
PwC Weekly

Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Cyberspies

Hong Kong government hacked by Chinese cyberspies, FireEye says

Zero day

MySQL zero-day exploit puts some servers at risk of hacking

Malware

Researchers identify cryptomining malware on Seagate NAS servers

Warning! This cross-platform malware can hack Windows, Linux and OS X computers

Top stories

Incident raises concerns on safety in usage of e-wallets

Scamsters jump the gun on Raghuram Rajan exit, use Urjit Patel's name in phishing attempt

Zero day

MySQL zero-day exploit puts some servers at risk of hacking

A publicly disclosed vulnerability in the MySQL database could allow attackers to completely compromise some servers.

The vulnerability affects "all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions," as well as the MySQL-derived databases MariaDB and Percona DB, according to Dawid Golunski, the researcher who found it.

The flaw, tracked as CVE-2016-6662, can be exploited to modify the MySQL configuration file (my.cnf) and cause an attacker-controlled library to be executed with root privileges if the MySQL process is started with the mysqld_safe wrapper script.

The exploit can be executed if the attacker has an authenticated connection to the MySQL service, which is common in shared hosting environments, or through an SQL injection flaw, a common type of vulnerability in websites.

Golunski reported the vulnerability to the developers of all three affected database servers, but only MariaDB and Percona DB have received patches so far. Oracle, which develops MySQL, was informed on July 29, according to the researcher, but has yet to fix the flaw.

Oracle releases security updates on a quarterly schedule and the next one is expected in October. However, since the MariaDB and Percona patches have been public since the end of August, the researcher decided to release details of the vulnerability on Monday so that MySQL administrators can take action to protect their servers.

Golunski's advisory contains a limited proof-of-concept exploit, but some parts have been intentionally left out to prevent widespread abuse.

The researcher also reported a second vulnerability to Oracle, CVE-2016-6663, that could further simplify the attack, but he hasn't published details about it yet.

The disclosure of CVE-2016-6662 was met with some criticism on specialized discussion forums, where some users argued that it's actually a privilege escalation vulnerability and not a remote code execution one as described, because an attacker would need some level of access to the database.

"As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use," Golunski said in his advisory. "These are by no means a complete solution and users should apply official vendor patches as soon as they become available."

Oracle didn't immediately respond to a request for comments on the vulnerability.

Source: http://www.pcworld.com/article/3119119/mysql-zero-day-exploit-puts-some-servers-at-risk-of-hacking.html

Our perspective

We recommend that our customers verify whether the MySQL, MariaDB or Percona deployments in their environment are exposed: in particular, whether the server is started through the mysqld_safe wrapper and whether any configuration file the server reads is owned or writable by the service account, since both conditions are needed for the published attack. Where a deployment is exposed, the temporary mitigations from the advisory (root-owned configuration files and root-owned dummy my.cnf files at unused locations) should be applied until Oracle releases its patch, and vendor patches applied as soon as they are available.
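The two preconditions the article names (a configuration file the service account can write or create, and a server started through mysqld_safe) can be checked from the database host. The script below is an added example, not code from the advisory or from PwC. The option-file paths are the usual Linux defaults and are an assumption to confirm per host with `mysqld --help --verbose`; the data-directory path is included because the public proof of concept writes its my.cnf there using the SQL FILE privilege, so restricting that privilege (or setting secure_file_priv) is a further stopgap the article does not mention.

```python
"""Host-side check for the two preconditions the article names for
CVE-2016-6662: mysqld started through the mysqld_safe wrapper, and a
configuration file the MySQL service account can write or create.
Added example (not code from the advisory or from PwC)."""
import glob
import os
import pwd
import stat

# Option files MySQL reads on a typical Linux install, in search order.
# Assumption: confirm on each host with `mysqld --help --verbose`.
# The data directory is listed because the public proof of concept writes its
# my.cnf there via SELECT ... INTO OUTFILE.
DEFAULT_CONFIG_PATHS = [
    "/etc/my.cnf",
    "/etc/mysql/my.cnf",
    "/usr/etc/my.cnf",
    "/var/lib/mysql/my.cnf",
]


def audit_config_file(path, service_user="mysql"):
    """Classify one candidate option file; returns (status, detail)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # Advisory stopgap: pre-create a root-owned placeholder so the
        # service account cannot create the file itself.
        return ("MISSING", "create a root-owned, mode 0644 placeholder")
    if stat.S_ISLNK(st.st_mode):
        return ("SYMLINK", "inspect the link target and its owner")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    mode = st.st_mode & 0o777
    if owner == service_user:
        return ("OWNED_BY_SERVICE", f"owned by {owner}; chown root and chmod 0644")
    if mode & stat.S_IWOTH:
        return ("WORLD_WRITABLE", f"mode {oct(mode)}")
    try:
        service_gid = pwd.getpwnam(service_user).pw_gid
    except KeyError:
        service_gid = None
    if service_gid is not None and st.st_gid == service_gid and mode & stat.S_IWGRP:
        return ("GROUP_WRITABLE", f"writable by the service group (gid {service_gid})")
    # A root-owned file in a directory the service account owns can still be
    # unlinked and recreated, which is one reason the advisory calls the
    # placeholder mitigation incomplete.
    try:
        parent_owner = pwd.getpwuid(os.stat(os.path.dirname(path) or ".").st_uid).pw_name
    except (OSError, KeyError):
        parent_owner = None
    if parent_owner == service_user:
        return ("PARENT_OWNED_BY_SERVICE", "file is fine but its directory is not")
    return ("OK", f"owned by {owner}, mode {oct(mode)}")


def audit(paths=DEFAULT_CONFIG_PATHS, service_user="mysql"):
    """Audit every path; the host is safe only if every entry is OK."""
    return {p: audit_config_file(p, service_user) for p in paths}


def is_safe(report):
    return all(status == "OK" for status, _ in report.values())


def mysqld_safe_pids():
    """PIDs of processes launched as mysqld_safe (Linux /proc only; empty
    elsewhere). The published exploit chain depends on this wrapper."""
    pids = []
    for cmdline in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(cmdline, "rb") as fh:
                argv = fh.read().split(b"\0")
        except OSError:
            continue
        if any(arg.endswith(b"mysqld_safe") for arg in argv):
            pids.append(int(cmdline.split("/")[2]))
    return pids


if __name__ == "__main__":
    for path, (status, detail) in audit().items():
        print(f"{status:24} {path}  ({detail})")
    print("mysqld_safe processes:", mysqld_safe_pids() or "none found")
```

Run it as root on the database host. Anything other than OK is a gap against the advisory's stopgaps; an empty mysqld_safe list means the published chain does not apply as described, but the configuration-file findings should still be fixed because they are a privilege boundary in their own right.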

Malware

Researchers identify cryptomining malware on Seagate NAS servers

Security researchers at Sophos have discovered a new way that cybercriminals are distributing malware that makes money by "borrowing" your computer to mine cryptocurrency.

A paper by Attila Marosi, Senior Threat Researcher at Sophos, investigates the Mal/Miner-C malware, which criminals are using to mine Monero, a bitcoin-inspired cryptocurrency. Mal/Miner-C infects Windows computers and hijacks their CPUs and GPUs to generate the currency.

In the paper, Marosi examines how Mal/Miner-C quietly infects victims' computers and communicates with host servers to run mining operations covertly in the background.

Alone, one computer may not make a big impact on cryptocurrency mining, but the criminals aim to infect as many computers as possible so that they can reap the cumulative financial reward from hundreds of thousands of infected machines.

Marosi investigates how NAS devices, including many made by Seagate, are used as distribution servers for Mal/Miner-C, and explores the criminals' mining activities and how much money the racket is potentially worth to them.

With most cryptocurrencies, users can generate new units by devoting their computing resources to solving the complex math problems needed to validate transactions in the network. This process, known as "mining," gives attackers an incentive to hijack other people's computers and use them for their own gain.

The Sophos researchers found that Mal/Miner-C has no automatic infection mechanism and instead relies on users to execute the malicious program. It is distributed via downloads from compromised websites, but also through open FTP servers.

Attackers scan for FTP servers that are accessible from the internet and attempt to log in with default or weak credentials or with anonymous accounts. If successful, they verify that they have write access on the server and copy the malware into every available directory.

This explains why Sophos counted more than 1.7 million Mal/Miner-C detections over the past six months from only about 3,000 systems: most of the affected systems were FTP servers hosting multiple copies of the malware in different directories.

The researchers used the internet scanning engine Censys to identify public FTP servers that allow anonymous access with write privileges. They found 7,263 such servers and determined that 5,137 of them had been contaminated with Mal/Miner-C.

Another interesting discovery was that many of those FTP servers were running on Seagate Central NAS devices. While the malware does not specifically target such devices, Seagate Central's configuration makes it easy for users to expose insecure FTP servers to the internet. By default, the Seagate Central NAS provides a public folder for sharing data, the Sophos researchers said. This public folder cannot be disabled, and if the device administrator enables remote access to the device, the folder becomes accessible to anyone on the internet.
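The spreading behaviour described above (an anonymous or weak-credential login, then the same file copied into every writable directory) leaves a recognisable trace in the FTP server's own log. The following is an added example, not Sophos code: it parses vsftpd-style log lines (the sample lines are constructed, and the file names in them are placeholders rather than Mal/Miner-C indicators) and flags any client that uploads one file name into several directories, as well as any successful anonymous upload at all, since anonymous write should never be enabled on an internet-facing server.

```python
"""Detect the Mal/Miner-C spreading pattern in vsftpd logs: a login followed
by the same file being uploaded into many directories. Added example; the
sample log lines are constructed and the file names are placeholders."""
import re
from collections import defaultdict

# One vsftpd.log line, e.g.
#   Tue Sep  6 09:12:03 2016 [pid 4123] [anonymous] OK UPLOAD: Client "203.0.113.17", "/pub/update.scr", 1048576 bytes, 512.00Kbyte/sec
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)", (?P<size>\d+) bytes)?'
)

# Constructed sample: one anonymous client seeding a file into three
# directories, one legitimate user, one anonymous download, one failed login.
SAMPLE_LOG = """\
Tue Sep  6 09:12:01 2016 [pid 4123] [anonymous] OK LOGIN: Client "203.0.113.17"
Tue Sep  6 09:12:03 2016 [pid 4123] [anonymous] OK UPLOAD: Client "203.0.113.17", "/pub/update.scr", 1048576 bytes, 512.00Kbyte/sec
Tue Sep  6 09:12:05 2016 [pid 4123] [anonymous] OK UPLOAD: Client "203.0.113.17", "/pub/photos/update.scr", 1048576 bytes, 510.00Kbyte/sec
Tue Sep  6 09:12:07 2016 [pid 4123] [anonymous] OK UPLOAD: Client "203.0.113.17", "/pub/backup/update.scr", 1048576 bytes, 508.00Kbyte/sec
Tue Sep  6 09:12:08 2016 [pid 4123] [anonymous] OK UPLOAD: Client "203.0.113.17", "/pub/backup/tools.zip", 4096 bytes, 40.00Kbyte/sec
Tue Sep  6 10:00:00 2016 [pid 4200] [alice] OK LOGIN: Client "198.51.100.8"
Tue Sep  6 10:00:10 2016 [pid 4200] [alice] OK UPLOAD: Client "198.51.100.8", "/home/alice/report.pdf", 20480 bytes, 100.00Kbyte/sec
Tue Sep  6 10:05:00 2016 [pid 4210] [anonymous] OK DOWNLOAD: Client "198.51.100.9", "/pub/readme.txt", 120 bytes, 10.00Kbyte/sec
Tue Sep  6 10:06:00 2016 [pid 4211] [ftp] FAIL LOGIN: Client "203.0.113.99"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_spreaders(log_text, min_dirs=3, anonymous_users=("anonymous", "ftp")):
    """One finding per (client IP, user) that either replicated a file name
    into at least `min_dirs` distinct directories or uploaded anything while
    logged in as an anonymous account."""
    uploads = defaultdict(lambda: defaultdict(set))   # (ip, user) -> name -> {dirs}
    anon_uploads = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["result"] != "OK" or ev["action"] != "UPLOAD":
            continue
        key = (ev["ip"], ev["user"])
        directory, _, name = ev["path"].rpartition("/")
        uploads[key][name].add(directory or "/")
        if ev["user"].lower() in anonymous_users:
            anon_uploads[key] += 1
    findings = []
    for (ip, user), by_name in uploads.items():
        replicated = {n: sorted(d) for n, d in by_name.items() if len(d) >= min_dirs}
        if replicated or anon_uploads.get((ip, user)):
            findings.append({
                "ip": ip,
                "user": user,
                "anonymous_uploads": anon_uploads.get((ip, user), 0),
                "replicated_files": replicated,
            })
    return findings


if __name__ == "__main__":
    for f in find_spreaders(SAMPLE_LOG):
        print(f"{f['ip']} as {f['user']}: {f['anonymous_uploads']} anonymous uploads, "
              f"replicated {sorted(f['replicated_files'])}")
```

Feed it the real vsftpd.log (or adapt LINE_RE for another server's transfer log); a hit is also a prompt to check whether the directories listed are the NAS's undeletable public share, which is what the Seagate Central finding above comes down to.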


Malware

Warning! This cross-platform malware can hack Windows, Linux and OS X computers

Stefan Ortloff, a researcher from Kaspersky Lab's Global Research and Analysis Team, first discovered the Linux and Windows variants of this family of cross-platform backdoor, dubbed Mokes, in January this year.

Now the researcher has confirmed the existence of an OS X variant of the malware family, giving a technical breakdown of the backdoor in a post on Securelist.

Like the Linux and Windows variants, the OS X backdoor, Backdoor.OSX.Mokes.a, specialises in capturing audio and video, logging keystrokes and taking screenshots every 30 seconds from a victim's machine.

The variant is written in C++ using Qt, a cross-platform application framework that is widely used for developing applications that run on various software and hardware platforms.

The backdoor can also monitor removable storage, for example when a USB drive is connected to or removed from the computer, and can scan the file system for Office documents, including .docx, .doc, .xlsx and .xls files.

The OS X backdoor can also execute arbitrary commands on the victim's computer sent from its command and control (C&C) server.

The backdoor establishes an encrypted connection with its C&C server and communicates using AES-256, which is considered a secure encryption algorithm.

Ortloff notes that, right after execution, the OS X sample he analysed copies itself to a handful of locations, including caches that belong to Skype, Dropbox, Google and Firefox. This mirrors the Linux variant, which copied itself to locations belonging to Dropbox and Firefox after execution.

The researcher has not attributed the Mokes backdoor family to any hacking group, state-sponsored actor or country, nor has he detailed the OS X backdoor's infection vector or how widespread it is.

However, based on the currently available information, the backdoor appears to be a sophisticated piece of malware.

Source: http://thehackernews.com/2016/09/cross-platform-malware.html
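The one concrete indicator the article gives is behavioural: the sample copies itself into cache directories of other applications, where a native executable has no business being. The scanner below is an added example, not Kaspersky tooling, and does not know the exact paths Mokes uses (the report does not list them); it walks any roots you give it and reports every Mach-O or ELF image found, with the macOS defaults being an assumption drawn from the report's description. It also handles the one awkward case a naive magic-number check gets wrong: the universal-binary magic is shared with Java class files.

```python
"""Hunt for native executables parked in application cache/data directories,
the persistence location the Mokes OS X and Linux samples are described as
using. Added example; the roots below are an assumption, not Mokes' real paths."""
import os
import struct

MACHO_THIN = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",    # 32-bit, big/little endian
              b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}    # 64-bit, big/little endian
FAT_MAGIC = b"\xca\xfe\xba\xbe"    # universal binary; also the Java .class magic
ELF_MAGIC = b"\x7fELF"             # covers the Linux variant's drop locations

# Assumed macOS starting points; widen to the cache directories of the
# applications named in the report (Skype, Dropbox, Google, Firefox).
DEFAULT_ROOTS = [os.path.expanduser(p) for p in
                 ("~/Library/Caches", "~/Library/Application Support")]


def classify(header):
    """Return 'macho', 'elf' or None for the first 8 bytes of a file."""
    if len(header) < 8:
        return None
    magic = header[:4]
    if magic in MACHO_THIN:
        return "macho"
    if magic == FAT_MAGIC:
        # A fat header stores nfat_arch (a small big-endian count) at offset 4;
        # a Java class file stores minor/major version there, so a large value
        # means .class, not a universal binary.
        nfat_arch = struct.unpack(">I", header[4:8])[0]
        return "macho" if 0 < nfat_arch < 32 else None
    if magic == ELF_MAGIC:
        return "elf"
    return None


def find_executables(roots=DEFAULT_ROOTS, max_files=200000):
    """Walk each root (not following symlinks) and return one record per
    native executable image found, regardless of its file extension or mode."""
    hits, seen = [], 0
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    continue
                try:
                    with open(path, "rb") as fh:
                        kind = classify(fh.read(8))
                except OSError:
                    continue
                seen += 1
                if kind:
                    st = os.stat(path)
                    hits.append({"path": path, "kind": kind, "size": st.st_size,
                                 "exec_bit": bool(st.st_mode & 0o111)})
                if seen >= max_files:
                    return hits
    return hits


if __name__ == "__main__":
    for h in find_executables():
        print(f"{h['kind']:6} {h['size']:>10} {'x' if h['exec_bit'] else '-'} {h['path']}")
```

Expect some legitimate hits (helper binaries that applications cache deliberately); the useful signal is an image whose path does not belong to the application that owns the directory, or that appeared at the time of a suspected infection.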


Cyberspies

Hong Kong government hacked by Chinese cyberspies, FireEye says

Two Hong Kong government agencies have come under attack from cyberspies originating in China in the month leading up to Sunday's legislative elections, according to a U.S. cybersecurity firm.

On at least three occasions in early August, the China-based group APT 3 targeted the organisations with spear-phishing attacks, in which emails with malicious links and attachments containing malware are used to gain access to computer networks, said John Watters, president of iSIGHT, a unit of FireEye Inc. He said the hacks were "certainly" politically motivated, based on their targets.

Watters declined to say which agencies were attacked because his firm seeks to identify attackers, not shine a spotlight on the victims. It wasn't possible to confirm whether APT 3 was linked to any Chinese government organisation, he said, adding that the Hong Kong authorities had been informed of the incidents.

The Hong Kong government's information office confirmed it had been informed about the hacks.

"Relevant security measures had already been put in place to block the suspicious e-mails," it said in a statement. "So far, there is no security incident report from the two concerned departments."

Legislative elections

While Hong Kong was returned to China in 1997, the former British colony was guaranteed a "high degree of autonomy" for at least 50 years under a deal with the U.K. Beijing's influence over the financial hub has been a key campaign issue in Sunday's elections, in which voters will select lawmakers for the city's 70-seat Legislative Council.

"What it appears to be is an opportunity to gain information without having the transparency of having to make a request," Watters said. "If you want to know what someone's thinking, would you rather read their diary or hear their prepared remarks?"

It wasn't possible to verify what information, if any, had been stolen, Watters said.

The Hong Kong and Macau Affairs Office of the State Council in Beijing didn't immediately respond to faxed questions about the incident.

Incidents of U.S. hacking by China-based groups have fallen since President Xi Jinping visited the U.S. last September and reached a cybersecurity deal, according to FireEye. Some of those hacking groups have refocused their energies on Asian targets amid an increase in regional tensions.

Vietnam in particular has come under attack, with malicious code disguised as antivirus software found lurking in everything from government offices to banks, companies and universities.

Watters said his firm has tracked APT 3 since 2011, over which time it has been blamed for hacking companies in industries from telecommunications to agriculture, in countries including the U.S., Germany and Italy. APT 3 is among the top hacking groups based on its sophistication and the constant updates to the tools it uses to access networks, he said.

Mandiant, another unit of FireEye, alleged in 2013 that China's military might have been behind a group that had hacked at least 141 companies worldwide since 2006. The U.S. issued indictments against five military officials who were purported to be members of that group.

Hackers typically send emails to targets hoping they will open attachments loaded with malware that infiltrates their computers and helps the attackers reach broader networks. iSIGHT tracks malware globally and traced its presence to the networks of the Hong Kong government agencies, Watters said.

The subject of one of the emails used in the attacks in Hong Kong was a report on election results, with a hyperlink to what the reader would assume was the report itself, Watters said. The hyperlink led to a compromised sub-domain that hosted the malware.

Source: http://www.bloomberg.com/news/articles/2016-09-01/hong-kong-government-hacked-by-chinese-cyberspies-fireeye-says
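The lure described above combines a timely subject, a hyperlink that does not go where the reader expects, and, in the general spear-phishing case the article also describes, a malware attachment. All three can be pulled out of the raw message during triage. The script below is an added example, not iSIGHT or FireEye tooling; the message, sender and domain names in it are constructed placeholders, and the trusted-domain allowlist is an assumption you would replace with your own.

```python
"""Triage a suspected spear-phishing message: extract hyperlinks and flag
those whose target host differs from the text shown or is outside a trusted
allowlist, and flag attachments that look executable. Added example; the
message and domains are constructed placeholders."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lure with a generic-text link to an outside host, a
# link whose visible URL differs from its href, and a double-extension
# attachment that actually starts with a Windows PE header.
SAMPLE_EML = """\
From: "Election Office" <results@elections.gov.test>
To: analyst@agency.test
Subject: Report on election results
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The full report is available <a href="http://cdn.updates-mirror.test/report">here</a>.</p>
<p>Archive: <a href="http://news.partner-site.test/x">http://www.elections.gov.test/results</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="results.pdf.exe"
Content-Disposition: attachment; filename="results.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

TRUSTED_DOMAINS = ("elections.gov.test", "agency.test")   # assumed allowlist
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "jar", "cmd", "bat", "ps1", "lnk"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    p = urlparse(value if "://" in value else "http://" + value)
    return (p.hostname or "").lower()


def _trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of (finding, detail) tuples for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = _host(href)
            # Visible text that is itself a URL but points elsewhere is the
            # classic "looks like the report, goes to the attacker" pattern.
            if re.match(r"(https?://|www\.)", text, re.I) and _host(text) != host:
                findings.append(("LINK_TEXT_MISMATCH", f"shows {_host(text)}, goes to {host}"))
            elif not _trusted(host, trusted):
                findings.append(("LINK_UNTRUSTED_HOST", host))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]
        content = part.get_content()
        data = content if isinstance(content, bytes) else content.encode()
        reasons = []
        if exts and exts[-1] in RISKY_EXTENSIONS:
            reasons.append("risky extension")
        if len(exts) > 1:
            reasons.append("double extension")
        if data.startswith(EXECUTABLE_MAGIC):
            reasons.append("executable header")
        if reasons:
            findings.append(("ATTACHMENT", f"{name}: " + ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EML):
        print(f"{kind:22} {detail}")
```

The host list this produces is what you would hand to the proxy or mail gateway for blocking; the article's "compromised sub-domain" is exactly the case where a hostname looks plausible on its own and only stands out because it is not the one the visible text promises.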


Top stories

Incident raises concerns on safety in usage of e-wallets

Nearly 100 customers of the e-wallet FreeCharge lost Rs. 8,000 to Rs. 10,000 each, in cities across the country including Chennai, Mumbai, Hyderabad and Delhi, after the e-wallet's users were hit by a phishing attack; the money was only restored later. The cases are now being looked at by the regional Reserve Bank of India cells, the banking ombudsman and the respective cyber crime police officials. The attacks happened between June and August 2016.

Phishing is an attempt to obtain sensitive information such as usernames, passwords and banking details by conning people into believing that the request comes from an official or trusted entity.

"We had been emailing them, calling them multiple times. There was no proper helpline and we got only automated responses. We didn't hear back at all from them. Even after the article highlighting what happened at FreeCharge, the amount was reversed with no explanation," said complainant Anupam Agarwal, who lost Rs. 10,000 on the wallet on July 24.

FreeCharge, which has 37 million customer accounts, said in an emailed response that it started reversing transactions worth up to Rs. 2.9 lakh after August 19. TOI reported on August 19 that three FreeCharge customers had lost money while using its services. Between August 19 and 25 customers started receiving money back into their wallets, which FreeCharge then termed a "goodwill gesture".

FreeCharge acknowledged that its customers lost their money as a result of a "phishing attack".

A police official in Delhi's cyber crime cell said, "On August 24, we received a complaint from FreeCharge stating that eight of its customers had lost money totalling Rs. 77,000. We subsequently spoke to complainants." In what could be slightly alarming, the trail leads to bitcoin users; bitcoin is still viewed with suspicion in India and is currently unregulated in the country. Complainants said that they started receiving calls from regional RBI centres between August 22 and 23.

According to FreeCharge, the attackers in the first instance transferred money to bank accounts. "Then they started using the account to purchase items across different websites, including Snapdeal, ClearTrip and Vodafone, where FreeCharge wallets are accepted," said Farheen Akhtar, head of public relations at Snapdeal, a company that has close ties with FreeCharge. After the fraudsters started buying gift cards, FreeCharge stopped permitting its wallet to be used for such purchases. Users of e-wallets say that these companies provide no redressal mechanism, especially when they need to be contacted urgently. While the e-wallet in question sent automated messages to customers within a few minutes, that is not as effective as a bank freezing an account in real time when a debit card loss is reported.

Source: http://timesofindia.indiatimes.com/business/india-business/Incident-raises-Concerns-On-Safety-In-Usage-of-e-Wallets/articleshow/54299842.cms


Top stories

Scamsters jump the gun on Raghuram Rajan exit, use Urjit Patel's name in phishing attempt

There might still be a few days left until RBI Governor Raghuram Rajan steps down and Deputy Governor Urjit Patel takes over the reins. But what do a few days matter, especially if you are a scamster looking to make a quick buck?

A few routine emails sent out to hoodwink people into divulging their personal and financial details to scamsters have jumped the gun and already replaced Raghuram Rajan with Urjit Patel in their standard templates.

One such email, purportedly from the RBI, with a badly photoshopped logo, has been circulated promising around Rs 4.72 crore if the addressee responds with personal and financial details.

In an attempt to lend it that crucial bit of authenticity, the email narrates how the payment is an unclaimed one deposited in the addressee's name with the British Government for some unspecified award.

It even states that the disbursement is the result of a policy meeting between the RBI Governor, UN Secretary General Ban Ki-moon (misspelt "Ban-Kin Moon") and other government representatives.

Safe to say, the attempt at authenticity falls quite flat. Quite apart from the spelling and grammatical errors in every sentence, the almost innocently incompetent Photoshop skills and an email ID that tries to spell out 'compensation' but manages to misspell that too, the scamsters have failed at basic research as well: all through the mail, the RBI Governor is repeatedly named as Urjit Patel, a whole week before Patel even takes charge.

There's no limit to dreaming, but if you want to skim some money, the least you can do is be a little better at research.

As for Rajan, he must be thankful that he will no longer be the man cursed by the gullible few who have fallen for these scams in the past.

Source: http://www.newindianexpress.com/business/news/Scamsters-jump-the-gun-on-Raghuram-Rajan-exit-use-Urjit-Patels-name-in-phishing-attempt/2016/09/02/article3609226.ece


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,08,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity in separate lines of service. Please see www.pwc.com/structure for further details.

©2016 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan
[email protected]

Amol Bhat
[email protected]

All images in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws and treaties. Any unauthorised use of these images may violate such laws and shall be punishable under appropriate laws. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt, create derivative works based on, rent, lease, loan, sell, assign, distribute, display, perform, license, sub-license or reverse engineer the images. In addition, you should desist from employing any data mining, robots or similar data and/or image gathering and extraction methods in connection with the presentation.

© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to

PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MB/September2016-
