
Security Week 16: SWIFT under the hood, another Magento hole, a honeypot for a friend

Shadow Brokers are clearly jealous of Assange's fame. Earlier they played poker with the stale archives of NSA tools they had posted, which in themselves caused considerable hype around the NSA. Now Shadow Brokers are a kind of Wikileaks, only better: this time they leaked not only exploits, but also logs and downright secret documents. Where before one had to guess how and for what the NSA used its implants, now it is known for sure: SWIFT has long been under the agency's hood.

This is about the SWIFT network, which handles interbank money transfers: the most important thing for international trade, and actively used within countries as well. Just recently I wrote about the Lazarus group, which makes money through SWIFT, and there is a lot of money there. But the most those guys can do is empty a bank's SWIFT correspondent account. The NSA swung wider.

According to the Shadow Brokers documents, hackers from the Equation group linked to the NSA found a way into a SWIFT service bureau. For the SWIFT network, these organizations play the same role as Internet service providers do for the Internet: they provide end users (in this case, banks) with access to network resources, plus offer related services. And the new leak contained fairly convincing evidence that the network of at least one of these providers was successfully hacked by the NSA.

The compromised provider, the EastNets Service Bureau, of course immediately declared that, firstly, its systems run on an isolated network and could not possibly be hacked, and, secondly, it was all a long time ago anyway, and the hacked server was switched off in 2013.
[Lyrical digression on] Tales about their own communication channels, physically unconnected to the Internet, are sung by many organizations dealing with very large money or top-secret data. Sometimes it is true, but often it is wishful thinking: building a fully connected, physically isolated network for a large organization is very expensive, and administering it is hellishly inconvenient. One really, really wants to just fence off a piece of the network with reliable, unbreakable firewalls. [Lyrical digression off]

A new zero-day found in Magento
Lately Magento is mentioned in the news no less often than WordPress: a hole here, a hole there. Meanwhile, this CMS powers online stores. In Russia, for example, Lamoda, Auchan, Philips and Huawei, and dozens of smaller market players run on it.

The vulnerability was found in the function that lets an administrator add Vimeo videos to a product description. In short, an attempt to upload a video preview image whose URL points not at an image but at something else (for example, a PHP file) returns an error. But the bogus file is downloaded to the server anyway! So if you feed Magento an .htaccess that allows PHP to run, and then a PHP file that launches a command shell, you can do anything on the server.
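The bug above is an ordering problem: the fetched content is written to disk before anyone has decided whether it is an image. The following Python is an added illustration of the hardened ordering and of a defender-side audit, not Magento's own code; the file names, the extension allowlist, the media directory and every "response" it handles are constructed for the example.

```python
"""Hardened handling of an admin-supplied preview-image URL.

Added illustration, not Magento's code. It models the failure mode
described above (a fetched non-image is persisted even though the request
ends in an error) and the safe ordering: validate the bytes and the
target file name before anything is written under the web root.
All inputs below are constructed; file names and the media directory
are placeholders.
"""
import os
import re
import tempfile

# Assumption: preview images are limited to these raster formats.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Well-known file signatures for the allowed formats.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class PreviewRejected(ValueError):
    """Raised when a fetched preview does not pass validation."""


def safe_preview_name(url_path):
    """Derive a storage name from the URL path: no directories, no dotfiles
    (.htaccess), exactly one extension, and that extension allowlisted."""
    base = os.path.basename(url_path.split("?", 1)[0])
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", base):
        raise PreviewRejected("unsafe file name: %r" % base)
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise PreviewRejected("extension not allowed: %r" % ext)
    return base


def validate_preview(url_path, content_type, body):
    """Return the storage name if the response is an image whose bytes match
    the claimed extension; raise PreviewRejected otherwise."""
    name = safe_preview_name(url_path)
    ext = os.path.splitext(name)[1].lower()
    if not content_type.lower().startswith("image/"):
        raise PreviewRejected("non-image content type: %r" % content_type)
    if not any(body.startswith(sig) for sig in MAGIC[ext]):
        raise PreviewRejected("body does not carry a %s signature" % ext)
    return name


def is_rejected(url_path, content_type, body):
    """Predicate form of validate_preview, handy for audits and tests."""
    try:
        validate_preview(url_path, content_type, body)
    except PreviewRejected:
        return True
    return False


def store_preview(media_dir, url_path, content_type, body):
    """Validate first, write second: a rejected fetch leaves no file behind."""
    name = validate_preview(url_path, content_type, body)
    target = os.path.join(media_dir, name)
    with open(target, "wb") as fh:
        fh.write(body)
    return target


def audit_names(names):
    """Defender-side check over a list of file names from a media/upload
    tree: anything that should never live there (.htaccess, PHP-executable
    extensions) is returned, sorted."""
    bad = re.compile(r"\.ph(p\d?|tml|ar)$")
    return sorted(n for n in names
                  if n.lower() == ".htaccess" or bad.search(n.lower()))


def audit_media_dir(media_dir):
    """Walk a real directory tree and apply audit_names to its file names."""
    found = []
    for root, _dirs, files in os.walk(media_dir):
        found.extend(os.path.join(root, f) for f in audit_names(files))
    return sorted(found)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as media:
        print(store_preview(media, "/thumbs/cover.png", "image/png",
                            b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
        # Constructed bad responses: wrong extension, dotfile, image name
        # with non-image bytes. None of them reaches the disk.
        for url, ctype, body in [
            ("/x/script.php", "text/plain", b"<?php /* constructed */ ?>"),
            ("/x/.htaccess", "text/plain", b"# constructed directive file"),
            ("/x/fake.jpg", "image/jpeg", b"<?php /* not an image */ ?>"),
        ]:
            print(url, "rejected:", is_rejected(url, ctype, body))
        print("audit:", audit_media_dir(media))
```

Two design points worth noting: the name check requires exactly one extension, so a double extension such as `x.php.png` is refused before the bytes are even looked at, and `audit_names` is the check to run periodically over an existing media tree, because the .htaccess plus PHP pair described in the news is exactly what should never be sitting in an upload directory.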



Pulling off this trick is not that simple. You either have to slip a specially crafted link to the store's admin while they are logged into Magento, or somehow (by hook or by crook) gain access to the administration panel, even without full permissions. The prize may be the user database, including stored payment card data. But! Regardless of this vulnerability, stores that keep customer card numbers should be avoided. Payment systems have long since invented safe methods of paying over the Internet.

By the way, after this news was published on Threatpost, Magento users received a letter from the CMS vendor notifying them of the vulnerability and of protective measures until a patch is released. But what prevented addressing the problem back in November, when the security researchers from DefenseCode notified the company of this outrage? The question, of course, is rhetorical.

A researcher turned his friends' IoT devices into bait for hackers
We continue our series of stories from SAS 2017. Dan Demeter, senior researcher at Kaspersky Lab's Global Research and Analysis Team (GReAT), talked about the inhuman experiments to which he subjected himself and his friends. Our hero installed routers with leaky firmware (as if there were any non-leaky ones in the SOHO class) in his friends' homes as traps (honeypots) and made them log all incoming activity; he also connected a computer that clicked on malicious links and collected samples.

The two-year catch amounted to 13 million attacks from 200 IP addresses. Demeter saw many old exploits in use for vulnerabilities discovered as far back as 2014; obviously, there are still a lot of unpatched devices on the Web. Most interesting of all, the first attack attempt via a vulnerability in Apache Struts 2 was recorded the day after its description was published. It turns out that not following infosec news can be downright dangerous: the bad guys keep abreast of it, and you have literally a few hours to roll out patches for new vulnerabilities.
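The useful number from a honeypot like this is the gap between a vulnerability's disclosure and the first time someone throws it at your sensor, since that gap is your real patch window. The following Python is an added example, not Dan Demeter's tooling: it parses a constructed honeypot log (documentation-range IPs, an assumed `timestamp source tag request` line format) and computes that gap per signature, the noisiest sources, and which old signatures are still in active use. The disclosure dates are typed in by hand for the illustration; take them from the advisories you actually track.

```python
"""Honeypot log triage: how fast does an exploit show up after disclosure?

Added example, not Dan Demeter's tooling. The log lines below are
constructed, and the line format
'<ISO timestamp> <source ip> <signature tag> <request>' is an assumption
about how a honeypot might label what it saw. The disclosure dates are
typed in by hand for the illustration; take them from the advisories you
actually track.
"""
from collections import Counter
from datetime import date, datetime

# Constructed honeypot log (documentation-range IPs, not real sources).
SAMPLE_LOG = """\
2017-03-07T02:14:09Z 198.51.100.7 struts2-ognl POST /index.action
2017-03-07T02:14:11Z 198.51.100.7 struts2-ognl POST /login.action
2017-03-08T11:03:55Z 203.0.113.21 shellshock GET /cgi-bin/test.cgi
2017-03-09T17:40:02Z 198.51.100.7 struts2-ognl POST /index.action
2017-03-10T08:00:31Z 192.0.2.45 heartbleed TLS-HEARTBEAT
"""

# Disclosure date per signature tag (hand-entered for the example).
DISCLOSED = {
    "struts2-ognl": date(2017, 3, 6),
    "shellshock": date(2014, 9, 24),
    "heartbleed": date(2014, 4, 7),
}


def parse_log(text):
    """Turn log text into (timestamp, src_ip, tag, request) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, tag, request = line.split(" ", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       src, tag, request))
    return events


def first_seen(events):
    """Earliest sighting of each signature tag."""
    seen = {}
    for ts, _src, tag, _req in events:
        if tag not in seen or ts < seen[tag]:
            seen[tag] = ts
    return seen


def patch_window_days(events, disclosed):
    """Days between public disclosure and the first attempt the honeypot
    logged, per signature. A value of 0 or 1 is the 'patch today' case."""
    return {tag: (ts.date() - disclosed[tag]).days
            for tag, ts in first_seen(events).items() if tag in disclosed}


def top_sources(events, n=3):
    """Most active source addresses, for block-list or abuse-report work."""
    return Counter(src for _ts, src, _tag, _req in events).most_common(n)


def stale_signatures(events, disclosed, older_than_days=365):
    """Signatures still arriving long after disclosure: evidence that
    unpatched targets are still plentiful enough to be worth scanning for."""
    last = {}
    for ts, _src, tag, _req in events:
        last[tag] = max(last.get(tag, ts), ts)
    return sorted(tag for tag, ts in last.items()
                  if (ts.date() - disclosed[tag]).days > older_than_days)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("events:", len(ev))
    print("days from disclosure to first sighting:",
          patch_window_days(ev, DISCLOSED))
    print("top sources:", top_sources(ev))
    print("still active a year+ after disclosure:",
          stale_signatures(ev, DISCLOSED))
```

On the constructed data the Struts signature shows up one day after its disclosure date, which is the situation the paragraph describes, while the 2014 signatures are still arriving years later: the first number sets how fast you must patch, the second says how long the unpatched population persists.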

Antiquities


"Driver-1024"

A resident, very dangerous stealth virus; it infects .COM and .EXE files when directory sectors containing information about .COM or .EXE files are read or written. It stores its body in the last cluster of the infected logical drive and marks this cluster as the last one in the cluster chain. When a file is infected, the virus corrects only the number of the file's first cluster, stored in the corresponding directory sector: the new initial cluster of the file points to the cluster containing the virus body. Thus, when files are infected, neither their length nor the contents of the clusters holding them change, and there is only one copy of the virus for all infected files on one logical drive.

During initialization it penetrates the DOS kernel, changes the address of the system disk driver, and thereafter intercepts all DOS calls to that driver. The virus implements a powerful “stealth” mechanism at the level of the system driver, as a result of which the virus is not visible in infected files when a file is read via either int 21h or int 25h. At the same time, the virus accesses DOS resources directly and “breaks through” practically any antivirus blocker.
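The infection pattern in the two paragraphs above leaves a footprint in the file system metadata itself, which a checker can read from a clean boot without trusting the running DOS (the stealth driver only hides things from int 21h and int 25h on an infected system). The following Python is an added example and not from the book: a toy in-memory FAT with directory entries (name, first cluster, size) on which three consistency checks find infected files. Cluster size, FAT contents and file names are all constructed.

```python
"""Toy FAT consistency checks for the infection pattern described above.

Added example, not from the book. It builds a small in-memory FAT with
directory entries (name, first cluster, size in bytes). The virus
redirects a file's first-cluster field to one shared cluster that is
marked end-of-chain, so three things become observable without reading
any code: several directory entries share one first cluster, a file's
chain is shorter than its size requires, and the file's real clusters
are left allocated but unreachable. Cluster size, FAT contents and file
names are all constructed.
"""
CLUSTER_SIZE = 1024
EOC = 0xFFF   # end-of-chain marker (FAT12-style value)
FREE = 0x000
FIRST_DATA_CLUSTER = 2  # clusters 0 and 1 are reserved in a FAT


def walk_chain(fat, first):
    """Follow a cluster chain until end-of-chain; stop on loops or
    out-of-range numbers so a corrupted FAT cannot hang the walker."""
    chain, seen, cur = [], set(), first
    while cur not in (EOC, FREE) and cur not in seen and cur < len(fat):
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur]
    return chain


def expected_clusters(size):
    """Clusters a file of 'size' bytes must occupy."""
    return (size + CLUSTER_SIZE - 1) // CLUSTER_SIZE


def shared_first_clusters(entries):
    """Directory entries that point at the same first cluster."""
    by_cluster = {}
    for name, first, _size in entries:
        by_cluster.setdefault(first, []).append(name)
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def truncated_chains(fat, entries):
    """Files whose chain holds fewer clusters than their size needs.
    Returns name -> (clusters found, clusters expected)."""
    out = {}
    for name, first, size in entries:
        found, need = len(walk_chain(fat, first)), expected_clusters(size)
        if found < need:
            out[name] = (found, need)
    return out


def orphan_clusters(fat, entries):
    """Allocated clusters reachable from no directory entry (the 'lost
    chains' a disk checker reports)."""
    reachable = set()
    for _name, first, _size in entries:
        reachable.update(walk_chain(fat, first))
    return sorted(c for c in range(FIRST_DATA_CLUSTER, len(fat))
                  if fat[c] != FREE and c not in reachable)


def build_sample():
    """Constructed 16-cluster drive: two clean files, two infected ones."""
    fat = [FREE] * 16
    fat[2], fat[3], fat[4] = 3, 4, EOC      # A.COM: 2 -> 3 -> 4
    fat[5], fat[6] = 6, EOC                 # B.EXE: 5 -> 6
    fat[7], fat[8], fat[9] = 8, 9, EOC      # C.COM's data, still on disk
    fat[10] = EOC                           # D.EXE's data, still on disk
    fat[15] = EOC                           # virus body in the last cluster
    entries = [
        ("A.COM", 2, 2500),
        ("B.EXE", 5, 2000),
        ("C.COM", 15, 3000),   # first-cluster field redirected to the virus
        ("D.EXE", 15, 900),    # same, but small enough to hide the size clue
    ]
    return fat, entries


if __name__ == "__main__":
    fat, entries = build_sample()
    print("shared first clusters:", shared_first_clusters(entries))
    print("chains shorter than size:", truncated_chains(fat, entries))
    print("orphaned clusters:", orphan_clusters(fat, entries))
```

The small file D.EXE shows why one check is not enough: its size fits in a single cluster, so the chain-length test is silent, but the shared-first-cluster test still flags it, and the orphaned clusters 7 to 10 are the original file contents that the description says are left untouched on disk.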

Quoted from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 65.

Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Depends on your luck.

Source: https://habr.com/ru/post/327124/
