Monday, April 28, 2014
A look at the Verizon Data Breach Investigations Report 2014, to better understand how attackers can affect company business and learn the proper countermeasures.
Researcher David Kirkpatrick discovered a flaw in older versions of NetSupport Manager that could expose sensitive configuration settings and lead to compromise.
A researcher discovered a flaw in the “Notes” feature of the social network Facebook that could be exploited by anyone to conduct a powerful DDoS attack.
A Remote Access Tool is a piece of software used to remotely access or control a computer. Such tools can be used legitimately by system administrators to access client computers. When used for malicious purposes, a remote access tool is known as a Remote Access Trojan (RAT): a malicious user can control the system without the knowledge of the victim. Most popular RATs are capable of key logging, screen and camera capture, file access, code execution, registry management, password sniffing and more.
This document will guide you through penetrating web applications step by step. We have followed the OWASP (Open Web Application Security Project) and OSSTMM (Open Source Security Testing Methodology Manual) methodologies to construct this article.
Sohu.com, China’s eighth-largest website and currently the 27th most-visited website in the world, was the unwitting originator of a massive distributed denial-of-service (DDoS) attack earlier in the month, which was carried out using traffic hijacking techniques. In all, the application-layer attack consisted of more than 20 million GET requests originating from the browsers of 22,000+ internet users – all turned into unwilling accomplices by the offender.
In mid-April we detected two new SWF exploits. After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a 0-day vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing.
For too long, our industry has framed cybersecurity as a technical issue.
We have measured success on the volume of malware we detect and block, not how we respond to the threats that matter. We have taken a one-size-fits-all approach to security incidents, regardless of who’s attacking, how they work, and what they’re after. We have rarely engaged other business units when responding to incidents — and when we do, we fixate on the technical details rather than weighing their business impact.
[fireeye] New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track the issue.
When it comes to “zero-days,” there is much room for confusion in terms of definition and priority. At FireEye, we follow the industry-standard term of “zero-day attacks.” This term is defined as software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it.
Thursday, April 24, 2014
Security researchers at UNH Cyber Forensics Research & Education Group have discovered a serious flaw in Viber messaging and voice system.
NIST announced that it will request final public comments before the Dual_EC_DRBG generator is officially removed from NIST Special Publication 800-90A, Rev. 1.
Wednesday, April 23, 2014
The security firm Distil Networks has published an interesting report on the Bad Bot Landscape, full of data on the evolution of malicious bot architectures.
The launch of the beta version of Grams, a darknet market search engine specialized in searching the underground markets, has been officially announced.
Google security researcher Adam Langley explained the real effectiveness of certificate revocation checking in the wake of the OpenSSL heartbeat bug.
In the first two articles, we discussed attacks associated with Activity Components, content provider leakage and ways to secure them. In this article, we will discuss attacks on broadcast receivers.
This paper attempts to explain one of the critical buffer overflow vulnerabilities and the detection approaches that check the referenced buffers at run time, and suggests further protection mechanisms applied at software deployment and configuration time. Programs written in C or C++ are inherently susceptible to buffer overflow attacks: functions are routinely passed pointers or arrays as parameters without any indication of their size, and such practices are exploited later. Buffer overflows remain one of the most critical threats to system security, especially for deployed software. Successful exploitation of a buffer overflow often leads to arbitrary code execution in the form of so-called shell code and to complete control of the vulnerable application by the attacker.
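As an added illustration, not taken from the paper, the C below puts the pointer-without-size pattern the paper describes next to a hardened version that carries the capacity and checks it, and adds a minimal guard-value check of the kind the run-time detection approaches rely on. The function names (set_name_unchecked, set_name_checked, guarded_set), the 16-byte buffer and the guard constant are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16            /* fixed-size destination used throughout (example's choice) */

/* Vulnerable pattern: the callee is handed only a pointer, so it cannot know
 * how large the destination is and copies until it finds the source's NUL.
 * Any source of NAME_CAP bytes or more overwrites whatever follows the
 * buffer on the stack: other locals, the saved frame pointer, the return
 * address. That is the write primitive shell code relies on. */
void set_name_unchecked(char dst[NAME_CAP], const char *src)
{
    strcpy(dst, src);
}

/* Bounded length without POSIX strnlen(), so the block builds with plain C99. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Hardened pattern: the capacity travels with the pointer and is checked
 * before a single byte is written. Returns the number of bytes copied
 * (excluding the terminating NUL) or -1 if the source would not fit.
 * It refuses rather than truncating, because silent truncation creates
 * its own class of bugs (lost NUL terminators, mangled paths). */
int set_name_checked(char *dst, size_t dst_cap, const char *src)
{
    if (dst == NULL || src == NULL || dst_cap == 0)
        return -1;
    size_t n = bounded_len(src, dst_cap);
    if (n == dst_cap)              /* no room for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);       /* n bytes plus the NUL */
    return (int)n;
}

/* Minimal run-time detection of the kind the paper surveys: a guard value
 * placed immediately after the buffer (what compilers do with a stack
 * canary in front of the return address). A corrupted guard is reported
 * instead of the overflow silently hijacking control flow. */
#define CANARY_VALUE 0xDEADC0DEu

typedef struct {
    char name[NAME_CAP];
    unsigned int canary;
} guarded_name_t;

void guarded_init(guarded_name_t *g)
{
    memset(g->name, 0, sizeof g->name);
    g->canary = CANARY_VALUE;
}

/* Returns 0 on success, -1 if the input was rejected by the bounds check,
 * -2 if the guard was damaged (which the checked copy makes impossible). */
int guarded_set(guarded_name_t *g, const char *src)
{
    if (set_name_checked(g->name, sizeof g->name, src) < 0)
        return -1;
    return g->canary == CANARY_VALUE ? 0 : -2;
}

int main(void)
{
    guarded_name_t g;
    guarded_init(&g);
    printf("short input:  %d\n", guarded_set(&g, "alice"));                                 /* 0 */
    printf("long input:   %d\n", guarded_set(&g, "a name far longer than sixteen bytes"));   /* -1 */
    printf("guard intact: %s\n", g.canary == CANARY_VALUE ? "yes" : "no");
    return 0;
}
```

The point of the checked variant is not the memcpy but the contract: the size is part of the interface, so the caller cannot forget it, and the failure is an explicit return value rather than a corrupted stack.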
API hooking is a technique by which we can instrument and modify the behavior and flow of API calls. On Windows it can be done in various ways; techniques include memory breakpoints, DEP-based traps and JMP instruction insertion. We will briefly discuss the trampoline insertion technique.
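As an added example that is not part of the article, the C below encodes the 5-byte x86 "jmp rel32" used for JMP insertion and lays out the three pieces of a trampoline hook (patched target prologue, detour, trampoline) in simulated memory, so the address arithmetic can be checked without a Windows process. The addresses, the sample prologue bytes and the function names are assumptions for illustration; in a real hook the stolen-byte length comes from an instruction-length decoder and the write to the target goes through VirtualProtect and FlushInstructionCache.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5   /* E9 rel32 */

/* Encode "jmp rel32" placed at address 'from' and landing at 'to'.
 * rel32 is relative to the address of the NEXT instruction (from + 5).
 * Bytes are written explicitly in little-endian order so host endianness
 * does not matter. Unsigned wraparound yields the two's-complement
 * displacement, so backward jumps come out right too. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[JMP_LEN])
{
    uint32_t rel = to - (from + JMP_LEN);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel & 0xff);
    out[2] = (uint8_t)((rel >> 8) & 0xff);
    out[3] = (uint8_t)((rel >> 16) & 0xff);
    out[4] = (uint8_t)((rel >> 24) & 0xff);
}

/* Decode the absolute target of a "jmp rel32" located at address 'at'.
 * Returns 0 if the bytes are not a jmp rel32. */
uint32_t decode_jmp_target(uint32_t at, const uint8_t ins[JMP_LEN])
{
    if (ins[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)ins[1] | ((uint32_t)ins[2] << 8) |
                   ((uint32_t)ins[3] << 16) | ((uint32_t)ins[4] << 24);
    return at + JMP_LEN + rel;
}

/* Simulated process memory: the three regions a hook touches. */
typedef struct {
    uint32_t target_addr; uint8_t target[16];   /* function being hooked */
    uint32_t detour_addr;                        /* our replacement function */
    uint32_t tramp_addr;  uint8_t tramp[32];     /* saved prologue + jmp back */
    size_t   stolen;                             /* bytes moved into the trampoline */
} hook_t;

/* Install a trampoline hook. stolen_len must cover whole instructions and be
 * >= 5 (a length decoder such as hde32 or Zydis decides that in real code;
 * here the caller supplies it) and must not contain relative branches,
 * which would be mis-relocated. Returns 0 on success, -1 on bad arguments.
 * Note: rel32 reaches only +/-2 GB, which is always enough on 32-bit x86
 * but not on x64, where hooks need an absolute jump or a nearby stub. */
int install_hook(hook_t *h, size_t stolen_len)
{
    if (h == NULL || stolen_len < JMP_LEN || stolen_len > sizeof h->target ||
        stolen_len + JMP_LEN > sizeof h->tramp)
        return -1;
    /* 1. Trampoline = original prologue bytes + jmp to target + stolen_len,
     *    so the detour can call the trampoline to run the original function. */
    memcpy(h->tramp, h->target, stolen_len);
    encode_jmp_rel32(h->tramp_addr + (uint32_t)stolen_len,
                     h->target_addr + (uint32_t)stolen_len,
                     h->tramp + stolen_len);
    h->stolen = stolen_len;
    /* 2. Overwrite the target prologue with jmp detour. Leftover stolen bytes
     *    become int3 so a stray jump into them faults loudly. */
    encode_jmp_rel32(h->target_addr, h->detour_addr, h->target);
    memset(h->target + JMP_LEN, 0xCC, stolen_len - JMP_LEN);
    return 0;
}

/* Constructed sample: a typical 32-bit prologue (assumed addresses).
 *   55          push ebp
 *   8B EC       mov  ebp, esp
 *   83 EC 10    sub  esp, 0x10     -> 6 whole instructions bytes, >= 5
 *   8B 45 08    mov  eax, [ebp+8]  -> first instruction after the steal */
void sample_hook(hook_t *h)
{
    static const uint8_t prologue[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08};
    memset(h, 0, sizeof *h);
    h->target_addr = 0x00401000u;
    h->detour_addr = 0x00402000u;
    h->tramp_addr  = 0x00403000u;
    memcpy(h->target, prologue, sizeof prologue);
}

int main(void)
{
    hook_t h;
    sample_hook(&h);
    if (install_hook(&h, 6) != 0)
        return 1;
    printf("target %08x now jumps to %08x\n", (unsigned)h.target_addr,
           (unsigned)decode_jmp_target(h.target_addr, h.target));
    printf("trampoline resumes at %08x\n",
           (unsigned)decode_jmp_target(h.tramp_addr + 6, h.tramp + 6));
    return 0;
}
```

Once installed, calls into the target land in the detour; the detour does its instrumentation and then calls the trampoline address to execute the original prologue and continue at target + 6.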
Surfing the internet through untrustworthy public networks whether wired or wireless has been known to be risky for a long time now. We all think twice before logging into our bank account or accessing any kind of sensitive information, but what about simply browsing our favourite site?
Apple has fixed a critical “triple-handshake” crypto vulnerability with a round of OS X and iOS updates that would allow an attacker with a privileged network position to capture data or change the operations performed in sessions protected by SSL.
The Heartbleed vulnerability continues to sap the life force from various sectors, and it looks like the mobile applications space is not immune. New analysis has revealed that approximately 150 million downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed, a larger number than originally expected.
Recently, we’ve seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS.AndroidOS.Stealer.a: this Trojan came top in Kaspersky Lab's recent mobile malware TOP 20. It can currently send short messages to premium-rate numbers in 14 countries around the world.
The OpenSSL Heartbleed vulnerability “allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” . Heartbleed surprised the public by allowing attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. However, due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.
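To make the over-read concrete, here is an added C example, not FireEye's or OpenSSL's code: a simplified heartbeat-message parser with the pre-fix length handling beside the check OpenSSL 1.0.1g introduced (discard when 1 + 2 + payload + 16 exceeds the record length). The same logic applies whichever side parses the message, which is why a malicious server can hit a vulnerable client. The two sample messages are constructed; hb_vulnerable_copy_len only reports how many bytes the unpatched logic would copy and does not read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Pre-fix logic (CVE-2014-0160): the payload length comes straight from the
 * peer and drives the memcpy into the response, regardless of how many
 * bytes actually arrived. A 1-byte payload claiming 0xFFFF therefore
 * returns 64 KB of whatever sits after the message in process memory.
 * This helper only exposes the arithmetic; it never touches memory. */
size_t hb_vulnerable_copy_len(const uint8_t *msg)
{
    uint16_t payload_len = (uint16_t)((msg[1] << 8) | msg[2]);
    return (size_t)payload_len;
}

/* Fixed logic: validate the claimed length against the record length before
 * copying. Returns the payload length, or -1 for a message that must be
 * silently discarded (the fix discards rather than erroring). */
int hb_validate(const uint8_t *msg, size_t record_len)
{
    if (msg == NULL || record_len < HB_HEADER_LEN)
        return -1;
    if (msg[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((msg[1] << 8) | msg[2]);
    /* The 1.0.1g check: 1 + 2 + payload + 16 > rrec.length -> discard */
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > record_len)
        return -1;
    return (int)payload_len;
}

/* Build the response from validated bytes only. Returns the number of bytes
 * written to out, or -1 if the request is malformed or out is too small. */
int hb_build_response(const uint8_t *msg, size_t record_len,
                      uint8_t *out, size_t out_cap)
{
    int payload_len = hb_validate(msg, record_len);
    if (payload_len < 0)
        return -1;
    size_t need = HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (out == NULL || need > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, msg + HB_HEADER_LEN, (size_t)payload_len);
    /* Real TLS fills the padding with random bytes; zeros keep the example deterministic. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t HB_SAMPLE_BENIGN[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0       /* 16 bytes of padding */
};
const size_t HB_SAMPLE_BENIGN_LEN = sizeof HB_SAMPLE_BENIGN;         /* 24 */

const uint8_t HB_SAMPLE_MALICIOUS[] = {
    HB_REQUEST, 0xFF, 0xFF, 'x',                         /* claims 65535 bytes, carries 1 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
const size_t HB_SAMPLE_MALICIOUS_LEN = sizeof HB_SAMPLE_MALICIOUS;   /* 20 */

int main(void)
{
    uint8_t out[64];
    printf("benign:    validate=%d response=%d bytes\n",
           hb_validate(HB_SAMPLE_BENIGN, HB_SAMPLE_BENIGN_LEN),
           hb_build_response(HB_SAMPLE_BENIGN, HB_SAMPLE_BENIGN_LEN, out, sizeof out));
    printf("malicious: validate=%d, unpatched code would copy %zu bytes\n",
           hb_validate(HB_SAMPLE_MALICIOUS, HB_SAMPLE_MALICIOUS_LEN),
           hb_vulnerable_copy_len(HB_SAMPLE_MALICIOUS));
    return 0;
}
```

The lesson generalises beyond Heartbleed: any length field supplied by the peer must be bounded by the number of bytes actually received before it is used for a copy.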
With the release of this year’s Verizon Data Breach Investigations Report, it is clear that the cybersecurity landscape is once-again experiencing a drastic change in the type of attacks that are threatening organizations’ intellectual property, financial information and customer data.
InfoSecurity Europe is the biggest security event and most important date on the calendar for information security professionals across Europe. The event aims to break through the noise and provide the European audience with all the necessary information to better understand cyber threats to their networks. Join FireEye experts and learn how to prepare for a new frontier of advanced attackers:
Monday, April 21, 2014
At the beginning of this year, we reported on the secret backdoor ‘TCP 32764’ discovered in several routers, including Linksys, Netgear, Cisco and Diamond models, which allowed an attacker to send commands to vulnerable routers on TCP port 32764 from a command-line shell without being authenticated as the administrator.
What are the security improvements in the critical update the criminal ecosystem has pushed for the P2P Zeus botnet? Fortinet experts detected and analyzed it.
Reflections on the need to adopt shared regulation for the security of critical infrastructure: Eugene Kaspersky's point of view on the topic.
Security experts at Mandiant uncovered attackers exploiting the Heartbleed vulnerability to circumvent Multi-factor Authentication on VPNs.
Unflod Baby Panda is the name of a new piece of mobile malware that targets jailbroken Apple iPhones. The threat seems to be of Chinese origin.
The number of cyber threats against mobile users is constantly increasing; on the other hand, bad habits such as jailbreaking/rooting devices and the lack of defensive software are favouring the spread of new families of malicious code.
Recently the Reddit Jailbreak community discovered a new piece of malware, dubbed ‘Unflod Baby Panda’, affecting some jailbroken Apple iOS devices. A user raised the alert after noticing unusual activity on his jailbroken iPhone: as the community member reported, Snapchat and Google Hangouts were crashing constantly right after the jailbreak procedure.
According to members of the community, the Unflod Baby Panda infection was limited to jailbroken Apple iOS devices; the malware was designed to steal victims’ credentials, including their Apple IDs.
The threat affects the iPhone 5 and any other 32-bit jailbroken iOS device.
The malware spreads through the ‘Unflod.dylib’ file; once it has stolen the user's credentials, it sends them to C&C servers provided by US hosting companies and managed by Chinese customers.
“This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken devices and listens for outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers. Users of reddit have made this malware available to the public, which allowed SektionEins to perform an analysis of this threat. However so far only the malware itself has been found and until now it is unknown how it ends up on jailbroken phones. Rumours that Chinese piracy repositories are involved are so far unverified,” states a post published by the SektionEins security firm, which analyzed the malicious agent.
It has been hypothesized that Unflod Baby Panda was spread through a Chinese web site offering iOS software. Another interesting aspect of the infection is that the malicious code is digitally signed with an iPhone developer certificate.
I found this curious, because Unflod Baby Panda infects only jailbroken iPhones, where code does not need to be signed in order to run.
Details of the digital certificate used to sign the Unflod Baby Panda malware are reported below.
$ codesign -vvvv -d Unflod.dylib
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484
The signature date is the 14th of February of this year, so Unflod Baby Panda has probably been around undetected for the last few months.
It has been reported that Unflod Baby Panda can be removed manually as follows:
- Download the free iFile app from Cydia and use it to check whether your device is affected by the malicious software.
- Navigate to /Library/MobileSubstrate/DynamicLibraries/
- If you spot files named Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist, you have been affected.
- Use iFile to delete Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist.
- Reboot your device, then immediately change your Apple ID password and security questions; to be on the safe side, enable two-step verification and avoid installing apps from untrusted sources.
The SektionEins researchers, however, do not consider manual cleanup sufficient: “We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak,” they reported.
Be aware: jailbreaking a mobile device can hide numerous pitfalls.
A study conducted by experts at IOActive uncovered a variety of severe vulnerabilities in Satellite equipment widely used in numerous industries.
Privacy and information security research firm Ponemon Institute, along with DB Networks, an innovator of behavioral analysis in database security, today announced the results of the Ponemon Institute’s first-of-its-kind SQL injection threat study.
In some of the previous articles in this series, we looked at how we can modify the behaviour of an application by patching it with IDA Pro, Hopper, etc. However, doing this hasn't always been straightforward. We can also use Cycript to modify the behaviour of an application by changing some of the method implementations, but that change isn't permanent. This is where writing tweaks for an application comes in handy. A tweak is nothing but a run-time patch to an application using the Cydia Substrate framework. Cydia Substrate consists of 3 major components: MobileHooker, MobileLoader and safe mode. You can read about these 3 major components here. Saurik has also written a complete series of documentation here. Our main focus here is not to go in depth and learn how to write tweaks for jailbroken devices, but to understand their relevance to application security so we can quickly write our own tweaks when necessary.
Thursday, April 17, 2014
The Keen Team, a mysterious group of Chinese hackers who hacked Apple's Safari on Mac OS X Mavericks in just 20 seconds and Adobe Flash on Windows 8.1 in only 15 seconds during this year's Pwn2Own hacking competition, is no longer mysterious, as the team has revealed the identities of its members.
The demand for cyber security experts continues to rise; the US Government has announced further investment to recruit new cyber talent, though not without difficulty.
Security experts at ESET detected a new variant of the iBanking Trojan offered in the underground that exploits the Facebook platform as an infection vector.
A group of researchers discovered a vulnerability in WhatsApp's “Location Share” feature which exposes the user's location to attackers.
SRLabs researchers have published a video PoC on YouTube demonstrating how easy it is to bypass the fingerprint sensor on the Samsung Galaxy S5.
Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired, says Ruben Santamarta, principal security consultant with IOActive.
Akamai announced a new global DDoS attack report, which shows that in Q1, DDoS attackers relied less upon traditional botnet infection in favor of reflection and amplification techniques.
Thanks to the OpenSSL Heartbleed bug, the Tor anonymity network is set to temporarily lose around "12 per cent of the exit capacity and 12 per cent of the guard capacity.”
MASM is maintained by Microsoft and is an x86 assembler that consumes Intel-syntax source and Windows conventions to produce COFF object files that link into Windows executables. It supports both 16-bit and 32-bit sources. Fortunately, Microsoft's Visual Studio IDE supports MASM programming tasks with just a couple of project property changes. The prime objective of this article is to introduce the power of assembly code in terms of speed and full control over programs, which is typically not seen in other programming languages. Even though numerous editors and tools are available to do this in a standalone way, aspiring system or security programmers who have so far been limited to the .NET IDE can enter the real system programming world using none other than the Visual Studio IDE.
In this article we are going to solve a bot challenge. The bot is called Dexter and the vulnerable VM we are going to use was created by Brian Wallace. The challenge is to gain root privileges on the bot's command and control center and on the system itself.
In cloud computing, a number of components are used to build the cloud infrastructure. At the lowest layer there are actual hardware components: servers, network attached storage and network devices. In order to limit the possibility of an infection spreading, networks need to be properly separated into multiple DMZs, with restrictive rules governing connectivity between any two networks. The very core of cloud computing is virtualization, which is used to split a single physical machine into multiple virtual machines in a cost-effective way. Don't get me wrong, running and operating a cloud is certainly possible without virtualization, but it requires more work and time to actually pull off; by using virtualization, we get a lot of that work done for free. With virtualization, a number of virtual machines can run on the same physical computer, which is cost-effective, since part of the physical server's resources can also be leased to other tenants. Such virtual machines are also highly portable: they can be moved from one physical server to another in a matter of seconds and without downtime, and new virtual machines can easily be created. Another benefit of virtualization is that the location of a virtual machine in a data center doesn't matter, and the virtual machine can be copied between data centers with ease.
A malicious mobile application for Android that offers a range of espionage functions has now gone on sale in underground forums with a new trick: it's being used by several banking trojans in an attempt to bypass the two-factor authentication method used by a range of financial institutions.
[infosecurity-magazine] Despite Mobile, Cloud and Big Data, People Are the Biggest Security Weakness
As the volume of data generated within the enterprise workflow grows bigger each and every day, adopting a future-proof approach to information security will be increasingly imperative – and even more challenging. Much talk has arisen about the cloud and mobile devices, and their requisite applications, being a growing threat vector. But new survey results suggest that when it comes to protecting companies’ IT infrastructure, it is in fact people who present the biggest security problem.
The revelations in 2013 that governments and their agencies have been spying on citizens in the name of national security have seriously undermined trust when it comes to operating in cyberspace, according to the Information Security Forum (ISF).
The situation surrounding attempted mobile malware infections is constantly changing, and I’d like to write about one recent trend. Over the last year, Trojan-SMS.AndroidOS.Stealer.a, a mobile Trojan, has become a leader in terms of the number of attempted infections on KL user devices, and now continually occupies the leading positions among active threats. For example, in Q1 2014 it accounted for almost a quarter of all detected attacks.
Cybercriminals often like to use a bogus letter to trick people into opening malicious attachments. There are two tricks that make this work: a message from a familiar name (a bank, social network, service provider or other organization that might interest the recipient) and an intriguing or alarming subject. An attack based on fake messages supposedly from coffee chain Starbucks combined the two.
Some cybercriminals build massive botnets to use unsuspecting endpoints for spam, distributed denial-of-service (DDoS) attacks, or large-scale click fraud. With the aid of banking Trojans, other cybercriminals create smaller, specialized botnets that focus on stealing bank credentials and credit card information.
Tuesday, April 15, 2014
Not long ago Germany confirmed the biggest data theft in the country's history, with the usernames and passwords of some 18 million email accounts stolen and compromised by hackers; now the German space research center has reportedly been targeted in a cyber attack.
The APWG report 2H2013 seeks to understand trends and their significance by quantifying the scope of the global phishing problem.
The latest Anti-Phishing Working Group (APWG) report, titled “Global Phishing Survey: Trends and Domain Name Use in 2H2013”, confirms that the threat of phishing has never been so high: the number of domains registered to conduct this kind of illicit activity broke all records in the second half of 2013. Chinese phishers are the most aggressive, and they were responsible for 85% of the domain names that were registered for phishing.
Phishing attacks mainly hit the Chinese online population rather than better-secured US and European netizens. The overall number of domain names used for phishing reached 82,163 in the second half of 2013: 59,332 were compromised web hosts, while the remaining 22,831 were registrations made by the phishers themselves.
The scale of phishing against the Chinese population last year should worry the local authorities: for Chinese cyber criminal gangs it is very easy to register and manage domains for illicit activities without incurring any sanction.
The APWG report states that there were at least 115,565 unique phishing attacks worldwide, a 60% increase with respect to the first half of 2013.
“Most of the growth in attacks came from phishing that used maliciously registered domains and subdomains. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks” states the APWG report.
Another interesting aspect of the phishing attacks in 2H 2013 is that the average uptime of phishing sites declined compared with the first part of the year: the average duration was 28 hours and 43 minutes, while the median uptime was 7 hours and 54 minutes. The data confirm that phishing attacks must succeed quickly: half of them stay active for less than 8 hours.
The target distribution is also very interesting: the APWG report found 681 unique phished target institutions (mainly financial and e-commerce), 324 of which were entirely new and had not been attacked in the first part of the year, which means that phishers are trying out new targets.
“They appear to be looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing” states APWG report.
As already seen in the past, phishers continue to break into web servers that host a large number of domains (“shared virtual servers”): by updating the server configuration once with malicious content, the attacker compromises every domain hosted there.
“Instead of hacking sites one at a time, the phisher often infects hundreds of web sites at a time, depending on the server. In 2H2013, we identified 178 mass break-ins of this type, resulting in 20,911 phishing attacks. This represents 18% of all phishing attacks recorded worldwide”
The APWG report clearly suggests that phishing is changing: phishers are exploring new tactics and searching for new targets. We must also consider that China isn't the only country to suffer from phishing; the US, for example, suffers a much bigger problem with small-scale spear-phishing attacks, which are not analyzed by the APWG because they target single enterprises and can't be detected through domain registrations.
As explained in the APWG report spear-phishing continues to be an important tool for:
- Criminals who are perpetrating financial crimes against specialized or small targets, like students at a particular university.
- Spies involved in corporate and government espionage.
- Hacktivists who seek publicity for their causes.