Flashpoint conducted the analysis of Floki Bot with Cisco’s Talos research team, and the two organizations said that the author behind the bot maintains a presence on a number of different underground forums, some of which are in Russian or other non-native languages for him. Kremez said that attackers sometimes will participate in foreign language forums as a way to expand their knowledge.
Along with its PoS infection capability, Floki Bot also has a feature that allows it to use the Tor network to communicate.
Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed. While there are dozens of exploit kits available, a handful of them attract the most use and attention, including Angler, Neutrino, Nuclear, and Rig. Researchers at Recorded Future looked at more than 140 exploit kits and analyzed which exploits appeared in the most kits in the last year, and it’s no surprise that Flash and IE exploits dominated the landscape.
Six of the top 10 most-refquently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it’s deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future’s analysis shows that trend is continuing, and one Flash bug disclosed October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups.
The cameras affected by the vulnerabilities are surveillance cameras, mainly used in enterprises and retail settings and there are dozens of models that contain the vulnerable firmware. Researchers at SEC Consult discovered the backdoors and found that an attacker could use one of them to enable hidden Telnet and SSH services on the cameras and then use the other backdoor to gain root privileges.
“After enabling Telnet/SSH, another backdoor allows an attacker to gain access to a Linux shell with root privileges! The vulnerabilities are exploitable in the default configuration over the network. Exploitation over the Internet is possible, if the web interface of the device is exposed," the researchers said.
On Monday Google launched a new app for Android called Trusted Contacts that allows users to share their locations and some limited other information with a set of close friends and family members. The system is a two-way road, so a user can actively share her location with her Trusted Contacts, and stop sharing it at her discretion. But, when a problem or potential emergency comes up, one of those contacts can request to get that user’s location to see where she is at any moment. The app is designed to give users a way to reassure contacts that they’re safe, or request help if there’s something wrong.
The operation, which was a collaborative effort by Europol, the FBI, German police, and security groups, resulted in five arrests and the seizure of 39 servers in various countries. Officials say the Avalanche crew and its infrastructure was distributed around the world and estimated that damages from the group’s activities were in the hundreds of millions of Euros. The group conducted spam, phishing, and malware attacks using a wide variety of malware strains and tactics.
Investigators began looking at the Avalanche infrastructure in 2012 after a widespread ransomware attack that was attributed to the group. Many victims also were infected with banker malware that stole banking credentials and other private data. Like many cybercrime crews, Avalanche used money mules to cash out their profits and layers of personnel to handle specific tasks in an effort to avoid detection. The group also employed technical methods to attempts to confuse law enforcement and security researchers.
The malware campaign is known as Gooligan, and it’s a variant of older malware called Ghost Push that has been found in many malicious apps. Researchers at Check Point recently discovered several dozen apps, mainly in third-party app stores, that contain the malware, which is designed to download and install other apps and generate income for the attackers through click fraud. The malware uses phantom clicks on ads to generate revenue for the attackers through pay-per-install schemes, but that’s not the main concern for victims.
The Gooligan malware also employs exploits that take advantage of several known vulnerabilities in older versions of Android, including Kit Kat and Lollipop to install a rootlet that is capable of stealing users’ Google credentials.Although the malware has full remote access to infected devices, it doesn’t appear to be stealing user data, but rather is content to go the click-fraud route. Most users are being infected through the installation of apps that appear to be legitimate but contain the Gooligan code, a familiar infection routine for mobile devices.
Researchers from Cisco’s Talos group have come across a new version of the Cerber ransomware that uses these techniques, combined with pretty rudimentary email messages to trick victims into clicking on links that lead to the malicious files. Typically, sophisticated ransomware crews will use well-crafted emails with malicious attachments that contain the ransomware. But this Cerber campaign isn’t using any attachments in its spam emails and instead is relying on trickery to entice users into following the links, which are obfuscated and lead to sites on the Tor anonymity network.
The attack involves a technique called re-tasking in which the researchers changed the functionality of the audio jacks on a target computer. So, whereas an input jack would normally be used by a microphone and the output jack would be used by the speakers, the researchers remapped the jacks so that the speakers can record sound when plugged into an output jack. The technique, developed by a team at Ben Gurion University of the Negev in Israel, involves the use of custom malware on the machine, but the researchers showed in their work that the attacks can succeed in recording audio from across a room.
The attack that the researchers developed allows them to record audio surreptitiously and then transmit it to another machine several meters away. The technique can be used without the user’s interaction.
“It’s pretty difficult to defend against such an attack, but it’s possible that anti-virus will detect such a microphone retasking and will block it. Chip manufacturers can redesign the internal commands that can be sent to the controller and regulate it in a better way,” Mordechai Guri, one of the paper's authors, said.
Trailrunner7 writes: As voice has continued to emerge as one of the key interfaces for new devices and apps, including vehicles, bank accounts, and home automation systems, concerns about the security of these systems have evolved, as well. Now, as both Google and Adobe have demonstrated systems that can insert and replace words in recorded speech or mimic human speech those concerns are becoming more concrete.
Adobe has revealed a project known as VoCo that has that it has compared to a Photoshop for voice recordings. The app can take a small piece of a person’s recorded voice and give the user the ability to rearrange or insert words or short phrases into the recording. The user types whatever text he wants into the app and the software can then add them into the recording wherever the user specifies.
Google also has been working on a synthetic speech system, known as WaveNet, which models raw audio waveforms to produce speech that sounds more human. Many existing text-to-speech systems rely on a database of recorded words to produce sentences. Google’s model doesn’t have that limitation.
The proposed change to Rule 41 of the Federal Rules of Criminal Procedure would allow law enforcement officials to get a single warrant from essentially any judge where things related to a given crime have occurred to remotely search computers that might be involved in the crime. The modification also would allow officers to remotely search computers of victims of computer crimes.
Privacy advocates and some legislators say that the change would constitute a huge a expansion of government hacking powers, while Department of Justice officials and supporters of the change say it’s simply a procedural change. The United States Supreme Court approved the change in April and it is scheduled to go into effect on Dec. 1. Congress has the ability to enact legislation to prevent the change, but so far has not.
On Thursday, a group of five senators introduced a bill that would keep Rule 41 as-is for now and delay the change until July 1, 2017. The idea is to give Congress time to consider the consequences of the proposed change. Sen. Ron Wyden (D-Ore.), one of the sponsors of the new bill, has expressed concern about the change to the rule for months.
The technique is a simple one but has proven to be quite effective. Rather than spamming out huge volumes of email with rigged attachments, the attackers are calling selected hotels and telling the customer service reps that they’re having trouble using the online reservation system. They then ask if they can email over a document with their travel details. The attacker will stay on the phone with the victim until he opens the attachment, which is a Word document loaded with a malicious VBS script, according to researchers at Trustwave, who have investigated several incidents involving this technique recently.
This attack represents an interesting mixture of social engineering tactics and traditional spear phishing methods. Even highly targeted phishing campaigns typically involve several different waves of emails. But this technique allows the attacker to choose his target individually and receive immediate confirmation that the attack succeeded. The malware that’s involved in the attack is powerful and has a long list of capabilities. Once installed, it connects to a remote server and downloads a second stage tool that’s disguised as an Adobe file. It installs a persistence mechanism and might download even more tools.
Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices.
In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren’t manufactured in the United States, so regulation would have no effect on their security.
Another piece of the puzzle is the fact that there’s no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle.
“I actually think we need a new agency. We can’t have different rules if a computer makes calls, or a computer has wheels, or is in your body,” said cryptographer Bruce Schneier, another witness during the hearing. “The government is getting involved here regardless, because the stakes are too high. The choice isn’t between government involvement and no government involvement. It’s between good government involvement and stupid government involvement. I’m not a regulatory fan but this is a world of dangerous things.”
Trailrunner7 writes: A renowned hardware hacker has released a cheap USB device that, when plugged in to any computer–even password-protected or locked ones–can hijack all of the Internet traffic from the PC, steal web cookies, and install a persistent backdoor that survives after device is removed.
Known as PoisonTap, the device is the work of Samy Kamkar, a security researcher and hardware hacker who built the tool on a cheap Raspberry Pi Zero board. He’s released the code for PoisonTap, which could be a key tool in the arsenal of any security researcher or hacker. The device sounds simple, but there’s a whole lot going on in the background.
The device tells the infected machine that the PoisonTap local network contains all of the IPv4 space, so all Internet requests go through the device. The device performs a similar trick in order to siphon off web cookies from HTTP requests. When a browser running on the infected machine makes an HTTP request, the device will perform DNS spoofing so that the request goes to the PoisonTap web server rather than the intended one. The device has the ability to grab cookies from any of the Alexa top one million sites, Kamkar said.
Trailrunner7 writes: A major privacy group has filed a lawsuit against the FBI to force the bureau to release all relevant documents about its plan to share a huge amount of biometric information with the Department of Defense.
The lawsuit filed by EPIC (Electronic Privacy Information Center) concerns the FBI’s Next Generation Identification system, which comprises fingerprint, iris scan, and facial recognition data, and the bureau has been using it for several years.
EPIC’s lawsuit asks that the FBI be forced to release records about the plan to share NGI data with the Department of Defense under the Freedom of Information Act. EPIC filed a FOIA request about the plan last year and though the FBI said it has located 35 pages of records that are responsive to the request, it hasn’t released any of those records.
Trailrunner7 writes: The news has been full of headlines for weeks about election fraud, voting machine hacking, and all kinds of other scary sounding stuff. Much of the coverage has been hyperbolic to say the least, so we decided to get some clear-headed, rational thoughts on the topic from Avi Rubin. Avi is a professor at Johns Hopkins University and did some of the pioneering work on voting machine security in the early 2000s. We talked with Avi about the problems with electronic voting machines, the potential for tampering with them, whether the machines can be attacked remotely, and what other avenues attackers might have to disrupt the election.