Hackin9

(credit: ErrantX)

A Las Vegas-based casino operator has sued security firm Trustwave for conducting an allegedly "woefully inadequate" forensics investigation that missed key details of a network breach and allowed credit card thieves to maintain their foothold during the course of the two-and-a-half-month investigation.

In a legal complaint filed in federal court in Las Vegas, Affinity Gaming said it hired Trustwave in October 2013 to investigate and contain a network breach that allowed attackers to obtain customers' credit card data. In mid-January 2014, Trustwave submitted a report required under payment card industry security rules for all merchants who accept major credit cards. In the PCI forensics report, Trustwave said it had identified the source of the data breach and had contained the malware responsible for it. More than a year later, after Affinity was hit by a second credit card breach, the casino operator allegedly learned from Trustwave competitor Mandiant that the malware had never been fully removed.

According to the December 2015 complaint:


 
[KIS-2016-01] CakePHP <= 3.2.0 "_method" CSRF Protection Bypass Vulnerability
 
Defense in depth -- the Microsoft way (part 38): does Microsoft follow their own security guidance/advisories?
 
Researchers at the National Institute of Standards and Technology (NIST) have simulated a new concept for rapid, accurate gene sequencing by pulling a DNA molecule through a tiny, chemically activated hole in graphene—an ultrathin sheet ...
 
Executable installers are vulnerable^WEVIL (case 22): python.org's executable installers allow arbitrary (remote) code execution
 

(credit: Patrick Wardle)

In September, Ars reported a drop-dead simple exploit that completely bypassed an OS X security feature known as Gatekeeper. Apple shipped a fix, but now the security researcher who discovered the original vulnerability said he found an equally obvious work-around.

Patrick Wardle said the security fix consisted of blacklisting a small number of known files he privately reported to Apple that could be repackaged to install malicious software on Macs, even when Gatekeeper is set to its most restrictive setting. Wardle was able to revive his attack with little effort by finding a new Apple trusted file that hadn't been blocked by the Apple update. In other words, it was precisely the same attack as before, except it used a new, previously unblocked Apple-trusted file. Notably, that file was offered by security company Kaspersky Lab. Late on Thursday, Apple released an update blocking that file, too.

"It literally took me five minutes to fully bypass it," Wardle, who is director of research of security firm Synack, told Ars, referring to the updated Gatekeeper. "So yes, it means that the immediate issue is mitigated and cannot be abused anymore. However the core issue is not fixed so if anybody finds another app that can be abused we are back to square one (full gatekeeper bypass)."


 
[slackware-security] openssh (SSA:2016-014-01)
 

Emails remain a nice way to infect people: write a message with pertinent information, respect the format and style of the organization you're targeting, add some social engineering and you have good chances that your victim will open the attached malicious file. In 2015, we saw an increase in malicious OLE documents (Microsoft Office). Those files contain VBA macros that are automatically executed or, again with a social engineering trick, the user is enticed to execute them. The detection rate by antivirus also improved with time. That's why attackers switched to other ways to infect computers. I see more and more malicious JavaScript code zipped and sent to victims. The goal remains the same: once executed, a payload is downloaded from the Internet which will try to infect the victim's computer.

Of course, OLE documents as well as JavaScript scripts are obfuscated to be unreadable by humans and to defeat scanning tools. There are nice tools to analyze OLE documents: oledump.py and olevba.py. For JavaScript, here is a simple example of the kind of obfuscation found in the wild (two helper functions that each return half of the string "eval"):

    function wd84hhhps() { return "ev"; }
    function wd84hhhps2() { return "al"; }

The key point is to locate the eval() function. In the example above, it is quite easy to understand: eval() is called by concatenating the two substrings. But it's usually not so easy. You need tools to automate this task as much as possible. I like the JavaScript Deobfuscator. The tool has been recently upgraded and is very easy to use. Here is an example based on a malicious script I received (its VT score is 20/55):

Notes:

  • The website to download the tool is reported as malicious by Chrome because it contains a lot of dangerous tools.
  • Always execute this tool in a sandboxed environment! Your antivirus might detect the file as malicious and there is always a risk to double-click on it and execute it! You

The first step is to click on Clues.

If we search for rbhxtuqpiq, we see that the variable is populated with the content of pkwefagovz.

Based on this analysis, we know that pkelgjqh is our obfuscated eval() function. We can now highlight it and use the Convert function.

And finally, to make the code more readable, use the Copy Output to Input button followed by Beautify.

Now the script looks very simple. It contains a dl() function which downloads two malicious payloads, saves them in the %TEMP% directory using the provided name and executes them. You can now extract IOCs and, if interested, download the two binaries for further analysis. Here is a link to the analyzed content of both URLs:

https://www.virustotal.com/en/url/87ea8c2ac74b9dee82955fe7c7d6d81c350b6fc22615dd7d521c1ce1227a3e09/analysis/ (Cryptowall 4.0)
https://www.virustotal.com/en/url/2f22766516c8c78378d7ca928c0c1f466d5b9f4cda5ed09a2e5403b21ce21d31/analysis/ (Pony)
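The manual steps above (find the functions that return string fragments, follow which variable the concatenation lands in, recognise the hidden eval()) can be scripted for the simple concatenation pattern. The following is an added example, not code from this diary or from the JavaScript Deobfuscator tool; the sample script, the `this[...]` lookup used to reach the global and the list of flagged names are constructed assumptions for illustration.

```python
import re

# Constructed sample in the style of the obfuscated script discussed above
# (function names reuse the two helpers shown earlier; the rest is made up).
SAMPLE_JS = r'''
function wd84hhhps() { return "ev"; }
function wd84hhhps2() { return "al"; }
var pkelgjqh = this[wd84hhhps() + wd84hhhps2()];
var dest = "%TE" + "MP%";
pkelgjqh(dest);
'''

# Zero-argument functions whose body is a single 'return "<literal>";'
FUNC_RE = re.compile(r'function\s+(\w+)\s*\(\s*\)\s*\{\s*return\s*(["\'])(.*?)\2\s*;?\s*\}')
VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*([^;]+);')       # no ';' inside string literals assumed
GLOBAL_RE = re.compile(r'(?:this|window|self)\[(.+)\]')  # assumption: global reached via this[...]
SUSPICIOUS = {"eval", "unescape", "ActiveXObject", "WScript"}  # assumption: names worth flagging

def literal_functions(js):
    """Map each literal-returning helper to the fragment it returns, e.g. wd84hhhps -> 'ev'."""
    return {name: text for name, _quote, text in FUNC_RE.findall(js)}

def resolve(expr, funcs, variables):
    """Fold a '+' chain of literals, helper calls and known variables into one string.
    Returns None when any piece is unknown (a naive split: '+' inside literals breaks it)."""
    parts = []
    for tok in re.split(r'\s*\+\s*', expr.strip()):
        lit = re.fullmatch(r'(["\'])(.*?)\1', tok)
        call = re.fullmatch(r'(\w+)\s*\(\s*\)', tok)
        if lit:
            parts.append(lit.group(2))
        elif call and call.group(1) in funcs:
            parts.append(funcs[call.group(1)])
        elif tok in variables:
            parts.append(variables[tok])
        else:
            return None
    return "".join(parts)

def find_hidden_calls(js):
    """Return (helpers, folded variables, aliases) where aliases maps e.g. pkelgjqh -> 'eval'."""
    funcs, variables, aliases = literal_functions(js), {}, {}
    for name, rhs in VAR_RE.findall(js):
        glob = GLOBAL_RE.fullmatch(rhs.strip())
        target = resolve(glob.group(1) if glob else rhs, funcs, variables)
        if target is None:
            continue
        (aliases if glob else variables)[name] = target
    return funcs, variables, aliases

def suspicious_aliases(js):
    """Only the aliases that resolve to a flagged global name."""
    return {alias: g for alias, g in find_hidden_calls(js)[2].items() if g in SUSPICIOUS}

if __name__ == "__main__":
    print(suspicious_aliases(SAMPLE_JS))  # {'pkelgjqh': 'eval'}
```

Real samples add indirection (array lookups, String.fromCharCode, self-modifying code), so treat this as a first pass to shortlist candidates before the manual work in the tool.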

This technique is not fully automated like it could be in a malware analysis system running a sandbox, but it helps you to really understand how the scripts are working and how attackers implement new obfuscation techniques. Happy hunting!

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 
FreeBSD Security Advisory FreeBSD-SA-16:07.openssh
 
Internet Storm Center Infocon Status