STE WILLIAMS

Gmail: “Warning! That email was not sent through an encrypted connection.”


Google has announced plans to tell Gmail users which emails have been sent through an encrypted connection and which have not.

In a recent announcement, Google said that it would issue a warning to a user if they had received a message through a non-encrypted connection.

In a Google blog post, authors Elie Bursztein from the Google Anti-Fraud and Abuse Research division, and Nicolas Lidzborski, a Gmail Security Engineering Lead, said that Google is constantly facing new security challenges and is working with partners through the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) to promote better email security.

Gmail uses Transport Layer Security (TLS) to create an encryption ‘tunnel’ between its own mail servers and everyone else’s. When emails are in the tunnel they can’t be spied upon.

TLS (Transport Layer Security) is a way of encrypting the communications between email servers in the delivery chain, keeping the content of messages secure in transit.

TLS does have some limitations – emails sent using TLS aren’t encrypted before they leave your computer, while they’re being processed by the email servers that pass them along, or after they reach their final server.

But they also can’t be intercepted when they’re travelling between servers, which is a good thing.

The warnings aren’t the only thing Google is working on to improve email security.

Google previously announced that in June 2016 it would start rejecting emails that do not satisfy DMARC (Domain-based Message Authentication, Reporting, and Conformance) specifications.

Essentially DMARC is a system designed to detect spoof emails by allowing companies to determine if an email is authorised and the content of the email has not been modified. This fits neatly into Gmail’s secure thinking, as it will offer a more robust Gmail service with fewer opportunities for tampering or the bad stuff landing inside inboxes.

In particular, Gmail will support the draft Authenticated Received Chain (ARC) protocol to help mailing list operators adapt to the need for strong authentication, with Google, Microsoft and Yahoo among those deploying the draft initially.

This permits an organisation that is creating or handling email to indicate its involvement in the handling process by adding a cryptographically signed header.
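To make concrete what "satisfying DMARC" means for a receiver like Gmail, here is an added example (not Google's code and not from the article) that parses a domain's DMARC TXT record and applies the alignment and policy rules to constructed SPF/DKIM results. The domains, records and results are constructed for illustration; the organizational-domain helper is simplified to the last two labels, whereas real receivers use the Public Suffix List.

```python
"""Added example: DMARC record parsing and disposition evaluation.

A message passes DMARC when at least one of SPF or DKIM both passes and is
*aligned* with the RFC5322.From domain (strict: identical; relaxed: same
organizational domain).  Otherwise the published policy (p=, or sp= for
subdomains) decides what the receiver does.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    # Defaults from the DMARC spec: relaxed alignment, sp inherits p.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels (real code consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """Constructed authentication results a receiver would already have."""
    spf_pass: bool
    spf_domain: str   # MAIL FROM (envelope sender) domain checked by SPF
    dkim_pass: bool
    dkim_domain: str  # d= tag of a verified DKIM signature, "" if none


def dmarc_evaluate(from_domain: str, record_domain: str, record: str,
                   auth: AuthResults) -> tuple:
    """Return (result, disposition): e.g. ('pass', 'none') or ('fail', 'reject').

    record_domain is the domain the record was fetched from; when it differs
    from the From domain the message came from a subdomain and sp= applies.
    """
    policy = parse_dmarc_record(record)
    spf_ok = auth.spf_pass and is_aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_pass and is_aligned(from_domain, auth.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != record_domain.lower()
    return "fail", policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    # Constructed scenario: a message claiming example.com, DKIM-signed by a
    # third party, with strict DKIM alignment published.  It fails and is rejected.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    auth = AuthResults(True, "bulk.example.net", True, "mail.example.com")
    print(dmarc_evaluate("example.com", "example.com", record, auth))
```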

The new warnings will alert users to whether or not their messages are legitimate, and give them a heads up if they’ve been censored or altered.

This is one of a series of announcements by Google to improve email security, after it announced last week that it is expanding its Safe Browsing protection to include social engineering protection. If Google determines a page to be bad, Chrome will display a warning similar to the malware and phishing notifications already issued.

All in all, these are very positive moves from Google to offer a more secure service and better security to users.

Google’s offering amounts to an effort to ensure that the bad stuff is filtered out; if it works, and the protocols are deployed elsewhere with Google’s stamp of approval firmly on them, a more secure email service becomes likely.

The warnings will be rolled out to all users over the next couple of months.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9oVlau3dQOc/

Exploit Kit Explosion Will Keep Victims Off Kilter

Exploit kit C&C infrastructure expanded by 75% in Q3.

Exploit kit activity is on a massive upswing as figures from a new report out today from Infoblox and IID show that the command and control infrastructure behind these kits mushroomed last quarter.

The study shows that the creation of DNS infrastructure for exploit kits jumped by 75% year-over-year in Q3. As a result, the report’s authors say that enterprises and users at large should steel themselves for a surge of activity as attackers begin to take advantage of this built-up infrastructure.

The black market engines for the cybercrime economy, exploit kits offer criminals a turnkey method of propagating malware, exploiting victim machines, and controlling those machines to carry out further attacks such as theft, distributed denial of service attacks, and lateral attacks into the networks to which the compromised machines are connected. When exploit kits first came to prominence in 2012 with the Blackhole kit’s explosion, licensing ran for as much as $10,000 per month. But as competition from numerous exploit kit developers has crowded the market, pricing has come down considerably, with prices anywhere from $30 to $500 per month, according to experts with Trustwave. They say that small investment can yield income of over $80,000 per month if criminals use their kits effectively.

The report today showed that four malware families in particular drove this increase: Angler, Magnitude, Neutrino, and Nuclear. This year, Angler in particular has stepped into the void that was left behind by Blackhole after its creators were arrested in October 2013. According to a report from Sophos this summer, Angler at that time comprised 82% of the exploit kit market.

“The Angler exploit kit is one of the most sophisticated currently used by cybercriminals and leads exploit kit DNS activity for Q3,” Infoblox researchers wrote. “Angler exploit kits are often quickly updated with the latest zero-day vulnerabilities in popular software and use sophisticated obfuscation techniques, making it difficult for traditional antivirus technologies to detect.”

For example, the success of Cryptowall 3.0 owes a great deal to Angler, which has been widely used to launch these ransomware attacks, the report says.

According to Infoblox, exploit activity tends to track along a predictable cycle.

“Cybercriminals usually go through a cycle of ‘planting’ and ‘harvesting’ when it comes to malicious infrastructure. During the planting phase, there is a significant rise in the number of malicious domains created for malware and exploit kits,” the report explains. “Once this phase ends, the attackers begin to harvest the extensive infrastructure they have built to launch attacks, steal data, and generally cause harm to their victims.”

If these patterns remain consistent, expect to see a ramping-up in the execution of attacks by exploit kits in the coming months as attackers take advantage of the empire building they did in Q3 to support future attacks. 


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/attacks-breaches/exploit-kit-explosion-will-keep-victims-off-kilter/d/d-id/1323207?_mc=RSS_DR_EDT

Siri’s Lockscreen Bypass A Growing Privacy Issue For iOS Users

In less than 30 seconds, anyone with access to an Apple iPhone or iPad can extract a lot of personal data using Siri, Trend Micro says.

Security vendor Trend Micro has sounded the alarm once again on a continuing issue with Apple’s Siri digital assistant that lets anyone with physical access to an iOS device interact with it and easily extract data even if the device is locked.

In a blog post today, security researchers from the company said it takes just 30 seconds for someone to extract names, phone numbers, and calendar entries — or even post to a connected social media account — from a locked iOS device using simple voice commands.

“A locked device should not disclose the owner’s identity and contact information, as well as those of the owner’s friends, family, and contacts,” the researchers wrote. “Siri bypasses this and provides detailed information and other functions on a locked mobile device.”

The Trend Micro blog lists several voice commands that someone could use to extract data from iOS devices to which they have physical access. For example, by simply asking “what’s my name” or “what’s my email address,” an attacker could get the device to disclose the owner’s first and last name and email address.

Similarly, to make a call, post a Facebook status update on the device owner’s account or to carry out any task that the legitimate owner would be able to do, an individual only has to verbalize the appropriate commands.

Though a passcode is supposed to prevent strangers from accessing a locked iOS device, Siri offers a way around it and provides attackers with the same access that the device owner would have, the researchers wrote.

This is by far not the first time that someone has shown how to exploit a locked iOS device using Siri. As the researchers themselves have noted in their blog, discussions on this topic have been going on since Siri was first introduced. 

So far at least, the company has not taken any measures to ensure that Siri cannot be exploited to bypass a locked device. Instead, its response has been to recommend that users concerned about the issue simply disable Siri on the lockscreen, Trend Micro says.

The goal in bringing up the issue now is to remind iPhone and iPad users that more and more vectors are available to attackers for breaching Apple’s walled garden these days, says Tom Kellermann, chief cybersecurity officer at Trend Micro.

One example is recent research from France’s Network and Information Security Agency (ANSSI) showing how Siri and other digital assistants like Google Now can be remotely controlled using electromagnetic waves. In a research paper, the ANSSI researchers described how someone using a cheap radio transmitter could issue commands to Siri and Google Now from up to 18 feet away.

“What the blog highlights is another amazing feature of the iOS ecosystem that can be turned against the user,” Kellermann says. “It is an ecosystem that has been the most secure and many believe it to be impenetrable. That has dramatically changed.”

In order to better protect personal information, Apple should consider implementing voice identity recognition or requiring some form of user authentication when someone attempts to use Siri to make calls, send texts, post to Facebook, or carry out similar commands from a locked phone, Trend Micro says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/siris-lockscreen-bypass-a-growing-privacy-issue-for-ios-users/d/d-id/1323213?_mc=RSS_DR_EDT

‘Xindi’ Online Ad Fraud Botnet Exposed

Billions of dollars in ad revenue overall could be lost to a botnet that exploits the ‘Amnesia’ bug.

Online fraudsters have amassed a botnet of millions of infected machines that exploits a security flaw in a digital advertising technology in order to execute phony online ad impressions.

The so-called Xindi botnet was designed to exploit a known vulnerability called Amnesia (CVE-2015-7266) in implementations of the Open RTB Internet advertising protocol. Unlike most online ad fraud attacks, it doesn’t use clickjacking-based click fraud, but rather generates large numbers of phony ad impressions. According to researchers at Pixalate, which published a report today on the botnet, some 6 to 8 million machines at more than 5,000 enterprises are at risk of being used as bots in Xindi.

Jalal Nasir, CEO of Pixalate, says his firm has spotted traffic from the IP addresses of major Fortune 500 firms, government agencies, and universities, associated with Xindi. While it’s unclear if the IP addresses are spoofed or legitimate, he says the IP addresses used by Xindi are owned by those organizations, which include Citigroup; General Motors; Lowe’s; Marriott; Wells Fargo; California State University’s Office of the Chancellor; Columbia University; the University of Maryland; and many other big-name corporations and colleges.

“We are seeing some of those traffic patterns from IP addresses from these organizations,” Nasir says. “They [the attackers] could be doing IP-level spoofing” or are sitting behind these networks, he says. “We’re starting to share some of this data with those companies to investigate.”

Xindi, which was first spotted in October of 2014, is mostly hitting some big-name advertisers in the wallet, though, including Home Depot, Uber, McDonald’s, Pandora, Honda, Verizon, Nissan, and Monster, the report says.

Online advertising fraud has been thriving for some time: a study conducted last year by the Association of National Advertisers and security firm White Ops found that advertisers are losing $6.3 billion to $10 billion per year to online ad abuse. One-fourth of bots conducting phony ad traffic were operating on Alexa Top 1000 sites, and the bots inflated monetized ad traffic by anywhere from 5% to 50%. The bots were posting phony impressions that gave the illusion of actual ad views, and the fraudsters made money via cash-out points.

Other notorious ad-fraud botnets such as Chameleon and ZeroAccess have employed clickjacking and other ad-infection methods for their click-fraud activity.

Xindi’s M.O. represents a shift in ad fraud, Nasir says. “We are seeing a shift in compromising ad traffic and transactional-level knowledge not seen before,” he says.

Xindi’s ad-impression fraud works by exploiting the Amnesia vulnerability: “This vulnerability allows Xindi to conceal the true status of an ad transaction, which in turn causes bidding engines to bid on more impressions per compromised host than originally intended. Xindi achieves this by hoarding multiple ad markups in a transient state for hours on end and replaying them in a burst,” the report says.

Nasir says the underlying issue is in how the Open RTB protocol is implemented. The protocol as-is does not include a “timeout” option, which allows phony ad impressions to “linger for hours,” he says. “There should be guidelines for what the timeout should be. That’s a proposal we have submitted” to the organization in charge of the Open RTB specification, he says.

Meantime, the researchers aren’t sure just how Xindi initially infects its bots. “That is difficult to find,” Nasir says. “We suspect it could be a malicious browser add-on.”

Fraud increased by 300% in online ad campaigns where Xindi was spotted, and Pixalate estimates that at the current rate, the ad industry could lose up to $3 billion by the end of 2016 at the hands of Xindi.

Its activity has been increasing over the past year as well. The last big attack, in August of this year, executed billions of fake impressions, with 90% of the activity targeting US-focused ad campaigns.

“The digital advertising channel is the missing link to identifying new, emerging threats in cyber security. Until traditional anti-virus companies incorporate this channel, threats such as Xindi will continue to be overlooked,” says Branden Spikes, founder and CEO of Spikes Security.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/attacks-breaches/xindi-online-ad-fraud-botnet-exposed/d/d-id/1323212?_mc=RSS_DR_EDT

Google VirusTotal

Back in April 2015, at the RSA conference, Google did a strange thing.

The makers of Android as good as denied the existence of Android malware by re-defining it into a category called PHAs, or Potentially Harmful Applications.

In any case, said Google, PHAs were hardly worth worrying about because “less than 1% of devices have a PHA installed.” [Shouldn’t that be “fewer”? Ed.]

Of course, 1% of more than 1 billion devices still adds up to more than 10,000,000 PHA-infected Androids in the wild at any time.

And with PHAs lumped into subcategories including spyware, backdoor, call_fraud, sms_fraud, phishing, DDoS and ransomware…

…it certainly sounds as though most of us would be happy with the word malware as shorthand for Potentially Harmful Application. (Ironically, Google even lists generic_malware as a named subcategory of PHAs.)

In fact, Google probably agrees with us, because its own online malware processing service, VirusTotal, will accept Android malware samples.

VirusTotal attempts to analyse and classify malware automatically by scanning incoming samples with a battery of security products, which helps to match up which products use what names.

The service also runs certain sample types in a controlled research environment often called a sandbox.

If a suspicious new file is spotted that isn’t yet known to the security research community, samples of the file can quickly be distributed to those with a need to know.

Malware sandboxing isn’t for the faint-hearted. Don’t be tempted to get started in anti-virus research simply by grabbing some malware samples and running them in a virtual machine (VM) on a spare computer at home to see what happens. If you aren’t careful, the malware could end up attacking other people’s networks. For example, if you deliberately run spam zombie malware in a VM to monitor what it does, you don’t want any of its spam to escape and reach innocent users. If that happens, you become part of the problem, not the solution!

Loosely speaking, the malware types that VirusTotal itself knows how to analyse are those most likely to be encountered in real life, and fretted about, by users around the world.

Automatic processing of Windows programs (known in the trade as PE files, short for Portable Executable format, even though they’re Windows-specific) was added to VirusTotal in 2012, and of Android programs in 2013.

And now – don’t shoot the messenger – Google has added OS X apps to VirusTotal’s capabilities.

You can upload:

  • DMGs. (Mac disk images, commonly used for distributing Mac apps.)
  • Mach-O files. (Mach-O is the OS X equivalent of a PE file – the native executable binary format.)
  • A zipped-up Mac app. (Most officially-installed Mac apps exist as a self-contained directory tree stored in /Applications.)

We’ll be quite frank, and say that your risk of malware infection on OS X is very much lower than on a Windows or Linux computer.

Infected Linux servers are depressingly common these days, and the main motivation that crooks have for infecting them is to pass malware on in bulk to Windows users.


So, with Windows and Linux locked in an unhealthy “cybercrime symbiosis,” it’s easy to assume that the risk of OS X malware, or of Mac-specific phishing, or any other Apple-directed cybercriminality, is low enough to be written off as zero.

We think that’s a dangerous assumption, and we’re not just saying that because we have Mac threat protection software to sell you.

(Actually, for home use, Sophos Anti-Virus for Mac is 100% free, but that’s still not why we’re saying that Mac malware is worth taking seriously.)

It’s the other way around: we think Mac malware is worth taking seriously, and that’s why we have Sophos Anti-Virus for Mac.

But don’t ask us if there really is Mac malware out there…ask Google :-)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/buCfkbvoJqQ/

Cyber thief who stole nude images for revenge porn king gets 2 years


$250 for nude images stolen from “6 guys and 6 girls”: that’s the kind of fee that Charles “Gary” Evens charged revenge porn king Hunter Moore.

As Evens admitted when he pleaded guilty in July to one charge of aggravated identity theft and one charge of hacking a computer for financial gain, he pried those images out of victims’ email accounts using tactics such as posing as their friends.

Then, he passed the photos on to Moore, who in turn posted the images onto his site, isanyoneup.com.

Followers of the revenge porn site would post crude remarks, taunting the victims as “fat cows,” “creatures with nasty teeth,” “ugly wh*res,” “white trash sl*ts” and “whales.”

On Monday, Moore’s thieving henchman, the man responsible for subjecting unwilling people to this fate, was sentenced to 25 months in federal prison.

According to the US Attorney’s office of Los Angeles, Evens, 26, of Studio City in California’s San Fernando Valley, has also been ordered to pay a $2000 fine, to perform 20 hours of community service, and to pay $147.50 in restitution to one of the victims.

He got off easy.

Evens faced a statutory minimum of two years and a maximum of seven years in federal prison.

US District Judge Dolly M. Gee imposed a one-month sentence for the hacking count and the mandatory two-year term for the count of identity theft.

Moore, 29, of Woodland, California, pleaded guilty in February to the same two offenses that Evens admitted to.

His sentencing is scheduled for 30 November.

His scheme began in 2011, when Moore emailed Evens, asking for as many nude pictures as possible, according to a 15-count indictment handed down by a grand jury in October 2013.

The result was that between Evens, Moore and others who weren’t identified in the indictment, the Gmail and Yahoo email accounts of hundreds of (mostly) women were broken into.

For the convictions of Evens and Moore, we have Charlotte Laws, aka the “Erin Brockovich” of revenge porn, to thank.

Laws is the mother of a victim referred to as “K.L.” in the indictment, for Kayla Laws.

Ms. Laws, an aspiring actress, went public after her nude selfies wound up on the site, though she claimed she’d emailed the photos only to herself.

Her mother believed her, determining that the photos had been hacked from her daughter’s account.

So Charlotte Laws prompted an FBI investigation into Moore’s activities. Following the launch of the investigation, Moore suddenly went rather quiet, and that’s when he transferred the site.

Specifically, Moore sold isanyoneup.com in April 2011 to the anti-bullying charity, BullyVille.

The site was for a time redirecting to BullyVille.com, which provided a history of IsAnyoneUp and of Moore’s legal troubles and alleged bullying incidents, both online and in real life.

The domain has apparently since been sold and is now hosting a GIF of what looks to be Supreme Leader Kim Jong-un clapping, a woman whose photos have hopefully not been stolen, and terms of service that prohibit publishing sexually explicit material about another person without consent.

But Laws’ tireless work didn’t stop at getting these two guys behind bars.

A 2013 state law had made publishing these types of photos a misdemeanor.

In December 2014, prosecutors reached their first conviction under the law, jailing a Los Angeles man named Noe Iniguez after he hid behind a pseudonym to post topless photos of his ex to her employer’s Facebook page.

In September this year, California Gov. Jerry Brown also signed SB 676: a law that allows prosecutors to seek forfeiture of unauthorized images as well as the storage devices they’re on.

The ripples continue to widen: in October, Attorney General Kamala Harris launched a state website to help victims of revenge porn get the images deleted from websites.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-M_YauU_Cjw/

Free tool uses Twitter Direct Messages to control hacked computers


Direct Messages on Twitter are a way for users to send messages to individuals or a group of users privately, as opposed to regular tweets, which can be seen by everyone.

Twitter has expended a lot of effort to stamp out the predictable abuses of the Direct Message medium – namely spam and phishing attacks.

But now, self-styled security researcher Paul Amar has created a free Python-based tool called Twittor that uses Direct Messages on Twitter as a command-and-control server for botnets.

As you probably know, cybercriminals use botnets in a variety of ways to launch attacks.

For example, a cybercriminal could tell the computers in his botnet (called bots or zombies) to send out spam, or he could rent the botnet to other cybercriminals who might use it to generate fraudulent traffic that can cause a website to crash.

A crook could also drop malware on the bots he controls to steal data like passwords and banking credentials, or infect the bots with ransomware.

How botnets and bots work

For a botnet to do any of these things, the bots need to “call home” for instructions to a command and control (C&C) server, which typically uses the HTTP protocol to send messages over the web, or HTTPS for encrypted communications.

Now, using Twittor, a cybercrook could send messages over Twitter Direct Message, which Amar says could help botnet masters hide their activities among legitimate Twitter traffic.

Amar got the idea for his Direct Message C&C server from a similar tool called Gcat, which does the same thing using a Gmail account, according to Amar’s post on the code-sharing site GitHub, where he provides the Twittor tool and instructions on how to use it.

Amar was looking for ways third-party services could hide malicious traffic, he told Dark Reading.

The opportunity to use Twitter opened up in August when Twitter announced that it was lifting the 140-character limit on Direct Messages, which Amar says “allows for more malicious activity.”

There are some limitations: Twitter does limit users to 1000 Direct Messages per day, so a bot master would be able to control only about 100 bots per account.

But a bot master might find the stealth of using Twitter Direct Messages appealing because those communications would be very hard to detect.

Amar told Dark Reading that his tool uses the Twitter API, so IP filtering won’t catch it; and because Direct Messages are private, “there’s no public malicious activity.”

But the one thing we don’t quite get in all of this is, “Why?”

Many security tools, like Nmap and Metasploit, cut both ways, being useful for researchers and penetration testers but also handy for crooks.

But publishing a free tool that helps you operate a botnet via Twitter Direct Message seems a strange way to conduct security research, especially when Twitbots are nothing new.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q8BRWrNW2lE/

Android Gmail bug lets you spoof your email address

Security researcher Yan Zhu is reporting a flaw in Gmail’s Android app that lets a sender pretend to have someone else’s email address.

That’s known as spoofing, and it’s incredibly handy for scammers and phishers, who can make it look as though they really do come from, say, legit.example.com instead of from random.free.account.example.

Zhu reported the bug to Google at the end of October, but Google Security told her that it’s not a security vulnerability, according to screenshots of an email conversation that she shared with Motherboard.

Zhu disclosed it on Twitter last week:

To take advantage of the bug, a user simply changes their display name under account settings.

The sender’s real email address will be hidden, and the receiver won’t be able to reveal it even by opening the email and expanding the contents.

To concoct a sender’s email address like the one displayed in the tweet below, Zhu told Motherboard that she changed her display name to yan “”[email protected]” with an extra quotation mark.

It’s that extra quotation mark that does the trick, she said:

The extra quotes trigger a parsing bug in the gmail app, which causes the real email to be invisible.
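From a mail-filtering point of view, the shape of this trick is detectable before any client renders it: the real sender is still the angle-bracketed address, and a display name carrying unbalanced quotes or an address-like token for a different domain is a red flag. The following added example (not from the article, Zhu, or Google) implements that check over a constructed From header; the addresses in it are made up.

```python
"""Added example: flag From headers whose display name is dressed up as an
email address (unbalanced quotes and/or an address-like token that does not
match the real sender's domain).  Sample headers below are constructed.
"""
import re

# The real sender is the last angle-addr in the header value.
_ANGLE_ADDR = re.compile(r"<([^<>]+)>\s*$")
# An address-like token inside the display name ("ceo@legit.example").
_ADDR_TOKEN = re.compile(r'[^\s"<>@]+@([^\s"<>@]+\.[^\s"<>@]+)')


def split_from_header(value: str) -> tuple:
    """Return (display_name, addr_spec) for a raw From header value."""
    m = _ANGLE_ADDR.search(value)
    if m:
        return value[:m.start()].strip(), m.group(1).strip()
    # Bare address with no display name.
    return "", value.strip()


def display_name_findings(display_name: str, addr_spec: str) -> list:
    """Heuristics that catch the 'extra quotation mark' display-name spoof."""
    findings = []
    if display_name.count('"') % 2 == 1:
        findings.append("unbalanced double quotes in display name")
    token = _ADDR_TOKEN.search(display_name)
    if token:
        findings.append("display name contains an address-like token")
        real_domain = addr_spec.rsplit("@", 1)[-1].lower()
        if token.group(1).lower() != real_domain:
            findings.append("display-name address domain differs from real sender")
    return findings


def check_from_header(value: str) -> dict:
    """Split the header and return what a reader would see vs. what is real."""
    name, addr = split_from_header(value)
    return {
        "display_name": name,
        "addr_spec": addr,
        "findings": display_name_findings(name, addr),
    }


if __name__ == "__main__":
    # Constructed header in the shape described above: a display name that
    # looks like a sender address, with an extra quote, in front of the real one.
    suspicious = 'yan ""ceo@legit.example" <random@free.account.example>'
    print(check_from_header(suspicious))
    print(check_from_header("Yan Zhu <yan@example.com>"))
```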

Her mention of DKIM in that tweet refers to the DomainKeys Identified Mail (DKIM) signature, which digitally signs emails for a given domain and establishes authenticity.

As Naked Security’s John Shier noted when he dissected a set of emails to discern whether they were phish or legit, DKIM was one of the clues that led him to the conclusion that one of the emails in question was for real.

DKIM doesn’t filter or identify spoofed emails, per se, but it can be helpful in approving legitimate email.

In fact, Google has used it to authenticate email coming from eBay and PayPal: both heavily phished properties.

If a message comes in to Gmail purporting to be from either but lacks DKIM, out it goes – it doesn’t even make it into the Spam folder.

Email spoofing is nothing new, but spam filters often catch spoofed messages, or they typically trigger an alert in Gmail.

If Zhu’s newly found bug allows phishers to get around the DKIM roadblock, their scammy-but-convincing messages are more likely to trick people into dangerous activities.

Scott Greenstone, a Top Contributor in multiple Google projects, replicated the bug and told Zhu that he’d “let the team know.”

Be even more careful than usual, Android users: until Google fixes the bug, the tables have been tilted in the favor of phishers trying to get you to click on links sent in email.

Is payroll really warning you about your paycheck? Is that really your boss telling you to go read an important article by following the link she supposedly sent?

Study the email address carefully. Don’t hit reply to ask for verification. Walk over and have a chat, or send a note using what you know is their real email address.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QVeXtNwLQLI/

Blackhole’s back: Hated exploit kit returns from the dead

The seemingly long-defunct Blackhole Exploit Kit has resurfaced in a fresh run of drive-by download attacks, according to research carried out by security firm Malwarebytes.

The cybercrime tool was widely used by hackers to push malware from compromised websites onto the Windows machines of visiting surfers for years up to October 2013, when the arrest of its alleged author Paunch in Russia spelled the end to updates.

Without new modules to take advantage of the latest software vulnerabilities, Blackhole rapidly lost its edge. Cybercrooks quickly switched to other exploit kits such as Angler instead, signalling the long-term decline of Blackhole.

That, it seemed, was the end of the story. Or so we thought. However, Malwarebytes has spotted an active drive-by download campaign via compromised websites bearing the hallmarks of the Blackhole Exploit Kit.

“We noticed Java and PDF exploits collected by our honeypot which we haven’t seen in ages,” Jérôme Segura, a senior security researcher at Malwarebytes, explains in a blog post. “Looking closer at the structure of this attack, we were surprised when we realised this was the infamous Blackhole.”

“The new drive-by download attacks we caught over the weekend rely on the same structure as the original Blackhole, even reusing the old PDF and Java exploits. The only difference is the malware payload being dropped, which is current and had very low detection on VirusTotal,” he added.

Closer analysis of an exploit server by Malwarebytes revealed that the attack was put together using leaked source for the Blackhole Exploit Kit.

“Although the exploits are old, there are probably still vulnerable computers out there who could get compromised,” he added. “We also noticed that the author behind this Blackhole edition was working on new landing pages, so it is possible there might be additional changes in the future.”

It’s unclear why an old exploit kit is being used in live attacks considering the infection rate would be quite low due to the ageing exploits. An alternative up-to-date tool would yield far better results for cybercrooks without entailing any extra effort.

One hypothesis could be that with the source code being public, it is a free platform that can be built upon and updated. ®

Bootnote

VirusTotal allows anyone to upload suspicious files. The Google-owned service aggregates data on suspicious files before sharing the resulting intelligence with security firms.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/18/blackhole_exploit_kit_back_from_dead/

Mixing ERP and production systems: Oil industry at risk, say infosec bods

Black Hat Europe Hackers might be able to bridge the gap between supposedly air-gapped systems in oil and gas production by pivoting from enterprise planning onto production systems.

Vulnerabilities and insecure installations in SAP business software and other enterprise systems might be used to interfere with loosely coupled but nonetheless connected industrial control systems, security researchers from ERPScan warn.

Alexander Polyakov and Mathieu Geli outlined the risk during a presentation at last week’s Black Hat Europe conference in Amsterdam. In a worst-case scenario, insecure setups might be exploited to interfere with operational processes and lead to disruptions in production or even sabotage.

High profile cyber attacks on the oil and gas industry against Saudi Aramco and RasGas involved the use of wiper-style malware to trash corporate computers.

Production was unaffected even though PC systems used for sales and accounts were rendered unusable.

Yet the little-publicised security risks highlighted by Polyakov and Geli had no part to play in either of those attacks, the two researchers told El Reg. Instead, the risks are more comparable to the way the Target hackers used a HVAC management system to infiltrate a corporate network before planting malware on point of sale terminals.

SAP bugs and SCADA exploits

Polyakov and Geli’s research focused on SAP and Oracle systems, which are widely used in the oil and gas industries. There are even specific SAP modules for oil and gas, such as SAP Upstream Operations Management (UOM) and SAP PRA (Production and Revenue Accounting), as well as Oracle Field Service and Oracle Enterprise Asset Management.

An estimated 75 per cent of oil production (70 million barrels a day) is controlled by SAP systems.

Mission-critical business applications are often connected between each other using different types of integration technologies. Enterprise applications which are located in the corporate network are usually connected with devices in industrial control systems.

Plant devices that collect data about oil volumes, for example, interface with corporate resource systems.

Explanation: Here’s a plan of how miscreants could hack into an SAP network

“That’s why even if you have a firewall between IT and OT [Operations Technology] there are some applications which are connected,” a whitepaper put together by the two researchers explains. “That is why it’s possible to conduct such an attack and pivot from the IT network (or even the net) into the OT network, up to field devices and smart meters.”

At worst the risk exists that hackers might be able to gain access to upstream oil and gas exploration facilities, mid stream transport and processing plants, and downstream refineries and sales operations.

Within upstream operations, the ERPScan researchers said that attackers could cause mayhem with burner management systems by controlling the ratio of flammable mixtures. The simplest attack here is to turn off purge functions, but other attacks against industrial control systems create even more serious risks, not excluding sabotage or the shutdown of refineries, the ERPScan duo warned.

SAP’s xMII (Manufacturing, Integration and Intelligence) system, SAP Plant Connectivity, SAP HANA Database, SAP Oil and Gas extension for ERP, and other enterprise resource planning apps were studied by the two researchers.

Problems arise because enterprise management systems and industrial control systems, although theoretically air-gapped, are often linked in practice so that management can easily get real-time info on what’s happening in plants, among other reasons.

SAP xMII systems collect process data, feeding it to OPC [OLE for Process Control] servers that manage programmable logic controllers and other industrial control devices. ERPScan discovered a now-resolved SQL injection security flaw in the J2EE engine of SAP xMII. Attackers might be able to hack an internet-facing SAP portal to gain access to SAP xMII systems.

Separately, ERPScan discovered a memory corruption and execution vulnerability in the SAP HANA database.

ERPScan has become well known as a specialist in security research in ERP systems, not infrequently turning up flaws in systems from SAP and Oracle.

Misconfigurations in systems represent an even bigger risk than software flaws for oil and gas firms. As well as hard-coded passwords there are examples of ERP systems and industrial control systems running on the same physical box, according to ERPScan.

“We have SAP system such as SAP ERP, which is located in IT network and is connected to SAP xMII,” Polyakov, ERPScan chief technology officer, told El Reg.

“From this Windows server an attacker can send commands to PLC devices which are usually insecure. For example, by using the Modbus protocol without authentication. So, a hacker would only need to hack the SAP PCo [SAP Plant Connectivity] server to be inside the OT [Operations Technology] network. He can do this by hacking SAP xMII and extracting users and passwords from the PCo,” he added.
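Because Modbus/TCP itself carries no authentication, the compensating control on the OT side is to watch which hosts send write commands to PLCs. The following is an added example (not ERPScan's code or any SAP component): it decodes the Modbus/TCP MBAP header and flags write function codes arriving from hosts outside a hypothetical OT allowlist, such as a server on the IT/ERP side. The IP ranges and frames are constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change PLC state (coils / holding registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical OT segment: only these hosts are expected to write to field devices.
OT_WRITERS = [ip_network("10.20.0.0/24")]


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code of a Modbus/TCP frame."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:                     # protocol identifier is always 0 for Modbus
        raise ValueError("not a Modbus/TCP frame")
    if length != len(payload) - 6:   # length field counts unit id + PDU bytes
        raise ValueError("MBAP length mismatch")
    return {"transaction": tid, "unit": unit, "function": payload[7],
            "data": payload[8:]}


def flag_writes(flows):
    """flows: iterable of (src_ip, dst_ip, payload). Returns alert strings for
    write requests whose source is not in the OT writer allowlist."""
    alerts = []
    for src, dst, payload in flows:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError:
            continue                 # not Modbus, or malformed: out of scope here
        fc = frame["function"]
        if fc in WRITE_FUNCTIONS and not any(ip_address(src) in n for n in OT_WRITERS):
            alerts.append(f"{src} -> {dst} unit {frame['unit']}: "
                          f"{WRITE_FUNCTIONS[fc]} (fc {fc}) from non-OT host")
    return alerts


# Constructed sample traffic: a read from the OT side, then a register write
# from an address on the corporate (IT) side of the firewall.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.0.50", bytes.fromhex("0001000000060103000A0002")),
    ("192.168.1.10", "10.20.0.50", bytes.fromhex("0002000000060106000A0001")),
]

if __name__ == "__main__":
    for line in flag_writes(SAMPLE_FLOWS):
        print(line)
```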

SAP Plant Connectivity acts as a hub linking industrial data to the business applications, according to ERPScan.

“It’s a practical observation that often both SAP PCo + OPC [OLE for Process Control] servers sit on the same hardware,” Geli, a security engineer, added. “To have a working setup where PCo sits on a box and speaks to an OPC server on another is tedious, and often people circumvent that problem by setting up both on the same, having probably the (bad) feeling that it’s not that critical because the machine is on the OT side.”

The oil and gas sectors are also threatened by fraud involving the theft of resources during upstream or downstream processes, the researchers warn.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/18/oil_industry_erp_production_link_hack_risk/