
Tag: Proxy Server

Inmates built computers hidden in ceiling, connected them to prison network

Ohio prison's lax supervision was akin to "an episode from Hogan's Heroes."

Unraveling the Lamberts Toolkit

The Lamberts is a family of sophisticated attack tools that has been used by one or multiple threat actors against high-profile victims since at least 2008.

The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers.

JSA10770 – 2017-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in...

CVE CVSS base score Summary CVE-2016-1762 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) The xmlNextChar function in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. CVE-2016-444...

JSA10774 – 2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple...

CVE CVSS base score Summary CVE-2015-5600 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices withi...

Malware-Ridden Word Docs Lead To Microsoft Alert Blurt

MICROSOFT HAS taken the trouble to warn Windows users about an attack that takes what trust people have left in the software and throws it out of the window. The firm explained that the problem involves macros and the use of social engineering. People are tricked into downloading and then enabling malicious content that ultimately leads to trouble when they innocently use Word. "Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigation investments in Windows," said the firm in a Microsoft TechNet blog post suggesting that this is a cheap shot by hackers. "Tricking a user into running a malicious file or malware can be cheaper for an attacker than building an exploit which works on Windows 10. We recently came across a threat that uses the same social engineering trick but delivers a different payload." Microsoft explained that the payload's primary purpose is to change a user's browser Proxy Server setting, which could result in the theft of authentication credentials or other sensitive information. "We detect this JScript malware as Trojan:JS/Certor.A. What's not unique is that the malware gets into the victim's computer when the victim clicks the email attachment from a spam campaign," the post said. Microsoft added that people really ought not to click on links from people or outfits that they do not know or trust.

This is good, if perhaps hoary and often ignored, advice. "To avoid attacks like we have just detailed, it is recommended that you only open and interact with messages from senders and websites that you recognise and trust," explained the firm. "For added defence-in-depth, you can reduce the risk from this threat by following [our] guidance to adjust the registry settings to help prevent OLE Embedded Objects executing altogether or running without your explicit permission." Just don't click untrusted links, people.

New Brazilian Banking Trojan Uses Windows Powershell Utility

Microsoft’s PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated. The banking Trojan is identified as “Trojan-Proxy.PowerShell.Agent.a” and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab’s Global Research and Analysis Team in a Securelist blog on Thursday. The banking Trojan is being delivered via a phishing campaign where emails are masquerading as a receipt from a mobile carrier.

A malicious .PIF (Program Information File) attachment is used to attack the target’s PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run. In the case of “Trojan-Proxy.PowerShell.Agent.a” the PIF file changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks, Assolini said.

Those changes in the system are made using a PowerShell script. The browser aspect of the attack is identical to how cybercriminals have exploited proxy auto-config (PAC) files in previous attacks, Assolini said. PAC files are designed to enable browsers to automatically select which proxy server to use to get a specific URL. “It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script,” Assolini wrote. Not only are Internet Explorer users affected, but also users of Firefox and Chrome. The malware has no command and control communication.
Instead, once the .PIF file is launched, the “powershell.exe” process is spawned and the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1” is cued.

This is an attempt to bypass PowerShell execution policies, Assolini said.

The malware changes the file prefs.js, inserting the malicious proxy change. After being infected by “Trojan-Proxy.PowerShell.Agent.a”, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server.

The proxy domains used in the attack use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands, where there are several phishing pages for Brazilian banks, according to Assolini. According to Kaspersky Lab, Brazil was the most infected country when it comes to banking Trojans in Q1 2016. “Attackers (developing Brazilian malware) are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection,” notes a Securelist post from March.

That stands in stark contrast to Brazilian malware that not long ago was described as simple and easy to detect. Researchers believe Brazilian cybercriminals have upped their game by adopting new techniques as a result of collaboration with their European counterparts.

Brazilian banking Trojans meet PowerShell

Crooks are always creating new ways to improve the malware they use to target bank accounts, and now Brazilian bad guys have made an important addition to their arsenal: the use of PowerShell.

Brazil is the most infected country worldwide when it comes to banking Trojans, according to our Q1 2016 report, and the quality of the malware is evolving dramatically. We found Trojan-Proxy.PowerShell.Agent.a in the wild a few days ago, marking a new achievement by Brazil’s cybercriminals. The malware is distributed using a malicious email campaign disguised as a receipt from a mobile operator with a malicious .PIF file.

After the file is executed it changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks.
It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script.

As Windows 7 and newer OS versions are now the most popular in Brazil, the malware will not face a problem running on victims’ computers. The malware has no C&C communication.

After execution it spawned the process “powershell.exe” with the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1” aiming to bypass PowerShell execution policies.

The .ps1 file in the temp folder uses random names.
It’s a base64 encoded script capable of making changes in the system. After some deobfuscation we can see the goal of the script: to change the Internet Settings key and enable a proxy server on it. The result in the victim’s browser is a small change in the proxy settings. This change will not only affect IE but all other browsers installed in the system as well, as they tend to use the same proxy configuration set on IE.

The proxy domains used in the attack are listed below.

All of them use dynamic DNS services and their goal is to redirect all traffic to a server located in the Netherlands (89.34.99.45), where there are several phishing pages for Brazilian banks:

gbplugin.[REMOVED].com.br
moduloseguro.[REMOVED].com.br
x0x0.[REMOVED].com.br
X1x1.[REMOVED].com.br

The malware also has other features of interest: it checks for the language of the OS and aborts if it’s not PTBR, a clever trick to avoid infecting Windows versions in languages other than Brazilian Portuguese.

To protect a network against malware that uses PowerShell, it is important to modify its execution, using administrative templates that only allow signed scripts. We are sure this is the first of many that Brazil’s bad guys will code.

Hash of the malware: cancelamento.pif -> MD5: 9419e7cd60487532313a43559b195cb0
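Both write-ups above describe the same persistence artefact: a browser silently switched to a manual proxy (the Internet Settings key for IE, and prefs.js for Firefox). A defender's first question is therefore "which endpoints have a proxy configured that we did not approve?". The script below is an added example, not Kaspersky's code and not part of either article; it parses a Firefox prefs.js (the user_pref("name", value); format) and reports every manual proxy host that is not on an allow-list, or the PAC URL if the older PAC variant of the trick is in use. The sample prefs.js is constructed and the host names are placeholders, not the redacted domains from the report.

```python
import json
import re

# Constructed sample of a Firefox prefs.js after a manual proxy has been
# written into it; the host name is a placeholder, not a real domain.
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("app.update.auto", true);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "gbplugin.dyndns-placeholder.invalid");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "gbplugin.dyndns-placeholder.invalid");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""

PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Meaning of network.proxy.type in Firefox
PROXY_TYPE_NAMES = {0: "direct", 1: "manual", 2: "pac", 4: "wpad", 5: "system"}

# Host preferences a manual configuration can set
PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl",
                   "network.proxy.ftp", "network.proxy.socks")


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict. The values are JSON literals
    (double-quoted strings, integers, true/false), so json.loads decodes them."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs


def proxy_findings(prefs, approved_hosts):
    """Return (pref_key, host, port) for every manual proxy host that is not
    in approved_hosts, or ('network.proxy.autoconfig_url', url, None) when
    a PAC file is configured instead. An empty list means nothing unusual."""
    findings = []
    ptype = prefs.get("network.proxy.type", 5)   # Firefox defaults to "system"
    if ptype == 1:
        for key in PROXY_HOST_KEYS:
            host = prefs.get(key)
            if host and host not in approved_hosts:
                findings.append((key, host, prefs.get(key + "_port")))
    elif ptype == 2:
        findings.append(("network.proxy.autoconfig_url",
                         prefs.get("network.proxy.autoconfig_url"), None))
    return findings


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    print("proxy mode:", PROXY_TYPE_NAMES.get(prefs.get("network.proxy.type")))
    # "proxy.corp.example" stands in for whatever proxy your environment really uses
    for key, host, port in proxy_findings(prefs, {"proxy.corp.example"}):
        print(f"unapproved proxy in {key}: {host}:{port}")
```

Run it against the real prefs.js under each Firefox profile directory (and compare the IE ProxyServer/ProxyEnable registry values by the same allow-list) from an endpoint-management job; a proxy host that resolves through a dynamic DNS provider, as all of the domains in this campaign did, is the signal worth alerting on.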

FalseCONNECT sends vendors scrambling to patch proxy MITM bug

Protocols pwned, but patches parachuted for many popular platforms

For the many people that dislike corporate proxies, this probably won't be much of a surprise: a bunch of environments are vulnerable to man-in-the-middle attacks. “FalseCONNECT” is a combination of protocol bug and implementation error – which means it affects end users via operating systems, as well as network devices. The problem is in how two Web protocols interact: HTTP CONNECT (which asks a firewall or proxy to forward a connection, described in RFC 7230), and HTTP Authentication (described in RFC 7235), which the firewall or proxy use to ask users to authenticate. The discoverer, Jerry Decime, explains FalseCONNECT here. If an attacker can see users' requests to connect (for example, via a rogue wireless access point), they can replace the proxy's OK message (expected under RFC 7230) with a “407 Proxy Authentication Required” message – and grab the victim's credentials. Here's some detail from the US CERT advisory about this mess: “HTTP CONNECT requests and 407 Proxy Authentication Required messages are not integrity protected and are susceptible to man-in-the-middle attacks. WebKit-based applications are additionally vulnerable to arbitrary HTML markup and JavaScript execution in the context of the originally requested domain.” This is a potent attack, because the user's browser can then go ahead and establish their “trusted” connection via the proxy.

The victim won't get anything like a browser warning to tell them something's wrong. And because it happens before the handshakes set up trust, it doesn't trip warnings like pinned certificates. “This vector happens before the server public key can be provided to the client as shown in step five, but not before a trust relationship has already been established or maintained by the browser or application as shown in step one,” Decime writes. “Unfortunately this implementation resulted in false trust situations whereby untrusted code delivered in the response body of the CONNECT could execute within trusted browser and application states.”

Who's affected?

So far, the CERT advisory lists Apple, Microsoft, Opera, and Oracle as affected. Lenovo reckons its machines aren't affected. Ten other vendors and systems are on the notice but are still working out whether they're vulnerable: Arista, Belkin, CentOS, Cisco, CoreOS, Debian, DesktopBSD, DragonFly BSD, EMC and F5 Networks. Others will, we expect, be added to that list as time passes. Decime's post concentrates on how the bug can be exploited against iOS, because of how WebKit handles the CONNECT / 407 interaction. He notes that the attack code leaves out the header that the 407 message should include, because that would risk tipping the user off: “On iOS, WebKit renders the markup provided in a '407 Proxy Authentication Required.' This allows a proxy server that requires authentication to give the user a soft-error after a certain number of failed authentication attempts, but because the contents of the HTTP response are rendered within a trust realm, it can be used to attack cryptography trust in WebKit.” Apple has fixed the bug in the iOS 9.3.3 update and in El Capitan's 10.11.6 update.

VU#905344: HTTP CONNECT and 407 Proxy Authentication Required messages are not...

HTTP CONNECT and 407 Proxy Authentication Required messages are not integrity protected

Original Release date: 15 Aug 2016 | Last revised: 15 Aug 2016

Overview

HTTP CONNECT requests and 407 Proxy Authentication Required messages are not integrity protected and are susceptible to man-in-the-middle attacks. WebKit-based applications are additionally vulnerable to arbitrary HTML markup and JavaScript execution in the context of the originally requested domain.

Description

Web browsers and operating systems making a HTTPS request via a proxy server are vulnerable to man-in-the-middle (MITM) attacks against HTTP CONNECT requests and proxy response messages. HTTP CONNECT requests are made in clear text over HTTP, meaning an attacker in the position to modify proxy traffic may force the use of 407 Proxy Authentication Required responses to phish for credentials. WebKit-based clients are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain. For more information, refer to the FalseCONNECT website.

Impact

An attacker in the position to control HTTP CONNECT requests and proxy responses can conduct MITM attacks, which may include credential phishing and, where vulnerable WebKit-based clients are involved, arbitrary HTML and JavaScript injection.

Solution

Apply an update

Check with affected software vendors and apply an update, if available. Those unable or unwilling to apply an update should consider the following workarounds.

Avoid untrusted networks

Avoid using proxy-configured clients while connected to untrusted networks, including public WiFi. Using a proxy-configured client on an untrusted network increases the chance of falling victim to a MITM attack.

Disable proxy configuration settings

If use of proxy auto-configuration (PAC) or web proxy auto-discovery (WPAD) is not required, consider disabling them.

Vendor Information

Vendor: Status (Date Notified / Date Updated)
Apple: Affected (17 Jun 2016 / 11 Aug 2016)
Microsoft Corporation: Affected (17 Jun 2016 / 11 Aug 2016)
Opera: Affected (17 Jun 2016 / 11 Aug 2016)
Oracle Corporation: Affected (17 Jun 2016 / 11 Aug 2016)
Lenovo: Not Affected (17 Jun 2016 / 01 Aug 2016)
Arista Networks, Inc.: Unknown (17 Jun 2016 / 17 Jun 2016)
Belkin, Inc.: Unknown (28 Jul 2016 / 28 Jul 2016)
CentOS: Unknown (17 Jun 2016 / 17 Jun 2016)
Cisco: Unknown (28 Jul 2016 / 28 Jul 2016)
CoreOS: Unknown (17 Jun 2016 / 17 Jun 2016)
Debian GNU/Linux: Unknown (17 Jun 2016 / 17 Jun 2016)
DesktopBSD: Unknown (17 Jun 2016 / 17 Jun 2016)
DragonFly BSD Project: Unknown (17 Jun 2016 / 17 Jun 2016)
EMC Corporation: Unknown (17 Jun 2016 / 17 Jun 2016)
F5 Networks, Inc.: Unknown (17 Jun 2016 / 17 Jun 2016)

CVSS Metrics

Base: 4.3 (AV:A/AC:M/Au:N/C:P/I:P/A:N)
Temporal: 3.4 (E:POC/RL:OF/RC:C)
Environmental: 3.4 (CDP:ND/TD:H/CR:ND/IR:ND/AR:ND)

Credit

Thanks to Jerry Decime for reporting these vulnerabilities. This document was written by Joel Land.

Other Information

CVE IDs: Unknown
Date Public: 15 Aug 2016
Date First Published: 15 Aug 2016
Date Last Updated: 15 Aug 2016
Document Revision: 23
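The two pieces above describe the same protocol interaction: a client sends a cleartext CONNECT, expects a 2xx, and may instead receive a 407 whose body WebKit rendered as if it belonged to the requested HTTPS origin, with the attacker omitting the Proxy-Authenticate header the 407 should carry. The code below is an added example, written for this page and not taken from Apple, WebKit or the advisory; it shows the client-side triage a CONNECT implementation should apply to the proxy's reply: open the tunnel only on a 2xx, treat a 407 purely as a credential prompt and only when the Proxy-Authenticate header required by RFC 7235 is present, and never hand the response body to the page. The three replies are constructed; the proxy names in them are placeholders.

```python
from dataclasses import dataclass


@dataclass
class Decision:
    action: str          # "tunnel", "auth-challenge" or "reject"
    reason: str
    body_discarded: int  # bytes of reply body the client refused to render


def parse_proxy_response(raw):
    """Split a proxy's reply to CONNECT into (status_code, headers, body).
    Header names are lower-cased; a reply with no blank line has no body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    if not version.startswith("HTTP/") or not rest[:3].isdigit():
        raise ValueError("malformed status line: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(rest[:3]), headers, body


def triage_connect_response(raw):
    """Decide what a client may do with a reply to CONNECT. Only a 2xx opens
    the tunnel. A 407 is honoured only as a prompt for proxy credentials and
    only if it carries Proxy-Authenticate (RFC 7235 requires it). Whatever the
    status, the body is counted and dropped rather than rendered in the DOM."""
    status, headers, body = parse_proxy_response(raw)
    if 200 <= status < 300:
        return Decision("tunnel", "proxy accepted CONNECT", len(body))
    if status == 407:
        if "proxy-authenticate" not in headers:
            return Decision("reject", "407 without Proxy-Authenticate", len(body))
        scheme = headers["proxy-authenticate"].split()[0]
        return Decision("auth-challenge",
                        "prompt for proxy credentials (scheme: %s)" % scheme,
                        len(body))
    return Decision("reject", "status %d cannot establish a tunnel" % status, len(body))


# Constructed replies: what a real proxy sends, and the kind of substitute
# reply the FalseCONNECT write-up describes an on-path attacker injecting.
GOOD_TUNNEL = b"HTTP/1.1 200 Connection established\r\n\r\n"
REAL_CHALLENGE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                  b"Proxy-Authenticate: Basic realm=\"corp-proxy\"\r\n"
                  b"Content-Length: 0\r\n\r\n")
SPOOFED_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
               b"Content-Type: text/html\r\n\r\n"
               b"<html><body>Session expired, please sign in again.</body></html>")

if __name__ == "__main__":
    for label, raw in (("good tunnel", GOOD_TUNNEL),
                       ("real challenge", REAL_CHALLENGE),
                       ("spoofed 407", SPOOFED_407)):
        print(label, "->", triage_connect_response(raw))
```

Note what this does and does not buy you: discarding the body closes the WebKit rendering vector, and rejecting a header-less 407 catches the variant Decime describes, but a forged 407 that does include Proxy-Authenticate is indistinguishable from a real one because the CONNECT exchange has no integrity protection. That residual credential-phishing risk is why the advisory's answer is vendor updates and keeping proxy-configured clients off untrusted networks, not a client-side check.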

Don’t use a VPN in United Arab Emirates – unless you...

Arab monarchy tries to slam door on privacy tools

A royal edict from the president of the United Arab Emirates (UAE) may have just effectively made it illegal for anyone in the country to use a VPN or secure proxy service. Those caught could face jail time and fines of between 500,000 and 2,000,000 UAE dirham (US$136,130 and $544,521).

The change was announced by the UAE President His Highness Sheikh Khalifa bin Zayed Al Nahyan in a proclamation that amended federal laws. The wording is ambiguous and technologically illiterate.

Essentially, it seems, you are not allowed to use systems that may hide the fact that you're committing a crime or covering one up. So if you're found routing your network traffic through a secure VPN or proxy server, you could be evading the eyes of the state, and that's a big no-no. You could claim you were using the VPN or proxy for legit reasons, and that no criminal activity was being committed or concealed, but since your packets were encrypted, you may have a hard time proving your innocence. The tweaked law now reads as follows:

Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs 500,000 and not exceeding Dhs 2,000,000, or either of these two penalties.

Less than 15 per cent of the desert kingdom's inhabitants are locals, with the rest of the population made up of expatriates, many of whom want to access private corporate networks and the internet at large without being limited by the filtering systems the country has set up.

The state telco blocks anything seen as being against UAE values, any Israeli domains, and pornography sites, as well as many VoIP services for calling home. There are two state-sanctioned VoIP services, Etisalat and Du, but they are relatively expensive.
Skype was outlawed in the kingdom, but that ban was lifted in April after Microsoft and business leaders complained that the blockade was discouraging businesses from coming to the country. In the meantime, if you're visiting the UAE, using a VPN or proxy server may be problematic.

The new law is now in effect, and you may get a knock on the door by the police if you try using one of those services.

15-year-old security hole HTTPoxy returns to menace websites – it has...

So you know it's really scary

A dangerous easy-to-exploit vulnerability discovered 15 years ago has reared its head again, leaving server-side website software potentially open to hijackers. The Apache Software Foundation, Red Hat, Nginx and others have rushed to warn programmers of the so-called httpoxy flaw, specifically: CVE-2016-5385 in PHP; CVE-2016-5386 in Go; CVE-2016-5387 in Apache HTTP server; CVE-2016-5388 in Apache Tomcat; CVE-2016-1000109 in PHP-engine HHVM; and CVE-2016-1000110 in Python. This security hole can be exploited to seize control of vulnerable web apps.

Basically, you abuse the Proxy HTTP header in a request to the application to set a common environment variable called HTTP_PROXY.

The app then, unwisely, uses the proxy server defined by that variable for any of its outgoing connections. So, if you point HTTP_PROXY at a malicious server, you can intercept the web app's connections to other systems and, depending on how the code is designed, potentially gain remote code execution.
It hinges on whether or not the app makes outgoing connections as part of its operation, and if these can be usefully exploited. "If you're running PHP or CGI, you should block the Proxy header now," said Vend infrastructure engineer Dominic Scheirlinck, who coordinated the disclosure of the security holes with software makers. The Register had an early look at the details prior to today's public announcement. There are advisories available now from Apache, Red Hat, US CERT, Nginx, and Drupal with more details. "httpoxy is extremely easy to exploit in basic form, and we expect security researchers to be able to scan for it quickly.
If you're not deploying code, you don't need to worry," added Scheirlinck. Code that makes outgoing HTTP connections to look up information or perform some other task while running in a server-side CGI context is potentially open to easy attack, he said.
It may be possible to siphon off sensitive internal records, or feed dodgy data into apps, by injecting a proxy server into the mix. "For example, if you are using a Drupal plugin that uses Guzzle 6 and it makes an outgoing HTTP request (for example, to check a weather API), you are vulnerable to the request that plugin makes being 'httpoxied'," Scheirlinck explained. The New Zealander says attackers can direct vulnerable servers to open connections to an evil machine's IP address, and waste server resources by running traffic through malicious proxies. Scheirlinck said the vulnerability is down to a basic namespace conflict: RFC 3875 (CGI) puts the HTTP proxy header from a request into the environment variables as HTTP_PROXY. HTTP_PROXY is a popular environment variable used to configure an outgoing proxy. Exploitation is possible if just one vulnerable library is used, such as Guzzle or Artax, while processing incoming HTTP requests. "Probably many, many libraries" are affected, Scheirlinck said. Here's how he described the flaw in a PHP script: PHP has a method called getenv(). There is a common vulnerability in many PHP libraries and applications, introduced by confusing getenv for a method that only returns environment variables.
In fact, getenv() is closer to the $_SERVER superglobal: it contains both environment variables and user-controlled data. Specifically, when PHP is running under a CGI-like server, the HTTP request headers (data supplied by the client) are merged into the $_SERVER superglobal under keys beginning with HTTP_.

This is the same information that getenv reads from. When a user sends a request with a proxy header, the header appears to the PHP application as getenv('HTTP_PROXY').
Some common PHP libraries have been trusting this value, even when run in a CGI/SAPI environment. Reading and trusting $_SERVER['HTTP_PROXY'] is exactly the same vulnerability, but tends to happen much less often (perhaps because of getenv's name, perhaps because the semantics of the $_SERVER superglobal are better understood among the community). Quick and easy mitigations are available, with the best being to block Proxy request headers before they hit applications. A longer-term fix is to not trust HTTP_PROXY under CGI.

Developers of software that is insecure and in need of patching should obtain a Distributed Weakness Filing Project number or apply for a CVE number from MITRE. "We suspect there may be more CVEs coming for httpoxy, as less common software is checked over," said Scheirlinck. The Proxy / HTTP_PROXY confusion was first spotted in March 2001 in libwww-perl, and was fixed at the time.

This month, researchers at Vend found libraries and tools still making the same namespace screw up, leaving them open to hijacking.
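The namespace conflict the article describes is easy to see in a few lines: RFC 3875 turns every request header into an HTTP_-prefixed CGI meta-variable, so a client-supplied Proxy header lands in the same place as the HTTP_PROXY an operator would export to configure an egress proxy. The script below is an added example written for this page, not code from Vend, PHP, Guzzle or CPython; it builds the CGI environment for a request, contrasts the trusting lookup with a hardened one, and applies the front-end fix the article recommends (dropping the Proxy header). The hardened lookup follows the approach CPython took for CVE-2016-1000110: inside a CGI request (REQUEST_METHOD present) the upper-case HTTP_PROXY is ignored, while a lower-case http_proxy, which no request header can ever produce under the RFC 3875 mapping, is still honoured. The request, environment and host names are constructed placeholders.

```python
def cgi_environ(request_headers, base_env):
    """Build the CGI meta-variables RFC 3875 defines for one request: each
    request header becomes HTTP_<NAME>, upper-cased with '-' mapped to '_',
    layered over the server's own environment."""
    env = dict(base_env)
    for name, value in request_headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """The pattern httpoxy exploits: trusting HTTP_PROXY wherever it came
    from (PHP code calling getenv('HTTP_PROXY'), urllib before its fix, a
    library reading the environment while handling a request)."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def safe_outbound_proxy(env):
    """Hardened lookup: when REQUEST_METHOD is set we are inside a CGI
    request, so the upper-case HTTP_PROXY may be attacker supplied and is
    ignored; only lower-case http_proxy is honoured there."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_proxy_header(request_headers):
    """Front-end mitigation from the article: drop the Proxy request header
    before the application sees it, so HTTP_PROXY is never populated."""
    return {k: v for k, v in request_headers.items() if k.lower() != "proxy"}


# Constructed request and server environment; every host is a placeholder.
HOSTILE_HEADERS = {"Host": "shop.example", "Proxy": "http://intercept.invalid:8080"}
SERVER_ENV = {"REQUEST_METHOD": "GET", "SCRIPT_NAME": "/weather.cgi",
              "http_proxy": "http://egress.corp.example:3128"}

if __name__ == "__main__":
    env = cgi_environ(HOSTILE_HEADERS, SERVER_ENV)
    print("naive lookup   :", naive_outbound_proxy(env))   # attacker's proxy
    print("hardened lookup:", safe_outbound_proxy(env))    # the real egress proxy
    cleaned = cgi_environ(strip_proxy_header(HOSTILE_HEADERS), SERVER_ENV)
    print("header stripped:", naive_outbound_proxy(cleaned))
```

The two mitigations are complementary: stripping the header at the web server or load balancer protects every library behind it at once, while the environment-aware lookup protects a library even when it is deployed behind a front end nobody has patched. Either way, the test to add to a CI pipeline is the one in the block: send a request carrying a Proxy header and assert that the application's outbound proxy did not change.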