STE WILLIAMS

Firefox fires blockers at trackers, Exim tackles command exec flaw, and RDP pops up yet again

Roundup It wasn’t just fake CIA agents, database mega-hacks and Bing flings in the security world last week. Here are a few tidbits beyond what you’ve read in El Reg.

Exim bug resurfaces with improbable exploit

Are you running the latest version (4.9.2) of Exim on your Linux box? If so, you can go ahead and skip down to the next item, because you’re already clear of danger.

Everyone else may want to consider updating, because older versions of the mail server software have been found to contain a command execution vulnerability that is remotely and locally exploitable.

The bug was first addressed in February of this year when the latest Exim build was released. At the time, it was not considered to be a security issue, but rather a minor bug that wouldn’t need to be addressed in older versions.

Fast-forward to May 27, when a team at Qualys discovered and reported a way to locally and remotely exploit the bug to execute commands. This necessitated a patch from Exim for all affected supported versions that was slated to arrive on June 11, but had to be moved up to the 5th after the issue was accidentally made public.

Fortunately, there is little actual danger of remote exploitation at this moment, thanks to the complicated nature of the remote attack. Actually exploiting the vulnerability over the network would take around seven days of continuous connection to the vulnerable server. Still, it would be a good idea to update your software sooner rather than later: local exploitation is instant and trivial.

Firefox smacks down trackers

Mozilla is continuing the campaign to paint itself as the good guy of the browser world by emphasizing privacy protections. This time, it is a new rule in Firefox that blocks third-party web trackers by default.

While it won’t make advertisers or marketing heads happy, the new setting will appeal to users tired of having their comings and goings monitored by sketchy sites and ad agencies. Mozilla is also going out of its way to assure users the new feature won’t break their favorite sites.

“Because we are modifying the fundamental way in which cookies and browser storage operate, we’ve been very rigorous in our testing and roll-out plans to ensure our users are not experiencing unforeseen usability issues,” said Mozilla’s Peter Dolanjski.

“If you’re already using Firefox and can’t wait, you can turn this feature on by clicking on the menu icon marked by three horizontal lines at the top right of your browser, then Content Blocking.”

Sandbox Escaper strikes again with Edge EoP disclosure

Bug-hunter SandboxEscaper has once again lived up to their moniker by disclosing an exploit that lets users break account protections via a race condition in Edge. The researcher has posted details and a video PoC showing how the flaw can be used to allow an unprivileged user to get admin privileges.

Apple loosens MDM rules for parental control

The notorious control freak Apple has decided to ease up a bit on the restrictions it placed around mobile device management (MDM) tools. In this case, the Cupertino iPhone maker is allowing some parental control tools to once again use its MDM APIs, provided they agree to strict privacy protections, something that had previously caused Apple to block several parental control tools it had deemed were posing a privacy risk to kids.

Citrix gets sued in fallout from employee data leak

Enterprise software house Citrix is the defendant in a class-action complaint accusing it of mishandling the sensitive data of its employees.

Their details were among the 6TB of data apparently pilfered by Iranian hackers. The complaint, filed on behalf of all employees whose data was included in the leak, seeks a jury trial to determine damages, but more likely will be dismissed or settled long before that happens.

Android malware did slip into a phone factory after all

Back in 2017, researchers found that a handful of Android phones appeared to be shipping with a piece of adware already installed. This week, that was confirmed when Google admitted hackers had managed to get the malware into the firmware at the factory level. Fortunately, the phones in question (Leagoo M5/M8 and Nomu S10/S20) weren’t particularly popular, so the outbreak wasn’t catastrophic.

Yet another RDP attack surfaces

No, you’re not having déjà vu and we aren’t just getting around to BlueKeep. This week an entirely new issue in Windows Remote Desktop was disclosed, when Joe Tammariello of SEI showed that an attacker could circumvent a locked RDP session by interrupting and resuming the network connection, thus forcing the session to be unlocked.

Microsoft, however, says this is not a bug, but rather its networking protocols working as designed:

“After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA). Network Level Authentication requires user creds to allow connection to proceed in the earliest phase of connection. Those same creds are used logging the user into a session (or reconnecting). As long as it is connected, the client will cache the credentials used for connecting and reuse them when it needs to auto-reconnect (so it can bypass NLA).”

To prevent this trick, Microsoft recommends disconnecting RDP sessions when finished, rather than just locking them down.

BlackSquid attack darkens the waters of cryptocoin mining

A particularly nasty strain of coin-mining malware caught the eye of Trend Micro this week.

Dubbed BlackSquid, the infection uses a whopping eight different bug exploits and also employs a litany of evasion techniques to help it avoid detection by antivirus tools. This, the researchers said, allows the malware to run longer and thus generate more digital funbux for the attackers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/10/security_roundup/

‘Cynical and bullying’ TalkTalk hacker gets 4 years behind bars

A Welsh man who hacked British ISP TalkTalk in 2015 and siphoned off subscribers’ personal data has been sent down for four years.

A judge at the Old Bailey in London sentenced Daniel Kelley, 22, of Heol Dinbych, Llanelli, on Monday. Kelley pleaded guilty to 11 computer crime charges in 2016, and has waited more than two and a half years on conditional bail to be sentenced.

Kelley, who was previously described by prosecutors as a “prolific, skilled and cynical cyber-criminal,” will serve the four-year term in a young offenders’ institution, as he was 18 at the time of his arrest.

Back in 2015, Kelley was among the five young men – all aged between 15 and 20 at the time – collared by the plod, and accused of breaking into broadband provider TalkTalk’s customer database and stealing a copy of its contents.

Among the pilfered records were customer names and addresses, dates of birth, payment card details, phone numbers, and email addresses. In total, roughly 157,000 customers in the UK were caught up in the hack, which was said to have cost TalkTalk £77m to clean up.


It was also claimed Kelley reached out to TalkTalk’s then-CEO Dido Harding and demanded a substantial cash payout in Bitcoins, 465 to be precise, in exchange for not leaking the swiped customer database onto the web.

In addition to the TalkTalk network raid, Kelley was alleged to have been involved with hacking and extorting at least six other organizations in the UK and internationally. The targets included Zippo Lighters, RC Hobbies, ISP JISC, and TAFE Queensland. It was also claimed Kelley, when aged 16, compromised systems at his college, and disrupted the Welsh Government Public Sector computer network, disabling communications between hospitals and preventing radiologists from accessing images.

The court also heard that Kelley has been diagnosed with Asperger’s syndrome and, since his legal woes began, has suffered bouts of depression and extreme weight loss.

The prosecution told the judge Kelley would “bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety.” He was eventually caught when the police traced an IP address used during an attack back to his home internet connection.

The court was also told by Kelley’s lawyers that the young crook had turned to hacking out of spite when he failed to get the GCSE grades required to take a BTEC college computer course he wanted to enroll in: he wanted to take a level 3 course, but only made the grades for a lower level 2. Prosecutors said that spite later evolved into a power trip, and an “utterly ruthless” hacking approach by Kelley. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/10/talktalk_hacker_jailed/

Can’t get infected via email if your messages aren’t delivered: Seven-hour slowdown hits Symantec cloud filters

Symantec is working to restore its Email Security.cloud service following a major slowdown that has lasted throughout the US morning and into the afternoon.

The security software giant said unspecified gremlins knackered its cloud-hosted email filtering service, resulting in email flows slowing to a trickle for customers in North America and EMEA. Those who were able to reach the service may have experienced a backlog of emails all arriving at once.

By 1300 Pacific time, Symantec said it had added additional “processing capacity” to help get the enterprise mail filtering service back online.

“Existing queued emails continue to be delivered but at a reduced rate. In the meantime, our engineers continue to manually load balance email traffic and have taken impacted infrastructure out of service where possible,” a Symantec system status update read.

“Some customers may continue to experience delays sending or receiving emails.”

The incident began at around 0615 PDT, or 1215 UTC, when Symantec said it had begun fielding reports from North America and EMEA customers that their emails were not being sent or received in a timely matter.

An hour later, Symantec reported its engineers had identified and begun to mitigate the issue, but email service remained slowed. The company noted that no other services, including the threat monitoring part of the security offering, were being affected. So the emails were being scanned and cleaned, they were just slow to be delivered.

About four hours after first reporting the issue, the service was beginning to speed up a bit, though significant delays remained. At five hours, the emails that had been backlogged in the queue were finally ready to start delivery.

Now, roughly seven hours after the outage began, Symantec says it is still working to get everything up to speed, and Register readers report they are still having problems sending and receiving mail.

The company did not respond to a Reg request for comment on what caused the issue or when it might be fully resolved.

Gobbled up in the MessageLabs acquisition of 2008, the Symantec.cloud email service is pitched as an additional layer of mail filtering and security that sits outside of the network firewall, allowing for emails to be scanned and cleaned before they even reach the customer’s on-prem systems.

This is an ongoing story, and we will provide updates as warranted. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/10/symantec_security_cloud_outage/

‘Lone Wolf’ Scammer Built a Multifaceted BEC Cybercrime Operation

A one-man 419 scam evolved into a lucrative social-engineering syndicate over the past decade that conducts a combination of business email compromise, romance, and financial fraud.

This wasn’t the first time the chief financial officer of email security vendor Agari had been targeted in a business email compromise (BEC) scam. Three months after the first incident in August 2018, Agari’s software tool again flagged a suspicious email meant for its CFO, Raymond Lim, this one posing as a supplier requesting a wire transfer for an invoice payment.

Agari researchers played along with the scammers as they had done in the August incident, impersonating the CFO’s administrative assistant and stringing them along for about a month, gathering intel on the people and operation behind the November emails. The researchers were able to identify the BEC attackers as a Nigeria-based cybercrime gang they nicknamed Scattered Canary, a group of some 35 individuals they believe may be a subgroup of an even larger criminal organization.

They discovered that this group wasn’t just sending BEC emails to make money. Scattered Canary also conducts romance scams, credit card fraud, check fraud, fake job listings, credential harvesting, and tax schemes, among other online cons.

“What we recognized when we looked at this group … was that BEC is just one type of attack these guys use at any given time. There can be dozens of [different] scams they can be doing [simultaneously],” says Crane Hassold, senior director of threat research at Agari.

The researchers kept in touch with Scattered Canary for a couple more months and were able to obtain from them eight mule accounts, which they then passed on to law enforcement as well as to financial organizations to help shut down the money-laundering.

Agari traced back the group’s founding, which began in 2008 when a lone individual, whom they dubbed “Alpha,” ran rudimentary but lucrative Craigslist scams that duped victims into wiring him money or mailing him cashier’s checks for items sold on the forum. Alpha then expanded into romance scams and brought on a fellow fraudster (“Beta”). The pair laundered their pilfered funds via money mules and then ultimately set their sights on bigger targets, mainly businesses and government agencies via BEC scams, the centerpiece of the group’s operation today. In the past two years, the group doubled in size as it harvested new mule accounts and expanded into other crimes, such as tax return fraud.

Scattered Canary’s scams are rooted in pure social engineering: no malware required.

“We’ve not seen Scattered Canary using malware,” says Ronnie Tokazowski, senior threat researcher at Agari. “They are using compromised RDP [remote desktop protocol] credentials and compromised websites to host phishing kits,” but they don’t have a full-blown hacking infrastructure per se, he explains. Scattered Canary mostly employs specific scam scripts and templates they copy and paste in emails they send to their targeted victims.

BEC and email compromise scams have been on the rise worldwide: The FBI Internet Crime Complaint Center last year received more than 20,000 reports from victims who lost more than $1.2 billion to these scams. Interestingly, in the US, half of BEC victims actually recovered 99% of their money, according to Verizon’s “Data Breach Investigations Report.” Barely 10% of them didn’t recover any of their money in the scams. But it only takes a few successful hits to be lucrative. As Verizon points out in its report, even if just 1% of 1,000 BEC attacks are successful, the BEC scammer can still net thousands of dollars.

London Blue Calling
Prior to the November incident, Agari researchers turned the tables on a BEC scam on Aug. 7, 2018, when their email security platform caught a BEC email sent to CFO Lim that posed as Agari CEO Ravi Khatod. The team was able to extract enough information from their email interactions with the attackers, a gang they dubbed London Blue, to pinpoint the physical location of two of its main operators, who live and work in London.

London Blue at the time had 20 to 25 individuals, including 17 money mules spread around the US and Western Europe.

But Scattered Canary is a much larger operation than London Blue, according to Agari. “Scattered Canary is likely an arm of a bigger entity. We are still trying to research that a little more heavily,” Hassold notes.

Scattered Canary over time had adjusted and reset its tactics. For example, after years of spoofing a targeted company’s domain, the group began employing webmail or other email accounts in the fall of 2016. They also take advantage of the fact that Gmail ignores periods in email addresses — [email protected] and [email protected], for example, are seen by Gmail as the same address, according to Agari’s report. “This allows scammers to scale their operations more effectively by removing the need to create and monitor a different email account for every account they create on a website,” the company states in its recently published report on Scattered Canary.
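The dot-insensitivity described above is easy to defend against on the registration side: collapse every address to one canonical identity before deciding whether an account already exists. This is an added illustration in JavaScript, not code from Agari’s report; it goes one step beyond the article by also dropping Gmail’s “+tag” suffix and treating googlemail.com as an alias of gmail.com, both of which are assumptions about Gmail’s behaviour stated in the comments.

```javascript
// Added example (not Agari's or the article's code): canonicalise Gmail
// addresses so that dot-variants map to one identity, then flag sign-up
// records that share an identity.
function canonicalEmail(address) {
  const trimmed = address.trim().toLowerCase();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null; // not a usable address
  let local = trimmed.slice(0, at);
  const domain = trimmed.slice(at + 1);
  // Gmail ignores dots in the local part and anything after '+'.
  // Assumption: googlemail.com delivers to the same mailbox as gmail.com.
  if (domain === "gmail.com" || domain === "googlemail.com") {
    const plus = local.indexOf("+");
    if (plus !== -1) local = local.slice(0, plus);
    local = local.replace(/\./g, "");
    return `${local}@gmail.com`;
  }
  // Other providers are left as-is: dots are significant for them.
  return `${local}@${domain}`;
}

// Group registrations by canonical identity and return the identities
// that back more than one account. `records` is an array of {account, email}.
function findDuplicateIdentities(records) {
  const byIdentity = new Map();
  for (const { account, email } of records) {
    const key = canonicalEmail(email);
    if (key === null) continue; // skip malformed input rather than crash
    if (!byIdentity.has(key)) byIdentity.set(key, []);
    byIdentity.get(key).push(account);
  }
  const duplicates = {};
  for (const [key, accounts] of byIdentity) {
    if (accounts.length > 1) duplicates[key] = accounts;
  }
  return duplicates;
}

// Constructed sample registrations (hypothetical accounts, not real data).
const sampleRegistrations = [
  { account: "acct-1001", email: "john.doe@gmail.com" },
  { account: "acct-1002", email: "j.o.h.n.doe@gmail.com" },
  { account: "acct-1003", email: "johndoe+shop@googlemail.com" },
  { account: "acct-1004", email: "jane.doe@example.org" },
  { account: "acct-1005", email: "janedoe@example.org" },
];

console.log(findDuplicateIdentities(sampleRegistrations));
```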

A recent Cisco Systems report found that two-thirds of BEC scams employ free webmail and 28% use registered domains.

Meanwhile, starting in July 2018, Scattered Canary shifted from wire transfers to gift cards as a way to cash out its stolen funds. They duped business victims with emails purportedly from the CEO asking them to purchase Amazon and Apple iTunes gift cards. “Like other scammers involved in gift card BEC scams, Scattered Canary laundered the gift cards they received from victims through a peer-to-peer online cryptocurrency exchange called Paxful,” Agari wrote in its report on the gang. Scattered Canary was able to get 132 gift cards from victims valued at two bitcoin apiece on Paxful, or some $12,000 to $14,000.

The BEC gang halted the gift card cashout approach in November 2018 when the price of bitcoin dropped.

BEC ROI
Hassold says it’s possible well-established cybercrime organizations in Eastern Europe and Russia could pivot to BEC scams as well. Given their size and resources, those gangs could perform even more convincing attacks.

“The ROI for BEC is significantly higher than any of the other more technical cyberattacks. I think that’s going to be the next step. We’ll see other groups move into this space,” Hassold says, which will mean more professional and difficult-to-spot BEC emails.

Cybercriminals already have been moving away from pricey zero-day attacks to lower-tech, cheaper weapons, such as malware-laden file attachments. “They’re going back to basics. I don’t need to develop an 0-day if I can put a macro in a Word file and a victim will click on it,” Agari’s Tokazowski notes. Hassold recommends that organizations include social engineering in their cyberthreat training and conversation in order to defend against BEC and other email-borne scams targeting businesses today.

“These nontechnical type attacks are now the predominant mode of cyberattacks today,” he says. “This is the type of attack employees will see, so they should include them in education and awareness training.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/lone-wolf-scammer-built-a-multifaceted-bec-cybercrime-operation-/d/d-id/1334916?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GoldBrute Botnet Brute-Forcing 1.5M RDP Servers

Botnets are scanning the Internet for servers exposing RDP and using weak, reused passwords to obtain access.

Security researchers are watching a new botnet, GoldBrute, which is currently brute-forcing a list of roughly 1.5 million remote desktop protocol (RDP) servers exposed online. The ongoing campaign is one of many scanning for vulnerable servers and using weak or reused passwords to access them.

RDP has been making headlines since Microsoft disclosed “BlueKeep,” a remote code execution vulnerability that includes RDP in its attack chain. But botnets have been hunting vulnerable RDP servers for years, explains Renato Marinho, chief research officer at Morphus Labs, in a blog post. GoldBrute uses its own list, which it continues to build as it scans for credentials.

The botnet initially scans for random IP addresses to find hosts with exposed RDP servers; these addresses are sent back to the command-and-control (C2) server. Once the bot reports 80 victims, the C2 assigns it a set of targets to brute-force. Each bot only tries one specific username and password, which researchers expect is a strategy to bypass security tools.

After the RDP target is successfully brute-forced, it downloads a large zip file with the GoldBrute Java code and Java runtime, then runs a jar file (“bitcoin.dll”). The new bot then starts to scan for open RDP servers they call “brutable,” and these are sent to the C2 via WebSocket connection. When the bot reaches 80 brutable servers, it begins the brute-force phase: the bot continuously receives and brute-forces “host + username + password” combos, and any valid combinations are passed along to the attackers to continue building the list.


Article source: https://www.darkreading.com/threat-intelligence/goldbrute-botnet-brute-forcing-15m-rdp-servers-/d/d-id/1334921?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Online shops fear 2FA at checkout will increase abandoned carts

You’re sitting at your computer when it occurs to you that you really need to buy more tube socks, so you click yourself on over to Tube-Socks-R-Us.com and fill your cart full of socks.

But wait, what’s this? You’re being asked for another sign of authentication before you can check out? Why, that means you have to get up! You need to go get your phone for that one-time PIN! And that darn phone is all the way over there! Well, just forget it, you say, and yet another abandoned cart gets added to the heaps of can’t-be-bothered purchase exhaustion that’s (reportedly) the stuff of online merchant nightmares.

Well, that’s the dystopian, dys-profitable e-commerce future envisioned by Stripe, at any rate. Stripe, maker of online payment technology, recently commissioned research from 451 Research. Based on input from 500 businesses and 1,000 consumers, 451 Research concluded that the EU’s online economy risks losing €57 billion (US $64.6 billion) when Strong Customer Authentication (SCA) goes into effect on 14 September 2019 and ushers what will potentially be forget-the-socks-inducing friction into the checkout process.

SCA is all about protecting consumers by clamping down on fraud. One of the new requirements of the second Payment Services Directive (PSD2) that was passed by the EU in November 2015, it involves introducing additional authentication into online checkout. That can be as simple as a one-time PIN code generated by, say, a text message, by a code generator with an authenticator app such as Sophos Authenticator, or it could be fingerprint confirmation on those devices that support it.

Here’s the definition of SCA from the current guidelines published by the European Banking Authority (EBA), the EU body tasked with supervising and regulating the banking sector:

Strong customer authentication is, for the purpose of these guidelines, a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence: i) something only the user knows, e.g. static password, code, personal identification number; ii) something only the user possesses, e.g. token, smart card, mobile phone; iii) something the user is, e.g. biometric characteristic, such as a fingerprint. In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).

At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.

Reducing online payment fraud is a laudable goal, the 451 Research report agreed, but yikes, we’re going to be looking at a lot of transactions declined by banks:

While these objectives are laudable, SCA brings with it deep consequences for the customer experience and a far-reaching impact on Europe’s online economy. Online businesses that fail to abide by these requirements to build additional authentication into their checkout flow will see a dramatic drop in approvals as banks become obligated to decline their transactions outright.

We heartily support SCA

This will come as no shocker: at Naked Security, we believe that anything that makes fraud harder is to be applauded.

“The best way to approach this whole issue is for us all to agree to ditch the word ‘frictionlessness’ from our cybersecurity jargon,” said our very own Paul Ducklin…

I’m not suggesting that we make online spending so hard that no one wants to do it, but if €57 billion of turnover really does pivot on keeping online payments stripped back to a single, effortless click, then we’re softening up a whole generation of young computer users to the idea that cybersecurity is ‘someone else’s problem’ to be solved entirely behind the scenes. We’d do better to embrace an online world where the motto ‘Stop. Think. Connect’ is the one we live by.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mToi_3O8lAo/

Laptops used in 2016 NC poll to be examined by feds – after 2.5 years

More than two and a half years after the fact, the Feds are finally going to investigate the failure of voter registration software – from a company that had been cyber-attacked by Russians just days before the November 2016 US presidential election – in the swing state of North Carolina.

Politico has reviewed a document and spoken to somebody with knowledge of the episode, both of which suggest that the vendor, VR Systems, “inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election.”

Specifically, VR Systems used remote-access software to connect for several hours to a central computer in Durham County so as to troubleshoot problems with the company’s voter registration software. In fact, election officials would come to find out that this was common practice, according to Politico’s source, in spite of the fact that election technology security experts agree that it opens up systems to hacking.

Election Day 2016: Durham County

When the polls opened in Durham County on 8 November 2016, election officials discovered that the laptop computers used by precincts to verify voter registration had malfunctioned. They were forced to cross-check voter registration with old-fashioned paper poll registries and to extend voting hours.

It was suspicious, and it wasn’t an isolated incident. Five or six precincts reported the same problem with the computerized check-in system from VR Systems, a Florida-based e-voting vendor with customers in eight states. The county, which leans heavily to the Democrats, had delivered 75% of its votes to Barack Obama during both of his presidential runs, and North Carolina was considered a key swing state in the 2016 presidential election.

At the time, state election officials hadn’t taken the 21 affected laptops as evidence. If there were any forensic analysis done on those laptops before now, it wasn’t publicly disclosed, making last week’s announcement the first known federal probe of the malfunctioning technology.

The Associated Press last week reported that the US Department of Homeland Security (DHS) will be conducting the forensic analysis to find out what happened with those laptops during an election that special counsel Robert Mueller has said the Russians had tried to push toward a win for Donald Trump.

More than a year for attackers to erase their tracks

It wasn’t until 2017 that the state election officials seized those 21 laptops, following the Intercept having published a leaked report from the National Security Agency (NSA). In that report, the NSA described how Russian hackers had launched a spearphishing attack against employees of VR Systems just days before the 2016 election.

Josh Lawson, who was general counsel of the North Carolina board of elections at the time, says that following the leaked report, state election officials seized those 21 laptops as evidence. But it was more than a year after the Election Day episode – plenty of time for hackers to erase their tracks.

On Thursday, Lawson said that his office had asked federal officials to do a forensic exam of those laptops, and that the state, working with the FBI, had taken images of the hard drives.

Did those 12 indicted Russian intelligence officers hack VR Systems?

As recently as June 2018, VR Systems reportedly denied that the attackers had succeeded in hijacking any of its systems.

But they apparently did, judging by the indictment of 12 Russian intelligence officers prepared by former Special Counsel Robert Mueller and handed down by a grand jury in July 2018.

According to the Intercept’s report, the Russian hackers used a VR Systems account to send spearphishing emails to more than 100 local election officials.

Politico’s source told the publication that VR Systems finally agreed to stop using remote-access software to troubleshoot its customers’ systems – at least, in North Carolina. The company reportedly considers remote support a feature, not a bug, in spite of the fact that election security experts generally condemn remote connections to election-related computer systems.

Paperless problems

In fact, they don’t like internet-anything when it comes to election technology. In September 2018, an expert panel at the National Academy of Sciences called for sweeping election reforms, including one, specific recommendation that should come as no surprise: use paper ballots.

From the panel’s report:

Ballots that have been marked by voters should not be returned over the internet or any network connected to it, because no current technology can guarantee their secrecy, security, and verifiability.

DHS to the rescue?

The state election board’s spokesperson, Patrick Gannon, last month told Politico that state investigators believe that “human error on the part of Durham County election and poll workers likely contributed to the 2016 incident,” but that the investigation remains open because the agency “does not have the technical expertise to conduct a forensic examination of the laptops.”

DHS told Politico that it plans to work with the state election board “to analyze the laptops used in Durham County elections in 2016. This support may help to provide a better understanding of previous issues and help to secure the 2020 election.”

Senator Ron Wyden, a leading critic of VR Systems, told Politico that the e-voting technology company is “serving up our democracy on a silver platter to foreign hackers” by remotely accessing voting systems the day before Election Day, as the company did. Remote access the day before elections, that is, and after they’d discovered that they’d been targeted in a spearphishing attack (an attack that, again, the company says didn’t succeed in breaching its systems).

Wyden:

No company that plays such a critical role in our elections should be taking such a reckless shortcut with the cybersecurity of its state and local customers.

The fact that we’re just learning about this practice two years after the election, and after any evidence of hacking has likely been destroyed, is inexcusable. Americans need to know if VR Systems still has remote access to election computers in other states, and how often this occurred.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SeNlQbXvH9U/

Cryptocurrency attack thwarted by npm team

Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.

The attacker injected malicious code into Agama, a cryptocurrency wallet created by Komodo. If successful, they could have stolen around $13m of Komodo’s KMD cryptocurrency, which is a privacy-centric coin. Luckily, they were thwarted by quick action from both Komodo and software repository npm.

On 8 March 2019, the attacker, posing as a helpful developer, published what appeared to be a useful update to a software component used by the Agama wallet. The attacker, who called themselves ‘sawlysawly’, posted the update on GitHub, the developer collaboration website where Komodo hosts its source code.

Open source developers like to reuse each other’s software rather than reinventing the wheel. When a software application relies on a third party to do something, it’s called a dependency. The third-party building blocks on which applications depend are known as packages or modules, and people publish them in central repositories for developers to find. One of those repositories is npm. Started in 2009, it deals with JavaScript packages.

An npm package called electron-native-notify was introduced by sawlysawly as a dependency in the Agama wallet, meaning that the new version of the wallet would use that code.

At the time of the commit, the version of electron-native-notify (1.1.5) on npm was legit, but 15 days after making the commit, the npm package was updated to 1.1.6, which included a malicious payload. The next version of Agama was released on 13 April 2019.

The change in electron-native-notify enabled the attacker to steal the wallet seed, which is a secret phrase that enables users to retrieve their coins using any wallet.
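The version bump described above (a manifest written when 1.1.5 was current, a later install resolving 1.1.6) is the pattern a dependency audit should surface. The following is an added example, not Komodo’s or npm’s code: it checks a package.json against its package-lock.json for floating semver ranges that would silently accept a newer release, for locked versions outside the declared range, and for entries with no integrity hash. The manifests, package names other than electron-native-notify, and the integrity value are constructed for illustration.

```javascript
// Added example (not Komodo's or npm's code). Minimal semver handling for
// exact, caret (^) and tilde (~) ranges, enough to show why "^1.1.5" lets
// a later "1.1.6" publish into a build without any change to the manifest.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `candidate` satisfies `range` (exact, ^ or ~ forms only).
function satisfies(range, candidate) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const [bM, bm, bp] = parseVersion(range.replace(/^[\^~]/, ""));
  const [cM, cm, cp] = parseVersion(candidate);
  const cmp = (a, b) => (a > b) - (a < b);
  const order = cmp(cM, bM) || cmp(cm, bm) || cmp(cp, bp); // sign of candidate - base
  if (order < 0) return false;                               // older than the base never matches
  if (op === "") return order === 0;                         // exact pin
  if (op === "~") return cM === bM && cm === bm;             // patch releases only
  return bM === 0 ? cM === 0 && cm === bm : cM === bM;       // caret: same major (0.x: same minor)
}

// Flags floating ranges, lockfile drift and missing integrity hashes.
function auditDependencies(pkg, lock) {
  const findings = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const locked = lock.dependencies && lock.dependencies[name];
    if (!locked) { findings.push({ name, issue: "missing-from-lockfile" }); continue; }
    if (!satisfies(range, locked.version)) {
      findings.push({ name, issue: "lockfile-outside-range", version: locked.version });
    }
    if (/^[\^~]/.test(range)) {
      findings.push({ name, issue: "floating-range", range, resolved: locked.version });
    }
    if (!locked.integrity) findings.push({ name, issue: "no-integrity-hash" });
  }
  return findings;
}

// Constructed manifests: the range was written when 1.1.5 was current and the
// lockfile later resolved 1.1.6. "left-pad" and the integrity value are placeholders.
const examplePkg = { dependencies: { "electron-native-notify": "^1.1.5", "left-pad": "1.3.0" } };
const exampleLock = { dependencies: {
  "electron-native-notify": { version: "1.1.6", integrity: "sha512-PLACEHOLDER" },
  "left-pad": { version: "1.3.0" } } };
```

Pinning the exact version in the manifest removes the floating-range finding, but only the lockfile’s integrity hash ties a build to the bytes that were actually reviewed.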

Wallet seeds are a great way to get at your coins from anywhere, meaning that if your hard disk crashes and your wallet is erased, you can still get your coins back (unlike this guy). The downside is that if anyone gets your seed, they can use it to pilfer your cryptocurrency by accessing your addresses and transferring the coins out.

The attacker configured the malicious code to copy the seed phrases from infected Agama wallets to a public server. That way, the attacker could visit the site and access the seeds, but no one could pin the crime on them. They then began emptying people’s accounts, said Komodo.

The npm team discovered the problem in early June after its own security analysis software alerted it. It told Komodo, which then raced to secure the vulnerable funds. It used the seeds stored on the public server to retrieve the compromised funds, moving them to a secure wallet.

This was a well thought out attack, explained Komodo in its own post on the topic:

It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.

The company has begun returning coins, urging affected users to fill out an online form. It has prioritised accounts with smaller amounts, under 7777 KMD, promising to return these accounts’ funds by 15 June. As of Sunday 9 June, it explained on its Discord channel that it had returned these users’ KMD in full, amounting to around $1m in funds, beating its own deadline by a week. Now it can begin on the larger accounts.

Komodo was eager to point out that only the Komodo Agama wallet was affected, and that another version of Agama, supporting a different Komodo project called VerusCoin, was not affected.

This shows how important it is for developers to test any third-party package on which their software depends. The more dependencies you use, the larger your potential attack surface becomes. Repositories can do some of the security work, but then you’re relying on a third party working on its own schedule to verify the software that you’re using. Props to npm for flagging this when it did, and to Komodo’s team for acting so quickly to fix the issue.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FX8MdUj0l-Q/

The GoldBrute botnet is trying to crack open 1.5 million RDP servers

Even its most optimistic users would have to concede that it’s been a bracing few weeks for anyone who relies on Microsoft’s Remote Desktop Protocol (RDP).

The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.

That came hot on the heels of Microsoft’s urgent warning in May about the risk of a dangerous “wormable” vulnerability called BlueKeep (CVE-2019-0708) in Windows XP and 7’s Remote Desktop Services (RDS) which use RDP.

Underlining the worry, two weeks after the initial alert, Microsoft issued a second anxious nudge when it discovered at least one million vulnerable systems had yet to apply the available patch.

By the time the US National Security Agency (NSA) chipped in with its own mildly apocalyptic BlueKeep alert on 4 June 2019, it was clear they believed something unpleasant might be brewing.

It’s behind you

The mega-attack exploiting BlueKeep has yet to materialise, but what users have got in the meantime is GoldBrute, a much more basic threat that targets the problem of RDP servers left exposed to the internet.

A search on Shodan puts the number of servers in this vulnerable state at 2.4 million, 1,596,571 of which, Morphus discovered, had been subjected to an attempted brute force attack targeting weak credentials.

On each server where the brute-force attempt succeeds, the command-and-control server uploads the GoldBrute code as a zip file; the newly compromised host then uses it as a launch pad for further RDP server scans and receives a fresh list of IPs and servers to attempt to brute-force. Marinho wrote:

Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.

Morphus doesn’t know how many attacks were successful, which is necessary to estimate the bot’s size. However, the company did geolocate the servers on the global target list with major hot spots in China (876,000 servers) and the US (434,000).

GoldBrute uses its own list and is extending it as it continues to scan and grow.

RDP has had its problems over the years – in 2017 we dubbed it the ‘Ransomware Desktop Protocol’ in honour of its use by extortion malware – but events of recent weeks suggest the threat is getting worse, or at least more high profile.

What you don’t know can hurt you

Inevitably, some of the servers turning up on Shodan have simply been turned on and forgotten about, exposing their owners to an “out of sight, out of mind” risk. The first task, then, is to check whether the same is true on your network.

If RDP isn’t needed, turn it off while it’s not being used, perhaps setting a firewall rule to block RDP on port 3389 for good measure.

If RDP is needed, consider using it across a VPN gateway so it’s not exposed on the internet.

Ideally, also turn on some form of network multi-factor authentication which dramatically reduces the risk in the event that server credentials are somehow compromised.

Normally, it’s a good idea to limit the number of times passwords can be guessed although, as noted above, GoldBrute is trying to fly under the radar by limiting itself to one attempt per compromised host.
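Marinho’s observation that each bot tries a single username and password per target, and the point above that a per-source guess limit therefore never trips, suggest aggregating failures per target rather than per source. The following is an added example, not Morphus Labs’ code: it scans constructed records shaped like Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) and raises an alert when a target collects failures from many distinct addresses, none of which exceeds one attempt. Host names, timestamps, thresholds and the RFC 5737 test addresses are all assumptions.

```javascript
// Added example (not Morphus Labs' code). Records are constructed to mirror
// Windows Security event 4625 with logon type 10 (RDP); hosts and addresses are fictional.
const sampleEvents = [
  { eventId: 4625, logonType: 10, target: "srv-01", src: "203.0.113.11", ts: "2019-06-03T10:00:05Z" },
  { eventId: 4625, logonType: 10, target: "srv-01", src: "203.0.113.12", ts: "2019-06-03T10:01:10Z" },
  { eventId: 4625, logonType: 10, target: "srv-01", src: "203.0.113.13", ts: "2019-06-03T10:02:30Z" },
  { eventId: 4625, logonType: 10, target: "srv-01", src: "203.0.113.14", ts: "2019-06-03T10:03:45Z" },
  { eventId: 4625, logonType: 10, target: "srv-01", src: "203.0.113.15", ts: "2019-06-03T10:04:20Z" },
  { eventId: 4625, logonType: 2,  target: "srv-01", src: "203.0.113.16", ts: "2019-06-03T10:04:50Z" }, // console logon, ignored
  { eventId: 4625, logonType: 10, target: "srv-02", src: "198.51.100.7", ts: "2019-06-03T10:00:00Z" }, // classic single-source
  { eventId: 4625, logonType: 10, target: "srv-02", src: "198.51.100.7", ts: "2019-06-03T10:00:03Z" }, // brute force: a per-source
  { eventId: 4625, logonType: 10, target: "srv-02", src: "198.51.100.7", ts: "2019-06-03T10:00:06Z" }, // lockout already covers it
];

// One alert per target whose failed RDP logons inside any windowMinutes span came
// from at least minSources distinct addresses, with no address trying more than maxPerSource times.
function detectDistributedRdpBruteForce(events, { windowMinutes = 10, minSources = 5, maxPerSource = 1 } = {}) {
  const byTarget = new Map();
  for (const e of events) {
    if (e.eventId !== 4625 || e.logonType !== 10) continue;   // failed RDP logons only
    if (!byTarget.has(e.target)) byTarget.set(e.target, []);
    byTarget.get(e.target).push(e);
  }
  const alerts = [];
  const windowMs = windowMinutes * 60 * 1000;
  for (const [target, list] of byTarget) {
    list.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
    for (let i = 0; i < list.length; i++) {
      const counts = new Map();                                // src -> attempts inside this window
      for (let j = i; j < list.length && Date.parse(list[j].ts) - Date.parse(list[i].ts) <= windowMs; j++) {
        counts.set(list[j].src, (counts.get(list[j].src) || 0) + 1);
      }
      const lowAndSlow = [...counts.values()].every(n => n <= maxPerSource);
      if (counts.size >= minSources && lowAndSlow) {
        alerts.push({ target, distinctSources: counts.size, firstSeen: list[i].ts });
        break;                                                  // one alert per target is enough
      }
    }
  }
  return alerts;
}
```

The same aggregation works keyed on the target account instead of the host when the campaign sprays one username across many servers.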

If there’s one piece of good news regarding RDP threats it’s that they’re coming to light before mass exploitation – there is still time to act.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wxnKlqTawX0/

Microsoft warns of time-travelling equation exploit – are you safe?

Thanks to Graham Chantry of SophosLabs for his help with this article.

Remember Microsoft’s Equation Editor?

It was written way back in 2000, before Bill Gates’s famous 2002 “trustworthy computing” email.

That email was a message to everyone at Microsoft to start writing software with security in mind up front, rather than merely as an afterthought.

In other words, the Equation Editor predated both DEP, short for Data Execution Prevention, and ASLR, short for Address Space Layout Randomisation.

These two techniques alone have made bugs such as buffer overflows much harder to exploit.

DEP means that blobs of data can no longer be directly executed as if they were programs, so hackers have to try to deflect the flow of execution into software that the operating system has already loaded.

That means the crooks have to predict in advance where Windows will load its system code for making network connections, opening files, editing the registry, and so on.

But ASLR tells Windows to pick different memory locations for its system functions every time you boot up, so the crooks can’t predict, or even reliably guess, where to go to after a buffer overflow.

Unfortunately, even though Microsoft Office had its security posture beefed up back in 2010, the Equation Editor, also known as EQNEDT32.EXE, did not.

In other words, the otherwise-secure Office apps (including, as it happened, the stripped-down WordPad document editor) could be tricked into launching an insecure sub-process…

…simply by sticking a mathematical equation into a document and saying, “This bit needs the equation editor.”

One rotten apple, as they say, spoils the barrel.

Fortunately, it took 17 years for anyone to figure out this loophole, until late in 2017 when exploits based on abusing EQNEDT32.EXE first showed up.

Microsoft promptly squashed the bug, dubbed CVE-2017-11882 (and offered instructions on how to turn off the equation editor for those who were hesitant to apply the November 2017 Patch Tuesday updates), and that should have been that.

Except that it wasn’t.

Nearly a year after the patch came out, SophosLabs researcher Gabor Szappanos lamented that CVE-2017-11882 had become the most popular document-based attack tool on the underweb.

Tools such as the NebulaOne exploit builder made it easy even for non-technical cybercrooks to churn out malware that was activated by the buggy EQNEDT32.EXE program.

Unlike Office macros, which are embedded document programs that you have to approve before they’ll run, booby-trapped equations can exploit the CVE-2017-11882 bug without any warning dialogs popping up.

Sadly, the equation editor bug still seems to be widely unpatched, to the point that Microsoft itself has warned of “increased activity in the past few weeks”:

We’ve seen a similar uptick, too, with SophosLabs receiving emails like this one that tries to trick you into opening a booby-trapped attachment:

In the sample above – remember, though, that subject lines, email content and filenames change all the time – the attachment is a RAR archive that contains a .doc file.

Ironically, the RAR file has been given the name of a different archive format, .gz (short for Gzip), and the .doc file is actually in Rich Text Format (longhand for RTF), but the combination is nevertheless effective.

(The booby-trapped file is blocked by Sophos products as Troj/RTFExp-EP, where RTFExp is shorthand for Rich Text Format exploit.)

Archive extraction tools will typically offer to open any file that has an archive-related extension, even if it’s mis-named, and figure out which unarchiving algorithm to use when you click on it.

Likewise, Office and WordPad will happily open .doc files on the basis of their name, and automatically recognise them as RTF files if needed.

Simply put, RTF files don’t need a .RTF extension, and RAR files don’t have to be called .RAR – the programs that handle them take care of the how once you have decided on the what.
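Since the handling programs decide the “how” from the bytes, a mail filter that wants to block file types you don’t need (as the advice below suggests) has to do the same. The following is an added example, not Sophos’s code: it identifies an attachment from its leading bytes using the standard magic numbers, compares that with what the filename claims, and blocks on the sniffed type or on a name/content mismatch. The sample buffers, filenames and the blocked-type policy are constructed.

```javascript
// Added example (not Sophos's code). Standard leading-byte signatures; the list
// is deliberately short and covers the formats the article mentions.
const SIGNATURES = [
  { type: "rar",  bytes: [0x52, 0x61, 0x72, 0x21, 0x1a, 0x07] },              // "Rar!\x1a\x07" (RAR4 and RAR5 prefix)
  { type: "gzip", bytes: [0x1f, 0x8b] },
  { type: "zip",  bytes: [0x50, 0x4b, 0x03, 0x04] },                          // also .docx/.xlsx containers
  { type: "ole",  bytes: [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1] },  // legacy binary .doc/.xls
  { type: "rtf",  bytes: [0x7b, 0x5c, 0x72, 0x74, 0x66] },                    // "{\rtf"
  { type: "pdf",  bytes: [0x25, 0x50, 0x44, 0x46] },                          // "%PDF"
];

// What content each extension is expected to carry. ".doc" is held to the binary
// format here on purpose: Word will open an RTF named .doc, which is exactly
// why the filter, not the name, has to notice.
const EXPECTED = { rar: ["rar"], gz: ["gzip"], zip: ["zip"], docx: ["zip"], doc: ["ole"], rtf: ["rtf"], pdf: ["pdf"] };

function sniffType(buf) {
  for (const s of SIGNATURES) {
    if (buf.length >= s.bytes.length && s.bytes.every((b, i) => buf[i] === b)) return s.type;
  }
  return "unknown";
}

function extensionOf(name) {
  const m = /\.([a-z0-9]+)$/i.exec(name);
  return m ? m[1].toLowerCase() : "";
}

// Policy decision is made on what the bytes are, never on what the name says.
// A mismatch between name and content is held for inspection as well.
function classifyAttachment(name, buf, blockedTypes = ["rar"]) {
  const ext = extensionOf(name);
  const actual = sniffType(buf);
  const expected = EXPECTED[ext] || [];
  const mismatch = expected.length > 0 && !expected.includes(actual);
  return { name, ext, actual, mismatch, block: blockedTypes.includes(actual) || mismatch };
}

// Constructed samples mirroring the lure: a RAR header named like a gzip, an RTF body named .doc.
const rarNamedGz = Buffer.from([0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00, 0x00]);
const rtfNamedDoc = Buffer.from("{\\rtf1\\ansi Hello}", "latin1");
const realGz = Buffer.from([0x1f, 0x8b, 0x08, 0x00]);
```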

Because CVE-2017-11882 can be exploited to trick EQNEDT32.EXE into doing almost anything, the details of what happens next can be altered by the crooks as easily as they can change the email subject or the attachment name.

In the example above, the booby-trapped attachment used EQNEDT32.EXE to try to download and execute a Windows program, which was given a name consisting of a random string of digits followed by .EXE.

The site used to host the downloaded malware seems to be an improperly configured home user’s website in Poland. (Both the site and the download were blocked by Sophos products.)

What to do?

  • Don’t skip patches. Whether by accident or design, it’s easy to miss out on a patch along the way and never go back to check that you really are up-to-date. Don’t make life easy for the crooks by leaving a door open that you could have closed 18 months ago!
  • Use an on-access (real-time) anti-virus. Lots of computers come with built-in security software these days, but one-size-fits-all cybersecurity should be treated as a basic layer that you use to tide you over until you can apply defence in depth.
  • Filter your email. Don’t just look for known malware – take your safety one step further. If you rarely or never use RAR files, for example, or if you prefer PDFs to RTFs, block the file types you don’t need and you will end up with less to worry about.
  • Keep track of your websites. Don’t enable online services or create online accounts just because they come free with your internet access contract. Crooks will happily take over forgotten or neglected accounts, leaving you to take the blame for helping them to attack the next guy.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/O3vGi3g41ds/