STE WILLIAMS

Drone owner fined for putting police helicopter crew ‘in danger’

The owner of an iPad-controlled, £900 (USD $1,150) drone who flew it into the path of a police search helicopter has become the first person to be prosecuted under UK drone laws.

At Peterborough Magistrates’ Court on Friday, 37-year-old Sergej Miaun was ordered to pay fines and court costs amounting to £464 (USD $593) and to give up his drone, according to The Independent.

The BBC reports that he was found guilty of failing to maintain direct, unaided visual contact with a drone and flying it without being “reasonably satisfied” that he could do so safely.

Prosecutors told the court that Miaun’s amateurish flight could have caused “catastrophic” consequences, similar to the helicopter crash that left five people dead in Leicester City. The cause of that deadly crash hasn’t yet been determined, but aviation experts have suggested that the helicopter’s loss of power to the tail rotor could have been caused by a large bird or a large drone.

With regards to the UK’s first-ever conviction on unsafe drone flying, on 9 December, a police search helicopter had been out looking for a missing woman near a river in Cambridgeshire when the pilot was forced to take evasive action to avoid a drone that narrowly passed beneath it. Police followed the drone back to a home in Guyhim – a town in Cambridgeshire – and searched until they found the Phantom 4 drone hidden in a loft hatch above the bath in Miaun’s home.

Miaun denied that the device had ever gotten more than 420 meters away from his home, but the flight path said otherwise: it revealed that the unmanned aerial vehicle had drifted half a mile away from his home.

Acting Sergeant Darren Gore told the court that the police helicopter pilot – Captain Lee Holmes – had testified that for a good five minutes, he lost sight of the drone. That’s where he would have lost the ability to evade it, he said:

For five minutes I don’t know where the drone is. You see in Leicester, when it goes wrong? It’s catastrophic.

Chief Magistrate Hilary Glover:

We consider this to be reckless, especially considering the possible serious consequences of your actions.

As far as unsafe drone flying in the US goes, in February, a 38-year-old man from the state of Washington was sentenced to 30 days in jail after knocking out a woman at a Gay Pride event in Seattle. He was the first US person to be charged with mishandling a drone in a public space, Seattle prosecutors said when he was convicted in January 2017.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RlWdp2Cny7k/

If you’re using Dell EMC Avamar, even in VMware’s vSphere, you need to grab and install these security updates

Get patching: data protection offerings in the Dell EMC Avamar range have four exploitable security bugs – one enabling remote code execution – and VMware’s inherited the vulnerabilities, with fixes now available.

The first two bugs were described in this post on the Full Disclosure mailing list on Tuesday. There’s one remote code execution (RCE) vulnerability (CVE-2018-11066), and one open redirection vulnerability (CVE-2018-11067). Nine Dell Avamar releases – six versions of its server, and three integrated data protection appliances – are affected, and patches for all versions are available from support.emc.com.

Details on the RCE were scant, but we’re told it can be exploited by an unauthenticated attacker to run arbitrary commands on the server. So, total pwnage, then. The open redirect bug would be useful to attackers bent on a phishing campaign: “A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links,” the Dell advisory stated.

I’ve got the key, I’ve got the secret

Separate posts to Full Disclosure cover the other two flaws: CVE-2018-11076 and CVE-2018-11077.

CVE-2018-11076 is a nasty information disclosure bug in the Avamar Java management client package – it can be leveraged to leak the management console’s SSL/TLS private key. That exposes the management console to man-in-the-middle attacks by unauthenticated users on the “same data link layer” (that is, the same network).

CVE-2018-11077 is an operating system command injection vulnerability that affects nine versions of the Avamar server, and three data protection appliance variants. The post explained the bug was in the products’ getlogs utility, and would allow a malicious Avamar admin to “execute arbitrary commands under root privilege.”

VMware’s advisory said its Avamar-based vSphere Data Protection products, versions 6.0.x and 6.1.x, need patches against the four bugs.

The security holes were turned up by Australian security research outfit TSS Cyber.

As SANS Senior ISC Handler Xavier Mertens remarked, “This is a perfect example of how a product ‘A’ can affect a product ‘B’ when technologies are reused across multiple solutions.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/21/vmware_dell_security_patches/

Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you’re visiting

Special report Computer science boffins have demonstrated a side-channel attack technique that bypasses recently-introduced privacy defenses, and makes even the Tor browser subject to tracking. The result: it is possible for malicious JavaScript in one web browser tab to spy on other open tabs, and work out which websites you’re visiting.

This information can be used to target adverts at you based on your interests, or otherwise work out the kind of stuff you’re into and collect it in safe-keeping for future reference.

Researchers Anatoly Shusterman, Lachlan Kang, Yarden Haskal, Yosef Meltser, Prateek Mittal, Yossi Oren, Yuval Yarom – from Ben-Gurion University of the Negev in Israel, the University of Adelaide in Australia, and Princeton University in the US – have devised a processor cache-based website fingerprinting attack that uses JavaScript for gathering data to identify visited websites.

The technique is described in a paper recently distributed through ArXiv called “Robust Website Fingerprinting Through the Cache Occupancy Channel.”

“The attack we demonstrated compromises ‘human secrets’: by finding out which websites a user accesses, it can teach the attacker things like a user’s sexual orientation, religious beliefs, political opinions, health conditions, etc.,” said Yossi Oren (Ben-Gurion University) and Yuval Yarom (University of Adelaide) in an email to The Register this week.

It’s thus not as serious as a remote attack technique that allows the execution of arbitrary code or exposes kernel memory, but Oren and Yarom speculate that there may be ways their browser fingerprinting method could be adapted to compromise computing secrets like encryption keys or vulnerable installed software.


In any event, the attack could have serious consequences for those using Tor in the belief that their website visits can be kept secret.

A side-channel attack (or “transient execution attack”) involves observing some portion of a computing system to collect measurements that can be used to infer otherwise privileged information. The Spectre, Meltdown, and Foreshadow vulnerabilities revealed this year all have the potential to be exploited via side-channel attack techniques.

Oren and Yarom explained their approach works at a more fundamental level than Spectre. “It works in places where Spectre cannot work (for example, across process boundaries), and the CPU patches built to protect against Spectre cannot stop it,” they said. “On the other hand, the Spectre attack is capable of recovering information at a much higher resolution than our attack.”

One of the ways these attacks have been mitigated is by limiting access to high-precision timers, by which side-channel data can be collected. When the Spectre and Meltdown vulnerabilities were first disclosed, for example, Mozilla said it would disable or reduce the precision of time sources in its Firefox browser.

But this latest browser fingerprinting technique doesn’t need a high-precision timer because it focuses on processor cache occupancy.

“Cache occupancy measures what percentage of the entire cache has been accessed over a certain time period,” explained Oren and Yarom. “The browser is very memory intensive, since it receives large amounts of data from the network and draws various outputs to the screen. This means it uses a significant portion of the cache as it loads a page.”

What’s more, it doesn’t depend on the layout of the cache, which makes cache layout randomization – a risk mitigation technique – useless for this particular approach. The attack is also unaffected by defenses against network-based fingerprinting, as when a browser fetches data from its response cache rather than the network or when network traffic shaping is employed.

Automatic identification

This fingerprinting attack involves using JavaScript to measure processor cache access latency over time as websites are loaded. These “memorygrams” are then compared via deep-learning techniques to a set of memorygrams collected by the attacker, with an eye toward automatically identifying similarities to establish a website visit. In other words, it is possible to determine which website someone’s looking at by the way their browser accesses the processor’s CPU cache while fetching and rendering on-screen the web pages. Malicious JavaScript in one tab can monitor cache accesses to identify patterns and fingerprint the sites visited by other tabs.

“‘Classical’ machine learning techniques require a human expert to find out which ‘features’ in the data are relevant for the attack,” explained Oren and Yarom. “There is a lot of research on the best features to use when performing other types of attacks. In deep learning, the computer acts as the expert and tries to find these features itself. This allows us to go straight from the data to the results. Perhaps a human researcher will be able to find better features than our deep learning algorithm did, and improve the attack even further.”

The boffins considered two scenarios: a closed world data set, where 100 memorygrams for each of 100 websites are evaluated; and an open world data set, where 100 sensitive web pages must be distinguished from 5,000 other websites.


Using mainstream browsers on the closed set, the researchers were able to accurately classify 70 to 90 per cent of website visits. Applied to Tor, the attack managed accuracy of only 47 per cent, but when other data was considered, accuracy increased to 72 per cent. Results were similar for the open world data set – 70 to 90 per cent, with Tor identification at 83 per cent if the researchers considered not only the top output, but also checked to see whether it’s one of the top five detected results.

If the goal was simply to determine whether the website visited was sensitive or non-sensitive, accuracy increased to more than 99 per cent in the open world data set.
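As an added example (not code from the paper or from The Register), here is the scoring behind the closed-world, open-world and top-five figures quoted above, with a nearest-centroid classifier standing in for the researchers’ deep-learning model and constructed memorygrams standing in for real cache measurements:

```python
"""Scoring a website-fingerprinting classifier the way the scenarios above are
described: closed world (top-1 / top-k accuracy over N sites) and open world
(sensitive vs non-sensitive). Nearest-centroid replaces the deep-learning model;
memorygrams are constructed vectors, not real cache-occupancy traces."""
import math
import random
from collections import defaultdict


def train_centroids(samples):
    """samples: list of (site, memorygram) -> {site: mean memorygram}."""
    sums, counts = {}, defaultdict(int)
    for site, gram in samples:
        acc = sums.setdefault(site, [0.0] * len(gram))
        for i, v in enumerate(gram):
            acc[i] += v
        counts[site] += 1
    return {s: [v / counts[s] for v in acc] for s, acc in sums.items()}


def rank_sites(centroids, gram):
    """Sites ordered from most to least likely (closest centroid first)."""
    def dist(site):
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(centroids[site], gram)))
    return sorted(centroids, key=dist)


def closed_world_accuracy(centroids, tests, k=1):
    """Fraction of test memorygrams whose true site is among the top-k guesses.
    k=1 is the usual accuracy figure; k=5 is the 'top five' relaxation."""
    hits = sum(1 for site, gram in tests if site in rank_sites(centroids, gram)[:k])
    return hits / len(tests)


def open_world_accuracy(centroids, tests, sensitive):
    """Binary task: was the visited page one of the sensitive ones? A wrong
    guess that lands in the right category still counts as a hit."""
    hits = 0
    for site, gram in tests:
        guess = rank_sites(centroids, gram)[0]
        hits += (guess in sensitive) == (site in sensitive)
    return hits / len(tests)


def synth_memorygram(rng, profile, noise):
    """Constructed stand-in for a memorygram: one occupancy reading per time
    window around a site's profile, plus Gaussian measurement noise."""
    return [max(0.0, p + rng.gauss(0.0, noise)) for p in profile]


def run_demo(n_sites=20, per_site=10, windows=32, noise=0.15, seed=1):
    """Small closed/open-world experiment on constructed data (sizes are far
    below the 100x100 and 100-vs-5000 sets used in the paper)."""
    rng = random.Random(seed)
    profiles = {f"site{i}": [rng.random() for _ in range(windows)] for i in range(n_sites)}
    train = [(s, synth_memorygram(rng, p, noise)) for s, p in profiles.items() for _ in range(per_site)]
    test = [(s, synth_memorygram(rng, p, noise)) for s, p in profiles.items() for _ in range(per_site)]
    centroids = train_centroids(train)
    sensitive = set(list(profiles)[:5])  # first five sites play the 'sensitive' role
    return {
        "top1": closed_world_accuracy(centroids, test, 1),
        "top5": closed_world_accuracy(centroids, test, 5),
        "sensitive_vs_not": open_world_accuracy(centroids, test, sensitive),
    }


if __name__ == "__main__":
    print(run_demo())
```

Raising `noise` in `run_demo` shows the same ordering the article reports: exact identification degrades first, the top-five figure holds up longer, and the sensitive-or-not decision degrades last.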

Oren and Yarom say their work shows that efforts to defend against side-channel attacks by reducing access to precision timing have been for naught.

“In this work we show that the whole approach is futile – we simply do not need high-resolution timers for the attack,” they said. “Similarly, some approaches for protecting from Spectre segregate sites into multiple processes. We show that this is not sufficient. We show that we can spy from one browser tab on another and even from one browser on other browsers running on the computer.”

The takeaway, they contend, is that anything short of running a single browser tab at any one point in time poses a privacy risk: if you open a second tab, JavaScript in it can snoop on the other tab. Disabling JavaScript completely will kill off the attack, but also kill off a lot of websites, which rely on JS functionality to work. And they say virtualization should be seen as a convenience feature rather than a security feature.

“If you want to visit sensitive and non-sensitive websites at the same time, use two different computers,” they said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/21/unmasking_browsers_side_channels/

When selling security awareness training by email, probably a good shout not to hit ‘reply all’

Oh the irony. A channel account rep trying to drum up business for security awareness training scored an own goal this week when he pressed the send to all option on an email to prospective clients.

The rep, Charlie Hollinrake, works for KnowBe4, which describes itself as the “world’s most popular integrated Security Awareness Training and Simulated Phishing platform”, and might do worse than eat his own dog food.

“Hi, I saw you’d attended our stand at the IP exp event, thanks for much for taking an interest,” the mailer stated. “Are you open to evaluating other security awareness training vendors at this time?”

The problem was he accidentally sent the message to his list of leads, all 79 of them, including to some potential customers in West Yorkshire Police, the Cabinet Office and resellers/integrators.

The National Security Secretariat’s Ben Holland, who was among the list, also replied all to Hollinrake’s gaffe, letting him down gently on the evaluation request.

“Unlikely I’m afraid in light of the fact that you have disclosed everyone’s email address… bcc is your friend although not on this occasion it would appear. Please remove me from your mailing list.”

Working for the Cabinet Office, Holland should know better himself than to “reply all” to the earlier mail, but perhaps he was making a point.

Another on the list agreed: “I’m with Ben on this one. Mistakes happen, but the level of irony here is hard to [deny]. Please also remove me from your mailing list.”

Ruth Schofield, UK and Ireland MD at KnowBe4, told us that “team members” can be an organisation’s “greatest asset” but are “sometimes its weakest link when it comes to security”.

“This particular new employee who was responsible for the communication is due to begin his internal KnowBe4 security awareness and training programme. It’s my clear priority to ensure that this does not happen again,” she added.

Hat-tip to Doug Johnson who made us aware of the email blunder. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/21/security_awareness_train_reply_all_gaffe/

New era for Japan, familiar problems: Microsoft withdraws crash-tastic patches

Stop us if you’ve heard this one, but Microsoft has pulled a couple of buggy patches in Office, but left a crash-worthy security fix in place.

The two non-security patches were part of this month’s Patch Tuesday, both for Office 2010. The patches in question were supposed to support Japan’s upcoming epochal turnover.

Last year, Japanese Emperor Akihito announced that he would abdicate in favour of his son, Naruhito. As Microsoft explained in this blog post, that will bring the “Heisei era”* to a close, something that’s never happened “in the history of .NET” – meaning a calendar transition would be needed.

Microsoft laudably decided to get ready early, and predictably, mishandled its first attempt, so it has pulled KB 4461522 and KB 2863821.

In both cases, the patches caused application crashes:

After you install this update, you may experience crashes in Microsoft Access or other applications. To resolve this issue, uninstall the update by following the instructions in the “More information” section.

Another patch that has been causing crashes, but hasn’t yet been pulled, is Outlook 2010 KB 4461529.

Microsoft’s knowledge base post warned that if the 64-bit version of that patch has been installed, Outlook might crash on start-up.

That was a security patch covering CVE-2018-8522, CVE-2018-8524, CVE-2018-8576, and CVE-2018-8582 – a collection of vulnerabilities that allowed remote code execution if the user opened a crafted Office file.

Rather than withdraw the patch, Redmond said it’s researching the problem – a hint, perhaps, at the seriousness of the vulnerability. ®

* which started on 8 January 1989, the day after the death of the Emperor Hirohito and the ascension of Akihito.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/21/a_new_era_a_familiar_problem_microsoft_pulls_crashabulous_patches/

Australia’s ‘snoop minister’ wants crypto-busting law probe wound up, proposals back into parliament

Australia’s home affairs minister Peter Dutton wants the parliamentary inquiry into his proposed crypto-busting law to wind up its work, and send the draft rules back to legislators to approve, stat.

This is the law that will let Aussie cops and intelligence agents pressure communication service providers into coughing up access to unencrypted messages under an escalating set of notices, from voluntary compliance all the way to a court order. How exactly that can happen with strong and secure end-to-end cryptography is something for you nerds to somehow figure out.

Another sticking point is that what exactly is a communication service provider is left a little vague: it could be an app maker, a chat server, or a website.

TWAT: The War Against Terror

Dutton seized on the arrest in Melbourne of three men accused of trying to get their hands on a semi-automatic rifle for a mass shooting to strengthen his hand. According to the ABC, Victoria Police told a magistrate they will use 15,000 intercepted phone calls and 10,000 text messages as evidence that brothers Ertunc and Samed Eriklioglu and Hanifi Halis were allegedly planning an Islamic State-inspired attack.

Right on cue, the minister claimed the investigation was hampered by the three using encrypted chat apps, something backed up by Victoria Police’s counter-terrorism assistant commissioner Ross Guenther. Something, of course, must be done about it.

Guenther told the ABC: “The likes of Telegram and WhatsApp are very commonly used as a mechanism of communication between plotters,” and said access to those messages would let police “disrupt” terror plotters sooner.

“I want to get it through as quickly as possible”, Dutton added yesterday. “The Joint Committee on Intelligence and Security needs to deal with this very quickly so they can return it back, so the government can deal with this in the parliament.”

Dutton last week accused Australia’s opposition Labor party of working against passing the legislation, last week telling Sky News “Labor said they’re opposing” the laws. That brought an angry response from shadow attorney-general Mark Dreyfus, who released a letter refuting Dutton’s accusation.


Dreyfus noted that the legislation is still in committee, and said his party “would never announce a final position” on laws that “might change substantially following the inquiry and report.”

Dreyfus asked attorney-general Christian Porter to get the home affairs minister to rein in his rhetoric, asking that Porter “urge him to refrain from any further politicisation of national security matters.”

Parliamentary Joint Committee on Intelligence and Security chair Andrew Hastie didn’t commit to how soon the hearings would be wound up: “I’ve heard what the minister had to say, and we’re working on it. We’re working through the process now … we’ll bring that to a conclusion soon,” he told Sky News yesterday.

Australia isn’t the only country with encryption in its sights. Our friends at Heise yesterday reported on a speech by the new president of Germany’s Federal Office for the Protection of the Constitution, in which he also said criminals are “going dark,” and law enforcement needs technical capabilities to access encrypted communications.

Australia’s effort to intensify its “war on cryptography” came at a time where Oz’s mainstream press has turned its attention to the problem of BGP hijacking-slash-misconfiguration.

The recent BGP hijacking report by the US Naval War College and Tel Aviv University, confirmed by Oracle Internet Intelligence, noted that Australia was one of the countries that had its internet traffic routed through China Telecom. The Sydney Morning Herald has caught up with that story, and Google’s recent incident, in which Nigerian telco Main One announced routes that took The Chocolate Factory’s traffic on a magical mystery tour through Russia and China.

El Reg would think a country would argue for more encryption, not less, if its internet traffic was at risk of redirection for espionage. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/21/dutton_wants_crypto_laws_now/

Infosec’s Thanksgiving turkey triumvirate: Tesla, Tumblr, Trump (as in Ivanka)… and tons more

Roundup As America prepares for Thursday’s Thanksgiving rituals of turkey, football, and awkward conversations with extended family, three organisations are going to have admins working overtime to clean up security messes.

White House staffer Ivanka Trump joins tech icons Tesla and Tumblr in reporting embarrassing security-related-ish gaffes this week.

Good guy Elon Musk gifts user access to 1.5 million Tesla customer accounts

Leccy car firm Tesla is already getting into the giving spirit of the holidays by providing one of its forum users with access to the email accounts of 1.5 million customers.

Dan Eleff, owner of coupon site DansDeals, wrote that after filing a complaint with Tesla regarding his Model 3 purchase, he was mistakenly made a moderator on the company’s forum with access to all user accounts.

In a post to his site, Eleff described how an apparent cock-up from Tesla’s customer service department resulted in him being registered on Tesla’s site as a customer service agent rather than a car owner.


With that role, Eleff said he was able to look up things like the customer profiles of friends and family, and look at Tesla employee

“Incredibly, the website allows Customer Service agents to assign any roles they want anyone to take on,” Eleff noted. “That is an incredibly bad security flaw.”

The dealmonger was not quite a benevolent dictator, either. At one point Dan says he tried to take down one of his posts, and instead inadvertently deleted thousands of previous threads from the forum.

Needless to say, this was a bad look for everyone involved. The issue has since been remedied, and Dan no longer enjoys God Mode on the forum.

“Our bug bounty program is set up specifically to encourage this type of reporting, as well as more in-depth research from the security community. In this case, the customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum, which is not connected to our vehicles, main website, or other digital channels,” Tesla said in a statement to El Reg.

“We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit. We have no reason to believe that there was any abuse of accounts or content on our forums, and we have taken steps to ensure this does not happen again. Any customer reporting a potential security vulnerability is encouraged to apply for an award through our bug bounty program.”

Tumblr app goes dark amidst child exploitation crackdown

The mobile edition of moody teen haven Tumblr has been missing from Apple’s iOS App Store for several days now, as the blog site has been working to crack down on illegal content. After keeping fairly quiet about the outage for four days, Tumblr finally shed light on Tuesday as to why it has been off the iOS app service, and the reason was pretty grim.

It turns out that some users had been abusing the site to post images of child sex abuse, requiring Tumblr to update the app in order to be able to filter out the vile illegal content going forward. This also meant that Tumblr has had to pull the app from the iOS App Store.

“Every image uploaded to Tumblr is scanned against an industry database of known child sexual abuse material, and images that are detected never reach the platform,” Tumblr said. “A routine audit discovered content on our platform that had not yet been included in the industry database.”

Tumblr did not say when it would return to the App Store.

But… HER emails?

For those who enjoy a good bit of irony: Trump administration resident and Presidential daughter Ivanka Trump has been caught using a private email server to conduct official administration business.

The Washington Post reports that Ivanka used a private email account on a domain owned by her and husband Jared Kushner to send emails to aides, cabinet members, and personal assistants.

The report, citing US administration officials, claims that Ivanka used the personal account for “much of” the 2017 calendar year, and her attorney says that no classified materials were sent from the account.

Perhaps most amusingly, the report claims that the Trump administration official did not know that using a personal email for official government business was a violation of federal record-keeping laws:

“Some aides were startled by the volume of Ivanka Trump’s personal emails — and taken aback by her response when questioned about the practice. She said she was not familiar with some details of the rules, according to people with knowledge of her reaction.”

That makes perfect sense: it’s not like the Trump campaign made a similar situation the focal point of its White House run in 2016 or anything. How would Ivanka ever know that using a personal email account for government business would get a person into trouble?

Surely the congressional hearings and criminal charges for this incident will be kicking off any minute now.

Bonus T: Tether investigated for alleged Bitcoin pump dump

Get your shocked face ready: last year’s completely random Bitcoin price surge and subsequent plummet may have been maliciously and artificially engineered to line someone’s pockets.

Bloomberg reports that Tether, a company that operates both its own cryptocurrency and the Bitfinex exchange, is the focus of a US Department of Justice probe over price-fixing.

Apparently, the DOJ suspects that Bitfinex and Tether were involved in a scheme to manipulate the price of Bitcoin that culminated with last year’s surge to almost $20k per coin. Since then, Bitcoin has been in a slow decline with its price now sitting at around or just under $5,000 on most exchanges.

While it is easy to joke about internet funbux, a number of people have had their lives profoundly impacted by money lost on cryptocurrency investments, and if the markets were being manipulated illegally, whoever was behind it should be brought to justice. ®

But wait – there’s more! Here’s a quick roundup of other interesting infosec links

  • If you use Microchip’s software suite on Linux, and have the Microchip Technology XC License Manager installed, bear in mind this management code runs setuid root with easy-to-exploit vulnerabilities, allowing a malicious logged-in user, or malware already on your system, to gain admin privileges. A zero-day exploit was dropped online this week after attempts by Matthew “Hacker Fantastic” Hickey, cofounder of British security shop Hacker House, to get the flaws fixed up went nowhere. Microchip told us it’s looking into the matter.
  • Watch out for spam, phishing messages, and other malicious emails exploiting a Gmail weakness that allows the “From” field in an email to appear blank. A similar shortcoming allows miscreants to direct emails straight into people’s sent boxes. We’re pretty sure this is close to a previously reported Gmail security headache. In any case, mind how you go with suspicious-looking messages in Google’s webmail.
  • Sticking to the T theme, Recorded Future has tracked down and outed who they think is the notorious hacker tessa88, who has touted databases swiped in the past from Myspace, Dropbox, LinkedIn, Twitter, and others.
  • And more T news: Duo Labs has probed Apple’s T2 security chip that enforces Cupertino-flavored Secure Boot in modern Macs, and documented its weaknesses. Chiefly, it may be possible to modify the chip’s firmware over the wire using hardware implanted on the motherboard and get away with it. (Remind you of anything?)
  • And one final T: Thirteen Android games have been fingered by ESET as malicious, downloading extra dodgy code after installation. They’ve been installed 560,000-plus times, and two of them are trending…

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/21/thanksgiving_security_roundup/

Russia Linked Group Resurfaces With Large-Scale Phishing Campaign

APT29/Cozy Bear is targeting individuals in military, government, and other sectors via email purporting to be from US State Department.

After a nearly two-year hiatus, Russia-based threat group APT29, or Cozy Bear, is back at it, this time with a large-scale phishing campaign targeting US organizations across multiple sectors.

Researchers from security vendor FireEye say they have recently observed a phishing email purporting to be from the US Department of State being sent to individuals in the military, government, law enforcement, pharmaceutical, transportation, and other sectors.

The tactics, techniques, and procedures being used in the campaign, as well as the targeting, are similar to those used by APT29 shortly after the US general elections in November 2016.

FireEye says it is still analyzing the activity and does not have conclusive attribution yet. But there’s enough overlap between the current phishing campaign and the one in 2016 to strongly suggest that APT29 is behind it. For instance, the construction of the phishing email, the network infrastructure, and the payload have all been directly linked to APT29 in the past.

“We haven’t seen large-scale phishing attacks from this group in two years, but we have seen similar activity from them before,” says Matthew Dunwoody, senior security architect at FireEye. Historically, APT29’s motivation for such attacks has been access to specific types of geopolitical data. “The large scale of the attack suggests that they may be attempting to hide their true targets,” he says.

In a report this week, FireEye described APT29/Cozy Bear’s latest campaign as involving a phishing email purporting to be secure communications from a public affairs official at the State Department. Links in the document lead to a zip archive containing a Windows shortcut file that is designed to drop a benign decoy document as well as Cobalt Strike Beacon — a commercial penetration-testing tool — on the compromised system.
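As an added example for defenders (not FireEye’s code, and not tied to any real sample), a small triage routine for the delivery pattern described above: it opens a downloaded zip and flags Windows shortcut members by the fixed Shell Link header rather than by extension alone, so a shortcut renamed to look like a document is still caught. The archive it inspects is constructed inline.

```python
"""Triage a zip archive for Windows shortcut (.lnk) members. Shortcut files are
recognised by the Shell Link header, not just the file name, so a renamed or
double-extension shortcut is still flagged."""
import io
import zipfile

# Every Shell Link file starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def triage_zip(archive_bytes: bytes):
    """Return (member name, reason) for every member that looks like a shortcut
    or claims to be one. Only the first 20 bytes of each member are read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            lower = name.lower()
            if is_shell_link(head):
                if not lower.endswith(".lnk"):
                    findings.append((name, "shortcut header under a non-.lnk name"))
                elif lower.count(".") > 1:
                    findings.append((name, "shortcut with a document-like double extension"))
                else:
                    findings.append((name, "windows shortcut"))
            elif lower.endswith(".lnk"):
                findings.append((name, ".lnk name without a shortcut header"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a harmless decoy, a shortcut disguised as a PDF, and a
    shortcut renamed to .txt. The 'shortcuts' are just the header plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("decoy.pdf", b"%PDF-1.4\n% constructed decoy document\n")
        zf.writestr("Statement.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_archive()):
        print(f"{member}: {reason}")
```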

The attackers have compromised the email server belonging to a hospital, as well as the corporate website of a consulting company, and are using them as infrastructure for the phishing campaign. The hospital email server was used to send the phishing emails while the consulting company website was used to host the zip files linked in the emails, Dunwoody says.

Significantly for victims, APT28 has a tendency to quickly switch out the first phishing implant with a very different operational malware family after initial compromise, Dunwoody says. “Efforts to find the phishing malware on other systems will come up empty, and if a defender is too eager and doesn’t spend the time to fully understand the activity, they may miss the new malware and declare victory, while APT29 disappears into their network,” he explains.

For reasons that FireEye has not been able to fully understand, the attackers appear to have deliberately reused phishing TTPs (tactics, techniques, and procedures) that have already been definitively linked to APT29 in the past. Even the virtual machine or builder that was used to create the weaponized Windows shortcut in the current campaign is the same as the one used in 2016.

“We’ve considered several theories, but we don’t have a definitive answer,” Dunwoody says. “This was definitely deliberate and appears meant to make a splash, but the reasoning remains unclear.” Possible motives include a false flag deception operation or an attempt by the attackers to sow doubt and uncertainty in the research community.

Given the widespread targeting in the latest campaign, organizations that APT29 has targeted previously should take note. But rather than getting hung up on attribution, defenders need to pay attention to the activity and how it might impact them. “The takeaway is that this attack was conducted by a skilled attacker, and it is vital to fully understand the activity,” says Nick Carr, senior manager, adversary methods at FireEye. “Whether or not this activity was conducted by APT29, network defenders at targeted companies should be focusing on properly investigating the intrusion.” 

APT29/Cozy Bear is one of at least two advanced persistent threat groups believed to be working on behalf of Russia’s military intelligence service. The group has been operational since at least 2014 and has been associated with numerous attacks against organizations in the US and elsewhere, including one on the Democratic National Committee (DNC) website in 2016.

Fancy Bear’s New Trojan
The other group believed to be associated with Russia’s military intelligence apparatus is APT28, aka Fancy Bear or Sofacy—a group known for targeting organizations in critical infrastructure sectors, such as defense, aerospace, energy, and government.

In a report this week, Palo Alto Networks said the group has begun using a new first-stage Trojan dubbed Cannon, in addition to its usual Zebrocy Trojan, in recent attacks against government targets in North America and Europe.

Cannon, like Zebrocy, is designed to download additional malware on an already compromised system. But Cannon is different from Zebrocy in that it uses a set of email accounts on legitimate email providers, rather than HTTP, for command-and-control (C2) communications, says Bryan Lee, principal researcher for Unit 42 at Palo Alto Networks.

Using a legitimate email provider as a proxy for C2 communications can make it harder for defenders to detect and stop the activity, Lee says. “Having full visibility into what applications are being allowed or accessed in the network can be extremely effective in these types of scenarios in identifying potential compromises,” he says.
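The application visibility Lee describes can be reduced to a simple check over network flow logs: which internal hosts are speaking mail protocols directly to the internet when only the organisation’s mail relay should be? This is an added example, not code from the article or from Palo Alto Networks; the internal address range, the sanctioned relay and the flow log lines are all constructed for illustration.

```python
"""Flag internal hosts that talk mail protocols (SMTP/IMAP/POP3) straight to
external servers. Mail-over-legitimate-provider C2, as described for Cannon,
stands out when only one relay is supposed to do that.
Added example with constructed data, not the article's or Unit 42's code."""
import ipaddress
from collections import defaultdict

# Hypothetical: the org's internal range and the only host allowed to reach
# internet mail services. Real deployments would load these from inventory.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SANCTIONED_MAIL_RELAYS = {"10.0.0.25"}
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission",
              110: "pop3", 995: "pop3s", 143: "imap", 993: "imaps"}

# Constructed firewall flow records: timestamp src dst dport proto.
# 203.0.113.0/24 is a documentation range standing in for a public mail provider.
SAMPLE_FLOWS = """\
2018-11-20T14:01:02Z 10.0.0.25 203.0.113.10 25 tcp
2018-11-20T14:01:09Z 10.0.5.17 203.0.113.44 443 tcp
2018-11-20T14:02:11Z 10.0.5.17 203.0.113.44 587 tcp
2018-11-20T14:02:40Z 10.0.5.17 203.0.113.44 993 tcp
2018-11-20T14:03:05Z 10.0.7.3 203.0.113.44 443 tcp
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def is_external(ip):
    """True when the address falls outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_rogue_mail_clients(log_text):
    """Return {src_host: [(ts, dst, service), ...]} for hosts other than the
    sanctioned relay that open mail-protocol connections to external servers."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if (f["dport"] in MAIL_PORTS and is_external(f["dst"])
                and f["src"] not in SANCTIONED_MAIL_RELAYS):
            hits[f["src"]].append((f["ts"], f["dst"], MAIL_PORTS[f["dport"]]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_rogue_mail_clients(SAMPLE_FLOWS).items():
        print(host, events)  # only 10.0.5.17 is reported; the relay is exempt
```

Port-based matching is the crude first pass; a proxy or firewall that identifies the application layer, as Lee suggests, catches the same behaviour on non-standard ports.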


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/russia-linked-group-resurfaces-with-large-scale-phishing-campaign/d/d-id/1333322?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Did you hear? There’s a critical security hole that lets web pages hijack computers. Of course it’s Adobe Flash’s fault

Adobe has emitted software updates to address a critical vulnerability in Flash Player for Windows, Mac, and Linux.

PC owners and admins will want to upgrade their copies of Flash to version 31.0.0.153 or later in order to get the patch – or just dump the damn thing altogether.

The November 20 security update addresses a single flaw, designated CVE-2018-15981. It is a type confusion bug that can be exploited to achieve remote code execution. Basically, an attacker could slip the exploit code into a Flash .swf file, put it on a web page, and covertly install malware on any vulnerable machine that visits the page.

Because Adobe does not maintain a fixed patching schedule for Flash Player, this isn’t technically considered an out-of-band band-aid. However, the update does come just one week after Adobe pushed out a handful of fixes for Patch Tuesday, including one for an information disclosure vulnerability in Flash Player.

That Adobe would post another update just one week after their last patch should underscore that CVE-2018-15981 is a serious enough vulnerability to be a priority fix for users and admins.

After installing this latest fix, those who are tired of the constant security threats might also want to consider taking the advice of multiple security experts and developers and at least disable Flash by default if not permanently.

The notoriously vulnerable plugin has long since been surpassed by HTML5, and most major websites have already transitioned away from Flash, leaving it only really useful for specific sites and applications.

Even Adobe wants to kill off Flash. The Photoshop giant has said that by 2020 it plans to formally retire the plugin once and for all. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/20/adobe_flash_bug/

LastPass? More like lost pass. Or where the fsck has it gone pass. Five-hour outage drives netizens bonkers

LastPass’s cloud service suffered a five-hour outage today that left some people unable to use the password manager to log into their internet accounts.

Its makers said offline mode wasn’t affected – and that only its cloud-based password storage fell offline – although some Twitter folks disagreed. One claimed to be unable to log into any accounts whether in “local or remote” mode of the password manager, while another couldn’t access their local vault.

The solution, apparently, was to disconnect from the network. That forced LastPass to use account passwords cached on the local machine, rather than pull down credentials from its cloud-hosted password vaults. Folks store login details remotely using LastPass so they can be used and synchronized across multiple devices, backed up in the cloud, shared securely with colleagues, and so on.

The problems first emerged at 1408 UTC on November 20, with netizens reporting an “intermittent connectivity issue” when trying to use LastPass to fill in their passwords to log into their internet accounts. Unlucky punters were, therefore, unable to get into their accounts because LastPass couldn’t cough up the necessary passwords from its cloud.

The software’s net admins worked fast, according to the organisation’s status page. Within seven minutes of trouble, the outfit posted: “The Network Operations Center have identified the issue and are working to resolve the issue.”

The biz also reassured users that there was no security vulnerability, exploit, nor hack attack involved:

Connectivity is a recurrent theme in LastPass outages: in May, LogMeIn, the developers behind LastPass, suffered a DNS error in the UK that locked Blighty out of the service.

The service returned at nearly 2000 UTC today, when the status team posted: “We have confirmed that internal tests are working fine and LastPass is operational. We are continuing to monitor the situation to ensure there are no further issues.”

The Register will watch with interest for LastPass to publish a postmortem. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/20/fivehour_outage_frustrates_lastpass_punters/