A 0-day exploit is attacking Microsoft Windows boxes all over the web, thanks to a weaponized power power presentation. No, I’m not kidding. The details are fascinating.

Old ATMs become more and more of a target & it’s not because of Windows XP, and great big batch of your questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Older ATMs being targeted more and more often by Malware attacks

• Krebs describes the growing trend in ATM “Jackpotting”
• Formerly, the most common attack against ATMs was skimming, installing small physical devices to read the card data and capture the PIN of victims who use the ATM, and then creating fake cards to empty the victims’ accounts
• The new trend, installing Malware on the computer that operates ATM, allows the attackers to drain all of the cash out of the ATM, without requiring compromised accounts with large balances
• The fraud is harder to detect because money does not go missing from bank accounts in real time, the theft may not be discovered until the ATM is emptied and stops dispensing cash
• Some of the malware is even smart enough to interfere with the ATM’s reports back to the bank about the level of cash available, that might tip the bank off to the fact that the ATM is infected
• “Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR.”
• In an Interview with Owen Wild, NCR’s “global marketing director, security compliance solutions”, Krebs learned:
• More than half of the ATM install base is using a model that was discontinued 7 years ago (Windows XP Based?)
• Most of the attacks involve physically assaulting the ATM, removing the top of front casing to access the standard PC inside, and then infecting the machine via CD or USB stick
• “What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.”
• When asked about Windows XP: “Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play.”
• It would seem that installing malware on the machine would affect newer versions of Windows almost as easily, so Windows XP might not actually be that big of a factor in these cases
• “Most of these attacks come down to two different ways of jackpotting the ATM. The first is what we call “black box” attacks, where some form of electronic device is hooked up to the ATM — basically bypassing the infrastructure in the processing of the ATM and sending an unauthorized cash dispense code to the ATM. That was the first wave of attacks we saw that started very slowly in 2012, went quiet for a while and then became active again in 2013.”

Sandworm Team – not a worm, but still a big deal

• “Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.”
• This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.”
• The vulnerability exploits a flaw in the Microsoft OLE functionality
• It allows a PowerPoint or other office document to have an embedded file, or to embed and external untrusted resource
• This can cause remote code execution, allowing the attacker to run any code they wish as the user who is opening the document
• In the case of at least on attack, the embedded file was a .inf that then installed malware on the system
• Many users still run with administrative rights, giving the malware full control of the target system
• iSight Partners says: “We are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. We are tracking active campaigns by at least five distinct intrusions teams”, “As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia”
• “For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya”
• Trend Micro also found this same flaw being used against SCADA systems: “These attacks target Microsoft Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI solution suite with a spear phishing email.”, which downloads the Black Energy malware
• Researcher Post
• Technical Analysis by HP Security Research
• Additional Coverage – ZDNet
• Microsoft Security Bulletin

Delivering malicious Android apps hidden in image files

• Researchers have discovered a way to deliver Android malware by embedding the encrypted form in an image file
• The attack was demonstrated at Black Hat Europe last week in Amsterdam
• The tool encrypts a malicious .APK in such a way that it appears to be a .JPG or .PNG image file
• Then, they developed a simple wrapper .APK that includes that image file, and the ability to decrypt it
• Thus, the malicious app remains hidden from reverse engineering, anti-virus, and the Google Bouncer, so can be listed in the Google Play Store
• “In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader”
• Work was inspired by a previous exploit, Android/Gamex.A!tr that hid its payload in a .zip file named logos.png, with the added twist that the .zip was valid and innocuous, but if XOR’s with a key (18), it was also a valid .zip file containing a malware payload
• It turns out that .zip files do not require the header to be at the beginning of the file, so by simply concatenating a .png and a .zip file, the file will look like a valid .png, but can also be extracted as a valid .zip file
• PDF: Slides
• Example Code, Create a .PNG, .JPG, .FLV, or .PDF
• PDF: Paper

Feedback:

• Embed Browser For Steam

• Cheap NAS/Media Server

• Patch & System Management .:. Especially with all these recent bugs!

• Central Firewall Management

• But is it really your job to point out other peoples security issues?

• ZFS lag 🙁

• Windows Explorer and SMB Traffic – Ask the Performance Team – Site Home – TechNet Blogs

Round Up:

• Disney rendered its new animated film on a 55,000-core supercomputer
• Cisco finally fixed telnet bug from 2011 in Web Security Appliance, Email Security Appliance and Content Security Management Appliance
• Google’s 2-Step Verification Now Supports FIDO “Universal 2nd Factor” Open Standard
• Ironic: Publisher of Brian Krebs’ book discloses credit card breach in online shopping cart
• Hungary plans new tax on Internet traffic, public calls for rally
• MongoDB Advisory: Using MongoDB on Linux on top of VMWare may cause namespace files to be improperly zeroed, resulting in left over data that when read later is interpreted as a corrupt namespace, rather than the expected empty space. Patch resolves issue by manually zeroing the file rather than using the kernel facility to zero the entire file
• T-Mobile to upgrade US Cellular network 2G encryption from A5/1 to A5/3 to make surveillance harder. Made similar changes in Germany last year after NSA revelations
• Week old Flash vulnerability already included in 2 major Exploit kits, being deployed on legitimate infected sites throughout the Internet
• Kickstarter Freezes Anonabox Privacy Router Project for Misleading Funders
• Samsung acknowledges flaw in EVO 840 SSDs, issues Firmware update and “Data Migration Software” that re-writes data on the SSD to ‘refresh’ it, making reads faster again
• South Korea to rebuilt national ID system after a series of data breaches since 2004 have left 80% of the country exposed to identity theft. Many similar mistakes to US ID system, overuse across different sectors made the single ID number a ‘master key’ to a persons Identity, Inability to get a new ID number left victims with no recourse, and the ID numbers are based on date of birth and sex. Also, the government required the use of Microsoft ActiveX to provide digital signatures when interacting with banks and the government online