(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This (blurry) picture shows the bad domain name printed on the bottom of a TP-Link router. (credit: Amitay Dan)

In common with many other vendors, TP-Link, one of the world's biggest sellers of Wi-Fi access points and home routers, has a domain name that owners of the hardware can use to quickly get to their router's configuration page. Unlike most other vendors, however, it appears that TP-Link has failed to renew its registration for the domain, leaving it available for anyone to buy. Any owner of the domain could feasibly use it for fake administration pages to phish credentials or upload bogus firmware. This omission was spotted by Amitay Dan, CEO of Cybermoon, and posted to the Bugtraq mailing list last week.

Two domain names used by TP-Link appear to be affected. tplinklogin-dot-net was used, according to TP-Link, on devices sold until 2014. On initial setup, while the router's Internet connection is still offline, the domain name will be trapped automatically and correctly send users to the router's configuration page. But subsequent visits to the configuration page can use the real Internet DNS system to resolve the address, and hence those routers are susceptible to being hijacked. A second TP-Link domain name, tplinkextender-dot-net, was used by TP-Link wireless range extenders and is similarly vulnerable.

Together, these domain names appear to be quite busy; estimates based on Alexa's ranking suggest that tplinklogin-dot-net sees about 4.4 million visits per month, with another 800,000 for tplinkextender-dot-net. It's not known who the new owner of the domains is, but Dan tweeted that domain name brokers are offering the more popular of the two for $2.5 million. This high price tag is perhaps why TP-Link has declined to buy the name back.

Read 1 remaining paragraphs | Comments


After taking a hiatus, Mac malware is suddenly back, with three newly discovered strains that have access to Web cameras, password keychains, and pretty much every other resource on an infected machine.

The first one, dubbed Eleanor by researchers at antivirus provider Bitdefender, is hidden inside EasyDoc Converter, a malicious app that is, or at least was, available on a software download site called MacUpdate. When double clicked, EasyDoc silently installs a backdoor that provides remote access to a Mac's file system and webcam, making it possible for attackers to download files, install new apps, and watch users who are in front of an infected machine. Eleanor communicates with control servers over the Tor anonymity service to prevent them from being taken down or being used to identify the attackers.

"This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," Tiberius Axinte, technical leader of the Bitdefender Antimalware Lab, said in a blog post published Wednesday. "For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices."

Read 9 remaining paragraphs | Comments


The Silent Phone app from Silent Circle is encrypted end-to-end, so there's really no call for a canary.

News reports that Silent Circle, the commercial encrypted voice-over-IP service company that manufactures the security-focused Blackphone, had removed its "warrant canary" webpage have apparently created some confusion. Things only got fuzzier since the company counsel stated that the page’s removal was a “business decision” and not the result of a warrant being served against the company for customer data. But the explanation for that decision, made more than a year ago with no fanfare, is actually very simple: Silent Circle's customers don't care. In fact, the warrant warning might have been a liability with some of Silent Circle's core customers, who might be more likely to be serving a warrant than receiving one.

Many of Silent Circle’s customers are in the government and corporate sector. "Our customer base is generally not concerned with law enforcement," Vic Hyder, Silent Circle's chief strategy officer, explained to Ars. "They use Silent Circle to protect their business activities from criminals and competition for the most part."

As Ars reported when we tested the original Blackphone and the Blackphone 2, the Silent Phone service definitely keeps customer security at the core. It provides end-to-end encrypted voice, video, and text messaging, and the service doesn’t provide any way for the Switzerland-based company to monitor or log the contents of messages, much as Apple’s iMessage service can’t. In addition to a layer of SSL encryption between the two ends of a call or message stream, Silent Phone applies another layer of encryption based on an exchange of keys. As a result, once the call or message thread is established, all of the data is protected between devices. In cases of calls from Silent Phone to an unsecured phone, the call is encrypted all the way to Silent Circle’s access point to the switched public phone network.

Read 3 remaining paragraphs | Comments



When generating exploit kit (EK) traffic earlier today, I noticed a change in post-infection activity on a Windows host infected with CryptXXX ransomware." />
Shown above: Flow chart for Neutrino EK/CryptXXX caused by pseudoDarkleech.

This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. As I write this, I haven" />
Shown above: An infected Windows desktop from earlier today.


Todays EK traffic was on using the same domain shadowing technique weve seen before from various campaigns using Neutrino EK (formerly using Angler EK [1, 2, 3] before Angler disappeared)." />
Shown above: Traffic from today" />
Shown above:" />
Shown above:" />
Shown above: Neutrino EK sends the payload (it" />
Shown above:" />
Shown above: HTML-based decryption instructions sent on over TCP port 443.

curityonion.net/">Security Onion setup to see what Snort-based alerts triggered." />
Shown above: My results from Sguil on Security Onion using the ET Pro ruleset.

Below are two screenshots with HTML decryption instructions from the infected Windows host" />

Final words

Although I havent noticed anything yet, Im sure some of the usual sources will have a more in-depth article on these recent changes in CryptXXX ransomware. This diary is just meant to give everyone a heads-up.

Pcap and malware for this diary are located here.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] http://blogs.cisco.com/security/talos/angler-domain-shadowing
[2] https://blog.malwarebytes.com/threat-analysis/2015/04/domain-shadowing-with-a-twist/
[3] https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows
[4] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ImageMagick CVE-2016-5118 Remote Command Execution Vulnerability
ImageMagick CVE-2015-8896 Integer Overflow Vulnerability
ImageMagick 'coders/icon.c' Integer Overflow Vulnerability
Squid Multiple Buffer Overflow and Information Disclosure Vulnerabilities
OpenSSL CVE-2015-3197 Security Bypass Vulnerability
VMware vCenter Server CVE-2015-6931 Cross-site Scripting Vulnerability
Huawei Honor CVE-2016-5366 Arbitrary File Include Vulnerability
The U.S. Commerce Departments National Institute of Standards and Technology (NIST) today announced that 19 small businesses will receive nearly $3.3 million in grants to spur U.S. innovation and competitiveness through federally funded ...
Drupal Core Arbitrary File Upload and Information Disclosure Vulnerabilities
Drupal Base system SA-CORE-2016-001 Open Redirection Vulnerability
Drupal Core Multiple Security Vulnerabilities
Drupal Core SA-CORE-2016-001 Multiple Security Vulnerabilities
Google Chrome Prior to 49.0.2623.75 Multiple Security Vulnerabilities
Adobe Flash Player and AIR CVE-2016-1001 Unspecified Heap Buffer Overflow Vulnerability
Adobe Flash Player and AIR APSB16-08 Multiple Unspecified Integer Overflow Vulnerabilities
Adobe Flash Player and AIR APSB16-08 Multiple Unspecified Memory Corruption Vulnerabilities
Re: Putty (beta 0.67) DLL Hijacking Vulnerability
ESA-2016-054: EMC Avamar Data Store and Avamar Virtual Edition Unauthorized Data Access Vulnerability
Micron CMS v5.3 - (cat_id) SQL Injection Vulnerability
Teampass 2.1.26 - Authenticated File Upload Vulnerability
IBM BlueMix Cloud - (API) Persistent Web Vulnerability
Internet Storm Center Infocon Status