News & Updates

A glitch in the live streaming platform Twitch may have exposed some of its users’ private messages to other users. The company is notifying affected users.

The live streaming platform Twitch is warning users that a glitch may have exposed some of their private messages to other users.

The company sent notifications to some broadcasters informing them that a software bug could have changed the access permissions on older messages, allowing other users to download and read them.

The flaw affected a recently removed feature dubbed Messages and exposed some of the messages sent through it.

“I reached out to Twitch for a comment, and a company spokesperson says that it has fixed the bug. It also explained that most of the exposed messages were promotional announcements that went out to everyone who subscribes to certain channels. But it’s possible that this also affected private communications featuring more sensitive information as well,” reported VentureBeat.

Copy of the email sent by Twitch obtained by Bleeping Computer

“In May, we removed a legacy feature called Messages and provided users the ability to download an archive of past messages. Due to a bug in the code that generated the message archive files, which has since been fixed, a small percentage of user messages were included in the wrong archives,” reads the statement from Twitch’s spokesperson.

“The primary use case for Messages was promotion; streamers sending out mass communication to subscribers for example, and the majority of messages that were unintentionally provided to another user fall into that category. We have notified users via email and provided them the affected messages for review. Protecting our users’ privacy is important to us and we have taken actions to ensure this kind of error does not happen in the future.”

According to Twitch, the bug only affected the Messages feature; no private messages sent via the Twitch Whisper system were included in these archives.

Twitch users can discover if their messages were accidentally exposed by visiting the website twitch.tv/messages/archive.

A search on Twitter turns up posts from Twitter users who found messages belonging to other users in their archives.

In any case, Twitch sent a warning message to all affected users.


Pierluigi Paganini

(Security Affairs – data leak, privacy)


The post Twitch bug may have exposed some users messages to others appeared first on Security Affairs.

Source: Security affairs

Few cars are quite as legendary as the Aston Martin DB5. It’s not because they sold well—just over a thousand were built between 1963 and 1965. And it’s not because they won famous races. Instead, the DB5 became such an icon thanks to an early example of product placement, because it’s the car that James Bond drove in the film Goldfinger. And now, Aston Martin has said it’s going to build 25 of them, complete with gadgets. But they won’t be cheap—each will cost $3.51 million (£2.75 million) plus tax.

In the film, 007’s car was modified by Q Branch and equipped with revolving number plates, machine guns, an oil slick dispenser, and even an ejector seat. In reality, the car used in the film—actually one of Aston Martin’s pre-production prototypes—was modified by John Stears, who won an Oscar for his work. No one knew at the time quite how much the DB5 would steal the show, and after the film the gadgets were removed from the car, then reinstalled some years later.


Source: http://feeds.arstechnica.com/arstechnica/index/

A customer inspects the 2013 iPhone at the Wangfujing flagship store in Beijing. (credit: Lintao Zhang/Getty Images)

Apple removed thousands of gambling apps from China’s App Store after the company came under fire from state-run media. According to a report by The Wall Street Journal, the tech giant removed as many as 25,000 illegal gambling apps, many of which were disguised as official lottery apps, from China’s App Store after China Central Television criticized the company for not doing more to catch and remove banned content.

“Gambling apps are illegal and not allowed on the App Store in China,” Apple said in an emailed statement to The Wall Street Journal. “We have already removed many apps and developers for trying to distribute illegal gambling apps on our App Store, and we are vigilant in our efforts to find these and stop them from being on the App Store.”

While Apple occasionally cleans up its App Stores to remove spam apps and content, this recent situation shows another way that the company has bent to the rules of the Chinese government. Last year, Apple removed VPN apps from its Chinese App Store after the local government banned services that were not already approved by the state. VPN apps allowed Chinese users to bypass the Great Firewall to get uncensored access to blocked websites.


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Sega)

This week, for the first time since the early ’00s, Sega’s Shenmue games will be available on modern platforms. Both original games, 1999’s Shenmue and 2001’s Shenmue II, arrive on Xbox One, PlayStation 4, and Windows PC on Tuesday, August 21, as a $30 compilation.

Chances are, you never got to dive into either, owing not only to their age but also to their exclusive launches on largely unpopular consoles in the West (the Dreamcast and original Xbox, respectively). This week’s compilation changes the access half of the equation (and comes to tide fans over while waiting for the crowdfunded Shenmue III). But does it deliver a must-play return to Sega’s console swan song?

Not really. The team responsible for restoring this pair of games has erred on the side of authenticity. In good news, that means everything from the original games—art, dialogue, presentation—has been shined up as much as humanly possible. These are the best versions of Shenmue games in the world. But hundreds of open-world games have surpassed Yu Suzuki’s classic in the days since, and none of those later games’ successes have inspired Sega to fix what’s broken here.


Source: http://feeds.arstechnica.com/arstechnica/index/

At the heart of the Relativity factory is the “Stargate” 3D printer, which the company says is the largest metal 3D printer in the world. (credit: Relativity Space)

Relativity is one of the most ambitious companies in the rocket industry. It seeks to manufacture the entirety of its rockets using 3D printing techniques, hoping to one day print a rocket on the surface of Mars to launch from there. But are either of these goals achievable?

Some new moves by the company suggest they just might be. On Monday morning, Relativity will announce the hiring of Tim Buzza as an adviser to shepherd the company’s launch vehicle execution. These duties will include finalizing the selection of a US-based launch site (a decision will come before the end of this year) and overseeing development of ground launch systems at that site.

Tim Buzza (credit: Relativity Space)

Buzza is a well-known figure in the aerospace industry. He was employee number five at SpaceX, having hired on in 2002, and over a 12-year career ended up as the company’s vice president of launch operations. In an oral history interview in 2013 with NASA, Buzza explained his early duties at SpaceX.


Source: http://feeds.arstechnica.com/arstechnica/index/

The popular malware researcher Marco Ramilli has analyzed a piece of malware that remained under the radar for more than two years.

Today I’d like to share the following reverse engineering path, since it ended up being more complex than I thought. The full path took me hours of work and the sample covers many obfuscation steps and implementation languages.
During the analysis, only very few antivirus engines (6 out of 60) were able to “detect” the sample. Actually, none really detected it, but some AVs triggered a “generic unwanted software” signature without being able to really figure it out. As usual, I am not going to show you who was able to detect it compared to who wasn’t, since I won’t end up with a wrong declaration such as (for example): “Marco said that X is better than Y”. Anyway, having the file hash, I believe it would be enough to search for such information.

AntiVirus Coverage

The sample (SHA256: e5c67daef2226a9e042837f6fad5b338d730e7d241ae0786d091895b2a1b8681) presents itself as a JAR file. The first thought an experienced malware reverse engineer might have would be: “OK, another bytecode reversing night, easy... just focus and debug it...”. BUT, surprisingly, when you decompile the sample you read the following class!

Stage 1: JAR invoking JavaScript
A Java method that invokes (through eval) an embedded “JavaScript” file! This is totally interesting stuff :D. Let’s follow up on the stages and see where it goes. The extracted JavaScript (stage 2) looks like the following image. The “OOoo00” obfuscation technique has been used. Personally I do not like this obfuscation technique: it’s harder to reverse compared to other obfuscation techniques, even Ctrl-F gets confused by substrings, but we need to figure out what it does, so let’s try to manually substitute every string and watch out for matching substrings (in other words, %s/OOoo00/varName/g won’t work at all).

Stage 2: evaluated JavaScript (obfuscated)
Manual substitution takes “forever” if you do not have a substitution framework that asks you for a string, replaces that string (and not a substring) and eventually presents the new beautified JavaScript. After many substitutions (I really have no idea how many :D) you land on quite readable JavaScript like the following one (click on it to make it bigger).
Stage 2: Manually Deobfuscated JavaScript
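As an added example (not the author’s script and not the malware’s code), a small Python helper that does the whole-token substitution the paragraph above asks for: SAMPLE is a constructed snippet in the same OOoo00 style, identifiers made only of O/o/0 are renamed in order of appearance, string literals are left alone, and naive_replace shows how a plain substring replace corrupts names that contain each other.

```python
import re

# Constructed sample in the style of the "OOoo00" obfuscation (not the malware's real
# script): three identifiers that are substrings of one another.
SAMPLE = """var OOoo00 = java.lang.System;
var OOoo000 = OOoo00.getProperty("java.class.path");
var OOoo0O0 = new java.io.File(OOoo000);
OOoo00.out.println(OOoo0O0.getName());"""

# One token regex: group 1 = a string literal (left untouched), group 2 = an identifier.
TOKEN_RE = re.compile(
    r'("(?:\\.|[^"\\])*"|' + r"'(?:\\.|[^'\\])*')" + r'|\b([A-Za-z_][A-Za-z0-9_]*)\b')
# Identifiers built only from the look-alike characters O, o and 0.
OBFUSCATED_RE = re.compile(r'^[Oo0]{4,}$')


def naive_replace(src, old, new):
    """Plain substring replacement, i.e. what %s/OOoo00/varName/g does.
    OOoo00 is a substring of OOoo000, so that second name is corrupted to v00."""
    return src.replace(old, new)


def find_obfuscated_identifiers(src):
    """Obfuscated identifiers in order of first appearance, string literals excluded."""
    names = []
    for m in TOKEN_RE.finditer(src):
        name = m.group(2)
        if name and OBFUSCATED_RE.match(name) and name not in names:
            names.append(name)
    return names


def rename_identifiers(src, mapping):
    """Whole-token substitution: a name is replaced only when it is a complete identifier."""
    def repl(m):
        if m.group(1) is not None:      # string literal: leave its contents alone
            return m.group(0)
        return mapping.get(m.group(2), m.group(2))
    return TOKEN_RE.sub(repl, src)


def deobfuscate(src):
    """Rename every obfuscated identifier to v0, v1, ... and return (new source, mapping)."""
    names = find_obfuscated_identifiers(src)
    mapping = {name: "v%d" % i for i, name in enumerate(names)}
    return rename_identifiers(src, mapping), mapping


if __name__ == "__main__":
    cleaned, mapping = deobfuscate(SAMPLE)
    print(mapping)
    print(cleaned)
```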
What is interesting (at least from my personal point of view) is the way the attacker (ab)used the JS-JVM integration. JavaScript takes the Java context, meaning it can use Java functions by calling contextual Java classes. In this stage the JavaScript loads encrypted content from the original JAR, decrypts that content using a KEY and finally loads it (dynamic class loader) in memory in order to fire it up as new Java code.
The encryption algorithm used is AES and everything we need to decrypt is in this file, so let’s build a simple Python script to print our decryption parameters. The following image shows the decoding script made to easily reconstruct the AES key and the surrounding parameters. NB: the Python code is not for production, is not protected and is full of imprecisions. I made it up just to decode the AES key and such, so don’t judge it; take it as known weak but working dirty code.
Python Script to Decode AES-KEY

We now have every decoding parameter; we just need to decrypt the classes by using the following data:
  • ClassName
  • Resource (a.k.a. the package in which it will be contextualized)
  • Bytes to be decrypted
  • Secret key
  • Byte length to be decrypted
A simple Java decrypter has been developed following the original malware code. Once run, the following code was decrypted.

Stage 3: Decrypted Java Class
Here is my favorite point. As you might appreciate from the previous image, we are facing a new stage (Stage 3). What is interesting about this new stage is the way it mirrors the old code. It is de facto a replica of Stage 2. We have new classes to be decrypted (red tag on the image), the same algorithm (orange label on the image), a new KEY (this time not derived by an algorithm as it was in Stage 2, but simply in clear text; orange tag on the image) and the same reflective technique in which the attacker dynamically loads memory-decrypted content through the Java loader and uses it to decrypt a further step, after which it replicates the code again and again. There is an interesting difference though: this stage builds up a new in-memory stage (let’s call it Stage 4) by adding static GZipped content at the end of the encrypted section (light blue tag on the image). By using that technique the attacker can reach as many decryption stages as he desires.
At the end of the decryption loop (which took a while, really) the sample saves (or drops from itself, if you wish) an additional file placed in AppData – Local – Temp named _ARandomDecimalNumber.class. This .class is actually a JAR file carrying a whole function set. The final stage, before finishing, runs the following command:
java -jar _ARandomDecimalNumber.class
The execution of that command drops on the local hard drive (AppData-Local-Temp) three new files named RetrieveRandomNumber.vbs (2x) and RandomName.reg. The following image shows a simple ‘cat’ command on the just-dropped files.
On Final Stage VBS Run Files
It’s quite funny to see that the attacker needed a new scripting language (he already needed Java as the original entry point, JavaScript as the payload decryptor, and now he is using VBS!) to query WMI in order to retrieve installed antivirus and firewall information. Significant is the choice to use a .reg file to enumerate tons of security tools that have been widely used by analysts to analyze malware. The attacker enumerates 571 possible analysis tools that should not be present on the target machine (the victim). Brave, but not neat at all (from my personal point of view). The sample does not evade the system but forces a system kill of each such process regardless of whether it is installed or not, just like brute-force process killing. The sample enters a big loop where it launches 571 sigKills, one for each enumerated (.reg) analysis program. It copies the entire Java VM through xcopy.exe into AppData-Roaming-Oracle and, by changing the local environment classpath, uses it to perform the following actions. It finally drops and executes another payload called “plugins”.
The following image shows the plugins and the initial new-stage JAR.
Final Dropped Files (_RandomDec and plugins)
At first sight, an experienced malware reverse engineer would notice that the original sample finally drops an AdWind/JRat malware whose main target is to steal files and personal information from victims. While AdWind/JRat is not interesting per se, since it is widely analyzed, this new way to deliver AdWind/JRat definitely fascinates me. The attacker mixed up obfuscation techniques, decryption techniques, fileless abilities, multi-language stages and evasion techniques* in order to deliver this AdWind/JRat version. Multiple programming styles have been found during the analysis path. Each stage, belonging to a specific programming language, is atomic, meaning that it could be run separately and each following stage could easily consume its outputs. All these indicators make me believe the original sample has been built using a malware builder, which BTW perfectly fits the AdWind philosophy of running as a service platform.
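As an added detection example (not part of the original analysis), the final-stage behaviours described above expressed as rules over process-creation events: a java.exe launched with -jar on a .class in AppData\Local\Temp, a .vbs run from Temp under that java.exe, an xcopy into AppData\Roaming\Oracle, and a burst of process kills from one parent. The events are constructed, the file names and pids are made up, and the kill loop is assumed here to show up as taskkill.exe invocations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events (timestamp, pid, ppid, image, command line) modelled on
# the dropper chain described in the write-up. Not real telemetry; names and pids are made up,
# and the 571-entry kill loop is assumed to appear as taskkill.exe children of the java.exe.
EVENTS = [
    ("2018-08-14T10:00:01", 4100, 3900, r"C:\Program Files\Java\jre8\bin\java.exe",
     r"java -jar C:\Users\u\AppData\Local\Temp\_3827115309.class"),
    ("2018-08-14T10:00:02", 4120, 4100, r"C:\Windows\System32\wscript.exe",
     r"wscript C:\Users\u\AppData\Local\Temp\Retrieve6151037.vbs"),
    ("2018-08-14T10:00:03", 4130, 4100, r"C:\Windows\System32\xcopy.exe",
     r'xcopy /E /Y "C:\Program Files\Java\jre8" "C:\Users\u\AppData\Roaming\Oracle"'),
    ("2018-08-14T10:00:04", 4140, 4100, r"C:\Windows\System32\taskkill.exe", "taskkill /IM procexp.exe /F"),
    ("2018-08-14T10:00:04", 4141, 4100, r"C:\Windows\System32\taskkill.exe", "taskkill /IM wireshark.exe /F"),
    ("2018-08-14T10:00:05", 4142, 4100, r"C:\Windows\System32\taskkill.exe", "taskkill /IM procmon.exe /F"),
    ("2018-08-14T10:00:05", 4143, 4100, r"C:\Windows\System32\taskkill.exe", "taskkill /IM x64dbg.exe /F"),
    ("2018-08-14T10:00:06", 4144, 4100, r"C:\Windows\System32\taskkill.exe", "taskkill /IM ollydbg.exe /F"),
    # Unrelated single kill from another parent: must not trigger the burst rule.
    ("2018-08-14T10:05:00", 5000, 3900, r"C:\Windows\System32\taskkill.exe", "taskkill /IM notepad.exe /F"),
]

TEMP_CLASS_RE = re.compile(r'-jar\s+"?[^"\s]*\\appdata\\local\\temp\\[^"\s]*\.class\b', re.I)
TEMP_VBS_RE = re.compile(r'\\appdata\\local\\temp\\[^"\s]*\.vbs\b', re.I)
ROAMING_ORACLE_RE = re.compile(r'\\appdata\\roaming\\oracle', re.I)


def basename(image):
    return image.lower().rsplit("\\", 1)[-1]


def detect(events, kill_threshold=5, window_seconds=60):
    """Return (rule, pid) alerts for the four final-stage behaviours."""
    alerts = []
    by_pid = {pid: (image, cmd) for _, pid, _, image, cmd in events}
    kills = defaultdict(list)        # parent pid -> timestamps of its taskkill children
    for ts, pid, ppid, image, cmd in events:
        exe = basename(image)
        parent_exe = basename(by_pid[ppid][0]) if ppid in by_pid else ""
        if exe == "java.exe" and TEMP_CLASS_RE.search(cmd):
            alerts.append(("java_jar_class_in_temp", pid))
        if exe in ("wscript.exe", "cscript.exe") and parent_exe == "java.exe" and TEMP_VBS_RE.search(cmd):
            alerts.append(("vbs_from_temp_under_java", pid))
        if exe == "xcopy.exe" and ROAMING_ORACLE_RE.search(cmd):
            alerts.append(("jvm_copied_to_roaming_oracle", pid))
        if exe == "taskkill.exe":
            kills[ppid].append(datetime.fromisoformat(ts))
    # Sliding window: kill_threshold taskkill children of one parent within window_seconds.
    for ppid, times in kills.items():
        times.sort()
        for i in range(len(times) - kill_threshold + 1):
            if (times[i + kill_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append(("taskkill_burst", ppid))
                break
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(rule, pid)
```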
A final consideration is about timing. Checking the VirusTotal details (remembering that only 6 out of 60 AVs were able to say the original JAR was malicious or unwanted) you might notice the following timeline.
Detection Timeline (VirusTotal)
VT shows the first time it captured that hash (SHA256): it was in 2016. But then the first submission is on 2018-08-14, a few days ago. On that date (2018-08-14) only 6 out of 60 detected suspicious (malicious) behavior and triggered a red state. But what about the almost 2 years between December 2016 and August 2018? If we assume the malware is 2 years old, was it silent until now (until my submission)? Did we have the technology two years ago to detect such a threat? Or could it be a targeted attack that took almost 2 years before being deployed?
I currently have no answers to such questions, hope you might find some.
*Actually not really an evasion technique, more likely a toolset mitigation.

Further details on the malware, including the IoCs, are reported in the original analysis published by Marco Ramilli:

https://marcoramilli.blogspot.com/2018/08/interesting-hidden-threat-since-years.html

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans.


Edited by Pierluigi Paganini

(Security Affairs – malware)


The post Malware researcher reverse engineered a threat that went undetected for at least 2 years appeared first on Security Affairs.

Source: Security affairs

Update (8/20/2018 10:55am ET): The discount looks to have expired for now; we’ll update this post if it returns.

Original story: Essential really seems to want to get rid of whatever phones it has left in stock. Last month we highlighted a deal in which the struggling startup’s first and only Android phone was marked down to $250 on Amazon Prime Day. On Monday, the device is going for even less than that, as Amazon is selling the “Halo Gray” edition of the handset for $224.

The Essential Phone first sold for $699 when it launched last summer and has undergone a couple of permanent price drops after sales reportedly fell well short of expectations. To be clear, the device still has its share of issues: there’s no waterproofing, no microSD slot, no headphone jack, and some users have reported issues with reception on T-Mobile. Battery life is just okay, and even after several updates the camera isn’t really competitive with any other flagship phone from last year. Essential’s modular accessory system has been a total bust, too.


Source: http://feeds.arstechnica.com/arstechnica/index/

Valentina Palladino

It has been two years since Fitbit updated its Charge 2 fitness tracker, the $150 device that represents the most advanced activity band in Fitbit’s lineup before you enter smartwatch territory. Today, Fitbit announced the Charge 3, a new tracker that maintains the Charge 2’s spot but further bridges the gap between fitness tracker and smartwatch.

Fitbit made subtle changes to the Charge 2’s design to come up with the Charge 3. Immediately noticeable in my short demo of the Charge 3 is its lightness—at 20-percent lighter than the Charge 2, you can barely feel it when it’s on your wrist as you’re wearing it.


Source: http://feeds.arstechnica.com/arstechnica/index/

Logitech

Logitech on Monday announced the MX Vertical, the first vertical mouse to come from the popular peripheral maker.

The mouse costs $99.99 and is available to pre-order on Logitech’s website as of Monday. Logitech says it will start shipping the MX Vertical to customers sometime in September.


Source: http://feeds.arstechnica.com/arstechnica/index/

Researchers from Trustwave have uncovered a malspam campaign targeting banks with the FlawedAmmyy RAT.

The peculiarity of this malspam campaign is the unusual use of a Microsoft Office Publisher file to infect victims’ systems.

Experts noticed an anomalous spike in the number of emails with a Microsoft Office Publisher file (a .pub attachment) and the subject line “Payment Advice” that were sent to domains belonging to banks.

This campaign is very small but appears to be very focused on banks.

The spam messages contained URLs that downloaded the FlawedAmmyy remote-access trojan (RAT), a well-known backdoor.

Another interesting aspect of the campaign is that it was powered by the Necurs botnet.

“This campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past,” reads the analysis published by Trustwave.

“Unlike previous mass campaigns, this campaign was small and, interestingly, all of the To: addresses we saw targeted were domains belonging to banks, indicating a desire for the attackers to get a foothold within banks with the FlawedAmmyy RAT.”

When the victims open the .pub file, they are prompted to “Enable Macros”; earlier versions of Microsoft Publisher may display instructions to “Enable Editing” and “Enable Content”.

Manually opening the Visual Basic Editor (VBA Editor) in Microsoft Publisher and clicking “ThisDocument” in Project Explorer shows the script that executes a weaponized archive containing the RAT.

“The macro script is triggered with the function Document_Open(). As the name implies, when the file is opened, the script will access a URL and execute a downloaded file.” continues the analysis.

The malicious code leverages control objects in forms to hide the URL from which it downloads the RAT: the URL is stored in the Tag property.

“By the time we examined the sample, the URL was not accessible anymore, but a little further research indicated this URL was used for downloading a self-extracting archive, which contained the FlawedAmmyy RAT,” researchers said.
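As an added triage example (not Trustwave’s code), a small static check for the pattern described above: an auto-executing Document_Open procedure that reads its data from a control’s Tag property and passes it on to a command sink. SAMPLE_VBA is a constructed skeleton, Fetch is a hypothetical stub that does nothing, and the taint tracking is a deliberately simple line-by-line pass over the procedure body.

```python
import re

# Constructed VBA skeleton modelled on the macro described in the write-up (Document_Open
# entry point, URL parked in a form control's Tag property). Not the real macro: "Fetch" is a
# hypothetical stub and nothing in this text downloads or runs anything.
SAMPLE_VBA = """\
Private Sub Document_Open()
    Dim src As String, dst As String
    src = UserForm1.Label1.Tag
    dst = Environ("TEMP") & "\\" & UserForm1.Label2.Tag
    Fetch src, dst
    Shell dst, vbHide
End Sub

Private Sub Fetch(remote As String, local As String)
    ' constructed placeholder: body intentionally empty
End Sub
"""

AUTO_EXEC = {"document_open", "autoopen", "auto_open", "workbook_open"}
KNOWN_SINKS = {"shell", "createobject", "urldownloadtofile"}
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\((.*?)\)(.*?)^\s*End\s+(?:Sub|Function)",
    re.I | re.S | re.M)
TAG_RE = re.compile(r"\.Tag\b", re.I)
ASSIGN_RE = re.compile(r"^(?:Set\s+)?(\w+)\s*=\s*(.+)$", re.I)
IDENT_RE = re.compile(r"\b\w+\b")


def parse_procs(src):
    """Map procedure name -> body text."""
    return {m.group(1): m.group(3) for m in PROC_RE.finditer(src)}


def taint_analysis(body):
    """Track variables assigned from a .Tag property into the statements that consume them."""
    tainted, sources, hits = set(), [], []
    for raw in body.splitlines():
        line = raw.split("'", 1)[0].strip()     # drop comments (naive: ignores ' inside strings)
        if not line or line.lower().startswith("dim "):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if TAG_RE.search(rhs):
                sources.append(var)
                tainted.add(var)
            elif tainted & set(IDENT_RE.findall(rhs)):
                tainted.add(var)            # propagate through concatenation etc.
            continue
        head = line.split(None, 1)[0].lower()
        used = sorted(tainted & set(IDENT_RE.findall(line)))
        if used:
            hits.append((head, used, head in KNOWN_SINKS))
    return sources, tainted, hits


def triage(src):
    """One finding per auto-executing procedure; suspicious = Tag-sourced data reaches a known sink."""
    findings = []
    for name, body in parse_procs(src).items():
        if name.lower() not in AUTO_EXEC:
            continue
        sources, tainted, hits = taint_analysis(body)
        findings.append({"entry": name, "tag_sources": sources, "tainted": sorted(tainted),
                         "hits": hits, "suspicious": bool(sources) and any(h[2] for h in hits)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_VBA):
        print(finding)
```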

In July, Proofpoint uncovered another massive malspam campaign delivering the FlawedAmmyy RAT that was leveraging emails with weaponized PDF documents containing malicious SettingContent-ms files.

The campaign was attributed to the financially motivated cybercriminal group TA505.

“this campaign was unusual in the use of .pub files. It also appeared to originate from the Necurs botnet, a notorious botnet responsible for much mass malware distribution in the past (see here and here),” concludes Trustwave.

Technical details, including the IoCs, are reported in the analysis published by the experts.


Pierluigi Paganini

(Security Affairs – Malspam, Publisher)


The post Unusual Malspam campaign targets banks with Microsoft Publisher files appeared first on Security Affairs.

Source: Security affairs