- Experts found a way to exploit HP Enterprise printers to hack into company networks
- ProtonMail Contacts – ProtonMail launches world’s first encrypted contacts manager
- U.S. charges Iranian state-sponsored hacker over ‘Game of Thrones’ HBO hack
- Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016
- Lazarus APT uses an Android app to target Samsung users in South Korea
Posted: 22 Nov 2017 10:17 AM PST
Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP's enterprise printers.
HP has invested significant effort in designing secure printing systems, and a recent marketing campaign by the firm highlights the danger vulnerable printers pose to corporate networks.
HP launched its current generation of enterprise LaserJet printers back in 2015 and has added several security improvements since then.
Experts from FoxGlove Security tested an HP PageWide Enterprise 586dn multi-functional printer (MFP) and an HP LaserJet Enterprise M553n printer.
The team used a hacking tool dubbed PRET (PRinter Exploitation Toolkit) developed by researchers from Ruhr-Universität Bochum in Germany.
Its authors had used the tool to find security vulnerabilities in 20 printer models manufactured by Dell, Brother, Konica, Samsung, HP, OKI, and Lexmark.
Those flaws stem from the common printing languages PostScript and PJL used in most laser printers; according to the researchers they are nothing new and have existed for decades.
FoxGlove used PRET to find a path traversal flaw that allowed them to read the content of any print job, including jobs protected by a PIN code. The team also found flaws that let an attacker manipulate the content of print jobs and reset devices to factory settings.
To find a remote code execution (RCE) flaw, the researchers reverse engineered firmware extracted from the HP printer, bypassing the anti-tampering mechanisms implemented by the vendor.
The team analyzed firmware updates and HP Software Solutions, which use the OXP platform and SDK to extend a printer's functionality. Both Solutions and firmware updates are delivered as a single bundle (.BDL) file that must be digitally signed.
“PJL is a language that computers will speak with the printer when submitting print jobs. This language has also been extended to have the ability of performing some administrative tasks.” stated the analysis published by the experts.
“One of the capabilities of PJL is very limited management of files on the printer. For example, it is possible to store and delete files, but only in a very specific location, a small "jail" on the filesystem that it should not be possible for a user speaking PJL to escape from:”
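The jail-escape problem described above, as an added illustration (this is example code written for this page, not FoxGlove's code or PRET's): a minimal parser for the NAME argument of PJL file-system commands (FSUPLOAD, FSDOWNLOAD, FSDELETE, FSDIRLIST), the naive path resolution that lets a `..` sequence walk out of the jail, and the canonicalising check that keeps the resolved path inside it. The jail location `/jail`, the sample PJL lines and the surrounding helper names are constructed for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# Hypothetical location of the PJL-accessible "jail" on the printer's filesystem.
JAIL_ROOT = "/jail"

# Matches the NAME="..." argument of PJL file-system commands, e.g.
#   @PJL FSUPLOAD NAME="0:\jobs\job1.prn" OFFSET=0 SIZE=4096
_NAME_RE = re.compile(r'@PJL\s+(FS\w+)\s+.*?NAME="([^"]*)"', re.IGNORECASE)


def parse_pjl_fs_command(line: str) -> Optional[Tuple[str, str]]:
    """Return (command, name) for a PJL file-system command, else None."""
    m = _NAME_RE.search(line)
    if not m:
        return None
    return m.group(1).upper(), m.group(2)


def pjl_name_to_relative(name: str) -> str:
    """Drop the PJL volume prefix ("0:") and convert backslashes to '/'."""
    if ":" in name:
        name = name.split(":", 1)[1]
    return name.replace("\\", "/").lstrip("/")


def resolve_naive(name: str) -> str:
    """Vulnerable: string concatenation, so '..' components escape the jail."""
    return JAIL_ROOT + "/" + pjl_name_to_relative(name)


def resolve_checked(name: str) -> Optional[str]:
    """Hardened: canonicalise first, then require the result to stay under JAIL_ROOT."""
    full = posixpath.normpath(posixpath.join(JAIL_ROOT, pjl_name_to_relative(name)))
    if full != JAIL_ROOT and not full.startswith(JAIL_ROOT + "/"):
        return None  # would have escaped the jail
    return full


def audit_pjl_stream(lines: List[str]) -> List[Tuple[str, str]]:
    """Return the (command, name) pairs in a PJL stream whose path escapes the jail."""
    escapes = []
    for line in lines:
        parsed = parse_pjl_fs_command(line)
        if parsed and resolve_checked(parsed[1]) is None:
            escapes.append(parsed)
    return escapes


# Constructed sample PJL traffic (not captured from a real device).
SAMPLE_PJL = [
    '@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=20',
    '@PJL FSUPLOAD NAME="0:\\jobs\\job1.prn" OFFSET=0 SIZE=4096',
    '@PJL FSUPLOAD NAME="0:\\..\\..\\etc\\passwd" OFFSET=0 SIZE=4096',
    '@PJL FSDELETE NAME="0:\\jobs\\..\\..\\..\\tmp\\x"',
]

if __name__ == "__main__":
    for cmd, name in audit_pjl_stream(SAMPLE_PJL):
        print(f"{cmd} {name!r}: naive={resolve_naive(name)} checked={resolve_checked(name)}")
```

The same containment check belongs on the device side of any PJL file command; on the network side, the `audit_pjl_stream` pattern is a cheap signature for port 9100 traffic that carries traversal sequences in file names.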
Signature validation prevented the experts from loading malicious firmware onto the device, but they devised other attack vectors.
“A BDL file modified in this way was uploaded to the printer and confirmed working, however no malicious changes to code could be implemented just yet. When we tried to replace any of the DLL files in the ZIP we began getting DLL signature validation errors.” continues the analysis.
The researchers eventually bypassed signature validation for Solutions files, uploaded a malicious DLL and executed arbitrary code on the printer.
The experts shared the source code of the tools used during the tests, including the proof-of-concept (PoC) malware used in the exploit.
The team reported the discovery to HP on August 21, and the vendor has committed to releasing a security update this week.
(Security Affairs – HP, printers)
The post Experts found a way to exploit HP Enterprise printers to hack into company networks appeared first on Security Affairs.
Posted: 22 Nov 2017 05:34 AM PST
ProtonMail launched ProtonMail Contacts, the world’s first contact manager with both zero-access encryption and digital signature verification.
ProtonMail is announcing today the launch of the world’s first encrypted contacts manager that also features digital signature verification. Starting immediately, the new contacts manager is available to all of ProtonMail’s 5 million users around the world.
The development and launch of this feature was driven by the feedback that the company received from many of its users in the investigative journalism space. “Last year, we had the unique opportunity to meet with many of our users in the field at the Second Asian Investigative Journalism Conference in Kathmandu, Nepal, and one message that we heard over and over again was the need for better ways to protect sources,” says ProtonMail co-founder Dr. Andy Yen, “the new encrypted contacts manager today is the result of over one year of research and development into how we can best meet the needs of the thousands of activists, journalists, and dissidents who rely on ProtonMail to protect their privacy.“
In addition to protecting sensitive contact details with zero-access encryption (meaning that ProtonMail itself cannot decrypt the data, and cannot reveal the private contact details to third parties), ProtonMail’s new contact manager also utilizes digital signatures to verify the integrity of contacts data. This provides a cryptographic guarantee that nobody (not even ProtonMail), has tampered with the contacts data.
“Combining encryption with digital signatures provides powerful protection that guarantees not only the privacy, but also the authenticity of the contacts saved in ProtonMail, and reduces the need to trust ProtonMail, as even we cannot access or change this information without your knowledge,” says Dr. Yen. In line with standard company practice, the software behind ProtonMail’s encrypted contacts manager is fully open source.
-> For more details about ProtonMail’s encrypted contacts manager, please refer to our launch blog post here: https://protonmail.com/blog/encrypted-contacts-manager/
-> The link to this press release can be found here: https://protonmail.com/blog/contacts-press-release/
-> ProtonMail’s media kit can be found here: https://protonmail.com/media-kit/
About the author: ProtonMail
ProtonMail is headquartered in Geneva, Switzerland, near CERN (the European Organization for Nuclear Research) where the founding team met in 2013. Every day, the ProtonMail team, brought together by a shared vision of protecting civil liberties, works to advance Internet security and privacy. Since its inception, ProtonMail's infrastructure has been located exclusively in Switzerland, under the protection of some of the world's strongest privacy laws.
The post ProtonMail Contacts – ProtonMail launches world’s first encrypted contacts manager appeared first on Security Affairs.
Posted: 22 Nov 2017 05:15 AM PST
The US Department of Justice has charged Iranian national Behzad Mesri over the ‘Game of Thrones’ HBO hack; prosecutors say he also worked for the Iranian military.
On Tuesday the United States charged Behzad Mesri over the HBO hack, accusing him of stealing scripts and plot summaries for ‘Game of Thrones’.
Manhattan US Attorney Joon Kim said Mesri "had previously hacked computer systems for the Iranian military". Mesri threatened to release the stolen data unless HBO paid a $6 million ransom in Bitcoin.
“Behzad Mesri, an Iranian national who had previously hacked computer systems for the Iranian military, allegedly infiltrated HBO's systems, stole proprietary data, including scripts and plot summaries for unaired episodes of Game of Thrones, and then sought to extort HBO of $6 million in Bitcoins.” said U.S. Attorney Joon H. Kim. “Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice. American ingenuity and creativity is to be cultivated and celebrated — not hacked, stolen, and held for ransom. For hackers who test our resolve in protecting our intellectual property — even those hiding behind keyboards in countries far away — eventually, winter will come.”
Behzad Mesri, who is still at large, is an Iran-based hacker who also uses the online moniker Skote Vahshat.
Mesri faces seven counts in the United States, including wire fraud, aggravated identity theft and four counts of computer fraud.
The DoJ accuses Mesri of being behind the cyber attacks against HBO between May and August, in which he stole scripts and plot summaries for then-unaired episodes of “Game of Thrones” and several other shows.
Mesri compromised multiple user accounts belonging to HBO employees and other authorized users, and used that access to reach the company's servers and steal confidential and proprietary information.
“Over the course of several months, MESRI used that unauthorized access to steal confidential and proprietary information belonging to HBO, which he then exfiltrated to servers under his control.” states the press release published by the US Department of Justice.
“Through the course of the intrusions into HBO's systems, MESRI was responsible for stealing confidential and proprietary data belonging to HBO, including, but not limited to: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of "Barry," "Ballers," "Curb Your Enthusiasm," "Room 104," and "The Deuce;" (b) scripts and plot summaries for unaired programming, including but not limited to episodes of "Game of Thrones;"(c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts (collectively, the "Stolen Data").”
According to the US prosecutors, Mesri previously conducted computer attacks on behalf of the Iranian military that targeted nuclear software systems and Israeli infrastructure.
Prosecutors also said the Iranian man was a member of the Iran-based Turk Black Hat Security hacking group, which defaced hundreds of websites in the United States and around the world.
“MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.” continues the DoJ.
“At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym "Skote Vahshat" against websites in the United States and elsewhere.”
(Security Affairs – HBO hack, Iran)
The post U.S. charges Iranian state-sponsored hacker over ‘Game of Thrones’ HBO hack appeared first on Security Affairs.
Posted: 22 Nov 2017 12:56 AM PST
Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016 and paid hackers to delete stolen records.
Uber CEO Dara Khosrowshahi announced on Tuesday that hackers broke into a company data store and accessed the personal data of 57 million of its users. The bad news is that the company covered up the hack for more than a year.
The attackers also accessed the names and driver's license numbers of roughly 600,000 of its drivers in the United States.
The hack took place in 2016. According to a report published by Bloomberg, the attackers obtained credentials from a private GitHub site used by Uber's development team and used them to reach data stored in the company's Amazon Web Services account. They then tried to blackmail Uber, demanding $100,000 in exchange for not publishing the stolen data.
“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.” states Bloomberg.
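The initial access described above, a credential sitting in a source repository, is exactly what a pre-receive hook or CI secret scan is meant to catch. As an added example (written for this page; it is not Uber's or GitHub's tooling), the following scans only the lines a unified diff adds, so a push that introduces an AWS access key ID, or a secret access key next to a variable named like `aws_secret_access_key`, can be rejected before it lands. The diff is constructed, and the key values are the placeholder examples from AWS's own documentation.

```python
import re
from typing import List, Tuple

# Commonly used pattern for AWS access key IDs: "AKIA" (long-term) or "ASIA"
# (temporary credentials) followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Heuristic for the matching secret: a variable named like aws_secret_access_key
# followed, within a few punctuation characters, by a 40-character base64-style token.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)

Finding = Tuple[str, int, str, str]  # (path, new-file line number, kind, matched value)


def scan_unified_diff(diff_text: str) -> List[Finding]:
    """Report credential-looking tokens on added lines of a unified diff."""
    findings: List[Finding] = []
    path = "?"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
        elif raw.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-file line number.
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            body = raw[1:]
            for m in AWS_ACCESS_KEY_ID_RE.finditer(body):
                findings.append((path, new_line, "aws_access_key_id", m.group(1)))
            for m in AWS_SECRET_KEY_RE.finditer(body):
                findings.append((path, new_line, "aws_secret_access_key", m.group(1)))
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            pass  # removed line or "\ No newline at end of file": no new-file line
        else:
            new_line += 1  # unchanged context line
    return findings


# Constructed diff (not from Uber's repositories); the key values are AWS's
# documented placeholders, not real credentials.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -10,4 +10,5 @@ import os
 BUCKET = "rider-exports"
-AWS_REGION = os.environ["AWS_REGION"]
-OLD_KEY = "AKIAI44QH8DHBEXAMPLE"
+AWS_REGION = "us-west-2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    for path, line, kind, value in scan_unified_diff(SAMPLE_DIFF):
        print(f"{path}:{line}: {kind} {value[:8]}...")
```

A hit should block the push. Note that the removed `OLD_KEY` line is deliberately not reported: a key that was ever committed lives on in the repository history and in every clone, so deleting the line in a later commit is not remediation; the key has to be rotated.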
In a statement on Tuesday, Khosrowshahi said the intruders accessed cloud-hosted data stores:
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.” reads a CEO’s statement.
“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”
Worse still, rather than notifying customers and law enforcement as California's data breach notification law requires, Uber's security chief Joe Sullivan had the ransom paid and the incident covered up. The payout was disguised as a bug bounty award, complete with signed non-disclosure agreements. Uber runs a legitimate bug bounty program that rewards white hat hackers for responsibly disclosing vulnerabilities in its services, which made the payment easy to hide.
“Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a "bug bounty" — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.” reported The New York Times.
“The details of the attack remained hidden until Tuesday. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber's business practices.”
As a result of the board investigation, Sullivan and one of his deputies were ousted.
The CEO said such an incident will not happen again, describing customers' security and trust as the pillar of Uber's business.
“While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” added Khosrowshahi.
The CEO added that forensic experts have found no evidence that the data was downloaded; in any case, the company is monitoring the affected accounts for fraudulent activity.
Below is the list of actions the company has taken in response to the incident:
The New York Attorney General Eric Schneiderman has also launched an investigation into Uber data breach.
This isn't the first breach Uber has suffered: an earlier incident took place in May 2014 but was only discovered in February 2015.
In that attack, the names and driver's license numbers of roughly 50,000 of the company's drivers were compromised.
In June 2016, researchers at the security firm Integrity found 14 flaws in Uber's website that could have been exploited to access driver and passenger data; four of them were not disclosed.
(Security Affairs – Uber data breach, hacking)
The post Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016 appeared first on Security Affairs.
Posted: 21 Nov 2017 11:45 PM PST
The North Korea linked group Lazarus APT has been using a new strain of Android malware to target smartphone users in South Korea.
The campaign was spotted by McAfee and Palo Alto Networks; both firms attributed the attacks to Hidden Cobra, the US government's name for the Lazarus group.
Lazarus activity surged in 2014 and 2015; the group relies mostly on custom-built malware, and researchers who have investigated it consider it highly sophisticated.
The threat actor has been active since at least 2009, possibly as early as 2007, and has carried out both cyber espionage campaigns and sabotage operations aimed at destroying data and disrupting systems. Researchers have also attributed recent attacks on banks, including the Bangladesh Bank heist, to Lazarus.
According to security experts, the group was also behind other large-scale campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul and the Sony Pictures hack.
The malicious code used in this campaign is an Android APK designed to mimic a Korean Bible app published on Google Play by a developer named GODpeople.
The malicious APK wasn’t available on the Google Play store and it is still unclear how the APT distributed it.
“The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)” states McAfee.
“The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legit app has been installed more than 1,300 times. The malware has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild.”
According to McAfee, the malware drops a backdoor in the form of an executable and linkable format (ELF) binary, which gives the attackers full control of the infected device.
The list of command and control (C&C) servers used by the Android backdoor includes IP addresses previously associated with the Lazarus group.
Experts from Palo Alto Networks pointed out that the campaign appears to be aimed at Samsung device owners in South Korea.
“Unit 42 has discovered a new cluster of malware samples, which targets Samsung devices and Korean language speakers, with relationships to the malware used in Operation Blockbuster. The specific points of connection between these new samples and Operation Blockbuster include:
states the analysis from Palo Alto Networks.
Experts from Unit 42 analyzed a PE file uploaded to VirusTotal that was used to deliver ELF ARM files and APK files from an HTTP server. The APK gives the attacker full control of the target device.
Palo Alto Networks has collected evidence linking the malware to Lazarus's attacks on the SWIFT banking system and to Operation Blockbuster: the latest attack reuses command and control addresses seen in earlier Lazarus campaigns.
“It is clear that source code was reused between previously reported samples and the cluster of new samples outlined by Unit 42. Additionally, command and control IPv4 addresses were reused by the malware discussed in this analysis. Technical indicators as well as soft indicators, such as APK themes and names, provide soft and tenable ties to the actors behind Operation Blockbuster and the HiddenCobra group.” concluded Palo Alto Networks.
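Both write-ups turn on the same artifact: a native ELF binary carried inside an APK, in McAfee's case the backdoor itself, in Unit 42's the ELF ARM payloads served alongside the APKs. An APK is a ZIP archive, and legitimate native code lives under `lib/<abi>/`, so an ELF under `assets/` or `res/raw/` is a cheap triage signal. The following is an added example written for this page (not McAfee's or Palo Alto Networks' tooling): it walks every ZIP entry, flags those that start with the ELF magic, decodes the class, type and machine fields of the header, and builds a constructed APK-like archive with a fake 32-bit ARM executable hidden under `assets/` to run against. The sample archive is synthetic, not a real malware sample.

```python
import io
import struct
import zipfile
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the architectures Android runs on.
E_MACHINE_NAMES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
E_TYPE_NAMES = {2: "EXEC", 3: "DYN"}


def parse_elf_header(data: bytes) -> Dict[str, object]:
    """Decode the ELF header fields needed to describe an embedded binary."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class = data[4]  # 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = data[5]   # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are 16-bit fields at offset 16 in both 32- and 64-bit headers.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "type": E_TYPE_NAMES.get(e_type, hex(e_type)),
        "machine": E_MACHINE_NAMES.get(e_machine, hex(e_machine)),
    }


def find_embedded_elf(apk_bytes: bytes) -> List[Dict[str, object]]:
    """List every entry in the APK whose content starts with the ELF magic,
    whatever its extension or directory."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)
            if head[:4] == ELF_MAGIC:
                entry = {
                    "name": info.filename,
                    "size": info.file_size,
                    # Native libraries normally live under lib/<abi>/; anything else is odd.
                    "outside_lib": not info.filename.startswith("lib/"),
                }
                entry.update(parse_elf_header(head))
                hits.append(entry)
    return hits


def suspicious_entries(hits: List[Dict[str, object]]) -> List[str]:
    """Names of ELF entries stored outside lib/, the ones worth a closer look."""
    return [str(h["name"]) for h in hits if h["outside_lib"]]


def _fake_elf(e_type: int, e_machine: int) -> bytes:
    """Constructed 64-byte header-only ELF (32-bit, little-endian); not runnable code."""
    hdr = bytearray(64)
    hdr[:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = 1, 1, 1  # ELFCLASS32, little-endian, EV_CURRENT
    struct.pack_into("<HH", hdr, 16, e_type, e_machine)
    return bytes(hdr)


def build_sample_apk() -> bytes:
    """Constructed APK-like ZIP: manifest, dex stub, an ARM executable hidden under
    assets/, and a normal shared library under lib/ for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("assets/bible.dat", _fake_elf(2, 0x28))              # EXEC, ARM
        zf.writestr("lib/armeabi-v7a/libhelper.so", _fake_elf(3, 0x28))  # DYN, ARM
    return buf.getvalue()


if __name__ == "__main__":
    found = find_embedded_elf(build_sample_apk())
    for h in found:
        print(h)
    print("suspicious:", suspicious_entries(found))
```

On a real sample, run `find_embedded_elf` over the APK file bytes; an `EXEC`-type ARM binary outside `lib/` matches the pattern both vendors describe and is the entry to pull out and hash against known Lazarus indicators.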
(Security Affairs – Lazarus APT, North Korea)
The post Lazarus APT uses an Android app to target Samsung users in South Korea appeared first on Security Affairs.