
SSH backdoor discovered in Fortinet FortiOS firewalls

Less than a month after Juniper Networks disclosed an unauthorised backdoor in its NetScreen firewalls, researchers from around the globe have found similar suspect code in products from Juniper's top competitor, Fortinet.

The code implements a custom "challenge and response" authentication routine for logging in to a FortiOS device over the secure shell (SSH) protocol. Researchers reviewing exploit code posted online on Saturday extracted from it the hard-coded password FGTAbc11*xy+Qqz27. On Tuesday, a researcher reported that the exploit code gave access to a server running Fortinet's FortiOS software.

Ralf-Philipp Weinmann, a security researcher who helped unravel the inner workings of the Juniper vulnerability, took to Twitter on Tuesday and has repeatedly referred to the custom SSH authentication as a "backdoor." In one of his posts he confirmed that he was able to make the backdoor work as reported on older versions of FortiOS.

According to the exploit code, the undisclosed authentication worked on FortiOS versions 4.3 up to 5.0.7. If those dates hold, the surreptitious access method was active in the FortiOS versions current during 2013 and 2014, and possibly earlier. The vulnerability was eventually patched, but researchers have been unable to locate a security advisory disclosing the alternative authentication method or the hard-coded password. While one researcher stated that the exploit no longer works in version 5.2.3, that release remains suspicious because it still contains the same hard-coded string.

"So a lot of parts of this auth mechanism are still in the later firmware," said the researcher, who requested anonymity. The most recent version of FortiOS, 5.4.0, was released this month.

IT security firm Trustwave sued for Failing to Stop Data Breach

IT security firm Trustwave has been accused of failing to properly investigate the card breach suffered by the Las Vegas-based casino operator Affinity Gaming in 2013.

Affinity Gaming filed a complaint in the district court of Nevada in December, alleging that Trustwave misrepresented its services, failed to perform an adequate investigation and identify the breach, and falsely informed the company that the breach had been remediated.

In December 2013, Affinity Gaming suffered a security breach of its payment card systems and engaged Trustwave to investigate.

According to the complaint, “Trustwave informed the company that the malware was removed from its systems and that the breach was contained.”

After Trustwave completed its investigation, Affinity Gaming engaged Ernst & Young to conduct penetration testing. During that testing, the testers identified suspicious activity associated with a piece of malware.

Affinity Gaming then called in FireEye-owned forensic specialist Mandiant for further investigation.

The complaint is based on the findings of Mandiant's investigation.

“Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity’s data through Affinity Gaming’s Virtual Private Network (VPN), and that the ‘backdoor’ these persons/organizations had created — which Trustwave had speculated may have existed but concluded was ‘inert’ — was very real and accessible,” reads the complaint.

“Mandiant also determined that the unauthorized access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been contained,” it continues.

Affinity is seeking damages in excess of $100,000 (about €92,000).

Hackers caused power cut in western Ukraine

The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has identified a piece of malicious code known as ‘BlackEnergy’ in the networks of a power company in western Ukraine.

The code came to light when the United States intelligence community investigated a cyber attack on the Ukrainian power grid that took place last December.

The BlackEnergy campaign, a sophisticated malware operation, has been ongoing since at least 2011. It targets industrial control systems and has been identified on Internet-connected human-machine interfaces in the United States.

The investigation shows that the power outages were caused by a series of network-centric attacks against multiple utilities, which disrupted Supervisory Control and Data Acquisition (SCADA) and phone systems.
ICS-CERT and US-CERT, along with the Ukrainian CERT, are still analyzing the malware, which was likely used to prevent system operators from detecting the attack while a remote attacker opened breakers.

The malware itself, which is not especially sophisticated, may have been used to cover the perpetrators' tracks.

On December 23 a power cut affected 80,000 customers for six hours. The attacks cut at least seven 110 kilovolt (kV) and twenty-three 35 kV substations.

Ukraine’s security service blamed the Russian government for the incident; it was later noted that BlackEnergy, the malware associated with the incident, is linked to the ethnic Russian hacking group ‘Sandworm’. In October 2014, Sandworm was reported to have compromised industrial control systems in the US for up to three years.

The malware has been found attacking utilities and media organizations with its hard-drive-wiping KillDisk component.

Former NSA and CIA head, retired Gen. Michael Hayden, has warned about the increasing threat of physical damage caused by malware infections.

A trojan that evades security products and stole data

Spymel, a new Trojan discovered by Zscaler (a US-based cyber-security vendor), reaches computers through spam emails and remains undetected by security products.

The Trojan arrives attached to emails as an archive file. Once the archive is downloaded and decompressed, it yields a JavaScript file that, when run, downloads and installs the actual malware executable, a .NET binary.
The point is that the archive file itself does not contain the malware, so antivirus products fail to flag the danger. The .NET binary also goes undetected because it carries a digital certificate issued to SBO INVEST via DigiCert.
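
The infection chain above turns on one property: the mailed archive contains only a script, never the payload, so scanning the archive as a blob finds nothing. The following is an added example, not code from the original post or from Zscaler, of the mail-gateway check a defender would want instead: open the archive and block it if any member is a file type the Windows Script Host or shell will execute. The archives it inspects are constructed in memory (the double-extension lure name is an assumption for illustration, not a detail from the post).

```python
"""Mail-gateway triage of archive attachments for script droppers.

Added example (not code from the original post or from Zscaler). The Spymel
chain described above hides its payload behind an archive that holds only a
JavaScript downloader, so inspecting the *members* of a mailed archive, rather
than hashing the archive itself, catches the lure before any signed binary is
fetched. The archives below are constructed in memory; no real malware is used.
"""
import io
import zipfile

# Extensions that Windows hands to the Windows Script Host or the shell when
# double-clicked. Any one of these inside a mailed archive warrants blocking.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".ps1"}


def script_members(archive_bytes):
    """Return the names of archive members whose final extension is a script."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Use the last extension only: "invoice.pdf.js" is a script, not a PDF.
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(name)
    return hits


def triage(archive_bytes):
    """Block an archive if it carries any script member; report what was seen."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        total = sum(1 for i in zf.infolist() if not i.is_dir())
    scripts = script_members(archive_bytes)
    return {
        "verdict": "block" if scripts else "allow",
        "script_members": scripts,
        "total_members": total,
    }


def build_sample(members):
    """Build a zip archive in memory from a {name: bytes} mapping (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lure shaped like the chain the post describes (a single
# JavaScript file, here behind a document-looking double extension, which is an
# assumption) and a benign archive of ordinary documents.
LURE = build_sample({"Invoice_2015-12.pdf.js": b"// constructed placeholder, not a dropper\n"})
BENIGN = build_sample({"report.pdf": b"%PDF-1.4 constructed\n", "notes.txt": b"hello\n"})

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(sample))
```

The check deliberately ignores what the script does: the decision is made on the attachment's shape, which the sender cannot change without abandoning the delivery method. Signature revocation, as the post notes, was undone within days by a fresh certificate; a structural rule like this one does not depend on that.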

According to Zscaler, Spymel infections were first detected in early December 2015. Zscaler reported the case to DigiCert and had the certificate revoked, but the group behind Spymel quickly updated their certificate.
Spymel can act as a downloader for further malware payloads, take screenshots of a user's desktop, record videos of the desktop, log keystrokes, and upload stolen data to a remote server.

Spymel is a clear example of how malware can use archive files booby-trapped with JavaScript code, together with digital certificates, to evade detection.

Mozilla awarded $2,500 to security researcher

Security researcher Ashar Javed recently discovered three bugs in the Mozilla Add-ons portal that could be exploited via the "Create new collection" feature.

He found that malicious code could be inserted into Mozilla Add-ons collections. Collections are used to organize add-ons for business and personal purposes and can be shared on social media as well.

“Given that the Mozilla add-on site has millions of downloads, it is easily possible for the attacker to convince the victim to visit the collection page,” the expert told SecurityWeek.

Users were thereby exposed to the range of attacks that can be carried out via XSS flaws, the most common being cookie theft.

XSS flaws are common in websites, and add-on collections are widely used by Firefox users, so for discovering the issue Mr Javed received $2,500 from Mozilla. Two other bugs were also discovered, about which Mozilla did not reveal any information apart from their location.

This is not the first time he has received a sizeable reward: Google awarded him $3,000 for a reflected XSS in the main search bar of the YouTube Gaming website.

Malware targeting Android-powered Smart TVs

With the end of the festive season, many homes are now equipped with smart gadgets, making people lazier than ever. Of all the new gadgets that rolled out, one of the most popular choices was the smart TV. With access to Android apps and functioning much like any other Android device, these TVs are a hit in the market, providing a high-resolution experience with the familiar Android interface. However, these devices have their own vulnerabilities to malware.

These TVs have capabilities that a normal TV lacks. Smart TVs can run apps that let users watch channels from other parts of the world that would otherwise be unavailable. However, some of these apps put users at risk: they contain a backdoor that abuses an old flaw (CVE-2014-7911) in Android versions before Lollipop 5.0 (Cupcake 1.5 to KitKat 4.4W.2). (These malicious apps are detected as ANDROIDOS_ROOTSTV.A.) Most smart TVs today run older versions of Android that still contain this flaw. Other Android devices with older versions installed are also at risk; it simply happens that these kinds of apps are mainly used on smart TVs or smart TV boxes. The sites that distribute these malicious apps operate under the H.TV name, with most visitors located in the United States or Canada.

To distribute the malware, attackers lure users to the distribution sites and get them to install the applications infected with the backdoor. Once a malicious application is installed, the attacker triggers the vulnerability and uses well-known exploitation techniques such as heap spraying or return-oriented programming to gain elevated privileges on the system.

Samsung recently launched a three-tiered security solution for its latest Tizen-based smart TVs. According to the company's statement, the service is meant to give consumers the necessary protection across the smart TV ecosystem, covering both software and hardware.

Security flaw in Trend Micro unveiled by Google security Researcher

Google security researcher Tavis Ormandy has found bugs in Password Manager, a product of the global security software company Trend Micro.

Password Manager is a component installed by default with Trend Micro’s Premium Security and Maximum Security home products.

Ormandy informed Trend Micro of his findings on January 5.

Password Manager is written primarily in JavaScript with node.js, and the bug could allow any website to achieve remote code execution and steal all of a user's passwords. Ormandy also noted that it was possible to bypass Internet Explorer’s Mark of the Web (MOTW) security feature and execute commands without the victim receiving any notification.

It took Ormandy about 30 seconds to identify an API that could be leveraged for remote code execution (RCE). Overall, he found over 70 APIs exposed to the Internet.

Exploiting such a vulnerability can give an attacker deep access to a computer.

Several serious vulnerabilities have been found in the last seven months in antivirus products from vendors including Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes.

Europol dismantles ATM malware gang

A recently identified piece of malware, known as Tyupkin or Padpin, is being used by attackers to conduct a new type of attack commonly known as a "jackpotting" attack, and Europol has now moved against a gang using it. The malware was first analyzed in 2014 by Kaspersky Lab, after its presence was noted on more than 50 machines in eastern Europe. It is known for enabling its operators to withdraw money from ATMs without cards.

Romania's Directorate for Investigating Organised Crime and Terrorism (DIICOT) stated that the arrested individuals are suspected of establishing an organised criminal group, illegally accessing computer systems, committing computer fraud, disrupting information systems, altering data integrity, illegally operating devices and software, and destroying property.

The suspects, residents of Romania and the Republic of Moldova, are alleged to have caused damage of approximately $217,000. According to Romanian prosecutors, the group, led by Moldovan national Solozabal Cuartero Rodion and Romanian national Mihaila Sorin, targeted ATMs in European countries, primarily Romania, Hungary, the Czech Republic, Spain and Russia.

In the first phase of the attack, which took place on weekdays, members of the group scouted ATMs, specifically targeting 24-hour cash machines that could be manipulated. After locating an ATM, they tampered with the machine to gain access to its CD-ROM drive, which was then used to plant the malware. The group deactivated existing alarm systems with duct tape. Malware planted on a weekday went into operation at the weekend: once it was in place on an ATM, the group sent commands instructing the machine to dispense cash automatically.

The group dispensed cash in small transactions of $1,000 rather than sweeping a machine in one go. Once the machine had dispensed all its cash, the malware would automatically remove itself. Because these attacks cause serious harm to ATM operators, the European ATM Security Team (EAST) and Europol published guidelines last year to help law enforcement and the industry counter the threat, and in September security firms started reporting two new malware families. One, known as GreenDispenser, is similar to Tyupkin in that it uses the machine's PIN pad to empty the vault. The other, called Suceful, captures the cards that cardholders insert into the ATM.

Time Warner Cable says 320,000 passwords possibly stolen

American telecommunications company Time Warner Cable Inc has said that up to 320,000 customers may have had their email passwords stolen.

The company has not yet determined the source of the theft, but said it might have occurred either through malware downloaded during phishing attacks or indirectly through data breaches at other companies that stored customer information.

The company learned of the breach after being notified by the Federal Bureau of Investigation.

The company is sending emails to encourage customers to update their email passwords as a precaution.

NEWLY DISCOVERED RANSOMWARE FACILITATES MALWARES FOR SECURITY BREACH

Security researchers have discovered a new Ransomware-as-a-Service campaign that, for the first time, uses malware written in JavaScript. Fabian Wosar of Emsisoft explained in a blog post that affiliates sign up for Ransom32 on a Tor site using just a Bitcoin address, to which the spoils are sent minus a 25% cut.

After signing up, users get access to a basic admin page that lets them see how many systems are infected, how much money has been collected, and tweak various settings for the ransomware. These include how much BTC to demand from victims, and whether to lock the computer completely or allow the victim to minimize the lock screen so that they can check whether their files really have been encrypted. Ransom32 is a 22MB self-extracting RAR file, which weighs in at over 67MB when extracted. Once run, the executable creates a shortcut, ChromeService, which points to a chrome.exe package that is actually an NW.js package containing JavaScript code that encrypts the victim's data and then displays a ransom note.

The files extracted into the Chrome Browser folder are:

    chrome - The Chromium license agreement.
    chrome.exe - This is the main executable for the malware and is a packaged NW.js application bundled with Chromium.
    ffmpegsumo.dll - HTML5 video decoder DLL that is bundled with Chromium.
    g - The settings file that contains various information used by the malware. This information includes the affiliate's ransom amount, bitcoin address that they receive payments on, and error message that is shown in a messagebox if the Show a message Box setting was enabled.
    icudtl.dat - File used by Chromium
    locales - Folder containing various language packs used by Chrome.
    msgbox.vbs - The messagebox displayed if the affiliate enabled the Show a message Box setting.
    nw.pak - Required for the NW.JS platform.
    rundll32.exe - Renamed TOR executable so that the malware can communicate with the TOR Command and Control server.
    s.exe - Renamed Shortcut.exe from OptimumX. This is a legitimate program used by the malware to create the ChromeService shortcut in the Startup folder.
    u.vbs - A VBS script that deletes a specified folder and its contents.
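
Most of the files in that list are ordinary NW.js/Chromium bundle contents, which any legitimate NW.js application also ships, so a host check that keys on chrome.exe or nw.pak alone would flag benign software. The following is an added example, not code from the original post or from Emsisoft, of a triage heuristic that separates the malware-specific artefacts named above (the settings file g, the two VBS helpers, the renamed Tor binary rundll32.exe and the renamed Shortcut.exe s.exe) and the ChromeService startup shortcut from the generic bundle files. The directory listings it scores are constructed; the .lnk suffix on the shortcut name is an assumption, since the post gives only the shortcut's name.

```python
"""Score directory listings against the Ransom32 artefact set described above.

Added example, not code from the original post or from Emsisoft. The bundle
files (chrome, chrome.exe, ffmpegsumo.dll, icudtl.dat, locales, nw.pak) are
shared with any NW.js application, so only the files the post names as part of
the malware itself, together with the Startup-folder shortcut, are treated as
evidence. All listings below are constructed.
"""

# Generic NW.js / Chromium bundle contents: present in benign NW.js apps too.
NWJS_BUNDLE = {"chrome", "chrome.exe", "ffmpegsumo.dll", "icudtl.dat",
               "locales", "nw.pak"}

# Files the post attributes to the malware rather than to the NW.js runtime.
RANSOM32_SPECIFIC = {"g", "msgbox.vbs", "rundll32.exe", "s.exe", "u.vbs"}

# The post names the shortcut "ChromeService"; the .lnk extension is an
# assumption (it is the standard Windows shortcut suffix).
STARTUP_SHORTCUT = "chromeservice.lnk"


def score_listing(app_files, startup_files):
    """Return (verdict, evidence) for one candidate application folder.

    app_files:     file names in the suspected app folder (the post's
                   "Chrome Browser" folder).
    startup_files: file names in the user's Startup folder.
    """
    app = {f.lower() for f in app_files}
    startup = {f.lower() for f in startup_files}

    bundle_hits = NWJS_BUNDLE & app
    specific_hits = RANSOM32_SPECIFIC & app
    shortcut_present = STARTUP_SHORTCUT in startup

    evidence = {
        "nwjs_bundle": sorted(bundle_hits),
        "ransom32_specific": sorted(specific_hits),
        "startup_shortcut": shortcut_present,
    }

    # Two or more malware-specific files, or one of them plus the persistence
    # shortcut, is a strong match. A lone rundll32.exe inside an application
    # folder is already odd (the genuine one lives in System32), so a single
    # specific hit or a lone shortcut still earns a "suspicious" verdict.
    if len(specific_hits) >= 2 or (specific_hits and shortcut_present):
        return "ransom32_likely", evidence
    if specific_hits or shortcut_present:
        return "suspicious", evidence
    if {"chrome.exe", "nw.pak"} <= bundle_hits:
        return "nwjs_bundle_only", evidence
    return "no_match", evidence


# Constructed listings: an infected folder mirroring the post's file list, and
# a benign NW.js application that shares the runtime files but nothing else.
INFECTED_APP = ["chrome", "chrome.exe", "ffmpegsumo.dll", "g", "icudtl.dat",
                "locales", "msgbox.vbs", "nw.pak", "rundll32.exe", "s.exe", "u.vbs"]
INFECTED_STARTUP = ["ChromeService.lnk", "desktop.ini"]

LEGIT_NWJS_APP = ["chrome.exe", "ffmpegsumo.dll", "icudtl.dat", "locales",
                  "nw.pak", "package.nw", "credits.html"]
LEGIT_STARTUP = ["desktop.ini"]

if __name__ == "__main__":
    print(score_listing(INFECTED_APP, INFECTED_STARTUP))
    print(score_listing(LEGIT_NWJS_APP, LEGIT_STARTUP))
```

The verdict tiers matter more than the exact file names: the runtime files will recur in every future NW.js-based sample, whereas the affiliate settings file and the renamed helper binaries are the parts a responder can actually act on, and the Startup-folder shortcut is the persistence mechanism that remains visible even if the app folder is renamed.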

Raspberry Pi Foundation was offered money to install Malware

The Raspberry Pi Foundation has been offered money to install malware on its mini computers before they are shipped to users.

The foundation makes an extremely simple computer that looks and feels very basic but can be built into many geeky projects; thanks to its low-cost appeal, it has sold approximately 4 million units.

Last month the foundation unveiled a programmable computer, the Raspberry Pi Zero, priced at just $5. It may rank as the world's cheapest computer.

The revelation came when the foundation last Wednesday tweeted a screenshot of an email in which a business officer, Linda, asked Raspberry Pi’s director of communications, Liz Upton, to install a suspicious executable file onto machines, for which the foundation would be offered a ‘price per install’.

The foundation declined the offer from the unknown company, but the episode raises the question of how widespread such approaches are.