Month: June 2015

Very powerful HanJuan Exploit Kit

According to information security professionals in Mexico, URL shortening services are often used by cybercriminals to pass malicious links in Mexico. The International Institute of Cyber Security organization, which also provides ethical hacking services in Mexico, noted that the HanJuan malvertising campaign is designed to exploit not the short link itself but an advertisement embedded within the Ad.fly service. As a result, the malicious advertising occurs and the user is redirected to the exploit kit.

The attack begins with the abuse of the Ad.fly service. Essentially, the shortener uses interstitial advertising. Interstitials are web pages shown to the user before or after they reach the desired content. Usually, interstitials are controlled by an ad server.

A cloud security expert in Mexico reported a similar malicious campaign involving the HanJuan exploit kit, also known as the Tinba trojan and Fobber. The advertising service Ad.fly has been compromised and abused to link users to a piece of malicious software designed to obtain login details. The attack can be considered a man-in-the-middle attack, since the user's browser holds a great deal of information from various credentials.

Information security researchers in Mexico at iicybersecurity say that this malicious advertising is found on some well-known websites, among them:

dailymotion.com

theblaze.com

nydailynews.com

tagged.com

webmail.earthlink.net

mail.twc.com

my.juno.com

The threat is a drive-by download attack that takes place in a matter of seconds and requires no user interaction, that is, no click is needed to become infected. Normally, a drive-by download goes unnoticed unless Java is involved or the browser crashes. In the case of Flash, it is completely transparent and the user would know nothing about the attack.

Very powerful HanJuan Exploit Kit

The exploit kit's malicious redirection system is quite sophisticated, as cloud security researchers point out. The first sessions load the interstitial ad through an encoded JavaScript advertising snippet. Once the HanJuan kit is loaded, exploits for Flash Player and Internet Explorer are fired before the payload is dropped onto the hard disk. The vulnerability exploited in Flash Player is CVE-2015-0359, and the one in IE is CVE-2014-1776. Either one may be used, depending on the user's profile. In addition, the payload most likely contains several layers of encryption, both in the binary itself and in the C&C communications, so the whole malicious campaign is very complex.

To stay protected against exploit kits, users can follow some security tips from Mike Stevens, an ethical hacking professional in Mexico, such as:

  • Update Java, Adobe products, Silverlight and Flash frequently.
  • Turn off Java and Flash when they are not needed.
  • Implement a patch management program.
  • Maintain an anti-malware solution.

For organizations, the important security tip is:

  • Remove or restrict administrator-level rights for non-expert employees.

To make sure a computer has not been affected by the HanJuan EK, perform a full scan of the systems, an iicybersecurity expert recommends.

Dridex banking malware spreading through new spam campaign

A new spam campaign armed with the Dridex banking malware is making its rounds and targeting company accountants with phony emails.

Attached to each spam email is a fake scanned document that, in reality, is a macros-enabled .doc, Heimdal Security wrote in its blog post on the attack. The email tries to pass as legitimate under the subject line “Scanned from a Xerox Multifunction Printer.” It tells the recipient that the document was scanned and then sent to them directly from the printer.

Heimdal Security outlined a recent Dridex-spreading spam campaign that tries to trick users into opening a malicious macros-enabled document.

If opened, the document retrieves Dridex from various compromised webpages.

While this attack isn’t terribly different from any other spam campaign, Morten Kjaersgaard, CEO of Heimdal Security, told SCMagazine.com in an email that it’s much more “refined and stealthy” in its attack mechanisms.

“As users we need to constantly remind ourselves that hackers are getting better at what they do,” he said. “This is serious business [for them] and we should consider this a serious threat.”

When Heimdal scanned the impacted webpages on VirusTotal, only five out of more than 20 antivirus solutions detected the malicious payload.

Once on a victim’s system, Dridex “sleeps” until a user types in banking credentials that will be sent to the attackers.

Kjaersgaard recommends using a web filtering service on the endpoint, combined with other traditional security approaches, such as signature-based detection.

“I would strongly urge users and companies to be very careful in keeping their software up-to-date and not trusting unlikely inbox items,” he said. “This Dridex campaign is just the tip of a currently very big, and unfortunately increasing, iceberg.”

Source: http://www.scmagazine.com/

Blackhats using mystery Magento card stealers

Sucuri infosec researcher Peter Gramantik says carders are exploiting an unknown vulnerability to steal billing information from e-commerce sites that use eBay’s Magento platform.

Gramantik found an attack script that plunders POST data and identifies valuable payment data before storing it as an encrypted image file.

He says attackers appear to be exploiting a vulnerability in Magento core and demonstrate a strong understanding of the way the platform works.

A quarter of all Alexa top one million e-commerce sites are said to use Magento, making it a valuable target for attackers.

“It seems though that the attacker is exploiting a vulnerability in Magento core or some widely used module/extension,” Gramantik says.

“Using this vector, the attacker is able to inject malicious code into the Magento core file … the attacker gets the content of every POST request.

Blackhats using mystery Magento card stealers

“The sad part is that you won’t know it’s affecting you until it’s too late, in the worst cases it won’t become apparent until they appear on your bank statements.”

Gramantik says the inclusion of a public key variable indicates the attacker is likely behind a family of credit card stealers.

The attack tool wipes trails clean and masks user agents in an attempt to avoid suspicion. It further modifies the creation timestamp of the image file in which billing information is stored and serves up a fake JPEG header.

“The attacker, however, is able to download the whole image file to decrypt the stolen contents using their public key, and now they have all the billing information processed by the Magento e-commerce website,” Gramantik says.

Variants have been found storing all POST data including login credentials to a gif image.

The security bod previously found a less surreptitious attack where billing information from the Magento billing module is exfiltrated over clear text.
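As an added defender-side check (not part of the Sucuri research or of Magento itself), the following Python walks the JPEG marker structure of files under a web root, so a file that only borrows a JPEG header in front of an encrypted blob, the storage trick described above, is flagged regardless of its forged timestamp. The sample bytes are constructed and the directory layout is assumed.

```python
import os
import struct

# Marker codes with no length field: SOI, EOI and RST0..RST7.
_STANDALONE = {0xD8, 0xD9} | {0xD0 + i for i in range(8)}

# Constructed samples (not from any real incident): a minimal structurally valid
# JPEG, and a file that borrows only its SOI/APP0 header before an opaque blob.
REAL_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56\xff\xd9")
FAKE_JPEG = REAL_JPEG[:20] + bytes((i * 37 + 11) % 251 for i in range(200))


def looks_like_real_jpeg(data: bytes) -> bool:
    """Walk the marker segments from SOI to SOS. A borrowed header followed
    by ciphertext fails, because the blob is not 0xFF-prefixed segments."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
            continue
        if marker in _STANDALONE:
            if marker == 0xD9:              # EOI before any scan data
                return False
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2:
            return False
        pos += 2 + seg_len
        if marker == 0xDA:
            # SOS: entropy-coded data follows; 0xFF is escaped inside it,
            # so a bare FF D9 can only be the EOI marker.
            return b"\xff\xd9" in data[pos:]
    return False


def classify(name: str, data: bytes) -> str:
    """'ok' = valid JPEG, 'fake-image' = .jpg/.jpeg that is not, else 'skipped'."""
    if os.path.splitext(name)[1].lower() not in (".jpg", ".jpeg"):
        return "skipped"
    return "ok" if looks_like_real_jpeg(data) else "fake-image"


def scan_tree(root: str) -> list:
    # Checks bytes, not mtime, because the stealer forges timestamps.
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                if classify(fname, fh.read()) == "fake-image":
                    hits.append(path)
    return hits
```

Run `scan_tree("/path/to/magento/media")` (path assumed) and review each hit by hand; a real but corrupted image will also appear, so the list is a triage queue, not a verdict.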

Source: http://www.theregister.co.uk/

Cisco warns of default SSH key in several products

Cisco security engineers have disclosed that there is a single default ‘maintenance’ SSH key hardcoded into several families of Cisco security appliances.

The default authorised SSH keys and SSH host keys are associated with remote access for maintenance, meaning that a successful attack would allow hackers to access the devices at will. Once obtained, the private keys would allow an attacker to decrypt traffic after collecting it during a man-in-the-middle attack, or impersonate one of the appliances and alter traffic.

Cisco warns of default SSH key in several products

According to Cisco, Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the security issue, reports the Security Affairs blog.

“Multiple Cisco products contain a vulnerability that could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances. Updates are available”, said the company in a widely-quoted statement.

The vendor has pushed out a security patch to rectify the issue, (“cisco-sa-20150625-ironport SSH Keys Vulnerability Fix”), and says all versions prior to 25 June need the update.

The Register quotes the patch advisory as saying: “IP address connectivity to the management interface on the affected platform is the only requirement for the products to be exposed to this vulnerability. No additional configuration is required for this vulnerability to be exploited.

“This patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after June 25, 2015,” the advisory continues.

However, according to ComputerWorld, Cisco said it “is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.”

Source: http://www.welivesecurity.com/

New Tinba variant delivered via HanJuan Exploit Kit in malvertising attack

Researchers with Malwarebytes have observed a new variant of Tinba banking malware being distributed via the HanJuan Exploit Kit as part of a malvertising attack that involves advertising and URL shortening service Adf.ly.

Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com in a Thursday email correspondence that the majority of infections have been observed in the Netherlands, but he added that the campaign is still in its early stages and could expand.

The threat was made possible because the attackers were able to successfully submit a malicious advertisement to Adf.ly, which was then arbitrarily displayed to users who clicked on shortened Adf.ly links around the web.

“Adf.ly monetizes its service by displaying ads when people click on the shortened link,” Segura said. “Before the shortened link redirects to the actual URL, an ad is displayed for a few seconds. This is where the malvertising happened.”

Once the malvertisement was displayed, a redirection chain triggered without any user interaction, Segura explained. According to a Wednesday post, users were ultimately taken to a compromised Joomla website that pushed what is believed to be the HanJuan Exploit Kit.

The HanJuan Exploit Kit was observed exploiting an Adobe Flash Player vulnerability and an Internet Explorer vulnerability.

Researchers observed the HanJuan Exploit Kit targeting two exploits in order to deliver the Tinba variant – an Adobe Flash Player vulnerability, CVE-2015-0359, and an Internet Explorer vulnerability, CVE-2014-1776, the post said.

The Tinba variant, which was initially identified by Malwarebytes as ‘Fobber,’ was observed going after sensitive information – including Google, Microsoft, Facebook and Twitter credentials – by hooking browsers and grabbing usernames and passwords before they were encrypted, the post said, adding the malware was not observed stealing banking credentials.

“This is an evolved version of Tinba v2, which was identified by security researchers at Fox-IT,” Segura said. “While the core of the program is more or less the same, the authors of this piece of banking malware have improved its encryption capabilities, making it harder for security researchers to properly identify and take down.”

To address these types of threats, Segura said that advertising networks must ensure they are delivering clean content, and end users must make certain their computers are fully patched and are protected with adequate security solutions.

Source: http://www.scmagazine.com/

Security researcher casually drops Adobe Reader, Windows critical vulnerability bomb

A security researcher has casually revealed 15 vulnerabilities which impact on Microsoft Windows and Adobe Reader.

On Tuesday, Google Project Zero hacker Mateusz Jurczyk outlined a total of 15 critical vulnerabilities discovered within font management systems.

The research, also presented at the REcon security conference in Montreal in a talk called “One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation,” (.PDF), reveals a set of nasty remote code execution and privilege escalation flaws which can be exploited through Adobe Reader or the Windows Kernel.

Jurczyk discovered a number of low to critical-severity security flaws, but the worst two, CVE-2015-3052 and CVE-2015-0093, which exist in both 32-bit and 64-bit systems, are found within the Adobe Type Manager Font Driver.

Security researcher casually drops Adobe Reader, Windows critical vulnerability bomb

Speaking to The Register, Jurczyk said the most serious and interesting vulnerability, an “entirely reliable” BLEND instruction exploit, relates to how systems handle CharStrings which are responsible for shaping glyphs depending on point size. The exploit “defeats all modern user and kernel-mode exploit mitigations,” according to the researcher.

“The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) — thus making it possible to create an exploit chain leading to a full system compromise with just a single bug — makes it one of the most interesting security issues I have discovered so far,” Jurczyk writes.

The researcher also devised an x64 way to exploit the flaw for the purpose of privilege escalation using another CharString vulnerability (CVE-2015-0090).

A video demonstrates the exploitation of Adobe Reader 11.0.10 using the BLEND vulnerability (CVE-2015-3052), accompanied by sandbox escapes via the Windows Kernel.

After being notified of the vulnerabilities, Microsoft and Adobe patched the flaws in their latest updates.

Source: http://www.zdnet.com/

THIS RADIO BUG CAN STEAL LAPTOP CRYPTO KEYS, FITS INSIDE A PITA

The list of paranoia-inducing threats to your computer’s security grows daily: keyloggers, trojans, infected USB sticks, ransomware…and now the rogue falafel sandwich.

Researchers at Tel Aviv University and Israel’s Technion research institute have developed a new palm-sized device that can wirelessly steal data from a nearby laptop based on the radio waves leaked by its processor’s power use. Their spy bug, built for less than $300, is designed to allow anyone to “listen” to the accidental radio emanations of a computer’s electronics from 19 inches away and derive the user’s secret decryption keys, enabling the attacker to read their encrypted communications. And that device, described in a paper they’re presenting at the Workshop on Cryptographic Hardware and Embedded Systems in September, is both cheaper and more compact than similar attacks from the past—so small, in fact, that the Israeli researchers demonstrated it can fit inside a piece of pita bread.

THE LABORATORY FOR EXPERIMENTAL INFORMATION SECURITY AT TEL AVIV UNIVERSITY

“The result is that a computer that holds secrets can be readily tapped with such cheap and compact items without the user even knowing he or she is being monitored,” says Eran Tromer, a senior lecturer in computer science at Tel Aviv University. “We showed it’s not just possible, it’s easy to do with components you can find on eBay or even in your kitchen.”

Their key-stealing device, which they call the Portable Instrument for Trace Acquisition (yes, that spells PITA), consists of a loop of wire to act as an antenna, a Rikomagic controller chip, a Funcube software defined radio, and batteries. It can be configured to either collect its cache of stolen data on an SD storage card or to transmit it via Wifi to a remote eavesdropper. The idea to actually cloak the device in a pita—and name it as such—was a last minute addition, Tromer says. The researchers found a piece of the bread in their lab on the night before their deadline and discovered that all their electronics could fit inside it.

The Tel Aviv researchers focused their attack on extracting the keys stored by GnuPG, an open source and widely used version of the encryption software PGP. They alerted GnuPG to their work in February, and an update to the software released at the same time as their paper is designed to protect against the attack. But they say their key-stealing method could be applied to other crypto systems that use RSA and ElGamal, the cryptographic algorithms integrated into GnuPG. Tromer says the group is also exploring whether the technique could be adapted and made more widely applicable, too, even allowing the theft of bitcoins by stealing the private keys created by users’ “wallet” programs. Their paper includes recommendations for how cryptographers can alter software to better foil their radio key thieving mechanism.

The Israeli researchers’ ability to steal data from unwitting computers’ radio waves isn’t exactly new: computer scientists have known for decades that computers leak sensitive data in the form of radio emissions from their electromagnetic components. The Dutch security researcher Wim van Eck demonstrated back in 1985 that he could pick up the radio emissions of CRT monitors and reconstruct on-screen images. In 2008, German and Iranian researchers used a similar radio analysis trick to “listen” to the computations inside wireless key fobs and clone them to unlock cars and open garage doors.

But the Tel Aviv researchers’ technique uses that same form of radio spying to target a laptop—a far more electromagnetically complicated target than a key fob or a monitor—and also to do it on the cheap. The team cleverly reduced the resources necessary for their attack by sampling the radio emanations from the processor only intermittently while the chip does its decryption work, rather than reading those emissions at a much faster frequency. PITA takes its samples at 100 kilohertz, compared with the processor’s 20,000-times-faster computation rate of two gigahertz. But by tricking the target into decrypting a carefully chosen message, they were able to “twist the algorithm’s arm” into leaking more sensitive information, creating more clues in the leaked emanations for their PITA radio to pick up.

“It’s like someone’s reciting secrets in a room, and you only get to hear a syllable a day to try to reconstruct what they’re saying,” says Tromer. “You can force that person in the room to always say one syllable over and over if the secret is ‘zero,’ and another syllable over and over if the secret is ‘one’…That allows us to take a very low frequency sample and still extract information.”

The notion of someone planting an eavesdropping device less than two feet away from a target computer may seem farfetched as an espionage technique—even if that spy device is concealed in a pita (a potentially conspicuous object in certain contexts) or a stealthier disguise like a book or trashcan. But the PITA attack represents a significant advancement from less than a year ago, when the same researchers released an attack that required the attacker to actually touch a laptop’s metal components to pick up their charge.

Tromer says the team is now working on another upgrade that would allow much longer-distance snooping, though he declined to say more before the research’s publication. If that more remote attack becomes practical, it could introduce the threat of radio-based crypto key theft through walls or floors—without even a telltale sandwich to warn the user their secrets are being stolen.

Source: http://www.wired.com/