Viry a Červi

Sharpshooter takes aim at critical infrastructure

Hackers are targetting critical infrastructure providers, including nuclear power and defense agencies, in what may be a state-sponsored attack that's hiding behind North Korean code.…

The trojan purports to be a battery optimization app - and then steals up to 1,000 euro from victims' PayPal accounts.

Někdy od začátku prosince se po českém internetu „prohání“ havěť v podobě přílohy s názvem „VydanaFaktura“. V posledních dnech pak oblétla i média, tudíž nemůže minout ani viry.cz

Jedná se o havěť z rodiny „BackSwap“ o které jsem psal již v červnu 2018. Tehdy zasáhla klienty bankovních institucí v Polsku. Nyní zavítal útok na území ČR a útočníci si dali práci i s kvalitní lokalizací do českého jazyka. Podvodná e-mailová zpráva tak vypadá vcelku věrohodně, což není zvykem. Posuďte sami (snad jen to jméno není úplně české):

Údajná dlužná faktura v příloze je pak samozřejmě smyšlená a pokud poklepáte myší na soubor uvnitř archivu, problém je na světě.  Použita je méně známá přípona .JSE, přičemž tento skript je po spuštění předhozen systémové aplikaci „Windows Script Host“ (WSH). Výsledkem je stažení a spuštění dalšího svinstva z internetu.

Na konci toho všeho máte v PC havěť, která zasahuje do komunikace internetového bankovnictví řady tuzemských bankovních institucí. Pokud na takovém počítači provádíte převod peněz, havěť před odesláním takové platby změní bankovní účet příjemce. Vy tak sice odešlete požadovanou částku, ale na účet útočníka. Pro potvrzení platby Vám sice v rámci dvoufázového ověření přichází SMS zpráva, kdy musíte z SMS opsat kontrolní kód, ale kdo si v ten moment v SMS znovu kontroluje, zda je tam uveden správný účet příjemce? Já tedy ne!

Po technické stránce je havěť „BackSwap“ docela inovativní a více se lze dočíst v článku z června 2018.

Naopak tipy pro ochranu lze pak najít například v „Kapesní příručce pro boj s počítačovou havětí„.

The post Virus „VydanaFaktura“ řádil v ČR! appeared first on VIRY.CZ.

Consumers are much more likely to fall for spam during the season of giving.

Liberty and pals seek to prove intrusive spy powers can never be justified

A band of human rights organisations have appealed against a top European court's ruling on bulk surveillance, arguing that any form of mass spying breaches rights to privacy and free expression.…

Who was Jamal Khashoggi, anyway?

British ministers have approved the export of more than £2.4m worth of telecoms snooping gear to Saudi Arabia, in spite of its very obvious human rights problems, according to a report.…

Operation Sharpshooter uses a new implant to target mainly English-speaking nuclear, defense, energy and financial companies.

The news comes amid reports that a Chinese intelligence-gathering effort was behind the massive Marriott hotel data breach.

Experts sound off on how companies can work with their third-party suppliers and partners to secure the end-to-end supply chain.

Flaws in the mobile site were leaving users vulnerable to attackers who could have reset their user passwords and hijacked their accounts.

Google has disclosed the second security hole in its Google+ social network in three months.

As CAPTCHA-haters know to their frequent irritation, the death of the text-based Completely Automated Procedures for Telling Computers and Humans Apart tends to be exaggerated.

Data brokers are tracking 200 million mobile devices in the US, updating locations up to 14,000 times a day, the New York Times has found.

Uh, hello? Didn't you put third-party Javascript on a payment page?

Ticketmaster is telling its customers that it wasn't to blame for the infection of its site by a strain of the Magecart cred-stealing malware – despite embedding third-party Javascript into its payments page.…

Today, we release the video of the VB2018 presentation by Check Point researcher Aseel Kayal, who connected the various dots relating to campaigns by the APT-C-23 threat group.

Read more

Executive summary

In October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis led us to uncover a zero-day vulnerability in ntoskrnl.exe. We reported it to Microsoft on October 29, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8611. Microsoft just released a patch, part of its December update, crediting Kaspersky Lab researchers Boris Larin (Oct0xor) and Igor Soumenkov (2igosha) with the discovery.

This is the third consecutive exploited Local Privilege Escalation vulnerability in Windows we discovered this autumn using our technologies. Unlike the previously reported vulnerabilities in win32k.sys (CVE-2018-8589 and CVE-2018-8453), CVE-2018-8611 is an especially dangerous threat – a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls.

Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to this zero-day and CHAINSHOT, SandCat also uses the FinFisher / FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products
2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

• HEUR:Exploit.Win32.Generic
• HEUR:Trojan.Win32.Generic
• PDM:Exploit.Win32.Generic

Brief details – CVE-2018-8611 vulnerability

CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.

This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.

We have found multiple builds of exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.

A check for the latest build at the time of discovery: Windows 10 Redstone 4 Build 17133

Similarly to CHAINSHOT, this exploit heavily relies on the use of C++ exception handling mechanisms with custom error codes.

To abuse this vulnerability exploit first creates a named pipe and opens it for read and write. Then it creates a pair of new transaction manager objects, resource manager objects, transaction objects and creates a big number of enlistment objects for what we will call “Transaction #2”. Enlistment is a special object that is used for association between a transaction and a resource manager. When the transaction state changes associated resource manager is notified by the KTM. After that it creates one more enlistment object only now it does so for “Transaction #1” and commits all the changes made during this transaction.
After all the initial preparations have been made exploit proceeds to the second part of vulnerability trigger. It creates multiple threads and binds them to a single CPU core. One of created threads calls NtQueryInformationResourceManager in a loop, while second thread tries to execute NtRecoverResourceManager once. But the vulnerability itself is triggered in the third thread. This thread uses a trick of execution NtQueryInformationThread to obtain information on the latest executed syscall for the second thread. Successful execution of NtRecoverResourceManager will mean that race condition has occurred and further execution of WriteFile on previously created named pipe will lead to memory corruption.

Proof of concept: execution of WriteFile with buffer set to 0x41

As always, we provided Microsoft with a proof of concept for this vulnerability, along with source code. And it was later shared through Microsoft Active Protections Program (MAPP).

More information about SandCat, FruityArmor and CVE-2018-8611 is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Windows, Office, Acrobat, SAP... you know the deal

Microsoft, Adobe, and SAP are finishing up the year with a flurry of activity, combining to patch more than 140 CVE-listed security flaws between them.…

Italy's regulator found the social giant guilty of misleading consumers as to what it does with their data.

Microsoft patches nine critical bugs as part of December Patch Tuesday roundup.

'Entirely preventable' theft down to traffic-monitoring certificate left expired for 19 months

Updated  A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.…