WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping

A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.

The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.

That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.

In other words: this flaw, if exploited, gives an attacker a skeleton key to access any WPA2 network without a password. Once they're in, they can eavesdrop on your network traffic.

The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk.

"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.

But because Vanhoef hasn't released any proof-of-concept exploit code, there's little risk of immediate or widespread attacks.

News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.

The warning came at around the time of the Black Hat security conference, when Vanhoef presented a talk on networking protocols, with a focus on the Wi-Fi handshake that authenticates a user joining a network.

The cyber-emergency unit has since reserved ten common vulnerabilities and exposures (CVE) records for the various vulnerabilities.

Cisco, Intel, Juniper, Samsung, and Toshiba are among the companies affected.

At its heart, the flaw is found in the cryptographic nonce, a randomly generated number that's used only once to prevent replay attacks, in which a hacker impersonates a user who was legitimately authenticated.

In this case, an attacker can trick a victim into reinstalling a key that's already in use. Reusing the nonce can allow an adversary to attack the encryption by replaying, decrypting, or forging packets.

Windows and latest versions of Apple's iOS are largely immune from the flaws, according to security researcher Kevin Beaumont, in a blog post.

However, Vanhoef said the security issue is "exceptionally devastating" for Android 6.0 Marshmallow and above.

via zdnet

Read more »

Here is every patch for KRACK Wi-Fi attack available right now

Monday morning was not a great time to be an IT admin, with the public release of a bug which allowed WPA2 security to be broken.

As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates.

The security protocol, an upgrade from WPA, is used to protect and secure communications between everything from our routers, mobile devices, and Internet of Things (IoT) devices, but there is an issue in the system's four-way handshake which permits devices with a pre-shared password to join a network.

According to security researcher Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks (MiTM) and eavesdrop on communication sent from a WPA2-enabled device.

US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the exploit from being utilized in the wild -- of which there are no current reports of this bug being harnessed by cyberattackers.

The bug is present in WPA2's cryptographic nonce and can be utilized to dupe a connected party into reinstalling a key which is already in use. While the nonce is meant to prevent replay attacks, in this case, attackers are then given the opportunity to replay, decrypt, or forge packets.

In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android version 6.0 Marshmallow and above.

The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched IoT devices being exposed for use by botnets.

The vulnerability does not mean the world of WPA2 has come crumbling down, but it is up to vendors to mitigate the issues this may cause.

In total, 10 CVE numbers have been preserved to describe the vulnerability and its impact, and according to the US Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.

So who is on top of the game?

Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.

Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.

"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available."

In other words, some patches are available, but others are pending the investigation.

Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.

Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.

FreeBSD Project: There is no official response at the time of writing.

Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.

Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.

The WiFi Standard: A fix is available for vendors but not directly for end users.

Mikrotik: The vendor has already released patches which fix the vulnerablities.

Google: Google told The Verge that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."

AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."

OpenBSD: Patches are now available.

Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.

Netgear: Netgear has released fixes for some router hardware. The full list can be found here.

Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.

Check back as we update this story.

via zdnet

Read more »

Shadow Brokers Release Windows Malware that can Steal Keystrokes and Record Audio to its Paid Subscriber

Paid subscribers of Shadow Brokers’ monthly subscription can now gain complete access to your PC/laptop and steal your passwords and chats



The hacking group named SHADOW BROKERS, which was responsible for the NSA leaks earlier. is back with another NSA hacker kit. This time however, the leak is only available for the users with its “monthly subscription”.

In their latest release, SHADOW BROKERS have released a malware dubbed UNITEDRAKE. It is a remote access and control tool with “plug-ins” that can target WINDOWS based systems enabling the hacker with full control over their victim's system.

UNITEDRAKE is compatible with systems running on Microsoft Windows XP, Vista, 7, 8 up to Windows Server 2012. It first came to light in 2014 as a part of NSA's classified documents leaked by its former contractor Edward Snowden.

The Snowden documents suggested the agency used the tool alongside other pieces of malware, including GUMFISH, FOGGYBOTTOM, GROK, and SALVAGERABBIT

The malware's modules including FOGGYBOTTOM and GROK can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, impersonating users, stealing diagnostics information and self-destructing once tasks are completed.

These tools were allegedly developed and used by the US National Security Agency (NSA) to perform mass surveillance and bulk hacking worldwide.

Ankush Johar, director at HumanFirewall.io, said: "Remote Administration and surveillance tools are not a new thing in the global cyberspace. These have existed since the beginning of the internet. Although, criminal grade pro malware like these are extremely dangerous as, even the inexperienced chaps now can use them to carry out nation-wide cyber crimes.

"It’s not too difficult to avoid the basic malware. Being aware and staying cautious is the key to your security. Consumers are suggested to make sure that the following points are always kept in mind before hovering around the tech."

* Keep a genuine anti-virus installed and updated.
* Do not click on click on unknown links. Verify the links completely before opening them.
* Never download attachments from untrusted sources.
* Never download pirated software/cracks as they contain malware or backdoors that can give complete access of your system to the hacker.
* Install all software and OS updates available on your device whenever prompted to do so.
* Avoid plugging in unknown USB devices, whether at home or office.

via BusinessWorld

Read more »

Millions of Android phones could be tracked with ultrasonic spying tool

Researchers discovered 234 Android apps that could be spying on users CREDIT: GOOGLE

Hundreds of Android apps could be covertly tracking users via inaudible sounds emitted by nearby devices, researchers have found. 

Researchers discovered technology that lets devices talk to one another for tracking purposes using ultrasonic tones on 234 Android apps. 

Televisions, billboards, websites and shops can emit the high frequency sounds, which can't be heard by humans but are picked up by the apps. This signals whether a person has engaged with an advert by watching it, or visited a shop, and how long for. 

Apps featuring the technology include those from McDonald's and Krispy Kreme. Major companies could be using it to track customers' location and habits, both on and off their mobile devices, without them knowing, the researchers warned.

"An adversary can monitor a user's local TV viewing habits, track their visited locations and deduce their other devices," said the researchers. "They can gain a detailed, comprehensive user profile with a regular mobile application and the device's microphone." 

The tracking method has spiked in popularity recently, according to the researchers. Two years ago just five apps in the Google Play store used the technology. Now, it is allegedly present in 234. 

As well as tracking customers' habits, the beacon technology can also be used to send them targeted adverts. Given that the tool can connect location and habits with the device, it could also be used to identify anonymous users, such as those of Bitcoin and Tor. 

The researchers from the Braunschweig University of Technology warned that millions of users could be under surveillance without knowing after they found that a sample of five of the 234 apps had been downloaded up to 11 million times. 

The majority of the apps don't alert users that they are tracking them. All they require to be able to follow users is permission to access the device's microphone. 

"The user just needs to install a regular mobile application that is listening to ultrasonic signals through the microphone in the background," said the researchers. "Once the user has installed these applications on their phone, they neither know when the microphone is activated nor are they able to see what information is sent to company servers."

Silverpush, the company that created the listening tool, denied that its technology was still being used. It stopped supporting the software in 2015 following a privacy outcry. 

"We respect customer privacy and would not want to build our business foundation where privacy was questionable," Hitesh Chawla, founder of Silverpush, told Ars Technica. "Even when we were live, our software was not present in more than 10 to 12 apps. So there is no chance that our presence in 234 apps is possible.

"Every time a new handset gets activated with our software, we get a ping on our server. We have not received any activation for six months now." 

Google said its privacy policy requires apps to disclose how they collect, use and share customer data. 

McDonald's said it did not use the technology in the UK for marketing purposes. Krispy Kreme has been contacted for comment. 

via telegraph.co.uk

Read more »

Check if you were hit by the massive 'Avalanche' cybercrime ring

SAN FRANCISCO — The U.S. government has posted links for free scanning programs so companies and individuals can check their computers to make sure they weren't victims of a massive, international cyber criminal operation that was taken down Thursday after a four-year investigation.

“This is probably the biggest operation that law enforcement has ever done against cyber crime,” said Catalin Cosoi, chief security strategist with BitDefender, one of the dozens of companies worldwide that worked with law enforcement to attack the group.

The U.S. Computer Emergency Readiness Team (US_CERT) has posted links to five scanners on its site. Europol has also posted a list of sites in multiple languages for potentially infected users. The malware only affects systems running the Microsoft Windows operating system, according to US-CERT.

The Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which includes US-CERT, will be providing victim notification to stakeholders, including Internet Service Providers, DHS said in a statement.

Known as "Avalanche," the group had been active since 2009, according to the FBI and Europol, the European law enforcement agency. It was effectively a criminal company that sold and rented cloud-hosted software to other criminals who used it to take over systems, infect networks, launch ransomware or create enormous robot networks (botnets) to send spam.

Avalanche networks were also used to launch targeted attacks against banks and to recruit people to illegally transfer stolen money between countries, known as money mules.

"They sent more than one million e-mails with damaging attachments or links every week to unsuspecting victims," and involved as many as 500,000 infected computers worldwide on a daily basis, Europol said in a release.

“They would do whatever you wanted. You just had to call them, say ‘I need command and control service,’ or ‘I need to infect this type of people or this type of business,’ and they’d do it,” said Cosoi.

The investigation originally began in Germany in 2012 after prosecutors there detected a ransomware operation that blocked access to a substantial number of computer systems and allowed the criminals to do bank transfers from the victims' accounts.

As authorities became aware of the scope and reach of the criminal organization, the effort to shut it down ended up involving prosecutors and investigators in 30 countries.

Law enforcement takedown

On Wednesday, law enforcement launched a concerted action against the Avalanche group. It resulted in five arrests, the search of 37 premises and seizure of 39 servers. In addition, over 800,000 Internet domains, or addresses, were seized to block the criminals access to their customers.

Now that the operation has been taken down, the next crucial stage is for infected individuals and companies to check to make sure that their computers do not have Avalanche malware on them.

“Companies and consumers should take this opportunity to scan their systems for the different families of malware that the Avalanche botnet distributed,” said ESET senior security researcher, Stephen Cobb.

Multiple companies worldwide have written tools to run this scan.

As Europol said on its website, "computer users should note that this law enforcement action will NOT clean malware off any infected computers — it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers. Avalanche victims’ computers will still be infected, but shielded from criminal control."

While the effort was hailed in the cyber security world as a major coup against cyber crime, the differential between how fast international cybercrime networks proliferate and how quickly international law enforcement can act is troubling.

“It does give some reason for concern that our anti-cybercrime efforts still can't match the speed and dexterity that cyber criminals use for their own efforts," said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company.

Unfortunately, while he believes that dismantling the Avalanche network will certainly show some short-term gains, he expects the cyber criminals will be "back up and running in short order.”

Read more »

GM Bot (Android Malware) Source Code Leaked Online

The source code of a recently discovered Android banking Trojan that has the capability to gain administrator access on your smartphone and completely erase your phone's storage has been LEAKED online.

The banking Trojan family is known by several names; Security researchers from FireEye dubbed it SlemBunk, Symantec dubbed it Bankosy, and last week when Heimdal Security uncovered it, they dubbed it MazarBot.

All the above wave of Android banking Trojans originated from a common threat family, dubbed GM Bot, which IBM has been tracking since 2014.

GM Bot emerged on the Russian cybercrime underground forums, sold for $500 / €450, but it appears someone who bought the code leaked it on a forum in December 2015, the IBM X-Force team reported.

What is GM Bot and Why Should You Worry about it?

The recent version of GM Bot (dubbed MazarBOT) has the capability to display phishing pages on the top of mobile banking applications in an effort to trick Android users into handing over their financial credentials to the fraudsters.

Besides this, the banking trojan is also capable of forwarding phone calls and intercepting SMS messages to help fraudsters bypass an additional layer of bank security mechanisms, and locking a device’s screen.

Cyber criminals could also use the malware to:

• Spy on victims
• Delete data from the infected device
• Gain boot persistence to help survive device restart
• Send and Read your SMS message
• Make Calls to your contacts
• Read the phone's state
• Plague phone's control keys
• Infect your Chrome browser
• Change phone settings
• Force the phone into sleep mode
• Query the network status
• Access the Internet
• Wipe your device's storage (the most critical capabilities of the malware)

However, someone leaked the malware source code only to boost his/her reputation on an underground forum, according to the researchers.

GM Bot Android Malware Source Code for FREE

Yes, the source code for GM Bot and its control panel is now accessible to cybercriminals and fraudsters for FREE.

Here’s the Cherry on the Top:

Besides the source code, the leader also posted a tutorial and instructions for server-side installation, which means cybercriminals can create their own versions of the malware strain to conduct online banking frauds.

Though the archive file containing the source code and its control panel is password protected, the leader is offering the password only to active forum members who is approaching him.

"Those who received the password, in turn, passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list," IBM cyber security evangelist Limor Kessem wrote in a blog post.

Online users had started sharing the password to the archive among their friends, and in no time, the GM Bot source code was all over the hacking underground forums.

GM Bot is one of the most dangerous banking trojan in the Android ecosystem and after its source code gets leaked, users are recommended to beware while banking online.

How to Protect Yourself?

As I previously mentioned, online users are advised to follow these steps in order to protect themselves against this kind of threat:

• Never open attachments from unknown sources.
• Never click on links in SMS or MMS messages sent to your phone.
• Even if the email looks legit, go directly to the source website and verify any possible updates.
• Go to Settings → Security → Turn OFF "Allow installation of apps from sources other than the Play Store" option.
• Always keep an up-to-date Anti-virus app on your Android devices.
• Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.

via hackernews

Read more »

Facts About Remote Access Trojans (RATs) vs AlienSpy

AlienSpy is the latest in a family of RATs which target both consumers and enterprises in a bid to steal valuable data and compromise systems.

Remote Access Trojans (RATs) never fully vanish; instead, they are often recycled and redeveloped in the changing cybersecurity landscape. These kinds of Trojans, often deployed through phishing campaigns which use spoof emails and malicious files to deliver malware payloads, can be tailored to target particular industries -- such as banking or manufacturing -- or be used indiscriminately against both consumers and businesses.

In a security advisory (.PDF) posted Thursday, security firm Fidelis said the newly-discovered AlienSpy Trojan is currently being used in international phishing campaigns against both consumers and the enterprise, although generally has been detected in campaigns based in the technology, finance, government and energy sectors.

Joining the likes of njRAT, njWorm and Houdini, the RAT's development focuses on delivery rather than core functions. However, AlienSpy does differ from its predecessors. While also similar to Frutas, Adwind and Unrecom, the security firm believes the new RAT has benefited from "unified," collaborative development. As a result, the Trojan is more sophisticated and has expanded functionality.

AlienSpy currently supports infections on Windows, Linux, Mac OSX and the Android mobile operating system. However, the Trojan also demonstrates new evasion techniques not present in past RATs.

Once deployed, the Java-based Trojan grants an attacker access and control over a compromised system. The malware is able to collect system information including OS version, RAM data and computer name, upload and deploy additional malware packages, capture webcam and microphone streams without consent, and remotely watch device activity. In addition, the Trojan includes a keylogger.

AlienSpy's additional features include a sandbox detection tool, the detection and disabling of antivirus software, and the use of Transport Layer Security (TLS) cryptographic protocols to secure its connection to the command and control (C&C) server.

"Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise. To prevent various security tools from running, this version of AlienSpy performs various registry key changes," the advisory notes. "Infected systems could end up with botnet malware downloaded through AlienSpy RAT (e.g. Citadel) as it was observed by our security researchers during one of the infections."

In the same manner as its predecessors, AlienSpy is available through various subscription models and receives continual updates from its developers. According to Fidelis, AlienSpy can be purchased for between $19.90 and $219.99.

"Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT," Fidelis says.

The security firm has also published a Yara rule to help developers identify and classify the AlienSpy malware strain.

via ZDNet

Read more »

TOP 20 MALICIOUS IP - Weekly Threat Report – December 16, 2014

104.194.4.89
103.41.124.31
198.13.96.59
203.196.162.162
121.127.248.230
222.186.51.140
213.149.0.230
93.89.237.114
38.72.115.193
222.186.51.140
103.41.124.42
61.160.224.128
83.3.193.238
94.214.238.208
47.16.90.49
221.226.35.154
212.7.192.138
62.210.178.42
98.109.76.36
93.174.95.41

Read more »