The Malware Battle Is Mostly Silent

Malware’s success relies on the ability to remain stealthy, and the authors of malicious programs go to great lengths to make that happen, while also ensuring that their identity remains hidden.

As a general rule, malware developers tend to avoid contact with security researchers to avoid stepping into the spotlight, but this rule can be broken occasionally. Having worked before with software developers, I know how keen some are about correctly presenting the capabilities of their creations. At the time, that made perfect sense, because an application’s popularity (and sometimes price) is influenced not only by the included capabilities and looks, but also by accurate reviews.

It was surprising to see there are malware developers who would come out of the shadows to voice discontent regarding a report on their “product.” However, such developers exist, and the creator of a piece of mobile malware called Bilal Bot is one example. Seeing that IBM’s report on the malware is outdated, the author decided to contact the security firm to address this.

Bilal Bot was detailed back in April, alongside other mobile malware targeting Android, when researchers suggested that it was less sophisticated than its competitors GM Bot and KNL Bot, and that it was also cheaper. Now the malware developer says that, because the product has moved out of the beta state it was in back in April, its feature list and price have changed, and IBM’s report should be updated. Moreover, the developer said he was open to an interview about the malware, IBM reveals.

Usually, when a developer requests an update to a report on their software specifically to bring new features into the spotlight, it means they want to increase the buzz around the program, and this is exactly what Bilal Bot’s developer seems to have attempted here as well.

As it turns out, however, this case represents an exception to the rule, as most malware developers would rather stay in the shadows than talk to security researchers. Most don’t like the kind of publicity security reports provide, because these reports don’t allow malware developers to stay under the radar, a malware hunter said, responding to a SecurityWeek inquiry.

The security researcher also told us that malware creators would leave messages in their code if they wanted to, but that they would normally try to avoid attention from the anti-virus/security community, because it could hurt their business. What’s more, he says, threats that constantly make the headlines evolve to better avoid detection, so reporting on malware could turn into a double-edged sword.

Cybercriminals would certainly use anything to increase their legitimacy, including abusing security reports as “social proof,” Heimdal Security’s Andra Zaharia tells SecurityWeek. Although it’s still surprising that Bilal Bot’s creator adopted this behavior, it’s clear that a malware developer exhibiting the characteristics of a legitimate business owner would want their product to be correctly portrayed, otherwise pricing would be impacted.

Instead of abusing news reports for fame, cybercriminals usually go quiet after security researchers report on their creations, Maya Horowitz, Group Manager, Threat Intelligence at Check Point, told SecurityWeek.

“We have seen malware disappear after our reports, as in the case of the Nuclear Exploit Kit this last spring. Most recently, we saw the Cerber ransomware developers adapt to counter our research and decryption tool. The developers even left a message to anyone using our decryption tool, saying that they had modified the malware. Usually malware developers try to lower their profile after the malware is revealed and attempt to upgrade it to avoid discovery,” Horowitz says.

However, she does agree that security reports can be abused as well, because “breaches demonstrate the malware’s efficiency.” Stuxnet, she says, is a great example of how hackers can learn from reports about other malware and implement the same tactics in their own products.

Kaspersky Lab’s Anton Ivanov, senior malware analyst, also believes that threat actors always keep an eye on security blogs to find new techniques for their malware. Thus, as soon as detailed information about a vulnerability is published, an increase in the usage of that vulnerability can be observed, he says.

Security reports, Ivanov says, tend to be bad advertising for the malware, because the malicious program becomes known to security researchers. However, he also reveals that malware developers sometimes contact Kaspersky via embedded data, “which is usually encrypted and located in some part of malware module.” These messages, he says, usually contain greetings to researchers; one came from Angler’s developers and was located in an FLV exploit.

However, not all such messages are greetings, as Emsisoft Malware Lab’s researchers have often discovered. Most recently, angry with the researchers’ ability to break the encryption of their ransomware called Apocalypse, the creator of this threat decided not only to include abusive comments in the malware’s code, but also to rename the malicious program to “Fabiansomware.” The coder’s hate was focused on Fabian Wosar, Emsisoft CTO and head of the company’s Malware Research Lab.

For security researchers, the fact that malware authors include abusive messages in their code comes as an acknowledgement of their work. Thus, researchers will continue to report on new and updated malware, regardless of whether developers are dissatisfied with how their malware is portrayed or are unhappy that they made it into the headlines.

“We believe it’s crucial to inform Internet users, whether home users or people involved in companies, of emerging cyber threats. It’s not only about building awareness, but it’s also an essential tool to help people learn how to get protected,” Andra Zaharia said. “We believe that spreading correct and relevant information about new and improved malware is an important part of helping people become more aware of the issue and its potential impact.”

The general consensus is that while security researchers will continue to publish relevant information about discovered threats, already established malware families will continuously evolve in their attempt to avoid detection. Their developers will certainly try to stay as hidden as possible. Hungry enough for attention, newcomers might contact security researchers to point out incorrect reports, but the battle with malware remains mostly a silent one.

By Ionut Arghire


HDDCryptor Leverages Open Source Tools to Encrypt MBR

Malware that uses open source tools for malicious purposes isn’t new, yet ransomware leveraging such tools to encrypt the entire hard drive by rewriting the MBR (Master Boot Record) is, researchers warn.

The new malicious program that combines the two is called HDDCryptor, also known as HDD Cryptor or Mamba ransomware. The threat was first spotted at the beginning of this year, but it caught the attention of researchers only in the past several weeks, after it was featured in a larger campaign.

Earlier this year, researchers detailed disk-level ransomware variants such as Petya, which emerged in March but only manipulated the MBR to take over the boot process and didn’t encrypt the user’s files. To encrypt user files too, Petya started dropping additional ransomware, called Mischa, and this modus operandi was soon adopted by a ransomware variant called Satana.

HDDCryptor, however, leverages the DiskCryptor open source tool to strongly encrypt user’s data and to overwrite the MBR, Renato Marinho, Director at Morphus Segurança da Informação, explains.

According to Trend Micro researchers, the new piece of ransomware targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), while also locking the drive. Because of its damaging routine, the ransomware should be treated as a “very serious and credible threat not only to home users but also to enterprises,” Trend Micro says.

HDDCryptor is being distributed via files downloaded from malicious websites, and is installed by dropping multiple components into the system’s root folder. These components include dcapi.dll (detected as Ransom_HDDCRYPTOR.A), dccon.exe (to encrypt the disk drive), dcrypt.exe, dcrypt.sys, log_file.txt, Mount.exe (scans mapped drives and encrypts files stored on them), netpass.exe (to scan for previously accessed network folders), netuse.txt (to store information about mapped network drives), and netpass.txt (to store user passwords).

To gain persistence, the malware adds a new service called DefragmentService and executes it via the command line. Some of the analyzed samples, researchers say, also showed network-encrypting behavior, though others had no propagation routines. However, the Mount.exe component was clearly meant for enumerating mounted drives to encrypt their files, as well as for discovering previously connected drives or cached disconnected network paths and connecting to them using all credentials captured with the netpass.exe tool.

In addition to leveraging DiskCryptor (which supports AES, Twofish and Serpent encryption, including their combinations, in XTS mode) for disk and network file-level encryption, the ransomware abuses the open source disk encryption software to overwrite the Master Boot Record (MBR). The malware displays its ransom note by adding a modified bootloader instead of using the system’s normal log-in screen.

The security researchers also observed that the ransomware would forcefully reboot the compromised system after two hours of full disk activity (no user interaction needed), and that it would reboot the machine twice in some cases. Moreover, they reveal that the copy of DiskCryptor dropped by the malware was the same file available on the open source tool’s download page (the software hasn’t been updated since September 7, 2014, it appears), but that a modified version of netpass.exe was used.

“HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals,” Trend Micro researchers note.

According to Marinho, the password used to encrypt the disk is given as a parameter. The researcher also notes that there is a chance that the same password is used on all compromised machines, or that the password is “something related to the victims’ environment, like the hostname, or something like that.” He also notes that the ransomware’s authors might be focused on servers and that they have already received payment from at least four victims.

By Ionut Arghire


Yahoo Pressed to Explain Huge ‘State Sponsored’ Hack

Yahoo faced pressure Friday to explain how it sustained a massive cyber-attack, one of the biggest ever and allegedly state-sponsored, that allowed hackers to steal data from half a billion users two years ago.

The US online giant said its probe concluded that “certain user account information was stolen” and that the attack came from “what it believes is a state-sponsored actor.”

The comments come after a report earlier this year quoted a security researcher saying some 200 million accounts may have been accessed and that hacked data was being offered for sale online.

“Yahoo is working closely with law enforcement on this matter,” said Yahoo, adding it believes data linked to at least 500 million user accounts was stolen — in what could be the largest-ever breach for a single organization.

Yahoo said the stolen information may have included names, email addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims’ other online accounts.

While there is no official record of the largest breaches, many analysts have called the Myspace hack revealed earlier this year the largest to date, with 360 million users affected.

In 2014, a US firm specialised in discovering breaches said that a Russian group had hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses.

The firm, Hold Security, gave no details of the companies affected by the hack.

Ammunition for hackers

Computer security analyst Graham Cluley said the stolen Yahoo data “could be useful ammunition for any hacker attempting to break into Yahoo accounts, or interested in exploring whether users might have used the same security questions/answers to protect themselves elsewhere on the web.”

He noted that while Yahoo said that it believes the hack was state-sponsored, the company provided no details regarding what makes them think that is the case.

“If I had to break the bad news that my company had been hacked… I would feel much happier saying that the attackers were ‘state-sponsored’” rather than teen hackers, Cluley said in a blog post.

University of Notre Dame associate teaching professor and data security specialist Timothy Carone told AFP that the Yahoo hack fit the “big picture” when it comes to cyberattacks launched by spy agencies in Russia, China, North Korea or other countries.

“It just smacks of traditional trade craft,” Carone said. Chinese hackers have been accused of everything from stealing corporate secrets to an enormous breach of US government personnel files that affected a staggering 21.5 million people and reportedly led Washington to pull its intelligence operatives out of China.

North Korea is known to operate an army of thousands of elite hackers accused of launching crippling cyber-attacks on South Korean organisations and officials over the years.

But it was the high-profile hacking attack on Sony Pictures in December 2014 that shed light on the growing threat of the North’s hacking capability, although Pyongyang denied responsibility for the attacks.

It appeared that looted Yahoo data did not include unprotected passwords or information associated with payments or bank accounts, the Silicon Valley company said.

Yahoo is asking affected users to change passwords, and recommending anyone who has not done so since 2014 to take the same action as a precaution.

Users of Yahoo online services were urged to review accounts for suspicious activity and change passwords and security question information used to log in anywhere else if it matched that at Yahoo.

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” Yahoo said in a statement.

“Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.”

Yahoo being bought

Confirmation of the major cyber breach comes two months after Yahoo sealed a deal to sell its core internet business to telecom giant Verizon for $4.8 billion, ending a two-decade run as an independent company. It was not immediately clear if the data breach could impact the closing of the deal or the price agreed by Verizon.

“Frankly, the timing couldn’t be worse for Yahoo,” Cluley said. The telecom firm said it was reviewing the new information. “Within the last two days, we were notified of Yahoo’s security incident,” Verizon said in a statement.

“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”



Version 3 of Qadars Trojan Targets UK Banks

The customers of 18 banks in the United Kingdom have been targeted by cybercriminals in a campaign leveraging the latest major version of the Qadars banking Trojan.

Qadars has been around since 2013, but IBM X-Force researchers said the third major version of the malware was only released in the first quarter of 2016. Since 2015, cybercriminals have been using the malware in attacks aimed at Australia, Canada, the United States and the Netherlands, but the latest variant has been set up to target the U.K. as well.

The malware has a modular architecture and provides all the features needed by cybercriminals to steal money from bank accounts, including web injections fetched in real time from a remote server, systems for monitoring and manipulating browser activity, SMS hijacking apps for bypassing 2FA, and automated transfer system (ATS) panels that make it easier to manage operations.

In addition to banks, the Trojan has been used to steal credentials for social networks, sports betting websites, e-commerce platforms and payment services.

Qadars v3 variants bring improved performance for web injection mechanisms, and they are better at evading detection and preventing researchers from analyzing them. Obfuscation has been enhanced, and the Tor network is used for downloading modules and for C&C communications.

In order to gain administrator rights on the targeted machine, the Trojan displays a fake Windows security update, which triggers a User Account Control (UAC) dialog that keeps popping up until the victim clicks “Yes” and grants Qadars elevated privileges.

“Qadars attack volumes, compared to Trojans like Neverquest or Dridex, are more humble. While it is not one of the top 10 financial malware threats on the global list, however, this Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities,” explained IBM’s Limor Kessem and Hanan Natan. “It’s possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, likely to keep their operation focused and less visible.”

Based on the Qadars v3 release notes published in May 2016, researchers believe the malware’s author is most likely a Russian-speaking black hat.

Qadars is not the only banking Trojan spotted recently in attacks aimed at the U.K. The list of threats configured to target the country also includes Panda Banker, Marcher and Ramnit.

By Eduard Kovacs


Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

The actor behind the Ursnif banking Trojan has been using new evasive macros in their latest infection campaign, demonstrating continuous evolution of tools and techniques, Proofpoint researchers reveal.

In the latest observed distribution campaign, the Trojan is dropped onto the victim’s computer via weaponized Word documents. Before the infection takes place, however, the malicious macros in these documents check the machine to ensure that the Trojan can successfully evade detection and hinder analysis.

Previously, the threat would check for the public IP address of the infected machine and for the number of accessed Microsoft Word files to determine whether it was running inside a virtual environment. Now, the actor behind it, known as TA530, decided to add new sandbox evasion checks to the malicious macros, to better tailor the threat for evasion, researchers explain.

Following the recent update, the macro checks whether the filename contains only hexadecimal characters before the extension and ensures that there are at least 50 running processes with a graphical interface via Application.Tasks.Count. Moreover, it includes a process blacklist using Application.Tasks and has also expanded the list of strings it checks using MaxMind.

In the newly spotted campaign, the threat actor also used a Painted event control (observed as Img_Painted) to execute the macro when the user opened the document. Malware usually relies on autorun options such as Document_Open() for macro execution, but the Ursnif actor adopted this ActiveX control instead.

This week, a highly personalized spam campaign associated with this threat has been observed utilizing company names, personal names, titles, etc., to deliver the malicious Word documents. To lure the unsuspecting user to enable the macro, the document claims to be protected against unauthorized use. Once the user allows the macro to run, Ursnif ID “30030” is dropped, targeting Australian banking sites with web injects.

Following the update, the malicious macro checks if the Word filename contains only hexadecimal characters, because files submitted to sandboxes often use SHA256 or MD5 hash as the filename. Thus, the malicious payload is dropped onto the target system only if the filename contains letters after “f”, underscores, or spaces and if an extension is appended to it.

The macro also checks the number of running processes with a graphical interface, because real systems usually have more than 50 tasks, while sandboxes have as few as possible. Next, the macro performs a case-insensitive check against a blacklist of processes that could be present in a sandboxed environment, such as “fiddler”, “vxstream”, “vbox”, “tcpview”, “vmware”, “process explorer”, “vmtools”, “autoit”, “wireshark”, “visual basic”, and “process monitor”.

The macro also abuses the well-known geo-location service MaxMind to check whether the target machine is located in Australia, because it is targeting only this country in the latest campaign. More specifically, the macro checks that the results returned by MaxMind include “OCEANIA,” the region of the tropical Pacific Ocean that includes Australia.

The results are checked against an expanded list of blacklisted networks and the infection process is dropped if the target machine is located in one of these networks. Interestingly, in addition to security vendors, the list also includes networks belonging to “hospital”, “university”, “school”, “science”, “army”, “veterans”, “government”, and “nuclear.” Most probably, this check was included to minimize exposure to researchers and military or government entities, researchers say.
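The checks described above (hash-like filename, GUI task count, process blacklist, MaxMind region lookup, the Img_Painted trigger) are useful from the defender's side as static triage indicators. The following Python is an added example written for this page, not Proofpoint's tooling or the macro itself: it scans macro source text for the constructs the article attributes to the evasion logic, flags sample filenames that would trip the hex-name check, and proposes an analysis name that would not. The indicator labels, the `.doc` default extension and the embedded macro fragment are constructed for illustration.

```python
import re

# Process names the article reports the macro blacklists (matched case-insensitively)
REPORTED_PROCESS_BLACKLIST = (
    "fiddler", "vxstream", "vbox", "tcpview", "vmware", "process explorer",
    "vmtools", "autoit", "wireshark", "visual basic", "process monitor",
)

# Macro constructs the article ties to the evasion checks; the labels are my own
EVASION_INDICATORS = {
    "gui_task_count": re.compile(r"Application\.Tasks\.Count", re.I),
    "task_enumeration": re.compile(r"Application\.Tasks\b", re.I),
    "maxmind_geoip": re.compile(r"maxmind", re.I),
    "oceania_check": re.compile(r"\bOCEANIA\b", re.I),
    "painted_event_trigger": re.compile(r"_Painted\b", re.I),
}

HEX_STEM = re.compile(r"^[0-9a-fA-F]+$")


def split_name(filename):
    """Return (stem, extension); extension keeps its dot and is '' when absent."""
    if "." in filename:
        stem, ext = filename.rsplit(".", 1)
        return stem, "." + ext
    return filename, ""


def looks_like_sandbox_sample(filename):
    """True when the name shows the tell the macro looks for: a stem made only of
    hex digits (as hash-named samples are) or no extension at all."""
    stem, ext = split_name(filename)
    return ext == "" or bool(HEX_STEM.match(stem))


def suggest_analysis_name(filename):
    """Propose a name containing letters beyond 'f' and an underscore, so the
    hex-name and missing-extension checks both pass during analysis.
    The '.doc' fallback is an assumption for extensionless samples."""
    stem, ext = split_name(filename)
    return "report_" + stem + (ext or ".doc")


def find_evasion_indicators(vba_source):
    """Report which reported evasion constructs and blacklisted process strings
    appear in the macro source."""
    found = sorted(name for name, rx in EVASION_INDICATORS.items()
                   if rx.search(vba_source))
    lowered = vba_source.lower()
    procs = sorted(p for p in REPORTED_PROCESS_BLACKLIST if p in lowered)
    return {"indicators": found, "blacklisted_processes": procs}


def triage(filename, vba_source):
    """Combine the filename tell with the source-level indicators into one verdict."""
    result = find_evasion_indicators(vba_source)
    result["hashlike_filename"] = looks_like_sandbox_sample(filename)
    result["suspicious"] = (len(result["indicators"]) >= 2
                            or bool(result["blacklisted_processes"]))
    return result


# Constructed macro fragment mirroring the reported checks (not a real sample)
SAMPLE_MACRO = r"""
Private Sub Img_Painted()
    ' geo holds the region string returned by the MaxMind lookup
    If Application.Tasks.Count < 50 Then Exit Sub
    For Each t In Application.Tasks
        If InStr(1, LCase(t.Name), "wireshark") > 0 Then Exit Sub
    Next t
    If InStr(UCase(geo), "OCEANIA") = 0 Then Exit Sub
End Sub
"""

if __name__ == "__main__":
    name = "3f9a0c2d4e5b6a7c8d9e0f1a2b3c4d5e.doc"  # constructed hash-style name
    print(triage(name, SAMPLE_MACRO))
    print("rename to:", suggest_analysis_name(name))
```

The filename check is worth running before any sample is submitted to a sandbox, since a detonation under a hash-style name yields a clean report for exactly the reason the article describes.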

The actor behind this Ursnif campaign is also responsible for various other large-scale personalized attacks and is constantly adding new evasion techniques to the malicious macros used in infection campaigns. At the moment, the actor appears focused on preventing the execution of its malware on sandbox systems and on avoiding networks associated with security vendors and other entities.

“Over the last few years, malware sandboxes have become a more common component of the defenses that organizations and enterprises deploy to protect their users and their data. As the examples from this analysis demonstrate, threat actors are concentrating their research and innovation of malware sandbox evasion in an effort to remain ahead of their victims’ defenses,” Proofpoint researchers concluded.

By Ionut Arghire


Windows Trojan Targets Android, iOS Devices via USB Connection

A relatively new Windows Trojan is capable of loading malicious applications onto Android and iOS devices connected to the infected machine via USB.

The threat, dubbed “DualToy” by Palo Alto Networks, has been around since January 2015. While the malware has mainly targeted users in China, the security firm reported that individuals and organizations in the United States, United Kingdom, Thailand, Spain and Ireland were also impacted.

Researchers discovered more than 8,000 unique DualToy samples. Earlier variants were only capable of infecting Android devices, but the Trojan’s developers added iOS capabilities within six months after the threat was first spotted.

On infected Windows PCs, DualToy injects processes, modifies browser settings and displays ads. When an Android or iOS device is connected to the infected PC via USB, the malware starts conducting various activities.

The malware’s developers are counting on the fact that when a user connects a mobile device to the infected computer, that device is likely already authorized, making it easier to use existing pairing records to interact with it in the background.

“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Palo Alto Networks researcher Claud Xiao explained in a blog post.

In order to infect Android and iOS devices, the Trojan checks for the presence of the Android Debug Bridge (ADB) and iTunes on the compromised Windows machine. If these applications are not found, the malware downloads and installs them.

ADB and iTunes are used by DualToy to install various applications on Android and iOS devices connected via USB to the infected computer. In the case of Android, several Chinese-language games were downloaded from a third-party app store.

On iOS phones and tablets, the malware collects system information and sends it back to its command and control (C&C) server. The data includes the device’s name, type, version, model number, serial number, IMEI, IMSI, firmware, and phone number.

DualToy also downloads several .ipa files (iOS application archives), including one that asks users to provide their Apple ID and password. The harvested credentials are encrypted and sent to a remote server.

This app, named Kuaiyong, is a third-party iOS app store, similar to ZergHelper, which in February managed to slip through Apple’s review process and made it onto the official App Store.

Palo Alto Networks has compared DualToy to AceDeceiver and WireLurker, both of which target iOS devices when they are connected to an infected computer.

By Eduard Kovacs


Sophos Unveils Next-Gen Security Product “Intercept X”

In cyber security, the enemy is continually changing and evolving — and defenses against that enemy must adapt and evolve to meet the new threats. Unveiled today, Sophos Intercept X is an example of that evolution, bringing next-gen techniques to the latest threats.

‘Next-gen’ itself is difficult to define. “One of the areas we struggle with,” said Dan Schiappa, senior vice president of the Sophos Enduser Security Group in conversation with SecurityWeek, “is finding a real unified definition for the term. There is a unified definition for a next gen firewall, but for endpoint products there’s just a variety of different flavors.”

“You have to be able to tackle three critical areas covering the whole spectrum,” said Schiappa: “prevention, detection, and clean and respond — and all with the latest technologies. Only when you do that can you be called ‘next-gen’.”

Intercept X is designed to bring new technology to solving the last three of the Nasty Nine elements: crypto ransomware, exploits and clean and respond; and it does so with zero reliance on malware signatures.

All crypto ransomware has one particular characteristic: it encrypts files. Intercept X continuously monitors for the start of an encryption process. “When a process starts to encrypt,” explained Schiappa, “we create a mechanism that does behavioral analysis on that process. At the same time, we save a pre-encrypted version of the affected file into a safe store in an obfuscated area. If we decide that it is a malicious process and we need to evict it, we’ll shut the process down and we’ll clean it up; but we’ll also return the files back to their pre-encrypted state.” Intercept X stops any ransomware, whether it’s known or unknown, and cleans and restores the original files. “If our behavioral analysis indicates that the process is legitimate,” he added, “we just let it continue.”

The anti-exploit part of Intercept X is new. Statistically, 90% of breaches involve exploits; and 90% of the exploited vulnerabilities are already known. But there’s an average delay of 193 days between publication of a vulnerability and that vulnerability being patched on site. Since all Patch Tuesdays are followed by Exploit Wednesdays, there is a huge window of opportunity for vulnerabilities to be exploited. Rather than tackle the vulnerabilities or the exploits directly, Sophos has determined 24 different techniques used within exploits.

“There were about 7000 vulnerabilities published last year,” explained Schiappa, “attacked in hundreds of thousands of different ways — but all using one or more of the 24 techniques.” By monitoring and blocking the exploit techniques, Intercept X is able to stop zero-day exploit attacks without any reference to malware file signatures. Schiappa expects one or two new techniques to appear each year, which will be analyzed and countered, “but we’re no longer on the treadmill of malware and variants continually changing.”

According to Sophos, 66% of IT staff lack incident response skills. Since no security is perfect, companies will get breached regardless of their security defenses. Incident response has become an important part of security’s armory — and the third part of Intercept X is designed to help companies operate a meaningful response. This provides both clean-up and forensics.

“If we see a hacker or piece of malware trying to use one of the known exploit techniques, a data recorder running on the endpoint sends a ‘root-cause chain’ of data up to Sophos Central where we build a report on what happens. We provide the report in different levels of depth suitable for anything from a defense contractor to a small retail store.” At one level, the user can click on the alert notification and Intercept X will show “what happened, where and when it happened, who was logged on at the time, and how it happened. It also provides a list of next steps for the novice incident responder.”

More advanced users can delve deeper. “We provide an asset-based table-driven report for the experts,” said Schiappa. This provides specifics, like what registry changes were made, what processes were launched, and so on. “You can click on specifics to get more detail and see the course of the attack.” The final level is a complete visualization of the attack that can be viewed in its entirety.

Intercept X can be installed as a self-contained stand-alone product. Where the primary Sophos Central endpoint product is already installed, the agents from both products will merge to provide a single endpoint security product. Alternatively, it can run alongside competitor products, without any interference, for a layered security approach.

By Kevin Townsend


Flaw Allows Hackers to Alter “Signal” Attachments

Vulnerabilities discovered by a couple of researchers in the Android version of the secure messaging application Signal can be exploited by remote hackers to alter attachments and cause the app to crash.

Developed by Moxie Marlinspike’s Open Whisper Systems, Signal is a privacy-focused application that provides encrypted instant messaging and voice calling features for iOS and Android. The app is recommended by several renowned privacy advocates, including Edward Snowden, and cryptography experts.

Researchers Markus Vervier and Jean-Philippe Aumasson have analyzed the Android version of Signal and discovered several security issues. One of them is related to the message authentication code (MAC) used to verify attachments.

When users send a file, the attachment is first encrypted and then assigned a MAC that is used to verify the sender and the file’s integrity. The attached file is stored on Amazon’s S3 storage servers and downloaded from there via HTTPS to the recipient’s device.

Vervier and Aumasson determined that a man-in-the-middle (MitM) attacker who has access to the Amazon S3 storage, or to any of the certificate authorities (CAs) trusted by Android, can serve the targeted user an altered attachment. The problem is that the MAC verification function can be bypassed by padding the attachment with 4 Gb plus 1 byte of data.

Experts noted that in practice the attacker does not need to send 4 Gb of data to the victim – they can use HTTP stream compression to reduce the attachment to just 4 Mb.
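The article describes the attachment flow as encrypt, then MAC, then download over HTTPS, and the reported bypass as a padded download. The following Python is an added example written for this page, not Signal's code, showing the receiving side of such an encrypt-then-MAC scheme done defensively: the tag is recomputed over every byte that precedes the trailer before anything is decrypted, the comparison is constant-time, and an announced attachment length (an assumed field carried in the already authenticated message, not something the article describes) rejects a padded download before a single byte is hashed. The encryption layer is left out; the ciphertext and key are constructed stand-ins.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 digest length, appended as a trailer


def mac_attachment(mac_key, ciphertext):
    """Sender side (encrypt-then-MAC): the tag covers the whole ciphertext."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def verify_attachment(mac_key, blob, expected_len=None, chunk_size=1 << 16):
    """Receiver side. Returns the ciphertext when the trailer tag is valid, else None.

    expected_len: the size the sender announced (assumed field). A download of
    any other size, padded or truncated, is refused before hashing starts.
    The HMAC is fed in chunks, so memory stays bounded and the byte count is a
    Python int; no fixed-width length field can wrap on a large file.
    """
    if expected_len is not None and len(blob) != expected_len:
        return None
    if len(blob) < TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    h = hmac.new(mac_key, digestmod=hashlib.sha256)
    for off in range(0, len(body), chunk_size):
        h.update(body[off:off + chunk_size])
    if not hmac.compare_digest(h.digest(), tag):  # constant-time comparison
        return None
    return body


def demo():
    """Exercise the verifier on a genuine blob and three altered downloads."""
    key = b"constructed-32-byte-mac-key-demo"        # constructed, 32 bytes
    ciphertext = b"\x17" * 1000                       # stands in for encrypted data
    blob = mac_attachment(key, ciphertext)
    return {
        "genuine": verify_attachment(key, blob, expected_len=len(blob)) == ciphertext,
        "padded": verify_attachment(key, blob + b"\x00" * 4097) is None,
        "wrong_len": verify_attachment(key, blob, expected_len=len(blob) + 1) is None,
        "bitflip": verify_attachment(key, bytes([blob[0] ^ 1]) + blob[1:]) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The padded case shows why the trailer position must be derived from the actual byte count of the whole download and why the tag must be checked over all of it: any suffix the verifier does not hash is a suffix an intermediary controls.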

Another flaw disclosed by Vervier and Aumasson is related to the application’s CallAudioManager class and how it handles Real-time Transport Protocol (RTP) packets. The security hole allows a remote attacker to crash the messaging app, but experts believe it could also be possible to exploit it for other purposes. The problematic code may be present in other applications as well.

The vulnerabilities were reported to Signal developers on September 13 and fixes were committed to GitHub on the same day, but the latest version of the app available on Google Play was released on September 9, which means that a patched Android version has yet to be released. Other issues discovered by the researchers in Signal will be disclosed at a later time.

By Eduard Kovacs


Chinese Researchers Remotely Hack Tesla Model S

Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it’s parked or on the move.

An 8-minute video published on Monday by Tencent’s Keen Security Lab shows that researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could control the sunroof, the turn signals, the position of the seats, all the displays, and the door locking system.

While the car was on the move, the white hat hackers showed that they could activate the windshield wipers, fold the side view mirrors, and open the trunk. They also demonstrated that a remote hacker can activate the brakes from a long distance (e.g. 12 miles, as shown in the experiment).

According to Keen Lab researchers, the attacks they demonstrated are possible due to a series of vulnerabilities that have been chained together.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” the researchers said. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.”

Based on the video made available by Keen Lab, it appears that a specific Tesla Model S can be identified and hacked while its owner is searching for nearby charging stations.


The vulnerabilities have been disclosed to Tesla Motors through the company’s Bugcrowd-hosted bug bounty program. According to Keen Lab, Tesla has confirmed the flaws and is working on addressing them. Fortunately, Tesla can release over-the-air firmware updates, which means that, unlike other carmakers, the company does not need to recall vehicles to apply security patches.

SecurityWeek has reached out to Tesla for comment and will update this article if the company’s representatives respond.

Tesla launched its bug bounty program in June 2015, more than a year after researchers started demonstrating that its vehicles could be hacked. After initially offering only up to $1,000 per vulnerability, in August 2015, the company decided to increase bug bounty payouts to a maximum of $10,000 for each flaw found in websites, mobile applications and vehicle hardware.

Research conducted over the past years by several experts – the most well-known are Charlie Miller and Chris Valasek, who have managed to hack cars both locally and remotely – has led to the launch of companies and departments that specialize in automotive security. Earlier this month, Volkswagen announced that it has teamed up with Israeli security experts to launch a new firm called CYMOTIVE Technologies.

UPDATE. Tesla told SecurityWeek that it addressed the vulnerabilities found by Keen Lab within 10 days after learning of their existence. The company pointed out that the attacks are not “fully” remote and they are not as easy to conduct as the researchers have suggested. The company has provided the following statement:

“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.


We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.”

The attack launched from 12 miles contradicts Tesla’s claims that the targeted vehicle must be connected to a malicious hotspot. This has led experts to believe that Keen Lab may have found a way to gain persistence.

“At first glance, it would appear that the details provided by the researchers conflict somewhat with the information released by Tesla. While the researchers indicated that they could compromise a car from 20km, Tesla has reported that the car must be connected to a malicious Wi-Fi and the standard range for this is at most 300m. This could indicate that the attackers found a way to gain persistence on the car after it has disconnected, but then the 20km range seems oddly short. Instead I suspect that the attack may have actually been possible by another user on the same cell tower or with a cell site simulator,” Tripwire researcher Craig Young told SecurityWeek.

“In this case, I hope that the researchers do release further details to help understand the automotive attack surface better. The disclosure definitely is a cause for alarm as the attack definitely involved exploitation of a web browser leading to physical control over the car. Ideally these systems should be completely isolated from one another,” Young added.

By Eduard Kovacs


Flaw Allowed Hackers to Hijack Facebook Pages

An Indian researcher earned a significant bug bounty from Facebook after discovering a serious vulnerability that could have been exploited to hijack Facebook pages.

The flaw, identified by Arun Sureshkumar, affected Facebook Business Manager, a free tool that allows users to manage ad accounts, pages, apps and the people who work on them.

When users assign a partner to their page via Business Manager, they need to specify the partner’s business ID and their role. The problem, according to the expert, was that the request sent in the process contained several parameters, including the identifiers of the page and the businesses involved, that could be freely manipulated because the server did not verify that the requester was authorized to act on the referenced page: an insecure direct object reference (IDOR) vulnerability.

An attacker could generate a request using test accounts, intercept it, and modify the value of various parameters in order to assign an arbitrary page to their own Facebook Business Manager account. Once the modified request was resubmitted, the hacker would gain control of the targeted page.
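The flow described above, as an added model that is not Facebook's code: a partner-assignment handler that trusts the identifiers in the request body (the IDOR) next to one that checks that the caller's business owns the page before delegating a role. The data model, business and page IDs, and role names are constructed for the example.

```python
"""IDOR in a partner-assignment handler versus an ownership check.
Constructed example; not Facebook's code. All names and IDs are assumed."""
from dataclasses import dataclass, field

ALLOWED_ROLES = {"admin", "editor", "analyst"}  # assumed role vocabulary


@dataclass
class Page:
    page_id: int
    owner_business_id: int
    roles: dict = field(default_factory=dict)  # partner business ID -> role


def make_pages():
    """Constructed state: business 1 owns page 100, business 2 owns page 200."""
    return {
        100: Page(100, owner_business_id=1, roles={1: "admin"}),
        200: Page(200, owner_business_id=2, roles={2: "admin"}),
    }


def assign_partner_vulnerable(pages, session_business_id, form):
    """Vulnerable: every identifier comes from the request and is trusted.
    The session identity is never compared with the page being modified,
    so an intercepted request with page_id swapped to a victim's page
    grants the attacker's business a role on it."""
    page = pages[int(form["page_id"])]
    page.roles[int(form["partner_business_id"])] = form["role"]
    return {"status": "ok", "page_id": page.page_id}


def assign_partner_hardened(pages, session_business_id, form):
    """Hardened: authorization is decided from the server-side session, not
    from the request body. Only the owner of a page may delegate roles on it,
    and the role must come from a known vocabulary."""
    role = form.get("role")
    if role not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    page = pages.get(int(form["page_id"]))
    # One answer for "no such page" and "not your page": don't leak existence.
    if page is None or page.owner_business_id != session_business_id:
        raise PermissionError("not authorized for this page")
    page.roles[int(form["partner_business_id"])] = role
    return {"status": "ok", "page_id": page.page_id}


def tampered_request():
    """The request an attacker (business 2) would resubmit after intercepting
    a legitimate assignment from their own test account and editing page_id
    to point at a page they do not own."""
    return {"page_id": "100", "partner_business_id": "2", "role": "admin"}


def run_attack(handler):
    """Apply the tampered request through `handler` as business 2 and report
    whether business 2 ended up with a role on page 100."""
    pages = make_pages()
    try:
        handler(pages, 2, tampered_request())
    except PermissionError:
        pass
    return 2 in pages[100].roles


if __name__ == "__main__":
    print("vulnerable handler: attacker on page 100 ->", run_attack(assign_partner_vulnerable))
    print("hardened handler:   attacker on page 100 ->", run_attack(assign_partner_hardened))
```

The fix is not input validation of the IDs themselves (they are well-formed) but an authorization decision keyed on the authenticated session, which is the check an IDOR is defined by lacking.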

Sureshkumar claims the technique could have been used to hack any Facebook page, including ones belonging to high-profile individuals. The expert has published a video demonstrating his findings.

The vulnerability was reported to Facebook on August 29 and it was fully patched by September 6. The social media giant has decided to award the researcher a $16,000 bounty. The company said the bounty was higher because it discovered and fixed another issue while investigating Sureshkumar’s report.

This was not the first time the expert received a significant bounty from Facebook. Earlier this year, he reported getting $10,000 after responsibly disclosing a serious account takeover vulnerability.

By the end of 2015, Facebook had paid out more than $4.3 million to researchers since the launch of its bug bounty program in 2011.

By Eduard Kovacs