Category Archives: Security News

Anti-theft Software Exploited By State Actor [LoJack]

Research by Arbor Networks has alleged that a capable state actor has hijacked software that protects users if their computers are stolen.

The software, called LoJack, allows administrators to remotely lock, locate and remove files from stolen computers.

Its main customers are corporate IT-related firms that need to protect information from exploitation. It is often installed by default. However, the actor has re-configured the software for malicious use to maintain persistent access to targeted devices and communicate with command-and-control servers that the actor operates.

Most anti-virus packages cannot detect when LoJack has been hijacked, or do not recognise the hijacked version as malicious.

Previous research as far back as 2009 has publicised that LoJack could be exploited.

However, not all computers that use LoJack are vulnerable to compromise and data exfiltration – the attacker needs to gain initial access to the machine before they can deploy the hijacked version of LoJack to maintain persistence.




Twitter Passwords Exposed

Twitter has urged its users to change their passwords after a software bug exposed their login details.

The bug saw usernames and passwords written in plain text and stored in an internal log before being encrypted.

Twitter discovered and fixed the error and have since apologised for their mistake, advising all 330 million users to change their passwords as a precautionary measure.

Despite login credentials being made visible by the bug, Twitter are confident that no details have been compromised.

It is important to manage passwords effectively; never use the same password for important accounts such as banking, work accounts or cloud storage. If your password is exposed on one platform it’s possible that criminals or other threat actors might attempt to use that information in the hope of compromising others.




UK Cyber Criminal Pleads Guilty To Selling Customer Credentials On The Dark Web

A cyber criminal who hacked into the online networks of at least 200 companies worldwide recently pleaded guilty to multiple offences in court.

Grant West, 25, who operated under the pseudonym ‘Courvoisier’, was detained in September 2017 following a two-year investigation by Scotland Yard. He was arrested on a train whilst logging on to his dark web marketplace account.

Southwark Crown Court heard that from at least 2015, West hacked into the online networks of Sainsburys, Asda, Apple, Uber, Ladbrokes, JustEat, Argos and others.

The data of thousands of customers was then stolen and used in spear-phishing scams to dupe customers into revealing their credit and debit card details, login credentials and email addresses.

The customer credentials were then sold on the dark web marketplace and used by other cyber criminals to make illegal purchases. Although hacking of the company websites was the major enabler of this cyber criminal activity, the spear-phishing emails ultimately led to customers unwittingly divulging their personal banking details which were then used to steal their money.




Powershell Script To Check for MS17-010 Hotfixes [EternalBlue]

The PowerShell script below will check for all Microsoft KB patches associated with MS17-010.

EternalBlue is an exploit developed by the U.S. National Security Agency (NSA), according to testimony by former NSA employees. It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack.

Exploits built on this vulnerability include WannaCry, EternalRomance, EternalChampion and EternalSynergy.

The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

This script will only work on the local PC (it can be modified to cover the entire network – please feel free to add comments if you have done this).

# List of all the hotfixes from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473"

# Query the computer the script runs on for any of the listed hotfixes
$hotfix = Get-HotFix -ComputerName $env:COMPUTERNAME | Where-Object { $hotfixes -contains $_.HotFixID } | Select-Object -Property HotFixID

# Report the result; reuse the query above rather than running Get-HotFix a second time
if ($hotfix)
{ "Found HotFix: " + ($hotfix.HotFixID -join ", ") }
else
{ Write-Warning "Did Not Find HotFix" }

There are also other ways to check for the patches, as documented by Microsoft here.
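The post notes the script can be extended to cover the whole network; the following is one way to do that, added here as an example and not part of the original post. It assumes PowerShell Remoting (WinRM) is enabled on the targets and the caller has administrative rights on them; the hostnames and output path are constructed placeholders.

```powershell
# Added example: run the MS17-010 hotfix check across many hosts and report per host.
# Assumes WinRM is enabled on each target and the caller is an administrator there.
# Hostnames are constructed placeholders; replace with your own list (e.g. Get-Content .\hosts.txt).
$computers = "WS-FINANCE-01", "WS-FINANCE-02", "SRV-FILE-01"

# Same KB list as the local script (from the MS17-010 bulletin)
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212",
    "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220",
    "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438",
    "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552",
    "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216",
    "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473"

$results = foreach ($computer in $computers) {
    try {
        # Run Get-HotFix on the remote side over WinRM instead of Get-HotFix -ComputerName,
        # which needs DCOM/WMI ports that are often firewalled. $using: ships the local list across.
        $found = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-HotFix | Where-Object { $using:hotfixes -contains $_.HotFixID } |
                Select-Object -ExpandProperty HotFixID
        }
        [pscustomobject]@{
            ComputerName = $computer
            Patched      = [bool]$found
            HotFixIDs    = ($found -join ", ")
            Error        = $null
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported explicitly, not skipped:
        # an unknown state must never be read as "patched".
        [pscustomobject]@{
            ComputerName = $computer
            Patched      = $false
            HotFixIDs    = ""
            Error        = $_.Exception.Message
        }
    }
}

# Unpatched and unreachable hosts sort first so they stand out; CSV for follow-up
$results | Sort-Object Patched | Format-Table -AutoSize
$results | Export-Csv -Path .\ms17-010-report.csv -NoTypeInformation
```

Get-HotFix only reports KBs registered as installed, so a host that has since received a later cumulative update may list none of these IDs and still be fixed; treat "not patched" here as a prompt to verify by the file-version method Microsoft documents, not as a final verdict.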




Early Bird Code Injection Technique

Early Bird is a new code injection technique that enables malicious users to effectively avoid anti-malware detection. The technique is known to be part of malware used by the Iranian advanced persistent threat (APT) group APT33.

The technique uses legitimate Windows processes such as svchost.exe to inject the code into an application before the actual process starts and before the anti-malware product has started to monitor it.

Anti-malware products use a mechanism called hooking that is designed to detect this type of technique. However, Early Bird loads the malicious code at a very early stage of process start-up, before many anti-malware products have placed their hooks, so it can go undetected.

Cyberbit provides an Endpoint Detection and Response solution (EDR) which successfully detects the ‘Early Bird’ injection technique. To learn more visit the Cyberbit EDR page.

Affected Platforms

Microsoft Windows – All versions




Cyberbit published a report with the details of the injection process, together with a YouTube video.


Phishing Emails Deemed Number One Threat By UK Businesses

Industry research by security company Clearswift has reported that malicious links within emails are perceived as posing the biggest cyber threat to UK businesses, with 59% of business decision makers highlighting this as their chief concern. This is indicated to be far more than any other cyber threat.

The research surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia.

When asked what they see as the biggest threat to their organisation, business decision makers ranked phishing emails as the top threat in all four surveyed regions:

Cyber Threatscape Top 10

  1. Malicious links within emails – 59%
  2. Employees sharing usernames/passwords – 33%
  3. USB memory sticks/removable storage – 31%
  4. Users not following protocol/data protection policies – 30%
  5. Ex-employees retaining access to network – 28%
  6. Infection via malware from personal devices – 26%
  7. Hackers – 25%
  8. Employees using non-authorised tools/applications for work purposes (personal email drives/file sharing) – 25%
  9. Social media viruses – 24%
  10. Critical information on stolen devices – 23%





HMRC Spear Phishing Emails

Phishing emails appearing to be from HM Revenue & Customs (HMRC) are known to increase in volume from January to March, towards the end of the UK financial year. The emails claim to offer tax rebates, enticing users with financial incentives. Companies can be particularly susceptible to this type of scam as their contact information is often readily available.

These emails can have all the hallmarks of an HMRC email but contain hidden links that redirect to malicious websites. Once the links are activated the user’s machine can become infected with malware.

Emails from HMRC will never:

  • Send notification of a tax rebate.
  • Offer a repayment.
  • Request personal information such as your full address, postcode, Unique Taxpayer Reference, or bank account details.
  • Request any responses to a non-HMRC personal email address.
  • Request financial information such as specific figures or tax computations, unless you’ve given HMRC prior consent and formally accepted the risks.
  • Have attachments, unless you’ve given HMRC prior consent and formally accepted the risks.
  • Provide a link to a secure log-in page or a form asking for information – instead HMRC will ask you to log on to your online account to check for information.

Any email received from HMRC requesting financial information or offering financial incentives should be treated with the utmost caution and checked before opening.

Affected Platforms

All Windows Versions




CCleaner Attack Update

Cyber security company Avast continues to investigate the 2017 supply chain attacks involving clean-up tool CCleaner. For a month last summer, Advanced Persistent Threat (APT) attackers are reported to have maliciously modified versions of CCleaner and CCleaner Cloud at source, before they were downloaded by 2.27 million customers worldwide. The attackers then selected a small number of high profile technology and telecommunications companies to receive a secondary payload.

Avast’s ongoing investigation has now revealed that CCleaner developer Piriform (acquired by Avast in July) was probably compromised as early as March 2017, although no information is given about the original attack vector.

The investigation also points to a possible third stage of the malware that may have been distributed via the CCleaner attack: once on the Piriform network, the attackers deployed a tool known as Shadowpad, which included keylogging and password stealing functionality, as well as other tools, to allow them to progress their attack remotely. The same tool may have been deployed to those customers who received the secondary payload.

Avast also details the steps it has taken to remove the threat from the Piriform network.




Jolokia Agent Cross-Site Scripting Vulnerability [CVE-2018-1000129]

CVE Number – CVE-2018-1000129

A vulnerability in the Jolokia agent could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.

The vulnerability is due to improper security restrictions that are imposed by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to follow a link that contains malicious JavaScript code. A successful exploit could allow the attacker to inject malicious JavaScript code into the user’s browser, which the attacker could leverage to access sensitive information.

The vendor has confirmed this vulnerability and released software updates.

Analysis

  • To exploit this vulnerability, the attacker may use misleading language and instructions to persuade a user of the targeted system to follow a link that contains malicious JavaScript code.

Safeguards

  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to access network systems.
  • Administrators are advised to monitor affected systems.
  • For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.

Vendor Announcements
Fixed Software





Reports Of Increased Use Of Counterfeit Code-Signing Certificates

A recent open source blog post from Insikt suggests there is a small but growing market in counterfeit code-signing certificates. This raises further questions regarding the effectiveness of code-signing certificates in providing assurance to website users by establishing the identity of software authors and confirming that the software has not been corrupted or altered since its original distribution.

The NCSC Weekly Threat Report of 15th December 2017, highlighted that websites using SSL and HTTPS, signified by the padlock, are not inherently protected from attack. Malevolent actors can potentially compromise sites using HTTPS domains or obtain legitimate certificates for use on malicious websites.

Counterfeit certificates were first identified in 2015. They are advertised as being registered under legitimate corporations and supplied by known issuers. The early versions were expensive at approximately $1,000 but more recent standard certificates have been found for sale at $295.

The main benefit for malicious actors of the counterfeit certificates is that the certificates are highly effective in remaining undetected by antivirus software. However, as these certificates are thought to be created for each buyer individually, it seems likely that, at present, the majority of cyber criminals won’t use this technique.