- Fancy Bear abuses LoJack security software in targeted attacks
- Cambridge Analytica is shutting down after Facebook privacy scandal, is it true?
- Mysterious findings emerged from the analysis of the SiliVaccine North Korea’s antivirus software
- GitHub urged some users to reset their passwords after accidentally recording them in internal logs
- Man who hacked computer system of Washtenaw County Jail to alter inmate records gets 7-Years in prison
- CVE-2018-8781 privilege escalation flaw was introduced in the Linux kernel 8 years ago
Posted: 02 May 2018 09:27 PM PDT
Recently, several LoJack agents were found to be connecting to servers that are believed to be controlled by the notorious Russia-linked Fancy Bear APT group.
LoJack for Laptops is anti-theft software designed to help recover stolen computers, but in theory it can be abused to spy on the device’s legitimate owner.
LoJack can locate a stolen laptop, lock it, or wipe its contents, which makes it a valuable tool for enterprises that want an additional layer of protection for their assets.
What happens when an intelligence agency or another nation-state actor manages to hijack this kind of software?
According to experts at Netscout Arbor Networks, several LoJack agents (rpcnetp.exe) were recently found connecting to servers believed to be controlled by the Russia-linked Fancy Bear APT group.
“ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.” reads the report published by Netscout.
“ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains. Fancy Bear has been tied to three of the domains in the past.”
Five LoJack agents discovered by the experts were pointing to four C&C servers, three of which have been associated with past campaigns conducted by the Fancy Bear APT group.
This led the experts to believe that nation-state hackers have backdoored certain copies of LoJack to use them as a surveillance tool, likely as part of a cyber espionage campaign.
The analysis of the samples revealed that the attackers did not add any functionality to the binary; only the hardcoded command-and-control configuration was changed. The researchers published a YARA rule to help administrators identify LoJack samples abused in this way.
“The LoJack agent protects the hardcoded [command-and-control] URL using a single byte XOR key; however, it blindly trusts the configuration content. Once an attacker properly modifies this value then the double-agent is ready to go,” continues the analysis.
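A single-byte XOR “protection” is trivially reversible, and reversing it is exactly what an analyst does to pull the configured C2 out of a suspect agent before comparing it with known Fancy Bear infrastructure. The following C program is an added example, not Netscout/ASERT code and not the agent’s own routine: it brute-forces all 256 keys over a blob and recovers the first plausible URL. The blob, the key (0x5A) and the URL “https://c2.example.net/check” are constructed for the demonstration; the real layout of rpcnetp.exe is not reproduced.

```c
/*
 * Added example, not Netscout/ASERT code: brute-force the single-byte XOR
 * key that hides a hardcoded URL in a blob and recover the URL, the way an
 * analyst would pull the C2 out of a LoJack agent before checking it against
 * known Fancy Bear infrastructure. The blob, the key (0x5A) and the URL are
 * constructed here; the real layout of rpcnetp.exe is not reproduced.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Printable characters allowed inside a decoded URL (RFC 3986 set plus '%'). */
static int url_char(uint8_t c)
{
    if (c < 0x21 || c > 0x7e) return 0;          /* also rejects NUL */
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z') || strchr("-._~:/?#[]@!$&'()*+,;=%", c) != NULL;
}

/*
 * Try every key 0..255 and look for a scheme prefix after decoding.  On
 * success returns 1, stores the key in *key_out and the decoded URL (at most
 * outlen-1 bytes) in out; returns 0 when no plausible URL is found.
 */
int find_xor_url(const uint8_t *buf, size_t len, uint8_t *key_out,
                 char *out, size_t outlen)
{
    static const char *schemes[] = { "https://", "http://" };

    for (int key = 0; key < 256; key++) {
        for (size_t i = 0; i < len; i++) {
            for (size_t s = 0; s < 2; s++) {
                size_t plen = strlen(schemes[s]), j;
                if (i + plen > len) continue;
                for (j = 0; j < plen; j++)
                    if ((uint8_t)(buf[i + j] ^ key) != (uint8_t)schemes[s][j]) break;
                if (j != plen) continue;

                /* Scheme matched: extend while bytes still decode to URL chars. */
                size_t n = 0;
                while (i + n < len && n + 1 < outlen && url_char((uint8_t)(buf[i + n] ^ key)))
                    out[n] = (char)(buf[i + n] ^ key), n++;
                out[n] = '\0';
                if (n > plen + 3) {              /* require at least a host part */
                    *key_out = (uint8_t)key;
                    return 1;
                }
            }
        }
    }
    return 0;
}

/* Constructed sample blob: 16 bytes of filler, then the URL (with its NUL) XORed with 0x5A. */
static uint8_t g_blob[96];
static char    g_url[96];

static size_t build_sample(void)
{
    const char *url = "https://c2.example.net/check";    /* constructed, not a real C2 */
    size_t n = 0;
    for (; n < 16; n++) g_blob[n] = 0x90;
    for (size_t i = 0; i <= strlen(url); i++) g_blob[n++] = (uint8_t)url[i] ^ 0x5A;
    return n;
}

/* Runs the recovery on the sample; returns the key found, or -1. */
int sample_key(void)
{
    uint8_t key;
    size_t len = build_sample();
    return find_xor_url(g_blob, len, &key, g_url, sizeof g_url) ? key : -1;
}

/* URL recovered by the last sample_key() call. */
const char *sample_url(void) { return g_url; }

int main(void)
{
    int key = sample_key();
    if (key < 0) { puts("no URL found"); return 1; }
    printf("key=0x%02X url=%s\n", key, sample_url());
    return 0;
}
```

The recovered URL is the value to check against the four domains in the Netscout report: because the agent trusts whatever it decodes, a modified configuration is the only artifact that distinguishes a hijacked agent from a clean one.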
Abusing this kind of software for cyber espionage is particularly insidious because common anti-malware products and security applications whitelist it as legitimate.
“Hijacking legitimate software is a common enough tactic for malicious actors. What makes this activity so devious is the binaries hijacked being labeled as legitimate or simple "Risk Tool", rather than malware. As a result, rogue Lojack samples fly under the radar and give attackers a stealthy backdoor into victim systems.” concluded the experts.
At the time of writing, the initial attack vector is still unclear.
(Security Affairs – LoJack, Fancy Bear)
The post Fancy Bear abuses LoJack security software in targeted attacks appeared first on Security Affairs.
Posted: 02 May 2018 01:58 PM PDT
Cambridge Analytica, the commercial data analytics company at the centre of the Facebook privacy scandal, is ceasing all operations.
Cambridge Analytica, the data analytics company at the center of one of the biggest privacy scandals of recent years, has announced it is “ceasing all operations” following the Facebook data scandal.
An official statement released by the company says it had been “the subject of numerous unfounded accusations” and was “vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas.”
The firm used data harvested from Facebook users to target US voters in the 2016 presidential election.
The data were collected by a group of academics who then shared them with Cambridge Analytica, as Facebook later confirmed. The researchers used an app developed by University of Cambridge psychology lecturer Dr. Aleksandr Kogan to collect the user data.
Cambridge Analytica has always denied that it used the harvested data for the Trump campaign or to influence the presidential election.
In the wake of the scandal, Facebook decided to tighten its privacy restrictions.
“Over the past several months, Cambridge Analytica has been the subject of numerous unfounded accusations and, despite the company’s efforts to correct the record, has been vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas,” said Clarence Mitchell, a spokesman for Cambridge Analytica.
“Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully, which view is now fully supported by Mr Malins’ report (independent investigator Julian Malins), the siege of media coverage has driven away virtually all of the company’s customers and suppliers.” continued the announcement issued today by the data analytics company.
“As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the company into administration.”
Although Cambridge Analytica said it would cooperate with the UK authorities investigating the Facebook scandal, last month Information Commissioner Elizabeth Denham said the company had failed to meet a deadline to produce the information requested.
According to the statement published on Cambridge Analytica’s website, its parent company SCL Elections is also commencing bankruptcy proceedings.
Journalists and experts remain skeptical about the companies’ decision to shut down.
(Security Affairs – privacy scandal, Facebook)
Posted: 02 May 2018 05:56 AM PDT
Security experts at Check Point who analyzed North Korea’s antivirus software SiliVaccine discovered it is based on a 10-year-old anti-malware engine developed by Trend Micro.
Check Point received a very rare sample of SiliVaccine from freelance journalist Martyn Williams.
The researchers discovered the SiliVaccine application contained "large chunks of 10+-year-old antivirus engine code belonging to Trend Micro," a circumstance confirmed by Trend Micro.
“In an exclusive piece of research, Check Point Researchers have carried out a revealing investigation into North Korea's home-grown anti-virus software, SiliVaccine. One of several interesting factors is that a key component of SiliVaccine's code is a 10-year-old copy of one of Trend Micro's, a Japanese company, software components.” reads the analysis published by CheckPoint.
On July 8th 2014 Mr. Williams received an email containing a link to the software, sent by someone going by the name ‘Kang Yong Hak’, whose mailbox has since become unreachable.
Kang Yong Hak is believed to be a Japanese engineer; the email contained a link to a Dropbox-hosted zip file holding a copy of SiliVaccine, a readme file in Korean explaining how to use it, and a suspicious-looking file posing as a patch for SiliVaccine.
The analysis revealed another interesting feature: the North Korean antivirus whitelists a specific malware signature that the legitimate Trend Micro engine does detect.
According to the experts, the whitelisted signature may cover nation-state malware that North Korea wants to keep running for surveillance purposes.
“During our research we discovered that the authors of SiliVaccine have chosen to white-list a single very specific malware signature, and effectively ignore any detection of files matching that specific signature. The white-listed signature is Trend Micro's 'MAL_NUCRP-5', described by Trend Micro as:
"…the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known NUWAR, TIBS, and ZHELAT variants." continues the analysis.
“This signature doesn't seem to be related to any one specific malware, but rather seems to detect specific packing related characteristics common in some malware.”
Check Point noted other peculiarities, for example the use of the Themida and Unopix packers, which malware authors commonly use to hinder analysis.
Since SiliVaccine is the only antivirus software in North Korea, the packers were likely used to make analysis by foreign actors harder.
Check Point also found that the antivirus uses a custom encryption scheme for its pattern files, based on a modified SHA-1 hashing algorithm.
The experts also found that SiliVaccine uses three driver components:
“This revealing exploration into SiliVaccine may well raise suspicions of authenticity and motives of the IT security products and operations of this Hermit Kingdom.” concludes Check Point.
“While attribution is always a difficult task in cyber security, there are many questions raised by our findings. What is clear, however, are the shady practices and questionable goals of SiliVaccine's creators and backers.”
(Security Affairs – SiliVaccine, North Korea)
Posted: 02 May 2018 04:47 AM PDT
GitHub, the world’s leading software development platform, forced a password reset for some users after discovering a bug that caused its internal logs to record passwords in plain text.
The company urged the affected users to reset their passwords; the problem was found during a regular internal audit, and some users published the email they received on Twitter.
GitHub immediately clarified that its systems were not hacked and that user data is not at risk.
According to GitHub, only a “small number” of users are affected; the company forced a password reset on their accounts and confirmed that the bug has been fixed.
The email details the problem and explains that passwords are normally stored securely.
"GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset," GitHub said.
The company added that the plaintext passwords were only visible in internal log files accessible to a small portion of its staff and were never publicly available.
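The failure mode GitHub describes is a generic one: the password store is fine (bcrypt), but a request-logging path captures the submitted form before hashing. The usual control is a scrub step at the logging boundary that blanks known secret fields before anything is written. The C function below is an added example, not GitHub’s code; the list of secret field names and the sample log line are assumptions constructed for the demonstration.

```c
/*
 * Added example, not GitHub's code: scrub secret form fields out of a request
 * line before it reaches a log.  The field names and the sample line are
 * assumptions; the point is that redaction happens before the write, so the
 * password never appears in the log in the first place.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Form/query parameter names whose values must never be logged (assumed list). */
static const char *SECRET_KEYS[] = { "password", "password_confirmation", "old_password", NULL };

static int is_secret_key(const char *key, size_t klen)
{
    for (int i = 0; SECRET_KEYS[i]; i++)
        if (strlen(SECRET_KEYS[i]) == klen && strncmp(SECRET_KEYS[i], key, klen) == 0)
            return 1;
    return 0;
}

/* Bounded append; silently truncates when out is full. */
static void put(char *out, size_t outlen, size_t *o, const char *s, size_t n)
{
    for (size_t i = 0; i < n && *o + 1 < outlen; i++) out[(*o)++] = s[i];
}

/*
 * Copy `in` to `out`, replacing the value of every secret key=value pair with
 * "[REDACTED]".  A key starts at the beginning of the line or right after
 * '&', '?' or a space; its value ends at '&', a space, or end of line.
 * Returns the number of values redacted.  `out` is always NUL-terminated.
 */
int redact_secrets(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int redacted = 0, at_key_start = 1;
    const char *p = in;

    while (*p && o + 1 < outlen) {
        if (at_key_start) {
            const char *eq = p;
            while (isalnum((unsigned char)*eq) || *eq == '_' || *eq == '-') eq++;
            if (*eq == '=' && is_secret_key(p, (size_t)(eq - p))) {
                put(out, outlen, &o, p, (size_t)(eq - p) + 1);          /* keep "key=" */
                put(out, outlen, &o, "[REDACTED]", 10);
                p = eq + 1;
                while (*p && *p != '&' && *p != ' ' && *p != '\n') p++;  /* drop the value */
                redacted++;
                at_key_start = 0;
                continue;
            }
        }
        at_key_start = (*p == '&' || *p == '?' || *p == ' ');
        out[o++] = *p++;
    }
    out[o] = '\0';
    return redacted;
}

/* Constructed log line of the kind a password-reset handler might emit. */
static const char *SAMPLE_LINE =
    "POST /password_reset user=alice&password=hunter2&password_confirmation=hunter2 200";
static char g_out[256];

int demo_count(void) { return redact_secrets(SAMPLE_LINE, g_out, sizeof g_out); }
const char *demo_line(void) { return g_out; }

int main(void)
{
    int n = demo_count();
    printf("%d value(s) redacted: %s\n", n, demo_line());
    return 0;
}
```

Note that the filter keys on parameter names, not values: a query such as q=password is left untouched, while any field named in SECRET_KEYS is blanked wherever it appears in the line.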
In June 2016 the company took a similar measure, forcing a password reset for customers after it became aware of unauthorized attempts to access a large number of accounts.
GitHub accounts can be a mine of information for attackers: in March 2017 threat actors targeted developers who own repositories with a data-stealing malware called Dimnie. The malicious code includes keylogging and screenshot-capture modules; the attackers were searching for something of interest among the huge number of projects hosted on the platform.
(Security Affairs – GitHub , password)
Posted: 02 May 2018 12:18 AM PDT
Konrads Voits, who hacked into the computer system of Washtenaw County Jail to alter inmate records and obtain the early release of a friend, has been sentenced to more than seven years in prison.
In March 2017, Konrads Voits (27) hacked into the computer system of Washtenaw County Jail to alter inmate records and gain an early release for his friend.
The hack was discovered by an IT employee who noticed an anomaly in the inmate’s release date and promptly alerted the FBI, which identified and arrested Voits a month later.
According to prosecutors, Voits phoned jail personnel pretending to be a manager in the county’s IT department and tricked them into downloading and executing malicious code delivered through the website “ewashtenavv.org”, a rogue version of the legitimate Washtenaw County site at “ewashtenaw.org”.
According to the US Justice Department, the infection compromised personal information of around 1,600 jail employees.
Voits pleaded guilty in federal court to hacking into the Washtenaw County computer system in an attempt to get his friend released early from jail.
Last week Voits was sentenced to seven years and three months in prison. He was also ordered to pay $238,517 in restitution to Washtenaw County for the costs of investigating the intrusion and cleaning up the infected systems.
“An Ypsilanti resident was sentenced today to 87 months in prison for damaging a protected computer, United States Attorney Matthew Schneider announced.” states the DoJ.
Voits also surrendered the equipment used in the hack: a laptop, four mobile phones, $385.49 worth of Bitcoin, and one “Green Integrated Circuit Component”.
“The sentence was imposed by United States District Judge Robert H. Cleland who also ordered restitution in the amount of $238,517 to be paid to Washtenaw County and a 3-year term of supervised release. As part of the sentencing, Voits forfeited all interests he had in some bitcoins, and in various electronic devices, including a laptop, an integrated circuit component, and several cellular phones.” continues the DoJ.
Posted: 01 May 2018 10:48 PM PDT
Researchers from security firm Check Point discovered a vulnerability in a Linux kernel driver, tracked as CVE-2018-8781, that leads to local privilege escalation.
The CVE-2018-8781 flaw, introduced eight years ago, can be exploited by a local user with access to the vulnerable privileged driver to escalate privileges and read from and write to sensitive kernel memory.
The experts explained that it is common for drivers to implement their own versions of the file operation functions, which is visible in a driver’s file_operations struct.
Such implementations can introduce flaws such as integer overflows and missing input validation.
The CVE-2018-8781 flaw revealed by Check Point affects the internal mmap() handler defined in the fb_helper file operations of the “udl” driver for DisplayLink devices.
“A classic driver should probably look like this:”
The prototype of the mmap() function as seen from user space shows numerous fields that an attacker can control to potentially trigger vulnerabilities.
According to the experts, developers should perform at least the following checks to avoid integer overflows:
"In actual fact, the last check can be spared since the Linux kernel will sanitize the supplied length, making it practically impossible to pass the first two checks while still passing the third check," continues Check Point.
The experts discovered the CVE-2018-8781 vulnerability while analyzing remap_pfn_range(), a function that maps physical memory pages into user space.
They searched for all modules using remap_pfn_range (grep for “remap_pfn_range”), which returned 158 results; filtering for drivers narrowed the list to six candidates.
“The video/drm module in the kernel defines a default mmap() wrapper that calls the real mmap() handler defined by the specific driver. In our case the vulnerability is in the internal mmap() defined in the fb_helper file operations of the "udl" driver of "DisplayLink".” discovered the researchers.
This is how the researchers spotted an integer overflow in the driver.
“This is a classic example for an Integer-Overflow. Since offset is unsigned the programmer skipped check #1 and went directly to check #2. However, the calculation "offset + size" could wrap-around to a low value, allowing us to bypass the check while still using an illegal "offset" value.” continues the analysis.
“on 64 bit machines there are only 48 bits of accessible memory, meaning that if we use a huge "offset" to bypass this check we will also have to make sure that "info->fix.smem_start + offset" will wrap-around to a valid mapable physical address.”
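The arithmetic behind the two quotes above is easy to reproduce in user space. The C program below is an added example, not the udl driver’s code or Check Point’s proof of concept: it models the mmap() bounds check in its vulnerable form (compare offset + size after the addition) and in a hardened form (bound offset first, then compare size against the remaining length so no addition can wrap), and shows what physical address the vulnerable path would hand to remap_pfn_range(). It uses uint64_t so the 64-bit wrap-around is explicit on any host; the framebuffer length (4 MiB) and physical base (0xC0000000) are assumed values.

```c
/*
 * Added example, not the udl driver's code or Check Point's PoC: a minimal
 * model of the mmap() bounds check, in the vulnerable form and a hardened
 * form, using uint64_t so the 64-bit wrap-around is explicit on any host.
 * SMEM_LEN and SMEM_START are assumed values, not taken from real hardware.
 */
#include <stdint.h>
#include <stdio.h>

#define SMEM_LEN     ((uint64_t)4 << 20)        /* assumed 4 MiB framebuffer */
#define SMEM_START   ((uint64_t)0xC0000000)     /* assumed physical base of the framebuffer */
#define PAGE_SZ      ((uint64_t)4096)
/* Attacker-chosen byte offset (vm_pgoff << PAGE_SHIFT): -4096 mod 2^64 = 0xFFFFFFFFFFFFF000 */
#define EVIL_OFFSET  ((uint64_t)0 - PAGE_SZ)

/* Vulnerable pattern: offset + size can wrap before it is compared. */
int mmap_check_vulnerable(uint64_t offset, uint64_t size, uint64_t smem_len)
{
    if (offset + size > smem_len) return -1;   /* -EINVAL */
    return 0;
}

/* Hardened: bound each operand first, then compare without any addition. */
int mmap_check_fixed(uint64_t offset, uint64_t size, uint64_t smem_len)
{
    if (offset > smem_len) return -1;            /* check #1: offset alone out of range */
    if (size > smem_len - offset) return -1;     /* check #2 without wrap: smem_len >= offset here */
    return 0;
}

/* Physical address the vulnerable path would hand to remap_pfn_range(); also wraps mod 2^64. */
uint64_t mapped_phys(uint64_t smem_start, uint64_t offset)
{
    return smem_start + offset;
}

/* Physical address space is 48 bits wide on the machines discussed. */
int phys_is_plausible(uint64_t pa) { return pa < ((uint64_t)1 << 48); }

int main(void)
{
    uint64_t size = 2 * PAGE_SZ;
    printf("vulnerable check: %s\n",
           mmap_check_vulnerable(EVIL_OFFSET, size, SMEM_LEN) ? "rejected" : "accepted");
    printf("fixed check:      %s\n",
           mmap_check_fixed(EVIL_OFFSET, size, SMEM_LEN) ? "rejected" : "accepted");
    printf("mapping would target 0x%llx (plausible: %d)\n",
           (unsigned long long)mapped_phys(SMEM_START, EVIL_OFFSET),
           phys_is_plausible(mapped_phys(SMEM_START, EVIL_OFFSET)));
    return 0;
}
```

With an offset of 2^64 - 4096 and a size of two pages, offset + size wraps to 4096, which is well inside the 4 MiB limit, so the vulnerable check accepts it; the hardened check rejects it because the offset alone exceeds the buffer length. The resulting physical address, SMEM_START + offset, wraps to one page below the framebuffer, which is why the quote stresses that the attacker must pick the offset so that this sum lands on a valid mappable address.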
The experts verified the flaw on a 64-bit Ubuntu virtual machine using a simulated vulnerable driver whose mmap() handler contained the check under test.
The user-mode code performed two consecutive calls to mmap() on the vulnerable driver:
Setting the buffer’s address to the page-aligned physical address of the kernel’s /dev/urandom implementation produced the expected results.
Additional checks showed that the user can both read from and write to the mapped pages; an attacker could therefore eventually achieve code execution in kernel space, the researchers explain.
“While the vulnerability was found using a simple search, it was introduced to the kernel eight years ago. This fact can teach us that even on a popular open source project as the Linux Kernel, you could always hope to find vulnerabilities if you know where to search.” concluded CheckPoint.
(Security Affairs – CVE-2018-8781, Linux)
You are subscribed to email updates from Security Affairs.