Hey all,
Here are this week’s cyber updates:
(1) Google Brazil's domain was hacked! Yes, this is not a typo. Google was hacked. At least that is what all the major websites in Brazil said. However, by looking into Google Brazil's tweet (https://twitter.com/googlebrasil/status/816359978005106688?ref_src=twsrc%5Etfw), it seems that the attack did not directly target Google, but rather the ISP's DNS server used to resolve Google's domain name to its IP address. Nevertheless, for about 30 minutes google.com.br displayed a defacement page (you can see what it looked like in the following video: https://youtu.be/YnSLGx4bWRo).
This just shows why it is important for clients to add the HSTS header.
Here are the details: https://www.reddit.com/r/hacking/comments/5ltfbp/google_brazil_also_hacked/
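As an added example (not from the email), here is a small Python checker for the HSTS header mentioned above: it parses a Strict-Transport-Security value and reports whether the policy would actually keep returning browsers on HTTPS, which matters in a DNS hijack like this one because the impostor host cannot present a valid certificate for the domain. The header strings in the test are constructed samples, and the one-year threshold is the preload-list minimum, assumed here.

```python
from typing import Dict, Optional

# One year in seconds: the minimum max-age the browser preload list requires.
ONE_YEAR = 31536000


def parse_hsts(header: Optional[str]) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into its directives.

    Returns {} when the header is absent or malformed. Directive names are
    case-insensitive (RFC 6797); a quoted max-age value is accepted.
    """
    if not header:
        return {}
    directives: Dict[str, object] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if not name:
            continue
        if name == "max-age":
            if not value.isdigit():
                return {}  # malformed max-age: no usable policy at all
            directives[name] = int(value)
        else:
            directives[name] = True  # includeSubDomains, preload, unknowns
    return directives


def assess_hsts(header: Optional[str]) -> Dict[str, object]:
    """Report whether an HSTS policy keeps browsers on HTTPS.

    A positive max-age is what enforces the policy: a browser holding it
    will not fall back to plain HTTP and will not let the user click through
    a certificate error, so a DNS-hijacked host with no valid certificate
    cannot serve a defacement page to returning visitors.
    """
    d = parse_hsts(header)
    max_age = d.get("max-age")
    enforced = isinstance(max_age, int) and max_age > 0
    sub = bool(d.get("includesubdomains", False))
    return {
        "enforced": enforced,
        "max_age": max_age if enforced else 0,
        "include_subdomains": enforced and sub,
        "preload_ready": enforced and max_age >= ONE_YEAR and sub
        and bool(d.get("preload", False)),
    }
```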
(2) iMessage (Apple's messaging app) was found to be vulnerable to denial of service. In particular, the app crashes due to high CPU consumption when it has to handle a large vCard (contact list) file. And the good (or bad) news about it is that it is persistent: rebooting your device will not solve the issue.
This is how one can exploit this:
· iMessage the file to your victim of choice.
  i. Beware! If you are using an iPhone, then your phone will also crash when sending.
Here are all the details: https://vincedes3.com/crash-message-app-iphone/
and here is a PoC video: https://youtu.be/N2doEKKywck
If you were infected, either surf to http://vincedes3.com/save.html, or use Siri to reply to the victim with another message.
(3) We always recommend that organizations not expose their administrative interfaces to the internet. As ransomware attacks are on the rise, attackers have started going after unusual targets (not workstations). This time, a new ransomware has started targeting MongoDB instances with blank or default credentials. The ransomware then replaces (yes, replaces, not encrypts) the DB content with a ransom message.
By looking into the attacker's bitcoin wallet, it seems that so far 16 organizations have paid the ransom. However, it is suggested that the hacker does not store the original data (which makes sense, as it would require the hacker to store terabytes of data on their own server), so the clients have paid for no reason whatsoever.
Here are all the details: http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransoming_script/
(4) A new Android malware (known as Switcher) was recently discovered by Kaspersky. Instead of attacking the user, the malware targets the Wi-Fi router (in particular TP-LINK Wi-Fi routers). The malware conducts a dictionary attack against the router's web interface and, if successful, changes its DNS servers.
So far, two packages of the malware have been identified (com.baidu.com and com.snda.wifi).
While mostly home users (in particular in China) are affected, it is still advised to block access to the following malicious DNS servers:
· 101.200.147.153
· 112.33.13.11
· 120.76.249.59
Here are all the details: https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/
(5) In the previous email Cyber Update blog I mentioned the PHPMailer remote code execution exploit. Since then, the patch was found to be incomplete and still contains another remote code execution. Please update your PHPMailer version once again.
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit