RIG EK delivers Grobios trojan

Exploit kit activity has been declining since the latter half of 2016, but we still periodically observe significant developments in this space, and the RIG EK seems to buck the trend. It has been involved in ongoing activity delivering a wide range of crimeware payloads, and in the latest campaign RIG was seen dropping the Grobios malware, which is built to be a particularly stealthy backdoor and takes great pains to avoid detection and to evade virtual machines and sandbox environments.

The campaign was first seen on March 10 by FireEye Labs, redirecting victims to a compromised domain, latorre[.]com[.]au, into which a malicious iframe had been injected. That iframe, in turn, loads a malvertisement domain, which communicates over SSL and leads to the RIG EK landing page. RIG then loads a malicious Flash file which, when opened, drops the Grobios trojan.

The trojan’s main hallmark is an impressive arsenal of evasion and anti-sandbox techniques, according to FireEye researchers. Blog post co-authors Irshad Muhammad, Shahzad Ahmed, Hassan Faizan and Zain Gardezi report that the developers clearly tried to impede any attempt to dissect the malware, protecting it with multiple anti-debugging, anti-analysis and anti-VM techniques to hide its behaviour and C2 traffic.

“The main purpose of Grobios malware is to help attacker establish a strong foothold in the system by employing various kinds of evasions and anti-VM techniques,” Ali Islam, director of FireEye, told Threatpost. “Once a strong foothold is established, an attacker can drop a payload of his/her choice, which can be anything from an info stealer to ransomware, etc.”

In an effort to evade static detection, the studied Grobios sample was packed with the Windows executables compression tool PECompact. "The unpacked sample has no function entries in the import table," the blog post states. "It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings."

A Critical Command Injection Vulnerability Discovered in DHCP

The Dynamic Host Configuration Protocol (DHCP) client shipped with Red Hat Enterprise Linux has recently been found to contain a command injection vulnerability. It allows a malicious actor who is able to set up a DHCP server, or otherwise able to spoof DHCP responses on the local network, to execute commands with root privileges.

The vulnerability, designated CVE-2018-1111 by Red Hat, was found by Google engineer Felix Wilhelm, who noted that the proof-of-concept exploit code is small enough to fit in a tweet. Red Hat rates it a "critical vulnerability", as noted in the bug report, indicating that it can be effectively exploited by a remote unauthenticated attacker.

DHCP is used to assign an IP address, DNS servers, and other network configuration attributes to devices on a network, and is used in both wired and wireless networks. Since the only prerequisite for exploitation is being on the same network, this vulnerability is of particular concern for systems likely to connect to untrusted public Wi-Fi networks, which most likely means Fedora users on laptops.

Ultimately, any non-isolated network that allows devices to join without explicit administrator approval, which is arguably the whole point of enabling DHCP in the first place, is at risk.

This bug affects RHEL 6.x and 7.x, as well as CentOS 6.x and 7.x, and Fedora 26, 27, 28, and Rawhide. Other operating systems based on Fedora/RHEL are likely to be affected, including HPE's ClearOS and Oracle Linux, as well as the recently discontinued Korora Linux. Since the issue lies in a NetworkManager integration script, it is unlikely to affect Linux distributions that are not derived from Fedora or RHEL.
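Command injection through DHCP is only possible when option strings supplied by the server reach a shell without sanitisation. The following is an added example, not Red Hat's or NetworkManager's code: a small parser that decodes the option list of a DHCP message and flags string-valued options carrying shell metacharacters, so a defender can spot tampered responses in a capture before any client-side script consumes them. Which options a client exports to its hook scripts is an assumption noted in the code, and the sample messages are constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field (RFC 2132)

# Characters that break out of shell quoting or start a command or variable
# substitution. None belongs in a hostname, domain name or URL handed out by a
# DHCP server, so their presence is a strong indicator of a tampered response.
SHELL_META = set("'\"`$;|&<>(){}\n")

# String-valued options that client hook scripts commonly export into the
# environment. Assumption: which options a given client exposes to its scripts
# is implementation-specific; this list is illustrative, not NetworkManager's.
STRING_OPTIONS = {12: "host-name", 15: "domain-name", 17: "root-path", 252: "wpad-url"}


def parse_dhcp_options(message: bytes) -> dict:
    """Parse the TLV option list of a raw BOOTP/DHCP message (bytes from 'op').
    Returns {option_code: raw_value}. A truncated option raises ValueError
    instead of being silently accepted, since over-long length bytes are a
    classic way to confuse a naive parser.
    """
    if len(message) < 240 or message[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    options, i = {}, 240
    while i < len(message):
        code = message[i]
        if code == 255:                      # END option
            break
        if code == 0:                        # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(message):
            raise ValueError("truncated option header for code %d" % code)
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, only %d present"
                             % (code, length, len(value)))
        options[code] = value
        i += 2 + length
    return options


def find_suspicious_options(options: dict) -> list:
    """Return (code, name, offending_chars) for string options that carry shell
    metacharacters: values that would be dangerous if a hook script ever let a
    shell interpolate them."""
    findings = []
    for code, name in STRING_OPTIONS.items():
        if code in options:
            text = options[code].decode("latin-1")   # byte-preserving decode
            bad = "".join(sorted(set(text) & SHELL_META))
            if bad:
                findings.append((code, name, bad))
    return findings


def opt(code: int, value: bytes) -> bytes:
    """Encode one TLV option (helper for building constructed samples)."""
    return bytes([code, len(value)]) + value


def build_offer(options: bytes) -> bytes:
    """Constructed sample: a minimal DHCPOFFER-shaped message around `options`.
    The fixed header is 236 bytes: op/htype/hlen/hops, xid, secs, flags (12
    bytes) followed by the four address fields, chaddr, sname and file (224)."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0) + b"\x00" * 224
    return fixed + MAGIC_COOKIE + options + b"\xff"


# Constructed samples: a clean offer, and one whose host-name option carries
# quoting and substitution characters that no legitimate server would send.
CLEAN_OFFER = build_offer(opt(53, b"\x02") + opt(12, b"wkstn-07") + opt(15, b"corp.example"))
TAMPERED_OFFER = build_offer(opt(53, b"\x02") + opt(12, b"wkstn'$(x);") + opt(15, b"corp.example"))
```

Running `find_suspicious_options(parse_dhcp_options(TAMPERED_OFFER))` reports the host-name option with the offending characters, while the clean offer yields nothing.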


UPnP earns more of a bad name

Universal Plug and Play (UPnP), a set of networking protocols, takes centre stage in yet another controversy, prompting the infosec community to keep its distance from the protocol suite.

After a brief lull, security researchers have uncovered more troubling findings about how UPnP is being used today.

The infosec community has been quick to criticise the protocol following recent revelations by Imperva, a company that provides cyber security software and services.

Researchers studying the issue have identified an effective way to abuse the UPnP protocol. Following a 2017 DDoS attack, Imperva says it developed a proof of concept that helped it understand the UPnP techniques involved.

It was Imperva that spotted that DDoS attack. Imperva’s study and analysis centre on amplification using Domain Name System (DNS) servers and the Simple Service Discovery Protocol (SSDP).

According to the researchers, blocking packets with source port 53 is an effective way to mitigate a DNS amplification attack.

They further observed a number of SSDP payloads arriving from source ports other than UDP/1900, which is how they came to investigate the unconventional SSDP amplification attack in April.

Imperva has put in place defences against a repeat of the 2017-style UPnP attack. Another massive DDoS attack struck in March, with GitHub the worst hit, receiving a sustained 1.3 Tbps of traffic that lasted less than ten minutes.

According to the researchers, once a device's rootDesc.xml file has been located, attackers can readily make use of that device.

Under this scheme, a request can then be made to add a forwarding rule that reroutes all UDP packets sent to the port of an external DNS server.
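The observation above that SSDP payloads arrived from source ports other than UDP/1900 is exactly what defeats a filter keyed on source port 53 or 1900. As an added example (not Imperva's code), the following classifier identifies DNS and SSDP replies from their payload shape alone and flags those arriving from an unexpected source port; the datagram records and addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass


@dataclass
class UdpDatagram:
    """One inbound UDP datagram as a sensor would record it (constructed)."""
    src_ip: str
    src_port: int
    payload: bytes


# Well-known source ports that a port-based filter would key on.
WELL_KNOWN = {"dns": 53, "ssdp": 1900}


def looks_like_dns_response(payload: bytes) -> bool:
    """DNS header is 12 bytes. QR=1 (response), standard opcode, one question
    and at least one answer: the shape of an amplified reply."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    return qr == 1 and opcode == 0 and qdcount == 1 and ancount >= 1


def looks_like_ssdp(payload: bytes) -> bool:
    """SSDP is HTTP over UDP: an M-SEARCH reply starts 'HTTP/1.1 200 OK' and a
    NOTIFY starts 'NOTIFY * HTTP/1.1'; both carry ST, USN or NTS headers."""
    head = payload[:512].upper()
    if not (head.startswith(b"HTTP/1.1 200 OK") or head.startswith(b"NOTIFY * HTTP/1.1")):
        return False
    return any(h in head for h in (b"\r\nST:", b"\r\nUSN:", b"\r\nNTS:"))


def classify(payload: bytes) -> str:
    """Identify the protocol from the payload alone, never from the port."""
    if looks_like_ssdp(payload):
        return "ssdp"
    if looks_like_dns_response(payload):
        return "dns"
    return "other"


def find_port_evasion(datagrams) -> list:
    """Return (src_ip, src_port, proto) for reflected replies whose payload is
    DNS or SSDP but whose source port is not the protocol's well-known port.
    A rule that drops only 'source port 53/1900' passes exactly these."""
    hits = []
    for d in datagrams:
        proto = classify(d.payload)
        if proto in WELL_KNOWN and d.src_port != WELL_KNOWN[proto]:
            hits.append((d.src_ip, d.src_port, proto))
    return hits


# Constructed sample traffic; addresses come from documentation ranges.
DNS_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
             + b"\x07example\x03com\x00\x00\x01\x00\x01"                    # question
             + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")  # A answer
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nUSN: uuid:00000000-dead-beef\r\n"
              b"LOCATION: http://192.0.2.1:1900/rootDesc.xml\r\n\r\n")
SAMPLE_TRAFFIC = [
    UdpDatagram("198.51.100.5", 53, DNS_REPLY),        # ordinary DNS reply
    UdpDatagram("198.51.100.6", 40021, DNS_REPLY),     # DNS reply, evasive source port
    UdpDatagram("203.0.113.10", 1900, SSDP_REPLY),     # ordinary SSDP reply
    UdpDatagram("203.0.113.11", 33512, SSDP_REPLY),    # SSDP reply, evasive source port
    UdpDatagram("192.0.2.77", 33512, b"\x00" * 20),    # unrelated noise
]
```

`find_port_evasion(SAMPLE_TRAFFIC)` returns only the two datagrams whose payload protocol does not match their source port.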

BT and Europol sign agreement to share cybersecurity intelligence data


The European Union Agency for Law Enforcement Cooperation (Europol) and communications company BT have joined forces in an agreement to exchange threat intelligence data.

A Memorandum of Understanding (MoU) was signed by both parties at Europol’s headquarters in The Hague in the Netherlands. Alongside creating a framework for sharing knowledge of cybersecurity threats and attacks, it will facilitate the exchange of information on cybersecurity trends, measures, technical expertise, and industry practices to reinforce cybersecurity in Europe.

To this end, BT will work alongside Europol’s European Cybercrime Centre (EC3), helping in identifying cyber threats and strengthening law enforcement response to cyber crimes.

“The signing of this Memorandum of Understanding between Europol and BT will improve our capabilities and increase our effectiveness in preventing, prosecuting and disrupting cybercrime,” said Steve Wilson, Head of Business at EC3. “Working co-operation of this type between Europol and industry is the most effective way in which we can hope to secure cyberspace for European citizens and businesses. I am confident that the high level of expertise that BT bring will result in a significant benefit to our Europe wide investigations.”

Earlier in the year, BT became the first telecom provider to share information on malicious websites and software with other internet service providers (ISPs) via a free online portal, the Malware Information Sharing Platform (MISP), to help them tackle cyber threats.

The company will now share that information with Europol to aid in cybercrime investigations.

“We at BT have long held the view that coordinated, cross border collaboration is key to stemming the global cyber-crime epidemic,” Kevin Brown, VP, BT Security Threat Intelligence, said. “We’re working with other law enforcement agencies in a similar vein to better share cybersecurity intelligence, expertise and best practice to help them expose and take action against the organised gangs of cybercriminals lurking in the dark corners of the web.”

BT currently has a team of more than 2,500 cybersecurity experts who have so far helped to identify and share information on more than 200,000 malicious domains.

Malicious apps return to Google Play Store

Security researchers from the software company Symantec recently discovered two new sets of malicious apps on the Google Play Store. The first set of seven apps appears to have been re-uploaded under different names after being reported earlier. The second set of 38 apps, disguised as games and education apps, redirected victims to install other apps from the Play Store. They display advertisements and aim to drive traffic to certain sites, and the blog URLs are loaded in the background without the user's knowledge or permission. A further set of 15 malicious apps has also been reported that open ads and download payloads without the user's consent.

All these apps wait four hours before launching the “malicious activity” to evade any user suspicion.

One might assume that the people behind these apps are using some sophisticated technique to fool Google. Surprisingly, all they do is change the name of the app and use a different publisher account to put the malicious apps back on Google Play. What is more striking is that those responsible reuse the same code as in the apps that were reported to Google before.

This is quite alarming, given the security checks Google performs before allowing an app onto the Play Store. Once installed, these apps ask for all the admin permissions they need, then take the user to a Google ad or load scam sites in the smartphone browser. The malicious apps are falsely promoted as calculators, app lockers, call recorders, space cleaners, and emoji keyboard add-ons on the Google Play Store.

Symantec goes on to give the example of the “Android.Reputation.1” malware, which appears to be “hidden in at least seven apps in the U.S”. The company tested these apps and found that none of the “samples” worked as advertised; instead they implemented a number of measures to ensure the app stays on the smartphone, including hiding from the user and erasing their tracks.

New Malware Variant Designed To Swindle Financial Data from Google Chrome and Firefox Browsers

Researchers have recently discovered Vega Stealer, a piece of malware said to have been created to harvest financial information from the saved credentials of the Google Chrome and Mozilla Firefox browsers.

At present, Vega Stealer is only being used in small phishing campaigns, but researchers believe the malware has the potential to bring about major organisation-level attacks, since it is just another variant of the August Stealer crypto-malware, which steals credentials, sensitive documents, cryptocurrency wallets, and other details stored in the two browsers.

On May 8 this year, the researchers observed and blocked a low-volume email campaign with subject lines such as 'Online store developer required'. The email comes with an attachment called 'brief.doc', which contains malicious macros that download the Vega Stealer payload.

Vega Stealer reportedly targets those in the marketing, advertising, public relations, and retail/manufacturing industries. Once the document is downloaded and opened, a two-step download process begins.

The report said: "...The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer. The payload is then saved to the victim machine in the user's 'Music' directory with a filename of 'ljoyoxu.pkzip', and once this file is downloaded and saved, it is executed automatically via the command line."

When the Firefox browser is in use, the malware gathers specific files containing passwords and keys, such as "key3.db", "key4.db", "logins.json", and "cookies.sqlite".

In addition, the malware takes a screenshot of the infected machine and scans for any files on the system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.

While the researchers could not attribute Vega Stealer to any particular group, they maintain that the document macro and URLs associated with the campaign suggest that the same threat actor is behind other campaigns spreading financial malware.
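The two-step chain quoted above (Office document, script host, payload written to the Music folder and launched from the command line) is visible in endpoint telemetry without any signature for the payload itself. As an added example, not the researchers' or the page's code, the following rules run over constructed Sysmon-style process-creation and file-creation events: the field names follow Sysmon's (EventID, Image, ParentImage, TargetFilename, CommandLine), the paths and user name are constructed, the payload filename is the one the report gives, and the encoded command is a placeholder.

```python
import re

# Process names involved in the chain the report describes: an Office document
# whose macro runs a script host, which downloads and launches the payload.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Per-user Music folder on Windows, e.g. C:\Users\<name>\Music\...
MUSIC_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\music\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_stages(events: list) -> list:
    """Run three stage rules over Sysmon-style events (EventID 1 = process
    create, 11 = file create). Returns (event_index, rule) for each match."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                hits.append((i, "stage1: office app spawned a script host"))
            if MUSIC_DIR.match(ev["Image"]) and not image.endswith(".exe"):
                hits.append((i, "stage3: non-.exe file executed from Music folder"))
        elif ev["EventID"] == 11:
            if basename(ev["Image"]) in SCRIPT_HOSTS and MUSIC_DIR.match(ev["TargetFilename"]):
                hits.append((i, "stage2: script host wrote a file into Music folder"))
    return hits


def chain_complete(hits: list) -> bool:
    """True when all three stages were seen. Any one rule alone is noisy; the
    full chain in one host's timeline is a high-confidence alert."""
    stages = {rule.split(":")[0] for _, rule in hits}
    return stages == {"stage1", "stage2", "stage3"}


# Constructed events modelled on the chain in the report (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": WORD,
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\brief.doc"'},
    {"EventID": 1, "ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc ENCODED_SCRIPT_PLACEHOLDER"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\jdoe\Music\ljoyoxu.pkzip"},
    {"EventID": 1, "ParentImage": PS, "Image": r"C:\Users\jdoe\Music\ljoyoxu.pkzip",
     "CommandLine": r"C:\Users\jdoe\Music\ljoyoxu.pkzip"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",   # benign noise
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    found = detect_stages(SAMPLE_EVENTS)
    for index, rule in found:
        print("event %d: %s" % (index, rule))
    print("full chain observed:", chain_complete(found))
```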

On how to stay protected, Ankush Johar, Director at Infosec Ventures, said in a press statement: "...Organisations should take cyber awareness seriously and make sure that they train their consumers and employees with what malicious hackers can do and how to stay safe from these attacks. One compromised system is sufficient to jeopardize the security of the entire network connected with that system."

While Vega Stealer is not the most complex malware in use today, it does demonstrate the adaptability and flexibility of malware, its authors, and the actors using it to accomplish criminal objectives.


Texas police department server again attacked by ransomware

A ransomware attack again hit the Riverside Fire and Texas Police department computer server on May 4. The police department had already lost around 10 months of sensitive data related to active investigations in a previous ransomware attack on April 23.

The ransomware locked the files stored on the infected computer server and even deleted some of them.

The second ransomware attack only came to light when US Secret Service agents involved in the case arrived in the Ohio town to help with the investigation, which has been conducted on the infected servers.

Officials said they did not pay the ransom and were able to recover some of the data from previous backups. Other data they recovered from public court records, but to this day the Riverside Fire and Police department has not fully recovered from the first attack.

This time around, officials appear to have learned their lesson and had been actively making backups on a daily basis. Officials said the second ransomware infection only locked up the last eight hours of work, and the department fully recovered after the second attack.

"Everything was backed-up, but we lost about eight hours worth of information we have to re-enter," City Manager Mark Carpenter told local media. "It was our police and fire records, so we just re-enter the reports."

Cyber criminals infected the police department computer server via an email-based infection vector and demanded payment of the ransom in bitcoin.

Riverside officials said it was unclear how this attack took place, and they planned to meet on May 15 with the city’s third-party information technology company.

Carpenter said, “We’re still trying to get to the bottom of how the attack was initiated. The recent virus attacked the city’s server Friday afternoon and erased about eight hours worth of data.”

IBM eschews removable memory devices

IBM (International Business Machines) has barred its employees from using SD cards, flash drives and USB sticks for fear of a security breach, even as some cyber security experts have called it an impractical way to stop anyone from stealing data.

Employees of the American multinational technology giant around the world have already received a set of guidelines asking them to refrain from using these removable memory devices from the end of May, citing the risk of financial and reputational damage.

Issued by the company’s global chief security officer Shamla Naidoo, the advisories do, however, allow employees to rely on the internal network, which the company describes as safe and secure.

The computer giant says a looming threat to its cyber security standards has forced it to take this course of action, which it describes as a long-term measure to counter the possible damage.

One school of cyber security experts has called it a step in the right direction, adding that such devices can help anybody steal sensitive data from the company, to the benefit of hackers developing malicious software.

But in the same breath, they observed that the company would face some hurdles and hiccups in implementing the guidelines in the initial stage.

Other experts who study cyber security threats have called it a problematic approach, adding that IBM staff who use these devices for legitimate purposes might be forced to change their workplace.

They further said that banning these devices alone will not stop somebody from stealing data, and that the measure is an “unwanted” and complete “over-reaction” by the company’s management.

The company says that, for now, the measures are confined to a few departments only, but that they will apply to all IBM departments worldwide, where employees will no longer be allowed to use these devices.

Researchers Demonstrate How To Bypass Two-factor Authentication

We are switching to two-factor authentication (2FA) to secure our data and systems, but does it provide fool-proof security?

No, according to Kevin Mitnick, a security researcher at KnowBe4: it is very easy to deceive this defensive measure.

While showcasing his new exploit, he showed that hackers could easily spoof the 2FA flow by sending users a fake login page that appears legitimate to the victim. This can lead to exposure of sensitive data such as the username, password and session cookie.

2FA is a technique that provides an extra layer of security, popularly known as “multi-factor authentication”: it requires not only a username and password but also something only the user has immediately to hand, typically a phone number to which some kind of code or OTP is sent.

“Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization,” said Kuba Gretzky, a white hat hacker.

"The tool is called evilginx. The attack method is based upon proxying the user via the hacker’s system through a credentials phishing technique, which requires the use of a typo-squatting domain. The idea is to let the user give away his/her credentials so that the hacker could steal a session cookie," added Gretzky.

EE left a critical code system exposed

EE, a British mobile network giant owned by BT Group, has been accused of leaving a critical code repository on an open-source tool protected only by a default username and password. The company has over 30 million UK customers.

The code repository contained two million lines of code across EE’s website and customer portal, including access to the company’s private employee and developer APIs and Amazon Web Services (AWS) secret keys, a teenage security researcher revealed.

The security researcher, who goes by the Twitter handle “six” and is also the founder of Project Insecurity, found a SonarQube portal (an open-source platform developed by SonarSource) on an EE subdomain, which the mobile giant uses to audit its code and discover vulnerabilities across its website and customer portal.

He said that obtaining those keys could let a malicious hacker gain a greater foothold into the company's storage buckets, web servers, and other sensitive data, like debug logs. The hacker could analyse the code of their payment systems, and find major holes that could lead to theft of payment information.

"You trust these guys with your credit card details, while they do not care about security or customer privacy," he said in a tweet.

Luke Brown, VP EMEA at enterprise security specialists WinMagic said in an emailed statement: “We’ve seen quite a number of incidents these past few months where data has been left exposed on servers and open-source tools, but to have kept the default password on a repository created to audit code for flaws and vulnerabilities…. The irony won’t be lost on anyone! ”

He added: “That a company as reputable as EE could have made this mistake underlines the importance of proper configuration and security for any public facing services. It should also serve as a reminder that under the shared responsibility model of cloud security, responsibility for data stored in these repositories falls to the organisation, not the cloud provider. As a result, the need for consistent policies, password rules and specialised data encryption management has never been greater.”

An EE spokesperson said: "No customer data is, or has been, at risk."

The Exploitation of Rowhammer Attack Just Got Easier

With a growing number of hacks and exploits focused solely on fundamental properties of the underlying hardware, Rowhammer, an attack known since 2012, remains a serious issue with recent generations of dynamic random access memory (DRAM) chips: repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, enabling an attacker to alter the contents of the PC's memory.

All previously known Rowhammer attack methods required privilege escalation, meaning the attacker needed to have already found and exploited a weakness in the system. Unfortunately, that is no longer true: researchers have discovered that a Rowhammer attack can be triggered using network packets.

Termed 'Throwhammer', the newfound technique could enable attackers to launch Rowhammer attacks on targeted systems simply by sending specially crafted packets to vulnerable network cards over the local area network.

A week earlier, security researchers detailed a proof-of-concept Rowhammer attack technique, named GLitch, that uses embedded graphics processing units (GPUs) to carry out Rowhammer attacks against Android devices.

However, all previously known Rowhammer attack methods required privilege escalation on the target device, meaning that attackers needed to execute code on the targeted machine, either by luring victims to a malicious website or by tricking them into installing a malicious application.

Unfortunately, this limitation has now been eliminated, at least for some devices. Researchers at Vrije Universiteit Amsterdam and the University of Cyprus have discovered that sending malicious packets over a LAN can trigger a Rowhammer attack on systems running Ethernet network cards equipped with Remote Direct Memory Access (RDMA), which is widely used in clouds and data centres.

Since RDMA-enabled network cards allow computers in a network to exchange data (with read and write privileges) in main memory, abusing this to access the host's memory in rapid succession can trigger bit flips in DRAM.

"We rely on the commonly-deployed RDMA technology in clouds and data centres for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers. These corruptions allow us to compromise a remote Memcached server without relying on any software bug," the researchers said in a paper [PDF] published Thursday.

Since triggering a bit flip requires a huge number of memory accesses to particular DRAM locations within milliseconds, a successful Throwhammer attack requires a very high-speed network of at least 10 Gbps.

In their experimental setup, the researchers achieved bit flips on the targeted server after accessing its memory 560,000 times in 64 milliseconds by sending packets over the LAN to its RDMA-enabled network card.

Since Rowhammer exploits a weakness in computer hardware, no software fix can completely settle the issue once and for all. The researchers believe that the Rowhammer risk is not only real but also has the potential to cause serious damage.

For more in-depth information on this new attack technique, readers can consult the paper published by the researchers on Thursday [PDF], titled "Throwhammer: Rowhammer Attacks over the Network and Defenses".