San Francisco transit ransomware attacker likely used year-old Java exploit

The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan.

In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers."

That description of the ransomware attack is not consistent with some of the evidence from previous ransomware attacks by the same operator, an incident which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications from the ransomware operator behind the Muni attack that were uncovered and published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a "deserialization" attack after it was identified by a vulnerability scan: the server accepted serialized Java objects from the network and reconstructed them without checking what classes they contained, which lets an attacker who controls the bytes run code on the server.
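As an added illustration of the "deserialization" attack class referred to above (example code written for this page, not SFMTA's or the WebLogic code involved in the incident; the TicketUpdate class, the HashMap stand-in for a malicious payload and the depth and size limits are assumptions made for the demo), the following shows the vulnerable pattern, ObjectInputStream.readObject() on attacker-controlled bytes, beside the hardened form that uses a JEP 290 ObjectInputFilter allow-list (java.io.ObjectInputFilter, Java 9 and later; backported to Java 8 as sun.misc.ObjectInputFilter from 8u121):

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class DeserializationDemo {

    /** Hypothetical record type the application legitimately expects on the wire. */
    public static final class TicketUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String route;
        public final int delayMinutes;

        public TicketUpdate(String route, int delayMinutes) {
            this.route = route;
            this.delayMinutes = delayMinutes;
        }
    }

    /**
     * Vulnerable pattern: readObject() instantiates whatever class the sender encoded.
     * Any Serializable class on the server's classpath, including "gadget chain" classes
     * from bundled libraries, is constructed before the caller's cast is ever checked.
     */
    public static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /**
     * Hardened pattern: an allow-list filter vetoes every class descriptor that is not
     * in the expected set, and caps nesting depth and stream size, before the bytes are
     * turned into objects. Limits below are arbitrary values chosen for this demo.
     */
    public static Object safeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        final Set<Class<?>> allowed = Set.of(TicketUpdate.class, String.class);
        final long maxDepth = 5;
        final long maxBytes = 4096;

        ObjectInputFilter filter = info -> {
            if (info.depth() > maxDepth || info.streamBytes() > maxBytes) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                // Called for limit checks only (no class involved): leave it to the checks above.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };

        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);   // a REJECTED status surfaces as InvalidClassException
            return in.readObject();
        }
    }

    /** Serializes an object the same way a client (or an attacker) would put it on the wire. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a legitimate message and an unexpected class.
        // A real attacker would encode a gadget-chain class from a library on the server's
        // classpath; a plain HashMap stands in for that here so the demo stays harmless.
        byte[] legit = serialize(new TicketUpdate("N-Judah", 7));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unsafeRead(legit)      -> " + unsafeRead(legit).getClass().getName());
        System.out.println("unsafeRead(unexpected) -> " + unsafeRead(unexpected).getClass().getName());
        System.out.println("safeRead(legit)        -> " + safeRead(legit).getClass().getName());
        try {
            safeRead(unexpected);
            System.out.println("safeRead(unexpected)   -> accepted (filter did not fire)");
        } catch (InvalidClassException e) {
            System.out.println("safeRead(unexpected)   -> rejected: " + e.getMessage());
        }
    }
}
```

The unsafe reader happily reconstructs the HashMap (and would just as happily reconstruct a gadget chain); the filtered reader refuses it with an InvalidClassException before any constructor or readObject method of the unexpected class runs. An allow-list keyed on the exact classes the endpoint expects is the check that matters; deny-listing known gadget classes, the approach taken by many early patches, has to be redone every time a new chain is found.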


Botched Java patch leaves millions vulnerable to 30-month-old attack

Oracle said the flaw was fixed. Newly released exploit code shows otherwise.

A botched security fix released for the Java software framework 30 months ago has left millions of users vulnerable to attacks that Oracle had claimed were no longer possible, a security researcher said.

The bypass code, which was released Thursday by Polish security firm Security Explorations, contains only minor changes to the original proof-of-concept, according to an e-mail posted to the Full Disclosure security list. Security Explorations released the original exploit in October 2013 following the release of a patch from Oracle. Thursday's bypass changes only four characters from the 2013 code and relies on a custom server to work. The bypass means that millions of Java users have remained vulnerable to the flaw, tracked as CVE-2013-5838, despite assurances from Oracle that the attacks were no longer possible.

"We implemented a Proof of Concept code that illustrates the impact of the broken fix described above," Security Explorations researchers wrote in a report. "It has been successfully tested in the environment of Java SE 7 Update 97, Java SE 8 Update 74, and Java SE 9 Early Access Build 108. In all cases, a complete Java security sandbox escape could be achieved."


Java “RAT-as-a-Service” backdoor openly sold through website to scammers

The malware once known as AlienSpy is back in action after original domains shut down.

The JSocket website: open for business on the open Web (at least right now). (credit: Sean Gallagher)

A family of Java-based malware that has given attackers a backdoor into Windows, Linux, Mac OS X, and Android devices since 2013 has risen from the dead once again as a "commercial" backdoor-as-a-service. It was recently detected in an attack on a Singapore bank employee. Previously known as AlienSpy or Adwind, the malware was all but shut down in 2015 after the domains associated with its command and control network were suspended by GoDaddy. But according to Vitaly Kamluk, the director of Kaspersky Lab's Asia/Pacific research and analysis team, the malware has been modified, rebranded, and is open for service again to customers ranging from Nigerian scam operators to possible nation-state actors. Ars has confirmed that the service is offered openly through a website on the public Internet.

AlienSpy was found last spring on the Android phone of Alberto Nisman, the Argentinian prosecutor who died under suspicious circumstances just as he was apparently about to deliver a report implicating the Argentine government in the bombing of a Buenos Aires Jewish community center in 1994. Now resurrected under the names JSocket and jRat, according to a presentation by Kamluk at the Kaspersky Security Analyst Summit 2016 in Tenerife, the malware is available through an open website to subscribers at prices ranging from $30 for one month to $200 for an unlimited license. Kamluk believes the service's author is a native Spanish speaker, possibly based out of Mexico.

JSocket includes a number of typical "RAT" (remote access tool) capabilities, including video capture from webcams, audio capture from microphones, the ability to detect antivirus software on a system, a keylogger to record key strokes, and a virtual private network key-stealing feature that could be used to gain access to any of the VPNs used by the victim. Kaspersky has tracked more than 150 attack campaigns against more than 60,000 targets with the latest iterations of the malware, with Nigerian e-mail-based scam operations (particularly those targeting banks) being the biggest adopters of the tool. The lion's share of the remaining subscribers to the malware appeared to come from the US, Canada, Russia, and Turkey.


Oracle deprecates the Java browser plugin, prepares for its demise

It will be removed some time after the release of Java 9.

The much-maligned Java browser plugin, source of so many security flaws over the years, is to be killed off by Oracle. It will not be mourned.

Oracle, which acquired Java as part of its 2010 purchase of Sun Microsystems, has announced that the plugin will be deprecated in the next release of Java, version 9, which is currently available as an early access beta. A future release will remove it entirely.

Of course, Oracle's move is arguably a day late and a dollar short. Chrome started deprecating browser plugins last April, with Firefox announcing similar plans in October. Microsoft's new Edge browser also lacks any support for plugins. Taken together, it doesn't really matter much what Oracle does: even if the company continued developing and supporting its plugin, the browser vendors themselves were making it an irrelevance. Only Internet Explorer 11, itself a legacy browser that's receiving only security fixes, is set to offer any continued plugin support.
