China Launches ‘Hack-Proof’ Communications Satellite

China on Tuesday launched the world’s first quantum satellite, which will help it establish “hack-proof” communications between space and the ground, state media said, the latest advance in an ambitious space program.

The program is a priority as President Xi Jinping has urged China to establish itself as a space power, and apart from its civilian ambitions, it has tested anti-satellite missiles.

The Quantum Experiments at Space Scale (QUESS) satellite was launched from the Jiuquan Satellite Launch Centre in the remote northwestern province of Gansu in the early hours of Tuesday, the official Xinhua news agency said.

“In its two-year mission, QUESS is designed to establish ‘hack-proof’ quantum communications by transmitting uncrackable keys from space to the ground,” it said.

“Quantum communication boasts ultra-high security as a quantum photon can neither be separated nor duplicated,” it added. “It is hence impossible to wiretap, intercept or crack the information transmitted through it.”

The satellite will enable secure communications between Beijing and Urumqi, Xinhua said, referring to the capital of China’s violence-prone far western region of Xinjiang, where the government says it is battling an Islamist insurgency.

“The newly-launched satellite marks a transition in China’s role – from a follower in classic information technology development to one of the leaders guiding future achievements,” Pan Jianwei, the project’s chief scientist, told the agency.

Quantum communications holds “enormous prospects” in the field of defense, it added.

China insists its space program is for peaceful purposes, but the U.S. Defense Department has highlighted its increasing space capabilities, saying it was pursuing activities aimed to prevent adversaries from using space-based assets in a crisis.

By Ben Blanchard

Source: Reuters

Vawtrak Banking Trojan Uses SSL Pinning, DGA

A new version of the Vawtrak banking Trojan includes some significant improvements, such as a domain generation algorithm (DGA) and additional protection for command and control communications.

According to researchers at security firm Fidelis, the new version of Vawtrak includes a DGA that generates .ru domains with a length ranging between 7 and 12 characters (excluding the domain suffix). The domain names are generated using a pseudorandom number generator (PRNG) found in the Trojan’s loader.
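A DNS-log triage routine built from the two properties the article reports for the new DGA (a .ru suffix and a 7 to 12 character label), added here as an example and not Fidelis' own tooling. It assumes a hypothetical "time client qname" log layout, constructs its own sample lines, and adds a character-entropy threshold as a heuristic for PRNG-style labels; both the layout and the threshold are assumptions.

```python
"""Flag DNS queries that match the Vawtrak DGA shape described above.

Added example, not code from the article or from Fidelis. Assumed log
layout: "<timestamp> <client-ip> <queried-name>". The entropy cut-off is an
assumption (PRNG output reads as random; ordinary names usually do not).
"""
import math
from collections import Counter

MIN_LEN, MAX_LEN = 7, 12      # label length range reported for the DGA
ENTROPY_THRESHOLD = 3.0       # assumed; tune against your own query baseline


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_dga_candidate(qname):
    """True when qname is <label>.ru, label is 7-12 chars and looks random."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 2 or labels[1] != "ru":
        return False
    label = labels[0]
    if not MIN_LEN <= len(label) <= MAX_LEN:
        return False
    return shannon_entropy(label) >= ENTROPY_THRESHOLD


def triage(log_lines):
    """Return (client, qname) pairs worth a second look, in log order."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue              # malformed line: skip rather than crash
        client, qname = parts[1], parts[2]
        if is_dga_candidate(qname):
            hits.append((client, qname))
    return hits


# Constructed sample log (not captured traffic); the two random-looking
# .ru names are invented and stand in for DGA output.
SAMPLE_LOG = [
    "2016-08-16T09:00:01 10.0.0.12 www.yandex.ru",
    "2016-08-16T09:00:02 10.0.0.12 mail.google.com",
    "2016-08-16T09:00:03 10.0.0.23 kx7qzp4vtw.ru",
    "2016-08-16T09:00:04 10.0.0.23 d9hm2xqb.ru",
    "2016-08-16T09:00:05 10.0.0.31 kremlin.ru",
    "2016-08-16T09:00:06 10.0.0.31 sberbank.ru",
]

if __name__ == "__main__":
    for client, qname in triage(SAMPLE_LOG):
        print(f"{client} -> {qname}")
```

Legitimate 7 to 12 character .ru names such as kremlin.ru fall under the entropy cut-off, which is the only thing separating them from the DGA shape, so treat hits as leads for correlation rather than verdicts.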

Another noteworthy feature is the use of HTTPS to protect C&C communications. While this is not uncommon, Vawtrak also leverages certificate pinning, or SSL pinning, which is fairly unusual.

Normally, when an SSL connection is made, the client checks if the server’s certificate matches the requested hostname and that it has a verifiable chain of trust. SSL pinning provides extra protection against man-in-the-middle (MitM) attacks by ensuring that only a certificate specified by the user is accepted.

In the case of Vawtrak, the use of SSL pinning helps the malware evade detection by enterprise security solutions that use their own certificates to intercept communications.

In order to ensure that no other certificates are accepted, the Trojan conducts some checks based on the Common Name, which identifies the domain names associated with the certificate. It also uses a public key found in a header from the initial inject performed by the malware loader.

“Vawtrak has been a very successful banking trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced. The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare,” Fidelis said in a blog post.

Vawtrak, also known as Neverquest and Snifula, has been used to target online banking customers from across the world. The threat has been around for several years and it has been continually improved by its developers.

By Eduard Kovacs

Source: Security Week

TCP Flaw in Linux Extends to 80 Percent Of Android Devices

Eight out of 10 Android devices are affected by a critical Linux vulnerability disclosed last week that allows attackers to identify hosts communicating over the Transmission Control Protocol (TCP) and either terminate connections or attack traffic.

The flaw has been present in the TCP implementation in Linux systems since 2012 (version 3.6 of the kernel), and according to researchers at mobile security company Lookout, 80 percent of Android devices—going back to KitKat—run the same version of the kernel.

The issue was publicly disclosed last week during the USENIX Security Symposium where researchers from the University of California Riverside and the U.S. Army Research Laboratory presented a paper entitled “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous.”

While an attacker would need to be able to identify both ends of a TCP connection before initiating an attack, successful exploits would not need that attacker to be in a man-in-the-middle position on the network, the researchers said.

Lookout security researcher Andrew Blaich said that some other Android vulnerabilities such as Stagefright, Quadrooter or other kernel and driver flaws that are being patched on a monthly basis may be more severe, but this attack is practical and within reach of hackers.

“This is about information disclosure and an attacker being able to infer where you’re going, what you’re viewing and having the ability to inject code,” Blaich said, adding that chaining this vulnerability with a WebKit or browser-related bug could allow for remote code execution. “All you need is one of those and this is where this bug gets interesting.”

A patch has been pushed to the Linux kernel, but Lookout said that as of Friday, the latest developer preview of Android Nougat still remains vulnerable, and the Android Open Source Project has yet to receive the patch as well. Android updates are released monthly to carriers and handset makers, and over-the-air security updates for Nexus devices are sent by Google the first of every month.

The Cal-Riverside and Army researchers said last week the problem is linked to the introduction of challenge ACK responses and the imposition of a global rate limit on TCP control packets.

“At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets,” the researchers wrote. “Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.”

Blaich cautioned that in some instances where connections must be long-lived such as video conferencing or large file-sharing, attackers could take advantage of those scenarios to exploit this bug.

Lookout recommends that until a patch is ready, Android users should rely on encrypted communications, in particular by deploying a VPN. For rooted Android devices, Lookout recommends using the sysctl tool to change the value of net.ipv4.tcp_challenge_ack_limit to a large value such as 999999999. Blaich said he expects a patch to be ready for the next monthly Android update, which is set for Sept. 1.


Source: Threat Post

Hackers Insert SEO Spam on Legitimate Sites via WordPress Core Files

As a reminder that crooks will try everything to go undetected, Sucuri revealed last week a new method of inserting SEO spam on hacked WordPress sites using the /wp-includes/load.php file, one of WordPress’ core files.

Unsecured WordPress sites are all around us thanks to the huge market share the CMS has compared to all other products. Crooks leverage this large number of unsecured sites to hack into WordPress installations, either via outdated plugins, vulnerable themes, or via weak admin passwords.

After hacking their target, crooks tend to use these sites as bots in DDoS attacks, as command and control servers for criminal operations, and as malware download sites, to host malvertising or hijack SEO results.

SEO spam relies on unsecured WordPress sites

They achieve the last by forcing hacked websites to load content that’s hidden by default from human users but shows up for search engine crawlers.

These hacked websites present different text to search bots than what regular users would see, usually with completely different topics, descriptions, and links to other sites for which crooks want to boost search engine rankings.

This happens to the detriment of the hacked website, which now loses traffic and has its public description altered on Google, Bing or other sites.

In one case Sucuri investigated, the company’s analysts discovered a successful business portal showing pornographic content in its Google search results description.

Getting down to the bottom of the infection, Sucuri discovered that crooks weren’t content with just loading a simple JavaScript or PHP file in the website’s header or footer, but actually went as far as to modify WordPress core files, a place where very few site admins tend to look.

Crooks hijack WordPress core files to do all the dirty work

These particular hackers modified /wp-includes/load.php, a core WordPress file that runs for every site visitor and loads other files, putting together the final website.

“The attacker hopes you will focus on the theme files (i.e. header.php, footer.php) and the files in the root of the WordPress install (i.e. index.php, wp-load.php),” Sucuri’s Luke Leal explains of the crooks’ decision to modify this particular file.

Hackers modified /wp-includes/load.php to load another file /wp-admin/includes/class-wp-text.php, which should never exist in normal WordPress installations but which the crooks hid among other WordPress core files.

This, in turn, loaded all the SEO spammy content, but only for Google’s search engine crawler, leaving the site as is for regular visitors. This procedure explains why the site showed up in search results as you can see in the image below but looked perfectly normal for everyone accessing it.

“At this point, I would like to mention that manually auditing your website files for modifications would be very exhaustive and this is why we recommend using file monitoring,” Leal advises other site admins. “This system would alert you that a new file (./wp-admin/includes/class-wp-text.php) was created and a core file was modified (./wp-includes/load.php). Instead of having to manually go through over a thousand WordPress files, you already know which ones were modified and so can begin there.”
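The file monitoring Leal recommends, reduced to its core: snapshot a tree's SHA-256 hashes, store the baseline, and diff later snapshots to report created, modified and deleted files. This is an added example, not Sucuri's product; the WordPress tree it builds is a constructed stand-in with a handful of files, and the tampering it simulates is just the two indicators the article names (load.php changed, class-wp-text.php appearing).

```python
"""Baseline-and-diff file integrity check for a WordPress install.

Added example, not Sucuri's tooling. Assumes the baseline is a JSON map of
relative path -> SHA-256 kept outside the web root (an operator choice, not
something the article specifies).
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large uploads are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def diff_snapshots(baseline, current):
    """Return (created, modified, deleted) relative paths, each sorted."""
    created = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return created, modified, deleted


def demo():
    """Constructed scenario reproducing the article's two indicators."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for a clean install: three placeholder files.
        clean = {
            "index.php": "<?php // placeholder, not real WordPress code\n",
            "wp-includes/load.php": "<?php // placeholder core loader\n",
            "wp-admin/includes/class-wp-admin-bar.php": "<?php // placeholder\n",
        }
        for rel, body in clean.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
        # Round-trip through JSON to mirror a baseline written to disk.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Simulate the compromise: a core file altered, a new file dropped.
        with open(os.path.join(root, "wp-includes/load.php"), "a") as f:
            f.write("// constructed change standing in for the injected line\n")
        dropped = os.path.join(root, "wp-admin/includes/class-wp-text.php")
        with open(dropped, "w") as f:
            f.write("<?php // constructed placeholder; contents not from the page\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    created, modified, deleted = demo()
    print("created: ", created)
    print("modified:", modified)
    print("deleted: ", deleted)
```

Run the snapshot from a cron job or a CI step against a baseline taken right after a clean install or upgrade, and re-baseline only after a deliberate change; otherwise every legitimate update shows up as tampering.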

By Catalin Cimpanu

Source: Softpedia

A Nasty Android Malware is Spreading Using Google’s Online Ad Network

Researchers discovered a campaign that delivers a malicious banking Trojan to Android devices using Google AdSense advertisements. The campaign, discovered by Kaspersky Lab researchers, delivers the Svpeng Android banking Trojan.

The campaign was launched by the criminal group that developed the Svpeng Trojan and Android users are infected with the malware when they visit mainstream websites, wrote Kaspersky Lab malware analysts Nikita Buchka and Mikhail Kuzin in a SecureList blog post.

The analysts refer to the campaign as “a gratuitous act of violence against Android users.” The payload is delivered to Android devices without requiring users to click on the malicious advertisements.

Cybercriminals “are turning the ad networks into incredibly efficient malware delivery vehicles,” wrote Michael Covington, VP of Product, Wandera. Malware is incorporated into the ad networks “without actually breaking into the distribution sites directly.”

Malvertising campaigns such as these continue “to plague businesses and consumers,” wrote Carbon Black co-founder and chief security strategist Ben Johnson in an email. Targeting Android devices can yield “access to millions (potentially billions) of devices to exploit,” Johnson wrote. “The downside for attackers is that each carrier often has different versions of the operating system and there are many different versions of Android. Exploits are often pretty specific to the version of the operating system they provide.”

Svpeng was initially discovered by Kaspersky in July 2013 as a Trojan for the theft of payment card information from Russian bank customers. A ransomware version of the malware was discovered a year later in the U.S.


Source: SC Magazine

Thousands of Guests’ Data May Have Been Hacked at Starwood, Marriott and Hyatt Hotels

The Westin Lombard Yorktown Center is pictured in Lombard, Illinois

A data breach at 20 U.S. hotels operated by HEI Hotels & Resorts for Starwood, Marriott, Hyatt and Intercontinental may have divulged payment card data from tens of thousands of food, drink and other transactions, HEI said on Sunday.

The breach follows similar attacks at Hyatt Hotels and Starwood Hotels & Resorts in recent months. Norwalk, Connecticut-based HEI, which is privately held, said malware designed to collect card data was found on HEI’s systems.

The malware was discovered in early to mid-June on payment systems used at restaurants, bars, spas, lobby shops and other facilities at the properties, Chris Daly, a spokesman for HEI, said in emails and phone calls.

The number of customers affected is difficult to calculate because they might have used their cards multiple times, Daly said. About 8,000 transactions occurred during the affected period at the Hyatt Centric Santa Barbara hotel in California, and about 12,800 at the IHG Intercontinental in Tampa, Florida, Daly said.

The malware affected 12 Starwood hotels, six Marriott International properties, one Hyatt hotel and one InterContinental hotel. It was active from March 1, 2015 to June 21, 2016, with 14 of the hotels affected after Dec. 2, 2015, HEI said on its website.

Marriott and IHG declined to comment. Representatives from the other hotel groups did not respond to requests for comment.

HEI said outside experts investigated the breach and determined that hackers might have stolen customer names, account numbers, payment card expiration dates and verification codes. The hackers did not appear to have gained PIN codes, since those are not collected by its system, it added.

The company has informed federal authorities and has installed a new payment processing system that is separate from other parts of its computer network.

Among the properties affected were Starwood’s Westin hotels in Minneapolis; Pasadena, California; Philadelphia; Snowmass, Colorado; Washington, D.C.; and Fort Lauderdale, Florida. Also affected were Starwood properties in Arlington, Virginia; Manchester Village, Vermont; San Francisco; Miami; and Nashville, Tennessee.


Source: NBC

“HOMEKit” Exploit Generator Used to Deliver Espionage Malware

Researchers have come across a document exploit generator that has been used over the past few years by several threat actors to deliver malware in cyber espionage campaigns.

The toolkit, dubbed “HOMEKit” by Palo Alto Networks, is believed to have been used to generate malicious Microsoft Word documents for various campaigns since 2013. Similar to the MNKit exploit generator, HOMEKit relies on the CVE-2012-0158 vulnerability in Office to deliver malware.

The most recent attack involving HOMEKit was observed by Palo Alto Networks in late June, when researchers found an email apparently coming from the United Nations Environment Programme (UNEP). The email carried a Word document and an Excel spreadsheet containing a global directory for residents of North Korea under UNEP.

While the Excel file turned out to be harmless, the Word document attempted to exploit CVE-2012-0158, which Microsoft patched in 2012, to deliver a new Trojan named “Cookle” by Palo Alto Networks.

Cookle is a newly discovered downloader that can collect information on the infected system, and download and execute files. In order to avoid being detected, the threat waits 20 minutes before contacting its command and control (C&C) server. Attackers can also configure the malware to change its sleep interval between C&C communications.

HOMEKit is designed to exploit a vulnerability in the TreeView ActiveX control. If the flaw is exploited successfully, a shellcode is executed and a decoy document is opened. In the meantime, a payload (.dat file) is executed on the system.

An analysis of the documents generated with HOMEKit showed that it had been leveraged to deliver various payloads used in the past years in cyber espionage campaigns, including PlugX, which is often used by Chinese APTs, Surtr, seen in attacks targeting Tibetan organizations, and Mirage, which in 2012 was observed targeting energy, military and other organizations worldwide.

The exploit generator has also been used to deliver Tapaoux, a Trojan associated with the DarkHotel group, which in 2014 was spotted spying on business travelers in the Asia-Pacific region.

Researchers discovered many similarities between the documents that installed the DarkHotel malware and the ones that delivered Cookle. They determined that the functional shellcodes were more than 90 percent similar.

“The difference between the functional shellcode that installs Cookle and DarkHotel lies in the way a process is created to execute the payload and to open the decoy document,” Palo Alto’s Bryan Lee and Robert Falcone explained in a blog post. “While the difference between the two is very minor, it is worth discussing as it suggests the author of the Cookle shellcode intentionally modified the DarkHotel shellcode, possibly as an anti-analysis technique.”

Experts believe HOMEKit might have been made available to multiple threat groups by a common intermediary.

By Eduard Kovacs

Source: Security Week

New Air-Gap Jumper Covertly Transmits Data in Hard-Drive Sounds

Researchers have devised a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet to prevent the leakage of sensitive information it stores.

The method has been dubbed “DiskFiltration” by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive’s actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.

“An air-gap isolation is considered to be a hermetic security measure which can prevent data leakage,” Mordechai Guri, a security researcher and the head of research and development in the cyber security labs at Israel’s Ben-Gurion University, told Ars. “Confidential data, personal information, financial records and other type of sensitive information is stored within isolated networks. We show that despite the degree of isolation, the data can be exfiltrated (for example, to a nearby smart phone).”

Besides working against air-gapped computers, the covert channel can also be used to steal data from Internet-connected machines whose network traffic is intensively monitored by intrusion prevention devices, data loss prevention systems, and similar security measures.

DiskFiltration is only the latest method devised by Ben-Gurion University researchers to bridge air gaps. Other techniques include AirHopper, which turns a computer’s video card into an FM transmitter; BitWhisper, which relies on the exchange of heat-induced “thermal pings”; GSMem, which relies on cellular frequencies; and Fansmitter, which uses noise emitted by a computer fan to transmit data. In 2013, researchers with Germany’s Fraunhofer Institute for Communication, Information Processing, and Ergonomics devised a technique that used inaudible audio signals to covertly transmit keystrokes and other sensitive data from air-gapped machines.

The techniques are effective, but their utility in real-world situations is limited. That’s because the computers they target still must be infected by malware. If the computers aren’t connected to the Internet, the compromise is likely to be extremely difficult and would require the help of a malicious insider, who very well may have easier ways to obtain data stored on the machine. Still, the air-gap jumpers could provide a crucial means to bypass otherwise insurmountable defenses when combined with other techniques in a targeted attack.

Receiving data transmitted by sound generated from a hard drive is generally not efficient. DiskFiltration improves the signal-to-noise ratio by focusing on a narrow range of acoustic frequencies, a feature that effectively strips out background noise. DiskFiltration works even when a hard drive’s automatic acoustic management, which reduces acoustic noise, is at its default setting. Still, casual noise emissions from other running processes can sometimes interfere or interrupt the DiskFiltration transmissions.

The most effective way to prevent DiskFiltration-style data exfiltration is to replace hard drives with solid-state drives, since the latter aren’t mechanical and generate virtually no noise. Using particularly quiet types of hard drives or installing special types of hard drive enclosures that muffle sound can also be an effective countermeasure. It may also be possible to jam hard-drive signals by generating static noise. Intrusion prevention systems may also be programmed to detect suspicious hard-drive seek patterns used to create the transmissions. Yet another solution is to isolate air-gapped computers from smart phones and other devices with a microphone.


Source: Arstechnica

Hackers Target World Anti-Doping Agency and Sports Court

RIO DE JANEIRO (AP) — The World Anti-Doping Agency and Court of Arbitration for Sport say they have been targeted by hackers, with an attempt made to obtain access credentials for the database which tracks athletes for drug testing.

WADA said it learned “this week,” during the Olympics, that it had been targeted, though it was not immediately clear when the attacks took place.

WADA communications coordinator Maggie Durand told The Associated Press in an email that the agency was notified of a YouTube video claiming WADA’s website had been hacked. She says an investigation “was quickly able to determine that the website had not been compromised, although we continue to monitor activity.”

Durand says WADA’s ADAMS database of doping results “has not been compromised,” but that so-called phishing emails were sent to users of the database disguised as official WADA communications requesting their login details.

WADA did not immediately respond to requests for comment on how many users were targeted by the e-mails, whether athletes had been targeted, or what WADA’s plan was if credentials had been leaked. WADA said it had notified all users of the database about the phishing attempt, and posted a warning on the database website.

Athletes use the database to enter so-called “whereabouts” information which they are obliged to provide in order to make themselves available for drug testing outside competitions. Someone with an athlete’s credentials could potentially change that information, sending testers to the wrong location, potentially leading to athletes being wrongly blamed for missing a test.

Meanwhile, CAS secretary general Matthieu Reeb told the AP “there has been an attempt to hack the CAS website. It is not the first time, and certainly not the last time.”

He says the attempt “was apparently unsuccessful but investigations are being made … to make sure that we have not suffered any damage.”

Reeb says information on the CAS website “is intended for the public and is not confidential.”

A video posted to YouTube, by a user claiming to represent Polish hackers, seems to show the CAS website doctored to display the message: “We forgot the sport is out of the politic (sic). Please forgive us.” The CAS site was not accessible late Thursday.

Both WADA and CAS have been in the headlines recently over their handling of doping cases ahead of the Olympics, particularly regarding bans for Russian athletes following the country’s doping scandals.


Source: USA News

Shade Ransomware Adds RAT Features to Spy on High-Value Victims

The crooks behind the most recent versions of Shade have added an interesting new tidbit to their malware, installing a modified version of TeamViewer on infected systems so they could spy on their targets and adjust the ransom note accordingly.

This new Shade version only targets Russian companies that are running accounting software on their computers. Kaspersky researchers say that this new Shade version, prior to infecting the target, during its installation routine, actively scans the computer name for strings such as “BUH,” “BUGAL,” “БУХ,” “БУГАЛ.” These strings are likely to be found on computers used by the accounting departments at Russian-speaking companies.

If Shade finds any of these strings, it stops the ransomware installation process and delivers another trojan called Teamspy, also known as TVSPY, TVRAT, or SpY-Agent. The trojan contains a modified version of TeamViewer 6 that the malware authors have altered to hide its GUI. The trojan also includes the legitimate 7Zip archiving tool and the NirCmd command-line utility.

Furthermore, the crooks are also installing the TeamViewer VPN driver and the RDP Wrapper Library, used to open VPN connections and interact with the RDP protocol. All of these utilities delivered inside Teamspy allow the crooks to modify OS settings on infected systems, open an RDP connection, and use TeamViewer to connect to the infected system.

Crooks using Teamspy to determine the proper ransom sum

Kaspersky suggests that the crooks are using Teamspy’s RAT (Remote Access Trojan) features to gather intelligence on the infected computer, to determine the appropriate ransom sum.

“The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” suggests Kaspersky’s Fedor Sinitsyn.

Teamspy is quite a powerful RAT and allows a crook to record audio from infected systems, record the victim’s desktop, run terminal commands, and download and install other executables.

Crooks are delivering the Shade ransomware at a later point

This last feature is most likely used to deliver the Shade ransomware at a later point in time, after crooks deemed the target important and decided on the ransom amount.

Shade is one of today’s most popular ransomware families, but Kaspersky researchers cracked its encryption and have provided a free decrypter via the No More Ransom initiative. Another name for the Shade ransomware is Troldesh.

This is not the first time malware has specifically targeted Russian businesses. During late June, Dr.Web discovered a trojan coded in 1C, a programming language used mostly in Russia. This trojan was delivering ransomware to companies using 1C:Enterprise, a popular accounting software in Russia.

Source: Softpedia