- Chinese smart home solutions vendor Orvibo leaks two billion user logs
- A cyberattack took offline websites of the Georgia agency
- Firefox finally addressed the Antivirus software TLS Errors
- LooCipher: The New Infernal Ransomware
- Cyber Defense Magazine – July 2019 has arrived. Enjoy it!
- After 2 years under the radars, Ratsnif emerges in OceanLotus ops
Posted: 02 Jul 2019 10:22 PM PDT
Experts found a Chinese smart home solutions vendor that has been leaking billions of logs from devices managed via its cloud platform.
The analysis of the database revealed the presence of over 2 billion logs containing a broad range of data, such as
Experts noticed that the database is still unsecured, and the amount of data in the archive continues to increase day by day.
The company’s platform, called
“It's important to note that not every single data log included every type of personal information. However, even with over 2 billion records to search through, there was enough information to put together several threads and create a full picture of a user's identity.” continues the post.
The exposed archive was discovered in the middle of June and reported by the researchers to Orvibo several times since June 16.
At the time of writing, there is no evidence that threat actors have accessed the huge trove of data.
“A breach of this size has massive implications. Each device in Orvibo's product catalog can have a different negative effect on its users.” concludes the post. “This is on top of having an abundance of identifying information about users. Much of the data can be pieced together both to disrupt a person's home while possibly leading to further hacks.”
The post Chinese smart home solutions vendor Orvibo leaks two billion user logs appeared first on Security Affairs.
Posted: 02 Jul 2019 03:59 PM PDT
Some court websites of the state of Georgia were taken offline after their systems were infected with ransomware in a cyber attack.
A Georgia state agency confirmed that a cyberattack has brought offline some court websites. According to local media, hackers infected the systems of the Georgia Administrative Office of the Courts with ransomware,
“News outlets report hackers demanding a ransom infected computers with malware at the Georgia Administrative Office of the Courts.” reported the Associated Press. “Agency spokesman Bruce Shaw said Monday that officials have "quarantined our servers and shut off our network to the outside."”
The Georgia Administrative Office of the Courts provides services to some local probate and municipal courts.
The website of the agency (www.georgiacourts.org) was offline earlier this week, while the websites for the Georgia Supreme Court and court clerks in the larger counties of the state were up and running.
“Hackers have infected computers at a Georgia courts agency, demanding a ransom payment and causing officials to shut down court websites.” reported the AJC website.
“The Administrative Office of the Courts was offline Monday as the state government tried to contain the hack.”
At the time of writing, it
Agency spokesman Bruce Shaw pointed out that users’ data were not exposed because the Georgia Administrative Office of the Courts doesn't store users' details apart from the information in public court documents.
“Personal information wasn't compromised because the agency doesn't keep that information, said Michelle Barclay, a division director for the Administrative Office of the Courts.” concludes the AJC website.
"Everything is shut down until they tell us to turn it on," Barclay said. "We're definitely inconveniencing folks who rely on our applications."
The attack was discovered over the weekend; experts believe it was launched from a foreign country.
The attackers sent an email to the agency with instructions to contact them; the message did not specify a ransom amount.
County and state courts were operational, but they were unable to access information provided by the Administrative Office of the Courts, Allen said. He didn't know how long it would take to recover from the attack.
The post A cyberattack took offline websites of the Georgia agency appeared first on Security Affairs.
Posted: 02 Jul 2019 07:45 AM PDT
Mozilla has finally addressed the TLS errors that antivirus software was causing on HTTPS websites, starting with the release of Firefox 68.
Mozilla announced that the issues causing antivirus apps to break HTTPS websites will be resolved with the release of Firefox 68.
The problems began after the release of Firefox 65 in December 2018; since then, experts have observed a significant increase in a certain type of TLS error triggered by the interaction of antivirus software with the browser. Mozilla has now solved these problems without compromising security.
Security apps often inspect the content of HTTPS connections in order to detect malicious activity. They do so by installing their own root certificate on the device.
Unlike most common web browsers, which rely on the operating system's root store to determine whether a certificate is trusted, Firefox maintains its own list of trusted certificate authorities (CAs). Developers of security solutions that need to inspect traffic therefore have to configure Firefox properly, to prevent the browser from raising a MitM attack warning every time users access websites over HTTPS.
The issue can be addressed by enabling the "enterprise roots" preference in Firefox, which forces the browser to import any root CAs added to the OS.
“The interception of TLS connections has historically been referred to as a "man-in-the-middle", or MITM. We've developed a mechanism to detect when a Firefox error is caused by a MITM. We also have a mechanism in place that often fixes the problems.” reads the blog post published by Mozilla. “The "enterprise roots" preference, when enabled, causes Firefox to import any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer. This option is available on Windows and MacOS.”
When this setting is enabled, Firefox will automatically import all the root certificates, including the certificates installed by antivirus software.
Mozilla initially evaluated adding a "Fix it" button to the MitM error pages to let users easily enable the "enterprise roots" option, but ultimately opted for a mechanism that automatically enables the option and reloads the page whenever the MitM error is displayed.
The preference will remain enabled unless it's manually disabled by the user. Mozilla urges antivirus companies to enable this preference instead of adding their root CA to the browser's root store.
This change will be implemented with the release of Firefox 68 that is scheduled for July 9.
Users can determine if a website is using an imported root CA certificate by clicking on the lock icon in the address bar.
"It might cause some concern for Firefox to automatically trust CAs that haven't been audited and gone through the rigorous Mozilla process," concludes Mozilla. "However, any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store. Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default. In short, the changes we're making meet the goal of making Firefox easier to use without sacrificing security."
The post Firefox finally addressed the Antivirus software TLS Errors appeared first on Security Affairs.
Posted: 02 Jul 2019 06:06 AM PDT
A new ransomware has appeared in the threat landscape and has begun to threaten the digital world. This time using a
|.jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .asp, .aspx, .cgi, .php, .py, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .jar, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .x3f, .srw, .pef, .raf, .rf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .eps, .pdd, .dng, .dxf, .dwg, .psd, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .av, .ram, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa3, .amr, .mkv, .dvd, .mts, .vob, .3ga, .m4v, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .mdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi, .ai, .doc, .docm, .docx, .dxg, .odb, .odm, .odp, .ods, .odt, .orf, .ppt, .pptm, .pptx, .rtf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .pdf, .mobi, .epub, .sage|
During the encryption phase, the malware creates an encrypted copy of each file but does not delete the original; instead, it empties the original, leaving a 0-byte file.
It is not clear whether this behaviour derives from buggy code or is a peculiarity of this malware, intentionally introduced by the author.
When the encryption phase ends, the malware creates a FAQ folder on the victim's desktop containing the instructions to proceed with the ransom payment, written in a "friendly" Q&A form.
As stated in the payment instruction file, the victim has only five days to proceed with the payment. After this period, the key is automatically destroyed, preventing any way to recover the user's content. Similar information is also displayed in the image set as the desktop background and in the interactive pop-up window.
As soon as the encryption phase ends, the malicious process contacts its C2, sending information about the infected machine and retrieving the BTC address to display in the pop-up window.
The C2 is hosted on the Tor network at the "hxxp://hcwyo5rfapkytajg[.]onion" address, so the malware relies on services that act as proxies between the darknet and the clearnet to carry out its malicious actions, avoiding the installation of Tor libraries on the victim machine. The abused services are:
The request sent by the malware includes information such as the User-ID assigned to the victim machine during the encryption phase, "u=rEui7jhIJk6SaRTyhL08N7h1Sft", and its public IP address, "i=xxx.xxx.xxx.xxx". The C2 server replies with the BTC address to which the victim must pay the requested amount, for instance "BTC_ADDR: 16HDCwCuy2R5b7YFCmsidXzHQrvHmT7VHGG".
We noticed that every time the ransomware contacts its C2 at the "k.php" resource, the server generates a new BTC address. Probably, the backend embeds a BTC wallet factory able to register a new wallet on the blockchain for each ransomware infection. This trick makes the BTC transactions stealthier: it avoids a huge number of transactions toward the same wallet and makes reconstructing the cash flow harder. In the following table we list some of the BTC addresses generated by the C2:
Table. Example of Generated BTC Addresses
However, if the victim machine is offline, the ransomware is unable to download the BTC address to display in the window. For this reason, the malware also embeds a list of fallback addresses to use when it fails to reach the C2.
Table. Hardcoded BTC Addresses on sample
An interesting peculiarity of this ransomware is its ability to work both as an encryptor and as a decryptor. The last answer in the instruction file, in fact, states that the decryptor software is embedded in the ransomware binary in order to make the decryption process as simple as possible.
After the payment, the victim can click the "Check Payment" button in the pop-up window and, if the transaction has been confirmed, the "DECRYPT" button is enabled. Moreover, if the user accidentally closes the pop-up window needed to trigger the decryption, they can download a new copy of the ransomware and use it as a decryptor. That copy is hosted on the MEGA repository "hxxps://mega [.nz/#!KclRVIRY!YrUgGjvldsoTuNZbCOjebAz5La7hbB41nJHk1mlgqZo".
Clicking the "Check Payment" button, the process sends a new HTTP request to its C2 at "/d.php" to check whether the payment related to the specific User-ID has been received.
In this specific case, the server replies with the value "0", indicating that the payment has not been approved, so the "DECRYPT" button is not enabled. Moreover, if the contacted server is down, the malware tries to reach its Tor C2 through one of the other above-mentioned proxies, so that a single proxy service failure does not stop it.
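As an added example (not code from the Cybaze-Yoroi ZLAB analysis), the detection logic below scans constructed web-proxy log lines for the C2 exchange just described: requests whose host carries the onion name, hitting k.php with the u= and i= parameters and d.php for the payment check, and it extracts the BTC address from the registration reply. The log line format and the gateway domain (tor-gateway.example) are constructed placeholders, not the real abused services.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Leftmost host label of the LooCipher C2 onion address quoted above; k.php registers
# the victim and d.php checks the payment. The registration reply carries "BTC_ADDR: <addr>".
C2_ONION_LABEL = "hcwyo5rfapkytajg"
C2_ENDPOINTS = {"/k.php": "register", "/d.php": "check_payment"}
BTC_ADDR_RE = re.compile(r"BTC_ADDR:\s*([13][1-9A-HJ-NP-Za-km-z]{25,34})")
# Constructed proxy-log format (an assumption, not the post's data):
# <timestamp> <client-ip> <method> <url> <status> "<reply body>"
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+'
                    r'(?P<url>\S+)\s+(?P<status>\d{3})\s+"(?P<body>.*)"$')

def parse_line(line):
    """Parse one constructed proxy log line into a dict; None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event):
    """Return a finding if the event looks like a LooCipher C2 exchange, else None."""
    parts = urlsplit(event["url"])
    # Clearnet-to-Tor gateways keep the onion name as the leftmost label of the host.
    if parts.hostname is None or parts.hostname.split(".")[0] != C2_ONION_LABEL:
        return None
    if parts.path not in C2_ENDPOINTS:
        return None
    qs = parse_qs(parts.query)
    finding = {
        "client": event["client"],
        "gateway": parts.hostname,
        "action": C2_ENDPOINTS[parts.path],
        "victim_id": qs.get("u", [None])[0],    # User-ID assigned during encryption
        "reported_ip": qs.get("i", [None])[0],  # public IP the malware self-reports
        "btc_addr": None,
        "payment_pending": None,
    }
    if finding["action"] == "register":
        m = BTC_ADDR_RE.search(event["body"])
        finding["btc_addr"] = m.group(1) if m else None
    else:
        # d.php answers "0" while the payment has not been approved.
        finding["payment_pending"] = event["body"].strip() == "0"
    return finding

def detect_loocipher(lines):
    """Run the detection over raw log lines and return the list of findings."""
    events = (parse_line(line) for line in lines)
    return [f for f in (classify(e) for e in events if e) if f]

# Constructed sample log; the gateway domain is a placeholder, not a real abused service.
SAMPLE_LOG = [
    '2019-06-20T10:01:02Z 10.0.0.15 GET http://hcwyo5rfapkytajg.tor-gateway.example/k.php'
    '?u=rEui7jhIJk6SaRTyhL08N7h1Sft&i=203.0.113.7 200 "BTC_ADDR: 16HDCwCuy2R5b7YFCmsidXzHQrvHmT7VHGG"',
    '2019-06-20T10:01:05Z 10.0.0.15 GET http://www.example.com/index.html 200 "<html>...</html>"',
    '2019-06-20T10:09:41Z 10.0.0.15 GET http://hcwyo5rfapkytajg.tor-gateway.example/d.php'
    '?u=rEui7jhIJk6SaRTyhL08N7h1Sft 200 "0"',
]
if __name__ == "__main__":
    for finding in detect_loocipher(SAMPLE_LOG):
        print(finding)
```

The two findings tie the internal client to the victim User-ID and to the BTC address handed out by the C2, which is what an analyst needs to pivot from a proxy log to the affected host.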
Nowadays, ransomware is one of the quickest ways to monetize cybercriminal activity, and for this reason a wide range of threat actors, including small-scale cybercriminals, leverage these "tools" to threaten organizations and companies. LooCipher is a new entry in this sector: it is a ransomware family spreading through malicious emails carrying infected Office documents, unlike the recent Sodinokibi campaign, which used redirectors to land victims on Exploit Kit pages (e.g. RIG EK).
LooCipher encrypts all files on the victim's computer and abuses clearnet-to-Tor proxy services to connect to its Command and Control hidden behind onion sites. Cybaze-Yoroi ZLAB advises always keeping a recent, tested, offline backup of all business-critical data.
Technical details, including IoCs and Yara Rules, are available in the analysis published
Posted: 01 Jul 2019 11:51 PM PDT
Cyber Defense Magazine July 2019 Edition has arrived. We hope you enjoy this month’s edition, packed with over 168 pages of excellent content.
Cyber Defense Magazine July 2019 Edition has arrived. Tips, tricks, ideas, secrets and insider information on the best practices in
After 7 Years, We’ve Completely Rebuilt CyberDefenseMagazine.com – Please Let Us Know What You Think. It’s mobile and tablet friendly and superfast. We hope you like it. In addition, we’re shooting for 7x24x365 uptime as we continue to scale with improved Web App Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More Secure DNS and CyberDefenseMagazineBackup.com up and running as an array of live mirror sites.
The post Cyber Defense Magazine – July 2019 has arrived. Enjoy it! appeared first on Security Affairs.
Posted: 01 Jul 2019 11:20 PM PDT
Security experts spotted a new wave of attacks carried out by the OceanLotus APT group that involved the new Ratsnif Trojan.
Experts at the security firm Cylance detected a new RAT dubbed Ratsnif that was used in cyber espionage operations conducted by the
The hackers targeted organizations across multiple industries and have also hit foreign governments, dissidents, and journalists.
Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam's manufacturing, consumer products, and hospitality sectors. APT32 has also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.
Due to the type of targets,
Back to the present: the Ratsnif RAT has been improved with new capabilities that allow it to modify web pages and perform SSL hijacking.
“Surfacing during the latter half of 2018 and wrapped in a bespoke OceanLotus shellcode loader, this sample was first reported in a blog from Macnica Networks.” reads the analysis published by Cylance. “Compared to the 2016 variants this sample introduces a configuration file and does not rely on C2 for operation. It also adds new features in the form of HTTP injection, protocol parsing, and SSL
In previous attacks, OceanLotus hackers used both custom malware and commercially available tools, such as Cobalt Strike.
The experts analyzed four different samples of the Ratsnif RAT, three dating back to 2016 and the fourth created in H2 2018.
The analysis revealed the evolution of the malware, from a debug build to a stable release that implements the following features:
- C2 over HTTP
- Packet sniffing
- ARP poisoning
- DNS spoofing
- HTTP redirection
- Remote shell
While two of the three 2016 samples appear to be versions under development and testing, the third one, compiled on September 13, 2016, was “one of the earlier Ratsnifs to be deployed by
Once installed on the target machine, Ratsnif creates a run-once mutex named “onceinstance”, initialises Winsock version 2.2, and sends the collected system information (username, computer name, workstation configuration, Windows system directory, and network adapter information) back to the C2.
The samples analyzed by the experts have hardcoded one or more C2 domains, but only one seemed to have been active.
The 2018 variant analyzed by Cylance leverages a different piece of malware deployed on the victim host for communications.
“Compared to the 2016 variants this sample introduces a configuration file and does not rely on C2 for operation. It also adds new features in the form of HTTP injection, protocol parsing, and SSL hijacking.” continues the analysis.
Experts discovered that it is possible to decrypt the traffic by using version 3.11 of the wolfSSL library, formerly known as CyaSSL.
The malware does not protect its configuration file: it is a Base64-encoded text file with each parameter on its own line.
The experts also found a bug in the Ratsnif RAT that causes a memory read violation when parsing the “dwn_ip” parameter if the value is present in the configuration.
Another difference between the 2016 variants of Ratsnif and the 2018 one is that the former stored all packets to a PCAP file, while the latter uses multiple sniffer classes for harvesting sensitive information from packets.
In this way, the malware drastically reduces the amount of data the attacker has to collect, exfiltrate and process.
“Ratsnif is an intriguing discovery considering the length of time it has remained undetected, likely due to limited deployment. It offers a rare glimpse of over two years of feature development, allowing us to observe how threat actors tailor tooling to their nefarious purposes.” conclude the experts. “While all samples borrow heavily from open-source code/snippets, overall development quality is deemed to be poor. Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware.”
The post After 2 years under the radars, Ratsnif emerges in OceanLotus ops appeared first on Security Affairs.