Category Archives: Vulnerability

3 Tips Venmo Users Should Follow to Keep Their Transactions Secure

You’ve probably heard of Venmo, the quick and convenient peer-to-peer mobile payments app. From splitting the check when eating out with friends to dividing the cost of bills, Venmo is an incredibly easy way to share money. However, users’ comfort with the app can sometimes result in a few negligent security practices. In fact, computer science student Dan Salmon recently scraped seven million Venmo transactions to prove that users’ public activity can be easily obtained if they don’t have the right security settings flipped on. Let’s explore his findings.

By scraping the company’s developer API, Salmon was able to download millions of transactions across a six-month span. That means he could see who sent money to whom, when they sent it, and why – as long as the transaction was set to “public.” Mind you, Salmon’s download comes just a year after that of a German researcher, who downloaded over 200 million transactions from the public-by-default app last year.

These data scrapes, if anything, act as a demonstration. They prove to users just how crucial it is to set up online mobile payment apps with caution and care. Therefore, if you’re a Venmo or other mobile payment app user, make sure to follow these tips in order to keep your information secure:

  • Set your settings to “private” immediately. Only the sender and receiver should know about a monetary transaction in the works. So, whenever you go to send money on Venmo or any other mobile payment app, make sure the transaction is set to “private.” For Venmo users specifically, you can flip from “public” to “private” by toggling the setting at the bottom right corner of the main “Pay or Request” page.
  • Limit the amount of data you share. Just because something is designed to be social doesn’t mean it should become a treasure trove of personal data. No matter the type of transaction you’re making, always try to limit the amount of personal information you include in the corresponding message. That way, any potential cybercriminals out there won’t be able to learn about your spending habits.
  • Add on extra layers of security. Beyond flipping on the right in-app security settings, it’s important to take any extra precautions you can when it comes to protecting your financial data. Create complex logins to your mobile payment apps, participate in biometric options if available, and ensure your mobile device itself has a passcode as well. This will all help ensure no one has access to your money but you.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 3 Tips Venmo Users Should Follow to Keep Their Transactions Secure appeared first on McAfee Blogs.

Cisco fixes critical vulnerabilities in its SD-WAN, DNA Center solutions

Cisco has released another batch of fixes for many of its products, including its SD-WAN and DNA Center solutions, its Email Security Appliance, Security Manager, SOHO routers/firewalls, and more.

Critical flaws

CVE-2019-1625 could allow an authenticated, local attacker to elevate lower-level privileges to the root user on a device running a vulnerable version of the Cisco SD-WAN Solution. Cisco SD-WAN on a number of Cisco’s vEdge routers, its vBond Orchestrator Software, its vSmart Controller Software, … More

The post Cisco fixes critical vulnerabilities in its SD-WAN, DNA Center solutions appeared first on Help Net Security.

IoT explodes worldwide, researchers investigate security issues present in the devices real users own

About 40 percent of households across the globe now contain at least one IoT device, according to Avast. In North America, that number is almost double, at 66 percent, bringing with it an associated growth in cybersecurity risks. The findings have been published in a new research paper “All Things Considered: An Analysis of IoT Devices on Home Networks”. The research is the largest global study to date examining the state of IoT devices. Avast … More

The post IoT explodes worldwide, researchers investigate security issues present in the devices real users own appeared first on Help Net Security.

Research shows Tesla Model 3 and Model S are vulnerable to GPS spoofing attacks

Tesla Model S and Model 3 electric cars are vulnerable to cyberattacks aimed at their navigation systems, according to research from Regulus Cyber.

Staged attack caused the car to veer off the main road

During a test drive using Tesla’s Navigate on Autopilot feature, a staged attack caused the car to suddenly slow down and unexpectedly veer off the main road. Regulus Cyber initially discovered the Tesla vulnerability during its ongoing study of the threat … More

The post Research shows Tesla Model 3 and Model S are vulnerable to GPS spoofing attacks appeared first on Help Net Security.

Another Oracle WebLogic Server RCE under active exploitation

Oracle has released an out-of-band fix for CVE-2019-2729, a critical deserialization vulnerability in a number of versions of Oracle WebLogic Server, and is urging customers to apply the security update as soon as possible. Speed is of the essence as, according to KnownSec 404 researchers, the vulnerability is already being exploited in the wild.

About the vulnerability (CVE-2019-2729)

“This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network … More

The post Another Oracle WebLogic Server RCE under active exploitation appeared first on Help Net Security.

SACK TCP flaws can crash, slow down Linux-based systems

An engineering manager at Netflix has unearthed several TCP networking vulnerabilities in Linux and FreeBSD kernels that could lead to systems crashing or consuming too many resources and (consequently) slowing down.

About the vulnerabilities

The flaws were discovered by Jonathan Looney, who apart from working at Netflix is also a FreeBSD developer. They all affect the Selective Acknowledgments (SACK) TCP mechanism, which allows a receiving machine to acknowledge which data/packets it has received so that … More

The post SACK TCP flaws can crash, slow down Linux-based systems appeared first on Help Net Security.

Vulnerable TP-Link Wi-Fi extenders open to attack, patch now!

Several TP-Link Wi-Fi extender devices have a critical remote code execution vulnerability that could allow attackers to take over the devices and command them with the same privileges as their legitimate user, IBM X-Force researcher Grzegorz Wypych warns. Aside from making the device part of a botnet, attackers could carry out sophisticated malicious activity by executing any shell command on the device’s operating system. “An attacker compromising this type of device, and the device being … More

The post Vulnerable TP-Link Wi-Fi extenders open to attack, patch now! appeared first on Help Net Security.

Web-based DNA sequencers getting compromised through old, unpatched flaw

Unknown attackers are trying to exploit a vulnerability in dnaLIMS, a web-based bioinformatics laboratory information management system, to implant a bind shell into the underlying web server. Researcher Ankit Anubhav first noticed the attacks on June 12 and they are apparently still going on.

About dnaLIMS

dnaLIMS is developed by Colorado-based dnaTools. It provides software tools for processing and managing DNA sequencing requests. These tools use browsers to access a UNIX-based web server on … More

The post Web-based DNA sequencers getting compromised through old, unpatched flaw appeared first on Help Net Security.

Evernote Critical Flaw Could Have Impacted Millions of Users

A critical flaw that affected Evernote’s web clipper extension for Chrome could have impacted millions of users.

Reports say that the critical flaw in the popular note-taking extension Evernote could have led to the breach of personal data of over 4.6 million users. Hackers could have exploited the vulnerability to steal personal data including emails and financial transactions of users.

Security researchers at Guardio discovered this vulnerability in the Evernote Web Clipper extension, which is immensely popular and lets users capture full-page articles, images, emails, selected text, etc.

A blog post by the Guardio research team says, “In May 2019 Guardio’s research team discovered a critical vulnerability in Evernote Web Clipper for Chrome. A logical coding error made it possible to break domain-isolation mechanisms and execute code on behalf of the user – granting access to sensitive user information not limited to Evernote’s domain. Financials, social media, personal emails, and more are all natural targets. The Universal XSS vulnerability was marked as CVE-2019-12592.”

Hackers exploiting the vulnerability could divert users to a website under their control. From there, the hackers would be able to read the users’ private data from affected third-party websites. In their PoC (Proof-of-Concept), Guardio researchers demonstrated access to social media, financial transaction history, private shopping lists, etc. Guardio disclosed the flaw to Evernote on May 27; Evernote patched the vulnerability and deployed a fixed version within a few days. The fix was confirmed on June 4th, 2019.

How the vulnerability gets exploited

In normal operation, JavaScript is injected into the webpages that use the Evernote extension in order to enable the extension’s various functions. Due to the above-mentioned vulnerability (CVE-2019-12592), a logical coding error left one function (the one used to pass a URL from the site into the extension’s namespace) unsanitized, so attackers could inject their own script into the webpages. This gives them access to the sensitive user information available on those webpages.

The Guardio blog post says, “The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker-controlled payload into all iframes contexts…Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.”

The Guardio researchers also released a proof-of-concept video in which they explain how the user is first taken to the attacker-controlled malicious website (via social media, email, compromised blog comments, etc.) and how the malicious website then silently loads hidden, legitimate iframes of the targeted websites. Each of these iframes would carry an injected payload customized for that targeted website, allowing the hackers to steal personal data from it.

The solution

Users should update to the latest version of Evernote Web Clipper, which includes the fix for this issue. The latest version can be installed by copying chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc into the address bar. For security reasons the URL must be copied manually; check that the version shown is 7.11.1 or higher.
Users should also make it a point to install browser extensions only from trusted sources.

The post Evernote Critical Flaw Could Have Impacted Millions of Users appeared first on .

Linux servers under attack via latest Exim flaw

It didn’t take long for attackers to start exploiting the recently revealed Exim vulnerability (CVE-2019-10149).

Active campaigns

One security enthusiast detected exploitation attempts five days ago:

Just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149). Tries to download a script located at http://173.212.214.137/s (careful). If you run Exim, make sure it's up-to-date. @qualys pic.twitter.com/s7veGBcKWO — Freddie Leeman (@freddieleeman) June 9, 2019

Amit Serper, Cybereason’s head of security research, … More

The post Linux servers under attack via latest Exim flaw appeared first on Help Net Security.

Vulnerabilities allow attackers to take over infusion pumps

Two vulnerabilities in Windows CE-powered Alaris Gateway Workstations (AWGs), which provide support for widely used infusion pumps, could allow remote attackers to disable the device, install malware, report false information, and even instruct the pumps to alter drug dosages and infusion rates.

About Alaris Gateway Workstations

Developed by US-based medical device maker Becton, Dickinson and Company (BD), Alaris Gateway Workstations are deployed in healthcare establishments in Europe and Asia. A company spokesperson told TechCrunch that … More

The post Vulnerabilities allow attackers to take over infusion pumps appeared first on Help Net Security.

Evernote Chrome extension flaw could have allowed access to personal info

Guardio discovered a major flaw in Evernote’s Web Clipper Chrome extension’s code that left it vulnerable, potentially allowing threat actors to access personal information from users’ online services. The vulnerability, a Universal XSS marked CVE-2019-12592, was discovered as part of Guardio’s ongoing security analysis efforts using a combination of internal technology and researchers. Guardio disclosed the vulnerabilities to Evernote during the last week of May, which prompted Evernote to address them and roll out a … More

The post Evernote Chrome extension flaw could have allowed access to personal info appeared first on Help Net Security.

Smart home security devices most at risk in IoT-targeted cyber attacks

Smart home security cameras account for 47% of the most vulnerable devices, followed by smart hubs such as Google Home and Amazon Alexa, and the top countries from which attacks are launched are China followed by the USA, according to SAM Seamless Networks. Other findings reveal the USA and China are the foremost countries for both executing attacks and being targeted. The average home receives five attempted attacks per device per day via smart networks. Email malware and phishing are … More

The post Smart home security devices most at risk in IoT-targeted cyber attacks appeared first on Help Net Security.

RAMBleed Attack Can Not Just Alter But Steal Sensitive Data

Researchers discovered a new security vulnerability that affects the confidentiality of data stored in computer memory. Using it, they successfully extracted a signing key from an OpenSSH server while holding only ordinary user permissions.

Nicknamed RAMBleed, this attack builds on the Rowhammer vulnerability and can be used to break the promise of secure storage in RAM modules, even those with an ECC (Error Correction Code) mechanism.

Rowhammer began as an experimental study of the isolation between data loaded into RAM. As memory modules became physically smaller while their capacity grew, the spacing between internal cells shrank, creating the possibility of electrical interference that could alter the bits stored in memory.

In a paper published in 2014, researchers showed that repeatedly reading the same address can corrupt adjacent data: bits go from 1 to 0 and vice versa, a process called a bit flip that modifies the data.

Modifying the info.

Basically, RAMBleed works on the same principle, but unlike Rowhammer it reads the information instead of changing it, which makes it better suited to data theft. Another difference is that ECC memory is not a valid defense, as it is against some Rowhammer attacks.

“Remarkably, RAMBleed can break the memory confidentiality of ECC memory, even if all bit flips are successfully corrected by the ECC mechanism,” say the researchers.

In RAMBleed, whether a bit flips depends on the orientation and the value of the bits in the rows above and below the target bit, which the attacker cannot access directly, according to academics from the University of Michigan.

To learn the value of a secret bit in a victim process using the new attack method, an attacker must map the memory and find a bit that can be flipped at the same offset within a memory page as the secret.

In this scenario, the attacker controls the two activation pages next to the secret and accesses them repeatedly to hammer the middle row. If the secret bit is 0, the hammering causes the bit in the attacker’s sample page to flip; otherwise, the secret bit is 1.

Repeating the process with flippable bits at different memory offsets reveals all the bits of the secret data. This method achieved a read rate of about three or four bits per second.

“We note here that neither the victim nor the attacker access the secrets in any way, but by accessing the line activation pages controlled by the attacker, the attacker uses the victim’s data to influence Rowhammer-induced bit flips in their own private pages. Finally, the attacker directly verifies the sampling page to see if the bits are flipped, thus deducing the victim’s bits. As such, RAMBleed is a cross-address space attack,” the researchers explain.

Stealing an OpenSSH key

Demonstrating the effects of this attack, the researchers were able to read an RSA-2048 key on a server running OpenSSH 7.9, the latest version at the time of testing. The current version is 8.0, available from April 18.

The attack achieved a read rate of 0.3 bits per second with an accuracy of 82%. To recover the complete key from this partial information, the researchers used a variant of the Heninger-Shacham algorithm for reconstructing RSA keys from partial key material.

To obtain the secret information, the researchers developed a method called Frame Feng Shui, which allows them to place the pages containing the desired data in the desired location in a frame of physical memory chosen by the attacker.

RAMBleed received the tracking number CVE-2019-0174 (base score of 3.8 out of 10) and was tested on an HP ProDesk 600 machine with an i5-4570 processor and two Axiom 4 GB DDR3-1333 non-ECC DIMMs (51264Y3D3N13811), running Ubuntu 18.04.

Although the system uses DDR3 RAM, the researchers say that “they do not suspect that DDR4 is a fundamental limitation, assuming that DDR4 retains the property that Rowhammer-induced bit flips are data-dependent.” This conclusion is corroborated by the fact that Rowhammer-based bit modifications in DDR4 memory have already been demonstrated.

However, Intel says that the way to stay safe from this attack is to use “Rowhammer-resistant DRAM modules; this includes most DDR4 DRAM modules.”

Defense options

Preventing a RAMBleed attack is possible on systems where memory encryption is active. This can be achieved when the Trusted Execution Environment (TEE) feature is enabled in the processor.

TEEs such as Intel’s Software Guard Extensions (SGX), ARM’s TrustZone, and AMD’s Secure Encrypted Virtualization (SEV) are secure enclaves that enforce encryption of the memory they work with.

One way to reduce the risk of this type of read attack is to clear encryption keys from memory immediately after using them. This reduces the chances of an attacker learning the secret data, because for RAMBleed to read a value it must remain in memory for at least one refresh interval, which is 64 ms by default.
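The following C program is an added example (not code from the article or from the RAMBleed authors) showing the mitigation described above: a key buffer is wiped as soon as the operation that needs it has finished, so the key spends as little time as possible resident in DRAM. The helper names (secure_zero, use_key_then_wipe, demo_wipe_after_use) are hypothetical. A plain memset() on a buffer that is never read again may be dropped by the compiler as a dead store, which is why the wipe writes through a volatile pointer; on platforms that provide explicit_bzero() or C11 memset_s(), those are the preferred calls.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: overwrite len bytes of buf with zeros through a
 * volatile pointer so the compiler cannot elide the stores as dead writes. */
void secure_zero(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Stand-in for a signing or decryption step: derives a one-byte tag from the
 * key (XOR of all bytes), then wipes the key before returning, so the secret
 * does not linger in memory for further refresh intervals. */
uint8_t use_key_then_wipe(uint8_t *key, size_t len) {
    uint8_t tag = 0;
    for (size_t i = 0; i < len; i++) {
        tag ^= key[i];
    }
    secure_zero(key, len);
    return tag;
}

/* Demonstration on a constructed 32-byte key (not a real key).
 * Returns 1 if the key buffer is fully zeroed after use. */
int demo_wipe_after_use(void) {
    uint8_t key[32];
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (uint8_t)(i * 7 + 3);  /* constructed sample key bytes */
    }
    (void)use_key_then_wipe(key, sizeof key);
    return is_all_zero(key, sizeof key);
}

int main(void) {
    printf("key wiped after use: %s\n", demo_wipe_after_use() ? "yes" : "no");
    return 0;
}
```

The wipe shortens the window in which the key is present in DRAM; it does not change the data-dependent bit-flip behaviour of the chips themselves, so it complements, rather than replaces, Rowhammer-resistant memory or memory encryption.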

The post RAMBleed Attack Can Not Just Alter But Steal Sensitive Data appeared first on .

Critical Microsoft NTLM vulnerabilities allow remote code execution on any Windows machine

The Preempt research team found two critical Microsoft vulnerabilities that consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS. The research shows that all Windows versions are vulnerable.

The flaws allow attackers to bypass existing mitigations

NTLM is susceptible to relay attacks, … More

The post Critical Microsoft NTLM vulnerabilities allow remote code execution on any Windows machine appeared first on Help Net Security.

Major Vulnerabilities in HSMs Discovered

Yesterday’s announcement of this HSM hack in the 2019 Black Hat program caused a lot of excitement, and for good reason: the authors claim to have discovered unauthenticated remote attacks that give full control of an HSM and full access to the keys and secrets stored in it.

For the moment, very few details are available in English about how this attack was carried out by Ledger researchers, but fortunately for Francophones, the work was presented in detail earlier this week at France’s annual security conference, SSTIC. Francophones can watch the video or read the conference proceedings.

What really happened?

For non-Francophones, the bilingual Cryptosense team has translated a brief summary of what Ledger researchers Gabriel Campana and Jean-Baptiste Bédrune did. Many technical issues had to be resolved along the way, as part of a thorough and professional vulnerability investigation:

  • They started by using the SDK’s legitimate access to a test HSM to load a firmware module that gave them a shell inside the HSM.
  • Then they used the shell to run a fuzzer against the internal implementation of the PKCS #11 commands, looking for reliable, exploitable buffer overflows.
  • They verified that they could exploit these buffer overflows from outside the HSM, that is, simply by calling the PKCS #11 driver on the host machine.
  • Then they wrote a payload that would override the access controls and allow them to load arbitrary (unsigned) firmware. It is important to keep in mind that this backdoor is persistent: a subsequent update will not remove it.
  • Then they wrote a module that would dump all the secrets of the HSM and loaded it into the HSM.

What’s latest?

The vulnerabilities have now been fixed. The manufacturer is not named in the presentation, but it can be worked out by looking at the latest security announcements from the major HSM manufacturers.

Conclusion

Well-funded vulnerability research teams within state intelligence agencies could have done similar work and discovered this attack. The disruption caused by the disclosure of certain secret keys belonging to a target country’s financial system would be very attractive to those seeking to wage cyberwar. The most disturbing part of the attack may be that the firmware modification is persistent. There may be HSMs deployed in critical infrastructure right now with similar backdoors.


The post Major Vulnerabilities in HSMs Discovered appeared first on .

Microsoft Warns Users About Ongoing Email Spam Campaign

Microsoft warns users about an ongoing email spam campaign that abuses an Office vulnerability and seems to target European users. The malware is reportedly spread through infected RTF documents attached to emails.

ZDNet reports, “Microsoft’s security researchers have issued a warning on Friday afternoon about an ongoing spam wave that is spreading emails carrying malicious RTF documents that infect users with malware without user interaction, once users open the RTF documents.”

The spam emails appear to target European users as they are sent in different European languages.

When the RTF document attached to an email is downloaded, it runs multiple scripts of different types (PowerShell, PHP, VBScript, etc.) to download the final payload, which is a backdoor trojan.

However, it seems that by the time Microsoft issued its alert, the backdoor trojan’s C&C server was already down. The ZDNet report, dated June 9, 2019, says, “Fortunately, the trojan’s command and control server appears to have gone down by Friday, when Microsoft issued its security alert.”

The report, however, reminds us that there could be such other future campaigns; it says, “However, there is always the danger of future campaigns that may exploit the same tactic to spread a new version of the backdoor trojan that connects to a working server, allowing crooks direct access to infected computers.”

The vulnerability exploited in this campaign is an old Office vulnerability, CVE-2017-11882, which Microsoft patched in an update issued in November 2017. Users who have applied that patch are therefore safe from the current campaign.

CVE-2017-11882, which has been used many times by cybercriminals since the end of 2017, is, according to ZDNet security reporter Catalin Cimpanu, “…a codename for a vulnerability in an older version of the Equation Editor component that ships with Office installs, and used for compatibility purposes in addition to Microsoft’s newer Equation Editor module.”

He explains, “Back in 2017, security researchers from Embedi discovered a bug in this older component that allowed threat actors to execute code on users’ device without any user interaction whenever a user would open a weaponized Office file that contained a special exploit… Because Microsoft appeared to have lost the source code for this old component, and after the discovery of a second Equation Editor bug in 2018, Microsoft decided to remove the older Equation Editor component altogether from the Office pack in January 2018.”

Despite the vulnerability having been found and patched, hackers, as we have already mentioned, have kept exploiting it, because many companies and users habitually forget to install security updates on time.

ZDNet points out that while most other Office exploits require users to enable macros or disable various security features via popups, this exploit needs no user interaction at all. Hence it is used for mass-spam campaigns and remains popular among hacker groups engaged in highly targeted attacks.


The post Microsoft Warns Users About Ongoing Email Spam Campaign appeared first on .

Malware peddlers hit Office users with old but reliable exploit

Emails delivering RTF files equipped with an exploit that requires no user interaction (except for opening the booby-trapped file) are hitting European users’ inboxes, Microsoft researchers have warned.

Exploit delivers backdoor

The exploit takes advantage of a vulnerability in an older version of the Office Equation Editor, which was manually patched by Microsoft in November 2017. “The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, … More

The post Malware peddlers hit Office users with old but reliable exploit appeared first on Help Net Security.

June Patch Tuesday forecast: Apply updates before BlueKeep hits the streets

Can you believe it is June already? Summer is rapidly approaching, but it’s been slow to warm up our temperatures here in the US. I can’t say the same thing about the temperature in our security community – things have been hot! The first months of 2019 have seen a record number of vulnerabilities reported and the latest, BlueKeep associated with CVE-2019-0708, has set the forums and security advisory lists on fire. The May updates … More

The post June Patch Tuesday forecast: Apply updates before BlueKeep hits the streets appeared first on Help Net Security.

Critical Exim flaw exploitable locally and remotely, patch ASAP!

A critical vulnerability in Exim, the mail transfer agent (MTA) deployed on over half of all Internet-facing mail servers, may allow attackers to run commands as the “root” user.

About CVE-2019-10149

CVE-2019-10149 was discovered by Qualys researchers. It is a remote command execution vulnerability that is exploitable instantly by a local attacker and by a remote attacker in certain non-default configurations. “The vulnerability is critical: it allows a local user to easily run commands as … More

The post Critical Exim flaw exploitable locally and remotely, patch ASAP! appeared first on Help Net Security.

Smashing Security #131: Zap yourself from the net, and patch now against BlueKeep

Microsoft issues a warning to unpatched Windows users about worm risk, and how do you delete all traces of yourself from the internet after you murder your podcast co-host?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

4 Tips to Protect Your Information During Medical Data Breaches

As the companies we trust with our data become more digital, it’s important for users to realize how this affects their own cybersecurity. Take your medical care provider, for instance. You walk into a doctor’s office and fill out a form on a clipboard. This information is then transferred to a computer where a patient Electronic Health Record is created or added to. We trust that our healthcare provider has taken the proper precautions to safely store this data. Unfortunately, medical data breaches are on the rise with a 70% increase over the past seven years. In fact, medical testing company LabCorp just announced that it experienced a breach affecting approximately 7.7 million customers.

How exactly did this breach occur? The information was exposed as a result of an issue with a third-party billing collections vendor, American Medical Collection Agency (AMCA). The information exposed includes names, addresses, birth dates, balance information, and credit card or bank account information provided by customers to AMCA. This breach comes just a few days after Quest Diagnostics, another company who worked with AMCA, announced that they too experienced a breach affecting 11.9 million users.

Luckily, LabCorp stated that it does not store or maintain Social Security numbers or insurance information for its customers. Additionally, the company provided no ordered tests, lab results, or diagnostic information to AMCA. LabCorp stated that it intends to provide 200,000 affected users with more specific information regarding the breach and offer them identity protection and credit monitoring services for two years. After receiving information on the possible security compromise, AMCA took down its web payments page and hired an external forensics firm to investigate.

Medical data is essentially nonperishable in nature, making it extremely valuable to cybercrooks. It turns out that quite a few security vulnerabilities exist in the healthcare industry, such as unencrypted traffic between servers, the ability to create admin accounts remotely, and disclosure of private information. These types of vulnerabilities could allow cybercriminals to access healthcare systems, as our McAfee Labs researchers discovered. If someone with malicious intent did access the system, they would have the ability to permanently alter medical images, use medical research data for extortion, and more.

Cybercriminals are constantly pivoting their tactics and changing their targets in order to best complete their schemes. As it turns out, medical data has become a hot commodity for cybercrooks. According to the McAfee Labs Threats Report from March 2018, the healthcare sector has experienced a 210% increase in publicly disclosed security incidents from 2016 to 2017. The McAfee Advanced Threat Research Team concluded that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.

While medical care providers should do all that they can to ensure the security of their patients, there are steps users can take to help maintain their privacy. If you think your personal or financial information might be affected by the recent breaches, check out the following tips to help keep your personal data secure:

  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to get extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts, alert you to any suspicious activity, and help you recover any losses in case something goes wrong.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, check your bank account and credit activity frequently. Many banks and credit card companies offer free alerts that notify you via email or text message when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 4 Tips to Protect Your Information During Medical Data Breaches appeared first on McAfee Blogs.

NFC Vulnerability May Promote Ghost Screen Taps

Convenience vs security: that is the frequently recurring theme in cybersecurity nowadays. Every time a new technology opens its doors to more convenience, it becomes the new kid on the block when it comes to vulnerabilities. Here at hackercombat.com, we are eager to tell our dear readers over and over again that convenience is the natural enemy of security. The newest issue in this convenience vs security theme has to do with NFC, and with the new attack proof-of-concept presented by Waseda University researchers in Tokyo, which they aptly named Tap ‘n Ghost.

The 18-page paper released by a team of three researchers, Tatsuya Mori, Seita Maruyama and Satohiro Wakabayashi, demonstrated the vulnerability of the NFC feature built into many mainstream smartphones sold today. They described it as a combination of a Ghost Touch Generator and TAP (Tag-based Adaptive Ploy), which gives attackers at close range the capability to generate “Ghost Taps” against a target device, through a special combination of a battery pack, a high-voltage transformer, an off-the-shelf 5mm copper sheet, an NFC writer and a single-board computer like the Raspberry Pi or a small laptop.

Image: NFC proof-of-concept contraption

The above image is the proof-of-concept contraption that can be installed in any seemingly ordinary table in a restaurant, coffee shop or any public store. NFC communicates wirelessly in a range of just 4 to 10 centimeters; with a rigged device such as the one above, the malicious attacker can then connect to the victim’s NFC-enabled smartphone (or any device with an NFC feature). It can then tell the target smartphone to open a specific website automatically. The attacker can also issue a seemingly innocent request for Bluetooth pairing or a Wi-Fi connection attempt, which fortunately requires user permission to proceed.

Versions of Android from 9.0 or older have the convenient behavior of trusting all NFC pairing attempts when the device detects something nearby. The contraption comes with copper interconnects which can produce enough electrical disturbance within NFC range to make the phone register Ghost Taps, no different from a user tapping his phone to perform an action. At first glance this sounds like science fiction, but the trio of researchers showed in their presentation how these rogue taps can be generated to “provide permission” to the ghost Bluetooth pairing or Wi-Fi connection attempts mentioned earlier, completing the whole process.

At the time of this writing, the following mainstream Android devices from Sony, Sharp, HTC, Asus, Fujitsu, and Samsung were known to be vulnerable:

  • Xperia Z4
  • Galaxy S6 Edge
  • Galaxy S4
  • Aquos Zeta SH-04F
  • Nexus 9
  • Arrows NX F005-F
  • Nexus 7

It is not yet known if current devices sold in the market with NFC are also affected, but the three researchers mentioned that the false-touch vulnerability may also exist on newer devices, as the NFC protocols remain the same across generations of devices. The IEEE Symposium on Security and Privacy shared a video detailing the exact components of the Tap ‘n Ghost device, its operation and a basic understanding of the snooping process against NFC devices.

This vulnerability may one day prompt smartphone vendors to ship their mobile phones with NFC disabled by default. This new disabled-by-default behavior would also benefit Android users, as the device would not need to consume extra energy to power up the NFC component of the smartphone when the user does not currently need it.


The post NFC Vulnerability May Promote Ghost Screen Taps appeared first on .

The Feasibility Of Tape Backup Against Ransomware

As ransomware continues to become more complex year after year, there is only one weapon to overcome the challenge raised by cybercriminals: a backup system. We are in the age of cloud-storage services, ranging from corporate-level offerings to free packages supported by advertising. Of course, there are always the traditional NAS and hard drive backups, which vary in cost per gigabyte. Given the increasing sophistication of attack methods, there is a concern that the future damage from malware will increase, hence a reliable and effective backup plan should exist for all organizations. Therefore, what is required of the IT departments in various organizations worldwide is a preliminary measure to contain, if not fully reverse, ransomware damage. The two pillars are “prevention” of infection through the introduction of anti-virus software and “protection” of data by backup in case of emergency. These should have been implemented as part of information security measures before a firm officially starts day 1 of its operations.

However, in the case of ransomware measures, the latter is actually said to be more important. The former is, of course, important in preventing infection, but it is difficult to cope with attacks that use unknown methods, such as zero-day exploits. If damage occurs due to an infection, no one can reliably use the PC or the files contained on the local hard drive, which has a huge impact on business continuity. Given the possibility that infection cannot be avoided, it is clear that the backup issue needs to be settled early.

The first requirement is the “data storage destination.” Companies back up systems and data to various media, and in recent years the adoption of NAS has increased, driven by lower prices. Hard drives are dirt cheap compared to a decade ago. However, their use is not suitable as a ransomware measure, because ransomware spreads the infection over the network. Network-aware attacks also make online NAS and external drives vulnerable. The backup is likely to be encrypted, since it is connected live on the network and its contents are fully accessible from the operating system’s shell. Given this point, it is necessary to select a medium that can be completely isolated from the network as the backup destination.

The second point is the “backup target.” A large amount of data exists in PCs and various applications in companies, and in the past, backups have focused on those with high business importance, in consideration of operation time. However, from the viewpoint of protecting information assets, the entire system must be recovered quickly in the event of an emergency, so not only some applications and user data, but also data related to the system itself, must be included in the backup target.

The last requirement is the “frequency of backups and retention period of data.” Backup is a highly effective measure, but it is not all-powerful. In order to reduce the impact on the business at the time of recovery, it is necessary to make the time lag between “now” and the backup time as short as possible. To do so, you should increase the frequency of backups; but note that some ransomware will only start working several months after infiltration. Long-term data retention is therefore also required to ensure data security. Backups as in the past, such as 1-2 weeks of dailies or a single monthly, are not enough, and a fundamental review of backup methods and operation methods is required.

The reason that ransomware infection has spread so much is that storage connected to a network, such as NAS or DAS, is recognized by the OS as a storage location for data. The only way around this is to use a system that is not always online, but only connects to the workstations and servers each time a backup or restore process needs to run. This can be accomplished by tape backup systems, since operating systems do not mount these ancient media directly. These days, that property of tape backup is not a disadvantage, but an advantage. A safe and reliable backup which cannot be accessed by the ransomware code provides the greatest protection against malicious data encryption.


The post The Feasibility Of Tape Backup Against Ransomware appeared first on .

Scientists uncover vulnerability in FPGAs, affecting cloud services and IoT

Field-programmable gate arrays (FPGAs) are, so to say, a computer manufacturer’s “Lego bricks”: electronic components that can be employed in a more flexible way than other computer chips. Even large data centers that are dedicated to cloud services, such as those provided by some big technology companies, often resort to FPGAs. To date, the use of such services has been considered as relatively secure. Recently, however, scientists at Karlsruhe Institute of Technology (KIT) uncovered potential … More

The post Scientists uncover vulnerability in FPGAs, affecting cloud services and IoT appeared first on Help Net Security.

Tripwire Patch Priority Index for May 2019

Tripwire’s May 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft and Adobe. First and most importantly this month are the patches available to resolve the BlueKeep (CVE-2019-0708) Remote Desktop Services remote code execution vulnerability. As noted by Microsoft: [This] remote code execution vulnerability exists in Remote Desktop Services – formerly known as […]… Read More

The post Tripwire Patch Priority Index for May 2019 appeared first on The State of Security.

WordPress Plugin’s Administrator Creation Bug Disclosed

WordPress and other CMSs (Content Management Systems) are heaven-sent for non-programmers, as they can build and update the contents of their website without knowing any programming languages or scripting techniques. Developers of CMSs are on top of the situation when it comes to fixing bugs and security vulnerabilities in their products; however, the same CMSs have feature-expansion capabilities that are beyond the full control of the core developers. These are the plugins, created by independent developers, which easily extend the capability of the default CMS installation. It is a living case of convenience vs security, since the flexibility provided by an installed plugin increases the security risks and expands the attack surface of the CMS.

Here at Hackercombat.com, we continue to inform people which particular Internet-facing software has a current critical issue, to provide you with well-informed options to decide what to do next. This time around, a WordPress plugin named Convert Plus has a critical bug which can literally throw the baby out with the bath water. Formerly known under the name Convert Plug, the Convert Plus plugin provides a WordPress website with lead-generation capability, which it claims captures more users and traffic for the site over the long term.

The vulnerable version of Convert Plus gives an external user the capability to receive an administrator-level account when submitting the website’s new-user creation form. The bug comes from the “cp_set_user” value, which is in a hidden field; that value can be modified by an outsider, and changing “cp_set_user” to “administrator” makes the new account a super user for the website. Convert Plus version 3.4.2 and older have this privilege escalation flaw, and all WordPress administrators who deploy the plugin need to upgrade to version 3.4.3, which patches the problem.

“This (buggy) code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed. Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address. The new account is given a randomized password, but the attacker can issue a typical password reset to gain access to their rogue administrator account,” explained Mikey Veenstra, a security researcher for WordFence, as he described what they call the Unauthenticated Administrator Creation bug.

Elvina Goves of the Convert Plus team acknowledged the responsible disclosure done by WordFence. The latter gave the Convert Plus team enough time to issue a patch and perform a security audit of its plugin, and only released the details on how to trigger the bug after the fix was already publicly available for download. “We are thankful to the team at Wordfence, who reported a vulnerability. We worked closely with them to understand the issue further and released a fix within 3 days. There is nothing to panic as we’ve not come across any known breakthroughs caused due to this vulnerability. We strongly believe that security is not an absolute and a one time fix that will work. It is a continuous process and should be managed regularly with regular checks and updates. We highly recommend our users to activate their license, so that they do not miss on such update notifications and can update Convert Plus with a single click,” emphasized Goves.
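To make the unfiltered-role problem concrete, here is an added illustration; it is not the Convert Plus plugin’s actual code (which this page does not reproduce) but a minimal stand-in for a lead-capture subscription handler, showing the flawed pattern beside a hardened one. Only the field name cp_set_user is from the disclosure; the function names, the in-memory user table and the sample request are assumptions constructed for the example.

```php
<?php
// Added illustration, not the plugin's own code. It simulates a subscription
// handler so the role-handling defect and its fix can be run stand-alone.

declare(strict_types=1);

// The only role a public sign-up form should ever be able to create (assumed).
const CP_DEFAULT_SIGNUP_ROLE = 'subscriber';

/**
 * Flawed pattern: the role is taken straight from the submitted form field
 * "cp_set_user" (a hidden field on the page) and stored without any filtering,
 * so whatever role the client sends is the role the new account gets.
 */
function cp_add_new_user_role_flawed(array $request, array &$users): string
{
    $email = (string) ($request['email'] ?? '');
    $role  = (string) ($request['cp_set_user'] ?? CP_DEFAULT_SIGNUP_ROLE); // client-controlled
    $users[$email] = $role;   // "administrator" is accepted as-is
    return $role;
}

/**
 * Hardened pattern: the hidden field is treated as untrusted input. Only a
 * server-side allowlist of low-privilege roles is honoured; anything else is
 * replaced by the default signup role and recorded for the site owner to review.
 */
function cp_add_new_user_role_fixed(array $request, array &$users, array &$log): string
{
    $allowed = [CP_DEFAULT_SIGNUP_ROLE];   // never 'administrator', 'editor', ...

    $email = filter_var((string) ($request['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $log[] = 'rejected: invalid email address';
        return '';
    }

    $requested = (string) ($request['cp_set_user'] ?? CP_DEFAULT_SIGNUP_ROLE);
    if (!in_array($requested, $allowed, true)) {
        $log[] = "unexpected role '$requested' requested for $email; using default";
        $requested = CP_DEFAULT_SIGNUP_ROLE;
    }

    $users[$email] = $requested;
    return $requested;
}

// Constructed stand-in for the site's user table: email => role.
$users = [];
$log   = [];

// Constructed request in which the hidden field has been altered, as the
// disclosure describes.
$altered = ['email' => 'newuser@example.com', 'cp_set_user' => 'administrator'];

echo 'flawed handler stored role: ' . cp_add_new_user_role_flawed($altered, $users) . PHP_EOL;
echo 'fixed handler stored role:  ' . cp_add_new_user_role_fixed($altered, $users, $log) . PHP_EOL;
echo implode(PHP_EOL, $log) . PHP_EOL;
```

Running it shows the flawed handler storing the client-supplied role while the fixed handler stores the subscriber role and logs the rejected request; in a real deployment the same allowlist check belongs in the server-side AJAX handler, since hidden form fields are under the client’s control.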


The post WordPress Plugin’s Administrator Creation Bug Disclosed appeared first on .

Siemens LOGO!, a PLC for small automation projects, open to attack

LOGO!, a programmable logic controller (PLC) manufactured by Siemens, sports three vulnerabilities that could allow remote attackers to reconfigure the device, access project files, decrypt files, and access passwords. About LOGO! LOGO! is an intelligent logic module meant for small automation projects in industrial (control of compressors, conveyor belts, door control, etc.), office/commercial and home settings (lighting control, pool-related control tasks, access control, etc.). It is deployed worldwide and can be controlled remotely. About the … More

The post Siemens LOGO!, a PLC for small automation projects, open to attack appeared first on Help Net Security.

Attackers are exploiting WordPress plugin flaw to inject malicious scripts

Attackers are leveraging an easily exploitable bug in the popular WP Live Chat Support plugin to inject malicious JavaScript into vulnerable sites, Zscaler warns. The company has discovered 47 affected sites (some have been cleaned up in the meantime) but that number is unlikely to be final. The source of the compromise The stored cross-site scripting vulnerability the attackers are exploiting was discovered by Sucuri researchers earlier this year and the plugin developers … More

The post Attackers are exploiting WordPress plugin flaw to inject malicious scripts appeared first on Help Net Security.

Victoria’s Public Health System “Highly Vulnerable”: Report

Victoria’s public health system is “highly vulnerable” to a Singapore-like data breach, according to a recent report.

As per an auditor general report released recently, the public health system in Victoria is vulnerable to an attack like the one that Singapore had experienced last year. The Singapore data breach had led to the exfiltration of almost 1.5 million patient health records.

The report by the auditor general reads, “Victoria’s public health system is highly vulnerable to the kind of cyberattacks recently experienced by the National Health Service (NHS) in England, in Singapore, and at a Melbourne‐based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.”

The report further explains that there are key weaknesses in the “physical security” and “logical security” of the health services. This includes critical aspects like password management and other user access controls. Low data security awareness among the staff, which increases the success of social engineering attacks (like phishing or tailgating into corporate areas where ICT infrastructure and servers may be located), is also highlighted in the report.

The audit covered four health services, namely Barwon Health (BH), the Royal Children’s Hospital (RCH), and the Royal Victorian Eye and Ear Hospital (RVEEH), plus two different areas of the DHHS (Department of Health and Human Services). The auditor-general’s team managed to exploit security vulnerabilities and access patient data in all the four agencies.

The report notes, “The audited health services are not proactive enough, and do not take a whole‐of‐hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”

It was also noted that health services relied on external services providers, but at the same time, they were not fully aware of the security controls implemented by the platforms that these providers were using.

“The three audited health services are not fully aware of whether their service providers have the necessary security controls. Due to the sector’s reliance on third‐party vendors, health services need to actively monitor vendor performance to ensure that patient data is safe,” says the report.

Victoria’s public health services, which manage their ICT systems independently, are supported as regards cybersecurity by DHHS’s Digital Health branch, which develops guidance materials, runs awareness and training sessions and funds ICT infrastructure upgrades. A set of 72 baseline cybersecurity controls, which health services need to implement by 2020-21, has also been developed. But none of the public health services in Victoria has fully implemented these 72 controls to date. They cite different reasons for this.

The audit report explains, “While Digital Health has set a clear roadmap for health services to follow, to date no health service has fully implemented the 72 controls. The audited health services advise that barriers to implementing the controls include a lack of dedicated cybersecurity staff and insufficient resources for ICT projects.”

“While it may be challenging for health services to balance ICT security against clinical projects, implementing all the controls will provide health services with strong baseline protection against cybersecurity risks. Recent, local examples of cyberattacks in health services demonstrate the need for this work to occur,” the report points out.

That there are no penalties for non-compliance is also perhaps one of the reasons for the slow implementation of the controls.

The audit report has brought to light issues pertaining to access control management. It found unused as well as terminated employee accounts that were still enabled and also found a lack of regular user access reviews. The health services did not keep user access forms, which are needed to authenticate users. The audit also revealed that many passwords, even on administrator accounts, were easily hackable. Some of these were even system default ones. It was also found that health services rarely used multi‐factor authentication, even for ICT staff and administrator accounts.

The report from the Auditor-General’s office also includes a detailed list of recommendations to be followed.


The post Victoria’s Public Health System “Highly Vulnerable”: Report appeared first on .

BlueKeep RDP flaw: Nearly a million Internet-facing systems are vulnerable

Two weeks have passed since Microsoft released security fixes and mitigation advice to defang expected exploits taking advantage of CVE-2019-0708 (aka BlueKeep), a wormable unauthenticated remote code execution flaw in Remote Desktop Services (RDP). The vulnerability, reported by UK’s National Cyber Security Centre (NCSC), has the potential to be the means for attacks that could rival the 2017 WannaCry onslaught and NotPetya attacks. A recent scanning effort by Robert Graham, head of offensive security research … More

The post BlueKeep RDP flaw: Nearly a million Internet-facing systems are vulnerable appeared first on Help Net Security.

CVE-2019-11815: Experts discovered a privilege escalation vulnerability in the Linux Kernel

Red Hat engineers and experts discovered a memory corruption vulnerability in the Linux kernel, which is basically a flaw in the implementation of RDS (Remote desktop Protocol) over TCP. This flaw has affected Red Hat, Ubuntu, Debian and SUSE, and security advisories have been issued for all. This flaw could enable an…

High-risk behaviors expose most travelers to cyber risks

The travel industry and its customers are increasingly the targets of cyberattacks as criminals seek to monetize highly valuable travel data, according to the new IBM Security research. Compounding the problem, a new survey conducted by Morning Consult on behalf of IBM Security reveals that travelers are still blind to the risks they face on the road. The survey found that only 40% of respondents believed it was likely they would be targeted for cybercrime … More

The post High-risk behaviors expose most travelers to cyber risks appeared first on Help Net Security.

Why You Need to be Careful About the BlueKeep Vulnerability

WannaCry, the ransomware that struck in 2017, shook the very foundations of thousands of businesses worldwide. The NotPetya attack that followed also caught many businesses unawares and dealt them a big blow. Well, if we’re not careful enough, another such devastating cyberattack could happen in the near future, thanks to a critical vulnerability named BlueKeep.

It was the EternalBlue exploit, the patch for which was issued by Microsoft and which many users, including thousands of organizations worldwide, had failed to apply on time, that led to two of the most damaging cyberattacks in recent times: the WannaCry attack and the NotPetya attack. Remember, it was not the EternalBlue exploit as such that caused the attacks; the real reason was the failure on the part of users and enterprises to patch the vulnerability on time. Now, we have reports of another vulnerability, a ‘wormable’ critical RCE (Remote Code Execution) vulnerability named BlueKeep that, if not taken care of, could lead to damaging cyberattacks.

Microsoft had already come up with a patch for the BlueKeep vulnerability for all supported, plus some unsupported, operating systems. All that companies (and individual users) need to do is to update their older Windows systems right away so as to avoid being one among the potential victims of a probable cyberattack.

Experts point out that the BlueKeep vulnerability, found in Remote Desktop Services (also known as Terminal Services), could enable, if exploited successfully by cybercriminals, access to any targeted Windows system via a backdoor, that too without any credentials or user interaction. Moreover, the vulnerability is ‘wormable’, which means that future exploits might even use the vulnerability to spread malware within or outside of computer networks almost in the same way as was done in the case of the WannaCry ransomware attacks.

The flaw, CVE-2019-0708, affects multiple in-support and out-of-support versions of Microsoft’s operating systems. Those users of Windows 7, Windows Server 2008 R2, and Windows Server 2008 who have enabled automatic updates would stay protected. Special updates have also been issued for two versions that are not supported, namely Windows XP and Windows 2003. It’s reported that Windows 10 and Windows 8 are not affected by the BlueKeep vulnerability. Though Windows Vista is also one among the affected OSs, Microsoft hasn’t released patches for it. Users of Windows Vista should, in order to resolve the issue, either disable RDP (Remote Desktop Protocol) completely or else use RDP only when it’s accessed via VPN.

After Microsoft released the patches, security researchers have created several working proofs-of-concept, but none of them have yet been publicly released. There is no proof of the vulnerability being exploited in the wild as of yet.

Remember, given the wormable nature of BlueKeep, if someone publishes a working exploit or some malware author sells one on the underground web, a situation almost similar to the WannaCry or NotPetya attack could arise. Even the rather less skilled among cybercriminals could make use of the exploit to unleash cyberattacks on computer networks and make profits out of it.

How to avoid being a victim of the BlueKeep exploit

There are some very simple things that could help prevent attacks that could happen by exploiting the BlueKeep vulnerability…

  • If you or your organization runs any of the supported versions of Windows, update it. Enabling automatic updates would be the best option. Download and apply patches immediately if you’re still using the unsupported versions, Windows XP or Windows 2003.
  • Avoid RDP and use it only where it is needed.
  • If you must use RDP, configure it properly and don’t expose it to the public internet. Filtering RDP access using firewall or using multi-factor authentication could be good options.
  • Disabling RDP, until you apply the patches that Microsoft has released, would be good.
  • It would be good to have NLA (Network Level Authentication) enabled. Thus, authentication would be needed before a remote session is established. (Remember, despite this, attackers who have valid credentials can successfully authenticate remote sessions and carry out RCE exploit-based attacks).
  • Use trusted multi-layered security solutions to detect and prevent attacks on the network level.


The post Why You Need to be Careful About the BlueKeep Vulnerability appeared first on .

If you haven’t yet patched the BlueKeep RDP vulnerability, do so now

There is still no public, working exploit code for CVE-2019-0708, a flaw that could allow an unauthenticated remote attacker to execute remote code on a vulnerable target running Remote Desktop Protocol (RDP). But, as many infosec experts have noted, we’re not far off from when one is created and leveraged by attackers in the wild. With the vulnerability being wormable, when it hits, the exploit could end up compromising millions of systems around the world, … More

The post If you haven’t yet patched the BlueKeep RDP vulnerability, do so now appeared first on Help Net Security.

Over half of all reported vulnerabilities in Q1 2019 have a remote attack vector

There were 5,501 vulnerabilities aggregated by Risk Based Security’s VulnDB that were disclosed during the first three months of 2019. This represents a 1% increase over the same period in 2018, making this Q1 an all-time high. The results were released in the Q1 2019 Vulnerability QuickView Report. CVSSv2 scores of 9.0+, deemed critical issues, accounted for 14.0% of all published Q1 2019 vulnerabilities. Risk Based Security’s VulnDB published 2,539 (85%) more vulnerabilities than CVE/NVD … More

The post Over half of all reported vulnerabilities in Q1 2019 have a remote attack vector appeared first on Help Net Security.

Stack Overflow Discloses Digital Attack against Production Systems

Stack Overflow, a popular question and answer site for programmers, disclosed a digital attack in which bad actors accessed its production systems. Mary Ferguson, VP of Engineering at the company, publicly revealed the incident on 16 May. In a statement posted to Stack Overflow’s website, she explained that someone had obtained production-level access to the […]… Read More

The post Stack Overflow Discloses Digital Attack against Production Systems appeared first on The State of Security.

CVE-2019-0708 – A Critical “Wormable” Remote Code Execution Vulnerability in Windows RDP

This is an important security advisory related to a recently patched Critical remote code execution vulnerability in Microsoft Windows Remote Desktop Services (RDP). The vulnerability is identified as “CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability”. The MSRC blog mentions: “This vulnerability is pre-authentication and requires no user interaction. In other…

Intel MDS attack mitigation: An overview

Intel has revealed on Tuesday that some of its CPUs are vulnerable to a number of new speculative execution attacks that may allow attackers to steal sensitive data and keys/passwords. ZombieLoad, RIDL and Fallout attacks have been extensively written about by the various groups of researchers that came up with them, but many customers and enterprise users are still unclear on whether these could affect them and what they can do to protect themselves. A … More

The post Intel MDS attack mitigation: An overview appeared first on Help Net Security.

Microsoft Warns WannaCry-like Windows Attack

Microsoft warns users of older versions of Windows to install Windows Update immediately to protect against potential widespread attacks. The software giant has fixed vulnerabilities in Remote Desktop Services running on Windows XP, Windows 7, and server versions such as Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft is taking the unusual approach of releasing patches for Windows XP and Windows Server 2003, although both operating systems are no longer supported. Windows XP users must manually download the updates from the Microsoft Update Catalog.

“This vulnerability is pre-authentication and requires no user interaction,” explains Simon Pope, director of incident response at Microsoft’s Security Response Center. “In other words, the vulnerability is ‘virus’, meaning that any future malware that exploits this vulnerability could propagate from the vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Microsoft said it had not observed exploitation of this vulnerability. However, now that the patch is released, it is only a matter of time before attackers analyze Microsoft’s patches and create malware. Fortunately, Windows 8 and Windows 10 computers are not affected by this vulnerability. Although Windows 10 is now more popular than Windows 7, there are still millions of computers running Windows 7, which could make potential attacks very problematic.

Microsoft last broke with its practice of not patching unsupported Windows operating systems when thousands of computers in more than 100 countries were hit by the malware known as WannaCry. That malware exploited a bug in older versions of Windows to encrypt the computer’s files and demanded a $300 ransom to unlock them. Microsoft is keen to avoid another WannaCry, even though it states that “the best way to resolve this vulnerability is to upgrade to the latest version of Windows.”

Source: https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches

Related Resources:

Microsoft’s Windows 7, 8.1 To Have Defender Advanced Threat Protection

Windows-based Forensic Tools Available for Everyone

145 Windows-malware loaded Play Store Apps, deleted by Google

Latest Windows 10 Comes With Malware Protection

The post Microsoft Warns of WannaCry-like Windows Attack appeared first on .

Vulnerability In Intel Processors Affected Millions of PCs

In early 2018, processor researchers disclosed two important security holes in Intel and AMD processors, Spectre and Meltdown. Although mitigations have since been released by Intel, AMD, Microsoft, and other major hardware and software vendors, the attack method, based on a process called speculative execution, has led researchers to discover a series of four new attacks that affect Intel processors going back to 2008, as reported by Wired.

Intel has labelled the flaws “Microarchitectural Data Sampling” (MDS) attacks. And while all four attacks are similar to Meltdown and Spectre, these new MDS attacks (ZombieLoad, Fallout, and RIDL) appear to be easier to execute.

In these new cases, researchers found that they could use speculative execution to trick Intel’s processors into grabbing sensitive data as it moves from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip’s components, such as between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.

Each variant of the attack can be used as a gateway to leak raw data passing through a processor’s cache before it is discarded by the speculative execution process. With fast, repeated execution, an attacker could collect enough of that data to recover anything from passwords to the keys used to decrypt disks.

“In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components,” VUSec, one of the firms that discovered the flaws, said in a paper set to be presented next week and seen by Wired.

The researchers who found the attacks include teams from the Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, and the companies Cyberus, BitDefender, Qihoo360 and Oracle.

Speaking to Wired, Intel said its own researchers discovered the vulnerabilities last year and that it now has fixes available at both the hardware and software level. The company said that processors it shipped last month already include a fix for the vulnerability.

Intel and the researchers, however, disagree on the severity of the vulnerability. While Intel described the attack as “low to moderate,” researchers at the institutions said, “If really dig through that raw output to find the valuable information they sought.”

Microsoft has released patches for Windows PCs. In a statement to Wired, a Microsoft spokesperson said, “We’re aware of this industry-wide issue and have been working closely with affected chip manufacturers to develop and test mitigations to protect our customers.”

Although patches are becoming available, applying them to the PCs and servers affected by the four variants will take time. This raises the concern that millions of computers worldwide will be processing sensitive data before they are fixed.
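As an added example (not from the article or the sources it cites), here is a small Python check for the patch status the paragraph above worries about. It parses the status line that the Linux kernel exposes for MDS in /sys/devices/system/cpu/vulnerabilities/mds and turns it into a verdict a fleet inventory can act on, including the case where the kernel update is present but the CPU microcode it relies on is missing. The sample status lines are constructed, modelled on the kernel's wording.

```python
import os

# Path where the Linux kernel (5.1 and distribution backports) reports MDS mitigation state.
MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"

# Constructed sample status lines, modelled on the strings the kernel writes to that file.
SAMPLE_STATUS = {
    "patched":   "Mitigation: Clear CPU buffers; SMT vulnerable",
    "no_ucode":  "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "unpatched": "Vulnerable; SMT vulnerable",
    "clean":     "Not affected",
    "smt_off":   "Mitigation: Clear CPU buffers; SMT disabled",
}


def parse_mds_status(line):
    """Turn one sysfs status line into a dict of findings.

    affected     False only for CPUs the kernel knows are not affected
    mitigated    the kernel clears CPU buffers on privilege transitions
    microcode    False when the CPU lacks the microcode the buffer clearing relies on
    smt_exposed  sibling hyperthreads on the same core can still sample each other's data
    """
    text = line.strip()
    head, _, smt = text.partition(";")
    head = head.strip()
    smt = smt.strip().lower()
    if head == "Not affected":
        return {"affected": False, "mitigated": True, "microcode": True, "smt_exposed": False}
    return {
        "affected": True,
        "mitigated": head.startswith("Mitigation:"),
        "microcode": "no microcode" not in head.lower(),
        # "SMT Host state unknown" is what a guest kernel reports; treat it as exposed.
        "smt_exposed": smt.startswith("smt vulnerable") or smt.startswith("smt host state unknown"),
    }


def mds_risk(line):
    """Collapse the findings into a single verdict string."""
    s = parse_mds_status(line)
    if not s["affected"]:
        return "not affected"
    if not s["mitigated"]:
        return "VULNERABLE: apply kernel update" + ("" if s["microcode"] else " and CPU microcode")
    if s["smt_exposed"]:
        return "partially mitigated: buffers cleared, but sibling hyperthreads can still leak"
    return "mitigated"


def check_local_host(path=MDS_SYSFS):
    """Read the live status on a Linux host; None when the kernel does not expose the file."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return mds_risk(f.read())


if __name__ == "__main__":
    for name, line in SAMPLE_STATUS.items():
        print(f"{name:10} {line!r:72} -> {mds_risk(line)}")
    live = check_local_host()
    print("this host:", live if live is not None else "kernel does not report MDS status")
```

The "partially mitigated" verdict is the caveat worth surfacing: buffer clearing stops leaks across privilege transitions, but not between two hyperthreads running concurrently on the same core.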

Source: https://www.zdnet.com/article/patch-status-for-the-new-mds-attacks-against-intel-cpus/

Related Resources:

Important Features of Vulnerability Scanners

7 Useful Android Vulnerability Scanners

Vulnerability Helps Researchers Expose Malware C&C Servers

TOP 10 PHP Vulnerability Scanners

The post Vulnerability In Intel Processors Affected Millions of PCs appeared first on .

Twitter Bug Carelessly Shared Location Data of Some iOS Users

According to Twitter, a bug that collected users’ location information and shared it with an unnamed Twitter partner has been fixed.

“We have discovered that we inadvertently collected and shared iOS location data with one of our trusted partners in certain circumstances,” the company said.

According to the blog post, the bug only affected iOS users of the Twitter app who had a second account on their phone. If a user allowed Twitter to access precise location information for one account, the setting was automatically applied to the other account, even if that account had not opted in to sharing location data.

Twitter also found that the collected information was passed on to a trusted partner to serve ads through a process known as real-time bidding. The company played down the privacy impact, however, stating that the location data was “fuzzed” to reduce its accuracy to the nearest zip code or city.

“We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process,” the company stated on its help site.

Although Twitter did not say when the data sharing took place, the social media company said it had notified affected users and asked them to review their privacy settings in light of the incident.

It should also be noted that this security issue is Twitter’s fourth mistake in the past year.

Last September, a bug in the Twitter API accidentally exposed private messages and protected tweets to developers who were not authorized to read them.

In December, it was reported that state-sponsored actors could have exploited a vulnerability in an online support form to retrieve a user’s country code and determine whether a Twitter account had been suspended.

In January this year, Twitter found a security flaw in its Android app causing private tweets of an unspecified number of users to be publicly available since 2014.

Source: https://www.zdnet.com/article/twitter-bug-shared-location-data-for-some-ios-users/

Related Resources:

Twitter Rolls Out Key Cybersecurity Improvement Vs. Hacking

Twitter to Stop Hackers from Spreading Secrets of 9/11 Attacks

Twitter’s Mobile Phone Integration Is Insecure

The post Twitter Bug Carelessly Shared Location Data of Some iOS Users appeared first on .

Spying on personal alarms and GPS trackers is as simple as sending an SMS

Security experts found that the devices – manufactured in China, and rebadged by multiple companies around the world – are vulnerable to a simple hack that could allow a hacker to track their location, and even secretly listen in via the microphone.

Read more in my article on the Bitdefender BOX blog.

Avoid a Security Endgame: Learn About the Latest “Avengers” Scam

Marvel Studio’s $2.2 billion box-office hit “Avengers: Endgame” has quickly risen to the second-highest grossing film of all time in its first two weekends. Not surprisingly, cybercriminals have wasted no time in capitalizing on the movie’s success by luring victims with free digital downloads of the film. How? By tempting users with security shortcuts so they can watch the film without worrying about spoilers or sold-out movie tickets.

When a victim goes to download the movie from one of the many scam sites popping up around the web, the streaming appears to begin automatically. What the user doesn’t know is that the footage being streamed is just from the movie’s trailer. Soon after, a message pops up stating that the user needs to create an account to continue with the download. The “free” account prompts the user to create a username and password in advance, which could potentially be useful for cybercriminals due to the common practice of password reuse. Once a victim creates an account, they are asked for billing information and credit card details in order to “verify location” and make sure the service is “licensed to distribute” the movie in the victim’s region. These crooks are then able to scrape the victim’s personal and financial data, potentially leading to online account hacks, stolen funds, identity theft, and more.

Luckily, Marvel fans can protect their online data to avoid a cybersecurity endgame by using the following tips:

  • Look out for potential scam activity. If it seems too good to be true, then it probably is. Be wary of websites promising free movie downloads, especially for movies that are still in theaters.
  • Shield your financial data. Be suspicious of “free downloads” that still require you to fill out billing information. If an unknown website asks for your credit card information or your bank account data, it’s best to avoid the site altogether.
  • Make sure your credentials are unique. With this scam, threat actors could use the login credentials provided by the victim to access their other accounts if they didn’t have a unique login. Avoiding username and password reuse makes it a lot harder for cybercriminals to hack into your other online accounts if they gain access to one.
  • Assemble a team of comprehensive security tools. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links and will warn you in the event that you do accidentally click on something malicious.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Avoid a Security Endgame: Learn About the Latest “Avengers” Scam appeared first on McAfee Blogs.

Wi-Fi Woes: Android Hotspot App Leaves 2 Million Passwords Exposed

Logging onto a free Wi-Fi network can be tempting, especially when you’re out running errands or waiting to catch a flight at the airport. But this could have serious cybersecurity consequences. One popular Android app, which allowed anyone to search for nearby Wi-Fi networks, was recently left exposed, leaving a database containing over 2 million network passwords unprotected.

How exactly were these passwords exposed? The app, which had been downloaded by millions of users, allowed anyone to search for Wi-Fi networks in their area. The app also lets users upload their Wi-Fi network passwords from their devices to its database for others to use. When the database was left exposed and unprotected, anyone could access and download its contents. Each record in the database contained the Wi-Fi network name, its precise geolocation, its basic service set identifier, and the network password in plaintext. Because the app didn’t require users to obtain permission from the network owner, it would be quite easy for a cybercriminal to modify router settings and point unsuspecting users to malicious websites. What’s more, a threat actor could also read unencrypted traffic that goes across a wireless network, allowing them to steal passwords and private data.

Thankfully, the web host was able to take down the database containing the Wi-Fi passwords within a day of being notified. But it’s important for users to be aware of the cybersecurity implications that free or public Wi-Fi presents. Check out the following tips to help protect your data:

  • Change your Wi-Fi password. If you think your password may have been affected by this exposure, err on the side of caution and reset it. Be sure to make your new password complex and unique.
  • Keep your network password private. Wi-Fi networks could be susceptible to a number of threats if their passwords are left in the wrong hands. Only share your passwords with family, friends, and those you trust, and never upload your password to a public database for strangers to use.
  • Safeguard your online privacy. Use a security solution like McAfee Safe Connect to encrypt your online activity, protect your privacy by hiding your IP address, and better defend against cybercriminals.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Wi-Fi Woes: Android Hotspot App Leaves 2 Million Passwords Exposed appeared first on McAfee Blogs.

McAfee ATR Team Discovers New IoT Vulnerability in Wemo Insight Smart Plugs

*This blog is originally from August 2018 and was updated April 2019*

From connected baby monitors to smart speakers — IoT devices are becoming commonplace in modern homes. Their convenience and ease of use make them seem like the perfect gadgets for the whole family. However, users can be prone to putting basic security hygiene on the backburner when they get a shiny new IoT toy, such as applying security updates, using complex passwords for home networks and devices, and isolating critical devices or networks from IoT. Additionally, IoT devices’ poor security standards make them conveniently flawed for someone else: cybercriminals, as hackers are constantly tracking flaws which they can weaponize. When a new IoT device is put on the market, these criminals have a new opportunity to expose the device’s weaknesses and access user networks. As a matter of fact, our McAfee Labs Advanced Threat Research team uncovered a flaw in one of these IoT devices: the Wemo Insight Smart Plug, which is a Wi-Fi–connected electric outlet.

Once our research team figured out how exactly the device was vulnerable, they leveraged the flaw to test out a few types of cyberattacks. The team soon discovered an attacker could leverage this vulnerability to turn off or overload the switch, which could overheat circuits or turn a home’s power off. What’s more – this smart plug, like many vulnerable IoT devices, creates a gateway for potential hackers to compromise an entire home Wi-Fi network. In fact, using the Wemo as a sort of “middleman,” our team leveraged this open hole in the network to power a smart TV on and off, which was just one of the many things that could’ve been possibly done.

And as of April 2019, the potential of a threat born from this vulnerability seems as possible as ever. Our ATR team even has reason to believe that cybercriminals already have or are currently working on incorporating the unpatched Wemo Insight vulnerability into IoT malware. IoT malware is enticing for cybercriminals, as these devices are often lacking in their security features. With companies competing to get their versions of the latest IoT device on the market, important cybersecurity features tend to fall by the wayside. This leaves cybercriminals with plenty of opportunities to expose device flaws right off the bat, creating more sophisticated cyberattacks that evolve with the latest IoT trends.

Now, our researchers have reported this vulnerability to Belkin, and, almost a year after initial disclosure, are awaiting a follow-up. However, regardless if you’re a Wemo user or not, it’s still important you take proactive security steps to safeguard all your IoT devices. Start by following these tips:

  • Keep security top of mind when buying an IoT device. When you’re thinking of making your next IoT purchase, make sure to do your research first. Start by looking up the device in question’s security standards. A simple Google search on the product, as well as the manufacturer, will often do the trick.
  • Change default passwords and do an update right away. If you purchase a connected device, be sure to first and foremost change the default password. Default manufacturer passwords are rather easy for criminals to crack. Also, your device’s software will need to be updated at some point. In a lot of cases, devices will have updates waiting for them as soon as they’re taken out of the box. The first time you power up your device, you should check to see if there are any updates or patches from the manufacturer.
  • Keep your firmware up-to-date. Manufacturers often release software updates to protect against these potential vulnerabilities. Set your device to auto-update, if you can, so you always have the latest software. Otherwise, just remember to consistently update your firmware whenever an update is available.
  • Secure your home’s internet at the source. These smart home devices must connect to a home Wi-Fi network in order to run. If they’re vulnerable, they could expose your network as a result. Since it can be challenging to lock down all the IoT devices in a home, utilize a solution like McAfee Secure Home Platform to provide protection at the router-level.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post McAfee ATR Team Discovers New IoT Vulnerability in Wemo Insight Smart Plugs appeared first on McAfee Blogs.

The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login

How often do you check your social media accounts? According to a recent study, internet users spend an average of 2 hours and 22 minutes per day on social networking platforms. Since users are pretty reliant on social media, cybercriminals use it as an avenue to target victims with various cyberattacks. The latest social media scheme called “The Nasty List” scams users into giving up their Instagram credentials and uses their accounts to further promote the phishing scam.

So, how exactly do hackers trick innocent users into handing over their login information? Cybercriminals spread this scam by sending messages through hacked accounts to the user’s followers, stating that they were spotted on a “Nasty List.” These messages will read something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.” If the recipient visits the profile listed in the message, they will see a link in the profile description. An example of one URL that has been listed in these scam profiles is nastylist-instatop50[.]me. The user is tricked into believing that this link will supposedly allow them to see why they are on this list. This link brings up what appears to be a legitimate Instagram login page. When the victim enters their credentials on the fake login page, the cybercriminals behind this scheme will be able to take over the account and use it to further promote the scam.

Images courtesy of Bleeping Computer.

Fortunately, there are a number of steps Instagram users can take to ensure that they don’t fall victim to this trap. Check out the following tips:

  • Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. Additionally, if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common in these scams.
  • Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in a [.]me.
  • Reset your password. If your account was hacked by ‘The Nasty List’ but you still have access to your account, reset your password to regain control of your account.

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login appeared first on McAfee Blogs.

Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity

The net is dark and full of terrors, especially for fans of HBO’s popular show Game of Thrones®. As followers of the series gear up for the premiere of the eighth and final season on April 14th, fans may have more than just White Walkers to worry about. According to McAfee’s study on the Most Dangerous Celebrities, it turns out that search results for Emilia Clarke are among those most likely to be infected with malware.

In fact, the actress who portrays Daenerys Targaryen in the TV drama came in at #17 of our 2018 Most Dangerous Celebrities study. Cybercriminals use the allure of celebrities – such as Clarke – to trick unsuspecting users into visiting malicious websites. These sites can be used to install malware on a victim’s device or steal their personal information or passwords. With the premiere of the new season right around the corner, it’s likely that cybercrooks will take advantage of the hype around the show to lure supporters into their trap.

Thankfully, there are plenty of ways fans can keep up with the show and characters without putting their online safety at risk. Follow these tips to pledge your allegiance to your cybersafety:

  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites is the equivalent of spreading the Mad King’s wildfire to your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.
  • Be careful what you click. Don’t bend the knee to hackers who tempt users to click on their malicious sites. Users looking for information on the new season should be careful and trust only reliable sources. The safest option is to wait for the official release instead of visiting a potentially malware-ridden third-party website.
  • Keep your device software updated. Install new system and application updates on your devices as soon as they’re available. These updates often include security fixes that can help protect your laptop or computer from an army of undead software bugs.
  • Protect your online realm with a cybersecurity solution. Send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

We wish you good fortune in the browsing to come. To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Copyright ©2019 McAfee, LLC

The post Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity appeared first on McAfee Blogs.

Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach

Most people don’t think about their credit card information being stolen and sold over the dark web while they’re enjoying a night out at an Italian restaurant. However, many people are experiencing this harsh reality. Earl Enterprises, the parent company of Buca di Beppo, Planet Hollywood, Earl of Sandwich, and Mixology 101 in LA, confirmed that the company was involved in a massive data breach, which exposed the credit card information of 2.15 million customers.

The original discovery was made by cybersecurity researcher Brian Krebs, who found the underground hacking forum where the credit card information had been posted for sale. He determined that the data first surfaced on Joker’s Stash, an underground shop that sells large batches of freshly-stolen credit and debit cards on a regular basis. In late February, Joker’s Stash moved a batch of 2.15 million stolen cards onto their system. This breach involved malware remotely installed on the company’s point-of-sale systems, which allowed cybercrooks to steal card details from customers between May 23, 2018, and March 18, 2019. This malicious software was able to capture payment card details including card numbers, expiration dates, and, in some cases, cardholder names. With this information, thieves are able to clone cards and use them as counterfeits to purchase expensive merchandise such as high-value electronics.

It appears that all 67 Buca di Beppo locations in the U.S., a handful of the 31 Earl of Sandwich locations, and the Planet Hollywood locations in Las Vegas, New York, and Orlando were impacted during this breach. Additionally, Tequila Taqueria in Las Vegas, Chicken Guy! in Disney Springs, and Mixology 101 in Los Angeles were also affected by this breach. Earl Enterprises states that online orders were not affected.

While large company data breaches such as this are difficult to avoid, there are a few steps users can take to better protect their personal data from malicious thieves. Check out the following tips:

  • Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
  • Check to see if you’ve been affected. If you know you’ve made purchases at an Earl Enterprises establishment in the last ten months, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach appeared first on McAfee Blogs.

The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams

Today, we are extremely reliant on our GPS devices. In fact, we’re so reliant on these devices that map features are programmed into almost every IoT device we use as well as inside of our vehicles. However, the Department of Homeland Security has issued an alert to make users aware of a GPS receiver issue called the GPS Week Number Rollover that is expected to occur on or around April 6, 2019. While this bug is only expected to affect a small number of older GPS devices, users who are impacted could face troubling results.

You may be wondering, what will cause this rollover issue? GPS systems count weeks using a ten-bit parameter, meaning that they start counting at week zero and then reset when they hit week 1,024, or 19.5 years. Because the last reset took place on August 21, 1999, it appears that the next reset will occur on April 6, 2019. This could result in devices resetting their dates and potentially corrupting navigation data, which would throw off location estimates. That means your GPS device could misrepresent your location drastically, as each nanosecond the clock is out translates into a foot of location error.

So, how does this rollover issue translate into a potential cyberthreat? It turns out that the main fix for this problem is to ensure that your GPS device’s software is up-to-date. However, due to the media attention that this bug is receiving, it’s not far-fetched to speculate that cybercriminals will leverage the issue to target users with phishing attacks. These attacks could come in the form of email notifications referencing the rollover notice and suggesting that users install a fraudulent software patch to fix the issue. The emails could contain a malicious payload that leaves the victim with a nasty malware on their device.
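To make the rollover arithmetic above concrete, here is an added Python example (not part of the original post). It reproduces the two wrap-around instants from the GPS epoch, shows how a receiver that stores only the ten-bit week number decodes the same value into different dates depending on which era its firmware assumes, and applies the usual fix of disambiguating with a pivot date such as the firmware build date. The 13 s and 18 s GPS-to-UTC offsets are the leap-second counts in force in 1999 and 2019; the pivot dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# GPS time starts at week 0 on 6 January 1980 and, unlike UTC, never inserts leap seconds.
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEK_FIELD_BITS = 10
WEEKS_PER_ERA = 1 << WEEK_FIELD_BITS          # the 10-bit field wraps after 1024 weeks

# GPS minus UTC, in seconds, at each rollover: 13 leap seconds had accumulated by
# August 1999 and 18 by April 2019.  Known historical values, hard-coded here rather
# than read from a leap-second file.
GPS_UTC_OFFSET = {1999: 13, 2019: 18}


def gps_to_utc(full_week, seconds_of_week, gps_utc_offset):
    """Convert a full (un-truncated) GPS week number plus seconds-of-week into UTC."""
    gps_time = GPS_EPOCH + timedelta(weeks=full_week, seconds=seconds_of_week)
    return gps_time - timedelta(seconds=gps_utc_offset)


def rollover_utc(era, gps_utc_offset):
    """UTC instant at which the 10-bit week counter wraps for the `era`-th time."""
    return gps_to_utc(era * WEEKS_PER_ERA, 0, gps_utc_offset)


def naive_decode(week10, assumed_era):
    """What a receiver with a fixed epoch displays: it silently assumes one era.

    Leap seconds are ignored here because the point is the date, not the second.
    """
    return gps_to_utc(assumed_era * WEEKS_PER_ERA + week10, 0, 0)


def resolve_full_week(week10, pivot_utc):
    """Disambiguate a 10-bit week number with a pivot date (for example the firmware
    build date): return the smallest full week number that is not before the pivot.

    At week granularity the 18 s GPS/UTC difference cannot change the answer, so the
    pivot is compared directly against the GPS epoch.
    """
    if not 0 <= week10 < WEEKS_PER_ERA:
        raise ValueError("week field must fit in 10 bits")
    pivot_week = (pivot_utc - GPS_EPOCH).days // 7
    era = pivot_week // WEEKS_PER_ERA
    full = era * WEEKS_PER_ERA + week10
    if full < pivot_week:                      # wrapped since the pivot: next era
        full += WEEKS_PER_ERA
    return full


if __name__ == "__main__":
    print("1st rollover (UTC):", rollover_utc(1, GPS_UTC_OFFSET[1999]))
    print("2nd rollover (UTC):", rollover_utc(2, GPS_UTC_OFFSET[2019]))
    # Constructed pivot: firmware built at the start of 2019, before the second rollover.
    pivot = datetime(2019, 1, 1, tzinfo=timezone.utc)
    for week10 in (0, 1010):
        print(f"week field {week10:4d}: naive era-0 -> {naive_decode(week10, 0).date()}, "
              f"naive era-1 -> {naive_decode(week10, 1).date()}, "
              f"with pivot -> week {resolve_full_week(week10, pivot)} "
              f"({gps_to_utc(resolve_full_week(week10, pivot), 0, 0).date()})")
```

A receiver that does not carry a pivot date displays week field 0 as 6 January 1980 or 22 August 1999 after the April 2019 wrap, which is exactly the date corruption the alert describes.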

While it’s difficult to speculate how exactly cybercriminals will use various events to prey on innocent users, it’s important to be aware of potential threats to help protect your data and safeguard your devices. Check out the following tips to help you spot potential phishing attacks:

  • Validate the email address is from a recognized sender. Always check the validity of signature lines, including the information on the sender’s name, address, and telephone number. If you receive an email from an address that you don’t recognize, it’s best to just delete the email entirely.
  • Hover over links to see and verify the URL. If someone sends you a link to “update your software,” hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
  • Be cautious of emails asking you to take action. If you receive a message asking you to update your software, don’t click on anything within the message. Instead, go straight to your software provider’s website. This will prevent you from downloading malicious content from phishing links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams appeared first on McAfee Blogs.

iOS Users: Update Your Software to Avoid Security Vulnerabilities

On Monday, Apple made some bold announcements at their keynote event, including new subscription offerings for news, television, video games, and a credit card service. But while these exciting announcements were being made, the release of iOS 12.2 seemed to slip under the radar. This update contains 51 different security fixes and applies to devices including the iPhone 5s and later, the iPad Air, and even products running tvOS. These software patches cover a variety of bugs that cybercriminals could use to cause a denial of service, overwrite arbitrary files, or execute malicious code.

The iOS 12.2 update includes patches for vulnerabilities in core apps like Contacts, FaceTime, Mail, Messages, and more. According to security professional Alex Stamos, most of the vulnerabilities were found in WebKit, the browser engine Apple uses in many of its products including Safari, Mail, and the App Store. Among these vulnerabilities were memory corruption bugs, which could lead to arbitrary code execution. This type of attack allows malicious actors to run any command on the target system, potentially giving them access to the victim’s files or letting them take over the victim’s system remotely. To prevent arbitrary code execution attacks, Apple improved device memory handling, state, and management. These processes control and coordinate the device’s memory in order to optimize overall system performance. Another issue patched by this update is the ability for a cybercriminal to bypass sandbox restrictions, which protect a device’s critical infrastructure from suspicious code. To combat this, Apple issued an improvement to validation checks.

While it can be easy to click the “Remind Me Later” option when you receive a software update notification, the security updates included in iOS 12.2 should not be overlooked. To help keep your iOS devices protected and running smoothly, check out the following tips:

  • Update your software. To update your device to iOS 12.2, go to your Settings, then to General, and then click Software Update. From there, you will be able to download and install the update and patch over 50 security holes.
  • Turn on automatic updates. Turning on automatic updates helps shield you from exposure to threats brought on by software bugs and vulnerabilities. You can enable automatic updates in your Settings as well.
  • Use a security solution. To add an extra layer of protection to all your devices, install a security solution like McAfee Total Protection. This will allow you to have an extra security weapon and help defend your devices from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post iOS Users: Update Your Software to Avoid Security Vulnerabilities appeared first on McAfee Blogs.

809 Million Records Left Exposed: How Users Can Protect Their Data

It’s no secret that technological advancements and online threats are directly proportional to each other. So now more than ever, it’s imperative that users prioritize the security of their digital presence, especially in the face of advanced malware attacks and massive data leaks. Speaking of the latter — less than two months after the Collection #1 data breach exposed 773 million email addresses, it seems we have another massive data dump in our midst. Last week, researchers discovered a 150-gigabyte database containing 809 million records exposed by the email validation firm, Verifications.io.

You may be wondering how Verifications.io had so much data left to be exposed. Most people have heard of email marketing, but very few realize that these companies often vet user email addresses to ensure their validity. Enter Verifications.io. This company serves as a way email marketing firms can outsource the extensive work involved with validating mass amounts of emails and avoid the risk of having their infrastructure blacklisted by spam filters. Verifications.io was entrusted with a lot of data provided by email marketing firms looking to streamline their processes, creating an information-heavy database.

This unusual data trove contains tons of sensitive information like names, email addresses, phone numbers, physical addresses, gender, date of birth, personal mortgage amounts, interest rates, social media accounts, and characterizations of people’s credit scores. While the data doesn’t contain Social Security Numbers or credit card information, that amount of aggregated data makes it much easier for cybercriminals to run new social engineering scams or expand their target audience. According to security researcher Troy Hunt, owner of HaveIBeenPwned, 35% of the data exposed by Verifications.io is new to his database. In fact, it was the second largest data dump, in terms of email addresses, ever added to Hunt’s website, which allows users to check whether their data has been exposed or breached.

Upon discovery, the firm was notified of the incident. And while proper security measures were taken, users can also take steps themselves to protect their information in the event of a large-scale data exposure. Check out the following tips:

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your individual accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords on a consistent basis to further protect your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 809 Million Records Left Exposed: How Users Can Protect Their Data appeared first on McAfee Blogs.

Hackers Are Going After Cisco RV110, RV130, and RV215 Routers

Cybercriminals are always looking for vulnerabilities in routers, and once they find one, the router becomes an easy target.

Hackers have not merely been scratching the surface; they have set their sights on compromising these devices for their own malicious ends, digging up router vulnerabilities to run hacking campaigns.

In 2018 we saw some high-profile router attack campaigns. One was VPNFilter, malware suspected to be the work of Russian actors; in response, the FBI warned businesses and households to reboot their routers immediately to counter the threat.

Nevertheless, it looks like many didn’t heed this warning, which left routers in a vulnerable state. Avast’s Threat Landscape Report for 2019 suggests that 60 percent of users have never updated their router firmware, exposing themselves to simple vulnerabilities.

Now this latest report from ZDNet reveals more.

Two days after Cisco patched a critical vulnerability in a popular brand of SOHO routers, and one day after the publication of proof-of-concept code, hackers have begun scans and attacks exploiting the said security bug to take over unpatched devices.

The vulnerability, tracked as CVE-2019-1663, was of note when it came out on February 27 because it received a severity rating from the Cisco team of 9.8 out of 10.

It received such a high score because the bug is trivial to exploit and does not require advanced coding skills or complex attack routines; it bypasses authentication procedures altogether; and routers can be attacked remotely, over the internet, without attackers needing to be physically present on the same local network as the vulnerable device.

Affected models include the Cisco RV110, RV130, and RV215, all of which are WiFi routers deployed in small businesses and residential homes.

Because of this, the owners of these devices are not likely to be keeping an eye on Cisco security alerts, and most of these routers will remain unpatched, unlike in large corporate environments where IT staff would have already deployed the Cisco fixes.

According to a scan by cyber-security firm Rapid7, there are over 12,000 of these devices readily available online, with the vast majority located in the US, Canada, India, Argentina, Poland, and Romania.

All of these devices are now under attack, according to cyber-security firm Bad Packets, which reported detecting scans on March 1.

The company detected hackers scanning for these types of routers using an exploit that was published a day earlier on the blog of Pen Test Partners, a UK-based cyber-security firm.

It was one of Pen Test Partners’ researchers, along with two other Chinese security experts, who found this particular vulnerability last year.

In its blog post, Pen Test Partners blamed the root cause of CVE-2019-1663 on Cisco coders using a notoriously insecure function of the C programming language, namely strcpy (string copy).

The company’s blog post included an explanation of how using this C function left the authentication mechanism of the Cisco RV110, RV130, and RV215 routers open to a buffer overflow that allowed attackers to flood the password field and attach malicious commands that got executed with admin rights during the authentication procedure.

Attackers who read the blog post appear to be using the example provided in the Pen Test Partners article to take over vulnerable devices.

Any owner of these devices will want to apply updates as soon as possible. If they believe their router has already been compromised, reflashing the device firmware is recommended.

The post Hackers Are Going After Cisco RV110, RV130, and RV215 Routers appeared first on .

Implementing Operational Security, The Process and Best Practices

Operational security (OPSEC), also called procedural security, is a kind of risk management process that encourages administrators to view their operations from the perspective of an adversary and draw conclusions about how to protect sensitive information from falling into the wrong hands.

OPSEC originated in the military, but it is becoming popular in the private sector. Activities that fall under OPSEC include monitoring behavior on social media sites and discouraging employees from sharing login credentials via email or text message.

The process of implementing operational security can be neatly divided into five steps:

1. Identify your sensitive data.

This includes customer information, employee information, product research, financial statements, and intellectual property. This is the data you will need to focus on protecting.

2. Identify possible threats. For each category of information you deem sensitive, identify the kinds of threats it faces. While you should be wary of third parties stealing your sensitive information, you should also keep an eye on insider threats, such as disgruntled employees and similar actors.

3. Analyze vulnerabilities and security holes. Assess your safeguards and determine whether any vulnerability exists that could be exploited to gain access to your data.

4. Chart the findings.

Flag the risk associated with each vulnerability. Rank your vulnerabilities by the extent of the damage each could do and the amount of time you would need to recover. The more likely and damaging an attack is, the higher the priority of mitigating the associated risk.

5. Put countermeasures in place.

The last step of operational security is to create a plan to eliminate threats and mitigate risks. This means updating your hardware and software and putting in place new policies regarding sensitive data. Countermeasures should be simple, so that employees can follow them without formal training.

Best practices for a comprehensive operational security program:

  • Change management processes should be implemented in such a way that employees understand when network changes are performed. All changes should be monitored and audited.
  • Use AAA (authentication, authorization, and accounting) to restrict access to network devices.
  • Give employees the minimum access they need to perform their jobs; keep the principle of least privilege in place.
  • Implement dual control so that the person working on the network is not the one in charge of its security.
  • Automate tasks to minimize human intervention. This reduces both errors and bypassed procedures.

Have a plan for identifying risks: incident response and disaster recovery planning are crucial components of a sound security posture, and they help you respond quickly and mitigate potential damage.

Operational security forces you to dive deeply into your operations and find the places where a breach could occur. An administrator who looks at operations from a malicious third party’s perspective can spot vulnerabilities they might otherwise have missed.

The post Implementing Operational Security, The Process and Best Practices appeared first on .

Vulnerability Helps Researchers Expose Malware C&C Servers

We usually get to hear of vulnerabilities that cybercriminals exploit to expose or steal data. This time it’s the other way around; the criminals are at the receiving end. A vulnerability has helped researchers expose malware C&C servers.

A vulnerability in a penetration testing tool that hackers had been using is now helping researchers expose the locations of thousands of malware C&C (command-and-control) servers. This vulnerability, now patched, affected Cobalt Strike, a legitimate tool that researchers use to emulate cyber-attacks. But for the past five years, cybercriminal groups too have been using Cobalt Strike, which has been around for over a decade.

It was because of its ease of use and scalability that Cobalt Strike turned the favorite of cybercriminal gangs like FIN6 and FIN7 (Carbanak) as well as nation-state cyber-espionage groups, like APT29 (Cozy Bear). These threat actors would first use Cobalt Strike to host their C&C servers and then they’d deploy malware on the networks of many enterprises through the Cobalt “beacons” (the implant component of Cobalt Strike is called the “beacon”) that they plant on the infected hosts.

Meanwhile, researchers at the Dutch security firm Fox-IT discovered a bug in the Cobalt Strike server component that has allowed them to track hackers for the last few years. Fox-IT’s researchers revealed that the Java-based NanoHTTPD web server used by Cobalt Strike accidentally added an extra whitespace character to the server’s HTTP responses, which made it possible to detect Cobalt Strike communications between beacons and their C&C servers across the years.

A Fox-IT blog post dated February 26, 2019 discusses this discovery in detail. The blog post says, “One of Fox-IT’s InTELL analysts, with a trained eye for HTTP header anomalies, spotted an unusual space in the response of a Cobalt Strike team server in one of our global investigations into malicious activity. Though this might seem irrelevant to a casual observer, details such as these can make a substantial difference in combating malicious activity, and warranted additional research into the set-up of the team servers. This ultimately led to Fox-IT being able to better protect our clients from actors using Cobalt Strike.”

The blog post further says, “The webserver of the team server in Cobalt Strike is based on NanoHTTPD, an opensource webserver written in Java. However this webserver unintendedly returns a surplus whitespace in all its HTTP responses. It is difficult to see at first glance, but the whitespace is there in all the HTTP responses from the Cobalt Strike webserver… Using this knowledge it is possible to identify NanoHTTPD servers, including possible Cobalt Strike team servers. We found out that public NanoHTTPD servers are less common than team servers. Even when the team server uses a Malleable C2 Profile, it is still possible to identify the server due to the “extraneous space”.”

When Cobalt Strike 3.13 was released on January 2, 2019, the “extraneous space” was fixed. Fox-IT points out that this indicates that this vulnerability was present in Cobalt Strike for almost 7 years, assuming it used NanoHTTPD since the first version, released in 2012. The Fox-IT blog points out that a careful look can help spot the space in some of the author’s original YouTube videos, dating back to 2014.
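The following is an added example, not Fox-IT’s or Cobalt Strike’s code: a small check that flags the “extraneous space” in raw HTTP responses, run over constructed sample responses. It assumes, as the Fox-IT post describes, that the artefact is a single space at the end of the status line, immediately before the line break.

```python
"""Flag HTTP responses carrying the NanoHTTPD 'extraneous space' artefact.

Added example; not Fox-IT's or Cobalt Strike's code. Sample responses and
host addresses below are constructed, not real captures.
"""
import re

# Status line without its terminator: version, status code, optional reason.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: ([^\r\n]*))?$")


def split_head(raw: bytes):
    """Return (status_line, headers) for an HTTP response, or None otherwise.

    The status line is returned without its CRLF so a trailing space survives.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        head = raw  # headers only, no body delimiter present
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def has_extraneous_space(raw: bytes) -> bool:
    """True when the status line ends in a space, e.g. b'HTTP/1.1 200 OK '.

    Typical servers end the reason phrase directly with CRLF; the NanoHTTPD
    build used by Cobalt Strike before 3.13 appended one space first.
    """
    parsed = split_head(raw)
    if parsed is None:
        return False
    status_line, _headers = parsed
    if not status_line.endswith(b" "):
        return False
    # Require a well-formed status line once the trailing space is removed.
    return STATUS_LINE.match(status_line.rstrip(b" ")) is not None


def triage(samples):
    """Run the check over (host, raw_response) pairs.

    Returns (host, status_code, verdict) triples. A hit is only a candidate:
    ordinary NanoHTTPD servers show the same artefact, so a flagged host still
    needs corroboration (beacon-style traffic, a known-bad address list)
    before it is treated as a team server.
    """
    results = []
    for host, raw in samples:
        parsed = split_head(raw)
        if parsed is None:
            results.append((host, None, "not-http"))
            continue
        status_line, _headers = parsed
        m = STATUS_LINE.match(status_line.rstrip(b" "))
        code = int(m.group(1)) if m else None
        verdict = "candidate-nanohttpd" if has_extraneous_space(raw) else "clean"
        results.append((host, code, verdict))
    return results


# Constructed sample responses (documentation-range addresses, not real hosts).
SAMPLES = [
    # Team-server style: trailing space on the status line, otherwise bland.
    ("198.51.100.10",
     b"HTTP/1.1 200 OK \r\nDate: Tue, 26 Feb 2019 10:00:00 GMT\r\n"
     b"Content-Type: application/octet-stream\r\nContent-Length: 0\r\n\r\n"),
    # Same artefact on a 404; a Malleable C2 profile changes headers, not this.
    ("198.51.100.11",
     b"HTTP/1.1 404 Not Found \r\nContent-Length: 0\r\n\r\n"),
    # Ordinary web server: no trailing space.
    ("198.51.100.12",
     b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 2\r\n\r\nok"),
    # Not an HTTP response at all.
    ("198.51.100.13", b"SSH-2.0-OpenSSH_7.9\r\n"),
]

if __name__ == "__main__":
    for host, code, verdict in triage(SAMPLES):
        print(f"{host:15} {code!s:5} {verdict}")
```

The same check can be applied to stored proxy or full-packet captures rather than live probes, which is the setting the post has in mind for security teams checking their own network logs.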

Fox-IT has revealed that in total the company has observed 7718 “unique Cobalt Strike team server or NanoHTTPD hosts between the period of 2015-01 and 2019-02”. The company has also published a list of historical IP addresses that used to or are still hosting Cobalt Strike C&C servers. Some of these could be legitimate instances of companies using the tool for testing purposes, but many of these could also be from hacker groups. Hence security teams in companies could use the list to check their network logs and identify breaches if any.

There are reports of companies confirming Fox-IT’s discovery. However, with servers getting patched after such confirmations, current scans for the bug are yielding fewer results.

Cybercriminals might use pirated, unregistered and cracked versions of Cobalt Strike and hence the bug might remain unpatched for a long time. However, legitimately-owned servers will receive the Cobalt Strike patch and hence most of the servers that come up during scans would be those of cybercriminals.

The post Vulnerability Helps Researchers Expose Malware C&C Servers appeared first on .

Apple Users: Here’s What to Do About the Major FaceTime Bug

FaceTime is a popular way for people of all ages to connect with long-distance loved ones. The feature permits Apple users to video chat with other device owners from essentially anywhere at any time. And now, a bug in the software takes that connection a step further – as it permits users calling via FaceTime to hear the audio coming from the recipient’s phone, even before they’ve accepted or denied the call.

Let’s start with how the eavesdropping bug actually works. First, a user would have to start a FaceTime video call with an iPhone contact and while the call is dialing, they must swipe up from the bottom of the screen and tap “Add Person.” Then, they can add their own phone number to the “Add Person” screen. From there, the user can start a group FaceTime call between themselves and the original person dialed, even if that person hasn’t accepted the call. What’s more – if the user presses the volume up or down, the victim’s front-face camera is exposed too.

This bug acts as a reminder that these days your smartphone is just as data rich as your computer. So, as we adopt new technology into our everyday lives, we all must consider how these emerging technology trends could create security risks if we don’t take steps to protect our data.

Therefore, it’s crucial that all iOS users running iOS 12.1 or later take the right steps now to protect their device and their data. If you’re an Apple user affected by this bug, be sure to follow these helpful security steps:

  • Update, update, update. Speaking of fixes – patches for bugs are included in software updates that come from the provider. Therefore, make sure you always update your device as soon as one is available. Apple has already confirmed that a fix is underway as we speak.
  • Be sure to disable FaceTime in iOS settings now. Until this bug is fixed, it is best to just disable the feature entirely to be sure no one is listening in on you. When a fix does emerge from Apple, you can look into enabling the service again.
  • Apply additional security to your phone. Though the bug will hopefully be patched within the next software update, it doesn’t hurt to always cover your device with an extra layer of security. To protect your phone from any additional mobile threats coming its way, be sure to use a security solution such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Apple Users: Here’s What to Do About the Major FaceTime Bug appeared first on McAfee Blogs.

The Collection #1 Data Breach: Insights and Tips on This Cyberthreat

As the cybersecurity landscape evolves to match new trends in technology, it’s important for consumers to prioritize the protection of their online presence. That means remaining aware of the internet’s more common cyberthreats, including malware, phishing, and data breaches, and how they could potentially affect you. And while most of us already know about the Equifax data breach, a new monster breach now has to become top of mind for us all. Say hello to Collection #1, a data set exposing 772,904,991 unique email addresses and over 21 million unique passwords.

Discovered by security researcher Troy Hunt, Collection #1 first appeared on the popular cloud service called MEGA. The Collection #1 folder held over 12,000 files that weigh in at over 87 gigabytes. When the storage site was taken down, the folder was then transferred to a public hacking site. What’s truly astonishing about this is that the data was not for sale; it was simply available for anyone to take.

You may be wondering, how was all this data collected? It appears that this data set is a breach of breaches, aggregating over 2,000 leaked databases containing cracked passwords in order to achieve maximum exposure. The sheer volume of this breach makes Collection #1 the second largest in size after Yahoo’s, and the largest public breach ever (given that the data was openly exposed on the internet).

It appears that this data set is designed for use in credential-stuffing attacks, where cybercriminals will use email and password combinations to hack into consumers’ online accounts. The risks could be even greater for those who reuse credentials across multiple accounts. In order to help protect yourself from this threat, it’s vital that users act fast and use the following tips to help protect their data:

  • Use strong, unique passwords. In addition to making sure all of your passwords are strong and unique, never reuse passwords across multiple accounts. You can also enable a password manager to help keep track of your credentials.
  • Change your passwords. Even if it doesn’t appear that your data was breached, it’s better to err on the side of caution and change all of your passwords to better protect yourself.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Collection #1 Data Breach: Insights and Tips on This Cyberthreat appeared first on McAfee Blogs.

Frequent Fortnite Player? 4 Tips to Combat the New Attack on User Accounts

Epic Games’ Fortnite has risen in popularity rapidly since its debut, and cybercriminals have leveraged that popularity to enact a handful of malicious schemes. Unfortunately, these tricks are showing no signs of slowing, as researchers recently discovered a security flaw that allowed cybercriminals to take over a gamer’s Fortnite account through a malicious link. This attack specifically targeted users who used a third-party website to log in to their Fortnite accounts, such as Facebook, Google, or gaming providers like Microsoft, Nintendo, and Sony. But instead of trying to steal a gamer’s password like many of the hacks we’ve seen, this scheme targeted the special access token the third-party website exchanges with the game when a user logs in.

So, how exactly does this threat work? First, a cybercriminal sends a malicious phishing link to a Fortnite user. To increase the likelihood that a user will click on the link, the cybercriminal would send the link with an enticing message promising perks like free game credits. If the user clicked on the link, they would be redirected to the vulnerable login page. From here, Epic Games would make the request for the SSO (single sign-on) token from the third-party site, given SSO allows a user to leverage one set of login credentials across multiple accounts. This authentication token is usually sent to Fortnite over the back-end, removing the need for the user to remember a password to access the game. However, due to the unsecured login page, the user would be redirected to the attacker’s URL. This allows cybercriminals to intercept the user’s login token and take over their Fortnite account.

After acquiring a login token, a cybercriminal would gain access to a Fortnite user’s personal and financial details. Because Fortnite accounts have partial payment card numbers tied to them, a cybercriminal would be able to make in-game purchases and rack up a slew of charges on the victim’s card.

It’s important for players to understand the realities of gaming security in order to be more prepared for potential cyberthreats such as the Fortnite hack. According to McAfee research, the average gamer has experienced almost five cyberattacks, with 75% of PC gamers worried about the security of gaming. And while Epic Games has thankfully fixed this security flaw, there are a number of techniques players can use to help safeguard their gaming security now and in the future:

  • Go straight to the source. 70% of breaches start with a phishing email, and phishing scams can be stopped by simply avoiding the email and going straight to the source to be sure you’re working with the real deal. In the case of this particular scheme, you should be able to check your account status on the Fortnite website and determine the legitimacy of the request from there.
  • Use a strong, unique password. If you think your Fortnite account was hacked, err on the side of caution by updating your login credentials. In addition, don’t reuse passwords over multiple accounts. Reusing passwords could allow a cybercriminal to access multiple of your accounts by just hacking into one of them.
  • Stay on top of your financial transactions. Check your bank statements regularly to monitor the activity of the card linked to your Fortnite account. If you see repeat or multiple transactions from your account, or see charges that you don’t recognize, alert your bank to ensure that your funds are protected.
  • Get protection specifically designed for gamers. We’re currently building McAfee Gamer Security to help boost your PC’s performance, while simultaneously safeguarding you from a variety of threats that can disrupt your gaming experience.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Frequent Fortnite Player? 4 Tips to Combat the New Attack on User Accounts appeared first on McAfee Blogs.

IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653

Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received an update to detect the threat shortly after the patch was released.

A remote attacker can target Internet Explorer Versions 9 through 11 via a specially crafted website, while a local attacker on a rogue network could also target the Web Proxy Auto-Discovery service, which uses the same vulnerable scripting engine (jscript.dll). Microsoft Edge is not affected; however, other Windows applications that include the scripting engine might be vulnerable until the security patch from Microsoft is applied.

Context

Vulnerabilities targeting Internet Explorer that can be triggered either remotely or locally are prime tools for cybercriminals to compromise many unpatched computers. That is why criminals usually integrate those vulnerabilities into exploit kits, which propagate malware or conduct other nefarious activities against compromised hosts. The threat of exploit kits is one reason to track this type of vulnerability and to ensure all security patches are deployed in a timely manner. In 2018, more than 100 memory corruption vulnerabilities were found in a Microsoft scripting engine (either for Internet Explorer or Edge). See the MITRE website for more details. (For defense-in-depth, products such as McAfee Endpoint Security or McAfee Host Intrusion Prevention can detect and eradicate such threats until patches can be applied.)

Once a CVE ID is released, cybercriminals can take as little as a few weeks (or in some cases days) to integrate it into their exploit kit. For example, CVE-2018-8174 was initially reported to Microsoft in late April by two teams of threat researchers who had observed its exploitation in the wild. Microsoft published an advisory within a week, in early May. Meanwhile, the researchers published their security analysis of the exploit. Only two weeks later a proof-of-concept exploit was publicly released. In the next couple of weeks exploit kits RIG and Magnitude integrated their weaponized versions of the exploit. (A more detailed timeline can be found here.)

It took less than a month for cybercriminals to weaponize the vulnerability initially disclosed by Microsoft; therefore, it is critical to understand the threat posed by these attack vectors, and to ensure counter measures are in place to stop the threat before it can do any damage.

Technical details

The IE scripting engine jscript.dll is a code base that has been heavily audited, so it is no surprise that exploitable bugs are becoming more exotic. This is the case for CVE 2018-8653, which takes three seemingly innocent behaviors and turns them into a use-after-free flaw. A Microsoft-specific extension triggers a rarely explored code path that eventually misbehaves and invokes a frequently used function with unusual arguments. This leads to the use-after-free condition that was exploited in the wild.

The enumerator object: The entry point for this vulnerability is a Microsoft-specific extension, the enumerator object. It offers an API to enumerate opaque objects that belong to the Windows world (mostly ActiveX components, such as a file system descriptor used to list drives on a system). However, it can also be called on a JavaScript array. In this situation, one can access the array member as usual, but objects created this way are stored slightly differently in memory. This is the cause of interesting side effects.

The objects created by calling the Enumerator.prototype.item() function are recognized as an ActiveXObject and, as seen in the creation of eObj, under certain circumstances we can overwrite the “prototype” member, which should have been a read-only property.

Unexpected side effect: The ability to overwrite the prototype member of an ActiveXObject can seem innocuous at first, but it can be leveraged to explore a code path that should not be reachable.

When using the “instanceof” keyword, the right-hand side of the keyword is expected to be a function. However, with a specially crafted object, the instanceof call succeeds and, worse, we can control the code being executed.

The edge case of invoking instanceof on a specially crafted ActiveXObject gives us the opportunity to run custom JavaScript code from a callback we control, which is typically an error-prone situation.

Attackers successfully turned this bug into a use-after-free condition, as we shall see next.

Exploiting the bug: Without getting into too much detail (see the proof of concept later in this document for more info), this bug can be turned into a “delete this” type of primitive, which resembles previously reported bugs.
When the callback function (“f” in our previous example) is invoked, the keyword “this” points to eObj.prototype. If we set it to null and then trigger a garbage collection, the memory backing the object can be freed and later reclaimed. However, as mentioned in the Project Zero bug report, to be successful an entire block of variables needs to be cleared before the memory is freed.

The out-of-band patch: Microsoft released an unscheduled patch to fix this vulnerability. It is common practice for us to look at what changed before and after the patch. Interestingly, this patch changes the strict minimum number of bytes, while the version number of the DLL remains unchanged.

Using the popular diffing tool Diaphora, we compared the two versions of jscript.dll for Windows 10, x64 edition (feature version 1809).

We can see that only a few functions were modified. All but one relate to array functions; those were probably patches addressing CVE 2018-8631 (jscript!JsArrayFunctionHeapSort out-of-bounds write). The only remaining function that was substantially modified is NameTbl::InvokeInternal.

Diaphora provides us with a diff of the assembly code of the two versions of the function. In this instance, it is easier to compare the functions side by side in IDA Pro to see what has changed. A quick glance toward the end of the function shows the introduction of two calls to GCRoot::~GCRoot (the destructor of the GCRoot object).

Looking at the implementation of ~GCRoot, we see it is the same code that the compiler had inlined into NameTbl::InvokeInternal in the older version of the DLL.

In the newer version of the DLL, this function is called twice, while in the unpatched version the code appeared only once (inlined by the compiler, hence the absence of a function call). In C++ parlance, ~GCRoot is the destructor of GCRoot, so we may want to find the constructor of GCRoot. An easy trick is to search for the magic offset 0x3D0 to see whether this value is used anywhere else. We find it near the top of the same function (the unpatched version is on the left):

Diving into the nitty-gritty of garbage collection in jscript.dll is beyond the scope of this post, so let’s make some assumptions. In C++/C#, GCRoot would usually designate a template that keeps track of references pointing to an object in use, so that the object is not garbage collected. Here it looks as though stack addresses (that is, local variables) are being saved into a list of GCRoot objects to tell the garbage collector not to collect the objects whose pointers are stored at those specific locations on the stack. In hindsight this makes sense: we were able to “delete this” because “this” was not tracked by the garbage collector, so Microsoft now makes sure to add that stack variable to the tracked elements.

We can verify this hypothesis by tracing the code around an invocation of instanceof. It turns out that just before invoking our custom “isPrototypeOf” callback function, a call to NameTbl::GetVarThis stores a pointer in the newly “protected” stack variable and then invokes ScrFncObj::Call to execute our callback.
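To make the role of the added GCRoot concrete, here is a toy mark-and-sweep collector written for this post; it is not jscript.dll code, and the names Heap, Object, GCRoot, scriptCallback, invokeUnpatched and invokePatched are illustrative stand-ins for the engine’s internals. It models the two shapes of the callback invocation: the unpatched one, where “this” sits only in an untracked local while the user-controlled callback drops the last heap reference and forces a collection, and the patched one, where that same local is registered as a root for the duration of the call.

```cpp
// Added example (not jscript.dll code): a toy mark-and-sweep heap showing why
// the patched NameTbl::InvokeInternal pins the callee's "this" pointer in a
// GCRoot while a script callback runs. All names here are illustrative.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

// A script object. 'alive' records whether the last sweep reclaimed it, so a
// dangling use can be observed as a boolean instead of crashing.
struct Object {
    int  value  = 0;
    bool marked = false;
    bool alive  = true;
};

struct Heap {
    std::vector<std::unique_ptr<Object>> objects;     // live allocations
    std::vector<std::unique_ptr<Object>> quarantine;  // swept blocks, kept addressable for the demo
    std::vector<Object**> roots;                      // slots the collector treats as live references

    Object* allocate(int value) {
        objects.push_back(std::make_unique<Object>());
        objects.back()->value = value;
        return objects.back().get();
    }

    // Mark every object pointed to by a registered root slot, then sweep the rest.
    // Objects hold no references to each other here, so no graph traversal is needed.
    void collect() {
        for (auto& o : objects) o->marked = false;
        for (Object** slot : roots)
            if (*slot) (*slot)->marked = true;
        for (auto& o : objects) {
            if (o->marked) continue;
            o->alive = false;                   // a real allocator would hand the block back; we park it
            quarantine.push_back(std::move(o));
        }
        objects.erase(std::remove_if(objects.begin(), objects.end(),
                                     [](const std::unique_ptr<Object>& p) { return !p; }),
                      objects.end());
    }
};

// RAII guard: registers a stack slot as a GC root for the guard's lifetime.
// Mirrors the GCRoot constructor / ~GCRoot pair the patch adds around the callback.
class GCRoot {
public:
    GCRoot(Heap& heap, Object** slot) : heap_(heap), slot_(slot) { heap_.roots.push_back(slot_); }
    ~GCRoot() { heap_.roots.erase(std::find(heap_.roots.begin(), heap_.roots.end(), slot_)); }
    GCRoot(const GCRoot&) = delete;
    GCRoot& operator=(const GCRoot&) = delete;
private:
    Heap& heap_;
    Object** slot_;
};

// Stand-in for the user-controlled isPrototypeOf callback: it drops the only
// heap-side reference to "this" and forces a collection, as the "delete this"
// primitive described above does.
void scriptCallback(Heap& heap, Object** prototypeSlot) {
    *prototypeSlot = nullptr;
    heap.collect();
}

// Unpatched shape: "this" lives only in an untracked local while the callback runs.
// Returns whether the object was still alive when the runtime touched it afterwards.
bool invokeUnpatched(Heap& heap, Object** prototypeSlot) {
    Object* thisPtr = *prototypeSlot;   // like the value NameTbl::GetVarThis stores on the stack
    scriptCallback(heap, prototypeSlot);
    return thisPtr->alive;              // dangling: the sweep reclaimed the object
}

// Patched shape: the same local is registered as a root for the duration of the call.
bool invokePatched(Heap& heap, Object** prototypeSlot) {
    Object* thisPtr = *prototypeSlot;
    GCRoot pin(heap, &thisPtr);         // ~GCRoot runs on return, as in the diffed function
    scriptCallback(heap, prototypeSlot);
    return thisPtr->alive;              // still live: the root kept it marked
}

// Builds a fresh heap with one rooted "prototype" object and runs one scenario.
bool scenario(bool patched) {
    Heap heap;
    Object* prototype = nullptr;
    GCRoot globalRoot(heap, &prototype);   // the prototype slot itself is an ordinary root
    prototype = heap.allocate(1337);       // constructed sample value
    return patched ? invokePatched(heap, &prototype) : invokeUnpatched(heap, &prototype);
}

int main() {
    std::printf("unpatched: this alive after callback = %s\n", scenario(false) ? "yes" : "no");
    std::printf("patched:   this alive after callback = %s\n", scenario(true) ? "yes" : "no");
    return 0;
}
```

Swept blocks are parked in a quarantine list rather than returned to the allocator so that the dangling access shows up as a boolean instead of undefined behaviour; in the real engine the freed block is exactly what a later allocation can reclaim, which is the condition the proof of concept below depends on. The only difference between the two invoke functions is the one GCRoot line, which is the same shape as the diff between the two versions of NameTbl::InvokeInternal.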

Looking at unexpected behavior in `instanceof`: Curious readers might wonder why it is possible to invoke instanceof on a custom object rather than on a function (as described previously). When instanceof is invoked in JavaScript, the CScriptRuntime::InstOf function is called behind the scenes. Early on, the function distinguishes two cases. If the variable type is 0x81 (which seems to be a broad type for a JavaScript object on the heap), it invokes a virtual function that returns whether the object can be called. If the type is not 0x81, a different path is followed: the function tries to automatically resolve the prototype object and invoke isPrototypeOf.

The 0x81 path:

The not 0x81 path:

Proof of concept

Now that we have seen the ins and outs of the bug, let’s look at a simple proof of concept that exhibits the use-after-free behavior.

First, we set up a couple of arrays, so that everything that can be preallocated is allocated, and the heap is in a somewhat ready state for the use after free.

Then, we declare our custom callback and trigger the vulnerability:

For some reason, the objects array needs to be freed and garbage collected before the next step of the exploit. This could be due to some side effect of freeing the ActiveXObject. The memory is reclaimed when we assign “1” to the property reallocPropertyName. That variable is a magic string that will be copied over the recently freed memory to mimic legitimate variables. It is created as shown:

The 0x0003 is a variable type that tells us the following value is an integer and that 1337 is its value. The string needs to be long enough to trigger an allocation of the same or similar size as the memory block that was recently freed.

To summarize, JavaScript variables (here, the RegExp objects) are stored in a block; when all the variables from the block are freed, the block itself is freed. In the right circumstances, the newly allocated string can take the place of the recently freed block, and because “this” is still dangling in our callback, it can be used for some type confusion. (This is the method used by the attackers, but beyond the scope of this post.) In this example, the code will print 1337 instead of an empty RegExp.

McAfee coverage

Please refer to the McAfee product bulletin for full coverage updates. Here is a short summary of current product coverage as of this writing.

Endpoint products: Endpoint Security (ENS), ENS Adaptive Threat Protection (ENS-ATP), Host Intrusion Prevention (HIPS), VirusScan Enterprise (VSE), WSS.

  • ENS (10.2.0+) with Exploit Prevention
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • HIPS (8.0.0+)
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • ENS (all versions) and WSS (all versions). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V3 DAT (3564)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a
  • VSE (8.8+). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V2 DAT (9113)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a

Content summary

  • DATs: V2 DAT (9113), V3 DAT (3564)
  • Generic Buffer Overflow Protection Signature ID 428

MITRE score

The base score (CVSS v3.0) for this vulnerability is 7.5 (High) with an impact score of 5.9 and an exploitability score of 1.6.

Conclusion

CVE-2018-8653 targets multiple versions of Internet Explorer and other applications that rely on the same scripting engine. Attackers can execute arbitrary code on unpatched hosts from specially crafted web pages or JavaScript files. Even though the bug was recently fixed by Microsoft, we can expect exploit kits to soon deploy a weaponized version of this critical vulnerability, leveraging it to target remaining unpatched systems. The technical analysis in this post should provide enough information for defenders to ensure their systems will withstand the threat and to know which primitives to look for as an entry point for the attack. McAfee security products can be leveraged to provide specific “virtual patching” for this threat until full software patches can be deployed, while current generic buffer overflow protection rules can be used to fingerprint exploit attempts against this and similar vulnerabilities.

The post IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653 appeared first on McAfee Blogs.