Understanding jQuery Security via /r/netsec

Submitted September 30, 2016 at 06:22PM by grizzly_wintergreen
via reddit http://ift.tt/2dBBPrE

TLS version intolerance – Working around bugs in legacy TLS stacks via /r/netsec

Submitted September 30, 2016 at 03:26PM by ttaubert
via reddit http://ift.tt/2cGiTY9

DressCode and its Potential Impact for Enterprises

Threats to mobile users have grown quickly in the span of only a few months. Trend Micro’s Mobile App Reputation Service (MARS) has counted 16.6 million malware detections as of August 2016, a 40% leap from detections listed in January. The Android platform continues to be particularly susceptible, with one specific malware family called “DressCode” steadily and stealthily spreading since April before reports about it surfaced in August. This malware gives attackers an avenue into internal networks which compromised devices are connected to—a notable risk if the device is used to connect to company networks.

Trend Micro detects this as ANDROIDOS_SOCKSBOT.A and has found at least 3,000 Trojanized apps. The Trojanized apps were hosted by several well-known Android mobile markets, including more than 400 detected on Google Play. They range from recreational apps like games, skins, and themes to phone optimization boosters. The malicious code makes up only a small part of each app, which makes it difficult to detect.

Figure 1. According to its Google Play page, this app has been installed 100,000 - 500,000 times

Figure 2. The structure of the malicious code

Multiple threats possible with DressCode

Once the Trojanized app is installed, DressCode connects with its command and control (C&C) server—in earlier versions the malware authors used a hardcoded IP address for its C&C server, but it has since been replaced by a domain. A background service creates a Transmission Control Protocol (TCP) socket that connects the compromised device with the C&C server and sends a “HELLO” string to finish registering. Once the C&C server replies, a “CREATE, <Attacker IP>, <Port>” command prompts the device to establish a TCP connection between it and the attacker. This allows the device to receive commands from the attacker via the SOCKS protocol.

The compromised device can act as a proxy that relays traffic between the attacker and internal servers the device is connected to—think of it as a tunnel. Since the device is behind the router, it can still initiate an outbound TCP connection to the C&C server. After the SOCKS proxy is set up, it can forward commands from the C&C server to other machines connected to the same LAN. This lets the attacker reach internal servers even though they, too, are located behind the router.
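The HELLO / CREATE registration exchange described above is a usable detection signal: a device that sends "HELLO" to a remote host and is answered with a "CREATE, <ip>, <port>" instruction is asking to become a SOCKS relay. The following is an added example (not code from the Trend Micro write-up) that parses CREATE commands and flags that sequence in captured TCP payloads; the exact framing of the command (comma-separated, one per line), the flow-record shape (a dict with 'src', 'dst' and an ordered 'payloads' list of (direction, text) chunks) and all addresses are assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed framing (the page does not give it verbatim): one line of the form
# "CREATE, <ip>, <port>", whitespace around the commas optional.
CREATE_RE = re.compile(r"^CREATE\s*,\s*([^,\s]+)\s*,\s*(\d{1,5})$")
# RFC 1918 and loopback ranges; a relay target outside them points at the attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_create(payload):
    """Return (ip, port) for a well-formed CREATE command, else None."""
    m = CREATE_RE.match(payload.strip())
    if not m:
        return None
    ip_text, port_text = m.groups()
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    port = int(port_text)
    return (str(ip), port) if 1 <= port <= 65535 else None

def find_socksbot_handshakes(flows):
    """Flag flows where a device sent HELLO and then got a CREATE back (the
    registration pattern described above); flow dicts are a constructed shape."""
    hits = []
    for flow in flows:
        said_hello = False
        for direction, text in flow["payloads"]:
            if direction == "c2s" and text.strip() == "HELLO":
                said_hello = True
            elif direction == "s2c" and said_hello:
                parsed = parse_create(text)
                if parsed:
                    target = ipaddress.ip_address(parsed[0])
                    hits.append({"device": flow["src"], "c2": flow["dst"],
                                 "relay_to": parsed[0], "relay_port": parsed[1],
                                 "external": not any(target in n for n in INTERNAL_NETS)})
                    break
    return hits

# Constructed sample flows (documentation-range addresses, not real captures).
SAMPLE_FLOWS = [
    {"src": "10.0.0.23", "dst": "203.0.113.10",
     "payloads": [("c2s", "HELLO\n"), ("s2c", "CREATE, 198.51.100.7, 1080\n")]},
    {"src": "10.0.0.24", "dst": "93.184.216.34",
     "payloads": [("c2s", "GET / HTTP/1.1\r\n"), ("s2c", "HTTP/1.1 200 OK\r\n")]},
    {"src": "10.0.0.25", "dst": "203.0.113.10",  # CREATE without a prior HELLO
     "payloads": [("s2c", "CREATE, 198.51.100.7, 1080\n")]},
]
```

Only the first sample flow is reported; the plain HTTP flow and the CREATE that arrives without a preceding HELLO are ignored, so the rule keys on the sequence rather than on the string alone.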

Figure 3. Received commands from the C&C server

Figure 4. Set up a SOCKS proxy to relay traffic between the attacker and internal server

This general-purpose tunnel can serve many ends, and the device owner—as well as any network he is connected to—is exposed to a variety of security risks.

  • This malware allows threat actors to infiltrate a user’s network environment. If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard. With the growth of Bring Your Own Device (BYOD) programs, more enterprises are exposing themselves to risk via carefree employee mobile usage. According to Trend Micro data, 82% of businesses implement BYOD or allow employee personal devices for work-related functions. While this program can increase employee productivity, it can also make companies vulnerable to malware like DressCode.

Figure 5. Infected mobile devices allow clients to bypass a NAT device and attack internal servers

  • The malware installs a SOCKS proxy on the device, building a general purpose tunnel that can control and give commands to the device. It can be used to turn devices into bots and build a botnet, which is essentially a network of slave devices that can be used for a variety of schemes like distributed denial-of-service (DDoS) attacks—which have become an increasingly severe problem for organizations worldwide—or spam email campaigns. The botnet can use the proxied IP addresses also generated by the malware to create fake traffic, disguise ad clicks, and generate revenue for the attackers.

Figure 6. Large botnets can launch powerful DDoS attacks against enterprises and organizations.

  • A compromised mobile device can also be used to reach other devices connected to the same home network. A weak home router password will make it easier for an attacker to discover the IP address of other connected devices and establish control. For example, an IP camera connected to the same router as the mobile device would be vulnerable and could expose users to privacy risks—potentially attackers could access and record the video feed.

Figure 7. Privacy becomes a concern as devices like IP cameras can be hacked

While DressCode’s infection methods and behavior aren’t unique, the number of Trojanized apps that found their way into a legitimate app store is certainly significant. In response to the growing threat, here are some general safety tips to prevent malware from compromising your device:

    1. Check your apps. If you are downloading a new app, make sure it’s from a legitimate app store. Check reviews online and on the download page, and do a little research to make sure it’s not a malicious app.
    2. Update regularly. Make sure your operating system is updated. The latest patches can ensure that the latest identified vulnerabilities are fixed.
    3. Be aware of the risks of rooting. Rooting removes security restrictions and safeguards specifically placed by manufacturers to keep your device protected. The system will be more vulnerable to malware and other dangerous code if the device is rooted.
    4. Avoid unsecured Wi-Fi. This will reduce the risk of threat actors connecting to your phone without your knowledge. Also, make sure to disable the option on your device that connects automatically to available Wi-Fi.
    5. Use a Virtual Private Network (VPN). If you do need to connect to public Wi-Fi, make sure to use a VPN. It secures your device’s Internet connection and protects the data you’re sending and receiving through encryption.

Users can also benefit from layered mobile security solutions such as Trend Micro™ Mobile Security. The solution has a malware blocker feature that bars threats from app stores before they can be installed and cause damage to your device or data. Enterprises should invest in solid mobile device management solutions. Trend Micro™ Safe Mobile Workforce™ offers a virtualized mobile infrastructure where company data is securely stored on corporate servers and separated from personal apps and data.

Trend Micro has already detected samples that infected enterprise users in the United States, France, Israel, and Ukraine—with still more being detected in other countries. These users can successfully avoid the threat with Trend Micro™ Mobile Security for Enterprise. This solution includes device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.

Related SHA1s detected as ANDROIDOS_SOCKSBOT.A:

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

VESK coughs up £18k in ransomware attack

Exclusive: Hosted desktop and cloud provider VESK is staggering back to its feet after paying 29 Bitcoins (£18,600) in a ransomware attack earlier this week.

VESK became aware that one of its environments had been impacted by a ransomware virus on Monday (26 September) at 3am.

This virus was a new strain of the Samas DR ransomware, which affected one of VESK’s multi-tenanted environments. Around 15 per cent of VESK’s clients were on that platform.

Because this was a new strain, VESK’s antivirus provider Sophos had not yet been updated to detect it – something other antivirus providers were also yet to do.

Nigel Redwood, chief exec of VESK’s parent company, Nasstar, said: “On Monday the first thing we did was search the environment and kill the process. We then spent time to determine the quickest route to restore services.

“We decided to do that by running restores from backups and also paying for the decryption keys, to attack the problem from both angles.”

He said the company restored the email, but purposefully didn’t get Citrix up until it could identify where and how the infection originated from.

“Once we did, we began the process of getting Citrix back online for users.”

The majority of services are now back up for customers, as the decryption process nears completion.

The company will undergo a control and compliance audit with its ethical hacker, and in addition has engaged Falanx to assist in the audit.

It has notified the Cyber Security Information Sharing Partnership (CISP), which has reported the attack as a criminal activity.

“We are doing everything we can to mitigate against this happening again.”

“We’ve been deeply apologetic to our clients; we have a shift of people working 24/7 to resolve this. Myself and team have also been meeting with customers.”

Ransomware attacks are becoming increasingly prevalent, with security consultant Trend Micro naming it the biggest threat to companies this year.

Joseph Bonavolonta, an assistant special agent with the FBI, has previously said firms that fall victim to infection from file encrypting ransomware should simply pay the ransom. ®