Security Affairs newsletter Round 153 – News of the week

Posted: 11 Mar 2018 07:01 AM PDT

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

GCHQ fears energy smart meters could expose millions of Britons to hack
Recent Memcached DDoS attacks drive RDoS extortion practice
Applebee restaurants suffered payment card breach
Critical flaw in Pivotal's Spring Data REST allows hacking of any machine that runs an application built on its components
New attacks on 4G LTE networks allow attackers to spy on users and spoof emergency alerts
SgxPectre attack can reveal the content of the SGX enclave
ComboJack Malware alters Windows clipboards to steal cryptocurrencies and payments
Facebook improves link security infrastructure by implementing HSTS Preloading
World's largest DDoS attack record broken by a new memcached DDoS attack
For the second time in two weeks CDOT shut down computers after a ransomware infection
Funny? Useful? Cool? Kali Linux natively on Windows 10
RCE flaw in Exim MTA affects half of the email servers online
Two PoC exploits for Memcached DDoS attacks have been released online
Corero Network discovered a Kill Switch for Memcached DDoS attacks
Group-IB supported law enforcement in dismantling Ukrainian DDoS crime gang
Hardcoded password and Java deserialization flaws found in Cisco products
Leaked NSA dump contains tools developed by NSA Territorial Dispute to track state-sponsored hackers
CIGslip attack could allow hackers to bypass Microsoft Code Integrity Guard
Dofoil Trojan used to deploy cryptocurrency miner on more than 500,000 PCs in a few hours
Olympic Destroyer, alleged artifacts and false flag make attribution impossible
Russian hackers stole 860,000 euros from 32 ATMs belonging to Raiffeisen Romania in just one night
North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware
Sophisticated APT group compromised routers to deliver Slingshot Spyware

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 153 – News of the week appeared first on Security Affairs.

Hacking Team is back … probably it never stopped its activity. Watch Out!

Posted: 11 Mar 2018 05:26 AM PDT

ESET collected evidence of Hacking Team's activity after the 2015 hack; the company published an interesting analysis based on post-hack samples found in the wild.

Security researchers at ESET have spotted previously unreported samples of the Remote Control System (RCS), the surveillance software developed by the Italian company Hacking Team, in fourteen countries.

The malware researchers who analyzed the samples believe that Hacking Team's developers are continuing the development of the surveillance malware.

Since 2003, Hacking Team has gained notoriety for selling surveillance tools to governments and intelligence agencies, but human rights research groups criticized its alleged sales to authoritarian regimes.

The Remote Control System (RCS) is sophisticated spyware that can turn a device into a surveillance tool by activating the webcam and microphone, extracting information from the targeted device, and intercepting emails and instant messages.

The company made the headlines in July 2015 when it suffered a major security breach: attackers exfiltrated 400GB of internal data, including the spyware source code.

After the hack, Hacking Team was forced to ask its customers to stop all operations and not use the spyware.

“The first reports suggesting Hacking Team's resumed operations came six months later – a new sample of Hacking Team's Mac spyware was apparently in the wild.” states the analysis published by ESET.

“A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team's shareholder structure, with Tablem Limited taking 20% of Hacking Team's shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.”

The experts started the investigation after researchers from the Citizen Lab provided them with information that led to the discovery of a version of the RCS software signed with a previously unseen, valid digital certificate.

The researchers uncovered many samples of Hacking Team spyware created after the 2015 data breach; their code implements some changes compared to the variants released before the source code leak.

“The samples were compiled between September 2015 and October 2017. We have deemed these compilation dates to be authentic, based on ESET telemetry data indicating the appearance of the samples in the wild within a few days of those dates.” continues the analysis.

“Further analysis led us to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.”

ESET found six different certificates issued in succession: four of them were issued by Thawte to four different companies, and two were issued to the Hacking Team co-founder Valeriano Bedeschi and to a person named Raffaele Carnacina.

The samples analyzed have forged Manifest metadata to trick users into believing that they are using legitimate applications such as "Advanced SystemCare 9 (9.3.0.1121)", "Toolwiz Care 3.1.0.0" and "SlimDrivers (2.3.1.10)".

To avoid detection, the malware authors behind the samples have been using VMProtect, a technique also observed in Hacking Team spyware used before the HT hack.

The researchers believe that Hacking Team's own developers built the post-leak samples, and not some other APT that borrowed their code.


“The connections among these samples alone could have originated with virtually any group re-purposing the leaked Hacking Team source code or installer – as was the case with Callisto Group in early 2016. We have, however, collected further evidence that ties these post-leak samples to Hacking Team's developers themselves.”

The samples analyzed continue the versioning progression used in the pre-leak samples; the experts also noticed that the same component names (Scout and Soldier) present in past code appear in the new samples.

The researchers also discovered a subtle difference between the pre-leak and the post-leak samples in the size of the Startup file. They pointed out that before the leak the size of the copied file was 4MB, whereas in the post-leak samples this file copy operation is padded to 6MB, most likely as a primitive detection evasion technique.

The following table shows the timeline of the Hacking Team Windows spyware samples. The red item is the code reuse attributed to the Callisto APT Group.

[Table: timeline of Hacking Team Windows spyware samples]

The experts found further differences that led them to attribute the new samples to the original HT development team, but they declined to disclose them in order to continue tracking the group.

The post-leak samples analyzed by the researchers were, in at least two cases, delivered in spear-phishing messages with an executable file disguised as a PDF document.

“Furthermore, our research has confirmed that the changes introduced in the post-leak updates were made in line with Hacking Team's own coding style and are often found in places indicating a deep familiarity with the code.” concludes ESET.

“It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code.”

Pierluigi Paganini

(Security Affairs – Hacking Team, RCS)

The post Hacking Team is back … probably it never stopped its activity. Watch Out! appeared first on Security Affairs.

Governments rely on Sandvine network gear to deliver spyware and miners

Posted: 11 Mar 2018 12:37 AM PST

According to Citizen Lab, some governments are using Sandvine network gear installed at internet service providers to deliver spyware and cryptocurrency miners.

Researchers at the human rights research group Citizen Lab have discovered that netizens in Turkey, Egypt and Syria who attempted to download legitimate Windows applications from official vendor websites (i.e. Avast Antivirus, CCleaner, Opera, and 7-Zip) were infected with nation-state malware.

According to the organization, local governments, with the help of internet service providers, used deep-packet inspection boxes to hijack the traffic.

“This report describes how we used Internet scanning to uncover the apparent use of Sandvine/Procera Networks Deep Packet Inspection (DPI) devices (i.e. middleboxes) for malicious or dubious ends, likely by nation-states or ISPs in two countries.” states the report published by Citizen Lab.

Citizen Lab started this investigation in September after the researchers at ESET uncovered a surveillance campaign using a new variant of FinFisher spyware, also known as FinSpy.

FinFisher infected victims in seven countries, and the experts believe that in two of them the major internet providers were involved.

The Citizen Lab researchers found Sandvine PacketLogic devices being used on the networks of Türk Telekom and Telecom Egypt to distribute malware designed for varying purposes, ranging from surveillance to cryptocurrency mining.

“After an extensive investigation, we matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting.” states the report.

“The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns.”

[Image: Sandvine device]

The researchers highlighted that the official websites for these legitimate applications redirect users to non-HTTPS downloads by default, making it easy for an on-path attacker to redirect users.

The experts reported the case of CBS Interactive's Download.com, whose users were redirected to downloads containing spyware in Turkey and Syria.

The surveillance malware the researchers found bundled by the operators was similar to that used in the espionage campaigns conducted by the StrongPity APT.

The experts discovered that the Sandvine boxes were used in Egypt to distribute either affiliate ads or browser cryptocurrency mining scripts.
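The plaintext download hop described above is the point where an on-path middlebox can rewrite a response. The following added example (not code from the Citizen Lab report) audits a download's redirect chain with two heuristics: an HTTPS-to-HTTP downgrade, and a hop that leaves the vendor's registrable domain right after a plaintext request, which is the shape of the injected redirects the report describes. The chains, hostnames and the 203.0.113.7 address are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed redirect chains for illustration; each is the sequence of URLs a
# client visited while fetching an installer. Not data from the Citizen Lab report.
CHAINS = {
    "clean_https": [
        "https://vendor.example/download",
        "https://cdn.vendor.example/setup.exe",
    ],
    "plaintext_downgrade": [
        "https://vendor.example/download",
        "http://cdn.vendor.example/setup.exe",
    ],
    "injected_redirect": [
        "https://vendor.example/download",
        "http://cdn.vendor.example/setup.exe",
        "http://203.0.113.7/setup.exe",  # TEST-NET-3 address, constructed
    ],
}


def host_of(url):
    return urlsplit(url).hostname or ""


def registrable(host):
    """Crude registrable-domain approximation: last two labels (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_chain(chain):
    """Return (kind, url) findings for each suspicious hop in a download redirect chain."""
    findings = []
    origin = registrable(host_of(chain[0]))
    for prev, cur in zip(chain, chain[1:]):
        prev_scheme = urlsplit(prev).scheme
        cur_scheme = urlsplit(cur).scheme
        # Hop 1 pattern: the vendor page itself sends the client to a plaintext URL.
        if prev_scheme == "https" and cur_scheme == "http":
            findings.append(("downgrade", cur))
        # Hop 2 pattern: a plaintext request is answered with a redirect off the
        # vendor's domain, which is what an injecting middlebox produces.
        if prev_scheme == "http" and registrable(host_of(cur)) != origin:
            findings.append(("offsite_after_plaintext", cur))
    return findings


if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(name, audit_chain(chain) or "no findings")
```

Pairing this with a check of the downloaded file's hash against the vendor's published value catches the case where the middlebox swaps the payload without changing the URL.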

“The middleboxes were being used to redirect users across dozens of ISPs to affiliate ads and browser cryptocurrency mining scripts. The Egyptian scheme, which we call AdHose, has two modes.” continues the report. “In spray mode, AdHose redirects Egyptian users en masse to ads for short periods of time. In trickle mode, AdHose targets some JavaScript resources and defunct websites for ad injection. AdHose is likely an effort to covertly raise money.”

According to Citizen Lab, the same boxes are also reportedly used for censorship, for example blocking access to websites such as Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic.

Citizen Lab reported its findings to Sandvine, but the firm dismissed the study as “false, misleading, and wrong,” and asked the organization to return the second-hand PacketLogic device used in the investigation.

Sandvine asked the experts to delay publication of the report, claiming that the researchers had intentionally provided incorrect information.

On March 7, 2018, Sandvine sent a letter to the University of Toronto to express its disappointment with the Citizen Lab analysis. External counsel responded to Sandvine's letter on behalf of the University of Toronto and Citizen Lab on March 8, 2018.

Sandvine criticized the researchers' approach as unethical, pointing out that the tests were conducted on a second-hand Sandvine PacketLogic PL7720 box acquired for that purpose.

“You state, broadly, that Sandvine takes seriously its commitment to corporate social responsibility and ethical use of its products,” reads a letter sent by attorneys representing the University and Citizen Lab. “However, you have not responded to any of the specific questions asked of Sandvine by Citizen Lab in letters dated February 16 and March 1, 2018.”

Pierluigi Paganini

(Security Affairs – Sandvine, spyware)

The post Governments rely on Sandvine network gear to deliver spyware and miners appeared first on Security Affairs.