STE WILLIAMS

CyberThreat18: 2 days of bughunting, techie chat and code lockdown

Promo Are you confident you could defend your IT systems against an unexpected attack? Could you spot the early signs of an incursion coming from any direction, as roving bands of hackers, data thieves and other miscreants grow ever more ingenious and determined?

CyberThreat 2018, a new two-day event on 27 and 28 February at the QEII Conference Centre in Westminster, aims to bring security specialists up to date with the latest risks, passing on the intelligence they need to combat them.

Hosted by the National Cyber Security Centre, a part of GCHQ, and the IT security training provider, SANS Institute, CyberThreat 2018 has enlisted a prestigious line-up of experts and industry leaders to share their expertise on widely varying aspects of the security landscape.

The programme also includes hands-on challenges such as capture-the-flag events and hackathons for delegates to put their skills to the test.

The conference kicks off with a keynote speech from Stephen Sims, Faculty Fellow of the SANS institute and author of some of their most advanced PenTesting courses, and on day two renowned bug hunter David Litchfield promises a “surprise with something very cool and technically brilliant”.

Scheduled speakers include:

  • Alex Davies, senior threat hunter at Countercept, on the criminal use of memory injection techniques and how to detect them,
  • Aatif Khan, cyber security researcher, shining a light on the hacking threat to civil drones,
  • Ryan Nolette, security technologist at SQRRL, with tips on how to spot attackers moving sideways into the network,
  • Bogdan Necula, operational analyst at European anti-fraud organisation Olaf, with a case study illustrating the workings of DDoS,
  • Kevin Breen, head of Content at Immersive Labs, showing how hackers can use Pastebin as a treasure trove of information,
  • Rachelle Saunders of Helical Levity, defending the programmer’s trade in a talk entitled “Secure Code: Not Actually That Easy Smarty Pants”,
  • Graham Bartlett, senior technical leader at Cisco, on whether VPN architectures have stood the test of time and demonstrating recent attacks, and
  • Jason Smart and Rachel Mullan, threat intel at PwC, providing an account of their investigation into Operation Cloud Hopper, the huge espionage campaigns against IT MSPs.

You can find out a whole lot more and get yourself registered for the event, right here.

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/08/cyberthreat18/

BrickerBot: Internet Vigilantism Ends Don’t Justify the Means


However noble the intention, obtaining unauthorized access to devices and making them unusable is illegal and undermines the work of ethical researchers.

Internet of Things (IoT) devices gained infamy almost overnight for their lack of security. This led to their participation in a thingbot (a botnet built out of IoT devices) named Mirai that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University in late 2016.

As a result of these attacks, a project dubbed “Internet Chemotherapy,” also known as BrickerBot, was born, believed to be started in November 2016 with the intention of ridding the Internet of vulnerable IoT devices that were low-hanging, infectible hosts for bot herders. The author of the Internet Chemotherapy project, The Janit0r, a.k.a. The Doctor, claims to have “bricked” (cyber attacked electronic devices to cause permanent damage) 10 million devices with BrickerBot. The Janit0r accomplished this by overwriting the firmware of the IoT devices he targeted.

The ethics of the BrickerBot attack are unquestionably wrong. Although members of the information security community understand the rationale behind this type of vigilante mindset, even the best intentions cannot justify breaking the law to prove a point. However noble the intention, obtaining unauthorized access to devices and making them unusable, whether temporarily or permanently, is illegal, and it undermines the work of ethical researchers. It is also frustrating to the consumer, government, or business owner who then must replace that device, an effort that could prove ultimately useless if the replacement device is just as insecure.

Internet Vigilantism Versus Ethical Security Research
The Janit0r claims to have disabled more than 10 million vulnerable IoT devices in a little over a year. The number might seem astonishing, but when compared to the 8.4 billion IoT devices Gartner forecast to be in use in 2017, 10 million devices is barely a blip on the radar.

“Bad guys are getting more sophisticated, the number of potentially vulnerable devices keep increasing, and it’s only a matter of time before a large-scale Internet-disrupting event will occur,” The Janit0r wrote in a 3000-word retirement essay last December. This is not a profound revelation, as evidenced by the sizeable number of thingbots like Mirai and BrickerBot created in the first place. The difference between vigilante activists like The Janit0r and the rest of the security community is our approach to fixing the problem, which is to continually work to increase the true cost to the attacker. For IoT manufacturers, this means following industry standard security controls that make these devices hard to compromise and not worth it to the attacker to even try.

The BrickerBot Timeline
The Janit0r’s chronological record of the Internet Chemotherapy project details more than twenty instances of attacks, vulnerabilities, and press events that provide insight into BrickerBot’s objective. One example was the mass disruption of Deutsche Telekom in November 2016, which at the time was believed to have been an attempt by attackers to exploit the victim’s equipment to grow Mirai. The Janit0r elaborates on how BrickerBot propagated across these devices, claiming that it infected vulnerable devices and removed the default route for communications, which temporarily removed these devices from further infection by Mirai.

We would love to believe these claims because they would confirm our own data. The Janit0r references the F5 Labs August 2017 report, “The Hunt for IoT: The Rise of Thingbots.” In it, we identified a lull in IoT attack activity and speculated that it might have been the result of vigilante bots like BrickerBot (or Hajime). The Janit0r confirms this hypothesis but criticizes F5 Labs for not drawing more definitive conclusions. If data had existed that allowed us to expand on our hypothesis even modestly, we could have given more credit to the Internet Chemotherapy project. The reality is that without more data, the only responsible thing we can do is speculate.

The Janit0r’s retirement seems entirely appropriate for more reasons than one, death threats (according to him or her) being the biggest. But methodology, ethics and the law are also important considerations. It’s a good thing to be able to decrease the available pool of devices bot herders could use to advance their networks of minions that launch unwanted attacks. However, the methodology and practice adopted by the Internet Chemotherapy project is unquestionably illegal. Once you cross that line, is there any turning back?

As the industry continues to evolve, perhaps someday device manufacturers will agree to the proposed Digital Millennium Copyright Act (DMCA) regulations that provide safeguards, albeit modest ones, to protect researchers who proactively attack IoT devices, even with the best of intentions. Until then, just remember, the DMCA alone won’t provide protection if you are attacking equipment you do not own and operate.

Justin Shattuck is a Principal Threat Researcher for F5 Labs. He has been an avid advanced persistent threat hunter for most of his life and continually tracks global attacks and threat actors. He routinely participates in takedowns and helps to inform various law enforcement …

Article source: https://www.darkreading.com/partner-perspectives/f5/brickerbot-internet-vigilantism-ends-dont-justify-the-means-/a/d-id/1330992?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

PSA: If your security starts and ends with bug bounties, you’re gonna have a bad time

Analysis Remember when Uber tried to cover up the fact its AWS datastore containing records on 57 million riders and drivers had been hacked? And that it bunged the hackers $100,000 to shut them up, and then disguised the expense as a bug bounty payout?

Who could forget? Certainly not shocked US lawmakers, who held a hearing in Washington, DC on Tuesday to consider whether anything has been learned from the sorry affair, and how legislation may help prevent future computer security cockups.

Given that Congress has all but forgotten about Equifax fumbling sensitive data on 143 million Americans, and millions of others around the world, you may be forgiven for thinking politicians don’t actually care.

Well, the Senate’s subcommittee on consumer protection, product safety, insurance, and data security at least went through the motions this week by inviting experts to testify, and an Uber executive to be contrite, on matters of hacking and whatnot.

It was suggested the proposed Data Security and Breach Notification Act could be effective in cracking down on corporations that are careless with people’s personal files.

Introduced last November, the bill would “impose criminal penalties on corporate officials that willfully disguise breaches from the public,” according to Senator Bill Nelson (D-FL), cosponsor of the legislation and a hearing participant.

For a sense of how many executives may be expected to go to jail over data breach deception if the bill becomes law, consider how many bank leaders responsible for the 2007-2008 financial crisis have been imprisoned: one.

In prepared remarks at a hearing titled, “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers,” subcommittee chairman Senator Jerry Moran (R-KS) said his goal was to learn why Uber had not immediately notified people about its 2016 breach and to have a discussion about how vulnerability disclosure programs can improve cybersecurity.

Ignominy

Uber chief information security officer John Flynn, in prepared remarks, reiterated previous statements from the ride hailing biz’s post-Kalanick leadership that “it was wrong not to disclose the breach earlier.”

He told senators that Uber has learned something from the public ignominy and lawsuits the company has endured as a result of being hacked.

“We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he said.

Flynn said Uber had quit using GitHub to store its proprietary code. The hacker who penetrated Uber’s defenses found credentials for the company’s AWS data store in a private GitHub repository, he explained, without detailing how the private repo was compromised.

He also said the transit-app biz has expanded its use of multi-factor authentication for AWS, implemented IP address whitelisting, refined its identity access management permissions and authentication mechanisms, and implemented credential auto-expiration.

Extortion

Flynn and other hearing participants expressed support for bug bounty programs as a way to improve online security, though some feel legitimate vulnerability disclosure isn’t always easy to separate from extortion.

While supportive of bug bounty programs in general, Justin Brookman, director of privacy and technology policy at Consumers Union, a consumer advocacy group, said that state data breach notification laws, which first came into being in 2002, need to be reconciled with vulnerability disclosure programs to avoid alarming people unnecessarily about security flaws.

Clearly, it would not be useful to mandate customer notifications every time a bug gets found, lest people start treating the messages like all the other app-oriented notifications they ignore.

Brookman also observed that there’s nothing inherently wrong with lobbying for a better bounty, even as he allowed that, “At some point, a request for more money may convey an implicit — or explicit — threat to sell the exploit or compromised data elsewhere if the demands are not met.”

He concluded that Congress needs to pass laws that provide companies with better incentives for investing in security.

Marten Mickos, CEO of HackerOne, a platform for vulnerability disclosure and bug bounty programs, came out in favor of rewarding hackers for security research – to no one’s surprise.

“Hackers are truly the immune system of the internet,” he said, citing numerous successful bug bounty hunting initiatives in government. He advocated for reform of the Computer Fraud and Abuse Act to remove penalties for actions that don’t harm people.

He also called for the harmonization of state data breach notification laws and encouraged companies to develop better channels for reporting bugs.


Bug bounty boffin … Katie Moussouris

Katie Moussouris, founder and CEO of Luta Security and the person who convinced Microsoft to abandon its long-standing antipathy towards bug bounties, told legislators to look beyond bounty programs, noting that rewards create more bug hunters but don’t necessarily lead to more bug fixes.

She recommended that legislative priorities should include support for better security education in all grade levels, and particularly for anyone involved in computer science programs. People have to learn secure coding and practices from the get-go, in other words.

In a phone interview with The Register, Moussouris said, “Everyone has gotten so enamored of bug bounties that they maybe have forgotten other investments in security that they should do first or alongside bounty programs.”

Bug bounty programs, she said, have been over-marketed as a solution to finding bugs. “They’re not a cost effective replacement for penetration testing,” she said.

Moussouris said the hearing accomplished its goal, examining the use of bug bounties with regard to Uber’s payout. Flynn acknowledged Uber had made a mistake and didn’t make any excuses, she explained. “That’s what the public and Congress needed to hear,” she said. “What Congress needed to show was eventually you will be held accountable.”

The extent of that accountability depends on the letter of the law, and there Moussouris said legislators should proceed with care. Noting that Sen. Moran is working on a bill to harmonize the various state breach notification laws, she said she advised him that any federal law should not aim to be a common denominator by adopting the weakest of state requirements.

She also said over-regulation would be equally problematic because it could encourage companies to remain willfully ignorant of being hacked to avoid liability.

“These are not easy problems to solve,” she said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/08/uber_bug_bounties_senate/

New strife for Strava: Location privacy feature can be made transparent

Analysis by mobile device management outfit Wandera has suggested that newly notorious exercise-tracking app Strava’s “location privacy” feature isn’t very good at hiding users’ homes.

Wandera’s analysis comes after Strava released a “heat map” that was found to offer clues to the location of military bases. Such data was only captured because Strava’s privacy feature is off by default. When it’s on, the feature creates a virtual bubble in which users’ activities aren’t tracked.

But as Wandera’s Liarna La Porta wrote, the privacy zone might not be enough: “If an activity on Strava is circular in nature and the return route is from the opposite direction, it is relatively easy to deduce the mid-point and where the privacy zone is centred on. If there are not two exact opposite points, it’s possible to use a third point from a different activity and solve the equation of a circle passing through 3 points.”

As the company’s Dan Cuddeford added: “Assuming Strava’s user base is made up of serious cyclists who invest heavily in the best equipment, the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal.”

Wandera said it notified Strava about the issue. Strava reportedly responded by saying the feature is working as intended. However, La Porta added, it would probably be better if the Privacy Zone was randomised rather than set to a specific radius.

Another simple fix is to centre Strava’s privacy zone on something other than your home, office or wherever you start to run or ride. By placing it a couple of hundred metres away, you’ll make home-hacking harder. (One Reg operative hit on this idea a while ago, not to preserve privacy but to make sure his efforts on a tasty hill would be included in Strava’s records.)
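The geometry La Porta describes (two opposite exit points give the midpoint; three exit points from different activities fix the circle) and the two mitigations above can be checked numerically. This is an added illustration, not Wandera's or Strava's code; it assumes the zone is a circle of fixed radius, that an observer sees where each public track is clipped at the zone edge, and that coordinates are already projected to a flat local frame in metres (all sample values are constructed).

```python
"""Self-audit of a Strava-style privacy zone: how close does the centre an
observer could infer from clipped track endpoints land to the real home?

Added example, not code from the article or from Wandera/Strava. Assumes a
circular zone, visible clip points, and a flat local metre coordinate frame.
"""
import math
from typing import List, Optional, Tuple

Point = Tuple[float, float]


def clip_point(centre: Point, radius: float, bearing_deg: float) -> Point:
    """Where a track leaving `centre` on bearing `bearing_deg` crosses the zone edge.
    Used only to construct sample observations."""
    t = math.radians(bearing_deg)
    return (centre[0] + radius * math.cos(t), centre[1] + radius * math.sin(t))


def midpoint(p1: Point, p2: Point) -> Point:
    """The 'circular route' case: out one way, back from the opposite direction,
    so the two clip points are diametrically opposed and their midpoint is the centre."""
    return ((p1[0] + p2[0]) / 2.0, (p1[1] + p2[1]) / 2.0)


def circle_through(p1: Point, p2: Point, p3: Point) -> Optional[Tuple[Point, float]]:
    """Circumcircle of three points (standard closed-form formula).
    Returns (centre, radius), or None when the points are collinear."""
    ax, ay = p1
    bx, by = p2
    cx, cy = p3
    d = 2.0 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if abs(d) < 1e-9:
        return None
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    return (ux, uy), math.hypot(ax - ux, ay - uy)


def home_exposure(home: Point, zone_centre: Point,
                  radii: List[float], bearings: List[float]) -> Optional[float]:
    """Distance in metres between the inferred zone centre and the real home.
    0 means the zone leaked the home exactly; larger is better for the user.
    Each (radius, bearing) pair is one activity's clip point at the zone edge."""
    exits = [clip_point(zone_centre, r, b) for r, b in zip(radii, bearings)]
    solved = circle_through(exits[0], exits[1], exits[2])
    if solved is None:
        return None
    (ux, uy), _radius = solved
    return math.hypot(ux - home[0], uy - home[1])


# Constructed scenario: home at the origin, three activities leaving on
# three different bearings, none of them an exact opposite of another.
HOME: Point = (0.0, 0.0)
BEARINGS = [30.0, 150.0, 250.0]


def scenario_default() -> Optional[float]:
    """Default-style setup: fixed 500 m radius centred on the home."""
    return home_exposure(HOME, HOME, [500.0] * 3, BEARINGS)


def scenario_offset_centre() -> Optional[float]:
    """Register's suggestion: centre the zone a couple of hundred metres away
    (here 300 m east, 200 m north), still with a fixed radius."""
    return home_exposure(HOME, (300.0, 200.0), [500.0] * 3, BEARINGS)


def scenario_random_radius() -> Optional[float]:
    """La Porta's suggestion: a per-activity randomised radius, so the three
    clip points no longer lie on one circle around the home."""
    return home_exposure(HOME, HOME, [400.0, 550.0, 700.0], BEARINGS)


if __name__ == "__main__":
    print("fixed radius, centred on home :", round(scenario_default() or 0.0, 1), "m")
    print("fixed radius, offset centre   :", round(scenario_offset_centre() or 0.0, 1), "m")
    print("random radius, centred on home:", round(scenario_random_radius() or 0.0, 1), "m")
```

With a randomised radius an observer still gets some circle from any three points, just a wrong one; with enough activities the errors can be averaged down, which is why the offset-centre fix is the more robust of the two.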

This kind of misdirection probably won’t help military bases, which have large populations of people. But it’s got to be better than the Pentagon’s rushed and embarrassed response to the heat map fiasco. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/08/strava_privacy_still_leakable/

Intel adopts Orwellian irony with call for fast Meltdown-Spectre action after slow patch delivery

Intel’s offered the world some helpful advice about how to handle the Meltdown and Spectre chip design flaws it foisted on the world.

“I can’t emphasize enough how critical it is for everyone to always keep their systems up-to-date,” wrote Navin Shenoy, executive veep and general manager of Intel’s data centre group, bemoaning the fact that punters are slow to install patches and criminals use that tardiness to do their worst.

Sound advice, but a bit hard to swallow given that Shenoy’s “Security Issue Update” revealed that Intel is yet to develop properly working microcode updates for many of the CPUs imperilled by Spectre and Meltdown. The effort to do so turned out to be more complicated than Intel thought, as some of its early updates made the silicon unstable. So unstable, in fact, that Intel recommended rollback as the best option.

Chipzilla has managed to sort out sixth-generation Skylakes, as a February 7th Microcode Revision Guidance (PDF) document records.

But Shenoy’s post – the first on Meltdown/Spectre to grace Intel’s newsroom since January 22nd – also explained that the company “expects” to have working microcode for other platforms in coming days. Just what will land, or when, is anyone’s guess.

The post also points out that PC-and-server-makers, not Intel, will be the source of the fixes.

There’s more irony in Shenoy’s signoff, which says “We remain as committed as ever to addressing these issues and providing transparent and timely information.”

Given that Intel approved the formation of a small cabal of OEMs to address the problem and kept their efforts secret for months, then dodged questions from the press and has now been asked to explain itself by the US Congress, we hope Shenoy is talking about some form of transparency other than Intel’s previous actions as this crisis unfolded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/08/intel_spectre_meltdown_microcode_update/

WordPress users – do an update now, and do it by hand!

WordPress just announced a most embarrassing bug.

Earlier this week, the world’s most widely used blogging and content delivery platform pushed out its Version 4.9.3 Maintenance Release.

There weren’t any critical security patches in this one, but there were 34 bug fixes, and who doesn’t want bugs fixed promptly?

And for more than four years, updating WordPress has been pretty easy – you haven’t had to type a single word or press a single button.

As Naked Security’s Mark Stockley wrote, back in October 2013 when WordPress 3.7 came out:

We’ve all become quite used to the idea of the software on our desktops, tablets, laptops and smartphones silently patching itself in the background and it’s good to see popular web software catching up – it’s long overdue.

What makes background updates for WordPress such a significant step is the software’s sheer popularity. Nobody is quite sure how many of the world’s websites are running on WordPress but the consensus seems to be that it’s about 15% to 20%.

These days, some estimates put the WordPress website share even higher, in the upper 20% range, so automatic updates are even more important than they were back in 2013.

The Catch 22 bug

Unfortunately, the WordPress 4.9.3 update introduced an updating bug: after auto-updating to 4.9.3, WordPress will no longer update automatically.

The good news is that 4.9.4 is already out, published as an emergency fix just one day later…

…but the bad news is that you’ll have to pretend it’s 2012 all over again and update by hand. (Sadly, you’re only pretending, so you won’t be able to pick up a pocketful of bitcoins for $10 each while you’re there.)

Once you get 4.9.4, autoupdating will be restored, so when 4.9.5 comes out, it should take care of itself as you’d expect.

What to do?

WordPress has published an explanation of the bug and detailed instructions for “handraulic” updating; the TL;DR version is:

Simply visit your WordPress Dashboard → Updates and click “Update Now.”

Don’t delay – do it today, so you don’t risk forgetting about it and getting caught out down the road.

If someone else hosts your WordPress server for you, ask them to confirm that they’ve completed this week’s double update, unless they’ve notified you already.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fATgemZX9l0/

Unlucky 13 collared by cops hunting cyber-crew who stole up to $2.2bn

Thirteen out of 36 individuals indicted for their alleged involvement in a transnational cybercrime group known as Infraud have been arrested, the US Department of Justice announced on Wednesday.

The Infraud Organization, according to prosecutors, coordinated various flavors of internet fraud including identity theft, bank fraud, wire fraud, and related computer crimes through online forums.

It is, in other words, a carding group that peddles lists of stolen credit and debit card data – pilfered from servers, vendor databases, and payment terminal hardware – and serves as an educational resource for tricks of the trade.

The group, it is claimed, is responsible for somewhere between $530m and $2.2bn in losses, related to the compromise of 4.3 million credit cards, debit cards and bank accounts in all fifty US states and beyond America’s borders.

“Operating under the slogan ‘In Fraud We Trust,’ members of the Infraud Organization used the online forum to purchase and sell stolen credit card numbers, financial information, social security numbers, passwords and other personally identifying information,” said David Rybicki, deputy assistant attorney general, in a speech discussing the arrests in Washington, DC on Wednesday.

“They advertised services that facilitated these activities and related, illicit financial transactions; and they disseminated malware,” he said.

The collaring of just over a third of the group’s leadership involved agents from the US Department of Homeland Security working in conjunction with law enforcement agencies in Albania, Australia, France, Kosovo, Italy, Serbia, and the United Kingdom.

The Infraud Organization, we’re told, includes almost 11,000 members, and was founded in 2010 by Svyatoslav Bondarenko of Ukraine. Bondarenko stopped using the Infraud forum in 2015, and it appears his whereabouts are unknown to US authorities.

“After Bondarenko went missing in 2015, [Sergey] Medvedev took his place as owner and administrator of the Infraud Organization,” the indictment read. Medvedev is among those arrested, according to the justice department.

“The criminals involved in such schemes may think they can escape detection by hiding behind their computer screens here and overseas, but as this case shows, cyberspace is not a refuge from justice,” said Derek N. Benner, Acting Executive Associate Director of US Immigration and Customs Enforcement’s Homeland Security Investigations group, in a statement. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/08/us_cops_collar_carding_conspiracy/

US, International Law Enforcement Shut Down Massive Cybercrime Marketplace

The Infraud Organization was responsible for over $500 million in losses to institutions and individuals worldwide, the US Department of Justice says.

US law enforcement authorities in collaboration with their counterparts in over a dozen nations have taken down a major cybercrime organization that was responsible for some $530 million in losses over the past seven years.

Thirty-six individuals from 17 countries have been charged in connection with their alleged roles in the so-called Infraud Organization, including five from the US. Thirteen of the 36 individuals have been arrested so far. Eight of them are awaiting extradition to the United States. More arrests are expected to follow.

In a media call announcing the arrests Wednesday morning, Deputy Assistant Attorney General David Rybicki described the Infraud Organization as a global forum for buying and selling stolen payment card data, financial information, Social Security numbers, personal identity data, malware, and other products.

“Infraud was truly the premier one-stop shop for cybercriminals worldwide,” Rybicki said. “Over the course of the Infraud Organization’s seven-year history, its members targeted more than 4.3 million credit cards, debit cards, and bank accounts held by individuals around the world and in all 50 states.”

The 50-page indictment unsealed today does not allege that Infraud members committed any actual data breaches. But those operating on the forum offered tools and services that certainly would have facilitated those activities, Rybicki said.

According to the indictment, Svyatoslav Bondarenko, 34, of Ukraine, founded Infraud in 2010. Over the years, it became the premier destination on the Internet for crooks looking to transact business with stolen credit card, financial, banking, and identity information. In addition to providing a platform that cybercriminals could safely use to sell stolen data, Infraud also provided an escrow service that members could use to transact business using digital currencies.

As of last March, Infraud had over 10,900 members, making it one of the largest such operations on the Internet prior to its takedown this week. The group’s members included individuals from the US, Ukraine, Russia, Australia, United Kingdom, Pakistan, Kosovo, and Bangladesh. The five individuals who have been arrested in the US are from New York, San Diego, Los Angeles, and Alabama.

As has become common with other cybercrime operations these days, Infraud had a formal hierarchy in place with defined roles for members, according to the indictment papers. “Administrators” were responsible for strategic planning as well as for managing day-to-day operations. They were also responsible for approving and monitoring membership, and for meting out rewards and punishments to members. Individuals with subject-matter expertise in different areas were assigned “Super Moderator” roles, while “Moderators” were responsible for one or two subforums within their specific areas of expertise, the DOJ indictment noted. The forum also had “vendors,” who sold stolen goods and malware, and “members” and “VIP members,” who worked to facilitate various criminal activities.

“Today’s indictment and arrests mark one of the largest cyber fraud enterprise prosecutions ever undertaken by the Department of Justice,” said John Cronin, acting assistant attorney general of the DOJ’s criminal division.

“Infraud operated like a business to facilitate cyber fraud on a global scale,” Cronin said, noting that the losses the group attempted to cause totaled more than $2.2 billion.

The charges in the case are the result of a joint investigation spearheaded by the US Immigration and Customs Enforcement’s Homeland Security Investigations unit and the Henderson Police Department in Nevada.

The case itself is being prosecuted by the prosecutor’s office in Nevada because of its familiarity with the details and the fact that 9,000 of Infraud’s victims are from the state, said US Attorney Dayle Elieson of the District of Nevada during the media call.

The indictment charges the 36 individuals with racketeering, fraud, and seven other charges. They face a maximum of 20 years in federal prison on the racketeering charges and 10 years for each of the additional counts, Elieson said.

The Infraud takedown continues a string of major law-enforcement successes against cybercrime in recent years. Last year, the FBI and other US law enforcement agencies led an international operation that resulted in the takedown of the AlphaBay and Hansa criminal marketplaces. In December, the FBI, Europol, and others took down Avalanche, a massive malware operation involving 460 attack botnets.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/us-international-law-enforcement-shut-down-massive-cybercrime-marketplace/d/d-id/1331008?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

North Korean APT Group Employed Rare Zero-Day Attack

Recent Adobe Flash exploit discovered against South Korean targets likely purchased, not developed by the hacking group.

It’s rare for nation-state hackers out of North Korea to employ zero-day attacks, so the recent Adobe Flash Player zero-day exploit discovered targeting South Korean individuals was a bit of a novelty. Even so, it wasn’t the first time the hacking team had employed a zero-day attack.

The threat actor group known as ScarCruft (aka Group 123 and Reaper) in June 2016 was spotted by researchers at Kaspersky Lab dropping a zero-day attack exploiting another Flash flaw (CVE-2016-4171), which allowed remote code execution.

That attack, which Kaspersky dubbed Operation Daybreak, began with targeted spearphishing emails that contained a malicious URL that served up the exploit to the victim’s machine. According to Kaspersky Lab, the attack hit an Asian law enforcement agency; a Dubai restaurant; a US-based mobile advertising and monetization firm; one of the world’s largest trading companies, based in Asia; and members of the International Association of Athletics Federations.

At the time, ScarCruft was a relatively new advanced persistent threat (APT) group that had kept a low profile. ScarCruft is mostly known for cyber espionage and some destructive attacks, and was spotted targeting key South Korean institutions during the presidential election there last year with malicious documents.

“Now we see them with this new attack, and I would say it’s pretty surprising, the use of a zero day,” says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “Flash zero-days are not that popular anymore.”

The recent attack campaign against South Korean diplomatic targets appears to have concluded on January 31, according to Kaspersky’s telemetry. That’s the same day that South Korea’s Computer Emergency Response Team (KrCERT/CC) first issued an advisory on the zero-day vulnerability in Flash Player ActiveX 28.0.0.137 and earlier versions. The bug (CVE-2018-4878) abused in the attacks is a use-after-free vulnerability that allows remote code execution, according to Adobe’s advisory.

Researchers at Cisco Talos found that the attack came via a rigged Microsoft Excel document that, once opened, downloaded ROKRAT, a popular remote administration tool (RAT) used by advanced cybercrime gangs.

Raiu believes the attack group most likely purchased the Flash exploit and didn’t discover the vulnerability itself. “I don’t believe they could develop a zero day by themselves. My suspicion is that more likely, they were able to purchase it,” he says. “They have access to cryptocurrency, which allows them to purchase zero days on the dark market.”

He and other researchers say ScarCruft is not part of the infamous and prolific Lazarus Group, which was behind the destructive Sony attack and WannaCry. A spinoff group of Lazarus that Kaspersky Lab calls Bluenoroff is believed to be behind the SWIFT banking attacks. “Lazarus Group has hundreds of different malware variants, and they are incredibly resourceful,” he says. “These guys [ScarCruft] are high-school level. I’m surprised they were able to acquire a zero day.”

Targeting South Korean diplomatic and military individuals traditionally has been the gang’s main mission, notes Benjamin Read, manager of cyber-espionage analysis at FireEye, which named the hacker group Reaper. “This attack is consistent to what they have been doing,” he says. The group also has destructive malware tools, he says, but “we have not seen them use” them.

McAfee senior analyst Ryan Sherstobitoff says he’s watched North Korea’s cyberattack strategy overall mature and evolve since the early days of its distributed denial-of-service (DDoS) attacks against South Korean and US targets as cover for cyber espionage and data theft. The so-called Dark Seoul (aka Operation Troy) attacks in 2013, for example, posed as hacktivists knocking websites offline and wiping hard drives, while in the background quietly stealing military secrets about South Korea and the US.

“They [North Korea] are far more aggressive and frequent than both China and Russia, because North Korea doesn’t have any political cares. They don’t care if they upset or interrupt foreign policy,” Sherstobitoff notes.

In addition to mixing up their attack tools to mask their identity, he says North Korean attack groups also have evolved their social media targeting. “They are able to speak in foreign languages to target their victims” now, he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/north-korean-apt-group-employed-rare-zero-day-attack/d/d-id/1331011?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Registrar Namecheap let miscreants slap spam, malware on unlucky customers’ web domains

Updated: Namecheap has admitted it accidentally let miscreants set up and control fraudulent subdomains on websites belonging to other customers.

These hijacked sites were subsequently used to host dodgy material. This caused them to be flagged up as malicious by Google’s search engine, blocking netizens from visiting them, and piling further misery on webmasters.

Namecheap customer Kirk McElhearn found this out to his cost when he received an alert from Google that three subdomains on his website were serving out spammy content and/or malicious software. This was news to him, since his hosting administration tool, cPanel, showed no such subdomains existed.

When McElhearn turned to ICANN-accredited registrar Namecheap for help, he got a rather disturbing response. The technical support staff at the US-based biz told him that the issue was down to a “misconfiguration on our nameservers.”

Essentially, some scumbag with a Namecheap account had abused a vulnerability in Namecheap’s DNS setup to tack extra subdomains onto McElhearn’s kirkville.com website, point said subdomains at a web server, and use them to dish out naughty stuff.

“In short, it was another user that added the subdomains to their hosting account,” he was told.

To make matters worse, the subdomains were outside his control. Also, while his legit site uses encrypted HTTPS by default, visitors to the new subdomains were redirected to standard HTTP pages. Ultimately, the subdomains were exploiting McElhearn’s website’s search rankings to lure in netizens.

“If you get a lot of traffic, the bogus pages set up on the sub-domain may inherit some of your website’s prominence, allowing malicious users to serve spam or malware, or to make money by displaying Google ads,” McElhearn explained.

“Interestingly, even though Google flagged these pages as ‘hacked content’ they were still serving Google ads; as if Google really doesn’t care how they make their money.”

After the subdomains were quickly removed, and McElhearn detailed his experiences in a report on Monday, noted infosec pundit Graham Cluley took the registrar to task on Twitter. Namecheap’s response was not what you’d call reassuring:

“The issue should be completely resolved very soon,” it said on Twitter. “Additionally, this affected a teeny tiny group of users of our web hosting service, and anyone registering domains are completely safe.”

The biz said it is conducting an audit, and will contact any of its customers who have been affected by its security cockup. Judging from the language used, the issue potentially affected any number of Namecheap’s customer base; it’s just that miscreants only got round to targeting a select bunch, and the registrar is now scrambling to find out who got hit.

“They certainly haven’t contacted me about it, outside of the tweet which isn’t what you’d call official,” McElhearn told The Register. “And teeny tiny is not a useful term.”

Thankfully, the dodgy subdomains on his site turned out to just be categorized spammy links to news articles. But it could have been a lot worse.

So far Namecheap isn’t responding to requests for comment, but if the company is hosting your website you may want to check that you’re not hosting anything nasty. ®

Updated to add

Namecheap’s CEO Richard Kirkendall has been in touch to assure us that the dodgy subdomains were removed on Monday, the same day they were spotted, and insisted only a “minimal” number of customers were hit.

“We are almost done with our scanning of possibly affected users,” he told us. “So far we are currently estimating 100 to 200, more than likely less, domains may have been affected by this issue. We are getting close to fully completing our audit and will give a full report once it’s done.”

And it appears that full report can now be found here, which details an “unexpected gap in our security” that led to a dozen domains being hijacked.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/07/namecheap_subdomain_security_hole/