Showing posts with label Threatpost.

Tuesday, February 6, 2018

NEW MONERO CRYPTO MINING BOTNET LEVERAGES ANDROID DEBUGGING TOOL

A new botnet that distributes malware for mining Monero cryptocurrency has emerged, infecting Android devices through a port linked with a debugging tool for the OS, according to researchers at Qihoo 360 Netlab.
Dubbed ADB.Miner by 360 Netlab, the botnet is gaining entry to Android devices–mostly smartphones and TV boxes–through port 5555, which is associated with Android Debug Bridge, a command-line tool that is used for debugging, installing apps and other purposes.
ADB typically communicates with devices via USB, but it is also possible for it to use Wi-Fi with some setup, according to Android documentation. The botnet propagates itself in “worm”-like fashion, looking for open 5555 ports on other devices, most of which are Android-based, 360 Netlab researcher Hui Wang said in a blog post.
Notably, it uses some port scanning code from the Mirai botnet, which is the first time Mirai code has been used to target Android devices, he claimed. Mirai, which emerged in August 2016, has historically been used to attack Linux devices.
Most of the Android devices being targeted by ADB.Miner are located in China and South Korea, but 360 Netlab is not identifying any of them at this time.
“Overall, we think there is a new and active worm targeting android system’s adb debug interface spreading, and this worm has probably infected more than 5,000 devices in just 24 hours,” Wang wrote. In fact, 5555 port scanning traffic has hit the top 10, according to 360 Netlab’s own scanning data.
The botnet is distributing malicious code that is mining Monero coins, but as of yet none have been paid out, according to Wang.
Cybercriminals have been increasingly turning to cryptocurrency mining via botnets, with Monero a favored target. Those behind the massive Smominru botnet have generated as much as $3.6 million since May through an army of more than 500,000 infected machines, according to Proofpoint.
Crypto mining botnets have clear advantages over other types of attacks, such as ransomware, since they don’t necessarily require social engineering and by their nature are meant to operate stealthily, stealing nothing from victims but CPU cycles. In fact, crypto miners may be the “new payload of choice” for cybercriminals, researchers at Cisco Talos said recently.
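The worm behaviour described above (one infected device fanning out to TCP/5555 on many other hosts) is visible in network flow data. The following is an added example, not code from 360 Netlab or the article: it flags sources whose distinct-destination count on port 5555 spikes inside a short window, and lists hosts that actually completed a handshake on 5555 (ADB reachable over the network). The flow record format and all sample records are constructed.

```python
"""Detect worm-like ADB scanning: one source fanning out to TCP/5555 on many
distinct hosts in a short window, and hosts that answer on 5555 (exposed ADB).
Flow format and records are constructed for this example."""
from collections import defaultdict

ADB_PORT = 5555

# Constructed flow records: "<epoch> <src_ip> <dst_ip> <dst_port> <flags>"
# flags: S = SYN only (no answer), SA = handshake completed
SAMPLE_FLOWS = """\
1517900000 10.0.0.7 10.0.0.21 5555 S
1517900001 10.0.0.7 10.0.0.22 5555 S
1517900001 10.0.0.7 10.0.0.23 5555 S
1517900002 10.0.0.7 10.0.0.24 5555 S
1517900002 10.0.0.7 10.0.0.25 5555 SA
1517900003 10.0.0.7 10.0.0.26 5555 S
1517900004 10.0.0.7 10.0.0.27 5555 S
1517900005 10.0.0.7 10.0.0.28 5555 S
1517900006 10.0.0.7 10.0.0.29 5555 S
1517900007 10.0.0.7 10.0.0.30 5555 S
1517900008 10.0.0.9 10.0.0.30 5555 SA
1517900009 10.0.0.9 10.0.0.30 5555 SA
1517900010 10.0.0.12 10.0.0.40 443 SA
1517900011 10.0.0.9 10.0.0.31 5555 S
"""


def parse_flows(text):
    """Turn the constructed text format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "flags": flags})
    return flows


def find_adb_scanners(flows, window_s=60, min_targets=8):
    """Return {src_ip: peak distinct 5555 targets} for sources whose
    distinct-destination count inside any window_s reaches min_targets."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == ADB_PORT:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> occurrences inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward so the window stays window_s wide
            while events[left][0] < ts - window_s:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def exposed_adb_hosts(flows):
    """Hosts that completed a handshake on 5555: ADB reachable over the network."""
    return sorted({f["dst"] for f in flows
                   if f["dport"] == ADB_PORT and f["flags"] == "SA"})
```

Run `find_adb_scanners(parse_flows(SAMPLE_FLOWS))` to see 10.0.0.7 flagged with ten targets while 10.0.0.9, which only retried one exposed host, is not.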

CISCO ISSUES NEW PATCHES FOR CRITICAL FIREWALL SOFTWARE VULNERABILITY



Cisco has released new patches for a critical vulnerability in its Adaptive Security Appliance software after further investigation revealed additional attack vectors.
The company first announced the vulnerability, CVE-2018-0101, on Jan. 29. It received a Common Vulnerability Scoring System base score of 10.0, the highest possible, and was initially discovered by Cedric Halbronn from NCC Group.
“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” said Omar Santos, principal engineer with Cisco’s product security incident response team, in a blog post. Cisco also found additional denial of service conditions. A “new comprehensive fix” is now available, Santos said.
The vulnerability is linked to ASA’s XML parser. An attacker could exploit it by crafting a malicious XML file and sending it through a vulnerable interface, whereupon they could “execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests,” Cisco said in its security advisory. Secure Sockets Layer (SSL) services or IKEv2 Remote Access VPN services must be enabled on an interface for the vulnerability to be exploited.
There are no known incidents of the vulnerability being exploited, but Cisco is urging customers to apply the updated patches. It now affects 15 products that run ASA software, including a wide range of Firepower Security Appliance versions, ASA 5500-X Series Next-Generation Firewalls and ASA 5500 Series Adaptive Security Appliances.
Cisco has come under fire for its handling of the situation. Sysadmin Colin Edwards, who blogs frequently on network and security issues, said far too much time had passed–80 days, by his measure–between when Cisco released its first patches for the vulnerability and when it published the security advisory.
“I can understand some of the challenges that Cisco and their peers are up against,” Edwards wrote. “[But] eighty days is a long time, and it’s a particularly long time for a vulnerability with a CVSS Score of 10 that affects devices that are usually directly connected to the Internet.”
“Yes, customers need to take responsibility for installing patches in a timely manner,” he added. “However, customers also need to have access to adequate information so that they can appropriately prioritize among myriad workloads.” The Jan. 29 advisory provided information that was “critical for customers to have at their disposal,” Edwards wrote.
Cisco published its security advisory immediately after finding out there was public knowledge of the vulnerability, which falls in line with its disclosure policy, Santos wrote: “Cisco recognizes the technology vendor’s role in protecting customers, and we won’t shy away from our responsibility to constantly be transparent with up-to-date information.”

Saturday, February 3, 2018

CRYPTO MINERS MAY BE THE ‘NEW PAYLOAD OF CHOICE’ FOR ATTACKERS

By Christopher Kanaracus on 01/02/2018 at the Threatpost site.


Ransomware has been a favorite and time-tested tool for cybercriminals, but the rise of cryptocurrency has given them a broad new target with key strategic advantages, leading to a sharp uptick in crypto mining botnets, researchers at Cisco Talos say.
Attackers “are beginning to recognize that they can realize all the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks,” Talos researchers write in a new report.
One prominent example of a cryptocurrency mining botnet is Smominru, which has made as much as $3.6 million since May mining Monero, researchers at Proofpoint say.
Monero has emerged as a favorite among mining botnet creators, and an average-sized system comprised of about 2,000 victims could mine about $200,000 worth of Monero per year, according to Talos’s report.
Mining cryptocurrency of any type is a compute-intensive process, which makes stealing CPU cycles from other machines, rather than making a large upfront investment in infrastructure and an ongoing one in electricity, a tempting prospect for criminals.
These botnets typically use pool-based mining, which pulls together the computing resources of all the infected systems. “This is similar to launching DDoS attacks, where 100,000 machines flooding a target with bogus traffic becomes much more effective compared to a single system under the attacker’s control,” Talos says.
But in sharp contrast to DDoS attacks, the goal of a successful crypto botnet is to remain undetected, allowing it to run for months or even years, generating cash for its owners all the while.
To that end, attackers are learning and adapting as time goes on, specifying parameters aimed at hiding the botnet malware on infected systems. For example, limits can be put on CPU usage and system temperature. “If the mining software is executed without these options, victims might notice significant performance degradation on their systems,” Talos’s researchers write.
Mining software is typically distributed via spam emails that contain attachments such as malicious Word documents. Talos found an example from late 2017 that used a job application spoof.
Attackers are also using exploits to take advantage of vulnerabilities. One high-profile example came in December when hackers exploited vulnerabilities in Oracle WebLogic and PeopleSoft systems to install Monero miners, generating more than $200,000 before being discovered.
Another reason mining botnets are coming into favor is that they’re the “polar opposite” of ransomware from a management perspective, since once systems are infected there is no command-and-control activity involved, Talos adds.
None of this is to say that ransomware is going away, as it will remain effective for more targeted attacks, “but as a payload to compromise random victims, its reach definitely has limits,” they wrote. “Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money and crypto mining is an effective way to generate revenue.”

Friday, September 22, 2017

MALWARE STEALS DATA FROM AIR-GAPPED NETWORK VIA SECURITY CAMERAS


Proof-of-concept malware called aIR-Jumper can be used to defeat air-gapped network protections and send data in and out of a targeted network. The technique uses security cameras and infrared LEDs that blink back and forth to one another, transmitting data that has been encoded as a stream of ones and zeros.
The attack was devised by researchers Mordechai Guri, Dima Bykhovsky, and Yuval Elovici at Ben-Gurion University, who published their findings earlier this week (PDF).
“Attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers,” researchers wrote.
The big caveats to the attack are that the targeted air-gapped network must already be infected with the aIR-Jumper malware and must be linked to surveillance cameras visible to external attackers. Under those conditions, the malware can target a camera’s application programming interface (API) to either modulate the infrared LEDs to send data or interpret external blinking infrared LEDs as commands.
“The IR LEDs in surveillance cameras can be controlled by the appropriate API provided by its firmware. In the most basic way, the state of the IR LEDs can be adjusted from within the camera’s Web interface… The user can set the night vision to manual/automatic mode, in order to turn the IR LEDs on and off and set the level of the IR illumination,” wrote researchers.
Under one scenario, the aIR-Jumper malware can be pre-programmed to find sensitive data within the air-gapped network. That data can then be exfiltrated via the security camera’s infrared light, which is used for night vision and is invisible to the naked eye.
In a video demonstration of the attack, an attacker has line of sight to the video camera’s blinking IR LED. The blinking light represents data that has been converted into ones and zeros. The attacker records the blinking and later plays the recording back to decode the flashes as ones and zeros and then back into readable files.
“Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away,” researchers said.
Using a similar technique, where an attacker uses a remote blinking IR LED light that can be seen by the security camera, data can be covertly infiltrated into an organization at a rate of more than 100 bit/sec per surveillance camera from up to a mile away. “These signals are then received by the surveillance camera and intercepted by malware within the network,” wrote researchers.
Using this technique, researchers said, sensitive data such as PIN codes, passwords, encryption keys, and keylogging data can be modulated, encoded, and transmitted over IR signals out of the air-gapped network.
In another infiltration scenario, information delivered from a remote attacker to the organization’s internal networks might consist of C&C messages for the aIR-Jumper malware residing in the network, according to researchers.
The researchers behind this report have focused on attacking air-gapped systems over the years using techniques that range from optical (xLED) and electromagnetic (AirHopper) to thermal (BitWhisper) and acoustic (Fansmitter).
“Technological countermeasures may include the detection of the presence of malware that controls the camera’s IR LEDs or monitors the camera’s input,” researchers wrote. “Similarly, detection can be done at the network level, by monitoring the network traffic from hosts in the network to the surveillance cameras.”

Tuesday, September 12, 2017

ANDROID USERS VULNERABLE TO ‘HIGH-SEVERITY’ OVERLAY ATTACKS



Security researchers warned of a high-severity Android flaw on Thursday that stems from what they call a “toast attack” overlay vulnerability. Researchers say criminals could use Android’s toast notification, a feature that provides simple feedback about an operation in a small pop-up, in an attack scenario to obtain admin rights on targeted phones and take complete control of them.

Affected are all versions of the Android operating system prior to Android 8.0, Oreo, released just last month.

Leveraging the toast vulnerability could allow attackers to facilitate what are known as “overlay” attacks on Android phones. Overlay attacks aren’t necessarily new. They all share the same goal of allowing attackers to create a UI overlay to be displayed on top of legitimate Android applications. The overlay then tricks users into clicking confirmation buttons or entering credentials into a fake window that will grab and forward them to a remote attacker.

“This type of (toast) attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a ‘brick’) or to install any kind of malware including (but not limited to) ransomware or information stealers,” wrote Christopher Budd, senior threat communications manager, for Unit 42 in a technical overview posted Thursday.

Android toast messages are short-lived pop-up notifications that appear on a phone’s screen. Google describes them as “a (notification) message you display to the user outside of your app’s normal UI.” For example, clicking “Send” on an email triggers a “Sending message…” toast, Google explains.

A toast-type overlay is similar to the overlay attack method known as Cloak and Dagger that came to light earlier this year, researchers said. This type of attack leverages Android permissions tied to features called System Alert Window and Bind Accessibility Service. System Alert Window allows an app to layer on top of another to display alerts. Bind Accessibility Service makes the Android user interface accessible to the visually impaired via descriptors of screen activities.

Toast attacks are similar, but do not require Android permissions to be granted by users.

“This newly discovered overlay attack does not require any specific permissions or conditions to be effective. Malware launching this attack does not need to possess the overlay permission or to be installed from Google Play. With this new overlay attack, malware can entice users to enable the Android Accessibility Service and grant the Device Administrator privilege or perform other dangerous actions,” according to a technical write-up on toast, also posted Thursday by Unit 42.

Additionally, researchers said it is possible to create a toast window that overlays the entire screen, making it possible to use toast to create the functional equivalent of regular app windows. “In light of this latest research, the risk of overlay attacks takes on a greater significance,” researchers said.

A patch for the vulnerability (CVE-2017-0752) was released Tuesday as part of Google’s September Android Security Bulletin.

“Most people who run Android run versions that are vulnerable. This means that it’s critical for all Android users on versions before 8.0 to get updates for their devices,” researchers wrote.

Wednesday, August 16, 2017

SPAM DOMAINS IMITATING POPULAR BANKS SPREADING TRICKBOT BANKING TROJAN


On 15/08/2017 at the Threatpost site


Santander Bank customers should be aware of an effective spam campaign spreading the Trickbot banking Trojan that is coming from domains similar to those used by the financial institution.
Researchers at My Online Security and the SANS Institute’s Internet Storm Center say that Santander is not the only bank domain being leveraged, and call the malicious domains “extremely plausible imitations.”
All of the domains, the researchers say, were registered with GoDaddy. Some of them are down, but it’s unknown whether GoDaddy took action. A sample of the phony domains sending Trickbot includes: hsbcdocs.co.uk, hmrccommunication.co.uk, lloydsbacs.co.uk, nationwidesecure.co.uk, natwestdocuments6.ml, santanderdocs.co.uk, santandersecuremessage.com, and securenatwest.co.uk.
“Almost all of these domains were registered through GoDaddy using various names or privacy services,” said Brad Duncan, a SANS ISC handler. “And these domains were implemented on servers using full email authentication and HTTPS. Many recipients could easily be tricked into opening the associated attachments.”
One of the messages purporting to be from Santander arrives with the subject line “You have a Santander Secure Email” and an attachment called “SecureDoc.html,” My Online Security said. The attachments are also sometimes Office documents that require macros to be enabled in order to view the content; the macro instead downloads Trickbot. The HTML files are a twist seen only in the last week: they download Office documents from the attacker’s server over HTTPS to avoid scanning, Duncan said.
“HTML attachments to download Office documents, eh? It’s not a new trick,” Duncan said. “But using this method, poorly managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.”
Trickbot is generally considered the successor to the Dyre (or Dyreza) banking malware. Recently, IBM’s X-Force research team along with researchers from Flashpoint spotted spam messages spreading Trickbot through the Necurs botnet. A customized redirection method was introduced in recent versions; Trickbot is known for carrying out man-in-the-browser attacks, using webinjects tailored for a number of banking institutions in an attempt to steal log-in credentials. Newer versions of Trickbot included webinjects for U.S.-based banks.
“They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment,” My Online Security said. “A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.” Researchers added that victims who prefer to bank via mobile phones or tablets are especially at risk, given that they often only see the sender’s display name rather than the complete address and domain.
One sample analyzed by the SANS ISC was disguised as coming from Santander and contained an HTML attachment that downloaded a Word document from the same server that sent the email. The Word document contains an image of a phony Santander login page with instructions on what to do if the victim cannot log in, which includes the enablement of macros through the “Enable Content” button.
Duncan said the Word document he analyzed makes an HTTP request to centromiosalud[.]es for a PNG image that is actually a Windows executable. Sometimes the malware is downloaded from the same domain, or from cfigueras[.]com.
“A scheduled task was implemented to keep the malware persistent,” Duncan said. “The persistent malware was located in a folder named winapp under the user’s AppData\Roaming directory.”
SANS ISC published a number of indicators of compromise, while My Online Security urges users, especially those running older versions of Office, to be wary of these emails and under no circumstances to click “Enable content” or “Enable macros” in order to view content.
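The two traits that make this campaign effective, a sender domain that merely contains a bank's name and a first-stage HTML or macro attachment, can be checked at the mail gateway before a user ever sees the display name. The following is an added example, not code from SANS ISC, My Online Security or the article: it extracts the sender domain, compares it against an allow-list of domains the brand is believed to send from (that allow-list is an assumption for the example), and combines the result with the attachment type into a verdict. The sample messages are constructed; the lookalike domains are the ones named above.

```python
"""Triage an inbound message for the Trickbot lure traits: a sender domain that
imitates a bank brand without being one of that brand's real sending domains,
combined with an HTML or macro-capable Office attachment.
The allow-list and the sample messages are constructed assumptions."""
import re

# Assumed allow-list: brand token -> domains the brand is believed to send from.
LEGIT_BANK_DOMAINS = {
    "santander": {"santander.co.uk", "santander.com"},
    "natwest": {"natwest.com"},
    "lloyds": {"lloydsbank.co.uk", "lloydsbank.com"},
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
    "nationwide": {"nationwide.co.uk"},
    "hmrc": {"hmrc.gov.uk"},
}
# Attachment types used as the first stage in this campaign (HTML, macro documents).
RISKY_ATTACHMENT_RE = re.compile(r"\.(html?|docm?|dotm|xlsm?|rtf)$", re.IGNORECASE)


def sender_domain(header_value):
    """Extract the domain from 'Display Name <user@domain>' or a bare address."""
    m = re.search(r"<([^>]+)>", header_value)
    mailbox = m.group(1) if m else header_value.strip()
    return mailbox.rsplit("@", 1)[-1].lower()


def is_legit(domain, legit_domains):
    """True if domain is an allow-listed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def lookalike_brand(domain):
    """Return the brand a domain imitates, or None if it is genuine or unrelated."""
    for brand, legit in LEGIT_BANK_DOMAINS.items():
        if brand in domain and not is_legit(domain, legit):
            return brand
    return None


def triage_message(sender, subject, attachments):
    """Combine the sender-domain and attachment signals into a verdict."""
    domain = sender_domain(sender)
    brand = lookalike_brand(domain)
    risky = [a for a in attachments if RISKY_ATTACHMENT_RE.search(a)]
    reasons = []
    if brand:
        reasons.append(f"sender domain {domain} imitates {brand}")
    if risky:
        reasons.append("first-stage attachment: " + ", ".join(risky))
    if brand and risky:
        verdict = "quarantine"   # lookalike bank domain plus HTML/macro lure
    elif brand or risky:
        verdict = "review"       # one signal only
    else:
        verdict = "pass"
    return {"domain": domain, "brand": brand, "subject": subject,
            "verdict": verdict, "reasons": reasons}


# Constructed samples; the first mirrors the Santander lure described above.
SAMPLE_MESSAGES = [
    ("Santander Secure Email <noreply@santanderdocs.co.uk>",
     "You have a Santander Secure Email", ["SecureDoc.html"]),
    ("Santander <alerts@mail.santander.co.uk>", "Your statement", ["Statement.pdf"]),
    ("HR Team <jobs@example.org>", "Application form", ["CV-template.docm"]),
]
```

`triage_message(*SAMPLE_MESSAGES[0])` returns a "quarantine" verdict for the lure, while the genuine subdomain in the second sample passes.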

Thursday, August 10, 2017

MAMBA RANSOMWARE RESURFACES IN BRAZIL, SAUDI ARABIA


On 09/08/2017 at the Threatpost site


Mamba was among the first ransomware samples detected in public attacks that encrypted entire hard drives rather than individual files, primarily against organizations in Brazil and in a high-profile incursion against the San Francisco Municipal Transportation Agency last November.
Researchers at Kaspersky Lab said today in a report that a new run of Mamba infections has been spotted in Brazil and Saudi Arabia.

In a talk yesterday, Kaspersky Lab researchers Juan Andres Guerrero-Saade and Brian Bartholomew predicted this trend would continue and speculated that, for now, attacks disguised as ransomware for the purpose of sabotage remain within the realm of APTs. The malware is the latest sample extending a trend of attackers disguising sabotage within a ransomware attack, which began with Petya and Mischa in early 2016 and peaked this year with the ExPetr/NotPetya wiper malware attacks. It’s unknown who is behind the most recent Mamba attacks, whether a nation-state or a criminal enterprise.

“Let’s say we have all the means for a sabotage attack and we want to disguise it as ransomware or as something potentially treatable, it’s not necessarily that different from what the Lazarus Group did with Sony, or some other South Korean targets, where first they asked for money and then dumped data anyways. It’s an evolution that’s particularly troubling,” Guerrero-Saade said.
Unlike the ExPetr attacks where it was unlikely victims would be able to recover their machines, that may not be the case with Mamba.
“Authors of wiper malware are not able to decrypt victims’ machines. For example, if you remember the ExPetr [malware], it uses a randomly generated key to encrypt a victim machine, but the trojan doesn’t save the key for further decryption,” said Kaspersky Lab researcher Orkhan Memedov. “So, we have a reason to call it ‘a wiper.’ However, in case of Mamba the key should be passed to the trojan as a command line argument, it means that the criminal knows this key and, in theory, the criminal is able to decrypt the machine.”
Mamba appeared in September 2016 when researchers at Morphus Labs said the malware was detected on machines belonging to an energy company in Brazil with subsidiaries in the United States and India. Once the malware infects a Windows machine, it overwrites the existing Master Boot Record with a custom MBR and encrypts the hard drive using an open source full disk encryption utility called DiskCryptor.
A ransom note, published (see below) by Kaspersky Lab, shows no demands for money unlike the original Mamba infections. Instead, it just claims data has been encrypted and provides two email addresses and an ID number in order to recover the encryption key.
“Unfortunately there is no way to decrypt data that has been encrypted with the DiskCryptor utility, because this legitimate utility uses strong encryption algorithms,” Kaspersky Lab said in its report.
The report also suggests that the group behind the latest Mamba attacks in Brazil and Saudi Arabia uses the PSEXEC utility to execute the malware on the corporate network once it has a foothold. PSEXEC was at the heart of the ExPetr malware attacks, which shared a number of similarities with the Petya attacks. ExPetr used PSEXEC and WMIC, another Windows utility, to spread on local networks. Its goal was not profit but destruction; analysts looking at the malware quickly determined that the ransomware functionality was faulty and victims would never be able to recover their files. The true purpose of those attacks was to wipe out the hard drive.
According to today’s report from Kaspersky Lab, attacks are happening in two stages. During the first stage, DiskCryptor is dropped into a new folder created by the malware and installed. A system service called DefragmentService is registered for persistence, and the victim’s machine is rebooted.
The second stage sets up the new bootloader and encrypts disk partitions using DiskCryptor before the machine is rebooted again.
“It is important to mention that for each machine in a victim’s network, the threat actor generates a password for the DiskCryptor utility,” Kaspersky Lab said in its report. “This password is passed via command line arguments to the ransomware dropper.”
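The two-stage sequence described in the report (a dropper executed via PSEXEC, DiskCryptor dropped into a new folder, a DefragmentService service registered, then a reboot) is a concrete pattern to hunt for in endpoint telemetry, and the fact that the DiskCryptor password travels on the dropper's command line means process-creation logs that capture command lines are worth preserving for recovery. The following is an added example, not code from Kaspersky Lab or the article: it correlates those events per host over constructed records. The log format, field names, file paths and the use of `psexesvc.exe` as the parent of a PsExec-launched process are assumptions for the example.

```python
"""Flag the Mamba stage-one sequence in endpoint telemetry: dropper started via
PsExec, DiskCryptor written to disk, DefragmentService registered, reboot.
Log format, field names and records are constructed; 'psexesvc.exe' as the parent
of a PsExec-launched process is an assumption about PsExec, not from the report."""
from collections import defaultdict

# Constructed records: "<ts>|<host>|<event>|key=value;key=value"
SAMPLE_EVENTS = """\
2017-08-09T10:00:01|HOST-A|process_create|image=C:\\Windows\\Temp\\svchelper.exe;parent=psexesvc.exe;cmdline=svchelper.exe Hj7kLq2pX
2017-08-09T10:00:03|HOST-A|file_create|path=C:\\xfs\\DiskCryptor\\dcrypt.exe
2017-08-09T10:00:05|HOST-A|service_install|name=DefragmentService;binpath=C:\\Windows\\Temp\\svchelper.exe
2017-08-09T10:00:07|HOST-A|system|event=reboot
2017-08-09T10:01:00|HOST-B|service_install|name=Spooler;binpath=C:\\Windows\\System32\\spoolsv.exe
2017-08-09T10:01:10|HOST-B|process_create|image=C:\\Windows\\System32\\defrag.exe;parent=svchost.exe;cmdline=defrag.exe C:
"""


def parse_events(text):
    """Parse the constructed pipe-separated records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"ts": ts, "host": host, "kind": kind, **fields})
    return events


def _psexec_launched(e):
    return e["kind"] == "process_create" and e.get("parent", "").lower() == "psexesvc.exe"


def host_findings(events):
    """Return {host: sorted findings}; hosts with nothing suspicious are omitted."""
    findings = defaultdict(set)
    for e in events:
        host, kind = e["host"], e["kind"]
        if _psexec_launched(e):
            findings[host].add("lateral_psexec_launch")
        elif kind == "file_create" and "diskcryptor" in e.get("path", "").lower():
            findings[host].add("diskcryptor_dropped")   # heuristic: folder/file name
        elif kind == "service_install" and e.get("name", "").lower() == "defragmentservice":
            findings[host].add("defragmentservice_registered")
        elif kind == "system" and e.get("event") == "reboot":
            findings[host].add("reboot")
    for f in findings.values():
        # stage one as described: encryptor dropped plus persistence service
        if {"diskcryptor_dropped", "defragmentservice_registered"} <= f:
            f.add("mamba_stage1")
    # a reboot on its own is not a finding
    return {h: sorted(f) for h, f in findings.items() if f - {"reboot"}}


def dropper_cmdline_args(events):
    """Keep the arguments of PsExec-launched droppers: the report says the
    per-machine DiskCryptor password is passed there, so a logged command
    line may be the only copy the victim ever has."""
    args = {}
    for e in events:
        if _psexec_launched(e):
            parts = e.get("cmdline", "").split(maxsplit=1)
            if len(parts) == 2:
                args[e["host"]] = parts[1]
    return args
```

`host_findings(parse_events(SAMPLE_EVENTS))` reports HOST-A with the full stage-one chain and leaves HOST-B, whose Spooler service and defrag.exe run are benign, unreported.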