April-2017 News Bits

adminNews

Cyber Security news for the month of April, 2017.


Prisoners built two PCs from parts, hid them in ceiling, connected to the state’s network and did cybershenanigans

https://www.theregister.co.uk/2017/04/12/prisoners_built_computer_connected_to_states_network/

Five prisoners in the US built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction’s network to engage in cybershenanigans.

The computers were cobbled together from spare parts which prisoners had collected from Marion Correction Institution’s RET3, a program that helped to rehabilitate prisoners by getting them to break down old PCs into component parts for recycling.

Forensics found “a large hacker’s toolkit with numerous malicious tools for possible attacks. These malicious tools included password-cracking tools, virtual private network tools, network enumeration tools, hand-crafted software, numerous proxy tools, and other software used for several types of malicious activity.”

In addition to the above, the forensics team found “Self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, ether soft, virtual phone, pornography, videos, VideoLan, and other various software,” in addition to evidence that malicious activity had been occurring within the ODRC inmate network.

They reported: “Inmates appeared to have been conducting attacks against the ODRC network using proxy machines that were connected to the inmate and department networks. It appears the Departmental Offender Tracking System portal was attacked and inmate passes were created. Findings of bitcoin wallets, stripe accounts, bank accounts, and credit card accounts point toward possible identity fraud, along with other possible cybercrimes.”


Apple patches drive-by Wi-Fi flaw with emergency iOS patch

https://www.helpnetsecurity.com/2017/04/04/ios-wifi-patch/

Less than a week after Apple pushed out iOS 10.3 comes an iOS emergency patch that all iDevice owners should implement as soon as possible.

The security note accompanying iOS 10.3.1 says simply that the fixed problem is a stack buffer overflow vulnerability that was addressed through improved input validation, and that it allows an attacker within range to execute arbitrary code on the Wi-Fi chip.

No more details about it were shared, but Gal Beniamini of Google Project Zero – the discoverer of the flaw – noted that more information about it will be provided tomorrow, and that it is not the same bug as the one he found last year in Broadcom’s Wi-Fi HardMAC SoC product.

iOS 10.3.1 is available for practically all iDevices out there: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later.

As promised, Gal Beniamini shared more details about the vulnerability patched on Monday by Apple.

His post is extremely technical, and focuses more on how the flaw affects Android mobile devices, but the short of the matter is this: the flaw was found in the firmware running on Broadcom’s Wi-Fi system-on-chip – which is used on all newer iThings – and can be triggered with specially crafted wireless frames, which an attacker can send directly to the victim if he or she is within Wi-Fi range.


Github Repository Owners Targeted by Data-Stealing Malware

https://threatpost.com/github-repository-owners-targeted-by-data-stealing-malware/124656/

Phishing emails zeroing in on developers who own Github repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots.

The binary dropped by the PowerShell script used in the attacks, senior threat researcher Brandon Levene said, is called Dimnie and has been in circulation since 2014 targeting primarily Russian-speaking targets.

This is the first time Dimnie has been used to target developers with Github repositories.

Dimnie specializes in stealth, disguising its HTTP requests to the command and control infrastructure in a GET request to a defunct Google service called Google PageRank.

Levene said an IP address was found in a DNS lookup request preceding the GET request that was the real destination IP for the follow-up HTTP request.

“Sending the request to an entirely different server is not complicated to achieve, but how many analysts would simply see a DNS request with no [apparent] related subsequent traffic? That is precisely what Dimnie is relying upon to evade detections,” Palo Alto said in its report.


McAfee’s Back as an Independent Security Firm

http://www.darkreading.com/endpoint/mcafees-back-as-an-independent-security-firm/d/d-id/1328556

McAfee has finalized its planned spinoff from Intel Corp. and has returned to its roots as a stand-alone security company. Intel purchased McAfee for $7.7 billion in August 2010 in hopes of providing it a security foothold in areas such as wireless mobility and the Internet of Things.

The former Intel Security arm’s general manager Christopher Young will serve as CEO of the new privately held McAfee. Steve Grobman, CTO of McAfee and former CTO at Intel Security, says the spinoff allows McAfee to operate more nimbly.

It’s less about changing direction in strategy for McAfee and more about speeding up the direction it began two years ago with the arrival of Young to Intel Security, Grobman says.

McAfee will continue its security platform focus, as well as moving to cloud security capabilities, he says.

“Security remains important to Intel, and in addition to our equity position and ongoing collaboration with McAfee, Intel will continue to integrate industry-leading security and privacy capabilities in our products from the cloud to billions of smart, connected computing devices.”


Booby-trapped Word documents in the wild exploit critical Microsoft 0day

https://arstechnica.com/security/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/

There’s a new zeroday attack in the wild that’s surreptitiously installing malware on fully-patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye.

Second, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn’t require targets to enable macros.

Last, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.

The successful exploit closes the bait Word document and pops up a fake one to show the victim.


Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack

https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/

Someone managed to trigger the emergency siren system used by the city of Dallas for tornado warnings and other emergencies.

That someone managed to keep the alarms in action for 95 minutes-even after emergency services workers shut them off.

Dallas officials initially blamed “a hack” for causing the midnight siren escapade-a statement that was initially interpreted as some sort of network intrusion into Dallas’ emergency services computer systems.

Dallas City Manager T.C. Broadnax clarified the cause, saying that the “Hack” used a radio signal that spoofed the system used to control the siren network.

Alert sirens, especially older ones like those used in Dallas, are usually controlled by tone combinations used by the Emergency Alert System broadcast over the National Weather Service’s weather radio.

They can also be controlled by Dual-Tone Multi-Frequency or Audio Frequency Shift Keying encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies that were set aside for emergency agencies’ use by the FCC in 2004.

If the frequency used by the sirens in Dallas for DTMF or AFSK wasn’t monitored, an attacker could conceivably broadcast an endless number of guesses at DTMF or AFSK encoded commands until the sirens were set off-and then just play that command signal repeatedly.

Upgrade your protection with Rigid Bits. Contact us for more information about our cyber security services.