Friday, June 23, 2017

Honda halted production in a factory after finding WannaCry traces in its networks

The WannaCry ransomware makes the headlines once again, The Honda Company to stopped the production in one of its plant in Japan after discovering the malware in its computer networks,
The Honda automaker halted the activities in the Sayama plant northwest of Tokyo on Monday after finding that the WannaCry ransomware had infected systems in its networks across Japan, North America, Europe, China, and other regions,
According to the Reuters agency, the experts discovered the infection on Sunday.
“The automaker shut production on Monday at its Sayama plant, northwest of Tokyo, which produces models including the Accord sedan, Odyssey Minivan and Step Wagon compact multipurpose vehicle and has a daily output of around 1,000 vehicles.” states the article.
“Honda discovered on Sunday that the virus had affected networks across Japan, North America, Europe, China and other regions, a spokeswoman said, despite efforts to secure its systems in mid-May when the virus caused widespread disruption at plants, hospitals and shops worldwide.”
According to the company, the production at other plants had not been affected, according to a Honda Spokesman, regular operations at the Sayama plant had resumed on Tuesday.
It is still unclear why the WannaCry ransomware was present in the Honda networks 5 weeks after its discovery,
WannaCrypt ransomware
the unique certainly is that the company had yet to patch its systems with the highly critical patch that Microsoft released in March.
One possibility is that IT staff at the company has inadvertently blocked the access to the kill switch domain that partially stopped the infections. That would have caused the WannaCry propagation inside the Honda networks.
We cannot exclude that the shutdown of Sayama plant was a  precautionary measure to eradicate dormant instance of the ransomware.
Honda wasn’t the only company forced to shut down its networks due to WannaCry, other automakers like Renault and Nissan Motor were affected and were forced to halt productions in plants in Japan, Britain, France, Romania, and India.
It’s my opinion that the failure in responding the WannaCry attack was primarily caused by the failure of patch management processes. Don’t forget that systems across the world were infected by ransomware that was exploiting a flaw that was already fixed by a two-month-old patch.

Attackers can exploit electronic cigarettes to hack computers

In November 2014, in a discussion started on the Reddit news media website it has been debated the case of a malware implanted by using electronic cigarettes connected over USB.
Hackers are able to exploit any electronic device to deliver a malware in a poorly protected network. Electronic cigarettes could be an attack vector, the idea may appear hilarious, many electronic cigarettes can be charged over USB, using a special cable or by inserting one end of the cigarette directly into a USB port.
The report posted on the social news Reddit website reported a strange case happened to an executive that discovered a malware in his system without immediately identify its source.
“One particular executive had a malware infection on his computer from which the source could not be determined,” reported a Reddit user “After all traditional means of infection were covered, IT started looking into other possibilities.
Investigating on the case, the man discovered that the electronic cigarettes were infected by a malware hardcoded into the charger, once the victim will connect it to the computer the malicious code will contact the C&C server to drop other malicious code and infect the system
Electronic cigarettes or vape pens properly modified could be an effective hacking tool to infect a targeted computer.
The security researcher Ross Bevington presented at BSides London how to use electronic cigarettes to compromise a computer by tricking it to believe that it was a keyboard.The researchers also explained that it is BSides London how to use electronic cigarettes to compromise a computer by tricking it to believe that it was a keyboard.
It is important to note that Bevington’s attack required the victim’s machine to be unlocked.
“PoisonTap is a very similar style of attack that will even work on locked machines,” Mr Bevington told Sky News.
The researchers also explained that it is possible to use the electronic cigarettes to interfere with its network traffic.
E-cigarettes are powered by a rechargeable lithium-ion battery that can be plugged into a cable or directly connects to the USB port of a computer.
“Security researchers have demonstrated how e-cigarettes can easily be modified into tools to hack computers.” reported SkyNews.
“With only minor modifications, the vape pen can be used by attackers to compromise the computers they are connected to – even if it seems just like they are charging.”
The researcher @FourOctets published a proof-of-concept video which showed arbitrary commands being sent to an unlocked laptop just by charging a vape pen.
Fouroctets modified the vape pen by simply adding a hardware chip which allowed the device to communicate with the laptop as if it were a keyboard or mouse.
“A pre-written script that was saved on the vape made Windows open up the Notepad application and typed “Do you even vape bro!!!!” reported SkyNews.
Enjoy the video!

National Security Agency opens the NSA Github Account that already lists 32 Projects

The National Security Agency has opened its GitHub account and presented an official GitHub page. The US intelligence agency employees numerous excellent experts that in the past demonstrated extraordinary abilities in developing hacking tools, exploits and surveillance solutions.
The work of the NSA experts was secret until the Snowden’s revelations, but now the Agency seems to be more social and the creation of the Github account demonstrates it.
Giving a look at the GitHub account we can notices that the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are ‘coming soon.’
“The NSA Technology Transfer Program (TTP) transfers NSA-developed technology to industry, academia, and other research organizations, benefitting the economy and the Agency mission. The program has an extensive portfolio of patented technologies across multiple technology areas” states the description of the NSA program.
Many projects shared by the NSA are very old and were already available online, such as the SELinux (Security-Enhanced Linux).
“The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace,” the agency wrote on the program’s page
“OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community’s enhancements to the technology.”
NSA Github Account
Other NSA’s open source projects are below:
  • Certificate Authority Situational Awareness (CASA): A Simple tool that Identifies unexpected and prohibited certificate authority certificates on Windows systems.
  • Control Flow Integrity: A hardware-based technique to prevent memory corruption exploitations.
  • GRASSMARLIN: It provides IP network situational awareness of ICS and SCADA networks to support network security.
  • Open Attestation: A project to remotely retrieve and verify system integrity using Trusted Platform Module (TPM).
  • RedhawkSDR: It is a software-defined radio (SDR) framework that provides tools to develop, deploy, and manage software radio applications in real-time.
  • OZONE Widget Framework (OWF): It is basically a web application, which runs in your browser, allows users to create lightweight widgets and easily access all their online tools from one location.
The full list of NSA’s projects is available here.

Two Ztorg Trojans Removed from Google Play Store Are Definitely Better

Most software developers update their apps to patch vulnerabilities and add new features. But when the software is malware, an update could be the worst thing to do. The Google Play Store is always working to prevent malware from being downloaded by unsuspecting users and recently two apps built with the Ztorg malware were removed. The two apps, “Magic Browser” and “Noise Detector,” are believed to have been benign when they were originally uploaded to the Play Store, but the bad guys were updated the software using the malware toolkit over time.
Ztorg Trojans
The Ztorg Malware toolkit was identified by Kaspersky Labs in September, 2016 with “Guide for Pokémon Go.” At the time it was identified the Guide had been downloaded over 500,000 times and researchers estimate at least 6,000 successful infections. Since that time, dozens of apps associated with Ztorg have been distributed and eventually removed from the Google Play Store. And like all good developers, the bad guys using Ztorg are adding features and capabilities over time.
Once the initial app is installed, it utilizes a wide range of advanced techniques to evade detection, get updates from the Command and Control infrastructure and ultimately try to get Root on the phone. From Fortinet researchers:
  • It implements many emulator detection features. It detects the Android SDK emulator, but also emulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. Several of its checks will be difficult to bypass.
  • It uses string obfuscation, based on XOR.
  • It communicates with a remote server using DES-CBC encryption.
  • It downloads, installs and launches an Android application from that remote server.
What happens when your smartphone is infected with a Ztorg trojan? Like most malware, the bad guys’ ultimate objective is to make money. Initial Ztorg trojans leveraged AdWare to generate money for the bad guys through legitimate advertising networks. Some of the techniques included redirecting webpages, messing with search results and collecting information about what sites you visit. These are legitimate, if unwanted, business activities, but in the case of the bad guys distributing trojan apps, the users participate unknowingly. The bad guys get all the profits, and the users get a poorly performing phone, that may even become unstable or unusable.
The two apps recently removed from the Google Play Store, “Magic Browser” and “Noise Detector” show an evolution of Ztorg Trojan capabilities and include some nifty new techniques for making illegitimate money. Premium Rate SMS is a business model where an individual sends a specific text message and the fees are automatically charged to the user’s mobile phone bill. For example, you could donate money for disaster relief simply by texting an amount with your phone. The latest Ztorg trojan leverages this Premium Rate SMS system, with the proceeds going to the bad guys. And like the rest of the Ztorg system, they use some sophisticated techniques to maximize their profits and minimize their chances of being caught.
Once infected, the trojan lies dormant for 10 minutes. In this way, if the user notices something odd, they are less likely to associate it with the app they just installed. After the delay, the trojan sends the first five digits of the phone’s International Mobile Subscriber Identity (IMSI) to the C&C servers. This part of the IMSI identifies what network the phone is connected to, and in what country. With this information the C&C can determine which Premium Rate SMS services are available and the trojan starts racking up the bills. And since most of these SMS services will reply with a txt message receipt or notice, the Ztorg Trojans delete incoming SMS messages. It seems obvious that a user would notice missing legitimate messages, but in the meantime the bad guys are counting their profits.
Mobile phones are convenient because they are compact, powerful and use a lot of simple shortcuts to makeup for the lack of a keyboard and a large screen. App stores make it easy to install new apps but it isn’t always obvious what the apps themselves are doing.
“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible. Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” says Roman Unuchek, researcher at Kaspersky Labs.

TrickBot gang is back with new campaigns targeting Payment Processors and CRM Providers

Threat actors behind Banking Trojan TrickBot switched from financial institutions to Payment processors and CRM providers.
TrickBot was initially observed in September 2016 by the researchers at security firm Fidelis Cybersecurity, that linked it to the Dyre banking trojan.
The security firm first spotted the TrickBot malware in September while it was used by crooks to target the customers of Australian banks (ANZ, Westpac, St. George and NAB).
The first TrickBot samples analyzed by the experts were implementing a single data stealer module, but a few weeks later, the researchers discovered a new sample including webinjects that appear to be in the testing phase.
In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.” reads the analysis published by Fidelis Cybersecurity.
“This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.”
TrickBot and Dyre have many similarities, the code of the new banking trojan seems to have been rewritten with a different coding style, but maintaining many functionalities.
The malware was used in a number of attacks at the end of 2016 targeting banks in the UK and Australia, and Asian financial institutions.
In May, TrickBot was used to target 20 new private banking brands, eight building societies in the UK, two Swiss banks, private banking platforms in Germany, and four investment banking firms in the U.S.
Researchers at F5 analyzed 26 TrickBot configurations that were active in May 2017 when crooks also targeted two payment processing providers and two Customer Relationship Management (CRM) SaaS providers.
“In the 26 TrickBot configurations F5 researchers analyzed that were active in May 2017, targets expanded beyond banks to include two payment processing providers and two Customer Relationship Management (CRM) SaaS providers.” F5 reports“The fact that payment processors were targets was a notable change that we also observed in Marcher, an Android banking trojan in March of 2017. It appears now that CRMs are a new target of attackers; is it because of their potential for collecting valuable user data that could enhance phishing campaigns?”
The F5 experts analyze two distinct TrickBot infection campaigns that were active in May, they respectively targeted 210 URL targets and 257 URLs. Both campaigns targeted the same US payment processor (PayPal), but according to F5 only the second campaign targeted the CRM providers.
Giving a look at the campaigns the experts discovered:
The first campaign:
  • Banks (83% of URL targets, 18% UK banks)
  • PayPal (a payment processor attributed to the US). 35 different PayPal URLs were also present in the configuration used in the second campaign.
TrickBot gang
The second campaign:
  • Banks in UK (47% of targets).
  • Payment processors with the addition of a new payment processor URL in the UK.
  • CRMs Salesforce.com and an auto sales CRM developed by Reynolds & Reynolds in the US.
Trickbot campaign 2
F5 identified 6 C&C IP addresses belonging European web hosting provider networks, three of which are operated by hosting firms in Asia. All the IP addresses used 443 / HTTPS for communication with the infected hosts in order to avoid detection.
F5 concludes TrickBot gangs has extended their campaigns due to their success.
“It seems the success of TrickBot thus far has influenced the authors to not only repeat their previous target list of banks from previous campaigns but to expand those targets to include new banks globally as well as CRM providers. The fact that C&C servers in these two most recent campaigns reside within web hosting companies is also significant, along with the fact that the C&C servers were different from those used in previous campaigns,” F5 says.

DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed

Researcher Chris Vickery has found nearly 200 million voter records in an unsecured Amazon S3 bucket maintained by Deep Root Analytics (DRA), it is the largest exposure of its kind in history.
The records include the voter’s first and last name, home and mailing address, date of birth, phone number, party affiliation, ethnicity, voter registration data, and a flag should the person appear on the federal Do-Not-Call registry.
The voter files also include other attributes that could have been used for analysis based on ethnicity and religion.
In 2015, Vickery discovered an archive exposed online containing 191 million voter records.
DRA is a Republican big data analytics firm, the popular expert discovered the huge trove of data on June 12, then he reported the issue to the authorities and the company secured it in two days.
The archive contains complete voter files compiled by DRA and at least two other contractors, Target Point Consulting Inc. and Data Trust.
Voter information is considered public, but sometimes it is not easy to access them even if they are freely available. Anyway, it is forbidden the use of such data for commercial purposes.
The archive discovered by Vickery on the DRA S3 bucket (“data_trust”) contains a collection of personal information representing between 150 to 198 million potential voters.
“Salted Hash has seen an example voter record, and many of the profile fields are similar to those from two years ago.” reported Salted Hash.
“Using an internal “RNC ID” – each voter in the database can be uniquely identified and associated with the logged data points.”
The archive discovered by Vickery contains information on 2008, 2012, while data related to 2016 are associated only with details on voters in Ohio and Florida.
Vickery also found another folder in the S3 bucket belonging to Target Point. The records included in the folder used the same “RNC ID” for each voter, but the update timestamps are recent (January 2017).
According to UpGuard’s Dan O’Sullivan, data discovered by the expert “provide a rare glimpse in to a systematic large-scale analytics operation.”
“The result is a database of frightening scope and intrusiveness into the modeled personal and political preferences of most of the country – adding up in total to an unsecured political treasure trove of data which was free to download online.” 
Many of the Target Point data were focused on post-election data, they included scores for potential voters on specific topics.
“For example, one 50 GB file contained scores for potential voters, signifying their potential to support a given policy, such as President Trump’s foreign policy stance of “America First”, or how concerned they’ll be with auto manufacturing as an issue.” states Salted Hash.
The discovery highlights the risks for organizations in using cloud storage without implementing necessary security policies.
Amazon offers several tools and the guidance to secure the infrastructure of its customers, but evidently it is not enough.
Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In December 2015 the security expert discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.
In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.
In March, he announced a 1.37 billion records data leak.