Monthly Archives: May 2016

Windows Zero Day Selling for $90,000

Hackers claim to have unearthed a zero-day vulnerability giving attackers admin rights to any Windows machine from Windows 2000 to a fully patched version of Windows 10. The zero day is for sale on the black market for $90,000.

Security experts say the zero-day exploit looks legitimate and in the wrong hands could be an extremely effective tool for hackers who already have a foothold in an existing computer network.

“A cyber gang would be eager to use this to leverage malware and ransomware to get a much better ROI by combining exploits,” said Ziv Mador, VP of security research at Trustwave, in an interview with Threatpost. “Also, any nation state type APT attack would easily see this as a key tool in sophisticated network penetration.”

Trustwave underscores there is no way to know with absolute certainty if the zero day is legitimate without purchasing the exploit. However, Mador said there are a number of strong indicators that the exploit is legit, such as the seller offering the use of an independent escrow agent to verify the exploit works before payment is made.

Other indicators include two videos that accompany the hacker’s for-sale listing that show the vulnerability in action. One video shows the exploit successfully bypassing all of Microsoft Windows’ Enhanced Mitigation Experience Toolkit (EMET) protections for the latest version of Windows. The second video shows a fully updated Windows 10 machine being exploited successfully, by elevating the CMD EXE process to the SYSTEM account.

In both instances, the hacker successfully exploited a local privilege escalation vulnerability in Windows. The listing for the exploit describes itself as an “exploit for local privilege escalation (LPE) for a 0day vulnerability in win32k.sys. The vulnerability exists in the incorrect handling of window objects, which have certain properties, and [the vulnerability] exists in all OS [versions], starting from Windows 2000,” according to the seller.

The zero day was noticed by Trustwave on May 11 on the underground site exploit[dot]in by a seller using the handle “BuggiCorp”. The exploit will be sold exclusively to one buyer, according to the posting. Originally the seller offered to sell the zero day for $95,000, but has since dropped the price to $90,000.

“For this type of capability $95,000 USD does sound reasonable. These are relatively rare, and take a degree of expertise to develop, thus they are valuable to attackers and defenders alike,” said Logan Brown, president of Exodus Intelligence, which runs its own vulnerability purchasing program, among other offerings.

Microsoft did not return requests to comment for this report. However, Microsoft has spoken out publicly acknowledging the zero day listing’s existence, but has stressed it cannot verify the authenticity of the claim. In a statement on Krebs On Security, Jeff Jones, a cybersecurity strategist with Microsoft, pointed out that Microsoft has a bug bounty program that offers a reward of between $50,000 and $100,000 for an exploit capable of bypassing its EMET safeguards (something that this exploit does).

The exploit, according to a post on Trustwave’s SpiderLabs blog, has capabilities that include turning a compromised sandbox environment into a remote code execution springboard for an entire system takeover. Additional exploit capabilities include installing a rootkit, gaining limited control over a web server, use on POS systems to steal credit card data, and installing additional malicious software on systems, according to Trustwave.

from Threatpost – English – Global – thr…

SandJacking Attack Puts iOS Devices At Risk to Rogue Apps

Apple has yet to patch a vulnerability disclosed during last week’s Hack in the Box hacker conference in Amsterdam that allows an attacker with physical access—even on the latest versions of iOS—to swap out legitimate apps with malicious versions undetected on the device.

Researcher Chilik Tamir of mobile security company Mi3 Security disclosed last week during his talk at the show that an iOS mitigation for a previous attack he’d developed was incomplete and with a modification, he could still infect non-jailbroken iOS devices with malicious or misbehaving apps.

Apple declined to comment about the vulnerability, which it has known about since Jan. 27. On May 23 Apple informed Tamir that it was working on a patch.

A number of factors enable this attack, starting with a change Apple instituted about six months ago in Xcode7 that allows developers to obtain a developers certificate from Apple—with restrictions—by providing an email address and Apple ID, both of which are free and simple to obtain.

Tamir’s first attack, which was publicly disclosed March 31 during Black Hat Asia in Singapore, was enabled by a tool he developed called Su-A-Cyder. Using this software, an attacker can swap out legitimate versions of apps with versions developed under such a certificate, in order to spy on users and gain elevated privileges on the device that expose contacts, messaging, photos, the microphone and more. So long as the malicious app had the same bundle ID as the original, the attacker was in business.

After iOS 8.3, however, Apple prevented this attack vector. Tamir has since found a way around the mitigation with a new technique called SandJacking, which allows an attacker access to an app’s sandbox contents.

“Apple patched the front door installation process which denies an upgrade of any app with mismatched files,” Tamir said. “They forgot the backdoor, or the restore process.”

His SandJacking attack works by first backing up the device, deleting the original application and installing a rogue one. By initiating a restore from backup on the device, the device will re-emerge with the evil client, as Tamir calls it. Tamir’s attack requires, because of Apple’s modifications, that users manually approve apps. A malicious app—he demonstrated a rogue version of Skype in an interview with Threatpost—is likely to skate through unnoticed by a user and will be approved.

Tamir pointed out that while physical access to the device can be an impediment, law enforcement, malicious actors at a repair shop, or even family members wishing to spy on one another, could use Su-A-Cyder to copy an app and side-load extra functionality such as recording capabilities.

“Any iPhone repair shop becomes a pwn shop,” Tamir said. “Anyone with access to the phone can run code and install malware anonymously. You would only need the device and the passcode.”

Hackers have been able to find clever ways to scale Apple’s so-called walled garden and sneak malicious apps such as XcodeGhost, WireLurker, YiSpecter and others into the App Store and third-party download sites.

The common element in most of these incidents is that developers with Apple-issued certs from the iOS Developer Enterprise Program were able to write malicious or misbehaving apps that were trusted by Apple.

Apple’s change six months ago, requiring only an email address to earn a certificate, comes with limitations; apps built under this program cannot use Apple Pay or iCloud, cannot offer in-app purchases, and more. Apps, however, could be granted access to GPS location data, HealthKit, inter-application recording, wireless features and much more, all of which can be abused anonymously using Tamir’s attack, he said.

Tamir said he will release his SandJacking PoC tool once Apple patches the vulnerability.

from Threatpost – English – Global – thr…

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

Hackers are peddling roughly 427 million passwords belonging to users of MySpace, a social network that in its heyday was one of the most visited sites on the internet.

The same service that claimed to have information on 164 million LinkedIn users earlier this month is now boasting to have information on 360 million MySpace accounts.

According to a post on, which runs a searchable repository of leaked data, a user who goes by “” provided the information.

The post claims that MySpace was hacked nearly three years ago, on June 11, 2013, and that the dataset contains 360,213,024 records, 111,341,258 of which contain a username and a password, and 68,493,651 of which contain a secondary password.

MySpace corroborated a few of those details in a FAQ about the incident on Tuesday, confirming that accounts created prior to June 11 are affected. The Time Inc.-owned company is admitting the breach is legitimate and attributes it to Peace, the same hacker who apparently carried out the LinkedIn hack two weeks back.

For what it’s worth, the company claims it’s using automated tools to attempt to identify and block suspicious activity on user accounts and that it has invalidated old user passwords. Users will be prompted to authenticate and then reset the passwords for their account the next time they log in.

Details around what exactly led to the breach are scant, but MySpace claims the breach likely dates from before certain security measures were implemented on the site.

The passwords, few of which are over 10 characters long, were stored using the cryptographic hash function SHA-1, without salting, according to LeakedSource. SHA-1 is almost universally regarded as weaker than it was first designed to be. While salting hashes – the act of adding a random string of characters to passwords before hashing – isn’t alone enough to protect data, it does make them more difficult to reverse.

The site claims it has improved security since 2013 and is now using double salted hashes – “random data that is used as an additional input to a one-way function that ‘hashes’ a password or passphrase” – to store its users’ passwords.

According to Vice’s Motherboard, Peace is reportedly selling the data for six Bitcoin, roughly $2,800, on TheRealDeal, a darknet site.

A spokesperson for Viant, Time, Inc.’s data marketing firm, citing an ongoing investigation, wouldn’t comment further than what’s mentioned in Tuesday’s blog post.

MySpace, which in many ways was a precursor to Facebook, had nearly 80 million users at its peak. News Corp famously purchased the site in 2005 for $580 million and at one point it was valued at $12 billion before its eventual downturn. The site was purchased by Time Inc. in February.

News of the MySpace breach comes around the same time that the scope of another breach from 2013, blogging platform Tumblr, has come to light.

Tumblr informed users earlier this month that a third party was able to access a dataset of user email addresses, along with salted and hashed passwords. The information, Tumblr stressed, was from three years ago, shortly before Yahoo acquired it.

It was unclear until now, however, exactly how many users were implicated by the hack. According to, a data breach awareness portal run by Troy Hunt, the breach included information on 65 million user accounts. Hunt, who obtained a copy of the dataset, calculated that the breach leaked information on 65,469,298 accounts, to be exact, and acknowledged that the information, including passwords stored as salted SHA-1 hashes, is being sold online.

According to Motherboard, which claims to have discussed the breach with Peace, who has access to the data, the hacker is selling the information for just 0.425 Bitcoin, or $150. Since the passwords are more difficult to crack in that format, the data is basically a list of emails, Peace claims, something that contributes to the low asking price.

According to Hunt, who spoke with Threatpost last week, big data breaches like LinkedIn, Tumblr, and MySpace are simply the new normal and sites like LeakedSource, which is also selling the Tumblr data, are selling day passes to the information.

“Breach data markets used to be more cloak and dagger. Now the data is a commodity,” Hunt said, “… with data breaches making headlines every day, we have created a social immunity to them.”

While there’s certainly been a spike in older breaches – in this case hacks from 2012 and 2013 – making headlines, experts don’t see it as anything new.

“I don’t think this is a new trend as much as there are more and more researchers focusing on the topic and discovering what’s been around for years now. As more of these breaches come to light, companies are digging deeper for this information,” Brian Bartholomew, a Senior Security Researcher for Kaspersky Lab’s Global Research and Analysis Team, said Tuesday.

“Data from large breaches has been available for some time. It’s just up until recently, the only ones who really knew about how much is out there were the ones trading in that market,” Bartholomew said.

from Threatpost – English – Global – thr…

65 million Tumblr passwords stolen and up for sale

On 12 May, Tumblr revealed that it had just discovered a 2013 breach of user email addresses and passwords.

Details were sparse, and the company reportedly refused to put a number on the affected accounts.

Now, we know: the dataset included more than 65 million accounts, up for sale on the Dark Web, as confirmed by an independent security researcher.

Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned, on Monday sent out an email blast to affected Tumblr users who’d signed up for notifications when their accounts are pwned (including me).

According to the advisory, the total number of compromised accounts is 65,469,298.

That puts it in third place in the list of largest data breaches ever recorded on Have I Been Pwned, after the 164 million LinkedIn passwords listed for sale on the Dark Web earlier this month after a 2012 breach and the 152 million accounts from the 2013 Adobe breach.

Those are big leaks, but there’s a bigger one that still has to make it onto Have I Been Pwned’s list of top breaches: 360 million accounts from a past, unreported breach of MySpace.

What’s triggering this spate of datasets emerging from years-old breaches?

As Hunt said in a post on Monday, we’re seeing some commonalities:

  • The age: the age of the most recent breach is still more than 3 years. We don’t know the age of the MySpace breach, but MySpace hasn’t been widely used for years, so that breach also likely dates back a while
  • The size: these four breaches are in the top 5 of the biggest Have I Been Pwned has ever seen. Once the MySpace data shows up, these 4 incidents will account for two thirds of all the data in the system
  • The reveal: all the datasets have emerged in May
  • The purveyor: all four datasets have been listed for sale on the Dark Web by the same account, “peace_of_mind,” who’s known simply as “Peace.”

Just because Peace offered them for sale doesn’t mean that he’s the one responsible for any of the initial breaches. Maybe they were sitting around for years, or maybe they’ve been passed from illicit hand to illicit hand for years.

But as Hunt noted, if all of this adds up to a trend, it’s quite possible that it will continue. If so, we can gird our loins for more enormous breaches surfacing and for more public releases of data.

Tumblr says it looks like the logins haven’t been used by whoever nabbed them:

We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter.

Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.

Passwords that are securely stored should be salted and hashed (we have a detailed article for techies and an explanation in plain English in our article about the recent MySpace breach), so there’s a bit of a silver lining here.

The salt isn’t a secret cryptographic key – indeed, it’s typically stored along with the final password hash – but instead serves to ensure that if two users pick the same password, they don’t end up with the same hash.

Salting therefore ensures that hash-cracking lists can’t be pre-computed for all users in advance: you’d have to pre-compute a hash list for each possible salt combined with each possible dictionary word.
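To make the two points above concrete, here is an added Python demonstration (not code from the article, Tumblr or MySpace) with a constructed user list and a constructed dictionary of common passwords; the account names and passwords are made up, and SHA-1 is used only because it is the function these breaches involved.

```python
import hashlib
import os

# Constructed sample data for the demonstration (not real accounts).
# Note that alice and bob happen to have chosen the same password.
USERS = {"alice": "summer2013", "bob": "summer2013", "carol": "Tr0ub4dor&3"}
# Constructed list of common passwords, standing in for a cracking dictionary.
DICTIONARY = ["password", "123456", "summer2013", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users):
    """MySpace-style storage described above: bare SHA-1 of the password."""
    return {user: sha1_hex(pw.encode()) for user, pw in users.items()}


def store_salted(users, salt_bytes=16):
    """Tumblr-style storage: a random per-user salt kept next to the hash.
    The salt is not secret; it only has to differ from user to user.
    (A production system would additionally use a deliberately slow password
    hash such as bcrypt, scrypt or PBKDF2 instead of plain SHA-1, since the
    text is right that salting alone is not enough.)"""
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(salt_bytes)
        stored[user] = (salt.hex(), sha1_hex(salt + pw.encode()))
    return stored


def precomputed_table(dictionary):
    """hash -> password for every dictionary word, computed once up front.
    This is the 'pre-computed hash-cracking list' the text refers to."""
    return {sha1_hex(word.encode()): word for word in dictionary}


def match_unsalted(stored, table):
    """Against unsalted hashes a single table lookup recovers each password."""
    return {user: table[h] for user, h in stored.items() if h in table}


def match_salted(stored, table):
    """Against salted hashes the same table never matches: each stored value is
    SHA-1(salt || password), and the table was built without any salt."""
    return {user: table[h] for user, (_salt, h) in stored.items() if h in table}


def verify_salted(stored, user, candidate):
    """How the site checks a login: re-hash the candidate with the stored salt."""
    salt_hex, expected = stored[user]
    return sha1_hex(bytes.fromhex(salt_hex) + candidate.encode()) == expected


STORED_UNSALTED = store_unsalted(USERS)
STORED_SALTED = store_salted(USERS)
TABLE = precomputed_table(DICTIONARY)

if __name__ == "__main__":
    print("same password, same unsalted hash:",
          STORED_UNSALTED["alice"] == STORED_UNSALTED["bob"])
    print("same password, same salted hash:  ",
          STORED_SALTED["alice"][1] == STORED_SALTED["bob"][1])
    print("table matches (unsalted):", match_unsalted(STORED_UNSALTED, TABLE))
    print("table matches (salted):  ", match_salted(STORED_SALTED, TABLE))
    print("carol logs in:", verify_salted(STORED_SALTED, "carol", "Tr0ub4dor&3"))
```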

As with any data breach, those affected should head over to Tumblr to change their passwords immediately.

Finally, if you’ve used the same password in other places (which of course you shouldn’t – and here’s why it matters), you should head to those other sites and change it there – using a unique password for each site.

from Naked Security – Sophos

Hackers Find Bugs, Extort Ransom and Call it a Public Service

Crooks breaking into enterprise networks are holding the data they steal for ransom under the guise that they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching by IBM researchers and is a growing threat to businesses vulnerable to attacks.

According to IBM’s X-Force researchers, the new tactic is a variation on ransomware. In the case of bug poaching, hackers are extorting companies for as much as $30,000 in exchange for details on how the hackers broke into their network and stole data. More conventional ransomware attacks, also growing in number, simply encrypt data and demand payment for a decryption key.

Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability, said John Kuhn, senior threat researcher for IBM Managed Security Services.

“These attackers are trying to play a moral high ground when it comes to exposing bugs,” Kuhn said to Threatpost in an interview. “But make no mistake, this is straight up extortion,” he said.

IBM says it’s aware of 30 unsolicited bug poaching incidents within the past 12 months. According to Kuhn, similar incidents of extortion were unheard of before that. He predicts that this type of extortion will become more commonplace and that companies need to protect themselves from this type of attack.

IBM says a typical bug poaching incident starts with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for details of how the data was stolen.

During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: “Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun.”

Kuhn said that payment of the ransom is no guarantee the hackers will destroy the stolen data.

“These attackers are equal opportunity hackers looking for any business that may have a simple vulnerability to exploit such as a SQL injection attack against a website flaw,” Kuhn said. Other attacks have included the use of off-the-shelf penetration testing tools to find flaws.

“So far, none of the cases investigated use significant zero-day vulnerabilities, but rather tactics that could easily be prevented,” wrote Kuhn in a blog post describing bug poaching.

Kuhn anticipates that these attacks will become more sophisticated as any success will inspire bigger paydays against larger companies.

“While on the surface these attackers may seem to be less threatening than others, they still pose a threat to an organization’s data and security posture,” Kuhn wrote.

from Threatpost – English – Global – thr…

Bloatware Insecurity Continues to Haunt Consumer, Business Laptops

Last year’s Superfish and eDellRoot bloatware mishaps exposed the security nightmare that pre-installed software updaters can create on new laptops. And while these two high-profile incidents made the issue public, they’re hardly isolated cases.

Many popular consumer and business laptops from manufacturers such as Dell, HP, Lenovo, Asus and Acer include bloatware that has a host of security issues. Some transmit XML manifests in the clear, exposing machines to man-in-the-middle attacks, while other flaws can grant attackers privilege escalation or the ability to execute arbitrary code, sometimes at SYSTEM level. Those that do encrypt updates have such poor implementations that they fail to properly validate updates. In all, the attack surface exposed by these programs is large and, in most cases, trivial to exploit.

Researchers at Duo Labs today published a report on their findings after pulling apart the bloatware from 10 new laptops, all running either Windows 8.1 or Windows 10, including some Microsoft Signature edition machines that are supposed to be bloatware free, but still include some of these components.

They found and privately disclosed a dozen vulnerabilities, half of which were rated high-severity. Asus and Acer have yet to patch any of the flaws reported to them; the two Asus bugs are more than 125 days old and allow for code execution and privilege escalation, while the Acer flaws are more than 45 days old and both expose systems to arbitrary code execution.

HP has patched four of the seven flaws reported to it, while Lenovo said it would remove the affected software from its systems starting in late June.

Dell, meanwhile, has silently updated some flaws, and has mitigations in place that prevent the exploitation of others.

“There are more nuanced flaws. All of these updaters specify their own update manifests where the system grabs an XML file over HTTP (Dell downloads its updates over HTTPS). None of the manifests are signed and they don’t use proper engineering practices to make sure the integrity of the manifests is validated properly,” said Darren Kemp, a Duo Labs researcher and one of the report’s authors. “All of (the manifests) include commands to ensure the updates run properly. A bad guy can hijack those commands and execute with system level permission.”

Most of these updaters run with system-level privileges, meaning they’re going to bypass any security protection on the machine.

“Most are implementation and design issues where things are fundamentally broken by design,” Kemp said. “They are not easily mitigated without rewriting how the software works. There are not a lot of controls to prevent this.”

The bloatware in question is primarily there for feature updates for the respective OEM components, things that manufacturers receive monetary incentives to pre-install on computers.

“All of them tended to suffer from the same kinds of flaws, and the level of vulnerabilities on these things negate the hard work Microsoft put in hardening Windows 10,” Kemp said. “The reality is that for most, it’s trivial to perform man-in-the-middle attacks, whereas it’s non-trivial against Windows Update, for example. Very little security engineering went into these.”

Duo Labs identified a number of security issues including the lack of TLS protecting executable files and manifests, as well as a lack of integrity validation of manifest files that could be hijacked in a man-in-the-middle attack and modified to inject malicious software. The respective vendors also failed to validate that executable files running via the updaters were published by the expected source, Duo said, adding that Windows supports this capability via Authenticode. In some cases the validation was not performed or done incorrectly where certificate chains were not validated.

Duo also expressed concern in its report over obfuscation techniques designed to store encrypted versions of strings and other data that were trivial to reverse engineer.

“By their very nature, they are highly privileged, easy to exploit, and not difficult to reverse engineer,” Duo said in its report. “Couple that with limited security review, and this creates the perfect storm for a network-based attacker.”

from Threatpost – English – Global – thr…

Improving software security through a data-driven security model

The current software security models, policies, mechanisms, and means of assurance are a relic of the times when software began being developed, and have not evolved along with it, says Google researcher Úlfar Erlingsson. Practical security of computer users has, therefore, worsened, even as a plethora of computer security mechanisms have been introduced time and time again.


Erlingsson proposes a new data-driven software security model to improve user and system security.

“When deciding whether software should be permitted to perform a security-relevant action, it seems like a good idea to consider the historical evidence of what actions that software has performed in the past,” he noted.

“For popular, widely-used software, there are literally billions of executions from which to draw such historical evidence, thereby allowing a very accurate view of what constitutes ‘normal’ software execution to be established.”

He posits that this “historical” information, properly summarized and used along with the software, could support this new security model, which says: “Permit only executions that historical evidence shows to be common enough, unless given explicit, special permission.”

“This model could, by default, prevent many software attacks, such as privilege-escalation exploits of the vulnerabilities regularly discovered in esoteric operating system services,” says Erlingsson. “Most recently, this model’s enforcement would have blocked exploits of the CVE-2016-0728 vulnerability by prohibiting use of the Linux keyctl system call in commonly-used applications, since historical evidence would have shown that this software never used keyctl or kernel keyrings.”
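As an added illustration of the rule quoted above (this is not Erlingsson’s code nor Google’s implementation), here is a toy evidence-based policy in Python: a constructed execution history is summarized per program, and a syscall is permitted only if it was common in that program’s past executions or has explicit special permission. The program names, syscall sets and the 2% “common enough” threshold are assumptions made for the example.

```python
from collections import Counter

# Assumed threshold for "common enough": a syscall is permitted by default only
# if it was used in at least this fraction of the program's recorded executions.
MIN_FRACTION = 0.02


def constructed_history():
    """Constructed sample evidence (not real telemetry): one (program, set of
    syscalls used) pair per recorded execution."""
    base = {"read", "write", "mmap", "openat", "socket"}
    history = []
    for i in range(100):
        calls = set(base)
        if i % 33 == 0:        # executions 0, 33, 66, 99: 4% also used ioctl
            calls.add("ioctl")
        if i == 42:            # a single execution (1%) used ptrace
            calls.add("ptrace")
        history.append(("browser", calls))
    for _ in range(10):        # a small utility that legitimately uses the kernel keyring
        history.append(("keyring_tool", {"read", "write", "keyctl"}))
    return history


def build_profile(history):
    """Summarize the evidence: per program, how many executions were recorded
    and in how many of them each syscall appeared (counted once per execution)."""
    profile = {}
    for program, calls in history:
        entry = profile.setdefault(program, {"executions": 0, "uses": Counter()})
        entry["executions"] += 1
        entry["uses"].update(calls)
    return profile


def observed_fraction(profile, program, syscall):
    """Fraction of the program's recorded executions that used the syscall;
    0.0 when there is no history for the program at all."""
    entry = profile.get(program)
    if not entry or entry["executions"] == 0:
        return 0.0
    return entry["uses"][syscall] / entry["executions"]


def permit(profile, program, syscall, explicit=frozenset(), min_fraction=MIN_FRACTION):
    """Decide whether the action is permitted, returning (allowed, reason).
    `explicit` is a set of (program, syscall) pairs with special permission,
    which overrides the evidence-based default."""
    if (program, syscall) in explicit:
        return True, "explicit permission"
    frac = observed_fraction(profile, program, syscall)
    if frac >= min_fraction:
        return True, f"common: seen in {frac:.0%} of executions"
    if frac == 0.0:
        return False, "never observed historically"
    return False, f"rare: seen in only {frac:.0%} of executions"


PROFILE = build_profile(constructed_history())

if __name__ == "__main__":
    # The keyctl case from the text: the browser has no history of using it,
    # so the default policy blocks it; the keyring tool's use is common and allowed.
    for program, syscall in [("browser", "read"), ("browser", "ioctl"),
                             ("browser", "ptrace"), ("browser", "keyctl"),
                             ("keyring_tool", "keyctl"), ("unknown_app", "read")]:
        allowed, reason = permit(PROFILE, program, syscall)
        print(f"{program:13s} {syscall:8s} -> {'ALLOW' if allowed else 'DENY':5s} ({reason})")
    print(permit(PROFILE, "browser", "keyctl", explicit={("browser", "keyctl")}))
```

A program with no recorded history is denied everything by default, which is the "unless given explicit, special permission" clause doing its job for brand-new software.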

This approach could be used either by itself or combined with existing security models.

Erlingsson is aware that there may be obstacles to implementing it: it hinges on efficient monitoring of how software is behaving, and that monitoring should be carried out without intruding on users’ privacy.

But these things can be achieved, he believes, and machine learning methods can help discover users’ expectations for intended software behavior, and thereby help set security policy.

In his paper, he also details examples of how Google has already managed to successfully perform and/or implement all three of these steps.

from Help Net Security – News