Viewing entries in
web security


NCSC - Weekly Threat Report 22nd June 2018

This report is drawn from recent open source reporting. 

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.

Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.

In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).

The fake Adidas site uses homographic web links, where a character is replaced by a similar looking symbol:

  • Example 1: www. thisisarealwebsite
  • Example 2: www. thisisarea|website

The letter ‘l’ in the second website name is a symbol, but at a quick glance it is not immediately obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.

The NCSC has further information on how to protect yourself from phishing scams here. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.

Cryptojacking malware is reportedly becoming harder to detect and sometimes operates to coincide with times where the device is not normally used, and thus remains undetected.

This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.

In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.

Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.

To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.

Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its Github account had been compromised just under a week earlier.

An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original program but was detected by Windows Defender SmartScreen due to its lack of signature. As the code had been modified it was no longer recognised as legitimate and designated as being from an 'unknown publisher'.

Github consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.

Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.

The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.

The NCSC has issued guidance on 2FApassword managementmitigating the threat of malwareand identity authentication.

The NCSC website also maintains a general guide on measures to improve security online.

Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.

Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.

LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.

Good cyber hygiene is important in mitigating malicious software such as Lokibot, and users should ensure they apply recommended security updates and use antivirus software.

Additional security features such as the use of two factor authentication (2FA) for online accounts significantly reduces the risks users face.

Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.


.author-name { display: none; }


NCSC Guidance Notice - Increased Cyber Threats: Security steps to take

Measures to protect and prepare your systems in the face of heightened cyber security threats 

This guidance outlines the security steps that your organisation should take in response to an increased threat of cyber attack. It’s aimed primarily at larger organisations, but the advice here is relevant to anyone who feels their systems may be targeted by cyber attack.

So, whether you hold customer data, maintain an online service or simply rely on digital services to keep your business running, these steps will help you to avoid the consequences of a successful cyber attack. And if the worse comes to the worst, they’ll help you determine what went wrong and recover quickly.

The advice we give here selects some priority measures from the comprehensive collection of cyber security advice on our website.

Increased cyber threats

How will you know if you are at an increased risk of cyber attack? There are many sources of information on this subject, including the mainstream media. There are a number of commercial, and industry specific information-sharing resources as well as the CiSP platform detailed below.

Steps to take now:

If you are concerned about the possibility of your organisation coming under cyber attack, the NCSC recommends three actions that you should undertake immediately:

1. Your organisation should undertake a readiness review and identify:

  • all available sources of logging
  • where those logs are stored
  • how long those logs are retained
  • who has access to them
  • that logging events are currently being generated

2. You should review your Denial of Service protection for key platforms, including websites and any digital services you offer.

3. Your organisation should sign up to the Cyber Information Sharing Partnership (CiSP), giving you access to valuable threat information, from your peers and official sources, all in a secure environment. The registration process isn’t instant, so start the sign-up process now.

These measures will help in the detection of cyber attacks and give you some front line protection against Denial of Service (DoS) attacks.

Steps to take in the coming weeks:

1. Improve Defences

The NCSC’s 10 Steps to Cyber Security gives you a comprehensive overview of the areas you need to consider when looking to improve the defensive posture of your organisation’s IT. A few notable areas for consideration are:

  • Your organisation should review its asset and vulnerability management processes and ensure they are in line with the NCSC advice. Where a service is found to be vulnerable and/or not required for business purposes, consider disabling it.
  • Administrators should use ‘normal’ accounts for standard business use. Highly privileged administrative accounts should not be used for high risk, or day to day user activities such as web browsing and email.
  • Create and maintain a whitelist of authorised applications that can be executed. Systems should be capable of preventing the execution of unauthorised software by employing process execution controls. The NCSC has published advice on how to do this on End User Devices.

2. Improve detection capability

Your organisation should securely store and have ready access to logs. We recommend storing key identifying information for three months. It helps to store logs for longer if you can, as this gives you a greater capacity for analysing attacks which may have gone undetected for some time. The logs that should be stored will vary according to the details of your IT estate.

It is important to log events, even if you have no proactive capability to examine them.

If there is a suspected incident the logs will:

  • make it easier to prove an attack has taken place
  • provide detail of how an attacker got into your system and what they were able to access (this information will make remediation more effective)
  • allow the NCSC to release Indicators of Compromise (IOCs) such as malicious IP addresses or email addresses. These can be used by other organisations to identify whether they have also been targeted

3. Improve response capability

Review your backup policy and ensure a systematic approach is implemented. The ability to recover your system from archived data should be tested.

Full packet capture is regularly requested as part of Incident Response. Consider how you would go about performing this on your organisation’s internet connection(s) and take action now to facilitate future packet capture. Identifying how to do this after a breach will delay effective response.

The NCSC is regularly notified of malicious activity observed ‘in the wild’ and operates a service to inform registered network owners. To enable this service, you need to contact who will supply you with a form to complete with your organisation’s details. 

Make sure your staff are familiar with your organisation’s incident management plan and, if necessary, ensure that arrangements are in place to bring in additional technical expertise. The NCSC has a list of certified Cyber Incident Response companies.

If an incident occurs

Please report incidents to the NCSC 24/7 Incident Management team if the following applies:

  • Significant loss of data, system availability, or control of systems
  • Unauthorised access to or malicious software present on IT systems.

Business as usual

Though the measures outlined above are essential first steps towards healthy cyber security for your organisation, they may entail some effort to put in place, and even some disruption to your usual operations. You should take this into account when putting them into action.

You should also ensure that you continue with any planned upgrades, patching regimes and security enhancements in line with the NCSC’s existing guidance.


.author-name { display: none; }


NCSC - Weekly Threat Report 18th May 2018

It’s not just production that needs securing

Most large companies will use an online development environment to build and test code prior to deployment on outward and inward facing networks.

Much of the code found in development environments is sensitive and critical to running and managing a business. The unauthorised disclosure of code could allow cyber actors to identify exploitable weaknesses.

Recent open source reporting has highlighted a compromise of a company’s development environment, resulting in unauthorised access to two million lines of code, application programme interfaces and secret access keys to Amazon Web Services.

A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, which was most likely the default setting for the environment.

The latest incident follows on from other reported incidents around insecure repositories and third party storage solutions, where users have failed to alter the default settings and/or configure the environments incorrectly and subsequently exposed large volumes of sensitive data.

The failure to secure development environments poses a number of threats to an organisation including:

  • Stealing of sensitive information (such as encryption and access keys, passwords, knowledge of security controls or intellectual property)
  • An attacker embedding malicious code in your project without your knowledge
  • Using a compromised development device as a proxy to further attack your build and deployment pipeline, through to production
  • Understanding how your sensitive applications work - a first step in the planning of an attack

The NCSC has previously issued guidance on securing development environments as well as approaching enterprise technology with cyber security in mind.

GDPR-inspired phishing scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have been sent a link advising users that their accounts had been “limited” due to unusual activity and then asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are then directed back to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) protocols when directing users to the page controlled by them, bypassing anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.

The NCSC has published phishing guidance and you can also read the GDPR security outcomesthat have been developed by the NCSC and the Information Commissioners Office (ICO). The ICO is the UK's supervisory authority for the GDPR and has published a lot of helpful guidance on its website.


.author-name { display: none; }


NCSC - Weekly Threat Report 20th April 2018

This report is drawn from recent open source reporting. 

Cyber criminal groups identified on social media

Last week Facebook deleted around 120 private discussion groups - equating to more than 300,000 members - that were promoting a host of illicit cyber criminal activities, including spamming, selling stolen debit and credit account credentials, phony tax refunds, DDoS-for-hire services and botnet creation tools.

The groups had reportedly been operating on Facebook for an average of two years, although some had been in operation for up to nine years. The deletions were a result of analysis work carried out by a cyber security researcher using common terminology for this type of activity and it is likely that there are many more sites of this nature on Facebook and other social media platforms.

The use of social media to advertise illicit goods and services is perhaps not as well reported as the use of darknet criminal marketplaces (such as Alphabay and Hansa that were taken down by law enforcement last year) but it is of no surprise that criminals will seek to utilise whatever means available to peddle their wares.

From past experience, Facebook’s deletion of these groups is unlikely to have a long term impact, as the activity will likely be displaced elsewhere, or the groups will use names that are less obviously associated with cyber crime, to make their detection more difficult.

Airline database hacked by disgruntled former employee

A former employee at the Alaskan airline PenAir hacked her previous employer’s flight reservation system in an apparent retaliation for being fired.

Before leaving the company the individual created a fictitious user profile with escalated privileges to enable future system access. She then used this fictitious account to block other users’ access and to delete critical data.

In a second attack she also deleted seat maps used to allocate passenger seats. PenAir realised their data had been disrupted and worked through the night so that service was resumed by the morning with no impact to customers.

Identified following an FBI investigation, the individual pleaded guilty to the charges against her and was charged with carrying out fraud in ‘connection to computers’.

User privileges should always be managed and reviewed regularly. The principle of ‘least privilege’ should be followed. The NCSC has released guidance for managing user privileges as part of our 10 steps to Cyber Security: 10 Steps: Managing User Privileges.

Thai mobile operator in reported data breach due to poor cloud security

TrueMove H, a major mobile operator in Thailand, suffered a data breach involving the personal data of around 46,000 customers, including images of identity documents such as driving licences and passports.

A security researcher uncovered the breach using open source tools to scan for publicly accessible information on misconfigured Amazon Web Service Simple Storage Service (AWS S3) buckets, a popular cloud storage solution. The researcher claimed there was no security protection for the files and therefore all he needed to gain access to the data was the URL.

The default setting for S3 buckets is 'private'. AWS best practice is to never open access to the public and to control access to S3 resources using a combination of Access Control Lists (ACLs) and bucket policies.

The NCSC advises that anyone seeking to exploit the benefits of cloud storage solutions should ensure that the security of the data is a prime consideration.

If you're using or considering using Cloud technology, we recommend reading the NCSC's Cloud Security Collection and Implementing the Cloud Security Principles.

Attacker dwell time on victim networks still too long

Security company Mandiant's latest M-Trends report has revealed there are, on average, 101 days between an attacker compromising a system and the victim detecting the compromise, with this increasing to 175 days for companies in Europe, the Middle East and Africa.

While this is a decrease from 416 days in 2011 , the current dwell time means attackers still have ample time to achieve their goal.

Attackers are always developing new and improved ways of committing network intrusions, leading to data breaches, but often they are looking for the most simple weaknesses in our defences. Following basic cyber security good practice can prove effective in preventing such breaches from happening.

The NCSC’s Cyber Essentials scheme provides relevant advice to help improve network security, alongside 10 Steps to Cyber Security.


.author-name { display: none; }


NCSC - Weekly Threat Report 5th January 2018

'Meltdown' and 'Spectre' vulnerabilities to microprocessors

Reports of new security flaws affecting microprocessors called ‘Meltdown’ and ‘Spectre’ surfaced this week. Processors in most devices employ a range of techniques to speed up their operation, and the vulnerabilities allow some of these techniques to be abused to obtain information about areas of memory not normally visible to an attacker. As a result, normally difficult actions - such as recovering passwords - are theoretically made easier.

However, an attacker would still need to run code on a device. Access would typically be gained via well-known means, such as phishing attacks or browsing malicious websites. At this stage there has been no evidence of any malicious exploitation and patches are being produced for the major platforms. The NCSC has pro-actively advised that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available, and has recommended that home users enable automatic updates so future security measures are installed.

Further advice for enterprise administrators and home users can be found on this website.

Cyber-enabled fraud: an increasing threat for 2018

Media reporting highlights an alleged attempt by hackers to steal funds from Russian bank Globex. The hackers appear to have used legitimate credentials to access the SWIFT international payment system to attempt fraudulent wire transfer requests valued at 55 million roubles (c. £700,000).

This attempted theft highlights that poor end user security is still a problem for some global financial institutions.

Increasingly, cyber thieves are attempting to harvest legitimate login credentials, and then commit fraudulent activity using the accesses that these legitimate credentials provide. Most notoriously, around US $81 million was stolen from Bangladesh Bank in February 2016.

Analysis of the Bangladesh Bank theft indicates that the hackers responsible likely implanted malware into the banks servers to steal legitimate SWIFT credentials, which were then used to conduct the fraudulent transactions.

Most organisations in the UK finance sector will have sufficient cyber security measures in place to protect against the type of fraud which occurred against the Bangladesh and Globex banks, however, globally, this trend of cyber-enabled fraud, which seeks to acquire and then abuse legitimate credentials, is likely to continue throughout 2018, and it is likely to be attempted against UK organisations across all sectors.

Cyber attack forces US hospital offline

The Jones Memorial Hospital in the US state of New York was hit by a cyber attack this week impacting some of its information services. The hospital stated that they used standard computer downtime procedures in response, and they believe no patients’ financial or medical information has been compromised.

The exact cause of the incident was not revealed, although similarities can be drawn to previous ransomware attacks against healthcare providers in the US. While all sectors are vulnerable to such attacks, healthcare organisations in the US are more likely to be specifically targeted by cyber criminals because they operate privately, for profit and have a high reliance on access to data. As a result, these organisations also tend to have appropriate response and backup procedures in place, enabling them to limit the operational and financial impact of cyber attacks.

The NCSC has published guidance on how to prevent a ransomware incident and what to do if your organisation is infected.


.author-name { display: none; }


NCSC - Weekly Threat Report 03 November 2017

Fake speeding notices deliver malware

Police forces around the UK are warning motorists not to be taken in by a phishing email falsely informing them that they need to pay a speeding fine. The realistic-looking email, entitled ‘Notice of Prosecution’, claims to have ‘photographic’ evidence, but clicking on the associated link will upload banking malware to the victim’s device.

The email appears official, with the logos of either the local police force or ‘’, but there are several features that indicate that it is fake. Spelling and grammatical errors are fairly obvious, but the speed at which the vehicle was allegedly caught is unrealistic, e.g. travelling at 89mph in an area with a 25mph speed limit.  Phishing emails rely on several factors to be successful, including evading spam filters, the appearance of credibility, and being able to make the recipient take action immediately.

The police have advised that any ‘Notice of Prosecution’ would be posted to the vehicle owner’s address and never sent in an email. They also advised people to delete the email without clicking on any links.

Code-signing certificates worth more than guns on the Dark Web

An investigation by a company specialising in identity protection solutions, into the sale of code-signing certificates on the Dark Web suggests they are selling for up to $1,200, making them more expensive than fake driver’s licences, stolen credit cards, commissioning a targeted cyber attack, or even buying a handgun. This relatively high price presumably reflects customer demand.

This is not the first time that security researchers have highlighted the issue of stolen or fraudulently obtained code-signing certificates. Since at least 2011, they have noted a trend for both cyber criminals and APT cyber actors to sign their malware using stolen or fraudulently obtained certificates to bypass security measures. Signed code tends to be treated as trusted and some operating systems will flag up, or refuse to run, code that is not signed.

Over the years, attackers have managed to sign their malicious executables with certificates obtained by a variety of methods – reportedly stealing them from technology companies (including some well-known names), penetrating the networks of companies and using their signing facilities, or applying for certificates in the names of fake companies or real companies who have no need for them. As far back as 2010, the destructive worm Stuxnet included components that were signed with stolen certificates. More recently, the cyber actors who corrupted an update of clean-up tool CCleaner managed to get the update signed.

Amongst other things, this highlights the fact that, when attackers do manage to penetrate a network, they will often seek out things that facilitate further intrusions – like passwords (not only password caches, but sometimes also emails containing passwords or access codes), cookies, digital certificates and keys. System administrators should make sure they know where these are located.

The Dark Overlord – Systematic cyber-enabled extortion

A cyber crime group called ‘The Dark Overlord’ has claimed responsibility for conducting cyber-enabled extortion campaigns in recent weeks. Victims include a London-based plastic surgery clinic and a Hollywood production studio, both of which are believed to have a number of high-profile clients. The group has a history of hacking organisations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain. They leak snippets of data to the media to encourage them to report on their activity. This is aimed at “proving” that a breach has taken place, and increases the pressure on the victim to pay the ransom. ‘The Dark Overlord’ has been responsible for indiscriminately targeting health institutions, schools and media production companies over the last year.

Any organisation that deals with sensitive personal information (e.g. medical institutions, law firms) is at a higher risk of being targeted, and owes a particular duty of care to its clients because of the risk of severe emotional distress if client data is made public.  Whilst evidence of the stolen data is often provided, the volume and sensitivity of the data may be exaggerated to maximise impact. This may inspire other cyber extortionists to adopt a similar methodology, especially as new opportunities present themselves due to an increasing amount of sensitive data being stored online. Any data breach and the associated media exposure may cause significant reputational damage and loss of business.


.author-name { display: none; }


NCSC - Weekly Threat Report 5th May 2017

This report is drawn from recent open source reporting

Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’

Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.

The attack relied upon social engineering methods rather than technical intrusion techniques. However, the individual was still able to trick the organisations into transferring over $100 million between 2013-2015, highlighting how cyber-enabled social engineering can be effectively used to commit fraud.

The individual posed as a manufacturer which both firms had existing business relationships with, and sent emails which were designed to look like they came from the manufacturer. The emails contained forged invoices and contracts which appeared to have been signed by executives. This is less technically sophisticated than some other cases of BEC whereby the third-party supplier’s legitimate email is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.

Large organisations are especially vulnerable to attacks such as this: often suppliers and individuals have less face to face interaction, and therefore may have reduced opportunities to identify bogus or suspicious transfer requests through conversation.

Fraudulent communication to convince organisations to transfer funds is not new, however it is increasingly common as a low cost, high return crime. Other variations on this attack include

  • Spear-phishing emails co-ordinated with phone calls confirming the email request
  • Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
  • Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
  • Use of social media to research or make contact with potential victims

The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.


Facebook outlines plan to combat information operations

Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this would be the 2013 fake “alert” from one of America’s most trusted news sources, briefly fooling some news outlets into reporting that an explosion had occurred at the White House and causing the Dow Jones to drop 145 points in two minutes.

Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.

Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.


Mainly platform agnostic/cross platform updates this week, leaning towards Linux and Unix based systems.

Intel released a fix to their Active Management Technology to address a flaw which could allow remote and local users to gain elevated privileges. A mitigation guide has been published here.

IBM released two updates for WebSphere to fix a browser redirect and cross-site request forgery vulnerability, and an update to DB2 to address a bug that could allow a local user to obtain root privileges.

Xen saw a number of updates to fix elevation of privilege bugs.

HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.

Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal updated a flaw that could allow access to the target system and FreeBSD fixed a bug which could cause the target to reload.

Debian updates this week include LibreOffice, Ghostscript, Freetype, weechat, Libxstream-Java, MySQL-Connector-Java, Tomcat7 and Tomcat8.

ICS updates this week came from Advantech, CyberVision and Schneider Electric.

No individual sector is anticipated to be impacted more than any other this week.


.author-name { display: none; }


Two major US technology firms 'tricked out of $100m'

Evaldas Rimasauskas posed as Asian-based hardware manufacturer to trick staff into wiring him money

Evaldas Rimasauskas posed as Asian-based hardware manufacturer to trick staff into wiring him money

A Lithuanian man has been charged with tricking two US technology firms into wiring him $100m (£80.3m) through an email phishing scam.

Posing as an Asian-based manufacturer, Evaldas Rimasauskas tricked staff into transferring money into bank accounts under his control, US officials said.

The companies were not named but were described as US-based multinationals, with one operating in social media.

Officials called it a wake-up call for even "the most sophisticated" firms.

According to the US Department of Justice, Mr Rimasauskas, 48 - who was arrested in Lithuania last week - deceived the firms from at least 2013 up until 2015.

He allegedly registered a company in Latvia which bore the same name as an Asian-based computer hardware manufacturer and opened various accounts in its name at several banks.

'Fake email accounts'

The DoJ said: "Thereafter, fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company."

The emails, which "purported" to be from employees and agents of the Asian firm, and were sent from fake email accounts, directed money for legitimate goods and services into Mr Rimasauskas's accounts, the DoJ said.

The cash was then "wired into different bank accounts" in locations around the world - including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.

He also "forged invoices, contracts and letters" to hide his fraud from the banks he used.

Officials said Mr Rimasauskas siphoned off more than $100m in total, although much of the stolen money has been recovered.

Acting US Attorney Joon H Kim said: "This case should serve as a wake-up call to all companies... that they too can be victims of phishing attacks by cybercriminals.

"And this arrest should serve as a warning to all cybercriminals that we will work to track them down, wherever they are, to hold them accountable."

The DoJ would not comment on possible extradition arrangements and said that no trial date had been set.


.author-name { display: none; }


Yahoo breach highlights cookie security issues

Last year Yahoo reported several data breaches occurring between 2013 and 2016 which affected a large number of user accounts.  Personal information stolen could have included email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.

Following forensic investigations Yahoo has revealed that fake cookies were a probable method used by attackers to access user accounts without a password. According to Yahoo, the attacker was able to create fake cookies by accessing the company's proprietary source code. 

In response Yahoo invalidated unencrypted security questions and advised affected users to change their passwords. The company also recommended that users adopt its authentication tool instead as it eliminates the need for a password on Yahoo accounts.  It is unclear how the fake cookies managed to evade website security but this advice indicates authorisation and authentication issues.

A cookie is a small file that a website puts on a user's computer to store information, potentially ranging from website links visited to personally identifiable information. Cookies can also be used to store passwords and other login details. They have many functional advantages but if they are not managed correctly with appropriate security measures, attackers may be able to exploit them.

Data leak reveals spam techniques

Security researcher Chris Vickery has reported that almost 1.4 billion user records from River City Media (RCM) were exposed after being backed up online without password protection. The data has since been taken offline, but it is unknown whether other actors have accessed it.

US-based RCM describes itself as an email marketing firm, but is listed in the top 10 of the Spamhaus Register of Known Spam Operations. As a result of the leak, RCM's infrastructure has been blacklisted by anti-spam organisations.

The leak also revealed techniques used to force legitimate mail servers to deliver up to a billion emails daily. The sender's computer sends deliberately slow and incomplete requests to the mail server, keeping existing connections open, while opening as many new connections as possible. Once the sender is ready, they resume normal speed requests and use the open connections to send a flood of emails before they can be blocked. This is very similar to a Denial of Service (DoS) attack known as Slowloris, which uses large numbers of slow connections to consume server resources and prevent other users from gaining access.

Upstream services attacked to target end users card credentials

A reported security breach at the US retail platform provider Aptos has led to malware infecting machines that the company uses to host online retail services. Forty e-commerce stores using Aptos services are said to be affected by the incident, which allowed malicious actors in some cases to access customer names, phone numbers, addresses, email addresses as well as payment card numbers and expiration dates. The malware is reported to have been present on Aptos systems for up to ten months during 2016. The company is working with US authorities to investigate the breach.

This incident illustrates the risk of upstream service and software providers being compromised to reach a broader victim base. A single attack on an upstream provider can deliver a much higher return on investment, compared to attacking each retailer separately. The success of such attacks is likely to encourage cyber criminals to target more upstream service providers.

It also highlights that while services can be outsourced, responsibility for customer data ultimately lies with those who collect it. Businesses need to demand high cyber security standards from third party organisations with access to their customer data, including software and service suppliers.


.author-name { display: none; }


Where Have All The Exploit Kits Gone?

The bloom is off exploit kits.

Once a mainstay for cybercriminals, attacks tied to exploit kits have now dried up to just a trickle. For sure, they haven’t gone away. But researchers say Angler, Neutrino and Nuclear, kits that once dominated the threat landscape, are gone; usurped by new threats and a resurgence in old ones.

“When we compare exploit kit activity from January to December of 2016 there’s a drop of 300 percent in activity. That’s primarily due to these EKs dropping off the face of the Earth,” said Karl Sigler, threat intelligence manager at Trustwave.

Exploit kits are a type of malicious toolkit chockfull of pre-written exploits for targeting various browser plugins such as Java and Adobe Flash. Kits are planted on booby-trapped sites or can be used in malvertising campaigns and spring into action if they can detect a vulnerability in a visitor’s browser or web application.

In their heyday Angler, Magnitude, Neutrino, and Nuclear exploit kits accounted for 96 percent of exploit kit activity at the end of 2015, according data from security firm Infoblox. Today, exploit kits are mostly dormant and development has gone stagnant.

Where did they go and why?

Arrests Send Crooks Scurrying

Some credit the downturn in exploit kit activity in 2016 to high-profile arrests of members of cybercrime outfits such as Lurk, who were behind the Angler Exploit Kit. In the case of Lurk, dozens of hackers were arrested across Russia in June 2016.

According to a detailed report by Kaspersky Lab on the takedown, the gang controlled Angler’s infrastructure and development, and was behind its distribution. At the time, Angler was one of the most notorious exploit kits on the Internet.

“The arrests of Lurk and the subsequent demise of Angler was not the single event that triggered exploit kit gangs to go dormant. But looking back, it’s hard not assume that others behind Neutrino and others didn’t see this as a harbinger,” said Deepen Desai, senior director of research and operations at Zscaler.

But even before the Lurk arrests, the Nuclear crew had all but shut down its operation in the May and June timeframe. That proceeded an in-depth analysis of the gang’s malware-as-a-service infrastructure by Check Point researchers.

The third nail in the coffin for dominant exploit kits was the decline Neutrino. It abruptly shut down in September following a joint Cisco and GoDaddy operation where a large number of malvertising campaigns spreading on the exploit kit were shuttered.

Patrick Wheeler, director of threat intelligence at Proofpoint notes that exploit kit activity has declined 93 percent between January and September last year, but notes activity hasn’t stopped altogether.

Wheeler said after Nuclear and Angler went dormant, criminals behind exploit kits have downsized and gone deeper underground focusing on private development and smaller campaigns. Such is the case with Magnitude, RIG, and Sundown, he said.

Strong Offense and Even Better Defense

It hasn’t been just a strong offense credited for pointing exploit kit gangs back into the shadows. A number of researchers credit a strong defense.

“Crimeware tools are only as good as their target’s defenses,” said Amol Sarwate, director of engineering at Qualys. He said recent efforts to fortify Microsoft’s browsers, Adobe’s Flash and Oracle’s Java browser components against exploit kit activity have paid off.

“There used to be a lot of low hanging fruit,” he said. “For now, that’s not the case.”

“Adobe Flash has been the top target for exploit kits such as RIG and Angler for a long time. Out of more than 3 billion scans that Qualys performs each year we saw that in 2016 Adobe flash vulnerabilities were patched about 40 percent faster as compared to the prior year. This implies that the industry is doing a better job with patching Flash, and although Flash is not dead it is being fixed more quickly,” according to a 2016 Qualys analysis.

Oracle has also taken steps to defend against crimeware used in exploit kits. Last year, the makers of Java announced it was pulling the browser plugin from the next desktop version of Java (Java JRE 9). That meant Java software will no longer plug directly into the user’s Web browser, reducing the number of browser attacks that target outdated Java plugins.

“As much as I’d like to say it’s one thing that we did, it wasn’t,” said Peleus Uhley, lead security strategist within Adobe’s Secure Software Engineering Team. He said work with Microsoft and Google has paid off especially when it comes to mitigating against memory-corruption bugs, a popular target of vulnerabilities exploited by exploit kits.Uhley said Control Flow Guard, a memory corruption security technology baked into Windows 10, has been an effective tool at mitigating against use-after-free attacks, which became a favorite crimeware exploit once ASLR and DEP put a damper in buffer overflow attacks.

“It’s a cumulative effort on our part and the security community. Nobody is resting on their laurels. The attackers continue their development and so will we,” Uhley said.

Crooks Try Different Tactics

Cybercriminals have continued to develop new delivery mechanisms for planting their malicious payloads on targeted systems. But, the focus isn’t currently on exploit kits, rather social engineering-based attacks, said Ryan Olson, intelligence director at Unit 42 of Palo Alto Networks.

“It’s not as if criminals have thrown in the towel,” Olson said. “A big component in a drought of exploit kit development has been the rise of Office macros used to deliver malware. For the past year we just have seen a continuous increase of macro document-based attacks replacing a lot of what exploit kits used to do,” he said.

Locky ransomware, Dridex banking Trojans and Gootkit Trojan information stealers all used to be distributed mainly via exploit kits and are now being spread primarily via spam, phishing and spear phishing campaigns.

“What we are finding it’s much easier to use social engineering to trick people into installing malware than to exploit a vulnerability,” said Proofpoint’s Wheeler. “What attackers have done is replaced the automated exploit with (socially engineered) ploys to get people to click.”

That type of social engineering has moved beyond the inbox as well, Wheeler said. “We saw attackers trying to trick Google Chrome users to install ‘Chrome Font’ malware on compromised websites,” Wheeler said. Instead of being attacked via an exploit kit, attackers presented visitors with a fake prompt to install a Chrome plugin called “Chrome Font” that was actually a type of ad fraud malware known as Fleercivet.

While spam-based ploys that enlist social engineering tricks may seem like a crude alternative to exploit kits, Trustwave’s Singler says they aren’t. “Social engineering attacks have always been popular, especially in phishing attacks. However, I would not say that social engineering attacks are any cheaper or easier to use. Good social engineering attacks require research if it’s a targeted attack or infrastructure like a spam botnet if it’s more of an opportunistic attack,” he said.

In June, Microsoft Malware Protection Center reported a resurgence in the use of Officedocument macro attacks. In December, attackers revived the old spamming techniqueknown as hailstorm and leveraged the Necurs botnet to spread both the Dridex banking malware and Locky ransomware via malicious Word documents.

Despite being a fairly archaic attack vector, it’s managed to work for attackers, said researchers.

Gangs Quietly Regroup

Meanwhile, new exploit kits are quietly under development. One example of this is anexploit kit called DNSChanger, spotted in December and being distributed via malvertising. Researchers at Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn’t target browsers, rather a victim’s router.

Through a complex series of steps, DNSChanger is able to decrypt the target’s router fingerprints to determine if a target is using vulnerable model. “Once it performs the reconnaissance functions, the browser will report back to the DNSChanger kit which returns the proper instructions to perform an attack on the router,” according to Proofpoint. The goal: open ports on the router for malicious purposes.

New exploit kits also continue to surface, such as the Terror EK; identified by Zscaler earlier this year. Terror is an example of a newer exploit kit cobbled together from pieces of other exploit kits such as Sundown and Hunter, according to a Zscaler.

Zscaler’s Desai notes that Terror is typical of newer exploit kits. “It’s smaller, more customized and their target is much more defined and they have chosen a very specific geographic area to target,” he said.

Additional exploit kit innovations spotted by Zscaler are more kits leveraging SSL in order to protect the landing pages and gates to get past network appliances. Desai notes newer exploit kits are adding more anti-analysis fingerprinting code to avoid being detected in sandboxed environments.

“Exploit kits still pose a significant threat. There is nothing new about exploit kit authors hiding their activities and frequently changing tactics,” Desai said. “There is no reason to believe we won’t see a resurgence of exploit kits in the future. The question is when.”


.author-name { display: none; }


Threatpost - Adobe Fixes Six Code Execution Bugs in Flash

Adobe on Tuesday patched seven vulnerabilities in Flash Player, six that could lead to code execution. The company said it isn’t aware of any of the vulnerabilities being exploited in the wild but is still encouraging users to update Flash for Windows, Macintosh, Linux and Chrome OS.

The vulnerabilities exist in versions and earlier of Flash, according to a security bulletin issued by the company Tuesday morning. 

Adobe is warning the six bugs–a buffer overflow vulnerability, two memory corruption vulnerabilities, and a trio of use-after-free vulnerabilities–could be exploited to trigger code execution. The lone bug that doesn’t lead to code execution stems from a random number generator vulnerability. That vulnerability, dug up by two researchers at Nanyang Technological University in Singapore, Wang Chenyu, and Wu Hongjun, could lead to information disclosure if exploited.

Users can apply the update,, through the usual distribution channels. Google Chrome and Microsoft Edge and Internet Explorer 11 users will receive the updates automatically. Devotees of Flash Player Desktop Runtime for Windows, Macintosh and Linux are being urged to update via the program’s update mechanism.

Adobe also shipped an update for Shockwave Player for Windows on Tuesday.

Versions and earlier of the multimedia software plugin contained a vulnerability that if exploited could lead to escalation of privilege, a security bulletin warned. The vulnerability stemmed from Shockwave’s directory search path. The patched version,, is available at Adobe’s Shockwave Player Download Center.

Adobe has stuck by its usual Patch Tuesday patching schedule so far in 2017.

In January it pushed out 13 patches, 12 that could have led to remote code execution; in February the company patched 13 vulnerabilities, all which could have led to code execution in the software.

With this year’s iteration of Pwn2Own, the annual hacking challenge held in tandem with CanSecWest in Vancouver, set to kick off tomorrow it could be only a matter of days until Adobe releases a set of emergency updates for Flash.

Hackers took down Flash on the first day of Pwn2Own last year and earned $13,000 in the process. One group of hackers combined a type confusion bug in Flash with a Windows kernel bug while another group exploited an out-of-bounds bug in the platform and chained it together with an infoleak in Windows kernel.

For this year’s contest competitors can earn $50,000 for exploiting Flash in Microsoft Edge and another $30,000 if their exploit achieves SYSTEM-level code execution.


.author-name { display: none; }


Threatpost - Google Chrome 57 Browser Update Patches ‘High’ Severity Flaws

Google released an updated version of its Chrome browser on Thursday to fix nine high-severity vulnerabilities that if exploited could allow adversaries to take control of targeted systems. As part of the update, Google thanked nearly two dozen bug hunters with bug bounty payments totaling $38,000.

Topping the list of vulnerabilities patched are; a memory corruption flaw in the V8 JavaScript engine, a use after free bug found in Google’s Almost Native Graphics Layer Engine, and an out-of-bounds write flaw found in the PDFium component of the Chrome browser.

Google said its Chrome version 57.0.2987.98 update for Windows, Mac and Linux includes a number of fixes and improvements; and will roll out them over the coming days and weeks. Beta Chrome 57 was introduced in February and included new features CSS grid layout, improved add to home screen, Media Session API. The Chrome 57.0.2987.98 was released to Google’s Stable channel, which means the software is fully tested by the Chrome OS team.

n November, Google said it removed support for SHA-1 certificates in Chrome 56, but will distinguish between certificates chained to a public Certificate Authority and those chained to local CAs. However, with the introduction of Chrome 57, released to the Stable channel in March, Google said at the time, “Features which require a secure origin, such as geolocation, will continue to work, however pages will be displayed as ‘neutral, lacking security.’ Without this policy set, SHA-1 certificates that chain to locally installed roots will not be trusted starting with Chrome 57.”

Google did not mention the additional SHA-1 notification feature Thursday with the rollout of Chrome 57.0.2987.98. However, it said more information regarding Chrome 57 is pending via its Chrome and Chromium blog.

The Chrome security holes were disclosed to Google’s Chromium Project and its bug bounty program. The largest bounty paid was for $7,500 and paid to researcher Brendon Tiszka for the (CVE-2017-5030) memory corruption flaw in the V8 JavaScript engine.

The second highest bounty of $5000 was paid to researcher Looben Yang for the use after free bug (CVE-2017-5031) found in Google’s Almost Native Graphics Layer Engine.


.author-name { display: none; }


Threat Post - Confide Updates App After Critical Security Issues Are Raised

The makers of the popular messaging app Confide said Wednesday that it has patched multiple security vulnerabilities that could have allowed hackers to intercept messages sent using its secure end-to-end messaging platform.

The flaws were identified in two separate reports, both released Wednesday, by security firms IOActive and Quarkslab. Both allege there are critical security vulnerabilities in versions of Confide’s encrypted messaging app, including version 4.0.4 for Android and 1.4.2 for Windows and OS X .

The security of Confide’s platform has taken center stage ever since reports surfaced last month that senior White House staff, including press secretary Sean Spicer, were using the app. Confide claims to offer “battle tested, military grade encryption.” According to Google Play, the Android app has been installed between 100,000 to 500,000 times.

Researchers with IOActive said the Confide suffered from a bevy of security vulnerabilities including:

  • Confide’s notification system did not require a valid SSL server certificate to communicate, therefore opening the door for an attacker to perform a man-in-the-middle attack.
  • The app lacked sufficient notifications when unencrypted messages were sent and received.
  • The application failed to have adequate protections to prevent brute-force attacks on user account passwords.
  • Confide’s website was vulnerable to an arbitrary URL redirection, which could facilitate social engineering attacks against its users.

IOActive also raised issues with Confide’s handling of public keys.

“Confide failed to provide a participant fingerprint authentication mechanism, allowing Confide to conduct man-in-the-middle attacks on encrypted messages by changing the public keys sent to parties of a conversation,” wrote IOActive researchers Mike Davis, Ryan O’Horo and Nick Achatz, who co-authored the report.

Quarkslab also took issue with some of security vulnerabilities highlighted by IOActive, and singled out the way Confide handled public and private encryption keys.

“The most obvious problem… is linked to the fact that the encrypted message origin and the authenticity of the public encryption key transmitted by the server can in no way be verified by the client,” wrote Jean-Baptiste Bédrune, security researcher with Quarkslab.

“The Confide server could generate its own key pair and transmit the public part to a client when the latter requests the public key of a recipient (we only note that Confide is able to do so, not that it does so). This client then unknowingly encrypts a message that can be decrypted by the server. Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient,” Bédrune wrote.

Similar public key concerns were raised earlier this year when researchers commented on how WhatsApp and earlier versions of iMessage handled key change notifications. In February, Jonathan Zdziarski, an independent security researcher and forensics expert, wrote about Confide’s key exchange approach.

“What seems different about (Confide) encryption is that it appears to regenerate the public key under certain circumstances. It’s unclear why, but unlike Signal and WhatsApp, which consider it something to alert you about if your public key changes, Confide appears to consider this part of its function. Key exchange is always the most difficult part of good encryption routines. Depending on whether or not Confide is able to detect this and warn the user, it’s possible (although not confirmed) that the application could be susceptible to the same types of man-in-the-middle attacks that we’ve seen theorized in WhatsApp (if you leave the alerts off) and iMessage,” Zdziarski wrote.

Bédrune said the confidentiality of the exchanged messages depends on the robustness of TLS.

“Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass,” he said.

Quarkslab also claims that security features in the Android, iOS and desktop app, such as message deletion and screenshot prevention, can be easily circumvented.

For its part, Confide co-founder Jon Brod told Threatpost via email Wednesday the company was able to fix the issues quickly.

“We were able to detect anomalous behavior and remediate many of the issues during IOActive’s testing in real time starting on February 24. We were able to quickly address the remaining issues after the initial contact and roll out client updates in less than 48 hours. Not only have these issues been addressed, but we also have no detection of them being exploited by any other party. We do acknowledge the findings, but believe that the firm is overstating the severity level of some of them.”

IOActive claims the company privately disclosed its research to Confide in February and that Confide fixed the issues and updated the app on March 3, 2017.

Brod did not address the security concerns raised by Quarkslab.

“All the issues have been reported to Confide, and they are working on fixing them. In the meantime, do not consider your conversations to be so well concealed,” Bédrune wrote.


.author-name { display: none; }


WordPress 4.7.3 Patches Half-Dozen Vulnerabilities

WordPress released a security update on Tuesday that patched a half-dozen bugs, including one that could be chained with the recent REST API Endpoint flaw that led to a million website defacements. Given that more than half of WordPress sites are still not protected against that flaw, odds are that we haven’t heard the last of that vulnerability.

The REST API vulnerability was silently patched in version 4.7.2, yet there are apparently at least one million sites that don’t have automatic updates enabled and were attacked by hackers. The defacements came quickly after the Jan. 27 release of 4.7.2 and disclosure of the issue, as hackers took advantage of unpatched sites to leave behind defacements pointing to spam and phishing sites such as rogue pharmaceutical solicitations.

According to WordPress statistics, 44.8 percent of sites are on at least version 4.7, meaning that the remainder are exposed to a litany of vulnerabilities addressed in older versions.

Yesterday’s 4.7.3 update included a fix for a cross-site scripting vulnerability privately disclosed by researchers at Sucuri, who also found the REST API bug. Marc Montpas, a researcher with Sucuri, said the new XSS vulnerability was found during research on the REST API flaw and could be triggered by a URL included in YouTube embeds. Montpas said the vulnerability could be exploited by users with certain privileges such as contributors or authors. An attacker could insert malicious short codes in a post that would bypass cross-site scripting protections native to WordPress.

“When an administrator visits the affected post, the XSS payload will execute and may force his browser to perform administrative actions on his behalf, like storing backdoors on the site and creating new administrator accounts,” Montpas told Threatpost. “This vulnerability alone isn’t very risky, because it requires the attacker to have very specific privileges on the site. But combined with the REST API vulnerability we found last month, which basically allowed any visitor to edit a site’s posts, it could have caused quite a mayhem.”

The REST API vulnerability allows an attacker with one line of exploit code to access the API and change site content and URL permalinks. The issue lies in the way the REST API manages access. It does so by favoring values such as GET and POST rather than existing values. Any request with letters in its ID would bypass a permission check and essentially grant an attacker admin privileges.

Researchers at SiteLock said that about 20 different hackers were trying to monetize the defacements with links to rogue pharmaceutical websites.

The REST API endpoint vulnerability was introduced in WordPress 4.7 in December, and silently patched on January because of its severity. Since WordPress is packaged with automatic updates turned on by default, most installations are updated and secured. Those that have disabled the feature, or any updates that failed, remain vulnerable.

Another cross-site scripting vulnerability that was patched yesterday, one that could be exploited through media file metadata, was originally reported by researcher Chris Andre Dale in December 2014. Researcher Yorick Koster reported the bug again to WordPress which discovered that the original patch only partially addressed the issue, said Aaron Campbell, recently appointed as WordPress’ new lead of security triage and resolution.

“What would happen is that an administrator or author would upload my picture, and I would then have my JavaScript running 100 percent stealthy in their browser,” Dale told Threatpost. His original disclosure explained how an attacker could embed a cross-site scripting payload into image metadata, EXIF data JPEG.

The remainder of the 4.7.3 update addressed another bug reported by student researcher Daniel Chatfield who disclosed that control characters could trick redirect URL validation. Also patched was an issue where unintended files could be deleted by a site admin using the plugin deletion functionality. Separate cross-site scripting (via taxonomy term names) and cross-site request forgery (in Press This which could exhaust server resources) vulnerabilities were also patched.


.author-name { display: none; }


Threatpost - New Fileless Attack Using DNS Queries to Carry Out PowerShell Commands

A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers, a method that researchers said makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems.

According to experts at Cisco’s security research outfit Talos, the infection chain begins with a rigged Word document sent to recipients who are encouraged to “enable content” so they can view a message. If enabled, the document launches a Visual Basic for Applications macro that opens the initial PowerShell command that ultimately leads to the multistage attack and the eventual installing of a remote access Trojan.

“This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection,” wrote Cisco’s Edmund Brumaghin and Colin Grady.

The initial PowerShell instructions that are executed are contained within the Word document itself.

Researchers said the attack is unique because it does not involve a typical infection chain that includes files written to the targeted system. Instead, the malware infection technique uses DNS TXT messaging capabilities to request and fetch malicious PowerShell commands stored remotely as DNS TXT records.

Researchers said the malware sample uses DNS TXT record queries and responses creating a bidirectional command and control channel. “This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker,” researchers wrote.

According to a technical analysis, attackers leveraged multiple VBA scripts, each unpacking a unique self-contained PowerShell script. During each of the stages in the infection process, malware would send DNS queries to one of multiple domains hardcoded in the script.

“The document uses the Document_Open() function to call another VBA function. The called function sets a long string that defines a Powershell command and includes the code to be executed. The command is then executed using the Windows Management Interface (WMI) Win32_Process object using the Create method,” researchers said.

This process, “allows the code to be executed without ever requiring it to be written to the filesystem of the infected system,” according to Talos.

The objective of the multi-stage infection process is to determine access privileges of the targeted system, what version of PowerShell is installed on the system, make changes to the Windows Registry and open a backdoor in order to maintain persistence.

Cisco notes that DNSMessenger demonstrates the ingenuity and lengths attackers are going to avoid detection. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure,” researchers wrote.

“This appears to have been a fairly targeted attack and was not very widespread compared to other campaigns we regularly observe,” said Brumaghin. He added the intent of the malware is unclear. “We were unable to get the C2 infrastructure to send commands to execute. This is common with targeted attacks as the attackers will only choose to send commands to their intended victim.”


.author-name { display: none; }



InterContinental Hotels Group (IHG), parent company to Crowne Plaza, Holiday Inn and Kimpton Hotels and Resorts, confirmed on Friday a breach of payment card systems used in 12 of its hotels located in North America and the Caribbean.

According to IHG, which operates 5,000 hotels worldwide, malware was found on servers used to process credit cards. The servers were infected between last August and December; the company declined to say how many payment cards were impacted.

In a statement released Friday, IHG said it found malware installed on servers used at popular destinations such as Michael Jordan’s Steak House and Bar in Chicago, the Holiday Inn San Francisco Fisherman’s Wharf, the Copper Lounge in Los Angeles, and the Palm Bar in Aruba.

The hotelier reported on Dec. 28 that it was investigating customer complaints of unauthorized charges on credit cards. At the time, the company said only a limited number of destinations were impacted before revealing more details on Friday.

“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties,” according to a statement. “Cards used at the front desk of these properties were not affected.”

According to IHG, the malware searched for magnetic stripe track data as it was being routed through servers. Track data included cardholder name, card number, expiration date and internal verification code. There is also no information provided on the strain of malware used in the attacks.

Hotels, restaurants and other hospitality outlets are frequently singled out as victims of opportunistic hackers. Last year alone there were nearly a dozen reports of card breaches. One of those breaches occurred in August and included 20 hotels run by HEI Hotels and Resorts, which owns chains Marriott, Sheraton, and Westin. Similarly, malware was used to siphon payment card data.

The prevalence of malware use to steal payment card data hit a peak in 2014 when it was at the center of several high-profile breaches, including Target and Neiman Marcus.

As recently as last November, security researchers at Trustwave said the Carbanak cybercrime gang, first discovered by Kaspersky Lab, had shifted strategy and began targeting the hospitality and restaurant industries with new techniques and malware. Part of the Carbanak tactics involved targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target was credit card data scraped from the memory of point-of-sale systems.

“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG wrote in a statement regarding the breach.


.author-name { display: none; }



Ubuntu users are being urged to update their operating systems to address a handful of recently patched OpenSSL vulnerabilities which affect Ubuntu and its derivatives.

Developers with Canonical, the company that oversees the Linux distribution, announced the updates on Tuesday, encouraging users to install the latest OpenSSL package versions depending on which distribution they’re running.

The updates resolve several of the vulnerabilities fixed by the cryptographic library OpenSSL last Thursday.

Three of the vulnerabilities fixed were branded “medium” severity by OpenSSL’s maintainers as they could lead to several outcomes, including a timing attack, a denial of service attack, and help an attacker potentially recover private keys.

One issue (CVE-2016-7056) was tied to the fact that OpenSSL didn’t properly use constant-time operations when it performed Elliptic Curve DSA (ECDSA) with a Curve P-256 signing. Because of this, at least on Ubuntu 12.04 LTS and Ubuntu 14.04, an attacker could have performed a timing attack to recover private keys.

OpenSSL maintainers said last week when it pushed the updates that achieving such an attack would be difficult, however.

“Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely,” OpenSSL said, “The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.

It was discovered that the library also mishandled select truncated packets, something that could have been exploited to cause a denial of service condition. It also incorrectly performed something called the x86_64 Montgomery squaring procedure, a component that also could have been taken advantage to steal private keys. The issue only affects systems based on x86_64 architecture, like Ubuntu 16.04 LTS, and Ubuntu 16.10, however.

The rest of the fixes were relatively small potatoes and all marked “low” severity.

Another separate, less pressing issue (CVE-2016-7055) also affected how OpenSSL handles Montgomery multiplication and could lead to what Ubuntu calls “transient failures.”

The update also fixes an issue in which OpenSSL used “undefined behavior when performing pointer arithmetic,” and another in which it incorrect handled certain warning alerts. A remote attacker could exploit both vulnerabilities and cause a denial of service, according to Ubuntu’s advisory.

Ubuntu 16.10, Ubuntu, 16.04 LTS, Ubuntu 14.04, LTS Ubuntu, 12.04 LTS are all considered vulnerable under updated, the advisory warns.

The OpenSSL patches came just days after news surfaced that despite being patched three years ago, almost 200,000 servers and devices are still vulnerable to Heartbleed. The numbers came via analysis gathered by the search engine Shodan, a service that searches open ports for vulnerabilities.

According to the report roughly 52,000 Apache HTTPD servers remain vulnerable, in addition to 6,380 Amazon Web Services devices, and 4,330 Verizon Wireless devices.

The encryption library is used in a slew of devices and software; it’s up to each vendor when it wants to patch vulnerabilities however.

Cisco issued a security advisory around the vulnerabilities on Monday as many of its products incorporate OpenSSL packages. The company is unclear exactly which software is affected by the vulnerabilities but says its conducting an investigation into nearly 200 different products to determine whether they’re affected.


.author-name { display: none; }