
What Is googleapis.com ?

The domain googleapis.com is owned and operated by Google. This domain is used by programs to talk to Google services.

Subdomains

storage.googleapis.com – This is the service that hosts Google Cloud Storage.

commondatastorage.googleapis.com – This was the previous name for accessing Google Cloud Storage.

maps.googleapis.com – Google Maps.

domain-registrar.storage.googleapis.com – TBC




Swisscoin Email Spam [coinexchange.io]

We have received a lot of spam reports for coinexchange.io. The messages appear to come from a wide range of fake or spoofed e-mail addresses; we have had over 15 copies of the same e-mail ourselves! The message reads:

Every once in a while, an opportunity comes around. What divides winners from losers is those who seize it and those who don’t. By now, you must have heard about all the people who made a killing with bitcoin over the last year. Some of them made more than ten million with just an initial purchase of a thousand bucks. What I want to ask you though is: Did you know that there are hundreds of other digital currencies that have had even bigger gains over the last twelve months? This includes Ripple, Ethereum and Raiblocks you may have heard about some of them. What is the next big one for 2018? The answer in my opinion is simple. It’s Swisscoin [SIC]. The reason for that is very straight forward. It’s because it is supported by the Switzerland government. It is already considered as legal in the country and it is entirely shielded from any political instability. It’s the type of coin that you can buy a thousand bucks of, and sit on for a few months or even years and that few thousand will likely be worth a few million. SIC has already doubled in value since Saturday and it will double or triple again by this Friday. So, what are you waiting for? For the time being it can only be purchased on /coinexchange [dot] io/ (that’s the website address of the exchange). You can set up an account in about thirty seconds, then you send bitcoins to it and you can easily buy swiss coin. If you don’t have any bitcoin already you can just google how to get some, it’s super simple and will just take you 10 minutes at most, then transfer them to coinexchange’s website and get the SIC.

Community chatter at bitcointalk.org shows that people don’t really know what to make of this operation yet. Some are quick to call it a scam, while others gripe about the high withdrawal fees and still others voice their contentment with coinexchange.io. From the above analysis, it is clear that not everything is as it should be with this crypto currency exchange.

According to the comments here and here it appears to be some form of scam, although we cannot verify this; make up your own mind.



Enterprise Networking Operating System Authentication Bypass in Lenovo and IBM RackSwitch and BladeCenter Products [CVE-2017-3765]

Lenovo Security Advisory: LEN-16095

Potential Impact: An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service.

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2017-3765

Summary Description:

ENOS, or Enterprise Network Operating System, is the firmware that powers some Lenovo and IBM RackSwitch and BladeCenter switches. An authentication bypass mechanism known as “HP Backdoor” was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions. This bypass mechanism can be accessed when performing local authentication under specific circumstances using credentials that are unique to each switch. If exploited, admin-level access to the switch is granted.

CNOS, or Cloud Network Operating System, firmware is not vulnerable to this issue.

These ENOS interfaces and authentication configurations are vulnerable to this issue:

  • Telnet and Serial Console when performing local authentication, or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances described below
  • Web when performing a combination of RADIUS or TACACS+ and local authentication combined with an unlikely condition under specific circumstances described below
  • SSH for certain firmware released in May 2004 through June 2004 (only) when performing a combination of RADIUS or TACACS+ and local authentication under specific circumstances described below; the vulnerable code is present in more recent firmware, but not used

Other interfaces and authentication configurations are not vulnerable to this issue:

  • SSH in firmware released after June 2004 is not vulnerable
  • SSH and Web using only local authentication are not vulnerable
  • SSH, Web, Telnet, and Serial Console using LDAP, RADIUS, or TACACS+ without use of local authentication fallback are not vulnerable
  • Other management interfaces, such as SNMP, are not vulnerable

A source code revision history audit revealed that this authentication bypass mechanism was added in 2004 when ENOS was owned by Nortel’s Blade Server Switch Business Unit (BSSBU). The mechanism was authorized by Nortel and added at the request of a BSSBU OEM customer. Nortel spun BSSBU off in 2006 to form BLADE Network Technologies (BNT). BNT was purchased by IBM in 2010, and, subsequently, Lenovo in 2014.

Lenovo has provided relevant source code to a third-party security partner to enable independent investigation of the mechanism.

The existence of mechanisms that bypass authentication or authorization is unacceptable to Lenovo and does not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.

Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it.

Mitigation Strategy for Customers (what you should do to protect yourself):

Upgrade to the ENOS firmware version described in the product impact section below.

If upgrading is not immediately possible, then the surest option is to do all the following:

  • Enable LDAP, RADIUS, or TACACS+ remote authentication AND
  • For any of LDAP, RADIUS, or TACACS+ that are enabled, disable the related “Backdoor” and “Secure Backdoor” local authentication fallback settings AND
  • Disable Telnet AND
  • Restrict physical access to the serial console port

If doing all this is not desired, it may be possible to do a more limited set of actions based on the specifics of your environment. The precise circumstances for the vulnerability are:

SSH management interfaces are vulnerable if:

  • ENOS firmware being used was created between May 2004 and June 2004 AND
  • One or more of RADIUS or TACACS+ is enabled AND the related “Backdoor” or “Secure Backdoor” local authentication fallback is enabled AND a RADIUS or TACACS+ authentication timeout occurs

Note: LDAP is not vulnerable for these interfaces

Note: Local-only authentication is not vulnerable for these interfaces

Web management interfaces are vulnerable if:

  • An unlikely internal out of order execution condition (race condition) occurs AND
  • One or more of RADIUS or TACACS+ is enabled AND the related “Backdoor” or “Secure Backdoor” local authentication fallback is enabled AND a RADIUS or TACACS+ authentication timeout occurs

Note: LDAP is not vulnerable for these interfaces

Note: Local-only authentication is not vulnerable for these interfaces

Telnet and Serial Console management interfaces are vulnerable if:

  • LDAP, RADIUS, and TACACS+ are all disabled OR
  • One or more of LDAP, RADIUS, or TACACS+ is enabled AND the related “Backdoor” or “Secure Backdoor” local authentication fallback is enabled AND an LDAP, RADIUS, or TACACS+ authentication timeout occurs

For clarity, references to “Backdoor” and “Secure Backdoor” in the Mitigation Strategy for Customers section refer to local authentication fallback mechanisms and not the authentication bypass mechanism described in this advisory. “Backdoor” in the authentication fallback context is an industry standard term used when configuring RADIUS and TACACS+.
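The per-interface conditions and the interim mitigation above reduce to a configuration check. The Python below is an added example, not part of the Lenovo advisory: given one switch's authentication settings and firmware build date, it reports which management interfaces meet the advisory's configuration preconditions and whether the interim mitigation (minus the physical-access item, which no config captures) is fully applied. The EnosAuthConfig class and its field names are this example's own shorthand, not ENOS CLI keywords. The run-time parts of the conditions (a remote-authentication timeout, plus the race for the Web interface) cannot be read from a configuration, so a True result means "reachable if that run-time condition occurs".

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class EnosAuthConfig:
    """Authentication settings of one ENOS switch. Field names are this
    example's own shorthand (assumption), not ENOS CLI keywords."""
    firmware_build: date            # build date of the running ENOS image
    ldap_enabled: bool = False
    radius_enabled: bool = False
    tacacs_enabled: bool = False
    # "Backdoor" / "Secure Backdoor" local-auth fallback, per remote method
    ldap_fallback: bool = False
    radius_fallback: bool = False
    tacacs_fallback: bool = False
    telnet_enabled: bool = True


# Advisory: SSH is affected only for firmware built May 2004 through June 2004
SSH_WINDOW = (date(2004, 5, 1), date(2004, 6, 30))


def _enabled_with_fallback(cfg: EnosAuthConfig, include_ldap: bool) -> bool:
    """True if any considered remote method is enabled with local fallback on."""
    pairs = [(cfg.radius_enabled, cfg.radius_fallback),
             (cfg.tacacs_enabled, cfg.tacacs_fallback)]
    if include_ldap:  # LDAP fallback only matters for Telnet / Serial Console
        pairs.append((cfg.ldap_enabled, cfg.ldap_fallback))
    return any(enabled and fallback for enabled, fallback in pairs)


def exposed_interfaces(cfg: EnosAuthConfig) -> dict:
    """Map each management interface to True when the advisory's configuration
    preconditions are met. The run-time parts (a remote-auth timeout, plus a
    race for Web) are not in the config, so True means "reachable if that
    run-time condition occurs"."""
    no_remote_auth = not (cfg.ldap_enabled or cfg.radius_enabled or cfg.tacacs_enabled)
    in_ssh_window = SSH_WINDOW[0] <= cfg.firmware_build <= SSH_WINDOW[1]
    ssh = in_ssh_window and _enabled_with_fallback(cfg, include_ldap=False)
    web = _enabled_with_fallback(cfg, include_ldap=False)
    # Telnet and Serial Console: local-only auth, or any remote method with fallback
    console = no_remote_auth or _enabled_with_fallback(cfg, include_ldap=True)
    return {
        "ssh": ssh,
        "web": web,
        "telnet": cfg.telnet_enabled and console,
        "serial_console": console,   # physical access restriction is outside the config
    }


def interim_mitigation_complete(cfg: EnosAuthConfig) -> bool:
    """The advisory's interim mitigation, minus the physical-access item:
    remote auth enabled, no fallback on any enabled method, Telnet disabled."""
    remote_auth = cfg.ldap_enabled or cfg.radius_enabled or cfg.tacacs_enabled
    return bool(remote_auth
                and not _enabled_with_fallback(cfg, include_ldap=True)
                and not cfg.telnet_enabled)


if __name__ == "__main__":
    # Constructed sample: 2004-era firmware, RADIUS with "Backdoor" fallback, Telnet on
    legacy = EnosAuthConfig(firmware_build=date(2004, 5, 15),
                            radius_enabled=True, radius_fallback=True)
    for iface, exposed in exposed_interfaces(legacy).items():
        print(f"{iface:15} {'EXPOSED' if exposed else 'ok'}")
    print("interim mitigation complete:", interim_mitigation_complete(legacy))
```

The serial console is reported as exposed whenever local authentication can be reached, because physical access control is an operational measure the configuration cannot express; treat that row as a reminder rather than a finding.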

Product Impact:

Lenovo Switches

IBM Switches

For a complete list of all Lenovo Product Security Advisories, click here.



Fake Spectre And Meltdown Patches Spread Smoke Loader Malware

A new variant of the Smoke Loader malware has been observed being distributed via fake patches for the Meltdown and Spectre vulnerabilities.

Fraudulent updates purporting to be from the German Federal Office for Information Security have been used as a delivery mechanism for the malware. The patches claim to fix the recent Intel vulnerabilities and as such are likely to receive greater attention from users.

German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.

Once downloaded, the malware injects itself into explorer.exe before communicating with its Command and Control (C2) server to install the latest version of itself. These updated samples are packaged using a different encryption scheme to make detection harder, before being stored in a hidden subfolder.

Smoke Loader will attempt to maintain persistence through the addition of new registry keys and uses partially encrypted code with redundant jumps as an anti-forensics tool. It also performs environment checks to avoid being executed in a controlled environment and verifies network connectivity by connecting to various legitimate sites before initiating C2 communications.

Fake Patch

sicherheit-informationstechnik.bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip

Command And Control Servers

Please block the following domains:

coolwater-ltd-supportid[.]ru
localprivat-support[.]ru
service-consultingavarage[.]ru
sicherheit-informationstechnik[.]bid

Affected Platforms

Microsoft Windows – All versions
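The domains above are published defanged (“[.]”), and blocking them is only half the job: a hit in DNS logs tells you which host already fetched the fake patch. The Python below is an added example, not from the original post, that refangs the four indicators, scans DNS query logs for exact or subdomain matches (label-wise, so a lookalike such as “notlocalprivat-support.ru” does not match), and emits Response Policy Zone records that NXDOMAIN each domain and its subdomains. The dnsmasq-style log lines are constructed for the example.

```python
import re

# C2 / distribution domains as published above (defanged form copied from the post)
IOC_DEFANGED = [
    "coolwater-ltd-supportid[.]ru",
    "localprivat-support[.]ru",
    "service-consultingavarage[.]ru",
    "sicherheit-informationstechnik[.]bid",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)") back into a resolvable name."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


BLOCKLIST = {refang(d) for d in IOC_DEFANGED}


def matching_ioc(qname: str, blocklist=BLOCKLIST):
    """Return the IoC that qname equals or is a subdomain of, else None.
    Walking whole labels from the right avoids substring false positives
    ("notlocalprivat-support.ru" must not match "localprivat-support.ru")."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


# Constructed DNS query log (dnsmasq-style lines written for this example)
SAMPLE_DNS_LOG = """\
Jan 11 09:14:02 dns01 dnsmasq[812]: query[A] www.example.com from 10.0.0.21
Jan 11 09:14:05 dns01 dnsmasq[812]: query[A] sicherheit-informationstechnik.bid from 10.0.0.21
Jan 11 09:14:09 dns01 dnsmasq[812]: query[A] update.localprivat-support.ru from 10.0.0.21
Jan 11 09:14:11 dns01 dnsmasq[812]: query[A] notlocalprivat-support.ru from 10.0.0.33
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<client>\S+)")


def scan_dns_log(text: str):
    """Return (client, queried name, matched IoC) for every query on the blocklist."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matching_ioc(m.group("qname"))
        if ioc:
            hits.append((m.group("client"), m.group("qname"), ioc))
    return hits


def rpz_records(blocklist=BLOCKLIST):
    """RPZ records that NXDOMAIN each IoC and its subdomains
    ("CNAME ." is the RPZ NXDOMAIN action)."""
    lines = []
    for d in sorted(blocklist):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT {client} queried {qname} (IoC: {ioc})")
    print("\n".join(rpz_records()))
```

A client that resolved sicherheit-informationstechnik.bid fetched the fake patch, and one that resolved a .ru C2 domain is past the dropper stage; the RPZ records stop further resolution but do not clean the host.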



Cisco CPU Side-Channel Information Disclosure Vulnerabilities

On January 3rd 2018, researchers disclosed three vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged local attacker, in specific circumstances, to read privileged memory belonging to other processes or memory allocated to the operating system kernel.

The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre. The third vulnerability, CVE-2017-5754, is known as Meltdown. (Details here) The vulnerabilities are all variants of the same attack and differ in the way that speculative execution is exploited.

To exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. Although the underlying CPU and operating system combination in a product or service may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code and are, therefore, not vulnerable. There is no vector to exploit them. Cisco products are considered potentially vulnerable only if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor.

A Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as operating system or hypervisor, is patched against the vulnerabilities in question.

Although Cisco cloud services are not directly affected by these vulnerabilities, the infrastructure on which they run may be impacted. Refer to the “Affected Products” section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services.

Cisco will release software updates that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

Affected Products
Cisco is investigating its product line to determine which products and cloud services may be affected by these vulnerabilities. As the investigation progresses, Cisco will update this advisory with information about affected products and services, including the Cisco bug ID for each affected product or service.

Any product or service not listed in the “Products Under Investigation” or “Vulnerable Products” section of this advisory is to be considered not vulnerable. The criteria for considering whether a product is vulnerable is explained in the “Summary” section of this advisory. Because this is an ongoing investigation, please be aware that products and services currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.

Further details available here – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel



Microsoft Excel 2010 Security Update 4011660

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2018-0796.

Note To apply this security update, you must have the release version of Service Pack 2 for Office 2010 installed on the computer.

Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2010. It doesn’t apply to the Office 2010 Click-to-Run editions, such as Microsoft Office 365 Home (see Determining your Office version).

This security update replaces previously released security update KB 4011197.

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.




Meltdown and Spectre – Vendor Patches

In early January we became aware of a set of security vulnerabilities known as Meltdown and Spectre that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

Microsoft has temporarily halted updates for AMD machines. More information can be found here: https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Three vulnerabilities have been disclosed:

  1. CVE-2017-5753
  2. CVE-2017-5715 (1 and 2 are collectively known as Spectre)
  3. CVE-2017-5754 (Meltdown)

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Vendor                                 Date Added
Amazon                                 January 4, 2018
AMD                                    January 4, 2018
Android                                January 4, 2018
Apple                                  January 4, 2018
ARM                                    January 4, 2018
CentOS                                 January 4, 2018
Chromium                               January 4, 2018
Cisco                                  January 10, 2018
Citrix                                 January 4, 2018
Debian                                 January 5, 2018
DragonflyBSD                           January 8, 2018
F5                                     January 4, 2018
Fedora Project                         January 5, 2018
Fortinet                               January 5, 2018
Google                                 January 4, 2018
Huawei                                 January 4, 2018
IBM                                    January 5, 2018
Intel                                  January 4, 2018
Juniper                                January 8, 2018
Lenovo                                 January 4, 2018
Linux                                  January 4, 2018
LLVM: variant #2                       January 8, 2018
LLVM: builtin_load_no_speculate        January 8, 2018
LLVM: llvm.nospeculatedload            January 8, 2018
Microsoft Azure                        January 4, 2018
Microsoft                              January 4, 2018
Mozilla                                January 4, 2018
NetApp                                 January 8, 2018
Nutanix                                January 10, 2018
NVIDIA                                 January 4, 2018
OpenSuSE                               January 4, 2018
Qubes                                  January 8, 2018
Red Hat                                January 4, 2018
SuSE                                   January 4, 2018
Synology                               January 8, 2018
Trend Micro                            January 4, 2018
VMware                                 January 4, 2018
Xen                                    January 4, 2018





HPE Integrated Lights Out 2 Multiple Remote Vulnerabilities

Multiple vulnerabilities in HPE Integrated Lights-Out 2 (iLO2) firmware could allow an unauthenticated, remote attacker to execute arbitrary code, bypass authentication, or cause a denial of service (DoS) condition on a targeted system.

The vulnerabilities are due to an unspecified condition that exists in the affected firmware. An attacker could exploit these vulnerabilities to execute arbitrary code, bypass authentication, or cause a DoS condition on a targeted system. A successful exploit could result in a complete system compromise.

HPE has confirmed these vulnerabilities and released software updates.

Analysis
  • Limited details are available to describe these vulnerabilities. However, a successful exploit of these vulnerabilities may result in a complete system compromise.
Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  • Administrators are advised to monitor affected systems.

Vendor Announcements
  • HPE has released a security bulletin at the following link: HPESBHF03797
Fixed Software

Affected Products

HP Integrated Lights Out 2 (iLO-2) firmware – 2.29 (Base)




Juniper Junos J-Web Use-After-Free Memory Error Remote Code Execution Vulnerability

A vulnerability in the J-Web interface of Juniper Junos could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to a use-after-free memory error in the affected interface. An attacker could exploit this vulnerability by submitting crafted data to the affected system. A successful exploit could allow the attacker to execute arbitrary code on the system.

Juniper Networks confirmed the vulnerability in a security bulletin and released software updates.

Analysis
  • To exploit this vulnerability, the attacker must have access to a targeted device. This access requirement reduces the likelihood of a successful exploit.
Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to monitor affected systems.
Vendor Announcements
  • Juniper Networks has released a security bulletin at the following link: JSA10828
Fixed Software
  • Juniper customers are advised to obtain software upgrades as described in the Juniper Networks security bulletin.




Trojan Downloader – Win32/Jadtre.A

TrojanDownloader:Win32/Jadtre.A is a trojan that downloads and executes arbitrary files. It also prevents certain processes from executing normally.

Threat behavior
Installation
TrojanDownloader:Win32/Jadtre.A is dropped and installed as a replaced system service DLL by TrojanDropper:Win32/Jadtre.B.
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Jadtre.A contacts remote hosts to download and execute files of the attacker’s choice on the affected system. In the wild, TrojanDownloader:Win32/Jadtre.A has been observed contacting the following domain for this purpose:
  • ipdown.poloi999.cn
At the time of this writing, the downloaded files are detected as Worm:Win32/Viking.NA and TrojanSpy:Win32/Hitpop.gen!C.

Hijacks image file execution options
TrojanDownloader:Win32/Jadtre.A modifies the registry to hijack the Image File Execution Options for certain processes to prevent normal execution:
Adds value: “Debugger”
With data: “ntsd-d”
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process>
where <process> could be any one of the following:
360hotfix.exe
360rpt.exe
360safe.exe
360safebox.exe
360tray.exe
agentsvr.exe
apvxdwin.exe
ast.exe
avcenter.exe
avengine.exe
avgnt.exe
avguard.exe
avltmain.exe
avp32.exe
avtask.exe
bdagent.exe
bdwizreg.exe
boxmod.exe
ccapp.exe
ccenter.exe
ccevtmgr.exe
ccregvfy.exe
ccsetmgr.exe
cqw32.exe
DrvAnti.exe
egui.exe
ekrn.exe
frameworkservice.exe
frwstub.exe
guardfield.exe
iparmor.exe
kaccore.exe
kasmain.exe
kav32.exe
kavstart.exe
kavsvc.exe
kavsvcui.exe
kislnchr.exe
kmailmon.exe
knownsvr.exe
kpfw32.exe
kpfwsvc.exe
kregex.exe
kvfw.exe
kvmonxp.exe
kvmonxp.kxp
kvol.exe
kvprescan.exe
kvsrvxp.exe
kvwsc.exe
kvxp.kxp
kwatch.exe
livesrv.exe
mcagent.exe
mcdash.exe
mcdetect.exe
mcshield.exe
mctskshd.exe
mcvsescn.exe
mcvsshld.exe
mghtml.exe
naprdmgr.exe
navapsvc.exe
navapw32.exe
navw32.exe
nmain.exe
nod32.exe
nod32krn.exe
nod32kui.exe
npfmntor.exe
oasclnt.exe
pavsrv51.exe
pfw.exe
psctrls.exe
psimreal.exe
psimsvc.exe
qqdoctormain.exe
ras.exe
ravmon.exe
ravmond.exe
ravstub.exe
ravtask.exe
rfwcfg.exe
rfwmain.exe
rfwproxy.exe
rfwsrv.exe
rsagent.exe
rsmain.exe
rsnetsvr.exe
rssafety.exe
rstray.exe
safebank.exe
safeboxtray.exe
scan32.exe
scanfrm.exe
sched.exe
seccenter.exe
secnotifier.exe
SetupLD.exe
shstat.exe
smartup.exe
sndsrvc.exe
spbbcsvc.exe
symlcsvc.exe
tbmon.exe
uihost.exe
ulibcfg.exe
updaterui.exe
uplive.exe
vcr32.exe
vcrmon.exe
vptray.exe
vsserv.exe
vstskmgr.exe
webproxy.exe
xcommsvr.exe
xnlscn.exe
Most of these processes are associated with antivirus and security products.
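A Debugger value under an Image File Execution Options subkey makes Windows start the named debugger in place of that process, which is why pointing it at ntsd stops the security product from ever running normally. The Python below is an added example, not part of the Microsoft writeup: it parses a .reg export of the IFEO key (the sample export is constructed, not captured from a real system), flags every subkey carrying a Debugger value, and rates hits against a subset of the process names listed above. Any Debugger value under IFEO deserves review, since legitimate uses are rare outside developer machines.

```python
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Subset of the process names hijacked by Jadtre.A (full list above)
JADTRE_TARGETS = {
    "360safe.exe", "360tray.exe", "avp32.exe", "avguard.exe", "ccapp.exe",
    "egui.exe", "ekrn.exe", "kav32.exe", "mcshield.exe", "navapsvc.exe",
    "nod32krn.exe", "ravmon.exe", "vptray.exe", "vsserv.exe",
}

# Constructed sample of what a `reg export` of the IFEO key might contain on an
# infected host (hand-written for this example, not captured from a real system)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
"Debugger"="ntsd-d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe]
"Debugger"="ntsd-d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Debuggers\\windbg.exe"
"GlobalFlag"=dword:00000002
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}}. String data is
    unescaped; other types (dword:, hex:) are kept as their raw token."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_ifeo_debuggers(text: str):
    """Return (process, debugger, severity) for each IFEO subkey with a Debugger
    value. A known Jadtre target redirected to ntsd is rated high, another
    debugger on a known target medium, anything else is flagged for review."""
    findings = []
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        process = key[len(prefix):]
        if not process or "\\" in process or "Debugger" not in values:
            continue
        debugger = values["Debugger"]
        first = (debugger.strip('"').split() or [""])[0]
        exe = first.rsplit("\\", 1)[-1].lower()
        if process.lower() in JADTRE_TARGETS:
            severity = "high" if exe.startswith("ntsd") else "medium"
        else:
            severity = "review"
        findings.append((process, debugger, severity))
    return findings


if __name__ == "__main__":
    for process, debugger, severity in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(f"[{severity:6}] {process} -> Debugger = {debugger}")
```

Cleanup means deleting the Debugger value (or the whole subkey if nothing else is in it) for each hijacked process, then confirming the security product starts; the parser works equally on an export taken from an offline hive during forensic triage.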