Zicutake USA Comment | Search Articles




Fancy Bear abuses LoJack security software in targeted attacks

Posted: 02 May 2018 09:27 PM PDT

Recently, several LoJack agents were found to be connecting to servers that are believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

LoJack for Laptops is anti-theft software designed to help catch computer thieves, but in theory it could be abused to spy on the legitimate owner of the device.

LoJack can locate a stolen laptop, lock it or wipe its contents, which makes it a valuable tool for enterprises that want an additional layer of protection for their assets.

What happens when an intelligence agency or a nation-state actor manages to subvert this kind of software?

According to experts at Netscout Arbor Networks, several LoJack agents (rpcnetp.exe) were recently found connecting to servers believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

“ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.” reads the report published by Netscout.

“ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains.  Fancy Bear has been tied to three of the domains in the past.”

Five LoJack agents discovered by the experts were pointing to four C&C servers, three of which have been associated with past campaigns conducted by the Fancy Bear APT group.


This leads the experts to believe that nation-state hackers have backdoored certain copies of LoJack to use it as a surveillance tool, likely as part of a cyber espionage campaign.

According to the experts, the analysis of the samples revealed that the attackers did not add any functionality to the binary; the only change is the hardcoded C2 address the agent reports to. The researchers published a YARA rule to help administrators identify LoJack samples abused in this way.

“The LoJack agent protects the hardcoded [command-and-control] URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content,” the report says. “Once an attacker properly modifies this value then the double-agent is ready to go,” the analysis continues.
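To make the XOR-protected configuration concrete, here is an added example in Python that is not part of the Netscout report or the LoJack product: it brute-forces the single-byte key over a constructed stand-in for the agent image, recovers the embedded C2 URL, and compares its host with an allowlist of expected vendor hosts. The sample blob, the key 0xB5, the URL c2.example.test and the allowlist host agent.vendor.example are all placeholders chosen for the example.

```python
"""Added example: recover a single-byte-XOR-obscured C2 URL from an agent image.

Not code from the Netscout/ASERT report. It tries all 256 keys and keeps
every key under which a URL-shaped string appears, which is how an analyst
can pull the hardcoded C2 out of a LoJack-style agent and compare it with
the vendor's expected infrastructure.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a stand-in for the agent binary. The key and the URL
# are placeholders chosen for this example, not values from the report.
SAMPLE_KEY = 0xB5
SAMPLE_URL = b"http://c2.example.test/agent/check"
SAMPLE_BLOB = (
    b"\x00" * 16                                          # filler
    + bytes(c ^ SAMPLE_KEY for c in SAMPLE_URL + b"\x00")  # NUL-terminated, XORed
    + b"\x00" * 16                                        # filler
)

# URL shape: scheme, then a run of characters plausible in a host/path.
URL_RE = re.compile(rb"https?://[A-Za-z0-9][A-Za-z0-9.\-_/:%]*")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_urls(blob: bytes) -> list[tuple[int, str]]:
    """Return (key, url) for every key whose decoding exposes a URL.

    Key 0 covers URLs stored in the clear, so a binary that also contains
    plaintext URLs reports those too; the caller tells them apart by key.
    """
    hits = []
    for key in range(256):
        for match in URL_RE.finditer(xor_bytes(blob, key)):
            hits.append((key, match.group().decode("ascii")))
    return hits


def is_unexpected_c2(url: str, expected_hosts: set[str]) -> bool:
    """True when the host in url is not one of the vendor hosts we expect."""
    host = (urlparse(url).hostname or "").lower()
    return host not in {h.lower() for h in expected_hosts}


if __name__ == "__main__":
    # Hypothetical allowlist; a real check would use the hosts the vendor
    # actually publishes for its agent.
    EXPECTED = {"agent.vendor.example"}
    for key, url in find_xor_urls(SAMPLE_BLOB):
        verdict = "UNEXPECTED" if is_unexpected_c2(url, EXPECTED) else "expected"
        print(f"key=0x{key:02x} url={url} -> {verdict}")
```

Run on the constructed blob, the scan reports exactly one key (0xB5) and the placeholder URL, and flags its host as not belonging to the vendor allowlist. Against a real agent the same scan would also surface any plaintext URLs under key 0, so the key column tells you which strings were obscured.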

The abuse of this kind of software for cyber espionage is particularly dangerous and insidious because common anti-malware products and security applications whitelist it.

“Hijacking legitimate software is a common enough tactic for malicious actors. What makes this activity so devious is the binaries hijacked being labeled as legitimate or simple "Risk Tool", rather than malware. As a result, rogue Lojack samples fly under the radar and give attackers a stealthy backdoor into victim systems.” concluded the experts.


At the time of writing, the initial attack vector is still unclear.


Pierluigi Paganini

(Security Affairs – LoJack, Fancy Bear)

The post Fancy Bear abuses LoJack security software in targeted attacks appeared first on Security Affairs.

Cambridge Analytica is shutting down after Facebook privacy scandal, is it true?

Posted: 02 May 2018 01:58 PM PDT

Cambridge Analytica, the commercial data analytics company at the centre of the Facebook privacy scandal, is ceasing all operations.


Cambridge Analytica, the commercial data analytics company at the centre of the biggest privacy scandal of recent years, has announced it is “ceasing all operations” following the Facebook data scandal.

An official statement released by the company states it had been “the subject of numerous unfounded accusations” and was “vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas.”

The firm used data harvested from Facebook to target US voters in the 2016 presidential election.

The data were collected by a group of academics who then shared them with Cambridge Analytica, as Facebook later confirmed. The researchers collected the user data through an app developed by University of Cambridge psychology lecturer Dr. Aleksandr Kogan.

Cambridge Analytica has always denied that it used the collected data to influence the presidential election.

In early April, Facebook revealed that up to 87 million users had been affected by the Cambridge Analytica case, far more than the 50 million initially thought.

In the wake of the scandal, Facebook decided to tighten its privacy restrictions.

“Over the past several months, Cambridge Analytica has been the subject of numerous unfounded accusations and, despite the company’s efforts to correct the record, has been vilified for activities that are not only legal, but also widely accepted as a standard component of online advertising in both the political and commercial arenas,” said Clarence Mitchell, a spokesman for Cambridge Analytica.


“Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully, which view is now fully supported by Mr Malins’ report (independent investigator Julian Malins), the siege of media coverage has driven away virtually all of the company’s customers and suppliers.” continued the announcement issued today by the data analytics company.

“As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the company into administration.”

While Cambridge Analytica said it would cooperate with the UK authorities investigating the Facebook scandal, last month Information Commissioner Elizabeth Denham said the company had failed to meet a deadline to produce the information the authorities requested.

According to the official statement published by Cambridge Analytica on its website, its parent company SCL Elections is also commencing bankruptcy proceedings.

Journalists and experts are skeptical about the companies’ decision to shut down.

“The chair of a UK parliament committee investigating the firm’s activities also raised concerns about Cambridge Analytica and SCL Elections’ move.” reported the BBC.

“They are party to very serious investigations and those investigations cannot be impeded by the closure of these companies,” said Damian Collins MP.

“I think it’s absolutely vital that the closure of these companies is not used as an excuse to try and limit or restrict the ability of the authorities to investigate what they were doing.”

Is this the end of the story?

No, of course not. Let me close with this statement published by The Guardian about the future projects of Alexander Nix and his collaborators.

“Although Cambridge Analytica might be dead, the team behind it has already set up a mysterious new company called Emerdata. According to Companies House data, Alexander Nix is listed as a director along with other executives from SCL Group. The daughters of the billionaire Robert Mercer are also listed as directors.” reads The Guardian.

Pierluigi Paganini

(Security Affairs – privacy scandal, Facebook)


Mysterious findings emerged from the analysis of the SiliVaccine North Korea’s antivirus software

Posted: 02 May 2018 05:56 AM PDT

Security experts at Check Point who analyzed North Korea's SiliVaccine antivirus software discovered that it is based on a 10-year-old anti-malware engine developed by Trend Micro.

Check Point received the very rare sample of North Korea's SiliVaccine antivirus from freelance journalist Martyn Williams.

The researchers discovered the SiliVaccine application contained "large chunks of 10+-year-old antivirus engine code belonging to Trend Micro," a circumstance confirmed by Trend Micro.

“In an exclusive piece of research, Check Point Researchers have carried out a revealing investigation into North Korea's home-grown anti-virus software, SiliVaccine. One of several interesting factors is that a key component of SiliVaccine's code is a 10-year-old copy of one of Trend Micro's, a Japanese company, software components.” reads the analysis published by CheckPoint.


On July 8th 2014 Mr. Williams received an email containing a link to the software; the message was sent by someone going by the name 'Kang Yong Hak', whose mailbox has since become unreachable.

Kang Yong Hak is believed to be a Japanese engineer. The email contained a link to a Dropbox-hosted zip file that held a copy of the SiliVaccine software, a readme file in Korean explaining how to use it, and a suspicious-looking file posing as a patch for SiliVaccine.

The analysis revealed an interesting feature: the North Korean antivirus whitelists a specific malware signature, one that the legitimate Trend Micro engine does detect.

According to the experts, the whitelisted malware may be nation-state malware that North Korea wants to use for surveillance purposes.

“During our research we discovered that the authors of SiliVaccine have chosen to white-list a single very specific malware signature, and effectively ignore any detection of files matching that specific signature. The white-listed signature is Trend Micro's 'MAL_NUCRP-5', described by Trend Micro as:

"…the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known NUWAR, TIBS, and ZHELAT variants." continues the analysis.

“This signature doesn't seem to be related to any one specific malware, but rather seems to detect specific packing related characteristics common in some malware.”

Check Point discovered other peculiarities, for example the use of the Themida and Unopix packers, which are commonly used to make malware analysis much harder.

As SiliVaccine is the only antivirus software in North Korea, the use of packers could be motivated by the authors' intent to hinder analysis by foreign actors.

Check Point also discovered that the antivirus uses a custom scheme to encrypt its pattern files, based on a modified SHA1 hashing algorithm.

The experts discovered that SiliVaccine uses three driver components:

  • sys – Kernel-mode process information collection module.
  • sys – File system filter driver used for real-time and AV files protection.
  • sys – Network Transport Driver Interface (TDI) Driver.

“This revealing exploration into SiliVaccine may well raise suspicions of authenticity and motives of the IT security products and operations of this Hermit Kingdom.” concludes Check Point.

“While attribution is always a difficult task in cyber security, there are many questions raised by our findings. What is clear, however, are the shady practices and questionable goals of SiliVaccine's creators and backers.”

Pierluigi Paganini

(Security Affairs – SiliVaccine, North Korea)


GitHub urged some users to reset their passwords after accidentally recording them

Posted: 02 May 2018 04:47 AM PDT

GitHub, the world’s leading software development platform, forced a password reset for some users after discovering a bug that caused its internal logs to record passwords in plain text.

Some users published on Twitter the communication they received via email from the company; the incident was discovered during a regular internal audit.


The company immediately clarified that its systems were not hacked and that users’ data are not at risk.

According to GitHub, only a "small number" of users are affected; the company forced a password reset on their accounts and confirmed it has fixed the problem.

The email provides details on the problem and explains that user passwords are normally stored in a secure way.

"GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset," GitHub said.

The company added that the plaintext passwords were only accessible through internal log files available to a small portion of its staff; they were never publicly available.
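The failure mode GitHub describes, a code path that writes a whole password-reset request to the log, is easy to reproduce and easy to guard against. The following Python example is added here and is not GitHub's code: handle_reset_buggy() logs the raw request parameters, handle_reset_fixed() redacts secret-bearing fields first, and RedactingFilter is a logger-level safety net that scrubs password-like fragments even when a caller forgets. The request dictionary, the field names in SENSITIVE_KEYS and the password "hunter2" are constructed for the example.

```python
"""Added example: keep plaintext passwords out of application logs.

Not GitHub's code. Shows the bug pattern (logging a whole password-reset
request), the fix (redact before logging) and a logging.Filter that scrubs
password-like fragments as a last line of defence.
"""
import logging
import re
from io import StringIO

# Field names treated as secrets (assumption for this example).
SENSITIVE_KEYS = {"password", "password_confirmation", "new_password", "token"}


def redact(params: dict) -> dict:
    """Return a copy of params with secret-bearing values masked."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
            for k, v in params.items()}


class RedactingFilter(logging.Filter):
    """Scrub password=... and 'password': '...' fragments from log messages."""
    PATTERN = re.compile(r"(?i)(password[^=:\s]*\s*[=:]\s*['\"]?)([^\s,}&'\"]+)")

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so the scrub sees the final text, then drop args so
        # the handler does not try to format the message a second time.
        record.msg = self.PATTERN.sub(r"\1[REDACTED]", record.getMessage())
        record.args = ()
        return True


def handle_reset_buggy(params: dict, log: logging.Logger) -> None:
    # The bug: the whole request, password included, goes to the log.
    log.info("password reset requested: %s", params)


def handle_reset_fixed(params: dict, log: logging.Logger) -> None:
    # The fix: mask secret fields before the record is ever created.
    log.info("password reset requested: %s", redact(params))


def run_handler(handler, params: dict, with_filter: bool) -> str:
    """Run handler against an in-memory logger and return what got logged."""
    buf = StringIO()
    log = logging.getLogger(f"reset.{handler.__name__}.{with_filter}")
    log.handlers.clear()
    log.filters.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    if with_filter:
        log.addFilter(RedactingFilter())
    handler(params, log)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed request; "hunter2" is the secret that must never be logged.
    request = {"user": "alice", "password": "hunter2"}
    print("buggy          :", run_handler(handle_reset_buggy, request, False).strip())
    print("fixed          :", run_handler(handle_reset_fixed, request, False).strip())
    print("buggy + filter :", run_handler(handle_reset_buggy, request, True).strip())
```

The first line printed contains the password in the clear, the other two do not. The filter is deliberately installed on the logger rather than on one handler so that every sink (file, syslog, SIEM forwarder) receives the scrubbed record; it is a net under the real fix, not a substitute for redacting at the call site.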


Back in June 2016, the company took a similar measure, forcing a password reset for its customers after it became aware of unauthorized attempts to access a large number of accounts.

GitHub accounts can be a mine of information for attackers: in March 2017 threat actors targeted developers with repositories using a data-stealing malware called Dimnie. The malicious code includes keylogging features and modules that capture screenshots; the attackers were searching for something of interest among the huge number of projects hosted on the platform.

Pierluigi Paganini

(Security Affairs – GitHub , password)


Man who hacked computer system of Washtenaw County Jail to alter inmate records gets 7 years in prison

Posted: 02 May 2018 12:18 AM PDT

Konrads Voits, the man who hacked into the computer system of Washtenaw County Jail to alter inmate records and gain early release for his friend, gets 7 years in prison.

In March 2017, Konrads Voits (27) hacked into the computer system of Washtenaw County Jail to alter inmate records and gain early release for his friend.

Voits’s hack was discovered by an IT employee who noticed an anomaly in the inmate's release date and promptly alerted the FBI, which identified and arrested Voits a month later.

According to prosecutors, Voits phoned jail personnel pretending to be a manager in the County's IT department and tricked them into downloading and executing malicious code delivered through the website “ewashtenavv.org,” a look-alike of the legitimate Washtenaw County site at “ewashtenaw.org” (note the “vv” standing in for “w”).

According to the US Justice Department, the infection compromised the personal information of around 1,600 jail employees.

Konrads Voits pleaded guilty in federal court to hacking into the Washtenaw County computer system in an attempt to get his friend released early from the county jail.

Last week, Voits was sentenced to seven years and three months in prison. He was also ordered to pay $238,517 in restitution to Washtenaw County for the costs accrued in investigating the intrusion and cleaning up the infected systems.

“An Ypsilanti resident was sentenced today to 87 months in prison for damaging a protected computer, United States Attorney Matthew Schneider announced.” states the DoJ.

Voits also forfeited the equipment used for the hack: a laptop, four mobile phones, $385.49 worth of Bitcoin, and one “Green Integrated Circuit Component.”

“The sentence was imposed by United States District Judge Robert H. Cleland who also ordered restitution in the amount of $238,517 to be paid to Washtenaw County and a 3-year term of supervised release.  As part of the sentencing, Voits forfeited all interests he had in some bitcoins, and in various electronic devices, including a laptop, an integrated circuit component, and several cellular phones.” continues the DoJ.

Pierluigi Paganini

(Security Affairs – Washtenaw County Jail, hacking)


CVE-2018-8781 Privilege Escalation flaw was introduced in Linux Kernel 8 years ago

Posted: 01 May 2018 10:48 PM PDT

Researchers from security firm Check Point discovered a vulnerability in a Linux kernel driver, tracked as CVE-2018-8781, that leads to local privilege escalation.

The CVE-2018-8781 flaw, introduced eight years ago, could be exploited by a local user with access to the vulnerable driver to escalate privileges and read from and write to sensitive kernel memory.

Experts explained that it is common for drivers to implement their own versions of the file operation functions, as can be seen in a driver's file_operations struct.

Such implementations can introduce flaws such as integer overflows and missing input validation.

The CVE-2018-8781 flaw revealed by Check Point affects the internal mmap() function defined in the fb_helper file operations of the "udl" driver for DisplayLink devices.

“A classic driver should probably look like this:

  1. The driver will hold an internal buffer that represents the shared memory region with the peripheral device.
  2. The driver should only let the user access memory ranges that fall inside this buffer.” states the analysis published by CheckPoint.

The prototype of mmap() as seen from user space, mmap(addr, length, prot, flags, fd, offset), shows several attacker-controlled parameters, notably length and offset, that a driver's handler must validate before mapping memory.

According to the experts, a driver should perform at least the following checks to avoid integer overflows:

  1. Region start: 0 <= offset < buffer's end
  2. Region end: buffer's start <= offset + length <= buffer's end
  3. Region start <= Region End

"In actual fact, the last check can be spared since the Linux kernel will sanitize the supplied length, making it practically impossible to pass the first two checks while still passing the third check," continues Check Point.

The experts discovered the CVE-2018-8781 vulnerability while analyzing remap_pfn_range(), a function that maps physical memory pages into user space.

The experts searched for all the modules using the remap_pfn_range function (a grep for "remap_pfn_range") and obtained 158 results; filtering for drivers narrowed the list to six possible candidates.


“The video/drm module in the kernel defines a default mmap() wrapper that calls that real mmap()handler defined by the specific driver. In our case the vulnerability is in the internal mmap() defined in the fb_helper file operations of the "udl" driver of "DisplayLink".” discovered the researchers.

In this way, the researchers spotted an integer overflow in the driver.

“This is a classic example for an Integer-Overflow. Since offset is unsigned the programmer skipped check #1 and went directly to check #2. However, the calculation "offset + size" could wrap-around to a low value, allowing us to bypass the check while still using an illegal "offset" value.” continues the analysis.

“on 64 bit machines there are only 48 bits of accessible memory, meaning that if we use a huge "offset" to bypass this check we will also have to make sure that "info->fix.smem_start + offset" will wrap-around to a valid mapable physical address.”

The experts verified the flaw on an Ubuntu 64-bit virtual machine using a simulated vulnerable driver whose mmap() handler implemented the check under test.

The user-mode code performed two consecutive calls to mmap() on the vulnerable driver:

  1. length = 0x1000, offset = 0x0 -> sanity check
  2. length = 0x1000, offset = 0xFFFFFFFFFFFFFFFF - 0x1000 + 1 -> vulnerability check

With the buffer's address set to the page-aligned physical address of the kernel's /dev/urandom implementation, the results were the expected ones.
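To show why check #2 alone is not enough, here is an added Python model of the two mmap() handlers (it is not Check Point's code and not the udl driver): vulnerable_mmap() performs only check #2 with 64-bit unsigned wrap-around, as the vulnerable driver did, while fixed_mmap() adds check #1 and rewrites check #2 so that offset + length is never computed. Both return the physical address that would be handed to remap_pfn_range(), or None for a rejected request, and the script runs the two calls from the researchers' test against both. The framebuffer address BUF_START and size BUF_LEN are hypothetical.

```python
"""Added example: the mmap() bounds check behind CVE-2018-8781, modelled in
Python with explicit 64-bit unsigned wrap-around.

Not Check Point's code and not the udl driver. Both handlers take the
page-aligned offset and length of the requested mapping and return the
physical address the driver would pass to remap_pfn_range(), or None for
a rejected request.
"""

U64 = (1 << 64) - 1        # mask that reproduces C unsigned 64-bit wrap-around
PAGE = 0x1000

# Hypothetical framebuffer description (the driver's smem_start / smem_len).
BUF_START = 0x0000_0000_1234_0000   # page-aligned physical address
BUF_LEN = 0x20000                    # 128 KiB


def vulnerable_mmap(offset: int, length: int):
    """Check #2 only, with C-style unsigned arithmetic (the bug)."""
    end = (offset + length) & U64        # can wrap around to a tiny value
    if end > BUF_LEN:
        return None                      # -EINVAL
    return (BUF_START + offset) & U64    # also wraps: lands outside the buffer


def fixed_mmap(offset: int, length: int):
    """Checks #1 and #2 written so that no intermediate sum can overflow."""
    if offset >= BUF_LEN:                # check #1: region start inside buffer
        return None
    if length > BUF_LEN - offset:        # check #2 without computing offset+length
        return None
    return BUF_START + offset


def inside_buffer(phys: int, length: int) -> bool:
    """True when [phys, phys+length) lies entirely within the framebuffer."""
    return BUF_START <= phys and phys + length <= BUF_START + BUF_LEN


if __name__ == "__main__":
    # The two calls from the researchers' test, run against both handlers.
    # length is already page-sized; the kernel sanitises it before the
    # driver's handler runs, which is why check #3 can be skipped.
    calls = [
        ("sanity", 0x0, PAGE),
        ("overflow", 0xFFFFFFFFFFFFFFFF - PAGE + 1, PAGE),
    ]
    for name, offset, length in calls:
        for handler in (vulnerable_mmap, fixed_mmap):
            phys = handler(offset, length)
            if phys is None:
                status = "rejected"
            else:
                where = "in" if inside_buffer(phys, length) else "OUT OF"
                status = f"maps 0x{phys:x} ({where} buffer)"
            print(f"{handler.__name__:16} {name:9} -> {status}")
```

Running the script prints that the sanity call maps the start of the buffer under both handlers, while the overflow call is rejected by fixed_mmap() but accepted by vulnerable_mmap(), which maps the page immediately before the buffer. On real hardware the wrapped address must additionally fall inside the 48 bits of usable physical address space, which is the extra constraint the researchers mention above; the model ignores that and only shows the check itself.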

Further checks revealed that the user could read from and write to the mapped pages, so an attacker could eventually achieve code execution in kernel space, the researchers explain.

“While the vulnerability was found using a simple search, it was introduced to the kernel eight years ago. This fact can teach us that even on a popular open source project as the Linux Kernel, you could always hope to find vulnerabilities if you know where to search.” concluded CheckPoint.

Pierluigi Paganini

(Security Affairs – CVE-2018-8781, Linux)
