
A new variant of the Shamoon malware, aka DistTrack, was uploaded to VirusTotal from Italy this week, but experts haven’t linked it to a specific attack yet.

Shamoon was first observed in 2012 when it infected and wiped more than 30,000 systems at Saudi Aramco and other oil companies in the Middle East.

Four years later, a new version (Shamoon 2) appeared in the threat landscape; it was involved in a string of cyber attacks aimed at various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA).

A second variant of the same threat was discovered by researchers at Palo Alto Networks in January 2017 and it was able to target virtualization products.

DistTrack is able to wipe data from hard drives of the infected systems and render systems unusable. Like other malware, Shamoon leverages Windows Server Message Block (SMB) to spread among systems of the target network.

The code of the original Shamoon includes a list of hard-coded domain credentials used to target a specific organization and steal credentials, but the variant uploaded to VirusTotal this week doesn’t contain these credentials.

Google security firm Chronicle discovered a file containing Shamoon uploaded to its VirusTotal database.

“The new Shamoon was set to detonate on Dec. 7, 2017, at 11:51 pm, but only uploaded yesterday.” reported the Axios website.

“Chronicle notes that attackers may have set the attack date to the past — perhaps by changing 2018 to 2017 — in order to start an attack immediately. Another possibility, said Brandon Levene, head of applied intelligence at Chronicle, is that the malware was compiled in the past as part of preparations for a later attack.”

Unlike Shamoon 2, the new version contains a much longer list of filenames used for selecting the name of the dropped executable. The new list does not overlap with previously observed versions of Shamoon.

The new variant presents other anomalies: for example, its list of command and control (C&C) servers was blank. Experts at Chronicle believe that the attackers may have a different connection to the host network and install Shamoon manually.

Another difference is that Shamoon in the past has replaced all files with images that had political significance. The latest variant irreversibly encrypts the files.

The file was uploaded to VirusTotal from Italy, and the malicious files were discovered at around the time the Italian oil services company Saipem announced it had suffered a cyber attack.

“While Chronicle cannot directly link the new Shamoon variant to an active attack, the timing of the malware files comes close to news of an attack on an Italian energy corporation with assets in the Middle East.” Chronicle noted in a statement.

Pierluigi Paganini

(Security Affairs – Wiper, malware)

The post A new variant of Shamoon was uploaded to Virus Total while Saipem was under attack appeared first on Security Affairs.

Some of the servers of the Italian oil and gas services company Saipem were hit by a cyber attack early this week.

Saipem has customers in more than 60 countries, including the Saudi Arabian oil and gas giant Saudi Aramco, so it could be considered a strategic target for a broad range of threat actors.

The attack was identified as coming out of India on Monday and primarily affected servers in the Middle East, including Saudi Arabia, the United Arab Emirates, and Kuwait.

Main operating centers in Italy, France and Britain had not been affected.

The attack affected only a limited number of servers in its infrastructure; Saipem said it is working to restore them from backups, a circumstance that suggests the company may have been hit by ransomware.

Saipem told Reuters the attack originated in Chennai, India, but the identity of the attackers is unknown.

“The servers involved have been shut down for the time being to assess the scale of the attack,” Saipem’s head of digital and innovation, Mauro Piasere, told Reuters.

“There has been no loss of data because all our systems have back-ups,” he added.


The Italian oil services company Saipem confirmed it was hit by a cyber attack, but has shared few details about the incident.

“We have no proof of the origins or reasons for the attack, though this is being investigated,” a Saipem spokesperson said via email.

“We are collecting all the elements useful for assessing the impact on our infrastructures and the actions to be taken to restore normal activities,” the firm said in a statement.

At the time of writing it is impossible to attribute the attack; it is not clear whether the company faced a targeted attack or was hit in a broader campaign carried out by threat actors.

We cannot exclude that the attackers hit the company in order to target its business partners too, for example Saudi Aramco, which suffered Shamoon attacks in 2012 and 2016.

Saipem told media it was reporting the incident to the competent authorities.

Pierluigi Paganini

(Security Affairs – energy industry, cyber attack)

The post Cyber attack hit the Italian oil and gas services company Saipem appeared first on Security Affairs.

Experts from Kaspersky Lab reported that the recently patched Windows kernel zero-day vulnerability (CVE-2018-8611) has been exploited by several threat actors.

Microsoft’s Patch Tuesday updates for December 2018 address nearly 40 flaws, including a zero-day vulnerability affecting the Windows kernel.

The flaw, tracked as CVE-2018-8611, is a privilege escalation issue caused by the failure of the Windows kernel to properly handle objects in memory.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.” reads the security advisory published by Microsoft.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

The vulnerability was reported to Microsoft by researchers at Kaspersky Lab. Kudos to the Kaspersky experts, who in recent months reported two other Windows zero-days, CVE-2018-8453 and CVE-2018-8589, exploited respectively by FruityArmor and by multiple threat actors in attacks mostly aimed at the Middle East.

According to Kaspersky, CVE-2018-8611 is a race condition that resides in the Kernel Transaction Manager and, most interestingly, it could be used to escape the sandbox of the Chrome and Edge web browsers.

“CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.” reads the analysis published by Kaspersky.

“This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.”

Kaspersky has found several builds of the CVE-2018-8611 exploit, including one adapted for the latest versions of Windows.

The flaw was exploited by known threat actors and by a recently discovered group tracked as SandCat, which appears to be active in the Middle East.

SandCat was also using the FinFisher/FinSpy spyware and the CHAINSHOT malware.

According to Kaspersky, SandCat exploited the CVE-2018-8611 flaw in attacks aimed at entities in the Middle East and Africa. 

Pierluigi Paganini

(Security Affairs – SandCat, CVE-2018-8611)

The post New threat actor SandCat exploited recently patched CVE-2018-8611 0day appeared first on Security Affairs.

Security experts at Trend Micro have discovered a new exploit kit, dubbed Novidade (“novelty” in Portuguese), that is targeting SOHO routers to compromise the devices connected to the network equipment.

The Novidade exploit kit leverages cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers and redirect traffic from the connected devices to the IP address under the control of the attackers.

Since its first discovery in August 2017, experts observed three variants of the exploit kit, including one involved in the DNSChanger system of a recent GhostDNS campaign.

Currently, Novidade is used in different campaigns; experts believe it has been sold to multiple threat actors or that its source code has leaked.

Most of the campaigns discovered by the researchers leverage phishing attacks to steal banking credentials in Brazil. Experts also observed campaigns with no specific target geolocation, a circumstance that suggests attackers are expanding their target areas or that a larger number of threat actors are using the exploit kit.

“We found Novidade being delivered through a variety of methods that include malvertising, compromised website injection, and via instant messengers.” reads the analysis published by Trend Micro.


Experts noticed that the landing page performs HTTP requests, generated by the JavaScript Image function, to a predefined list of local IP addresses commonly used by routers. Once a connection is established, the Novidade toolkit queries the IP address to download an exploit payload encoded in base64.

The exploit kit blindly attacks the detected IP address with all its exploits. 

The malicious code also attempts to log into the router with a set of default credentials and then executes a CSRF attack to change the DNS settings.

“Once the router is compromised, all devices connected to it are vulnerable to additional pharming attacks.” continues the analysis.

All the variants of Novidade exploit kit observed by Trend Micro share the same attack chain, but the latest version improves the code on the landing page and adds a new method of retrieving the victim’s local IP address. 

Below is the list of possibly affected router models, based on Trend Micro’s comparison of the malicious code, network traffic, and published PoC code.

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)

Novidade was used mostly to target Brazilian users; the largest campaign has delivered the exploit kit 24 million times since March.

In September and October, Novidade was delivered through instant messenger notifications regarding the 2018 Brazil presidential election, and through compromised websites injected with an iframe that redirected users to Novidade. The latter attack hit websites worldwide.

Trend Micro recommends keeping devices’ firmware up to date, changing the default usernames and passwords on routers, and also changing the router’s default IP address. If not needed, disabling remote access is also recommended, as is using secure web connections (HTTPS) to access sensitive websites in order to defeat pharming attacks.
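A DNSChanger-style compromise of the kind described above leaves a trace on every client behind the router: the resolver handed out by DHCP is no longer the router itself or a known public resolver. The following check, an added example and not Trend Micro’s or the original post’s code, parses a resolv.conf-style resolver list and reports any nameserver that is neither on the LAN nor on an allowlist. The LAN prefix, the allowlist and the sample configurations (including the documentation-range address 203.0.113.7 standing in for an attacker-chosen resolver) are assumptions for the demo.

```python
"""Audit a host's DNS resolver list for a DNSChanger-style hijack.

Added example (not Trend Micro's or the original post's code). It assumes the
host is expected to use either its router on the LAN or one of a small
allowlist of public resolvers; anything else is reported as unexpected.
"""
import ipaddress
import re

# Assumed allowlist of public resolvers; replace with the ones you actually use.
TRUSTED_PUBLIC_RESOLVERS = frozenset(
    ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9")
)

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Extract resolver addresses from resolv.conf-style text, skipping non-IP junk."""
    servers = []
    for match in NAMESERVER_RE.finditer(resolv_conf_text):
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # not an IP literal; ignore it
    return servers


def classify_resolver(addr, lan_network):
    """Label one resolver: 'lan' (the router), 'loopback', 'trusted_public' or 'unexpected'."""
    if addr in lan_network:
        return "lan"
    if addr.is_loopback:
        return "loopback"
    if addr in TRUSTED_PUBLIC_RESOLVERS:
        return "trusted_public"
    return "unexpected"


def audit_resolvers(resolv_conf_text, lan_cidr):
    """Return [(address, label)] for every nameserver found in the text."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return [(str(a), classify_resolver(a, lan)) for a in parse_nameservers(resolv_conf_text)]


def is_hijack_suspected(findings):
    """A pharming attack typically leaves an attacker-chosen resolver in the list."""
    return any(label == "unexpected" for _, label in findings)


# Constructed samples. 203.0.113.7 is a documentation-range address standing in
# for an attacker-controlled resolver; it is not a real IoC from the post.
CLEAN_RESOLV_CONF = "search lan\nnameserver 192.168.1.1\n"
HIJACKED_RESOLV_CONF = "search lan\nnameserver 203.0.113.7\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_RESOLV_CONF), ("hijacked", HIJACKED_RESOLV_CONF)):
        findings = audit_resolvers(text, "192.168.1.0/24")
        print(name, findings, "SUSPICIOUS" if is_hijack_suspected(findings) else "ok")
```

On a real host, feed the contents of /etc/resolv.conf (or the output of the platform’s resolver query tool) to audit_resolvers with your own LAN prefix; a hit on "unexpected" is the moment to compare the router’s DNS settings against what you configured, since the router itself, not the client, is what the kit modifies.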

Pierluigi Paganini

(Security Affairs – Novidade exploit kit, hacking)

The post Novidade, a new Exploit Kit is targeting SOHO Routers appeared first on Security Affairs.

Group-IB, an international company that specializes in preventing cyberattacks, has detected more than 40 000 compromised user credentials of online government services in 30 countries around the world.

Most of the victims were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). Users’ data might have been sold on underground hacker forums or used in targeted attacks to steal money or exfiltrate sensitive information. CERT-GIB (Group-IB’s Computer Emergency Response Team) upon identification of this information promptly warned CERTs of the affected countries about the threat so that risks could be mitigated.

Group-IB Threat Intelligence has detected government websites’ user accounts compromised by cyber criminals in 30 countries. Official government portals including Poland (gov.pl), Romania (gov.ro), Switzerland (admin.ch), the websites of the Italian Ministry of Defense (difesa.it), the Israel Defense Forces (idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge), the Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italy and many other government agencies were affected by the data compromise.

Government employees, military personnel and civilian citizens who had accounts on the official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) became victims of this data compromise. In total, the Group-IB Threat Intelligence system has detected more than 40 000 compromised user accounts of the largest government websites in 30 countries across the world over the past year and a half; Italy (52%), Saudi Arabia (22%) and Portugal (5%) were affected most.

According to Group-IB experts, cyber criminals stole user account data using special spyware: form grabbers and keyloggers such as Pony Formgrabber, AZORult and Qbot (Qakbot). Phishing emails were sent to personal and corporate email accounts. The infection came from malware included as an email attachment disguised as a legitimate file or archive. Once opened, it ran a Trojan aimed at stealing personal information. For instance, Pony Formgrabber retrieves login credentials from the configuration files, databases and secret storage of more than 70 programs on the victim’s computer and then sends the stolen information to the cyber criminals’ C&C server. Another Trojan-stealer, AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallet data. The Qbot worm gathers login credentials through the use of a keylogger, steals cookie files, certificates and active internet sessions, and forwards users to fake websites.

The stolen user account data is usually sorted by subject (banks’ client data, government portal user accounts, combo lists of email and password) and goes on sale on underground hacker forums. It is worth noting that government websites’ user accounts are less common on the forums. Cyber criminals and state-sponsored APT groups specialized in sabotage and espionage are among those who can buy this information. Knowing the credentials of government websites’ users, hackers can not only obtain classified information from these websites, but also infiltrate government networks. Even one compromised government employee’s account can lead to the theft of commercial or state secrets.

“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victim to hackers,” commented Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB). “Malware used by cyber criminals to compromise user accounts continues to evolve. For better protection against this type of attack, it is indeed important not only to use the most up-to-date anti-APT solutions, but also to know the context of the attacks: when, where and how exactly your data was compromised.”

The regularly updated Group-IB Threat Intelligence system provides actionable information about data leaks, compromised accounts, malware, infected IPs and existing vulnerabilities across the world. These unique indicators allow organizations to prepare for cyberattacks in advance. Another important factor is international cooperation. To prevent further incidents, CERT-GIB experts contacted official CERTs in more than 30 countries and notified local incident response teams about the data compromise.

“Threat Intelligence data exchange between official government CERTs is crucial for the global fight against cybercrime,” highlights Alexandr Kalinin. “It is important for us to cooperate with other CERTs, which allows us to provide rapid incident response and gather more information about hackers’ evolving tactics and tools, indicators of compromise, and the most urgent threats. Cybercrime has no borders and affects private and public companies and ordinary citizens. International data exchange on current threats is a backbone of global stability.”

About the author: Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. 

Pierluigi Paganini

(Security Affairs – leaked credentials, cybercrime)

The post Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries appeared first on Security Affairs.

The Seedworm APT Group has targeted more than 130 victims in 30 organizations since September including NGOs, oil and gas, and telecom businesses.

According to new research conducted by Symantec’s DeepSight Managed Adversary and Threat Intelligence (MATI) team, the Seedworm APT group, aka MuddyWater, is rapidly evolving and has extended its targets to the telecom, IT services, and oil and gas industries.

The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation. 

“We not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the initial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of this unique visibility, our analysts were able to trace what actions Seedworm took after they got into a network.”

“Seeing two active groups piqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new information about Seedworm.” reads the analysis published by Symantec.

The experts were able to gather further information on the group: of the 131 victims hit from mid-September to late November 2018, 39% were in Pakistan, 14% in Turkey, 8% in Russia, and 5% in Saudi Arabia.

Most of the targets were in the telecommunications and IT services sectors.


Experts believe that the Seedworm APT is focused on telecommunications and IT services because it is interested in gaining access to the customers of those firms.

Changing Tools and Techniques

Seedworm threat actors regularly adopt new tactics, techniques and tools to remain under the radar. 

In recent campaigns, the cyber espionage group used new variants of its Powermud backdoor, a new backdoor (Powermuddy), and custom tools designed to steal passwords, create reverse shells and escalate privileges, as well as the native Windows cabinet creation tool.

“We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded.” continues the analysis.

“The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location.”
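The makecab.exe detail in the Symantec quote is a useful hunting lead: the cabinet tool is legitimately run by installers, so what stands out is a script host as its parent and user-profile documents as its input. The block below, an added example and not Symantec’s code, scores process-creation events against those two signals plus a typical staging output path. The pipe-delimited event layout, the sample telemetry lines and the scoring weights are assumptions for the demo.

```python
"""Detect makecab.exe being used to stage collected data for upload.

Added example, not Symantec's code. It scans process-creation events in a
constructed pipe-delimited form (timestamp|image|parent_image|command_line);
the field layout, the sample lines and the scoring weights are assumptions.
"""

# Shells and script hosts that should rarely be the direct parent of makecab.exe.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Source paths suggesting the cabinet is built from user data, not installer files.
USER_DATA_HINTS = ("\\users\\", "\\documents", "\\desktop", "\\appdata\\")

# Output locations commonly used to park an archive before it is uploaded.
STAGING_HINTS = ("\\temp\\", "\\programdata\\", "\\public\\")

ALERT_THRESHOLD = 2


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one pipe-delimited event into a dict (command lines never contain '|' here)."""
    ts, image, parent, cmdline = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "image": image, "parent": parent, "cmdline": cmdline}


def score_event(event):
    """Return (score, reasons); anything that is not makecab.exe scores 0."""
    if basename(event["image"]) != "makecab.exe":
        return 0, []
    cmd = event["cmdline"].lower()
    parent = basename(event["parent"])
    score, reasons = 0, []
    if parent in SCRIPT_HOSTS:
        score += 2
        reasons.append("spawned by script host " + parent)
    if any(hint in cmd for hint in USER_DATA_HINTS):
        score += 2
        reasons.append("compresses files under a user profile")
    if any(hint in cmd for hint in STAGING_HINTS):
        score += 1
        reasons.append("writes to a typical staging directory")
    return score, reasons


def detect(lines):
    """Return [(timestamp, score, reasons)] for events at or above the alert threshold."""
    hits = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= ALERT_THRESHOLD:
            hits.append((event["ts"], score, reasons))
    return hits


# Constructed sample telemetry (not IoCs from the Symantec report).
SAMPLE_EVENTS = [
    r"2018-11-20T09:12:03Z|C:\Windows\System32\makecab.exe|C:\Windows\System32\msiexec.exe|makecab.exe /F C:\Program Files\Vendor\setup.ddf",
    r"2018-11-20T09:14:55Z|C:\Windows\System32\makecab.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|makecab.exe C:\Users\alice\Documents\contracts.xlsx C:\Windows\Temp\c.cab",
    r"2018-11-20T09:15:10Z|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    for ts, score, reasons in detect(SAMPLE_EVENTS):
        print(ts, score, "; ".join(reasons))
```

The installer-driven run scores zero and the PowerShell-driven run scores five, which is the separation you want before wiring the same logic to real Sysmon or EDR process-creation events; tune the hint lists to your own environment, since build servers and backup agents legitimately use makecab.exe too.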

Once a machine is compromised with its backdoors, the threat actors deploy a tool to steal passwords saved in browsers and for email accounts, social media, and chat services.

The attackers are very agile; they also used publicly available tools to quickly update their operations.

Unlike other APT groups that adopt custom malware for each campaign, Seedworm threat actors were more focused on the ability to quickly adapt their actions to the specific circumstances.

According to Symantec, there is evidence of Seedworm following the people who are analyzing their activities.

Further details, including IoCs, are available in the report published by Symantec.

Pierluigi Paganini

(Security Affairs – Seedworm, APT)

The post Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept appeared first on Security Affairs.

Google announced it will close the consumer version of Google+ earlier than originally planned due to the discovery of a new security flaw.

Google will close the consumer version of Google+ in April, four months earlier than planned. According to G Suite product management vice president David Thacker, the company will maintain only a version designed for businesses. Google will also shut down the application programming interfaces (APIs) used by developers to access Google+ data within 90 days, due to the discovery of a bug.

“We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API.” wrote David Thacker.

“We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”

The new flaw was introduced with a software update in November and it was discovered during routine testing and quickly fixed by the experts of the company.

Thacker pointed out that the protection of Google users is a priority for the firm, and for this reason all Google+ APIs will be shut down soon.

“With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs,” Thacker said.

“While we recognize there are implications for developers, we want to ensure the protection of our users.”


According to Google, the vulnerability affected approximately 52.5 million users, allowing applications to see profile information such as name, occupation, age, and email address even if access was set to private.

Google initially announced plans to shut down Google+ after discovering a bug that exposed private data in as many as 500,000 accounts.

At the time, there was no evidence that developers had taken advantage of the flaw.

Google is in the process of notifying any enterprise customers that were impacted by this flaw.

“A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered.” concludes Thacker. 

Pierluigi Paganini

(Security Affairs – Google+, social network)

The post Google will shut down consumer version of Google+ earlier due to a bug appeared first on Security Affairs.

Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs. 

Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools.

The malware is distributed through Adobe Zii, an application that supposedly helps in the piracy of various Adobe programs. In this case, the attackers used a fake Adobe Zii that was definitely not the real thing.

“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by MalwareBytes.

“The malware was being distributed through an application named Adobe Zii.”

The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, which appears to be a version of Adobe Zii, most likely so that the malware passes as a harmless application.

The Python script looks for the presence of Little Snitch, a commonly used outgoing firewall, and halts the infection process if it is present.

Then the script opens a connection to an EmPyre backend that can send arbitrary commands to the compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The malicious code also installs the XMRig cryptominer and creates a launch agent for it. 
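Both persistence mechanisms described above are LaunchAgent plists, which makes the user’s LaunchAgents folder the natural place to look on a suspect Mac. The block below, an added example and not Malwarebytes’ code, parses plists with the standard plistlib module and flags an agent whose program is an interpreter fed inline, self-decoding code, reporting the RunAtLoad/KeepAlive combination only when something else already looks wrong. The two sample plists are constructed to resemble the behaviour in the analysis; the benign label and the base64 string are made up.

```python
"""Audit macOS LaunchAgent plists for DarthMiner-style persistence.

Added example, not Malwarebytes' code. The two plists below are constructed
to resemble what the analysis describes (an agent that re-runs an obfuscated
inline Python script) and a benign vendor agent; the benign label and the
base64 string are made up for the demo.
"""
import os
import plistlib
import re

INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "osascript", "perl", "ruby"}
INLINE_CODE_FLAGS = {"-c", "-e"}
# Signs that the inline code is packed or decodes itself before running.
OBFUSCATION_RE = re.compile(r"base64|b64decode|exec\(|eval\(|\\x[0-9a-f]{2}", re.IGNORECASE)


def audit_launch_agent(plist_bytes):
    """Return (label, findings) for one plist; an empty findings list means nothing stood out."""
    data = plistlib.loads(plist_bytes)
    label = data.get("Label", "<no label>")
    args = list(data.get("ProgramArguments") or [])
    if not args and "Program" in data:
        args = [data["Program"]]
    findings = []
    if args:
        interpreter = os.path.basename(args[0]).lower()
        tail = args[1:]
        if interpreter in INTERPRETERS and any(a in INLINE_CODE_FLAGS for a in tail):
            findings.append("interpreter runs inline code instead of a script file")
        if OBFUSCATION_RE.search(" ".join(tail)):
            findings.append("arguments look encoded or self-decoding")
    # RunAtLoad + KeepAlive is normal for many agents; report it only alongside another finding.
    if findings and data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("kept alive at every login (RunAtLoad + KeepAlive)")
    return label, findings


def scan_launch_agents(directory):
    """Audit every .plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    results = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                results.append((name,) + audit_launch_agent(fh.read()))
            except Exception as exc:  # an unreadable plist is itself worth a look
                results.append((name, "<unparsable>", ["could not parse: %s" % exc]))
    return results


# Constructed to mirror the com.proxy.initialize agent described in the analysis.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.proxy.initialize</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python</string>
        <string>-c</string>
        <string>import base64,sys;exec(base64.b64decode('cHJpbnQoJ2NvbnN0cnVjdGVkJyk='))</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# Constructed benign agent: a vendor binary with ordinary arguments.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/updater</string>
        <string>--check-interval</string>
        <string>3600</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(audit_launch_agent(sample))
```

Run scan_launch_agents on ~/Library/LaunchAgents and /Library/LaunchAgents (and the LaunchDaemons folders for root-level persistence) during triage; the audit is deliberately conservative, so a plist with findings deserves a look at the referenced script, not automatic deletion.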

The analysis of the code revealed another interesting feature, the code to download and install a root certificate for the mitmproxy tool.

“Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.” continues the analysis.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis.

“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.

Pierluigi Paganini

(Security Affairs – Mac malware, backdoor)

The post A new Mac malware combines a backdoor and a crypto-miner appeared first on Security Affairs.

The British teenager George Duke-Cohan (19) has been sentenced to three years in prison for making false bomb threats and carrying out DDoS attacks.

Duke-Cohan was arrested on August 31 by the U.K. National Crime Agency (NCA); the teenager, aka “7R1D3N7,” “DoubleParallax” and “optcz1,” pleaded guilty to three counts of making hoax bomb threats.

According to the investigators, the young man is the leader of the Apophis Squad, the hacking group that sent bomb threats to thousands of schools in the United Kingdom and the United States.

The group is also known for launching massive DDoS attacks against encrypted email provider ProtonMail, the popular investigator Brian Krebs, the DEF CON hacking conference, and government agencies worldwide.

The team was also offering a DDoS-for-hire service with many similarities to the booter run by the popular Lizard Squad hacking crew.

He has admitted making bomb threats to thousands of schools, in many cases resulting in evacuations, and to a United Airlines flight traveling from the U.K. to San Francisco in August. The NCA says the teenager has also admitted making a prank call claiming that the flight had been hijacked by gunmen, including one carrying a bomb.

Cohan has now been sentenced to one year in prison for the bomb hoaxes targeting schools, and two years for the airport attack.

Unfortunately for the British youngster, he will face additional charges in the United States, even if the indictment has yet to be announced.

Before sentencing, the judge noted that Duke-Cohan’s early guilty pleas, his age, no prior criminal record and, to a limited extent, his “functioning deficiencies which have contributed to a diagnosis of autism,” were taken into consideration. However, these mitigating factors only helped his case to a certain degree.

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow,” said Judge Richard Foster.

“You were playing a cat-and-mouse game with the authorities. You were playing a game for your own perverted sense of fun in full knowledge of the consequences.”

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow,” Judge Richard Foster said, quoted by the Daily Mail. “What you did was far removed from anything that could be described as naivety or a cry for help from a sick person.”

Pierluigi Paganini

(Security Affairs – cybercrime, DDoS)

The post Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS appeared first on Security Affairs.

The Linux.org website was defaced last week via a DNS hijack: attackers broke into the associated registrar account and changed the DNS settings.

Attackers changed the defacement page a few times; they protested against the new Linux kernel developer code of conduct in a regrettable way, with racial slurs and an image of an individual showing their anus.


The defacement page also includes links and a Twitter account (@kitlol5) believed to be under the control of the attacker.

The person who was operating the Twitter account posted a screenshot showing that they had access to the Network Solutions account of Michelle McLagan, who evidently owns linux.org, and modified the DNS settings.

“This evening someone got into my partner’s netsol account and pointed linux.org DNS to their own cloudflare account. The production env (web / db) wasn’t touched. DNS was simply pointing to another box.” one of the Linux.org admins wrote on Reddit.

“She’s working with netsol to prove ownership, etc.. and we’re hoping things will be cleared up in the morning.”

The hacker did not access the servers hosting Linux.org, and user data was not compromised.

How to prevent this kind of incident?

Administrators should enable multi-factor authentication (MFA) on their registrar and DNS provider accounts.

“I think it was a combination of public whois info and no MFA that led to this,” added the Linux.org admin.

“There’s always one thing – they found the weakest link and exploited it.”

After the incident, admins have enabled MFA on all accounts.
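MFA on the registrar account is the prevention; the detection side of the same incident is noticing that your zone’s delegation has been repointed, which in this case happened outside the production servers and so left no trace there. The block below, an added example and not linux.org’s or its admins’ code, diffs a recorded baseline of a zone’s NS and A answers against a fresh snapshot and ranks the change by record type, so a swapped nameserver set is reported as critical. Both snapshots are constructed in dig-style presentation format; the nameserver names and addresses are placeholders, not the real linux.org records.

```python
"""Compare a zone's current delegation and address answers with a baseline.

Added example, not linux.org's or its admins' code. Both snapshots are
constructed in dig-style presentation format (owner ttl class type rdata);
the nameserver names and addresses are placeholders, not the real records.
"""

# How much a change to each record type should worry you.
SEVERITY = {"NS": "critical", "SOA": "critical", "A": "high", "AAAA": "high", "MX": "high", "TXT": "low"}
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


def parse_answers(text):
    """Turn dig-style answer lines into {rrtype: set(rdata)}; comments and blanks are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        rrtype = parts[3].upper()
        # DNS names are case-insensitive; drop the trailing dot so both snapshots normalize alike.
        rdata = " ".join(parts[4:]).lower().rstrip(".")
        records.setdefault(rrtype, set()).add(rdata)
    return records


def diff_snapshots(baseline_text, observed_text):
    """List every record set that differs between the two snapshots, with a severity."""
    base, obs = parse_answers(baseline_text), parse_answers(observed_text)
    changes = []
    for rrtype in sorted(set(base) | set(obs)):
        added = obs.get(rrtype, set()) - base.get(rrtype, set())
        removed = base.get(rrtype, set()) - obs.get(rrtype, set())
        if added or removed:
            changes.append({
                "type": rrtype,
                "severity": SEVERITY.get(rrtype, "medium"),
                "added": sorted(added),
                "removed": sorted(removed),
            })
    return changes


def worst_severity(changes):
    """Highest severity among the changes, or 'none' when nothing changed."""
    return max((c["severity"] for c in changes), key=SEVERITY_ORDER.index, default="none")


# Constructed baseline taken on a known-good day (placeholder names and addresses).
BASELINE_SNAPSHOT = """; baseline
linux.org.   3600  IN  NS  ns1.registrar-dns.example.
linux.org.   3600  IN  NS  ns2.registrar-dns.example.
linux.org.   300   IN  A   192.0.2.10
"""

# Constructed snapshot after a registrar-account takeover repointed the zone.
OBSERVED_SNAPSHOT = """; observed
linux.org.   3600  IN  NS  ns1.other-dns.example.
linux.org.   3600  IN  NS  ns2.other-dns.example.
linux.org.   300   IN  A   198.51.100.20
"""

if __name__ == "__main__":
    changes = diff_snapshots(BASELINE_SNAPSHOT, OBSERVED_SNAPSHOT)
    for change in changes:
        print(change)
    print("worst:", worst_severity(changes))
```

In practice the observed snapshot comes from querying the parent zone’s servers (and a couple of public resolvers) on a schedule and feeding the answer section to diff_snapshots; any NS change you did not make yourself is the earliest reliable signal that the registrar account, not the web host, has been taken over.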

Pierluigi Paganini

(Security Affairs – DNS hijack, hacking)

The post Hackers defaced Linux.org with DNS hijack appeared first on Security Affairs.