
Security Week 44: a quiet hunt with Carbanak's toolkit, why Firefox borrows features from Tor Browser, and a loophole in Google's Buganizer

Who does not know Carbanak? A few years ago these clever guys, by some estimates, skillfully took up to a billion dollars from a good hundred banks in Russia, Ukraine, the United States and even Japan. Our experts have identified a group of intruders, codenamed Silence, who diligently copied the best of Carbanak's tooling in an attempt to get at bank accounts.

The attack technique really is painfully similar: through a phishing e-mail to a bank employee the attackers get into the bank's internal network, settle in and quietly study the infrastructure, meanwhile sending "contracts" to partners, that is, the same malicious e-mails, but now sent on behalf of real employees and even with their signatures. Clearly, an infected attachment of that kind is far more likely to be clicked than a letter from yet another Nigerian benefactor. Good old social engineering is still riding high.

Silence uses Microsoft's proprietary online help format (Compiled HTML Help, CHM). Once the victim opens the attachment, the "start.htm" file inside it runs, with embedded JavaScript whose purpose is to download the dropper for the next stage from a specified address. It goes on from there: the dropper loads the Silence Trojan, whose modules run as Windows services. Among them: a management and control module, a screen-activity recording module, a module for communicating with the control servers, and a program for remote execution of console commands.

Having settled comfortably into the infected network, the attackers start their guerrilla work: collecting data and recording the victims' screens to single out the "cash cows", the owners of the information they need. As soon as they get to the "truth", the working procedures of those employees' information systems, money is smoothly withdrawn from the accounts and migrates into the intruders' pockets.
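The Silence lure arrives as a CHM container, so the first defensive check a mail gateway can make is to recognise that container by content rather than by file name. The following is an added example (not from the original column and not Silence's or Kaspersky's code): it triages attachments by the "ITSF" signature that CHM files begin with, flagging CHM files under any extension. The attachment objects and the sample bytes are constructed for the demo; the names `triageAttachment` and `triageMessage` are this example's own.

```javascript
// Added example: triage e-mail attachments for Compiled HTML Help (CHM)
// containers, the format Silence used for its malicious attachment.
// Assumptions: each attachment is {name, bytes}; the sample bytes below are
// constructed for the demo and contain no real help content or malware.

// CHM files start with the ASCII signature "ITSF" (the ITSS container header).
const CHM_MAGIC = Buffer.from('ITSF', 'ascii');

function hasChmMagic(bytes) {
  return bytes.length >= 4 && bytes.subarray(0, 4).equals(CHM_MAGIC);
}

function extensionOf(name) {
  const m = /\.([A-Za-z0-9]+)$/.exec(name);
  return m ? m[1].toLowerCase() : '';
}

// Produce a verdict for one attachment: any CHM container is quarantined, and
// a mismatch between the declared extension and the real content is recorded
// as its own reason so analysts see the disguise, not just the file type.
function triageAttachment(att) {
  const ext = extensionOf(att.name);
  const isChm = hasChmMagic(att.bytes);
  const reasons = [];
  if (isChm) reasons.push('CHM container (ITSF magic)');
  if (isChm && ext !== 'chm') reasons.push(`extension .${ext || '(none)'} hides a CHM container`);
  if (!isChm && ext === 'chm') reasons.push('.chm extension without ITSF magic');
  return { name: att.name, quarantine: reasons.length > 0, reasons };
}

function triageMessage(attachments) {
  return attachments.map(triageAttachment);
}

// Constructed sample attachments: a CHM under its own extension, a benign PDF,
// and a CHM renamed to look like a text file.
const SAMPLE = [
  { name: 'contract_2017.chm', bytes: Buffer.concat([CHM_MAGIC, Buffer.alloc(60)]) },
  { name: 'invoice.pdf', bytes: Buffer.from('%PDF-1.4\n%constructed sample\n') },
  { name: 'readme.txt', bytes: Buffer.concat([CHM_MAGIC, Buffer.alloc(10)]) },
];

console.log(JSON.stringify(triageMessage(SAMPLE), null, 2));
```

The signature check deliberately ignores the file name: a gateway rule keyed on the `.chm` extension alone is defeated by a rename, while the ITSF header must be present for Windows to open the file as help content at all.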

Mozilla cleans snooping out of Firefox


You used to proudly refuse to save cookies, open a new site and think nobody had noticed you. In reality, you were most likely counted anyway, just in a slightly more sophisticated way. One of the many tools for this is canvas fingerprinting.

What is the point? Many sites carry a special tracking script. It "asks" the browser to draw a hidden image, and because of the particulars of the system (GPU, driver, browser version and so on) the result is no less unique than a human fingerprint. So the computer is reliably identified. That knowledge can be used for very different purposes, most often to show the "right" advertising. And disabling canvas fingerprinting in popular browsers is practically impossible.

Mozilla has promised that from January 2018 canvas fingerprint "support" can be switched off; the option will be available in Firefox 58. Interestingly, the canvas fingerprint blocking feature came to Firefox straight from the Tor Browser, which is itself based on Firefox code; until now, features had migrated from Firefox to Tor. It remains to work out what to do with the other fingerprints, and then one can live in peace.
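What Tor Browser (and now Firefox) does is intercept the moment a script reads the drawn pixels back out of a canvas, because that read-back is where the rendering quirks become an identifier. The block below is an added example, not Mozilla's or Tor Browser's code, that models that policy as a guard around the read-back method: a `decide` callback stands in for the user prompt or per-site allow-list, and denied reads receive a blank image instead. Because it runs under Node with no DOM, a stub object stands in for `HTMLCanvasElement.prototype`; in a browser you would pass the real prototype (an assumption of this example, and `toBlob`/`getImageData` would need the same treatment).

```javascript
// Added example (not from the original column): guard canvas read-back so a
// fingerprinting script cannot turn the rendered image into an identifier
// unless the user's policy allows it. Assumption: `canvasProto` is
// HTMLCanvasElement.prototype in a browser; here it is a constructed stub.

// A 1x1 transparent PNG, returned when a read is denied: the caller still
// gets a well-formed image, but one carrying no device-specific detail.
const BLANK_PNG =
  'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';

// Wrap toDataURL on the given prototype. `decide(methodName)` returns true to
// allow the read (real pixels) or false to deny it (blank image). Every
// decision is appended to the returned log so the page's behaviour can be audited.
function guardCanvasReads(canvasProto, decide) {
  const log = [];
  const original = canvasProto.toDataURL;
  if (typeof original !== 'function') throw new TypeError('prototype has no toDataURL');
  canvasProto.toDataURL = function (...args) {
    const allowed = Boolean(decide('toDataURL'));
    log.push({ method: 'toDataURL', allowed });
    return allowed ? original.apply(this, args) : BLANK_PNG;
  };
  return log;
}

// Constructed stand-in for a real canvas: its unguarded toDataURL yields a value
// that would differ per machine, like GPU- and driver-dependent rendering does.
function makeStubCanvasProto(deviceSpecificPixels) {
  return {
    toDataURL() {
      return 'data:image/png;base64,' + deviceSpecificPixels;
    },
  };
}

// Run one read under a fixed policy and return what the script would see.
function readWithPolicy(allow) {
  const proto = makeStubCanvasProto('DEVICE-SPECIFIC-PIXELS');
  const log = guardCanvasReads(proto, () => allow);
  const value = proto.toDataURL();
  return { value, log };
}

console.log('denied :', readWithPolicy(false).value.slice(0, 40) + '...');
console.log('allowed:', readWithPolicy(true).value);
```

The guard does not stop the site from drawing; it only changes what the site can learn from the drawing, which is why a blank but valid image is returned rather than an exception a script could detect and treat as its own signal.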

Why break the lock if you can go to the keystore?


Programmer Alex Birsan recently earned $15,000 for pointing out a vulnerability in Google's Issue Tracker that allowed reading information from the internal bug repository, which Google affectionately calls Buganizer.

Anyone with a Google account can submit information there, but the list of open issues is supposed to be available only to employees of the Corporation of Good. At least that was the intent. Alex found a way to get full bug descriptions with a piece of JavaScript (via a POST request). True, he immediately clarified that he himself did not smoke, it was the boys next door, and he just stood nearby; that is, he did not read the bug descriptions and did not memorize any secrets. Now, of course, the loophole is closed, and Birsan can buy himself something nice with the prize.

It is worth noting that this is not the first story of unauthorized access to a vulnerability repository owned by a company of this level; something similar happened to Microsoft in 2013. Yet it is precisely such services that should be guarded most carefully, especially since absolutely all IT companies keep them. Potentially, an attacker can not only obtain hundreds of carefully described and verified vulnerabilities in bulk, but also interfere with the tracker's operation: downgrade the severity of a vulnerability they like, or simply close the ticket as unconfirmed. In theory, this could delay the fix of a vulnerability indefinitely.
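The column describes two separate failures in a tracker: reading issues one is not cleared to see, and changing the status of issues one should not be able to touch. The following added example (not Google's code; Buganizer's real access model and API are not on the page, and everything here is a constructed stand-in) puts a minimal handler that only checks "is the caller signed in" beside a hardened one that checks, per issue, whether the caller may view it, and for status changes whether the caller holds a triage role. The issue store, accounts and role names are assumptions of this example.

```javascript
// Added example (constructed, not Google's code): the authorization gap the
// column describes, beside its fix. Assumptions: an in-memory issue store with
// an `internal` flag, and accounts with an `employee` flag and a role list.

const ISSUES = new Map([
  [1001, { title: 'Public: typo in docs', internal: false, status: 'open' }],
  [1002, { title: 'INTERNAL: auth bypass in service X', internal: true, status: 'open' }],
]);

// Constructed accounts: an external reporter (any signed-in account) and an
// employee who may triage.
const USERS = {
  'reporter@example.com': { signedIn: true, employee: false, roles: [] },
  'eng@corp.example': { signedIn: true, employee: true, roles: ['triage'] },
};

// Vulnerable: authentication is checked, authorization is not, so any signed-in
// account can read any issue by id.
function vulnerableGetIssue(user, id) {
  if (!user || !user.signedIn) return { status: 401 };
  const issue = ISSUES.get(id);
  return issue ? { status: 200, body: issue } : { status: 404 };
}

function canView(user, issue) {
  return !issue.internal || user.employee === true;
}

// Hardened read: visibility is decided per issue, and hidden issues are
// indistinguishable from missing ones so the id space leaks nothing.
function hardenedGetIssue(user, id) {
  if (!user || !user.signedIn) return { status: 401 };
  const issue = ISSUES.get(id);
  if (!issue || !canView(user, issue)) return { status: 404 };
  return { status: 200, body: issue };
}

// Hardened write: the caller must be able to see the issue AND hold the triage
// role; otherwise an outsider could close or downgrade tickets at will.
function hardenedSetStatus(user, id, newStatus) {
  if (!user || !user.signedIn) return { status: 401 };
  const issue = ISSUES.get(id);
  if (!issue || !canView(user, issue)) return { status: 404 };
  if (!user.roles.includes('triage')) return { status: 403 };
  issue.status = newStatus;
  return { status: 200, body: issue };
}

const reporter = USERS['reporter@example.com'];
console.log('vulnerable read of internal issue:', vulnerableGetIssue(reporter, 1002).status);
console.log('hardened  read of internal issue:', hardenedGetIssue(reporter, 1002).status);
console.log('hardened  close by reporter     :', hardenedSetStatus(reporter, 1001, 'closed').status);
```

The important design point is that the check runs against the specific object requested, not against the caller alone: "has a Google account" is a property of the caller, while "may see issue 1002" is a property of the caller and the issue together.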

Antiquities


Family "Siskin"

Harmless resident viruses; they infect COM, EXE and OVL files in the standard way. On the 7th of every month they play three melodies (one of them is "Chizhik-Pyzhik"). They intercept int 1Ch and 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 44.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's just how it goes.

Source: https://habr.com/ru/post/341644/
