Ransomware outbreak at a global scale | #wannacry

Approximately 74 countries are currently under an ongoing cyber-attack. The NHS in the UK has been massively affected, along with major companies worldwide. 

Computer systems are being infected with the ransomware known as WanaCrypt0r 2.0 (known as WCry and WannaCry). The malicious file targets a known computer vulnerability (MS17-010). 

System Administrators:
- Ensure systems are fully patched, especially by addressing the MS17-010 vulnerability. 
- Disable SMBv1.
- Firewall protect ports: 139/445 & 3389
- Make sure you have a backup of your data and it is also stored offline. 
- Ensure Antivirus is installed and active.

Legacy systems should be isolated and any systems which are infected, consider removing them from the network. 

Under Attack?

• Customers in the healthcare sector should follow the national guidance as instructed by the NHS and the National Cyber Security Centre (NCSC).
• UK customers consult the Cyber Information Sharing Platform (CiSP).
• DeepRecce customers requiring further advice or information should contact our 24/7 incident response line www.deeprecce.com

--

Repository of information:

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm
https://gist.github.com/pcostesi/87a04a3bbbdbc4aeb8b787f45eb21197 

Microsoft released notes:
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Ticketbleed (CVE-2016-9244)

A vulnerability similar to the well-known heartbleed was discovered in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This vulnerability is called Ticketbleed as it lies in the implementation of Session Tickets, which is a resumption technique used to speed up repeated connections. The vulnerability affects the proprietary F5 TLS stack which exposes 31 bytes at a time.

F5 published article K05121675 addressing this vulnerability. You can read the story of how Ticketbleed was found and a complete technical walkthrough on the Filippo.io blog.

Test
You can test your domain using the automated script which you can find at: https://filippo.io/Ticketbleed/

Alternatively, you can test for Ticketbleed yourself with a Go script: here

Fixes and mitigation
The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available.

Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.

Reproduced here are the instructions provided by F5 and available at the link above.

1. Log in to the Configuration utility
2. Navigate on the menu to Local Traffic > Profiles > SSL > Client
3. Toggle the option for Configuration from Basic to Advanced
4. Uncheck the Session Ticket option to disable the feature
5. Click Update to save the changes

Source: https://filippo.io/Ticketbleed/

Invitation to the largest European Cyber Security Challenge

ENISA (European Union Agency for Network and Information Security) is organising the European Cyber Security Challenge 2016 - the largest European challenge for cyber security talent. The Challenge will be held in November in Dusseldorf, Germany - and the Greek National Cyber Security team will compete with other national teams in various security-related challenges, such as web security, mobile security, crypto puzzles, reverse engineering, forensics.

The Greek team will be assembled in a qualifying round - in which we'd like to invite you to participate!

The qualifier will be held on Saturday, July 9 at the Department of Digital Systems of the University of Piraeus. The challenges will be similar to the ones outlined above, and the top 10 participants will comprise the Greek team that will travel to Germany. In order to be eligible, contestants need to legally reside in the country, be aged between 14-30, not have a Master's or higher degree or any professional experience in the information security sector - and of course have some InfoSec skills! Both competitions will be held in English, so contestants need to have at least basic understanding of the English language.

The Greek team is organised by TwelveSec and the Department of Digital Systems of the University of Piraeus, and supported by other major Greek universities and organisations, such as Security BSides Athens.

All you need to do to get the chance to compete in the qualifier is to register in the official website of the Greek team http://ecsc.gr/

Registrations are closing this week (Friday, July 1), so hurry up and register!

Critical vulnerability found in glibc

A critical vulnerability has been found in Glibc. The critical flaw affects nearly all Linux machines, as well as API web services and major web frameworks. Glibc is the GNU C library which was at the core of last year’s GHOST vulnerability. 

The flaw, CVE-2015-7547, effects all Linux servers and web frameworks such as Rails, PHP and Python, as well as Android apps running Glibc. The vulnerability was discovered by researchers at Google and Red Hat and a patch has been made available. Google has released further information on the issue in its advisory. 

It is strongly suggested to patch all effected systems immediately, as this vulnerability is considered critical and could be exploited for malicious reasons (allows remote code execution). More specifically, the vulnerability effects all versions of Glibc since version 2.9 and there are no temporary mitigations that can be implemented until Linux machines are patched. 

SSH vulnerability in Fortinet Fortigate products

It was stated that an SSH "backdoor" was identified in Fortinet Fortigate products and the proof-of-concept source code was posted on the Full Disclosure mailing list. 

See here: http://seclists.org/fulldisclosure/2016/Jan/26

Fortinet released a brief statement regarding the issues found with FortiOS on January 12, 2016. The brief statement says that the issue that was recently disclosed publicly was resolved and a patch was made available in July 2014. 

Fortinet stated that: "This was not a “backdoor” vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external."

Biometrics: the Future of Mobile Payments?

Billions of people are now using smartphones, even in the most remote areas of the planet. Global adoption of these new mobile technologies opens up the discussion for more advanced methods of identification, authentication, and verification, especially when it comes to protecting against fraud, identity theft and financial crime. One of these promising new technologies, available to end users as a result of the acceptance of mobile devices such as mobile phones, tablets, and laptops, is biometrics.

Biometrics look promising when it comes to simplifying the processing, authentication, and confirmation of transactions in general, but more importantly when it comes to payments. Technological advances, along with pattern recognition and multi-factor biometrics, are expected to tackle cybercrime by making it very expensive and time-consuming for cybercriminals to attempt to target these systems. 

FireEye critical vulnerability

Google's team in Project Zero discovered a critical vulnerability in FireEye NX, EX, AX and FX network security devices that run on security content version 427.334 or prior versions.

An attacker could exploit this vulnerability to gain persistent access and remotely exploit code. It is good to see that FireEye focused this time towards patching the security flaw and did not try to take legal action, like previously, for the vulnerabilities discovered by the German security firm ERNW). 

FireEye responded with a support alert stating that a patch was released through automated security content updates for all of the affected devices. FireEye is making the patch available for “out-of-contract customers” and the firm warned customers who perform manual security content updates, to “update immediately”.

The flaw discovered by Project Zero follows an earlier series of vulnerabilities discovered by the German security firm ERNW. FireEye filed an injunction against ERNW in September after learning that the firm was planning to release findings on vulnerabilities that it discovered in FireEye's operating system

It was proven that it was possible for an attacker to root the FireEye's network security device by simply tricking a victim into clicking on a link contained in an email. 

"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic

Juniper Networks published an advisory saying that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 contain unauthorized code that surreptitiously decrypts the VPN traffic by giving attackers administrative access. 

This system "backdoor" requires immediate patching! The vulnerability was discovered during a recent internal code review[1]. The "unauthorised code" in ScreenOS could allow a knowledgeable attacker to gain administrative access to NetScreen appliances and to decrypt VPN connections. 

Juniper Networks explained in a separate advisory that there are two separate vulnerabilities which are both described as “Unauthorised Code”.

The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. "The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic," the advisory said. "It is independent of the first issue. There is no way to detect that this vulnerability was exploited." [2]

This Github repository contains notes, binaries, and related information from the analysis of the CVE-2015-7755 & CVE-2015-7756 issues within Juniper ScreenOS. See a detailed analysis by Rapid7. 

Joomla Critical 0day Remote Command Execution Vulnerability - Patch Now

A vulnerability that affects all versions of Joomla from 1.5.0 to 3.4.5 have just been released (CVE-2015-8562). 

The Joomla security team released a patch to address this critical remote command execution vulnerability that is already being exploited in the wild. 

Joomla is one of the most popular Content Management Systems (CMS), alongside Wordpress, Drupal and Magento. Joomla CMS is used to build web sites and online applications in conjunction with the many supported shopping cart, e-commerce and payment gateway extensions.  

Joomla users need to upgrade to version 3.4.6 immediately. For Joomla 3 and above, updating is a simple one-click process through the admin panel. For the unsupported versions 1.5.x - 2.5.x the users need to patch using the Joomla hotfixes.

Adobe Flash patches 17 remote code execution vulnerabilities

Adobe Flash version 19.0.0.245 was released today. This version patches 17 remote code execution vulnerabilities if exploited [see here]. Adobe said that there are no reports of public exploits for any of the patched flaws.

In addition to the desktop version of Flash for Windows and Mac OS X, Adobe also updated Flash for Internet Explorer 11 and Microsoft Edge, both of which are expected to be included in today’s Microsoft Patch Tuesday security bulletins. Adobe also updated Flash Player for Linux and various Adobe Air products for Windows, iOS and Android mobile devices. 

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote. 

For those of us using multiple browsers, perform the check for each browser you have installed on your system. The Flash updated packages can be found here.

CVE numbers: CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7659, CVE-2015-7660, CVE-2015-7661, CVE-2015-7662, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046

During last month’s scheduled update, Adobe patched Flash and Acrobat Reader addressing 69 critical vulnerabilities that could lead to code execution and information disclosure. Just three days later, Adobe updated Flash once again with an emergency patch that addressed a zero-day type confusion* vulnerability. The zero-day was being exploited by a Russian-speaking APT group during Operation Pawn Storm.

*Type confusion vulnerabilities occur when the code doesn't verify the type of object that is passed to it, and uses it without type-checking. 

Adobe Flash Player - Keep it up-to-date

There is a big debate about uninstalling Adobe Flash Player completely from your systems or not. Unfortunately, Adobe Flash Player has been found to suffer by a number of vulnerabilities and new ones surface each other week. 

If you still want to keep flash player on your system, I suggest you change your browser* settings and make sure any flash content runs after you have authorised it by clicking on it and not automatically when you visit a web page. 

I also suggest you make sure you have the latest version of Adobe Flash Player which YOU MUST ONLY download from the Adobe website and not through any random popups or third party links. 

This is the official URL where you can download the latest version of Adobe Flash Player for your system and the browser you are using is https://get.adobe.com/flashplayer/. Please note that you need to run Windows Update in order to download automatically the latest Adobe Flash Player update for Internet Explorer. I suggest restarting your system before you run Windows Update and after you have completed patching your OS through Windows Update. 

By visiting the following link you can check if you are running the latest version of Adobe Flash Player: http://www.adobe.com/uk/software/flash/about/

* Make sure you have updated your browser (Firefox, Chrome, Opera, etc.) to its latest version before updating the flash player. In order to check if you have the latest version, run your browser, hit the Alt key from the keyboard, go to the Help menu and select the "About" option. Your browser will inform you if it is at its latest version or it will start downloading the latest version for you. 

Logjam attack - Diffie-Hellman key exchange weakness (a quick and brief explanation)

A study was published regarding the security of the Diffie-Hellman key exchange. This popular cryptographic algorithm can be found among many protocols such as HTTPS, SSH, IPsec, SMTPS and it is used for sharing a key and establishing a secure connection. 

The weaknesses uncovered affect websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers. The exploitation of this vulnerability  was given the name Logjam attack [1] and depends on how Diffie-Hellman key exchange has been deployed in each case. 

The Logjam attack against TLS can be performed by downgrading vulnerable TLS connections to 512-bit export-grade cryptography, allowing the man-in-the-middle (MiTM) attacker to read and modify any data passed over the connection. At the moment, this attack affects all modern web browsers. 

ozwpan driver - Remote packet-of-death vulnerabilities in Linux Kernel

"The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero." [1]

1. A remote packet can be sent, resulting in funny subtractions of
signed integers, which causes a memcpy(kernel_heap, network_user_buffer, -network_user_provided_length).

There are two different conditions that can lead to this:
https://lkml.org/lkml/2015/5/13/740
https://lkml.org/lkml/2015/5/13/744

2. A remote packet can be sent, resulting in divide-by-zero in softirq, causing hard crash:
https://lkml.org/lkml/2015/5/13/741

3. A remote packet can be sent, resulting in a funny subtraction, causing an insanely big loop to lock up the kernel: https://lkml.org/lkml/2015/5/13/742

4. Multiple out-of-bounds reads, resulting in possible information leakage, explained in the last paragraph of the introductory email here: https://lkml.org/lkml/2015/5/13/739

The above is a repost of this: http://seclists.org/oss-sec/2015/q2/446

You may find more information about ozwpan here: https://lkml.org/lkml/2015/5/13/739

[1] https://lkml.org/lkml/2015/5/13/739

VENOM Vulnerability - Virtualized Environment Neglected Operations Manipulation

VENOM is short for Virtualized Environment Neglected Operations Manipulation and it is a vulnerability in the QEMU’s virtual Floppy Disk Controller (FDC). The vulnerable code is used in numerous virtualization platforms and appliances such as Xen, KVM, and the native QEMU client. 

The vulnerability has been assigned the following CVE (CVE-2015-3456). As far as we know, VMware, Microsoft Hyper-V, and the Bochs hypervisors are not impacted by this. 

The interesting fact about VENOM is that it applies to a wide range of virtualization platforms (using the default configurations) and it allows for arbitrary code execution. Due to the fact that the vulnerability exists in the hypervisor’s codebase, it affects all host and guest Operating Systems. 

However, the vulnerability can be exploited only with escalated privileges (root, administrator). 

To Flash, or not to Flash?

Adobe suffers its third critical vulnerability (CVE-2015-0313) for this year. The vulnerabilities are exploited by the use malicious advertisements known as malvertising attacks. Due to the fact advertisements are designed to load once a user visits a site, the infection happens automatically. 

The affected version of this third vulnerability were:

• Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Mac OS X
• Adobe Flash Player 13.0.0.264 and earlier 13 x versions

There are two Flash player updates already released by Adobe to mitigate the two previous vulnerabilities (CVE-2015-0310, CVE-2015-0311) and new updates are expected during this week for the latest vulnerability. 

In the meanwhile, make sure your flash does not load automatically by enabling the click-to-play feature of your web browser, make sure your AntiVirus solution is up-to-date, make sure you have the latest Flash player installed downloaded only by the legitimate Adobe website and last but not least, use an ad-blocker. 

POODLE SSLv3 Vulnerability

Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google who discovered this, released a security advisory which you can find on OpenSSL website [2]. 
The Padding Oracle On Downgraded Legacy Encryption aka #POODLE vulnerability, has already a good write-up [1]. Jesper Jurcenoks explains the vulnerability on his blog [3] in a very detailed manner but at the same time, easy to understand. I am happy to see that Jesper used for his blog-post the logo I made for the poople vulnerability! :) Also, if you are thirsty for more technical details, you should also read this blog-post from ImperialViolet [4]. If you want to see some statistics on how vulnerable we are today in regards to this, you should read this article on netcraft [5]. The following post outlines the steps on how to disable SSLv3 [6]. If you wanna do a quick test and see if your browser supports SSLv3 regarding the poodle vulnerability, then you can visit: www.poodletest.com. On the other hand, www.howsmyssl.com can provide some useful information about the SSL/TLS client you used to render its page. Last but not least, if you need to a server given its domain name for this vulnerability, you may use www.poodlescan.com

CVE­-2014-­3566 has been allocated for this protocol vulnerability.

I had an idea for a logo for this vulnerability which I posted on twitter when the vulnerability came out and I would like to share it with you. We are trying to ditch SSLv3 for quite some time now, the logo had to look a little bit old style, retro and maybe vintage. Let me know what you think. ( you are free to use this logo, it would be nice if you reference it with: @drgfragkos )

Do you want to test manually?
Use this command: 
openssl s_client -connect google.com:443 -ssl3
If the handshake fails then the server doesn't support SSLv3 

Bash-ing (Bash Bug, Shell Shock) - All the information you need

The Bash Bug is a severe vulnerability discovered by by Stephane Chazelas of Akamai, who most probably deserves a pwnie award [1]. 
The discovery of this particular vulnerability is a serious risk, similar (maybe proven to be a lot bigger) to the Heartbleed bug [2]. Mostly because Linux not only runs the majority of the servers but also in a large number of embedded devices. Keep in mind that there are approximately about 25 years’ worth of Bash versions! Effectively, Mac OS X [11] and Android devices may also be running the vulnerable version of bash. 
Also, for Windows systems, msysgit contains a vulnerable version of bash (by Joshua McKinney) [12]. Which means, we are going to have more of these popping up very soon under the Windows platform as well.
Just to give you a hint about the severity of this vulnerability, NIST Vulnerability DataBase rated this with "10 out of 10". [3]

Gamma International; a Hacker's Hacking Guide

The original document was found at pastebin [1]. 

[1] http://pastebin.com/raw.php?i=cRYvK4jb

                _   _            _      ____             _    _ 
               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
               |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
                                                 
     A DIY Guide for those without the patience to wait for whistleblowers

London Trust Forum

I was invited to attend the London Trust Forum organised by NCC where Andy Davis talked about CANimation and highlighting the security threats to automotive systems. A very interesting talk on how you can hack into cars when you have physical access to them or in some occasions, remotely! 

It was really nice to see familiar faces at the event and catch up with Dr. Jessica Barker (@drjessicabarker), David Middlehurst (@dtmsecurity) , @netbiosX and @Emil_i.

Looking forward to the next Trust Forum event already!