Sunday 12 July 2015

Second Flash Player Zero-day Exploit found in 'Hacking Team'

Another Flash zero-day exploit has emerged from the hundreds of gigabytes of data recently leaked from Hacking Team, an Italian surveillance software company that has long been accused of selling spying software to governments and intelligence agencies.
The critical zero-day vulnerability in Adobe Flash is a use-after-free programming flaw (CVE-2015-5122). It is similar to the CVE-2015-5119 Flash vulnerability patched last week and allows an attacker to hijack vulnerable computers.

Adobe says that cyber criminals are apparently already exploiting this vulnerability, for which no patch exists yet. This is the second time in a single week that the company has had to work on a fix for a zero-day vulnerability in its Flash Player software.

Flash Zero-Day Flaw in the Wild

Exploit code for this flaw is already available online, allowing an attacker to remotely execute malicious code on victims' computers and install malware, Adobe said in an advisory published late Friday.

"Successful exploitation [of CVE-2015-5122 flaw] could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said.

The zero-day vulnerability is present in the latest Adobe Flash Player version 18.0.0.204 and earlier versions for Windows, Linux and OS X.

Adobe credited FireEye researcher Dhanesh Kizhakkinan for reporting the vulnerability, which was documented in the stolen data leaked from Hacking Team.
Once again, we advise everyone with Flash installed to remove or disable the software until the company patches the critical security bug.

Sunday 9 November 2014

APT28 — State Sponsored Russian Hacker Group


A cyber espionage group active for nearly a decade, which targeted a variety of Eastern European governments and security-related organizations including the North Atlantic Treaty Organization (NATO), has been exposed by a security research firm.

The US intelligence firm FireEye released its latest Advanced Persistent Threat (APT) report on Tuesday, which said that the cyber attacks targeting various organisations would be of interest to Russia and "may be" sponsored by the Russian government.

The report, entitled "APT28: A Window Into Russia's Cyber Espionage Operations" and published by FireEye, has "evidence of long-standing, focused operations that indicate a government sponsor - specifically, a government based in Moscow."
"Despite rumours of the Russian government's alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage," Dan McWhorter, FireEye vice president of Threat Intelligence, wrote in a blog post discussing the report.
"FireEye's latest APT report sheds light on cyber espionage operations that we assess to be most likely to be sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks."
The cyber-espionage group is believed to have been operating since at least 2007 in order to steal political and state secrets from businesses and foreign governments. The group launched cyber attacks on the Georgian government and other governments in Eastern Europe, as well as NATO and the Organisation for Security and Co-operation in Europe, according to the report.

Whereas Russian cyber criminal groups are known for conducting massive cyber campaigns aimed at stealing money and financial information, APT28 focuses on "privileged information related to governments, militaries and security organizations."
"This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain," FireEye stated in the report. "Nor have we observed the group steal and profit from financial account information."
The security firm found that the malware used by APT28 features consistent use of the Russian language. Moreover, more than 96 percent of the malware samples analyzed by the researchers were compiled between Monday and Friday, between 8AM and 6PM in the time zone matching working hours in Moscow and St. Petersburg. This regularity suggests that the hackers were in Moscow, the report argues.
APT28 Hacker Group — Cyber Espionage Attacks Tied to Russian Government
The APT28 group has constantly updated their software and made the resulting binaries difficult to reverse engineer. It used a downloader tool that FireEye dubbed "SOURFACE", a backdoor labelled "EVILTOSS" that gives hackers remote access and a flexible modular implant called "CHOPSTICK" to enhance functionality of the espionage software.

Infection is usually achieved via a spear phishing email with a relevant lure and the malware hidden in the attachment. The hacker group has also created a number of fake domains for UK-based defence events, including the Counter Terror Expo, as part of the operation to gather intelligence on attendees.

Using the tools mentioned above, the group can access the file system and registry, enumerate network resources, create processes, log keystrokes, access stored credentials, execute shellcode, and encrypt exfiltrated data with an RSA public key before uploading it.
"The coding practices evident in the group's malware suggest both a high level of skill and an interest in complicating reverse engineering efforts," the report stated.
In another report, a top White House official confirmed that Russian hackers have broken into the unclassified White House computer networks: "we identified activity of concern on the unclassified Executive Office of the President network."

Russia has been suspected of attacks on Ukraine too, including attempts to gain access to politicians’ mobile phone communications.

Friday 7 November 2014

FBI Seize Silk Road 2.0 Servers; Admin Arrested

The U.S. Federal Bureau of Investigation has announced that it arrested "Silk Road 2.0" operator Blake Benthall, who used the alias "Defcon", in California on Wednesday and charged him with conspiracy to commit drug trafficking, computer hacking, money laundering and other crimes.

Silk Road 2, an alternative to the notorious online illegal-drug marketplace that went dark in October of 2013, has been seized in a joint action involving the FBI, Department of Homeland Security, and European law enforcement.
"As alleged, Blake Benthall attempted to resurrect Silk Road, a secret website that law enforcement seized last year, by running Silk Road 2.0, a nearly identical criminal enterprise," Manhattan US Attorney Preet Bharara said in a statement. "Let’s be clear—this Silk Road, in whatever form, is the road to prison. Those looking to follow in the footsteps of alleged cybercriminals should understand that we will return as many times as necessary to shut down noxious online criminal bazaars. We don’t get tired."
The arrest comes almost a year after the arrest of San Francisco man Ross William Ulbricht, also known as "Dread Pirate Roberts," the alleged founder of the dark Web online drug bazaar "Silk Road", which generated $8 million in monthly sales and attracted 150,000 vendors and customers. At that time, the FBI seized the notorious site, but the very next month a nearly identical site, Silk Road 2.0, opened for business.

The Feds and the US Department of Justice claim 26-year-old Blake Benthall launched the notorious Silk Road 2.0 on Nov. 6, 2013, five weeks after the shutdown of the original Silk Road website and arrest of its alleged operator.

Benthall appeared Thursday afternoon in federal court before Magistrate Judge Jaqueline Scott Corley, where Assistant US Attorney Kathryn Haun told the judge that Benthall is a "severe flight risk," according to the San Francisco Chronicle.

Benthall is charged with conspiring to commit narcotics trafficking, conspiring to commit computer hacking, conspiring to traffic in fraudulent identification documents and money laundering. If convicted, he could be sentenced to life in prison.

Silk Road 2.0 operated much the same way as its predecessor did: it sold illegal goods and services on the Tor network and generated millions of dollars each month. As of September 2014, Benthall allegedly processed $8 Million in monthly sales, according to the FBI.

In order to maintain the anonymity of buyers and sellers, Silk Road 2.0 required transactions to be made entirely in Bitcoin and was accessed through The Onion Router, or Tor, which conceals Internet Protocol (IP) addresses, enabling users to hide their identities and locations.

According to the FBI, it bought 1 kilogram of heroin, 5 kilograms of cocaine, and 10 grams of LSD from Silk Road 2.0, apparently from Benthall himself.
"The offerings on Silk Road 2.0 consisted overwhelmingly of illegal drugs, which were openly advertised as such on the site. As of October 17, 2014, Silk Road 2.0 had over 13,000 listings for controlled substances," reads the complaint.
"Silk Road 2.0 had over 13,000 listings for controlled substances, including, among others, 1,783 listings for 'Psychedelics,' 1,697 listings for 'Ecstasy,' 1,707 listings for 'Cannabis,' and 379 listings for 'Opioids.'"

Thursday 6 November 2014

Samsung 'Find My Mobile' Flaw Allows Hacker to Remotely Lock Your Device


The National Institute of Standards and Technology (NIST) is warning users of a newly discovered zero-day flaw in the Samsung Find My Mobile service, which fails to validate the source of lock-code data received over the network.

The Find My Mobile feature implemented by Samsung in its devices is a mobile web service that gives Samsung users a set of features to locate a lost device, to play an alert on it, and to lock it remotely so that no one else can access the lost device.

The vulnerability in Samsung's Find My Mobile feature was discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an Information Security Evangelist from Egypt. The flaw is a Cross-Site Request Forgery (CSRF) that could allow an attacker to remotely lock or unlock the device and even make it ring.

Cross-Site Request Forgery (CSRF or XSRF) is an attack that tricks the victim's browser into loading a page containing specially crafted HTML. Basically, an attacker uses a CSRF attack to trick a victim into clicking a link that issues malicious or unauthorized requests.

The forged request carries the same privileges as the authorized user and performs an undesired action on the victim's behalf, such as changing the victim's e-mail address, home address, or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but they can also be used to access a victim's sensitive data.
"In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website," Elnoby said.
The researcher has also provided a proof-of-concept (PoC) video that explains in detail how he made the attack work against Samsung's Find My Mobile feature.


According to the researcher, the first attack, which remotely locks the victim's device, is critical if exploited because the attackers can lock the device with a lock code of their own choice, forcing the victim to recover the lock code through his Google Account.
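To make the server-side failure concrete, here is an added illustration (not Samsung's code, and not part of the original article) of a lock handler that trusts the session cookie alone, next to the same handler with the standard CSRF defences: a POST-only state change, an Origin check and a per-session secret token. The service origin, session store and request shape are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed placeholder origin for the lock service; not Samsung's real endpoint.
SITE_ORIGIN = "https://findmymobile.example"

@dataclass
class Session:
    user: str
    # Per-session anti-CSRF secret; a page on another origin can never read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    origin: Optional[str]       # Origin header, None when the browser sent none
    cookies: Dict[str, str]
    form: Dict[str, str]

SESSIONS: Dict[str, Session] = {}  # session id -> Session
LOCKED: Dict[str, str] = {}        # user -> lock code currently applied

def lock_device_vulnerable(req: Request) -> int:
    """Trusts the session cookie alone. The browser attaches that cookie to a
    form post from any site, so a cross-site page can set the lock code."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401
    LOCKED[sess.user] = req.form["lock_code"]
    return 200

def lock_device_fixed(req: Request) -> int:
    """Same handler with the checks that defeat CSRF: state changes only on
    POST, the Origin must be our own site, and the request must carry the
    session's secret token (compared in constant time)."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    if req.origin != SITE_ORIGIN:
        return 403
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return 403
    LOCKED[sess.user] = req.form["lock_code"]
    return 200

def simulate(handler):
    """Run one legitimate request and one constructed cross-site request through
    handler; returns (legit status, forged status, lock code left on the device)."""
    SESSIONS.clear()
    LOCKED.clear()
    sess = Session(user="alice")
    SESSIONS["s1"] = sess
    legit = Request("POST", SITE_ORIGIN, {"sid": "s1"},
                    {"lock_code": "1234", "csrf_token": sess.csrf_token})
    # Forged: cookie present (the browser adds it), foreign Origin, no token.
    forged = Request("POST", "https://attacker.example", {"sid": "s1"},
                     {"lock_code": "9999"})
    return handler(legit), handler(forged), LOCKED.get("alice")
```

Against the vulnerable handler the forged post is accepted and the attacker's code ends up on the device; against the fixed handler it is rejected with 403 and the user's own code stays in place.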

US-CERT/NIST identified the vulnerability in Samsung Find My Mobile as CVE-2014-8346 and rated the severity of the flaw as HIGH, with an exploitability score of 10.0.
"The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic," the security advisory issued by the NIST states.

New BlackEnergy Crimeware Enhanced to Target Linux Systems and Cisco Routers


Security researchers at Kaspersky Lab have unearthed new capabilities in the BlackEnergy crimeware, which is now able to compromise routers, Linux systems and Windows machines, and targets industry through Cisco network devices.

The antivirus vendor’s Global Research & Analysis Team released a report Monday detailing some of the new “relatively unknown” custom plug-in capabilities that the cyber espionage group has developed for BlackEnergy to attack Cisco networking devices and target ARM and MIPS platforms.

The malware was upgraded with custom plugins including Ciscoapi.tcl, which targets The Borg's kit. According to researchers, the upgraded version contained various wrappers over Cisco EXEC commands and "a punchy message for Kaspersky," which reads, "F*uck U, Kaspersky!!! U never get a fresh B1ack En3rgy. So, thanks C1sco 1td for built-in backd00rs & 0-days."

The BlackEnergy malware program was originally created and used by cybercriminals to launch Distributed Denial-of-Service (DDoS) attacks. The malware developers then added custom plugins used to funnel banking information.

Most recently BlackEnergy malware was observed in alleged state-sponsored attacks targeting the North Atlantic Treaty Organization (NATO), Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year.

Now, the cyber espionage group has enhanced the malware program, which also has capabilities such as port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and even hard disk wiping and destruction.

When a victim became aware of the BlackEnergy infection on their system, the attacker activated "dstr", a plugin that destroys hard disks by overwriting them with random data. A second victim was compromised using VPN credentials taken from the first victim.

Security researchers Kurt Baumgartner and Maria Garnaeva also came across a BlackEnergy version that works on ARM- and MIPS-based systems and found that it had compromised networking devices manufactured by Cisco Systems.

However, the experts are not sure of the purpose of some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS (Basic Input/Output System), motherboard, and processor of infected systems.
"We are pretty sure that our list of [BlackEnergy] tools is not complete," the researchers wrote. "For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files."
Multiple unnamed victim companies in different countries were targeted with the latest BlackEnergy malware, including victims in Russia, Germany, Belgium, Turkey, Libya, Vietnam and several other countries.

Another crimeware group, the Sandworm Team, is believed to have used BlackEnergy exclusively throughout 2014 at victim sites, adding custom plugins and scripts of its own. Also last month, the Sandworm Team targeted organizations across the world in an espionage campaign, and iSIGHT Partners revealed that the team used spear phishing as the major attack vector against its targets.

Google Releases 'nogotofail' Network Traffic Security Testing Tool


Google introduced a new security tool to help developers detect bugs and security glitches in the network traffic security that may leave passwords and other sensitive information open to snooping.

The open source tool, dubbed Nogotofail, has been launched by the technology giant in the wake of a number of vulnerabilities discovered in implementations of transport layer security, from the critical Heartbleed bug in OpenSSL to Apple's gotofail bug to the recent POODLE bug in SSL version 3.

The company has made the Nogotofail tool available on GitHub, so that anyone can test their applications, contribute new features to the project, provide support for more platforms, and help improve the security of the internet.

Android security engineer Chad Brubaker said that Nogotofail's main purpose is to confirm that internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and Secure Sockets Layer (SSL) encryption issues.

The network security testing tool includes tests for common SSL certificate verification issues, HTTPS and TLS/SSL library vulnerabilities and misconfigurations, SSL and STARTTLS stripping issues, clear-text traffic issues, and more.
"Google is committed to increasing the use of TLS/SSL in all applications and services. But 'HTTPS everywhere' is not enough; it also needs to be used correctly," Brubaker wrote in a blog post.
"Most platforms and devices have secure defaults, but some applications and libraries override the defaults for the worse, and in some instances we've seen platforms make mistakes as well. As applications get more complex, connect to more services, and use more third party libraries, it becomes easier to introduce these types of mistakes."
Nogotofail tool, written by Android engineers Chad Brubaker, Alex Klyubin and Geremy Condra, works on devices running Android, iOS, Linux, Windows, Chrome OS, OS X, and “in fact any device you use to connect to the Internet.” The tool can be deployed on a router, a Linux machine, or a VPN server.

The company says it has been using the Nogotofail tool internally for "some time" and has worked with developers to improve the security of their apps before releasing it. "But we want the use of TLS/SSL to advance as quickly as possible," Brubaker said.

The Nogotofail tool requires Python 2.7 and pyOpenSSL>=0.13. It consists of an on-path network man-in-the-middle (MITM) component designed to run on Linux machines, plus optional clients for the devices being tested.
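The "overriding the defaults for the worse" mistake Brubaker describes, and the certificate-verification checks Nogotofail is built to catch, look like this in a Python 3 client (an added example written for this post, not Nogotofail's own code): the weakened context next to a hardened one, plus a small audit function that reports what a tester would flag.

```python
import ssl

def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: an app starts from the platform context and then
    switches certificate and hostname verification off entirely, so any
    on-path party with a self-signed certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # any certificate from any issuer passes
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Keep the platform defaults (CERT_REQUIRED plus hostname checking) and
    pin an explicit TLS 1.2 floor so SSLv3-era fallback is never negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client SSLContext (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed")
    return findings
```

The audit runs offline on the context object itself; Nogotofail makes the same determination from the network side by presenting a bad certificate and watching whether the client proceeds.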

Wednesday 5 November 2014

The Pirate Bay's 3rd and the Last Founder Arrested After 4 Years On The Run


Fredrik Neij, known online as "TiAMO", the third and last founder of the popular file-sharing website The Pirate Bay, has been arrested while driving across the border between Laos and Thailand.

The 36-year-old fugitive was convicted by a Swedish court in 2009 of aiding copyright infringement, and has now been arrested under an Interpol warrant after four years on the run.

The Pirate Bay allows users to share files, including copyrighted content such as movies and music, through peer-to-peer technology.

He fled the country after being released on bail and had been living in Laos with his wife and children since 2012. Neij was arrested on Monday while trying to cross a border checkpoint in Nong Khai province, about 385 miles northeast of Bangkok, with his wife, Police said.
"Mr. Neij will be transferred to the immigration headquarters in Bangkok on Wednesday where the Swedish embassy is expected to pick him up and bring him back to Sweden," WP reported.
According to Neij's travel records, he and his family have traveled to Thailand about 30 times since his passport was revoked by the Swedish Embassy in Bangkok in 2012.

His photo had been given to the immigration police in Nong Khai. It may have been a coincidence, but, unluckily for him, Neij was wearing the same grey T-shirt while crossing the border as in that photo.
"The immigration police officer who spotted him in the car recognized him, so he pulled his car over,” Regional immigration police commissioner Major General Chartchai Eimsaeng said.
Last week, Pirate Bay's first founder, Gottfrid Svartholm, who used the alias "Anakata" on the Internet, was found guilty of hacking by a Danish court and is now serving a three-and-a-half-year sentence, while the second founder, Peter Sunde, is serving the final days of an eight-month sentence in Sweden.

Anyways, the awesome 'The Pirate Bay' website is of course still alive and Kicking!