Skip to content
Nov 24 14

How hackers are exploiting vulnerable DVRs to conduct illegal activities

by Pierluigi Paganini
dvr console

Security experts discovered a new malware that targets DVR and other Internet of Things devices recruiting them for different illegal activities.

DVR, abbreviation for Digital Video Recorders systems, from Hikvision firm are affected by vulnerabilities that allow an attacker to hack them remotely.

Digital Video Recorders are systems used to record surveillance footage of office buildings and surrounding areas in digital format on several mass storage devices.

A hacked DVR could by be abused by threat actors to manipulate the images recorded by the device, for example, deleting them from the support, as an entry point in the network that hosts the equipment or to run a DDoS attack.

Hacking a DVR could allow an attacker to target PoS systems located on the same network and any other vulnerable machines. A hacked DVR could be recruited as part of a botnet and be used for various illegal activities, such as running DDoS attacks or Brute-force attacks or to mine Bitcoins.

Security researcher Johannes Ullrich, an instructor at the SANS Technology Institute, first reported that malicious software was infecting the Hikvision DVRs trying to propagate itself to other machines on the network. The malicious code was also able to mine Bitcoins abusing of the computational resources of the digital equipment.

Despite this kind of malware is compiled for bot Windows and Linus OSs, the malicious code discovered by the researcher “was actually complied for the ARM processor that’s running these devices so they kind of knew what they were into.”

Ullrich also discovered other infections related to the same malware that compromised other devices like routers. The fact the the attacker compiled the code for ARM architecture demonstrate the great attention of cybercrime in the exploitation of resources of Internet of Things devices.

DVR surveilance

Security experts at Rapid7 discovered that nearly 150,000 of Hikvision DVRs devices exposed on the Internet could be accessed remotely due to the exploitation of a still unpatched devices.

“This is especially troubling given that a similar vulnerability (CVE-2013-4977) was reported last year, and the product still appears unpatched out of the box today,” reports Rapid7.

A blog post published by Rapid7 firm explains the impact of the vulnerabilities affecting several devices in the wild..

“Rapid7 Labs has found multiple vulnerabilities in Hikvision DVR (Digital Video Recorder) devices such as the DS-7204 and other models in the same product series that allow a remote attacker to gain full control of the device. ” states the post.

“[Hikvision] DS-7204 and other models in the same product series that allow a remote attacker to gain full control of the device. More specifically, three typical buffer overflow vulnerabilities were discovered in Hikvision’s RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post serves as disclosure of the technical details for those vulnerabilities. In addition, a remote code execution through a Metasploit exploit module has been published.”

A Metasploit module is available to hack into unpatched DVRs exploiting the flaws.

Rapid7 attempted to report the flaw to Hikvision several times since September, but the company never replied to the security experts, which decided to publicly disclose the vulnerability.

Pierluigi Paganini

(Security Affairs –  DVR, Internet of Things)

Nov 24 14

Regin – Highly advanced spying tool discovered by Symantec

by Pierluigi Paganini
Symantec backdoor Regin Report

Symantec has uncovered the backdoor Regin, a highly advanced spying tool used in cyber espionage campaigns against governments and infrastructure operators.

Backdoor Regin, is the name assigned by the experts at Symantec to an advanced spying tool that has been used in cyber espionage campaigns against governments, infrastructure operators, private companies, researchers, and private individuals.

Regin appears as an high sophisticated malicious code, experts revealed that it has a degree of technical competence rarely seen, it has some resemblance with other  state-sponsored malware like Flame,Duqu and the popular Stuxnet. Also in this case Regin has a modular structure that make the malware a very flexible agent that could be used by operators to tailor campaign to individual targets, the effort necessary for its development appears significant, the experts speculates that it required months or years to be completed.

The circumstance led researchers to believe that Backdoor Regin was developed by a nation-state to spy on a wide range of international targets across several industries.

The evasion technique that allowed Regin backdoor to go undetected for years exploits a multi-staged process and each stage is hidden and encrypted. Regin is organized into five stages, each of which is encrypted except for the first one that implements the initial loader. Executing the first stage triggers a domino chain in which at each step the stage is decrypted and executed, and that in turn decrypts the successive stage, and so on.

As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage.  Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages.  Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.” states the blog post from Symantec.

Regin Backdoor 5 stages Symantec 2

Regin Backdoor 5 stages Symantec

The experts have identified dozens of different payloads that are used to spy on the infected machine, the principal functions implemented by the authors of Regin include code for stealing passwords, monitoring network traffic, capturing screenshots, seizing control of the target’s mouse and recovering deleted files.

Some payloads appear to be tailored to specific targets, for example, one module was designed to sniff the traffic of mobile telephone base station controllers and another to monitoring the traffic of a Microsoft IIS server.

The disconcerting aspect of the story relates to the dating of the Backdoor Regin, Symantec experts believe it was a framework that threat actors used in multiple campaigns that date back to 2008 or several years earlier. Regin is known to have been active until 2011. The name Regin was assigned by Microsoft to the underlying trojan, the malware resurfaced in 2013 when the researchers at Symantec identified it.

“Essentially, what we think we’re looking at is different campaigns where in one infection they needed to sniff your keyboard whereas in another infection they wanted grab the user name and password of the admin connected to a base station controller,” Liam O’Murchu, manager of operations for Symantec Security Response, reported to Ars.

Analyzing the distribution of targeted industries it is possible to note that Regin was used to compromise Telecom Backbon in 28 percent of the attacks, the experts believe that the operators managing the cyber espionage campaign were interested to spy on specific customers of the targeted companies.

 

Regin Backdoor targets

The infections of Backdoor Regin detected by Symantec are also geographically diverse, attacks were observed in mainly in ten different countries, Russian Federation (28%), Saudi Arabia (24%), Ireland (9%) and Mexico (9%) lead the list.

The investigation is still ongoing, researchers at Symantec are aware of only about 100 infections, but a so powerful platform was surely used in a larger number of targeted attacks still uncovered. The researchers haven’t yet identified the command and control servers the attackers used, the knowledge of the control infrastructure provides to the experts a huge quantity of data that could support further analysis.

“Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist.  Additional analysis continues and Symantec will post any updates on future discoveries” states the post.

Stay tuned for further information.

Pierluigi Paganini

(Security Affairs –  Backdoor Regin, cyber espionage)

Nov 23 14

Ecuadorean President Correa claims attacks on his private computers and accounts

by Pierluigi Paganini
President Correa

Ecuadorean President Correa has publicly denounced the US Intelligence continuous cyber attacks against his private internet accounts and computers.

Ecuadorean President Rafael Correa has publicly denounced the US Intelligence of “systematic, high-tech” cyber attacks on his private internet accounts and computers.

The President Rafael Correa also revealed that the last attack occurred  on Thursday, November 20th, was traced back to US servers. The President Correa made the revelation via Twitter and later through the Latin American press.

President Correa Tweet

President Correa informed the press that he sees “systematic, high-tech and high-resource attacks,”adding that “they will not succeed, we are more, so many more.”

The President Correa remarked that foreign hackers backed by US Intelligence daily hit his private systems trying to hack them

“On Thursday, all day I received attacks… that come from abroad and trace back to a server in the United States, targeting my bills, trying to hack my information, turn on microphones, listen in on our conversations,” Correa said in his weekly Citizen Link no.399.

President Correa has publicly criticized the US surveillance program in different occasions, don’t forget that its country is providing support to the WikiLeaks founder Julian Assange giving him asylum in Ecuador’s London embassy indefinitely. The Ecuadorian President Correa has also evaluated the opportunity to provide asylum to Edward Snowden.

The President Correa has already denounced similar cyber attacks defining the offensive as the work of “unscrupulous domestic opponents.”  In October similar incidents were detected by the President’s staff, which attributed the hacking campaign to the Colombia. The president ordered to national Defence to improve its cyber capabilities and to secure national systems and protect official communications with the use of encryption.

The Ecuadorean Government has promoted the creation of a dedicated cyber defense department this summer.

The attacks hypothesized by the President Correa are plausible if we consider the revelations made by the whistleblower Edward Snowden that in different documents refers of an intense activity of the NSA in the surveillance of exponents of foreign government thanks to sophisticated hacking platforms like the FoxAcid servers.

There is another circumstance that increases truth of President’s statements, the ANDES news agency reports that 99 percent of the Latin American state’s internal and external communication are routed through infrastructure housed in the US.

Pierluigi Paganini

(Security Affairs –  Ecuador, President Correa)

Nov 23 14

British firm now owned by Vodafone aided GCHQ in wiretapping undersea cables

by Pierluigi Paganini
internet undersea cables

New documents leaked by Snowden reveal the crucial role of a Vodafone-owned company in wiretapping of undersea cables for massive surveillance.

According to several secret documents leaked by Edward Snowden US and British Intelligence wiretap undersea cables used by telecommunication companies as part of their mass surveillance programs.

In June, Snowden released documents that were published by The Register and that reveal the existence of a secret British spy base located at Seeb on the northern coast of Oman, a strategic position that allows the GCHQ to tap several undersea cables passing through the Strait of Hormuz into the Persian/Arabian Gulf.

Other document details the operations conducted in other major spy base located in Bude in Cornwall, in this plant the British intelligence access network feeds Internet data from more than 18 undersea cables coming into different parts of Britain either direct to GCHQ in Cheltenham.

undersea cables spy base Bude GCHQ

“The majority of large cables come ashore in Cornwall, and have been connected directly to Bude. These include major connections such as FLAG (Fibre optic Link Around the Globe), two of whose cables have been intercepted. Because the FLAG interceptions had to be kept secret from the cables’ owners, one report states, the tapping connections were installed in an undisclosed UK location and “backhauled” to Bude, in the technical language of the communications industry.” States the Register.

Now, according to new reports based on documents leaked by the whistleblower Edward Snowden, the undersea cables have become an integral part of the global mass surveillance system operated by the GCHQ thanks the support provided by a company Cable & Wireless, which was acquired by Vodafone in July 2012 for about $1.5 billion.

The details about the support provided to the massive urveillance were revealed by the British Channel 4 News, the German newspaper Süddeutsche Zeitung,and the German broadcaster WDR, who collaborated with the Intercept. The founding editor Laura Poitras, in fact, obtained a preview of the documents in advance of their publication.

Data provided in the reports are amazing, British telecommunications firms supported GCHQ in collectiong large volume of internet data from undersea cables, the overall amount of information from 2007 to 2012 registered a 7,000-fold increase, meanwhile the spying system monitored nearly 46 billion private communications “events” every day.

The data collected by the undersea cable would include content from online messages, browsing sessions, VOIP calls and emails.

British telecommunications company Cable & Wireless played a crucial role in tapping of the undersea cables, in February 2009 a GCHQ employee was assigned to work within company in a “full-time project management” role to follow the operation from the inside.

The GCHQ paid Cable & Wireless more than £5 million ($9 million) as part of an annual lease for GCHQ to access the undersea cables. In the documents the company is referred as a “partner” codenamed Gerontic.

The documents reveal that the support is also extended into spying operation on a rival foreign communications company:

“According to the reports, Cable & Wireless also appears to have helped GCHQ obtain data from a rival foreign communications company, India’sReliance Communications, enabling the spies to sweep up communications sent by millions of internet users worldwide through a Reliance-owned cable that stretches from England across Asia and the Middle East. This so-called “access point” for GCHQ was named Nigella and located near an agency surveillance base in Bude, Cornwall. Reliance did not respond to a request for comment.” states The Intercept in a blog post.

Despite the Cable & Wireless bought by Vodafone in July 2012 the Nigella surveillance access point remained active as of April 2013.

Vodafone declared that it complies with the law without giving “direct access” to its undersea cables, it has provided data based on warrants issued by the government.

“There are processes for us to do that [comply with warrants] which we’re not allowed to talk about because the law constrains us from revealing these things,” said Vodafone spokesman Matt Peacock in a statement to Channel 4 News. “We don’t go beyond what the law requires.”

GCHQ obviously hasn’t commented the news.

Pierluigi Paganini

(Security Affairs –  undersea cable tapping, GCHQ)

Nov 23 14

Electronic cigarettes exploited in the wild to serve malware

by Pierluigi Paganini
electronic cigarettes

In a discussion started on the Reddit news media website it has been debated the case of a malware implanted by using electronic cigarettes connected over USB.

Hackers are able to exploit any electronic device to serve a malware of to compromise a poorly protected network, electronic cigarettes have become the latest vector to serve spread for malicious software.

Despite the idea could appear hilarious, many electronic cigarettes can be charged over USB, using a special cable or by inserting one end of the cigarette directly into a USB port.

electronic cigarettes charger

A report posted on the social news Reddit website reported a strange case occurred to a particular executive that discovered a malware in his system without immediately identify its source.

“One particular executive had a malware infection on his computer from which the source could not be determined,” reported a Reddit user “After all traditional means of infection were covered, IT started looking into other possibilities.

Investigating on the case, the man discovered that the electronic cigarettes were provided by a malware hardcoded into the charger, once the victim will connect it to the computer the malicious code will contact the C&C server to drop other malicious code and infect the system

“The made in China e-cigarette had malware hardcoded into the charger, and when plugged into a computer’s USB port the malware phoned home and infected the system.”

I have no further news regarding the authenticity of the news, anyway I consider that attack scenario plausible. We have seen recently how to turn in a hacking tool an apparently harmless USB device and in the past security experts discovered other cases in which a battery charger could be used to infect a PC or a mobile device.

The Guardian reported that opinion of Rik Ferguson, a security consultant for Trend Micro, which also consider plausible the story reported on Reddit.

“Production line malware has been around for a few years, infecting photo frames, MP3 players and more,” he says. In 2008, for instance, a photo frame produced by Samsung shipped with malware on the product’s install disc.

Referring also the recent case BadUSB, in which researchers released an attack code to reprogram USB sticks and use them as an undetectable hacking instrument, Ferguson explained that “a very strong case can be made for enterprises disabling USB ports, or at least using device management to allow only authorised devices.”

“For consumers it’s a case of running up-to-date anti-malware for the production line stuff and only using trusted devices to counter the threat.”

The Guardian reported also the opinion of the London’s Vape Emporium, Dave Goss remarked that there are no risks for vapers that buy from reliable manufacturers such as Aspire, KangerTech and Innokin.

“Any electrical device that uses a USB charger could be targeted in this way, and just about every one of these electrical devices will come from China,” Goss added.

Pierluigi Paganini

(Security Affairs –  electronic cigarettes, hacking)

Nov 22 14

DoubleDirect MitM Attacks are targeting users worldwide

by Pierluigi Paganini
maninthemiddleattack

Security experts at Zimperium discovered a new MITM attack technique dubbed DoubleDirect that is targeting iOS, Android and Mac users worldwide.

DoubleDirect is the name of a new Man-in-the-Middle (MitM) attack discovered by security researchers that is targeting mobile devices running either iOS or Android and potentially Mac OS X systems.

The DoubleDirect MitM attack allows attackers to hijack the victim’s traffic of major websites such as Facebook, Google and Twitter to a device controlled by the attacker.

As explained by security experts at mobile security firm Zimperium, once the attackers has redirected the victim’s traffic, it could be able to steal victims’ sensitive data, including personal data and login credentials, or serve malicious code on the targeted device.

In the blog post recently published by Zimperium the experts revealed that threat actors worldwide are already exploiting the DoubleDirect technique across 31 countries. Bad actors redirected users of several IT companies, including Facebook, Google, Hotmail, Live.com and Twitter.

doubledirect MITM attack

The DoubleDirect technique exploits the ICMP (Internet Control Message Protocol) redirect packets in order to change the routing tables of a host used by routers to provide information on the best path to the destination.

“With the detection of DoubleDirect in the wild we understood that the attackers are using previously unknown implementation to achieve full-duplex MITMs using ICMP Redirect” states the post.

As explained by experts Windows and Linux users are immune to the DoubleDirect attack because most of GNU/Linux and Windows desktop operating system do not accept ICMP redirect packets that is exploited by attackers to carry the malicious traffic.

An attacker can also use ICMP Redirect packets to alter the routing tables on the victim host, causing the traffic to flow via an arbitrary network path for a particular IP,” Zimperium warned. “As a result, the attacker can launch a MitM attack, redirecting the victim’s traffic to his device.

Once redirected, the attacker can compromise the mobile device by chaining the attack with an additional Client Side vulnerability (e.g.: browser vulnerability), and in turn, provide an attack with access to the corporate network.

Zimperium has provided a Proof-of-Concept (PoC) for the DoubleDirect Attack, the code allows full-duplex ICMP redirect attack by predicting the IP addresses the victim tries to connect to. The IP addresses are predicted by sniffing the DNS traffic of the target, once discovered that attackers send an ICMP redirect packet to all IP addresses.
“We have investigated the attacks and also created a POC tool to prove that it is possible to perform full-duplex ICMP Redirect attacks. ICMP Redirect attacks are not easy to emulate because the attacker must know beforehand which IP address the victim has accessed” 
The experts at Zimperium also explained how to manually disable ICMP Redirect on their Macs to remediate the issue.

Zimperium is releasing this information at this time to increase awareness as some operating system vendors have yet to implement protection at this point from ICMP Redirect attacks as there are attacks in-the-wild,” the post reads.

Pierluigi Paganini

(Security Affairs –  DoubleDirect attack,MITM)

Nov 22 14

PlayStation Network and Widows Live alleged hacks. Why experts afraid attacks on gaming platforms?

by Pierluigi Paganini
Playstation network

Latest report indicates that the alleged hack on Sony’s PlayStation Network, Windows Live and 2k games studio by Derp Tolling could be a hoax.

News going round that Derp Trolling hacked Sony’s PlayStation Network(PSN), Microsoft’s Windows Live and 2k games studio freaked out millions of users, but now security experts says the alleged hack could be a hoax meant to attract attention to the hackers’ group.

In a post on twitter and on the anonymous’ text sharing site, Pastebin, Derp Trolling claimed to be in possession of tens of thousands of Usernames and passwords for PlayStation Network , Windows Live and 2k games studio accounts.

“Dear Internet, the following is a very small portion of Lord Gaben and the rest of his crews glorious raids across the high seas of the Internet,” bragged Derp Trolling  adding that they had over 7m account details including 1.2 million credentials from CIA domains “Let this be a warning to all. Nothing is safe from Derp.”

In time we are writing the Twitter account  used by the Derp Trolling was suspended, meanwhile the account Derp Trolling used in the past doesn’t provide any update.

Derp Trolling Tweet

However, a cross-examination of the leaked details has questioned the credibility of the alleged hack. Security Experts who to tried to verifying some of the usernames and passwords dumbed on Pastebin were met by a response saying

“Not a valid e-mail address. Please try again,”

a clear indication that the accounts were never signed up on PlayStation Network in the first place.

“Looking through the list, there’s certainly an awful lot of crossover with data from previous breaches, in particular the Adobe one,” Rik Ferguson, vice president of security research at Trend Micro told the guardian. “The random sample cross-referencing I have done certainly show that the majority of data listed here has shown up already in previous breaches with a very few exceptions which seem to appear only in this particular paste.”

Last weekend, Derp trolling owned up to causing Denial of service (DDoS) on Blizzard’s servers among a host of other attacks done in the past.

“You heard about Anonymous knocking the entire .Mil domain offline? Well that was us! You hear of RedHack launching DDoS attacks against Turkey’s government? That was us as well! You heard about LulzSec knocking gaming servers and websites offline? Well that was us too,” said Derp trolling adding that the hackers’ group meant business this time. “Most people only see the Gaming side of us! We can be very serious hackers.”

Ironically, Derp Trolling claims it hacks to help companies fortify their networks by identifying their security flaws.

“Derp Trolling in no way wants to harm our children by leaking such damaging data. It’s only a warning to the companies,” claims Lord Gaben.

In a statement, Microsoft said

“We are investigating this issue and will take the necessary steps to protect customers as needed.” Sony on its part says there is “no evidence that there was any intrusion into its network,” adding that the company is taking the threats “very seriously and will continue to monitor its network closely.”

We must consider that the number of cyber attacks against gaming platforms is constantly increasing, last year Nintendo and Ubisoft we among the numerous victims of data breach … an it is just the tip of the iceberg.

Gaming platforms are a privileged targets for criminal crews and state-sponsored hackers. Cyber criminals are mainly attracted by possibility to steal sensitive information, including user data and credit card numbers, to sell in the underground market. State-sposored hackers are mainly interested into exploitation of gaming platforms for cyber espionage purposes or to abute of their resources to run cyber attacks.

Playstation network

Apparently, we live in world where cyberattacks including phishing scams and password matching is an everyday reality. In such a precarious environment, the next hack is just a click away.  Whether the latest hack was genuine or Derp Trolling was just bluffing, every day is good day to change your password.

Written by: Ali Qamar, Founder/Chief Editor at SecurityGladiators.com & Pierluigi Paganini

Author Bio:
Ali Qamar is a cyber-security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at SecurityGladiators.com, an ultimate source for worldwide security awareness having supreme mission of making the internet more safe, secure, aware and reliable. 

(Security Affairs –  Gaming, PlayStation Network ,Widows Live)

Nov 22 14

Windows Unicorn vulnerability exploited in the wild

by Pierluigi Paganini
unicorn vulnerability

Security companies have started detecting attacks that leverage a critical remote code execution (RCE) vulnerability in Windows, which Microsoft patched last week.

On November 11th Microsoft has released that exploit the Unicorn (CVE-2014-6332) critical remote code execution vulnerability in Windows systems, which Microsoft patched on November 11th.

The Unicorn vulnerability is addressed in one of the 14 security bulletins released by Microsoft on November 11, MS14-064 is one of the most important.

The bulletin addresses a Windows OLE RCE bug (CVE-2014-6352) and another Windows Object Linking and Embedding (OLE) automation array RCE flaw (CVE-2014-6332).

The CVE-2014-6332 vulnerability allows a remote attacker to execute arbitrary code via a crafted web site, the flaw is also known as “Windows OLE Automation Array Remote Code Execution Vulnerability”, WinShock or Unicorn. The Unicorn flaw was reported to Microsoft in May by researchers from IBM and experts discovered that it has existed for at least 19 years.

“The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free,” IBM reported in the blog post.

The CVE-2014-6352 allows a remote attacker to execute arbitrary code via a crafted OLE object, in October Microsoft issued the security advisory 3010060 to warn its customer of the Zero-Day vulnerability that affects all supported versions of Windows OS except, Windows Server 2003.

Microsoft warned that the flaw is already being exploited in limited targeted attacks by threat actors in the wild.

“The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the advisory explained.”At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.” confirming the voice that bad actors are already exploiting the zero-day in limited cases.

Recently a Chinese researcher released proof-of-concept (PoC) code for the exploitation of the Unicorn vulnerability concurrently with the release of the official patch by Microsoft. The day after the disclosure of the flaw, it was also available a Metasploit module that exploit the Unicorn flaw. On November 17th, NSS Labs uncovered attacks exploiting CVE-2014-6332 through a JavaScript hosted on a South Korean website, the script was used to discriminate the visitors and serve the appropriate exploit. If a mobile device running Android is detected, an APK file is served, meanwhile if a PC is detected, a malware is dropped via the exploit published by the Chinese expert.

unicorn exploit

Below the Timeline of the events

  • Nov 11, 2014 – Microsoft releases the patch for CVE-2014-6332.
  • Nov 11, 2014 – A Chinese researcher identified by the Twitter handle @yuange releases the proof of concept (PoC) exploit.
  • Nov 12,2014 – Metasploit Module is created for CVE-2014-6332.
  • Nov 17, 2014 – NSS Labs observes the first attacks exploiting CVE-2014-6332 in the wild via the Cyber Advanced Warning System.

“The malware is a little different to that which is typically dropped from regular exploit kits and malware campaigns. The difference lies in the way in which this malware is packaged, and in its method of operation,” NSS Labs wrote in a Nov. 20 blog post. “The packer used within this malware is NSPack, the malware carries an embedded copy of itself for the purpose of dissemination.”

Also the experts at ESET firm have discovered an attack leveraging the Unicorn vulnerability through the website of a major news agency in Bulgaria.

“Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors.” reports ESET in a blog post.

Also in this case the hackers exploited the PoC released by the Chinese expert to serve a multi-use malware.

Pierluigi Paganini

(Security Affairs –  Unicorn vulnerability,Windows)

Nov 21 14

Brazilian bank users threatened by 2 malicious apps deployed on the Google Play

by Pierluigi Paganini
brazil malicious apps google play 2

Kaspersky Lab discovered a couple of malicious apps deployed on the official Google Play Store that targets Brazilian Android mobile banking users.

A couple of malicious apps targeting Brazilian Android users were recently found in the official Google Play by experts at Kaspersky Lab. The malicious apps targeted mobile banking users using an appearance similar to the one of the legitimate banking apps, while the first app was published on October 31th and registered 80 installations, the second one was published on November 10th and had only 1 installation.

“This week we spotted the first Trojan banker targeting Brazilian users of Android devices. Two malicious applications meant to pass for apps from local Banks were hosted on Google Play.” reported the security researcher Fabio Assolini in a blog post.

As explained by the researchers the news isn’t surprising, more than 6 million Brazilians currently use mobile banking services and the Brazil is the country with the highest number of infections related banking industry in Q3 as reported in the Q3 threat evolution report issued by Kaspersky.

“Brazil remained the country where users are most often attacked by banking malware, even if its share was down one third. Russia stayed in second place. Italy dropped to 4th position while Germany rose to 3rd place: the number of attacked users in this country grew by 1.5 times.”

Brazil infections - Top 10 countries

The criminal crew that published the malicious apps on the Google Play store is using the name “Governo Federal” (Federal Government)

brazil malicious apps google play

The malicious apps are very simple, they were designed just to steal login credentials in a classic phishing scheme, Brazilian mobile banking users result particularly exposed to the attack so due to the lack of a strong authentication (i.e. two-factor authentication) for banking app.

The attackers used a free platform to create the malicious apps, ‘App Inventor’, which doesn’t require any particular skill to create a mobile application, but the results are an app big in size as explained in the post:

“To create the malicious app, the (lazy) bad guy decided to use “App Inventor”: a free platform that allows anyone to create their own mobile Android application, no technical knowledge required. The result is an app big in size and full of useless code. But both apps had the function to load the logos of the targeted Banks and open a frame – the phishing page programmed to capture the user’s credentials.” said the post. “The phishing pages of the targeted Banks were hosted on a hacked website. A good soul removed them and inserted an alert to the visitors stating: “Este é um aplicativo Falso, denuncie este app”, meaning “This is a fake app, please report it”. As a result, when the user downloads, installs and opens the fake banking app, this message is displayed inside, instead of the original phishing page”

The Kaspersky Lab team has already reported  both apps to Google that promptly removed them from the official Play Store.

Both malicious apps are detected as Trojan-Banker.AndroidOS.Binv.a and security experts have no doubts regarding the fact that cyber criminals will continue to explore official channels to spread malicious code.

A good starting point would be to implement a two-factor authentication for sensitive applications such as banking software.

Pierluigi Paganini

(Security Affairs –  Bazil, banking malicious apps)

Nov 21 14

Intel And Europol together against the cybercrime

by Pierluigi Paganini
Intel and Europol

MOU between Intel Security Firm and Europol, will see the two combine resources and Expertise in combating cybercrime, in an already porous battle line. As cybercriminals advance their techniques and expertise, it is paramount that all those on the receiving end stage a united front or perish one at a time.

Article posted on Security Gladiators

Europol received a boost in its fight against cybercrime after McAfee signed an MOU to help shore up Europol’s security operations. The MOU will see the two combine resources and expertise in forming a solid defense against cybercrime, in an already porous battle line.

McAfee, acquired by Intel Security group in 2010, will offer technical support to Europol in addition to participating in joint cybercrime operations and sharing non-operational data on cybercrime.  With its innovative approach to internet security and vast intelligence on Global threats, Intel security will be an important strategic ally to EU’s top cops.

“Cybercrime has advanced to a degree that no one entity can combat it alone,” said Raj Samani, chief technology officer for EMEA at Intel Security and special advisor to the EUROPOL Cybercrime Centre on Internet Security . “I’m excited to work with the excellent team Europol and contribute expertise so that we can together to effectively address the cybercrime problem.”

High profile attacks such as the JPMorgan, Whitehouse and the Target clearly shows that cybercriminals are advancing their techniques and expertise, leaving law enforcement agencies entirely clueless in all occasions. In such an environment, it is paramount that all those on the receiving end including law enforcement agencies stage a united front, a fact Troels Oerting, Head of the EC3 acknowledged when welcoming Intel on board.

“Today we add the resources of Intel Security to our list of capabilities dedicated to protecting our digital lives. This task cannot be done by law enforcement alone, and requires a much broader approach,” said Oerting.

Europol cybercrime

Apparently, McAfee and Europol have partnered on cybercrime before and the MOU signed on Wednesday was only meant to formalize and expand their co-operation.

“Intel Security has assisted the European Cybercrime Centre (EC3) in the past and, with the signing of this MOU, our cooperation will continue to the benefit of all law-abiding users of the Internet and to the disadvantage of cybercriminals,” said Oerting in a press release.

In the past, Cyber security firms have only cooperated with law enforcement agencies through informal arrangements. The new MOU between Intel Security and Europol marks a new era of cooperation in fighting cybercrime, with more cyber security firms expected to come on board in the coming days.

EU state countries have also shown unprecedented cooperation in the war against cybercrime. Currently, over 30 states have ratified the Council of Europe’s Convention on Cybercrime, an international treaty that seeks to harmonize cybercrime Laws among party states. The treaty will also establish a cross-border and cybercrime investigation unit to respond on cyber threats on a real time basis.

Europol is a cross border agency that helps combat international crimes in the European Union. Its cybercrime unit, European Cybercrime Unit (EC3), located in The Hague offers technical supports to other EU states cybercrime units. EC3, formed last year, relies Europol’s extensive network to help EU states investigate and comber cybercrime, including state backed cyber-espionage attacks that are currently ruling the cyberspace.

Pierluigi Paganini

(Security Affairs –  Intel ,Europol ,Cybercrime)

Article posted on Security Gladiators