Month: May 2018

Bug In Git Opens Developer Systems Up to Attack

Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository.

Developers behind the open-source development Git tool pushed out Git 2.17.1, addressing two bugs (CVE-2018-11233 and CVE-2018-11235).

“These are tricky vulnerabilities that will require the Git hosting services to patch, but also individual developers who are using the tool,” said Tim Jarrett, senior director of security, Veracode.

Of the two vulnerabilities, CVE-2018-11235 is the more worrisome, researchers said.

The vulnerability is a submodule configuration flaw that surfaces when a repository is cloned together with its submodules. Git runs hooks such as post-checkout from the repository’s own .git directory, which is never part of the content a clone receives, so a malicious repository cannot normally ship a hook. The flaw allowed a crafted submodule name to point the submodule’s repository directory at a location the attacker controls, so a hook carried in the malicious repository ran during the clone.

“The software does not properly validate submodule ‘names’ supplied via the untrusted .gitmodules file when appending them to the ‘$GIT_DIR/modules’ directory. A remote repository can return specially crafted data to create or overwrite files on the target user’s system when the repository is cloned, causing arbitrary code to be executed on the target user’s system,” according to a SecurityTracker description of the flaw.

The concern is that a rogue submodule can trick Git into running code outside the context of the repository. “This allowed an adversary to exfiltrate data, pull down a web shell, plant a cryptominer or just totally own the machine that the Git repository or (Git) clone is being run on,” Jarrett said.

He noted that the vulnerabilities are unusual, because the bugs allow adversaries to target the developer tool chain rather than the software itself.

Edward Thomson, a Microsoft program manager for Visual Studio Team Services, explained that the fix is straightforward. “Submodule folder names are now examined more closely by Git clients,” he wrote in a post outlining Microsoft’s fix on Tuesday. “They can no longer contain '..' as a path segment, and they cannot be symbolic links, so they must be within the .git repository folder, and not in the actual repository’s working directory.”

“Git will now refuse to work with repositories that contain a submodule configuration like this. And Visual Studio Team Services — along with most other hosting providers — will actively reject you from pushing repositories that contain such a submodule configuration, to help protect clients that haven’t yet upgraded,” Thomson continued.

Researcher Etienne Stalmans is credited with discovering the vulnerability via GitHub’s bug bounty program. Credit for fixing the bugs goes to Jeff King, Johannes Schindelin and others. The patches made available Tuesday cover both CVEs.

“In addition to the above fixes, this release adds support on the server side that rejects pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers with older clients by preventing malicious contents from spreading,” according to the Git alert.
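The checks Thomson describes, as an added example that re-implements them rather than quoting Git’s own code: a small Python vetting routine for a .gitmodules file that applies the rule a patched client applies (no '..' path segment in a submodule name, and the submodule’s repository directory must stay under $GIT_DIR/modules without passing through a symbolic link), and that a hosting server could run over the tracked .gitmodules blob on push, as the Git alert describes. The .gitmodules content, the function names and the simplified config parser are this example’s assumptions, not Git’s source.

```python
"""Added example (not Git's code): vet a .gitmodules file the way Git 2.17.1
and the hosting providers' push checks do for CVE-2018-11235."""
import os
import re

# Assumed .gitmodules layout: [submodule "name"] headers followed by
# key = value lines. Git's real config parser also handles escapes and
# includes; those are out of scope for this example.
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]$')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def check_submodule_name(name):
    """True if NAME passes Git's post-2.17.1 rule: non-empty, and no path
    component equal to '..'. Both '/' and '\\' count as separators so the
    rule is identical on every platform (re-implementation of the rule
    git's check_submodule_name() enforces, not its source)."""
    if not name:
        return False
    return all(part != ".." for part in name.replace("\\", "/").split("/"))


def parse_gitmodules(text):
    """Minimal parser returning {submodule_name: {key: value}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # git config comment lines
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group("key").lower()] = m.group("value")
    return modules


def modules_dir_is_safe(git_dir, name):
    """Where Git would store this submodule's repository: it must resolve
    under $GIT_DIR/modules and must not be reached through a symlink."""
    modules_root = os.path.abspath(os.path.join(git_dir, "modules"))
    target = os.path.abspath(os.path.join(modules_root, name))
    if os.path.commonpath([modules_root, target]) != modules_root:
        return False                           # '..' escaped the modules dir
    # Walk every prefix of the target that already exists on disk; a symlink
    # anywhere on the way could redirect the checkout into the working tree.
    probe = modules_root
    for part in os.path.relpath(target, modules_root).split(os.sep):
        probe = os.path.join(probe, part)
        if os.path.islink(probe):
            return False
    return True


def vet_gitmodules(text, git_dir=".git"):
    """Return {name: reason} for every entry a patched Git client (or a
    server-side push check) would refuse; an empty dict means clean."""
    problems = {}
    for name in parse_gitmodules(text):
        if not check_submodule_name(name):
            problems[name] = "name is empty or contains a '..' path segment"
        elif not modules_dir_is_safe(git_dir, name):
            problems[name] = "repository dir leaves $GIT_DIR/modules or crosses a symlink"
    return problems


# Constructed .gitmodules: one ordinary submodule and one whose *name* (not
# its path) is crafted so $GIT_DIR/modules/<name> lands outside .git.
SAMPLE_GITMODULES = """\
[submodule "libs/helper"]
\tpath = libs/helper
\turl = https://example.invalid/helper.git
[submodule "../../evil"]
\tpath = evil
\turl = https://example.invalid/evil.git
"""

if __name__ == "__main__":
    for bad_name, why in vet_gitmodules(SAMPLE_GITMODULES).items():
        print(f"REJECT {bad_name!r}: {why}")
```

Run it directly to see which entry is rejected and why. The name check is the part a server-side push hook needs, since only the client has a real $GIT_DIR to walk for symlinks; the path computation is included to show why a '..' segment matters at all.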

Botnet Operators Team Up To Leverage IcedID, Trickbot Trojans

The botnet operators behind two infamous banking trojans have banded together to squeeze cash out of victims in a collaborative scheme.

Flashpoint analysts, who highlighted the collaboration in a Wednesday report, said that the operators behind the IcedID and TrickBot trojans appear to be targeting banking victims as a dual threat, and sharing the profit.

Researchers first discovered the collaboration while studying the IcedID malware – they quickly realized that computers infected with IcedID were also downloading the other piece of malware, Trickbot.

“Why would IcedID, which is commercial banking malware, download another commercial banking malware from the same ecosystem? We decided to look into it; we found it unusual because groups compete for a limited number of victims,” Vitali Kremez, director of research at Flashpoint, told Threatpost. “While looking at that, we realized that IcedID and Trickbot were working together – not necessarily from the malware development side, but from the operations side.”

Malware strains typically butt heads over victims’ data, particularly in a hyper-competitive market like banking; for example, the SpyEye malware has been seen to uninstall the similar Zeus trojan upon infecting machines, Kremez said.

Trickbot has made its mark as a trojan used for man-in-the-browser attacks since mid-2016. The malware has targeted financial institutions, and is a successor to the Dyre banking trojan, sharing many of the same attributes. It is built from multiple modules, including ones that use leaked exploits, and targets victims for various malicious activities, such as cryptocurrency mining and account takeover (ATO) operations.

The IcedID trojan meanwhile was spotted in 2017 by researchers at IBM’s X-Force Research team. They said the trojan has several standout techniques and procedures, most notably, for this collaboration, the ability to create local proxies that are used to steal credentials for a host of websites (mainly in financial services). The local proxy intercepts the victim’s browser traffic and uses a web inject that steals login data from the victim.

Kremez said it appears that IcedID is sent directly as spam via email, and the piece of malware then acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines.

The two combined forces use an array of methods and tools to then steal banking credentials from the victims, including token grabbers, redirection attacks and web injects.

“The attacks are complex…there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise,” according to Flashpoint.

The double-edged threat is not only bringing a new set of tools to the table; from an operations standpoint, the collaboration pulls in an extended network of fraud operators who can carry out efficient account takeover operations. “One of the main things behind the Trickbot-IcedID collaboration are the human operators behind this,” said Kremez.

Complex Collaboration

Flashpoint said it “assesses with high confidence” that a head of operations likely oversees a complex network of fraudsters who connect back to machines infected by the two trojans. This head is the botmaster, who operates the command and control of botnets for remote process execution.

Meanwhile, the bad actors who make up the extensive network likely know each other only by aliases and are specialists within their respective domains, Kremez told Threatpost.

“Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveals that the campaign involving a botnet belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds,” Flashpoint said in the report.

Essentially, when a victim logs in to a banking page of interest on an infected system, the botmaster receives XMPP (Jabber) notifications via the “jabber_on” field in the backend.

The combined malware operation also has the ability to carry out account checking (or credential stuffing), which determines the value of a victim’s machine and their access — so the bad actors can leverage higher-value targets for network penetration and use other compromised targets for things like cryptocurrency mining.

The botmaster then is able to extract information consisting of the victim’s login credentials, answers to the secret questions and email address from the logs, and then passes that information to an affiliate who manages real-world operations.

Meanwhile, mules use that information to open bank accounts in the geographic location of the victim and at the same financial institution. They in turn receive fraudulent Automated Clearing House (ACH) and wire transfers into their accounts and then forward the proceeds to the botnet owner or an intermediary.

“Based on the close collaboration between TrickBot and IcedID operators and their shared backend infrastructure, it is likely that the operators will continue to closely collaborate on cashing out stolen accounts,” Flashpoint noted. Additional details about the breadth of attacks and the amount of money stolen at this point are unknown.

Kremez said he expects more botnet operators to begin a similar collaboration scheme in the future: “This is only the beginning,” he said. “It’s getting harder and harder to commit fraud when it comes to banking… and I think this is where the collaboration will really start to come in.”

Yahoo Hacker Sentenced; Coke Opens Up a Can of Data Breach

Fortune 500 breaches seem to be a theme this week. As the Yahoo attacker responsible for the company’s 500 million-account data breach has been sentenced, Coca-Cola disclosed an insider stole the information of 8,000 employees.

A Canadian man who pleaded guilty last year to a “hacking-for-hire” spear-phishing operation of Yahoo employees was sentenced to five years in prison on Tuesday by a federal judge in San Francisco. Karim Baratov (only one of his aliases) was also ordered to pay a $250,000 fine, which “encompasses the rest of his assets,” according to the U.S. Department of Justice.

According to the DoJ announcement, Baratov was part of a conspiracy in which two Russian Federal Security Service (FSB) intelligence officers hired him to collect information on webmail accounts between January 2014 and December 2016. The efforts resulted in the heist of a half-billion Yahoo user accounts, part of a massive breach ultimately totaling 3 billion accounts.

“It’s difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyberattack against 500 million victim user accounts,” said FBI Special Agent in Charge, John Bennett.

In the attack, first disclosed in 2016, the hackers were able to steal a proprietary process Yahoo uses to create authentication cookies. Knowing how the cookies were minted let them forge cookies themselves and access user accounts without a password; from there, they were able to lift information from the company’s user account database.

While the attack was state-sponsored – a reality that Yahoo talked up in the aftermath – the company still came under fire for internal security failings. It also admitted that it knew in 2014 attackers were on its network and at the time had stolen data from a half-billion accounts. Congress then demanded answers from CEO Marissa Mayer, calling the two years between the attack and disclosure “unacceptable.”

“All of these breaches come back to a fundamental problem – companies are not managing and controlling their critical data; companies are very, very sloppy about data management,” said Eric Cole, CEO of Secure Anchor Consulting, in an interview. “It’s a widespread lack of visibility and control.”

Data control is at the heart of the Coca-Cola incident. The American icon has issued notifications to about 8,000 employees, saying that their personal data walked off in September 2017, thanks to a former employee at a Coke subsidiary who stole an external hard drive.

“Our investigation identified documents containing certain personal information for Coca-Cola employees and other individuals that was contained in the data held by the former employee,” the company said in a notification letter to workers. It didn’t specify what information was compromised.

The soda-and-water giant said that it discovered the breach only after it was notified by law enforcement officials, who recovered the drive. It also defended its decision not to disclose the breach for eight or so months, saying the delay was at the request of authorities investigating the breach.

“The thing that strikes me with the Coca-Cola breach is that they didn’t detect it themselves,” Cole said. “Their intrusion detection systems of choice are the FBI. It sums up the three major trends in data breaches: Companies don’t know where data is and they leave it in an exposed state; they do not do timely detection of attacks; and they often rely on third parties like law enforcement to let them know they’ve been breached.”

Coke has seen information physically walk away in the past: In a 2014 incident, several laptops containing unencrypted personal data were stolen from its Atlanta headquarters, affecting about 74,000 current and former employees.

“I often joke that most companies have employees that are carrying around million-dollar laptops, because the average machine has a 2TB hard drive that likely has a lot of sensitive information on it, that has no business being stored there,” Cole said.

Coke didn’t immediately say how many workers were affected, but clarified the scope of the problem to Bleeping Computer.

“The part that worries me is that breaches are becoming the norm,” Cole said. “I talked to some folks about the Coke breach and the sentiment was that it’s ‘only’ 8,000 people. So unless it’s a million people or more, we have a tolerance level? Instead of putting pressure on companies to be better, we’re accepting it as business as normal.”


Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes

Google updated its Chrome browser to version 67.0.3396.62 on Tuesday, patching 34 bugs and adding support for the Web Authentication (WebAuthn) API. The update will be available in the coming days for Windows, Mac and Linux platforms, Google said.

Most notable in the browser update are mitigations for Spectre. They build on a feature called Site Isolation, which renders pages from different sites, including cross-site iframes, in separate renderer processes. Because a speculative-execution side channel such as Spectre can only read memory belonging to the process it runs in, keeping each site’s data in its own process limits what a malicious page can reach.

“We’re continuing to roll out Site Isolation to a larger percentage of the stable population in Chrome 67,” said Chrome in its security release. “Site Isolation improves Chrome’s security and helps mitigate the risks posed by Spectre.”

Bug fixes for Chrome 67 include nine rated high. One of them is an out of bounds memory access bug (CVE-2018-6130) in Web Real Time Communication (WebRTC), which is an open-source project providing web browsers with real-time communication through simple APIs. Google also patched a heap buffer overflow glitch in open source graphics library Skia (CVE-2018-6126) and an overly permissive policy bug (CVE-2018-6125) in the WebUSB API, which provides a way to expose USB device services to the Web. Below is a full list of the vulnerabilities fixed that are rated high.

  • CVE-2018-6123: Use after free in Blink.
  • CVE-2018-6124: Type confusion in Blink.
  • CVE-2018-6125: Overly permissive policy in WebUSB.
  • CVE-2018-6126: Heap buffer overflow in Skia.
  • CVE-2018-6127: Use after free in indexedDB.
  • CVE-2018-6128: uXSS in Chrome on iOS.
  • CVE-2018-6129: Out of bounds memory access in WebRTC.
  • CVE-2018-6130: Out of bounds memory access in WebRTC.
  • CVE-2018-6131: Incorrect mutability protection in WebAssembly.

Part of the Google update also included the introduction of the WebAuthn API into Chrome 67. The API lets a site authenticate a user with a public-key credential held by an authenticator, such as a hardware security key or a platform authenticator unlocked by a fingerprint, iris scan or facial recognition, instead of a password. Mozilla shipped the same feature a few weeks ago in Firefox 60.

Finally, the latest version of Chrome removes support for HTTP Public Key Pinning (HPKP), adopting instead the more flexible Expect-CT header, which asks the browser to require Certificate Transparency for the site rather than a fixed set of keys. The plan was first announced in 2017, when Google argued that pinning exposed site administrators to the risk of choosing a key set they later could not present, locking their own users out.

Chrome 67 for desktops is currently available. Android and Chrome OS versions will follow soon after.
