

NCSC - Weekly Threat Report 29th September 2017

Compromise of Deloitte

The Guardian this week reported that the global accountancy firm Deloitte had been hit by a cyber attack that has revealed client email addresses. The hackers may have also accessed usernames, passwords and personal details.

Deloitte provides auditing, tax consultancy and cyber security advice to some of the world’s biggest banks, multi-national companies, media enterprises, pharmaceutical firms and US government agencies. According to the Guardian, Deloitte clients across these sectors had material in the company email system that was breached. The breach was believed to be US-focussed, affecting well-known companies as well as US Government departments. The compromise was discovered in March this year, but it was reported that the attackers may have had access to Deloitte systems since October or November 2016.

According to the newspaper, the hacker compromised the firm’s Microsoft Azure cloud global email server through an administrator’s account that, in theory, provided them with privileged, unrestricted access. The account required only a single password and did not have “two-step” verification. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which is Microsoft’s equivalent to Amazon Web Services and Google’s Cloud Platform.

Deloitte has stated on its website that only very few clients were impacted and no disruption has occurred to client businesses, to Deloitte’s ability to serve clients, or to consumers. The NCSC statement confirmed that we had engaged with the organisation to better understand the threat and based on current information we understand there to have been minimal UK impact.

Using single-factor authentication, such as a username combined with an easy-to-guess password, has allowed criminals to gain access to a user's account. Simple passwords based on dictionary words, or passwords reused on other systems that may have been leaked, give cyber attackers easy access to IT systems. Gaining access to an administrator account is the ‘jackpot’ for an attacker, as it provides unrestricted access to all user accounts.

Two-factor authentication (2FA) is an extra layer of security that requires not only a username and password but also something that only that user has, i.e. a piece of information or an item only they should know or have immediately to hand - such as a physical token, key fob, fingerprint, facial recognition or SMS confirmation via a mobile phone.

A compromise would be highly unlikely if a complex password or 2FA had been implemented. See the NCSC’s Password Guidance.

Banks’ concerns about cloud cyber security

Investment bank Goldman Sachs has in recent days echoed concerns about the number of banks using the same small number of Cloud storage providers – pointing out that those users also include the UK financial regulatory bodies.

The bank’s Head of Technology for Europe, Middle East and Africa argues that the online platforms should be regulated from a resilience perspective, and describes a ‘concentration risk’. The concerns echo those voiced in January by the Bank of England Governor and the chair of the Financial Stability Board, who refer to the risk of a single point of failure if ‘banks come to rely on common hosts of online banking or providers of Cloud computing services’.

The use of an online network, or ‘Cloud’, increases the scale and flexibility of computing capacity, and aligns with the growing desire within the financial services industry for innovative technological business models and processes.

The Financial Stability Board (FSB) alerted the industry in June to the greater reliance on external providers of technology, and hence the potential risk of disruption, specifically citing the Cloud. The FSB highlighted the risks of financial institutions relying on the same third-party Cloud computing and data services providers, and cited other jurisdictions where, for example, guidelines had been issued for Cloud outsourcing, internet banking and technology risk management. Greater co-ordination within finance, and with non-finance partner organisations such as those with a remit for cyber security, was mooted.

Some of the growing concerns voiced within financial services about the Cloud are addressed by the NCSC’s Cloud Security Principles and advice.


Cryptocurrency mining by cyber criminals

Recent IBM reporting observes a sixfold increase in the use of specifically CPU-based cryptocurrency-mining malware since the beginning of 2017, a much faster rise than observed for cryptocurrency-mining malware more generally.

While there are many cryptocurrencies, with different characteristics, all rely on ‘miners’, who carry out large numbers of calculations to verify transactions. In exchange for contributing computing power, miners are rewarded with cryptocurrency.

Mining many currencies using a CPU has generally become economically unviable for legitimate users, as running costs outweigh their gains, so they now use graphics cards, or specially designed application-specific integrated circuits (ASICs). Running costs are no obstacle to cyber criminals, however, who can use botnets of compromised machines as miners without needing to worry about the electricity bills. Some newer currencies are also more feasible to mine using a CPU only.

In a related trend, an increasing number of website scripts are being observed which mine cryptocurrency inside a web browser. Such scripts can be used in clearly illegal ways when hidden within adverts (a form of malvertising), but some sites have also shown an interest in such scripts as a form of revenue production to replace or supplement online advertising. Torrenting site The Pirate Bay received significant press coverage when it was revealed to have adopted such scripts without the knowledge or consent of its users. There have also been reports of cyber criminals compromising popular websites and hiding mining scripts in their source code, allowing them to profit from their victims’ visitors.




NCSC - Weekly Threat Report 7th July 2017

Scams follow widely reported attempt to compromise parliamentary email accounts

Following reported attempts by hackers to compromise parliamentary email accounts in June, scammers have recently attempted to gain information by cold-calling (or vishing) MPs and their staff. Posing as staff from the Houses of Parliament’s IT department, the scammers have reportedly been requesting the usernames and passwords of MPs. Vishing, like its online equivalent, phishing, attempts to elicit sensitive information, such as passwords, or to encourage victims to visit particular (invariably malicious) websites.

Scammers try to capitalise on heightened public awareness of particular issues. Such social engineering techniques often increase in prevalence following a high-profile incident. For example, following the WannaCry ransomware incident, there were several reported scams, including fake fixes for the malware and malicious ‘tech support’ services. Phone calls can form part of a blended social engineering campaign, along with emails or social media contact. It is likely that scams such as these will continue to follow widely reported events.




NCSC - Weekly Threat Report 9th June 2017

Fireball malware

More than 250 million computers worldwide have been infected with malicious adware called Fireball, according to recent reporting.  Produced by Rafotec, a Beijing-based digital marketing firm, the malware is spread mostly via bundling. That is, when a user downloads a product they want, the Fireball malware is ‘bundled’ in without the user’s knowledge or consent.

Once infected, Fireball hijacks the user’s browser, installs extra plug-ins and manipulates the user’s web traffic. By redirecting traffic to Rafotec’s fake search engines, Fireball is able to generate additional advertising revenue for the company. A greater concern is the fact that Fireball can, in theory, be repurposed to serve as a fully functioning malware downloader.

Should Fireball be repurposed for further malicious activity it could be used to harvest sensitive data, such as financial credentials, medical records, or corporate business plans for example. Whilst estimates are that Indonesia, India and Brazil have the highest infection rates at present, other countries have been impacted.

In line with NCSC guidance, make sure you only install software from trusted sources.

Single Sign On provider OneLogin is compromised

In late May, OneLogin, an online access and identity manager, experienced a security breach in which sensitive customer data in its US region may have been compromised. OneLogin primarily provides Single Sign On (SSO) and identity management services for corporate customers using cloud-based applications. It is not yet clear how the unauthorised access happened nor what the impact was, but it is suspected that a threat actor obtained Amazon Web Services (AWS) keys and used them to gain access to the AWS Application Programming Interface (API) via another smaller provider in the US. The actor was then able to access database tables containing information about users, apps and various types of keys. This may have included the ability to decrypt encrypted customer data.

To minimise damage OneLogin issued advice to customers which included generating new keys, authorisation tokens, security certificates and credentials and updating passwords.

This is not the first time an SSO or similar service has been targeted. Although, like password managers, such services are increasingly considered a better way of managing access, they are a tempting target for attackers, and the consequences of compromise can be severe.

A new variant of Qakbot malware is bringing down enterprise networks

A new variant of the Qakbot (aka Qbot or PinkSlip) trojan, first seen in 2009, is stealing user information and installing backdoors on Microsoft Windows operating systems. Qakbot malware is used to target online bank accounts of businesses and individuals. Victims are initially infected through an exploit kit, phishing campaign or malicious download.

This new variant has worm-like, self-replicating capabilities similar to WannaCry but it is not ransomware and does not encrypt user hard drives. In its attempts to steal or brute force login details it can cause mass Active Directory lockouts. Some organisations have had thousands of users prevented from using corporate systems as a result.

According to researchers, the Qakbot code has been totally rewritten and is even more advanced and effective. Its new features make it difficult to detect, using obfuscated code and a constantly evolving file structure and signatures.

We assess it likely that other malware campaigns will make use of these antivirus-evasion techniques. Users should stay on their guard against suspicious emails and activity, and keep their systems up to date to help prevent infection.
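The mass Active Directory lockouts described above are also a detection opportunity: a worm brute-forcing credentials from one compromised host locks out many different accounts from a single caller computer in a short time, which ordinary users do not do. The following is an added example, not part of the NCSC report, that runs that logic over a constructed sample of Windows Security log lines (event 4740, “A user account was locked out”, flattened to one line per event; a 4625 failed-logon line is included to show the filter). The thresholds and the line format are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, one per line (not real data).
# 4740 = "A user account was locked out"; the caller computer is the host whose failed
# logons triggered the lockout. The 4625 (failed logon) line is there to exercise the filter.
SAMPLE_EVENTS = """\
2017-06-05T09:00:01 4740 account=alice caller=WS-0417
2017-06-05T09:00:09 4740 account=bob caller=WS-0417
2017-06-05T09:00:20 4740 account=carol caller=WS-0417
2017-06-05T09:00:31 4740 account=dave caller=WS-0417
2017-06-05T09:00:44 4740 account=erin caller=WS-0417
2017-06-05T09:01:02 4740 account=alice caller=WS-0417
2017-06-05T09:01:15 4740 account=frank caller=WS-0417
2017-06-05T09:05:00 4740 account=grace caller=WS-0102
2017-06-05T13:40:12 4625 account=heidi caller=WS-0102
"""


def parse_events(text):
    """Keep only lockout events (4740); return (time, account, caller) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        if event_id != "4740":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["account"], kv["caller"]))
    return events


def lockout_peaks(events, window_seconds=120):
    """For each caller computer, the largest number of distinct accounts it locked out
    within any sliding window of `window_seconds` (repeat lockouts of one account count once)."""
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))
    span = timedelta(seconds=window_seconds)
    peaks = {}
    for caller, items in by_caller.items():
        items.sort()
        window = deque()
        in_window = defaultdict(int)  # account -> occurrences currently inside the window
        peak = 0
        for ts, account in items:
            window.append((ts, account))
            in_window[account] += 1
            while ts - window[0][0] > span:  # evict events that fell out of the window
                _old_ts, old_account = window.popleft()
                in_window[old_account] -= 1
                if in_window[old_account] == 0:
                    del in_window[old_account]
            peak = max(peak, len(in_window))
        peaks[caller] = peak
    return peaks


def find_lockout_bursts(events, threshold=5, window_seconds=120):
    """Caller computers that locked out `threshold` or more distinct accounts in one window:
    the hosts to isolate and examine first."""
    peaks = lockout_peaks(events, window_seconds)
    return sorted(c for c, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(lockout_peaks(evs))        # {'WS-0417': 6, 'WS-0102': 1}
    print(find_lockout_bursts(evs))  # ['WS-0417']
```

Counting distinct accounts per caller, rather than raw lockout events, is what separates a spreading credential brute-forcer from one user who has simply forgotten a password and locked themselves out several times.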


This week’s summary starts with Google, and multiple flaws fixed in both Chrome and Android that could lead to URL spoofing, disclosure of sensitive information and remote code execution.

Cisco released updates for a number of different products (TelePresence, AnyConnect, Email Security Appliance, Prime Data Center Network Manager, NX-OS, Content Security Management Appliance and 8800 Series IP phones) to address cross-site scripting, bugs that cause the target to crash, unauthorised access and remote code execution.

IBM released updates for its Security Access Manager Appliance, Spectrum Protect (IBM Tivoli Storage Manager) and Domino TLS Server to prevent elevation of privilege, viewing of passwords, disclosure of sensitive information and theft of authentication credentials.

Elsewhere this week there were updates for Wireshark, Apache Tomcat, VMware vSphere and Irssi.

Debian-specific updates this week covered perl, nss and zookeeper.

There were ICS-specific updates for Digital Canal Structural Wind Analysis and Rockwell Automation PanelView.




NCSC - Weekly Threat Report 21st April 2017

Hajime – What is the intent of this IoT Botnet?

In October 2016 the security research group at Rapidity Networks discovered new malware, called Hajime, with similarities to the Mirai botnet: it targets Internet of Things (IoT or internet-connected) devices by scanning the Internet for devices with network vulnerabilities and attempts to connect to them using known default username/password combinations. According to Symantec, Hajime is believed to have infected between 130,000 and 180,000 devices worldwide, with Brazil and Iran having the most infections followed by Thailand and Russia. Industry partners have suggested that the number of UK devices infected currently stands at approximately 5,000.

Hajime is being compared to the Mirai malware for a number of reasons including: similarities between initial infection vectors; the targeting of internet connected devices and the use of command and control (C2) servers to communicate and send instructions out to infected devices.  Hajime however differs as it adopts a decentralized approach with a Peer to Peer (P2P) model where communication and instructions are passed between infected nodes rather than the more traditional client-server architecture.  It is believed that this type of approach makes the malware much more resilient to take down as it does not rely on just one central server to control the malware.

The Hajime malware is also different because it doesn’t, as yet, appear to have been used for malicious purposes. Researchers have hypothesised that the controllers could be waiting for more devices to be infected before launching an attack. A more recent theory by researchers is that Hajime has been created by ethical hackers who are targeting Mirai-infected devices with Hajime in order to deny Mirai the ability to carry out any harmful activity.

Malware targeting of IoT devices is not new and as these products are becoming more popular amongst consumers, manufacturers and suppliers should be aware of the emerging risks and cyber threats posed when attention is not paid to IoT security.

See the NCSC website for guidance on malware prevention.

Insider steals employer’s proprietary trading code

A computer engineer has been charged with illegally exfiltrating the proprietary algorithmic trading model code from a global financial services firm headquartered in New York, where he worked. The code is used by the firm to generate income by predicting market movements.

From December 2016 to March 2017, the engineer took steps to obfuscate his presence on areas of the company’s network that he was not authorised to access. He used discrete areas of the network to collect over three million files, including unencrypted portions of the algorithmic source code, before exfiltrating it.

The motivation for this activity has not been conclusively reported, nor whether this individual acted alone, or on behalf of another. The tasking of insiders by criminals to exploit access to corporate networks is a common occurrence. But the exfiltration of this particular source code is significant because trading platforms could be manipulated to allow vast amounts of money to be stolen in a single attack. Alternatively the intellectual property (IP) could be sold to a rival company.

Companies can mitigate the insider threat by adopting security policies that restrict access to the most sensitive data and by alerting when unusual activity is taking place.

Hotpoint service site compromise

Recent reporting by cyber security company Netcraft noted the compromise of domestic appliance manufacturer Hotpoint’s UK and Irish service websites, which has since been confirmed by Hotpoint in a statement via the Register. Customers accessing the service website were reportedly presented with fake Java dialogs, which if clicked, directed users to possibly malicious third party websites, presenting a risk that users could be infected with malware. Netcraft note that the compromise occurred shortly before the Easter weekend, suggesting that this may have been done deliberately to maximise the impact.

According to the company’s statement, no customer data was compromised and the vulnerabilities were quickly resolved. Netcraft suggest that the site’s WordPress installation may have been responsible. The NCSC provides guidance on minimising the vulnerabilities to WordPress, including the recommendation to implement regular security updates of WordPress as well as any plug-ins, only using trusted plug-ins and replacing default or easy to crack passwords.


There have been a large number of updates over the last week, thanks at least in part to Oracle’s quarterly update cycle falling this week. Oracle’s updates address multiple bugs in many of its products, from PeopleSoft, E-Business Suite, Financial Services and Java SE to MySQL, WebLogic and Solaris.

Both Mozilla and Google released updates to fix multiple vulnerabilities, the most serious of which could allow remote code execution, in their browser products, Firefox and Chrome respectively, and there were three updates for BIND.

Magento saw an update to prevent the uploading of arbitrary files and cross-site request forgery attacks by remote users. There were also a number of updates from Cisco for ASA, IOS and Unified Communications Manager. Juniper released a number of updates for Junos.

On the virtualisation front there were updates this week for both VMware and VirtualBox.

Elsewhere this week there were updates for SquirrelMail, WatchGuard, Nessus, Wireshark and MantisBT.

On the Debian side this week saw updates for Firefox-ESR and ICU. ICS specific updates this week came from Belden Hirschmann, Schneider Electric and Wecon.





Update: Ubiquiti Networks, a maker of networking gear for service providers, has since November been dealing with a critical command-injection vulnerability in the administration interface of more than 40 of its products.

Researchers at SEC Consult went public with the issue this week after privately disclosing the flaw to the vendor via its HackerOne bug bounty program. According to a timeline published by the researchers, Ubiquiti initially marked the issue as a duplicate, then promised a patch in a future stable release.

“We take network security very seriously and are in the process of fixing this vulnerability for all products affected,” a Ubiquiti Networks representative told Threatpost.

The company said it has patched 37 of the 44 affected products starting Feb. 3 with an update for airMAX 11ac and patches for the remaining products are imminent.

“Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware,” the representative said. “We are also improving our vetting process for security issue reports to speed up our response time.”

A post to a Reddit thread about the vulnerability from a Ubiquiti employee cited a communication breakdown between the company’s internal ticket on the issue and the initial submission to HackerOne.

“We’re reviewing the process of getting updates from our internal ticket system back to HackerOne reporters, to ensure that doesn’t happen in the future. And making sure all updates back from submitters make it to the appropriate development team,” the post said. “Agree this looks very bad, but I can assure you the optics of this aren’t an accurate reflection of how security issue reports are handled. We did drop the ball in communication here, but it wasn’t due to the issue being ignored.”

As egregious as the four-month wait for a patch was the fact that the root cause of the vulnerability is the use of a 20-year-old PHP script in the interface. According to SEC Consult, the vulnerability lives in the pingtest_action.cgi script, which uses PHP/FI 2.0.1, built in 1997.

“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website,” SEC Consult said in its advisory. “The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”

SEC Consult previously disclosed the lack of cross-site request forgery and cross-site scripting protection in January. Most of the same Ubiquiti gear was impacted as well, and the vendor told SEC that it considered this a low-risk threat and had no estimate for a patch. The researchers went public with an advisory Jan. 30.

The command injection flaw exposes the Ubiquiti admin interface to a number of risky attacks, SEC Consult said. For example, an attacker could connect to a vulnerable device by opening a port binding or reverse shell, and also change the password because the service runs as root.

“Low privileged read-only users, which can be created in the web interface, are also able to perform this attack,” SEC Consult said. “If the Ubiquiti device acts as router or even as firewall, the attacker can take over the whole network by exploiting this vulnerability.”
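The advisory describes three separate defects in one endpoint: a request parameter reaching a shell command, no CSRF protection (so a single GET from a malicious page is enough), and no privilege check (read-only users can trigger it). The following is an added example, not Ubiquiti’s or SEC Consult’s code, of how a ping-test handler looks with each of those closed. The handler, its request/session dictionaries and the `runner` hook are hypothetical; the shell-free execution and the allow-list are the standard defences. The `ping -c` option assumes a Linux/BSD ping.

```python
import hmac
import ipaddress
import re
import secrets
import subprocess

# Hostname label per RFC 1123: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def vulnerable_ping_command(host: str) -> str:
    """The shape of the bug: a request parameter is spliced into a shell command line, so
    shell metacharacters in `host` are interpreted instead of being pinged. Shown for
    contrast only; nothing in this example executes it."""
    return "ping -c 1 " + host


def is_valid_target(host: str) -> bool:
    """Allow-list: an IPv4/IPv6 literal or a well-formed hostname, nothing else."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list:
    """Build the command as an argument vector: no shell ever parses the target."""
    if not is_valid_target(host):
        raise ValueError(f"rejected ping target {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the allow-listed command without a shell and return its exit status."""
    return subprocess.run(safe_ping_argv(host), shell=False, timeout=timeout,
                          capture_output=True).returncode


def new_csrf_token() -> str:
    """Per-session random token, stored server-side and embedded in the form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted) -> bool:
    """Constant-time comparison of the form token against the session's token."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


def handle_pingtest(request: dict, session: dict, runner=run_ping) -> tuple:
    """Hypothetical handler for a ping-test endpoint (assumed shapes:
    request = {"method": ..., "form": {"csrf": ..., "host": ...}}, session = {"csrf": ..., "role": ...}).
    Checks in order: POST only, so a crafted link cannot trigger it; the session's CSRF token;
    administrator role, so read-only accounts cannot run it; then the target allow-list.
    Only after all four does the shell-free ping run. Returns (status, message)."""
    form = request.get("form", {})
    if request.get("method") != "POST":
        return 405, "ping test must be submitted with POST, not a GET link"
    if not csrf_token_valid(session.get("csrf"), form.get("csrf")):
        return 403, "missing or mismatched CSRF token"
    if session.get("role") != "admin":
        return 403, "read-only users may not run diagnostics"
    try:
        status = runner(form.get("host", ""))
    except ValueError as exc:
        return 400, str(exc)
    return 200, f"ping exited with status {status}"
```

The advisory’s other point, that the service runs as root, is not something the handler can fix; it is the reason the allow-list and the argument vector matter so much, since any injection there is an injection into a root process.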

The Reddit post, meanwhile, indicates that Ubiquiti is working on patches, and that the vulnerability has been addressed in AirOS 8.0.1, the operating system running in Ubiquiti airMAX products, and that additional patches were imminent.

This article was updated March 17 with comments from Ubiquiti Networks regarding currently available patches.




Intel, Microsoft Announce New Bug Bounties

Intel announced its first bug bounty program, offering up to $30,000 to researchers who find critical vulnerabilities in its hardware.

The invite-only program, which is being run on the HackerOne platform, was announced today at the CanSecWest conference in Vancouver.

Intel said its software, firmware and hardware are in scope for rewards, with critical software and firmware finds being worth $7,500 and $10,000 respectively.

“We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability,” Intel said. “By partnering constructively with the security research community, we believe we will be better able to protect our customers.”

Intel announced further pricing for its bounty: up to $10,000 for high-severity hardware bugs, up to $2,000 for medium-severity issues and up to $1,000 for low severity.

High-severity firmware bugs could be worth up to $5,000 while high-severity software flaws could fetch up to $2,500.

Intel said that its Intel Security products, the former McAfee, are not in scope for a bounty, nor are Intel’s web infrastructure, or recent acquisitions.

Microsoft also announced today that it was launching a bug bounty for its Office Insider Builds on Windows.

Insider Builds, Microsoft said, provides users with early access to new Office capabilities and security features. Microsoft said it hopes researchers will test early Office builds for vulnerabilities before they drop into production.

Microsoft said it would pay up to $15,000 for high-severity elevation of privilege vulnerabilities via Office Protected View and for macro execution vulnerabilities that bypass security policies already in place that block macros by default. Other high-severity bugs that enable code execution and bypass Outlook’s attachment-block policies will be worth up to $9,000.

The program opens today and will run for three months until June 15.

“The Office Bug Bounty Program complements our continuous internal engineering investments that include designing secure features through threat modeling, security in code reviews, security automation, and internal penetration testing,” Microsoft said.




Where Have All The Exploit Kits Gone?

The bloom is off exploit kits.

Once a mainstay for cybercriminals, attacks tied to exploit kits have now dried up to just a trickle. For sure, they haven’t gone away. But researchers say Angler, Neutrino and Nuclear, kits that once dominated the threat landscape, are gone, usurped by new threats and a resurgence in old ones.

“When we compare exploit kit activity from January to December of 2016 there’s a drop of 300 percent in activity. That’s primarily due to these EKs dropping off the face of the Earth,” said Karl Sigler, threat intelligence manager at Trustwave.

Exploit kits are a type of malicious toolkit chock-full of pre-written exploits targeting various browser plugins such as Java and Adobe Flash. Kits are planted on booby-trapped sites or used in malvertising campaigns, and spring into action if they detect a vulnerability in a visitor’s browser or web application.

In their heyday the Angler, Magnitude, Neutrino and Nuclear exploit kits accounted for 96 percent of exploit kit activity at the end of 2015, according to data from security firm Infoblox. Today, exploit kits are mostly dormant and development has gone stagnant.

Where did they go and why?

Arrests Send Crooks Scurrying

Some credit the downturn in exploit kit activity in 2016 to high-profile arrests of members of cybercrime outfits such as Lurk, who were behind the Angler Exploit Kit. In the case of Lurk, dozens of hackers were arrested across Russia in June 2016.

According to a detailed report by Kaspersky Lab on the takedown, the gang controlled Angler’s infrastructure and development, and was behind its distribution. At the time, Angler was one of the most notorious exploit kits on the Internet.

“The arrests of Lurk and the subsequent demise of Angler was not the single event that triggered exploit kit gangs to go dormant. But looking back, it’s hard not to assume that others behind Neutrino and others didn’t see this as a harbinger,” said Deepen Desai, senior director of research and operations at Zscaler.

But even before the Lurk arrests, the Nuclear crew had all but shut down its operation in the May and June timeframe. That followed an in-depth analysis of the gang’s malware-as-a-service infrastructure by Check Point researchers.

The third nail in the coffin for the dominant exploit kits was the decline of Neutrino. It abruptly shut down in September following a joint Cisco and GoDaddy operation in which a large number of malvertising campaigns spreading the exploit kit were shuttered.

Patrick Wheeler, director of threat intelligence at Proofpoint, notes that exploit kit activity declined 93 percent between January and September last year, but adds that activity hasn’t stopped altogether.

Wheeler said after Nuclear and Angler went dormant, criminals behind exploit kits have downsized and gone deeper underground focusing on private development and smaller campaigns. Such is the case with Magnitude, RIG, and Sundown, he said.

Strong Offense and Even Better Defense

It hasn’t been just a strong offense credited for pointing exploit kit gangs back into the shadows. A number of researchers credit a strong defense.

“Crimeware tools are only as good as their target’s defenses,” said Amol Sarwate, director of engineering at Qualys. He said recent efforts to fortify Microsoft’s browsers, Adobe’s Flash and Oracle’s Java browser components against exploit kit activity have paid off.

“There used to be a lot of low hanging fruit,” he said. “For now, that’s not the case.”

“Adobe Flash has been the top target for exploit kits such as RIG and Angler for a long time. Out of more than 3 billion scans that Qualys performs each year we saw that in 2016 Adobe flash vulnerabilities were patched about 40 percent faster as compared to the prior year. This implies that the industry is doing a better job with patching Flash, and although Flash is not dead it is being fixed more quickly,” according to a 2016 Qualys analysis.

Oracle has also taken steps to defend against crimeware used in exploit kits. Last year, the makers of Java announced they were pulling the browser plugin from the next desktop version of Java (Java JRE 9). That meant Java software would no longer plug directly into the user’s web browser, reducing the number of browser attacks that target outdated Java plugins.

“As much as I’d like to say it’s one thing that we did, it wasn’t,” said Peleus Uhley, lead security strategist within Adobe’s Secure Software Engineering Team. He said work with Microsoft and Google has paid off, especially when it comes to mitigating memory-corruption bugs, a popular class of vulnerability exploited by exploit kits. Uhley said Control Flow Guard, a memory-corruption security technology baked into Windows 10, has been an effective tool at mitigating use-after-free attacks, which became a favorite crimeware exploit once ASLR and DEP put a damper on buffer overflow attacks.

“It’s a cumulative effort on our part and the security community. Nobody is resting on their laurels. The attackers continue their development and so will we,” Uhley said.

Crooks Try Different Tactics

Cybercriminals have continued to develop new delivery mechanisms for planting their malicious payloads on targeted systems. But, the focus isn’t currently on exploit kits, rather social engineering-based attacks, said Ryan Olson, intelligence director at Unit 42 of Palo Alto Networks.

“It’s not as if criminals have thrown in the towel,” Olson said. “A big component in a drought of exploit kit development has been the rise of Office macros used to deliver malware. For the past year we just have seen a continuous increase of macro document-based attacks replacing a lot of what exploit kits used to do,” he said.

Locky ransomware, Dridex banking Trojans and Gootkit Trojan information stealers all used to be distributed mainly via exploit kits and are now being spread primarily via spam, phishing and spear phishing campaigns.

“What we are finding it’s much easier to use social engineering to trick people into installing malware than to exploit a vulnerability,” said Proofpoint’s Wheeler. “What attackers have done is replaced the automated exploit with (socially engineered) ploys to get people to click.”

That type of social engineering has moved beyond the inbox as well, Wheeler said. “We saw attackers trying to trick Google Chrome users to install ‘Chrome Font’ malware on compromised websites,” Wheeler said. Instead of being attacked via an exploit kit, attackers presented visitors with a fake prompt to install a Chrome plugin called “Chrome Font” that was actually a type of ad fraud malware known as Fleercivet.

While spam-based ploys that enlist social engineering tricks may seem like a crude alternative to exploit kits, Trustwave’s Sigler says they aren’t. “Social engineering attacks have always been popular, especially in phishing attacks. However, I would not say that social engineering attacks are any cheaper or easier to use. Good social engineering attacks require research if it’s a targeted attack or infrastructure like a spam botnet if it’s more of an opportunistic attack,” he said.

In June, Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks. In December, attackers revived the old spamming technique known as hailstorm and leveraged the Necurs botnet to spread both the Dridex banking malware and Locky ransomware via malicious Word documents.

Despite being a fairly archaic attack vector, it’s managed to work for attackers, said researchers.

Gangs Quietly Regroup

Meanwhile, new exploit kits are quietly under development. One example of this is an exploit kit called DNSChanger, spotted in December and being distributed via malvertising. Researchers at Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn’t target browsers, but rather a victim’s router.

Through a complex series of steps, DNSChanger is able to decrypt the target’s router fingerprints to determine if a target is using a vulnerable model. “Once it performs the reconnaissance functions, the browser will report back to the DNSChanger kit which returns the proper instructions to perform an attack on the router,” according to Proofpoint. The goal: open ports on the router for malicious purposes.

New exploit kits also continue to surface, such as the Terror EK, identified by Zscaler earlier this year. Terror is an example of a newer exploit kit cobbled together from pieces of other exploit kits such as Sundown and Hunter, according to Zscaler.

Zscaler’s Desai notes that Terror is typical of newer exploit kits. “It’s smaller, more customized and their target is much more defined and they have chosen a very specific geographic area to target,” he said.

Other exploit kit innovations spotted by Zscaler include more kits using SSL to shield their landing pages and gates from network appliances. Desai notes that newer exploit kits are also adding more anti-analysis fingerprinting code to avoid being detected in sandboxed environments.

“Exploit kits still pose a significant threat. There is nothing new about exploit kit authors hiding their activities and frequently changing tactics,” Desai said. “There is no reason to believe we won’t see a resurgence of exploit kits in the future. The question is when.”




Patch Tuesday Returns; Microsoft Quiet on Postponement

Patch Tuesday returned today as expected after last month’s postponement with a giant release of fixes that includes patches for vulnerabilities disclosed and exploited since the last set of updates in January.

Microsoft, however, was relatively silent on the reasons why the February updates were suddenly yanked at the last minute. The company pushed out a brief blog post last month explaining that there was an issue that could impact customers and could not be resolved in time.

Today, a Microsoft representative sent a less-than-satisfying response to a request for an interview or comments on last month’s postponement: “Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. We extensively test our updates prior to release and are confident that our systems are working as expected and the issue that delayed the February updates is resolved.”

Since the January updates, Google’s Project Zero research team had publicly disclosed details and proof-of-concept exploits for two vulnerabilities: a code execution flaw in Microsoft’s Edge and Internet Explorer browsers, and a memory leak issue in the Windows GDI library. Another flaw in the SMB file-sharing protocol was also publicly disclosed after it was discovered that the original patch released last year for the bug was incomplete. The Department of Homeland Security released an advisory upon disclosure of the SMB bug, a memory corruption issue which could crash Windows systems.

The worry expressed by a number of experts centered on the time users were exposed and the public availability of proof-of-concept code accelerating in-the-wild attacks.

“While there may not be active campaigns to exploit these issues today, the clock does appear to be ticking,” said Tod Beardsley, senior research director at Rapid7 in a Feb. 23 interview with Threatpost.

Among today’s 18 security bulletins, eight were rated critical, including separate bulletins for Edge and IE that patched the two Google-disclosed bugs. MS17-006 patches 12 vulnerabilities in IE, including CVE-2017-0037—which is also patched in Edge—disclosed by researcher Ivan Fratric, who privately disclosed the flaw to Microsoft last Friday and expressed surprise the company was not able to patch it sooner. The flaw is a type-confusion bug in Edge for Windows 10 and in IE 11 that allows for arbitrary code execution.

Microsoft said four other bugs addressed in the IE bulletin were also publicly disclosed, a privilege escalation flaw (CVE-2017-0154), an information disclosure bug (CVE-2017-0008) and two browser spoofing vulnerabilities (CVE-2017-0012 and CVE-2017-0033).

The Edge bulletin, meanwhile, patched 32 vulnerabilities, with four of the same bugs patched in the IE bulletin. Eighteen memory corruption vulnerabilities were patched in the Edge scripting engine alone, while three browser spoofing issues were publicly disclosed (CVE-2017-0012 and CVE-2017-0033 as in IE, and CVE-2017-0069). The Edge bulletin patches remote code execution, elevation of privilege, information disclosure and security feature bypass vulnerabilities.

The disclosed Windows GDI library vulnerability (CVE-2017-0038) was patched in MS17-013; the bug discloses data through memory and was disclosed by Google engineer Mateusz Jurczyk. Microsoft originally patched this issue in June 2016, but the fix was incomplete. The GDI bulletin patches 20 CVEs overall.

In Jurczyk’s proof-of-concept exploit, multiple bugs related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF (Enhanced Metafile Format) records created conditions where “255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space,” the researcher said.

The SMB vulnerability, meanwhile, was patched in MS17-012, one of six vulnerabilities addressed in the bulletin. The denial-of-service vulnerability was privately disclosed Feb. 2 by researcher Laurent Gaffie, who found the flaw in SMB 2.0 and 3.0.

“The vulnerability is due to improper handling of certain requests sent by a malicious SMB server to the client,” Microsoft said in the advisory. “An attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted.”

In addition to Gaffie’s original proof-of-concept exploit, other researchers quickly found ways to use it in attacks.

Gaffié’s proof of concept relies on tricking a victim to connect to a malicious SMB server instance, something that could prove challenging for an attacker. Experts with Dell SecureWorks said that it could be more effective for attackers to combine Gaffié’s attack with a redirect to SMB vulnerability from 2015 to crash a victim’s machine.

There are four other bulletins available today rated critical:

MS17-008: Microsoft also patched Hyper-V, the native hypervisor running on Windows that can create virtual machines, addressing 11 vulnerabilities, including four that could allow for code execution, along with a handful of information disclosure and denial-of-service bugs.

MS17-009: Microsoft patched a remote code execution vulnerability in the Windows PDF Library. The memory corruption issue allows an attacker to run arbitrary code on the underlying system; on Windows 10 with Edge as the default browser, an attacker could exploit the flaw by tricking a user into visiting a website hosting attack code.

MS17-010: Microsoft patched a half-dozen flaws in the Windows SMB Server, five of which allow for remote code execution because of the way the server handles certain requests. A malicious packet sent to an SMBv1 server could trigger the vulnerability. The bulletin also addresses a separate information disclosure issue.

MS17-011: Microsoft patched 29 vulnerabilities in Uniscribe, a Windows service used to render Unicode. Most of the vulnerabilities are information disclosure issues, but the bulletin also includes patches for eight remote code execution flaws.




Threatpost - Adobe Fixes Six Code Execution Bugs in Flash

Adobe on Tuesday patched seven vulnerabilities in Flash Player, six that could lead to code execution. The company said it isn’t aware of any of the vulnerabilities being exploited in the wild but is still encouraging users to update Flash for Windows, Macintosh, Linux and Chrome OS.

The vulnerabilities exist in versions and earlier of Flash, according to a security bulletin issued by the company Tuesday morning. 

Adobe is warning the six bugs–a buffer overflow vulnerability, two memory corruption vulnerabilities, and a trio of use-after-free vulnerabilities–could be exploited to trigger code execution. The lone bug that doesn’t lead to code execution stems from a random number generator vulnerability. That vulnerability, dug up by two researchers at Nanyang Technological University in Singapore, Wang Chenyu, and Wu Hongjun, could lead to information disclosure if exploited.

Users can apply the update through the usual distribution channels. Google Chrome, Microsoft Edge and Internet Explorer 11 users will receive the updates automatically. Devotees of Flash Player Desktop Runtime for Windows, Macintosh and Linux are being urged to update via the program’s update mechanism.

Adobe also shipped an update for Shockwave Player for Windows on Tuesday.

Versions and earlier of the multimedia software plugin contained a vulnerability that, if exploited, could lead to escalation of privilege, a security bulletin warned. The vulnerability stemmed from Shockwave’s directory search path. The patched version is available at Adobe’s Shockwave Player Download Center.

Adobe has stuck by its usual Patch Tuesday patching schedule so far in 2017.

In January it pushed out 13 patches, 12 that could have led to remote code execution; in February the company patched 13 vulnerabilities, all which could have led to code execution in the software.

With this year’s iteration of Pwn2Own, the annual hacking challenge held in tandem with CanSecWest in Vancouver, set to kick off tomorrow, it could be only a matter of days until Adobe releases a set of emergency updates for Flash.

Hackers took down Flash on the first day of Pwn2Own last year and earned $13,000 in the process. One group of hackers combined a type confusion bug in Flash with a Windows kernel bug, while another group exploited an out-of-bounds bug in the platform and chained it together with an infoleak in the Windows kernel.

For this year’s contest competitors can earn $50,000 for exploiting Flash in Microsoft Edge and another $30,000 if their exploit achieves SYSTEM-level code execution.




Threatpost - Google Chrome 57 Browser Update Patches ‘High’ Severity Flaws

Google released an updated version of its Chrome browser on Thursday to fix nine high-severity vulnerabilities that if exploited could allow adversaries to take control of targeted systems. As part of the update, Google thanked nearly two dozen bug hunters with bug bounty payments totaling $38,000.

Topping the list of vulnerabilities patched are a memory corruption flaw in the V8 JavaScript engine, a use-after-free bug found in Google’s Almost Native Graphics Layer Engine, and an out-of-bounds write flaw found in the PDFium component of the Chrome browser.

Google said its Chrome version 57.0.2987.98 update for Windows, Mac and Linux includes a number of fixes and improvements, and that it will roll them out over the coming days and weeks. Beta Chrome 57 was introduced in February and included new features such as CSS grid layout, an improved add-to-home-screen flow and the Media Session API. Chrome 57.0.2987.98 was released to Google’s Stable channel, which means the software has been fully tested by the Chrome OS team.

In November, Google said it had removed support for SHA-1 certificates in Chrome 56, but would distinguish between certificates chained to a public Certificate Authority and those chained to local CAs. However, with the introduction of Chrome 57, released to the Stable channel in March, Google said at the time, “Features which require a secure origin, such as geolocation, will continue to work, however pages will be displayed as ‘neutral, lacking security.’ Without this policy set, SHA-1 certificates that chain to locally installed roots will not be trusted starting with Chrome 57.”

Google did not mention the additional SHA-1 notification feature Thursday with the rollout of Chrome 57.0.2987.98. However, it said more information regarding Chrome 57 is pending via its Chrome and Chromium blog.

The Chrome security holes were disclosed to Google’s Chromium Project and its bug bounty program. The largest bounty, $7,500, was paid to researcher Brendon Tiszka for the memory corruption flaw (CVE-2017-5030) in the V8 JavaScript engine.

The second highest bounty of $5,000 was paid to researcher Looben Yang for the use-after-free bug (CVE-2017-5031) found in Google’s Almost Native Graphics Layer Engine.




Threat Post - Confide Updates App After Critical Security Issues Are Raised

The makers of the popular messaging app Confide said Wednesday that they have patched multiple security vulnerabilities that could have allowed hackers to intercept messages sent using its secure end-to-end messaging platform.

The flaws were identified in two separate reports, both released Wednesday, by security firms IOActive and Quarkslab. Both allege there are critical security vulnerabilities in versions of Confide’s encrypted messaging app, including version 4.0.4 for Android and 1.4.2 for Windows and OS X.

The security of Confide’s platform has taken center stage ever since reports surfaced last month that senior White House staff, including press secretary Sean Spicer, were using the app. Confide claims to offer “battle tested, military grade encryption.” According to Google Play, the Android app has been installed between 100,000 to 500,000 times.

Researchers with IOActive said Confide suffered from a bevy of security vulnerabilities including:

  • Confide’s notification system did not require a valid SSL server certificate to communicate, therefore opening the door for an attacker to perform a man-in-the-middle attack.
  • The app lacked sufficient notifications when unencrypted messages were sent and received.
  • The application failed to have adequate protections to prevent brute-force attacks on user account passwords.
  • Confide’s website was vulnerable to an arbitrary URL redirection, which could facilitate social engineering attacks against its users.

IOActive also raised issues with Confide’s handling of public keys.

“Confide failed to provide a participant fingerprint authentication mechanism, allowing Confide to conduct man-in-the-middle attacks on encrypted messages by changing the public keys sent to parties of a conversation,” wrote IOActive researchers Mike Davis, Ryan O’Horo and Nick Achatz, who co-authored the report.

Quarkslab also took issue with some of the security vulnerabilities highlighted by IOActive, and singled out the way Confide handled public and private encryption keys.

“The most obvious problem… is linked to the fact that the encrypted message origin and the authenticity of the public encryption key transmitted by the server can in no way be verified by the client,” wrote Jean-Baptiste Bédrune, security researcher with Quarkslab.

“The Confide server could generate its own key pair and transmit the public part to a client when the latter requests the public key of a recipient (we only note that Confide is able to do so, not that it does so). This client then unknowingly encrypts a message that can be decrypted by the server. Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient,” Bédrune wrote.

Similar public key concerns were raised earlier this year when researchers commented on how WhatsApp and earlier versions of iMessage handled key change notifications. In February, Jonathan Zdziarski, an independent security researcher and forensics expert, wrote about Confide’s key exchange approach.

“What seems different about (Confide) encryption is that it appears to regenerate the public key under certain circumstances. It’s unclear why, but unlike Signal and WhatsApp, which consider it something to alert you about if your public key changes, Confide appears to consider this part of its function. Key exchange is always the most difficult part of good encryption routines. Depending on whether or not Confide is able to detect this and warn the user, it’s possible (although not confirmed) that the application could be susceptible to the same types of man-in-the-middle attacks that we’ve seen theorized in WhatsApp (if you leave the alerts off) and iMessage,” Zdziarski wrote.

Bédrune said the confidentiality of the exchanged messages depends on the robustness of TLS.

“Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass,” he said.
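The key-substitution scenario Quarkslab describes, and the participant fingerprint check IOActive says was missing, as an added example (not Confide's code): the public keys are random 32-byte stand-ins, the key directory is simulated, and the client pins each contact's key fingerprint on first use and can confirm it against a fingerprint read out of band.

```python
"""Why a participant fingerprint check matters for end-to-end messaging.

Added example for this page, not Confide's code. The public keys are random
32-byte stand-ins (constructed) and the key directory is simulated; what is
demonstrated is the check, not a cipher. The client pins the fingerprint of
each contact's key on first use (TOFU) and can also confirm it against a
fingerprint read out of band. A directory that swaps in its own key, as
Quarkslab describes, is refused instead of being silently encrypted to.
"""
import hashlib
import os


def fingerprint(public_key: bytes) -> str:
    """Colon-separated hex of the first 16 bytes of SHA-256(key): a short
    value two people can compare in person or over the phone."""
    digest = hashlib.sha256(public_key).digest()[:16]
    return ":".join(f"{b:02X}" for b in digest)


class KeyDirectory:
    """Simulated honest server: returns the key each user registered."""
    def __init__(self):
        self._keys = {}

    def register(self, user: str, public_key: bytes) -> None:
        self._keys[user] = public_key

    def lookup(self, user: str) -> bytes:
        return self._keys[user]


class SubstitutingDirectory(KeyDirectory):
    """Simulated dishonest server: hands out its own key for everyone, so it
    could decrypt and re-encrypt every message passing through it."""
    def __init__(self, server_key: bytes):
        super().__init__()
        self._server_key = server_key

    def lookup(self, user: str) -> bytes:
        return self._server_key


class Client:
    def __init__(self, directory: KeyDirectory):
        self.directory = directory
        self.pinned = {}  # contact -> fingerprint accepted for that contact

    def verify_out_of_band(self, contact: str, fp_from_contact: str) -> bool:
        """Pin a fingerprint the contact showed you directly. Returns False,
        and pins nothing, if it disagrees with an earlier pin."""
        if contact in self.pinned and self.pinned[contact] != fp_from_contact:
            return False
        self.pinned[contact] = fp_from_contact
        return True

    def recipient_key(self, contact: str):
        """Fetch the contact's key and return (key, status).
        status: 'pinned' (first use), 'ok' (matches the pin), 'MISMATCH'
        (the directory returned a different key; no key is returned)."""
        key = self.directory.lookup(contact)
        fp = fingerprint(key)
        if contact not in self.pinned:
            self.pinned[contact] = fp
            return key, "pinned"
        if self.pinned[contact] == fp:
            return key, "ok"
        return None, "MISMATCH"


def demo():
    """Honest lookups first, then the server starts substituting its key."""
    bob_key, server_key = os.urandom(32), os.urandom(32)  # constructed stand-ins
    honest = KeyDirectory()
    honest.register("bob", bob_key)
    alice = Client(honest)
    _, first = alice.recipient_key("bob")    # 'pinned'
    _, second = alice.recipient_key("bob")   # 'ok'
    alice.directory = SubstitutingDirectory(server_key)
    key, third = alice.recipient_key("bob")  # 'MISMATCH', key is None
    return first, second, third, key


if __name__ == "__main__":
    print(demo())
```

Pinning on first use only catches a key that changes later; comparing the fingerprint out of band with the contact is what closes the gap on the very first lookup.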

Quarkslab also claims that security features in the Android, iOS and desktop app, such as message deletion and screenshot prevention, can be easily circumvented.

For its part, Confide co-founder Jon Brod told Threatpost via email Wednesday the company was able to fix the issues quickly.

“We were able to detect anomalous behavior and remediate many of the issues during IOActive’s testing in real time starting on February 24. We were able to quickly address the remaining issues after the initial contact and roll out client updates in less than 48 hours. Not only have these issues been addressed, but we also have no detection of them being exploited by any other party. We do acknowledge the findings, but believe that the firm is overstating the severity level of some of them.”

IOActive claims the company privately disclosed its research to Confide in February and that Confide fixed the issues and updated the app on March 3, 2017.

Brod did not address the security concerns raised by Quarkslab.

“All the issues have been reported to Confide, and they are working on fixing them. In the meantime, do not consider your conversations to be so well concealed,” Bédrune wrote.




WordPress 4.7.3 Patches Half-Dozen Vulnerabilities

WordPress released a security update on Tuesday that patched a half-dozen bugs, including one that could be chained with the recent REST API Endpoint flaw that led to a million website defacements. Given that more than half of WordPress sites are still not protected against that flaw, odds are that we haven’t heard the last of that vulnerability.

The REST API vulnerability was silently patched in version 4.7.2, yet there are apparently at least one million sites that don’t have automatic updates enabled and were attacked by hackers. The defacements came quickly after the Jan. 27 release of 4.7.2 and disclosure of the issue, as hackers took advantage of unpatched sites to leave behind defacements pointing to spam and phishing sites such as rogue pharmaceutical solicitations.

According to WordPress statistics, 44.8 percent of sites are on at least version 4.7, meaning that the remainder are exposed to a litany of vulnerabilities addressed in older versions.

Yesterday’s 4.7.3 update included a fix for a cross-site scripting vulnerability privately disclosed by researchers at Sucuri, who also found the REST API bug. Marc Montpas, a researcher with Sucuri, said the new XSS vulnerability was found during research on the REST API flaw and could be triggered by a URL included in YouTube embeds. Montpas said the vulnerability could be exploited by users with certain privileges such as contributors or authors. An attacker could insert malicious shortcodes in a post that would bypass the cross-site scripting protections native to WordPress.

“When an administrator visits the affected post, the XSS payload will execute and may force his browser to perform administrative actions on his behalf, like storing backdoors on the site and creating new administrator accounts,” Montpas told Threatpost. “This vulnerability alone isn’t very risky, because it requires the attacker to have very specific privileges on the site. But combined with the REST API vulnerability we found last month, which basically allowed any visitor to edit a site’s posts, it could have caused quite a mayhem.”

The REST API vulnerability allows an attacker with one line of exploit code to access the API and change site content and URL permalinks. The issue lies in the way the REST API manages access: it favours values supplied in the request, such as GET and POST parameters, over the existing values, so any request with letters in its ID would bypass a permission check and essentially grant an attacker admin privileges.

Researchers at SiteLock said that about 20 different hackers were trying to monetize the defacements with links to rogue pharmaceutical websites.

The REST API endpoint vulnerability was introduced in WordPress 4.7 in December, and silently patched in January because of its severity. Since WordPress is packaged with automatic updates turned on by default, most installations are updated and secured. Those that have disabled the feature, or where updates failed, remain vulnerable.

Another cross-site scripting vulnerability that was patched yesterday, one that could be exploited through media file metadata, was originally reported by researcher Chris Andre Dale in December 2014. Researcher Yorick Koster reported the bug again to WordPress which discovered that the original patch only partially addressed the issue, said Aaron Campbell, recently appointed as WordPress’ new lead of security triage and resolution.

“What would happen is that an administrator or author would upload my picture, and I would then have my JavaScript running 100 percent stealthy in their browser,” Dale told Threatpost. His original disclosure explained how an attacker could embed a cross-site scripting payload into image metadata, namely the EXIF data of a JPEG.

The remainder of the 4.7.3 update addressed another bug, reported by student researcher Daniel Chatfield, who disclosed that control characters could trick redirect URL validation. Also patched was an issue where unintended files could be deleted by a site admin using the plugin deletion functionality. Separate cross-site scripting (via taxonomy term names) and cross-site request forgery (in Press This, which could exhaust server resources) vulnerabilities were also patched.




Threatpost - New Fileless Attack Using DNS Queries to Carry Out PowerShell Commands

A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers, a method that researchers said makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems.

According to experts at Cisco’s security research outfit Talos, the infection chain begins with a rigged Word document sent to recipients who are encouraged to “enable content” so they can view a message. If enabled, the document launches a Visual Basic for Applications macro that opens the initial PowerShell command that ultimately leads to the multistage attack and the eventual installing of a remote access Trojan.

“This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection,” wrote Cisco’s Edmund Brumaghin and Colin Grady.

The initial PowerShell instructions that are executed are contained within the Word document itself.

Researchers said the attack is unique because it does not involve a typical infection chain that includes files written to the targeted system. Instead, the malware infection technique uses DNS TXT messaging capabilities to request and fetch malicious PowerShell commands stored remotely as DNS TXT records.

Researchers said the malware sample uses DNS TXT record queries and responses creating a bidirectional command and control channel. “This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker,” researchers wrote.

According to a technical analysis, attackers leveraged multiple VBA scripts, each unpacking a unique self-contained PowerShell script. During each of the stages in the infection process, malware would send DNS queries to one of multiple domains hardcoded in the script.

“The document uses the Document_Open() function to call another VBA function. The called function sets a long string that defines a Powershell command and includes the code to be executed. The command is then executed using the Windows Management Interface (WMI) Win32_Process object using the Create method,” researchers said.

This process, “allows the code to be executed without ever requiring it to be written to the filesystem of the infected system,” according to Talos.

The objective of the multi-stage infection process is to determine the access privileges of the targeted system and which version of PowerShell is installed on it, make changes to the Windows Registry, and open a backdoor in order to maintain persistence.

Cisco notes that DNSMessenger demonstrates the ingenuity and lengths attackers are going to avoid detection. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure,” researchers wrote.

“This appears to have been a fairly targeted attack and was not very widespread compared to other campaigns we regularly observe,” said Brumaghin. He added the intent of the malware is unclear. “We were unable to get the C2 infrastructure to send commands to execute. This is common with targeted attacks as the attackers will only choose to send commands to their intended victim.”




NCSC - Weekly Threat Report 17th February 2017

Official Launch of the National Cyber Security Centre

February 14th marked the official launch of the National Cyber Security Centre (NCSC) HQ by Her Majesty the Queen. The Centre will work to make the UK the safest place to live and do business online.

In acknowledgement that Government alone cannot protect the public from cyber attacks, the Chancellor announced the launch of the Industry 100 initiative. Industry 100 will see the Centre invite expertise from industry to collaborate with the NCSC in achieving its mandate of enhancing the cyber security of the UK.

A reflection on the diversification of cyber crime

The nature of the cyber-criminal threat to the UK is diversifying: highly skilled actors are becoming increasingly competent and targeted in their attacks, while the barriers to entry for less-skilled actors are lowering.

At the high capability end of the spectrum, banking Trojans are reportedly becoming increasingly targeted, with a focus on financial institutions which offer larger relative rewards than end-user customers. Meanwhile, ransomware attacks are said to be specifically targeting those organisations perceived as being more likely to pay because of their need for timely access to time-critical data.

At the other end of the skill spectrum, individuals with minimal cyber capability can carry out nefarious activities online using Crimeware-as-a-Service tools. DDoS attacks, email compromises, criminal infrastructure and more can be bought or rented at minimal cost. Notably, sites now offer live chats with support agents, and collect marketing information to better understand their customers. This trend risks further normalizing low level cyber crime.

The diversification of the cyber-crime threat poses challenges for law enforcement and security professionals, who will face highly skilled, targeted threats. Simultaneously, resources are increasingly consumed by low-skilled attackers using services offered by more competent actors. Detailed analysis of this changing cyber-criminal landscape will be published in NCSC Assessment's Annual Report.

Warning of cyber threat from building owners

The US Government Accountability Office (GAO) has warned of the potential threat of cyber intrusions from foreign owners of office buildings. Numerous properties occupied by US law enforcement agencies are owned by firms domiciled abroad, including in China, Israel, South Korea and Japan. Some of the buildings are used for sensitive activities including managing classified operations, hosting data centres and storing high-security material. Most of the agencies were unaware that their buildings were foreign-owned.

The GAO's report highlights concerns from the Department of Homeland Security that "threat actors could coerce owners into collecting intelligence about the personnel and activities of the facilities when maintaining the property." This could potentially include exploiting building infrastructure to facilitate cyber intrusions. The GAO recommends that US government agencies should be informed if their buildings are foreign-owned, so that appropriate security measures can be implemented, where necessary.

While the report focuses on the threat to official bodies, the concerns it raises may also apply to commercial organisations dealing with corporate-sensitive information. Although there are no reported instances so far of such intrusions taking place in the US or UK, this issue highlights the need for precautions regarding landowners' access to buildings hosting sensitive activities.

Weaponised Macros targeting Mac users

Security researchers have reportedly identified the emergence of Microsoft Word documents containing malware-infected macros for installing malicious software on macOS devices.

This technique has been used for some time to infect Windows users with malware. However, it is the first reported in-the-wild instance for Word documents containing malicious macros that execute solely on macOS. When users attempt to open the attachment, they are prompted to enable macros. If macros are enabled the malware executes its payload.

Although not a particularly sophisticated attack technique, this methodology has been successful in delivering ransomware and banking Trojans to Windows users worldwide. It looks like Microsoft Word users on macOS may now also fall victim to such attacks. This is a timely reminder that cyber criminals are regularly looking to enhance their pool of potential victims; regardless of software and hardware, users must be vigilant of the risks.

Watering hole attacks infected a larger pool of victims than first thought

Last week it was reported that the Polish financial sector had been the victim of a malware attack, where the attackers used the web server of the Polish financial regulator as a watering hole. Further investigation has revealed that the attackers intended to target over 100 organisations, mainly banks, in 31 different countries, including the UK.

Vulnerabilities Report

A number of cross-platform updates this week, with a predominant focus on Linux and Unix-based systems. Microsoft held back their Patch Tuesday release cycle due to last minute complications. The most publicised vulnerability this week concerned F5’s BIG-IP and the ‘TicketBleed’ vulnerability. Adobe released updates for Flash Player and Digital Editions to fix remote code execution vulnerabilities. Elsewhere this week there were updates to BIND, Cisco AnyConnect and Cisco ASA, IBM WebSphere, HPE NonStop Server, Xen and Google’s Android.





InterContinental Hotels Group (IHG), parent company to Crowne Plaza, Holiday Inn and Kimpton Hotels and Resorts, confirmed on Friday a breach of payment card systems used in 12 of its hotels located in North America and the Caribbean.

According to IHG, which operates 5,000 hotels worldwide, malware was found on servers used to process credit cards. The servers were infected between last August and December; the company declined to say how many payment cards were impacted.

In a statement released Friday, IHG said it found malware installed on servers used at popular destinations such as Michael Jordan’s Steak House and Bar in Chicago, the Holiday Inn San Francisco Fisherman’s Wharf, the Copper Lounge in Los Angeles, and the Palm Bar in Aruba.

The hotelier reported on Dec. 28 that it was investigating customer complaints of unauthorized charges on credit cards. At the time, the company said only a limited number of destinations were impacted before revealing more details on Friday.

“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties,” according to a statement. “Cards used at the front desk of these properties were not affected.”

According to IHG, the malware searched for magnetic stripe track data as it was being routed through servers. Track data included cardholder name, card number, expiration date and internal verification code. No information was provided on the strain of malware used in the attacks.

Hotels, restaurants and other hospitality outlets are frequently singled out as victims of opportunistic hackers. Last year alone there were nearly a dozen reports of card breaches. One of those breaches occurred in August and included 20 hotels run by HEI Hotels and Resorts, which owns chains Marriott, Sheraton, and Westin. Similarly, malware was used to siphon payment card data.

The prevalence of malware use to steal payment card data hit a peak in 2014 when it was at the center of several high-profile breaches, including Target and Neiman Marcus.

As recently as last November, security researchers at Trustwave said the Carbanak cybercrime gang, first discovered by Kaspersky Lab, had shifted strategy and began targeting the hospitality and restaurant industries with new techniques and malware. Part of the Carbanak tactics involved targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target was credit card data scraped from the memory of point-of-sale systems.

“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG wrote in a statement regarding the breach.




NCSC - Weekly Threat Report 3rd February 2017

This report is drawn from recent open source reporting.

Shamoon 2

The Saudi Arabian Government warned on 23 January that the destructive wiper malware Shamoon 2 had been detected on its government networks.

Shamoon 2 is an updated version of Shamoon, the disk-wiping malware that disabled thousands of computers at Saudi state-linked energy company Saudi Aramco in 2012.

The Saudi authorities are reporting on these latest compromises publicly and have provided reassurance that the damage is currently limited and mitigation is in place.

The re-emergence of Dridex

The notorious Dridex banking Trojan has returned. Flashpoint researchers observed a small Dridex spear-phishing campaign targeting UK financial institutions on 25 January. This is not the first time Dridex has made a reappearance; there have been peaks and troughs in the distribution of this Trojan since it first emerged in 2014. What has remained consistent, however, is the upgraded capability seen within the malware upon its return.

This Dridex re-emergence is no exception: Flashpoint researchers identified a previously unobserved User Account Control bypass mechanism in the most recent iteration of the malware. This bypass means the Windows user prompt requesting administration access for an application is not displayed, enabling Dridex to gain administrative system access without user approval.

This frequent evolution ensures infection levels are kept high, whilst frustrating the capability of network defenders to respond to attacks. Although relatively resource intensive, these regular changes have so far been worthwhile in establishing Dridex's status as one of the most prolific banking Trojans to feature in the UK, as well as yielding estimated profits of upwards of £20 million.

The Evolution of Ransomware

An earlier weekly threat report predicted further innovations in ransomware, and this has already happened with the targeting of internet-connected devices to create a “Ransomware of Things”. 

The number of Internet of Things (IoT) devices is increasing, and many have poor security, which presents opportunities for exploitation by cyber criminals. According to research company Gartner, there will be more than 26 billion IoT devices by 2020.

Researchers from IT security company ESET predict that the next step in the evolution of ransomware is "jackware" where internet-connected devices are targeted to create a Ransomware of Things (RoT). Recent RoT incidents have locked people out of hotel rooms and left a family unable to access their smart TV.

2016 was dubbed "The Year of Ransomware", but as the number of connected devices continues to increase, this phenomenon will only continue to gather pace.  

Hiding in Plain Sight

According to recent research by Forcepoint Security Labs, the Carbanak Group is now using malware that uses Google cloud services for command and control infrastructure. The group is named after Carbanak (aka Anunak) malware, which is a banking Trojan that has been used to steal hundreds of millions of pounds from international financial institutions.

The new malware issues command and control instructions to and from Google Forms Services, Google Apps Script and Google Sheets to manage infected computers. Investigations suggest that a trojanised RTF document was likely responsible for infecting the computers with the malware.

Using a legitimate third party service like Google helps the attacker hide their communications in plain sight amongst regular traffic that is unlikely to be blocked by an organisation or identified by intrusion detection systems. Detecting such threats will therefore require an evolution in protective monitoring.

This isn't the first time that cloud hosting services have been used as an attack vector; services like Dropbox have been used in the past. The technique is likely to become more popular as individual users, government departments and industry organisations make increasingly greater use of the cloud.
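One way to implement the evolution in protective monitoring the report calls for, as an added example that is not code from the report or from Forcepoint: the script below scores each client's request timing to the Google endpoints named above and flags the machine-regular check-ins that distinguish a beacon from a person filling in a form. The proxy log format, the constructed sample lines and the thresholds are assumptions.

```python
"""Periodic check-in detection for Google-service C2 traffic in proxy logs.
Added example, not NCSC or Forcepoint code; the log line format, the
constructed sample and the thresholds below are assumptions for the demo."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Google endpoints the report names as C2 channels (Apps Script, Forms, Sheets).
WATCHED_HOSTS = {"script.google.com", "docs.google.com"}
MIN_REQUESTS = 5    # too few hits and periodicity cannot be judged
MAX_JITTER = 0.15   # coefficient of variation; automated beacons cluster tightly
# Constructed proxy log: 10.0.0.7 calls an Apps Script endpoint every ~5 minutes,
# 10.0.0.9 fills in a Google Form at human-like irregular times.
SAMPLE_LOG = [
    "2017-01-26T09:00:00Z 10.0.0.7 POST https://script.google.com/macros/s/PLACEHOLDER_ID/exec 200",
    "2017-01-26T09:01:10Z 10.0.0.9 GET https://docs.google.com/forms/d/e/PLACEHOLDER_FORM/viewform 200",
    "2017-01-26T09:03:45Z 10.0.0.9 POST https://docs.google.com/forms/d/e/PLACEHOLDER_FORM/formResponse 200",
    "2017-01-26T09:05:02Z 10.0.0.7 POST https://script.google.com/macros/s/PLACEHOLDER_ID/exec 200",
    "2017-01-26T09:09:58Z 10.0.0.7 POST https://script.google.com/macros/s/PLACEHOLDER_ID/exec 200",
    "2017-01-26T09:15:01Z 10.0.0.7 POST https://script.google.com/macros/s/PLACEHOLDER_ID/exec 200",
    "2017-01-26T09:20:00Z 10.0.0.7 POST https://script.google.com/macros/s/PLACEHOLDER_ID/exec 200",
    "2017-01-26T09:24:59Z 10.0.0.7 POST https://script.google.com/macros/s/PLACEHOLDER_ID/exec 200",
    "2017-01-26T09:30:00Z 10.0.0.7 POST https://script.google.com/macros/s/PLACEHOLDER_ID/exec 200",
    "2017-01-26T09:31:02Z 10.0.0.9 GET https://docs.google.com/forms/d/e/PLACEHOLDER_FORM/viewform 200",
    "2017-01-26T09:32:00Z 10.0.0.9 POST https://docs.google.com/forms/d/e/PLACEHOLDER_FORM/formResponse 200",
    "2017-01-26T10:15:30Z 10.0.0.9 GET https://docs.google.com/forms/d/e/PLACEHOLDER_FORM/viewform 200",
]

def parse_line(line):
    """Split '<iso-time> <client-ip> <method> <url> <status>' into (time, client, host)."""
    stamp, client, _method, url, _status = line.split()
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), client, urlparse(url).hostname

def beacon_scores(lines):
    """Map (client, host) -> (hits, mean gap seconds, jitter) for watched hosts."""
    seen = defaultdict(list)
    for line in lines:
        stamp, client, host = parse_line(line)
        if host in WATCHED_HOSTS:
            seen[(client, host)].append(stamp)
    scores = {}
    for key, stamps in seen.items():
        if len(stamps) >= MIN_REQUESTS:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)   # zero only if every request shares one timestamp
            scores[key] = (len(stamps), avg, pstdev(gaps) / avg if avg else float("inf"))
    return scores

def suspected_beacons(lines):
    """(client, host) pairs whose check-in timing is too regular to be a person."""
    return sorted(k for k, (_, _, jit) in beacon_scores(lines).items() if jit <= MAX_JITTER)
```

Real proxy logs also carry the user agent and response sizes, which give a second signal: a beacon tends to send near-identical request sizes, while a person's form traffic does not.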


This was a relatively quiet week for vulnerabilities, with mainly platform-agnostic updates issued for Linux and Unix systems. Google Chrome, OpenSSL and WordPress each fixed multiple flaws addressing remote access, bypassing of security controls, and spoofing of the user interface, among other issues.  Elsewhere there were updates from F5 Networks, RSA, and IBM. No one sector was disproportionately affected this week.





Ubuntu users are being urged to update their operating systems to address a handful of recently patched OpenSSL vulnerabilities which affect Ubuntu and its derivatives.

Developers with Canonical, the company that oversees the Linux distribution, announced the updates on Tuesday, encouraging users to install the latest OpenSSL package versions depending on which distribution they’re running.

The updates resolve several of the vulnerabilities fixed by the cryptographic library OpenSSL last Thursday.

Three of the vulnerabilities fixed were rated “medium” severity by OpenSSL’s maintainers, as they could lead to several outcomes, including a timing attack, a denial of service, and the potential recovery of private keys by an attacker.

One issue (CVE-2016-7056) was tied to the fact that OpenSSL didn’t properly use constant-time operations when it performed Elliptic Curve DSA (ECDSA) signing with the P-256 curve. Because of this, at least on Ubuntu 12.04 LTS and Ubuntu 14.04, an attacker could have performed a timing attack to recover private keys.

OpenSSL’s maintainers said last week, when they pushed the updates, that achieving such an attack would be difficult, however.

“Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely,” OpenSSL said. “The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.”

It was discovered that the library also mishandled certain truncated packets, something that could have been exploited to cause a denial of service condition. It also incorrectly performed the x86_64 Montgomery squaring procedure, a defect that could also have been taken advantage of to steal private keys. This issue only affects systems based on the x86_64 architecture, such as Ubuntu 16.04 LTS and Ubuntu 16.10, however.

The rest of the fixes were relatively small potatoes and all marked “low” severity.

Another separate, less pressing issue (CVE-2016-7055) also affected how OpenSSL handles Montgomery multiplication and could lead to what Ubuntu calls “transient failures.”

The update also fixes an issue in which OpenSSL used “undefined behavior when performing pointer arithmetic,” and another in which it incorrectly handled certain warning alerts. A remote attacker could exploit both vulnerabilities to cause a denial of service, according to Ubuntu’s advisory.

Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS and Ubuntu 12.04 LTS are all considered vulnerable until updated, the advisory warns.

The OpenSSL patches came just days after news surfaced that despite being patched three years ago, almost 200,000 servers and devices are still vulnerable to Heartbleed. The numbers came via analysis gathered by the search engine Shodan, a service that searches open ports for vulnerabilities.

According to the report roughly 52,000 Apache HTTPD servers remain vulnerable, in addition to 6,380 Amazon Web Services devices, and 4,330 Verizon Wireless devices.

The encryption library is used in a slew of devices and software; it’s up to each vendor when it wants to patch vulnerabilities however.

Cisco issued a security advisory around the vulnerabilities on Monday, as many of its products incorporate OpenSSL packages. The company is not yet sure exactly which software is affected by the vulnerabilities but says it is conducting an investigation into nearly 200 different products to determine whether they’re affected.





Mobile security company Zimperium said Tuesday that it will start buying exploits, but in a departure from most other programs, it will not be buying zero-days.

The company’s N-Days Exploit Acquisition Program will pay researchers from a pool of $1.5 million for exploits targeting vulnerabilities in Android and iOS that have already been patched.

Zuk Avraham, founder of Zimperium, said the program will not only serve to train the company’s core internal Z9 machine learning engine, but also encourage and reward exploit writers to develop proof-of-concept exploits that could nudge carriers and handset makers to improve patch delivery to devices.

“We are not an exploit acquisition company; we don’t do offensive stuff. We get the same value from our perspective working on N-days,” Avraham said. “Right now N-days are worth zero. We are going to help create value for vulnerabilities that sell for zero and make them worth more than that.”

Avraham said exploits for iOS 8 and later, and Android 4.0 and later, will be eligible for the program. Exploits from the program will be first delivered to Zimperium partners and members of its Zimperium Handset Alliance, which includes some large mobile manufacturers such as Samsung and BlackBerry. Within three months, the exploits will be publicly released. Members of Zimperium’s Zlabs research team will evaluate submissions and determine payouts on a case-by-case basis.

“These things need to be shared in order for the community to get better and safer,” Avraham said, pointing to other exploit acquisition programs that do not share exploits publicly. “We have to change that; that’s what triggered creation of this program.”

Having a working proof-of-concept exploit, Avraham said, should add urgency, especially on the Android side of the equation, for handset makers and carriers to deliver patches and improve the overall security of the ecosystem. Exploits coming out of the program, for example, put more PoCs in the hands of industry, some of which could be hesitant to deliver timely patches without working public exploits, Avraham said.

“Android got better, and much safer if you’re on the latest version, but only .5 percent are on the latest version unfortunately,” Avraham said.

One glance at the monthly Android Security Bulletins will show you the multitude of vulnerabilities Google regularly assesses and remediates for the mobile operating system. And while Google patches its Nexus phones in over-the-air updates, that process represents only a percentage of the mobile market running devices at current patch levels.

The Android ecosystem still lags overall on comprehensive patching, and it’s not alone: while Apple regularly pushes updates to its devices, it still relies on users to download and install them.

“We are not there yet, and we can get better,” Avraham said, conceding the improvements made since the initiation of the monthly Android patch releases from Google in particular and the number of critical bugs in Mediaserver and Stagefright that have been found and patched. “It’s gotten better, but it’s still very challenging work.”

Avraham said the program is scheduled to run at least one year, but depending on whether it’s successful, it could be extended.

“With this program, we thought we would get creative, support the community and do something different for once,” Avraham said.


NCSC - Weekly Threat Report 20th January 2017

This report is drawn from recent open source reporting.

Password security

In November 2016, a study of user passwords exposed by a Yahoo data breach revealed that "123456" was the most common password, followed closely by "password" at number two. A more recent report on the most commonly used passwords revealed that "123456" was still number one, followed by the 'more complex' "123456789".

These reports highlight ongoing problems associated with conventional password policies, which tend to promote the use of complicated passwords that are harder for attackers to discover, but which also place greater burdens on users. This approach may therefore be counterproductive, leading users to opt for simple password strategies, which will also be easy for attackers to guess or brute force. In many cases, imposing technical controls such as blacklisting the most common passwords is a far more effective measure.
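A deny-list check of the kind the report recommends, as an added example that is not NCSC code: it rejects a password when any guesser-style normalisation of it (case folding, trailing digits and symbols stripped, common leet substitutions decoded) matches a list of known-common passwords, with a plain length floor in place of composition rules. The list contents, the substitution table and the minimum length are assumptions.

```python
"""Deny-list password check, the technical control the report recommends over
complexity rules. Added example, not NCSC code; the deny-list is a tiny
constructed sample seeded with the passwords named in the report."""
import re

# Constructed sample; a real deployment loads a large breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "123456789", "qwerty", "letmein"}
# Substitutions guessing tools undo, so "P@ssw0rd" is treated as "password" (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i"})
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")

def variants(password):
    """Forms of the password a guesser would try: case-folded, with trailing
    digits/symbols stripped, and with leet substitutions decoded."""
    lowered = password.lower()
    stem = TRAILING_JUNK.sub("", lowered)
    forms = {lowered, lowered.translate(LEET)}
    if stem:
        forms.update({stem, stem.translate(LEET)})
    return forms

def is_common(password, denylist=COMMON_PASSWORDS):
    """True if any normalised form of the password appears on the deny-list."""
    return any(form in denylist for form in variants(password))

def check_password(password, denylist=COMMON_PASSWORDS, min_length=8):
    """Return (accepted, reason). A length floor plus the deny-list replaces
    composition rules that push users towards predictable patterns."""
    if len(password) < min_length:
        return False, "too short"
    if is_common(password, denylist):
        return False, "matches a common password"
    return True, "ok"
```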

Mobile forensics company hacked

The Israeli mobile forensics company, Cellebrite, reports that it has become the latest in a long line of companies to have its data hacked and published online. Cellebrite is a major supplier of forensic tools to law enforcement and other security organisations worldwide. Cellebrite states that it experienced 'unauthorised access to an external web server' and that it is known the information accessed includes 'basic contact information' and 'hashed passwords'. The company advises users to change their passwords as a precaution.

The company's investigation is ongoing. Without commenting on the specifics of this case, the compromise highlights the broader issue that companies must ensure that they protect themselves and customers in a way commensurate to the threat that they face and the sensitivity of the data that they hold. Reporting data breaches is to be strongly encouraged, enabling those affected to take appropriate action, such as changing passwords.
