Yet another adware campaign stemming from China has been identified, and in this fresh round, victims' Android devices can be completely taken over.
The Kemoge adware family, as FireEye calls it, is thought to originate in China. Its infections already span more than 20 countries, including the U.S. and Russia. The adware disguises itself as repackaged popular apps, including “Calculator,” “Talking Tom 3,” and “Smart Touch.” These apps are put on third-party app stores.
Although the infection is relatively typical, with the downloaded app first serving up annoying ads and then trying to gain root access, it does come with one notably new feature. After having gained root, the malware searches for antivirus (AV) software and purposefully seeks to uninstall or disable it.
Yulong Zhang, a FireEye research scientist, said in an interview with SCMagazine.com that this was the first time an adware group had been documented going directly after AV vendors in order to remain on a device.
Going back to the adware's technique for gaining root, once a user downloads a malicious app, the malware unpacks its disguised .zip file, which is protected by at least three layers of encryption. The perpetrators go to great lengths to keep their ultimate payload hidden.
The payload contains exploits for multiple Android devices, including Motorola and Samsung, Zhang said. The apps also don't ask for administrator privileges, although Zhang said users typically breeze through the permissions page anyway. Instead, the app requests access to portions of the phone where it might be able to run a root exploit. The camera is one example, he said.
“There's no direct relationship between the description of a permission and its root exploit,” he explained. “It might access the camera, but there may be some vulnerability in the camera's library, and the app can obtain root by exploiting it.”
While these apps are all located on a third-party store, Zhang did point out that one of the malicious apps was designed by a developer whose products appear in the legitimate Google Play store. It doesn't necessarily mean any apps made it through to the real Android marketplace, but Zhang did caution that it's a possibility.
Although a malicious app might not be live now, it could have been in the past and then upgraded to a benign state.
Official source: http://www.scmagazine.com/fireeye-identifies-new-adware-family/article/443726/
EXAMPLE POC:
root@mysqlserver ~# /usr/bin/mysql_plugin `perl -e 'print "X" x 9000'`
*** buffer overflow detected ***: mysql_plugin terminated
======= Backtrace: =========
...
7fac520e0000-7fac520f5000 rw-p 00000000 00:00 0
Aborted (core dumped)
Vulnerability title: Multiple Path/Directory Traversal and/or Local File Inclusion in Easy2Map version 1.2.9 WordPress plugin
CVE: CVE-2015-7669
Vendor: Steven Ellis
Product: Easy2Map
Affected version: 1.2.9
Fixed version: 1.3.0
Reported by: Ibéria Medeiros

Vulnerability Details:
=====================
It was discovered that no protection against two Path/Directory Traversal (PT/DT) and/or Local File Inclusion (LFI) attacks was implemented, resulting in an attacker being able to access files from the website directory and/or the file system directory (PT/DT), and/or to access files previously stored on the victim machine through an upload-file functionality and then execute them there.
The Easy2Map version 1.2.9 WordPress plugin is vulnerable to 2 PT/DT and/or LFI vulnerabilities.
The includes/MapImportCSV2.php and includes/MapImportCSV.php files are vulnerable to Path or Directory Traversal (PT/DT) and/or Local File Inclusion (LFI) attacks via the $_FILES["csvfile"]['tmp_name'] parameter.

System affected:
===============
Any system that accesses a web site developed with WordPress CMS version 4.3.1 or earlier and uses Easy2Map version 1.2.9 or earlier.

Advisory:
========
https://wordpress.org/plugins/easy2map/changelog/
item: "Increased data sanitization logic, for improved plugin security."

Solution:
========
Update to Easy2Map version 1.3.0 plugin.
https://wordpress.org/plugins/easy2map/

Disclosure Timeline:
===================
Vendor notification: September 22, 2015
Vendor fixed vulnerability: October 4, 2015
Public advisory: October 4, 2015
Public disclosure: October 4, 2015
Vulnerability title: A Reflected XSS in Easy2Map version 1.2.9 WordPress plugin
CVE: CVE-2015-7668
Vendor: Steven Ellis
Product: Easy2Map
Affected version: 1.2.9
Fixed version: 1.3.0
Reported by: Ibéria Medeiros

Vulnerability Details:
=====================
It was discovered that no protection against a reflected XSS attack was implemented, resulting in an attacker being able to retrieve data from the end user, such as session cookies.
The Easy2Map version 1.2.9 WordPress plugin is vulnerable to 1 reflected XSS vulnerability.
The includes/MapPinImageSave.php file is vulnerable to Cross-site scripting (XSS) attacks via the $_GET["map_id"] parameter.

System affected:
===============
Any system that accesses a web site developed with WordPress CMS version 4.3.1 or earlier and uses Easy2Map version 1.2.9 or earlier.

Advisory:
========
https://wordpress.org/plugins/easy2map/changelog/
item: "Increased data sanitization logic, for improved plugin security."

Solution:
========
Update to Easy2Map version 1.3.0 plugin.
https://wordpress.org/plugins/easy2map/

Disclosure Timeline:
===================
Vendor notification: September 22, 2015
Vendor fixed vulnerability: October 4, 2015
Public advisory: October 4, 2015
Public disclosure: October 4, 2015
Vulnerability title: Multiple Reflected XSS in ResAds version 1.0.1 WordPress plugin
CVE: CVE-2015-7667
Vendor: WordPress web-mv
Product: ResAds
Affected version: 1.0.1
Fixed version: 1.0.2
Reported by: Ibéria Medeiros

Vulnerability Details:
=====================
It was discovered that no protection against multiple reflected XSS attacks was implemented, resulting in an attacker being able to retrieve data from the end user, such as session cookies.
The ResAds version 1.0.1 WordPress plugin is vulnerable to 2 reflected XSS vulnerabilities.
The templates/admanagement/admanagement.php and templates/adspot/adspot.php files are vulnerable to Cross-site scripting (XSS) attacks via the $_REQUEST['page'] parameter.

System affected:
===============
Any system that accesses a web site developed with WordPress CMS version 4.3.1 or earlier and uses ResAds version 1.0.1.

Advisory:
========
https://wordpress.org/plugins/resads/changelog/

Solution:
========
Update to ResAds version 1.0.2 plugin.
https://wordpress.org/plugins/resads/

Disclosure Timeline:
===================
Vendor notification: September 27, 2015
Vendor fixed vulnerability: September 29, 2015
Public advisory: September 29, 2015
Public disclosure: October 4, 2015
Vulnerability title: Multiple Reflected XSS in Payment Form for PayPal Pro version 1.0.1 WordPress plugin
CVE: CVE-2015-7666
Vendor: WordPress DWBooster
Product: Payment Form for PayPal Pro
Affected version: 1.0.1
Fixed version: 1.0.2
Reported by: Ibéria Medeiros

Vulnerability Details:
=====================
It was discovered that no protection against multiple reflected XSS attacks was implemented, resulting in an attacker being able to retrieve data from the end user, such as session cookies.
The Payment Form for PayPal Pro version 1.0.1 WordPress plugin is vulnerable to 2 reflected XSS vulnerabilities.
The cp_ppp_admin_int_message_list.inc.php file is vulnerable to XSS attacks via the $_GET["cal"] parameter.

System affected:
===============
Any system that accesses a web site developed with WordPress CMS version 4.3.1 or earlier and uses Payment Form for PayPal Pro version 1.0.1.

Advisory:
========
https://wordpress.org/plugins/payment-form-for-paypal-pro/changelog/

Solution:
========
Update to Payment Form for PayPal Pro version 1.0.2 plugin.
https://wordpress.org/plugins/payment-form-for-paypal-pro/

Disclosure Timeline:
===================
Vendor notification: September 26, 2015
Vendor fixed vulnerability: September 27, 2015
Public advisory: September 27, 2015
Public disclosure: October 4, 2015
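As an added example that is not code from Easy2Map, ResAds or Payment Form for PayPal Pro, nor from their authors, the two bug classes in the four advisories above are shown here as a vulnerable PHP pattern next to a hardened one: inclusion of an attacker-influenced file path, as reported against includes/MapImportCSV.php via $_FILES["csvfile"]['tmp_name'], and a request parameter echoed into markup, as reported against the map_id, page and cal parameters. Every function name, the allowed-directory helper and the constructed inputs are assumptions of this example; nothing in it reproduces the plugins' actual source.

```php
<?php
// Added example (not Easy2Map, ResAds or Payment Form for PayPal Pro code).
// Function names, the allowed-directory helper and the inputs at the bottom
// are hypothetical; only the bug classes come from the advisories.

// --- 1. Path traversal / local file inclusion via an upload path ----------

// Vulnerable pattern: the tmp_name path is trusted and handed to include,
// so whatever the file contains runs as PHP on the server.
function import_csv_vulnerable(array $files): void
{
    include $files['csvfile']['tmp_name'];   // never include a user-influenced path
}

// Hardened pattern: confirm the path really is this request's HTTP upload,
// then read it purely as CSV data. PHP code inside an "uploaded CSV" is
// inert text on this path; nothing is ever included or executed.
function import_csv_hardened(array $files): array
{
    $tmp = $files['csvfile']['tmp_name'] ?? '';
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('csvfile was not uploaded via HTTP POST');
    }
    $rows = [];
    $fh = fopen($tmp, 'rb');
    while (($row = fgetcsv($fh)) !== false) {
        $rows[] = $row;
    }
    fclose($fh);
    return $rows;
}

// When a plugin later opens a file by a name it stored or received, pin the
// resolved path inside one allowed directory. realpath() collapses "../"
// and symlinks before the prefix comparison, so the check cannot be fooled
// by an encoded or indirect traversal.
function resolve_inside(string $base_dir, string $name): string
{
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . basename($name));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes the allowed directory');
    }
    return $path;
}

// --- 2. Reflected XSS via a query-string parameter ------------------------

// Vulnerable pattern: the raw parameter is concatenated straight into HTML.
function render_map_id_vulnerable(array $get): string
{
    return '<input type="hidden" name="map_id" value="' . $get['map_id'] . '">';
}

// Hardened pattern: validate the type where one is expected (a map id is an
// integer) and escape for the attribute context at the point of output.
// Inside a WordPress plugin esc_attr() does the same job as the
// htmlspecialchars() call used here to keep the example self-contained.
function render_map_id_hardened(array $get): string
{
    $map_id = filter_var($get['map_id'] ?? '', FILTER_VALIDATE_INT);
    if ($map_id === false) {
        return '';   // reject rather than echo an unexpected value
    }
    $safe = htmlspecialchars((string) $map_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="map_id" value="' . $safe . '">';
}

// Constructed inputs: a value carrying markup characters that the vulnerable
// function would emit verbatim, and a well-formed id.
$constructed_bad  = ['map_id' => '42"><b>x</b>'];
$constructed_good = ['map_id' => '42'];
var_dump(render_map_id_hardened($constructed_bad) === '');            // bool(true)
var_dump(render_map_id_hardened($constructed_good)
         === '<input type="hidden" name="map_id" value="42">');       // bool(true)
```

The two halves share one design rule that the "Increased data sanitization logic" changelog entry hints at: decide what a value is allowed to be (an HTTP upload, an integer, a file under one directory) before using it, and apply output escaping at the exact point where a value reaches HTML rather than somewhere upstream where the context is unknown.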
The risk of a "serious cyber attack" on nuclear power plants around the world is growing, warns a report.
The civil nuclear infrastructure in most nations is not well prepared to defend against such attacks, it added.
Many of the control systems for the infrastructure were "insecure by design" because of their age, it said.
Published by the influential Chatham House think tank, the report studied cyber defences in power plants around the world over an 18-month period.
Cyber criminals, state-sponsored hackers and terrorists were all increasing their online activity, it said, meaning that the risk of a significant net-based attack was "ever present".
Such an attack on a nuclear plant, even if small-scale or unlikely, needed to be taken seriously because of the harm that would follow if radiation were released.
In addition, it said "even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry".
Unfortunately, research carried out for the study showed that the UK's nuclear plants and associated infrastructure were not well protected or prepared because the industry had converted to digital systems relatively recently.
This increasing digitisation and growing reliance on commercial software is only increasing the risks the nuclear industry faces.
There was a "pervading myth" that computer systems in power plants were isolated from the internet at large and because of this were immune to the kind of cyber attacks that have dogged other industries.
However, it said, this so-called "air gap" between the public internet and nuclear systems was easy to breach with "nothing more than a flash drive". It noted that the destructive Stuxnet computer virus infected Iran's nuclear facilities via this route.
The story of Stuxnet
In 2009, a malicious computer program called 'Stuxnet' was manually uploaded into a nuclear plant in Iran.
The worm took control of 1,000 machines involved with producing nuclear materials, and instructed them to self-destruct.
The researchers for the report had also found evidence of virtual networks and other links to the public internet on nuclear infrastructure networks. Some of these were forgotten or simply unknown to those in charge of these organisations.
Search engines that seek out critical infrastructure had already indexed these links, making it easy for attackers to find ways into networks and control systems.
Keith Parker, chief executive of the Nuclear Industry Association, said: "Security, including cyber security, is an absolute priority for power station operators."
"All of Britain's power stations are designed with safety in mind and are stress-tested to withstand a vast range of potential incidents," he added. "Power station operators work closely with national agencies such as the Centre for the Protection of National Infrastructure and other intelligence agencies to always be aware of emerging threats."
In addition, said Mr Parker, the industry's regulator continuously monitors plant safety to help protect it from any outside threats.
In June this year the International Atomic Energy Agency held its first international conference about the cyber threats facing plants and manufacturing facilities. At the conference Yukiya Amano, director of the IAEA, said both random and targeted attacks were being directed at nuclear plants.
"Staff responsible for nuclear security should know how to repel cyber-attacks and to limit the damage if systems are actually penetrated," he said in a keynote address to the conference.
The civil nuclear industry should do a better job of measuring cyber attack risks and improve the way it defends against them, according to Chatham House. Many plants examined by the report's researchers lacked preparedness for large-scale attacks that took place outside office hours.
"The nuclear industry is beginning - but struggling - to come to grips with this new, insidious threat," said Patricia Lewis, research director of Chatham House's international security programme.
Official source: http://www.bbc.com/news/technology-34423419
Antivirus applications and other security software are supposed to make users more secure, but a growing body of research shows that in some cases, they can open people to hacks they otherwise wouldn't be vulnerable to.
The latest example is antivirus and security software from Kaspersky Lab. Tavis Ormandy, a member of Google's Project Zero vulnerability research team, recently analyzed the widely used programs and quickly found a raft of easy-to-exploit bugs that made it possible to remotely execute malicious code on the underlying computers. Kaspersky has already fixed many of the bugs and is in the process of repairing the remaining ones. In a blog post published Tuesday, he said it's likely he's not the only one to know of such game-over vulnerabilities.
"We have strong evidence that an active black market trade in antivirus exploits exists," he wrote, referring to recent revelations that hacked exploit seller Hacking Team sold weaponized attacks targeting antivirus software from Eset.
He continued: "Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks. For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software. Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks."
As Ormandy suggested, the bugs he found in Kaspersky products would most likely be exploited in highly targeted attacks, such as those the National Security Agency might carry out against a terrorism suspect or spies pursuing an espionage campaign might carry out against the CEO of a large corporation. That means most people are probably better off running antivirus software than foregoing it, at least if their computers run Windows. Still, the results are concerning because they show that the very software we rely on to keep us safe in many cases makes us more vulnerable.
Kaspersky isn't the only security software provider to introduce bugs in their products. Earlier this month, security researcher Kristian Erik Hermansen reported finding four vulnerabilities in the core product marketed by security firm FireEye. One of them made it possible for attackers to retrieve sensitive password data stored on the server running the program. Ormandy has also uncovered serious vulnerabilities in AV software from Sophos and Eset.
In a statement, Kaspersky Lab officials wrote, "We would like to assure all our clients and customers that vulnerabilities publicly disclosed in a blogpost by Google Project Zero researcher, Mr. Tavis Ormandy, have already been fixed in all affected Kaspersky Lab products and solutions. Our specialists have no evidence that these vulnerabilities have been exploited in the wild."
The statement went on to say that Kaspersky Lab developers are making architectural changes to their products that will let them better resist exploit attempts. One change included the implementation of stack buffer overflow protection, which Ormandy referred to as "/GS" in his blog post. Other planned changes include the expansion of mitigations such as address space layout randomization and data execution prevention (for much more on these security measures see How security flaws work: The buffer overflow by Ars Technology Editor Peter Bright). Ormandy thanked Kaspersky Lab for its "record breaking response times" following his report.
Still, the message is clear. To do its job, security software must acquire highly privileged access to the computers it protects, and all too often this sensitive position can be abused. Ormandy recommended that AV developers build security sandboxes into their products that isolate downloaded files from core parts of the computer operating system.
"The chromium sandbox is open source and used in multiple major products," he wrote. "Don't wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."
Official source: http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av-can-make-you-more-vulnerable-to-attacks/
It is often said that "the Internet is running out of phone numbers," as a way to explain to those unfamiliar with Internet technologies that the Internet is running out of IPv4 addresses. IPv4 addresses, like phone numbers, are assigned hierarchically and thus have inherent inefficiency. The world's Internet population has been growing and the number of Internet-connected devices continues to rise, with no end in sight. In the next week, the American Registry for Internet Numbers (ARIN) will have exhausted its supply of IPv4 addresses. The metaphorical IPv4 cupboards are bare. This long-predicted Internet historical event marks the opening of a new chapter in the Internet's evolution. However, it is somehow anti-climactic now that this date has arrived. The Internet will continue to operate, but all organizations must now accelerate their efforts to deploy IPv6.
ARIN IPv4 Address Exhaustion
The Internet Assigned Numbers Authority (IANA) delegates authority for Internet resources to the five RIRs that cover the world. The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for the United States, Canada, the Caribbean, and North Atlantic islands. ARIN has been managing the assignment of IPv4 and IPv6 addresses and Autonomous System (AS) numbers for several decades. Each RIR has been managing their limited IPv4 address stores and going through their various phases of exhaustion policies. ARIN has been in Phase 4 of their IPv4 depletion plan for more than a year now. ARIN will soon announce that they have completely extinguished their supply of IPv4 addresses.
At this point, the rules for how address resources are allocated will change. Address resource applicants may not get their justified request fulfilled and might be offered a smaller block or the choice to be added to a waiting list. This page documents the process for the waiting list for unmet IPv4 address requests. To review the unmet resource policies, consult the Number Resource Policy Manual (NRPM), check out section 4.1.8. However, when the supply of IPv4 address space drops to 0.00000, then there will be no more addresses to allocate. If IPv4 addresses become available, then the policies in the NRPM will dictate that they are given out based on the Waiting List for Unmet Requests method.
IPv4 Exhaustion Predicted for Decades
Predictions of IPv4 depletion date back to the early 1990s. The IETF formed the Address Lifetime Expectations (ALE) Working Group in the mid-1990s to analyze the rate of IPv4 adoption in anticipation that this date would come. IPv4 address supply concerns were the primary reason the IETF wanted to create a new version of the Internet Protocol (IP). The IETF IP Next Generation (IPng) working group started its work around that time and the first IPng was drafted around 1993. In those early days of the Internet, no one could have predicted its tremendous growth. The IETF created Internet Protocol version 6 and finalized the header format with RFC 2460 in 1998. Each year, as the IPv4 Internet grew at breakneck speed, the transition to IPv6 became more and more daunting.
Prolonging IPv4’s Lifespan
As the Internet began to grow, techniques like Classless Interdomain Routing (CIDR) and Network Address Translation (NAT) were used to extend life support for IPv4 for almost two decades. Now ISPs are looking at using Carrier Grade NAT (CGN)/Large Scale NAT (LSN) to further prolong the use of IPv4. However, many of these multi-NAT techniques cause problems for popular Internet applications. We can expect that other techniques will be contrived to keep the much-loved IPv4 protocol running for decades to come.
No End in Sight for IPv4
Few organizations are thinking about when they may eventually stop using IPv4. Some enterprise organizations have not given IPv6 much thought and are not aggressively moving to implement it. Organizations will not be able to switch directly from using IPv4 to using IPv6. The dual-stack transition technique is the dominant transition strategy (tunnels are to be avoided when possible). In other words, organizations are encouraged to use native IPv6.
Even if an organization starts to deploy IPv6 immediately, it will still require the use of IPv4 for years to come. IPv6 may not have a large impact on an organization's near-term IPv4 address constraints. Those few enterprise organizations are playing a dangerous "game of chicken" by ignoring IPv6. While there are techniques for prolonging the lifespan of IPv4, organizations may end up with limited options. Going forward, organizations that require additional IPv4 addresses will need to request them from their service provider (provided it has any addresses left to lease) or purchase them on the open market. As IPv4 address blocks get traded around and split up, we can expect the Internet routing tables to become increasingly fragmented.
Organizations that deploy IPv6 will be living in a dual-stack world for many years. During that period of using both IPv4 and IPv6 in parallel, organizations will likely incur increased operating expenses. Gradually, over time, the cost of running an IPv4 network will increase.
Now What? Move to IPv6!
So now that this Internet historic date of ARIN’s IPv4 run-out has arrived, we should review what our own organizations are doing to plan for the next phase of the Internet’s lifespan.
Internet Service Providers (ISPs) should already be well on their way through their IPv6 deployments. If you work for an ISP that has not yet started your IPv6 deployment then you are in serious danger of falling far behind your competitors.
If you are an enterprise organization, then your plans for the future need to be quickly defined and put into action. Your organization no longer has the option to continue to ignore IPv6. However, your organization may be planning to invest in purchasing additional IPv4 addresses. Your organization will be forced to tolerate the use of multiple layers of NAT and the application problems that come with it. Your organization will be forced to invest in larger Internet routers to be able to handle the rapidly expanding IPv4 Internet routing tables. Your organization should be planning for future years of legacy IPv4 Internet connectivity and actively moving toward full deployment of IPv6.
If your organization is one of those that waited to embrace IPv6, then you are in luck, as there are plenty of resources available to help you with your IPv6 planning and deployment. While Wikipedia.org can get you started learning the basics, you should visit the Internet Society Deploy360 Programme IPv6 page. You should also explore ARIN’s own Get6 site. We wish you the best of luck configuring your systems so you can reach the "whole Internet" using IPv6 and not just the "old Internet" using IPv4.
Official source: http://www.networkworld.com/article/2985340/ipv6/arin-finally-runs-out-of-ipv4-addresses.html
Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.
It is thought to be the first large-scale attack on Apple's App Store.
The hackers created a counterfeit version of Apple's software for building iOS apps, which they persuaded developers to download.
Apps compiled using the tool allow the attackers to steal data about users and send it to servers they control.
Cybersecurity firm Palo Alto Networks - which has analysed the malware dubbed XcodeGhost - said the perpetrators would also be able to send fake alerts to infected devices to trick their owners into revealing information.
It added they could also read and alter information in compromised devices' clipboards, which would potentially allow them to see logins copied to and from password management tools.
Infected applications include Tencent's hugely popular WeChat app, NetEase's music downloading app and Didi Kuaidi's Uber-like car hailing app.
Some of the affected apps - including the business card scanner CamCard - are also available outside China.
"We've removed the apps from the App Store that we know have been created with this counterfeit software," said Apple spokeswoman Christine Monaghan.
"We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps," she added.
On its official WeChat blog, Tencent said the security issue affected an older version of its app - WeChat 6.2.5 - and that newer versions were not affected.
It added that an initial investigation showed that no data theft or leakage of user information had occurred.
In Apple's walled garden App Store, this sort of thing shouldn't happen.
The company goes to great lengths, and great expense, to sift through each and every submission to the store. Staff check for quality, usability and, above all else, security.
The Apple App Store is generally considered a safe haven as the barrier to entry is high - there's only been a handful of instances of malware found on iOS apps, compared to Google's Play store which for a while was regarded as something of a "Wild West" for apps (until they introduced their own malware-scanning system too).
It makes this attack all the more surprising, as it looks like two groups of supposedly informed people have been caught out.
Firstly developers, who security researchers say were duped into using counterfeit software to build their apps, creating the right conditions for the malware to be applied.
And secondly, Apple's quality testers, who generally do a very good job in keeping out nasties, but in this case couldn't detect the threat.
Official source: http://www.bbc.com/news/technology-34311203