Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android’s WebView browser in order to compromise Facebook accounts. 

The flaw allows the attackers to bypass Android’s Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.

“The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a u0000 character, as demonstrated by an onclick=”window.open(‘u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser,” according to the National Vulnerability Database.

According to Trend Micro Mobile Security Engineer Simon Huang, the attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. The page contains obfuscated JavaScript code that includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div tag while the inner frame has a size of one pixel, he added.

“While these routines are being carried out, the SOP bypass is being performed,” he blogged, adding that a remote JavaScript file is loaded from a legitimate cloud storage provider.

The file, he noted, contains the malicious code of the attack and enables the attackers to perform the following activities on Facebook:

1. Add friends
2. Like and follow Facebook pages
3. Modify subscriptions
4. Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
5. Steal the victim’s access tokens and upload them to their server  at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token= $ token;
6. Collect analytics data (such as victims’ location, HTTP referrer,  etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/

“In addition to the code at the above site, we found a similar attack at <a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.%257bBLOCKED%257dphp.com%2Fx%2Ftoplu.php%22%3Ehttp%3A%2F%2Fwww.%7BBLOCKED%7Dphp.com%2Fx%2Ftoplu.php%3C%2Fa%3E%2C" Huang explained. "We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app."

“The client_id involved in this malware was “2254487659”,” he added. “This is an official BlackBerry App  maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person.”

Blackberry is working with Facebook and Trend Micro to address the issue. Google has already issued a fix for the vulnerability for Android users.

Tags:

• INDUSTRY INSIGHTS
• Vulnerabilities

Kaspersky Lab recently analyzed the activities of a threat group that has been targeting executive business travelers in the Asia-Pacific region.

The actors behind the cyber espionage campaign dubbed “<a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.securityweek.com%2Fdarkhotel-attackers-target-business-travelers-hotel-networks%22%3EDarkhotel%3C%2Fa%3E" use various techniques to distribute their sophisticated pieces of malware, such as highly customized spear-phishing, malicious Wi-Fi networks, and P2P sharing websites.

The attackers, which appear to speak Korean, have been compromising the networks of luxury hotels for the past four or five years, attempting to trick chief executives, senior vice presidents, sales and marketing directors, and researchers into downloading a backdoor disguised as software updates. Some of the pieces of malware used in these attacks date back to 2007, Kaspersky said.

Thousands of Darkhotel victims have been spotted all over the world, but most of them appear to be located in Japan, Taiwan, China, Russia and Korea. 

Security experts shared their thoughts on this campaign and provided some important recommendations for executives who travel often and don’t want sensitive corporate information to end up in the hands of cyber spies.

And the Feedback Begins…

Carl Wright, General Manager for TrapX Security:

“Organizations must understand that hackers are always looking for the path of least resistance. While enterprises today are generally doing a better job of securing their networks against intrusions from outsiders, they’re falling short when it comes to securing devices outside the corporate network.

As a result of this and an ever-increasing mobile workforce, we’re seeing hackers shifting their attention from attacking organizations head-on through their network and instead concentrate their efforts on individuals outside the corporate firewall. And what a better place to reach them than at the hotels they’re staying at while they’re on the road.

Executives must begin to treat every hotel, plane, bus, cab, cafe etc. as an extension of their corporate office and as such, they need to subject themselves to the same level of security and best practices imposed by their organization’s IT teams. This includes not clicking on suspicious links and making sure their communications to corporate HQ are secured through a proper VPN tunnel.”

Jack Daniel, Strategist at Tenable Network Security:

“Recent stories including the Darkhotel attacks have made it clear that travelers need to assess their information security risks and take reasonable precautions to protect their systems and information. As always, context is critical in deciding what is reasonable in your situation- for some travelers a little extra caution may be all that is needed, for others more aggressive actions such as dedicated (and possibly even disposable) hardware may be required.

A few universal basics can help everyone. Start with strong authentication, including using two-factor authentication everywhere possible and keeping your second factor devices (tokens, phones, cards, etc.) under your control at all times. Use VPNs any time you connect to any network not under your (or your organization¹s) control. Since different networks sometimes interfere with different VPN technologies it is a good idea to have more than one VPN endpoint to connect to, and ideally use more than one VPN technology (IPsec, SSL, etc.) to improve your chances of establishing a secure connection. Other fundamentals include taking no more information than you need for the trip, and limiting the systems and information you access while traveling.

Depending on the type and amount of technology you travel with, it may be best to simply keep all of your digital equipment with you at all times. For more advanced tips, such as the use of Wi-Fi firewalls, consult a trusted security professional.”

Idan Tendler, Fortscale CEO:

“The DarkHotel malware is just more evidence of the troubling vulnerability of networks when it comes to phishing campaigns and credentials theft. It is one of the reasons that networks will need turn their focus internally and adopt a more aggressive approach to security that includes analyzing users.

If a user’s behavior is thoroughly analyzed and profiled, an attacker could steal the user credentials but can’t imitate his historic behavior, which can immediately trigger red flags to the security team for deeper investigation.”

Jared DeMott, security researcher at Bromium:

“Wi-Fi attacks are a real threat, and not just in hotels. At most free Wi-Fi spots there is usually no guidance on secure connection: the user is left to figure it out, and hope it just works. Traveling business people typically are not technical experts either. So, using a device that prefers a VPN is helpful in preventing snooping once connected.  But, if initial connection pages attack with 0-day exploits, the browser is, as usual, a potential weak link without a way to isolate attacks.

I’d advise people to stay off Wi-Fi, in favor of a mobile hotspot. Understandably that can be difficult while in planes, or overseas where mobile devices may not function or be prohibitively expensive.” 

Alex Cox, Senior Manager, RSA-FirstWatch:

“My advice to travelers wishing to stay secure is to opt for the “overly paranoid” approach.

When executives travel they should assume that any open wifi access point has the potential to be malicious, especially in “convenience” areas, where Internet access is provided as a service, probably without a lot of security forethought. They should consider using an Internet access service through a portable wifi device via a cellular network (a MiFi is a popular version). This gives the user a self-contained source of internet access that is for their use only, and this method of connectivity has proven to be one of the more secure as far as eavesdropping and manipulation. That said, it must be configured and used correctly.

If an executive is travelling in a high-risk area, they should consider that any time their device is out of their direct physical control (airport, hotel room, vehicle, etc.) it has the potential to be tampered with. With that in mind, the traveler should keep physical control of the device as much as possible. It’s also a good idea for a high-risk traveler to bring a “clean” laptop and/or smartphone or tablet that doesn’t involve any of their work outside of what is currently needed. While traveling users should have increased suspicion of update notifications, emails with attachments and unknown links, or the request to install “helper” apps in order to access something.

It’s important to adopt an intelligence-focused mindset, to help understand the threat vectors and attackers that may be targeting the traveler.”

John Dickson, Principal at The Denim Group:

“I think the pressure from clients, shareholders or deadlines puts executives in a situation where they rarely think twice about hopping on a hotel Wi-Fi to conduct business. Couple that with the trust in brands – executives would assume Hilton, Hyatt, and others provide information security in addition to physical security and a clean room – and you have a dangerous mix.

Connecting [to Wi-Fi] itself is not completely terrible, but users should VPN-in as soon as they connect to the network for both e-mail and browsing purposes. Also, they should make sure their laptops and mobile devices have the most recent software updates, to make their computing devices less vulnerable to known, often exploited vulnerabilities. The thing to remember is that most security issues occur when two things happens: (1.) A user-initiated action, like clicking on an attachment or link or visiting a site hosting malware; and (2.) a latent vulnerability exists on the computing devices from which the user is browsing.

This was a well thought-out attack, and like most great attacks, is less about the technology and more about exploiting a known trust mechanism, in this case the strength of hotel chains’ brands.”

Oliver Tavakoli, CTO of Vectra Networks:

“There are two lessons that can be learned from the DarkHotel issue. The first is security architectures must be able to protect against attacks that exploit mobile users on guest Wi-Fi networks. The second is in the fast evolving threat landscape, “what the malware is doing” is more important than “what the malware is.

The BYOD Mobile Security Report published by the LinkedIn InfoSec Community revealed that exploits entering organizations via mobile devices is a top security concern in 2014. It is not possible to completely protect users from exploits when they travel and use public-access Wi-Fi networks at coffee shops or hotels. However, it is possible to detect the activities of an attacker who has breached the network perimeter through a traveling employee’s laptop. In a targeted attack, the attacker will use the infected laptop to perform reconnaissance, spread laterally, acquire data, and ultimately exfiltrate it in as stealthy a manner as possible. Real-time breach detection uses machine learning to detect these behaviors among the chatter in the network, even when the exploit or malware “walks” into an organization on a user’s laptop.

 

Just like there were multiple iterations of Conficker and the malware that was used to attack Target was “tweaked,” there could one day be a “DarkHotel 2.” Naming malware may satisfy a human need or assist in knowing whether the right detection signatures are deployed, but it is not relevant in advanced threat defense. Advanced threats, even when they start with simple tactics like spear phishing, are stealthy by nature and will use malware and C&C channels that slip past perimeter and endpoint security that use signatures and reputation lists. Detecting what the malware is doing will always have a higher likelihood – and multiple opportunities – of detecting a targeted attack than knowing what the malware is. Think of it this way, if you can name it, then it is no longer an advanced threat or a targeted attack. Ignoring the malware may only relegate you to being one of its first victims, and that is no fun.”

Ian Amit, ZeroFOX Vice President:

“First things first – nothing is revolutionary about Darkhotel. It uses the same tactics that penetration testers have been using at red team engagements for years. The only surprise is that the attack was found, albeit with a delay of 7 years.

Darkhotel leverages publicly available information and past behaviors to predict where and when an executive is traveling. Having that information at hand is critical for launching a pinpoint attack, and in most cases can be derived from a simple social media search. Once the target is located, the attack comes via the hotel wireless network. As usual, the human factor plays a lead role in enabling such attacks, and unfortunately, most of the information needed can be found on social media.

When traveling, follow the rule “no changes allowed” – no updates, no downloads, no new software or hardware installations. This will prevent almost every malware attack. For the extremely security-conscious traveler, a freshly installed laptop and phone are recommended, both of which should be disposed of at the end of the trip.”

Anup Ghosh, Founder and CEO, Invincea:

“The DarkHotel campaign sheds light on risks business travelers face when leaving the four walls of their enterprise networks. Business travelers need access to the Internet, of course, and the hotel networks is usually the gateway. Even if they are employing VPNs, the access point is the local hotel wireless net prior to being able to login via VPN. At this juncture, we have seen not only rogue Flash updates, but also drive-by exploits hosted on these hotel network pages that silently infect the traveller’s machine.

This isn’t confined to hotel networks, of course, as any public network with a network access login (coffee shops, airports) can be compromised accordingly. Airports would be particularly rich for business travelers and many incorporate advertising that can be subverted via third party ad networks.

Bottomline is business travelers need end point protection that stops targeted attacks and novel malware without requiring the corporate network.”

Tal Klein, VP of Strategy for Adallom:

“Captive portals are basically dressed up Men-in-the-Middle. I don’t particularly understand the hype around DarkHotel given that tools like Hak5’s Pineapple have demonstrated the ease with which people can be compromised by trusting captive portals, especially in hotel settings. My advice: Invest in a mobile carrier Mi-Fi. Most hotel internet connections are unbearably slower and more expensive than a Mi-Fi anyway.”

Ian Pratt, Co-founder & EVP, Products at Bromium:

“Attacks using Wi-Fi captive portals are certainly on the rise. The networks at hotels are particular attractive as information about the user’s name and the organization they work for is frequently available, enabling very targeted attacks. It is common for hotels to outsource provision of networking services, and hence these third parties become attractive targets to attackers to target visitors staying at many hotels. In some parts of the world state security services specifically take advantage of this.

 

A VPN is unable to help protect against many of these attacks. Most Wi-Fi networks require you to successfully sign-in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers hands, bringing the infection onto the enterprise network.”

Paul Lipman, CEO of iSheriff:

“Darkhotel illustrates a fundamental hole in the typical approach to corporate cybersecurity. Organizations spend many millions of dollars to protect their networks against outside threats, investing in ever more sophisticated ways to defend their network infrastructure, applications, and data from attack. Despite all of this investment, roaming users are typically protected with nothing more than endpoint anti-virus, a technology that is woefully inadequate to protect against advanced persistent threats such as Darkhotel. Even worse, when an infected user later comes back into the office, any malware infection picked up “on the road” can instantly spider out across the network, multiplying the risk by orders of magnitude.

 

A cloud-based Web security solution provides a persistent layer of protection for roaming users, wherever or however they are connecting to the Internet. These services are constantly updated to cover the latest advanced threats, identifying them in the cloud in real-time, and blocking them before they can ever reach an end user’s device. In the case of Darkhotel, a user connecting through a cloud security layer would be fully protected through a “secure tunnel” from the device to the cloud security provider.”

Chris Messer, vice president of technology at Coretelligent:

“DarkHotel is a moderate threat for unsuspecting and non-technical users, and for users and organizations that have lax security safeguards present on traveling employee or executive devices.

 

This type of attack requires the potential victim to download a compromised update such as Adobe Flash or Google Toolbar from a compromised link or pop-up browser window. The user is then tricked into installing these updates as the attacker uses bogus digital certificates to “sign & validate” the compromised software to lead the user to believe they came from a trusted source. This compromised application then installs additional malicious software (Trojan, keylogger, etc.) on the victim’s machine, and then allows the attacker to track and collect data from their machine at will.

 

The good news is that this type of attack can be prevented if users follow good security practices and have reasonable security software and precautions put in place by IT:

 

• Individuals should avoid hotel wired and wireless Internet services all together, and instead rely on a company-provided mobile hotspot device, or tether via their mobile device. When individuals are required to leverage a hotel’s wired or wireless Internet, they should avoid performing any system administrative tasks or updates.

 

• Users should only transact business over a secure VPN connection and HTTPS secured sites. They should avoid sensitive sites such as banking sites for the duration of the hotel stay, if at all possible.

 

• Users should never click on any advertisements via the hotel Wi-Fi, and after logging into the wireless, make it a point to close and re-open their browsers to avoid re-using a questionable session.

 

• Individuals should ensure that they have a robust antivirus suite installed on their machine that has some sort of web filtering component. 

 Feel free to add your thoughts in the comments below, and until Next Friday…Have a Great Weekend!

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management
• Risk Management
• Malware
• Management & Strategy

A new variant of the Bifrose backdoor has been used in a cyberattack aimed at an unnamed device manufacturer, Trend Micro reported.

The threat, detected by the security firm as BKDR_BIFROSE.ZTBG-A, is more evasive than previous variants because it uses the Tor anonymity network for command and control (C&C) communications.

After infecting a device, the backdoor allows its masters to perform various tasks, including downloading and uploading files, creating and deleting folders, executing files and commands, capturing keystrokes, capturing screenshots and webcam images, terminating processes, collecting system information and manipulating windows.

“BIFROSE is mostly known for its keylogging routines, but it is capable of stealing far more information than just keystrokes,” Trend Micro threat response engineer Christopher Daniel So explained in a blog post. “It can also send keystrokes and mouse events to windows, which means that the attacker may be able to conduct operations as the affected user without having to compromise their accounts. For example, the attacker can log into internal systems or even send messages to other users in the network.”

While C&C communications via Tor can make the threat more elusive, the same communications can also be used by IT administrators to detect an attack. More precisely, they can identify malicious activity by monitoring the network for Tor traffic. Many organizations don’t use Tor for regular operations so any traffic associated with the anonymity network could indicate a cyberattack.

Another method recommended by Trend Micro for detecting Bifrose, in addition to the use of security solutions, involves checking for a file named klog.dat, which is used for the threat’s keylogging routines. Verifying network and mail logs could also help IT admins in detecting the malware.

Bifrose has been around since at least September 2008. One interesting campaign leveraging this particular threat was launched in 2010, when cybercriminals distributed the backdoor with the aid of a mail worm. The operation, dubbed “Here You Have,” was initially aimed at the human resource departments of organizations like NATO and the African Union. This old campaign demonstrates Bifrose’s potential for targeted attacks.

 The “Here You Have” campaign was so successful that it caused a global outbreak.

Tags:

• NEWS & INDUSTRY
• Malware
• Cybercrime

OpenDNS has enhanced its cloud-based network security service Umbrella with new capabilities designed to protect organizations against targeted attacks, the company announced on Tuesday.

The company says its monitoring systems are capable of detecting malicious traffic from the first stages of a potential targeted attack by comparing customers’ traffic to activity on OpenDNS’s global network. By providing predictive intelligence on the attackers’ network infrastructure, OpenDNS enables organizations to block attacks before any damage is caused.

Many organizations are capable of identifying single-stage, high-volume cyberattacks, but the “noise” generated by these types of attacks makes it more difficult to detect highly targeted operations, the company explained.

According to OpenDNS, its services address this issue by providing real-time reports on global activity and detailed information for each significant event. The reports can be used by enterprises to identify ongoing or emerging targeted attacks based on whether or not the threats have a large global traffic footprint, or if they’re detected for the first time.

In order to make it easier for security teams to investigate an incident, OpenDNS provides information on the users, devices and networks from which malicious requests are sent. Information on the attackers’ infrastructure can be useful for predicting future threats and for blocking components that are being prepared for new attacks. 

“Enterprises today are challenged to keep up with the volume of attacks that are targeting their networks. Not only is the efficacy of today’s security tools declining, but when they do identify a threat they lack the context that is critical to blocking it,” said Dan Hubbard, CTO of OpenDNS. “The ability to determine the relevance and prevalence of an attack is key to prioritizing response, remediating infected hosts, and understanding the scope of the threat.”

The new capabilities are available as part of the Umbrella service based on a per user, per year subscription.

Tags:

• Network Security
• NEWS & INDUSTRY
• Malware