knot-resolver-1.2.4-1.fc25

new upstream release
+ security: Knot Resolver 1.2.0 and higher could return AD flag for insecure answer if the daemon received answer with invalid RRSIG several times in a row.
+ fix: layer/iterate: some improvements in cname chain unrolling
+ fix: layer/validate: fix duplicate records in AUTHORITY section in case of WC expansion proof
+ fix: lua: do *not* truncate cache size to unsigned
+ fix: forwarding mode: correctly forward +cd flag
+ fix: fix a potential memory leak
+ fix: don’t treat answers that contain DS non-existence proof as insecure
+ fix: don’t store NSEC3 and their signatures in the cache
+ fix: layer/iterate: when processing delegations, check if qname is at or below new authority
+ enhancement: modules/policy: allow QTRACE policy to be chained with other policies
+ enhancement: hints.add_hosts(path): a new property
+ enhancement: module: document the API and simplify the code
+ enhancement: policy.MIRROR: support IPv6 link-local addresses
+ enhancement: policy.FORWARD: support IPv6 link-local addresses
+ enhancement: add net.outgoing_{v4,v6} to allow specifying address to use for connections

Sticky Attacks: When the operating system turns against you

Cyber-attackers are always finding new ways of bypassing the protection systems installed on computers in order to avoid detection and steal user data. In that respect, Black Hat hackers have always turned to malware-based attacks (phishing, network worms, or the dreaded Trojans with ransomware as the most dangerous example) to reach their goals: break into companies to steal credentials and huge amounts of other data in exchange for a ransom… At least, until now.

PandaLabs has recently detected a quite clever attack targeting a company in Hungary. What makes it so special? Well, the attack does not use any malware as such, but scripts and other tools belonging to the operating system itself in order to bypass scanners. This is just another example of the increased self-confidence and professionalization we have been observing among cyber-crooks in recent months.

Analysis of a malware-less attack

First, and as has become the norm in the latest security incidents analyzed at the lab, the attack starts with the attackers launching a brute-force attack against a server with the Remote Desktop Protocol (RDP) enabled. Once they get the computer’s login credentials, they have complete access to it.

Then, the first thing that the attackers do is run the sethc.exe file with the parameter 211 from the computer’s Command Prompt window (CMD). This turns on the system’s “Sticky Keys” feature. We are sure you have seen this message before:


Next, a program called “Traffic Spirit” is downloaded and run. “Traffic Spirit” is a traffic generator application which in this case is used to make extra money out of the compromised computers.

[Image: Traffic Spirit website]

Then, a self-extracting file is launched that uncompresses the following files in the %Windows%cmdacoBin folder:

  • registery.reg
  • SCracker.bat
  • sys.bat

The attackers then proceed to run the Windows registry editor (Regedit.exe) to add the following key contained in the registery.reg file:

This key ensures that every time the Sticky Keys feature is invoked (sethc.exe), a file called SCracker.bat gets run. This batch file implements a very simple authentication system. Running the file displays the following window:

The user name and password are obtained from two variables included in the sys.bat file:

This way, the attacker installs a backdoor on the affected machine. With this backdoor, the attacker will be able to connect to the targeted computer without having to enter the login credentials, enable the Sticky Keys feature (for example, by pressing the SHIFT key five times), and enter the relevant user name and password to open a command shell:
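The post does not reproduce the key inside registery.reg. As an added example (not Panda's analysis code), the checker below assumes the mechanism usually behind "run another program whenever sethc.exe starts", an Image File Execution Options (IFEO) "Debugger" value, and scans a .reg file for such hooks on Windows accessibility binaries while ignoring legitimate debugger hooks on other programs. The sample .reg text is constructed, not the attackers' file.

```python
"""Flag .reg files that hook Windows accessibility binaries through an
Image File Execution Options (IFEO) "Debugger" value.
Added example; the IFEO mechanism is an assumption, since the post does
not show the actual key contained in registery.reg."""
import re

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
               "\\CurrentVersion\\Image File Execution Options\\")
# Binaries reachable before logon or via key combos such as pressing SHIFT 5 times
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

KEY_RE = re.compile(r"^\[(.+)\]\s*$")                  # [HKEY_...\sethc.exe]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"\s*$')  # "Name"="string data"

def find_ifeo_hijacks(reg_text):
    """Return (hooked binary, debugger command) pairs found in .reg text."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = VALUE_RE.match(line)
        if not (val and current_key) or val.group(1).lower() != "debugger":
            continue
        if current_key.lower().startswith(IFEO_PREFIX.lower()):
            target = current_key[len(IFEO_PREFIX):].lower()
            if target in ACCESSIBILITY_BINARIES:
                # .reg files escape backslashes as "\\"; unescape for reporting
                hits.append((target, val.group(2).replace("\\\\", "\\")))
    return hits

# Constructed sample in the shape of a registery.reg (not the real file).
# The notepad.exe entry is a legitimate debugger hook and must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\cmdacoBin\\SCracker.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"
'''

for binary, cmd in find_ifeo_hijacks(SAMPLE_REG):
    print(f"IFEO hook on accessibility binary: {binary} -> {cmd}")
```

The same check can be run against an export of the live IFEO key, where an unexpected Debugger value on any of these binaries is a strong indicator of this persistence technique.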

The command shell shortcuts will allow the attacker to access certain directories, change the console color, and make use of other typical command-line commands.

However, the attack doesn’t stop here. To squeeze as much profit as possible out of the targeted company, the attacker also installs a bitcoin miner on every compromised computer. Bitcoin mining software uses the victims’ computer resources to generate the virtual currency without them noticing: a cheap and very effective way to monetize computer infections.

How does the Sticky Keys feature aid cyber-crooks?

If an attacker can actually access a targeted computer via an RDP connection, what do they need a backdoor for? The answer is quite simple: with a backdoor installed on the affected machine, even if the victim realizes that their system has been compromised and changes the Remote Desktop credentials, all the attacker has to do is press the SHIFT key five times to enable Sticky Keys and run the backdoor to regain access to the system. And remember, all of this without running malware on the affected computer.

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organization from serious financial and reputational harm. Protect your corporate network with the security solution that best adapts to your needs.


The post Sticky Attacks: When the operating system turns against you appeared first on Panda Security Mediacenter.

knot-resolver-1.2.4-1.fc26

new upstream release – security fix

Protect your social media account in these 5 simple steps

It’s pervasive; it’s everywhere. It can even rig national elections according to some well-known experts and academics. No, we’re not talking about Vladimir Putin’s team of world-class cyber spies. We’re talking about the medium of social media.

Hate it or love it, social media is here to stay. It’s bringing us closer to one another, and it’s helping us keep in touch across vast distances. Hey, it’s even helping us reconnect with these long-lost, faraway people we thought we’d never hear from again. Like, ever. And on the other hand, it’s hard to remain anonymous these days.

There are many people who decide not to store and share information on their social networks in order to avoid risks

“The kind of information we share on social media is very personal and everyone posts what they consider necessary. However, we live in a hyper-connected society and there’s a lot of effort to be made to avoid leaving our mark on the Internet. Sooner or later, somebody ends up doing it for us. It is smarter to share content on social networks from a cyber-secure point of view than to try not to exist digitally. At least in the first case, what you have on the Internet is protected,” says Hervé Lambert, Global Consumer Operations Manager at Panda Security.

We are not saying we ought to pull the plug on this social media thing altogether. It has too many advantages to give up… But with the rise of fake news and cyber insecurity, we need to be protected.

Malware programs

Malware, short for malicious software, consists of computer programs that get installed on your device, often inadvertently. It may take just a brief moment of inattention, one rapid click, and boom! Malware installs itself on your hard drive if you are not protected.

Malware programs will then disrupt normal operations, and they might collect personal data like bank details, credit card information, and passwords. In short, anything valuable to any mildly talented crook. And let’s face it, judging by the news, it seems that there are many of them out there.

According to Facebook, “nothing is more important than the safety of the people who use Facebook, and the security of their data.” That’s reassuring. The company has a Security Team dedicated to keeping you safe. Apparently, they’ve pioneered multiple defense systems against spam, viruses and phishing attacks. And even though Facebook has some automated enforcement mechanisms that are meant to shut down malicious apps, pages or accounts quickly, sometimes troublemakers still manage to reach people like you.

Prevention is the best cure, therefore, why not implement these easy steps to protect your social media accounts?

  • Step 1: Choose a secure password. The bottom line is you need a more robust password. Sorry to disappoint, but if you think pa55word is a safe option then think again. Someone figured that one out a long time ago.
  • Step 2: Don’t put sensitive information in your profile. Why would anyone want to do this anyway? Like your mother would say: “if in doubt, leave it out.”
  • Step 3: Refuse to let ANY application access your profile. That’s right, and we mean it: deny access to all of them. They promise to make your life easier, but they might end up making your life a nightmare instead!
  • Step 4: Don’t click on suspicious links, however tempting they may look. It’s not worth it! Think before you take action.
  • Step 5: Adjust your privacy settings. There’s a reason why these settings exist: familiarize yourself with them and review them regularly. You’ll thank us later!

And remember that if you think your device may have been infected with malware, fear not: help is available. Anti-virus specialists like us propose an advanced, dynamic, ever-evolving cyber-security model based on the principles of artificial intelligence. In short: we’ve got your back.

We have developed and patented sets of proactive technologies aimed at blocking unknown viruses, along with the Collective Intelligence model. This system is the first to automatically detect, analyze, and classify malware in real time. We are very proud of our product, and remember: your safety is our priority!

The post Protect your social media account in these 5 simple steps appeared first on Panda Security Mediacenter.

New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild

Security researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild.

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON.

In a blog post published Monday, Cisco’s Threat intelligence