Monthly Archives: June 2016

LizardStresser IoT Botnet Part of 400Gbps DDoS Attacks

LizardStresser, a distributed denial of service botnet, has found new life leveraging hundreds of internet-based webcams in attacks against Brazilian-based banks, government agencies as well as a handful of U.S.-based gaming companies.

Researchers at Arbor Networks’ Security Engineering and Response Team (ASERT) say the LizardStresser source code, publicly released in 2015 by the Lizard Squad DDoS group, is behind the attacks. In a report released this week, ASERT says an unknown group of cybercriminals is running this latest iteration of the LizardStresser botnet via approximately 100 command-and-control servers, controlling about 1,300 webcams and launching attacks as large as 400Gbps.

It’s unclear whose webcams are being hijacked in the attacks, but researchers say those that are part of this LizardStresser botnet are running either the x86, ARM or MIPS CPU architecture – all commonly used on embedded IoT devices.

An additional commonality between infected webcams is that 90 percent of the hosts had an HTML title of “NETSurveillance WEB”. Arbor Networks researchers believe the NetSurveillance Web interface is generic code used by a large number of internet-accessible webcams.

“Each one of these cameras seems to also share the trait of having default configurations, making simple work out of guessing usernames and passwords in order to gain telnet access to the cameras,” said Kirk Soluk, researcher with Arbor’s Security Engineering and Response Team.

The LizardStresser botnets carry out what are called telnet brute-force attacks, in which the bots attempt to log in to random IP addresses using a hard-coded list of default usernames and passwords. Once an IoT device is accessed, a command-and-control server sends the botnet code down to the webcam.

Also noteworthy to researchers was the fact that the botnet is particularly robust, able to launch attacks as large as 400Gbps without any amplification. “What’s interesting is that the attack packets do not appear to be spoofed, meaning the traffic originates from the source addresses in the packets – and no UDP-based amplification protocols such as NTP or SNMP were used,” according to the report.

When researchers extracted geo-location data from the IP addresses generating the DDoS attacks, they traced an overwhelming amount of the traffic to Vietnam, followed by Brazil. Targets of the attacks were identified only as two large Brazilian banks, two Brazilian telco firms, two government agencies and three large gaming companies located in the U.S.

This is not the first time that LizardStresser botnets have been used to launch DDoS attacks from IoT devices. In January 2015 the Lizard Squad took credit for attacks that crippled both Xbox Live and the PlayStation Network (PSN) networks on Christmas day. Those attacks were launched from hacked and infected home routers.

This is also not the first time internet-accessible video cameras have been leveraged in a botnet attack. Earlier this week a much larger botnet, consisting of 25,000 internet-enabled closed circuit TV devices, was spotted by researchers at Sucuri. In that case the hackers used a different style of attack, a layer 7 HTTP flood.

Soluk says IoT devices are becoming bigger and more attractive targets for hackers. That’s because devices often run embedded or stripped-down versions of the Linux OS that lack security features.

“In order to save engineering time, manufacturers of IOT devices sometimes re-use portions of hardware and software in different classes of devices. As a product of this software re-use, the default passwords used to initially manage the device may be shared across entirely different classes of devices,” wrote ASERT in its report.

from Threatpost – English – Global – thr…

Massachusetts General Hospital Confirms Third-Party Breach

A breach at Massachusetts General Hospital has potentially compromised the information of roughly 4,300 dental patients, the hospital warned Wednesday.

MGH was quick to point out that the data leaked wasn’t stored or maintained on its systems but those of a third-party vendor that assists the hospital in managing dental patients at several practices, including the hospital.

The compromised database belongs to Patterson Dental Supply Inc., a medical supplies company headquartered in St. Paul, Minn. An unauthorized individual accessed electronic files on PDSI’s systems back in February, some of which included data on MGH dental patients, the statement reads.

It wasn’t until May 26 however – nearly three months after the breach – that law enforcement allowed the hospital to notify the public.

According to the statement “law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation.”

It took another month after the hospital got the green light to actually disclose the breach to victims. Following its own investigation the hospital claims it began mailing letters to notify those affected by the breach on Wednesday, June 26.

Patients who receive the letter will learn that sensitive information like their name, date of birth, and Social Security number may have been accessed. On top of that, “in some instances” the data may have included the date and type of their dental appointment, their dental provider name, and medical record number.

The fact that medical records are often so flush with information has made them a juicy target for attackers, especially as of late.

A report from this week detailed how some attackers are leveraging old worms like Conficker to target medical devices running on equally old platforms like Windows XP in order to extract medical records.

“These old worms such as Conficker are being used in tandem with much more sophisticated payloads that are able to go deeper into a hospital network and target specific devices that can gain criminals easier access to patient records,” Moshe Ben-Simon, co-founder of TrapX Labs, told Threatpost Thursday.

Another report from over the weekend claimed a hacker was selling upwards to 655,000 healthcare records on the dark web. That figure ballooned just a few days later, with some reports on Tuesday claiming that an even larger database, one that includes 9.3 million patient records from a health insurance provider, was making the rounds online.

Both headlines come in the wake of a report published last week that slammed hospital security. The report, “Workarounds to Computer Access in Healthcare Organizations,” commissioned by the University of Pennsylvania, Dartmouth College and the University of Southern California, found that workers at many facilities took shortcuts when it came to security and, even worse, that the infrastructure at many hospitals was fraught with vulnerabilities.

from Threatpost – English – Global – thr…

Foxit Patches 12 Vulnerabilities in PDF Reader

Foxit patched a dozen vulnerabilities in its PDF reader software this week, more than half of which could allow an attacker to directly execute arbitrary code on vulnerable installations of the product.

The company released version 8.0 of its Foxit Reader and Foxit PhantomPDF on Monday, addressing vulnerabilities in builds and earlier of the product. Details around the issues weren’t publicly disclosed until two days later, on Wednesday, in coordination with the Zero Day Initiative.

As with most PDF vulnerabilities, user interaction is required to exploit any of them, meaning an attacker would have to trick a user into either visiting a malicious page or opening a malicious PDF file. While eight of the vulnerabilities can directly result in remote code execution, technically all of them could be used to execute code; some just need to be chained with other vulnerabilities to do so.

Five of the issues stem from flaws in the ConvertToPDF plugin, a Windows shell extension Foxit installs alongside the Reader software for converting PDF files or combining supported files.

To exploit these vulnerabilities an attacker could use an image file – a BMP, TIFF, GIF, or JPEG – to trigger a read past the end of an allocated buffer or object. From there, depending on the vulnerability, an attacker could either leverage the flaw as is, or use it in conjunction with other vulnerabilities to “execute code in the context of the current process.”

Some of the lower-tier bugs exist in specialized functionality within the software, such as one in the way Reader handles SWF files embedded inside PDF files. Since these files run outside the “Safe Mode” context, an attacker could use the bug to disclose sensitive information on vulnerable builds of the Reader.

Additional flaws exist in other functions within the software, like the decoder FlateDecode, exportData, how it handles the GoToR action, and how it handles PDF patterns.

In exportData, because of a restrictions flaw, the software fails to properly check the path passed to exportData. With FlateDecode, a FlateDecode stream can force a dangling pointer to be reused after it has been freed. Reusing a dangling pointer whose memory has already been freed and not reallocated is a use-after-free, a memory corruption flaw that attackers can leverage to execute arbitrary code. The GoToR action could lead to a stack buffer overflow, which could also allow an attacker to execute code.

Researchers from Tencent’s Xuanwu LAB, Source Incite, and Fortinet’s Fortiguard Labs, many of whom worked alongside ZDI to disclose the issues, helped dig up the bugs.

It’s the fourth time this year the company has patched Reader, a piece of software the company claims 400 million people use to view PDFs.

from Threatpost – English – Global – thr…

“Beaver Gang Counter” malware ejected from Play Store

Thanks to Jagadeesh Chandraiah of SophosLabs for his work on this article.

Here’s another cautionary tale from Google Play.

The good news is that the malware in this story has now been removed by Google; the website it used to collect stolen data is offline; and a cautious user would probably have avoided the app in the first place.

The bad news, of course, is that the app fooled Google’s security checks, received Google’s imprimatur, and was accepted into the Play Store at all.

Here’s what you would have seen, back in May 2016 when no more than 10 people had tried the app, if you’d clicked on a link promoting it:

Image from 2016-05-12T23:22:16Z, recovered from the Googleusercontent cache

Beaver Gang Counter may sound an unlikely name for an app with an Entertainment – Everyone classification.

But if you are an avid post-modern gamer (by which we mean games of the board-and-card game sort that are quite deliberately played off-line and face-to-face), you might think it worth taking a look at.

Beaver Gang is a strategic card game for young and old, a contemporary spot of old-school gaming fun.

And fans of modern card and board games aren’t averse to apps that help them keep track of their gameplay, not only for fun but also to help them review the best strategies for the future.

What harm?

What harm to try out an apparently benign app that already has Google’s blessing?

When you run Beaver Gang Counter for the first time, you’ll probably spot the mistake that escaped the attention of reviewers from both Google and the cybercrooks:

There’s a spelling mistake right there in the main menu.

Even if you overlook that faux pas, and try to use the app, you’ll soon realise that you might as well not have bothered, because it doesn’t really do very much…

…so you’ll probably uninstall it and move on.

By then, however, it would be too late.

The Beaver Gang Counter malware explicitly targets users of Viber, a popular app that lets you make free calls, send free text messages, and more.

Like competing apps such as WhatsApp and Skype, you can make video calls, share images and join in multi-person chats.

According to Google Play, Viber currently has somewhere between 500 million and one billion installs, so there are plenty of Viber-equipped Android devices out there.

Once you load it, the Beaver Gang Counter malware raids your Viber directories and starts uploading your images to a website run by the crooks:

The malware raids your Viber directories and steals your images

Android apps can’t usually read each other’s data files, which prevents this sort of data-stealing malware from doing its dirty work.

But many apps store large files, such as videos, music and images, on your removable storage, usually an SD card.

That’s not only for convenience (so you can easily move them to other devices) but also to save space on the device itself (so you can install more apps).

Unfortunately, files on external storage aren’t locked down to specific apps by Android’s security subsystem.

Apps can read everything or nothing from your SD card, depending on whether they asked for the READ_EXTERNAL_STORAGE permission at install time.

If you’re wondering why Android doesn’t take as much trouble with SD card security, it’s because SD cards are supposed to be easy to remove and use in other devices, often to share data with completely different apps running on completely different operating systems. Locking individual files to specific apps on one device makes much less sense in that sort of environment.

What next?

We don’t think this malware seriously troubled anyone, and Google ejected it from the Play Store once its illicit “call home” behaviour became known.

Nevertheless, this story teaches us three things:

  1. Cybercrooks regularly manage to slip past Google Play’s up-front security checks.
  2. Apps can permanently harm your privacy, even if you only try them out briefly.
  3. External storage is less secure under Android than the storage in your device itself.

What to do?

  • Avoid apps with a poor or non-existent reputation. Don’t trust an app about which no one yet seems to know anything.
  • Stick to Google Play if you can. Despite this and other recent failures, it’s still safer than unregulated Android markets where anything goes.
  • Consider using an Android anti-virus. The Sophos product is free, and protects you automatically from malicious and low-reputation apps.
  • Avoid storing personal or private data onto your SD card. Android protects your data more strongly against malware when the data is stored on the device itself.

from Naked Security – Sophos

Setting up Two-Step Verification on your Amazon account

I admit I am not a fan of shopping, but if it has to be done, I vastly prefer to do it online. Nowadays the vast majority of my household purchases arrive in an Amazon box (apologies to my UPS delivery driver).

So if someone were to try to get their hands on my Amazon account, I shudder to think how much damage they could do to my credit. That’s why I made sure to enable Two-Factor Authentication (2FA) on my account – to make it a bit harder for a criminal to go on a shopping spree on my dime.

We’ve covered how to set up 2FA for Gmail earlier – now I’ll walk you through setting up 2FA on your Amazon account. It only takes just a few minutes and if you do a lot of shopping on Amazon, you should give it a try.

1) On a desktop computer, log in to your Amazon account as usual with your username and password. Keep your mobile phone handy for later steps.


2) Once logged in, click the Your Account menu item, at the top right near the Shopping Cart.


3) In the “Your Account” area, scroll down a bit until you see “Settings – Password, Prime & E-mail” and then click “Login & Security Settings,” which appears directly beneath “Account Settings.”


4) At the bottom of the “Change Account Settings” screen, click “Edit” next to “Advanced Security Settings.”


5) Now you’ll see an introductory screen telling you all about what Amazon calls “Two-Step Verification” – in other words, Two-Factor Authentication. Click “Get Started.”


6) Now Amazon gives you a choice in how you may want to receive your authentication code – Text message (SMS) or via an Authenticator app. For this step, I’m going to choose the Text Message option, but I will walk you through the Authenticator app in step 8.

To set up Text message authentication, enter your cell phone number and then hit “Send Code.”


7) Within a few moments, a text message should arrive on your phone, telling you what your Amazon security code is. Enter that code back on the Amazon screen, and hit “Verify code and continue.”


8) The next screen will prompt you to add a backup method to authenticate into your account, say if you no longer have access to your main phone or do not have cell service. You have the choice here between a text message, a voice call, or Authenticator app.

An important thing to note here is that you can’t use the same phone number you did in step 6 for either the backup text OR voice call. And since I only have one phone number, I will be using the Authenticator App.


To get an Authenticator app set up and connected to your Amazon account, here’s what you need to do:

  • Keep the Amazon window open on your desktop computer.
  • Open your phone’s app store – the Apple App Store or Google Play, for example.
  • Do a search for “Authenticator App”.
  • A number of options will come up – you’ll want to make sure you use an Authenticator from a reputable provider, like Amazon, Microsoft, or Google. I personally use and prefer the Google Authenticator, so that’s what I’ll demonstrate here for you.
  • Download the Authenticator app you’ve chosen (Google Authenticator in my case).
  • Open the app.
  • Tap the button in the app that allows you to add a new website. In the Google Authenticator, it’s the plus + button at the top right.
  • Tap “Scan barcode.”
  • Your phone’s camera will turn on and you’ll see a green box on your phone’s screen. Hold your phone up to your desktop computer window so your phone camera can scan the barcode shown on your Amazon account.
  • It takes just a second to scan, and you should shortly see an entry on your Authenticator that says Amazon, six digits, and the email address you use for your Amazon account.
  • Now, enter the six digit code shown on your Authenticator app back on your Amazon account screen, and hit “Verify and continue.”

9) Now that you’ve added a backup method, Amazon will show you one last screen about using 2FA on older devices (like an older Kindle) as well as disabling 2FA on computers you frequently use.


10) That’s it! Amazon will confirm that you’ve enabled 2FA on your account, and you are good to go.


You’ll also get an email from Amazon confirming this change to your account.


With 2FA set up you now have an extra layer of security on your account, and can shop a little bit safer. (2FA won’t save you from your own shopping spree of course, so be careful out there.) Will you be giving 2FA a try? Is there another service you use online that you’d like to see a 2FA guide for? Let us know in the comments.

from Naked Security – Sophos

Conficker Used in New Wave of Hospital IoT Device Attacks

Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps are increasingly being targeted by hackers seeking to steal patient medical records from hospitals. Attackers consider the devices soft digital targets, seldom guarded with the same security as client PCs and servers within hospitals.

In a report by security firm TrapX Labs, researchers found that the dearth of cyber defenses on clinical IoT medical equipment was tied to a resurgence of old malware such as networm32.kido.ib and the notorious Conficker worm. In its paper MEDJACK.2 Hospitals Under Siege (PDF), researchers describe how modern hospital security systems overlook protecting internet-connected devices running Windows XP or unpatched versions of Windows 7 and Windows 8, making them an easy target for ancient exploits.

“The malware utilized for this attack was specifically selected to exploit older versions of Windows… It enabled the attacker to install a backdoor within the enterprise, from which they could launch their campaign and quietly exfiltrate data and perhaps cause significant damage using a ransomware attack,” TrapX wrote in its report.

In its 2009 heyday Conficker was estimated to have infected between 9 million and 15 million computers. The computer worm was known for constantly morphing as its authors regularly updated the code. The worm targets Microsoft’s Windows operating system and was notorious for cracking passwords, hijacking Windows computers and enlisting them into botnets that distributed spam and installed scareware.

Researchers say they have captured new samples of the Conficker worm that have been updated with an enhanced ability to move laterally within a network and target specific types of medical devices. The malware is being delivered via spear phishing attacks against hospital staff. Once Conficker or networm32.kido.ib infects a host and wends its way inside a network, attackers use command-and-control instructions to deliver additional “more sophisticated” malware to devices.

“Wrapped inside an out-of-date malware wrapper for networm32.kido.ib, we determined that the malware was in fact quite sophisticated, and capable of ‘jumping’ or moving between networks successfully. The almost harmless networm, easily ignored by Windows 7 patched systems, Windows 8 platforms and new operating systems, exploited a vulnerability within Windows XP to load a RAT (remote access tool) so the attacker could load sophisticated, state of the art attacker software components,” according to the report.

In its previous 2015 report TrapX noticed similar types of attacks inside hospitals and healthcare facilities. What’s new is that “the old exploits such as Conficker are being used in tandem with much more sophisticated payloads that are able to go deeper into a hospital network and target specific devices that can gain criminals easier access to patient records,” said Moshe Ben-Simon, co-founder of TrapX Labs.

Patient records are quickly becoming a hot commodity on the dark web. Ben-Simon said medical records are known to hold greater value on the black market over other items such as credit card data. That’s because criminals can steal a patient’s identity and not just extend credit in their names, but also have costly prescriptions filled. “Insurance pays for the prescription and attackers can resell the drugs on the black market,” Ben-Simon said.

TrapX estimates that medical records fetch $10 to $20 per record on the black market versus about $5 for one financial profile.

Last week records for 655,000 patients, allegedly stolen from three healthcare organizations, wound up on the web. In that case, the attackers claim to have obtained the data via a remote desktop protocol attack.

According to the TrapX report, which studied real-world infections at three hospitals, a forensic investigation revealed that the presence of the Conficker worm failed to generate any cybersecurity alarms. TrapX reported the Conficker worm went unnoticed out of a lack of concern for the ancient exploit. “Medical devices are ‘black boxes’ and their internal software operations are not visible to the hospital cyber defense team. They run out of date operating systems, such as Windows 7 or Windows XP which are highly vulnerable and almost completely unprotected,” wrote researchers.

Ben-Simon said those medical devices are extremely attractive targets because each one of them is highly connected and linked to a community of additional vulnerable medical devices that in turn link to high-value patient data. “All it takes is one successful attempt for the attacker to establish a backdoor, find and steal data, or use automated tools to set a ransomware attack in motion,” according to the report.

from Threatpost – English – Global – thr…

Easily exploitable LibreOffice flaw is a godsend for hackers

A serious LibreOffice flaw can be easily exploited by attackers to deliver malware on computers running a vulnerable version of the popular free and open source office suite.

According to The Document Foundation, which develops the software suite, the vulnerability (CVE-2016-4324) arises from an insufficient check for validity while parsing the Rich Text Format (RTF) character style index.

It is a Use After Free vulnerability that could ultimately allow for malicious code execution. And, unfortunately, it’s easy to exploit.

“A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be used to execute arbitrary code,” says Cisco Talos technical lead of security research Martin Lee.

The attacker has to know how to create such a file, and then trick the targeted user into opening it with a vulnerable version of LibreOffice.

“Attackers have previously exploited RTF parser vulnerabilities in MS Office, and used RTF files as a vector for embedding other malicious objects,” Lee noted. “Raising awareness of the existence of vulnerabilities such as these with users can help in reminding people not to open unexpected or suspicious emails or files.”

Luckily, there is currently no indication that the flaw is being exploited in the wild, but now that its existence has been made public it’s possible that it soon will be, so upgrading to the latest version (5.1.4) of the suite is advised.

LibreOffice might not be as popular and widely used as MS Office, but it was used by over 75 million users in 2013, and that number is growing with each passing year.

Among its users are many government, city and law enforcement agencies and departments in many countries of the European Union, as well as all UK Government agencies nationwide.

The flaw was discovered by Cisco Talos researcher Aleksandar Nikolic.

from Help Net Security – News