Thursday, December 1, 2016

Cyber Updates - 01/12

Hey all,
Here are this week’s cyber updates.

As you can see, there are many updates and many vulnerabilities published this week, but trust me - it's worth reading them all.

(1) Are you using a rooted Android device? If so, don't use the Tesla app if you own a Tesla car.
Security researchers managed to steal a Tesla car by hacking the owner's phone.
Tesla's app generates an OAuth token when a Tesla owner logs into the Android app for the first time. The app then uses this token, without requiring the username and password combination, every time the owner re-opens the app. The OAuth token is stored in plain text within the device's system folder, which can be accessed by the privileged root user only.

By installing an app which roots the Android device (or installing the app on an already rooted device), the attackers can read the OAuth token from the Tesla app.

(2) If you are running an Android device, you might have been infected with the new "Gooligan" malware.
The malware is installed as part of legitimate (or not so legitimate) apps downloaded from Google Play. It is already installed on more than 1,000,000 devices; the malware roots the device (usually by exploiting CVE-2013-6282 or CVE-2014-3153) and steals email addresses and access tokens. This means that the owners' Google accounts were hacked.
The owners of Gooligan wanted to earn some extra cash, so they install adware on infected devices. But they wanted even more money, so they started buying their own apps on Google Play - at your expense!

Luckily for us, Check Point has built a tool that allows everyone to check if their email address was compromised. Feel free to check whether your email address is affected at the following URL: https://gooligan.checkpoint.com/ (really, feel free to do so; otherwise the malware will make you pay much more :)).

(3) Two weeks ago I wrote about gaining unauthorized access to a Linux machine by holding down the "Enter" key for 70 seconds (https://comsecglobal.com/UserContent/Files/Ashnav/Comsec%20MA%20-%20Dirty%20Cow%20-%20Unauthorized%20Access.pdf).

Apparently, Microsoft wanted their turn at weird keystroke combinations. A BitLocker-bypass privilege escalation exploit was discovered this week: by holding Shift + F10 during the Windows 10 update procedure, an attacker can gain SYSTEM privileges on the workstation.
The Shift+F10 feature has existed in earlier versions of Windows as well, and could also be used to bypass BitLocker on Windows 7 and 8, but the feature became a real flaw only with Windows 10 in-place upgrades.

Most of us (myself included) leave the PC unattended while installing Windows updates. During this time, anyone with local access to the machine can open a command prompt and execute malicious commands with SYSTEM privileges, despite BitLocker being enabled.

There is no fix for this vulnerability (yet), making it a 1-day vulnerability.

Check out this URL for more details and a PoC video: http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html


(4) The notorious Mirai botnet was used once again, and this time it targeted a German ISP (Deutsche Telekom).
This time, a remote code execution flaw in the routers was exploited. In particular, the NewNTPServer part of a SOAP request was used to download and execute a file in order to infect the vulnerable devices, which by default expose the service to everyone by listening on port 7547 (used by the ISP to manage routers).

The really bad news is that the exploit closes port 7547 to prevent other attackers from hacking the same machine. While a Shodan search from a couple of days ago showed over 41 million vulnerable devices, now we see fewer than 100,000 (meaning either that the ISP acted really fast by closing the port, or that the hackers were fast in their hacking attempts; I'll let you guess who's faster :)).

More information about the payload can be found at the following URL: https://securelist.com/blog/incidents/76791/new-wave-of-mirai-attacking-home-routers/

Organizations are asked to check whether their routers were infected by searching their logs for DNS queries to the following domains:
(i) timeserver.host
(ii) securityupdates.us
(iii) tr069.pw
(iv) srrys.pw
(v) l.ocalhost.host

(5) Do you think your privacy is protected if you're using Tor?
A JavaScript 1-day exploit for a memory corruption flaw in the Firefox web browser is currently being used in the wild. It allows the attacker to determine the true IP address of the user, as well as to compromise the entire machine.

PoC code of the JavaScript exploit can be found in the following URL:

Customers who use Tor to protect their privacy can check if they've been compromised by checking whether their machine has communicated with the attacker's C&C server (5.39.27.226:80).
This exploit is very similar to the 2013 Tor exploit used by the FBI.
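As an added example (my own code, not from the newsletter or from any of the vendors mentioned), here is a small Python IoC sweep that serves both item (4) and item (5): it flags DNS queries for the five Mirai domains listed above (matching subdomains too, but not look-alike names that merely contain the string) and connections to the Tor-exploit C&C endpoint 5.39.27.226:80. The BIND-style DNS log format, the key=value firewall log format and every sample log line are constructed for this example and are assumptions; adapt the two regular expressions to whatever your resolver and firewall actually emit.

```python
import re

# Domains from item (4): DNS queries to these indicate a Mirai-infected router.
MIRAI_DOMAINS = {
    "timeserver.host",
    "securityupdates.us",
    "tr069.pw",
    "srrys.pw",
    "l.ocalhost.host",
}

# C&C endpoint from item (5), as (IP, port), for the Firefox/Tor exploit.
TOR_EXPLOIT_C2 = ("5.39.27.226", 80)

# Constructed DNS query log in a BIND-like "query:" format (assumed, not real data).
SAMPLE_DNS_LOG = """\
01-Dec-2016 10:02:11.423 client 192.168.1.20#51234: query: www.example.com IN A + (192.168.1.1)
01-Dec-2016 10:02:12.001 client 192.168.1.37#49021: query: timeserver.host IN A + (192.168.1.1)
01-Dec-2016 10:02:13.777 client 192.168.1.37#49022: query: cdn.tr069.pw. IN A + (192.168.1.1)
01-Dec-2016 10:02:14.100 client 192.168.1.50#40001: query: nottr069.pw IN A + (192.168.1.1)
"""

# Constructed firewall connection log in a key=value format (assumed, not real data).
SAMPLE_CONN_LOG = """\
2016-12-01T10:05:01Z src=10.0.0.12 dst=93.184.216.34 dport=443 proto=tcp action=allow
2016-12-01T10:05:02Z src=10.0.0.12 dst=5.39.27.226 dport=80 proto=tcp action=allow
2016-12-01T10:05:03Z src=10.0.0.19 dst=5.39.27.226 dport=443 proto=tcp action=allow
"""

# Field extractors for the two assumed log formats above.
DNS_QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
CONN_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def domain_matches(qname, iocs):
    """True if qname equals an IoC domain or is a subdomain of one.

    A plain substring test would also flag "nottr069.pw", so the comparison
    is made on label boundaries after normalising case and the trailing dot.
    """
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in iocs)


def find_mirai_dns_hits(log_text, iocs=MIRAI_DOMAINS):
    """Return (client_ip, queried_name) pairs that hit the Mirai domain list."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if m and domain_matches(m["qname"], iocs):
            hits.append((m["client"], m["qname"].rstrip(".").lower()))
    return hits


def find_c2_connections(log_text, c2=TOR_EXPLOIT_C2, require_port=True):
    """Return source IPs that connected to the C&C address.

    With require_port=False any destination port counts: the IP is the
    stronger signal, and a C2 host may listen on more than the port published.
    """
    ip, port = c2
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m or m["dst"] != ip:
            continue
        if require_port and int(m["dport"]) != port:
            continue
        hits.append(m["src"])
    return hits


if __name__ == "__main__":
    for client, name in find_mirai_dns_hits(SAMPLE_DNS_LOG):
        print(f"[mirai] {client} resolved {name}")
    for src in find_c2_connections(SAMPLE_CONN_LOG):
        print(f"[tor-exploit] {src} connected to {TOR_EXPLOIT_C2[0]}:{TOR_EXPLOIT_C2[1]}")
```

Run against the constructed samples, the sweep reports the internal host 192.168.1.37 for both timeserver.host and the cdn.tr069.pw subdomain (but not nottr069.pw), and 10.0.0.12 for the port-80 connection to the C&C address; pass require_port=False to also surface 10.0.0.19, which reached the same IP on a different port. Replace the sample strings with the contents of your own resolver and firewall logs to use it for real.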

(6) San Francisco commuters have ridden the metro for free over the last couple of days. No, the mayor didn't decide to let you ride free of charge; the city had to let everyone ride for free because its payment systems were infected by ransomware.
The city was asked to pay a ransom of $73,000 to the hacker, but instead decided to roll back to a recent backup (on the advice of the FBI).

BTW, someone managed to hack the hacker's mailbox (by guessing the answer to the secret question) and provided a history of their ransoms: since August the hacker has extorted at least $140,000 in Bitcoin from victim organizations. The hacker targeted websites vulnerable to the Java unserialize (deserialization) exploit.

(7) Google Chrome had a (low risk) bug that Microsoft wouldn't patch for 2 years. This may help you during the reconnaissance phase of an infrastructure penetration test.


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit