Alerts

Researchers at Check Point have figured out the encryption method used by RansomWarrior, a ransomware strain developed in India.

The ransomware targets Windows users. The payload is delivered as an executable named “A Big Present.exe”; when it is run, it encrypts the victim’s files and gives them a .THBEC extension. Victims are then given a link to a dark web site that takes payment in Bitcoin.

The ransomware offers to decrypt two files for free; however, victims who don’t pay the ransom will not get the rest of their files back. The ransom note cheekily adds that the police can’t help you.

How Did The Researchers Break the Encryption?

Check Point researchers found that the malware was written by inexperienced hackers, and the company was able to retrieve the decryption keys from the malware itself. Check Point succeeded because of the weak encryption scheme the ransomware uses: it relies on only 1000 keys, all of them hard-coded in the RansomWarrior binary.

The index of the key that was used is saved on the victim’s machine, which provides the means to unlock the files. The researchers were able to build a decryption tool that recovers the files of any user affected by RansomWarrior. Most ransomware authors have been using mass spam campaigns to infect entire networks.

Why Did Ransomware Become Famous?

Some ransomware operations have made over $6 million from a single targeted campaign. However, many groups have since moved away from ransomware, with a new focus on cryptocurrency mining.

Lazarus Group, the North Korean hackers who hacked Sony Films a few years back, have deployed their first Mac malware ever, according to Russian antivirus vendor Kaspersky Lab. In a new report, Kaspersky researchers reveal that Lazarus Group penetrated the IT systems of an Asia-based cryptocurrency exchange platform.

The hack of this platform has not yet been reported in the media, a Kaspersky spokesperson told Bleeping Computer.

“The company was breached successfully, but we are not aware of any financial loss,” Vitaly Kamluk, Head of GReAT APAC at Kaspersky Lab told Bleeping Computer via email today. “We assume the threat was contained based on our notification.”

Exchange hacked after employee downloads trojanized app

The hack, which Kaspersky Lab analyzed under the codename of Operation AppleJeus, took place after one of the exchange’s employees downloaded an app from a legitimate-looking website that claimed to be from a company that develops cryptocurrency trading software.

But the app was a fake and infected with malware. On Windows, the app downloaded and infected users with Fallchill, a remote access trojan (RAT) known to be associated with the Lazarus Group since at least 2016, when it was deployed for the first time in live campaigns.

But unlike previous Lazarus operations, the hackers also deployed a Mac malware strain, something they have not done before. The malware was hidden inside the Mac version of the same cryptocurrency trading software.

Experts say that neither the Windows nor the Mac malware was visible inside the tainted app. Lazarus operators did not embed the malware in the third-party app directly; they merely modified its update component so that it would download the malware at a later date.

The mystery of the malware’s certificate

Furthermore, the trojanized cryptocurrency trading software was also signed by a valid digital certificate, allowing it to bypass security scans.

The big mystery surrounding this certificate is that it was issued by a company that, according to Kaspersky experts, they were unable to prove ever existed at the address listed in the certificate.

“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future,” Kamluk says.

Kaspersky didn’t name the hacked cryptocurrency exchange

Several cyber-security firms have pointed out many times this year that since the start of 2017, North Korean hackers have shown great interest in penetrating cryptocurrency exchanges and financial institutions, from where they steal funds that they later bring back into North Korea.

In the past year, several Asian cryptocurrency exchange platforms suffered security incidents, primarily exchange platforms located in South Korea. Hacks have been reported at Bithumb, Yapizon, YouBit, Coinrail, and Bithumb again.

Kaspersky did not reveal the name of the cryptocurrency exchange at the center of its report.

 

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation of, or endorsement of the views expressed within, those sites.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Security researchers from Bitdefender have discovered a new Android malware strain named Triout that comes equipped with intrusive spyware capabilities, such as the ability to record phone calls and steal pictures taken with the device.

Researchers spotted the malware for the first time a month ago, but they say they identified signs of its activity going back as far as mid-May, when it was first uploaded on VirusTotal, a website that aggregates multiple antivirus scanning engines.

Bitdefender says the Triout samples it discovered were masquerading as a clone of a legitimate application, but researchers were unable to find out where the malicious app was being distributed from. The obvious guess would be third-party Android app stores or app-sharing forums, which are popular in some parts of the world.

Researchers said the first Triout sample uploaded on VirusTotal came from Russia, but subsequent samples were uploaded from an Israeli IP.

 

Triout is a pretty capable spyware

As for the malware itself, Triout comes with some pretty advanced features. According to a 16-page white paper on the malware’s capabilities published earlier today, Triout can:

– record every call taking place on the phone
– upload recorded phone calls to a remote server
– steal call log data
– collect and steal SMS messages
– send phone’s GPS coordinates to a remote server
– upload a copy of every picture taken with the phone’s cameras to a remote server
– hide from the user’s view

These are some pretty high-level features that require advanced knowledge of the Android OS. Generally speaking, similar malware is used by nation-state hackers or by experienced cyber-criminals.

But Bitdefender says that despite the malware’s advanced capabilities, its authors appear to have also slipped up.

“What’s striking […] is that it’s completely unobfuscated, meaning that simply by unpacking the [cloned app’s] .apk file, full access to the source code becomes available,” Bitdefender wrote in its report, suggesting that they had no difficulty in accessing and analyzing Triout’s entire feature set.

“This could suggest the [Triout] framework may be a work-in-progress, with developers testing features and compatibility with devices,” researchers added.

 

Triout C&C server still up and running

There were no clues to help analysts determine if Triout was the work of a nation-state hacker or a cyber-criminal involved in some sort of economic espionage.

Nevertheless, Triout operators don’t appear to have detected Bitdefender researchers sniffing around their command and control server.

“The C&C (command and control) server to which the application seems to be sending collected data appears to be operational, as of this writing, and running since May 2018,” the Romania-based antivirus firm said, suggesting that Triout campaigns are most likely going on as we speak.

 


Security researchers have discovered a new exploitation technique that they say can bypass the kernel protection measures present in the Windows operating systems.

 

Discovered by security researchers Omri Misgav and Udi Yavo from enSilo, the technique is named Turning Tables, and exploits Windows’ page tables.

Page tables are a data structure common to all operating systems, not just Windows, that stores the mappings between virtual memory and physical memory. Virtual addresses are used by the program running inside an OS process, while physical addresses are used by hardware components, and more specifically by the RAM subsystem.

Because physical memory (RAM) is limited, operating systems create so-called “shared code pages” where multiple processes can store the same code and call upon it when needed.

Misgav and Yavo say the Turning Tables technique relies on crafting malicious code that modifies these “shared code pages” in order to affect the execution of other processes, some of which run with higher privileges.

By doing this, the Turning Tables technique allows attackers to elevate the privileges of their code to higher levels, such as SYSTEM.

The two enSilo researchers say the technique can also be used to alter applications running in sandboxes, which are isolated environments created for the sole purpose of protecting apps against such attacks. For example, Turning Tables can be used to poison browsers that run inside a sandbox, such as Chrome.

 

Turning Tables also impacts macOS, Linux

Furthermore, since the concept of page tables is also used by Apple and by the Linux project, macOS and Linux are, in theory, also vulnerable to this technique, although the researchers have not yet verified such attacks.

“The reason why is that the technique is based on an optimization leveraged by almost all modern operating systems,” the enSilo team said.

But the thing that stands out about this technique the most is that it bypasses all the kernel-level security protections that Microsoft has added to the Windows OS in recent years, the researchers said.

 

The two enSilo researchers said they informed Microsoft about the Turning Tables technique. A Microsoft spokesperson was not available for comment before this article’s publication.

Misgav and Yavo presented their research at the BSides Las Vegas security conference held at the start of the month. A recorded live stream of the conference’s proceedings is available below. The Turning Tables presentation starts at the 8:57:26 mark. The slides presented at the conference are available here.

 


JavaScript web apps and web servers are susceptible to a specific type of vulnerability and attack known as regular expression (regex) denial of service, or ReDoS.

 

These vulnerabilities take place when an attacker sends large and complex pieces of text to the open input of a JavaScript-based web server or app.

If the server component or an app library is not specifically designed to handle various edge cases, the attacker’s input can end up blocking the entire app or server for seconds or minutes at a time, while the server analyzes and pattern-matches the input.

Various programming languages and web server technologies have similar issues with the performance of pattern-matching operations and ReDoS attacks, but the problem is far more severe in the case of JavaScript because of the single-threaded execution model of most JavaScript servers, where every request is handled by the same thread.

When a ReDoS attack hits, this ends up clogging the entire server, rather than slowing down one particular operation.

ReDoS attacks known since 2012, but gaining momentum

ReDoS attacks against JavaScript servers were first detailed in a research paper published in 2012, but back then JavaScript, and Node.js in particular, weren’t the behemoths they are today on the web development scene; hence, this particular issue went largely ignored for another half a decade.

Subsequent research published in 2017 revealed that 5% of the total vulnerabilities found in Node.js libraries and applications were ReDoS vulnerabilities.

But according to research presented at a security conference last week, the ReDoS issue is gaining momentum in the JavaScript community because it has been left unaddressed for so many years.

Cristian-Alexandru Staicu and Michael Pradel, two academics from the Technical University in Darmstadt, Germany, say they’ve found 25 previously unknown vulnerabilities in popular Node.js modules.

The two said that an attacker could craft special exploit packages and attack websites/servers using any of these 25 libraries.

Sending such an exploit package causes any of the vulnerable websites to freeze for anywhere between a few seconds and several minutes, as the server tries to match the text contained in the exploit against a regular expression (regex) pattern in order to decide what to do with the input. Such regex filters on input fields are common, as they form the basis of many XSS filters.

But while one attack is bad, sending repeated exploit packages to the same server can cause prolonged downtime periods.

Nearly 340 sites vulnerable to ReDoS attacks

Staicu and Pradel say the primary reason for these flaws is the lack of attention to the performance of regex matching, as most developers seem to be focused on accuracy, leaving big holes in their code that attackers can exploit using ReDoS attacks.

The two also took their research one step further. They devised a method of detecting these vulnerabilities on live websites without actually using the ReDoS exploit code.

They used this method to scan 2,846 popular Node.js-based sites, revealing that 339 (approximately 12%) were vulnerable to at least one ReDoS vulnerability.

“ReDoS poses a serious threat to the availability of these sites,” the research team said. “Our results are a call-to-arms for developing techniques to detect and mitigate ReDoS vulnerabilities in JavaScript.”

Some ReDoS issues were patched

The TU Darmstadt research team reported all the vulnerabilities to the respective module developers, some of whom addressed the problems. This GitHub repo contains proof-of-concept exploits for testing the vulnerable libraries, as well as links to the appropriate fixes for the affected modules.

Besides JavaScript, Java is also known to be affected by ReDoS attacks. In 2017, researchers from the University of Texas at Austin created a tool named Rexploiter, which they used to find 41 ReDoS vulnerabilities in 150 Java programs collected from GitHub.

More details about ReDoS vulnerabilities affecting JavaScript are available in a whitepaper titled “Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers.” The paper is available for download from here or here, and was also presented at the 27th Usenix Security Symposium held last week in Baltimore, USA.

 
