Skip to content
Apr 23 14

Kaspersky on SmartTV malware … it’s question of time

by paganinip
eugene kaspersky

Eugene Kaspersky explained that SmartTV are vulnerable to malware-based cyber attacks, it’s a question of time to assist a large-scale infection.

In the last months we discussed about possible infection through the Internet of Things, in particular, we focused on cyber attacks on home appliances including Routers, SmartTV, refrigerators and ovens. The number of smart devices is growing at an exponential rate, but security experts believe that IT industries is not responding with implementation of principal security requirements.
As explained by Eugene Kaspersk (CEO of Kaspersky Lab),  in an interview with the Telegraph,  a computer malware  could infect our domestic network propagating itself from desktop PC and infecting our SmartTV.
The impact is dramatically serious if we consider by 2016 over 100 million SmartTV will  be deployed in our homes, a unique opportunity for hackers and cyber criminals.
Eugene Kaspersky remarked that any device exposed on the Internet is vulnerable to cyber attacks.
The threats will diversify to mobile phones and to the home environment, such as through televisions, which are now connected to the Internet,” said Kaspersky.
Malware authors will specialize their malicious code to infect our domestic networks, the Internet of Things will be the next battlefield for cyber criminals and Intelligence agencies. Kaspersky confirmed the increase of cyber attacks against mobile devices and home appliance, recently we reported of attacks against Soho devices and The Polish Computer Emergency Response Team has documented a series of offensives against home routers. 
smartTV
Why IoT is a profitable industry for hackers?
The high level of penetration of such devices and the lack of security requirements makes those devices very attractive for hackers.
On the specific question on the possible creation of virus able to infect SmartTV, Eugene Kaspersky answered:
 “Not yet, but it will happen. What’s the difference been a TV and a computer? A bigger screen and a remote control. It has Android inside and memory chips and Internet connections. That’s all.”

“It’s just a question of time. We already have a product for mobile and we have a prototype for TV so we are ready to address this issue when the new malware for television is released by criminals.”

From the words of Kaspersky is evident the interest in the new market niches resulting from the diffusion of the IoT paradigm. The security market for these devices is now virgin and profit margins are staggering, it is a tempting opportunity for all the major players in the security sector, including Kaspersky.

(Security Affairs –  Kaspersky, SmartTV)

Apr 23 14

An overview on the Bad Bot Landscape by Distil Networks

by paganinip
The Bad Bot Landscape Report Q1 2014 Infographic

Distil Networks security firm has published an interesting report on the Bad Bot Landscape, it is full of data on the evolution of malicious architecture.

Surfing on the Internet I have found The Bad Bot Landscape Report Q1 2014 and interesting study issued by the Distil Networks security firm which provides an interesting analysis of botnet evolution detected by the system of the company.

The Bad Bot Landscape Report Q1 2014 contains statistics on the evolution of malicious architectures under different axis of analysis like geographical area, originating ISP, originating organization and hosting provider, size and many others.

Experts at Distil observed an increase of cloud-hosted botnets, mainly based on the Amazon cloud architecture which was seen hosting 14% of malicious traffic.

Amazon isn’t the only provider abused by cybercrime, “cheap hosting” providers represent a privileged choice for bad actors because they usually implement a poor monitoring and a put in place a few safeguards to prevent bad bot origination.

Where Bad Bots Come From?

Russia, China, and India are not in the top positions of the ranking, the US (46%), Great Britain (19%), Germany (9.6 %), and The Netherlands (3.3%) are the top four countries exploited by criminals to host the malicious structure.

The Bad Bot Landscape Report Q1 2014 Top countries

The botmasters preferred those countries because they host the largest number of quality Internet exchange points, an essential factor for the successfully deployment of the botnets.

“Those who develop bad bots want them to attack as fast as possible, prior to detection and mitigation steps, and they want to do this as cost effectively as possible. For this reason, they attempt to use inexpensive cloud hosting providers that offer quick and easy set-up. These cloud providers locate their infrastructure where space and bandwidth come cheap, which is at major Internet exchange points. Therefore, most frequent offending nations represent those with the largest number of quality Internet exchange points.” states the The Bad Bot Landscape Report Q1 2014.

The experts at Distil Networks revealed that Verizon Business was responsible for nearly 11 % of all malicious bot traffic while and Level 3 Communications account for  10%.

“From the ISP perspective, costs run much higher when trying to clean up infected computers. In the case of residential ISPs, informing consumers that their computers are infected with malware and helping them perform the associated cleanup would triple support costs,” explains the The Bad Bot Landscape Report Q1 2014.

Analyzing the botnet distribution per industry The Bad Bot Landscape Report Q1 2014 reports that the financial services industry is the one that serves up the highest botnet traffic.

During the last year Distil firm detected bad bot traffic originating from every wireless provider operating in the United States, botnets are targeting mobile platform, the illicit activities grew up of more than 1,000 percent in the last 12 months.

The Bad Bot Landscape Report Q1 2014 Infographic

Following the Key findings:

  • To date, Distil has identified, tracked and catalogued over 8 Billion bad bots 4 Bad bots ~doubled as a percentage of all web traffic between Q1 and Q4 2013, from 12.25% to 23.6%.
  • Good bots dropped as a percentage of all web traffic between Q1 and Q4 2013, from 27.25% to 19.4%
  • More bad bots originate in the USA than from any other country
  • The top four bad-bot countries are the USA, Great Britain, Germany and The Netherlands, NOT the usual suspects of Russia, China and India
  • Verizon Business and Level 3 Communications originate the most bad bot traffic in a global ISP comparison, 11% and 10% of all bad bot traffic, respectively
  • Amazon serves the most bad bot traffic among hosting providers worldwide, 14%
  • More than 1,100 ISPs and hosting providers serve bad bots as 70% or more of their total traffic
  • Bad bots attack most between 6pm and 9pm ET (US-only data for this point)
  • The biggest bad bot of 2013 was “Pushdo”, impacting 4.2 million IP addresses and ~4 million computers
  • The Financial Services industry had more organizations serving a high percentage of bad bot traffic than any other industry
  • Bad bots are 5 times more likely to attempt to ‘Get’ data/information than ‘Post’ it
  • The Mobile bad bot threat is gaining significance, with bad bots running across 9 of the world’s top 10 mobile operators
  • Mobile bad bots are far more prevalent in the US mobile networks than those of other nations

Pierluigi Paganini

(Security Affairs –  The Bad Bot Landscape Report Q1 2014, botnet)

Apr 22 14

Grams, the search engine for the black markets

by paganinip
grams

It has been officially announced the launch of the beta version of Grams Darknet Market Search Engine specialized for researches in the underground markets.

All my readers know my involvement in the researches conducted on Tor Network, and more in general on the Deep Web. Recently, many events have shocked the Tor community, the revelation on NSA project to track Tor users, the seizure of the Silk Road black market and the arrest of Eric Eoin Marques, the 28-year-old Irishman owner and operator of Freedom Hosting, the principal hosting service within Tor Network.
Many security experts, me included, have spent their effort to make more accessible the Tor Network, to crawl its content and realize a sort of search engine to rapidly makes search within not indexed pages.
The number of hidden services within the Tor network is impressive, many of them unknown to the majority of the users.
Security experts have discovered that the offer of illicit godds in the underground websites is very articulated and dynamic, on daily base new services offer illegal high quality drugs, weapons, hacking tools, and provide illegal services to its customers.
Search them within Tor network is often not so easy, users have to know exactly onion URL of the web resource which is difficult to remember.
Grams is a project for the implementation of a search engine for online underground Black Markets. It was launched in Beta last week at the address http://grams7enufi7jmdl.onion, it could be used by Tor users to easily find website proposing illegal godds including drugs.  Grams’ creator, who uses the nickname of Gramsadmin, announced the release of the beta with a post on Reddit.
Grams Black Market search engine
Let’s do a simple search for “cocaine” term. Grams layout remembers the look of Google, all we need to do is to type it in the search box, exactly like the popular search engine.
Grams Black Market search engine 2
We must consider that Grams searches for content inside Tor network, the creator has designed a specific algorithm to explore the various black markets. In the post that announce the release of the beta version, the administrator informs the users to have included data from The Pirate Market, Mr. Nice Guy and Blank BankCurrently Grams search engine is crawling results from eight different black markets, including BlackBank, C9, Evolution, Mr. Nice Guy, Pandora, The Pirate Market, and SilkRoad2.

“We had to disable Agora for now since they have gone offline, but as soon as they are back their listings will start showing up in the search results again.” said GramsAdmin.

I have no doubt, search engines have an infinite power and I’m sure that the author of Grams will try to expand the capabilities of its platform including data from the other relevant black market. The author has also announced that the Grams will include advertising exactly like Google AdWords, reveling the business model behind the search engine.

“Within the next two weeks Grams will have a system similar to google adwords where vendors can buy keywords and their listings will go to the top of the search results when those keywords are searched for. They will be bordered with an advertisement disclaimer so users know those are paid results.”

Grams is probably a little light that is trying to make inroads into the depths of the black market.

Pierluigi Paganini

(Security Affairs –  Grams, underground)

Apr 22 14

Certificate revocation checks aren’t efficient against Heartbleed

by paganinip
certificate

Security researcher Adam Langley of Google explained the real efficiency of revocation checking in response to OpenSSL heartbeat bug.

The Heartbleed bug is a source of great concern for IT industry, every day we discover that the flaw in the OpenSSL library has had a significant impact on Servers, on the mobile industry and on the anonymity of Tor users.

Last debate is related to PKI infrastructures, in particular under revision the process of certificate revocation, a crucial activity to limit the validity of a given certificate for security reason.

The principal concerns are related to circumstance like certificate theft or data breach suffered by the systems of a Certification Authorities.

The Heartbleed attack can allow an attacker to compromise a vulnerable server to steal the secret key associated with the certificate generated for server authentication. Once stolen the key a bad actor could easily impersonate the compromised site.

After the disclosure of OpenSSL flaw, administrators of vulnerable servers have updated the OpenSSL library and generated a new certificate for their infrastructure (so a new public key), but as noted by the security researcher Adam Langley of Google, the old certificates still work allowing an attacker with the old private key to still impersonate the website.

ocsp responder diagram certificate revocation checking

The online certificate status protocol (OCSPis the Internet protocol used for managing the revocation status of an X.509 digital certificate, it is an alternative to certificate revocation lists (CRL). The messages communicated via OCSP are usually communicated over HTTP,  OCSP manages less information respect a typical CRL and this allow an optimized use of networks and client resources. Practically the OCSP protocol requires the client to contact a third party to confirm certificate validity.

Common browsers submit a request to the OCSP server to check the certificate status, they receive a signed assertion that tells them whether the certificate is still valid. In the case the browser for some reason doesn’t get a response from the OCSP server, it has to decide whether to accept the certificate.

Langley has written a specific post titled “No, don’t enable revocation checking” to analyze the large number of revocations resulting from precautionary rotations for servers affected by the heartbeat flaw.

“If you’re worried about an attacker using a revoked certificate then the attacker first must be able to intercept your traffic to the site in question. (If they can’t even intercept the traffic then you didn’t need any authentication to protect it from them in the first place.) Most of the time, such an attacker is near you. For example, they might be running a fake WiFi access point, or maybe they’re at an ISP. In these cases the important fact is that the attacker can intercept all your traffic, including OCSP traffic. Thus they can block OCSP lookups and soft-fail behaviour means that a revoked certificate will be accepted,” Langley wrote.

In the post Langley proposed different scenarios in which revocations are useless and cannot prevent attacks, for example for offensives related to a nation-state attacker who is able to intercept the entire victim’s traffic.

“Firstly, the attacker can use OCSP stapling to include the OCSP response with the revoked certificate. Because OCSP responses are generally valid for some number of days, they can store one from before the certificate was revoked and use it for as long as it’s valid for. DNS hijackings are generally noticed and corrected faster than the OCSP response will expire.”

Langley explained the checking method implemented by Google Chrome that daily monitors the status of certificates for high-value sites and pushes the information to Chrome users, in this way a revocation is propagated within a day or so.

“It’s called the CRLSet and it’s not complete, nor big enough to cope with large numbers of revocations, but it allows us to react quickly to situations like Diginotar and ANSSI. It’s certainly not perfect, but it’s more than many other browsers do,” Langley wrote.

“A powerful attacker may be able to block a user from receiving CRLSet updates if they can intercept all of that user’s traffic for long periods of time. But that’s a pretty fundamental limit; we can only respond to any Chrome issue, including security bugs, by pushing updates.”

Langley is suggesting a scalable solution to the revocation problem in the form of short-lived certificates or something like OCSP Must Staple, limiting the validity of OCSP response in a few days.

Pierluigi Paganini

(Security Affairs –  Certificate revocation, HeartBleed)

Apr 21 14

The novelties inside the last critical update for P2P Zeus

by paganinip
Zeus critical update

Which are the security improvements in the critical update proposed by criminal ecosystem for P2P Zeus Botnet? Fortinet experts detected and analyzed it.

Security experts at Fortinet have uncovered a critical update proposed by criminal ecosystem for P2P Zeus Botnet.

The first P2P Zeus variant was uncovered by Trusteer firm a couple of years ago, it was used in a series of attacks against principal internet service providers and targeting users of popular web services including Facebook, Hotmail,Yahoo and  Google Mail.

Zeus has evolved since the leak of its source code in the underground, security experts have discovered different versions, including 64bit instances and variant able to exploit Tor network to hide their C&C.

Zeus P2P, like others, is used mainly for banking fraud due its ability to steal banking credentials from victims, current variant supports both the UDP and TCP protocols.

“Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks including peer list exchange, command-and-control (C&C) server registration, and malware binary updates.” reports the official post.

Fortinet botnet monitoring system discovered that the malware author released a critical update to its P2P botnet. Since the experts started to monitor the Zeus P2P botnet traffic, they have observed that the version number reported in the encrypted update packets is passed from 0×38 (September 2013) to 0x3B (detected on April 8th 2014).

P2P Zeus  critical update september 2013

P2P Zeus critical update April 2014

Every P2P Zeus code analyzes the version number from the update packet, and compares it with the one hardcoded in its code to evaluate the necessity to update itself.

The experts at Fortined analyzed the new Zeus P2P critical update noting a few minor changes apart the abilities of the new binary to drop a rootkit driver file into the %SYSTEM32%\drivers folder.

The rootkit was used by malware author to hide the presence of the P2P Zeus and prevents the deletion of its binary and its autorun registry entries.

The discontinuation in the version number suggests to the expert that between the versions there were test versions occasionally appeared in the P2P network, “but they are not being pushed as an update to all peers“.

The new P2P Zeus is more resilient thanks the use of  the rootkit, let’s wait for further improvement, the Zeus factory never stops.

Pierluigi Paganini

(Security Affairs –  P2P Zeus, malware)

Apr 21 14

Critical Infrastructure security, is it possible a shared regulatory?

by paganinip
Critical Infrastructure KAspersky Cyber Security Summint 2014

Reflession on the necessity to adopt a shared regulatory for the security of critical infrastructure. Eugene Kaspersky point of view on the topic.

Security of critical infrastructure is a critical urgency of any government, the NIST announced the Framework for Improving Critical Infrastructure Security, a document that proposed cybersecurity standards and practices to build out a security program.

The cybersecurity framework for critical infrastructure proposed by the US Government is a “living document” to improve internal security of the structures in the country. Security industry has observed in the last years that the number of high-profile attacks such as Stuxnet and Shamoon has reached unprecedented levels, alerting politicians and Intelligence agencies on the possible risks related to a cyber offensive against these vital systems.

Utilities, transportation systems, telecommunication systems, power grids, are just some example of critical environment where networks and infrastructure use arcane software not aligned with modern requirements in term of security.

Critical Infrastructure KAspersky Cyber Security Summint 2014 2

Kaspersky, the CEO of Kaspersky Lab, expressed during an interview at the last KAspersky Cyber Security Summit many doubts about the methods pursued to date, he is skeptical about any international effort to develop global recognized standards.

“I vote for less regulation in technology and innovation,” “The older I am, the less and less I believe in international projects. Let the nations do it themselves, and they can be an example for the rest of the world. I think the United States will be first and then the rest of the world can copy and paste.” he said.

Eugene Kaspersky is stressing security industry for a long time alerting on the possible risks of a major attack on a critical infrastructure, but he is convinced that there is too much still to do to address the growing cyber threats.

Kaspersky is convinced that assigning to each government the responsibility for definition of necessary countermeasures to mitigate cyber threats will help to create the condition for a healthy competition that could give rise to innovative projects.

“If you have many competing companies there’s much more chance that one of these will come up with something innovative. I vote for competition. I believe in a world that has independent and competing businesses,” “There’s a much better chance that the right answer will be found much faster.”  Kasperky said.

The software running on computers within critical infrastructure in many cases lacks of security by design, and haven’t been subjected to any kind of security testing. To give you an example consider that during the last S4x14 Conference in Miami, Luigi Auriemma of ReVuln disclosed a serious vulnerability in HMI software. The team of researchers at ReVuln discovered buffer overflow vulnerability in the company’s IntegraXor Web-based HMI software, a software designed by the Malaysian SCADA company Ecava.

We must consider that despite we all agree on the risks related to a possible attack against critical infrastructure, there’s still a lot of disagreement in the industry about the terms used to qualify these critical systems.

Contrary to Kaspersky’s thought to leave each government the responsibility of its infrastructure, policymakers and politics led to calls for regulation and standardization for security. It is an hard challenge, each actor involved in the creation of standards and regulations must be properly recognized.

As remarked by ThreatPost, one of the principal problems related to security of SCADA and critical infrastructure is that the majority of them is owned and managed by private companies.

“The government has no critical infrastructure of its own. It relies on the private sector for that, and when it goes down, the government goes down,” “National security and economic security are intertwined.” said Tom Ridge, the former secretary of the Department of Homeland Security and former governor of Pennsylvania.

Which are privileged targets for cybercriminals and state-sponsored hackers?

Kaspersky confirmed that US infrastructure is at the top of the target list for hackers.

“It’s very difficult to compare who is better protected. The U.S. is the most developed IT country in the world,”“It has many more SCADA systems than any other country, so the U.S. is the biggest target. But it also has the most resources. So which nation is better protected, the one with all of the systems and resources or the one with fewer systems and is a smaller target?”  he said. 

I also remark that it is quite easy to find online information and tools necessary for an attack against SCADA systems, let’s think for example of the simplicity to find online SCADA components through the Shodan search engine. Once identified the targets the next step is to choose the weapons and the underground offer a huge collection of exploits to hit the targets.

“Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property,” “Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.” are the words used by President Obama to describe the critic of the topic.

Time is running out …. cyber security for critical infrastructure is a must!

Pierluigi Paganini

(Security Affairs –  Critical Infrastructure, Kaspersky)

Apr 20 14

Millions Feedly users vulnerable to Javascript Injection attack

by paganinip
feedly android app

A security researcher discovered a serious Javascript Injection vulnerability in the popular Feedly Android App impacting Millions Users.

While mobile industry continues to grow, in the same time the number of cyber threats continues to increase in frequency and level of sophistication. Mobile platforms like Android are a privileged target of cyber criminals that with a successful exploit could impact security of a wide audience. One of the most common tactics adopted by cybercrime communities  to infect mobile platforms is the Injection of malicious JavaScript directly into popular Android apps.
Security researcher Jeremy S. from Singapore discovered a critical vulnerability in the Feedly app that could be exploited by attackers to infect millions of Android app users.
Feedly is a popular app available for iOS and Android, which offers an aggregation platform for content published on blogs, websites, RSS Feeds and magazines.
The researcher provided evidence of the flaw in blog post, the expert exploited the vulnerability through a JavaScript injection attack. Due a cross-site scripting vulnerability an attacker is able to execute any JavaScript code on client-side, the attack is possible due the lack of input validation in the Feedly app that doesn’t sanitize the Javascript code written in the original articles on subscribed websites or blogs.
A javascript code injection is possible from an RSS feed (e.g. from a blog on blogspot) into the ‘Feedly’ Android App. The android app does not sanitize javascript codes and interpretes them as codes. As a result, allows potential attackers to perform javascript code executions on victim’s Feedly android app session via a crafted blogpost. However, the pre-requisite for such an attack to be possible is that the user must have subscribed (RSS) to the site. In other words, attacks can take place only when user browses the RSS-subscribed site’s contents via the Feedly android app.
More than 5 Million users currently use the Feedly app for their Android devices, exploiting JavaScript injection the attacker can perform different malicious activities, including cookies reading, modification of web page contents, injection of tracking codes or exploits codes to infect victim’s Android device.
The researcher provided the Proof of concept using the following Injection payload that allows to display on the mobile browser the JavaScript button:

</script>
<button onclick=”location.href=’http://www.potentially-malicious.site’” id=”1″ value=”1″/>BreakToProtect’s Button
<but

“Upon clicking on ‘BreakToProtect’s button’, user will be redirected to another site. As per proof-of-concept, a fake URL link ‘http://www.potentially-malicious.site/’ was used instead.”

feedly app vulnerability
The flaw in the Feedly application was reported to the company on March 10th and fixed within 24 hours. It is strongly suggested to the users to update their Feedly app to the last version.

Pierluigi Paganini

(Security Affairs –  Android, Feedly app)

Apr 20 14

Mandiant uncovered Heartbleed based attacks to Hijack VPN sessions

by paganinip
heartbleed VPN

Security experts at Mandiant uncovered attackers exploiting the Heartbleed vulnerability to circumvent Multi-factor Authentication on VPNs.

We have practically read everything about HeartBleed bug which affects OpenSSL library, we have seen the effects on servers, on mobile devices and also on Tor anonymity,  now lets focus on the possibility to exploit it to hijack VPN sessions.

Cyber criminals are trying to exploit Heartbleed OpenSSL bug against organisations to spy on virtual private network connections hijacking multiple active web sessions.
Security experts at Mandiant discovered attackers are exploiting the Heartbleed vulnerability to circumvent Multi-factor authentication on VPNs. The investigators have found evidences of the attack analyzing IDS signatures and VPN logs.
Considering that through an Heartbleed request the attacker could gain access to a limited portion of memory (64KB of memory for each Heartbeat request), in order to fetch useful data he needs to send a huge quantity of requests. This stream of requests was identified by IDS once it was written a signature specifically for Heartbleed.
heartbleed VPN 2
During the intrusion observed by Mandiant the IDS detected more than 17,000 requests matching the pattern written for HearttBleed.
Mandiant confirmed that an unnamed organization suffered a targeted attack which exploited the “Heartbleed” bug in OpenSSL running in the client’s SSL VPN concentrator to remotely access organization’s internal network.
“This post focuses on a Mandiant investigation where a targeted threat actor leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access our client’s environment and steps to identify retroactively if this occurred to your organization.” reported the Mandiant official post.
The attacker is able to obtain active session tokens for currently authenticated users sending repeatedly malformed heartbeat requests to the HTTPS web server running on the VPN device. Once gained an active session token, the attacker successfully hijacked multiple active user sessions and deceived the VPN concentrator which considered it as legitimately authenticated.
With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
“The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.” wrote Mandiant experts Christopher Glyer and Chris DiGiamo. 

The following evidence proved the attacker had stolen legitimate user session tokens:

  1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.
  2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address.  In several cases the “flip flopping” activity lasted for multiple hours.
  3. The timestamps associated with the IP address changes were often within one to two seconds of each other.
  4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.
  5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
The hackers once gained the access to the internal network of targeted organization attempted to move laterally and escalate his/her privileges.
Attacks like the one uncovered by Mantiant will increase in the next weeks, it is necessary to immediately identify and upgrade the component that make use of the flawed library.

Pierluigi Paganini

(Security Affairs –  VPN, Mandiant)

Apr 19 14

Unflod Baby Panda, the Chinese malware hit jailbroken iphone

by paganinip
Unflod Baby Panda malware

Unflod Baby Panda is the name of a new mobile malware which is targeting jailbroken versions of Apple iPhone. The threat seems to have China origin.

The number of cyber threats against mobile users is in constant increase, on the other hand bad habits like the practice of jailbreak/root the devices and the lack of defense systems are favoring the diffusion of new families of malicious code.

Recently I noted ion the Reddit Jailbreak community discovered a new malware, dubbed ‘Unflod Baby Panda’, affecting some jailbroken Apple iOS devices. A user triggered the alert after noting an unusual activity on his jailbreaked iPhone, as reported by the member of the community Snapchat and Google Hangouts were crashing constantly just after the execution of the jailbreak procedure.
According the members of the communities the Unflod Baby Panda infection was limited to jailbroken Apple iOS devices, the malware was designed to steal victims’ credentials, including the Apple IDs.
The threat affects iPhone iPhone 5 and any other 32-bit jailbroken iOS device handset.
The malware spread through the‘Unfold.dylib’ file, once has stolen the user’s credentials, it sends them to a C&C servers provided by US hosting companies and managed by Chinese customers.

“This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken devices and listens for outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers. Users of reddit have made this malware available to the public, which allowed SektionEins to perform an analysis of this threat. However so far only the malware itself has been found and until now it is unknown how it ends up on jailbroken phones. Rumours that Chinese piracy repositories are involved are so far unverified” states a post published by SektionEins security firm which analyzed the malicious agent.

It has been hypothesized that Unflod Baby Panda malware was spread through a Chinese web site which offer iOS software, another interesting aspect of the infection that malicious code is digitally signed with an iPhone developer certificate.
I have found it curious because the Unflod Baby Panda malware infect only jailbroken iPhones and it was not necessary on such hardware to sign the source code for its execution.
Details of the digital certificate used by to sign Unflod Baby Panda malware are reported below.
$ codesign -vvvv -d Unflod.dylib
Executable=./Unflod.dylib
Identifier=com.your.framework
Format=Mach-O thin (armv7)
CodeDirectory v=20100 size=227 flags=0x0(none) hashes=3+5 location=embedded
Hash type=sha1 size=20
CDHash=da792624675e82b3460b426f869fbe718abea3f9
Signature size=4322
Authority=iPhone Developer: WANG XIN (P5KFURM8M8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Feb 2014 04:32:58
Info.plist=not bound
Sealed Resources=none
Internal requirements count=2 size=484

The the signature date is the 14th of February of this year, probably the Unflod Baby Panda is being around without being discovered in the last months.

Unflod Baby Panda 2

The researchers noted that it is possible to manually remove Unflod Baby Panda

  • Download the iFile app for free from Cydia and by using iFile, check whether your device is affected by the malicious software or not.
  • Navigate to /Library/MobileSubstrate/DynamicLibraries/
  • If you spot any files named Unflod.dylib or Unflod.plist and/or framework.dylib and framework.plist then you have been affected.
  • Use iFile to delete Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist
  • Reboot your device and then change your Apple ID password and security questions immediately and just to be on safe side, use two-step verification method and avoid installing apps from untrusted sources.

“We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak,” reported the researchers.

Be aware mobile jailbreak could hide numerous pitfalls.

Pierluigi Paganini

(Security Affairs –  Unflod Baby Panda, iOS)

Apr 19 14

Satellite equipment affected by severe vulnerabilities

by paganinip
Satellite

A study conducted by experts at IOActive uncovered a variety of severe vulnerabilities in Satellite equipment widely used in numerous industries.

Satellite Communication Devices are vulnerable to cyber attacks due the presence of critical design flaws in the firmware of principal satellite terrestrial equipment. Different satellite systems manufactured by some of the world’s biggest government contractors are affected by severe vulnerabilities according Security experts at IOActive. The researchers have uncovered numerous vulnerabilities in software and ground-based satellite systems manufactured by British suppliers Cobham and Inmarsat. Hackers can hijack and disrupt communication links used in various industries including defense, aviation and communications with serious consequences for the population.

IOActive found that malicious actors could abuse all of the devices within the scope of this study. The vulnerabilities included what would appear to be backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. In addition to design flaws, IOActive also uncovered a number of features in the devices that clearly pose security risks. ” states the report from IOActive.

Products commercialized by different manufactures, including Iridium, Harris Corporation, Hughes, Thuraya and Japan Radio Company, are also flawed according a study conducted by researchers.

The vulnerable satellites equipments discovered by researchers at IOActive are Harris’ RF-7800-VU024 and RF-7800-DU024 terminals for Broadband Global Area Network (BGAN) services; Hughes 9201/9202/9450/9502 for BGAN and BGAN M2M services, Thuraya IP for BGAN services, Cobham Explorer and SAILOR 900 VSAT for VSAT services, Cobham AVIATOR 700 (E/D) for SwiftBroadband Classic Aero services, Cobham SAILOR FB 150/250/500 for Inmarsat FB services, Cobham SAILOR 6000 Series for Inmarsat C services, JRC JUE-250/500 FB for Inmarsat FB services, and Iridium Pilot/OpenPort for Iridium services.

Satellite components flawed

“You could attack one of these devices with SMS, and trigger features to install new firmware or to compromise it,” “Attackers who compromise the database of an Inmarsat SIM/Terminals reseller can use this information to remotely compromise all those terminals,” says Ruben Santamarta, principal security consultant for IOActive.

As explained by Santamarta, just an SMS text message could become a bullet in the hand of a cyber criminals, the researchers uncovered wrong design habit in the firmware of the device, hardcoded credentials, implementation of insecure protocols, presence of backdoors, and adoption of weak password reset processes are some sample of the flawed processed identified on the equipment.

In my opinion the most alarming fact is that despite the researcher has reported the findings to the CERT Coordination Center, which promptly issued an alert to the vendors in January, but to date the reply is faint. Within the plethora of vendors, only Iridium has started to work for the development of the patches.

“In most cases, attackers can completely compromise” “They could run their own code, install malicious firmware… and do anything they want with that device.” “They can spoof messages and trick the ship to follow a certain path, or to rescue another ship. They can disrupt communications… if a vessel can’t send a distress signal, that’s the worst scenario, if a ship can’t communicate.” the system, Santamarta says.

The same would be true for an airplane, he says. And an attacker would not even need physical access to the satellite equipment to pull off a link hijack or spoof; in many cases, hackers could execute their attacks remotely.

The researchers were able to discover various vulnerabilities simply reverse engineering the firmware of the satellite appliances, once discevered the flaws the unique problem for the attackers is to gain access to the systems through the Internet or any other kind of interface.

 “I wasn’t looking for memory or buffer overflow or other typical vulnerabilities. But design flaws [found] like backdoors or [weak] protocols are in a way more dangerous because you can reach the device” by using them.

 “But if you can reach the device, you can compromise it. You can access it through HTTP or some other kind of documented interfaces. In most cases, you can remotely exploit these flaws.”

The report issued by IOActive provides also some recommendations for users of these satellite equipment inviting to seriously consider the possibilities that attackers exploit these vulnerabilities.

“Owners and providers should evaluate the network exposure of these devices, implement secure policies, enforce network segmentation, and apply restrictive traffic flow templates (TFT) when possible. Until patches are available, vendors should provide official workarounds in addition to recommended configurations in order to minimize the risk these vulnerabilities pose.”

The researchers at IOActive also recommend that SATCOM manufacturers and resellers immediately remove all publicly accessible copies of device firmware updates from their websites to avoid reverse engineering of the source code. 

“If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk. Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.
The results of IOActive’s research should be a wake-up call for both the vendors and  users of the current generation of SATCOM technology.” is the statement used to closes the report.

Pierluigi Paganini

(Security Affairs –  Satellite equipment, cyber security)