Internet threat news
As of the first of May 2017 a new version of the CryptoMix, or CryptFile2, ransomware has been detected. This new version uses the Wallet extension for encrypted files. Previously, the Wallet extension was used on Dharma/Crysis and Sanctions ransomware. This new version of CryptoMix is currently using the following payment email addresses: email@example.com, firstname.lastname@example.org, and email@example.com. This variant was first detected by Robert Rosenborg an independent security researcher and later confirmed by MalwareHunterTeam. Lawrence Abrams conducted some research into the new version and contends that what makes this version so frustrating and insidious is that it makes it harder for victims to detect what ransomware they are infected with.
Currently, at the time of writing, no guides exist to remove this version from the affected systems. If you believe you have been infected with this new version you must lock down the network you are on as Wallet will also scan unmapped network shares for files to encrypt.
Last year hackers were caught on camera using their smartphones to empty ATMs. The thieves stole $2.2 million USD before they fled the country. Nixdorf, the ATM maker, said three different strains of malware were found on the devices. Software on the smartphone enabled the malware.
Security researchers speculated how the hackers were able to load the malware. Some said that networking devices on the device have well-known default passwords. Another said all you needed to do was attach a USB device and boot from that.
Now hackers have done some variation of both by drilling an 8 cm hole into the front and then passing a cable inside and connecting that to a 10-pin connector. They then connect the cable to a computer and send instructions that causes the machine to dispense cash.
Cross-Site Request Forgery (CSRF) is a hacking technique of getting a user who is logged into an application to execute certain commands while authenticated and logged in. The Magento shopping cart (version 2.1.6 and below) has a security issue that allows that. Magento has known about this for some months but as of April 2017 still had not fixed it. Defense Code contacted the company and told them this is a red critical security problem.
Magento is an ecommerce engine for web sites. Defense Code reports that a hacker can exploit the site by using a feature that previews a video before it loads a Vimeo video. The hacker can change the POST to a GET, either in a malicious web page or HTML embedded in an email) and request a file that is an invalid image file, like a .php program. The system will respond saying the file type is invalid but will download it anyway.
Threat Intelligence feeds are designed to provide real time updates on hostile domains, IP addresses, and active malware on the internet. These are two kinds of data feeds: free and paid.
The idea with data feeds is you use those to block IP addresses and IP address ranges, domains with certain registrar email addresses, etc. But just doing that will block legitimate traffic too. So you need to train machine learning algorithms with legitimate sources of data too. For example, you can get firewall logs from all over the word at DShield here and build a list of IP addresses from that. (They will ask you to fill out a form as hackers would like to get their hands on such a list as well.). Dshield users are encouraged to contribute their own firewall logs there to help build up their database.
The SANS Internet Storm website publishes various feeds here.
Heimdal Security says the Rig Exploit Kit has been used to plant Cerber ransomware on domains ending with the .news suffix, including the shortened list shown below. (Cerber has the unique feature of talking to its victims.)
An exploit kit is a set of tools developed by criminal gangs. They keep a staff of programmers to keep the product up-to-date and add improvements.
Virustotal reports show that only 2-5 out of 68 Anti-Virus products they tested can detect this type of attack. (You can enter the URL of any site here and Virustotal will check it.)
The Rig Exploit kits looks for and then attacks any of the products shown below to gain remote code execution privileges.
Wikileaks still has not published all of the source code of the CIA zero-day defects that they mentioned a few weeks ago. This is while Julian Assange negotiates with affected hardware and software vendors when to give them this code so they can fix these security weaknesses before Wikileaks publishes all of that. There is some pushback from the vendors who worry about the legal implications of using stolen classified material themselves and some unknown conditions insisted upon by Mr Assange.
Now WikiLeaks has published the second batch of Vaul 7 documents, which they call “Dark Matter.” These detail how the CIA has been hacking iPhones and Macs.
There is not much danger that hackers are going to be able to replicate what the CIA has done as they are using old fashioned spycraft. The CIA has managed to plug itself into the Apple supply chain to physically get their hands on these Apple devices and modify their firmware so that the CIA can use them to spy on their targets. This means they either have someone working with them in the chip manufacturing and distribution process or are attacking these devices in the mails as they are shipped to customers.
On the Mac, the attack is against EFI/UEFI. This is also called bios. This is the hardware part of the boot up process that loads before OS X loads. Even if a Mac user suspects that their device has been infected, if they wipe the device or upgrade the OS they cannot eliminate the firmware, because it is built into the CPU. That is the same for the iPhone.
Unlike the first publication of CIA documents, this time we have complete instruction manuals for the Sonic Screwdriver, DerStarke, Triton, and DarkSeaSkies exploits published online, as web pages and PDFs.
A watering hole attack is one way that hackers can go after an individual organization or type of organization. Unlike a phishing attack it is designed to infect websites that people are known to frequent based upon where they work. For example, they could infect the website of a delivery pizza service near the bank or another intended target. Or they could infect a website that lawyers might frequent, like the county civil court. A watering hole attack too can work when phishing is not working, because employees have been carefully trained to look out for that.
The watering hole principle is target to the weakest link, an approach that has been shown to work in cyber or any kind of attack. The term “watering hole” means a bar people frequent as well as a source of water where animals can drink.
If the target is a bank - who presumably has the best security available - then one way to attack the bank is to attack websites bank employees use. Then they can download malware onto the employee’s computer and proceed to attack other computers and networks from there.
In Outside the Closed World: On Using Machine Learning for Network Intrusion Detection the authors write: "In network intrusion detection research, one popular strategy for finding attacks is monitoring a network's activity for anomalies: deviations from profiles of normality previously learned from benign traffic, typically identified using tools borrowed from the machine learning community. However, despite extensive academic research one finds a striking gap in terms of actual deployments of such systems: compared with other intrusion detection approaches, machine learning is rarely employed in operational "real world" settings."
This paragraph points out the problem of using intrusion detection, anti-malware, anti-spam, and firewalls by themselves to protect one’s infrastructure “despite extensive academic research” and given the availability of machine language tools.
A security researcher at Google was doing security research when he noticed that data coming from CloudFlare included passwords and other private data. He conferred with his colleges who confirmed the problem. Then he quickly got on Twitter and sent an urgent message to CloudFlare asking them to contact him right away.
The media was quick to proclaim this another HeartBleed bug and sounded the alarm.
CloudFlare is a Content Distribution Network (CDN) used by such mega companies as Uber. Many smaller companies use it too. What CloudFlare does is route web traffic through its global network thus bringing the web pages closer to its users and reducing latency. In other words it makes web pages load faster in, say, Germany than having to make the round trip to Silicon Valley. That shaves as much as 500 milliseconds (½ second) off the load time.
This episode was an embarrassment for CloudFlare. The data that was leaked included instant messages from dating websites like OKCupid. It also included cookies, encryption keys, and authentication tokens.
The Deep Web is that part of the internet where hackers sell exploit kits and stolen data. Such sites are often hard to find. Many require an invitation from someone else to join. Some, like AlphaBay, hide behind the Tor network.
TrendLabs Security reports that data stolen from US hospitals is showing up on markets there. Prices range from $1 for a patient profile to $500,000 for a complete database.
This data has value on several fronts. This data has lasting value because it includes Social Security numbers, which, unlike credit card numbers, is something that people cannot change. It is also harder to obtain since retailer databases do not store those. Thieves can sometimes use prescription information to obtain controlled substances dispensed using the mails. But more valuable is the personally identifiable information (PII) which can be used for identity theft. This includes making fake tax returns and then applying for a refund from the government under that person’s name. They can also make fake claims to an insurance company for reimbursement. And they can create identities for criminals on the run, terrorists, or whoever by using the data of people who are deceased. That is called a farmed identity and sells for about $1,000.
The massive DDOS attack on the Akamai CDN (content distribution network) that last year took down Netflix, Amazon, and others because of compromised IP cameras that were using a default password shined the spotlight on IoT security. In particular, there is the concern about attacks on heavy industrial machinery, valves, gas pipelines, turbines, electric grids, etc. and other equipment. Many if not most of these use the ModBus protocol to communicate between PLC and SCADA devices, which control this equipment. ModBus has no authentic at all and transmits its data in clear text.
Most industrial machines do not have a public IP address. Ethernet does not even work throughout all of the plant as part of the industrial network is serial and other protocols that a hacker could not attack using tools written for Linux or Windows.
The most famous of all industrial ICS hacking was the Stuxnet worm launched by the USA and Israel against Iran’s nuclear fuel enrichment program. By hacking PLC controllers the spies were able to cause expensive centrifuges used to separate fuel to rotate at such high speed that they broke.
As we have said before, it seems hardly a week goes by without an announcement of another security weakness found in Adobe Flash. This week we discuss two.
HTML5 was supposed to replace Adobe Flash. The goal was to have a standard that browser designers could use to process video without having to rely on 3rd-party software for that. But for different reasons, most sites still use Flash. Steve Jobs at Apple famously wrote in 2010 that he would not allow Flash onto the iPhone or iPad. He later backtracked, in part because of the threat of anti-competitive litigation. Plus website owners whose videos would no longer work complained in large numbers.
The Flash Player is built into most browsers. For example in Google Chrome you can type chrome://plugins/ and you will see something like:
Adobe Flash Player - Version: 220.127.116.11
Shockwave Flash 24.0 r0
The two new exploits are CVE-2016-4117 Flash Zero-Day Exploited in the Wild and CVE-2016-1019 A New Flash Exploit Included in Magnitude Exploit Kit, reports FireEye. Those vulnerabilities are in version 18.104.22.168 and and 22.214.171.124 and older. They have been fixed by Adobe.
Adobe thanked the security researcher @kafeine for finding the second one. It is related to some of the hacking techniques leaked to WikiPedia by The Italian Team, author of million dollar exploits sold to governments and others.
Metasploit is a tool that white hat hackers use to do penetration testing. No doubt criminals use it too.
What Metasploit does is take exploits gathered by thousands of contributors and package them into scripts and a command line and web interface so that security admins and analysts can test if any of the computers on their network are subject to any known vulnerabilities. If they are then they need to be patched against that vulnerability.
The product is open-sourced, Metasploit says, but you still have to pay for it. You can download the Community Edition and use that free for 1 year. The Professional version is free for 14 days. Both are open-sourced in that anyone can write code that exploits a vulnerability and then contribute that to Metasploit.
To get you started with learning this tool, Metasploit provides a virtual machine called Metasploitable that you can run with VMWare or VirtualBox. This is an Ubuntu VM that has been deliberately loaded up with security flaws, such as out-dated versions of software and misconfigured software and using default passwords that Metasploit can guess.
You download and install Metasploit. Then it sets up a web interface. But that is mainly useful for scanning hosts. It’s easier to run exploits from the command line. On Ubuntu, that is /opt/metasploit/msfpro. The name is “pro” even for the Community Edition. You have to remember to run this with sudo privileges or it will throw an error.
“To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release.”
Microsoft says that Security Advisories flag security problems with Microsoft products. They are released as issues are found. Security Bulletins are issued monthly as a update for the issues found that month. The Advisory updates only the component mentioned in the Advisory. Bulletins update the whole OS or a packaged bundle, like the .Net runtime. Advisories are targeted to programmers who can update the single subroutine mentioned in the advisory. So it is a way to issue the fix ahead of the bulletin. But it is not always going to help people who are using apps written by 3rd parties until the 3rd parties update those. Microsoft keeps older versions of its run-time components in Windows to support apps that have not been updated to use the newer components.
Page 2 of 11<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>