BOISE, Idaho (AP) — Idaho prison officials say 364 inmates exploited
vulnerable software in the JPay tablets they use for email, music and
games to collectively transfer nearly a quarter million dollars into
their own accounts.
Here is the link to the story: https://apnews.com/dfd5dccdf75c4b5dbc97ff5ecf3f3d5b. This shows how, once a weakness exists, people will find it and use it to their own ends.
Tuesday, July 31, 2018
Wednesday, July 25, 2018
Ransomware
No More Ransomware Web Site
https://www.nomoreransom.org/en/index.html
is a site you should save in your favorites.
This site has lots of resources to help you deal with ransomware.
Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom. However, even paying does not guarantee recovery, and you should try this site for a solution first.
The site has Crypto Sheriff, an upload page where you can submit a file, and the site may give you a solution for removing the ransomware.
Part of the site has solutions for many types of ransomware.
How to prevent a ransomware attack?
1. Back-up! Back-up! Back-up! Have a recovery system in
place so a ransomware infection can’t destroy your personal data forever. It’s
best to create two back-up copies: one to be stored in the cloud (remember to
use a service that makes an automatic backup of your files) and one to store physically
(portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from
your computer when you are done. Your back up copies will also come in handy
should you accidentally delete a critical file or experience a hard drive
failure.
2. Use robust antivirus software to protect your system from
ransomware. Do not switch off the ‘heuristic functions’ as these help the
solution to catch samples of ransomware that have not yet been formally
detected.
3. Keep all the software on your computer up to date. When
your operating system (OS) or applications release a new version, install it.
And if the software offers the option of automatic updating, take it.
4. Trust no one. Literally. Any account can be compromised,
and malicious links can be sent from the accounts of friends on social media,
colleagues or an online gaming partner. Never open attachments in emails from
someone you don’t know. Cybercriminals often distribute fake email messages
that look very much like email notifications from an online store, a bank, the
police, a court or a tax collection agency, luring recipients into clicking on
a malicious link and releasing the malware into their system.
5. Enable the ‘Show file extensions’ option in the Windows
settings on your computer. This will make it much easier to spot potentially
malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’.
Scammers can use several extensions to disguise a malicious file as a video,
photo, or document (like hot-chics.avi.exe or doc.scr).
6. If you discover a rogue or unknown process on your
machine, disconnect it immediately from the internet or other network
connections (such as home Wi-Fi) — this will prevent the infection from
spreading.
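Added example, not from the No More Ransom site: a small Python filename screen for the double-extension trick item 5 describes. The extension lists are my own choices built around the .exe, .vbs and .scr examples above, and the sample names are constructed.

```python
import os

# Final extensions Windows will run (the three named above plus other common
# script and executable types). Assumed list for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                   ".bat", ".cmd", ".com", ".pif", ".ps1", ".msi", ".cpl"}
# Extensions a scammer puts in front of the real one to suggest media or documents.
DECOY_EXTS = {".avi", ".mp4", ".mov", ".jpg", ".jpeg", ".png", ".gif", ".pdf",
              ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".zip"}


def classify_filename(name):
    """Return 'ok', 'executable' or 'disguised-executable' for a file name.

    This looks only at the name, which is exactly what 'Show file extensions'
    lets a user see; it is a screening aid, not a substitute for antivirus.
    """
    base = os.path.basename(name.replace("\\", "/")).strip().lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "ok"                          # no usable extension
    final = "." + parts[-1]
    if final not in EXECUTABLE_EXTS:
        return "ok"
    inner = {"." + p for p in parts[1:-1] if p}
    if inner & DECOY_EXTS:
        return "disguised-executable"        # e.g. something.avi.exe
    return "executable"


def flag_suspicious(names):
    """Return [(name, verdict)] for every name that is not plain 'ok'."""
    return [(n, v) for n in names for v in [classify_filename(n)] if v != "ok"]


# Constructed sample names, including the two patterns named in item 5.
SAMPLE_NAMES = [
    "holiday-photos.jpg", "hot-chics.avi.exe", "doc.scr", "invoice.pdf",
    "backup.tar.gz", "setup.exe", r"C:\Users\me\Downloads\report.docx.js",
]
```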
Other resources
If you are a member of InfraGard, look at the resources there as well.
For Microsoft's guidance, go here:
https://www.microsoft.com/en-us/wdsi/threats/ransomware
If you are a Mac user, look at this:
https://www.cnet.com/news/apple-users-beware-first-live-ransomware-targeting-mac-found-in-the-wild/
Tuesday, July 24, 2018
Apache Releases Security Updates for Apache Tomcat
The Apache Software Foundation has released security updates to
address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9,
8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote
attacker could exploit one of these vulnerabilities to obtain sensitive
information.
NCCIC encourages users and administrators to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates.
Bluetooth Vulnerability
Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange.
Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.
Description
CWE-325: Missing Required Cryptographic Step - CVE-2018-5383
Bluetooth uses a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. Each ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must also agree on the elliptic curve parameters being used. Previous work on the "Invalid Curve Attack" showed that ECDH parameters are not always validated before being used to compute the resulting shared key, which reduces the attacker's effort to obtain the private key of the device under attack when the implementation does not validate all of the parameters first. In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key and determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages. Both Bluetooth Low Energy (LE) implementations of Secure Connections Pairing in operating system software and BR/EDR implementations of Secure Simple Pairing in device firmware may be affected. Bluetooth device users are encouraged to consult their device vendor for further information. Since the vulnerability was identified, the Bluetooth SIG has updated the Bluetooth specifications to require validation of any public key received as part of public key-based security procedures, remedying the vulnerability at the specification level. In addition, the Bluetooth SIG has added testing for this vulnerability to its Bluetooth Qualification Program, and has released a public statement regarding the vulnerability.
Impact
An unauthenticated, remote attacker within range may be able to utilize a man-in-the-middle network position to determine the cryptographic keys used by the device. The attacker can then intercept and decrypt and/or forge and inject device messages.
Solution
Apply an update. Both software and firmware updates are expected over the coming weeks. Affected users should check with their device vendor for availability of updates.
Saturday, July 14, 2018
Another type of phishing attack
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Here is a new one that has started to circulate.
__________________________________________
You don't know me and you're thinking why you received this
e mail, right?
Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you've got a fine taste haha), and next part recorded your webcam (Yep! It's you doing nasty things!).
What should you do?
Well, I believe, $1900 is a fair price for our little secret. You'll make the payment via Bitcoin to the below address (if you don't know this, search "how to buy bitcoin" in Google).
BTC Address: XXXXXXXXXXXXX
(It is cAsE sensitive, so copy and paste it)
Important:
You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don't get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with "Yes!" and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don't waste my time and yours by replying to this email.
______________________________________________
FYI, I wish they would learn to use a spell checker..
ONCE AGAIN, IF YOU DO NOT KNOW THE SENDER, DO NOT OPEN IT UP.
THINK BEFORE YOU CLICK.
CERT Advisory (ICSMA-18-179-01) Medtronic MyCareLink Patient Monitor
1. EXECUTIVE SUMMARY
- CVSS v3 6.4
- Vendor: Medtronic
- Equipment: MyCareLink Patient Monitor
- Vulnerabilities: Use of Hard-coded Password, Exposed Dangerous Method or Function
2. RISK EVALUATION
If exploited, these vulnerabilities may allow privileged access to the monitor’s operating system. However, physical access to the MyCareLink monitor is required. Additionally, these vulnerabilities may allow a MyCareLink monitor, when operated within close physical proximity of an implantable cardiac device, to read and write arbitrary memory values of that device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following MyCareLink Monitors are affected:
- 24950 MyCareLink Monitor, all versions,
- 24952 MyCareLink Monitor, all versions.
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF HARD-CODED PASSWORD CWE-259
The affected product contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
CVE-2018-8870 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749
The affected product contains debug code meant to test the functionality of the monitor’s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can apply the other vulnerabilities within this advisory to access this debug functionality.
This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.
CVE-2018-8868 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Dublin, Ireland
3.4 RESEARCHER
Peter Morgan of Clever Security reported these vulnerabilities to NCCIC.
4. MITIGATIONS
Medtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, recurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure.
Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities.
- Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system.
- Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative.
https://www.medtronic.com/security
NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. High skill level is needed to exploit.
Contact Information
For any questions related to this report, please contact the NCCIC at:
Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
CERT Advisory (ICSMA-18-107-01) Abbott Laboratories Defibrillator
1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely
- Vendor: Abbott Laboratories
- Equipment: Implantable Cardioverter Defibrillator and Cardiac Synchronization Therapy Defibrillator
- Vulnerabilities: Improper Authentication and Improper Restriction of Power Consumption
The Food and Drug Administration (FDA) released a safety communication on April 17, 2018, titled “Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication,” regarding the identified vulnerabilities and corresponding mitigation. In response, NCCIC is releasing this advisory to provide additional detail to patients and healthcare providers.
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD.
Impact to individual organizations depends on many factors unique to each organization. NCCIC recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following ICDs and CRT-Ds manufactured and distributed prior to April 19, 2018, are affected:
- Fortify,
- Fortify Assura,
- Quadra Assura,
- Quadra Assura MP,
- Unify,
- Unify Assura,
- Unify Quadra,
- Promote Quadra,
- Ellipse,
- Current,
- Promote.
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER AUTHENTICATION CWE-287
The device’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the ICD or CRT-D via RF communications.
CVE-2017-12712 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2 IMPROPER RESTRICTION OF POWER CONSUMPTION CWE-920
The ICDs and CRT-Ds do not restrict or limit the number of correctly formatted “RF wake-up” commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce device battery life.
CVE-2017-12714 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.3 BACKGROUND
Abbott is a U.S.-based company headquartered in Abbott Park, Illinois.
The affected ICDs and CRT-Ds are implantable medical devices designed to deliver high voltage electrical pulses to correct a fast or irregular heartbeat. According to Abbott, these devices are deployed across the healthcare and public health sector. Abbott indicates that these products are used worldwide.
3.4 RESEARCHER
MedSec Holdings Ltd. reported these vulnerabilities to Abbott Laboratories and NCCIC.
4. MITIGATIONS
Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
The firmware update provides additional security to reduce the risk of unauthorized access through authentication bypass for the following high voltage device families that use wireless radio frequency (RF) communication: Fortify, Fortify Assura, Quadra Assura, Quadra Assura MP, Unify, Unify Assura, Unify Quadra, Promote Quadra, and Ellipse.
The firmware update can be applied to an eligible implanted ICD or CRT-D via the Merlin PCS Programmer by a healthcare provider. Abbott and FDA have recommended the update to all eligible patients at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. ICDs and CRT-Ds manufactured beginning April 25, 2018, will have these updates preloaded on devices.
Abbott states that firmware updates should be approached with caution. As with any software update, firmware updates can cause devices to malfunction. Potential risks include discomfort due to back-up VVI pacing settings, reloading of previous firmware version due to incomplete upgrade, inability to treat VT/VF while in back-up mode given high voltage therapy is disabled, device remaining in back-up mode due to unsuccessful upgrade, and loss of currently-programmed device settings or diagnostic data. The Abbott Cybersecurity Medical Advisory Board has reviewed this firmware update and the associated risk of performing the update in the context of potential cybersecurity risk.
While not intended to serve as a substitute for clinician judgment as to whether the firmware update is advisable for a particular patient, the Cybersecurity Medical Advisory Board recommends the following:
- Healthcare providers and patients should discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update during the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician. As part of this discussion, it is important to consider patient-specific issues such as pacemaker dependence, frequency of high voltage therapy, age of device, patient preference, and provide patients with the “Patient Communication.”
- Determine if the update is appropriate given the risk of update for the patient. If deemed appropriate, install this firmware update following the instructions provided by the manufacturer.
- The cybersecurity firmware update should be performed in a facility where appropriate monitoring and external defibrillation are readily available.
Therefore, the Medical Advisory Board recommends the following:
- Healthcare providers and patients should discuss the risks of cybersecurity vulnerabilities and benefits of remote monitoring at the next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.
- If deemed appropriate, RF communication may be permanently disabled during an in-clinic device interrogation with the Merlin programmer software.
The FDA Safety Communication, “Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices,” is available at the following location:
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.
No known public exploits specifically target these vulnerabilities. High skill level is needed to exploit.
Contact Information
For any questions related to this report, please contact the NCCIC at:
Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870
Keen Security Lab Finds 14 Security Vulnerabilities in BMW Vehicles
The Chinese cybersecurity research team known as Keen Security Lab has disclosed 14 security vulnerabilities affecting a range of BMW vehicles. Eight of the flaws affect the infotainment system, four affect the Telematics Control Unit (TCU), and two affect the Central Gateway Module (CGM). The TCU handles remote communication in the vehicle, such as the ability to unlock the doors remotely. The CGM handles communication between the different subsystems and dispatches the communications appropriately across different Controller Area Network (CAN) buses.
Most vehicle vulnerabilities found in the past have relied on having physical access to the vehicle. These types of vulnerabilities could be triggered by plugging in a malicious USB device or accessing diagnostic ports inside the vehicle. While vulnerabilities requiring physical access can still be dangerous, the risk of compromise is much lower than a remote vulnerability.
To identify remote vulnerabilities, the research team set up their own mock GSM cellular network to intercept (man-in-the-middle) the traffic coming from the vehicle. By capturing and analyzing that traffic they found a flaw in the ConnectedDrive service, which the team exploited to gain a root shell on the vehicle’s head unit. The team also attacked the Bluetooth functionality of the head unit to explore other avenues of remote exploitation. While they were not able to gain remote access via Bluetooth, they were able to make the head unit reboot at will by sending it malformed packets. This vulnerability, however, requires the system to be in pairing mode for successful exploitation.
The flaws discovered in the various subsystems can be chained together to impact the vehicles in a more meaningful way than just forcing a reboot of the head unit. For example, one could send arbitrary messages to the vehicle's Engine Control Unit (ECU), the brain of the vehicle's drive system. In the hands of sufficiently motivated and technical attackers, these vulnerabilities could possibly result in takeover of the exploited vehicle. The team found that the exploits discovered could be triggered even while the vehicle is in motion.
BMW was notified of the vulnerabilities found in advance of the team’s publication of their findings. BMW acknowledged the team’s findings and has begun rolling out fixes to the systems which can be updated via over the air updates. Some systems cannot be patched in this method however and require the vehicles to be brought to a dealer to be updated.
Sources:
https://thehackernews.com/2018/05/bmw-smart-car-hacking.html
https://keenlab.tencent.com/en/Experimental_Security_Assessment_of_BMW_Cars_by_KeenLab.pdf
https://www.helpnetsecurity.com/2018/05/23/hack-bmw-cars/
New Malware Strain Spreads Through Documents
MuddyWater malware is believed to be
once again targeting organizations across the world. This malware was first reported when it
targeted the Saudi government back in 2017 and
was reported to have also targeted other organizations in the US,
Turkey, and other Middle Eastern countries.
Although it is unclear who is behind these attacks, there is some attribution information that links them with the FIN7 threat group, which is known to be financially motivated. MuddyWater itself is document-based malware, often spread by phishing campaigns that specifically target unaware users.
The malware leverages Microsoft Office documents to deliver macro-enabled
code execution after tricking unaware users into opening the file. The
infection chain starts with the attackers enticing a victim to open a Microsoft
Office file with macros enabled. Once this happens, an initial VBScript is
automatically executed which then executes other PowerShell scripts.
Once the PowerShell scripts execute, a backdoor payload runs on the victim machine, which automatically calls home and waits for commands from the attackers. Interestingly, the most noteworthy enhancements between the malware strains appear to be in the obfuscation techniques. The malware starts with a VBScript that uses character substitution to hide its intentions while manipulating images shown in the document body, then performs the initial PowerShell script execution. The initial PowerShell script, “invoker.ps1”, then reads other data within the document and performs a cryptographic decoding to build further PowerShell scripts, which in turn execute the actual payload, “PRB-Backdoor”, from within the file. Once PRB-Backdoor is executed it attempts to communicate with its command-and-control server, hxxp://outl00k[.]net, to send and receive commands. According to malware researchers, more than ten specific types of commands and functionality have been discovered between the malware and the attackers over the command-and-control channel. Some of the more interesting capabilities are gathering system information, file interaction, keylogging, and stealing passwords.
Although this malware is not overly sophisticated, it does present a good opportunity to learn more about the tools, techniques, and tactics of our adversaries. To combat such attacks, users should be cognizant of suspicious emails and cautious with file attachments. Additionally, other tools can help defend an organization's infrastructure from these types of attacks, including hosted email security, deep packet inspection by network perimeter devices, and customized endpoint protection.
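Added example, not from the Trend Micro write-up: Python detection logic for the Office document -> VBScript -> PowerShell chain described above, run over a few constructed Sysmon-style process-creation events. The field names (pid, ppid, image, cmdline), the switch list and the sample events are assumptions made for this example.

```python
import json

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TARGETS = {"powershell.exe", "pwsh.exe"}
# Switches that commonly accompany scripted, hidden PowerShell launches.
SUSPICIOUS_SWITCHES = ("-windowstyle hidden", "-w hidden", "-encodedcommand",
                       "-enc ", "-executionpolicy bypass", "-noprofile")

# Constructed sample: process-creation events as JSON lines (assumed field names).
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.doc"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage1.vbs"}
{"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File invoker.ps1"}
{"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"}
{"pid": 600, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "EXCEL.EXE quote.xls"}
{"pid": 700, "ppid": 600, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c start.bat"}
{"pid": 800, "ppid": 700, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -enc <base64 omitted>"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased file name of an image path (handles Windows separators)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event, by_pid):
    """Process names from this process up to the root, child first."""
    chain, cur, seen = [image_name(event["image"])], event, {event["pid"]}
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(image_name(cur["image"]))
    return chain


def find_office_to_powershell(events):
    """Flag PowerShell processes that have an Office application as an ancestor.

    A chain whose intermediate processes are all script hosts (Office ->
    wscript.exe -> powershell.exe) is the macro-drops-VBScript pattern from the
    write-up and is rated high; any other Office ancestor is rated medium.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["image"]) not in TARGETS:
            continue
        chain = ancestry(e, by_pid)
        for depth, name in enumerate(chain[1:], start=1):
            if name not in OFFICE_APPS:
                continue
            between = chain[1:depth]
            cmd = e["cmdline"].lower()
            alerts.append({
                "pid": e["pid"],
                "chain": " -> ".join(reversed(chain[:depth + 1])),
                "severity": "high" if all(n in SCRIPT_HOSTS for n in between) else "medium",
                "switches": [s.strip() for s in SUSPICIOUS_SWITCHES if s in cmd],
            })
            break
    return alerts
```

The plain explorer.exe -> powershell.exe launch (pid 500) produces no alert, which is the false-positive case an administrator's own shell would otherwise trigger.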
Although it is unclear who is behind these attacks, there is some attribution information that links these attacks with the FIN7 threat group that has been known to be a financially motivated. MuddyWater itself is document-based malware, which is often spread by phishing campaigns specifically targeting unaware users.
Once the PowerShell scripts execute, a backdoor payload runs on the victim machine, which automatically calls home and waits for commands from the attackers. Interestingly, the most noteworthy enhancements between the malware strains look to be in the obfuscation techniques. The malware starts with a VBScript that uses character substitution to initially hide its direct intentions when manipulating images shown in the document body, then performs the initial PowerShell script execution. The initial PowerShell Script “invoker.ps1”, then calls other data within the document and performs a cryptographic decoding to build other PowerShell scripts that then have the ability to execute the actual payload
“PRB-Backdoor” within the file. Once PRB-Backdoor is executed, it attempts to communicate with its Command-and-Control server, hxxp://outl00k[.]net, to send and receive commands. According to malware researchers, more than ten distinct commands and functions have been identified between the malware and the attackers over the Command-and-Control channel. Some of the more interesting capabilities are gathering system information, file interaction, keylogging, and stealing passwords.
Although this malware is not overly sophisticated, it does present a good opportunity to learn more about the tools, techniques, and tactics of our adversaries. To combat such attacks, users should be cognizant of suspicious emails and cautious with file attachments. Additionally, other tools can help defend an organization's infrastructure from these attacks, including hosted email security, deep packet inspection by network perimeter devices, and customized endpoint protection.
Sources: https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/
Read My Mail, Please…
It was announced that European researchers discovered that the popular PGP and S/MIME email encryption standards are vulnerable to attack. Dubbed EFAIL, it is described as a set of vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME. From the website, EFAIL abuses active content of HTML emails to exfiltrate plaintext through requested URLs. In “Direct Exfiltration”, the victim’s stolen encrypted message is sent to the victim sandwiched between two parts of an HTML request, so that the mail client delivers the decrypted text back to the attacker as an image request. This leverages vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. The “CBC/CFB Gadget Attack” abuses a weakness in the Cipher Block Chaining (CBC) mode of operation used in S/MIME. If you know some of the encrypted text – and you do, because most encrypted messages begin with the same phrase – you can build a “gadget”, which is just a set of bits that you can insert into the existing cipher stream so that it decrypts to the text you want. OpenPGP uses Cipher Feedback (CFB), which has similar cryptographic properties allowing the same abuse, and because the gadget is embedded in the cipher stream itself, any standard-conforming client will be vulnerable. PGP also compresses the plaintext before encrypting it, which complicates guessing any known plaintext bytes.
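The “gadget” described above works because CBC is malleable: whoever knows one plaintext block can change what it decrypts to without knowing the key. This added example (not from the EFAIL researchers or any mail client) shows that with a toy Feistel cipher standing in for AES, and then shows the integrity tag (encrypt-then-MAC) that makes such an edit detectable; keys and the message text are constructed.

```python
from typing import Optional
import hashlib
import hmac
import secrets

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed SHA-256, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network over a 16-byte block. Demonstration cipher only;
    # CBC's malleability does not depend on which block cipher is underneath.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Textbook CBC without padding: plaintext must be a multiple of BLOCK.
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(out)


def forged_iv(iv: bytes, known_block: bytes, wanted_block: bytes) -> bytes:
    # The gadget idea, needing no key: block 1 decrypts to D(c1) XOR iv, which
    # equals known_block. With iv XOR known XOR wanted it decrypts to wanted.
    return _xor(_xor(iv, known_block), wanted_block)


def seal(key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers IV and ciphertext, so any edit is caught.
    ct = cbc_encrypt(key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, mac_key: bytes, msg: bytes) -> Optional[bytes]:
    # Returns the plaintext, or None when the tag fails (message was altered).
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-32], msg[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return cbc_decrypt(key, iv, ct)


def demo() -> dict:
    key, mac_key, iv = (secrets.token_bytes(16) for _ in range(3))
    # Constructed message; as with S/MIME, the first block is predictable.
    plaintext = b"Content-Type: te" + b"xt/html;charset=" + b"Secret body txt."
    ct = cbc_encrypt(key, iv, plaintext)
    known, wanted = plaintext[:BLOCK], b"chosen-by-forger"
    bad_iv = forged_iv(iv, known, wanted)
    malleable = cbc_decrypt(key, bad_iv, ct)      # no tag: the edit goes unnoticed
    sealed = seal(key, mac_key, iv, plaintext)
    tampered = bad_iv + sealed[BLOCK:]             # same edit on the tagged message
    return {
        "first_block": malleable[:BLOCK],
        "rest_intact": malleable[BLOCK:] == plaintext[BLOCK:],
        "sealed_opens": open_sealed(key, mac_key, sealed) == plaintext,
        "tampered_rejected": open_sealed(key, mac_key, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The same edit that silently rewrites the first block of the plain CBC message is rejected outright once a tag covers the ciphertext, which is why integrity protection (an MDC or an AEAD mode), not just encryption, is the fix.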
Different vendors have different CVEs for specific security issues relevant to EFAIL, but there are two CVE numbers for the CBC and CFB gadget attacks: CVE-2017-17688: OpenPGP CFB gadget attacks and CVE-2017-17689: S/MIME CBC gadget attacks. The researchers stated that their analysis showed that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.
Synack’s CTO and Co-Founder Mark Kuhr pointed out that independent security researchers are advising people to stop using PGP, and the media is following suit. But his opinion is that this is a terrible idea. “This is like saying ‘your lock may not work, so leave your door wide open.’” Lee Neely on the editorial board of SANS NewsBites in Volume 20 Number 38 states it best: “These flaws are relatively low risk as exploiting these vulnerabilities is tricky and relies on several things.”
Time will tell as to just how dangerous and exploitable these flaws are. Don’t read us wrong - should these flaws be addressed? Absolutely. We all need to implement mitigations (a number of which were outlined on the website), address correcting the clients, follow the CVEs and patches as available, and address the systemic fixes to PGP and S/MIME protocols. But we also need to address the underlying conflicts between usability and capability vs. security that are in our opinion at the root of this issue, and look toward making email more secure.
Sources: https://www.reuters.com/article/us-cyber-encryption/popular-encrypted-email-standards-are-unsafe-european-researchers-idUSKCN1IF1LL https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html
Red Hat DHCP: Gateway to Full Root Access
Red Hat Enterprise Linux (RHEL) is a popular distribution used by many organizations for servers and other network endpoints. Two free versions of the operating system, Fedora and CentOS, have also branched out of RHEL. US-CERT issued an alert Wednesday that a critical vulnerability had been discovered in how the Network Manager application handles Dynamic Host Configuration Protocol (DHCP) responses. A crafted response could lead to commands being run on the system with full root privileges.
When a device connects to a network and is configured to use DHCP (as most endpoints are), it sends a request out on the network saying that it needs an IP address and other related network information. When the DHCP server receives the request, it assigns an IP address to the requestor and sends a response with the address as well as other network configuration parameters such as DNS servers. This allows automatic, central management of network addresses such that duplication doesn’t occur, which would cause network routing and traffic issues. Google researcher Felix Wilhelm discovered a vulnerability in the Network Manager package included in RHEL and related operating systems. This package runs a script to set the network configuration on the host when a response from a DHCP server is received. However, the script is vulnerable to malicious responses that can cause arbitrary commands to be run on the host with root privileges. For instance, a reverse remote terminal session could be opened, allowing the attacker to run commands on the host at will with full access. A malicious response can be sent by someone spoofing a DHCP server on the local network or if the legitimate DHCP server is already compromised. While this does require the attacker and target to be on the same local network, this could also be done remotely if both are on a public Wi-Fi connection or in combination with another attack that could compromise other machines on the local network.
Patches for this vulnerability have already been released for most systems and users are urged to update immediately. Patches released so far: RHEL versions 6 and 7, and Fedora versions 26, 27, and 28. Red Hat Virtualization 4.1 is also vulnerable, but Network Manager is turned off by default there; Red Hat Virtualization 4.2 contains the fix. CentOS has also patched the vulnerability in version 7. Additionally, there is a workaround of disabling or removing the vulnerable script, but Red Hat says “…this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers.” Patching is recommended over the workaround.
Sources: https://threatpost.com/critical-linux-flaw-opens-the-door-to-full-root-access/132034/ https://thehackernews.com/2018/05/linux-dhcp-hacking.html https://bugzilla.redhat.com/show_bug.cgi?id=1567974
The Cyber-view From DC
It was a busy end of May for cybersecurity in our nation’s capital. The White House Office of Management and Budget issued a report saying that most federal agencies are not prepared for cyberattacks, while noting that almost three quarters of the agencies assessed have programs that are at risk or high risk. At nearly the same time, the FBI reported a botnet with ties to Russia has infected the nation’s routers and that they should all be rebooted. Now, the Department of Commerce and Department of Homeland Security (DHS) has released a report on how the federal government can combat botnets or networks of infected internet-connected devices that can be leveraged by hackers. The report listed six principal themes for reducing distributed threats including: 1) working closely with international partners as these are global threats; 2) utilizing tools that are available but not being commonly used; 3) ensuring devices are secured through all stages of their "lifecycle;" 4) boosting education and awareness of botnets for businesses and citizens; 5) changing market incentives to encourage security; and 6) collaboration to address an ecosystem-wide problem.
To address these, the DHS report outlines five goals: 1) Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace; 2) Promote innovation in the infrastructure for dynamic adaptation to evolving threats; 3) Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks; 4) Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world; 5) Increase awareness and education across the ecosystem.
This report was not unexpected. A year ago, President Trump signed an executive order directing Commerce and Homeland Security to issue a report about combating botnets and automated and distributed attacks, with a deadline of one year. Given these facts, what’s Washington to do about cyber security? The report outlines some steps, but it appears it would take an advocate in the White House to help agencies improve the very cybersecurity programs the initial report calls deficient. Unfortunately the White House eliminated the top cybersecurity post several weeks ago, and although organizing a plan to execute the goals of this latest report would be right in the cyber czar’s swim lane, the responsibilities of White House cybersecurity coordinator have now been delegated to two members of the National Security Council’s team.
Sources: https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/05/30/the-cybersecurity-202-white-house-cybersecurity-report-shows-federal-agencies-still-struggling-to-get-secure/5b0d79c81b326b492dd07ed3/?utm_term=.d8258a22e35b https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pd
Necurs Recurs!
Since 2012, the Necurs botnet has been an evolving workhorse of a botnet, backing the Jaff ransomware, Dridex banking Trojan, and Locky ransomware campaigns. Most recently it has been found pushing URL files with misleading icons to trick victims into exposing themselves to the malware of the attacker’s choice. It eludes some spam filters because the file contacts the command and control server instead of directly downloading the malware.
The researchers at Trend Micro have found that the newest iteration of Necurs spreads spam with Internet Query (IQY) files instead. IQY files are text files that are meant to help in adding external resources to an Excel spreadsheet. Once the file is opened, Windows hands it to Excel, which automatically executes the commands it contains. This in turn results in a domino effect: the commands leverage the Dynamic Data Exchange capabilities of Excel, which allow a file-less execution of a PowerShell script, which finally downloads a remote access application.
Figure 1: Infection chain starting with the IQY file
Source: https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-new-challenge-using-internet-query-file/
The final payload is known as FlawedAmmyy, named after the Ammyy Admin remote administration software from which it is derived. FlawedAmmyy can take control of the infected computer using commands such as: File Manager, View Screen, Remote Control, Audio Chat, RDP SessionsService, Disable Desktop Composition, Disable Visual effects, Show Tooltip, or Activate Mouse Cursor Blinking.
The only indication that an IQY file might be malicious is the URL it contains, which makes detection at that stage difficult. However, Dynamic Data Exchange is an attack vector already known to Microsoft, so two separate warnings are shown to the user before the attack can proceed.
Sources: https://securityaffairs.co/wordpress/73916/malware/necurs-iqf-attachments.html https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-new-challenge-using-internet-query-file/ https://www.securityweek.com/necurs-campaign-uses-internet-query-file-attachments
Personal Data of 21 Million Compromised in Timehop Breach
The personal data of 21 million Timehop customers has been compromised after hackers were able to breach its backend server environment. Timehop functions by connecting to social media platforms to show users’ past memories. The breach was disclosed on Sunday, July 8th, with the statement that it occurred during the week of July 4th. Timehop stated in an update on July 11th that the breach included names, email addresses, dates of birth, gender, country codes, and some phone numbers, though no private/direct messages, financial data, social media, or photo content was stolen.
A technical assessment of the breach showed that the attackers used stolen admin credentials to gain access to the application’s cloud computing environment. From there they attacked Timehop’s production database and started transferring data. Because the database was not protected by multifactor authentication, the stolen credentials alone were enough for the hackers to get in.
Timehop was able to disable the access token keys for all accounts and stated that “none of your memories were accessed”. They also said that the additional data lost was not due to a secondary breach - coincidentally, this was the only data loss incident Timehop has suffered to date. In addition, Timehop reported that there is no evidence to indicate that the attackers were able to use any of the tokens to gain access to social media accounts.
Timehop has updated their statements about the token keys as well. The keys were deauthorized by Timehop acting in concert with social media partners by Sunday, 8 July. Timehop did not report the breach, which was discovered on 5 July 2018 to its users until after it was certain that the keys had been de-authorized and the social media partners had not observed any suspicious activity. Users will have to re-authenticate their token keys to the application in order to continue using it.
Timehop goes on to say that if users used their phone number for login, then Timehop would have the user’s phone number, which in turn would give attackers access to it as well. It is recommended that users take additional security precautions with their cellular provider to ensure that their number cannot be ported; in the case of AT&T, Verizon, or Sprint, they can simply add or change their PIN. T-Mobile users are recommended to call 611 from a T-Mobile device, or call 1-800-937-8997, to talk with a customer service representative who can assist with limiting the portability of the customer’s phone number.
Sources: https://threatpost.com/timehop-breach-impacts-personal-data-of-21-million-users/133765/ https://nakedsecurity.sophos.com/2018/07/09/your-social-media-memories-may-have-been-compromised/ https://techcrunch.com/2018/07/09/timehop-discloses-july-4-data-breach-affecting-21-million/
WordPress Vulnerability Finally Patched After 7 Months
The internet has become a staple of modern life. Having a website has become a necessity for most small businesses to connect with potential customers and provide information on the business and their offerings. However, one of the most common website development tools, WordPress, has a major vulnerability that could allow full control of a website by an attacker.
WordPress is a Content Management System (CMS) for hosting websites. It provides a framework for easy site creation and maintenance without having to code every aspect of the website. WordPress is one of the most popular CMS tools, alongside others such as Drupal and Joomla, and is used in approximately 30% of all websites.
Security researchers at RIPSTech, a security analysis solution provider for PHP, discovered an authenticated arbitrary file deletion vulnerability in WordPress that could allow attackers to execute arbitrary code on the host webserver or completely take down the site. As any responsible security researcher would do, RIPSTech reported the vulnerability to the WordPress security team in November 2017. However, when the WordPress team was unresponsive as to when the issue would be fixed, RIPSTech decided to release the vulnerability information to the public in late June 2018 (a month longer than the WordPress team’s estimated six months to fix).
The vulnerability stems from a lack of user input sanitization when deleting a thumbnail for an image that was uploaded to the site. The input can redirect the code to delete other files on the system, including important site-related files. For instance the .htaccess file, which can contain security restraints, can be deleted to decrease the site’s security, or the wp-config.php file can be removed which would cause the installation phase to be triggered the next time the site is loaded. This would allow the attacker to create their own administrator credentials providing complete control of the site. The index.php file can also be removed, allowing access to other files and directories on the server that were protected and the entire WordPress installation could be removed. This highlights the importance of maintaining frequent site backups, especially on a different system or network.
This vulnerability does require low-level access to the site, with author-level privileges at a minimum. That level allows uploading images to, and deleting images from, the site, and therefore the ability to exploit the vulnerability. WordPress released version 4.9.7 containing a patch for the vulnerability and users are strongly encouraged to update. Prior to this, RIPSTech released a temporary hotfix that checked that user input could not cause a path traversal, protecting security-relevant files.
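An added illustration, written in Python rather than WordPress’s PHP and not taken from WordPress or the RIPSTech hotfix, of the unsanitized path join behind this bug and the two checks a hardened version needs: keep only the file name (the hotfix’s basename approach) and confirm the resolved path still lies inside the uploads directory. The site layout and file names are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def delete_thumbnail_unsafe(uploads_dir: str, thumb: str) -> bool:
    # The flawed pattern: the stored 'thumb' value is joined to the uploads
    # directory with no check, so "../../wp-config.php" walks out of it.
    target = os.path.join(uploads_dir, thumb)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def safe_thumb_path(uploads_dir: str, thumb: str) -> Optional[Path]:
    # Hardened: two independent checks.
    # 1. Keep only the file name (what the hotfix did with basename()).
    name = os.path.basename(thumb)
    if name in ("", ".", ".."):
        return None
    # 2. Resolve the result (follows symlinks) and require it to remain
    #    inside the uploads directory.
    root = Path(uploads_dir).resolve()
    candidate = (root / name).resolve()
    if root not in candidate.parents:
        return None
    return candidate


def delete_thumbnail_safe(uploads_dir: str, thumb: str) -> bool:
    target = safe_thumb_path(uploads_dir, thumb)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    # Builds a throwaway site layout in a temp dir (constructed, not a real install).
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        uploads = site / "wp-content" / "uploads" / "2018" / "07"
        uploads.mkdir(parents=True)
        config = site / "wp-config.php"
        config.write_text("<?php // constructed config\n")
        thumb = uploads / "photo-150x150.jpg"
        thumb.write_bytes(b"constructed thumbnail")
        # Four "..": 07 -> 2018 -> uploads -> wp-content -> site root
        traversal = "../../../../wp-config.php"

        unsafe_hit = delete_thumbnail_unsafe(str(uploads), traversal)
        config_lost = not config.exists()
        config.write_text("<?php // restored for the second run\n")

        safe_refused = delete_thumbnail_safe(str(uploads), traversal) is False
        config_kept = config.exists()
        legit = delete_thumbnail_safe(str(uploads), "photo-150x150.jpg")
        return {
            "unsafe_deleted_config": unsafe_hit and config_lost,
            "safe_refused_traversal": safe_refused and config_kept,
            "safe_deleted_real_thumb": legit and not thumb.exists(),
        }


if __name__ == "__main__":
    print(demo())
```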
Sources: https://thehackernews.com/2018/06/wordpress-hacking.html https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ https://indivigital.com/news/wordpress-core-vulnerability-could-give-would-be-attackers-the-capability-to-delete-files/
RAMpage on Android
Rowhammer vulnerabilities are once again making mainstream news with the addition of CVE-2018-9942, dubbed RAMpage. This new variant of Rowhammer-based vulnerabilities allows attackers to compromise other applications and seize complete control over Android-based devices. What makes this vulnerability unique is how efficient the exploit process has become relative to preceding exploits.
The security community has been aware of Rowhammer-based bugs since 2012. Back then it was regarded as a largely theoretical hardware reliability issue with Dynamic Random Access Memory (DRAM) chips. To save on cost and increase system response time, manufacturers were allowing applications to access memory directly instead of going through the processor, which opened the door to possible vulnerabilities. At that point it was known that repeatedly and rapidly accessing rows of memory could induce bit flips in adjacent rows. This type of attack typically might crash an application or put the hardware device into an error condition. Since exploitation was so difficult and mostly theoretical, vendors and manufacturers did not appear to take the problem seriously. However, over the past few years security researchers have uncovered additional problems with Android-based devices and attackers have matured their exploitation techniques.
Using RAMpage exploits, an attacker can leverage a set of Direct Memory Access (DMA) based Rowhammer attacks to bypass system defenses, compromise other applications, and effectively gain root access on the latest Android OS. The RAMpage attack generally consists of three steps: exhausting the system heap, shrinking the cache pool, and then rooting the mobile device. By using traditional Rowhammer techniques an attacker can drain all of the internal memory pools of ION (Android’s memory manager). This allows an attacker to break out of their initially allocated application memory in order to reach other interesting memory regions. Then, by shrinking the cache pool using the Flip Feng Shui exploitation technique, attackers can trick the kernel into storing a page table within the vulnerable memory region. Finally, building on the first two steps, a root exploit placed in that vulnerable memory region lets an attacker compromise the Android device. The prerequisite for this attack is that the attacker controls an application on the device that can carry it out. The research paper is linked at the bottom for further details.
At this time it is unrealistic to fix the vulnerability in hardware as it would be expensive and would not address the devices currently in use. Interestingly, the researchers that initially discovered the issue also released a tool called GuardION - a software based mitigation solution against RAMpage attacks.
Sources https://threatpost.com/rowhammer-variant-rampage-targets-android-devicesall-over-again/133198/ https://vvdveen.com/publications/dimva2018.pdf