DDoS attacks and botnets
IoT_reaper: a new growing botnet
Netlab researchers identified a new botnet, which was named IoT_reaper.
The botnet is in its early stages and rapidly growing: it hasn’t launched a single attack so far but, as the name suggests, it harvests vulnerable IoT devices and adds them to its network. It is similar to Mirai, with some differences: it only targets devices with known vulnerabilities and doesn’t try to guess passwords (saving considerable computing resources), it embeds Lua code that allows more sophisticated attacks, and its scans are not aggressive, so they are hard to spot.
The botnet added more than 20 thousand devices in less than two weeks; exploited devices include D-Link, Netgear and Linksys among others: the full list is in the article linked before. Luckily, some patches are available.
A botnet is scanning the Web for private SSH keys
In a post on its blog, Wordfence warns about a Web scanning activity that looks for private SSH keys left unprotected on web servers.
It’s not clear which botnet is responsible for this scan; nevertheless Wordfence warns everyone who runs a site/server and connects to it with key-based authentication.
Finding the private key lets an attacker connect to the corresponding site/server, so the impact is potentially devastating. The mistake sometimes made is copying the private key onto the site/server: the private key must remain on your computer, well protected. Only the public key has to be copied to the server; it is a text file, usually with the .pub (= public) extension. Often the private key is a text file without an extension.
Wordfence offers the Gravity service, which scans your site and reports any misconfiguration or problem.
Interestingly enough, Gravity found that 13% of analyzed sites have sensitive information publicly accessible: configuration files, logs, scripts and backups.
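A self-check for the mistake described above, as an added example (not code from the Wordfence post): walk a web root, flag any file whose first bytes carry a PEM private key header, and report whether its mode bits make it readable by everyone. The header list and the constructed sample site are assumptions made for this example.

```python
import os
import re
import stat
import tempfile

# PEM headers written by ssh-keygen/OpenSSL for private keys. A public key
# file (.pub, starting with "ssh-rsa AAAA...") never contains one of these.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

def find_exposed_private_keys(web_root, max_bytes=4096):
    """List files under web_root whose first bytes look like a PEM private
    key, noting whether everyone (so also the web server user) can read them."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable or vanished file: skip, keep walking
            match = PRIVATE_KEY_RE.search(head)
            if match:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                findings.append({
                    "path": os.path.relpath(path, web_root),
                    "header": match.group(0).decode(),
                    "world_readable": bool(mode & stat.S_IROTH),
                })
    return findings

def build_sample_web_root():
    """Constructed sample site (not real data): a harmless public key plus a
    leaked private key placeholder, the mistake the article describes."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, ".ssh"))
    with open(os.path.join(root, ".ssh", "id_rsa.pub"), "w") as fh:
        fh.write("ssh-rsa AAAACONSTRUCTEDPUBLICKEY user@example\n")
    leaked = os.path.join(root, ".ssh", "id_rsa")
    with open(leaked, "w") as fh:
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                 "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(leaked, 0o644)  # readable by every local user
    return root

SAMPLE_REPORT = find_exposed_private_keys(build_sample_web_root())
```

Point the function at a real document root to get the same report for your own site.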
AKAMAI identifies a Fast Flux botnet
In a post on its blog, AKAMAI states it has identified a Fast Flux botnet composed of 14 thousand zombie devices.
The idea behind a “Fast Flux” botnet is to associate many different IP addresses with the same domain name and rotate them round-robin; if domain names are used properly, an attacker can hide the C&C server and make identifying and analysing the botnet hard. Further information about this type of botnet is available in this ESET post.
This specific botnet hosts several phishing sites, proxies and C&C servers for malware campaigns, and is also used for web scraping, SQL injection and brute-force attacks. AKAMAI hasn’t released details on the botnet yet, but since port 7549 (the one used by the TR-069 remote management protocol) is involved, vulnerable routers and home network devices are believed to be part of it.
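A detection heuristic for the rotation described above, as an added example (not from the AKAMAI or ESET posts): repeated lookups of a fast-flux name yield many distinct addresses scattered across networks behind a very short TTL, while a normal site keeps answering with the same few addresses. The thresholds, the /16 aggregation and the sample lookups are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Heuristic thresholds (assumptions for this example; tune for your network).
# A fast-flux domain hands out many addresses, spread across many networks,
# behind very short TTLs so resolvers keep coming back for a fresh rotation.
MAX_TTL = 300
MIN_UNIQUE_IPS = 8
MIN_UNIQUE_NETS = 4

def flux_report(observations):
    """observations: list of (domain, ttl, [IPv4 strings]) from successive
    lookups of the same names. Returns per-domain counters and a verdict."""
    per_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for domain, ttl, ips in observations:
        entry = per_domain[domain]
        entry["ttls"].append(ttl)
        for ip in ips:
            addr = ipaddress.IPv4Address(ip)
            entry["ips"].add(addr)
            # Aggregate to /16 as a cheap stand-in for "different network":
            # a CDN answers from one or two blocks, flux nodes from many.
            entry["nets"].add(ipaddress.IPv4Network(f"{addr}/16", strict=False))
    report = {}
    for domain, entry in per_domain.items():
        min_ttl = min(entry["ttls"])
        report[domain] = {
            "unique_ips": len(entry["ips"]),
            "unique_nets": len(entry["nets"]),
            "min_ttl": min_ttl,
            "fast_flux": (min_ttl <= MAX_TTL
                          and len(entry["ips"]) >= MIN_UNIQUE_IPS
                          and len(entry["nets"]) >= MIN_UNIQUE_NETS),
        }
    return report

# Constructed lookups (not real data; documentation/test ranges only): the
# static site always answers with the same two addresses and a long TTL; the
# flux domain returns a fresh set of scattered addresses every 60 seconds.
SAMPLE_LOOKUPS = [
    ("static-site.example", 3600, ["198.51.100.10", "198.51.100.11"]),
    ("static-site.example", 3600, ["198.51.100.11", "198.51.100.10"]),
    ("flux.example", 60, ["203.0.113.5", "192.0.2.77", "198.18.4.9", "100.64.1.2"]),
    ("flux.example", 60, ["203.0.113.88", "192.0.2.14", "198.19.200.3", "100.64.9.9"]),
    ("flux.example", 60, ["198.51.100.200", "203.0.113.250", "192.0.2.201", "100.65.3.4"]),
]
```

Feed it the answers collected by repeatedly resolving a suspicious name from your own resolver logs; a single lookup is never enough, since the signal is the churn between lookups.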
Browsers bitcoin mining is ramping
In September ThePirateBay made headlines with a post describing a test feature on its site that made visitors’ browsers mine bitcoins while they were on the site.
In recent months services like Coinhive have been spreading, along with Coin Have, PPoi, MineMyTraffic and JSEcoin. There are even WordPress plugins like Simple Monero Miner and Coin Hive Ultimate.
In some cases users prefer this solution to noisy banners, but what happens when an attacker adds a mining component to a hacked site? Browsers should implement some sort of mining opt-in feature and warn users when a site tries to mine bitcoins.
For now, an ad-blocker or an anti-mining plugin should do the trick.
Magniber, Cerber’s successor
Magniber is the new ransomware distributed by the Magnitude Exploit Kit, as identified by Malwarebytes researchers.
Magniber uses the same payment and encryption system as Cerber, which leads to the reasonable hypothesis that it is the work of the same Cerber developer.
It leverages malvertising and exploits an Internet Explorer vulnerability (for which a patch exists) on unpatched computers. Interestingly, it only starts the encryption process if the victim’s IP address is in South Korea.
New decryption tools are available
While the list of ransomware families grows every month, some researchers and volunteers bless us with decryption tools: if you get hit by ransomware and have no backup, don’t despair; keep the encrypted files somewhere, as a decryption tool may become available sooner or later.
This month we recommend tools for Petya (both Green and Red Petya, Mischa and GoldenEye), LambdaLocker and Stricker (download it here). A researcher who goes by the name “Simone” published a tool for Magniber, which unfortunately has to be compiled in Visual Studio.
MalwareHunter Team’s Ransomware ID service identifies which ransomware encrypted your files; then head to the dedicated NoMoreRansom page and look for a decryption tool: most of them are listed here. The NoMoreRansom Project is the point of reference.
Hidden ransomware economy is growing fast
Carbon Black published an interesting study on the ransomware economy, which highlights that this hidden economy grows by 2,500% per year and reaches the $7 million mark.
The study was conducted between August and September 2017 and offers other interesting facts: there are 6,300 marketplaces and 45,000 listings, and prices for DIY kits range from $0.5 to $3,000; a new figure is emerging: service providers and distributors of RaaS (Ransomware as a Service).
Bitcoin and the Tor network are used to guarantee anonymity; the amount of ransoms paid is almost $1 billion: an actual booming economy.
Apache’s OptionsBleed exposes memory information
An Apache bug that exposes information from the server’s memory has been disclosed.
HTTP has other methods besides the usual GET and POST, including OPTIONS; affected web servers reply to such a request with responses that list all supported methods together with random fragments of memory, leaking information “bleed-style”, hence the name. It is not as impactful as Heartbleed.
The bug involves the Limit directive, which in the main configuration file restricts a user’s access to certain HTTP methods; if, however, a Limit directive in a .htaccess file is set to an invalid (unregistered) method, Apache randomly exposes some strings about its configuration, which are not sufficient to plan an attack or collect sensitive information.
The bug has already been patched, so you just need to update your Apache installation.
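Two checks an operator can run on their own servers, as an added example (not from the advisory or the Apache project): audit .htaccess files for Limit blocks that name a method Apache does not register, and inspect the Allow header of an OPTIONS response for the empty, repeated or malformed entries that leaked memory produces. The method list, the RFC 7230 token pattern and the constructed samples are assumptions made for this example.

```python
import re

# Methods Apache httpd registers out of the box (core plus mod_dav versioning).
# Assumption for this example: a representative list; extend it with whatever
# methods your own modules register before trusting the audit.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
}
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 'tchar'
LIMIT_RE = re.compile(r"<Limit(?:Except)?\s+([^>]*)>", re.IGNORECASE)

def audit_limit_directives(htaccess_text):
    """Return method names inside <Limit>/<LimitExcept> blocks that Apache
    does not register: the .htaccess precondition for the bleed."""
    unknown = []
    for block in LIMIT_RE.finditer(htaccess_text):
        for method in block.group(1).split():
            if method.upper() not in KNOWN_METHODS:
                unknown.append(method)
    return unknown

def suspicious_allow_tokens(allow_header):
    """Split an Allow header value (the OPTIONS response) and return entries
    that are empty, repeated, not a valid token or not a known method: what
    leaked memory looks like when it lands in that header."""
    seen, odd = set(), []
    for raw in allow_header.split(","):
        tok = raw.strip()
        if (tok == "" or tok in seen or not TOKEN_RE.match(tok)
                or tok.upper() not in KNOWN_METHODS):
            odd.append(tok)
        seen.add(tok)
    return odd

# Constructed samples (not captured from a real server).
SAMPLE_HTACCESS = """
<Limit GET POST>
    Require all granted
</Limit>
<Limit OPTIONSX>
    Require all denied
</Limit>
"""
SAMPLE_ALLOW_CLEAN = "GET,HEAD,POST,OPTIONS"
SAMPLE_ALLOW_BLEED = "GET,POST,OPTIONS,HEAD,,HEAD,:09:44 GMT"
```

A clean Allow header gives an empty list; anything returned is worth a second look, and the audit is a reason to fix the directive even after the server is patched.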
A bug in dnsmasq exposes Linux devices
dnsmasq is a small-footprint DNS and DHCP server suitable for small networks and found in mobile devices, operating systems, IoT devices, home routers, software such as Kubernetes and much more.
Google researchers have found several vulnerabilities that expose systems running dnsmasq. In particular they identified 7 vulnerabilities in the DNS and DHCP code with serious effects: 3 Remote Code Execution, 3 DoS and an Information Leak that defeats Address Space Layout Randomization (ASLR, an anti-exploit mitigation).
Version 2.78 of the software fixes these bugs; Android released a patch in October’s monthly “Security Bulletin” update.
Further information is available in this TrendMicro blog post.
Sockbot Android malware found in 8 apps on Google Play Store
Symantec researchers have identified 8 apps sold on the Play Store that are infected with the Sockbot Android malware.
This malware starts a SOCKS proxy on infected devices, which become part of a botnet waiting for commands from a C&C server.
These apps were skins for the popular game Minecraft; each app had between 600,000 and 2.6 million installations. They have been removed from the store.
Adobe releases patch for Flash Player
Adobe released a patch for Flash Player that fixes a zero-day vulnerability (CVE-2017-11292) which could be used for Remote Code Execution attacks.
This vulnerability is present in all Flash Player versions, except 18.104.22.168, on Windows, Linux, macOS and Chrome OS.
The vulnerability was discovered by Kaspersky Lab researchers and has been exploited by the BlackOasis group through email campaigns with infected attachments.
News from the vendors
Firefox Quantum, the new browser by Mozilla
Firefox Quantum is the new browser by Mozilla currently available in beta, whose release is expected in November.
Quantum introduces new features compared to previous versions of Firefox, starting with a new graphical interface called Photon.
The most interesting news concerns performance, with the browser finally using all available cores and with improved memory management.
Other new features include a screenshot capture tool (with sharing via another Mozilla service), a Library button with quick access to Pocket items (Pocket is the integrated “read it later” tool), bookmarks, downloads, screenshots, history and synchronized tabs, a new address bar and a new menu customization feature.
NextCloud introduces native end-to-end encryption
The new version of the NextCloud client introduces end-to-end data encryption, aka Client Side Encryption.
At the moment the feature is in beta; general availability is expected with version 13 of the software.
Encryption works at folder level and, obviously, doesn’t involve the server where NextCloud is installed: the advantage is that should the server be hacked, data remain encrypted. NextCloud also supports full disk encryption.
This feature doesn’t require user passwords; instead it uses device-generated passcodes. The code can be recovered with a device associated with the user account or with a manual recovery code set at encryption time. The Hardware Security Module protocol is supported for enterprise-grade deployments: an interesting feature in light of the General Data Protection Regulation, which will be enforced from May 2018.
Microsoft’s Fall Creators Update is now available
The cumulative update package for Windows 10 “Fall Creators Update” is now available.
It’s currently being rolled out in phases, but you can force the download with the Windows 10 Update Assistant tool.
In addition to several new apps and features, there’s interesting news about security: Windows Defender Security Guard.
This is an anti-ransomware tool that safeguards files against unwanted and unauthorized modifications. It replaces the Enhanced Mitigation Experience Toolkit (EMET), whose support will end in July 2018. Windows Defender Antivirus too has an anti-ransomware feature enabled by default.
Moreover, if you sign in to your Windows profile with an AADP or MSA account, you can reset your password and PIN straight from the lock screen with email verification (on another device).
Google releases Chrome 62 and introduces Chrome Cleanup
Google released Chrome 62 for Windows, macOS and Linux.
This release fixes 35 security issues (8 rated high) and adds new features, like support for variable OpenType fonts, the Network Quality Estimator APIs, capturing and streaming of DOM elements, and warnings for HTTP connections (both in normal and Incognito modes), though they are shown only if the page includes user input fields. Later on they will be shown for all unencrypted connections.
Release notes are available at this address.
Moreover, Google added a new feature that warns the user when an extension tries to change settings set by the user (extension hijacking), like the homepage, proxy and default search engine, and the Chrome Cleanup Tool, previously available only as a standalone app.
This tool checks at installation time for software that tries to change Chrome’s settings and behaviour, and warns the user: this way it prevents the installation of unwanted, bundled software components, which often happens when downloading programs from certain sites.
Lastly, Google announced a collaboration with ESET to build an integrated sandboxing environment that scans downloaded files.
Microsoft Patch Tuesday now available
As on every second Tuesday of the month, Microsoft released the cumulative package of Windows updates known as Patch Tuesday.
It’s installed automatically if automatic updates are enabled; otherwise it’s available through Windows Update.
This month features 67 updates, 27 of them labelled as Critical, notably: Microsoft Graphics (Remote Code Execution), Internet Explorer and Microsoft Edge (Memory Corruption), Microsoft Office, Microsoft Skype for Business, Microsoft JET Database Engine, Microsoft Windows (Remote Code Execution), and Chakra Core.
You can also download single updates and find further information in the Security Update Guide.