
Cisco has a wormable vulnerability in its Firewall appliances, crimeware that allows unlimited ATM withdrawals & the big problem with the Java installer.
Plus great questions, a rocking round up & much, much more!
— Show Notes: —
Cisco ASA IPSec vulnerability given highest possible CVSS score
- Cisco has released a patch for a critical vulnerability in its ASA (Adaptive Security Appliance) firewalls
- “The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server. It is advertised as “the industry’s most deployed stateful firewall.” When deployed as a VPN, the device is accessible from the Internet and provides access to a company’s internal networks.”
- “A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.“
- “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”
- So the router can be owned by a single UDP packet. Once compromised, it could be controlled by the attacker and used to send more of those UDP packets to other devices, making this a “wormable” exploit
- Affected devices include:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
- Users of ASA software versions 7.x and 8.0 – 8.6 will be forced to upgrade to ASA version 9.1
- The researchers have dubbed the exploit “Execute My Packet”
- “The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data.”
- Exploitation attempts can be detected with packet inspection:
- “Looking for the value of the length field of a Fragment Payload (type 132) IKEv2 or IKEv1 packet allows detecting an exploitation attempt. Any length field with a value < 8 must be considered as an attempt to exploit the vulnerability. The detection also has to deal with the fact that the multiple payloads can be chained inside an IKEv2 packet, and that the Fragment Payload may not be the only/first payload of the packet.”
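The detection rule above, written out as an added example (this is not the researchers' or Cisco's code): walk the ISAKMP payload chain of an IKE message, wherever the fragment payload sits in it, and flag any type 132 payload whose length field is below 8. It assumes the input is the raw ISAKMP message carried in a UDP/500 datagram; the SPIs, exchange type and fragment body layout in the constructed sample messages are dummies.

```python
"""Added example: walk the ISAKMP payload chain of an IKE message and flag
Cisco fragment payloads (type 132) whose length field is below 8, as the
researchers' detection advice describes. Sample messages are constructed."""
import struct

ISAKMP_HEADER_LEN = 28          # fixed ISAKMP/IKE header (RFC 2408, RFC 7296)
GENERIC_PAYLOAD_HDR_LEN = 4     # next-payload, flags/reserved, 16-bit length
CISCO_FRAGMENT_PAYLOAD = 132    # private-use payload type carrying Cisco fragments
MIN_FRAGMENT_LEN = 8            # smaller cannot hold generic header + fragment header
NO_NEXT_PAYLOAD = 0


def walk_payloads(msg):
    """Yield (payload_type, length_field, offset) for every payload in the chain.
    The first type comes from the header's next-payload byte (offset 16); each
    generic payload header then names the type of the payload that follows it.
    Walking stops at the chain end, at a length too small to advance, or when a
    declared length would run past the end of the message."""
    if len(msg) < ISAKMP_HEADER_LEN:
        return
    ptype = msg[16]
    offset = ISAKMP_HEADER_LEN
    while ptype != NO_NEXT_PAYLOAD and offset + GENERIC_PAYLOAD_HDR_LEN <= len(msg):
        next_type, _flags, length = struct.unpack_from("!BBH", msg, offset)
        yield ptype, length, offset
        if length < GENERIC_PAYLOAD_HDR_LEN or offset + length > len(msg):
            return  # malformed: advancing would loop or read out of bounds
        offset += length
        ptype = next_type


def detect_fragment_exploit(msg):
    """Return [(offset, length_field)] for fragment payloads with length < 8,
    wherever they sit in the chain; an empty list means nothing suspicious."""
    return [(offset, length) for ptype, length, offset in walk_payloads(msg)
            if ptype == CISCO_FRAGMENT_PAYLOAD and length < MIN_FRAGMENT_LEN]


# --- constructed sample messages (not captured traffic) ---------------------

def _payload(next_type, data, length_field=None):
    """Encode one payload; length_field overrides the true length for the crafted case."""
    length = GENERIC_PAYLOAD_HDR_LEN + len(data) if length_field is None else length_field
    return struct.pack("!BBH", next_type, 0, length) + data


def _header(first_payload, body_len, major=2):
    """ISAKMP header with dummy SPIs, exchange type and flags (not a real session)."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first_payload,
                       major << 4, 34, 0x08, 0, ISAKMP_HEADER_LEN + body_len)


SA_PAYLOAD_TYPE = 33            # IKEv2 Security Association payload
SA_DATA = b"\x00" * 8           # placeholder SA body
FRAG_DATA = struct.pack("!HBB", 1, 1, 1) + b"A" * 16   # assumed fragment layout

# Benign: SA payload first, then a well-formed fragment payload (length 4 + 20 = 24).
_good_body = _payload(CISCO_FRAGMENT_PAYLOAD, SA_DATA) + _payload(NO_NEXT_PAYLOAD, FRAG_DATA)
GOOD_MSG = _header(SA_PAYLOAD_TYPE, len(_good_body)) + _good_body

# Crafted: same chain, but the fragment payload's length field claims only 2 bytes.
_bad_body = _payload(CISCO_FRAGMENT_PAYLOAD, SA_DATA) + _payload(NO_NEXT_PAYLOAD, FRAG_DATA, length_field=2)
BAD_MSG = _header(SA_PAYLOAD_TYPE, len(_bad_body)) + _bad_body

# Crafted: fragment payload as the first and only payload, under an IKEv1 header.
_first_body = _payload(NO_NEXT_PAYLOAD, b"", length_field=4)
BAD_FIRST_MSG = _header(CISCO_FRAGMENT_PAYLOAD, len(_first_body), major=1) + _first_body

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MSG), ("bad", BAD_MSG), ("bad_first", BAD_FIRST_MSG)):
        print(name, [t for t, _, _ in walk_payloads(msg)], detect_fragment_exploit(msg))
```

The walker deliberately stops at the first payload whose length cannot advance the cursor: a length below 4 would otherwise spin forever, and a length that overruns the buffer is exactly the condition the rule is looking for. On UDP/4500 (NAT-T) the ISAKMP message is preceded by a 4-byte non-ESP marker that would need to be stripped before calling these functions.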
- Researcher Post
- Additional Coverage: SANS
- SANS says “We are seeing a LARGE INCREASE in port 500/UDP traffic (see and select TCP Ratio for the left Y axis. earlier spikes affecting this port were mostly TCP)”
Metel crimeware allows unlimited ATM withdrawals
- An APT (Advanced Persistent Threat) crimeware package has been found in the wild, being used to drain ATMs and bank accounts
- This type of attack was previously the exclusive territory of Nation States
- “It contains more than 30 separate modules that can be tailored to the computer it’s infecting. One of the most powerful components automatically rolls back ATM transactions shortly after they’re made. As a result, people with payment cards from a compromised bank can withdraw nearly unlimited sums of money from ATMs belonging to another bank. Because the Metel module repeatedly resets card balances, the criminals never pass the threshold that would normally freeze the card. Last year, the rollback scheme caused an unnamed bank in Russia to lose millions of rubles in a single night.”
- “Metel usually gains an initial foothold by exploiting vulnerabilities in browsers or through spear phishing e-mails that trick employees to execute malicious files. Members of the Metel hacking gang then use legitimate software used by server administrators and security researchers to compromise other PCs in an attempt to further burrow into the targeted network. They will often patiently work this way until they gain control over a system with access to money transactions, for example, PCs used by call center operators or IT support.”
- “Metel illustrates the growing sophistication of hackers targeting banks. It wasn’t long ago that reconnaissance, social engineering, state-of-the-art software engineering, lateral movements through a network, and long-term persistence were largely the exclusive hallmarks of so-called advanced persistent threat actors that painstakingly hack high-profile targets, usually on behalf of government spy agencies. Hackers targeting financial institutions, by contrast, took a more opportunistic approach that infected the easiest targets and didn’t bother with more challenging ones. Now, sophisticated techniques are increasingly a part of financially motivated hacking crimes as well.”
- Other groups have been found doing similar things:
- “The so-called GCMAN group, which gets its name because its malware is built using the GCC compiler. Like Metel, its members gain an initial foothold into financial institutions using spearphishing e-mails and from there use widely available tools such as Putty, VNC, and Meterpreter to broaden their access. In one case, GCMAN members had access to one targeted network for 18 months before siphoning any funds. When the group finally sprang into action, it used automated scripts to slowly transfer funds—about $200 per minute—into the account of a so-called “mule,” who was designated to withdraw the money.”
- “The Carbanak 2.0 malware, which in one recent case used its access to a financial institution to change ownership details of a large company. The records were modified to list a money mule as one of the shareholders. After attacking a variety of banks last year, the gang took a five-month sabbatical that caused Kaspersky researchers to think it had disbanded. In December, Kaspersky confirmed the group was active and had overhauled its malware to target new classes of victims”
- “Kaspersky researchers said all three gangs appear to be active and are known to have collectively infected 29 organizations in Russia. The researchers said they suspect the number of institutions hit by the groups is much higher.”
- Researcher Post
- Indicators and Signatures
Java installer vulnerable to binary planting
- “On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later.”
- Oracle Advisory
- “On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important.”
- “The reason is that older Java installers are designed to look for and automatically load a number of specifically named DLL (Dynamic Link Library) files from the current directory. In the case of Java installers downloaded from the Web, the current directory is typically the computer’s default download folder.”
- This allows an attacker to plant their own malicious binaries in that folder; when the “trusted” Java installer is then run with elevated privileges, the malicious .dll it loads runs with those same privileges
- “To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user’s system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.”
- It is not clear how Oracle’s new Java installer is improved, but it is likely not as good as it should be
- Many other installers are likely vulnerable in the same way, but those applications do not have the same install base as Java
- For less sophisticated users, the process of “clearing download history” would seem to imply that the files are removed as well, which is not the case
Feedback:
Round Up:
- Super Bowl fans use a record 10TB of data on Levi’s Stadium WiFi network, up 63% from 2015
- Paper: How Complex Systems Fail
- Hacker leaks thousands of FBI, DHS employees’ details
- Norse are not the only ones that can do Visualizations
- Google Will Reject All Flash Based Adverts In a Push For HTML5
- Krebs: Credit Card skimmers at the self checkout at Safeway
- U.S. can’t ban encryption because it’s a global phenomenon, Harvard study finds
- Krebs: New e-commerce fraud, order expensive merchandise just to steal the rewards points
- Linux kernel bug delivers corrupt TCP/IP data to Mesos, Kubernetes, Docker containers
- New tool from Harvard, AMBER, a WordPress and Drupal plugin that automatically archives pages you link to, serves that copy if the original goes away, or falls back to the Archive.org Wayback Machine
- “Revenue per employee, 2015: Yahoo: $419,830 Twitter: $462,009 MSFT: $789,145 Google: $1,160,648 Facebook: $1,412,655 Apple: $2,032,304”
- “Profit per employee, 2015: Twitter: -$129,334 Yahoo: $54,182 MSFT: $102,822 Google: $250,367 Facebook: $290,600 Apple: $464,296”