Category Archives: Hacking News

Memory corruption flaw in AMD Radeon driver allows VM escape

Experts at Cisco Talos group discovered a vulnerability in the AMD ATI Radeon ATIDXX64.DLL driver that could lead to VM escape.

Researchers at Cisco Talos group discovered a vulnerability in the AMD ATI Radeon ATIDXX64.DLL driver that be exploited by an attacker to escale the VM and execute code on the host.

This flaw affects the AMD Radeon RX 550 and the 550 series video cards and it could be exploited only when running VMWare Workstation 15.

The issue is an out-of-bounds memory write that could be triggered via a malformed pixel shader inside the VMware guest OS, to the AMD ATIDXX64.DLL driver.

“Some AMD Radeon cards contain a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15.” reads the post published by Talos.

AMD radeon rx-550-4gb

The vulnerability, tracked as CVE-2019-5049, has received a CVSS score of 9.0.

The flaw affects the ATIDXX64.DLL driver versions 25.20.15031.5004 and 25.20.15031.9002, it can only be exploited when VMware Workstation 15 version, 15.0.4,build-12990004 with Windows 10 x64 as the guestVM is running.

“An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine,” Talos continues.

The Talos team reported the flaw to AMD in early May and the vendor addressed it this week.

The experts released the following SNORT rules to detect exploitation attempts: Snort Rules: 49978, 49979

Cisco credited Piotr Bania of Cisco Talos for the discovery of this vulnerability.

Pierluigi Paganini

(SecurityAffairs – AMD Radeon, hacking)

The post Memory corruption flaw in AMD Radeon driver allows VM escape appeared first on Security Affairs.

United States government files civil lawsuit against Edward Snowden

The United States government sued Edward Snowden, the former CIA employee and NSA contractor, to block payment for his book, Permanent Record.

The US DoJ filed a lawsuit against Edward Snowden to prevent the former CIA employee and National Security Agency contractor from receiving the payment for his book, Permanent Record.

According to the civil lawsuit, filed in the Eastern District of Virginia, Snowden violated non-disclosure agreements signed when he was an employee at the US intelligence agencies.

“The United States today filed a lawsuit against Edward Snowden, a former employee of the Central Intelligence Agency (CIA) and contractor for the National Security Agency (NSA), who published a book entitled Permanent Record in violation of the non-disclosure agreements he signed with both CIA and NSA.” reads the press release published by the DoJ.

“The lawsuit alleges that Snowden published his book without submitting it to the agencies for pre-publication review, in violation of his express obligations under the agreements he signed. Additionally, the lawsuit alleges that Snowden has given public speeches on intelligence-related matters, also in violation of his non-disclosure agreements.”

The agreements require signatories to submit books and any publication to the agencies for review, before publishing it, to avoid the disclosure of classified information.

“Intelligence information should protect our nation, not provide personal profit,” declared G. Zachary Terwilliger, US Attorney for the Eastern District of Virginia, in a statement. “This lawsuit will ensure that Edward Snowden receives no monetary benefits from breaching the trust placed in him.”

The book, titled “Permanent Record,” has been released on September 17th, it was published by Henry Holt and Company.

Edward Snowden’s book includes details of the author’s life, including the description of his activity at the US intelligence agencies while they were buiding the Prism surveillance system.

The legal initiative of the UD DoJ aims at recovering all proceeds earned by Snowden, instead of blocking the publication of the book.

“The United States’ lawsuit does not seek to stop or restrict the publication or distribution of Permanent Record. Rather, under well-established Supreme Court precedent, Snepp v. United States, the government seeks to recover all proceeds earned by Snowden because of his failure to submit his publication for pre-publication review in violation of his alleged contractual and fiduciary obligations.” continues the press release.

The US DoJ also sued the publisher to prevent that payments are transferred to Snowden.

“The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements, including their pre-publication review obligations,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.

“This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.”

Edward Snowden lives in Russia since 2013 after leaking information about the US intelligence’s mass surveillance program, recently appealed to France’s government to grant him asylum.

Pierluigi Paganini

(SecurityAffairs – Edward Snowden, hacking)

The post United States government files civil lawsuit against Edward Snowden appeared first on Security Affairs.

Australia is confident that China was behind attack on parliament, political parties

Australia ‘s intelligence is sure that China is behind the cyberattacks that hit its parliament and political parties, but decided to not publicly accuse it.

According to the Reuters agency, Australia’s intelligence has evidence that the attacks that hit its parliament and political parties were orchestrated by China. Anyway the Australian government decided to not publicly accuse it to preserve trade relations with Beijing.

Reuters cited five sources within the Australian intelligence that attributed the attacks on its national parliament and three largest political parties before the general election in May to China-linked hackers.

“Australia’s cyber intelligence agency – the Australian Signals Directorate (ASD) – concluded in March that China’s Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters.” reported the Reuters.

“The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said.”

Australia Australian National University hack australian parliament house

Australia disclosed the attacks in February, at the time experts speculated the involvement of a nation-date actor without attributed the attacks to a specific threat actor.

China is Australia’s biggest trading partner and its not surprising that its government gathers intelligence on it. Beijing denied any involvement in the attacks and China’s Foreign Ministry pointed out that his country is also the target of numerous attacks.

“When investigating and determining the nature of online incidents there must be full proof of the facts, otherwise it’s just creating rumors and smearing others, pinning labels on people indiscriminately. We would like to stress that China is also a victim of internet attacks,” the Ministry told the Reuters.

“China hopes that Australia can meet China halfway, and do more to benefit mutual trust and cooperation between the two countries.”

When the Australian authorities discovered the attacks, the IT staff forced a password reset to every person working at the parliament.

According to information collected by Reuters, the hackers did access private emails and policy paper from members of the Liberal, National and Labor parties.

Australian experts shared their findings with the United States and the United Kingdom, the latter sent a team of cyber experts to Canberra to help investigate the attack.

“Australian investigators found the attacker used code and techniques known to have been used by China in the past, according to the two sources.” concludes the Reuters. “Australian investigators found the attacker used code and techniques known to have been used by China in the past, according to the two sources.”

Pierluigi Paganini

(SecurityAffairs – Australia, hacking)

The post Australia is confident that China was behind attack on parliament, political parties appeared first on Security Affairs.

Fraudulent purchases of digitals certificates through executive impersonation

Experts at ReversingLabs spotted a threat actor buying digital certificates by impersonating legitimate entities and then selling them on the black market.

Researchers at ReversingLabs have identified a new threat actor that is buying digital certificates by impersonating company executives, and then selling them on the black market. The experts discovered that digital certificates are then used to spread malware, mainly adware.

Threat actors sign their malware with legitimate digital certificates to avoid detection.

The experts provided details of a certificate fraud that leverages on the executive impersonation. The researchers provided evidence that the threat actors sold the purchased certificates to a cybercrime gang that used them to spread malware.

The analysis published by Reversinglabs provides technical details for each phase of the certificate fraud carried out by impersonating executive.

The fraud begins with the reconnaissance phase in which the attackers select the target to impersonate. Threat actors use publicly available information to select candidates that are usually well-established people working in the software industry.

Once identified, the threat actors scrape victim’s information from open sources, such as their public LinkedIn profile page. Then attackers set up legitimate-looking infrastructure for the entity they are impersonating in the attempt to deceive certificate authorities.

“The attacker aims to use the top-level domain confusion in order to mislead the certificate authority during their identity verification process. The gamble is that the person verifying the certificate issuance request will assume that the same company owns both the global .COM and the regional .CO.UK domains for their business.” reads the analysis published by the experts.

“Here’s where the choice of registrar becomes truly important. Since GDPR legislation came into effect, most EU domain registrars have agreed that WHOIS records are considered private and personally identifiable information. This makes knowing the true identity behind the registered domain name subject to a data release process – a bureaucratic procedure meant to be fulfilled in cases of a legitimate enquiry such as a trademark dispute or a law enforcement request.”

Once set up the infrastructure, the threat actors then proceed to purchase the certificates and verify them. The verification is done using a public antivirus scanning service, then the threat actors use the file scan record as “a clean bill of health” for potential buyers.

2019-04-30 07:07:59 – The first signed malicious file appears in the wild. The certificate is used to sign OpenSUpdater, an adware application that can install unwanted software on the client’s machine. This executable is cross-signed for timestamp verification via Symantec Time Stamping Services Signer service.” continues the analysis.

The experts pointed out that even if it is harder for the attacker to acquire digital certificates, the threat actors they tracked has shown that it is in fact possible to do so.

Pierluigi Paganini

(SecurityAffairs – digital certificates, hacking)

The post Fraudulent purchases of digitals certificates through executive impersonation appeared first on Security Affairs.

MobiHok RAT, a new Android malware based on old SpyNote RAT

A new Android malware has appeared in the threat landscape, tracked as MobiHok RAT, it borrows the code from the old SpyNote RAT.

Experts from threat intelligence firm SenseCy spotted a new piece of Android RAT, dubbed MobiHok RAT, that used code from the old SpyNote RAT.

At the beginning of July 2019, the experts spotted a threat actor dubbed mobeebom that was offering for sale an Android Remote Administration Tool (RAT) dubbed MobiHok v4 on a prominent English hacking forum.

The experts discovered that mobeebom is active on multiple Arab-speaking hacking forums under different pseudonyms, a circumstance that suggests that he is an Arab-speaker. Researchers also noticed that the posts published by the hacker were using poor English.

mobeebom has been promoting the MobiHok RAT through multiple channels, including YouTube and a dedicated Facebook page, since January 2019.

Mobihok

MobiHok is written in Visual Basic .NET and Android Studio, it allows to fully control the infected device. Experts pointed out that the latest release of the RAT implements new features, including a bypass to the Facebook authentication mechanism.

The analysis conducted by the experts suggests that the threat actor obtained SpyNote’s source code and made some minor changes to its code before reselling it online.

“However, from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.” continues the report.

“The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.”

In July 2016, experts from Palo Alto Networks a RAT offered for free called Spynote, much like OmniRat and DroidJack, today the malware can be purchased from a website on the surface web, or downloaded for free from a forum.

MobiHok supports several features, including access to files, access to the camera, keylogging, control over SMS and contacts, the ability to bypass both Samsung security mechanisms and Google Play mechanisms, and to bind itself to another APK app.

“To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being reselled by the threat actor under a different name.” concludes Sensecy.

Pierluigi Paganini

(SecurityAffairs – MobiHok RAT, malware)

The post MobiHok RAT, a new Android malware based on old SpyNote RAT appeared first on Security Affairs.

Delaler Leads, a car dealer marketing firm exposed 198 Million records online

Researcher discovered an unsecured database exposed online, belonging to car dealership marketing firm Dealer Leads, containing 198 million records.

The researcher Jeremiah Fowler discovered an unsecured database exposed online that belong to car dealership marketing firm Dealer Leads.

The archive containing 198 million records for a total of 413GB of data containing information of potential car buyers, vehicles, loan and finance inquiries, log data with IP addresses of visitors, and more.

“On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks, but was unable to identify the owner.” reports Security Discovery. “I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.”

Dealer Leads provides content relevant and related to the auto industry for franchise and independent car dealerships, the website of the company describes itself with the following statement.

“dominates the automotive digital marketing industry with highly used automobile search strings turned into online inventory advertising classified sites, service sites, finance sites etc. Car shoppers have needs, and DealerLeads matches those needs in live searches.”

The Elastic database was accessible to anyone with any browser, its records included name, email, phone, address, IP, and other sensitive or identifiable information, in plain text.

The archive also included IP addresses, ports, pathways, and storage info.

The good news is that after the expert reported his discovery to the company, it has secured the database restricting public access to the archive.

At the time of writing it is not clear how long the data remained exposed online and if someone had access to its records.

“Dealer Leads acted fast to restrict public access immediately after the notification. Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed.” Security Discovery concludes.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed,”

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Delaler Leads, a car dealer marketing firm exposed 198 Million records online appeared first on Security Affairs.

A bug in Instagram exposed user accounts and phone numbers

Facebook addressed a vulnerability in Instagram that could have allowed attackers to access private user information.

The security researcher @ZHacker13 discovered a flaw in Instagram that allowed an attacker to access account information, including user phone number and real name.

ZHacker13 discovered the vulnerability in August and reported the issue to Facebook that asked for additional time to address the issue. The social network giant has finally fixed the flaw.

“In putting this article together, I had the security researcher run tests on the platform and he successfully retrieved “secure” user data I know to be real. This data included users’ real names, Instagram account numbers and handles, and full phone numbers.” reads a post published by Forbes. “The linking of this data is all an attacker would need to target those users. It would also enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.”

The expert also warns that attackers could use automated scripts and bots to collect user data from the platform, linking users with their contact details.

Just a week before ZHacker13 disclosed the bug, phone numbers associated with 419 million accounts of the social network giant were exposed online.

It is not clear if the two incidents could have the same root cause.

“I found a high vulnerability on Instagram that can cause a serious data leak,” @ZHacker13 told to Forbes. “The vulnerability is still active—and it looks like Facebook are not very serious about pathing it.” Exploiting this vulnerability would enable an attacker using an army of bots and processors to build a searchable/ attackable database of users, bypassing protections protecting that data.”

The expert explained that he discovered by flaw by using the platform’s contact importer in combo with a brute-force attack on its login form.

The attack scenarios is composed of two steps:

  • The attacker carries out a brute force attack on Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account.
  • The attacker finds the account name and number linked to the phone number by exploiting Instagram’s Sync Contacts feature.

A Facebook spokesman explained that his company modified the contact importer in Instagram to address the flaw.

we have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts.” said the spokesman.

Facebook, after initial resistance, confirmed it is evaluating to reward @ZHacker13 for reporting the bug as part of its bug bounty program.

“Facebook had also told @ZHacker13 that although the vulnerability was serious, there was internal awareness of the issue and so it was not eligible for a reward under the bounty scheme.” continues the post. “This would have set a terrible precedent and disincentivized researchers from coming forwards with similar vulnerabilities. I questioned Facebook on its decision, and the company reconsidered and told me it has “reassessed” the discovery of the bug and would reward the researcher after all. “

Facebook pointed out that there is no evidence that any user data has been abused by threat actors.  

Pierluigi Paganini

(SecurityAffairs – Instagram, hacking)

The post A bug in Instagram exposed user accounts and phone numbers appeared first on Security Affairs.

The US Treasury placed sanctions on North Korea linked APT Groups

The US Treasury placed sanctions on three North Korea-linked hacking groups, the Lazarus Group, Bluenoroff, and Andarial.

The US Treasury sanctions on three North Korea-linked hacking groups, the Lazarus Group, Bluenoroff, and Andarial.

The groups are behind several hacking operations that resulted in the theft of hundreds of millions of dollars from financial institutions and cryptocurrency exchanges worldwide and destructive cyber-attacks on infrastructure. Lazarus Group is also considered the threat actors behind the 2018 massive WannaCry attack.

According to the Treasury, the three groups “likely” stole $571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.

Intelligence analysts believe the groups are under the control of the Reconnaissance General Bureau, which is North Korea’s primary intelligence bureau.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence.

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

Bluenoroff is considered a sub-group of the Lazarus APT that was formed by the North Korean government to earn revenue from hacking campaigns in response to increased global sanctions.  

“According to industry and press reporting, by 2018, Bluenoroff had attempted to steal over $1.1 billion dollars from financial institutions and, according to press reports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.” continues the US Treasury.

Andariel, is another Lazarus subgroup that focuses in targeting businesses, government agencies, and individuals. In conducted multiple attacks aimed at stealing bank card information and on ATMs.

Andariel carried out cyber attacks against online gambling and poker sites.

The sanctions placed by the US Treasury aim to lock the access to the global financial system and to freeze any assets held under US jurisdiction.

“As a result of today’s action, all property and interests in property of these entities, and of any entities that are owned, directly or indirectly, 50 percent or more by the designated entities, that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.” states the US Treasury. “OFAC’s regulations generally prohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons. “

Pierluigi Paganini

(SecurityAffairs – North Korea, hacking)

The post The US Treasury placed sanctions on North Korea linked APT Groups appeared first on Security Affairs.

WatchBog cryptomining botnet now uses Pastebin for C2

A new cryptocurrency-mining botnet tracked as WatchBog is heavily using the Pastebin service for command and control (C&C) operations.

Cisco Talos researchers discovered a new cryptocurrency-mining botnet tracked as WatchBog is heavily using the Pastebin service for command and control.

The WatchBog bot is a Linux-based malware that is active since last year, it targets systems to mine for the Monero virtual currency.

“Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.” states the analysis published by Cisco Talos.

“This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker’s intentions and abilities on a customer’s network by analyzing the various Pastebins.”

Recently, experts at Intezer researchers have spotted a strain of the Linux mining that also scans the Internet for Windows RDP servers vulnerable to the Bluekeep.

WatchBog

The new WatchBog variant includes a new spreader module along with exploits for the following recently patched vulnerabilities in Linux applications:

The malware also includes scanners for Jira and Solr flaws along with Brute-forcing module for CouchDB and Redis installs.

The operators behind the WatchBog botnet claim to be able to identify vulnerabilities in enterprise systems “before any ‘real’ hackers could do so,” and offer their protection services. However, every time the operators identify vulnerable hosts, the systems are recruited in the crypto-mining botnet,

“During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the “positive” intentions of this adversary.” continues Talos.

During the installation phase, the bot checks for running processes associated with other cryptocurrency miners, then it will use a script to terminate them.

Then determines whether it can write to various directories, checks the system architecture, and then makes three attempts to download and install a ‘kerberods’ dropper using wget or curl. .

The installation script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, then it downloads the miner. The script also checks if the ‘watchbog‘ process is running, if it is not founb, the ‘testa‘ or ‘download’ functions are called to install the version of the miner that match the target architecture.

The ‘testa‘ function is used to facilitate the infection process, is responsible for writing the various configuration data used by the miner.

The script downloads encoded Pastebins as a text file and gives it execution permissions. The script finally starts the Watchbog process and deletes the text file.

The ‘download’ function performs similar operations by writing the contents retrieved from various file locations, once determined the target architecture it installs the appropriate miner.

The WatchBog uses SSH for lateral movements, a specific script also checks for the existence of SSH keys into the target systems in the attempt to use it while targeting other systems.

Talos researchers also noticed that threat actors leverage a Python script that scans for open Jenkins and Redis ports on the host’s subnet for lateral movement. Attackers also rely on cron jobs to achieve persistence and attempt to cover their tracks by erasing or overwriting files and logs.

Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed.” concludes the report. “The best way to prevent such activity would be to ensure that all enterprise web applications are up to date,” Talos notes.

Pierluigi Paganini

(SecurityAffairs – WatchBog, malware)

The post WatchBog cryptomining botnet now uses Pastebin for C2 appeared first on Security Affairs.

Poland to establish Cyberspace Defence Force by 2024

Poland announced it will launch a cyberspace defense force by 2024 composed of around 2,000 soldiers with a deep knowledge in cybersecurity.

The Polish Defence Ministry Mariusz Blaszczak has approved the creation of a cyberspace defence force by 2024, it will be composed of around 2,000 soldiers with deep expertise in cybersecurity.

The news was reported by AFP, Blaszczak announced that the cyber command unit would start its operations in 2022.

“We’re well aware that in today’s world it’s possible to influence the situation in states by using these methods (cyberwar),” Mariusz Blaszczak told to local media at a military cyber training centre in Zegrze.

Poland Cyberspace Defence Force

The defence ministry is already looking for talent with the help of the HackYeah hackathon, it is already offering cash prizes to most skilled hackers. The HackYeah hackathon is one of the most important hacking events in Europe and according to the Polish government, it will attract the many talents and will incentive youngsters in a new profession.

The Ministry also added that Poland would have enough IT graduates by 2024 to provide the force with 2,000 personnel qualified in cyberdefense.

“Poland’s defense ministry is already looking for talent by partnering with the HackYeah hackathon to offer a total of 30,000 zlotys (6,900 euros, $7,650) in cash prizes for top hackers, according to a post the ministry’s website.” states the AFP agency.

Pierluigi Paganini

(SecurityAffairs – Poland, Cyberspace Defense Force)

The post Poland to establish Cyberspace Defence Force by 2024 appeared first on Security Affairs.