Where Have All The Exploit Kits Gone?

The bloom is off exploit kits.

Once a mainstay for cybercriminals, attacks tied to exploit kits have now dried up to just a trickle. For sure, they haven’t gone away. But researchers say Angler, Neutrino and Nuclear, kits that once dominated the threat landscape, are gone; usurped by new threats and a resurgence in old ones.

“When we compare exploit kit activity from January to December of 2016 there’s a drop of 300 percent in activity. That’s primarily due to these EKs dropping off the face of the Earth,” said Karl Sigler, threat intelligence manager at Trustwave.

Exploit kits are a type of malicious toolkit chockfull of pre-written exploits for targeting various browser plugins such as Java and Adobe Flash. Kits are planted on booby-trapped sites or can be used in malvertising campaigns and spring into action if they can detect a vulnerability in a visitor’s browser or web application.

In their heyday Angler, Magnitude, Neutrino, and Nuclear exploit kits accounted for 96 percent of exploit kit activity at the end of 2015, according data from security firm Infoblox. Today, exploit kits are mostly dormant and development has gone stagnant.

Where did they go and why?

Arrests Send Crooks Scurrying

Some credit the downturn in exploit kit activity in 2016 to high-profile arrests of members of cybercrime outfits such as Lurk, who were behind the Angler Exploit Kit. In the case of Lurk, dozens of hackers were arrested across Russia in June 2016.

According to a detailed report by Kaspersky Lab on the takedown, the gang controlled Angler’s infrastructure and development, and was behind its distribution. At the time, Angler was one of the most notorious exploit kits on the Internet.

“The arrests of Lurk and the subsequent demise of Angler was not the single event that triggered exploit kit gangs to go dormant. But looking back, it’s hard not to assume that others behind Neutrino and others didn’t see this as a harbinger,” said Deepen Desai, senior director of research and operations at Zscaler.

But even before the Lurk arrests, the Nuclear crew had all but shut down its operation in the May and June timeframe. That followed an in-depth analysis of the gang’s malware-as-a-service infrastructure by Check Point researchers.

The third nail in the coffin for the dominant exploit kits was the decline of Neutrino. It abruptly shut down in September following a joint Cisco and GoDaddy operation in which a large number of malvertising campaigns spreading the exploit kit were shuttered.

Patrick Wheeler, director of threat intelligence at Proofpoint, notes that exploit kit activity declined 93 percent between January and September last year, but says it hasn’t stopped altogether.

Wheeler said after Nuclear and Angler went dormant, criminals behind exploit kits have downsized and gone deeper underground focusing on private development and smaller campaigns. Such is the case with Magnitude, RIG, and Sundown, he said.

Strong Offense and Even Better Defense

It hasn’t been just a strong offense credited for pointing exploit kit gangs back into the shadows. A number of researchers credit a strong defense.

“Crimeware tools are only as good as their target’s defenses,” said Amol Sarwate, director of engineering at Qualys. He said recent efforts to fortify Microsoft’s browsers, Adobe’s Flash and Oracle’s Java browser components against exploit kit activity have paid off.

“There used to be a lot of low hanging fruit,” he said. “For now, that’s not the case.”

“Adobe Flash has been the top target for exploit kits such as RIG and Angler for a long time. Out of more than 3 billion scans that Qualys performs each year we saw that in 2016 Adobe flash vulnerabilities were patched about 40 percent faster as compared to the prior year. This implies that the industry is doing a better job with patching Flash, and although Flash is not dead it is being fixed more quickly,” according to a 2016 Qualys analysis.

Oracle has also taken steps to defend against crimeware used in exploit kits. Last year, the makers of Java announced it was pulling the browser plugin from the next desktop version of Java (Java JRE 9). That meant Java software will no longer plug directly into the user’s Web browser, reducing the number of browser attacks that target outdated Java plugins.

“As much as I’d like to say it’s one thing that we did, it wasn’t,” said Peleus Uhley, lead security strategist within Adobe’s Secure Software Engineering Team. He said work with Microsoft and Google has paid off, especially when it comes to mitigating memory-corruption bugs, a class of vulnerability frequently exploited by exploit kits. Uhley said Control Flow Guard, a memory corruption security technology baked into Windows 10, has been an effective tool at mitigating use-after-free attacks, which became a favorite crimeware exploit once ASLR and DEP put a damper on buffer overflow attacks.

“It’s a cumulative effort on our part and the security community. Nobody is resting on their laurels. The attackers continue their development and so will we,” Uhley said.

Crooks Try Different Tactics

Cybercriminals have continued to develop new delivery mechanisms for planting their malicious payloads on targeted systems. But, the focus isn’t currently on exploit kits, rather social engineering-based attacks, said Ryan Olson, intelligence director at Unit 42 of Palo Alto Networks.

“It’s not as if criminals have thrown in the towel,” Olson said. “A big component in a drought of exploit kit development has been the rise of Office macros used to deliver malware. For the past year we just have seen a continuous increase of macro document-based attacks replacing a lot of what exploit kits used to do,” he said.

Locky ransomware, Dridex banking Trojans and Gootkit Trojan information stealers all used to be distributed mainly via exploit kits and are now being spread primarily via spam, phishing and spear phishing campaigns.

“What we are finding it’s much easier to use social engineering to trick people into installing malware than to exploit a vulnerability,” said Proofpoint’s Wheeler. “What attackers have done is replaced the automated exploit with (socially engineered) ploys to get people to click.”

That type of social engineering has moved beyond the inbox as well, Wheeler said. “We saw attackers trying to trick Google Chrome users to install ‘Chrome Font’ malware on compromised websites,” Wheeler said. Instead of being attacked via an exploit kit, attackers presented visitors with a fake prompt to install a Chrome plugin called “Chrome Font” that was actually a type of ad fraud malware known as Fleercivet.

While spam-based ploys that enlist social engineering tricks may seem like a crude alternative to exploit kits, Trustwave’s Sigler says they aren’t. “Social engineering attacks have always been popular, especially in phishing attacks. However, I would not say that social engineering attacks are any cheaper or easier to use. Good social engineering attacks require research if it’s a targeted attack or infrastructure like a spam botnet if it’s more of an opportunistic attack,” he said.

In June, Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks. In December, attackers revived the old spamming technique known as hailstorm and leveraged the Necurs botnet to spread both the Dridex banking malware and Locky ransomware via malicious Word documents.

Despite being a fairly archaic attack vector, it’s managed to work for attackers, said researchers.

Gangs Quietly Regroup

Meanwhile, new exploit kits are quietly under development. One example of this is an exploit kit called DNSChanger, spotted in December and being distributed via malvertising. Researchers at Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn’t target browsers, rather a victim’s router.

Through a complex series of steps, DNSChanger is able to decrypt the target’s router fingerprints to determine if a target is using a vulnerable model. “Once it performs the reconnaissance functions, the browser will report back to the DNSChanger kit which returns the proper instructions to perform an attack on the router,” according to Proofpoint. The goal: open ports on the router for malicious purposes.

New exploit kits also continue to surface, such as the Terror EK, identified by Zscaler earlier this year. Terror is an example of a newer exploit kit cobbled together from pieces of other exploit kits such as Sundown and Hunter, according to Zscaler.

Zscaler’s Desai notes that Terror is typical of newer exploit kits. “It’s smaller, more customized and their target is much more defined and they have chosen a very specific geographic area to target,” he said.

Other innovations Zscaler has spotted include more kits serving their landing pages and gates over SSL to get past network appliances. Desai notes newer exploit kits are also adding more anti-analysis fingerprinting code to avoid being detected in sandboxed environments.

“Exploit kits still pose a significant threat. There is nothing new about exploit kit authors hiding their activities and frequently changing tactics,” Desai said. “There is no reason to believe we won’t see a resurgence of exploit kits in the future. The question is when.”




Patch Tuesday Returns; Microsoft Quiet on Postponement

Patch Tuesday returned today as expected after last month’s postponement with a giant release of fixes that includes patches for vulnerabilities disclosed and exploited since the last set of updates in January.

Microsoft, however, was relatively silent on the reasons why the February updates were suddenly yanked at the last-minute. The company pushed out a brief blog post last month that explained there was an issue that could impact customers that could not be resolved in time.

Today, a Microsoft representative sent a less-than-satisfying response to a request for an interview or comments on last month’s postponement: “Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. We extensively test our updates prior to release and are confident that our systems are working as expected and the issue that delayed the February updates is resolved.”

Since the January updates, Google’s Project Zero research team had publicly disclosed details and proof-of-concept exploits for two vulnerabilities, a code execution flaw in Microsoft’s Edge and Internet Explorer browsers, and a memory leak issue in the Windows GDI library. Another flaw in the SMB file-sharing protocol was also publicly disclosed after it was discovered the original patch released last year for the bug was incomplete. The Department of Homeland Security released an advisory upon disclosure of the SMB bug, a memory corruption issue which could crash Windows systems.

The worry expressed by a number of experts centered on the time users were exposed and the public availability of proof-of-concept code accelerating in-the-wild attacks.

“While there may not be active campaigns to exploit these issues today, the clock does appear to be ticking,” said Tod Beardsley, senior research director at Rapid7 in a Feb. 23 interview with Threatpost.

Among today’s 18 security bulletins, eight were rated critical, including separate bulletins for Edge and IE that patched the two Google-disclosed bugs. MS17-006 patches 12 vulnerabilities in IE, including CVE-2017-0037—which is also patched in Edge—disclosed by researcher Ivan Fratric, who privately disclosed the flaw to Microsoft last Friday and expressed surprise the company was not able to patch it sooner. The flaw is a type-confusion bug in Edge for Windows 10 and in IE 11 that allows for arbitrary code execution.

Microsoft said four other bugs addressed in the IE bulletin were also publicly disclosed, a privilege escalation flaw (CVE-2017-0154), an information disclosure bug (CVE-2017-0008) and two browser spoofing vulnerabilities (CVE-2017-0012 and CVE-2017-0033).

The Edge bulletin, meanwhile, patched 32 vulnerabilities, with four of the same bugs patched in the IE bulletin. Eighteen memory corruption vulnerabilities were patched in the Edge scripting engine alone, while three browser spoofing issues were publicly disclosed (CVE-2017-0012 and CVE-2017-0033 as in IE, and CVE-2017-0069). The Edge bulletin patches remote code execution, elevation of privilege, information disclosure and security feature bypass vulnerabilities.

The disclosed Windows GDI library vulnerability (CVE-2017-0038) was patched in MS17-013; the bug discloses data through memory and was disclosed by Google engineer Mateusz Jurczyk. Microsoft originally patched this issue in June 2016, but the fix was incomplete. The GDI bulletin patches 20 CVEs overall.

In Jurczyk’s proof-of-concept exploit, multiple bugs related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF (Enhanced Metafile Format) records created conditions where “255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space,” the researcher said.

The SMB vulnerability, meanwhile, was patched in MS17-012, one of six vulnerabilities addressed in the bulletin. The denial-of-service vulnerability was privately disclosed Feb. 2 by researcher Laurent Gaffie, who found the flaw in SMB 2.0 and 3.0.

“The vulnerability is due to improper handling of certain requests sent by a malicious SMB server to the client,” Microsoft said in the advisory. “An attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted.”

In addition to Gaffie’s original proof-of-concept exploit, other researchers quickly found ways to use it in attacks.

Gaffié’s proof of concept relies on tricking a victim to connect to a malicious SMB server instance, something that could prove challenging for an attacker. Experts with Dell SecureWorks said that it could be more effective for attackers to combine Gaffié’s attack with a redirect to SMB vulnerability from 2015 to crash a victim’s machine.

There are four other bulletins available today rated critical:

MS17-008: Microsoft also patched Hyper-V, the native hypervisor running on Windows that can create virtual machines, addressing 11 vulnerabilities, including four that could allow for code execution, along with a handful of information disclosure and denial-of-service bugs.

MS17-009: Microsoft patched a remote code execution vulnerability in the Windows PDF Library. The memory corruption issue allows an attacker to run arbitrary code on the underlying system; on Windows 10 with Edge as the default browser, an attacker could exploit the flaw by tricking a user into visiting a website hosting attack code.

MS17-010: Microsoft patched a half-dozen flaws in the Windows SMB Server, five of which allow for remote code execution because of the way the server handles certain requests. A malicious packet sent to an SMBv1 server could trigger the vulnerability. The bulletin also addresses a separate information disclosure issue.

MS17-011: Microsoft patched 29 vulnerabilities in Uniscribe, a Windows service used to render Unicode. Most of the vulnerabilities are information disclosure issues, but the bulletin also includes patches for eight remote code execution flaws.




Threatpost - Adobe Fixes Six Code Execution Bugs in Flash

Adobe on Tuesday patched seven vulnerabilities in Flash Player, six that could lead to code execution. The company said it isn’t aware of any of the vulnerabilities being exploited in the wild but is still encouraging users to update Flash for Windows, Macintosh, Linux and Chrome OS.

The vulnerabilities exist in versions and earlier of Flash, according to a security bulletin issued by the company Tuesday morning. 

Adobe is warning the six bugs–a buffer overflow vulnerability, two memory corruption vulnerabilities, and a trio of use-after-free vulnerabilities–could be exploited to trigger code execution. The lone bug that doesn’t lead to code execution stems from a random number generator vulnerability. That vulnerability, dug up by two researchers at Nanyang Technological University in Singapore, Wang Chenyu, and Wu Hongjun, could lead to information disclosure if exploited.

Users can apply the update,, through the usual distribution channels. Google Chrome and Microsoft Edge and Internet Explorer 11 users will receive the updates automatically. Devotees of Flash Player Desktop Runtime for Windows, Macintosh and Linux are being urged to update via the program’s update mechanism.

Adobe also shipped an update for Shockwave Player for Windows on Tuesday.

Versions and earlier of the multimedia software plugin contained a vulnerability that if exploited could lead to escalation of privilege, a security bulletin warned. The vulnerability stemmed from Shockwave’s directory search path. The patched version,, is available at Adobe’s Shockwave Player Download Center.

Adobe has stuck by its usual Patch Tuesday patching schedule so far in 2017.

In January it pushed out 13 patches, 12 that could have led to remote code execution; in February the company patched 13 vulnerabilities, all which could have led to code execution in the software.

With this year’s iteration of Pwn2Own, the annual hacking challenge held in tandem with CanSecWest in Vancouver, set to kick off tomorrow it could be only a matter of days until Adobe releases a set of emergency updates for Flash.

Hackers took down Flash on the first day of Pwn2Own last year and earned $13,000 in the process. One group of hackers combined a type confusion bug in Flash with a Windows kernel bug while another group exploited an out-of-bounds bug in the platform and chained it together with an infoleak in Windows kernel.

For this year’s contest competitors can earn $50,000 for exploiting Flash in Microsoft Edge and another $30,000 if their exploit achieves SYSTEM-level code execution.




Threatpost - Google Chrome 57 Browser Update Patches ‘High’ Severity Flaws

Google released an updated version of its Chrome browser on Thursday to fix nine high-severity vulnerabilities that if exploited could allow adversaries to take control of targeted systems. As part of the update, Google thanked nearly two dozen bug hunters with bug bounty payments totaling $38,000.

Topping the list of vulnerabilities patched are: a memory corruption flaw in the V8 JavaScript engine, a use-after-free bug found in Google’s Almost Native Graphics Layer Engine, and an out-of-bounds write flaw found in the PDFium component of the Chrome browser.

Google said its Chrome version 57.0.2987.98 update for Windows, Mac and Linux includes a number of fixes and improvements, and will roll them out over the coming days and weeks. Beta Chrome 57 was introduced in February and included new features such as CSS grid layout, an improved add-to-home-screen flow and the Media Session API. Chrome 57.0.2987.98 was released to Google’s Stable channel, which means the software is fully tested by the Chrome OS team.

In November, Google said it removed support for SHA-1 certificates in Chrome 56, but would distinguish between certificates chained to a public Certificate Authority and those chained to local CAs. However, with the introduction of Chrome 57, released to the Stable channel in March, Google said at the time, “Features which require a secure origin, such as geolocation, will continue to work, however pages will be displayed as ‘neutral, lacking security.’ Without this policy set, SHA-1 certificates that chain to locally installed roots will not be trusted starting with Chrome 57.”

Google did not mention the additional SHA-1 notification feature Thursday with the rollout of Chrome 57.0.2987.98. However, it said more information regarding Chrome 57 is pending via its Chrome and Chromium blog.

The Chrome security holes were disclosed to Google’s Chromium Project and its bug bounty program. The largest bounty, $7,500, was paid to researcher Brendon Tiszka for the memory corruption flaw (CVE-2017-5030) in the V8 JavaScript engine.

The second highest bounty of $5,000 was paid to researcher Looben Yang for the use-after-free bug (CVE-2017-5031) found in Google’s Almost Native Graphics Layer Engine.




Threatpost - Hundreds of Thousands of Vulnerable IP Cameras Easy Target for Botnet, Researcher Says

A researcher claims that hundreds of thousands of shoddily made IP cameras suffer from vulnerabilities that could make them an easy target for attackers looking to spy, brute force them, or steal their credentials.

Researcher Pierre Kim disclosed the vulnerabilities Wednesday and gave a comprehensive breakdown of the affected models in an advisory on his GitHub page.

Kim said the vulnerabilities exist in a mass-produced Chinese IP camera called the Wireless IP Camera (P2) WIFICAM. While the cameras more or less physically look the same, vendors resell them with custom software, Kim said, which is where vulnerabilities appear to have been introduced.

The issues are largely tied to an embedded web server that’s used in each camera. While Kim cautions the web server software, GoAhead, isn’t vulnerable, the OEM vendor who implemented it in each camera is likely responsible for introducing vulnerable code.

According to Kim, who conducted a search for the web server on Shodan, nearly 200,000 cameras should be considered vulnerable. While the bulk of the cameras are based in China, roughly 18,000 are based in the U.S., according to the search engine.

“I advise to IMMEDIATELY DISCONNECT cameras to the Internet,” Kim wrote, “Hundreds of thousands cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.”

The “Cloud” protocol Kim refers to is a functionality, enabled by default, on what he purports to be millions of IP cameras. The protocol is essentially a set of clear-text UDP tunnels that an attacker could use to send HTTP requests to cameras through.

An attacker could brute force requests and as soon as a camera registers a request as valid, the attacker could fetch the credentials. From there, any future HTTP requests would be sent to .CGI files hosted by the camera.

Since many of the cameras use the same protocols and the infrastructure seems to be managed by a single entity, Kim hints that it could be only a matter of time until someone writes proof-of-concept botnet code, a la Mirai, to ensnare them all.

“This ‘cloud’ protocol seems to be more a botnet protocol than a legit remote access protocol,” Kim writes.

A faulty cloud management protocol is really just the tip of the iceberg when it comes to the cameras however.

Another, potentially worse outcome, which affects 1,250 camera models, could come if an attacker chained together a series of vulnerabilities. Because of the way the custom HTTP server is set up on some cameras, an attacker could bypass authentication to steal credentials, FTP accounts, and SMTP accounts. By combining that with a remote code execution bug that exists in the camera’s FTP CGI file, an attacker could execute remote commands against the cameras. Because the issue is a pre-auth remote code execution vulnerability, an attacker could execute commands from the local area network or via the internet.

Kim claims the exploit–which he posted proof of concept code for–could also extract valid credentials and allow an attacker to execute a payload.

Since some of the camera servers lack authentication, attackers could also stream content from some cameras via TCP port 10554. Because telnetd is running on some cameras, a backdoor account exists as well, Kim claims.

It’s the second backdoor to be identified in an IP-connected camera product line this week. On Monday an independent security researcher disclosed a backdoor he discovered in a collection of CCTV and IP cameras made by Dahua Technology. The company is urging owners to apply firmware updates it began pushing out the same day.

After getting in touch with Embedthis Software, the makers of GoAhead, Kim was able to clarify this week the vulnerabilities weren’t in the web server software and instead stemmed from the vendor-installed proprietary software. Because of the sheer number of vendors, however – almost 400 in total – Kim wasn’t able to contact them all. In lieu of a fix, the researcher is encouraging owners to discontinue use of the cameras.

Kim, who’s based in the Ivory Coast, has demonstrated a knack for unearthing vulnerabilities, mostly in routers, over the years. The researcher discovered a backdoor, backdoor accounts, and a default Wi-Fi Protected Setup PIN in a router made by D-Link last year. He previously discovered backdoors, hardcoded SSH keys, and a handful of remote code execution bugs in routers by TP-Link, Quanta, Huawei, and Totolink as well.




Threatpost - Senator Demands Answers About CloudPets Breach

A U.S. senator has called Spiral Toys onto the carpet for its data security practices in light of the recent CloudPets breach.

Sen. Bill Nelson (D-FL), a ranking member of the Committee on Commerce, Science and Transportation and backer of a 2016 report on security and privacy concerns related to children’s toys, sent a letter to Spiral Toys CEO Mark Meyers. Nelson’s letter includes 10 questions he wants Meyers to address by March 23, most of which concern the toy maker’s data collection processes, how they’re secured and whether the system was compliant with the Children’s Online Privacy Protection Act (COPPA), which requires companies to secure personal information collected from children.

“The breach of Spiral Toys raises serious questions concerning how well your company protects the information it collects, especially information collected from children,” Nelson wrote.

Nelson’s report released last year was in response to the 2015 breach of VTech, which exposed the personal information of six million children. Nelson told Meyers that the VTech attack “should have served as a wakeup call for toymakers who were not adequately protecting the consumer information they collect.”

Specifically, Meyers is to provide Congress with a summary of the breach that includes details, not only on the data that was accessed, but when and how consumers were notified, security measures in place to protect against intrusions, whether the company had a security officer in place prior to the attack, and policies to control data collection. Nelson also wants to know whether the company discloses to customers that it collects personal information, whether that data is shared or sold to third parties, and specific security questions about controls and procedures in place to protect data, and whether the company had been breached before.

News broke of the CloudPets breach on Feb. 27 after researchers Troy Hunt and Victor Gevers independently and privately disclosed in December that millions of private messages sent through the internet-connected toy were exposed online, along with personal information of more than 800,000 registered users.

The company failed to acknowledge numerous attempts to reach a Spiral Toys security rep as well as Meyers, prompting the public disclosure two weeks ago.

The breach was related to a spate of attacks against MongoDB instances in which attackers were able to find and access the databases and in many cases, copy and delete the data, leaving behind ransom notes asking for money in exchange for the return of the stolen data.

The private recordings, many of which were made by children and meant for family members or others authorized to receive them, were not stored in the stolen database. But the database did contain reference file paths to the message files which were stored on an Amazon Web Services S3 storage bucket.

“The database contains the business logic to let application work. The database contains the metadata that links (like a ledger) to the random generated files in the AWS bucket system,” Gevers told Threatpost on March 1. “By knowing the paths to the files, you extract the data like that. So if you can write to the database you could change the ledger and point to other URLs.”

The database, Spiral Toys said in a notification letter it sent to California’s Attorney General, did include emails and encrypted passwords, which Hunt counters were not encrypted, but were hashed with bcrypt. Combined with a nonexistent password strength rule on Spiral Toys’ part, the hashed passwords could easily be cracked, Hunt said.

Nelson, meanwhile, was also critical of Spiral Toys’ lax security.

“Because Spiral Toys created no requirements for password strength, the hackers could have easily cracked many passwords by simply checking the data against common passwords,” Nelson wrote. “This information could then be used to access and download the private voice recordings of children and parents.”
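The two failings Hunt and Nelson describe above, a password store without any strength rule and a hash that is therefore only as strong as the user's choice of password, can be illustrated with a small registration routine. The following is an added example, not code from Spiral Toys or from Hunt's research; it assumes a short constructed list of common passwords, uses hashlib.scrypt from the Python standard library as a stand-in for bcrypt (both are deliberately slow, salted password hashes), and includes a defender-side audit that counts how many guesses from a common-password list it takes before a stored hash is matched.

```python
import hashlib
import hmac
import os

# Constructed sample of common passwords; real lists used in audits are far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "cloudpets", "welcome1"}
MIN_LENGTH = 12

def check_strength(password: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash; scrypt stands in for bcrypt here (assumption: bcrypt not in stdlib).
    Stored form is '<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.split("$")[1], digest_hex)

def register(password: str) -> str:
    """Enforce the strength policy before anything is hashed and stored."""
    problems = check_strength(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)

def audit_against_common_list(stored: str, candidates: list):
    """Defender-side audit: number of guesses from a common-password list needed to
    match a stored hash, or None if the list does not contain it. A small number here
    is exactly the exposure Nelson describes."""
    for guesses, candidate in enumerate(candidates, start=1):
        if verify_password(candidate, stored):
            return guesses
    return None

if __name__ == "__main__":
    weak = hash_password("password")          # what a store with no policy would hold
    print("weak hash matched after", audit_against_common_list(weak, sorted(COMMON_PASSWORDS)), "guesses")
    strong = register("Correct-Horse-Battery-9")
    print("strong hash matched:", audit_against_common_list(strong, sorted(COMMON_PASSWORDS)))
```

The audit only tells you how far a common-password list gets against a given hash; a slow hash like bcrypt or scrypt raises the cost per guess, but it cannot rescue a password that appears near the top of every wordlist, which is why the strength check runs before hashing rather than as an afterthought.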

It’s likely the attack against the CloudPets data was random and targeted exposed MongoDB instances generally. Spiral Toys said the database in question belonged to a contracted third party that was performing a migration on behalf of the company. Spiral Toys said this was a temporary scenario, and as a result, it never received a ransom demand. The company also denied knowing about the breach until Feb. 22.

In the meantime, the case highlights the risks to data belonging to children, something that Nelson has been prominent in demanding protection for.




Threat Post - Confide Updates App After Critical Security Issues Are Raised

The maker of the popular messaging app Confide said Wednesday that it has patched multiple security vulnerabilities that could have allowed hackers to intercept messages sent using its secure end-to-end messaging platform.

The flaws were identified in two separate reports, both released Wednesday, by security firms IOActive and Quarkslab. Both allege there are critical security vulnerabilities in versions of Confide’s encrypted messaging app, including version 4.0.4 for Android and 1.4.2 for Windows and OS X.

The security of Confide’s platform has taken center stage ever since reports surfaced last month that senior White House staff, including press secretary Sean Spicer, were using the app. Confide claims to offer “battle tested, military grade encryption.” According to Google Play, the Android app has been installed between 100,000 to 500,000 times.

Researchers with IOActive said Confide suffered from a bevy of security vulnerabilities including:

  • Confide’s notification system did not require a valid SSL server certificate to communicate, therefore opening the door for an attacker to perform a man-in-the-middle attack.
  • The app lacked sufficient notifications when unencrypted messages were sent and received.
  • The application failed to have adequate protections to prevent brute-force attacks on user account passwords.
  • Confide’s website was vulnerable to an arbitrary URL redirection, which could facilitate social engineering attacks against its users.

IOActive also raised issues with Confide’s handling of public keys.

“Confide failed to provide a participant fingerprint authentication mechanism, allowing Confide to conduct man-in-the-middle attacks on encrypted messages by changing the public keys sent to parties of a conversation,” wrote IOActive researchers Mike Davis, Ryan O’Horo and Nick Achatz, who co-authored the report.

Quarkslab also took issue with some of the security vulnerabilities highlighted by IOActive, and singled out the way Confide handled public and private encryption keys.

“The most obvious problem… is linked to the fact that the encrypted message origin and the authenticity of the public encryption key transmitted by the server can in no way be verified by the client,” wrote Jean-Baptiste Bédrune, security researcher with Quarkslab.

“The Confide server could generate its own key pair and transmit the public part to a client when the latter requests the public key of a recipient (we only note that Confide is able to do so, not that it does so). This client then unknowingly encrypts a message that can be decrypted by the server. Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient,” Bédrune wrote.

Similar public key concerns were raised earlier this year when researchers commented on how WhatsApp and earlier versions of iMessage handled key change notifications. In February, Jonathan Zdziarski, an independent security researcher and forensics expert, wrote about Confide’s key exchange approach.

“What seems different about (Confide) encryption is that it appears to regenerate the public key under certain circumstances. It’s unclear why, but unlike Signal and WhatsApp, which consider it something to alert you about if your public key changes, Confide appears to consider this part of its function. Key exchange is always the most difficult part of good encryption routines. Depending on whether or not Confide is able to detect this and warn the user, it’s possible (although not confirmed) that the application could be susceptible to the same types of man-in-the-middle attacks that we’ve seen theorized in WhatsApp (if you leave the alerts off) and iMessage,” Zdziarski wrote.

Bédrune said the confidentiality of the exchanged messages depends on the robustness of TLS.

“Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass,” he said.
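The substitution both reports describe, and the fingerprint check that defeats it, as an added example (not Confide’s code or protocol). It models the exchange with static Diffie-Hellman over a deliberately tiny prime and a SHA-256 keystream in place of real primitives; the directory server, user names and message are all constructed. With no fingerprint check the server reads and re-encrypts the message unnoticed; a client that pins the fingerprint it learned out of band refuses the substituted key.

```python
"""Toy model of the key-distribution weakness described above: the client fetches
a recipient's public key from the server and has no way to check it, so a
server that hands out its own key can read and re-encrypt every message.
Added example; Confide's real protocol is not shown here. DH over a small
prime plus a SHA-256 keystream stand in for the real primitives."""
import hashlib
import secrets

P = (1 << 127) - 1   # toy 127-bit Mersenne prime: demo only, far too small for real use
G = 2


def keygen():
    """Static Diffie-Hellman key pair (private scalar, public element)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short digest of a public key that two users can compare out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def shared_key(priv, other_pub):
    return hashlib.sha256(pow(other_pub, priv, P).to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks. Demo only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_scenario(verify_fingerprint):
    """Alice sends Bob a message through a directory server that lies about Bob's key.
    verify_fingerprint=False models a client with no fingerprint check (the
    behaviour IOActive and Quarkslab criticised); True models a client that pins
    the fingerprint it learned out of band and refuses a key that does not match."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    srv_priv, srv_pub = keygen()                # key pair held by the malicious server
    pinned_bob = fingerprint(bob_pub)           # obtained out of band, e.g. compared in person

    def directory_lookup(user):
        # Bob's real key is registered, but the server substitutes its own.
        return srv_pub if user == "bob" else None

    result = {"client_detected_substitution": False,
              "attacker_read_plaintext": False, "bob_got_plaintext": False}
    plaintext = b"meet at 9, bring the file"   # constructed message

    served_key = directory_lookup("bob")
    if verify_fingerprint and fingerprint(served_key) != pinned_bob:
        result["client_detected_substitution"] = True
        return result                            # refuse to encrypt to an unverified key

    # Alice encrypts to whatever key the server returned.
    ciphertext = xor_stream(shared_key(alice_priv, served_key), plaintext)

    # The server knows Alice's registered public key and its own private key, so it
    # derives the same shared key, reads the message, and re-encrypts it for Bob.
    recovered = xor_stream(shared_key(srv_priv, alice_pub), ciphertext)
    result["attacker_read_plaintext"] = recovered == plaintext
    relayed = xor_stream(shared_key(srv_priv, bob_pub), recovered)

    # Bob, equally unable to verify the sender key, decrypts with the server's key
    # believing it to be Alice's. Nothing in the exchange reveals the interception.
    result["bob_got_plaintext"] = xor_stream(shared_key(bob_priv, srv_pub), relayed) == plaintext
    return result


if __name__ == "__main__":
    print("no fingerprint check:", run_scenario(False))
    print("pinned fingerprint:  ", run_scenario(True))
```

The point of the pinned fingerprint is that it is learned through a channel the server does not control; a key-change warning, as Signal and WhatsApp show, is the minimum a client needs so that the user can notice when the served key no longer matches.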

Quarkslab also claims that security features in the Android, iOS and desktop app, such as message deletion and screenshot prevention, can be easily circumvented.

For its part, Confide co-founder Jon Brod told Threatpost via email Wednesday the company was able to fix the issues quickly.

“We were able to detect anomalous behavior and remediate many of the issues during IOActive’s testing in real time starting on February 24. We were able to quickly address the remaining issues after the initial contact and roll out client updates in less than 48 hours. Not only have these issues been addressed, but we also have no detection of them being exploited by any other party. We do acknowledge the findings, but believe that the firm is overstating the severity level of some of them.”

IOActive said it privately disclosed its findings to Confide in February and that Confide fixed the issues and updated the app on March 3, 2017.

Brod did not address the security concerns raised by Quarkslab.

“All the issues have been reported to Confide, and they are working on fixing them. In the meantime, do not consider your conversations to be so well concealed,” Bédrune wrote.


WordPress 4.7.3 Patches Half-Dozen Vulnerabilities

WordPress released a security update on Tuesday that patched a half-dozen bugs, including one that could be chained with the recent REST API endpoint flaw that led to a million website defacements. Given that more than half of WordPress sites have still not updated to a version that fixes that flaw, odds are that we haven’t heard the last of it.

The REST API vulnerability was silently patched in version 4.7.2, yet apparently at least one million sites that did not have automatic updates enabled were attacked. The defacements came quickly after the Jan. 27 release of 4.7.2 and the subsequent disclosure of the issue, as attackers took advantage of unpatched sites to leave behind defacements pointing to spam and phishing sites, such as rogue pharmaceutical solicitations.

According to WordPress statistics, 44.8 percent of sites are on at least version 4.7, meaning that the remainder are exposed to a litany of vulnerabilities addressed in older versions.

Yesterday’s 4.7.3 update included a fix for a cross-site scripting vulnerability privately disclosed by researchers at Sucuri, who also found the REST API bug. Marc Montpas, a researcher with Sucuri, said the new XSS vulnerability was found during research on the REST API flaw and could be triggered through the URL of a YouTube embed. Montpas said the vulnerability could be exploited by users with certain privileges, such as contributors or authors: an attacker could insert malicious shortcodes into a post that would bypass the cross-site scripting protections native to WordPress.

“When an administrator visits the affected post, the XSS payload will execute and may force his browser to perform administrative actions on his behalf, like storing backdoors on the site and creating new administrator accounts,” Montpas told Threatpost. “This vulnerability alone isn’t very risky, because it requires the attacker to have very specific privileges on the site. But combined with the REST API vulnerability we found last month, which basically allowed any visitor to edit a site’s posts, it could have caused quite a mayhem.”

The REST API vulnerability allowed an attacker, with a single request, to access the API and change site content and URL permalinks. The issue lay in the way the REST API resolved the post ID: values supplied in $_GET and $_POST parameters were preferred over the ID matched in the route, and a request whose ID contained letters passed the permission check while still resolving, once cast to an integer, to an existing post. In effect, any unauthenticated visitor could edit a site’s posts.

Researchers at SiteLock said that about 20 different hackers were trying to monetize the defacements with links to rogue pharmaceutical websites.

The REST API endpoint vulnerability was introduced in WordPress 4.7 in December and silently patched in January because of its severity. Since WordPress ships with automatic updates turned on by default, most installations have been updated and secured. Those that have disabled the feature, or on which the update failed, remain vulnerable.

Another cross-site scripting vulnerability that was patched yesterday, one that could be exploited through media file metadata, was originally reported by researcher Chris Andre Dale in December 2014. Researcher Yorick Koster reported the bug again to WordPress which discovered that the original patch only partially addressed the issue, said Aaron Campbell, recently appointed as WordPress’ new lead of security triage and resolution.

“What would happen is that an administrator or author would upload my picture, and I would then have my JavaScript running 100 percent stealthy in their browser,” Dale told Threatpost. His original disclosure explained how an attacker could embed a cross-site scripting payload in the EXIF metadata of a JPEG image.

The remainder of the 4.7.3 update addressed a bug reported by student researcher Daniel Chatfield, who disclosed that control characters could trick redirect URL validation, and an issue where unintended files could be deleted by a site admin using the plugin deletion functionality. Separate cross-site scripting (via taxonomy term names) and cross-site request forgery (in Press This, which could be abused to exhaust server resources) vulnerabilities were also patched.


NCSC - Weekly Threat Report 3rd March 2017

Drone-enabled hacking

An organisation’s most sensitive information is often stored on ‘air-gapped’ computers, which are physically separated from the internet.  The lack of a connection protects them from most external attackers, and even if the machine is infected with malware, the data is difficult to exfiltrate.

An Israeli researcher has demonstrated a new technique for transmitting information out of air-gapped computers, using malware to force LEDs to flash in a pattern that can be picked up by a drone hovering outside the window.  Other known methods for exfiltrating information over an air gap include varying fan speeds to produce audio signals, and using USB sticks to send RF emissions.  LEDs can transmit information at a much faster rate, however, reaching 4000 bits per second with high quality light detection equipment (corresponding to around an A4 page of text every five seconds).

This attack requires infecting air-gapped machines with specific malware, and can be mitigated simply by covering LEDs with opaque tape. However, it illustrates the potential for emerging technologies, such as drones, to enable compromises.  A potential variation on drone-enabled hacking could involve mounting a Wi-Fi access point on a drone, impersonating a corporate Wi-Fi network, and positioning it in an otherwise secure location.  Employees connecting to it would expose their devices and company data to the attacker. The NCSC notes that wireless security scanning tools may be useful to detect and locate unauthorised or spoofed wireless access points.

SHA-1 Collision: Cryptographic standard undermined

Researchers have successfully broken a commonly used cryptographic standard.  Google and the Centrum Wiskunde & Informatica (CWI) made the widely expected announcement of the world’s first SHA-1 collision on 23 February.

SHA-1, or Secure Hash Algorithm 1, produces a fixed-length digital fingerprint for any set of data, whether that be code, a document or a webpage, and any change to the original data, no matter how small, should produce a different SHA-1 fingerprint.  SHA-1 can therefore show whether data has been tampered with between creator and end user, making it useful for a broad array of security applications such as HTTPS certificates, digital document signing, version control and backup systems.

A ‘collision’ in SHA-1 means that two different inputs have produced the same fingerprint, something a secure hash function should make infeasible to find.  The researchers were able to produce a collision roughly 100,000 times faster than a brute-force search would require.

Given the difficulty and cost involved in creating the collision, it’s likely that applying it, or similar methods, for other inputs would only be feasible for determined and well-resourced actors.  It can however be seen as a proof of concept for a potential attack vector in future, as computing power increases and costs decrease.

Hypothetically, an actor could craft two files with the same SHA-1 fingerprint, one legitimate-looking and one malicious, have the legitimate one signed or its hash published, and then substitute the malicious one.  A victim’s computer would see the malicious version as identical to the verified original.

SHA-1 is already being phased out, and many web browsers will cease support for it in 2017. But its pervasiveness means that the transition will take time, and the risk is only likely to grow in future.


Threatpost - New Fileless Attack Using DNS Queries to Carry Out PowerShell Commands

A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers, a method that researchers said makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems.

According to experts at Cisco’s security research outfit Talos, the infection chain begins with a rigged Word document sent to recipients who are encouraged to “enable content” so they can view a message. If enabled, the document launches a Visual Basic for Applications macro that opens the initial PowerShell command that ultimately leads to the multistage attack and the eventual installing of a remote access Trojan.

“This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection,” wrote Cisco’s Edmund Brumaghin and Colin Grady.

The initial PowerShell instructions that are executed are contained within the Word document itself.

Researchers said the attack is unique because it does not involve a typical infection chain that includes files written to the targeted system. Instead, the malware infection technique uses DNS TXT messaging capabilities to request and fetch malicious PowerShell commands stored remotely as DNS TXT records.

Researchers said the malware sample uses DNS TXT record queries and responses creating a bidirectional command and control channel. “This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker,” researchers wrote.

According to a technical analysis, attackers leveraged multiple VBA scripts, each unpacking a unique self-contained PowerShell script. During each of the stages in the infection process, malware would send DNS queries to one of multiple domains hardcoded in the script.

“The document uses the Document_Open() function to call another VBA function. The called function sets a long string that defines a Powershell command and includes the code to be executed. The command is then executed using the Windows Management Interface (WMI) Win32_Process object using the Create method,” researchers said.

This process, “allows the code to be executed without ever requiring it to be written to the filesystem of the infected system,” according to Talos.

The objective of the multi-stage infection process is to determine the access privileges on the targeted system and which version of PowerShell is installed, make changes to the Windows Registry, and open a backdoor in order to maintain persistence.

Cisco notes that DNSMessenger demonstrates the ingenuity and lengths attackers are going to avoid detection. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure,” researchers wrote.
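One way to act on Talos’s advice about treating DNS as a C2 channel, as an added example (not Talos code): a heuristic that runs over resolver logs and flags a client that repeatedly queries TXT records in one zone with long, high-entropy subdomains, the shape DNSMessenger’s staging produces. The log format, the client addresses, the zone names and every sample line are constructed, and the thresholds are starting points rather than tuned values.

```python
"""Heuristic detection of DNS TXT-record command and control over resolver logs,
modelled on the DNSMessenger behaviour described above. Added example, not Talos
code; the log format and all sample lines are constructed."""
import math
import re
from collections import defaultdict

# Constructed log lines in a simple "timestamp client qtype qname" format.
# 10.0.0.8 and 10.0.0.9 make ordinary TXT lookups (DMARC, SPF, ACME);
# 10.0.0.5 polls one zone repeatedly with long random-looking labels.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.8 TXT _dmarc.example.com
2017-03-02T10:00:02 10.0.0.8 TXT example.com
2017-03-02T10:00:02 10.0.0.8 A www.example.com
2017-03-02T10:00:03 10.0.0.9 TXT _acme-challenge.example.org
2017-03-02T10:00:05 10.0.0.5 TXT 0f3a7c9e1b5d2846.stage.c2-example.invalid
2017-03-02T10:00:35 10.0.0.5 TXT 9b1e4d7a0c3f6285.stage.c2-example.invalid
2017-03-02T10:01:05 10.0.0.5 TXT 5c8f2a6d9e0b1437.stage.c2-example.invalid
2017-03-02T10:01:35 10.0.0.5 TXT e2a7d0b5f8c39164.stage.c2-example.invalid
2017-03-02T10:02:05 10.0.0.5 TXT 3d6b9f0e2c5a8741.stage.c2-example.invalid
2017-03-02T10:02:35 10.0.0.5 TXT 7a4c1f8b3e0d5692.stage.c2-example.invalid
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def shannon_entropy(text):
    """Bits per character; random hex sits near 4.0, ordinary hostnames well below 3.5."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, zone), treating the last two labels as the zone.
    A real deployment would use the public suffix list instead of this shortcut."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect(log_text, min_queries=5, min_entropy=3.5, min_sub_len=12):
    """Flag (client, zone) pairs with many TXT queries whose subdomains look like
    encoded data. Thresholds are illustrative and need tuning per environment."""
    subs_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        sub, zone = split_qname(rec["qname"])
        subs_by_pair[(rec["client"], zone)].append(sub)

    flagged = {}
    for (client, zone), subs in subs_by_pair.items():
        if len(subs) < min_queries:
            continue
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        if mean_entropy >= min_entropy and mean_len >= min_sub_len:
            flagged[client] = {"zone": zone, "queries": len(subs),
                               "mean_entropy": round(mean_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for client, info in detect(SAMPLE_LOG).items():
        print(client, info)
```

TXT lookups are legitimate and common (SPF, DMARC, ACME, service discovery), so the heuristic keys on the combination of volume, a single zone and entropy rather than on the record type alone; in production the zone split should use the public suffix list and the counts should be windowed by time.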

“This appears to have been a fairly targeted attack and was not very widespread compared to other campaigns we regularly observe,” said Brumaghin. He added the intent of the malware is unclear. “We were unable to get the C2 infrastructure to send commands to execute. This is common with targeted attacks as the attackers will only choose to send commands to their intended victim.”


NCSC- Weekly Threat Report 17th February 2017

Official Launch of the National Cyber Security Centre

February 14th marked the official launch of the National Cyber Security Centre (NCSC) HQ by Her Majesty the Queen. The Centre will work to make the UK the safest place to live and do business online.

In acknowledgement that Government alone cannot protect the public from cyber attacks, the Chancellor announced the launch of the Industry 100 initiative. Industry 100 will see the Centre invite expertise from industry to collaborate with the NCSC in achieving its mandate of enhancing the cyber security of the UK.

A reflection on the diversification of cyber crime

The nature of the cyber-criminal threat to the UK is diversifying: highly skilled actors are becoming increasingly competent and targeted in their attacks, while the barriers to entry for less-skilled actors are lowering.

At the high-capability end of the spectrum, banking Trojans are reportedly becoming increasingly targeted, with a focus on financial institutions, which offer larger rewards than end-user customers. Meanwhile, ransomware attacks are said to be specifically targeting those organisations perceived as more likely to pay because they depend on timely access to time-critical data.

At the other end of the skill spectrum, individuals with minimal cyber capability can carry out nefarious activities online using Crimeware-as-a-Service tools. DDoS attacks, email compromises, criminal infrastructure and more can be bought or rented at minimal cost. Notably, sites now offer live chats with support agents, and collect marketing information to better understand their customers. This trend risks further normalising low-level cyber crime.

The diversification of the cyber-crime threat poses challenges for law enforcement and security professionals, who will face highly skilled, targeted threats. Simultaneously, resources are increasingly consumed by low-skilled attackers using services offered by more competent actors. Detailed analysis of this changing cyber-criminal landscape will be published in NCSC Assessment's Annual Report.

Warning of cyber threat from building owners

The US Government Accountability Office (GAO) has warned of the potential threat of cyber intrusions from foreign owners of office buildings. Numerous properties occupied by US law enforcement agencies are owned by firms domiciled abroad, including in China, Israel, South Korea and Japan. Some of the buildings are used for sensitive activities including managing classified operations, hosting data centres and storing high-security material. Most of the agencies were unaware that their buildings were foreign-owned.

The GAO's report highlights concerns from the Department of Homeland Security that "threat actors could coerce owners into collecting intelligence about the personnel and activities of the facilities when maintaining the property." This could potentially include exploiting building infrastructure to facilitate cyber intrusions. The GAO recommends that US government agencies should be informed if their buildings are foreign-owned, so that appropriate security measures can be implemented, where necessary.

While the report focuses on the threat to official bodies, the concerns it raises may also apply to commercial organisations dealing with corporate-sensitive information. Although there are no reported instances so far of such intrusions taking place in the US or UK, this issue highlights the need for precautions regarding landowners' access to buildings hosting sensitive activities.

Weaponised Macros targeting Mac users

Security researchers have reportedly identified the emergence of Microsoft Word documents containing malicious macros that install malware on macOS devices.

This technique has been used for some time to infect Windows users with malware. However, this is the first reported in-the-wild instance of Word documents containing malicious macros that execute solely on macOS. When users attempt to open the attachment, they are prompted to enable macros; if they do, the malware executes its payload.

Although not a particularly sophisticated attack technique, this methodology has been successful in delivering ransomware and banking Trojans to Windows users worldwide. It looks like Microsoft Word users on macOS may now also fall victim to such attacks. This is a timely reminder that cyber criminals are regularly looking to enlarge their pool of potential victims; regardless of software and hardware, users must be vigilant of the risks.

Watering hole attacks infected a larger pool of victims than first thought

Last week it was reported that the Polish financial sector had been the victim of a malware attack, where the attackers used the web server of the Polish financial regulator as a watering hole. Further investigation has revealed that the attackers intended to target over 100 organisations, mainly banks, in 31 different countries, including the UK.

Vulnerabilities Report

A number of cross-platform updates this week, with a predominant focus on Linux and Unix-based systems. Microsoft held back its Patch Tuesday release cycle due to last-minute complications. The most publicised vulnerability this week concerned F5’s BIG-IP and the ‘TicketBleed’ vulnerability. Adobe released updates for Flash Player and Digital Editions to fix remote code execution vulnerabilities. Elsewhere this week there were updates to BIND, Cisco AnyConnect and Cisco ASA, IBM WebSphere, HPE NonStop Server, Xen and Google’s Android.



InterContinental Hotels Group (IHG), parent company to Crowne Plaza, Holiday Inn and Kimpton Hotels and Resorts, confirmed on Friday a breach of payment card systems used in 12 of its hotels located in North America and the Caribbean.

According to IHG, which operates 5,000 hotels worldwide, malware was found on servers used to process credit cards. The servers were infected between last August and December; the company declined to say how many payment cards were impacted.

In a statement released Friday, IHG said it found malware installed on servers used at popular destinations such as Michael Jordan’s Steak House and Bar in Chicago, the Holiday Inn San Francisco Fisherman’s Wharf, the Copper Lounge in Los Angeles, and the Palm Bar in Aruba.

The hotelier reported on Dec. 28 that it was investigating customer complaints of unauthorized charges on credit cards. At the time, the company said only a limited number of destinations were impacted before revealing more details on Friday.

“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties,” according to a statement. “Cards used at the front desk of these properties were not affected.”

According to IHG, the malware searched for magnetic stripe track data as it was being routed through the servers. Track data includes the cardholder name, card number, expiration date and internal verification code. IHG has not said which strain of malware was used in the attacks.

Hotels, restaurants and other hospitality outlets are frequently singled out as victims by opportunistic hackers. Last year alone there were nearly a dozen reports of card breaches in the sector. One of those breaches occurred in August and included 20 hotels run by HEI Hotels and Resorts, which operates properties under the Marriott, Sheraton and Westin brands; there too, malware was used to siphon payment card data.

The use of malware to steal payment card data peaked in 2014, when it was at the center of several high-profile breaches, including Target and Neiman Marcus.

As recently as last November, security researchers at Trustwave said the Carbanak cybercrime gang, first discovered by Kaspersky Lab, had shifted strategy and begun targeting the hospitality and restaurant industries with new techniques and malware. Part of the Carbanak tactics involved targeting hospitality call centers with elaborate ploys to get customer service representatives to open emails carrying macro-laced documents. The target was credit card data scraped from the memory of point-of-sale systems.

“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG wrote in a statement regarding the breach.


NCSC - Weekly Threat Report 3rd February 2017

This report is drawn from recent open source reporting.

Shamoon 2

The Saudi Arabian Government warned on 23 January that the destructive wiper malware Shamoon 2 had been detected on its government networks.

Shamoon 2 is an updated version of Shamoon, the disk-wiping malware that disabled thousands of computers at Saudi state-linked energy company Saudi Aramco in 2012.

The Saudi authorities are reporting on these latest compromises publicly and have provided reassurance that the damage is currently limited and mitigation is in place.

The re-emergence of Dridex

The notorious Dridex banking Trojan has returned. Flashpoint researchers observed a small Dridex spear-phishing campaign targeting UK financial institutions on 25 January. This is not the first time Dridex has made a reappearance; there have been peaks and troughs in the distribution of this Trojan since it first emerged in 2014. What has remained consistent, however, is the upgraded capability seen within the malware upon its return.

This Dridex re-emergence is no exception: Flashpoint researchers identified a previously unobserved User Account Control bypass mechanism in the most recent iteration of the malware. With this bypass, the Windows prompt requesting administrative access for an application is not displayed, enabling Dridex to gain administrative access to the system without user approval.

This frequent evolution ensures infection levels are kept high, whilst frustrating the capability of network defenders to respond to attacks. Although relatively resource intensive, these regular changes have so far been worthwhile in establishing Dridex's status as one of the most prolific banking Trojans to feature in the UK, as well as yielding estimated profits of upwards of £20 million.

The Evolution of Ransomware

An earlier weekly threat report predicted further innovations in ransomware, and this has already happened with the targeting of internet-connected devices to create a “Ransomware of Things”.

The number of Internet of Things (IoT) devices is increasing, and many have poor security, which presents opportunities for exploitation by cyber criminals. According to research company Gartner, there will be more than 26 billion IoT devices by 2020.

Researchers from IT security company ESET predict that the next step in the evolution of ransomware is "jackware", where internet-connected devices are targeted to create a Ransomware of Things (RoT). Recent RoT incidents have locked people out of hotel rooms and left a family unable to access their smart TV.

2016 was dubbed "The Year of Ransomware", but as the number of connected devices continues to increase, this phenomenon will only continue to gather pace.

Hiding in Plain Sight

According to recent research by Forcepoint Security Labs, the Carbanak Group is now using malware that uses Google cloud services for command and control infrastructure. The group is named after Carbanak (aka Anunak) malware, which is a banking Trojan that has been used to steal hundreds of millions of pounds from international financial institutions.

The new malware issues command and control instructions to and from Google Forms Services, Google Apps Script and Google Sheets to manage infected computers. Investigations suggest that a trojanised RTF document was likely responsible for infecting the computers with the malware.

Using a legitimate third party service like Google helps the attacker hide their communications in plain sight amongst regular traffic that is unlikely to be blocked by an organisation or identified by intrusion detection systems. Detecting such threats will therefore require an evolution in protective monitoring.

This isn't the first time that cloud services have been used this way, with services like Dropbox abused in the past, but it is likely to become more popular as individual users, government departments and industry organisations make ever greater use of the cloud.


This was a relatively quiet week for vulnerabilities, with mainly cross-platform updates issued for Linux and Unix systems. Google Chrome, OpenSSL and WordPress each fixed multiple flaws addressing remote access, bypassing of security controls, and spoofing of the user interface, among other issues.  Elsewhere there were updates from F5 Networks, RSA, and IBM. No one sector was disproportionately affected this week.



WordPress silently fixed a serious content injection vulnerability when it pushed out its latest security release, 4.7.2, last week.

Sucuri, the firm that found the vulnerability, disclosed it Wednesday and said that if exploited, it could have let an attacker modify the content of any WordPress post or page.

A WordPress core maintainer said the project delayed disclosing the vulnerability, technically an unauthenticated privilege escalation in a REST API endpoint, to “ensure the safety of millions of additional WordPress sites.”

WordPress enabled REST API endpoints by default when it pushed version 4.7 in early December 2016, to allow access to WordPress posts, comments, terms and other settings.

Marc-Alexandre Montpas, a security researcher with Sucuri, found the flaw and alerted WordPress on Jan. 20. Aaron Campbell, a WordPress core maintainer, broke down the timeline around the vulnerability and the steps WordPress took to remedy it on Wednesday.

According to Campbell, WordPress’ security team had a fix implemented fairly quickly; it just needed to be tested. The team spent the weekend coordinating with companies, such as Sucuri, that deploy web application firewalls to block exploits against their customers.

WordPress said it also reached out to Incapsula, Cloudflare, and SiteLock to ensure their customers had rules in place to thwart any exploits. After gathering data from those companies, WordPress was satisfied that the vulnerability had not been exploited in the wild.

“On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users,” Campbell wrote, “Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.”

WordPress elected to put off disclosing the vulnerability to make sure that its users, the bulk of whom have automatic updates enabled on their sites, were protected before going public on Wednesday with the details.

According to Montpas, who described the vulnerability in detail Wednesday, the issue stemmed from the way the REST API resolved the post ID. Values supplied via $_GET and $_POST were preferred over the ID matched in the route, so an attacker could send a request whose ID contained letters. A second issue in the endpoint meant that if that ID did not resolve to a post, the request still passed the permission check and continued executing.

Montpas said that WordPress, at least until last week, “casts the ID parameter to an integer before passing it to get_post.” An alphanumeric ID was thus reduced to its leading digits and resolved to an existing post, at which point the attacker could change the content of the page, chain further vulnerabilities and, depending on the site’s plugins, execute code, he writes.

“From there, they can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles), infect the site content with an SEO spam campaign, or inject ads, etc,” Montpas writes, “Depending on the plugins enabled on the site, even PHP code could be executed very easily.”
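The two-step failure Montpas describes here, and summarised in the 4.7.3 article above, as an added example in Python rather than WordPress’s PHP: a permission check that looks up the raw ID and waves through a post it cannot find, followed by a handler that casts the ID the way PHP’s (int) does, so a lettered ID collapses to an existing post. The site data, user names and request shapes are constructed; the hardened version normalises the ID once, checks permissions on that value and treats an unknown post as an error.

```python
"""Model of the WordPress 4.7.0/4.7.1 REST API content-injection bug fixed in 4.7.2,
as Sucuri described it above. Added example in Python, not WordPress code: the
permission check looked up the raw ID and let an unknown post through, on the
assumption the handler would 404, but the handler cast the ID the way PHP's (int)
does, so a lettered ID became post 123 and any visitor could edit it."""
import re

# Constructed site content: post 123 belongs to "admin".
POSTS = {123: {"title": "Hello world", "author": "admin"}}


class Forbidden(Exception):
    """Stands in for the REST API's 403 response."""


def php_int_cast(value):
    """Emulate PHP's (int) on a string: leading digits are kept, anything else is 0."""
    m = re.match(r"^\s*[+-]?\d+", str(value))
    return int(m.group(0)) if m else 0


def get_post(post_id):
    """Mirrors WP_Post::get_instance(), which rejects non-numeric IDs outright."""
    if isinstance(post_id, str):
        if not re.fullmatch(r"\d+", post_id):
            return None
        post_id = int(post_id)
    return POSTS.get(post_id)


def current_user_can_edit(user, post_id):
    post = get_post(post_id)
    return post is not None and post["author"] == user


def vulnerable_update(user, request):
    """4.7.1 behaviour. 'request' holds the merged parameters: the route only
    matched numeric IDs, but an id=... query or body parameter took precedence."""
    raw_id = request["id"]
    # Permission check: if no post is found the request is allowed to proceed.
    if get_post(raw_id) is not None and not current_user_can_edit(user, raw_id):
        raise Forbidden()
    # Handler: the (int) cast strips the trailing letters, and that post does exist.
    post = get_post(php_int_cast(raw_id))
    if post is None:
        return 404
    post["title"] = request["title"]
    return 200


def fixed_update(user, request):
    """Hardened version: normalise the ID once, check permissions on that same
    value, and treat an unknown post as an error instead of a pass."""
    raw_id = str(request["id"])
    if not re.fullmatch(r"\d+", raw_id):
        return 404
    post_id = int(raw_id)
    if get_post(post_id) is None:
        return 404
    if not current_user_can_edit(user, post_id):
        raise Forbidden()
    POSTS[post_id]["title"] = request["title"]
    return 200


if __name__ == "__main__":
    print(vulnerable_update("anonymous", {"id": "123abc", "title": "defaced"}), POSTS[123])
    print(fixed_update("anonymous", {"id": "123abc", "title": "defaced again"}), POSTS[123])
```

The general lesson is the one the fix embodies: authorisation must be evaluated on exactly the value the handler will act on, and “not found” during an authorisation check is a denial, never an implicit allow.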

The rest of WordPress’ 4.7.2 update last week was fairly low-key. In addition to the silently fixed content injection vulnerability, the update fixed several cross-site scripting bugs, a SQL injection vulnerability, and an issue with permissions.



Ubuntu users are being urged to update their operating systems to address a handful of recently patched OpenSSL vulnerabilities which affect Ubuntu and its derivatives.

Developers with Canonical, the company that oversees the Linux distribution, announced the updates on Tuesday, encouraging users to install the latest OpenSSL package version for the release they are running.

The updates resolve several of the vulnerabilities fixed in the OpenSSL cryptographic library last Thursday.

Three of the vulnerabilities were rated “medium” severity by OpenSSL’s maintainers; they could enable a timing attack or a denial of service, and could potentially help an attacker recover private keys.

One issue (CVE-2016-7056) stemmed from OpenSSL not using constant-time operations when performing Elliptic Curve DSA (ECDSA) signing with the P-256 curve. As a result, at least on Ubuntu 12.04 LTS and Ubuntu 14.04 LTS, an attacker able to measure signing times could have recovered private keys.

OpenSSL’s maintainers said last week, when they pushed the updates, that such an attack would be difficult to achieve, however.

“Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely,” OpenSSL said. “The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.”

It was discovered that the library also mishandled certain truncated packets, which could have been exploited to cause a denial of service. It also performed the x86_64 Montgomery squaring procedure incorrectly, a defect that could likewise have been exploited to recover private keys. That issue only affects x86_64 systems, such as Ubuntu 16.04 LTS and Ubuntu 16.10, however.

The rest of the fixes were relatively small potatoes and all marked “low” severity.

Another separate, less pressing issue (CVE-2016-7055) also affected how OpenSSL handles Montgomery multiplication and could lead to what Ubuntu calls “transient failures.”

The update also fixes an issue in which OpenSSL used “undefined behavior when performing pointer arithmetic,” and another in which it incorrectly handled certain warning alerts. A remote attacker could exploit either vulnerability to cause a denial of service, according to Ubuntu’s advisory.

Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS and Ubuntu 12.04 LTS are all considered vulnerable until updated, the advisory warns.

The OpenSSL patches came just days after news surfaced that despite being patched three years ago, almost 200,000 servers and devices are still vulnerable to Heartbleed. The numbers came via analysis gathered by the search engine Shodan, a service that searches open ports for vulnerabilities.

According to the report roughly 52,000 Apache HTTPD servers remain vulnerable, in addition to 6,380 Amazon Web Services devices, and 4,330 Verizon Wireless devices.

The encryption library is used in a slew of devices and software, but it is up to each vendor when it patches the vulnerabilities.

Cisco issued a security advisory about the vulnerabilities on Monday, as many of its products incorporate OpenSSL packages. The company has not yet determined exactly which software is affected, but says it is investigating nearly 200 different products to find out.


Mobile security company Zimperium said Tuesday that it will start buying exploits, but in a departure from most other programs, it will not be buying zero-days.

The company’s N-Days Exploit Acquisition Program will pay researchers from a pool of $1.5 million for exploits targeting vulnerabilities in Android and iOS that have already been patched.

Zuk Avraham, founder of Zimperium, said the program will not only serve to train the company’s core internal Z9 machine learning engine, but also encourage and reward exploit writers to develop proof-of-concept exploits that could nudge carriers and handset makers to improve patch delivery to devices.

“We are not an exploit acquisition company; we don’t do offensive stuff. We get the same value from our perspective working on N-days,” Avraham said. “Right now N-days are worth zero. We are going to help create value for vulnerabilities that sell for zero and make them worth more than that.”

Avraham said exploits for iOS 8 and later, and Android 4.0 and later, will be eligible for the program. Exploits from the program will be first delivered to Zimperium partners and members of its Zimperium Handset Alliance, which includes some large mobile manufacturers such as Samsung and BlackBerry. Within three months, the exploits will be publicly released. Members of Zimperium’s Zlabs research team will evaluate submissions and determine payouts on a case-by-case basis.

“These things need to be shared in order for the community to get better and safer,” Avraham said, pointing to other exploit acquisition programs that do not share exploits publicly. “We have to change that; that’s what triggered creation of this program.”

Having a working proof-of-concept exploit, Avraham said, should add urgency—especially on the Android side of the equation—for handset makers and carriers to deliver patches and improve the overall security of the ecosystem. Exploits coming out of the program, for example, put more PoCs in the hands of industry, some of which could be hesitant to deliver timely patches without working public exploits, Avraham said.

“Android got better, and much safer if you’re on the latest version, but only .5 percent are on the latest version unfortunately,” Avraham said.

One glance at the monthly Android Security Bulletins shows the multitude of vulnerabilities Google regularly assesses and remediates in the mobile operating system. And while Google patches its Nexus phones through over-the-air updates, those devices represent only a fraction of the mobile market running at current patch levels.

The Android ecosystem still lags overall on comprehensive patching, and it’s not alone given that while Apple regularly pushes updates to its devices, it still relies on users to download and install them.

“We are not there yet, and we can get better,” Avraham said, conceding the improvements made since the initiation of the monthly Android patch releases from Google in particular and the number of critical bugs in Mediaserver and Stagefright that have been found and patched. “It’s gotten better, but it’s still very challenging work.”

Avraham said the program is scheduled to run at least one year, but depending on whether it’s successful, it could be extended.

“With this program, we thought we would get creative, support the community and do something different for once,” Avraham said.

NCSC - Weekly Threat Report 27th January 2017


Twitterbots spreading fake news on the internet

Recent reports suggest social media bots are widely spreading fake news on the Internet.

A Twitterbot is a bot program used to create accounts and automated tweets that requires little or no human intervention. This typically means that not all accounts have to be created by humans. Twitterbots can be used for entertainment, marketing, spamming, manipulating Twitter's trending topics list and public opinion, trolling, fake followers, malware distribution, and data set pollution, among other things.

A 'Star Wars' botnet of 350,000 accounts secretly infiltrated Twitter in 2013 and has lain dormant ever since. The Star Wars botnet randomly tweeted quotes from Star Wars novels.

This comes after the reports in June 2016 that a botnet of 3 million accounts, which was created earlier in April 2014, is responsible for a total of 2.6 billion tweets with a daily activity of 500 million tweets. Volumes of this amount could be used to influence public opinion.

It is in Twitter's best interest to monitor accounts and make sure they are legitimate but, with a monthly average of 313 million users, this is almost impossible. Hardware and software are now readily available so that bots can be modified to avoid detection. In the Star Wars example, by tweeting quotes from novels, the bots are able to evade tools that detect machine-generated language.


NCSC - Weekly Threat Report 20th January 2017

This report is drawn from recent open source reporting.

Password security

In November 2016, a study of user passwords exposed by a Yahoo data breach revealed that "123456" was the most common password, followed closely by "password" at number two. A more recent report on the most commonly used passwords revealed that "123456" was still number one, followed by the 'more complex' "123456789".

These reports highlight ongoing problems associated with conventional password policies, which tend to promote the use of complicated passwords that are harder for attackers to discover, but which also place greater burdens on users. This approach may therefore be counterproductive, leading users to opt for simple password strategies, which will also be easy for attackers to guess or brute force. In many cases, imposing technical controls such as blacklisting the most common passwords is a far more effective measure.
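A minimal implementation of the deny-list control the report recommends, added here as an example and not drawn from the NCSC report: the list contains only the three passwords named above (a constructed subset; a real deployment would load a much larger list), and the normalisation rules (lower-casing, stripping trailing digits and punctuation, undoing common character substitutions) are design choices of this example.

```python
import unicodedata
from typing import Iterable, Set

# Constructed deny-list: only the three passwords the report names. A real
# deployment loads a large list (assumption: kept in memory here so the
# example runs offline).
COMMON_PASSWORDS: Set[str] = {"123456", "password", "123456789"}

# Common character substitutions undone before comparison (example rules).
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})
_PUNCT = "!@#$%^&*()_+-=.,;:'\"?/\\|[]{}<>~` "


def candidate_forms(password: str) -> Set[str]:
    """Normalised variants of a password that are all checked against the
    deny-list, so trivial decoration ("Password1!", "p@ssword") does not slip
    past a plain list entry ("password")."""
    base = unicodedata.normalize("NFKC", password).lower()
    stripped = base.strip(_PUNCT)
    forms = {base, stripped}
    core = stripped.rstrip("0123456789")
    if core:                       # all-digit passwords keep only their base form
        forms.add(core)
    forms |= {f.translate(_LEET) for f in list(forms)}
    forms.discard("")
    return forms


def is_common(password: str, denylist: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """True if any normalised form of the password appears on the deny-list."""
    deny = set(denylist)
    return any(form in deny for form in candidate_forms(password))


def check_password(password: str, denylist: Iterable[str] = COMMON_PASSWORDS,
                   min_length: int = 8) -> str:
    """Return "too common", "too short" or "ok". The deny-list check runs first
    so the user is told the more important reason for rejection."""
    if is_common(password, denylist):
        return "too common"
    if len(password) < min_length:
        return "too short"
    return "ok"


if __name__ == "__main__":
    for pw in ("123456", "P@ssword1!", "pa55w0rd", "short", "correct horse battery staple"):
        print(f"{pw!r:32} -> {check_password(pw)}")
```

The check deliberately rejects decorated variants of listed passwords rather than only exact matches, because complexity rules that force a capital letter, a digit and a symbol tend to produce exactly such variants; a length floor plus a deny-list is the simpler control the report argues for.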

Mobile forensics company hacked

The Israeli mobile forensics company, Cellebrite, reports that it has become the latest in a long line of companies to have its data hacked and published online. Cellebrite is a major supplier of forensic tools to law enforcement and other security organisations worldwide. Cellebrite states that it experienced 'unauthorised access to an external web server' and that it is known the information accessed includes 'basic contact information' and 'hashed passwords'. The company advises users to change their passwords as a precaution.

The company's investigation is ongoing. Without commenting on the specifics of this case, the compromise highlights the broader issue that companies must ensure that they protect themselves and customers in a way commensurate to the threat that they face and the sensitivity of the data that they hold. Reporting data breaches is to be strongly encouraged, enabling those affected to take appropriate action, such as changing passwords.
