Tech News - Malware Analysis

git-bug is a distributed bug tracker that is embedded in git. Using git's internal storage ensures that no files are added in your project. You can push your bugs to the same git remote that you are already using to collaborate with other people. The main idea behind implementing a distributed bug tracker in Git was to stop relying on a web service somewhere to deal with bugs. Browsing and editing bug reports offline wouldn’t be much of a pain, thanks to this implementation. While git-bug addresses a pressing need, note that the project is not yet available for full fledged use and is currently a proof of concept released just 3 days ago at version 0.2.0. Reddit is abuzz with views on the release. A user quotes- Source: reddit.com Certain users also had counter thoughts on the cons of the release - Source: reddit.com   Now that you want to get your hands on git-bug, let’s look at how to get started. Installing git-bug, Linux packages needed and CLI usage for its implementation To install the git-bug, all you need to do is execute the following command- go get github.com/MichaelMure/git-bug If it's not done already, add golang binary directory in your PATH: export PATH=$PATH:$GOROOT/bin:$GOPATH/bin You can set pre-compiled binaries by following 3 simple steps: Head over to the release page and download the appropriate binary for your system. Copy the binary anywhere in your PATH Rename the binary to git-bug (or git-bug.exe on windows) The only linux packge needed for this release is the Archlinux (AUR) Further, you can use the CLI to implement the git-bug using the following commands- Create a new bug: git bug new Your favorite editor will open to write a title and a message. You can push your new entry to a remote: git bug push [<remote>] And pull for updates: git bug pull [<remote>] List existing bugs: git bug ls   Use commands like show, comment, open or close to display and modify bugs. For more details about each command, you can run git bug <command> --help or scan the command's documentation. Features of the git-bug #1 Interactive User Interface for the terminal Use the git bug termui  command to browse and edit bugs. This short video will demonstrate how easy and interactive it is to browse and edit bugs #2 Launch a rich Web UI Take a look at the awesome web UI that is obtained with git bug webui. Source: github.com     Source: github.com   This web UI is entirely packed inside the same go binary and serve static content through a localhost http server. It connects to  backend through a GraphQL API. Take a look at the schema for more clarity. The additional features that are planned include media embedding import/export of github issue extendable data model to support arbitrary bug tracker inflatable raptor Every new release is expected to come with exciting new features, it is also coupled with a few minor constraints. You can check out some of the minor inconveniences as listed out on the github page. We can’t wait for the release to be in a fully working condition. But before that, if you need any additional information on how the git-bug works, head over to the github page. Snapchat source code leaked and posted to GitHub GitHub open sources its GitHub Load Balancer (GLB) Director Homebrew’s Github repo got hacked in 30 mins. How can open source projects fight supply chain attacks?

Researchers from the North China Electric Power University have recently published a paper titled, ‘A Review on The Use of Deep Learning in Android Malware Detection’. Researchers highlight the fact that Android applications can not only be used by application developers, but also by malware developers with criminal intention to design and spread malicious applications that can affect the normal work of Android phones and tablets, steal personal information and credential data, or even worse lock the phone and ask for ransom. In this paper, they have explained how deep learning methods can be used as a countermeasure in Android malware detection to fight back malware. Android Malware Detection Techniques Researchers have said that one critical point of mobile phones is that they are a sensor-based event system, which permits malware to respond to approaching SMS, position changes and so forth, increasing the sophistication of automated malware-analysis techniques. Moreover, the apps can use services and activities and integrate varied programming languages (e.g. Java and C++) in one application. Each application is analyzed in the following stages: Static Analysis The static analysis screens parts of the application without really executing them. This analysis incorporates Signature-based, Permission-based and Component-based analysis. The Signature-based strategy draws features and makes distinctive signs to identify specific malware. Hence, it falls short to recognize the variation or unidentified malware. The Permission-based strategy recognizes permission requests to distinguish malware. The Component-based techniques decompile the APP to draw and inspect the definition and byte code connections of significant components (i.e. activities, services, etc.), to identify the exposures. The principal drawbacks of static analysis are the lack of real execution paths and suitable execution conditions. Dynamic Analysis This technique includes the execution of the application on either a virtual machine or a physical device. This analysis results in a less abstract perspective of application than static analysis. The code paths executed during runtime are a subset of every single accessible path. The principal objective of the analysis is to achieve high code inclusion since every feasible event ought to be activated to watch any possible malicious behavior Hybrid Analysis The hybrid analysis technique includes consolidating static and dynamic features gathered from examining the application and drawing data while the application is running, separately. Nevertheless, it would boost the accuracy of the identification. The principal drawback of hybrid analysis is that it consumes the Android system resources and takes a long time to perform the analysis. Use of deep learning in Android malware detection Currently available machine learning has several weaknesses and some open issues related to the use of DL in Android malware detection include: Deep learning lacks transparency to provide an interpretation of the decision created by its methods. Malware analysts need to understand how the decision was made. There is no assurance that classification models built based on deep learning will perform in different conditions with new data that would not match previous training data. Deep learning studies complex correlations within input and output feature with no innate depiction of causality. Deep learning models are not autonomous and need continual retraining and rigorous parameters adjustments. The DL models in the training phase were subjected to data poisoning attacks, which are merely implemented by manipulating the training and instilling data that make a deep learning model to commit errors. In the testing phase, the models were exposed to several attack types including: Adversarial Attacks are where the DL model inputs are the ones that an adversary has invented deliberately to cause the model to make mistakes Evasion attack: Here, the intruder exploits malevolent instances at test time to have them incorrectly classified as benign by a trained classifier, without having an impact over the training data. This can breach system integrity, either with a targeted or with an indiscriminate attack. Impersonate attack: This attack mimics data instances from targets. The attacker plans to create particular adversarial instances to such an extent that current deep learning-based models mistakenly characterize original instances with different tags from the imitated ones. Inversion attack: This attack uses the APIs allowed by machine learning systems to assemble some fundamental data with respect to the target system models. This kind of attack is divided into two types; Whitebox attack and Blackbox attack. The white-box attack implies that an aggressor can loosely get to and download learning models and other supporting data, while the black-box one points to the way that the aggressor just knows the APIs opened by learning models and some observation after providing input. According to the researchers, hardening deep learning models against different adversarial attacks and detecting, describing and measuring concept drift are vital in future work in Android malware detection. They also mentioned that the limitation of deep learning methods such as lack of transparency and being nonautonomous, is to build more efficient models. To know more about this research in detail, read the research paper. Researchers introduce a deep learning method that converts mono audio recordings into 3D sounds using video scenes IEEE Computer Society predicts top ten tech trends for 2019: assisted transportation, chatbots, and deep learning accelerators among others Stanford researchers introduce DeepSolar, a deep learning framework that mapped every solar panel in the US

This month, during the Microsoft Build 2019, the team behind .NET Core announced that .NET Core 5 will be coming in 2020. Yesterday the team at .NET Core released the .NET Core May 2019 updates for 1.0.16, 1.1.14, 2.1.11 and 2.2.5. The updates include security, reliability fixes, and updated packages. Expected updates in .NET Core Security .NET Core Tampering Vulnerability(CVE-2019-0820) When .NET Core improperly processes RegEx strings, a denial of service vulnerability exists. In this case, the attacker who can successfully exploit this vulnerability can cause a denial of service against a .NET application. Even a remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to a .NET Core application. This update addresses this vulnerability by correcting how .NET Core applications handle RegEx string processing. This security advisory provides information about a vulnerability in .NET Core 1.0, 1.1, 2.1 and 2.2. Denial of Service vulnerability in .NET Core and ASP.NET Core (CVE-2019-0980 & CVE-2019-0981) When .NET Core and ASP.NET Core improperly handle web requests, denial of service vulnerability exists. An attacker who can successfully exploit this vulnerability can cause a denial of service against a .NET Core and ASP.NET Core application. This vulnerability can be exploited remotely and without authentication. A remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to a .NET Core application. This update addresses this vulnerability by correcting how .NET Core and ASP.NET Core web applications handle web requests. This security advisory provides information about the two vulnerabilities (CVE-2019-0980 & CVE-2019-0981) in .NET Core and ASP.NET Core 1.0, 1.1, 2.1, and 2.2. ASP.NET Core Denial of Service vulnerability(CVE-2019-0982) When ASP.NET Core improperly handles web requests, a denial of service vulnerability exists. An attacker who can successfully exploit this vulnerability can cause a denial of service against an ASP.NET Core web application. This vulnerability can be exploited remotely and without authentication. A remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. This update addresses this vulnerability by correcting how the ASP.NET Core web application handles web requests. This security advisory provides information about a vulnerability (CVE-2019-0982) in ASP.NET Core 2.1 and 2.2. Docker images .NET Docker images have now been updated. microsoft/dotnet, microsoft/dotnet-samples, and microsoft/aspnetcore repos have also been updated. Users can get the latest .NET Core updates on the .NET Core download page. To know more about this news, check out the official announcement. .NET 5 arriving in 2020! Docker announces collaboration with Microsoft’s .NET at DockerCon 2019 .NET for Apache Spark Preview is out now!  

Researchers from Skylight Cyber, an Australian cybersecurity enterprise, have tricked Blackberry Cylance’s AI-based antivirus product. They identified a peculiar bias of the antivirus product towards a specific game engine and bypassed it to trick the product into accepting malicious malware files. This discovery means companies working in the field of artificial intelligence-driven cybersecurity need to rethink their approach to creating new products. The bypass is not just limited to Cylance, researchers chose it as it is a leading vendor in the field and is publicly available. The researchers Adi Ashkenazy and Shahar Zini from Skylight Cyber say they can reverse the model of any AI-based EPP (Endpoint Protection Platform) product, and find a bias enabling a universal bypass. Essentially meaning if you could truly understand how a certain model works, and the type of features it uses to reach a decision, you would have the potential to fool it consistently. How did the researchers trick Cylance into thinking bad is good? Cylance’s machine-learning algorithm has been trained to favor a benign file, causing it to ignore malicious code if it sees strings from the benign file attached to a malicious file. The researchers took advantage of this and appended strings from a non-malicious file to a malicious one, tricking the system into thinking the malicious file is safe and avoiding detection. The trick works even if the Cylance engine previously concluded the same file was malicious before the benign strings were appended to it. The Cylance engine keeps a scoring mechanism ranging from -1000 for the most malicious files, and +1000 for the most benign of files. It also whitelists certain families of executable files to avoid triggering false positives on legitimate software. The researchers suspected that the machine learning would be biased toward code in those whitelisted files. So, they extracted strings from an online gaming program that Cylance had whitelisted and appended it to malicious files. The Cylance engine tagged the files benign and shifted scores from high negative numbers to high positive ones. https://youtu.be/NE4kgGjhf1Y The researchers tested against the WannaCry ransomware, Samsam ransomware, the popular Mimikatz hacking tool, and hundreds of other known malicious files. This method proved successful for 100% of the top 10 Malware for May 2019, and close to 90% for a larger sample of 384 malware. “As far as I know, this is a world-first, proven global attack on the ML [machine learning] mechanism of a security company,” told Adi Ashkenazy, CEO of Skylight Cyber to Motherboard, who first reported the news. “After around four years of super hype [about AI], I think this is a humbling example of how the approach provides a new attack surface that was not possible with legacy [antivirus software].” Gregory Webb, chief executive officer of malware protection firm Bromium Inc., told SiliconAngle that the news raises doubts about the concept of categorizing code as “good” or “bad.” “This exposes the limitations of leaving machines to make decisions on what can and cannot be trusted,” Webb said. “Ultimately, AI is not a silver bullet.” Martijn Grooten, a security researcher also added his views to the Cylance Bypass story. He states, “This is why we have good reasons to be concerned about the use of AI/ML in anything involving humans because it can easily reinforce and amplify existing biases.” The Cylance team have now confirmed the global bypass issue and will release a hotfix in the next few days. “We are aware that a bypass has been publicly disclosed by security researchers. We have verified there is an issue which can be leveraged to bypass the anti-malware component of the product. Our research and development teams have identified a solution and will release a hotfix automatically to all customers running current versions in the next few days,” the team wrote in a blog post. You can go through the blog post by Skylight Cyber researchers for additional information. Microsoft releases security updates: a “wormable” threat similar to WannaCry ransomware discovered 25 million Android devices infected with ‘Agent Smith’, a new mobile malware FireEye reports infrastructure-crippling Triton malware linked to Russian government tech institute

Yesterday Wladimir Palant, the creator of AdBlock Plus, reported that Mozilla removed four Firefox extensions made by Avast and its subsidiary AVG. Palant also found credible reports about the extensions harvesting user data and browsing histories. The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons. Avast and AVG extensions were caught in October Mozilla removed the four extensions from its add-ons portal after receiving a report from Palant. Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work -- including detailed user browsing history, a practice prohibited by both Mozilla and Google. He published a blog post on October 28, detailing his findings, but in a blog post dated today, he says he found the same behavior in the Avast and AVG SafePrice extensions as well. On his original blog post Mozilla did not intervene to take down the extensions. Palant reported about it again to Mozilla developers yesterday and they removed all four add-ons within 24 hours. “The Avast Online Security extension is a security tool that protects users online, including from infected websites and phishing attacks,” an Avast spokesperson told ZDNet. “It is necessary for this service to collect the URL history to deliver its expected functionality. Avast does this without collecting or storing a user's identification.” “We have already implemented some of Mozilla's new requirements and will release further updated versions that are fully compliant and transparent per the new requirements,” the Avast spokesperson said. “These will be available as usual on the Mozilla store in the near future.” Extensions still available on Chrome browser The four extensions are still available on the Chrome Web Store according to Palant. "The only official way to report an extension here is the 'report abuse' link," he writes. "I used that one of course, but previous experience shows that it never has any effect. "Extensions have only ever been removed from the Chrome Web Store after considerable news coverage," he added. On Hacker News, users discussed Avast extensions creepily trick browsers to inspect tls/ssl packets. One on the users commented, “Avast even does some browser trickery to then be able to inspect tls/ssl packets. Not sure how I noticed that on a windows machine, but the owner was glad to uninstall it. As said on other comments, the built-in windows 10 defender AV is the least evil software to have enabled for somewhat a protected endpoint. The situation is desperate for AV publishers, they treat customers like sheep, the parallel with mafia ain't too far possible to make. It sorts of reminds me 20 years back when it was common discussion to have on how AV publishers first deployed a number of viruses to create a market. The war for a decent form of cyber security and privacy is being lost. It's getting worse every year. More money (billions) is poured into it. To no avail. I think we got to seriously show the example and reject closed source solutions all together, stay away from centralized providers, question everything we consume. The crowd will eventually follow.” Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2 Mozilla Thunderbird 78 will include OpenPGP support, expected to be released by Summer 2020 Mozilla introduces Neqo, Rust implementation for QUIC, new http protocol

A ransomware strain named Lilocked or Lilu has been affecting thousands of Linux-based servers all over the world since mid-July and the attacks got intensified by the end of August, ZDNet reports.  Lilocked ransomware’s first case got noticed when Micheal Gillespie, a malware researcher uploaded a ransomware note on the website, ID Ransomware. This website is used for identifying the name of ransomware from the ransomware note or from the demand specified in the attack. It is still unknown as to how the servers have been breached. https://twitter.com/demonslay335/status/1152593459225739265 According to a thread on a Russian-speaking forum, attackers might be targeting those systems that are running outdated Exim (email) software. The forum also mentions that the ransomware managed to get root access to servers by “unknown means”. Read Also: Exim patches a major security bug found in all versions that left millions of Exim servers vulnerable to security attacks Lilocked doesn't encrypt system files, but it encrypts a small subset of file extensions, such as JS, CSS, HTML, SHTML, PHP, INI, and other image file formats so the infected servers are running normally. As per the French security researcher, Benkow, Lilocked has encrypted more than 6,700 servers, out of which many have been indexed and cached in Google search results. However, the number of affected servers is much higher. “Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results,” ZDNet reports. It is easy to identify the servers that have been affected by the ransomware as most of their files are encrypted and they sport a new ".lilocked" file extension. Image Source: ZDNet Read Also: Exim patches a major security bug found in all versions that left millions of Exim servers vulnerable to security attacks The victims are first redirected to a portal on the dark web, where they are asked to enter a key from the ransom note and later are notified that their data has been encrypted. The victims are then asked to transfer 0.03 bitcoin, which is around $325. https://twitter.com/dulenkp/status/1170091139510218752 https://twitter.com/Zanket_com/status/1171089344460972032 To know more about the Lilocked ransomware in detail, head over to ZDNet. Other interesting news in security Intel’s DDIO and RDMA enabled microprocessors vulnerable to new NetCAT attack Endpoint protection, hardening, and containment strategies for ransomware attack protection: CISA recommended FireEye report Highlights StackRox App integrates into the Sumo Logic Dashboard  for improved Kubernetes security

Last week, a vulnerability was found in all the versions of Exim, a mail transfer agent (MTA), that when exploited can let attackers run malicious code with root privileges. According to the Exim team, all Exim servers running version 4.92.1 and the previous ones are vulnerable.  On September 4, the team at Exim published a warning on the Openwall information security mailing list regarding the critical security flaw that was affecting Exim. On Friday, the team at Exim released 4.92.2 to address this vulnerability. This vulnerability with the ID, CVE-2019-15846 was reported in July by a security researcher called Zerons. The vulnerability allows attackers to take advantage of the TLS ServerName Indicator and execute programs with root privileges on servers that accept TLS connections. An attacker can simply create a buffer overflow to gain access to a server running Exim as the bug doesn’t depend on the TLS library that is used by the server, both GnuTLS, as well as OpenSSL, get affected. It is used to serve around 57% of all publicly reachable email servers over the internet. Exim was initially designed for Unix servers, is currently available for Linux and Microsoft Corp. Windows and is also used for the email in cPanel.  Exim's advisory says, "In the default runtime configuration, this is exploitable with crafted ServerName Indication (SNI) data during a TLS negotiation.”  Read Also: A year-old Webmin backdoor revealed at DEF CON 2019 allowed unauthenticated attackers to execute commands with root privileges on servers Server owners can mitigate by disabling TLS support for the Exim server but it would expose email traffic in cleartext and would make it vulnerable to sniffing attacks and interception. Also, this mitigation plan can be more dangerous for the Exim owners living in the EU, since it might lead their companies to data leaks, and the subsequent GDPR fines. Also, Exim installations do not have the TLS support enabled by default but the Exim instances with Linux distros ship with TLS enabled by default.  Exim instances that ship with cPanel also support TLS by default but the cPanel staff have moved towards integrating the Exim patch into a cPanel update that they already started rolling it out to customers. Read Also: A vulnerability found in Jira Server and Data Center allows attackers to remotely execute code on systems A similar vulnerability named as CVE-2019-13917 was found in July that impacted Exim 4.85 up to and including 4.92 and got patched with the release of 4.92.1. Even this vulnerability would allow remote attackers to execute programs with root privileges. In June, the team at Exim had patched CVE-2019-10149, a vulnerability that is called "Return of the Wizard," that allowed attackers to run malicious code with root privileges on remote Exim servers. Also, Microsoft had issued a warning in June regarding a Linux worm that was targeting Azure Linux VMs that were running vulnerable Exim versions. Most of the users are sceptical about the meditation plan as they are not comfortable around disabling the TLS as the mitigation option. A user commented on HackerNews, “No kidding? Turning off TLS isn't an option at many installations. It's gotta work.” Other interesting news in Security  CircleCI reports of a security breach and malicious database in a third-party vendor account Hundreds of millions of Facebook users’ phone numbers found online, thanks to an exposed server, TechCrunch reports Espressif IoT devices susceptible to WiFi vulnerabilities can allow hijackers to crash devices connected to enterprise networks    

Two days ago, Check Point researchers reported a new mobile malware attack called ‘Agent Smith’ which infected around 25 million Android devices. This malware is being used for financial gains through the use of malicious advertisements. The malware, concealed under the identity of a Google related app, exploited known Android vulnerabilities and automatically replaced installed apps with their malicious versions, without any consent of the user. The primary targets of this malware are based in Asian countries, especially India with over 15 million infected devices, Pakistan, Bangladesh, Saudi Arabia, UK and around 300k devices infected in the U.S. Currently, no malicious apps remain on the Google Play Store. However, before being removed, the malicious apps were downloaded over 10 million times. Researchers have estimated over 2.8 billion infections in total, on around 25 Million unique devices. Image Source: Check Point Research How Agent Smith infected Android apps A preliminary investigation revealed that the app strongly resembled Janus vulnerability abuse which was discovered in 2017 and allowed attackers to modify the code in Android applications without affecting their signatures. These malicious apps had the ability to hide their app icons and claim to be Google related updaters or vending modules. Check Point researchers found that  Agent Smith’s attack also resembled previous malware campaigns against Android apps, like Gooligan, HummingBad, and CopyCat. The Agent Smith malware basically attacks in a step by step manner: Image Source: Check Point Research Firstly, a dropper app attracts a victim to install itself voluntarily. The dropper has an inbuilt Feng Shui Bundle which works as an encrypted asset file. The dropper variants include photo utility, games, or sex-related apps. Next, the dropper automatically decrypts and installs its core malware APK, which is usually disguised as Google Updater, Google Update for U or ‘com.google.vending’.  This core malware APK is then used to conduct malicious patching and app updates. The core malware’s icon is hidden from the user, at all times. Lastly, the core malware extracts the device’s installed app list. If the malware finds apps like Whatsapp, Flipkart, Jio, Truecaller, etc on its prey list (hard-coded or sent from C&C server), the malware extracts the base APK of the target innocent app on the device. Next, the malware patches the APK with malicious ads modules. The base APK is then installed back, making it seem like an update. During the final update installation process, Agent Smith relies on the Janus vulnerability to bypass Android’s APK integrity checks. Finally, Agent Smith hijacks the compromised user apps, to show malicious advertisements. The hackers have used Agent Smith for financial gain only until now. However, with its ability to hide its icon from the launcher and successfully impersonate any popular existing app on a device, Agent Smith can cause serious harms like banking credential theft, shopping, and other sensitive apps. It has also come to light that Google had fixed Janus vulnerability, in 2017 but the fix has not made its way onto every Android phone. “Android users should use ad blocker software, always update their devices when prompted, and only download apps from the Google Play Store”, said Dustin Childs, the communications manager at a cybersecurity company Trend Micro. Many Android users have expressed their concern about the Agent Smith malware attack. https://twitter.com/TMWB1/status/1149337833695600640 https://twitter.com/AkiSolomos/status/1149487532272312324 Few iOS users, now say that its Google’s security vulnerabilities that make users opt for iOS phones. A Redditor comments, “This is unfortunately why I am still an Apple customer. I do not trust android to keep my information safe. Hey Google, how about I pay you a $15 per month subscription and you stop using spyware on me?” According to the researchers, the malware appears to be run by a Chinese Internet company located in Guangzhou that claims to help Chinese Android developers publish and promote their apps on overseas platforms. Check Point researchers have submitted their report to Google and law enforcement units, to facilitate further investigation. The names of the malicious actors have not yet been revealed. Google has not yet released any official statement warning Android users about the Agent Smith malware attack. For more details about the attack, head over to Check Point research page. An IoT worm Silex, developed by a 14 year old resulted in malware attack and taking down 2000 devices China is forcing tourists crossing Xinjiang borders to install an Android app that sends personal information to authorities, reports the Vice News React Native 0.60 releases with accessibility improvements, AndroidX support, and more

Have you heard about the latest VPNFilter Malware attack? In brief, the software networking firm and its network analysis department known as ‘Talos’ identified a malware known as VPNFilter a few weeks ago. Something about these attacks made them particularly risky. If you are an individual or any small or medium business organization accessing the internet using routers from companies such as Linksys, Netgear, QNAP, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE then you are vulnerable to the VPNFilter malware attack. Read on to understand where do you stand and what you can do to avoid falling victim of this vicious malware attack. How VPNFilter malware works? The first thing that you need to understand is that VPNFilter has a 3 stage attack procedure. The first stage, which is one of the most potent and dangerous one too, plants itself into the router firmware. In most malware attack cases, a reboot would make the malware go away. That’s where VPNFilter stands out. It persists through the reboot and after the reboot it initiates the second stage. The second stage is about spying on the user activity and data and then storing and accessing user data, tracking the URLs and getting to know more about the victim. The most terrifying factor is that the user never realizes that they have been attacked. The reason being that VPNFilter uses the technique of “Man in the Middle” or MitT attack. What happens in this form of cyber attack is that the spyware gets attached to the router and then collects user data and prepares for a larger assault while the user is completely unaware of it. The image below explains the process.     Source: Yeahhub.com If this seems scary to you then you haven’t yet heard the interesting bit yet. The third stage is about introducing different plugins which can perform different types of actions. One of them is it can downgrade the security level of your requests from HTTPS to HTTP protocol. This in turn makes your data unencrypted and also makes your passwords and other valuable data open to anyone who is snooping on your network. The rest of the hacking process then eventually becomes much easier. Imagine what could happen if you logged in to a social media platform or into your netbanking application and the data is phished away. The worst part is that you won’t even know that your account is hacked until the hackers expose themselves by making malicious transactions. The horror story doesn’t end here, it also comes with a “Remote Destroy” button. This enables the hackers to delete important network and configuration files from your router before destroying the malware and this means your router will be rendered useless after they choose to do so. This gives them the power to disrupt internet connectivity on a global scale since the number of routers presently affected can be anywhere around 500k. Is there a way out? How can you save your router from this onslaught. Rebooting doesn’t work. The only way that some groups have suggested is to restore factory defaults of your router, upgrade the firmware of your router, and log in with your credentials. This three step process might be the only way you can get away from this attack. How to know that your router is no good? Try updating it to the latest version of firmware, if it says unable to upgrade, you can be damn sure of the fact that it’s time for you to buy a new one. BeyondCorp is transforming enterprise security Top 5 cybersecurity assessment tools for networking professionals IoT Forensics: Security in an always connected world where things talk

Microsoft has taken steps to release security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003. The company took this move as a part of its May 14 Patch Tuesday, due to the discovery of a “wormable” flaw that could be a major threat similar to the WannaCry ransomware attacks of 2017. The WannaCry ransomware threat was quick to spread across the world in May 2017 due to a vulnerability that was prevalent among systems running Windows XP and older versions of Windows. On Tuesday, Microsoft released 16 updates that target at least 79 security issues in Windows and related software. Now let’s have a look at the vulnerabilities,  CVE-2019-0708 and CVE-2019-0863. CVE-2019-0708, remote desktop services vulnerability The  CVE-2019-0708 vulnerability is in remote desktop services into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It is present in computers powered by Windows XP and Windows 2003. To attack the system, an unauthenticated attacker connects to the target system using Remote Desktop Protocol (RDP) and then sends specially crafted requests. This security update now corrects how Remote Desktop Services handles connection requests. Though the vulnerability CVE-2019-0708 does not affect Microsoft’s latest operating systems, including,  Windows 10, Windows 8, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. The company hasn’t observed any evidence of attacks against this security flaw, but it might head off a serious and imminent threat. Simon Pope, director of incident response for the Microsoft Security Response Center said, “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.” CVE-2019-0863, zero-day vulnerability One of the security updates fixed a zero-day vulnerability, (CVE-2019-0863) in the Windows Error Reporting Service. An attacker who can successfully exploit this vulnerability can run arbitrary code in kernel mode.The attacker can then install programs; change, view, or delete data; or create new accounts with administrator privileges. An attacker has to gain unprivileged execution on the victim’s system in order to exploit the vulnerability. Microsoft’s security update addresses this vulnerability by correcting the way WER (Windows Error Reporting) handles files. According to Chris Goettl, director of product management for security vendor Ivanti, this vulnerability has already been seen in targeted attacks. Microsoft Office and Office365, Sharepoint, .NET Framework and SQL server are some of the other Microsoft products that received patches. To know more about this news, check out Microsoft’s page. #MSBuild2019: Microsoft launches new products to secure elections and political campaigns Microsoft Build 2019: Introducing Windows Terminal, application packed with multiple tab opening, improved text and more Microsoft Build 2019: Introducing WSL 2, the newest architecture for the Windows Subsystem for Linux  

Yesterday the team at Mozilla announced that the company is receiving hundreds of bug reports and feature requests from Firefox users on a daily basis. The team noted that it’s important to get the bugs fixed as soon as possible for the smooth functioning of the systems. Also, the developers should quickly come to know that there is a bug in order to fix it. Bug triage, a process where tracker issues are screened and prioritised can be useful in such cases. However, even when developers come to know that bugs exist in the system, it is still difficult for the developers to closely look at each bug. The team at Mozilla has been using Bugzilla since years now which is a web-based general-purpose bugtracker and testing tool that group the bugs by product. But product assignment or the grouping process was done manually by the developers so this process failed to scale. Now Mozilla is experimenting with Machine Learning to train systems to triage bugs. BugBug It’s important to get the bugs in the eye of the right set of engineers, for which the team at Mozilla developed BugBug, a machine learning tool that assigns a product and component automatically for every new untriaged bug. By bringing the bugs into the radar of the triage owners, the team at Mozilla has made an effort towards decreasing the turnaround time to fix new issues. Training the BugBug model Mozilla has a large training set of data for this model which includes two decades worth of bugs that have been reviewed by Mozillians and assigned to products and components. The bug data can’t be used as-is and any change to the bug after triage would create trouble during operation. So the team at Mozilla rolled back the bug to the time it was originally filed. Out of 396 components, 225 components had more than 49 bugs filed in the past 2 years. During operation, the team performed the assignment when the model was confident enough of its decision and currently, the team is using a 60% confidence threshold. Ever since the team has deployed BugBug in production at the end of February 2019, they have triaged around 350 bugs. The median time for any developer to act on triaged bugs is 2 days. Usually, 9 days is the average time to act, but with BugBug the Mozilla team took just 4 days to remove the outliers. Mozilla plans to use Machine learning in the future The Mozilla team has planned to use machine learning to assist in other software development processes, such as identifying duplicate bugs, providing automated help to developers, and detecting the bugs important for a Firefox release. The team plans to extend BugBug to automatically assign components for other Mozilla products. To know more about this news, check out the post by Mozilla. Mozilla is exploring ways to reduce notification permission prompt spam in Firefox Mozilla launches Firefox Lockbox, a password manager for Android Mozilla’s Firefox Send is now publicly available as an encrypted file sharing service  

This week, an IoT worm called Silex that targets a Unix-like system took down around 2,000 devices, ZDNet reports. This malware attacks by attempting a login with default credentials and after gaining access. Larry Cashdollar, an Akamai researcher, the first one to spot the malware, told ZDNet in a statement, "It's using known default credentials for IoT devices to log in and kill the system.” He added, “It's doing this by writing random data from /dev/random to any mounted storage it finds. I see in the binary it's calling fdisk -l which will list all disk partitions."  He added, "It then writes random data from /dev/random to any partitions it discovers." https://twitter.com/_larry0/status/1143532888538984448 It deletes the devices' firewall rules and then removes its network config and triggers a restart, this way the devices get bricked. Victims are advised to manually reinstall the device's firmware for recovering. This malware attack might remind you of the BrickerBot malware that ended up destroying millions of devices in 2017. Cashdollar told ZDNet in a statement, "It's targeting any Unix-like system with default login credentials." He further added, "The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix like OS." This also means that this malware might affect Linux servers if they have Telnet ports open and in case they are secured with poor or widely-used credentials. Also, as per the ZDNet report, the attacks were carried out from a VPS server that was owned by a company operating out of Iran. Cashdollar said, "It appears the IP address that targeted my honeypot is hosted on a VPS server owned by novinvps.com, which is operated out of Iran."  With the help of NewSky Security researcher Ankit Anubhav, ZDNet managed to reach out to the Silex malware author who goes by the pseudonym Light Leafon. According to Anubhav, Light Leafon, is a 14-year-old teenager responsible for this malware.  In a statement to Anubhav and ZDNet, he said, “The project started as a joke but has now developed into a full-time project, and has abandoned the old HITO botnet for Silex.” Light also said that he has plans for developing the Silex malware further and will add even more destructive functions. In a statement to Anubhav and ZDNet, he said, "It will be reworked to have the original BrickerBot functionality."  He is also planning to add the ability to log into devices via SSH apart from the current Telnet hijacking capability. He plans to give the malware the ability to use vulnerabilities for breaking into devices, which is quite similar to most of the IoT botnets. Light said, "My friend Skiddy and I are going to rework the whole bot.” He further added, "It is going to target every single publicly known exploit that Mirai or Qbot load." Light didn’t give any justification for his actions neither have put across any manifesto as the author of BrickerBot (goes with the pseudonym-Janit0r) did post before the BrickerBot attacks. Janit0r motivated the 2017 attacks to protest against owners of smart devices that were constantly getting infected with the Mirai DDoS malware. In a statement to ZDNet, Anubhav described the teenager as "one of the most prominent and talented IoT threat actors at the moment." He further added, "Its impressive and at the same time sad that Light, being a minor, is utilizing his talent in an illegal way." People are surprised how a 14-year-old managed to work this out and are equally worried about the consequences the kid might undergo. A user commented on Reddit, “He's a 14-year old kid who is a bit misguided in his ways and can easily be found. He admits to DDoSing Wix, Omegle, and Twitter for lols and then also selling a few spots on the net. Dude needs to calm down before it goes bad. Luckily he's under 18 so really the worst that would happen in the EU is a slap on the wrist.”  Another user commented, “It’s funny how those guys are like “what a skid lol” but like ... it’s a 14-year-old kid lol. What is it people say about the special olympics…” Few others said that developers need to be more vigilant and take security seriously. Another comment reads, “Hopefully manufacturers might start taking security seriously instead of churning out these vulnerable pieces of shit like it's going out of fashion (which it is).” To know more about this news, check out the report by ZDNet. WannaCry hero, Marcus Hutchins pleads guilty to malware charges; may face upto 10 years in prison FireEye reports infrastructure-crippling Triton malware linked to Russian government tech institute ASUS servers hijacked; pushed backdoor malware via software updates potentially affecting over a million users  

Yesterday, at Black Hat 2019, Mimecast Limited, a leading email and data security company, introduced Mimecast Threat Intelligence which offers a deeper understanding of the cyber threats faced by organizations. The cybersecurity landscape changes daily, and attackers are constantly changing their techniques to avoid detection. According to Mimecast’s recent State of Email Security Report 2019, 94% of organizations saw phishing attacks in the last 12 months and 61% said it was likely or inevitable that they would be hit with an email-borne attack. The new features in Mimecast Threat Intelligence are designed to give organizations access to threat data and analytics specific to overall organization. Additionally it offers a granular view of the attacks blocked by Mimecast. The Mimecast Threat Intelligence dashboard highlights users who are most at-risk, malware detections, malware origin by geo-location, Indicators of Compromise (IoCs) and malware forensics based on static and behavioral analysis. The data is consolidated into a user-friendly view and will be available for integration into an organization’s security ecosystem through the Threat Feed API. This targeted threat intelligence will provide greater visibility and insight to security professionals, enabling them to easily respond and remediate against threats and malicious files. “As the threat landscape evolves, arming our organization and people with the best possible tools is more important now than ever,” said Thomas Cronkright, CEO at CertifID. “Mimecast’s Threat Intelligence is a unique, incredibly easy to use value-added service that provides an outstanding benefit to organizations in search of a secure ecosystem.” “The cyber threat landscape is dynamic, complex and driven by a relentless community of adversaries. IT and security teams need threat intelligence that is easy to digest and actionable, so they can better leverage the information to proactively prevent and defend against cyberattacks,” said Josh Douglas, Vice President of threat intelligence at Mimecast. “Mimecast sees a lot of data, as we process more than 300 million emails every day to help customers block hundreds of thousands of malicious emails. Mimecast Threat Intelligence helps organizations get the deep insights they need to build a more cyber resilient environment.” Mimecast Threat Intelligence consists of a Threat Dashboard, Threat Remediation and Threat Feed with Threat Intelligence APIs. To know more, check out this page on Mimecast Threat Intelligence. International cybercriminals exploited Citrix internal systems for six months using password spraying technique A zero-day vulnerability on Mac Zoom Client allows hackers to enable users’ camera, leaving 750k companies exposed An IoT worm Silex, developed by a 14 year old resulted in malware attack and taking down 2000 devices

Yesterday, Mingye Wang reported a bug in the Glibc, GNU C Library. According to him, the dl_platform detection performs "cripple AMD" in the sysdeps in Glibc. The dl_platform check is used for dispatching SIMD (Single instruction, multiple data) libraries. Explaining the bug in detail, Wang writes, that in 2017, Glibc got the capability to transparently load libraries for specific CPU families with some SIMD extensions combinations to benefit the x86 users. However, this implementation limits two "good" sets of modern SIMD instructions to only Intel processors that prevent competitor CPUs with equivalent capabilities to fully perform, something that should not work in any free software package.  He further added that this bug seemed like an implementation of Intel’s ‘cripple AMD’ bug which was reported in 2009, and hence the name. According to the author, Agner Fog, “software compiled with the Intel compiler or the Intel function libraries has inferior performance on AMD and VIA processors. The Intel CPU dispatcher does not only check which instruction set is supported by the CPU, it also checks the vendor ID string. If the vendor string says "GenuineIntel" then it uses the optimal code path. If the CPU is not from Intel then, in most cases, it will run the slowest possible version of the code, even if the CPU is fully compatible with a better version.” A user commented on HackerNews, “Hm, is this really "crippling" AMD? Seems more like Intel submitted a performance patch that is only enabled for Intel processors, but could be extended to support AMD too. There's a moral difference. It is wrong to intentionally degrade the performance of your competitors. It is not wrong to not do something that benefits others.” Mingye Wang writes, “The crux of the problem lies in the `(cpu_features->kind == arch_kind_intel)` (LHS now renamed cpu_features->basic.kind) comparison that surrounds the entire x86_64 case. Although AMD has not yet made any processors with AVX512, their newer processors (Zen -- Epyc, Ryzen) should at least satisfy the haswell test case.” According to Wang, glibc should remove the dl platform check and the processors should use their feature flags. At 07:15:15 UTC, the page updated that the bug has been resolved and it is a duplicate of 2018, bug 23249, where Epyc and other current AMD CPUs couldn’t select the "haswell" platform subdirectory. This bug was reported by Allan Jensen, who wrote, “Recently a "haswell" sub-arch was introduced to be similar to the old i686 subarch for x86. It is documented as requiring BMI1, BMI2, LZCNT, MOVBE, POPCNT, AVX2 and FMA, but undocumented also checks the CPU is an Intel CPU before using the faster paths. I would suggest glibc fixes that before it becomes public knowledge.” Florian Weimer, author at Red Hat, writes, “We really need feedback from AMD for this change, and it has been difficult for us to talk to engineers there. If you have contacts there, please encourage them to reach out to Red Hat Engineer Partner Management via their own channels (or contact me directly). I agree that this situation is unfortunate, and that AMD customers may not get the best possible performance as the result.” Weimer further added, “The "haswell" platform subdirectory is somewhat ill-defined, see bug 24080. I don't think current AMD CPUs implement the ERMS feature, which Intel assumes is part of the "haswell" definition. This bug has been marked as a duplicate of bug 23249.” Few users are sceptical about this news and think that there might be a planned conspiracy behind this bug. A user commented on HackerNews, “Could this be a legitimate unintended consequence of the pull request or some new dirty pool tactic? Either way I agree with Mingye Wang's assessment, this kind of thing cannot be allowed to get into the source tree. Hopefully AMD will increase their Linux activities with their new bigger market share and income.” To know more about this news, check out the post by Sourceware Bugzilla. Other interesting news in Security  CircleCI reports of a security breach and malicious database in a third-party vendor account Hundreds of millions of Facebook users’ phone numbers found online, thanks to an exposed server, TechCrunch reports Espressif IoT devices susceptible to WiFi vulnerabilities can allow hijackers to crash devices connected to enterprise networks  

Today, Google announced a security bug in its Bluetooth Low Energy (BLE) Titan Security Keys. This issue is due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, which is currently affecting the BLE versions in the U.S. Google has provided users with quick actions to protect themselves against the attack and to gain a free replacement key. However, the bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected. “Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement since security keys provide the strongest protection against phishing”, the official post reads. Attackers can only gain access to a user’s device if they are within close proximity (approximately 30 feet) while the user is using the security key. With this, the attacker can easily communicate with a user’s security key or also communicate with the device to which the user’s key is paired. The two cases an attacker might use to exploit the security keys in the BLE are: While trying to sign into an account on the device, a user is normally asked to press the button on their BLE security key to activate it. At this time, the attacker will have to connect their own device to the user’s affected security key before the user’s own device connects, for the bug to be exploited. However, this case is only possible if they have already obtained the victim’s username and password. The attacker could also use their device to masquerade as the user’s affected security key and connect to the user’s device at the moment the user is asked to press the button on the key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on the user’s device. Google also mentions that this issue does not affect the primary purpose of security keys (to protect you against phishing by a remote attacker). They also suggest that security keys remain the strongest available protection against phishing and it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on one’s Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to a user’s device). This local proximity Bluetooth issue does not affect USB or NFC security keys. “To determine if your key is affected, check the back of the key. If it has a “T1” or “T2” on the back of the key, your key is affected by the issue and is eligible for free replacement”, the official post states. Mark Risher, Director of Product Management at Google tweeted: https://twitter.com/mrisher/status/1128703153397030913 Google has also provided some additional steps that users can take to minimize the remaining risk until they receive their replacement keys on their official blog post. To know more about this news in detail, head over to Google’s official blog post. Go 1.11.3 and Go 1.10.6 released with fixes to security issues Amazon FreeRTOS adds a new ‘Bluetooth low energy support’ feature Google I/O 2019: Flutter UI framework now extended for Web, Embedded, and Desktop