Security Weekly 25

Security Weekly 25 Main Logo

Security Weekly 25: Quiet Hunting, or Carbanak to the Rescue, Why Firefox Needs a Features Of Tor Browser, Why Break the Lock if You Can go Into the Keystore

Who does not know Carbanak? A few years ago, these smart guys skillfully took away, according to some reports, up to a billion dollars from a good hundred banks of the United States, Japan, Russia, Ukraine.

  • The experts identified a group of cyber criminals under the code name Silence, who diligently copied the best techniques of Carbanak in trying to reach bank accounts.

The approach of attack is really painfully similar: through a phishing letter to a bank employee, intruders manage to penetrate into its internal network, settle there and quietly study the infrastructure, while sending out “contracts” to partners – that is, the same malicious letters, but on behalf of real employees and even with their signature. It is clear that in this scenario, the infected attachment will be clicked with a high degree of probability, rather than a letter from another Nigerian philanthropist. Old-good social engineering is still on horseback.

  • Silence uses the proprietary format of Microsoft’s online Help (Compiled HTML Help or CHM). After the victim opens the attachment, the “start.htm” file containing JavaScript inside is launched, the purpose of which is to download the dropper from the specified address to perform the next step.
  • Furthermore: the dropper loads the Silence Trojan, whose modules function as Windows services. Among them: a control and monitoring module, a module for recording screen activity, a module for communicating with management servers, and a program for remote execution of console commands.

Having freely settled in an infected network, intruders begin to partisan – to save data, record images from the victims’ screens, calculating “cash cows” – holders of the necessary information. Once they manage to get to the bottom of the “truth” – the algorithm of the work of information systems of such employees – the finances are smoothly removed from the accounts and migrated to the pockets of intruders.

Mozilla removes the shadowing from Firefox

Security Weekly 25 Photo 1

Sometimes you proudly refuse to save cookies, you go to a new site and you think that you have not noticed it. But in fact, most likely you were counted. They just did it in a slightly more sophisticated way. One of many such tools is Canvas Fingerprinting.

What is the essence? On many sites, a special tracking code is installed. It just asks the browser to draw a hidden image, and due to the peculiarities of the particular system (GPU, driver, browser version and so on), the image is no less unique than the human fingerprint. So the computer is reliably identified. This knowledge can be used for very different purposes. Most often – to show the right advertising. And it’s virtually impossible to disable Canvas Fingerprint in popular browsers.

In January 2018, Mozilla promised to make “support” Canvas Fingerprint switchable. This option will be available in Firefox 58. It’s interesting that the Canvas Fingerprint lock function came to Firefox straight from the Tor Browser, which is based on the Firefox code. Previously, functions migrated just from Firefox to Tor. It remains to understand what to do with the rest fingerprints and you can live peacefully.

Why break the lock if you can go to the Keystore?

Security Weekly 25 Photo 2

Programmer Alex Birsan recently earned $ 15,000 for pointing out a vulnerability in Google’s Issue Tracker, which allows you to get information from the internal bug repository, which Google affectionately calls Buganizer.

  • Anyone who has a Google account can add information to the list, but the list of open issues is only available to employees of the corporation. At least that’s how it was meant.

Alex found a way with a Javascript (via POST request) to get a full description of the bugs. He, however, immediately specifies that he did not read the bugs and did not remember any secrets. Now, of course, the loophole is closed, and Birsan can buy something nice for the award.

  • It’s worth noting that this is not the first story with unauthorized access to a vulnerability store belonging to a company of this level. Something similar happened in 2013 with Microsoft. And after all, it would seem that such services should be guarded especially carefully, especially since they are held by absolutely all IT companies.

Potentially, an attacker can get not only hundreds of carefully described and tested vulnerabilities in bulk, but also interfere with the work of the tracker. Change the status of the vulnerability to a lower one or just close the ticket as unconfirmed. Theoretically, this may allow delaying the closure of the vulnerability indefinitely.