PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Contents

Malware
Palo Alto Networks discovers macOS Trojan ‘XAgentOSX’

Threats and vulnerabilities
Bug allowed theft of over $400,000 in Zcoins
A chip flaw strips away hacking protections for millions of devices
Hackers can steal millions of cars after discovering huge flaw in manufacturer’s connected car apps

Palo Alto Networks discovers macOS Trojan ‘XAgentOSX’

Malware

Palo Alto Networks discovered a backdoor trojan called XAgentOSX that can take screenshots from, examine files stored on, and log keystrokes sent to a macOS computer. XAgentOSX is said to be made by a group called Sofacy that uses the similarly named XAgent to steal information from Windows PCs.

XAgentOSX appears to be related to Komplex, another trojan that targeted computers running the operating system formerly known as OS X, the company said. Komplex was likely used by the malware's creators to install XAgentOSX, which has broader capabilities. Palo Alto Networks said it found "a loose connection to the attack campaign that Sofacy waged on the Democratic National Committee based on hosting data in both attacks."

So what information can XAgentOSX gather? Palo Alto Networks said that in addition to keylogging, the trojan can also take screenshots or figure out whether a Mac has been used to back up an iOS device. The company said in a blog post that digging around for backups is particularly noteworthy:

The ‘showBackupIosFolder’ command is rather interesting, as it allows the threat actors to determine if a compromised system was used to back up an iOS device, such as an iPhone or iPad.

We believe this command is used to determine if a mobile device was backed up, and we speculate that the actors would use other commands within XAgent to exfiltrate those files.
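To see what the ‘showBackupIosFolder’ lookup finds on a Mac, here is an added example (not Palo Alto Networks’ code and not the malware’s) that inventories the iOS backups Finder/iTunes keep under ~/Library/Application Support/MobileSync/Backup and flags the ones that are not encrypted, i.e. the ones an intruder with file access could read outright. The backup location and the Manifest.plist ‘IsEncrypted’ and Info.plist ‘Device Name’/‘Product Type’ keys are assumptions of this example, not details from the report; the layout built by demo() is constructed for testing.

```python
"""Inventory iOS backups on a Mac and flag the unencrypted ones.

Added example (not Palo Alto Networks' code and not the malware's): it
performs the lookup the report attributes to 'showBackupIosFolder' from the
defender's side. Assumptions, not from the report: backups live under
~/Library/Application Support/MobileSync/Backup/<UDID>/, Manifest.plist has
a boolean 'IsEncrypted', Info.plist has 'Device Name' and 'Product Type'.
"""
import os
import plistlib
import tempfile

DEFAULT_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")


def _load_plist(path):
    """Read a binary or XML plist; return {} if the file is absent."""
    if not os.path.isfile(path):
        return {}
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def inspect_backup(backup_dir):
    """Summarise one backup directory, or return None if it holds no Manifest.plist."""
    manifest = _load_plist(os.path.join(backup_dir, "Manifest.plist"))
    if not manifest:
        return None
    info = _load_plist(os.path.join(backup_dir, "Info.plist"))
    return {
        "path": backup_dir,
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "device": info.get("Device Name", "unknown"),
        "product": info.get("Product Type", "unknown"),
    }


def find_ios_backups(root=DEFAULT_ROOT):
    """All backups under root, in directory order; [] if root does not exist."""
    if not os.path.isdir(root):
        return []
    found = []
    for name in sorted(os.listdir(root)):
        summary = inspect_backup(os.path.join(root, name))
        if summary is not None:
            found.append(summary)
    return found


def unencrypted_backups(root=DEFAULT_ROOT):
    """The backups an intruder with file access could read without a password."""
    return [b for b in find_ios_backups(root) if not b["encrypted"]]


def build_sample_root(root, specs):
    """Write a constructed backup layout for testing: specs = [(udid, device, encrypted)]."""
    for udid, device, encrypted in specs:
        d = os.path.join(root, udid)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
        with open(os.path.join(d, "Info.plist"), "wb") as fh:
            plistlib.dump({"Device Name": device, "Product Type": "iPhone9,3"}, fh)
    return root


def demo():
    """Run the check against a constructed layout in a temp dir; returns the exposed ones."""
    root = build_sample_root(tempfile.mkdtemp(), [
        ("00008030-000A1B2C3D4E5F60", "Alice's iPhone", True),   # constructed UDIDs
        ("00008030-000F0E0D0C0B0A09", "CFO iPad", False),
    ])
    return unencrypted_backups(root)


if __name__ == "__main__":
    for b in find_ios_backups():
        state = "encrypted" if b["encrypted"] else "UNENCRYPTED - readable by any local process"
        print(f"{b['device']} ({b['product']}): {state}\n  {b['path']}")
    print("sample run, exposed backups:", [b["device"] for b in demo()])
```

Run it as a script on the Mac being examined. An unencrypted entry means the phone’s app data and messages are sitting in readable files, which is exactly what a backdoor with a file-exfiltration command goes looking for; turning on encrypted local backups in Finder or iTunes closes that gap without touching the Mac itself.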

Palo Alto Networks' report follows reports that malicious software has become more common on Macs. Apple's computers used to have a reputation of being virus-free, at least among general consumers, but the reality was that hackers were better served by targeting more popular Windows devices. Now it seems that some attackers no longer want to participate in the platform wars--they're going to target people who use either operating system.

Sophos said as much in the 2017 malware forecast released during the RSA Conference:

Though Mac malware is comparatively rare, Macs aren’t magically immune to cybercriminality. Even though Mac users aren’t losing huge amounts of money to ransomware like their Windows counterparts, Mac malware is often technically sneaky and geared towards exfiltrating data or providing covert remote access to thieves -- something that could easily get companies in just as much trouble with regulators as with their customers. The bad guys gained plenty of traction with these attacks, and we expect more of it in 2017.

XAgentOSX certainly appears to be "more of it."

Palo Alto Networks said its products have been updated to protect their users from the trojan. For everyone else, this is another reminder that the days of macOS being too high-effort/low-reward for hackers are over.

Source: http://www.tomshardware.co.uk/palo-alto-networks-macos-trojan,news-54868.html

Bug allowed theft of over $400,000 in Zcoins

Threats and vulnerabilities

An implementation bug has allowed someone to make a profit of more than $400,000 after creating roughly 370,000 units of the Zcoin cryptocurrency, users were told on Friday.

Zcoin (XZC), worth approximately $2 per unit, is an implementation of the Zerocoin protocol, which aims to provide fully anonymous currency transactions. Zerocoin has also been used to create a new protocol called Zerocash and the ZCash digital currency.

A typo in the code allowed an attacker to fraudulently obtain Zcoins. They managed to create roughly 370,000 coins and sold the majority for a profit of approximately 410 bitcoins ($435,000).

Zcoin representatives pointed out that the exploit was possible due to a bug in the code and not a cryptographic weakness, and that the anonymity provided by Zerocoin has not been compromised.

Zcoin said the damage was “mostly absorbed by the markets.”

“From what we can see, the attacker (or attackers) is very sophisticated and from our investigations, he (or she) did many things to camouflage his tracks through the generation of lots of exchange accounts and carefully spread out deposits and withdrawals over several weeks,” said Zcoin’s Reuben Yap.

Ian Miers, one of the founders of ZCash, has provided a likely explanation for what went wrong.

Miers believes it was probably a bug that resulted from copying and pasting code.

The bug was addressed over the weekend and pools and exchanges have been instructed to update their code. Zcoin said no coins will be forfeited or blacklisted, despite the severity of the hack.
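The report gives no detail beyond “a typo” in copied-and-pasted code, so the following is an added illustration of the class of mistake rather than Zcoin’s code or the actual bug: a toy Zerocoin-style spend verifier whose double-spend check was pasted from the membership check and still consults the wrong set, beside the corrected version. The hash-preimage “proof” stands in for the real zero-knowledge proof and the ledger, serials and randomness are constructed; none of it is from the Zcoin code base.

```python
"""Toy Zerocoin-style spend verifier: a copy-paste bug beside its fix.

Added illustration, not Zcoin's code and not the actual Zcoin bug (the report
says only that a typo in copied-and-pasted code let an attacker create coins).
The membership 'proof' is a plain hash-preimage check standing in for the real
zero-knowledge proof; the point is the bookkeeping around it.
"""
import hashlib
import os


def commit(serial, randomness):
    """Coin commitment: in Zerocoin a Pedersen commitment, here a hash."""
    return hashlib.sha256(serial + randomness).hexdigest()


class Ledger:
    def __init__(self):
        self.minted = set()         # commitments of every coin ever minted (the accumulator)
        self.spent_serials = set()  # serial numbers already redeemed
        self.credited = 0           # base coins paid out to spenders

    def mint(self):
        """Mint one coin; the spender keeps (serial, randomness) as its secret."""
        serial, randomness = os.urandom(16), os.urandom(16)
        self.minted.add(commit(serial, randomness))
        return serial, randomness

    def _membership_ok(self, serial, randomness):
        return commit(serial, randomness) in self.minted

    def spend_buggy(self, serial, randomness):
        """Vulnerable: the double-spend test was pasted from the membership test
        and still looks in self.minted, where serials never appear, so the
        same coin can be redeemed any number of times."""
        if not self._membership_ok(serial, randomness):
            return False
        if serial in self.minted:            # BUG: wrong set, never true
            return False
        self.spent_serials.add(serial)
        self.credited += 1
        return True

    def spend_fixed(self, serial, randomness):
        """Correct: reject a serial that has already been redeemed."""
        if not self._membership_ok(serial, randomness):
            return False
        if serial in self.spent_serials:
            return False
        self.spent_serials.add(serial)
        self.credited += 1
        return True


def replay_attack(spend, attempts):
    """Mint one coin and replay the same spend proof `attempts` times.
    Returns how many coins the ledger credited: 1 if sound, `attempts` if not."""
    ledger = Ledger()
    serial, randomness = ledger.mint()
    for _ in range(attempts):
        spend(ledger, serial, randomness)
    return ledger.credited


def forged_spend_rejected(spend):
    """A serial that was never minted fails the membership check in both versions."""
    ledger = Ledger()
    ledger.mint()
    return not spend(ledger, os.urandom(16), os.urandom(16))


if __name__ == "__main__":
    print("buggy verifier credits", replay_attack(Ledger.spend_buggy, 5), "coins from one mint")
    print("fixed verifier credits", replay_attack(Ledger.spend_fixed, 5), "coin from one mint")
```

The point the Zcoin representatives made survives the toy: the cryptography (here, the membership check) is fine in both versions and a forged coin is still rejected; what lets the supply inflate is one wrong identifier in the bookkeeping around it, the kind of slip a copy-pasted line hides. A regression test that replays a valid spend and asserts the second attempt fails would have caught it.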

Incidents involving cryptocurrencies are not uncommon. In June 2016, the value of the Ethereum digital currency plummeted after someone exploited a vulnerability in the DAO.

Source: http://www.securityweek.com/bug-allowed-theft-over-400000-zcoins

A chip flaw strips away hacking protections for millions of devices

Threats and vulnerabilities

For the last decade or so, hackers have faced a daunting challenge when they try to break into a computer: even when they get malicious code running on a victim’s machine, they have to figure out where in the computer’s memory that code has ended up. That’s because a security protection used in Windows, Android, and every other modern operating system randomizes where programs run in a device’s memory. It turns the process of digital intrusion into something like an attempt to burglarize a house in total darkness.

But now a team of Dutch researchers has found a technique that undermines that so-called address space layout randomization, creating the You Are Here arrow that hackers need to orient themselves inside a stranger’s computer. That means any of the common memory corruption bugs found in software applications on a daily basis could lead to a much deeper takeover of a target PC or smartphone. And because the attack exploits not software but hardware, it leaves millions of devices at risk regardless of their operating system—and it can’t be fully fixed with any mere software update.

Back in the ASLR

“Bugs are everywhere, but ASLR is a mitigation that makes bugs hard to exploit,” says Ben Gras, a researcher at the Free University of Amsterdam who developed the attack along with his colleague Kaveh Razavi. “This technique makes bugs that weren’t exploitable exploitable again. In some sense, it takes us back to the ’90s in terms of security.”

Their attack is particularly serious because attackers can pull it off with JavaScript alone, meaning that simply visiting a malicious website can trigger it; the research team, known as VUSec, released a demonstration video showing it running in a Firefox browser. “Nobody has done this before from the context of a web page,” says Yossi Oren, a researcher at Ben Gurion University who specializes in microarchitecture security. “It’s a very insidious and clever example of this class of attack.”


It may also be as difficult to fix as it is easy to deploy. The VUSec technique exploits the deepest properties of the computer’s hardware, the microprocessors made by companies including Intel, AMD, Nvidia, and Samsung. Making ASLR fully effective again, the researchers say, could require not just a quick operating system or browser update but also redesigning and replacing those chips.

Cracking the safe

The attack exploits the way microprocessors and memory interact: Processors have a component called a memory management unit that maps where a computer stores programs in its memory. To keep track of those addresses, the MMU constantly checks a directory called a page table.

The key to the VUSec hack is that the page table itself lives in ordinary memory, but the entries the MMU has recently consulted are kept in the processor’s cache, a small chunk of memory that keeps frequently accessed information close to its computing cores. That makes the chip speedier and more efficient.

But a piece of malicious JavaScript code running on a website can write to that cache too. And, crucially, it can simultaneously watch how quickly the MMU is working. “By monitoring the MMU very closely, the JavaScript can find out about its own addresses, which it’s not supposed to do,” Gras says.

The VUSec researchers’ attack turns the MMU’s speed into a revealing clue. The attacking code overwrites the cache, one unit of memory at a time, until it sees the MMU slowing down. That’s a sign that whatever part of the cache got overwritten was a chunk of the page table the MMU was looking for—the MMU slows down because it has to go back to a copy of the page table in normal random-access memory instead of in the processor’s cache.


The MMU has to perform four separate page-table lookups, one per level, to translate the address of any given piece of code. So the attack overwrites the cache four times, ferreting out the four places in the cache that hold a piece of the page table for the code’s own address. Each time, the malicious program notes the moment of the MMU’s slowdown. Which cache line each of those four entries occupies is determined by bits of the code’s own virtual address, so together the four observations reveal where in memory the malicious code is running, the exact information that ASLR tries to hide from a hacker.

Think of the attack as an old-fashioned safecracker, listening with a stethoscope for telltale clicks while slowly turning a safe’s dial. “The cache is like the cogs in the safe that produce those little clicks that allow you to crack it,” Gras says.
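The four-lookups description above is the whole trick, and it is easier to see with the timing removed. The following added example (not VUSec’s code; written for this digest) simulates what the attack measures, namely which 64-byte cache line of each level’s page-table page holds the entry for the attacker’s own buffer, and shows how those four observations, plus a slide through neighbouring entries, yield the buffer’s virtual address. Layout constants are x86-64 four-level paging with 8-byte entries; the hidden address and buffer sizes are constructed, and the cache-timing side channel is replaced by an oracle. The slide is idealised: a real attacker can only probe inside memory it owns, which is why the example marks the top level’s low index bits unknown for a modest buffer.

```python
"""How the cache line holding a page-table entry leaks address bits.

Added example, not VUSec's code: it simulates the information the reported
attack measures (for each of the four paging levels, which 64-byte cache line
of that level's page-table page holds the entry for the attacker's own
buffer) and shows how that turns into the buffer's virtual address. The
timing side channel is replaced by an oracle; constants are x86-64 4-level
paging, 8-byte entries, 64-byte cache lines. Hidden address is constructed.
"""
LEVEL_SHIFTS = (39, 30, 21, 12)   # bit position of the PML4, PDPT, PD and PT index
INDEX_MASK = 0x1FF                # 9 index bits per level (512 entries per table page)
ENTRIES_PER_LINE = 64 // 8        # 8 page-table entries share one cache line


def pte_cache_lines(vaddr):
    """For each level, the cache line (0..63) within that level's page-table page
    that holds the entry for vaddr. Only the top 6 of each 9-bit index survive."""
    return tuple(((vaddr >> s) & INDEX_MASK) // ENTRIES_PER_LINE for s in LEVEL_SHIFTS)


def make_oracle(hidden_base):
    """Stand-in for the EVICT+TIME measurement: the attacker knows only the
    offset `delta` into its own buffer, never hidden_base."""
    return lambda delta: pte_cache_lines(hidden_base + delta)


def recover_vaddr(oracle, buffer_size):
    """Return (recovered_bits, unknown_mask) for bits 47..12 of the buffer base.
    Page-offset bits 11..0 are the attacker's own choice and are not modelled."""
    base_lines = oracle(0)
    recovered, unknown = 0, 0
    for level, s in enumerate(LEVEL_SHIFTS):
        line = base_lines[level]
        recovered |= (line * ENTRIES_PER_LINE) << s   # index bits 8..3 of this level
        step = 1 << s                                 # bytes covered by one entry here
        if step * (ENTRIES_PER_LINE - 1) > buffer_size:
            unknown |= (ENTRIES_PER_LINE - 1) << s    # cannot slide far enough to resolve
            continue
        # Slide forward one entry at a time until the entry crosses into the next
        # cache line; the number of same-line steps fixes the position inside it.
        steps = 0
        while oracle((steps + 1) * step)[level] == line:
            steps += 1
        recovered |= (ENTRIES_PER_LINE - 1 - steps) << s   # index bits 2..0
    return recovered, unknown


if __name__ == "__main__":
    hidden = 0x7F3A9C4D2000                      # constructed, page-aligned, user-space
    oracle = make_oracle(hidden)
    print("cache line per level:", pte_cache_lines(hidden))
    for size in (1 << 33, 1 << 47):
        got, unk = recover_vaddr(oracle, size)
        print(f"buffer {size:#x}: recovered {got:#x}, unknown bits {unk:#x}")
```

With an 8 GiB buffer the example resolves every bit of the bottom three levels and the top six bits of the PML4 index, leaving only three bits (eight candidates) of a 47-bit address; with an unrealistically large buffer it recovers the page number outright. That is why the companies’ point that “the attack alone” is not a compromise is accurate but thin: the remaining search space is small enough that an ordinary memory-corruption bug becomes usable again.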

A deep bug to fix

Gras says VUSec reached out to the Netherlands’ National Cybersecurity Center, which contacted all the affected chipmakers and software companies—including Intel, AMD, Samsung, Nvidia, Microsoft, Apple, Google, and Mozilla—more than three months ago, but the researchers are only now going public with their findings after giving the companies a standard window to address them. The researchers aren’t releasing any code to demonstrate the attack. But they warn that skilled hackers could reverse-engineer the technique from what they’ve revealed in a matter of weeks.

Meanwhile, Gras suggests some band-aids. You can enable plug-ins like NoScript for Firefox or ScriptSafe for Chrome to block JavaScript on web pages. And browser-makers could conceivably reduce the exactness of the timing measurements they allow scripts to make, preventing them from monitoring the MMU’s speed.

At least one company has already worked to mitigate the dangers; Apple published a software update designed to “harden” Safari but didn’t reveal exactly what that update does. An Apple spokesperson says the company also distributed a plan of action to other affected vendors—likely the companies that build the chips it uses.


A full fix will ultimately require replacing hardware, not software. Devices will need new chips with new architectures that separate the MMU and its page table from the processor’s cache. “Because it’s at such a fundamental layer, the layers of software above can make it harder to exploit, but they can’t make it go away,” Gras says.

Intel, Microsoft, and Mozilla, meanwhile, downplayed the issue. “We’ve determined it does not represent a security issue,” says a statement Microsoft PR emailed to WIRED. Intel writes that the research “doesn’t represent a significant change in the security of Intel Architecture–based systems.” Spokespeople from all three companies point out that the attack alone only represents a threat in combination with another memory corruption bug. Samsung, Nvidia, AMD, and Google didn’t respond to WIRED’s request for comment.

It’s little comfort, however, for Microsoft and Intel to point out that defeating ASLR alone doesn’t allow someone to hack an operating system, Oren says.

With ASLR broken, hackers will go back to hunting the kind of commonplace memory corruption bugs that ASLR rendered useless. Old bugs could learn new tricks.

The result, if tech firms don’t take the ASLR attack seriously, could soon be a bounty of new ways to hack millions of innocent users unlucky enough to click on the wrong web page. “Attackers are always getting smarter,” Oren says. “If computers are getting dumber, attackers will have the advantage.”

Source: https://www.wired.com/2017/02/flaw-millions-chips-strips-away-key-hacking-defense-software-cant-fully-fix

Hackers can steal millions of cars after discovering huge flaw in manufacturer’s connected car apps

Threats and vulnerabilities

Security researchers have discovered that it is easy for attackers to gain access to millions of cars, simply by hacking into car-controlling mobile apps and using them to unlock the vehicles.

Kaspersky Lab researchers Mikhail Kuzin and Victor Chebyshev analysed nine connected-car Android apps from top car manufacturers, designed to let drivers locate and unlock their cars from a smartphone.

Each app has been downloaded between 10,000 and one million times from the Google Play store.

The researchers discovered that all nine apps store the username and password unencrypted, together with the car's unique Vehicle Identification Number (VIN) and in some cases even its licence plate number, in plaintext .xml files on the device, which is a dangerous mistake.

The apps don't check whether the device is rooted (meaning that any app can obtain full privileges on the phone), some can easily be decompiled to read the app's code, and some actively save debugging data to the phone's SD card.

Forget hotwiring, now you can steal someone’s car through an app

Both the app and debugging code list the user's username and password as clear as day. This means that, if the device has been rooted by an attacker, or Android malware has been accidentally downloaded to the device, it would be easy for an attacker to steal these details, login to the app and unlock the user's car to steal it – in some cases even use the app to remotely start the car's engine.
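The findings above are the sort of thing a mobile pentest turns up in the first hour, and the check is easy to script. The following added example (not Kaspersky’s tooling) audits what `adb pull` of an app’s shared_prefs directory, or a decompiled APK’s AndroidManifest.xml, gives you: it flags preference keys that look like credentials or vehicle identifiers stored as readable strings, and manifest flags that make on-device inspection easy. Both sample files are constructed, and the key names are assumptions about what a car app might store, not values from any of the nine apps.

```python
"""Flag plaintext credentials in an Android app's shared_prefs and risky manifest flags.

Added example, not Kaspersky's tooling: the input is what you get from
`adb pull /data/data/<package>/shared_prefs/` on a rooted test phone, or from a
decompiled APK's AndroidManifest.xml. The two sample files below are constructed;
the key names are assumptions about what a car app might store.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Key names worth a look. Deliberately broad (it also catches "saving"); review hits by hand.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|token|secret|vin|plate|login|user(name)?", re.I)

# Constructed shared_prefs file, not pulled from any real app.
SAMPLE_PREFS = """<map>
    <string name="username">alice@example.com</string>
    <string name="password">hunter2</string>
    <string name="vin">SAMPLEVIN00000001</string>
    <string name="auth_token">QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVG</string>
    <boolean name="remember_me" value="true" />
    <string name="theme">dark</string>
</map>"""

# Constructed manifest fragment carrying both of the flags the audit looks for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carapp">
    <application android:debuggable="true" android:allowBackup="true" />
</manifest>"""


def _looks_protected(value):
    """Heuristic: a long base64/hex blob may be ciphertext or a hash; a short
    readable string certainly is not."""
    v = value.strip()
    return len(v) >= 40 and re.fullmatch(r"[A-Za-z0-9+/=]+", v) is not None


def audit_shared_prefs(xml_text):
    """Return [(key, value)] for entries that look like plaintext credentials or identifiers."""
    findings = []
    for elem in ET.fromstring(xml_text):
        key = elem.get("name", "")
        value = (elem.text or elem.get("value") or "").strip()   # <string> body or value= attr
        if value and SENSITIVE_KEY.search(key) and not _looks_protected(value):
            findings.append((key, value))
    return findings


def audit_manifest(xml_text):
    """Return manifest settings that make on-device inspection easy: a debuggable
    build, and allowBackup left enabled, which on older Android versions lets
    `adb backup` copy app data without root."""
    app = ET.fromstring(xml_text).find("application")
    issues = []
    if app is not None:
        if app.get(ANDROID_NS + "debuggable") == "true":
            issues.append("debuggable")
        if app.get(ANDROID_NS + "allowBackup", "true") == "true":
            issues.append("allowBackup")
    return issues


if __name__ == "__main__":
    for key, value in audit_shared_prefs(SAMPLE_PREFS):
        print(f"plaintext secret in shared_prefs: {key} = {value!r}")
    print("manifest issues:", audit_manifest(SAMPLE_MANIFEST))
```

The heuristic errs on the side of noise: a 56-character base64 token is passed over as possibly encrypted, while a readable e-mail address, password and VIN are reported. The remedy on the app side is to keep secrets out of SharedPreferences altogether (a Keystore-backed key for anything that must persist, a short-lived server token instead of the password) and to ship release builds with debuggable off and allowBackup set to false.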

Although storing login details in plaintext is clearly a rookie mistake, security researchers do point out that at least none of the car manufacturers have enabled users to unlock their automobiles using SMS text messages or voice control, and that all the apps have a white list of specified mobile numbers that are given permission to control the car.


However, even with a white list, it is possible for cybercriminals to either root the device or use a Trojan sneakily installed on the user's smartphone to gain access to login details. Once the attacker has this information, they can login on another device while standing next to the car, and at the same time, disable the speakers and screen on the victim's smartphone so that it doesn't notify the user that their car has been logged into by another device.

Since many of the apps even provide the ability to start the engines as well as opening the car doors, all the attacker would need to do is log into the app, disable the victim's phone and then jump into the car and drive off before the victim realises.

The automotive industry needs to wise up on cybersecurity fast

"The automotive industry is still relatively new to both application management and security issues, comparatively speaking, and is certainly working hard to address issues as they arise. While the banking industry may be better prepared to address security issues, the automotive industry continues to learn how to manage the many security challenges it faces as their connected vehicles continue to proliferate. It may take some time until the automotive industry reaches a level of security maturity that is as well developed as banks, but I have no doubt they will get there," Mike Ahmadi, Synopsys' global director of critical systems security told IBTimes UK.

Kaspersky is not naming any of the apps so as not to jeopardise the security of millions of cars. All the manufacturers have been informed of the flaws, and it is assumed that they will update their apps to remove them. Fortunately, Kaspersky says it has not yet witnessed a single attack on an app that controls cars.

"When thinking about the security of a connected car, its infrastructure safety (for control servers) and its interaction and infrastructure channels are not the only things worth considering. It's also worth it to pay attention to the client side, particularly to the app that is installed on user devices. It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors," Kuzin and Chebyshev said in the blog post.

"At this point, it should be noted that we have not witnessed a single attack on an app that controls cars, and none of the thousands of instances of our malware detection contain a code for downloading the configuration files of such apps.

"However, contemporary Trojans are quite flexible: if one of these Trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile Trojans."

Source: http://www.ibtimes.co.uk/hackers-can-steal-millions-cars-after-discovering-huge-flaw-manufacturers-connected-car-apps-1607200


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

In India, PwC has offices in these cities: Ahmedabad, Bangalore, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in. PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan
[email protected]

Amol Bhat
[email protected]

All images in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws and treaties. Any unauthorised use of these images may violate such laws and shall be punishable under appropriate laws. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt, create derivative works based on, rent, lease, loan, sell, assign, distribute, display, perform, license, sub- license or reverse engineer the images. In addition, you should desist from employing any data mining, robots or similar data and/or image gathering and extraction methods in connection with the presentation.

© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MB/February2017-8840
