Saturday, May 17, 2014

[infosecurity-magazine] NSF Awards $15m to Develop Secure Internet Architecture

The National Science Foundation (NSF) is awarding $15 million in grants for the development, deployment and testing of future internet architectures that are designed to enhance security, respond to emerging service challenges and increase scalability.

In 2010, the Directorate for Computer and Information Science and Engineering (CISE) at the NSF announced awards for four  projects, each worth up to $8 million over three years, as part of the Future Internet Architecture (FIA) program. The awards enabled researchers at dozens of institutions across the US to pursue new ways to build a more trustworthy and robust internet. That was mostly an exploratory phase; now, new grants are funding trial deployments for three of them to test the concepts in a real-world scenario.
“The objective of the new awards is to move the FIA efforts from the design stage to piloted deployments that assess how the designs work at large-scale and within challenging, realistic environments,” the NSF said. “Cities, non-profit organizations, academic institutions and industrial partners across the nation will collaborate with researchers to test the new designs.”
Two notable projects from the cybersecurity perspective are Named Data Networking (NDN) and eXpressive Internet Architecture (XIA). The third awardee is the MobilityFirst project.
"These projects are just the beginning of what it would take to create a full-scale Future Internet," said Keith Marzullo, director for NSF's Computer and Network Systems Division, "but the ultimate goal is the design and deployment of a network that serves all the needs of society."
NDN will trade in the internet’s existing client-server model of interaction for a new model centered on content creation, dissemination and delivery. It will include mechanisms to support secure content-oriented functionality, regardless of the specific physical location where the content resides. The architecture thus moves the communication paradigm from today's focus on "where", i.e., addresses, servers and hosts, to "what", i.e., the content that users and applications care about.
“By naming data instead of their location (IP address), NDN transforms data into first-class entities,” the NSF explained. “While the current Internet secures the communication channel or path between two communication points and sometimes the data with encryption, NDN secures the content and provides essential context for security.”
This approach allows the decoupling of trust in data from trust in hosts and servers, enabling trustworthiness as well as several radically scalable communication mechanisms; for example, automatic caching to optimize bandwidth and the potential to move content along multiple paths to the destination. This project addresses the technical challenges in creating NDN, including routing scalability, fast forwarding, trust models, network security, content protection and privacy, and a new fundamental communication theory enabling its design.
The NDN project is partnering with Open mHealth, a non-profit, patient-centric health ecosystem, and with UCLA Facilities Management, which operates the second largest Siemens building monitoring system on the West Coast, to test actual implementation.

When it comes to XIA, researchers at Carnegie-Mellon University and three other institutions are planning to use a $5 million, two-year grant to test a next-generation internet architecture they've developed, geared to eliminate bottlenecks and incorporate intrinsic security features that can assure users that the websites they access and documents they download are legitimate.
The trials will involve delivering online video on a national scale, and setting up a vehicular network in Pittsburgh.
XIA also includes caching features – the researchers said the network will be able “to directly access content where it is most accessible, not necessarily on a host website.” The details of the actual deployments have yet to be worked out, according to Peter Steenkiste, professor of computer science and electrical and computer engineering at Carnegie-Mellon and XIA's principal investigator. However, in the online video case, it will probably involve various nodes spread across the US.
In that trial, the researchers will test the XIA network's ability to eliminate bottlenecks in the transmission of video, which now accounts for a majority of internet traffic and is slated to grow and strain the network further. Loss of even a few data packets in a high-definition video stream is of course readily apparent, Steenkiste noted, so this will be a critical test of XIA's reliability.
Meanwhile, vehicles can use wireless communication channels called dedicated short-range communications, or DSRC, that are similar to Wi-Fi. Creating DSRC networks is challenging, however, because cars and trucks quickly pass from one DSRC access point to the next. Again, because XIA enables computer users to directly access content wherever it might be on the network, rather than always accessing a host website, it should enable vehicles to solve this issue.
Plans are underway to deploy XIA in a network in and around the CMU campus, or possibly piggybacking atop downtown Pittsburgh's free Wi-Fi network, to enable vehicles to share information about road and traffic conditions and to enable occupants to access the internet and entertainment options.
Simply finding a way to evaluate network architectures will be part of the research effort, Steenkiste said, noting no widely accepted benchmarks yet exist. "It's not like the network is simply faster — it's more abstract than that," he explained. Security and reliability are some of the properties that must be evaluated.
"These deployments will leverage, and enable us to deepen, our work on secure network operations, including providing a highly available infrastructure and secure authentication mechanisms," Steenkiste said. "They will enable us to build and test a robust XIA network and establish best practices for using our architecture, including support for mobility and enhanced cybersecurity."
XIA is designed to evolve with the internet, so that it will enable future users to accommodate communications with entities that no one has dreamed of yet, researchers said. Also it’s being architected so that it can be deployed piecemeal, so that the entire internet need not be transformed before people can start seeing XIA's benefits.

[fireeye] Operation Saffron Rose

There is evolution and development underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities. The capabilities of threat actors operating from Iran have traditionally been considered limited and have focused on politically motivated website defacement and DDoS attacks.
Our team has published a report that documents the activities of an Iran-based group, known as the Ajax Security Team, which has been targeting both US defense companies as well as those in Iran who are using popular anti-censorship tools to bypass Internet censorship controls in the country.
This group, which has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard, has engaged in website defacements since 2010. However, by 2014, this group had transitioned to malware-based espionage, using a methodology consistent with other advanced persistent threats in this region.
It is unclear if the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort. We have observed this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware. They use malware tools that do not appear to be publicly available. Although we have not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used exploit code in web site defacement operations.
The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime. This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement.
Although the Ajax Security Team’s capabilities remain unclear, we believe that their current operations have been somewhat successful. We assess that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.
To view a full version of the report on “Operation Saffron Rose,” please visit: http://www.fireeye.com/resources/pdfs/fireeye-operation-saffron-rose.pdf.

[fireeye] Managed Defense – Reducing the Time to Detect and Resolve Threats

Working in FireEye Managed Defense presents an interesting perspective into some of the most advanced threats. Our service meshes a team of experts with a powerful technology stack. We combine host- and network-based forensic technologies with highly experienced and skilled analysts, incident responders, and reverse engineers around the clock and across the globe. The foundation of Managed Defense is our partnership with our customers to detect evil and contain compromise. We work together to investigate the compromise, determine a remediation strategy, extract intelligence, and deploy new intelligence into our operations. This ability to leverage expertise to create intelligence and apply it consistently to the endpoint and to network traffic enables our team to adapt and respond quickly. In the face of a campaign like Operation Clandestine Fox, it ensures our clients are protected from even the most advanced attacker groups.
The last 10 days have shown us once again why our mission of defeating the adversary is so critical. On Friday, April 25, we discovered a new IE 0-day exploited as part of a campaign later dubbed Operation Clandestine Fox. In this post, we present an inside look into the discovery and exploitation of this vulnerability and how we were able to help not only the original Managed Defense customer but also others.
The Initial Detection
This story begins on April 25, when a group of our analysts working with a Managed Defense client detected an active APT backdoor using one of the many indicators of compromise (IOCs) we check for within Managed Defense
At first glance, it might have been reasonable to characterize the initial compromise as fairly typical. We knew at the time that the attackers had been able to deploy at least one backdoor, and were communicating interactively with it to escalate the attack. After containing the host, the usual questions emerged:
  • How was the machine compromised?
  • Was the scope of the compromise limited to a single host?
  • What did the attackers accomplish?
  • Who was the Threat Actor behind the attack?
That evening, a deeper analysis of the host revealed that the backdoor was resident only in memory and communicating out to remote attacker infrastructure. While we had seen similar malware variants, analysis of JavaScript and Flash objects from this host indicated that we were possibly at the forefront of discovering a previously unknown vulnerability being exploited.
Evaluating the malware and the tactics employed pointed to a threat group that we had seen before. This group had been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.
Expanding Detection Across Managed Defense
The new 0-day was, of course, the big news. But just as important to our Managed Defense customers were lesser-known details that we tend to dig up every day on threats big and small.
For instance, during the early stages of investigation, we produced evidence of the targeted spear phishing campaign that served as the initial attack vector. The campaign morphed four times, altering the content and remote locations of the payloads. Not only were we able to help our initial client detect and contain the threat, but continuously updating our applied intelligence led to other detections of the same campaign elsewhere.
Immediately after we deployed host-based indicators for the first-stage backdoor as well as network-based indicators for the command and control (C2) channels, we found a compromise at two additional Managed Defense customers. This meant we could pivot quickly into a focused investigation and response for our other customers – all of this in a matter of hours.
The analysis performed within the first few hours allowed our team to deploy these network-based indicators across the globe and ensure that we were positioned between our customers and their adversaries to detect the attack early in the attack lifecycle. Not long after, as an added countermeasure, we further augmented our detection capability by deploying host-based indicators specifically focused on rapidly surfacing additional variants of the first-stage backdoor. All told, we built new intelligence around the phishing emails, the backdoors used, use of the 0-day exploit, and evidence of backdoor installation via an in-memory mutex. This is handy as memory-only enterprise sweeps are much faster than filesystem ones.
Within 24 hours, we had gathered and reviewed results from nearly a million endpoints across the Managed Defense customer base. The additional activity we observed solidified our theory that at least one APT threat actor group was broadly and aggressively targeting an array of key industries, including aerospace, energy, financial, and the federal sector.
We published all of the intelligence we could glean as the investigation progressed so our customers could have insight on the threat actor and their tactics. This also supported customers discussing the threat with their peer groups to help drive the ultimate goal of protection, remediation and recovery.
Our work here resulted in new detection capabilities to find compromise through the attack lifecycle, ranging from initial targeting to successful exploitation and subsequent escalation through the establishment of more persistent backdoors. Thanks to our rapid deployment of relevant intelligence across our platform and the quick action of our clients, the eleven Managed Defense clients targeted by this campaign were all able to successfully contain the compromises at the initial stage, preventing further attacker activity within client environments.
Looking Back (and Forward)
Given the relative ubiquity of the vulnerability and the scope of the opportunity presented to attackers, we were unsurprised to see the attackers carry on through the week of April 28th. The Managed Defense team continued to work with our customers in a few ways:
  • We continued to monitor our customers’ global infrastructure 24×7 for related activity;
  • Over the course of 7 days, we published compromise reports that described related attacker activity at a dozen unique enterprises, spanning multiple industries;
  • We were easily able to pivot into Incident Response where necessary and applied additional horsepower to analyze a variety of forensic artifacts and accelerate response time;
  • We published additional intelligence to our customers so that each team could augment their own legacy detection capabilities and potentially prevent compromise.
With Microsoft’s recent patch release, we’ve already witnessed a shift in attacker activity, including a substantial decrease in phishing activity. This once wide-open door is closing shut, but we know our adversaries’ unrelenting search for new attack surfaces undoubtedly continues. For those of us in Managed Defense, events like those detailed above are common occurrences, but they nonetheless serve as inspiring reminders of the gravity of our mission: to help protect our clients from skilled and determined adversaries. The best analysts in the industry, a global deployment of detection technology, superior threat intelligence, and an ability to rapidly escalate and deploy that new intelligence, when combined with the close partnerships we have with our clients ensures we are well prepared for the inevitable next round of attacks.

Thursday, May 8, 2014

[infosecinstitute] Exploiting Windows 2003 Server Reverse Shell

This paper is intended to explain several Metasploit approaches to exploit the vulnerable Windows 2003 server operating system, especially through msfconsole and msfcli modules, and demonstrates how to access the target computer in a comprehensive hacking life-cycle manner. Metasploit is quite useful in penetration testing, in terms of detecting vulnerabilities in the target Windows 2003 operating system, as well as for exploiting its loopholes. Metasploit could be utilized by both offensive and defensive professionals.

[infosecurity-magazine] World’s Most Advanced Hackers are in Russia and Eastern Europe

At Infosecurity Europe 2014, Eleanor Dallaway caught up with Ross Brewer, vice president and managing director for international markets, and Mike Reagan, CMO at LogRhythm to talk insider threats, and the global threat landscape…

Monday, May 5, 2014

[infosecinstitute] Encrypted Code Reverse Engineering: Bypassing Obfuscation

Abstract
Obfuscation is a distinctive mechanism equivalent to hiding, often applied by security developers, to harden or protect the source code (which is deemed as intellectual property of the vendor) from reversing. The goal of such an approach is to transform the source code into new encrypted byzantine source code symbols which have the same computational effect as the original program. By applying effective obfuscation over the source code, it is difficult for a vicious-intentioned person to analyze or subvert the unique functionality of software as per his requirements. Vendors typically seem to be safe by ensuring obfuscation over their intellectual property, but unfortunately, software code is not safe from being modified even after applying obfuscation; it still can be cracked. However, this phenomenon can be illustrated by applying sort of rare tactics to bypass the obfuscation mechanism in order to reverse engineer or alter the inherent functionality of software.

[infosecinstitute] Cloud-Based File Sharing Websites: A Data Security Disaster Waiting to Happen?

Have you ever stopped to consider the sensitivity and potential value of the information you have distributed using the many widely available file sharing websites?
These types of sites have seen considerable uptake in recent years, as users struggle to share large files whilst battling standard email file size and gateway limits imposed by IT departments. Many users would argue that restrictions placed on them by central IT policies leave them with no choice but to look for alternative ways to send ‘must share’ data. However, although these sites may seem easy to use, they also pose a considerable data security and compliancy risk to corporate networks.

[infosecinstitute] iOS Application Security Part 34 – Tracing Method calls using Logify

In the previous articles, we have seen how applications like Snoop-it can trace method calls specific to the application at runtime. This is very important in deducing the flow of the application. The same process can be performed by using a perl script named Logify.pl that comes installed with Theos. The script takes input as a header file and generates the hooking code that we can add in our tweak. We can also specify the classes we want to check. Once the tweak is installed on the device, whenever a method for that particular class is called, the tweak logs out the method along with the arguments to syslog. The first step here is to get the header files for a particular application. You can get the header files by using the -H option in class-dump-z. Once the headers folder is generated, you can copy it to your system.

[fireeye] Ghost-Hunting With Anti-Virus

In October 2012, data security firm Imperva released a controversial report on the efficacy of anti-virus (AV), which concluded that AV solutions only stopped 5 percent of all malware identified. Few reports in the security industry had been as polarizing as this one—many reacting with white-knuckle rage. It was a classic case of Chris Christensen’s “Innovator’s Dilemma,” where old school technologies cling to life, in the face of a new paradigm. Just yesterday, one of the original anti-virus vendors joined the fray in “declaring anti-virus dead” in the Wall Street Journal.

[fireeye] Mobile Phones: Smart Doesn’t Equal Safe

Mobile Phones: Smart Doesn't Equal Safe
http://www.fireeye.com/blog/corporate/2014/05/mobile-phones-smart-doesnt-equal-safe.html

[fireeye] “Operation Clandestine Fox” Now Attacking Windows XP Using Recently Discovered IE Vulnerability

On April 26th, FireEye Research Labs notified the public of a new IE zero-day exploit being used in “Operation Clandestine Fox.” The initial attack targeted users of IE versions 9, 10, and 11 on Windows 7 and 8. Despite attackers only targeting those versions of Microsoft IE and Windows OS, the vulnerability actually impacts all versions of IE from 6 through 11.

Monday, April 28, 2014

[securityaffairs] FireEye discovered a new zero-day exploit for IE in the wild – Operation Clandestine Fox

FireEye Research Labs has identified a new IE zero-day vulnerability exploited in a series of targeted attacks part of the Operation Clandestine Fox.

[securityaffairs] Reading the Verizon Data Breach Investigation Report 2014

Verizon Data Breach Investigation Report 2014, to better understand how attackers can affect company business, and learn the proper countermeasures.

[securityaffairs] A flaw in old versions of NetSupport Manager exposes company data

Researcher David Kirkpatrick discovered a flaw in older versions of NetSupport Manager could expose sensitive configuration settings and lead to compromise.

[securityaffairs] How to abuse Facebook feature to conduct powerful DDoS attack

A researcher discovered a flaw in the section “notes” of the social network Facebook that could be exploited by anyone to conduct a powerful DDoS attack.

[infosecinstitute] Remote Access Tool

Remote Access Tool is a piece of software used to remotely access or control a computer. This tool can be used legitimately by system administrators for accessing the client computers. Remote Access tools, when used for malicious purposes, are known as a Remote Access Trojan (RAT). They can be used by a malicious user to control the system without the knowledge of the victim. Most of the popular RATs are capable of performing key logging, screen and camera capture, file access, code execution, registry management, password sniffing etc.

[infosecinstitute] Step by Step Guide to Application Security Penetration Testing

Introduction
This document will guide you to penetrate web applications step by step. We have followed OWASP (Open Web Application Security Project) and OSSTM (Open Source Security Testing Methodologies) to construct this article.

[infosecurity-magazine] China's Google Equivalent, Sohu, Used For Massive DDoS

Sohu.com, China’s eighth-largest website and currently the 27th most-visited website in the world, was the unwitting originator of a massive distributed denial-of-service (DDoS) attack earlier in the month, which was carried out using traffic hijacking techniques. In all, the application-layer attack consisted of more than 20 million GET requests originating from the browsers of 22,000+ internet users – all turned into unwilling accomplices by the offender.

[securelist] New Flash Player 0-day (CVE-2014-0515) used in watering-hole attacks

In mid-April we detected two new SWF exploits. After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a 0-day vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing.

[fireeye] The Road to Resilience: How Cybersecurity is Moving from the Back Office to the Boardroom

For too long, our industry has framed cybersecurity as a technical issue.
We have measured success on the volume of malware we detect and block, not how we respond to the threats that matter. We have taken a one-size-fits-all approach to security incidents, regardless of who’s attacking, how they work, and what they’re after. We have rarely engaged other business units when responding to incidents — and when we do, we fixate on the technical details rather than weighing their business impact.

[fireeye] New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks

Summary
FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks.  The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11.  This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.

[fireeye] Zero-Day Attacks are not the same as Zero-Day Vulnerabilities

When it comes to “zero-days,” there is much room for confusion in terms of definition and priority. At FireEye, we follow the industry-standard term of “zero-day attacks.” This term is defined as software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it.

Thursday, April 24, 2014

[securityaffairs] Viber vulnerable to MITM attack, million users at risk

Security researchers at UNH Cyber Forensics Research & Education Group have discovered a serious flaw in Viber messaging and voice system.

[securityaffairs] NIST removes Dual_EC_DRBG algorithm from Draft Guidance suggesting to abandon it

The NIST announced it will request final public comments before Dual_EC_DRBG generator is officially removed from NIST Special Publication 800-90A, Rev.1

Wednesday, April 23, 2014

[securityaffairs] An overview on the Bad Bot Landscape by Distil Networks

Distil Networks security firm has published an interesting report on the Bad Bot Landscape, it is full of data on the evolution of malicious architecture.

[securityaffairs] Grams, the search engine for the black markets

It has been officially announced the launch of the beta version of Grams Darknet Market Search Engine specialized for researches in the underground markets.

[securityaffairs] Certificate revocation checks aren’t efficient against Heartbleed

Security researcher Adam Langley of Google explained the real efficiency of revocation checking in response to OpenSSL heartbeat bug.

[securityintelligence] Why Context is King for Enterprise IT Security

The importance of context in vulnerability management is imperative. However, the role of context goes far beyond the walls of vulnerability management and, in fact, has significant relevance in all areas of enterprise IT security, especially in security intelligence. The core purpose of security intelligence is to gain knowledge in an effort to efficiently secure networks. In both defense and assessment, this means fewer false positives and more relevant findings. Sadly, many security efforts fail to gain these benefits due to a lack of contextual information.

[infosecinstitute] Android Hacking and Security, Part 3: Exploiting Broadcast Receivers

In the first two articles, we discussed attacks associated with Activity Components, content provider leakage and ways to secure them. In this article, we will discuss attacks on broadcast receivers.

[infosecinstitute] Buffer Overflow Attack & Defense

Abstract
This paper attempts to explain one of the critical buffer overflow vulnerabilities and its detection approaches that check the referenced buffers at run time, moreover suggesting other protection mechanics applied during software deployment configuration. Programs typically written in C or C++ language are inherently susceptible to buffer overflow attacks, in which methods are often passed pointers or arrays as parameters without any indication of their size, and such malpractices are exploited later. Buffer overflows remain one of the most critical threats to systems security, especially for deployed software. Successful mistreatment of a buffer overflow attack often leads to arbitrary code execution in the form of so-called shell code, and thorough control of the vulnerable application in a vicious manner.

[infosecinstitute] API Hooking

API hooking is a technique by which we can instrument and modify the behavior and flow of API calls. API hooking can be done using various methods on Windows. Techniques include memory break point and .DEP and JMP instruction insertion. We will briefly discuss the trampoline insertion techniques.

[infosecinstitute] Subterfuge: The Automated Man-in-the-Middle Attack Framework

Introduction
Surfing the internet through untrustworthy public networks whether wired or wireless has been known to be risky for a long time now. We all think twice before logging into our bank account or accessing any kind of sensitive information, but what about simply browsing our favourite site?

[infosecurity-magazine] Apple Fixes Critical Triple-handshake Flaw

Apple has fixed a critical “triple-handshake” crypto vulnerability with a round of OS X and iOS updates that would allow an attacker with a privileged network position to capture data or change the operations performed in sessions protected by SSL.

[infosecurity-magazine] Millions of Android App Downloads Are Vulnerable to Heartbleed Bug

The Heartbleed vulnerability continues to sap the life force from various sectors, and it looks like the mobile applications space is not immune. New analysis has revealed that approximately 150 million downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed, a larger number than originally expected.

[securelist] An SMS Trojan with global ambitions

Recently, we’ve seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS.AndroidOS.Stealer.a: this Trojan came top in Kaspersky Lab's recent mobile malware ТОР 20. It can currently send short messages to premium-rate numbers in 14 countries around the world.

[fireeye] If an Android Has a Heart, Does It Bleed?

The OpenSSL Heartbleed vulnerability “allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” [1]. Heartbleed surprised the public by allowing attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. However, due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.

[fireeye] Dissecting Advanced Attacks: FireEye Labs and the 2014 DBIR

With the release of this year’s Verizon Data Breach Investigations Report, it is clear that the cybersecurity landscape is once-again experiencing a drastic change in the type of attacks that are threatening organizations’ intellectual property, financial information and customer data.

[fireeye] InfoSecurity Europe 2014: Cybersecurity for the Masses

InfoSecurity Europe is the biggest security event and most important date on the calendar for information security professionals across Europe. The event aims to break through the noise and provide the European audience with all the necessary information to better understand cyber threats to their networks. Join FireEye experts and learn how to prepare for a new frontier of advanced attackers:

Monday, April 21, 2014

[thehackernews] Routers TCP 32764 Backdoor Vulnerability Secretly Re-Activated Again

At the beginning of this year, we reported about the secret backdoor ‘TCP 32764’ discovered in severalrouters including, Linksys, Netgear, Cisco and Diamond that allowed an attacker to send commands to the vulnerable routers at TCP port 32764 from a command-line shell without being authenticated as the administrator.

[securityaffairs] The novelties inside the last critical update for P2P Zeus

Which are the security improvements in the critical update proposed by criminal ecosystem for P2P Zeus Botnet? Fortinet experts detected and analyzed it.

[securityaffairs] Critical Infrastructure security, is it possible a shared regulatory?

Reflession on the necessity to adopt a shared regulatory for the security of critical infrastructure. Eugene Kaspersky point of view on the topic.

[securityaffairs] Millions Feedly users vulnerable to Javascript Injection attack

A security researcher discovered a serious Javascript Injection vulnerability in the popular Feedly Android App impacting Millions Users.

[securityaffairs] Mandiant uncovered Heartbleed based attacks to Hijack VPN sessions

Security experts at Mandiant uncovered attackers exploiting the Heartbleed vulnerability to circumvent Multi-factor Authentication on VPNs.

[securityaffairs] Unflod Baby Panda, the Chinese malware hit jailbroken iphone

Unflod Baby Panda is the name of a new mobile malware which is targeting jailbrokenversions of Apple iPhone. The threat seems to have China origin.

The number of cyber threats against mobile users is in constant increase, on the other hand bad habits like the practice of jailbreak/root the devices and the lack of defense systems are favoring the diffusion of new families of malicious code.
Recently I noted ion the Reddit Jailbreak community discovered a new malware, dubbed ‘Unflod Baby Panda’, affecting some jailbroken Apple iOS devices. A user triggered the alert after noting an unusual activity on his jailbreaked iPhone, as reported by the member of the community Snapchat and Google Hangouts were crashing constantly just after the execution of the jailbreak procedure.
According the members of the communities the Unflod Baby Panda infection was limited to jailbroken Apple iOS devices, the malware was designed to steal victims’credentials, including the Apple IDs.
The threat affects iPhone iPhone 5 and any other 32-bit jailbroken iOSdevice handset.
The malware spread through the‘Unfold.dylib’ file, once has stolen the user’s credentials, it sends them to a C&C servers provided by US hosting companies and managed by Chinese customers.
“This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken devices and listens for outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintextto servers with IP addresses in control of US hosting companies for apparently Chinese customers. Users of reddit have made this malware available to the public, which allowed SektionEins to perform an analysis of this threat. However so far only the malware itself has been found and until now it is unknown how it ends up on jailbroken phones. Rumours that Chinese piracy repositories are involved are so far unverified” states a post published by SektionEins security firm which analyzed the malicious agent.
It has been hypothesized that Unflod Baby Panda malware was spread through a Chinese web site which offer iOS software, another interesting aspect of the infection that malicious code is digitally signed with an iPhone developer certificate.
I have found it curious because the Unflod Baby Panda malware infect only jailbroken iPhones and it was not necessary on such hardware to sign the source code for its execution.
Details of the digital certificate used by to sign Unflod Baby Panda malware are reported below.
$ codesign -vvvv -d Unflod.dylib
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484
The the signature date is the 14th of February of this year, probably the Unflod Baby Panda is being around without being discovered in the last months.
Unflod Baby Panda 2
The researchers noted that it is possible to manually remove Unflod Baby Panda
  • Download the iFile app for free from Cydia and by using iFile, check whether your device is affected by the malicious software or not.
  • Navigate to /Library/MobileSubstrate/DynamicLibraries/
  • If you spot any files named Unflod.dylib or Unflod.plist and/or framework.dylib and framework.plist then you have been affected.
  • Use iFile to delete Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist
  • Reboot your device and then change your Apple ID password and security questions immediately and just to be on safe side, use two-step verification method and avoid installing apps from untrusted sources.
“We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak,” reported the researchers.
Be aware … mobile jailbreak could hide numerous pitfalls.

[securityaffairs] Satellite equipment affected by severe vulnerabilities

A study conducted by experts at IOActive uncovered a variety of severe vulnerabilities in Satellite equipment widely used in numerous industries.

[net-security] Organizations remain vulnerable to SQL injection attacks

Privacy and information security research firm Ponemon Institute, along with DB Networks, an innovator of behavioral analysis in database security, today announced the results of the Ponemon Institute’s first-of-its-kind SQL injection threat study. 

[infosecinstitute] iOS Application Security Part 33 – Writing tweaks using Theos (Cydia Substrate)

In some of the previous articles in this series, we have looked at how we can modify the behaviour of an application by patching it using IDA Pro, Hopper etc. However, doing this hasn’t been quite straightforward always. We can also use Cycript to modify the behaviour of an application by changing some of the method implementations, but the change isn’t permanent. This is where writing tweaks for an application comes in handy. A tweak is nothing but a run-time patch to an application using the Cydia Substrate framework. Cydia Substrate consists of 3 major components: MobileHooker, MobileLoader and safe mode. You can read about these 3 major components here. Saurik has also written a complete series of documentation here. Our main focus here would be not to go in depth and learn how to write tweaks for jailbroken devices but to understand there relevance to application security so we can quickly write our own tweaks when necessary.

Thursday, April 17, 2014

[thehackernews] Several Tor Exit Nodes Vulnerable To Heartbleed Bug

Half of the Internet fall victim to the biggest threat, Heartbleed bug and even the most popular online anonymity network Tor is also not spared from this bug.

[thehackernews] The Keen Team - Chinese Hacker Group Reveals their Identities

The Keen Team – a mysterious group of Chinese hackers who hacked Apple’s Safari Mac OS XMavericks system in just 20 seconds and Windows 8.1. Adobe Flash in only 15 seconds during Pwn2OwnHacking Competition this year, are no more mysterious as the team revealed its members identity.

[thehackernews] WhatsApp Flaw leaves User Location Vulnerable to Hackers and Spy Agencies

If you are using WhatsApp to chit-chat with your friends or relatives, then you should be careful about sharing your location with them using WhatsApp ‘Location Share’ feature.

[scmagazine] POS malware risks millions of payment cards for Michaels, Aaron Brothers shoppers

Following an investigation with two independent security firms that dates back to January, arts and crafts retailer Michaels Stores confirmed on Thursday that, much like retail giant Target, its U.S. stores had experienced a payment card breach.

[securityaffairs] Cyber warriors fought between the government and the security industry

The demand for cyber security experts continues to raise, the US Government announced further investment to recruit new cyber talents with many difficulties.

[securityaffairs] New iBanking mobile Trojan exploits Facebook platform

Security experts at ESET detected a new variant ofiBanking Trojan offered in the underground thatexploits Facebookplatform as vector of infection.

[securityaffairs] Intelligence could exploit Whatsapp bug to track users location

A group of researchers discovered a vulnerability in WhatsApp “Location Share” feature which exposes user’s location to the attackers.

[securityaffairs] Samsung Galaxy S5 fingerprint sensor hacked

SRLabs researchers have published a video POC on YouTube to demonstrate how it is easy to bypass the fingerprint sensor on Samsung Galaxy S5.

[net-security] The dismal state of SATCOM security

Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired, says Ruben Santamarta, principal security consultant with IOActive.

[net-security] Attackers use reflection techniques for larger DDoS attacks

Akamai announced a new global DDoS attack report, which shows that in Q1, DDoS attackers relied less upon traditional botnet infection in favor of reflection and amplification techniques.

[net-security] Tor relays vulnerable to Heartbleed dropped from anonymity network

Thanks to the OpenSSL Heartbleed bug, the Tor anonymity network is set to temporarily lose around "12 per cent of the exit capacity and 12 per cent of the guard capacity.” 

[securityintelligence] Identity Management in the Cloud: Top Tips for Secure Identities

The benefits of cloud-based services are manifold. They enable organizations not only to offset costs but also to achieve greater business agility and to reach new markets and customers. But what about identity management in cloud computing?

[accuvant] Drawing Parallels Between Non- IT and Security Engineering Principles (Part 2 of 2)

Continuing on from my last blog post; I was considering non-IT engineering/architecture principles I read in 101 Things I Learned in Architecture School by Matthew Frederick and how they apply to security engineering.

[infosecinstitute] Assembly Programming with Visual Studio.NET

MASM is maintained by Microsoft and is an x86 assembler that consumes Windows and Intel syntax to produce a COFF executable. It is compatible for both 16 bit and 32 bit sources. Fortunately, Microsoft’s Visual Studio IDE endorses MASM programming tasks just by making a couple of project property changes. The prime objective behind this article is to introduce the power of assembly code in terms of speed and full control over programs which are typically not seen in other programming languages. Even though there are numerous editors and software available to do such a task in a standalone way, the aspirant system or security programmers who are only limited to .NET software IDE so far can enter into the real system programming world by using none other than visual studio IDE.

[infosecinstitute] Murdering Dexter

In this article we are going to solve a Bot challenge. The name of the bot is Dexter and the vulnerable VM which we are going to use is created by Brian Wallace. The challenge is to gain root privileges of the bot command and control center and the system’s also.

[infosecinstitute] Virtualization and Cloud Computing

In cloud computing, there are a number of components used to build the cloud infrastructure. At the lowest layer there are actual hardware components like servers, network attached storage and network components. In order to limit the possibility of spreading an infection, networks need be properly separated into multiple DMZs with limiting rules of connectivity between two networks. The very core of cloud computing is virtualization, which is used to separate a single physical machine into multiple virtual machines in a cost-effective way. Don’t get me wrong, running and operating a cloud is certainly possible without virtualization, but requires more work and time to actually pull it off; by using virtualization, we’re basically getting a lot of the work done for free. With virtualization, a number of virtual machines can run on the same physical computer, which makes it cost-effective, since part of the physical server resources can also be leased to other tenants. Such virtual machines are also highly portable, since they can be moved from one physical server to the other in a manner of seconds and without downtime; new virtual machines can also be easily created. Another benefit of using virtualization is the location of virtual machines in a data center – it doesn’t matter where the data center is located and the virtual machine can also be copied between the data centers with ease.

[infosecurity-magazine] Android Malware Repurposed to Thwart Two-factor Authentication

A malicious mobile application for Android that offers a range of espionage functions has now gone on sale in underground forums with a new trick: it’s being used by several banking trojans in an attempt to bypass the two-factor authentication method used by a range financial institutions.

[infosecurity-magazine] Despite Mobile, Cloud and Big Data, People Are the Biggest Security Weakness

As the volume of data generated within the enterprise workflow grows bigger each and every day, adopting a future-proof approach to information security will be increasingly imperative – and even more challenging. Much talk has arisen about the cloud and mobile devices, and their requisite applications, being a growing threat vector. But new survey results suggest that when it comes to protecting companies’ IT infrastructure, it is in fact people who present the biggest security problem.

[infosecurity-magazine] Disintegration of Trust in Cyberspace Must Drive New Security Attitudes

The revelations in 2013 that governments and their agencies have been spying on citizens in the name of national security have seriously undermined trust when it comes to operating in cyberspace, according to the Information Security Forum (ISF).

[securelist] New threat: Trojan-SMS.AndroidOS.Stealer.a

The situation surrounding attempted mobile malware infections is constantly changing, and I’d like to write about one recent trend. Over the last year, Trojan-SMS.AndroidOS.Stealer.a, a mobile Trojan, has become a leader in terms of the number of attempted infections on KL user devices, and now continually occupies the leading positions among active threats. For example, in Q1 2014 it accounted for almost a quarter of all detected attacks.

[securelist] Would you like some Zeus with your coffee?

Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on fake messages supposedly from coffee chain Starbucks combined the two.

[fireeye] The Economics of Security

During many of my customer meetings, I often hear security leaders ask the question: “What technology could I remove to free up budget to enable the implementation of FireEye?”

[fireeye] Crimeware or APT? Malware’s “Fifty Shades of Grey”

Some cybercriminals build massive botnets to use unsuspecting endpoints for spam, distributed denial-of-service (DDoS) attacks, or large-scale click fraud. With the aid of banking Trojans, other cybercriminals create smaller, specialized botnets that focus on stealing bank credentials and credit card information.

Tuesday, April 15, 2014

[thehackernews] German Aerospace Center targeted by Self-Destructing Spyware

It’s not so far when Germany confirmed its biggest Data theft in the country's history with the usernames and passwords of some 18 million email accounts stolen and compromised by Hackers, and now German space research center has been reportedly targeted in a cyber attack.

[securityaffairs] APWG report 2H2013- Analysis of phishing phenomena on global scale

The APWG report 2H2013 seeks to understand trends and their significance by quantifying the scope of the global phishing problem.

Last Anti-Phishing Working Group APWG report titled “Global Phishing Survey: Trends and Domain Name Use in 2H2013” confirms that threat of phishing has never been so high, the number of domains registered to conduct this kind of illicit activities has passed all records in the second half of 2013. Chinese phishers are the most aggressive and they were responsible for 85% of the domain names that were registered for phishing activities.
The phishing attacks are mainly suffered by Chinese online population instead better-secured US and European netizens. The overall number of malicious domains used for phishing attacks reached a total of 82,163 in the second half of 2013,  59,332 were compromised web hosts while remaining 22,831 were registrations made by phishing criminals.
APWG report H2 2013 basic stats
The scale of phishing activities against the Chinese population during last year should worry the local authorities, for Chinese cyber criminal gangs it is very easy to register and manage domains for illicit activities without incurring in any sanction.
The APWG report states that there were at least 115,565 unique phishing attacks worldwide, an increase of 60% respect first half of 2013.
“Most of the growth in attacks came from phishing that used maliciously registered domains and subdomains. An attack is defined as a phishing site that targets a specific brand or entity. A single domain  name can host several discrete phishing attacks against different banks” states the APWG report.
Another interesting aspect related to phishing attacks occurred in the H2 2013 is that the average uptimes of phishing attacks is declined respect the first part of the year, the average duration was 28 hours and 43 minutes, while the median uptime was 7 hours and 54 minutes. The data confirm that phishing attacks must succeed quickly,  half of all the offensives stay active for less than 8 hours.
Very interesting is the data related to target distribution, the APWG report discovered 681 unique phished target institutions (mainly financial and ecommerce), 324 of them were totally new and not attacked in the first part of the year, this means thatphishers are trying out new targets.
“They appear to be looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing” states APWG report.
APWG report H2 2013 targeted industries
As occurred already in the past, phishers continue to break into web servers that hosts a large number of domains, “shared virtual servers”, in this way just updating server configuration with malicious content the hackers can compromise multiple domains
“Instead of hacking sites one at a time, the phisher often infects hundreds of web sites at a time, depending on the server. In 2H2013, we identified 178 mass break-ins of this type, resulting in 20,911 phishing attacks. This represents 18% of all phishing attacks recorded worldwide”
APWG report H2 2013 shared server attacks
The APWG report definitely suggests that phishing is changing, phishers are exploring new tactics and they are searching for new targets. We must consider that China isn’t the unique country to suffer phishing activities, US for example suffer a much bigger problem related to small-scale spear phishing attacks, which are not analyzed by the APWG because they are targeting single enterprises and can’t be detected through domain registrations.
As explained in the APWG report spear-phishing continues to be an important tool for:
  • Criminals who are perpetrating financial crimes against specialized or small targets, like students at a particular university. 
  • Spies involved in corporate and government espionage
  • Hacktivists who seek publicity for their causes.
http://securityaffairs.co/wordpress/23996/cyber-crime/apwg-report-2h2013.html