There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market

Bitcoin! Black gold! Texas tea!

Only one of these is currently worth ridiculous amounts of money (and technically numbers two and three are the same thing). Whether you’re in possession of lots of Bitcoins, or in full bandwagon panic “must buy 20 graphics cards before the bubble bursts” mode, you should be aware that lots of awful people want in on your precious haul. Indeed, the past week or so has seen an explosion of Bitcoin-centric scams, fakeouts, and all-around bad behaviour as scammers look to cash in at your expense.

The huge value of Bitcoin, plus the launch of Bitcoin futures, has attracted so many scammers that it’s difficult to keep up, whether it’s fake endorsements from well-known traders or plain-old RATs targeting would-be investors. Fake news, malware, bogus wallets, and even Bitcoin laundering via self-made music loaded onto the iTunes store—everyone seems to have gone a little Bitcoin crazy.

Bitcoin is here to stay—but what is it?

Bitcoin is a digital currency created by someone claiming to be Satoshi Nakamoto (which may well be an alias), and it’s all about digital wallets, mining, and hoping someone doesn’t steal millions overnight. It’s even being used as a volatile talking point related to ads, scripts, and blocking—from random websites to free wi-fi services, everyone is getting in on the action.

In this chaotic mess of bubbles, adverts, scams, and mistaken identities, the price of Bitcoin has gone through the roof. The reasons for this are multifaceted and also involve people endlessly talking about it. It may well be something off in the distance for many people, or some weird Internet thing you keep hearing people mention in horribly confusing terms, but make no mistake, it’s becoming mainstream. In fact, Bitcoin is rising so suddenly that people are taking out mortgages so they can get in on the Bitcoin action. (Tip: You probably don’t want to do this.)

An avalanche of chicanery

This past week, we’ve seen quite a few things you may want to steer clear of—from mobile to survey scams. It’s frankly overwhelming and for many of us, there’s simply no way to tell the good from the bad from the mildly shoulder shrugging.

For example, someone has taken ye olde survey scam and remixed it for the coin collective:

Coins and Youtube, oh my

Advertised on Youtube (until the video was pulled down, anyway), this site claims to generate Bitcoins with a 100 percent success rate. Sure does beat all that cumbersome mining and electricity use, and this is a definite boon for someone trying to jam a GTX1080 graphics card into a netbook. The site itself, located at bitcoingenerator(dot)space, is exactly what you’d expect a survey scam to look like, except it’s asking for Bitcoin addresses instead of how many Xbox Live points you want.

Coin survey

Users need to be verified by filling in a selection of geotargeted surveys. You don’t need me to tell you that survey scams are junk. They’ve been around forever, and are the absolute bottom rung of unimaginative, cookie-cutter fakeouts that never give you what you want. They’re the first thing to fall out of the “In case of scam emergency, break glass” box.

Seeing one suddenly throwing itself on the Bitcoin bandwagon is a bit of an eye-opener though, and something we should take notice of. People will seemingly do pretty much anything to nab some free coins, including clicking this shortened link roughly 34k times to play a game of snake-as-Bitcoin-faucet.

Snake coin

Sadly, the landing page is dead at time of writing, so we have no way of knowing if this one ever got off the ground. It could well be legit, but keep in mind that sites and videos will claim to offer up all manner of faucets. Not all of them will play nice, so on your own snakey visage be it, and be especially cautious around any downloadable executables.

Repackaging the tech support scam

Elsewhere, we have our old friend the tech support scam marching in the direction of coin-related antics. Or at least, scammers using some of the hallmarks of the tech support scam in an effort to part Bitcoin traders using Kraken from their digital currency. A good while ago, I covered fake EA support accounts who wait for the real thing to go “out of office,” then slide into conversations before directing victims to phishing links. This has a bit of a similar feel, with scammers waiting for trading sites to go offline due to maintenance/bad luck/DDoS/whatever, then jumping into hashtags on social media with links to fake support sites, including phony “support” over the phone. It all ends in phishing and vanished coins.

Old tricks, new victims, unfortunately.

Ignore that part of your brain that says, “Well, it’s just one coin or whatever,” because the problem is these things are so highly valued right now that it takes just one being swiped to cause major problems. And that, in turn, makes coins the absolute number one hot target on the block right now. Or, to put it another way:

Ouch

That is an astonishing amount of cash to be cheated out of, and it’ll only get worse as scammers come up with the path of least resistance for obtaining illicit Bitcoins. It also seems like this has been going on for a while, so sites dealing in and around coins should consider bulking out their security hints and tips for new (and even experienced) Bitcoiners.

If you’re feeling a little swamped with the perils of Bitcoin, that’s understandable. Potential bubble + massive bandwagon + huge array of services + large corporations taking an interest + hordes of newcomers who have no idea what’s legit and what isn’t charging into the fray = please pass me the headache tablets.

Something we’ve been seeing recently is sites offering “crypto debit cards” if visitors invest certain amounts into their linked wallets. Is that real? Fake? A good deal? What’s the benefit for doing this? What on earth does this mean in the terms and conditions?

Help

Why do you have to be in a SEPA country? What is a SEPA country? All of these questions and more can be yours, for the low, low price of total and utter confusion. Make no mistake: if you want to make serious cash, you’re going to have to do some serious research.

Cornering the market on best practices

If you’re totally new to Bitcoin, your most likely first port of call may well be one of the numerous exchanges out there. You’d do well to heed the following advice from digital crime writer Joseph Cox:

  • use unique password
  • create a new email account (don’t share it)
  • put 2FA on both the email and the exchange account (if SMS, don’t share number, but preferably Google Auth)
  • don’t trade over PayPal (scam)

— Joseph Cox (@josephfcox) December 8, 2017

  • Don’t log into exchanges over Tor, unless you really have to for some reason, and can use a hidden service (malicious exit nodes to steal logins, etc)
  • Verification on exchanges helps you and the seller, do it
  • Keep trades through the exchange’s system, to ensure you get $$

— Joseph Cox (@josephfcox) December 8, 2017

Whatever your way in, please take some time to read up on the pros and cons of digital currency. Unless you understand the basics, even the simplest of easy-to-spot Bitcoin scams may well elude your radar until it’s too late. Considering the huge sums at play, and the breakneck pace being set by all things digital currency, it’s never been more important to be fully aware of the risks as well as the benefits of cashing in your crypto-chips.

The post There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market appeared first on Malwarebytes Labs.

Author: Christopher Boyd

Password Stealing Apps With Over A Million Downloads Found On Google Play Store

Even after so many efforts by Google, such as launching a bug bounty program and preventing apps from using Android accessibility services, malicious applications somehow manage to get into the Play Store and infect people with malicious software.

The same happened once again when security researchers discovered at least 85 applications in Google Play Store that were designed to steal credentials from users of Russian-based social network VK.com and were successfully downloaded millions of times.

The most popular of all masqueraded as a gaming app with more than a million downloads. When this app was initially submitted in March 2017, it was just a gaming app without any malicious code, according to a blog post published Tuesday by Kaspersky Lab.

However, after waiting for more than seven months, the malicious actors behind the app updated it with information-stealing capabilities in October 2017.

Besides this gaming app, the Kaspersky researchers found 84 such apps on Google Play Store—most of them were uploaded to the Play Store in October 2017 and were stealing credentials from VK.com users.

Other apps that were popular among users include seven with between 10,000 and 100,000 installations and nine with between 1,000 and 10,000 installations; the rest had fewer than 1,000 installations.

Here’s How Cyber Criminals Steal Your Account Credentials:

The apps used an official SDK for VK.com but slightly modified it with malicious JavaScript code in an effort to steal users’ credentials from the standard login page of VK and pass them back to the apps.

Since these apps looked like they came from VK.com – for listening to music or for monitoring user page visits – requiring a user to log into his/her account through a standard login page did not look suspicious at all.

The stolen credentials were then encrypted and uploaded to a remote server controlled by the attackers.

“The interesting thing is that although most of these malicious apps had a described functionality, a few of them were slightly different—they also used malicious JS code from the OnPageFinished method, but not only for extracting credentials but for uploading them too,” Kaspersky said.
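A static triage check for the injection pattern just described, as an added example that is not Kaspersky's, VK's or any of the apps' code; the Java sources it scans are constructed for the demo, and the regexes assume decompiled Java using the standard Android WebView API names.

```python
"""Static triage for WebView credential-harvesting hooks in Android apps.

Added example; not Kaspersky's, VK's or any app's code. It scans decompiled
Java source for WebViewClient.onPageFinished overrides that push JavaScript
into the loaded page and read login-form fields, the pattern described above.
The two Java sources at the bottom are constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Real Android APIs that execute script inside a WebView from Java.
JS_INJECTION = re.compile(r'loadUrl\s*\(\s*"javascript:|evaluateJavascript\s*\(')
# DOM lookups whose target name smells like a credential field.
CREDENTIAL_DOM = re.compile(
    r'(getElementById|getElementsByName|querySelector)\s*\(\s*[\'"\\]*(pass|login|email|user)',
    re.I)
# A Java bridge or outbound request anywhere in the file: where lifted data goes.
EXFIL_PATH = re.compile(r'addJavascriptInterface|XMLHttpRequest|fetch\s*\(|\.src\s*=')
METHOD_DECL = re.compile(r'void\s+onPageFinished\s*\(')


@dataclass
class Finding:
    line: int                      # line of the onPageFinished declaration
    reasons: list = field(default_factory=list)


def _method_bodies(src: str):
    """Yield (line_no, body) for each onPageFinished declaration via brace matching."""
    for m in METHOD_DECL.finditer(src):
        start = src.find("{", m.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(src)):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    yield src.count("\n", 0, m.start()) + 1, src[start:i + 1]
                    break


def scan_source(src: str) -> list:
    """Flag onPageFinished bodies that both inject script and touch credential fields."""
    findings = []
    has_exfil = bool(EXFIL_PATH.search(src))
    for line_no, body in _method_bodies(src):
        reasons = []
        if JS_INJECTION.search(body):
            reasons.append("injects JavaScript once the page has loaded")
        if CREDENTIAL_DOM.search(body):
            reasons.append("injected script reads login/password form fields")
        # Script injection alone is common in legitimate SDKs (UI tweaks);
        # require the credential-field access as well before raising a finding.
        if len(reasons) == 2:
            if has_exfil:
                reasons.append("file wires a JS bridge or network call for the data")
            findings.append(Finding(line_no, reasons))
    return findings


# --- constructed samples (not from any real app) -----------------------------
MALICIOUS_SRC = '''
public class LoginClient extends WebViewClient {
    void install(WebView w) {
        w.addJavascriptInterface(new Bridge(), "Android");
    }
    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
        if (url.contains("vk.com")) {
            view.loadUrl("javascript:(function(){"
                + "var p=document.getElementById('pass');"
                + "var e=document.getElementsByName('email')[0];"
                + "Android.onCreds(e.value,p.value);})()");
        }
    }
}
'''

BENIGN_SRC = '''
public class ThemeClient extends WebViewClient {
    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
        view.loadUrl("javascript:document.getElementById('header').style.display='none'");
    }
}
'''
```

Run `scan_source()` over each decompiled `.java` file of a suspect APK; a finding with all three reasons is the shape of the modified VK SDK described above, while injection alone is only worth a look.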

Researchers believe that the cybercriminals use stolen credentials mostly for promoting groups in VK.com, by silently adding users to promote various groups and increase their popularity by doing so, since they received complaints from some infected users that their accounts had been silently added to unknown groups.

The cybercriminals behind these apps had been publishing their malicious apps on the Play Store for more than two years, so all they had to do was modify their apps to evade detection.

Since VK.com is popular mostly among users in CIS countries, the malicious apps were targeting Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Romanian, Belarusian, Kyrgyz, Tajik, and Uzbek users.

The apps did so by first checking the device language and asking for login credentials only from users whose device was set to one of the above-mentioned languages.

In addition, researchers also noted that they found several other apps on Google Play Store that were submitted by the same cyber criminals and published as unofficial clients for the popular messaging app Telegram.

“These apps were not only masquerading as Telegram apps, they were actually built using an open source Telegram SDK and work almost like every other such app,” the researchers said, adding that these apps also add infected users to promoted groups/chats based on a list received from their server.

How to Protect Your Device From Such Malicious Apps

All the apps, including the credential-stealing apps (detected as Trojan-PSW.AndroidOS.MyVk.o) and malicious Telegram clients (detected as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a), have since been removed by Google from the Play Store.

However, those who have already installed one of the above apps on their mobile devices should make sure their devices have Google Play Protect enabled.

Play Protect is Google’s newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users’ Android smartphones to prevent further harm.

Although it is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps from Google’s official Play Store, and always verify app permissions and reviews before you download one.

Moreover, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block such malicious apps before they can infect your device, and always keep your device and apps up-to-date.


Microsoft Patch Tuesday – December 2017

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 34 new vulnerabilities with 21 of them rated critical and 13 of them rated important. These vulnerabilities impact Edge, Exchange, Internet Explorer, Office, Scripting Engine, Windows, and more.

In addition to the 33 vulnerabilities addressed, Microsoft has also released an update for Microsoft Office that improves security by disabling the Dynamic Data Exchange (DDE) protocol. This update is detailed in ADV170021 and impacts all supported versions of Office. Organizations that are unable to install this update should consult the advisory for workarounds that help mitigate DDE exploitation attempts.

VULNERABILITIES RATED CRITICAL

Microsoft has assigned the following vulnerabilities a Critical severity rating:

The following is a brief description of each vulnerability.

Multiple CVEs – Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit one of these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked “safe for initialization.”

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11886
  • CVE-2017-11889
  • CVE-2017-11890
  • CVE-2017-11893
  • CVE-2017-11894
  • CVE-2017-11895
  • CVE-2017-11901
  • CVE-2017-11903
  • CVE-2017-11905
  • CVE-2017-11907
  • CVE-2017-11908
  • CVE-2017-11909
  • CVE-2017-11910
  • CVE-2017-11911
  • CVE-2017-11912
  • CVE-2017-11914
  • CVE-2017-11918
  • CVE-2017-11930

CVE-2017-11888 – Microsoft Edge Memory Corruption Vulnerability

A vulnerability has been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. This vulnerability manifests due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Users could be exploited if they navigate to a malicious web page designed to exploit this vulnerability.

Multiple CVEs – Microsoft Malware Protection Engine Remote Code Execution Vulnerability

Two arbitrary code execution vulnerabilities have been identified within the Microsoft Malware Protection Engine that could allow an attacker to execute code in the context of the LocalSystem account. These vulnerabilities manifest as a result of the engine improperly scanning files. Exploitation of these vulnerabilities is achievable if the system scans a specially crafted file with an affected version of the Microsoft Malware Protection Engine. Note that these updates typically will not require action by users or administrators, as the built-in mechanism for automatic deployment of engine updates will apply them within 48 hours of release.

  • CVE-2017-11937
  • CVE-2017-11940

VULNERABILITIES RATED IMPORTANT

Microsoft has assigned the following vulnerabilities an Important severity rating:

The following is a brief description of each vulnerability.

CVE-2017-11885 – Windows RRAS Service Remote Code Execution Vulnerability

A vulnerability has been identified that exists in RPC on systems where Routing and Remote Access is enabled. Successful exploitation of this vulnerability could result in code execution. In order to exploit this vulnerability, an attacker would need to run an application specifically designed to exploit it. Routing and Remote Access is not enabled in default configurations of Windows. On systems where Routing and Remote Access is disabled, the system is not vulnerable.

Multiple CVEs – Scripting Engine Information Disclosure Vulnerability

Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to obtain information to further compromise a user’s system. These vulnerabilities all manifest due to the scripting engine improperly handling objects in memory. Successful exploitation would give an attacker sensitive information that could then be used in other exploits. Scenarios where users could be exploited include web-based attacks, where a user navigates to a malicious web page designed to exploit one of these vulnerabilities.

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11887
  • CVE-2017-11906
  • CVE-2017-11919

CVE-2017-11899 – Microsoft Windows Security Feature Bypass Vulnerability

A vulnerability has been identified that affects Device Guard. Successful exploitation of this vulnerability could result in Device Guard incorrectly validating untrusted files. As Device Guard uses signatures to determine whether a file is benign or malicious, this could cause Device Guard to allow a malicious file to execute on vulnerable systems. An attacker could leverage this vulnerability to cause an untrusted file to appear as if it is trusted.

Multiple CVEs – Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit one of these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked “safe for initialization.”

The following is a list of CVEs related to these vulnerabilities:

  • CVE-2017-11913
  • CVE-2017-11916

CVE-2017-11927 – Microsoft Windows Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects the Windows its:// protocol handler. This vulnerability manifests due to the protocol handler sending network traffic to a remote site when determining the zone associated with a URL that is provided to the protocol handler. An attacker could attempt to leverage this vulnerability to obtain sensitive information. This vulnerability could be leveraged to obtain NTLM hash values associated with a victim’s account.

CVE-2017-11932 – Microsoft Exchange Spoofing Vulnerability

A spoofing vulnerability has been identified that affects Microsoft Exchange. This vulnerability manifests due to Outlook Web Access (OWA) failing to properly handle certain web requests. This vulnerability could be leveraged by attackers to inject scripts and content. This vulnerability could also be leveraged to redirect clients to a malicious web site. Successful exploitation of this vulnerability would require an attacker to send victims a specially crafted email containing a malicious link.

CVE-2017-11934 – Microsoft PowerPoint Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects Microsoft Office. This vulnerability manifests due to Microsoft Office improperly disclosing contents in memory. This vulnerability could be leveraged by an attacker to obtain sensitive information that could be used to launch additional attacks against a target system. Successful exploitation of this vulnerability would require an attacker to send a specially crafted file to a victim and convince them to open the file.

CVE-2017-11935 – Microsoft Excel Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in Microsoft Excel which manifests as a result of improperly handling objects in memory. An attacker could exploit this vulnerability by creating a specially crafted Excel document which triggers the vulnerability. Successful exploitation would allow an attacker to execute arbitrary code in the context of the current user. Scenarios where this could occur include email-based attacks or attacks where users download malicious files off of a site hosting user-created content (Dropbox, OneDrive, Google Drive).

CVE-2017-11936 – Microsoft SharePoint Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in Microsoft SharePoint Server that could potentially allow an attacker to impersonate a user and perform restricted actions. This vulnerability manifests due to SharePoint improperly sanitizing specially crafted web requests. An authenticated user who exploits this vulnerability could proceed to perform a cross-site scripting attack to cause other users to execute arbitrary JavaScript in the context of that user. This could then allow an attacker to read content, change permissions, or inject other malicious content on behalf of that user if permitted.

CVE-2017-11939 – Microsoft Office Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Microsoft Office that could leak a user’s private key. This vulnerability manifests as a result of Visual Basic macros in Office incorrectly exporting a user’s private key from the certificate store while saving a document. Note that an attacker would need to exploit another vulnerability or socially engineer the user to obtain the document containing the leaked private key in order to leverage it.

Author: Talos Group

ROBOT Attack: 19-Year-Old Bleichenbacher Attack On RSA Encryption Reintroduced


A 19-year-old vulnerability has been re-discovered in the RSA implementation from at least 8 different vendors—including F5, Citrix, and Cisco—that can give man-in-the-middle attackers access to encrypted messages.

Dubbed ROBOT (Return of Bleichenbacher’s Oracle Attack), the attack allows an attacker to perform RSA decryption and cryptographic operations using the private key configured on the vulnerable TLS servers.

The ROBOT attack is nothing but a couple of minor variations of the old Bleichenbacher attack on the RSA encryption protocol.

First discovered in 1998 and named after Swiss cryptographer Daniel Bleichenbacher, the Bleichenbacher attack is a padding oracle attack on RSA-based PKCS#1 v1.5 encryption scheme used in SSLv2.

The Bleichenbacher attack is an adaptive chosen-ciphertext attack that leverages the error messages SSL servers return for errors in the PKCS #1 v1.5 padding, allowing attackers to determine whether a decrypted message is correctly padded.

This information eventually helps attackers decrypt RSA ciphertexts without recovering the server’s private key, completely breaking the confidentiality of TLS when used with RSA encryption.

“An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions,” Cisco explains in an advisory.

In 1998, Bleichenbacher proposed upgrading the encryption scheme, but instead, TLS designers kept the vulnerable encryption modes and added a series of complicated countermeasures to prevent the leakage of error details.

Now, a team of security researchers has discovered that these countermeasures were incomplete and just by using some slight variations, this attack can still be used against many HTTPS websites.

“We changed it to allow various different signals to distinguish between error types like timeouts, connection resets, duplicate TLS alerts,” the researchers said.

“We also discovered that by using a shortened message flow where we send the ClientKeyExchange message without a ChangeCipherSpec and Finished message allows us to find more vulnerable hosts.”

According to the researchers, some of the most popular websites on the Internet, including Facebook and Paypal, are affected by the vulnerability. The researchers found “vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa.”

ROBOT attack stems from the above-mentioned implementation flaw that only affects TLS cipher modes using RSA encryption, allowing an attacker to passively record traffic and later decrypt it.

“For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack,” the researchers said.

“We believe that a server impersonation or man in the middle attack is possible, but it is more challenging.”
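The oracle the attack relies on, and the countermeasure TLS prescribes for it, side by side as an added Python example (not the ROBOT team's scanner or any vendor's code; the RSA key is a constructed toy built from two Mersenne primes, and the function names are the example's own):

```python
"""PKCS#1 v1.5 unwrap: a padding oracle beside the TLS countermeasure.

Added example, not code from the ROBOT researchers or any vendor. The key is
a constructed toy (demo only). vulnerable_unwrap() reports padding failures,
which is the oracle Bleichenbacher/ROBOT queries; hardened_unwrap() follows
the RFC 5246 section 7.4.7.1 countermeasure and substitutes a random premaster
secret, so good and bad padding look the same to the peer.
"""
import secrets

# --- constructed toy key (demo only; never build real keys this way) --------
P = (1 << 521) - 1                       # Mersenne prime M521
Q = (1 << 607) - 1                       # Mersenne prime M607
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # Python 3.8+ modular inverse
K = (N.bit_length() + 7) // 8            # modulus length in bytes (141)
PMS_LEN = 48                             # TLS premaster secret length


class PaddingError(Exception):
    """Raised only by the vulnerable path; the exception itself is the oracle."""


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 0x00 || 0x02 || PS (>= 8 non-zero random bytes) || 0x00 || M."""
    if len(msg) > K - 11:
        raise ValueError("message too long for modulus")
    ps = bytearray()
    while len(ps) < K - 3 - len(msg):
        b = secrets.randbits(8)
        if b:                            # PS must not contain zero bytes
            ps.append(b)
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def rsa_encrypt_block(em: bytes) -> bytes:
    """Textbook RSA on an already padded block (so the demo can build bad ones)."""
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def _raw_decrypt(ct: bytes) -> bytes:
    c = int.from_bytes(ct, "big")
    if c >= N:
        raise ValueError("ciphertext out of range")
    return pow(c, D, N).to_bytes(K, "big")


def vulnerable_unwrap(ct: bytes) -> bytes:
    """Validate padding and report each failure distinctly.

    Anything observable about the failure (alert type, timing, a reset, the
    duplicate alerts ROBOT keyed on) tells the sender whether the block
    began with 0x00 0x02. That one bit per query is all the attack needs.
    """
    em = _raw_decrypt(ct)
    if em[0] != 0 or em[1] != 2:
        raise PaddingError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise PaddingError("no separator")
    if sep < 10:
        raise PaddingError("padding string too short")
    if K - sep - 1 != PMS_LEN:
        raise PaddingError("wrong premaster secret length")
    return em[sep + 1:]


def hardened_unwrap(ct: bytes) -> bytes:
    """RFC 5246 7.4.7.1 style unwrap: never signal a padding problem.

    Draw the random fallback first, decrypt, evaluate every padding condition
    over the whole block and fold them into one flag. On any failure return
    the fallback; the handshake then fails later in Finished, identically for
    every malformed input. (A production implementation must also make the
    final selection constant-time; the bitwise folding here is the idea only.)
    """
    fallback = secrets.token_bytes(PMS_LEN)
    try:
        em = _raw_decrypt(ct)
    except ValueError:
        return fallback
    sep = K                              # K means "no separator found"
    for i in range(K - 1, 1, -1):        # always scan the whole block
        if em[i] == 0:
            sep = i
    bad = em[0] | (em[1] ^ 0x02)
    bad |= int(sep == K) | int(sep < 10) | int(K - sep - 1 != PMS_LEN)
    secret = em[sep + 1:]
    return fallback if bad else secret


def demo() -> dict:
    """Run both paths on a valid and on a mis-padded ciphertext."""
    pms = secrets.token_bytes(PMS_LEN)
    good_ct = rsa_encrypt_block(pkcs1_v15_pad(pms))
    # Block type 0x01 instead of 0x02: well-formed otherwise, but wrong padding.
    bad_ct = rsa_encrypt_block(b"\x00\x01" + b"\xff" * (K - 3 - PMS_LEN) + b"\x00" + pms)
    try:
        vulnerable_unwrap(bad_ct)
        leaked = False
    except PaddingError:
        leaked = True                    # observable failure == oracle
    return {"pms": pms,
            "good_vuln": vulnerable_unwrap(good_ct),
            "good_hard": hardened_unwrap(good_ct),
            "bad_leaks": leaked,
            "bad_hard": hardened_unwrap(bad_ct)}   # 48 random bytes, no error
```

The researchers' point is that the second shape is only a countermeasure if every other observable behaviour (alerts, timeouts, resets) is also identical for good and bad padding, which is what their scanner probes for.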

The ROBOT attack has been discovered by Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT, who also created a dedicated website explaining the whole attack, its implications, mitigations and more.

The attack affects implementations from several different vendors, some of which have already released patches and most have support notes acknowledging the issue.

You will find the list of affected vendors on the ROBOT website.

The researchers have also released a Python tool to scan for vulnerable hosts. You can also check your HTTPS server against the ROBOT attack on their website.


Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online


Hackers always first go for the weakest link to quickly gain access to your online accounts.

Online users’ habit of reusing the same password across multiple services gives hackers the opportunity to use the credentials gathered from a data breach to break into their other online accounts.

Researchers from security firm 4iQ have now discovered a new collective database on the dark web (released on Torrent as well) that contains a whopping 1.4 billion usernames and passwords in clear text.

The aggregate database, found on 5 December in an underground community forum, has been said to be the largest ever aggregation of various leaks found in the dark web to date, 4iQ founder and chief technology officer Julio Casal noted in a blog post.

Though links to download the collection had already been circulating on dark-web sites over the last few weeks, it got more exposure when someone posted it on Reddit a few days ago, from where we also downloaded a copy and can now verify its authenticity.

Researchers said the 41GB massive archive, as shown below, contains 1.4 billion usernames, email, and password combinations—properly fragmented and sorted into two and three level directories.

The archive had been last updated at the end of November and didn’t come from a new breach—but from a collection of 252 previous data breaches and credential lists.


The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in.

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true,” Casal said. “The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.”

“This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”

The database has been neatly organized and indexed alphabetically, too, so that would-be hackers with basic knowledge can quickly search for passwords.

For example, a simple search for “admin,” “administrator” and “root,” returned 226,631 passwords used by administrators in a few seconds.

Although some of the breach incidents are quite old, with stolen credentials circulating online for some time, the success ratio is still high for criminals, due to users’ lousy habit of re-using their passwords across different platforms and choosing easy-to-guess passwords.

The most common yet worst passwords found in the database are “123456”, “123456789”, “qwerty,” “password” and “111111.”


It is still unclear who is responsible for uploading the database on the dark web, but whoever it is has included Bitcoin and Dogecoin wallets for any user who wants to donate.

To protect yourself, you are strongly advised to stop reusing passwords across multiple sites and always keep strong and complex passwords for your various online accounts.

If it’s difficult for you to remember and create complex passwords for different services, you can make use of a good password manager. We have listed some good password managers that could help you understand the importance of such a tool and choose one according to your requirements.


Google Researcher Releases iOS Exploit—Could Enable iOS 11 Jailbreak


As promised last week, Google’s Project Zero researcher Ian Beer has now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources.

On Monday morning, Beer shared the details on the exploit, dubbed “tfp0,” which leveraged double-free memory corruption vulnerabilities in the kernel, the core of the operating system.

Here, “tfp0” stands for “task for pid 0” or the kernel task port—which gives users full control over the core of the operating system.

The Project Zero researcher responsibly reported these vulnerabilities to Apple in October, which were patched by the company with the release of iOS 11.2 on 2nd December.

While Beer says he has successfully tested his proof of concept exploit on the iPhone 6s and 7, and iPod Touch 6G, he believes that his exploit should work on all 64-bit Apple devices.

Another security researcher confirmed that the exploit released by Beer also works on his Apple TV running tvOS 11.x and an Apple TV 4K running iOS 11.1.2.

What’s worse? Since Apple’s iOS mobile operating system and macOS desktop operating system share the same code base, the kernel for macOS is also vulnerable to the bug, according to a report published by Project Zero on Google’s Chromium Blog.

Beer said he has also successfully tested the vulnerability on macOS 10.13, running on a MacBook Air 5.2, which Apple patched in macOS 10.13.1.

Earlier versions of the operating systems are still vulnerable to the exploit, which basically grants complete core access to the operating system and that is really what the jailbreak community requires.

Although we have not heard any news about iOS jailbreaks from the jailbreak community for a very long time, Beer’s exploit could be the basis for a future iOS 11 jailbreak, allowing iPhone and iPad users to install third-party OS customizations via apps that are restricted by Apple.

If an iOS 11.1.2 jailbreak surfaces in the coming days, you can still downgrade to iOS 11.1.2 using iTunes even if you have updated to iOS 11.2, because Apple is still signing that version of the operating system.


Newly Uncovered ‘MoneyTaker’ Hacker Group Stole Millions from U.S. & Russian Banks


Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting banks, financial institutions, and legal firms, primarily in the United States, UK, and Russia.

Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.

In the past 18 months, the group is believed to have conducted more than 20 attacks against financial organisations, stealing more than $11 million along with sensitive documents that could be used in future attacks.

According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT international bank messaging service (United States).

“Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US,” Group-IB says in its report.

Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and banks in Latin America could be their next target.

MoneyTaker: 1.5 Years of Silent Operations

Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.

Even after a large number of attacks against so many targets, the MoneyTaker group managed to keep its activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, PowerShell Empire, and code demonstrated as a proof of concept at a Russian hacking conference in 2016.

“To propagate across the network, hackers used a legitimate tool, psexec, which is typical for network administrators,” Group-IB says in its report.


Besides using open-source tools, the group has also been heavily utilizing the Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware dubbed ScanPOS.

“Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server.”
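The report says ScanPOS validates harvested card data with Luhn’s algorithm before sending it out. The same check is useful on the defensive side: a scanner that flags Luhn-valid card numbers in logs, crash dumps or support tickets, where they should never be stored. The block below is an added example, not code from Group-IB or from the malware; the log lines are constructed for the example and the regex, function names and masking rule are this example’s own choices.

```python
"""Luhn-based detector for payment-card numbers leaked into text.

Added example (not from Group-IB's report): the same Luhn validation that
ScanPOS uses on harvested track data, applied by a defender to find card
numbers that have leaked into logs. SAMPLE_LOG is constructed for this
example; the PAN regex and masking rule are this example's own choices.
"""
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit results back to one digit (18 -> 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised (digits-only) card numbers in text that pass Luhn."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed log lines: two contain Luhn-valid test card numbers, the
# session id on the second line is a 16-digit number that fails Luhn.
SAMPLE_LOG = """\
2017-12-11 09:14:02 pos-terminal-03 auth ok card=4111 1111 1111 1111 amt=19.99
2017-12-11 09:14:05 pos-terminal-03 session id=1234567890123456 user=clerk2
2017-12-11 09:15:41 pos-terminal-03 auth ok card=5500-0000-0000-0004 amt=7.50
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        for pan in find_pans(line):
            print(f"card data in log: {mask(pan)} <- {line[:45]}...")
```

The lookarounds keep the regex from matching a substring of a longer digit run, and the Luhn step discards most false positives such as session ids and timestamps; what remains is worth an alert, because card data in a log means the application is writing it somewhere the malware described above would also find it.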

“The group uses ‘fileless’ malware only existing in RAM, which is destroyed after reboot. To ensure persistence in the system, MoneyTaker relies on PowerShell and VBS scripts – they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code ‘on the fly’ – during the attack.”

“To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials.”

Moreover, MoneyTaker also makes use of SSL certificates generated using the names of well-known brands—including Bank of America, Microsoft, Yahoo and Federal Reserve Bank—to hide its malicious traffic.


The hacking group also configures its servers so that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. It also relies on PowerShell and VBS scripts to ensure persistence in the targeted system.

The very first attack that Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data’s STAR—the largest U.S. bank transfer messaging system, connecting ATMs at over 5,000 organizations—and stole money.

In January 2017, a similar attack was repeated against another bank.

Here’s how the attack works:

“The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked,” Group-IB explains.

“Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules.”

The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they “withdrew cash from ATMs, one by one.”

According to the report, the average money stolen by MoneyTaker from United States banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.

The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.

The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.

While it is still unclear how MoneyTaker generally gained its foothold in corporate networks, in one specific case the entry point into the bank’s internal network was the home computer of the bank’s system administrator.

Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.


Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures


Millions of Android devices are at serious risk from a newly disclosed critical vulnerability that allows attackers to secretly overwrite legitimate applications installed on your smartphone with malicious versions.

Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without breaking signature verification, eventually allowing them to distribute a malicious update for a legitimate app that looks and works the same as the original.

The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from mobile security firm GuardSquare this summer and has been patched by Google, among four dozen other vulnerabilities, as part of its December Android Security Bulletin.

However, the worrisome part is that the majority of Android users will not receive these patches for the next few months, until their device manufacturers (OEMs) release custom updates, leaving a large number of smartphone users vulnerable in the meantime.

The vulnerability affects apps using APK signature scheme v1 installed on devices running Android versions 5 (Lollipop) and 6 (Marshmallow).

Explained: How the Android Janus Vulnerability Works


The vulnerability resides in the way Android handles APK installation for some apps, leaving open the possibility of adding extra bytes of code to an APK file without affecting the application’s signature.

Before proceeding further, you need to know some basics about an APK file.

A valid APK file is an archive, just like a Zip file, which includes application code, resources, assets, signatures, certificates, and a manifest file.

Older versions of the Android operating system, 5.0 (Lollipop) and 6.0 (Marshmallow), also support a process virtual machine that can execute APK archives containing a compiled version of the application code and files in the DEX (Dalvik EXecutable) file format.

While installing an Android app or its update, your device checks the APK header information to determine whether the archive contains code in the form of DEX files.

If the header says the APK archive contains DEX files, the process virtual machine executes that code accordingly; otherwise, it handles the file as a regular APK archive.

It turns out that an APK archive can contain a DEX file and regular application code at the same time, without affecting its validity or signature.

Researchers found that this ability to add extra bytes of code, due to the lack of file integrity checking, could allow attackers to prepend malicious code compiled in DEX format to an APK archive containing legitimate, validly signed code, tricking the installation process into executing both on the targeted device without detection.

In other words, the attack doesn’t require attackers to modify the code of the legitimate application (which would invalidate its signature); instead, the vulnerability allows malware authors to merely add some extra malicious code alongside the original app.
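The mechanism above rests on one fact: scheme-v1 (JAR) signing covers the entries inside the ZIP archive, so bytes placed in front of the archive are invisible to that signature, while the runtime decides what the file is by looking at its first bytes. The block below is an added example, not GuardSquare’s or Google’s code, showing the check an app store, MDM or malware triage pipeline can run on an incoming APK: does it still parse as a ZIP, and does it start with a DEX magic instead of a ZIP local file header? The inputs are constructed in memory (a minimal ZIP standing in for a signed APK, and the same ZIP with a fake DEX header, just the magic plus padding, in front of it); no real bytecode or real app is involved.

```python
"""Check whether an APK is "Janus-shaped": a DEX header in front of a ZIP.

Added example, not GuardSquare's or Google's code. Scheme-v1 signing only
covers the archive entries, so a file can start with DEX bytes and still
contain a validly signed ZIP. The test inputs are constructed in memory.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header of the first ZIP entry
DEX_MAGIC = b"dex\n"        # first 4 bytes of the DEX magic ("dex\n035\0")


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with a few typical entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", "dex\n035\0" + "A" * 64)  # fake, not bytecode
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_janus_shaped(apk: bytes) -> bytes:
    """Constructed test input: a fake DEX header (magic + padding) before the ZIP."""
    return b"dex\n035\0" + b"\0" * 120 + apk


def classify_apk(data: bytes) -> dict:
    """Report what the first bytes claim and whether the ZIP still parses."""
    head = data[:4]
    result = {
        "starts_with_zip": head == ZIP_MAGIC,
        "starts_with_dex": head == DEX_MAGIC,
        "zip_parses": False,
        "entries": [],
    }
    try:
        # zipfile locates the central directory from the end of the file and
        # compensates for leading bytes, which is why the entries (and the
        # v1 signature over them) survive the prepended data.
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            result["zip_parses"] = True
            result["entries"] = z.namelist()
    except zipfile.BadZipFile:
        pass
    # Parses as a ZIP *and* announces itself as DEX: the shape Janus abuses.
    result["janus_shaped"] = result["zip_parses"] and result["starts_with_dex"]
    return result


if __name__ == "__main__":
    clean = build_sample_apk()
    tampered = build_janus_shaped(clean)
    for name, blob in (("clean", clean), ("tampered", tampered)):
        r = classify_apk(blob)
        print(f"{name}: janus_shaped={r['janus_shaped']} entries={r['entries']}")
```

A legitimate APK always begins with the ZIP local file header; anything else in the first bytes of a file that still unpacks as a valid archive is worth rejecting before the installer ever sees it. Apps signed with scheme v2, which hashes the whole file rather than its entries, fail verification on such a file anyway.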

Attack Scenarios

After creating malicious but valid versions of legitimate applications, hackers can distribute them using various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.

According to the researchers, it may be “relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature.”

I find the man-in-the-middle attack more interesting, as it could allow hackers to push malicious installations for apps designed to receive their updates over an unencrypted HTTP connection.

“When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update,” GuardSquare explains.

“The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get unverified code with powerful permissions installed on the devices of unsuspecting users.”

“For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates,” the security firm added.

Since this vulnerability does not affect Android 7 (Nougat) and later, which support APK signature scheme version 2, users running older Android versions are strongly recommended to upgrade their device OS (if an upgrade is available).

It’s unfortunate, but if your device manufacturer offers neither security patches nor the latest Android version, you should not install apps or updates from outside the Google Play Store, to minimise the risk of being hacked.

Researchers also advised Android developers to always apply signature scheme v2 in order to ensure their apps cannot be tampered with in this way.


Pre-Installed Keylogger Found On Over 460 HP Laptop Models


HP has an awful history of ‘accidentally’ leaving keyloggers on its customers’ laptops. At least twice this year, HP laptops have been caught with pre-installed keylogger or spyware applications.

I was following a tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he has gone public with his findings.

A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.

The keylogger was found embedded in the SynTP.sys file, part of the Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP notebook models vulnerable to hackers.

Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable the built-in keylogger “by setting a registry value.”

Here are the locations of the registry keys:

  • HKLM\Software\Synaptics\%ProductName%
  • HKLM\Software\Synaptics\%ProductName%\Default

The researcher reported the keylogger component to HP last month, and the company acknowledged the presence of the keylogger, saying it was actually “a debug trace” that had been left in accidentally but has now been removed.

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners,” HP says in its advisory, describing the issue as a potential local loss of confidentiality.

“A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”

The company has released a driver update for all the affected HP notebook models. If you own an HP laptop, you can look for updates for your model; the list of affected HP notebooks can be found on the HP Support website.

This is not the first time a keylogger has been detected in HP laptops. In May this year, a built-in keylogger was found in an HP audio driver that was silently recording all of its users’ keystrokes and storing them in a human-readable file.


Napoleon: a new version of Blind ransomware

The ransomware previously known as Blind has been spotted recently with a .napoleon extension and some additional changes. In this post, we’ll analyze the sample for its structure, behavior, and distribution method.

Analyzed samples

  • 31126f48c7e8700a5d60c5222c8fd0c7 – Blind ransomware (the first variant), with .blind extension
  • 9eb7b2140b21ddeddcbf4cdc9671dca1 – Variant with .kill extension
  • 235b4fa8b8525f0a09e0c815dfc617d3 – Variant with .napoleon extension (main focus of this analysis)

Special thanks to @demonslay335 for sharing the older samples.

Distribution method

So far we are not 100 percent sure about the distribution method of this new variant. However, looking at the features of the malware and judging from information from the victims, we suspect that the attackers spread it manually by dropping and deploying it on hacked machines (probably via IIS). This method of distribution is neither popular nor efficient; however, we’ve encountered similar cases in the past, such as the DMALocker or LeChiffre ransomware. Also, a few months ago, hacked IIS servers were used as a vector to plant Monero miners. The common feature of samples dropped in this way is that they are not protected by any cryptor (because it’s not necessary for this distribution method).

Behavioral analysis

After the ransomware is deployed, it encrypts files one-by-one, adding its extension in the format [email].napoleon.

Looking at the content of the encrypted test files, we can see that the same plaintext gave different ciphertext. This always indicates that a different key or initialization vector was used for each file. (After examining the code, it turned out that the difference was in the initialization vector.)

Visualizing the encrypted content helps us guess the algorithm with which the files were encrypted. In this case, we see no visible patterns, which leads us to suspect an algorithm with some method of chaining cipher blocks. (The most commonly used is AES in CBC mode, or possibly CFB mode.) Below, you can see the visualization made with the help of the file2png script: on the left is a BMP file before encryption, and on the right, after encryption by Napoleon:

At the end of each file, we found a unique 384-character block of hexadecimal characters, representing 192 bytes. Most probably this block is the encrypted initialization vector for the particular file:

The ransom note is in HTA format and looks like this:

It also contains a hexadecimal block, which is probably the victim’s key, encrypted with the attackers’ public key.

The GUI of Napoleon looks simplified in comparison to the Blind ransomware. However, the building blocks are the same:

It is common among ransomware authors to prepare a Tor-based website that allows automatic processing of payments and better organizes communication with the victim. In this case, the attackers decided to use just an email address—probably because they planned for the campaign to be small.

Among the files created by the Napoleon ransomware, we no longer find the cache file (netcache64.sys) that in previous editions allowed the key to be recovered without paying the ransom.

Below is the cache file dropped by the Blind ransomware (the predecessor of Napoleon):

Inside the code

The malware is written in C++. It is not packed by any cryptor.

The execution starts in the function WinMain:

The flow is pretty simple. First, the ransomware checks the privileges with which it runs. If it has sufficient privileges, it deletes shadow copies. Then, it closes processes related to databases—Oracle and SQL Server—so that they will not block access to the database files it wants to encrypt. Next, it goes through the disks and encrypts found files. At the end, it pops up the dropped ransom note in HTA format.

Comparing the code of Napoleon with the code of Blind, we see that not just the extension of encrypted files has changed, but also many functions inside have been refactored.

Below is a fragment of the view from BinDiff: Napoleon vs Blind:

What is attacked?

First, the ransomware enumerates all the logical drives in the system and adds them to a target list. It attacks both fixed and remote drives (type 3, DRIVE_FIXED, and type 4, DRIVE_REMOTE):

This ransomware does not have any list of attacked extensions. It attacks all the files it can reach. It skips only the files that already have the extension indicating they are encrypted by Napoleon:

The email used in the extension is hardcoded in the ransomware’s code.

Encryption implementation

Just like the previous version, the cryptographic functions of Napoleon are implemented with the help of the statically-linked library Crypto++ (source).

Referenced strings pointing to Crypto++:

Inside, we found a hardcoded blob—the RSA public key of the attackers:

After conversion to a standardized format, such as PEM, we were able to read its parameters using openssl, confirming that it is a valid 2048-bit RSA key:

Public-Key: (2048 bit)
Modulus:
 00:96:c7:3f:aa:71:b1:e4:2c:2a:f3:22:0b:c2:88:
 8c:87:63:b3:fa:31:97:9b:48:1b:64:2a:14:b9:85:
 0a:2e:30:b2:22:c2:ee:fe:ce:de:db:b9:b7:68:3f:
 12:a6:b3:e1:2b:db:ac:90:ea:3e:0a:07:25:3d:19:
 f2:98:b3:b2:e3:1b:22:e6:0d:ad:d5:97:6f:57:cd:
 77:6c:68:16:49:db:7d:c0:b8:03:e3:81:f5:62:ce:
 22:ae:d9:71:f4:ed:28:f0:29:0b:e3:3c:ea:2d:d8:
 13:fd:00:ff:da:4a:55:b8:70:c3:9f:ef:32:43:4b:
 3f:82:fe:26:31:03:99:fd:b0:1a:2d:7b:f8:b6:65:
 ab:d8:65:f3:c6:f3:e3:06:a9:58:5f:3e:35:0e:4c:
 f0:9e:94:49:66:2e:9c:6c:51:27:62:c1:39:02:cc:
 fb:32:4f:9a:92:f5:f9:99:96:5d:a7:65:5f:1c:fc:
 0a:1e:8b:45:53:06:89:9f:50:11:d6:06:84:a2:f2:
 5f:ab:e4:fb:cf:0d:09:64:d7:7c:99:f9:2a:b7:f5:
 c6:e4:c1:23:24:4e:2b:9f:0b:98:c3:94:93:4f:ca:
 c3:ff:ec:70:9d:df:78:37:56:0d:8b:c4:db:6d:b3:
 73:ac:0a:cb:ac:28:b2:d4:54:61:3e:3c:7e:67:97:
 f5:d9
Exponent: 17 (0x11)

This attacker’s public key is later used to encrypt the random key generated for the particular victim. The random key is the one used to encrypt the files; after it is used and destroyed, its encrypted version is stored in the victim’s ID displayed in the ransom note. Only the attackers, who hold the private RSA key, are capable of recovering it.
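The conversion step mentioned above, turning a key blob pulled out of a binary into a PEM file that openssl can read, comes up in almost every ransomware analysis. The block below is an added example, not part of the Malwarebytes analysis, that rebuilds the PEM from the modulus and exponent printed by openssl above using a small DER encoder, then parses it back to confirm the parameters. Only the modulus and exponent are taken from the page; the blob’s original on-disk layout inside the sample is not reproduced here, and the helper names are this example’s own.

```python
"""Rebuild a PEM public key from a raw RSA modulus and exponent.

Added example, not from the Malwarebytes analysis. Encodes the RSA
parameters as a SubjectPublicKeyInfo in DER, wraps it in PEM, and parses
it back. MODULUS_HEX and EXPONENT are copied from the openssl output in
the article; everything else is this example's own scaffolding.
"""
import base64

MODULUS_HEX = """
 00:96:c7:3f:aa:71:b1:e4:2c:2a:f3:22:0b:c2:88:
 8c:87:63:b3:fa:31:97:9b:48:1b:64:2a:14:b9:85:
 0a:2e:30:b2:22:c2:ee:fe:ce:de:db:b9:b7:68:3f:
 12:a6:b3:e1:2b:db:ac:90:ea:3e:0a:07:25:3d:19:
 f2:98:b3:b2:e3:1b:22:e6:0d:ad:d5:97:6f:57:cd:
 77:6c:68:16:49:db:7d:c0:b8:03:e3:81:f5:62:ce:
 22:ae:d9:71:f4:ed:28:f0:29:0b:e3:3c:ea:2d:d8:
 13:fd:00:ff:da:4a:55:b8:70:c3:9f:ef:32:43:4b:
 3f:82:fe:26:31:03:99:fd:b0:1a:2d:7b:f8:b6:65:
 ab:d8:65:f3:c6:f3:e3:06:a9:58:5f:3e:35:0e:4c:
 f0:9e:94:49:66:2e:9c:6c:51:27:62:c1:39:02:cc:
 fb:32:4f:9a:92:f5:f9:99:96:5d:a7:65:5f:1c:fc:
 0a:1e:8b:45:53:06:89:9f:50:11:d6:06:84:a2:f2:
 5f:ab:e4:fb:cf:0d:09:64:d7:7c:99:f9:2a:b7:f5:
 c6:e4:c1:23:24:4e:2b:9f:0b:98:c3:94:93:4f:ca:
 c3:ff:ec:70:9d:df:78:37:56:0d:8b:c4:db:6d:b3:
 73:ac:0a:cb:ac:28:b2:d4:54:61:3e:3c:7e:67:97:
 f5:d9
"""
MODULUS = int("".join(MODULUS_HEX.split()).replace(":", ""), 16)
EXPONENT = 17  # unusual; openssl printed "Exponent: 17 (0x11)"

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_integer(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:            # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def build_pem(n: int, e: int) -> str:
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey } } as PEM."""
    rsa_key = _der_sequence(_der_integer(n), _der_integer(e))
    bit_string = b"\x03" + _der_len(len(rsa_key) + 1) + b"\x00" + rsa_key
    spki = _der_sequence(_der_sequence(RSA_ENCRYPTION_OID, b"\x05\x00"), bit_string)
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_params_from_pem(pem: str) -> tuple:
    """Parse the PEM back into (modulus, exponent) to verify the encoding."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, spki, _ = _read_tlv(base64.b64decode(body), 0)
    assert tag == 0x30
    _, _alg, pos = _read_tlv(spki, 0)          # AlgorithmIdentifier, skipped
    tag, bits, _ = _read_tlv(spki, pos)        # BIT STRING
    assert tag == 0x03
    _, rsa_key, _ = _read_tlv(bits[1:], 0)     # skip the unused-bits byte
    _, n_bytes, pos = _read_tlv(rsa_key, 0)
    _, e_bytes, _ = _read_tlv(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


if __name__ == "__main__":
    pem = build_pem(MODULUS, EXPONENT)
    print(pem)
    print("round trip:", rsa_params_from_pem(pem) == (MODULUS, EXPONENT))
```

The resulting file can be fed to `openssl rsa -pubin -in key.pem -text -noout` to reproduce the listing above. Keeping the attacker key in PEM also makes it easy to compare across samples: a matching modulus between the Blind and Napoleon builds would tie the two campaigns to the same operator key.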

The random AES key (32 bit) is generated by a function provided by the Crypto++ library:

Underneath, it uses the secure random generator CryptGenRandom:

All the files are encrypted with the same key; however, the initialization vector is different for each.

Encrypting a single file:

Inside the function denoted as encrypt_file, the crypto is initialized with a new initialization vector:

The fragment of code responsible for setting the IV:

Setting initialization vector:

Encrypting file content:

The same buffer after encryption:

Conclusion

Napoleon ransomware will probably not become a widespread threat. The authors prepared it for small campaigns—a lot of data, such as the email address, is hardcoded. It does not come with any external configuration, as Cerber does, that would allow for fast customization.

So far, it seems that the authors fixed the previous bug in Blind of dropping the cache file. That means the ransomware is not decryptable without having the original key. All we can recommend is prevention.

This ransomware family is detected by Malwarebytes as Ransom.Blind.

Appendix

Read about how to decrypt the previous Blind variant here.

The post Napoleon: a new version of Blind ransomware appeared first on Malwarebytes Labs.

Author: Malwarebytes Labs