Thursday, 26 October 2017

Infrastructure Behind BadRabbit Ransomware Active Since 2016

The infrastructure used last Tuesday to spread the BadRabbit ransomware has been active since 2016, says Dutch security researcher Yonathan Klijnsma of security company RiskIQ. During the attack the attackers used a large number of hacked websites.

These websites showed visitors a popup saying that they needed to install an update for Adobe Flash Player. In fact, this was a Petya ransomware variant that encrypted files on the hard drive and overwrote the Master Boot Record of the hard drive, after which the operating system can no longer be started. Furthermore, BadRabbit tries to spread over SMB using a list of commonly used passwords and login credentials that it intercepts.

On the hacked websites, injected code contacted an injection server that showed the malicious popup on the websites. One of these injection servers was first observed last September. In addition, various of the hacked websites had been compromised since last year. RiskIQ counted 63 hacked websites to which the attackers had access, but the security company notes that it could be more.

"The group behind the BadRabbit ransomware has been active for quite some time," said Klijnsma. The researcher speaks of a long-term campaign that could possibly have been set up for something other than BadRabbit. "Although the BadRabbit ransomware is brand new, we can track the distribution infrastructure to the beginning of 2016, which shows that victims had been compromised well before the ransomware hit and the news cycle began. The campaign could originally have been set up for something other than BadRabbit." Security company Symantec claims that 86 percent of the infections occurred in Russia and that it mainly concerns companies.

Wednesday, 25 October 2017

Security Company Develops DDE Feature Patch In Microsoft Office

A security company has developed an unofficial patch for the DDE feature in Microsoft Office, which cybercriminals are currently abusing. Dynamic Data Exchange (DDE) is a feature that was added to older Windows versions and is still used in many places. The feature allows data from, for example, an Excel document to be embedded in a Word document.

If the Excel document is updated, the change is immediately visible in the Word document. However, the DDE feature also makes it possible to call a malicious application instead of Excel, or a benign application that then carries out malicious commands. Before the called application runs, the user must first give permission in two dialog boxes.

This does not seem to be an obstacle, as the functionality is currently being used by cybercriminals. Microsoft is not currently planning to resolve the issue through a security update. The Windows 10 Fall Creators Update, however, includes Windows Defender Exploit Guard, which can block attacks via the DDE feature. Since Microsoft is not providing a patch for the time being, security company ACROS decided to look into developing one itself.

The result is a "micro-patch" for Office 2007, 2010, 2013, 2016 and 365, in both the 32-bit and 64-bit versions. The patch prevents the DDE feature from invoking the specified application: Microsoft Word still displays the two dialog boxes, but if the user clicks Yes, the called application is not executed. To install the micro-patch, the free 0patch Agent software must be running on the system. This is an unofficial patch and its use is at your own risk. ACROS has previously developed micro-patches for vulnerabilities in Windows and Foxit Reader, among others.

Researchers Crack Google's Audio Captcha

Researchers have managed to crack Google's audio captcha with an average accuracy of 85 percent, which would allow bots to automatically create accounts on websites and post spam messages. To distinguish bots from people, captchas often require users to solve puzzles or read distorted text. Google's captcha also allows users to solve an audio captcha instead.

The audio captcha consists of multiple digits read out at different speeds, in different accents and pitches, and with background noise. Researchers at the University of Maryland devised an attack targeting Google's audio captcha. To crack it, the researchers developed "unCaptcha", software that downloads the captcha audio file and then splits it into the segments that contain speech.

The audio fragment for each digit is then sent to six free online audio transcription services, including Google's own. From the different results, the software determines which digit was read in the clip. The results are then entered 'organically' by the software in the captcha window. On average, the software solves the captcha with 85 percent accuracy. After the researchers published their research (pdf), Google took various measures that limit the effectiveness of unCaptcha.

Attacker Modifies Coinhive DNS Using Reused Password

An attacker succeeded yesterday in modifying Coinhive's DNS, causing websites that use the cryptominer to load a JavaScript file belonging to the attacker. Coinhive is a cryptominer that uses the visitor's computing power to mine the cryptocurrency Monero through the browser. To do this, the computer performs a cryptographic calculation.

Website owners who want to use Coinhive must point to a Coinhive JavaScript file on their website. This file is then loaded by the visitor's browser, after which the computing power of the visitor's computer is used to perform the cryptographic calculation. The attacker was able to access Coinhive's Cloudflare account. Cloudflare is Coinhive's DNS provider.

The attacker then changed the DNS settings, which redirected requests for the Coinhive domain to another server. This server served a modified version of the JavaScript file. As a result, the attacker, rather than the websites running Coinhive, benefited from the calculations performed by website visitors.

According to Coinhive, the Cloudflare account was hacked through an insecure password that was probably stolen in the Kickstarter hack of 2014. "Since then, we learned hard lessons about security and used two-factor authentication and unique passwords for all services, but have failed to update our years-old Cloudflare account," said Coinhive. The company says it is now looking at ways to compensate affected websites.

Tuesday, 24 October 2017

Ukraine And Russia Hit By Bad Rabbit Ransomware

Organizations in Ukraine and Russia have been hit by a new ransomware specimen called Bad Rabbit, which is said to be a variant of the Petya ransomware that spread this summer, reports anti-virus company ESET. The malware is said to have infected hundreds of systems.

Among the victims are the Kiev metro, Odessa airport and Ukrainian ministries, according to the anti-virus company. Anti-virus company Kaspersky Lab reports that most victims are in Russia. The Russian press agency Interfax, for example, has been hit by the ransomware and reports that its news services are unavailable because of the attack. "Based on our research, it is a targeted attack on corporate networks through methods similar to the ExPetr attack," said Kaspersky researcher Alex Perekalin. ExPetr is one of the names given to the Petya variant of this summer.

According to Kaspersky Lab, the Bad Rabbit ransomware is spread through a number of hacked Russian media websites. ESET researcher Lukas Stefanko, Proofpoint researcher Darien Huss and well-known anti-virus veteran Vesselin Vladimirov Bontchev warn that the ransomware is being offered on websites as an update for Flash Player. As soon as a user downloads and opens this so-called update, the Bad Rabbit ransomware is activated on the system. Bad Rabbit then tries to spread across the network, using a list of common passwords, and tries to steal login data with the Mimikatz tool.

Bad Rabbit encrypts files and, like Petya, overwrites the Master Boot Record (MBR) of the hard drive, which renders the system unusable. The ransomware demands 240 euros from victims for decrypting the files. Whether victims are paying the ransom to recover their files is still unknown. Organizations are advised to block execution of the files c:\windows\infpub.dat and c:\windows\cscc.dat and, if possible, to disable the Windows WMI service so that the ransomware cannot spread further.

Initially, ESET researcher Stefanko reported that the EternalBlue exploit was also used. This does not appear to be the case. The article has been amended accordingly.

The attackers managed to hack several media and news sites, on which malicious code then offered the so-called Flash Player update. Most infections were observed in Russia, followed by Ukraine, Bulgaria and Turkey. According to ESET, all affected major companies were hit at the same time. "It is possible that the attackers already had access to the network and launched the attack through the websites at the same time as a distraction," said Marc-Etienne M.Léveillé of ESET. He notes that there are no indications that employees of affected organizations fell for the so-called Flash Player update. Anti-malware company Malwarebytes reports that the attackers behind Bad Rabbit are likely also responsible for the Petya/NotPetya variant of last June.

In the meantime, several technical analyses of Bad Rabbit have appeared online:

- Bitdefender

- Cisco

- Kaspersky Lab

- Malwarebytes

- McAfee

- Qualys

According to Costin Raiu of Kaspersky Lab, the attackers behind Bad Rabbit had been setting up the network of hacked websites since July. The attackers had access to Russian, Turkish, German and Bulgarian websites, among others.

Lenovo Provides Computers With FIDO Authenticators

Lenovo has equipped various computer models with so-called FIDO authenticators that let users log in to their accounts with a fingerprint scan or by clicking a prompt on the screen. The Fast IDentity Online (FIDO) Alliance has set itself the goal of replacing the password with authentication methods that are "safer and more user-friendly."

Lenovo is one of the FIDO members, alongside Google, Microsoft, MasterCard and PayPal, among others. The parties involved develop products and services that use the FIDO protocol, which automatically recognizes devices that support FIDO and lets users replace passwords with another authentication method.

Lenovo now claims to be the first PC manufacturer to integrate FIDO-certified authenticators directly into Windows computers. Instead of logging in with a password, users can choose an alternative: for example, they can log in with a fingerprint scan through the Universal Authentication Framework (UAF). The system also supports Universal 2nd Factor (U2F).

If a user has enabled two-factor authentication for an account, it is no longer necessary to use a separate security key or SMS code: the two-factor authentication is built directly into the computer. With two-factor authentication via U2F, users get a prompt to confirm, after which they are logged in to their account. This login method is supported by Google, Facebook and Dropbox.

To support UAF and U2F, Lenovo uses Intel Online Connect and Intel Software Guard Extensions (Intel SGX) on the latest Intel processors. The functionality ships with various computer models and is available for all models already delivered. Intel Online Connect can be downloaded from Lenovo's website and will also be available through Lenovo System Update and Lenovo App Explorer.

Well-known British Clinic For Plastic Surgery Hacked

Attackers have hacked a well-known British plastic surgery clinic and made off with all sorts of sensitive patient data, including photos. The attackers, known as The Dark Overlord, told The Daily Beast that they stole terabytes of data.

Information about members of the royal family is also said to be in the stolen databases. The attackers shared information and operation photos with a journalist from The Daily Beast. The attackers' e-mails were sent from a hacked e-mail account of the clinic. The attackers are threatening to make the stolen images public.

On its own website, London Bridge Plastic Surgery confirms the attack and states that it has taken measures to stop it. It is now investigating exactly what data the attackers have taken. The clinic does not say how the attack could have taken place, but on Twitter it speaks of a "sophisticated cyber attack". Earlier, the group also extorted a Hollywood studio after unreleased episodes of Orange Is the New Black had been stolen.

Mozilla Doubles Donations To The Tor Project

The Tor Project has today launched a crowdfunding campaign to raise funds, and Mozilla will double donations up to a total of $500,000. Every day, 2 million people use the Tor network to protect their privacy and to visit censored websites.

According to the Tor Project, the number of online censorship and privacy attacks was unprecedented this year. "Countries around the world tried to restrict access to the web, to silence dissidents and to compromise personal privacy," said Tommy Collison of the Tor Project. For next year too, the Tor Project expects many governments and companies to want to make censorship the norm and to consign privacy to the past.

A large part of the Tor Project's revenue comes from the US government, and the organization wants to reduce that dependence by relying more on individual donations. As there are no restrictions on crowdfunded money, it can be spent on the projects that the Tor Project considers most important, and the organization can respond quickly to changing circumstances.

Furthermore, the Tor Project praises its cooperation with Mozilla. Not only will Mozilla double donations up to a total of $500,000, the two parties also work closely together on software development. There is regular consultation between the engineers of Mozilla and the Tor Project, privacy enhancements from Tor Browser are added to Firefox, and Mozilla engineers have taught Tor developers to program in the Rust programming language. In addition, Mozilla supports the Tor network by running several Tor servers.

25,000 Fortinet Devices Vulnerable To DUHK Attacks

Over 25,000 Fortinet devices that are used for vpn connections and reachable from the Internet are vulnerable to a new cryptographic attack called DUHK, which allows attackers who passively observe vpn connections to decrypt and read the traffic.

DUHK stands for Don't Use Hard-coded Keys and was developed by Matthew Green, cryptographer and professor at Johns Hopkins University, together with Nadia Heninger and Shaanan Cohney. The vulnerability occurs when the ANSI X9.31 Random Number Generator (RNG) is used in combination with a hard-coded seed key. The ANSI X9.31 RNG is a more than 20-year-old algorithm that until recently was used to generate the cryptographic keys that protect vpn connections and web sessions from interception by third parties.

Through the DUHK attack, an attacker can recover the secret encryption key of vulnerable implementations and thus decrypt and read traffic from vpn connections and web sessions. This may include sensitive information such as company data, login credentials, credit card details and other confidential content. The ANSI X9.31 RNG is used in many government-certified products. Until last year, the ANSI X9.31 RNG was one of four random number generators approved by the United States government for use in cryptographic modules; it has since been removed from the list.

Network manufacturer Fortinet made use of this vulnerable random number generator in devices running FortiOS 4.x. Traffic of all Fortinet vpn devices with FortiOS 4.3.0 through FortiOS 4.3.18 can be decrypted by a passive network attacker who can observe the encrypted handshake traffic. Fortinet released FortiOS 4.3.19 last year to fix the problem. According to Green, there are more than 25,000 vulnerable vpn devices on the Internet. The professor calls this a "conservative number", as only machines that responded to the researchers' scans were counted. The researchers have published a paper with their findings (pdf) but will not disclose the attack code.
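To make the X9.31 weakness described above concrete, the following Go program is an added example written for this page; it is not the researchers' code and says nothing about how any Fortinet product encodes its inputs. It implements the ANSI X9.31 generator with AES as the block cipher (an assumption of the example; the standard also allows 3DES), seeds a "device" with a constructed hard-coded key and a random secret state, and then shows that an observer who knows that key and sees a single output block together with the timestamp that produced it can compute the generator's next state and predict the following output. The key value, the timestamp encoding and all function names (X931, NewX931, Next, TimestampBlock, NextStateFromOutput, HardcodedKeyDemo) are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// X931 is a minimal ANSI X9.31 block-cipher RNG. With key K, state V and a
// timestamp block T, one step computes
//     I = E_K(T);  R = E_K(I xor V) is the output;  V' = E_K(R xor I) is the next state.
// AES is used as the block cipher (an assumption of this example).
type X931 struct {
	block cipher.Block
	v     []byte // current state V, one block
}

// NewX931 builds a generator from a key and an initial state.
func NewX931(key, seed []byte) (*X931, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(seed) != block.BlockSize() {
		return nil, fmt.Errorf("seed must be %d bytes", block.BlockSize())
	}
	return &X931{block: block, v: append([]byte(nil), seed...)}, nil
}

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Next consumes one timestamp block and returns one output block R.
func (g *X931) Next(t []byte) []byte {
	i := make([]byte, aes.BlockSize)
	g.block.Encrypt(i, t)
	r := make([]byte, aes.BlockSize)
	g.block.Encrypt(r, xorBlocks(i, g.v))
	g.block.Encrypt(g.v, xorBlocks(r, i)) // advance V
	return r
}

// TimestampBlock encodes a time as big-endian nanoseconds, zero padded. Real
// devices format T differently; what matters is that T has little entropy.
func TimestampBlock(ts time.Time) []byte {
	t := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(t, uint64(ts.UnixNano()))
	return t
}

// NextStateFromOutput is why a hard-coded K is fatal: V' = E_K(R xor E_K(T))
// depends only on K, the observed output R and the timestamp T, never on the
// secret state V, so anyone holding K resynchronises from a single output.
func NextStateFromOutput(key, r, t []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	i := make([]byte, aes.BlockSize)
	block.Encrypt(i, t)
	v := make([]byte, aes.BlockSize)
	block.Encrypt(v, xorBlocks(r, i))
	return v, nil
}

// HardcodedKeyDemo models a device whose X9.31 key is a constant baked into
// its firmware (a constructed value, not any vendor's real key) while its
// state V is random. It returns the device's second output and the value an
// observer predicts for it from K, the first output and the two timestamps.
func HardcodedKeyDemo() (actual, predicted []byte) {
	hardcodedKey := []byte("CONSTRUCTED-KEY!") // 16 bytes, constructed
	seed := make([]byte, aes.BlockSize)
	if _, err := rand.Read(seed); err != nil { // V is fresh and secret
		panic(err)
	}
	device, err := NewX931(hardcodedKey, seed)
	if err != nil {
		panic(err)
	}
	t1 := TimestampBlock(time.Date(2017, 10, 24, 12, 0, 0, 0, time.UTC))
	t2 := TimestampBlock(time.Date(2017, 10, 24, 12, 0, 0, 1000, time.UTC))
	r1 := device.Next(t1)    // an output the observer gets to see
	actual = device.Next(t2) // the next output the device will rely on

	v2, _ := NextStateFromOutput(hardcodedKey, r1, t1) // observer's reconstruction of V'
	clone, _ := NewX931(hardcodedKey, v2)
	predicted = clone.Next(t2)
	return actual, predicted
}

func main() {
	actual, predicted := HardcodedKeyDemo()
	fmt.Printf("device output:    %x\npredicted output: %x\nmatch: %v\n",
		actual, predicted, string(actual) == string(predicted))
}
```

The secret state V contributes nothing once K is known and T can be approximated, which is why the fix has to be an unpredictable, per-device key rather than a better seed, and why the generator itself was removed from the approved list.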

Man Charged For Hacking 550 Gmail And iCloud Accounts

In the United States, a 32-year-old man has been charged with hacking over 550 Gmail and iCloud accounts, including those of Hollywood stars and other celebrities. According to the charge, from April 2013 until the end of August 2014 the man sent phishing e-mails in which recipients were asked to reply with their username and password.

If a recipient responded with the credentials, the man used them to log in to the victim's iCloud and Gmail accounts. Once logged in, he searched for sensitive personal information, including photos and videos. The case against the man arises from the investigation into 'Celebgate' or 'The Fappening', in which all kinds of nude photos of celebrities were leaked. However, the FBI has found no evidence that the accused is responsible for leaking the nude photos or that he shared or uploaded the information he obtained.

The man has now signed a plea agreement with the Justice Department and is expected to plead guilty, the US Department of Justice announced. Earlier this year, a 29-year-old American was sentenced to nine months in prison for hacking the iCloud and Gmail accounts of more than 300 people, including at least thirty Hollywood stars. According to the FBI, that man was not responsible for Celebgate either.

WordPress Sites Attacked Via Zero-Day Leak In Plug-In

A zero-day leak in the WordPress plug-in Ultimate Form Builder Lite was actively used to attack and take over websites before an update was available. Ultimate Form Builder Lite is a WordPress plug-in for creating contact forms and runs on over 50,000 websites.

The vulnerability was discovered by security researchers at Wordfence. Wordfence had already warned of zero-day leaks in three plug-ins, named Appointments, Flickr Gallery and Registration Magic-Custom Registration Forms, that were being actively attacked. These three plug-ins were used by 21,000 websites in total. While investigating those attacks, the researchers discovered that attackers were also targeting WordPress sites running Ultimate Form Builder Lite.

The attackers used SQL injection in combination with a PHP vulnerability. By sending a single request, attackers could completely take over vulnerable websites. The developer of the WordPress plug-in was informed on October 13 and rolled out an update on Sunday, October 22, which solves the problem.

Windows Defender Exploit Guard Protects Against DDE Attacks

With the launch of the Windows 10 Fall Creators Update, Microsoft has added new security measures to the operating system which, among other things, protect against the DDE attack that has been in the news lately. The new security measures are called Windows Defender Exploit Guard, a collection of features that should protect users against various threats.

One such feature is Controlled folder access, which protects directories against ransomware: only authorized applications get access to files in the specified folders. Unauthorized executables, DLL files and scripts are denied access, even if they run with administrative privileges. If ransomware tries to access files in the specified folders, Windows 10 shows a warning.

Attack Surface Reduction

Another feature is Attack Surface Reduction (ASR), a set of controls that let organizations prevent attackers from infecting systems through e-mail, scripts or Microsoft Office. For Microsoft Office, ASR can prevent Office apps from creating executable content or injecting themselves into a process, and it blocks macro code. Another attack that ASR blocks is the one via the Microsoft Office DDE feature, Microsoft has announced.

Microsoft Office's Dynamic Data Exchange (DDE) feature makes it possible to embed data from, for example, an Excel document in a Word document. To do so, code is added to one document that points to the data in the other document. Instead of a document, malicious code can also be linked. Attackers now use this feature to infect internet users with ransomware and other malware through Word documents. Windows Defender Exploit Guard can detect and stop this attack. Furthermore, the feature stops JavaScript, VBScript and PowerShell code, as well as executable content arriving via e-mail or webmail.
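The DDE link described here, and in the ACROS micro-patch item above, is stored as a field code inside the document itself, so a defender can find such documents before anyone opens them and sees the two prompts. The following Go program is an added example written for this page (it is not code from Microsoft, ACROS or 0patch): it opens a .docx in memory, reassembles Word field instructions from word/document.xml and reports every field that begins with DDE or DDEAUTO. The sample document is constructed inline with placeholder application and argument strings; the element names are those of the WordprocessingML format, and the regular-expression parsing is a deliberate simplification that does not cover every way Word can lay out a field. The function names FindDDEFields and SampleDocx are the example's own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"html"
	"io"
	"regexp"
	"strings"
)

// A .docx is a zip archive; Word keeps field codes in word/document.xml either
// inside <w:instrText> runs of a complex field (bracketed by <w:fldChar>
// begin/separate/end markers and often split over several runs) or in the
// w:instr attribute of a <w:fldSimple> element.
var tokenRe = regexp.MustCompile(
	`<w:fldChar[^>]*w:fldCharType="(begin|separate|end)"[^>]*>` +
		`|<w:instrText[^>]*>([^<]*)</w:instrText>` +
		`|<w:fldSimple[^>]*w:instr="([^"]*)"`)

// A field instruction beginning with DDE or DDEAUTO asks Word to open a DDE
// conversation, which is what triggers the prompts; flag every one for review.
var ddeRe = regexp.MustCompile(`(?i)^DDE(AUTO)?\b`)

// FindDDEFields returns each DDE field instruction in the .docx bytes,
// reassembled across runs and with XML entities decoded.
func FindDDEFields(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	rc, err := zr.Open("word/document.xml") // missing => not a Word document
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	doc, err := io.ReadAll(rc)
	if err != nil {
		return nil, err
	}
	var found []string
	var instr strings.Builder // instruction text of the complex field in progress
	inField := false
	check := func(raw string) {
		if s := strings.TrimSpace(html.UnescapeString(raw)); ddeRe.MatchString(s) {
			found = append(found, s)
		}
	}
	for _, m := range tokenRe.FindAllStringSubmatch(string(doc), -1) {
		switch {
		case m[1] == "begin": // start of a complex field
			instr.Reset()
			inField = true
		case m[1] == "separate" || m[1] == "end": // instruction part is complete
			if inField {
				check(instr.String())
			}
			inField = false
		case inField && m[2] != "": // one run of instruction text
			instr.WriteString(m[2])
		case m[3] != "": // simple field carries its instruction inline
			check(m[3])
		}
	}
	return found, nil
}

// sampleDocumentXML is a constructed word/document.xml: one complex DDE field
// whose target is replaced by placeholders (no real command) split over two
// runs, plus a harmless DATE field the scanner must ignore.
const sampleDocumentXML = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">&quot;PLACEHOLDER_APPLICATION&quot; &quot;PLACEHOLDER_ARGUMENTS&quot;</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>cached result</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" DATE \@ &quot;d MMMM yyyy&quot; "><w:r><w:t>26 October 2017</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>`

// SampleDocx packs the constructed XML into a minimal .docx-shaped archive.
func SampleDocx() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range map[string]string{
		"[Content_Types].xml": `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":   sampleDocumentXML,
	} {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	fields, err := FindDDEFields(SampleDocx())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d DDE field(s) found: %q\n", len(fields), fields)
}
```

Run against real mail attachments, a non-empty result is the signal to quarantine or open the file only where Exploit Guard's DDE blocking or the micro-patch is in place; a legitimate Excel link also produces a DDE field, so the scanner reports, it does not decide.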

Exploitation Protection

Windows Defender Exploit Guard also provides protection against exploits and replaces Microsoft's well-known Enhanced Mitigation Experience Toolkit (EMET). Like EMET, Exploit Guard adds mitigations to the system that protect against known and unknown exploits. The Fall Creators Update removes EMET from Windows 10 computers on which the tool is installed; EMET users can import their settings into Exploit Guard. The Fall Creators Update will be rolled out to Windows 10 in the coming months and can also be installed manually.