Cyber Security Awareness Month starts today!

October is upon us, reminding us to make choices every day that will scare cybersecurity threats away

For many, October is a month of ghosts and ghouls, witches and wizards, pirates and pumpkins. After all, it culminates in the scariest day of the year – Halloween. However, it’s time not only to prepare for all things spooky. Far from it. October is also a month dedicated to a subject that, if ignored, can be far scarier than any trick-or-treater knocking on the door – cybersecurity.

In today’s technology-infused world where the cyber-threat landscape is constantly evolving, staying safe online and protecting our data is an absolute necessity. The list of potential threats can seem endless and many cyberattacks may hit closer to home than we think. In sum, we’re all at risk.

This is where campaigns such as European Cyber Security Month (ECSM), National Cyber Security Awareness Month (NCSAM) in the United States and Cyber Security Awareness Month in Canada come in. Throughout October, these initiatives will seek to raise awareness, change behaviors, and provide accessible resources in order to educate people on how to stay safe online. In so doing, the campaigns also highlight a number of simple steps that all of us can take to protect our personal, financial and/or professional data.

To achieve their goals, the campaigns often revolve around several themes that are split over the course of the month. In Europe, for example, there are two main themes this year – cyber-hygiene and emerging technology. Whereas the former theme explains, and prompts you to implement, simple behaviors to protect yourself from cyberthreats, the latter focuses specifically on new technologies, which come with additional risks of their own.

Are you ready to start the #CyberSecMonth!?
Stay tuned for new content every day about good cybersecurity habits and the risks of new tech devices.
This is an initiative of @enisa_eu, supported by the @EU_Commission and EU Member States, for more info visit https://t.co/YqRnjgddVl pic.twitter.com/zZJzZy0l9a

— Cyber Security Month (@CyberSecMonth) October 1, 2019

However, all these initiatives have a common underlying thread and their overarching message – that ‘cybersecurity is a shared responsibility’ – remains the same as last year and applies universally. After all, we all have a role to play when it comes to responding to the growing threat of cybercrime and staying one step ahead of cybercriminals.

In Europe, for example, a range of events are being organized to help promote the campaign’s goals. These include a social engineering presentation in the United Kingdom, a kids’ cybersecurity roadshow in Denmark, and a travelling interactive phishing game in Belgium. Indeed, a whole host of Europe-wide activities and events are being planned, and 2019 is looking to be the biggest year yet. Take a look at the ECSM interactive map to find out what’s happening in your city. Want to get involved? Head over to the ECSM website to check out all the activities and events happening across Europe.

In a world increasingly vulnerable to cyberattacks, advocacy campaigns such as ECSM and NCSAM are vital in order to educate and increase awareness around the importance of ensuring you are safe and secure online. WeLiveSecurity is happy to support the worthy cause of the initiatives on both sides of the Atlantic, and ESET provides free cybersecurity resources of its own to help you become more cyber-aware.

1 Oct 2019 – 03:32PM

Week in security with Tony Anscombe

ESET researchers break down a revamped set of tools that the Sednit group has added to its Zebrocy malware family

ESET researchers break down a revamped set of tools that the Sednit group has added to its Zebrocy malware family. Microsoft has issued an emergency patch to fix a critical zero-day vulnerability in Internet Explorer. Organizations list cybersecurity as one of their top priorities, but do their actions always support the claim?

Are you sure you wiped your hard drive properly?

Almost 60% of second-hand hard drives hold leftover data from previous owners, a study shows

Have you ever seen a hacker movie? When the other shoe drops, you can see the black hat scrambling for their computer, tearing out their hard drives and trying to erase them. They may even run neodymium magnets over them and then finish the job by driving an electric drill directly through the platters of the drives. Alternatively, they just smash it with a hammer and hope for the best.

Rest assured, you really do not have to go about smashing your hard drives left and right, but you should always ensure the security and privacy of your data under all circumstances – a point made even clearer by a recent study.

Commissioned by Comparitech and conducted by the University of Hertfordshire, the study sought to find out how thorough we are when it comes to wiping our hard drives before we sell them. Turns out, many of us are not very thorough. Or at all.

The researchers performed a series of tests on a sample of 200 second-hand hard drives that had been bought off online marketplaces and various merchants. They found that almost 60% of these hard drives still contained some information stored on them by the former owners.

The leftover information included sensitive data that could be exploited by bad actors. The data ranged from official documents such as scans of passports and driver licenses, through bank statements and tax documents, to visa applications and even photos of an intimate nature. The full list of documents uncovered on these drives is far longer; the point is to illustrate how much sensitive data you may keep on a hard drive without giving it much thought.

On the other hand, although it may look like the owners are indifferent towards securing their data, the study shows otherwise. The former owners did try to wipe their data, they just failed to do so securely. Only 26% of the drives were wiped properly and no data could be recovered from them, while another 16% were not accessible and could not be read. As for the rest, the data could be recovered with varying degrees of difficulty. Worryingly, one in six people made no attempt whatsoever to wipe the data.

A similar study was conducted in 2007. Back then, the amount of recoverable data from second-hand HDDs was significantly lower. What’s more, in the older study a considerable number of the drives ended up being unreadable. Observing this rising trend of data being easily recoverable from second-hand drives, sellers should be more careful.

You can always take preventive measures, the simplest being full-disk encryption: whatever remains on a lost or resold drive is then ciphertext that is useless without the key. When it comes to wiping a hard drive you want to sell, check the website of the drive’s manufacturer, which should offer tools to help you carry out the wipe properly. Before you proceed, however, make sure you have backed up all the data you want to keep.

Earlier this year, researchers from the University of Hertfordshire arrived at not-too-dissimilar findings in a study that focused on second-hand thumb drives.

About the author: Amer Owaida is a cybersecurity writer for WeLiveSecurity.

27 Sep 2019 – 03:46PM

Microsoft rushes out patch for Internet Explorer zero‑day

There is no word on which threat actor is abusing the severe vulnerability for attacks

Microsoft is urging Windows users to install an emergency security patch to address a critical vulnerability that affects multiple versions of Internet Explorer (IE) and is under active exploitation by unspecified bad actors.

The company’s advisory notes that the zero-day, listed as CVE-2019-1367, is a remote code execution vulnerability that has to do with how the browser’s scripting engine handles objects in memory. It affects IE versions 9, 10 and 11.

If exploited, the security hole could allow remote attackers to run malicious code on the affected system, giving them the same privileges as those of the current user. If the user is logged in with admin rights, the attackers could take complete control of the system to install malware, steal or tamper with data, and set up accounts with full user rights.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” said Microsoft. The bug has also prompted a warning from the United States’ Cybersecurity and Infrastructure Security Agency (CISA).

IE users are advised to install the updates post-haste. Installing this fix requires user action, such as following the links to the update packages listed in the advisory. Microsoft has also issued temporary workarounds for users who cannot implement the fixes promptly. Various statistics put the market share of the browser’s eleventh version at between 2.6 percent and 7 percent.

The IE bug isn’t the only issue that Microsoft is fixing this week and separately from the usual security update cycle known as Patch Tuesday. Also being patched is a denial-of-service flaw that affects Windows Defender. The latter bug, designated as CVE-2019-1255, is not as severe and there are no known cases of it being actively exploited for attacks. No user action is required to plug this hole, as the update will be shipped automatically within a few days.

25 Sep 2019 – 03:50PM

Do companies take cybersecurity seriously enough?

Many companies are ranking cybersecurity as a top 5 priority but their actions do not measure up to the claim, a survey finds

The hard truth that companies must face is that there is no way that cybersecurity risk can be fully eliminated. On the other hand, there are steps that organizations can take to prevent many attacks or mitigate the consequences if any such attack occurs. A recent survey by Microsoft and Marsh provides some valuable insights into how businesses perceive some of these challenges.

While 79% of respondents of the study, called 2019 Global Cyber Risk Perception Survey, have made cybersecurity their top-tier priority, they are quite unsure as to how to best address the issue. In addition, the study – which canvassed views from 1,500 business leaders across the globe – shows that almost a quarter of the companies asked had “no confidence” in responding to and recovering from cyberattacks.

The general decline in confidence from the 2017 edition of the same survey affects other key areas of cyber-resilience, such as preventing cyberthreats or even assessing and understanding them. Companies that aim to keep up with the ever-evolving world also need to adopt new technologies. That said, they often lack confidence in their ability to secure these technologies, which can handicap them in such endeavors.

A total of 74% of organizations evaluate risks in some way prior to adopting new technology, while 54% assess them after adopting it. While that might sound reassuring to a certain extent, the reality is a bit different, as only 36% of the organizations asked evaluate the risks both before and after the adoption of new technologies. A mere 5% evaluate risks at all stages, whereas 11% don’t evaluate them at all.

It is no surprise, then, that the potential risks involved may dissuade some organizations from adopting emerging technologies, on the grounds that the risks outweigh the potential benefits. According to the survey, this happens in 23% of cases.

Then there is the issue of trust between companies and third-party providers. Certain levels of trust among these parties are indeed standard, with 32% of the survey’s participants claiming to trust the vendors to take the necessary steps to secure their products. On the other hand, 40% of the respondents are proponents of the trust-but-verify approach where they do not accept the security claims of the providers. Instead, they always take the necessary precautions and conduct their own due diligence.

Even though more and more companies are starting to approach cybersecurity as a top-tier issue, there is still a great disparity between how cybersecurity is perceived and how it is approached in practice. The numbers mentioned above provide a narrative where a large percentage of companies are not sure about how to deal with cybersecurity, and we can go as far as saying that many of them underestimate it. By extension, it can be safely assumed that many organizations across the world have yet to ensure they’re well-equipped to counter the growing cybersecurity threats.

About the author: Amer Owaida is a cybersecurity writer for WeLiveSecurity.

24 Sep 2019 – 04:18PM

No summer vacations for Zebrocy

ESET researchers describe the latest components used in a recent Sednit campaign

While summer is usually synonymous with vacations, it seems that the Sednit group has been developing new components to add to the Zebrocy malware family.

The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in recent years.

On August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.

This latest campaign started with a phishing email containing a malicious attachment that launches a long chain of downloaders, ending with a backdoor. An example of such an email was uploaded to VirusTotal on August 22nd, two days after the mail was delivered. An overview of the attack vector was recently published by Telsy TRT.

However, we have some further pieces of this puzzle that could help to draw a more complete picture of the campaign.

As predicted by other fellow researchers, the Sednit group added a new development language in their toolset, more precisely for their downloader: the Nim language. However, their developers were also busy improving their Golang downloader, as well as rewriting their backdoor from Delphi into Golang.

Figure 1 depicts the different steps leading to a victim being compromised, from the malicious email initially received in the inbox to the backdoor deployed on targets deemed “interesting enough” by the operators.

Figure 1. Chain of compromise overview

When a victim is targeted by Zebrocy’s components, the chain is usually quite noisy: in this case, at least six malicious components are dropped on the computer before the final payload is executed, and such activity can easily raise different kinds of flags for a security product.

The document attached to the phishing email is blank, but references a remote template, wordData.dotm, hosted on Dropbox. Opening this document in Word causes it to download wordData.dotm, as seen in Figure 2, and to incorporate it into the document’s working environment, including any active content the template may contain.

Figure 2. Empty word document downloading a remote template

The wordData.dotm file contains malicious macros that are then executed. (Depending on the Microsoft Word version, VBA macros are disabled by default and user action is required to enable them.) It also contains an embedded ZIP archive that the macros drop and extract.

As shown in Figure 1, the macros in wordData.dotm open another document, lmss.doc, which was unpacked from the archive extracted from wordData.dotm. It is the macros in lmss.doc that execute lmss.exe (Zebrocy’s new Nim downloader, also extracted from the archive embedded in wordData.dotm); wordData.dotm does not run the downloader directly.

However, it’s important to note that lmss.doc, which contains the VBA code that executes the new Nim downloader, also embeds a base64-encoded executable. According to its Document Properties, lmss.doc was created in January 2019 and modified on August 20th, a few hours before the campaign started.

Figure 3. Creation and last modification dates of lmss.doc

The executable embedded in lmss.doc is an AutoIt downloader (SHA-1: 6b300486d17d07a02365d32b673cd6638bd384f3) used in the past for a campaign performed around the creation time of lmss.doc. Here, the AutoIt downloader is ignored and doesn’t have any purpose other than making the size of the document bigger. The operator probably forgot to remove the previous embedded downloader – it would not be the first time that Sednit operators have made mistakes.

Sednit operators have used several downloaders written in different languages. This campaign uses the most recent addition to that list – a downloader written in the relatively new Nim language. It’s a straightforward download-and-execute binary with two small details added. The first is probably an anti-sandbox trick: it checks that the first letter of its own filename (l here, 0x6C in hex) has not changed, which it would have if a sandbox had renamed the sample before running it.

Figure 4. Filename check

The second is a kind of obfuscation where the operator replaces placeholder letters in a string with the correct ones, at defined offsets. As seen in Figure 5, the downloader reconstructs the correct download URL string with this method to avoid basic static analysis tools that could otherwise locate the URL string.

Figure 5. Hex-Rays output of the strings deobfuscation

For example, the string o-ps-c..ll is “patched” at three offsets with s, v and d, respectively, to give ospsvc.dll. In the case of the URL, the string stored in the downloader begins h@@p://, so tools looking for http:// won’t find it until the two placeholders have been patched at runtime.
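The placeholder patching described above, as an added example (not the Nim downloader’s own code, and not from the original article): a small reimplementation of the offset-patching step, a helper that diffs the placeholder form against the clean form to recover the patch table, and a naive static scan to show why the placeholder form evades it. The offsets and replacement letters are assumptions chosen to reproduce the two results quoted in the text; the host and path in the URL are constructed.

```python
"""Nim downloader string 'patching' (added example, not Sednit's code).

The downloader keeps placeholder characters in its strings and overwrites
them at fixed offsets at runtime. The offsets and letters below are
assumptions that reproduce the two results quoted in the article
("ospsvc.dll" and a URL beginning "h@@p://"); the host and path in the
sample URL are constructed, not the real C&C.
"""
import re
from typing import Dict, List, Tuple

Patch = Tuple[int, str]  # (offset, replacement character)


def patch_string(template: str, patches: List[Patch]) -> str:
    """Apply (offset, char) patches to a placeholder string, as the
    downloader does at runtime. Out-of-range offsets raise instead of being
    silently dropped, so a wrong offset table is noticed immediately."""
    buf = list(template)
    for offset, char in patches:
        if not 0 <= offset < len(buf) or len(char) != 1:
            raise ValueError(f"bad patch ({offset!r}, {char!r}) for {template!r}")
        buf[offset] = char
    return "".join(buf)


def recover_patches(obfuscated: str, clean: str) -> List[Patch]:
    """Diff a placeholder string against its known clean form and return the
    patch table the sample must apply. Useful when writing a signature for
    the placeholder form that actually sits in the binary."""
    if len(obfuscated) != len(clean):
        raise ValueError("placeholder and clean strings must have equal length")
    return [(i, c) for i, (o, c) in enumerate(zip(obfuscated, clean)) if o != c]


def static_scan(blob: str, pattern: str = r"https?://") -> bool:
    """The kind of check a naive string scanner performs on a binary."""
    return re.search(pattern, blob) is not None


# Placeholder strings: the DLL name is taken from the article, the URL is
# constructed (documentation address) for the example.
PLACEHOLDER_DLL = "o-ps-c..ll"
PLACEHOLDER_URL = "h@@p://192.0.2.10/o-ps-c..ll"
DLL_PATCHES: List[Patch] = [(1, "s"), (4, "v"), (7, "d")]


def deobfuscate_dll_name() -> str:
    return patch_string(PLACEHOLDER_DLL, DLL_PATCHES)


def deobfuscate_url() -> str:
    """Patch the URL: two 't's into 'h@@p', then the DLL name at its offset."""
    base = PLACEHOLDER_URL.index(PLACEHOLDER_DLL)
    patches = [(1, "t"), (2, "t")] + [(base + off, ch) for off, ch in DLL_PATCHES]
    return patch_string(PLACEHOLDER_URL, patches)


def demo() -> Dict[str, object]:
    url = deobfuscate_url()
    return {
        "dll": deobfuscate_dll_name(),
        "url": url,
        "scan_hits_placeholder": static_scan(PLACEHOLDER_URL),  # 'http://' never appears
        "scan_hits_runtime": static_scan(url),                  # visible only after patching
        "recovered_dll_patches": recover_patches(PLACEHOLDER_DLL, deobfuscate_dll_name()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A detection rule written against the runtime form (the plain URL or ospsvc.dll) will never fire on the file at rest; recover_patches gives the placeholder form and offsets to match instead.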

The Nim downloader fetches its dynamic-link library (DLL) payload, named ospsvc.dll, into C:\ProgramData\Java\Oracle and executes it as a service via regsvr32 /s (regsvr32 silently calls the DLL’s DllRegisterServer export, which is why the analysis below starts from that function).

ospsvc.dll is a downloader written in Golang, and different from other Sednit downloaders seen in the past.

Sednit’s previous Golang downloaders have been described in detail by other researchers [1][2][3] and it seems that Sednit’s developers have rewritten their previous Delphi downloader in Golang. Those earlier downloaders gather a lot of information about the victim computer and send it to their C&C server. However, this new one is quite light in terms of its data-gathering capabilities, as described below.

Its function main_init() contains libraries that are initialized and don’t need further explanations due to their names (see this article for more information).

Figure 6. Hex-Rays output of initialized functions in the main_init() using the IDAGolangHelper plugin

Since the DLL is run as a service via the Nim downloader, and regsvr32 calls DllRegisterServer, we need to look at main_DllRegisterServer() instead of main_main(). The strings and the key are stacked (built on the stack from immediate values) and can be decrypted using a simple XOR loop. This simple encryption is quite effective against tools that statically extract stacked strings from binaries.

Figure 7. IDA Pro output of encrypted strings stacked

Aside from downloading the next stage of the malware, taking screenshots of the victim’s desktop and executing commands received from the C&C server are the main functions of this malware.

Screenshots are taken every 35 seconds during the first few minutes of this downloader’s execution, and then they are sent to the C&C server in base64-encoded form. The hostname and the %USERPROFILE% values are also sent to the C&C server encoded in base64. The reply from the C&C server is also straightforward: it’s a concatenation of base64-encoded strings, separated by “|”.

<spaces>|<cmd to execute>|<name of the binary to drop>|<binary to drop>
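A parser for the reply layout above, as an added example (not ESET’s code and not the downloader’s): each of the four fields is base64-decoded strictly, so a truncated or tampered reply fails loudly rather than yielding an empty payload. The sample reply is constructed here with a server-side encoder written only for that purpose; the command and payload bytes are invented, the drop name is taken from the indicators table further down.

```python
"""Parser for the Golang downloader's C&C reply (added example, not ESET's
code). The article gives the layout as four base64-encoded fields joined
with '|': <spaces>|<cmd to execute>|<name of the binary to drop>|<binary>.
The sample reply below is constructed; the field contents are invented.
"""
import base64
import binascii
from dataclasses import dataclass


@dataclass(frozen=True)
class C2Reply:
    padding: str       # the leading <spaces> field
    command: str       # command the downloader is told to run
    drop_name: str     # filename for the dropped binary
    payload: bytes     # the binary itself


def _b64(field: str) -> bytes:
    """Strict base64 decode: a malformed field is an error, not silently
    truncated data, so a parser bug cannot masquerade as an empty payload."""
    try:
        return base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"bad base64 field: {field[:16]!r}...") from exc


def parse_c2_reply(reply: str) -> C2Reply:
    """Split on '|' and decode every field; the field count is fixed."""
    parts = reply.split("|")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '|'-separated fields, got {len(parts)}")
    pad, cmd, name, blob = parts
    return C2Reply(
        padding=_b64(pad).decode("utf-8"),
        command=_b64(cmd).decode("utf-8"),
        drop_name=_b64(name).decode("utf-8"),
        payload=_b64(blob),
    )


def build_c2_reply(command: str, drop_name: str, payload: bytes,
                   padding: str = " " * 4) -> str:
    """Server-side encoder, written only to construct test input."""
    def enc(raw: bytes) -> str:
        return base64.b64encode(raw).decode("ascii")
    return "|".join([enc(padding.encode()), enc(command.encode()),
                     enc(drop_name.encode()), enc(payload)])


# Constructed sample: a harmless command and a fake 'MZ' header as the payload.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(16))
SAMPLE_REPLY = build_c2_reply("cmd.exe /c whoami", "osppsvc.exe", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    reply = parse_c2_reply(SAMPLE_REPLY)
    print(reply.command, reply.drop_name, len(reply.payload), "bytes")
```

When replaying captured traffic, run the decoded payload through a hashing step before anything else so it can be matched against the SHA-1 list at the end of this report.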

According to our telemetry, this downloader has been used to execute three different pieces of malware. The first one is the dumper that we described in our previous Zebrocy article. The second one is the usual Delphi backdoor – also run as a service via the same command used by the Nim downloader. The third one we saw is a new backdoor downloaded and executed on the victim’s machine, as described in the next section.

Analysis

The new Zebrocy backdoor is not written in Delphi as we are used to, but in Golang. To the best of our knowledge, this is the first time this backdoor has been seen, but it shares a lot of similarities with the Delphi one.

By looking again at the main_init() function’s library initialization code (Figure 8) we can see new entries. An AES algorithm, hex encoding, and screenshot capabilities are the main entries that were added.

Figure 8. Diff between the backdoor and the downloader functions initialized in the main_init()

Notice that image_png_init replaces image_jpeg_init for taking screenshots, even though JPEG images are usually smaller than PNGs.

The backdoor is started with an argument that is a hex-encoded string. Once decoded, everything but the last six-byte chunk is XOR-encrypted with the key stored in those last six bytes. The following python snippet describes the decryption logic.
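The decryption just described, as an added example (not the article’s own snippet and not Sednit’s code). One repeating-key XOR routine serves both uses the report mentions: the stacked strings in the Golang downloader, which are decrypted with a simple XOR loop against a stacked key, and the backdoor’s command-line argument, where the key is the trailing six bytes of the hex-decoded value. The exact loop shape (key byte i % 6) is an assumption, since the text only says “a simple XOR loop”; the key and C&C address used to build the sample argument are constructed.

```python
"""XOR-loop decryption used by the Golang Zebrocy components (added example,
not ESET's snippet). The article describes two uses: stacked strings in the
downloader decrypted with a simple XOR loop, and the backdoor's argument, a
hex string whose last six bytes are the key for everything before them.
The repeating-key form is an assumption; the key and C&C value below are
constructed for the example.
"""
from itertools import cycle

KEY_LEN = 6  # per the article: the key is the last six-byte chunk


def xor_loop(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i of data is XORed with key[i % len(key)].
    Symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_stacked_string(stacked: bytes, key: bytes) -> str:
    """Decrypt a string the compiler left as immediates on the stack
    (assumed to use the same repeating-key loop)."""
    return xor_loop(stacked, key).decode("utf-8")


def decrypt_backdoor_argument(hex_arg: str) -> str:
    """Hex-decode the argument, take the trailing six bytes as the key and
    XOR-decrypt everything before them. Rejects arguments too short to
    contain any ciphertext."""
    raw = bytes.fromhex(hex_arg.strip())
    if len(raw) <= KEY_LEN:
        raise ValueError("argument too short to hold ciphertext plus a 6-byte key")
    body, key = raw[:-KEY_LEN], raw[-KEY_LEN:]
    return xor_loop(body, key).decode("utf-8")


def build_backdoor_argument(c2: str, key: bytes) -> str:
    """Inverse of decrypt_backdoor_argument; exists only to construct
    sample input, it is not something observed in the sample."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    return (xor_loop(c2.encode("utf-8"), key) + key).hex().upper()


# Constructed sample: documentation address and an arbitrary key.
SAMPLE_KEY = bytes.fromhex("A17F03C9E244")
SAMPLE_C2 = "http://192.0.2.10/"
SAMPLE_ARG = build_backdoor_argument(SAMPLE_C2, SAMPLE_KEY)

if __name__ == "__main__":
    print("argument :", SAMPLE_ARG)
    print("decrypted:", decrypt_backdoor_argument(SAMPLE_ARG))
    print("stacked  :", decrypt_stacked_string(xor_loop(b"ospsvc.dll", SAMPLE_KEY), SAMPLE_KEY))
```

Because the key travels inside the argument, the C&C address can be recovered from a process command line or a scheduled-task definition even when the binary itself has been hardened against static string extraction.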

The decrypted value is the address of the C&C server, which is later encrypted and stored on disk. That encryption uses AES-128 in ECB mode with a key derived from the hostname, so the C&C server cannot be obtained just by looking at the binary. The downloaders define no persistence, as we have seen in the past, nor does the backdoor have any persistence mechanism of its own.

This new backdoor has various capabilities that were also previously seen in Zebrocy’s Delphi backdoor:

  • file manipulation such as creation, modification, and deletion
  • screenshot capabilities
  • drive enumeration
  • command execution (via cmd.exe)
  • schedule a task under the name \Windows\Software\OSDebug (which the operators could use to set persistence manually)

As in the Delphi backdoor, there is a very limited set of commands – but the ability to execute arbitrary commands via cmd.exe opens up possibilities such as persistence or information gathering. Another similarity is a three-part version number (in the format x.y.z); the current major version is 4.

Network

The network protocol shares some similarities with the Delphi version of the backdoor. The first interaction with the C&C server retrieves the AES key (described as “32-bit”, which can only mean 32 bytes, since AES keys are 128, 192 or 256 bits long) used to encrypt future communications. The packet capture of that first request looks like this:

POST [REDACTED URI] HTTP/1.1
Host: [REDACTED IP]
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=b116f1e0a94eff1bb406531e74bb0feba65687cf90ec8a64fc409f230fbd
Accept-Encoding: gzip

--b116f1e0a94eff1bb406531e74bb0feba65687cf90ec8a64fc409f230fbd
Content-Disposition: form-data; name="filename"; filename="[REDACTED]"
Content-Type: application/octet-stream

1
--b116f1e0a94eff1bb406531e74bb0feba65687cf90ec8a64fc409f230fbd--

Those with experience of Sednit might find the Content-Disposition and boundary keywords familiar: the Delphi backdoor used them in its network protocol, and it likewise used AES to encrypt the pseudo body (the content after the Content-Type line). Note that although Content-Disposition and the second Content-Type are real HTTP headers, here they appear inside the HTTP message body as part of the multipart form. The boundary is randomized for every exchange, and the filename field inside the pseudo Content-Disposition header can be decrypted with the following snippet of Python:

which results in the following string:

757365722D504318162020190821151055207C.inc

That string breaks down as follows:

Username: 757365722D5043 (hex-encoded ASCII; decodes to user-PC)
SID*: 181620
Date: 20190821151055 (YYYYMMDDHHMMSS)
Random: 207C.inc

* Six characters taken from the current user’s Security Identifier (SID), S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1000
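A decoder for the decrypted filename field, as an added example (not the article’s snippet, which covers the AES step, and not the backdoor’s code). It applies the breakdown above to the value quoted in the report and recovers the username, the SID fragment and the timestamp as typed values. The six-character SID field and fourteen-digit timestamp come from the text; treating the random suffix as four hex characters plus “.inc” is an assumption drawn from this single sample.

```python
"""Decoder for the 'filename' field of the backdoor's first C&C request,
after decryption (added example, not ESET's snippet). The article breaks
757365722D504318162020190821151055207C.inc into a hex-encoded username,
six characters from the user's SID, a YYYYMMDDHHMMSS timestamp and a
random suffix. The suffix width (4 hex chars + '.inc') is an assumption
based on that one sample.
"""
import re
from dataclasses import dataclass
from datetime import datetime

FILENAME_RE = re.compile(
    r"^(?P<user>(?:[0-9A-Fa-f]{2})+)"   # hex-encoded username, even length
    r"(?P<sid>\d{6})"                    # six characters from the user's SID
    r"(?P<ts>\d{14})"                    # YYYYMMDDHHMMSS
    r"(?P<rand>[0-9A-Fa-f]{4}\.inc)$"    # random suffix (assumed width)
)


@dataclass(frozen=True)
class BeaconName:
    username: str
    sid_fragment: str
    timestamp: datetime
    random: str


def parse_beacon_filename(name: str) -> BeaconName:
    """Split the decrypted filename into its fields. Because the SID,
    timestamp and suffix widths are fixed, the variable-length username is
    whatever precedes them; a value that does not fit the layout, or whose
    username is not valid UTF-8, is rejected rather than guessed at."""
    match = FILENAME_RE.match(name)
    if not match:
        raise ValueError(f"does not match the Zebrocy filename layout: {name!r}")
    try:
        user = bytes.fromhex(match["user"]).decode("utf-8")
        ts = datetime.strptime(match["ts"], "%Y%m%d%H%M%S")
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"well-formed but undecodable: {name!r}") from exc
    return BeaconName(user, match["sid"], ts, match["rand"])


SAMPLE = "757365722D504318162020190821151055207C.inc"  # value quoted in the article

if __name__ == "__main__":
    print(parse_beacon_filename(SAMPLE))
```

The hostname and SID fragment make each beacon filename a stable identifier for the infected account across check-ins, which is worth keeping when correlating proxy logs from several machines.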

Further interactions with the C&C server follow this pattern, except that the pseudo body (1 in the example above) is replaced by the output of the command requested by the C&C server. The full message body is also encrypted with the same AES algorithm, using the key provided in the first exchange.

New downloaders, new backdoor – the Sednit group has been active and is not letting their components get too old. New? Not really. By looking at it, it seems that the Sednit group are porting the original code to, or reimplementing it in, other languages in the hope of evading detection. It’s probably easier that way and it means they do not need to change their entire TTPs. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.

ESET recommends that users be attentive when opening attachments from suspicious emails.

We will continue to monitor new activities from the Sednit group and will publish relevant information on our blog. For any inquiries, contact us at [email protected]

Hashes (SHA-1)                            Filename        ESET detection name
c613fcccb380f7e3ce157c4f620efca503c1bad3  – (eml file)    DOC/TrojanDownloader.Agent.AMY
6f281b30d8d6a9bc1dbe2fe73995aac382c4a543  612243236.docx  DOC/TrojanDownloader.Agent.AMY
f3f945fb22916f82cb7407cde2a80a68cd83b074  wordData.dotm   VBA/TrojanDropper.Agent.AIP
a56af5b44624e8ada60057fd7f39af5b3de10724  lmss.zip        Win32/TrojanDownloader.Sednit.BK
b8ac400e1deb6e90fa4e2adb150c511c98bafc6e  lmss.doc        VBA/TrojanDropper.Agent.AIQ
f0793e02180f3ccf48e41bd67ec1161d93f07e01  lmss.exe        Win32/TrojanDownloader.Sednit.BK
04303024ff453f918925d7160abbd199f137a442  ospsvc.dll      Win32/Sednit.DI
c96db85ece2b57a9e82ba36b5f31ca9d2051a6f0  osppsvc.exe     Win32/Sednit.DJ

Network

https://www.dropbox[.]com/s/foughx315flj51u/wordData.dotm?dl=1

185.221.202[.]35

Tactic                ID     Name                                            Description
Initial Access        T1193  Spearphishing Attachment                        Zebrocy uses spearphishing emails with an attachment as its method of compromise.
Execution             T1059  Command-Line Interface                          The Golang backdoor uses cmd.exe to execute commands.
Execution             T1117  Regsvr32                                        The Nim downloader uses regsvr32.exe to launch the Golang downloader.
Execution             T1053  Scheduled Task                                  The Golang backdoor can create a pre-defined scheduled task.
Execution             T1064  Scripting                                       The remote template contains VBA used to execute the next stage of the malware.
Execution             T1204  User Execution                                  Zebrocy attempts to get users to open Microsoft Office attachments containing malicious macros.
Persistence           T1053  Scheduled Task                                  The Golang backdoor can create a pre-defined scheduled task.
Privilege Escalation  T1053  Scheduled Task                                  The Golang backdoor can create a pre-defined scheduled task.
Defense Evasion       T1107  File Deletion                                   The Golang backdoor can delete files.
Defense Evasion       T1117  Regsvr32                                        The Nim downloader uses regsvr32.exe to launch the Golang downloader.
Defense Evasion       T1064  Scripting                                       The remote template contains VBA used to execute the next stage of the malware.
Discovery             T1083  File and Directory Discovery                    The Golang backdoor can list drives.
Collection            T1113  Screen Capture                                  The Golang backdoor can take screenshots of the victim’s desktop.
Command and Control   T1043  Commonly Used Port                              All components use port 80 to communicate with the C&C server.
Command and Control   T1024  Custom Cryptographic Protocol                   The Golang backdoor uses an XOR loop for its communications.
Command and Control   T1132  Data Encoding                                   The Golang backdoor base64-encodes data before encrypting it.
Command and Control   T1071  Standard Application Layer Protocol             HTTP is used for C&C communications.
Command and Control   T1032  Standard Cryptographic Protocol                 The Golang backdoor encrypts communications with the C&C server with AES ECB.
Exfiltration          T1022  Data Encrypted                                  The Golang backdoor encrypts data with AES ECB before sending it over the C&C channel.
Exfiltration          T1041  Exfiltration Over Command and Control Channel   The Golang backdoor exfiltrates data to its C&C server.

References:

[1] https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
[2] https://securelist.com/a-zebrocy-go-downloader/89419/
[3] https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html

24 Sep 2019 – 11:30AM

Week in security with Tony Anscombe

A nationwide data leak is believed to affect almost all citizens of Ecuador, putting them at risk of identity theft

Almost every single citizen of Ecuador is thought to be affected by another nationwide data leak. Researchers have found 125 security flaws across 13 routers and network-attached storage (NAS) devices that may leave them vulnerable to remote attacks. The UK’s cybersecurity agency urges universities to be on their guard against cyberattacks. All this – and more – on WeLiveSecurity.

Universities warned to brace for cyberattacks

The UK’s cybersecurity agency also outlines precautions that academia should take to mitigate risks

The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning to universities across the country, urging them to be on their guard against cyberattacks.

The main risk is, in fact, two-fold. Firstly, it comes from ne’er-do-wells seeking financial gain via what are often untargeted attacks. When the attacks are targeted, however, they “have the potential for greater financial impact”, notes the cybersecurity agency.

“Cybercrime will probably present the most evident and disruptive difficulties for universities,” reads the threat assessment.

At the same time, however, the report sounds the alarm on a more silent threat, one that is “likely to cause greater long-term damage” – state-sponsored attacks and espionage. These incursions seek strategic gain and are aimed at intellectual property theft from institutions that house valuable research data and other assets, which is largely why they fall in the crosshairs of cyberattackers.

To defend against incursions, the universities are being urged to ensure they have a range of basic measures in place. This includes security-conscious policies and strict authentication and access controls, as well as making sure that university networks are designed with security considerations in mind. Still, the very first line of defense, as noted by the report, is “good security awareness among staff and students”.

Techniques may be evolving but, courtesy of their high success rate, attacks involving social engineering remain a staple. Indeed, a team of ethical hackers recently conducted simulated attacks at more than 50 universities in the UK and, in each case, got their hands on high-value data within two hours. As we also wrote back then, key to the 100-percent success rate was spear-phishing, a targeted form of phishing that involves sending a bespoke email to a well-researched prospective victim.

Here is our list of measures that educational institutions are well advised to take in order to defend against cyberattacks.

19 Sep 2019 – 05:57PM

Remote access flaws found in popular routers, NAS devices

In almost all tested units, the researchers achieved their goal of obtaining remote root-level access

Security researchers have uncovered a total of 125 security flaws across 13 small office/home office (SOHO) routers and network-attached storage (NAS) devices that may leave them vulnerable to remote attacks.

The devices ranged from units intended for the general public to high-end enterprise-grade devices, according to the research conducted by a US-based company called Independent Security Evaluators (ISE). The experts focused primarily on devices from well-known and reputable vendors, meaning that the problem may ultimately affect millions of units. (The list of the devices and additional details are available here.)

“Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries,” reads the study. All devices had been updated to the then-latest firmware and were tested in their out-of-the-box configurations.

Each of the 13 devices was found to contain at least one web application vulnerability such as cross-site scripting, operating system command injection or SQL injection that could be leveraged by an attacker to get remote access to the device’s shell or admin panel. Once compromised, the device may be used as a stepping stone for further attacks inside a home or enterprise network.

Other common flaws included authentication and authorization bypasses. In 12 devices, the researchers reached their goal of obtaining remote root-level access. Six units could be remotely exploited without authentication.
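The flaw class the researchers describe for the web panels, operating system command injection, is worth seeing in code. The following is an added example written for this article, not code from ISE's study or from any of the tested devices: a typical router "ping" diagnostic handler that drops a user-supplied field into a shell command line, beside a hardened version that validates the target and never invokes a shell. The handler names, the ping invocation and the sample inputs are assumptions made for illustration.

```python
"""Added example (not from ISE's research or any vendor firmware): OS command
injection in a router-style 'ping' diagnostic handler, with a hardened form.

Assumptions: the handler names, the 'ping -c 1 <host>' command line and the
sample inputs below are constructed for this illustration.
"""
from __future__ import annotations

import ipaddress
import re
import shlex
import subprocess

# Hostnames the hardened handler accepts: RFC 1123 labels, no leading '-'
# (so a value can never be read by ping as an option), at most 253 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(host: str) -> str:
    """Builds the string the vulnerable handler would pass to the shell.

    This is the bug class: the admin panel interpolates a form field into a
    command line and runs it with shell=True, so ';', '|', '`' or '$(...)' in
    'host' become extra commands run as the web server's user, which on most
    SOHO firmware is root.
    """
    return f"ping -c 1 {host}"


def shell_words(command: str) -> list[str]:
    """Tokenises a command line roughly the way /bin/sh does, keeping ';',
    '|', '&' and parentheses as separate tokens so an injected command shows
    up as its own word rather than as part of the hostname."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def is_safe_target(host: str) -> bool:
    """True only for a literal IPv4/IPv6 address or an RFC 1123 hostname."""
    host = host.strip()
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def hardened_ping_argv(host: str) -> list[str]:
    """Validates the target and returns an argv list for subprocess.run
    without shell=True: no shell ever parses the value, and the allow-list
    above also blocks option injection such as a host of '-f'."""
    host = host.strip()
    if not is_safe_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str) -> int:
    """What the hardened handler would actually execute. Returns ping's exit
    status; not called by the checks below because ping may be absent."""
    return subprocess.run(hardened_ping_argv(host), capture_output=True,
                          timeout=10, check=False).returncode


if __name__ == "__main__":
    payload = "127.0.0.1; id"          # constructed attacker input
    print("shell sees:", shell_words(vulnerable_ping_command(payload)))
    for candidate in ("router.example.net", "10.0.0.1", payload, "-f", "$(id)"):
        print(f"{candidate!r:22} safe={is_safe_target(candidate)}")
    try:
        print("exit status:", run_diagnostic("127.0.0.1"))
    except FileNotFoundError:
        print("ping binary not available on this host")
```

The hardened handler closes the shell-injection hole, but on a device it is only one layer: the diagnostic endpoint should still sit behind authentication (the article notes six units could be exploited without any), and the web server should not run as root, so that a residual bug in the panel does not hand over the whole device.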

ISE reported the vulnerabilities to the affected vendors and praised most of them for getting to work promptly in order to mitigate the issues. (Whether any security updates are eventually installed is another matter, however, as consumers often don’t give much thought to updating their routers and are often not aware of the vulnerabilities therein.) Worryingly, some vendors failed to respond to the reports entirely.

The project, called SOHOpelessly Broken 2.0, built on the company’s research in 2013, which also involved a look under the hood of 13 routers and NAS devices and resulted in the discovery of 52 security holes. As seen from the new study, things don’t appear to have improved over the years.

For more on router security specifically, see some of our previous articles:

How to secure your router to prevent IoT threats?
New Year’s resolutions: Routing done right
Five ways to check if your router is configured securely
Router reboot: How to, why to, and what not to do

18 Sep 2019 – 06:38PM

Nearly all of Ecuador’s citizens caught up in data leak

The humongous collection of extensive personal details about millions of people could be a gold mine for scam artists

Almost every single citizen of Ecuador, a country of some 16.6 million people, is believed to have been affected by a new massive data leak, according to a report from vpnMentor.

Two weeks ago, the firm discovered a misconfigured Elasticsearch server that was packed with personal data on most of Ecuador’s citizens, including children. The server – which is hosted in Miami but is believed to be owned by an Ecuadorean consulting company called Novaestrat – was left unsecured for an unknown period of time.

The cache of data weighed in at 18 gigabytes and comprised various personal details, including full names, dates of birth, addresses, phone numbers, ID numbers, family information, financial details, and car registration numbers. As many as 20 million individuals may be impacted, said the researchers, although this count includes duplicate records and records for deceased people.

The leak was eventually plugged on September 11th, but not before Ecuador’s Computer Emergency Response Team (EcuCERT) had stepped in. Per ZDNet, which got the scoop on and examined the leak, Novaestrat initially took no action to secure the server.

Meanwhile, Ecuador’s telecommunications ministry said (in Spanish) that Novaestrat had obtained the data in an illegal manner. In fact, the country’s interior minister María Paula Romo announced that the firm’s managing director, identified as William Roberto G., had been detained on Monday.

The information apparently originates from Ecuadorean government sources, as well as from a local automotive association called AEADE and a state-owned bank known as BIESS.

It’s unclear whether or not the unsecured database was accessed by bad actors before being spotted by the researchers. The personal details could be immensely useful for all manner of scammers, who could leverage them for convincing and highly targeted social engineering campaigns.

Data exposures caused by leaky servers are certainly not uncommon, but this security and privacy lapse is notable for its sheer breadth and depth. In fact, it may bring echoes of an incident in Chile from just weeks ago that had the personal data of 80% of the country’s population exposed in another ‘nationwide leak’, also courtesy of an unsecured Elasticsearch cluster.
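Both the Ecuador and the Chile incidents come down to the same misconfiguration: an Elasticsearch cluster bound to a reachable interface with no authentication in front of its REST API. The following is an added example written for this article, not code from vpnMentor, ZDNet or any of the companies involved: a small audit of an elasticsearch.yml that flags exactly that combination, with a constructed weak configuration beside a corrected one. The two configurations are made up for the example; the setting names (network.host, http.port, xpack.security.enabled) are Elasticsearch's own, and treating a missing xpack.security.enabled as "off" is an assumption that matches the pre-8.0 default.

```python
"""Added example (not from the reports the article cites): audit an
elasticsearch.yml for the 'unsecured cluster' failure mode, i.e. the HTTP API
bound beyond loopback while security is not enabled.

Assumptions: both configs below are constructed; the parser only handles the
flat 'key: value' lines such a file normally contains; a missing
xpack.security.enabled is treated as false (the pre-8.0 default).
"""
from __future__ import annotations

import ipaddress

# Constructed example of the weak setting: listening on every interface,
# no authentication.
EXPOSED_CONFIG = """\
cluster.name: records
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed corrected configuration: loopback only, security on. Anything
# that must reach it from elsewhere goes through an authenticating proxy.
HARDENED_CONFIG = """\
cluster.name: records
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Elasticsearch's own special values and the plain names that mean loopback.
_LOOPBACK_NAMES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Reads 'key: value' lines, dropping comments and surrounding quotes."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def host_entries(value: str) -> list[str]:
    """Splits a network.host value, which may be a single entry or a list
    such as '[_local_, 10.0.0.5]', into individual entries."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [v.strip().strip("'\"") for v in value.split(",") if v.strip()]


def reachable_beyond_loopback(entry: str) -> bool:
    """True for anything that is not clearly loopback: 0.0.0.0, a public or
    private address, '_site_', '_global_', an interface name or a hostname."""
    if entry in _LOOPBACK_NAMES:
        return False
    try:
        return not ipaddress.ip_address(entry).is_loopback
    except ValueError:
        return True  # special value, interface name or DNS name: assume reachable


def audit(config_text: str) -> list[str]:
    """Returns human-readable findings; an empty list means neither
    condition of the leak pattern is present."""
    settings = parse_flat_yaml(config_text)
    findings: list[str] = []
    exposed = [h for h in host_entries(settings.get("network.host", "_local_"))
               if reachable_beyond_loopback(h)]
    if exposed:
        port = settings.get("http.port", "9200")
        findings.append(f"network.host binds {', '.join(exposed)}: "
                        f"HTTP API on port {port} is reachable beyond loopback")
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: "
                        "the REST API answers without authentication")
    return findings


def is_open_to_the_network(config_text: str) -> bool:
    """The combination behind the Ecuador and Chile exposures: reachable
    from outside the host AND unauthenticated."""
    findings = audit(config_text)
    return any(f.startswith("network.host") for f in findings) and \
        any(f.startswith("xpack.security") for f in findings)


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: open={is_open_to_the_network(cfg)}")
        for finding in audit(cfg):
            print("  -", finding)
```

A configuration that binds to loopback but still has security off is reported too, since every process on the host can then read and delete the indices; it simply does not trip the "open to the network" verdict. Running this kind of check in the deployment pipeline, rather than discovering the exposure through a researcher's scan, is the practical lesson of both incidents.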

Meanwhile, a data breach at credit bureau Equifax two years ago saw hackers steal extensive personal data on half the US population, as well as hundreds of thousands of Canadians and Brits. In Bulgaria, bad actors recently breached the country’s tax agency and made off with personal data on almost all of the country’s taxpayers.

17 Sep 2019 – 04:33PM