Saturday, April 15, 2017

Cyber Updates - 15/04

Hey all,
Here are this week's cyber updates:

(1) A security vulnerability (CVE-2017-0199) has been discovered in Microsoft Word, allowing an attacker to execute operating system commands when a Word document is opened. As opposed to attacks that require the user’s interaction (such as allowing a macro to be executed), this attack merely requires the victim to open the document while not in protected mode.

In particular, the vulnerability resides within the OLE2link parser. A malicious OLE2link object can be placed in the document, causing Word to connect to a C&C server and download a malicious HTA file. This file is then automatically executed.

The most important thing to note about this vulnerability is that it can affect any version of Windows!

Comsec has observed malicious entities exploit this vulnerability in the wild. Thus, clients are advised to update their Word as soon as possible. Until the Word version is updated, it is recommended to only view documents in protected mode.
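
One way to watch for the behaviour described above while patching is under way, as an added example that is not part of the original post: flag web-proxy records where an Office client retrieves HTA content. The log layout, hosts, addresses and User-Agent markers below are constructed assumptions, to be adapted to your own proxy.

```python
from urllib.parse import urlsplit

# Assumed User-Agent substrings for Office clients; tune to your own fleet.
OFFICE_UA_MARKERS = ("ms-office", "microsoft office")
HTA_TYPES = {"application/hta"}
FIELDS = ("time", "client", "user_agent", "url", "content_type")

# Constructed sample proxy log (tab-separated, fields as in FIELDS).
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2017-04-12T09:14:02Z", "10.0.4.21", "Mozilla/4.0 (compatible; ms-office; MSOffice 16)",
     "http://files.example.test/template.doc", "application/hta"),
    ("2017-04-12T09:15:40Z", "10.0.4.22", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/57.0",
     "http://tools.example.test/admin.hta", "application/hta"),
    ("2017-04-12T09:16:11Z", "10.0.4.23", "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0)",
     "http://share.example.test/report.docx", "application/octet-stream"),
    ("2017-04-12T09:17:55Z", "10.0.4.37", "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0)",
     "http://cdn.example.test/update.hta", "text/html; charset=utf-8"),
    ("truncated line", "10.0.4.99"),
])

def parse_line(line):
    """Return a record dict, or None for lines that do not have all five fields."""
    parts = line.split("\t")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def hta_reason(rec):
    """Why an Office-originated request looks like an HTA download, or None."""
    ua = rec["user_agent"].lower()
    if not any(marker in ua for marker in OFFICE_UA_MARKERS):
        return None  # not an Office client; out of scope for this rule
    ctype = rec["content_type"].split(";")[0].strip().lower()
    if ctype in HTA_TYPES:
        return "content-type"  # served as HTA regardless of the URL's extension
    if urlsplit(rec["url"]).path.lower().endswith(".hta"):
        return "extension"
    return None

def find_office_hta_fetches(log_text):
    """Return (client, url, reason) for every Office request that fetched HTA content."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = hta_reason(rec) if rec else None
        if reason:
            findings.append((rec["client"], rec["url"], reason))
    return findings

if __name__ == "__main__":
    for client, url, reason in find_office_hta_fetches(SAMPLE_LOG):
        print(f"{client} fetched {url} (matched on {reason})")
```

The first sample record is the case worth noticing: the URL looks like an ordinary document, and only the response Content-Type reveals that HTA content was delivered.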

(2) Microsoft's developers did not have an easy month. Another vulnerability has been discovered in Microsoft Office (CVE-2017-2605) that remains unpatched! The flaw resides in the Encapsulated PostScript (EPS) filter in Microsoft Office, allowing malicious code to be executed when Word is opened. As a countermeasure, Microsoft has issued a “patch” that disables EPS by default.


(3) A former Marriott employee hacked the chain’s reservation system after being fired. The employee changed room prices to as little as $12 a night. While it is still unclear how the employee hacked the system, he did not do a fine job of hiding his traces: his home IP address was logged, leading to his arrest.

While this case was resolved with the hacker’s arrest, many times an organization can’t be sure whether a malicious employee has indeed hacked the system. Organizations are thus encouraged to engage in Red Team or Ethical Hacking exercises in order to protect themselves from the internal threat.


(4) Mobile developers often think that sensitive data remains safe if they properly implement PIN code protection. A team of scientists from Newcastle University might make them reconsider that assumption, as they were able to potentially guess users’ PIN codes by monitoring the phone’s sensors.

The team built JavaScript code that can access several features of the mobile device (such as the device orientation and motion). This allowed the researchers to guess a 4-digit PIN code with a success rate of 74% on the first try and over 90% after 4 attempts.

And the most important aspect of this attack is that it does not require a malicious app to be installed. All the victim needs to do is visit a malicious website and have the JavaScript code executed in the background.


(5) Hackers have activated Dallas’ emergency warning sirens for nearly two hours. This has resulted in numerous calls to the 911 system by concerned citizens. 

It appears that the system can be operated using radio signals. The hacker apparently managed to access the documentation, or the code, used to trigger the sirens. Because the command signal was played repeatedly, the sirens kept wailing until the radio-based system was disabled.

This breach does not come at a good time for Dallas – last year their traffic signals were hacked in order to publish jokes.

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit