Kategorie

Three radiation monitoring device vendors will not patch a handful of vulnerabilities that could be abused by hackers, including a backdoor that affords high privileges on one device.

Some bugs aren't worth very much cash. (credit: Daniel Novta)

Microsoft today announced a new bug bounty scheme that would see anyone finding a security flaw in Windows eligible for a payout of up to $15,000.

The company has been running bug bounty programs, wherein security researchers are financially rewarded for discovering and reporting exploitable flaws, since 2013. Back then, Microsoft was paying up to $11,000 for bugs in Internet Explorer 11. In the years since then, Microsoft's bounty schemes have expanded with specific programs offering rewards for those finding flaws in the Hyper-V hypervisor, Windows' wide range of exploit mitigation systems such as DEP and ASLR, and the Edge browser.

Many of these bounty programs were time-limited, covering software during its beta/development period but ending once it was released. This structure is an attempt to attract greater scrutiny before exploits are distributed to regular end-users. Last month, the Edge bounty program was made an ongoing scheme no longer tied to any particular timeframe.

Read 2 remaining paragraphs | Comments

Posted by Megan Ruthven Android Security, Ken Bodzak Threat Analysis Group, Neel Mehta Threat Analysis Group

Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan’s code contains references to a cyber arms company, Equus Technologies.

Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.

We’ve enhanced Google Play Protect’s capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.

How does Lipizzan work?

Getting on a target device

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup” or “Cleaner” app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

• Call recording
• VOIP recording
• Recording from the device microphone
• Location monitoring
• Taking screenshots
• Taking photos with the device camera(s)
• Fetching device information and files
• Fetching user information (contacts, call logs, SMS, application-specific data)

The PHA had specific routines to retrieve data from each of the following apps:

• Gmail
• Hangouts
• KakaoTalk
• LinkedIn
• Messenger
• Skype
• Snapchat
• StockEmail
• Telegram
• Threema
• Viber
• Whatsapp

We saw all of this behavior on a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage (com.android.mediaserver) to draw ties to the stage 1 applications.



Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

The apps changed from ‘backup’ apps to looking like a “cleaner”, “notepad”, “sound recorder”, and “alarm manager” app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?

• Ensure you are opted into Google Play Protect. 
• Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
• Keep “unknown sources” disabled while not using it.
• Keep your phone patched to the latest Android security update.

List of samples

1st stage



Newer version 

Standalone 2nd stage

Microsoft has finally launched a new dedicated bug bounty program to encourage security researchers and bug hunters for finding and responsibly reporting vulnerabilities in its latest Windows versions of operating systems and software. Being the favourite target of hackers and cyber criminals, every single zero-day vulnerability in Windows OS—from critical remote code execution, mitigation

At Black Hat, Facebook CSO Alex Stamos' keynote message was one of bringing empathy and inclusion to security, and that it's time to stop being insular.

The document below is an initial level analysis of the recent Petya Ransomware (2017). We will also discuss an analysis of a dll variant of the ransomware. Ransomware Objective: Encrypt the target machine and ask for ransom (in Bitcoins) to decrypt it. Analysis Objective: First, this document does not contain all of the indicators but […]

The post Petya Ransomware Initial Analysis appeared first on InfoSec Resources.

Security based on machine learning is only as great as the data it feeds on, as Sophos data scientist Hillary Sanders explains at Black Hat 2017

What if I say that your cute, smart robotic vacuum cleaner is collecting data than just dirt? During an interview with Reuters, the CEO of iRobot, the company which manufactured Roomba device, has revealed that the robotic vacuum cleaner also builds a map of your home while cleaning — and is now planning to sell this data to third-party companies. I know it sounds really creepy, but this is

Machine learning algorithms are increasingly a target for the bad guys - but the industry is working to stop them, explains Sophos chief data scientist Joshua Saxe

At $400, the Philadelphia ransomware kit isn't cheap - but crooks buying it will get a lot of bang for their buck, as we've discovered from digging in to how it works

Roomba maker iRobot is quick to reassure that it'll all be opt-in, but it already sweeps up a lot of data

Microsoft has said it will not patch a two-decade-old Windows SMB vulnerability, called SMBloris because it behaves comparably to the Slowloris attacks. The flaw will be disclosed and demonstrated during DEF CON.

Earlier this year, China announced a crackdown on VPNs and proxy services in the country and made it mandatory for all VPN providers and leased cable lines operators to have a license from the government in order to use such services. Now, Russia is also considering to follow a similar path. The Russian Federation Council has just approved a bill that would outlaw the use of virtual private

In this article, we will try to solve another Capture the Flag (CTF) challenge which was posted on VulnHub by PaulSec. According to the information given in the description by the author of the challenge, this is the entry level boot2root web based challenge. The aim of this challenge is to gain root privilege through […]

The post SecOS: 1 CTF Walkthrough appeared first on InfoSec Resources.

Na novou vlnu podvodů šířících se na Facebooku upozorňuje CSIRT. Podvodníci se vydávají za jednoho z přátel a snaží se vylákat telefonní číslo pro potvrzení platby prostřednictvím mobilní platební brány. Průběh útoku je vždy stejný: podvodníci nejdřív zkopírují uživatelský profil jednoho z přátel ...

Důvěrné informace o více než 400 000 klientech získali zatím neznámí hackeři v italské pobočce UniCredit banky. Je to jeden z největších kybernetických útoků cílených na banku v Evropě a vůbec největší v Itálii, uvedla agentura Bloomberg. O útoku informovali ve středu zástupci banky.

Latest dump is a trove of malware from Raytheon used for surveillance and data collection

Kaspersky po vzoru některých dalších antivirových společností vypustil do světa bezplatnou verzi svého bezpečnostního programu. Oproti placené verzi je jednodušší, neobsahuje některé pokročilé funkce jako třeba VPN, nicméně všechny součásti základní ochrany počítače včetně doplňku pro ...

News that a US company is 'bio-hacking' its employees with RFID chips is a publicity stunt - but it does raise issues of security and ethics

Chinese authorities have recently initiated a crackdown on the operators of a massive adware campaign that infected around 250 Million computers, including Windows and Mac OS, across the world earlier this year. The adware campaign was uncovered by security researchers at Check Point last month after it already infected over 25 million computers in India, 24 million in Brazil, 16 million in