Thursday, January 5, 2017

Cyber Updates - 05/01

Hey all,
Here are this week’s cyber updates:

(1) Google Brazil's domain was hacked! Yes, this is not a typo. Google was hacked.
At least that is what all major websites in Brazil have said. However, looking into Google Brazil's tweet (https://twitter.com/googlebrasil/status/816359978005106688?ref_src=twsrc%5Etfw), it seems the attack did not target Google directly, but rather the ISP's DNS server that resolves Google's domain name to an IP address.

Nevertheless, for about 30 minutes google.com.br showed a defacement page (you can see what it looked like in the following video: https://youtu.be/YnSLGx4bWRo).
This just shows you why it's important for clients to set the HSTS header on their sites: a browser that has cached the policy refuses plain-HTTP connections to the domain, and a hijacked resolver pointing at an attacker's server cannot present a valid certificate for it over HTTPS, so the defacement never renders.
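As an added example (not from the original post): a small Python audit of Strict-Transport-Security headers, run over constructed sample responses for hypothetical hosts. It flags sites where the header is missing, malformed, or carries a max-age too short to keep browsers forcing HTTPS between visits (the 180-day threshold is an assumption, not a figure from the post).

```python
# Added example (not from the original post): parse and audit
# Strict-Transport-Security headers as defined in RFC 6797.
import re
from typing import Dict, Optional

# Constructed sample header values, one per hypothetical site.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "good.example": "max-age=31536000; includeSubDomains; preload",
    "short.example": "max-age=300",
    "none.example": None,
    "broken.example": 'max-age="abc"; includeSubDomains',
}
MIN_MAX_AGE = 180 * 24 * 3600  # assumed policy threshold: 180 days


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Return {'max_age', 'include_subdomains', 'preload'}, or None if absent/malformed."""
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None  # max-age must be a non-negative integer
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None  # max-age is mandatory


def audit(headers: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each host to 'missing', 'invalid', 'weak' or 'ok'.
    'weak': after a short max-age the browser stops forcing HTTPS, so a
    later DNS hijack can again serve it a plain-HTTP page."""
    verdicts = {}
    for host, header in headers.items():
        policy = parse_hsts(header)
        if header is None:
            verdicts[host] = "missing"
        elif policy is None:
            verdicts[host] = "invalid"
        elif policy["max_age"] < MIN_MAX_AGE:
            verdicts[host] = "weak"
        else:
            verdicts[host] = "ok"
    return verdicts
```

Note that HSTS only helps a browser that has already seen the header (or has the site in the preload list); a first-time visitor over plain HTTP during the hijack window is still exposed.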


(2) iMessage (Apple's messaging app) was found to be vulnerable to denial of service.
In particular, the app crashes from high CPU consumption when it has to handle a large vCard (contact list) file.

And the good (or bad) news is that it is persistent: rebooting your device will not solve the issue.

This is how one can exploit this:
· Generate a large contacts file (one can be found here: http://vincedes3.com/vincedes3.vcf)
· iMessage the file to your victim of choice.
  i. Beware! If you are using an iPhone, then your phone will also crash when sending.

Here are all the details: https://vincedes3.com/crash-message-app-iphone/ and here is a PoC video: https://youtu.be/N2doEKKywck

If you were hit, either browse to http://vincedes3.com/save.html, or use Siri to reply to the sender with another message.

(3) We always recommend that organizations not expose their administrative interfaces publicly to the internet.
As ransomware attacks are on the rise, attackers have started going after less usual targets than workstations.
This time, a new ransomware campaign is targeting MongoDB instances with blank or default credentials. The ransomware then replaces (yes, replaces, not encrypts) the DB content with a ransom message.

By looking into the attacker's bitcoin wallet, it seems that so far 16 organizations have paid the ransom. However, it is suggested that the hacker does not store the original data (which makes sense, as it would require the hacker to store terabytes of data on their own servers), so those who paid did so for no reason whatsoever.
  

(4) A new Android malware (known as Switcher) was recently discovered by Kaspersky.
Instead of attacking the user, the malware targets the Wi-Fi router (in particular TP-LINK Wi-Fi routers). The malware runs a dictionary attack against the router's web interface and, if successful, changes its DNS servers.

So far, two packages of the malware have been identified (com.baidu.com and com.snda.wifi).

While mostly home users (in particular in China) are affected, it is still advised to block access to the following malicious DNS servers:
· 101.200.147.153
· 112.33.13.11
· 120.76.249.59


(5) In the previous Cyber Update email I mentioned the PHPMailer remote code execution exploit.
Since then, the patch was found to be incomplete and still allows another remote code execution.

Please update your PHPMailer version once again.
  
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit