Google has patched a critical vulnerability in current and legacy versions of its Android operating system which allows an attacker to send a specially crafted Portable Network Graphics (.PNG) image file to a targeted device and execute arbitrary code.

In its February Android Security Bulletin, Google lists three critical Android Framework vulnerabilities (CVE-2019-1986, CVE-2019-1987, CVE-2019-1988), one of which is associated with the .PNG bug. Impacted versions of its Android OS range from Nougat (7.0) to its current Pie (9.0).

“The most severe of these issues is a critical security vulnerability in (the Android) Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” according to the security bulletin.

An attacker exploiting the flaw could remotely take over a vulnerable Android device by sending a booby-trapped image or tricking a user into following a malicious link sent via a mobile message service. Google said that it has no reports that any of the vulnerabilities listed in its February security bulletin have been exploited in the wild.

“The severity assessment is based on the effect that exploiting the (.PNG) vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” according to the Android security bulletin.

The Framework vulnerabilities accounted for three of 11 critical bugs reported Monday. In all, Google released 42 fixes, of which 30 were rated high severity. Four of the bugs were tied to Android hardware components made by NVIDIA and five to chip maker Qualcomm. Updates to Google Pixel and other vendor phones (Samsung, LG, etc.) will commence or become available within 48 hours of the Monday bulletin posting.

“Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours,” Google wrote. Detailed descriptions of the CVEs associated with Google’s February Android Security Bulletin are expected in the days ahead.

For its part, LG posted Monday six patches for critical vulnerabilities impacting its handsets, along with 21 high-severity bugs and one moderate. One of the critical fixes (CVE-2018-11847) is left over from January and tied to an unspecified Qualcomm component.

Qualcomm posted some information regarding several CVEs that were part of the February bulletin. For example, the critical bug CVE-2018-11289 is identified as a buffer-copy flaw originating from a Qualcomm chip function where “data truncation during higher to lower type conversion which causes less memory allocation than desired can lead to a buffer overflow.”

It's 2019, and just opening an innocent-looking office document file on your system can still allow hackers to compromise your computer. No, I'm not talking about yet another vulnerability in Microsoft Office, but in two of the most popular alternatives—LibreOffice and Apache OpenOffice—free, open source office software used by millions of Windows, macOS and Linux users.

Security researcher Alex Inführ has discovered a severe remote code execution (RCE) vulnerability in these two open source office suites that could be triggered just by opening a maliciously crafted ODT (OpenDocument Text) file. The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific Python library bundled within the software using a hidden onmouseover event.

To exploit this vulnerability, Inführ created an ODT file with a white-colored hyperlink (so it can't be seen) that has an “onmouseover” event to trick victims into executing a locally available Python file on their system when placing their mouse anywhere on the invisible hyperlink. According to the researcher, the Python file, named “pydoc.py,” that comes included with LibreOffice's own Python interpreter accepts arbitrary commands in one of its parameters and executes them through the system's command line or console.

PoC Exploit and Video Demo Released

Inführ provided a proof-of-concept (PoC) video demonstration showing how he was able to trick the event into calling a specific function within a Python file, which eventually executed the researcher's payload through the Windows command line (cmd) without showing any warning dialog to the user. The researcher also released the PoC exploit code for the vulnerability and stressed that though he tested his exploit on Microsoft’s Windows operating system, it should work on Linux as well.

Inführ reported the vulnerability to LibreOffice and Apache OpenOffice on October 18 last year. While LibreOffice fixed the issue by the end of that month with the release of LibreOffice 6.0.7/6.1.3, OpenOffice still appears to be vulnerable. In mid-November, Red Hat assigned the path traversal vulnerability a CVE ID and told the researcher not to disclose the details or PoC of the bug until January 31, 2019.

Inführ made the details and PoC exploit code of the vulnerability public on February 1, even though Apache OpenOffice 4.1.6 (the latest version at the time of writing) remains unpatched. However, he says his exploit code does not work on OpenOffice. “Openoffice does not allow to pass parameters; therefore, my PoC does not work but the path traversal can [still] be abused to execute a python script from another location on the local file system,” Inführ explains.

As a workaround until OpenOffice releases a security fix, users can remove or rename the pythonscript.py file in the installation folder to disable support for Python. So, merely ditching Microsoft Office for open-source office suites would not do much to protect you from such attacks unless you also adopt basic security practices.

The European Commission has issued a recall for a popular smartwatch for children, citing “serious” privacy issues that could allow a bad actor to track or communicate with kids remotely.

The issues exist in Safe-KID-One, an IoT watch made by German company Enox Group that allows parents to surveil their children using a GPS map on a companion smartphone app. However, this mobile app accompanying the watch has unencrypted communications with its backend server – enabling unauthenticated access to data, according to the EU.

“As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed,” according to the January recall. “A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”

The watch also fails to comply with the Radio Equipment Directive, a regulatory framework that requires technical features in radio equipment for the protection of privacy and personal data and against fraud. The EU urged distributors of the Safe-KID-One to recall the product from end users. The alert was submitted by Iceland.

According to Bernieri Christian, CEO of Bernieri Consulting, it’s the first Rapid Alert for dangerous products related to data protection and privacy. “I’m very happy to see #dangerous #products withdrawn from the market due to lack of data protection,” he said in a tweet. “It is the very first time. I hope that the monitoring system will keep on focusing on data protection.”

1/4 This is huge!! As far as I know, the EU has issued the FIRST Rapid Alert (#RAPEX) for dangerous products that may be related to data protection and #Privacy. This drives me crazy: the product is a smartwatch for MONITORING KIDS (#ENOX SAFE KID ONE with GSM and GPS integrated) pic.twitter.com/huFsSxDrOp — Bernieri Christian (@prevenzione) February 1, 2019

The Safe-KID-One is one of many smart watches offered by Enox Group, including health smart bands and another kid’s model watch (Safe-KID-Two). When contacted by Threatpost, Ole Anton Bieltved, the CEO and president of the Enox Group, said the Safe-KID-One was tested by the Bundesnetzagentur (also known as the Federal Network Agency, the German regulatory office of the German Federal Ministry of Economics and Technology) in 2018 and had passed regulatory tests.

“In December 2018 we got the…confirmation from them, that the watch had passed their test,” Ole Anton Bieltved told Threatpost via email. “This RAPEX announcement bases on a test in Iceland. We think this test was excessive – not reasonable, material or fair – or, based on a misunderstanding or the wrong product. We also think that the test conclusion of the Bundesnetzagentur is sufficient and rules.”

The smartwatch has not been distributed in the U.S. or the U.K., he told Threatpost. “Our customer in Iceland has made a strong protest against this test conclusion in Iceland, based on the approval of the product in Germany, and they have appealed to the authorities in charge with the demand, that this test conclusion would be reversed,” he said.

Threatpost reached out to the Federal Network Agency regarding what factors go into compliance tests – but has not yet heard back.

Smart Watch Issues

While IoT device security issues are nothing new to the infosec community, privacy problems in children’s connected smartwatches are viewed as particularly insidious. Researchers at Pen Test Partners recently found that the Gator kids’ GPS-tracking watches were exposing sensitive data involving 35,000 children — including their location, in real time. In November, the Misafes “Kids Watcher” GPS watch was found to have vulnerabilities that translate into a stalker or pedophile’s ideal toolset.

And it’s not just smartwatches: After CloudPets connected teddy bears were found to have exposed 2.2 million voice recordings between parents and their children in a significant data breach, Amazon, Target and Walmart pulled the toys from their online markets. Genesis Toys’ My Friend Cayla doll (which was banned in Germany) and Mattel’s Hello Barbie doll have also had major security issues.

The Federal Trade Commission (FTC), for its part, warned in a June statement that poorly secured IoT devices could pose a consumer safety hazard and outlined ways to mitigate such risks. Last January, the FTC announced its first settlement that involved IoT-connected toys. The FTC alleged that an app used with some of VTech’s toys gathered personal data from hundreds of thousands of children. As part of the settlement, VTech agreed to pay $650,000.

LAS VEGAS — Multiple critical vulnerabilities in the commonly used Remote Desktop Protocol (RDP) would allow a malicious actor to achieve remote code-execution over a client’s computer.

According to Check Point research released Tuesday at the CPX360 event in Las Vegas, both open-source and Microsoft proprietary RDP clients are at risk from an attacker who has either set up a malicious RDP server within a network, or who has compromised a legitimate one using other vulnerabilities.

Used by thousands upon thousands of enterprise users worldwide, RDP is a common application that allows those working remotely to connect to corporate resources, and which allows tech support staff and researchers to connect to remote computers for diagnostic and support purposes. To use RDP, teleworkers and support staff would have RDP clients installed on their machines that connect to a remote RDP server host.

“In a normal scenario, you use an RDP client, and connect to a remote RDP server that is installed on the remote computer,” Check Point explained in an analysis shared with Threatpost. “After a successful connection, you now have access to and control of the remote computer, according to the permissions of your user. But if the scenario could be put in reverse? We wanted to investigate if the RDP server can attack and gain control over the computer of the connected RDP client.”

It turns out that the vulnerabilities make it possible to do just that, essentially reversing the usual direction of communication and infecting the client computer – which in turn could then allow for an intrusion into the IT network as a whole.

According to Check Point, 16 major vulnerabilities and a total of 25 security vulnerabilities were found overall across the clients it examined. These include mstsc.exe (Microsoft’s built-in RDP client); FreeRDP (the most popular and mature open-source RDP client on GitHub, Check Point said); and rdesktop (an older open-source RDP client that comes by default in Kali Linux distros, often used by security research red teams for penetration testing). Additional analysis showed that the xrdp open-source RDP server is based on the code of rdesktop, while the RDP client NeutrinoRDP is a fork of an older version (1.0.1) of FreeRDP. So, the team postulated that these two probably suffer from similar vulnerabilities as the parent code.

Attack Scenarios

Check Point analysis shows that there are a few common scenarios in which an attacker can gain elevated network permissions by deploying such an attack, thus advancing his lateral movement inside an organization. For instance, a malefactor could attack an IT member that connects to an infected work station inside the corporate network, thus gaining higher permission levels and greater access to the network systems. Or, a bad actor could attack a malware researcher that connects to a remote sandboxed virtual machine that contains a tested malware. This allows the malware to escape the sandbox and infiltrate the corporate network. A third, less likely scenario would be if blue security research teams installed organizational honeypots to attack red teams that try to connect to them through the RDP protocol.

As mentioned, the feasibility of any attack relies on the perpetrator gaining prior access to an RDP server (or setting up a rogue one) – a notable mitigating factor.

Open-Source RDP Flaws

rdesktop

The analysis kicked off with manually parsing the code for rdesktop v1.8.3, with the researchers finding “several vulnerable patterns in the code.” At the end of the process, the team had uncovered 11 vulnerabilities with a major security impact, and 19 vulnerabilities overall in the library.

The most severe of these, RCE flaws CVE-2018-20179 through CVE-2018-20181, arise from the fact that the code doesn’t check that the packet sent by the server is the right size before trying to parse it. If the server sends too many bytes (more than eight), the stream connecting the server to the client breaks, allowing for an information disclosure.

“The fields ‘length’ and ‘flags’ are parsed from the stream ‘s,’ without checking that ‘s’ indeed contains the required eight bytes for this parsing operation,” according to the analysis. “While this usually only leads to an out-of-bounds read, we can combine this vulnerability with an additional vulnerability in several of the inner channels and achieve a much more severe effect.”

Three logical channels share this second vulnerability: “lspci,” “rdpsnddbg” (a debug channel that is always active) and “seamless.” If an RDP server has a malicious, proprietary implementation of a process called “STRNCPY” (the researchers didn’t detail this), it’s possible to trigger a massive heap-based buffer overflow when copying data to the small allocated heap buffer.

“By chaining together these two vulnerabilities, found in three different logical channels, we now have three remote code-execution vulnerabilities,” according to the analysis.

Another concerning RCE flaw, CVE-2018-8795, is an integer-overflow flaw when processing screen-content updates. “Although width and height are only 16 bits each, by multiplying them together with bits-per-pixel, we can trigger an integer-overflow,” analysts noted. “Later on, the bitmap decompression will process our input and break on any decompression error, giving us a controllable heap-based buffer-overflow.”

rdesktop has patched the issues as part of its v1.8.4 release.

FreeRDP

The researchers also looked at FreeRDP v2.0.0-rc3, which initially fares better in some ways than rdesktop; there are, for instance, minimal size checks before parsing data from the server. “However, after a deeper examination, we started to find cracks in the code,” the team said. Overall, there were six flaws in the library, five of which represent a major security impact.

For one, FreeRDP suffers from the same screen-content integer-overflow RCE flaw, in this case assigned CVE-2018-8787. Unique to FreeRDP, however, is the CVE-2018-8786 RCE flaw, which is an integer-truncation problem that arises when trying to calculate the required capacity for the bitmap updates array. “Later on, rectangle structs will be parsed from our packet and into the memory of the too-small allocated buffer,” analysts explained. “This specific vulnerability is followed by a controlled amount (“bitmapUpdate->number”) of heap allocations (with a controlled size) when the rectangles are parsed and stored to the array, granting the attacker a great heap-shaping primitive.”

FreeRDP has patched the flaws as part of its 2.0.0-rc4 release. The researchers released a proof-of-concept video: https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/04145259/RDP-Attack_Check-Point-Demo-Video.mp4

Microsoft’s RDP Client

As part of its research, the team also reverse-engineered Microsoft’s RDP client, Build 18252.rs_prerelease.180928-1410. “Microsoft’s implementation is much better than the implementations we tested previously,” the researchers said. “Actually, it seems like Microsoft’s code is better by several orders of magnitude.”

The code, for instance, contains several optimization layers for efficient network streaming and robust input and decompression checks to guarantee that no byte will be written past the destination buffer, and there are checks for integer-overflows when processing bitmap updates.

However, the team uncovered what it considers to be a major flaw in the copy-and-paste clipboard feature, which allows information to be transferred over an RDP connection. The server accesses the clipboard through a broker application called rdpclip.exe. This talks to the RDP service using a dedicated virtual channel API. However, Microsoft’s code doesn’t verify that what’s being sent hasn’t been tampered with.

“A malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer,” according to the analysis. “For example, we can drop malicious scripts to the client’s startup folder, and after a reboot, they will be executed on his computer, giving us full control.”

Check Point created a PoC exploit, where the researchers “simply killed rdpclip.exe, and spawned our own process to perform the path-traversal attack by adding additional malicious file to every copy-and-paste operation:” https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/04145454/RDP-Attack_-Check-Point-2nd-Demo-Video.mp4

The attack was performed with “user” permissions, and does not require the attacker to have system or any other elevated permission.

Also, they found that every time a clipboard is updated on either side of the RDP connection, a message is sent to the other side to notify it about the new clipboard formats that are now available. “We can think of it as a complete sync between the clipboards of both parties,” the team noted. “This means that our malicious server is notified whenever the client copies something to his ‘local’ clipboard, and it can now query the values and read them.”

So, for instance, if a client locally copies an admin password, the server would then have it too. In addition, the server can notify the client about a clipboard update without the need for a copy operation inside the RDP window, thus allowing an attacker to completely control the client’s clipboard without being noticed.

“A malicious RDP server can modify any clipboard content used by the client, even if the client does not issue a copy operation inside the RDP window,” according to the analysis. “If you copy a file on your computer, the server can modify your file, piggy-back on your copy to add additional files, or carry out the path-traversal files using the previously shown [attack].”

According to Check Point, Microsoft acknowledged the findings, but said that the issues aren’t severe enough to address: “As a result, this path traversal has no CVE-ID, and there is no patch to address it,” according to the analysis, which adds that the team recommends that users disable the clipboard-sharing channel (on by default) when connecting to a remote machine.

Threatpost reached out to Microsoft, and will update this post with any response.
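The two open-source bug classes above, a header parsed without confirming the stream holds it and a bitmap size computed from three 16-bit fields in 32-bit arithmetic, reduce to a couple of checks a client parser should make. The following is an added illustration, not code from rdesktop, FreeRDP or Check Point; the stream_t cursor, the field layout and the 64 MiB bitmap cap are constructed for the example.

```c
/* Defensive parsing patterns for the rdesktop/FreeRDP bug classes described
 * above. Added example, not project code; stream_t, the header layout and the
 * 64 MiB cap are constructed assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A read cursor over one received packet. */
typedef struct {
    const uint8_t *p;   /* next byte to parse */
    const uint8_t *end; /* one past the last received byte */
} stream_t;

void stream_init(stream_t *s, const uint8_t *buf, size_t len) {
    s->p = buf;
    s->end = buf + len;
}

size_t stream_remaining(const stream_t *s) {
    return (size_t)(s->end - s->p);
}

/* Little-endian 32-bit read that refuses to run past the packet. */
bool stream_read_u32(stream_t *s, uint32_t *out) {
    if (stream_remaining(s) < 4)
        return false;
    *out = (uint32_t)s->p[0] | ((uint32_t)s->p[1] << 8) |
           ((uint32_t)s->p[2] << 16) | ((uint32_t)s->p[3] << 24);
    s->p += 4;
    return true;
}

/* The 'length' and 'flags' header the analysis says rdesktop parsed without
 * first confirming that eight bytes were present. Checking up front rejects a
 * short packet and leaves the cursor untouched instead of reading past it. */
bool parse_channel_header(stream_t *s, uint32_t *length, uint32_t *flags) {
    if (stream_remaining(s) < 8)
        return false;
    return stream_read_u32(s, length) && stream_read_u32(s, flags);
}

/* The vulnerable pattern behind CVE-2018-8795 / CVE-2018-8787: three 16-bit
 * fields multiplied in 32-bit arithmetic. The product can wrap to a value far
 * smaller than the real bitmap, so a later allocation is too small. */
uint32_t bitmap_bits_wrapping32(uint16_t width, uint16_t height, uint16_t bpp) {
    return (uint32_t)width * height * bpp;
}

/* Hardened form: widen before multiplying, then bound the result before it is
 * used as an allocation size. Stores the byte size and returns true on success. */
bool bitmap_bytes_checked(uint16_t width, uint16_t height, uint16_t bpp,
                          size_t *out) {
    const uint64_t max_bytes = 64ULL * 1024 * 1024; /* constructed policy cap */
    if (width == 0 || height == 0 || bpp == 0 || bpp > 32)
        return false;
    uint64_t bits = (uint64_t)width * height * bpp; /* fits in 64 bits */
    uint64_t bytes = (bits + 7) / 8;
    if (bytes > max_bytes)
        return false;
    *out = (size_t)bytes;
    return true;
}

int main(void) {
    /* Constructed packets: a well-formed 8-byte header and a 6-byte runt. */
    const uint8_t good[8] = {0x10, 0, 0, 0, 0x03, 0, 0, 0};
    const uint8_t runt[6] = {0x10, 0, 0, 0, 0x03, 0};
    stream_t s;
    uint32_t length = 0, flags = 0;
    size_t bytes = 0;
    bool ok;

    stream_init(&s, good, sizeof good);
    ok = parse_channel_header(&s, &length, &flags);
    printf("good header: ok=%d length=%u flags=%u\n", ok, length, flags);

    stream_init(&s, runt, sizeof runt);
    ok = parse_channel_header(&s, &length, &flags);
    printf("runt header: ok=%d, %zu bytes left unread\n", ok, stream_remaining(&s));

    printf("16384x16384x16bpp in 32-bit arithmetic: %u bits\n",
           bitmap_bits_wrapping32(16384, 16384, 16));
    ok = bitmap_bytes_checked(16384, 16384, 16, &bytes);
    printf("same bitmap, checked: ok=%d\n", ok);
    ok = bitmap_bytes_checked(640, 480, 32, &bytes);
    printf("640x480x32bpp, checked: ok=%d bytes=%zu\n", ok, bytes);
    return 0;
}
```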

What’s in a name? When it comes to advanced persistent threat groups, it is often quite a bit. While their monikers may seem whimsical – Fancy Bear, Double Secret Octopus, Ocean Lotus and Darkhotel – the reality is these are not arbitrary names. In fact, many are similar to schoolyard nicknames or a type of shorthand – tied to the attributes of the mysterious groups behind cyberattacks.

Generally speaking, it’s difficult to determine the exact entity behind an APT group. Not that it’s impossible, but while researchers might suspect that a certain country could be funding and directing an APT’s hacking, espionage and malware activity, all too often such attribution is based more on instinct or suspicions than hard evidence. Throw in false flags and other attempts to throw threat-hunters off the trail, and it becomes a dicey business to point a decisive finger at a suspected culprit after or during a cyberattack campaign.

APT Anchor Panda is a Chinese threat actor that targets maritime operations. (See slideshow below for more APT illustrations.) Credit: CrowdStrike

This is also, of course, a high-stakes business. If the security community throws its consensus behind, say, an Iranian military wing funding the latest wiper campaign that’s sabotaging critical infrastructure, the geopolitical ramifications of that pronouncement could be severe.

That’s why security researchers instead tend to take an FBI-like profiling approach for these gangs. Even if a serial killer’s identity isn’t known, the FBI examines the modus operandi behind the criminal to build a solid outline of the person behind the crime. That was the impetus behind pseudonyms such as the Boston Strangler or the Zodiac Killer. Similarly, cybercrime researchers build profiles based on typical targeting, tactics, malware and techniques, in order to follow APT activity and campaigns around the world. Sometimes they are also given names, which act as a handy way to organize and catalogue threat patterns – often with a nod to the geography they’re thought to be associated with.

Why So Many Aliases?

When it comes to the names themselves, security firms tend to have their own naming conventions, meaning that there will be multiple aliases for any given APT group. It makes for a confusing state of affairs, but it’s unlikely to be resolved anytime soon.

For instance, researchers at CrowdStrike and CyberX and others use animal names that are associated with geography. Panda, for instance, refers to China, while a reference to “cat” or “kitten” means Iran (either for Persian cats, or the shape of the country, depending on which researcher you talk to). Lotus meanwhile tends to point to Vietnam, and names containing “bear” are reserved for Russia.

Meanwhile, FireEye/Mandiant takes a more clinical approach, and uses numbers, i.e., APT33. Ben Read, senior manager of analysis at FireEye, explained that the numbers correspond to internal country codes. “We take the responsibility of attributing an APT to a country seriously – but at the same time our naming system designates the country by design. Because we have to make that call before we give them a name and it puts us into a little bit of a box,” he said. So, until the researchers achieve a high degree of confidence on who’s behind an attack, they might assign a temporary name, to be changed to a number later.

And sometimes the naming process is a more fun, individualized exercise. “CrowdStrike’s Dmitri Alperovitch is rumored to have named the Fancy Bear APT after the fact that the Sofacy malware that it uses reminded him of the song ‘Fancy’ from Australian singer Iggy Azalea,” explained Phil Neray, vice president of industrial cybersecurity for CyberX. “The song has a lyric that goes, ‘I’m so fancy can’t you taste this gold,’ so CrowdStrike named them Fancy Bear, a.k.a. APT 28 in FireEye’s convention.” Fancy Bear is also called Pawn Storm, Sofacy Group, Sednit and STRONTIUM.

In some cases, APT names proliferate thanks to one-upmanship and marketing. If researchers from one company can give an APT a catchy name that sticks with the public, then research competitors may have to succumb to using their rival’s APT name.

Another reason for the plethora of aliases is the fact that each security company is working from its own set of data. “You’re really naming groups of behavior, and these can overlap and get really messy,” said Jill Sopko, senior security researcher at NETSCOUT. “We as a security community are stronger based on our differences. Some teams can see specific actors’ effects on servers or routers, while we see more on the network traffic side. Working together, we can help define the tools, tactics and procedures at play in order to come together and say yes this is what we’re talking about – but even then, in a year our definitions and attribution criteria might diverge. Now that the Sofacy malware is out in the wild for instance, anyone can use it, not just APT28 – so it’s certainly not an exact science to determine which APT is responsible for which campaign.”

FireEye’s Read added, “where it gets tricky is the fact that there are weird overlapping circles within the APT community, and they may be sharing tools but operating separately.”

Hiding Their Tracks

APT tracking and naming has become more difficult in recent years thanks to better efforts to thwart identification. This includes using commodity malware that’s common in the wild, or leaving fake artifacts for researchers to find – and misinterpret.

“For at least four years we’ve seen APTs trying to implant things inside the malware to derail researchers,” said Neatsun Ziv, vice president of threat prevention at Check Point. “They might change the language or the timestamp of the malware in order to be associated with working hours in a certain country, so the attack will look like it’s from somewhere else.”

Perhaps the best example of this is the Olympic Destroyer campaign, which employed an eponymous wiper malware to briefly disrupt the Winter Olympic Games in South Korea last February. Despite its name, Olympic Destroyer has targeted victims beyond the Games in the months since, using spear-phishing emails with attached documents containing malicious macros as its initial threat vector. The group’s doc files and macro obfuscators have unique characteristics that can be used to distinguish them from other droppers. For instance, most droppers include one of three document author names: James, John or AV. These “fingerprints” are important for researchers tracking the group, because they’re so few and far between, analysts said.

Between a lack of distinguishing characteristics and the numerous false flags built into the code to make it look like the work of other well-known APTs, Kaspersky Lab has called efforts to identify the group “attribution hell” — an assessment that has evolved into dubbing the group “Hades” as a catch-all. Hades is a biblical reference widely associated with a hell-like underworld.

“The APT tried to pin it on Lazarus Group from North Korea, by inserting code into the malware that only North Koreans have used in the past,” said Neray. “I suspect this is actually a Russian group, mad about the doping ban or something like that.”

Some research outfits have not only named APTs, they have created memorable images for them. Have a look.

Slideshow: “Ocean Lotus” (credit: Volexity); “Deep Panda” (credit: source unknown); “Fancy Bear” (credit: CrowdStrike); “Charming Kitten” (credit: ClearSky Security); “Lazarus Group” (credit: Kaspersky Lab); “DarkHotel” (credit: Kaspersky Lab).

Attribution: A Thorny Arena

Sophisticated attempts by APTs to obscure their identities have given rise to a spirited discussion of the role of security firms when it comes to attribution.

“We do think attribution can be valuable when you’re doing a risk profile,” said Read. “If you’re dealing with a spear-phishing incident, attribution may not seem like the most vital thing.” However, if you open a new office in a country, or do a business deal with a state-run entity, and then find yourself attacked, it helps to know who’s behind the attack, he said.

“We try to draw on all sources of data when we’re doing this,” Read said. “It’s multifactored, and we look at the devices targeted, the type of phish, which folder the APT is hiding data in, what passwords were compromised and how – we gather everything that has happened in this incident and then say, okay, who is this – is it a bigger broader group that we know, or is it something new?”

Ziv at Check Point said that the stakes vary depending on the incident. “If we’re talking about attacks on critical infrastructure – we need to know who’s trying to do that, who’s targeting you, so you can boost your security,” he said. “Black Energy crippled Ukraine’s power grid, and that is not a small thing at all.”

Attribution also tends to be incremental and evolve over time. “First we give it a campaign name,” explained NETSCOUT’s Sopko. “Over time, you may amass enough information to make it a group – if it has a solid history, and you have an understanding of group’s operation, infrastructure, capabilities and victims — then you can put that against a larger geopolitical landscape.”

By Waqas

The IT security researchers at Check Point have identified a new malware called SpeakUp targeting Linux and macOS – the new findings prove that there has been a surge in malware attacks against Linux and Apple devices. SpeakUp is a new backdoor Trojan that is being distributed by cybercriminals through a malicious new campaign designed […]

This is a post from HackRead.com. Read the original post: New cryptocurrency malware SpeakUp hits Linux & Mac devices

Godaddy.com, the world's largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy's fix hasn't gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion and bomb threat spam campaigns throughout 2018 — an adversary that's been dubbed “Spammy Bear” — achieved an unusual amount of inbox delivery by exploiting a weakness at GoDaddy which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain.

Spammy Bear targeted dormant but otherwise legitimate domains that had one thing in common: They all at one time used GoDaddy's hosted Domain Name System (DNS) service. Researcher Ron Guilmette discovered that Spammy Bear was able to hijack thousands of these dormant domains for spam simply by registering free accounts at GoDaddy and telling the company's automated DNS service to allow the sending of email with those domains from an Internet address controlled by the spammers.

Very soon after that story ran, GoDaddy said it had put in place a fix for the problem, and had scrubbed more than 4,000 domain names used in the spam campaigns that were identified in my Jan. 22 story. But on or around February 1, a new spam campaign that leveraged similarly hijacked domains at GoDaddy began distributing Gand Crab, a potent strain of ransomware.

As noted in a post last week at the blog MyOnlineSecurity, the Gand Crab campaign used a variety of lures, including fake DHL shipping notices and phony AT&T e-fax alerts. The domains documented by MyOnlineSecurity all had their DNS records altered between Jan. 31 and Feb. 1 to allow the sending of email from Internet addresses tied to two ISPs identified in my original Jan. 22 report on the GoDaddy weakness.

“What makes these malware laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation,” MyOnlineSecurity observed. “There are dozens, if not hundreds of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years.”

A “passive DNS” lookup shows the DNS changes made by the spammers on Jan. 31 for one of the domains used in the Gand Crab spam campaign documented by MyOnlineSecurity. Image: Farsight Security.

In a statement provided to KrebsOnSecurity, GoDaddy said the company was confident the steps it took to address the problem were working as intended, and that GoDaddy had simply overlooked the domains abused in the recent GandCrab spam campaign.

“The domains used in the Gand Crab campaign were modified before then, but we missed them in our initial sweep,” GoDaddy spokesperson Dan Race said. “While we are otherwise confident of the mitigation steps we took to prevent the dangling DNS issue, we are working to identify any other domains that need to be fixed.”

“We do not believe it is possible for a person to hijack the DNS of one or more domains using the same tactics as used in the Spammy Bear and Gand Crab campaigns,” Race continued. “However, we are assessing if there are other methods that may be used to achieve the same results, and we continue our normal monitoring for account takeover. We have also set up a reporting alias at dns-spam-concerns@godaddy.com to make it easier to report any suspicious activity or any details that might help our efforts to stop this kind of abuse.”

That email address is likely to receive quite a few tips in the short run.

Virus Bulletin editor Martijn Grooten this week published his analysis on a January 29 malware email campaign that came disguised as a shipping notice from UPS. Grooten said the spam intercepted from that campaign included links to an Internet address that was previously used to distribute GandCrab, and that virtually all of the domains seen sending the fake UPS notices used one of two pairs of DNS servers managed by GoDaddy.

“The majority of domains, which we think had probably had their DNS compromised, still point to the same IP address though,” Grooten wrote. That IP address is currently home to a Web site that sells stolen credit card data.

The fake UPS message used in a Jan. 29 Gand Crab malware spam campaign. Source: Virus Bulletin.

Grooten told KrebsOnSecurity he suspects criminals may have succeeded at actually compromising several of GoDaddy's hosted DNS servers. For one thing, he said, the same pair (sometimes two pairs) of name servers keep appearing in the same campaign.

“In quite a few campaigns we saw domains used that were alphabetically close, [and] there are other domains used that had moved away from GoDaddy before these campaigns, yet were still used,” Grooten said. “It's also interesting to note that hundreds — and perhaps thousands — of domains had their DNS changed within a short period of time. Such a thing is hard to do if you have to log into individual accounts.”

GoDaddy said there has been no such breach. “Our DNS servers have not been compromised,” Race said. “The examples provided were dangled domains that had zone files created by the threat actor prior to when we implemented our mitigation on January 23. These domain names were parked until the threat actors activated them. They had the ability to do that because they owned the zone files already. We’re continuing to review customer accounts for other potential zone entries.”

First emerging in early 2018, Gand Crab has been dubbed “the most popular multi-million dollar ransomware of the year.” Last week, KrebsOnSecurity was contacted by a company hit with Gand Crab in late January after an employee was taken in by what appears to be the same campaign detailed by Virus Bulletin.

Charlene Price is co-owner of A.S. Price Mechanical, a small metal fabrication business in Gilbert, South Carolina. Price said an employee was tricked into infecting one of their hard drives with Gand Crab, which encrypted the drive and demanded $2,000 in bitcoin for a key needed to unlock the files.

While Price and her husband consulted with tech experts and debated what to do next, the extortionists doubled the ransom demand to $4,000.

Sites like nomoreransom.org distribute free tools and tutorials that can help some ransomware victims recover their files without paying a ransom demand, but those tools often only work with specific versions of a particular ransomware strain. Price said the tool nomoreransom.org made available for Gand Crab infections was unable to decrypt the files on her scrambled hard drive.

“It’s not fair or right and this is unjust,” Price said. “We have accepted the fact, for now, that we are just locked out our company’s information. We know nothing about this type of issue other than we have to pay it or just start again.”

Update: 2:55 p.m. ET: Added statement from GoDaddy.
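The hijacks above were visible in passive DNS as a sudden appearance of MX and SPF records on a domain that had been dormant for years: the spammers did not need to touch the web site, only to tell the hosted DNS which Internet addresses may send mail as the domain. The following Python script is an added example, not code from KrebsOnSecurity, MyOnlineSecurity or Farsight, of the check a domain owner or abuse team can run over two passive-DNS snapshots. The domain, nameserver and mail host names, the documentation-prefix addresses, and the "watchlist" of suspect ranges are all constructed placeholders; the report did not publish the ISP ranges.

```python
"""Diff two passive-DNS snapshots of a domain and report which added records
let a new party send mail as that domain (MX, and the ip4/ip6 ranges an SPF
TXT record authorizes). Added example; the snapshots below are constructed to
resemble the Jan. 31 change described above and are not Farsight data."""
import ipaddress
from collections import defaultdict

# Constructed snapshots: (owner name, RR type, RDATA). Nameserver and mail
# host names are placeholders; the address ranges are documentation prefixes
# standing in for the spammers' ISP ranges.
BEFORE = [
    ("dormant-example.com.", "NS", "ns1.hosteddns.example."),
    ("dormant-example.com.", "NS", "ns2.hosteddns.example."),
    ("dormant-example.com.", "A", "198.51.100.10"),
]
AFTER = BEFORE + [
    ("dormant-example.com.", "MX", "10 mail.dormant-example.com."),
    ("dormant-example.com.", "TXT", '"v=spf1 ip4:203.0.113.0/24 ip4:192.0.2.44 -all"'),
    ("mail.dormant-example.com.", "A", "203.0.113.7"),
]
# Constructed watchlist standing in for the ISP ranges named in the report.
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]


def rrset_index(records):
    """Group records into {(name, type): {rdata, ...}} so diffs are set operations."""
    idx = defaultdict(set)
    for name, rtype, rdata in records:
        idx[(name.lower(), rtype.upper())].add(rdata)
    return idx


def diff_snapshots(before, after):
    """Return (added, removed) as lists of ((name, type), rdata)."""
    b, a = rrset_index(before), rrset_index(after)
    added = [(k, v) for k in a for v in sorted(a[k] - b.get(k, set()))]
    removed = [(k, v) for k in b for v in sorted(b[k] - a.get(k, set()))]
    return added, removed


def spf_networks(txt):
    """Split an SPF record into the networks it authorizes outright (ip4:/ip6:)
    and the mechanisms that need live DNS to resolve (include:, a, mx, ...)."""
    txt = txt.strip().strip('"')
    if not txt.lower().startswith("v=spf1"):
        return [], []
    nets, unresolved = [], []
    for term in txt.split()[1:]:
        mech = term.lstrip("+-~?")          # drop the qualifier, keep the mechanism
        low = mech.lower()
        if low == "all":
            continue
        if low.startswith(("ip4:", "ip6:")):
            try:
                nets.append(ipaddress.ip_network(mech.split(":", 1)[1], strict=False))
            except ValueError:
                unresolved.append(mech)      # malformed: surface it rather than drop it
        else:
            unresolved.append(mech)
    return nets, unresolved


def new_mail_authorizations(before, after, watchlist=WATCHLIST):
    """Records added between snapshots that change who may send mail as the domain."""
    added, _ = diff_snapshots(before, after)
    out = {"mx": [], "spf_networks": [], "spf_unresolved": [], "watchlist_hits": []}
    for (name, rtype), rdata in added:
        if rtype == "MX":
            out["mx"].append((name, rdata))
        elif rtype == "TXT":
            nets, unresolved = spf_networks(rdata)
            out["spf_networks"] += [str(n) for n in nets]
            out["spf_unresolved"] += unresolved
            out["watchlist_hits"] += [str(n) for n in nets for w in watchlist
                                      if n.version == w.version and n.overlaps(w)]
    return out


if __name__ == "__main__":
    for key, val in new_mail_authorizations(BEFORE, AFTER).items():
        print(f"{key}: {val}")
```

On the constructed snapshots the script reports one new MX, two newly authorized sender networks, and one overlap with the watchlist. Mechanisms such as include: or mx are listed rather than expanded, since resolving them needs live DNS and would pull in whatever the attacker's include target currently says; an alert on any new TXT or MX appearing on a domain you consider dormant is the useful signal, regardless of what the record resolves to.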

Source

By Waqas. The Canada-based cryptocurrency exchange QuadrigaCX has suffered a major setback after the untimely death of its founder and CEO Gerald Cotten. Apparently, Cotten had exclusive and crucial information about the exchange’s password. Now that the CEO is no more, the exchange claims to have lost access to an exorbitant virtual currency amount that totals around […] This is a post from HackRead.com. Read the original post: Crypto exchange loses access to $145M after CEO dies without giving password

Source

A cyber-espionage campaign has been spotted targeting recipients of a mailing list run by the Central Tibetan Administration (CTA). India’s CTA is an organization officially representing the Tibetan government-in-exile. The territory of Tibet is administered by the People’s Republic of China, but the CTA considers that an illegitimate military occupation and instead holds that Tibet is a distinct, independent nation.

Researchers with Cisco Talos recently discovered emails spamming subscribers on the CTA’s mailing list. The emails, which purport to be from the CTA, said they were commemorating the upcoming 60th anniversary of the Dalai Lama’s exile on March 31 with an attached Microsoft PowerPoint document titled “Tibet Was Never A Part of China.”

However, the attachment is actually a malicious PPSX file used as a dropper that lets an attacker execute JavaScript and eventually download a payload onto the victims’ systems. That payload, a remote access trojan (RAT) called ExileRAT, scoops up the computer’s information.

“Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain,” researchers Warren Mercer, Paul Rascagneres and Jaeson Schultz said in a Monday analysis. “This is just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons.”

Researchers told Threatpost that they had no further information for now regarding the bad actor behind this campaign.

Infection Method

Craig Williams, director of outreach for Cisco Talos, told Threatpost that the firm observed the first sample from the campaign on Jan. 30. While it is unknown how many are on the CTA’s mailing list, it appears everyone on the mailing list received the email. The mailing list’s infrastructure is run by India-based DearMail.

Researchers said that attackers modified the standard “Reply-To” header so that any responses would be directed back to an email address belonging to the bad actors (mediabureauin [at] gmail.com). The email message is entitled “Tibet-was-never-a-part-of-China.”

Researchers said the email message contained a malicious PPSX file attachment meant to attack subscribers of the CTA mailing list. PPSX is a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document. The attached document is a large slide show (made up of over 240 slides). Interestingly, the document is actually a copy of a legitimate PDF available for download from the CTA’s tibet.net homepage, researchers said.

“The slideshow’s file name, ‘Tibet-was-never-a-part-of-China,’ is identical to a legitimate PDF published Nov. 1, 2018, which demonstrates the attacker moved quickly to abuse this,” they said.

This attack exploits CVE-2017-0199, a high-severity vulnerability in Microsoft Office which allows remote attackers to execute arbitrary code via a crafted document. Once opened, the malicious PPSX file executes JavaScript that is responsible for downloading the payload, ExileRAT (“syshost.exe”), from the command-and-control (C2) server. ExileRAT is capable of siphoning information on the system (computer name, username, listing drives, network adapter, process name), pushing files and executing or terminating processes.

Link to LuckyCat RAT

Interestingly, the infrastructure used for the C2 in the campaign was previously linked to the LuckyCat Android RAT, and researchers found that the C2 domain featured an Android RAT created on Jan. 3. It’s important to note that LuckyCat was not used in the spam campaign attack from the CTA mailer; it simply shared a C2. The LuckyCat Android RAT was used in 2012 against Tibetan activists, in a campaign targeting pro-Tibetan sympathizers, researchers said.

“This newer [Jan. 3] version includes the same features as the 2012 version (file uploading, downloading, information stealing and remote shell) and adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing,” said Cisco’s researchers.

Source