The genesis for Hindocha’s work emerges from a simple and well-established reality: the mere fact that mobile devices are increasingly used for payment and online banking means that criminals will increasingly design tools to steal payment and other sensitive data from them.

Hindocha explained that one of the central components of widely deployed, desktop-targeting financial malware is keylogging software. In a sense, he merely wondered whether keyloggers are on the precipice of becoming as much of a nuisance for mobile users as they currently are for desktop and laptop users. In order to determine this, he needed to know if he could isolate the critical aspects of banking malware and use them to target banking applications on alternative, in this case mobile, operating systems.

Hindocha explained that there are already a number of mobile keylogging utilities, particularly for Android. However, mobile keyloggers are different from Windows-specific ones in that a Windows keylogger quite simply collects every keystroke entered by the user. On the other hand, mobile application developers have the option of creating custom keyboards for their apps. Because of this, Hindocha reasoned that a dynamic mobile banking threat would need to make use of screen-grabs as well as keyloggers.

“If you know the X and Y coordinates of where the user is touching the screen and you know what they are looking at,” Hindocha said, “then basically you see everything the user is seeing and you get all the data the user is inputting.”

The risk this attack poses to users of devices that are not jailbroken is minimal, but anyone using a rooted or jailbroken device is at risk. It’s possible that a person can be attacked, Hindocha claims, but it’s unlikely to become widespread.

“I don’t think it is viable to infect 100,000 people with this, because what you are getting out of it is X and Y coordinates of where someone touched the screen,” he said. “You can in most instances combine that with screenshots. It’s difficult to do any type of data harvesting on large amounts of data when all you’re looking at are key-strokes and touch coordinates and pictures.”

In other words, it’s more likely that this sort of malware or threat would be deployed in a highly targeted manner, seeking to pilfer information from individuals or companies.

While Hindocha initially believed that screen-grabs were an integral part of his proof-of-concept, he came to realize that he could discern all sorts of information with only the keystrokes as well. For example, he said, if no one touches the screen for an hour, and then logging software picks up between four and eight screen-touches, you can assume the user has just entered the access PIN. More than 20 touches apparently indicates that a user is typing something. Between four and fifteen may indicate a password is being entered. Peripheral touches likely indicate that the user is playing a game. A deeper examination of screen-touching patterns would likely reveal more useful information collected by the keylogger.

Again, Hindocha’s research pertains only to rooted devices. Therefore there really isn’t much that the vendors – Apple and Google – can do to mitigate this sort of attack. He did note however that Apple already has safeguards in place to prevent this from occurring. Google though, Hindocha claims, often trades security for functionality.

“The price of functionality is security in many, many cases,” Hindocha said, mirroring a widely held sentiment. “And I think that it is a difficult balance for [Google]. They want to provide a lot of functionality but at the same time they want to give you security. So I think that there are choices that they have made that have resulted in this being possible. I think they could make the choices differently and that would have a different result but there would be a cost in terms of functionality.”

The good thing about bringing this research to light, Hindocha went on, is that companies with high security requirements are aware of this sort of threat. They can implement safeguards to try and protect their data by actively seeking out vulnerable and infected machines and by detecting certain patterns regarding where network data is going.

“There are things that can be done,” he said. “I don’t think we should rely on Apple or Google to fix them.”

Hindocha also expressed concern that his proof-of-concept could be used to target special platforms, like the mobile-based point-of-sale systems that are increasingly deployed at retail locations.

To be clear, Hindocha’s attack is theoretically possible, albeit far more difficult on non-rooted Android devices. In the case of a standard operating system build, in order to pilfer screen-grabs in addition to keystrokes, the Android device would need to be plugged into a computer, where the screen-grabs would be uploaded. The attacker would then need to locate the folder containing the grabs and steal them from there.

Hindocha’s RSA presentation, in which he’ll detail the finer, technical aspects of his research, is slotted for Feb. 25 at 8 a.m.
