Latest Warnings


29
Jun 15

Crooks Use Hacked Routers to Aid Cyberheists

Cybercriminals have long relied on compromised Web sites to host malicious software for use in drive-by download attacks, but at least one crime gang is taking it a step further: New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware.

Ubiquity Networks airRouter

Ubiquity Networks airRouter

Dyre (a.k.a. “Dyreza”) is generally installed by a downloader Trojan that is flagged by most tools under the name “Upatre.” The latter is most often delivered via malicious e-mails containing a link which directs unsuspecting users to servers hosting malicious javascript or a basic redirection to a malicious payload. If the user clicks the malicious link, it may serve a bogus file — such as an invoice or bank statement — that if extracted and opened reaches out to an Upatre control server to download Dyre.

According to a recent in-depth report from Symantec, Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim’s credentials and send them to the attackers. Dyre is often used to download additional malware on to the victim’s computer, and in many cases the victim machine is added to a botnet which is then used to send out thousands of spam emails in order to spread the threat.

Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers — particularly routers powered by MikroTik and Ubiquiti’s AirOS.

“We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”

airos

Continue reading →


23
Jun 15

A Month Without Adobe Flash Player

I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.

brokenflash-aBrowser plugins are favorite targets for malware and miscreants because they are generally full of unpatched or undocumented security holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar example of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently).

It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs. This happened most recently in February 2015, and twice the month prior. Adobe also shipped out-of-band Flash fixes in December and November 2014.

Update, 11:30 a.m. ET: Oddly enough, Adobe just minutes ago released an out-of-band patch to fix a zero-day flaw in Flash.

Original story:

Time was, Oracle’s Java plugin was the favorite target of exploit kits, software tools made to be stitched into hacked or malicious sites and foist on visiting browsers a kitchen sink of exploits for various plugin vulnerabilities. Lately, however, it seems to pendulum has swung back in favor of exploits for Flash Player. A popular exploit kit known as Angler, for example, bundled a new exploit for a Flash vulnerability just three days after Adobe fixed it in April 2015.

So, rather than continue the patch madness and keep this insecure software installed, I decided to the pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose. Continue reading →


22
Jun 15

“Free” Proxies Aren’t Necessarily Free

Netflix, Hulu and a host of other content streaming services block non-U.S. users from viewing their content. As a result, many people residing in or traveling outside of the United States seek to circumvent such restrictions by using services that advertise “free” and “open” Web proxies capable of routing browser traffic through U.S.-based computers and networks. Perhaps unsurprisingly, new research suggests that most of these “free” offerings are anything but, and actively seek to weaken browser security and privacy.

proxyThe data comes from Austrian researcher and teacher Christian Haschek, who published a simple script to check 443 open Web proxies (no, that number was not accidental). His script tries to see if a given proxy allows encrypted browser traffic (https://), and whether the proxy tries to modify site content or inject any content into the user’s browser session, such as ads or malicious scripts.

Haschek found that 79 percent of the proxies he tested forced users to load pages in unencrypted (http://) mode, meaning the owners of those proxies could see all of the traffic in plain text.

“It could be because they want you to use http so they can analyze your traffic and steal your logins,” Haschek said. “If I’m a good guy setting up a server so that people can use it to be secure and anonymous, I’m going to allow people to use https. But what is my motive if I tell users http only?”

Haschek’s research also revealed that slightly more than 16 percent of the proxy servers were actively modifying static HTML pages to inject ads.

Virtual private networks (VPNs) allow users to tunnel their encrypted traffic to different countries, but increasingly online content providers are blocking popular VPN services as well. Tor offers users the ability to encrypt and tunnel traffic for free, but in my experience the service isn’t reliably fast enough to stream video. Continue reading →


17
Jun 15

Critical Flaws in Apple, Samsung Devices

Normally, I don’t cover vulnerabilities about which the user can do little or nothing to prevent, but two newly detailed flaws affecting hundreds of millions of Android, iOS and Apple products probably deserve special exceptions.

keychainThe first is a zero-day bug in iOS and OS X that allows the theft of both Keychain (Apple’s password management system) and app passwords. The flaw, first revealed in an academic paper (PDF) released by researchers from Indiana University, Peking University and the Georgia Institute of Technology, involves a vulnerability in Apple’s latest operating system versions that enable an app approved for download by the Apple Store to gain unauthorized access to other apps’ sensitive data.

“More specifically, we found that the inter-app interaction services, including the keychain…can be exploited…to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote,” the researchers wrote.

The team said they tested their findings by circumventing the restrictive security checks of the Apple Store, and that their attack apps were approved by the App Store in January 2015. According to the researchers, more than 88 percent of apps were “completely exposed” to the attack.

News of the research was first reported by The Register, which said that Apple was initially notified in October 2014 and that in February 2015 the company asked researchers to hold off disclosure for six months.

“The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, and passwords from password vaults,” The Register wrote. “Google’s Chromium security team was more responsive and removed Keychain integration for Chrome noting that it could likely not be solved at the application level. AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware ‘work harder’ some four months after disclosure.”

A story at 9to5mac.com suggests the malware the researchers created to run their experiments can’t directly access existing keychain entries, but instead does so indirectly by forcing users to log in manually and then capturing those credentials in a newly-created entry.

“For now, the best advice would appear to be cautious in downloading apps from unknown developers – even from the iOS and Mac App Stores – and to be alert to any occasion where you are asked to login manually when that login is usually done by Keychain,” 9to5’s Ben Lovejoy writes.

SAMSUNG KEYBOARD FLAW

Separately, researchers at mobile security firm NowSecure disclosed they’d found a serious vulnerability in a third-party keyboard app that is pre-installed on more than 600 million Samsung mobile devices — including the recently released Galaxy S6 — that allows attackers to remotely access resources like GPS, camera and microphone, secretly install malicious apps, eavesdrop on incoming/outgoing messages or voice calls, and access pictures and text messages on vulnerable devices. Continue reading →


18
May 15

St. Louis Federal Reserve Suffers DNS Breach

The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution. The attack redirected Web searches and queries for those seeking a variety of domains run by the government entity to a Web page set up by the attackers in an apparent bid by cybercrooks to hijack online communications of banks and other entities dealing with the regional Fed office.

fedstlouisThe communique, shared by an anonymous source, was verified as legitimate by a source at another regional Federal Reserve location.

The notice from the St. Louis Fed stated that the “the Federal Reserve Bank of St. Louis has been made aware that on April 24, 2015, computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank’s web traffic that day to rogue webpages they created to simulate the look of the St. Louis Fed’s research.stlouisfed.org website, including webpages for FRED, FRASER, GeoFRED and ALFRED.”

Requests for comment from the St. Louis Fed so far have gone unreturned. It remains unclear what impact, if any, this event has had on the normal day-to-day operations of hundreds of financial institutions that interact with the regional Fed operator.

The advisory noted that “as is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords.”

The statement continues:

“These risks apply to individuals who attempted to access the St. Louis Fed’s research.stlouisfed.org website on April 24, 2015. If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password.

The St. Louis Fed’s website itself was not compromised.

“Out of an abundance of caution, we wanted to alert you to this issue, and also make you aware that the next time you log into your user account, you will be asked to change your password. In addition, in the event that your user name and password are the same or similar as those you use for other websites, we highly recommend that you follow best practices and use a strong, unique and different password for each of your user accounts on the Internet. Click https://research.stlouisfed.org/useraccount/forgotpassword/step1 to change your user account password now.”

According to Wikipedia, the Federal Reserve Economic Data (FRED) is a database maintained by the Research division of the Federal Reserve Bank of St. Louis that has more than 247,000 economic time series from 79 sources. The data can be viewed in graphical and text form or downloaded for import to a database or spreadsheet, and viewed on mobile devices. They cover banking, business/fiscal, consumer price indexes, employment and population, exchange rates, gross domestic product, interest rates, monetary aggregates, producer price indexes, reserves and monetary base, U.S. trade and international transactions, and U.S. financial data. Continue reading →


23
Mar 15

Hilton Honors Flaw Exposed All Accounts

Hospitality giant Hilton Hotels & Resorts recently started offering Hilton HHonors Awards members 1,000 free awards points to those who agreed to change their passwords for the online service prior to April 1, 2015, when the company said the change would become mandatory. Ironically, that same campaign led to the discovery of a simple yet powerful flaw in the site that let anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number.

Until it was notified by KrebsOnSecurity about a dangerous flaw in its site, Hilton was offering 1,000 points to customers who changed their passwords before April 1, 2015.

Until it was notified by KrebsOnSecurity about a dangerous flaw in its site, Hilton was offering 1,000 points to customers who changed their passwords before April 1, 2015.

The vulnerability was uncovered by Brandon Potter and JB Snyder, technical security consultant and founder, respectively, at security consulting and testing firm Bancsec. The two found that once they’d logged into a Hilton Honors account, they could hijack any other account just by knowing its account number. All it took was a small amount of changing the site’s HTML content and then reloading the page.

After that, they could see and do everything available to the legitimate holder of that account, such as changing the account password; viewing past and upcoming travel; redeeming Hilton Honors points for travel or hotel reservations worldwide; or having the points sent as cash to prepaid credit cards or transferred to other Hilton Honors accounts. The vulnerability also exposed the customer’s email address, physical address and the last four digits of any credit card on file.

I saw this vulnerability in action after giving Snyder and Potter my own Hilton Honors account number, and seconds later seeing screen shots of them logged into my account. Hours after this author alerted Hilton of the discovery, the Hilton Honors site temporarily stopped allowing users to reset their passwords. The flaw they discovered now appears to be fixed.

“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,” Hilton wrote in an emailed statement. “As always, we encourage Hilton HHonors members to review their accounts and update their online passwords regularly as a precaution. Hilton Worldwide takes information security very seriously and we are committed to safeguarding our guests’ personal information.” Continue reading →


18
Mar 15

OpenSSL Patch to Plug Severe Security Holes

The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity.

iheartOpenSSL is deployed at countless organizations, including at Web giants like Facebook, Google and Yahoo — as well as broadly across U.S. federal government networks. As its name suggests, OpenSSL implements Secure Sockets Layer (SSL) encryption (also known as “transport layer security” or TLS) for Web sites and associated networks, ensuring that the data cannot be read by untrusted parties.

The patch is likely to set off a mad scramble by security teams at organizations that rely on OpenSSL. That’s because security updates — particularly those added to open-source software like OpenSSL that anyone can view — give cybercriminals a road map toward finding out where the fixed vulnerabilities lie and insight into how to exploit those flaws.

Indeed, while the OpenSSL project plans to issue the updates on Thursday, Mar. 19, the organization isn’t pre-releasing any details about the fixes. Steve Marquess, a founding partner at the OpenSSL Software Foundation, said that information will only be shared in advance with the major operating system vendors.

“We’d like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure,” Marquess said. “One of our main revenue sources is support contracts, and we don’t even give them advance notice.”

Advance notice helps not only defenders, but attackers as well. Last year, ne’er-do-wells pounced on Heartbleed, the nickname given to an extremely critical flaw in OpenSSL that allowed anyone to extract passwords, cookies and other sensitive data from servers that were running vulnerable versions of OpenSSL. This Heartbleed disclosure timeline explains a great deal about how that process unfolded in a less-than-ideal manner. Continue reading →


12
Mar 15

MS Update 3033929 Causing Reboot Loop

One of the operating system updates Microsoft released on Tuesday of this week — KB3033929 — is causing a reboot loop for a fair number of Windows 7 users, according to postings on multiple help forums. The update in question does not appear to address a pressing security vulnerability, so users who have not  yet installed it should probably delay doing so until Microsoft straightens things out. Continue reading →


11
Mar 15

Apple Pay: Bridging Online and Big Box Fraud

Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

applepayTo understand what’s going on here, a quick primer on card fraud is probably in order. If you’re a fraudster and you wish to walk into a Best Buy store and walk out with a big screen TV or xBox console on someone else’s dime, you’re going to buy “dumps,” which are data stolen straight off the magnetic stripe on the backs of cards.

Typically, dumps are stolen via malware planted on point-of-sale devices, as in the breaches at brick-and-mortar stores like Target, Home Depot and countless others over the past year. Dumps buyers encode the data onto new plastic, which they then use “in-store” at retailers and walk out with armloads full of high-priced goods that can be easily resold for cash. The average price of a single dump is between $10-$30, but the payoff in stolen merchandise per card is often many times that amount.

When fraudsters want to order something online using stolen credit cards, they go buy what the crooks call “CVVs” — i.e., card data stolen from hacked online stores. CVV stands for “card verification code,” and refers to the three-digit code on the back of cards that’s required for most online transactions. Fraudsters buying CVVs get the credit card number, the expiration date, the card verification code, as well as the cardholder’s name, address and phone number. Because they’re less versatile than dumps, CVVs cost quite a bit less — typically around $1-$5 per stolen account.

So in summary, dumps are stolen from main-street merchants, and are sought after by crooks mainly for use at main street merchants. CVVs, on the other hand, are stolen from online stores, and are useful only for fraud against online stores.

Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That’s because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.

Avivah Litan, a fraud analyst with Gartner Inc. explained a blog post published earlier this month that Apple provides banks with a fair amount of data to aid banks in their efforts at “identity proofing” the customer, such as device name, its current geographic location, and whether or not the customer has a long history of transactions with iTunes.

All useful data points, of course, unless the iTunes account that all of this information is based on is hijacked by fraudsters. And as we know from previous stories on this blog, there is a robust trade in the cybercrime underground for hijacked iTunes accounts, which retail for about $8 per account.

Continue reading →


10
Mar 15

Microsoft Fixes Stuxnet Bug, Again

Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.

brokenwindowsOn this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office and a host of other components.

Five of the the patches released today fix flaws that Microsoft has assigned its most serious “critical” label, meaning the vulnerabilities these patches fix can be exploited to compromise vulnerable systems through little or no action on the part of the user — save for perhaps opening a booby-trapped file or visiting a hacked/malicious Web site.

One of the more curious critical fixes is MS15-020, which according to HP’s Zero Day Initiative researchers addresses the same vulnerability that Microsoft patched in August 2010. That vulnerability — first revealed in a post on this blog July 15, 2010 — was later discovered to have been one of four zero-day flaws used in Stuxnet, a weapon of unprecedented sophistication that is now widely considered to have been a joint U.S. and Israeli project aimed at delaying Iran’s nuclear ambitions. The folks at HP TippingPoint have published a blog post on their work in uncovering the failed fix, and how the original 2010 patch missed the mark. For more on Stuxnet, check out Kim Zetter‘s excellent new book, Countdown To Zero Day. Continue reading →