What's new around the internet


Columns: Src | Date (GMT) | Title | Description | Tags | Stories | Notes
BAE.webp | 2017-05-17 03:33:55 | WanaCrypt0r Ransomworm (direct link)
Written by Sergei Shevchenko and Adrian Nish

BACKGROUND
Since the release of the ETERNALBLUE exploit by 'The Shadow Brokers' last month, security researchers have been watching for a mass attack on global networks. This came on Friday 12th May, when the exploit was bundled with ransomware called WanaCrypt0r and let loose. Initial reports of attacks were highlighted by Telefonica in Spain, but the malware quickly spread to networks in the UK, where the National Health Service (NHS) was impacted, followed by many other networks across the world.

The infographic below illustrates the key components of the WanaCrypt0r ransomware. These are described in further detail in subsequent sections of this report, along with initial clues on attribution.

ANALYSIS: Initial Vector
The initial infection vector is still unknown. Reports from some quarters of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff.

There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open; the attacker could have infected those hosts directly.

The Dropper/Worm
The infection starts from a 3.6 MB executable file named mssecsvc.exe or lhdfrgui.exe. Depending on how it is executed, it can function as a dropper or as a worm.

When run, the executable first checks whether it can connect to the following URL:
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The connection is checked with the WinINet functions, shown below:

    qmemcpy(&szUrl,
            "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
            57u);
    h1 = InternetOpenA(0,
Tags: Guideline Medical Wannacry APT 38
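A detection a responder would want from the excerpt above: the dropper's first action is to try to reach the domain shown, which means a DNS lookup for it from any internal host is a high-confidence sign that mssecsvc.exe executed there. The excerpt is cut off before it says what the dropper does with the result; it is a well-established fact about this sample that it exits if the URL is reachable and continues otherwise, and the rcode column below is used to separate the two outcomes. This is an added example, not code from the BAE report; the log lines and their 'timestamp client query rcode' layout are constructed for the example.

```python
"""Flag hosts whose DNS queries show the WanaCrypt0r dropper ran.

Added example, not from the BAE report. The dropper's first action is to
try to connect to the domain below, so a DNS query for it is a strong
sign that mssecsvc.exe executed on the querying host, whether or not the
connection then succeeded. The log lines are constructed for the example
in an assumed 'timestamp client query rcode' format; adapt LOG_RE to your
resolver's real format.
"""
import re
from collections import defaultdict

# Defanged as in the report; refang once here so the matcher is exact.
KILL_SWITCH_DEFANGED = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"
KILL_SWITCH = KILL_SWITCH_DEFANGED.replace("[.]", ".")

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)

# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.5.23 www.example.com. NOERROR
2017-05-12T10:01:05Z 10.0.5.23 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN
2017-05-12T10:01:09Z 10.0.7.41 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM NOERROR
2017-05-12T10:02:00Z 10.0.9.8 updates.example.net. NOERROR
2017-05-12T10:02:30Z 10.0.5.23 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN
"""


def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'A.COM.' and 'a.com' compare equal."""
    return qname.lower().rstrip(".")


def find_kill_switch_lookups(log_text: str) -> dict[str, dict]:
    """Return {client: {"queries": n, "resolved": bool}} for clients that
    looked up the kill-switch domain.

    'resolved' separates hosts that got an answer (the sample exits when
    the URL is reachable, so it most likely did not detonate) from hosts
    that got NXDOMAIN (the sample proceeds, so treat as an active infection).
    """
    hits: dict[str, dict] = defaultdict(lambda: {"queries": 0, "resolved": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        if normalize_qname(m["qname"]) != KILL_SWITCH:
            continue
        entry = hits[m["client"]]
        entry["queries"] += 1
        if m["rcode"] == "NOERROR":
            entry["resolved"] = True
    return dict(hits)


if __name__ == "__main__":
    for client, info in find_kill_switch_lookups(SAMPLE_LOG).items():
        state = "resolved (likely exited)" if info["resolved"] else "NXDOMAIN (likely detonated)"
        print(f"{client}: {info['queries']} lookup(s), {state}")
```

Case and trailing-dot normalisation matter here: resolver logs differ in whether they record the FQDN with a terminal dot or preserve the client's capitalisation, and a matcher that compares raw strings will miss some of the lookups.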
BAE.webp | 2017-03-06 12:15:49 | Cyber Heist Attribution (direct link)
Written by Sergei Shevchenko and Adrian Nish

BACKGROUND
Attributing a single cyber-attack is a hard task and often impossible. However, when multiple attacks are conducted over long periods of time, they leave a trail of digital evidence. Piecing this together into a campaign can help investigators to see the bigger picture, and even hint at who may be behind the attacks.

Our research into malware used on SWIFT-based systems running in banks has turned up multiple bespoke tools used by a set of attackers. What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign. This led to the identification of a commercial bank in Vietnam that also appears to have been targeted in a similar fashion using tailored malware, built on a common code-base.

In the bank malware cases we know of, the coders used a unique file wipe-out function. This implementation was so distinctive that it further drew our attention, and so we began to look for other instances of code which had used the same function. Using disassembled machine opcodes (with dynamic virtual addresses masked out) we generated signatures to scan a large malware corpus.

Our initial search turned up an additional sample which implemented the same wipe-out function. This sample was uploaded by a user in the US on 4th March 2016:

SHA1: c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad
Compile time: 2014-10-24 09:28:55
Size (bytes): 45,056
Name: msoutc.exe
Country: US

ANALYSIS
The msoutc.exe functionality
msoutc.exe accepts a number of parameters passed on the command line. When executed, it
Tags: Guideline
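The signature method described above (opcodes kept, addresses masked) is worth seeing in working form, because it explains why the same wipe-out routine can be found across samples linked at different image bases. The following is an added example, not BAE's tooling or signature format: it canonicalises a textual disassembly listing, wildcards operands that look like virtual addresses (call targets, absolute references) while keeping small immediates that are part of the routine's logic, and hashes the result. The two listings are constructed for the example (a toy overwrite loop), not taken from msoutc.exe; the listing layout is an assumed objdump-like 'address: mnemonic operands ; comment' format.

```python
"""Address-masked opcode signatures for finding reused functions.

Added example, not BAE's own tooling. Take a disassembled function,
wildcard the operands that change between builds (absolute virtual
addresses, call/jump targets), and hash what remains, so the same routine
can be matched in other samples even when it was linked at a different
base. The listings below are constructed for the example and are not from
msoutc.exe.
"""
import hashlib
import re

# Operands that depend on where the code was loaded or what it was linked
# against. Immediates that look like addresses (4+ hex digits) are masked;
# small immediates (loop counters, fill bytes, stack offsets) are part of
# the logic and are kept, because they are what makes the routine distinctive.
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{4,}")
MASK = "ADDR"

# Leading "addr:" column and trailing ';' comments are not part of the logic.
LINE_RE = re.compile(r"^\s*(?:0x[0-9a-fA-F]+:)?\s*(\S+)\s*(.*?)\s*(?:;.*)?$")


def normalize(listing: str) -> list[str]:
    """Return one canonical 'mnemonic operands' string per instruction."""
    out = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(1):
            continue
        mnemonic, operands = m.group(1).lower(), m.group(2)
        operands = ADDR_RE.sub(MASK, operands)
        operands = re.sub(r"\s+", " ", operands).strip()
        out.append(f"{mnemonic} {operands}".strip())
    return out


def signature(listing: str) -> str:
    """SHA-256 over the masked instruction stream."""
    canonical = "\n".join(normalize(listing))
    return hashlib.sha256(canonical.encode()).hexdigest()


def same_routine(a: str, b: str) -> bool:
    return signature(a) == signature(b)


# Constructed listing A: the routine as it might appear in one sample.
WIPE_A = """
0x00401000: push  ebp
0x00401001: mov   ebp, esp
0x00401003: mov   ecx, 0x100          ; bytes to overwrite
0x00401008: mov   edi, dword ptr [ebp+0x8]
0x0040100b: mov   al, 0x5a            ; fill byte
0x0040100d: rep   stosb
0x0040100f: push  dword ptr [ebp+0x8]
0x00401012: call  0x00402130          ; write-out wrapper
0x00401017: pop   ebp
0x00401018: ret
"""

# Constructed listing B: same routine, rebuilt at a different image base
# and with a different target address for the wrapper call.
WIPE_B = """
0x10001a00: push  ebp
0x10001a01: mov   ebp, esp
0x10001a03: mov   ecx, 0x100
0x10001a08: mov   edi, dword ptr [ebp+0x8]
0x10001a0b: mov   al, 0x5a
0x10001a0d: rep   stosb
0x10001a0f: push  dword ptr [ebp+0x8]
0x10001a12: call  0x10007f40
0x10001a17: pop   ebp
0x10001a18: ret
"""

# Constructed listing C: a near miss with a different fill byte, so a
# different routine that must not match.
OTHER_C = WIPE_B.replace("0x5a", "0x00")


if __name__ == "__main__":
    print("A == B:", same_routine(WIPE_A, WIPE_B))   # True
    print("A == C:", same_routine(WIPE_A, OTHER_C))  # False
```

The threshold in ADDR_RE is the tuning knob: masking too little leaves the signature tied to one build, masking too much (every immediate) collapses distinct routines into one. Working from raw bytes instead of text gives the same result if the immediate and displacement fields of each instruction are wildcarded by operand type rather than by value.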
BAE.webp | 2017-03-06 12:15:07 | Pray before you buy with Shylock (direct link)
Written by Sergei Shevchenko, Cyber Research

"I will buy with you, sell with you, talk with you, walk with you, and so following; but I will not eat with you, drink with you, nor pray with you"
Shylock, 1.3.37, The Merchant of Venice, Shakespeare

Shylock-the-Trojan will indeed talk to you via Skype and walk with you while you browse the Internet or while you buy or sell online. Ironically, this Man-in-the-Browser (MitB) trojan considers the homeland of Shakespeare its target #1.

Being a banking trojan that targets multiple banking institutions, it employs a plug-in architecture that allows the main 'framework' to be complemented with additional functionality. Shylock plug-ins are DLLs with the exports:
Destroy()
Init()
Start()

This description lists Shylock's main components, one by one.

Driver
The Shylock driver is a kernel-mode rootkit designed to hide files, processes, registry entries, and traffic associated with Shylock. In addition, it switches off Windows UAC by resetting the value:
EnableLUA = 0x00000000
under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
With UAC disabled, Windows Vista/7/8 will no longer prompt for consent or for credentials for a valid administrator account before launching a Shylock executable, allowing it to start silently.

If the Windows version is Vista, 7, or 8, it obtains the "NSI proxy" driver and hooks its IRP_MJ_DEVICE_CONTROL dispatch routine. On a pre-Vista Windows OS, it will also hook the IRP_MJ_DEVICE_CONTROL dispatch routine within the TCP driver.

The reason Shylock hooks the "NSI proxy" driver is to hide itself from netstat, a tool often used by technically savvy users to check the active connections on a compromised PC: to inspect open ports and to see which executables hold active connections.

In those scenarios where Shylock engages its user-mode VNC component, the remote attacker has full remote access to the compromised system: its graphical desktop is relayed to the attacker in full, along with keyboard and mouse events. The generated VNC traffic is therefore relatively 'heavy', so there is a high chance it will eventually draw the end user's attention (e.g. the user might wonder why the modem LEDs are blinking so wildly). In that case, netstat is one of the first tools run to see what is going on with the system, and Shylock doesn't like that.

Whenever netstat is run, its calls are marshalled into the kernel and eventually handled by the "NSI proxy" driver. The hook Shylock installs is known as an IRP hook. The hook handler monitors enumerated connections, and whenever it finds a TCP connection involving a port number it needs to hide (e.g. the one carrying VNC traffic), it wi
Tags: Guideline
BAE.webp | 2017-03-06 12:13:56 | Testing Your Defences Against SQL Injection (direct link)
Websites that serve content in response to user input are generally database-driven. By entering search terms, logging in, clicking options and filters, and using other user interface methods, the user is interacting with the underlying database on the server. Structured Query Language (SQL) is the standard method of accessing data in most databases. SQL queries are generated by the website, passed to the database and executed to retrieve or modify the information it holds.

However, if user input is not appropriately validated, it may be possible for an attacker to 'inject' raw SQL statements as part of a malicious input, and for these to be executed by the database.

So-called SQL injection (SQLi) attacks can be used to delete, modify or retrieve information from the database, and even execute commands on the underlying operating system. The most common SQLi attacks result in an attacker gaining access to and 'dumping' large amounts of data from the database that they should not have been able to access.

Timeline of recent SQLi attacks
SQL injection attacks were first discovered in 1998, with one of the first live attacks taking place in 2002 on the fashion retailer Guess.

Common platforms and common vulnerabilities
Building a web application and backend from scratch is a significant undertaking; hence developers typically use web application frameworks and readily available code, often open-source. The resulting website may contain SQLi vulnerabilities owing to flaws in the platform. These vulnerabilities will exist in all websites currently running that version, and patch level, of the platform.

Examples of such platforms include:
Application and integration 'middleware' such as IBM WebSphere: both the David Jones and Kmart e-commerce systems (see timeline above) were built on IBM WebSphere; a vulnerability in the WebSphere platform was identified and used to attack sites built on the same technology.
Content Management Systems (CMS): these allow non-technical users to add and edit website content with ease, change and optimise site layout on various devices, and automatically improve search engine rankings. A CMS runs a database with a variety of user interface elements on top. WordPress and Drupal are the top two CMSs in use on the web and account for nearly half of all dynamic con
Tags: Guideline
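The 'dumping' attack the excerpt describes comes down to one thing: whether the user's input is spliced into the SQL text or bound as a parameter. The following is an added example, not code from the BAE article, showing a search function written both ways against an in-memory SQLite database with constructed rows, and the UNION payload that pulls a private table out of the vulnerable version. The table and column names are assumptions for the demo; the same contrast applies to any SQL driver that supports bound parameters.

```python
"""Vulnerable vs. parameterised search, with the injected 'dump' the
article describes.

Added example, not code from the BAE article. It uses an in-memory SQLite
database with constructed sample rows so it runs offline; table and column
names are assumptions for the demo.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a public products table and a private users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES ('red shirt', '19.99'), ('blue jeans', '49.99');
        INSERT INTO users VALUES ('admin', 'hash-of-admin-password'),
                                 ('alice', 'hash-of-alice-password');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[tuple]:
    """The pattern under test: user input spliced straight into the SQL text.

    A term containing a quote closes the string literal and the remainder
    is executed as SQL. This is the deliberately unsafe 'before' picture.
    """
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list[tuple]:
    """Same query with the value bound as a parameter.

    The driver hands the query text and the value to the engine separately,
    so the quote in the payload is just a character inside the LIKE pattern
    and never reaches the parser as SQL syntax.
    """
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# A classic UNION-based dump: close the LIKE literal, append a SELECT over
# a table the search was never meant to expose, and comment out the
# trailing quote the application adds. It selects two columns to match the
# original SELECT, which is what makes the UNION succeed.
DUMP_PAYLOAD = "' UNION SELECT username, password_hash FROM users --"


def leaked_rows(rows: list[tuple]) -> list[tuple]:
    """Rows in a result that came from the users table rather than products."""
    return [r for r in rows if r[0] in ("admin", "alice")]


def demo() -> dict:
    conn = build_db()
    return {
        "normal": search_vulnerable(conn, "shirt"),
        "vulnerable_dump": leaked_rows(search_vulnerable(conn, DUMP_PAYLOAD)),
        "safe_dump": leaked_rows(search_safe(conn, DUMP_PAYLOAD)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

When testing a site rather than reading its code, the same payload is what a scanner sends: an unexpected extra set of rows, an error mentioning a column-count mismatch, or a changed response length on a quote are the signals that the input reached the parser as SQL.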
BAE.webp | 2017-03-06 12:13:46 | Multiple vulnerabilities affecting several ASUS Routers (direct link)
Written by Eldar Marcussen
Affected Vendor: ASUS http://www.asus.com/au/Networking/Wireless-Routers-Products/
Affected Device: Multiple, including: RT-AC3200
Affected Version: Multiple, including: 3.0.0.4.378_7838
Issue type: Multiple Vulnerabilities
Release Date: 14 Apr 2016
Discovered by: T.J. Acton
Issue status: Vendor patch available at http://www.asuswrt.net/2016/03/30/asus-release-beta-firmware-for-acn-router

Summary
ASUS produces a suite of mid- to high-end consumer-grade routers. The RT-AC3200 is confirmed to be affected, and the following devices are assumed to be affected:
TM-AC1900
RT-AC3200
RT-AC87U
RT-AC68U
RT-AC68P
RT-AC68R
RT-AC68W
RT-AC66R
RT-AC66W
RT-AC66U
RT-AC56U
RT-AC51U
RT-N18U

1. Insecure default configuration for the Anonymous FTP user account
Description
The affected ASUS routers suffer from an insecure default configuration for anonymous users once anonymous access is enabled. Write access is enabled for all directories on the attached storage by default. Furthermore, the administrator is not able to restrict read or write access for any specific directories on attached storage devices.
Impact
The anonymous FTP user can write arbitrary files to the attached storage device.

2. FTP users can access certain system files when Download Master is installed
Tags: Guideline
BAE.webp | 2017-03-06 12:13:22 | Lazarus & Watering-hole attacks (direct link)
On 3rd February 2017, researchers at badcyber.com released an article that detailed a series of attacks directed at Polish financial institutions. The article is brief, but states that "This is – by far – the most serious information security incident we have seen in Poland", followed by a claim that over 20 commercial banks had been confirmed as victims.

This report provides an outline of the attacks based on what was shared in the article, and our own additional findings.

ANALYSIS
As stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority (knf.gov[.]pl), shown below.

From at least 2016-10-07 to late January, the website code had been modified to cause visitors to download malicious JavaScript files from the following locations:
hxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1
hxxps://www.eye-watch[.]in/design/fancybox/Pnf.action

Both of these appear to be compromised domains, given that they are also hosting legitimate content and have done for some time. The malicious JavaScript leads to the download of malware to the victim's device. Some hashes of the backdoor have been provided in BadCyber's technical analysis:
85d316590edfb4212049c4490db08c4bc1364bbf63b3617b25b58209e4529d8c1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae

The C&Cs given in the BadCyber analysis were the following IP addresses:
125.214.195.17
196.29.166.218

LAZARUS MALWARE
Only one of the samples referenced by BadCyber is available in public malware repositories. At the moment we cannot verify that it originated from the watering-hole on the KNF website, but we have no reason to doubt this either.
MD5 hash | Filename | File Info | First seen
Tags: Guideline Medical APT 38
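The modification described above (the regulator's own pages made to load JavaScript from two unrelated hosts) is the kind of change a site owner can catch by baselining where their pages load scripts from and diffing against it. The following is an added example, not BadCyber's or BAE's tooling: it extracts every <script src> origin from a page and reports those outside an allow-list. The HTML and the hostnames in it are constructed for the example (reserved .test names), with the injected tag borrowing the path shape of the first URL above.

```python
"""Diff a page's script sources against a known-good baseline.

Added example, not BadCyber's or BAE's tooling. Fetch your own pages on a
schedule, collect the origins of every <script src=...>, and alert when one
appears that is not in the set the site is supposed to use. The HTML and
hostnames below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value)


def script_origins(html: str, page_host: str) -> set[str]:
    """Return the set of hosts the page loads scripts from.

    Relative URLs are attributed to page_host, protocol-relative URLs are
    treated as https, and non-http schemes (data:, javascript:) are reported
    under their scheme so they still surface in a review.
    """
    p = ScriptSrcCollector()
    p.feed(html)
    origins: set[str] = set()
    for src in p.sources:
        src = src.strip()
        if src.startswith("//"):
            src = "https:" + src
        parsed = urlparse(src)
        if parsed.scheme in ("http", "https"):
            if parsed.hostname:
                origins.add(parsed.hostname.lower())
        elif parsed.scheme:
            origins.add(parsed.scheme + ":")
        else:
            origins.add(page_host.lower())  # relative path, served by the site itself
    return origins


def unexpected_script_origins(html: str, page_host: str, allowed: set[str]) -> set[str]:
    """Hosts serving scripts to the page that are not in the baseline."""
    return script_origins(html, page_host) - {a.lower() for a in allowed}


# Constructed: the site as it should look.
BASELINE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-regulator.test/jquery.min.js"></script>
</head><body>...</body></html>
"""

# Constructed: the same page with an injected loader pulling a script from an
# unrelated host, which is the pattern the report describes.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</head>",
    '<script type="text/javascript" SRC="//sap.compromised-host.test/vishop/view.jsp?pagenum=1"></script></head>',
)

PAGE_HOST = "www.example-regulator.test"
ALLOWED = {PAGE_HOST, "cdn.example-regulator.test"}


if __name__ == "__main__":
    print("baseline:", unexpected_script_origins(BASELINE_PAGE, PAGE_HOST, ALLOWED))
    print("tampered:", unexpected_script_origins(TAMPERED_PAGE, PAGE_HOST, ALLOWED))
```

A loader injected this way can also be dynamic (a tiny inline script that creates the tag at runtime), so inline <script> bodies and the site's Content-Security-Policy report-uri logs are the complementary places to look; the static diff above catches the simple case the report describes.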
BAE.webp | 2017-03-06 12:13:03 | Lazarus' False Flag Malware (direct link)
Written by Sergei Shevchenko and Adrian Nish

BACKGROUND
We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish-language niebezpiecznik.pl blog on 7 February 2017.

MD5 hash | Filename | Compile Time | File Info | Submitted
9216b29114fb6713ef228370cbfe4045 | srservice.chm | N/A | N/A | N/A
8e32fccd70cec634d13795bcb1da85ff | srservice.hlp | N/A | N/A | N/A
e29fe3c181ac9ddb
Tags: Guideline Medical APT 38
Last update at: 2024-05-06 22:08:05
See our sources.