Archive for April 2017

MilkyDoor Infests 200 Android Apps

About 200 unique Android apps have been embedded with the MilkyDoor backdoor, which is built to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data.

According to Trend Micro, the trojanized apps masquerade as recreational applications like style guides and Doodle applications, and are likely legitimate apps which cyber-criminals have repackaged and then republished in Google Play, banking on their popularity to draw victims. One of the apps had installs ranging between 500,000 and a million on Google Play.

“MilkyDoor is similar to DressCode—an Android malware family that adversely affected enterprises—given that both employ a proxy using Socket Secure (SOCKS) protocol to gain a foothold into internal networks that infected mobile devices connect to,” explained Trend Micro researchers Echo Duan and Jason Gu, in an analysis. “MilkyDoor, maybe inadvertently, provides attackers a way to conduct reconnaissance and access an enterprise’s vulnerable services by setting the SOCKS proxies. Further, this is carried out without the user’s knowledge or consent.”

MilkyDoor does add some new functionality, including clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic.

“The way MilkyDoor builds an SSH tunnel presents security challenges for an organization’s network, particularly in networks that integrate BYOD devices,” the researchers said. “Its stealth lies in how the infected apps themselves don’t have sensitive permissions and consequently exist within the device using regular or seemingly benign communication behavior.”

MilkyDoor can covertly grant attackers direct access to a variety of an enterprise’s services on the internal network, from web and FTP to SMTP. From there, they can pivot and locate exposed, vulnerable servers and internal databases that lack authentication mechanisms.
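The traffic shape described above (a device on the BYOD segment holding a long-lived outbound SSH session to an external host, with a large volume of data flowing back in, as a tunnelled SOCKS pivot would produce) is something a network team can hunt for in flow records. The following is an added example and not Trend Micro's code: the flow-record format, the 10.50.0.0/16 BYOD subnet, the duration and byte thresholds, and the sample records are all constructed assumptions.

```python
"""Flag BYOD-subnet devices holding long-lived outbound SSH sessions to external
hosts, the shape a reverse SSH tunnel used for SOCKS pivoting tends to produce.
Added example, not vendor code; log format, subnets and thresholds are assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records: src dst dport duration_s bytes_out bytes_in
SAMPLE_FLOWS = """\
10.50.3.21 93.184.216.34 443 12 4021 88213
10.50.3.21 198.51.100.7 22 5400 912344 1533210
10.50.3.44 198.51.100.7 22 3 1200 900
10.20.1.9 10.20.1.5 22 4000 50000 80000
10.50.3.77 203.0.113.10 22 7200 2231344 4012990
"""

# Assumed addressing: BYOD/mobile VLAN and the RFC 1918 ranges that count as internal.
BYOD_NETS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed thresholds: an interactive SSH session rarely lasts 10+ minutes while
# pulling 100 KB+ back from the server; a tunnel relaying internal services does.
MIN_DURATION_S = 600
MIN_BYTES_IN = 100_000


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration: int
    bytes_out: int
    bytes_in: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines into Flow records (blank lines skipped)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, dur, out_b, in_b = line.split()
        flows.append(Flow(src, dst, int(dport), int(dur), int(out_b), int(in_b)))
    return flows


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def suspicious_tunnels(flows: list[Flow]) -> list[Flow]:
    """Outbound SSH from the BYOD segment to a non-internal host, long-lived and
    carrying substantial server-to-client volume."""
    return [
        f for f in flows
        if f.dport == 22
        and in_any(f.src, BYOD_NETS)
        and not in_any(f.dst, INTERNAL_NETS)
        and f.duration >= MIN_DURATION_S
        and f.bytes_in >= MIN_BYTES_IN
    ]


def summarize(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each flagged BYOD device to the external SSH endpoints it reached."""
    report: dict[str, list[str]] = {}
    for f in suspicious_tunnels(flows):
        report.setdefault(f.src, []).append(f.dst)
    return report


if __name__ == "__main__":
    for device, endpoints in summarize(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{device}: long-lived outbound SSH to {', '.join(endpoints)}")
```

The short 3-second session and the server-to-server SSH inside the data-centre range are deliberately left unflagged; the rule is meant as a triage filter for a mobile segment, not a generic SSH alarm, and the thresholds should be tuned against the baseline of the network it runs on.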

“Tracing the malware and the SDK revealed that they were distributed as early as August 2016,” the researchers said. “The earlier iterations were adware integrators, with the backdoor capabilities added in version 1.0.3. Our research into MilkyDoor also pointed us to a traffic arbitrage service being advertised in a Russian bulletin board system (BBS). We construe that the SSH tunnel MilkyDoor builds is also used to create fake traffic and perpetrate click fraud to generate more revenue for the attackers.”

Best practices mobile users can adopt to protect themselves from MilkyDoor and threats like it include exercising caution with suspicious apps and keeping the device’s OS up to date.

Source: Information Security Magazine

SAP NetWeaver Flaws Allow Attackers Access to Enterprise Websites

Vulnerabilities in the SAP NetWeaver platform open the door for attackers to intercept login credentials, register keystrokes, spoof data or perform other illegal activities that could potentially lead to a system compromise.

Positive Technologies has detected the flaws, present in the SAP Enterprise Portal Navigation, SAP Enterprise Portal Theme Editor and the SAP NetWeaver Log Viewer components of the platform.

"Large companies all over the world use SAP to manage financial flows, product lifecycle, relationships with vendors and clients, company resources, procurement and other critical business processes,” said Dmitry Gutsko, head of the Business System Security Unit at Positive Technologies. “It is vital to protect the information stored in SAP systems, as any breach of confidential information could have a devastating impact on the business."

Four cross-site scripting (XSS) vulnerabilities were detected in the SAP Enterprise Portal Navigation (CVSSv3 score 6.1) and SAP Enterprise Portal Theme Editor (three flaws with CVSSv3 scores 5.4, 6.1, and 6.1). Exploiting these vulnerabilities, an attacker could obtain access to a victim's session tokens, login credentials or other sensitive information in the browser, perform arbitrary actions on the victim's behalf, rewrite HTML page content and intercept keystrokes.

Another vulnerability—Directory Traversal—allows arbitrary file upload in the SAP NetWeaver Log Viewer. This allows attackers to upload files to an arbitrary place on the server file system. The consequences can include total compromise of a system, overload of a file system or database, expanding attacks to back-end systems and defacement.
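The directory traversal class described above comes down to a server joining a client-supplied file name onto its upload directory without checking that the result stays inside it. The following is an added example and is not SAP's code or the NetWeaver Log Viewer's logic: it contrasts that vulnerable pattern with a hardened resolver, using an assumed upload root of /srv/app/uploads and a constructed allow-list for file names.

```python
"""Vulnerable vs hardened resolution of an upload target path.
Added example; the upload root and name policy are assumptions, not SAP's."""
import posixpath
import re

UPLOAD_ROOT = "/srv/app/uploads"  # assumed upload directory

# Allow-list for client-supplied names: alphanumeric start, then a bounded run of
# safe characters. Excludes '/', '\\', NUL and leading dots, so '..' cannot match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def unsafe_target(root: str, filename: str) -> str:
    """Vulnerable pattern: trusts the client name, so '../' segments climb out
    of the upload root after normalisation."""
    return posixpath.normpath(posixpath.join(root, filename))


def is_valid_upload_name(filename: str) -> bool:
    """A name is acceptable only if it has no directory component and matches
    the allow-list."""
    return posixpath.basename(filename) == filename and SAFE_NAME.match(filename) is not None


def safe_target(root: str, filename: str) -> str:
    """Hardened resolver: allow-list the name, then confirm the normalised
    result is still under the root. Raises ValueError on any violation."""
    root = posixpath.normpath(root)
    if not is_valid_upload_name(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    target = posixpath.normpath(posixpath.join(root, filename))
    # Defence in depth: even a name that slipped past the allow-list must resolve
    # inside the root. commonpath returns root only when target is beneath it.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError(f"upload target escapes root: {target}")
    return target


def resolve_all(root: str, names: list[str]) -> dict[str, str]:
    """Resolve a batch of constructed names, recording the outcome per name."""
    results = {}
    for name in names:
        try:
            results[name] = safe_target(root, name)
        except ValueError as exc:
            results[name] = f"REJECTED ({exc})"
    return results


if __name__ == "__main__":
    # Constructed inputs: one benign name, two traversal attempts, one nested path.
    for name, outcome in resolve_all(UPLOAD_ROOT, ["trace.log", "../../outside.txt", "..", "sub/trace.log"]).items():
        print(f"{name!r:22} -> {outcome}")
```

Checking the normalised path against the root is kept even though the allow-list already excludes separators; if the name policy is ever relaxed, the containment check is what still holds the line. On a real server the same check should be made against the resolved real path (symlinks followed) rather than the string form alone.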

Remediation guidelines can be found in SAP Security notes No. 2369469, 2372183, 2372204, and 2377626. 

“SAP collaborates frequently with research companies such as Positive Technologies to ensure a responsible disclosure of vulnerabilities," the company said via email. "The vulnerabilities in question have been fixed by SAP and the patches have been made available for download. For details please visit the SAP Product Security Response page."

It added, "Our recommendation to all our customers is to implement SAP security patches as soon as they are available – typically on the second Tuesday of every month. Timely security patching of SAP systems is the best policy to protect SAP infrastructure from attacks.”

Source: Information Security Magazine

Employees Are Sharing Confidential Info at Alarming Rates

Nearly three in four employees (72%) are willing to share sensitive, confidential or regulated company information, and more than one in three employees say it’s common to take confidential corporate data with them when leaving a company.

Those alarming stats are from the Dell End-User Security Survey, which found that not only are many employees likely to share confidential information, but that they are doing so without proper data security protocols in place or in mind.

Results show that today’s workforce is caught between two imperatives: be productive and efficient on the job and maintain the security of company data. To address data security issues, companies must focus on educating employees and enforcing policies and procedures that secure data wherever they go, without hindering productivity. So far, they’re falling down on the job: A full 76% of employees feel their company prioritizes security at the expense of employee productivity.

Survey results indicate that among the professionals who work with confidential information on a regular basis, there is a lack of understanding in the workplace regarding how confidential data should be shared and data security policies.

“This lack of clarity and confusion is not without merit; there are many circumstances under which it makes sense to share confidential information in order to push business initiatives forward,” the report noted. This opens the door to a wide range of reasons for sharing which include: Being directed to do so by management (43%); sharing with a person authorized to receive it (37%); determining that the risk to their company is very low and the potential benefit of sharing information is high (23%); feeling it will help them do their job more effectively (22%); feeling it will help the recipient do their job more effectively (13%).

The survey found that when employees handle confidential data, they often do so insecurely by accessing, sharing and storing the data in unsafe ways. Almost half (45%) of employees admit to engaging in unsafe behaviors throughout the work day. These include connecting to public Wi-Fi to access confidential information (46%), using personal email accounts for work (49%) or losing a company-issued device (17%).

About a quarter (24%) of respondents indicated they do these things to get their job done, and 18% say they did not know they were doing something unsafe. Only 3% of respondents said they had malicious intentions when conducting unsafe behaviors.

“When security becomes a case-by-case judgement call being made by the individual employee, there is no consistency or efficacy,” said Brett Hansen, vice president of Endpoint Data Security and Management at Dell. “These findings suggest employees need to be better educated about data security best practices, and companies must put procedures in place that focus first and foremost on securing data while maintaining productivity.”

Four in five employees in financial services (81%) would share confidential information, and employees in education (75%), healthcare (68%) and federal government (68%) are also open to disclosing confidential or regulated data at alarmingly high rates. Employees take on unnecessary risk when storing and sharing their work, with 56% using public cloud services such as Dropbox, Google Drive, iCloud and others to share or back-up their work; and 45% of employees will use email to share confidential files with third-party vendors or consultants.

Ironically, nearly two in three employees (65%) feel it is their responsibility to protect confidential information, including educating themselves on possible risks and behaving in a way that protects their company, and 36% of employees feel very confident in their knowledge of how to protect sensitive company information.

Nearly two in three (63%) employees are required to complete cybersecurity training on protecting sensitive data. However, of those who received cybersecurity training, 18% still conducted unsafe behavior without realizing what they were doing was wrong, whereas 24% conducted unsafe behavior anyway in order to complete a task.

“While every company has different security needs, this survey shows how important it is that all companies make an effort to better understand daily tasks and scenarios in which employees may share data in an unsafe way,” said Hansen. “Creating simple, clear policies that address these common scenarios in addition to deploying endpoint and data security solutions is vital in order to achieve that balance between protecting your data and empowering employees to be productive.”

Source: Information Security Magazine

Interpol Spots Thousands of C&C Servers Across Asean

Interpol is claiming success after discovering close to 9000 C&C servers and 270 infected websites across the Asean region.

The global police network’s Singapore-based Global Complex for Innovation (IGCI) teamed up with investigators from Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam on the initiative, with cyber-intelligence also supplied by China.

Interpol officers also liaised with multiple private sector firms: Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, BT, Fortinet and Palo Alto Networks.

Thanks to their combined efforts, officers found 8800 C&C servers across eight countries, responsible for financial malware, ransomware, Distributed Denial of Service (DDoS) attacks and spam.

Investigators also found close to 270 infected websites including some government portals, potentially exposing data on citizens.

Hackers managed to compromise these by exploiting an unnamed vulnerability in a web design app, Interpol claimed.

The law enforcement organization also claimed to have “identified” a number of phishing website operators including one with links to Nigeria and one selling phishing kits on the darknet who has posted to YouTube.

The investigation is far from over, but Interpol is keen to show the value of public-private partnerships in tackling cross-border cybercrime.

“With direct access to the information, expertise and capabilities of the private sector and specialists from the Cyber Fusion Centre, participants were able to fully appreciate the scale and scope of cybercrime actors across the region and in their countries,” said IGCI executive director Noboru Nakatani.

“Sharing intelligence was the basis of the success of this operation, and such cooperation is vital for long-term effectiveness in managing cooperation networks for both future operations and day-to-day activity in combating cybercrime.”

Those involved from the private sector lined up to confirm their support for such initiatives.

“The greatest threats to global cybersecurity are those that emanate from cyber-criminal undergrounds,” noted Trend Micro chief cybersecurity officer, Ed Cabrera.

“What is needed is a global cybersecurity strategy that leverages the power of public-private partnerships to disrupt, degrade and deny cyber-criminals’ freedom of movement and the ability to monetize their attacks. Collaboration with Interpol in takedowns such as this cyber surge is exemplary towards this goal.”

Source: Information Security Magazine

Locky Returns via Necurs Botnet

Researchers from Cisco Talos have observed the first large scale Locky campaign in months via the Necurs botnet.

In a post on the firm’s website on Friday April 21, Nick Biasini explained that Talos had seen in excess of 35,000 emails in the space of several hours associated with this newest wave of Locky.

“This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam”, he wrote.

Locky was the dominant ransomware threat for the majority of 2016, but its distribution declined dramatically in the latter stages of last year.

“This could be the first significant wave of Locky distribution in 2017,” Biasini added. “The payload hasn't changed but the methodology has; the use of PDFs requiring user interaction was recently seen by Dridex and has now been co-opted into Locky. This is an effective technique to defeat sandboxes that do not allow user interaction and could increase the likelihood of it reaching an end user's mailbox.”

This latest Locky surge is proof that cyber-criminals continue to evolve and adapt their techniques for maximum impact and profit, and highlights the ever-changing threat of email based malware.

To conclude, Biasini pointed to the following as defences against this type of risk:
•    Advanced Malware Protection (AMP)
•    CWS or WSA web scanning
•    Email Security
•    The Network Security protection of IPS and NGFW
•    AMP Threat Grid
•    Umbrella, our secure internet gateway (SIG)

Source: Information Security Magazine

Giant Viagra Botnet Claims 80K Devices

A massive Viagra spam campaign has been uncovered, found to be enlarged by 80,000 compromised devices.

The sheer size of the operation is notable: in the course of an investigation by Incapsula, researchers were able to intercept payloads with details of 51 websites used by spammers to sell counterfeit drugs. These were located in China, Malaysia, Vietnam, Ukraine, France, Taiwan, Russia, Indonesia and Romania.

Tracing back the IPs of these websites, researchers discovered 1,005 more active domains, presumably used by spammers. Of these, 72.2% are hosted in Russia and the rest are hosted in France.

No less impressive is the size of the botnet that controlled this network of compromised websites. Over a period of 14 days, researchers intercepted communications from 86,278 unique IPs worldwide. The firm determined that the bulk of the botnet IPs belonged to some type of web browsing devices (e.g., home computers) that were compromised through an application layer attack, such as a malicious browser add-on.

According to Incapsula, the innovative spam campaign also was built to circumvent security countermeasures.

The malware was programmed to construct spam emails from remotely received payloads containing certain parameters. The malware would decode these parameters, create the spam email and send it out using the email function from the sites’ configured SMTP server. Each payload had eight layers of base64 encoding, plus three more for each pipe (‘|’) separated parameter.
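A payload layered like the one described above (eight rounds of base64 around the whole message, three more around each pipe-separated field) can be unpacked mechanically, and an analyst usually does not know the depth in advance. The following is an added example and not Incapsula's code: it builds a constructed payload in that shape, decodes it at the fixed depths the article gives, and also shows a depth-agnostic peel that stops when the data stops being valid base64. The field names and values are invented.

```python
"""Unwrap nested base64 payloads with '|'-separated fields.
Added example; the 8 and 3 layer counts come from the article, everything
else (field names, sample values, the peel heuristic) is constructed."""
import base64
import binascii

OUTER_LAYERS = 8  # from the article: eight layers around the whole payload
PARAM_LAYERS = 3  # from the article: three more around each '|'-separated field


def wrap(data: bytes, layers: int) -> bytes:
    """Apply base64 `layers` times (only used to build the constructed sample)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


def unwrap(data: bytes, layers: int) -> bytes:
    """Remove exactly `layers` rounds of base64; raises if any round is malformed."""
    for _ in range(layers):
        data = base64.b64decode(data, validate=True)
    return data


def build_sample_payload(fields: list[str]) -> bytes:
    """Constructed payload in the shape described: 3 layers per field, joined
    with '|', then 8 layers around the whole thing."""
    inner = b"|".join(wrap(f.encode("ascii"), PARAM_LAYERS) for f in fields)
    return wrap(inner, OUTER_LAYERS)


def decode_payload(blob: bytes) -> list[str]:
    """Fixed-depth decode using the layer counts reported for this campaign."""
    inner = unwrap(blob, OUTER_LAYERS)
    return [unwrap(part, PARAM_LAYERS).decode("ascii") for part in inner.split(b"|")]


def peel(data: bytes, max_layers: int = 64) -> tuple[int, bytes]:
    """Depth-agnostic unwrap: keep decoding while the input is strict base64 and
    the output is printable ASCII. Returns (layers_removed, innermost_bytes).
    Heuristic caveat: plaintext that happens to be pure base64 alphabet would be
    decoded one layer too far, so inspect the result rather than trusting it blindly."""
    removed = 0
    while removed < max_layers:
        try:
            nxt = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        if not nxt or any(b < 0x20 or b > 0x7E for b in nxt):
            break
        data, removed = nxt, removed + 1
    return removed, data


def analyze(blob: bytes) -> tuple[int, list[tuple[int, str]]]:
    """Peel the outer wrapping, split on '|', peel each field; report depths."""
    outer_n, inner = peel(blob)
    fields = []
    for part in inner.split(b"|"):
        n, plain = peel(part)
        fields.append((n, plain.decode("ascii", "replace")))
    return outer_n, fields


# Constructed sample fields (no real addresses or domains).
SAMPLE_FIELDS = ["recipient=analyst@example.invalid", "subject=Test message", "link=http://example.invalid/landing"]

if __name__ == "__main__":
    blob = build_sample_payload(SAMPLE_FIELDS)
    print(f"payload length after {OUTER_LAYERS} outer layers: {len(blob)} bytes")
    outer_n, fields = analyze(blob)
    print(f"outer layers peeled: {outer_n}")
    for depth, value in fields:
        print(f"  [{depth} layers] {value}")
```

The peel loop is what matters in practice: with strict validation (`validate=True`) the decoder stops on the first byte outside the base64 alphabet, so the `|` separator halts the outer loop at exactly the eighth layer, and the `=`, `@`, `:` or space in each decoded field halts the inner loops at three. Note also how quickly eight rounds of base64 inflate the message; that growth (each round adds a third) is itself a cheap signal for a spam filter inspecting outbound mail.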

“We realized that what we had here is an elaborate attack built to bypass spam filters—the type that identifies unwanted messages based on sender identity and links to known malicious domains,” researchers noted. “The hustle works by pairing two compromised domains—one to issue out spam emails and the other to reroute visitors to the fake pharmacy store. [And] doesn’t account for the added complexity of running the scam over a network of interlinking sites, spewing out daily floods of spam email while juggling a multitude of visitors. Making something like this work requires a team effort. Based on everything we saw, there’s no doubt that we were dealing with a widespread criminal operation.”

“Among spam campaigns, the Canadian pharmacy scam is one of the worst,” the firm said in an analysis. “It's a poster child for pharma spam—the most common form of spam—which has been clogging inboxes with ads for male-enhancement pills and painkillers for years.”

The scam has been traced back to Russian and Ukrainian organized crime syndicates operating in what is estimated to be a $431 billion and growing market. The scale of this criminal activity, and the danger counterfeit drugs pose to public health, has prompted repeat action from the FDA, Interpol and other law enforcement agencies.

Source: Information Security Magazine

2016 Saw 702 Million Exploit Attempts

In 2016, there were 702 million attempts to launch an exploit, according to Kaspersky Lab. This is 24.54% more than in 2015, when Kaspersky protection technologies blocked just over 563 million such attempts.

The growing use of exploits, i.e. malware that uses bugs in software to infect devices with additional malicious code like banking trojans or ransomware, is a result of the fact that these are among the most effective. In a report prepared by Kaspersky, the firm noted that attacks conducted with the help of exploits generally don’t require any user interaction, and can deliver their dangerous code without the user suspecting anything.

Such tools are therefore often used both by cyber-criminals seeking to steal money from private users and companies, and by sophisticated targeted attack actors hunting for sensitive information.

The report found that the number of corporate users attacked by exploits increased 28.35% to reach more than 690,000, or 15.76% of all users attacked with exploits. Browsers, Windows OS, Android OS and Microsoft Office are the applications exploited most often—and 69.8% of users encountered an exploit for one of these at least once in 2016.

Exploits for the infamous Stuxnet vulnerability (CVE-2010-2568) still top the list in terms of the number of attacked users. A quarter of users that encountered an exploit last year faced this particular threat.

In 2016, more than 297,000 users worldwide were attacked by zero-day and heavily obfuscated known exploits—which represents an increase of just under 7% on 2015. The market price for previously unknown exploits may reach tens of thousands of dollars, and they are usually used by sophisticated actors against high-profile targets.

Overall, targeted attackers and campaigns reported on by Kaspersky Lab in the years 2010 to 2016 made use of more than 80 vulnerabilities. Around two-thirds of these were used and re-used by more than one threat actor.

Interestingly, despite the growing number of attacks featuring exploits, and the growing number of corporate users attacked in this way, the number of private users who encountered an exploit attack in 2016 decreased just over 20%—from 5.4 million in 2015 to 4.3 million in 2016.

According to Kaspersky Lab researchers, a possible reason for this decline could be a reduction in the number of sources for exploits: 2016 saw several big and popular exploit kits (the Neutrino and Angler exploit kits) leave the underground market. This significantly affected the overall exploit threat landscape, as many cyber-criminal groups apparently lost their capabilities to spread the malware.

Another reason is the faster reaction time of software vendors to newly discovered security issues. As a result, it is now far more expensive for cyber-criminals to develop and support an effective consumer exploit kit and simultaneously stay profitable.

“Based on both our detection statistics and our observations of the activity of targeted attack actors, we see that professional cyber-espionage groups still have the budgets and skills to develop and distribute sophisticated exploits,” said Alexander Liskin, security expert at Kaspersky. “The recent leak of malicious tools allegedly used by the Equation Group is an illustration of this. However, this doesn’t mean that it is impossible to protect your organization against exploit-based attacks. In order not to let malicious actors succeed, we advise users, especially corporate ones, to implement best practices of internet security and protect their computers, mobile devices and networks with proven and effective protection tools.” 

Source: Information Security Magazine

Two-thirds of Apps Using Open-source Have Known Software Vulns

With 96% of all apps containing open-source components, it should be alarming to learn that two-thirds of all apps using open source (60+%) contain known software vulnerabilities.

And, 85% contain license conflicts.

That’s according to the second-annual 2017 Open Source Security & Risk Analysis report from Black Duck’s Center for Open Source Research and Innovation (COSRI), which examined findings from more than 1,000 commercial applications audited in 2016. The firm found that financial services, retail and e-commerce companies’ systems had the highest number of vulnerabilities per application.

Notably, audit results of applications from the financial industry contained 52 open source vulnerabilities per application, and 60% of the applications contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.

“Reading this report should be a wake-up call. Everyone is using lots of open source, but as the audits show, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications,” said Chris Fearon, director at Black Duck’s Northern Ireland based Open Source Security Research Group, the security research arm of COSRI. “The COSRI analysis of the audits clearly demonstrates that organizations in every industry have a long way to go before they are effective in managing their open source.”

The widespread open-source license conflicts can be attributed to the fact that the audited applications contained 147 open source components on average, a daunting number of license obligations to keep track of. The most common challenges were GPL license violations: 75% of applications contained components under the GPL family of licenses, but only 45% of those applications were in compliance with GPL obligations.

“Open-source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today’s apps is open-source,” said Black Duck CEO Lou Shipley. “This isn’t surprising, because open-source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges.”

Shipley said he expected the open-source audit findings to be eye-opening for security executives, because the application layer is a primary target for hackers: “Exploits of open-source vulnerabilities are the biggest application security risk that most companies have.”

Source: Information Security Magazine

NCA: Young Cyber-Criminals Looking for Sense of Achievement

Many young cyber-criminals are motivated to break the law because they relish the challenge, sense of accomplishment and validating their skills with peers, and could be deterred by targeted interventions highlighting the positive opportunities to achieve the same legally, according to the NCA.

The UK crime agency’s NCCU Prevent team spoke to a range of former offenders and those heading towards cyber-criminality via cease & desist visits in order to better understand the pathways into cybercrime.

The average age of cyber-criminals in the UK is far lower than that of other crimes: just 17 years old in 2015, compared to around 37 in NCA drugs cases.

The report found that many youngsters are drawn into cybercrime via “modding” and gaming cheat forums and progress to criminal hacking forums without fully acknowledging the gravity of the step.

As for why they do so, money is not always a priority for young offenders, although off-the-shelf hacking tools have made it increasingly easy for even low-skilled hackers to generate profits for relatively little effort.

Instead, many offenders are motivated by more innocuous factors, the report explained:

“Completing a challenge, a sense of accomplishment and proving oneself to peers are key motivations for those involved in cyber-criminality. These factors are repeated throughout the debriefs and academic literature, as the main reason young people begin and continue hacking. An 18-year-old who was arrested for obtaining unauthorized access to a US government site said ‘I did it to impress the people in the hacking community, to show them I had the skills to pull it off…I wanted to prove myself…that was my main motivation’.”

These motivational factors could be used to steer young offenders away from cybercrime, according to the NCA.

“That can be as simple as highlighting opportunities in coding and programming, or jobs in the gaming and cyber industries, which still give them the sense of accomplishment and respect they are seeking”, argued Richard Jones, head of NCCU Prevent.

Jamie Graves, CEO of ZoneFox, said more should be done to change the perception of cybersecurity and encourage more talented young hackers into the industry.

“Yes, targeting and removing the free tools that exist online that allow hacking to take place, must be a focus, but more innovative approaches are needed,” he argued.

"Instead of spending resources looking to suppress these highly intelligent young individuals and put them behind bars, we should be identifying them and nurturing and encouraging them to contribute positively in roles that can utilize their skills, both in the private and public sectors. This will not only empower them for good, but also boost the economy and safeguard the nation."

The report also burst the myth that cybercrime is a solitary affair, claiming online relationships are key and that building reputation drives young cyber-criminals.

It claimed that autism spectrum disorder (ASD) appears more prevalent among cyber-criminals than the general populace, although this has yet to be proved.

Earlier this month a new study was announced to explore exactly that link.

Source: Information Security Magazine

Mastercard's Biometric Card Promises "Apple Pay" Without the Phone

Security experts have broadly welcomed Mastercard’s new biometric card as a sign of things to come, claiming it will help to reduce customer friction and fraud.

The credit card giant yesterday unveiled the new EMV model which it has successfully trialled in South Africa with retailers Pick n Pay and Barclays Africa subsidiary, Absa Bank.

“Consumers are increasingly experiencing the convenience and security of biometrics,” said Mastercard enterprise risk and security president, Ajay Bhalla, in a statement.

“Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It’s not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected.”

New users are asked to enrol their card with their bank and hold their finger to the biometric reader, whereupon the unique fingerprint will be stored digitally on the card’s EMV chip.

When paying, they simply insert the card as usual while placing their finger on the sensor and if the biometrics match, the transaction will be approved.

Mastercard believes the innovation will improve the customer experience further, fostering loyalty, while rooting out fraud and lowering chargeback costs for its clients.

Trials are planned for Europe and APAC and a contactless version is also on its way, according to the firm.

Payment expert Pinar Ozcan, of Warwick Business School, said the future of authentication is biometric.

“The real question is, what will [the] device be? A phone, a biometric ring, bracelet or watch? All of these payment devices already exist today through large technology firms and start-ups,” she added.

"In my opinion, a phone that allows you to communicate, handle business, use entertainment, and make payments is the most complete option of all as a wallet replacement. But when these new payment devices will truly replace our wallets depends on how widely the NFC point of sale devices are established, allowing users to make payments no matter where they go."

ESET IT security specialist, Mark James, argued that while security of the new biometric system was important, a move away from PINs should be welcomed.

“Biometrics are a good way to secure our everyday items that need that extra layer to keep our data safe,” he added.

“There are measures that can be used to protect the storage of the biometric data and of course proof of concept will dictate that someone somewhere has the means to copy your fingerprint, through ‘finding’ a mug that you have used and duplicating your fingerprint and use it with your card. I for one welcome the extra security and would embrace any method of moving away from an antiquated four-digit code.”

Source: Information Security Magazine