Qadit Blog

After entering a password, your regular computer keyboard might appear to look the same as always, but a new approach harvesting thermal energy can illuminate the recently pressed keys, revealing that keyboard-based password entry is even less secure than previously thought.

Thermal image of “passw0rd” 20 seconds after entry

Computer Science Ph.D. students Tyler Kaczmarek and Ercan Ozturk from UC Irvine’s Donald Bren School of Information and Computer Sciences (ICS), working with Chancellor’s Professor of Computer Science Gene Tsudik, have exploited thermal residue from human fingertips to introduce a new insider attack the Thermanator.

“It’s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them,” describes Tsudik. “If you type your password and walk or step away, someone can learn a lot about it after-the-fact.”

Their paper, “Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry,” outlines the rigorous two-stage user study they conducted, collecting thermal residues from 30 users entering 10 unique passwords (both weak and strong) on four popular commodity keyboards.

As noted in the paper, results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as one minute after entry. The study further revealed that hunt-and-peck typists are particularly vulnerable.

Kaczmarek, Ozturk and Tsudik suggest some mitigation strategies, such as swiping your hands over the keyboard after password entry or selecting characters with the mouse. Regardless, based on the study results, they conclude that “Thermanator Attacks” represent a new credible threat for password-based systems, noting that “as formerly niche sensing devices become less and less expensive, new side-channel attacks move from ‘Mission: Impossible’ towards reality.”

Example of thermal emanations being recorded

Developing a de-authentication prototype for “Lunchtime Attacks”

The same research team also recently developed a novel technique aimed at mitigating “Lunchtime Attacks.” Such attacks occur when an insider adversary takes over an authenticated state of a careless user who has left his or her computer unattended.

Tsudik, Kaczmarek and Ozturk have come up with an unobtrusive and continuous biometic-based “de-authentication,” i.e., a means of quickly terminating the secure session of a previously authenticated user after detecting that user’s absence.

The paper, “Assentication: User De-Authentication and Lunchtime Attack Mitigation with Seated Posture Biometric,” presents a hybrid biometic based on the user’s seated posture pattern. By instrumenting the seat and lower back of a standard office chair with 16 tiny pressure sensors, they found a way to capture a unique combination of physiological and behavioral traits to provide continuous user authentication (and de-authentication). Results from user experiments involving a cohort of 30 subjects show that Assentication yields very low false accept and false reject rates.

A new malware campaign that delivers Emotet Malware Via Microsoft Office documents attachments with “Greeting Card” as the document name.

Attackers targeted the USA’s Independence Day to trick users into downloading the malicious document and to install the malware.The Banking Trojan EMOTET was identified in 2014, it has the capabilities of stealing personal information such as username and Passwords.

Emotet Malware Campaign

The new malware campaign was spotted by Zscaler’s research team and it is active between July 2nd to July 4th, “We saw over two dozen unique payloads hitting our Cloud Sandbox in the 48-hour span.” said Zscaler.

The document contains a tricky social-engineered message that asks users to enable content that allows the malicious macro to run in the background. The Macro obfuscated to avoid detection’s and it triggers wscript.exe to run the command.

Wscript downloads the payload through PowerShell script, finally, the De-obfuscated PowerShell command parameters download the Emotet payload and drops in the temp directory.

Emotet is a widely distributed malware it is commonly distributed via malicious spam campaigns that contain office documents, every time it emerges with new capabilities.

It is a multi-component malware that is capable of stealing credentials through browsers and email, Man-in-the-Browser attack and email harvesting.

With the last campaign, it includes a future called RunPE, that hides malware into the Legitimate process to evade the security scanners and inject its code into windows executable process.

Hackers on this planet have no dearth of malicious malwares to strike leaving millions of Internet users and bank account holders high and dry.

Of late, they have taken resort to a PDF sample which they want to be in use for crypto mining and to act as Ransomware forcing the top cyber security experts to step in to counter the threat that deepens on every passing day.

Named as Rakhni ransomware family, the newly developed malicious PDF sample is being released for the users to infect many systems as the hackers keep using it for crypto mining purpose causing much concern in the entire cyber world.

Armed with this malware with added futures, the hackers are learnt to have been maximizing their targets in Russia apart from India, Kazakhstan, Ukraine and Germany.

The malware in question comes through the spam emails with attached documents which infects an user once the document is unfolded to be saved.

It strikes as soon as the user double clicks the document attached in the PDF file. Some doubtful message lines suggest the infection process much to the pleasure of the hackers on the wait with fake identity.

The malware, then would decide the further course of action whether to download the cryptor or not. The downloading process undergoes a few technical procedure to reach the cryptor level from the infected users.

The normal processes of the system stand canceled before the infected system starts performing the cryptor.

According to the experts, the files from the infected systems are taken into a encryption algorithm for encryption and the attackers on the wait, would receive mails asking them to decrypt the files.

Significantly, two commands would be in force to complete the malicious system. Firstly, there would be a command to start the crypto currency monero process while the second one would be to mine the original one.

Hacker himself got hacked.

It turns out that most samples of the LokiBot malware being distributed in the wild are modified versions of the original sample, a security researcher has learned.

Targeting users since 2015, LokiBot is a password and cryptocoin-wallet stealer that can harvest credentials from a variety of popular web browsers, FTP, poker and email clients, as well as IT administration tools such as PuTTY.

The original LokiBot malware was developed and sold by online alias "lokistov," a.k.a. "Carter," on multiple underground hacking forums for up to $300, but later some other hackers on the dark web also started selling same malware for a lesser price (as low as $80).

It was believed that the source code for LokiBot was leaked which might have allowed others to compile their own versions of the stealer.

However, a researcher who goes by alias "d00rt" on Twitter found that someone made little changes (patching) in the original LokiBot sample, without having access to its source code, which let other hackers define their own custom domains for receiving the stolen data.

Hackers Are Actively Spreading "Hijacked" Versions of LokiBot

The researcher found that the C&C server location of the malware, where the stolen data should be sent, has been stored at five places in the program four of them are encrypted using Triple DES algorithm and one using a simple XOR cipher.

The malware has a function, called "Decrypt3DESstring", that it uses to decrypt all the encrypted strings and get the URL of the command-and-control server.

The researcher analyzed the new LokiBot samples and compared them with the old original sample, and found that Decrypt3DESstring function in new samples has been modified in a way that it always return value from the XOR-protected string, instead of Triple DES strings.

These changes allowed anyone with a new sample of LokiBot to edit the program, using a simple HEX editor, and add their own custom URLs for receiving the stolen data.

However, it is not clear why the original malware author also stored the same C&C server URL in a string encrypted by the less secure XOR cipher, even when it was unnecessary.

A lot of different LokiBot samples currently distributed in the wild and available for sale on the underground market at a very low price have also been patched in the same way by several hackers.

Meanwhile, the original author of LokiBot has already launched its new version 2.0 and selling it online on many forums.

The decryption function was also being used to get registry values required for making the malware persistent on a system, but since after patching the decryption function only returns a URL, the new LokiBot samples fails to restart after the device reboots.

A Department of Homeland Security-funded product designed to better protect mobile-phone users from phishing is becoming available to government and private-sector clients, the department said Thursday.

DHS’s Science and Technology Directorate, which partially funded the tools made by mobile security company Lookout, hailed the product’s ability to block phishing attempts and detect malware lurking in mobile applications. The beefed-up product, Lookout Mobile Endpoint Security, is now available for Android and iOS operating systems, the department said.

Phishing offers hackers a cheap and easy foothold into a network by exploiting people’s trust in the internet. The rate at which victims are falling for phishing attacks on mobile devices has grown an average of 85 percent annually since 2011, according to a study by Lookout, which is based in San Francisco.

DHS is trying to lessen the threat to mobile users, including those in government, by investing in Lookout’s technology, which the department said inspects all outbound network connections but does not read message content.

The technology will “greatly increase the security of the federal government’s mobile systems for mission-critical activities,” S&T program manager Vincent Sritapan said in a statement.

“Simply managing a mobile device is not enough to protect sensitive government information,” Sritapan added. “The device also must have mobile endpoint security that alerts IT and security personnel to potential attacks.”

The mobile-protection technology targets another common hacking scheme in which attackers lace popular mobile apps with malware. Last year alone, security specialists removed 700,000 malicious apps from the Google Play store.

In announcing the newly available product, DHS cast malicious apps as a clear and present danger to federal IT networks.

“Vulnerabilities discovered in new devices and apps may be used by hackers as vectors to access sensitive government information and attack legacy enterprise network systems,” the department said. Government mobile devices are an attractive avenue to attack backend systems containing data on millions of Americans and sensitive information relevant to government functions.

Lookout plans to add several security features to the mobile-security product, according to DHS, including greater detection of things like man-in-the-middel attacks.

Malware can read, intercept, or tamper with the traffic of any HTTPS-protected site.

Tens of thousands of Fortnite players have been infected by malware that hijacks encrypted Web sessions so it can inject fraudulent ads into every website a user visits, an executive with a game-streaming service said Monday.

Rainway CEO Andrew Sampson said in a blog post that company engineers first detected the mass infections last week when server logs reported hundreds of thousands of errors. The engineers soon discovered that the errors were the result of ads that somehow were injected into user traffic. Rainway uses a technique known as whitelisting that permits customers to connect only to approved URLs. The addresses hosting the fraudulent addresses—hosted on the adtelligent.com and springserve.com domains—along with unauthorized JavaScript that accompanied them made it clear the traffic was generated by malware infecting a large number of game players using the Rainway service. Rainway is a cloud-based service that lets people play PC games remotely, similar to PlayStation Now.

“As the errors kept flowing in, we took a glance at what these users had in common,” Sampson wrote. “They didn’t share any hardware, their ISPs were different, and all of their systems were up to date. However, one thing did stand out—they played Fortnite.”

Root certificate installed

Suspecting the malware was spread by one of the countless Fortnite cheating hacks available online that promise to give users an unfair advantage over other players, Rainway researchers downloaded hundreds of the hacks and scoured them for references to the rogue URLs. The researchers eventually found one Sampson declined to name that promised to allow users to generate free in-game currency called V-Bucks. It also promised users access to an “aimbot,” which automatically aims the character’s gun at opponents without any need for precision by the player. When the researchers ran the app in a virtual machine, they discovered that it installed a self-signed root certificate that could perform a man-in-the-middle attack on every encrypted website the user visited.

Sampson wrote: “Now, the adware began altering the pages of all Web requests to add in tags for Adtelligent and voila, we’ve found the source of the problem—now what?”

Rainway researchers reported the rogue malware to the unnamed service provider that hosted it. The service provider removed the malware and reported that it had been downloaded 78,000 times. In all, the malware generated 381,000 errors in Rainway’s logs. The researchers also reported the abuse to Adtelligent and Springserve. Adtelligent, Sampson said, didn’t respond, but Springserve helped to identify the abusive ads and remove them from its platform. Adtelligent officials didn’t immediately respond to a message seeking comment for this post. Officials from Epic Games, the maker Fortnite, declined to comment.

Sampson also said that Rainway implemented a defense known as Certificate pinning. Certificate pinning binds a specific certificate to a given domain name in order to prevent browsers from trusting fraudulent TLS certificates that are self-signed by an attacker or misissued by a browser-trusted authority. While the adoption of certificate pinning is a good defense-in-depth move, it unfortunately would do nothing to protect users against root certificates installed to perform man-in-the-middle attacks, as Google researchers have warned for years. That means the malware has the ability to read, intercept, or tamper with the traffic of any HTTPS-protected site on the Internet.

Virus-free. www.avg.com

Newly discovered cryptocurrency mining bot targeting the Internet of Things (IoT) devices which contain SSH service and IoT-related ports, including 22, 2222, and 502.

Cryptocurrency-mining malware consumes the system resources and utilizes them for mining cryptocurrencies without user permissions.

This crypto-mining attack will work for all the connected devices and servers that running under SSH service.

SSH service provides the secure connection for IoT (Internet of Things) refers to devices that are connected to the Internet.

Attackers using Various social Engineering tricks to compromise victims and Monero and Ethereum coins to gain huge profits using another device.

The uncovered bot mainly searches for the device that running with open Remote Desktop Protocol (RDP) port and taking advantages of vulnerable devices and run the script that download & install the malware.

Botnet Infection process on SSH Service

Initially, botnet host the malicious script using specific website and the script will download the files from hxxps://www[.]yiluzhuanqian[.]com/soft/Linux/yilu_2_[.]tgz and save it into the temp folder.

This is one of the widely using exploitation technique against Linux-based servers and this bot is able to load miners on Linux.

Script downloaded site appears to be financial scam site and the attacker using sophisticated techniques that helps switch to another domain to continue operations if the link is blocked at any cost.

So once the downloaded malicious script will be executed then it first checks the internet connectivity the connect to Baindu.com after that, it checks the OS that running on the target and it specifically targets the Linux based operating system.

The huge page and memlock are also set up helps to enhance the more computational power to mining the cryptocurrency.

Once those are set up, the script downloads the miner, disguised as a download of a libhwloc4library and this miner using some persistence mechanism to keep running the miner even after rebooting the computer.

According to Trend micro report, The file cmd.txt lists commands used to run the “mservice” binary with parameters, which then installs the actual miner, “YiluzhuanqianSer.” (Note that the miner is related to the potential scam site domain.Apart from this a conf.json file contains e web shell/backdoor and the additional directories includes two binaries and even a cmd.txt file that contains commands used to run the miner.

This type of mining operation that targets connected devices for profit is not the first of its kind. Moreover, security incidents that make use of bots to target IoT devices have made headlines on several occasions Trend Micro said.

ATM Penetration testing, Hackers have found different approaches to hack into the ATM machines. Programmers are not restricting themselves to physical assaults, for example, money/card catching, skimming, and so forth they are investigating better approaches to hack ATM programming.

An ATM is a machine that empowers the clients to perform keeping money exchange without setting off to the bank.

Utilizing an ATM, a client can pull back or store the money, get to the bank store or credit account, pay the bills, change the stick, redesign the individual data, and so on. Since the ATM machine manages money, it has turned into a high need focus for programmers and burglars.

In this article, we will perceive how do an ATM functions, security arrangements used to secure the ATMs, diverse sorts of infiltration testing to break down ATM security and a portion of the security best practices which can be utilized to evade ATM hack.

Also Read ATM Black box attacks – ATM Jackpotting

ATM Work Function :

Most of the ATMs have 2 input and 4 output. The card reader and keypad are input whereas a screen, receipt printer, cash dispenser, and the speaker are output.

There are for the most part two sorts of ATM’s which vary as indicated by the way they work. They can be called as

1.Rented line ATM
2.Dial-up ATM machines

Any ATM machine needs an information terminal with two data sources and four yield gadgets. Obviously, for this to happen there ought to likewise be the accessibility of a host processor. The host processor is important so that the ATM can interface furthermore speak with the individual asking for the money. The Internet Service Provider (ISP) additionally assumes an essential part in this activity. They go about as the passage to the halfway systems furthermore the bank PC.

Image Credit : HowstuffWorks

A rented line ATM machine has a 4-wire, indicate point committed phone line which assists in associating it with the host processor. These sorts of machines are favored in spots where the client volume is high. They are viewed as top of the line and the working expenses of this sort of a machine is high.

The dial-up ATM machines just has an ordinary telephone line with a modem and a toll free number. As these are typical associations their underlying establishment cost is less and their working costs just turn into a small amount of that of a rented line ATM.

The host is primarily claimed by the bank. It can likewise be claimed by an ISP. On the off chance that the host is possessed by the bank just machines that work for that specific bank will be upheld.

Also Read Undetectable ATM “Shimmers” Hacker’s Latest Tool for Steal your Chip Based Card Details

ATM BPT style penetration testing

Security professionals perform advanced penetration tests on automated teller machine (ATM) solutions in the financial sector. In most cases, serious security flaws are identified in the ATM configurations and associated processes.

ATMs test with our ‘Business Penetration Test’ (BPT) methodology, which simulates real attacks on ATM solutions. This includes carefully designed targeted attacks, which combines physical, logical and optionally social engineering attack vectors.

ATM security is often considered a complex area by IT security managers, who tend to focus more on the physical risks and less on the logical weaknesses in the operating system and application layer.

Meanwhile, ATM security is a business area that often lacks holistic security assessments. Our ATM tests are based on this belief, and seek to paint a holistic ) picture of your ATM environment.

Physical controls

Many banks rely heavily on the assumption that physical access to their ATM solutions is effectively restricted. In the meantime repeated, illustrates how little effort is often required to gain unauthorized access to the ATM CPU, which controls the user interface and transaction device.

Logical controls

With physical access to the ATM CPU, authentication mechanisms can be bypassed to gain unauthorized access to the ATM platform.

With this access, an attacker may be able to steal credit card data that is stored in file systems or memory, without ever alerting the bank. Furthermore, experts able to demonstrate, this unauthorized access can be expanded from the ATM to the bank’s network and back-end servers by using the compromised ATM as an attack platform.

ATM solution management processes associated with third party service providers and application development vendors are often the golden key for an attacker, and can be included in the scope of our test to identify logical weaknesses in trust relationships that an attacker can exploit to compromise an ATM.

ATM ecosystem

An ATM solution and network form a complex ecosystem that consists of different vendors and responsible agents, both internal and external to the banking organization.

Due to the complexity of this ecosystem with its distributed roles and responsibilities that cross organizational boundaries, the areas associated with security risk are often overlooked. The ATM application itself, with its software updates, operating system patches, platform hardening, and networks, is often vulnerable to attacks.

These attacks are not necessarily sophisticated and often not included in standard penetration tests.

Security Best Practices to be followed for ATM

The banks can implement security best practices to reduce the attack surface for the attacker. This section can be categories into three categories:

1.Protection against physical attacks:

• Detection and protection against Card skimming.
• Detection and protection against card/ cash trapping.
• Detection against keypad tampering.
• Mirror and pin shield to identify and prevent shoulder surfing attack.
• Implementing a DVSS camera inbuilt in the ATM to capture facial features of the user along with transaction details and timestamp.
• Vault protection against fire, explosion, etc.
• Lock protection again unauthorized access to banknotes or bills.
• Electric power point and network point protection.
• Disabling unused network and electric port.
• The ATM must be grouted on the floor to secure against threats related to the robbery. ATM can be implemented with shock sensor to identify the impact and movement of ATM machine.
• Implementation of CCTV camera. The presence of security guard.

2 . Protection against logical attacks:

• Protection against unauthorized booting by setting non-guessable boot and BIOS password. Most of ATM have default boot password configured.
• Protection against USB and unauthorized hard disk access.
• OS hardening and latest patch.
• Whitelisting the application, services, and process on ATM.
• Running ATM with least privilege user. Need to know and need to have approach.
• File integrity checks.
• Securing the transaction logs.
• Use of secure channel for the communication and transaction.
• Configure security best practices in ATM application.
• Antivirus protection.
• ATM network segregation with other networks.
• Protection against Malware like tyupkin, ploutus, etc.

3 . Protection against fraud attacks:

• Implementation of geo-blocking. In this implementation, the card can only be used in originating country or region. The user has to take permission to use the card outside the originating country.
• Implementation of chip and pin based card to mitigate copied and skimming card based attack.
• Implementing a behavior mentoring which detects the unusual transaction in term of the amount, place of transaction, frequency of transaction, etc.

Assessment of ATM Security Solution installed in the ATM:

ATM security solutions

Most of the ATMs run on Windows XP and 7. Patching individual ATM is a quite complex process. Since Windows XP is no longer supported by Microsoft, many ATM vendor uses security solution to mitigate the threats related to ATM attacks such as Malware-based attacks, OS-level vulnerabilities. These security solutions allow the ATM application to run in very restrictive environment with limited services and processes in the back end. Two of such security solutions are Mcafee Solidcore and Phoenix Vista ATM.

Mcafee Solidcore:

McAfee Application Control blocks unauthorized executables on servers, corporate desktops, and fixed-function devices. Using a dynamic trust model and innovative security features such as local and global reputation intelligence, real-time behavioral analytics, and auto-immunization of endpoints, it immediately thwarts advanced persistent threats—without requiring labor-intensive list management or signature updates.

• Complete protection from unwanted applications with coverage of executable files, libraries, drivers, Java apps, ActiveX controls, scripts, and specialty code.
• Flexibility for desktop users and server admins with self-approval and auto-approval based on application rating.
• Viable security for fixed-function, legacy, and modern systems.
• Patch cycle reduction and advanced memory protection.
• Centralized, integrated management via McAfee ePolicy Orchestrator.

Phoenix Vista ATM:

Phoenix Vista ATM is a product of Phoenix Interactive Design Inc .This solution integrates with the ATM application itself. This application works on file integrity check where any modification/tampering with the application related critical file will result in a system shutdown. This disallows any unauthorized program to modify the application specific file.

XFS (extensions for Financial Services) provides a client-server architecture for financial applications on the Microsoft Windows platform, especially peripheral devices such as ATM’s which are unique to the financial industry. It is an international standard promoted by the European Committee for Standardization (known by the acronym CEN, hence CEN/XFS). XFS provides a common API for accessing and manipulating various financial services devices regardless of the manufacturer.

Vista ATM communicates with the XFS layer which gives commands to the hardware like cash dispenser of the ATM to dispense the cash. Any unauthorized modification in XFS files will trigger the Vista ATM application to restart the machine forcefully. The machine restarts 4-5 times, and after that, it goes into maintenance mode which does not allow the user to perform any transaction.