While APT activity and a raft of malware types continue to capture the notice of researchers and journalists, it turns out that trusty old banking trojans remain the top email-borne threat out there. According to Proofpoint’s latest quarterly report, which analyzes trends for the fourth quarter of 2018 based on its telemetry, banking malware that harvests online banking credentials made up 56 percent of all malicious payloads at the end of last year. Of those, the firm found that Emotet accounted for 76 percent, although, strictly speaking, Emotet has evolved into much more than just a banking trojan.

“Despite the presence of a range of banking trojans appearing in the wild, threat actors continue to coalesce around known malware,” the report highlighted. “Taken together, Emotet, Panda Banker and Ursnif comprised almost 97 percent of observed banking trojans in Q4. Emotet traffic, while far more consistent and appearing in higher volumes than other bankers in Q4, was quiet for most of October; the actor primarily responsible for high-volume Emotet campaigns was also inactive for most of April. Aside from these two periods, however, Emotet steadily increased in the volume and frequency of associated email campaigns throughout 2018.”

In all, malicious messages carrying credential-stealers or downloaders collectively jumped more than 230 percent year-over-year – an illustration of the value of stolen credentials on the Dark Web.

As for the rest of the bunch, espionage-ready remote access trojans (RATs) accounted for just 8.4 percent of all malicious payloads in Q4 and 5.2 percent for the year; however, that marks a significant change from previous years, in which they were more rarely used by crimeware actors, according to the report. RATs establish backdoors on a victim’s machine for the purposes of reconnaissance, data exfiltration, credential theft, loading additional malware and so on. APT505 was particularly active using RATs in the quarter.
Ransomware, meanwhile, dropped even further in Q4, to just one tenth of 1 percent of overall malicious message volume. “After dominating the threat landscape in 2016 and much of 2017, ransomware nearly disappeared in Q1 2018,” the report explained. “In Q2, we observed a return of ransomware, albeit at much lower levels than we saw in 2017. However, this spike appeared to be a ‘testing of the waters,’ since ransomware message volumes dropped by 10 percentage points from Q2. This suggests that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale. Ransomware dropped even further in Q4 to just one tenth of 1% of overall malicious message volume.”

Only three ransomware strains appeared in Q4, and only in relatively small, sporadic email campaigns: GandCrab, GlobeImposter and Troldesh.

Interestingly, the delivery mechanism of choice was malicious links embedded in the body of an email rather than attachments. “Malicious URLs continued to outnumber malicious attachments in email campaigns delivering malware throughout Q4,” according to the report. “Proofpoint observed over twice as many URL messages as attachment messages during this period, although this constituted a decrease from 2018 as a whole. For the entire year, malicious URLs appeared over three times as often as messages with malicious attachments, suggesting that the pendulum may be swinging back toward attachments as it tends to do periodically.”

On the non-malware email-attack front, business email compromise (BEC) spiked considerably, continuing its inexorable growth: the number of email fraud attacks against targeted companies increased 226 percent quarter-on-quarter and a whopping 476 percent from two years ago. On average, companies targeted by BEC received about 120 fraudulent emails in the fourth quarter of the year, up from 36 in Q3 2018 and up from 21 in the year-ago quarter.
Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system. Dubbed “Dirty_Sock” and identified as CVE-2019-7304, the vulnerability was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the maker of Ubuntu, late last month.

The vulnerability resides in the REST API of the snapd service, a universal Linux packaging system that makes an application compatible with various Linux distributions without requiring any modification. Built by Canonical, snapd comes installed by default on all versions of Ubuntu and is also used by other Linux distributions, including Debian, OpenSUSE, Arch Linux, Solus, and Fedora. Snap packages are basically applications compressed together with their dependencies, and they also include instructions on how to run and interact with other software on various Linux systems for desktop, cloud, and Internet of Things.

Snapd locally hosts a web server (a UNIX_AF socket) that offers a list of RESTful APIs which help the service perform various actions on the operating system. These REST APIs come with access control to define user-level permission for specific tasks: some powerful APIs are only available to root users, while others can be accessed by low-privileged users. According to Moberly, a flaw in the way the access control mechanism checks the UID associated with any request made to the server allows attackers to overwrite the UID variable and access any API function, including those that are restricted to the root user. “Snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket,” Ubuntu explains in its advisory.
“A local attacker could use this to access privileged socket APIs and obtain administrator privileges.” It should be noted, however, that since Dirty Sock leverages a local privilege-escalation flaw, it does not allow hackers to compromise a vulnerable Linux system remotely.

Moberly has also released two proof-of-concept (PoC) exploits on GitHub today, one of which requires an SSH connection while the other is able to sideload a malicious snap by abusing this API.

Canonical has released snapd version 2.37.1 this week to address the vulnerability, and Ubuntu and other major Linux distributions have already rolled out fixed versions of their packages. Linux users are strongly advised to upgrade their vulnerable installations as soon as possible.
What could be more frightening than a service informing you that all your data is gone—every file and every backup server entirely wiped out? The worst nightmare of its kind, right? But that's precisely what happened this week with VFEmail.net, a US-based secure email provider that lost all data and backup files for its users after unknown hackers destroyed its entire U.S. infrastructure, wiping out almost two decades' worth of data and backups in a matter of a few hours for no apparent reason.

Started in 2001 by Rick Romero, VFEmail provides secure, private email services to companies and end users, both free and paid-for. Describing the attack as “catastrophic,” the privacy-focused email service provider revealed that the attack took place on February 11 and that “all data” on their US servers—both the primary and the backup systems—has been completely wiped out, seemingly beyond recovery.

“Yes, @VFEmail is effectively gone,” Romero wrote on Twitter Tuesday morning. “It will likely not return. I never thought anyone would care about my labor of love so much that they'd want to completely and thoroughly destroy it.”

The VFEmail team detected the attack on February 11 itself, after it noticed that all the servers for its service had gone offline without any notice. Two hours later, the company reported that the attackers had been caught “in the middle of formatting its backup server,” saying that it “fear all US-based data may be lost.” Shortly after that, however, VFEmail confirmed that “all the disks on every server” had been wiped, virtually erasing the company's entire infrastructure, including mail hosts, virtual machine hosts, and a SQL server cluster, within just a few hours. “Strangely, not all VMs shared the same authentication, but all were destroyed,” VFEmail explained. “This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,”—a rare example of a purely destructive attack.
Although it is still unclear who was behind this destructive attack and how the hack was pulled off, a statement posted to the company's website pointed to the IP address 94[.]155[.]49[.]9 and the username “aktv,” which appears to be registered in Bulgaria. Romero believes the hacker behind the above-mentioned IP address most likely used a virtual machine and multiple means of access onto the VFEmail infrastructure to carry out the attack, and that as a result no single method of protection, such as 2-factor authentication, would have protected VFEmail from the intrusion.

The official website has now been restored and is running again, but all secondary domains remain unavailable. If you are an existing user, expect to find your inbox empty.

This isn't the first time the company has been attacked. In 2015, a group of hackers known as the “Armada Collective,” who also targeted Protonmail, Hushmail, and Runbox, launched a DDoS attack against VFEmail after it refused to pay a ransom.
A local privilege-escalation vulnerability in Canonical’s snapd package has been uncovered that would allow any user to obtain administrator privileges and immediate root access on affected Linux systems. Snapd is used by Linux users to download and install apps in the .snap file format.

Chris Moberly at Missing Link Security found the issue (CVE-2019-7304) and said that it resides in the snapd API. This is installed by default in Ubuntu; Moberly said in his bug report that his proof-of-concept exploits work “100% of the time on fresh, default installations of Ubuntu Server and Desktop.” He also noted that the flaw is “likely included in many Ubuntu-like Linux distributions.” Taking a page from the well-known “Dirty Cow” vulnerability, Moberly dubbed the issue “Dirty Sock,” since it revolves around the handling of sockets.

“snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket,” Canonical explained in its Ubuntu advisory, which provides patches for affected packages. “A local attacker could use this to access privileged socket APIs and obtain administrator privileges.”

Moberly elaborated in a blog post explaining the technical details of the issue. “snapd serves up a REST API attached to a local UNIX_AF socket. Access control to restricted API functions is accomplished by querying the UID associated with any connections made to that socket. User-controlled socket peer data can be affected to overwrite a UID variable during string parsing in a for-loop. This allows any user to access any API function.”

With access to the API, there are multiple methods to obtain root. The researcher developed PoCs for two of them, both of which involve creating root-level user accounts; there are likely many more approaches that could be taken, he noted. The first, dirty_sockv1, bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service.
“This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these values,” Moberly explained. The downside is that successful exploitation requires an outbound Internet connection and an SSH service accessible via localhost.

The second, appropriately named dirty_sockv2, also bypasses the access control checks of the local snapd service to use a restricted API function, this time POST /v2/snaps. “This allows the installation of arbitrary snaps,” the researcher said. “Snaps in ‘devmode’ bypass the sandbox and may include an install hook that is run in the context of root at install time. dirty_sockv2 leverages the vulnerability to install an empty ‘devmode’ snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands.”

Unlike version one, dirty_sockv2 does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments. The second exploit is also effective on non-Ubuntu systems that have snapd installed but do not support the “create-user” API that the first exploit leverages.

Moberly found the vulnerability in January and praised the snapd team for fixing the issue quickly. “I was very impressed with Canonical’s response to this issue,” he said. “The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself.”

On Ubuntu systems with snaps installed, snapd “typically will have already automatically refreshed itself to snapd 2.37.1 which is unaffected,” Canonical said. As for other Linux distros that use snapd, such as Linux Mint, Debian and Fedora, administrators should check whether the flaw is present and apply patches accordingly.
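The parsing weakness both Dirty Sock write-ups above describe (a UID overwritten during string parsing of the peer address in a for-loop, because part of that string is chosen by the connecting client) is shown below as an added example, not code from snapd or from Moberly. The "pid=..;uid=..;socket=..;" layout, the function names and the sample addresses are assumptions constructed for this example; the point is the contrast between a parser that scans the whole string and one that reads only the server-written prefix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PeerInfo holds what the server believes about the connecting client.
type PeerInfo struct {
	PID    int
	UID    int
	Socket string
}

// buildPeerAddr is an assumption for this example (not snapd's own code):
// a server labels a UNIX-socket connection with kernel-provided peer
// credentials first, then the client's own bound socket address. The
// client picks that address, so it may contain anything, ';' included.
func buildPeerAddr(pid, uid int, serverSocket, clientAddr string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s;", pid, uid, serverSocket) + clientAddr
}

// setField stores one key=value pair; a non-numeric pid or uid is an error.
func setField(p *PeerInfo, key, val string) error {
	var err error
	switch key {
	case "pid":
		p.PID, err = strconv.Atoi(val)
	case "uid":
		p.UID, err = strconv.Atoi(val)
	case "socket":
		p.Socket = val
	}
	return err
}

// parsePeerVulnerable is the bug pattern the advisory describes: the whole
// string is split on ';' and every "uid=" field overwrites the UID inside
// the loop, so a client-controlled suffix gets the last word.
func parsePeerVulnerable(addr string) (PeerInfo, error) {
	p := PeerInfo{PID: -1, UID: -1}
	for _, field := range strings.Split(addr, ";") {
		if kv := strings.SplitN(field, "=", 2); len(kv) == 2 {
			if err := setField(&p, kv[0], kv[1]); err != nil {
				return PeerInfo{PID: -1, UID: -1}, err
			}
		}
	}
	return p, nil
}

// parsePeerHardened trusts only the fixed-position prefix written by the
// server: three fields in a known order, then an opaque remainder that is
// never inspected. A missing, reordered or non-numeric prefix is rejected.
func parsePeerHardened(addr string) (PeerInfo, error) {
	bad := PeerInfo{PID: -1, UID: -1}
	parts := strings.SplitN(addr, ";", 4)
	if len(parts) != 4 {
		return bad, fmt.Errorf("malformed peer address %q", addr)
	}
	var p PeerInfo
	for i, key := range []string{"pid", "uid", "socket"} {
		kv := strings.SplitN(parts[i], "=", 2)
		if len(kv) != 2 || kv[0] != key {
			return bad, fmt.Errorf("field %d: want %s=..., got %q", i, key, parts[i])
		}
		if err := setField(&p, key, kv[1]); err != nil {
			return bad, err
		}
	}
	return p, nil
}

// allowPrivileged is the access-control decision: only a peer parsed as
// UID 0 may call a root-only API. A parse failure denies, never allows.
func allowPrivileged(parse func(string) (PeerInfo, error), addr string) bool {
	p, err := parse(addr)
	return err == nil && p.UID == 0
}

func main() {
	// Constructed samples: an unprivileged user (UID 1000) with an ordinary
	// client address, and the same user whose chosen address carries a
	// second "uid=0" field after a ';'.
	honest := buildPeerAddr(4242, 1000, "/run/example.socket", "@/tmp/client")
	smuggled := buildPeerAddr(4242, 1000, "/run/example.socket", "/tmp/x;uid=0;")
	for _, addr := range []string{honest, smuggled} {
		fmt.Printf("%-60q vulnerable=%v hardened=%v\n", addr,
			allowPrivileged(parsePeerVulnerable, addr),
			allowPrivileged(parsePeerHardened, addr))
	}
}
```

The hardened parser still accepts a genuine root peer ("pid=1;uid=0;socket=...;") and reports an error, rather than a guessed UID, when the prefix is not in the expected shape.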
A design flaw in Apple’s macOS could allow a malicious application to steal victims’ Safari web browsing history. The security hole exists in every version of the Mac’s Mojave operating system, including the macOS Mojave 10.14.3 Supplemental Update released on Feb. 7. That’s according to Mac and iOS developer Jeff Johnson, who disclosed the bug over the weekend.

The issue specifically lies in the fact that there are no permission dialogs for apps in certain folders. While enforcing permissions would mean that these folders could only be accessed by certain apps, the alternative (no permissions required) in the case of ~/Library/Safari means that apps are allowed to look inside it. And inside that folder is a user’s entire web browsing history (as well as reading list archives, remote notifications, template icons and more). Johnson said that once a malicious app has been installed on the system, it could then access the Safari library and steal the web browsing history.

“New blog post “Spying on Safari in Mojave” In which I report a newly discovered hole in macOS Mojave privacy protections. https://t.co/86HyJXlC0C” — Jeff Johnson (@lapcatsoftware), February 9, 2019

“I’ve discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user,” said Johnson in a Feb. 8 post titled Spying on Safari in Mojave. “There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.”

Johnson said that he notified Apple and privately released the technical details to the computing giant. Apple has acknowledged the vulnerability, he said. At the time of this writing, there is no patch or remediation available.
Apple has faced a slew of security issues lately – the company last week patched a major flaw in its Group FaceTime feature that allowed callers to eavesdrop on people they called even if the other party never picked up. Also last week, a researcher claimed to have found a new Apple zero-day impacting macOS that could allow an attacker to extract passwords from a targeted Mac’s keychain password management system. Threatpost reached out to Apple for comment and will update this post with any response.
Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification. In other words, the technique allows attackers to implant malware code in a secure memory region that uses the protection features of SGX, which are otherwise designed to keep important data from being read or tampered with, even on a compromised system.

Introduced with Intel's Skylake processors, SGX (Software Guard Extensions) allows developers to run selected application modules in completely isolated secure regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels such as the operating system, kernel, BIOS, SMM and hypervisor.

However, a team of researchers, some of whom were behind the discovery of the Spectre and Meltdown CPU flaws, managed to bypass this protection and get their own malicious application into a secure enclave by leveraging the age-old technique of return-oriented programming (ROP). The attack also uses Transactional Synchronization eXtensions (TSX), found in modern Intel CPUs, in conjunction with a novel fault-resistant read primitive called TSX-based Address Probing (TAP). TAP uses TSX to determine whether a virtual address is accessible by the current process, and this exploration of memory is undetectable because, by design, operating-system-level software cannot look inside an enclave.

“Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave which is then inadvertently executed by the host application,” reads a research paper [PDF] published Tuesday.
To determine whether a memory page is writable, the team developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW), which encapsulates a write instruction to the target memory page within a TSX transaction and explicitly aborts the transaction after the write. The writability of the target page can then be deduced from the return value of the transaction.

Once the malware gets its way into the secure enclave, the confidentiality and integrity that SGX fundamentally guarantees to legitimate programs also prevent researchers and security solutions from detecting and analyzing the malware within the enclave. This would eventually allow the malware to bypass various security technologies, such as operating-system-level Address Space Layout Randomization (ASLR), stack canaries and address sanitizer, as well as execute arbitrary code on the targeted system.

“Moreover, there's a potential threat of next-generation ransomware which securely keeps encryption keys inside the enclave and, if implemented correctly, prevents ransomware recovery tools,” the academics explain.

The researchers said the proof-of-concept exploit developed by their team bypassed ASLR, stack canaries and address sanitizer to “run ROP gadgets in the host context enabling practical enclave malware,” noting that the entire exploit process took 20.8 seconds. In the end, the academics concluded that instead of “protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

Mitigations against such attacks could be implemented in future generations of Intel CPUs that better sandbox the SGX enclaves. Some of those mitigations would require hardware-level changes but cost no performance; others would need no hardware modifications but would trade away some performance.
Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and in software designed to interact with various flavors of the operating system. This month's patch batch tackles some notable threats to enterprises — including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office, as well as a zero-day bug in Internet Explorer.

Some 20 of the flaws addressed in February's update bundle are weaknesses labeled “critical,” meaning Microsoft believes that attackers or malware could exploit them to fully compromise systems with little or no help from users — save for convincing a user to visit a malicious or hacked Web site.

Microsoft patched a bug in Internet Explorer (CVE-2019-0676), discovered by Google, that attackers already are using to target vulnerable systems. This flaw could allow malware or miscreants to check for the presence of specific files on the target's hard drive.

Another critical vulnerability that impacts both end users and enterprises is a weakness in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”). That flaw, CVE-2019-0626, could let an attacker execute malcode of his choice just by sending the target a specially crafted DHCP request.

At the top of the list of patch concerns mainly for companies is a publicly disclosed issue with Microsoft Exchange services (CVE-2019-0686) that could allow an attacker on the same network as the target to access the inboxes of other users. Microsoft said it has not seen active exploitation of this bug yet, but considers it likely to be exploited soon.
Security experts are fond of saying “patch now!” when it comes to Windows bugs, but in general it can’t hurt for regular users to wait a day or two after Microsoft releases monthly security updates before installing the fixes. That's because occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out. Just don't put off the task too long.

And bear in mind it’s a good idea to get in the habit of backing up your data before installing Windows updates, to hedge against the odd case in which a wonky patch ends up rendering your system unusable until you can work out how to reverse the changes. Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Microsoft also included a fix for a single vulnerability in Adobe Flash Player. Microsoft and Adobe disagree on the severity of this flaw, according to security firm Qualys: Adobe labels it an “important” bug, while Microsoft tags it with the far more severe “critical” label. Regardless, Flash flaws are favorite targets of attackers. If you browse the Web with IE or Edge, this month's patch batch from Microsoft has you covered (Microsoft bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash and now also makes users explicitly enable Flash every time they want to use it. By the summer of 2019, Google will make Chrome users go into their settings to enable it every time they want to run it.
Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

Adobe also released updates for Adobe Acrobat and Reader that plug at least 70 security holes in these applications, so if you have either installed, please be sure to update them.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.
By Carolina

To test the security of its data, Russia is considering disconnecting its Internet service for a short period of time. The test will affect all the data sent by Russian citizens or organizations, as Internet access would be limited to the national territory, meaning that it will not be routed internationally. The test has […]

This is a post from HackRead.com. Read the original post: Russian to shut down Internet to test its cyber deterrence
Microsoft has issued its second Patch Tuesday of this year to address a total of 77 CVE-listed security vulnerabilities in its Windows operating systems and other products, 20 of which are rated critical, 54 important and 3 moderate in severity. The February security update addresses flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code.

Four of the security vulnerabilities patched by the tech giant this month were reported as publicly known at the time of release, and one is being actively exploited in the wild. The vulnerability being exploited in the wild is rated as important and resides in the way Internet Explorer handles objects in memory. An attacker can trick victims into landing on a specially crafted website and exploit this vulnerability, identified as CVE-2019-0676, to check for files on a target system, leading to information disclosure. Though Microsoft has not yet shared any details about the malicious campaign exploiting this flaw, the vulnerability is likely restricted to targeted attacks.

One of the publicly disclosed but not exploited flaws, identified as CVE-2019-0636 and rated as important, concerns an information disclosure vulnerability in the Windows operating system that could allow an attacker to read the contents of files on disk. “An information vulnerability exists when Windows improperly discloses file information,” Microsoft says in its advisory. “To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application.”

As expected, almost every one of the critical-rated vulnerabilities allows remote code execution, and they primarily impact various versions of Windows 10 and Server editions.
Though there is no public exploit, the critical remote code execution vulnerabilities in SharePoint (CVE-2019-0594 and CVE-2019-0604) and Windows DHCP Server (CVE-2019-0626) are more troubling, as successful exploitation of these flaws could allow attackers to run arbitrary code and take control of the server. While some of the important-rated vulnerabilities also lead to remote code execution, others allow elevation of privilege, information disclosure, security feature bypass, and spoofing.

Users and system administrators are strongly recommended to apply the latest security patches as soon as possible to keep hackers and cybercriminals from taking control of their systems. To install the latest security patch updates, go to Settings → Update & Security → Windows Update → Check for updates on your computer, or install the updates manually.

Adobe has also rolled out security updates to fix a total of 75 vulnerabilities in its various software, 71 of which reside in Adobe Acrobat and Reader alone. Users of the affected Adobe software for Windows and macOS systems are strongly advised to update their software packages to the latest versions as soon as possible.
A new security vulnerability has been discovered in the latest version of Apple's macOS Mojave that could allow a malicious application to access data stored in restricted folders which are otherwise not accessible to every app. Discovered by application developer Jeff Johnson on February 8, the vulnerability is unpatched at the time of writing and impacts all versions of macOS Mojave, including the macOS Mojave 10.14.3 Supplemental Update released on February 7.

Certain folders in macOS Mojave are access-restricted by default, like ~/Library/Safari, which can be accessed by only a few applications, such as Finder. However, Johnson discovered a way to bypass these restrictions in Mojave, allowing applications to access ~/Library/Safari without needing any permission from the user or the system, and to read users' web browsing history.

“My bypass works with the ‘hardened runtime’ enabled,” Johnson said in a blog post published last week. “Thus, an app with the ability to spy on Safari could be ‘notarized’ by Apple (as long as it passed their automated malware checks, which I suspect would be no problem). My bypass does not work with sandboxed apps, as far as I can tell.”

Since the vulnerability has already been reported to Apple and would not get a patch until at least the next official release of Mojave, Johnson has decided not to release technical details until the flaw is resolved. Johnson also clarified that the privacy protection bypass he discovered has nothing at all to do with Safari extensions; the issue affects restricted folders in general and so could potentially impact all restricted folders on the macOS system, ~/Library/Safari among them. Since the issue resides in the new privacy protection feature introduced by Apple in macOS Mojave 10.14, Apple users running High Sierra on their Mac computers are not impacted by the vulnerability.

We will update this article as soon as we hear more from the researcher about the vulnerability. Stay tuned!