Vulnerable Smart Home IoT Sockets Let Hackers Access Your Email Account

Researchers have discovered critical security flaws in connected smart plugs which can give attackers access to a full home network — as well as your email account.

Bitdefender researchers Dragos Gavrilut, Radu Basaraba, and George Cabau said on Thursday that one particular device uses no encryption and weak default passwords, with no alerts issued to users to change them in the interests of security.

Internet of Things (IoT) devices are products with network capabilities. While these now range from smartphones to fridges, the use of smart plugs is also on the rise.

IoT-based smart outlets can be used to monitor energy usage, schedule devices to turn on and off at the user’s convenience, and can be used to power and control gadgets including security cameras, smart TVs and coffee makers, among others.

According to the security firm, a popular, but undisclosed, electrical outlet currently on the market not only has poor security in place but is also susceptible to malicious firmware updates which permit attackers to control devices remotely and gain an entry point into your home networks and activity.

To set up the device, users must plug it in, download the accompanying Android or iOS app, and then go through the installation process. The device requests the credentials to the user’s home network and then registers to vendor servers through UDP messages containing the device name, model, and MAC address. The server then replies with the firmware version, port, and local IP address.

Bitdefender noted that the device’s Wi-Fi hotspot is secured with a weak username and password, and during configuration the Wi-Fi network credentials are transferred in cleartext rather than with any encryption to speak of. To make matters worse, the device-to-application communication that passes through the vendor’s servers is only encoded, not encrypted.

“Encoding can be easily reversed using a scheme that is publicly available, while encryption keeps data secret, locked with a key available for a selected few,” the researchers note.

In addition, a feature of the smart plug has been poorly managed. The outlet can be configured to send email notifications every time there is a state change — such as turning on or off — but this requires access to the user’s email account credentials, further expanding the potential attack surface.

If an attacker knows the MAC address of the device and the default credentials, they can gain control of the device, plundering all of the user information stored within — which includes the user’s email credentials if the alert feature is enabled.

Due to these security flaws — and a lack of password sanitization — new passwords can also be set to override the root password and access the embedded Telnet service. When access to the network protocol is in hand, attackers can then remotely send commands to stop, start, and schedule the device, as well as execute malicious code. In addition, the outlet is vulnerable to malicious firmware updates.

The researchers note that attackers could use the device to perform attacks on other devices connected to the same local network. It may even be the case that we could see power outlets become another element of botnets, which have already included home and office routers.

“One of the most destructive actions an attacker can take is to rip off the existing software and plant malicious software in its place,” says Cabau. “For users, the consequences can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network, as well as to exposing their email accounts and their contents.”

Bitdefender reported the vulnerabilities to the vendor before public disclosure 30 days later. The vendor is working on a fix due to be released in Q3 2016.


Source: ZDNet

Warns of Possible State-Sponsored Attacks

The organization that oversees the development of the Bitcoin software has warned users that state-sponsored attackers will likely target the upcoming release.

Bitcoin Core, the open source client for Bitcoin, validates the blockchain and all transactions. Bitcoin Core 0.12.1 was released in April and developers will soon make available version 0.13.0.

In a security notice published on Wednesday, the organization said it has reason to believe that the Bitcoin Core 0.13.0 binaries will be targeted by state-sponsored threat actors. Users have been provided an encryption key that can help verify the legitimacy of Bitcoin Core binaries.

“We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website,” the security notice reads.

“In such a situation, not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network. We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers,” the notice warned.

Experts pointed out that the website does not use HTTP Public Key Pinning (HPKP), which means a government that controls a certificate authority (CA) can generate its own browser-trusted certificate for the site. Such an attacker could hijack the website’s IP address and replace the key provided by the site with their own.
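The published key described above is meant to be used in two steps: first verify the signature on the release’s checksum manifest with that key, then check the downloaded binary against the manifest, so that a swapped file is caught even if the download site itself was impersonated. The code below is an added example, not code from the page or from the Bitcoin Core project; it assumes a sha256sum-style manifest (`<hex digest>  <filename>`) and leaves the signature step to an external tool such as `gpg --verify`, which must succeed on the manifest before these hash checks mean anything. File names and contents are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One manifest line in the sha256sum(1) text format: 64 hex digits, whitespace,
# an optional '*' (binary-mode marker), then the file name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text):
    """Return {filename: expected_sha256_hex} from a sha256sum-style manifest.
    Blank lines and '#' comments are ignored; anything else malformed is an error,
    because silently skipping a line could hide a tampered manifest."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % raw)
        expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large release archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_file(manifest_text, path):
    """True if the file's SHA-256 matches its manifest entry, False on mismatch.
    Raises KeyError if the manifest does not list the file: an unlisted file has
    no provenance and should be treated as a failure as well."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        raise KeyError("file not listed in manifest: %s" % name)
    return hmac.compare_digest(sha256_of_file(path), expected[name])


def demo():
    """Constructed end-to-end run: the same file name verified once with genuine
    content and once after a one-byte tamper. Returns (True, False)."""
    genuine = b"pretend this is a release tarball\n"      # constructed content
    tampered = genuine + b"x"                               # attacker-modified
    manifest = "%s  release-example.tar.gz\n" % hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "release-example.tar.gz")
        with open(target, "wb") as f:
            f.write(genuine)
        good_result = verify_file(manifest, target)
        with open(target, "wb") as f:
            f.write(tampered)
        bad_result = verify_file(manifest, target)
    return good_result, bad_result


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` out of habit rather than necessity (the digest is not secret), and the important design point is the order of operations: a manifest whose signature has not been checked against a key obtained out of band gives no protection, since an attacker who can replace the binary can replace an unsigned manifest just as easily.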

China, which appears to be the main suspect in this case, does control a CA, namely the China Internet Network Information Center (CNNIC). CNNIC’s new certificates were banned last year by Mozilla and Google after one of the organization’s intermediate certificates was used to issue fake Google certificates.

Bitcoin’s popularity and high value has made it a tempting target for various types of threat actors. Several Bitcoin exchanges have been attacked over the past months and some of them were even forced to shut down their operations due to the breaches they suffered.

The latest victim is Hong Kong-based Bitfinex, one of the world’s largest digital currency exchanges. The company had tens of millions of dollars worth of Bitcoin stolen as a result of a hack that is still being investigated.

By Eduard Kovacs

Source: Security Week

Cisco, Fortinet Issue Patches Against Alleged Equation Group Malware

Customers of certain Cisco and Fortinet security gear need to patch against exploits made public this week after a purported hack of NSA malware.

Both companies have issued fixes to address exploits that were posted online, after finding that the exploits represent real threats to some of their products, including versions of Cisco’s popular PIX and ASA firewalls and versions of Fortinet’s signature Fortigate firewalls.

Other exploits may affect Watchguard and TOPSEC products, but those companies did not immediately respond to inquiries. When they do this story will be updated. The exploits were posted as proof that a group called Shadow Brokers actually had in its possession malware that it claimed it hacked from the NSA.

While the exploits date from 2013 at the latest, Cisco says it just learned about one of them when Shadow Brokers made it public. Cisco already knew about a second one and had patched for it. Fortinet’s lone security advisory is fresh.

Speculation is that Russia is behind releasing the exploits as a political move to blunt U.S. reaction to Russia’s alleged hack of the Democratic National Committee.


Cisco rates the threat level of the newly discovered vulnerability – Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability – as high because it could allow execution of remote code on affected devices and obtain full control. “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” the advisory says.

Here is a list of the affected Cisco devices:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

The other vulnerability – Cisco ASA CLI Remote Code Execution Vulnerability – is one Cisco has known about since 2011, when it issued a fix for it. The company has issued a fresh security advisory for it in order to raise awareness so customers will make sure they’ve got software versions that patch the problem.

This vulnerability is ranked medium, and if exploited “could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code. An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device,” the advisory says.

Cisco has posted a blog that details its vulnerabilities and fixes.


Fortinet has issued a security advisory for what it calls the Cookie Parser Buffer Overflow Vulnerability, whose importance it rates as high because it allows remote administrative access.

It affects certain Fortigate firmware called FOS released before August 2012. The affected versions are:

  • FOS 4.3.8 and below
  • FOS 4.2.12 and below
  • FOS 4.1.10 and below

“Customers running FortiGate firmware 5.0 and above, released in August 2012 are not impacted,” according to an emailed statement from Fortigate. “We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products. If we identify any new information useful to our customers, we will share it through our responsible disclosure policy.”


Source: CSO Online

Twitter Shuts 235,000 More ‘Extremist’ Accounts

Twitter has suspended 235,000 accounts for violating its policies on the promotion of terrorism, the social network has said in a blog.

In February, Twitter announced that 125,000 accounts since mid-2015 had been banned for the same reasons. “Daily suspensions are up over 80% since last year, with spikes in suspensions immediately following terrorist attacks,” said the firm.

It added that it continued to work with authorities on the issue of extremism.

In the past, Twitter has faced criticism over the level of extremist content that has been detected on its network. Besides increased human efforts, Twitter said it had benefited from the use of spam-fighting tools that can help automatically detect problem accounts.

One third of the recent batch of suspensions were identified via such methods, the firm added. “We have expanded the teams that review reports around the clock, along with their tools and language capabilities,” said Twitter in its blog.

“We also collaborate with other social platforms, sharing information and best practices for identifying terrorist content.”

However, the move was described as a “short term solution” by Nikita Malik, a senior researcher at the Quilliam Foundation, an anti-extremist group.

“What we’re trying to do as an organisation when we work with social media companies like Google and Twitter is to help them have a more pro-active role,” she said.

She added that it would potentially be more beneficial to focus on promoting counter narratives that challenged the message of extremist propaganda.


Source: BBC

Locky Targets Hospitals in Massive Wave of Ransomware Attacks

A massive Locky ransomware campaign spotted this month targets primarily the healthcare sector and is delivered in phishing campaigns.

The payload, researchers at FireEye said, is dropped via .DOCM attachments, which are macro-enabled Office 2007 Word documents. Especially hard hit are hospitals in the United States followed by Japan, Korea and Thailand, according to research published Wednesday by FireEye.

Researcher Ronghwa Chong said this blitz of macro-based Locky ransomware is a new tactic for cybercriminals who in March primarily distributed Locky ransomware via spam campaigns with the payload delivered via JavaScript attachments.

“These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits,” Chong wrote. “Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”

It was just this June when researchers at Proofpoint observed an uptick in the distribution of the Dridex banking Trojan and a new version of the Locky ransomware being distributed via a resurgence of the Necurs botnet. By taking a closer look at the Locky spoofed emails, the network pattern of the ransomware and the DOCM attachment, researchers were able to find a distinct connection between the major waves of spam pushed out by attackers this month, which indicates coordinated efforts by a single attacker or several.

“Each email campaign has a specific ‘one-off’ campaign code that is used to download the Locky ransomware payload from the malicious malware server,” Chong noted. Researchers also noted a malicious URL embedded within the Locky macro code that is encoded using an identical encoding function that varies by a specific key for each campaign. Along with the healthcare sector, also hit hard this month by Locky are the telecom, transportation and manufacturing industries. Locky ransomware is best known for a high-profile infection at Hollywood Presbyterian Medical Center in California in February; the hospital paid a $17,000 ransom to recover its files.
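As an added example (not FireEye’s or Proofpoint’s code), the following gateway-side check tells macro-enabled Office documents apart from plain ones by content rather than by file extension, which is what a mail filter would key on for the .DOCM deliveries described above. Office Open XML files are zip containers, and a document carrying VBA stores it in a `vbaProject.bin` part and declares that part in `[Content_Types].xml`, so a macro document renamed to `.docx` is still caught. The sample documents are constructed minimal containers rather than real Word files, and the quarantine policy is an assumption.

```python
import io
import zipfile

# Content type that Office declares for a VBA project part inside the package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_attachment(data):
    """Classify an attachment's bytes by content.
    Returns 'not-ooxml', 'ooxml-no-macros' or 'ooxml-macros'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "[Content_Types].xml" not in names:
                return "not-ooxml"          # a zip, but not an Office package
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            # Word keeps the part under word/, Excel under xl/; match the leaf name.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            declares_vba = VBA_CONTENT_TYPE in types_xml
            if has_vba_part or declares_vba:
                return "ooxml-macros"
            return "ooxml-no-macros"
    except zipfile.BadZipFile:
        return "not-ooxml"


def triage_attachments(attachments):
    """attachments: list of (filename, bytes).
    Returns a list of (filename, verdict, action). Assumed policy: macro-enabled
    Office documents are quarantined for review; everything else is delivered."""
    out = []
    for name, data in attachments:
        verdict = inspect_office_attachment(data)
        action = "quarantine" if verdict == "ooxml-macros" else "deliver"
        out.append((name, verdict, action))
    return out


def build_sample_office_file(with_macros):
    """Constructed minimal OOXML-style package for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macros:
            types += ('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                      % VBA_CONTENT_TYPE)
        types += "</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_office_file(True)),
        ("invoice.docx", build_sample_office_file(True)),   # renamed, still macros
        ("memo.docx", build_sample_office_file(False)),
        ("notes.txt", b"plain text, not a package"),
    ]
    for row in triage_attachments(samples):
        print(row)
```

The check is deliberately coarse: it flags the presence of a macro project, not whether the macro is malicious, because at the gateway the presence alone is the signal worth acting on for unsolicited attachments. Pairing it with the sender-spoofing and campaign-code patterns FireEye describes is how the verdict would be refined further down the pipeline.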

According to security experts, the healthcare sector has been singled out by attackers who view the industry as low-hanging fruit: it relies on outdated security procedures while holding high-value assets. Locky, meanwhile, has made notable gains over the last several months and now ranks as a top malware threat, according to a recent Proofpoint report (PDF). The research said that among email attacks observed in Q2 that used malicious document attachments, 69 percent featured Locky ransomware.

“This is a 45 percent increase over Q1 for Locky alone,” Proofpoint said. “The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing. In this instance, we are seeing a shift from using a JavaScript based downloader to infect victims to using the DOCM format. On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking trojans, as the former appears to be more lucrative,” Chong wrote.


Source: Threat Post


Adwind RAT Rebrands Yet Again, This Time as JBifrost

The criminal group behind the Adwind RAT, one of the most actively deployed remote access trojans, has re-branded its product once again, this time returning to the malware market with the name of JBifrost.

This particular malware appeared in January 2012, under the name of Frutas RAT, and the following year, in January 2013, it rebranded as the Adwind RAT, a moniker that would stick with all security vendors.

As malware campaigns and the RAT’s activity were exposed across the years, the crooks would always change the malware’s name time and time again. Adwind rebranded as the Unrecom RAT in February 2014, as AlienSpy in October 2014, and as JSocket RAT in June 2015.

JSocket shuts down, and JBifrost appears three months later

After a scorching in-depth report published by Kaspersky in February 2016, the latest incarnation of this RAT known as JSocket shut down soon after.

According to researchers from security vendor Fortinet, the people behind Adwind have gone through the old motions of rebranding their product once again, which, three months later, reappeared on the market on May 15, 2016, as the JBifrost RAT.

Fortinet researchers are 100 percent positive this is a rebranded Adwind RAT, with a new GUI, and only a small set of new features when compared with its previous reincarnation, JSocket.

Adwind (JBifrost) website is now a closed community

The JBifrost website is no longer open to the public: unlike previous incarnations, where anyone could buy the RAT, users now need an invitation code to register on the JBifrost website and purchase it.

Crooks are selling JBifrost as a monthly subscription, $45 for the first month and $40 for a subscription renewal.

Another big change in how the crooks operate is in how they collect their money. Previously, they accepted payments via PerfectMoney, CoinPayments, Advcash, EntroMoney, and Bitcoin.

This time around, they only take Bitcoin, most likely because the other payment methods are not anonymous and may lead law enforcement back to the crooks.

Taking into account Kaspersky’s long-standing cooperation with law enforcement agencies around the world, the Adwind gang seems genuinely worried and has taken precautions to hide its operations like never before.

JBifrost comes with minimal changes compared to Adwind

As for the JBifrost changes compared to JSocket, Fortinet said it detected only minor changes that include a new column that shows an infected victim’s keyboard status (in use or not), and a new column that shows the title of the victim’s current window.

There is also a new tab called Misc that allows users to configure additional JBifrost servers, as well as a new feature that lets attackers grab data from web forms displayed inside the Google Chrome browser.

At the time of its analysis, Fortinet says the JBifrost malware had been downloaded from the homepage 1,566 times, and that it has been detected in live malware distribution campaigns.

“Based on our findings, it is clear that Adwind perpetrators intend to stay in business by simply re-branding their RAT whenever they appear in the news. They do so by migrating their current subscribers’ accounts to a new website,” Fortinet’s Rommel Joven and Roland Dela Paz note. “As of this writing, we can confirm that JBifrost RAT is currently being utilized in active attacks, including attacks related to business email compromise (BEC) schemes.”

By Catalin Cimpanu

Source: Softpedia

Organizations in 30 Countries Targeted in “Operation Ghoul”

Industrial, engineering and other types of organizations from around the world have been targeted in a profit-driven campaign dubbed by Kaspersky Lab “Operation Ghoul.”

The threat group, whose activities have been traced back to March 2015, has been trying to make money by hijacking bank accounts and stealing intellectual property that they can sell to interested parties. The cybercrime gang has targeted more than 130 organizations in over 30 countries.

According to the security firm, Operation Ghoul attacks start with a malicious email coming from a spoofed address that appears to belong to a bank. The emails typically carry a file attachment or contain links that point to phishing websites. The fake messages are mostly sent to executives, managers and other employees that could have access to valuable information.

The piece of malware delivered by the attackers is HawkEye, a commercial spyware capable of collecting keystrokes, screenshots, clipboard data, FTP credentials, app license information, and account data from browsers, messaging apps and email clients.

Kaspersky Lab has identified victims in Spain, Pakistan, UAE, India, Egypt, UK, Germany, Saudi Arabia, Portugal, Qatar and other countries. The targeted organizations are typically small and medium-sized businesses (SMBs) with 30 to 300 employees.

Roughly half of the Operation Ghoul victims are in the industrial sector, including petrochemical, naval, military, aerospace, solar energy and heavy machinery firms. The threat group has also targeted companies in the engineering, shipping, pharmaceutical, manufacturing, trade, education, IT and technology, and tourism sectors.

The latest attack waves, which Kaspersky spotted in June, focused on the Middle East, particularly the United Arab Emirates.

Operation Ghoul

“In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon, and today, the term is sometimes used to describe a greedy or materialistic individual,” said Kaspersky researcher Mohammad Amin Hasbini.

“This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim’s banking accounts.

Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks will sadly suffer,” the expert added.

Attribution is often difficult, but even more so in this case as the attackers have been using off-the-shelf malware such as HawkEye. The HawkEye spyware has been used to target entities all around the world in various types of campaigns.

By Eduard Kovacs

Source: Security Week

High-End Banking Malware Hits Brazil

In the past two weeks, IBM’s X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda targeting Brazilian financial institutions, according to a new report.

Brazil just can’t catch a break. We’ve already seen flesh-eating bacteria in the water, athletes getting robbed on the streets, and police officers holding up a “welcome to hell” sign at the airport. Plus a wide variety of cybercrime, including phishing attacks and credit card skimming machines.

Now the criminals are getting even more sophisticated. In the past two weeks, IBM’s X-Force security team has spotted the high-end banking trojans Zeus Sphinx and Zeus Panda, according to a new report.

“This is considered sophisticated malware, and this kind of sophistication is not typical for Brazil,” said Limor Kessem, executive security advisor for IBM Security. “This is definitely a step up from what we usually see in Brazil.”

Brazilian malware is typically scripts or browser extensions, not a complex modular software product like Zeus, she said.

The way that it works is that both strains of malware target Brazilian computer users, then wait for the users to access their online banking or payments accounts. They then intercept the communications, modify the websites, steal credentials, and redirect the payments.

It is likely that the attackers are based in Brazil or have local partners, she said.

The malware communicates back to central command-and-control servers to download customized configuration files, she explained. In these two cases, the files have been customized to attack three major Brazilian banks and a Brazilian payment system, as well as one bank in Colombia.

Adding a new banking target requires that the attackers create a social engineering injection that precisely mimics a bank’s look and feel, and requires an understanding of the bank’s authentication methods.

“They are able to manipulate what the person sees when they visit the page,” Kessem said. “For example, in addition to a login and password, they might also ask for a Social Security number and their mother’s maiden name.”

This is where local knowledge comes in handy.

“In the past, a lot of times, cybercriminals going after countries where they don’t speak the language would have a lot of spelling mistakes, and that would be a sign that something isn’t right,” she said. “Now that they collaborate with people who are local, they have more of an ability to say the right things in the right way, and have more knowledge of how that bank works and have a better chance of defrauding accounts.”

As a result, adding a new target becomes fairly easy, she said. All the criminals have to do is modify the configuration file. “It’s fairly easy to do and criminals can do that at any time.”

The core source is the same for both Panda and Sphinx, and both are based on the Zeus source code that was leaked in 2011 and has become a popular base for commercial malware sold on underground boards, she said.

Zeus Panda is extremely localized, she said. In addition to local banks, it targets a supermarket that delivers food, a police agency, and a Bitcoin exchange.

The Bitcoin exchange is probably being used to help the criminals launder their ill-gotten gains, Kessem suggested.

Zeus Sphinx targets Brazilian banks as well, but also goes after the popular Boleto Bancário payment platform, which allows users to go online and send money orders.

Sphinx first emerged a year ago, initially attacking banks in Australia and the U.K.

Kessem did not have any data about how much financial damage these attackers are causing Brazil. In 2014, however, RSA issued a report that a Boleto malware fraud ring had compromised nearly $4 billion worth of transactions over the previous two years.

IBM currently monitors 270 million endpoints worldwide, Kessem said. After spotting the malware, the company notified the targeted institutions and local law enforcement authorities.

She declined to name the specific institutions targeted by the malware.


Source: CSO Online

Cerber Ransomware Set to Net Black Hats $2 Million Per Year

The Cerber ransomware variant is on track to earn its developer and network of affiliates over $2 million per year, according to the latest stats from Check Point.

The security vendor’s latest report, CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service, aims to lift the lid on the ransomware.

Unlike most variants, it is operated on a highly distributed model, with 161 active campaigns spotted in July alone, targeting 150,000 users in 201 countries.

This is made possible via a private affiliate program, with new recruits offered up to 60% of profits in return for disseminating the malware plus a possible extra 5% for recruiting new members to the scheme.

The developer is said to get the rest of the takings, with Bitcoin accounts used to receive and launder the money. A new Bitcoin wallet is created for each victim, making it virtually impossible to trace individual payments, according to Check Point.

The ransomware itself is designed so that non-technical participants can get involved: it comes with an easy-to-use control panel and is pre-translated into 12 different languages, with online help available in each.

Despite only 3% of victims electing to purchase the decryption key, it’s enough to turn a tidy profit.

With the average payment coming in at $500, total revenue is estimated at $195,000 for July, meaning well over $2 million per year.

The ransomware is mainly spread by exploit kit drive-by-download campaigns and traditional malicious attachments.

A Check Point spokesperson told Infosecurity that regular back-ups are now a must for firms, urging IT teams to ensure at least one copy is made offline.

“Exercise caution. Don’t open e-mails you don’t expect to receive, and if you are asked to run macros on an Office file, don’t. The only situation in which you should run macros is in the rare case that you know exactly what those macros will do,” they added.

“Have a comprehensive, up-to-date, security solution. High quality security solutions and products protect you from a variety of malware types and attack vectors. And if you do get infected, search for decryption tools which could help get your data back.”


Source: Info Security Magazine

Shakti Info Stealer Designed for Corporate Espionage

Bleeping Computer researchers spotted an information-stealing trojan, dubbed Shakti, that is designed for corporate espionage and may have originated in India.

Once a system is infected, the malware configures itself to start automatically at login by adding an entry to the Windows Registry, and then injects itself into a running process such as a web browser, according to an Aug. 12 blog post.

Shakti then scans a victim’s drive for files with specific extensions and, when it finds one, uploads the entire file to the command and control server. Based on the targeted file types, researchers believe the malware is looking to steal trade secrets and corporate data.

Researchers said Shakti is currently detected by 34 out of 55 security programs but said most misidentify the malware as a generic trojan or downloader, rather than as an information stealer.


Source: SC Magazine