CDitter – CD-ROM drive based data exfiltration via /r/netsec

Submitted June 30, 2016 at 10:02PM by deutronium
via reddit

Facebook wins privacy case, can now track any Belgian it wants

In a somewhat unexpected twist, Facebook has won a legal battle against Belgium’s data protection authority, which had sought to prevent Facebook from tracking non-Facebook (or not-logged-into-Facebook) users, both on the Facebook website itself and via the company’s Like and Share buttons that can be found in even the darkest depths of the known universe.

The Brussels appeals court dismissed the case on Wednesday, saying that the Belgian CPP (Commission for the Protection of Privacy) had no jurisdiction over Facebook, which has its European headquarters in Dublin, Ireland.

"We are pleased with the court’s decision and look forward to bringing all our services back online for people in Belgium," a Facebook spokesperson said.

via Ars Technica UK

June 30, 2016 at 03:30AM

CISCO fixed severe vulnerabilities in Network Management and Security Products

Cisco has released security patches for several of its products, fixing critical and high-severity flaws that could be exploited remotely.

The patches cover a number of high-severity vulnerabilities in Cisco's network management and security products.

One of the flaws, a critical vulnerability in the Cisco Prime Collaboration Provisioning (CVE-2016-1416), could be exploited by a remote attacker to bypass authentication and gain full administrator privileges on the affected system.

The vulnerability affects Cisco Prime Collaboration Provisioning version 10.6 when SP2 is installed.

“A vulnerability in the Lightweight Directory Access Protocol (LDAP) authentication for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges.” states the security advisory published by Cisco. “The vulnerability is due to an improper implementation of LDAP authentication. An attacker could exploit this vulnerability by logging into a targeted device that is configured for LDAP authentication. Successful exploitation of this vulnerability could grant the attacker full administrator privileges.” 

Cisco has released software updates, available in the Cisco Software Center, to fix the flaw.

Cisco also fixed another critical vulnerability (CVE-2016-1289) that affected the API of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM). A remote attacker can exploit the flaw to abuse the API and upload malicious code to the application server or access management data, such as login credentials.

The flaw is due to the improper input validation of HTTP requests for unauthenticated URIs.

The attacker could exploit it by sending a specially crafted HTTP request to the affected URIs.

“The vulnerability is due to improper input validation of HTTP requests for unauthenticated URIs. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected URIs. Successful exploitation of this vulnerability could allow the attacker to upload malicious code to the application server or read unauthorized management data, such as credentials of devices managed by Cisco Prime Infrastructure or EPNM.” reads the CISCO advisory that confirms also that the security issue impacts Prime Infrastructure versions 1.2 through 3.0, and EPNM version 1.2.

The IT giant also announced that the Firepower software running on some FirePOWER, Adaptive Security Appliance (ASA), Advanced Malware Protection (AMP), and Virtual Next-Generation Intrusion Prevention System products is plagued by a high severity flaw (CVE-2016-1394).

The software includes a user account with a default and static password that could be exploited by a remote attacker to log in to the device.

Cisco was also informed by Daniel Jensen from of a medium severity remote code execution vulnerability in Prime Infrastructure and EPNM. The company is working on a fix; fortunately, the flaw can be exploited only by an authenticated attacker.

Pierluigi Paganini

(Security Affairs – Security updates, network security)

via Security Affairs

June 30, 2016 at 01:14PM

Recent MNKit Exploit Activity Reveals Some Common Threads

Unit 42 recently identified a variant of MNKit-weaponized documents being used to deliver LURK0 Gh0st, NetTraveler, and Saker payloads. The documents were delivered to targets involved with universities, NGOs, and political/human rights groups concerning Islam and South Asia. Reuse of this MNKit variant, sender email addresses, email subject lines, attachment filenames, command and control domains, XOR keys, and targeted recipients show a connection between the different payload families delivered.

MNKit is the name given to a builder that generates CVE-2012-0158 exploit documents. The documents are in MHTML format and install a malicious payload on the compromised host. We believe MNKit is privately shared between multiple attack groups, but is not widely available.

Information about previous attack campaigns using MNKit is available in the following reports:

For more details on MNKit, see the Sophos publication, Office exploit generators.

Typical MNKit MHTML files have used User123 or User323 as the Author and LastAuthor element values within their DocumentProperties sections and C:/2673C891/Doc1.files/ as a file directory location. The samples discussed in this blog use User323 and User426 as Author and LastAuthor element values and C:/23456789/Doc1.files/ as a file directory location.

LURK0 Delivery

LURK0 is a family of remote access trojans derived from Gh0st RAT. It has been used by attack groups for years, as discussed by CitizenLab in a publication from 2012 on Tibet-related information operations and has been fairly well analyzed in publicly available reporting. Contained within a subset of the MNKit exploit documents were malicious SFX PE files that delivered LURK0 implants. These PE files were encoded using a decrementing XOR function with the key beginning at 127. Within each SFX are five files:

  IconConfigBt.DAT or IconConfigBty.DAT

Execution of the self-extracting archives, and the side-loading of the LURK0 payload that follows, can be identified by the registry key they create:


The hashes and compile times of the malicious RasTls.dll files follow:

838d893581666a2d62bc41497c2214b04b39d0d8e869bcc9bdef7e0e67e1c6a8 0x56E02E36 (Wed Mar 09 09:07:50 2016)

6833f160407175bdb77a6b6b8c9f90ac5c1a73e67b89df6469d12fd6dba54827 0x56F7DE4F (Sun Mar 27 08:21:19 2016)

dde54ba5a79ed2c0eb1dad667926ac8ee91afea5540a5fe3c98f21610861accd 0x56B04040 (Tue Feb 02 00:36:00 2016)

f2d37ca11fb1e3a900cb79f45a4d97ec770fddedf2f8fc3a5d55d945aa57da40 0x56F7DE4F (Sun Mar 27 08:21:19 2016)

f241bdf8dcd4b5c5d15ba5f984b76b9c2a524fd6ad6b8197089723ce3b672505 0x56E02E36 (Wed Mar 09 09:07:50 2016)

a1b7ae7d2591b6055dfbf561d4e4527ba2eb18cffba9b50096460618b3972220 0x57315827 (Mon May 09 23:40:23 2016)

and dge.123nat[.]com are two command and control domains resolved by the malware. The first domain was previously mentioned by Arbor Networks in their report The Four-Element Sword Engagement, which detailed the targeting of Tibetan, Hong Kong, and Taiwanese interests. A subdomain of 123nat[.]com, manhaton.123nat[.]com, was also referenced in Arbor’s report as a LURK0 command and control domain. Below shows the LURK0 string used in the first five bytes of an implant beacon.
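As an added example (not Unit 42's tooling or code from the original post), here is a small Python decoder and carver for the decrementing-XOR scheme used on the LURK0, Saker and NetTraveler droppers described above: each byte is XORed with a one-byte key that starts at 127 and drops by one per byte. Assumptions: the key wraps modulo 256 after reaching 0, the PE-header check is a minimal structural one, and the sample PE and container are constructed.

```python
"""Decoder and carver for PE files hidden with a decrementing-XOR scheme.

Added example for analysts, not Unit 42's tooling. Scheme as described in the
write-up: every byte is XORed with a one-byte key that starts at 127 and is
decremented by one for each subsequent byte. Assumption: the key wraps to 255
after reaching 0. XOR is its own inverse, so one routine encodes and decodes.
"""
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C      # offset of e_lfanew in the DOS header
DOS_HEADER_SIZE = 0x40


def xor_decrement(data: bytes, start_key: int = 127) -> bytes:
    """XOR data with a key that starts at start_key and drops by one per byte."""
    out = bytearray(len(data))
    key = start_key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key - 1) & 0xFF   # wrap-around after 0 is an assumption
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: MZ magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < DOS_HEADER_SIZE or blob[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)[0]
    if e_lfanew + len(PE_SIGNATURE) > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def carve_encoded_pe(container: bytes, start_key: int = 127):
    """Locate and decode a PE that was XOR-encoded from its first byte.

    Scans for the two bytes 'MZ' would become under the scheme (a cheap
    pre-filter), decodes from each hit, and keeps the first candidate whose
    decoded header passes looks_like_pe(). Returns (offset, decoded) or None.
    Decoding from the hit to the end of the container is O(n) per hit, which is
    fine for document-sized inputs.
    """
    encoded_mz = bytes([MZ_MAGIC[0] ^ (start_key & 0xFF),
                        MZ_MAGIC[1] ^ ((start_key - 1) & 0xFF)])
    pos = container.find(encoded_mz)
    while pos != -1:
        candidate = xor_decrement(container[pos:], start_key)
        if looks_like_pe(candidate):
            return pos, candidate
        pos = container.find(encoded_mz, pos + 1)
    return None


def build_fake_pe(body_size: int = 64) -> bytes:
    """Constructed sample: a DOS header with e_lfanew = 0x40 followed by the PE
    signature and zero padding. Not a runnable executable; header only."""
    header = bytearray(DOS_HEADER_SIZE)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, E_LFANEW_OFFSET, DOS_HEADER_SIZE)
    return bytes(header) + PE_SIGNATURE + b"\x00" * body_size


if __name__ == "__main__":
    # Constructed container: some MHTML-like text, then the encoded PE, then junk.
    payload = build_fake_pe()
    container = b"MIME-Version: 1.0\r\n" + xor_decrement(payload) + b"\r\n--boundary--"
    found = carve_encoded_pe(container)
    if found is None:
        print("no encoded PE found")
    else:
        offset, decoded = found
        print(f"encoded PE at offset {offset}, header valid: {looks_like_pe(decoded)}")
```

On a real MNKit document the container would be the MHTML bytes; the same carve step applies once the attachment is on disk.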

[Image: the LURK0 string in the first five bytes of an implant beacon]

Saker Delivery

Saker, often also called ‘Xbox’ and ‘Mongall’, is a malware family used by targeted attack groups who have also deployed NetTraveler and Gh0stRAT.

Two of the sending addresses used to distribute the above LURK0 samples, dolkun2015@gmail[.]com and duqdiniishlari@gmail[.]com, were also used to distribute other types of malware. By observing overlaps in the sending and receiving email addresses as well as the filenames of attachments, we were able to identify additional MNKit exploit documents that also included self-extracting PE files. These PE files were again XOR encoded in the attached documents using the same decrementing key (beginning with 127). These additional SFX PE files are password protected using one of the following passwords:

Instead of including RasTls.exe to side-load the payload (as the LURK0 droppers did), each embedded PE contains a single DLL named msdis.dll, which exports a function named JustTempFun. The SHA256 hashes and compile timestamps of the recently compiled and deployed msdis.dll files follow:

5bbe82e975ef161d562cab2fe640f11b576964ad9fc6c3150cfaa43f073d4e01 0x56D7DFB0 (Thu Mar 03 01:54:40 2016)

445a4d12f012c69acaf40011daf5a14f1b7832a9fcd0f3451a773e0f084b44ac 0x56D7DFB0 (Thu Mar 03 01:54:40 2016)

60891bab7fe0baecc9038e194ab6a9222b9f0a7b814eacbd9d20b8c4fe63796c 0x570B5D12 (Mon Apr 11 04:15:14 2016)

74074a1b1b77f7922cafed5437fa0be012275a63c57aa10626fad77f3c85d8e9 0x56D7DFB0 (Thu Mar 03 01:54:40 2016)

68261823356d3471a7794a3cb5cd208101f5660b4928206a22c01df5ed0b4b52 0x56D55EC9 (Tue Mar 01 04:20:09 2016)

ec341eebee6c08daf153675698404c9c6805049c31027490432e08c783edfd2c 0x572B0294 (Thu May 05 04:21:40 2016)

Saker samples construct strings during execution. One such string is the origin of the malware’s name.

[Image: string construction in a Saker sample]

The Saker PEs also contain user agent strings (also constructed during execution): Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 1.1.4531) and Mozilla/6.0 (compatible; MSIE 9.0; Wis NT 8.1; .NET CLR 2.13431). The second is similar to the user agent Mozilla/4.0 (compatible; MSIE 6.0; Wis NT 5.0; .NET CLR 1.1.4322) outlined by FireEye in 2014.

The command and control locations for the Saker samples delivered via MNKit follow:

amerikauyghur[.]top overlaps with the LURK0 samples previously mentioned. Both onebook[.]top (registered with a registrant email address of and (registered with a registrant email address of have resolved previously to 103.232.222[.]20.

Using AutoFocus, we were able to locate additional samples that resolved to these domains. The samples are a mix of LURK0, Saker, and PlugX. Their hashes follow:

Pivoting from the first, rather unique, user agent string, we located the following Saker samples on totalhash:

These samples beacon to http://www.togolaga[.]com (103.246.246[.]221) and unisers[.]com (123.254.104[.]32), both of which were mentioned in the Sophos Rotten Tomatoes publication.

Within AutoFocus the user-agent string was also seen being used by the following Saker sample hashes:

These resolve and connect to the following domain names:

  onebook[.]top (103.232.222[.]20)

  www.dicemention[.]com (123.108.111[.]228)

  www.updatenewes[.]com (103.246.246[.]221)

  softinc[.]pw (210.209.118[.]87)

  www.notebookhk[.]net (123.254.104[.]50)

notebookhk[.]net, also mentioned in the Rotten Tomatoes report, was at one point a known PlugX command and control domain. This domain as well as are noted Korplug (often used to load PlugX) domains outlined by ESET in a blog post here. These domains as well as other overlapping indicators, such as the export function name JustTempFun, were discussed by ProofPoint in a 2015 publication on PlugX targeting Russian military and telecom organizations and by Kaspersky in part 1 of their publication on NetTraveler.

NetTraveler Delivery

NetTraveler is a backdoor used to install other malware, steal information, and provide remote control of a compromised system. The targets of the NetTraveler operators previously described by Kaspersky Lab align closely with the recipients of a new set of samples.

Three additional MNKit documents were located as MNKit exploit attachments. Unfortunately, we were unable to locate emails the attachments were sent with. These three samples also included SFX PE files encoded using the same decrementing XOR. Within each PE are three files which side-load NetTraveler. The files are named:

The hashes and compile timestamps for each fslapi.dll follow:

8d03cead273180baaae19aca5dd84ea4b7a8c88375c5eba3c3d4b69fce563506 0x574D3F35 (Tue May 31 03:37:25 2016)

682638c3fa5447da1af53b8dd60ee9fdd8489dd5dd4606e8d06082a6a363d362 0x57513FF6 (Fri Jun 03 04:29:42 2016)

d953cd81ef92c301ad9c3f43dd183aac65719c729cdf55341954acd6da08bb23 0x571177B8 (Fri Apr 15 19:22:32 2016)

The fslapi.dll files load their accompanying fslapi.dll.gui files, which are XOR encoded. The decoded fslapi.dll.gui DLLs include the following embedded URLs, the first of which was previously documented by Unit 42 as a red herring within NetTraveler samples.

The fslapi.dll files contain an overlay that is used to decode the real C2 as documented in the same Unit 42 NetTraveler blog. The decoded command and control URLs include:

Both domains have previously resolved to 103.231.184[.]163, which has also hosted http://www.tassnews[.]net[.]com, both of which have also been used as NetTraveler command and control domains. is also resolved by the SFX PE (encoded using the same decrementing XOR) decoded from another sample of this MNKit variant.

Tassnews[.]net was registered with a registrant email address of ghjksd@gmail[.]com and info-spb[.]com was registered with a registrant email address of kefj0943@yahoo[.]com. Riaru[.]net was registered with a registrant email address of fjknge@yahoo[.]com on 29 March 2016, which also registered one other domain name, yandax[.]net, on 16 June 2016 using the same authoritative DNS servers and registrar. Interfaxru[.]com was registered with a registrant email address of ganh@gmail[.]com on 18 April 2016 using the same registrar and authoritative DNS servers as riaru[.]net and yandax[.]net. Only one domain name is currently registered by ganh@gmail[.]com, however it would be no surprise if an additional domain is registered by this registrant in the near future.

Putting it All Together

While MNKit has been associated with multiple different groups, the reuse of domain names, IPv4 addresses, phishing themes, XOR schemes, and email accounts is strong evidence of a link between these new attacks and the previously documented ones. The changes in SFX PE contents across the three sets of SFX PE files, covering the February to March 2016, March to April 2016, and April to June 2016 time frames, show a slight deviation in payload but consistency in delivery methods. The best defense against MNKit is to ensure your systems are patched for CVE-2012-0158, but in situations where this isn’t possible, exploit mitigation technology like Traps is warranted.

While attribution is a challenging art, it’s likely whoever is behind these recent attacks is, through infrastructure, malware families and delivery techniques, somehow related to the previously reported attacks. The attackers have been active for years, will likely continue to be active, and seem to prefer to change tactics only subtly.

AutoFocus users can track the malware discussed above using the following tags:

Examined MNKit Samples and Payloads

MNKit MIME attachments carrying LURK0 payloads:

LURK0 payload files contained within MNKit documents:

MNKit MIME attachments carrying Saker payloads:

Saker payload files contained within MNKit documents:

MNKit MIME attachments carrying NetTraveler payloads:

NetTraveler payload files contained within MNKit documents:

via Palo Alto Networks Blog

June 30, 2016 at 02:40PM

Time is running out to stop a $53 million cryptocurrency heist – The Verge

On June 17, someone stole $53 million from the DAO, an experimental investment bank built in the Ethereum cryptocurrency system — and the developers have spent the last two weeks trying to get it back.

The DAO’s withdrawal system froze the money for 27 days, and rather than let the money slip away permanently, Ethereum’s coders have decided to stop the theft by changing the basic code that the currency runs on. But making those changes is delicate and complex — and if nothing changes before July 14th, the money will be lost permanently, and the theft will be complete.

The result has been one of the most urgent coding challenges a cryptocurrency has faced so far. At the beginning of this week, it seemed as if Ethereum would clear it easily. Miners were scheduled to approve new code today, and as of Monday, it looked like the proposed change would easily pass, saving the money with weeks to spare.

Then, the plan fell apart.

Developers had proposed a backwards-compatible change to the Ethereum code (a so-called “soft fork”) that would make the stolen money unspendable. The update would make it impossible for miners to approve any transaction involving the stolen money, so even if the thief tried to withdraw his stolen funds, that withdrawal would never make it into the blockchain. It wouldn’t restore all the stolen funds, but it would at least stop the theft in its tracks.

“I’m rooting for these guys, but it’s been a tough week.”

But two days before the vote, Cornell cryptographer Emin Gün Sirer found a nasty bug in the soft fork. The proposed change would void any contracts involving the stolen funds, Sirer wrote in a post, but the mechanism for doing so enabled an unexpected kind of denial-of-service attack. Under the soft fork, an attacker could fill up the blockchain with bogus contracts without incurring any costs, since invoking the stolen DAO funds would invalidate any contract halfway through.

Sirer imagined disgruntled attackers who “might short ETH and launch a DoS attack to profit off of the impending drop in the coin’s value… Because the attack currently has no cost, it is quite possible for these groups to launch it.”

The soft fork was already controversial for political reasons — with some characterizing it as centralized censorship — but in the wake of Sirer’s post, support for the soft fork plummeted. The current miner vote shows little support, and today’s vote is expected to overwhelmingly reject the change.

But while the soft fork is out, it’s unclear what might take its place. As Bitcoin entrepreneur Andreas Antonopoulos put it in a recent video, “we’re back to, ‘okay, what do we do now?’”

Sirer’s bug is tied to the fork’s backwards compatibility, so his preferred solution is a new version that isn’t backwards-compatible — known as a “hard fork.” That would avoid the denial-of-service bug, but leave anyone running the old version of the software completely cut off from the broader currency system.

Developers have already begun writing software for that system, but they’re facing a brutally tight deadline. The community will have only two weeks to implement the hard fork, having spent more than half its time going down a dead end. If a similar bug turns up in the new code, the result may simply be a $53 million loss for the DAO.

Former Bitcoin Foundation chairman Peter Vessenes says he believes there’s still political will to save the money, but the coding challenge is a serious one. “I’m rooting for these guys,” says Vessenes, “but it’s been a tough week.”


via denial of service

June 30, 2016 at 10:54AM

Man Booked For Hacking Wife’s Facebook Account – ValueWalk

An Indian man was booked on Wednesday, under section 66A of the Information Technology Act, for the alleged hacking of his wife’s Facebook account.

Facebook hacking

Facebook hacking, changing password and objectionable messages

The victim is Meenu, and she claims that her husband Sachin Jindal, from Faridabad, hacked his way into her Facebook account, changed her login password so she was no longer able to access her own page, and then he is alleged to have sent malicious messages to her friends.

Matrimonial difficulties

It appears that the couple had been having matrimonial difficulties for a few months. The lady now lives in sector 9A in Gurgaon. A police officer involved in the case stated, “According to the complainant, the accused hacked her Facebook account to settle scores. She approached the police when he did not mend his ways.”

He continued, “Based on the complaint, a preliminary investigation was carried out by the Cyber Cell and the allegations against the man were found to be true.”

Investigation finds the husband responsible

“After an investigation it was found that Jindal changed the password and uploaded insulting posts,” Assistant Commissioner of Police Hawa Singh told IANS.

The spokesperson for the Gurgaon Police, Assistant Commissioner Hawa Singh said, “A case has been registered against the accused,” and he is expected to be arrested very soon.

High profile hacking of Mark Zuckerberg

Hacking is an all too common problem in today’s digital world. In this case it is likely that the estranged husband was able to guess the password. Meenu, the victim, is in good company though. Earlier this month Mark Zuckerberg, the founder and Chief Executive of Facebook, had a number of his social media accounts hacked, including LinkedIn, Twitter and Pinterest.

After a huge cache of LinkedIn passwords was leaked online, it was found that Zuckerberg’s details were included. Although the passwords were encrypted with an algorithm, it was relatively easy for a Saudi Arabian group calling themselves OurMine to crack them.

And what was his password? Dadada!

Security Hoax

Facebook has recently had to deny a ‘privacy notice’ circulating on the site and has issued a statement branding it a hoax. The note claimed that unless you copied and pasted some information, all your posts would become public. Facebook confirmed there had been no change in its privacy policy.


via hacking – Google News

June 30, 2016 at 11:00AM

Hackers Can Exploit LibreOffice Flaw With RTF Files

The developers of the open source office suite LibreOffice informed users this week that they have patched a vulnerability which could allow attackers to execute arbitrary code using specially crafted RTF files.

The vulnerability, found by Cisco Talos researchers and tracked as CVE-2016-4324, affects the RTF parser in LibreOffice. The flaw can be exploited with an RTF document that contains both a stylesheet and a superscript token.

“A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be able to be used to execute arbitrary code,” Cisco said.

The attacker needs to somehow trick the targeted individual into opening a malicious RTF file in order to trigger the exploit. It’s not uncommon for cybercriminals to exploit RTF parser vulnerabilities in Microsoft Office to deliver malware and this flaw shows that such attacks are also possible against LibreOffice users.

The issue has been addressed with the release of LibreOffice 5.1.4. Cisco says there is no evidence that this vulnerability has been exploited in the wild, but users are advised to update their installations to protect themselves against potential attacks.

The developers of various Linux distributions are also analyzing the issue and some have already released package updates to patch the flaw.

This is the third vulnerability confirmed by LibreOffice developers this year. In February, The Document Foundation informed users that researchers from VeriSign’s iDefense Labs had identified a couple of memory corruption bugs that could have been exploited to cause a denial-of-service (DoS) condition using specially crafted Lotus Word Pro files.

Cisco Talos researchers recently identified flaws in many popular products, including the chat client Pidgin, Trane thermostats, and the Lhasa, Libarchive and 7-Zip archivers.

Previous Columns by Eduard Kovacs:
via SecurityWeek RSS Feed

June 30, 2016 at 10:43AM

Conficker Used in New Wave of Hospital IoT Device Attacks

Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps are increasingly being targeted by hackers seeking to steal patient medical records from hospitals. Attackers consider the devices soft digital targets, seldom guarded with the same security as client PCs and servers within hospitals.

In a report by security firm TrapX Labs, researchers found that the dearth of cyber defenses on clinical IoT medical equipment was tied to a resurgence of old malware such as networm32.kido.ib and the notorious Conficker worm. In its paper MEDJACK.2 Hospitals Under Siege (PDF), researchers describe how modern hospital security systems overlook internet-connected devices running Windows XP or unpatched versions of Windows 7 and Windows 8, making them an easy target for ancient exploits.

“The malware utilized for this attack was specifically selected to exploit older versions of Windows… It enabled the attacker to install a backdoor within the enterprise, from which they could launch their campaign and quietly exfiltrate data and perhaps cause significant damage using a ransomware attack,” TrapX wrote in its report.

In its 2009 heyday Conficker was estimated to have infected between 9 million to 15 million computers. The computer worm was known for constantly morphing as Conficker authors regularly updated the code. The worm targets Microsoft’s Windows operating system and was notorious for cracking passwords, hijacking Windows computers and enlisting them into botnets that distributed spam and installed scareware.

Researchers say they have captured new samples of the Conficker worm that have been updated with an enhanced ability to move laterally within a network and target specific types of medical devices. The malware is delivered via spear phishing attacks against hospital staff; once Conficker or networm32.kido.ib infects a host and wends its way inside the network, attackers use command-and-control instructions to deliver additional, “more sophisticated” malware to devices.

“Wrapped inside an out-of-date malware wrap­per for networm32.kido.ib, we determined that the malware was in fact quite sophisticated, and capable of ‘jumping’ or moving between networks successfully. The almost harmless net­worm, easily ignored by Windows 7 patched systems, Windows 8 platforms and new oper­ating systems, exploited a vulnerability within Windows XP to load a RAT (remote access tool) so the attacker could load sophisticated, state of the art attacker software components,” according to the report.

In its previous 2015 report TrapX noticed similar types of attacks inside hospitals and healthcare facilities. What’s new is, “The old exploits such as Conficker are being used in tandem with much more sophisticated payloads that are able to go deeper into a hospital network and target specific devices that can gain criminals easier access to patient records,” said Moshe Ben-Simon, co-founder of TrapX Labs.

Patient records are quickly becoming a hot commodity on the dark web. Ben-Simon said medical records are known to hold greater value on the black market over other items such as credit card data. That’s because criminals can steal a patient’s identity and not just extend credit in their names, but also have costly prescriptions filled. “Insurance pays for the prescription and attackers can resell the drugs on the black market,” Ben-Simon said.

TrapX estimates that medical records fetch $10 to $20 per record on the black market versus about $5 for one financial profile.

Last week, records for 655,000 patients allegedly stolen from three healthcare organizations wound up on the web. In the case of these records, attackers claim to have obtained the data via a remote desktop protocol attack.

According to the TrapX report, which studied real-world infections at three hospitals, a forensic investigation revealed that the presence of the Conficker worm failed to generate any cybersecurity alarms. TrapX reported the Conficker worm went unnoticed out of a lack of concern for the ancient exploit. “Medical devices are ‘black boxes’ and their internal software operations are not visible to the hospital cyber defense team. They run out of date operating systems, such as Windows 7 or Windows XP which are highly vulnerable and almost completely unprotected,” wrote researchers.

Ben-Simon said those medical devices are extremely attractive targets because each one is highly connected and linked to a community of additional vulnerable medical devices that in turn link to high-value patient data. “All it takes is one successful at­tempt for the attacker to establish a backdoor, find and steal data, or use automated tools to set a ransomware attack in motion,” according to the report.


via Threatpost | The first stop for security news

June 30, 2016 at 09:49AM

Dridex and Locky authors revamped the Bart malware

The authors responsible for Dridex and Locky malware have recently made another appearance, this time with their latest release – Bart malware.

Similar to other ransomware, infected users are notified of the compromise by having their desktop background changed to a warning that confirms their files have been encrypted and offers a number of URLs, accessible via the TOR network, where they can receive instructions on obtaining their private keys. Recovery instructions are also placed in a text file named recover.txt, located in many of the user’s folders.

A screenshot of the desktop wallpaper recover.bmp

Unlike previous versions the cost of unlocking encrypted files has increased dramatically to 3 bitcoins (at time of writing equating to around 1425 Pounds Sterling or 1900 US Dollars) compared to the initial 0.5 or 1 bitcoin of its predecessors.

This particular ransomware was first discovered a few days ago by security vendor Phishme.

It differs greatly in operation from previous malware from presumably the same authors, notably in its lack of reliance on Command and Control servers, thus reducing the required investment and complexity on the attacker’s side.

Similar to Locky and Dridex the tool employs rogue JavaScript, invoking the Rockloader malware for delivery which is disseminated via ZIP attachments within emails, often containing permutations of the names, or

Other similarities include the payment portals, coding structure, email distribution mechanism and curiously the encryption of .n64 ROM files, with Locky being the only other malware to do this.

The ransom note, which displays itself as the desktop background, is localized for English, Spanish, French, German and Italian and, interestingly, if the user’s language pack is detected as Russian, Ukrainian or Belarusian, the user’s files aren’t encrypted.

Instead of employing the typical C2 key-storage procedure, in which the key for the encrypted files is passed to the attackers’ command servers and released only after payment of the ransom, Bart malware operates by placing the victim’s files in password-protected ZIPs.

Bart malware ’s payment portal, almost identical to that of Locky

The methods of operation and the increased price of the ransom show a worrying change in direction from the authors of these already difficult and potentially crippling digital infections.

The cost and complexity of operations have reduced on the attackers’ side, which will arguably see a rise in the volume of these attacks as the tools become accessible to a larger number of malicious players.

The hardest hit in this latest wave won’t be the organizations that can respond quickly to these threats, maintain adequate backups for restoring after a compromise, and can filter the known attachment names at the perimeter, but rather the many security-naive end users on their home machines.

This, coupled with the increased cost for unlocking, could see Bart malware as one of the most destructive and intrusive forms of malware to date, particularly within the public realm.

Written by: Steven Boyd

Steven Boyd

Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog

Twitter: @CybrViews

Pierluigi Paganini

(Security Affairs – Bart malware, hacking)

via Security Affairs

June 30, 2016 at 08:09AM