“OG” Tools Remain Valuable, (Wed, Oct 10th)


For vendors, the cybersecurity landscape is a nice place to build a very lucrative business. New solutions and tools are released every day and promise to easily detect malicious activities on your networks. And it’s a recurring story: once they have been implemented by many customers, vendors come back again with a new version flagged as “2.0”, “NG” or “Next Generation”. Is it really useful or just hype? I won’t start the debate, but keep in mind that good old tools and protocols still remain very valuable today.


I was contacted by a company which had a security incident. Apparently, they were suffering from an ongoing data leak and customers’ information was being leaked to the competition. If you work in this field and need to investigate quickly, you have probably already faced the following situation. I visited them and started to grab details about the infrastructure, the architecture and the key point: logs or any kind of data that could help to spot the source of the leak. You quickly realise that nothing, or only a small amount of information, is available. On the positive side, they had a bunch of logs extracted from the local resolver. Based on the DNS queries performed by the hosts, we were able to spot a compromised one. But not all of them were using the local resolver (yes, it was possible to use any public DNS), and some hosts might communicate directly with IP addresses…


My next question to them was: “Do you know the NetFlow protocol?” No, they did not. NetFlow[1] is a very old protocol, developed by Cisco in 1996(!). Originally it was developed for accounting reasons, when the Internet was slow and subscription plans were based on the amount of traffic you used (I’m feeling old now). A Cisco router/switch which has NetFlow enabled (called an exporter) sends UDP packets to a NetFlow collector with the following details (summarised):


  • timestamp (flow start)
  • duration
  • protocol
  • source IP / port
  • destination IP / port
  • number of packets
  • number of bytes


This information is very useful to spot malicious activity! Once you start collecting NetFlow data, you can easily generate stats like:


  • Top speakers on the network
  • Top destinations
  • Top protocols (based on the port)
  • Hosts talking to suspicious hosts (e.g. hosts located, according to GeoIP, in a country where you don’t do business)
  • Hosts talking at regular intervals with a low amount of traffic (typically systems phoning home to their C2)
  • Hosts starting to talk at night
  • And many more…


Compared to a full packet capture, you won’t see the traffic payload, but the amount of data is very low and you don’t need a very powerful computer to process it.


To collect NetFlow data, you just have to install a collector (nfdump[2] is the best known):



# apt-get install nfdump
# vi /etc/default/nfdump (change the value of nfcapd_start to "yes")
# service nfdump start


Now, connect to your Cisco device and enable NetFlow:



Router(config)# ip flow-export <collector> <port>


The default port is 9996 and <collector> is the IP/FQDN of the server running the nfcapd daemon. Now, have a look at the nfdump command to extract interesting stats from the captured data. Note that many tools are able to digest NetFlow data; Logstash from the ELK stack is a good example[3]. This setup can be deployed in a few minutes and will give you good visibility into your network traffic to quickly spot malicious behaviour.
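Here is an added example (not part of the diary, and not nfdump’s own code) that computes several of the stats listed above from flow records: top speakers, top destinations, top ports, hosts phoning home at regular intervals with little data, and hosts active at night. The CSV layout and column names are assumptions loosely modelled on nfdump’s CSV output, and the flow records are constructed.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed flow records. The column layout (ts, td, pr, sa, sp, da, dp,
# ipkt, ibyt) is an assumption loosely modelled on nfdump's CSV output.
SAMPLE_FLOWS = """\
ts,td,pr,sa,sp,da,dp,ipkt,ibyt
2018-10-09 03:12:44,2.1,TCP,10.0.0.12,51022,203.0.113.50,22,18,2140
2018-10-09 09:00:01,0.4,TCP,10.0.0.5,49152,203.0.113.7,443,4,210
2018-10-09 09:10:02,0.3,TCP,10.0.0.5,49153,203.0.113.7,443,4,198
2018-10-09 09:15:10,35.0,TCP,10.0.0.9,50001,198.51.100.20,80,1200,1450000
2018-10-09 09:20:01,0.4,TCP,10.0.0.5,49154,203.0.113.7,443,4,205
2018-10-09 09:30:03,0.3,TCP,10.0.0.5,49155,203.0.113.7,443,4,201
2018-10-09 09:40:02,0.4,TCP,10.0.0.5,49156,203.0.113.7,443,4,199
2018-10-09 10:15:00,120.0,TCP,10.0.0.9,50002,198.51.100.20,443,40000,52000000
2018-10-09 11:02:15,1.2,UDP,10.0.0.12,53211,198.51.100.53,53,2,160
2018-10-09 14:30:00,5.0,TCP,10.0.0.12,50100,198.51.100.20,80,300,410000
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S"),
            "td": float(row["td"]), "pr": row["pr"],
            "sa": row["sa"], "sp": int(row["sp"]),
            "da": row["da"], "dp": int(row["dp"]),
            "ipkt": int(row["ipkt"]), "ibyt": int(row["ibyt"]),
        })
    return flows


def top_by_bytes(flows, field, n=3):
    """Top speakers (field='sa') or top destinations (field='da') by bytes."""
    totals = Counter()
    for f in flows:
        totals[f[field]] += f["ibyt"]
    return totals.most_common(n)


def top_ports(flows, n=3):
    """Most common destination ports, a rough proxy for top protocols."""
    return Counter(f["dp"] for f in flows).most_common(n)


def beacon_candidates(flows, max_bytes=1000, min_flows=4, max_jitter=0.1):
    """Source/destination pairs contacted at a regular interval with little
    data per flow: the 'phoning home to a C2' pattern."""
    stamps_by_pair = defaultdict(list)
    for f in flows:
        if f["ibyt"] <= max_bytes:
            stamps_by_pair[(f["sa"], f["da"], f["dp"])].append(f["ts"])
    hits = []
    for (sa, da, dp), stamps in stamps_by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation near zero means a metronome-like schedule.
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if jitter <= max_jitter:
            hits.append((sa, da, dp, round(mean), len(stamps)))
    return hits


def night_talkers(flows, start_hour=0, end_hour=5):
    """Hosts that start talking during the quiet hours."""
    return sorted({f["sa"] for f in flows if start_hour <= f["ts"].hour < end_hour})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Top speakers:", top_by_bytes(flows, "sa"))
    print("Top destinations:", top_by_bytes(flows, "da"))
    print("Top ports:", top_ports(flows))
    print("Beacon candidates (src, dst, port, interval s, flows):",
          beacon_candidates(flows))
    print("Night talkers:", night_talkers(flows))
```

On real captures, export the flows from nfdump in CSV form and check the field order it produces before mapping the columns.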


Conclusion: “Old Generation” tools remain valuable when you need to investigate security incidents.


[1] https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html

[2] https://github.com/phaag/nfdump

[3] https://www.elastic.co/guide/en/logstash/current/netflow-module.html


Xavier Mertens (@xme)

Senior ISC Handler – Freelance Cyber Security Consultant

PGP Key

Security Vulnerabilities in US Weapons Systems

The US Government Accounting Office just published a new report: “Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities” (summary here). The upshot won’t be a surprise to any of my regular readers: they’re vulnerable.

From the summary:

Automation and connectivity are fundamental enablers of DOD’s modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks. Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity.

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.

It is definitely easier, and cheaper, to ignore the problem or pretend it isn’t a big deal. But that’s probably a mistake in the long run.

Posted on October 10, 2018 at 6:21 AM


Naming & Shaming Web Polluters: Xiongmai



What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.

A rendering of Xiongmai’s center in Hangzhou, China. Source: xiongmaitech.com

In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings.

Security experts soon discovered that a majority of Mirai-infected devices were chiefly composed of components made by Xiongmai (a.k.a. Hangzhou Xiongmai Technology Co., Ltd.) and a handful of other Chinese tech firms that seemed to have a history of placing product market share and price above security.

Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors.

On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware.

SEC Consult said it began the process of working with Xiongmai on these problems back in March 2018, but that it finally published its research after it became clear that Xiongmai wasn’t going to address any of the problems.

“Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. “The conversation with them over the past months has shown that security is just not a priority to them at all.”

Xiongmai did not respond to requests for comment.

PROBLEM TO PROBLEM

A core part of the problem is the peer-to-peer (P2P) communications component called “XMEye” that ships with all Xiongmai devices and automatically connects them to a cloud network run by Xiongmai. The P2P feature is designed so that consumers can access their DVRs or security cameras remotely anywhere in the world and without having to configure anything.

The various business lines of Xiongmai. Source: xiongmaitech.com

To access a Xiongmai device via the P2P network, one must know the Unique ID (UID) assigned to each device. The UID is essentially derived in an easily reproducible way using the device’s built-in MAC address (a string of numbers and letters, such as 68ab8124db83c8db).

Electronics firms are assigned ranges of MAC address that they may use, but SEC Consult discovered that Xiongmai for some reason actually uses MAC address ranges assigned to a number of other companies, including tech giant Cisco Systems, German printing press maker Koenig & Bauer AG, and Swiss chemical analysis firm Metrohm AG.

SEC Consult learned that it was trivial to find Xiongmai devices simply by computing all possible ranges of UIDs for each range of MAC addresses, and then scanning Xiongmai’s public cloud for XMEye-enabled devices. Based on scanning just two percent of the available ranges, SEC Consult conservatively estimates there are around 9 million Xiongmai P2P devices online.

[For the record, KrebsOnSecurity has long advised buyers of IoT devices to avoid those that advertise P2P capabilities for just this reason. The Xiongmai debacle is yet another example of why this remains solid advice.]

BLANK TO BANK

While one still needs to provide a username and password to remotely access XMEye devices via this method, SEC Consult notes that the default password of the all-powerful administrative user (username “admin”) is blank (i.e., no password).

The admin account can be used to do anything to the device, such as changing its settings or uploading software — including malware like Mirai. And because users are not required to set a secure password in the initial setup phase, it is likely that a large number of devices are accessible via these default credentials.

The raw, unbranded electronic components of an IP camera produced by Xiongmai.

Even if a customer has changed the default admin password, SEC Consult discovered there is an undocumented user with the name “default,” whose password is “tluafed” (default in reverse). While this user account can’t change system settings, it is still able to view any video streams.

Normally, hardware devices are secured against unauthorized software updates by requiring that any new software pushed to the devices be digitally signed with a secret cryptographic key that is held only by the hardware or software maker. However, XMEye-enabled devices have no such protections.

In fact, the researchers found it was trivial to set up a system that mimics the XMEye cloud and push malicious firmware updates to any device. Worse still, unlike with the Mirai malware — which gets permanently wiped from memory when an infected device powers off or is rebooted — the update method devised by SEC Consult makes it so that any software uploaded survives a reboot.

CAN XIONGMAI REALLY BE THAT BAD?

In the wake of the Mirai botnet’s emergence in 2016 and the subsequent record denial-of-service attacks that brought down chunks of the Internet at a time (including this Web site and my DDoS protection provider at times), multiple security firms said Xiongmai’s insecure products were a huge contributor to the problem.

Among the company’s strongest critics was New York City-based security firm Flashpoint, which pointed out that even basic security features built into Xiongmai’s hardware had completely failed at basic tasks.

For example, Flashpoint’s analysts discovered that the login page for a camera or DVR running Xiongmai hardware and software could be bypassed just by navigating to a page called “DVR.htm” prior to login.

Flashpoint’s researchers also found that any changes to passwords for various user accounts accessible via the Web administration page for Xiongmai products did nothing to change passwords for accounts that were hard-coded into these devices and accessible only via more obscure, command-line communications interfaces like Telnet and SSH.

Not long after Xiongmai was publicly shamed for failing to fix obvious security weaknesses that helped contribute to the spread of Mirai and related IoT botnets, Xiongmai lashed out at multiple security firms and journalists, promising to sue its critics for defamation (it never followed through on that threat, as far as I can tell).

At the same time, Xiongmai promised that it would be issuing a product recall on millions of devices to ensure they were not deployed with insecure settings and software. But according to Flashpoint’s Zach Wikholm, Xiongmai never followed through with the recall, either. Rather, it was all a way for the company to save face publicly and with its business partners.

“This company said they were going to do a product recall, but it looks like they never got around to it,” Wikholm said. “They were just trying to cover up and keep moving.”

Wikholm said Flashpoint discovered a number of additional glaring vulnerabilities in Xiongmai’s hardware and software that left them wide open to takeover by malicious hackers, and that several of those weaknesses still exist in the company’s core product line.

“We could have kept releasing our findings, but it just got really difficult to keep doing that because Xiongmai wouldn’t fix them and it would only make it easier for people to compromise these devices,” Wikholm said.

The Flashpoint analyst said he believes SEC Consult’s estimates of the number of vulnerable Xiongmai devices to be extremely conservative.

“Nine million devices sounds quite low because these guys hold 25 percent of the world’s DVR market,” to say nothing of the company’s share in the market for cheapo IP cameras, Wikholm said.

What’s more, he said, Xiongmai has turned a deaf ear to reports about dangerous security holes across its product lines principally because it doesn’t answer directly to customers who purchase the gear.

“The only reason they’ve maintained this level of [not caring] is they’ve been in this market for a long time and established very strong regional sales channels to dozens of third-party companies,” that ultimately rebrand Xiongmai’s products as their own, he said.

Also, the typical consumer of cheap electronics powered by Xiongmai’s kit doesn’t really care how easily these devices can be commandeered by cybercriminals, Wikholm observed.

“They just want a security system around their house or business that doesn’t cost an arm and leg, and Xiongmai is by far the biggest player in that space,” he said. “Most companies at least have some sort of incentive to make things better when faced with public pressure. But they don’t seem to have that drive.”

A PHANTOM MENACE

SEC Consult concluded its technical advisory about the security flaws by saying Xiongmai “does not provide any mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals.”

While this may sound easy enough, acting on that advice is difficult in practice because very few devices made with Xiongmai’s deeply flawed hardware and software advertise that fact on the label or product name. Rather, the components that Xiongmai makes are sold downstream to vendors who then use them in their own products and slap on a label with their own brand name.

How many vendors? It’s difficult to say for sure, but a search on the term XMEye via the e-commerce sites where Xiongmai’s white-labeled products typically are sold (Amazon, Aliexpress.com, Homedepot.com and Walmart) reveals more than 100 companies that you’ve probably never heard of which brand Xiongmai’s hardware and software as their own. That list is available here (PDF) and is also pasted at the conclusion of this post for the benefit of search engines.

SEC Consult’s technical advisory about their findings lists a number of indicators that system and network administrators can use to quickly determine whether any of these vulnerable P2P Xiongmai devices happen to be on your network.

For end users concerned about this, one way of fingerprinting Xiongmai devices is to search Amazon.com, aliexpress.com, walmart.com and other online merchants for the brand on the side of your device and the term “XMEye.” If you get a hit, chances are excellent you’ve got a device built on Xiongmai’s technology.

Another option: open a browser and navigate to the local Internet address of your device. If you have one of these devices on your local network, the login page should look like the one below:

The administrative login screen for IoT devices powered by Xiongmai’s software and hardware.

Another giveaway on virtually all Xiongmai devices is that pasting “http://IP/err.htm” into a browser address bar (where IP is the local IP address of the device) should display the following error message:

Ironically, even the error page for Xiongmai devices contains errors.

According to SEC Consult, Xiongmai’s electronics and hardware make up the guts of IP cameras and DVRs marketed and sold under the company names below.

What’s most remarkable about many of the companies listed below is that about half of them don’t even have their own Web sites, and instead simply rely on direct-to-consumer product listings at Amazon.com or other e-commerce outlets. Among those that do sell Xiongmai’s products directly via the Web, very few of them seem to even offer secure (https://) Web sites.

SEC Consult’s blog post about their findings has more technical details, as does the security advisory they released today.

Here’s the current list of companies that white label Xiongmai’s insecure products, according to SEC Consult:

9Trading
Abowone
AHWVSE
ANRAN
ASECAM
Autoeye
AZISHN
A-ZONE
BESDER/BESDERSEC
BESSKY
Bestmo
BFMore
BOAVISION
BULWARK
CANAVIS
CWH
DAGRO
datocctv
DEFEWAY
digoo
DiySecurityCameraWorld
DONPHIA
ENKLOV
ESAMACT
ESCAM
EVTEVISION
Fayele
FLOUREON
Funi
GADINAN
GARUNK
HAMROL
HAMROLTE
Highfly
Hiseeu
HISVISION
HMQC
IHOMEGUARD
ISSEUSEE
iTooner
JENNOV
Jooan
Jshida
JUESENWDM
JUFENG
JZTEK
KERUI
KKMOON
KONLEN
Kopda
Lenyes
LESHP
LEVCOECAM
LINGSEE
LOOSAFE
MIEBUL
MISECU
Nextrend
OEM
OLOEY
OUERTECH
QNTSQ
SACAM
SANNCE
SANSCO
SecTec
Shell film
Sifvision/sifsecurityvision
smar
SMTSEC
SSICON
SUNBA
Sunivision
Susikum
TECBOX
Techage
Techege
TianAnXun
TMEZON
TVPSii
Unique Vision
unitoptek
USAFEQLO
VOLDRELI
Westmile
Westshine
Wistino
Witrue
WNK Security Technology
WOFEA
WOSHIJIA
WUSONLUSAN
XIAO MA
XinAnX
xloongx
YiiSPO
YUCHENG
YUNSYE
zclever
zilnk
ZJUXIN
zmodo
ZRHUNTER

Researchers presented an improved version of the WPA KRACK attack



Security researchers who last year devised the Key Reinstallation Attack, aka KRACK attack, have disclosed new variants of the attack.

Security researchers Mathy Vanhoef and Frank Piessens, who last year devised the Key Reinstallation Attack against WPA, aka KRACK attack, have disclosed new variants of the attack.

Last year, the boffins discovered several key management flaws in the core of the Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to break into a Wi-Fi network and eavesdrop on Internet communications, stealing sensitive information (e.g. credit card numbers, passwords, chat messages, emails, and pictures).

WPA2 itself was compromised: the flaws reside in the Wi-Fi standard, not in any of the numerous implementations.

The KRACK attack allows attackers to decrypt Wi-Fi users’ data without cracking or knowing the password.

According to the researchers, the KRACK attack works against:

  • Both WPA1 and WPA2,
  • Personal and enterprise networks,
  • Ciphers WPA-TKIP, AES-CCMP, and GCMP

The bugs impact all implementations, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others.

Now the experts have presented a new variant of the attack technique at the Computer and Communications Security (CCS) conference.

The new attacks no longer rely on hard-to-win race conditions and introduce a new method to carry out man-in-the-middle (MitM) attacks.

“First, we generalize attacks against the 4-way handshake so they no longer rely on hard-to-win race conditions, and we employ a more practical method to obtain the required man-in-the-middle (MitM) position.” reads the research paper.

“Second, we systematically investigate the 802.11 standard for key reinstallation vulnerabilities, and show that the Fast Initial Link Setup (FILS) and Tunneled direct-link setup PeerKey (TPK) handshakes are also vulnerable to key reinstallations. These handshakes increase roaming speed, and enable direct connectivity between clients, respectively. Third, we abuse Wireless Network Management (WNM) power-save features to trigger reinstallations of the group key.”


Experts explained that they achieved the multi-channel MitM position by forging Channel Switch Announcements (CSAs) to trick clients into switching to the desired (rogue) channel.

“We propose a more practical method to obtain the MitM, which works based on Channel Switch Announcements (CSAs). In this method, the adversary forges CSAs to trick clients into switching to the desired (rogue) channel [27, 46],” continues the paper. “This is more reliable than jamming certain channels, and does not require special Wi-Fi equipment. We successfully tested this approach against Android and Chromium.”

The security duo also discovered that it is possible to delay the delivery of message 3, which transports the group key to the client, after it has been captured. In this way the key reinstallation is not triggered immediately, which lets the attacker delay the attack and increases its potential impact.

The experts successfully tested the delay on Linux, Android, iOS, and macOS, and it also works with encrypted messages.

“Our results show that preventing key reinstallations is harder than initially assumed. We believe the main reason vulnerabilities are still present is because the Wi-Fi standard is large, is continually being expanded with new features, and requires domain-specific knowledge to understand,” the researchers conclude.

“These obstacles can be overcome by having high-level descriptions (or formal models) of all security-related features of Wi-Fi. Additionally, we believe the Wi-Fi Alliance should not only test products for interoperability, but also fuzz them for vulnerabilities.”
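A toy model of the client (supplicant) side, added here as an example and not code from the researchers or from any Wi-Fi stack: it shows why a message 3 that is retransmitted, delivered late or otherwise delivered twice is dangerous when the supplicant reinstalls the pairwise and group keys it already uses (the nonce and replay counters restart, so CCMP nonces repeat and old broadcast frames are accepted again), and how the hardened supplicant that refuses to reinstall an in-use key keeps both counters monotonic. Class and method names are assumptions.

```python
class Supplicant:
    """Minimal, constructed model of a Wi-Fi client's key-install logic."""

    def __init__(self, ignore_reinstall):
        self.ignore_reinstall = ignore_reinstall  # True = hardened behaviour
        self.ptk = None        # pairwise key negotiated in the 4-way handshake
        self.gtk = None        # group key carried inside message 3
        self.ptk_pn = 0        # transmit packet number, used as the CCMP nonce
        self.gtk_replay = 0    # highest packet number accepted under the GTK
        self.nonces = []       # (key, packet number) pairs used for encryption

    def _install(self, attr, key):
        if self.ignore_reinstall and getattr(self, attr) == key:
            # Hardened: this key is already in use, so leave it and its
            # counters alone. (The handshake reply is still sent; only the
            # install step is skipped.)
            return False
        setattr(self, attr, key)
        return True

    def on_message3(self, ptk, gtk):
        """Message 3 arrives: first time, retransmitted, or delayed/replayed."""
        if self._install("ptk", ptk):
            self.ptk_pn = 0        # nonce counter restarts from zero
        if self._install("gtk", gtk):
            self.gtk_replay = 0    # replay window restarts too

    def send_unicast(self):
        """Encrypt one frame: the nonce is (key, incremented packet number)."""
        self.ptk_pn += 1
        nonce = (self.ptk, self.ptk_pn)
        self.nonces.append(nonce)
        return nonce

    def accept_broadcast(self, pn):
        """Replay check for group-addressed frames: packet numbers must grow."""
        if pn <= self.gtk_replay:
            return False
        self.gtk_replay = pn
        return True


def reused_nonces(supplicant):
    """Nonces that were used more than once under the same key."""
    seen, dups = set(), []
    for n in supplicant.nonces:
        if n in seen:
            dups.append(n)
        seen.add(n)
    return dups


def run_scenario(ignore_reinstall):
    """Returns (reused unicast nonces, whether a replayed broadcast passed)."""
    s = Supplicant(ignore_reinstall)
    s.on_message3(ptk="PTK-1", gtk="GTK-1")   # handshake completes normally
    s.send_unicast()
    s.send_unicast()
    assert s.accept_broadcast(1)               # first broadcast under GTK-1
    s.on_message3(ptk="PTK-1", gtk="GTK-1")   # the same message 3 once more
    s.send_unicast()
    s.send_unicast()
    replay_accepted = s.accept_broadcast(1)   # an old broadcast, pn 1, again
    return reused_nonces(s), replay_accepted


if __name__ == "__main__":
    print("reinstalling supplicant:", run_scenario(ignore_reinstall=False))
    print("hardened supplicant:    ", run_scenario(ignore_reinstall=True))
```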

Pierluigi Paganini

(Security Affairs – KRACK attack, WPA)


Windows 10 Ransomware Protection Bypassed Using DLL Injection


In Windows 10, Microsoft added a new ransomware protection feature called Controlled Folder Access that can be used to prevent modifications to files in protected folders by unknown programs. 

At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.

Bypassing Controlled Folder Access using DLL injection

Controlled Folder Access is a feature that allows you to protect folders and the files inside them so that they can only be modified by an application that is whitelisted. The whitelisted applications are either ones that you specify or ones that are whitelisted by default by Microsoft.

Knowing that the explorer.exe program is whitelisted in Controlled Folder Access, Soya Aoyama, a security researcher at Fujitsu System Integration Laboratories Ltd., figured out a way to inject a malicious DLL into Explorer when it is started. Since Explorer is whitelisted, when the DLL is injected it will launch and be able to bypass the ransomware protection feature.

To do this, Aoyama relied on the fact that when explorer.exe starts, it will load DLLs found under the HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers registry key shown below.

Regedit

The HKEY_CLASSES_ROOT tree is a merge of registry information found in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. When performing the merge, Windows gives the data in the HKCU tree precedence.

This means that if a key exists in HKCU, it would take precedence over the same key in HKLM, and be the data merged into the HKEY_CLASSES_ROOT tree. I know this can be a bit confusing, so you can read this document for more information. 

By default, when Explorer starts it loads Shell.dll from the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 key. To load the malicious DLL into explorer.exe instead, Aoyama simply created an HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 key and set its default value to the path of the malicious DLL.

Now when Explorer.exe is killed and restarted, the malicious DLL will be launched inside explorer.exe rather than Shell.dll.  You can see an example of the DLL injected into explorer.exe below.

Process Explorer

Unfortunately, not only did this bypass Controlled Folder Access, but it also was not detected by Windows Defender. In fairness to Microsoft, according to Aoyama’s tests it was not detected by Avast, ESET, Malwarebytes Premium, or McAfee either, all of which have ransomware protection.

For more details and to see Aoyama’s DerbyCon talk and demonstration, you can view the video below.

MSRC responds to vulnerability report

Aoyama has stated that before he gave this presentation he had responsibly disclosed this vulnerability to the Microsoft Security Response Center and included a proof-of-concept that could be used to bypass Controlled Folder Access.

Microsoft, though, did not feel that this was a vulnerability that warranted a bounty or that requires a patch.

“If I am interpreting your findings correctly, this report is predicated on the attacker having login access to the target’s account already,” stated Microsoft’s response to Aoyama. “Followed by planting a DLL through registry modifications. Since you are only able to write to the HKCU, you will not be able to affect other users, just the target you have already compromised through other means. There also does not appear to be an escalation of privileges and you already had the same access level as the target.”

Unfortunately, ransomware does not need an escalation of privileges to encrypt a victim’s computer. Yes, it needs it to clear the shadow volume copies, but a malware developer can use other exploits or methods to execute vssadmin.

What this does allow is for malware to be installed without administrative privileges and still be able to bypass the ransomware protection of Controlled Folder Access. This does not sound like a good thing.
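A defender-side check for the registry trick described above, added as an example (not Aoyama’s proof-of-concept or anything from Microsoft): it lists CLSIDs whose per-user InProcServer32 registration would take precedence over the machine-wide one in the merged HKEY_CLASSES_ROOT view. On Windows it reads the live registry through the standard-library winreg module; elsewhere it runs on constructed sample data. The second CLSID and all file paths are made up for the example; the first CLSID is the one named in the article.

```python
import sys

# Constructed sample data: InProcServer32 default values as seen in each hive.
SAMPLE_HKLM = {
    "{90AA3A4E-1CBA-4233-B8BB-535773D48449}": r"C:\Windows\System32\Shell.dll",
    "{11111111-2222-3333-4444-555555555555}": r"C:\Windows\System32\benign.dll",
}
SAMPLE_HKCU = {
    # same target as HKLM, only the case differs: not a finding
    "{11111111-2222-3333-4444-555555555555}": r"c:\windows\system32\benign.dll",
    # per-user override of the context-menu handler CLSID from the article
    "{90AA3A4E-1CBA-4233-B8BB-535773D48449}": r"C:\Users\alice\AppData\Local\Temp\evil.dll",
}


def find_clsid_overrides(hklm_servers, hkcu_servers):
    """Return (clsid, hklm_path, hkcu_path, reason) for every per-user COM
    registration that wins in the merged HKEY_CLASSES_ROOT view.

    HKCU takes precedence during the merge, so an HKCU InProcServer32 value
    that differs from the HKLM one redirects whichever process loads that
    CLSID (explorer.exe for context-menu handlers) to a different DLL.
    Entries that exist only in HKCU are reported too, at lower priority,
    since per-user installers legitimately create some of those.
    """
    findings = []
    for clsid, user_path in hkcu_servers.items():
        machine_path = hklm_servers.get(clsid)
        if machine_path is None:
            findings.append((clsid, None, user_path, "registered in HKCU only"))
        elif machine_path.lower() != user_path.lower():
            findings.append((clsid, machine_path, user_path, "HKCU shadows HKLM"))
    return findings


def read_inproc_servers(hive, base=r"Software\Classes\CLSID"):
    r"""Enumerate CLSID\{...}\InProcServer32 default values under one hive.
    Windows only. Values using %SystemRoot% are returned unexpanded."""
    import winreg
    servers = {}
    with winreg.OpenKey(hive, base) as clsid_key:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(clsid_key, index)
            except OSError:            # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(clsid_key, clsid + r"\InProcServer32") as k:
                    path, _ = winreg.QueryValueEx(k, "")
                servers[clsid] = str(path)
            except OSError:            # CLSID without an in-process server
                continue
    return servers


def main():
    if sys.platform == "win32":
        import winreg
        hklm = read_inproc_servers(winreg.HKEY_LOCAL_MACHINE)
        hkcu = read_inproc_servers(winreg.HKEY_CURRENT_USER)
    else:
        hklm, hkcu = SAMPLE_HKLM, SAMPLE_HKCU
    for clsid, machine, user, reason in find_clsid_overrides(hklm, hkcu):
        print(f"{reason}: {clsid}\n  HKLM -> {machine}\n  HKCU -> {user}")


if __name__ == "__main__":
    main()
```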


National Cybersecurity Awareness Month: Careers in Cybersecurity

Original release date: October 09, 2018

October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. The month’s themes educate students and professionals about cybersecurity attack methods, best practices, and preventive measures and are geared toward informing the next generation of cybersecurity professionals. It is critical that today’s students graduate ready to enter the workforce and are open to learning more about the growing field of cybersecurity.

NCCIC encourages interested candidates to review the following resources for information on cybersecurity employment opportunities:




Apple to Congress: Chinese spy-chip story is “simply wrong”


Apple CEO Tim Cook.

Apple isn’t relenting in its attacks on last week’s Bloomberg story claiming that tiny Chinese chips had compromised the security of Apple and Amazon data centers. In a Monday letter to Congress, Apple wrote that the claims in the Bloomberg story were “simply wrong.”

Bloomberg’s story, published last Thursday, claimed that the Chinese government had secretly added spy chips to the motherboards of servers sold by Supermicro. According to Bloomberg, these servers wound up in the data centers of almost 30 companies, including Apple and Amazon. But the three companies featured in the story—Apple, Amazon, and Supermicro—have all issued broad and strongly worded denials.


Google+ Shutting Down After Bug Leaks Info of 500k Accounts


Google has announced that it is closing the consumer functionality of Google+ due to a lack of adoption and an API bug that leaked the personal information of up to 500,000 Google+ accounts.

While no evidence was found that indicates this bug was ever misused, it was determined that the complexity of protecting and operating a social network like Google+ was not a worthwhile endeavor when so few users actually used the service for any length of time.

“This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” stated a blog post by Google regarding the Google+ closure. “The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.”

The consumer functionality of Google+ will be closing over a 10-month period, while Google transitions the product into a service for internal enterprise use.

API bug caused data leak

After performing a code review of the Google+ APIs, called Project Strobe, Google stated they discovered a bug that could leak the private information of Google+ accounts. This bug could allow a user’s installed apps to utilize the API and access non-public information belonging to that user’s friends. The non-public information that was accessible includes an account holder’s name, email address, occupation, gender and age.

Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs:

  • Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.

  • The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.  

  • This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.

  • We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.

As Google only keeps two weeks of API logs for its Google+ service, it was impossible for them to determine if the bug was ever misused. They were able to determine that the bug was not misused during the two weeks that they had log data.

Google knew about leak in May but did not disclose

According to a report by the Wall Street Journal, the bug in the Google+ API existed between 2015 and March 2018, which was when Google discovered and fixed the bug. According to their reporting, an internal committee at Google decided not to disclose the bug even though they were not 100% sure that it was not abused.

The Wall Street Journal, reported that they have reviewed a memo prepared by Google’s legal and policy staff, which indicated that disclosing the data breach could lead to scrutiny by government regulatory agencies.

“disclosing the incident would likely trigger ‘immediate regulatory interest’ and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.”

Google, on the other hand, stated that their Privacy & Data Protection Office felt it did not need to be disclosed as it did not meet the threshold that would warrant disclosure.

“Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” reads Google’s statement. “None of these thresholds were met in this instance.”

Read Full Article

APT28 group return to covert intelligence gathering ops in Europe and South America.

Read Full Article


Experts from Symantec collected evidence that APT28 group returns to covert intelligence gathering operations in Europe and South America.

The state-sponsored APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) seems to have shifted the focus of its operations away from election interference to cyber espionage activities.

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

According to experts from Symantec, the group is now actively conducting cyber espionage campaigns against government and military organizations in Europe and South America.

Starting in 2017 and continuing into 2018, the APT28 group returned to covert intelligence gathering operations in Europe and South America.

“After receiving an unprecedented amount of attention in 2016, APT28 has continued to mount operations during 2017 and 2018. However, the group’s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering,” reads the analysis published by Symantec.

“The organizations targeted by APT28 during 2017 and 2018 include:

  • A well-known international organization
  • Military targets in Europe
  • Governments in Europe
  • A government of a South American country
  • An embassy belonging to an Eastern European country”


The cyberespionage group used several malware and hacking tools from its arsenal, including the Sofacy backdoor, which is composed of two main components: Trojan.Sofacy (aka Seduploader), used for basic reconnaissance, and Backdoor.SofacyX (aka X-Agent), used as second-stage info-stealing malware.

The APT group is also using the recently discovered LoJax UEFI rootkit, which allows the attackers to maintain persistence on the infected machine even if the operating system is reinstalled and the hard drive is replaced.

Symantec researchers also highlighted possible links to other espionage operations, including the Earworm group, which has been active since at least May 2016 and is involved in intelligence-gathering operations against military targets in Europe, Central Asia, and Eastern Asia.

The Earworm group carried out spear-phishing campaigns aimed at delivering the Trojan.Zekapab downloader and the Backdoor.Zekapab.

Experts noticed some overlap with the command and control infrastructures used by Earworm and APT28.

“During 2016, Symantec observed some overlap between the command and control (C&C) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe (the U.S. government code name for APT28 and related actors), implying a potential connection between Earworm and APT28. However, Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group,” continues the report.

The information gathered by Symantec demonstrates that APT28 is still very active and continues to change its Tactics, Techniques, and Procedures (TTPs) to remain under the radar.

Pierluigi Paganini

(Security Affairs – APT28, hacking)
Read Full Article