- Counterfeit Code-Signing certificates even more popular, but still too expensive
- Czech President wants Russian hacker Yevgeni Nikulin extradited to Russia instead of US
- Security Affairs newsletter Round 151 – News of the week
- Dozen vulnerabilities discovered in Trend Micro Linux-based Email Encryption Gateway
Posted: 25 Feb 2018 07:10 AM PST
Code-signing certificates are precious commodities in the criminal underground, they are used by vxers to sign malware code to evade detection.
Code-signing certificates are precious commodities in the criminal underground because they allow vxers to sign malware so that it evades detection. Operators of the major black markets in the darknets buy and sell code-signing certificates, but according to an interesting research report by threat intelligence firm Recorded Future, their prices are too high for most hackers.
Sales of code-signing certificates have increased considerably since 2015, when IBM X-Force researchers published best-practice guidance on checking for trusted certificates.
Digital certificates allow companies to trust the source of a piece of software and to check its integrity. The certificates are issued by certificate authorities (CAs) to companies that produce code, protocols or software, so that they can sign their code and attest to its legitimacy and origin.
A signing certificate plays a role similar to the hologram seal on a software package, assuring users that the product is genuine and comes from a trusted publisher. Users receive alerts when they attempt to install files that are not accompanied by a valid certificate. This is why cybercriminals aim to use certificates to legitimize the malware they write.
According to Andrei Barysevich, Director of Advanced Collection at Recorded Future, most of the code-signing certificates in criminal hands are obtained through fraud, not through security breaches suffered by the CAs.
“Recorded Future's Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.” states the report published by Recorded Future.
“Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective.”
Cybercriminals offer the precious commodity via online shops. When a buyer places an order, the shop’s operators use the stolen identity of a legitimate company and its employees to request a certificate for a fake app or website from a CA (i.e. Comodo, Thawte, and Symantec). The certificates are then used to encrypt HTTPS traffic or to sign apps.
Recorded Future's Insikt Group investigated the criminal ecosystem and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.
The researchers identified four well-known vendors operating since 2011; only two of them are currently still active on Russian-speaking crime forums.
“One of the first vendors to offer counterfeit code signing certificates was known as C@T, a member of a prolific hacking messaging board.” continues the report. “In March 2015, C@T offered for sale a Microsoft Authenticode capable of signing 32/64b versions of various executable files, as well as Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and supported Silverlight 4 applications. Additionally, Apple code signing certificates were also available.”
Prices for code-signing certificates range from $299 to $1,799; the most expensive items are fully authenticated domains with EV SSL encryption and code-signing capabilities.
“Standard code signing certificates issued by Comodo that do not include SmartScreen reputation rating cost $295. A buyer interested in the most trusted version of an EV certificate issued by Symantec would have to pay $1,599, a 230 percent premium compared to the price of the authentic certificate.” continues the report.
“For those seeking to purchase in bulk, fully authenticated domains with EV SSL encryption and code signing capabilities could also be arranged for $1,799.”
According to Recorded Future, code-signing certificates are not widespread among malware developers because of their high price.
Vxers prefer to pay less for other AV evasion tools, such as crypters (readily available at $10-$30), which represent a good compromise between cost and effectiveness.
“Unlike ordinary crypting services readily available at $10-$30 per each encryption, we do not anticipate counterfeit certificates to become a mainstream staple of cybercrime due to its prohibitive cost.” concluded the report. “However, undoubtedly, more sophisticated actors and nation-state actors who are engaged in less widespread and more targeted attacks will continue using fake code signing and SSL certificates in their operations.”
(Security Affairs – code signing certificates, cybercrime)
The post Counterfeit Code-Signing certificates even more popular, but still too expensive appeared first on Security Affairs.
Posted: 25 Feb 2018 05:14 AM PST
Czech President Milos Zeman wants the Russian hacker Yevgeni Nikulin, who is charged with hacking social networks and with fraud, to be extradited to Russia instead of the US.
Yevgeni Nikulin (29) is wanted by the US for alleged cyber attacks on social networks and by the Russian authorities, who have charged him with fraud.
According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox.
The Russian criminal was arrested in Prague in October 2016 in an international joint operation with the FBI.
In May, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to the Justice Minister Robert Pelikan.
“It is true there have been two meetings this year where the president asked me not to extradite a Russian citizen to the United States but to Russia,” the website of the weekly newspaper Respekt quoted Pelikan as saying.
In 2016, Pelikan refused to extradite two Lebanese citizens charged by a US court with several crimes, including the sale of ground-to-air missiles and cocaine trafficking.
“Respekt also quoted Babis, who professes a strong pro-EU and NATO stance, as saying earlier this month he would prefer Nikulin to be sent to the United States, but had no power over the decision. His spokeswoman declined comment.” reported the New York Times.
Zeman, who was re-elected in January, is known for his pro-Russian line and his opposition to the Western sanctions imposed on Russia over its 2014 annexation of Crimea.
The Respekt site said last week Pelikan received Vratislav Mynar, the head of Zeman’s office.
“It’s none of your business, but I have handed the minister a letter from the detained Nikulin’s mother,” Mynar told aktualne.cz.
Nikulin’s lawyer Martin Sadilek told AFP that Nikulin alleges that FBI investigators had tried twice to persuade him to confess to cyberattacks on the DNC.
(Security Affairs – Yevgeni Nikulin, cybercrime)
Posted: 25 Feb 2018 01:49 AM PST
A new round of the weekly SecurityAffairs newsletter arrived!
The best news of the week with Security Affairs.
Once again thank you!
Posted: 25 Feb 2018 12:29 AM PST
Security researchers at Core Security have discovered a dozen vulnerabilities in Trend Micro Linux-based Email Encryption Gateway.
Security researchers at Core Security have discovered a dozen flaws in Trend Micro Linux-based Email Encryption Gateway, some of which have been rated critical or high severity. The flaws received the CVE identifiers CVE-2018-6219 through CVE-2018-6230.
The most severe flaw could be exploited by a local or remote attacker with access to the targeted system to execute arbitrary commands with root privileges.
“Encryption for Email Gateway is a Linux-based software solution providing the ability to perform the encryption and decryption of email at the corporate gateway, regardless of the email client, and the platform from which it originated. The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses,” states Core Security.
“Multiple vulnerabilities were found in the Trend Micro Email Encryption Gateway web console that would allow a remote unauthenticated attacker to gain command execution as root.”
The most serious vulnerability is CVE-2018-6223, which relates to missing authentication for appliance registration. Administrators use a registration endpoint to configure the virtual appliance running Email Encryption Gateway during deployment.
The researchers discovered that attackers can access the endpoint without authentication to set administrator credentials and make other changes to the configuration.
“The registration endpoint is provided for system administrators to configure the virtual appliance upon deployment. However, this endpoint remains accessible without authentication even after the appliance is configured, which would allow attackers to set configuration parameters such as the administrator username and password.” continues the analysis.
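The flaw class described above, a setup endpoint that keeps accepting administrator credentials without authentication after the appliance has been configured, is easy to see in a small model. The following is an added illustration written for this digest; it is not Trend Micro's code and does not reproduce Core Security's advisory. The `Appliance` state object, the dictionary-shaped request, and the two handler names are constructed assumptions; the point is the `configured` check that the hardened handler adds.

```python
"""Constructed model of an appliance registration endpoint.

register_vulnerable(): accepts new admin credentials at any time, with no
authentication (the behaviour the advisory describes).
register_hardened():   open only until first-boot setup completes; after
that, changes require the current administrator's credentials.
All names and the request shape are hypothetical.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Appliance:
    """In-memory configuration state of a hypothetical virtual appliance."""
    configured: bool = False
    admin_user: str = ""
    admin_pw_hash: bytes = b""
    salt: bytes = field(default_factory=lambda: os.urandom(16))

    def set_admin(self, user: str, password: str) -> None:
        """Store the administrator account and mark setup as complete."""
        self.admin_user = user
        self.admin_pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        self.configured = True

    def check_admin(self, user: str, password: str) -> bool:
        """Constant-time comparison of a presented credential pair."""
        if not self.configured:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        user_ok = hmac.compare_digest(user.encode(), self.admin_user.encode())
        pw_ok = hmac.compare_digest(candidate, self.admin_pw_hash)
        return user_ok and pw_ok


def register_vulnerable(app: Appliance, request: dict) -> tuple:
    """Vulnerable pattern: anyone who can reach the endpoint can overwrite
    the administrator account, before or after initial setup."""
    app.set_admin(request["user"], request["password"])
    return 200, "registered"


def register_hardened(app: Appliance, request: dict) -> tuple:
    """Hardened pattern: the unauthenticated path exists only while the
    appliance is unconfigured; afterwards the caller must prove it already
    holds the administrator credentials (passed here as request['auth'])."""
    if app.configured:
        auth = request.get("auth")
        if not auth or not app.check_admin(auth.get("user", ""),
                                           auth.get("password", "")):
            # Worth logging: a post-setup registration attempt without
            # valid credentials is exactly the traffic a defender wants to see.
            return 401, "authentication required"
    app.set_admin(request["user"], request["password"])
    return 200, "registered"


if __name__ == "__main__":
    # Constructed requests: a legitimate first-boot setup, then an
    # unauthenticated attempt to replace the administrator.
    setup = {"user": "admin", "password": "first-boot-secret"}
    takeover = {"user": "intruder", "password": "x"}

    weak = Appliance()
    print("vulnerable:", register_vulnerable(weak, setup),
          register_vulnerable(weak, takeover), "admin is now", weak.admin_user)

    strong = Appliance()
    print("hardened:  ", register_hardened(strong, setup),
          register_hardened(strong, takeover), "admin is still", strong.admin_user)
```

The same `configured` flag is what the advisory text says was missing: a registration endpoint that is useful once, at deployment, must either disappear or fall under the normal authentication path as soon as setup completes. Treating post-setup hits on such an endpoint as a logged security event gives the operations team a detection signal as well.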
The experts also discovered two high severity cross-site scripting (XSS) vulnerabilities, an arbitrary file write issue that can lead to command execution, an arbitrary log file location issue that also leads to command execution, and unvalidated software updates.
Remaining flaws discovered by the researchers include SQL and XML external entity (XXE) injections.
The affected packages are Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) and earlier; Trend Micro addressed ten of the vulnerabilities in version 5.5 build 1129.
According to the report timeline, Trend Micro took more than six months to issue the patches.
Trend Micro confirmed that a medium severity CSRF issue and a low severity SQL injection vulnerability have not been patched due to the difficulties of implementing a fix.
(Security Affairs – Trend Micro Email Encryption Gateway, hacking)