Posts Tagged ‘exploit’
Tuesday, February 18, 2014 @ 02:02 PM gHale
An Internet Explorer Zero Day is a part of a new operation called SnowMan targeting U.S. military personnel.
The Zero Day exploit, which impacts IE 9 and 10, on the website of the U.S. Veterans of Foreign Wars (vfw.org), said researchers at FireEye.
The sophisticated group of cybercriminals behind this attack target high-profile organizations. They’ve previously attacked U.S. government entities, defense industrial base companies, law firms, Japanese companies, and NGOs. They’ve also targeted IT and mining companies, mostly by relying on remote access Trojans (RATs).
Microsoft confirmed the existence of the exploit. The company advises customers to update Internet Explorer to version 11 to protect themselves against such attacks.
“We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns (Operation DeputyDog and Operation Ephemeral Hydra).”
Additional technical details on the IE Zero Day exploit and the SnowMan campaign are available on FireEye’s blog.
Wednesday, October 2, 2013 @ 11:10 AM gHale
While the latest Internet Explorer Zero Day does not yet have a patch, it appears the vulnerability has been suffering exploitation for a longer time than initially believed.
Microsoft did acknowledge the existence of the vulnerability and said attackers were leveraging the holes. The software giant did issue a Fix it tool to mitigate the problems until a patch can release.
Since then, FireEye researchers linked the attacks to the Chinese hacking group that hit Bit9 earlier this year, and said the campaign called “Operation DeputyDog” focused on Japanese organizations and started on August 19 at the latest.
Then, on Thursday, researchers from AlienVault and Websense released their findings regarding the exploit used.
Researcher Jaime Blasco said they spotted the exploit hosted on a subdomain of Taiwan’s Government e-Procurement System, and found users that visited the main page for the first time would instantly end up redirected to the exploit page and served with a malicious file.
Not all visitors ended up targeted as just those whose Windows XP or Windows 7 systems running in English, Chinese, French, German, Japanese, Russian, Korean, and Portuguese, and use Internet Explorer 8 or 9.
Tuesday, July 9, 2013 @ 04:07 PM gHale
Skype is a very popular tool used throughout the manufacturing automation sector, but watch out for a vulnerability in an Android application.
A vulnerability in Skype’s Android application could enable an attacker to bypass the lockscreen on some Android phones, giving them full access to the device.
The bug is in Skype version 188.8.131.5273 and researchers tested it on the Sony Xperia Z, Samsung Galaxy Note 2 and Huawei’s Premia 4G-all Android devices, said Pulser, a moderator at the Android forum XDA Developers.
“The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily,” Pulser wrote in a post on the Full Disclosure mailing lists.
The exploit isn’t the easiest to execute, as it involves having access to two separate devices with two separate Skype accounts installed and running.
The hack can start off by calling the victim’s phone, which will cause it to wake, ring and display a Skype prompt on the screen. By accepting the call on the victim’s phone and ending the call on the initial caller’s phone, the lockscreen should pop up on the targeted phone.
Next, the attacker has to turn the phone off and turn it back on and the lockscreen end up bypassed. “The screen will remain bypassed until the device is rebooted,” Pulser said.
The news comes a day after the company pushed version 4.0 of its Android app and on the heels of news this week the app installed on its 100 millionth device worldwide. Skype officials were not immediately available for comment.
The flaw is similar to a vulnerability discovered earlier this spring but since patched in Viber, which like Skype, is a VoIP app that allows its users to send free calls and messages. In Viber, all an attacker had to do to gain access to the phone was send a user a message and combine a series of actions to exploit the way the app handles popup messages.
Researchers have been especially committed to digging up lockscreen bypass flaws as of late. Earlier this year, iPhone users found flaws in iOS 6.1 and the beta version of iOS 7 that could allow an attacker to bypass the screen lock on Apple’s iPhone.
Thursday, May 23, 2013 @ 04:05 PM gHale
There has been a big increase in the number of websites falling victim to the Darkleech attack on Wednesday, with quite a few of them hosted in the UK, said security firm Zscaler.
“The Apache Darkleech attack has been in the news for quite some time now,” said Zscaler’s Krishnan Subramanian. “The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page.
“We are currently observing a considerable rise in websites being compromised due to this attack. The infected websites redirect to a version of the BEK version 2.”
Subramanian said the complex nature of the attack’s exploit method makes it difficult to know exactly how many sites have been affected, making tracking and combating the threat a difficult task.
“The exploit code targets vulnerabilities in multiple plugins including Adobe PDF and Java when run on IE, causing the attacker to load malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection. However, this URL was not accessible (404 error response) at the time of writing, hence it was not possible to retrieve the malicious binary file,” Subramanian said.
“Upon revisiting some of these compromised websites, it was found that the page was no longer serving the injected code. This provides a clue. The attackers probably choose random sites running the Apache Webservers that are vulnerable to the Darkleech exploit and infect them only for a brief period of time and then clean them up. Hence tracking Darkleech infections can be a challenging task.”
The attack already infected thousands of websites when researchers first uncovered it earlier this year. Subramanian said businesses or website owners worried their site has suffered an infection should contact their Apache server host to ensure they have installed the CVE-2012-1557 security patch to fix the flaw.
Monday, May 20, 2013 @ 06:05 PM gHale
An exploit released that proves that normal, logged-in users can gain root access to the Linux kernel via an incorrectly fixed declared pointer.
It all started back in April, when Linux kernel developers fixed an incorrectly declared pointer in the Linux kernel. The problem is, in their rush to fix the issue, they apparently overlooked the potential security implications of the bug, since fact it is possible to gain access to almost any memory area using a suitable event_id.
After realizing the problem, the developers declared the bug as an official security hole (CVE-2013-2094) after the exploit released that proves that normal, logged-in users can gain root access this way.
The bug affects any kernel version between 2.6.37 and 3.8.9 compiled using the PERF_EVENTS option; apparently, this is the case with many distributions. Which exact distributions suffer from the issue will soon become clear when the relevant security updates release. Linux security expert Brad Spengler released a detailed exploit analysis.
Meanwhile, the Ubuntu Security Team closed the vulnerability with updates to Ubuntu 13.04, 12.10, 12.04 LTS and in the Hardware Enablement Kernel for Ubuntu 12.04 LTS based on the Ubuntu 12.10 kernel. The developers caution users that due to ABI changes in the kernel update, all third party modules installed with these kernels have to undergo recompiling and reinstallation. Users who use the linux-restricted-modules package will have to update this package as well, which will happen automatically on systems that include the standard kernel meta packages.
Red Hat said Red Hat Enterprise Linux (RHEL) 4 and 5 do not suffer from the problem. RHEL 6 and Red Hat Enterprise MRG 2, however, do and until the company releases updates that fix the issue, Red Hat recommends mitigating the security risks and gives instructions how to do so on a page on its customer portal web site.
The Debian developers are also working to fix the problem. At the time of writing, Debian stable (Wheezy) and testing (Jessie) are both vulnerable to the exploit, Debian unstable (Sid) is not vulnerable. The fixed kernel package is available in the security update repository for Wheezy, however, and should have an update in the main distribution repository soon.
Tuesday, March 5, 2013 @ 04:03 PM gHale
There are five vulnerabilities in Java SE 7 Update 15 which, when combined, can achieve a complete sandbox bypass.
The new flaws, identified as “issue 56” through “issue 60,” ended up found by researchers at Security Explorations while they were trying to collect new evidence to prove to Oracle “issue 54” is a security hole.
“Two of the issues found (59 and 60) could be potentially affecting Java SE 6 (we haven’t checked this due to Java SE 6 EOL status), but since all of the issues need to be combined together to gain a successful Java SE security compromise, we treat it as affecting Java SE 7 only,” said Adam Gowdiak, chief executive of Security Explorations.
“The attack breaks a couple of security checks introduced to Java SE by Oracle over the recent months (Issues 57 and 58). It also exploits code fragments that were missing proper security checks corresponding to the very mirror code (Issue 59 and 60). Finally, it demonstrates a difference between the JVM specification and its implementation (Issue 56).”
Gowdiak said similar to other vulnerabilities they’ve found, the Reflection API is the component that undergoes exploitation in the attack.
Oracle has the complete details of the newly-discovered flaws, along with a proof-of-concept.