News & Updates

Refuting allegations that its anti-virus product helped Russian spies steal classified files from an NSA employee’s laptop, Kaspersky Lab has released more findings that suggest the computer in question may have been infected with malware.

Moscow-based cyber security firm Kaspersky Lab on Thursday published the results of its own internal investigation claiming the NSA worker who took


Source: http://feeds.feedburner.com/TheHackersNews

(Image credit: Samuel Axon)

While it will be some time before 5G LTE becomes standard, Apple is thinking ahead about how to best incorporate 5G technology into its iPhones. According to a Fast Company report, Apple has been working with Intel to incorporate the chipmaker’s 5G modems in future iPhones while talks with Qualcomm, the world’s biggest modem supplier, have been “limited.”

Qualcomm currently has a more advanced 5G modem than Intel does, but Intel reportedly has “multiple thousands” of employees working on improving its 5G chip. Intel first announced its 5G modem at CES 2017 and announced recently that it completed a “full end-to-end 5G call based on its early 5G silicon.” While Qualcomm’s 5G modem has more specialized carrier features, reports suggest that those features won’t be “widely adopted” by all carriers. Also, Qualcomm’s chips are particularly equipped to support CDMA networks but those may become obsolete over time as 5G infiltrates the industry.

An iPhone with a 5G modem would theoretically be capable of connection speeds of one gigabit per second or more, but the industry’s transition to support 5G will take some time. The report suggests that Intel could supply a 5G modem for an iPhone debuting in 2019 or 2020.


Source: http://feeds.arstechnica.com/arstechnica/index/

Hard to believe that this stuff could cut carbon emissions. (Image credit: Department of Energy)

The boom in natural gas production has been essential to the drop in carbon emissions in the US, as methane, the primary component of natural gas, releases more energy for each carbon atom when burned. But there’s still a carbon atom in each molecule of methane, so switching to natural gas will eventually lead to diminishing returns when it comes to emissions reductions. To keep our climate moderate, we’ll eventually need to move off natural gas, as well.

But two new papers out this week suggest we could use natural gas without burning it. They detail efficient methods of converting methane to hydrogen in ways that let us capture much or all of the carbon left over. The hydrogen could then be burned or converted to electricity in a fuel cell—including mobile fuel cells that power cars. The supply obtained from methane could also be integrated with hydrogen from other sources.

The tech involved is also pretty cool in its own right, involving things like catalysts dissolved in liquid metal and solid materials that allow current to travel through them as protons, rather than as electrons.


Source: http://feeds.arstechnica.com/arstechnica/index/

Researchers are investigating a mysterious wave of attacks in the Middle East that was dubbed MuddyWater due to the confusion in attributing them.

Security experts at Palo Alto Networks are monitoring long-running targeted attacks aimed at entities in the Middle East that are difficult to attribute.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

The threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time the hackers changed their tools and techniques.

“This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming MuddyWater” states the analysis from PaloAlto Networks.

“MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.”

MuddyWater attackers used a set of weaponized documents that were also used in recently observed incidents targeting the Saudi Arabian government. The same set of documents is similar to ones associated with a series of attacks discovered by experts at Morphisec.

The malicious documents associated with this last wave of attacks had been tailored according to the target regions.

Some of the attacks were attributed to FIN7, which launched a campaign aimed at employees involved in SEC filings.

Palo Alto Networks believes that the recent wave of attacks might have been mistakenly associated with the FIN7 group; it also reported that a C&C server delivering the FIN7-linked DNSMessenger tool was used in MuddyWater attacks as well.

The hackers maintained the same final payload while changing delivery methods between attacks.

“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes.

The hackers used well-known tools, including Meterpreter, Mimikatz, LaZagne, Invoke-Obfuscation, and more.

In some recent attacks, the threat actor used GitHub to host the POWERSTATS backdoor.

“In some of their recent attack documents, the attackers also used GitHub as a hosting site for their custom backdoor, POWERSTATS.” continues the analysis.

The attackers maintained a number of GitHub repositories related to their malware.

The experts observed compromised accounts at third-party organizations sending the MuddyWater malware. In one case, the attackers sent a malicious document that appeared nearly identical to a legitimate attachment which Palo Alto later observed being sent to the same recipient.

“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” reported PaloAlto.


According to Palo Alto Networks, past attribution of the attacks was wrong: the group is not financially motivated as previously thought; instead it is politically motivated.

The threat actors might have planted a false flag to make attribution harder.

“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers concluded.


Pierluigi Paganini 

(Security Affairs – MuddyWater , APT)


The post Who is behind MuddyWater in the Middle East? Likely a politically-motivated actor appeared first on Security Affairs.

Source: Security affairs

Someone is (thankfully) missing here, and his name rhymes with “hot-mud-sand.” (Image credit: Warner Bros.)

This week’s feature-length Justice League film benefits as much as it suffers from a “can’t get any worse” reputation. Between the diminishing returns of Zack Snyder as a filmmaker, a crowded cast of new-to-film DC characters, and the incredibly stinky shadow of Batman V Superman, you’d be foolish to go into the latest (and likely final) Snyder DC film with high hopes. Like, even if it’s adequate, that might seem monumental.

With that in mind, Justice League lands almost exactly where I predicted: as a mostly tolerable, occasionally fun, often ponderous, rarely logical attempt to unify the DC Comics film universe. It doesn’t unseat Wonder Woman as the best DC Comics film in recent memory. It’s certainly no Avengers, and, gosh, it isn’t even Avengers: Age of Ultron. But it also won’t live in infamy as another one of DC’s midnight-movie laugh-a-ramas. It’s just acceptably subpar.

Two outta three origins ain’t bad

If you’re desperate to have your pro-DC bias acknowledged, Justice League does kick butt at a couple of things. The film has to juggle a whopping three film-universe origin stories, and it surprisingly succeeds at two of those.


Source: http://feeds.arstechnica.com/arstechnica/index/

The pull of the Force is strong with things like an impeccably rendered Millennium Falcon. (I mean, gosh, that’s purty.) But Star Wars: Battlefront II can’t paint over most of its failings. (Image credit: EA / DICE)

I’ve tried to give the new video game Star Wars: Battlefront II a fair shake, and I tried to do so through three types of fandom, at that. I really dig Star Wars—and I’ve generally appreciated when the series has expanded its universe in video game form. I’m a big fan of DICE as a creator of high-polish, massively multiplayer online shooters. And I thought 2015’s reboot of the Star Wars: Battlefront game series was perfectly satisfactory as an accessible online action game.

I kept all of these optimistic angles in mind as I booted the new game—and as I used my lightsaber of fandom to try to carve through its confusing economies. But that has been Scarif-massacre levels of difficult. Battlefront II ultimately lands as an adequate-but-forgettable combination of polish, bombast, and been-there-done-that shooter tropes. Even after EA’s last-minute about-face, little about the total package makes me eager to recommend it to anybody looking for a family-friendly blaster, a Star Wars-worthy story, or a month-after-month dive into online team combat.

One step forward, how many steps back?


Source: http://feeds.arstechnica.com/arstechnica/index/

JoltandBleed – Oracle issued an emergency patch for vulnerabilities affecting several of its products that rely on the proprietary Jolt protocol.


The vulnerabilities were reported by experts at ERPScan who named the set of five vulnerabilities JoltandBleed.

The most critical flaw was rated with a CVSS base score of 9.9, and even 10.0; according to the experts, it may be exploited over the network without the need for a valid username and password.

The JoltandBleed issues affect the Jolt server within Oracle Tuxedo, which is used by numerous Oracle products, including Oracle PeopleSoft. An attacker can exploit the vulnerabilities to gain full access to all data stored in the following ERP systems:

  • Oracle PeopleSoft Campus Solutions
  • Oracle PeopleSoft Human Capital Management
  • Oracle PeopleSoft Financial Management
  • Oracle PeopleSoft Supply Chain Management, etc.

Below is the complete list of the JoltandBleed vulnerabilities discovered by the experts:

  1. CVE-2017-10272 is a memory disclosure vulnerability; its exploitation gives an attacker a chance to remotely read the memory of the server.
  2. CVE-2017-10267 is a stack overflow vulnerability.
  3. CVE-2017-10278 is a heap overflow vulnerability.
  4. CVE-2017-10266 is a vulnerability that makes it possible for a malicious actor to brute-force the DomainPWD password, which is used for Jolt protocol authentication.
  5. CVE-2017-10269 is a vulnerability affecting the Jolt protocol; it enables an attacker to compromise the whole PeopleSoft system.

The flaw lies in the way the Jolt Handler (JSH) processes a command with opcode 0x32.

“This error originates in how the Jolt Handler processes a command with opcode 0x32. If the package structure is incorrect, a programmer has to provide a Jolt client with a certain Jolt response indicating there is an error in the communication process,” continues ERPScan.

Oracle made the patches available Tuesday for Oracle Fusion Middleware, which address all vulnerabilities.


The vulnerability was caused by a coding mistake in a function call that was responsible for packing data to transmit.

“The confusion was between 2 functions, jtohi and htoji. Consequently, packing of a constant package length that must be 0x40 bytes is actually 0x40000000,” said ERPScan.

“Then a client initiates the transmission of 0x40000000 bytes of data. Manipulating the communication with the client, an attacker can achieve a stable work of a server side and sensitive data leakage. Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server.”
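To make the byte-order mix-up concrete, here is an added example (not Oracle's, ERPScan's or the Jolt code; the helper names, the big-endian wire format and MAX_FRAME_LEN are assumptions) showing how a constant 0x40 length serialized with the wrong byte-order helper is read by the peer as 0x40000000, and the receiver-side consistency check that rejects a declared length larger than the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example of the defect class described above. The wire
 * format is assumed to be big-endian; MAX_FRAME_LEN is an assumed
 * sanity limit, not a Jolt protocol constant. */
#define FRAME_LEN     0x40u          /* intended constant header length */
#define MAX_FRAME_LEN (64u * 1024u)  /* assumed upper bound for a frame */

/* Serialize v in big-endian (network) order: the correct helper. */
static void put_be32(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
}

/* Serialize v in little-endian order: the "wrong direction" helper. */
static void put_le32(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)v;         out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
}

/* Decode the length field the way the peer does (big-endian). */
uint32_t read_declared_len(const uint8_t *hdr) {
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Buggy packer: the two helpers are confused, bytes become 40 00 00 00. */
void pack_len_confused(uint8_t hdr[4]) { put_le32(hdr, FRAME_LEN); }

/* Fixed packer: bytes become 00 00 00 40. */
void pack_len_fixed(uint8_t hdr[4]) { put_be32(hdr, FRAME_LEN); }

/* Receiver-side check: a declared length must not exceed the protocol
 * maximum or the number of body bytes actually present. Returns 0 and
 * sets *body_len when consistent, -1 when the frame must be rejected. */
int validate_frame(const uint8_t *buf, size_t have, size_t *body_len) {
    if (have < 4) return -1;
    uint32_t declared = read_declared_len(buf);
    if (declared > MAX_FRAME_LEN || declared > have - 4) return -1;
    *body_len = declared;
    return 0;
}

/* Build a header plus a 64-byte body with either packer and run the
 * receiver check; returns validate_frame's result and stores the length
 * the peer would decode in *declared. */
int run_case(int use_fixed, uint32_t *declared) {
    uint8_t frame[4 + FRAME_LEN] = {0};
    size_t n = 0;
    if (use_fixed) pack_len_fixed(frame); else pack_len_confused(frame);
    *declared = read_declared_len(frame);
    return validate_frame(frame, sizeof frame, &n);
}

int main(void) {
    uint32_t d;
    int ok = run_case(0, &d);
    printf("confused packer: declared=0x%08x accepted=%s\n", d, ok == 0 ? "yes" : "no");
    ok = run_case(1, &d);
    printf("fixed packer:    declared=0x%08x accepted=%s\n", d, ok == 0 ? "yes" : "no");
    return 0;
}
```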

The vulnerability causes the leakage of credentials when a user enters them through the web interface of PeopleSoft systems.

Technically, the flaw is a memory leakage vulnerability similar to Heartbleed, so it can be used to retrieve a user password and other sensitive data.

“One of the possible attacks besides an obvious theft of employees’ data is for students to hack Campus Solutions and modify or delete payment orders for their education or gain financial aid. This attack, as well as other details, was demonstrated today at the DeepSec Security conference in Vienna,” said ERPScan.

Below is the video PoC published by ERPScan:

According to Oracle, the CVE-2017-10272 memory disclosure vulnerability is easy to exploit and allows a low-privileged attacker with network access via Jolt to compromise Oracle Tuxedo.

“Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middleware (subcomponent: Core). Supported versions that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2. Easily exploitable vulnerability allows low privileged attacker with network access via Jolt to compromise Oracle Tuxedo.” wrote Oracle. “While the vulnerability is in Oracle Tuxedo, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo.”


Pierluigi Paganini 

(Security Affairs – JoltandBleed, hacking)


The post Oracle issues emergency patches for JOLTANDBLEED flaws appeared first on Security Affairs.

Source: Security affairs

Kaspersky Lab has published a full technical report on the alleged hack involving its antivirus software to steal NSA hacking code.

In October, an anonymous source claimed that in 2015 Russian intelligence stole NSA cyber weapons from the PC of an NSA employee that was running Kaspersky antivirus.

Kaspersky denied any direct involvement and provided further details about the hack, but it wasn’t a good period for the firm.

In September, the US Government banned the Russian security firm from all federal government systems.

The PC was hacked after the NSA employee installed a backdoored key generator for a pirated copy of Microsoft Office.

In October, Kaspersky Lab published a detailed report on the case that explains how cyber spies could have easily stolen the software exploits from the NSA employee’s Windows PC.

In October many media outlets accused Kaspersky of helping Russian intelligence by detecting the US cyber weapons on the PC via its security solutions, but according to the security firm the situation is quite different.

According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected his personal computer with spyware from a product-key generator while trying to use a pirated copy of Office.

On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee’s PC; some time later the employee disabled the Kaspersky software to execute the activation-key generator.

When the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky offered to hand over the source code of its solution to US experts, to prove it wasn’t involved in any cyber espionage operation.

Back to the present: Kaspersky has published a new report that sheds light on the investigation conducted by the firm on the NSA-linked Equation Group APT.

Kaspersky began running searches in its databases going back to June 2014, six months prior to the year of the alleged hack of its antivirus, for all alerts triggered containing wildcards such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a large number of false positives.

The analysis revealed the presence of a specific signature that fired a large number of times in a short time span on just one system, specifically the signature “HEUR:Trojan.Win32.Equestre.m” and a 7zip archive (referred to below as “[undisclosed].7z”). This was the beginning of the analysis of the system, which was found to contain not only this archive but many files, both common and unknown, that indicated this was probably a person involved in the malware’s development.

“In total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy.” states the new report published by Kaspersky.

“This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.”

The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of Microsoft Office 2013, but the .ISO contained the Mokes backdoor.

“What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as “kms.exe” (a name of a popular pirated software activation tool), and “kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions”. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.” continues Kaspersky.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two-month period its security software found 128 separate malware samples on the machine that weren’t related to the Equation Group.

Kaspersky found that the Mokes command-and-control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com.”

Kaspersky explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.

“Given that system owner’s potential clearance level, the user could have been a prime target of nation states,” Kaspersky said. “Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands.”

Further details are included in the technical report.


Pierluigi Paganini 

(Security Affairs – Kaspersky Lab, Cyber espionage)


The post Kaspersky provided further details on NSA Incident. Other APTs targeted the same PC appeared first on Security Affairs.

Source: Security affairs

(Image credit: Sergi Reboredo/VW PICS/UIG via Getty Images)

A New York state judge has concluded that a powerful police surveillance tool known as a stingray, a device that spoofs legitimate mobile phone towers, performs a “search” and therefore requires a warrant under most circumstances.

As a New York State Supreme Court judge in Brooklyn ruled earlier this month in an attempted murder case, New York Police Department officers should have sought a standard, probable cause-driven warrant before using the invasive device.

The Empire State court joins others nationwide in reaching this conclusion. In September, the District of Columbia Court of Appeals also found that stingrays normally require a warrant, as did a federal judge in Oakland, California, back in August.


Source: http://feeds.arstechnica.com/arstechnica/index/

Millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, are affected by the Blueborne flaws.

A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in

Millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, are affected by the recently discovered BlueBorne vulnerabilities.

The recently discovered BlueBorne attack technique was devised by experts at Armis Labs. Researchers discovered a total of eight vulnerabilities in the Bluetooth design that expose devices to cyber attacks.

Billions of mobile, desktop and IoT devices that use Bluetooth may be exposed to a new remote attack, even without any user interaction or pairing. The only condition for BlueBorne attacks is that targeted devices must have Bluetooth enabled.

Once an attacker compromises a Bluetooth-enabled device, he can infect any other device on the same network.

The IoT security firm Armis now reported that an estimated 15 million Amazon Echo and 5 million Google Home devices are vulnerable to BlueBorne attack.

“Following the disclosure of the BlueBorne attack vector this past September, Armis discovered that critical Bluetooth vulnerabilities impact the Amazon Echo and Google Home. These new IoT voice-activated Personal Assistants join the extensive list of affected devices.” reads the blog post published by Armis.

“Personal Assistants are rapidly expanding throughout the home and workplace, with an estimated 15 million Amazon Echo and 5 million Google Home devices sold. Since these devices are unmanaged and closed sourced, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android.”

The Amazon Echo devices are affected by the following two vulnerabilities:
  • Remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251)
  • Information leak vulnerability in the SDP Server (CVE-2017-1000250)

The researchers highlighted that other Echo devices running Linux or Android operating systems are affected by other Blueborne vulnerabilities.

Google Home devices are affected only by the CVE-2017-0785 vulnerability that is an information disclosure flaw in Android’s Bluetooth stack.

The voice-activated personal assistants are constantly listening for Bluetooth communications; an attacker within range of a vulnerable IoT device can easily hack it.

“These devices are constantly listening to Bluetooth communications. There is no way to put an agent/antivirus on these devices. And given their limited UI, there is no way to turn their Bluetooth off” continues the blog post.

Experts from Armis published a video proof-of-concept (PoC) to show how to hack an Amazon Echo device.

Armis reported the issues to both Amazon and Google, which have released patches and pushed automatic updates to the affected devices.

Amazon Echo users can check that their devices are using a version that is newer than v591448720.

“The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated. However, even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates – potentially leaving them susceptible to attacks indefinitely.” concluded Armis.


Pierluigi Paganini

(Security Affairs – Bluetooth hacking, BlueBorne attack)


The post 20 Million Google Home and Amazon Echo devices are affected by the Blueborne flaws appeared first on Security Affairs.

Source: Security affairs