Monthly Archives: February 2018

Ransomware: Get ready for the next wave of destructive cyberattacks

It might look to be out of the limelight compared to 2017, but it would be foolish to write ransomware off yet, as more attacks using the file-encrypting malware are ahead.

High profile incidents like WannaCry, NotPetya and Bad Rabbit made ransomeware infamous last year. WannaCry and NotPetya have since both been attributed to be the work of nation-states – the former to North Korea and the latter to Russia – changing the perception of ransomware from something used by cybercriminals attempting to make a quick buck, to it becoming a tool of cyberwarfare.

That’s especially the case for NotPetya, which took down the networks of businesses around the world and causing billions of dollars in damages and lost income.

So while some cybercriminal operations have pivoted towards cryptocurrency mining as means of making money, don’t expect ransomware to be any less effective – or destructive.

The company’s newly released 2018 Global Threat Report suggests that rather than fading into the background, ransomware could become an even more prominent tool of cyberwarfare – especially as the likes of WannaCry have demonstrated the large amounts of damage which can be done.

Next Generation Firewall or NGFW

Next Generation Firewall or NGFW

Next Generation Firewall or NGFW is an integrated network platform that combines a traditional firewall with other security system functionalities like an application firewall, Intrusion Prevention System or IPS, SSL/SSH interception, QoS/bandwidth management, malware inspection etc. An NGFW includes the typical functionalities of a traditional firewall, yet it is much more powerful than a traditional firewall in detecting and preventing attacks and enforcing security.

Traditional Firewall and how it works

A traditional firewall monitors incoming and outgoing network packets of a system and prevents unauthorized access depending on some pre-configured rules.
A traditional firewall filters traffic based on mainly the following parameters :
  • Source IP address and destination IP address of the network packets.
  • Source port and destination port of the inbound and outbound traffic.
  • Current stage of connection.
  • Filtering rules based on per process basis.
  • Protocols used.
  • Routing features.
So, though a traditional firewall is good in ensuring security, it is not sufficient. One has to rely on other security solutions like IPS, anti-malware products, content filtering packages etc to ensure proper security.
The disadvantage of using different network security techniologies separately is it increases administrative cost and degrades network performance. An NGFW combines multiple network security technologies to provide better security mechanism while taking care of most of the disadvantages of using seperate security solutions at a time.

Next Generation Firewalls

An NGFW typically includes :
  • Intrusion Prevention System
  • Malware protection
  • Filtering traffic per application basis.
  • QoS or Quality of Service to guarantee network throughput
  • VPN
  • SSL/SSH interception
An NGFW uses Deep Packet Inspection or DPI using which it can examine the data part of the network packets and search for protocol non-compliance, virus, spam, intrusions and other statistical information to filter the traffic and enforce security in a better way.
An NGFW can monitor and filter traffic per application basis instead of port basis, which enables it to troubleshoot network problems in a better way. It can also associate network traffic with specific user or group of users, which helps in enforcing better acceptable-use policies.
NGFW can intercept the encrypted SSL and SSH traffic to look for any malicious traffic concealed in the encrypted traffic. And, this enables it to detect advanced threats and attacks.
And, as NGFW integrates multiple security technologies in an efficient manner, it improves network performance over using different security technologies separately.

Advantages of Next Generation Firewalls

An NGFW has a number of advantages over traditional firewalls. Some of the most important ones are listed below :

Lower Administrative Cost

In an NGFW, all the above mentioned security technologies are installed and configured as a unit. As a result, it reduces administrative cost significantly.

Easier to identify threats

An NGFW monitors the network traffic and reports all the events through a single reporting system, which is much more convenient than using different security techniologies separately.

Inspection of SSL/SSH traffic

Malware can be concealed in an encrypted SSL/SSH communication. For example, botnets and Advanced Persistent Threats often create SSL tunnels and exchange communication with the attackers. But, traditional firewalls cannot decrypt SSL/SSH traffic. As a result, the attackers can take advantage of that to make attacks.
NGFW can decrypt and inspect SSL/SSH traffic using Deep Packet Inspection and filter network traffic based upon that.

Filtering based on application

Traditional firewalls can filter traffic based on port, but that may prove to be inconvenient at times.
NGFW can associate traffic based on application, which enables it to block or monitor network traffic per application and troubleshoot problems based on that.

Identifying network traffic by users

Traditional firewalls cannot associate network traffic to users easily. One has to laboriously look at the log files for that purpose.
But, as NGFW can easily associate network traffic to specific users, it helps in enforcing better acceptable use policies.
For example, in a company marketing and Human Resource group may need to access some social networking sites, but others need not. Using NGFW one can easily set proper acceptable-use policy for that purpose.
Similarly, a company may allow its employees to access some social networking sites to make posts or comments, but may not allow them to play games. Using NGFW the company can set required policies easily.

Improved Network Performance

Using different network security technologies separately often causes degradation of network performance. Administrators often need to respond to that by disabling monitoring of certain ports, disabling some firewall rules or limiting Deep Packet Inspection which compromise network securities.
But, as NGFW integrates multiple network technologies together efficiently, it improves network throughput without having to trade off security for performance.
So, be informed about various security technologies so that you can protect your systems in a better way. And, stay safe, stay protected.

BootStomp – Find Android Bootloader Vulnerabilities

BootStomp is a Python-based tool, with Docker support that helps you find two different classes of Android bootloader vulnerabilities and bugs. It looks for memory corruption and state storage vulnerabilities.

BootStomp - Find Bootloader Vulnerabilities

 

Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.

How does BootStomp find Android Bootloader Vulnerabilities?

BootStomp implements a multi-tag taint analysis resulting from a novel combination of static analyses and dynamic symbolic execution, designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution or its security features.

Using the tool the team found six previously-unknown vulnerabilities (of which five have been confirmed by the respective vendors), as well as rediscovered one that had been previously reported. Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks.

The vulnerabilities impact the Trusted Boot or Verified Boot mechanisms implemented by vendors to establish a Chain of Trust (CoT). The team using BootStomp discovered vulnerabilities in the bootloaders used by Huawei, Qualcomm, MediaTek, and NVIDIA.

The team analyzed bootloader implementations in many platforms, including Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Sony Xperia XA (MediaTek chipset), Nexus 9 (NVIDIA Tegra chipset), and two versions of the LK-based bootloader (Qualcomm).

 

How to use BootStomp

The easiest way to use BootStomp is to run it in a docker container. The folder docker contains an appropriate Dockerfile, these are the commands to use it:

 

You can download BootStomp here:

BootStomp-master.zip

Mr.SIP – SIP Attack And Audit Tool

Mr.SIP was developed in Python as a SIP Attack and audit tool which can emulate SIP-based attacks. Originally it was developed to be used in academic work to help developing novel SIP-based DDoS attacks and defence approaches and then as an idea to convert it to a fully functional SIP-based penetration testing tool, it has been redeveloped into the current version.

Mr.SIP - SIP Attack And Audit Tool

 

Mr.SIP – SIP Attack Features

Mr.SIP currently comprises of four sub-modules named SIP-NES, SIP-ENUM, SIP-DAS and SIP-ASP. Since it provides a modular structure to developers, more modules will continue to be added by the authors and it is open to being contributed to by the open-source developer community.

  • SIP-NES needs to enter the IP range or IP subnet information. It sends SIP OPTIONS message to each IP addresses in the subnet and according to the responses outputs the potential SIP clients and servers on that subnet.
  • SIP-ENUM outputs which SIP users are valid according to the responses in that network by sending REGISTER messages to each client IP addresses on the output of SIP-NES.
  • SIP-DAS (DoS Attack Simulator) is a module developed to simulate SIP-based DoS attacks. It comprises four components: spoofed IP address generator, SIP message generator, message sender and scenario player. It needs outputs of SIP-NES (Network Scanner) and SIP-ENUM (Enumerator) along with some pre-defined files.
  • SIP-DAS basically generates legitimate SIP INVITE message and sends it to the target SIP component via TCP or UDP. It has three different options for spoofed IP address generation, i.e., manual, random and by selecting spoofed IP address from subnet. IP addresses could be specified manually or generated randomly. Furthermore, in order to bypass URPF filtering, which is used to block IP addresses that do not belong to the subnet from passing onto the Internet, we designed a spoofed IP address generation module. Spoofed IP generation module calculated the subnet used and randomly generated spoofed IP addresses that appeared to come from within the subnet.

 

 

You can download Mr.SIP here:

Mr.SIP-master.zip

Or read more here.

Hackers are selling legitimate code-signing certificates to evade malware detection

Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims.

New research by Recorded Future’s Insikt Group found that hackers and malicious actors are obtaining legitimate certificates from issuing authorities in order to sign malicious code.

That’s contrary to the view that in most cases certificates are stolen from companies and developers and repurposed by hackers to make malware look more legitimate.

Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of integrity to the app that it hasn’t been tampered with in some way. Most modern operating systems, including Macs, only run code-signed apps by default.

But not only does code-signing have an affect on users who inadvertently install malware, code-signed apps are also harder to detect by network security appliances. The research said that hardware that uses deep packet inspection to scan for network traffic “become less effective when legitimate certificate traffic is initiated by a malicious implant.”

That’s been picked up by some hackers, who are selling code-signing certificates for as little as $299. Extended validation certificates which are meant to go through a rigorous vetting process can be sold for $1,599.

The certificates, the researchers say, were obtained by reputable certificate issuing authorities, like Comodo, and Symantec and Thawte — both of which are now owned by DigiCert.

Apple certificates were also available.

“In Apple’s world, you cannot execute a program which is not code-signed — there are plenty of ways around it though,” said Amit Serper, principal security researcher at Cybereason, and a specialist in Mac malware. “In order to get a program signed, you need to set up a developer account, pay Apple $99 and give them a reason to issue you a certificate. Since Apple’s goal is to make money and have more developers joining their developer program and generate revenue, getting a certificate is incredibly easy.”

“Many malware and adware for macs out there are signed with legitimate code signing certificates provided by Apple,” he said.

“We are confident that no help from insiders at these companies is being used,” he said.

According to the research, the hacker sold over 60 certificates in six months. But sales declined after malware writers opted for obfuscation techniques other than expensive code-signing certificates.

Hack whatsapp messages without access to phone

WhatsApp Tracker allows Hackers to Intercept and Read Your Encrypted Messages

This method is perhaps the most appealing of them all. In essence, it uses a “backdoor” flaw.

Some say it is a severe mistake, while others claim it is an additional feature.

Anyway, it allows to you to hack Whatsapp and to read, by intercepting the messages between users. Backdoor is used by Whatsapp, Telegram, and a few more apps.

First of all, we should explain the end-to-end encryption. It means that you, as a user will send an encrypted message to another person.

Only after it is received, it will be decrypted and readable. Whatsapp introduced this feature in 2012 and then became the most secure app of them all. Sadly, it looks like it isn’t so secure.

Whatsapp is owned by Facebook, and if we know that this giant allows to the central intelligence agencies to spy on their users, we can deduce that Whatsapp shares the same flaw.

That’s why the backdoor feature exists. Originally, it has been developed for central intelligence agencies, but at the same time, it is something that hackers can use.

Furthermore, Whatsapp end-to-end encryption works on “trust”. The company uses a secure server to process the messages, but according to the user agreement, they can change any of the rules at any given moment.

Basically, Whatsapp can choose to share your messages with others and you won’t know about it!

How this actually works?

The vulnerability relies on the way WhatsApp behaves when an end user’s encryption key changes.

Basically, we have a scenario between users A and a person B.

When a person A sends a few messages to the person B, the Whatsapp on that device will decrypt the messages and allow for the user to read them.

But, when a user B replaces the device, he will also be able to get and read those messages.

This is possible due to the fact Whatsapp choose to update and modify the private keys, needed for decryption at any given moment, without informing the user.

Now, you as a hacker will be user C. You will modify the private key of a user B and insert your own.

By doing so, you will directly be able to read messages of user A. Whatsapp spy app that can do it for you isn’t so complicated to use, after all.

Here we have another advantage of this method. Facebook, which owns Whatsapp didn’t solve this issue since 2016. It is obvious that it will stay available in the future as well.

All of this means that you, as a hacker will be able to exploit this method in the near future. Using Whatsapp tracker online and using this method will give impressive results.

Some believe that backdoor feature is used as a feature to eliminate the need for constant privacy key verification, which is annoying. Instead, Whatsapp will do it instead of you.

But, Signal private messenger, which uses the same technology is immune to this issue, simply due to the fact it requires physical verification.

If you are a decent hacker, you will be able to exploit this method or better said this drawback of the Whatsapp.

After all, it is introduced to allow for agencies to spy on users, which means that hackers, including yourself, can use it for the same reason.

Hack Whatsapp messages and read them whenever you want.

Perhaps all of this spends complicated, but the real procedure is more than just simple. In essence, you will have to:

  • Step 2: Install it on targeted device
  • Step 3: Login to your control panel on a PC. Done

As you can see, the entire process takes no more than 5 minutes of your time.

It is specifically developed to be simple enough for average users and those who don’t even fully understand smartphones and how they work.

The bottom line is yes, you will be able to use it without a problem.

Here it should be mentioned that there is no risk of being detected!

The app works by connecting to the operating system and literally becoming part of it.

As such, the app has all the access to the OS on your phone, obviously.

The app cannot be detected by antivirus, malware software or on any other way.

Hard reset of a device won’t delete the app as well. At the end, we can add Copy9 is the safest app to use.

The hack Whatsapp online feature

Besides the hack Whatsapp online feature, Copy9 offers plenty of additional features!

  • Besides the fact you will be able to read Whatsapp messages, the app allows you to read messages and monitor calls performed via other apps. All messenger apps are supported.

  • Tracking the GPS location is possible as well. The app will determine the exact location of a smartphone within a matter of seconds.

  • Monitoring internet activities is just another feature. Although Whatsapp tracker option is associated with the internet, the feature here is a bit different.

  • Basically, it allows for the user to block access to the web, limit it or check out what has been visited via the targeted device.

The full list of features is significantly long. In general, you will be able to hack Whatsapp chat history, monitor call, all messages, internet activity, GPS, detecting when a SIM card is changed and many other features.

Customer support is guaranteed and also more than just decent, which isn’t a case with apps of this kind!

The best part, you get a free trial, without a need to enter your credit card. If you don’t like it, after 48 hours simply delete the app and you are done.

However, most users who tried the free trial, have been using Copy9 ever since.

ADB.Miner worm is rapidly spreading across Android devices

A fresh threat to Android devices has managed to infect thousands of devices in days, researchers warn.

The malware has similar capabilities to worms and uses the ADB debug interface,  on port 5555, to spread.

It is usually the case that port 5555 is kept closed; however, the ADB debug tool used to conduct diagnostic tests sometimes may open this port — potentially by accident.

Once a device is infected, it will continue to scan the 5555 port to propagate further and find other devices with the same port open, such as Android-based smartphones, tablets, or television sets.

According to the Chinese security firm, smartphones and smart TV set-top boxes are among most of the devices currently infected, but the company has not disclosed which models or vendors.

While the earliest time of infection has been traced back to 31 January, in only 24 hours, the researchers estimate ADB.Miner has been able to spread to upwards of 5,000 devices, mainly in China and South Korea.

“Overall, we believe malicious code based on the Android system ADB debug interface is now actively spreading in worms and infected over 5,000 devices in 24 hours,” the team says. “Affected devices are actively trying to deliver malicious code.”

The malware contains mining software which specifically focuses on Monero (XMR). ADB.Miner connects to two different mining pools which both share the same wallet address but is yet to deposit proceeds from the fraudulent mining operations.

Cybercriminals are exploring ways to utilize cryptocurrency miners, in themselves not malicious, for fraudulent purposes. A recent report from Cisco Talos has suggested that cyberattackers are turning away from ransomware in favor of this silent, and harder to detect, kind of scheme.

Malware based on the Mirai botnet, dubbed Satori, has been recently spotted targeting Ethereum mining rigs. A tailored version of Satori, called Satori.Coin.Robber, scans for devices through port 3333.

If old versions of Claymore Miner software which have not been patched against the malware are detected, the malicious code replaces user wallet addresses with others controlled by the malware operators.

Phishing attacks: How hunting down fake websites is making life harder for hackers

A new approach to phishing URLs and scam emails is helping to reduce the window of opportunity for cyber-attackers — but the fight isn’t over yet.

 

  • Cybercriminals are finding it more to find it more difficult to maintain the malicious URLs and deceptive domains used for phishing attacks for more than a few hours, because action is being taken to remove them from the internet much more quickly.
  • That doesn’t mean that phishing — one of the most common means of performing cyber-attacks — is any less dangerous, but a faster approach to dealing with the issue is starting to hinder attacks.
  • Deceptive domain names look like those of authentic services, so that somebody who clicks on a malicious link may not realise they aren’t visiting the real website of the organisation being spoofed.
  • One of the most common agencies to be imitated by cyber-attackers around the world isthat of government tax collectors. The idea behind such attacks is that people will be tricked into believing they are owed money by emails claiming to be from the taxman.
  • However, no payment ever comes, and if a victim falls for such an attack, they’re only going to lose money when their bank details are stolen, and they can even have their personal information compromised.
  • In order to combat phishing and other forms of cyber-attack, the UK’s National Cyber Crime Centre — the internet security arm of GCHQ — launched what it called the Active Cyber Defence programme a year ago.

0-Day Flash Vulnerability Exploited In The Wild

So another 0-Day Flash Vulnerability is being exploited in the Wild, a previously unknown flaw which has been labelled CVE-2018-4878 and it affects 28.0.0.137 and earlier versions for both Windows and Mac (the desktop runtime) and for basically everything in the Chrome Flash Player (Windows, Mac, Linux and Chrome OS).

0-Day Flash Vulnerability Exploited In The Wild

 

The full Adobe Security Advisory can be found here:

– Security Advisory for Flash Player | APSA18-01

Adobe warned on Thursday that attackers are exploiting a previously unknown security hole in its Flash Player software to break into Microsoft Windows computers. Adobe said it plans to issue a fix for the flaw in the next few days, but now might be a good time to check your exposure to this still-ubiquitous program and harden your defenses.

Adobe said a critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could allow an attacker to take control of the affected system.

The software company warns that an exploit for the flaw is being used in the wild, and that so far the attacks leverage Microsoft Office documents with embedded malicious Flash content. Adobe said it plans to address this vulnerability in a release planned for the week of February 5.

According to Adobe’s advisory, beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing Flash content. A guide on how to do that is here (PDF). Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.

 

The wild usage of the exploit seems to be in the Korean context with North Korean hackers using it against South Korean targets and apparently they have been using it since November 2017.

It’s a fairly complex attack chain so I’m surprised if it’s a very reliable exploit as it targets Flash content embedded in Microsoft Office documents.

Hopefully, most readers here have taken my longstanding advice to disable or at least hobble Flash, a buggy and insecure component that nonetheless ships by default with Google Chrome and Internet Explorer. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.

Another, perhaps less elegant, alternative to wholesale kicking Flash to the curb is to keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.

Most browsers of the current generation have either no Flash support at all, or make it “ask-first” when Flash content attempts to display. I would hazard a guess that this is why the attackers chose to target Flash embedded in Microsoft Office documents as it’s such ubiquitous software and not so regularly updated or patched by individuals or organsations.

It’s not the first Flash zero-day and it won’t be the last, we’ve reported on a few before, I think the impact should get less and less as more sites phase out Flash and move to native HTML5.