Jul 31 14

Zero-day flaws affect Symantec Endpoint Protection

by paganinip

Penetration testers at Offensive Security discovered zero-day flaws in Symantec Endpoint Protection that could be exploited to gain full system access.

Yesterday I reported the results of the study conducted by the security researcher Joxean Koret, who publicly revealed a series of flaws affecting 14 of 17 major antivirus engines. Security experts remarked that antivirus products are software like any other: installing them can enlarge the user’s attack surface, because they may themselves contain security flaws.

Antivirus products are continually challenged by security experts over their real effectiveness. Today another piece of news is worrying the cyber security industry: the popular Symantec Endpoint Protection product is affected by three zero-day flaws that attackers could exploit for privilege escalation.

A privilege escalation attack is an attack that grants an attacker who is already logged in elevated access to the network and its resources (e.g. data and applications).


The experts at Offensive Security, best known for the Kali Linux penetration testing distribution, discovered several critical flaws during an audit of Symantec Endpoint Protection; some of them will be discussed in a presentation at the next Black Hat conference in August. Offensive Security plans to preview proof-of-concept code during its “Advanced Windows Exploitation” training class at the conference in Las Vegas.

“In a recent engagement, we had the opportunity to audit the Symantec Antivirus Endpoint Protection solution, where we found a multitude of vulnerabilities. Some of these made it to CERT, while others have been scheduled for review during our upcoming AWE course at Black Hat 2014, Las Vegas. Ironically, the same software that was meant to protect the organization under review was the reason for its compromise.” states an announcement published by Offensive Security on their website.

The experts at Offensive Security will release the code for the privilege escalation exploit in the coming days; in the meantime, they have already published a proof-of-concept video.


The three privilege escalation vulnerabilities have already been reported to computer emergency response teams, but Symantec has not yet replied.

The representatives of Offensive Security did not specifically target Endpoint Protection during the audit.

Consider the potential effect of large-scale exploitation of such vulnerabilities in Symantec Endpoint Protection: a bad actor could exploit a critical flaw to gain access to “hundreds if not thousands of computers” in the audited financial services company.

Pierluigi Paganini

Security Affairs – (Antivirus, Symantec)

Jul 31 14

Discovered attacks to compromise TOR Network and De-Anonymize users

by paganinip

On July 4, 2014 the Tor team discovered a group of malicious relays that it believes were trying to deanonymize Tor network users with a traffic confirmation attack.

The Tor network is an excellent technology for ensuring users’ online anonymity: thanks to it, users can hide their online activities from the prying eyes of governments and law enforcement. Recently, members of the Tor project warned their users about the presence of a critical vulnerability that was probably being used to de-anonymize users within the Tor network.

A few weeks ago, researchers from Carnegie Mellon University’s computer emergency response team (CERT), Alexander Volynkin and Michael McCord, revealed that they were able to de-anonymize Tor users using cheap equipment. Initially they planned to reveal their discovery at the next Black Hat conference in August, but they later announced that they would not participate in the conference.

On July 30th, the website of the Tor project published a security advisory revealing that early this month, on July 4th 2014, a group of malicious relays had been found that was probably attempting to deanonymize users. The experts at the Tor project noticed that bad actors were using relays to track users accessing the Tor network or Tor hidden services.

“They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.”

The security advisory explains that bad actors were leveraging a critical flaw in Tor to modify protocol headers and perform a traffic confirmation attack: they injected a signal into the protocol headers that the attackers could then use to compare certain metrics across relays and de-anonymize users. The advisory reports that 115 malicious fast non-exit relays (6.4% of the whole Tor network) were involved in the attack; these servers were monitoring traffic at both ends of Tor circuits in an effort to de-anonymize users. The malicious relays were located in the 50.7.0.0/16 and 204.45.0.0/16 address ranges, and the bad actors were using them in an attempt to de-anonymize Tor users who visit or run so-called hidden services. The malicious relays joined the Tor network on January 30th 2014 and the experts at the Tor Project removed them from the network on July 4th 2014.

The Tor project team also advised hidden service operators to change the location of their hidden service.

“While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” Tor said.

When users access the Tor network with Tor software, their IP address is not visible; to the Internet they appear to come from the IP address of a Tor exit relay, which can be anywhere.

The members of the Tor project explained that the bad actors who conducted the confirmation attack were looking for users who fetched hidden service descriptors, which means that the attackers were not able to see the pages loaded by users, nor whether users actually visited the hidden service they looked up.

“The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.” states the security advisory.

To close the critical flaw, the Tor Project team is advising Tor relay operators to upgrade to a recent release, either 0.2.4.23 or 0.2.5.6-alpha; the Tor project released the software update to prevent such attacks. It seems to be a bad period for the Tor network, and for anonymizing networks in general: recently a serious flaw was discovered in the Tails distribution, allowing an attacker to reveal users’ identities, while the Russian Government has announced a competition offering $111,000 to break Tor encryption.
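As an added example (not the Tor Project’s code), this Go program audits a constructed list of relay descriptors against the two facts in the advisory quoted above: the flagged address ranges and the first fixed releases on each branch. It assumes that branches newer than 0.2.5 also carry the fix, which the advisory does not say; the relay nicknames, addresses and versions are made up.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Address ranges the advisory attributes to the malicious relays.
var suspectRanges = []string{"50.7.0.0/16", "204.45.0.0/16"}

// Relay is a minimal descriptor: nickname, address and self-reported version.
type Relay struct {
	Nickname, Addr, Version string
}

// parseVersion turns "0.2.5.6-alpha" into [0 2 5 6]; the "-alpha"/"-rc" tag
// does not change ordering within a branch.
func parseVersion(v string) ([4]int, error) {
	var out [4]int
	v = strings.TrimSpace(v)
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 4 {
		return out, fmt.Errorf("unexpected tor version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unexpected tor version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compare orders two versions element by element (negative, zero, positive).
func compare(a, b [4]int) int {
	for i := range a {
		if a[i] != b[i] {
			return a[i] - b[i]
		}
	}
	return 0
}

// VersionIsFixed reports whether a relay's version includes the fix for the
// protocol-header modification the advisory describes: 0.2.4.23 is the minimum
// on the 0.2.4 branch, and anything at or past 0.2.5.6 counts as fixed (that
// later branches keep the fix is an assumption of this example).
func VersionIsFixed(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	if v[0] == 0 && v[1] == 2 && v[2] == 4 {
		return v[3] >= 23, nil
	}
	return compare(v, [4]int{0, 2, 5, 6}) >= 0, nil
}

// InSuspectRange reports whether addr lies in one of the flagged /16 blocks.
func InSuspectRange(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false
	}
	for _, cidr := range suspectRanges {
		if _, block, err := net.ParseCIDR(cidr); err == nil && block.Contains(ip) {
			return true
		}
	}
	return false
}

// Audit lists relays sitting in the flagged ranges and relays whose version
// predates the fix (an unparseable version counts as unpatched).
func Audit(relays []Relay) (suspect, unpatched []string) {
	for _, r := range relays {
		if InSuspectRange(r.Addr) {
			suspect = append(suspect, r.Nickname)
		}
		if ok, err := VersionIsFixed(r.Version); err != nil || !ok {
			unpatched = append(unpatched, r.Nickname)
		}
	}
	return suspect, unpatched
}

func main() {
	// Constructed sample relays: nicknames, addresses and versions are made up.
	relays := []Relay{
		{"alpha", "50.7.12.34", "0.2.4.22"},
		{"bravo", "203.0.113.10", "0.2.4.23"},
		{"charlie", "204.45.1.2", "0.2.5.6-alpha"},
		{"delta", "198.51.100.7", "0.2.3.25"},
	}
	suspect, unpatched := Audit(relays)
	fmt.Println("in flagged ranges:", suspect) // [alpha charlie]
	fmt.Println("need upgrade:", unpatched)    // [alpha delta]
}
```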

Pierluigi Paganini

Security Affairs – (Tor networks, hacking)

Jul 30 14

Serious security issues affect 14 of 17 major antivirus engines

by paganinip

Joxean Koret, a security researcher at Singapore-based consultancy COSEINC, has publicly revealed a series of flaws which affect major antivirus engines.

The security researcher Joxean Koret, of the Singapore-based consultancy COSEINC, has discovered flaws in 14 of 17 major antivirus engines. He presented the results of his study (PDF) at the recent SyScan 360 security conference in Beijing this month. Koret explained how he used a custom fuzzing suite to discover exploitable local and remote flaws in popular antivirus engines; the list of affected products is long and includes solutions from vendors such as Avast, AVG, Avira, Bitdefender, Comodo, DrWeb, ESET, F-Prot, F-Secure and Panda.

The antivirus engine is the core of any antivirus solution, and a single engine is often used by multiple products; BitDefender, for example, is the most widely used antivirus kernel, found in products such as G-Data, eScan and F-Secure.

As Koret illustrated in his presentation, antivirus software runs with excessive administrator privileges, which an attacker can exploit, for example through a man-in-the-middle (MITM) attack.

“AV engines make your computer more vulnerable with a varying degree of performance penalty. The AV engine is as vulnerable to zero day attacks as the applications it tries to protect from,” the presentation states.
Koret remarked that installing any application on your machine enlarges your attack surface, including an antivirus application, which runs with high privileges.
“If the application is local: your local attack surface increased. If the application is remote: your remote attack surface increased. If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... Your attack surface dramatically increased.”

The principal flaws discovered by the researcher are buffer and heap overflows, local privilege escalation and file format bugs. Many of the vulnerabilities disclosed are “nothing new”, but this presentation can be considered the first time a researcher has publicly revealed such extensive faults in major anti-virus engines.


Koret explained that the plain HTTP connections ordinarily used for updates represent one of the most concerning security issues, due to the lack of proper validation mechanisms; the expert also revealed that major vendors often fail to review their code.

“If one can MITM the connection (for example, in a LAN) one can install new files and/or replace existing installation files. It often translates in completely owning the machine with the AV engine installed as updates are not commonly signed. Yes. They aren’t.”

It is no mystery that a secure update process relies on the SSL/TLS security protocols and on digitally signed update files.

Antivirus software runs with high privileges and has the ability to inspect host networks and remove suspicious applications; a bad actor could exploit these capabilities to compromise the internal network of an organization. Koret said that every company replied to his study in a different way: some of them patched their products, others offered a bug bounty for the flaws he identified.
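To make the signed-update point concrete, here is an added Go example (not code from Koret’s presentation or from any AV vendor) contrasting an installer that trusts whatever arrives over the update channel with one that verifies a detached Ed25519 signature under a vendor key pinned in the client. The update bodies and the tampering step are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what the client fetches from the update server: the payload
// (engine binary, signature database, ...) plus a detached signature.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the vendor-side step: the release key signs the payload before
// it is published. Clients never see the private key.
func SignUpdate(payload []byte, releaseKey ed25519.PrivateKey) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(releaseKey, payload)}
}

// Tamper models an on-path attacker on the LAN rewriting a plain-HTTP response:
// the body is swapped, while the signature (which the attacker cannot
// regenerate without the vendor key) is carried over unchanged.
func Tamper(u Update, replacement []byte) Update {
	return Update{Payload: replacement, Signature: u.Signature}
}

// UnsignedInstall is the behaviour Koret criticises: whatever arrives is
// treated as the update, so the attacker's body gets installed.
func UnsignedInstall(u Update) ([]byte, error) {
	if len(u.Payload) == 0 {
		return nil, errors.New("empty update")
	}
	return u.Payload, nil
}

// SignedInstall only accepts a payload whose signature verifies under the
// vendor public key pinned in the client. Trust no longer depends on the
// transport: a modified body or a forged signature fails closed.
func SignedInstall(u Update, vendorPub ed25519.PublicKey) ([]byte, error) {
	if len(vendorPub) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("malformed key or signature")
	}
	if !ed25519.Verify(vendorPub, u.Payload, u.Signature) {
		return nil, errors.New("signature does not verify: refusing to install")
	}
	return u.Payload, nil
}

// Scenario runs both install paths against a constructed signed update and a
// tampered copy of it, returning which path accepted what.
func Scenario() (unsignedAcceptsTampered, signedAcceptsTampered, signedAcceptsGenuine bool) {
	vendorPub, releaseKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate([]byte("constructed sample: definitions 2014-07-30"), releaseKey)
	tampered := Tamper(genuine, []byte("constructed sample: attacker-supplied engine"))

	_, err = UnsignedInstall(tampered)
	unsignedAcceptsTampered = err == nil
	_, err = SignedInstall(tampered, vendorPub)
	signedAcceptsTampered = err == nil
	_, err = SignedInstall(genuine, vendorPub)
	signedAcceptsGenuine = err == nil
	return
}

func main() {
	u, s, g := Scenario()
	fmt.Println("unsigned path installs tampered update:", u) // true
	fmt.Println("signed path installs tampered update:  ", s) // false
	fmt.Println("signed path installs genuine update:   ", g) // true
}
```

In a real updater the signed payload should also carry a version or release counter, otherwise the same on-path attacker can replay an older, validly signed update.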

“Some AV companies don’t give a f**k about security in their products,” said Koret.

We must be aware that antivirus software, like any other code, can contain vulnerabilities exploitable to compromise our systems; the principal difference from other applications lies in the high privileges it has to run with, which give an attacker greater power.

Pierluigi Paganini

Security Affairs – (Antivirus, hacking)

Jul 30 14

Millions of Android devices exposed to fake ID flaw

by paganinip

Android devices are affected by a critical vulnerability which allows a malicious app to impersonate a trusted application inheriting its permissions.

Researchers at Bluebox Security have discovered a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a stealthy way, enabling an attacker to perform a variety of malicious actions.

An attacker exploiting the vulnerability could insert malicious code into a legitimate app or gain complete remote control of the targeted device. This is possible because of the way the Android OS validates an app’s certificate chain, and the flaw is present in all versions of Android.

The researchers explained in a blog post that Android devices which run the 3LM administration extension, such as those from HTC, Pantech, Sharp, Sony Ericsson and Motorola, are particularly exposed to the risk.

“Every Android application has its own unique identity, typically inherited from the corporate developer’s identity. The Bluebox Security research team, Bluebox Labs, recently discovered a new vulnerability in Android, which allows these identities to be copied and used for nefarious purposes.” said Jeff Forristal, CTO of Bluebox Labs.


Each Android app is signed with a digital certificate that uniquely identifies its author, but the experts at Bluebox discovered that the Android app installer does not properly validate the certificate chain. An attacker can create an app with a fake identity and impersonate an app with extensive privileges. Imagine, for example, that the attacker impersonates the Adobe plug-in: the malicious app would then have the ability to escape the sandbox and run malicious code inside other apps.

“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate,”

“Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.” states the blog post.

Forristal will present the Android vulnerability in a talk at the next Black Hat conference in Las Vegas; he has already anticipated that it is possible to exploit the flaw in many different ways.

“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” he said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”

It is important to note that the application’s signature establishes who can manage the application and its data. The Android OS also uses the mechanism to determine the permissions assigned to specific apps: some permissions are granted only to applications that have the same signature as the permission creator.

In another example provided in the blog post, the experts examined the case of an application with the signature specified in the device’s nfc_access.xml file, typically the signature of the Google Wallet application. An attacker could create an app with this signature to access the NFC hardware and the payment information of Google Wallet.
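As an added example (not Bluebox’s or Google’s code), the following Go program reproduces the class of mistake the post describes: a naive check that only looks for the trusted certificate somewhere in the chain, beside a strict check that verifies each signature link back to the anchor. The vendor root, genuine plugin and attacker certificates are generated on the fly and are placeholders, not the real Adobe certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// issue builds a certificate for cn with a fresh P-256 key. The Issuer name is
// copied from issuer (or is cn itself when nil) but the signature is made with
// signKey (nil = self-signed). Nothing forces signKey to belong to issuer, and
// that gap is exactly what a forged "issued by the vendor" certificate relies on.
func issue(cn string, isCA bool, issuer *x509.Certificate, signKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signKey == nil {
		signKey = key
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	parent := tmpl
	if issuer != nil {
		// Only the issuer's name is copied; with no public key in parent the
		// library has nothing to cross-check signKey against.
		parent = &x509.Certificate{Subject: issuer.Subject}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// naiveChainCheck mirrors the flawed installer logic the post describes: it
// only asks whether the trusted certificate appears somewhere in the chain.
func naiveChainCheck(chain []*x509.Certificate, trusted *x509.Certificate) bool {
	for _, c := range chain {
		if bytes.Equal(c.Raw, trusted.Raw) {
			return true
		}
	}
	return false
}

// strictChainCheck walks leaf -> root, requiring each certificate to be
// cryptographically signed by the next one and the chain to end at the anchor.
func strictChainCheck(chain []*x509.Certificate, trusted *x509.Certificate) error {
	if len(chain) == 0 || !bytes.Equal(chain[len(chain)-1].Raw, trusted.Raw) {
		return errors.New("chain is empty or does not end at the trusted anchor")
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("%q is not signed by %q: %w", chain[i].Subject.CommonName, chain[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// BuildScenario creates a placeholder vendor root, a genuine plugin signed by
// it and an attacker certificate that merely names the vendor as issuer, then
// reports which check accepts which chain.
func BuildScenario() (naiveAcceptsForged, strictAcceptsForged, strictAcceptsGenuine bool) {
	vendor, vendorKey := issue("Vendor Root (placeholder)", true, nil, nil)
	genuine, _ := issue("Genuine Plugin", false, vendor, vendorKey)
	forged, _ := issue("Evil Plugin", false, vendor, nil) // self-signed, issuer name forged
	genuineChain := []*x509.Certificate{genuine, vendor}
	forgedChain := []*x509.Certificate{forged, vendor}
	naiveAcceptsForged = naiveChainCheck(forgedChain, vendor)
	strictAcceptsForged = strictChainCheck(forgedChain, vendor) == nil
	strictAcceptsGenuine = strictChainCheck(genuineChain, vendor) == nil
	return
}

func main() { fmt.Println(BuildScenario()) } // true false true
```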

Bluebox collaborated with Google to fix the flaw; Google released a patch to its partners in April, but distributing the update to end users is the carriers’ responsibility.

Pierluigi Paganini

Security Affairs – (Android, digital certificate)

Jul 29 14

Chinese Hackers Comment Crew stole plans of Iron Dome Defense System

by paganinip

The firm CyberESI revealed that Chinese hackers, members of the Comment Crew group, breached the corporate networks of top Israeli defense companies.

Once again the news concerns Chinese hackers, alleged members of the Comment Crew group, who have conducted a cyber espionage campaign. This time it has been reported that the attackers breached the databases of three Israeli defense contractors and stole blueprints for Israel’s Iron Dome missile defense system.

The Israeli Iron Dome is the technology that allows Israel to intercept rockets fired against its territory; it has been estimated that approximately one-fifth of the more than 2,000 rockets that Palestinian militants have fired at Israel during the current conflict were intercepted by this defense system.

“The U.S. Congress is currently wrangling over legislation that would send more than $350 million to Israel to further development and deployment of the missile shield technology. If approved, that funding boost would make nearly $1 billion from the United States over five years for Iron Dome production, according to The Washington Post.”

An investigation by the Maryland-based cyber security firm Cyber Engineering Services Inc. (CyberESI) revealed the disconcerting reality; the firm also reported that the Chinese hackers accessed plans regarding other missile interceptors, including drones, ballistic rockets and the Arrow III missile interceptor, which was designed by Boeing and other US-based companies.




In February 2013, the Mandiant Intelligence Center released an interesting report on a large-scale cyber espionage campaign dubbed APT1, one of the numerous cyber espionage campaigns that have stolen the largest quantity of information all over the world. After the disclosure of the Mandiant report the Comment Crew went dark, but Alex Lanstein, senior researcher at FireEye, explained that the Comment Crew was still working undercover after an apparent period of rest.

“They took a little breather, and they started back up,” he said.

Security researchers noted that after the intense activity observed in early 2013 the group stopped using its infrastructure and suspended attacks on the companies initially targeted; in reality, the Comment Crew group started new campaigns against new and old targets from different infrastructure.

“We didn’t see them take control of any of the systems they had previously compromised,” Lanstein revealed. “They started fresh with a whole new round of attacks.”

Mandiant’s report blamed the Chinese military unit “61398” for a series of cyber attacks that compromised 141 organizations over seven years. Experts at Mandiant identified a common pattern in the attacks originating from Chinese sources, also defining a series of key indicators for identifying ongoing APT attacks.

CyberESI revealed that the Chinese hackers breached the corporate networks of top Israeli defense companies, including Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems, which were involved in the development of the “Iron Dome” missile shield. The attackers hit the Israeli companies through spear phishing attacks conducted between October 10th, 2011 and August 13th, 2012.

“Joseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry that these companies are involved in suggests that the Chinese hackers were looking for information related to Israel’s all-weather air defense system called Iron Dome.” reported Brian Krebs in a blog post.

The Comment Crew team maintained persistent access to the IAI network, which allowed it to steal administrator credentials, implant malware and dump Active Directory data from at least two domains.

The Comment Crew hackers exfiltrated every type of document, including emails and Office documents containing information about Iron Dome and other sophisticated ballistic projects. Experts at CyberESI identified more than 700 documents that were stolen from Israel Aerospace Industries (IAI).

“All told, CyberESI was able to identify and acquire more than 700 files — totaling 762 MB total size — that were exfiltrated from IAI’s network during the compromise. The security firm said most of the data acquired was intellectual property and likely represented only a small portion of the entire data loss by IAI.”

“The intellectual property was in the form of Word documents, PowerPoint presentations, spread sheets, email messages, files in portable document format (PDF), scripts, and binary executable files,” CyberESI wrote in a lengthy report produced about the breaches.

The experts identified a similar attack pattern in the offensive against the company Elisra, a data breach that according to CyberESI began in October 2011 and persisted intermittently until July 2012.

The worrying aspect of the discovery is that the stolen information, once in the wrong hands, could represent a serious menace to Israel and its population.

Pierluigi Paganini

Security Affairs – (Iron Dome, cyber espionage, Comment Crew)

Jul 29 14

seL4, Hack-proof DARPA-derived micro kernel goes open source tomorrow

by paganinip

The DARPA-derived secure microkernel seL4 goes open source tomorrow; it is the first prototype of mathematically proven, hacker-repelling software.

National ICT Australia (NICTA) has completed the development of seL4, the first microkernel mathematically proven to be bug free; the project will be released as open source tomorrow and could be deployed on drones to prevent hacking.

The formal-methods-based secure embedded L4 (seL4) microkernel was derived from the DARPA program High-Assurance Cyber Military Systems. seL4’s entire source code, including the proofs and the additional code used to build trustworthy systems, will be released under the GPL v2 license.

“General Dynamics C4 Systems and NICTA are pleased to announce the open sourcing of seL4, the world’s first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement. It is still the world’s most highly-assured OS.”

NICTA is Australia’s Information and Communications Technology (ICT) Research Centre of Excellence, an organization created to conduct, promote and sustain ICT research; it is composed of experts in mathematics and aviation working with major companies such as Boeing and Rockwell Collins.

The microkernel is a result of the High-Assurance Cyber Military Systems (HACMS) program promoted by DARPA, a four-year effort with an estimated cost of $60 million whose purpose is to define innovative and secure coding practices that prevent software from being affected by “pervasive vulnerability”.

The program is described on the DARPA website with the following statement:

“The High-Assurance Cyber Military Systems (HACMS) program seeks to create technology for the construction of systems that are functionally correct and satisfy appropriate safety and security properties,” explained Kathleen Fisher, DARPA program manager. “Our vision for HACMS is to adopt a clean-slate, formal method-based approach to enable semi-automated code synthesis from executable, formal specifications.”

“In addition to generating code, HACMS seeks a synthesizer capable of producing a machine-checkable proof that the generated code satisfies functional specifications as well as security and safety policies. A key technical challenge is the development of techniques to ensure that such proofs are composable, allowing the construction of high-assurance systems out of high-assurance components.”

The formal-methods-based secure embedded L4 (seL4) microkernel aims to prevent the hacking of sophisticated devices without impacting performance.


As explained in the OSDev.org wiki:

“A Microkernel tries to run most services – like networking, filesystem, etc. – as daemons / servers in user space. All that’s left to do for the kernel are basic services, like memory allocation (however, the actual memory manager is implemented in userspace), scheduling, and messaging (Inter Process Communication).

In theory, this concept makes the kernel more responsive (since much functionality resides in preemptible user-space threads and processes, removing the need for context-switching into the kernel proper), and improves the stability of the kernel by reducing the amount of code running in kernel space.”

In other words, this approach allows the development of more stable and responsive software compared with canonical monolithic kernels such as the Linux and Windows kernels.

A microkernel of the seL4 family could be used in a wide range of cases: every critical component could be equipped with hack-proof software.

NICTA senior researcher Dr June Andronick said the kernel should be considered by anyone building critical systems such as pacemakers and technology-rich cars.

“If your software runs the seL4 kernel, you have a guarantee that if a fault happens in one part of the system it cannot propagate to the rest of the system and in particular the critical parts,” Andronick said earlier this month.

“We provide a formal mathematical proof that this seL4 kernel is correct and guarantees the isolation between components,” Andronick said.

Experts at NICTA provided a fascinating proof-of-concept video which demonstrates how a drone running the platform could detect hacking attempts and adopt the necessary countermeasures.

In the video, once the demo drone has detected the intrusion it flies away, preventing the hack from succeeding.

“What we are demonstrating here is that if one of the ground stations is malicious, and sends a command to the drone to stop the flight software, the commercially-available drone will accept the command, kill the software and just drop from the sky,” Andronick said.

Are we really close to the realization of a hack-proof machine?

Pierluigi Paganini

Security Affairs – (seL4, DARPA)

Jul 29 14

Misusing Digital Certificates

by paganinip

Excerpt from the post “How Cybercrime Exploits Digital Certificates”, which details the means and motivations of illicit activities that abuse digital certificates.

Digital certificates have been misused many times in recent years. Bad actors have abused them to conduct cyber attacks against private entities, individuals and government organizations. The principal abuses of digital certificates observed by security experts are:

Man-in-the-middle (MITM) attacks

Bad actors use digital certificates to eavesdrop on SSL/TLS traffic. Usually these attacks exploit the lack of strict controls by client applications when a server presents them with an SSL/TLS certificate signed by a trusted but unexpected Certification Authority.

SSL certificates are the privileged mechanism for ensuring that secure websites really are who they say they are. Typically, when we access a secure website, a padlock is displayed in the address bar. Before the icon appears, the site first presents a digital certificate, signed by a trusted “root” authority, that attests to its identity and encryption keys.

Unfortunately web browsers, due to improper design and the lack of efficient verification processes, accept any certificate issued by a trusted CA, even if it is not the CA expected for that site.

An attacker that is able to obtain a fake certificate from any certification authority and present it to the client during the connection phase can impersonate every encrypted web site the victim visits.

“Most browsers will happily (and silently) accept new certificates from any valid authority, even for web sites for which certificates had already been obtained. An eavesdropper with fake certificates and access to a target’s internet connection can thus quietly interpose itself as a ‘man-in-the-middle’, observing and recording all encrypted web traffic, with the user none the wiser.”


Cyber attacks based on signed malware

Another common cyber attack is based on malware signed with stolen code-signing certificates. The technique lets attackers improve the evasion capabilities of their malicious code. Once the private key associated with a trusted entity is compromised, it can be used to sign the malware’s code. This trick also lets an attacker install software components (e.g. drivers, software updates) that require signed code for their installation or execution. One of the most notable cases was the data breach suffered by the security firm Bit9: attackers stole one of the company’s certificates and used it to sign malware and serve it. The certificate was used to sign a malicious Java applet that exploited a flaw in the targeted users’ browser.

Malware installing illegitimate certificates

Attackers could also use malware to install illegitimate certificates so that they are trusted, avoiding security warnings. Malicious code could, for example, operate as a local proxy for SSL/TLS traffic, and the installed illegitimate certificates would allow attackers to eavesdrop on that traffic without triggering any warning. Installing a fake root CA certificate on the compromised system could also allow attackers to run a phishing campaign: the bad actor just needs to set up a fake domain that uses SSL/TLS and passes the certificate validation steps. Recently, Trend Micro published a report on a hacking campaign dubbed “Operation Emmental”, which targeted Swiss bank accounts with a multi-faceted attack able to bypass the two-factor authentication implemented by the organizations to secure their customers. To improve the efficiency of their phishing scheme, the attackers used malware that installs a new root Secure Sockets Layer (SSL) certificate, which prevents the browser from warning victims when they land on these websites.


CAs issued improper certificates

Improperly issued certificates from CAs have also been used by hackers in cyber attacks. In one of the most blatant cases, DigiCert mistakenly sold a certificate to a non-existent company; the certificate was then used to sign malware used in cyber attacks.

Read the full article “How Cybercrime Exploits Digital Certificates” on the Infosec Institute.

Pierluigi Paganini

Security Affairs – (Digital Certificates, cybercrime)

Jul 29 14

Kaspersky uncovered the complex infrastructure of Koler ransomware

by paganinip

Researchers at Kaspersky Lab issued a report on the Koler ransomware, which is targeting both Android devices and desktop browsers.

Experts at Kaspersky Lab published a report titled “Koler—The Police Ransomware for Android” that examines how the bad actors behind the Reveton campaign have operated; their Koler ransomware recently targeted Android users. The report on the Koler malware focuses on the sophisticated infrastructure the Reveton team has used for its malicious campaign.

In May 2014, the French researcher Kafeine discovered new mobile ransomware named AndroidOS.Koler.a. The attack starts when victims visit a pornographic website on their Android device; they are then redirected to a site hosting a malicious .apk file that the criminals use to lock the device’s screen and demand payment of a fee between $100 and $300.

Most of the visitors to the pornographic website are from the US, with a limited number of visits coming from the UK, Canada and Europe.

“Through these stats, we also confirmed that the campaign started in April 2014. At the time of our analysis, the landing website had received 196,619 visitors.”

Be aware that the installation of the Koler ransomware is not automatic and requires the victim’s intervention.

For its installation the malicious app requests a significant number of permissions, including the ability to access the Internet, read phone status and identity, run at startup and prevent the phone from sleeping.



On July 23 something strange happened: the command and control server began sending uninstall commands to the mobile devices infected by the Koler malware. Only the mobile component used by the Reveton team was apparently dismantled.

The experts noted that while the Koler ransomware is not a particularly complex piece of malware, the infrastructure used for the criminal campaign is very versatile and complex.

“We believe this kind of infrastructure is a perfect example of how well prepared and dangerous these campaigns are. They are now targeting, but are not limited to, Android users. The attackers can quickly create a similar infrastructure thanks to its intricate automation, changing the payload or targeting different users,” states the report. “The attackers have also created many different ways of monetizing their campaign in a true multi-device schema.”

The distribution infrastructure used to spread the malware was far more complex than expected: it relies on a TDS (Traffic Distribution System) that serves both mobile and desktop visitors.

“That includes redirections to browser-based ransomware and the Angler exploit kit.” stated the report.


The experts uncovered another interesting feature of the Reveton operation: the way it automated the creation of new pornography sites and the redirection of their traffic.

“They also used their malware as a service through an API to obtain new landing sites to distribute their browser-based ransomware and exploit kit websites.”

The network of porn websites is used by the attackers to redirect victims to the main controller domain of the campaign (videosartex[.]us), which collects all the requests and, using the Keitaro traffic distribution system, sends each visitor to either the mobile payload at hxxp://video-porno-gratuit.eu, a browser-based ransomware site, or an Angler Exploit Kit site.


“We should keep in mind this [Angler] exploit kit is one of the tools of choice of Team Reveton. The use of Port 2980, which is not usual among other exploit kits, is one of the distinctive aspects of this exploit kit,” the report said. “The Angler exploit kit has exploits for Silverlight, Adobe Flash and Java. The use of Silverlight is quite common in Angler.”
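The redirect chain the report describes (porn landing site, then the controller domain, then a device-specific branch) is what a defender would hunt for in web proxy logs. The following is an added example, not code from Kaspersky’s report or from this article: it runs a handful of constructed, squid-like proxy log lines through detection rules built from the indicators the article quotes (the videosartex[.]us controller, the video-porno-gratuit.eu mobile payload host and the unusual port 2980 of Angler). The log format, the client addresses, the landing-site hostname, the 203.0.113.7 Angler host and the player.apk filename are all constructed for the example and are not from the report.

```python
"""Proxy-log detection for the Koler/Reveton redirect chain.

Added example, not code from Kaspersky's report or from the article. The
indicators are the ones the article quotes: the videosartex[.]us controller,
the video-porno-gratuit.eu mobile payload host and port 2980 for Angler.
The log format, client addresses, the landing-site hostname, the Angler host
203.0.113.7 and the player.apk filename are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

CONTROLLER_DOMAINS = {"videosartex.us"}        # written undefanged so it matches URLs
PAYLOAD_DOMAINS = {"video-porno-gratuit.eu"}
ANGLER_PORT = 2980                             # the unusual port the report attributes to Angler

# Constructed line format: <epoch> <client_ip> <method> <url> <status> "<referer>" "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def device_class(user_agent: str) -> str:
    """The TDS forks on device type; record which branch a client was sent down."""
    return "mobile" if re.search(r"Android|iPhone|iPad", user_agent) else "desktop"


def host_and_port(url: str) -> Tuple[str, int]:
    """Hostname and effective port of a URL ('' and 80 for an empty referer)."""
    u = urlsplit(url)
    return (u.hostname or "").lower(), u.port or (443 if u.scheme == "https" else 80)


def classify(rec: Dict) -> List[str]:
    """Per-request indicator matches."""
    host, port = host_and_port(rec["url"])
    hits = []
    if host in CONTROLLER_DOMAINS:
        hits.append("koler_controller")
    if host in PAYLOAD_DOMAINS and rec["url"].lower().endswith(".apk"):
        hits.append("koler_apk_download")
    if port == ANGLER_PORT:
        hits.append("angler_port_2980")
    return hits


def detect(lines: List[str]) -> List[Dict]:
    """Emit one alert per indicator hit, plus a 'koler_chain' alert when a client
    that was routed through the controller (by request order or by Referer) is
    then sent to the mobile payload host or to an Angler landing on port 2980."""
    per_client: Dict[str, List[Dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        touched_controller = False
        for rec in recs:
            hits = classify(rec)
            for rule in hits:
                alerts.append({"client": client, "rule": rule,
                               "device": device_class(rec["ua"]), "url": rec["url"]})
            if "koler_controller" in hits:
                touched_controller = True
                continue
            via_referer = host_and_port(rec["referer"])[0] in CONTROLLER_DOMAINS
            if hits and (touched_controller or via_referer):
                branch = "angler_ek" if "angler_port_2980" in hits else "mobile_payload"
                alerts.append({"client": client, "rule": "koler_chain", "branch": branch,
                               "device": device_class(rec["ua"]), "url": rec["url"]})
                touched_controller = False
    return alerts


# Constructed log: an Android client and a Windows client both pass through the
# landing site and the controller and are then forked to different payloads.
SAMPLE_LOG = [
    '1406100000 10.0.0.5 GET http://porn-landing.example/index.php 302 "" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5) Chrome/36"',
    '1406100001 10.0.0.5 GET http://videosartex.us/?key=abc 302 "http://porn-landing.example/index.php" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5) Chrome/36"',
    '1406100002 10.0.0.5 GET http://video-porno-gratuit.eu/player.apk 200 "http://videosartex.us/?key=abc" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5) Chrome/36"',
    '1406100010 10.0.0.9 GET http://porn-landing.example/index.php 302 "" "Mozilla/5.0 (Windows NT 6.1) Firefox/31"',
    '1406100011 10.0.0.9 GET http://videosartex.us/?key=def 302 "http://porn-landing.example/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/31"',
    '1406100012 10.0.0.9 GET http://203.0.113.7:2980/landing.php 200 "http://videosartex.us/?key=def" "Mozilla/5.0 (Windows NT 6.1) Firefox/31"',
    '1406100020 10.0.0.20 GET http://www.example.org/ 200 "" "Mozilla/5.0 (Windows NT 6.1) Firefox/31"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        tail = f"  -> {a['branch']}" if "branch" in a else ""
        print(f"{a['client']:10} {a['device']:7} {a['rule']:18} {a['url']}{tail}")
```

Port 2980 on its own is weak evidence and would be noisy on a large network; the chain rule (controller hit, then payload or exploit-kit landing for the same client) is the alert worth paging on, and in production the domain sets would be fed from threat intelligence rather than hard-coded as they are here.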

Victims are advised not to pay the requested fee: those who paid never received an unlocking code or uninstall instructions.


Pierluigi Paganini

Security Affairs –  (Koler, ransomware)

Jul 28 14

Instagram Android App affected by account session hijacking flaw

by paganinip

A security researcher disclosed a serious issue on Instagram’s Android Application which could be exploited by an attacker to impersonate a victim.

A security issue in the Instagram mobile app for Android exposes users’ accounts to a serious risk of data breach. A security researcher discovered that the app is affected by a session hijacking vulnerability which could be exploited by an attacker to access the user’s personal data and impersonate the victim, deleting their photos, editing comments and posting new images.

Instagram is an online mobile photo/video-sharing and social networking service owned by Facebook, which acquired it in 2012 for approximately US$1 billion. The researcher Mazin Ahmed explained in a blog post that part of the communication between the Instagram Android app and its servers travels over plain HTTP rather than HTTPS, allowing a bad actor on the same network to intercept and modify the traffic.

“Then I started using the app on my phone, and monitoring the traffic in the network using Wireshark, looking for evidence of unencrypted data that goes through the network or a technique to make this data unencrypted (if it was encrypted). As soon as I logged into my account on my phone, Wireshark captured unencrypted data that goes through HTTP. This data includes: the pictures that the victim is watching, the victim’s session cookies, the victim’s username and ID.” said Mazin.

What does this mean? Exactly what it sounds like: Mazin Ahmed is saying that the Android Instagram app is affected by a session hijacking vulnerability. An attacker in a man-in-the-middle position, or simply sniffing the same wireless network as the victim, can read the session cookies from the cleartext traffic and reuse them. When the attacker and the victim share the same wireless network this kind of attack is very easy to perform.
Mazin captured the HTTP session cookies and tried to use them from another system and browser. The result was disconcerting: he succeeded in hijacking the victim’s Instagram session.

“Then, I took the session cookies and used them on my computer, and simply ‘The Victim’s Session Has Been Hijacked’,” he said.

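To make concrete what Wireshark showed the researcher, here is an added example (not code from Mazin Ahmed, from the article or from Instagram/Facebook) that performs the same audit on a constructed capture: it parses plaintext HTTP requests as a sniffer on a shared Wi-Fi network would see them, flags session cookies that travelled without TLS, builds the replay request that reuses the captured cookies from another machine, and, on the server side, checks whether a Set-Cookie header carries the Secure and HttpOnly attributes. The hostname api.example-photo-app.test, the cookie names and the cookie values are assumptions made for the example, not real Instagram endpoints or tokens.

```python
"""Audit captured HTTP traffic for session cookies sent in the clear.

Added example, not code from the original article, from Mazin Ahmed or
from Instagram. Hostnames, cookie names and values below are constructed
for illustration; none of them are real Instagram endpoints or tokens.
"""
import re
from typing import Dict, List, Optional

# Cookie names that usually carry the login session (assumption for the demo).
SESSION_COOKIE_NAMES = {"sessionid", "csrftoken", "ds_user_id"}

# Request line of a plaintext HTTP/1.x request. A TLS record starts with
# 0x16 0x03 and will never match, so encrypted traffic is skipped naturally.
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(raw: bytes) -> Optional[Dict]:
    """Parse one plaintext request; return None for non-HTTP payloads."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1).decode(), "path": m.group(2).decode(),
            "headers": headers, "body": body}


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def cleartext_session_cookies(captures: List[Dict]) -> List[Dict]:
    """Walk captured TCP payloads (what a sniffer on the shared Wi-Fi sees) and
    report every session cookie that travelled without TLS."""
    findings = []
    for cap in captures:
        req = parse_http_request(cap["payload"])
        if req is None:  # TLS or other binary traffic: nothing readable here
            continue
        cookies = parse_cookie_header(req["headers"].get("cookie", ""))
        leaked = {k: v for k, v in cookies.items() if k in SESSION_COOKIE_NAMES}
        if leaked:
            findings.append({"host": req["headers"].get("host", "?"),
                             "path": req["path"], "dst_port": cap["dst_port"],
                             "cookies": leaked})
    return findings


def build_hijacked_request(host: str, path: str, cookies: Dict[str, str]) -> bytes:
    """The replay the researcher describes: the captured cookies are reused from
    another machine. A server that accepts this is what makes the leak exploitable."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Server-side check: a session cookie should be marked Secure (a browser
    never sends it over plain HTTP) and HttpOnly (page scripts cannot read it)."""
    attrs = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


# Constructed capture: one plaintext API request and one TLS ClientHello fragment.
SAMPLE_CAPTURE = [
    {"dst_port": 80, "payload": (
        b"GET /api/v1/feed/ HTTP/1.1\r\n"
        b"Host: api.example-photo-app.test\r\n"
        b"User-Agent: ExampleApp/6.0 (Android)\r\n"
        b"Cookie: sessionid=EXAMPLE_SESSION_VALUE; csrftoken=EXAMPLE_CSRF; lang=en\r\n"
        b"\r\n")},
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

if __name__ == "__main__":
    for f in cleartext_session_cookies(SAMPLE_CAPTURE):
        print(f"[!] {f['host']}{f['path']} (port {f['dst_port']}) leaked {sorted(f['cookies'])}")
    print(build_hijacked_request("api.example-photo-app.test", "/api/v1/feed/",
                                 {"sessionid": "EXAMPLE_SESSION_VALUE"}).decode())
    print("missing on weak cookie:", missing_cookie_flags("sessionid=abc; Path=/"))
    print("missing on hardened cookie:",
          missing_cookie_flags("sessionid=abc; Path=/; Secure; HttpOnly"))
```

One caveat a practitioner should keep in mind: the Secure attribute is enforced by browsers, not by a native app’s own HTTP client. For a mobile app the real fix is the one Facebook describes in its reply, moving every endpoint the app talks to onto HTTPS, so that there is no cleartext request for a cookie to ride on in the first place.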

Mazin was surprised that Facebook had not yet fixed such a serious security issue. He reported the flaw to the company, which replied that it is aware of the issue and plans to move everything on the Instagram site to HTTPS, but gave no definite date for the change.

“Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS.” replied Facebook.

It is difficult to accept that, after the numerous scandals related to government surveillance, a company like Instagram still has not implemented HTTPS across its service, exposing the privacy of its users to serious risks.

Pierluigi Paganini

Security Affairs –  (Instagram, hacking)

Jul 28 14

Satellite images demonstrate that Ukraine is hit by pro-Russian troops across the border

by paganinip

The US Ambassador in Ukraine has released satellite images that prove Russia is firing rockets at Ukrainian troops across the border.

The US State Department has released, via the ambassador to Ukraine Geoffrey Pyatt, a collection of satellite images that it says demonstrate the Russian Army is firing rockets at Ukrainian troops across the border. The images indicate fire from multiple rocket launchers located “on the Russian side of the border”. The document was prepared by the US Office of the Director of National Intelligence (DNI); it includes slides that report what US officials claim to be “ground scarring at a multiple rocket launch site on the Russian side of the border oriented in the direction of Ukrainian military units within Ukraine.”

The US State Department has not released an official statement on the satellite images; it is simply inviting its followers to follow ambassador Geoffrey Pyatt for updates on the situation, and so far he has only shared the images on his Twitter account without providing further information.


The satellite images, all dated between July 21 and July 25/26, were sent via email in a four-page document titled “Evidence of Russian Shelling into Ukraine”. They are presented as confirmation of Washington’s suspicion that the Russian Government is building up troops close to the border and is using them for the “firing of Russian heavy weapons from the Russian side of the border at Ukrainian military personnel.”

The satellite images were taken after the crash of Malaysia Airlines Flight MH17; intelligence experts consider them evidence of the transportation of heavy artillery from Russia to areas controlled by pro-Russian separatist forces.


The images were spread by the US ambassador to Ukraine, Geoffrey Pyatt, via Twitter and are presented as evidence of the military operations conducted in the area near the border between the two states. A slide dated July 23 is said to show self-propelled artillery “oriented in the direction of a Ukrainian military unit within Ukraine.” It states that “the pattern of crater impacts near the Ukrainian military unit indicates strikes from artillery” fired from self-propelled or towed artillery rather than multiple rocket launchers, weapons “only found in Russian military units, on the Russian side of the border.”


The image dated July 21 is said to illustrate a “wide area of impacts near the Ukrainian military” that “indicates fire from multiple rocket launchers.” “The bottom impact crater inset shows impacts within a local village,” the DNI claimed.

Courtesy of US State Department

Russia’s Defense Ministry has recently asserted that the international inspectors, including representatives from the US, NATO and Ukraine, who have visited the area have not found any violations by Moscow’s troops along the Ukrainian border.

“It has come to our attention that new allegations by top US officials as to the alleged amassing of Russian troops along the Ukrainian border have been voiced,” the ministry said. “No instances of violations by Russia along the Ukrainian border had been registered by the inspectors.” “Frequent action by the Ukrainian military taking place on the Russian border has hindered our own ability to perform similar inspections and flybys along our border,” the Russian Defense Ministry added.

What’s new on the investigation on the MH17 flight?

According to the New York Post, pro-Russian rebels are altering the MH17 crash site:

“British security officials say they have ‘credible information’ that pro-Russian rebels tampered with the crash scene of Malaysian Flight 17 — planting parts from other aircraft at the site in an attempt to foil investigators and push blame for the disaster on Ukrainian forces,” states the paper. “There is evidence starting to emerge of attempts at tampering with the crash scene, moving bodies and black boxes,” one official said, according to The Times of London. “The official added that rebels interfered with the wreckage in order to strengthen the crash narrative concocted by Russian officials and press, which suggests the Boeing 777 was attacked by a Ukrainian SU-25 fighter that was later shot down by separatists.”

Stay tuned for further information.

Pierluigi Paganini

Security Affairs –  (Ukraine, Russian, MH17)