
Tuesday, July 2, 2019



Chinese smart home solutions vendor Orvibo leaks two billion user logs

Posted: 02 Jul 2019 10:22 PM PDT

Experts found a Chinese smart home solutions vendor that has been leaking billions of logs from devices managed via its cloud platform.

Experts at vpnMentor discovered a massive data leak in Orvibo's user database. The research team, led by Noam Rotem and Ran Locar, has found an open database managed by Orvibo Smart Home vendor.

The analysis of the database revealed the presence of over 2 billion logs containing a broad range of data, such as usernames, email addresses, passwords, and in some cases the locations of the devices.
The logs belong to devices used by people and organizations in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil.

“Our expert cybersecurity research team, led by Noam Rotem and Ran Locar, discovered an open database linked to Orvibo Smart Home products.” reads the blog post published by vpnMentor. “The database includes over 2 billion logs that record everything from usernames, email addresses, and passwords, to precise locations.”


Experts noticed that the database is still unsecured, and the amount of data included in the archive continues to increase day by day.

The company's platform, called SmartMate, has around a million users, including private users and hotels that use it to manage their devices (i.e. home entertainment, smart meters, smart mirrors, smart cameras, and HVAC systems).

“It's important to note that not every single data log included every type of personal information. However, even with over 2 billion records to search through, there was enough information to put together several threads and create a full picture of a user's identity.” continues the post.

The exposed archive was discovered in the middle of June and reported by the researchers to Orvibo several times since June 16.

At the time of writing, there is no evidence that threat actors have accessed the huge trove of data.

“A breach of this size has massive implications. Each device in Orvibo's product catalog can have a different negative effect on its users.” concludes the post. “This is on top of having an abundance of identifying information about users. Much of the data can be pieced together both to disrupt a person's home while possibly leading to further hacks.”

Pierluigi Paganini

(SecurityAffairs – Orvibo, hacking)

The post Chinese smart home solutions vendor Orvibo leaks two billion user logs appeared first on Security Affairs.

A cyberattack took offline websites of the Georgia agency

Posted: 02 Jul 2019 03:59 PM PDT

Some court websites of the US state of Georgia were brought offline after their systems were infected by ransomware in a cyber attack.

A Georgia state agency confirmed that a cyberattack has brought offline some court websites. According to local media, hackers infected the systems of the Georgia Administrative Office of the Courts with ransomware.

“News outlets report hackers demanding a ransom infected computers with malware at the Georgia Administrative Office of the Courts.” reported the Associated Press. “Agency spokesman Bruce Shaw said Monday that officials have "quarantined our servers and shut off our network to the outside."”

The Georgia Administrative Office of the Courts provides services to some local probate and municipal courts.

The website of the agency was offline earlier this week, while the websites for the Georgia Supreme Court and court clerks in the larger counties of the state were up and running.

“Hackers have infected computers at a Georgia courts agency, demanding a ransom payment and causing officials to shut down court websites.” reported the AJC website.

“The Administrative Office of the Courts was offline Monday as the state government tried to contain the hack.”

At the time of writing, the extent of the attack, in terms of impacted Georgia courts and interference with ordinary operations, wasn't clear.

Agency spokesman Bruce Shaw pointed out that users' data were not exposed because the Georgia Administrative Office of the Courts doesn't store user details beyond the information contained in public court documents.

“Personal information wasn't compromised because the agency doesn't keep that information, said Michelle Barclay, a division director for the Administrative Office of the Courts.” concludes the AJC website.

"Everything is shut down until they tell us to turn it on," Barclay said. "We're definitely inconveniencing folks who rely on our applications."

The attack was discovered during the weekend; experts believe it was launched from a foreign country.

The attackers sent an email to the agency with instructions to contact them; the message didn't specify a ransom amount.

This incident follows other similar attacks on government systems, such as the one that hit the city of Atlanta and the Georgia Department of Agriculture.

County and state courts were operational, but they were unable to access information provided by the Administrative Office of the Courts, Allen said. He didn't know how long it would take to recover from the attack.

Pierluigi Paganini

(SecurityAffairs – Georgia agency, hacking)


Firefox finally addressed the Antivirus software TLS Errors

Posted: 02 Jul 2019 07:45 AM PDT

Firefox finally addressed the issues with antivirus apps breaking HTTPS websites, starting with the release of Firefox 68.

Mozilla announced that it will resolve the issues that caused antivirus apps to break HTTPS websites with the release of Firefox 68.

The problems began after the release of Firefox 65 in December 2018; since then, experts observed a significant increase in a certain type of TLS error that is triggered by the interaction of antivirus software with the browser. Mozilla has finally solved these problems without impacting security.

Security apps often inspect the content of HTTPS connections in order to detect malicious activities. They do this by installing their own root certificate on the device and intercepting TLS connections, re-signing the server's certificate with that root.

Unlike most common web browsers, which leverage the operating system's root store to determine if a certificate is trusted, Firefox maintains its own list of trusted certificate authorities (CAs). Developers of security solutions that need to inspect the traffic have to properly configure Firefox; otherwise the browser will raise a MitM attack warning every time users access websites over HTTPS, because the interception root is unknown to Firefox.

The issue could be addressed by enabling the "enterprise roots" preference in Firefox; in this way it is possible to make the browser import any root CAs added to the OS.

“The interception of TLS connections has historically been referred to as a "man-in-the-middle", or MITM. We've developed a mechanism to detect when a Firefox error is caused by a MITM. We also have a mechanism in place that often fixes the problems.” reads the blog post published by Mozilla. “The "enterprise roots" preference, when enabled, causes Firefox to import any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer. This option is available on Windows and MacOS.”

When this setting is enabled, Firefox will automatically import all the root certificates, including the certificates installed by antivirus software.

Mozilla initially evaluated the possibility of adding a "Fix it" button to the MitM error pages to allow users to easily enable the "enterprise roots" option, but in the end it opted instead for a mechanism that automatically enables the option and reloads the page whenever the MitM error is displayed.

The preference will remain enabled unless it's manually disabled by the user. Mozilla urges antivirus companies to enable this preference instead of adding their root CA directly to the browser's root store.
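As an added example (not Mozilla's code), the following Python check reads a Firefox profile's prefs.js and reports the state of the "enterprise roots" preference, whose internal name is security.enterprise_roots.enabled, and builds the policies.json entry (Certificates / ImportEnterpriseRoots) that pins the same behaviour by enterprise policy. The prefs.js excerpt is constructed for the example.

```python
import json
import re

# Constructed excerpt of a Firefox profile's prefs.js (not taken from a real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1561975000);
user_pref("browser.startup.homepage", "https://example.test/");
user_pref("security.enterprise_roots.enabled", true);
"""

# Internal name of the "enterprise roots" preference discussed in the post.
ENTERPRISE_ROOTS_PREF = "security.enterprise_roots.enabled"

# Each line has the form: user_pref("<name>", <value>);  where <value> is a JS
# literal (true/false, an integer, or a double-quoted string).
PREF_LINE_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')


def _parse_value(raw):
    """Decode the JS literal on the right-hand side of a user_pref() call."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if raw.startswith('"') and raw.endswith('"'):
        return json.loads(raw)  # JSON string escapes cover what prefs.js emits
    raise ValueError(f"unsupported pref literal: {raw!r}")


def parse_prefs_js(text):
    """Return {pref_name: value} for every user_pref() line in a prefs.js file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def enterprise_roots_state(prefs):
    """True/False when the pref is set explicitly in the profile, None when the
    profile relies on the browser default (i.e. the setting was never written)."""
    value = prefs.get(ENTERPRISE_ROOTS_PREF)
    return value if isinstance(value, bool) else None


def enterprise_roots_policy(enabled=True):
    """policies.json structure that enforces the same import of OS root CAs."""
    return {"policies": {"Certificates": {"ImportEnterpriseRoots": bool(enabled)}}}


if __name__ == "__main__":
    prefs = parse_prefs_js(SAMPLE_PREFS_JS)
    print("enterprise roots:", enterprise_roots_state(prefs))
    print(json.dumps(enterprise_roots_policy(), indent=2))
```

Run it against a real profile by reading the profile's prefs.js into parse_prefs_js; a None result means the setting has not been written by the user, a program or Firefox's automatic fix.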

This change will be implemented with the release of Firefox 68 that is scheduled for July 9.

Users can determine if a website is using an imported root CA certificate by clicking on the lock icon in the address bar.

"It might cause some concern for Firefox to automatically trust CAs that haven't been audited and gone through the rigorous Mozilla process," concludes Mozilla. "However, any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store. Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default. In short, the changes we're making meet the goal of making Firefox easier to use without sacrificing security."

Pierluigi Paganini

(SecurityAffairs – Firefox, digital certificates)


LooCipher: The New Infernal Ransomware

Posted: 02 Jul 2019 06:06 AM PDT

A new ransomware family appeared in the threat landscape and began to threaten the digital world, this time under a nice but scary name: LooCipher.


A new ransomware family began to threaten the digital world, this time under a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thanks to the term "Cipher") and to the popular religious figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straightforward, not very different from those of many other ransomware families, but digging into its internals we also found elements suggesting its operators could be able to run large scale campaigns.

Technical Analysis

Unlike most ransomware, LooCipher uses a macro-weaponized document as the dropper of the real threat. We identified two different document files used to deploy the ransomware, named "Info_BSV_2019.docm" and "Info_Project_BSV_2019.docm". Both files are very crudely designed and contain a single line of text inviting the user to enable macro execution.

Figure 1. Document content

Exploring the content in depth, we retrieved its minimal macro code payload: its only purpose is to download the ransomware from the "hxxp://hcwyo5rfapkytajg.onion[.]pet/2hq68vxr3f.exe" drop URL and launch it.

The author did not bother to obfuscate the malicious code in any sophisticated way; even comment strings like "//binary" and "//overwrite" are still visible.

Figure 2. Macro code

Once run, it starts the encryption of all the victim's files, except for the system and program folders: "Program Files", "Program Files (x86)" and "Windows". This exclusion avoids corrupting the files needed to start the operating system, so the user can still log in to the PC and see the ransom request.

Figure 3. Ransomware excluded folders

After a lengthy file enumeration phase, the ransomware encrypts all files ending with the following extensions:

.jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .asp, .aspx, .cgi, .php, .py, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .jar, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .x3f, .srw, .pef, .raf, .rf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .eps, .pdd, .dng, .dxf, .dwg, .psd, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .av, .ram, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa3, .amr, .mkv, .dvd, .mts, .vob, .3ga, .m4v, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .mdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi, .ai, .doc, .docm, .docx, .dxg, .odb, .odm, .odp, .ods, .odt, .orf, .ppt, .pptm, .pptx, .rtf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .pdf, .mobi, .epub, .sage

During the encryption phase, for each file to be encrypted, the malware creates an encrypted copy of the file but does not delete the original; instead it empties it, forcing a 0-byte size.

Figure 4. Example of ciphered file with empty original file

It is not clear whether this mechanism derives from buggy code or is a specific peculiarity of this malware, intentionally introduced by the author.

Figure 5. Actions during encryption phase

When the encryption phase ends, it creates a FAQ folder on the victim's desktop containing the instructions to proceed with the ransom payment, in a "friendly" Q&A form.

Figure 6. File containing the payment instructions

As stated in the payment instruction file, the victim has only five days to proceed with the payment. After this period, the key will be automatically destroyed, preventing any way to recover the user's content. Similar information is also displayed in the image set as the desktop background and in the interactive pop-up window.

Figure 7. Background image and pop-up window reporting info about the payment

As soon as the encryption phase ends, the malicious process contacts its C2, sending information about the infected machine and retrieving the BTC address to display in the pop-up window.

Figure 8. Example of HTTP request to retrieve the BTC address

The C2 is hosted on the Tor network, at the "hxxp://hcwyo5rfapkytajg[.]onion" address, so the malware uses services that act as proxies between the darknet and the clearnet (Tor2web-style gateways) to perform its malicious actions without installing Tor libraries on the victim machine. The abused services are:

The request sent by the malware includes information such as the User-ID assigned to the victim machine during the encryption phase, "u=rEui7jhIJk6SaRTyhL08N7h1Sft", and its public IP address "". The C2 server replies specifying the BTC address to which the user will pay the requested amount, for instance "BTC_ADDR: 16HDCwCuy2R5b7YFCmsidXzHQrvHmT7VHGG".

We noticed that every time the ransomware contacts its C2 at the "k.php" resource, the server generates a new BTC address. Probably, the backend embeds a BTC wallet factory able to generate a new wallet for each ransomware infection. This trick makes the BTC transactions stealthier, avoiding a huge number of transactions towards the same wallet and making reconstruction of the cash flow harder. In the following table we report some of the BTC addresses generated by the C2:


Table. Example of Generated BTC Addresses

However, if the victim machine is offline, the ransomware is not able to download the BTC address to display in the window. For this reason, the malware also embeds a list of fallback addresses to use when it fails to reach the C2.

Figure 9. Other BTC addresses embedded in ransomware binary

Table. Hardcoded BTC Addresses on sample

An interesting peculiarity of this ransomware is its capability to work both as encryptor and as decryptor. The last answer of the instruction file, in fact, reports that the decryptor software is embedded in the ransomware binary in order to make the decryption process as simple as possible.

In fact, after the payment the victim can click on the "Check Payment" button included in the pop-up window and, if the transaction has been confirmed, the "DECRYPT" button will be enabled. Moreover, if the user accidentally closes the pop-up window needed to trigger the decryption, they can download a new copy of the ransomware and use it as the decryptor. That copy is hosted on the MEGA repository "hxxps://mega [.nz/#!KclRVIRY!YrUgGjvldsoTuNZbCOjebAz5La7hbB41nJHk1mlgqZo".

Clicking the "Check Payment" button, the process sends a new HTTP request to its C2 to "/d.php" in order to check if the payment related to the specific User-ID has been received.

Figure 10. Example of HTTP request to check if the payment has been executed

In the specific case, the server replies with the "0" value, indicating that the payment has not been approved, so the "DECRYPT" button will not be enabled. Moreover, if the contacted server is down, the malware tries to reach its Tor C2 through one of the other above-mentioned proxies, so that the failure of a single proxy service does not stop it.

Figure 11. HTTP-TOR proxy services used by the malware
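As an added example, not part of the Yoroi analysis, the following Python scan runs over constructed proxy log lines and flags the beacon pattern described above: requests to the quoted onion name through a Tor2web-style gateway on the /k.php or /d.php resources, carrying the u= user-id parameter. Any other <onion>.onion.<gateway> host is flagged at lower confidence. The log format, the gateway hostname regex and the sample lines are assumptions made for the example; the proxy services listed in the original analysis are not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hidden-service name quoted in the analysis (hcwyo5rfapkytajg.onion) and the two
# C2 resources it describes: k.php (fetch BTC address) and d.php (check payment).
LOOCIPHER_ONION = "hcwyo5rfapkytajg"
LOOCIPHER_C2_PATHS = {"/k.php", "/d.php"}

# Tor2web-style gateways expose a hidden service as <onion>.onion.<gateway domain>,
# e.g. hcwyo5rfapkytajg.onion.pet. v2 onion names are 16 base32 chars, v3 are 56.
TOR2WEB_HOST_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion\.[a-z0-9.-]+$")

# Constructed proxy log lines: "<epoch> <client_ip> <method> <url> <status>".
# The user-id value is the one quoted in the analysis; everything else is made up.
SAMPLE_LOG = """\
1562062800.120 10.0.0.15 GET http://hcwyo5rfapkytajg.onion.pet/k.php?u=rEui7jhIJk6SaRTyhL08N7h1Sft 200
1562062801.300 10.0.0.15 GET http://hcwyo5rfapkytajg.onion.pet/d.php?u=rEui7jhIJk6SaRTyhL08N7h1Sft 200
1562062802.000 10.0.0.20 GET http://example.test/index.html 200
1562062803.500 10.0.0.21 GET http://abcdefghijklmnop.onion.to/ 200
1562062804.000 10.0.0.22 GET http://onion.pet/about 200
"""


def classify_url(url):
    """Return (verdict, user_id) for one requested URL.

    verdict is "loocipher-c2" for the known onion reached through any gateway on
    one of the two C2 paths, "tor2web-gateway" for any other <onion>.onion.<tld>
    host, or None for traffic that matches neither.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    m = TOR2WEB_HOST_RE.match(host)
    if not m:
        return None, None
    user_id = parse_qs(parts.query).get("u", [None])[0]
    if m.group(1) == LOOCIPHER_ONION and parts.path in LOOCIPHER_C2_PATHS:
        return "loocipher-c2", user_id
    return "tor2web-gateway", user_id


def scan_log(text):
    """Return (client_ip, verdict, user_id, url) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        client_ip, url = fields[1], fields[3]
        verdict, user_id = classify_url(url)
        if verdict:
            hits.append((client_ip, verdict, user_id, url))
    return hits


if __name__ == "__main__":
    for client_ip, verdict, user_id, url in scan_log(SAMPLE_LOG):
        print(f"{client_ip} {verdict} user_id={user_id} {url}")
```

The user-id in a "loocipher-c2" hit identifies the infected host in the C2's records, which is useful when matching later /d.php payment checks to the original /k.php beacon from the same machine.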


Nowadays, ransomware is one of the quickest ways to monetize cyber-criminal activities, and for this reason a wide range of threat actors, including micro cyber-criminals, leverage these "tools" to threaten organizations and companies. LooCipher is a new entry in this sector: it's a ransomware family spreading through malicious emails embedding infected Office documents, unlike the recent Sodinokibi campaign that used redirectors to land the victims on pages infected with exploit kits (e.g. RIG EK).

LooCipher encrypts all files on the victim's computer and abuses clearnet-to-Tor proxy services to connect to its command and control hidden behind onion sites. Cybaze-Yoroi ZLAB advises always keeping a recent, tested and offline backup of all business-critical data.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – loocipher, ransomware)


Cyber Defense Magazine – July 2019 has arrived. Enjoy it!

Posted: 01 Jul 2019 11:51 PM PDT

Cyber Defense Magazine July 2019 Edition has arrived. We hope you enjoy this month’s edition…packed with over 168 pages of excellent content.

Cyber Defense Magazine July 2019 Edition has arrived. Tips, tricks, ideas, secrets and insider information on the best practices in cybersecurity.  Please read it and share it with your friends.  With much appreciation to our sponsors.

After 7 Years, We've Completely – Please Let Us Know What You Think.  It's mobile and tablet friendly and superfast.  We hope you like it.  In addition, we're shooting for 7x24x365 uptime as we continue to scale with improved Web Application Firewalls, Content Delivery Networks (CDNs) around the globe, faster and more secure DNS, and an array of live mirror sites up and running.

Pierluigi Paganini

(SecurityAffairs – Cyber Defense Magazine, hacking)


After 2 years under the radars, Ratsnif emerges in OceanLotus ops

Posted: 01 Jul 2019 11:20 PM PDT

Security experts spotted a new wave of attacks carried out by the OceanLotus APT group that involved the new Ratsnif Trojan.

Experts at the security firm Cylance detected a new RAT dubbed Ratsnif that was used in cyber espionage operations conducted by the OceanLotus APT group.

The OceanLotus APT group, also known as APT32 or Cobalt Kitty, is a state-sponsored group that has been active since at least 2013.

The hackers targeted organizations across multiple industries and have also hit foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam's manufacturing, consumer products, and hospitality sectors. The APT32 also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

Due to the type of targets, OceanLotus is believed to be a Vietnam-linked cyber espionage group.

Coming back to the present, the latest Ratsnif RAT variant was improved with new capabilities that allow the threat to modify web pages and to hijack SSL connections.

“Surfacing during the latter half of 2018 and wrapped in a bespoke OceanLotus shellcode loader, this sample was first reported in a blog from Macnica Networks.” reads the analysis published by Cylance. “Compared to the 2016 variants this sample introduces a configuration file and does not rely on C2 for operation. It also adds new features in the form of HTTP injection, protocol parsing, and SSL hijacking.”

In previous attacks, OceanLotus hackers used both custom malware and commercially available tools, like Cobalt Strike.

The experts analyzed four different samples of the Ratsnif RAT, three dating back to 2016 and the fourth created in H2 2018.

The analysis revealed the evolution of the malware, from a debug build to a stable release that implements the following features:

  • C2 over HTTP
  • Packet sniffing
  • ARP poisoning
  • DNS spoofing
  • HTTP redirection
  • Remote shell

While 2 out of the 3 samples from 2016 appear to be versions under development and testing, the third one, compiled on September 13, 2016, was “one of the earlier Ratsnifs to be deployed by OceanLotus in-the-wild.”

Once installed on the target machine, Ratsnif creates a run-once mutex named “onceinstance”, initialises Winsock version 2.2 and sends collected system information (i.e. username, computer name, workstation configuration, Windows system directory, and network adapter information) back to the C2.

The samples analyzed by the experts have hardcoded one or more C2 domains, but only one seemed to have been active.

The 2018 variant analyzed by Cylance leverages a different piece of malware deployed on the victim host for communications.

Experts discovered that it is possible to decrypt the traffic by using version 3.11 of the wolfSSL library, formerly known as CyaSSL.

The malware does not protect its configuration file: it is a Base64-encoded text file with each parameter on its own line.

The experts also found a bug in the Ratsnif RAT that causes a memory read violation when parsing the “dwn_ip” parameter if the value is present in the configuration.


Another difference between the 2016 variants of Ratsnif and the 2018 one is that the former stored all packets to a PCAP file, while the latter uses multiple sniffer classes for harvesting sensitive information directly from packets.

In this way, the malware drastically reduces the amount of data the attacker has to collect, exfiltrate and process.

“Ratsnif is an intriguing discovery considering the length of time it has remained undetected, likely due to limited deployment. It offers a rare glimpse of over two years of feature development, allowing us to observe how threat actors tailor tooling to their nefarious purposes.” conclude the experts. “While all samples borrow heavily from open-source code/snippets, overall development quality is deemed to be poor. Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware.”

Pierluigi Paganini

(SecurityAffairs – OceanLotus, Ratsnif)
