A pair of Russian-speaking hackers, likely working in legitimate information security roles, has quietly emerged as a major threat to banks in Russia and numerous other former Soviet republics in recent months.

The duo, who security vendor Group-IB is tracking as “Silence,” is known to have stolen at least $800,000 from banks in Russia, Ukraine, Belarus, Poland, Kazakhstan, and Azerbaijan over the past year. The actual financial damages caused by the pair could be a lot higher given the likelihood that many incidents remain undiscovered or unattributed to Silence because of the group’s relative newness to security researchers, Group-IB said in a report this week.

Group-IB researchers first began tracking Silence in 2016 following a failed attempt to steal money from a Russian bank. The hackers disappeared from sight for more than one year after that, but then resurfaced in October 2017 when they attacked a bank’s ATM network and stole over $100,000 in a single night. Since then, Group-IB says it has identified Silence as being responsible for at least two more bank thefts — one in February 2018, when they netted $550,000 via a bank’s ATM machines, and the second in March, involving $150,000.

Several aspects about Silence make it interesting, Group-IB says. One distinctive feature is its unusually small size, especially considering the damage it has been creating. The Silence group appears to currently comprise just an operator and a developer.

The operator appears to be the one in charge, with in-depth knowledge about tools for conducting pen tests on banking systems, navigating inside a bank’s network, and gaining access to protected systems. The developer seems to be an adept reverse-engineer who is responsible for developing the tools and exploits that Silence has been using to break into bank networks and steal money.

The pair’s tactics and behavior suggest that both are either currently working in a legitimate information security role or were recently in one, says Rustam Mirkasymov, head of dynamic analysis of malicious code at Group-IB. For example, Silence appears to have ready access to unique, non-public malware samples that only security researchers typically have. The developer’s seemingly deep knowledge of ATM machines and processes suggests the individual is an insider or was one recently. The pair’s behavior during incidents also suggest they are analyzing and closely following security reports, Mirkasymov says.

Because of the group’s small size, the hackers have so far been somewhat limited in their ability to carry out attacks. Typically, they have averaged about three months between incidents, which is about three times as long as other financially motivated threat groups, such as Carbanak/Cobalt/FIN7 and MoneyTaker, usually take.

The two-person threat group has also shown a tendency to observe and learn from the actions of other threat actors, Mirkasymov says. Initially, Silence used third-party tools in its attacks but over time developed its own sophisticated toolkit. The unique set of card processing and ATM attack tools Silence has developed includes “Atmosphere,” a tool for getting ATMs to dispense large amounts of cash on demand; “Farse,” a utility for grabbing passwords from infected systems; and “Cleaner,” for getting rid of incriminating logs.

Like many other advanced persistent threat (APT) actors, Silence uses several borrowed tools in its capers, including a bot for conducting initial attacks and a tool for launching distributed denial of service (DDoS) attacks. Initially, the Silence duo used hacked servers and compromised accounts for carrying out its campaigns, but they have evolved to using phishing domains and self-signed certificates to drop malware on target networks.

“Now [that] they have tested the waters, they are formed, experienced, and ready to conduct sophisticated attacks on banking systems,” Mirkasymov says. Rather than reinventing the wheel, “they prefer to use well-known techniques, such as logical attacks on ATMs, and attacks on payment systems and card processing, employed by other financially motivated cybercriminals,” he says.

Silence’s geography of successful attacks so far has been limited to the so-called Commonwealth of Independent States (CIS), or nations that once belonged to the Soviet Union. But its ambitions appear much broader. According to Mirkasymov, the group has sent phishing emails to bank employees in some 25 countries, including Germany, Great Britain, the Czech Republic, Romania, Malaysia, Kenya, Israel, Cyprus, and Greece.

Silence does not only attack banks, Mirkasymov cautions. The group also has shown a tendency to attack online stores, news agencies, and insurance companies, using their infrastructure to conduct attacks on financial institutions.

Related Content:

• Attackers Employ Social Engineering to Distribute New Banking Trojan
• Banks Suffer an Average of 3.8 Data Leak Incidents Per Week
• Necurs Botnet Goes Phishing for Banks
• 9 Banking Trojans Trends Costing Businesses in 2017

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/silence-group-quietly-emerges-as-new-threat-to-banks/d/d-id/1332742?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

There are several good reasons why you shouldn’t post zero-day exploits on social media. For starters, lurking attackers will snatch the code and leverage it in a malware campaign.

Such is the case with a Microsoft Windows zero-day bug shared on Twitter last week. Two days after the vulnerability and proof-of-concept was posted on Twitter and GitHub, respectively, ESET researchers identified the exploit in a campaign from the PowerPool threat group.

The vulnerability, first shared in a (now deleted) tweet on August 27, affects the Advanced Local Procedure Call (ALPC) function within the Windows Task Manager in  Windows 7 through Windows 10. The flaw allows Local Privilege Escalation (LPE), which lets an executable escalate privileges and allows restricted users launch a process to gain administrative control.

Twitter user SandboxEscaper, who sent the initial post, linked back to a GitHub repository with PoC code. It didn’t take long for attackers to modify and recompile the exploit. PowerPool, which has a range of tools already at its disposal, took advantage.

PowerPool has a small bunch of targets, researchers explain in a blog post on the discovery. It may be too early to tell, but few occurrences indicate recipients are carefully chosen and not part of a spam campaign. ESET telemetry and uploads to VirusTotal (experts only accounted for manual uploads from the Web interface) indicate affected countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

“We guess this is an espionage campaign, due to the nature of their backdoors,” says ESET malware researcher Matthieu Faou. “However, their malware are basic and cannot be compared to the ones developed by most APT groups.”

While this campaign is more targeted, PowerPool has previously launched spam attacks. ESET data shows the group has been active since 2017 but hasn’t been linked to any public breaches.

But First, They Changed the Code

PowerPool didn’t use the exact binary that SandboxEscaper posted. Instead, they modified and recompiled the source code to insert their own malware and gain system privileges. The binary provided at the time of disclosure is a PoC showing how to exploit the flaw, Faou explains. It’s not really malicious, he says, because it will ultimately execute notepad.exe with system privileges. PowerPool wanted to execute their own malware.

The flaw is in the SchRpcSetSecurity API function, which doesn’t correctly check user permissions. This grants anyone write access to files in the Task Manager regardless of their rights; as a result, people with read-only access can replace content in write-protected files or create a file within the folder to link to, and gain write access to, any target file.

The exploit can also be used to replace content of protected target files with malicious code, giving malware admin rights. PowerPool chose to weaponize the vuln by changing the content of GoogleUpdate.exe, the updater for Google apps typically run under admin privileges by a Microsoft Windows task. Once they have write access, they overwrite GoogleUpdate.exe with a copy of their second-stage malware to gain system rights when the updater is next called.

The group uses a few different tactics for initial compromise, one of which involves emails with their first-stage malware as an attachment. From there, attackers primarily use two different backdoors: one deployed after the initial compromise and a second-stage backdoor.

The first-stage backdoor does reconnaissance on the machine and includes two executables. First of these is the main backdoor; this establishes persistence through a service and collects proxy information. The CC server’s address is included in this binary, which can execute commands and send information on the target device back to the CC server. The second executable captures a screenshot of the target’s display and exfiltrates it through the backdoor.

Next up is the second backdoor, which is malware downloaded via the first stage. Researchers speculate this is when the operators determine the machine is interesting enough to warrant further analysis; however, “it is clearly not a state-of-the-art APT backdoor,” they report.

Once attackers gain persistent access to a machine with the second backdoor, they leverage open-source tools (mostly written in PowerShell) to move laterally throughout the network.

Vulnerability Disclosure 101

Faou says the nature of this disclosure made weaponization simple for PowerPool.

“First, what is really important in this vulnerability disclosure is the release of the source code of the exploit, and not only a compiled version of it,” he explains. “Thus, this is easy for malware developers to reuse it in their malware.”

In contrast, when only a compiled version is available, malware developers first should reverse-engineer the exploit before including their malware. The process can be time-consuming, he says, and difficult to finish before a patch is issued for the bug.

Security researchers who discover vulnerabilities should coordinate disclosure with the vendor, giving them time to issue a fix before the bug is made public, Faou continues. This protects users; it’s unlikely vulnerabilities will be used in massive campaigns before public disclosure.

While this campaign only targets a limited pool of victims, ESET researchers still urge caution: “…it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” they say.

Related Content:

• Silence Group Quietly Emerges as New Threat to Banks
• Thoughts on the Latest Apache Struts Vulnerability
• Authentication Grows Up
• 4 Benefits of a World with Less Privacy

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/application-security/powerpool-malware-uses-windows-zero-day-posted-on-twitter/d/d-id/1332743?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The distributed ledger of blockchain has found application in many fields, from cryptocurrency to supply chain. Much of the excitement about blockchain is due to its reputation as an inherently secure technology. But can that inherent security be applied to the field of security itself?

In a growing number of cases, the answer is “yes.” Security professionals are finding that the qualities blockchain brings to a solution are effective in securing data, networks, identities, critical infrastructure, and more. As with other emerging technologies, the biggest question is not seen as whether blockchain can be used in security, but in which applications it is best used today.

Blockchain is being used in a number of security applications, ranging from record-keeping to acting as part of the active data infrastructure, and more options likely are on the horizon.

But while excitement over blockchain’s potential grows, it’s important to keep that potential in perspective.

One of the claims frequently made about blockchain is that it is an “un-hackable” technology. While no intrusive hacks have been demonstrated yet, it’s wrong to say that blockchain can’t be hacked. In early 2018, a “51% attack”, in which a threat actor managed to gain control over more than half of a blockchain’s compute power and corrupt the integrity of the ledger, showed that novel techniques can be effective. While this particular attack is expensive and difficult, the fact that it was effective means that security professionals should treat blockchain as a useful technology – not a magical answer to all problems.

Here are some ways blockchain is being used or considered as a security tool. 

(Image: NicoElNino)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/application-security/7-ways-blockchain-is-being-used-for-security/d/d-id/1332735?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

About a week ago, a security researcher disclosed a critical remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers.

The vulnerability (CVE-2018-11776) affects all supported versions of Struts 2 and was patched by the Apache Software Foundation on August 22. Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are already working on exploits.

“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” Man Yue Mo, the researcher who uncovered the flaw, told the media, referring to the vulnerability (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of personal details of over 148 million consumers.

More Critical than Equifax Vulnerability
Struts, an open source framework for developing web applications, is widely used by enterprises worldwide, including many Fortune 100 companies. In 2017, the Equifax credit reporting agency used Struts in an online portal, and due to Equifax not identifying and patching a vulnerable version of Struts, attackers were able to capture personal consumer information such as names, Social Security numbers, birth dates and addresses of over 148 million US consumers, nearly 700,000 UK residents, and more than 19,000 Canadian customers.

Over the past year, I’ve lost track of the number of people asking whether they should migrate from Apache Struts to some other framework. Behind all those requests was an implicit fear that more critical issues were present.

Unfortunately, changing application frameworks isn’t as easy as adopting a new pizza chain or even buying a new car. Rather its more akin to dumping your favorite sports team for another. The investment your development team made in understanding the framework and implementing features supported by that framework likely won’t transfer to an alternate option — assuming a compatible one even exists.

Instead, development teams need to accept that frameworks will have issues and that those issues are likely the result of attempts by the framework developers to appeal to the broadest audience. This means that you shouldn’t expect the framework to magically protect against security issues you can address in your code. Input validation is a perfect example of this — bad data going in often results in bad data coming out, or in operations that we never anticipated would be performed.

Modern software is increasingly complex, and identifying how data passes through it should be a priority for all software development teams. To give some background, developers commonly use libraries of code, or development paradigms which have proven efficient, when creating new applications or features. This attribute is a positive when the library or paradigm is of high quality, but when a security defect is uncovered this same attribute often leads to a pattern of security issues.

Root Causes
In the case of CVE-2018-11776, the root cause was a lack of input validation on the URL passed to the Struts framework. In both 2016 and 2017, the Apache Struts community disclosed a series of remote code execution vulnerabilities. These vulnerabilities all related to the improper handling of unvalidated data. However, unlike CVE-2018-11776, the prior vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors.

CVE-2018-11776, on the other hand, operates at a far deeper level within the code, which in turns requires a deeper understanding of not only the Struts code itself but the various libraries used by Struts. It is this level of understanding that is of greatest concern — and this concern relates to any library framework. Validating the input to a function requires a clear definition of what is acceptable.

Equally critical are requirements that the documentation for public functions clearly document how those function use and operate on any data passed to them. This forms a contract between the framework and the consumer, and sets expectations surround proper usage. Absent this contract and associated documentation, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued because it is unrealistic to assume that all patches are free from behavioral changes.

Shortly after the Apache Software Foundation released its patch, a proof-of-concept (PoC) exploit of the vulnerability was posted on GitHub. The PoC included a Python script that allows for easy exploitation. The firm that discovered the PoC, threat intelligence company Recorded Future, also said that it has spotted chatter on underground forums revolving around of the flaw’s exploitation. Companies that don’t want to become the next Equifax should immediately identify where and what version of Apache Struts they have in use and apply the patch as needed.

Related Content:

• 10 Threats Lurking on the Dark Web
• Proof-of-Concept Released for Apache Struts Vulnerability
• New Apache Struts Vulnerability Leaves Major Websites Exposed

Black Hat Europe returns to London, Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Tim Mackey is a technical evangelist for Black Duck by Synopsys. Within this role, he engages with various technical communities to understand how to best solve application security problems. He specializes in container security, virtualization, cloud technologies, … View Full Bio

Article source: https://www.darkreading.com/application-security/thoughts-on-the-latest-apache-struts-vulnerability-/a/d-id/1332716?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new version of Google Chrome is rolling out to Windows, Mac, Linux, and Android over the next few weeks, the company announced this week.

Chrome version 69.0.3497.81 is being promoted to the stable channel for Windows, Mac, and Linux. The update packs 40 security fixes, including patches for vulnerabilities an attacker could abuse to assume control over a target system, according to a US-CERT advisory on the update.

In addition to Google’s security team, many of the bugs were detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Chrome for Android 69 (69.0.3497.76) has also been released and will be available on Google Play over the next few weeks, Google reports. The 10^th anniversary edition aims to improve mobile payment security with third-party payment apps, password generation on more websites, stability and performance improvements, and a cleaner modernized design.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/endpoint/google-issues-chrome-updates-for-windows-mac-linux-android/d/d-id/1332736?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple