    We’re back to look inside the crystal ball of future technologies. This is the third post of the “FuTuRology” project, a blog series where the Trend Micro Forward-Looking Threat Research (FTR) team predicts the future of popular technologies.

    In the last two installments of this series, we introduced our future technology threat landscape project and started to paint a picture of what the healthcare industry might look like in a few years.

    Part I: A Look at Impending Threats to Popular Technologies

    Part II: Wearables and Smart Medical Devices, Gears for a Data-Driven Healthcare Future

    Today, the plan is to speculate over other healthcare technologies that are further out into the future and could provide opportunities for attackers and threats to healthcare users.

    • 3D Scanning and Printing 
      This technology is quickly becoming mainstream as hardware keeps getting cheaper every year. It might get to a point where accurate enough scanning of limbs and body anatomy enables physicians to 3D-print personalized prosthetics, from body casts for temporary immobilization to limb replacements for a more permanent treatment. We’re talking about the possible birth of customized bionics on a massive scale. The current generation has seen the repercussions of sharing intimate pictures with others over the internet. Should 3D scanning become more available, scanned files would be as much the targets of blackmail and extortion by cybercriminals as the 2D photos of today.
    • Lab-on-a-Chip Drugs 
      More cool stuff in the future of this exciting field? How about the so-called “incredible shrinking laboratory” or lab-on-a-chip drugs? These are pills or patches that can automatically deliver the right dosage of the medicine needed. This could be based on body parameters taken from an external sensor or on a cloud-based algorithmic diagnosis. It looks like the patient needs 10 milligrams of this particular drug mixture? Coming right up!

      Varying drug composition and dosage has its technological difficulties, I’m sure of that. Once these are overcome and we have such a device on the market, an attacker’s interception of those drug parameters might be fatal. Even delaying drug delivery could be bad enough. This could be the ultimate pay-or-die ransomware of the future. Denial of health service, anyone?
    • Smart Clothing 
      We’re not only talking about t-shirts with fitness sensors and gimmicks – there have been attempts at those lately – but there’s a wider spectrum of things that could be coming in the future. How about exoskeletons? No, we’re not going to get adamantium bones or retractable claws anytime soon. We’re talking about devices that help impaired bodies move, using servo motors to enable people with muscle atrophy or paralysis to perform physical activities. Sounds too out there? These have already been explored for military use to help individuals carry more weight or absorb more impact on the battlefield. As 3D scanning and printing devices advance and become cheaper, they could accommodate more therapeutic uses for more mundane illnesses. Sports enthusiasts, especially those in extreme sports, could use smart clothing as protective gear. Now that’s something I wouldn’t mind trying myself.
    • Robotic Caregiving 
      Speaking of robots, or of looking like one with an exoskeleton fitted to your body, we might also see more robotic caregiving soon. Robots as assistants to nursing staff are not unthinkable. Medical equipment is becoming increasingly robotic in nature as the high productivity of using it justifies the investment. This opens the door to robotic surgery for highly automated operations where the surgeon gives exact instructions and the machine executes them exactly as programmed. These are already being used in some fields but could become commonplace as the technology becomes more accurate and affordable. In theory a hacker could access the robot and cause physical harm, but in real life that’s not likely to happen – it is more the realm of science fiction. Given the amount of work involved in getting into the network, reversing the firmware, and controlling the robot, it is easier to inflict harm using traditional real-world means. This ties in nicely with the subject of IoT (Internet of Things) hacking, or internet-connected device hacking. The idea is that anything with an online connection can be attacked. Again, the likelihood of being a target is directly related to the kind of device we’re talking about. I won’t go into detail, but whether an attack is likely or not, devices that involve a higher risk obviously need more defense. An internet-connected car needs more protection than an internet-connected toaster. The same goes for any medical device that is physically connected to or directly affects a human body.
    • Data Visualization and Analysis 
      With the latest advances in this field, doctors might be able to visualize 3D scans coming from magnetic resonance imaging (MRI) or X-ray computed tomography (X-ray CT) scans through augmented reality superimposed on the patient’s imaging data. Visualization technology similar to the Oculus Rift can be used to enter the patient’s innards, fully understand their state, give a more accurate diagnosis, get a closer look at the data, and plan for an important surgical procedure. I don’t know if I should be happy for those doctors or scared at the prospect.

    It is clear that the current state and evolution of technology will give new toys to all human fields. Healthcare is no exception. However, added risks make this industry more prone to attacks and life-threatening repercussions. Healthcare technologies need to be thought of in advance. Developers need to build in some level of security from the get-go because, in this case, even a casual or accidental screw up can be crippling, literally.



    Issues surrounding the Android mediaserver component continue. It has been brought to our attention that a vulnerability (CVE-2015-3823) could (theoretically) be used for arbitrary code execution as well. On August 23, Google raised the severity of this vulnerability to “critical”, indicating that code execution was possible. We have previously discussed how this bug in the mediaserver component of Android could lock devices in an endless reboot loop.

    To recap, the vulnerability is an integer overflow in parsing .MKV files, which causes the device to fall into an endless loop and heap overflow when reading video frames. Users could encounter a malicious .MKV file via a malicious app or by opening a malicious video file.

    We earlier noted how this could be used to, in effect, stop the device from working. If this vulnerability is used to run arbitrary code, then the attacker would be able to run code with the permissions of mediaserver. The code is shown below:

    If an attacker exploits this heap overflow successfully, they would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. However, unlike “good” exploits, it is very difficult to control the flow of execution. This makes a practical exploit much more difficult.
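    The size arithmetic behind this class of bug, as an added example that is not the Android mediaserver code or Trend Micro’s analysis: a constructed frame-table format in which an untrusted 32-bit entry count is multiplied by a fixed entry size. The unchecked version wraps modulo 2^32, so a hostile count buys a tiny heap allocation that a later per-entry loop would overrun; the checked version rejects counts that would wrap or exceed an assumed cap (MAX_FRAMES) and also refuses files shorter than their declared size, which is the same check that keeps a parser from spinning on a claimed length it can never satisfy. The format, the cap and the status codes are assumptions for this illustration.

```c
/* Added example: a constructed model of a length-prefixed frame table, not
 * the Android mediaserver code. A 4-byte little-endian entry count is followed
 * by that many FRAME_ENTRY_SIZE-byte entries; the parser copies them into a
 * heap table. The point is the size arithmetic on the untrusted count. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_ENTRY_SIZE 16u
#define MAX_FRAMES       (1u << 20)   /* sanity cap, assumed for this model */

enum { PARSE_OK = 0, PARSE_BAD_COUNT = -1, PARSE_TRUNCATED = -2, PARSE_OOM = -3 };

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable arithmetic: the product wraps modulo 2^32. A count of
 * 0x10000001 yields a 16-byte allocation for what a copy loop would then
 * treat as 268,435,457 entries, writing far past the buffer. */
uint32_t unchecked_table_bytes(uint32_t count) {
    return count * FRAME_ENTRY_SIZE;
}

/* Hardened arithmetic: reject counts that would wrap or exceed the cap.
 * Returns 1 and writes *out on success, 0 otherwise. */
int checked_table_bytes(uint32_t count, size_t *out) {
    if (count == 0 || count > MAX_FRAMES) return 0;
    if (count > UINT32_MAX / FRAME_ENTRY_SIZE) return 0;  /* would wrap */
    *out = (size_t)count * FRAME_ENTRY_SIZE;
    return 1;
}

/* Hardened parser: validate the count, then confirm the input really holds
 * every entry before allocating and copying. On PARSE_OK, *table is a
 * malloc'd copy the caller frees. */
int parse_frame_table(const uint8_t *data, size_t len,
                      uint8_t **table, uint32_t *count_out) {
    uint32_t count;
    size_t bytes;
    uint8_t *t;
    if (len < 4) return PARSE_TRUNCATED;
    count = read_u32le(data);
    if (!checked_table_bytes(count, &bytes)) return PARSE_BAD_COUNT;
    if (bytes > len - 4) return PARSE_TRUNCATED;   /* file shorter than it claims */
    t = malloc(bytes);
    if (!t) return PARSE_OOM;
    memcpy(t, data + 4, bytes);
    *table = t;
    *count_out = count;
    return PARSE_OK;
}

/* Constructed inputs: a well-formed file with two entries, one that claims
 * 0x10000001 entries (the wrapping count), and one that claims three entries
 * but carries only one. Unlisted bytes are zero. */
static const uint8_t good_file[4 + 2 * FRAME_ENTRY_SIZE] = { 0x02, 0x00, 0x00, 0x00 };
static const uint8_t wrap_file[4 + FRAME_ENTRY_SIZE]     = { 0x01, 0x00, 0x00, 0x10 };
static const uint8_t short_file[4 + FRAME_ENTRY_SIZE]    = { 0x03, 0x00, 0x00, 0x00 };

/* Run the hardened parser over one input and return its status code. */
int parse_status(const uint8_t *data, size_t len) {
    uint8_t *t = NULL;
    uint32_t n = 0;
    int rc = parse_frame_table(data, len, &t, &n);
    free(t);
    return rc;
}

int main(void) {
    printf("wrapped size for count 0x10000001: %u bytes\n",
           (unsigned)unchecked_table_bytes(0x10000001u));
    printf("good: %d  wrap: %d  short: %d\n",
           parse_status(good_file, sizeof good_file),
           parse_status(wrap_file, sizeof wrap_file),
           parse_status(short_file, sizeof short_file));
    return 0;
}
```

    The two checks are deliberately separate: the division test catches the wrap itself, while the cap and the remaining-length test catch counts that are arithmetically fine but still absurd for the input at hand. A parser that only checks one of them is still exposed to the other failure mode.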

    End users can block this threat from the onset by downloading Trend Micro Mobile Security (TMMS), which can detect threats like malicious apps that may exploit this vulnerability. We also recommend that device manufacturers regularly patch their devices’ OS to prevent users from suffering attacks such as the ones discussed.


    Data breaches rarely make for sensational news. Media outlets may report about them but public interest often dies down after a week or two.

    Or that was the case until the Ashley Madison breach happened. The recent leak of the Ashley Madison accounts is the culmination of a month-long digital stand-off between the site that blatantly encourages people to have affairs and a hacktivist group called the Impact Team.

    Last July, Ashley Madison reported that they became victims of a data breach. The Impact Team took credit, demanding that the site and another related site be taken offline permanently. The hackers then proceeded to leak snippets of account information as well as company information, including internal company servers.

    The group made good on their threat as the accounts soon found their way into the Deep Web. The leaked information had several revelations. For example, 15,000 accounts had either a .mil or .gov email address. Combing through the addresses, other media outlets have found that work emails were frequently used in accounts.

    (Funnily enough, the leak presented proof that the site practiced some security measures not found in other sites. For example, the passwords were stored using some form of encryption and not just in plaintext.)

    Some have pointed out that users shouldn’t have expected their information to be kept safe, considering the very nature of the website. But setting aside the moral implications of the site, Ashley Madison assured customers that their information would be kept private and even offered a paid service to delete user data permanently—and it failed on both counts.

    Addressing Data Breaches

    This leak proves that many organizations are not ready to deal with a data breach: either by preventing one in the first place or managing one after it’s occurred. This is very problematic given the real-world implications of data breaches.

    “Reputational risk is real if you do not actually invest in next-generation cybersecurity. The hackers of the world will bypass the traditional security defenses that are advocated by major standards organizations like the Payment Card Industry Security Standards Council (PCI SSC),” says Tom Kellermann, chief cybersecurity officer for Trend Micro in an interview.

    This is especially so for Ashley Madison and the many other sites whose premise is keeping their users’ actions discreet and private.

    In an ideal scenario, security measures against data breaches should be put in place even before such incidents occur. For example, organizations should assess the type of data that they ask from users. Do they really need certain specifics beyond contact and financial information? Even non-essential nuggets of information can be seen as sensitive—especially when used as building blocks to complete a victim’s profile.

    Encrypting sensitive information and restricting access to it goes a long way in mitigating possible intrusions, especially from internal hackers. Some have speculated that the Ashley Madison breach was an inside job; if that were the case, stricter access control could have made it harder to get the data.

    When it comes to data breaches, it is no longer an issue of “if” but “when.”  So even with these preventive measures in place, organizations should assume that there is an intruder in the network. With that thought, continuous monitoring of systems should be implemented to look for suspicious activity.

    With all these in mind, organizations need to deploy a concrete multi-layered defense system as a proactive step against data breaches, as follows:

    • Deploy web application firewalls (WAF) to establish rules that block exploits especially when patches or fixes are still underway.
    • Deploy data loss prevention (DLP) solutions to identify, track, and secure corporate data and minimize liability.
    • Deploy a trusted breach detection system (BDS) that not only catches a broad spectrum of Web-, email- and file-based threats, but also detects targeted attacks and advanced threats.

    But what should organizations do after a data breach happens? Firstly, they should confirm whether a breach did occur. Victims should learn of the breach from the affected organization, never from the media. Organizations need to state all that they know about the incident, such as the time the incident occurred.


    Microsoft has released MS15-093, an out-of-band update for all supported versions of Windows. This bulletin fixes a vulnerability in Internet Explorer (designated as CVE-2015-2502) that allowed an attacker to run arbitrary code on a user’s system if they visited a malicious site. A compromised site, spear phishing, and/or malicious ads could all be used to deliver exploits targeting this vulnerability to the user. This threat is already in use in limited, targeted watering hole attacks in the wild.

    This particular vulnerability is a memory corruption vulnerability, which has historically proven to be a common problem for Internet Explorer. While this vulnerability has been rated as Critical by Microsoft and no mitigations/workarounds were identified in the post, there are several factors that help lessen the risk to users.

    First, any code is run with the privileges of the logged-in user; therefore users who run as an ordinary user and not as an administrator are at lesser risk. Secondly, users of the new Microsoft Edge browser in Windows 10 are also not at risk. In addition, Internet Explorer on server versions of Windows (Server 2008, Server 2008 R2, Server 2012, or Server 2012 R2) runs in a restricted mode that reduces the risk for these OSes.

    Trend Micro Deep Security and Vulnerability Protection users are already protected from this threat; the following rule that was released as part of the regular Patch Tuesday set of rules also covers this vulnerability:

    • 1006957 – Microsoft Internet Explorer Arbitrary Remote Code Execution Vulnerability

    We urge all affected users to immediately use Windows Update to download and install this update. Users who wish to download this update manually should note that this bulletin is not a cumulative update for Internet Explorer. As a result, the August cumulative update should be installed before this new patch is installed.


    Why would Pawn Storm, the long-running cyber-espionage campaign, set its sights on a Russian punk rock group? Sure, Pussy Riot is controversial. Members of the feminist band had previously been thrown in jail for their subversive statements against the Orthodox Church and Russian patriarchal system. But why would attackers have any interest in them? What is their connection to other targets?

    Earlier this year, we reported that the operators behind Pawn Storm had gone after members of the North Atlantic Treaty Organization (NATO), the White House, and the German parliament. Previously, they focused on various embassies and military attachés stationed across several countries. Pawn Storm’s targets have mostly been external political entities outside of Russia, but after our analysis we found that a great deal of targets can actually be found within the country’s borders.

    Domestic spying in Russia

    The Russian spies behind Pawn Storm apparently do not discriminate. They even monitor their fellow citizens. Credential phishing attacks directed towards Russian nationals build a case for domestic spying. Figure 1 shows a closer breakdown of their targets per industry.

    Figure 1. Primary industry/sector targets in Russia

    Many peace activists, bloggers, and politicians got targeted in Russia. Some of the more noteworthy targets per industry are as follows:

    Politicians: A former Russian prime minister, and a prominent member of United Russia
    Artists: Two members of Pussy Riot and a popular Russian rock star
    Media: Journalists from The New Times, TV Rain, Novaya Gazeta, Jailed Russia, other media outlets that criticize the current Russian regime, and the Apostol Media Group
    Software developers: A CEO of a Russian company developing encryption software, and a developer

    Looking at the list, it’s easy to conclude that the people behind this campaign are keeping tabs on potential dissidents of the current Russian regime. Pussy Riot’s criticism of the government does make them a logical target if this were the case. But the inclusion of software developers, as well as the Apostol Media Group, which has ties to the Russian government, is interesting. The fact that at least one active Russian military attaché in a NATO country got targeted by Pawn Storm makes the spies’ motivations even more intriguing.

    The Ukraine and US connection

    In Figure 2, we see the top 10 target countries of Pawn Storm. Ukraine has the lion’s share. With 25%, it surpasses Russia and the US. The three countries currently have a volatile relationship thanks to clashing political interests.

    Figure 2. Breakdown of Top 10 targets by country

    The military, media, government, and political figures in Ukraine were all targeted almost equally, with those four categories accounting for approximately two-thirds of all targets in the country:

    Figure 3. Primary industry/sector targets in Ukraine

    As for the US, the primary targets are defense companies and the military (Air Force, Navy, and Army). Think tanks and academia are targets too. Pawn Storm also has a particular interest in oil researchers and nuclear energy.

    Figure 4. Primary industry/sector targets in the US

    These attempted compromises were part of a larger campaign of tens of thousands of individual credential phishing attacks against high-profile users of a multitude of webmail providers like Gmail, Yahoo, Hushmail, Outlook, and other providers in Ukraine, Iran, Norway, and even China.

    The United Kingdom is a big target for Pawn Storm, but the majority of attacks are attempts to compromise Eastern Europeans who reside in Britain.

    A case of credential phishing

    The way the attacks are carried out varies. Some campaigns used malware and vulnerabilities. Pawn Storm used at least six zero-days, including the critical CVE-2015-2590 Java vulnerability. A prominent modus operandi is advanced credential phishing. We were able to collect data on more than 12,000 individual credential phishing attacks in 2014 and 2015, making it possible for us to derive reliable statistics on Pawn Storm targets worldwide.

    To illustrate one of the credential phishing attacks Pawn Storm sends to its targets, we will focus on a particular attack on high-profile Yahoo users in early July 2015.

    Figure 5. Targeted Yahoo credential phishing e-mail

    This phishing attack tried to lure selected Yahoo users to give Pawn Storm full access to their mailboxes using OAuth—an open standard authentication protocol that Yahoo offers to app developers. Pawn Storm sent out phishing e-mails that offered a “Mail Delivery Service” for guaranteed delivery of e-mails. In reality, this service was built to allow attackers behind Pawn Storm to access their target’s accounts through OAuth. When Yahoo users would opt in, Pawn Storm would get unfettered access to the mailbox.

    The problem here is that the phishing links point to Yahoo’s legitimate OAuth website. Since this is the case, recipients of the phishing e-mails may think the phishing URL is harmless.


    Figure 6. Phishing site where Pawn Storm’s targets are lured into giving permission for full mailbox access
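    One way a defender can triage such a link, as an added example that is neither Yahoo’s nor Trend Micro’s code: because the authorization URL genuinely belongs to the provider, domain reputation checks pass, so the check below looks instead at the parameters of the request, namely whether the client_id is an application the organization has approved, whether the requested scope reaches into the mailbox, and whether the redirect_uri points at an approved host. The endpoint, client ids, scope names and allowlists are constructed placeholders; a real check would take them from the provider’s documentation and the organization’s own application inventory.

```c
/* Added example: a constructed triage check for an OAuth authorization link,
 * not Yahoo's or Trend Micro's code. The authorization endpoint, client ids,
 * scope names and allowlists are placeholders. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    OAUTH_FLAG_UNKNOWN_CLIENT   = 1,   /* client_id not on the approved-app list */
    OAUTH_FLAG_MAILBOX_SCOPE    = 2,   /* requested scope reaches into the mailbox */
    OAUTH_FLAG_FOREIGN_REDIRECT = 4    /* redirect_uri host is not an approved app host */
};

/* Placeholder allowlists assumed for this example. */
static const char *const approved_clients[]        = { "corp-calendar-sync", "corp-helpdesk-bot", NULL };
static const char *const approved_redirect_hosts[] = { "apps.corp.example", NULL };

static int in_list(const char *needle, const char *const *list) {
    for (; *list; list++)
        if (strcmp(needle, *list) == 0) return 1;
    return 0;
}

/* Decode %XX escapes and '+' into out (always NUL-terminated). */
static void percent_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (; *in && o + 1 < outlen; in++) {
        if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            in += 2;
        } else {
            out[o++] = (*in == '+') ? ' ' : *in;
        }
    }
    out[o] = '\0';
}

/* Copy the decoded value of query parameter `key` into out. Returns 1 if found. */
static int query_param(const char *url, const char *key, char *out, size_t outlen) {
    const char *q = strchr(url, '?');
    size_t klen = strlen(key);
    const char *p;
    if (!q) return 0;
    for (p = q + 1; *p; ) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            char raw[512];
            size_t vlen = plen - klen - 1;
            if (vlen >= sizeof raw) vlen = sizeof raw - 1;
            memcpy(raw, p + klen + 1, vlen);
            raw[vlen] = '\0';
            percent_decode(raw, out, outlen);
            return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Host part of scheme://host[:port]/path, copied into out. */
static void uri_host(const char *uri, char *out, size_t outlen) {
    const char *s = strstr(uri, "://");
    size_t n;
    s = s ? s + 3 : uri;
    n = strcspn(s, "/:?#");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, s, n);
    out[n] = '\0';
}

/* Returns a bitmask of OAUTH_FLAG_* findings; 0 means nothing suspicious.
 * The endpoint host itself is deliberately not scored: in the lure described
 * above it is the provider's genuine page, so the signal must come from the
 * request parameters. */
int assess_oauth_link(const char *url) {
    int flags = 0;
    char client[256], scope[256], redirect[512], host[256];
    if (!query_param(url, "client_id", client, sizeof client) || !in_list(client, approved_clients))
        flags |= OAUTH_FLAG_UNKNOWN_CLIENT;
    if (query_param(url, "scope", scope, sizeof scope) && strstr(scope, "mail"))
        flags |= OAUTH_FLAG_MAILBOX_SCOPE;
    if (query_param(url, "redirect_uri", redirect, sizeof redirect)) {
        uri_host(redirect, host, sizeof host);
        if (!in_list(host, approved_redirect_hosts))
            flags |= OAUTH_FLAG_FOREIGN_REDIRECT;
    }
    return flags;
}

/* Constructed links: a "mail delivery" style lure and an approved internal app. */
static const char *const lure_url =
    "https://login.provider.test/oauth2/request_auth?client_id=mail-delivery-service"
    "&redirect_uri=https%3A%2F%2Fmail-delivery.example%2Fcb&response_type=code&scope=mail-r+mail-w";
static const char *const benign_url =
    "https://login.provider.test/oauth2/request_auth?client_id=corp-calendar-sync"
    "&redirect_uri=https%3A%2F%2Fapps.corp.example%2Fcb&response_type=code&scope=calendar-r";

int main(void) {
    printf("lure flags: %d  benign flags: %d\n",
           assess_oauth_link(lure_url), assess_oauth_link(benign_url));
    return 0;
}
```

    The same three questions are what an administrator asks when reviewing third-party applications already authorized on user accounts. Revoking an unfamiliar grant that carries mailbox scope is what closes the access a consent phish obtained; a password change does not necessarily invalidate an existing OAuth grant.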

    Although we cannot say for sure what these spies’ intentions are, given the variety of this campaign’s targets, it looks like they are amassing a huge database of information, perhaps keeping tabs on possible threats to Russia. We are continually monitoring the campaign and its developments.

    This is the latest entry in a series of blog posts we have done on Operation Pawn Storm:

    Pawn Storm is also mentioned in our 2Q Security Roundup, A Rising Tide: New Hacks Threaten Public Technologies.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice