Monday, December 26, 2016

Cyber Updates - 26/12

Hey all,
Here are this week’s cyber updates:

(1) PHPMailer was found to be exposed to a critical remote code execution vulnerability (CVE-2016-10033).
While the security researcher has not yet published a working exploit (responsible disclosure), the diff between version 5.2.17 and 5.2.18 (the patched version) shows that the sender ("from") address was not validated before being handed to sendmail as a command-line argument (the -f option). An attacker who controls that address (for example through a contact form) can therefore inject additional sendmail arguments, and that is what leads to code execution on the server.

PHPMailer is used by several open-source projects, including: WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla. 

Clients are requested to update their PHPMailer version immediately. Note that the initial fix in 5.2.18 was itself bypassed shortly afterwards (CVE-2016-10045), so target 5.2.20 or later.
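To make the mechanism concrete, here is an added example in Python (not PHPMailer's code and not the researcher's PoC) that models the vulnerable pattern, where the sender is glued into a command line that a shell word-splits, next to a hardened one. The sendmail path, the strict sender regex and the attacker's file path are assumptions:

```python
# Added example (not PHPMailer's code): how an unvalidated sender address
# becomes extra sendmail arguments, and a hardened alternative.
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"   # assumed path


def sendmail_argv_vulnerable(sender):
    """Model of the vulnerable pattern: the sender is concatenated into a
    command line that a shell then word-splits.  Whitespace in `sender`
    therefore yields additional sendmail options (e.g. -X writes a log file
    wherever the attacker chooses).  shlex.split stands in for /bin/sh."""
    cmdline = "%s -t -i -f%s" % (SENDMAIL, sender)
    return shlex.split(cmdline)


def injected_options(sender):
    """Options the vulnerable pattern would hand to sendmail beyond the
    intended -t -i -f<sender>."""
    argv = sendmail_argv_vulnerable(sender)
    return [a for a in argv[1:]
            if a.startswith("-") and a not in ("-t", "-i")
            and not a.startswith("-f")]


# Deliberately conservative check (assumption: the application only ever
# needs plain local@domain senders, no quoted local parts).
_SAFE_SENDER = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_sender(sender):
    return _SAFE_SENDER.fullmatch(sender) is not None


def sendmail_argv_hardened(sender):
    """Hardened pattern: validate first, then build argv as a list so that
    no shell ever parses the value.  Refuse rather than silently send."""
    if not is_safe_sender(sender):
        raise ValueError("refusing unsafe sender address: %r" % sender)
    return [SENDMAIL, "-t", "-i", "-f" + sender]


if __name__ == "__main__":
    # Constructed attacker input; the web-root path is hypothetical.
    evil = "attacker@example.com -X/var/www/html/shell.php"
    print(sendmail_argv_vulnerable(evil))
    print(injected_options(evil))
    print(sendmail_argv_hardened("alice@example.com"))
    try:
        sendmail_argv_hardened(evil)
    except ValueError as exc:
        print(exc)
```

The strict regex is narrower than RFC 5321 on purpose: the public bypass relied on the fact that a quoted local-part containing spaces is a syntactically valid address, so a "looks like an email" check alone is not enough. Building argv as a list and never involving a shell is the robust half of the fix; the validation is defence in depth.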

(2) An SQL injection vulnerability exists in Panasonic Avionics' in-flight entertainment systems, allowing malicious users to tamper with the entertainment system on your flight. While illegal, you could try to exploit it the next time you fly with American Airlines, United, Virgin, Emirates, Etihad, Qatar, FinnAir, KLM, Iberia, Scandinavian, Air France, Singapore or Aerolineas Argentinas. Just in case you had any doubt, I am not telling you to hack these systems and I will definitely not bail you out if you choose to do so :)


(3) In "surprising" timing after this incident, Gogo, one of Panasonic Avionics' major competitors, has launched a bug bounty program, asking security researchers to find vulnerabilities in its products.
The company’s products are used by numerous airlines, such as: Aeroméxico, Aer Lingus, American Airlines, Air Canada, Alaska Airlines, Beijing Capital, British Airways, Delta Air Lines, GOL, Hainan Airlines, Iberia, Japan Airlines, JTA, United Airlines, Vietnam Airlines, Virgin America and Virgin Atlantic.

(4) This Xmas brought a surprising "gift" to UK Groupon users: many of them reported that their accounts had been hacked.
Groupon says there has not been any security breach of its own site or app, but acknowledges it has seen a series of cases where fraudsters managed to get into Groupon accounts using log-in and password information obtained from third-party websites (i.e. credential reuse). In other words, Groupon blames its customers and does not intend to do anything about it.


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Sunday, December 18, 2016

Cyber Updates - 17/12

Hey all,
Here are this week’s cyber updates:

(1) In previous emails I discussed how it is possible to gain unauthorized access to Linux systems by pressing the "Enter" key for 70 seconds (https://comsecglobal.com/UserContent/Files/Ashnav/Comsec%20MA%20-%20Dirty%20Cow%20-%20Unauthorized%20Access.pdf) as well as to Windows (by holding Shift + F10 during a Windows 10 upgrade).
This time it is macOS' turn: the FileVault password can be extracted by combining two weaknesses:
a.      The Mac does not protect itself against Direct Memory Access (DMA) attacks before macOS has started, i.e. during boot.
b.     The password to the FileVault-encrypted disk is kept in clear text in memory, even when the computer is asleep or locked. When the computer reboots, the password is left at multiple locations within a fixed memory range, making it readable by a DMA device.

The attack is conducted by connecting a DMA-capable device (the researcher used a Thunderbolt device) and rebooting the Mac. Once the Mac reboots, the DMA protections that macOS had enabled are dropped, while the memory contents, including the password, are still there in plain text. There is a window of a few seconds before the memory holding the password is overwritten with new content. Apple addressed this in macOS 10.12.2.



(2) This has not been macOS' week, as yet another vulnerability was discovered on the platform: a backdoor in Skype (yes, you read that right). The backdoor could allow any malicious third-party app to bypass the authentication procedure and gain nearly complete access to Skype on Mac OS X.
Accessing this backdoor is incredibly easy: all an attacker's app needs to do is identify itself to Skype's Desktop API with the client name "Skype Dashbd Wdgt Plugin", and the API grants access to Skype's sensitive features without showing the user an authorization prompt.
An attacker or any malicious program abusing this hidden backdoor could perform the following actions:
o   Read notifications of incoming messages (and their contents)
o   Intercept, read and modify messages
o   Log and record Skype call audio
o   Create chat sessions
o   Retrieve user contact information


(3) A bug was discovered in Facebook that allows an attacker to abuse CORS in order to read your Facebook messages.
Apparently, Facebook did not properly set the Access-Control-Allow-Origin header on its chat domain ({number}-edge-chat.facebook.com), thus allowing a malicious website to have your browser send a cross-origin request to Facebook (carrying your Facebook cookies) and read the response, which contains your chat messages.

Here’s a PoC video: https://youtu.be/F__Fzt7vOwE
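The decision the browser makes here is small enough to write down. The following is an added example in Python, not Facebook's code: it models the browser-side CORS read check and uses it to probe two constructed server behaviours, a misconfigured one that reflects any Origin with credentials allowed, and a corrected allowlisting one. The trusted origin and the probe origin are assumptions:

```python
# Added example (not Facebook's code): model of the browser-side CORS check
# and a probe for the misconfiguration that lets a third-party origin read
# authenticated responses.  The server behaviours are constructed stand-ins.

def browser_exposes_response(origin, headers, with_credentials):
    """True if script running at `origin` may read a cross-origin response
    that carried `headers` (header names lowercased).  This follows the
    Fetch standard's CORS check: Access-Control-Allow-Origin must be "*" or
    the exact requesting origin; when the request carried cookies, "*" is
    not accepted and Access-Control-Allow-Credentials must be "true"."""
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if with_credentials:
        acac = headers.get("access-control-allow-credentials", "").lower()
        return acao == origin and acac == "true"
    return acao == "*" or acao == origin


def classify_cors(untrusted_origin, respond):
    """`respond(origin)` returns the headers the server answers with for a
    request carrying that Origin.  Probe with an origin you do NOT trust."""
    headers = respond(untrusted_origin)
    if browser_exposes_response(untrusted_origin, headers, with_credentials=True):
        return "VULNERABLE: untrusted origin can read authenticated responses"
    if browser_exposes_response(untrusted_origin, headers, with_credentials=False):
        return "public: readable cross-origin, but without the user's cookies"
    return "ok: not readable cross-origin"


# Misconfigured server: reflects whatever Origin it receives and allows credentials.
def reflecting_server(origin):
    return {"access-control-allow-origin": origin,
            "access-control-allow-credentials": "true"}


# Corrected server: exact-match allowlist, credentials only for listed
# origins, and Vary: Origin so caches never serve one origin's answer to another.
TRUSTED_ORIGINS = {"https://www.example.com"}   # assumption


def allowlisting_server(origin):
    if origin in TRUSTED_ORIGINS:
        return {"access-control-allow-origin": origin,
                "access-control-allow-credentials": "true",
                "vary": "Origin"}
    return {"vary": "Origin"}


if __name__ == "__main__":
    for name, server in (("reflecting", reflecting_server),
                         ("allowlisting", allowlisting_server)):
        print(name, "->", classify_cors("https://attacker.invalid", server))
```

When testing a real endpoint, send the probe request with a cookie-bearing session and an Origin you control; reflection of that Origin together with Access-Control-Allow-Credentials: true is the condition that makes the response readable to the attacker's page.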

(4) It can't be a Cyber post without discussing Patch Tuesday. This month Microsoft patched several products. The most critical bulletin is MS16-144 (the cumulative update for Internet Explorer), which fixes flaws allowing remote code execution when the victim browses to a malicious page.
And as always, more patches for Flash: MS16-154.

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Thursday, December 8, 2016

Cyber Updates - 08/12

Hey all,
Today I'd like to introduce you to Stegano, a new exploit kit that was recently delivered through malicious ads (malvertising).

The exploit kit first uses a vulnerability in Internet Explorer (fixed in MS16-037) to check whether it is running on a malware analysis system. Based on server-side logic, the target is then served either a clean image or a malicious one: a script encoded in the image's alpha channel (the channel that defines the transparency of each pixel), so the banner looks identical to the clean one. The script then redirects the user to another URL which attempts to exploit one of three Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the victim's Flash version.

The attached image illustrates the attack.

What is interesting to note is that the exploit creators did not want it to be discovered. As such, the malware is not executed if one of the following processes/modules is running on the system:
                 vmtoolsd.exe
                 VBoxService.exe
                 prl_tools_service.exe
                 VBoxHook.dll
                 SBIEDLL.DLL
                 fiddler.exe (luckily for us, they also check if the tool is installed, so all of Comsec's consultants are in the clear)
                 charles.exe
                 wireshark.exe
                 proxifier.exe
                 procexp.exe
                 ollydbg.exe
                 windbg.exe

Here are all the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Thursday, December 1, 2016

Cyber Updates - 01/12

Hey all,
Here are this week’s cyber updates.

As you can see there are many updates and many vulnerabilities published this week, but trust me - it’s worth reading them all.

(1) Are you using a rooted Android device? If so, don't use the Tesla app if you own a Tesla car.
Security researchers managed to steal a Tesla car by hacking the owner's phone.
Tesla's app obtains an OAuth token when a Tesla owner logs into the Android app for the first time. The app then uses this token, without asking for the username and password again, every time the owner re-opens the app. The token is stored in plain text in the app's data folder on the device, which on an unrooted device can be read only by the app itself and the privileged root user.

By installing an app which roots the Android device (or installing the app on an already rooted device), the attackers can read the OAuth token from the Tesla app.

(2) If you are running an Android device, you might have been infected with the new "Gooligan" malware.
The malware comes bundled with legitimate-looking (or not so legitimate) apps downloaded from third-party app stores; it has already infected more than 1,000,000 devices. The malware roots the device (usually by exploiting CVE-2013-6282 or CVE-2014-3153) and steals email addresses and Google account authentication tokens, which means the owners' Google accounts are compromised.
The owners of Gooligan wanted to earn some extra cash, so they install adware on infected devices. Wanting to earn even more, they use the stolen tokens to install and rate apps from Google Play, at your expense!

Luckily for us, Check Point has built a tool that allows everyone to check whether their email address was compromised. Feel free to check your email at the following URL: https://gooligan.checkpoint.com/ (really, feel free to do so, otherwise the malware will cause you to pay much more :)).

(3) Two weeks ago I wrote about unauthorized access to a Linux machine by pressing the "Enter" key for 70 seconds (https://comsecglobal.com/UserContent/Files/Ashnav/Comsec%20MA%20-%20Dirty%20Cow%20-%20Unauthorized%20Access.pdf).

Apparently, Microsoft wanted to have its own go at weird keystroke combos. A BitLocker-bypass privilege escalation was discovered this week: by holding Shift + F10 during a Windows 10 in-place upgrade, an attacker with physical access gets a command prompt running with SYSTEM privileges, at a point where BitLocker is suspended and the system drive is therefore readable.
The Shift+F10 feature has existed in earlier versions of Windows as well, and could also be used to bypass BitLocker on Windows 7 and 8, but it became a real flaw only with Windows 10 in-place upgrades (feature updates), which run unattended on machines that already hold the user's data.

Most of us (myself included) leave the PC unattended while it installs Windows updates. During this time, anyone with local access to the machine can open a command prompt and execute commands with SYSTEM privileges, despite BitLocker's presence.

There is no fix for this vulnerability yet. Until there is, do not leave machines unattended during feature upgrades.

Check out this URL for more details and PoC video: http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html


(4) The notorious Mirai botnet was used once again, this time targeting a German ISP (Deutsche Telekom).
A remote code execution flaw in the routers was abused: the NewNTPServer1 parameter of a TR-064 SetNTPServers SOAP request is passed to a shell unsanitised, so the attackers used it to download and execute a file and infect the device. The vulnerable devices expose this service to the whole Internet on TCP port 7547 (the port ISPs use for TR-069 remote management).

The really bad news is that the exploit closes port 7547 to prevent other attackers from getting into the same machine. While a Shodan search from a couple of days ago showed over 41 million devices with port 7547 exposed, now we see fewer than 100,000 (meaning that either the ISP acted really fast by closing the port, or the hackers were fast on their hacking attempts; I'll let you guess who was faster :)).

More information about the payload can be found in the following URL: https://securelist.com/blog/incidents/76791/new-wave-of-mirai-attacking-home-routers/

Organizations are requested to check whether their routers were infected by searching their logs for DNS queries to the following domains:
(i)    timeserver.host
(ii)   securityupdates.us
(iii)  tr069.pw
(iv)   srrys.pw
(v)    l.ocalhost.host



(5) Do you think your privacy is protected if you're using Tor?
A JavaScript exploit for a memory corruption flaw in the Firefox browser (CVE-2016-9079, which also affects the Tor Browser) has been used in the wild. It allows the attacker to learn the user's true IP address, as well as to compromise the entire machine. Mozilla and the Tor Project have released fixed versions.

The JavaScript PoC can be found at the following URL:

Customers who use Tor to protect their privacy can check whether they've been compromised by looking for communication from their machine to the attacker's C&C server (5.39.27.226:80).
This exploit is very similar to the 2013 Tor exploit used by the FBI.
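Items (4) and (5) above both come down to searching logs for indicators, so here is one added example in Python (not from the original post) that does both: it scans DNS query logs for the five Mirai domains, matching exact names and subdomains but not mere substrings, and scans connection logs for the Tor-exploit C&C address. The log formats (a BIND-style query log and a key=value firewall log) and all sample lines are constructed assumptions; adapt the two regexes to your own sources:

```python
# Added example (not from the original post): IOC matching over DNS query
# logs (Mirai domains, item 4) and connection logs (Tor exploit C&C, item 5).
import re
from typing import Iterable, List, Optional, Tuple

# IOCs taken from the two items above.
MIRAI_DOMAINS = {"timeserver.host", "securityupdates.us", "tr069.pw",
                 "srrys.pw", "l.ocalhost.host"}
TOR_EXPLOIT_C2_IP, TOR_EXPLOIT_C2_PORT = "5.39.27.226", 80

# Assumed log formats: BIND-style "query: <name> IN <type>" and "dst=ip:port".
_QNAME = re.compile(r"query:\s+(\S+)\s+IN\s+", re.IGNORECASE)
_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def matching_ioc_domain(qname: str) -> Optional[str]:
    """Exact or subdomain match, so update.tr069.pw hits tr069.pw while a
    plain substring such as nottimeserver.host does not."""
    name = qname.rstrip(".").lower()
    for ioc in MIRAI_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """(line number, queried name, matched IOC) for every suspicious query."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _QNAME.search(line)
        if m:
            ioc = matching_ioc_domain(m.group(1))
            if ioc:
                hits.append((n, m.group(1), ioc))
    return hits


def scan_conn_log(lines: Iterable[str]) -> List[Tuple[int, str, int]]:
    """(line number, dst ip, dst port) for connections to the C&C host.
    Any port is reported: the IOC port is 80, but report other ports too
    and let the analyst decide."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _DST.search(line)
        if m and m.group(1) == TOR_EXPLOIT_C2_IP:
            hits.append((n, m.group(1), int(m.group(2))))
    return hits


# Constructed sample logs (not real captures).
SAMPLE_DNS_LOG = [
    "01-Dec-2016 10:12:33.101 client 192.168.1.20#51234: query: www.example.com IN A + (192.168.1.1)",
    "01-Dec-2016 10:12:34.220 client 192.168.1.20#51235: query: timeserver.host IN A + (192.168.1.1)",
    "01-Dec-2016 10:12:35.300 client 192.168.1.44#40012: query: update.tr069.pw. IN A + (192.168.1.1)",
    "01-Dec-2016 10:12:36.410 client 192.168.1.44#40013: query: nottimeserver.host IN A + (192.168.1.1)",
]
SAMPLE_CONN_LOG = [
    "2016-12-01T10:15:02Z action=allow proto=tcp src=10.0.0.5:49152 dst=93.184.216.34:443",
    "2016-12-01T10:15:07Z action=allow proto=tcp src=10.0.0.5:49153 dst=5.39.27.226:80",
    "2016-12-01T10:15:09Z action=allow proto=tcp src=10.0.0.9:49200 dst=5.39.27.225:80",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS  IOC:", hit)
    for hit in scan_conn_log(SAMPLE_CONN_LOG):
        print("CONN IOC:", hit)
```

The subdomain rule matters in both directions: the Mirai variant may resolve names under the listed domains, while a naive substring search would also flag unrelated names that merely contain one of them.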

(6) San Francisco commuters have ridden Muni, the city's transit system, for free in the last couple of days. No, the mayor didn't decide to let you ride free of charge; the operator had to open the gates because its ticketing and payment systems were infected by ransomware.
The city was asked to pay a ransom of $73,000 (100 Bitcoin) to the hacker, but instead decided to restore from recent backups (after receiving advice from the FBI).

BTW, someone managed to hack the hacker's mailbox (by guessing the answer to the secret question) and provided a history of their ransoms: since August the hacker has extorted at least $140,000 in Bitcoin from victim organizations. The hacker targeted servers vulnerable to a Java deserialization exploit.

(7) Google Chrome had a (low risk) bug that Microsoft wouldn't patch for 2 years. This may help you during the reconnaissance phase of an infrastructure penetration test.


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Thursday, November 10, 2016

Dirty Cow

Hey all,
Two years ago I'm sure you all heard about ShellShock, a remotely exploitable code execution vulnerability in bash that had existed for about 25 years before it was discovered.

Three weeks ago a new vulnerability, known as Dirty Cow (or CVE-2016-5195 if you insist), was disclosed.
It allows local privilege escalation on almost all Linux distributions and kernels, as the vulnerable code has existed since 2007 (from kernel version 2.6.22, and even 2.6.18 for some distributions).

While this is "only" a privilege escalation vulnerability, there are already reports of attackers gaining limited (unprivileged) access to servers and using it to escalate to root.
In fact, the vulnerability became public because a security researcher observed the exploit being used in captured network traffic (a pcap file).

Organizations are kindly requested to upgrade their kernel. Note that the kernel version number alone is not a reliable indicator, since distributions backport the fix; check your distribution's advisory for CVE-2016-5195.

BTW,
This exploit can also be used to root your Android device (https://github.com/timwr/CVE-2016-5195)

Stay tuned for more updates.
Dan Gurfinkel
Head of Offensive Security & Response Unit

Wednesday, November 9, 2016

New DDoS Attack in Finland

Hey all,
I'm sure most of you are aware of the danger of a DDoS attack.
Having your systems unavailable to your customers can cause financial and reputational damage to your organization.
A DDoS attack can even target an entire country, as we are seeing nowadays with a Mirai botnet targeting the entire internet infrastructure of Liberia.

But when it comes to DDoS, nobody said anything about damage to human lives. Until now.
Last week a DDoS attack in Finland targeted the building automation systems that control heating in the city of Lappeenranta. As a result, the heating systems were not working for more than a week.

The attack itself was short, but it caused the heating controllers to enter an endless restart loop, preventing the residents of two blocks in the town from heating their apartments.
Luckily, it's "only" -6 degrees now in Lappeenranta, so no one lost their life, but think of the damage had the attack been launched in January or February.

Here are all the details:

BTW,
The hot water system was not functioning for a week either. Now think about taking a shower at -6 degrees the next time your boiler breaks.

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Wednesday, October 26, 2016

DynDNS DDoS Attack Details

As most of you know, last Friday there was a massive DDoS attack on Dyn (DynDNS).
The attack prevented the DNS service from responding to queries for websites that use Dyn as their DNS provider. This caused many websites to become unavailable, including, but not limited to, Twitter, Reddit, Amazon, Netflix, Spotify and many more.

Here are some interesting facts about the attack:
-        The attack was conducted in 3 waves:
o   1st wave (7AM-9AM EST) caused the service to be unavailable for 2 hours.
o   2nd wave (12PM-1PM EST) caused the service to be unavailable for yet another hour.
o   3rd wave: unsuccessful.
-        At least part of the attack was carried out by the notorious Mirai malware.
o   This malware attempts to connect to IoT devices using known (default) credentials.
o   All in all, more than 60 different credentials are tested. A partial list can be found here:
o   The same malware was used in last month's DDoS against the French hosting provider OVH, which reached a record high of 1 Tbps in a volumetric attack.
-        Tens of millions(!) of discrete IP addresses were spotted during the attack.
-        Xiongmai, a Chinese company that makes IoT devices (DVRs, cameras, routers), produced millions of vulnerable devices:
o   They used the same default user name (root) and password (xc3511) for all their devices.
o   Even if users change the default user name and password, the devices also expose other protocols (Telnet and SSH) with these same credentials hardcoded in the firmware(!).
That means there is no patch / solution for that problem on old devices.
o   Xiongmai fixed the Telnet/SSH problem in September 2015, but millions of vulnerable devices are still in use world-wide.
o   The company has issued a recall for affected devices; however, it is still likely that we will see these devices in DDoS attacks in the near future.


Stay tuned for more updates,
Dan Gurfinkel

Head of Offensive Security & Response Unit

Monday, August 22, 2016

PCI Security in the Cloud: have you considered everything?


With its scalability, speed of deployment and cost effectiveness, it's easy to see why cloud computing has become one of today's most enticing technologies.

Yet, despite the trumpeted business and technical advantages of cloud computing, there appear to be significant concerns over certain aspects of it, including reduced control and governance, regulatory requirements, and excessive standardisation.
However, the biggest area of concern remains security. Will corporate and customer data be safe? What about data protection and legal compliance requirements? What are the corporate risks involved in entrusting a single entity with the data of an entire organisation?
Cloud advocates will argue that customers stand to benefit from multiple points of replication and defence and from sophisticated technologies that individual companies could not afford; others insist that cloud computing is a "security nightmare".
Whilst this view may be a little extreme, cloud computing is already having a major impact on the way we think about PCI compliance and react to a variety of information security issues.

Compliance status assumptions. 

When it comes to cloud security, we tend to ignore several important aspects.

When selecting a cloud service provider and prior to migration, you must ensure that the cloud service provider is PCI DSS compliant and certified.

»       Ask the cloud service provider to provide a valid Attestation of Compliance (AOC).
»       Review the cloud service provider’s AOC to ensure it specifies the exact PCI requirements that the cloud service provider has been assessed against. 


One of the most common wrong assumptions is that the cloud service provider will manage security features and instances on your behalf. For example, many customers assume that the cloud service provider is responsible for security updates of the operating system, which often results in an improper update procedure and places the customer's environment at risk. Other examples of aspects frequently not covered by cloud service providers include:

»       Operating system security updates
»       Host-based anti-malware solutions
»       Central logging solution
»       Ongoing internal vulnerability assessments
»       Intrusion detection/prevention mechanisms

Establishing and adhering to a shared responsibility matrix will help ensure a secure posture and prevent potential liabilities in the event of an incident. It will also place both parties in the best position to meet PCI DSS requirements 12.8 and 12.9.

Many companies also tend not to have the required policies in place for the cloud, including an access control policy, network access list management, and audit log review. It is important to ensure that there are standards and policies covering not only the system components but the entire cloud ecosystem. Examples of policies and procedures frequently ignored in a cloud environment include:

»       Access control policy
»       Access control procedures including multi factor authentication
»       Network segregation policies, including the management of the access lists within the environment
»       Audit logs review which includes the cloud service provider’s internal audit logs

It’s important to ensure you have documented policies and procedures for your cloud environment, which are regularly updated and reviewed per the PCI DSS requirements.

Migration to the cloud can be a very efficient way to reduce the IT management costs and management overhead, the PCI scope of assessment and the compliance maintenance burden.

Need help with addressing your cloud environment security challenges? 


For an initial discussion on how Comsec Consulting UK can help please call Lee Porter or Nadav Shatz on 0203-463-8727.

Wednesday, February 24, 2016

There will not be a PCI DSS v4.0 (in the near future)

Hi PCI QSA Tribe,

In a recent article, the PCI SSC announced the upcoming release of PCI DSS v3.2 and its intention to drop the three-year cycle for major new versions, keeping only "minor" updates to the standard that focus on specific areas, as PCI DSS is already a mature standard and no longer requires big modifications.

Therefore there will not be a PCI DSS v4.0 in 2016, and most probably not for some time beyond 2016. The only update will be v3.2, which is expected somewhere around March-April (we're working on that with the SSC).