
Experts from Safety Detective discovered thousands of refrigeration systems made by Resource Data Management (RDM) exposed to remote attacks.

Thousands of instances of a temperature control system made by Resource Data Management (RDM) are exposed to remote attacks because they use default passwords and fail to implement other basic security measures.

The vulnerable instances are used by organizations from several industries, including healthcare providers and supermarket chains such as Marks & Spencer, Ocado, and Way-On.

The experts found 7,400 devices exposed online by querying the Shodan search engine, most of them in Russia, Malaysia, Brazil, the United Kingdom, Taiwan, Australia, Israel, Germany, the Netherlands, and Iceland.

Systems exposed online could be accessed via HTTP on ports 9000, 8080, 8100, or 80. An attacker can easily access the vulnerable instances because they use a known default username and password combination; in many cases the web interface can even be reached without any authentication.

“They all come with a default username and “1234” as the default password, which is rarely changed by system administrators.” reads the analysis published by Safety Detective.

“All the screenshots taken in this report didn’t require entering the user and password but it came to our knowledge that almost all devices used the default password.”

Experts pointed out that many of these systems can be found with a simple Google search: the company’s office secretary quickly located a cooling facility in Germany and a hospital in the UK.

By accessing an exposed refrigeration system, an unauthorized attacker can change user and alarm settings. Imagine the damage that could be caused by activating the defrost function, especially in hospitals where such refrigeration systems store blood and drugs.
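A quick way to learn whether your own estate has controllers of this kind reachable over the ports named above is to probe them and look at what comes back. The following script is an added example written for this page, not Safety Detective’s or RDM’s code: it fetches the landing page of each host on the four ports and classifies it as unauthenticated (control-panel markers visible with no login), auth-required (an HTTP challenge or a password field), unreachable, or other. The marker words and the login-form heuristic are assumptions made for the example, and the sample responses it is tested against are constructed; the page does not document the RDM login mechanism, so no credential test is included.

```python
"""Probe hosts for refrigeration-controller web interfaces on the ports named in
the report and classify whether the landing page is reachable without a login.

Added example, not Safety Detective's or RDM's code. The page markers and the
login-form heuristic in classify() are assumptions for the example; the sample
responses used for testing are constructed, not captured from real devices.
"""
import http.client
from dataclasses import dataclass
from typing import Dict, List

PORTS = (80, 8080, 8100, 9000)          # HTTP ports named in the report

# Words that suggest a control panel is being served (ASSUMED markers).
PANEL_MARKERS = ("alarm", "defrost", "setpoint")


@dataclass
class Finding:
    host: str
    port: int
    state: str      # "unreachable" | "auth-required" | "unauthenticated" | "other"
    detail: str = ""


def classify(status: int, headers: Dict[str, str], body: str) -> str:
    """Classify one GET / response.

    An HTTP auth challenge or a visible password field means the device at least
    asks for credentials (it may still accept the default "1234"); a 200 whose
    body carries control-panel markers with no login means open access.
    """
    lower_headers = {k.lower(): v for k, v in headers.items()}
    if status in (401, 407) or "www-authenticate" in lower_headers:
        return "auth-required"
    text = body.lower()
    if status == 200 and ('type="password"' in text or "type='password'" in text):
        return "auth-required"
    if status == 200 and any(marker in text for marker in PANEL_MARKERS):
        return "unauthenticated"
    return "other"


def probe(host: str, port: int, timeout: float = 3.0) -> Finding:
    """Fetch / from host:port and classify it; network errors become 'unreachable'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "rdm-exposure-audit/0.1"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        state = classify(resp.status, dict(resp.getheaders()), body)
        return Finding(host, port, state, "HTTP %d" % resp.status)
    except (OSError, http.client.HTTPException) as exc:
        return Finding(host, port, "unreachable", type(exc).__name__)
    finally:
        conn.close()


def audit(hosts: List[str], ports=PORTS) -> List[Finding]:
    """Probe every host on every port; only reachable services are reported."""
    findings = []
    for host in hosts:
        for port in ports:
            finding = probe(host, port)
            if finding.state != "unreachable":
                findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    # 192.0.2.0/24 is a documentation range; pass real hosts on the command line.
    for finding in audit(sys.argv[1:] or ["192.0.2.10"]):
        print(f"{finding.host}:{finding.port} {finding.state} ({finding.detail})")
```

Run it against an internal address list; anything reported as unauthenticated, or as auth-required on a device nobody remembers configuring, deserves a visit to change the password and put the interface behind a VPN or an allow-list.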


Safety Detective reported its findings to RDM, but the vendor initially downplayed the report. RDM later acknowledged the risks but highlighted that the issues reported by the experts were caused by wrong installations made by users and installers.

“To clarify the situation from RDM we would confirm that the default passwords must be changed by the installer at the time of setup. RDM does not have any control over where our systems go and who install them. We clearly state in our documentation that the default passwords MUST be changed when the system is installed. It’s similar to an off the shelf router with default user names and passwords Admin Admin,” replied an RDM spokesman.

“We would also point out that we do not have remote connectivity to many systems and even though it is possible to upgrade our software remotely we are unable to do this without the consent of the owner. We will inform owners that we have new software available with new functions and features but ultimately it is up to them to request an upgrade which can be done via USB locally or by their installer / maintainer remotely.”

Pierluigi Paganini

(SecurityAffairs – refrigeration systems, hacking)

The post Thousands of RDM refrigeration systems exposed online are at risk appeared first on Security Affairs.

Google announced Adiantum, a new encryption method devised to protect Android devices without cryptographic acceleration.


“Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted.” reads the announcement published by Google.

Since Android 6.0, user data has been protected with Advanced Encryption Standard (AES) encryption; however, AES is slow on the low-end processors used in many cheap devices, which lack hardware support for it.

The new encryption mode has been created for devices running Android 9 and higher that do not support the AES CPU instructions.

For this reason, Google developed Adiantum, which builds on the ChaCha stream cipher to provide a length-preserving encryption mode; ChaCha can be implemented securely and with good performance without dedicated hardware acceleration.

Google experts pointed out that Adiantum encryption/decryption processes on ARM Cortex-A7 processors are around five times faster compared to AES-256-XTS.


“Unlike modes such as XTS or CBC-ESSIV, Adiantum is a true wide-block mode: changing any bit anywhere in the plaintext will unrecognizably change all of the ciphertext, and vice versa.  It works by first hashing almost the entire plaintext,” continues Google.

“We also hash a value called the “tweak” which is used to ensure that different sectors are encrypted differently. This hash is then used to generate a nonce for the ChaCha encryption. After encryption, we hash again, so that we have the same strength in the decryption direction as the encryption direction”  
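The hash, encrypt, hash shape that the quote describes is what gives Adiantum its wide-block property, and it is easiest to see in code. The following script is an added illustration of that structure, not Google’s code: the real construction hashes with NH and Poly1305, encrypts the single middle block with one AES-256 call and covers the bulk with ChaCha12, whereas here each primitive is replaced by an HMAC-SHA256-based stand-in (an assumption made so the example runs on the standard library alone; it carries none of the paper’s security proof). The shape is the point: any change in the bulk plaintext feeds the hash, which changes the block-cipher input, which changes the stream-cipher nonce, so every ciphertext byte changes, and the second hash gives the same effect in the decryption direction.

```python
"""Structural model of Adiantum's hash-encrypt-hash wide-block mode.

Added example, not Google's code. Real Adiantum: H = NH + Poly1305, E = one
AES-256 block call, S = ChaCha12. Here every primitive is an HMAC-SHA256 based
stand-in (ASSUMED substitute so the script needs only the standard library);
only the shape of the construction is faithful.
"""
import hashlib
import hmac

BLOCK = 16                     # the single block handled by the block cipher
MOD = 1 << (8 * BLOCK)         # arithmetic on that block is mod 2^128


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keyed_hash(key: bytes, tweak: bytes, bulk: bytes) -> int:
    """Stand-in for H_K(tweak, bulk): a 128-bit keyed hash of the sector tweak and
    everything except the last block (the tweak is length-prefixed so it cannot slide)."""
    msg = len(tweak).to_bytes(4, "big") + tweak + bulk
    return int.from_bytes(_prf(key, b"hash", msg)[:BLOCK], "big")


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the one AES-256 call: a 4-round Feistel network over two 8-byte halves."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _prf(key, b"f%d" % rnd, right)[:8])
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt(): run the Feistel rounds backwards."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _prf(key, b"f%d" % rnd, left)[:8]), left
    return left + right


def stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the ChaCha12 keystream; the nonce is the encrypted middle block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += _prf(key, b"stream" + nonce, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, tweak: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) < BLOCK:
        raise ValueError("plaintext must be at least one block")
    p_left, p_right = plaintext[:-BLOCK], plaintext[-BLOCK:]
    # 1. hash almost the entire plaintext (plus the tweak) into the last block
    p_mid = (int.from_bytes(p_right, "big") + keyed_hash(key, tweak, p_left)) % MOD
    # 2. one block-cipher call on that block
    c_mid = block_encrypt(key, p_mid.to_bytes(BLOCK, "big"))
    # 3. the encrypted block is the nonce for the stream cipher over the bulk
    c_left = _xor(p_left, stream(key, c_mid, len(p_left)))
    # 4. hash again, so a change anywhere in the ciphertext also reaches c_mid
    c_right = (int.from_bytes(c_mid, "big") - keyed_hash(key, tweak, c_left)) % MOD
    return c_left + c_right.to_bytes(BLOCK, "big")


def decrypt(key: bytes, tweak: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) < BLOCK:
        raise ValueError("ciphertext must be at least one block")
    c_left, c_right = ciphertext[:-BLOCK], ciphertext[-BLOCK:]
    c_mid_int = (int.from_bytes(c_right, "big") + keyed_hash(key, tweak, c_left)) % MOD
    c_mid = c_mid_int.to_bytes(BLOCK, "big")
    p_left = _xor(c_left, stream(key, c_mid, len(c_left)))
    p_mid = int.from_bytes(block_decrypt(key, c_mid), "big")
    p_right = (p_mid - keyed_hash(key, tweak, p_left)) % MOD
    return p_left + p_right.to_bytes(BLOCK, "big")


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance, used to observe the wide-block property."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def sector_tweak(sector_index: int) -> bytes:
    """Disk encryption tweaks by sector number so identical sectors encrypt differently."""
    return sector_index.to_bytes(8, "little")
```

Encrypt a 512-byte sector, flip one plaintext bit and re-encrypt: roughly half of the 4096 ciphertext bits change, where XTS would have changed only the 16-byte block containing that bit. Flip one ciphertext bit and decrypt: the whole sector comes back as garbage, which is the property that makes a wide-block mode a reasonable choice when there is no room for an authentication tag.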

Adiantum could be the optimal solution for a wide range of devices that lack dedicated encryption hardware, such as smartwatches, smart TVs, and other IoT devices running Android.

“Our hope is that Adiantum will democratize encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance,” wrote Eugene Liderman, Director of Mobile Security Strategy, Android Security & Privacy Team. “Everyone should have privacy and security, regardless of their phone’s price tag.”

Google published technical details about the new encryption form in the paper titled “Adiantum: length-preserving encryption for entry-level processors.”

Pierluigi Paganini

(SecurityAffairs – Android, encryption)

The post Adiantum will bring encryption on Android devices without cryptographic acceleration appeared first on Security Affairs.

Google has open sourced ClusterFuzz, its fuzzing infrastructure it has developed to find memory corruption vulnerabilities in Chrome.

Google has open sourced its fuzzing infrastructure ClusterFuzz that the tech giant developed to find memory corruption bugs in the Chrome browser.

ClusterFuzz is a scalable fuzzing tool that can run on clusters with more than 25,000 cores.

The platform has been available as a free service to open source projects through the OSS-Fuzz service. 

“Fuzzing is an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program. It is effective at finding memory corruption bugs, which often have serious security implications.” reads a blog post published by Google.

“Manually finding these issues is both difficult and time consuming, and bugs often slip through despite rigorous code review practices. For software projects written in an unsafe language such as C or C++, fuzzing is a crucial part of ensuring their security and stability.”

Fuzzing is effective at finding bugs in software at scale, especially when it is integrated directly into the development process.

ClusterFuzz was created more than 8 years ago to provide end-to-end automation, from bug detection, to triage (accurate deduplication, bisection), to bug reporting, and finally to automatic closure of bug reports.
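The stages listed above (find a crash, bucket duplicates, shrink the case) are easier to appreciate with a working loop in hand. The following script is an added example written for this page, not ClusterFuzz code: ClusterFuzz drives real engines such as libFuzzer and AFL against sanitizer-instrumented native targets and triages at scale, whereas this stand-alone model fuzzes a small Python parser whose IndexError stands in for the out-of-bounds read a sanitizer would report. The message format, the seed input, the mutators and the crash-signature scheme are all constructed for the example.

```python
"""A stand-alone model of the loop ClusterFuzz automates: mutate an input, run
the target, detect a crash, deduplicate by crash signature, minimise the case.

Added example, not ClusterFuzz code. ClusterFuzz drives real engines (libFuzzer,
AFL) against sanitizer-instrumented native targets and triages at scale; here a
Python parser's IndexError stands in for the out-of-bounds read a sanitizer
would report, and the message format, seed input and mutators are constructed
for the example.
"""
import random
import traceback
from typing import Callable, Dict, List, Optional, Tuple

Signature = Tuple[str, str, int]   # (exception type, function, line) == crash bucket
Target = Callable[[bytes], object]


def parse_message(data: bytes) -> List[bytes]:
    """Parses [n_fields:1] ([len:1][payload:len])* [checksum:1].

    Deliberately buggy in the way fuzzing is good at finding: the field count and
    each length are trusted, so a crafted value walks the cursor past the buffer.
    """
    if len(data) < 2:
        raise ValueError("too short")            # rejected input, not a crash
    fields, pos = [], 1
    for _ in range(data[0]):
        length = data[pos]                       # may read past the end
        pos += 1
        fields.append(data[pos:pos + length])
        pos += length
    checksum = data[pos]                         # may read past the end
    if checksum != sum(data[:pos]) & 0xFF:
        raise ValueError("bad checksum")         # rejected input, not a crash
    return fields


def run_one(target: Target, data: bytes) -> Optional[Signature]:
    """Execute the target; return a crash signature, or None if it handled the input."""
    try:
        target(data)
    except IndexError as exc:                    # the 'memory safety' failure we hunt
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc).__name__, frame.name, frame.lineno)
    except ValueError:
        return None                              # graceful rejection is fine
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation, in the spirit of a mutation-based engine."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                          # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                        # overwrite a byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) > 1:               # delete a byte
        del buf[rng.randrange(len(buf))]
    else:                                        # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target: Target, seeds: List[bytes], iterations: int, seed: int = 1) -> Dict[Signature, bytes]:
    """Return the first input found for each distinct crash signature."""
    rng = random.Random(seed)
    corpus = list(seeds)
    crashes: Dict[Signature, bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        sig = run_one(target, candidate)
        if sig is None:
            # Crude stand-in for coverage feedback: keep inputs that did not crash.
            if len(corpus) < 64 and candidate not in corpus:
                corpus.append(candidate)
        elif sig not in crashes:
            crashes[sig] = candidate             # new bucket, not a duplicate
    return crashes


def minimize(target: Target, data: bytes, sig: Signature) -> bytes:
    """Greedy byte deletion that keeps the crash signature (ClusterFuzz's minimiser
    is smarter, but this is the idea): a smaller case is easier to triage."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if run_one(target, candidate) == sig:
                data, shrunk = candidate, True
                break
    return data


def make_seed(fields: List[bytes]) -> bytes:
    """Build a valid message (constructed seed corpus entry)."""
    body = bytes([len(fields)]) + b"".join(bytes([len(f)]) + f for f in fields)
    return body + bytes([sum(body) & 0xFF])


if __name__ == "__main__":
    seed_input = make_seed([b"ab", b"c"])
    for sig, inp in fuzz(parse_message, [seed_input], 2000).items():
        print(sig, "minimised to", minimize(parse_message, inp, sig).hex())
```

Two thousand iterations are more than enough to hit both unchecked reads in the parser, and the signature keyed on the crash site is why the result is one or two buckets rather than hundreds of reports for the same bug; the real system also bisects each bucket to the commit that introduced it, which this model leaves out.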

Google confirmed that to date ClusterFuzz has found over 16,000 bugs in Chrome and more than 11,000 bugs across the more than 160 open source projects integrated with OSS-Fuzz.

“It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day.” continues the blog post.

“Check out our GitHub repository. You can try ClusterFuzz locally by following these instructions.”


ClusterFuzz can also be run locally, outside Google’s infrastructure, by following the instructions in the repository.

Pierluigi Paganini

(SecurityAffairs – ClusterFuzz, hacking)

The post Google open sourced the ClusterFuzz fuzzing platform appeared first on Security Affairs.


Security experts from Trend Micro have discovered a new strain of coin miner that targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner; the researchers observed it killing other Linux malware and coin miners already present on the infected machine.


The experts detected the coin-miner script on one of their honeypots; the malicious code shares parts with the Xbash malware and with the KORKERDS cryptocurrency miner, which uses a rootkit to avoid detection.

“We found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS.” reads the analysis published by Trend Micro.

“It installs a cryptocurrency-mining malware as well as implant itself into the system and crontabs to survive reboots and deletions.”

Experts noticed that this specific variant of KORKERDS uses the rootkit component to download a binary of a modified version of the universal Stratum XMR-Stak pool miner.

According to the experts, the infection started from some IP cameras and web services via TCP port 8161, where the attacker attempts to upload a crontab file.

The crontab file launches a second-stage script that implements three functions:

  • Function B kills previously installed malware, coin miners, and all related services referenced by an accompanying malware (detected by Trend Micro as SH.MALXMR.UWEIU). It also creates new directories and files, and stops processes with connections to identified IP addresses.
  • Function D downloads the coin miner binary from hxxp://yxarsh.shop/64 and runs it.
  • Function C downloads a script from hxxp://yxarsh.shop/0, saves it to the file /usr/local/bin/dns, and creates a new crontab to call this script at 1 a.m. It also downloads hxxp://yxarsh.shop/1.jpg and puts it in different crontabs.

The malware attempts to hide its presence by clearing system logs and achieves persistence through the implanted crontab entries.

Compared to the original KORKERDS cryptocurrency miner, the new script improves the way it downloads and executes its files: it inserts a single crontab entry that fetches all of the code and the miner component.
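Since the whole persistence story here lives in cron, a responder’s first move on a suspect Linux host is to sweep every cron location for the indicators above. The following script is an added example written for this page, not Trend Micro’s tooling: the yxarsh.shop host and the /usr/local/bin/dns path come from the analysis, while the download-and-execute pattern is a generic heuristic added here for the many clones that change domains. The crontab it is tested against is constructed.

```sh
#!/bin/sh
# Hunt cron locations for the persistence described above. Added example, not
# Trend Micro's tooling. Indicators (the yxarsh.shop host, /usr/local/bin/dns)
# are taken from the article; the download-and-execute pattern is a generic
# heuristic added here, and the sample crontab used to test it is constructed.

# Indicators, whitespace separated (extended regular expressions).
INDICATORS='yxarsh\.shop /usr/local/bin/dns'

# A cron line that fetches something and pipes it straight into a shell is
# rarely legitimate, whatever domain it uses.
DOWNLOAD_EXEC='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh'

# scan_cron_file FILE
#   prints "FILE:LINENO:REASON:LINE" for each suspicious line;
#   exit status 0 when at least one line matched, 1 otherwise.
scan_cron_file() {
    scf_file="$1"; scf_hit=1; scf_n=0
    [ -r "$scf_file" ] || return 1
    while IFS= read -r scf_line || [ -n "$scf_line" ]; do
        scf_n=$((scf_n + 1))
        case "$scf_line" in ''|'#'*) continue ;; esac      # blank lines and comments
        scf_reason=""
        # exact indicators first (the 1 a.m. schedule alone is too noisy to key on)
        for scf_ind in $INDICATORS; do
            if printf '%s\n' "$scf_line" | grep -Eq -- "$scf_ind"; then
                scf_reason="ioc:$scf_ind"
                break
            fi
        done
        # then the generic heuristic
        if [ -z "$scf_reason" ] && printf '%s\n' "$scf_line" | grep -Eq -- "$DOWNLOAD_EXEC"; then
            scf_reason="download-and-execute"
        fi
        if [ -n "$scf_reason" ]; then
            printf '%s:%s:%s:%s\n' "$scf_file" "$scf_n" "$scf_reason" "$scf_line"
            scf_hit=0
        fi
    done < "$scf_file"
    return $scf_hit
}

# scan_host
#   sweeps the system crontab, cron.d and the per-user spools (root needed for
#   the spools); exit status 0 when anything matched.
scan_host() {
    sh_rc=1
    for sh_f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$sh_f" ] || continue
        scan_cron_file "$sh_f" && sh_rc=0
    done
    return $sh_rc
}

# Run the sweep only when asked to, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--scan" ]; then
    scan_host || echo "no cron indicators found"
fi
```

Run it as root with `--scan`. A hit on the /usr/local/bin/dns path or the domain is a confirmed indicator from this campaign; a download-and-execute hit on another host is worth the same triage, since the clones keep the technique and swap the domain.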

“While a malware routine that includes the removal of other malware in the system is not new, we’ve never seen the removal of Linux malware from the system on this scale. Removing competing malware is just one way cybercriminals are maximizing their profit.” concludes Trend Micro.

Further details, including indicators of compromise, are reported in the analysis published by Trend Micro.

Pierluigi Paganini

(SecurityAffairs – coin miner, malware)

The post New Linux coin miner kills competing malware to maximize profits appeared first on Security Affairs.

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal:

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 200 – News of the week appeared first on Security Affairs.

A newly discovered malware campaign leverages steganography to hide GandCrab ransomware in an apparently innocent Mario image.

Security experts at Bromium have discovered a malware campaign using steganography to hide the GandCrab ransomware in a Mario graphic package.

According to Matthew Rowan, a researcher at Bromium, threat actors use steganography to hide the malicious code and avoid AV detection.

The steganography is used in conjunction with heavily obfuscated Microsoft PowerShell commands that the attackers hid within the colour channels of a picture of Mario, specifically by manipulating the blue and green pixel values.

“Steganographic techniques such as using the low-bits from pixel values are clearly not new, but it’s rare that we see this kind of thing in malspam; even at Bromium, where we normally see slightly more advanced malware that evaded the rest of the endpoint security stack.” reads the analysis published by Rowan.

“A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within.”
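The trick described in the quote, a payload byte spread over the low 4 bits of the green and blue channels, is short enough to write out in full. The following script is an added example for this page, not Bromium’s code or the attackers’ PowerShell: it hides bytes in a list of RGB pixels, extracts them again, and measures why the change is invisible (no channel moves by more than 15 out of 255). The exact layout (one payload byte per pixel, high nibble in green, low nibble in blue, with a 4-byte length prefix) is an assumption for the example, as the attackers’ precise encoding is not reproduced on this page; the pixels and the payload are constructed. To run the extractor on a real image, build the pixel list with Pillow from `Image.open(path).convert("RGB").getdata()`.

```python
"""Hide bytes in the low 4 bits of the green and blue channels of RGB pixels and
pull them back out, the way the Mario image carried its PowerShell.

Added example, not Bromium's code or the attackers' script. The layout (one
payload byte per pixel: high nibble in green, low nibble in blue, with a 4-byte
big-endian length prefix) is an assumption for the example; the pixels and the
payload are constructed. For a real file, build `pixels` from
Image.open(path).convert("RGB").getdata() with Pillow (not imported here).
"""
from typing import List, Sequence, Tuple

Pixel = Tuple[int, int, int]


def embed(pixels: Sequence[Pixel], payload: bytes) -> List[Pixel]:
    """Return a copy of pixels carrying payload in the low nibbles of G and B."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) > len(pixels):
        raise ValueError("image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(data):
        r, g, b = pixels[i]
        # red is untouched; green takes the high nibble, blue the low nibble
        out[i] = (r, (g & 0xF0) | (byte >> 4), (b & 0xF0) | (byte & 0x0F))
    return out


def extract(pixels: Sequence[Pixel]) -> bytes:
    """Inverse of embed(): read the length prefix, then that many bytes."""
    def byte_at(i: int) -> int:
        _, g, b = pixels[i]
        return ((g & 0x0F) << 4) | (b & 0x0F)

    if len(pixels) < 4:
        raise ValueError("too few pixels")
    n = int.from_bytes(bytes(byte_at(i) for i in range(4)), "big")
    if 4 + n > len(pixels):
        raise ValueError("length prefix exceeds image")
    return bytes(byte_at(i) for i in range(4, 4 + n))


def max_channel_delta(a: Sequence[Pixel], b: Sequence[Pixel]) -> int:
    """Largest per-channel change between two images; at most 15 for a 4-bit
    embed, which is why the picture looks untouched to a human."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII: a cheap 'does this decode to
    script text?' check when carving an unknown image."""
    if not data:
        return 0.0
    return sum(32 <= c < 127 or c in (9, 10, 13) for c in data) / len(data)
```

When carving an unknown image, run extract() under each plausible layout and keep the candidates whose printable_ratio() is near 1.0; a blob of PowerShell stands out immediately against the noise that a wrong layout produces.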

This technique makes the threat hard for firewalls and other defences to detect.

Experts pointed out that attackers are targeting users in Italy, but the campaign will likely extend to other countries worldwide.

“The manually de-obfuscated PowerShell reveals the final level which is dropping and executing from a site, but only if the output of ‘get-culture’ on the machine matches “ita” (for example if the culture is Italian, which matches the earlier targeting attempts).” continues the expert.


Experts were able to download the samples from the address in the de-obfuscated PowerShell, including when connecting through an Italy-based VPN, and identified several samples of the GandCrab ransomware.

Additional details, including IoCs, are reported in the analysis published by the security firm Bromium.

Pierluigi Paganini

(SecurityAffairs – steganography, hacking)

The post GandCrab ransomware campaign targets Italy using steganography appeared first on Security Affairs.

Cayosin Botnet: a deeper look at this threat supported by the psychological profile of the “youngsters-wannabe-hackers” Rolex boasters

Cayosin Botnet

Money, the botnet-as-a-service business and coding on the dark side of life: “At this point of my life… if it doesn’t make me money, I don’t make time for it”, states the picture below.

Elsewhere the same threat actor makes an even more blatant statement, in a sentence that reads “I am not scared by the death, I am scared more to not live a pleasant life.”

Image downloaded by Odisseus from the Instagram profile of the threat actor

This is the “new” motto of the youngsters-wannabe-hackers: botnet providers, sellers, coders, “boaters” driving through the night with a laptop always connected beside them. In the imaginary world of a teen, the adult world becomes a violent jungle dominated by the dark colours of a delirium of omnipotence. Botnets, packet flooding, bots, attack power: “I don’t care how many and what bots I have, all I care is only to have stable stress power”.

It is in this psychedelic context that the Cayosin botnet has seen the light and, for the first time, has been reversed and analyzed (the report is here) by “unixfreaxjp” of the MalwareMustDie team.

The analysis is lucid and clear: in the reversed samples there are many traces of a collection of attacks that lead back to a collection of different source codes.

One of them is the Layer 7 (HTTP) attack shown in the picture below, which documents how this kind of malware tries to evade anti-DDoS services such as Cloudflare.


From unixfreaxjp’s analysis of the Cayosin binary we can understand that the core of the artifact is the “integration” of different botnet source codes, as is also well documented by reading the now-deleted Instagram profile of the 13-year-old “scriptbots/unholdable” who implemented this botnet. The STD attack, Tsunami and Christmas (Xmas) DDoS attacks were adapted from the Kaiten botnet, along with more flood combinations taken from Qbot/Lizkebab/Torlus/Gafgyt variants: multiple attack methods, integrated from multiple source codes into the same artifact, provided “as a service” to other teens or threat actors and sold offhandedly on Instagram. From the Mirai source code, Cayosin took the table scheme used to hide the strings the botnet needs to brute-force the telnet login credentials of known vulnerable IoT devices, along with other Mirai functionality. Clearly the coder did not update much on the C2 side, which explains why the base protocol of the botnet is still the Qbot/Torlus one.
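The Mirai table scheme mentioned above has been public since the Mirai source leak: every string the bot needs (credentials for the telnet brute force, paths, the C2 hostname) is stored XORed with the four bytes of a 32-bit key applied one after the other, and decoded only while in use, so the plain `strings` output of a sample is empty. The following script is an added example written for this page, not MalwareMustDie’s or PERCH’s tooling: it reproduces that transform, shows why it collapses to a single-byte XOR, and carves candidate strings out of a blob the way a reverser does when triaging a Cayosin-style sample. The key 0xdeadbeef is Mirai’s published default and a fork may change it; the blob and its contents are constructed.

```python
"""Mirai-style string table obfuscation, as inherited by Cayosin.

Added example, not MalwareMustDie's or PERCH's tooling. The transform matches the
leaked Mirai table.c (each byte XORed with the four bytes of a 32-bit key in
turn); the 0xdeadbeef key is Mirai's published default and a fork may use another.
The sample blob is constructed for the example.
"""
from typing import List, Tuple

MIRAI_DEFAULT_KEY = 0xDEADBEEF


def toggle_obf(data: bytes, key: int = MIRAI_DEFAULT_KEY) -> bytes:
    """Mirai's toggle_obf(): XOR every byte with k1, then k2, k3, k4 (an involution,
    so the same call both hides and reveals)."""
    k = [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    out = bytearray(data)
    for i in range(len(out)):
        for kb in k:
            out[i] ^= kb
    return bytes(out)


def effective_key(key: int = MIRAI_DEFAULT_KEY) -> int:
    """Four XORs in turn are one XOR with their combination, so the 'table key'
    is really a single byte (0x22 for 0xdeadbeef)."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key >> shift) & 0xFF
    return k


def carve_strings(blob: bytes, key: int = MIRAI_DEFAULT_KEY, min_len: int = 4) -> List[Tuple[int, str]]:
    """Decode the blob with the table key and return (offset, text) for every
    NUL-terminated run of printable ASCII at least min_len long: the strings a
    sample keeps in its table even when `strings` on the binary shows nothing."""
    plain = toggle_obf(blob, key)
    found, start = [], None
    for i, c in enumerate(plain + b"\x00"):
        printable = 32 <= c < 127
        if printable and start is None:
            start = i
        elif not printable:
            if start is not None and i - start >= min_len and c == 0:
                found.append((start, plain[start:i].decode("ascii")))
            start = None
    return found


def build_table(entries: List[bytes], key: int = MIRAI_DEFAULT_KEY) -> bytes:
    """Pack NUL-terminated entries the way the bot stores them (constructed helper
    for the example; real samples keep a (pointer, length) array alongside)."""
    return b"".join(toggle_obf(e + b"\x00", key) for e in entries)
```

If carving with the default key yields nothing, the fork has changed the constant: a single-byte XOR brute force over all 256 values, keeping the key that produces the most NUL-terminated printable runs, recovers it in a fraction of a second.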

A ready-to-use botnet build sold for $20 a month, “full options”, with an expiry token and functionality to ban the users who did not renew the expired “licence”.

The combination of several capabilities in the botnet has also been well documented by the PERCH Security Threat Report, whose detailed analysis confirms the set of functionalities used in Cayosin and adds a deeper OSINT investigation of the threat source.

The PERCH report states: “Cayosin largely recycles exploits utilized by other botnets, like Mirai, though the injections reference”, like the GPON attack that was documented on the crew’s Instagram profile, so openly that an external observer could easily follow the day-by-day findings of new exploits and methods that were then implemented in the malware to enrich the harmful capability of the new “product”.

They candidly state this in their Instagram Stories: “New Methods, DM me if you want to know more.”

Image downloaded by Odisseus from the Instagram profile of the threat actor

PERCH has understood it well, and in fact writes: “This is not the team’s first tool. They have created a few along the way like Summit, Tragic, and about a dozen others. You can learn more about these tools by following the various Instagram accounts of the crew. They seem interested in building tools to DDoS and boast about taking down services with OVH, Choopa, NFO – and if the hype is real, maybe even Rocket League servers.”

At this point it cannot be excluded that Cayosin is only an evolution of many other botnets made by the same threat actor (or crew), and in particular of the botnet named Messiah. Below is the advertisement of the Messiah botnet, with features that recall the capabilities of the Cayosin botnet. Check the following exclusive image:

  • Features:  Admin of accounts, Add user
    commands, Kick user commands, Full chat, On line user list, Bot limits for
    account, Full bot type list, Port Scanner and Resolver
  • Methods: Reg UDP, Reg TCP, STD Hex, CNC Flood, Stomp Flood, Xmas and VSE
  • Replication Exploits: GPON, Telnet, Realtek, Tr064, Huawai
Image downloaded by Odisseus from the Instagram profile of the threat actor

What we learn from the evolution of botnets is the adaptation of source code: once one bad-actor coder implements something different and other coders find it useful, they adopt the capability by merging source codes. Each coder and botnet provider races against the others to present their botnet technology as the better one, to attract the market: youngsters and actors interested in renting the best service.

The conclusion is given by the MalwareMustDie team, the group we all know for its years of struggle against botnet coders, in a public tweet that summarises the situation in a single word: “Money”. “The veteran DDoS botnet hackers are facilitating frameworks for surviving the DDoS ELF IoT botnet as the income engine: from coordination of each type of coder, linking DDoS-as-a-service sites (known as stressers or bruters) to providing the botnet control via API, then supplying infrastructure, assisting the newbies with setups; with all this effort these veterans are urging and provoking green and young actors to do their own botnets. The money scheme follows in these processes by first taking these youngsters’ “weekly allowance”, then getting merit from the botnets used by the rented “boaters”, till making profits from cuts taken case by case through the arrangement of the API used for bruters/stressers platforms for the attackers that pay for the DDoS service.”

In the end, it is all about the money circulation scheme that fuels the existence of the IoT botnets, their coders and the stressers behind them. Disrupting this money flow may give us a chance to disrupt this badness strongly enough to force the scheme into discontinuation.

Additional glossary:
*) boaters: those who use a rented botnet
*) herders: those who herd a botnet
*) stressers or bruters: the front ends of DDoS-as-a-service sites

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

unixfreaxjp – team leader of the MalwareMustDie team.

Pierluigi Paganini

(SecurityAffairs – Cayosin Botnet, cybercrime)

The post Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem appeared first on Security Affairs.

The NATO Communications and Information Agency (NCI) announced the opening of the fourth annual Defense Innovation Challenge (NITEC19) to start-ups, SMEs and academia.


The Agency calls for proposals on solutions that could support NATO’s command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) and of course to improve cyber capabilities.

According to the official website, the challenge focuses on data science and natural language processing, for this reason, NATO Communications and Information Agency is accepting submissions in the following priority areas:

  • Data science tools and approaches for a) Natural Language Processing for semantics and sentiment analysis, or b) processing data from maritime environments;
  • Capabilities for sensing the maritime environment;
  • Solutions to the telecommunication challenges of the High North.

The challenge aims at accelerating transformational, state-of-the-art technology solutions from participants to support NATO’s C4ISR and improve its cyber capabilities.

“The NITEC innovation challenge,” said Mike Street, Head of innovation and data science at the NCI Agency, “is a great way for a wide range of companies and organizations to share their innovative products and services with the NCI Agency. It is one of the routes we use to ensure that NATO’s technology experts stay aware of how innovative technologies are being applied.”

The top ten proposals will be presented in a 5-minute pitch during the plenary session of the NITEC19 event. The winner will receive a prize of 10,000 EUR and will also run a formal pilot with the NCI Agency to demonstrate their solution.

“We are seeking to broaden engagement with innovative technology drivers as NATO undergoes its largest technological modernization in decades,” said NCI Agency General Manager Kevin J. Scheid.

Proposals must be received by 22 March, and the Agency will announce the winners on 8 April.

Pierluigi Paganini

(SecurityAffairs – NITEC19, NATO)

The post NITEC19 – NATO Opens Defense Innovation Challenge calls for C4ISR solutions appeared first on Security Affairs.

Crooks leverage Google Translate service as camouflage on mobile browsers in a phishing campaign aimed at stealing Google account and Facebook credentials.

Security expert Larry Cashdollar, a member of Akamai’s Security Intelligence Response Team (SIRT), discovered that cybercriminals are carrying out a new phishing attack that uses Google Translate as camouflage.

The phishing campaign targets both Google and Facebook accounts; routing the page through Google Translate lets the attackers present the phishing form as if it were served from a legitimate Google domain, which makes the attack harder to spot on mobile browsers.

The phishing emails pose as alerts from Google informing users that their account was accessed from a new Windows device. The malicious emails carry the subject “Security Alert” and try to trick victims into clicking a “Consult the activity” button to see more information about the supposed unauthorized access.

When a user clicks the link embedded in the phishing message, they are redirected to a Google Translate page that loads a phishing page imitating the Google Account login.

The expert pointed out that this kind of attack could be easily detected by users on desktop browsers because the Translate toolbar is visible.

On mobile browsers it is much more difficult to realise that the displayed page is being served through Google Translate, because the service’s interface is minimal there.

“Using Google Translate does a number of things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses.” reads the analysis published by Cashdollar.

“However, while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer.”
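Because the address bar shows a Google host, the useful check for a mail filter or an analyst is to unwrap the proxy link and look at where it really points. The following is an added example written for this page, not Akamai’s or Cashdollar’s code: it recognises the website-translation form used in this campaign (`translate.google.<tld>/translate?...&u=<target>`), pulls out the target, and rates the link against the hosts a Google or Facebook login should be served from. The `*.translate.goog` branch handles the newer proxy form the service moved to later; its dash-for-dot encoding is an assumption about the current service, not something on this page. The sample URLs are constructed.

```python
"""Unwrap Google Translate proxy links and rate login links found in mail.

Added example, not Akamai's or Cashdollar's code. The translate?u= form is the
one described above; the *.translate.goog handling (dots become dashes, literal
dashes are doubled) is an assumption about the newer proxy form. Sample URLs
are constructed.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Where a real login for the brands targeted in this campaign should be served from.
EXPECTED_LOGIN_HOSTS = {
    "google": {"accounts.google.com"},
    "facebook": {"www.facebook.com", "m.facebook.com", "facebook.com"},
}


def unwrap_translate(url: str) -> Optional[str]:
    """Return the real destination behind a Google Translate proxy URL, or None
    if the URL is not a Translate proxy link."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # Form used in this campaign: https://translate.google.<tld>/translate?...&u=<target>
    if host.startswith("translate.google.") and parts.path.rstrip("/") == "/translate":
        target = parse_qs(parts.query).get("u")
        return target[0] if target else None
    # Newer form (ASSUMED encoding): https://www-example-com.translate.goog/<path>
    suffix = ".translate.goog"
    if host.endswith(suffix):
        label = host[: -len(suffix)]
        real_host = label.replace("--", "\0").replace("-", ".").replace("\0", "-")
        return f"{parts.scheme}://{real_host}{parts.path}"
    return None


def rate_login_link(url: str, brand: str) -> str:
    """'ok' when the link goes straight to an expected host for the brand;
    'suspicious:<reason>' otherwise. The real service never serves its login
    page through Translate, so a proxied login link is enough to flag on its own."""
    expected = EXPECTED_LOGIN_HOSTS[brand]
    target = unwrap_translate(url)
    if target is not None:
        real = (urlparse(target).hostname or "").lower()
        return f"suspicious:translate-proxy->{real or '?'}"
    host = (urlparse(url).hostname or "").lower()
    if host in expected:
        return "ok"
    return f"suspicious:unexpected-host:{host or '?'}"


if __name__ == "__main__":
    sample = ("https://translate.google.com/translate?hl=en&sl=auto&tl=en"
              "&u=https://203.0.113.10/google/login.php")   # constructed, 203.0.113.0/24 is a documentation range
    print(unwrap_translate(sample))
    print(rate_login_link(sample, "google"))
```

The same unwrapping applies to any translation or caching proxy that puts a trusted domain in front of attacker content: rate the link on the unwrapped host, never on the one the browser displays.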

When the victims provide their Google/Facebook credentials to the phishing page, a script will send them to the attacker via email.

Once they have the victim’s Google credentials, the attackers carry out a second phishing step to obtain Facebook credentials as well.

According to Cashdollar, the Facebook phishing page was not as well optimized for mobile and was very easy to spot.

“Some phishing attacks are more sophisticated than others. In this case, the attack was easily spotted the moment I checked the message on my computer in addition to seeing it on my mobile device. However, other, more clever attacks fool thousands of people daily, even IT and Security professionals.” concludes the expert.

“The best defense is a good offense. That means taking your time and examining the message fully before taking any actions.”

Pierluigi Paganini

(SecurityAffairs – phishing, Google Translate)

The post Phishing campaign leverages Google Translate as camouflage appeared first on Security Affairs.

Security experts at Google discovered that two of the zero-day vulnerabilities patched by Apple with the release of iOS 12.1.4 were exploited in the wild.

Security researchers at Google revealed that two of the zero-day flaws addressed by Apple with the release of iOS 12.1.4 were exploited in the wild.

Apple iOS 12.1.4 addresses four vulnerabilities: two issues associated with the FaceTime bug and two memory corruption flaws that could be exploited by attackers to elevate privileges and execute arbitrary code.

The CVE-2019-7287 vulnerability affects IOKit and can be exploited by a malicious app to execute arbitrary code with kernel privileges.

“An application may be able to execute arbitrary code with kernel privileges.” reads the security advisory.

“A memory corruption issue was addressed with improved input validation.”

The CVE-2019-7286 vulnerability impacts the Foundation component in iOS, it could allow a malicious application to gain elevated privileges.

“An application may be able to gain elevated privileges” continues the advisory. “A memory corruption issue was addressed with improved input validation.”

The flaws were discovered by Clement Lecigne of Google Threat Analysis Group, and Ian Beer and Samuel Groß of Google Project Zero. Apple also credited an anonymous researcher for the discovery of the vulnerabilities.

Project Zero Team Lead Ben Hawkes revealed that both CVE-2019-7286 and CVE-2019-7287 have been exploited in the wild. Google experts did not reveal technical details on the attacks they observed in the wild.

Google Project Zero researcher Tavis Ormandy added that three of the four vulnerabilities addressed by Apple were exploited by attackers in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, iOS 12.1.4)

The post Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild appeared first on Security Affairs.