Terror groups likely to be first to unleash cyber weapons

Terror groups, not nation states, are the most likely to unleash devastating cyber weapons, according to Eugene Kaspersky, chief executive and co-founder of security firm Kaspersky Lab.

“I am 99.99% sure some nation states have developed top secret cyber weapons,” he told attendees of IPExpo at Excel in London. Unlike traditional weapons, cyber weapons can be reverse engineered, improved and used on those who developed them, so nation states are unlikely to use them on each other.

“But I am really afraid some terrorist group will pay cyber criminals to develop and deploy such weapons on their behalf,” he said, noting that some cyber criminals work like mercenaries, providing cyber crime services to anyone who is willing to pay.

Kaspersky said cyber weapons are likely to fall in one of three categories: those aimed at causing physical damage, destroying critical data and telecommunications.

He cited Stuxnet and attacks on power suppliers in Ukraine as examples of the first, the attack on Saudi Aramco an example of the second, and the telecommunication blackout in Estonia in 2007 an example of the third.

“We are living in a dangerous world, where we can’t trust anything. Cyber is now just about everywhere, and it is vulnerable. Everything can be stolen and is open to compromise,” said Kaspersky.

Critical infrastructure is the most “problematic” and probably the “scariest” area, he said, because cyber criminals are well-resourced and can attack even well-protected networks.

“Cyber criminal groups are very professional and have shown that they can get past the security of well-known companies that typically invest a lot in cyber defence,” said Kaspersky.

He warned that all operating systems are under attack. “It is not only Microsoft Windows, but also Android, Mac OS, Linux and iOS,” he said.

According to Kaspersky, the vast majority (384 million) of malicious files detected are aimed at Windows, compared with Android (18 million) and Mac OS (30,000).

There are still only around 600 aimed at iOS, but Kaspersky believes nation states are behind most of those. He also blamed the lack of Mac OS threat on the lack of good Mac OS engineers.

“We struggle to find good Mac OS engineers to work for us, and I am guessing that cyber criminals have the same problem.”

Despite painting a gloomy picture, Kaspersky said the situation was far from hopeless because there are things that can be done to reduce the likelihood and impact of cyber attacks.

According to Kaspersky, essential practices for enterprises for protecting critical data include regular security audits and sound cyber security strategies, minimising all network connections by allowing only those that are absolutely necessary for the business to function, and allowing only trusted applications and processes because “endpoint security controls are not enough on their own”.

Essential practices for operators of industrial control systems, particularly operators of critical infrastructure, include air-gapping critical systems, continually monitoring trusted processes using a secure operating system, and putting all new equipment onto secure operating systems.

In support of this approach, Kaspersky Lab has developed a secure operating system for it process monitoring system, which is a combination critical infrastructure operators can use until they are able to migrate all systems to a secure operating system.

“This migration process will take years, but the sooner we start, the sooner we will be in a position that is much more secure,” he said.

By Warwick Ashford

Source http://www.computerweekly.com/news/450400518

FBI confirms more state voter databases targeted by attackers

A patch for a low-severity OpenSSL vulnerability issued last week actually made things worse and created a new, more severe vulnerability in the open source cryptographic library.

In an unusual move, the OpenSSL Project bypassed its usual process for announcing vulnerabilities and patch availability, and it instead rushed out a new set of emergency patches to fix the new critical vulnerability.

“This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016,” the OpenSSL Project wrote. “Given the critical severity of one of these flaws, we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification.”

The original flaw, one of 14 fixed in the OpenSSL patch release on Sept. 22, enabled a transitory denial-of-service attack through memory exhaustion and had a low severity rating; the new vulnerability introduced by the patch could allow an attacker to execute arbitrary code on a victim system.

“Due to the way memory is allocated in OpenSSL, this could mean an attacker could force up to 21 MB to be allocated to service a connection. This could lead to a denial of service through memory exhaustion,” according to the original OpenSSL vulnerability advisory. “However, the excessive message-length check still takes place, and this would cause the connection to immediately fail.” Although, the excessive memory allocation is freed immediately, as long as the application uses the SSL_free() function to free up that allocated memory. “Therefore, the excessive memory allocation will be transitory in nature.”

The new critical OpenSSL vulnerability opened by the patch “resulted in an issue where if a message larger than approximately 16 KB is received, then the underlying buffer to store the incoming message is reallocated and moved,” OpenSSL wrote. “Unfortunately, a dangling pointer to the old location is left, which results in an attempt to write to the previously freed location. This is likely to result in a crash; however, it could potentially lead to execution of arbitrary code.”

By Peter Loshin

Source http://searchsecurity.techtarget.com/news/450400177

DNS monitoring can help deanonymize Tor users

New research claims the efforts expended on the Tor project may be focusing on the wrong issues because “its use of DNS has received little attention,” and researchers have proven DNS monitoring can be used to deanonymize Tor users.

The finding, published in the paper “The Effect of DNS on Tor’s Anonymity,” was a collaborative effort between researchers at the KTH Royal Institute of Technology in Stockholm, Sweden; Karlstad University in Karlstad, Sweden; and Princeton University in Princeton, N.J.

In a blog post on the topic, one of the researchers, Philipp Winter, postdoctoral researcher in computer science at Princeton University, said a significant fraction of Tor exit relays send DNS requests to Google’s public domain name resolvers, which creates a centralized point of control and observation where DNS monitoring can be used in an attack — something Tor was designed to avoid.

“It is well-understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries,” Winter wrote. “We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network. Then the adversary can run a correlation attack, meaning that it can match packets that go into the network to packets that leave it, or in other words, it can link a client’s identity (her IP address) to her activity (e.g., visiting Facebook), and thus, break anonymity.”

Lance James, chief scientist at Flashpoint, told SearchSecurity DNS monitoring attacks have commonly been an issue for Tor.

“This attack isn’t completely new in nature. There is research from multiple parties that have known this for a while, specifically using Google’s [resolver,]” James said. “In reality, Google’s DNS probably has the widest view of Tor-leaked traffic on the internet, and with a data set of that size and detail one can do amazing research with traffic analysis — not that they would per se.”

According to the research, Google’s public DNS servers can at times comprise 40% of exit bandwidth of Tor users, which they said is “an alarmingly high number for a single organization” and that Tor relay operators “should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.”

“We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks,” researchers wrote. “Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites.”

James said these DNS monitoring techniques aren’t trivial and require access to controlling the autonomous system network like Google or an ISP.

“This attack will likely be deployed at a specific target, not a general Tor user. In many cases in the U.S., if you are targeted specifically it is due to breaking the law or doing something that causes concern to national security,” James said. “In other countries this rule tends to apply as well. Dissidents that expect protection from Tor could be in danger, but in the reality, using Tor in itself is already a fingerprint and this attack would not matter if the adversary is at the ISP level.”

Winter said this research shouldn’t necessarily create immediate cause for concern.

“Adversaries that can already monitor large fractions of the internet — for many people, the biggest threat — will not do any better with our attack,” Winter wrote. “Instead, we investigate how ‘semi-global’ adversaries can get the most out of the data they have. Finally, the Tor Project is already working on techniques to make website fingerprinting attacks harder.”

By Michael Heller

Source http://searchsecurity.techtarget.com/news/450400404

Release of Mirai IoT botnet malware highlights bad password security

The malware code behind the IoT botnet responsible for the recent, massive DDoS attacks has been released. And although there are lessons to be learned from it, experts suspect the release will cause more harm than good.

The Mirai botnet malware was released in the hacking-community website Hack Forums by a user named Anna-senpai, who claims to be the author of the code. Mirai was the botnet malware used in the distributed denial-of-service (DDoS) attack that took down the site of infosec journalist Brian Krebs and was clocked at 620 Gbps. Both names Anna and Mirai reference Japanese anime. Anna-senpai adopted the honorific senpai because the hacker sees himself or herself as a teacher for those wanting to use the Mirai malware. But the Japanese word for teacher is sensei, not senpai.

Anna-senpai did not take responsibility for that attack and said it was time to leave the game. In the forum post, Anna-senpai wrote, when he or she first got into the DDoS industry, “I wasn’t planning on staying in it long. I made my money,” and now it’s time to get out. “So, today, I have an amazing release for you. With Mirai, I usually pull max 380k [380,000] bots from Telnet alone. However, after the Kreb [sic] DDoS, ISPs [have] been slowly shutting down and cleaning up their act. Today, max pull is about 300k [300,000] bots and dropping.”

Anna-senpai went on to describe the system requirements for running the malware and tips for configuring the Mirai botnet malware. Anna-senpai claimed someone should be able to set up a working botnet in under one hour with the scripts and code provided.

Experts said the malware does take skill to implement properly, but Rick Holland, vice president of strategy for San Francisco-based Digital Shadows Ltd., said the “code release is particularly dangerous, since it once again lowers the barrier to entry for threat actors.”

“This release will cause more harm than good. The good that will come out of it is that it will raise awareness around denial-of-services attacks,” Holland told SearchSecurity. “Of course, awareness isn’t a security control and won’t be able to prevent DDoS attacks. Organizations will need to move from awareness to actual mitigation.” MalwareTech said on Twitter it might not be so easy for threat actors to get started with the code.

Jean-Philippe Taggart, senior security researcher at Malwarebytes, based in Santa Clara, Calif., said this opens the possibility of more large botnets, as well as the possibility that “a less experienced attacker might accidentally damage these IoT [internet of things] devices through poor coding and lack of experience.”

“Mitigating against an IoT DDoS is difficult, as these machines can have legitimate IP addresses, making filtering bona fide traffic difficult,” Taggart told SearchSecurity. “A more advanced threat actor could also patch these IoT devices in such a way as to only allow them to be accessible by them.”

Gunter Ollmann, CSO of Vectra Inc., based in San Jose, Calif., said the Mirai IoT botnet malware could be modified in unknown ways in the future.

“The botnet agent is particularly versatile and has a number of precoded install packages for a wide variety of common system-on-chip platforms,” Ollmann told SearchSecurity. “This means that copycat botnet operators will not need to learn or understand the differences of the platforms, but can target them anyway; in essence, dumbing down the skill level needed to launch such attacks going forward.”

Anna-senpai said the Mirai malware propagated by brute-forcing IoT device passwords via Telnet in a way that is 80 times faster and 20 times less resource-intensive than traditional botnet malware Qbot.

Ollmann said one impressive feature of the malware was the ability to use multiple IP address to bypass port exhaustion in Linux.

“The purpose here is to increase the total number of outbound connections that can be created and to overload the receiving device by exhausting their number of inbound connections, which will likely be maxed out at 65k [65,000] for a single port or protocol,” Ollmann said. “DDoS caused by connection saturation is often preferred as an attack vector because it doesn’t require high volumes of traffic. Therefore, a DDoS state can be achieved using a smaller number of attacking devices and requires less bandwidth to achieve the desired goals.”

Jerry Gamblin, lead security analyst at CARFAX, based in Centreville, Va., said the Mirai code highlighted troubles with users leaving the default passwords on IoT devices.

“The fact that devices are still running Telnet should be shocking, but, unfortunately, it isn’t,” Holland said. “The same is true for admin:admin credentials. All too often, we see nonexistent or poor security on these types of devices.”

Ollmann said this is a design flaw that IoT makers will have to consider in the future.

“All such devices need to ship with some kind of default credentials, so that the purchaser can configure the device for their own network environment. The real problem is that the owners are negligent in not changing these accounts after installation,” Ollmann said. “Future vendors of products like this should perhaps adopt practices which force the owner of the device to change the default password before they’re allowed to proceed further with configuration — and also to do some basic password integrity checking to prevent common or reused passwords. This would be pretty easy to do.”

Ollmann suggested a few basic security procedures to mitigate risk.

“The obvious advice for reducing the probability of compromise today is change the default admin credentials on the IoT device, or change or remove any other nonadmin credentials on the device,” Ollmann said. “And ensure that the IoT device sits behind a firewall and that the firewall is configured to drop by default all protocols not absolutely required for the operation of the IoT device.”

Holland said the first step toward mitigating the risk of having your IoT devices used in a DDoS botnet is to be aware of your IoT footprint.

“Far too often, organizations aren’t aware of the actual IoT inventory within their environments. The next step is to understand the available configuration settings of the devices that are deployed. These could be quite limited, given the lack of security practices within IoT,” Holland said. “Ultimately, we will need to apply pressure to IoT vendors that security must be built into the devices, because unlike many traditional IT assets — like endpoints or servers — bolting on security isn’t an option.”

by Michael Heller

Source http://searchsecurity.techtarget.com/news/450400369

The Malware Battle Is Mostly Silent

Malware’s success relies on the ability to remain stealthy, and the authors of malicious programs go to great lengths to make that happen, while also ensuring that their identity remains hidden.

As a general rule, malware developers tend to avoid contact with security researchers to avoid stepping into the spotlight, but this rule can be broken occasionally. Having worked before with software developers, I know how keen some are about correctly presenting the capabilities of their creations. At the time, that made perfect sense, because an application’s popularity (and sometimes price) is influenced not only by the included capabilities and looks, but also by accurate reviews.

It was surprising to see there are malware developers who would come out of the shadows to voice discontent regarding a report on their “product.” However, such developers exist, and the creator of a piece of mobile malware called Bilal Bot is one example. Seeing that IBM’s report on the malware is outdated, the author decided to contact the security firm to address this.

Bilal Bot was detailed back in April, alongside other mobile malware targeting Android, when researchers suggested that it was less sophisticated than its competitors GM Bot and KNL Bot, and that it was also cheaper. Now the malware developer says that, because the product moved from the beta state it was in April, its feature list and price changed, and IBM’s report should be updated. Moreover, the developer said he was open to an interview about the malware, IBM reveals.

Usually, when a developer requests an update to a report on their software specifically to bring new features into the spotlight, it means they want to increase the buzz around the program, and this is exactly what Bilal Bot’s developer seems to have attempted here as well.

As it turns out, however, this case represents an exception to the rule, as most malware developers would rather stay in the shadows than talk to security researchers. Most don’t like the kind of publicity security reports provide, because these reports don’t allow malware developers to stay under the radar, a malware hunter said, responding to SecurityWeek inquiry.

The security researcher also told us that malware creators would leave messages in their code if they want to, but that they would normally try to avoid attention from the anti-virus/security community, because it could hurt their business. What’s more, he says, threats that make it constantly to the headlines evolve to better avoid detection, so reporting on malware could turn into a double-edged sword.

Cybercriminals would certainly use anything to increase their legitimacy, including abusing security reports as “social proof,” Heimdal Security’s Andra Zaharia tells SecurityWeek. Although it’s still surprising that Bilal Bot’s creator adopted this behavior, it’s clear that a malware developer exhibiting the characteristics of a legitimate business owner would want their product to be correctly portrayed, otherwise pricing would be impacted.

Instead of abusing news reports for fame, cybercriminals usually go quiet after security researchers report on their creations, Maya Horowitz, Group Manager, Threat Intelligence at Check Point, told SecurityWeek.

“We have seen malware disappear after our reports, as in the case of the Nuclear Exploit Kit this last spring. Most recently, we saw the Cerber ransomware developers adapt to counter our research and decryption tool. The developers even left a message to anyone using our decryption tool, saying that they had modified the malware. Usually malware developers try to lower their profile after the malware is revealed and attempt to upgrade it to avoid discovery,” Horowitz says.

However, she does agree that security reports can be abused as well, because “breaches demonstrate the malware’s efficiency.” Stuxnet, she says, is a great example of how hackers can learn from reports about other malware and implement the same tactics in their own products.

Kaspersky Lab’s Anton Ivanov, senior malware analyst, also believes that threat actors always keep an eye on security blogs to find new techniques for their malware. Thus, as soon as detailed information about a vulnerability is published, an increase in the usage of that vulnerability can be observed, he says.

Security reports, Ivanov says, tend to be bad advertising for the malware, because that malicious program becomes known to security researchers. However, he also reveals that malware developers would sometime contact Kaspersky via embedded data, “which is usually encrypted and located in some part of malware module.” These messages, he says, usually contain greetings to researchers, and one came from Angler’s developers, located in FLV exploit.

However, not all such messages are greetings, as Emsisoft Malware Lab’s researches have often discovered. Most recently, angry with the researcher’s ability to break the encryption of their ransomware called Apocalypse, the creator of this threat decided not only to include abusive comments in the malware’s code, but also to rename the malicious program to “Fabiansomware.” The coder’s hate was focused at Fabian Wosar, Emsisoft CTO and head of the company’s Malware Research Lab.

For security researchers, the fact that malware authors include abusive messages in their code comes as an acknowledgement of their work. Thus, researchers will continue to report on new and updated malware, regardless of whether developers are dissatisfied with how their malware is portrayed or are unhappy that they made it to the headline.

“We believe it’s crucial to inform Internet users, whether home users or people involved in companies, of emerging cyber threats. It’s not only about building awareness, but it’s also an essential tool to help people learn how to get protected,” Andra Zaharia said. “We believe that spreading correct and relevant information about new and improved malware is an important part of helping people become more aware of the issue and its potential impact.”

The general consensus is that while security researchers will continue to publish relevant information about discovered threats, already established malware families will continuously evolve in their attempt to avoid detection. Their developers will certainly try to stay as hidden as possible. Hungry enough for attention, newcomers might contact security researchers to point out incorrect reports, but the battle with malware remains mostly a silent one.

By Ionut Arghire

Source http://www.securityweek.com/malware-battle-mostly-silent

HDDCryptor Leverages Open Source Tools to Encrypt MBR

Malware that uses open source tools for malicious purposes isn’t new, yet ransomware leveraging such tools to encrypt the entire hard drive by rewriting the MBR (Master Boot Record) is, researchers warn.

The new malicious program that combines the two is called HDDCryptor, but also known as HDD Cryptor or Mamba ransomware. The threat was spotted for the first time in the beginning of this year, although it caught the attention of researchers in the past several weeks after was featured in a larger campaign.

Earlier this year, researchers detailed disk-level ransomware variants such as Petya, which emerged in March, but only manipulated the MBR to take over the boot process but didn’t encrypt user’s files. To encrypt user files too, Petyastarted dropping additional ransomware, called Mischa, and their modus operandi was already adopted by a ransomware variant called Satana.

HDDCryptor, however, leverages the DiskCryptor open source tool to strongly encrypt user’s data and to overwrite the MBR, Renato Marinho, Director at Morphus Segurança da Informação, explains.

According to Trend Micro researchers, the new piece of ransomware targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), while also locking the drive. Because of its damaging routine, the ransomware should be treated as a “very serious and credible threat not only to home users but also to enterprises,” Trend Micro says.

HDDCryptor is being distributed via files downloaded from malicious websites, and is installed by dropping multiple components to the system’s root folder. These components include dcapi.dll (detected as Ransom_HDDCRYPTOR.A), dccon.exe(to encrypt the disk drive), dcrypt.exedcrypt.syslog_file.txtMount.exe (scans mapped drives and encrypts files stored on them), netpass.exe (to scan for previously accessed network folders), netuse.txt (to store information about mapped network drives), and netpass.txt (to store user passwords).

To gain persistence, the malware adds a new service called DefragmentServiceand executes it via command line. Some of the analyzed samples, researchers say, also showed network-encrypting behavior, though others had no propagation routines. However, the Mount.exe component was clearly meant for enumerating mounted drives to encrypt their files, as well as for discovering previously connected drives or cached disconnected network paths and connecting to them using all credentials captured using the tool netpass.exe.

In addition to leveraging DiskCryptor (which supports AES, Twofish and Serpent encryption, including their combinations, in XTS mode) for disk and network file-level encryption, the ransomware abuses the open source disk encryption software to overwrite the Master Boot Record (MBR). The malware displays its ransom note by adding a modified bootloader instead of using the system’s normal log-in screen.

The security researchers also observed that the ransomware would forcefully reboot the compromised system after two hours of full disk activity (no user interaction needed), and that it would reboot the machine twice in some cases. Moreover, they reveal that the copy of the DiskCryptor dropped by the malware was the same file available on the open source tool’s download page (the software hasn’t been updated since September 7, 2014, it appears), but that a modified version of netpass.exe was used.

“HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals,” Trend Micro researchers note.

According to Marinho, the password used to encrypt the disk is given as a parameter. The researcher also notes that there is a chance that the same password is used on all compromised machines, or that the password is “something related to the victims’ environment, like the hostname, or something like that.” He also notes that the ransomware’s authors might be focused on servers and that they have already received payment from at least four victims.

By Ionut Arghire

Source http://www.securityweek.com/hddcryptor-leverages-open-source-tools-encrypt-mbr

Yahoo Pressed to Explain Huge ‘State Sponsored’ Hack

Yahoo faced pressure Friday to explain how it sustained a massive cyber-attack one of the biggest ever, and allegedly state-sponsored allowing hackers to steal data from half a billion users two years ago.

The US online giant said its probe concluded that “certain user account information was stolen” and that the attack came from “what it believes is a state-sponsored actor.”

The comments come after a report earlier this year quoted a security researcher saying some 200 million accounts may have been accessed and that hacked data was being offered for sale online.

“Yahoo is working closely with law enforcement on this matter,” said Yahoo, adding it believes data linked to at least 500 million user accounts was stolen — in what could be the largest-ever breach for a single organization.

Yahoo said the stolen information may have included names, email addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims’ other online accounts.

While there is no official record of the largest breaches, many analysts have called the Myspace hack revealed earlier this year as the largest to date, with 360 million users affected.

In 2014 a US firm specialised in discovering breaches said that a Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses.

The firm, Hold Security, gave no details of the companies affected by the hack.

Ammunition for hackers

Computer security analyst Graham Cluley said the stolen Yahoo data “could be useful ammunition for any hacker attempting to break into Yahoo accounts, or interested in exploring whether users might have used the same security questions/answers to protect themselves elsewhere on the web.”

He noted that while Yahoo said that it believes the hack was state-sponsored, the company provided no details regarding what makes them think that is the case.

“If I had to break the bad news that my company had been hacked… I would feel much happier saying that the attackers were ‘state-sponsored,'” rather than teen hackers, Cluley said in a blog post.

University of Notre Dame associate teaching professor and data security specialist Timothy Carone told AFP that the Yahoo hack fit the “big picture” when it comes to cyberattacks launched by spy agencies in Russia, China, North Korea or other countries.

“It just smacks of traditional trade craft,” Carone said. Chinese hackers have been accused of everything from stealing corporate secrets to an enormous breach of US government personnel files that affected a staggering 21.5 million people and reportedly led Washington to pull its intelligence operatives out of China.

North Korea is known to operate an army of thousands of elite hackers accused of launching crippling cyber-attacks on South Korean organisations and officials over the years.

But it was the high-profile hacking attack on Sony Pictures in December 2014 that shed light on the growing threat of the North’s hacking capability, although Pyongyang denied responsibility for the attacks.

It appeared that looted Yahoo data did not include unprotected passwords or information associated with payments or bank accounts, the Silicon Valley company said.

Yahoo is asking affected users to change passwords, and recommending anyone who has not done so since 2014 to take the same action as a precaution.

Users of Yahoo online services were urged to review accounts for suspicious activity and change passwords and security question information used to log in anywhere else if it matched that at Yahoo.

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” Yahoo said in a statement.

“Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.”

Yahoo being bought

Confirmation of the major cyber breach comes two months after Yahoo sealed a deal to sell its core internet business to telecom giant Verizon for $4.8 billion, ending a two-decade run as an independent company. It was not immediately clear if the data breach could impact the closing of the deal or the price agreed by Verizon.

“Frankly, the timing couldn’t be worse for Yahoo,” Cluley said. The telecom firm said it was reviewing the new information. “Within the last two days, we were notified of Yahoo’s security incident,” Verizon said in a statement.

“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”


Source http://www.securityweek.com/yahoo-pressed-explain-huge-state-sponsored-hack

Version 3 of Qadars Trojan Targets UK Banks

The customers of 18 banks in the United Kingdom have been targeted by cybercriminals in a campaign leveraging the latest major version of the Qadars banking Trojan.

Qadars has been around since 2013, but IBM X-Force researchers said the third major version of the malware was only released in the first quarter of 2016. Since 2015, cybercriminals have been using the malware in attacks aimed at Australia, Canada, the United States and the Netherlands, but the latest variant has been set up to target the U.K. as well.

The malware has a modular architecture and provides all the features needed by cybercriminals to steal money from bank accounts, including web injections fetched in real time from a remote server, systems for monitoring and manipulating browser activity, SMS hijacking apps for bypassing 2FA, and automated transfer system (ATS) panels that make it easier to manage operations.

In addition to banks, the Trojan has been used to steal credentials for social networks, sports betting websites, e-commerce platforms and payment services.

Qadars v3 variants bring improved performance for web injection mechanisms, and they are better at evading detection and preventing researchers from analyzing them. Obfuscation has been enhanced, and the Tor network is used for downloading modules and for C&C communications.

In order to gain administrator rights on the targeted machine, the Trojan displays a fake Windows security update, which triggers a user account control (UAC) dialog that keeps popping up until the victim clicks “Yes” and grants Qadars elevated privileges.

“Qadars attack volumes, compared to Trojans like Neverquest or Dridex, are more humble. While it is not one of the top 10 financial malware threats on the global list, however, this Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities,” explained IBM’s Limor Kessem and Hanan Natan. “It’s possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, likely to keep their operation focused and less visible.”

Based on the Qadars v3 release notes published in May 2016, researchers believe the malware’s author is most likely a Russian-speaking black hat.

Qadars is not the only banking Trojan spotted recently in attacks aimed at the U.K. The list of threats configured to target the country also includes Panda Banker, Marcher and Ramnit.

By Eduard Kovacs

Source http://www.securityweek.com/version-3-qadars-trojan-targets-uk-banks

Ursnif Banking Trojan Uses New Sandbox Evasion Techniques

The actor behind the Ursnif banking Trojan has been using new evasive macros in their latest infection campaign, demonstrating continuous evolution of tools and techniques, Proofpoint researchers reveal.

In the latest observed distribution campaign, the Trojan is dropped onto the victim’s computer via weaponized Word documents. Before the infection takes place, however, the malicious macros in these documents check the machine to ensure that the Trojan can successfully evade detection and hinder analysis.

Previously, the threat would check for the public IP address of the infected machine and for the number of accessed Microsoft Word files to determine whether it was running inside a virtual environment. Now, the actor behind it, known as TA530, decided to add new sandbox evasion checks to the malicious macros, to better tailor the threat for evasion, researchers explain.

Following the recent update, the macro checks whether the filename contains only hexadecimal characters before the extension and ensures that there are at least 50 running processes with a graphical interface via Application.Tasks.Count. Moreover, it includes a process blacklist using Application.Tasks and has also expanded the list of strings it checks using MaxMind.

In the newly spotted campaign, the threat actor also used a Painted Event control (observed as Img_Painted) for macro execution when the user opened the document. Usually, malware uses autorun options for macro execution like Document_Open(), but Ursnif has decided to adopt said ActiveX control instead.

This week, a highly personalized spam campaign associated with this threat has been observed utilizing company names, personal names, titles, etc., to deliver the malicious Word documents. To lure the unsuspecting user to enable the macro, the document claims to be protected against unauthorized use. Once the user allows the macro to run, Ursnif ID “30030” is dropped, targeting Australian banking sites with web injects.

Following the update, the malicious macro checks if the Word filename contains only hexadecimal characters, because files submitted to sandboxes often use SHA256 or MD5 hash as the filename. Thus, the malicious payload is dropped onto the target system only if the filename contains letters after “f”, underscores, or spaces and if an extension is appended to it.

The macro also checks the number of running processes with a graphical interface, because real systems usually have more than 50 tasks, while sandboxes have as few as possible. Next, the macro performs a case-insensitive check against a blacklist of processes that could be present in a sandboxed environment, such as “fiddler”, “vxstream”, “vbox”, “tcpview”, “vmware”, “process explorer”, “vmtools”, “autoit”, “wireshark”, “visual basic”, and “process monitor”.

The macro also abuses the well-known geo-location service MaxMind to check whether the target machine is located in Australia, because it is targeting only this country in the latest campaign. More specifically, the macro checks that the results returned by MaxMind include “OCEANIA,” the region of the tropical Pacific Ocean that includes Australia.

The results are checked against an expanded list of blacklisted networks and the infection process is dropped if the target machine is located in one of these networks. Interestingly, in addition to security vendors, the list also includes networks belonging to “hospital”, “university”, “school”, “science”, “army”, “veterans”, “government”, and “nuclear.” Most probably, this check was included to minimize exposure to researchers and military or government entities, researchers say.

The actor behind this Ursnif campaign is also responsible for various other large-scale personalized attacks and is constantly adding new evasion techniques to the malicious macros used in infection campaigns. At the moment, the actor appears focused on preventing the execution of its malware on sandbox systems and on avoiding networks associated with security vendors and other entities.

“Over the last few years, malware sandboxes have become a more common component of the defenses that organizations and enterprises deploy to protect their users and their data. As the examples from this analysis demonstrate, threat actors are concentrating their research and innovation of malware sandbox evasion in an effort to remain ahead of their victims’ defenses,” Proofpoint researchers concluded.

By Ionut Arghire

Source http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques

Windows Trojan Targets Android, iOS Devices via USB Connection

A relatively new Windows Trojan is capable of loading malicious applications onto Android and iOS devices connected to the infected machine via USB.

The threat, dubbed “DualToy” by Palo Alto Networks, has been around since January 2015. While the malware has mainly targeted users in China, the security firm reported that individuals and organizations in the United States, United Kingdom, Thailand, Spain and Ireland were also impacted.

Researchers discovered more than 8,000 unique DualToy samples. Earlier variants were only capable of infecting Android devices, but the Trojan’s developers added iOS capabilities within six months after the threat was first spotted.

On infected Windows PCs, DualToy injects processes, modifies browser settings and displays ads. When an Android or iOS device is connected to the infected PC via USB, the malware starts conducting various activities.

The malware’s developers are counting on the fact that when a user connects a mobile device to the infected computer, that device is likely already authorized, making it easier to use existing pairing records to interact with it in the background.

“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Palo Alto Networks researcher Claud Xiao explained in a blog post.

In order to infect Android and iOS devices, the Trojan checks for the presence of the Android Debug Bridge (ADB) and iTunes on the compromised Windows machine. If these applications are not found, the malware downloads and installs them.

ADB and iTunes are used by DualToy to install various applications on Android and iOS devices connected via USB to the infected computer. In the case of Android, several Chinese-language games were downloaded from a third-party app store.

On iOS phones and tablets, the malware collects system information and sends it back to its command and control (C&C) server. The data includes the device’s name, type, version, model number, serial number, IMEI, IMSI, firmware, and phone number.

DualToy also downloads several .ipa files (iOS application archives), including one that asks users to provide their Apple ID and password. The harvested credentials are encrypted and sent to a remote server.

This app, named Kuaiyong, is a third-party iOS app store, similar to ZergHelper, which in February managed to slip through Apple’s review process and made it onto the official App Store.

Palo Alto Networks has compared DualToy to AceDeceiver and WireLurker, both of which target iOS devices when they are connected to an infected computer.

By Eduard Kovacs

Source http://www.securityweek.com/windows-trojan-targets-android-ios-devices-usb-connection