Sep 19 14

Home Depot confirms data theft for 56 million cards

by Pierluigi Paganini

Home Depot has announced that data for 56 million payment cards was stolen by cyber criminals.

Home Depot, the largest home improvement retailer in the US, confirms that the breach affected 56 million customers.

On Thursday Home Depot released an update on the progress of its investigation into the data breach.

The Home Depot data breach is larger than the incident at the retailer Target, which exposed 40 million cards, and the investigation places it second only to TJX Cos.’s theft of 90 million records.


The company confirmed that malware infected its point-of-sale (POS) network between April and September 2014.

“The hacker’s method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.” states Home Depot.

As reported in the update, the company’s ongoing investigation has determined the following:

  • Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners.
  • The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.
  • The malware is believed to have been present between April and September 2014.

The statement issued by Home Depot reports the findings of an investigation conducted by the US Secret Service, Symantec and the company’s internal security staff.

The threat actor used “custom-built malware” to evade detection, and the data of 56 million unique payment cards is at risk of exposure. The experts involved in the investigation have not released further details of the attack, and it is still unclear how the threat actors gained access to the Home Depot network.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges. From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so,” said Frank Blake, chairman and CEO.

To improve the security of its payment processes, Home Depot announced that its new payment protection is based on strong encryption of credit card data, and revealed that it has chosen encryption technology provided by the firm Voltage Security.

The Voltage solution was deployed in all US stores last week and will be extended to stores in Canada by early 2015. Home Depot is also rolling out more than 85,000 new PIN pads to its stores, which will be used to unlock the payment details on the card.

Home Depot confirmed its sales-growth estimates for the fiscal year, even though the company’s fiscal 2014 outlook now includes estimates for the cost of investigating the incident and related activities (e.g. providing credit monitoring services to customers and increasing call center staffing).

The company admitted that it cannot yet estimate its liabilities to the payment card networks for reimbursement of credit card fraud and card re-issuance. Costs associated with the incident so far have reached approximately $62 million.

Pierluigi Paganini

(Security Affairs – Home Depot, data breach)

Sep 19 14

Schneider ClearSCADA platform affected by different security flaws

by Pierluigi Paganini

ICS-CERT has issued a security advisory for vulnerabilities in several versions of Schneider Electric StruxureWare SCADA Expert ClearSCADA.

According to a recent ICS-CERT advisory (ICSA-14-259-01), several versions of Schneider Electric’s StruxureWare SCADA Expert ClearSCADA are affected by multiple vulnerabilities.

The independent researcher Aditya Sood discovered a weak hashing algorithm and a CSRF vulnerability in Schneider Electric’s StruxureWare SCADA Expert ClearSCADA.

Schneider Electric has itself identified another flaw affecting the same StruxureWare SCADA Expert ClearSCADA product line and is already developing a security patch to fix the problems.

According to the experts, Schneider Electric’s SCADA products are affected by several remotely exploitable vulnerabilities that are still unpatched. In one case a flaw could be exploited to shut down the SCADA server, while another vulnerability is an authentication bypass that could give an attacker access to affected systems and the sensitive data they manage.


StruxureWare SCADA Expert ClearSCADA product line offers integrated, scalable SCADA software optimized for remote management of critical infrastructure systems.

“SCADA Expert ClearSCADA versions released prior to September 2014 may be vulnerable to specific web cross-site [request forgery] attacks. The attacker would have to trick the user with system administration privileges logged in via the WebX client interface to exploit this vulnerability. The attacker could then execute a remote shutdown of the ClearSCADA Server. Social engineering is required to exploit this vulnerability,” reports the advisory from ICS-CERT.

The authentication bypass flaw allows a remote attacker to access sensitive data without logging in as explained in the advisory:

“The guest user account within ClearSCADA installations is provided read access to the ClearSCADA database for the purpose of demonstration for new users. This default security configuration is not sufficiently secure to be adopted for systems placed into a production environment and can potentially expose sensitive system information to users without requiring login credentials,” the advisory says.

Schneider Electric has announced that a patch will be released later this month; until the fixes are available, the company recommends the following mitigations to its customers.

“Schneider Electric advises all ClearSCADA users to take steps to secure the interfaces to the ClearSCADA system. The ClearSCADA database security configuration should be reviewed and updated to limit all system access to authorized users only. The access permissions of existing users should be reduced to only those required by their role (e.g., removing any higher level System Administration privileges from Operations or Engineering users), and specific accounts should be created with appropriate permissions for performing System Administration tasks,” reports the advisory.

A third security issue concerns the default self-signed certificate shipped with the ClearSCADA platform, which uses MD5 as its hashing algorithm.

The security flaws affect the following versions of Schneider’s products:

  • ClearSCADA 2010 R3 (build 72.4560),
  • ClearSCADA 2010 R3.1 (build 72.4644),
  • SCADA Expert ClearSCADA 2013 R1 (build 73.4729),
  • SCADA Expert ClearSCADA 2013 R1.1 (build 73.4832),
  • SCADA Expert ClearSCADA 2013 R1.1a (build 73.4903),
  • SCADA Expert ClearSCADA 2013 R1.2 (build 73.4955),
  • SCADA Expert ClearSCADA 2013 R2 (build 74.5094),
  • SCADA Expert ClearSCADA 2013 R2.1 (build 74.5192), and
  • SCADA Expert ClearSCADA 2014 R1 (build 75.5210).

Security flaws in SCADA systems are considered critical by the security community because SCADA components are often deployed in critical infrastructure. Governments are alarmed by the potential for cyber attacks against critical infrastructure, since such attacks could put the population at risk; for this reason it is crucial to fix any flaw as soon as possible and to assess the overall security of these systems.

Pierluigi Paganini

(Security Affairs – SCADA, Critical Infrastructure)

Sep 18 14

Adobe issued critical security updates for Acrobat and Reader PDF

by Pierluigi Paganini

Adobe, a week behind its scheduled roadmap, has released security updates to fix critical vulnerabilities in Acrobat and Reader.

Adobe has finally released critical security updates for its Reader and Acrobat PDF software. The vulnerabilities fixed by these updates have been targeted by hackers in numerous cyber attacks worldwide.

The security updates for Adobe Reader and Acrobat are available for Windows and Macintosh computers and fix eight vulnerabilities.


“Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system.” states the Adobe Security Bulletin.

The updates were originally scheduled for release a week ago, but were delayed due to issues that emerged during the development phase.

Five of the eight flaws could be exploited by attackers for remote code execution; the other three vulnerabilities are:

  • a sandbox bypass vulnerability that could be exploited by an attacker to escalate privileges on Windows machines.
  • a denial-of-service (DoS) vulnerability related to memory corruption.
  • a cross-site scripting (XSS) flaw that affects only Mac OS.

The vulnerabilities are identified by the following CVE Numbers:

CVE-2014-0560, CVE-2014-0561, CVE-2014-0562, CVE-2014-0563, CVE-2014-0565, CVE-2014-0566, CVE-2014-0567, CVE-2014-0568

The Adobe product versions affected by the vulnerabilities are:
  • Adobe Reader XI (11.0.08) and earlier 11.x versions for Windows
  • Adobe Reader XI (11.0.07) and earlier 11.x versions for Macintosh
  • Adobe Reader X (10.1.11) and earlier 10.x versions for Windows
  • Adobe Reader X (10.1.10) and earlier 10.x versions for Macintosh
  • Adobe Acrobat XI (11.0.08) and earlier 11.x versions for Windows
  • Adobe Acrobat XI (11.0.07) and earlier 11.x versions for Macintosh
  • Adobe Acrobat X (10.1.11) and earlier 10.x versions for Windows
  • Adobe Acrobat X (10.1.10) and earlier 10.x versions for Macintosh

Once the software is updated, the system must be restarted. Adobe has also issued a critical update for Adobe Flash (Windows and Macintosh), the Flash browser plugins and Adobe AIR Desktop to fix other critical flaws.

The new versions can be downloaded by using the following links:

Don’t waste time, update your Adobe products.


Pierluigi Paganini

(Security Affairs – Adobe products,security updates, Patch Management)

Sep 18 14

Chinese hackers hit several US contractors

by Pierluigi Paganini

A report issued by the Senate Armed Services Committee reveals that alleged Chinese hackers conducted dozens of cyber attacks on US defense contractors.

A study conducted by the Senate Armed Services Committee found that hackers gained access to systems run by US defense contractors working for the US Transportation Command (TRANSCOM).

The Senate study, released on Wednesday, was based on interviews with 11 contractors, but it did not reveal the names of the companies involved. The document counts at least 50 intrusions in the one-year period ending May 30, 2013.

“Of those 50, at least 20 were successful intrusions into contractor networks attributed to an ‘advanced persistent threat’ (APT), a term used to distinguish sophisticated cyber threats that are frequently associated with foreign governments,” states the report.

The report reveals that nearly 40 percent of the attacks were successful intrusions; committee chairman Senator Carl Levin speculated that all of these offensives are linked to the activity of Chinese APTs. The circumstances are alarming for several reasons: first, the nature of the information potentially breached, and second, the lack of coordination between US defense contractors and US agencies such as the FBI.

“The security of our military operations is what is at stake,” Levin told reporters, commenting on the declassified version of the report.

According to the report, the intelligence agencies left TRANSCOM in the dark about the intrusions: of the 20 data breaches suffered by TRANSCOM, the command was made aware of just two.

“Information about these threats isn’t getting where it needs to go,” Levin said.

The investigators analyzed the Civil Reserve Air Fleet, a program managed by the US Government through which commercial companies help TRANSCOM move troops and equipment around the world. They found that nearly 90 percent of US military personnel are transported on private airlines, which means that a data breach at a company working for TRANSCOM could seriously affect the Command’s operations.


Senator James Inhofe, the committee’s top Republican, warned that the incursions may disrupt the Command’s mission readiness by compromising the contractors, particularly during national emergencies.

The committee is concerned about the possible persistence of threat actors inside contractors’ systems, which could allow hackers to access sensitive information about US Government activities over a long period.

According to the study, in one specific case the data breaches occurred between 2008 and 2010, when a “Chinese military intrusion” into a TRANSCOM contractor compromised emails, sensitive documents, computer code and passwords. Another major intrusion occurred in 2012, when hackers obtained information from several systems on board a commercial ship contracted by TRANSCOM.

The report closes with recommendations for the 2015 defense spending bill, urging further efforts to secure Government networks and to improve information sharing about cyber attacks on defense contractors.

Pierluigi Paganini

(Security Affairs – Chinese Hackers, Cyber espionage)

Sep 18 14

Surveillance – How to secretly track cellphone users position around the globe

by Pierluigi Paganini

Using the surveillance systems available on the market, it is easy and quick to track a cellphone, and thus the movements of a target, anywhere on the globe.

We recently discussed WikiLeaks’ decision to publish copies of the controversial FinFisher surveillance software, highlighting the dangers of the militarization of cyberspace and in particular of the use of spyware to track users.

The principal vendors of surveillance platforms defend their business by declaring that their solutions are only for law enforcement and intelligence agencies. Unfortunately the reality is quite different, because many threat actors worldwide use surveillance malware to track individuals for a variety of reasons.

The Washington Post published an interesting article a few weeks ago on surveillance technology that can be used to track individuals anywhere in the world by locating their mobile devices.

The post explains that surveillance vendors using the SS7 protocol (Signaling System Number 7) are able to geo-locate users with great precision.

“The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data,” reports the Washington Post.

SS7, or Signaling System Number 7, is a protocol suite used by telecommunications operators to communicate with one another when directing calls, texts and Internet data. SS7 allows cell phone carriers to collect location data about a user’s device from cell towers and share it with other carriers, which means that by exploiting SS7 a carrier can discover the position of a subscriber wherever he is.

“The system was built decades ago, when only a few large carriers controlled the bulk of global phone traffic. Now thousands of companies use SS7 to provide services to billions of phones and other mobile devices, security experts say,” explains the post.

“All of these companies have access to the network and can send queries to other companies on the SS7 system, making the entire network more vulnerable to exploitation. Any one of these companies could share its access with others, including makers of surveillance systems,” continues the Washington Post.

Another family of devices sold by surveillance companies is the IMSI catcher, also known by one popular trade name, StingRay. An IMSI (International Mobile Subscriber Identity) catcher is a telephony eavesdropping device commonly used to intercept mobile phone traffic and track the movements of mobile phone users. Essentially, it operates as a bogus cell tower between the target mobile phone and the service provider’s real towers. The IMSI catcher runs a Man In the Middle (MITM) attack that victims cannot detect with commercial products.

Trackers based on SS7 exploitation are typically used together with IMSI catchers: the SS7 tracker locates the victim, so that the IMSI catcher can then be deployed effectively.

StingRays are common surveillance devices that are able to intercept calls and Internet traffic, send fake texts, install malware on a phone and, of course, find the precise location of the victim.

“What’s interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What’s interesting about this story is that anyone can do it,” said the popular expert Bruce Schneier.

Privacy advocates are seriously concerned about possible misuse of such technology; foreign state-sponsored hackers and cyber criminals could use it for illegal activities. Remember that it is illegal in many countries to track individuals without a court order, but there is no clear international legal framework that punishes those who secretly track people in other countries.

The FCC recently created an internal task force to study the misuse of IMSI catchers by the cybercrime ecosystem and by foreign intelligence agencies, after it emerged that this technology could be used to spy on American citizens, businesses and diplomats.


Don’t forget that, to track us, a government just needs to type our phone number into a computer portal, which then collects data about our location (to within a few blocks in an urban area or a few miles in a rural one) from databases maintained by cellular carriers.

The Washington Post made explicit reference to a 24-page marketing brochure for the cellular tracking system sold by Verint, codenamed SkyLock. The document, dated January 2013 and labeled “Commercially Confidential,” reveals that the system offers government agencies “a cost-effective, new approach to obtaining global location information concerning known targets.”

The brochure includes screen shots of maps depicting location tracking in what appears to be Mexico, Nigeria, South Africa, Brazil, Congo, the United Arab Emirates, Zimbabwe and several other countries. Verint says on its Web site that it is “a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance,” with clients in “more than 10,000 organizations in over 180 countries.”

As Eric King, deputy director of Privacy International, said:

“Any tin-pot dictator with enough money to buy the system could spy on people anywhere in the world. This is a huge problem.”

Pierluigi Paganini

(Security Affairs – Surveillance, privacy)

Sep 17 14

Android Same Origin Policy flaw affects more than 70% devices

by Pierluigi Paganini

A serious vulnerability has been discovered in the default browser on a large number of Android devices that allows an attacker to bypass the Same Origin Policy.

A critical flaw has been discovered in the web browser installed by default on the majority of Android mobile devices; it is estimated that nearly 70 percent of them are affected by the vulnerability, which could be exploited by an attacker to hijack users’ open websites. A further element of concern is the availability of a Metasploit module that makes the vulnerability easy to exploit.

“The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="'\u0000javascript: sequence,” states the description of the CVE-2014-6041 vulnerability.

The latest release, Android 4.4, is not affected by the flaw, but the new version of the popular mobile OS is installed on only 25 percent of devices.

The vulnerability CVE-2014-6041 affects Android 4.2.1 and all older versions; it was first discovered in early September by the independent security researcher Rafay Baloch. Baloch found that the AOSP browser shipped with Android 4.2.1 is vulnerable to a Same Origin Policy (SOP) bypass that allows one website to steal data from another.

“Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers, the basic idea behind the SOP is the JavaScript from one origin should not be able to access the properties of a website on another origin. A SOP bypass occurs when a is somehow able to access the properties of such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have a very strict model pertaining to it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability I found in my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony Xperia Tipo, Samsung Galaxy, HTC Wildfire, Motorola etc. are also affected. To the best of my knowledge, the issue occurred due to improper handling of null bytes by the URL parser,” said Baloch in a blog post.

Baloch confirmed that the Same Origin Policy (SOP) bypass works on a large number of devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr.


Due to the huge impact of the flaw, the Android vulnerability has been dubbed a “privacy disaster” by Tod Beardsley, one of the developers on the Metasploit team. Beardsley said he will post a PoC video to demonstrate that the flaw is “sufficiently shocking.”

“By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP), Browser fails to enforce the Same-Origin Policy (SOP) browser security control,” Tod Beardsley of Rapid7 wrote in a blog post.

“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.

This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.”
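To show the class of defect behind the bug described above, here is an added example (not code from the article, from Baloch or from the AOSP browser) in which a URL handler's scheme check is written in a naive form that a leading null byte slips past, next to a hardened form that normalises the input before classifying it; the sample URLs are constructed.

```javascript
// Naive check: a raw prefix comparison. "\u0000javascript:..." does not start
// with "javascript:", so the link is classified as harmless and any
// script-specific handling (origin checks for the executing code) is skipped.
// This models the "improper handling of null bytes by the URL parser" that
// Baloch reported; it is not the AOSP code itself.
function naiveIsScriptUrl(url) {
  return url.toLowerCase().startsWith("javascript:");
}

// Normalisation a URL parser must perform before looking at the scheme:
// strip leading/trailing C0 controls (U+0000..U+001F) and spaces, then drop
// embedded tab, LF and CR characters.
function normalizeUrl(url) {
  return url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Scheme extraction on the normalised string; returns a lower-case scheme
// name, or null when the string has no scheme (a relative URL).
function extractScheme(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeUrl(url));
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: decide on the normalised scheme, not on the raw bytes.
function hardenedIsScriptUrl(url) {
  return extractScheme(url) === "javascript";
}

// Defensive sanitiser for an href or window.open() target taken from
// untrusted content: no legitimate URL carries U+0000, so its presence is
// itself a rejection criterion, independent of what the scheme parses to.
function sanitizeUrl(url) {
  if (url.includes("\u0000") || hardenedIsScriptUrl(url)) {
    return "about:blank";
  }
  return url;
}

// Constructed samples, including the pattern quoted in CVE-2014-6041.
const SAMPLES = [
  "https://mail.example.com/inbox",
  "javascript:alert(1)",
  "\u0000javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
];

// One row per sample so the two checks can be compared side by side.
function compareChecks() {
  return SAMPLES.map((url) => ({
    url: JSON.stringify(url),
    naive: naiveIsScriptUrl(url),
    hardened: hardenedIsScriptUrl(url),
  }));
}

console.table(compareChecks());
```

The table shows the naive check passing the null-prefixed and tab-split variants that the hardened check still recognises as script URLs.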

Baloch reported the security issue to the Google security team, but when it came to a reward for the bug the company replied that it was not able to reproduce the vulnerability.

“We are unable to reproduce this issue though. It’s possible that your OEM has modified the browser in a manner that has created this issue,” said Josh Armour of Android Security team.

“Android does not currently have a Vulnerability Rewards Program. As far as publicly crediting for the vulnerability we have started to maintain a list of acknowledgements here. Given that this was published before we had a chance to provide patches, this specific report would not qualify.”

Unfortunately the browser affected by the Same Origin Policy vulnerability cannot be uninstalled by users; while waiting for a fix, Android users should disable the browser from the menu item Settings > Apps > All.

Pierluigi Paganini

(Security Affairs – Same Origin Policy, Android)

Sep 17 14

WikiLeaks publicly disclosed copies of FinFisher surveillance software

by Pierluigi Paganini

WikiLeaks has published copies of the controversial FinFisher surveillance software, claiming that the malware is sold to some of the most “abusive” regimes in the world.

Copies of the surveillance software “FinFisher” were made available for public scrutiny by WikiLeaks early this week. The international online journalistic organization decided to publish the controversial software to allow members of the security community to conduct a technical review of the spyware.

The malware is intended for law enforcement and government use, but it seems to be preferred by regimes that wish to monitor representatives of the opposition. FinFisher is considered a powerful cyber espionage tool, developed by Gamma Group, that is able to secretly spy on a victim’s computer, intercepting communications, recording every keystroke and taking complete control of the machine.


WikiLeaks published the material online last Monday with the explicit intent of neutralizing the menace represented by FinFisher and any other surveillance software.

“Today, 15 September 2014, WikiLeaks releases previously unseen copies of weaponised German surveillance malware used by intelligence agencies around the world to spy on journalists, political dissidents and others.

FinFisher (formerly part of the UK based Gamma Group International until late 2013) is a German company that produces and sells computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows and Linux computers as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices. FinFisher first came to public attention in December 2011 when WikiLeaks published documents detailing their products and business in the first SpyFiles release.”

WikiLeaks co-founder Julian Assange criticized the German Government, accusing it of protecting FinFisher while expressing concern about the surveillance activities conducted by foreign governments, including the US.

“FinFisher continues to operate brazenly from Germany selling weaponised surveillance malware to some of the most abusive regimes in the world. The Merkel government pretends to be concerned about privacy, but its actions speak otherwise. Why does the Merkel government continue to protect FinFisher? This full data release will help the technical community build tools to protect people from FinFisher including by tracking down its command and control centers,” said Assange.

WikiLeaks has published the FinFisher Relay and FinSpy Proxy components of the FinFisher architecture. These modules are used to collect the data siphoned from victim machines and send it back to the command and control servers. A network of C&C servers deployed worldwide is used by FinFisher, as by other similar software, to anonymize the traffic and hide the identity of the operators.

I also suggest reading the report published by Citizen Lab, which revealed the capability of FinFisher to infect almost every mobile device.

WikiLeaks has also published other material related to FinFisher, including files related to the recent FinFisher. The leaked documents include brochures and a database of the customer support website.

“In order to make the data more easily accessible and consumable, all the new brochures, videos and manuals are now available organized under the related FinFisher product name. The database is represented in full, from which WikiLeaks compiled a list of customers, their eventual attribution, all the associated support tickets and acquired licenses, along with the estimated costs calculated from FinFisher’s price list. WikiLeaks conservatively estimates FinFisher’s revenue from these sales to amount to around €50,000,000. Within the full list of customers, it’s worth noticing that among the largest is Mongolia, which has been recently selected as new Chair of the Freedom Online Coalition.” reports the official announcement issued by Wikileaks.

The expert community is divided over WikiLeaks’ decision to publish copies of FinFisher. Some experts disagree with Assange and argue that the choice could paradoxically increase the uncontrolled spread of the malware, because bad actors may be able to use it for illegal activities.

Pierluigi Paganini

(Security Affairs – FinFisher, Wikileaks )

Sep 16 14

A critical flaw in Twitter allows to delete payment cards from any account

by Pierluigi Paganini

An Egyptian security researcher has discovered a critical flaw in the Twitter platform that allowed an attacker to delete credit cards from any Twitter account.

The Egyptian security researcher Ahmed Mohamed Hassan Aboul-Ela discovered a critical vulnerability in Twitter’s advertising service that allowed an attacker to delete credit cards from any Twitter account. Aboul-Ela is a well-known bug hunter who has already received many rewards for discovering flaws in the software of IT giants such as Google, Microsoft and Apple.

In early September Twitter launched a bug bounty program, paying monetary rewards to security experts who find and report vulnerabilities in its software.

“We’re introducing a bug bounty program to thank researchers for responsibly-disclosed issues,” Twitter said through its Twitter account.
As explained in Aboul-Ela’s blog post, the researcher discovered two distinct vulnerabilities with the “same effect and impact.”

“I’ve successfully found a CSRF vulnerability that can add many followers in a single request and bypass the CSRF token protection, but unfortunately it was a duplicate issue. I started looking again for some more critical bugs and I successfully found a serious logical vulnerability [insecure direct object reference] in that allowed me to delete credit cards from any Twitter account. The impact of the vulnerability was very critical and high because all what’s needed to delete a credit card is to have the credit card identifier which consists only of 6 numbers such as “220152”,” states the post.

The first vulnerability affects the “Delete” function for credit cards on the payment methods page, [account id]/payment_methods

When a Twitter user tries to delete a card, the function sends an AJAX POST request to the server with the following parameters:

  • Account: the Twitter account id
  • ID: the credit card id, which is numerical without any alphabetic characters

By manipulating both parameters the researcher found that it was easy to delete the payment cards of any Twitter account; he highlighted that, although the response was “403 Forbidden,” the payment card was deleted anyway.

“All I had to do is to change those two parameters to my other twitter account id and credit card id, then reply again the request and I suddenly found that the credit card had been deleted from the other twitter account without any required interaction,” Aboul-Ela wrote.

Aboul-Ela also discovered a second, similar vulnerability, which affected the, and whose impact was higher than the first. When he tried to add an invalid credit card to his Twitter account, the system returned the following message:

“We were unable to approve the card you entered”

Twitter then displays a “Dismiss” button; clicking it makes the credit card disappear from the account.

“I thought it have the same effect of deleting, so I tried to add invalid credit card again and intercepted the request,” he said.

Note that, unlike the first flaw, the researcher only had to modify the credit card id in the URL and the request body to the id of a card belonging to another Twitter account, and then replay the request.

This means that it was possible to delete the payment card with that specific ID from the other Twitter account, with no account parameter involved at all.
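Both flaws come down to the same defect: the server trusted a client-supplied identifier instead of binding the operation to the authenticated owner. The following Python module is an added illustration, not Twitter’s code, of the two vulnerable patterns the post describes (an account check that runs only after the row has been deleted, so the client sees 403 while the card is already gone, and a “dismiss” path with no ownership check at all) next to a hardened handler. The account IDs, card IDs, in-memory store and status codes are constructed for the example.

```python
"""Added illustration, not Twitter's code: an object-level authorization check
performed after the delete (vulnerable) versus before it and bound to the
session (fixed). Account ids, card ids and the store are constructed."""
from dataclasses import dataclass, field


@dataclass
class Card:
    card_id: str        # 6-digit identifier, the only "secret" in the flawed design
    owner_account: str  # account that registered the card


@dataclass
class Store:
    cards: dict = field(default_factory=dict)  # card_id -> Card

    @classmethod
    def seeded(cls):
        s = cls()
        s.cards = {
            "220152": Card("220152", "acct_alice"),
            "220153": Card("220153", "acct_bob"),
        }
        return s


def delete_card_vulnerable(store, session_account, account_param, card_id):
    """Hypothetical handler mirroring the first flaw: the row is removed by
    card_id alone and the account check runs only afterwards, so the client
    receives 403 even though the card is already gone."""
    card = store.cards.pop(card_id, None)
    if card is None:
        return 404
    if account_param != session_account:
        return 403
    return 200


def dismiss_card_vulnerable(store, card_id):
    """Hypothetical handler mirroring the second flaw: no ownership check at
    all, so any caller who knows a card_id can remove it."""
    return 200 if store.cards.pop(card_id, None) else 404


def delete_card_fixed(store, session_account, account_param, card_id):
    """Hardened handler: ownership is derived from the authenticated session,
    the check happens before any mutation, and a card belonging to someone
    else is indistinguishable from a missing one."""
    if account_param != session_account:
        return 403
    card = store.cards.get(card_id)
    if card is None or card.owner_account != session_account:
        return 404
    del store.cards[card_id]
    return 200


def demo():
    """Alice (authenticated as acct_alice) submits Bob's ids in each variant."""
    out = {}
    s = Store.seeded()
    out["vuln_status"] = delete_card_vulnerable(s, "acct_alice", "acct_bob", "220153")
    out["vuln_card_survives"] = "220153" in s.cards

    s = Store.seeded()
    out["dismiss_status"] = dismiss_card_vulnerable(s, "220153")
    out["dismiss_card_survives"] = "220153" in s.cards

    s = Store.seeded()
    out["fixed_status"] = delete_card_fixed(s, "acct_alice", "acct_bob", "220153")
    out["fixed_card_survives"] = "220153" in s.cards
    # the legitimate owner can still delete through the fixed handler
    out["owner_status"] = delete_card_fixed(s, "acct_bob", "acct_bob", "220153")
    out["owner_card_survives"] = "220153" in s.cards
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the order of operations and the source of truth: authorization must be evaluated against the session before the store is touched, and the lookup must be scoped to the caller so that a guessable six-digit identifier alone is never enough.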

Below is the video proof of concept sent by Aboul-Ela.

Pierluigi Paganini

(Security Affairs – Twitter security flaw, hacking)

Sep 16 14

Citadel Trojan targets energy industry in Middle East

by Pierluigi Paganini
citadel trojan admin panel

Experts at the security firm IBM Trusteer have discovered that a massively distributed Citadel trojan is targeting Middle Eastern petrochemical companies.

Researchers at IBM Trusteer have recently discovered targeted cyber attacks using a variant of the popular Citadel trojan against several Middle Eastern petrochemical companies. The Citadel trojan is malware designed to steal personal information, including banking and financial data, from infected machines. It was first discovered in 2012 and is based on the source code of the Zeus banking trojan. Security experts have discovered numerous Citadel botnets over the years, used to run large-scale scams.

The experts consider this the first time the Citadel trojan has been used against nonfinancial entities in a targeted attack for corporate espionage.

“The targets of this attack include one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials. IBM has worked with the appropriate channels to responsibly disclose this information to the targeted companies.” reports a blog post published by SecurityIntelligence.

The online availability of the Zeus source code has made possible significant improvements to the Citadel malware, whose functionality has been extended by several malware authors. The latest versions include sophisticated remote management and data-stealing capabilities. In this specific case, the threat actors configured Citadel bots to spy on users’ activity on certain URLs (e.g. “,”), such as the webmail of the targeted companies, and to grab all the data submitted in the form. The information collected through form grabbing is sent to a C&C server managed by the cyber criminals, who can then log in on behalf of the victim, access corporate emails and manage the account.

“Once Citadel is installed on a machine, it fetches a configuration file from one of its command-and-control servers. The configuration file instructs Citadel on which websites and applications to target, which information to steal and how to steal it. According to an analysis of the configuration file used in this attack, the Citadel malware was instructed to look for user access to certain URL addresses of Internet-connected systems, such as webmail, of the targeted companies. Once the browser accesses such a URL, the malware is instructed to grab all the information submitted by the user. This is known as form grabbing, or “HTTP POST” grabbing. When the user submits information into the system, the Web browser generates an HTTP POST request that sends the data entered to the site. The malware then intercepts the POST data before it is encrypted and sent to the server.” continues the post.

Citadel trojan on energy company


The functions available with Citadel Trojan and other malware families include:

  • Keylogging: Recording the user keystrokes and sending them to the attacker.
  • Screenshot capturing: Recording the browser session, including all the information that is displayed to the user.
  • Video capturing: Recording a video stream of a browser session, including all the information that is displayed to the user.
  • Form grabbing (HTTP POST grabbing): A method used to acquire user input from a Web data form before it is sent to the server. HTTP POST grabbing has multiple advantages compared to other information-stealing methods such as keylogging and screenshot capturing. Capturing the data in the form just before it is sent to the server enables the attacker to capture the real, complete data the user entered, even if the user entered it using a virtual keyboard or copied and pasted it into the browser.
  • HTML injection: A method used to inject HTML content into a legitimate Web page in order to modify it and steal information from the user. It is often used to display fake security warnings and customized text requesting additional information during login, account navigation and financial transactions.
  • Remote execution of command line instructions: Enables the operator to collect data and change settings on one or more remote computers.
  • Remote control of the infected machine: Allows complete control over the PC and full access to the corporate network. It is typically done via a graphical, desktop-sharing system that is used to remotely control another computer, such as virtual network computing tools.
  • Advanced evasion techniques: Designed to evade antivirus and other traditional security controls.
  • Anti-research techniques: A variety of sophisticated features designed to thwart malware researchers from analyzing the malware and understanding its internal operations or attack methods.
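Because the grab happens inside the browser before TLS, the captured form data never looks different on the wire from a normal login; what does stand out is the second leg, the bot shipping the stolen POST to its C&C. The following Python script is an added example, not IBM Trusteer’s code or detection content, of a simple proxy-log correlation a SOC could start from: it flags a POST to an unknown external host that follows, within a short window, a POST to a monitored corporate webmail host from the same client. The log format, hostnames, paths, IP addresses and the 30-second window are constructed assumptions.

```python
"""Added example (not IBM Trusteer's code): correlate proxy log entries to spot
a POST to an unknown external host shortly after a POST to corporate webmail
from the same client. Log format, hosts and the time window are constructed."""
from datetime import datetime, timedelta

# Constructed proxy log, one event per line: "ISO-time client method host path bytes"
SAMPLE_LOG = """\
2014-09-10T08:01:02 10.0.0.5 GET  webmail.example.corp /owa/ 512
2014-09-10T08:01:09 10.0.0.5 POST webmail.example.corp /owa/auth.owa 388
2014-09-10T08:01:11 10.0.0.5 POST 198.51.100.23 /collect 402
2014-09-10T08:05:00 10.0.0.7 POST webmail.example.corp /owa/auth.owa 390
2014-09-10T08:05:03 10.0.0.7 GET  cdn.example-vendor.com /app.js 9000
2014-09-10T09:30:00 10.0.0.9 POST 198.51.100.23 /collect 120
"""

MONITORED_HOSTS = {"webmail.example.corp"}   # hosts whose form data is worth stealing
KNOWN_EXTERNAL = {"cdn.example-vendor.com"}  # allowlisted external POST destinations
WINDOW = timedelta(seconds=30)               # assumed exfiltration delay to tolerate


def parse(line):
    """Parse one constructed log line into a dict."""
    ts, client, method, host, path, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": host,
        "path": path,
        "bytes": int(nbytes),
    }


def find_suspicious_posts(log_text):
    """Return (client, host, path, seconds_after_webmail_post) for each POST to a
    non-allowlisted external host that follows a monitored-host POST within WINDOW."""
    events = sorted(
        (parse(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    last_monitored_post = {}  # client -> time of its latest POST to a monitored host
    alerts = []
    for e in events:
        if e["method"] != "POST":
            continue
        if e["host"] in MONITORED_HOSTS:
            last_monitored_post[e["client"]] = e["ts"]
            continue
        if e["host"] in KNOWN_EXTERNAL:
            continue
        t0 = last_monitored_post.get(e["client"])
        if t0 is not None and e["ts"] - t0 <= WINDOW:
            delay = int((e["ts"] - t0).total_seconds())
            alerts.append((e["client"], e["host"], e["path"], delay))
    return alerts


if __name__ == "__main__":
    for client, host, path, delay in find_suspicious_posts(SAMPLE_LOG):
        print(f"{client} posted to {host}{path} {delay}s after a webmail POST")
```

On the constructed log only 10.0.0.5 is flagged; the lone POST from 10.0.0.9 to the same external host is not, which shows the limit of a pure timing heuristic: a bot that delays exfiltration beyond the window slips through, so in practice this rule is paired with a baseline of which external hosts each client normally POSTs to.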

The above features make this category of malicious code very effective for targeted attacks, and in the past many APT groups have already exploited this kind of source code.

APTs usually compromise their targets with similar malware delivered through phishing campaigns, drive-by download attacks, watering hole attacks and social engineering schemes, as confirmed by the experts at Trusteer.

“IBM Trusteer research found that an average of 1 in 500 machines worldwide is infected with massively distributed APT malware at any point in time. IBM Trusteer’s Service team reports that they have discovered such malware in practically every customer environment in which they’ve worked.”

Let’s close the post with an interesting pair of graphs from the IBM Trusteer research team, which show the geographic distribution of APT malware infection rates:

APT-malware-by-country included Citadel trojan


Pierluigi Paganini

(Security Affairs – Citadel trojan, APT )

Sep 16 14

New BoSSaBoTv2 botnet targeting vulnerable Servers

by Pierluigi Paganini
BoSSaBoTv2 malware botnet

Trustwave has detected a new series of attacks on servers worldwide based on the exploitation of an old PHP-CGI vulnerability to spread the BoSSaBoTv2 botnet.

It was 2012 when security experts discovered a security flaw (CVE-2012-1823) in some PHP builds that could be exploited by a threat actor to remotely execute commands on the affected server if PHP was configured to run as a CGI script (PHP-CGI).

Security experts have recently discovered that the old PHP-CGI vulnerability is now being exploited on a large scale to recruit machines for a botnet whose primary purpose is to mine Bitcoin. The researchers detected widespread reconnaissance activity: attackers were scanning for the above flaw in an automated fashion, and the operations were linked to various attacks over the years.

BoSSaBoTv2 malware IDS alert

Trustwave, analyzing the traffic related to the spike in scanning activity detected in August, noticed an uptick in attacks targeting the PHP-CGI vulnerability to deploy the BoSSaBoTv2 bot. In the same period, a researcher discovered an online ad offering the source code of BoSSaBoTv2, and just a few weeks later the malware resurfaced on the Internet.

Once the machine is infected, the BoSSaBoTv2 malware allows a remote attacker to control the server through a shell or IRC. As explained in the blog post, it could be used for Bitcoin mining as well as for DDoS attacks.

“Notice some of these features including bundling a Bitcoin Miner program.  This is interesting as this shows another aspect how an attacker is looking to abuse their access to a compromised web server.  They can siphon off local system resources such as CPU and RAM in attempts to create Bitcoins.  Here are some of the commands for downloading and running the Bitcoin miner -” reports the post from Trustwave about the mining feature implemented in the BoSSaBoTv2 malware.

Below are the statements used by the experts to introduce their discovery:

“Our web honeypots picked up some interesting attack traffic.  The initial web application attack vector (PHP-CGI vulnerability) is not new, the malware payload is.  We wanted to get this information out to the community quickly due to the following combined threat elements -

  • Active exploit attempts to upload/install the malware
  • The overall low detection rates among AV vendors
  • The malware is actively being sold in underground forums”

The worrying aspect of the attacks based on newer versions of the BoSSaBoTv2 malware is the low detection rate for the binaries used in the recent attacks:

[File name 1] 5453043042be4ad21259bcb9b17e9bd3.exe

[File name 2] 097d995b242e387f4bdbfd2b9c9e5dfd9a33acc2_w00ted

The experts highlighted that the malicious code was written in C, which is rare for botnet development.

Once the attackers discover a vulnerable server, they try to install both the 64-bit and the 32-bit version of the BoSSaBoTv2 malware. According to the experts, the bad actors mainly targeted businesses that rent or share their servers, because enterprise systems have the greatest computational capabilities and the fastest network links.

How much does BoSSaBoTv2 cost?

A lifetime-updates license for the BoSSaBoTv2 malware costs $125, while the basic package is offered at $25 with upgrades paid as extras.

BoSSaBoTv2 ad

Administrators could use as an indicator of compromise the presence of strings containing POST variables that are Base64 encoded:

“Pay close attention to the HTTP Response Status Codes. Anything other than a 404 – Not Found could indicate trouble.” states the post from Trustwave.

Another element to consider is that the following directories are being targeted during the automated scans described in this post:

  • /cgi-bin/php
  • /cgi-bin/php4
  • /cgi-bin/php5
  • /cgi-bin/php.cgi
  • /cgi-bin/php-cgi
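The two indicators above (Base64-encoded POST variables, and any response other than 404 for the probed paths) translate directly into a log check. The following Python script is an added example, not Trustwave’s code, that scans web server access logs for the five paths listed, escalates when the server answered anything but 404, and flags POST variables whose value decodes cleanly as Base64. The sample log lines are constructed, the trailing quoted request-body field is an assumption (stock combined-format logs carry no body, so the body would normally come from a WAF or a module such as mod_security), and the Base64 sample decodes to a harmless placeholder string.

```python
"""Added example (not Trustwave's code): flag PHP-CGI probe paths, non-404
responses to them, and Base64-looking POST variables in access logs.
Log lines and the extra request-body field are constructed for this example."""
import base64
import binascii
import re

# The five paths the post reports being targeted by the automated scans.
WATCHED_PATHS = {
    "/cgi-bin/php", "/cgi-bin/php4", "/cgi-bin/php5",
    "/cgi-bin/php.cgi", "/cgi-bin/php-cgi",
}

# Combined log format plus one extra quoted field holding the POST body (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)

# A value made only of Base64 alphabet characters, 16+ long, optional padding.
B64_VALUE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

# Constructed sample body: the Base64 decodes to a placeholder, not a real command.
SAMPLE_BODY = "cmd=" + base64.b64encode(b"constructed sample payload, not a real command").decode()
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Sep/2014:03:14:07 +0000] "POST /cgi-bin/php HTTP/1.1" 404 169 "-" "Mozilla/4.0" "-"',
    f'203.0.113.9 - - [10/Sep/2014:03:14:08 +0000] "POST /cgi-bin/php5 HTTP/1.1" 200 2210 "-" "Mozilla/4.0" "{SAMPLE_BODY}"',
    '198.51.100.4 - - [10/Sep/2014:03:20:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "-"',
    '198.51.100.4 - - [10/Sep/2014:03:20:01 +0000] "POST /cgi-bin/php-cgi HTTP/1.1" 403 211 "-" "curl/7.30" "x=hello"',
]


def has_base64_variable(body):
    """True if at least one POST variable value is well-formed Base64."""
    for var in body.split("&"):
        value = var.partition("=")[2]
        if not B64_VALUE.fullmatch(value):
            continue
        try:
            base64.b64decode(value, validate=True)  # rejects bad padding/alphabet
            return True
        except (binascii.Error, ValueError):
            continue
    return False


def classify(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    status = int(m.group("status"))
    reasons = []
    if path in WATCHED_PATHS:
        reasons.append("php-cgi probe path")
        if status != 404:  # the post: anything other than 404 could indicate trouble
            reasons.append(f"non-404 response ({status})")
    if m.group("method") == "POST" and has_base64_variable(m.group("body")):
        reasons.append("base64-encoded POST variable")
    if not reasons:
        return None
    severity = "high" if len(reasons) > 1 or reasons[0].startswith("base64") else "low"
    return {"ip": m.group("ip"), "path": path, "status": status,
            "severity": severity, "reasons": reasons}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['path']} {f['status']}: {', '.join(f['reasons'])}")
```

A probe that draws a 404 is logged at low severity because it shows scanning but no CGI handler; the same path answering 200 or 403 means something is listening there and deserves a look, and a Base64 POST variable is escalated on its own regardless of path, since the post names it as an indicator of compromise in its own right.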

Pierluigi Paganini

(Security Affairs – botnet, BoSSaBoTv2 )