November 28, 2014

Kaspersky unveils The Mask, a 5 year cyber-espionage operation

Kaspersky Lab has revealed details of Careto/The Mask, a complex advanced persistent threat (APT) that has been running since 2007. The Mask uses a sophisticated set of tools, including malware, rootkits and bootkits, to infect Windows, OS X and Linux machines.

Kaspersky first noticed The Mask when it observed the malware attempting to hide itself from Kaspersky Lab products by exploiting vulnerabilities in those programs. Those vulnerabilities were fixed five years ago, and Kaspersky has been researching the operation since then. Kaspersky rates The Mask above Duqu in terms of sophistication, and it is possible that the operation was state-sponsored.

The main targets of The Mask fall into the following categories:

  • Government institutions
  • Diplomatic offices and embassies
  • Energy, oil and gas companies
  • Research institutions
  • Private equity firms
  • Activists

Morocco was the most targeted country, with over 380 IP addresses seen in Mask-related traffic; the United Kingdom, Spain and France were also among the top five infected countries.

    Once a machine is infected, The Mask intercepts all communication channels and starts stealing data, including encryption keys, VPN configurations, SSH keys and RDP files. It may also steal data related to custom military/government-level encryption tools.

    “Detection is extremely difficult because of its stealth rootkit capabilities. In addition to built-in functionalities, the operators of Careto can upload additional modules which can perform any malicious task. Given the nature of the known victims, the impact is potentially very high,” wrote members of the Global Research & Analysis Team (GReAT) at Kaspersky Lab.

    Among the exploits used by The Mask is an Adobe Flash Player vulnerability which was discovered by VUPEN and used to win the CanSecWest Pwn2Own contest in 2012. The exploit, which included a technique for escaping Google Chrome’s sandbox, was sold to VUPEN’s customers and not disclosed publicly. It is possible that the group behind The Mask purchased the exploit from VUPEN.

    At the moment the command and control servers used by The Mask are offline. The attackers began taking them down in January 2014, but they could resurrect the campaign at some point in the future. The high degree of professionalism shown by those running The Mask, including the way the operation was shut down and the secure wiping of log files rather than simply deleting them, is another reason to believe the operation was state-sponsored.

    Three expert tips on business web security

    If there is one thing we can be sure of when it comes to IT infrastructure security, it is that we need to cover a lot of ground. Threats to our business can come from a wide variety of sources: emails, portable storage devices, insider attacks, remote attacks, physical attacks, as well as web usage. Every single vector requires its own considerations and should not be neglected. After all, your security is only as strong as your weakest link.

    Dashboard Activity – GFI WebMonitor™

    So how do we go about ensuring our business web security?

    Antivirus Technology:

    One of the major risks of providing web access is that it can lead to the introduction of malware on your network. To counter such risks we need to employ antivirus capabilities that can detect and stop malware from spreading.

    There are a few things you should look out for to ensure your investment provides maximum protection. Antivirus solutions use various technologies to detect malware. One is manual analysis by engineers, who then release specific signatures for their product through updates. Another is heuristic analysis, in which the antivirus solution detects malware based on its behaviour. Different antivirus solutions have varying degrees of success, so using multiple antivirus engines can give you an edge in keeping your network secure against malware.

    Anti–Phishing:

    After malware, the biggest risk posed by having web access is probably phishing attacks. Specially crafted websites, made to look like legitimate business services your organization uses, can trick your employees into disclosing confidential information such as financial credentials. Solutions designed to ensure your business’ web security provide a number of options to protect your users from phishing attacks. These can include fingerprint information as well as databases of known phishing URLs.

    Malicious Websites:

    The most common way employees get their computers infected with malware is through social engineering that encourages them to download malware and run it. Some malicious websites, however, do not need to rely on this step at all. Using exploits or misdirection, they can either get the web browser to download the malware and infect the victim’s machine without the user being aware, or they can manipulate the user into downloading malicious software they believe to be safe because it appears to come from a reputable source, when in fact it comes from a source the attacker chooses.

    Ensure your network has controls that help your users avoid such scenarios. Good web security software should include a number of features that prevent such occurrences. The ability to analyse and detect malicious code, databases containing fingerprint data of such malicious attacks, and a list of URLs of known malicious sites are all useful in keeping your network secure. Other, more advanced, products can also use technologies such as web categorization, which allows an administrator to configure access to websites based on your company’s needs and thus keep risks to a minimum.

    We all know business web security is a priority if we want to ensure proper business continuity. The three tips discussed above go a long way to protect your business from downtime due to a web security compromise.

    Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what your web security solution should include.

    Disclaimer: All product and company names herein may be trademarks of their respective owners.

    Maintenance and Security Update for WordPress

    (LiveHacking.com) – The WordPress team has released WordPress 3.4.1 to fix an important information disclosure vulnerability, in addition to Cross-Site Scripting (XSS) and privilege escalation vulnerabilities.

    According to the WordPress blog, this release also addresses 18 bugs with version 3.4, including:

    • Fixes an issue where a theme’s page templates were sometimes not detected.
    • Addresses problems with some category permalink structures.
    • Better handling for plugins or themes loading JavaScript incorrectly.
    • Adds early support for uploading images on iOS 6 devices.
    • Allows for a technique commonly used by plugins to detect a network-wide activation.
    • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.

    WordPress 3.4.1 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

    Secunia Released Secunia Personal Software Inspector 3.0

    (LiveHacking.com) – Secunia, the Danish IT security solution provider has released Secunia Personal Software Inspector 3.0.


    According to the official Secunia press release sent to LiveHacking.com, Secunia PSI 3.0 is a free personal vulnerability scanner that identifies installed software applications that are insecure and in need of security updates or patches.

    Secunia PSI 3.0 New Features & Improvements

    1. Simple User Interface: The new and simplified user interface displays the key information that users need to know such as scan results, the security status of installed software, and the last update dates. Further, the new settings menu allows users to select whether or not to install updates automatically, and which drives are to be scanned.
    2. Automatic Patching: Secunia PSI 3.0 can automatically install updates for all software supported by the application.
    3. Localization: The Secunia PSI 3.0 can be installed in any one of five languages including French, Spanish, German, Danish and English.
    4. Program Ignore Rules: Users have the ability to ignore updates to a particular program by creating ignore rules.
    5. Scan History: Reports about the updates installed and scans conducted can be accessed at any time through the history feature.

    The Secunia PSI 3.0 is available to download here.

    Tenable Network Security Released Nessus 5.0.1

    (LiveHacking.Com) – Tenable Network Security has released version 5.0.1 of its widely used vulnerability and configuration assessment scanner, Nessus.

    Nessus 5.0.1 is a bug fix and enhancement release focused on a packet forgery fix on Windows setups and a compatibility fix for reading a 64-bit database on a 32-bit system and vice versa.

    Here is the list of enhancements and bug fixes from the Nessus 5.0.1 release announcement:

    • Resolved an issue where packet forgery was not working on some Windows setups
    • Improved the Windows installer which would fail on some setups
    • Fixed several thread synchronization issues leading to a crash in certain situations
    • Imported v1 reports are more legible
    • Nessus can now read a 64-bit database on a 32-bit system and vice-versa
    • Identified and resolved a minor memory leak issue occurring on all platforms
    • Scanning with a SSL certificate defined in the policy would sometimes cause a scanner crash
    • Workaround for CVE-2011-3389
    • Worked around a possible incompatibility with the Fedora 16 / Debian 6 memory allocator
    • Restored the ability to log in via certificate authentication on port 1241 when “force_pubkey_auth = no”
    • This version of Nessus now includes OpenSSL version 1.0.0h

    Nessus 5.0.1 can be downloaded from here.

    Facebook Scams with Chrome and Firefox Plugins

    Picture Source: Websense security labs

    (LiveHacking.Com) – Security researchers at Websense® have discovered new Facebook scams.

    According to the report published by Websense®, the attacker uses social engineering lures such as an engaging video or the offer of a free voucher to draw victims to the scam pages. Victims are then asked to install a browser plugin. Once installed, the plugin uses a malicious script and the Facebook API to post the scam to the victims’ friends’ pages.

    According to the Websense® researchers, at the moment, only Chrome and Firefox plugins are being used.

    More information is available at Websense® Security Blog.

    phpMyAdmin Releases Version 3.4.9 to Fix XSS Vulnerabilities

    (LiveHacking.Com) – phpMyAdmin’s development team has released version 3.4.9 of the open source database administration tool. The new version fixes two critical cross-site scripting (XSS) vulnerabilities: one in the setup interface and one in the export panels of the server, database and table sections.

    All 3.4.x versions of phpMyAdmin up to and including 3.4.8 are affected. Upgrading to version 3.4.9 to correct these security issues is highly recommended.

    The new fixes are:

    • bug #3442028 [edit] Inline editing enum fields with null shows no dropdown
    • bug #3442004 [interface] DB suggestion not correct for user with underscore
    • bug #3438420 [core] Magic quotes removed in PHP 5.4
    • bug #3398788 [session] No feedback when result is empty (signon auth_type)
    • bug #3384035 [display] Problems regarding ShowTooltipAliasTB
    • bug #3306875 [edit] Can’t rename a database that contains views
    • bug #3452506 [edit] Unable to move tables with triggers
    • bug #3449659 [navi] Fast filter broken with table tree
    • bug #3448485 [GUI] Firefox favicon frameset regression
    • [core] Better compatibility with mysql extension
    • [security] Self-XSS on export options (export server/database/table), see PMASA-2011-20
    • [security] Self-XSS in setup (host parameter), see PMASA-2011-19

    The new versions of phpMyAdmin are available to download from the project website. phpMyAdmin is licensed under version 2 of the GNU General Public License.

    New Version of Secpoint Google Hacking Database and Tool Released

    (LiveHacking.Com) – Danish IT security company Secpoint has released a new version of its Google Hacking database and tool.

    The new version has more than 7800 updates to its Google Hacking database, in addition to friendlier output and support for multiple sites in the tool.

    This open source tool can help security professionals and penetration testers submit automated queries to Google and save the output to a file for further investigation.

    The following Google hacking databases are included in the Secpoint Google Hacking tool:

    1. devices_and_cameras.txt
    2. errors.txt
    3. files.txt
    4. interesting_directories.txt
    5. interesting_info.txt
    6. login_pages.txt
    7. misc.txt
    8. network_or_vulnerability data.txt
    9. passwords_and_usernames.txt
    10. sql_injection_list.txt
    11. vulnerabilities.txt
    12. vulnerable_systems.txt
    13. webserver_banners.txt

    The Secpoint Google Hacking database and tool is available to download here.

    Disclaimer: It is against Google’s Terms of Service to send automated queries to Google’s System.

    Critical Vulnerability in TYPO3 Core: Remote Code Execution

    (LiveHacking.Com) – The TYPO3 development team has issued a warning about a critical vulnerability in the TYPO3 content management system.

    According to the TYPO3 security bulletin, a crafted request to a vulnerable TYPO3 installation allows an attacker to load PHP code from an external source and execute it on the TYPO3 installation. The issue is due to insufficient validation of the BACK_PATH parameter in AbstractController.php, which leads to remote file inclusion and hence remote code execution.

    With reference to the TYPO3 security advisory, a vulnerable system meets all of the following conditions:

    1. TYPO3 version 4.5.0 up to 4.5.8, 4.6.0 or 4.6.1 (plus development releases of the 4.7 branch).
    2. The following PHP configuration variables set to “on”: register_globals (“off” by default, and advised to be “off” in the TYPO3 Security Guide), allow_url_include (“off” by default) and allow_url_fopen (“on” by default).

    The following solutions have been advised by the TYPO3 security advisory:

    1. Update to TYPO3 version 4.5.9 or 4.6.2, which fix the problem described.
    2. Set at least one of the following PHP configuration variables to “off”: register_globals, allow_url_include or allow_url_fopen.
    3. Apply the security patch.
    4. Set up a mod_security rule: SecRule ARGS:BACK_PATH “^(https?|ftp)” “deny”.

    Please view the TYPO3 security advisory for more information.
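    The conditions and mitigations above describe a classic remote file inclusion pattern: with register_globals on, a request parameter becomes the PHP variable $BACK_PATH, and with allow_url_include and allow_url_fopen on, an include built from it can fetch code from a URL. The following Python script is an added example written for this page, not code from TYPO3 or from the advisory; it compares the advisory’s mod_security regex with an allow-list of what BACK_PATH legitimately looks like. The allow-list pattern, the placeholder file name init.php, the host attacker.example and the sample values are assumptions of the example.

```python
"""Check a TYPO3-style BACK_PATH request parameter before it reaches an include.

Compares the scheme-blacklist regex from the advisory's mod_security rule with an
allow-list of the shape BACK_PATH legitimately takes (this example's assumption).
"""
import re

# The pattern from the advisory's rule: SecRule ARGS:BACK_PATH "^(https?|ftp)" "deny"
ADVISORY_DENY = re.compile(r"^(https?|ftp)")

# Allow-list (an assumption of this example, not TYPO3's own check): BACK_PATH is the
# relative path from the calling script back to the TYPO3 root, so it may consist of
# zero or more "../" segments and nothing else.
ALLOWED_BACK_PATH = re.compile(r"^(\.\./)*$")

# Wrappers that PHP documents as restricted by allow_url_include besides http(s)/ftp.
# They carry no "http"/"ftp" prefix, so the advisory's regex never matches them.
NON_HTTP_INCLUDE_WRAPPERS = ("data:", "php://input")


def advisory_rule_blocks(back_path: str) -> bool:
    """True if the advisory's (case-sensitive) mod_security regex would deny the value."""
    return ADVISORY_DENY.match(back_path) is not None


def allowlist_accepts(back_path: str) -> bool:
    """True if BACK_PATH is a plain chain of '../' segments (or empty)."""
    return ALLOWED_BACK_PATH.match(back_path) is not None


def include_target(back_path: str, script: str = "init.php") -> str:
    """What an include of the form require($BACK_PATH . 'init.php') would try to open.

    'init.php' is a placeholder for this illustration; the page does not name the
    file TYPO3 actually includes after BACK_PATH.
    """
    return back_path + script


def is_remote_include(back_path: str) -> bool:
    """Would the include target be a URL-aware wrapper gated by allow_url_include?

    The scheme is lower-cased first so a mixed-case scheme cannot slip past a
    case-sensitive pattern.
    """
    target = include_target(back_path).lower()
    return (target.startswith(("http://", "https://", "ftp://"))
            or target.startswith(NON_HTTP_INCLUDE_WRAPPERS))


def classify(back_path: str) -> dict:
    """Summarise how each defence treats one BACK_PATH value."""
    return {
        "value": back_path,
        "target": include_target(back_path),
        "remote_include": is_remote_include(back_path),
        "advisory_rule_blocks": advisory_rule_blocks(back_path),
        "allowlist_accepts": allowlist_accepts(back_path),
    }


# Constructed sample values (not captured traffic): two legitimate relative paths,
# then hostile values using the reserved example host attacker.example.
SAMPLES = [
    "",
    "../../../",
    "http://attacker.example/payload.txt?",
    "HTTP://attacker.example/payload.txt?",   # same host, upper-case scheme
    "data:text/plain,placeholder",            # wrapper the regex does not name
    "/etc/",                                  # absolute local path, not a URL
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

    Running the script prints one classification per sample. Two caveats stand out: the advisory’s regex is case-sensitive unless the ModSecurity deployment applies a lowercase transformation to ARGS, and it only names http, https and ftp, whereas PHP’s allow_url_include setting also gates the data: and php://input wrappers. An allow-list of the expected shape, used alongside the php.ini settings and the official patch, does not depend on enumerating schemes.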

    ClamAV Version 0.97.2 Released

    (LiveHacking.Com) – The ClamAV development team has released version 0.97.2 of its open source anti-virus engine. This update includes fixes for problems with the bytecode engine, Safe Browsing detection, the hash matcher and other minor issues.

    ClamAV is an open source cross-platform anti-virus engine designed for detecting Trojans, viruses, malware and other malicious threats. ClamAV 0.97.2 is available to download for Linux and Unix distributions from the project’s web site.

    The ClamAV team have also announced a new service called “Third Party web interface”. It will allow selected individuals/organizations to publish ClamAV Virus Databases (CVD) through the ClamAV mirror network.

    ClamAV source code is released under the GNU General Public License (GPL).