Ransomware Is Spreading Through Macros In Word

Security researcher Jaromir Horejsi of Trend Micro has discovered a disturbing new strain of ransomware named qkG that spreads by way of macros inside MS Word.

The ransomware strain targets only Office documents, encrypting them and infecting Word's default template in order to propagate to newly created documents opened via the Office suite on the infected computer.

This new threat is unusual in the world of ransomware because it abides by a completely different and much more tightly targeted set of operating principles than any other form of ransomware found in the wild today. It’s also a bit of a throwback. The use of macros to spread worms is still fairly commonplace on older machines running out-of-date or pirated copies of Office, but it hasn’t really been in fashion in the mainstream hacking community for quite some time.

An analysis of the code reveals it to be a work in progress. The researchers were quick to point out that the ransomware has not found any actual victims to date, and that several different variants and strains of the code were found in different documents, each with a different and slightly more robust feature set.

Based on evidence Horejsi found in the qkG samples he had the opportunity to analyze, the author of this new strain is apparently based somewhere in Vietnam, and goes by the alias “TNA-MHT-TT2.”

The malware is notable for its rather innovative use of malicious macros. Horejsi warns that these techniques will undoubtedly be picked up by other hackers, refined and used more broadly in the months ahead.

That’s likely to pose a special challenge for your IT security team, who have probably fallen out of the habit of watching for such threats, given that they declined in popularity some time ago. It seems, however, that what’s old has been made new again, so alert the troops to be ready.

DirecTV Genie DVR May Have A Major Vulnerability

If you have a Genie DVR system, you should be aware of a major security flaw in the firmware that could allow a hacker to take complete control over the device.

At issue is the equipment offered by AT&T as part of their free DirecTV WVB Kit. Researchers from Trend Micro's Zero Day Initiative (ZDI) discovered a zero-day vulnerability in one of the core components of the system, the Linksys WVBR0-25, a Linux-powered wireless video bridge. It is this bridge that lets customers connect up to eight Genie client boxes to television sets in their homes.

Trend Micro researcher Ricky Lawshae took a deep dive into the firmware and was able to get the Linksys WVBR0-25 to divulge a wealth of information from the device’s web server, without requiring any sort of authentication whatsoever. There wasn’t even a login screen, just a wall of easy-to-access text, which included:

  • Customer WPS PIN
  • Connected clients
  • Processes currently running

And more. Lawshae had this to say after completing his investigation:

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point I became pretty frustrated.

The vendors involved here should have some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent simple yet impactful bugs from reaching unsuspecting consumers.”

It gets worse, though. When ZDI reported this security flaw to the manufacturer, rather than issuing a patch to correct it, they simply ceased all communication. After more than six months of trying, and getting nowhere, ZDI decided to publicize the vulnerability in the hopes that doing so would finally prompt the company to take action.

Until they do, about your only option (aside from simply canceling your service) is to limit the number of devices that can interact with Linksys WVBR0-25 so as to limit your exposure.

Microsoft Word Gets Update To Disable DDE After Malware Concerns

In recent months, Microsoft Word has been getting a fair amount of bad press, thanks to an old-but-still-supported feature called DDE (Dynamic Data Exchange). This is the feature that allows Word to pull data from other MS Office applications. For instance, if you embed a chart into your Word document, each time you open the doc, it will automatically poll the spreadsheet the chart was created from and update it dynamically.

It’s a good feature, but unfortunately, it’s subject to abuse by hackers, who can use it to insert malicious code.

For a long time, Microsoft held the opinion that DDE wasn’t flawed per se, and as such, refused to take any action to try to limit its abuse. The thinking was that the company had already done enough since MS Office is designed to display a warning message before actually opening a file, which gives the user a choice.

Unfortunately, hackers have found ways to game that system as well and get around the warning box, and ultimately, that’s what changed the company’s mind.

Back in October, Microsoft published Security Advisory 4053440, which warned of the potential dangers of DDE and advised users on how to disable the feature in Word, Outlook and Excel. The company has now taken things a step further, disabling the feature inside MS Word in the Office Defense in Depth Update, ADV170021.

In fact, the company now sees the problem as being so severe and pervasive that they took the unusual step of issuing an emergency, out-of-band patch to update Word 2003 and 2007, two versions that Microsoft has officially stopped supporting.

If your employees use MS Office, this most recent patch is of critical importance, so if you’re not getting updates automatically, make sure your team knows to grab and apply this one.
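Both the qkG story above (a threat that rides inside Word macros) and the DDE story (field codes that make Word reach out to another program) come down to content that can be found by inspecting the document file itself. The following scanner is an added example written for this page, not code from Trend Micro, Microsoft or the original article. It opens an Office Open XML file as the zip archive it is, flags an embedded VBA project (the `vbaProject.bin` part that Word, Excel and PowerPoint all use for macros) and any `DDE`/`DDEAUTO` field code in the Word XML parts, and nothing in the scanned file is executed. The three sample documents are constructed in memory for the demonstration; the command inside the DDE field is a placeholder string.

```python
"""Detection-only scanner for Office Open XML (.docx/.docm/.xlsm/.pptm) files.

It flags two of the contents discussed above: an embedded VBA project (how
macro-based threats such as qkG ride inside documents) and DDE/DDEAUTO field
codes (the feature ADV170021 disables).  Nothing in the file is executed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def scan_ooxml(data: bytes) -> dict:
    """Return {'macros': bool, 'dde_fields': [field code, ...]} for one file."""
    findings = {"macros": False, "dde_fields": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Word, Excel and PowerPoint all store macros in a part named vbaProject.bin.
        findings["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for part in names:
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(part))
            for para in root.iter(f"{{{W_NS}}}p"):
                # A field instruction may be spread over several runs (evasive samples
                # do this on purpose), so join the instrText of a whole paragraph.
                instr = "".join(t.text or "" for t in para.iter(f"{{{W_NS}}}instrText"))
                for simple in para.iter(f"{{{W_NS}}}fldSimple"):
                    instr += " " + simple.get(f"{{{W_NS}}}instr", "")
                if DDE_RE.search(instr):
                    findings["dde_fields"].append(" ".join(instr.split()))
    return findings


def make_docx(body_xml: str, with_macro: bool = False) -> bytes:
    """Build a minimal in-memory .docx; constructed for this example, not Office output."""
    document = f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder VBA project stream")
    return buf.getvalue()


# Constructed samples: a plain document, a macro-enabled one, and one carrying a
# DDEAUTO field whose code is split across two runs (the command is a placeholder).
CLEAN = make_docx("<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>")
MACRO = make_docx("<w:p><w:r><w:t>Invoice</w:t></w:r></w:p>", with_macro=True)
DDE = make_docx(
    "<w:p>"
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    "<w:r><w:instrText>DDEAU</w:instrText></w:r>"
    '<w:r><w:instrText>TO "placeholder-command" "placeholder-args"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p>"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("macro", MACRO), ("dde", DDE)):
        print(label, scan_ooxml(sample))
```

Run it on real files by reading their bytes into `scan_ooxml`; a mail gateway or endpoint agent can quarantine anything where `macros` is true or `dde_fields` is non-empty. Joining the field instruction per paragraph matters: a check that looks at each `instrText` run on its own misses a field code that has been split in two.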

Uber Paid To Hide Massive Data Breach From Public

It has recently come to light that Uber was hacked in 2016 in a massive breach that exposed the personal information of more than 57 million Uber users and drivers. A wide range of data was stolen. Where users were concerned, names, email addresses and phone numbers were compromised.

As bad as that is, the problem was even worse for more than 600,000 of the company’s drivers, who had their driver’s license numbers stolen, too.

Standard protocol is that when a breach like this occurs, the company will engage law enforcement officials as appropriate, hire a third-party security firm to help with the forensic investigation and notify their consumers.

Unfortunately, that’s not the path Uber chose to take. Instead, they paid the hackers $100,000 in exchange for keeping quiet about the hack and deleting the stolen data.

The company kept the incident under wraps for more than a year, but eventually, word of the attack leaked out, and the fallout has been catastrophic. Uber’s CEO Dara Khosrowshahi has asked for the resignation of the company’s Chief Security Officer, Joe Sullivan, and one of his deputies, Craig Clark, both of whom worked to keep the attack quiet.

In a formal statement, Khosrowshahi had this to say:

“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

As is common in the aftermath of events like these, Uber is offering its impacted customers a free year’s worth of credit monitoring services and will likely force password changes for its app users. More than a year too late, but it’s something.

File this away under how not to handle a data breach.

Researchers Find Malware Targeting Industrial Systems

In the malware ecosystem, few strains are more terrifying than those that target industrial control systems. Think Stuxnet, Industroyer and IronGate. Recently, security researchers from FireEye have identified a new threat in this class of malware. Alternately called “Triton” or “TRISIS,” this new code targets Triconex Safety Instrumented Systems (SIS) controllers, which are manufactured by Schneider Electric. These control systems are found in a wide range of industrial equipment. They are, in effect, the gears that keep the machine of modern industry moving.

So far, there’s suggestive evidence that at least one state-sponsored attack has been carried out using the new strain of malware, although neither the identity of the target of the attack nor the organization responsible for it has been disclosed. All we know for sure is that the attack was launched against an industrial concern in the Middle East.

The code base of the new threat utilizes the TriStation Protocol, a proprietary protocol used by Triconex SIS products. There is no public documentation available for the protocol, which suggests that the hackers who developed the malware must have reverse engineered it.

A spokesman for FireEye had this to say about the code in general and the recent attack:

“The attacker gained remote access to an SIS engineering workstation and deployed the Triton attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.

The attacker deployed Triton shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool, which would require access to hardware and software that is not widely available.”

The real danger of software like this is that it can reprogram control systems to ignore when equipment begins operating beyond normal operating parameters, which can lead to physical damage to critical infrastructure.

If deployed against a power station, for instance, it could result in widespread blackouts. If deployed against a nuclear installation, it could send the reactor into a meltdown.

Threats like these are becoming more common by the day, and with hundreds of millions of controllers deployed around the world, it’s just a matter of time before the hackers succeed at hitting close to home.

Latest iOS Version May Have Bug That Changes Your Letters

If you’re using an Apple device running iOS 11.0.3 or 11.1, you may have noticed some oddities when sending text messages. For reasons that aren’t quite clear, the letter “I” is being replaced by the characters “A[?].” It’s not a game-breaking bug, but it is annoying, and if you’re not paying attention, it can make for some rather mystifying text messages.

Fortunately, Apple is on the case, and the company has announced that they’ll have a fix for the issue in their next release. If you’d rather not wait, there are several things you can do in the meantime to work around the issue. In no particular order, these are:

• Simply disable Apple’s predictive text auto-correct feature. If you rely on it frequently, this may slow you down some, but is probably the most straightforward approach to take at the moment.
• Install a third-party keyboard app because these use their own predictive text features.
• Or, take Apple’s recommendation and set up a text replacement rule (essentially replacing a lower-case “i” with an upper-case “I”).

If you opt for this last approach, you’ll want to go into your phone’s settings, look under the general tab, then keyboard, and choose “Text Replacement.”

Tap the plus sign (+), then, for “phrase,” type in an upper-case “I”. For shortcut, type a lower-case “i.”

Save that change, and you should be all set.

To reiterate, this isn’t a huge deal, and it’s hard to see how this could cause anything but a bit of annoyance and perhaps a few scattered miscommunications. Even so, if you send more than a handful of text messages during the course of a typical business day, it’s probably worth spending a few minutes implementing one of these simple workarounds until Apple can ride to the rescue with a permanent fix.

Breach Of Health Data Gets California Company $2M Fine

Cottage Health System, a company that operates five hospitals in the Santa Barbara area of California, is the latest firm to have been hit with a hefty fine for losing control of PHI and PII for patients that it serves.

In this case, more than 55,000 patients were impacted between 2013 and 2015.

Cottage Health discovered the breach late in 2013. The company received a voicemail message informing company officers that there was a large file containing PHI of an unspecified number of its patients available online, without encryption or password protection that could prevent unauthorized access. In 2015, the company suffered a second, much smaller breach that impacted 4,596 of its patients.

As a result of the investigation that followed, the California Attorney General determined that the Cottage Health System had violated California’s Confidentiality of Medical Information Act, as well as several federal HIPAA regulations.

Under the terms of the agreement, in addition to a $2 million fine, the company has been required to upgrade its data security practices, including:

• Training employees on the collection, storage and proper use of PHI and PII
• Maintaining a reasonable set of policies and protocols surrounding incident tracking reports, risk assessment, data retention, internal audits and incident management plans, subject to external review
• Encrypting all PHI and PII in transit
• Assessing all hardware and software used in Cottage Health’s network for potential vulnerabilities, and upgrading as appropriate
• And conducting periodic testing to identify and address additional vulnerabilities.

This most recent incident serves as a painful reminder to any company involved in the handling of PHI and PII. According to Elizabeth Hodge, a health care attorney of the law firm Akerman, LLP:

“Even if the Office for Civil Rights slows down its enforcement activities going forward, covered entities and business associates should still anticipate enforcement activity by state attorneys general enforcing their respective state laws.”

Windows 10 Third Party Password Manager Could Have Security Issue

Do you use “Keeper?” If you’re not sure what it is, then you probably don’t. It’s a password manager that Microsoft has been bundling with some of its Windows 10 releases. Either way, there’s a serious flaw in its design that you should be aware of.

Earlier in the year, Tavis Ormandy, a researcher on Google’s Project Zero team, discovered a bug that saw Keeper injecting privileged user information into web pages, exposing all manner of private data unnecessarily to website owners.

The potential damage comes from a user being lured onto a hacker-controlled website, whose owner could siphon up the information (including literally every password stored by Keeper) and resell it, or use it to launch a highly targeted attack against a specific user or device.

The bug was reported, and a patch was issued. Then, in a later version, Ormandy found the same bug cropping up again. He had this to say about the matter:

“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and they’re doing the same thing again with this version.

I think I’m being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.”

Craig Lurey, the CTO of Keeper Security, had this to say when informed of the bug:

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.”

The two important takeaways here are as follows:

  • The company reports that so far as anyone can tell, this flaw has not actually been exploited in the wild.
  • Keeper Security has issued an emergency patch that has disabled the “Add to Existing” feature, which is where the problem code actually resides.

This temporary measure was implemented as a stop-gap until the bug can be properly patched.

Apple Might Be Working On Universal Apps Across Mac, iOS

Apple has been quietly working on something called “Project Marzipan” for a couple of years now, and it appears that they’re getting closer to unveiling it.

The company seeks to bring its MacOS and iOS platforms closer together by developing universal apps that will work in either environment. This mirrors Microsoft’s Universal Windows app strategy, where apps can detect the environment they’re running on and adjust their display and navigation accordingly.

Project Marzipan presents some real challenges for Apple because MacOS programs use an entirely different set of development tools, although there is some overlap. The programming language called Swift, for example, can be used to make apps that run in either environment, and if the company placed a greater emphasis on it, the process of creating their own universal apps would be greatly simplified.

The thinking behind Marzipan seems to be driven by the company’s desire to breathe new life into the Mac App Store, which hasn’t seen nearly the level of success as their iOS Store. The move would be a boon to developers because creating a common platform would allow Mac app developers to get their product in front of more potential customers.

Another potential reason is that the company may be planning to ultimately merge MacOS and iOS into a singular operating system that runs every Apple product. It’s a compelling theory, but the company has said nothing to confirm it.

In any event, if Apple goes ahead with Marzipan, and at this point, all indications are that they will, then we can expect a public announcement to that effect at next year’s World Wide Developer Conference. The first of the universal apps should appear not long after that, although the process of merging the two app stores and building out a robust collection of universal apps could take more than a year.

2017 List Of Most Used Passwords Released

SplashData has released their latest annual report on the most commonly used passwords. Unfortunately, the more things change, the more they stay the same.

By now, everyone knows that hacking attempts and high-profile data breaches are on the rise. Everyone has heard, on more than one occasion, how important it is to not use the same password across multiple web properties, to enable two-factor authentication if and where it is offered and to use passwords that contain a combination of letters, numbers and symbols in order to make them more difficult to crack.

Although these are things that everyone knows, the wisdom embedded in the advice above often goes unheeded. According to the data collected by aggregating passwords leaked in data breaches over the past year, the most commonly used password for 2017 is “123456,” followed closely by the ubiquitous “password.” These are unchanged from last year.

The rest of the top 25 list contains a mix of the old and the new, including:

  • 12345678
  • Qwerty
  • 12345
  • 123456789
  • Letmein
  • 1234567
  • Football
  • Iloveyou
  • Admin
  • Welcome
  • Monkey
  • Login
  • Abc123
  • Starwars
  • 123123
  • Dragon
  • Passw0rd
  • Master
  • Hello
  • Freedom
  • Whatever
  • Qazwsx
  • Trustno1

If you make use of any of these passwords, we urge you to change them immediately. As important as data security is and as much as is at stake, you’re putting yourself, your friends and your coworkers at grave risk by using such easily cracked passwords.
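Telling users not to pick these passwords works far better when the system refuses them outright. The check below is an added example for this page, not SplashData's code or a product: it compares a candidate against a denylist built from the top 25 quoted above, after undoing the trivial dressing-up (capitalisation, digit-for-letter substitutions, a trailing "123!") that lets "Passw0rd" or "StarWars2017" get past an exact-match comparison. The denylist and the test candidates are constructed for the demonstration; a real deployment would use a much larger breached-password corpus.

```python
"""Reject passwords that are on a common-password denylist, including the trivial
variants (case changes, leet digits, a trailing '123!') that let 'Passw0rd' or
'StarWars2017' slip past a naive exact-match check."""
import re

# Constructed denylist from the 2017 SplashData top 25 quoted in the article;
# a production deployment would use a far larger breached-password corpus.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon", "passw0rd",
    "master", "hello", "freedom", "whatever", "qazwsx", "trustno1",
}

# Common character substitutions, undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
TRAILING = re.compile(r"[\d!@#$%^&*.]+$")


def normalize(password: str) -> set:
    """Forms of the password that should each be looked up in the denylist."""
    base = password.strip().lower()
    variants = {base}
    stripped = TRAILING.sub("", base)   # drop a '123' or '!' bolted on at the end
    if stripped:
        variants.add(stripped)
    variants |= {v.translate(LEET) for v in list(variants)}
    return variants


def check_password(password: str, min_length: int = 12) -> tuple:
    """Return (accepted, reason).  Denylist first, then a simple length floor."""
    hits = normalize(password) & COMMON_PASSWORDS
    if hits:
        return False, f"matches common password {sorted(hits)[0]!r}"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Passw0rd", "Password123!", "StarWars2017",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

The denylist check runs before the length rule on purpose: a long password built from a common word plus a year is still a weak one, and the reason string tells the user which base word was matched so they pick something genuinely different rather than appending another digit.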

SplashData’s CEO Morgan Slain had this to say on the topic:

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use. Hackers are using common terms from pop culture and sports to break into accounts online because they know how many people are using those easy-to-remember words.”