Monthly Archives: April 2017

Hacker sets off emergency sirens in Dallas

A hacker set off all 156 of Dallas’s emergency sirens Friday night.

“It does appear at this time it was a hack, and it does appear this came from the Dallas area,” Sana Syed, the city’s managing director of public information, said at a Saturday news conference.

The alarms sounded at about 11:40 p.m. and were turned off by 1:20 a.m. Saturday, but not before officials had to shut down Dallas’s emergency system.

The FBI sought to assure residents – thousands of whom called 911 – by tweeting that the emergency sirens were malfunctioning and noting there was no bad weather or active emergency afoot. Authorities are investigating.

via: scmagazine

Critical Office Zero-Day Exploited in Attacks

An unpatched critical vulnerability in Microsoft Office is being exploited by malicious actors to achieve full code execution on target machines, McAfee and FireEye security researchers warn.

The vulnerability resides in the Object Linking and Embedding (OLE) functionality in Office and can be abused to create malicious RTF (Rich Text Format) documents that link to HTA (HTML Application) files hosted on remote servers. These HTA files load and execute a final malicious Visual Basic script.

“Because .hta is executable, the attacker gains full code execution on the victim’s machine,” McAfee explains, adding that the malicious RTF samples they observed were using the .doc extension.

Both McAfee and FireEye explain that this logical bug allows attackers to bypass memory-based mitigations developed by Microsoft, as well as other security products. The malicious documents are used to download and execute malicious payloads pertaining to various well-known malware families.

The HTA files used in the observed attacks were masquerading as normal RTF files to trick users and evade detection. When successful, the exploit closes the original Office document, then opens a new one and displays it to the victim, while the malicious code is being installed in the background.

“In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link,” FireEye explains.

The vulnerability was initially observed in January, but attacks that leverage it continue to surface, McAfee says. The security company said that all Office versions are affected by this issue, including Office 2016 on Windows 10.

According to FireEye, they too have been aware of the vulnerability for some time, but they have been coordinating with Microsoft for several weeks to release information on the matter only after a patch was available. Microsoft’s next set of security patches is scheduled to roll out as soon as this Tuesday.

Users are advised to avoid opening Office files that come from unknown sources and to leave Office Protected View enabled to ensure no malicious code runs without their knowledge. Apparently, the vulnerability can’t bypass Protected View.
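The two things a defender can check for without a sample of the exploit itself are the ones the reports describe: RTF content hiding behind a .doc extension, and an RTF that carries an OLE object at all. The triage routine below is an added example (not code from McAfee, FireEye or Microsoft); the file magics and the `\object`, `\objdata`, `\objlink`, `\objautlink` and `\objupdate` control words come from the RTF and OLE Compound File specifications, and the sample documents are constructed, harmless fragments.

```python
import re

# Standard signatures (from the file-format specifications, not from the reports):
RTF_MAGIC = b"{\\rtf"
# Legacy binary .doc files are OLE Compound Files and start with this magic.
OLE_CF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# RTF control words that introduce an embedded or linked OLE object and its data.
OLE_OBJECT_RE = re.compile(rb"\\(object|objdata|objupdate|objautlink|objlink)\b")


def triage_office_file(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one Office attachment.

    Check 1: does the content match the extension?  The observed samples were
             RTF text delivered as .doc, so that mismatch is flagged, as is a
             .doc that is not an OLE Compound File at all.
    Check 2: does an RTF carry an OLE object?  The exploit rides on OLE linking,
             so a linked (\\objlink / \\objautlink) object that is forced to
             refresh on open (\\objupdate) is exactly what to sandbox first.
    """
    findings: list[str] = []
    lowered = filename.lower()
    is_rtf = data.startswith(RTF_MAGIC)

    if lowered.endswith(".doc") and is_rtf:
        findings.append("RTF content delivered with a .doc extension")
    elif lowered.endswith(".doc") and not data.startswith(OLE_CF_MAGIC):
        findings.append(".doc extension but not an OLE Compound File")

    if is_rtf:
        words = {m.group(1).decode() for m in OLE_OBJECT_RE.finditer(data)}
        if "object" in words or "objdata" in words:
            findings.append("RTF contains an embedded OLE object (\\object/\\objdata)")
        if "objlink" in words or "objautlink" in words:
            findings.append("OLE object is a link to external content")
        if "objupdate" in words:
            findings.append("\\objupdate forces the linked object to refresh on open")
    return findings


# Constructed samples for demonstration only (not real malware, not real files):
SAMPLE_RTF_WITH_LINK = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 01050000020000000}}}"
)
SAMPLE_PLAIN_RTF = b"{\\rtf1\\ansi Quarterly report\\par}"
SAMPLE_REAL_DOC = OLE_CF_MAGIC + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in (("invoice.doc", SAMPLE_RTF_WITH_LINK),
                       ("report.rtf", SAMPLE_PLAIN_RTF),
                       ("report.doc", SAMPLE_REAL_DOC)):
        print(name, "->", triage_office_file(name, blob) or ["no findings"])
```

A hit here is a reason to open the file only in Protected View or a sandbox; it is not proof of the exploit, since legitimate documents also embed OLE objects.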

via: securityweek

GameStop investigating point of sale data breach

GameStop is investigating a possible payment card breach on the retailer’s GameStop.com online store, according to published reports.

KrebsonSecurity is reporting that GameStop is looking into a breach after it received notice from a third party that some customer data was for sale online. KrebsonSecurity said word was received from two financial industry sources which had, in turn, been warned by a credit card processor that data was stolen between September 2016 and February 2017.

The breach may have exposed customer names, addresses, payment card numbers, expiration dates and CVV codes.

“If Brian Krebs’ report is correct, the GameStop breach has the potential to be a huge payday for hackers. Compromised credit card numbers aren’t always easy to monetize, but in this case hackers were able to intercept CVV2 numbers, which allow them to begin making fraudulent purchases immediately,” Vishal Gupta, Seclore CEO, told SC Media.

Other industry insiders noted that attacks such as this could signal a time when smaller retailers are simply unable to protect themselves from cyberthieves.

“You can imagine a future where attacks such as this become so sophisticated and frequent that no one but the largest retailers can afford to defend against them. This would give the Amazons and Walmarts of the world a real competitive advantage in winning consumers’ business,” said John Gunn, CMO of VASCO Data Security.

GameStop has not yet responded to requests for confirmation of the incident.

via: scmagazine

The scam that knows your name and home address – here’s what to do

Many UK residents woke up to a rude internet shock: a scam email that greeted them with their real name and home address.

Collectively, we’re getting better and better at spotting emails that don’t come from where they say, for example because our real bank doesn’t call us Dear Customer, and because our real mortgage provider knows how to spell its own kompani nayme without making absurd misteaks.

But in this case, the email wasn’t trying to disguise that it came from a ne’er-do-well.

Indeed, the scamminess of the text made the email more worrisome, and thus perhaps paradoxically more likely to squeeze victims into action than a well-written email from an obviously unlikely source.

The text in the emails varies slightly from sample to sample, but examples seen go something like this:

Or like this:

The salutation uses your first name (given name); the filename is your surname (family name); and the address is your home address, complete with postcode.

You know it’s a scam, not only from the terrible mistakes in spelling and grammar, but also from the fact that no official organization would dare write what amounts to a veiled threat of this sort.

So it feels wrong and risky to open it to see how much is in there.

On the other hand, there must be some truth in the claims about a data leak, because the crooks know your name and address – and not just vaguely, but precisely, so who knows what else they know about you?

With so many data breaches in the news recently, it’s perfectly reasonable to wonder, “How serious is this?”

So it feels wrong and risky not to open it to see how much is in there.

What happens next?

If you do open the attachment, which is portentously called Yoursurname.dot, Word prompts you for a password, just as the scammers warned you to expect:

The password is randomly chosen for each recipient, and you really do need to use the one in your own email to open the file:

At this point, the crooks are aiming to persuade you to enable macros in the open document, which means you’ll be running program code stored in the file by the crooks themselves.

This is a feature of Word – you can write extensive and powerful Word extensions as macros, using Microsoft’s Visual Basic for Applications (VBA) programming language – but because macros that arrive from outside can be super-dangerous, they don’t run by default.

To get you to agree to run their malicious macro program, the crooks use what you might call a bait-and-switch trick.

The document presents an official-looking help page that tells you that you need to “Enable editing” to view its content.

Somehow, this sounds less suspicious than enabling macros, as though you’re just agreeing to view what’s inside the document, not trusting it to the point of letting it run untrusted program code inside Word.

If you click on [Enable Content], you’re agreeing to execute a malicious VBA program that tries two different web pages, hosted on hacked web servers, and downloads what looks like a GIF file.

GIF is short for Graphics Interchange Format, an old but still-common type of image file.

In fact, the GIF file has just 10 bytes of valid header data, followed by a 256-byte decryption key, followed by about 0.5MB of binary data scrambled by XORing it with the decryption key repeated over and over. (This is known as a Vigenère cipher, named after a cryptographer from the 1500s who didn’t actually invent it.)

The GIF header makes the file look innocent, even though it won’t display as an image, and the Vigenère scrambling means that the suspicious parts of the file aren’t obvious.

Malware unscrambled

Of course, the scrambling also means that the fake GIF file is harmless on its own, so the malicious macro includes a decryption loop that strips out the executable code, unscrambles it and writes it to %TEMP%, the special folder where Windows saves your temporary files.

The malware ends up with a randomly-chosen numeric name, such as 05643.EXE.
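Because the fake GIF carries its own 256-byte key right after the 10-byte header, an analyst can unscramble a suspicious download without any cryptanalysis and check whether a Windows executable falls out. The triage code below is an added example (not SophosLabs code) that follows the layout described above; the carrier and the genuine GIF it is compared against are constructed test fixtures, with a bare MZ/PE header stub standing in for the payload.

```python
import struct
from typing import Optional

# Layout described in the article: 10 bytes of GIF header, a 256-byte key,
# then the executable XOR-scrambled with that key repeated end to end.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
HEADER_LEN = 10
KEY_LEN = 256


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR ('Vigenère' in the article): the same routine
    scrambles and unscrambles, because x ^ k ^ k == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_hidden_payload(blob: bytes) -> Optional[bytes]:
    """Return the unscrambled executable if blob matches the carrier layout, else None."""
    if blob[:6] not in GIF_MAGICS or len(blob) < HEADER_LEN + KEY_LEN + 0x40:
        return None
    key = blob[HEADER_LEN:HEADER_LEN + KEY_LEN]
    decoded = xor_repeating_key(blob[HEADER_LEN + KEY_LEN:], key)
    return decoded if looks_like_pe(decoded) else None


def triage_fake_gif(blob: bytes) -> dict:
    """Summarise a download as booleans a triage script can act on."""
    verdict = {"gif_magic": blob[:6] in GIF_MAGICS, "hidden_pe": False, "payload_len": 0}
    payload = extract_hidden_payload(blob)
    if payload is not None:
        verdict["hidden_pe"] = True
        verdict["payload_len"] = len(payload)
    return verdict


# Constructed fixtures (not real samples).  The "payload" is only an MZ/PE
# header stub: 'MZ', zero padding, e_lfanew = 0x40, then the PE signature.
_STUB_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 64
_KEY = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))          # arbitrary 256-byte key
SAMPLE_CARRIER = b"GIF89a" + struct.pack("<HH", 1, 1) + _KEY + xor_repeating_key(_STUB_PE, _KEY)
# A genuine 1x1 GIF: header, 2-colour global table, image descriptor, LZW data, trailer.
SAMPLE_REAL_GIF = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
                   + b"\x00\x00\x00\xff\xff\xff"
                   + b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

if __name__ == "__main__":
    print("carrier :", triage_fake_gif(SAMPLE_CARRIER))   # hidden_pe True
    print("real gif:", triage_fake_gif(SAMPLE_REAL_GIF))  # hidden_pe False
```

The recovered payload can then be hashed and submitted to your AV vendor or sandbox; the fake GIF alone, as the article notes, is inert.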

When testing out this attack at SophosLabs, the downloaded malware was Troj/Agent-AURH, a strain of bot or zombie malware that calls home to a so-called command-and-control (C&C) network for further instructions.

Our zombified computer didn’t receive any instructions during our test, but it’s important to remember that in attacks of this sort:

  • The crooks can vary the downloaded malware as they see fit, changing it according to your time zone, your location, your language settings or simply their own whim.
  • The crooks can vary the instructions they send to some or all of the bots in their botnet, typically including updating or changing the bot itself, or downloading additional malware.

The malicious macro in the original document has two more tricks up its sleeve to go along with the “fake GIF file” unscrambling shenanigans.

If the macro gets an unexpected response on its first attempt to download the fake GIF, the crooks assume that some sort of firewall or web-filtering anti-virus blocked the download, so they try to talk you into turning your security filtering off:

It’s easy to assume that the popup comes from Word, or even Windows itself, but that’s the crooks talking to you.

Equally sneakily, the crooks pop up the following message, right at the very end:

It’s all a pack of lies: the “file is corrupted” message means exactly the opposite of what it says, because it only appears after the malware has been downloaded, unscrambled, saved to disk and launched in the background.

Should you be afraid?

It’s understandable to feel a touch of fear when you receive a scam email that knows your name and home address, because of the lurking question, “Why me?”

The good news, if you can call it that, is that through articles and advisories like this one, you’ll soon see that you aren’t alone, and that the crooks are targeting a much wider group than just you.

Sadly, however, it’s likely that the home addresses they’re using were stolen in one or more data breaches, and then sold on in the computer underground for criminal abuse of this sort.

At least in the UK, many companies that collect addresses put them through some kind of standardisation algorithm to produce address data in the format preferred by the Post Office, so it can be hard to figure out the likely source of the breach.

What to do?

  • Don’t open unsolicited or unexpected attachments, especially not on the say-so of an unknown sender.

Even if the document claims to be an invoice you don’t owe, or threatens you in some way, don’t let fear or uncertainty get the better of you. After all, if you’re concerned about the trustworthiness of the sender, the worst thing you can do is to take their “advice” about computer security!

  • Don’t turn off important security settings such as “macros have been disabled”, especially not on the say-so of an unknown sender.

The crooks have come up with many ways to trick you into clicking [Enable content], usually by making it sound as though it somehow increases security, for example by decrypting or unlocking confidential information. But Microsoft turned Word macros off by default years ago to improve security, so turning macros back on will leave you less secure.

  • If you’re unsure what to do, ask someone you actually know and trust, such as a friend or family member.

Never ask the sender of the email for advice. They will simply tell you what they want you to hear, not what you need to know. And if you’re a friend who gets asked for help, try using our short-and-sweet motto, and stick to your guns: “Don’t buy, don’t try, don’t reply.”

  • If you think a targeted email of this sort really is a personal attack on you, for example by a stalker, rather than part of a wider cybercrime campaign, and you are genuinely concerned for your safety, contact law enforcement locally.

Be prepared to explain yourself clearly, which typically means keeping suspicious emails and messages.

Have you recently opened an email that you now have reason to distrust, or are you concerned that you may have let malware sneak in by taking risky advice that came from someone you don’t know? If so, you can download our free Sophos Virus Removal Tool to search for malware that may be lurking undetected. You don’t need to uninstall your existing anti-virus first – our Virus Removal Tool is designed to work alongside other security products.

You may also want to get Malwarebytes, update it and run a scan.

via: sophos

How to Keep Your Browsing Private from Your ISP

A bill that has now passed both the U.S. Senate and House of Representatives would repeal a Federal Communications Commission rule issued last year that allows consumers to decide how internet service providers use their information.

If President Trump signs it into law, as he is expected to do, the rule cannot be reinstated by the FCC. ISPs could then track you, sell that information to any buyer, or use it to advertise to you directly.

Privacy advocates are — understandably — in an uproar.

Say you open a private browsing window to avoid being tracked by Facebook, Google and other third-party trackers. There’s still a party that can see the sites and services you visit: your internet service provider.

“Your ISP can already monetize you based on your demographics,” Sean Sullivan, Security Advisor at F-Secure, tells me. “Still, they feel that they’re behind Facebook and Google’s ad technology — and arguably they are. But the difference is you can avoid Google and Facebook. You can’t avoid your ISP.”

There is still something that you can do that gives you more control over who has access to your browsing history.

“Your ISP is privy to all the web destinations you visit, unless you’re using a VPN,” Sean says. “Then they’re only privy to seeing that you went to, for instance, VPN.F-Secure.com.”

A VPN is a virtual private network and it puts all of your browsing data in the hands of one provider who encrypts it.

“VPNs are essentially a way of moving your trust,” Jacob Hoffman-Andrews, senior staff technologist at EFF, told The Verge.

This requires finding a VPN provider you can put your full faith in. A recent study from Australia’s Commonwealth Scientific and Industrial Research Organization found that this isn’t as easy as you might assume.

“The good news is that CSIRO researchers did find some gems,” Wired reported. “They specifically lauded F-Secure Freedome, an app that encrypts what it says it will and offers quality ad-blocking to boot. Sure, it’ll cost you $6 per month. But online privacy is like anything else in life: You get what you pay for.”

At F-Secure, we put our reputation from three decades in the security industry behind Freedome. As PC World noted, “Freedome VPN pledges not to log your traffic and is run by F-Secure, an established and reputable name in Internet security.”

F-Secure TOTAL, our security and privacy offering, combines our award-winning protection with the encrypted privacy of Freedome.

Forcing consumers to take their privacy into their own hands shows a lack of foresight about the rapid evolution of ad technology, Sean tells me. Currently, advertisers generally divide consumers into four segments to target them.

“With artificial intelligence, there’s nothing slowing them down from developing bots that target you down to one hundred or even one thousand segmentations,” he says.

If your ISP knows that you’ve visited, for instance, a site about a medical or psychological affliction, that information can be used to target you. And given the radical advances of technology and massive amounts of time we all spend online, the ramifications of such targeting are almost impossible to imagine.

Unfortunately, the U.S. government is forcing you to consider who will have control of your browsing history. With a VPN, you can do something about it.

via: safeandsavvy

Malware Allows Remote Administration of ATMs

A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.

The threat was discovered after a Russian bank was hit by a targeted attack in which cybercriminals gained control of ATMs and uploaded malware to them. Although the actors removed the malware after the heist, leaving researchers without an executable to analyze, the malware’s logs and some file names were recovered after the attack, and Kaspersky researchers were able to analyze those.

The files were recovered by the bank’s forensic team, which provided the security researchers with two text files (located at C:\Windows\Temp\kl.txt and C:\logfile.txt), and the names of two deleted executables (C:\ATM\!A.EXE and C:\ATM\IJ.EXE). However, the contents of the exe files couldn’t be retrieved, Kaspersky notes.

Based on the information retrieved from the log files, the researchers created a YARA rule to find a sample, and eventually found one, in the form of “tv.dll”. This in turn led to the discovery of ATMitch, a piece of malware that essentially provides attackers with the ability to remotely administrate ATMs.

The malware is installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank. Once on the infected machine, the threat looks for the “command.txt” file located in the same directory as the malware itself, as this file includes a list of one character commands: ‘O’ – Open dispenser; ‘D’ – Dispense; ‘I’ – Init XFS; ‘U’ – Unlock XFS; ‘S’ – Setup; ‘E’ – Exit; ‘G’ – Get Dispenser id; ‘L’ – Set Dispenser id; and ‘C’ – Cancel.

After that, the malware writes the results of the command to the log file and removes “command.txt” from the ATM’s hard drive. ATMitch, which apparently doesn’t try to conceal itself within the system, uses the standard XFS library to control the ATM, meaning that it can be used on all ATMs that support the XFS library.

The !A.exe and IJ.exe executables, which might be the installer and uninstaller of the malware, couldn’t be retrieved. “tv.dll”, the researchers say, contained one Russian-language resource.

This attack, Kaspersky notes, was connected to a fileless attack detailed in February 2017, which targeted numerous organizations worldwide. The attack, Morphisec revealed last month, was tied to an attack framework used in a series of other incidents detailed by Cisco and FireEye as well.

via: securityweek

Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks

Vulnerabilities in Broadcom’s Wi-Fi system-on-chip (SoC) can be exploited to hijack iPhone, Nexus, Samsung and other smartphones without requiring any user interaction.

Google Project Zero researcher Gal Beniamini has identified several remote code execution, privilege escalation and information disclosure vulnerabilities in Broadcom firmware.

Since Broadcom’s Wi-Fi chips are widely used, the flaws affect many devices, including Google’s Nexus 5, 6 and 6P, all iPhones since iPhone 4, and most of Samsung’s flagship Android smartphones.

Beniamini has published a lengthy blog post describing the Broadcom Wi-Fi chipset and vulnerabilities that can be exploited for remote code execution. The researcher has also promised to publish another blog post that will provide details on the second part of the exploit chain, which involves elevating privileges from the SoC to the operating system’s kernel.

An attacker who is in Wi-Fi range can exploit the security holes found by the Google researcher to take complete control of a vulnerable device without any user interaction.

Beniamini applauded Broadcom’s response, stating that the company was responsive and helpful in fixing the vulnerabilities and making the patches available to affected device manufacturers.

The researcher said Broadcom’s firmware lacks all basic exploit mitigations, but the company claims newer versions do include some security mechanisms and exploit mitigations are being considered for future versions.

Apple released an emergency update this week for iOS to address the remote code execution vulnerability (CVE-2017-6975), but the company did not provide any details.

The Broadcom flaws were also patched in Android with the release of the April security updates.

Samsung has also released maintenance updates this week for its Android devices. The updates include both the Google patches and fixes for vulnerabilities specific to Samsung products.

via: securityweek

Cooperation is Cyber Security’s Secret Weapon

Cyber crime is getting worse. If the frequent accounts of online extortion and data breaches (you can check out our recent State of Cyber Security report for more info on these) aren’t enough to convince you, you should consider that in some parts of the world, cyber crime actually exceeds “traditional” crime.

Law enforcement has had some success in combating the problem. Arrests have been made. Gangs have been busted. Infrastructure has been taken down.

Cyber security companies like F-Secure play an important role here. Besides protecting people and businesses from online crime with various products and services, the cyber security industry shares threat intelligence with organizations like Europol and the European Union Agency for Network and Information Security (ENISA). F-Secure and other companies also assist law enforcement agencies in conducting their investigations, such as with the FBI’s recent takedown of Avalanche.

Unfortunately, such takedowns are few and far between – certainly not enough to get cyber crime under control.

But on the upside, this leaves lots of space for innovation. And not just in terms of new products.

According to Dr. Janne Järvinen, Director of External R&D Collaborations at F-Secure, innovation is an area where the cyber security industry can work together with smaller companies, research institutions, and other organizations.

“Cooperation helps drive innovation,” says Janne. “New ideas, whether those are realized in the form of companies, technologies, or something else entirely, need support to succeed. And cyber security is an industry that needs to be innovative to stay ahead of threats.”

And Janne isn’t alone in this thinking. Last year, the European Commission created a public-private partnership (PPP) aiming to raise 1.8 billion euros to address various cyber security challenges facing the EU.

Steve Purser, Head of Core Operations for ENISA, says innovative and pragmatic ideas from industry participants will play a vital role in developing the EU cyber security economy.

“There are already innovative examples of collaborations between established cyber security players and research institutions. F-Secure’s collaboration with the University of Helsinki on a Massive Open Online Course is a good example of how much space there is to work together. SMEs, organizations, and even individual researchers should consider how collaborating can help them launch their ideas,” he says.

According to Janne, who gave a presentation on sponsoring/mentoring cyber security SMEs at an ENISA-sponsored event last week in Brussels, there are three main areas where collaborations play a vital role in improving cyber security.

Serving industry-wide needs

Collaborations need to be mutually beneficial for the parties involved. And there are more collaborative opportunities for needs that serve larger numbers of people. The CANVAS consortium is a perfect example of this. CANVAS will create guidelines and recommendations to help governments and institutions balance European ethics and values with security needs. Issues like the encryption debate highlight how far reaching this question of values can be, and collaborations like CANVAS will play an important role in addressing them. “And of course, with the General Data Protection Regulation on the horizon, prioritizing user security and privacy is a requirement. It’s an area where the cyber security community will play a vital role,” says Janne.

Fast tracking business results

Because the cyber security industry is an industry, companies need to produce results. Investments, such as the PPP mentioned above, have to pay off. That means smaller companies, many of which have great ideas, need to find partners that can help them get ideas off the ground. “Working with a larger company or some other kind of established organization is a great way for SMEs to quickly get good ideas to market. I’ve seen great success stories with the EIT Digital Trusted Cloud Ecosystem I’ve been working with recently. Initiatives like these can function like accelerators for startups and SMEs, and help keep overheads low for new businesses while they work on new products and services,” says Janne.

Developing collaborative frameworks

Things like conferences, hackathons, and research projects are well-established methods to foster collaboration. Janne is currently serving as the Focus Area Director for one such research program – the Need for Speed (N4S) program. According to Janne, the program aims include developing ways to deliver software and new business opportunities faster. It advocates deepening collaborations with customers to get feedback to developers faster. Fast feedback means corrections and improvements can be made quickly, allowing businesses to make better use of the information. “Having different companies, organizations, and researchers work together to establish and share best practices will make products and services better for end users.”

via: safeandsavvy

Apple Updates iOS to Patch Wi-Fi Vulnerability

Apple has released an emergency security update for its iOS operating system to address a serious vulnerability affecting the Wi-Fi component.

According to the tech giant, the flaw is a stack-based buffer overflow that allows an attacker who is within range to execute arbitrary code on the Wi-Fi chip.

The security hole, tracked as CVE-2017-6975, has been addressed with the release of iOS 10.3.1 through improved input validation, Apple said. The update is available for iPhone 5 and later, iPod touch 6th generation and later, and iPad 4th generation and later.

9to5 Mac reported that while iOS 10.3 dropped support for 32-bit devices, the latest update reintroduces support for these systems.

The vulnerability was identified and reported by Gal Beniamini of Google Project Zero, which typically discloses the details of flaws found by its researchers after 90 days.

In a security advisory submitted to the Full Disclosure mailing list, Apple advised users to install the update immediately if possible, and pointed out that the update is only available through iTunes and the Software Update utility on the iOS device; the update will not show up on the Apple Downloads website or in the computer’s Software Update application.

iOS 10.3.1 was released just one week after Apple announced the general availability of iOS 10.3, which brings many new features and patches for nearly 90 vulnerabilities. Roughly 30 of these security holes were reported to Apple by Google Project Zero researchers.

via: securityweek

Still using IIS 6.0? Stop right now – the latest zero-day won’t be patched

What’s worse than an actively exploited zero-day vulnerability for which there is no patch? Answer: an actively exploited zero-day security vulnerability for which there will never be a patch.

If this sounds like an April Fool’s riddle, it is nonetheless the situation facing anyone unwise enough to still be using Microsoft’s ancient Internet Information Services 6.0 (IIS) web server, after Chinese researchers last week said they’d got wind of a flaw that has been exploited since July or August 2016.

In a disclosure on March 27 that included their own simple Python proof-of-concept, the researchers outlined the “buffer overflow in the ScStoragePathFromUrl function in the WebDAV service” when an attacker sends an overlong IF header request as part of a PROPFIND request (if that sounds obscure you can read about WebDAV here).

Designated CVE-2017-7269, that’s bad news, but the fact that it has been known about for months – with new exploits now likely – is the main takeaway.
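Because the bug is triggered by an overlong If header on a WebDAV request, the one thing a reverse proxy or traffic monitor in front of an unpatchable IIS 6.0 box can do is refuse or alert on exactly that shape of request. The checker below is an added example (not the researchers’ proof-of-concept, nor Acros’s micro-patch); the 512-byte limit is an assumption chosen because RFC 4918 If headers carry lock tokens and ETags and are normally far shorter, and the two requests are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Policy values are assumptions for this illustration, not numbers from the advisory.
IF_HEADER_MAX = 512
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


@dataclass
class Finding:
    method: str
    target: str
    reason: str


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse an HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased.  Obsolete line folding (a continuation line
    beginning with a space or tab) is re-joined, and repeated headers are
    combined, so a value split across lines cannot dodge the length check.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)   # ValueError if malformed
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()          # folded continuation
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            value = value.strip()
            headers[last] = f"{headers[last]}, {value}" if last in headers else value
    return method.upper(), target, headers


def inspect_request(raw: bytes) -> Optional[Finding]:
    """Flag WebDAV requests whose If header is implausibly long; None if benign."""
    try:
        method, target, headers = parse_request_head(raw)
    except ValueError:
        return Finding("?", "?", "unparseable request line")
    if method not in WEBDAV_METHODS:
        return None
    if_value = headers.get("if")
    if if_value is not None and len(if_value) > IF_HEADER_MAX:
        return Finding(method, target,
                       f"If header is {len(if_value)} bytes (limit {IF_HEADER_MAX})")
    return None


# Constructed sample requests (not captured traffic).
BENIGN_PROPFIND = (
    b"PROPFIND /share/ HTTP/1.1\r\nHost: files.example.test\r\nDepth: 1\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
    b"Content-Type: text/xml\r\nContent-Length: 0\r\n\r\n"
)
# The oversized value is split across an obsolete continuation line; only the
# folded total should matter to the check.
FOLDED_LONG_PROPFIND = (
    b"PROPFIND /share/ HTTP/1.1\r\nHost: files.example.test\r\n"
    b"If: <http://files.example.test/" + b"A" * 400 + b"\r\n " + b"B" * 400 + b">\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (BENIGN_PROPFIND, FOLDED_LONG_PROPFIND):
        print(inspect_request(sample) or "ok")
```

A filter like this is a stopgap that buys time; as the article says, the real fix is to stop running IIS 6.0.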

Given that IIS 6.0 shipped with Windows Server 2003 R2 in 2005 and Microsoft stopped supporting it after the end-of-life deadline passed in July 2015 (i.e. no more patches), one might assume that the install base is small.

One would be wrong. More likely, this is another version of the Windows XP situation where organisations find it hard to wean themselves off core software and end up putting themselves at risk.

In 2015, research from analysts RiskIQ found 2,675 installs of IIS 6.0 inside 24 of the top FTSE-100 UK companies alone. Incredibly, the same analysis found 417 installs of IIS 5.0 in the same companies, which at that time was a year beyond extended support death.

Shodan estimates 600,000 machines still visibly running this software globally, perhaps 10% of which have the PROPFIND extension running, according to an analysis by one enterprising researcher. That sounds containable until you realise that each of those servers will be hosting numerous websites.

How many? Nobody knows, but with Microsoft unlikely to step in with a fix, it could be more than enough to cause problems. The premium fix is to stop using IIS 6.0 immediately but for anyone who finds that difficult there is one hope: guerrilla patching.

We discussed this phenomenon in our recent coverage of Google’s “Operation Rosehub”, but it can be summed up by the simple idea that if the vendor in whose software a vulnerability has arisen can’t or won’t fix the issue then someone else does it for them.

A company called Acros Security dubbed this “0patch” and, lo and behold, has come up with a “micro-patch” for CVE-2017-7269. We can’t vouch for this, but Acros explains how it developed the patch in some detail for anyone staring down the barrel of limited options.

What the latest episode challenges is the fixed idea of software lifecycles according to big software vendors, which runs something like “we’ve told them in advance that support will be removed by a given date so if they don’t follow our advice and upgrade then that’s their lookout”.

The near debacle of XP’s zombie afterlife was an example of this MO running aground on the rocks of business reality, beside which the latest IIS 6.0 event might look modest. But an unpatchable zero-day affecting hundreds of thousands of compromised web servers won’t be fun for anyone – Microsoft included.

via: nakedsecurity