Archive for the ‘vulnerabilities’ Category

Whitehats use DoS attack to score key victory against ransomware crooks

July 10th, 2019
A diagram showing how a DoS shut down an ongoing ransomware campaign.

Enlarge / A diagram showing how a DoS shut down an ongoing ransomware campaign. (credit: Intezer)

Whitehats used a novel denial-of-service hack to score a key victory against ransomware criminals. Unfortunately, the blackhats have struck back by updating their infrastructure, leaving the fight with no clear winner.

Researchers at security firm Intezer performed the DoS technique against ransomware dubbed QNAPCrypt, a largely undetected strain that, as its name suggests, infects network storage devices made by Taiwan-based QNAP Systems and possibly other manufacturers. The hack spread by exploiting secure shell, (or SSH) connections that used weak passwords. The researchers’ analysis found that each victim received a unique bitcoin wallet for sending ransoms, a measure that was most likely intended to prevent the attackers from being traced. The analysis also showed that QNAPCrypt only encrypted devices after they received the wallet address and a public RSA key from the command-and-control server.

Intezer researchers soon noticed two key weaknesses in that process:

Read 4 remaining paragraphs | Comments

Posted in Biz & IT, exploits, NAS, network attached storage, ransomware, vulnerabilities | Comments (0)

D-Link agrees to new security monitoring to settle FTC charges

July 3rd, 2019
D-Link agrees to new security monitoring to settle FTC charges

Enlarge (credit: Penn State / Flickr)

Router and webcam maker D-Link has agreed to implement a new security program to settle charges it failed to safeguard its hardware against well-known and preventable hacks and misrepresented its existing security regimen.

Tuesday’s agreement settles a 2017 complaint by the US Federal Trade Commission that alleged D-Link left thousands of customers open to potentially costly hack attacks. The hardware maker, the FTC said, failed to test its gear against security flaws ranked among the most critical and widespread by the Open Web Application Security Project. The 2017 suit also said that, despite the lack of testing and hardening of its products, D-Link misrepresented its security regimen as reasonable.

Specific shortcomings cited by the FTC included:

Read 6 remaining paragraphs | Comments

Posted in Biz & IT, d-link, Federal Trade Commission, FTC, routers, vulnerabilities, webcams | Comments (0)

In-the-wild Mac malware kept busy in June—here’s a rundown

June 29th, 2019
In-the-wild Mac malware kept busy in June—here’s a rundown

June was a busy month for Mac malware with the active circulation of at least six threats, several of which were able to bypass security protections Apple has built into modern versions of its macOS.

The latest discovery was published Friday by Mac antivirus provider Intego, which disclosed malware dubbed OSX/CrescentCore that's available through Google search results and other mainstream channels. It masquerades as an updater or installer for Adobe’s Flash media player, but it's in fact just a persistent means for its operators to install malicious Safari extensions, rogue disk cleaners, and potentially other unwanted software.

“The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites,” Intego’s Joshua Long wrote of two separate versions of the malware his company has found. “Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.”

Read 7 remaining paragraphs | Comments

Posted in apple, Biz & IT, exploits, MacOS, Macs, malware, social engineering, vulnerabilities | Comments (0)

New ransomware infections are the worst drive-by attacks in recent memory

June 27th, 2019
Screenshot of ransomware.

Enlarge (credit: Malwarebytes)

An ongoing operation that’s installing ransomware and other malware on the computers of unsuspecting website visitors is one of the most potent drive-by attack campaigns researchers have seen in recent memory.

The attacks install three pieces of malware using an exploit kit called GreenFlash Sundown, which researchers identified in 2015 and have continued to follow since. Attacks in recent weeks have spiked again as ShadowGate—one of the names given to the hacker group behind the campaign—has unleashed a highly revamped version of the exploit kit on hacked ad servers run by Web publishers. The most notable compromise is of an ad server belonging to onlinevideoconverter[.]com, a site with more than 200 million visitors per month that converts YouTube videos into video files that can be stored on a computer hard drive.

“They are ongoing and with a scale we haven’t seen in a couple of years when it comes to exploit kit-related attacks,” Jérôme Segura, a Malwarebytes researcher tracking the campaign, said of the attacks on onlinevideoconverter[.]com visitors. “We literally noticed a huge spike in our telemetry starting a few days ago, which is very unusual. Given what we see in our telemetry, this is the most successful drive-by campaign we have seen in quite a while, so we can infer many people were affected by it.”

Read 12 remaining paragraphs | Comments

Posted in Biz & IT, drive-by attacks, exploits, ransomware, vulnerabilities | Comments (0)

Potent Firefox 0-day used to install undetected backdoors on Macs

June 20th, 2019
The fox animoji.

Enlarge / The fox animoji. (credit: Samuel Axon)

Hackers exploited a pair of potent zero-day vulnerabilities in Firefox to infect Mac users with a largely undetected backdoor, according to accounts pieced together from multiple people.

Mozilla released an update on Tuesday that fixed a code-execution vulnerability in a JavaScript programming method known as Array.pop. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of a security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of a computer operating system. Interestingly, a researcher at Google's Project Zero had privately reported the code-execution flaw to Mozilla in mid April.

On Monday, as Mozilla was readying a fix for the array.pop flaw, unknown hackers deployed an attack that combined working exploits for both vulnerabilities. The hackers then used the attack against employees of Coinbase, according to Philip Martin, chief information security officer for the digital currency exchange.

Read 12 remaining paragraphs | Comments

Posted in Biz & IT, exploits, Firefox, vulnerabilities, zeroday | Comments (0)

Oracle issues emergency update to patch actively exploited WebLogic flaw

June 19th, 2019
Security team KnownSec404 proof-of-concept image, showing an instance of Windows Calculator being run on the remote WebLogic server.

Enlarge / Security team KnownSec404 proof-of-concept image, showing an instance of Windows Calculator being run on the remote WebLogic server. (credit: KnownSec 404)

Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild.

The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default—wls9_async_response and wls-wsat.war.

The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.

Read 3 remaining paragraphs | Comments

Posted in Biz & IT, exploits, oracle, vulnerabilities, WebLogic | Comments (0)

If you haven’t patched Vim or NeoVim text editors, you really, really should

June 13th, 2019
If you haven’t patched Vim or NeoVim text editors, you really, really should

Enlarge (credit: unknown)

A recently patched vulnerability in text editors preinstalled in a variety of Linux distributions allows hackers to take control of computers when users open a malicious text file. The latest version of Apple’s macOS is continuing to use a vulnerable version, although attacks only work when users have changed a default setting that enables a feature called modelines.

Vim and its forked derivative, NeoVim, contained a flaw that resided in modelines. This feature lets users specify window dimensions and other custom options near the start or end of a text file. While modelines restricts the commands available and runs them inside a sandbox that’s cordoned off from the operating system, researcher Armin Razmjou noticed the source! command (including the bang on the end) bypassed that protection.

“It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left,” the researcher wrote in a post earlier this month.

Read 5 remaining paragraphs | Comments

Posted in Biz & IT, exploits, linux, MacOS, neovim, text editors, vim, vulnerabilities | Comments (0)

Warnings of world-wide worm attacks are the real deal, new exploit shows

June 5th, 2019
Warnings of world-wide worm attacks are the real deal, new exploit shows

(credit: flattop341)

For the past three weeks, security professionals have warned with increasing urgency that a recently patched Windows vulnerability has the potential to trigger attacks not seen since the WannaCry worm that paralyzed much of the world in 2017. A demonstration video circulating on the Internet is the latest evidence to prove those warnings are the real deal.

It was posted Tuesday by Sean Dillon, a senior security researcher and RiskSense. A play-by-play helps to underscore the significance of the feat.

The video shows a module Dillon wrote for the Metasploit exploit framework remotely connecting to a Windows Server 2008 R2 computer that has yet to install a patch Microsoft released in mid May. At about 14 seconds, a Metasploit payload called Meterpreter uses the getuid command to prove that the connection has highly privileged System privileges. In the remaining six seconds, the hacker uses the open source Mimikatz application to obtain the cryptographic hashes of passwords belonging to other computers on the same network the hacked machine is connected to.

Read 9 remaining paragraphs | Comments

Posted in Biz & IT, bluekeep, exploits, microsoft, vulnerabilities, Windows | Comments (0)

Microsoft practically begs Windows users to fix wormable BlueKeep flaw

May 31st, 2019
Microsoft practically begs Windows users to fix wormable BlueKeep flaw

Enlarge (credit: Aurich Lawson)

Microsoft security officials say they are confident an exploit exists for BlueKeep, the recently patched vulnerability that has the potential to trigger self-replicating attacks as destructive as the 2017 WannaCry attack that shut down computers all over the world.

In a Blog post published late Thursday night, members of the Microsoft Security Response Center cited findings published Tuesday by Errata Security CEO Rob Graham that almost 1 million Internet-connected computers remain vulnerable to the attacks. That indicates those machines have yet to install an update Microsoft issued two weeks ago patching against the so-called BlueKeep vulnerability, which is formally tracked as CVE-2019-0708. The exploits can reliably execute malicious code with no interaction on the part of an end user. The severity prompted Microsoft to take the unusual step of issuing patches for Windows 2003, XP, and Vista, which haven’t been supported in four, five, and two years, respectively.

Thursday’s post warned, once again, that the inaction could trigger another worm of the magnitude of WannaCry, which caused hospitals to turn away patients and paralyzed banks, shipping docks, and transportation hubs around the world. In Thursday’s post MSRC officials wrote:

Read 4 remaining paragraphs | Comments

Posted in Biz & IT, exploits, microsoft, vulnerabilities, Windows, Worms | Comments (0)

Why a Windows flaw patched nine days ago is still spooking the Internet

May 23rd, 2019
Artist's impression of a malicious hacker coding up a BlueKeep-based exploit.

Enlarge / Artist's impression of a malicious hacker coding up a BlueKeep-based exploit. (credit: Getty Images / Bill Hinton)

It has been nine days since Microsoft patched the high-severity vulnerability known as BlueKeep, and yet the dire advisories about its potential to sow worldwide disruptions keep coming.

Until recently, there was little independent corroboration that exploits could spread virally from computer to computer in a way not seen since the WannaCry and NotPetya worms shut down computers worldwide in 2017. Some researchers felt Microsoft has been unusually tight-lipped with partners about this vulnerability, possibly out of concern that any details, despite everyone’s best efforts, might hasten the spread of working exploit code.

Until recently, researchers had to take Microsoft's word the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.

Read 16 remaining paragraphs | Comments

Posted in Biz & IT, exploits, microsoft, vulnerabilities, Windows | Comments (0)