Thursday, January 18, 2018

Tag: password-protected

The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process.

Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe.

But some samples employ other interesting methods. We're going to discuss one such type of malware.

We're already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks.
Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it 'Microcin' after microini, one of the malicious components used in it.
Report uncovers a litany of lapses in voting system used statewide.
OBD-II devices are used to provide telematics information for managers of fleets of vehicles. One type of device, manufactured by CalAmp, has an SMS (text message) interface. We have found multiple deployments where no password was configured for this interface by the integrator/reseller.

Companies using the CalAmp hardware should be aware that they need to set a password or disable SMS.
Vendors were notified and the SMS interface was disabled or password-protected by all vendors known to be affected.
Patch or perish

Some 2,000 MongoDB installations have been compromised by an attacker demanding administrators pay 0.2 bitcoins (US$206) to have lost data returned.

Victor Gevers (@0xDUDE), penetration tester and chairman of the, noticed the attacks while reporting exposed non-password-protected MongoDB installations to owners. One open server contained a ransom warning message in place of the database content Gevers expected. Rather than encrypt the data, the attacker, "harak1r1," ran a script that replaced the database's content with the ransom message. So far 16 organisations appear to have paid harak1r1.

John Matherly, the brains behind security search engine Shodan, where many exposed MongoDBs can be found, has warned since 2015 of the dangers of exposed installations. Back then he warned of some 30,000 exposed MongoDB instances open to the internet without access controls, a number that has since fallen to about 25,000, with version 2.4.9 being the most popular install.

Gevers told BleepingComputer old MongoDB instances were deployed to cloud services, saying a whopping 78 percent of Amazon Web Services hosts were running known-vulnerable versions of the platform. Those old versions exposed databases to the internet, a problem that is fixed in the current releases.

Gevers says he is receiving requests for assistance from ransomed and exposed organisations, and recommends MongoDB administrators check logs and ensure unauthorised accounts have not been added.
Microsoft security researchers warn that after a brief quiet period, the Cerber ransomware family has reemerged with a vengeance to target holiday shoppers and enterprise business data files.

The holidays are no time to drop one's guard when it comes to cyber-security. After tracking the popular Cerber ransomware family and noticing a decline in activity earlier this month, the Microsoft Malware Protection Center warns that attackers have ratcheted up their efforts during what is considered a slow period at many businesses, but a prime shopping time for online bargain hunters.

Microsoft's security researchers have uncovered a pair of new campaigns, including a flood of new spam that exploits the uptick in ecommerce transactions during the season.

The Cerber ransomware is constantly evolving. Not content with encrypting user files and holding them for ransom, last month Cerber's authors expanded into databases and files associated with critical business applications. Version 4.1.5 of the ransomware was coded to seek out Microsoft Access, MySQL and Oracle database files.

In some cases Cerber shuts down running databases so that the malware can encrypt files in use. In the latest wave, attackers are spamming inboxes with malicious attachments that download and install the ransomware.

The malware masquerades as password-protected zip files.

The passcode is typically provided in the body of the email, which purportedly contains online order and delivery details; supplying the password in the message itself is another red flag for potential malware.

Attackers are also using an exploit kit to spread Cerber over malicious and compromised websites.

The sites use vulnerabilities like those found in older versions of Adobe Flash to download and execute the latest version of Cerber on a victim's machine.

This tactic is proving particularly effective in Asia and Europe, telemetry data from Microsoft's Windows Defender anti-malware software shows.

Adding a new wrinkle in Cerber's development, version information has been removed from the ransomware's configuration data, making it somewhat tougher to track its evolution, observed Microsoft security specialists Rodel Finones and Francis Tan Seng, in their exhaustive analysis of the threat.

Cerber is also casting a wider net, targeting an additional 50 file types, while excluding .cmd, .exe and .msi, a first for this type of ransomware. Cerber also now prioritizes Office folders containing critical files, suggesting that attackers are targeting enterprise environments.

Corporate networks are overflowing with sensitive information and business-critical software, adding urgency to efforts to protect against ransomware and its damaging effects.

Behind the scenes, two sets of additional IP address ranges have been added to the command-and-control server setup used by the malware to communicate with attackers.

Finally, a Tor proxy site has replaced the three proxy sites that formerly provided a payment site.

The privacy-enhancing Tor (The Onion Router) network employs encryption and relays to conceal an Internet user's location.

"For cyber-criminals, releasing a new version of malware not only increases [the] likelihood of evading antivirus detection; it's also a way of increasing the complexity of malware," the Microsoft security researchers noted. "Cerber's long list of updated behavior indicates that the cyber-criminals are highly motivated to continue improving the malware and the campaigns that deliver it."
The very nature of wireless Wi-Fi networks means that hackers or criminals simply need to be located near an access point in order to eavesdrop and intercept network traffic. Poorly configured access point encryption or services that allow data to be sent without any encryption pose a serious threat to user data. Confidential data can be protected by encrypting traffic at wireless access points.
In fact, this method of protection is now considered essential for all Wi-Fi networks.

But what actually happens in practice? Is traffic always encrypted on public Wi-Fi networks? How does the situation differ from country to country? Kaspersky Security Network statistics can answer all these questions. We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us (this obviously excludes Antarctica and other regions where there is not enough data to draw any conclusions).

Security of Wireless Networks

Using statistics from Kaspersky Security Network (KSN), we analyzed data from across the world for almost 32 million Wi-Fi hotspots accessed by the wireless adapters of KSN users.

[Chart: Encryption type used in public Wi-Fi hotspots across the world]

Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all.

This basically means that by using an antenna capable of sending and receiving data at 2.4 GHz, any individual located near an access point can easily intercept and store all user traffic and then browse it for data they are interested in.

Fortunately, modern online banking systems and messengers do not transfer unencrypted data.

But this is the only thing that prevents users of Wi-Fi networks with unencrypted traffic from revealing their passwords and other essential data when using an unsecure access point. The WEP (Wired Equivalent Privacy) protocol for encryption of data transferred over Wi-Fi is used by approximately 3.1% of all analyzed access points.

The protocol was the first to be created, quite a long time ago, and is now completely unreliable – it would take hackers just a few minutes to crack it.

From a data security point of view, using WEP is not much different from using open networks.

This protocol is being relegated to oblivion everywhere, but as we see from the chart above, it can still be found in use. Around three-quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA) protocol family.

The protocols from this family are currently the most secure.

The effort required to hack WPA depends on its settings, including the complexity of the password set by the hotspot owner.
It is worth noting that an attempt to decipher traffic from “personal” (WPA-Personal, PSK authentication) wireless networks (with public access points) can be made by intercepting the handshakes between the access point and the device at the beginning of the session. “Corporate” versions are protected from this sort of interception because they use internal company authorization. When it comes to “personal” WPA2 attacks, the situation is similar to that of WPA and mostly depends on the strength of the password set by the hotspot owner. It is only fair to note that during a standard attack on a Wi-Fi access point, a personal computer can generate from 50 to 300 keys per second on average.
If the encryption key is strong, it will take years to hack it.
Still, no one can guarantee that the key used at a cafe will be secure and that the attacker will have nothing but a PC at their disposal. Overall, it can be said that today’s WPA/WPA2 “non-enterprise” versions are reasonably, but not absolutely, secure.
In particular, they allow brute-force and dictionary attacks.

There are ready-to-use publicly available tools (aircrack-ng and similar software) for performing such attacks, as well as a large number of manuals.

Geography of Unsecured Wi-Fi Access Points

[Chart: Share of Wi-Fi hotspots that use unreliable WEP or do not encrypt data (by country)]

We would like to note that the five countries with the highest proportion of unsecured connections include Korea (47.9% of unsecured Wi-Fi access points), while France (40.14%) and the US (39.31%) rate 9th and 12th respectively in the list. Germany appears to be the most secure among Western European countries, with 84.91% of access points secured by WPA/WPA2 protocol encryption.

[Chart: Share of Wi-Fi hotspots that use WPA/WPA2 (by country)]

However, even when using an encrypted connection, you should not completely rely upon this security measure.

There are several scenarios that could compromise even well-encrypted network traffic.

These include fake access points with names that duplicate or mimic real ones (for example, TrainStation_Free or TrainStation Free) and compromised routers forwarding traffic without encryption to attackers (malware tools that infect such devices are already “in the wild”).

At any rate, taking care of your own security is a good idea.

Recommendations for Users

There are several simple rules that help protect personal data when using open Wi-Fi networks in cafes, hotels, airports, and other public places. Do not trust networks that are not password-protected. Even if a network requests a password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection with the same password.

This allows them to easily steal personal user data. You should only trust network names and passwords given to you by employees of the establishment. To maximize your protection, turn off your Wi-Fi connection whenever you are not using it.

This will also save your battery life. We recommend disabling automatic connection to existing Wi-Fi networks too. If you are not 100% sure the wireless network you are using is secure, but you still need to connect to the internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely not perform any online banking operations or enter your bank card details anywhere. To avoid being a target for cybercriminals, you should enable the “Always use a secure connection” (HTTPS) option in your device settings.
It is recommended to enable this option when visiting any websites you think may lack the necessary protection. If possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning criminals won’t be able to read your data, even if they gain access to them. And, of course, you should use dedicated security solutions.

They inform users about any potential dangers when connecting to a suspicious Wi-Fi network and prevent any passwords or other confidential data from being compromised if there is a threat. One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security.

This module protects users connected to Wi-Fi networks by providing a secure encrypted connection channel.
Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (mail services, social networks, etc.).
If you step away from your computer, an attacker could quickly insert a USB stick and take control using a series of vulnerabilities. The device costs only $5.

While most people know not to leave their computer alone in a public space, locking the system with a password gives many users a feeling of security. A new hacking tool released this week has shown how illusory that feeling is, demonstrating the danger of leaving any system unsupervised.

The tool, known as PoisonTap, can be loaded onto a $5 Raspberry Pi barebones computer and will take over the internet connection of any system to which it is connected. Once plugged in, the program will steal the victim’s cookies for the top 1 million Web sites, expose internal routers to the Internet, and allow remote access to the system.

The hacker behind the program, Samy Kamkar, a security researcher best known for creating the MySpace worm in 2005, announced the tool on Nov. 16. “When plugged into a locked or password-protected computer, it takes over all internet traffic momentarily,” Kamkar said in a video explaining the attack. “The back door and remote access persists even after the device is removed and you walk away.”

The attack is a bold demonstration that leaving a computer unattended is never a good idea.

When PoisonTap is plugged into a computer the device masquerades as an Ethernet device. The computer immediately sends a request to PoisonTap for an IP address, even if it is locked or password-protected. The address that PoisonTap returns makes it seem that “almost all IP addresses on the Internet are part of PoisonTap’s LAN,” Kamkar said. The result is that the targeted computer will send all its Internet traffic through PoisonTap.

PoisonTap will intercept any requests to the Web and steal cookies to the top 1 million Web sites. The cookies could then be used by an attacker to automatically log into sites without needing a username and password, although the effectiveness of such an attack depends on the site’s security requirements.

The program can also poison the browser cache and redirect requests for certain Web sites to go to an attacker-owned site, essentially giving control of the browser to the attacker, Kamkar said. “Whenever the Web socket is open, the attacker can remotely send commands to the victim and force their browser to execute JavaScript code,” he said. “This allows that attacker to make requests as the user, with the user cookies and view the responses, with no visibility to the user.”

There is very little a consumer can do to secure against the attack, he said. “To protect a client machine, I suggest adding cement to all your USB ports,” he said.

The program will not run on computers that have file system encryption, such as FileVault, because the browser does not run in the background. Web sites can protect against parts of the attack by requiring all traffic to use HTTPS. While that seems to be a basic precaution, only 21 percent of the top 100 non-Google sites require HTTPS by default, according to a 2016 analysis by Google.

Overall, the attack is able to avoid a laundry list of security protections, including password-protected lock screens, same-origin policies in the browser, two-factor authentication and DNS pinning.
The perils of leaving computers unattended just got worse, thanks to a newly released exploit tool that takes only 30 seconds to install a privacy-invading backdoor, even when the machine is locked with a strong password. PoisonTap, as the tool has been dubbed, runs freely available software on a $5/£4 Raspberry Pi Zero device. Once the payment card-sized computer is plugged into a computer's USB slot, it intercepts all unencrypted Web traffic, including any authentication cookies used to log in to private accounts. PoisonTap then sends that data to a server under the attacker's control.

The hack also installs a backdoor that makes the owner's Web browser and local network remotely controllable by the attacker.

PoisonTap is the latest creation of Samy Kamkar, the engineer behind a long line of low-cost hacks, including a password-pilfering keylogger disguised as a USB charger, a key-sized dongle that jimmies open electronically locked cars and garages, and a DIY stalker app that mined Google Streetview. While inspiring for their creativity and elegance, Kamkar's inventions also underscore the security and privacy tradeoffs that arise from an increasingly computerized world. PoisonTap continues this cautionary theme by challenging the practice of password-protecting an unattended computer rather than shutting it off or, a safer bet still, toting it to the restroom or lunch room. Kamkar told Ars:

The primary motivation is to demonstrate that even on a password-protected computer running off of a WPA2 Wi-Fi, your system and network can still be attacked quickly and easily.

Existing non-HTTPS website credentials can be stolen, and, in fact, cookies from HTTPS sites that did not properly set the 'secure' flag on the cookie can also be siphoned. Unsecured home or office routers are similarly at risk. Kamkar has published the PoisonTap source code and additional technical details here and has also released the following video demonstration:
[Video: PoisonTap - exploiting locked machines w/ Raspberry Pi Zero]

Once the device is inserted in a locked Mac or PC (Kamkar said he hasn't tested PoisonTap on a Linux machine), it surreptitiously poisons the browser cache with malicious code that lives on well after the tool is removed.

That makes the hack ideal for infecting computers while they are only briefly unattended. Here's how it works. Once the PoisonTap software is installed, the Raspberry Pi device becomes a miniature Linux computer that presents itself as an Ethernet network. Like a router, it's responsible for allocating IP addresses for the local network through the dynamic host configuration protocol.
In the process, the device becomes the gateway for sending and receiving traffic flowing over the local network.
In this sense, PoisonTap is similar to a USB exploit tool demonstrated in September that stole login credentials from locked PCs and Macs. Through a clever hack, however, PoisonTap is able to become the gateway for all Internet traffic as well.
It does this by defining the local network to include the entire IPv4 address space. With that, the device has the ability to monitor and control all unencrypted traffic the locked computer sends or receives over its network connection. PoisonTap then searches the locked computer for a Web browser running in the background with an open page. When it finds one, the device injects HTML iframe tags into the page that connect to the top 1 million sites ranked by Alexa.

Because PoisonTap masquerades as the HTTP server for each site, the hack is able to receive, store, and upload any non-encrypted authentication cookies the computer uses to log in to any of those sites. Given its highly privileged man-in-the-middle position, PoisonTap can also install backdoors that make both the Web browser and connected router remotely accessible to the attacker.

To expose the browser, the hack leaves a combination of HTML and JavaScript in the browser cache that produces a persistent WebSocket. PoisonTap uses what's known as a DNS rebinding attack to give remote access to a router. That means attackers can use PoisonTap to remotely access a browser as it connects to a website or to gain administrative control over the connected router.

Attackers still must overcome any password protections safeguarding an exposed router.

But given the large number of unpatched authentication bypass vulnerabilities or default credentials that are never changed, such protections often don't pose much of an obstacle. PoisonTap challenges a tradition that can be found in almost any home or office—the age-old practice of briefly leaving a locked computer unattended.

And for that reason, the ease and thoroughness of the hack may be understandably unsettling for some people.
Still, several safeguards can significantly lower the threat posed by the hack.

The first is to, whenever possible, use sites that are protected by HTTPS encryption and the transmission of secure cookies to prevent log-in credentials from being intercepted.

A measure known as HTTP Strict Transport Security is better still, because it prevents attack techniques that attempt to downgrade HTTPS connections to unsecured HTTP. As a result, neither Google nor Facebook pages can be triggered by computers infected by PoisonTap.
Sadly, multi-factor authentication isn't likely to provide much protection because it generally isn't triggered by credentials provided in authentication cookies. End users, meanwhile, should at a minimum close their browsers before locking their computer or, if they're on a Mac, be sure to enable FileVault2 and put their machine to sleep before walking away, since browsers are unable to make requests in such cases. Regularly flushing browser caches is also a sound, albeit imperfect, measure.
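A defender-side check for the two site-side mitigations named above, the Secure flag on cookies and HTTP Strict Transport Security, written as an added example that is not part of the Ars article or of Kamkar's PoisonTap code; the header sets it audits are constructed samples, not captured from any real site.

```python
"""Audit a site's response headers for the weaknesses PoisonTap relies on.

Added example, not code from the Ars article or from the PoisonTap tool.
It flags cookies without Secure/HttpOnly and a missing or short HSTS policy,
using constructed Set-Cookie / HSTS headers (no real site was queried).
"""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]
ONE_YEAR = 31536000  # seconds; a common minimum for a meaningful HSTS policy


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into the cookie name and its flags."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return {
        "name": name.strip(),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite"),
    }


def hsts_max_age(headers: Headers) -> Optional[int]:
    """Return the HSTS max-age in seconds, or None if the header is absent or malformed."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                try:
                    return int(directive.split("=", 1)[1])
                except ValueError:
                    return None
    return None


def audit_headers(headers: Headers) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not cookie["secure"]:
            # Without Secure the browser sends this cookie in the plain-HTTP
            # requests that injected iframes trigger, exposing the session.
            findings.append(f"cookie {cookie['name']} lacks Secure")
        if not cookie["httponly"]:
            findings.append(f"cookie {cookie['name']} lacks HttpOnly")
    max_age = hsts_max_age(headers)
    if max_age is None:
        findings.append("no Strict-Transport-Security header")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is shorter than one year")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
HARDENED_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```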

For the truly paranoid, it may make more sense to simply bring laptops along or to turn off machines altogether.
The spear-phishing e-mail received by Clinton campaign staffer William Rinehart matches messages received by both former Secretary of State Colin Powell and Clinton campaign chairman John Podesta. (Image: The Smoking Gun)

The breach of personal e-mail accounts for Clinton presidential campaign chairman John Podesta and former Secretary of State Colin Powell has now been tied more closely to other breaches involving e-mail accounts for Democratic party political organizations. Podesta and Powell were both the victims of the same form of spear-phishing attack that affected individuals whose data was shared through the “hacktivist” sites of Guccifer 2.0 and DCLeaks. As Ars reported in July, the spear-phishing attack used custom-coded shortened URLs containing the e-mail addresses of their victims.

The URLs appeared in e-mails disguised to look like warnings from Google about the victims’ accounts.

These spear-phishing attacks were tracked by the security firm SecureWorks as part of the firm’s tracking of the “Fancy Bear” threat group (also known as APT28), a hacking operation previously tied to a phishing campaign against military and diplomatic targets known as Operation Pawn Storm. As The Smoking Gun reported in August, one of these e-mails was sent to William Rinehart, a staffer with the Clinton presidential campaign. Rinehart’s e-mails were leaked on the DCLeaks site.

DCLeaks also carried the e-mails of Sarah Hamilton, an employee of a public relations firm that has done work for the Clinton campaign and for the DNC. Hamilton's e-mails were offered to The Smoking Gun by someone claiming to be Guccifer 2.0 via a password-protected link on the DC Leaks site. E-mails with the same crafted Web addresses were found in the e-mails of both Podesta and Powell, as Motherboard’s Lorenzo Franceschi-Bicchierai reports. Podesta’s e-mails were shared by WikiLeaks; Powell’s were posted on DCLeaks.

That would suggest a firm connection between the DC Leaks / Guccifer 2.0 campaign (already linked to Russian intelligence) and the source of the WikiLeaks DNC files.
Odinaff shares links with Carbanak

A second group of hackers – Odinaff – has broken into the SWIFT system, the fulcrum of the global financial payments system. Odinaff were found to be using the same approach as those who stole $81m from the Bangladesh central bank earlier this year. Attacks involving the Odinaff trojan and associated tools appear to have begun in January, 2016.

The attacks have hit a wide range of regions with the US the most frequently targeted, followed by Hong Kong, Australia, the UK, and Ukraine. It’s unclear to what extent these attacks have been successful – much less how much money the hackers have extracted. The targets are mostly banks and other financial institutions. Malware is spread through spear-phishing emails, many of which come with malicious macros. Password-protected RAR archives are another potential lure. Some Odinaff infections have been pushed through botnets onto already-infected machines.
Security firm Symantec has found evidence of tools capable of manipulating SWIFT customers’ transfer logs and wiping computers to hide traces of activity, it claims. “The attacks involving Odinaff share some links to the Carbanak group, whose activities became public in late 2014,” according to its security response team. “Carbanak also specializes in high-value attacks against financial institutions and has been implicated in a string of attacks against banks, in addition to point of sale intrusions.” Three command and control IP addresses connected to previously reported Carbanak campaigns also feature in Odinaff.
It may be that the two groups are cooperating with each other.

Kevin Bocek, chief cybersecurity strategist at Venafi, said: “These attacks on SWIFT are like old-school bank robberies for a digital age; the hackers are taking money right from the bank’s safe.”

“This is a shift from previous attacks that have been more focused on stealing from banking customers. After the success of the first SWIFT hack, it’s unsurprising to see the headlines doing the rounds again and I’d be shocked if this is the last we see of it.”
Symantec warns of the growing risk from a malware variant that is targeting the SWIFT messaging system that banks use for financial transfers. Symantec issued a warning on Oct. 11 about an emerging malware dubbed Odinaff that is going after the SWIFT m...