NCSC - Weekly Threat Report 9th June 2017

Fireball malware

More than 250 million computers worldwide have been infected with malicious adware called Fireball, according to recent reporting. Produced by Rafotec, a Beijing-based digital marketing firm, the malware is spread mostly via bundling: when a user downloads a product they want, the Fireball malware is ‘bundled’ in without the user’s knowledge or consent.

Once infected, Fireball hijacks the user’s browser, installs extra plug-ins and manipulates the user’s web traffic. By redirecting traffic to Rafotec’s fake search engines, Fireball is able to generate additional advertising revenue for the company. A greater concern is the fact that Fireball can, in theory, be repurposed to serve as a fully functioning malware downloader.

Should Fireball be repurposed for further malicious activity it could be used to harvest sensitive data, such as financial credentials, medical records, or corporate business plans for example. Whilst estimates are that Indonesia, India and Brazil have the highest infection rates at present, other countries have been impacted.

In line with NCSC guidance, make sure you only install software from trusted sources.

Single Sign On provider OneLogin is compromised

In late May, OneLogin, an online access and identity manager, experienced a security breach in which sensitive customer data in its US region may have been compromised. OneLogin primarily provides Single Sign On (SSO) and identity management services for corporate customers using cloud-based applications. It is not yet clear how the unauthorised access happened, nor what its impact was, but it is suspected that a threat actor obtained Amazon Web Services (AWS) keys and used them to access the AWS Application Programming Interface (API) via another, smaller provider in the US. The actor was then able to access database tables containing information about users, apps and various types of keys. This may have included the ability to decrypt encrypted customer data.

To minimise damage OneLogin issued advice to customers which included generating new keys, authorisation tokens, security certificates and credentials and updating passwords.

This is not the first time an SSO or similar service has been targeted. Although, like password managers, they are increasingly considered to be a better way of managing access, they are a tempting target for attackers, and the consequences of compromise can be severe.

A new variant of Qakbot malware is bringing down enterprise networks

A new variant of the Qakbot (aka Qbot or PinkSlip) trojan, first seen in 2009, is stealing user information and installing backdoors on Microsoft Windows operating systems. Qakbot malware is used to target online bank accounts of businesses and individuals. Victims are initially infected through an exploit kit, phishing campaign or malicious download.

This new variant has worm-like, self-replicating capabilities similar to WannaCry but it is not ransomware and does not encrypt user hard drives. In its attempts to steal or brute force login details it can cause mass Active Directory lockouts. Some organisations have had thousands of users prevented from using corporate systems as a result.

According to researchers, the Qakbot code has been completely rewritten and is even more advanced and effective. The new features make it difficult to detect: the code is obfuscated, and its file structure and signatures change constantly.

We assess it likely that other malware campaigns will make use of these antivirus-evading techniques. Users should stay on their guard against suspicious emails and activity, and keep their systems up to date to help prevent infection.
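The mass Active Directory lockouts described above are also the most visible indicator a defender has. The following is an added example (Python, not from the NCSC report or from any Qakbot analysis) of the detection logic a SOC would run over an export of Windows Security event 4740 ("a user account was locked out"): it groups lockouts by the caller computer named in the event and flags any host that locks out several different accounts within a few minutes. The log format, hostnames and account names are constructed for the example; a real export from a domain controller would need its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a CSV-style export of Windows Security events in the form
# timestamp,event_id,target_account,caller_computer. Event 4740 is the
# "user account was locked out" event; the 4624 (logon) line is included only
# to show that unrelated events are filtered out. Hosts and accounts are invented.
SAMPLE_LOG = """\
2017-06-05T09:00:01,4740,alice,WS-0042
2017-06-05T09:00:09,4740,bob,WS-0042
2017-06-05T09:00:15,4740,carol,WS-0042
2017-06-05T09:01:02,4740,dave,WS-0042
2017-06-05T09:03:30,4740,erin,WS-0007
2017-06-05T09:20:00,4740,alice,WS-0042
2017-06-05T09:45:10,4624,frank,WS-0019
"""

LOCKOUT_EVENT_ID = "4740"


def parse_lockouts(log_text):
    """Return {caller_computer: [(time, account), ...]} for 4740 events only,
    each host's list sorted by time."""
    by_caller = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, caller = line.split(",")
        if event_id != LOCKOUT_EVENT_ID:
            continue
        by_caller[caller].append((datetime.fromisoformat(stamp), account))
    for events in by_caller.values():
        events.sort()
    return by_caller


def max_accounts_in_window(events, window):
    """Largest number of distinct accounts locked out by one caller within any
    interval of length `window`. events must be sorted by time; the O(n^2)
    scan is fine for the lockouts of a single host."""
    best = 0
    for t_end, _ in events:
        accounts = {acct for t, acct in events if t_end - window <= t <= t_end}
        best = max(best, len(accounts))
    return best


def lockout_bursts(log_text, window_minutes=5):
    """Per caller computer, the peak count of distinct accounts it locked out
    within any window_minutes-long interval."""
    window = timedelta(minutes=window_minutes)
    return {caller: max_accounts_in_window(ev, window)
            for caller, ev in parse_lockouts(log_text).items()}


def flag_sources(log_text, window_minutes=5, threshold=3):
    """Caller computers whose lockout burst meets the threshold. One workstation
    locking out many different accounts in minutes is the pattern a credential
    brute-forcing worm produces; a user mistyping a password locks out one."""
    bursts = lockout_bursts(log_text, window_minutes)
    return sorted(c for c, n in bursts.items() if n >= threshold)


if __name__ == "__main__":
    for caller, peak in lockout_bursts(SAMPLE_LOG).items():
        print(f"{caller}: peak {peak} distinct accounts locked out in 5 min")
    print("investigate:", flag_sources(SAMPLE_LOG))
```

On the sample, WS-0042 locks out four accounts inside two minutes and is flagged, while WS-0007's single lockout is left alone. The caller computer field is the useful pivot here: isolating the host that is generating the lockouts stops the spread without resetting every affected user, which is what the organisations in the report had to do at scale.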


This week’s summary starts with Google and multiple flaws fixed in both Chrome and Android leading to URL spoofing, obtaining of sensitive information and remote code execution.

Cisco released updates for a number of different products (TelePresence, AnyConnect, Email Security Appliance, Prime Data Center Network Manager, NX-OS, Content Security Management Appliance, and 8800 Series IP phones) to address cross-site scripting and bugs that could cause the target to crash, allow unauthorised access, or allow remote code execution.

IBM released updates for their Security Access Manager Appliance, Spectrum Protect (IBM Tivoli Storage Manager) and Domino TLS Server to prevent elevation of privilege, viewing of passwords, obtaining of sensitive information, and obtaining of authentication credentials.

Elsewhere this week there were updates for Wireshark, Apache Tomcat, VMware vSphere and Irssi.

Debian-specific updates this week came from perl, nss and zookeeper.

ICS-specific updates were released for Digital Canal Structural Wind Analysis and Rockwell Automation PanelView.


NCSC - Weekly Threat Report 2nd June 2017

Android app malware

According to IT security company Check Point, as many as 36 million Android devices may have been infected with ad-click malware. The malware, dubbed Judy, is reported to have been present in approximately 50 apps in Google’s Play Store, but the total number of infections cannot be accurately determined as it is not known for how long the apps have been malicious.

Those responsible generate money through ad-clicks – in this instance Judy silently imitated a browser and clicked on banners from Google’s ad infrastructure to generate revenue for the malware author. The malware has had little real impact upon the end user, though it does equate to an illegitimate use of a device, and could potentially be exploited for more sophisticated attacks, including: gaining control of devices for additional malware download, conducting DDoS attacks or gaining access to private networks.

Google’s protection system did not immediately identify the problem because the apps themselves did not contain any malicious code. Rather, once downloaded from the Play Store, the affected apps are designed to call out to a remote server which then delivers malicious ad-click software to devices.

This type of two-stage delivery is increasingly common. Last month, FalseGuide malware was discovered hidden inside apps and games on the Play Store. Following download, these compromised apps allow malicious actors to install additional malicious software. App stores may come under increased pressure to enhance their scrutiny of apps before permitting them to feature, particularly if the number of adware infections increases.

The NCSC recommends that users only install apps from the official application store for their device. Malicious apps in official stores are more likely to be discovered, and subsequently removed from the store and the device.

RoughTed Malvertising Campaign

Threat researchers at internet security firm Malwarebytes have recently highlighted a significant malvertising campaign, called RoughTed, which has been running for over a year.

Malvertising (or ‘malicious advertising’) uses online advertising as a delivery method for malware. Malware-infected ads can be inserted into popular, legitimate websites, and often do not require user action to be effective: simply visiting an infected site can be enough to get infected.

Criminal use of malvertising as a vector for malware delivery has been an increasing trend since it was first observed in approximately 2007 with the exploitation of a vulnerability in Adobe Flash. In 2015 Google disabled more than 780 million ads that violated their policies, some of which carried malware, up from 524 million in 2014.

RoughTed is notable for its prolific distribution, with associated domains accumulating in excess of half a billion visits in a three-month period. According to researchers, traffic diverted to RoughTed-related domains comes from thousands of different websites, some of which rank in Alexa’s top 500. RoughTed can reportedly profile users by operating system, browser and geolocation before delivering a variety of payloads, including exploit kits and malware. Moreover, RoughTed has been circumventing ad blockers, broadening the pool of potential victims.


NCSC - Weekly Threat Report 26th May 2017

This report is drawn from recent open source reporting.

Russian government reaction to cyber criminals

This week Russia revealed it had arrested a cyber crime gang in November last year for a campaign that raised nearly USD 900,000. The gang was nicknamed ‘Cron’ after the malware it used, which infected over a million Android mobile devices of Russian bank customers. Users unwittingly downloaded the malware via fake mobile banking, pornography and e-commerce apps. The ‘Cron’ gang exploited a Russian bank service which allows users to move small amounts of money to other accounts by sending an SMS message. The criminals sent SMS messages from infected devices instructing banks to transfer funds to their own accounts. According to Group-IB, the Russian cyber security company that worked with Russian law enforcement on the investigation, the ‘Cron’ gang were planning to rent a further piece of malware adapted to target banks in France, Germany, the UK and the US, amongst other unnamed countries.

Fake applications that impersonate a brand or organisation are not new. Purchasing from legitimate sources can reduce the risk of acquiring bogus applications.

Fake malware fixes

WannaCry ransomware may not have generated the wealth the scammers responsible were hoping for but since the attack enterprising criminals have been attempting to cash in on the heightened public awareness of WannaCry. Targeting concerned users, scammers have been offering a range of fake ‘fixes’ and ‘support services’.

This type of social engineering is a common methodology for cybercriminals. Whether viral social media posts, malicious pop-ups or well-crafted phishing campaigns, high profile events such as the WannaCry attack offer cyber criminals a hook to spread malware or to solicit funds.

It’s not only online incidents that criminals seek to take advantage of. Following news of high-profile disasters such as Hurricane Katrina in 2005, the 2014 Ebola outbreak and the 2015 Nepal earthquake, scammers set up fake charity websites and sent phishing emails in attempts to steal funds donated to the victims.

Recent examples of scams piggybacking on the WannaCry incident include:

  • Alerts circulating on social media directing users to fake WannaCry patches which deliver malware;
  • A phishing email posing as a BT customer service email which informs the user they are locked out of their BT account and directs them to a malicious link to obtain a ‘security upgrade’ to re-establish full access;
  • Third party app stores offering ‘patches’ for mobile users - despite the fact no mobile operating systems are believed to be vulnerable to WannaCry.

The recent UK Action Fraud alert has more information on specific fraud attempts.

The NCSC guidance page has further information on how to protect against phishing attempts as well as our recent blog on social engineering.

Europol arrest 27 individuals involved in black box ATM attacks

An international law enforcement effort has resulted in the arrest of 27 individuals in connection with a string of successful black box attacks against ATMs across Europe. These attacks are thought to have generated up to EUR 0.5 million for the criminals responsible. Black box attacks are cyber-enabled and involve physically penetrating an ATM’s casing to obtain access to exposed cables and ports. A laptop can then be connected and used to issue instructions to the ATM to dispense its bank notes. These attacks are less sophisticated and more common than cyber-dependent attacks that deploy malware to ATMs remotely, over a financial institution’s network. For more information on the cyber threat to UK ATMs, please see our recent assessment on CiSP.


NCSC - Weekly Threat Report 19th May 2017

WannaCry ransomware attack illustrates risk of using unlicensed software

The WannaCry international ransomware attack has highlighted the risks of relying on unpatched software. The scale of the outbreak has been blamed in part on the widespread use of unlicensed software. Pirated software is often insecure as it does not benefit from manufacturers’ updates to fix vulnerabilities.

Several of the countries reported by cyber security companies to be worst affected are also amongst the countries where unlicensed software is most widely used.

This incident illustrates that while using unlicensed software might be seen as a way of saving money in the short term, it can put cyber security at serious risk and may potentially lead to losses far outweighing any savings.

The NCSC's guidance on protecting your organisation from ransomware can be found here. Further guidance for home users and small businesses as well as enterprise administrators is also available.


NCSC Guidance - Protecting your organisation from ransomware

Protecting your organisation from ransomware

Created:  17 Oct 2016

Updated:  17 Oct 2016

How to prevent a ransomware incident, and what to do if your organisation is infected.

Ransomware is a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences. The first half of 2016 saw an almost threefold increase in ransomware variants compared to the whole of 2015[1].  While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.

The methods for infecting systems with ransomware are similar to other types of malicious software, as are the steps organisations can take to protect themselves. Depending on your level of preparation, ransomware infection can cause minor irritation or wide-scale disruption.

This guidance provides an overview of ransomware, suggests some simple steps to prevent a ransomware incident, and advises on what to do if your organisation is infected by ransomware.

What is ransomware?

There are two types of ransomware: the first type encrypts the files on a computer or network; the second type locks a user's screen. Both types require users to make a payment (the 'ransom') to be able to use the computer normally again. The ransom is often demanded in a cryptocurrency such as Bitcoin.

In many cases, the ransom amount is quite modest. This is designed to make paying the ransom the quickest and cheapest way to return to normal use. However, there is no guarantee that the key or password (to 'unlock' the computer) will be provided upon payment of the ransom.

The scale and automated nature of a ransomware attack makes it profitable through economies of scale, rather than through extorting large amounts from targeted victims. In some cases, ransomware has been known to strike the same victim more than once in succession. Ransomware attacks are not normally targeted at specific individuals or systems, so infections can occur in any sector or organisation.

How does ransomware infect your system?

Computers are infected with ransomware via a number of routes. Sometimes users are tricked into running legitimate-looking programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (otherwise known as phishing). More recently, we have seen ransomware infections which rely on unpatched vulnerabilities in computers, and simply visiting a malicious website can be enough to cause a problem.

Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

Preventing ransomware using good enterprise security

Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. You can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malware in general.

The following mitigations are examples of good security practice, and link to other NCSC guidance where available:

  • Vulnerability management and patching - some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it's important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.
  • Controlling code execution - consider preventing unauthorised code delivered to end user devices from running.  One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing - unless you have explicitly trusted them. It's also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can't see or risk-manage. See our End User Device security guidance for recommended configuration of the platforms you are running.
  • Filter web browsing traffic - we recommend using a security appliance or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.
  • Control removable media access - see our advice on management of removable media to prevent ransomware from being brought in to an organisation via this channel.

For more information see Approaching enterprise technology with cyber security in mind.

What impact does ransomware have?

Ransomware will prevent access to systems or data until a solution is found. If systems are delivering critical services, this can have serious reputational, financial and safety impacts on affected organisations and their customers. Even if the victim has a recent backup of their system, it may still take considerable time to restore normal operations. During this time, organisations may have to invoke their Business Continuity processes.

It is worth noting that if a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated? How should they be removed, and how should users be warned? Were other types of malware also deployed at the same time? What are they and what will they do? And when?

Limiting the impact of a ransomware attack

The following measures can all help to limit the impact of a ransomware attack.

  • Good access control is important. The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user.  Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
  • Ransomware doesn’t have to go viral in your organisation; limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations we make here, protects against a range of cyber attacks.
  • Have a backup of your data. Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware. It is important to remember backups should not be the only protection you have against ransomware - the adoption of good security practices will mean not getting ransomware in the first place. For further guidance on backups, please see our Securing Bulk Data guidance, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.

What to do if your organisation has been infected with ransomware

If you need to know more about ransomware and its effects, or you have a ransomware issue, there are a number of sources of further advice and guidance:

  • The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at  It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.
  • The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.
  • The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced. 

Here at the NCSC, we welcome those who would like to share their experiences of ransomware in confidence. NCSC Operations provide threat intelligence to government, industry and the public. Case studies - even anonymised - can be very helpful.


UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

Docs use pen and paper after computers scrambled amid global outbreak

Final update UK hospitals have effectively shut down and are turning away non-emergency patients after ransomware ransacked their networks.

Some 16 NHS organizations across Blighty – including several hospital trusts such as NHS Mid-Essex CCG and East and North Hertfordshire – have had their files scrambled by a variant of the WannaCrypt, aka WanaCrypt aka Wcry, nasty. Users are told to cough up $300 in Bitcoin to restore their documents.

Doctors have been reduced to using pen and paper, and closing A&E to non-critical patients, amid the tech blackout. Ambulances have been redirected to other hospitals, and operations canceled.

It is understood WannaCrypt, which is raiding companies and organizations across the planet today, is being spread by a worm that exploits unpatched vulnerabilities in Windows machines – particularly MS17-010, an SMB bug attacked by the leaked NSA tool EternalBlue. The security hole has been patched for modern Windows versions, but not Windows XP – and the NHS is a massive user of the legacy operating system.

A spokesperson for NHS Digital said: "We're aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware."

East and North Hertfordshire NHS confirmed in a press statement: "Today, the trust has experienced a major IT problem, believed to be caused by a cyber attack. Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust's telephone system is not able to accept incoming calls.

"The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency."

It said the trust's IT specialists were working to clean up the mess.

"I'm led to believe that there is a major attack underway on the NHS with systems down nationwide," one reader told us. "My wife is a GP and their systems were just shut down and they were told it was because of a 'National hack of the computer health care system'."

Updated to add

Payments appear to be being made to the Bitcoin addresses given in the NHS ransomware attack – which in turn confirms that the same strain of malware has infected Telefónica Spain, Gareth Corfield reports.

This same address is seen on computer screens in Spain and other countries hit by the WannaCrypt variant. A payment of 0.15 Bitcoin – worth roughly $266 at the time of writing – was made to that address two hours ago, as the Blockchain tracker shows. It is not possible to say who paid this amount. The NHS attackers are asking for $300 worth of Bitcoin in ransom payments.

NHS Digital response

NHS Digital confirmed that a number of organisations across different sectors have reported suffering a ransomware attack.

It said: "The investigation is at an early stage but we believe the malware variant is Wanna Decryptor. At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this. NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations. This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors.

"Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available." ®


Sophos waters down 'NHS is totally protected' by us boast

Watered down homeopathy for computers is more powerful, m'kay?

Updated Sophos updated its website over the weekend to water down claims that it was protecting the NHS from cyber-attacks following last week's catastrophic WannaCrypt outbreak.

Proud website boasts that the "NHS is totally protected with Sophos" became "Sophos understands the security needs of the NHS" after the weekend scrub-up.

Security-watchers, including former staffer Graham Cluley, noticed the reverse ferret.

Sophos didn't publish a definition update until 1825 BST, hours after an outbreak that forced hospitals to postpone scheduled treatments and appointments in scores of NHS Trusts. Sophos Live Protection functionality, if enabled, could detect WannaCrypt earlier than that.

Signature updates aren't the only layer of security in modern anti-malware but this only raises further questions about why Sophos's technology didn't pick up an attack based on a known exploit patched by Microsoft two months prior.

Sophos has been talking a lot about building better anti-ransomware defences over recent weeks, most particularly following the Invincea purchase back in February. Last month the company launched anti-ransomware CryptoGuard technology, a paid add-on to its Sophos Server Protection products.

El Reg asked Sophos to comment on what seemingly went wrong with its security defences but we're yet to hear back beyond an acknowledgement of our query.

Sophos's social media staff were tweeting about how its tech could protect against ransomware attacks on Thursday, a day before disaster struck.

It's all a bit awkward.

Sophos executives can, however, console themselves that the security firm's share price has risen markedly since the outbreak, rising 7.5 per cent in pre-lunchtime trading on Monday alone to reach 366.80 at the time of writing. ®

Updated at 15.05 UTC to add: Sophos has contacted us to say that customers using Sophos Intercept X or Exploit Prevention (EXP) "were protected proactively against the ransomware behaviour from the very first instance".

It added: "Sophos Endpoint Protection already detected some variants of the WannaCry ransomware. We added further detection at 15.58 UTC on Friday 12th May for samples in the new attack that we missed. This was a complex set of executables and exploits which took some time to analyse. We also thoroughly test all identity and rule updates before releasing them to our customers. The 17.25 UTC time in the KBA on our website is the time by which all our customers should have been updated. We are in the process of updating this wording in the KBA to be clearer.

"Sophos has added subsequent identities and generic detection rules to Sophos Endpoint Protection since then to block potential future variants of the malware and its techniques. We have also proactively contacted all our customers to advise them to deploy the Microsoft patch that mitigates the underlying vulnerability in the Microsoft OS."


NCSC - Weekly Threat Report 5th May 2017

This report is drawn from recent open source reporting

Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’

Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.

The attack relied upon social engineering methods rather than technical intrusion techniques. Nevertheless, the individual was able to trick the organisations into transferring over $100 million between 2013 and 2015, highlighting how cyber-enabled social engineering can be used effectively to commit fraud.

The individual posed as a manufacturer which both firms had existing business relationships with, and sent emails which were designed to look like they came from the manufacturer. The emails contained forged invoices and contracts which appeared to have been signed by executives. This is less technically sophisticated than some other cases of BEC whereby the third-party supplier’s legitimate email is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.

Large organisations are especially vulnerable to attacks such as this: often suppliers and individuals have less face to face interaction, and therefore may have reduced opportunities to identify bogus or suspicious transfer requests through conversation.

Fraudulent communication to convince organisations to transfer funds is not new; however, it is increasingly common as a low-cost, high-return crime. Other variations on this attack include:

  • Spear-phishing emails co-ordinated with phone calls confirming the email request
  • Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
  • Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
  • Use of social media to research or make contact with potential victims

The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.


Facebook outlines plan to combat information operations

Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this would be the 2013 fake “alert” from one of America’s most trusted news sources, briefly fooling some news outlets into reporting that an explosion had occurred at the White House and causing the Dow Jones to drop 145 points in two minutes.

Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.

Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.


Mainly platform-agnostic/cross-platform updates this week, leaning towards Linux and Unix-based systems.

Intel released a fix to their Active Management Technology to address a flaw which could allow remote and local users to gain elevated privileges. A mitigation guide has been published here.

IBM released two updates for WebSphere to fix a browser redirect and cross-site request forgery vulnerability, and an update to DB2 to address a bug that could allow a local user to obtain root privileges.

Xen saw a number of updates to fix elevation of privilege bugs.

HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.

Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal fixed a flaw that could allow access to the target system and FreeBSD fixed a bug which could cause the target to reload.

Debian updates this week include LibreOffice, Ghostscript, Freetype, weechat, Libxstream-Java, MySQL-Connector-Java, Tomcat7 and Tomcat8.

ICS updates this week came from Advantech, CyberVision and Schneider Electric.

No individual sector is anticipated to be impacted more than any other this week.


NCSC - Weekly Threat Report 28th April 2017

This report is drawn from recent open source reporting

Increase in Homographic Phishing Attacks

Recent media reporting highlights a threefold increase in homographic phishing attacks over the past fourteen months.

Homographic attacks have been widely known about for many years, and rely on the fact that there are visual similarities between many different Unicode characters to spoof well-known web addresses using similar-looking Punycode domains. For example, by registering the Unicode domain “” an attacker would control a web address that renders in browsers as “www.googlė.com”, almost indistinguishable from the real thing.

Moreover, researchers have recently demonstrated that this technique can make a Unicode domain render as if it were made of ASCII characters in some browsers. By choosing letters from a single foreign language set, an attacker can register a domain that looks identical to a targeted one when rendered by vulnerable browsers. For example, proving the concept, a researcher recently registered the domain name “”, which renders as “”.

Mitigations such as using password managers can help users spot fake websites, and therefore help mitigate this threat. In addition, email anti-spoofing measures can help prevent phishing email attacks from reaching users in the first place.
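As an added example (not part of the NCSC report), the following Python script shows two checks a defender can run on a link or sender domain before it reaches a user: decoding Punycode to the form a browser would display, and comparing a confusable-stripped "skeleton" of the domain against a watchlist of the organisation's own and partner domains. It covers both the similar-looking fake addresses mentioned in the fraudulent-payment section above and the homographs discussed here, and it also catches one-character typosquats, which goes slightly beyond the page's Unicode case. The watchlist, the confusables subset and the sample domains are constructed for the example; the full Unicode TR39 confusables table is much larger.

```python
import unicodedata

# Constructed watchlist of the organisation's own, partner and commonly spoofed
# domains (assumption: a real deployment would load this from configuration).
WATCHLIST = {"google.com", "paypal.com", "example-supplier.com"}

# Hand-picked subset of Unicode confusables: characters that render like ASCII
# letters. The full Unicode TR39 confusables table is much larger; this subset is
# enough for the demonstration.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic es, u, ha, i
    "\u03bf": "o", "\u03b1": "a",                                # Greek omicron, alpha
    "1": "l", "0": "o",                                          # digit-for-letter swaps
}


def to_unicode_host(host):
    """Return the form a browser would display: xn-- labels decoded, lower-cased."""
    try:
        return host.encode("ascii").decode("idna").lower()
    except UnicodeError:           # already Unicode, or malformed Punycode
        return host.lower()


def scripts_in(label):
    """Scripts used by the letters of a label, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(name):
    """Collapse a name to the ASCII string a human would perceive it as."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue               # drop diacritics such as the dot above in "e with dot"
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats of a watchlist domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_hostname(host, watchlist=WATCHLIST):
    """Classify a hostname taken from a link or sender address.

    Returns the displayed form, whether it is an IDN, whether any label mixes
    scripts, and which watchlist domain (if any) it appears to impersonate.
    """
    shown = to_unicode_host(host)
    registrable = shown[4:] if shown.startswith("www.") else shown
    result = {
        "displayed": shown,
        "is_idn": any(ord(ch) > 127 for ch in shown),
        "mixed_script": any(len(scripts_in(label)) > 1 for label in registrable.split(".")),
        "impersonates": None,
    }
    if registrable in watchlist:       # the genuine domain itself, nothing to flag
        return result
    skel = skeleton(registrable)
    for brand in sorted(watchlist):
        if skel == brand or levenshtein(skel, brand) == 1:
            result["impersonates"] = brand
            break
    return result
```

A mail gateway or proxy would run `analyse_hostname` on every sender domain and every link host, and quarantine or rewrite anything where `impersonates` is set or `mixed_script` is true. Note that `is_idn` alone is not a verdict: many legitimate domains are internationalised, which is why the comparison is done on the skeleton rather than on the raw characters.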


An altogether quieter week than we have seen for a while on the vulnerabilities front. There were a number of updates from Cisco for IOS, ASA, Prime Infrastructure and Prime Network Registrar to fix cross-site scripting, denial of service and target restart vulnerabilities. IBM updated WebSphere and Security Guardium this week to fix escalation of privilege bugs and also updated Domino to fix a remote code execution bug.

Palo Alto fixed an input validation flaw in PAN-OS to prevent cross-site scripting attacks and F5 Networks fixed a denial of service bug in BIG-IP and let users know about a bug in F5 Enterprise Manager which could lead to denial of service conditions, but for which no fix is currently available.

Elsewhere there were updates for Adobe ColdFusion, Apache Batik, Novell NetIQ and cURL/libcurl.

In terms of Debian this week there were updates for MySQL, Python-Django, Icedove/Thunderbird and libav.

Also a quiet week with regard to ICS-specific updates with just two: one for BLF-Tech and one for Sierra Wireless AirLink Raven.


NCSC - Weekly Threat Report 21st April 2017

Hajime – What is the intent of this IoT Botnet?

In October 2016 the security research group at Rapidity Networks discovered a new malware, called Hajime, with similarities to the Mirai botnet: it targets Internet of Things (IoT or internet-connected) devices by scanning the Internet for devices with network vulnerabilities and attempting to connect to them using known default username/password combinations. According to Symantec, Hajime is believed to have infected between 130,000 and 180,000 devices worldwide, with Brazil and Iran having the most infections followed by Thailand and Russia. Industry partners have suggested that the number of UK devices infected currently stands at approximately 5,000.

Hajime is being compared to the Mirai malware for a number of reasons including: similarities between initial infection vectors; the targeting of internet connected devices and the use of command and control (C2) servers to communicate and send instructions out to infected devices. Hajime however differs as it adopts a decentralised approach with a Peer to Peer (P2P) model where communication and instructions are passed between infected nodes rather than the more traditional client-server architecture. It is believed that this type of approach makes the malware much more resilient to take down as it does not rely on just one central server to control the malware.

The Hajime malware is also different because it doesn’t, as yet, appear to have been used for malicious intent. Researchers have hypothesised that the controllers could be waiting for more devices to be infected before launching an attack. A more recent theory by researchers is that Hajime has been created by ethical hackers who are targeting Mirai-infected devices with Hajime in order to deny the malware any harmful activity.

Malware targeting of IoT devices is not new and as these products are becoming more popular amongst consumers, manufacturers and suppliers should be aware of the emerging risks and cyber threats posed when attention is not paid to IoT security.

See the NCSC website for guidance on malware prevention.

Insider steals employer’s proprietary trading code

A computer engineer has been charged with illegally exfiltrating the proprietary algorithmic trading model code from a global financial services firm headquartered in New York, where he worked. The code is used by the firm to generate income by predicting market movements.

From December 2016 to March 2017, the engineer took steps to obfuscate his presence on areas of the company’s network that he was not authorised to access. He used discrete areas of the network to collect over three million files, including unencrypted portions of the algorithmic source code, before exfiltrating it.

The motivation for this activity has not been conclusively reported, nor whether this individual acted alone, or on behalf of another. The tasking of insiders by criminals to exploit access to corporate networks is a common occurrence. But the exfiltration of this particular source code is significant because trading platforms could be manipulated to allow vast amounts of money to be stolen in a single attack. Alternatively the intellectual property (IP) could be sold to a rival company.

Companies can mitigate the insider threat by adopting security policies that restrict access to the most sensitive data and by installing alerts that fire when unusual activity takes place.
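The "alerts when unusual activity is taking place" point above is easiest to see in code. The following Python example, added here and not part of the NCSC report, builds a per-user daily baseline from file-access audit records and raises an alert when a user's daily file count jumps well above their own median or when they start reading from an area of the file server they have never touched before. The audit records, user names and paths are constructed for the example; the spike factor and baseline length are assumptions to be tuned against real data.

```python
from collections import defaultdict
from statistics import median


def build_sample_events():
    """Constructed audit records as (user, date, path): five ordinary days of a
    developer working in one repository, then a day of bulk collection from another."""
    events = []
    for day in range(1, 6):                       # 2017-03-01 .. 2017-03-05: normal work
        for n in range(4):
            events.append(("jsmith", f"2017-03-0{day}", f"/srv/git/risk-models/file{n}.py"))
    for n in range(300):                          # 2017-03-06: mass read of a different repo
        events.append(("jsmith", "2017-03-06", f"/srv/git/trading-core/strategy{n}.py"))
    for day in range(1, 7):                       # a service account with a flat profile
        events.append(("build-svc", f"2017-03-0{day}", "/srv/git/risk-models/setup.py"))
    return events


def daily_profile(events, depth=4):
    """-> {user: {date: [file_count, set(areas)]}} where an "area" is the path
    truncated to `depth` components, e.g. /srv/git/risk-models."""
    per_user = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for user, date, path in events:
        area = "/".join(path.split("/")[:depth])
        per_user[user][date][0] += 1
        per_user[user][date][1].add(area)
    return per_user


def find_anomalies(events, spike_factor=5, min_baseline_days=3):
    """Compare each user-day with that user's earlier days and return alert dicts.

    Two triggers: the day's file count exceeds spike_factor times the median of
    earlier days, or the user touched an area never seen in their history.
    """
    alerts = []
    for user, days in daily_profile(events).items():
        dates = sorted(days)
        for idx, date in enumerate(dates):
            history = dates[:idx]
            if len(history) < min_baseline_days:
                continue                          # not enough data to call anything unusual
            baseline = median(days[d][0] for d in history)
            known_areas = set().union(*(days[d][1] for d in history))
            count, areas = days[date]
            new_areas = areas - known_areas
            if count > spike_factor * baseline or new_areas:
                alerts.append({
                    "user": user, "date": date, "files": count,
                    "baseline": baseline, "new_areas": sorted(new_areas),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_sample_events()):
        print(alert)
```

In production the same logic would read from the file server's audit log or a DLP export, and the "new area" trigger would normally be scoped to repositories marked as sensitive so that it does not fire every time someone opens a new project directory.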

Hotpoint service site compromise

Recent reporting by cyber security company Netcraft noted the compromise of domestic appliance manufacturer Hotpoint’s UK and Irish service websites, which has since been confirmed by Hotpoint in a statement via the Register. Customers accessing the service website were reportedly presented with fake Java dialogs, which if clicked, directed users to possibly malicious third party websites, presenting a risk that users could be infected with malware. Netcraft note that the compromise occurred shortly before the Easter weekend, suggesting that this may have been done deliberately to maximise the impact.

According to the company’s statement, no customer data was compromised and the vulnerabilities were quickly resolved. Netcraft suggest that the site’s WordPress installation may have been responsible. The NCSC provides guidance on minimising the vulnerabilities to WordPress, including the recommendation to implement regular security updates of WordPress as well as any plug-ins, only using trusted plug-ins and replacing default or easy to crack passwords.


There have been a large number of updates over the last week, thanks in part at least to Oracle’s quarterly update cycle falling this week. Oracle’s updates affect multiple bugs in many of their products, from PeopleSoft, E-Business Suite, Financial Services and Java SE to MySQL, WebLogic and Solaris.

Both Mozilla and Google released updates to fix multiple vulnerabilities, the most serious of which could allow remote code execution, in their browser products, Firefox and Chrome respectively and there were three updates for BIND.

Magento saw an update to prevent the uploading of arbitrary files and remote users conducting cross-site request forgery attacks. There were also a number of updates from Cisco for ASA, IOS and Unified Communications Manager. Juniper released a number of updates for Junos.

On the virtualisation front there were updates this week for both VMware and VirtualBox.

Elsewhere this week there were updates for SquirrelMail, WatchGuard, Nessus, Wireshark and MantisBT.

On the Debian side this week saw updates for Firefox-ESR and ICU. ICS specific updates this week came from Belden Hirschmann, Schneider Electric and Wecon.


Advisory: ‘Dirty COW’ Linux privilege escalation vulnerability being actively exploited

Executive Summary

A vulnerability has been discovered in the Linux kernel which could give untrusted users unfettered root access. This vulnerability has been present in the Linux kernel for nine years but has only just been discovered. The vulnerability allows for privilege escalation that can be exploited easily and reliably. The fact that this flaw exists in nearly every version of Linux from at least the last nine years means this vulnerability should be taken seriously and patched as soon as distribution specific patches are available.

What is it?

As the name suggests, privilege escalation vulnerabilities allow attackers with only limited access to a computer to gain much greater access rights, and therefore control over the system. The vulnerability itself, a race condition, involves the way Linux memory management handles a duplication technique called copy-on-write. Untrusted users can exploit it to gain highly privileged write access to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available below. Using the acronym derived from ‘copy-on-write’, some researchers have dubbed the vulnerability ‘Dirty COW’.

Which products are affected?

The vulnerability affects most versions of Linux released in the last nine years, which given the ubiquity of the open source operating system, means a large number of unpatched systems are potentially exposed to the exploit. Researchers are already claiming to see the Dirty COW vulnerability being exploited out in the wild.

What could happen if the vulnerabilities were exploited?

These exploits could be used against Web hosting providers that provide shell access, such that one customer could attack other customers or service administrators.

Privilege escalation exploits can also be combined with other attacks to target other vulnerabilities. A SQL injection weakness in a website, for instance, often allows attackers to run malicious code only as an untrusted user. Combined with an escalation exploit an attacker could achieve root access.

How can I find out if I am at risk?

If you are using a Linux distribution released in the last nine years then this system is likely to be vulnerable if it hasn’t been recently patched.

How can I tell if this exploit has been used against me?

It would be very difficult to determine whether you have been the victim of this type of attack, since exploitation of this bug leaves no abnormal trace in the logs. Activity that follows the privilege escalation itself, however, may leave more evidence of exploitation.

What can I do?

The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important". Other distributions have released patches and these should be tested and applied as soon as possible.


Threat to Managed Service Providers


A major cyber campaign against Managed Service providers has been detected that may present risks to organisations using outsourced IT services. 

Media references to terrorist cyber capability

There have been numerous reports on the recently imposed restrictions on electronic devices larger than a smartphone being allowed in cabin baggage on flights from certain countries in the Middle East, North Africa and Turkey. A statement from the US Department of Homeland Security (DHS) said: "Evaluated intelligence indicates that terrorist groups continue to target commercial aviation, to include smuggling explosive devices in various consumer items". This physical terrorist threat to aviation is entirely separate from news reports suggesting a raised cyber terrorist threat against the civil nuclear sector. As highlighted in the recent NCSC/NCA Annual Report, the NCSC assesses that terrorist organisations currently have limited cyber capability. While they may aspire to cause a destructive cyber attack, this remains unlikely.

Malware Threat to ATMs

A fileless malware campaign that successfully targeted 140 organisations worldwide earlier this year has evolved. Criminals are now exploiting their remote access to banks' networks to drop additional malware called ATMitch, enabling them to issue remote commands to compromised ATMs to dispense cash. Banks in Russia and Kazakhstan have reportedly been victims of this malware.

Although we have previously seen cyber-criminals use malware to steal cash from ATMs, their use of a bank's internal network to remotely deliver ATM malware is a new and more sophisticated form of attack. Also, the use of fileless malware allows criminals to delete malicious commands from the ATM's hard drive, removing all traces of an attack.

There have been no reported incidents of network-delivered ATM malware attacks against UK ATMs to date. The most common attacks seen against UK ATMs continue to be more traditional physical attacks, which criminals carry out to varying levels of success. For more information on the malware threat to UK ATMs, log in to the Cyber-security Information Sharing Partnership (CiSP) to view our recently published report. Please see details on how to become a member of CiSP.

Rise in compromised websites

According to a recent Google report, the number of websites that were hacked in 2016 was 32% higher than in 2015. Google assess this trend is unlikely to lose momentum "as hackers get more aggressive and more sites become outdated".

Although it is difficult to corroborate this statistic or clarify what proportion of the allegedly compromised websites were active, the threat to websites from cybercriminals has definitely risen over recent years, with ransomware and financial scams particularly strong incentives for them to compromise websites in order to facilitate cybercrime.

Google say this problem was compounded by the fact that 61% of webmasters whose websites were breached had not registered with Search Console, Google's channel for communicating site health alerts, and were therefore not notified by Google of the compromise.

The NCSC recommend that website owners follow NCSC guidance and regularly patch known vulnerabilities to reduce the risk of a compromise. We recommend that the public follow the malware prevention advice in 10 steps to cyber security to reduce the risk of being infected by malware from infected websites, and you may also find our guidance on designing digital services useful. Following the guidance can help prevent some of the most prevalent types of web attacks that are being carried out currently.

Website owners may also find OWASP's Top 10 project, which represents a broad consensus about what the most critical web application security flaws are, useful.


Reports came in this week of a WebDAV buffer overflow vulnerability affecting Microsoft's Internet Information Server (IIS). There are reports that this vulnerability is being actively exploited and at the time of writing Microsoft do not yet have a fix available. NIST's National Vulnerability Database (NVD) has details. NCSC recommends that, where there is still a need for on-premises installs, people use the latest versions of software (Server 2016 in this case) as it is more secure by default. If we receive more information on this vulnerability we will update accordingly.

Apple released an update for their iOS mobile operating system to fix a bug that could allow remote code execution within Wi-Fi range of the device.

McAfee ePolicy Orchestrator fixed a flaw in the anti-malware engine that could allow local users to cause denial of service conditions. RSA Archer GRC Security Operations Management resolved an error where local users could view passwords. Django suffered from an input validation error that could lead to remote users conducting cross-site scripting and open redirect attacks.

Elsewhere this week there were updates from HPE Business Process Monitor, Asterisk, MantisBT, PHP, WebsiteBaker, the Linux Kernel and Splunk.

Debian specific updates this week were for Samba to fix a regression bug, Firebird2.5 and Tryton-server.

ICS updates this week included several from Schneider Electric (Wonderware, Modicon Interactive Graphical SCADA), Siemens RUGGEDCOM ROX I, Rockwell Automation Allen-Bradley Stratix and ArmorStratix, Miele, Marel Food Processing, LCDS, BD Kiestra and 3S-Smart.


Criminals target US healthcare sector


The cyber division of the FBI recently issued an alert warning of criminal activity targeting File Transfer Protocol (FTP) servers operating in ‘anonymous’ mode, associated with US medical and dental facilities.

The criminals involved are reportedly motivated by the potential to access protected health information (PHI) and personally identifiable information (PII). This data is then used by criminals to extort healthcare business owners, and to conduct financial fraud and identity theft.

The US healthcare sector has previously been targeted by ransomware campaigns, however this attack methodology is more aggressive in nature. Rather than encrypting data and releasing it following payment of a ransom, criminals are stealing sensitive data and in some instances threatening to expose it or sell it, to pressure victim companies to pay.

FTP is a protocol widely used in the transfer of data and files. However, when FTP servers are configured in a way that enables user authentication with generic usernames and no passwords, it leaves data stored on these servers vulnerable. This was highlighted by research conducted by the University of Michigan in 2015, which showed more than one million FTP servers were misconfigured, potentially allowing unauthorised access to data.

The US healthcare sector is singled out in the FBI report as the target of an active criminal campaign, however any organisation storing sensitive data on a misconfigured FTP server could similarly be exposed to extortion or fraud.
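To make the misconfiguration concrete, here is an added Python example (not from the FBI alert or the NCSC report) that audits a vsftpd configuration for the anonymous-mode setting described above, alongside the related settings an auditor would check at the same time. The two configuration fragments are constructed: the weak one allows password-less anonymous logins and anonymous uploads, the hardened one does not. The defaults table reflects the vsftpd.conf manual page, in particular that anonymous_enable defaults to YES when the option is absent, which is the trap that catches servers whose operators never explicitly turned it off.

```python
# vsftpd defaults when an option is absent from vsftpd.conf (from the vsftpd.conf
# manual page). anonymous_enable defaulting to YES is the important one.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "local_enable": "NO",
    "write_enable": "NO",
    "ssl_enable": "NO",
    "chroot_local_user": "NO",
}

# Constructed example configurations (not from any real host).
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_on(settings, key):
    """Boolean option value, falling back to the vsftpd default; YES/TRUE/1 are true."""
    return settings.get(key, DEFAULTS.get(key, "NO")).upper() in ("YES", "TRUE", "1")


def audit_vsftpd(text):
    """Return a list of findings, each {'severity', 'option', 'message'}."""
    s = parse_vsftpd(text)
    findings = []
    if is_on(s, "anonymous_enable"):
        note = "" if "anonymous_enable" in s else " (option absent: vsftpd defaults to YES)"
        findings.append({"severity": "HIGH", "option": "anonymous_enable",
                         "message": "anonymous logins without a password are allowed" + note})
        if any(is_on(s, k) for k in ("anon_upload_enable", "anon_mkdir_write_enable",
                                     "anon_other_write_enable")):
            findings.append({"severity": "HIGH", "option": "anon_write",
                             "message": "anonymous users can upload or modify files"})
    if not is_on(s, "ssl_enable"):
        findings.append({"severity": "MEDIUM", "option": "ssl_enable",
                         "message": "credentials and data are transmitted in clear text"})
    if is_on(s, "local_enable") and not is_on(s, "chroot_local_user"):
        findings.append({"severity": "MEDIUM", "option": "chroot_local_user",
                         "message": "local users are not confined to their home directories"})
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(conf))
```

The same check can be pointed at `/etc/vsftpd.conf` on a fleet of hosts from a configuration-management run; anything that reports the `anonymous_enable` finding while holding patient or customer data is the case the FBI alert describes.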

Asian cyber criminals demonstrate ongoing professionalisation

According to a report by security research group Check Point, cyber criminals in Asia are using fake mobile base stations to impersonate legitimate telecommunications companies while conducting SMS phishing ('SMiShing') campaigns. Their text messages link to malware dubbed the "Swearing Trojan" (due to the profanity included in its code) which steals bank details. It circumvents mobile-based two-factor authentication by replacing text messenger apps with malicious duplicates.

SMS spam is a lucrative business for criminals in Asia, who can also mount fake base stations in a vehicle and drive through cities. Nearby mobile devices mistakenly connect to the high-power signal, allowing the spammers to transmit large numbers of SMS messages, often displaying false sender information, without paying network fees.

SMS spam is currently less common in the UK and, unlike email spammers, operators rarely operate across national borders due to the cost of sending text messages internationally. Nevertheless, this development abroad illustrates the ongoing professionalisation of cyber crime, and the readiness of criminals to combine existing techniques in innovative ways to exploit their victims. One of the themes over the last year, as reported in the joint NCA/NCSC cyber threat report 2016-17, is that the risk from cyber crime is growing as criminals become more creative.


Two major US technology firms 'tricked out of $100m'

Evaldas Rimasauskas posed as Asian-based hardware manufacturer to trick staff into wiring him money


A Lithuanian man has been charged with tricking two US technology firms into wiring him $100m (£80.3m) through an email phishing scam.

Posing as an Asian-based manufacturer, Evaldas Rimasauskas tricked staff into transferring money into bank accounts under his control, US officials said.

The companies were not named but were described as US-based multinationals, with one operating in social media.

Officials called it a wake-up call for even "the most sophisticated" firms.

According to the US Department of Justice, Mr Rimasauskas, 48 - who was arrested in Lithuania last week - deceived the firms from at least 2013 up until 2015.

He allegedly registered a company in Latvia which bore the same name as an Asian-based computer hardware manufacturer and opened various accounts in its name at several banks.

'Fake email accounts'

The DoJ said: "Thereafter, fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company."

The emails, which "purported" to be from employees and agents of the Asian firm, and were sent from fake email accounts, directed money for legitimate goods and services into Mr Rimasauskas's accounts, the DoJ said.

The cash was then "wired into different bank accounts" in locations around the world - including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.

He also "forged invoices, contracts and letters" to hide his fraud from the banks he used.

Officials said Mr Rimasauskas siphoned off more than $100m in total, although much of the stolen money has been recovered.

Acting US Attorney Joon H Kim said: "This case should serve as a wake-up call to all companies... that they too can be victims of phishing attacks by cybercriminals.

"And this arrest should serve as a warning to all cybercriminals that we will work to track them down, wherever they are, to hold them accountable."

The DoJ would not comment on possible extradition arrangements and said that no trial date had been set.


Abta website: Holidaymakers hit by cyber attack

The travel trade organisation, Abta, says a cyber attack on its website may have affected about 43,000 people.

About 1,000 files accessed may include personal identity information of individuals who have made a complaint about an Abta-registered travel agent.

It says it is contacting those affected by the hack which happened on 27 February and has a dedicated helpline.

It has also alerted the police and the Information Commissioner's Office (ICO).

Part of the ICO's role is to help the public manage their personal data.

Abta chief executive Mark Tanzer said he would "personally like to apologise for the anxiety and concern" caused to Abta customers and members.

"It is extremely disappointing that our web server, managed for Abta through a third party web developer and hosting company, was compromised and we are taking every step we can to help those affected."

Mr Tanzer said the organisation was not aware of any of the information being shared beyond the infiltrator.

ABTA is the UK's largest travel association, representing travel agents and tour operators who sell £32bn of holidays and other travel arrangements each year, according to its website.

The organisation gives advice and guidance to holidaymakers, sets standards for travel firms and promotes responsible tourism in the UK and abroad.

It said the type of data which may have been accessed included:

  • Email addresses and encrypted passwords of Abta customers and members registered on the website
  • Contact details of customers of Abta members who have used the website to register a complaint
  • Data uploaded to support a complaint made about an Abta member since 11 January 2017
  • Data uploaded by Abta members in support of their membership

Abta said the "vast majority" of the 43,000 people affected were those who had registered with email addresses and encrypted passwords or had filled in an online form with basic contact details.

It said there was "a very low exposure risk to identity theft or online fraud" with this kind of data.

It advised customers and ABTA members registered on the site to change their passwords as a "precautionary measure".

Abta said those who had uploaded contact details or documentation on the website should actively monitor their bank accounts, social media and email accounts, and "remain vigilant".

It has also offered people who may be affected a free-of-charge identity theft protection service.



Update: Ubiquiti Networks, a maker of networking gear for service providers, has since November been dealing with a critical command-injection vulnerability in the administration interface of more than 40 of its products.

Researchers at SEC Consult went public with the issue this week after privately disclosing the flaw to the vendor via its HackerOne bug bounty program. According to a timeline published by the researchers, Ubiquiti initially marked the issue as a duplicate, then promised a patch in a future stable release.

“We take network security very seriously and are in the process of fixing this vulnerability for all products affected,” a Ubiquiti Networks representative told Threatpost.

The company said it has patched 37 of the 44 affected products starting Feb. 3 with an update for airMAX 11ac and patches for the remaining products are imminent.

“Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware,” the representative said. “We are also improving our vetting process for security issue reports to speed up our response time.”

A post to a Reddit thread about the vulnerability from a Ubiquiti employee cited a communication breakdown between the company’s internal ticket on the issue and the initial submission to HackerOne.

“We’re reviewing the process of getting updates from our internal ticket system back to HackerOne reporters, to ensure that doesn’t happen in the future. And making sure all updates back from submitters make it to the appropriate development team,” the post said. “Agree this looks very bad, but I can assure you the optics of this aren’t an accurate reflection of how security issue reports are handled. We did drop the ball in communication here, but it wasn’t due to the issue being ignored.”

As egregious as the four-month wait for a patch was the fact that the root cause of the vulnerability is the use of a 20-year-old PHP script in the interface. According to SEC Consult, the vulnerability lives in the pingtest_action.cgi script, which uses PHP/FI 2.0.1, built in 1997.

“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website,” SEC Consult said in its advisory. “The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”

SEC Consult previously disclosed the lack of cross-site request forgery and cross-site scripting protection in January. Most of the same Ubiquiti gear was impacted as well, and the vendor told SEC that it considered this a low-risk threat and had no estimate for a patch. The researchers went public with an advisory Jan. 30.

The command injection flaw exposes the Ubiquiti admin interface to a number of risky attacks, SEC Consult said. For example, an attacker could connect to a vulnerable device by opening a port binding or reverse shell, and also change the password because the service runs as root.

“Low privileged read-only users, which can be created in the web interface, are also able to perform this attack,” SEC Consult said. “If the Ubiquiti device acts as router or even as firewall, the attacker can take over the whole network by exploiting this vulnerability.”
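The two weaknesses SEC Consult describes, shell command injection through the ping target and a state-changing action reachable from a single GET request with no CSRF protection, are the same pair that appears in many device admin interfaces. The Python below is an added example written for this article, not Ubiquiti's code or a reconstruction of pingtest_action.cgi: it shows the unsafe string-concatenation pattern next to a hardened handler that validates the target as an IP address or RFC 1123 hostname, passes it as an argument vector rather than through a shell, and only accepts a POST carrying the session's CSRF token. The function and parameter names are assumptions; nothing is executed, the handler only builds the argument vector.

```python
import ipaddress
import re
import secrets

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading/trailing
# hyphen, 1-63 chars per label, 253 chars overall. Shell metacharacters cannot match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_unsafe(target):
    """The flawed pattern: user input spliced into a shell command line.
    Returned as a string for inspection only; it is never executed here."""
    return "ping -c 4 " + target


def validate_target(target):
    """Accept an IP address or a plain hostname; raise ValueError on anything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError("target is not a valid IP address or hostname")


def build_ping_safe(target):
    """Argument vector for subprocess.run(argv) with shell=False: no shell, so
    characters such as ';' or '|' in the input have no special meaning, and the
    validated target cannot contain them anyway."""
    return ["ping", "-c", "4", validate_target(target)]


def new_csrf_token():
    """Per-session token stored server-side and echoed in each form."""
    return secrets.token_urlsafe(32)


def authorise_ping_request(method, session_token, submitted_token):
    """State-changing actions: POST only, with a token a crafted link cannot know."""
    if method != "POST":
        return False
    if not session_token or not submitted_token:
        return False
    return secrets.compare_digest(session_token, submitted_token)


def handle_ping_request(method, form, session):
    """Hardened handler: CSRF check first, then strict validation, then argv."""
    if not authorise_ping_request(method, session.get("csrf"), form.get("csrf")):
        raise PermissionError("rejected: must be a POST carrying the session CSRF token")
    return build_ping_safe(form.get("host", ""))
```

The order matters: the CSRF check runs before any input is touched, so a victim who merely visits a malicious page cannot trigger the action at all, and the validation plus argument vector means that even an authenticated, read-only user cannot turn the ping form into a root shell. In a real framework the session token would live in server-side session storage and be rendered into the form as a hidden field.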

The Reddit post, meanwhile, indicates that the vulnerability has been addressed in AirOS 8.0.1, the operating system running on Ubiquiti airMAX products, and that additional patches are imminent.

This article was updated March 17 with comments from Ubiquiti Networks regarding currently available patches.


Hackers Take Down Reader, Safari, Edge, Ubuntu Linux at Pwn2Own 2017

Hackers took down Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux over the course of 11 hours on Wednesday, the first day of Pwn2Own, the annual hacking competition held in tandem with the CanSecWest conference in Vancouver.

Contestants with the Chinese security firm Qihoo 360 were the first to strike, exploiting a heap overflow in the way Reader parsed JPEG 2000, an image compression standard and coding system. The hackers combined the heap overflow with a Windows kernel information leak and a remote code execution vulnerability in the Windows kernel to earn $50,000.

The attack would be the first of two to be carried out against Reader on the day. Later in the afternoon hackers working with Tencent Security used an info leak bug and a use-after-free bug to achieve code execution. They followed that up with leveraging another use-after-free in the kernel to gain SYSTEM-level privileges, earning $25K.

Another group of hackers working with Tencent, Team Ether, broke Microsoft Edge earlier in the day. The bug they found earned the group the largest payout of the day, $80,000 and was tied to an arbitrary write in Chakra core and a logic bug that escaped the sandbox. Chakra is the JavaScript engine that powers Edge and other Windows apps written in HTML, CSS, and JS.

Hackers with another China-based group, Chaitin Security Research Lab, took down both Ubuntu Linux and Apple’s Safari browser, in two attempts on Wednesday.

The Linux bug was a heap out-of-bound access bug in the Linux kernel which earned the group $15,000.

The Safari bug was a little more involved. The group had to chain together six different bugs, including an information disclosure in Safari, four different type confusion bugs in the browser, and a use-after-free in WindowServer – a component that manages requests between OS X apps and the machine’s graphics hardware – to carry it out. The group was able to achieve root access on macOS through the exploit and earn $35,000.

Wednesday’s other Safari hack, like Chaitin’s, involved chaining together multiple Apple bugs.

Two German hackers, Samuel Groß and Niklas Baumstark, Capture the Flag players from the Karlsruhe Institute of Technology, got partial credit for hacking the browser early on the first day. The pair displayed a custom message on a MacBook Pro's Touch Bar by chaining together five bugs: a use-after-free in Safari, three logic bugs and a null pointer dereference, which together let them elevate to root on macOS. Apple had apparently already fixed the use-after-free in a beta version of Safari, hence the partial credit.

Two groups withdrew attacks planned against Windows and Edge on Wednesday, prompting speculation over whether Microsoft's delayed Patch Tuesday updates had broken the attack vectors the entrants were planning to use.

Unlike last year, when it was partially broken, it appears Google Chrome will emerge from this year’s Pwn2Own unscathed. There are currently no exploits scheduled against the browser for the competition’s second day today. Tencent’s Team Sniper attempted to break the browser with a SYSTEM-level escalation hack yesterday but couldn’t complete their exploit chain in time.

Given the large number of entrants – 17 – the competition’s sponsors, Trend Micro and Zero Day Initiative, are splitting Pwn2Own’s second day into two tracks. Attacks against Mozilla’s Firefox, both Microsoft Windows and Edge, Apple’s macOS and Safari, and Adobe Flash are on tap for Thursday.


Yahoo breach highlights cookie security issues

Last year Yahoo reported several data breaches occurring between 2013 and 2016 which affected a large number of user accounts.  Personal information stolen could have included email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.

Following forensic investigations, Yahoo has revealed that forged cookies were a probable method used by the attackers to access user accounts without a password. According to Yahoo, the attacker was able to forge the cookies using knowledge gained from access to the company's proprietary source code.

In response, Yahoo invalidated unencrypted security questions and advised affected users to change their passwords. The company also recommended that users adopt its authentication tool instead, as it eliminates the need for a password on Yahoo accounts. It is unclear exactly how the forged cookies passed Yahoo's session checks, but the advice points to weaknesses in both authentication and authorisation.

A cookie is a small piece of data that a website asks the browser to store and send back on later requests. It can hold anything from a record of links visited to personally identifiable information and, most importantly for account security, a session identifier or signed token that stands in for the user's password once they have logged in. Cookies have many functional advantages, but if they are not generated and validated with appropriate security measures, for example signed with a secret that is kept out of source code and invalidated when the secret is rotated, an attacker who can forge or steal one can act as the user without ever learning the password.

Data leak reveals spam techniques

Security researcher Chris Vickery has reported that almost 1.4 billion user records from River City Media (RCM) were exposed after being backed up online without password protection. The data has since been taken offline, but it is unknown whether other actors have accessed it.

US-based RCM describes itself as an email marketing firm, but is listed in the top 10 of the Spamhaus Register of Known Spam Operations. As a result of the leak, RCM's infrastructure has been blacklisted by anti-spam organisations.

The leak also revealed techniques used to coerce legitimate mail servers into delivering up to a billion emails a day. The sender's machine issues deliberately slow and incomplete requests, keeping existing connections open while opening as many new ones as possible. Once the sender is ready, it resumes normal-speed requests and uses the pool of open connections to push out a flood of email before the servers can block it. The technique closely resembles the Slowloris Denial of Service (DoS) attack, which holds large numbers of slow connections open to exhaust server resources and deny access to other users.
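The defence against the hold-many-slow-connections pattern is the same one used against Slowloris: cap concurrent connections per source and drop connections that stall without completing a command. The following is an added example (not RCM's tooling and not any particular mail server's code) of a per-client connection guard an SMTP front end could apply; the thresholds, the event format and the addresses in the scenario are constructed.

```javascript
// Added example (not RCM's tooling or any specific mail server's code): a
// per-client connection guard against the hold-many-slow-connections pattern.
// It caps concurrent connections per source address and reaps connections
// that sit idle without completing a command. Thresholds are assumptions.
class ConnectionGuard {
  constructor({ maxPerIp = 10, idleTimeoutMs = 30000 } = {}) {
    this.maxPerIp = maxPerIp;
    this.idleTimeoutMs = idleTimeoutMs;
    this.conns = new Map();   // connId -> { ip, lastProgress }
    this.perIp = new Map();   // ip -> number of open connections
  }

  count(ip) {
    return this.perIp.get(ip) || 0;
  }

  // Returns true if the connection is accepted, false if the per-IP cap is hit.
  open(connId, ip, nowMs) {
    if (this.count(ip) >= this.maxPerIp) return false;
    this.conns.set(connId, { ip, lastProgress: nowMs });
    this.perIp.set(ip, this.count(ip) + 1);
    return true;
  }

  // Call when a complete command line arrives; partial lines do not count,
  // which is exactly what defeats the deliberately slow, incomplete requests.
  progress(connId, nowMs) {
    const c = this.conns.get(connId);
    if (c) c.lastProgress = nowMs;
  }

  close(connId) {
    const c = this.conns.get(connId);
    if (!c) return;
    this.conns.delete(connId);
    const n = this.count(c.ip) - 1;
    if (n <= 0) this.perIp.delete(c.ip); else this.perIp.set(c.ip, n);
  }

  // Drops every connection that has made no progress within the idle window
  // and returns their ids so the caller can tear down the sockets.
  reap(nowMs) {
    const dropped = [];
    for (const [id, c] of this.conns) {
      if (nowMs - c.lastProgress > this.idleTimeoutMs) dropped.push(id);
    }
    dropped.forEach((id) => this.close(id));
    return dropped;
  }
}

// Constructed scenario: one source opens many connections, sends a partial
// line on each and then stalls, while a normal client keeps completing commands.
function simulate() {
  const guard = new ConnectionGuard({ maxPerIp: 5, idleTimeoutMs: 10000 });
  const spammer = '198.51.100.7';   // constructed documentation address
  const normal = '192.0.2.10';      // constructed documentation address
  let rejected = 0;
  for (let i = 0; i < 8; i++) {
    if (!guard.open('s' + i, spammer, 0)) rejected++;
  }
  guard.open('n0', normal, 0);
  guard.progress('n0', 5000);            // normal client completes a command
  const dropped = guard.reap(12000);     // stalled connections exceed 10 s idle
  return {
    rejected,
    dropped: dropped.sort(),
    normalStillOpen: guard.count(normal) === 1,
    spammerOpen: guard.count(spammer),
  };
}
```

In the scenario the cap turns away three of the eight connection attempts immediately, the idle reaper closes the five that were held open with incomplete requests, and the well-behaved client is untouched because it kept completing commands within the window.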

Upstream services attacked to target end users card credentials

A reported security breach at the US retail platform provider Aptos has led to malware infecting machines that the company uses to host online retail services. Forty e-commerce stores using Aptos services are said to be affected by the incident, which allowed malicious actors in some cases to access customer names, phone numbers, addresses, email addresses as well as payment card numbers and expiration dates. The malware is reported to have been present on Aptos systems for up to ten months during 2016. The company is working with US authorities to investigate the breach.

This incident illustrates the risk of upstream service and software providers being compromised to reach a broader victim base. A single attack on an upstream provider can deliver a much higher return on investment, compared to attacking each retailer separately. The success of such attacks is likely to encourage cyber criminals to target more upstream service providers.

It also highlights that while services can be outsourced, responsibility for customer data ultimately lies with those who collect it. Businesses need to demand high cyber security standards from third party organisations with access to their customer data, including software and service suppliers.


Intel, Microsoft Announce New Bug Bounties

Intel announced its first bug bounty program, offering up to $30,000 to researchers who find critical vulnerabilities in its hardware.

The invite-only program, which is being run on the HackerOne platform, was announced today at the CanSecWest conference in Vancouver.

Intel said its software, firmware and hardware are in scope for rewards, with critical software and firmware finds being worth $7,500 and $10,000 respectively.

“We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability,” Intel said. “By partnering constructively with the security research community, we believe we will be better able to protect our customers.”

Intel announced further pricing for its bounty: up to $10,000 for high-severity hardware bugs, up to $2,000 for medium-severity issues and up to $1,000 for low severity.

High-severity firmware bugs could be worth up to $5,000 while high-severity software flaws could fetch up to $2,500.

Intel said that its Intel Security products, the former McAfee, are not in scope for a bounty, nor are Intel’s web infrastructure, or recent acquisitions.

Microsoft also announced today that it was launching a bug bounty for its Office Insider Builds on Windows.

Insider Builds, Microsoft said, provides users with early access to new Office capabilities and security features. Microsoft said it hopes researchers will test early Office builds for vulnerabilities before they drop into production.

Microsoft said it would pay up to $15,000 for high-severity elevation of privilege vulnerabilities via Office Protected View and for macro execution vulnerabilities that bypass security policies already in place that block macros by default. Other high-severity bugs that enable code execution that bypass Outlook’s attachment block policies will be worth up to $9,000.

The program opens today and will run for three months until June 15.

“The Office Bug Bounty Program complements our continuous internal engineering investments that include designing secure features through threat modeling, security in code reviews, security automation, and internal penetration testing,” Microsoft said.


WhatsApp, Telegram Vulnerabilities Exposed Users to Account Takeover

Encrypted messaging services WhatsApp and Telegram patched vulnerabilities in the last week that could have let an attacker take over a user’s account, access personal and group conversations, along with photos, videos and other files.

A trio of researchers with Check Point Software Technologies, Eran Vaknin, Roman Zaikin and Dikla Barda, disclosed the vulnerability on Wednesday. The flaw, they said, stemmed from the way the web versions of WhatsApp and Telegram parsed attachments.

Researchers said an attacker could have exploited the vulnerability in both services by sending a user a file laced with malicious code. Once opened, the file could grant an attacker access to the victim’s local storage and from there, personal chats and photos.

Researchers with the firm were able to bypass WhatsApp’s file upload mechanism by sending a malicious HTML document disguised as an image preview.

According to the researchers, once an attacker has tricked a user into clicking through the phony image, the victim is taken to a unique BLOB URL holding the file content. The BLOB URL is generated by the HTML5 FileReader API, which WhatsApp's web client uses. The FileReader object is located at, something that could ultimately hand the attacker access to that user's account. Because WhatsApp sees the same user signed in from two locations, the victim is prompted by the service to either log out or stay logged in, but the researchers say an attacker can get around this prompt with another bit of malicious JavaScript.

The researchers said they were able to add a MIME type, a mechanism that tells the client what kind of document is being transmitted, to bypass the web client’s restriction. In this case the attackers added “text/html” and were able to upload an additional malicious HTML document.

“Just by viewing the page, without clicking on anything, the victim’s Local storage data will be sent to the attacker, allowing him to take over his account,” Vaknin, Zaikin, and Barda write, “The attacker creates a JavaScript function that will check every 2 seconds if there is new data in the backend, and replace his local storage to the victim.”

The attack on Telegram was strikingly similar. The researchers were able to bypass the web app's upload policy to upload a malicious HTML document, this time with a MIME type that looked like "video/mp4" instead of an image. Once a victim opened the video, the attacker could again modify the MIME type and bypass the client's restriction. The attacker uploaded an additional malicious HTML document to Telegram; when the victim opened the video, it loaded in a new tab while their session data was sent to the attacker.

Telegram, unlike WhatsApp, allows users to keep multiple active sessions at once, so a user wouldn’t be aware if their account had been hijacked.
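Both the WhatsApp and the Telegram attacks above rest on the same root cause: the upload path trusted the client-declared MIME type, so an HTML document could be stored and later served as an "image" or a "video/mp4" from the app's own origin, where a script inside it can read the app's localStorage. The following is an added example (not WhatsApp's or Telegram's code) of the server-side check that closes that gap: the declared type must be on an allow-list and the file's leading bytes must carry that type's signature. The signature table, the response headers and the sample uploads are this example's assumptions.

```javascript
// Added example (not WhatsApp's or Telegram's code): refuse an upload whose
// declared MIME type is not on the allow-list or does not match its bytes,
// so an HTML document cannot be accepted as an image preview or a video.
// The signature table and the header policy below are assumptions.
const SIGNATURES = {
  'image/jpeg': [{ offset: 0, bytes: Buffer.from([0xff, 0xd8, 0xff]) }],
  'image/png':  [{ offset: 0, bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) }],
  'image/gif':  [{ offset: 0, bytes: Buffer.from('GIF87a') }, { offset: 0, bytes: Buffer.from('GIF89a') }],
  'video/mp4':  [{ offset: 4, bytes: Buffer.from('ftyp') }],   // ISO BMFF "ftyp" box
};

function hasSignature(buf, sig) {
  const end = sig.offset + sig.bytes.length;
  return buf.length >= end && buf.subarray(sig.offset, end).equals(sig.bytes);
}

// Returns the allow-listed MIME type whose signature the bytes carry, or null.
function sniffType(buf) {
  for (const [type, sigs] of Object.entries(SIGNATURES)) {
    if (sigs.some((s) => hasSignature(buf, s))) return type;
  }
  return null;
}

// Accept only when the declared type is on the allow-list AND the bytes match
// it. 'text/html' is never on the list, so a declared type padded with it
// (the trick described in the article) is refused before any byte is looked at.
function validateUpload(declaredType, buf) {
  if (!Object.prototype.hasOwnProperty.call(SIGNATURES, declaredType)) {
    return { ok: false, reason: 'type not allowed: ' + declaredType };
  }
  const actual = sniffType(buf);
  if (actual !== declaredType) {
    return { ok: false, reason: 'content does not match declared type' };
  }
  return {
    ok: true,
    type: actual,
    // Headers to serve the stored file with: the browser must not sniff a
    // different type, must not render it as a document, and gets no script
    // or network access even if it somehow does.
    headers: {
      'Content-Type': actual,
      'X-Content-Type-Options': 'nosniff',
      'Content-Disposition': 'attachment',
      'Content-Security-Policy': "default-src 'none'; sandbox",
    },
  };
}

// Constructed sample uploads (not files from the research).
const HTML_AS_IMAGE = Buffer.from('<html><script>document.title = localStorage.length</script></html>');
const REAL_JPEG = Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe0]), Buffer.alloc(16)]);
const REAL_MP4 = Buffer.concat([Buffer.from([0x00, 0x00, 0x00, 0x18]), Buffer.from('ftypmp42'), Buffer.alloc(8)]);
```

Signature checks stop the disguised-HTML case but are not a substitute for origin separation: an inline preview that must render in the browser should be served from a dedicated media origin, so that even a file the check misclassifies cannot run in the origin that holds the chat application's localStorage.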

Telegram contested Check Point's claims in a blog post on Wednesday afternoon and stressed that the attack would require "very special conditions and very unusual actions from the targeted user to succeed." The messaging service said a user would have had to click through to the video and open it in a new tab for their account to be compromised. The attack also only worked in Chrome, Telegram said.

Check Point amended its blog post on Thursday to clarify that a victim would have had to have opened the video in a new tab in order for their local storage data to be sent to an attacker.

It’s unclear exactly when WhatsApp and Telegram rolled out fixes for the vulnerabilities, but based on the companies’ interactions with Check Point researchers it must have been at some point in the last six days. Researchers said they disclosed the vulnerabilities to WhatsApp and Telegram on March 7. Both companies “verified and acknowledged the security issue and developed a fix for web clients worldwide soon after.”

Although the WhatsApp and Telegram web versions are accessed only through a browser, they expose the same content as the apps on a user's device, including personal messages, photos and files.

News of the vulnerabilities follows a tense couple of weeks of scrutiny around the security of encrypted messaging apps.

A slew of misleading articles surfaced last week, following WikiLeaks' massive Vault 7 dump, claiming the CIA could bypass encrypted messaging apps such as Signal, Telegram, WhatsApp, and Confide. The trove of tools stemmed largely from exploiting vulnerabilities in the devices themselves – phones, even TVs – rather than in the encryption apps. Open Whisper Systems, the Moxie Marlinspike-founded software organization that developed the Signal protocol, was quick to dispel the rumors last Tuesday.

“The CIA/WikiLeaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption,” the company said on Twitter, “The story isn’t about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we’re doing is working.”

In mid-January WhatsApp had to fire back at the news outlet The Guardian to contest the paper's claim that the app had a backdoor that could be used for third-party spying. Later that same week a list of respected cryptographers, including Bruce Schneier and Matthew Green, called the publication's stance "reckless" and "uncontextualized," and urged The Guardian to retract the story. The Guardian did not apologize or issue a retraction, but did change how it used the word "backdoor" in its story.
