Information Security News
In common with many other vendors, TP-Link, one of the world's biggest sellers of Wi-Fi access points and home routers, has a domain name that owners of the hardware can use to quickly get to their router's configuration page. Unlike most other vendors, however, it appears that TP-Link has failed to renew its registration for the domain, leaving it available for anyone to buy. Any owner of the domain could feasibly use it for fake administration pages to phish credentials or upload bogus firmware. This omission was spotted by Amitay Dan, CEO of Cybermoon, and posted to the Bugtraq mailing list last week.
Two domain names used by TP-Link appear to be affected. tplinklogin-dot-net was used, according to TP-Link, on devices sold until 2014. On initial setup, while the router's Internet connection is still offline, the domain name will be trapped automatically and correctly send users to the router's configuration page. But subsequent visits to the configuration page can use the real Internet DNS system to resolve the address, and hence those routers are susceptible to being hijacked. A second TP-Link domain name, tplinkextender-dot-net, was used by TP-Link wireless range extenders and is similarly vulnerable.
Together, these domain names appear to be quite busy; estimates based on Alexa's ranking suggest that tplinklogin-dot-net sees about 4.4 million visits per month, with another 800,000 for tplinkextender-dot-net. It's not known who the new owner of the domains is, but Dan tweeted that domain name brokers are offering the more popular of the two for $2.5 million. This high price tag is perhaps why TP-Link has declined to buy the name back.
After taking a hiatus, Mac malware is suddenly back, with three newly discovered strains that have access to Web cameras, password keychains, and pretty much every other resource on an infected machine.
The first one, dubbed Eleanor by researchers at antivirus provider Bitdefender, is hidden inside EasyDoc Converter, a malicious app that is, or at least was, available on a software download site called MacUpdate. When double clicked, EasyDoc silently installs a backdoor that provides remote access to a Mac's file system and webcam, making it possible for attackers to download files, install new apps, and watch users who are in front of an infected machine. Eleanor communicates with control servers over the Tor anonymity service to prevent them from being taken down or being used to identify the attackers.
"This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," Tiberius Axinte, technical leader of the Bitdefender Antimalware Lab, said in a blog post published Wednesday. "For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices."
by Sean Gallagher
News reports that Silent Circle, the commercial encrypted voice-over-IP service company that manufactures the security-focused Blackphone, had removed its "warrant canary" webpage have apparently created some confusion. Things only got fuzzier since the company counsel stated that the page’s removal was a “business decision” and not the result of a warrant being served against the company for customer data. But the explanation for that decision, made more than a year ago with no fanfare, is actually very simple: Silent Circle's customers don't care. In fact, the warrant warning might have been a liability with some of Silent Circle's core customers, who might be more likely to be serving a warrant than receiving one.
Many of Silent Circle’s customers are in the government and corporate sector. "Our customer base is generally not concerned with law enforcement," Vic Hyder, Silent Circle's chief strategy officer, explained to Ars. "They use Silent Circle to protect their business activities from criminals and competition for the most part."
As Ars reported when we tested the original Blackphone and the Blackphone 2, the Silent Phone service definitely keeps customer security at the core. It provides end-to-end encrypted voice, video, and text messaging, and the service doesn’t provide any way for the Switzerland-based company to monitor or log the contents of messages, much as Apple’s iMessage service can’t. In addition to a layer of SSL encryption between the two ends of a call or message stream, Silent Phone applies another layer of encryption based on an exchange of keys. As a result, once the call or message thread is established, all of the data is protected between devices. In cases of calls from Silent Phone to an unsecured phone, the call is encrypted all the way to Silent Circle’s access point to the switched public phone network.
When generating exploit kit (EK) traffic earlier today, I noticed a change in post-infection activity on a Windows host infected with CryptXXX ransomware.
Shown above: Flow chart for Neutrino EK/CryptXXX caused by pseudoDarkleech.
This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. As I write this, I haven
Shown above: An infected Windows desktop from earlier today.
Today's EK traffic was on 22.214.171.124 using the same domain shadowing technique we've seen before from various campaigns using Neutrino EK (formerly using Angler EK [1, 2, 3] before Angler disappeared).
Shown above: Traffic from today
Shown above: Neutrino EK sends the payload (it
Shown above: HTML-based decryption instructions sent on 126.96.36.199 over TCP port 443.
Security Onion setup to see what Snort-based alerts triggered.
Shown above: My results from Sguil on Security Onion using the ET Pro ruleset.
Below are two screenshots with HTML decryption instructions from the infected Windows host
Although I haven't noticed anything yet, I'm sure some of the usual sources will have a more in-depth article on these recent changes in CryptXXX ransomware. This diary is just meant to give everyone a heads-up.
Pcap and malware for this diary are located here.
brad [at] malware-traffic-analysis.net