Skip to content
Oct 23 14

Operation Pawn Storm is targeting military, government and media agencies

by Pierluigi Paganini
SEDNIT Operation Pawn Storm 2

Trend Micro discovered a cyber-espionage operation dubbed  Operation Pawn Storm, which is targeting military, government and media entities worldwide.

A new cyber espionage operation targeting military, government and media agencies on a global scale has been discovered by security experts at Trend Micro. Also in this case it seems that the threat actors behind the operation, dubbed Operation Pawn Storm, have been active since at least 2007 and are still running several attacks worldwide.

“Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

  • Military agencies, embassies, and defense contractors in the US and its allies
  • Opposition politicians and dissidents of the Russian government
  • International media
  • The national security department of a US ally

states Trend Micro in a blog post.

In June 2014 the hackers compromised government websites in Poland and last month they injected a malware in the website for Power Exchange in Poland.  The attackers run different attack scenarios ranging from classis spear-phishing to watering hole attacks, in both cases to serve the SEDNIT malware. 

“The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages,” states Trend Micro in a blog post.

The experts consider the attacks as surgery operations, in some cases spear-phishing emails targeted a restricted number of individuals. The attackers also adopted as attack vector a collection of malicious iframes pointing to very selective exploits, the technique was used for the attack against the Polish government websites.

SEDNIT Operation Pawn Storm

The post explains that in an attack on  billion-dollar multinational firm the group behind the Operation Pawn Storm reached via email just three employees.

“The e-mail addresses of the recipients are not advertised anywhere online,” he noted. “The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive of the attackers.”

The malware analysts believe that the bad actors behind the Operation Pawn Storm have great cyber capabilities and their operation are financially motivated. The experts consider very interesting the malware they designed to compromise targets and remain persistent in their network to syphon sensitive data.

“Our investigation into Pawn Storm has shown that the attackers have done their homework,” said Jim Gogolinski, Senior Threats Researcher at Trend Micro. “Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.”

The hackers also adopted a very effective technique for their phishing campaigns, to avoid raising suspicions in fact, they used well-known events and conferences such as the Asia-Pacific Economic Cooperation (APEC) Indonesia 2013 and the Middle East Homeland Security Summit 2014 as bait.

Trend Micro has disclosed the details of its investigation in research in a paper titled “Operation Pawn Storm.”

Pierluigi Paganini

(Security Affairs – Operation Pawn Storm, cyber espionage)

Oct 23 14

Hackers have violated ticketing system based on NFC in Chile

by Pierluigi Paganini
NFC payment BIT

Unknowns have hacked the NFC based electronic payment system used in Chile, the “Tarjeta BIP!”, spreading an Android hack that allows users to re-charge cards for free

In Chile NFC electronic payment is already a reality, “Tarjeta BIP!” is the name of the payment system used to pay for public transportation with users’ smartphones that support the standard. The adoption of NFC standards for NFC ticketing application is a reality worldwide, many companies enable NFC ticketing payments due to its numerous advantages. We all know that when a technology is in so rapid diffusion, security issues are unfortunately are neglected and cybercrime is always ready to exploit the lack of the implementation of security requirements.

The news of the day is that according security expert Dmitry Bestuzhev cyber criminals have reversed the “Tarjeta BIP!” cards and discovered the mechanism to re-charge them for free. Someone has spread on the Internet an application, which allows users to re-charge their credits to use for NFC electronic payment with their Android devices.

“So, on Oct. 16 the very first widely-available app for Android appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum  equal to approximately $17 USD.” reported Bestuzhev in a blog post published on SecureList portal with 

The users just need to install the application on their NFC Android device, put the ticket in proximity of the smartphone and push the button “Cargar 10k”, the operation refill the card with 10,000 Chilean pesos.

The experts that analyzed the Android app discovered from the metadata of the .dex file package that it was compiled on October 16th, 2014, it is a tiny app (884.5 kB size) which interacts directly with the NFC port:android.hardware.nfc. The authors of the fraud are also able to change the card identifier, called “número BIP”, a feature that makes hard for law enforcement to block illegally refilled BIP cards.

The principal features implemented by the author of the application are:

cambiar número BIP” – allowing the user to change the card number altogether.

“número BIP” – to get the number of the card, “saldo BIP” – to get the available balance,

“Data carga” – to refill available balance and finally, maybe the most interesting is

Despite the original links available online to download the Android App were taken down, it is still possible to download a new application, that implements the same feature, from the new servers. The new application was compiled on October 17th, 2014, it is derived from the original one bit its size is greater due to the presence of an advertisement component.

“Since both apps allow users to hack a legitimate application, they are now detected by Kaspersky as HEUR:HackTool.AndroidOS.Stip.a” explained Bestuzhev.

As explained in the blog post, due to the high interest in the application in the country, cyber criminals could spread a malicious version of the app that is able to infect NFC Android mobile devices, in this way threat actors could run targeted attacks in Chile, compose a botnet or realize any other type of scam based on mobile technology (e.g. Premium SMS scam, premium call scam).

Dear Chilean friends, beware!

Pierluigi Paganini

(Security Affairs – NFC payments, hacking )

Oct 22 14

New Zero-day in Microsoft OLE being exploited in targeted attacks

by Pierluigi Paganini
zero-day powerpoint ole

Security experts at Google and McAfee have discovered a new Zero-day vulnerability in Microsoft OLE being exploited in targeted attacks.

Early this week,  Microsoft issued the security advisory 3010060 to warn its customer of a new Zero-Day vulnerability that affects all supported versions of Windows OS except, Windows Server 2003.

The OLE Packager is the component that is affected by the zero-day, which was discovered by researchers at McAfee and Google. Curiously the component was just patched this month in MS14-060, but Microsoft,  in response to this latest flaw, has released a Fix It package for PowerPoint, and encouraged the use of EMET 5.0.

The most concerning things related to the Microsoft zero-day flaw is that it is already being exploited by threat actors in targeted attacks.

“The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the advisory explained.”At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.” confirming the voice that bad actors are already exploiting the zero-day in limited cases.

The OLE (Object Linking and Embedding) is a proprietary technology developed by Microsoft that allows embedding and linking to documents and other objects. As explained by the experts at Microsoft, the vulnerability in Microsoft OLE, coded as CVE-2014-6352, could allow remote code execution, this is possible if a Microsoft user opens a specially crafted Microsoft Office file that contains an OLE object.

Microsoft OLE zero-day

The file could be sent via email to the victims in a classic spear-phishing attack or the attacker could serve it through a compromised website in a classic watering hole attack.

The security advisory reports the following mitigation factors:

  • In observed attacks, User Account Control (UAC) displays a consent prompt or an elevation prompt, depending on the privileges of the current user, before a file containing the exploit is executed. UAC is enabled by default on Windows Vista and newer releases of Microsoft Windows.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
  • Files from the Internet and from other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer. To help protect your computer, files from these potentially unsafe locations are opened in Protected View. By using Protected View, you can read a file and see its contents while reducing the risks. Protected View is enabled by default.

The principal problem is that despite the exploit of the flaw trigger a warning, users often ignore them, the issue appears very serious in corporate environments, where executives and remote users are often granted administrative rights on their systems.

Pierluigi Paganini

(Security Affairs – Microsoft zero-day, hacking, OLE )

Oct 22 14

Drigo spyware exploits Google Drive in targeted attacks

by Pierluigi Paganini
drigo malware google drive

Security experts at TrendMicro have discovered a cyber espionage campaign which used a malware dubbed Drigo to syphon data through Google Drive.

Security experts at TrendMicro have uncovered a new wave of targeted attacks which were stolen information through Google Drive. The researcher detected a new strain of data stealer malware, dubbed Drigo, that is apparently used in hacking campaigns targeting government agencies worldwide. The malware is able to syphon user’s files from the infected machine and sent it to Google Drive.

Drigo is able to steal common files including Excel, Word, PDF, text and PowerPoint files, including data in the Recycle Bin and User Documents folder, and upload them to Google Drive. The exploitation of cloud-based sharing sites is becoming even more frequent in the cybercrime ecosystem, in the last months security experts detected RAT served through these powerful platforms and phishing campaigns that benefited of SSL channels they ordinarily use.

The techniques spotted by the investigators are designed to  evade security vendors and researcher and in many cases are very sophisticated.

Drigo, in order to transfer the syphoned files to the Google Drive service includes in its source code the client_id, the client_secret and a refresh token (used for authentication process based on the OAuth 2.0 protocol).

“Refresh tokens are needed as part of the OAuth 2.0 protocol, which is used by Google Drive. This protocol is used by Twitter, Facebook and other sites to use their accounts to log in to a different website,” states Trend Micro threats analyst Kervin Alintanahin in a blog post. “Access tokens are used to have access on a Google Drive account. However, access tokens expire so refresh tokens are needed to get new access tokens. We decrypted communication from the malware and saw activity such as requests for new tokens and uploading files.”

The investigation allowed the experts to discover targeted attacks against government agencies, they speculate that Drigo malware has been designed for reconnaissance purposes.

Google Drive Drigo malware

“After all, one of the key aspects in a successful attack is having enough information on the target. The more information they can gather, the more vector of attack they can use on their target,” noted Alintanahin.

Another interesting discovery made by the experts is the use of the Go open source programming language, also known as golang, that was initially developed by Google.

“While interesting, the use of golang is not new; security researchers have seen golang-created malware as early as 2012. It would be hard to pinpoint the exact reason for using golang but some have attributed its appeal to its supposed lack of mainstream profile.” states the blog post.

TrendMicro has already alerted Google of the malicious activities related to the Google Drive account used by the bad actors, but as explained by the experts in the post, if the Drigo malware is able to update the configuration file, it’s possible that the attackers will use many other Google Drive accounts to continue their campains.

Pierluigi Paganini

(Security Affairs – Drigo malware, Google Drive)

Oct 22 14

Google improved 2-Step Verification with Security Key

by Pierluigi Paganini
Security Key U2F

Google has announced the introduction of an improved two-factor authentication mechanism based on a USB token dubbed Security Key.

Google firm considers cyber security a pillar of its business, the last initiative announced by the company is the introduction of an improved two-factor authentication system for its services, including Gmail. The new 2FA process is based on the use of a tiny hardware token that will allow the authentication only when users visit legitimate Google sites.

The new hardware is named Security Key system and will be introduced by the company to prevent attacks based on cloned websites that are designed to steal users’ credentials. This kind of attacks is becoming even more sophisticated, recently security experts at Symantec discovered a phishing campaign, which exploits SSL connections used by DropBox, and in the last months a similar technique was used to host malicious content on Google Drive storage service.

Security Key

Phishing is a very common and dangerous practice in the criminal ecosystem as reported in the last APWG report, new techniques exploit paradigms like mobile, cloud computing and social networking.

As explained in the official page of the Security Key system, the hardware used by Google is a small USB token that implements the FIDO Alliance’s Universal 2nd Factor specification.

Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished,” Nishit Shah, security product manager at Google, said in a blog post.

The Security Key represents an excellent solution for those customers that need a strong security for their accounts, typically all those people that manage sensitive data, but anyway I strongly suggest it’s adoption on a large scale. Users can acquire it from popular retailers and also from Amazon.

“If you use 2-Step Verification, you can choose Security Key as your primary method, instead of having verification codes sent to your phone. With Security Key, there’s no looking at codes and re-typing―you simply insert your Security Key into your computer’s USB port when asked.” states Google.

The basic two-factor authentication system implemented by Gmail uses the mobile device as an authentication token. This authentication process, despite protects users against account takeovers by requiring physical access to the mobile phone doesn’t protect Google users against other type of attacks like phishing.

“With 2-Step Verification, Google requires something you know (your password) and something you have (like your phone) to sign in. Google sends a verification code to your phone when you try to sign in to confirm it’s you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with,” Google’s description of the new system says.

Th Security Key system initially will work only in Chrome, but according to Google it will be soon available for other browsers and with all the websites implementing the U2F protocol.

As explained by Google there are the following cases where users will want to use verification codes instead of a Security Key:

  • You use your account only on a mobile device. Security Key requires a USB port to work, so it’s not recommended for mobile-only users.
  • You don’t use Chrome. Security Key does not work on browsers other than Chrome.

Pierluigi Paganini

(Security Affairs – Security Key, Google)

 

Oct 21 14

Hiding a malicious Android APK in images as evasion method

by Pierluigi Paganini
android malicious apk

Two researchers at Fortinet have demonstrated during the last Black Hat Europe conference how to hide a malicious Android APK in images.

Mobile devices are continuously under attacks, cyber criminals are improving their technique to attack mobile users and increase the profits.  A new technique recently disclosed, allows attackers to hide encrypted malicious Android applications inside images, the method allows threat actors to evade detection by antivirus products and according the experts potentially also the checks run by Google Play’.

The new attack technique was developed by Axelle Apvrille, a security researcher at Fortinet, in collaboration with reverse engineer Ange Albertini. The researchers presented their proof-of-concept last week during the last Black Hat Europe security conference.

The methods exploit a technique designed by Albertini dubbed AngeCryption, which allow to encrypt anything into whatever we want (apart a few restrictions on input and output formats) using a Python script written by the researcher. The script receives in input the content user wishes to encrypt , the output user wishes to receive and it will calculate a specified key using AES in cipher-block chaining (CBC) mode that produces the expected output file..

The script elaborates the input, “without altering the information it contains, so that the input encrypted with the provided key and a generated initialization vector (IV) turns into the output.”

The two researchers at Fortinet applied the concept to Android application packages (APKs) files, they created a proof-of-concept wrapping application that displays a PNG image of Anakin Skywalker, one of the characters of Star Wars saga. The app they developed is able to decrypt the image with a particular key in order to obtain a second Android APK file that it will install.

During their presentation at the BlackHat, the researcher used an encrypted APK that once extracted by the principal app displays a picture of Darth Vader, in a real attack scenario the hackers could run a malicious application to control the Smartphone or to steal user’s, including SMS messages, photos and contacts.

Malicious APK attack uses angecrypt_anakin

During the presentation the Android device displayed a permission request when the wrapper application tried to install the decrypted APK file, but as explained by Apvrille this behavior is easy to avoid invoking a method called DexClassLoader.

Another interesting thing is that the malicious APK could be also downloaded from a remote server without triggering any alert due the to the encryption applied.

As explained the researchers there is anyway a condition to satisfy in order to successfully run the attack, some data needs to be appended at the end of the original application, but the APK format does not allow to append any data after a marker called the End of Central Directory (EOCD), which is a sort of end of the file.

The researcher bypassed the limitation, adding a second EOCD after the appended data, this procedure tricks Android into accepting the file as valid. It’s clear that APK parser fails to correctly parse the code provided on input.

The researchers have already reported the security issue to the Android security team that is currently working on a fix. The attack works on the latest version of Android, Android 4.4.2.

Because of fragmentation in the Android ecosystem, especially when it comes to firmware updates, many devices will likely remain vulnerable to this attack for a long time, giving Android malware authors ample time to take advantage of it.

The researchers speculated that the vulnerability will probably remain active for a long time on many devices because the fragmentation in the Android ecosystem and different patch management of various vendors.

The proof-of-concept code used during the presentation is available on Github.

Pierluigi Paganini

(Security Affairs – APK, Android)

Oct 21 14

100 million iCloud users spied by the Chinese Government

by Pierluigi Paganini
China icloud censorship 2

A report confirms that China is collecting private data of more that 100 million Apple iCloud users resident in the country with a man-in-the-middle attack.

The Chinese Government has launched a new hacking campaign that is targeting Apple iCloud users in the country, the news was reported by the censorship watchdog GreatFire.org is a blog post.

After previous attacks against Github, Google, Yahoo and Microsoft, the Chinese authorities are now running a man-in-the-middle (MITM) attack on Apple’s iCloud users to steal credentials of who logs into the iCloud from the country.

It is a surveillance operation on a large scale that allows the Government of Beijing to spy on Chinese citizens, accessing to the iCloud account the authorities can users contacts, photos and data archived in the Apple cloud.

The number of iPhone users in China is 100 million, all potential targets of the Government:

“The attack point is the Chinese internet backbone, and that it is nationwide, which would lead us to be 100 percent sure that this is again the work of the Chinese authorities,” one of the GreatFire founders told the South China Morning Post.

The report issued by the GreatFire.org highlights the importance of the timing for the surveillance operation, it coincides with events such as the protests in Hong Kong and the presentation of the new iPhone 6 that begun in China with a significant delay respect the rest of the world.

Apple announced a series of improvements that makes hard snooping from Intelligence agencies, so Chinese authorities would not allow the phone to be sold on the mainland.

“It is unclear if Apple made changes to the iPhones they are selling in mainland China.”

icloud China censorship

The monitoring of Apple users’information could support the authorities to track the leaders of the Hong Kong’s Umbrella Movement on the mainland.

The Government has operated PSYOPs in the social media to mitigate the protest and security firm also sustains that the China has used mobile spyware, MITM attacks and Internet monitoring to control Hong Kong protesters.

The Government was running hacking campaign against Apple iCloud users despite in the past the company has collaborated with the authorities banning from its official store any application that could violated the law of the country and evade the censorship. In August, Apple accepted to store iCloud data of Chinese users in China Telecom servers.

How iCloud users in China could protect their privacy?

  • Internet users in China must use a trusted browser on their desktops and mobile devices like Firefox and Chrome, both software in fact detect connections suffering from a MITM attack.
  • Another possibility is the used of VPN or by finding a different internet access point.
  • Enable two-step verification for iCloud accounts, this do not suffice for the attackers to capture the iCloud credentials.

Technically, the Chinese authorities are using a self-signed certificate to run a Man-In-The-Middle attack in iCloud. The Government only attacked the IP address 23.59.94.46, this means that only a portion of iCloud users for which the iCloud DNS return this IP are impacted. Below some other details of the attacks.

Wirecapture with MITM: https://www.cloudshark.org/captures/03a6b0593436
Connection log: http://pastebin.com/tN7kbDV3
Traceroute:  http://pastebin.com/8Y6ZwfzG

The report is polemic with the support offered by Apple to the Chinese Government in the past:

“If anything, cooperation with the Chinese authorities can now increasingly be labeled as the worst decision a foreign company can make. Not only will the authorities bite you in the ass, but your willingness to work with the censorship regime will lose you customers and fans worldwide.” states the report.

Apple has not yet commented on the GreatFire report.

Pierluigi Paganini

(Security Affairs – GreatFire report, Chinese censorship)

Oct 20 14

Operation Distributed Dragons, thousands of machine compromised worldwide

by Pierluigi Paganini
Operation Distributed Dragons infections report

Operation Distributed Dragons – Tiger Security firm has discovered a series of DDoS attacks from China and that appear as run by a structured organization.

Security experts at the Italian Tiger Security firm have spotted a new wave of DDoS attacks that were originated in China and that appear as run by well organized APT. The expert identified the operation with the codename “Operation Distributed Dragons”, the threat actors behind the attacks have the capability to evolve its techniques, tactics, and procedures (TTPs).

As explained by the researchers the methods of infection continuously changes, while it is expanding the perimeter of their physical infrastructure.

The bad actors initially targeted Linux servers, but the attacks also involved Windows machines and embedded device with ARM architecture (e.g. Routers and IP cams), in this way the hackers are able to run DDoS attacks that reach traffic peaks of more than 200 Gb/s, without the use of amplification techniques.

The Operation Distributed Dragons has already targeted thousand of machines worldwide, Canada, The Netherlands, Hungary and Germany are the countries hosting these greatest number of compromised PCs.

Operation Distributed Dragons infections

Attacks belonging to the Operation Distributed Dragons are still ongoing and according to the experts the number of new infected machines by the dab actors is increasing rapidly.

“The end targets of the campaign are several and range significantly across sectors and include ISPs, Cloud Storage companies and players in leisure and gaming industry.”states the report issued by Tiger Security on the Operation Distributed Dragons.

The attack chain is composed of three main steps:

  • Reconnaissance:  A range of IP addresses is scanned by the attackers searching for vulnerable systems. The bad actors used “brute force” attacks to compromise the machines exploiting several kinds of flaw, including weak login credentials and out-of-date versions of products.
  • Malware infection: Threat actors infect the machine, recruiting it as part of a botnet controlled by a series of  Command and Control (C&C) Servers detected by the researchers.  The C&C servers were distributed in many countries, including Cina, South Korea, United States, Indonesia, Russia, Germany, Brazil, France and so on.
  • Fire: Bot agents run the DDoS attack. The expert noticed several types of attacks, including SYN Flood, DNS Flood, UDP Flood and ICMP Flood.

The experts revealed that in many cases DDoS attacks were scheduled at 9pm Beijing time and last for approximately 3 hours with peaks of traffic, even without amplification.

The threat actors are specializing their activity on systems and applications that are not subject to continuous checks, updates and upgrades by the administrators and for this reason that are more vulnerable to such kind of attack.

Reading the technical details from the report it is possible to note that the threat actor used different backdoor for various websites, including some of the Chinese Government.

“These backdoor, ready to be used via web shells – including the famous “China Chopper”, have been inserted by exploiting vulnerabilities, including 0-day type, like the case of dedecms.” states the document.

In the following table is reported the list of the vulnerabilities exploited by attackers split by service:

Operation Distributed Dragons infections exploits

Who is behind the attacks?

“The objectives of the whole operation, at least at this stage of investigation, seem to be quite inconsistent. In addition, victims appear significantly far apart in terms of business model, sectors and interests. All this seems to suggest that the wave of attacks has been driven by mere economic reasons: this conclusion, if proven wright, seems to support the thesis that cyber-criminals provide a “service” to their “clients” against some sort of reward, probably financial, and can be hired to pursue the specific objectives of their “clients”, as it would happen in any legitimate business.” states the document highlighting the financial nature of the attacks.

I have contacted Emanuele Gentili – CoFounder & Partner, Chief Executive Officer of Tiger security to request more info on the operation.

Q: The threat actor behind the Operation Distributed Dragons has used public available exploits obtaining a 200 Gbits DDoS. Which is your point of view on these types of emerging threats? 

A: Poorly configured machines advantage infections on a large scale, which allow attackers to compose powerful botnet. Very interesting is the extension of the attacks to the Internet of Things devices that lack of effective security settings.

Q: You have highlighted previously unpublished references about the tools used by the cyber criminal group behind the Operation Distributed Dragons. Several software used for the C&C appear very different each other despite the malware they control are identical, which is the reason of such differentiation? 
 
A: From our research, we believe that the various software created and used as C&C are the result of continuous improvement over the time. Many control panels appear minimal, other far more advanced in terms of functionality. One of these C&C includes also sophisticated features like a builder for the delivery of infections and the time scheduling of attacks. 

Give a look to the report issued by Tiger Security on the Operation Distributed Dragons, it is full of interesting details regarding their investigation.

Pierluigi Paganini

(Security Affairs – Operation Distributed Dragons,cybercrime)

 

Oct 20 14

New releases of Tor Browser 4.0 and Tails 1.2 to preserve your privacy

by Pierluigi Paganini
Tor Browser 4.0 release

New significant software updates Tor Browser 4.0 and Tails 1.2 are available for the popular Privacy Tools used to preserve online anonymity

The Tor project has released a new version of the popular free software for enabling online anonymity Tor, Tor Browser 4.0 is the release Tor Browser Bundle available for download.

The Tor Browser Bundle is based on an  Extended Support Release (ESR) version of the Mozilla Firefox project, in the new Tor version 4.0 the Firefox version has been updated from 24 ESR  to 31 ESR version which include several security fixes, including seven critical vulnerabilities.

The fix is also necessary to mitigate the recently disclosed POODLE attack on SSL which allows bad actors to decrypt traffic over secure channels, the experts at Tor project have disabled SSLv3 in the Tor Browser 4.0 release as explained in the official post:

 “This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.”

The measure is necessary for an anonymizing tool like Tor to avoid that an attacker can spy on user’s internet activity, even if carried out over SSL which is still supported by the majority of Internet users.

“This vulnerability allows the plaintext of secure connections to be calculated by a network attacker,” said the researcher Bodo Möller at Google. “If a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around serve ­side interoperability bugs.”

Tor Browser 4.0

Another important update is related to the mechanisms implemented to circumvent censorship, as explained in the release not the new version features the addition of three versions of the meek pluggable transport. A meek is a pluggable transport that uses HTTP for carrying bytes and TLS for obfuscation, technically the traffic is routed through a third-party server to circumvent censorship.

“More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note though that we still need to improve meek’s performance to match other transports, though. so adjust your expectations accordingly.” states the release note.

The new Tor Browser 4.0 also includes an in-browser updater and as announced by the developers of the project very soon the bundle will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379).

“This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work,” reads the blog post. “Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help (“?”) “about browser” menu option.”

don’t wast time Download Tor Browser 4.0.

Tor Browser 4.0 isn’t the unique privacy tool updated during this period, a new version of live anonymizing distribution TAILS (VERSION 1.2) has been released. Tails, also known as “Amnesiac Incognito Live System”, is a free Debian-based Linux distribution, specially tuned and optimized to preserve users’ anonymity and privacy.

Also in this case it is crucial to upgrade your privacy tool.

Pierluigi Paganini

(Security Affairs – Tor Browser 4.0, TAILS 1.2)

Oct 20 14

Phishing campaign via Dropbox exploits SSL of the popular cloud service

by Pierluigi Paganini
Dropbox  phishing page 2

Experts at Symantec have detected a scam based on Dropbox accounts to serve phishing pages over secure communication channels.

Recently a massive data leakage has interested DropBox, a week ago a guest account post on Pastebin four different documents, all claiming to be part of “the massive hack of 7,000,000 accounts”. The author also anticipated that there are “More to come” inviting all the users interested in the data to make a Bitcoin payment to him.

Other sources report that the data leak apparently surfaced on this Reddit thread, where some Reddit users who have tested the credentials have confirmed that many of them still work.  Reading the comments it seems that Dropbox in response to the data leakage has reset all the accounts listed in the Pastebin, anyway the company denies it suffered a data breach.

But for DropBox users, there is no peace, according to the experts at Symantec they are targeted by phishing scam hosted on Dropbox. The security researchers at Symantec discovered a fake Dropbox login page used by threat actors to steal credentials for popular email services.

In reality cyber criminals are also targeting other services on the Internet, including web-based email service, deploying a fake log-in page on the file sharing website, taking advantage of its secure protocol.

The attack scheme implemented by cyber criminals is ingenious and take advantage of the recent incidents occurred to DropBox to maximize its efficiency.

According to a classic phishing schema, the victims receive an unsolicited email with a subject that inform them that are potential victims of the data breach. The Subject of the email includes the word “Important” to trick victims, the email informs the victims that a large file containing the credentials of victims can be viewed only over Dropbox. Once the victim clicks on the link in the email he is redirected to a fake Dropbox login page where he is asked for Dropbox credentials.

The attackers exploit the fact that the fake Dropbox page is that it is served over SSL and the page reproduces exactly the DropBox page, the victims have the perception to be on the legitimate Dropbox page.

Dropbox  phishing page

“The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well.” states the blog post published by Symantec.

Anyway, some of the resources present on the page are not sent using the SSL protocol (e.g. Images) causing some browser to show warnings to the user. The warnings are displayed in different ways by web browsers, in some cases, they could go unnoticed by the victims, for example, some browsers continue to show the padlock symbol in the address bar but with a different icon. In the specific case the credentials were sent to a PHP script on a compromised server.

“The fake login page is hosted on Dropbox’s user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing,” states the report.

The case is not new, late in August I have already written about the abuse of Dropbox service for phishing activity. In July, experts at Micro analyzed a targeted attack against a Taiwanese government entity which used a variant of the PlugX RAT that abuses the Dropbox service.

Symantec has already reported the phishing activity to Dropbox that immediately took page the account used by the bad actors down.

Pierluigi Paganini

(Security Affairs – Dropbox, Phishing)