Category Archives: Risk Assessment

Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA

Malware that WikiLeaks purports belongs to the Central Intelligence Agency has been definitively tied to an advanced hacking operation that has been penetrating governments and private industries around the world for years, researchers from security firm Symantec say.

Longhorn, as Symantec dubs the group, has infected governments and companies in the financial, telecommunications, energy, and aerospace industries since at least 2011 and possibly as early as 2007. The group has compromised 40 targets in at least 16 countries across the Middle East, Europe, Asia, Africa, and on one occasion, in the US, although that was probably a mistake.

Uncanny resemblance

Malware used by Longhorn bears an uncanny resemblance to tools and methods described in the Vault7 documents. Near-identical matches are found in cryptographic protocols, source-code compiler changes, and techniques for concealing malicious traffic flowing out of infected networks. Symantec, which has been tracking Longhorn since 2014, didn't positively link the group to the CIA, but it has concluded that the malware Longhorn used over a span of years is included in the Vault7 cache of secret hacking manuals that WikiLeaks says belonged to the CIA. Virtually no one is disputing WikiLeaks' contention that the documents belong to the US agency.

Booby-trapped Word documents in the wild exploit critical Microsoft 0day

Update, 4/10/2017, 9:20 AM California time: Security experts are reporting that Microsoft will patch the vulnerability on Tuesday. In the meantime, users can block code-execution exploits by setting the following Windows registry values under Software\Microsoft\Office\15.0\Word\Security\FileBlock: RtfFiles to 2 and OpenInProtectedView to 0. (The 15.0 path applies to Office 2013; other releases use their own version number in that path, for example 16.0 for Office 2016, and the setting stops Word from opening any RTF file, not just malicious ones.) What follows is the report as it was published on Saturday.

There's a new zero-day attack in the wild that's surreptitiously installing malware on fully patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that's disguised to look like a document created in Microsoft's Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from "different well-known malware families."
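The attack chain above hinges on a file that is not what its name claims: an HTML application served as if it were Rich Text Format, pulled down by a document that reaches out to a remote server on open. The following content-sniffing check is an added example, not code from the article or from FireEye. It tests three things a mail gateway or an analyst can check offline: whether a purported RTF actually begins with the `{\rtf` header, whether it carries HTA or script markers that have no business in an RTF, and whether it embeds an OLE object flagged to update itself on open. The RTF control words and HTA markers are ordinary syntax for those formats; using them as indicators, and the sample files, are this example's own constructions.

```python
"""Content-sniffing triage for attachments that claim to be RTF.

Added example, not the article's or FireEye's code. The samples below are
constructed; the indicator list is a heuristic, not a signature.
"""
import re

RTF_MAGIC = b"{\\rtf"

# Markers that belong to an HTML Application (.hta), never to a real RTF.
HTA_MARKERS = (b"<hta:application", b"<script", b"createobject(", b"wscript.shell")

# RTF control words that embed an OLE object, and the variants that ask Word
# to refresh a linked object when the document is opened.
OLE_OBJECT = re.compile(rb"\\object\b")
OLE_DATA = re.compile(rb"\\objdata\b")
OLE_AUTO = re.compile(rb"\\objautlink\b|\\objupdate\b")


def classify_rtf_attachment(data: bytes):
    """Return (verdict, reasons) for bytes that arrived under an .rtf name.

    verdict is "clean", "review" (embedded object worth a look) or "block"
    (not RTF at all, HTA content, or an auto-updating linked object).
    """
    reasons = []
    has_header = data.lstrip().startswith(RTF_MAGIC)
    lowered = data.lower()

    if not has_header:
        reasons.append("no {\\rtf header: not RTF despite the extension")

    markers = [m.decode() for m in HTA_MARKERS if m in lowered]
    if markers:
        reasons.append("HTA/script markers present: " + ", ".join(markers))

    auto_update = False
    if OLE_OBJECT.search(data) and OLE_DATA.search(data):
        auto_update = OLE_AUTO.search(data) is not None
        if auto_update:
            reasons.append("embedded OLE object set to auto-update/link on open")
        else:
            reasons.append("embedded OLE object (review before opening)")

    if not reasons:
        return "clean", reasons
    if not has_header or markers or auto_update:
        return "block", reasons
    return "review", reasons


# Constructed samples for the four cases the check distinguishes.
SAMPLES = {
    "plain_rtf": b"{\\rtf1\\ansi Quarterly figures attached.\\par}",
    "hta_as_rtf": (b"<html><head><HTA:APPLICATION ID='x'></head>"
                   b"<script>var s=new ActiveXObject('WScript.Shell');</script></html>"),
    "rtf_autolink": b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 0105000002000000}}}",
    "rtf_embedded": b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
}


def scan_samples():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_rtf_attachment(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reasons = classify_rtf_attachment(data)
        print(f"{name:14s} {verdict:7s} {'; '.join(reasons)}")
```

A check like this is triage, not a fix: an attacker can prepend a valid header to an HTA or hide the link behind obfuscated control words, and the real protection is the vendor patch together with Protected View for files from the Internet. What the check does buy is a cheap, offline way to spot the mismatch between a file's claimed format and its content before a user double-clicks it.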

WikiLeaks just dropped the CIA’s secret how-to for infecting Windows

The logo of the CIA's Engineering Development Group (EDG), the home of the spy agency's malware and espionage tool developers. (credit: Central Intelligence Agency)

WikiLeaks has published what it says is another batch of secret hacking manuals belonging to the US Central Intelligence Agency as part of its Vault7 series of leaks. The site is billing Vault7 as the largest publication of intelligence documents ever.

Friday's installment includes 27 documents related to "Grasshopper," the codename for a set of software tools used to build customized malware for Windows-based computers. The Grasshopper framework provides building blocks that can be combined in unique ways to suit the requirements of a given surveillance or intelligence operation. The documents are likely to be of interest to potential CIA targets looking for signatures and other signs indicating their Windows systems were hacked. The leak will also prove useful to competing malware developers who want to learn new techniques and best practices.

"Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating system," one user guide explained. "An operator uses the Grasshopper builder to construct a custom installation executable." The guide continued:

Do you want to play a game? Ransomware asks for high score instead of money

Rensenware's warning screen asks for a high score, rather than the usual pay off, to decrypt your files.

At this point, Ars readers have heard countless tales of computer users being forced to pay significant sums to unlock files encrypted by ransomware. So we were a bit surprised when word started to trickle out about a new bit of ransomware that doesn't ask for money. Instead, "Rensenware" forces players to get a high score in a difficult PC shoot-em-up to decrypt their files.

As Malware Hunter Team noted yesterday, users on systems infected with Rensenware are faced with the usual ransomware-style warning that "your precious data like documents, musics, pictures, and some kinda project files" have been "encrypted with highly strong encryption algorithm." The only way to break the encryption lock, according to the warning, is to "score 0.2 billion in LUNATIC level" on TH12 ~ Undefined Fantastic Object. That's easier said than done, as this gameplay video of the "bullet hell" style Japanese shooter shows.

Gameplay from TH12 ~ Undefined Fantastic Object on Lunatic difficulty. Players hit by Rensenware needed to score 200 million points to unlock their files.

As you may have guessed from the specifics here, Rensenware was created more in the spirit of fun than maliciousness. After Rensenware was publicized on Twitter, its creator, who goes by Tvple Eraser on Twitter and often posts in Korean, released an apology for releasing what he admitted was "a kind of highly-fatal malware."

Rash of in-the-wild attacks permanently destroys poorly secured IoT devices

Researchers have uncovered a rash of ongoing attacks designed to damage routers and other Internet-connected appliances so badly that they become effectively inoperable.

PDoS attack bots (short for "permanent denial-of-service") scan the Internet for Linux-based routers, bridges, or similar Internet-connected devices that require only factory-default passwords to grant remote administrator access. Once the bots find a vulnerable target, they run a series of highly debilitating commands that wipe all the files stored on the device, corrupt the device's storage, and sever its Internet connection. Given the cost and time required to repair the damage, the device is effectively destroyed, or bricked, from the perspective of the typical consumer.

Over a four-day span last month, researchers from security firm Radware detected roughly 2,250 PDoS attempts on devices they made available in a specially constructed honeypot. The attacks came from two separate botnets—dubbed BrickerBot.1 and BrickerBot.2—with nodes for the first located all around the world. BrickerBot.1 eventually went silent, but even now the more destructive BrickerBot.2 attempts a log-on to one of the Radware-operated honeypot devices roughly once every two hours. The bots brick real-world devices that have the telnet protocol enabled and are protected by default passwords, with no clear sign to the owner of what happened or why.
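The behaviour the two paragraphs above describe, a default-credential telnet login followed by commands that wipe files, corrupt flash storage and cut the network, is exactly what a honeypot operator wants to classify automatically. The following triage routine is an added example, not Radware's code and not BrickerBot's actual command list. It runs over a constructed telnet session transcript, tags each command with the destructive effect it produces, and returns a verdict; the credential list and the command patterns are this example's own illustration of the three effect categories, and real bots vary in what they type.

```python
"""Triage of captured telnet sessions for device-bricking (PDoS) behaviour.

Added example, not Radware's code or BrickerBot's real command list. The
transcripts below are constructed; the patterns illustrate the three effects
the article describes: wiping files, corrupting storage, severing the link.
"""
import re
from collections import Counter

# Factory-default credential pairs often tried by IoT bots (assumed list).
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"),
                 ("root", "vizxv"), ("admin", "1234")}

# Each pattern is tagged with the destructive effect it produces on a
# Linux-based embedded device.
DESTRUCTIVE = [
    (re.compile(r"\brm\s+-rf\s+/\*?"), "wipe-files"),
    (re.compile(r"\bdd\s+if=/dev/(u?random|zero)\s+of=/dev/(mtd|mmcblk|sd)"), "corrupt-storage"),
    (re.compile(r"\bcat\s+/dev/urandom\s*>\s*/dev/(mtd|mmcblk|sd)"), "corrupt-storage"),
    (re.compile(r"\bflash_eraseall\b|\bmtd_write\b"), "corrupt-storage"),
    (re.compile(r"\biptables\s+(-A|-I)\s+(INPUT|OUTPUT|FORWARD)\s+-j\s+DROP\b"), "sever-network"),
    (re.compile(r"\b(route|ip\s+route)\s+del\s+default\b"), "sever-network"),
    (re.compile(r"\bifconfig\s+\S+\s+down\b"), "sever-network"),
]

# Assumed honeypot transcript format: one line per event.
LOGIN_RE = re.compile(r"^login user=(\S+) pass=(\S+)$")
CMD_RE = re.compile(r"^cmd (.*)$")


def triage_session(lines):
    """Classify one session transcript.

    Returns the credentials used, whether they are a factory default, a count
    of destructive effects seen and a verdict: "pdos" when the session both
    destroys data/storage and cuts the network, "destructive" for any single
    destructive effect, otherwise "benign".
    """
    creds = None
    effects = Counter()
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            creds = (m.group(1), m.group(2))
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        for pattern, effect in DESTRUCTIVE:
            if pattern.search(m.group(1)):
                effects[effect] += 1

    if {"wipe-files", "corrupt-storage"} & set(effects) and "sever-network" in effects:
        verdict = "pdos"
    elif effects:
        verdict = "destructive"
    else:
        verdict = "benign"
    return {"creds": creds, "default_login": creds in DEFAULT_CREDS,
            "effects": dict(effects), "verdict": verdict}


# Constructed transcripts: a bricking session and a default-credential
# login that only looks around (the kind of visit a recruiting bot makes).
SESSION_PDOS = [
    "login user=root pass=vizxv",
    "cmd busybox cat /dev/urandom > /dev/mtdblock0 &",
    "cmd rm -rf /*",
    "cmd iptables -A INPUT -j DROP",
    "cmd route del default",
    "cmd reboot",
]
SESSION_RECON = [
    "login user=admin pass=admin",
    "cmd cat /proc/cpuinfo",
    "cmd busybox ps",
]

if __name__ == "__main__":
    for name, session in (("pdos", SESSION_PDOS), ("recon", SESSION_RECON)):
        print(name, triage_session(session))
```

The split between "pdos" and "destructive" matters for response: a session that only drops a firewall rule may be a misconfiguration probe, whereas one that overwrites the flash block device and then cuts the uplink leaves the owner with a dead box and, as the article notes, no clue why. Either way, the `default_login` flag is the actionable finding for device owners: the attack never gets past the first line of the transcript if telnet is disabled or the factory password has been changed.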

Android devices can be fatally hacked by malicious Wi-Fi networks

A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated Nexus 6P "by Wi-Fi proximity alone, requiring no user interaction."

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.

Samsung’s Tizen is riddled with security flaws, amateurishly written

Samsung's Smart TV interface, which seems to be running on Tizen. (credit: Samsung)

Tizen, the open source operating system that Samsung uses on a range of Internet-of-Things devices and positions as a sometime competitor to Android, is chock full of egregious security flaws, according to Israeli researcher Amihai Neiderman.

Samsung has been developing the operating system for many years. The project started as an Intel and Nokia project, and Samsung merged its Bada operating system into the code in 2013. Like Android, it's built on a Linux kernel, with a large chunk of open source software running on top. App development on Tizen uses C++ and HTML5.

Presenting at Kaspersky Lab's Security Analyst Summit and speaking to Motherboard, Neiderman had little positive to say about the state of Tizen's code. "It may be the worst code I've ever seen," Neiderman said. "Everything you can do wrong there, they do it."

Found: Quite possibly the most sophisticated Android espionage app ever

Researchers have uncovered one of the most advanced espionage apps ever written for the Android mobile operating system. They found the app after it had infected a few dozen handsets.

Pegasus for Android is the companion app to Pegasus for iOS, a full-featured espionage platform that was discovered in August infecting the iPhone of a political dissident located in the United Arab Emirates. Researchers from Google and the mobile-security firm Lookout found the Android version in the months following, as they scoured the Internet. Google said an Android security feature known as Verify Apps indicated the newly discovered version of Pegasus had been installed on fewer than three-dozen devices.

"Pegasus for Android is an example of the common feature-set that we see from nation states and nation state-like groups," Lookout researchers wrote in a technical analysis published Monday. "These groups produce advanced persistent threats (APT) for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world."

iOS 10.3.1 includes bug fixes and improves the security of your iPhone or iPad

iOS 10.3.1 is out. The release notes don't specify what it fixes that wasn't addressed in the wide-ranging iOS 10.3 update released just a week ago, but we do know that this new update includes bug fixes and improves the security of your iPhone or iPad. Specifically, according to the more detailed notes on Apple's security page, 10.3.1 addresses a buffer overflow that could be exploited to execute code on your phone or tablet's Wi-Fi chip.

The bug is credited to Google's Project Zero, which discloses bugs to the public 90 days after telling companies about them to encourage faster security patches.

Apple released a beta of iOS 10.3.2 last week shortly after releasing iOS 10.3. It will likely go through a handful of additional beta builds and be released to the public in a month or two. We don't expect it to change much, given that the public reveal of iOS 11 in June is just a couple of months away.

Smart TV hack embeds attack code into broadcast signal—no access required

A screen shot showing the exploit taking control of a Samsung TV.

A new attack that uses terrestrial radio signals to hack a wide range of Smart TVs raises an unsettling prospect—the ability of hackers to take complete control of a large number of sets at once without having physical access to any of them.

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

"Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways," Rafael Scheel, the security consultant who publicly demonstrated the attack, told Ars. "Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV's camera and microphone."
