
Tuesday, 11 November 2014

Darkhotel APT Malware Targets Global CEOs Using Hotel Internet
A seven-year-old cyber-espionage campaign has targeted senior-level executives of large global companies, using a specialized Advanced Persistent Threat (APT), zero-day exploits and well-developed keyloggers to extract information from them while they stay in luxury hotels on business trips.

Researchers at the Moscow-based security firm Kaspersky Lab dubbed the threat "DarkHotel APT". The attackers appear to know in advance when a targeted executive checks in to and out of a hotel.

The group has been operating in Asia since 2009, but infections have also been recorded in the United States, South Korea, Singapore, Germany, Ireland and many other countries. It uses hotel Wi-Fi networks to target elite executives at organisations in manufacturing, defense, investment capital, private equity, automotive and other industries.

The group has access to zero-day vulnerabilities and exploits, and it has used them to infect victims. The threat actors use three different malware distribution methods: malicious Wi-Fi networks, booby-trapped P2P torrents, and highly customized spear phishing, Kaspersky Lab reported in its research paper.

When the targeted executives connect their devices to the hotel's Wi-Fi or wired Internet access, they are shown bogus software updates that look legitimate, typically for Adobe Flash, Google Toolbar or Windows Messenger. These updates actually contain a Trojan dropper bundled with more malware.
"When unsuspecting guests, including situationally aware corporate executives and high-tech entrepreneurs, travel to a variety of hotels and connect to the internet, they are infected with a rare APT Trojan posing as any one of several major software releases," the researchers wrote in a report published Monday. "These might be GoogleToolbar, Adobe flash, Windows Messenger, etc. This first stage of malware helps the attackers to identify more significant victims, leading to the selective download of more advanced stealing tools."
"At the hotels, these installs are selectively distributed to targeted individuals. This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the internet."
The trojan dropper then installs various keyloggers and other tracking applications in order to track each of the victim's keystrokes and scan browsers for saved passwords, exposing a wealth of trade secrets and other secret information to the Darkhotel group.

In addition, the Darkhotel malware is signed with cloned copies of trusted digital certificates: the attackers factored the underlying 512-bit RSA private keys of certificates that had been issued with weak MD5 keys. The ability of attackers to factor such weak keys for use in malware attacks has long been known; advisories from Fox-IT, Microsoft, Mozilla and Entrust warned about it in 2011.
"All related cases of signed Darkhotel malware share the same Root Certificate Authority and Intermediate Certificate Authority that issued certificates with weak md5 keys (RSA 512 bits)," Monday's Kaspersky report stated. "We are confident that our Darkhotel threat actor fraudulently duplicated these certificates to sign its malware. These keys were not stolen."
The Darkhotel group has also recently stolen third-party certificates to sign its malware.

The easiest way to protect your device is to avoid connecting to hotel Wi-Fi networks or any other public or untrusted network, and instead use your mobile device's hotspot to access the Internet.


By "Kunal Vohra", Director@H2K

Still Having Problem..!!! Connect with Admin
BBM: 7F72A48D

 Kunal Vohra
Download Our Official Android App & Get Free Internet



"The Hackers Street"

For Daily Updates 

Microsoft to Issue 16 Security Patches and 60 Other Updates
Microsoft has a fairly large pile of fixes in its November 2014 Patch Tuesday: almost 60 non-security updates for its Windows OS along with 16 security updates.

The software giant released the Advance Notification for 16 security bulletins, the most in more than three years, which will be released tomorrow, 11 November 2014. Five of the bulletins are rated "critical", nine "important" and two "moderate".

The updates will patch vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows, Office, Exchange Server, SharePoint Server and the .NET Framework.

The five critical vulnerabilities affect specific versions of Microsoft Windows, including Windows 7, Windows 8, Windows RT and Windows Server. One of them also affects Internet Explorer versions 7 through 11.

Four of the five critical bugs allow remote code execution, meaning that a successful attacker could hijack a system and install malicious software on the victim's machine, while the fifth could allow an attacker to gain administrative privileges on a vulnerable machine.
"A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email," is how Microsoft describes a critical patch.
Another nine patches are rated as "important", which are not as severe as the critical ones but should still be installed in order to keep your systems safe. These affect Microsoft Windows, Office and Microsoft Exchange.

Five of the nine important updates patch elevation-of-privilege vulnerabilities, two fix security-feature bypass vulnerabilities in the OS, one addresses a remote code execution bug, and the last plugs an information leak.

The last two patches are rated "moderate", which indicates a much lower risk, but they should still be installed. One addresses a denial-of-service flaw in Microsoft Windows, while the other patches an elevation-of-privilege bug.

If Automatic Updates is enabled on your machine, these fixes will all be delivered via Windows Update and applied automatically for most users. Users who have not enabled it are encouraged by Microsoft to apply the updates promptly. Some patches may require a restart of the affected servers.



By "Kunal Vohra", Director@H2K

Tuesday, 4 November 2014

Researcher Found TextSecure Messenger App Vulnerable to Unknown Key-Share Attack

Do you use TextSecure Private Messenger for your private conversations? If so, are you sure you are actually using a secure messaging app?

TextSecure, an Android app developed by Open WhisperSystems, is completely open-source and claims to support end-to-end encryption of text messages. The app is free and designed by keeping privacy in mind.

However, while conducting the first audit of the software, security researchers from Ruhr University Bochum found that the popular mobile messaging app is open to an Unknown Key-Share (UKS) attack.

After Edward Snowden revealed the state surveillance programs conducted by the National Security Agency, and around the time Facebook acquired WhatsApp, TextSecure came into the limelight and became one of the best alternatives for users who want secure communication.
"Since Facebook bought WhatsApp, instant messaging apps with security guarantees became more and more popular," the team wrote in the paper titled, "How Secure is TextSecure?".
The messaging app has attracted a lot of attention lately and has been downloaded by half a million users from Google's Play Store. The research team produced a complete and precise documentation and analysis of TextSecure's secure push messaging protocol.
"We are the first to completely and precisely document and analyse TextSecure's secure push messaging protocol," the team wrote.
"We show that if long-term public keys are authentic, so are the message keys, and that the encryption block of TextSecure is actually one-time stateful authenticated encryption [and] prove TextSecure's push messaging can indeed achieve the goals of authenticity and confidentiality."
According to the research team, TextSecure works on a complex cryptographic protocol that is part of the CyanogenMod Android operating system, a popular open-source aftermarket Android firmware that has been installed on about 10 million Android devices. The researchers discovered an Unknown Key-Share (UKS) attack against this protocol.

The research was conducted by Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jorg Schwenk and Thorsten Holz. To explain the UKS attack against the protocol, the team gave the following example:
"Bart wants to trick his friend Milhouse. Bart knows that Milhouse will invite him to his birthday party using TextSecure. He starts the attack by replacing his own public key with Nelson's public key and lets Milhouse verify the fingerprint of his new public key. This can be justified, for instance, by claiming to have a new device and having simply re-registered ... if Milhouse invites Bart to his birthday party, then Bart may just forward this message to Nelson who will believe that this message was actually sent from Milhouse. Thus, Milhouse believes that he invited Bart to his birthday party, where in fact, he invited Nelson."
The researchers also provided a mitigation strategy, which TextSecure's developers have already acknowledged, that prevents the UKS attack. With the proposed fix applied, TextSecure's push messaging is secure and achieves one-time stateful authenticated encryption.
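To make the Bart/Milhouse/Nelson example concrete, here is an added toy simulation (not from the paper and not TextSecure's code; the Diffie-Hellman group, key derivation and authenticated encryption are deliberately simplified stand-ins). It shows that when nothing ties the intended recipient's identity to the derived key, Nelson accepts the forwarded invitation as genuine, and that binding the identity into the key derivation (a generic countermeasure, not necessarily the one the researchers proposed) makes the forwarded message fail authentication.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group (constructed for illustration; far too small to be secure).
P = 2**127 - 1
G = 5

def keygen():
    """Long-term key pair: (private exponent, public value)."""
    sk = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    return sk, pow(G, sk, P)

def derive_key(my_sk, peer_pk, binding=b""):
    """Message key from the DH shared secret plus whatever the protocol chooses to bind.
    With binding=b"" the key depends only on the two public keys (the UKS-prone case)."""
    shared = pow(peer_pk, my_sk, P).to_bytes(16, "big")
    return hashlib.sha256(b"toy-textsecure|" + shared + b"|" + binding).digest()

def _keystream(key, n):
    blocks = [hashlib.sha256(key + b"ks" + bytes([i])).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, msg):
    """Toy authenticated encryption: XOR keystream, then HMAC-SHA256 tag over the ciphertext."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # authentication failed: receiver rejects the message
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

INVITE = b"Come to my party on Saturday!"  # constructed sample message

def birthday_scenario(bind_recipient_identity):
    """Milhouse invites 'bart', but Bart has registered Nelson's public key under his own
    name. Returns what Nelson recovers when Bart forwards the ciphertext to him unchanged."""
    m_sk, m_pk = keygen()  # Milhouse's long-term key
    n_sk, n_pk = keygen()  # Nelson's long-term key
    directory = {"milhouse": m_pk, "bart": n_pk, "nelson": n_pk}  # "Bart's" key is Nelson's

    # Milhouse verifies the fingerprint shown for "bart" (really Nelson's key) and encrypts.
    sender_view = b"milhouse->bart" if bind_recipient_identity else b""
    blob = seal(derive_key(m_sk, directory["bart"], sender_view), INVITE)

    # Bart has no matching private key, so he cannot read the message, but he forwards it.
    # Nelson derives the key from Milhouse's public key and, if bound, his OWN identity.
    receiver_view = b"milhouse->nelson" if bind_recipient_identity else b""
    return unseal(derive_key(n_sk, directory["milhouse"], receiver_view), blob)

if __name__ == "__main__":
    print(birthday_scenario(False))  # b'Come to my party on Saturday!' (Nelson is fooled)
    print(birthday_scenario(True))   # None (forwarded message rejected)
```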


By "Kunal Vohra", Director@H2K

Friday, 31 October 2014

CVE-2014-4877: Wget FTP Symlink Attack Vulnerability
The open-source Wget application, widely used on Linux and Unix systems for retrieving files from the web, has been found vulnerable to a critical flaw.

GNU Wget is a command-line utility designed to retrieve files from the Web using HTTP, HTTPS, and FTP, the most widely used Internet protocols. Wget can be easily installed on any Unix-like system and has been ported to many environments, including Microsoft Windows, Mac OS X, OpenVMS, MorphOS and AmigaOS.

When wget recursively fetches a directory from a malicious FTP server, the server can make it "create arbitrary files, directories or symbolic links" on the client because of a symlink flaw.

IMPACT OF SYMLINK ATTACK
"It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.
A remote, unauthenticated malicious FTP server that a victim connects to with wget would thus let attackers do anything they wanted within the context of the user running wget: it could make wget download and create new files or overwrite existing ones.

The vulnerability was first reported to the GNU Wget project by HD Moore, chief research officer at Rapid7, and is publicly identified as CVE-2014-4877. The flaw is considered critical because wget is present on nearly every Linux server in the world and is installable (though not by default) on OS X machines as well, so it needs to be patched as soon as possible.

PATCH AVAILABLE
"This flaw can lead to remote code execution through system-level vectors such as cron and user-level vectors such as bash profile files and SSH authorized_keys," Moore wrote.
The Wget project has now fixed the vulnerability in wget 1.16, which changes the default setting that allowed local symlinks to be created.
"Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch," Moore said.
WORKAROUND
"This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify --retr-symlinks command line option," wrote Tomas Hoger on the Bugzilla report. "Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally."
"In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the line: retr-symlinks=on"
AVAILABLE EXPLOIT
An exploit for the vulnerability is now available on the open-source Metasploit penetration testing website, so that security researchers can test for the bug. You can download the exploit from here.
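To make the workaround checkable, here is an added Python helper (not part of wget, the Bugzilla report or Rapid7's advisory) that parses wgetrc text, reports whether retr-symlinks is on, forces it on idempotently, and checks the first line of "wget --version" against 1.16; the wgetrc content it is fed below is a constructed sample, and the file paths (/etc/wgetrc, ~/.wgetrc) are the ones the report names.

```python
import re

# A wgetrc line is "variable = value". Variable names are case-insensitive and wget
# ignores '-' and '_' in them, so retr-symlinks, retr_symlinks and RetrSymlinks are
# the same option. Boolean values are on/off, yes/no or 1/0. Lines starting with '#'
# are comments. Later lines override earlier ones.
_LINE = re.compile(r"^\s*([A-Za-z_-]+)\s*=\s*(.*?)\s*$")

def _canon(name):
    return name.lower().replace("-", "").replace("_", "")

def wgetrc_settings(text):
    """Parse wgetrc text into {canonical_name: value}."""
    settings = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[_canon(m.group(1))] = m.group(2)
    return settings

def retr_symlinks_enabled(text):
    """True if the effective retr-symlinks setting is on (the CVE-2014-4877 workaround)."""
    return wgetrc_settings(text).get("retrsymlinks", "").lower() in ("on", "yes", "1")

def harden_wgetrc(text):
    """Return the text with retr-symlinks forced on. Idempotent: an already-hardened file
    comes back unchanged; an explicit off/no/0 line is commented out, not silently
    left to be overridden, so a later reader sees why it was disabled."""
    if retr_symlinks_enabled(text):
        return text
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and _canon(m.group(1)) == "retrsymlinks" and not line.strip().startswith("#"):
            line = "# " + line + "  (disabled: CVE-2014-4877 workaround)"
        out.append(line)
    out.append("retr-symlinks = on")
    return "\n".join(out) + "\n"

def wget_version_fixed(version_line):
    """True if the first line of 'wget --version' reports 1.16 or newer. Distribution
    packages that backported the fix keep the old version number, so a False result
    means 'check your package's changelog', not 'certainly vulnerable'."""
    m = re.match(r"GNU Wget (\d+)\.(\d+)", version_line)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (1, 16)

# Constructed sample of a user's ~/.wgetrc that explicitly disables the protection.
SAMPLE_WGETRC = "# constructed sample\ntimeout = 60\nretr_symlinks = off\n"

if __name__ == "__main__":
    print(retr_symlinks_enabled(SAMPLE_WGETRC))        # False
    print(harden_wgetrc(SAMPLE_WGETRC))
    print(wget_version_fixed("GNU Wget 1.16 built on linux-gnu."))  # True
```

Run it against the real files with `harden_wgetrc(open(path).read())` for /etc/wgetrc and ~/.wgetrc, and remember that scripts calling wget with explicit `--retr-symlinks` do not depend on either file.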


By "Kunal Vohra", Director@H2K

Tuesday, 28 October 2014

Samsung 'Find My Mobile' Flaw Allows Hacker to Remotely Lock Your Device
The National Institute of Standards and Technology (NIST) is warning users of a newly discovered zero-day flaw in the Samsung Find My Mobile service, which fails to validate the sender of lock-code data received over a network.

The Find My Mobile feature that Samsung implements in its devices is a mobile web service that gives Samsung users a set of features to locate a lost device, play an alert on it remotely and lock it remotely so that no one else can access it.

The vulnerability in Samsung's Find My Mobile feature was discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an information security evangelist from Egypt. The flaw is a Cross-Site Request Forgery (CSRF) that could allow an attacker to remotely lock or unlock the device and even make it ring.

Cross-Site Request Forgery (CSRF or XSRF) is an attack that tricks the victim into loading a page containing a specially crafted HTML exploit. Typically, an attacker uses CSRF to trick a victim into clicking a link that triggers malicious or unauthorized requests.

Because the victim's browser sends the forged request together with the victim's own credentials, the request carries the same privileges as the authorized user and performs an unwanted action on the victim's behalf, such as changing the victim's e-mail address, home address or password, or purchasing something. CSRF generally targets functions that cause a state change on the server, but it can also be used to access the victim's sensitive data.
"In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website," Elnoby said.
The researcher has also provided a proof-of-concept (PoC) video that explains in detail how he made the attack work against Samsung's Find My Mobile feature.

According to the researcher, the first attack, remotely locking the victim's device, is critical if exploited, because attackers can lock the victim's device with a lock code of their own choosing, forcing the victim to recover the lock code through his Google Account.

US-CERT/NIST assigned the Samsung Find My Mobile vulnerability the identifier CVE-2014-8346 and rated its severity as HIGH, with an exploitability subscore of 10.0.
"The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic," the security advisory issued by the NIST states.

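As an added illustration (not Samsung's code and not the researcher's PoC), here is a minimal model of a lock-code endpoint in the vulnerable shape the advisory describes, next to a hardened version that checks the request's origin and a per-session anti-CSRF token. The service origin, the attacker origin and the request values are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Placeholder for the service's own origin (not Samsung's real endpoint).
TRUSTED_ORIGIN = "https://findmymobile.example"

class Session:
    """Server-side state for a logged-in user. The browser attaches the session cookie to
    every request to the service automatically, which is exactly what CSRF abuses."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)  # handed only to the service's own pages
        self.locked_with = None

def lock_vulnerable(session, headers, form):
    """Pre-fix behaviour as described: the source of the lock-code data is never validated,
    so any page the victim's browser loads can submit a lock code with the victim's cookie."""
    session.locked_with = form["lockcode"]
    return True

def lock_hardened(session, headers, form):
    """Accept the lock request only if (1) the browser-set Origin/Referer is our own origin
    and (2) the form carries the per-session anti-CSRF token, which a foreign page cannot
    read. Marking the session cookie SameSite=Lax or Strict adds a browser-enforced layer."""
    source = headers.get("Origin") or headers.get("Referer", "")
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return False
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return False
    session.locked_with = form["lockcode"]
    return True

# Constructed forged request: a hidden form on attacker.example, auto-submitted by the
# victim's browser. The browser adds the victim's cookie but cannot add the CSRF token.
FORGED_HEADERS = {"Origin": "https://attacker.example", "Cookie": "sid=victim-session"}
FORGED_FORM = {"lockcode": "1337"}

def demo():
    """Returns (forged request accepted by vulnerable handler,
                forged request blocked by hardened handler,
                legitimate request accepted by hardened handler)."""
    victim = Session("victim")
    forged_accepted = lock_vulnerable(victim, FORGED_HEADERS, FORGED_FORM)
    victim = Session("victim")
    forged_blocked = not lock_hardened(victim, FORGED_HEADERS, FORGED_FORM)
    legit_form = {"lockcode": "2468", "csrf_token": victim.csrf_token}
    legit_ok = lock_hardened(victim, {"Origin": TRUSTED_ORIGIN}, legit_form)
    return forged_accepted, forged_blocked, legit_ok

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```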
By "Kunal Vohra", Director@H2K

Monday, 20 October 2014

Hacking Smart Electricity Meters To Cut Power Bills
Smart devices are growing at an exponential pace, with connected devices embedded in cars, retail systems, refrigerators, televisions and countless other things people use in everyday life. Security and privacy are key issues for such applications, which still face an enormous number of challenges.

Millions of network-connected electricity meters, or smart meters, used in Spain are susceptible to cyberattack because they lack basic and essential security controls, which could put millions of homes at risk, according to studies carried out by a pair of security researchers.

HACKERS TO CAUSE BLACKOUT AND BILL FRAUD
The security vulnerabilities found in the electricity meters could allow an intruder to carry out billing fraud or even shut down electric power to homes and cause blackouts.

Poorly protected credentials inside the devices could let attackers take control over the gadgets, warn the researchers. The utility that deployed the meters is now improving the devices' security to help protect its network.

In an interview on Monday, the security researchers, Javier Vazquez Vidal and Alberto Garcia Illera, said the vulnerability affects smart meters installed by a Spanish utility company, the one on which the Spanish government relied to improve national energy efficiency.

The duo's research will be presented at the Black Hat Europe hacking conference in Amsterdam next week. They will explain how they reverse engineered the smart meters and found blatant security weaknesses that allowed them to commandeer the devices to shut down power or commit electricity usage fraud over the power line communications network.

SMART METER’S REPROGRAMMABLE MEMORY RUNS FLAWED CODE
The vulnerability resides in the memory chips of the smart meters, which are reprogrammable and contain flawed code that could be exploited to remotely shut down power to individual households, tamper with meter readings, transfer meter readings to other customers and insert "network worms" that could leave millions of homes without power, causing widespread blackouts.

The researchers will not give a detailed explanation of what they actually did until the problems are fixed by the smart meter vendor. "We are not releasing the exact details; we are not going to say how we did this," Garcia Illera, one of the security experts involved in the smart meter research, told Reuters. "This issue has to be fixed."

WEAK ENCRYPTION USED
According to the two researchers, the smart meters use relatively easy-to-crack symmetric AES-128 encryption, which was intended to secure communications and prevent fraudsters from tampering with billing systems.

There are three major utility companies in Spain — Endesa, Iberdrola and E.ON and collectively 8 million Smart meters have been installed on over 30 percent of households. However, the two haven't yet disclosed the specific smart meter manufacturer at this time.

The duo said they could take full control of the meter box, switch its unique ID to impersonate other customer boxes or turn the meter itself into a weapon for launching attacks against the power network.
"Oh wait? We can do this? We were really scared," said Vazquez Vidal, another security expert involved in the smart meter research. "We started thinking about the impact this could have. What happens if someone wants to attack an entire country?" he said.
The Internet of Things (IoT) promises to make life easier in countless ways, but as with any technology on the upswing, associated security issues and challenges are to be expected, and that is what happened with the smart meters in Spain.


By "Kunal Vohra", Director@H2K