
19-Year-Old TLS Vulnerability Weakens Modern Website Crypto

A vulnerability called ROBOT, first identified in 1998, has resurfaced. Leading websites ranging from Facebook to Paypal are affected: an attacker could decrypt encrypted data and sign communications using the sites’ own private RSA key.

The vulnerability is found in the transport layer security protocol used for Web encryption. A successful attack could allow an attacker to passively record traffic and later decrypt it or open the door for a man-in-the-middle attack, according to researchers.

ROBOT, which stands for Return Of Bleichenbacher’s Oracle Threat, was named after Daniel Bleichenbacher, the researcher who originally discovered it almost two decades ago. The version of ROBOT discovered recently was through Facebook’s bug bounty program, which paid an undisclosed reward to researchers Hanno Böck, Juraj Somorovsky and Craig Young who published their findings Tuesday.

The vulnerability is tied to the TLS protocol and a flaw in the algorithm that handles RSA encryption keys. The attack involves using specially crafted queries designed to generate errors on TLS servers that use RSA encryption to protect communications between a user’s browser and a website.

The attack involves sending crafted queries that yield “yes” or “no” answers in a type of brute-force guessing attack. Over time this technique, called an adaptive chosen-ciphertext attack, can force the TLS server to reveal the session key, which lets an attacker decrypt the HTTPS traffic exchanged between the TLS server and the user’s browser.

This is the same technique used to exploit the vulnerability Bleichenbacher found in 1998.

“In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption,” researchers wrote. “We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.”

The original fix for Bleichenbacher’s attack did not replace the insecure RSA encryption mode; instead, the TLS standard was modified with countermeasures intended to make the brute-force guessing exponentially harder.

“After Bleichenbacher’s original attack the designers of TLS decided that the best course of action was to keep the vulnerable encryption modes and add countermeasures. Later research showed that these countermeasures were incomplete leading the TLS designers to add more complicated countermeasures,” researchers wrote. “The section on Bleichenbacher countermeasures in the latest TLS 1.2 standard (7.4.7.1) is incredibly complex. It is not surprising that these workarounds aren’t implemented correctly.”
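To make the countermeasure concrete, here is an added illustration (not code from the ROBOT researchers or from any TLS library) of why a server turns into a padding oracle and what the TLS 1.2 section 7.4.7.1 style fix changes. The PKCS #1 v1.5 unpadding is real, but the RSA step is stood in for by a constructed, already-decrypted block: `make_block` builds that stand-in, `vulnerable_server_unwrap` answers differently for bad padding and bad version, and `hardened_server_unwrap` substitutes a fresh random premaster secret so that every failure looks the same to the peer. Function names and the alert strings are this example’s own.

```python
import os

PREMASTER_LEN = 48  # TLS RSA premaster secret: 2 version bytes + 46 random bytes


def pkcs1_v15_unpad(em: bytes):
    """Strict PKCS #1 v1.5 type-2 unpadding of a decrypted RSA block.

    Layout: 0x00 || 0x02 || at least 8 non-zero padding bytes || 0x00 || message.
    Returns the message, or None when the block is malformed.
    """
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)   # first zero byte after the 0x02 tag
    if sep < 10:                # -1 (not found) or fewer than 8 padding bytes
        return None
    return em[sep + 1:]


def make_block(pms: bytes, key_len: int = 128, pad_byte: int = 0x01) -> bytes:
    """Constructed stand-in for the output of RSA decryption (test data only):
    a well-formed type-2 block wrapping the given premaster secret."""
    pad = bytes([pad_byte]) * (key_len - 3 - len(pms))
    return b"\x00\x02" + pad + b"\x00" + pms


def vulnerable_server_unwrap(em: bytes, client_version: bytes):
    """Leaky handling: the outcome tells the sender whether padding was valid.

    This is the behaviour Bleichenbacher's attack needs: each query yields a
    "padding good" / "padding bad" answer.
    """
    pms = pkcs1_v15_unpad(em)
    if pms is None:
        return ("alert", "decrypt_error")        # padding failed (distinguishable)
    if len(pms) != PREMASTER_LEN or pms[:2] != client_version:
        return ("alert", "version_mismatch")     # padding passed (distinguishable)
    return ("ok", pms)


def hardened_server_unwrap(em: bytes, client_version: bytes, rng=os.urandom):
    """Countermeasure in the style of TLS 1.2 section 7.4.7.1.

    Whatever goes wrong, the server continues the handshake with a freshly
    generated premaster secret (client version || 46 random bytes), so the peer
    observes the same outcome (a later MAC failure) for bad padding, bad length
    and bad version alike. The random value is drawn before unpadding so the
    failure path does no extra work. Python gives no real timing guarantees;
    this shows the logic, not a constant-time implementation.
    """
    fallback = client_version + rng(PREMASTER_LEN - 2)
    pms = pkcs1_v15_unpad(em)
    if pms is None or len(pms) != PREMASTER_LEN or pms[:2] != client_version:
        pms = fallback
    return ("ok", pms)


def outcome_leaks(handler, em_good: bytes, em_bad: bytes, client_version: bytes) -> bool:
    """True when the observable handshake outcome differs between a well-formed
    and a malformed block, i.e. when the server behaves as a padding oracle."""
    return handler(em_good, client_version)[0] != handler(em_bad, client_version)[0]


if __name__ == "__main__":
    cv = b"\x03\x03"
    good = make_block(cv + b"\x11" * 46)
    bad = b"\x00\x01" + good[2:]   # wrong block type byte
    print("vulnerable leaks:", outcome_leaks(vulnerable_server_unwrap, good, bad, cv))
    print("hardened leaks:  ", outcome_leaks(hardened_server_unwrap, good, bad, cv))
```

The point of `outcome_leaks` is the check a reviewer wants: the hardened handler returns `("ok", …)` for both inputs, so nothing in the visible handshake distinguishes a malformed ciphertext from a valid one. Real implementations must also keep the timing of the two paths equal; the ROBOT paper’s finding was that many vendors got exactly this substitution wrong in practice.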

Since the original patch, variations of the vulnerability have surfaced. In March 2016, a related TLS vulnerability called DROWN exposed 33 percent of HTTPS connections to attack.

What the researchers revealed on Tuesday is that a number of vendors failed to properly implement the countermeasures that are supposed to protect against Bleichenbacher-style attacks.

“We have identified vulnerable implementations from at least seven vendors including F5, Citrix, and Cisco,” researchers wrote. “Some of the most popular webpages on the Internet were affected, including Facebook and Paypal. In total, we found vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa.”

The United States Computer Emergency Readiness Team issued a security bulletin on the vulnerability Tuesday that lists eight affected vendors.

On Tuesday, Cisco issued an advisory for the vulnerability, which it rated as medium severity. It said multiple Cisco products are affected, such as the Cisco ACE 4710 Application Control Engine Appliance and the Cisco ACE30 Application Control Engine Module.

Facebook and Paypal each issued patches in October.

The researchers offer a number of stopgap mitigations in their paper, along with a testing tool for public HTTPS servers and a Python tool to test for the vulnerability.

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

New Spider Ransomware Comes With 96-Hour Deadline

A new ransomware strain called Spider is targeting victims located in the Balkans in what is called a “mid-scale” campaign.

The Spider ransomware is unusual in that victims are given a 96-hour deadline to pay. The attackers also attempt to calm victims, assuring them that the ransom payment and file recovery process will be “really easy.” They go one step further and provide a link to a video tutorial on how the Spider payment and file recovery process works.

The campaign was first spotted on Dec. 10 by Netskope Threat Research Labs, which shared its findings in a blog post Tuesday.

Victims are targeted with malicious Office documents sent as attachments in an email phishing campaign whose subject line reads “Debt Collection”, a Google Translate rendering of the Bosnian-language phrase “Potrazivanje dugovanja”.

“These attachments are auto-synced to the enterprise cloud storage and collaborations apps. Netskope Threat Protection detects the decoy document as ‘VB:Trojan.VBA.Agent.QP’ and the downloaded payload as ‘Trojan.GenericKD.12668779’ and ‘Trojan.GenericKD.6290916,’” wrote Netskope researchers.

The malicious Office documents are written in Bosnian and contain obfuscated code, according to the researchers. If the malicious code is executed, Windows PowerShell launches with instructions to download a Base64-encoded malicious payload hosted on YourJavaScript.com, a free hosting site.

“After downloading the payloads, the PowerShell script decodes the Base64 string and performs XOR operation with the key ‘AlberTI’ to decode the final payloads, which is later saved into executable (.exe) files,” researchers wrote. “The decoded payloads named ‘dec.exe’ and ‘enc.exe’ compiled in .NET are copied to the ‘%APPDATA%/Spider’ directory.”

According to Netskope, the binary “enc.exe” is the ransomware encryptor and “dec.exe” is the decryptor. The encryptor encrypts the user’s files with AES and appends the “.spider” extension to encrypted files.
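For an analyst who has captured the hosted text rather than the running dropper, the decoding stage described above (Base64, then XOR) is easy to replay offline to recover the dropped binaries for hashing and detonation. The snippet below is an added example, not Netskope’s tooling or the malware’s script; it assumes the XOR is applied with the key ‘AlberTI’ repeated across the data (the write-up does not state the key schedule), and the payload it decodes is a constructed stand-in, not the real Spider binary.

```python
import base64
import hashlib
from itertools import cycle

XOR_KEY = b"AlberTI"   # key quoted in the Netskope write-up; repeating use is assumed here


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_spider_stage(b64_text: str, key: bytes = XOR_KEY) -> dict:
    """Replay the dropper's decoding (Base64 first, then XOR) on captured text.

    Returns the decoded bytes plus two quick triage facts: whether the result
    starts with the 'MZ' DOS header expected of a PE executable, and its
    SHA-256 for matching against vendor-published indicators.
    """
    raw = base64.b64decode("".join(b64_text.split()))   # tolerate wrapped lines
    blob = xor_with_key(raw, key)
    return {
        "bytes": blob,
        "is_pe": blob[:2] == b"MZ",
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def build_constructed_blob(payload: bytes, key: bytes = XOR_KEY) -> str:
    """Produce a stand-in for the hosted text by applying the inverse order
    (XOR, then Base64). The payload is made up; it is not the real malware."""
    return base64.b64encode(xor_with_key(payload, key)).decode("ascii")


if __name__ == "__main__":
    sample = build_constructed_blob(b"MZ" + b"constructed stand-in, not an executable")
    result = decode_spider_stage(sample)
    print("PE header present:", result["is_pe"])
    print("sha256:", result["sha256"])
```

The `is_pe` flag is the sanity check worth keeping: if the decoded bytes do not start with `MZ`, the key or the decode order is wrong and the hash is meaningless. Wrapped or whitespace-padded text is joined before decoding because hosted blobs are frequently line-broken.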

Once files are encrypted, the ransom note is displayed, warning that the victim has only 96 hours to pay the ransom in bitcoin to obtain the key to decrypt their files. “You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted… do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC,” according to the note.

The attackers also walk victims through the payment process, from how to use the Tor Browser to how to obtain bitcoin for payment. If victims are still confused, the ransomware provides a link to a tutorial video hosted on a video sharing service.

“The video provides instructions to decrypt victims’ files. We suspect that the video was most likely uploaded by the threat actor group of Spider,” researchers wrote.

Netskope’s Amit Malik, author of the post, said that to avoid Spider and other ransomware attacks, users should disable macros by default and not execute unsigned macros from untrusted sources. “We continue to see an increase of decoy Office documents as an attack vector in spreading ransomware like GlobeImposter tied to several active and ongoing campaigns,” he said.

Source: ThreatPost

Leftover Debugger Doubles as a Keylogger on Hundreds of HP Laptop Models

HP Inc. has released a software update to fix a vulnerability that allows attackers to turn debugging code, accidentally left on hundreds of laptop models, into a keylogger.

Researcher Michael Myng is credited with discovering the vulnerability, which is tied to a Synaptics touchpad driver. He said in a technical write-up outlining the discovery that the debugging feature is disabled by default, but a user with administrative privileges could change Windows registry values to enable the keylogging functionality.

HP confirmed the flaw and released an update that removes the offending code, identified as a Windows software trace preprocessor (WPP) debugger. HP said more than 460 laptop models are affected, including models in its EliteBook, HP Pavilion and ZBook lines.

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability,” HP stated in a security bulletin. HP said neither Synaptics nor HP accessed customer data as a result of this issue.

Myng said that the debugging code that could be turned into a keylogger is present in the Synaptics Touchpad SynTP.sys file.

“The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required),” Myng wrote.

WPP tracing is a technique developers use to debug code. By changing a value in the Windows registry, Myng was able to enable the keylogging feature so that user keystrokes were stored locally.

“Sometime ago someone asked me if I can figure out how to control HP’s laptop keyboard backlit. I asked for the keyboard driver SynTP.sys, opened it in IDA and after some browsing noticed a few interesting strings,” Myng said of his discovery.

The software update is available from HP and will also be pushed via Windows Update, according to the researcher.

In May, it was discovered that an audio driver that came installed on some HP-manufactured computers recorded users’ keystrokes and stored them in a world-readable plaintext file. The culprit was version 1.0.0.31 of MicTray64.exe, a program that comes installed with the Conexant audio driver package on select HP machines.

Source: ThreatPost

Ursnif Trojan Adopts New Code Injection Technique

Hackers are testing a new variant of the Ursnif Trojan, aimed at Australian bank customers, that uses novel code injection techniques.

IBM X-Force researchers report that since the summer of 2017, Ursnif (or Gozi) samples have been tested in the wild by a new malware developer. The samples are a noteworthy upgrade over previous versions.

“This finding is significant because it suggests that a new group has joined the cybercrime arena and is specifically operating in Australia, where malware gangs such as TrickBot and Dridex already have a firm foothold,” wrote Limor Kessem, executive security adviser with IBM Security in a technical analysis of the Ursnif Trojan sample.

Most notable in this variant are modifications to the code injection techniques and attack strategies, Kessem said.

“In a redirection attack, the victim is diverted to a fake website hosted on an attacker-controlled server. The malware maintains a live connection with the bank’s legitimate webpage to ensure that its genuine URL and digital certificate appear in the victim’s address bar. At that point, the malicious actors can use web injections to steal login credentials, authentication codes and other personally identifiable information without tripping the bank’s fraud detection mechanisms,” she wrote.

Separately, researchers at FireEye noted in research posted last week that they have also been tracking the same new Ursnif variant.

FireEye also noted the variant’s novel use of a malicious Thread Local Storage (TLS) callback technique to achieve process injection.

“We recently came across a Ursnif/Gozi-ISFB sample that manipulated TLS callbacks while injecting to child process. Though many of the malware binaries (or their packers) use some variation of GetThreadContext/SetThreadContext or CreateRemoteThread Windows API functions to change the entry point of the remote process during injection, this sample (and the related cluster) is using a relatively lesser-known stealth technique,” wrote Abhay Vaish and Sandor Nemes with FireEye’s Threat Research team.

For years, Ursnif has targeted Japan along with North America, Europe and Australia. Ursnif is a widespread threat that was first discovered in 2007. Its original targets were online banking wire systems in English-speaking countries. That changed in 2010, when the Trojan’s source code was accidentally leaked, which led to the development of Ursnif v2, which adopted web-injection techniques and also leverages a hidden virtual network computing (VNC) feature.

In its recent campaigns targeting Australian bank customers, Ursnif has been using malspam to reach its victims. That has included emails with fake supply orders that lure recipients into following links to electronically sign and review documents.

“After clicking on the “REVIEW DOCUMENT” button, the malware downloads a ZIP file named YourMYOBSupply_Order.zip,” FireEye describes. “The ZIP file contains a malicious JavaScript file that, when executed, will download and execute the Ursnif/Gozi-ISFB payload.”

Both FireEye and X-Force said that this latest sample indicates a more sophisticated malware author has improved the Ursnif v3 code to be stealthier and to evade signature-based malware detection.

From 2016 through 2017, X-Force said, Ursnif (or Gozi) has been a top player in terms of code evolution and attack volume.

In October, attackers behind Ursnif made Japan one of their top targets. In those campaigns, authors behind Ursnif didn’t just target banks, but also credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.

Source: ThreatPost

RAT Distributed Via Google Drive Targets East Asia

Researchers say they are tracking a new remote access Trojan dubbed UBoatRAT that targets individuals or organizations linked to South Korea or the video game industry.

While the targets aren’t entirely clear, researchers at Palo Alto Networks Unit 42 said UBoatRAT is evolving and new variants are growing more sophisticated. Recent samples found in September have adopted new evasion techniques and novel ways to maintain persistence on PCs.

“We don’t know the exact targets at the time of this writing. However, we theorize the targets are personnel or organizations related to Korea or the video games industry,” wrote Kaoru Hayashi, cyber threat intelligence analyst at Palo Alto Networks in a technical write-up of Unit 42’s research published this week. “We see Korean-language game titles, Korea-based game company names and some words used in the video games business on the list.”

UBoatRAT was first identified by Unit 42 in May 2017. At the time, UBoatRAT utilized a simple HTTP backdoor and connected to a command-and-control server via a public blog service in Hong Kong and a compromised web server in Japan. By September, the RAT evolved to adopt Google Drive as a distribution hub for malware and uses URLs that connect to GitHub repositories that act as a C2. UBoatRAT also leverages Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence on targeted systems.

BITS is a Microsoft service for transferring files between machines, best known for its use by Windows Update and by third-party software for application updates. The service has a long history of abuse by attackers dating back to 2007, and it remains attractive to them because the Windows component can retrieve or upload files using an application that host firewalls trust. Last year, researchers identified hackers who used a BITS “notification” feature to deliver malware and maintain persistence.

With UBoatRAT, adversaries are using the BITS binary Bitsadmin.exe as a command-line tool to create and monitor BITS jobs, researchers said. “The tool provides the option, /SetNotifyCmdLine which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot,” they said.

According to researchers, UBoatRAT is being delivered to targets via URLs that link to executable files or Zip archives hosted on Google Drive. “The zip archive hosted on Google Drive contains the malicious executable file disguised as a folder or a Microsoft Excel spreadsheet. The latest variants of the UBoatRAT released in late July or later masquerade as Microsoft Word document files,” researchers said.

If the files are executed, UBoatRAT attempts to determine whether the targeted system is part of a larger corporate network or a home PC by checking whether the machine is joined to an Active Directory domain, typical of business PCs. The malware is also programmed to detect virtualization software (VMware, VirtualBox or QEMU) that would indicate an analysis environment.

If ideal host conditions aren’t met, various fake Windows system error messages are displayed and the UBoatRAT executable quits.

Communication with the command-and-control server relies on a hidden C2 address, researchers said.

“The attacker behind the UBoatRAT hides the C2 address and the destination port in a file hosted on Github… After establishing a covert channel with C2, the threat waits following backdoor commands from the attacker,” researchers wrote.

Some commands include “Checks if whether the RAT is alive”, “Starts CMD shell” and “Uploads file to compromised machine”.

The malware gets its name from the way it decodes the characters in the GitHub URL.

“The malware accesses the URL and decodes the characters between the string ‘[Rudeltaktik]’ and character ‘!’ using BASE64. ‘Rudeltaktik’ is the German military term which describes the strategy of the submarine warfare during World War II,” researchers said.
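The marker-delimited encoding described above is simple enough that a defender can extract the C2 indicator from a fetched copy of the repository file without running the sample. The following is an added example, not Unit 42’s code or the malware’s routine: it assumes the decoded string has a host:port layout (the write-up only says both are hidden in the file), and `build_constructed_page` makes up a stand-in document with a documentation-range address, not the actor’s real content.

```python
import base64
import re

START_MARK = "[Rudeltaktik]"   # opening marker named in the Unit 42 analysis
END_MARK = "!"                 # closing character named in the Unit 42 analysis


def extract_c2_from_text(text: str):
    """Pull every marker-delimited Base64 blob out of fetched page text and
    decode it. Returns a list of (host, port) tuples; the host:port layout of
    the decoded string is an assumption made for this example."""
    pattern = re.escape(START_MARK) + r"(.*?)" + re.escape(END_MARK)
    found = []
    for match in re.finditer(pattern, text, re.S):
        encoded = "".join(match.group(1).split())   # drop wrapped-line whitespace
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue   # a stray marker, not a usable blob
        host, sep, port = decoded.rpartition(":")
        if sep and host and port.isdigit():
            found.append((host, int(port)))
    return found


def build_constructed_page(host: str, port: int) -> str:
    """Constructed stand-in for the repository file; not the actor's content."""
    blob = base64.b64encode(f"{host}:{port}".encode("ascii")).decode("ascii")
    return f"# project notes\n{START_MARK}{blob}{END_MARK}\nunrelated text\n"


if __name__ == "__main__":
    page = build_constructed_page("203.0.113.10", 443)   # TEST-NET-3 address
    print(extract_c2_from_text(page))
```

The decoded host and port are what goes into a blocklist or a proxy alert; the `validate=True` decode and the digit check on the port keep a stray “!” elsewhere in the file from producing a bogus indicator.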

Since June, the GitHub “uuu” repository the C2 links to has been deleted and replaced by “uj”, “hhh” and “enm”, according to researcher Hayashi. The GitHub user name behind the repository is “elsa999”.

“Though the latest version of UBoatRAT was released in September, we have seen multiple updates in elsa999 accounts on GitHub in October. The author seems to be vigorously developing or testing the threat. We will continue to monitor this activity for updates,” Hayashi said.

Source: ThreatPost