PwC weekly security report edition 71


PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Contents

- Malware: Dok Malware takes complete control of your Mac
- Malware: IBM ships Trojanized USBs to storage customers
- Threats and vulnerabilities: Microsoft patches Shadow Brokers exploits, updates privacy controls
- Top story: Known SS7 network flaw used to drain customer bank accounts

Microsoft patches Shadow Brokers exploits, updates privacy controls

Threats and vulnerabilities

The hacking group Shadow Brokers last week revealed a large number of Windows vulnerabilities it claims to have stolen from the National Security Agency (NSA), but Microsoft said Friday that it has already patched most of them. The company has also rolled out new privacy settings through its recent Creators Update.

Nine exploits released by the Shadow Brokers have already been patched, while three others only affected users running older, unsupported versions of the Windows operating system, said principal security group manager Phillip Misner on Microsoft's TechNet IT portal. Misner said anyone with those older versions should upgrade their systems to avoid the vulnerabilities.

Since emerging last summer, the Shadow Brokers organization has published five leaks of zero-days and other vulnerabilities it claims to have taken from the NSA. The exploits the group revealed Friday included Windows vulnerabilities as well as hacking tools apparently used by the NSA to monitor messages about financial transactions through the SWIFT telecommunications network for banking.

Described as the "Lost in Translation" leak, the Shadow Brokers' latest release has been called the group's most damaging dump to date by some news sources. The leak reportedly included "mentions of previously disclosed NSA top secret programs and software," according to Motherboard. The leak also included a tool that appeared to be linked to the Stuxnet computer worm that caused extensive damage to Iran's nuclear facilities in 2010.

The SWIFT-focused hacking tools included in last week's leak indicate "the U.S. National Security Agency had accessed the SWIFT interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks," Reuters reported on Friday.

Misner noted on the TechNet site that Microsoft has already patched many of the Windows exploits revealed in the leak.

"Of the three remaining exploits, 'EnglishmanDentist', 'EsteemAudit', and 'ExplodingCan', none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Misner said. "Customers still running prior versions of these products are encouraged to upgrade to a supported offering."

Last Tuesday, Microsoft also began rolling out its latest big update for Windows 10. Dubbed the "Creators Update," the OS refresh introduced several new security and privacy controls.

A new privacy dashboard, for example, "lets you see and manage your activity data across multiple Microsoft services," Yusuf Mehdi, Windows and Devices Group vice president, wrote in a blog post on March 29. Activity covered in the dashboard includes search history, location data and browsing history for the Edge browser. Users also can specify what diagnostic and usage data is sent to Microsoft.

The Creators Update also added a new Windows Defender Security Center that gives enterprise users a centralized dashboard for controlling security preferences, as well as a Device Health Advisor.

The Creators Update accompanies a change in which Windows 10 Mobile devices Microsoft will continue to support, Windows and Devices Group software engineer Dona Sarkar noted in a blog post on Friday. They include the HP Elite x3 and the Microsoft Lumia 550, 640, 640XL, 650, 950, and 950XL, along with some other Alcatel, SoftBank, Vaio, MouseComputer, and Trinity devices.

"Devices not on this list will not officially receive the Windows 10 Creators Update nor will they receive any future builds from our development branch that we release as part of the Windows Insider Program," Sarkar said. "However, Windows Insiders who have devices not on this list can still keep these devices on the Windows 10 Creators Update at their own risk knowing that it's unsupported."

Source: http://www.data-storage-today.com/article/index.php?story_id=13200CV179M0


IBM ships Trojanized USBs to storage customers

Malware

Source: https://www.infosecurity-magazine.com/news/ibm-ships-trojanized-usbs-storage/

IBM has inadvertently shipped off untold numbers of malware-laden USB flash drives to unwitting customers.

Big Blue sent the USBs to act as initializers for its Storwize disk racks. Now, it's telling users to "securely destroy the USB flash drive so that it cannot be reused," or wipe it, and to instead download the files needed.

The USBs have the part number 01AC585, and IBM has listed the various models with which it could have shipped. It also said that the laptop or desktop used to configure the storage arrays are the targets, rather than the storage servers themselves.

According to Kaspersky, the malware is a trojan dropper that can be used to fetch an array of secondary malware, including ransomware and espionage worms. In the past, more than a third of its infections have been concentrated in Russia.

IBM’s unintentional role as a distribution partner could widen its reach considerably.

“The malicious program copies its executable file to a temporary folder on the user’s computer and modifies the operating system registry, enabling the malware to run automatically after the user logs in to the system,” Kaspersky said. “The malware decrypts itself, performs extraction from its resources section and launches other malicious programs.”

Affected users should ensure their antivirus products are updated and configured to scan temporary directories, and address any issues identified. To manually remove the malicious file, users can delete the temporary directory named %TMP%\initTool on Windows and /tmp/initTool on Linux and Mac.

Our perspective

Malicious files distributed on USB flash drives are being used in the initialisation tool for IBM Storwize V3500, V3700 and V5000 Gen 1 systems. The temporary directory holds the malicious file, which does not execute itself during initialisation, thus allowing it to infect systems later. Administrators are advised to manually clean the temporary directory on any system into which the USB flash drive shipped with the IBM products listed above has been inserted. It is also important to note that neither IBM Storwize storage systems nor the data stored on these systems is infected by this malicious code.

The infected flash drives can be repaired by deleting the InitTool folder on the USB and downloading a new initialisation tool package from IBM's Fix Central. The USB device should then be scanned using antivirus software to ensure it is Trojan free.
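As an added, cross-platform check that is not part of the PwC report or IBM's own tooling: it looks for the initTool temp directory the advisory names (%TMP%\initTool on Windows, /tmp/initTool on Linux and Mac), inventories its contents for the incident record, and moves the directory into a quarantine folder for analysis rather than deleting it outright. The quarantine location, the Windows fallback temp path and the sample data are assumptions.

```python
import os
import platform
import shutil
import tempfile
from pathlib import Path


def inittool_candidates(system=None, tmp_env=None):
    """Temp-directory paths named in the IBM advisory. `system` and `tmp_env`
    default to the running host and %TMP%; both can be overridden for testing."""
    system = system or platform.system()
    if system == "Windows":
        # C:\Windows\Temp is an assumed fallback if %TMP% is unset.
        tmp = tmp_env if tmp_env is not None else os.environ.get("TMP", r"C:\Windows\Temp")
        return [Path(tmp) / "initTool"]
    return [Path("/tmp/initTool")]


def find_inittool(paths):
    """Return {directory: [relative file paths]} for each candidate that exists,
    so the inventory is recorded before anything is touched."""
    found = {}
    for p in map(Path, paths):
        if p.is_dir():
            found[str(p)] = sorted(str(f.relative_to(p)) for f in p.rglob("*") if f.is_file())
    return found


def quarantine_inittool(path, quarantine_root):
    """Move the directory under quarantine_root (assumed location) instead of deleting it,
    so AV or IR staff can examine the dropper; returns the new location."""
    src, dest_root = Path(path), Path(quarantine_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    dest = dest_root / f"{src.name}-{os.getpid()}"
    shutil.move(str(src), str(dest))
    return dest


def make_constructed_sample():
    """Constructed demo data only: a throwaway temp root holding an initTool folder
    with one harmless placeholder file. Returns the root path as a string."""
    root = tempfile.mkdtemp(prefix="storwize-demo-")
    sample = Path(root) / "initTool"
    sample.mkdir()
    (sample / "sample.bin").write_bytes(b"constructed placeholder, not malware")
    return root


if __name__ == "__main__":
    hits = find_inittool(inittool_candidates())
    print(hits or "no initTool directory found in the advisory's temp locations")
    for d in hits:
        print(f"{d} -> {quarantine_inittool(d, Path.home() / 'initTool-quarantine')}")
```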


Malware

Dok Malware takes complete control of your Mac


The days of malware being just a problem for Windows users are long gone, with malicious software now appearing for all major operating systems. The latest, and most dangerous to hit the Mac yet, is called OSX/Dok. It targets any and all versions of Mac OS X and will take complete control of your Mac if you let it.

First the good news: in order for Dok to infect a Mac the user needs to open a .zip archive attached to an email. Most people's suspicions will be raised as soon as they see the Dokument.zip archive attached to an email they don't recognize. Those that don't are in for some pain.

According to Check Point, Dok is not currently detected on VirusTotal, meaning it won't get picked up by any security software run on your system (this will likely change quickly). Dok also uses a developer certificate that is signed and therefore authenticated by Apple, meaning your Mac will allow it to install and Gatekeeper is of no help.

Once successfully installed on your system, Dok enjoys complete access to all communications, even those sent over encrypted SSL. Such access is achieved by quietly redirecting the user's traffic through a malicious proxy server. All traffic can be monitored and the attacker can cherry-pick through the details. Once done, the malware deletes itself from the system.

If you do somehow get infected or are asked to help get rid of the malware on a friend's Mac, iMore posted detailed instructions on how to remove Dok.

If you're unsure whether it is Dok, scroll through Check Point's detailed Dok article and you'll soon recognize if the malware is the same from the screenshots.

The same advice applies as always: if you have any suspicion at all about an email in your inbox, do not under any circumstances attempt to open the included attachment. 99 percent of the time it's going to be malicious and you'll regret taking the risk. Running a good security suite is also advised.


Source:

http://in.pcmag.com/news/114255/dok-malware-takes-complete-control-of-your-mac


Known SS7 network flaw used to drain customer bank accounts

Top story

Source: https://www.pcauthority.com.au/News/460821,known-ss7-network-flaw-used-to-drain-customer-bank-accounts.aspx

Despite years of warnings that the SS7 networking protocol contained significant vulnerabilities, it now appears to have been exploited by hackers to drain customer bank accounts, according to reports.

Signaling System No. 7 (SS7), as the protocol is known, is used by more than 800 telecommunications companies around the world, allowing customers in one country to send text messages to users in different countries. The protocol also helps with interoperability between networks, and also allows for phone calls to go uninterrupted while in low signal areas.

However, it has been discovered that the same protocol, which was created in the 1970s, can be used to track users and eavesdrop on their conversations. These vulnerabilities were publicised as early as 2008, yet most recently, security researchers in 2016 were able to demonstrate the ease with which they could track the movements of US Representative Ted Lieu using his phone number and the SS7 network.

It has now emerged that unidentified hackers used the same vulnerabilities in the SS7 protocol to bypass two-factor authentication services of banks in Germany, according to the Süddeutsche Zeitung newspaper. This same protocol is used in Australia.

The hackers were able to use SS7 to divert the text messages that the banks send to customers as one-time password checks, sending them instead to phones controlled by the attackers. The codes were then used to authorise the transfer of funds out of customer accounts, according to the report.

To locate the targets, the hackers used a malware campaign to identify bank account numbers, login details, passwords and balance amounts. They were then able to purchase access to an as yet unidentified foreign telecommunications provider to gain backdoor access to the customers' phones.

Speaking to the Süddeutsche Zeitung, Germany's O2 Telefonica said: "Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January. The attack redirected incoming SMS messages for selected German customers to the attackers."

This news shouldn't come as a surprise to those advocating against the use of the SS7 protocol. In August last year, Representative Lieu requested the FCC to investigate the reported vulnerabilities of SS7, and impose changes to prevent these kinds of attacks. However, this could take years to address given the size of its reach and the number of companies using it.

Immediately following the news of the hack, Lieu issued a statement which read: "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number."

The silver lining is that since this is the first reported public attack using the SS7 protocol, it may spur other regulators to help fix the vulnerabilities.


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,23,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan
[email protected]

Amol Bhat
[email protected]

This report presents the highlights of security news and events from around the world that have been published on external websites.

This publication has been prepared for a general guidance on matters of interest only, and does not constitute professional advice.

You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC, its partners, employees and agents do not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it. PwC is however available for follow-up on any queries you may have regarding information and IT security. The views, opinions and interpretations shared in the newsletter are strictly those of the individuals collating this newsletter and are not necessarily a representation of the firm's views. All images, information and references in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws of the respective publisher. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt or create derivative works.

© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MJ/May2017-9597
