Monthly Archives: September 2014

New details suggest that Home Depot breach is nationwide

On Tuesday, investigative journalist Brian Krebs reported that sources had informed him of a potential breach involving Home Depot. Home Depot is a home improvement retailer with 2,200 stores in the U.S.

Krebs’ sources said they believe that the alleged breach could go back as far as late April or early May. If so, then a confirmed breach at Home Depot has the potential to be larger than the one at Target.

Aside from the reports from sources working with several banks, Krebs was able to add a little more weight to the breach speculation by reporting that criminals on an underground marketplace (http://rescator[.]cc) are selling two new batches of stolen credit cards.

These new batches emerged on September 2, but the source of their data isn’t clear, aside from the likelihood that the American set came from Home Depot.

On Wednesday, Krebs offered another layer of insight.

When the 1,822 ZIP codes associated with the stolen American cards were checked by Krebs, he noticed a 99 percent match when that list was compared to the 1,939 ZIP codes where a Home Depot is located. Salted Hash checked the same data set used by Krebs, as well as a manual audit on the marketplace website, and can confirm his findings.

Home Depot has only issued a brief statement to the media. Spokesperson Paula Drake said that the company is “looking into some unusual activity and we are working with our banking partners and law enforcement to investigate.”

If the breach is a reality, the question is, how did it happen?

“The Home Depot breach may have been carried out in the same fashion the Target breach was performed. Given that they are both retail chains and it affected credit cards, it’s likely that a particular type of exploit that was successful will lead to others in the same fashion. This could be by the same group or a completely unrelated group,” commented Paul Martini, CEO of iboss Network Security.

“Now, if the exfiltration of data at terminals was not the way this was performed, it’s very likely that the data was taken through more traditional means such as a botnet infection on a sensitive server or database.”

If the attackers took a more traditional approach, it’s possible they targeted an application online.

“Home Depot offers clients two payment options, one via PayPal and another through its own system,” BitDefender’s Marius Doroftei said.

“One technique hackers could have used to grab the data is through a vulnerability in Home Depot’s own payment interface [https://secure2.homedepot.com], however, since the site is SSL-secured, there is a higher probability they found a way to access the company’s storage facilities and steal the banking credentials.”

Possible ties to the JPMorgan data breach?

In a statement, Peter Tapling, the President of Authentify, singled out the new batches of credit card data being sold by criminals online. The batches are being sold under two different names; the American set under the name “American Sanctions” and the European set as “European Sanctions.”

“The ‘American Sanctions’ name for the card batches for sale is an interesting twist. Is this just a group that sympathizes with Russia? Or is it a state actor involved directly?” he asked.

The consensus, Tapling added, is that there’s a possibility the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for recent data breaches at JP Morgan and other banks. When the JPMorgan breach was announced, the source of the attack was said to be Russia, and the reasoning is speculated to be retaliatory.

But, there’s no evidence – other than a batch name – proving that the attacks are connected.

For now, Home Depot isn’t responding to requests for additional statements. Nevertheless, if you follow the money and look at the data, something somewhere has gone horribly wrong. Perhaps Home Depot doesn’t need to confirm anything.


Via: csoonline

Firefox 32 includes public key pinning, fixes critical vulnerabilities

Six security advisories – three of which are deemed critical – were addressed in the Tuesday release of Firefox 32, which also comes with some new features, including public key pinning support that is enabled by default.

Public key pinning is an extension for HTTPS/SSL that lets the browser “know” the characteristics of the legitimate certificate of a site, Wolfgang Kandek, CTO at Qualys, told SCMagazine.com in a Wednesday email correspondence, explaining that an alert is raised when going to a site where the certificates do not match.

“This mechanism defends against man-in-the-middle (MitM) attacks in SSL,” Kandek said. “A typical MitM attack that can be detected with this technology would be an entity wanting to eavesdrop on SSL communication with a site.”

Public key pinning also reduces phishing attacks, Sid Stamm, senior engineering manager of security and privacy at Mozilla, told SCMagazine.com in a Wednesday email correspondence, adding Mozilla is continuously working to stop attackers from exploiting certificates that should never have been issued.

“This can happen for many reasons, including a [certificate authority (CA)] compromise, a CA violating our policies, or even mistakes in the issuance process,” Stamm said, going on to add, “Our main goal is to reduce risk present in the CA system, and pinning will help. It makes HTTPS connections safer by providing stronger assurance that the site you think you’re on is actually the right one.”

Public key pinning in Firefox 32 is limited to Mozilla and Twitter sites, but it will expand in Firefox 33 as Mozilla adds sites that are in the Google Chrome browser. Kandek said Google Chrome has had public key pinning for about three years now.
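To make the mechanism Kandek and Stamm describe concrete, here is an added illustration (not code from Mozilla, Firefox, or the article) of how a pin check works: a pin is the SHA-256 hash of a certificate’s SubjectPublicKeyInfo, and a connection is accepted only if some certificate in the presented chain hashes to a pin on the preloaded list for that host. The SPKI byte strings, the host name and the pin list below are constructed stand-ins; real pins are computed over the DER-encoded SPKI of real certificates.

```python
import base64
import hashlib
from typing import Iterable, Tuple

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SITE_SPKI = b"CONSTRUCTED-SPKI:example.org:current-key"
BACKUP_SPKI = b"CONSTRUCTED-SPKI:example.org:backup-key"
# A key in a certificate that a compromised or misbehaving CA might validly sign:
# ordinary CA validation would accept it, pinning will not.
ROGUE_SPKI = b"CONSTRUCTED-SPKI:mis-issued-by-compromised-ca"


def spki_pin(spki_der: bytes) -> str:
    """Pin value in the form browsers use: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Hypothetical preloaded pin list: host -> set of acceptable SPKI pins.
# Firefox 32 ships such a list only for Mozilla and Twitter domains; the host
# here is a placeholder. A backup pin lets the site rotate keys without
# locking out clients that still carry the old list.
PRELOADED_PINS = {
    "example.org": {spki_pin(SITE_SPKI), spki_pin(BACKUP_SPKI)},
}


def check_pins(host: str, chain_spkis: Iterable[bytes]) -> Tuple[bool, str]:
    """Return (accept, reason) for the certificate chain a host presented.

    The chain passes when any certificate in it (leaf or intermediate) carries
    a pinned key. Hosts with no entry are unaffected, which is why pinning
    only protects the sites on the list and why the list is being expanded.
    """
    pins = PRELOADED_PINS.get(host)
    if pins is None:
        return True, "no pins for host; ordinary CA validation applies"
    presented = {spki_pin(spki) for spki in chain_spkis}
    if presented & pins:
        return True, "chain contains a pinned key"
    return False, "pin mismatch: no pinned key in chain (possible MitM or mis-issued certificate)"


if __name__ == "__main__":
    for host, chain in [
        ("example.org", [SITE_SPKI, b"CONSTRUCTED-SPKI:intermediate"]),   # normal
        ("example.org", [BACKUP_SPKI]),                                     # after key rotation
        ("example.org", [ROGUE_SPKI, b"CONSTRUCTED-SPKI:intermediate"]),  # CA-valid but not pinned
        ("unpinned.example", [ROGUE_SPKI]),                                 # host not on the list
    ]:
        accepted, why = check_pins(host, chain)
        print(f"{host}: {'ACCEPT' if accepted else 'BLOCK'} ({why})")
```

The third case is the one Stamm refers to: a certificate that chains to a trusted root but should never have been issued passes normal CA validation, and only the pin check catches it. The second case shows why a backup pin matters; with a single pin, rotating the key would make the site unreachable until every client had an updated list.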

Three critical security advisories were addressed in Firefox 32, including a use-after-free setting text directionality, a use-after-free during DOM interactions with SVG, and miscellaneous memory safety hazards, according to a post.

Fixes were issued for high impact advisories regarding an uninitialized memory use during GIF rendering, and a profile directory file access through file: protocol that only affects Firefox for Android; a moderate impact out-of-bounds read in Web Audio audio timeline advisory was also addressed, the post indicates.

Altogether, eight individual vulnerabilities were fixed. Mozilla has posted an entire list of Firefox 32 release notes here.


Via: scmagazine

CryptoWall surpasses CryptoLocker in infection rates

With CryptoLocker seemingly out of commission, its less well-known twin CryptoWall has stepped out of the shadows and thrived, in a roughly five-month period infecting 625,000 victims worldwide, encrypting 5.25 billion files, collecting more than $1.1 million in ransoms and effectively surpassing its more famous sibling in infection rates, according to a threat analysis from Dell SecureWorks Counter Threat Unit researcher Keith Jarvis.

“CryptoWall’s distribution is different in many respects, but they’ve infected 80k+ more machines (in 3 months less time) than CryptoLocker solely because they wanted to,” Jarvis told SCMagazine.com in an email correspondence. “At any time, [CryptoLocker] could have infected millions of machines if they wanted to but they made the decision not to.”

Once known as CryptoClone or CryptoDefender, CryptoWall is less sophisticated — both in terms of infrastructure and malware — than CryptoLocker but no less of a threat. But the ransom take for its authors has been less dramatic.

“Despite infecting 15 percent more machines in 50 percent less time, CryptoWall has only made 37 percent in ransoms of what CryptoLocker made,” Jarvis said. “That’s the difference between very sophisticated criminals (like the Gameover Zeus gang) who can accept, cash out, and launder dozens of prepaid cards like MoneyPak per day, versus a less mature group, like the CryptoWall operators, who have to accept bitcoins only (a currency they can sit on).”

CryptoWall victims typically paid between $200 to $2,000 in ransom to unlock their files, the company said, though one victim forked over $10,000.

“We were surprised to see one victim was charged $10k,” Jarvis said. “We don’t know why they were targeted for that much money or what type of individual or organization they were. We know they are based in the U.S. and paid in early May.”

The two families of ransomware are so similar that Dell SecureWorks researchers believe “the same threat actors may be responsible for both families, or that the threat actors behind both families are related,” Jarvis said in the threat analysis.

CTU researchers first began analyzing the ransomware that eventually became known as CryptoWall in February 2014, noting that it has been distributed at least since November 2013.

The infection vectors spreading CryptoWall have been varied — from browser exploit kits and drive-by downloads to malicious email attachments. The latter has been the primary mode of distribution since March, with the Cutwail spam botnet being used to send download links, typically through the Upatre downloader, which famously distributed Gameover Zeus until Operation Tovar took it down.

What started as a low-level infection rate in February saw a marked growth in mid-May after threat actors boosted the volume of distribution, Jarvis wrote in the threat analysis.

While early distribution showed “a bias towards systems in Asian and Middle Eastern countries,” later campaigns have ensured that “every nation in the world had at least one victim” with most infections occurring in the U.S. as a result of Cutwail spam targeting English-speaking users.

At the time that researchers were analyzing CryptoWall, they noted that the variants “terminate after successfully encrypting files and notifying the C2 server” but “may not be executing in memory on systems affected by these variants.” However, “the persistence mechanisms remain,” which ensures that the malware will run when a system is rebooted, Jarvis wrote in the threat analysis.

CryptoWall does not nab user credentials, files or metadata, the researchers found, and a functionality that early variants used “to transmit a screenshot of the infected system back to the C2 server” has been included since mid-March.

“The threat is nearly identical to CryptoLocker: the cost of extortion versus the cost of losing valuable data,” Jarvis told SCMagazine.com. “One mitigating factor with a CW vs CL infection is the former does NOT come along with a Gameover Zeus infection, so you aren’t dealing with those other aspects which include: credential theft, DDOS, banking fraud, etc. Though, CryptoWall sometimes does get implemented onto victims’ computers, alongside other malware families.”

According to the threat analysis, CryptoWall is “the largest and most destructive ransomware threat on the Internet” and is expected to “continue growing.” But Jarvis told SCMagazine.com that he expects “to see ransomware that ‘destroys files’ become the new normal.” In fact, most of the major ransomware families, such as Reveton and Urausy, “are evolving into more sophisticated threats in parallel with those like CryptoWall and CryptoLocker.”


Via: scmagazine