CDitter – CD-ROM drive based data exfiltration via /r/netsec


CDitter – CD-ROM drive based data exfiltration
http://ift.tt/29eynzT

Submitted June 30, 2016 at 10:02PM by deutronium
via reddit http://ift.tt/297WL5q

Advertisements

Facebook wins privacy case, can now track any Belgian it wants

Facebook wins privacy case, can now track any Belgian it wants

http://ift.tt/295vU7V

In a somewhat unexpected twist, Facebook has won a legal battle against Belgium’s data protection authority, which had sought to prevent Facebook from tracking non-Facebook (or not-logged-into-Facebook) users, both on the Facebook website itself but also via the company’s Like and Share buttons that can be found in even the darkest depths of the known universe.

The Brussels appeals court dismissed the case on Wednesday, saying that the Belgian CPP (Commission for the Protection of Privacy) had no jurisdiction over Facebook, which has its European headquarters in Dublin, Ireland.

"We are pleased with the court’s decision and look forward to bringing all our services back online for people in Belgium," a Facebook spokesperson said.

Read 4 remaining paragraphs | Comments

News

via Ars Technica UK http://ift.tt/1FAJXi5

June 30, 2016 at 03:30AM

CISCO fixed severe vulnerabilities in Network Management and Security Products

CISCO fixed severe vulnerabilities in Network Management and Security Products

http://ift.tt/298oNQX

Cisco released security patches for some of its products that fix critical and high severity flaw that could be remotely exploited by hackers.

Cisco has released security patches for a number of high-severity vulnerabilities in the CISCO Management and other security products.

One of the flaws, a critical vulnerability in the Cisco Prime Collaboration Provisioning (CVE-2016-1416), could be exploited by a remote attacker to bypass authentication and gain full administrator privileges on the affected system.

The vulnerability plagued the Cisco Prime Collaboration Provisioning version 10.6 if the SP2 is installed.

“A vulnerability in the Lightweight Directory Access Protocol (LDAP) authentication for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges.” states the security advisory published by Cisco. “The vulnerability is due to an improper implementation of LDAP authentication. An attacker could exploit this vulnerability by logging into a targeted device that is configured for LDAP authentication. Successful exploitation of this vulnerability could grant the attacker full administrator privileges.” 

Cisco has released software updates, available in the Cisco Software Center,  to fix the flaw.

Cisco also fixed another critical vulnerability (CVE-2016-1289) that affected the API of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM). A remote attacker can exploit the flaw to abuse the API and upload malicious code to the application server or access management data, such as login credentials.

CISCO prime_collaboration_large

The flaw is due to the improper input validation of HTTP requests for unauthenticated URIs.

The attacker could exploit it by sending a specially crafted HTTP request to the affected URIs.

“The vulnerability is due to improper input validation of HTTP requests for unauthenticated URIs. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected URIs. Successful exploitation of this vulnerability could allow the attacker to upload malicious code to the application server or read unauthorized management data, such as credentials of devices managed by Cisco Prime Infrastructure or EPNM.” reads the CISCO advisory that confirms also that the security issue impacts Prime Infrastructure versions 1.2 through 3.0, and EPNM version 1.2.

The IT giant also announced that the Firepower software running on some FirePOWER, Adaptive Security Appliance (ASA), Advanced Malware Protection (AMP), and Virtual Next-Generation Intrusion Prevention System products is plagued by a high severity flaw (CVE-2016-1394).

The software includes a user account with a default and static password that could be exploited by a remote attacker to log in to the device.

Cisco was also informed by Daniel Jensen from Security-Assessment.com of a medium severity remote code execution vulnerability in Prime Infrastructure and EPNM. The experts of the company are working to fix it, fortunately, it could be exploited only by an authenticated attacker.

Pierluigi Paganini

(Security Affairs – Security updates, network security)

The post CISCO fixed severe vulnerabilities in Network Management and Security Products appeared first on Security Affairs.

News

via Security Affairs http://ift.tt/Lp7iZa

June 30, 2016 at 01:14PM

Recent MNKit Exploit Activity Reveals Some Common Threads

Recent MNKit Exploit Activity Reveals Some Common Threads

http://ift.tt/296L64Q

Unit 42 recently identified a variant of MNKit-weaponized documents being used to deliver LURK0 Gh0st, NetTraveler, and Saker payloads. The documents were delivered to targets involved with universities, NGOs, and political/human rights groups concerning Islam and South Asia. Reuse of this MNKit variant, sender email addresses, email subject lines, attachment filenames, command and control domains, XOR keys, and targeted recipients show a connection between the different payload families delivered.

MNKit is the name given to a builder that generates CVE-2012-0158 exploit documents. The documents are in MHTML format and install a malicious payload on the compromised host. We believe MNKit is privately shared between multiple attack groups, but is not widely available.

Information about previous attack campaigns using MNKit is available in the following reports:

For more details on MNKit, see the Sophos publication, Office exploit generators.

Typical MNKit MHTML files have used User123 or User323 as the Author and LastAuthor element values within their DocumentProperties sections and C:/2673C891/Doc1.files/ as a file directory location. The samples discussed in this blog use User323 and User426 as Author and LastAuthor element values and C:/23456789/Doc1.files/ as a file directory location.

MNKit 1

LURK0 Delivery

LURK0 is a family of remote access trojans derived from Gh0st RAT. It has been used by attack groups for years, as discussed by CitizenLab in a publication from 2012 on Tibet-related information operations and has been fairly well analyzed in publicly available reporting. Contained within a subset of the MNKit exploit documents were malicious SFX PE files that delivered LURK0 implants. These PE files were encoded using a decrementing XOR function with the key beginning at 127. Within each SFX are five files:

  RasTls.exe

  RasTls.dll

  MemoryLoad.dump

  BTFly.dump

  IconConfigBt.DAT or IconConfigBty.DAT

The execution of the self-extracting zips side-loading of LURK0 payloads is identifiable by the registry key they create

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\DbxUpdateET\

The hashes and compile times of the malicious RasTls.dll files follow:

838d893581666a2d62bc41497c2214b04b39d0d8e869bcc9bdef7e0e67e1c6a8 0x56E02E36 (Wed Mar 09 09:07:50 2016)

6833f160407175bdb77a6b6b8c9f90ac5c1a73e67b89df6469d12fd6dba54827 0x56F7DE4F (Sun Mar 27 08:21:19 2016)

dde54ba5a79ed2c0eb1dad667926ac8ee91afea5540a5fe3c98f21610861accd 0x56B04040 (Tue Feb 02 00:36:00 2016)

f2d37ca11fb1e3a900cb79f45a4d97ec770fddedf2f8fc3a5d55d945aa57da40 0x56F7DE4F (Sun Mar 27 08:21:19 2016)

f241bdf8dcd4b5c5d15ba5f984b76b9c2a524fd6ad6b8197089723ce3b672505 0x56E02E36 (Wed Mar 09 09:07:50 2016)

a1b7ae7d2591b6055dfbf561d4e4527ba2eb18cffba9b50096460618b3972220 0x57315827 (Mon May 09 23:40:23 2016)

http://ift.tt/295ZVbj and dge.123nat[.]com are two command and control domains resolved by the malware. The first domain was previously mentioned by Arbor Networks in a report detailing the targeting of Tibetan, Hong Kong, and Taiwanese interests in their report, The Four-Element Sword Engagement. A subdomain of 123nat[.]com, manhaton.123nat[.]com, was also referenced in Arbor’s report as a LURK0 command and control domain. Below shows the LURK0 string used in the first five bytes of an implant beacon.

MNKit 2

Saker Delivery

Saker, often also called ‘Xbox’ and ‘Mongall’, is a malware family used by targeted attack groups who have also deployed NetTraveler and Gh0stRAT.

Two of the sending addresses used to distribute the above LURK0 samples, dolkun2015@gmail[.]com and duqdiniishlari@gmail[.]com, were also used to distributed other types of malware. By observing overlaps in the sending and receiving email addresses as well as the filenames of attachments, we were able to identify additional MNKit exploit documents that also included self-extracting PE files. These PE files were again XOR encoded in the attached documents using the same decrementing key (beginning with 127). These additional SFX PE files are password protected using one of the following passwords:

  aurhuhkdsf!.xlas

  ^elqwiajdsfile!

  Ieafsdisdlflei!dsa

Instead of including RasTls.exe to sideload payloads (as the LURK0 payloads did), within each of the embedded PEs is a single DLL file named msdis.dll which exports a function named JustTempFun. The recently compiled and deployed msdis.dll files’ SHA256 hashes and compile timestamps follow:

5bbe82e975ef161d562cab2fe640f11b576964ad9fc6c3150cfaa43f073d4e01 0x56D7DFB0 (Thu Mar 03 01:54:40 2016)

445a4d12f012c69acaf40011daf5a14f1b7832a9fcd0f3451a773e0f084b44ac 0x56D7DFB0 (Thu Mar 03 01:54:40 2016)

60891bab7fe0baecc9038e194ab6a9222b9f0a7b814eacbd9d20b8c4fe63796c 0x570B5D12 (Mon Apr 11 04:15:14 2016)

74074a1b1b77f7922cafed5437fa0be012275a63c57aa10626fad77f3c85d8e9 0x56D7DFB0 (Thu Mar 03 01:54:40 2016)

68261823356d3471a7794a3cb5cd208101f5660b4928206a22c01df5ed0b4b52 0x56D55EC9 (Tue Mar 01 04:20:09 2016)

ec341eebee6c08daf153675698404c9c6805049c31027490432e08c783edfd2c 0x572B0294 (Thu May 05 04:21:40 2016)

Saker samples construct strings during execution. One such string is the origin of the malware’s name.

MNKit 3

The Saker PEs also contain a user agent strings (also constructed manually during execution) of Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 1.1.4531) and Mozilla/6.0 (compatible; MSIE 9.0; Wis NT 8.1; .NET CLR 2.13431). This second user agent is similar to the user agent, <code>Mozilla/4.0 (compatible; MSIE 6.0; Wis NT 5.0; .NET CLR 1.1.4322), as outlined by FireEye in 2014.

The command and control locations for the Saker samples delivered via MNKit follow:

bsnl[.]wang

www.amerikauyghur[.]top

www.onebook[.]top

amerikauyghur[.]top overlaps with the LURK0 samples previously mentioned. Both onebook[.]top (registered with a registrant email address of interestbook@sina.com and bsnl.wang (registered with a registrant email address of jgjop@yahoo.com) have resolved previously to 103.232.222[.]20.

Using AutoFocus, we were able to locate additional samples that resolved to these domains. The samples are a mix of LURK0, Saker, and PlugX. Their hashes follow:

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

02b9681c6b9b56ce6778dd360e38ffb9bd932c4e78256bc082d405b5ac2752bf

0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6

0dc315e0b3d9f4098ea5cac977b9814e3c6e9116cf296c1bbfcb3ab95c72ca99

2368f620e812e6adbb9e502a26930922b940a87c488132f2960b4bd97b94f8cc

2a791ef693d410c22ecd6bdbb2855d29816c089d914a4c30ae37df9ff2d66850

343b5b27ebe615f5b97613aa6834740bdae3a90805b6f075d39cc173783aa631

3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2

3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f

45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767

4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d

4e749de65f1bb48ec647c5bdf4dd3357f9a1b1970bf2c9e486378e5a2c99f7be

5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337

6e10e572cecf5b473ea0d75c02d1f7756a08ae0b5c294dee44d9b40f405bae95

81f7e37e6f07dea702e2fd69fc522dc756180f6b79c90e6646e719afd82d1d61

8f0f49e76275c8c129b0ad9b6c2556b0e8d678b4e7cbb20fec64346e135ca04c

940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69

9b3d54069c052a28c8edfedd9acb0a29c550e0594921c96b2d0f179ddd3dc442

9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8

aee15bbea68236cbcc622be63fa90134e5da1e7b9af5d87b99b25005a3322976

b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e

b94f87c0afa49526e807a39259552c2176c5aa26ec79896b264b676e531839fd

ba9f756ab3e7313388192547e1884eaf3f574c3256b03ac96db829dac90f8653

c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59

cb0a6704f39d89e64220be531c09d17af0232f5a2665346aace4fa4930ad6c25

cbb3b49d743c1a463b675f9b369ee8363a8c6ab211cb14df333656bad4af1e25

cf394e482e63803dea495316615d2f63fe610790cbb4fb0d967c91c569dc0be7

d90e40837ef510cd29f28ccd8caa343e22438b792c086e2a6df626948d3a3ab8

dfdbf86793cd212f8073c1531fc0b9de86df3809cee97a69c1b1b4060297ead4

dfe7dcb54842bbb9af8defd4dfeca945ca9a1d7205ad8bebdd53e471f3337b69

e20adee61a6dd2a5fbe39abc94ae4b800e69bee8955042e942ebcf1d66398154

e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601

f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54

Pivoting from the first rather unique user agent string we located the following Saker samples on totalhash:

  331594c845fc7b906d8f9bbac7ad0f46a563d86ba6fa12b5d72a9fed7f23cc3d

  e4a8996d3cfd9146c8a2c8eaedae655f006c26999e561731c449662bce1f7223

These samples beacon to http://www.togolaga[.]com (103.246.246[.]221) and unisers[.]com (123.254.104[.]32) which respectively were mentioned by the Sophos Rotten Tomatoes publication.

Within AutoFocus the user-agent string was also seen being used by the following Saker sample hashes:

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

  01a661ee0473efdd5502ac109180bc3eb45ffd5d76a433d248099f1c03bf2a01

  0d2600d978f5c1042e93b701654db080aac144dfa2877844334b1d4cd78f4a1d

  1a36de918338df965edc2405cedd3a2cc0fce7078805e6430c0f1515ef4770db

  23c5832325da3f243db7775688582c9e6e9b21edf276ba2ebfec45eae5952cbe

  25339bfd0befe9f493a6b120755e5e87b47df4aeaf4ba9f1157ff1215f37db97

  343b5b27ebe615f5b97613aa6834740bdae3a90805b6f075d39cc173783aa631

  3677534e326febb704b344dc151c9d0cfd931a72ad625b944614265b12a2677b

  5236f08f8a4097c5a7bb854be22a18672e7feacb7ff4e10c502aec518cff5b8e

  5d97ec30c481e00d4285246b528745f331be905f453e062bd9c2d506e9386f0e

  77ecd4e442d8ef7cf273cadadd6d822206e482c64e43de6298941c4c6ec8eb94

  841db1850dc2df1d62c647fd6707a24d2eb4f2e14cce6a4f46bb2a1d5e09aaa4

  89adc12913232995e2565c03f4c876953937a6b84102c15170a1034eeb3fad0f

  9a45850d4963bfe065ce979ce9e35d9b03ba6f1f065daf34819e04e775841443

  9c7959c83f1d37d38dc2db3815d78805ea7f7c49b375738576ae3800bc42324f

  9e7e88b3ada8ca3a9484aac3d3abf2fd967d5230695a66241e6101b9593ebd2a

  c4799e8a8b260b13bd7eae170e2a49459629b9d049f2a704114cd4f8a340f519

  c7d7211d1fea69ea6a9697a8f8d21ac40f6d7dc6863708b9a98930271a156c86

  d2a5cf434e8a0c63c23e6a3e5cf8a60f259099a706d2d243ffa5c7dbd46fd9d4

  dff2e340c2b66847aa7cef8a211102798d46d2bf568c9fd186522db22972f5d2

  e4a8996d3cfd9146c8a2c8eaedae655f006c26999e561731c449662bce1f7223

These resolve and connect to the following domain names:

  onebook[.]top (103.232.222[.]20)

  www.dicemention[.]com (123.108.111[.]228)

  www.updatenewes[.]com (103.246.246[.]221)

  softinc[.]pw (210.209.118[.]87)

  www.notebookhk[.]net (123.254.104[.]50)

notebookhk[.]net, also mentioned in the Rotten Tomatoes report, was at one point a known PlugX command and control domain. This domain as well as http://ift.tt/1DTmNjJ are noted Korplug (often used to load PlugX) domains outlined by ESET in a blog post here. These domains as well as other overlapping indicators, such as the export function name JustTempFun, were discussed by ProofPoint in a 2015 publication on PlugX targeting Russian military and telecom organizations and by Kaspersky in part 1 of their publication on NetTraveler.

NetTraveler Delivery

NetTraveler is a backdoor used to install other malware, steal information, and provide remote control of a compromised system. The targets previously mentioned by Kaspersky Lab of the NetTraveler operators aligns closely with the recipients of a new set of samples.

Three additional MNKit documents were located as MNKit exploit attachments. Unfortunately, we were unable to locate emails the attachments were sent with. These three samples also included SFX PE files encoded using the same decrementing XOR. Within each PE are three files which side-load NetTraveler. The files are named:

  fsguidll.exe

  fslapi.dll

  fslapi.dll.gui

The hashes and compile timestamps for each fslapi.dll follow:

8d03cead273180baaae19aca5dd84ea4b7a8c88375c5eba3c3d4b69fce563506 0x574D3F35 (Tue May 31 03:37:25 2016)

682638c3fa5447da1af53b8dd60ee9fdd8489dd5dd4606e8d06082a6a363d362 0x57513FF6 (Fri Jun 03 04:29:42 2016)

d953cd81ef92c301ad9c3f43dd183aac65719c729cdf55341954acd6da08bb23 0x571177B8 (Fri Apr 15 19:22:32 2016)

The fslapi.dll files load their accompanying fslapi.dll.gui files that are XOR encoded. The decoded fslap.dll.gui DLLs include the following embedded URLs, the first of which was previously documented by Unit 42 as a red herring within NetTraveler samples.

  http://192.168.3[.]201/downloader2013/asp/downloader.asp

  http://http://ift.tt/2960GkE

The fslapi.dll files contain an overlay that is used to decode the real C2 as documented in the same Unit 42 NetTraveler blog. The decoded command and control URLs include:

  http://http://ift.tt/296L2Ss

  http://http://ift.tt/296052q

MNKit 4

Both domains have previously resolved to 103.231.184[.]163 which has also hosted http://www.tassnews[.]net http://www.info-spb[.]com, both of which have also been used as NetTraveler command and control domains. http://www.tassnews.net is also the resolved by

ed0caf7ce1fe3b13cef5606515543536e078022c486f0266e02f2f42bd72a128

the SFX PE (encoding using the same decrementing XOR) decoded from

80ba8997067025dd830d49d09c57c0dcb1e2f303fa0e093069bd9cff29420692

another sample of this MNKit variant.

Tassnews[.]net was registered with a registrant email address of ghjksd@gmail[.]com and info-spb[.]com was registered with a registrant email address of kefj0943@yahoo[.]com. Riaru[.]net was registered with a registrant email address of fjknge@yahoo[.]com on 29 March 2016, which also registered one other domain name, yandax[.]net, on 16 June 2016 using the same authoritative DNS servers and registrar. Interfaxru[.]com was registered with a registrant email address of ganh@gmail[.]com on 18 April 2016 using the same registrar and authoritative DNS servers as riaru[.]net and yandax[.]net. Only one domain name is currently registered by ganh@gmail[.]com, however it would be no surprise if an additional domain is registered by this registrant in the near future.

Putting it All Together

While MNKit has been associated with multiple different groups the reuse of domain names, IPv4 addresses, phishing themes, XOR schemes, and email accounts are strong evidence for linkage between these new attacks and the previously documented ones. The change in PE SFX contents over the three sets of SFX PE files between February 2016 to March 2016, March 2016 to April 2016, and April 2016 to June 2016 time frames show a slight deviation is payload but consistencies in delivery methods. The best defense against MNKit is to ensure your systems are patched for CVE-2012-0158, but in situations where this isn’t possible, exploit mitigation technology like Traps is warranted.

While attribution is a challenging art, it’s likely whoever is behind these recent attacks is, through infrastructure, malware families and delivery techniques, somehow related to the previously reported attacks. The attackers have been active for years, will likely continue to be active, and seem to prefer to change tactics only subtly.

AutoFocus users can track the malware discussed above using the following tags:

Examined MNKit Samples and Payloads

MNKit MIME attachments carrying LURK0 payloads:

  d90e40837ef510cd29f28ccd8caa343e22438b792c086e2a6df626948d3a3ab8

  0dc315e0b3d9f4098ea5cac977b9814e3c6e9116cf296c1bbfcb3ab95c72ca99

  192fc3ed6259e1b226b713829dc101542b9248a686284b71eda285630b6394bc

  9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8

  0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6

  3a32d88cef7bb8b013e48a77c2845eed344ad317d28a4a45dfe33d5e7b9661c6

LURK0 payload files contained within MNKit documents:

  e20adee61a6dd2a5fbe39abc94ae4b800e69bee8955042e942ebcf1d66398154

  9b3d54069c052a28c8edfedd9acb0a29c550e0594921c96b2d0f179ddd3dc442

  29cfd443459d7a6e4974e780447f60e8f4e251f2a57afeba573086260c6af69b

  2a791ef693d410c22ecd6bdbb2855d29816c089d914a4c30ae37df9ff2d66850

  6f302dca845c679c7b243ca0b17b568d1d651770f9025874f38bbd1beb1508fe

  28fbd4373ddd0714846aeae5a6000da2233eafe4b7eb1505e83b8904525b3f28

MNKit MIME attachments carrying Saker payloads:

  8f0f49e76275c8c129b0ad9b6c2556b0e8d678b4e7cbb20fec64346e135ca04c

  cf394e482e63803dea495316615d2f63fe610790cbb4fb0d967c91c569dc0be7

  45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767

  940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69

  dfe7dcb54842bbb9af8defd4dfeca945ca9a1d7205ad8bebdd53e471f3337b69

  f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54

  343b5b27ebe615f5b97613aa6834740bdae3a90805b6f075d39cc173783aa631

  5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337

Saker payload files contained within MNKit documents:

  4bf5c328915537fbfa46d198373875c7098a719953bcdd1260704d7d40d33ff4

  ac12f86ea8f9c195bcd84f4f8cd35876d9df9bdc34d430a31e30bae410d8164f

  8ed28bdd1b95022eca20637d3a8d358c6e619a8502104f1ce9d0cf616830d93f

  97669b680a0175cc59bb82953b8d4c62f5418020fe008bfd60541375740453cd

  f942c6b977fbe009ca7d4372930eaa49961c20a1d3c03c31ebc3e5841816c082

  856a4a3abe97a4b9c10ae92d9f1d0a565893cfd2bfa934a1127f14baa6413721

  94e522b1194c3c4845436a0f0b6657beb832b469823835b1b0e81cf93d42983e

  96b4dacef4d6ca5d7ad951014f30148fa8ecc5295cf4c1fadc2d69552e2505d3

MNKit MIME attachments carrying NetTraveler payloads:

  59933209d3774e501f2384a2591db2d8ab048a3cccf3d7c028f838981a120648

  c3c453c43be714ec26ffe23626df9851efdcf65af42d4b6475f7890e96859679

  60386112fc4b0ddb833fc9a877a9a4f0fe76828ebab4457637b0827106b269fe

  80ba8997067025dd830d49d09c57c0dcb1e2f303fa0e093069bd9cff29420692

NetTraveler payload files contained within MNKit documents:

  f0911c03276b13019cc32751efcd4e79cb89848721a14fbda8892cb2183c85b9

  cc1ffa59fc1033a7d56cd858de44153b6826493af25d7b5fab351de0c1a29ce2

  97e2ec38e310e612d2a4118ecf4e513687eb47c0eff196bc4854119148e938e4

  ed0caf7ce1fe3b13cef5606515543536e078022c486f0266e02f2f42bd72a128

 

 

 


News

via Palo Alto Networks Blog http://ift.tt/1j3V34b

June 30, 2016 at 02:40PM

Time is running out to stop a $53 million cryptocurrency heist – The Verge

Time is running out to stop a $53 million cryptocurrency heist – The Verge

http://ift.tt/295JyHm

On June 17, someone stole $53 million from the DAO, an experimental investment bank built in the Ethereum cryptocurrency system — and the developers have spent the last two weeks trying to get it back.

The DAO’s withdrawal system froze the money for 27 days, and rather than let the money slip away permanently, Ethereum’s coders have decided to stop the theft by changing the basic code that the currency runs on. But making those changes is delicate and complex — and if nothing changes before July 14th, the money will be lost permanently, and the theft will be complete.


The result has been one of the most urgent coding challenges a cryptocurrency has faced so far. At the beginning of this week, it seemed as if Ethereum would clear it easily. Miners were scheduled to approve new code on today, and as of Monday, it looked like the proposed change would easily pass, saving the money with weeks to spare.

Then, the plan fell apart.

Developers had proposed a backwards-compatible change to the Ethereum code (a so-called “soft fork”) that would make the stolen money unspendable. The update would make it impossible for miners to approve any transaction involving the stolen money, so even if the thief tried to withdraw his stolen funds, that withdrawal would never make it into the blockchain. It wouldn’t restore all the stolen funds, but it would at least stop the theft in its tracks.

“I’m rooting for these guys, but it’s been a tough week.”

But two days before the vote, Cornell cryptographer Emin Gün Sirer found a nasty bug in the soft fork. The proposed change would void any contracts involving the stolen funds, Sirer wrote in a post, but the mechanism for doing so enabled an unexpected kind of denial-of-service attack. Under the soft fork, an attacker could fill up the blockchain with bogus contracts without incurring any costs, since invoking the stolen DAO funds would invalidate any contract halfway through.

Sirer imagined disgruntled attackers who “might short ETH and launch a DoS attack to profit off of the impending drop in the coin’s value… Because the attack currently has no cost, it is quite possible for these groups to launch it.”

The soft fork was already controversial for political reasons — with some characterizing it as centralized censorship — but in the wake of Sirer’s post, support for the soft fork plummeted. The current miner vote shows little support, and today’s vote is expected to overwhelmingly reject the change.

But while the soft fork is out, it’s unclear what might take its place. As Bitcoin entrepreneur Andreas Antonoopolous put it in a recent video, “we’re back to, ‘okay, what do we do now?’”

Sirer’s bug is tied to the fork’s backwards compatibility, so his preferred solution is a new version that isn’t backwards-compatible — known as a “hard fork.” That would avoid the denial-of-service bug, but leave anyone running the old version of the software completely cut off from the broader currency system.

Developers have already begun writing software for that system, but they’re facing a brutally tight deadline. The community will have only two weeks to implement the hard fork, having spent more than half its time going down a dead end. If a similar bug turns up in the new code, the result may simply be a $53 million loss for the DAO.

Former Bitcoin Foundation chairman Peter Vessenes says he believes there’s still political will to save the money, but the coding challenge is a serious one. “I’m rooting for these guys,” says Vessenes, “but it’s been a tough week.”

News

via denial of service http://ift.tt/21rHRJd

June 30, 2016 at 10:54AM

Man Booked For Hacking Wife’s Facebook Account – ValueWalk

Man Booked For Hacking Wife’s Facebook Account – ValueWalk

http://ift.tt/29eJkS8

An Indian man was booked on Wednesday, under section 66A of the Information Technology Act, for the alleged hacking of his wife’s Facebook account.

Facebook hacking

Facebook hacking, changing password and objectionable messages

The victim is Meenu, and she claims that her husband Sachin Jindal, from Faridabad, hacked his way into her Facebook account, changed her login password so she was no longer able to access her own page, and then he is alleged to have sent malicious messages to her friends.

Matrimonial difficulties

It appears that the couple had been having matrimonial difficulties for a few months. The lady now lives in sector 9A in Gurgaon. A police officer involved in the case stated, “According to the complainant, the accused hacked her Facebook account to settle scores. She approached the police when he did not mend his ways,”

He continued, “based on the complaint, a preliminary investigation was carried out by the Cyber Cell and the allegations against the man were found to be true.”

Investigation finds the husband responsible

“After an investigation it was found that Jindal changed the password and uploaded insulting posts,” Assistant Commissioner of Police Hawa Singh told IANS.

The spokesperson for the Gurgaon Police, Assistant Commissioner Hawa Singh said, “A case has been registered against the accused,” and he is expected to be arrested very soon.

High profile hacking of Mark Zuckerberg

Hacking is an all too common problem in today’s digital world. In this case it is likely the the estranged husband was able to guess the password. Meana, the victim, is in good company though. Earlier this month Mark Zuckerberg the founder and Chief Executive of Facebook had a number of his social media accounts hacked, included LinkedIn, Twitter and Pinterest.

After a huge cache of LinkedIn passwords were leaked online, it was found that Zuckerberg’s details were included. Although the passwords were encrypted with an algorithm, it was relatively easy for a Saudi Arabian group calling themselves OurMine to crack.

And what was his password… Dadada !!

Security Hoax

Facebook has recently had to deny a recent ‘privacy notice’ and has made a statement branding it as a hoax. The note was claiming that unless you copied and pasted some information, all your posts would be become public. Facebook confirmed there had been no change in its privacy policy.









News

via hacking – Google News http://ift.tt/1TBlf7L

June 30, 2016 at 11:00AM

Hackers Can Exploit LibreOffice Flaw With RTF Files

Hackers Can Exploit LibreOffice Flaw With RTF Files

http://ift.tt/297oIKH

The developers of the open source office suite LibreOffice informed users this week that they have patched a vulnerability which could allow attackers to execute arbitrary code using specially crafted RTF files.

The vulnerability, found by Cisco Talos researchers and tracked as CVE-2016-4324, affects the RTF parser in LibreOffice. The flaw can be exploited with an RTF document that contains both a stylesheet and a superscript token.

“A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be able to be used to execute arbitrary code,” Cisco said.

The attacker needs to somehow trick the targeted individual into opening a malicious RTF file in order to trigger the exploit. It’s not uncommon for cybercriminals to exploit RTF parser vulnerabilities in Microsoft Office to deliver malware and this flaw shows that such attacks are also possible against LibreOffice users.

The issue has been addressed with the release of LibreOffice 5.1.4. Cisco says there is no evidence that this vulnerability has been exploited in the wild, but users are advised to update their installations to protect themselves against potential attacks.

The developers of various Linux distributions are also analyzing the issue and some have already released package updates to patch the flaw.

This is the third vulnerability confirmed by LibreOffice developers this year. In February, The Document Foundation informed users that researchers from VeriSign’s iDefense Labs had identified a couple of memory corruption bugs that could have been exploited to cause a denial-of-service (DoS) condition using specially crafted Lotus Word Pro files.

Cisco Talos researchers recently identified flaws in many popular products, including the chat client PidginTrane thermostats, and the Lhasa, Libarchive and 7-Zip archivers.

Related Reading: Cisco Finds Backdoor Installed on 12 Million PCs

Related Reading: 3.2 Million Devices Exposed to Ransomware Attacks



Previous Columns by Eduard Kovacs:

Tags:

News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

June 30, 2016 at 10:43AM

Conficker Used in New Wave of Hospital IoT Device Attacks

Conficker Used in New Wave of Hospital IoT Device Attacks

http://ift.tt/295qLQT

Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps are increasingly being targeted by hacker seeking to steal patient medical records from hospitals. Attackers consider the devices soft digital targets, seldom guarded with same security as client PCs and servers within hospitals.

In a report by security firm TrapX Labs, researchers found that the dearth of cyber defenses on clinical IoT medical equipment was tied to a resurgence of old malware such as networm32.kido.ib and the notorious Conficker worm. In its paper MEDJACK.2 Hospitals Under Siege (PDF), researchers describe how modern hospital security systems overlook protecting internet-connected devices running Windows XP or unpatched versions of Windows 7 and Windows 8 making them an easy target for ancient exploits.

“The malware utilized for this attack was specifically selected to exploit older versions of Windows… It enabled the attacker to install a backdoor within the enterprise, from which they could launch their campaign and quietly exfiltrate data and perhaps cause significant damage using a ransomware attack,” TrapX wrote in its report.

In its 2009 heyday Conficker was estimated to have infected between 9 million to 15 million computers. The computer worm was known for constantly morphing as Conficker authors regularly updated the code. The worm targets Microsoft’s Windows operating system and was notorious for cracking passwords, hijacking Windows computers and enlisting them into botnets that distributed spam and installed scareware.

Researchers say they have captured new samples of the Conficker worm that has been updated with an enhanced ability to laterally move within a network and target specific types of medical devices. Researchers say malware is being delivered via spear phishing attacks against hospital staff. Researchers say once Conficker or networm32.kido.ib infects and wends its way inside a network attackers use command-and-control instructions to deliver additional “more sophisticated” malware to devices.

“Wrapped inside an out-of-date malware wrap­per for networm32.kido.ib, we determined that the malware was in fact quite sophisticated, and capable of ‘jumping’ or moving between networks successfully. The almost harmless net­worm, easily ignored by Windows 7 patched systems, Windows 8 platforms and new oper­ating systems, exploited a vulnerability within Windows XP to load a RAT (remote access tool) so the attacker could load sophisticated, state of the art attacker software components,” according to the report.

In its previous 2015 report TrapX noticed similar types of attacks inside hospitals and healthcare facilities. What’s new is, “The old exploits such as Conficker are being used in tandem with much more sophisticated payloads that are able to go deeper into a hospital network and target specific devices that can gain criminals easier access to patient records,” said Moshe Ben-Simon, co-founder of Trapx Labs.

Patient records are quickly becoming a hot commodity on the dark web. Ben-Simon said medical records are known to hold greater value on the black market over other items such as credit card data. That’s because criminals can steal a patient’s identity and not just extend credit in their names, but also have costly prescriptions filled. “Insurance pays for the prescription and attackers can resell the drugs on the black market,” Ben-Simon said.

TrapX estimates that medical records fetch $10 to $20 per record on the black market versus about $5 for one financial profile.

Last week records for 655,000 patients wound up on the web that were allegedly stolen from three healthcare organizations. In the case of these records, attackers claim to have obtained the data via a remote desktop protocol attack.

According to the TrapX report, which studied real-world infections at three hospitals, a forensic investigation revealed that the presence of the Conficker worm failed to generate any cybersecurity alarms. TrapX reported the Conficker worm went unnoticed out of a lack of concern for the ancient exploit. “Medical devices are ‘black boxes’ and their internal software operations are not visible to the hospital cyber defense team. They run out of date operating systems, such as Windows 7 or Windows XP which are highly vulnerable and almost completely unprotected,” wrote researchers.

Ben-Simon said those medical devices are extremely attractive targets because each one of them is highly connected and link to a community additional vulnerable medical devices that link to high value patient data. “All it takes is one successful at­tempt for the attacker to establish a backdoor, find and steal data, or use automated tools to set a ransomware attack in motion,” according to the report.

News

via Threatpost | The first stop for security news http://threatpost.com

June 30, 2016 at 09:49AM

Dridex and Locky authors revamped the Bart malware

Dridex and Locky authors revamped the Bart malware

http://ift.tt/292Ko7r

The authors responsible for Dridex and Locky malware have recently made another appearance, this time with their latest release – Bart malware.

Similar to other ransomware, infected users are notified of the compromise with their desktop backgrounds changed with a warning, confirming that their files have been encrypted and offering a number of URLs accessible via the TOR network where they can receive instructions on obtaining their private keys. Recovery instructions are also placed into a text file names recover.txt and located in many of the users folders.

bart malware

A screenshot of the desktop wallpaper recover.bmp

Unlike previous versions the cost of unlocking encrypted files has increased dramatically to 3 bitcoins (at time of writing equating to around 1425 Pounds Sterling or 1900 US Dollars) compared to the initial 0.5 or 1 bitcoin of its predecessors.

This particular ransomware was first discovered a few days ago by security vendor Phishme.

It differs greatly in operation from previous malware from presumably the same authors, notably in its lack of reliance on Command and Control servers, thus reducing the required investment and complexity on the attacker’s side.

Similar to Locky and Dridex the tool employs rogue JavaScript, invoking the Rockloader malware for delivery which is disseminated via ZIP attachments within emails, often containing permutations of the names photos.zip, pictures.zip or image.zip.

Other similarities include the payment portals, coding structure, email distribution mechanism and curiously the encryption of .n64 ROM files, with Locky being the only other malware to do this.

The ransom note, which displays itself as the desktop background is localized for English, Spanish, French, German and Italian and interestingly if the user’s language pack is detected in Russian, Ukrainian or Belorussian the users’ files aren’t encrypted.

Instead of employing the typical C2 key pair storing procedure where the encrypted files key is passed to the attackers command servers only available on release following payment of the ransom, Bart malware operates by placing the victims files in password protected ZIPs.

bart malware 2

Bart malware ’s payment portal, almost identical to that of Locky

The methods of operation and increased cost in terms of the price of the ransom, shows a worrying change in direction from the authors of these already difficult and potentially crippling digital infections.

The cost of operations and complexity have reduced on the attackers side, which arguably will see a rise in the volume of these attacks as the tools become more accessible to a larger number of malicious players.

The hardest hit in this latest wave won’t be the organizations who can respond quickly to these threats, employ an adequate backups system for restore in occasion of compromise and have the ability the filter the included attachment names at the perimeter but instead the numerous security naive end users on their home machines.

This, coupled with the increased cost for unlocking, could see Bart malware as one of the most destructive and intrusive forms of malware to date, particularly within the public realm.

Written by: Steven Boyd

Steven Boyd

Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

 

 

Pierluigi Paganini

(Security Affairs – Bart malware, hacking)

The post Dridex and Locky authors revamped the Bart malware appeared first on Security Affairs.

News

via Security Affairs http://ift.tt/Lp7iZa

June 30, 2016 at 08:09AM