Sunday, January 22, 2017

Cyber Updates - 22/01

Hey everyone,
Here are this week’s cyber updates:

(1) Comsec advises its clients to restrict outbound network access from the organization in order to prevent data leakage to a C&C server.
Recently, Google’s infrastructure was found to be used as a C&C “server”. Traffic to these servers is usually whitelisted, which allows attackers to extract data from organizations.
The script sends and receives commands to and from the Google Apps Script, Google Sheets, and Google Forms services. For each infected user, a unique Google Sheets spreadsheet is dynamically created in order to manage that victim. Using a legitimate third-party service like this one lets the attacker hide in plain sight.

(2) Facebook has been hacked. While in the previous cyber updates post I wrote this about Google, it wasn’t really Google’s fault; this time Facebook was really hacked.
The website was found to contain a remote code execution vulnerability in its ImageMagick parsing library (CVE-2016-3714).

In particular, Facebook contains an API that takes a URL as a parameter, fetches the image stored at that URL and displays it back to the end user. By using an image that triggers the ImageMagick vulnerability, security researcher Andrew Leonov showed Facebook how he could execute commands on the server and extract their output via DNS tunneling.

(3) This has not been Facebook’s week. Hackers have also found that Facebook voice messages are vulnerable to SSL Strip attacks.

In particular, Facebook CDN servers do not enforce an HTTP Strict Transport Security (HSTS) policy, which permits this flaw.
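
The missing-HSTS condition described in item (3) can be checked from the defender's side by auditing response headers against RFC 6797. This is an added example, not code from the original post; the host names, the sample responses and the 180-day `MIN_MAX_AGE` threshold are assumptions.

```python
MIN_MAX_AGE = 15552000  # 180 days: assumed policy threshold, not from the post

def parse_hsts(value):
    """Parse one header value; return a policy dict, or None if invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # value may be a quoted-string
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

def audit(scheme, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    if scheme != "https":
        return ["plain HTTP: browsers ignore any HSTS header sent here"]
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["no HSTS header: browser will not force HTTPS for this host"]
    policy = parse_hsts(values[0])  # only the first header field is processed
    if policy is None:
        return ["malformed HSTS header: ignored by browsers"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0: clears any stored HSTS policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age below %d seconds" % MIN_MAX_AGE)
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains not covered")
    return findings
# Constructed sample responses (hypothetical hosts, not captured traffic).
SAMPLES = {
    "cdn.example.test": ("https", [("Content-Type", "audio/mp4")]),
    "www.example.test": ("https", [("Strict-Transport-Security", "max-age=31536000")]),
}
if __name__ == "__main__":
    for host, (scheme, headers) in SAMPLES.items():
        print(host, audit(scheme, headers) or "OK")
```

An empty findings list means the response carries a policy that meets the assumed threshold and covers subdomains.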

(4) A new denial of service vulnerability was recently discovered in iOS.
In particular, anyone can crash your iPhone or iPad by just sending an emoji-filled iMessage.
All you have to do to trigger this attack is send an iMessage containing the following: a White Flag emoji, the digit "0" and a Rainbow emoji. Your victim’s iPhone will crash even if they didn’t open the message!

(5) The Donald being sworn in as president can’t go without a cyber-attack.
A radio station in Louisville was hacked, causing it to play anti-Trump songs for nearly 15 minutes. The hackers most probably used software intended for emergency broadcasts in order to override the program that was on air at the time of the hack.

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit