The Tianfu Cup 2019 International Cyber Security Competition has ended, and white hat hackers earned a total of $545,000 for working zero-day exploits.
During Day 1 of the Tianfu Cup 2019 contest, 13 hacking attempts out of a total of 32 were successful, 13 failed, and in 12 cases the researchers abandoned the attempt. Now that the competition has ended, let’s see what happened over the two days.
White hat hackers tested exploits targeting VMware, Microsoft, Google, Apple, D-Link, and Adobe products and earned a total of $545,000 for working zero-day exploits.
Researcher @xiaowei from the 360Vulcan team received the highest single reward ($200,000) for a working exploit against VMware vSphere ESXi that escaped from a guest virtual machine to the host.
The 360Vulcan team won the competition with a total of $382,500 for its exploits; second place went to the ddd team, which earned a total of $83,750 for exploits targeting Edge, Chrome, Adobe Reader, and D-Link routers.
Google has addressed an XSS vulnerability in Gmail that its own security staff described as “awesome.”
Michał Bentkowski, Chief Security Researcher at security firm Securitum, found an XSS vulnerability in Gmail and responsibly disclosed it this week, after Google had addressed it.
The flaw, described by Google staff as an awesome XSS issue, resides in the AMP4Email feature rolled out in July. Bentkowski reported the vulnerability through the Google Vulnerability Reward Program in August 2019.
AMP4Email makes it easier to manage dynamic content inside emails: it lets users take action directly from within the message, such as RSVPing to an event, filling out a questionnaire, browsing a catalog, or responding to a comment.
AMP4Email implements a strict validator that only allows an allowlist of tags and attributes in dynamic mails, but the allowlist still left room for cross-site scripting (XSS). The expert noticed that the id attribute is not disallowed on tags, so he decided to investigate whether AMP4Email could be subject to DOM Clobbering.
The expert verified that AMP4Email employs some protection against DOM Clobbering by forbidding certain values for the id attribute (e.g. AMP). However, the restriction did not cover AMP_MODE: clobbering that name made the code that loads AMP’s JavaScript files build a URL with an ‘undefined’ segment in the middle (https://cdn.ampproject.org/rtv/undefined/v0/amp-auto-lightbox-0.1.js), which resulted in a 404 error.
“AMP tries to get a property of AMP_MODE to put it in the URL,” continues the researcher. “Because of DOM Clobbering, the expected property is missing, hence undefined.”
The researcher discovered that the code creates a new ‘script’ element, then checks whether AMP_MODE.test and window.testLocation are both truthy.
Bentkowski discovered that it was possible to control the URL of that script by clobbering window.testLocation with crafted markup as well.
However, the injected script did not execute in the real-world case because of the Content-Security-Policy deployed by AMP.
“I didn’t find a way to bypass the CSP, but when trying to do so, I found an interesting way of bypassing dir-based CSP and I tweeted about it (later it turned out that the same trick was already used in a CTF in 2016). Google, in their bug bounty program, don’t actually expect bypassing CSP and pay a full bounty anyway. It was still an interesting challenge; maybe someone else will find a way to bypass it,” concludes the expert.
“In the post, I’ve shown how DOM Clobbering could be used to perform an XSS if certain conditions are met. It was surely an interesting ride! If you wish to play around with these kinds of XSS-es, have a look at my XSS Challenge, which was based on this very XSS.”
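The two policies at the heart of this bug, as an added illustration that is not code from Bentkowski’s write-up or from the AMP project: an exact-match denylist of id values (the kind that forbids AMP but lets AMP_MODE through) next to a stricter policy that namespaces author-supplied ids and rejects any id colliding with a global the page’s scripts read. The small simulation of named-element access and the loader that splices a version field into a CDN URL are modelled on the behaviour described above; the RESERVED_GLOBALS set, the “u-” prefix and the rtvVersion field name are assumptions made for the example.

```python
import re

# Names the write-up says the AMP loader reads from `window` (AMP_MODE and
# testLocation) plus a few standard browser globals; the set is illustrative.
RESERVED_GLOBALS = frozenset({"AMP", "AMP_MODE", "testLocation", "location",
                              "document", "name", "self", "top", "parent"})

TAG_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>")
ATTR_RE = re.compile(r"""([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def extract_ids(html):
    """Return (tag, id_value) for every start tag carrying an id attribute."""
    found = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        for a in ATTR_RE.finditer(attrs):
            if a.group(1).lower() == "id":
                found.append((tag, next(v for v in a.groups()[1:] if v is not None)))
    return found


def exact_denylist(html, banned=frozenset({"AMP"})):
    """Weak policy: block only a fixed list of exact id values."""
    return [(t, i) for t, i in extract_ids(html) if i in banned]


def collision_policy(html, reserved=RESERVED_GLOBALS, prefix="u-"):
    """Stricter policy: every author-supplied id must carry a namespace prefix,
    and no id may equal a global the page's scripts read (prefix is an assumption)."""
    return [(t, i) for t, i in extract_ids(html)
            if i in reserved or not i.startswith(prefix)]


def clobber(window, html):
    """Simulate named-element access: an element's id becomes a window property,
    but only where no own property of that name already exists."""
    win = dict(window)
    for tag, value in extract_ids(html):
        win.setdefault(value, {"tagName": tag.upper()})
    return win


def script_url(win, component="amp-auto-lightbox-0.1"):
    """Hypothetical loader in the shape the write-up describes: read a version
    field off AMP_MODE and splice it into a CDN URL (field name rtvVersion is an
    assumption). A clobbered AMP_MODE is an element with no such field, so the
    URL gains the same 'undefined' segment as the 404 URL quoted above."""
    mode = win.get("AMP_MODE")
    version = mode.get("rtvVersion") if isinstance(mode, dict) else None
    return "https://cdn.ampproject.org/rtv/%s/v0/%s.js" % (
        "undefined" if version is None else version, component)
```

Run `collision_policy` over attacker-controlled markup such as `<a id="AMP_MODE">` to see it rejected while `exact_denylist` passes it; `clobber` followed by `script_url` reproduces the undefined-segment URL.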
Below is the timeline of the Gmail XSS vulnerability:
15th Aug 2019 – report sent to Google
16th Aug 2019 – “nice catch!”
10th Sep 2019 – response from Google: “the bug is awesome, thanks for reporting!”
12th Oct 2019 – confirmation from Google that the bug is fixed (although in reality it happened way earlier)
Cyber security firm Venafi announced it has uncovered lookalike domains with valid TLS certificates that appear to target major retailers.
Venafi, Inc. is a private cybersecurity company that develops software to secure and protect cryptographic keys and digital certificates.
Ahead of the holiday shopping season, security experts from Venafi conducted a study of typosquatted domains used to target 20 major retailers in the United States, the United Kingdom, Australia, Germany, and France.
The researchers discovered 109,045 lookalike domains using valid TLS certificates to make them appear more trustworthy. The number has doubled compared to last year; by comparison, the study found that fewer than 19,890 certificates had been issued for legitimate retail domains.
Growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four times.
The total number of certificates used for look-alike domains is more than 400% greater than the number of authentic retail domains.
Over half (60%) of the look-alike domains studied use free certificates from Let’s Encrypt.
Experts pointed out that every region had its own lookalike domains. In the US, the researchers found 83,934 lookalike domains targeting retailers, over 49,500 of which imitate a single top U.S. retailer; in the same period, 14,784 certificates were issued for legitimate U.S. retail domains.
The situation is also worrisome in the U.K., where Venafi found the largest ratio of lookalike domains to legitimate ones: nearly 14,000 lookalike domains targeting U.K. retailers, more than six times the number of valid retail domains, against roughly 1,900 certificates for legitimate retail domains.
In Germany, there were roughly 7,000 certificates for typosquatted domains targeting retailers in the country; German lookalike domains are more likely to use certificates from Let’s Encrypt than those in any other region (85%).
In Australia, the experts found nearly 3,500 certificates for domains targeting local retailers, while the number in France was about 1,500.
“We continue to see rampant growth in the number of malicious, look-alike domains used in predatory phishing attacks,” said Jing Xie, senior threat intelligence researcher at Venafi. “This is a result of the push to encrypt more and potentially all web traffic, a trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection. Most businesses and many retailers don’t have the updated technology in place to find these malicious sites and remove them to protect their customers.”
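A minimal version of the kind of check Venafi’s study implies, as an added example that is not Venafi’s code or data: fold common homoglyph substitutions, compare the registrable label of each certificate subject name to a brand list by substring and edit distance, and tally the issuers of the lookalikes. The brand list, the certificate sample and the issuer names are constructed for the example; a real tool would read subject names from Certificate Transparency logs and use the Public Suffix List instead of the simplified suffix handling here.

```python
from collections import Counter

# Constructed data standing in for a brand list and a Certificate Transparency feed.
BRANDS = ["walmart", "target", "tesco"]
LEGIT_DOMAINS = {"walmart.com", "target.com", "tesco.com"}
SAMPLE_CERTS = [                       # (certificate subject name, issuer)
    ("walmart.com", "DigiCert"),
    ("wa1mart-deals.com", "Let's Encrypt"),
    ("walrnart.com", "Let's Encrypt"),
    ("walmart-login.net", "Let's Encrypt"),
    ("target.com", "DigiCert"),
    ("targett.com", "Sectigo"),
    ("tesco.com", "Sectigo"),
    ("tesco-rewards.co.uk", "Let's Encrypt"),
    ("example.org", "Let's Encrypt"),
]

# Character sequences that read alike in an address bar, mapped to the letter they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
TWO_PART_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def split_domain(domain):
    """Return (registrable label, registrable domain). Simplified suffix handling
    (co.uk-style suffixes only); a production tool should use the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    two_part = len(parts) >= 3 and parts[-2] in TWO_PART_SUFFIXES and len(parts[-1]) == 2
    tail = parts[-3:] if two_part else parts[-2:]
    return tail[0], ".".join(tail)


def normalize(label):
    """Fold homoglyph sequences so 'walrnart' and 'wa1mart' both compare as 'walmart'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, brands=BRANDS, legit=LEGIT_DOMAINS):
    """Brand the domain imitates (by embedding it, or by sitting within a small edit
    distance of it after homoglyph folding), or None for legitimate/unrelated names."""
    label, registrable = split_domain(domain)
    if registrable in legit:
        return None
    folded = normalize(label)
    for brand in brands:
        if brand in folded or levenshtein(folded, brand) <= max(1, len(brand) // 4):
            return brand
    return None


def report(certs=SAMPLE_CERTS):
    """Lookalike subject names grouped by brand, issuer counts, and the Let's Encrypt share."""
    by_brand, issuers = {}, Counter()
    for name, issuer in certs:
        brand = lookalike_of(name)
        if brand:
            by_brand.setdefault(brand, []).append(name)
            issuers[issuer] += 1
    total = sum(issuers.values())
    return by_brand, issuers, (issuers["Let's Encrypt"] / total if total else 0.0)
```

The substring rule catches `walmart-login.net`, the edit-distance rule catches `targett.com`, and the homoglyph fold catches `walrnart.com`; the issuer tally is what produces the “share of lookalikes on free certificates” figure the study reports.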
NextCry is a new ransomware that researchers spotted in the wild encrypting data on Linux servers running Nextcloud.
Security experts spotted a new ransomware, dubbed NextCry, that targets Nextcloud file sync and share instances.
The name comes from the extension the ransomware appends to the filenames of encrypted files. The malicious code targets Nextcloud instances and, at the time of the report, was not detected by any antivirus engine.
“xact64, a Nextcloud user, posted on the BleepingComputer forum some details about the malware in an attempt to find a way to decrypt personal files.” reads the post published by BleepingComputer that reported the news.
The user explained that even though his system was backed up, the synchronization process had started to overwrite the files on his laptop with the encrypted versions from the server.
“I realized immediately that my server got hacked and those files got encrypted.” said xact64. “The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted)”
The user provided the sample’s SHA1 hash to BleepingComputer, and the popular malware researcher Michael Gillespie analyzed it, confirming that the threat is new and that it Base64-encodes the file names. Gillespie added that the ransomware uses AES-256 to encrypt the files and that the key is encrypted with an RSA-2048 public key embedded in the ransomware’s code.
NextCry is a Python script packaged into a Linux ELF binary with PyInstaller.
The ransomware demands a ransom of 0.025 BTC (roughly $210 at the time of writing). The balance of the bitcoin wallet provided by the crooks shows that no one has paid the ransom so far.
Below is the ransom note dropped by the ransomware after the files have been encrypted:
“YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM – SEND 0.025 BTC TO THE FOLLOWING WALLET wallet address AND AFTER PAY CONTACT their email TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES”
The analysis of the compiled script, extracted by another member of the BleepingComputer forum, confirmed that the malicious code was designed to target Nextcloud users.
Once executed, NextCry reads the Nextcloud service’s config.php file to find the data directory of the file share and sync service. The malware then deletes some folders that could be used to restore files and encrypts all the files in the data directory.
Four days ago, another user, who goes online with the handle ‘alexpw’, published a message on the platform’s support page describing how his instance, running the latest version of the software, was infected. According to alexpw, the server was already locked down and used SSH key authentication.
“Just a warning. It seems there’s a vuln somewhere as my instance of NextCloud got taken over today. My server was locked down already, using SSH keys and NextCloud was up to date.” wrote the user.
The description shared by alexpw suggests that the attackers exploited a vulnerability in the server software.
On October 24, Nextcloud released an urgent alert for CVE-2019-11043, a remote code execution vulnerability in PHP-FPM that is reachable through certain NGINX configurations; experts warn that a public exploit for the issue is available.
“In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php–fpm configurations. If you do not run NGINX, this exploit does not affect you.” reads the alert.
“Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this attack.”
Nextcloud admins are advised to upgrade their PHP packages and to update their NGINX configuration file to the latest version.
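A small configuration audit for the pattern behind CVE-2019-11043, as an added example that is not Nextcloud’s or NGINX’s code: it finds PHP `location` blocks that split PATH_INFO out of the URI and hand it to FastCGI without first checking that the script file exists, and inserts the widely documented `try_files $fastcgi_script_name =404;` guard. The sample configuration is constructed in the shape of the Nextcloud NGINX example; the guard reduces the reachable surface for crafted URIs but is a workaround, and upgrading PHP-FPM to a fixed release, as the alert recommends, remains the real fix.

```python
import re

# Constructed Nextcloud-style PHP location: PATH_INFO is split out of the URI
# and passed straight to php-fpm, with no check that the script exists.
VULNERABLE_CONF = r"""
server {
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}
"""

GUARD = "try_files $fastcgi_script_name =404;"
LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{")


def php_locations(conf):
    """Return (matcher, body) for each `location` block whose matcher mentions .php."""
    blocks = []
    for m in LOCATION_RE.finditer(conf):
        if ".php" not in m.group(1):
            continue
        depth, i = 1, m.end()               # walk to the matching closing brace
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), conf[m.end():i - 1]))
    return blocks


def audit(conf):
    """Matchers of PHP locations that split PATH_INFO and hand it to FastCGI
    without first checking that the script file exists."""
    findings = []
    for matcher, body in php_locations(conf):
        splits = re.search(r"^\s*fastcgi_split_path_info\b", body, re.M)
        passes = re.search(r"^\s*fastcgi_pass\b", body, re.M)
        guarded = re.search(r"^\s*try_files\s+\$fastcgi_script_name\s+=404\s*;", body, re.M)
        if splits and passes and not guarded:
            findings.append(matcher)
    return findings


def harden(conf):
    """Insert the try_files guard as the first directive of every unguarded PHP location."""
    unguarded = set(audit(conf))

    def patch(m):
        if m.group(1).strip() not in unguarded:
            return m.group(0)
        return m.group(0) + "\n        " + GUARD

    return LOCATION_RE.sub(patch, conf)
```

Running `audit` on a live `nginx.conf` (after `nginx -T` to expand includes) lists the offending blocks; `harden` shows the corrected form to copy into the real configuration.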
With the advent of this year’s holiday shopping season, cybercriminals are using carding bots to test stolen payment card data before using it.
Cybercriminals need to test the validity of stolen card data before carrying out fraudulent transactions or selling it during the holiday shopping season, and they are automating this process with carding bots that make small purchases on smaller retailers’ websites.
“While investigating these increasing attacks against checkout pages during the months leading into the holiday season, the PerimeterX research team uncovered two new carding bots.” reads the analysis published by PerimeterX. “One of the new carding bots, dubbed the canary bot, exploits top e-commerce platforms, which could have a significant impact on thousands of websites if they are not blocked soon. The second carding bot, dubbed the shortcut bot, exploits the card payment vendor APIs used by a website or mobile app and bypasses the e-commerce website entirely.”
Researchers from PerimeterX spotted two such carding bots running carding attacks against e-stores ahead of the holiday shopping season.
The following graph shows the checkout page traffic across PerimeterX customers in September 2019.
Experts pointed out that real shoppers behave differently from bad actors: legitimate purchases drop in the weeks before the holiday season, whereas PerimeterX observed a spike in malicious traffic in the same period, in some cases exceeding 700% growth since September.
The first bot, dubbed ‘Canary’, was observed in at least two attacks aimed at a particular e-commerce platform used by thousands of businesses.
“Canary carding bots explore well-known platforms and test their vulnerabilities to carding attacks to exploit a potentially large number of e-commerce website users.” continues the analysis.
Researchers detected the first Canary bot attack after noticing a client presenting a Safari browser version from 2011 that changed IP address on a daily basis, with the addresses originating from cloud and colocation providers.
The bot attempted to mimic human behavior: it created a shopping cart, added products to it, and also provided shipping information.
The second attack associated with the Canary bot appeared more sophisticated: unlike the first one, it rotated both the IP address and the user agent to mimic real users on different mobile devices.
In this second attack, the bot mimicked a different human behavior, adding the products directly to the cart without visiting their pages first and then jumping straight to the checkout page.
The second carding bot, tracked as ‘Shortcut’, bypasses the e-commerce website altogether to evade detection.
“We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators.” state the researchers. “In general, our researchers have seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications.”
This second attack scenario involves external third-party services that handle payments. Attackers abuse the API endpoints these third-party services expose to validate credit cards.
The name “shortcut” comes from the fact that attackers access the payment services directly, without passing through the e-commerce website.
Experts observed three attacks involving the Shortcut bot against three websites selling apparel, sportswear, and a grocery shop.
Experts explained that threat actors will continue to use carding bots to validate stolen card data, even though today they are still relatively simple to detect.
“To be prepared, e-commerce website owners can take a number of actions. Firstly, since legitimate consumers would probably never attempt payment with an empty cart, website owners can prevent users from getting to the payment page without an item in the cart.” conclude the experts. “This basic practice increases the effort required by bots and stops simple carding attacks. Secondly, with bots improving constantly and mimicking user behavior, e-commerce website owners should pay more attention to advanced automated threats.”
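The detection signals described for the Canary and Shortcut bots, turned into a small per-client classifier over checkout-flow logs, as an added example that is not PerimeterX’s code: an obsolete Safari 5.x user agent, daily IP rotation across cloud or colocation ranges, checkout without ever adding to the cart, a cart filled without a single product page view, and payment-API calls with no site session at all. The log lines, the address ranges and the path names are constructed for the example; a real deployment would feed it from the web server’s access log and the providers’ published prefix lists.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefixes standing in for published cloud/colocation address ranges.
CLOUD_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

OLD_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.50 "
              "(KHTML, like Gecko) Version/5.1 Safari/534.50")
MODERN = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1")

# Constructed checkout-flow log: (client id, day, source ip, user agent, path).
SAMPLE_LOG = [
    ("c1", "2019-09-01", "203.0.113.5",  OLD_SAFARI, "/cart/add"),
    ("c1", "2019-09-01", "203.0.113.5",  OLD_SAFARI, "/checkout"),
    ("c1", "2019-09-02", "198.51.100.9", OLD_SAFARI, "/cart/add"),
    ("c1", "2019-09-02", "198.51.100.9", OLD_SAFARI, "/checkout"),
    ("c2", "2019-09-01", "192.0.2.40",   MODERN,     "/checkout"),
    ("c3", "2019-09-01", "203.0.113.88", MODERN,     "/api/payment/validate"),
    ("h1", "2019-09-01", "192.0.2.10",   MODERN,     "/product/42"),
    ("h1", "2019-09-01", "192.0.2.10",   MODERN,     "/cart/add"),
    ("h1", "2019-09-01", "192.0.2.10",   MODERN,     "/checkout"),
]

OBSOLETE_BROWSER = "obsolete browser"
ROTATING_CLOUD_IP = "daily ip rotation from cloud ranges"
EMPTY_CART_CHECKOUT = "checkout without adding to cart"
NO_PRODUCT_VIEW = "cart filled without viewing a product page"
API_ONLY = "payment api used without any site session"


def is_cloud(ip):
    return any(ip_address(ip) in net for net in CLOUD_RANGES)


def is_obsolete(ua):
    # Safari 5.x (Version/5.) shipped in 2010-2011; a client still sending it
    # in 2019 is almost certainly automation reusing an old user-agent string.
    return "Version/5." in ua and "Safari/" in ua


def classify(log):
    """Map each client to the list of bot indicators its traffic triggered."""
    by_client = defaultdict(list)
    for client, day, ip, ua, path in log:
        by_client[client].append((day, ip, ua, path))
    verdicts = {}
    for client, events in by_client.items():
        reasons = []
        days = {day for day, _, _, _ in events}
        ips = {ip for _, ip, _, _ in events}
        paths = [path for _, _, _, path in events]
        if any(is_obsolete(ua) for _, _, ua, _ in events):
            reasons.append(OBSOLETE_BROWSER)
        if len(days) > 1 and len(ips) >= len(days) and all(is_cloud(ip) for ip in ips):
            reasons.append(ROTATING_CLOUD_IP)
        if "/checkout" in paths and "/cart/add" not in paths:
            reasons.append(EMPTY_CART_CHECKOUT)
        if "/cart/add" in paths and not any(p.startswith("/product/") for p in paths):
            reasons.append(NO_PRODUCT_VIEW)
        if any(p.startswith("/api/payment/") for p in paths) and all(p.startswith("/api/") for p in paths):
            reasons.append(API_ONLY)
        verdicts[client] = reasons
    return verdicts
```

The empty-cart rule is the server-side control the researchers recommend; the remaining rules are the behavioural signals from the two investigations, and a client tripping several of them is a strong carding candidate.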
The Tianfu Cup 2019 International Cyber Security Competition has started, in two days white hat hackers will attempt to exploit flaws in major software.
The Tianfu Cup 2019 International Cyber Security Competition has started, white hat hackers will attempt to devise working zero-day exploits for popular software.
Each working exploit receives a cash prize and points that are assigned to the team that devised it, like the popular Pwn2Own hacking contest.
Chinese white hat hackers have a long history of success and won several international hacking contests in the past, but in 2018 the Chinese government prohibited Chinese experts from participating in this kind of competition abroad.
Following that decision, the Tianfu Cup was set up for the first time in the fall of 2018. Last year, white hat hackers earned more than $1 million for zero-day exploits disclosed at the Tianfu Cup PWN competition.
According to the organizers, in 2018 hackers earned $1,024,000 for a total of 30 vulnerabilities. Most of the amount of money, $620,000, was paid to a team from cybersecurity firm Qihoo 360. Other participants were teams from universities, Tencent, financial service provider Ant Financial, and independent researchers.
During Day 1 of the Tianfu Cup 2019 contest, 13 hacking attempts out of a total of 32 were successful, 13 failed, and in 12 cases the researchers abandoned the attempt.
Below is the list of successful attempts:
Researchers from the ddd (@ExpSky) and 360Vulcan (@mj0011sec) teams achieved remote code execution and sandbox escape on the version of Microsoft Edge based on the EdgeHTML engine. Each exploit was paid $55,000, while the .(dot) team got $10,000 for an RCE.
The 360Vulcan researcher @Xiaowei__ received the highest bounty for a single exploit on Day 1: he devised an exploit against qemu on Ubuntu and achieved partial control of the host, receiving $80,000.
Researchers discovered a vulnerability in Siemens SIMATIC S7-1200 programmable logic controller (PLC) that could allow attackers to execute arbitrary code on vulnerable devices.
Researchers discovered an undocumented access feature in Siemens SIMATIC S7-1200 programmable logic controller (PLC) that could be exploited by attackers to execute arbitrary code on affected devices.
The feature was discovered by a team of researchers from the Ruhr-University Bochum in Germany composed of Ali Abbasi, Tobias Scharnowski and Thorsten Holz.
The medium-severity flaw is tracked as CVE-2019-13945 and received a CVSS score of 6.8; the issue is hard to exploit because it requires deep knowledge of the operating system used by the Siemens SIMATIC S7-1200.
The Siemens S7 is considered one of the most secure controllers in the industry, it is used in power plants, traffic lights, water pumps, building control, production lines, aviation systems, and many other critical infrastructures.
The researchers focused their analysis on the firmware integrity verification process implemented in the Siemens SIMATIC S7-1200 PLC.
The mechanism is triggered on boot and leverages bootloader code stored on a separate SPI flash memory. The researchers discovered that the undocumented hardware access mode has been present in the bootloader code since 2013.
“There is an access mode used during manufacturing of S7-1200 CPUs that allows additional diagnostic functionality. Using this functionality requires physical access to the UART interface during boot process.” reads a security advisory published by Siemens. “Siemens is working on a solution and recommends specific countermeasures until the solution is available “
The access feature was implemented to provide additional diagnostic functionality, and it can be reached by an attacker who has physical access to the device.
The attacker can access the feature by sending a special command over the universal asynchronous receiver-transmitter (UART) interface during the boot process, before the PLC firmware is loaded.
An attacker could leverage the feature to achieve arbitrary code execution in the boot stage.
The experts have developed a proof-of-concept (PoC) exploit that allows writing data to the flash chip by leveraging the PLC’s firmware update feature.
The experts reported the flaw to Siemens in March and the company confirmed that it is working on a fix.
The advisory published by Siemens includes the following specific workarounds and mitigations that customers can apply to reduce the risk:
The popular messaging platform WhatsApp made the headlines again, a new bug could be exploited by hackers to secretly install spyware.
According to the website The Hacker News, WhatsApp has recently fixed a critical vulnerability, tracked as CVE-2019-11931, that could have allowed attackers to remotely compromise targeted devices.
The CVE-2019-11931 is a stack-based buffer overflow issue that affects the way WhatsApp handles the elementary stream metadata of an MP4 file.
“A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.” reads an advisory published by Facebook. “This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.”
The issue could trigger a DoS condition or be exploited by a remote attacker to execute arbitrary code on the target device.
The flaw could be exploited by sending a maliciously crafted MP4 file via WhatsApp.
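The class of check that a length-driven overflow in MP4 metadata parsing comes down to, as an added example that is not WhatsApp’s or Facebook’s code and makes no claim about where their bug was: a box walker that validates every declared box size against the bytes actually present before recursing, plus a bounded reader for the expandable-length descriptor header used in the elementary stream descriptor (esds) box. The sample files are constructed and their nesting is simplified (a real esds sits inside the stsd/mp4a sample entry); the point is that the parser refuses oversized or truncated lengths instead of copying on trust.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}


class MalformedMP4(ValueError):
    """Raised instead of trusting a length field that does not fit the data."""


def box(kind, payload=b""):
    """Build a box: 32-bit big-endian size (header included), 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def read_descriptor(buf, off, end):
    """Read an MPEG-4 descriptor header as found in esds: a 1-byte tag followed by
    an expandable length of 1..4 bytes (7 payload bits each, MSB = continuation).
    Returns (tag, body_start, body_end) only if the declared body fits in buf[off:end]."""
    if off >= end:
        raise MalformedMP4("no room for descriptor tag at offset %d" % off)
    tag, off, length = buf[off], off + 1, 0
    for _ in range(4):
        if off >= end:
            raise MalformedMP4("truncated descriptor length at offset %d" % off)
        b, off = buf[off], off + 1
        length = (length << 7) | (b & 0x7F)
        if not b & 0x80:
            break
    else:
        raise MalformedMP4("descriptor length longer than 4 bytes")
    if length > end - off:
        raise MalformedMP4("descriptor declares %d bytes, only %d available" % (length, end - off))
    return tag, off, off + length


def parse_boxes(buf, start=0, end=None):
    """Walk the boxes in buf[start:end], recursing into containers and checking
    the esds descriptor; every declared size is validated before it is used."""
    end = len(buf) if end is None else end
    boxes, off = [], start
    while off < end:
        if end - off < 8:
            raise MalformedMP4("truncated box header at offset %d" % off)
        size, kind = struct.unpack_from(">I4s", buf, off)
        hdr = 8
        if size == 1:                          # 64-bit largesize follows the type
            if end - off < 16:
                raise MalformedMP4("truncated largesize at offset %d" % off)
            size, hdr = struct.unpack_from(">Q", buf, off + 8)[0], 16
        elif size == 0:                        # box runs to the end of its parent
            size = end - off
        # Compare against the remaining length rather than computing off + size,
        # so the same check cannot overflow when ported to fixed-width integers.
        if size < hdr or size > end - off:
            raise MalformedMP4("box %r at offset %d declares %d bytes, %d available"
                               % (kind, off, size, end - off))
        body_start, body_end = off + hdr, off + size
        children = []
        if kind in CONTAINERS:
            children = parse_boxes(buf, body_start, body_end)
        elif kind == b"esds":
            if body_end - body_start < 4:
                raise MalformedMP4("esds too short for version/flags")
            read_descriptor(buf, body_start + 4, body_end)
        boxes.append((kind, size, children))
        off += size
    return boxes


def is_safe(buf):
    """(True, None) when every length in the file fits, else (False, reason)."""
    try:
        parse_boxes(buf)
        return True, None
    except MalformedMP4 as exc:
        return False, str(exc)


# Constructed samples (simplified layout; a real esds sits under stsd/mp4a).
ES_DESCRIPTOR = bytes([0x03, 0x03, 0x00, 0x01, 0x00])      # tag 3, length 3, ES_ID=1, flags=0
GOOD = (box(b"ftyp", b"isom\x00\x00\x02\x00isomiso2mp41")
        + box(b"moov", box(b"trak", box(b"mdia", box(b"minf",
              box(b"stbl", box(b"esds", b"\x00\x00\x00\x00" + ES_DESCRIPTOR)))))))
BAD_SIZE = box(b"ftyp", b"isom") + struct.pack(">I4s", 0xFFFFFFF0, b"moov")  # claims ~4 GB
BAD_DESC = box(b"esds", b"\x00\x00\x00\x00" + bytes([0x03, 0x7F, 0x00]))    # claims 127 bytes, has 1
```

`is_safe` accepts the well-formed sample and rejects both the box whose size exceeds the file and the descriptor whose length exceeds its box; in a C parser the equivalent checks guard the memcpy into a fixed-size stack buffer.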
The vulnerability affects WhatsApp for Android, iOS, and Windows Phone, as well as the Enterprise Client and the Business apps, in the versions listed in the advisory above.
In October, a security researcher that goes online with the moniker Awakened discovered a double-free vulnerability in WhatsApp for Android and demonstrated how to leverage on it to remotely execute arbitrary code on the target device.
The expert reported the issue to Facebook that acknowledged and addressed the flaw with the release of WhatsApp version 2.19.244.
In May, Facebook patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, that has been exploited to remotely install spyware on phones by calling the targeted device.
The WhatsApp zero-day vulnerability is a buffer overflow issue that affects the WhatsApp VOIP stack. The flaw could be exploited by a remote attacker to execute arbitrary code by sending specially crafted SRTCP packets to the targeted mobile device.
In the case of the CVE-2019-11931 flaw, it is not clear if the issue was exploited in attacks in the wild.
A working exploit for the checkm8 BootROM vulnerability is now available, and security experts fear that threat actors could use it in attacks in the wild.
This week, the “unpatchable” jailbreak for the checkm8 BootROM vulnerability, known as Checkra1n, was officially released, potentially threatening millions of devices.
“This release is an early beta preview and as such should not be installed on a primary device. We strongly recommend proceeding with caution.” reads the page set up for the checkra1n exploit.
In September, the security expert Axi0mX released a new BootROM exploit, dubbed Checkm8, that works on all iOS devices running on A5 to A11 chipsets. It works with all Apple products released between 2011 and 2017, including iPhone models from the 4S to the 8 and X.
The expert who devised Checkm8 described it as “a permanent unpatchable bootrom exploit”; however, it is essential to highlight that the exploit only leads to a jailbreak when chained with other flaws.
Bootrom flaws are very dangerous because they are permanent and can’t be addressed via software: patching a Bootrom flaw requires physically modifying the chips.
Axi0mX’s exploit code is marked as a “beta” release, but experts warned of the concrete possibility that expert coders or intelligence agencies will integrate it into hacking tools and malware. Experts pointed out that the exploit needs physical access to the device, so it cannot be used remotely.
Now the checkm8 BootROM vulnerability has a working, publicly available exploit: the checkra1n iPhone jailbreak.
“Checkra1n is unprecedented in potential impact, with millions of devices at risk as a result of the extensive device and iOS targets,” said Christopher Cinnamo, senior vice president of product management at Zimperium.
The tool leverages the checkm8 BootROM exploit that was released in September, but experts warn that it is not correct to consider the jailbreak permanent because, as explained by Christoph Hebeisen, head of security research at Lookout, “the device will be ‘un-jailbroken’ by a reboot.”
This limitation could be overcome by gaining persistence with a malicious app that executes the exploit after the reboot.
Experts explained that it is not easy to use the exploit to jailbreak a target’s device, because it needs physical access to an unlocked iPhone tethered to a macOS computer running the exploit code.
However, the risk of exploitation is concrete in multiple scenarios, such as device inspection while crossing the borders of countries with strict censorship.
In July, the media reported that Chinese border guards were secretly installing a surveillance app on the smartphones of tourists and travelers entering the Xinjiang region from Kyrgyzstan.
“[An attack] can happen with device theft or when a device must be handed over for inspection while crossing international borders. For example, a few months ago it was reported that Chinese border guards put secret surveillance app on tourists’ phones,” explained Hebeisen.
Because Checkra1n leverages the unpatchable checkm8 vulnerability in the BootROM, the only way to protect devices from the exploit is to upgrade to an iPhone XR or more recent.
Sergiy P. Usatyuk, the administrator of several DDoS-for-hire services, was sentenced to 13 months in prison and three years of supervised release.
Sergiy P. Usatyuk, a man who operated several DDoS-for-hire services, was sentenced to 13 months in prison, followed by three years of supervised release.
DDoS-for-hire services, aka stressers or booters, allow crooks to launch large-scale DDoS attacks by paying a subscription fee.
“An Orland Park, Illinois, resident was sentenced yesterday to 13 months in prison, followed by three years of supervised release on one count of conspiracy to cause damage to internet-connected computers for his role in owning, administering and supporting illegal booter services that launched millions of illegal denial of service, or DDoS, attacks against victim computer systems in the United States and elsewhere.” reads the press release published by the DoJ.
The defendant made hundreds of thousands of dollars by launching millions of DDoS attacks with the platforms he operated with a co-conspirator from August 2015 to November 2017.
The list of illegal DDoS-for-hire services operated by the man includes ExoStress.in (“ExoStresser”), QuezStresser.com, Betabooter.com (“Betabooter”), Databooter.com, Instabooter.com, Polystress.com, and Zstress.net.
An advertisement on the ExoStresser website (exostress.in) said that the booter service alone had launched 1,367,610 DDoS attacks and caused targeted victim computer systems to suffer 109,186.4 hours of network downtime.
According to the authorities, Betabooter was used by one of the subscribers to the service in November 2016 to hit the school district in the Pittsburgh, Pennsylvania area, with a series of DDoS attacks. The attacks disrupted the computer systems of 17 organizations that shared the same infrastructure, including other school districts, the county government, the county’s career and technology centers, and a Catholic Diocese in the area.
DDoS-for-hire was a profitable business for Usatyuk and his co-conspirator, who reportedly made over $550,000 from charging subscriber fees to paying customers of their booter services, as well as from selling advertising space to other booter operators.
The man was sentenced on one count of conspiracy to cause damage to internet-connected computers for launching millions of DDoS attacks.
Chief U.S. District Judge Terrence W. Boyle also ordered Usatyuk to forfeit dozens of servers and other electronic equipment, as well as $542,925 in proceeds from his illegal scheme.
“DDoS-for-hire services pose a malicious threat to the citizens of our district, as well as districts across the country, by impeding critical access to the internet and jeopardizing safety and security in the process,” said U.S. Attorney Robert J. Higdon Jr. for the Eastern District of North Carolina. “The operation and use of these services to disrupt the operations of our businesses and other institutions cannot be tolerated. Anyone who weaponizes web traffic in this manner will be vigorously pursued and prosecuted by my office.”
The computer network of Australian Parliament was hacked earlier this year, and hackers exfiltrated data from the computers of several elected officials.
According to the Australian Broadcasting Corp (ABC), earlier this year hackers penetrated the computer network of Australian Parliament and stole data from the computers of several elected officials.
The intrusion was discovered on January 31, 2019; Australian security agencies monitored it for a week before shutting down the network in an attempt to evict the threat actors. The incident was detailed by Senate President Scott Ryan, who informed a parliamentary committee of the intrusion, according to the ABC.
“A small number of users visited a legitimate external website that had been compromised,” Senate President Scott Ryan told a parliamentary committee. “This caused malware to be injected into the parliamentary computer network.”
“They shut the system down on February 8, after two senators and a small number of lower house members had ‘non-sensitive’ data stolen,” the ABC reported.
According to the Australian Broadcasting Corp, the hackers stole “non-sensitive” data belonging to two senators and a small number of lower house members.
Security staff at the Parliament notified users of the incident and, as a precautionary measure, shut down the Parliament’s IT system in order to reset users’ passwords.
The Australian government did not provide further details about the hack; it is only known that malware infected some computers after users visited a legitimate external website that had previously been compromised.
Personnel and users at the Parliament were not temporarily blocked from accessing personal email accounts like Gmail.
Australia disclosed the attack in February; at the time, experts speculated about the involvement of a nation-state actor without attributing the attack to a specific threat actor.
In September, it emerged that Australian intelligence had gathered evidence that the attacks on its parliament and political parties were orchestrated by China; however, the Australian government decided not to publicly accuse Beijing in order to preserve trade relations.
Reuters cited five sources within Australian intelligence who attributed the attacks on the national parliament and the three largest political parties, carried out before the general election in May, to China-linked hackers.
“The cyber intelligence agency, the Australian Signals Directorate, concluded in March that China’s Ministry of State Security was responsible for the attack but recommended keeping the findings secret to avoid disrupting trade relations with Beijing” states the Reuters report.
A new threat actor tracked as TA2101 is conducting malware campaigns using email to impersonate government agencies in the United States, Germany, and Italy.
A new threat actor, tracked as TA2101, is using email to impersonate government agencies in the United States, Germany, and Italy in order to deliver multiple families of malware, including ransomware and banking Trojans.
The phishing campaigns delivering malicious attachments have been observed since the end of October. According to Proofpoint researchers, the new threat actor has been impersonating the United States Postal Service, the German Federal Ministry of Finance, and the Italian Revenue Agency.
“Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware.” reads the analysis published by Proofpoint. “Between October 16 and November 12, 2019, Proofpoint researchers observed the actor sending malicious email messages to organizations in Germany, Italy, and the United States, targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing, and healthcare.”
Between October and November 2019, TA2101 ran a malspam campaign against targets in Germany that impersonated the German Federal Ministry of Finance (“Bundeszentralamt für Steuern”).
The spam messages pose as a notification from the agency informing recipients of a tax refund. The emails carry malicious Word attachments that claim to contain instructions on how to request the refund.
Once the user opens the attachment and enables macros, the malicious code installs the Cobalt Strike pentesting tool or the Maze ransomware on the victim’s computer.
The threat actors also targeted IT support companies, aiming to compromise managed service providers (MSPs) and use their access to deliver the Maze ransomware to the providers’ clients.
Another campaign observed by Proofpoint targeted German users by impersonating the German internet service provider 1&1 Internet AG.
On October 29, Proofpoint observed dozens of emails attempting to deliver weaponized Microsoft Word attachments with Italian lures impersonating the Italian Revenue Agency, the “Agenzia delle Entrate”.
This bait email claims to be a notice from the agency informing recipients about new activities related to the fight against tax evasion.
Proofpoint also observed a campaign using emails pretending to be sent by the United States Postal Service. The spam messages contained malicious Word doc attachments named “USPS_Delivery.doc”.
The campaign is similar to the Italian one: the messages ask users to enable macros in order to decrypt the allegedly RSA-encrypted content.
If a user enables the macros in this campaign, they download and execute the IcedID banking Trojan on the victim’s computer.
“These spoofs are notable for using convincing stolen branding and lookalike domains of European taxation agencies and other public-facing entities such as Internet service providers. Most recently, the actor has attacked US organizations spoofing the United States Postal Service.” concludes Proofpoint. “The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape.”
Similar to Inter, Pipka allows configuring which fields in the target forms it will parse and extract. The skimmer software is able to capture payment account number, expiration date, CVV, and cardholder name and address, from the checkout pages of the targeted sites.
In the cases investigated by PFD, the skimmer was configured to check for the payment account number field. Captured data is base64 encoded and obfuscated with ROT13 (a simple letter-substitution cipher, not real encryption, so the exfiltrated strings are trivially recoverable). Before sending data to the C2, the skimmer checks whether the same string was previously sent, in order to avoid transmitting duplicates.
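The encoding and de-duplication steps described above are easy to reproduce, which is useful when triaging captured POST bodies. The following is an added example for analysts, not Visa PFD’s advisory code nor the skimmer’s own; it assumes the outbound transform is ROT13 applied to base64(JSON of the harvested fields), and both the JSON serialisation and the order of the two steps are assumptions, since the advisory text above does not state them. The card data is constructed test input.

```python
"""Recover and de-duplicate Pipka-style exfiltration strings.

Added example for analysts, not Visa PFD's or the skimmer's code. It assumes
the outbound transform is ROT13 applied to base64(JSON of the harvested
fields); the real sample's field serialisation and the exact order of the two
steps are not given in the advisory text, so both are assumptions here.
"""
import base64
import binascii
import codecs
import hashlib
import json
from typing import Dict, List

# Constructed checkout data standing in for what the skimmer reads from the form
# (4111... is a standard test card number, not a real account).
SAMPLE_FIELDS: Dict[str, str] = {
    "cc_number": "4111111111111111",
    "exp": "12/24",
    "cvv": "123",
    "name": "Jane Doe",
    "address": "1 Example Street, Springfield",
}


def obfuscate(fields: Dict[str, str]) -> str:
    """Skimmer side: JSON -> base64 -> ROT13 (assumed order)."""
    raw = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return codecs.encode(base64.b64encode(raw).decode("ascii"), "rot_13")


def deobfuscate(blob: str) -> Dict[str, str]:
    """Analyst side: ROT13 is its own inverse, so apply it again, then base64-decode."""
    return json.loads(base64.b64decode(codecs.decode(blob, "rot_13"), validate=True))


def is_rot13_wrapped_base64(blob: str) -> bool:
    """Triage heuristic. ROT13 only rotates letters, so the blob still uses the
    base64 alphabet and a naive base64 decode 'succeeds' but yields garbage;
    undoing ROT13 first is what produces readable JSON."""
    try:
        base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False          # not even base64-shaped
    try:
        deobfuscate(blob)
    except (ValueError, binascii.Error):
        return False          # plain base64, or something else entirely
    return True


class ExfilQueue:
    """Replicates the 'already sent?' check: a hash of each blob is remembered
    and the same capture is never transmitted twice."""

    def __init__(self) -> None:
        self._seen = set()
        self.sent: List[str] = []

    def submit(self, fields: Dict[str, str]) -> bool:
        blob = obfuscate(fields)
        key = hashlib.sha256(blob.encode("ascii")).hexdigest()
        if key in self._seen:
            return False
        self._seen.add(key)
        self.sent.append(blob)   # a real skimmer would POST this to its C2 here
        return True


if __name__ == "__main__":
    q = ExfilQueue()
    q.submit(SAMPLE_FIELDS)
    q.submit(SAMPLE_FIELDS)          # duplicate, suppressed
    for blob in q.sent:
        print(blob, "->", deobfuscate(blob))
```

The practical tell is the one `is_rot13_wrapped_base64` encodes: a ROT13-wrapped blob passes strict base64 validation and decodes cleanly to bytes that are not valid text, which is exactly when an analyst should try a letter rotation before anything more elaborate.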
Experts noticed that all the samples they analyzed contained the same value for scriptId: ‘#script’. One sample analyzed by the experts was specifically customized to target two-step checkout pages that collect billing data on one page and payment account data on another.
“This sample uses two different lists to target form fields, inputsBill and inputsCard, and the variable curStep to calculate which form’s data is being stored in a cookie instead of the variable name trigger.” continues the advisory.
The Pipka skimmer implements an unusual anti-forensics feature: after it executes, it removes its own script from the HTML of the hosting page, so an analyst inspecting the live DOM may not see the code that the server actually delivered.
VISA PFD believes that Pipka will continue to evolve and that its use will increase in the cybercrime ecosystem to target eCommerce merchant websites.
Symantec addressed a local privilege escalation flaw that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2.
Symantec addressed a local privilege escalation flaw, tracked as CVE-2019-12758, that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2. The vulnerability could be exploited by attackers to escalate privileges on target devices and carry out malicious actions, including the execution of malicious code with SYSTEM privileges.
The issue is similar to other vulnerabilities discovered by researchers from SafeBreach Labs in antivirus solutions from several security vendors, including McAfee, Trend Micro, Check Point, Bitdefender, AVG and Avast.
The flaws could allow attackers to bypass the self-defense mechanism of the antivirus solutions and deliver persistent malicious payloads.
Like other DLL hijacking issues in security solutions, the Symantec Endpoint Protection flaw can only be exploited by attackers who already hold Administrator privileges, since planting a DLL under C:\Windows requires them; its practical impact is therefore bypassing the product’s self-defense and gaining persistent code execution as SYSTEM, rather than a true low-privilege-to-SYSTEM escalation.
“This vulnerability could have been used in order to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process which is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.” reads the advisory published by SafeBreach.
“we found a service (SepMasterService) of the Symantec Endpoint Protection which is running as signed process and as NT AUTHORITY\SYSTEM, which is trying to load the following DLL which doesn’t exist: c:\Windows\SysWOW64\wbem\DSPARSE.dll”
In the case of Symantec Endpoint Protection, the experts found that the SepMasterService service, which runs as a signed process under NT AUTHORITY\SYSTEM, attempts to load a DLL from the following path, where no such file exists: c:\Windows\SysWOW64\wbem\DSPARSE.dll
The researchers tested the flaw by compiling a 32-bit Proxy DLL (unsigned) out of the original dsparse.dll DLL file, which writes the name of the process which loaded it, the username which executed it and the name of the DLL file. Then the experts implanted it in C:\Windows\SysWow64\Wbem, and restarted the computer:
“We were able to load an arbitrary Proxy DLL (which loaded another arbitrary DLL) and execute our code within a service’s process which is signed by Symantec Corporation as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continues the analysis.
“There are two root causes for this vulnerability:
No digital signature validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.
The fastprox.dll library is trying to import the dsparse.dll from its current working directory (CWD), which is C:\Windows\SysWow64\Wbem, while the file is actually located in the SysWow64 folder.”
Symantec addressed the flaw with the release of the Symantec Endpoint Protection 14.2 RU2 on October 22, 2019.
“The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the services are being loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time it is restarted.” concludes SafeBreach.
Security vulnerabilities in Qualcomm’s TrustZone implementation allow attackers to steal private data from hundreds of millions of devices, especially Android smartphones.
Security experts from Check Point have discovered security flaws in Qualcomm’s Secure Execution Environment that could be exploited by attackers to steal private data from the so-called TrustZone.
TrustZone is a hardware security extension that ARM integrates into its Cortex-A processors; it splits the CPU into a “Normal World”, where the main operating system runs, and an isolated “Secure World” that hosts a separate trusted operating system.
ARM TrustZone is present in virtually all modern mobile devices; the most popular commercial implementations of a Trusted Execution Environment (TEE) on ARM hardware are:
Qualcomm’s Secure Execution Environment (QSEE), used on Pixel, LG, Xiaomi, Sony, HTC, OnePlus, Samsung and many other devices.
Trustonic’s Kinibi, used on Samsung devices for the European and Asian markets.
HiSilicon’s Trusted Core, used on most Huawei devices.
The flaws affect the first of the above implementations, Qualcomm’s Secure Execution Environment (QSEE).
The QSEE is a sort of hardware enclave that protects sensitive information (i.e. private encryption keys, passwords, payment card credentials) and offers a separate secure environment for executing Trusted Applications.
“TEE code is highly critical to bugs because it protects the safety of critical data and has high execution permissions. A vulnerability in a component of TEE may lead to leakage of protected data, device rooting, bootloader unlocking, execution of undetectable APT, and more.” reads the analysis published by Check Point. “Therefore, a Normal world OS restricts access to TEE components to a minimal set of processes. Examples of privileged OS components are DRM service, media service, and keystore. However, this does not reduce researchers’ attention to the TrustZone.”
The experts reverse-engineered Qualcomm’s Secure World operating system and built a custom fuzzing tool to find the vulnerabilities.
“We can now execute a trusted app in the Normal world. We found a way to load a patched version of signed trustlet in the Secure world and adapted the CPU emulator to communicate with it. In other words, we emulated a trustlet’s command handler on the Android OS. All that’s left to do is to repeatedly call the command handler with different inputs generated on the basis of code coverage metrics. The QEMU emulator can be used to produce such metrics.” reads the analysis. “The prepared fuzzer easily found that the prov trustlet can be crashed by the following packet.”
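The loop Check Point describes (call the emulated command handler repeatedly, keep inputs that reach new code, report the first crash) is worth seeing end to end. The following is an added example, not Check Point’s fuzzer nor any Qualcomm trustlet code: the command handler is a constructed stand-in whose packet layout (command byte, length byte, payload) and bug are assumptions, and line hit counts gathered with `sys.settrace` stand in for the QEMU coverage metrics. Only the method matches the description above.

```python
"""Coverage-guided fuzzing of an emulated command handler.

Added example, not Check Point's fuzzer nor Qualcomm's trustlet code. The
handler below is a constructed stand-in whose packet layout (cmd, len,
payload) and bug are assumptions; only the method matches the description:
call the handler repeatedly, keep inputs that reach new coverage (here, line
hit-count buckets collected with sys.settrace instead of QEMU), and report
the first input that crashes it.
"""
import random
import sys
from typing import Dict, List, Optional, Set, Tuple

BUF_SIZE = 16


def command_handler(packet: bytes) -> int:
    """Constructed trustlet-style handler: cmd(1) | len(1) | payload.
    Bug: cmd 0x01 trusts the len byte while copying into a 16-byte buffer,
    so a long payload walks off the end (IndexError stands in for a crash)."""
    if len(packet) < 2:
        return -1
    cmd, length = packet[0], packet[1]
    buf = bytearray(BUF_SIZE)
    if cmd == 0x01:
        payload = packet[2:]
        for i in range(min(length, len(payload))):
            buf[i] = payload[i]
        return 0
    if cmd == 0x02:
        return BUF_SIZE
    return -2


def run_with_coverage(packet: bytes) -> Tuple[Dict[int, int], Optional[str]]:
    """Execute the handler once, counting hits per source line (our coverage
    metric), and report the exception name if it crashed."""
    hits: Dict[int, int] = {}

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is command_handler.__code__:
            hits[frame.f_lineno] = hits.get(frame.f_lineno, 0) + 1
        return tracer

    sys.settrace(tracer)
    try:
        command_handler(packet)
        crash = None
    except Exception as exc:
        crash = type(exc).__name__
    finally:
        sys.settrace(None)
    return hits, crash


def bucket(count: int) -> int:
    """AFL-style hit-count buckets: 1, 2, 3, 4-7, 8-15, 16-31, 32+.
    Without buckets every loop iteration count would look identical and the
    fuzzer would never be rewarded for growing the payload."""
    for limit in (1, 2, 3, 7, 15, 31):
        if count <= limit:
            return limit
    return 32


def signature(hits: Dict[int, int]) -> Set[Tuple[int, int]]:
    return {(line, bucket(n)) for line, n in hits.items()}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Stack 1-4 havoc-style mutations: byte set, insert, delete, append chunk."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 2 and buf:
            del buf[rng.randrange(len(buf))]
        elif op == 3:
            buf.extend(rng.randrange(256) for _ in range(rng.randint(1, 32)))
    return bytes(buf)


def fuzz(seeds: List[bytes], iterations: int = 20000, seed: int = 7) -> Tuple[Optional[bytes], Optional[str]]:
    """Return (crashing_packet, exception_name), or (None, None) if none found."""
    rng = random.Random(seed)
    corpus = list(seeds)
    covered: Set[Tuple[int, int]] = set()
    for s in corpus:
        covered |= signature(run_with_coverage(s)[0])
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        hits, crash = run_with_coverage(candidate)
        if crash is not None:
            return candidate, crash
        if signature(hits) - covered:      # new coverage: keep as a corpus entry
            covered |= signature(hits)
            corpus.append(candidate)
    return None, None


if __name__ == "__main__":
    packet, crash = fuzz([b"\x02", b"\x01\x04abcd"])
    print(crash, packet.hex() if packet else None)
```

The seeds are two well-formed packets; the fuzzer has to discover on its own that it must both raise the length byte and grow the payload, which it does only because the hit-count buckets make a longer copy loop count as new coverage. That is the same reason real TEE fuzzers feed the emulator’s coverage back into input generation rather than mutating blindly.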
The experts used the fuzzing tool to test trusted code on Samsung, LG and Motorola devices, and found the following vulnerabilities in the implementations of Samsung, Motorola, and LG:
tzpr25 (acknowledged by Samsung)
prov (Motorola is working on a fix)
The flaws could also be exploited by an attacker to:
execute trusted apps in the Normal World (Android OS),
load patched trusted app into the Secure World (QSEE),
bypass the Qualcomm’s Chain Of Trust,
adapt the trusted app for running on a device of another manufacturer.
Check Point reported the vulnerability, tracked as CVE-2019-10574, to Qualcomm in June; the flaw was addressed only a day before the research was published.
The security firm also disclosed its findings to all affected vendors, some of them, including LG, Samsung, and Qualcomm, have already released a patch to address them.
The Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) are divided over the ban of Huawei 5G technology.
The Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) are divided over a ban of Huawei 5G technology. Canada, along with the US, the UK, New Zealand, and Australia, forms the so-called Five Eyes intelligence alliance.
Currently, the Chinese supplier is already prohibited from bidding on government contracts and core network equipment.
According to a Globe and Mail report published Wednesday, the Canadian government asked the intelligence agencies to evaluate the risks of adopting Huawei 5G equipment in the national telecommunications infrastructure. The agencies were also tasked with evaluating the economic impact on Canadian telecoms and consumers of replacing and blacklisting Huawei equipment.
The Globe and Mail revealed that according to an unnamed source, the CSIS and the CSE have a different opinion on the ban of Huawei 5G technology.
While CSE suggests a full ban of Huawei 5G equipment from the national infrastructure, CSIS believes the risks associated with deploying the Chinese technology can be mitigated through effective validation and monitoring of the equipment.
“The office of the minister of public safety, Ralph Goodale, declined to comment on Huawei specifically as it relates to its evaluation of emerging 5G technologies.” reported the AFP press.
“But it said in a statement that the government’s review “includes the careful consideration of our allies’ advice” and it “will ensure that our networks are kept secure.””
The relationship between the Chinese and the Canadian government deteriorated following the arrest in Vancouver of a senior Huawei executive on a US warrant that took place in December and the arrest of two Canadian citizens in apparent retaliation.
Experts pointed out that the ban could cost Canadian telecom firms millions of dollars; two of the largest wireless carriers in the country, Bell and Telus, plan to use Huawei equipment in their upcoming 5G infrastructure.
Rogers, the nation’s top carrier, has announced it will use 5G equipment from Ericsson.
McAfee addressed a vulnerability in its antivirus software that could allow an attacker to escalate privileges and execute code with SYSTEM privileges.
Security experts at SafeBreach have discovered a vulnerability in McAfee antivirus software tracked as CVE-2019-3648 that could allow an attacker with Administrator privileges to escalate privileges and execute code with SYSTEM privileges.
The flaw impacts McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and McAfee Internet Security (MIS), in all versions up to and including 16.0.R22.
The CVE-2019-3648 flaw could be exploited by attackers to load unsigned DLLs into multiple services that run as NT AUTHORITY\SYSTEM.
“this vulnerability could have been used in order to bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.” reads the analysis published by SafeBreach.
“Multiple parts of the software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions.” continues the analysis. “This vulnerability can be exploited to achieve arbitrary code execution within the context of multiple McAfee services, gaining access with NT AUTHORITY\SYSTEM level privileges.”
The experts discovered that multiple services of the McAfee software try to load a library from the path c:\Windows\System32\wbem\wbemcomn.dll, that cannot be found because it is located in System32 and not in the System32\Wbem folder.
An attacker with write access to the wbem folder can place a malicious DLL named wbemcomn.dll there and have the services load it; as in the Symantec case, that folder sits under C:\Windows, so planting the file requires Administrator rights.
Experts explained that the self-defense mechanism of the antivirus can be bypassed because the product does not validate the digital signature of the DLL it loads.
The researchers tested the flaw by compiling a proxy DLL (unsigned) out of the original wbemcomn.dll DLL file, which writes the name of the process which loaded it, the username which executed it and the name of the DLL file. Then the experts implanted it in C:\Windows\System32\Wbem, and restarted the computer:
“We were able to load an arbitrary DLL and execute our code within multiple processes which are signed by McAfee, LLC as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” the experts continue.
Experts reported the flaw to McAfee in August; on November 12 McAfee published a security advisory and released a patch to address the issue. McAfee said it is not aware of the vulnerability being exploited in attacks in the wild.
SafeBreach discovered similar issues in other security solutions from other vendors, including Trend Micro, Check Point, Bitdefender, AVG and Avast.
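Both the Symantec (DSPARSE.dll under SysWOW64\wbem) and McAfee (wbemcomn.dll under System32\wbem) findings are the same pattern: a SYSTEM service probes a DLL path where no file exists, and the probe shows up in Process Monitor as a `CreateFile` ending in `NAME NOT FOUND`. The following is an added example for triaging such output, not SafeBreach’s tooling or either vendor’s fix. The CSV is constructed in the column layout of a Process Monitor export (with the User column added); the process names and the `helper.dll` line are placeholders, while the two wbem paths are the ones reported above. The writability rule is a rough approximation of default Windows ACLs and is an assumption; on a live host it should be replaced by a real ACL check (`icacls` or `Get-Acl`). It generalises the page’s two cases by also classifying a probe into a user-writable directory, which would be a true privilege escalation rather than an admin-only self-defense bypass.

```python
"""Triage Process Monitor output for phantom-DLL loads by SYSTEM services.

Added example, not SafeBreach's tooling or a vendor's fix. PROCMON_CSV is a
constructed sample in the column layout of a Process Monitor export with the
User column added; process names and the helper.dll line are placeholders,
the two wbem paths are the ones reported for Symantec Endpoint Protection
(DSPARSE.dll) and McAfee (wbemcomn.dll). The writability rule approximates
default Windows ACLs and is an assumption; use icacls / Get-Acl on a real host.
"""
import csv
import io
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

PROCMON_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","User"
"10:01:02.0001","sep_service.exe","1234","CreateFile","C:\\Windows\\SysWOW64\\wbem\\DSPARSE.dll","NAME NOT FOUND","NT AUTHORITY\\SYSTEM"
"10:01:02.0002","sep_service.exe","1234","CreateFile","C:\\Windows\\SysWOW64\\dsparse.dll","SUCCESS","NT AUTHORITY\\SYSTEM"
"10:01:03.0001","av_service.exe","2345","CreateFile","C:\\Windows\\System32\\wbem\\wbemcomn.dll","NAME NOT FOUND","NT AUTHORITY\\SYSTEM"
"10:01:03.0002","av_service.exe","2345","CreateFile","C:\\Windows\\System32\\wbemcomn.dll","SUCCESS","NT AUTHORITY\\SYSTEM"
"10:01:04.0001","updater.exe","3456","CreateFile","C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll","NAME NOT FOUND","NT AUTHORITY\\SYSTEM"
"10:01:05.0001","notepad.exe","4567","CreateFile","C:\\Windows\\System32\\wbem\\wbemcomn.dll","NAME NOT FOUND","DESKTOP\\alice"
'''

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Assumed approximation of default ACLs: under these roots only administrators
# can create files, except a few well-known user-writable spots.
ADMIN_ONLY_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")
USER_WRITABLE_EXCEPTIONS = ("c:\\windows\\temp",)


def _under(directory: str, root: str) -> bool:
    return directory == root or directory.startswith(root + "\\")


def standard_user_can_write(directory: str) -> bool:
    d = directory.lower().rstrip("\\")
    if any(_under(d, e) for e in USER_WRITABLE_EXCEPTIONS):
        return True
    return not any(_under(d, r) for r in ADMIN_ONLY_ROOTS)


@dataclass(frozen=True)
class PhantomDll:
    process: str
    pid: int
    path: str
    directory: str
    impact: str


def find_phantom_dlls(csv_text: str) -> List[PhantomDll]:
    """A CreateFile ending in NAME NOT FOUND for a .dll, issued by a SYSTEM
    process, is a DLL the loader probed but never found: whoever can create a
    file at that path gets code execution inside that process."""
    findings: List[PhantomDll] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["Path"])
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        if path.suffix.lower() != ".dll" or row["User"] != SYSTEM_USER:
            continue
        directory = str(path.parent)
        if standard_user_can_write(directory):
            impact = "privilege escalation: a standard user can plant the DLL"
        else:
            impact = "self-defense bypass / persistence: Administrator needed to plant the DLL"
        findings.append(PhantomDll(row["Process Name"], int(row["PID"]),
                                   row["Path"], directory, impact))
    return findings


def triage(csv_text: str) -> Dict[str, str]:
    """Map each phantom DLL path to its assessed impact."""
    return {f.path: f.impact for f in find_phantom_dlls(csv_text)}


if __name__ == "__main__":
    for f in find_phantom_dlls(PROCMON_CSV):
        print(f"{f.process} (pid {f.pid}) probes {f.path}: {f.impact}")
```

The `SUCCESS` rows show where the loader eventually found the real library one directory up, which is why the vendors’ own fixes (loading from the correct directory and verifying the signature before loading, as the SafeBreach root-cause notes describe) close the hole rather than any ACL change.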
Eclypsium experts found a vulnerability affecting Intel’s PMx driver (PMxDrv) that can give malicious actors deep access to a device.
In August, Eclypsium researchers found multiple serious vulnerabilities in more than 40 device drivers from tens of vendors, including AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro and Toshiba.
The experts warn that the vulnerabilities can be exploited by attackers to deploy persistent backdoors on vulnerable systems.
The experts pointed out that since they reported the issues to the vendors, only Intel and Huawei have addressed them with patches and advisories, while Insyde and Phoenix have provided patches to their OEM customers.
According to Eclypsium, Intel addressed a vulnerability in its PMx driver (PMxDrv) that could be exploited to gain full access to a device. The driver implements a superset of the dangerous capabilities seen across the affected drivers, including read and write access to physical memory, model-specific registers, control registers, the IDT and GDT descriptor tables and debug registers, as well as I/O and PCI access.
“This level of access can provide an attacker with near-omnipotent control over a victim device. Just as importantly, this capability has been included as a staple component of many Intel ME and BIOS related toolsets going back to 1999.” reads the analysis published by Eclypsium. “Ironically, the very tool released by Intel to detect and mitigate a recent AMT vulnerability included the vulnerable driver as part of the toolset used to solve the AMT issue.”
Experts recommend users and organizations to enable Hypervisor-protected Code Integrity (HVCI) for devices that support the feature.
HVCI only works on processors that support the required hardware features, such as mode-based execution control (MBEC), which Intel introduced with its 7th-generation Core processors; on many older devices it cannot be enabled.
The only universally available option is therefore to block or blacklist old, known-bad drivers.
“The only universally available option possible today is to block or blacklist old, known-bad drivers. To this end, we would like to specifically commend the response of Insyde Software, a UEFI firmware vendor. Of the 19 vendors we notified early this summer, Insyde is the only vendor to date to proactively contact Microsoft and ask that the old version of the driver be blocked.” concludes the report. “Due to this request, Windows Defender will proactively quarantine the vulnerable version of the driver so it can’t cause damage to the system.”