Ars Technica

Syndikovat obsah Risk Assessment – Ars Technica
Serving the Technologist for more than a decade. IT news, reviews, and analysis.
Aktualizace: 50 min 1 sek zpět

Obama reportedly ordered implants to be deployed in key Russian networks

23 Červen, 2017 - 22:51

Enlarge (credit: Wikimedia Commons/Maria Joner)

In his final days as the 44th president of the United States, Barack Obama authorized a covert hacking operation to implant attack code in sensitive Russian networks. The revelation came in an 8,000-word article The Washington Post published Friday that recounted a secret struggle to punish the Kremlin for tampering with the 2016 election.

According to Friday's article, the move came some four months after a top-secret Central Intelligence Agency report detailed Russian President Vladimir Putin's direct involvement in a hacking campaign aimed at disrupting or discrediting the presidential race. Friday's report also said that intelligence captured Putin's specific objective that the operation defeat or at least damage Democratic candidate Hillary Clinton and help her Republican rival Donald Trump. The Washington Post said its reports were based on accounts provided by more than three dozen current and former US officials in senior positions in government, most of whom spoke on the condition of anonymity.

In the months that followed the August CIA report, 17 intelligence agencies confirmed with high confidence the Russian interference. After months of discussions with various advisors, Obama enacted a series of responses, including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and expelling 35 Russian diplomats from the US. All of those measures have been known for months. The Post, citing unnamed US officials, said Obama also authorized a covert hacking program that involved the National Security Agency, the CIA, and the US Cyber Command. According to Friday's report:

Read 1 remaining paragraphs | Comments

Kategorie: Hacking & Security

Check Point says Fireball malware hit 250 million; Microsoft says no

23 Červen, 2017 - 14:00

Enlarge (credit: Corinne Kuhlmann)

Microsoft sparked a curious squabble over malware discovery and infection rates. At the start of the month security firm Check Point reported on a browser hijacker and malware downloader called Fireball. The firm claimed that it had recently discovered the Chinese malware and that it had infected some 250 million systems.

Today, Microsoft said no. Redmond claimed that actually, far from being a recent discovery, it had been tracking Fireball since 2015 and that the number of infected systems was far lower (though still substantial) at perhaps 40 million.

The two companies do agree on some details. They say that the Fireball hijacker/downloader is spread through being bundled with programs that users are installing deliberately. Microsoft further adds that these installations are often media and apps of "dubious origin" such as pirated software and keygens. Check Point says that the software was developed by a Chinese digital marketing firm named Rafotech and fingers similar installation vectors; it piggy backs on (legitimate) Rafotech software and may also be spread through spam, other malware, and other (non-Rafotech) freeware.

Read 5 remaining paragraphs | Comments

Kategorie: Hacking & Security

How the CIA infects air-gapped networks

23 Červen, 2017 - 01:55

Enlarge / A configuration screen found in the Drifting Deadline exploit. (credit: WikiLeaks)

Documents published Thursday purport to show how the Central Intelligence Agency has used USB drives to infiltrate computers so sensitive they are severed from the Internet to prevent them from being infected.

More than 150 pages of materials published by WikiLeaks describe a platform code-named Brutal Kangaroo that includes a sprawling collection of components to target computers and networks that aren't connected to the Internet. Drifting Deadline was a tool that was installed on computers of interest. It, in turn, would infect any USB drive that was connected. When the drive was later plugged into air-gapped machines, the drive would infect them with one or more pieces of malware suited to the mission at hand. A Microsoft representative said none of the exploits described work on supported versions of Windows.

The infected USB drives were at least sometimes able to infect computers even when users didn't open any files. The so-called EZCheese exploit, which was neutralized by a patch Microsoft appears to have released in 2015, worked any time a malicious file icon was displayed by the Windows explorer. A later exploit known as Lachesis used the Windows autorun feature to infect computers running Windows 7. Lachesis didn't require Explorer to display any icons, but the drive letter the thrumbdrive was mounted on had to be included in a malicious link. The RiverJack exploit, meanwhile, used the Windows library-ms function to infect computers running Windows 7, 8, and 8.1. Riverjack worked only when a library junction was viewed in Explorer.

Read 4 remaining paragraphs | Comments

Kategorie: Hacking & Security

Honda shuts down factory after finding NSA-derived Wcry in its networks

21 Červen, 2017 - 19:46

Enlarge (credit: S-8500)

The WCry ransomware worm has struck again, this time prompting Honda Company to halt production in one of its Japan-based factories after finding infections in a broad swath of its computer networks, according to media reports.

The automaker shut down its Sayama plant northwest of Tokyo on Monday after finding that WCry had affected networks across Japan, North America, Europe, China, and other regions, Reuters reported Wednesday. Discovery of the infection came on Sunday, more than five weeks after the onset of the NSA-derived ransomware worm, which struck an estimated 727,000 computers in 90 countries. The mass outbreak was quickly contained through a major stroke of good luck. A security researcher largely acting out of curiosity registered a mysterious domain name contained in the WCry code that acted as a global kill switch that immediately halted the self-replicating attack.

Honda officials didn't explain why engineers found WCry in their networks 37 days after the kill switch was activated. One possibility is that engineers had mistakenly blocked access to the kill-switch domain. That would have caused the WCry exploit to proceed as normal, as it did in the 12 or so hours before the domain was registered. Another possibility is that the WCry traces in Honda's networks were old and dormant, and the shutdown of the Sayama plant was only a precautionary measure. In any event, the discovery strongly suggests that as of Monday, computers inside the Honda network had yet to install a highly critical patch that Microsoft released in March.

Read 2 remaining paragraphs | Comments

Kategorie: Hacking & Security

More Android apps from dangerous Ztorg family sneak into Google Play

20 Červen, 2017 - 23:36

Enlarge (credit: Kaspersky Lab)

For the second time this month, Google has removed Android apps from its Google Play marketplace. Google did so after a security researcher found the apps contained code that laid the groundwork for attackers to take administrative "root" control of infected devices.

"Magic Browser," as one app was called, was uploaded to Google's official Android App bazaar on May 15 and gained more than 50,000 downloads by the time it was removed, Kaspersky Lab Senior Research Analyst Roman Unuchek said in a blog post published Tuesday. Magic Browser was disguised as a knock-off to the Chrome browser. The other app, "Noise Detector," purported to measure the decibel level of sounds, and it had been downloaded more than 10,000 times. Both apps belong to a family of Android malware known as Ztorg, which has managed to sneak past Google's automated malware checks almost 100 times since last September.

Most Ztorg apps are notable for their ability to use well-known exploits to root infected phones. This status allows the apps to have finer-grain control and makes them harder to be removed. Ztorg apps are also concerning for their large number of downloads. A Ztorg app known as Privacy Lock, for instance, received one million installations before Google removed it last month, while an infected Pokémon Go guide racked up 500,000 downloads before its removal in September.

Read 3 remaining paragraphs | Comments

Kategorie: Hacking & Security

Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware

20 Červen, 2017 - 00:52

(credit: Aurich Lawson)

A Web-hosting service recently agreed to pay $1 million to a ransomware operation that encrypted data stored on 153 Linux servers and 3,400 customer websites, the company said recently.

The South Korean Web host, Nayana, said in a blog post published last week that initial ransom demands were for five billion won worth of Bitcoin, which is roughly $4.4 million. Company negotiators later managed to get the fee lowered to 1.8 billion won and ultimately landed a further reduction to 1.2 billion won, or just over $1 million. An update posted Saturday said Nayana engineers were in the process of recovering the data. The post cautioned that the recovery was difficult and would take time.

“It is very frustrating and difficult, but I am really doing my best, and I will do my best to make sure all servers are normalized,” a representative wrote, according to a Google translation.

Read 2 remaining paragraphs | Comments

Kategorie: Hacking & Security

Serious privilege escalation bug in Unix OSes imperils servers everywhere

19 Červen, 2017 - 19:50

Enlarge (credit: Victorgrigas)

A raft of Unix-based operating systems—including Linux, OpenBSD, and FreeBSD—contain flaws that let attackers elevate low-level access on a vulnerable computer to unfettered root. Security experts are advising administrators to install patches or take other protective actions as soon as possible.

Stack Clash, as the vulnerability is being called, is most likely to be chained to other vulnerabilities to make them more effectively execute malicious code, researchers from Qualys, the security firm that discovered the bugs, said in a blog post published Monday. Such local privilege escalation vulnerabilities can also pose a serious threat to server host providers because one customer can exploit the flaw to gain control over other customer processes running on the same server. Qualys said it's also possible that Stack Clash could be exploited in a way that allows it to remotely execute code directly.

"This is a fairly straightforward way to get root after you've already gotten some sort of user-level access," Jimmy Graham, director of product management at Qualys, told Ars. The attack works by causing a region of computer memory known as the stack to collide into separate memory regions that store unrelated code or data. "The concept isn't new, but this specific exploit is definitely new."

Read 6 remaining paragraphs | Comments

Kategorie: Hacking & Security

How to install Linux on a Chromebook (and why you should)

19 Červen, 2017 - 14:52

Enlarge

Chromebooks are one of the most secure devices you can give a non-technical end user, and at a price point few can argue with, but that security comes with a privacy trade off: you have to trust Google, which is part of the NSA's Prism programme, with your data in the cloud.

Even those who put their faith in the company's rusty "don’t be evil" mantra may find Chromebook functionality limiting—if you want more than Google services, Netflix, some other Web apps, and maybe the Android app store, then you're out of luck.

Geeky users willing to engage in some entry-level hackery, however, can install Linux on their Chromebook and unleash the Power of Torvalds™.

Read 27 remaining paragraphs | Comments

Kategorie: Hacking & Security

Google Play is fighting an uphill battle against Android adware

16 Červen, 2017 - 21:30

Enlarge (credit: SophosLabs)

Google's official Play marketplace is waging an uphill battle against Android apps that display an unending stream of popup ads even when users try to force them to stop, researchers said Friday.

The researchers, from UK-based SophosLabs, said they have found a total of 47 apps in the past week that collectively have racked up as many as 6 million downloads. They all use a third-party library that bombards users with ads that continue to display even after users force-close the app or scrub memory. In a blog post, SophosLabs said Google has removed some of the privately reported apps while allowing others to remain.

The MarsDae library that's spawning the popup torrent supports Android versions 2.3 through 6, as well as Samsung, Huawei, Mizu, Mi, and Nexus devices. One app that incorporates MarsDae, SophosLabs said, is Snap Pic Collage Color Splash, which remained available on Google servers as this post was being prepared. Snap Pic has been downloaded from 50,000 to 100,000 times. Once installed, it displays ads on the Android home screen. Even after a user uses the Android settings to force close the app, the ads resume a few seconds later.

Read 3 remaining paragraphs | Comments

Kategorie: Hacking & Security

Advanced CIA firmware has been infecting Wi-Fi routers for years

16 Červen, 2017 - 00:39

Enlarge (credit: D-Link)

Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

(credit: WikiLeaks)

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a "FlyTrap" that beacons a CIA-controlled server known as a "CherryTree." The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a "Mission" consisting of specific tasks tailored to the target. CIA operators can use a "CherryWeb" browser-based user interface to view Flytrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

Read 8 remaining paragraphs | Comments

Kategorie: Hacking & Security

Login-stealing phishing sites conceal their evil with lots of hyphens in URL

15 Červen, 2017 - 15:49

Researchers at PhishLabs recently spotted a trend emerging in malicious websites presented to customers: mobile-focused phishing attacks that attempt to conceal the true domain they were served from by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers.

"The tactic we're seeing is a tactic for phishing specifically mobile devices," said Crane Hassold,  a senior security threat researcher at PhishLabs’ Research, Analysis, and Intelligence Division (RAID).

Hassold called the tactic "URL padding," the front-loading of the Web address of a malicious webpage with the address of a legitimate website. The tactic, he said, is part of a broad credential-stealing campaign that targets sites that use an e-mail address and password for authentication; PhishLabs reports that there has been a 20 percent increase overall in phishing attacks during the first quarter of 2017 over the last three months of 2016. The credentials are likely being used in other attacks based on password reuse.

Read 6 remaining paragraphs | Comments

Kategorie: Hacking & Security

Georgia’s lax voting security exposed just in time for crucial special election

15 Červen, 2017 - 02:37

(credit: Verified Voting)

To understand why many computer scientists and voting rights advocates don't trust the security of many US election systems, consider the experience of Georgia-based researcher Logan Lamb. Last August, after the FBI reported hackers were probing voter registration systems in more than a dozen states, Lamb decided to assess the security of voting systems in his state.

According to a detailed report published Tuesday in Politico, Lamb wrote a simple script that would pull documents off the website of Kennesaw State University’s Center for Election Systems, which under contract with Georgia, tests and programs voting machines for the entire state. By accident, Lamb's script uncovered a breach whose scope should concern both Republicans and Democrats alike. Reporter Kim Zetter writes:

Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by poll workers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.

The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.

And there was another problem: The site was also using a years-old version of Drupal — content management software — that had a critical software vulnerability long known to security researchers. “Drupageddon,” as researchers dubbed the vulnerability, got a lot of attention when it was first revealed in 2014. It would let attackers easily seize control of any site that used the software. A patch to fix the hole had been available for two years, but the center hadn’t bothered to update the software, even though it was widely known in the security community that hackers had created automated scripts to attack the vulnerability back in 2014.

Lamb was concerned that hackers might already have penetrated the center’s site, a scenario that wasn’t improbable given news reports of intruders probing voter registration systems and election websites; if they had breached the center’s network, they could potentially have planted malware on the server to infect the computers of county election workers who accessed it, thereby giving attackers a backdoor into election offices throughout the state; or they could possibly have altered software files the center distributed to Georgia counties prior to the presidential election, depending on where those files were kept.

Lamb privately reported the breach to University officials, the report notes. But he learned this March that the critical Drupal vulnerability had been fixed only on the HTTPS version of the site. What's more, the same mother lode of sensitive documents remained as well. The findings meant that the center was operating outside the scope of both the University and the Georgia Secretary of State for years.

Read 2 remaining paragraphs | Comments

Kategorie: Hacking & Security

Fileless malware targeting US restaurants went undetected by most AV

14 Červen, 2017 - 16:21

Enlarge (credit: Carol Von Canon)

Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market.

Malicious code used in so-called fileless attacks resides almost entirely in computer memory, a feat that prevents it from leaving the kinds of traces that are spotted by traditional antivirus scanners. Once the sole province of state-sponsored spies casing the highest value targets, the in-memory techniques are becoming increasingly common in financially motivated hack attacks. They typically make use of commonly used administrative and security-testing tools such as PowerShell, Metasploit, and Mimikatz, which attackers use to feed malicious commands to targeted computers.

FIN7, an established hacking group with ties to the Carbanak Gang, is among the converts to this new technique, researchers from security firm Morphisec reported in a recently published blog post. The dynamic link library file it's using to infect Windows computers in an ongoing attack on US restaurants would normally be detected by just about any AV program if the file was written to a hard drive. But because the file contents are piped into computer memory using PowerShell, the file wasn't visible to any of the 56 most widely used AV programs, according to a Virus Total query conducted earlier this month.

Read 6 remaining paragraphs | Comments

Kategorie: Hacking & Security

Microsoft’s decision to patch Windows XP is a mistake

14 Červen, 2017 - 04:20

(credit: Aurich Lawson)

Once again, Microsoft has opted to patch the out-of-support Windows XP. Dan has written about the new patch, the circumstances around the flaws it addresses, and why Microsoft has chosen to protect Windows XP users. While Microsoft's position is a tricky one, we argue in this post first published in 2014 that patching is the wrong decision: it sends a clear message to recalcitrant corporations that they can stick with Windows XP, insecure as it is, because if anything too serious is found, Microsoft will update it anyway. Windows 10 contains a wide range of defense-in-depth measures that will never be included in Windows XP: every time an organization resists upgrading to Microsoft's latest operating system, it jeopardizes its own security. Back in 2014, it was an Internet Explorer patch that Microsoft released after Windows XP's end of support; this time around the patches are for flaws in the kernel and file sharing drivers. While this means that the situations are not quite identical, we nonetheless feel that the arguments against releasing a patch for an out-of-support operating system in 2014 hold up today. It was bad then; it's still bad now.

Microsoft officially ended support of the twelve-and-a-half-year-old Windows XP operating system a few weeks ago. Except it apparently didn't, because the company has included Windows XP in its off-cycle patch to fix an Internet Explorer zero-day that's receiving some amount of in-the-wild exploitation. The unsupported operating system is, in fact, being supported.

Explaining its actions, Microsoft says that this patch is an "exception" because of the "proximity to the end of support for Windows XP."

Read 13 remaining paragraphs | Comments

Kategorie: Hacking & Security

Win XP patched to avert new outbreaks spawned by NSA-leaking Shadow Brokers

13 Červen, 2017 - 21:55

(credit: Microsoft)

On Tuesday, Microsoft took the highly unusual step of issuing security patches for XP and other unsupported versions of Windows. The company did this in a bid to protect the OSes against a series of "destructive" exploits developed by, and later stolen from, the National Security Agency.

By Ars' count, Tuesday is only the third time in Microsoft history that the company has issued free security updates for a decommissioned product. One of those came one day after last month's outbreak of the highly virulent "WCry" ransom worm, which repurposed NSA-developed exploits. The exploits were leaked by the Shadow Brokers, a mysterious group that somehow got hold of weaponized NSA hacking tools. (WCry is also known as "WannaCry" and "WannaCrypt.")

According to this updated Microsoft post, Tuesday's updates include fixes for three other exploits that were also released by the Shadow Brokers. A Microsoft blog post announcing the move said the patches were prompted by an "elevated risk of destructive cyberattacks" by government organizations.

Read 8 remaining paragraphs | Comments

Kategorie: Hacking & Security

Russia struck at election systems and data of 39 US states

13 Červen, 2017 - 16:51

Enlarge / President Barack Obama reportedly called Russian President Vladimir Putin in October 2016 on the "cyber hotline" to warn about the ongoing hacking of US election officials' systems. (credit: Presidential Press and Information Office)

Citing sources "with direct knowledge of the US investigation" into Russia's information operations campaign during the 2016 US presidential election campaign, Bloomberg News' Michael Riley and Jordan Robertson report that Russian hackers struck at far more states' election offices than previously known. A total of 39 states had election systems targeted by the Russians, Bloomberg's sources said—including Illinois, where attackers broke into voter rolls and tried to delete or modify voter registration data in an attempt to disrupt voting on Election Day.

The scope of the attacks was so broad, Bloomberg reports, that in October of 2016, then-President Barack Obama directly called Russian Federation President Vladimir Putin on the "cyber-hotline." The cyber-hotline "red phone" was set up in 2013 by Obama and Putin as part of an effort to reduce the risk of a "cyber incident" escalating; Obama used it to present evidence of the attacks and warn Putin that the intrusions could trigger a larger conflict between the US and Russia.

As the National Security Agency analysis recently leaked by contractor Reality Winner suggested, the attackers also gained access to software used by poll workers to check voter eligibility, according to Bloomberg's sources. In another unnamed state, attackers accessed a campaign-finance database.

Read 2 remaining paragraphs | Comments

Kategorie: Hacking & Security

Facing limits of remote hacking, Army cybers up the battlefield

13 Červen, 2017 - 12:45

Enlarge / FORT IRWIN, California – Spc. Nathaniel Ortiz, Expeditionary CEMA (Cyber Electromagnetic Activities) Team (ECT), 781st Military Intelligence Battalion, "conducts cyberspace operations" at the National Training Center at Fort Irwin, California, May 9, 2017. (credit: Bill Roche, U.S. Army Cyber Command)

The US military and intelligence communities have spent much of the last two decades fighting wars in which the US significantly over-matched its opponents technologically—on the battlefield and off. In addition to its massive pure military advantage, the US also had more sophisticated electronic warfare and cyber capabilities than its adversaries. But those advantages haven't always translated into dominance over the enemy. And the US military is facing a future in which American forces in the field will face adversaries that can go toe to toe with the US in the electromagnetic domain—with disastrous physical results.

That's in part why the Army Cyber Command recently experimented with putting "cyber soldiers" in the field as part of an exercise at the Army's National Training Center at Fort Irwin, California. In addition to fielding troops to provide defensive and offensive cyber capabilities for units coming into NTC for training, the Army has also been arming its opposition force (the trainers) with cyber capabilities to demonstrate their impact.

That impact was demonstrated clearly in May, when an armored unit staging a simulated assault at NTC was stopped dead in its tracks by jamming of communications. As the unit's commanders attempted to figure out what was wrong, a simulated artillery barrage essentially took the unit out of action.

Read 6 remaining paragraphs | Comments

Kategorie: Hacking & Security

Found: “Crash Override” malware that triggered Ukrainian power outage

12 Červen, 2017 - 23:05

Enlarge / An overview of Crash Override/Industroyer, including the four international specifications it uses to communicate with electric grid devices all over the world. (credit: Eset)

Last December, hackers with suspected ties to Russia caused a power outage in Ukraine in a deliberate attempt to leave households without electricity during what's typically one of the coldest months of the year. Now, the advanced malware that triggered the power failure has been found in the wild. This discovery is prompting concerns that the attack tools could be repurposed or reused in new sabotage operations, possibly by unrelated hacking groups.

"Crash Override," as security firm Dragos has named the tool platform, is the first known malware framework designed to attack electric grid systems. Dragos researchers said it was used successfully in what may have been a dress rehearsal on a December 17 hack on an electric transmission substation in Kiev. While the Kiev outage lasted only a few hours, several features of the malware that weren't turned on in the December hack have the potential to cause disruptions that persist for as long as a week. Crash Override is a completely new platform that was far more advanced than the general-purpose tools the same group used to attack Ukraine's power grid in December 2015.

What makes Crash Override so sophisticated is its ability to use the same arcane technical protocols that individual electric grid systems rely on to communicate with one another. As such, the malware is more notable for its mastery of the industrial processes used by global grid operators than its robust code. Its fluency in the low-level grid languages allowed it to instruct Ukrainian devices to de-energize and re-energize substation lines, a capability not seen in the attack a year earlier that used a much cruder set of tools and techniques. The concern is that "Industroyer"—the other name given to the malware—can be used against a broad range of electric systems around the world.

Read 9 remaining paragraphs | Comments

Kategorie: Hacking & Security

Banking trojan executes when targets hover over link in PowerPoint doc

9 Červen, 2017 - 20:25

Enlarge (credit: Dodge This Security)

Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file.

The method—which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit—is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload. Those methods are so widely used that many people are able to recognize them before falling victim.

Instead, the delivery technique made use of the Windows PowerShell tool, which was invoked when targets hovered over a booby-trapped hyperlink embedded in the attached PowerPoint document. Targets using newer versions of Microsoft Office would by default first receive a warning, but those dialogues can be muted when users are tricked into turning off Protected View, a mode that doesn't work when documents are being printed or edited. Targets using older versions of Office that don't offer Protected View are even more vulnerable.

Read 4 remaining paragraphs | Comments

Kategorie: Hacking & Security

Sneaky hackers use Intel management tools to bypass Windows firewall

9 Červen, 2017 - 02:11

Enlarge / Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs. But their virtual counterparts are alive and well, and they can be used for some exciting things. (credit: Ericf)

When you're a bad guy breaking into a network, the first problem you need to solve is, of course, getting into the remote system and running your malware on it. But once you're there, the next challenge is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.

The group, which Microsoft has named PLATINUM, has developed a system for sending files—such as new payloads to run and new versions of their malware—to compromised machines. PLATINUM's technique leverages Intel's Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.

The AMT needs this low-level access for some of the legitimate things it's used for. It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what's on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.

Read 6 remaining paragraphs | Comments

Kategorie: Hacking & Security