Hey all,
Here are this week’s cyber updates.
As you can see, there are many updates and many vulnerabilities published this week, but trust me - it's worth reading them all.
(1) Are you using a rooted Android device? If so, don't use the Tesla app if you own a Tesla car.
Security researchers managed to steal a Tesla car
by hacking the owner’s phone.
Tesla's app generates an OAuth token when a Tesla owner logs into the Android app for the first time. The app then uses this token, without requiring the username and password combination, every time the owner re-opens the app. This OAuth token is stored in plain text within the device's system folder, which can be accessed only by the privileged root user.
By installing an app which roots the Android device (or installing the app on an already rooted device), the attackers can read the OAuth token from the Tesla app.
(2) If you are running an Android device, you might have been infected with the new "Gooligan" malware.
The malware is installed as part of legitimate (or not so legitimate) apps downloaded from Google Play. It is already installed on more than 1,000,000 devices; the malware roots the device (usually by exploiting CVE-2013-6282 or CVE-2014-3153) and steals email addresses and access tokens. This means that the owners' Google accounts were hacked.
The owners of Gooligan wanted to earn some extra cash, so they installed adware on infected devices. However, they wanted to gain more money, so they started buying their apps on Google Play – at your expense!
Luckily for us, CheckPoint has built a tool that allows everyone to check if their email address was compromised. Feel free to check if your email is affected at the following URL: https://gooligan.checkpoint.com/
(really, feel free to do so, otherwise the malware will cause you to pay much more :)).
(3) Two weeks ago I wrote about unauthorized access to a Linux machine by pressing the "Enter" key for 70 seconds (https://comsecglobal.com/UserContent/Files/Ashnav/Comsec%20MA%20-%20Dirty%20Cow%20-%20Unauthorized%20Access.pdf).
Apparently, Microsoft wanted to have their go at weird keystroke combos. A BitLocker-bypass privilege escalation exploit was discovered this week: by holding Shift + F10 during the Windows 10 update procedure, an attacker can gain SYSTEM privileges on the workstation.
The SHIFT+F10 feature has existed in earlier versions of Windows as well, and could also be used to bypass BitLocker on Windows 7 and 8, but the feature has become a real flaw only with Windows 10 in-place upgrades.
Most of us (myself included) leave the PC unattended while installing Windows updates. During this time, anyone with local access to the machine can execute malicious commands with SYSTEM privileges, despite BitLocker's presence.
There is no fix for this vulnerability (yet), making it a 1-day vulnerability.
Check out this URL for more details and PoC video: http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html
(4) The notorious Mirai botnet was used once again, and this time it targeted a German ISP (Deutsche Telekom).
This time, a remote code execution flaw was discovered in the router. In particular, the NewNTPServer part of a SOAP request was used to download and execute a file in order to infect the vulnerable devices, which, by default, expose the service to everyone by listening on port 7547 (used by ISPs to manage routers).
The really bad news is that the exploit closes port 7547 to prevent other attackers from hacking into the same machine. While a Shodan search from a couple of days ago presented over 41 million vulnerable devices, now we can see less than 100,000 (meaning that either the ISP acted really fast by closing the port, or that the hackers were fast in their hacking attempts; I'll let you guess who's faster :)).
More information about the payload can be found in the following URL: https://securelist.com/blog/incidents/76791/new-wave-of-mirai-attacking-home-routers/
Organizations are requested to check if their routers were infected by checking their logs for DNS queries to the following domains:
(i) timeserver.host
(ii) securityupdates.us
(iii) tr069.pw
(iv) srrys.pw
(v) l.ocalhost.host
(5) Do you think your privacy is protected if you're using Tor?
A JavaScript 1-day exploit is currently being used against a memory corruption flaw in the Firefox web browser. This allows the attacker to determine the true IP address of the user, as well as to compromise the entire machine.
PoC JavaScript code can be found at the following URL:
Customers who use Tor to protect their privacy can check if they've been compromised by checking if their machine has communicated with the attacker's C&C server (5.39.27.226:80).
This exploit is very similar to the 2013 Tor exploit used by the FBI.
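As an added example (my own illustration, not code from the newsletter or from any vendor it cites), here is a small Python script that runs the two log checks suggested in items 4 and 5 over constructed sample lines: DNS queries to the Mirai domains listed above, and connections to the Tor-exploit C&C address. The log formats and regexes are assumptions; adapt them to your own DNS and firewall logs.

```python
import re

# Indicators quoted in the newsletter above (items 4 and 5).
MIRAI_DNS_DOMAINS = {
    "timeserver.host", "securityupdates.us", "tr069.pw", "srrys.pw", "l.ocalhost.host",
}
TOR_EXPLOIT_C2 = ("5.39.27.226", 80)

# Constructed sample lines in hypothetical formats (a BIND-style query log and a
# generic firewall log); real deployments need regexes matching their own logs.
SAMPLE_DNS_LOG = """\
30-Nov-2016 10:01:12.001 client 192.168.1.23#5353: query: pool.ntp.org IN A +
30-Nov-2016 10:01:15.113 client 192.168.1.1#42117: query: timeserver.host IN A +
30-Nov-2016 10:02:03.250 client 192.168.1.1#42118: query: dl.srrys.pw IN A +
30-Nov-2016 10:02:40.000 client 192.168.1.40#5353: query: localhost.host IN A +
"""
SAMPLE_CONN_LOG = """\
2016-11-30T10:05:00Z fw ALLOW src=192.168.1.40 dst=93.184.216.34 dport=443
2016-11-30T10:05:07Z fw ALLOW src=192.168.1.40 dst=5.39.27.226 dport=80
2016-11-30T10:05:09Z fw ALLOW src=192.168.1.41 dst=5.39.27.226 dport=8080
"""

DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
CONN_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def domain_matches(qname, domains):
    """True for an indicator domain itself or any subdomain of it (never a bare substring match)."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)

def find_mirai_dns_hits(log_text, domains=MIRAI_DNS_DOMAINS):
    """Return (client_ip, queried_name) for every query to an indicator domain."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("qname"), domains):
            hits.append((m.group("src"), m.group("qname")))
    return hits

def find_c2_connections(log_text, c2=TOR_EXPLOIT_C2):
    """Return client IPs that connected to the C&C address on its port."""
    ip, port = c2
    return [m.group("src") for m in CONN_RE.finditer(log_text)
            if m.group("dst") == ip and int(m.group("dport")) == port]

if __name__ == "__main__":
    print("Mirai DNS hits:", find_mirai_dns_hits(SAMPLE_DNS_LOG))
    print("Tor-exploit C&C contacts:", find_c2_connections(SAMPLE_CONN_LOG))
```

Note that the look-alike query for localhost.host is deliberately not flagged, while the subdomain dl.srrys.pw is.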
(6) San Francisco commuters have used the metro for free in the last couple of days. No, the mayor didn't want you to ride free of charge, but had to allow everyone to ride for free as their payment systems were infected by ransomware.
The city was asked to pay a ransom of $73,000 to the hacker, but instead decided to roll back to a recent backup (on advice from the FBI).
BTW, someone managed to hack the hacker's mailbox (by guessing the answer to the secret question) and provided a history of their ransoms: since August the hacker extorted at least $140,000 in Bitcoin from victim organizations. The hacker has targeted websites vulnerable to the Java deserialization exploit.
(7) Google Chrome had a (low risk) bug that Microsoft wouldn't patch for 2 years. This may help you in the reconnaissance phase of an infrastructure pentest.
https://threatpost.com/microsoft-silently-fixes-kernel-bug-that-led-to-chrome-sandbox-bypass/122179/
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit