Not all malware is ransomware, even though ransomware hogs the spotlight these days.Keyloggers are still popular in the cyberunderworld, because they help crooks to steal your passwords.

Armed with your email password, for example, crooks can pull off much more audacious crimes than ransomware, such as business email attacks, also known a CEO fraud or wire-wire scams.

That’s where a crook logs in with a stolen password to send an email that doesn’t just look as though it came from your CEO’s account, it really did come from her account.

The fraudulent email in a wire-wire scam won’t be a demand for $300 in bitcoins, which is a typicalprice-point in ransomware, but an official-sounding corporate instruction to put through a massive funds transfer.

The amount may be $100,000 or even more, and the email will typically claim that that the funds are part of time-critical business venture such as an acquisition, to justify both the large sum and the urgency.

In other words, there’s still big money in keyloggers.

KNOWLEDGE BELONGS TO THE WORLD

The post “You dirty RAT” – Spy versus Spy in the cybercrime underworld appeared first on Information Security Newspaper.

Mirai evolves from the source code of Gafgyt. A new trojan named Mirai has surfaced, and it’s targeting Linux servers and IoT devices, mainly DVRs, running Linux-based firmware, with the purpose of enslaving these systems as part of a large botnet used to launch DDoS attacks.

KNOWLEDGE BELONGS TO THE WORLD

The post Mirai DDoS Trojan Is the Next Big Threat for IoT Devices and Linux Servers appeared first on Information Security Newspaper.

Just recently I stumbled upon an Android app that lets you receive free products in various pubs, restaurants or cafes in exchange for points accumulated with previous purchases. When the purchase is made, you let the vendor know that you want to receive points. In the app you select the types of products you bought. The eligible types of products may be “Beer”, “Lunch” or“Spent 50 PLN”. It all depends on the place. In order to verify the purchase, the vendor needs to swipe a physical beacon device over your phone (or enter a PIN if that doesn’t work) and the application magically approves the transaction, granting you points.

As an example, one of the places offers you a free beer for 5 points and each purchased beer grants you 1 point. That gives you a free beer for every 5 purchased beers in that place.

Everyone likes free beer, so the first thing I thought about is how secure the purchase verification process is and how exactly do these magical beacons work?

More importantly, was there any way to get around the application’s security and get a taste of free beer?

I intentionally don’t want to mention the name of the application as it only operates in my home country (in Poland). My goal is to give you an idea of what flaws similar applications may have, how to find them and how to better secure such applications. I’ve retained all technical details on how the application works, occasionaly replacing some easy to identify IDs or private information with random data.

In this post I will use a fictional name for the discussed application – “EatApp”.

With that out of the way, let’s get started!

Doing the research

The first thing I was most curious about was the beacon technology that is used with the application. The beacons apparently communicate with the mobile phone over bluetooth as the application made it clear that bluetooth needs to be turned on for the beacon swipes to work.

After a very short time I found the company that manufactures the same beacons that I saw working with EatApp. The company is Estimote and this is what they write about their beacon technology:

Estimote Beacons and Stickers are small wireless sensors that you can attach to any location or object. They broadcast tiny radio signals which your smartphone can receive and interpret, unlocking micro-location and contextual awareness.

With the Estimote SDK, apps on your smartphone are able to understand their proximity to nearby locations and objects, recognizing their type, ownership, approximate location, temperature and motion. Use this data to build a new generation of magical mobile apps that connect the real world to your smart device.

Estimote Beacons are certified Apple iBeacon™ compatible as well as support Eddystone™, an open beacon format from Google.

Apparently EatApp application detects the restaurant’s beacon in close proximity, retrieves some identification values from the device and uses them to authorize the registration of new points with EatApp server.

Thankfully Estimote has released an SDK with a very detailed documentation.

That allowed me to learn more about what information the beacon transmits. More technical information says that:

Estimote Beacon is a small computer. Its 32-bit ARM® Cortex M0 CPU is accompanied by accelerometer, temperature sensor, and what is most important—2.4 GHz radio using Bluetooth 4.0 Smart, also known as BLE or Bluetooth low energy.

I’ve also learned that beacons broadcast the following values:

• UUID – most commonly represented as a string, e.g. “B9407F30-F5F8-466E-AFF9-25556B57FE6D”
• Major number – an unsigned short integer, i.e., an integer ranging from 1 to 65535, (0 is a reserved value)
• Minor number – also an unsigned short integer, like the major number.

Great! They also provide their own Android library to make it very easy for any application to listen to beacon broadcasts. Here is one of the example code snippets from the tutorial on how to set up the beacon listener:

beaconManager = new BeaconManager(getApplicationContext());  
// add this below:
beaconManager.connect(new BeaconManager.ServiceReadyCallback() {  
    @Override
    public void onServiceReady() {
        beaconManager.startMonitoring(new Region(
                "monitored region",
                UUID.fromString("B9407F30-F5F8-466E-AFF9-25556B57FE6D"),
                22504, 48827));
    }
});

It looks to me that the UUID number must be constant and unique to the application using it. Major and Minor numbers on the other hand can describe the product, so in EatApp scenario they must be unique for every restaurant.

Whenever the application waits for the vendor to swipe their beacon over the phone, it listens for packets with specific UUID. If the broadcast packet is detected, it uses signal strength value to measure the beacon’s proximity to the Android device. If the beacon’s signal strength indicates that the device is close enough, it uses the Major and Minor numbers from the packet as validation keys, which are sent with the authorization packet to the EatApp’sserver.

I wondered what was the maximum range over which, the beacon was able to transmit its packets. The application must be constantly listening for beacon broadcast messages as it even gives you a push notification when you enter the restaurant where EatApp beacon is present. I didn’t have to search long for an answer:

Estimote Beacons have a range of up to 70 meters (230 feet). The signal, however, can be diffracted, interfered with, or absorbed by water (including the human body). That’s why in real world conditions you should expect range of about 40–50 meters.

Wow. Up to 70 meters? That means that in theory the security keys (UUID,Major and Minor numbers), that are very likely used for authorizing the rewards, are broadcasted in clear air! That can’t be good.

Knowing that beacon broadcast packets can be received over such range, I needed to find a way how to receive the packets and read their contents. It would probably take me few days to write my own Android app using Estimote SDK, but thankfully Estimote provides their own Estimote Developer App for debugging and troubleshooting problems. From the screenshots I could tell that it gathers all the critical information.

At that moment, obtaining the beacon information would not do me much good without any insight on how the application communicates with the server. It was time to set up a small lab for intercepting and decrypting HTTPS communication from the mobile phone.

The Fiddler in the Middle

For intercepting mobile phone traffic, I’ve used a Windows box. The best and free HTTP/HTTPS Windows proxy for inspecting and forging new packets, that I know of, is Fiddler.

Setting up Fiddler

In order to enable HTTPS interception in Fiddler, open Tools > Telerik Fiddler Options > HTTPS and make sure Capture HTTPS CONNECTs and Decrypt HTTPS traffic is checked. Also make sure that under Tools > Telerik Fiddler Options > Connections, you ticked the Allow remote computers to connectoption.

You will also need to export Fiddler’s Certificate Authority certificate. In the same tab, click Actions and click Export Root Certificate to Desktop like so:

This will put a file named FiddlerRoot.cer on your desktop. This is the root certificate that Fiddler will use to generate forged certificates for every HTTPS connection that goes through the proxy. Obviously Fiddler’s generated root certificate won’t be on your phone’s list of trusted certificate authorities and any HTTPS connection that goes through the proxy will be blocked. That’s why you need to import Fiddler’s certificate on your phone and add it to trusted CA storage.

To do that, first copy the FiddlerRoot.cer to the SD card on your phone by any means. On your phone open Settings > Security and select Install from SD card:

Find and pick Fiddler’s certificate file in order to import it. Now your phone will trust Fiddler’s proxy and you will be able to intercept and decrypt HTTPS traffic. You need to make sure that both your phone and your Windows box with Fiddler are running on the same network.

Before you proceed, find out which port Fiddler’s proxy listens on, by openingTools > Telerik Fiddler Options > Connections and checking the port box:

Next, find out the local network IP address of your Windows box. Open upcmd.exe command line prompt and type in ipconfig. You should be able to find your current IP address under the section with the network interface that you are currently using.

On your Android phone, open up Settings > Wi-Fi and find the wireless network that you are connected to. Touch the network entry for 2 seconds and select Modify network from the drop-down menu. In the dialog tick Advanced options and scroll down to proxy settings. For the proxy type you need to setManual and under hostname and proxy port enter the IP address of your Windows box and the Fiddler’s proxy port. I entered 192.168.0.14 as the hostname and 9090 as the proxy port number.

Now if everything went fine, you should be able to see the outgoing mobile phone traffic in Fiddler.

Capturing traffic

With this setup I was able to intercept EatApp’s traffic as the application didn’t implement certificate pinning. Otherwise, it would require more work to be done. I’d have to decompile the application, remove the certificate comparison check and recompile the application.

I opened up EatApp and opened up Earn Points dialog for randomly picked restaurant. As I didn’t have the restaurant’s Estimote Beacon on me (duh!), I had to use the option to enter the PIN number to verify the point rewards. I entered the random PIN number and checked the intercepted packets in Fiddler.

Sent request:

POST https://api.eatapp.com/users/461845f5d03e6c052a43afbc/points HTTP/1.1  
Accept: application/json  
Accept-Language: en-us  
X-App-Version: 1.28.0  
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4;)  
...
Content-Type: application/json; charset=UTF-8  
Content-Length: 265  
Host: api.eatapp.com  
Connection: Keep-Alive  
Accept-Encoding: gzip

{
  "authentication_token":"boKUp9vBHNAJp7XbWZCK",
  "point":{
    "promoted_products_ids":[
      {"id":"760493597149625959620000"},
      {"id":"760493597149625959620000"}
    ],
    "pin":"1234",
    "place_id":"6088",
    "isDoneByGesture":false
  },
  "longitude":0.0,
  "latitude":0.0
}

Received reply:

HTTP/1.1 422 Unprocessable Entity  
Server: nginx  
Date: ...  
Content-Type: application/json; charset=utf-8  
Content-Length: 99  
Connection: keep-alive  
Vary: Accept-Encoding

{
  "status":"422 Unprocessable Entity",
  "code":"incorrectArgument",
  "title":"Incorrect argument: pin."
}

The request is not complicated. Parameters are sent as JSON data, there are no hash values being sent as a form of anti-tampering method with account state verification and the PIN is sent just in plain-text. The parameters are pretty self explanatory:

• authentication_token – This is the account’s authentication token that was received from the server during the login process. This value is unique to every EatApp account and won’t change.
• promoted_products_ids – the array of product type IDs that we are earning points for.
• pin – the PIN number that we’ve entered.
• place_id – the unique ID of the restaurant where we want to earn points.
• isDoneByGesture – this one is a mystery, but I believe it is set to true only when you spend your points.
• longitute and latitude – These are the last known GPS location values that were retrieved recently, letting the server know user’s exact geographical location. This could be used as a security measure to detect if we are not too far away from the restaurant we are receiving points in.

At this point I wanted to try out if the application is vulnerable to PIN brute-forcing. After all, there are only 10’000 possible PIN combinations. Unfortunately after sending about 5 requests with different PIN values, I started to receive the following reply from the server:

HTTP/1.1 422 Unprocessable Entity  
Server: nginx  
Date: ...  
Content-Type: application/json; charset=utf-8  
Content-Length: 289  
Connection: keep-alive  
Vary: Accept-Encoding

{
  "status":"422 Unprocessable Entity",
  "code":"pinTooManyAttempts",
  "title":"Too many pin code attempts",
  "header":"Account locked",
  "message":"Earning and spending points and redeeming deals using your account has been locked for the next 30 minutes. Please let us know if this is a mistake."
}

Unless I had hundreds of EatApp accounts that I could switch between during the brute-force process, the 30 minutes account lockdown is a pretty strong deterrent.

Looking at the parameters of the verification request, I wondered what would the parameters be if the verification was done with the beacon swipe rather than with entering the PIN.

One idea of how free points could be earned, would be to remotely intercept the request packet with the correct PIN value entered by the restaurant’s staff. Intercepting the packet remotely would also give me an opportunity to find the exact request parameters if beacon swipe was used instead of the PIN.

Main obstacle in performing this task is that I had to intercept the request from the mobile device, while I was at the restaurant.

That was a great opportunity to try setting up the interception VPN that would be used with 3G/4G connection on my mobile phone. The VPN server would then intercept and decrypt the HTTPS traffic the same way Fiddler did.

The Evil VPN

First of all, I required a VPS where I could install the VPN software. The fastest, easiest and most reliable way to set up a Linux box VPS is Digital Ocean (you will get 10$ credit if you sign up from this link). I created the cheapest Debian 8 1CPU 512MB RAM droplet for 5$/month or 0.007$/hour. This had to be more than enough for my needs.

I had to decide which VPN protocol I wanted to use. Android officially supports PPTP and L2TP types of VPN protocols. I’ve learned though that although PPTP is supported, it is considered insecure and Google doesn’t trust it enough to enable Always-On feature for this kind of VPN. Always-On VPN feature in Android makes sure that your phone will reconnect to the VPN whenever the connection breaks and makes sure that no other packet will ever be sent NOTthrough the VPN. This is very important as I wanted to be absolutely sure that every single packet gets intercepted and decrypted.

Finding a good tutorial that would teach me how to install L2TP VPN on Debian 8 was very hard as most tutorials were written for Debian 7 and apparently in the later version of the system some dependencies changed and the tutorials became outdated.

Finally I found a perfect way to install IPsec/L2TP VPN with auto setup scripts. This is basically all I had to do on the server:

wget https://git.io/vpnsetup -O vpnsetup.sh  
nano -w vpnsetup.sh  
[Replace with your own values: YOUR_IPSEC_PSK, YOUR_USERNAME and YOUR_PASSWORD]
sudo sh vpnsetup.sh  

YOUR_IPSEC_PSK – this should be you preshared key phrase (e.g. mysecretpskforvpn).
YOUR_USERNAME and YOUR_PASSWORD – your username and password to login into the VPN.

All done in fire and forget manner! The VPN was up and running. Now it was time to set up the VPN connection on my phone. I went to Settings > Wireless & Networks (More) > VPN and added a new VPN and filled the settings as follows:

Name: vpn_interceptor
Type: L2TP/IPSec PSK
Server address: [VPN_SERVER_IP]
L2TP secret: (not used)
IPSec identifier: (not used)
IPSec pre-shared key: [YOUR_IPSEC_PSK]
DNS search domains: (not used)
DNS servers: 8.8.8.8
Forwarding routes: (not used)

Now that the VPN was added, I clicked the triple-dot Settings button in the same window and clicked Always-On option and then picked the newly created VPN connection.

This is when I ran into a problem on my Android 6.0. No matter how hard I wanted the VPN to connect, it would always show connection error. I tried on another Android 4.4 device and it worked perfectly, so I knew something was wrong with the latest version of Android. The Github page of the auto script did mention a workaround for Android 6 Marshmellow:

Note: Android 6 (Marshmallow) users should edit /etc/ipsec.conf on the VPN server and append ,aes256-sha2_256 to both ike= and phase2alg= lines. Then add a new line sha2-truncbug=yes immediately after those. Indent lines with two spaces. When finished, run service ipsec restart.

That didn’t work, so I removed that “fix” from the server config files. Shortly after, I found a feature in the VPN profile settings called Backwards-compatible mode. I set that to Enable and *bang* – finally everything started to work.

Now that I had a working VPN, it was time to set up the interception and decryption of HTTPS packets. For that I decided to use SSLsplit software. Installation was easy:

wget http://mirror.roe.ch/rel/sslsplit/sslsplit-0.5.0.tar.bz2  
tar jxvf sslsplit-0.5.0.tar.bz2  
cd sslsplit-0.5.0  
make  
sudo make install  

The IPSec/L2TP installation script created some advanced firewall settings for my new VPN setup and honestly I was not able to adjust it in such a way that allowed me to redirect HTTP/HTTPS packets to sslsplit proxy. I decided to completely purge the iptables settings and replace the iptables config file with the clean one, including some settings for redirecting packets to sslsplit.

iptables -F  
iptables -t nat -F  
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE  
iptables-save > /etc/iptables.rules  

Packet forwarding should already have been enabled (and should be re-enabled at every boot), because of the VPN auto setup script, but in order to be sure, you could run:

echo 1 > /proc/sys/net/ipv4/ip_forward  

Next, I prepared the directory structure for sslsplit log files and created thesslsplit root certificate that will be used for generating forged HTTPS certificates the same way that Fiddler did before:

mkdir sslsplit  
mkdir sslsplit/certs  
mkdir sslsplit/logs  
cd sslsplit/certs  
openssl genrsa -out ca.key 2048  
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt  

I had to download sslsplit/certs/ca.crt root certificate from the VPS, copy it my phone’s SD card and import it as trusted certificate authority. That way my Android phone would allow any forged certificate generated by sslsplit to be accepted. You could easily download ca.crt file from your VPS via SSH protocol on Windows using WinSCP.

In order to easily turn on and off our HTTP/HTTPS interception, on the server, I decided to create two small shell scripts (my sslsplit directory was put in /root/):

/root/sslsplit/start.sh

#!/bin/bash
iptables-restore < /etc/iptables.rules  
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-ports 8080  
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j REDIRECT --to-ports 8443  
sslsplit -d -l /root/sslsplit/connections.log -j /root/sslsplit/ -F /root/sslsplit/logs/%T -k certs/ca.key -c certs/ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080  

/root/sslsplit/stop.sh

#!/bin/bash
killall sslsplit  
iptables-restore < /etc/iptables.rules  

Now whenever I wanted to start intercepting packets, I’d run ./start.sh and if I wanted to stop, ./stop.sh. Simple. The sslsplit was configured to run as a daemon and it would log all raw packets into separate files in /root/sslsplit/logs/ directory. The logging feature of sslsplit is not perfect as it doesn’t fully decode saved HTTP packets, it doesn’t group packets in request/reply order and will put several packets into one file if they are sent at the same exact second, but for my needs it had to do fine. I will later describe how I overcame the HTTP decoding issue.

With the VPN setup done and HTTPS interception in place, I was finally able to drive to town, eat something and do some live packet capturing!

Trip to town

I visited three places and ordered some food in each one of them. During checkout I asked the vendor to register some EatApp points for the products I just had. At that point my phone was all the time connected to the interception VPN and the authorization packets were logged on the server by sslsplit.

I found out that if the location permission was turned off, the beacon proximity feature wouldn’t work, thus in two places the staff had to use the PIN authorization. I retrieved two packets with correct PIN values in the first two places and in the third place I was able to capture the beacon authorization packet, after I enabled the location permission for the app.

Finally I had an opportunity to check out the official Estimote developer’s app that was supposed to detect nearby beacon broadcasts and retrieve the broadcasted UUID, Major and Minor. It turned out my theory was correct:

I still had to confirm at home if the broadcasted authorization keys were really used in the authorization packet, by analyzing the sslsplit log files.

Connecting the dots

I downloaded the sslsplit log files from the server. The issue with sslsplit is that it will log all HTTP packets in their raw form. Meaning that if the Transfer-Encoding is chunked or packet is compressed with gzip, the packets won’t be logged in decoded plain-text form.

I have released a small script that is supposed to decode the sslsplit packets into clear text form. Please note that script uses a quite buggy http-parserlibrary that I decided to use for parsing HTTP packets. For simple needs, though, it is “good enough”. You can find splitparse.py on Github here.

Usage:

pip install http-parser  
python splitparse.py -i [sslsplit_logs_dir] -o [output_dir]  

I quickly found the request packet with the authorization data that was sent when the beacon was swiped over my phone:

POST /users/461845f5d03e6c052a43afbc/points  
Accept: application/json  
Accept-Language: en-gb  
X-App-Version: 1.28.0  
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1;)  
...
Content-Type: application/json; charset=UTF-8  
Content-Length: 375  
Host: api.eatapp.com  
Connection: Keep-Alive  
Accept-Encoding: gzip

{
  "authentication_token":"boKUp9vBHNAJp7XbWZCK",
  "latitude":...,
  "longitude":...,
  "point":{
    "isDoneByGesture":false,
    "main_beacon":{
      "major":38995,
      "minor":12702,
      "uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8"
    },
    "place_id":"450",
    "promoted_products_ids":[
      {"id":"647035946536601578040000"},
      {"id":"647035946536601578040000"},
      {"id":"647035946536601578050000"}
    ]
  }
}

Jackpot! I confirmed that the UUID, Major and Minor numbers were exactly the same in the request authorization packet and detected live with the Estimote developer’s app. That meant my theory was correct and the verification keys are constantly being broadcasted over the air in every EatAppsupported restaurant.

To summarize, here is the step-by-step guide on how to get free EatApp points in restaurant ZZZ:

• Walk into restaurant ZZZ.
• Open up Estimote developer’s app and detect the closest nearby beacon.
• Save the screenshot with the visible UUID, Major and Minor values.
• Go home.
• Set a breakpoint in Fiddler to intercept EatApp packets with /users/ path in GET requests.
• On your phone, select the ZZZ restaurant and set EatApp to await PIN authorization for earned points.
• Enter any PIN.
• Modify the intercepted packet in Fiddler, removing the "pin":"NNNN" entry and replacing it with the valid "main_beacon":{...} content containing the beacon keys captured with Estimote app.
• Let the modified packet through to EatApp server.
• Enjoy your free points!

Of course it would be much better to write you own tool to directly communicate with application’s server API while implementing proper location spoofing. The method I described is just quicker and easier for testing purposes.

Conclusion

Broadcasting authorization keys publicly over the air is never a good idea. Here is the list of things that could be done to improve EatApp’s security:

• Send a hash value of account’s current state as an additional request parameter (points for every restaurant, account name, last sent GPS location etc.). The server would then verify if the hash is correct and only then authorize the request. Finding out how the hash parameter is formed would not be possible without disassembling and reverse engineering the application’s code. That would add additional difficulty.
• In order to make reverse engineering harder, the application’s code should be obfuscated. If the additional hash verification parameter was implemented, it would greatly increase the difficulty of reverse engineering the application’s code.
• @FabricatorGeneral mentioned in the comment section that it is possible to enable Secure UUID feature in Estimote’s beacons that would broadcast the beacon keys in encrypted form. That way only applications with the correct API key would be able to decrypt it. Bypassing that would require writing a custom mobile application implementing Estimote SDK, that would listen to broadcasts, decrypting them with application’s API key, that would have to be retrieved first by reverse engineering the application’s code.
• Certificate pinning should be implemented to make it harder to intercept the HTTPS connection using forged certificates. This security feature could also be bypassed, but it would involve reverse engineering the application, finding where the certificate verification check is done, removing it and recompiling the application again.
• Not sure if that is possible with Estimote Beacon’s, but it would be good to provide restaurants with a second beacon that would be used only for authorizing transactions with maximum broadcast range of half meter.
• Never trust the client’s device! For maximum security, client’s device should only send the reward request to the server, without any authorization keys. Afterwards, the server would send the authorization request to vendor’s dedicated tablet behind the counter, requesting him to authorize the point rewards with proper keys. Beacon swiping or entering the PIN would only be done on vendor’s device, thus making it impossible for the client to intercept the request that he could later use to create forged packets.

Source:https://breakdev.org

KNOWLEDGE BELONGS TO THE WORLD

The post How I Hacked an Android App to Get Free Beer appeared first on Information Security Newspaper.

A new ransomware that pretends to be from a fake organization called the Central Security Treatment Organization has been discovered by security researcher MalwareHunterTeam.  When the Central Security Treatment Organization, or Cry, Ransomware infects a computer it will encrypt a victim’s files and then append the .cry extension to encrypted files. It will then demand approximately 1.1 bitcoins, or $625 USD, in order to get the decryption key.

Based on analysis by myself, MalwareHunterTeam, and Daniel Gallagher, this infection exhibits some interesting characteristics not commonly seen in ransomware. For example, like Cerber, this ransomware will send information about the victim to the Command & Control server using UDP. Furthermore, it will also use public sites such as Imgur.com and Pastee.org to host information about each of the victims. Last, but not least, it will query the Google Maps API to determine the victim’s location using nearby wireless SSIDs.

This ransomware is still currently being analyzed and it may be discovered that decryption is possible. Therefore, victims may want to monitor the Central Security Treatment Organization Support Topic for updates.

As with many ransomware infections, it is hard to provide a descriptive name, so for the purposes of this article the ransomware will be referred to as the Central Security Treatment Organization Ransomware, CSTO Ransomware, or Cry Ransomware.

Command & Control Server Communication Methods

When a victim is infected, the ransomware will compile a variety of information such as the Windows version, the service pack installed, the Windows bit-type, the user name, the computer name, and the type of CPU installed in the computer. This information will then be sent via UDP to 4096 different IP addresses, with one of them being the ransomware’s Command & Control server.  The use of UDP packets is probably being done to obfuscate the location of the Command & Control server so that authorities cannot seize it.

The Cry Ransomware will also upload the same information as well as a list of encrypted files to Imgur.com.  It does this by compiling all of the information into a fake PNG image file and then uploading it to a designated Imgur album.  Once the file has successfully been uploaded, Imgur will respond with a unique name for the filename. This filename then be broadcasted over UDP to the 4096 IP addresses to notify the Command & Control server that a new victim has been infected.

Finding a victim’s location based on nearby SSIDs

Using the Google Maps API, a user can determine the location of a querying device by the SSIDs of nearby wireless networks. This ransomware uses the WlanGetNetworkBssList function to get a list of nearby wireless networks and their SSIDs. It will then query the Google Maps API using these SSIDs to get the victim’s location.

It is unsure what this is currently being used for, but this information could be used to generate an image of the victim’s location using Google maps. This could then be used to further scare the victims into paying the ransom.

How the Central Security Treatment Organization Ransomware Encrypts Files

When this ransomware infects a computer it make a backup of certain shortcuts on the victim’s Windows desktop and save them in a folder on the desktop called old_shortcuts. The purpose of this folder is currently unknown.

The ransomware will now encrypt the victim’s files and append the .cry extension to encrypted files. The files currently targeted by this ransomware are:

.#vc, .$ac, .00c, .07g, .07i, .08i, .09i, .09t, .1pa, .1pe, .3dm, .3ds, .3g2, .3gp, .3me, .3pe, .7z, .10t, .11t, .13t, .123, .210, .500, .2011, .2012, .2013, .2014, .2015, .2016, .2017, .aac, .aaf, .ab4, .ac2, .acc, .accd, .ach, .aci, .acm, .acr, .aep, .aepx, .aes, .aet, .afm, .ai, .aif, .amj, .arc, .as, .as3, .asc, .asf, .asm, .asp, .asx, .ati, .avi, .back, .bak, .bat, .bay, .bc8, .bc9, .bd2, .bd3, .bgt, .bk2, .bmp, .bpf, .bpw, .brd, .brw, .btif, .bz2, .c, .cal, .cat, .cb, .cd, .cdf, .cdr, .cdt, .cdx, .cf8, .cf9, .cfdi, .cfp, .cgm, .cgn, .ch, .chg, .cht, .clas, .clk, .cmd, .cmx, .cnt, .cntk, .coa, .cpp, .cpt, .cpw, .cpx, .crt, .cs, .csl, .csr, .css, .csv, .cur, .cus, .d07, .dac,.dat, .db, .dbf, .dch, .dcr, .ddd, .dds, .defx, .der, .des, .dgc, .dif, .dip, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drw, .ds4, .dsb, .dsf, .dtau, .dtd, .dtl, .dwg, .dxf, .dxi, .ebc, .ebd, .ebq, .ec8, .efs, .efsl, .efx, .emd, .eml, .emp, .ens, .ent, .epa, .epb, .eps, .eqb, .ert, .esk, .ess, .esv, .etq, .ets, .exp, .fa1, .fa2, .fca, .fcpa, .fcpr, .fcr, .fef, .ffd, .fim, .fla, .flac, .flv, .fmv, .fon, .fpx, .frm, .fx0, .fx1, .fxr, .fxw, .fyc, .gdb, .gem, .gfi, .gif, .gnc, .gpc, .gpg, .gsb, .gto, .gz, .h, .h10, .h11, .h12, .hbk, .hif, .hpp, .hsr, .html, .hts, .hwp, .i2b, .iban, .ibd, .ico, .idml, .iff, .iif, .img, .imp, .indb, .indd, .indl, .indt, .ini, .int?, .intu, .inv, .inx, .ipe, .ipg, .itf, .jar, .java, .jng, .jp2, .jpeg, .jpg, .js, .jsd, .jsda, .jsp, .kb7, .kd3, .kdc, .key, .kmo, .kmy, .lay, .lay6, .lcd, .ldc, .ldf, .ldr, .let, .lgb, .lhr, .lid, .lin, .lld, .lmr, .log, .lua, .lz, .m, .m3u, .m3u8, .m4a, .m4u, .m4v, .m10, .m11, .m12, .m14, .m15, .m16, .mac, .max, .mbsb, .md, .mda, .mdb, .mdf, .mef, .mem, .met, .meta, .mhtm, .mid, .mkv, .ml2, .ml9, .mlb, .mlc, .mmb, .mml, .mmw, .mn1, .mn2, .mn3, .mn4, .mn5, .mn6, .mn7, .mn8, .mn9, .mne, .mnp, .mny, .mone, .mov, .mp2, .mp3, .mp4, .mpa, .mpe, .mpeg, .mpg, .mql, .mrq, .ms11, .msg, .mwi, .mws, .mx0, .myd, .mye, .myi, .myox, .n43, .nap, .nd, .nef, .nl2, .nni, .npc, .nv, .nv2, .oab, .obi, .odb, .odc, .odg, .odm, .odp, .ods, .odt, .oet, .ofc, .ofx, .old, .omf, .op, .orf, .ost, .otg, .otp, .ots, .ott, .p08, .p7b, .p7c, .p12, .paq, .pas, .pat, .pcd, .pcif, .pct, .pcx, .pd6, .pdb, .pdd, .pdf, .pem, .per, .pfb, .pfd, .pfx, .pg, .php, .pic, .pl, .plb, .pls, .plt, .pma, .pmd, .png, .pns, .por, .pot, .potm, .potx, .pp4, .pp5, .ppam, .ppf, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pr0, .pr1, .pr2, .pr3, .pr4, .pr5, .prel, .prf, .prn, .prpr, .ps, .psd, .psp, .pst, .ptb, .ptdb, .ptk, .ptx, .pvc, .pxa, .py, .q00, .q01, .q06, .q07, .q08, .q09, .q43, .q98, .qb1, .qb20, .qba, .qbb, .qbi, .qbk, .qbm, .qbmb, .qbmd, .qbo, .qbp, .qbr, .qbw, .qbx, .qby, .qbz, .qch, .qcow, .qdf, .qdfx, .qdt, .qel, .qem, .qfi, .qfx, .qif, .qix, .qme, .qml, .qmt, .qmtf, .qnx, .qob, .qpb, .qpd, .qpg, .qph, .qpi, .qsd, .qsm, .qss, .qst, .qtx, .quic, .quo, .qw5, .qwc, .qwmo, .qxf, .r3d, .ra, .raf, .rar, .raw, .rb, .rcs, .rda, .rdy, .reb, .rec, .resx, .rif, .rm, .rpf, .rss, .rtf, .rtp, .rw2, .rwl, .rz, .s7z, .s12, .saf, .saj, .say, .sba, .sbc, .sbd, .sbf, .scd, .sch, .sct, .sdf, .sdy, .seam, .ses, .set, .shw, .sic, .skg, .sldm, .sldx, .slk, .slp, .sql, .sqli, .sr2, .srf, .ssg, .stc, .std, .sti, .stm, .str, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .t00, .t01, .t02, .t03, .t04, .t05, .t06, .t07, .t08, .t09, .t10, .t11, .t12, .t13, .t14, .t15, .t99, .ta1, .ta2, .ta4, .ta5, .ta6, .ta8, .ta9, .tar, .tax, .tax0, .tax1, .tax2, .tb2, .tbk, .tbp, .tdr, .text, .tfx, .tga, .tgz, .tif, .tiff, .tkr, .tlg, .tom, .tpl, .trm, .trn, .tt10, .tt11, .tt12, .tt13, .tt14, .tt15, .tt20, .ttf, .txf, .txt, .u08, .u10, .u11, .u12, .uop, .uot, .v30, .vb, .vbpf, .vbs, .vcf, .vdf, .vdi, .vmb, .vmdk, .vmx, .vnd, .vob, .vsd, .vyp, .vyr, .wac, .wav, .wb2, .wi, .wk1, .wk3, .wk4, .wks, .wma, .wmf, .wmv, .wpd, .wpg, .wps, .x3f, .xaa, .xcf, .xeq, .xhtm, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xpm, .xqx, .yuv, .zdb, .zip, .zipx, .zix, .zka, ._vc

During this process it will also delete the system’s Shadow Volume Copies using the command:

vssadmin delete shadows /all /quiet

In order to provide persistence, the ransomware will create a random named scheduled task that will trigger when the user logs into Windows.

Finally, the ransomware will create ransom notes named !Recovery_[random_chars].htmland !Recovery_[random_chars].txt on the victim’s desktop.

This ransom note will contain the victim’s personal ID and instructions on how to access the TOR payment site as shown above. Information about this Payment site can be found Central Security Treatment Organization’s payment site can be found in the next section.

The Central Security Treatment Organization Ransomware’s TOR Payment Site

The ransom notes created by the Central Security Treatment Organization Ransomware contain links to a TOR payment site that has a Window title of User Cabinet. When a user visits this site, they will be prompted to login using the personal code from their ransom note.

Once a victim logs in, they will be shown a page that states that it is part of some fake organization called the Central Security Treatment Organization and will contain the ransom amount that a victim must pay.

Other sections on the site include a payment page that lists the bitcoin address that the payment must be sent to.  There is also a support page that a victim can use to communicate with the malware developers.

The payment site will also include a free decryption of one file to test that they can actually decrypt a victim’s files.

When a file is submitted to the free decryption, it will decode it while you wait.

In my tests, though, the free decryption failed and the decrypted file was not made available.  With that said, if you do plan on paying the ransom, you may want to confirm that this feature works before doing so in order to test the decryption.

Files associated with the Central Security Treatment Organization Ransomware:

%UserProfile%\AppData\Local\Temp\[random_chars].exe
%UserProfile%\AppData\Local\Temp\[random_chars].tmp
%UserProfile%\AppData\Local\Temp\[random_chars].html
%UserProfile%\Desktop\!Recovery_[random_chars].html
%UserProfile%\Desktop\!Recovery_[random_chars].txt
%UserProfile%\Desktop\old_shortcuts\
C:\Windows\System32\Tasks\[random_chars]

Registry Entries associated with the Central Security Treatment Organization Ransomware:

HKCU\Software\[same_name_as_executable]

IOCs:

SHA256:	33f66a95e01e2650ea47405031d4ced2ad25db971e65a92319296ccef62b7964

Network Communication:

http://imgur.com
https://pastee.org/
https://maps.googleapis.com
UDP Traffic to ip addresses in the 37.x.x.x range

Source:http://www.bleepingcomputer.com/

KNOWLEDGE BELONGS TO THE WORLD

The post The Central Security Treatment Organization Ransomware uses the Cry Extension and Communicates via UDP appeared first on Information Security Newspaper.

LuaBot is the latest addition to the Linux malware scene. A trojan coded in Lua is targeting Linux platforms with the goal of adding them to a global botnet, security researcher MalwareMustDie! has reported today.

For an operating system with a minuscule 2.11 percent market share, this is our third story on Linux malware in the past 24 hours, after previously reporting on the Mirai DDoS trojan and the Umbreon rootkit.

LuaBot falls into the same category as Mirai because its primary purpose is to compromise Linux systems, IoT devices or web servers, and add them as bots inside a bigger botnet controlled by the attacker.

LuaBot most likely used for DDoS attacks

At the time of writing, this botnet’s purpose is currently unknown, but MalwareMustDie told Softpedia on Twitter that the code for launching packet floods (DDoS attacks) is there, only that he wasn’t able to confirm the functionality yet.

At the moment, the LuaBot trojan is packed as an ELF binary that targets ARM platforms, usually found in embedded (IoT) devices. Based on his experience, this seems to be the first Lua-based malware family packed as an ELF binary spreading to Linux platforms.

Unlike Mirai, which is the fruit of a two-year-long coding frenzy, LuaBot is in its early stages of development, with the first detection being reported only a week ago and a zero detection rate on VirusTotal for current samples.

Since it’s only a one-week-old malware strain, details are scarce about its distribution and infection mechanism.

LuaBot author challenges security researchers

MalwareMustDie has managed to reverse-engineer some of the trojan’s code and discovered that the bot communicates with a C&C server hosted in the Netherlands on the infrastructure of dedicated server hosting service WorldStream.NL.

The researcher also found that LuaBot’s brazen developer left a message behind for all the infosec professionals trying to deconstruct his code. The message reads, “Hi. Happy reversing, you can mail me: [REDACTED .ru email address].”

Additionally, MMD also discovered code labeled as “penetrate_sucuri,” alluding to features capable of skirting Sucuri’s infamous Web Application Firewall, a cyber-security product that has stopped many web threats in the past.

MMD told Softpedia that “it seems the function is there […] coded with that purpose,” but the researcher later admitted that “I don’t know the Sucuri WAF much, so I can not test it.” Softpedia has reached out to Sucuri, and we’ll update the article if this function proves to be a successful firewall bypass or just an unfinished piece of code.

Source:http://news.softpedia.com/

KNOWLEDGE BELONGS TO THE WORLD

The post LuaBot Is the First Botnet Malware Coded in Lua Targeting Linux Platforms appeared first on Information Security Newspaper.

A mobile banking trojan called Trojan-Banker.AndroidOS.Gugi.c, or “Gugi” for short, found no problem bypassing a couple of the security measures introduced in Android 6.

The name of the game is social engineering when it comes to a Gugi infection.

According to Kaspersky Lab’s senior malware analyst Roman Unuchek, the trojan first infects a device by posing as a spam SMS message that reads as follows:

“Dear user, you receive MMS-photo! You can look at it by clicking on the following link.”

If clicked, the link begins downloading Gugi onto the device.

The malware then faces its first test.

In response to an expanding field of Android ransomware–which includes samples that havemasqueraded as adult apps, infected Android smart TVs, and demanded ransom in the form of iTunes gift cards–Google built into Android 6 a feature that requires an app to request permissions if it wants to overlay its window over another app.

For Gugi, that’s nothing a little social engineering can’t fix. As Unuchek explains:

“The first thing an infected user is presented with is a window with the text ‘Additional rights needed to work with graphics and windows’ and one button: ‘provide.’… After clicking on this button, the user will see a dialog box that authorizes the app overlay (‘drawing over other apps’).”

Flipping that switch surrenders control of the device to Gugi. Indeed, with the ability to overlay other apps, the trojan initiates a series of requests for additional permissions by abusing another feature of Android 6: a dynamic request capability that allows mobile apps to ask for additional permissions after they have been installed.

Among other things, Gugi requests to be made device administrator, a status which allows the malware to act as a regular mobile banking trojan by opening up phishing pages for banking credentials and stealing contacts/SMS messages off the device.

If the user denies Gugi’s requests, they face their own set of consequences, as Unuchek rightly notes:

“Should the user deny permission, subsequent requests will offer them the option of closing the request. If the Trojan does not receive all the permissions it wants, it will completely block the infected device. In such a case the user’s only option is to reboot the device in safe mode and try to uninstall the Trojan.”

Currently, Gugi is targeting users living in Russia primarily, but it could set its sights on other demographics in the coming weeks and months.

Kaspersky Lab intends to release a report on Gugi soon. In the meantime, users should protect themselves against an infection by exercising caution around suspicious links and email attachments, by reviewing app permission requests carefully, and by keeping an up-to-date antivirus solution installed on their devices.

Source:http://www.bleepingcomputer.com

KNOWLEDGE BELONGS TO THE WORLD

The post Gugi Trojan Guffaws at Android 6 Security Measures… and Then Bypasses Them appeared first on Information Security Newspaper.

According to security researcher Timothy Davies, a new version of the Locky Ransomware, aka Zepto, has been circulating since around the September 5th 2016 that includes an embedded RSA key. This key allows Locky to encrypt a victim’s computer without having to contact their Command & Control server. As many system administrators block Command & Control servers on their firewalls, by using an embedded RSA key, Locky can encrypt a computer regardless of what has been blocked at the edge.

The good news is that this version is having distribution problems as there attachments are not being named properly. For example, a current campaign is using ZIP attachments that contain JS files. When executed, these files are giving an error as seen below.

This error is occurring because the attachments are actually HTA files and not JS files. Once the file is renamed to HTA, it works properly.

Other than that, this version continues to append the .ZEPTO extension to encrypted files and create ransom notes that are named %Desktop%\[number]_HELP_instructions.html, %Desktop%\_HELP_instructions.html, and %Desktop%\_HELP_instructions.bmp.

This version is targeting the following extensions for encryption:

.ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aes, .apk, .asc, .asf, .asm, .asp, .asset, .avi, .bak, .bat, .bik, .bmp, .brd, .bsa, .cgm, .class, .cmd, .cpp, .crt, .csr, .d3dbsp, .das, .dbf, .dch, .dif, .dip, .djv, .djvu, .docb, .docm, .docx, .dotm, .dotx, .fla, .flv, .forge, .frm, .gif, .gpg, .hwp, .ibd, .iwi, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .lbf, .ldf, .litemod, .litesql, .ltx, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mpeg, .mpg, .ms11 (Security copy), .odb, .odg, .odp, .ods, .odt, .onetoc2, .otg, .otp, .ots, .ott, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .pptm, .pptx, .psd, .pst, .qcow2, .rar, .raw, .sav, .sch, .sldm, .sldx, .slk, .sql, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .upk, .vbs, .vdi, .vmdk, .vmx, .vob, .wallet, .wav, .wks, .wma, .wmv, .xlc, .xlm, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip
Source:http://www.bleepingcomputer.com/

KNOWLEDGE BELONGS TO THE WORLD

The post Locky now using Embedded RSA Key instead of contacting Command & Control Servers appeared first on Information Security Newspaper.

KNOWLEDGE BELONGS TO THE WORLD

The post Down but Not Out! Dridex Begins Targeting Crypto-Currency Wallets appeared first on Information Security Newspaper.

KNOWLEDGE BELONGS TO THE WORLD

The post The Missing Piece – Sophisticated OS X Backdoor Discovered appeared first on Information Security Newspaper.

Hacking video demo shows government spyware in action.Have you ever wondered how does a government-sanctioned hacking actually work? Well, unless you are employed in a police department, or are a middleman who sells spyware software, or if you’ve worked in one of these companies, it is unlikely that you may have seen a live demo of how a spyware works.

However, a new 10-minute-video obtained by Motherboard, shows an Italian surveillance contractor called RCS Lab demo the hacking tool intended for use by police forces and government agencies. It also shows that the cops need very little technical knowledge to remove a scary level of information from a target’s computer.

The video shows off a software product from Italian firm RCS Labs called Mito3, which allows the RCS employee to set up these kinds of attacks with ease by just applying a rule in the software settings. RCS’s website explains this product as a “monitoring center” that “retrieves, decodes, processes and stores contents coming from virtually any kind of communication network.”

The RCS employee can select whatever site he or she wants to use as a vector, click on a dropdown menu and select “inject HTML” into an innocent-looking website. This then creates a malicious popup that prods the victim to download a Flash update. From there, the computer is hacked, even though a fake update appears to happen on screen to appease the user. Once the user downloads the fake update, he or she is infected with the spyware.

Source:http://www.techworm.net/

KNOWLEDGE BELONGS TO THE WORLD

The post Leaked video shows how government spyware Infects a Computer appeared first on Information Security Newspaper.

KNOWLEDGE BELONGS TO THE WORLD

The post WINDOWS MEDIA PLAYER DRM USED FOR MALWARE appeared first on Information Security Newspaper.

The manufacturer USBKill.com has commercialized USB Kill 2.0, a USB dongle that is able to fry any computer through the USB ports.

The Hong Kong-based technology manufacturer USBKill.com has created a USB dongle that is able to fry any computer into which it’s plugged by using an electrical discharge. The attack is simple, the USBKill use to charge capacitors from the USB power supply, and then discharges 200 volts DC over the host device.

The designer of the USBKill presented a prototype last year, the USB device was able to destroy a laptop in a few seconds. Now they have presented the USB kill 2.0, a final release that  is commercialized by USBKILL.com team.

“Our tests reveal that more than 95% of all devices using USB ports will be damaged permanently or completely destroyed by a USB power surge attack”. explained the researchers behind the project that explained they created the USB kill 2.0 for testing purposes. The unique device that passed the tests is the latest version of Apple’s MacBook, which uses surge-protected USB ports.

The company warns it has been “designed and tested to be safe,”,  it “is a high-voltage device — it is not a toy — and is only intended for responsible adults.”

Hardware developers could use the USB device to evaluate the resilience of their machine against such kind of “devastating power surge attacks” and to prevent data theft via “juice jacking.”

“Any public facing USB port should be considered an attack vector. In data security, these ports are often locked down to prevent exfiltration of data, or infiltration of malware, but are very often unprotected against electrical attack!” reads the press release.

“When the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges — all in the matter of seconds,” the company said in a news release.

The Juice jacking is a cyber attack where wherein malware might be installed on to, or data surreptitiously copied from, a mobile device or other computer device using a charging port that doubles as a data connection.

Below a video PoC of the KillUSB 2.0.

The USB Kill 2.0 could cause serious damage to the host, despite it isn’t designed to wipe data depending on the hardware configuration it could have this effect by destroying drive controllers.

“When tested on computers, the device is not designed or intended to erase data. However, depending on the hardware configuration (SSD vs platter HDD), the drive controllers may be damaged to the point that data retrieval is impractical,” the company said in its marketing material.

USB Kill also said the device was created for use by hardware designers of public machines, such as photo booths, copy machines, airline entertainment systems and ticket terminals — anything with exposed USB ports that need to “ensure that their systems resist electrical attacks.”

“Finally, the general public, or anyone who wants to test or kill their own devices should equip themselves,” the company stated. “Penetration testers and security auditors should include the USB kill 2.0 to their arsenal of testing tools.”

The technology manufacturer USBKill.com also offer for sale a USB Protection Shield specifically designed to allow the testing of the USB Killer without damaging the host machine.

The USB Kill 2.0 stick costs around $56, meanwhile the Test Shield will go for about $15.70.

The USBKill.com “strongly condemns malicious use of its products.”

Source:http://securityaffairs.co/

KNOWLEDGE BELONGS TO THE WORLD

The post Now you can buy USB Kill that could fry your PC via USB appeared first on Information Security Newspaper.

Malware authors have made around $86,400, so far. A malware variant named Mal/Miner-C (also known as PhotoMiner) is infecting Internet-exposed Seagate Central Network Attached Storage (NAS) devices and using them to infect connected computers to mine for the Monero cryptocurrency.

Miner-C, or PhotoMiner, appeared at the start of June 2016, when a report revealed how this malware was targeting FTP servers and spreading on its own to new machines thanks to worm-like features that attempted to brute-force other FTP servers using a list of default credentials.

Miner-C now specifically targets Seagate Central NAS hard drives

This same functionality is still present in the latest Miner-C version, but security researchers from Sophos say that recent Miner-C iterations are using a design flaw in the Seagate Central NAS devices to place a copy of itself on their public data folders.

NAS devices, which are network-connected hard drives, allow users to access files from the local network, but also via the Internet if the administrator chooses to open the NAS drive for remote access.

According to Sophos, Seagate Central devices contain a public folder accessible to all users, even anonymous non-logged-in users, which can’t be deactivated or deleted.

Miner-C tricks users into installing the cryptocurrency miner

Miner-C is copying files to this public folder on all Seagate Central NAS devices it can find. One of the files it copies is called Photo.scr, a script file that malware coders have modified to use a standard Windows folder icon.

Because Windows has a bad habit of hiding file extensions, whenever the device owner accesses their NAS, they see this file as a folder, fooled by the fake icon.

When they try to access the folder, they’re actually executing the Photo.scr file, which installs a cryptocurrency mining application on their PC.

Public and private folders on Seagate Central NAS drives

Miner-C also features a modular structure made of different parts that do different things, and it uses a unique method of loading its config file.

“Since it generates a new initialization file when it is launched, it helps the malware avoid security solutions. It also gives the botnet operators a chance to change the payload of the threat in the future, for example, dropping ransomware to the victim’s machine after the mining business is no longer profitable,” the Sophos team explains in a technical report.

Miner-C mines for Monero only

Right now, Monero is one of the most profitable cryptocurrencies from when it comes to mining operations. While Bitcoin mining difficulty has increased many times over the years, PC-based Bitcoin mining has ceased to be profitable in 2012 and is currently only an option if you’re using special hardware and dedicated data centers.

Monero is one of the few cryptocurrencies that can still be mined using regular PCs, hence the reason the crooks chose it.

There are around 5,000 Seagate Central NAS devices infected

According to telemetry data Sophos researchers gathered, Miner-C has infected around 70 percent of all Seagate Central NAS devices available on the Internet.

Researchers discovered around 7,000 Seagate Central NAS devices connected to the Internet, which means crooks managed to infect around 5,000 such devices.

Since all the accounts to which crooks collect Monero are stored in the malware’s config file, Sophos was able to estimate that they have made around €76,600 ($86,400) from their operations until now and are currently responsible for 2.5 percent of the entire Monero mining activity.

The quandary is that Seagate Central owners have no way to protect their device. Turning off the remote access NAS feature can prevent the infection, but also means they lose the ability to access the device from a remote location, one of the reasons they purchased the hard drive in the first place.

Map of infected Seagate Central NAS devices

 Source:http://news.softpedia.com/

KNOWLEDGE BELONGS TO THE WORLD

The post Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives appeared first on Information Security Newspaper.

Experts from Dr Web discovered a new Linux Trojan called Linux.BackDoor.Irc.16 that is written in the Rust programming language.

KNOWLEDGE BELONGS TO THE WORLD

The post Doctor Web discovers the first Linux Trojan that is written in Rust language appeared first on Information Security Newspaper.

These days, parents can easily end up installing RATs instead of legitimate parental control software. Parents looking for a way to monitor their child’s online activities may turn to malware known as Remote Access Trojans (RATs) due to their proliferation and low cost.

KNOWLEDGE BELONGS TO THE WORLD

The post Is Using Remote Access Trojans (RATs) to Monitor Your Kids Acceptable? appeared first on Information Security Newspaper.

High-pitched sound destroys bank’s data storage drives. Problems during a planned fire drill shut down ING Romania’s entire data center for ten hours on Saturday, in an event that looked like a MythBusters episode.

The fire drill involved the release of Inergen gas, a type of inert gas used to extinguish fires in data centers without damaging equipment.

Not everything went was planned during the release of the Inergen gas, which resulted in abnormal and high-pitched sound levels that resonated and affected the bank’s data storage hard drives, causing them problems writing and reading data from their disks.

Everything was down. Everything!

This resulted in the damaging of some equipment and the immediate shutdown of the entire bank’s suite of services. At around 13:00 local time, the bank’s entire ATM infrastructure stopped functioning, along with its PoS services, online payment system, Homebanking service, commercial website, and even internal email and ticketing support system.

This left the bank in the awkward position of not being able to communicate with its clients for a few hours.

The first to figure something was wrong were Softpedia’s Romanian forum users. Attempts from Softpedia to contact the bank at that time were unanswered.

This was not an ATM heist or SWIFT attack, even if it looked like one

Due to the wide-reaching and devastating blackout of its IT system, it took the bank over four hours to post its first message on its Facebook account. An ING spokesperson told Softpedia at the time that this was “a general technical issue.”

Users complained on Facebook, Twitter, and forums, and speculation about cyber-attacks was rampant. The bank’s website, which often came back online only to succumb a few minutes later, presented the classic signs of a DDoS attack.

The shutdown of its entire ATM and transactions service on a weekend day also made some speculate that a SWIFT attack or a coordinated ATM heist had taken place. These latter attacks often occur during weekends, when banks aren’t fully staffed.

Safety and security procedures delayed the data restoration process

Bank services started coming back online after 20:00 local time and were fully restored by 23:00 the same day. On Sunday morning, the bank issued a statement about what happened during the previous day.

ING Romania explained that while it would have been easy to restore from a backup and start services immediately, due to the highly sensitive data found on its data center’s storage servers, they had to follow a strict set of procedures and tests before putting each of its services online.

The bank is currently undergoing a diagnostics and analysis phase of the entire incident. ING Romania also apologized for its failure to inform customers of the issues earlier, but said this would have been practically impossible since it couldn’t reach its customer database at that point in time.

Bank officials say they’ll reimburse costs to all ING clients who used ATMs of other banks to withdraw money on Saturday.

Softpedia collaborated on this story with Andrada Fiscutean. You can read more about the science behind the data center’s failure in her Motherboard feature. Below is a video released by the bank’s PR staff from Saturday’s mini-crisis.

Source:http://news.softpedia.com/

KNOWLEDGE BELONGS TO THE WORLD

The post Fire Drill Gone Bad Shuts Down An ING Bank Data Center for Ten Hours appeared first on Information Security Newspaper.

Targets foot hardware and electricity costs of mining Monero coins. Attackers are draining the CPU and power resources of thousands file transfer protocol servers by infecting them with malware that surreptitiously mints the relatively new crypto currency called Monero, researchers said.

A notable percentage of the 3,000 or so infected servers are powered by Seagate Central, a network-attached storage device that allows users to remotely retrieve files using FTP connections, according to a report published Friday by researchers from antivirus provider Sophos. The Seagate device contains a weakness that allows attackers to upload malicious files to any device that has been configured to allow remote file access, the report said. Once users inadvertently click on the malicious files, their systems are infected with Mal/Miner-C, the malware that mines the Monero coins.

Sophos Senior Threat Researcher Attila Marosi estimated that Mal/Miner-C has already mined Monero coins valued at 76,599 Euros (about $88,347) and has the ability to earn about $481 each day. While new crypto coins sold on the open market don’t always fetch their entire estimated value, the earnings are nonetheless significant, since virtually all the hardware and electricity costs are borne by the people hosting the infected servers. The researcher went on to calculate that the infected servers comprised about half of the monorepool.com pool. The estimate was based on the infected servers having the capacity to generate 431,000 hashes per second when mining Monero coins, while the overall pool as measured by monoepool.com was 861,000 hashes per second. That translated to about 2.5 of the entire mining community.

Just add social engineering

The malware has no known abilities to spread automatically. Instead it takes advantage of FTP servers that allow anonymous users to upload to a public folder. As it turns out, Seagate Central devices allow such anonymous usage whenever remote access has been enabled, a setting that Marosi said allowed them to host much of the malware found. Attackers who found such servers uploaded a file that was disguised to look like a screensaver installer. When end users clicked on it, their systems were infected.

Over the past six months, Sophos has seen about 1.7 million Mal/Miner-C detections from about 3,000 different IP addresses. The large number of detections is the result of malware running in multiple directories. Marosi also scanned the Internet and found about 2.1 million IP addresses actively hosting FTP servers. Of those, 7,263 servers had write access enabled and 5,137 were hosting Mal/Miner-C files.

“More than 70 percent of the servers where write access was enabled had already been found, visited and ‘borrowed’ by crooks looking for innocent-sounding repositories for their malware,” the Sophos report stated. “If you’ve ever assumed that you’re too small and insignificant to be of interest to cybercriminals, and thus that getting security settings right is only really for bigger organizations, this should convince you otherwise.”

Source:http://arstechnica.com/

KNOWLEDGE BELONGS TO THE WORLD

The post Thousands of infected FTP servers net attackers $88k in cryptocurrency appeared first on Information Security Newspaper.

Shark Ransomware Project rebrands as Atom. The Shark Ransomware Project has recently rebranded and switched to a new domain in an attempt to start from scratch, calling itself Atom – a ransomware affiliate program.

The change comes after a series of news articles that gave it a bad reputation, including ours, published last month, in which we called it “scammy-looking.”

When it appeared, Shark was unique among other RaaS (Ransomware-as-a-Service) offerings because it used a website hosted on the public Internet, instead of Tor, like most of its rivals.

Shark was offering users a ransomware builder that allowed them to create their own Shark ransomware version. Crooks could customize Shark to their liking, and then use spam or exploit kits to infect victims.

Users paying the ransom would send the money to Shark’s creator Bitcoin wallet, who would keep 20 percent and forward the rest to the person who infected the victim.

Atom comes with a GUI payload builder

When accessing Shark’s website today, we got redirected to a new website promoting the Atom ransomware affiliate program.

Under the hood, Atom works almost the same way as Shark. It offers a payload builder and uses the same 80-20 percent cut as Shark did before being taken down.

The glaring change is that Atom uses a nice graphical user interface to build the ransomware. Shark previously used a terminal-based builder with users having to pass customization settings via command-line options.

Atom now includes a web panel for displaying campaign statistics

This builder generates the ransomware payload, the final EXE file that crooks need to deliver to victims, but also prints out a ransomware campaign ID.

Crooks deploying the Atom ransomware can enter this ID on the Atom website and access a web panel that shows details about the number of infected victims and earned money.

We called this ransomware operation “scammy” in our first report, and we still stand by that opinion. The ransomware still requires victims to make Bitcoin ransom payments to Atom’s creator Bitcoin wallet, with no guarantee that Atom subscribers will receive their 80 percent cut. At any time Atom’s creator can have a change of heart and shut down his operation, keeping a big chunk of the funds.

In a report released today, Fortinet took a look at how a typical Atom ransomware infection works. You’ll find in it technical details regarding Atom’s C&C server communications, not included in this article.

Atom ransom note

KNOWLEDGE BELONGS TO THE WORLD

The post Bad Press Forces Shark Ransomware Project to Rebrand appeared first on Information Security Newspaper.

It is a good day when a ransomware programmer channels their noobness and releases an insecure ransomware. This is the case with a new variant of the NoobCrypt Ransomware that was discovered by security researcher Jakub Kroustek. Living up to its name, the developer of NoobCrypt uses the same encryption key for every victim. This allowed Jakub to easily retrieve the password and post it on Twitter for victims to use.

NoobCrypt gets its name from taunts found in the executable’s source code. These taunts would be displayed when victim’s enter various passwords in the key field to try and decrypt their files. For example, as seen by the source code below, when a victim enters 123, the ransomware would display an alert that taunts them with the message “123 is not the code! You idiot. GO PAY IF U WANT UR PC BACK. NOOB HAH”.

Looks like the joke is on the ransomware dev, as thanks to Jakub we have a list of known decryption keys that a victim can use to decrypt files affected by NoobCrypt.

Decrypting NoobCrypt

When a user is infected with NoobCrypt they will be shown a ransom lock screen like the one below. This lock screen will state “Your personal files are encrypted”, that it was “Made in R0MANIA”, the bitcoin address a payment must be paid to, and the amount of the ransom.

As each release of NoobCrypt has a specific bitcoin address and ransom amount that associated with that release, we can use this information and the table below to determine the decryption key. With the help of Jakub, the known list of passwords and how to identify what version you are infected with is below.

Once the associated decryption key is identified, a vicitm needs to enter it into the Key field of the ransom screen and then click the Check button. If the key is accepted, it will display a message and decrypt the victim’s files.

If the key is not accepted, simply send us a sample of the executable and we will retrieve the key for you.

Extensions encrypted by NoobCrypt:

txt,doc,dot,docx,docm,dotx,dotm,docb,rtf,wpd,pdf,xls,xlt,xlm,xlsx,xlsm,xltx,xltm,xlsb,cdx,xla,xlam,xll,xlw,ppt,pot,pps,pptx,pptm,potx,potm,ppam,ppsx,ppsm,sldx,sldm,accdb,db,dbf,mdb,pdb,sql,jpg,jpeg,raw,tif,gif,png,bmp,wav,mp3,aif,iff,m3u,m4u,mid,mpa,wma,ra,avi,mov,mp4,3gp,3g2,asf,asx,flv,wmv,vob,m3u8,ico

IOCs:

SHA256:	974d2a36971b0f05c8a2d5b0daaee93732b78f0edeb4555aadbc1b7736ce995f

Source:http://www.bleepingcomputer.com/

KNOWLEDGE BELONGS TO THE WORLD

The post NoobCrypt Ransomware Dev shows Noobness by using Same Password for Everyone appeared first on Information Security Newspaper.

Number of DualToy infections is on the rise. A trojan targeting Windows computers is secretly sideloading mobile applications to any Android or iOS devices the user is connecting to infected PCs via USB cables.

KNOWLEDGE BELONGS TO THE WORLD

The post DualToy Windows Trojan Secretly Sideloads Apps on Android and iOS Devices appeared first on Information Security Newspaper.