Erebus Linux ransomware attack demanded $1.62 million from South Korean firm

South Korean firm NAYANA was hit with a Linux ransomware attack that demanded an unprecedented 550 Bitcoins (BTC) or $1.62 million ransom.

Erebus ransomware attack on NAYANA demanded $1.62M.


The attack occurred on June 10, 2017, and the company announced it on June 12, 2017. On June 14, 2017 the web hosting company was eventually able to negotiate the ransom down to 397.6 BTC, nearly $1.01 million, to be paid in three installments, according to a June 19 blog post.

The threat actors used the Erebus ransomware to infect 153 Linux servers and 3,400 business sites hosted by NAYANA, and as of June 19, 2017, two of the three payments had already been made. The final payment is expected once the first and second batches of servers have been successfully recovered.

A local exploit may have been used in the attack, though it is unclear exactly which exploits were used to infect the systems, as there is no clear picture of which vulnerabilities they carry.

Researchers said it’s worth noting that the ransomware is limited in coverage and heavily concentrated in South Korea. Other samples, however, have been submitted by security researchers in Ukraine and Romania.

Erebus was first spotted in a spate of malvertising attacks in September 2016 and then reemerged in February 2017 using a method to bypass Windows’ User Account Control. The recent Linux variant was similar to the updated variant discovered in February 2017, with OS-specific changes in the way it gains access to the system, Trend Micro Director of Hybrid Cloud Security Steve Neville told SC Media.

“The Windows version leveraged a strategy of bypassing the User Access Controls (UAC) to gain elevated privilege in order to execute,” Neville said. “The Linux version leverages a similar mechanism in Linux, but also adds a fake Bluetooth service to ensure that the ransomware is executed even after the system or server is rebooted.”

Researchers advise keeping all systems patched and up to date to prevent infection, and backing up critical files.


via:  scmagazine


Fashion Retailer Buckle Finds Malware on PoS Systems

The Buckle, Inc., a fashion retailer that operates more than 450 stores across the United States, informed customers on Friday that malware had been found on some of its point-of-sale (PoS) systems.

Buckle suffers credit card breach

According to the retailer, malware was present on PoS systems at some of its stores between October 28, 2016, and April 14, 2017. The company has called in outside experts to investigate the incident and help secure its network.

The malware was designed to steal data from a card’s magnetic stripe, including cardholder name, account number and expiration date, but The Buckle believes the malware did not collect data from all transactions conducted via infected PoS systems.

The company pointed out that all its stores support EMV (chip card) technology, which makes it significantly more difficult to clone cards using stolen data. Nevertheless, the compromised payment card data can still be useful to cybercriminals, particularly for card-not-present fraud.


The Buckle said there was no evidence that social security numbers, email addresses or physical addresses were obtained by the attackers, and there is no indication that its website and online store are affected.

“As part of Buckle’s response, connections between Buckle’s network and potentially malicious external IP addresses were blocked, potentially compromised systems were isolated, and malware-related files residing on Buckle’s systems were eradicated.

Additionally, Buckle reported a potential incident to the payment card brands and is cooperating with them regarding this incident,” the company said in a statement.

The Buckle has advised customers to keep an eye out for any suspicious activity on their payment card, and immediately report any unauthorized charges to the card issuer. A list of affected stores has not been made available.

The Buckle’s announcement comes just two weeks after big box department store chain Kmart, which operates more than 700 stores, informed customers of a payment card breach, and a couple of months after 200 Brooks Brothers stores were hit by a payment card breach.


via:  securityweek


Phishers Padding URLs with Hyphens to Target Facebook Users

Phishers are sending Facebook users fake login pages with URLs they’ve padded with hyphens, a trick which makes the sites look legitimate on mobile devices.

The attack works by sending a real, legitimate domain within a larger URL that’s fake.

For instance, the following link redirects users to a phishing site: hxxp://—————-validate—-step1.rickytaylk[dot]com/sign_in.html.

The genuine path for Facebook mobile, “,” appears in the URL, but the link’s actual domain is rickytaylk[dot]com.

Why does that matter? Just see what it looks like in a mobile browser.

Screenshot of URL in mobile browser. (Source: PhishLabs)

Not so easy to spot the difference from the real Facebook mobile sign-in page, is it? Not only that, but the attackers include a word like “validate” or “secure” after their first round of hyphens. This tactic further boosts the fake link’s appearance of legitimacy.
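A defender-side check for the padding trick described above, added here as an example (Python; not PhishLabs’ code): it refangs an indicator, takes the hostname apart, and flags hostnames that carry hyphen runs, a watched brand name sitting outside the registrable domain, or lure words such as “validate”. The sample URL is constructed to mirror the structure described above (a brand-looking prefix, hyphen padding, and the rickytaylk[dot]com domain from the article); the brand list, the lure-word list and the naive last-two-labels domain rule are assumptions to tune for your own environment.

```python
"""Flag hyphen-padded lookalike URLs (added example; not PhishLabs' code)."""
import re
from urllib.parse import urlsplit

# Assumptions for this demo: brands that should only ever be the registrable
# domain itself, and words phishers slip into padded hostnames.
WATCHED_BRANDS = {"facebook"}
LURE_WORDS = {"validate", "secure", "verify", "step1"}
PADDING = re.compile(r"-{3,}")  # three or more consecutive hyphens


def refang(url):
    """Turn a defanged indicator (hxxp, [dot], [.]) back into a parseable URL."""
    return (url.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[dot]", ".").replace("[.]", "."))


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Production code should consult the
    Public Suffix List so that names such as example.co.uk are handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url):
    """Return the real domain plus the reasons (if any) the URL looks padded."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    labels = host.split(".")
    domain = registrable_domain(host)
    reasons = []

    if PADDING.search(host):
        reasons.append("hyphen padding inside the hostname")

    # A brand name appearing anywhere *before* the registrable domain is the
    # visual trick: mobile address bars show only the start of the host.
    for brand in WATCHED_BRANDS:
        if brand in labels[:-2]:
            reasons.append(f"'{brand}' used as a subdomain of {domain}")

    # Split on both dots and hyphens so words buried in padded labels surface.
    tokens = set(re.split(r"[-.]", host)) - {""}
    for word in sorted(LURE_WORDS & tokens):
        reasons.append(f"lure word '{word}' in hostname")

    return {"host": host, "domain": domain, "reasons": reasons,
            "suspicious": bool(reasons)}


if __name__ == "__main__":
    # Constructed sample mirroring the structure described in the article.
    sample = ("hxxp://m.facebook.com----------------validate----step1"
              ".rickytaylk[dot]com/sign_in.html")
    for url in (sample, "https://m.facebook.com/login.php"):
        result = analyze_url(url)
        print(result["domain"], result["suspicious"], result["reasons"])
```

The useful output for a user or an SMS-filtering gateway is the `domain` field: whatever the address bar appears to show, the registrable domain is what the browser will actually connect to, and surfacing it next to the link is the simplest counter to the padding trick.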

PhishLabs has detected at least 50 instances of this phishing technique since January 2017. Researchers at the security awareness training provider haven’t found lures for the attack just yet. Even so, they believe fraudsters are mainly spreading around these hyphen-padded URLs via SMS messages.

Crane Hassold, senior security threat researcher at PhishLabs, says this belief comes down to mobile users’ inability to verify the location of a link sent via SMS:

“… Until you visit the site, you have no way of knowing whether it’s legitimate. And, as we’ve already seen, once you’re there the URL padding approach is highly effective at obscuring the site’s real domain.”

He goes on to say that phishers are likely using Facebook users’ credentials they steal in this campaign to access victims’ accounts and then send out additional phishing lures in updates and private messages. They could also use the login details to commit password reuse attacks across multiple web accounts, a digital threat against which Carbonite warned in late June 2016.

This isn’t the first type of scam to target the popular social networking platform, and it’s not even the sole innovative phishing technique to emerge in recent weeks. With that said, mobile users need to exercise caution around clicking on links in suspicious SMS messages. They should also refer to these tips to further protect themselves against phishing attacks.


via:  tripwire


Apple Music quietly added a $99 annual subscription plan

If you’re an Apple Music subscriber, chances are that you’re paying $9.99 every month, $14.99 for a family plan, or $4.99 per month if you’re a student. But Apple quietly added another option as Tehnot spotted. You can now pay $99 for a 12-month subscription.

This setting is quite buried as Apple doesn’t want you to know that you can pay less than what you’re actually paying. We tried different scenarios, and it was quite hard to find the new annual plan — but it’s real.

If you’re not a current Apple Music subscriber, the Music app only lets you subscribe to a normal monthly plan as pictured above. But if you’re an existing subscriber, you can go to your membership settings and switch to an annual plan. So new users will have to buy a monthly subscription first and then switch.

Now stay with me as it’s about to get a bit complicated. Let’s hope that the upcoming App Store redesign is going to make it easier to access the subscription settings because we’re not there yet.

First, you need to open the App Store app and scroll to the very bottom of the Featured tab. Then tap on your Apple ID, enter your password and tap on “View Apple ID.” Finally, tap on the Subscriptions button and you can access your Apple Music membership settings. Here’s what it looks like (prices may vary depending on your country):

So if you think you’re going to keep using Apple Music for the foreseeable future, you can switch in a couple of taps and save around 17.5 percent.

Before this change, you could buy an Apple Music gift card for $99 to get a full year of service access. But if you’re not a gift card person, there was no way to access this discounted rate.


via:  techcrunch


The Reality of Internet Safety: Why Education Trumps Technology

For many people, the Internet’s ubiquity is akin to a utility. Like electricity and running water, there’s a tendency to not think about the Internet too much – until something goes very wrong. But also, prevailing attitudes towards Internet safety tend towards ‘flick of a switch’ solutions – the notion a piece of software or a service from an ISP is enough to ensure the younger members of your family remain safe online.

This is fundamentally wrong. Although software can be an ally – especially when you’re attempting to protect very young children – the reality is education and discussion are also vital. And that means for children and parents alike.

What follows are three short stories that impart useful lessons when considering how to manage Internet usage for your own families, with ongoing safety and privacy in mind.

Lesson 1: Software is not a magic wand

This story isn’t a personal one, but nonetheless provides insight into what can happen when people make broad assumptions about technology-based Internet filters. In my native United Kingdom, the government has of late been keen on Internet service providers activating content filters by default, only barely stopping short of outright centralized content regulation (although that’s in the current government’s manifesto). The reasoning is to protect young children from unsuitable content.

If you’re well-versed in technology, it’s easy to be cynical about such claims. Arguments about censorship rage, with concerns that when any legal content becomes blocked by default, it’s the thin end of the wedge. But reports that pop up in the news suggest the more widespread problem is the somewhat scattershot nature of filtering combined with complacency on the part of users.

Sometimes, content that shouldn’t get through a filter does, resulting in parents who assumed unsupervised children were ‘safe’ getting a nasty shock. Elsewhere, you’ll find stories about opaque and over-zealous blacklists wrongly blocking content, leaving vulnerable teens and children unable to access helplines regarding child abuse or critical information about sexuality.

Whether these blocks were algorithmic or accidental in nature is irrelevant. The point is that should you decide to activate such filters or software, you need to do so with your eyes open, and an understanding that software isn’t typically very nuanced. For very young children, supervision remains key. Should they get unsupervised time online, consider a ‘whitelist’ of sites you’ve personally vetted and are happy for them to use alone, rather than automated blacklists.

As children get older, though, the best route to Internet safety is to prioritize discussion over technological solutions, which is the subject of the next story.

Lesson 2: Discussion is key to children being safe online

An acquaintance is a prominent figure in the technology industry. Her daughter had therefore grown up surrounded by technology and Internet-enabled devices, and had always been respectful of such things – even slightly cautious.

When old enough to surf the web alone, she one day decided to search for her mother’s name. Instantly, the browser listed page after page of articles and images about her mother. Needless to say, this was a jolt.

Her mother explained that having authored many books and spoken at a range of public events, such an online presence was to be expected. Most importantly, these decisions had been down to choices she consciously made. However, she warned it would be feasible to find a similar level of information about yourself online if you shared content in an unthinking manner.

Stories elsewhere on the web about online sharing are often far less pleasant and reasoned tales. We hear of kids who send intimate imagery to someone who then vindictively shares it with all and sundry. The natural instinct of parents and governments alike is to assume ‘control’ is a fix. They clamp down on Internet use and install filters. But as already noted, the Internet is today close in nature to a utility – as kids get older, they will find ways to get online.

It’s therefore vital they are well informed. They need to understand that the Internet is a glorious, amazing place, but also something to approach with caution. And while over-sharing may feel good at the time, sending someone anything of a very personal nature may result in it being permanently accessible to the world, rather than a single individual.

Lesson 3: Think what you yourself are sharing

When parents get into Internet safety, they tend to spend time thinking about what their kids are doing, yet don’t consider their own actions. After all, they are the grown-ups and know how everything works! Or so they think. But from simple social media status updates to photo uploads, have you already started building a searchable mesh of online content about your children? Will they thank you for that when they get older?

That might sound extreme – even a bit tinfoil hat. But the reality is search engines and social media sites suck in whatever information they can. And while you might reasonably think photos of your amazing children at every stage of development need sharing with the entire planet, you should instead consider being more focussed and private regarding such online activity.

This line of thinking became particularly apparent for me before I had a child of my own; it was largely down to a friend who I for a while thought was eccentrically expressing his inner Seuss. In every public online post that referred to his children, he’d call them Thing One and Thing Two. There wasn’t even a reference to gender. He later explained this was intentional. He enjoyed talking about and was rightly proud of his children. But through stripping posts of identifiable information, he retained a measure of privacy for his kids. In the future, there will be no way to search for their names and see a string of posts and photos from their father.

So consider a similar approach. Obfuscate personal details about your children when posting publicly. Consider not uploading photos to public-facing web pages, and instead use services that enable you to restrict access to a specific list of people (such as iCloud Photo Sharing or a private Facebook group). At least then your kids will be able to decide what they want to share with the world when they’re old enough, rather than you having already widely shared many years of their life without their consent.


via:   intego


Apple’s New iCloud Security Requirements – What to Expect

We talk about the importance of keeping your data secure often on the Mac Security Blog. There are a number of ways to do this, some involving encryption, others involving ensuring that only you have access to your accounts. Some of your most important data is in Apple’s iCloud, and on other services. Data security in the cloud is especially important, because of its distributed nature; after all, anyone who has your credentials can log into your account no matter where they are.

Apple has offered enhanced security for iCloud accounts for some time now: first two-step verification, then more robust two-factor authentication. Apple is now planning to tighten this security further, requiring that third-party apps accessing your iCloud data obtain special authorization from June 15. Read on to find out what you need to do to keep using third-party apps with iCloud.

Who is affected?

Apple recently sent emails to iCloud users who do not have either two-step verification or two-factor authentication on their iCloud accounts. Apple’s email said:

Beginning on June 15, app-specific passwords will be required to access your iCloud data using third‑party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts, and calendar services not provided by Apple.

If you simply use Apple’s apps — Mail, Calendar, or Contacts — then you won’t have to change anything. And if you already use Apple’s two-step verification or two-factor authentication, then nothing will change. But if not, you may need to initiate a complex process to continue accessing your iCloud data from your apps.

To start with, two-factor authentication (2FA) is a powerful way of enhancing the security on your account. We discussed how this works for a number of services, and why you should use it in this article.

Apple’s version of 2FA is a bit different from that of other companies. While many forms of 2FA rely on codes sent by text message or SMS, Apple uses a system that is built into macOS and iOS. You receive codes on trusted devices as alerts, rather than as more portable text messages. This has pros and cons. It is more secure than SMS, but if you don’t have access to any trusted devices, then you may not be able to log into your iCloud account. (Read this article to learn how to set up Apple’s 2FA.)

What should I do?

If you want to continue using third-party apps, and don’t yet have 2FA activated on your iCloud account, you will have to turn this on. Apple’s Two-factor authentication for Apple ID support document explains the process.

When you have activated 2FA, you’ll find that your third-party apps will no longer be able to access your data. Most will tell you that your user name or password is incorrect. You’ll need to create app-specific passwords for each of these apps. These are passwords that the Apple ID website creates that only allow authentication for the apps for which they are created. Apple explains that process here.

What’s the risk?

You’ll have enhanced security with 2FA, but — and this is a big but — you may not be able to go back and turn it off. In the past, this was possible, but Apple now says:

You can’t turn off two-factor authentication for some accounts created in iOS 10.3 or macOS Sierra 10.12.4 and later. If you created your Apple ID in an earlier version of iOS or macOS, you can turn off two-factor authentication.

It’s not clear what this means. This suggests that if you created your Apple ID years ago, under MobileMe or .Mac, then you may be able to revert your account. However, back then, you may not have created your Apple ID “in a version of iOS or MacOS,” but simply on Apple’s website.

If you lose access to your trusted devices, then you could have problems. If you get locked out of your account, Apple says:

If you can’t sign in, reset your password, or receive verification codes, you can request account recovery to regain access to your account. Account recovery is an automatic process designed to get you back in to your account as quickly as possible while denying access to anyone who might be pretending to be you. It might take a few days — or longer — depending on what specific account information you can provide to verify your identity.

“A few days — or longer” seems a bit worrisome. If you’re traveling and lose your iPhone, and need to, say, log into to access email, you may not be able to do so. Make sure you add a trusted phone number for a friend, spouse, or other family member; so, if you need access in such a case, you can contact them. (Of course, you may need to write down their phone numbers. I don’t know about you, but I don’t know any phone numbers by heart except my own; I just tap my contacts in my iPhone to make calls…)

What are my other options?

You could stop using third-party applications to access your iCloud data. Again, this change seems to only affect email, calendar, reminder, and contacts. Apps that access photos in your iCloud Photo Library on an iPhone or iPad access the photos directly on the device, from the Photos app; they don’t connect to iCloud. The same is the case for music you may have in iCloud Music Library; third-party apps play back music using a database stored on your iOS device, rather than connecting to iCloud to access the music.

What’s next?

It’s possible that this is the first step toward Apple requiring 2FA for all iCloud accounts. This would be cumbersome and problematic for many users. It does provide extra security, but it can be complicated to manage.

In the meantime, if you do use any third-party email, calendar, or contact apps, you should turn on 2FA before June 15, so you have time to understand how the system works before the change takes effect.


via:  intego


Verizon closes $4.5B acquisition of Yahoo, Marissa Mayer resigns

It’s now official. After Yahoo shareholder approval last week, Verizon today announced that it has finally closed its acquisition of Yahoo, which it plans to combine with its AOL assets into a subsidiary called Oath, covering some 50 media brands (including TechCrunch) and 1 billion people globally. It will be led by Tim Armstrong, who was the CEO of AOL before this. As expected, Marissa Mayer, who had been the CEO of Yahoo, has resigned.

“Given the inherent changes to Marissa Mayer’s role with Yahoo resulting from the closing of the transaction, Mayer has chosen to resign from Yahoo. Verizon wishes Mayer well in her future endeavors,” Verizon said in a statement. You can find Marissa in her own words here on Tumblr. It’s a long list of the achievements made with her at the helm these last five years, and — alas — you will only read of the struggles that Yahoo went through between the lines.

The deal, nevertheless, brings to a close the independent life of one of the oldest and most iconic internet brands, arguably the one that led and set the pace for search — the cornerstone of doing business on the spaghetti-like internet — at least until Google came along and surpassed Yahoo many times over, and led the company into a number of disastrous and costly attempts to redefine itself, ultimately culminating in the sale we have here today.

The sale of Yahoo is another sign of the massive consolidation that continues to happen in the world of online media and content, as large companies look to bring together multiple audiences for economies of scale to build out stronger advertising businesses in competition with the likes of Google and Facebook.

“The close of this transaction represents a critical step in growing the global scale needed for our digital media company,” said Marni Walden, Verizon president of Media and Telematics (which will include Oath), in a statement. “The combined set of assets across Verizon and Oath, from VR to AI, 5G to IoT, from content partnerships to originals, will create exciting new ways to captivate audiences across the globe.”

Carriers have been an especially interesting player in this regard, as they are looking to offset declines in their legacy businesses. But don’t cry for Verizon just yet: the company employs 161,000 people and made $126 billion in revenues in 2016, with 113.9 million retail connections in its mobile business.

As we wrote last week, there will be cuts of around 15 percent of all staff associated with the acquisition of Yahoo and merger with AOL, around areas like operations and sales and marketing. Today, no word about that in the official announcement although we are asking about this.

Also not specified is who else is departing along with Mayer. As we reported last week, Adam Cahan, who had been an SVP at Yahoo very close to Mayer, was also on his way out, as was Bob Lord, the CISO who was at the head of Yahoo’s security operations when its massive breaches were revealed (although he was not there at the time they were taking place). That breach resulted in Verizon knocking several hundred million dollars off its original offer price for the company.

We’re trying to confirm these and other details, but in the meantime, unsurprisingly, David Filo, Eddy Hartenstein, Richard Hill, Marissa Mayer, Jane Shaw, Jeffrey Smith and Maynard Webb Jr. have already resigned from Yahoo’s board.

Those who are keeping jobs in the media division in the newly merged operation include Jared Grusd leading the News vertical (including,, HuffPost, and Yahoo News); Geoff Reiss leading the Sports vertical; David Karp leading the People and Community vertical (including Tumblr, Polyvore, Cabana, Yahoo Answers, Yahoo View, and Kanvas); Andy Serwer leading Finance media (including Yahoo Finance and Autoblog); Michael LaGuardia leading Finance product and utilities; Ned Desmond leading TechCrunch and Engadget; Alex Wallace leading OTT video production & distribution as well as lifestyle & entertainment (that includes BUILD, RYOT, Yahoo Celebrity, Yahoo Style, Yahoo Beauty, Yahoo TV, Yahoo Movies, Yahoo Music, and Yahoo Entertainment); Dave Bottoms heading up distribution products (Newsroom and video OTT products) as well as growth, monetization, and syndication; Tim Tully leading all of engineering; Dave McDowell leading subscriptions, commerce, and customer care (including Yahoo Shopping and AOL Shopping); and Mary Bui-Pham leading operations (including design, UXRA, analytics, and program management).

“We’re building the future of brands using powerful technology, trusted content and differentiated data. We have dominating consumer brands in news, sports, finance, tech, and entertainment and lifestyle coupled with our market leading advertising technology platforms,” Armstrong said in a statement. “Now that the deal is closed, we are excited to set our focus on being the best company for consumer media, and the best partner to our advertising, content and publisher partners.”

This will include not just media brands but the ad tech underpinning how to leverage these audiences. In this case, the focus is on ONE by AOL and its BrightRoll technology covering mobile, video, search, native and programmatic ads.

An internal memo from Armstrong is below.


Today is a historic day. We are bringing together some of the most important and scaled brands and products that have revolutionized the way the world works. Our combined services reach over a billion people each month. Building brands people love is our mission and that gives us a billion people to keep building for every day.

Over the coming years, another 3 billion people will join the revolution with an overwhelming majority being mobile only consumers. With our talent, technology, and brand platforms coupled with Verizon’s strategic mobile position, we will occupy one of the best strategic positions in the global marketplace. The opportunity in front of us is not about the opinions from the pundits and it is not about the competition, it is about our ability to maniacally focus on delivering magical services to mobile enabled consumers.

The companies and platforms in our portfolio have very strong track records of building brands that consumers love. From Yahoo to TechCrunch to AOL to Yahoo Mail to HuffPost to Tumblr to Yahoo Finance to Flurry, consumers and customers across the globe choose our brands every day to deliver their digital world experiences. Our job is to deliver three simple objectives:

  • Build brands consumers love (also our mission – consumers come first in our objectives)
  • Build platforms customers love
  • Build a company talent loves

Many people across the combined companies have done a tremendous amount of work over the past year. The talent level at the combined companies has been on display in every area of work that has been accomplished in order to get to today. The team from Yahoo, led by Marissa, deserves a special thank you. Yahoo is an incredible brand and talent-based company and we have been impressed with the people, the products, and the spirit.

We want to bring everyone together today to talk about our future together. We are starting a journey together and that journey will be exciting and it will be challenging. Accomplishing our objectives and goals will require adjustments to the company and it will require us to provide clarity on the strategy and the integration objectives. We will start discussing that today.

Let’s make it happen – TA

More is sure to come.


via:  techcrunch


FIN7 Hitting Restaurants with Fileless Malware

FIN7, closely associated with the notorious Carbanak group, is behind a targeted phishing campaign singling out restaurants with fileless malware that is difficult to detect.

The recent campaign incorporates “never before seen evasive techniques that allow (malware) to bypass most security solutions,” wrote researchers at Morphisec Lab in a report released on Friday.

They said the malware attacks “pose a severe risk to enterprises” because the malware is so hard to detect. As of Friday, there was a zero detection rate on VirusTotal for the documents used to deliver the malware.

“This means the attackers successfully bypass static analysis by most of the security solutions,” said Michael Gorelik, vice president of research and development at Morphisec.

He said the fileless attacks are currently targeting restaurants across the United States. The objective of the FIN7 attackers is to seize system control and install a backdoor to steal financial information at will. The initial attack pattern is typical of fileless malware. First, a well-crafted phishing email is sent with an RTF Word document attached, which, if opened, launches a fileless attack based on DNS queries that delivers the shellcode stage (Meterpreter).

The twist, according to Morphisec Lab researchers, is the use of DNS queries to deliver the shellcode stage. “In this new variant, all the DNS activity is initiated and executed solely from memory–unlike previous attacks which used PowerShell commands.”

In March, FIN7’s fileless malware campaign focused on financial institutions and government agencies. The previous PowerShell script opened a backdoor and grabbed commands from the command-and-control server. Today’s FIN7 attacks are different. By using DNS queries and shellcode, researchers say, attackers can more effectively evade detection, mount future attacks and be more prolific. According to an analysis of OpenDNS data, FIN7 is currently carrying out large-scale attacks with peaks of more than 10,000 DNS requests per hour.

“The shellcode phase of this attack is unique and demonstrates the constantly advancing abilities of attackers. The shellcode is the primary differentiating technique between this campaign and past attacks by FIN7 and other threat actors,” Gorelik wrote.

Malicious attachments are restaurant themed and typically named “menu.rtf”, “Olive Garden.rtf” or “Chick Fil A Order.rtf”, to name a few. “The attached RTF file uses OLE and has many similarities to previous FIN7 attacks. But this attack, instead of activating HTA files (mshta.exe) from within the link, executes obfuscated JavaScript code,” researchers said.

Once the RTF document is opened, the victim is presented with a Word file that contains a large image of an envelope that instructs “Double Click Here To Unlock Contents.” According to researchers, all the target needs to do is double-click on the envelope and then press “OK” on a dialogue box to trigger the infection process.

The warning on the dialogue box reads: “The package you are about to open will run a program contained within the package. That program could anything and may harm your computer.”

The RTF document contains the JavaScript code snippets used to compile and create a scheduled task that runs the malware’s second-stage code after a one-minute delay.

“This delayed execution helps to bypass behavior analysis since the second stage is not directly executed by the first stage,” Gorelik explained. “Basically, FIN7 implemented a shellcode that gets the next stage shellcode using the DNS messaging technique directly from memory. This way they can successfully evade many of the behavior based solutions.”

The analysis revealed that each DNS query returned an additional snippet of shellcode until the stage was complete. The last query is to the subdomain ihc[.]stage[.]12019683[.]ns2[.]true-deals[.]com, according to the research.
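As an added defender-side example (not code from Morphisec or the article), the Python sketch below buckets resolver logs by client, parent domain and hour and flags clients that resolve many distinct names under one parent domain, the pattern a stage-by-stage DNS download leaves behind. The log format, client addresses and timestamps are constructed; only the true-deals.com parent domain and the ihc.stage.<n>.ns2 label pattern come from the article.

```python
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines, "<ISO timestamp> <client> <queried name>".
# Only the parent domain true-deals.com and the "ihc.stage.<n>.ns2" label
# pattern come from the article; clients, times and other names are made up.
SAMPLE_LOG = """\
2017-06-09T10:00:01 10.1.1.7 ihc.stage.12019680.ns2.true-deals.com
2017-06-09T10:00:02 10.1.1.7 ihc.stage.12019681.ns2.true-deals.com
2017-06-09T10:00:03 10.1.1.7 ihc.stage.12019682.ns2.true-deals.com
2017-06-09T10:00:04 10.1.1.7 ihc.stage.12019683.ns2.true-deals.com
2017-06-09T10:00:05 10.1.1.7 ihc.stage.12019684.ns2.true-deals.com
2017-06-09T10:00:06 10.1.1.7 ihc.stage.12019685.ns2.true-deals.com
2017-06-09T10:00:07 10.1.1.8 www.example.com
2017-06-09T10:00:08 10.1.1.8 mail.example.com
2017-06-09T11:30:00 10.1.1.7 ihc.stage.12019686.ns2.true-deals.com
"""

def parent_domain(qname, levels=2):
    """Return the last `levels` labels (a crude registrable-domain guess;
    production code would consult a public-suffix list instead)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])

def detect_dns_staging(log_text, min_unique=5):
    """Flag (client, parent domain, hour, count) where one client resolved
    at least `min_unique` distinct names under one parent domain within an
    hour: the footprint of shellcode pulled down in DNS-sized pieces."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(client, parent_domain(qname), hour)].add(qname.lower())
    return sorted(
        (client, parent, hour.isoformat(), len(names))
        for (client, parent, hour), names in buckets.items()
        if len(names) >= min_unique
    )

if __name__ == "__main__":
    for hit in detect_dns_staging(SAMPLE_LOG):
        print("possible DNS-based stage delivery:", hit)
```

The threshold is deliberately low for the constructed sample; against real resolver volume it should be tuned per environment and combined with an allow-list for CDN and telemetry domains that legitimately produce many unique subdomains.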

Next, a second-stage encrypted shellcode is delivered. Upon decryption more obfuscation takes place. “The shellcode deletes the ‘MZ’ prefix from within a very important part of the shellcode. This prefix indicates it may be a dll, and its deletion helps the attack to evade memory scanning solutions,” the report said.

According to the analysis of the attack, the final payload is CobaltStrike Meterpreter, a tool used by many attackers and penetration testers. “Having a Meterpreter session on a compromised computer allows for full control of the computer and exfiltration of any data, and in some cases lateral movement inside the organization,” the report said.


via:  threatpost


Google Offers $200,000 for TrustZone, Verified Boot Exploits

Google announced increased rewards for security researchers reporting Android TrustZone or Verified Boot exploit chains. The company is now willing to pay up to $200,000 for such compromises, and will pay up to $150,000 for remote kernel exploits.

The awards are offered as part of the company’s Android Security Rewards program, which turned two this week. The Internet giant paid over $1.5 million in bounties to security researchers reporting Android vulnerabilities over the course of two years, and is looking to pay even more in the future.

During its two-year run, Android Security Rewards has attracted a large number of security researchers, and Google received over 450 qualifying vulnerability reports from the participating researchers over the past 12 months alone.

The total program payout doubled to $1.1 million, and the average pay per researcher jumped by 52.3% compared to the first year, Google says.

During the program’s second year, the Internet giant paid $10,000 or more to 31 researchers, and also paid the top research team, C0RE Team, over $300,000 for 118 vulnerability reports. Over the course of a year, the company paid 115 individuals with an average of $2,150 per reward and $10,209 per researcher.

Unfortunately, none of the reports received over the two-year period included a complete remote exploit chain leading to TrustZone or Verified Boot compromise, which would have received the highest award amount available through the program.

Because no researcher claimed the top rewards in two years, the company decided to apply new terms to all vulnerability reports filed after June 1, 2017 and to stir researchers’ interest by significantly increasing the top-line payouts for exploit chains that could claim them.

Thus, the rewards for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise were increased from $50,000 to $200,000, while those for a remote kernel exploit went from $30,000 to $150,000.

“In addition to rewarding for vulnerabilities, we continue to work with the broad and diverse Android ecosystem to protect users from issues reported through our program. We collaborate with manufacturers to ensure that these issues are fixed on their devices through monthly security updates,” Mayank Jain and Scott Roberts, Android Security team, say.

According to Jain and Roberts, there are over 100 device models, and a majority of devices are running a security update released within the past 90 days. Furthermore, numerous models run a security update from the last two months, including the Google Pixel XL, Pixel, Nexus 6P, Nexus 6, Nexus 5X and Nexus 9.

Various smartphone models from manufacturers such as BlackBerry, Fujitsu, General Mobile, Gionee, LGE, Motorola, Oppo, Samsung, Sharp, Sony, and Vivo also run security patches released over the past two months.


via:  securityweek


Malicious Downloader Uses Mouse-Hovering to Deliver Banking Trojan

A malicious downloader waits for users to hover over modified text or an image file as a means of delivering a banking trojan.

Like most attack campaigns, this operation begins when a user receives a spam email. Bad actors appear to be abusing compromised websites, which they’re using as their command and control (C&C) servers, along with virtual private servers (VPS) to deliver the spam messages. These emails each come with a finance-themed subject line and a serial number, which indicates that those conducting the campaign are tracking their messages.

The attack missives masquerade as invoices. But they’re frauds, as are their Microsoft PowerPoint Open XML Slide Show (PPSX) and PowerPoint Show (PPS) file attachments. Trend Micro threat analysts Rubio Wu and Marshall Chen elaborate on this point:

“Once the would-be victim downloads and opens the file, user interaction is needed—hovering over the text or picture embedded with a malicious link (which triggers a mouseover action), and choosing to enable the content to run when prompted by a security notice pop-up. Microsoft disables the content of suspicious files by default—via Protected View for later versions of Office—to mitigate the execution of malicious routines that abuse features in Microsoft Office, such as macros and Object Linking and Embedding (OLE). Hence, a key ingredient in the infection chain is social engineering—luring the victim into opening the file and enabling the malware-laced content to run on the system.”

Payload embedded in the PPS/PPSX file. (Source: Trend Micro)

Once enabled, the content executes an embedded malicious PowerShell script that downloads Nemucod as a JScript Encoded File. This second-stage downloader, which has spread everything from ad-clicking backdoors to ransomware, contacts the C&C and retrieves the final payload: OTLARD (aka Gootkit), a type of banking trojan known for stealing credentials and banking information in Europe. In this campaign, the number of attack emails carrying OTLARD peaked at 1,444 on 25 May before dying down four days later.

To protect themselves against malspam campaigns such as the innovative operation described above, users should keep Protected View enabled when viewing Microsoft Office documents downloaded from email. By extension, they should think twice before enabling content. They should also avoid opening suspicious email attachments and clicking URLs in unexpected messages.


via:  tripwire
