December 4, 2016

Ransomware claims FBI knows victim’s computer is associated with crime and tells victim to pay fine

(LiveHacking.Com) – The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has published a warning about various ransom campaigns which are impersonating multiple U.S. Government agencies. The malware, which impersonates the United States Cyber Command (USCYBERCOM) and the Federal Bureau of Investigation (FBI), displays an alert telling the victim that a Federal Government agency has associated the user’s computer with one or more online crimes. To regain use of the computer the victim must pay a fine, often through a prepaid money card service.

The US-CERT warning comes after the discovery earlier this month of a piece of ransomware known as Reveton. The drive-by Trojan, which infects a victim’s PC when they visit a compromised website, locks the user’s computer, displays a bogus message and demands payment of fines. The bogus message says that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated with illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service. The FBI has confirmed that the malware has already successfully stolen money from a number of innocent victims.

Needless to say, government agencies don’t send official notifications as unsolicited emails or web pop-up alerts; such notifications are required by law to be delivered directly to the individual. Nor do government agencies ask for fines to be paid via prepaid money card services.

According to the US-CERT warning, victims can also choose to file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

US-CERT Warns of Ongoing Denial-of-Service Attacks by Anonymous

(LiveHacking.Com) – The United States Computer Emergency Readiness Team (US-CERT), the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS), has issued a warning about ongoing distributed denial-of-service attacks against different government institutions both in the USA and in the EU. According to the reports, these attacks are being attributed to the hacker group Anonymous.

Recent attacks by the group include:

  • Several Polish government websites, including those of the Prime Minister, the President and Parliament. A Polish branch of Anonymous has already claimed responsibility for the attacks.
  • The European Parliament website, which came under cyber attack on Thursday.
  • The Irish Department of Justice website and the sites of several large financial institutions.
  • Other targets in the last week have included Universal Music, the U.S. Department of Justice and the Recording Industry Association of America.

The attacks are motivated either by the recent shutdown of the Megaupload site or by the signing of the international Anti-Counterfeiting Trade Agreement (ACTA).

US-CERT encourages users and administrators to do the following to reduce the risk associated with this and other malware campaigns:

Wind River Systems VxWorks Vulnerabilities

The United States Computer Emergency Readiness Team (US-CERT) has issued two vulnerability notes for Wind River Systems VxWorks. The vulnerabilities were discovered and reported by security researchers at Metasploit.

Here are the notes issued by US-CERT:

Vulnerability Note VU#362332

Wind River Systems VxWorks debug service enabled by default

Overview

Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device’s memory and allows functions to be called.

Description

The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. Access to the WDB debug agent is not secured, so in a deployed system it constitutes a security hole.

It is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications.

Consult the VxWorks Kernel Programmer’s guide for more information on WDB.

Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog.

Impact

An attacker can use the debug service to fully compromise the device.

Solution

Disable debug agent

Vendors should remove the WDB target debug agent in their VxWorks based products by removing the INCLUDE_WDB & INCLUDE_DEBUG components from their VxWorks Image.

Restrict access

Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp) to only trusted sources until vendors have released patches to disable it.
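The restriction above can be expressed as an allow-list on the WDB port, and the same allow-list can drive detection of probes that were blocked. The following is an added example written for this article, not code from US-CERT, Wind River or Metasploit; the trusted networks, host names, chain name and the log lines are constructed, and only the port number (17185/udp) comes from the vulnerability note. It generates iptables rules that accept the port only from trusted sources and log-then-drop everything else, and it scans netfilter LOG lines for WDB traffic that did not come from a trusted source.

```python
import ipaddress
import re

# WDB target agent port named in the advisory: 17185/udp.
WDB_PORT = 17185

# Constructed allow-list: one engineering workstation and one lab subnet.
# Replace with the hosts that genuinely need debug access.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.10.5.20/32"),
    ipaddress.ip_network("10.10.9.0/24"),
]


def wdb_firewall_rules(trusted, chain="INPUT"):
    """Return iptables commands (as strings) that accept UDP 17185 only from the
    trusted networks, log everything else aimed at the port, then drop it.
    The LOG rule is what turns blocked probes into a detection signal."""
    rules = [
        f"iptables -A {chain} -p udp --dport {WDB_PORT} -s {net} -j ACCEPT"
        for net in trusted
    ]
    rules.append(
        f"iptables -A {chain} -p udp --dport {WDB_PORT} "
        f"-j LOG --log-prefix 'WDB-DROP '"
    )
    rules.append(f"iptables -A {chain} -p udp --dport {WDB_PORT} -j DROP")
    return rules


# Fields of a netfilter LOG line that the detector needs.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\w+) .*DPT=(?P<dpt>\d+)"
)


def untrusted_wdb_hits(log_lines, trusted):
    """Scan netfilter LOG lines and return (src, dst) for every UDP datagram aimed
    at the WDB port whose source lies outside the trusted networks."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None or m["proto"] != "UDP" or int(m["dpt"]) != WDB_PORT:
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in trusted):
            hits.append((m["src"], m["dst"]))
    return hits


# Constructed sample log lines in netfilter LOG format (not real captures).
SAMPLE_LOG = [
    "Aug  3 10:14:02 plc-gw kernel: WDB-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.10.5.44 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=4444 DPT=17185 LEN=40",
    "Aug  3 10:14:05 plc-gw kernel: WDB-DROP IN=eth0 OUT= SRC=10.10.9.15 DST=10.10.5.44 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51000 DPT=17185 LEN=40",
    "Aug  3 10:14:09 plc-gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.5.44 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=17185 WINDOW=1024",
    "Aug  3 10:14:12 plc-gw sshd[812]: Accepted publickey for ops from 10.10.5.20",
]

if __name__ == "__main__":
    print("\n".join(wdb_firewall_rules(TRUSTED_SOURCES)))
    for src, dst in untrusted_wdb_hits(SAMPLE_LOG, TRUSTED_SOURCES):
        print(f"untrusted WDB probe: {src} -> {dst}")
```

Only the first sample line is reported: the second comes from the trusted lab subnet, the third is TCP rather than the UDP service the note describes, and the fourth is not a netfilter line at all. The rules are emitted as strings so they can be reviewed before being applied on the gateway in front of the devices.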

Vulnerability Note VU#840249

Wind River Systems VxWorks weak default hashing algorithm in standard authentication API (loginLib)

Overview

The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password.

Description

An attacker with a known username and access to a service (telnet, rlogin or FTP) that uses the standard authentication API (loginDefaultEncrypt(), part of loginLib) can brute force the password in a relatively short period of time. Since the hashing algorithm is susceptible to collisions, the actual password does not have to be found, just a string that produces the same hash.

For instance, when the default ‘target/password’ login example is used, ‘y{{{{{kS’ hashes to the same string as ‘password’. It is thus possible to login using both ‘password’ and ‘y{{{{{kS’ as the passwords for the user ‘target’.

Impact

An attacker can brute force a correct password by guessing a string that produces the same hash and access the relevant service as the known user.

Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog.

Solution

Vendors that use VxWorks in their products should not use the default hashing algorithm in the standard authentication API (loginDefaultEncrypt()). A trusted authentication routine should be used instead; it can be installed by means of the loginEncryptInstall() loginLib hook.

In addition, and so as to avoid registration of the default ‘target’/’password’ credentials at init time, the LOGIN_USER_NAME and LOGIN_USER_PASSWORD project parameters/#defines should be set to empty strings (so that no user is registered using the default encryption routine). Only after the new encryption routine is registered should new users be added to the system. [Truncated]
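To make the collision problem and the fix concrete, here is an added example written for this article, not code from Wind River, US-CERT or Metasploit. The "toy additive hash" is constructed to exhibit the property the note describes (two different strings verifying as the same password); it is not the VxWorks loginDefaultEncrypt() algorithm. The hardened side uses a random per-user salt with PBKDF2-HMAC-SHA256 and a constant-time comparison, which is the kind of routine a vendor would register through loginEncryptInstall(); the storage format and the function names are this example's own, and the VxWorks registration call itself is not shown.

```python
import hashlib
import hmac
import os


def toy_additive_hash(password: str) -> str:
    """Constructed stand-in for a collision-prone password hash. It is NOT the
    VxWorks loginDefaultEncrypt() algorithm; it only sums the byte values, so any
    reordering of the characters produces the same digest."""
    return format(sum(password.encode()) & 0xFFFF, "04x")


def weak_verify(stored_hash: str, attempt: str) -> bool:
    """Verification as a collision-prone scheme does it: compare digests only,
    so any string with the same digest is accepted as the password."""
    return toy_additive_hash(attempt) == stored_hash


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Hardened replacement: random per-user salt plus PBKDF2-HMAC-SHA256.
    The dict is what a vendor-supplied routine would store instead of the
    default digest (the layout is this example's own choice)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def strong_verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def demo() -> dict:
    """Try the real password and a reordering of it against both schemes.
    'drowssap' is 'password' reversed: same bytes, same additive sum."""
    real, reordered = "password", "drowssap"
    weak_stored = toy_additive_hash(real)
    strong_stored = make_record(real)
    return {
        "weak_accepts_real": weak_verify(weak_stored, real),
        "weak_accepts_reordered": weak_verify(weak_stored, reordered),
        "strong_accepts_real": strong_verify(strong_stored, real),
        "strong_accepts_reordered": strong_verify(strong_stored, reordered),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The weak scheme accepts the reordered string because only the digest is compared and the digest depends on nothing but the multiset of bytes; the PBKDF2 record rejects it, and because each record carries its own salt, two devices shipped with the same default password do not even share a digest. On a real target the iteration count should be chosen against the device's CPU budget, and the empty LOGIN_USER_NAME/LOGIN_USER_PASSWORD settings described above keep the default credentials from ever being stored under the old routine.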